From ca1add7baf7840615de3954233ceedcc424d2e20 Mon Sep 17 00:00:00 2001 From: "Matthias J. Kannwischer" Date: Tue, 18 Jun 2019 10:58:57 +0200 Subject: [PATCH 01/20] temporarily disable pre-processor test --- test/test_preprocessor.py | 36 ------------------------------------ 1 file changed, 36 deletions(-) delete mode 100644 test/test_preprocessor.py diff --git a/test/test_preprocessor.py b/test/test_preprocessor.py deleted file mode 100644 index 043b7a50..00000000 --- a/test/test_preprocessor.py +++ /dev/null @@ -1,36 +0,0 @@ -import pqclean -import helpers - - -def test_preprocessor(): - for scheme in pqclean.Scheme.all_schemes(): - for implementation in scheme.implementations: - yield check_preprocessor, implementation - - -@helpers.filtered_test -def check_preprocessor(implementation: pqclean.Implementation): - cfiles = implementation.cfiles() - hfiles = implementation.hfiles() - errors = [] - for file in hfiles + cfiles: - with open(file) as f: - for i, line in enumerate(f): - line = line.strip() - if file in hfiles and i == 0 and line.startswith('#ifndef'): - continue - if line.startswith('#if'): - errors.append("\n at {}:{}".format(file, i+1)) - if errors: - raise AssertionError( - "Prohibited use of preprocessor conditional" + "".join(errors) - ) - - -if __name__ == "__main__": - try: - import nose2 - nose2.main() - except ImportError: - import nose - nose.runmodule() From f18e464a682deac47ba7d63427f073e122a709ec Mon Sep 17 00:00:00 2001 From: "Matthias J. Kannwischer" Date: Tue, 18 Jun 2019 11:00:33 +0200 Subject: [PATCH 02/20] add Saber --- crypto_kem/saber/META.yml | 13 + crypto_kem/saber/clean/LICENSE | 1 + crypto_kem/saber/clean/Makefile | 19 + .../saber/clean/Makefile.Microsoft_nmake | 19 + crypto_kem/saber/clean/SABER_indcpa.c | 351 ++++++++++++++++++ crypto_kem/saber/clean/SABER_indcpa.h | 9 + crypto_kem/saber/clean/SABER_params.h | 63 ++++ crypto_kem/saber/clean/api.h | 16 + crypto_kem/saber/clean/cbd.c | 106 ++++++ crypto_kem/saber/clean/cbd.h | 16 + crypto_kem/saber/clean/kem.c | 78 ++++ crypto_kem/saber/clean/pack_unpack.c | 242 ++++++++++++ crypto_kem/saber/clean/pack_unpack.h | 28 ++ crypto_kem/saber/clean/poly.c | 27 ++ crypto_kem/saber/clean/poly.h | 25 ++ crypto_kem/saber/clean/poly_mul.c | 240 ++++++++++++ crypto_kem/saber/clean/poly_mul.h | 9 + crypto_kem/saber/clean/verify.c | 33 ++ crypto_kem/saber/clean/verify.h | 19 + 19 files changed, 1314 insertions(+) create mode 100644 crypto_kem/saber/META.yml create mode 100644 crypto_kem/saber/clean/LICENSE create mode 100644 crypto_kem/saber/clean/Makefile create mode 100644 crypto_kem/saber/clean/Makefile.Microsoft_nmake create mode 100644 crypto_kem/saber/clean/SABER_indcpa.c create mode 100644 crypto_kem/saber/clean/SABER_indcpa.h create mode 100644 crypto_kem/saber/clean/SABER_params.h create mode 100644 crypto_kem/saber/clean/api.h create mode 100644 crypto_kem/saber/clean/cbd.c create mode 100644 crypto_kem/saber/clean/cbd.h create mode 100644 crypto_kem/saber/clean/kem.c create mode 100644 crypto_kem/saber/clean/pack_unpack.c create mode 100644 crypto_kem/saber/clean/pack_unpack.h create mode 100644 crypto_kem/saber/clean/poly.c create mode 100644 crypto_kem/saber/clean/poly.h create mode 100644 crypto_kem/saber/clean/poly_mul.c create mode 100644 crypto_kem/saber/clean/poly_mul.h create mode 100644 crypto_kem/saber/clean/verify.c create mode 100644 crypto_kem/saber/clean/verify.h diff --git a/crypto_kem/saber/META.yml b/crypto_kem/saber/META.yml new file mode 100644 index 00000000..5cb3bb48 --- /dev/null +++ b/crypto_kem/saber/META.yml @@ -0,0 +1,13 @@ +name: Saber +type: kem +claimed-nist-level: 3 +claimed-security: IND-CCA2 +length-public-key: 992 +length-ciphertext: 1088 +length-secret-key: 2304 +length-shared-secret: 32 +nistkat-sha256: c9e2c16f41f162c607a1d5704107159e5e12713b9bb8c356b1d68b216e79096e +principal-submitter: Jan-Pieter D'Anvers, Angshuman Karmakar, Sujoy Sinha Roy, Frederik Vercauteren +implementations: + - name: clean + version: https://github.com/KULeuven-COSIC/SABER/commit/14ede83f1ff3bcc41f0464543542366c68b55871 diff --git a/crypto_kem/saber/clean/LICENSE b/crypto_kem/saber/clean/LICENSE new file mode 100644 index 00000000..1333ed77 --- /dev/null +++ b/crypto_kem/saber/clean/LICENSE @@ -0,0 +1 @@ +TODO diff --git a/crypto_kem/saber/clean/Makefile b/crypto_kem/saber/clean/Makefile new file mode 100644 index 00000000..2052d200 --- /dev/null +++ b/crypto_kem/saber/clean/Makefile @@ -0,0 +1,19 @@ +# This Makefile can be used with GNU Make or BSD Make + +LIB=libsaber_clean.a +HEADERS=api.h cbd.h poly.h poly_mul.h SABER_indcpa.h SABER_params.h verify.h pack_unpack.h +OBJECTS=cbd.o kem.o pack_unpack.o poly.o poly_mul.o SABER_indcpa.o verify.o + +CFLAGS=-O3 -Wall -Wextra -Wpedantic -Werror -Wmissing-prototypes -Wredundant-decls -std=c99 -I../../../common $(EXTRAFLAGS) + +all: $(LIB) + +%.o: %.c $(HEADERS) + $(CC) $(CFLAGS) -c -o $@ $< + +$(LIB): $(OBJECTS) + $(AR) -r $@ $(OBJECTS) + +clean: + $(RM) $(OBJECTS) + $(RM) $(LIB) diff --git a/crypto_kem/saber/clean/Makefile.Microsoft_nmake b/crypto_kem/saber/clean/Makefile.Microsoft_nmake new file mode 100644 index 00000000..8dff5705 --- /dev/null +++ b/crypto_kem/saber/clean/Makefile.Microsoft_nmake @@ -0,0 +1,19 @@ +# This Makefile can be used with Microsoft Visual Studio's nmake using the command: +# nmake /f Makefile.Microsoft_nmake + +LIBRARY=libsaber_clean.lib +OBJECTS=cbd.obj kem.obj pack_unpack.obj poly.obj poly_mul.obj SABER_indcpa.obj verify.obj + +CFLAGS=/nologo /I ..\..\..\common /W4 /WX + +all: $(LIBRARY) + +# Make sure objects are recompiled if headers change. +$(OBJECTS): *.h + +$(LIBRARY): $(OBJECTS) + LIB.EXE /NOLOGO /WX /OUT:$@ $** + +clean: + -DEL $(OBJECTS) + -DEL $(LIBRARY) diff --git a/crypto_kem/saber/clean/SABER_indcpa.c b/crypto_kem/saber/clean/SABER_indcpa.c new file mode 100644 index 00000000..ed62635f --- /dev/null +++ b/crypto_kem/saber/clean/SABER_indcpa.c @@ -0,0 +1,351 @@ +#include "SABER_indcpa.h" +#include "SABER_params.h" +#include "fips202.h" +#include "pack_unpack.h" +#include "poly.h" +#include "poly_mul.h" +#include "randombytes.h" +#include +#include + + + +/*----------------------------------------------------------------------------------- + This routine generates a=[Matrix K x K] of 256-coefficient polynomials +-------------------------------------------------------------------------------------*/ + +#define h1 4 //2^(EQ-EP-1) + +#define h2 ( (1<<(SABER_EP-2)) - (1<<(SABER_EP-SABER_ET-1)) + (1<<(SABER_EQ-SABER_EP-1)) ) + +static void InnerProd(uint16_t pkcl[SABER_K][SABER_N], uint16_t skpv[SABER_K][SABER_N], uint16_t mod, uint16_t res[SABER_N]); +static void MatrixVectorMul(polyvec *a, uint16_t skpv[SABER_K][SABER_N], uint16_t res[SABER_K][SABER_N], uint16_t mod, int16_t transpose); + +static void POL2MSG(const uint16_t *message_dec_unpacked, unsigned char *message_dec); + +static void GenMatrix(polyvec *a, const unsigned char *seed) { + unsigned int one_vector = 13 * SABER_N / 8; + unsigned int byte_bank_length = SABER_K * SABER_K * one_vector; + unsigned char buf[byte_bank_length]; + + uint16_t temp_ar[SABER_N]; + + int i, j, k; + uint16_t mod = (SABER_Q - 1); + + shake128(buf, byte_bank_length, seed, SABER_SEEDBYTES); + + for (i = 0; i < SABER_K; i++) { + for (j = 0; j < SABER_K; j++) { + PQCLEAN_SABER_CLEAN_BS2POL(buf + (i * SABER_K + j)*one_vector, temp_ar); + for (k = 0; k < SABER_N; k++) { + a[i].vec[j].coeffs[k] = (temp_ar[k])& mod ; + } + } + } + + +} + + +void PQCLEAN_SABER_CLEAN_indcpa_kem_keypair(unsigned char *pk, unsigned char *sk) { + polyvec a[SABER_K];// skpv; + + uint16_t skpv[SABER_K][SABER_N]; + + unsigned char seed[SABER_SEEDBYTES]; + unsigned char noiseseed[SABER_COINBYTES]; + int32_t i, j; + uint16_t mod_q = SABER_Q - 1; + + + uint16_t res[SABER_K][SABER_N]; + + randombytes(seed, SABER_SEEDBYTES); + shake128(seed, SABER_SEEDBYTES, seed, SABER_SEEDBYTES); // for not revealing system RNG state + randombytes(noiseseed, SABER_COINBYTES); + + GenMatrix(a, seed); //sample matrix A + + PQCLEAN_SABER_CLEAN_GenSecret(skpv, noiseseed); //generate secret from constant-time binomial distribution + + //------------------------do the matrix vector multiplication and rounding------------ + + for (i = 0; i < SABER_K; i++) { + for (j = 0; j < SABER_N; j++) { + res[i][j] = 0; + } + } + + MatrixVectorMul(a, skpv, res, SABER_Q - 1, 1); + + //-----now rounding + for (i = 0; i < SABER_K; i++) { //shift right 3 bits + for (j = 0; j < SABER_N; j++) { + res[i][j] = (res[i][j] + h1) & (mod_q); + res[i][j] = (res[i][j] >> (SABER_EQ - SABER_EP)); + } + } + + //------------------unload and pack sk=3 x (256 coefficients of 14 bits)------- + + PQCLEAN_SABER_CLEAN_POLVEC2BS(sk, skpv, SABER_Q); + + //------------------unload and pack pk=256 bits seed and 3 x (256 coefficients of 11 bits)------- + + + PQCLEAN_SABER_CLEAN_POLVEC2BS(pk, res, SABER_P); // load the public-key coefficients + + + + for (i = 0; i < SABER_SEEDBYTES; i++) { // now load the seedbytes in PK. Easy since seed bytes are kept in byte format. + pk[SABER_POLYVECCOMPRESSEDBYTES + i] = seed[i]; + } + +} + + +void PQCLEAN_SABER_CLEAN_indcpa_kem_enc(const unsigned char *message_received, unsigned char *noiseseed, const unsigned char *pk, unsigned char *ciphertext) { + uint32_t i, j, k; + polyvec a[SABER_K]; // skpv; + unsigned char seed[SABER_SEEDBYTES]; + uint16_t pkcl[SABER_K][SABER_N]; //public key of received by the client + + + + uint16_t skpv1[SABER_K][SABER_N]; + + uint16_t message[SABER_KEYBYTES * 8]; + + uint16_t res[SABER_K][SABER_N]; + uint16_t mod_p = SABER_P - 1; + uint16_t mod_q = SABER_Q - 1; + + uint16_t vprime[SABER_N]; + + + + unsigned char msk_c[SABER_SCALEBYTES_KEM]; + + for (i = 0; i < SABER_SEEDBYTES; i++) { // extract the seedbytes from Public Key. + seed[i] = pk[ SABER_POLYVECCOMPRESSEDBYTES + i]; + } + + GenMatrix(a, seed); + + PQCLEAN_SABER_CLEAN_GenSecret(skpv1, noiseseed); //generate secret from constant-time binomial distribution + + //-----------------matrix-vector multiplication and rounding + + for (i = 0; i < SABER_K; i++) { + for (j = 0; j < SABER_N; j++) { + res[i][j] = 0; + } + } + + MatrixVectorMul(a, skpv1, res, SABER_Q - 1, 0); + + //-----now rounding + + for (i = 0; i < SABER_K; i++) { //shift right 3 bits + for (j = 0; j < SABER_N; j++) { + res[i][j] = ( res[i][j] + h1 ) & mod_q; + res[i][j] = (res[i][j] >> (SABER_EQ - SABER_EP) ); + } + } + + PQCLEAN_SABER_CLEAN_POLVEC2BS(ciphertext, res, SABER_P); + +//*******************client matrix-vector multiplication ends************************************ + + //------now calculate the v' + + //-------unpack the public_key + + //pkcl is the b in the protocol + PQCLEAN_SABER_CLEAN_BS2POLVEC(pk, pkcl, SABER_P); + + + + for (i = 0; i < SABER_N; i++) { + vprime[i] = 0; + } + + for (i = 0; i < SABER_K; i++) { + for (j = 0; j < SABER_N; j++) { + skpv1[i][j] = skpv1[i][j] & (mod_p); + } + } + + // vector-vector scalar multiplication with mod p + InnerProd(pkcl, skpv1, mod_p, vprime); + + //addition of h1 to vprime + for (i = 0; i < SABER_N; i++) { + vprime[i] = vprime[i] + h1; + } + + + // unpack message_received; + for (j = 0; j < SABER_KEYBYTES; j++) { + for (i = 0; i < 8; i++) { + message[8 * j + i] = ((message_received[j] >> i) & 0x01); + } + } + + // message encoding + for (i = 0; i < SABER_N; i++) { + message[i] = (message[i] << (SABER_EP - 1)); + } + + + + + for (k = 0; k < SABER_N; k++) { + vprime[k] = ( (vprime[k] - message[k]) & (mod_p) ) >> (SABER_EP - SABER_ET); + } + + + #if Saber_type == 1 + PQCLEAN_SABER_CLEAN_pack_3bit(msk_c, vprime); + #elif Saber_type == 2 + PQCLEAN_SABER_CLEAN_pack_4bit(msk_c, vprime); + #elif Saber_type == 3 + PQCLEAN_SABER_CLEAN_pack_6bit(msk_c, vprime); + #endif + + + for (j = 0; j < SABER_SCALEBYTES_KEM; j++) { + ciphertext[SABER_POLYVECCOMPRESSEDBYTES + j] = msk_c[j]; + } +} + + +void PQCLEAN_SABER_CLEAN_indcpa_kem_dec(const unsigned char *sk, const unsigned char *ciphertext, unsigned char message_dec[]) { + + uint32_t i, j; + + + uint16_t sksv[SABER_K][SABER_N]; //secret key of the server + + + uint16_t pksv[SABER_K][SABER_N]; + + uint8_t scale_ar[SABER_SCALEBYTES_KEM]; + + uint16_t mod_p = SABER_P - 1; + + uint16_t v[SABER_N]; + + uint16_t op[SABER_N]; + + + PQCLEAN_SABER_CLEAN_BS2POLVEC(sk, sksv, SABER_Q); //sksv is the secret-key + PQCLEAN_SABER_CLEAN_BS2POLVEC(ciphertext, pksv, SABER_P); //pksv is the ciphertext + + // vector-vector scalar multiplication with mod p + for (i = 0; i < SABER_N; i++) { + v[i] = 0; + } + + for (i = 0; i < SABER_K; i++) { + for (j = 0; j < SABER_N; j++) { + sksv[i][j] = sksv[i][j] & (mod_p); + } + } + + InnerProd(pksv, sksv, mod_p, v); + + + //Extraction + for (i = 0; i < SABER_SCALEBYTES_KEM; i++) { + scale_ar[i] = ciphertext[SABER_POLYVECCOMPRESSEDBYTES + i]; + } + + #if Saber_type == 1 + PQCLEAN_SABER_CLEAN_un_pack3bit(scale_ar, op); + #elif Saber_type == 2 + PQCLEAN_SABER_CLEAN_un_pack4bit(scale_ar, op); + #elif Saber_type == 3 + PQCLEAN_SABER_CLEAN_un_pack6bit(scale_ar, op); + #endif + + + //addition of h1 + for (i = 0; i < SABER_N; i++) { + v[i] = ( ( v[i] + h2 - (op[i] << (SABER_EP - SABER_ET)) ) & (mod_p) ) >> (SABER_EP - 1); + } + + // pack decrypted message + + POL2MSG(v, message_dec); + + +} +static void MatrixVectorMul(polyvec *a, uint16_t skpv[SABER_K][SABER_N], uint16_t res[SABER_K][SABER_N], uint16_t mod, int16_t transpose) { + + uint16_t acc[SABER_N]; + int32_t i, j, k; + + if (transpose == 1) { + for (i = 0; i < SABER_K; i++) { + for (j = 0; j < SABER_K; j++) { + PQCLEAN_SABER_CLEAN_pol_mul((uint16_t *)&a[j].vec[i], skpv[j], acc, SABER_Q, SABER_N); + + for (k = 0; k < SABER_N; k++) { + res[i][k] = res[i][k] + acc[k]; + res[i][k] = (res[i][k] & mod); //reduction mod p + acc[k] = 0; //clear the accumulator + } + + } + } + } else { + + for (i = 0; i < SABER_K; i++) { + for (j = 0; j < SABER_K; j++) { + PQCLEAN_SABER_CLEAN_pol_mul((uint16_t *)&a[i].vec[j], skpv[j], acc, SABER_Q, SABER_N); + for (k = 0; k < SABER_N; k++) { + res[i][k] = res[i][k] + acc[k]; + res[i][k] = res[i][k] & mod; //reduction + acc[k] = 0; //clear the accumulator + } + + } + } + } + + +} + +static void POL2MSG(const uint16_t *message_dec_unpacked, unsigned char *message_dec) { + + int32_t i, j; + + for (j = 0; j < SABER_KEYBYTES; j++) { + message_dec[j] = 0; + for (i = 0; i < 8; i++) { + message_dec[j] = message_dec[j] | (message_dec_unpacked[j * 8 + i] << i); + } + } + +} + + +static void InnerProd(uint16_t pkcl[SABER_K][SABER_N], uint16_t skpv[SABER_K][SABER_N], uint16_t mod, uint16_t res[SABER_N]) { + + + uint32_t j, k; + uint16_t acc[SABER_N]; + + // vector-vector scalar multiplication with mod p + for (j = 0; j < SABER_K; j++) { + PQCLEAN_SABER_CLEAN_pol_mul(pkcl[j], skpv[j], acc, SABER_P, SABER_N); + + for (k = 0; k < SABER_N; k++) { + res[k] = res[k] + acc[k]; + res[k] = res[k] & mod; //reduction + acc[k] = 0; //clear the accumulator + } + } +} diff --git a/crypto_kem/saber/clean/SABER_indcpa.h b/crypto_kem/saber/clean/SABER_indcpa.h new file mode 100644 index 00000000..f8503f66 --- /dev/null +++ b/crypto_kem/saber/clean/SABER_indcpa.h @@ -0,0 +1,9 @@ +#ifndef INDCPA_H +#define INDCPA_H + +void PQCLEAN_SABER_CLEAN_indcpa_kem_keypair(unsigned char *pk, unsigned char *sk); +void PQCLEAN_SABER_CLEAN_indcpa_kem_enc(const unsigned char *message, unsigned char *noiseseed, const unsigned char *pk, unsigned char *ciphertext); +void PQCLEAN_SABER_CLEAN_indcpa_kem_dec(const unsigned char *sk, const unsigned char *ciphertext, unsigned char *message_dec); + +#endif + diff --git a/crypto_kem/saber/clean/SABER_params.h b/crypto_kem/saber/clean/SABER_params.h new file mode 100644 index 00000000..7d9ebf3b --- /dev/null +++ b/crypto_kem/saber/clean/SABER_params.h @@ -0,0 +1,63 @@ +#include "api.h" + +#ifndef PARAMS_H +#define PARAMS_H + + + +#if Saber_type == 1 +#define SABER_K 2 +#define SABER_MU 10 +#define SABER_ET 3 + +#elif Saber_type == 2 +#define SABER_K 3 +#define SABER_MU 8 +#define SABER_ET 4 + +#elif Saber_type == 3 +#define SABER_K 4 +#define SABER_MU 6 +#define SABER_ET 6 +#endif + +#define SABER_EQ 13 +#define SABER_EP 10 + +#define SABER_N 256 +#define SABER_Q 8192 +#define SABER_P 1024 + +#define SABER_SEEDBYTES 32 +#define SABER_NOISESEEDBYTES 32 +#define SABER_COINBYTES 32 +#define SABER_KEYBYTES 32 + +#define SABER_HASHBYTES 32 + +#define SABER_POLYBYTES 416 //13*256/8 + +#define SABER_POLYVECBYTES (SABER_K * SABER_POLYBYTES) + +#define SABER_POLYVECCOMPRESSEDBYTES (SABER_K * 320) //10*256/8 NOTE : changed till here due to parameter adaptation + +#define SABER_CIPHERTEXTBYTES (SABER_POLYVECCOMPRESSEDBYTES) + +#define SABER_SCALEBYTES (SABER_DELTA*SABER_N/8) + +#define SABER_SCALEBYTES_KEM ((SABER_ET)*SABER_N/8) + +#define SABER_INDCPA_PUBLICKEYBYTES (SABER_POLYVECCOMPRESSEDBYTES + SABER_SEEDBYTES) +#define SABER_INDCPA_SECRETKEYBYTES (SABER_POLYVECBYTES) + +#define SABER_PUBLICKEYBYTES (SABER_INDCPA_PUBLICKEYBYTES) + +#define SABER_SECRETKEYBYTES (SABER_INDCPA_SECRETKEYBYTES + SABER_INDCPA_PUBLICKEYBYTES + SABER_HASHBYTES + SABER_KEYBYTES) + +#define SABER_BYTES_CCA_DEC (SABER_POLYVECCOMPRESSEDBYTES + SABER_SCALEBYTES_KEM) /* Second part is for Targhi-Unruh */ + + + + +#endif + diff --git a/crypto_kem/saber/clean/api.h b/crypto_kem/saber/clean/api.h new file mode 100644 index 00000000..f54078a5 --- /dev/null +++ b/crypto_kem/saber/clean/api.h @@ -0,0 +1,16 @@ +#ifndef PQCLEAN_SABER_CLEAN_API_H +#define PQCLEAN_SABER_CLEAN_API_H + +#define PQCLEAN_SABER_CLEAN_CRYPTO_ALGNAME "Saber" +#define PQCLEAN_SABER_CLEAN_CRYPTO_SECRETKEYBYTES 2304 +#define PQCLEAN_SABER_CLEAN_CRYPTO_PUBLICKEYBYTES (3*320+32) +#define PQCLEAN_SABER_CLEAN_CRYPTO_BYTES 32 +#define PQCLEAN_SABER_CLEAN_CRYPTO_CIPHERTEXTBYTES 1088 + +#define Saber_type 2 + +int PQCLEAN_SABER_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk); +int PQCLEAN_SABER_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk); +int PQCLEAN_SABER_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk); + +#endif /* api_h */ diff --git a/crypto_kem/saber/clean/cbd.c b/crypto_kem/saber/clean/cbd.c new file mode 100644 index 00000000..f5d02deb --- /dev/null +++ b/crypto_kem/saber/clean/cbd.c @@ -0,0 +1,106 @@ +/*--------------------------------------------------------------------- +This file has been adapted from the implementation +(available at, Public Domain https://github.com/pq-crystals/kyber) +of "CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM" +by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint, +Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle +----------------------------------------------------------------------*/ + +#include "SABER_params.h" +#include "api.h" +#include "cbd.h" +#include + +static uint64_t load_littleendian(const unsigned char *x, int bytes) { + int i; + uint64_t r = x[0]; + for (i = 1; i < bytes; i++) { + r |= (uint64_t)x[i] << (8 * i); + } + return r; +} + + +void PQCLEAN_SABER_CLEAN_cbd(uint16_t *r, const unsigned char *buf) { + uint16_t Qmod_minus1 = SABER_Q - 1; + + #if Saber_type == 3 + uint32_t t, d, a[4], b[4]; + int i, j; + + for (i = 0; i < SABER_N / 4; i++) { + t = load_littleendian(buf + 3 * i, 3); + d = 0; + for (j = 0; j < 3; j++) { + d += (t >> j) & 0x249249; + } + + a[0] = d & 0x7; + b[0] = (d >> 3) & 0x7; + a[1] = (d >> 6) & 0x7; + b[1] = (d >> 9) & 0x7; + a[2] = (d >> 12) & 0x7; + b[2] = (d >> 15) & 0x7; + a[3] = (d >> 18) & 0x7; + b[3] = (d >> 21); + + r[4 * i + 0] = (uint16_t)(a[0] - b[0]) & Qmod_minus1; + r[4 * i + 1] = (uint16_t)(a[1] - b[1]) & Qmod_minus1; + r[4 * i + 2] = (uint16_t)(a[2] - b[2]) & Qmod_minus1; + r[4 * i + 3] = (uint16_t)(a[3] - b[3]) & Qmod_minus1; + + } + #elif Saber_type == 2 + uint32_t t, d, a[4], b[4]; + int i, j; + + for (i = 0; i < SABER_N / 4; i++) { + t = load_littleendian(buf + 4 * i, 4); + d = 0; + for (j = 0; j < 4; j++) { + d += (t >> j) & 0x11111111; + } + + a[0] = d & 0xf; + b[0] = (d >> 4) & 0xf; + a[1] = (d >> 8) & 0xf; + b[1] = (d >> 12) & 0xf; + a[2] = (d >> 16) & 0xf; + b[2] = (d >> 20) & 0xf; + a[3] = (d >> 24) & 0xf; + b[3] = (d >> 28); + + r[4 * i + 0] = (uint16_t)(a[0] - b[0]) & Qmod_minus1; + r[4 * i + 1] = (uint16_t)(a[1] - b[1]) & Qmod_minus1; + r[4 * i + 2] = (uint16_t)(a[2] - b[2]) & Qmod_minus1; + r[4 * i + 3] = (uint16_t)(a[3] - b[3]) & Qmod_minus1; + } + #elif Saber_type == 1 + uint64_t t, d, a[4], b[4]; + int i, j; + + for (i = 0; i < SABER_N / 4; i++) { + t = load_littleendian(buf + 5 * i, 5); + d = 0; + for (j = 0; j < 5; j++) { + d += (t >> j) & 0x0842108421UL; + } + + a[0] = d & 0x1f; + b[0] = (d >> 5) & 0x1f; + a[1] = (d >> 10) & 0x1f; + b[1] = (d >> 15) & 0x1f; + a[2] = (d >> 20) & 0x1f; + b[2] = (d >> 25) & 0x1f; + a[3] = (d >> 30) & 0x1f; + b[3] = (d >> 35); + + r[4 * i + 0] = (uint16_t)(a[0] - b[0]) & Qmod_minus1; + r[4 * i + 1] = (uint16_t)(a[1] - b[1]) & Qmod_minus1; + r[4 * i + 2] = (uint16_t)(a[2] - b[2]) & Qmod_minus1; + r[4 * i + 3] = (uint16_t)(a[3] - b[3]) & Qmod_minus1; + } + #else +#error "Unsupported SABER parameter." + #endif +} diff --git a/crypto_kem/saber/clean/cbd.h b/crypto_kem/saber/clean/cbd.h new file mode 100644 index 00000000..bfa975e6 --- /dev/null +++ b/crypto_kem/saber/clean/cbd.h @@ -0,0 +1,16 @@ +/*--------------------------------------------------------------------- +This file has been adapted from the implementation +(available at, Public Domain https://github.com/pq-crystals/kyber) +of "CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM" +by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint, +Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle +----------------------------------------------------------------------*/ +#ifndef CBD_H +#define CBD_H + +#include "poly.h" +#include + +void PQCLEAN_SABER_CLEAN_cbd(uint16_t *r, const unsigned char *buf); + +#endif diff --git a/crypto_kem/saber/clean/kem.c b/crypto_kem/saber/clean/kem.c new file mode 100644 index 00000000..5ee4a856 --- /dev/null +++ b/crypto_kem/saber/clean/kem.c @@ -0,0 +1,78 @@ +#include "SABER_indcpa.h" +#include "SABER_params.h" +#include "fips202.h" +#include "randombytes.h" +#include "verify.h" +#include +#include +#include + +int PQCLEAN_SABER_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) { + int i; + + PQCLEAN_SABER_CLEAN_indcpa_kem_keypair(pk, sk); // sk[0:SABER_INDCPA_SECRETKEYBYTES-1] <-- sk + for (i = 0; i < SABER_INDCPA_PUBLICKEYBYTES; i++) { + sk[i + SABER_INDCPA_SECRETKEYBYTES] = pk[i]; // sk[SABER_INDCPA_SECRETKEYBYTES:SABER_INDCPA_SECRETKEYBYTES+SABER_INDCPA_SECRETKEYBYTES-1] <-- pk + } + + sha3_256(sk + SABER_SECRETKEYBYTES - 64, pk, SABER_INDCPA_PUBLICKEYBYTES); // Then hash(pk) is appended. + + randombytes(sk + SABER_SECRETKEYBYTES - SABER_KEYBYTES, SABER_KEYBYTES ); // Remaining part of sk contains a pseudo-random number. + // This is output when check in crypto_kem_dec() fails. + return (0); +} + +int PQCLEAN_SABER_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) { + + unsigned char kr[64]; // Will contain key, coins + unsigned char buf[64]; + + randombytes(buf, 32); + + sha3_256(buf, buf, 32); // BUF[0:31] <-- random message (will be used as the key for client) Note: hash doesnot release system RNG output + + sha3_256(buf + 32, pk, SABER_INDCPA_PUBLICKEYBYTES); // BUF[32:63] <-- Hash(public key); Multitarget countermeasure for coins + contributory KEM + + sha3_512(kr, buf, 64); // kr[0:63] <-- Hash(buf[0:63]); + // K^ <-- kr[0:31] + // noiseseed (r) <-- kr[32:63]; + PQCLEAN_SABER_CLEAN_indcpa_kem_enc(buf, kr + 32, pk, ct); // buf[0:31] contains message; kr[32:63] contains randomness r; + + sha3_256(kr + 32, ct, SABER_BYTES_CCA_DEC); + + sha3_256(ss, kr, 64); // hash concatenation of pre-k and h(c) to k + + return (0); +} + + +int PQCLEAN_SABER_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) { + int i, fail; + unsigned char cmp[SABER_BYTES_CCA_DEC]; + unsigned char buf[64]; + unsigned char kr[64]; // Will contain key, coins + const unsigned char *pk = sk + SABER_INDCPA_SECRETKEYBYTES; + + PQCLEAN_SABER_CLEAN_indcpa_kem_dec(sk, ct, buf); // buf[0:31] <-- message + + + // Multitarget countermeasure for coins + contributory KEM + for (i = 0; i < 32; i++) { // Save hash by storing h(pk) in sk + buf[32 + i] = sk[SABER_SECRETKEYBYTES - 64 + i]; + } + + sha3_512(kr, buf, 64); + + PQCLEAN_SABER_CLEAN_indcpa_kem_enc(buf, kr + 32, pk, cmp); + + + fail = PQCLEAN_SABER_CLEAN_verify(ct, cmp, SABER_BYTES_CCA_DEC); + + sha3_256(kr + 32, ct, SABER_BYTES_CCA_DEC); // overwrite coins in kr with h(c) + + PQCLEAN_SABER_CLEAN_cmov(kr, sk + SABER_SECRETKEYBYTES - SABER_KEYBYTES, SABER_KEYBYTES, fail); + + sha3_256(ss, kr, 64); // hash concatenation of pre-k and h(c) to k + + return (0); +} diff --git a/crypto_kem/saber/clean/pack_unpack.c b/crypto_kem/saber/clean/pack_unpack.c new file mode 100644 index 00000000..fa210fcc --- /dev/null +++ b/crypto_kem/saber/clean/pack_unpack.c @@ -0,0 +1,242 @@ +#include "pack_unpack.h" + +void PQCLEAN_SABER_CLEAN_pack_3bit(uint8_t *bytes, const uint16_t *data) { + + uint32_t j; + uint32_t offset_data, offset_byte; + + for (j = 0; j < SABER_N / 8; j++) { + offset_byte = 3 * j; + offset_data = 8 * j; + bytes[offset_byte + 0] = (data[offset_data + 0] & 0x7) | ( (data[offset_data + 1] & 0x7) << 3 ) | ((data[offset_data + 2] & 0x3) << 6); + bytes[offset_byte + 1] = ((data[offset_data + 2] >> 2 ) & 0x01) | ( (data[offset_data + 3] & 0x7) << 1 ) | ( (data[offset_data + 4] & 0x7) << 4 ) | (((data[offset_data + 5]) & 0x01) << 7); + bytes[offset_byte + 2] = ((data[offset_data + 5] >> 1 ) & 0x03) | ( (data[offset_data + 6] & 0x7) << 2 ) | ( (data[offset_data + 7] & 0x7) << 5 ); + } +} + +void PQCLEAN_SABER_CLEAN_un_pack3bit(const uint8_t *bytes, uint16_t *data) { + + uint32_t j; + uint32_t offset_data, offset_byte; + + for (j = 0; j < SABER_N / 8; j++) { + offset_byte = 3 * j; + offset_data = 8 * j; + data[offset_data + 0] = (bytes[offset_byte + 0]) & 0x07; + data[offset_data + 1] = ( (bytes[offset_byte + 0]) >> 3 ) & 0x07; + data[offset_data + 2] = ( ( (bytes[offset_byte + 0]) >> 6 ) & 0x03) | ( ( (bytes[offset_byte + 1]) & 0x01) << 2 ); + data[offset_data + 3] = ( (bytes[offset_byte + 1]) >> 1 ) & 0x07; + data[offset_data + 4] = ( (bytes[offset_byte + 1]) >> 4 ) & 0x07; + data[offset_data + 5] = ( ( (bytes[offset_byte + 1]) >> 7 ) & 0x01) | ( ( (bytes[offset_byte + 2]) & 0x03) << 1 ); + data[offset_data + 6] = ( (bytes[offset_byte + 2] >> 2) & 0x07 ); + data[offset_data + 7] = ( (bytes[offset_byte + 2] >> 5) & 0x07 ); + } + +} + +void PQCLEAN_SABER_CLEAN_pack_4bit(uint8_t *bytes, const uint16_t *data) { + + uint32_t j; + uint32_t offset_data; + + for (j = 0; j < SABER_N / 2; j++) { + offset_data = 2 * j; + bytes[j] = (data[offset_data] & 0x0f) | ( (data[offset_data + 1] & 0x0f) << 4 ); + } +} + +void PQCLEAN_SABER_CLEAN_un_pack4bit(const unsigned char *bytes, uint16_t *ar) { + + uint32_t j; + uint32_t offset_data; + + for (j = 0; j < SABER_N / 2; j++) { + offset_data = 2 * j; + ar[offset_data] = bytes[j] & 0x0f; + ar[offset_data + 1] = (bytes[j] >> 4) & 0x0f; + } +} + +void PQCLEAN_SABER_CLEAN_pack_6bit(uint8_t *bytes, const uint16_t *data) { + uint32_t j; + uint32_t offset_data, offset_byte; + + for (j = 0; j < SABER_N / 4; j++) { + offset_byte = 3 * j; + offset_data = 4 * j; + bytes[offset_byte + 0] = (data[offset_data + 0] & 0x3f) | ((data[offset_data + 1] & 0x03) << 6); + bytes[offset_byte + 1] = ((data[offset_data + 1] >> 2) & 0x0f) | ((data[offset_data + 2] & 0x0f) << 4); + bytes[offset_byte + 2] = ((data[offset_data + 2] >> 4) & 0x03) | ((data[offset_data + 3] & 0x3f) << 2); + } +} + + +void PQCLEAN_SABER_CLEAN_un_pack6bit(const unsigned char *bytes, uint16_t *data) { + uint32_t j; + uint32_t offset_data, offset_byte; + + for (j = 0; j < SABER_N / 4; j++) { + offset_byte = 3 * j; + offset_data = 4 * j; + data[offset_data + 0] = bytes[offset_byte + 0] & 0x3f; + data[offset_data + 1] = ((bytes[offset_byte + 0] >> 6) & 0x03) | ((bytes[offset_byte + 1] & 0x0f) << 2) ; + data[offset_data + 2] = ((bytes[offset_byte + 1] & 0xff) >> 4) | ((bytes[offset_byte + 2] & 0x03) << 4) ; + data[offset_data + 3] = ((bytes[offset_byte + 2] & 0xff) >> 2); + } + +} + + +static void POLVECp2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N]) { + uint32_t i, j; + uint32_t offset_data, offset_byte, offset_byte1; + + for (i = 0; i < SABER_K; i++) { + offset_byte1 = i * (SABER_N * 10) / 8; + for (j = 0; j < SABER_N / 4; j++) { + offset_byte = offset_byte1 + 5 * j; + offset_data = 4 * j; + bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff)); + + bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x03 ) | ((data[i][ offset_data + 1 ] & 0x3f) << 2); + + bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 6) & 0x0f ) | ( (data[i][ offset_data + 2 ] & 0x0f) << 4); + + bytes[offset_byte + 3] = ( (data[i][ offset_data + 2 ] >> 4) & 0x3f ) | ((data[i][ offset_data + 3 ] & 0x03) << 6); + + bytes[offset_byte + 4] = ( (data[i][ offset_data + 3 ] >> 2) & 0xff ); + } + } + + +} + +static void BS2POLVECp(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N]) { + + uint32_t i, j; + uint32_t offset_data, offset_byte, offset_byte1; + + for (i = 0; i < SABER_K; i++) { + offset_byte1 = i * (SABER_N * 10) / 8; + for (j = 0; j < SABER_N / 4; j++) { + offset_byte = offset_byte1 + 5 * j; + offset_data = 4 * j; + data[i][offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[ offset_byte + 1 ] & 0x03) << 8); + data[i][offset_data + 1] = ( (bytes[ offset_byte + 1 ] >> 2) & (0x3f)) | ((bytes[ offset_byte + 2 ] & 0x0f) << 6); + data[i][offset_data + 2] = ( (bytes[ offset_byte + 2 ] >> 4) & (0x0f)) | ((bytes[ offset_byte + 3 ] & 0x3f) << 4); + data[i][offset_data + 3] = ( (bytes[ offset_byte + 3 ] >> 6) & (0x03)) | ((bytes[ offset_byte + 4 ] & 0xff) << 2); + + } + } + + +} + + + +static void POLVECq2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N]) { + + uint32_t i, j; + uint32_t offset_data, offset_byte, offset_byte1; + + for (i = 0; i < SABER_K; i++) { + offset_byte1 = i * (SABER_N * 13) / 8; + for (j = 0; j < SABER_N / 8; j++) { + offset_byte = offset_byte1 + 13 * j; + offset_data = 8 * j; + bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff)); + + bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x1f ) | ((data[i][ offset_data + 1 ] & 0x07) << 5); + + bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 3) & 0xff ); + + bytes[offset_byte + 3] = ( (data[i][ offset_data + 1 ] >> 11) & 0x03 ) | ((data[i][ offset_data + 2 ] & 0x3f) << 2); + + bytes[offset_byte + 4] = ( (data[i][ offset_data + 2 ] >> 6) & 0x7f ) | ( (data[i][ offset_data + 3 ] & 0x01) << 7 ); + + bytes[offset_byte + 5] = ( (data[i][ offset_data + 3 ] >> 1) & 0xff ); + + bytes[offset_byte + 6] = ( (data[i][ offset_data + 3 ] >> 9) & 0x0f ) | ( (data[i][ offset_data + 4 ] & 0x0f) << 4 ); + + bytes[offset_byte + 7] = ( (data[i][ offset_data + 4] >> 4) & 0xff ); + + bytes[offset_byte + 8] = ( (data[i][ offset_data + 4 ] >> 12) & 0x01 ) | ( (data[i][ offset_data + 5 ] & 0x7f) << 1 ); + + bytes[offset_byte + 9] = ( (data[i][ offset_data + 5 ] >> 7) & 0x3f ) | ( (data[i][ offset_data + 6 ] & 0x03) << 6 ); + + bytes[offset_byte + 10] = ( (data[i][ offset_data + 6 ] >> 2) & 0xff ); + + bytes[offset_byte + 11] = ( (data[i][ offset_data + 6 ] >> 10) & 0x07 ) | ( (data[i][ offset_data + 7 ] & 0x1f) << 3 ); + + bytes[offset_byte + 12] = ( (data[i][ offset_data + 7 ] >> 5) & 0xff ); + + } + } + + +} + +static void BS2POLVECq(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N]) { + + uint32_t i, j; + uint32_t offset_data, offset_byte, offset_byte1; + + for (i = 0; i < SABER_K; i++) { + offset_byte1 = i * (SABER_N * 13) / 8; + for (j = 0; j < SABER_N / 8; j++) { + offset_byte = offset_byte1 + 13 * j; + offset_data = 8 * j; + data[i][offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[offset_byte + 1] & 0x1f) << 8); + data[i][offset_data + 1] = ( bytes[ offset_byte + 1 ] >> 5 & (0x07)) | ((bytes[offset_byte + 2] & 0xff) << 3) | ((bytes[offset_byte + 3] & 0x03) << 11); + data[i][offset_data + 2] = ( bytes[ offset_byte + 3 ] >> 2 & (0x3f)) | ((bytes[offset_byte + 4] & 0x7f) << 6); + data[i][offset_data + 3] = ( bytes[ offset_byte + 4 ] >> 7 & (0x01)) | ((bytes[offset_byte + 5] & 0xff) << 1) | ((bytes[offset_byte + 6] & 0x0f) << 9); + data[i][offset_data + 4] = ( bytes[ offset_byte + 6 ] >> 4 & (0x0f)) | ((bytes[offset_byte + 7] & 0xff) << 4) | ((bytes[offset_byte + 8] & 0x01) << 12); + data[i][offset_data + 5] = ( bytes[ offset_byte + 8] >> 1 & (0x7f)) | ((bytes[offset_byte + 9] & 0x3f) << 7); + data[i][offset_data + 6] = ( bytes[ offset_byte + 9] >> 6 & (0x03)) | ((bytes[offset_byte + 10] & 0xff) << 2) | ((bytes[offset_byte + 11] & 0x07) << 10); + data[i][offset_data + 7] = ( bytes[ offset_byte + 11] >> 3 & (0x1f)) | ((bytes[offset_byte + 12] & 0xff) << 5); + } + } + + +} + +void PQCLEAN_SABER_CLEAN_BS2POL(const unsigned char *bytes, uint16_t data[SABER_N]) { //only BS2POLq no BS2POLp + + uint32_t j; + uint32_t offset_data, offset_byte; + + for (j = 0; j < SABER_N / 8; j++) { + offset_byte = 13 * j; + offset_data = 8 * j; + data[offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[offset_byte + 1] & 0x1f) << 8); + data[offset_data + 1] = ( bytes[ offset_byte + 1 ] >> 5 & (0x07)) | ((bytes[offset_byte + 2] & 0xff) << 3) | ((bytes[offset_byte + 3] & 0x03) << 11); + data[offset_data + 2] = ( bytes[ offset_byte + 3 ] >> 2 & (0x3f)) | ((bytes[offset_byte + 4] & 0x7f) << 6); + data[offset_data + 3] = ( bytes[ offset_byte + 4 ] >> 7 & (0x01)) | ((bytes[offset_byte + 5] & 0xff) << 1) | ((bytes[offset_byte + 6] & 0x0f) << 9); + data[offset_data + 4] = ( bytes[ offset_byte + 6 ] >> 4 & (0x0f)) | ((bytes[offset_byte + 7] & 0xff) << 4) | ((bytes[offset_byte + 8] & 0x01) << 12); + data[offset_data + 5] = ( bytes[ offset_byte + 8] >> 1 & (0x7f)) | ((bytes[offset_byte + 9] & 0x3f) << 7); + data[offset_data + 6] = ( bytes[ offset_byte + 9] >> 6 & (0x03)) | ((bytes[offset_byte + 10] & 0xff) << 2) | ((bytes[offset_byte + 11] & 0x07) << 10); + data[offset_data + 7] = ( bytes[ offset_byte + 11] >> 3 & (0x1f)) | ((bytes[offset_byte + 12] & 0xff) << 5); + } + + +} + + +void PQCLEAN_SABER_CLEAN_POLVEC2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus) { + + if (modulus == 1024) { + POLVECp2BS(bytes, data); + } else if (modulus == 8192) { + POLVECq2BS(bytes, data); + } +} + +void PQCLEAN_SABER_CLEAN_BS2POLVEC(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus) { + + if (modulus == 1024) { + BS2POLVECp(bytes, data); + } else if (modulus == 8192) { + BS2POLVECq(bytes, data); + } + +} diff --git a/crypto_kem/saber/clean/pack_unpack.h b/crypto_kem/saber/clean/pack_unpack.h new file mode 100644 index 00000000..2431a217 --- /dev/null +++ b/crypto_kem/saber/clean/pack_unpack.h @@ -0,0 +1,28 @@ +#ifndef PACK_UNPACK_H +#define PACK_UNPACK_H + +#include "SABER_params.h" +#include +#include + + +void PQCLEAN_SABER_CLEAN_pack_3bit(uint8_t *bytes, const uint16_t *data); + +void PQCLEAN_SABER_CLEAN_un_pack3bit(const uint8_t *bytes, uint16_t *data); + +void PQCLEAN_SABER_CLEAN_pack_4bit(uint8_t *bytes, const uint16_t *data); + +void PQCLEAN_SABER_CLEAN_un_pack4bit(const unsigned char *bytes, uint16_t *ar); + +void PQCLEAN_SABER_CLEAN_pack_6bit(uint8_t *bytes, const uint16_t *data); + +void PQCLEAN_SABER_CLEAN_un_pack6bit(const unsigned char *bytes, uint16_t *data); + + +void PQCLEAN_SABER_CLEAN_BS2POL(const unsigned char *bytes, uint16_t data[SABER_N]); + +void PQCLEAN_SABER_CLEAN_POLVEC2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus); + +void PQCLEAN_SABER_CLEAN_BS2POLVEC(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus); + +#endif diff --git a/crypto_kem/saber/clean/poly.c b/crypto_kem/saber/clean/poly.c new file mode 100644 index 00000000..6004529d --- /dev/null +++ b/crypto_kem/saber/clean/poly.c @@ -0,0 +1,27 @@ +/*--------------------------------------------------------------------- +This file has been adapted from the implementation +(available at, Public Domain https://github.com/pq-crystals/kyber) +of "CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM" +by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint, +Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle +----------------------------------------------------------------------*/ +#include "api.h" +#include "cbd.h" +#include "fips202.h" +#include "poly.h" + +void PQCLEAN_SABER_CLEAN_GenSecret(uint16_t r[SABER_K][SABER_N], const unsigned char *seed) { + + + uint32_t i; + + int32_t buf_size = SABER_MU * SABER_N * SABER_K / 8; + + uint8_t buf[buf_size]; + + shake128(buf, buf_size, seed, SABER_NOISESEEDBYTES); + + for (i = 0; i < SABER_K; i++) { + PQCLEAN_SABER_CLEAN_cbd(r[i], buf + i * SABER_MU * SABER_N / 8); + } +} diff --git a/crypto_kem/saber/clean/poly.h b/crypto_kem/saber/clean/poly.h new file mode 100644 index 00000000..cfd7d9df --- /dev/null +++ b/crypto_kem/saber/clean/poly.h @@ -0,0 +1,25 @@ +/*--------------------------------------------------------------------- +This file has been adapted from the implementation +(available at, Public Domain https://github.com/pq-crystals/kyber) +of "CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM" +by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint, +Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle +----------------------------------------------------------------------*/ + +#ifndef POLY_H +#define POLY_H + +#include "SABER_params.h" +#include + +typedef struct { + uint16_t coeffs[SABER_N]; +} poly; + +typedef struct { + poly vec[SABER_K]; +} polyvec; + +void PQCLEAN_SABER_CLEAN_GenSecret(uint16_t r[SABER_K][SABER_N], const unsigned char *seed); + +#endif diff --git a/crypto_kem/saber/clean/poly_mul.c b/crypto_kem/saber/clean/poly_mul.c new file mode 100644 index 00000000..60ff22de --- /dev/null +++ b/crypto_kem/saber/clean/poly_mul.c @@ -0,0 +1,240 @@ +#include "poly_mul.h" +#include +#include +#include +#include + +#define SCHB_N 16 + +#define N_RES (SABER_N << 1) +#define N_SB (SABER_N >> 2) +#define N_SB_RES (2*N_SB-1) + +static void karatsuba_simple(const uint16_t *a_1, const uint16_t *b_1, uint16_t *result_final) { //uses 10 registers + + uint16_t N = 64; + uint16_t d01[N / 2 - 1]; + uint16_t d0123[N / 2 - 1]; + uint16_t d23[N / 2 - 1]; + uint16_t result_d01[N - 1]; + + int32_t i, j; + + memset(result_d01, 0, (N - 1)*sizeof(uint16_t)); + memset(d01, 0, (N / 2 - 1)*sizeof(uint16_t)); + memset(d0123, 0, (N / 2 - 1)*sizeof(uint16_t)); + memset(d23, 0, (N / 2 - 1)*sizeof(uint16_t)); + memset(result_final, 0, (2 * N - 1)*sizeof(uint16_t)); + + uint16_t acc1, acc2, acc3, acc4, acc5, acc6, acc7, acc8, acc9, acc10; + + + for (i = 0; i < N / 4; i++) { + acc1 = a_1[i]; //a0 + acc2 = a_1[i + N / 4]; //a1 + acc3 = a_1[i + 2 * N / 4]; //a2 + acc4 = a_1[i + 3 * N / 4]; //a3 + for (j = 0; j < N / 4; j++) { + + acc5 = b_1[j]; //b0 + acc6 = b_1[j + N / 4]; //b1 + + result_final[i + j + 0 * N / 4] = result_final[i + j + 0 * N / 4] + acc1 * acc5; + result_final[i + j + 2 * N / 4] = result_final[i + j + 2 * N / 4] + acc2 * acc6; + + acc7 = acc5 + acc6; //b01 + acc8 = acc1 + acc2; //a01 + d01[i + j] = d01[i + j] + acc7 * acc8; + //-------------------------------------------------------- + + acc7 = b_1[j + 2 * N / 4]; //b2 + acc8 = b_1[j + 3 * N / 4]; //b3 + result_final[i + j + 4 * N / 4] = result_final[i + j + 4 * N / 4] + acc7 * acc3; + + result_final[i + j + 6 * N / 4] = result_final[i + j + 6 * N / 4] + acc8 * acc4; + + acc9 = acc3 + acc4; + acc10 = acc7 + acc8; + d23[i + j] = d23[i + j] + acc9 * acc10; + //-------------------------------------------------------- + + acc5 = acc5 + acc7; //b02 + acc7 = acc1 + acc3; //a02 + result_d01[i + j + 0 * N / 4] = result_d01[i + j + 0 * N / 4] + acc5 * acc7; + + acc6 = acc6 + acc8; //b13 + acc8 = acc2 + acc4; + result_d01[i + j + 2 * N / 4] = result_d01[i + j + 2 * N / 4] + acc6 * acc8; + + acc5 = acc5 + acc6; + acc7 = acc7 + acc8; + d0123[i + j] = d0123[i + j] + acc5 * acc7; + } + } + +//------------------2nd last stage------------------------- + + for (i = 0; i < N / 2 - 1; i++) { + d0123[i] = d0123[i] - result_d01[i + 0 * N / 4] - result_d01[i + 2 * N / 4]; + d01[i] = d01[i] - result_final[i + 0 * N / 4] - result_final[i + 2 * N / 4]; + d23[i] = d23[i] - result_final[i + 4 * N / 4] - result_final[i + 6 * N / 4]; + } + + for (i = 0; i < N / 2 - 1; i++) { + result_d01[i + 1 * N / 4] = result_d01[i + 1 * N / 4] + d0123[i]; + result_final[i + 1 * N / 4] = result_final[i + 1 * N / 4] + d01[i]; + result_final[i + 5 * N / 4] = result_final[i + 5 * N / 4] + d23[i]; + } + +//------------Last stage--------------------------- + for (i = 0; i < N - 1; i++) { + result_d01[i] = result_d01[i] - result_final[i] - result_final[i + N]; + } + + for (i = 0; i < N - 1; i++) { + result_final[i + 1 * N / 2] = result_final[i + 1 * N / 2] + result_d01[i]; //-result_d0[i]-result_d1[i]; + } + +} + +static void toom_cook_4way (const uint16_t *a1, const uint16_t *b1, uint16_t *result) { + uint16_t inv3 = 43691, inv9 = 36409, inv15 = 61167; + + uint16_t aw1[N_SB], aw2[N_SB], aw3[N_SB], aw4[N_SB], aw5[N_SB], aw6[N_SB], aw7[N_SB]; + uint16_t bw1[N_SB], bw2[N_SB], bw3[N_SB], bw4[N_SB], bw5[N_SB], bw6[N_SB], bw7[N_SB]; + uint16_t w1[N_SB_RES] = {0}, w2[N_SB_RES] = {0}, w3[N_SB_RES] = {0}, w4[N_SB_RES] = {0}, + w5[N_SB_RES] = {0}, w6[N_SB_RES] = {0}, w7[N_SB_RES] = {0}; + uint16_t r0, r1, r2, r3, r4, r5, r6, r7; + uint16_t *A0, *A1, *A2, *A3, *B0, *B1, *B2, *B3; + A0 = (uint16_t *)a1; + A1 = (uint16_t *)&a1[N_SB]; + A2 = (uint16_t *)&a1[2 * N_SB]; + A3 = (uint16_t *)&a1[3 * N_SB]; + B0 = (uint16_t *)b1; + B1 = (uint16_t *)&b1[N_SB]; + B2 = (uint16_t *)&b1[2 * N_SB]; + B3 = (uint16_t *)&b1[3 * N_SB]; + + uint16_t *C; + C = result; + + int i, j; + +// EVALUATION + for (j = 0; j < N_SB; ++j) { + r0 = A0[j]; + r1 = A1[j]; + r2 = A2[j]; + r3 = A3[j]; + r4 = r0 + r2; + r5 = r1 + r3; + r6 = r4 + r5; + r7 = r4 - r5; + aw3[j] = r6; + aw4[j] = r7; + r4 = ((r0 << 2) + r2) << 1; + r5 = (r1 << 2) + r3; + r6 = r4 + r5; + r7 = r4 - r5; + aw5[j] = r6; + aw6[j] = r7; + r4 = (r3 << 3) + (r2 << 2) + (r1 << 1) + r0; + aw2[j] = r4; + aw7[j] = r0; + aw1[j] = r3; + } + for (j = 0; j < N_SB; ++j) { + r0 = B0[j]; + r1 = B1[j]; + r2 = B2[j]; + r3 = B3[j]; + r4 = r0 + r2; + r5 = r1 + r3; + r6 = r4 + r5; + r7 = r4 - r5; + bw3[j] = r6; + bw4[j] = r7; + r4 = ((r0 << 2) + r2) << 1; + r5 = (r1 << 2) + r3; + r6 = r4 + r5; + r7 = r4 - r5; + bw5[j] = r6; + bw6[j] = r7; + r4 = (r3 << 3) + (r2 << 2) + (r1 << 1) + r0; + bw2[j] = r4; + bw7[j] = r0; + bw1[j] = r3; + } + +// MULTIPLICATION + + karatsuba_simple(aw1, bw1, w1); + karatsuba_simple(aw2, bw2, w2); + karatsuba_simple(aw3, bw3, w3); + karatsuba_simple(aw4, bw4, w4); + karatsuba_simple(aw5, bw5, w5); + karatsuba_simple(aw6, bw6, w6); + karatsuba_simple(aw7, bw7, w7); + +// INTERPOLATION + for (i = 0; i < N_SB_RES; ++i) { + r0 = w1[i]; + r1 = w2[i]; + r2 = w3[i]; + r3 = w4[i]; + r4 = w5[i]; + r5 = w6[i]; + r6 = w7[i]; + + r1 = r1 + r4; + r5 = r5 - r4; + r3 = ((r3 - r2) >> 1); + r4 = r4 - r0; + r4 = r4 - (r6 << 6); + r4 = (r4 << 1) + r5; + r2 = r2 + r3; + r1 = r1 - (r2 << 6) - r2; + r2 = r2 - r6; + r2 = r2 - r0; + r1 = r1 + 45 * r2; + r4 = (((r4 - (r2 << 3)) * inv3) >> 3); + r5 = r5 + r1; + r1 = (((r1 + (r3 << 4)) * inv9) >> 1); + r3 = -(r3 + r1); + r5 = (((30 * r1 - r5) * inv15) >> 2); + r2 = r2 - r4; + r1 = r1 - r5; + + C[i] += r6; + C[i + 64] += r5; + C[i + 128] += r4; + C[i + 192] += r3; + C[i + 256] += r2; + C[i + 320] += r1; + C[i + 384] += r0; + } +} + +void PQCLEAN_SABER_CLEAN_pol_mul(uint16_t *a, uint16_t *b, uint16_t *res, uint16_t p, uint32_t n) { + // Polynomial multiplication using the schoolbook method, c[x] = a[x]*b[x] + // SECURITY NOTE: TO BE USED FOR TESTING ONLY. + + uint32_t i; + + //-------------------normal multiplication----------------- + + uint16_t c[512]; + + for (i = 0; i < 512; i++) { + c[i] = 0; + } + + toom_cook_4way(a, b, c); + + //---------------reduction------- + for (i = n; i < 2 * n; i++) { + res[i - n] = (c[i - n] - c[i]) & (p - 1); + } + + +} diff --git a/crypto_kem/saber/clean/poly_mul.h b/crypto_kem/saber/clean/poly_mul.h new file mode 100644 index 00000000..f813be10 --- /dev/null +++ b/crypto_kem/saber/clean/poly_mul.h @@ -0,0 +1,9 @@ +#ifndef POLYMUL_H +#define POLYMUL_H + +#include "SABER_params.h" +#include + +void PQCLEAN_SABER_CLEAN_pol_mul(uint16_t *a, uint16_t *b, uint16_t *res, uint16_t p, uint32_t n); + +#endif diff --git a/crypto_kem/saber/clean/verify.c b/crypto_kem/saber/clean/verify.c new file mode 100644 index 00000000..2c0f3e07 --- /dev/null +++ b/crypto_kem/saber/clean/verify.c @@ -0,0 +1,33 @@ +/*------------------------------------------------- +This file has been adapted from the implementation +(available at https://github.com/pq-crystals/kyber) of +"CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM" + by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint, +Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle +----------------------------------------------------*/ +#include "verify.h" +#include + +/* returns 0 for equal strings, 1 for non-equal strings */ +int PQCLEAN_SABER_CLEAN_verify(const unsigned char *a, const unsigned char *b, size_t len) { + uint64_t r; + size_t i; + r = 0; + + for (i = 0; i < len; i++) { + r |= a[i] ^ b[i]; + } + + r = (-r) >> 63; + return r; +} + +/* b = 1 means mov, b = 0 means don't mov*/ +void PQCLEAN_SABER_CLEAN_cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b) { + size_t i; + + b = -b; + for (i = 0; i < len; i++) { + r[i] ^= b & (x[i] ^ r[i]); + } +} diff --git a/crypto_kem/saber/clean/verify.h b/crypto_kem/saber/clean/verify.h new file mode 100644 index 00000000..8c0450a4 --- /dev/null +++ b/crypto_kem/saber/clean/verify.h @@ -0,0 +1,19 @@ +/*------------------------------------------------- +This file has been adapted from the implementation +(available at https://github.com/pq-crystals/kyber) of +"CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM" + by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint, +Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle +----------------------------------------------------*/ +#ifndef VERIFY_H +#define VERIFY_H + +#include + +/* returns 0 for equal strings, 1 for non-equal strings */ +int PQCLEAN_SABER_CLEAN_verify(const unsigned char *a, const unsigned char *b, size_t len); + +/* b = 1 means mov, b = 0 means don't mov*/ +void PQCLEAN_SABER_CLEAN_cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b); + +#endif From 7883f8ce8cb445065875a4522d12419d848272d0 Mon Sep 17 00:00:00 2001 From: "Matthias J. Kannwischer" Date: Tue, 18 Jun 2019 11:15:40 +0200 Subject: [PATCH 03/20] Make auxiliary-submitters optional. Saber does not have any --- test/test_metadata.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/test_metadata.py b/test/test_metadata.py index 28fee4c0..eddd0dd5 100644 --- a/test/test_metadata.py +++ b/test/test_metadata.py @@ -49,7 +49,7 @@ EXPECTED_FIELDS = { 'length-secret-key': {'type': int, 'min': 1}, 'nistkat-sha256': {'type': str, 'length': 64}, 'principal-submitters': {'type': list, 'elements': {'type': str}}, - 'auxiliary-submitters': {'type': list, 'elements': {'type': str}}, + 'auxiliary-submitters': {'type': list, 'elements': {'type': str}, 'optional' : True}, 'implementations': { 'type': list, 'elements': { From 31f9ee52cefb29a9798ef7cf924fc5b7f2ba7011 Mon Sep 17 00:00:00 2001 From: "Matthias J. Kannwischer" Date: Tue, 18 Jun 2019 11:24:29 +0200 Subject: [PATCH 04/20] add license --- crypto_kem/saber/clean/LICENSE | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/crypto_kem/saber/clean/LICENSE b/crypto_kem/saber/clean/LICENSE index 1333ed77..cb00a6e3 100644 --- a/crypto_kem/saber/clean/LICENSE +++ b/crypto_kem/saber/clean/LICENSE @@ -1 +1,8 @@ -TODO +`Software implementation of Rainbow for NIST R2 submission' by Ming-Shing Chen + +To the extent possible under law, the person who associated CC0 with +`Software implementation of Rainbow for NIST R2 submission' has waived all copyright and related or neighboring rights +to `Software implementation of Rainbow for NIST R2 submission'. + +You should have received a copy of the CC0 legalcode along with this +work. If not, see . From ef0ad8e7523ef245f49c9fcf420e2ede50ce0a50 Mon Sep 17 00:00:00 2001 From: "Matthias J. Kannwischer" Date: Tue, 18 Jun 2019 11:41:54 +0200 Subject: [PATCH 05/20] fix some vs warnings --- crypto_kem/saber/clean/cbd.c | 2 +- crypto_kem/saber/clean/kem.c | 3 ++- crypto_kem/saber/clean/poly.c | 2 +- crypto_kem/saber/clean/poly_mul.c | 3 +-- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/crypto_kem/saber/clean/cbd.c b/crypto_kem/saber/clean/cbd.c index f5d02deb..9fb397cb 100644 --- a/crypto_kem/saber/clean/cbd.c +++ b/crypto_kem/saber/clean/cbd.c @@ -55,7 +55,7 @@ void PQCLEAN_SABER_CLEAN_cbd(uint16_t *r, const unsigned char *buf) { int i, j; for (i = 0; i < SABER_N / 4; i++) { - t = load_littleendian(buf + 4 * i, 4); + t = (uint32_t) load_littleendian(buf + 4 * i, 4); d = 0; for (j = 0; j < 4; j++) { d += (t >> j) & 0x11111111; diff --git a/crypto_kem/saber/clean/kem.c b/crypto_kem/saber/clean/kem.c index 5ee4a856..05ffde7c 100644 --- a/crypto_kem/saber/clean/kem.c +++ b/crypto_kem/saber/clean/kem.c @@ -47,7 +47,8 @@ int PQCLEAN_SABER_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, con int PQCLEAN_SABER_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) { - int i, fail; + int i; + unsigned char fail; unsigned char cmp[SABER_BYTES_CCA_DEC]; unsigned char buf[64]; unsigned char kr[64]; // Will contain key, coins diff --git a/crypto_kem/saber/clean/poly.c b/crypto_kem/saber/clean/poly.c index 6004529d..98290e36 100644 --- a/crypto_kem/saber/clean/poly.c +++ b/crypto_kem/saber/clean/poly.c @@ -5,7 +5,7 @@ of "CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM" by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint, Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle ----------------------------------------------------------------------*/ -#include "api.h" +#include "SABER_params.h" #include "cbd.h" #include "fips202.h" #include "poly.h" diff --git a/crypto_kem/saber/clean/poly_mul.c b/crypto_kem/saber/clean/poly_mul.c index 60ff22de..541c5b35 100644 --- a/crypto_kem/saber/clean/poly_mul.c +++ b/crypto_kem/saber/clean/poly_mul.c @@ -1,7 +1,6 @@ #include "poly_mul.h" +#include "SABER_params.h" #include -#include -#include #include #define SCHB_N 16 From 03596d47050a3199f7bb9d4da16d6b875777075c Mon Sep 17 00:00:00 2001 From: "Matthias J. Kannwischer" Date: Tue, 18 Jun 2019 12:07:48 +0200 Subject: [PATCH 06/20] another vs warning --- crypto_kem/saber/clean/verify.c | 4 ++-- crypto_kem/saber/clean/verify.h | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/crypto_kem/saber/clean/verify.c b/crypto_kem/saber/clean/verify.c index 2c0f3e07..ac464863 100644 --- a/crypto_kem/saber/clean/verify.c +++ b/crypto_kem/saber/clean/verify.c @@ -9,7 +9,7 @@ Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle #include /* returns 0 for equal strings, 1 for non-equal strings */ -int PQCLEAN_SABER_CLEAN_verify(const unsigned char *a, const unsigned char *b, size_t len) { +unsigned char PQCLEAN_SABER_CLEAN_verify(const unsigned char *a, const unsigned char *b, size_t len) { uint64_t r; size_t i; r = 0; @@ -19,7 +19,7 @@ int PQCLEAN_SABER_CLEAN_verify(const unsigned char *a, const unsigned char *b, s } r = (-r) >> 63; - return r; + return (unsigned char) r; } /* b = 1 means mov, b = 0 means don't mov*/ diff --git a/crypto_kem/saber/clean/verify.h b/crypto_kem/saber/clean/verify.h index 8c0450a4..baea8be7 100644 --- a/crypto_kem/saber/clean/verify.h +++ b/crypto_kem/saber/clean/verify.h @@ -9,9 +9,10 @@ Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle #define VERIFY_H #include +#include /* returns 0 for equal strings, 1 for non-equal strings */ -int PQCLEAN_SABER_CLEAN_verify(const unsigned char *a, const unsigned char *b, size_t len); +unsigned char PQCLEAN_SABER_CLEAN_verify(const unsigned char *a, const unsigned char *b, size_t len); /* b = 1 means mov, b = 0 means don't mov*/ void PQCLEAN_SABER_CLEAN_cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b); From ccfe87a4a356a2f50b2ea76f74ca2183b8d0f8a5 Mon Sep 17 00:00:00 2001 From: "Matthias J. Kannwischer" Date: Tue, 18 Jun 2019 14:20:59 +0200 Subject: [PATCH 07/20] refactoring to make vs more happy --- crypto_kem/saber/clean/SABER_indcpa.c | 12 +- crypto_kem/saber/clean/SABER_params.h | 2 - crypto_kem/saber/clean/poly.c | 12 +- crypto_kem/saber/clean/poly_mul.c | 235 +------------------------- crypto_kem/saber/clean/poly_mul.h | 2 +- crypto_kem/saber/clean/verify.c | 7 +- 6 files changed, 21 insertions(+), 249 deletions(-) diff --git a/crypto_kem/saber/clean/SABER_indcpa.c b/crypto_kem/saber/clean/SABER_indcpa.c index ed62635f..81e2b56c 100644 --- a/crypto_kem/saber/clean/SABER_indcpa.c +++ b/crypto_kem/saber/clean/SABER_indcpa.c @@ -24,27 +24,23 @@ static void MatrixVectorMul(polyvec *a, uint16_t skpv[SABER_K][SABER_N], uint16_ static void POL2MSG(const uint16_t *message_dec_unpacked, unsigned char *message_dec); static void GenMatrix(polyvec *a, const unsigned char *seed) { - unsigned int one_vector = 13 * SABER_N / 8; - unsigned int byte_bank_length = SABER_K * SABER_K * one_vector; - unsigned char buf[byte_bank_length]; + unsigned char buf[SABER_K * SABER_K * (13 * SABER_N / 8)]; uint16_t temp_ar[SABER_N]; int i, j, k; uint16_t mod = (SABER_Q - 1); - shake128(buf, byte_bank_length, seed, SABER_SEEDBYTES); + shake128(buf, sizeof(buf), seed, SABER_SEEDBYTES); for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_K; j++) { - PQCLEAN_SABER_CLEAN_BS2POL(buf + (i * SABER_K + j)*one_vector, temp_ar); + PQCLEAN_SABER_CLEAN_BS2POL(buf + (i * SABER_K + j) * (13 * SABER_N / 8), temp_ar); for (k = 0; k < SABER_N; k++) { a[i].vec[j].coeffs[k] = (temp_ar[k])& mod ; } } } - - } @@ -325,7 +321,7 @@ static void POL2MSG(const uint16_t *message_dec_unpacked, unsigned char *message for (j = 0; j < SABER_KEYBYTES; j++) { message_dec[j] = 0; for (i = 0; i < 8; i++) { - message_dec[j] = message_dec[j] | (message_dec_unpacked[j * 8 + i] << i); + message_dec[j] = message_dec[j] | (uint8_t) (message_dec_unpacked[j * 8 + i] << i); } } diff --git a/crypto_kem/saber/clean/SABER_params.h b/crypto_kem/saber/clean/SABER_params.h index 7d9ebf3b..cc5ff82a 100644 --- a/crypto_kem/saber/clean/SABER_params.h +++ b/crypto_kem/saber/clean/SABER_params.h @@ -3,8 +3,6 @@ #ifndef PARAMS_H #define PARAMS_H - - #if Saber_type == 1 #define SABER_K 2 #define SABER_MU 10 diff --git a/crypto_kem/saber/clean/poly.c b/crypto_kem/saber/clean/poly.c index 98290e36..93f55fde 100644 --- a/crypto_kem/saber/clean/poly.c +++ b/crypto_kem/saber/clean/poly.c @@ -11,17 +11,11 @@ Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle #include "poly.h" void PQCLEAN_SABER_CLEAN_GenSecret(uint16_t r[SABER_K][SABER_N], const unsigned char *seed) { + uint8_t buf[SABER_MU * SABER_N * SABER_K / 8]; + shake128(buf, sizeof(buf), seed, SABER_NOISESEEDBYTES); - uint32_t i; - - int32_t buf_size = SABER_MU * SABER_N * SABER_K / 8; - - uint8_t buf[buf_size]; - - shake128(buf, buf_size, seed, SABER_NOISESEEDBYTES); - - for (i = 0; i < SABER_K; i++) { + for (size_t i = 0; i < SABER_K; i++) { PQCLEAN_SABER_CLEAN_cbd(r[i], buf + i * SABER_MU * SABER_N / 8); } } diff --git a/crypto_kem/saber/clean/poly_mul.c b/crypto_kem/saber/clean/poly_mul.c index 541c5b35..36bb956b 100644 --- a/crypto_kem/saber/clean/poly_mul.c +++ b/crypto_kem/saber/clean/poly_mul.c @@ -3,237 +3,20 @@ #include #include -#define SCHB_N 16 -#define N_RES (SABER_N << 1) -#define N_SB (SABER_N >> 2) -#define N_SB_RES (2*N_SB-1) +void PQCLEAN_SABER_CLEAN_pol_mul(const uint16_t *a, const uint16_t *b, uint16_t *res, uint16_t p, uint32_t n) { + // Polynomial multiplication using the schoolbook method, c[x] = a[x]*b[x] -static void karatsuba_simple(const uint16_t *a_1, const uint16_t *b_1, uint16_t *result_final) { //uses 10 registers - - uint16_t N = 64; - uint16_t d01[N / 2 - 1]; - uint16_t d0123[N / 2 - 1]; - uint16_t d23[N / 2 - 1]; - uint16_t result_d01[N - 1]; - - int32_t i, j; - - memset(result_d01, 0, (N - 1)*sizeof(uint16_t)); - memset(d01, 0, (N / 2 - 1)*sizeof(uint16_t)); - memset(d0123, 0, (N / 2 - 1)*sizeof(uint16_t)); - memset(d23, 0, (N / 2 - 1)*sizeof(uint16_t)); - memset(result_final, 0, (2 * N - 1)*sizeof(uint16_t)); - - uint16_t acc1, acc2, acc3, acc4, acc5, acc6, acc7, acc8, acc9, acc10; - - - for (i = 0; i < N / 4; i++) { - acc1 = a_1[i]; //a0 - acc2 = a_1[i + N / 4]; //a1 - acc3 = a_1[i + 2 * N / 4]; //a2 - acc4 = a_1[i + 3 * N / 4]; //a3 - for (j = 0; j < N / 4; j++) { - - acc5 = b_1[j]; //b0 - acc6 = b_1[j + N / 4]; //b1 - - result_final[i + j + 0 * N / 4] = result_final[i + j + 0 * N / 4] + acc1 * acc5; - result_final[i + j + 2 * N / 4] = result_final[i + j + 2 * N / 4] + acc2 * acc6; - - acc7 = acc5 + acc6; //b01 - acc8 = acc1 + acc2; //a01 - d01[i + j] = d01[i + j] + acc7 * acc8; - //-------------------------------------------------------- - - acc7 = b_1[j + 2 * N / 4]; //b2 - acc8 = b_1[j + 3 * N / 4]; //b3 - result_final[i + j + 4 * N / 4] = result_final[i + j + 4 * N / 4] + acc7 * acc3; - - result_final[i + j + 6 * N / 4] = result_final[i + j + 6 * N / 4] + acc8 * acc4; - - acc9 = acc3 + acc4; - acc10 = acc7 + acc8; - d23[i + j] = d23[i + j] + acc9 * acc10; - //-------------------------------------------------------- - - acc5 = acc5 + acc7; //b02 - acc7 = acc1 + acc3; //a02 - result_d01[i + j + 0 * N / 4] = result_d01[i + j + 0 * N / 4] + acc5 * acc7; - - acc6 = acc6 + acc8; //b13 - acc8 = acc2 + acc4; - result_d01[i + j + 2 * N / 4] = result_d01[i + j + 2 * N / 4] + acc6 * acc8; - - acc5 = acc5 + acc6; - acc7 = acc7 + acc8; - d0123[i + j] = d0123[i + j] + acc5 * acc7; + // normal multiplication + uint16_t c[2 * SABER_N] = {0}; + for (size_t i = 0; i < SABER_N; i++) { + for (size_t j = 0; j < SABER_N; j++) { + c[i + j] += a[i] * b[j]; } } -//------------------2nd last stage------------------------- - - for (i = 0; i < N / 2 - 1; i++) { - d0123[i] = d0123[i] - result_d01[i + 0 * N / 4] - result_d01[i + 2 * N / 4]; - d01[i] = d01[i] - result_final[i + 0 * N / 4] - result_final[i + 2 * N / 4]; - d23[i] = d23[i] - result_final[i + 4 * N / 4] - result_final[i + 6 * N / 4]; - } - - for (i = 0; i < N / 2 - 1; i++) { - result_d01[i + 1 * N / 4] = result_d01[i + 1 * N / 4] + d0123[i]; - result_final[i + 1 * N / 4] = result_final[i + 1 * N / 4] + d01[i]; - result_final[i + 5 * N / 4] = result_final[i + 5 * N / 4] + d23[i]; - } - -//------------Last stage--------------------------- - for (i = 0; i < N - 1; i++) { - result_d01[i] = result_d01[i] - result_final[i] - result_final[i + N]; - } - - for (i = 0; i < N - 1; i++) { - result_final[i + 1 * N / 2] = result_final[i + 1 * N / 2] + result_d01[i]; //-result_d0[i]-result_d1[i]; - } - -} - -static void toom_cook_4way (const uint16_t *a1, const uint16_t *b1, uint16_t *result) { - uint16_t inv3 = 43691, inv9 = 36409, inv15 = 61167; - - uint16_t aw1[N_SB], aw2[N_SB], aw3[N_SB], aw4[N_SB], aw5[N_SB], aw6[N_SB], aw7[N_SB]; - uint16_t bw1[N_SB], bw2[N_SB], bw3[N_SB], bw4[N_SB], bw5[N_SB], bw6[N_SB], bw7[N_SB]; - uint16_t w1[N_SB_RES] = {0}, w2[N_SB_RES] = {0}, w3[N_SB_RES] = {0}, w4[N_SB_RES] = {0}, - w5[N_SB_RES] = {0}, w6[N_SB_RES] = {0}, w7[N_SB_RES] = {0}; - uint16_t r0, r1, r2, r3, r4, r5, r6, r7; - uint16_t *A0, *A1, *A2, *A3, *B0, *B1, *B2, *B3; - A0 = (uint16_t *)a1; - A1 = (uint16_t *)&a1[N_SB]; - A2 = (uint16_t *)&a1[2 * N_SB]; - A3 = (uint16_t *)&a1[3 * N_SB]; - B0 = (uint16_t *)b1; - B1 = (uint16_t *)&b1[N_SB]; - B2 = (uint16_t *)&b1[2 * N_SB]; - B3 = (uint16_t *)&b1[3 * N_SB]; - - uint16_t *C; - C = result; - - int i, j; - -// EVALUATION - for (j = 0; j < N_SB; ++j) { - r0 = A0[j]; - r1 = A1[j]; - r2 = A2[j]; - r3 = A3[j]; - r4 = r0 + r2; - r5 = r1 + r3; - r6 = r4 + r5; - r7 = r4 - r5; - aw3[j] = r6; - aw4[j] = r7; - r4 = ((r0 << 2) + r2) << 1; - r5 = (r1 << 2) + r3; - r6 = r4 + r5; - r7 = r4 - r5; - aw5[j] = r6; - aw6[j] = r7; - r4 = (r3 << 3) + (r2 << 2) + (r1 << 1) + r0; - aw2[j] = r4; - aw7[j] = r0; - aw1[j] = r3; - } - for (j = 0; j < N_SB; ++j) { - r0 = B0[j]; - r1 = B1[j]; - r2 = B2[j]; - r3 = B3[j]; - r4 = r0 + r2; - r5 = r1 + r3; - r6 = r4 + r5; - r7 = r4 - r5; - bw3[j] = r6; - bw4[j] = r7; - r4 = ((r0 << 2) + r2) << 1; - r5 = (r1 << 2) + r3; - r6 = r4 + r5; - r7 = r4 - r5; - bw5[j] = r6; - bw6[j] = r7; - r4 = (r3 << 3) + (r2 << 2) + (r1 << 1) + r0; - bw2[j] = r4; - bw7[j] = r0; - bw1[j] = r3; - } - -// MULTIPLICATION - - karatsuba_simple(aw1, bw1, w1); - karatsuba_simple(aw2, bw2, w2); - karatsuba_simple(aw3, bw3, w3); - karatsuba_simple(aw4, bw4, w4); - karatsuba_simple(aw5, bw5, w5); - karatsuba_simple(aw6, bw6, w6); - karatsuba_simple(aw7, bw7, w7); - -// INTERPOLATION - for (i = 0; i < N_SB_RES; ++i) { - r0 = w1[i]; - r1 = w2[i]; - r2 = w3[i]; - r3 = w4[i]; - r4 = w5[i]; - r5 = w6[i]; - r6 = w7[i]; - - r1 = r1 + r4; - r5 = r5 - r4; - r3 = ((r3 - r2) >> 1); - r4 = r4 - r0; - r4 = r4 - (r6 << 6); - r4 = (r4 << 1) + r5; - r2 = r2 + r3; - r1 = r1 - (r2 << 6) - r2; - r2 = r2 - r6; - r2 = r2 - r0; - r1 = r1 + 45 * r2; - r4 = (((r4 - (r2 << 3)) * inv3) >> 3); - r5 = r5 + r1; - r1 = (((r1 + (r3 << 4)) * inv9) >> 1); - r3 = -(r3 + r1); - r5 = (((30 * r1 - r5) * inv15) >> 2); - r2 = r2 - r4; - r1 = r1 - r5; - - C[i] += r6; - C[i + 64] += r5; - C[i + 128] += r4; - C[i + 192] += r3; - C[i + 256] += r2; - C[i + 320] += r1; - C[i + 384] += r0; - } -} - -void PQCLEAN_SABER_CLEAN_pol_mul(uint16_t *a, uint16_t *b, uint16_t *res, uint16_t p, uint32_t n) { - // Polynomial multiplication using the schoolbook method, c[x] = a[x]*b[x] - // SECURITY NOTE: TO BE USED FOR TESTING ONLY. - - uint32_t i; - - //-------------------normal multiplication----------------- - - uint16_t c[512]; - - for (i = 0; i < 512; i++) { - c[i] = 0; - } - - toom_cook_4way(a, b, c); - - //---------------reduction------- - for (i = n; i < 2 * n; i++) { + // reduction + for (size_t i = n; i < 2 * n; i++) { res[i - n] = (c[i - n] - c[i]) & (p - 1); } - - } diff --git a/crypto_kem/saber/clean/poly_mul.h b/crypto_kem/saber/clean/poly_mul.h index f813be10..5e36755f 100644 --- a/crypto_kem/saber/clean/poly_mul.h +++ b/crypto_kem/saber/clean/poly_mul.h @@ -4,6 +4,6 @@ #include "SABER_params.h" #include -void PQCLEAN_SABER_CLEAN_pol_mul(uint16_t *a, uint16_t *b, uint16_t *res, uint16_t p, uint32_t n); +void PQCLEAN_SABER_CLEAN_pol_mul(const uint16_t *a, const uint16_t *b, uint16_t *res, uint16_t p, uint32_t n); #endif diff --git a/crypto_kem/saber/clean/verify.c b/crypto_kem/saber/clean/verify.c index ac464863..81f30604 100644 --- a/crypto_kem/saber/clean/verify.c +++ b/crypto_kem/saber/clean/verify.c @@ -12,14 +12,15 @@ Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle unsigned char PQCLEAN_SABER_CLEAN_verify(const unsigned char *a, const unsigned char *b, size_t len) { uint64_t r; size_t i; - r = 0; + r = 0; for (i = 0; i < len; i++) { r |= a[i] ^ b[i]; } - r = (-r) >> 63; - return (unsigned char) r; + r = (~r + 1); // Two's complement + r >>= 63; + return (unsigned char)r; } /* b = 1 means mov, b = 0 means don't mov*/ From a971a3188bbf4588f86ab7977d2a81c933cdaf8e Mon Sep 17 00:00:00 2001 From: "Matthias J. Kannwischer" Date: Tue, 18 Jun 2019 15:37:35 +0200 Subject: [PATCH 08/20] Revert "temporarily disable pre-processor test" This reverts commit def5bddb62098afe134ed30dbeb82f0c195968cc. --- test/test_preprocessor.py | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 test/test_preprocessor.py diff --git a/test/test_preprocessor.py b/test/test_preprocessor.py new file mode 100644 index 00000000..043b7a50 --- /dev/null +++ b/test/test_preprocessor.py @@ -0,0 +1,36 @@ +import pqclean +import helpers + + +def test_preprocessor(): + for scheme in pqclean.Scheme.all_schemes(): + for implementation in scheme.implementations: + yield check_preprocessor, implementation + + +@helpers.filtered_test +def check_preprocessor(implementation: pqclean.Implementation): + cfiles = implementation.cfiles() + hfiles = implementation.hfiles() + errors = [] + for file in hfiles + cfiles: + with open(file) as f: + for i, line in enumerate(f): + line = line.strip() + if file in hfiles and i == 0 and line.startswith('#ifndef'): + continue + if line.startswith('#if'): + errors.append("\n at {}:{}".format(file, i+1)) + if errors: + raise AssertionError( + "Prohibited use of preprocessor conditional" + "".join(errors) + ) + + +if __name__ == "__main__": + try: + import nose2 + nose2.main() + except ImportError: + import nose + nose.runmodule() From 510a7baee84154a356cad7aa889891ef78396f1b Mon Sep 17 00:00:00 2001 From: "Matthias J. Kannwischer" Date: Tue, 18 Jun 2019 15:40:24 +0200 Subject: [PATCH 09/20] move header guards to the top --- crypto_kem/saber/clean/cbd.h | 5 +++-- crypto_kem/saber/clean/poly.h | 5 +++-- crypto_kem/saber/clean/verify.h | 5 +++-- 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/crypto_kem/saber/clean/cbd.h b/crypto_kem/saber/clean/cbd.h index bfa975e6..b307921f 100644 --- a/crypto_kem/saber/clean/cbd.h +++ b/crypto_kem/saber/clean/cbd.h @@ -1,3 +1,6 @@ +#ifndef CBD_H +#define CBD_H + /*--------------------------------------------------------------------- This file has been adapted from the implementation (available at, Public Domain https://github.com/pq-crystals/kyber) @@ -5,8 +8,6 @@ of "CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM" by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint, Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle ----------------------------------------------------------------------*/ -#ifndef CBD_H -#define CBD_H #include "poly.h" #include diff --git a/crypto_kem/saber/clean/poly.h b/crypto_kem/saber/clean/poly.h index cfd7d9df..9d216804 100644 --- a/crypto_kem/saber/clean/poly.h +++ b/crypto_kem/saber/clean/poly.h @@ -1,3 +1,6 @@ +#ifndef POLY_H +#define POLY_H + /*--------------------------------------------------------------------- This file has been adapted from the implementation (available at, Public Domain https://github.com/pq-crystals/kyber) @@ -6,8 +9,6 @@ by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint, Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle ----------------------------------------------------------------------*/ -#ifndef POLY_H -#define POLY_H #include "SABER_params.h" #include diff --git a/crypto_kem/saber/clean/verify.h b/crypto_kem/saber/clean/verify.h index baea8be7..cacb2ee6 100644 --- a/crypto_kem/saber/clean/verify.h +++ b/crypto_kem/saber/clean/verify.h @@ -1,3 +1,6 @@ +#ifndef VERIFY_H +#define VERIFY_H + /*------------------------------------------------- This file has been adapted from the implementation (available at https://github.com/pq-crystals/kyber) of @@ -5,8 +8,6 @@ This file has been adapted from the implementation by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint, Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle ----------------------------------------------------*/ -#ifndef VERIFY_H -#define VERIFY_H #include #include From 15a9e77b4c9e0b3c3490de60d8164eb416a9d022 Mon Sep 17 00:00:00 2001 From: "Matthias J. Kannwischer" Date: Tue, 18 Jun 2019 16:08:32 +0200 Subject: [PATCH 10/20] remove pre-processor conditionals --- crypto_kem/saber/clean/LICENSE | 9 +---- crypto_kem/saber/clean/SABER_indcpa.c | 12 ------ crypto_kem/saber/clean/SABER_params.h | 13 +------ crypto_kem/saber/clean/api.h | 2 - crypto_kem/saber/clean/cbd.c | 55 --------------------------- 5 files changed, 2 insertions(+), 89 deletions(-) diff --git a/crypto_kem/saber/clean/LICENSE b/crypto_kem/saber/clean/LICENSE index cb00a6e3..1333ed77 100644 --- a/crypto_kem/saber/clean/LICENSE +++ b/crypto_kem/saber/clean/LICENSE @@ -1,8 +1 @@ -`Software implementation of Rainbow for NIST R2 submission' by Ming-Shing Chen - -To the extent possible under law, the person who associated CC0 with -`Software implementation of Rainbow for NIST R2 submission' has waived all copyright and related or neighboring rights -to `Software implementation of Rainbow for NIST R2 submission'. - -You should have received a copy of the CC0 legalcode along with this -work. If not, see . +TODO diff --git a/crypto_kem/saber/clean/SABER_indcpa.c b/crypto_kem/saber/clean/SABER_indcpa.c index 81e2b56c..c5f113a7 100644 --- a/crypto_kem/saber/clean/SABER_indcpa.c +++ b/crypto_kem/saber/clean/SABER_indcpa.c @@ -202,13 +202,7 @@ void PQCLEAN_SABER_CLEAN_indcpa_kem_enc(const unsigned char *message_received, u } - #if Saber_type == 1 - PQCLEAN_SABER_CLEAN_pack_3bit(msk_c, vprime); - #elif Saber_type == 2 PQCLEAN_SABER_CLEAN_pack_4bit(msk_c, vprime); - #elif Saber_type == 3 - PQCLEAN_SABER_CLEAN_pack_6bit(msk_c, vprime); - #endif for (j = 0; j < SABER_SCALEBYTES_KEM; j++) { @@ -258,13 +252,7 @@ void PQCLEAN_SABER_CLEAN_indcpa_kem_dec(const unsigned char *sk, const unsigned scale_ar[i] = ciphertext[SABER_POLYVECCOMPRESSEDBYTES + i]; } - #if Saber_type == 1 - PQCLEAN_SABER_CLEAN_un_pack3bit(scale_ar, op); - #elif Saber_type == 2 PQCLEAN_SABER_CLEAN_un_pack4bit(scale_ar, op); - #elif Saber_type == 3 - PQCLEAN_SABER_CLEAN_un_pack6bit(scale_ar, op); - #endif //addition of h1 diff --git a/crypto_kem/saber/clean/SABER_params.h b/crypto_kem/saber/clean/SABER_params.h index cc5ff82a..faa9f6db 100644 --- a/crypto_kem/saber/clean/SABER_params.h +++ b/crypto_kem/saber/clean/SABER_params.h @@ -1,23 +1,12 @@ -#include "api.h" - #ifndef PARAMS_H #define PARAMS_H -#if Saber_type == 1 -#define SABER_K 2 -#define SABER_MU 10 -#define SABER_ET 3 +#include "api.h" -#elif Saber_type == 2 #define SABER_K 3 #define SABER_MU 8 #define SABER_ET 4 -#elif Saber_type == 3 -#define SABER_K 4 -#define SABER_MU 6 -#define SABER_ET 6 -#endif #define SABER_EQ 13 #define SABER_EP 10 diff --git a/crypto_kem/saber/clean/api.h b/crypto_kem/saber/clean/api.h index f54078a5..66c3b8bf 100644 --- a/crypto_kem/saber/clean/api.h +++ b/crypto_kem/saber/clean/api.h @@ -7,8 +7,6 @@ #define PQCLEAN_SABER_CLEAN_CRYPTO_BYTES 32 #define PQCLEAN_SABER_CLEAN_CRYPTO_CIPHERTEXTBYTES 1088 -#define Saber_type 2 - int PQCLEAN_SABER_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk); int PQCLEAN_SABER_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk); int PQCLEAN_SABER_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk); diff --git a/crypto_kem/saber/clean/cbd.c b/crypto_kem/saber/clean/cbd.c index 9fb397cb..a2d9fcdd 100644 --- a/crypto_kem/saber/clean/cbd.c +++ b/crypto_kem/saber/clean/cbd.c @@ -24,33 +24,6 @@ static uint64_t load_littleendian(const unsigned char *x, int bytes) { void PQCLEAN_SABER_CLEAN_cbd(uint16_t *r, const unsigned char *buf) { uint16_t Qmod_minus1 = SABER_Q - 1; - #if Saber_type == 3 - uint32_t t, d, a[4], b[4]; - int i, j; - - for (i = 0; i < SABER_N / 4; i++) { - t = load_littleendian(buf + 3 * i, 3); - d = 0; - for (j = 0; j < 3; j++) { - d += (t >> j) & 0x249249; - } - - a[0] = d & 0x7; - b[0] = (d >> 3) & 0x7; - a[1] = (d >> 6) & 0x7; - b[1] = (d >> 9) & 0x7; - a[2] = (d >> 12) & 0x7; - b[2] = (d >> 15) & 0x7; - a[3] = (d >> 18) & 0x7; - b[3] = (d >> 21); - - r[4 * i + 0] = (uint16_t)(a[0] - b[0]) & Qmod_minus1; - r[4 * i + 1] = (uint16_t)(a[1] - b[1]) & Qmod_minus1; - r[4 * i + 2] = (uint16_t)(a[2] - b[2]) & Qmod_minus1; - r[4 * i + 3] = (uint16_t)(a[3] - b[3]) & Qmod_minus1; - - } - #elif Saber_type == 2 uint32_t t, d, a[4], b[4]; int i, j; @@ -75,32 +48,4 @@ void PQCLEAN_SABER_CLEAN_cbd(uint16_t *r, const unsigned char *buf) { r[4 * i + 2] = (uint16_t)(a[2] - b[2]) & Qmod_minus1; r[4 * i + 3] = (uint16_t)(a[3] - b[3]) & Qmod_minus1; } - #elif Saber_type == 1 - uint64_t t, d, a[4], b[4]; - int i, j; - - for (i = 0; i < SABER_N / 4; i++) { - t = load_littleendian(buf + 5 * i, 5); - d = 0; - for (j = 0; j < 5; j++) { - d += (t >> j) & 0x0842108421UL; - } - - a[0] = d & 0x1f; - b[0] = (d >> 5) & 0x1f; - a[1] = (d >> 10) & 0x1f; - b[1] = (d >> 15) & 0x1f; - a[2] = (d >> 20) & 0x1f; - b[2] = (d >> 25) & 0x1f; - a[3] = (d >> 30) & 0x1f; - b[3] = (d >> 35); - - r[4 * i + 0] = (uint16_t)(a[0] - b[0]) & Qmod_minus1; - r[4 * i + 1] = (uint16_t)(a[1] - b[1]) & Qmod_minus1; - r[4 * i + 2] = (uint16_t)(a[2] - b[2]) & Qmod_minus1; - r[4 * i + 3] = (uint16_t)(a[3] - b[3]) & Qmod_minus1; - } - #else -#error "Unsupported SABER parameter." - #endif } From 8539bd868474feda989905c2d327737eb4e05d2f Mon Sep 17 00:00:00 2001 From: "Matthias J. Kannwischer" Date: Tue, 18 Jun 2019 16:27:03 +0200 Subject: [PATCH 11/20] add lightsaber --- crypto_kem/lightsaber/META.yml | 13 + crypto_kem/lightsaber/clean/LICENSE | 1 + crypto_kem/lightsaber/clean/Makefile | 19 + .../lightsaber/clean/Makefile.Microsoft_nmake | 19 + crypto_kem/lightsaber/clean/SABER_indcpa.c | 335 ++++++++++++++++++ crypto_kem/lightsaber/clean/SABER_indcpa.h | 9 + crypto_kem/lightsaber/clean/SABER_params.h | 50 +++ crypto_kem/lightsaber/clean/api.h | 14 + crypto_kem/lightsaber/clean/cbd.c | 51 +++ crypto_kem/lightsaber/clean/cbd.h | 17 + crypto_kem/lightsaber/clean/kem.c | 79 +++++ crypto_kem/lightsaber/clean/pack_unpack.c | 242 +++++++++++++ crypto_kem/lightsaber/clean/pack_unpack.h | 28 ++ crypto_kem/lightsaber/clean/poly.c | 21 ++ crypto_kem/lightsaber/clean/poly.h | 26 ++ crypto_kem/lightsaber/clean/poly_mul.c | 22 ++ crypto_kem/lightsaber/clean/poly_mul.h | 9 + crypto_kem/lightsaber/clean/verify.c | 34 ++ crypto_kem/lightsaber/clean/verify.h | 21 ++ 19 files changed, 1010 insertions(+) create mode 100644 crypto_kem/lightsaber/META.yml create mode 100644 crypto_kem/lightsaber/clean/LICENSE create mode 100644 crypto_kem/lightsaber/clean/Makefile create mode 100644 crypto_kem/lightsaber/clean/Makefile.Microsoft_nmake create mode 100644 crypto_kem/lightsaber/clean/SABER_indcpa.c create mode 100644 crypto_kem/lightsaber/clean/SABER_indcpa.h create mode 100644 crypto_kem/lightsaber/clean/SABER_params.h create mode 100644 crypto_kem/lightsaber/clean/api.h create mode 100644 crypto_kem/lightsaber/clean/cbd.c create mode 100644 crypto_kem/lightsaber/clean/cbd.h create mode 100644 crypto_kem/lightsaber/clean/kem.c create mode 100644 crypto_kem/lightsaber/clean/pack_unpack.c create mode 100644 crypto_kem/lightsaber/clean/pack_unpack.h create mode 100644 crypto_kem/lightsaber/clean/poly.c create mode 100644 crypto_kem/lightsaber/clean/poly.h create mode 100644 crypto_kem/lightsaber/clean/poly_mul.c create mode 100644 crypto_kem/lightsaber/clean/poly_mul.h create mode 100644 crypto_kem/lightsaber/clean/verify.c create mode 100644 crypto_kem/lightsaber/clean/verify.h diff --git a/crypto_kem/lightsaber/META.yml b/crypto_kem/lightsaber/META.yml new file mode 100644 index 00000000..06a7bf70 --- /dev/null +++ b/crypto_kem/lightsaber/META.yml @@ -0,0 +1,13 @@ +name: LightSaber +type: kem +claimed-nist-level: 1 +claimed-security: IND-CCA2 +length-public-key: 672 +length-ciphertext: 736 +length-secret-key: 1568 +length-shared-secret: 32 +nistkat-sha256: dc2233ae221cfabbb1db5ab1a76c93967d37de9f87a8092561f95ab28eff6061 +principal-submitter: Jan-Pieter D'Anvers, Angshuman Karmakar, Sujoy Sinha Roy, Frederik Vercauteren +implementations: + - name: clean + version: https://github.com/KULeuven-COSIC/SABER/commit/14ede83f1ff3bcc41f0464543542366c68b55871 diff --git a/crypto_kem/lightsaber/clean/LICENSE b/crypto_kem/lightsaber/clean/LICENSE new file mode 100644 index 00000000..1333ed77 --- /dev/null +++ b/crypto_kem/lightsaber/clean/LICENSE @@ -0,0 +1 @@ +TODO diff --git a/crypto_kem/lightsaber/clean/Makefile b/crypto_kem/lightsaber/clean/Makefile new file mode 100644 index 00000000..b1b532e4 --- /dev/null +++ b/crypto_kem/lightsaber/clean/Makefile @@ -0,0 +1,19 @@ +# This Makefile can be used with GNU Make or BSD Make + +LIB=liblightsaber_clean.a +HEADERS=api.h cbd.h poly.h poly_mul.h SABER_indcpa.h SABER_params.h verify.h pack_unpack.h +OBJECTS=cbd.o kem.o pack_unpack.o poly.o poly_mul.o SABER_indcpa.o verify.o + +CFLAGS=-O3 -Wall -Wextra -Wpedantic -Werror -Wmissing-prototypes -Wredundant-decls -std=c99 -I../../../common $(EXTRAFLAGS) + +all: $(LIB) + +%.o: %.c $(HEADERS) + $(CC) $(CFLAGS) -c -o $@ $< + +$(LIB): $(OBJECTS) + $(AR) -r $@ $(OBJECTS) + +clean: + $(RM) $(OBJECTS) + $(RM) $(LIB) diff --git a/crypto_kem/lightsaber/clean/Makefile.Microsoft_nmake b/crypto_kem/lightsaber/clean/Makefile.Microsoft_nmake new file mode 100644 index 00000000..b3bb5f92 --- /dev/null +++ b/crypto_kem/lightsaber/clean/Makefile.Microsoft_nmake @@ -0,0 +1,19 @@ +# This Makefile can be used with Microsoft Visual Studio's nmake using the command: +# nmake /f Makefile.Microsoft_nmake + +LIBRARY=liblightsaber_clean.lib +OBJECTS=cbd.obj kem.obj pack_unpack.obj poly.obj poly_mul.obj SABER_indcpa.obj verify.obj + +CFLAGS=/nologo /I ..\..\..\common /W4 /WX + +all: $(LIBRARY) + +# Make sure objects are recompiled if headers change. +$(OBJECTS): *.h + +$(LIBRARY): $(OBJECTS) + LIB.EXE /NOLOGO /WX /OUT:$@ $** + +clean: + -DEL $(OBJECTS) + -DEL $(LIBRARY) diff --git a/crypto_kem/lightsaber/clean/SABER_indcpa.c b/crypto_kem/lightsaber/clean/SABER_indcpa.c new file mode 100644 index 00000000..d5fb7130 --- /dev/null +++ b/crypto_kem/lightsaber/clean/SABER_indcpa.c @@ -0,0 +1,335 @@ +#include "SABER_indcpa.h" +#include "SABER_params.h" +#include "fips202.h" +#include "pack_unpack.h" +#include "poly.h" +#include "poly_mul.h" +#include "randombytes.h" +#include +#include + + + +/*----------------------------------------------------------------------------------- + This routine generates a=[Matrix K x K] of 256-coefficient polynomials +-------------------------------------------------------------------------------------*/ + +#define h1 4 //2^(EQ-EP-1) + +#define h2 ( (1<<(SABER_EP-2)) - (1<<(SABER_EP-SABER_ET-1)) + (1<<(SABER_EQ-SABER_EP-1)) ) + +static void InnerProd(uint16_t pkcl[SABER_K][SABER_N], uint16_t skpv[SABER_K][SABER_N], uint16_t mod, uint16_t res[SABER_N]); +static void MatrixVectorMul(polyvec *a, uint16_t skpv[SABER_K][SABER_N], uint16_t res[SABER_K][SABER_N], uint16_t mod, int16_t transpose); + +static void POL2MSG(const uint16_t *message_dec_unpacked, unsigned char *message_dec); + +static void GenMatrix(polyvec *a, const unsigned char *seed) { + unsigned char buf[SABER_K * SABER_K * (13 * SABER_N / 8)]; + + uint16_t temp_ar[SABER_N]; + + int i, j, k; + uint16_t mod = (SABER_Q - 1); + + shake128(buf, sizeof(buf), seed, SABER_SEEDBYTES); + + for (i = 0; i < SABER_K; i++) { + for (j = 0; j < SABER_K; j++) { + PQCLEAN_LIGHTSABER_CLEAN_BS2POL(buf + (i * SABER_K + j) * (13 * SABER_N / 8), temp_ar); + for (k = 0; k < SABER_N; k++) { + a[i].vec[j].coeffs[k] = (temp_ar[k])& mod ; + } + } + } +} + + +void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_keypair(unsigned char *pk, unsigned char *sk) { + polyvec a[SABER_K];// skpv; + + uint16_t skpv[SABER_K][SABER_N]; + + unsigned char seed[SABER_SEEDBYTES]; + unsigned char noiseseed[SABER_COINBYTES]; + int32_t i, j; + uint16_t mod_q = SABER_Q - 1; + + + uint16_t res[SABER_K][SABER_N]; + + randombytes(seed, SABER_SEEDBYTES); + shake128(seed, SABER_SEEDBYTES, seed, SABER_SEEDBYTES); // for not revealing system RNG state + randombytes(noiseseed, SABER_COINBYTES); + + GenMatrix(a, seed); //sample matrix A + + PQCLEAN_LIGHTSABER_CLEAN_GenSecret(skpv, noiseseed); //generate secret from constant-time binomial distribution + + //------------------------do the matrix vector multiplication and rounding------------ + + for (i = 0; i < SABER_K; i++) { + for (j = 0; j < SABER_N; j++) { + res[i][j] = 0; + } + } + + MatrixVectorMul(a, skpv, res, SABER_Q - 1, 1); + + //-----now rounding + for (i = 0; i < SABER_K; i++) { //shift right 3 bits + for (j = 0; j < SABER_N; j++) { + res[i][j] = (res[i][j] + h1) & (mod_q); + res[i][j] = (res[i][j] >> (SABER_EQ - SABER_EP)); + } + } + + //------------------unload and pack sk=3 x (256 coefficients of 14 bits)------- + + PQCLEAN_LIGHTSABER_CLEAN_POLVEC2BS(sk, skpv, SABER_Q); + + //------------------unload and pack pk=256 bits seed and 3 x (256 coefficients of 11 bits)------- + + + PQCLEAN_LIGHTSABER_CLEAN_POLVEC2BS(pk, res, SABER_P); // load the public-key coefficients + + + + for (i = 0; i < SABER_SEEDBYTES; i++) { // now load the seedbytes in PK. Easy since seed bytes are kept in byte format. + pk[SABER_POLYVECCOMPRESSEDBYTES + i] = seed[i]; + } + +} + + +void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_enc(const unsigned char *message_received, unsigned char *noiseseed, const unsigned char *pk, unsigned char *ciphertext) { + uint32_t i, j, k; + polyvec a[SABER_K]; // skpv; + unsigned char seed[SABER_SEEDBYTES]; + uint16_t pkcl[SABER_K][SABER_N]; //public key of received by the client + + + + uint16_t skpv1[SABER_K][SABER_N]; + + uint16_t message[SABER_KEYBYTES * 8]; + + uint16_t res[SABER_K][SABER_N]; + uint16_t mod_p = SABER_P - 1; + uint16_t mod_q = SABER_Q - 1; + + uint16_t vprime[SABER_N]; + + + + unsigned char msk_c[SABER_SCALEBYTES_KEM]; + + for (i = 0; i < SABER_SEEDBYTES; i++) { // extract the seedbytes from Public Key. + seed[i] = pk[ SABER_POLYVECCOMPRESSEDBYTES + i]; + } + + GenMatrix(a, seed); + + PQCLEAN_LIGHTSABER_CLEAN_GenSecret(skpv1, noiseseed); //generate secret from constant-time binomial distribution + + //-----------------matrix-vector multiplication and rounding + + for (i = 0; i < SABER_K; i++) { + for (j = 0; j < SABER_N; j++) { + res[i][j] = 0; + } + } + + MatrixVectorMul(a, skpv1, res, SABER_Q - 1, 0); + + //-----now rounding + + for (i = 0; i < SABER_K; i++) { //shift right 3 bits + for (j = 0; j < SABER_N; j++) { + res[i][j] = ( res[i][j] + h1 ) & mod_q; + res[i][j] = (res[i][j] >> (SABER_EQ - SABER_EP) ); + } + } + + PQCLEAN_LIGHTSABER_CLEAN_POLVEC2BS(ciphertext, res, SABER_P); + +//*******************client matrix-vector multiplication ends************************************ + + //------now calculate the v' + + //-------unpack the public_key + + //pkcl is the b in the protocol + PQCLEAN_LIGHTSABER_CLEAN_BS2POLVEC(pk, pkcl, SABER_P); + + + + for (i = 0; i < SABER_N; i++) { + vprime[i] = 0; + } + + for (i = 0; i < SABER_K; i++) { + for (j = 0; j < SABER_N; j++) { + skpv1[i][j] = skpv1[i][j] & (mod_p); + } + } + + // vector-vector scalar multiplication with mod p + InnerProd(pkcl, skpv1, mod_p, vprime); + + //addition of h1 to vprime + for (i = 0; i < SABER_N; i++) { + vprime[i] = vprime[i] + h1; + } + + + // unpack message_received; + for (j = 0; j < SABER_KEYBYTES; j++) { + for (i = 0; i < 8; i++) { + message[8 * j + i] = ((message_received[j] >> i) & 0x01); + } + } + + // message encoding + for (i = 0; i < SABER_N; i++) { + message[i] = (message[i] << (SABER_EP - 1)); + } + + + + + for (k = 0; k < SABER_N; k++) { + vprime[k] = ( (vprime[k] - message[k]) & (mod_p) ) >> (SABER_EP - SABER_ET); + } + + + PQCLEAN_LIGHTSABER_CLEAN_pack_3bit(msk_c, vprime); + + + for (j = 0; j < SABER_SCALEBYTES_KEM; j++) { + ciphertext[SABER_POLYVECCOMPRESSEDBYTES + j] = msk_c[j]; + } +} + + +void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_dec(const unsigned char *sk, const unsigned char *ciphertext, unsigned char message_dec[]) { + + uint32_t i, j; + + + uint16_t sksv[SABER_K][SABER_N]; //secret key of the server + + + uint16_t pksv[SABER_K][SABER_N]; + + uint8_t scale_ar[SABER_SCALEBYTES_KEM]; + + uint16_t mod_p = SABER_P - 1; + + uint16_t v[SABER_N]; + + uint16_t op[SABER_N]; + + + PQCLEAN_LIGHTSABER_CLEAN_BS2POLVEC(sk, sksv, SABER_Q); //sksv is the secret-key + PQCLEAN_LIGHTSABER_CLEAN_BS2POLVEC(ciphertext, pksv, SABER_P); //pksv is the ciphertext + + // vector-vector scalar multiplication with mod p + for (i = 0; i < SABER_N; i++) { + v[i] = 0; + } + + for (i = 0; i < SABER_K; i++) { + for (j = 0; j < SABER_N; j++) { + sksv[i][j] = sksv[i][j] & (mod_p); + } + } + + InnerProd(pksv, sksv, mod_p, v); + + + //Extraction + for (i = 0; i < SABER_SCALEBYTES_KEM; i++) { + scale_ar[i] = ciphertext[SABER_POLYVECCOMPRESSEDBYTES + i]; + } + + PQCLEAN_LIGHTSABER_CLEAN_un_pack3bit(scale_ar, op); + + + //addition of h1 + for (i = 0; i < SABER_N; i++) { + v[i] = ( ( v[i] + h2 - (op[i] << (SABER_EP - SABER_ET)) ) & (mod_p) ) >> (SABER_EP - 1); + } + + // pack decrypted message + + POL2MSG(v, message_dec); + + +} +static void MatrixVectorMul(polyvec *a, uint16_t skpv[SABER_K][SABER_N], uint16_t res[SABER_K][SABER_N], uint16_t mod, int16_t transpose) { + + uint16_t acc[SABER_N]; + int32_t i, j, k; + + if (transpose == 1) { + for (i = 0; i < SABER_K; i++) { + for (j = 0; j < SABER_K; j++) { + PQCLEAN_LIGHTSABER_CLEAN_pol_mul((uint16_t *)&a[j].vec[i], skpv[j], acc, SABER_Q, SABER_N); + + for (k = 0; k < SABER_N; k++) { + res[i][k] = res[i][k] + acc[k]; + res[i][k] = (res[i][k] & mod); //reduction mod p + acc[k] = 0; //clear the accumulator + } + + } + } + } else { + + for (i = 0; i < SABER_K; i++) { + for (j = 0; j < SABER_K; j++) { + PQCLEAN_LIGHTSABER_CLEAN_pol_mul((uint16_t *)&a[i].vec[j], skpv[j], acc, SABER_Q, SABER_N); + for (k = 0; k < SABER_N; k++) { + res[i][k] = res[i][k] + acc[k]; + res[i][k] = res[i][k] & mod; //reduction + acc[k] = 0; //clear the accumulator + } + + } + } + } + + +} + +static void POL2MSG(const uint16_t *message_dec_unpacked, unsigned char *message_dec) { + + int32_t i, j; + + for (j = 0; j < SABER_KEYBYTES; j++) { + message_dec[j] = 0; + for (i = 0; i < 8; i++) { + message_dec[j] = message_dec[j] | (uint8_t) (message_dec_unpacked[j * 8 + i] << i); + } + } + +} + + +static void InnerProd(uint16_t pkcl[SABER_K][SABER_N], uint16_t skpv[SABER_K][SABER_N], uint16_t mod, uint16_t res[SABER_N]) { + + + uint32_t j, k; + uint16_t acc[SABER_N]; + + // vector-vector scalar multiplication with mod p + for (j = 0; j < SABER_K; j++) { + PQCLEAN_LIGHTSABER_CLEAN_pol_mul(pkcl[j], skpv[j], acc, SABER_P, SABER_N); + + for (k = 0; k < SABER_N; k++) { + res[k] = res[k] + acc[k]; + res[k] = res[k] & mod; //reduction + acc[k] = 0; //clear the accumulator + } + } +} diff --git a/crypto_kem/lightsaber/clean/SABER_indcpa.h b/crypto_kem/lightsaber/clean/SABER_indcpa.h new file mode 100644 index 00000000..4f806c55 --- /dev/null +++ b/crypto_kem/lightsaber/clean/SABER_indcpa.h @@ -0,0 +1,9 @@ +#ifndef INDCPA_H +#define INDCPA_H + +void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_keypair(unsigned char *pk, unsigned char *sk); +void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_enc(const unsigned char *message, unsigned char *noiseseed, const unsigned char *pk, unsigned char *ciphertext); +void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_dec(const unsigned char *sk, const unsigned char *ciphertext, unsigned char *message_dec); + +#endif + diff --git a/crypto_kem/lightsaber/clean/SABER_params.h b/crypto_kem/lightsaber/clean/SABER_params.h new file mode 100644 index 00000000..eb3825f2 --- /dev/null +++ b/crypto_kem/lightsaber/clean/SABER_params.h @@ -0,0 +1,50 @@ +#ifndef PARAMS_H +#define PARAMS_H + +#include "api.h" + +#define SABER_K 2 +#define SABER_MU 10 +#define SABER_ET 