Use opaque fips202 structs in MQDSS

Thom Wiggers 2019-05-20 10:52:28 +02:00
parent 692fba119c
commit 0e73f2dda2
GPG Key ID: 001BB0A7CE26E363
4 changed files with 66 additions and 66 deletions


@ -49,13 +49,13 @@ void PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(gf31 *out, const gf31 *in) {
them in a vector of 16-bit elements */ them in a vector of 16-bit elements */
void PQCLEAN_MQDSS48_CLEAN_gf31_nrand(gf31 *out, int len, const unsigned char *seed, size_t seedlen) { void PQCLEAN_MQDSS48_CLEAN_gf31_nrand(gf31 *out, int len, const unsigned char *seed, size_t seedlen) {
int i = 0, j; int i = 0, j;
uint64_t shakestate[25] = {0}; shake256ctx shakestate;
unsigned char shakeblock[SHAKE256_RATE]; unsigned char shakeblock[SHAKE256_RATE];
shake256_absorb(shakestate, seed, seedlen); shake256_absorb(&shakestate, seed, seedlen);
while (i < len) { while (i < len) {
shake256_squeezeblocks(shakeblock, 1, shakestate); shake256_squeezeblocks(shakeblock, 1, &shakestate);
for (j = 0; j < SHAKE256_RATE && i < len; j++) { for (j = 0; j < SHAKE256_RATE && i < len; j++) {
if ((shakeblock[j] & 31) != 31) { if ((shakeblock[j] & 31) != 31) {
out[i] = (shakeblock[j] & 31); out[i] = (shakeblock[j] & 31);
@ -70,13 +70,13 @@ void PQCLEAN_MQDSS48_CLEAN_gf31_nrand(gf31 *out, int len, const unsigned char *s
This is used for the expansion of F, which wants packed elements. */ This is used for the expansion of F, which wants packed elements. */
void PQCLEAN_MQDSS48_CLEAN_gf31_nrand_schar(signed char *out, int len, const unsigned char *seed, size_t seedlen) { void PQCLEAN_MQDSS48_CLEAN_gf31_nrand_schar(signed char *out, int len, const unsigned char *seed, size_t seedlen) {
int i = 0, j; int i = 0, j;
uint64_t shakestate[25] = {0}; shake256ctx shakestate;
unsigned char shakeblock[SHAKE256_RATE]; unsigned char shakeblock[SHAKE256_RATE];
shake256_absorb(shakestate, seed, seedlen); shake256_absorb(&shakestate, seed, seedlen);
while (i < len) { while (i < len) {
shake256_squeezeblocks(shakeblock, 1, shakestate); shake256_squeezeblocks(shakeblock, 1, &shakestate);
for (j = 0; j < SHAKE256_RATE && i < len; j++) { for (j = 0; j < SHAKE256_RATE && i < len; j++) {
if ((shakeblock[j] & 31) != 31) { if ((shakeblock[j] & 31) != 31) {
out[i] = (signed char)(((signed char)shakeblock[j] & 31) - 15); out[i] = (signed char)(((signed char)shakeblock[j] & 31) - 15);
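Review bot: `shake256ctx shakestate;` in the `gf31_nrand` hunk drops the zero-initialisation the old `uint64_t shakestate[25] = {0};` had, so the code now depends on `shake256_absorb` resetting every word of the context before use; that is plausible for a one-shot absorb but is not visible here, and if the call only mixes into the existing state the squeezed output would depend on uninitialised stack contents. If the library does not guarantee a full reset, keep the explicit initialiser, `shake256ctx shakestate = {0};`; if it does, record that next to the declaration, `/* shake256_absorb fully initialises the context; no zeroing needed */`. The same pattern is in the `gf31_nrand_schar` hunk below, in the `crypto_sign_signature` and `crypto_sign_verify` hunks of the next file, and in the MQDSS64 copies of all four. Both functions in this file continue past the end of their hunks.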


@ -85,7 +85,7 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_signature(
unsigned char *h0 = D_sigma0_h0_sigma1 + 2 * HASH_BYTES; unsigned char *h0 = D_sigma0_h0_sigma1 + 2 * HASH_BYTES;
unsigned char *t1packed = D_sigma0_h0_sigma1 + 3 * HASH_BYTES; unsigned char *t1packed = D_sigma0_h0_sigma1 + 3 * HASH_BYTES;
unsigned char *e1packed = D_sigma0_h0_sigma1 + 3 * HASH_BYTES + ROUNDS * NPACKED_BYTES; unsigned char *e1packed = D_sigma0_h0_sigma1 + 3 * HASH_BYTES + ROUNDS * NPACKED_BYTES;
uint64_t shakestate[25] = {0}; shake256ctx shakestate;
unsigned char shakeblock[SHAKE256_RATE]; unsigned char shakeblock[SHAKE256_RATE];
unsigned char h1[((ROUNDS + 7) & ~7) >> 3]; unsigned char h1[((ROUNDS + 7) & ~7) >> 3];
unsigned char rnd_seed[HASH_BYTES + SEED_BYTES]; unsigned char rnd_seed[HASH_BYTES + SEED_BYTES];
@ -109,17 +109,17 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_signature(
int alpha_count = 0; int alpha_count = 0;
int b; int b;
int i, j; int i, j;
uint64_t s_inc[26]; shake256incctx state;
shake256(skbuf, SEED_BYTES * 4, sk, SEED_BYTES); shake256(skbuf, SEED_BYTES * 4, sk, SEED_BYTES);
PQCLEAN_MQDSS48_CLEAN_gf31_nrand_schar(F, F_LEN, skbuf, SEED_BYTES); PQCLEAN_MQDSS48_CLEAN_gf31_nrand_schar(F, F_LEN, skbuf, SEED_BYTES);
shake256_inc_init(s_inc); shake256_inc_init(&state);
shake256_inc_absorb(s_inc, sk, SEED_BYTES); shake256_inc_absorb(&state, sk, SEED_BYTES);
shake256_inc_absorb(s_inc, m, mlen); shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(s_inc); shake256_inc_finalize(&state);
shake256_inc_squeeze(sig, HASH_BYTES, s_inc); // Compute R. shake256_inc_squeeze(sig, HASH_BYTES, &state); // Compute R.
memcpy(pk, skbuf, SEED_BYTES); memcpy(pk, skbuf, SEED_BYTES);
PQCLEAN_MQDSS48_CLEAN_gf31_nrand(sk_gf31, N, skbuf + SEED_BYTES, SEED_BYTES); PQCLEAN_MQDSS48_CLEAN_gf31_nrand(sk_gf31, N, skbuf + SEED_BYTES, SEED_BYTES);
@ -127,12 +127,12 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_signature(
PQCLEAN_MQDSS48_CLEAN_vgf31_unique(pk_gf31, pk_gf31); PQCLEAN_MQDSS48_CLEAN_vgf31_unique(pk_gf31, pk_gf31);
PQCLEAN_MQDSS48_CLEAN_gf31_npack(pk + SEED_BYTES, pk_gf31, M); PQCLEAN_MQDSS48_CLEAN_gf31_npack(pk + SEED_BYTES, pk_gf31, M);
shake256_inc_init(s_inc); shake256_inc_init(&state);
shake256_inc_absorb(s_inc, pk, PK_BYTES); shake256_inc_absorb(&state, pk, PK_BYTES);
shake256_inc_absorb(s_inc, sig, HASH_BYTES); shake256_inc_absorb(&state, sig, HASH_BYTES);
shake256_inc_absorb(s_inc, m, mlen); shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(s_inc); shake256_inc_finalize(&state);
shake256_inc_squeeze(D, HASH_BYTES, s_inc); shake256_inc_squeeze(D, HASH_BYTES, &state);
sig += HASH_BYTES; // Compensate for prefixed R. sig += HASH_BYTES; // Compensate for prefixed R.
@ -166,8 +166,8 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_signature(
} }
H(sigma0, c, HASH_BYTES * ROUNDS * 2); // Compute sigma_0. H(sigma0, c, HASH_BYTES * ROUNDS * 2); // Compute sigma_0.
shake256_absorb(shakestate, D_sigma0_h0_sigma1, 2 * HASH_BYTES); shake256_absorb(&shakestate, D_sigma0_h0_sigma1, 2 * HASH_BYTES);
shake256_squeezeblocks(shakeblock, 1, shakestate); shake256_squeezeblocks(shakeblock, 1, &shakestate);
memcpy(h0, shakeblock, HASH_BYTES); memcpy(h0, shakeblock, HASH_BYTES);
@ -180,7 +180,7 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_signature(
alpha_count++; alpha_count++;
if (alpha_count == SHAKE256_RATE) { if (alpha_count == SHAKE256_RATE) {
alpha_count = 0; alpha_count = 0;
shake256_squeezeblocks(shakeblock, 1, shakestate); shake256_squeezeblocks(shakeblock, 1, &shakestate);
} }
} while (alpha == 31); } while (alpha == 31);
for (j = 0; j < N; j++) { for (j = 0; j < N; j++) {
@ -246,24 +246,24 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_verify(
gf31 z[M]; gf31 z[M];
unsigned char packbuf0[NPACKED_BYTES]; unsigned char packbuf0[NPACKED_BYTES];
unsigned char packbuf1[MPACKED_BYTES]; unsigned char packbuf1[MPACKED_BYTES];
uint64_t shakestate[25] = {0}; shake256ctx shakestate;
unsigned char shakeblock[SHAKE256_RATE]; unsigned char shakeblock[SHAKE256_RATE];
int i, j; int i, j;
gf31 alpha; gf31 alpha;
int alpha_count = 0; int alpha_count = 0;
int b; int b;
uint64_t s_inc[26]; shake256incctx state;
if (siglen != SIG_LEN) { if (siglen != SIG_LEN) {
return -1; return -1;
} }
shake256_inc_init(s_inc); shake256_inc_init(&state);
shake256_inc_absorb(s_inc, pk, PK_BYTES); shake256_inc_absorb(&state, pk, PK_BYTES);
shake256_inc_absorb(s_inc, sig, HASH_BYTES); shake256_inc_absorb(&state, sig, HASH_BYTES);
shake256_inc_absorb(s_inc, m, mlen); shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(s_inc); shake256_inc_finalize(&state);
shake256_inc_squeeze(D, HASH_BYTES, s_inc); shake256_inc_squeeze(D, HASH_BYTES, &state);
sig += HASH_BYTES; sig += HASH_BYTES;
@ -273,8 +273,8 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_verify(
memcpy(sigma0, sig, HASH_BYTES); memcpy(sigma0, sig, HASH_BYTES);
shake256_absorb(shakestate, D_sigma0_h0_sigma1, 2 * HASH_BYTES); shake256_absorb(&shakestate, D_sigma0_h0_sigma1, 2 * HASH_BYTES);
shake256_squeezeblocks(shakeblock, 1, shakestate); shake256_squeezeblocks(shakeblock, 1, &shakestate);
memcpy(h0, shakeblock, HASH_BYTES); memcpy(h0, shakeblock, HASH_BYTES);
@ -293,7 +293,7 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_verify(
alpha_count++; alpha_count++;
if (alpha_count == SHAKE256_RATE) { if (alpha_count == SHAKE256_RATE) {
alpha_count = 0; alpha_count = 0;
shake256_squeezeblocks(shakeblock, 1, shakestate); shake256_squeezeblocks(shakeblock, 1, &shakestate);
} }
} while (alpha == 31); } while (alpha == 31);
b = (h1[(i >> 3)] >> (i & 7)) & 1; b = (h1[(i >> 3)] >> (i & 7)) & 1;
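Review bot: The incremental context introduced in the `@ -109` hunk is named `state` while the one-shot context beside it keeps the name `shakestate`; with two SHAKE contexts live in the same function the generic name hides which one a call touches, and the old `s_inc` made the distinction better. Renaming the declaration `shake256incctx inc_state;` and its `&state` uses keeps that distinction; the same applies to the `@ -246` hunk of `crypto_sign_verify` and to the MQDSS64 copies of both functions. Separately, `state` absorbs the secret key at `shake256_inc_absorb(&state, sk, SEED_BYTES)` and is only overwritten because `shake256_inc_init(&state)` runs again later (presumably a full reset, worth confirming); an explicit wipe right after the `// Compute R.` squeeze, with a zeroization helper the compiler cannot elide, would make that hygiene deliberate rather than incidental. Both functions start and end outside these hunks.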


@ -49,13 +49,13 @@ void PQCLEAN_MQDSS64_CLEAN_vgf31_shorten_unique(gf31 *out, const gf31 *in) {
them in a vector of 16-bit elements */ them in a vector of 16-bit elements */
void PQCLEAN_MQDSS64_CLEAN_gf31_nrand(gf31 *out, int len, const unsigned char *seed, size_t seedlen) { void PQCLEAN_MQDSS64_CLEAN_gf31_nrand(gf31 *out, int len, const unsigned char *seed, size_t seedlen) {
int i = 0, j; int i = 0, j;
uint64_t shakestate[25] = {0}; shake256ctx shakestate;
unsigned char shakeblock[SHAKE256_RATE]; unsigned char shakeblock[SHAKE256_RATE];
shake256_absorb(shakestate, seed, seedlen); shake256_absorb(&shakestate, seed, seedlen);
while (i < len) { while (i < len) {
shake256_squeezeblocks(shakeblock, 1, shakestate); shake256_squeezeblocks(shakeblock, 1, &shakestate);
for (j = 0; j < SHAKE256_RATE && i < len; j++) { for (j = 0; j < SHAKE256_RATE && i < len; j++) {
if ((shakeblock[j] & 31) != 31) { if ((shakeblock[j] & 31) != 31) {
out[i] = (shakeblock[j] & 31); out[i] = (shakeblock[j] & 31);
@ -70,13 +70,13 @@ void PQCLEAN_MQDSS64_CLEAN_gf31_nrand(gf31 *out, int len, const unsigned char *s
This is used for the expansion of F, which wants packed elements. */ This is used for the expansion of F, which wants packed elements. */
void PQCLEAN_MQDSS64_CLEAN_gf31_nrand_schar(signed char *out, int len, const unsigned char *seed, size_t seedlen) { void PQCLEAN_MQDSS64_CLEAN_gf31_nrand_schar(signed char *out, int len, const unsigned char *seed, size_t seedlen) {
int i = 0, j; int i = 0, j;
uint64_t shakestate[25] = {0}; shake256ctx shakestate;
unsigned char shakeblock[SHAKE256_RATE]; unsigned char shakeblock[SHAKE256_RATE];
shake256_absorb(shakestate, seed, seedlen); shake256_absorb(&shakestate, seed, seedlen);
while (i < len) { while (i < len) {
shake256_squeezeblocks(shakeblock, 1, shakestate); shake256_squeezeblocks(shakeblock, 1, &shakestate);
for (j = 0; j < SHAKE256_RATE && i < len; j++) { for (j = 0; j < SHAKE256_RATE && i < len; j++) {
if ((shakeblock[j] & 31) != 31) { if ((shakeblock[j] & 31) != 31) {
out[i] = (signed char)(((signed char)shakeblock[j] & 31) - 15); out[i] = (signed char)(((signed char)shakeblock[j] & 31) - 15);


@ -85,7 +85,7 @@ int PQCLEAN_MQDSS64_CLEAN_crypto_sign_signature(
unsigned char *h0 = D_sigma0_h0_sigma1 + 2 * HASH_BYTES; unsigned char *h0 = D_sigma0_h0_sigma1 + 2 * HASH_BYTES;
unsigned char *t1packed = D_sigma0_h0_sigma1 + 3 * HASH_BYTES; unsigned char *t1packed = D_sigma0_h0_sigma1 + 3 * HASH_BYTES;
unsigned char *e1packed = D_sigma0_h0_sigma1 + 3 * HASH_BYTES + ROUNDS * NPACKED_BYTES; unsigned char *e1packed = D_sigma0_h0_sigma1 + 3 * HASH_BYTES + ROUNDS * NPACKED_BYTES;
uint64_t shakestate[25] = {0}; shake256ctx shakestate;
unsigned char shakeblock[SHAKE256_RATE]; unsigned char shakeblock[SHAKE256_RATE];
unsigned char h1[((ROUNDS + 7) & ~7) >> 3]; unsigned char h1[((ROUNDS + 7) & ~7) >> 3];
unsigned char rnd_seed[HASH_BYTES + SEED_BYTES]; unsigned char rnd_seed[HASH_BYTES + SEED_BYTES];
@ -109,17 +109,17 @@ int PQCLEAN_MQDSS64_CLEAN_crypto_sign_signature(
int alpha_count = 0; int alpha_count = 0;
int b; int b;
int i, j; int i, j;
uint64_t s_inc[26]; shake256incctx state;
shake256(skbuf, SEED_BYTES * 4, sk, SEED_BYTES); shake256(skbuf, SEED_BYTES * 4, sk, SEED_BYTES);
PQCLEAN_MQDSS64_CLEAN_gf31_nrand_schar(F, F_LEN, skbuf, SEED_BYTES); PQCLEAN_MQDSS64_CLEAN_gf31_nrand_schar(F, F_LEN, skbuf, SEED_BYTES);
shake256_inc_init(s_inc); shake256_inc_init(&state);
shake256_inc_absorb(s_inc, sk, SEED_BYTES); shake256_inc_absorb(&state, sk, SEED_BYTES);
shake256_inc_absorb(s_inc, m, mlen); shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(s_inc); shake256_inc_finalize(&state);
shake256_inc_squeeze(sig, HASH_BYTES, s_inc); // Compute R. shake256_inc_squeeze(sig, HASH_BYTES, &state); // Compute R.
memcpy(pk, skbuf, SEED_BYTES); memcpy(pk, skbuf, SEED_BYTES);
PQCLEAN_MQDSS64_CLEAN_gf31_nrand(sk_gf31, N, skbuf + SEED_BYTES, SEED_BYTES); PQCLEAN_MQDSS64_CLEAN_gf31_nrand(sk_gf31, N, skbuf + SEED_BYTES, SEED_BYTES);
@ -127,12 +127,12 @@ int PQCLEAN_MQDSS64_CLEAN_crypto_sign_signature(
PQCLEAN_MQDSS64_CLEAN_vgf31_unique(pk_gf31, pk_gf31); PQCLEAN_MQDSS64_CLEAN_vgf31_unique(pk_gf31, pk_gf31);
PQCLEAN_MQDSS64_CLEAN_gf31_npack(pk + SEED_BYTES, pk_gf31, M); PQCLEAN_MQDSS64_CLEAN_gf31_npack(pk + SEED_BYTES, pk_gf31, M);
shake256_inc_init(s_inc); shake256_inc_init(&state);
shake256_inc_absorb(s_inc, pk, PK_BYTES); shake256_inc_absorb(&state, pk, PK_BYTES);
shake256_inc_absorb(s_inc, sig, HASH_BYTES); shake256_inc_absorb(&state, sig, HASH_BYTES);
shake256_inc_absorb(s_inc, m, mlen); shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(s_inc); shake256_inc_finalize(&state);
shake256_inc_squeeze(D, HASH_BYTES, s_inc); shake256_inc_squeeze(D, HASH_BYTES, &state);
sig += HASH_BYTES; // Compensate for prefixed R. sig += HASH_BYTES; // Compensate for prefixed R.
@ -166,8 +166,8 @@ int PQCLEAN_MQDSS64_CLEAN_crypto_sign_signature(
} }
H(sigma0, c, HASH_BYTES * ROUNDS * 2); // Compute sigma_0. H(sigma0, c, HASH_BYTES * ROUNDS * 2); // Compute sigma_0.
shake256_absorb(shakestate, D_sigma0_h0_sigma1, 2 * HASH_BYTES); shake256_absorb(&shakestate, D_sigma0_h0_sigma1, 2 * HASH_BYTES);
shake256_squeezeblocks(shakeblock, 1, shakestate); shake256_squeezeblocks(shakeblock, 1, &shakestate);
memcpy(h0, shakeblock, HASH_BYTES); memcpy(h0, shakeblock, HASH_BYTES);
@ -180,7 +180,7 @@ int PQCLEAN_MQDSS64_CLEAN_crypto_sign_signature(
alpha_count++; alpha_count++;
if (alpha_count == SHAKE256_RATE) { if (alpha_count == SHAKE256_RATE) {
alpha_count = 0; alpha_count = 0;
shake256_squeezeblocks(shakeblock, 1, shakestate); shake256_squeezeblocks(shakeblock, 1, &shakestate);
} }
} while (alpha == 31); } while (alpha == 31);
for (j = 0; j < N; j++) { for (j = 0; j < N; j++) {
@ -246,24 +246,24 @@ int PQCLEAN_MQDSS64_CLEAN_crypto_sign_verify(
gf31 z[M]; gf31 z[M];
unsigned char packbuf0[NPACKED_BYTES]; unsigned char packbuf0[NPACKED_BYTES];
unsigned char packbuf1[MPACKED_BYTES]; unsigned char packbuf1[MPACKED_BYTES];
uint64_t shakestate[25] = {0}; shake256ctx shakestate;
unsigned char shakeblock[SHAKE256_RATE]; unsigned char shakeblock[SHAKE256_RATE];
int i, j; int i, j;
gf31 alpha; gf31 alpha;
int alpha_count = 0; int alpha_count = 0;
int b; int b;
uint64_t s_inc[26]; shake256incctx state;
if (siglen != SIG_LEN) { if (siglen != SIG_LEN) {
return -1; return -1;
} }
shake256_inc_init(s_inc); shake256_inc_init(&state);
shake256_inc_absorb(s_inc, pk, PK_BYTES); shake256_inc_absorb(&state, pk, PK_BYTES);
shake256_inc_absorb(s_inc, sig, HASH_BYTES); shake256_inc_absorb(&state, sig, HASH_BYTES);
shake256_inc_absorb(s_inc, m, mlen); shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(s_inc); shake256_inc_finalize(&state);
shake256_inc_squeeze(D, HASH_BYTES, s_inc); shake256_inc_squeeze(D, HASH_BYTES, &state);
sig += HASH_BYTES; sig += HASH_BYTES;
@ -273,8 +273,8 @@ int PQCLEAN_MQDSS64_CLEAN_crypto_sign_verify(
memcpy(sigma0, sig, HASH_BYTES); memcpy(sigma0, sig, HASH_BYTES);
shake256_absorb(shakestate, D_sigma0_h0_sigma1, 2 * HASH_BYTES); shake256_absorb(&shakestate, D_sigma0_h0_sigma1, 2 * HASH_BYTES);
shake256_squeezeblocks(shakeblock, 1, shakestate); shake256_squeezeblocks(shakeblock, 1, &shakestate);
memcpy(h0, shakeblock, HASH_BYTES); memcpy(h0, shakeblock, HASH_BYTES);
@ -293,7 +293,7 @@ int PQCLEAN_MQDSS64_CLEAN_crypto_sign_verify(
alpha_count++; alpha_count++;
if (alpha_count == SHAKE256_RATE) { if (alpha_count == SHAKE256_RATE) {
alpha_count = 0; alpha_count = 0;
shake256_squeezeblocks(shakeblock, 1, shakestate); shake256_squeezeblocks(shakeblock, 1, &shakestate);
} }
} while (alpha == 31); } while (alpha == 31);
b = (h1[(i >> 3)] >> (i & 7)) & 1; b = (h1[(i >> 3)] >> (i & 7)) & 1;