3 + + +#define SABER_EQ 13 +#define SABER_EP 10 + +#define SABER_N 256 +#define SABER_Q 8192 +#define SABER_P 1024 + +#define SABER_SEEDBYTES 32 +#define SABER_NOISESEEDBYTES 32 +#define SABER_COINBYTES 32 +#define SABER_KEYBYTES 32 + +#define SABER_HASHBYTES 32 + +#define SABER_POLYBYTES 416 //13*256/8 + +#define SABER_POLYVECBYTES (SABER_K * SABER_POLYBYTES) + +#define SABER_POLYVECCOMPRESSEDBYTES (SABER_K * 320) //10*256/8 NOTE : changed till here due to parameter adaptation + +#define SABER_CIPHERTEXTBYTES (SABER_POLYVECCOMPRESSEDBYTES) + +#define SABER_SCALEBYTES (SABER_DELTA*SABER_N/8) + +#define SABER_SCALEBYTES_KEM ((SABER_ET)*SABER_N/8) + +#define SABER_INDCPA_PUBLICKEYBYTES (SABER_POLYVECCOMPRESSEDBYTES + SABER_SEEDBYTES) +#define SABER_INDCPA_SECRETKEYBYTES (SABER_POLYVECBYTES) + +#define SABER_PUBLICKEYBYTES (SABER_INDCPA_PUBLICKEYBYTES) + +#define SABER_SECRETKEYBYTES (SABER_INDCPA_SECRETKEYBYTES + SABER_INDCPA_PUBLICKEYBYTES + SABER_HASHBYTES + SABER_KEYBYTES) + +#define SABER_BYTES_CCA_DEC (SABER_POLYVECCOMPRESSEDBYTES + SABER_SCALEBYTES_KEM) /* Second part is for Targhi-Unruh */ + + + + +#endif + diff --git a/crypto_kem/lightsaber/clean/api.h b/crypto_kem/lightsaber/clean/api.h new file mode 100644 index 00000000..4f73c035 --- /dev/null +++ b/crypto_kem/lightsaber/clean/api.h @@ -0,0 +1,14 @@ +#ifndef PQCLEAN_LIGHTSABER_CLEAN_API_H +#define PQCLEAN_LIGHTSABER_CLEAN_API_H + +#define PQCLEAN_LIGHTSABER_CLEAN_CRYPTO_ALGNAME "LightSaber" +#define PQCLEAN_LIGHTSABER_CLEAN_CRYPTO_SECRETKEYBYTES 1568 +#define PQCLEAN_LIGHTSABER_CLEAN_CRYPTO_PUBLICKEYBYTES (2*320+32) +#define PQCLEAN_LIGHTSABER_CLEAN_CRYPTO_BYTES 32 +#define PQCLEAN_LIGHTSABER_CLEAN_CRYPTO_CIPHERTEXTBYTES 736 + +int PQCLEAN_LIGHTSABER_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk); +int PQCLEAN_LIGHTSABER_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk); +int PQCLEAN_LIGHTSABER_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk); + +#endif /* api_h */ diff --git a/crypto_kem/lightsaber/clean/cbd.c b/crypto_kem/lightsaber/clean/cbd.c new file mode 100644 index 00000000..f6ebe4d7 --- /dev/null +++ b/crypto_kem/lightsaber/clean/cbd.c @@ -0,0 +1,51 @@ +/*--------------------------------------------------------------------- +This file has been adapted from the implementation +(available at, Public Domain https://github.com/pq-crystals/kyber) +of "CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM" +by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint, +Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle +----------------------------------------------------------------------*/ + +#include "SABER_params.h" +#include "api.h" +#include "cbd.h" +#include + +static uint64_t load_littleendian(const unsigned char *x, int bytes) { + int i; + uint64_t r = x[0]; + for (i = 1; i < bytes; i++) { + r |= (uint64_t)x[i] << (8 * i); + } + return r; +} + + +void PQCLEAN_LIGHTSABER_CLEAN_cbd(uint16_t *r, const unsigned char *buf) { + uint16_t Qmod_minus1 = SABER_Q - 1; + + uint64_t t, d, a[4], b[4]; + int i, j; + + for (i = 0; i < SABER_N / 4; i++) { + t = load_littleendian(buf + 5 * i, 5); + d = 0; + for (j = 0; j < 5; j++) { + d += (t >> j) & 0x0842108421UL; + } + + a[0] = d & 0x1f; + b[0] = (d >> 5) & 0x1f; + a[1] = (d >> 10) & 0x1f; + b[1] = (d >> 15) & 0x1f; + a[2] = (d >> 20) & 0x1f; + b[2] = (d >> 25) & 0x1f; + a[3] = (d >> 30) & 0x1f; + b[3] = (d >> 35); + + r[4 * i + 0] = (uint16_t)(a[0] - b[0]) & Qmod_minus1; + r[4 * i + 1] = (uint16_t)(a[1] - b[1]) & Qmod_minus1; + r[4 * i + 2] = (uint16_t)(a[2] - b[2]) & Qmod_minus1; + r[4 * i + 3] = (uint16_t)(a[3] - b[3]) & Qmod_minus1; + } +} diff --git a/crypto_kem/lightsaber/clean/cbd.h b/crypto_kem/lightsaber/clean/cbd.h new file mode 100644 index 00000000..37553425 --- /dev/null +++ b/crypto_kem/lightsaber/clean/cbd.h @@ -0,0 +1,17 @@ +#ifndef CBD_H +#define CBD_H + +/*--------------------------------------------------------------------- +This file has been adapted from the implementation +(available at, Public Domain https://github.com/pq-crystals/kyber) +of "CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM" +by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint, +Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle +----------------------------------------------------------------------*/ + +#include "poly.h" +#include + +void PQCLEAN_LIGHTSABER_CLEAN_cbd(uint16_t *r, const unsigned char *buf); + +#endif diff --git a/crypto_kem/lightsaber/clean/kem.c b/crypto_kem/lightsaber/clean/kem.c new file mode 100644 index 00000000..f4a5c5a3 --- /dev/null +++ b/crypto_kem/lightsaber/clean/kem.c @@ -0,0 +1,79 @@ +#include "SABER_indcpa.h" +#include "SABER_params.h" +#include "fips202.h" +#include "randombytes.h" +#include "verify.h" +#include +#include +#include + +int PQCLEAN_LIGHTSABER_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) { + int i; + + PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_keypair(pk, sk); // sk[0:SABER_INDCPA_SECRETKEYBYTES-1] <-- sk + for (i = 0; i < SABER_INDCPA_PUBLICKEYBYTES; i++) { + sk[i + SABER_INDCPA_SECRETKEYBYTES] = pk[i]; // sk[SABER_INDCPA_SECRETKEYBYTES:SABER_INDCPA_SECRETKEYBYTES+SABER_INDCPA_SECRETKEYBYTES-1] <-- pk + } + + sha3_256(sk + SABER_SECRETKEYBYTES - 64, pk, SABER_INDCPA_PUBLICKEYBYTES); // Then hash(pk) is appended. + + randombytes(sk + SABER_SECRETKEYBYTES - SABER_KEYBYTES, SABER_KEYBYTES ); // Remaining part of sk contains a pseudo-random number. + // This is output when check in crypto_kem_dec() fails. + return (0); +} + +int PQCLEAN_LIGHTSABER_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) { + + unsigned char kr[64]; // Will contain key, coins + unsigned char buf[64]; + + randombytes(buf, 32); + + sha3_256(buf, buf, 32); // BUF[0:31] <-- random message (will be used as the key for client) Note: hash doesnot release system RNG output + + sha3_256(buf + 32, pk, SABER_INDCPA_PUBLICKEYBYTES); // BUF[32:63] <-- Hash(public key); Multitarget countermeasure for coins + contributory KEM + + sha3_512(kr, buf, 64); // kr[0:63] <-- Hash(buf[0:63]); + // K^ <-- kr[0:31] + // noiseseed (r) <-- kr[32:63]; + PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_enc(buf, kr + 32, pk, ct); // buf[0:31] contains message; kr[32:63] contains randomness r; + + sha3_256(kr + 32, ct, SABER_BYTES_CCA_DEC); + + sha3_256(ss, kr, 64); // hash concatenation of pre-k and h(c) to k + + return (0); +} + + +int PQCLEAN_LIGHTSABER_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) { + int i; + unsigned char fail; + unsigned char cmp[SABER_BYTES_CCA_DEC]; + unsigned char buf[64]; + unsigned char kr[64]; // Will contain key, coins + const unsigned char *pk = sk + SABER_INDCPA_SECRETKEYBYTES; + + PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_dec(sk, ct, buf); // buf[0:31] <-- message + + + // Multitarget countermeasure for coins + contributory KEM + for (i = 0; i < 32; i++) { // Save hash by storing h(pk) in sk + buf[32 + i] = sk[SABER_SECRETKEYBYTES - 64 + i]; + } + + sha3_512(kr, buf, 64); + + PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_enc(buf, kr + 32, pk, cmp); + + + fail = PQCLEAN_LIGHTSABER_CLEAN_verify(ct, cmp, SABER_BYTES_CCA_DEC); + + sha3_256(kr + 32, ct, SABER_BYTES_CCA_DEC); // overwrite coins in kr with h(c) + + PQCLEAN_LIGHTSABER_CLEAN_cmov(kr, sk + SABER_SECRETKEYBYTES - SABER_KEYBYTES, SABER_KEYBYTES, fail); + + sha3_256(ss, kr, 64); // hash concatenation of pre-k and h(c) to k + + return (0); +} diff --git a/crypto_kem/lightsaber/clean/pack_unpack.c b/crypto_kem/lightsaber/clean/pack_unpack.c new file mode 100644 index 00000000..c93e3f22 --- /dev/null +++ b/crypto_kem/lightsaber/clean/pack_unpack.c @@ -0,0 +1,242 @@ +#include "pack_unpack.h" + +void PQCLEAN_LIGHTSABER_CLEAN_pack_3bit(uint8_t *bytes, const uint16_t *data) { + + uint32_t j; + uint32_t offset_data, offset_byte; + + for (j = 0; j < SABER_N / 8; j++) { + offset_byte = 3 * j; + offset_data = 8 * j; + bytes[offset_byte + 0] = (data[offset_data + 0] & 0x7) | ( (data[offset_data + 1] & 0x7) << 3 ) | ((data[offset_data + 2] & 0x3) << 6); + bytes[offset_byte + 1] = ((data[offset_data + 2] >> 2 ) & 0x01) | ( (data[offset_data + 3] & 0x7) << 1 ) | ( (data[offset_data + 4] & 0x7) << 4 ) | (((data[offset_data + 5]) & 0x01) << 7); + bytes[offset_byte + 2] = ((data[offset_data + 5] >> 1 ) & 0x03) | ( (data[offset_data + 6] & 0x7) << 2 ) | ( (data[offset_data + 7] & 0x7) << 5 ); + } +} + +void PQCLEAN_LIGHTSABER_CLEAN_un_pack3bit(const uint8_t *bytes, uint16_t *data) { + + uint32_t j; + uint32_t offset_data, offset_byte; + + for (j = 0; j < SABER_N / 8; j++) { + offset_byte = 3 * j; + offset_data = 8 * j; + data[offset_data + 0] = (bytes[offset_byte + 0]) & 0x07; + data[offset_data + 1] = ( (bytes[offset_byte + 0]) >> 3 ) & 0x07; + data[offset_data + 2] = ( ( (bytes[offset_byte + 0]) >> 6 ) & 0x03) | ( ( (bytes[offset_byte + 1]) & 0x01) << 2 ); + data[offset_data + 3] = ( (bytes[offset_byte + 1]) >> 1 ) & 0x07; + data[offset_data + 4] = ( (bytes[offset_byte + 1]) >> 4 ) & 0x07; + data[offset_data + 5] = ( ( (bytes[offset_byte + 1]) >> 7 ) & 0x01) | ( ( (bytes[offset_byte + 2]) & 0x03) << 1 ); + data[offset_data + 6] = ( (bytes[offset_byte + 2] >> 2) & 0x07 ); + data[offset_data + 7] = ( (bytes[offset_byte + 2] >> 5) & 0x07 ); + } + +} + +void PQCLEAN_LIGHTSABER_CLEAN_pack_4bit(uint8_t *bytes, const uint16_t *data) { + + uint32_t j; + uint32_t offset_data; + + for (j = 0; j < SABER_N / 2; j++) { + offset_data = 2 * j; + bytes[j] = (data[offset_data] & 0x0f) | ( (data[offset_data + 1] & 0x0f) << 4 ); + } +} + +void PQCLEAN_LIGHTSABER_CLEAN_un_pack4bit(const unsigned char *bytes, uint16_t *ar) { + + uint32_t j; + uint32_t offset_data; + + for (j = 0; j < SABER_N / 2; j++) { + offset_data = 2 * j; + ar[offset_data] = bytes[j] & 0x0f; + ar[offset_data + 1] = (bytes[j] >> 4) & 0x0f; + } +} + +void PQCLEAN_LIGHTSABER_CLEAN_pack_6bit(uint8_t *bytes, const uint16_t *data) { + uint32_t j; + uint32_t offset_data, offset_byte; + + for (j = 0; j < SABER_N / 4; j++) { + offset_byte = 3 * j; + offset_data = 4 * j; + bytes[offset_byte + 0] = (data[offset_data + 0] & 0x3f) | ((data[offset_data + 1] & 0x03) << 6); + bytes[offset_byte + 1] = ((data[offset_data + 1] >> 2) & 0x0f) | ((data[offset_data + 2] & 0x0f) << 4); + bytes[offset_byte + 2] = ((data[offset_data + 2] >> 4) & 0x03) | ((data[offset_data + 3] & 0x3f) << 2); + } +} + + +void PQCLEAN_LIGHTSABER_CLEAN_un_pack6bit(const unsigned char *bytes, uint16_t *data) { + uint32_t j; + uint32_t offset_data, offset_byte; + + for (j = 0; j < SABER_N / 4; j++) { + offset_byte = 3 * j; + offset_data = 4 * j; + data[offset_data + 0] = bytes[offset_byte + 0] & 0x3f; + data[offset_data + 1] = ((bytes[offset_byte + 0] >> 6) & 0x03) | ((bytes[offset_byte + 1] & 0x0f) << 2) ; + data[offset_data + 2] = ((bytes[offset_byte + 1] & 0xff) >> 4) | ((bytes[offset_byte + 2] & 0x03) << 4) ; + data[offset_data + 3] = ((bytes[offset_byte + 2] & 0xff) >> 2); + } + +} + + +static void POLVECp2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N]) { + uint32_t i, j; + uint32_t offset_data, offset_byte, offset_byte1; + + for (i = 0; i < SABER_K; i++) { + offset_byte1 = i * (SABER_N * 10) / 8; + for (j = 0; j < SABER_N / 4; j++) { + offset_byte = offset_byte1 + 5 * j; + offset_data = 4 * j; + bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff)); + + bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x03 ) | ((data[i][ offset_data + 1 ] & 0x3f) << 2); + + bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 6) & 0x0f ) | ( (data[i][ offset_data + 2 ] & 0x0f) << 4); + + bytes[offset_byte + 3] = ( (data[i][ offset_data + 2 ] >> 4) & 0x3f ) | ((data[i][ offset_data + 3 ] & 0x03) << 6); + + bytes[offset_byte + 4] = ( (data[i][ offset_data + 3 ] >> 2) & 0xff ); + } + } + + +} + +static void BS2POLVECp(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N]) { + + uint32_t i, j; + uint32_t offset_data, offset_byte, offset_byte1; + + for (i = 0; i < SABER_K; i++) { + offset_byte1 = i * (SABER_N * 10) / 8; + for (j = 0; j < SABER_N / 4; j++) { + offset_byte = offset_byte1 + 5 * j; + offset_data = 4 * j; + data[i][offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[ offset_byte + 1 ] & 0x03) << 8); + data[i][offset_data + 1] = ( (bytes[ offset_byte + 1 ] >> 2) & (0x3f)) | ((bytes[ offset_byte + 2 ] & 0x0f) << 6); + data[i][offset_data + 2] = ( (bytes[ offset_byte + 2 ] >> 4) & (0x0f)) | ((bytes[ offset_byte + 3 ] & 0x3f) << 4); + data[i][offset_data + 3] = ( (bytes[ offset_byte + 3 ] >> 6) & (0x03)) | ((bytes[ offset_byte + 4 ] & 0xff) << 2); + + } + } + + +} + + + +static void POLVECq2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N]) { + + uint32_t i, j; + uint32_t offset_data, offset_byte, offset_byte1; + + for (i = 0; i < SABER_K; i++) { + offset_byte1 = i * (SABER_N * 13) / 8; + for (j = 0; j < SABER_N / 8; j++) { + offset_byte = offset_byte1 + 13 * j; + offset_data = 8 * j; + bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff)); + + bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x1f ) | ((data[i][ offset_data + 1 ] & 0x07) << 5); + + bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 3) & 0xff ); + + bytes[offset_byte + 3] = ( (data[i][ offset_data + 1 ] >> 11) & 0x03 ) | ((data[i][ offset_data + 2 ] & 0x3f) << 2); + + bytes[offset_byte + 4] = ( (data[i][ offset_data + 2 ] >> 6) & 0x7f ) | ( (data[i][ offset_data + 3 ] & 0x01) << 7 ); + + bytes[offset_byte + 5] = ( (data[i][ offset_data + 3 ] >> 1) & 0xff ); + + bytes[offset_byte + 6] = ( (data[i][ offset_data + 3 ] >> 9) & 0x0f ) | ( (data[i][ offset_data + 4 ] & 0x0f) << 4 ); + + bytes[offset_byte + 7] = ( (data[i][ offset_data + 4] >> 4) & 0xff ); + + bytes[offset_byte + 8] = ( (data[i][ offset_data + 4 ] >> 12) & 0x01 ) | ( (data[i][ offset_data + 5 ] & 0x7f) << 1 ); + + bytes[offset_byte + 9] = ( (data[i][ offset_data + 5 ] >> 7) & 0x3f ) | ( (data[i][ offset_data + 6 ] & 0x03) << 6 ); + + bytes[offset_byte + 10] = ( (data[i][ offset_data + 6 ] >> 2) & 0xff ); + + bytes[offset_byte + 11] = ( (data[i][ offset_data + 6 ] >> 10) & 0x07 ) | ( (data[i][ offset_data + 7 ] & 0x1f) << 3 ); + + bytes[offset_byte + 12] = ( (data[i][ offset_data + 7 ] >> 5) & 0xff ); + + } + } + + +} + +static void BS2POLVECq(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N]) { + + uint32_t i, j; + uint32_t offset_data, offset_byte, offset_byte1; + + for (i = 0; i < SABER_K; i++) { + offset_byte1 = i * (SABER_N * 13) / 8; + for (j = 0; j < SABER_N / 8; j++) { + offset_byte = offset_byte1 + 13 * j; + offset_data = 8 * j; + data[i][offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[offset_byte + 1] & 0x1f) << 8); + data[i][offset_data + 1] = ( bytes[ offset_byte + 1 ] >> 5 & (0x07)) | ((bytes[offset_byte + 2] & 0xff) << 3) | ((bytes[offset_byte + 3] & 0x03) << 11); + data[i][offset_data + 2] = ( bytes[ offset_byte + 3 ] >> 2 & (0x3f)) | ((bytes[offset_byte + 4] & 0x7f) << 6); + data[i][offset_data + 3] = ( bytes[ offset_byte + 4 ] >> 7 & (0x01)) | ((bytes[offset_byte + 5] & 0xff) << 1) | ((bytes[offset_byte + 6] & 0x0f) << 9); + data[i][offset_data + 4] = ( bytes[ offset_byte + 6 ] >> 4 & (0x0f)) | ((bytes[offset_byte + 7] & 0xff) << 4) | ((bytes[offset_byte + 8] & 0x01) << 12); + data[i][offset_data + 5] = ( bytes[ offset_byte + 8] >> 1 & (0x7f)) | ((bytes[offset_byte + 9] & 0x3f) << 7); + data[i][offset_data + 6] = ( bytes[ offset_byte + 9] >> 6 & (0x03)) | ((bytes[offset_byte + 10] & 0xff) << 2) | ((bytes[offset_byte + 11] & 0x07) << 10); + data[i][offset_data + 7] = ( bytes[ offset_byte + 11] >> 3 & (0x1f)) | ((bytes[offset_byte + 12] & 0xff) << 5); + } + } + + +} + +void PQCLEAN_LIGHTSABER_CLEAN_BS2POL(const unsigned char *bytes, uint16_t data[SABER_N]) { //only BS2POLq no BS2POLp + + uint32_t j; + uint32_t offset_data, offset_byte; + + for (j = 0; j < SABER_N / 8; j++) { + offset_byte = 13 * j; + offset_data = 8 * j; + data[offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[offset_byte + 1] & 0x1f) << 8); + data[offset_data + 1] = ( bytes[ offset_byte + 1 ] >> 5 & (0x07)) | ((bytes[offset_byte + 2] & 0xff) << 3) | ((bytes[offset_byte + 3] & 0x03) << 11); + data[offset_data + 2] = ( bytes[ offset_byte + 3 ] >> 2 & (0x3f)) | ((bytes[offset_byte + 4] & 0x7f) << 6); + data[offset_data + 3] = ( bytes[ offset_byte + 4 ] >> 7 & (0x01)) | ((bytes[offset_byte + 5] & 0xff) << 1) | ((bytes[offset_byte + 6] & 0x0f) << 9); + data[offset_data + 4] = ( bytes[ offset_byte + 6 ] >> 4 & (0x0f)) | ((bytes[offset_byte + 7] & 0xff) << 4) | ((bytes[offset_byte + 8] & 0x01) << 12); + data[offset_data + 5] = ( bytes[ offset_byte + 8] >> 1 & (0x7f)) | ((bytes[offset_byte + 9] & 0x3f) << 7); + data[offset_data + 6] = ( bytes[ offset_byte + 9] >> 6 & (0x03)) | ((bytes[offset_byte + 10] & 0xff) << 2) | ((bytes[offset_byte + 11] & 0x07) << 10); + data[offset_data + 7] = ( bytes[ offset_byte + 11] >> 3 & (0x1f)) | ((bytes[offset_byte + 12] & 0xff) << 5); + } + + +} + + +void PQCLEAN_LIGHTSABER_CLEAN_POLVEC2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus) { + + if (modulus == 1024) { + POLVECp2BS(bytes, data); + } else if (modulus == 8192) { + POLVECq2BS(bytes, data); + } +} + +void PQCLEAN_LIGHTSABER_CLEAN_BS2POLVEC(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus) { + + if (modulus == 1024) { + BS2POLVECp(bytes, data); + } else if (modulus == 8192) { + BS2POLVECq(bytes, data); + } + +} diff --git a/crypto_kem/lightsaber/clean/pack_unpack.h b/crypto_kem/lightsaber/clean/pack_unpack.h new file mode 100644 index 00000000..86fd2fad --- /dev/null +++ b/crypto_kem/lightsaber/clean/pack_unpack.h @@ -0,0 +1,28 @@ +#ifndef PACK_UNPACK_H +#define PACK_UNPACK_H + +#include "SABER_params.h" +#include +#include + + +void PQCLEAN_LIGHTSABER_CLEAN_pack_3bit(uint8_t *bytes, const uint16_t *data); + +void PQCLEAN_LIGHTSABER_CLEAN_un_pack3bit(const uint8_t *bytes, uint16_t *data); + +void PQCLEAN_LIGHTSABER_CLEAN_pack_4bit(uint8_t *bytes, const uint16_t *data); + +void PQCLEAN_LIGHTSABER_CLEAN_un_pack4bit(const unsigned char *bytes, uint16_t *ar); + +void PQCLEAN_LIGHTSABER_CLEAN_pack_6bit(uint8_t *bytes, const uint16_t *data); + +void PQCLEAN_LIGHTSABER_CLEAN_un_pack6bit(const unsigned char *bytes, uint16_t *data); + + +void PQCLEAN_LIGHTSABER_CLEAN_BS2POL(const unsigned char *bytes, uint16_t data[SABER_N]); + +void PQCLEAN_LIGHTSABER_CLEAN_POLVEC2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus); + +void PQCLEAN_LIGHTSABER_CLEAN_BS2POLVEC(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus); + +#endif diff --git a/crypto_kem/lightsaber/clean/poly.c b/crypto_kem/lightsaber/clean/poly.c new file mode 100644 index 00000000..fc86ab3c --- /dev/null +++ b/crypto_kem/lightsaber/clean/poly.c @@ -0,0 +1,21 @@ +/*--------------------------------------------------------------------- +This file has been adapted from the implementation +(available at, Public Domain https://github.com/pq-crystals/kyber) +of "CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM" +by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint, +Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle +----------------------------------------------------------------------*/ +#include "SABER_params.h" +#include "cbd.h" +#include "fips202.h" +#include "poly.h" + +void PQCLEAN_LIGHTSABER_CLEAN_GenSecret(uint16_t r[SABER_K][SABER_N], const unsigned char *seed) { + uint8_t buf[SABER_MU * SABER_N * SABER_K / 8]; + + shake128(buf, sizeof(buf), seed, SABER_NOISESEEDBYTES); + + for (size_t i = 0; i < SABER_K; i++) { + PQCLEAN_LIGHTSABER_CLEAN_cbd(r[i], buf + i * SABER_MU * SABER_N / 8); + } +} diff --git a/crypto_kem/lightsaber/clean/poly.h b/crypto_kem/lightsaber/clean/poly.h new file mode 100644 index 00000000..47ceeebb --- /dev/null +++ b/crypto_kem/lightsaber/clean/poly.h @@ -0,0 +1,26 @@ +#ifndef POLY_H +#define POLY_H + +/*--------------------------------------------------------------------- +This file has been adapted from the implementation +(available at, Public Domain https://github.com/pq-crystals/kyber) +of "CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM" +by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint, +Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle +----------------------------------------------------------------------*/ + + +#include "SABER_params.h" +#include + +typedef struct { + uint16_t coeffs[SABER_N]; +} poly; + +typedef struct { + poly vec[SABER_K]; +} polyvec; + +void PQCLEAN_LIGHTSABER_CLEAN_GenSecret(uint16_t r[SABER_K][SABER_N], const unsigned char *seed); + +#endif diff --git a/crypto_kem/lightsaber/clean/poly_mul.c b/crypto_kem/lightsaber/clean/poly_mul.c new file mode 100644 index 00000000..ddc7c9a2 --- /dev/null +++ b/crypto_kem/lightsaber/clean/poly_mul.c @@ -0,0 +1,22 @@ +#include "poly_mul.h" +#include "SABER_params.h" +#include +#include + + +void PQCLEAN_LIGHTSABER_CLEAN_pol_mul(const uint16_t *a, const uint16_t *b, uint16_t *res, uint16_t p, uint32_t n) { + // Polynomial multiplication using the schoolbook method, c[x] = a[x]*b[x] + + // normal multiplication + uint16_t c[2 * SABER_N] = {0}; + for (size_t i = 0; i < SABER_N; i++) { + for (size_t j = 0; j < SABER_N; j++) { + c[i + j] += a[i] * b[j]; + } + } + + // reduction + for (size_t i = n; i < 2 * n; i++) { + res[i - n] = (c[i - n] - c[i]) & (p - 1); + } +} diff --git a/crypto_kem/lightsaber/clean/poly_mul.h b/crypto_kem/lightsaber/clean/poly_mul.h new file mode 100644 index 00000000..adc877aa --- /dev/null +++ b/crypto_kem/lightsaber/clean/poly_mul.h @@ -0,0 +1,9 @@ +#ifndef POLYMUL_H +#define POLYMUL_H + +#include "SABER_params.h" +#include + +void PQCLEAN_LIGHTSABER_CLEAN_pol_mul(const uint16_t *a, const uint16_t *b, uint16_t *res, uint16_t p, uint32_t n); + +#endif diff --git a/crypto_kem/lightsaber/clean/verify.c b/crypto_kem/lightsaber/clean/verify.c new file mode 100644 index 00000000..52c6969b --- /dev/null +++ b/crypto_kem/lightsaber/clean/verify.c @@ -0,0 +1,34 @@ +/*------------------------------------------------- +This file has been adapted from the implementation +(available at https://github.com/pq-crystals/kyber) of +"CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM" + by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint, +Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle +----------------------------------------------------*/ +#include "verify.h" +#include + +/* returns 0 for equal strings, 1 for non-equal strings */ +unsigned char PQCLEAN_LIGHTSABER_CLEAN_verify(const unsigned char *a, const unsigned char *b, size_t len) { + uint64_t r; + size_t i; + + r = 0; + for (i = 0; i < len; i++) { + r |= a[i] ^ b[i]; + } + + r = (~r + 1); // Two's complement + r >>= 63; + return (unsigned char)r; +} + +/* b = 1 means mov, b = 0 means don't mov*/ +void PQCLEAN_LIGHTSABER_CLEAN_cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b) { + size_t i; + + b = -b; + for (i = 0; i < len; i++) { + r[i] ^= b & (x[i] ^ r[i]); + } +} diff --git a/crypto_kem/lightsaber/clean/verify.h b/crypto_kem/lightsaber/clean/verify.h new file mode 100644 index 00000000..32c2adb5 --- /dev/null +++ b/crypto_kem/lightsaber/clean/verify.h @@ -0,0 +1,21 @@ +#ifndef VERIFY_H +#define VERIFY_H + +/*------------------------------------------------- +This file has been adapted from the implementation +(available at https://github.com/pq-crystals/kyber) of +"CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM" + by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint, +Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle +----------------------------------------------------*/ + +#include +#include + +/* returns 0 for equal strings, 1 for non-equal strings */ +unsigned char PQCLEAN_LIGHTSABER_CLEAN_verify(const unsigned char *a, const unsigned char *b, size_t len); + +/* b = 1 means mov, b = 0 means don't mov*/ +void PQCLEAN_LIGHTSABER_CLEAN_cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b); + +#endif From 6aafbd56f2d1f384452f1c209d6e5fb43771b58b Mon Sep 17 00:00:00 2001 From: "Matthias J. Kannwischer" Date: Tue, 18 Jun 2019 16:37:25 +0200 Subject: [PATCH 12/20] add firesaber --- crypto_kem/firesaber/META.yml | 13 + crypto_kem/firesaber/clean/LICENSE | 1 + crypto_kem/firesaber/clean/Makefile | 19 + .../firesaber/clean/Makefile.Microsoft_nmake | 19 + crypto_kem/firesaber/clean/SABER_indcpa.c | 335 ++++++++++++++++++ crypto_kem/firesaber/clean/SABER_indcpa.h | 9 + crypto_kem/firesaber/clean/SABER_params.h | 49 +++ crypto_kem/firesaber/clean/api.h | 14 + crypto_kem/firesaber/clean/cbd.c | 52 +++ crypto_kem/firesaber/clean/cbd.h | 17 + crypto_kem/firesaber/clean/kem.c | 79 +++++ crypto_kem/firesaber/clean/pack_unpack.c | 242 +++++++++++++ crypto_kem/firesaber/clean/pack_unpack.h | 28 ++ crypto_kem/firesaber/clean/poly.c | 21 ++ crypto_kem/firesaber/clean/poly.h | 26 ++ crypto_kem/firesaber/clean/poly_mul.c | 22 ++ crypto_kem/firesaber/clean/poly_mul.h | 9 + crypto_kem/firesaber/clean/verify.c | 34 ++ crypto_kem/firesaber/clean/verify.h | 21 ++ 19 files changed, 1010 insertions(+) create mode 100644 crypto_kem/firesaber/META.yml create mode 100644 crypto_kem/firesaber/clean/LICENSE create mode 100644 crypto_kem/firesaber/clean/Makefile create mode 100644 crypto_kem/firesaber/clean/Makefile.Microsoft_nmake create mode 100644 crypto_kem/firesaber/clean/SABER_indcpa.c create mode 100644 crypto_kem/firesaber/clean/SABER_indcpa.h create mode 100644 crypto_kem/firesaber/clean/SABER_params.h create mode 100644 crypto_kem/firesaber/clean/api.h create mode 100644 crypto_kem/firesaber/clean/cbd.c create mode 100644 crypto_kem/firesaber/clean/cbd.h create mode 100644 crypto_kem/firesaber/clean/kem.c create mode 100644 crypto_kem/firesaber/clean/pack_unpack.c create mode 100644 crypto_kem/firesaber/clean/pack_unpack.h create mode 100644 crypto_kem/firesaber/clean/poly.c create mode 100644 crypto_kem/firesaber/clean/poly.h create mode 100644 crypto_kem/firesaber/clean/poly_mul.c create mode 100644 crypto_kem/firesaber/clean/poly_mul.h create mode 100644 crypto_kem/firesaber/clean/verify.c create mode 100644 crypto_kem/firesaber/clean/verify.h diff --git a/crypto_kem/firesaber/META.yml b/crypto_kem/firesaber/META.yml new file mode 100644 index 00000000..ec3da894 --- /dev/null +++ b/crypto_kem/firesaber/META.yml @@ -0,0 +1,13 @@ +name: FireSaber +type: kem +claimed-nist-level: 5 +claimed-security: IND-CCA2 +length-public-key: 1312 +length-ciphertext: 1472 +length-secret-key: 3040 +length-shared-secret: 32 +nistkat-sha256: 937d9b2e139112e13d4093a6afe715deff476e4d578208b9e8e1809de43835cd +principal-submitter: Jan-Pieter D'Anvers, Angshuman Karmakar, Sujoy Sinha Roy, Frederik Vercauteren +implementations: + - name: clean + version: https://github.com/KULeuven-COSIC/SABER/commit/14ede83f1ff3bcc41f0464543542366c68b55871 diff --git a/crypto_kem/firesaber/clean/LICENSE b/crypto_kem/firesaber/clean/LICENSE new file mode 100644 index 00000000..1333ed77 --- /dev/null +++ b/crypto_kem/firesaber/clean/LICENSE @@ -0,0 +1 @@ +TODO diff --git a/crypto_kem/firesaber/clean/Makefile b/crypto_kem/firesaber/clean/Makefile new file mode 100644 index 00000000..e00112e8 --- /dev/null +++ b/crypto_kem/firesaber/clean/Makefile @@ -0,0 +1,19 @@ +# This Makefile can be used with GNU Make or BSD Make + +LIB=libfiresaber_clean.a +HEADERS=api.h cbd.h poly.h poly_mul.h SABER_indcpa.h SABER_params.h verify.h pack_unpack.h +OBJECTS=cbd.o kem.o pack_unpack.o poly.o poly_mul.o SABER_indcpa.o verify.o + +CFLAGS=-O3 -Wall -Wextra -Wpedantic -Werror -Wmissing-prototypes -Wredundant-decls -std=c99 -I../../../common $(EXTRAFLAGS) + +all: $(LIB) + +%.o: %.c $(HEADERS) + $(CC) $(CFLAGS) -c -o $@ $< + +$(LIB): $(OBJECTS) + $(AR) -r $@ $(OBJECTS) + +clean: + $(RM) $(OBJECTS) + $(RM) $(LIB) diff --git a/crypto_kem/firesaber/clean/Makefile.Microsoft_nmake b/crypto_kem/firesaber/clean/Makefile.Microsoft_nmake new file mode 100644 index 00000000..99927392 --- /dev/null +++ b/crypto_kem/firesaber/clean/Makefile.Microsoft_nmake @@ -0,0 +1,19 @@ +# This Makefile can be used with Microsoft Visual Studio's nmake using the command: +# nmake /f Makefile.Microsoft_nmake + +LIBRARY=libfiresaber_clean.lib +OBJECTS=cbd.obj kem.obj pack_unpack.obj poly.obj poly_mul.obj SABER_indcpa.obj verify.obj + +CFLAGS=/nologo /I ..\..\..\common /W4 /WX + +all: $(LIBRARY) + +# Make sure objects are recompiled if headers change. +$(OBJECTS): *.h + +$(LIBRARY): $(OBJECTS) + LIB.EXE /NOLOGO /WX /OUT:$@ $** + +clean: + -DEL $(OBJECTS) + -DEL $(LIBRARY) diff --git a/crypto_kem/firesaber/clean/SABER_indcpa.c b/crypto_kem/firesaber/clean/SABER_indcpa.c new file mode 100644 index 00000000..552b0907 --- /dev/null +++ b/crypto_kem/firesaber/clean/SABER_indcpa.c @@ -0,0 +1,335 @@ +#include "SABER_indcpa.h" +#include "SABER_params.h" +#include "fips202.h" +#include "pack_unpack.h" +#include "poly.h" +#include "poly_mul.h" +#include "randombytes.h" +#include +#include + + + +/*----------------------------------------------------------------------------------- + This routine generates a=[Matrix K x K] of 256-coefficient polynomials +-------------------------------------------------------------------------------------*/ + +#define h1 4 //2^(EQ-EP-1) + +#define h2 ( (1<<(SABER_EP-2)) - (1<<(SABER_EP-SABER_ET-1)) + (1<<(SABER_EQ-SABER_EP-1)) ) + +static void InnerProd(uint16_t pkcl[SABER_K][SABER_N], uint16_t skpv[SABER_K][SABER_N], uint16_t mod, uint16_t res[SABER_N]); +static void MatrixVectorMul(polyvec *a, uint16_t skpv[SABER_K][SABER_N], uint16_t res[SABER_K][SABER_N], uint16_t mod, int16_t transpose); + +static void POL2MSG(const uint16_t *message_dec_unpacked, unsigned char *message_dec); + +static void GenMatrix(polyvec *a, const unsigned char *seed) { + unsigned char buf[SABER_K * SABER_K * (13 * SABER_N / 8)]; + + uint16_t temp_ar[SABER_N]; + + int i, j, k; + uint16_t mod = (SABER_Q - 1); + + shake128(buf, sizeof(buf), seed, SABER_SEEDBYTES); + + for (i = 0; i < SABER_K; i++) { + for (j = 0; j < SABER_K; j++) { + PQCLEAN_FIRESABER_CLEAN_BS2POL(buf + (i * SABER_K + j) * (13 * SABER_N / 8), temp_ar); + for (k = 0; k < SABER_N; k++) { + a[i].vec[j].coeffs[k] = (temp_ar[k])& mod ; + } + } + } +} + + +void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_keypair(unsigned char *pk, unsigned char *sk) { + polyvec a[SABER_K];// skpv; + + uint16_t skpv[SABER_K][SABER_N]; + + unsigned char seed[SABER_SEEDBYTES]; + unsigned char noiseseed[SABER_COINBYTES]; + int32_t i, j; + uint16_t mod_q = SABER_Q - 1; + + + uint16_t res[SABER_K][SABER_N]; + + randombytes(seed, SABER_SEEDBYTES); + shake128(seed, SABER_SEEDBYTES, seed, SABER_SEEDBYTES); // for not revealing system RNG state + randombytes(noiseseed, SABER_COINBYTES); + + GenMatrix(a, seed); //sample matrix A + + PQCLEAN_FIRESABER_CLEAN_GenSecret(skpv, noiseseed); //generate secret from constant-time binomial distribution + + //------------------------do the matrix vector multiplication and rounding------------ + + for (i = 0; i < SABER_K; i++) { + for (j = 0; j < SABER_N; j++) { + res[i][j] = 0; + } + } + + MatrixVectorMul(a, skpv, res, SABER_Q - 1, 1); + + //-----now rounding + for (i = 0; i < SABER_K; i++) { //shift right 3 bits + for (j = 0; j < SABER_N; j++) { + res[i][j] = (res[i][j] + h1) & (mod_q); + res[i][j] = (res[i][j] >> (SABER_EQ - SABER_EP)); + } + } + + //------------------unload and pack sk=3 x (256 coefficients of 14 bits)------- + + PQCLEAN_FIRESABER_CLEAN_POLVEC2BS(sk, skpv, SABER_Q); + + //------------------unload and pack pk=256 bits seed and 3 x (256 coefficients of 11 bits)------- + + + PQCLEAN_FIRESABER_CLEAN_POLVEC2BS(pk, res, SABER_P); // load the public-key coefficients + + + + for (i = 0; i < SABER_SEEDBYTES; i++) { // now load the seedbytes in PK. Easy since seed bytes are kept in byte format. + pk[SABER_POLYVECCOMPRESSEDBYTES + i] = seed[i]; + } + +} + + +void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_enc(const unsigned char *message_received, unsigned char *noiseseed, const unsigned char *pk, unsigned char *ciphertext) { + uint32_t i, j, k; + polyvec a[SABER_K]; // skpv; + unsigned char seed[SABER_SEEDBYTES]; + uint16_t pkcl[SABER_K][SABER_N]; //public key of received by the client + + + + uint16_t skpv1[SABER_K][SABER_N]; + + uint16_t message[SABER_KEYBYTES * 8]; + + uint16_t res[SABER_K][SABER_N]; + uint16_t mod_p = SABER_P - 1; + uint16_t mod_q = SABER_Q - 1; + + uint16_t vprime[SABER_N]; + + + + unsigned char msk_c[SABER_SCALEBYTES_KEM]; + + for (i = 0; i < SABER_SEEDBYTES; i++) { // extract the seedbytes from Public Key. + seed[i] = pk[ SABER_POLYVECCOMPRESSEDBYTES + i]; + } + + GenMatrix(a, seed); + + PQCLEAN_FIRESABER_CLEAN_GenSecret(skpv1, noiseseed); //generate secret from constant-time binomial distribution + + //-----------------matrix-vector multiplication and rounding + + for (i = 0; i < SABER_K; i++) { + for (j = 0; j < SABER_N; j++) { + res[i][j] = 0; + } + } + + MatrixVectorMul(a, skpv1, res, SABER_Q - 1, 0); + + //-----now rounding + + for (i = 0; i < SABER_K; i++) { //shift right 3 bits + for (j = 0; j < SABER_N; j++) { + res[i][j] = ( res[i][j] + h1 ) & mod_q; + res[i][j] = (res[i][j] >> (SABER_EQ - SABER_EP) ); + } + } + + PQCLEAN_FIRESABER_CLEAN_POLVEC2BS(ciphertext, res, SABER_P); + +//*******************client matrix-vector multiplication ends************************************ + + //------now calculate the v' + + //-------unpack the public_key + + //pkcl is the b in the protocol + PQCLEAN_FIRESABER_CLEAN_BS2POLVEC(pk, pkcl, SABER_P); + + + + for (i = 0; i < SABER_N; i++) { + vprime[i] = 0; + } + + for (i = 0; i < SABER_K; i++) { + for (j = 0; j < SABER_N; j++) { + skpv1[i][j] = skpv1[i][j] & (mod_p); + } + } + + // vector-vector scalar multiplication with mod p + InnerProd(pkcl, skpv1, mod_p, vprime); + + //addition of h1 to vprime + for (i = 0; i < SABER_N; i++) { + vprime[i] = vprime[i] + h1; + } + + + // unpack message_received; + for (j = 0; j < SABER_KEYBYTES; j++) { + for (i = 0; i < 8; i++) { + message[8 * j + i] = ((message_received[j] >> i) & 0x01); + } + } + + // message encoding + for (i = 0; i < SABER_N; i++) { + message[i] = (message[i] << (SABER_EP - 1)); + } + + + + + for (k = 0; k < SABER_N; k++) { + vprime[k] = ( (vprime[k] - message[k]) & (mod_p) ) >> (SABER_EP - SABER_ET); + } + + + PQCLEAN_FIRESABER_CLEAN_pack_6bit(msk_c, vprime); + + + for (j = 0; j < SABER_SCALEBYTES_KEM; j++) { + ciphertext[SABER_POLYVECCOMPRESSEDBYTES + j] = msk_c[j]; + } +} + + +void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_dec(const unsigned char *sk, const unsigned char *ciphertext, unsigned char message_dec[]) { + + uint32_t i, j; + + + uint16_t sksv[SABER_K][SABER_N]; //secret key of the server + + + uint16_t pksv[SABER_K][SABER_N]; + + uint8_t scale_ar[SABER_SCALEBYTES_KEM]; + + uint16_t mod_p = SABER_P - 1; + + uint16_t v[SABER_N]; + + uint16_t op[SABER_N]; + + + PQCLEAN_FIRESABER_CLEAN_BS2POLVEC(sk, sksv, SABER_Q); //sksv is the secret-key + PQCLEAN_FIRESABER_CLEAN_BS2POLVEC(ciphertext, pksv, SABER_P); //pksv is the ciphertext + + // vector-vector scalar multiplication with mod p + for (i = 0; i < SABER_N; i++) { + v[i] = 0; + } + + for (i = 0; i < SABER_K; i++) { + for (j = 0; j < SABER_N; j++) { + sksv[i][j] = sksv[i][j] & (mod_p); + } + } + + InnerProd(pksv, sksv, mod_p, v); + + + //Extraction + for (i = 0; i < SABER_SCALEBYTES_KEM; i++) { + scale_ar[i] = ciphertext[SABER_POLYVECCOMPRESSEDBYTES + i]; + } + + PQCLEAN_FIRESABER_CLEAN_un_pack6bit(scale_ar, op); + + + //addition of h1 + for (i = 0; i < SABER_N; i++) { + v[i] = ( ( v[i] + h2 - (op[i] << (SABER_EP - SABER_ET)) ) & (mod_p) ) >> (SABER_EP - 1); + } + + // pack decrypted message + + POL2MSG(v, message_dec); + + +} +static void MatrixVectorMul(polyvec *a, uint16_t skpv[SABER_K][SABER_N], uint16_t res[SABER_K][SABER_N], uint16_t mod, int16_t transpose) { + + uint16_t acc[SABER_N]; + int32_t i, j, k; + + if (transpose == 1) { + for (i = 0; i < SABER_K; i++) { + for (j = 0; j < SABER_K; j++) { + PQCLEAN_FIRESABER_CLEAN_pol_mul((uint16_t *)&a[j].vec[i], skpv[j], acc, SABER_Q, SABER_N); + + for (k = 0; k < SABER_N; k++) { + res[i][k] = res[i][k] + acc[k]; + res[i][k] = (res[i][k] & mod); //reduction mod p + acc[k] = 0; //clear the accumulator + } + + } + } + } else { + + for (i = 0; i < SABER_K; i++) { + for (j = 0; j < SABER_K; j++) { + PQCLEAN_FIRESABER_CLEAN_pol_mul((uint16_t *)&a[i].vec[j], skpv[j], acc, SABER_Q, SABER_N); + for (k = 0; k < SABER_N; k++) { + res[i][k] = res[i][k] + acc[k]; + res[i][k] = res[i][k] & mod; //reduction + acc[k] = 0; //clear the accumulator + } + + } + } + } + + +} + +static void POL2MSG(const uint16_t *message_dec_unpacked, unsigned char *message_dec) { + + int32_t i, j; + + for (j = 0; j < SABER_KEYBYTES; j++) { + message_dec[j] = 0; + for (i = 0; i < 8; i++) { + message_dec[j] = message_dec[j] | (uint8_t) (message_dec_unpacked[j * 8 + i] << i); + } + } + +} + + +static void InnerProd(uint16_t pkcl[SABER_K][SABER_N], uint16_t skpv[SABER_K][SABER_N], uint16_t mod, uint16_t res[SABER_N]) { + + + uint32_t j, k; + uint16_t acc[SABER_N]; + + // vector-vector scalar multiplication with mod p + for (j = 0; j < SABER_K; j++) { + PQCLEAN_FIRESABER_CLEAN_pol_mul(pkcl[j], skpv[j], acc, SABER_P, SABER_N); + + for (k = 0; k < SABER_N; k++) { + res[k] = res[k] + acc[k]; + res[k] = res[k] & mod; //reduction + acc[k] = 0; //clear the accumulator + } + } +} diff --git a/crypto_kem/firesaber/clean/SABER_indcpa.h b/crypto_kem/firesaber/clean/SABER_indcpa.h new file mode 100644 index 00000000..6007352d --- /dev/null +++ b/crypto_kem/firesaber/clean/SABER_indcpa.h @@ -0,0 +1,9 @@ +#ifndef INDCPA_H +#define INDCPA_H + +void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_keypair(unsigned char *pk, unsigned char *sk); +void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_enc(const unsigned char *message, unsigned char *noiseseed, const unsigned char *pk, unsigned char *ciphertext); +void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_dec(const unsigned char *sk, const unsigned char *ciphertext, unsigned char *message_dec); + +#endif + diff --git a/crypto_kem/firesaber/clean/SABER_params.h b/crypto_kem/firesaber/clean/SABER_params.h new file mode 100644 index 00000000..b0d517f8 --- /dev/null +++ b/crypto_kem/firesaber/clean/SABER_params.h @@ -0,0 +1,49 @@ +#ifndef PARAMS_H +#define PARAMS_H + +#include "api.h" + +#define SABER_K 4 +#define SABER_MU 6 +#define SABER_ET 6 + +#define SABER_EQ 13 +#define SABER_EP 10 + +#define SABER_N 256 +#define SABER_Q 8192 +#define SABER_P 1024 + +#define SABER_SEEDBYTES 32 +#define SABER_NOISESEEDBYTES 32 +#define SABER_COINBYTES 32 +#define SABER_KEYBYTES 32 + +#define SABER_HASHBYTES 32 + +#define SABER_POLYBYTES 416 //13*256/8 + +#define SABER_POLYVECBYTES (SABER_K * SABER_POLYBYTES) + +#define SABER_POLYVECCOMPRESSEDBYTES (SABER_K * 320) //10*256/8 NOTE : changed till here due to parameter adaptation + +#define SABER_CIPHERTEXTBYTES (SABER_POLYVECCOMPRESSEDBYTES) + +#define SABER_SCALEBYTES (SABER_DELTA*SABER_N/8) + +#define SABER_SCALEBYTES_KEM ((SABER_ET)*SABER_N/8) + +#define SABER_INDCPA_PUBLICKEYBYTES (SABER_POLYVECCOMPRESSEDBYTES + SABER_SEEDBYTES) +#define SABER_INDCPA_SECRETKEYBYTES (SABER_POLYVECBYTES) + +#define SABER_PUBLICKEYBYTES (SABER_INDCPA_PUBLICKEYBYTES) + +#define SABER_SECRETKEYBYTES (SABER_INDCPA_SECRETKEYBYTES + SABER_INDCPA_PUBLICKEYBYTES + SABER_HASHBYTES + SABER_KEYBYTES) + +#define SABER_BYTES_CCA_DEC (SABER_POLYVECCOMPRESSEDBYTES + SABER_SCALEBYTES_KEM) /* Second part is for Targhi-Unruh */ + + + + +#endif + diff --git a/crypto_kem/firesaber/clean/api.h b/crypto_kem/firesaber/clean/api.h new file mode 100644 index 00000000..56d17038 --- /dev/null +++ b/crypto_kem/firesaber/clean/api.h @@ -0,0 +1,14 @@ +#ifndef PQCLEAN_FIRESABER_CLEAN_API_H +#define PQCLEAN_FIRESABER_CLEAN_API_H + +#define PQCLEAN_FIRESABER_CLEAN_CRYPTO_ALGNAME "FireSaber" +#define PQCLEAN_FIRESABER_CLEAN_CRYPTO_SECRETKEYBYTES 3040 +#define PQCLEAN_FIRESABER_CLEAN_CRYPTO_PUBLICKEYBYTES (4*320+32) +#define PQCLEAN_FIRESABER_CLEAN_CRYPTO_BYTES 32 +#define PQCLEAN_FIRESABER_CLEAN_CRYPTO_CIPHERTEXTBYTES 1472 + +int PQCLEAN_FIRESABER_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk); +int PQCLEAN_FIRESABER_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk); +int PQCLEAN_FIRESABER_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk); + +#endif /* api_h */ diff --git a/crypto_kem/firesaber/clean/cbd.c b/crypto_kem/firesaber/clean/cbd.c new file mode 100644 index 00000000..0eddfa91 --- /dev/null +++ b/crypto_kem/firesaber/clean/cbd.c @@ -0,0 +1,52 @@ +/*--------------------------------------------------------------------- +This file has been adapted from the implementation +(available at, Public Domain https://github.com/pq-crystals/kyber) +of "CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM" +by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint, +Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle +----------------------------------------------------------------------*/ + +#include "SABER_params.h" +#include "api.h" +#include "cbd.h" +#include + +static uint64_t load_littleendian(const unsigned char *x, int bytes) { + int i; + uint64_t r = x[0]; + for (i = 1; i < bytes; i++) { + r |= (uint64_t)x[i] << (8 * i); + } + return r; +} + + +void PQCLEAN_FIRESABER_CLEAN_cbd(uint16_t *r, const unsigned char *buf) { + uint16_t Qmod_minus1 = SABER_Q - 1; + + uint32_t t, d, a[4], b[4]; + int i, j; + + for (i = 0; i < SABER_N / 4; i++) { + t = load_littleendian(buf + 3 * i, 3); + d = 0; + for (j = 0; j < 3; j++) { + d += (t >> j) & 0x249249; + } + + a[0] = d & 0x7; + b[0] = (d >> 3) & 0x7; + a[1] = (d >> 6) & 0x7; + b[1] = (d >> 9) & 0x7; + a[2] = (d >> 12) & 0x7; + b[2] = (d >> 15) & 0x7; + a[3] = (d >> 18) & 0x7; + b[3] = (d >> 21); + + r[4 * i + 0] = (uint16_t)(a[0] - b[0]) & Qmod_minus1; + r[4 * i + 1] = (uint16_t)(a[1] - b[1]) & Qmod_minus1; + r[4 * i + 2] = (uint16_t)(a[2] - b[2]) & Qmod_minus1; + r[4 * i + 3] = (uint16_t)(a[3] - b[3]) & Qmod_minus1; + + } +} diff --git a/crypto_kem/firesaber/clean/cbd.h b/crypto_kem/firesaber/clean/cbd.h new file mode 100644 index 00000000..b10e5202 --- /dev/null +++ b/crypto_kem/firesaber/clean/cbd.h @@ -0,0 +1,17 @@ +#ifndef CBD_H +#define CBD_H + +/*--------------------------------------------------------------------- +This file has been adapted from the implementation +(available at, Public Domain https://github.com/pq-crystals/kyber) +of "CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM" +by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint, +Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle +----------------------------------------------------------------------*/ + +#include "poly.h" +#include + +void PQCLEAN_FIRESABER_CLEAN_cbd(uint16_t *r, const unsigned char *buf); + +#endif diff --git a/crypto_kem/firesaber/clean/kem.c b/crypto_kem/firesaber/clean/kem.c new file mode 100644 index 00000000..4aef57ce --- /dev/null +++ b/crypto_kem/firesaber/clean/kem.c @@ -0,0 +1,79 @@ +#include "SABER_indcpa.h" +#include "SABER_params.h" +#include "fips202.h" +#include "randombytes.h" +#include "verify.h" +#include +#include +#include + +int PQCLEAN_FIRESABER_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) { + int i; + + PQCLEAN_FIRESABER_CLEAN_indcpa_kem_keypair(pk, sk); // sk[0:SABER_INDCPA_SECRETKEYBYTES-1] <-- sk + for (i = 0; i < SABER_INDCPA_PUBLICKEYBYTES; i++) { + sk[i + SABER_INDCPA_SECRETKEYBYTES] = pk[i]; // sk[SABER_INDCPA_SECRETKEYBYTES:SABER_INDCPA_SECRETKEYBYTES+SABER_INDCPA_SECRETKEYBYTES-1] <-- pk + } + + sha3_256(sk + SABER_SECRETKEYBYTES - 64, pk, SABER_INDCPA_PUBLICKEYBYTES); // Then hash(pk) is appended. + + randombytes(sk + SABER_SECRETKEYBYTES - SABER_KEYBYTES, SABER_KEYBYTES ); // Remaining part of sk contains a pseudo-random number. + // This is output when check in crypto_kem_dec() fails. + return (0); +} + +int PQCLEAN_FIRESABER_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) { + + unsigned char kr[64]; // Will contain key, coins + unsigned char buf[64]; + + randombytes(buf, 32); + + sha3_256(buf, buf, 32); // BUF[0:31] <-- random message (will be used as the key for client) Note: hash doesnot release system RNG output + + sha3_256(buf + 32, pk, SABER_INDCPA_PUBLICKEYBYTES); // BUF[32:63] <-- Hash(public key); Multitarget countermeasure for coins + contributory KEM + + sha3_512(kr, buf, 64); // kr[0:63] <-- Hash(buf[0:63]); + // K^ <-- kr[0:31] + // noiseseed (r) <-- kr[32:63]; + PQCLEAN_FIRESABER_CLEAN_indcpa_kem_enc(buf, kr + 32, pk, ct); // buf[0:31] contains message; kr[32:63] contains randomness r; + + sha3_256(kr + 32, ct, SABER_BYTES_CCA_DEC); + + sha3_256(ss, kr, 64); // hash concatenation of pre-k and h(c) to k + + return (0); +} + + +int PQCLEAN_FIRESABER_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) { + int i; + unsigned char fail; + unsigned char cmp[SABER_BYTES_CCA_DEC]; + unsigned char buf[64]; + unsigned char kr[64]; // Will contain key, coins + const unsigned char *pk = sk + SABER_INDCPA_SECRETKEYBYTES; + + PQCLEAN_FIRESABER_CLEAN_indcpa_kem_dec(sk, ct, buf); // buf[0:31] <-- message + + + // Multitarget countermeasure for coins + contributory KEM + for (i = 0; i < 32; i++) { // Save hash by storing h(pk) in sk + buf[32 + i] = sk[SABER_SECRETKEYBYTES - 64 + i]; + } + + sha3_512(kr, buf, 64); + + PQCLEAN_FIRESABER_CLEAN_indcpa_kem_enc(buf, kr + 32, pk, cmp); + + + fail = PQCLEAN_FIRESABER_CLEAN_verify(ct, cmp, SABER_BYTES_CCA_DEC); + + sha3_256(kr + 32, ct, SABER_BYTES_CCA_DEC); // overwrite coins in kr with h(c) + + PQCLEAN_FIRESABER_CLEAN_cmov(kr, sk + SABER_SECRETKEYBYTES - SABER_KEYBYTES, SABER_KEYBYTES, fail); + + sha3_256(ss, kr, 64); // hash concatenation of pre-k and h(c) to k + + return (0); +} diff --git a/crypto_kem/firesaber/clean/pack_unpack.c b/crypto_kem/firesaber/clean/pack_unpack.c new file mode 100644 index 00000000..8d4de5bb --- /dev/null +++ b/crypto_kem/firesaber/clean/pack_unpack.c @@ -0,0 +1,242 @@ +#include "pack_unpack.h" + +void PQCLEAN_FIRESABER_CLEAN_pack_3bit(uint8_t *bytes, const uint16_t *data) { + + uint32_t j; + uint32_t offset_data, offset_byte; + + for (j = 0; j < SABER_N / 8; j++) { + offset_byte = 3 * j; + offset_data = 8 * j; + bytes[offset_byte + 0] = (data[offset_data + 0] & 0x7) | ( (data[offset_data + 1] & 0x7) << 3 ) | ((data[offset_data + 2] & 0x3) << 6); + bytes[offset_byte + 1] = ((data[offset_data + 2] >> 2 ) & 0x01) | ( (data[offset_data + 3] & 0x7) << 1 ) | ( (data[offset_data + 4] & 0x7) << 4 ) | (((data[offset_data + 5]) & 0x01) << 7); + bytes[offset_byte + 2] = ((data[offset_data + 5] >> 1 ) & 0x03) | ( (data[offset_data + 6] & 0x7) << 2 ) | ( (data[offset_data + 7] & 0x7) << 5 ); + } +} + +void PQCLEAN_FIRESABER_CLEAN_un_pack3bit(const uint8_t *bytes, uint16_t *data) { + + uint32_t j; + uint32_t offset_data, offset_byte; + + for (j = 0; j < SABER_N / 8; j++) { + offset_byte = 3 * j; + offset_data = 8 * j; + data[offset_data + 0] = (bytes[offset_byte + 0]) & 0x07; + data[offset_data + 1] = ( (bytes[offset_byte + 0]) >> 3 ) & 0x07; + data[offset_data + 2] = ( ( (bytes[offset_byte + 0]) >> 6 ) & 0x03) | ( ( (bytes[offset_byte + 1]) & 0x01) << 2 ); + data[offset_data + 3] = ( (bytes[offset_byte + 1]) >> 1 ) & 0x07; + data[offset_data + 4] = ( (bytes[offset_byte + 1]) >> 4 ) & 0x07; + data[offset_data + 5] = ( ( (bytes[offset_byte + 1]) >> 7 ) & 0x01) | ( ( (bytes[offset_byte + 2]) & 0x03) << 1 ); + data[offset_data + 6] = ( (bytes[offset_byte + 2] >> 2) & 0x07 ); + data[offset_data + 7] = ( (bytes[offset_byte + 2] >> 5) & 0x07 ); + } + +} + +void PQCLEAN_FIRESABER_CLEAN_pack_4bit(uint8_t *bytes, const uint16_t *data) { + + uint32_t j; + uint32_t offset_data; + + for (j = 0; j < SABER_N / 2; j++) { + offset_data = 2 * j; + bytes[j] = (data[offset_data] & 0x0f) | ( (data[offset_data + 1] & 0x0f) << 4 ); + } +} + +void PQCLEAN_FIRESABER_CLEAN_un_pack4bit(const unsigned char *bytes, uint16_t *ar) { + + uint32_t j; + uint32_t offset_data; + + for (j = 0; j < SABER_N / 2; j++) { + offset_data = 2 * j; + ar[offset_data] = bytes[j] & 0x0f; + ar[offset_data + 1] = (bytes[j] >> 4) & 0x0f; + } +} + +void PQCLEAN_FIRESABER_CLEAN_pack_6bit(uint8_t *bytes, const uint16_t *data) { + uint32_t j; + uint32_t offset_data, offset_byte; + + for (j = 0; j < SABER_N / 4; j++) { + offset_byte = 3 * j; + offset_data = 4 * j; + bytes[offset_byte + 0] = (data[offset_data + 0] & 0x3f) | ((data[offset_data + 1] & 0x03) << 6); + bytes[offset_byte + 1] = ((data[offset_data + 1] >> 2) & 0x0f) | ((data[offset_data + 2] & 0x0f) << 4); + bytes[offset_byte + 2] = ((data[offset_data + 2] >> 4) & 0x03) | ((data[offset_data + 3] & 0x3f) << 2); + } +} + + +void PQCLEAN_FIRESABER_CLEAN_un_pack6bit(const unsigned char *bytes, uint16_t *data) { + uint32_t j; + uint32_t offset_data, offset_byte; + + for (j = 0; j < SABER_N / 4; j++) { + offset_byte = 3 * j; + offset_data = 4 * j; + data[offset_data + 0] = bytes[offset_byte + 0] & 0x3f; + data[offset_data + 1] = ((bytes[offset_byte + 0] >> 6) & 0x03) | ((bytes[offset_byte + 1] & 0x0f) << 2) ; + data[offset_data + 2] = ((bytes[offset_byte + 1] & 0xff) >> 4) | ((bytes[offset_byte + 2] & 0x03) << 4) ; + data[offset_data + 3] = ((bytes[offset_byte + 2] & 0xff) >> 2); + } + +} + + +static void POLVECp2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N]) { + uint32_t i, j; + uint32_t offset_data, offset_byte, offset_byte1; + + for (i = 0; i < SABER_K; i++) { + offset_byte1 = i * (SABER_N * 10) / 8; + for (j = 0; j < SABER_N / 4; j++) { + offset_byte = offset_byte1 + 5 * j; + offset_data = 4 * j; + bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff)); + + bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x03 ) | ((data[i][ offset_data + 1 ] & 0x3f) << 2); + + bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 6) & 0x0f ) | ( (data[i][ offset_data + 2 ] & 0x0f) << 4); + + bytes[offset_byte + 3] = ( (data[i][ offset_data + 2 ] >> 4) & 0x3f ) | ((data[i][ offset_data + 3 ] & 0x03) << 6); + + bytes[offset_byte + 4] = ( (data[i][ offset_data + 3 ] >> 2) & 0xff ); + } + } + + +} + +static void BS2POLVECp(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N]) { + + uint32_t i, j; + uint32_t offset_data, offset_byte, offset_byte1; + + for (i = 0; i < SABER_K; i++) { + offset_byte1 = i * (SABER_N * 10) / 8; + for (j = 0; j < SABER_N / 4; j++) { + offset_byte = offset_byte1 + 5 * j; + offset_data = 4 * j; + data[i][offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[ offset_byte + 1 ] & 0x03) << 8); + data[i][offset_data + 1] = ( (bytes[ offset_byte + 1 ] >> 2) & (0x3f)) | ((bytes[ offset_byte + 2 ] & 0x0f) << 6); + data[i][offset_data + 2] = ( (bytes[ offset_byte + 2 ] >> 4) & (0x0f)) | ((bytes[ offset_byte + 3 ] & 0x3f) << 4); + data[i][offset_data + 3] = ( (bytes[ offset_byte + 3 ] >> 6) & (0x03)) | ((bytes[ offset_byte + 4 ] & 0xff) << 2); + + } + } + + +} + + + +static void POLVECq2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N]) { + + uint32_t i, j; + uint32_t offset_data, offset_byte, offset_byte1; + + for (i = 0; i < SABER_K; i++) { + offset_byte1 = i * (SABER_N * 13) / 8; + for (j = 0; j < SABER_N / 8; j++) { + offset_byte = offset_byte1 + 13 * j; + offset_data = 8 * j; + bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff)); + + bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x1f ) | ((data[i][ offset_data + 1 ] & 0x07) << 5); + + bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 3) & 0xff ); + + bytes[offset_byte + 3] = ( (data[i][ offset_data + 1 ] >> 11) & 0x03 ) | ((data[i][ offset_data + 2 ] & 0x3f) << 2); + + bytes[offset_byte + 4] = ( (data[i][ offset_data + 2 ] >> 6) & 0x7f ) | ( (data[i][ offset_data + 3 ] & 0x01) << 7 ); + + bytes[offset_byte + 5] = ( (data[i][ offset_data + 3 ] >> 1) & 0xff ); + + bytes[offset_byte + 6] = ( (data[i][ offset_data + 3 ] >> 9) & 0x0f ) | ( (data[i][ offset_data + 4 ] & 0x0f) << 4 ); + + bytes[offset_byte + 7] = ( (data[i][ offset_data + 4] >> 4) & 0xff ); + + bytes[offset_byte + 8] = ( (data[i][ offset_data + 4 ] >> 12) & 0x01 ) | ( (data[i][ offset_data + 5 ] & 0x7f) << 1 ); + + bytes[offset_byte + 9] = ( (data[i][ offset_data + 5 ] >> 7) & 0x3f ) | ( (data[i][ offset_data + 6 ] & 0x03) << 6 ); + + bytes[offset_byte + 10] = ( (data[i][ offset_data + 6 ] >> 2) & 0xff ); + + bytes[offset_byte + 11] = ( (data[i][ offset_data + 6 ] >> 10) & 0x07 ) | ( (data[i][ offset_data + 7 ] & 0x1f) << 3 ); + + bytes[offset_byte + 12] = ( (data[i][ offset_data + 7 ] >> 5) & 0xff ); + + } + } + + +} + +static void BS2POLVECq(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N]) { + + uint32_t i, j; + uint32_t offset_data, offset_byte, offset_byte1; + + for (i = 0; i < SABER_K; i++) { + offset_byte1 = i * (SABER_N * 13) / 8; + for (j = 0; j < SABER_N / 8; j++) { + offset_byte = offset_byte1 + 13 * j; + offset_data = 8 * j; + data[i][offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[offset_byte + 1] & 0x1f) << 8); + data[i][offset_data + 1] = ( bytes[ offset_byte + 1 ] >> 5 & (0x07)) | ((bytes[offset_byte + 2] & 0xff) << 3) | ((bytes[offset_byte + 3] & 0x03) << 11); + data[i][offset_data + 2] = ( bytes[ offset_byte + 3 ] >> 2 & (0x3f)) | ((bytes[offset_byte + 4] & 0x7f) << 6); + data[i][offset_data + 3] = ( bytes[ offset_byte + 4 ] >> 7 & (0x01)) | ((bytes[offset_byte + 5] & 0xff) << 1) | ((bytes[offset_byte + 6] & 0x0f) << 9); + data[i][offset_data + 4] = ( bytes[ offset_byte + 6 ] >> 4 & (0x0f)) | ((bytes[offset_byte + 7] & 0xff) << 4) | ((bytes[offset_byte + 8] & 0x01) << 12); + data[i][offset_data + 5] = ( bytes[ offset_byte + 8] >> 1 & (0x7f)) | ((bytes[offset_byte + 9] & 0x3f) << 7); + data[i][offset_data + 6] = ( bytes[ offset_byte + 9] >> 6 & (0x03)) | ((bytes[offset_byte + 10] & 0xff) << 2) | ((bytes[offset_byte + 11] & 0x07) << 10); + data[i][offset_data + 7] = ( bytes[ offset_byte + 11] >> 3 & (0x1f)) | ((bytes[offset_byte + 12] & 0xff) << 5); + } + } + + +} + +void PQCLEAN_FIRESABER_CLEAN_BS2POL(const unsigned char *bytes, uint16_t data[SABER_N]) { //only BS2POLq no BS2POLp + + uint32_t j; + uint32_t offset_data, offset_byte; + + for (j = 0; j < SABER_N / 8; j++) { + offset_byte = 13 * j; + offset_data = 8 * j; + data[offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[offset_byte + 1] & 0x1f) << 8); + data[offset_data + 1] = ( bytes[ offset_byte + 1 ] >> 5 & (0x07)) | ((bytes[offset_byte + 2] & 0xff) << 3) | ((bytes[offset_byte + 3] & 0x03) << 11); + data[offset_data + 2] = ( bytes[ offset_byte + 3 ] >> 2 & (0x3f)) | ((bytes[offset_byte + 4] & 0x7f) << 6); + data[offset_data + 3] = ( bytes[ offset_byte + 4 ] >> 7 & (0x01)) | ((bytes[offset_byte + 5] & 0xff) << 1) | ((bytes[offset_byte + 6] & 0x0f) << 9); + data[offset_data + 4] = ( bytes[ offset_byte + 6 ] >> 4 & (0x0f)) | ((bytes[offset_byte + 7] & 0xff) << 4) | ((bytes[offset_byte + 8] & 0x01) << 12); + data[offset_data + 5] = ( bytes[ offset_byte + 8] >> 1 & (0x7f)) | ((bytes[offset_byte + 9] & 0x3f) << 7); + data[offset_data + 6] = ( bytes[ offset_byte + 9] >> 6 & (0x03)) | ((bytes[offset_byte + 10] & 0xff) << 2) | ((bytes[offset_byte + 11] & 0x07) << 10); + data[offset_data + 7] = ( bytes[ offset_byte + 11] >> 3 & (0x1f)) | ((bytes[offset_byte + 12] & 0xff) << 5); + } + + +} + + +void PQCLEAN_FIRESABER_CLEAN_POLVEC2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus) { + + if (modulus == 1024) { + POLVECp2BS(bytes, data); + } else if (modulus == 8192) { + POLVECq2BS(bytes, data); + } +} + +void PQCLEAN_FIRESABER_CLEAN_BS2POLVEC(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus) { + + if (modulus == 1024) { + BS2POLVECp(bytes, data); + } else if (modulus == 8192) { + BS2POLVECq(bytes, data); + } + +} diff --git a/crypto_kem/firesaber/clean/pack_unpack.h b/crypto_kem/firesaber/clean/pack_unpack.h new file mode 100644 index 00000000..6509f107 --- /dev/null +++ b/crypto_kem/firesaber/clean/pack_unpack.h @@ -0,0 +1,28 @@ +#ifndef PACK_UNPACK_H +#define PACK_UNPACK_H + +#include "SABER_params.h" +#include +#include + + +void PQCLEAN_FIRESABER_CLEAN_pack_3bit(uint8_t *bytes, const uint16_t *data); + +void PQCLEAN_FIRESABER_CLEAN_un_pack3bit(const uint8_t *bytes, uint16_t *data); + +void PQCLEAN_FIRESABER_CLEAN_pack_4bit(uint8_t *bytes, const uint16_t *data); + +void PQCLEAN_FIRESABER_CLEAN_un_pack4bit(const unsigned char *bytes, uint16_t *ar); + +void PQCLEAN_FIRESABER_CLEAN_pack_6bit(uint8_t *bytes, const uint16_t *data); + +void PQCLEAN_FIRESABER_CLEAN_un_pack6bit(const unsigned char *bytes, uint16_t *data); + + +void PQCLEAN_FIRESABER_CLEAN_BS2POL(const unsigned char *bytes, uint16_t data[SABER_N]); + +void PQCLEAN_FIRESABER_CLEAN_POLVEC2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus); + +void PQCLEAN_FIRESABER_CLEAN_BS2POLVEC(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus); + +#endif diff --git a/crypto_kem/firesaber/clean/poly.c b/crypto_kem/firesaber/clean/poly.c new file mode 100644 index 00000000..6fef45d5 --- /dev/null +++ b/crypto_kem/firesaber/clean/poly.c @@ -0,0 +1,21 @@ +/*--------------------------------------------------------------------- +This file has been adapted from the implementation +(available at, Public Domain https://github.com/pq-crystals/kyber) +of "CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM" +by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint, +Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle +----------------------------------------------------------------------*/ +#include "SABER_params.h" +#include "cbd.h" +#include "fips202.h" +#include "poly.h" + +void PQCLEAN_FIRESABER_CLEAN_GenSecret(uint16_t r[SABER_K][SABER_N], const unsigned char *seed) { + uint8_t buf[SABER_MU * SABER_N * SABER_K / 8]; + + shake128(buf, sizeof(buf), seed, SABER_NOISESEEDBYTES); + + for (size_t i = 0; i < SABER_K; i++) { + PQCLEAN_FIRESABER_CLEAN_cbd(r[i], buf + i * SABER_MU * SABER_N / 8); + } +} diff --git a/crypto_kem/firesaber/clean/poly.h b/crypto_kem/firesaber/clean/poly.h new file mode 100644 index 00000000..4f69a068 --- /dev/null +++ b/crypto_kem/firesaber/clean/poly.h @@ -0,0 +1,26 @@ +#ifndef POLY_H +#define POLY_H + +/*--------------------------------------------------------------------- +This file has been adapted from the implementation +(available at, Public Domain https://github.com/pq-crystals/kyber) +of "CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM" +by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint, +Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle +----------------------------------------------------------------------*/ + + +#include "SABER_params.h" +#include + +typedef struct { + uint16_t coeffs[SABER_N]; +} poly; + +typedef struct { + poly vec[SABER_K]; +} polyvec; + +void PQCLEAN_FIRESABER_CLEAN_GenSecret(uint16_t r[SABER_K][SABER_N], const unsigned char *seed); + +#endif diff --git a/crypto_kem/firesaber/clean/poly_mul.c b/crypto_kem/firesaber/clean/poly_mul.c new file mode 100644 index 00000000..cc701fa8 --- /dev/null +++ b/crypto_kem/firesaber/clean/poly_mul.c @@ -0,0 +1,22 @@ +#include "poly_mul.h" +#include "SABER_params.h" +#include +#include + + +void PQCLEAN_FIRESABER_CLEAN_pol_mul(const uint16_t *a, const uint16_t *b, uint16_t *res, uint16_t p, uint32_t n) { + // Polynomial multiplication using the schoolbook method, c[x] = a[x]*b[x] + + // normal multiplication + uint16_t c[2 * SABER_N] = {0}; + for (size_t i = 0; i < SABER_N; i++) { + for (size_t j = 0; j < SABER_N; j++) { + c[i + j] += a[i] * b[j]; + } + } + + // reduction + for (size_t i = n; i < 2 * n; i++) { + res[i - n] = (c[i - n] - c[i]) & (p - 1); + } +} diff --git a/crypto_kem/firesaber/clean/poly_mul.h b/crypto_kem/firesaber/clean/poly_mul.h new file mode 100644 index 00000000..e2530f06 --- /dev/null +++ b/crypto_kem/firesaber/clean/poly_mul.h @@ -0,0 +1,9 @@ +#ifndef POLYMUL_H +#define POLYMUL_H + +#include "SABER_params.h" +#include + +void PQCLEAN_FIRESABER_CLEAN_pol_mul(const uint16_t *a, const uint16_t *b, uint16_t *res, uint16_t p, uint32_t n); + +#endif diff --git a/crypto_kem/firesaber/clean/verify.c b/crypto_kem/firesaber/clean/verify.c new file mode 100644 index 00000000..3c571e92 --- /dev/null +++ b/crypto_kem/firesaber/clean/verify.c @@ -0,0 +1,34 @@ +/*------------------------------------------------- +This file has been adapted from the implementation +(available at https://github.com/pq-crystals/kyber) of +"CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM" + by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint, +Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle +----------------------------------------------------*/ +#include "verify.h" +#include + +/* returns 0 for equal strings, 1 for non-equal strings */ +unsigned char PQCLEAN_FIRESABER_CLEAN_verify(const unsigned char *a, const unsigned char *b, size_t len) { + uint64_t r; + size_t i; + + r = 0; + for (i = 0; i < len; i++) { + r |= a[i] ^ b[i]; + } + + r = (~r + 1); // Two's complement + r >>= 63; + return (unsigned char)r; +} + +/* b = 1 means mov, b = 0 means don't mov*/ +void PQCLEAN_FIRESABER_CLEAN_cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b) { + size_t i; + + b = -b; + for (i = 0; i < len; i++) { + r[i] ^= b & (x[i] ^ r[i]); + } +} diff --git a/crypto_kem/firesaber/clean/verify.h b/crypto_kem/firesaber/clean/verify.h new file mode 100644 index 00000000..1b69b071 --- /dev/null +++ b/crypto_kem/firesaber/clean/verify.h @@ -0,0 +1,21 @@ +#ifndef VERIFY_H +#define VERIFY_H + +/*------------------------------------------------- +This file has been adapted from the implementation +(available at https://github.com/pq-crystals/kyber) of +"CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM" + by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint, +Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle +----------------------------------------------------*/ + +#include +#include + +/* returns 0 for equal strings, 1 for non-equal strings */ +unsigned char PQCLEAN_FIRESABER_CLEAN_verify(const unsigned char *a, const unsigned char *b, size_t len); + +/* b = 1 means mov, b = 0 means don't mov*/ +void PQCLEAN_FIRESABER_CLEAN_cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b); + +#endif From cc94db88fa2b1a01b1914358b322346c89be0ce3 Mon Sep 17 00:00:00 2001 From: "Matthias J. Kannwischer" Date: Tue, 18 Jun 2019 16:58:07 +0200 Subject: [PATCH 13/20] fix vs warning --- crypto_kem/firesaber/clean/cbd.c | 2 +- crypto_kem/lightsaber/clean/cbd.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto_kem/firesaber/clean/cbd.c b/crypto_kem/firesaber/clean/cbd.c index 0eddfa91..cca885a1 100644 --- a/crypto_kem/firesaber/clean/cbd.c +++ b/crypto_kem/firesaber/clean/cbd.c @@ -28,7 +28,7 @@ void PQCLEAN_FIRESABER_CLEAN_cbd(uint16_t *r, const unsigned char *buf) { int i, j; for (i = 0; i < SABER_N / 4; i++) { - t = load_littleendian(buf + 3 * i, 3); + t = (uint32_t) load_littleendian(buf + 3 * i, 3); d = 0; for (j = 0; j < 3; j++) { d += (t >> j) & 0x249249; diff --git a/crypto_kem/lightsaber/clean/cbd.c b/crypto_kem/lightsaber/clean/cbd.c index f6ebe4d7..cb0d7312 100644 --- a/crypto_kem/lightsaber/clean/cbd.c +++ b/crypto_kem/lightsaber/clean/cbd.c @@ -28,7 +28,7 @@ void PQCLEAN_LIGHTSABER_CLEAN_cbd(uint16_t *r, const unsigned char *buf) { int i, j; for (i = 0; i < SABER_N / 4; i++) { - t = load_littleendian(buf + 5 * i, 5); + t = (uint32_t) load_littleendian(buf + 5 * i, 5); d = 0; for (j = 0; j < 5; j++) { d += (t >> j) & 0x0842108421UL; From 61b36e933bd92c07632f8d408e8c2acb066899de Mon Sep 17 00:00:00 2001 From: "Matthias J. Kannwischer" Date: Tue, 18 Jun 2019 17:16:32 +0200 Subject: [PATCH 14/20] remove wrong cast --- crypto_kem/lightsaber/clean/cbd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto_kem/lightsaber/clean/cbd.c b/crypto_kem/lightsaber/clean/cbd.c index cb0d7312..f6ebe4d7 100644 --- a/crypto_kem/lightsaber/clean/cbd.c +++ b/crypto_kem/lightsaber/clean/cbd.c @@ -28,7 +28,7 @@ void PQCLEAN_LIGHTSABER_CLEAN_cbd(uint16_t *r, const unsigned char *buf) { int i, j; for (i = 0; i < SABER_N / 4; i++) { - t = (uint32_t) load_littleendian(buf + 5 * i, 5); + t = load_littleendian(buf + 5 * i, 5); d = 0; for (j = 0; j < 5; j++) { d += (t >> j) & 0x0842108421UL; From 8378132c5e04cb8a0667b526a26d37167fb02e08 Mon Sep 17 00:00:00 2001 From: "Matthias J. Kannwischer" Date: Thu, 20 Jun 2019 11:03:20 +0200 Subject: [PATCH 15/20] clean up of comments and packing --- crypto_kem/firesaber/clean/SABER_indcpa.c | 137 +++++--------- crypto_kem/firesaber/clean/kem.c | 49 +++-- crypto_kem/firesaber/clean/pack_unpack.c | 206 +++++++++++---------- crypto_kem/lightsaber/clean/SABER_indcpa.c | 137 +++++--------- crypto_kem/lightsaber/clean/kem.c | 49 +++-- crypto_kem/lightsaber/clean/pack_unpack.c | 206 +++++++++++---------- crypto_kem/saber/clean/SABER_indcpa.c | 137 +++++--------- crypto_kem/saber/clean/kem.c | 49 +++-- crypto_kem/saber/clean/pack_unpack.c | 206 +++++++++++---------- 9 files changed, 576 insertions(+), 600 deletions(-) diff --git a/crypto_kem/firesaber/clean/SABER_indcpa.c b/crypto_kem/firesaber/clean/SABER_indcpa.c index 552b0907..da8aa685 100644 --- a/crypto_kem/firesaber/clean/SABER_indcpa.c +++ b/crypto_kem/firesaber/clean/SABER_indcpa.c @@ -45,7 +45,7 @@ static void GenMatrix(polyvec *a, const unsigned char *seed) { void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_keypair(unsigned char *pk, unsigned char *sk) { - polyvec a[SABER_K];// skpv; + polyvec a[SABER_K]; uint16_t skpv[SABER_K][SABER_N]; @@ -58,43 +58,43 @@ void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_keypair(unsigned char *pk, unsigned char uint16_t res[SABER_K][SABER_N]; randombytes(seed, SABER_SEEDBYTES); - shake128(seed, SABER_SEEDBYTES, seed, SABER_SEEDBYTES); // for not revealing system RNG state + + // for not revealing system RNG state + shake128(seed, SABER_SEEDBYTES, seed, SABER_SEEDBYTES); randombytes(noiseseed, SABER_COINBYTES); GenMatrix(a, seed); //sample matrix A - PQCLEAN_FIRESABER_CLEAN_GenSecret(skpv, noiseseed); //generate secret from constant-time binomial distribution - - //------------------------do the matrix vector multiplication and rounding------------ + // generate secret from constant-time binomial distribution + PQCLEAN_FIRESABER_CLEAN_GenSecret(skpv, noiseseed); + // do the matrix vector multiplication and rounding for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_N; j++) { res[i][j] = 0; } } - MatrixVectorMul(a, skpv, res, SABER_Q - 1, 1); - //-----now rounding - for (i = 0; i < SABER_K; i++) { //shift right 3 bits + // now rounding + for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_N; j++) { + // shift right 3 bits res[i][j] = (res[i][j] + h1) & (mod_q); res[i][j] = (res[i][j] >> (SABER_EQ - SABER_EP)); } } - //------------------unload and pack sk=3 x (256 coefficients of 14 bits)------- - + // unload and pack sk=3 x (256 coefficients of 14 bits) PQCLEAN_FIRESABER_CLEAN_POLVEC2BS(sk, skpv, SABER_Q); - //------------------unload and pack pk=256 bits seed and 3 x (256 coefficients of 11 bits)------- + // unload and pack pk=256 bits seed and 3 x (256 coefficients of 11 bits) + // load the public-key coefficients + PQCLEAN_FIRESABER_CLEAN_POLVEC2BS(pk, res, SABER_P); - PQCLEAN_FIRESABER_CLEAN_POLVEC2BS(pk, res, SABER_P); // load the public-key coefficients - - - - for (i = 0; i < SABER_SEEDBYTES; i++) { // now load the seedbytes in PK. Easy since seed bytes are kept in byte format. + // now load the seedbytes in PK. Easy since seed bytes are kept in byte format. + for (i = 0; i < SABER_SEEDBYTES; i++) { pk[SABER_POLYVECCOMPRESSEDBYTES + i] = seed[i]; } @@ -103,47 +103,39 @@ void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_keypair(unsigned char *pk, unsigned char void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_enc(const unsigned char *message_received, unsigned char *noiseseed, const unsigned char *pk, unsigned char *ciphertext) { uint32_t i, j, k; - polyvec a[SABER_K]; // skpv; + polyvec a[SABER_K]; unsigned char seed[SABER_SEEDBYTES]; - uint16_t pkcl[SABER_K][SABER_N]; //public key of received by the client - - - + // public key of received by the client + uint16_t pkcl[SABER_K][SABER_N]; uint16_t skpv1[SABER_K][SABER_N]; - uint16_t message[SABER_KEYBYTES * 8]; - uint16_t res[SABER_K][SABER_N]; uint16_t mod_p = SABER_P - 1; uint16_t mod_q = SABER_Q - 1; - uint16_t vprime[SABER_N]; - - - unsigned char msk_c[SABER_SCALEBYTES_KEM]; - for (i = 0; i < SABER_SEEDBYTES; i++) { // extract the seedbytes from Public Key. + // extract the seedbytes from Public Key. + for (i = 0; i < SABER_SEEDBYTES; i++) { seed[i] = pk[ SABER_POLYVECCOMPRESSEDBYTES + i]; } GenMatrix(a, seed); - PQCLEAN_FIRESABER_CLEAN_GenSecret(skpv1, noiseseed); //generate secret from constant-time binomial distribution - - //-----------------matrix-vector multiplication and rounding + // generate secret from constant-time binomial distribution + PQCLEAN_FIRESABER_CLEAN_GenSecret(skpv1, noiseseed); + // matrix-vector multiplication and rounding for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_N; j++) { res[i][j] = 0; } } - MatrixVectorMul(a, skpv1, res, SABER_Q - 1, 0); - //-----now rounding - - for (i = 0; i < SABER_K; i++) { //shift right 3 bits + // now rounding + //shift right 3 bits + for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_N; j++) { res[i][j] = ( res[i][j] + h1 ) & mod_q; res[i][j] = (res[i][j] >> (SABER_EQ - SABER_EP) ); @@ -152,21 +144,15 @@ void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_enc(const unsigned char *message_receive PQCLEAN_FIRESABER_CLEAN_POLVEC2BS(ciphertext, res, SABER_P); -//*******************client matrix-vector multiplication ends************************************ + // ************client matrix-vector multiplication ends************ - //------now calculate the v' - - //-------unpack the public_key - - //pkcl is the b in the protocol + // now calculate the v' + // unpack the public_key + // pkcl is the b in the protocol PQCLEAN_FIRESABER_CLEAN_BS2POLVEC(pk, pkcl, SABER_P); - - - for (i = 0; i < SABER_N; i++) { vprime[i] = 0; } - for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_N; j++) { skpv1[i][j] = skpv1[i][j] & (mod_p); @@ -176,12 +162,11 @@ void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_enc(const unsigned char *message_receive // vector-vector scalar multiplication with mod p InnerProd(pkcl, skpv1, mod_p, vprime); - //addition of h1 to vprime + // addition of h1 to vprime for (i = 0; i < SABER_N; i++) { vprime[i] = vprime[i] + h1; } - // unpack message_received; for (j = 0; j < SABER_KEYBYTES; j++) { for (i = 0; i < 8; i++) { @@ -194,9 +179,6 @@ void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_enc(const unsigned char *message_receive message[i] = (message[i] << (SABER_EP - 1)); } - - - for (k = 0; k < SABER_N; k++) { vprime[k] = ( (vprime[k] - message[k]) & (mod_p) ) >> (SABER_EP - SABER_ET); } @@ -204,7 +186,6 @@ void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_enc(const unsigned char *message_receive PQCLEAN_FIRESABER_CLEAN_pack_6bit(msk_c, vprime); - for (j = 0; j < SABER_SCALEBYTES_KEM; j++) { ciphertext[SABER_POLYVECCOMPRESSEDBYTES + j] = msk_c[j]; } @@ -212,41 +193,31 @@ void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_enc(const unsigned char *message_receive void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_dec(const unsigned char *sk, const unsigned char *ciphertext, unsigned char message_dec[]) { - uint32_t i, j; - - - uint16_t sksv[SABER_K][SABER_N]; //secret key of the server - - + // secret key of the server + uint16_t sksv[SABER_K][SABER_N]; uint16_t pksv[SABER_K][SABER_N]; - uint8_t scale_ar[SABER_SCALEBYTES_KEM]; - uint16_t mod_p = SABER_P - 1; - uint16_t v[SABER_N]; - uint16_t op[SABER_N]; - - PQCLEAN_FIRESABER_CLEAN_BS2POLVEC(sk, sksv, SABER_Q); //sksv is the secret-key - PQCLEAN_FIRESABER_CLEAN_BS2POLVEC(ciphertext, pksv, SABER_P); //pksv is the ciphertext + // sksv is the secret-key + PQCLEAN_FIRESABER_CLEAN_BS2POLVEC(sk, sksv, SABER_Q); + // pksv is the ciphertext + PQCLEAN_FIRESABER_CLEAN_BS2POLVEC(ciphertext, pksv, SABER_P); // vector-vector scalar multiplication with mod p for (i = 0; i < SABER_N; i++) { v[i] = 0; } - for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_N; j++) { sksv[i][j] = sksv[i][j] & (mod_p); } } - InnerProd(pksv, sksv, mod_p, v); - //Extraction for (i = 0; i < SABER_SCALEBYTES_KEM; i++) { scale_ar[i] = ciphertext[SABER_POLYVECCOMPRESSEDBYTES + i]; @@ -254,20 +225,15 @@ void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_dec(const unsigned char *sk, const unsig PQCLEAN_FIRESABER_CLEAN_un_pack6bit(scale_ar, op); - //addition of h1 for (i = 0; i < SABER_N; i++) { v[i] = ( ( v[i] + h2 - (op[i] << (SABER_EP - SABER_ET)) ) & (mod_p) ) >> (SABER_EP - 1); } // pack decrypted message - POL2MSG(v, message_dec); - - } static void MatrixVectorMul(polyvec *a, uint16_t skpv[SABER_K][SABER_N], uint16_t res[SABER_K][SABER_N], uint16_t mod, int16_t transpose) { - uint16_t acc[SABER_N]; int32_t i, j, k; @@ -278,32 +244,30 @@ static void MatrixVectorMul(polyvec *a, uint16_t skpv[SABER_K][SABER_N], uint16_ for (k = 0; k < SABER_N; k++) { res[i][k] = res[i][k] + acc[k]; - res[i][k] = (res[i][k] & mod); //reduction mod p - acc[k] = 0; //clear the accumulator + //reduction mod p + res[i][k] = (res[i][k] & mod); + //clear the accumulator + acc[k] = 0; } - } } } else { - for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_K; j++) { PQCLEAN_FIRESABER_CLEAN_pol_mul((uint16_t *)&a[i].vec[j], skpv[j], acc, SABER_Q, SABER_N); for (k = 0; k < SABER_N; k++) { res[i][k] = res[i][k] + acc[k]; - res[i][k] = res[i][k] & mod; //reduction - acc[k] = 0; //clear the accumulator + // reduction + res[i][k] = res[i][k] & mod; + // clear the accumulator + acc[k] = 0; } - } } } - - } static void POL2MSG(const uint16_t *message_dec_unpacked, unsigned char *message_dec) { - int32_t i, j; for (j = 0; j < SABER_KEYBYTES; j++) { @@ -312,13 +276,10 @@ static void POL2MSG(const uint16_t *message_dec_unpacked, unsigned char *message message_dec[j] = message_dec[j] | (uint8_t) (message_dec_unpacked[j * 8 + i] << i); } } - } static void InnerProd(uint16_t pkcl[SABER_K][SABER_N], uint16_t skpv[SABER_K][SABER_N], uint16_t mod, uint16_t res[SABER_N]) { - - uint32_t j, k; uint16_t acc[SABER_N]; @@ -328,8 +289,10 @@ static void InnerProd(uint16_t pkcl[SABER_K][SABER_N], uint16_t skpv[SABER_K][SA for (k = 0; k < SABER_N; k++) { res[k] = res[k] + acc[k]; - res[k] = res[k] & mod; //reduction - acc[k] = 0; //clear the accumulator + // reduction + res[k] = res[k] & mod; + // clear the accumulator + acc[k] = 0; } } } diff --git a/crypto_kem/firesaber/clean/kem.c b/crypto_kem/firesaber/clean/kem.c index 4aef57ce..c66cfed9 100644 --- a/crypto_kem/firesaber/clean/kem.c +++ b/crypto_kem/firesaber/clean/kem.c @@ -10,37 +10,48 @@ int PQCLEAN_FIRESABER_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) { int i; - PQCLEAN_FIRESABER_CLEAN_indcpa_kem_keypair(pk, sk); // sk[0:SABER_INDCPA_SECRETKEYBYTES-1] <-- sk + // sk[0:SABER_INDCPA_SECRETKEYBYTES-1] <-- sk + PQCLEAN_FIRESABER_CLEAN_indcpa_kem_keypair(pk, sk); + + // sk[SABER_INDCPA_SECRETKEYBYTES:SABER_INDCPA_SECRETKEYBYTES+SABER_INDCPA_SECRETKEYBYTES-1] <-- pk for (i = 0; i < SABER_INDCPA_PUBLICKEYBYTES; i++) { - sk[i + SABER_INDCPA_SECRETKEYBYTES] = pk[i]; // sk[SABER_INDCPA_SECRETKEYBYTES:SABER_INDCPA_SECRETKEYBYTES+SABER_INDCPA_SECRETKEYBYTES-1] <-- pk + sk[i + SABER_INDCPA_SECRETKEYBYTES] = pk[i]; } - sha3_256(sk + SABER_SECRETKEYBYTES - 64, pk, SABER_INDCPA_PUBLICKEYBYTES); // Then hash(pk) is appended. + // Then hash(pk) is appended. + sha3_256(sk + SABER_SECRETKEYBYTES - 64, pk, SABER_INDCPA_PUBLICKEYBYTES); - randombytes(sk + SABER_SECRETKEYBYTES - SABER_KEYBYTES, SABER_KEYBYTES ); // Remaining part of sk contains a pseudo-random number. + // Remaining part of sk contains a pseudo-random number. // This is output when check in crypto_kem_dec() fails. + randombytes(sk + SABER_SECRETKEYBYTES - SABER_KEYBYTES, SABER_KEYBYTES ); return (0); } int PQCLEAN_FIRESABER_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) { - - unsigned char kr[64]; // Will contain key, coins + // Will contain key, coins + unsigned char kr[64]; unsigned char buf[64]; randombytes(buf, 32); - sha3_256(buf, buf, 32); // BUF[0:31] <-- random message (will be used as the key for client) Note: hash doesnot release system RNG output + // BUF[0:31] <-- random message (will be used as the key for client) Note: hash doesnot release system RNG output + sha3_256(buf, buf, 32); - sha3_256(buf + 32, pk, SABER_INDCPA_PUBLICKEYBYTES); // BUF[32:63] <-- Hash(public key); Multitarget countermeasure for coins + contributory KEM + // BUF[32:63] <-- Hash(public key); Multitarget countermeasure for coins + contributory KEM + sha3_256(buf + 32, pk, SABER_INDCPA_PUBLICKEYBYTES); + + // kr[0:63] <-- Hash(buf[0:63]); + sha3_512(kr, buf, 64); - sha3_512(kr, buf, 64); // kr[0:63] <-- Hash(buf[0:63]); // K^ <-- kr[0:31] // noiseseed (r) <-- kr[32:63]; - PQCLEAN_FIRESABER_CLEAN_indcpa_kem_enc(buf, kr + 32, pk, ct); // buf[0:31] contains message; kr[32:63] contains randomness r; + // buf[0:31] contains message; kr[32:63] contains randomness r; + PQCLEAN_FIRESABER_CLEAN_indcpa_kem_enc(buf, kr + 32, pk, ct); sha3_256(kr + 32, ct, SABER_BYTES_CCA_DEC); - sha3_256(ss, kr, 64); // hash concatenation of pre-k and h(c) to k + // hash concatenation of pre-k and h(c) to k + sha3_256(ss, kr, 64); return (0); } @@ -51,14 +62,18 @@ int PQCLEAN_FIRESABER_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned cha unsigned char fail; unsigned char cmp[SABER_BYTES_CCA_DEC]; unsigned char buf[64]; - unsigned char kr[64]; // Will contain key, coins + + // Will contain key, coins + unsigned char kr[64]; const unsigned char *pk = sk + SABER_INDCPA_SECRETKEYBYTES; - PQCLEAN_FIRESABER_CLEAN_indcpa_kem_dec(sk, ct, buf); // buf[0:31] <-- message + // buf[0:31] <-- message + PQCLEAN_FIRESABER_CLEAN_indcpa_kem_dec(sk, ct, buf); // Multitarget countermeasure for coins + contributory KEM - for (i = 0; i < 32; i++) { // Save hash by storing h(pk) in sk + // Save hash by storing h(pk) in sk + for (i = 0; i < 32; i++) { buf[32 + i] = sk[SABER_SECRETKEYBYTES - 64 + i]; } @@ -69,11 +84,13 @@ int PQCLEAN_FIRESABER_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned cha fail = PQCLEAN_FIRESABER_CLEAN_verify(ct, cmp, SABER_BYTES_CCA_DEC); - sha3_256(kr + 32, ct, SABER_BYTES_CCA_DEC); // overwrite coins in kr with h(c) + // overwrite coins in kr with h(c) + sha3_256(kr + 32, ct, SABER_BYTES_CCA_DEC); PQCLEAN_FIRESABER_CLEAN_cmov(kr, sk + SABER_SECRETKEYBYTES - SABER_KEYBYTES, SABER_KEYBYTES, fail); - sha3_256(ss, kr, 64); // hash concatenation of pre-k and h(c) to k + // hash concatenation of pre-k and h(c) to k + sha3_256(ss, kr, 64); return (0); } diff --git a/crypto_kem/firesaber/clean/pack_unpack.c b/crypto_kem/firesaber/clean/pack_unpack.c index 8d4de5bb..9e68ffc1 100644 --- a/crypto_kem/firesaber/clean/pack_unpack.c +++ b/crypto_kem/firesaber/clean/pack_unpack.c @@ -1,21 +1,26 @@ #include "pack_unpack.h" void PQCLEAN_FIRESABER_CLEAN_pack_3bit(uint8_t *bytes, const uint16_t *data) { - uint32_t j; uint32_t offset_data, offset_byte; for (j = 0; j < SABER_N / 8; j++) { offset_byte = 3 * j; offset_data = 8 * j; - bytes[offset_byte + 0] = (data[offset_data + 0] & 0x7) | ( (data[offset_data + 1] & 0x7) << 3 ) | ((data[offset_data + 2] & 0x3) << 6); - bytes[offset_byte + 1] = ((data[offset_data + 2] >> 2 ) & 0x01) | ( (data[offset_data + 3] & 0x7) << 1 ) | ( (data[offset_data + 4] & 0x7) << 4 ) | (((data[offset_data + 5]) & 0x01) << 7); - bytes[offset_byte + 2] = ((data[offset_data + 5] >> 1 ) & 0x03) | ( (data[offset_data + 6] & 0x7) << 2 ) | ( (data[offset_data + 7] & 0x7) << 5 ); + bytes[offset_byte + 0] = (data[offset_data + 0] & 0x7) | + ((data[offset_data + 1] & 0x7) << 3) | + ((data[offset_data + 2] & 0x3) << 6); + bytes[offset_byte + 1] = ((data[offset_data + 2] >> 2 ) & 0x01) | + ((data[offset_data + 3] & 0x7) << 1) | + ((data[offset_data + 4] & 0x7) << 4) | + (((data[offset_data + 5]) & 0x01) << 7); + bytes[offset_byte + 2] = ((data[offset_data + 5] >> 1 ) & 0x03) | + ((data[offset_data + 6] & 0x7) << 2) | + ((data[offset_data + 7] & 0x7) << 5); } } void PQCLEAN_FIRESABER_CLEAN_un_pack3bit(const uint8_t *bytes, uint16_t *data) { - uint32_t j; uint32_t offset_data, offset_byte; @@ -23,30 +28,30 @@ void PQCLEAN_FIRESABER_CLEAN_un_pack3bit(const uint8_t *bytes, uint16_t *data) { offset_byte = 3 * j; offset_data = 8 * j; data[offset_data + 0] = (bytes[offset_byte + 0]) & 0x07; - data[offset_data + 1] = ( (bytes[offset_byte + 0]) >> 3 ) & 0x07; - data[offset_data + 2] = ( ( (bytes[offset_byte + 0]) >> 6 ) & 0x03) | ( ( (bytes[offset_byte + 1]) & 0x01) << 2 ); - data[offset_data + 3] = ( (bytes[offset_byte + 1]) >> 1 ) & 0x07; - data[offset_data + 4] = ( (bytes[offset_byte + 1]) >> 4 ) & 0x07; - data[offset_data + 5] = ( ( (bytes[offset_byte + 1]) >> 7 ) & 0x01) | ( ( (bytes[offset_byte + 2]) & 0x03) << 1 ); - data[offset_data + 6] = ( (bytes[offset_byte + 2] >> 2) & 0x07 ); - data[offset_data + 7] = ( (bytes[offset_byte + 2] >> 5) & 0x07 ); + data[offset_data + 1] = ((bytes[offset_byte + 0]) >> 3 ) & 0x07; + data[offset_data + 2] = (((bytes[offset_byte + 0]) >> 6 ) & 0x03) | + (((bytes[offset_byte + 1]) & 0x01) << 2); + data[offset_data + 3] = ((bytes[offset_byte + 1]) >> 1 ) & 0x07; + data[offset_data + 4] = ((bytes[offset_byte + 1]) >> 4 ) & 0x07; + data[offset_data + 5] = (((bytes[offset_byte + 1]) >> 7 ) & 0x01) | + (((bytes[offset_byte + 2]) & 0x03) << 1); + data[offset_data + 6] = ((bytes[offset_byte + 2] >> 2) & 0x07); + data[offset_data + 7] = ((bytes[offset_byte + 2] >> 5) & 0x07); } - } void PQCLEAN_FIRESABER_CLEAN_pack_4bit(uint8_t *bytes, const uint16_t *data) { - uint32_t j; uint32_t offset_data; for (j = 0; j < SABER_N / 2; j++) { offset_data = 2 * j; - bytes[j] = (data[offset_data] & 0x0f) | ( (data[offset_data + 1] & 0x0f) << 4 ); + bytes[j] = (data[offset_data] & 0x0f) | + ((data[offset_data + 1] & 0x0f) << 4); } } void PQCLEAN_FIRESABER_CLEAN_un_pack4bit(const unsigned char *bytes, uint16_t *ar) { - uint32_t j; uint32_t offset_data; @@ -64,9 +69,12 @@ void PQCLEAN_FIRESABER_CLEAN_pack_6bit(uint8_t *bytes, const uint16_t *data) { for (j = 0; j < SABER_N / 4; j++) { offset_byte = 3 * j; offset_data = 4 * j; - bytes[offset_byte + 0] = (data[offset_data + 0] & 0x3f) | ((data[offset_data + 1] & 0x03) << 6); - bytes[offset_byte + 1] = ((data[offset_data + 1] >> 2) & 0x0f) | ((data[offset_data + 2] & 0x0f) << 4); - bytes[offset_byte + 2] = ((data[offset_data + 2] >> 4) & 0x03) | ((data[offset_data + 3] & 0x3f) << 2); + bytes[offset_byte + 0] = (data[offset_data + 0] & 0x3f) | + ((data[offset_data + 1] & 0x03) << 6); + bytes[offset_byte + 1] = ((data[offset_data + 1] >> 2) & 0x0f) | + ((data[offset_data + 2] & 0x0f) << 4); + bytes[offset_byte + 2] = ((data[offset_data + 2] >> 4) & 0x03) | + ((data[offset_data + 3] & 0x3f) << 2); } } @@ -79,11 +87,12 @@ void PQCLEAN_FIRESABER_CLEAN_un_pack6bit(const unsigned char *bytes, uint16_t *d offset_byte = 3 * j; offset_data = 4 * j; data[offset_data + 0] = bytes[offset_byte + 0] & 0x3f; - data[offset_data + 1] = ((bytes[offset_byte + 0] >> 6) & 0x03) | ((bytes[offset_byte + 1] & 0x0f) << 2) ; - data[offset_data + 2] = ((bytes[offset_byte + 1] & 0xff) >> 4) | ((bytes[offset_byte + 2] & 0x03) << 4) ; + data[offset_data + 1] = ((bytes[offset_byte + 0] >> 6) & 0x03) | + ((bytes[offset_byte + 1] & 0x0f) << 2); + data[offset_data + 2] = ((bytes[offset_byte + 1] & 0xff) >> 4) | + ((bytes[offset_byte + 2] & 0x03) << 4); data[offset_data + 3] = ((bytes[offset_byte + 2] & 0xff) >> 2); } - } @@ -96,23 +105,19 @@ static void POLVECp2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N]) { for (j = 0; j < SABER_N / 4; j++) { offset_byte = offset_byte1 + 5 * j; offset_data = 4 * j; - bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff)); - - bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x03 ) | ((data[i][ offset_data + 1 ] & 0x3f) << 2); - - bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 6) & 0x0f ) | ( (data[i][ offset_data + 2 ] & 0x0f) << 4); - - bytes[offset_byte + 3] = ( (data[i][ offset_data + 2 ] >> 4) & 0x3f ) | ((data[i][ offset_data + 3 ] & 0x03) << 6); - - bytes[offset_byte + 4] = ( (data[i][ offset_data + 3 ] >> 2) & 0xff ); + bytes[offset_byte + 0] = (data[i][offset_data + 0] & (0xff)); + bytes[offset_byte + 1] = ((data[i][offset_data + 0] >> 8) & 0x03) | + ((data[i][offset_data + 1] & 0x3f) << 2); + bytes[offset_byte + 2] = ((data[i][offset_data + 1] >> 6) & 0x0f) | + ((data[i][offset_data + 2] & 0x0f) << 4); + bytes[offset_byte + 3] = ((data[i][offset_data + 2] >> 4) & 0x3f) | + ((data[i][offset_data + 3] & 0x03) << 6); + bytes[offset_byte + 4] = ((data[i][offset_data + 3] >> 2) & 0xff); } } - - } static void BS2POLVECp(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N]) { - uint32_t i, j; uint32_t offset_data, offset_byte, offset_byte1; @@ -121,21 +126,21 @@ static void BS2POLVECp(const unsigned char *bytes, uint16_t data[SABER_K][SABER_ for (j = 0; j < SABER_N / 4; j++) { offset_byte = offset_byte1 + 5 * j; offset_data = 4 * j; - data[i][offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[ offset_byte + 1 ] & 0x03) << 8); - data[i][offset_data + 1] = ( (bytes[ offset_byte + 1 ] >> 2) & (0x3f)) | ((bytes[ offset_byte + 2 ] & 0x0f) << 6); - data[i][offset_data + 2] = ( (bytes[ offset_byte + 2 ] >> 4) & (0x0f)) | ((bytes[ offset_byte + 3 ] & 0x3f) << 4); - data[i][offset_data + 3] = ( (bytes[ offset_byte + 3 ] >> 6) & (0x03)) | ((bytes[ offset_byte + 4 ] & 0xff) << 2); - + data[i][offset_data + 0] = (bytes[offset_byte + 0] & (0xff)) | + ((bytes[offset_byte + 1] & 0x03) << 8); + data[i][offset_data + 1] = ((bytes[offset_byte + 1] >> 2) & (0x3f)) | + ((bytes[offset_byte + 2] & 0x0f) << 6); + data[i][offset_data + 2] = ((bytes[offset_byte + 2] >> 4) & (0x0f)) | + ((bytes[offset_byte + 3] & 0x3f) << 4); + data[i][offset_data + 3] = ((bytes[offset_byte + 3] >> 6) & (0x03)) | + ((bytes[offset_byte + 4] & 0xff) << 2); } } - - } static void POLVECq2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N]) { - uint32_t i, j; uint32_t offset_data, offset_byte, offset_byte1; @@ -144,40 +149,31 @@ static void POLVECq2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N]) { for (j = 0; j < SABER_N / 8; j++) { offset_byte = offset_byte1 + 13 * j; offset_data = 8 * j; - bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff)); - - bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x1f ) | ((data[i][ offset_data + 1 ] & 0x07) << 5); - - bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 3) & 0xff ); - - bytes[offset_byte + 3] = ( (data[i][ offset_data + 1 ] >> 11) & 0x03 ) | ((data[i][ offset_data + 2 ] & 0x3f) << 2); - - bytes[offset_byte + 4] = ( (data[i][ offset_data + 2 ] >> 6) & 0x7f ) | ( (data[i][ offset_data + 3 ] & 0x01) << 7 ); - - bytes[offset_byte + 5] = ( (data[i][ offset_data + 3 ] >> 1) & 0xff ); - - bytes[offset_byte + 6] = ( (data[i][ offset_data + 3 ] >> 9) & 0x0f ) | ( (data[i][ offset_data + 4 ] & 0x0f) << 4 ); - - bytes[offset_byte + 7] = ( (data[i][ offset_data + 4] >> 4) & 0xff ); - - bytes[offset_byte + 8] = ( (data[i][ offset_data + 4 ] >> 12) & 0x01 ) | ( (data[i][ offset_data + 5 ] & 0x7f) << 1 ); - - bytes[offset_byte + 9] = ( (data[i][ offset_data + 5 ] >> 7) & 0x3f ) | ( (data[i][ offset_data + 6 ] & 0x03) << 6 ); - - bytes[offset_byte + 10] = ( (data[i][ offset_data + 6 ] >> 2) & 0xff ); - - bytes[offset_byte + 11] = ( (data[i][ offset_data + 6 ] >> 10) & 0x07 ) | ( (data[i][ offset_data + 7 ] & 0x1f) << 3 ); - - bytes[offset_byte + 12] = ( (data[i][ offset_data + 7 ] >> 5) & 0xff ); - + bytes[offset_byte + 0] = (data[i][offset_data + 0] & (0xff)); + bytes[offset_byte + 1] = ((data[i][offset_data + 0] >> 8) & 0x1f) | + ((data[i][offset_data + 1] & 0x07) << 5); + bytes[offset_byte + 2] = ((data[i][offset_data + 1] >> 3) & 0xff); + bytes[offset_byte + 3] = ((data[i][offset_data + 1] >> 11) & 0x03) | + ((data[i][offset_data + 2] & 0x3f) << 2); + bytes[offset_byte + 4] = ((data[i][offset_data + 2] >> 6) & 0x7f) | + ((data[i][offset_data + 3] & 0x01) << 7); + bytes[offset_byte + 5] = ((data[i][offset_data + 3] >> 1) & 0xff); + bytes[offset_byte + 6] = ((data[i][offset_data + 3] >> 9) & 0x0f) | + ((data[i][offset_data + 4] & 0x0f) << 4); + bytes[offset_byte + 7] = ((data[i][offset_data + 4] >> 4) & 0xff); + bytes[offset_byte + 8] = ((data[i][offset_data + 4] >> 12) & 0x01) | + ((data[i][offset_data + 5] & 0x7f) << 1); + bytes[offset_byte + 9] = ((data[i][offset_data + 5] >> 7) & 0x3f) | + ((data[i][offset_data + 6] & 0x03) << 6); + bytes[offset_byte + 10] = ((data[i][offset_data + 6] >> 2) & 0xff); + bytes[offset_byte + 11] = ((data[i][offset_data + 6] >> 10) & 0x07) | + ((data[i][offset_data + 7] & 0x1f) << 3); + bytes[offset_byte + 12] = ((data[i][offset_data + 7] >> 5) & 0xff); } } - - } static void BS2POLVECq(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N]) { - uint32_t i, j; uint32_t offset_data, offset_byte, offset_byte1; @@ -186,44 +182,62 @@ static void BS2POLVECq(const unsigned char *bytes, uint16_t data[SABER_K][SABER_ for (j = 0; j < SABER_N / 8; j++) { offset_byte = offset_byte1 + 13 * j; offset_data = 8 * j; - data[i][offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[offset_byte + 1] & 0x1f) << 8); - data[i][offset_data + 1] = ( bytes[ offset_byte + 1 ] >> 5 & (0x07)) | ((bytes[offset_byte + 2] & 0xff) << 3) | ((bytes[offset_byte + 3] & 0x03) << 11); - data[i][offset_data + 2] = ( bytes[ offset_byte + 3 ] >> 2 & (0x3f)) | ((bytes[offset_byte + 4] & 0x7f) << 6); - data[i][offset_data + 3] = ( bytes[ offset_byte + 4 ] >> 7 & (0x01)) | ((bytes[offset_byte + 5] & 0xff) << 1) | ((bytes[offset_byte + 6] & 0x0f) << 9); - data[i][offset_data + 4] = ( bytes[ offset_byte + 6 ] >> 4 & (0x0f)) | ((bytes[offset_byte + 7] & 0xff) << 4) | ((bytes[offset_byte + 8] & 0x01) << 12); - data[i][offset_data + 5] = ( bytes[ offset_byte + 8] >> 1 & (0x7f)) | ((bytes[offset_byte + 9] & 0x3f) << 7); - data[i][offset_data + 6] = ( bytes[ offset_byte + 9] >> 6 & (0x03)) | ((bytes[offset_byte + 10] & 0xff) << 2) | ((bytes[offset_byte + 11] & 0x07) << 10); - data[i][offset_data + 7] = ( bytes[ offset_byte + 11] >> 3 & (0x1f)) | ((bytes[offset_byte + 12] & 0xff) << 5); + data[i][offset_data + 0] = (bytes[offset_byte + 0] & (0xff)) | + ((bytes[offset_byte + 1] & 0x1f) << 8); + data[i][offset_data + 1] = (bytes[offset_byte + 1] >> 5 & (0x07)) | + ((bytes[offset_byte + 2] & 0xff) << 3) | + ((bytes[offset_byte + 3] & 0x03) << 11); + data[i][offset_data + 2] = (bytes[offset_byte + 3] >> 2 & (0x3f)) | + ((bytes[offset_byte + 4] & 0x7f) << 6); + data[i][offset_data + 3] = (bytes[offset_byte + 4] >> 7 & (0x01)) | + ((bytes[offset_byte + 5] & 0xff) << 1) | + ((bytes[offset_byte + 6] & 0x0f) << 9); + data[i][offset_data + 4] = (bytes[offset_byte + 6] >> 4 & (0x0f)) | + ((bytes[offset_byte + 7] & 0xff) << 4) | + ((bytes[offset_byte + 8] & 0x01) << 12); + data[i][offset_data + 5] = (bytes[offset_byte + 8] >> 1 & (0x7f)) | + ((bytes[offset_byte + 9] & 0x3f) << 7); + data[i][offset_data + 6] = (bytes[offset_byte + 9] >> 6 & (0x03)) | + ((bytes[offset_byte + 10] & 0xff) << 2) | + ((bytes[offset_byte + 11] & 0x07) << 10); + data[i][offset_data + 7] = (bytes[offset_byte + 11] >> 3 & (0x1f)) | + ((bytes[offset_byte + 12] & 0xff) << 5); } } - - } -void PQCLEAN_FIRESABER_CLEAN_BS2POL(const unsigned char *bytes, uint16_t data[SABER_N]) { //only BS2POLq no BS2POLp - +//only BS2POLq no BS2POLp +void PQCLEAN_FIRESABER_CLEAN_BS2POL(const unsigned char *bytes, uint16_t data[SABER_N]) { uint32_t j; uint32_t offset_data, offset_byte; for (j = 0; j < SABER_N / 8; j++) { offset_byte = 13 * j; offset_data = 8 * j; - data[offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[offset_byte + 1] & 0x1f) << 8); - data[offset_data + 1] = ( bytes[ offset_byte + 1 ] >> 5 & (0x07)) | ((bytes[offset_byte + 2] & 0xff) << 3) | ((bytes[offset_byte + 3] & 0x03) << 11); - data[offset_data + 2] = ( bytes[ offset_byte + 3 ] >> 2 & (0x3f)) | ((bytes[offset_byte + 4] & 0x7f) << 6); - data[offset_data + 3] = ( bytes[ offset_byte + 4 ] >> 7 & (0x01)) | ((bytes[offset_byte + 5] & 0xff) << 1) | ((bytes[offset_byte + 6] & 0x0f) << 9); - data[offset_data + 4] = ( bytes[ offset_byte + 6 ] >> 4 & (0x0f)) | ((bytes[offset_byte + 7] & 0xff) << 4) | ((bytes[offset_byte + 8] & 0x01) << 12); - data[offset_data + 5] = ( bytes[ offset_byte + 8] >> 1 & (0x7f)) | ((bytes[offset_byte + 9] & 0x3f) << 7); - data[offset_data + 6] = ( bytes[ offset_byte + 9] >> 6 & (0x03)) | ((bytes[offset_byte + 10] & 0xff) << 2) | ((bytes[offset_byte + 11] & 0x07) << 10); - data[offset_data + 7] = ( bytes[ offset_byte + 11] >> 3 & (0x1f)) | ((bytes[offset_byte + 12] & 0xff) << 5); + data[offset_data + 0] = (bytes[offset_byte + 0] & (0xff)) | + ((bytes[offset_byte + 1] & 0x1f) << 8); + data[offset_data + 1] = (bytes[offset_byte + 1] >> 5 & (0x07)) | + ((bytes[offset_byte + 2] & 0xff) << 3) | + ((bytes[offset_byte + 3] & 0x03) << 11); + data[offset_data + 2] = (bytes[offset_byte + 3] >> 2 & (0x3f)) | + ((bytes[offset_byte + 4] & 0x7f) << 6); + data[offset_data + 3] = (bytes[offset_byte + 4] >> 7 & (0x01)) | + ((bytes[offset_byte + 5] & 0xff) << 1) | + ((bytes[offset_byte + 6] & 0x0f) << 9); + data[offset_data + 4] = (bytes[offset_byte + 6] >> 4 & (0x0f)) | + ((bytes[offset_byte + 7] & 0xff) << 4) | + ((bytes[offset_byte + 8] & 0x01) << 12); + data[offset_data + 5] = (bytes[offset_byte + 8] >> 1 & (0x7f)) | + ((bytes[offset_byte + 9] & 0x3f) << 7); + data[offset_data + 6] = (bytes[offset_byte + 9] >> 6 & (0x03)) | + ((bytes[offset_byte + 10] & 0xff) << 2) | + ((bytes[offset_byte + 11] & 0x07) << 10); + data[offset_data + 7] = (bytes[offset_byte + 11] >> 3 & (0x1f)) | + ((bytes[offset_byte + 12] & 0xff) << 5); } - - } - void PQCLEAN_FIRESABER_CLEAN_POLVEC2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus) { - if (modulus == 1024) { POLVECp2BS(bytes, data); } else if (modulus == 8192) { @@ -232,11 +246,9 @@ void PQCLEAN_FIRESABER_CLEAN_POLVEC2BS(uint8_t *bytes, uint16_t data[SABER_K][SA } void PQCLEAN_FIRESABER_CLEAN_BS2POLVEC(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus) { - if (modulus == 1024) { BS2POLVECp(bytes, data); } else if (modulus == 8192) { BS2POLVECq(bytes, data); } - } diff --git a/crypto_kem/lightsaber/clean/SABER_indcpa.c b/crypto_kem/lightsaber/clean/SABER_indcpa.c index d5fb7130..20cf1de2 100644 --- a/crypto_kem/lightsaber/clean/SABER_indcpa.c +++ b/crypto_kem/lightsaber/clean/SABER_indcpa.c @@ -45,7 +45,7 @@ static void GenMatrix(polyvec *a, const unsigned char *seed) { void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_keypair(unsigned char *pk, unsigned char *sk) { - polyvec a[SABER_K];// skpv; + polyvec a[SABER_K]; uint16_t skpv[SABER_K][SABER_N]; @@ -58,43 +58,43 @@ void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_keypair(unsigned char *pk, unsigned cha uint16_t res[SABER_K][SABER_N]; randombytes(seed, SABER_SEEDBYTES); - shake128(seed, SABER_SEEDBYTES, seed, SABER_SEEDBYTES); // for not revealing system RNG state + + // for not revealing system RNG state + shake128(seed, SABER_SEEDBYTES, seed, SABER_SEEDBYTES); randombytes(noiseseed, SABER_COINBYTES); GenMatrix(a, seed); //sample matrix A - PQCLEAN_LIGHTSABER_CLEAN_GenSecret(skpv, noiseseed); //generate secret from constant-time binomial distribution - - //------------------------do the matrix vector multiplication and rounding------------ + // generate secret from constant-time binomial distribution + PQCLEAN_LIGHTSABER_CLEAN_GenSecret(skpv, noiseseed); + // do the matrix vector multiplication and rounding for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_N; j++) { res[i][j] = 0; } } - MatrixVectorMul(a, skpv, res, SABER_Q - 1, 1); - //-----now rounding - for (i = 0; i < SABER_K; i++) { //shift right 3 bits + // now rounding + for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_N; j++) { + // shift right 3 bits res[i][j] = (res[i][j] + h1) & (mod_q); res[i][j] = (res[i][j] >> (SABER_EQ - SABER_EP)); } } - //------------------unload and pack sk=3 x (256 coefficients of 14 bits)------- - + // unload and pack sk=3 x (256 coefficients of 14 bits) PQCLEAN_LIGHTSABER_CLEAN_POLVEC2BS(sk, skpv, SABER_Q); - //------------------unload and pack pk=256 bits seed and 3 x (256 coefficients of 11 bits)------- + // unload and pack pk=256 bits seed and 3 x (256 coefficients of 11 bits) + // load the public-key coefficients + PQCLEAN_LIGHTSABER_CLEAN_POLVEC2BS(pk, res, SABER_P); - PQCLEAN_LIGHTSABER_CLEAN_POLVEC2BS(pk, res, SABER_P); // load the public-key coefficients - - - - for (i = 0; i < SABER_SEEDBYTES; i++) { // now load the seedbytes in PK. Easy since seed bytes are kept in byte format. + // now load the seedbytes in PK. Easy since seed bytes are kept in byte format. + for (i = 0; i < SABER_SEEDBYTES; i++) { pk[SABER_POLYVECCOMPRESSEDBYTES + i] = seed[i]; } @@ -103,47 +103,39 @@ void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_keypair(unsigned char *pk, unsigned cha void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_enc(const unsigned char *message_received, unsigned char *noiseseed, const unsigned char *pk, unsigned char *ciphertext) { uint32_t i, j, k; - polyvec a[SABER_K]; // skpv; + polyvec a[SABER_K]; unsigned char seed[SABER_SEEDBYTES]; - uint16_t pkcl[SABER_K][SABER_N]; //public key of received by the client - - - + // public key of received by the client + uint16_t pkcl[SABER_K][SABER_N]; uint16_t skpv1[SABER_K][SABER_N]; - uint16_t message[SABER_KEYBYTES * 8]; - uint16_t res[SABER_K][SABER_N]; uint16_t mod_p = SABER_P - 1; uint16_t mod_q = SABER_Q - 1; - uint16_t vprime[SABER_N]; - - - unsigned char msk_c[SABER_SCALEBYTES_KEM]; - for (i = 0; i < SABER_SEEDBYTES; i++) { // extract the seedbytes from Public Key. + // extract the seedbytes from Public Key. + for (i = 0; i < SABER_SEEDBYTES; i++) { seed[i] = pk[ SABER_POLYVECCOMPRESSEDBYTES + i]; } GenMatrix(a, seed); - PQCLEAN_LIGHTSABER_CLEAN_GenSecret(skpv1, noiseseed); //generate secret from constant-time binomial distribution - - //-----------------matrix-vector multiplication and rounding + // generate secret from constant-time binomial distribution + PQCLEAN_LIGHTSABER_CLEAN_GenSecret(skpv1, noiseseed); + // matrix-vector multiplication and rounding for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_N; j++) { res[i][j] = 0; } } - MatrixVectorMul(a, skpv1, res, SABER_Q - 1, 0); - //-----now rounding - - for (i = 0; i < SABER_K; i++) { //shift right 3 bits + // now rounding + //shift right 3 bits + for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_N; j++) { res[i][j] = ( res[i][j] + h1 ) & mod_q; res[i][j] = (res[i][j] >> (SABER_EQ - SABER_EP) ); @@ -152,21 +144,15 @@ void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_enc(const unsigned char *message_receiv PQCLEAN_LIGHTSABER_CLEAN_POLVEC2BS(ciphertext, res, SABER_P); -//*******************client matrix-vector multiplication ends************************************ + // ************client matrix-vector multiplication ends************ - //------now calculate the v' - - //-------unpack the public_key - - //pkcl is the b in the protocol + // now calculate the v' + // unpack the public_key + // pkcl is the b in the protocol PQCLEAN_LIGHTSABER_CLEAN_BS2POLVEC(pk, pkcl, SABER_P); - - - for (i = 0; i < SABER_N; i++) { vprime[i] = 0; } - for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_N; j++) { skpv1[i][j] = skpv1[i][j] & (mod_p); @@ -176,12 +162,11 @@ void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_enc(const unsigned char *message_receiv // vector-vector scalar multiplication with mod p InnerProd(pkcl, skpv1, mod_p, vprime); - //addition of h1 to vprime + // addition of h1 to vprime for (i = 0; i < SABER_N; i++) { vprime[i] = vprime[i] + h1; } - // unpack message_received; for (j = 0; j < SABER_KEYBYTES; j++) { for (i = 0; i < 8; i++) { @@ -194,9 +179,6 @@ void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_enc(const unsigned char *message_receiv message[i] = (message[i] << (SABER_EP - 1)); } - - - for (k = 0; k < SABER_N; k++) { vprime[k] = ( (vprime[k] - message[k]) & (mod_p) ) >> (SABER_EP - SABER_ET); } @@ -204,7 +186,6 @@ void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_enc(const unsigned char *message_receiv PQCLEAN_LIGHTSABER_CLEAN_pack_3bit(msk_c, vprime); - for (j = 0; j < SABER_SCALEBYTES_KEM; j++) { ciphertext[SABER_POLYVECCOMPRESSEDBYTES + j] = msk_c[j]; } @@ -212,41 +193,31 @@ void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_enc(const unsigned char *message_receiv void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_dec(const unsigned char *sk, const unsigned char *ciphertext, unsigned char message_dec[]) { - uint32_t i, j; - - - uint16_t sksv[SABER_K][SABER_N]; //secret key of the server - - + // secret key of the server + uint16_t sksv[SABER_K][SABER_N]; uint16_t pksv[SABER_K][SABER_N]; - uint8_t scale_ar[SABER_SCALEBYTES_KEM]; - uint16_t mod_p = SABER_P - 1; - uint16_t v[SABER_N]; - uint16_t op[SABER_N]; - - PQCLEAN_LIGHTSABER_CLEAN_BS2POLVEC(sk, sksv, SABER_Q); //sksv is the secret-key - PQCLEAN_LIGHTSABER_CLEAN_BS2POLVEC(ciphertext, pksv, SABER_P); //pksv is the ciphertext + // sksv is the secret-key + PQCLEAN_LIGHTSABER_CLEAN_BS2POLVEC(sk, sksv, SABER_Q); + // pksv is the ciphertext + PQCLEAN_LIGHTSABER_CLEAN_BS2POLVEC(ciphertext, pksv, SABER_P); // vector-vector scalar multiplication with mod p for (i = 0; i < SABER_N; i++) { v[i] = 0; } - for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_N; j++) { sksv[i][j] = sksv[i][j] & (mod_p); } } - InnerProd(pksv, sksv, mod_p, v); - //Extraction for (i = 0; i < SABER_SCALEBYTES_KEM; i++) { scale_ar[i] = ciphertext[SABER_POLYVECCOMPRESSEDBYTES + i]; @@ -254,20 +225,15 @@ void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_dec(const unsigned char *sk, const unsi PQCLEAN_LIGHTSABER_CLEAN_un_pack3bit(scale_ar, op); - //addition of h1 for (i = 0; i < SABER_N; i++) { v[i] = ( ( v[i] + h2 - (op[i] << (SABER_EP - SABER_ET)) ) & (mod_p) ) >> (SABER_EP - 1); } // pack decrypted message - POL2MSG(v, message_dec); - - } static void MatrixVectorMul(polyvec *a, uint16_t skpv[SABER_K][SABER_N], uint16_t res[SABER_K][SABER_N], uint16_t mod, int16_t transpose) { - uint16_t acc[SABER_N]; int32_t i, j, k; @@ -278,32 +244,30 @@ static void MatrixVectorMul(polyvec *a, uint16_t skpv[SABER_K][SABER_N], uint16_ for (k = 0; k < SABER_N; k++) { res[i][k] = res[i][k] + acc[k]; - res[i][k] = (res[i][k] & mod); //reduction mod p - acc[k] = 0; //clear the accumulator + //reduction mod p + res[i][k] = (res[i][k] & mod); + //clear the accumulator + acc[k] = 0; } - } } } else { - for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_K; j++) { PQCLEAN_LIGHTSABER_CLEAN_pol_mul((uint16_t *)&a[i].vec[j], skpv[j], acc, SABER_Q, SABER_N); for (k = 0; k < SABER_N; k++) { res[i][k] = res[i][k] + acc[k]; - res[i][k] = res[i][k] & mod; //reduction - acc[k] = 0; //clear the accumulator + // reduction + res[i][k] = res[i][k] & mod; + // clear the accumulator + acc[k] = 0; } - } } } - - } static void POL2MSG(const uint16_t *message_dec_unpacked, unsigned char *message_dec) { - int32_t i, j; for (j = 0; j < SABER_KEYBYTES; j++) { @@ -312,13 +276,10 @@ static void POL2MSG(const uint16_t *message_dec_unpacked, unsigned char *message message_dec[j] = message_dec[j] | (uint8_t) (message_dec_unpacked[j * 8 + i] << i); } } - } static void InnerProd(uint16_t pkcl[SABER_K][SABER_N], uint16_t skpv[SABER_K][SABER_N], uint16_t mod, uint16_t res[SABER_N]) { - - uint32_t j, k; uint16_t acc[SABER_N]; @@ -328,8 +289,10 @@ static void InnerProd(uint16_t pkcl[SABER_K][SABER_N], uint16_t skpv[SABER_K][SA for (k = 0; k < SABER_N; k++) { res[k] = res[k] + acc[k]; - res[k] = res[k] & mod; //reduction - acc[k] = 0; //clear the accumulator + // reduction + res[k] = res[k] & mod; + // clear the accumulator + acc[k] = 0; } } } diff --git a/crypto_kem/lightsaber/clean/kem.c b/crypto_kem/lightsaber/clean/kem.c index f4a5c5a3..8aad4302 100644 --- a/crypto_kem/lightsaber/clean/kem.c +++ b/crypto_kem/lightsaber/clean/kem.c @@ -10,37 +10,48 @@ int PQCLEAN_LIGHTSABER_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) { int i; - PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_keypair(pk, sk); // sk[0:SABER_INDCPA_SECRETKEYBYTES-1] <-- sk + // sk[0:SABER_INDCPA_SECRETKEYBYTES-1] <-- sk + PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_keypair(pk, sk); + + // sk[SABER_INDCPA_SECRETKEYBYTES:SABER_INDCPA_SECRETKEYBYTES+SABER_INDCPA_SECRETKEYBYTES-1] <-- pk for (i = 0; i < SABER_INDCPA_PUBLICKEYBYTES; i++) { - sk[i + SABER_INDCPA_SECRETKEYBYTES] = pk[i]; // sk[SABER_INDCPA_SECRETKEYBYTES:SABER_INDCPA_SECRETKEYBYTES+SABER_INDCPA_SECRETKEYBYTES-1] <-- pk + sk[i + SABER_INDCPA_SECRETKEYBYTES] = pk[i]; } - sha3_256(sk + SABER_SECRETKEYBYTES - 64, pk, SABER_INDCPA_PUBLICKEYBYTES); // Then hash(pk) is appended. + // Then hash(pk) is appended. + sha3_256(sk + SABER_SECRETKEYBYTES - 64, pk, SABER_INDCPA_PUBLICKEYBYTES); - randombytes(sk + SABER_SECRETKEYBYTES - SABER_KEYBYTES, SABER_KEYBYTES ); // Remaining part of sk contains a pseudo-random number. + // Remaining part of sk contains a pseudo-random number. // This is output when check in crypto_kem_dec() fails. + randombytes(sk + SABER_SECRETKEYBYTES - SABER_KEYBYTES, SABER_KEYBYTES ); return (0); } int PQCLEAN_LIGHTSABER_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) { - - unsigned char kr[64]; // Will contain key, coins + // Will contain key, coins + unsigned char kr[64]; unsigned char buf[64]; randombytes(buf, 32); - sha3_256(buf, buf, 32); // BUF[0:31] <-- random message (will be used as the key for client) Note: hash doesnot release system RNG output + // BUF[0:31] <-- random message (will be used as the key for client) Note: hash doesnot release system RNG output + sha3_256(buf, buf, 32); - sha3_256(buf + 32, pk, SABER_INDCPA_PUBLICKEYBYTES); // BUF[32:63] <-- Hash(public key); Multitarget countermeasure for coins + contributory KEM + // BUF[32:63] <-- Hash(public key); Multitarget countermeasure for coins + contributory KEM + sha3_256(buf + 32, pk, SABER_INDCPA_PUBLICKEYBYTES); + + // kr[0:63] <-- Hash(buf[0:63]); + sha3_512(kr, buf, 64); - sha3_512(kr, buf, 64); // kr[0:63] <-- Hash(buf[0:63]); // K^ <-- kr[0:31] // noiseseed (r) <-- kr[32:63]; - PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_enc(buf, kr + 32, pk, ct); // buf[0:31] contains message; kr[32:63] contains randomness r; + // buf[0:31] contains message; kr[32:63] contains randomness r; + PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_enc(buf, kr + 32, pk, ct); sha3_256(kr + 32, ct, SABER_BYTES_CCA_DEC); - sha3_256(ss, kr, 64); // hash concatenation of pre-k and h(c) to k + // hash concatenation of pre-k and h(c) to k + sha3_256(ss, kr, 64); return (0); } @@ -51,14 +62,18 @@ int PQCLEAN_LIGHTSABER_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned ch unsigned char fail; unsigned char cmp[SABER_BYTES_CCA_DEC]; unsigned char buf[64]; - unsigned char kr[64]; // Will contain key, coins + + // Will contain key, coins + unsigned char kr[64]; const unsigned char *pk = sk + SABER_INDCPA_SECRETKEYBYTES; - PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_dec(sk, ct, buf); // buf[0:31] <-- message + // buf[0:31] <-- message + PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_dec(sk, ct, buf); // Multitarget countermeasure for coins + contributory KEM - for (i = 0; i < 32; i++) { // Save hash by storing h(pk) in sk + // Save hash by storing h(pk) in sk + for (i = 0; i < 32; i++) { buf[32 + i] = sk[SABER_SECRETKEYBYTES - 64 + i]; } @@ -69,11 +84,13 @@ int PQCLEAN_LIGHTSABER_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned ch fail = PQCLEAN_LIGHTSABER_CLEAN_verify(ct, cmp, SABER_BYTES_CCA_DEC); - sha3_256(kr + 32, ct, SABER_BYTES_CCA_DEC); // overwrite coins in kr with h(c) + // overwrite coins in kr with h(c) + sha3_256(kr + 32, ct, SABER_BYTES_CCA_DEC); PQCLEAN_LIGHTSABER_CLEAN_cmov(kr, sk + SABER_SECRETKEYBYTES - SABER_KEYBYTES, SABER_KEYBYTES, fail); - sha3_256(ss, kr, 64); // hash concatenation of pre-k and h(c) to k + // hash concatenation of pre-k and h(c) to k + sha3_256(ss, kr, 64); return (0); } diff --git a/crypto_kem/lightsaber/clean/pack_unpack.c b/crypto_kem/lightsaber/clean/pack_unpack.c index c93e3f22..4b1c409f 100644 --- a/crypto_kem/lightsaber/clean/pack_unpack.c +++ b/crypto_kem/lightsaber/clean/pack_unpack.c @@ -1,21 +1,26 @@ #include "pack_unpack.h" void PQCLEAN_LIGHTSABER_CLEAN_pack_3bit(uint8_t *bytes, const uint16_t *data) { - uint32_t j; uint32_t offset_data, offset_byte; for (j = 0; j < SABER_N / 8; j++) { offset_byte = 3 * j; offset_data = 8 * j; - bytes[offset_byte + 0] = (data[offset_data + 0] & 0x7) | ( (data[offset_data + 1] & 0x7) << 3 ) | ((data[offset_data + 2] & 0x3) << 6); - bytes[offset_byte + 1] = ((data[offset_data + 2] >> 2 ) & 0x01) | ( (data[offset_data + 3] & 0x7) << 1 ) | ( (data[offset_data + 4] & 0x7) << 4 ) | (((data[offset_data + 5]) & 0x01) << 7); - bytes[offset_byte + 2] = ((data[offset_data + 5] >> 1 ) & 0x03) | ( (data[offset_data + 6] & 0x7) << 2 ) | ( (data[offset_data + 7] & 0x7) << 5 ); + bytes[offset_byte + 0] = (data[offset_data + 0] & 0x7) | + ((data[offset_data + 1] & 0x7) << 3) | + ((data[offset_data + 2] & 0x3) << 6); + bytes[offset_byte + 1] = ((data[offset_data + 2] >> 2 ) & 0x01) | + ((data[offset_data + 3] & 0x7) << 1) | + ((data[offset_data + 4] & 0x7) << 4) | + (((data[offset_data + 5]) & 0x01) << 7); + bytes[offset_byte + 2] = ((data[offset_data + 5] >> 1 ) & 0x03) | + ((data[offset_data + 6] & 0x7) << 2) | + ((data[offset_data + 7] & 0x7) << 5); } } void PQCLEAN_LIGHTSABER_CLEAN_un_pack3bit(const uint8_t *bytes, uint16_t *data) { - uint32_t j; uint32_t offset_data, offset_byte; @@ -23,30 +28,30 @@ void PQCLEAN_LIGHTSABER_CLEAN_un_pack3bit(const uint8_t *bytes, uint16_t *data) offset_byte = 3 * j; offset_data = 8 * j; data[offset_data + 0] = (bytes[offset_byte + 0]) & 0x07; - data[offset_data + 1] = ( (bytes[offset_byte + 0]) >> 3 ) & 0x07; - data[offset_data + 2] = ( ( (bytes[offset_byte + 0]) >> 6 ) & 0x03) | ( ( (bytes[offset_byte + 1]) & 0x01) << 2 ); - data[offset_data + 3] = ( (bytes[offset_byte + 1]) >> 1 ) & 0x07; - data[offset_data + 4] = ( (bytes[offset_byte + 1]) >> 4 ) & 0x07; - data[offset_data + 5] = ( ( (bytes[offset_byte + 1]) >> 7 ) & 0x01) | ( ( (bytes[offset_byte + 2]) & 0x03) << 1 ); - data[offset_data + 6] = ( (bytes[offset_byte + 2] >> 2) & 0x07 ); - data[offset_data + 7] = ( (bytes[offset_byte + 2] >> 5) & 0x07 ); + data[offset_data + 1] = ((bytes[offset_byte + 0]) >> 3 ) & 0x07; + data[offset_data + 2] = (((bytes[offset_byte + 0]) >> 6 ) & 0x03) | + (((bytes[offset_byte + 1]) & 0x01) << 2); + data[offset_data + 3] = ((bytes[offset_byte + 1]) >> 1 ) & 0x07; + data[offset_data + 4] = ((bytes[offset_byte + 1]) >> 4 ) & 0x07; + data[offset_data + 5] = (((bytes[offset_byte + 1]) >> 7 ) & 0x01) | + (((bytes[offset_byte + 2]) & 0x03) << 1); + data[offset_data + 6] = ((bytes[offset_byte + 2] >> 2) & 0x07); + data[offset_data + 7] = ((bytes[offset_byte + 2] >> 5) & 0x07); } - } void PQCLEAN_LIGHTSABER_CLEAN_pack_4bit(uint8_t *bytes, const uint16_t *data) { - uint32_t j; uint32_t offset_data; for (j = 0; j < SABER_N / 2; j++) { offset_data = 2 * j; - bytes[j] = (data[offset_data] & 0x0f) | ( (data[offset_data + 1] & 0x0f) << 4 ); + bytes[j] = (data[offset_data] & 0x0f) | + ((data[offset_data + 1] & 0x0f) << 4); } } void PQCLEAN_LIGHTSABER_CLEAN_un_pack4bit(const unsigned char *bytes, uint16_t *ar) { - uint32_t j; uint32_t offset_data; @@ -64,9 +69,12 @@ void PQCLEAN_LIGHTSABER_CLEAN_pack_6bit(uint8_t *bytes, const uint16_t *data) { for (j = 0; j < SABER_N / 4; j++) { offset_byte = 3 * j; offset_data = 4 * j; - bytes[offset_byte + 0] = (data[offset_data + 0] & 0x3f) | ((data[offset_data + 1] & 0x03) << 6); - bytes[offset_byte + 1] = ((data[offset_data + 1] >> 2) & 0x0f) | ((data[offset_data + 2] & 0x0f) << 4); - bytes[offset_byte + 2] = ((data[offset_data + 2] >> 4) & 0x03) | ((data[offset_data + 3] & 0x3f) << 2); + bytes[offset_byte + 0] = (data[offset_data + 0] & 0x3f) | + ((data[offset_data + 1] & 0x03) << 6); + bytes[offset_byte + 1] = ((data[offset_data + 1] >> 2) & 0x0f) | + ((data[offset_data + 2] & 0x0f) << 4); + bytes[offset_byte + 2] = ((data[offset_data + 2] >> 4) & 0x03) | + ((data[offset_data + 3] & 0x3f) << 2); } } @@ -79,11 +87,12 @@ void PQCLEAN_LIGHTSABER_CLEAN_un_pack6bit(const unsigned char *bytes, uint16_t * offset_byte = 3 * j; offset_data = 4 * j; data[offset_data + 0] = bytes[offset_byte + 0] & 0x3f; - data[offset_data + 1] = ((bytes[offset_byte + 0] >> 6) & 0x03) | ((bytes[offset_byte + 1] & 0x0f) << 2) ; - data[offset_data + 2] = ((bytes[offset_byte + 1] & 0xff) >> 4) | ((bytes[offset_byte + 2] & 0x03) << 4) ; + data[offset_data + 1] = ((bytes[offset_byte + 0] >> 6) & 0x03) | + ((bytes[offset_byte + 1] & 0x0f) << 2); + data[offset_data + 2] = ((bytes[offset_byte + 1] & 0xff) >> 4) | + ((bytes[offset_byte + 2] & 0x03) << 4); data[offset_data + 3] = ((bytes[offset_byte + 2] & 0xff) >> 2); } - } @@ -96,23 +105,19 @@ static void POLVECp2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N]) { for (j = 0; j < SABER_N / 4; j++) { offset_byte = offset_byte1 + 5 * j; offset_data = 4 * j; - bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff)); - - bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x03 ) | ((data[i][ offset_data + 1 ] & 0x3f) << 2); - - bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 6) & 0x0f ) | ( (data[i][ offset_data + 2 ] & 0x0f) << 4); - - bytes[offset_byte + 3] = ( (data[i][ offset_data + 2 ] >> 4) & 0x3f ) | ((data[i][ offset_data + 3 ] & 0x03) << 6); - - bytes[offset_byte + 4] = ( (data[i][ offset_data + 3 ] >> 2) & 0xff ); + bytes[offset_byte + 0] = (data[i][offset_data + 0] & (0xff)); + bytes[offset_byte + 1] = ((data[i][offset_data + 0] >> 8) & 0x03) | + ((data[i][offset_data + 1] & 0x3f) << 2); + bytes[offset_byte + 2] = ((data[i][offset_data + 1] >> 6) & 0x0f) | + ((data[i][offset_data + 2] & 0x0f) << 4); + bytes[offset_byte + 3] = ((data[i][offset_data + 2] >> 4) & 0x3f) | + ((data[i][offset_data + 3] & 0x03) << 6); + bytes[offset_byte + 4] = ((data[i][offset_data + 3] >> 2) & 0xff); } } - - } static void BS2POLVECp(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N]) { - uint32_t i, j; uint32_t offset_data, offset_byte, offset_byte1; @@ -121,21 +126,21 @@ static void BS2POLVECp(const unsigned char *bytes, uint16_t data[SABER_K][SABER_ for (j = 0; j < SABER_N / 4; j++) { offset_byte = offset_byte1 + 5 * j; offset_data = 4 * j; - data[i][offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[ offset_byte + 1 ] & 0x03) << 8); - data[i][offset_data + 1] = ( (bytes[ offset_byte + 1 ] >> 2) & (0x3f)) | ((bytes[ offset_byte + 2 ] & 0x0f) << 6); - data[i][offset_data + 2] = ( (bytes[ offset_byte + 2 ] >> 4) & (0x0f)) | ((bytes[ offset_byte + 3 ] & 0x3f) << 4); - data[i][offset_data + 3] = ( (bytes[ offset_byte + 3 ] >> 6) & (0x03)) | ((bytes[ offset_byte + 4 ] & 0xff) << 2); - + data[i][offset_data + 0] = (bytes[offset_byte + 0] & (0xff)) | + ((bytes[offset_byte + 1] & 0x03) << 8); + data[i][offset_data + 1] = ((bytes[offset_byte + 1] >> 2) & (0x3f)) | + ((bytes[offset_byte + 2] & 0x0f) << 6); + data[i][offset_data + 2] = ((bytes[offset_byte + 2] >> 4) & (0x0f)) | + ((bytes[offset_byte + 3] & 0x3f) << 4); + data[i][offset_data + 3] = ((bytes[offset_byte + 3] >> 6) & (0x03)) | + ((bytes[offset_byte + 4] & 0xff) << 2); } } - - } static void POLVECq2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N]) { - uint32_t i, j; uint32_t offset_data, offset_byte, offset_byte1; @@ -144,40 +149,31 @@ static void POLVECq2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N]) { for (j = 0; j < SABER_N / 8; j++) { offset_byte = offset_byte1 + 13 * j; offset_data = 8 * j; - bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff)); - - bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x1f ) | ((data[i][ offset_data + 1 ] & 0x07) << 5); - - bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 3) & 0xff ); - - bytes[offset_byte + 3] = ( (data[i][ offset_data + 1 ] >> 11) & 0x03 ) | ((data[i][ offset_data + 2 ] & 0x3f) << 2); - - bytes[offset_byte + 4] = ( (data[i][ offset_data + 2 ] >> 6) & 0x7f ) | ( (data[i][ offset_data + 3 ] & 0x01) << 7 ); - - bytes[offset_byte + 5] = ( (data[i][ offset_data + 3 ] >> 1) & 0xff ); - - bytes[offset_byte + 6] = ( (data[i][ offset_data + 3 ] >> 9) & 0x0f ) | ( (data[i][ offset_data + 4 ] & 0x0f) << 4 ); - - bytes[offset_byte + 7] = ( (data[i][ offset_data + 4] >> 4) & 0xff ); - - bytes[offset_byte + 8] = ( (data[i][ offset_data + 4 ] >> 12) & 0x01 ) | ( (data[i][ offset_data + 5 ] & 0x7f) << 1 ); - - bytes[offset_byte + 9] = ( (data[i][ offset_data + 5 ] >> 7) & 0x3f ) | ( (data[i][ offset_data + 6 ] & 0x03) << 6 ); - - bytes[offset_byte + 10] = ( (data[i][ offset_data + 6 ] >> 2) & 0xff ); - - bytes[offset_byte + 11] = ( (data[i][ offset_data + 6 ] >> 10) & 0x07 ) | ( (data[i][ offset_data + 7 ] & 0x1f) << 3 ); - - bytes[offset_byte + 12] = ( (data[i][ offset_data + 7 ] >> 5) & 0xff ); - + bytes[offset_byte + 0] = (data[i][offset_data + 0] & (0xff)); + bytes[offset_byte + 1] = ((data[i][offset_data + 0] >> 8) & 0x1f) | + ((data[i][offset_data + 1] & 0x07) << 5); + bytes[offset_byte + 2] = ((data[i][offset_data + 1] >> 3) & 0xff); + bytes[offset_byte + 3] = ((data[i][offset_data + 1] >> 11) & 0x03) | + ((data[i][offset_data + 2] & 0x3f) << 2); + bytes[offset_byte + 4] = ((data[i][offset_data + 2] >> 6) & 0x7f) | + ((data[i][offset_data + 3] & 0x01) << 7); + bytes[offset_byte + 5] = ((data[i][offset_data + 3] >> 1) & 0xff); + bytes[offset_byte + 6] = ((data[i][offset_data + 3] >> 9) & 0x0f) | + ((data[i][offset_data + 4] & 0x0f) << 4); + bytes[offset_byte + 7] = ((data[i][offset_data + 4] >> 4) & 0xff); + bytes[offset_byte + 8] = ((data[i][offset_data + 4] >> 12) & 0x01) | + ((data[i][offset_data + 5] & 0x7f) << 1); + bytes[offset_byte + 9] = ((data[i][offset_data + 5] >> 7) & 0x3f) | + ((data[i][offset_data + 6] & 0x03) << 6); + bytes[offset_byte + 10] = ((data[i][offset_data + 6] >> 2) & 0xff); + bytes[offset_byte + 11] = ((data[i][offset_data + 6] >> 10) & 0x07) | + ((data[i][offset_data + 7] & 0x1f) << 3); + bytes[offset_byte + 12] = ((data[i][offset_data + 7] >> 5) & 0xff); } } - - } static void BS2POLVECq(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N]) { - uint32_t i, j; uint32_t offset_data, offset_byte, offset_byte1; @@ -186,44 +182,62 @@ static void BS2POLVECq(const unsigned char *bytes, uint16_t data[SABER_K][SABER_ for (j = 0; j < SABER_N / 8; j++) { offset_byte = offset_byte1 + 13 * j; offset_data = 8 * j; - data[i][offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[offset_byte + 1] & 0x1f) << 8); - data[i][offset_data + 1] = ( bytes[ offset_byte + 1 ] >> 5 & (0x07)) | ((bytes[offset_byte + 2] & 0xff) << 3) | ((bytes[offset_byte + 3] & 0x03) << 11); - data[i][offset_data + 2] = ( bytes[ offset_byte + 3 ] >> 2 & (0x3f)) | ((bytes[offset_byte + 4] & 0x7f) << 6); - data[i][offset_data + 3] = ( bytes[ offset_byte + 4 ] >> 7 & (0x01)) | ((bytes[offset_byte + 5] & 0xff) << 1) | ((bytes[offset_byte + 6] & 0x0f) << 9); - data[i][offset_data + 4] = ( bytes[ offset_byte + 6 ] >> 4 & (0x0f)) | ((bytes[offset_byte + 7] & 0xff) << 4) | ((bytes[offset_byte + 8] & 0x01) << 12); - data[i][offset_data + 5] = ( bytes[ offset_byte + 8] >> 1 & (0x7f)) | ((bytes[offset_byte + 9] & 0x3f) << 7); - data[i][offset_data + 6] = ( bytes[ offset_byte + 9] >> 6 & (0x03)) | ((bytes[offset_byte + 10] & 0xff) << 2) | ((bytes[offset_byte + 11] & 0x07) << 10); - data[i][offset_data + 7] = ( bytes[ offset_byte + 11] >> 3 & (0x1f)) | ((bytes[offset_byte + 12] & 0xff) << 5); + data[i][offset_data + 0] = (bytes[offset_byte + 0] & (0xff)) | + ((bytes[offset_byte + 1] & 0x1f) << 8); + data[i][offset_data + 1] = (bytes[offset_byte + 1] >> 5 & (0x07)) | + ((bytes[offset_byte + 2] & 0xff) << 3) | + ((bytes[offset_byte + 3] & 0x03) << 11); + data[i][offset_data + 2] = (bytes[offset_byte + 3] >> 2 & (0x3f)) | + ((bytes[offset_byte + 4] & 0x7f) << 6); + data[i][offset_data + 3] = (bytes[offset_byte + 4] >> 7 & (0x01)) | + ((bytes[offset_byte + 5] & 0xff) << 1) | + ((bytes[offset_byte + 6] & 0x0f) << 9); + data[i][offset_data + 4] = (bytes[offset_byte + 6] >> 4 & (0x0f)) | + ((bytes[offset_byte + 7] & 0xff) << 4) | + ((bytes[offset_byte + 8] & 0x01) << 12); + data[i][offset_data + 5] = (bytes[offset_byte + 8] >> 1 & (0x7f)) | + ((bytes[offset_byte + 9] & 0x3f) << 7); + data[i][offset_data + 6] = (bytes[offset_byte + 9] >> 6 & (0x03)) | + ((bytes[offset_byte + 10] & 0xff) << 2) | + ((bytes[offset_byte + 11] & 0x07) << 10); + data[i][offset_data + 7] = (bytes[offset_byte + 11] >> 3 & (0x1f)) | + ((bytes[offset_byte + 12] & 0xff) << 5); } } - - } -void PQCLEAN_LIGHTSABER_CLEAN_BS2POL(const unsigned char *bytes, uint16_t data[SABER_N]) { //only BS2POLq no BS2POLp - +//only BS2POLq no BS2POLp +void PQCLEAN_LIGHTSABER_CLEAN_BS2POL(const unsigned char *bytes, uint16_t data[SABER_N]) { uint32_t j; uint32_t offset_data, offset_byte; for (j = 0; j < SABER_N / 8; j++) { offset_byte = 13 * j; offset_data = 8 * j; - data[offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[offset_byte + 1] & 0x1f) << 8); - data[offset_data + 1] = ( bytes[ offset_byte + 1 ] >> 5 & (0x07)) | ((bytes[offset_byte + 2] & 0xff) << 3) | ((bytes[offset_byte + 3] & 0x03) << 11); - data[offset_data + 2] = ( bytes[ offset_byte + 3 ] >> 2 & (0x3f)) | ((bytes[offset_byte + 4] & 0x7f) << 6); - data[offset_data + 3] = ( bytes[ offset_byte + 4 ] >> 7 & (0x01)) | ((bytes[offset_byte + 5] & 0xff) << 1) | ((bytes[offset_byte + 6] & 0x0f) << 9); - data[offset_data + 4] = ( bytes[ offset_byte + 6 ] >> 4 & (0x0f)) | ((bytes[offset_byte + 7] & 0xff) << 4) | ((bytes[offset_byte + 8] & 0x01) << 12); - data[offset_data + 5] = ( bytes[ offset_byte + 8] >> 1 & (0x7f)) | ((bytes[offset_byte + 9] & 0x3f) << 7); - data[offset_data + 6] = ( bytes[ offset_byte + 9] >> 6 & (0x03)) | ((bytes[offset_byte + 10] & 0xff) << 2) | ((bytes[offset_byte + 11] & 0x07) << 10); - data[offset_data + 7] = ( bytes[ offset_byte + 11] >> 3 & (0x1f)) | ((bytes[offset_byte + 12] & 0xff) << 5); + data[offset_data + 0] = (bytes[offset_byte + 0] & (0xff)) | + ((bytes[offset_byte + 1] & 0x1f) << 8); + data[offset_data + 1] = (bytes[offset_byte + 1] >> 5 & (0x07)) | + ((bytes[offset_byte + 2] & 0xff) << 3) | + ((bytes[offset_byte + 3] & 0x03) << 11); + data[offset_data + 2] = (bytes[offset_byte + 3] >> 2 & (0x3f)) | + ((bytes[offset_byte + 4] & 0x7f) << 6); + data[offset_data + 3] = (bytes[offset_byte + 4] >> 7 & (0x01)) | + ((bytes[offset_byte + 5] & 0xff) << 1) | + ((bytes[offset_byte + 6] & 0x0f) << 9); + data[offset_data + 4] = (bytes[offset_byte + 6] >> 4 & (0x0f)) | + ((bytes[offset_byte + 7] & 0xff) << 4) | + ((bytes[offset_byte + 8] & 0x01) << 12); + data[offset_data + 5] = (bytes[offset_byte + 8] >> 1 & (0x7f)) | + ((bytes[offset_byte + 9] & 0x3f) << 7); + data[offset_data + 6] = (bytes[offset_byte + 9] >> 6 & (0x03)) | + ((bytes[offset_byte + 10] & 0xff) << 2) | + ((bytes[offset_byte + 11] & 0x07) << 10); + data[offset_data + 7] = (bytes[offset_byte + 11] >> 3 & (0x1f)) | + ((bytes[offset_byte + 12] & 0xff) << 5); } - - } - void PQCLEAN_LIGHTSABER_CLEAN_POLVEC2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus) { - if (modulus == 1024) { POLVECp2BS(bytes, data); } else if (modulus == 8192) { @@ -232,11 +246,9 @@ void PQCLEAN_LIGHTSABER_CLEAN_POLVEC2BS(uint8_t *bytes, uint16_t data[SABER_K][S } void PQCLEAN_LIGHTSABER_CLEAN_BS2POLVEC(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus) { - if (modulus == 1024) { BS2POLVECp(bytes, data); } else if (modulus == 8192) { BS2POLVECq(bytes, data); } - } diff --git a/crypto_kem/saber/clean/SABER_indcpa.c b/crypto_kem/saber/clean/SABER_indcpa.c index c5f113a7..d381194c 100644 --- a/crypto_kem/saber/clean/SABER_indcpa.c +++ b/crypto_kem/saber/clean/SABER_indcpa.c @@ -45,7 +45,7 @@ static void GenMatrix(polyvec *a, const unsigned char *seed) { void PQCLEAN_SABER_CLEAN_indcpa_kem_keypair(unsigned char *pk, unsigned char *sk) { - polyvec a[SABER_K];// skpv; + polyvec a[SABER_K]; uint16_t skpv[SABER_K][SABER_N]; @@ -58,43 +58,43 @@ void PQCLEAN_SABER_CLEAN_indcpa_kem_keypair(unsigned char *pk, unsigned char *sk uint16_t res[SABER_K][SABER_N]; randombytes(seed, SABER_SEEDBYTES); - shake128(seed, SABER_SEEDBYTES, seed, SABER_SEEDBYTES); // for not revealing system RNG state + + // for not revealing system RNG state + shake128(seed, SABER_SEEDBYTES, seed, SABER_SEEDBYTES); randombytes(noiseseed, SABER_COINBYTES); GenMatrix(a, seed); //sample matrix A - PQCLEAN_SABER_CLEAN_GenSecret(skpv, noiseseed); //generate secret from constant-time binomial distribution - - //------------------------do the matrix vector multiplication and rounding------------ + // generate secret from constant-time binomial distribution + PQCLEAN_SABER_CLEAN_GenSecret(skpv, noiseseed); + // do the matrix vector multiplication and rounding for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_N; j++) { res[i][j] = 0; } } - MatrixVectorMul(a, skpv, res, SABER_Q - 1, 1); - //-----now rounding - for (i = 0; i < SABER_K; i++) { //shift right 3 bits + // now rounding + for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_N; j++) { + // shift right 3 bits res[i][j] = (res[i][j] + h1) & (mod_q); res[i][j] = (res[i][j] >> (SABER_EQ - SABER_EP)); } } - //------------------unload and pack sk=3 x (256 coefficients of 14 bits)------- - + // unload and pack sk=3 x (256 coefficients of 14 bits) PQCLEAN_SABER_CLEAN_POLVEC2BS(sk, skpv, SABER_Q); - //------------------unload and pack pk=256 bits seed and 3 x (256 coefficients of 11 bits)------- + // unload and pack pk=256 bits seed and 3 x (256 coefficients of 11 bits) + // load the public-key coefficients + PQCLEAN_SABER_CLEAN_POLVEC2BS(pk, res, SABER_P); - PQCLEAN_SABER_CLEAN_POLVEC2BS(pk, res, SABER_P); // load the public-key coefficients - - - - for (i = 0; i < SABER_SEEDBYTES; i++) { // now load the seedbytes in PK. Easy since seed bytes are kept in byte format. + // now load the seedbytes in PK. Easy since seed bytes are kept in byte format. + for (i = 0; i < SABER_SEEDBYTES; i++) { pk[SABER_POLYVECCOMPRESSEDBYTES + i] = seed[i]; } @@ -103,47 +103,39 @@ void PQCLEAN_SABER_CLEAN_indcpa_kem_keypair(unsigned char *pk, unsigned char *sk void PQCLEAN_SABER_CLEAN_indcpa_kem_enc(const unsigned char *message_received, unsigned char *noiseseed, const unsigned char *pk, unsigned char *ciphertext) { uint32_t i, j, k; - polyvec a[SABER_K]; // skpv; + polyvec a[SABER_K]; unsigned char seed[SABER_SEEDBYTES]; - uint16_t pkcl[SABER_K][SABER_N]; //public key of received by the client - - - + // public key of received by the client + uint16_t pkcl[SABER_K][SABER_N]; uint16_t skpv1[SABER_K][SABER_N]; - uint16_t message[SABER_KEYBYTES * 8]; - uint16_t res[SABER_K][SABER_N]; uint16_t mod_p = SABER_P - 1; uint16_t mod_q = SABER_Q - 1; - uint16_t vprime[SABER_N]; - - - unsigned char msk_c[SABER_SCALEBYTES_KEM]; - for (i = 0; i < SABER_SEEDBYTES; i++) { // extract the seedbytes from Public Key. + // extract the seedbytes from Public Key. + for (i = 0; i < SABER_SEEDBYTES; i++) { seed[i] = pk[ SABER_POLYVECCOMPRESSEDBYTES + i]; } GenMatrix(a, seed); - PQCLEAN_SABER_CLEAN_GenSecret(skpv1, noiseseed); //generate secret from constant-time binomial distribution - - //-----------------matrix-vector multiplication and rounding + // generate secret from constant-time binomial distribution + PQCLEAN_SABER_CLEAN_GenSecret(skpv1, noiseseed); + // matrix-vector multiplication and rounding for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_N; j++) { res[i][j] = 0; } } - MatrixVectorMul(a, skpv1, res, SABER_Q - 1, 0); - //-----now rounding - - for (i = 0; i < SABER_K; i++) { //shift right 3 bits + // now rounding + //shift right 3 bits + for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_N; j++) { res[i][j] = ( res[i][j] + h1 ) & mod_q; res[i][j] = (res[i][j] >> (SABER_EQ - SABER_EP) ); @@ -152,21 +144,15 @@ void PQCLEAN_SABER_CLEAN_indcpa_kem_enc(const unsigned char *message_received, u PQCLEAN_SABER_CLEAN_POLVEC2BS(ciphertext, res, SABER_P); -//*******************client matrix-vector multiplication ends************************************ + // ************client matrix-vector multiplication ends************ - //------now calculate the v' - - //-------unpack the public_key - - //pkcl is the b in the protocol + // now calculate the v' + // unpack the public_key + // pkcl is the b in the protocol PQCLEAN_SABER_CLEAN_BS2POLVEC(pk, pkcl, SABER_P); - - - for (i = 0; i < SABER_N; i++) { vprime[i] = 0; } - for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_N; j++) { skpv1[i][j] = skpv1[i][j] & (mod_p); @@ -176,12 +162,11 @@ void PQCLEAN_SABER_CLEAN_indcpa_kem_enc(const unsigned char *message_received, u // vector-vector scalar multiplication with mod p InnerProd(pkcl, skpv1, mod_p, vprime); - //addition of h1 to vprime + // addition of h1 to vprime for (i = 0; i < SABER_N; i++) { vprime[i] = vprime[i] + h1; } - // unpack message_received; for (j = 0; j < SABER_KEYBYTES; j++) { for (i = 0; i < 8; i++) { @@ -194,9 +179,6 @@ void PQCLEAN_SABER_CLEAN_indcpa_kem_enc(const unsigned char *message_received, u message[i] = (message[i] << (SABER_EP - 1)); } - - - for (k = 0; k < SABER_N; k++) { vprime[k] = ( (vprime[k] - message[k]) & (mod_p) ) >> (SABER_EP - SABER_ET); } @@ -204,7 +186,6 @@ void PQCLEAN_SABER_CLEAN_indcpa_kem_enc(const unsigned char *message_received, u PQCLEAN_SABER_CLEAN_pack_4bit(msk_c, vprime); - for (j = 0; j < SABER_SCALEBYTES_KEM; j++) { ciphertext[SABER_POLYVECCOMPRESSEDBYTES + j] = msk_c[j]; } @@ -212,41 +193,31 @@ void PQCLEAN_SABER_CLEAN_indcpa_kem_enc(const unsigned char *message_received, u void PQCLEAN_SABER_CLEAN_indcpa_kem_dec(const unsigned char *sk, const unsigned char *ciphertext, unsigned char message_dec[]) { - uint32_t i, j; - - - uint16_t sksv[SABER_K][SABER_N]; //secret key of the server - - + // secret key of the server + uint16_t sksv[SABER_K][SABER_N]; uint16_t pksv[SABER_K][SABER_N]; - uint8_t scale_ar[SABER_SCALEBYTES_KEM]; - uint16_t mod_p = SABER_P - 1; - uint16_t v[SABER_N]; - uint16_t op[SABER_N]; - - PQCLEAN_SABER_CLEAN_BS2POLVEC(sk, sksv, SABER_Q); //sksv is the secret-key - PQCLEAN_SABER_CLEAN_BS2POLVEC(ciphertext, pksv, SABER_P); //pksv is the ciphertext + // sksv is the secret-key + PQCLEAN_SABER_CLEAN_BS2POLVEC(sk, sksv, SABER_Q); + // pksv is the ciphertext + PQCLEAN_SABER_CLEAN_BS2POLVEC(ciphertext, pksv, SABER_P); // vector-vector scalar multiplication with mod p for (i = 0; i < SABER_N; i++) { v[i] = 0; } - for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_N; j++) { sksv[i][j] = sksv[i][j] & (mod_p); } } - InnerProd(pksv, sksv, mod_p, v); - //Extraction for (i = 0; i < SABER_SCALEBYTES_KEM; i++) { scale_ar[i] = ciphertext[SABER_POLYVECCOMPRESSEDBYTES + i]; @@ -254,20 +225,15 @@ void PQCLEAN_SABER_CLEAN_indcpa_kem_dec(const unsigned char *sk, const unsigned PQCLEAN_SABER_CLEAN_un_pack4bit(scale_ar, op); - //addition of h1 for (i = 0; i < SABER_N; i++) { v[i] = ( ( v[i] + h2 - (op[i] << (SABER_EP - SABER_ET)) ) & (mod_p) ) >> (SABER_EP - 1); } // pack decrypted message - POL2MSG(v, message_dec); - - } static void MatrixVectorMul(polyvec *a, uint16_t skpv[SABER_K][SABER_N], uint16_t res[SABER_K][SABER_N], uint16_t mod, int16_t transpose) { - uint16_t acc[SABER_N]; int32_t i, j, k; @@ -278,32 +244,30 @@ static void MatrixVectorMul(polyvec *a, uint16_t skpv[SABER_K][SABER_N], uint16_ for (k = 0; k < SABER_N; k++) { res[i][k] = res[i][k] + acc[k]; - res[i][k] = (res[i][k] & mod); //reduction mod p - acc[k] = 0; //clear the accumulator + //reduction mod p + res[i][k] = (res[i][k] & mod); + //clear the accumulator + acc[k] = 0; } - } } } else { - for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_K; j++) { PQCLEAN_SABER_CLEAN_pol_mul((uint16_t *)&a[i].vec[j], skpv[j], acc, SABER_Q, SABER_N); for (k = 0; k < SABER_N; k++) { res[i][k] = res[i][k] + acc[k]; - res[i][k] = res[i][k] & mod; //reduction - acc[k] = 0; //clear the accumulator + // reduction + res[i][k] = res[i][k] & mod; + // clear the accumulator + acc[k] = 0; } - } } } - - } static void POL2MSG(const uint16_t *message_dec_unpacked, unsigned char *message_dec) { - int32_t i, j; for (j = 0; j < SABER_KEYBYTES; j++) { @@ -312,13 +276,10 @@ static void POL2MSG(const uint16_t *message_dec_unpacked, unsigned char *message message_dec[j] = message_dec[j] | (uint8_t) (message_dec_unpacked[j * 8 + i] << i); } } - } static void InnerProd(uint16_t pkcl[SABER_K][SABER_N], uint16_t skpv[SABER_K][SABER_N], uint16_t mod, uint16_t res[SABER_N]) { - - uint32_t j, k; uint16_t acc[SABER_N]; @@ -328,8 +289,10 @@ static void InnerProd(uint16_t pkcl[SABER_K][SABER_N], uint16_t skpv[SABER_K][SA for (k = 0; k < SABER_N; k++) { res[k] = res[k] + acc[k]; - res[k] = res[k] & mod; //reduction - acc[k] = 0; //clear the accumulator + // reduction + res[k] = res[k] & mod; + // clear the accumulator + acc[k] = 0; } } } diff --git a/crypto_kem/saber/clean/kem.c b/crypto_kem/saber/clean/kem.c index 05ffde7c..9e5b01f4 100644 --- a/crypto_kem/saber/clean/kem.c +++ b/crypto_kem/saber/clean/kem.c @@ -10,37 +10,48 @@ int PQCLEAN_SABER_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) { int i; - PQCLEAN_SABER_CLEAN_indcpa_kem_keypair(pk, sk); // sk[0:SABER_INDCPA_SECRETKEYBYTES-1] <-- sk + // sk[0:SABER_INDCPA_SECRETKEYBYTES-1] <-- sk + PQCLEAN_SABER_CLEAN_indcpa_kem_keypair(pk, sk); + + // sk[SABER_INDCPA_SECRETKEYBYTES:SABER_INDCPA_SECRETKEYBYTES+SABER_INDCPA_SECRETKEYBYTES-1] <-- pk for (i = 0; i < SABER_INDCPA_PUBLICKEYBYTES; i++) { - sk[i + SABER_INDCPA_SECRETKEYBYTES] = pk[i]; // sk[SABER_INDCPA_SECRETKEYBYTES:SABER_INDCPA_SECRETKEYBYTES+SABER_INDCPA_SECRETKEYBYTES-1] <-- pk + sk[i + SABER_INDCPA_SECRETKEYBYTES] = pk[i]; } - sha3_256(sk + SABER_SECRETKEYBYTES - 64, pk, SABER_INDCPA_PUBLICKEYBYTES); // Then hash(pk) is appended. + // Then hash(pk) is appended. + sha3_256(sk + SABER_SECRETKEYBYTES - 64, pk, SABER_INDCPA_PUBLICKEYBYTES); - randombytes(sk + SABER_SECRETKEYBYTES - SABER_KEYBYTES, SABER_KEYBYTES ); // Remaining part of sk contains a pseudo-random number. + // Remaining part of sk contains a pseudo-random number. // This is output when check in crypto_kem_dec() fails. + randombytes(sk + SABER_SECRETKEYBYTES - SABER_KEYBYTES, SABER_KEYBYTES ); return (0); } int PQCLEAN_SABER_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) { - - unsigned char kr[64]; // Will contain key, coins + // Will contain key, coins + unsigned char kr[64]; unsigned char buf[64]; randombytes(buf, 32); - sha3_256(buf, buf, 32); // BUF[0:31] <-- random message (will be used as the key for client) Note: hash doesnot release system RNG output + // BUF[0:31] <-- random message (will be used as the key for client) Note: hash doesnot release system RNG output + sha3_256(buf, buf, 32); - sha3_256(buf + 32, pk, SABER_INDCPA_PUBLICKEYBYTES); // BUF[32:63] <-- Hash(public key); Multitarget countermeasure for coins + contributory KEM + // BUF[32:63] <-- Hash(public key); Multitarget countermeasure for coins + contributory KEM + sha3_256(buf + 32, pk, SABER_INDCPA_PUBLICKEYBYTES); + + // kr[0:63] <-- Hash(buf[0:63]); + sha3_512(kr, buf, 64); - sha3_512(kr, buf, 64); // kr[0:63] <-- Hash(buf[0:63]); // K^ <-- kr[0:31] // noiseseed (r) <-- kr[32:63]; - PQCLEAN_SABER_CLEAN_indcpa_kem_enc(buf, kr + 32, pk, ct); // buf[0:31] contains message; kr[32:63] contains randomness r; + // buf[0:31] contains message; kr[32:63] contains randomness r; + PQCLEAN_SABER_CLEAN_indcpa_kem_enc(buf, kr + 32, pk, ct); sha3_256(kr + 32, ct, SABER_BYTES_CCA_DEC); - sha3_256(ss, kr, 64); // hash concatenation of pre-k and h(c) to k + // hash concatenation of pre-k and h(c) to k + sha3_256(ss, kr, 64); return (0); } @@ -51,14 +62,18 @@ int PQCLEAN_SABER_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *c unsigned char fail; unsigned char cmp[SABER_BYTES_CCA_DEC]; unsigned char buf[64]; - unsigned char kr[64]; // Will contain key, coins + + // Will contain key, coins + unsigned char kr[64]; const unsigned char *pk = sk + SABER_INDCPA_SECRETKEYBYTES; - PQCLEAN_SABER_CLEAN_indcpa_kem_dec(sk, ct, buf); // buf[0:31] <-- message + // buf[0:31] <-- message + PQCLEAN_SABER_CLEAN_indcpa_kem_dec(sk, ct, buf); // Multitarget countermeasure for coins + contributory KEM - for (i = 0; i < 32; i++) { // Save hash by storing h(pk) in sk + // Save hash by storing h(pk) in sk + for (i = 0; i < 32; i++) { buf[32 + i] = sk[SABER_SECRETKEYBYTES - 64 + i]; } @@ -69,11 +84,13 @@ int PQCLEAN_SABER_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *c fail = PQCLEAN_SABER_CLEAN_verify(ct, cmp, SABER_BYTES_CCA_DEC); - sha3_256(kr + 32, ct, SABER_BYTES_CCA_DEC); // overwrite coins in kr with h(c) + // overwrite coins in kr with h(c) + sha3_256(kr + 32, ct, SABER_BYTES_CCA_DEC); PQCLEAN_SABER_CLEAN_cmov(kr, sk + SABER_SECRETKEYBYTES - SABER_KEYBYTES, SABER_KEYBYTES, fail); - sha3_256(ss, kr, 64); // hash concatenation of pre-k and h(c) to k + // hash concatenation of pre-k and h(c) to k + sha3_256(ss, kr, 64); return (0); } diff --git a/crypto_kem/saber/clean/pack_unpack.c b/crypto_kem/saber/clean/pack_unpack.c index fa210fcc..06a74778 100644 --- a/crypto_kem/saber/clean/pack_unpack.c +++ b/crypto_kem/saber/clean/pack_unpack.c @@ -1,21 +1,26 @@ #include "pack_unpack.h" void PQCLEAN_SABER_CLEAN_pack_3bit(uint8_t *bytes, const uint16_t *data) { - uint32_t j; uint32_t offset_data, offset_byte; for (j = 0; j < SABER_N / 8; j++) { offset_byte = 3 * j; offset_data = 8 * j; - bytes[offset_byte + 0] = (data[offset_data + 0] & 0x7) | ( (data[offset_data + 1] & 0x7) << 3 ) | ((data[offset_data + 2] & 0x3) << 6); - bytes[offset_byte + 1] = ((data[offset_data + 2] >> 2 ) & 0x01) | ( (data[offset_data + 3] & 0x7) << 1 ) | ( (data[offset_data + 4] & 0x7) << 4 ) | (((data[offset_data + 5]) & 0x01) << 7); - bytes[offset_byte + 2] = ((data[offset_data + 5] >> 1 ) & 0x03) | ( (data[offset_data + 6] & 0x7) << 2 ) | ( (data[offset_data + 7] & 0x7) << 5 ); + bytes[offset_byte + 0] = (data[offset_data + 0] & 0x7) | + ((data[offset_data + 1] & 0x7) << 3) | + ((data[offset_data + 2] & 0x3) << 6); + bytes[offset_byte + 1] = ((data[offset_data + 2] >> 2 ) & 0x01) | + ((data[offset_data + 3] & 0x7) << 1) | + ((data[offset_data + 4] & 0x7) << 4) | + (((data[offset_data + 5]) & 0x01) << 7); + bytes[offset_byte + 2] = ((data[offset_data + 5] >> 1 ) & 0x03) | + ((data[offset_data + 6] & 0x7) << 2) | + ((data[offset_data + 7] & 0x7) << 5); } } void PQCLEAN_SABER_CLEAN_un_pack3bit(const uint8_t *bytes, uint16_t *data) { - uint32_t j; uint32_t offset_data, offset_byte; @@ -23,30 +28,30 @@ void PQCLEAN_SABER_CLEAN_un_pack3bit(const uint8_t *bytes, uint16_t *data) { offset_byte = 3 * j; offset_data = 8 * j; data[offset_data + 0] = (bytes[offset_byte + 0]) & 0x07; - data[offset_data + 1] = ( (bytes[offset_byte + 0]) >> 3 ) & 0x07; - data[offset_data + 2] = ( ( (bytes[offset_byte + 0]) >> 6 ) & 0x03) | ( ( (bytes[offset_byte + 1]) & 0x01) << 2 ); - data[offset_data + 3] = ( (bytes[offset_byte + 1]) >> 1 ) & 0x07; - data[offset_data + 4] = ( (bytes[offset_byte + 1]) >> 4 ) & 0x07; - data[offset_data + 5] = ( ( (bytes[offset_byte + 1]) >> 7 ) & 0x01) | ( ( (bytes[offset_byte + 2]) & 0x03) << 1 ); - data[offset_data + 6] = ( (bytes[offset_byte + 2] >> 2) & 0x07 ); - data[offset_data + 7] = ( (bytes[offset_byte + 2] >> 5) & 0x07 ); + data[offset_data + 1] = ((bytes[offset_byte + 0]) >> 3 ) & 0x07; + data[offset_data + 2] = (((bytes[offset_byte + 0]) >> 6 ) & 0x03) | + (((bytes[offset_byte + 1]) & 0x01) << 2); + data[offset_data + 3] = ((bytes[offset_byte + 1]) >> 1 ) & 0x07; + data[offset_data + 4] = ((bytes[offset_byte + 1]) >> 4 ) & 0x07; + data[offset_data + 5] = (((bytes[offset_byte + 1]) >> 7 ) & 0x01) | + (((bytes[offset_byte + 2]) & 0x03) << 1); + data[offset_data + 6] = ((bytes[offset_byte + 2] >> 2) & 0x07); + data[offset_data + 7] = ((bytes[offset_byte + 2] >> 5) & 0x07); } - } void PQCLEAN_SABER_CLEAN_pack_4bit(uint8_t *bytes, const uint16_t *data) { - uint32_t j; uint32_t offset_data; for (j = 0; j < SABER_N / 2; j++) { offset_data = 2 * j; - bytes[j] = (data[offset_data] & 0x0f) | ( (data[offset_data + 1] & 0x0f) << 4 ); + bytes[j] = (data[offset_data] & 0x0f) | + ((data[offset_data + 1] & 0x0f) << 4); } } void PQCLEAN_SABER_CLEAN_un_pack4bit(const unsigned char *bytes, uint16_t *ar) { - uint32_t j; uint32_t offset_data; @@ -64,9 +69,12 @@ void PQCLEAN_SABER_CLEAN_pack_6bit(uint8_t *bytes, const uint16_t *data) { for (j = 0; j < SABER_N / 4; j++) { offset_byte = 3 * j; offset_data = 4 * j; - bytes[offset_byte + 0] = (data[offset_data + 0] & 0x3f) | ((data[offset_data + 1] & 0x03) << 6); - bytes[offset_byte + 1] = ((data[offset_data + 1] >> 2) & 0x0f) | ((data[offset_data + 2] & 0x0f) << 4); - bytes[offset_byte + 2] = ((data[offset_data + 2] >> 4) & 0x03) | ((data[offset_data + 3] & 0x3f) << 2); + bytes[offset_byte + 0] = (data[offset_data + 0] & 0x3f) | + ((data[offset_data + 1] & 0x03) << 6); + bytes[offset_byte + 1] = ((data[offset_data + 1] >> 2) & 0x0f) | + ((data[offset_data + 2] & 0x0f) << 4); + bytes[offset_byte + 2] = ((data[offset_data + 2] >> 4) & 0x03) | + ((data[offset_data + 3] & 0x3f) << 2); } } @@ -79,11 +87,12 @@ void PQCLEAN_SABER_CLEAN_un_pack6bit(const unsigned char *bytes, uint16_t *data) offset_byte = 3 * j; offset_data = 4 * j; data[offset_data + 0] = bytes[offset_byte + 0] & 0x3f; - data[offset_data + 1] = ((bytes[offset_byte + 0] >> 6) & 0x03) | ((bytes[offset_byte + 1] & 0x0f) << 2) ; - data[offset_data + 2] = ((bytes[offset_byte + 1] & 0xff) >> 4) | ((bytes[offset_byte + 2] & 0x03) << 4) ; + data[offset_data + 1] = ((bytes[offset_byte + 0] >> 6) & 0x03) | + ((bytes[offset_byte + 1] & 0x0f) << 2); + data[offset_data + 2] = ((bytes[offset_byte + 1] & 0xff) >> 4) | + ((bytes[offset_byte + 2] & 0x03) << 4); data[offset_data + 3] = ((bytes[offset_byte + 2] & 0xff) >> 2); } - } @@ -96,23 +105,19 @@ static void POLVECp2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N]) { for (j = 0; j < SABER_N / 4; j++) { offset_byte = offset_byte1 + 5 * j; offset_data = 4 * j; - bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff)); - - bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x03 ) | ((data[i][ offset_data + 1 ] & 0x3f) << 2); - - bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 6) & 0x0f ) | ( (data[i][ offset_data + 2 ] & 0x0f) << 4); - - bytes[offset_byte + 3] = ( (data[i][ offset_data + 2 ] >> 4) & 0x3f ) | ((data[i][ offset_data + 3 ] & 0x03) << 6); - - bytes[offset_byte + 4] = ( (data[i][ offset_data + 3 ] >> 2) & 0xff ); + bytes[offset_byte + 0] = (data[i][offset_data + 0] & (0xff)); + bytes[offset_byte + 1] = ((data[i][offset_data + 0] >> 8) & 0x03) | + ((data[i][offset_data + 1] & 0x3f) << 2); + bytes[offset_byte + 2] = ((data[i][offset_data + 1] >> 6) & 0x0f) | + ((data[i][offset_data + 2] & 0x0f) << 4); + bytes[offset_byte + 3] = ((data[i][offset_data + 2] >> 4) & 0x3f) | + ((data[i][offset_data + 3] & 0x03) << 6); + bytes[offset_byte + 4] = ((data[i][offset_data + 3] >> 2) & 0xff); } } - - } static void BS2POLVECp(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N]) { - uint32_t i, j; uint32_t offset_data, offset_byte, offset_byte1; @@ -121,21 +126,21 @@ static void BS2POLVECp(const unsigned char *bytes, uint16_t data[SABER_K][SABER_ for (j = 0; j < SABER_N / 4; j++) { offset_byte = offset_byte1 + 5 * j; offset_data = 4 * j; - data[i][offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[ offset_byte + 1 ] & 0x03) << 8); - data[i][offset_data + 1] = ( (bytes[ offset_byte + 1 ] >> 2) & (0x3f)) | ((bytes[ offset_byte + 2 ] & 0x0f) << 6); - data[i][offset_data + 2] = ( (bytes[ offset_byte + 2 ] >> 4) & (0x0f)) | ((bytes[ offset_byte + 3 ] & 0x3f) << 4); - data[i][offset_data + 3] = ( (bytes[ offset_byte + 3 ] >> 6) & (0x03)) | ((bytes[ offset_byte + 4 ] & 0xff) << 2); - + data[i][offset_data + 0] = (bytes[offset_byte + 0] & (0xff)) | + ((bytes[offset_byte + 1] & 0x03) << 8); + data[i][offset_data + 1] = ((bytes[offset_byte + 1] >> 2) & (0x3f)) | + ((bytes[offset_byte + 2] & 0x0f) << 6); + data[i][offset_data + 2] = ((bytes[offset_byte + 2] >> 4) & (0x0f)) | + ((bytes[offset_byte + 3] & 0x3f) << 4); + data[i][offset_data + 3] = ((bytes[offset_byte + 3] >> 6) & (0x03)) | + ((bytes[offset_byte + 4] & 0xff) << 2); } } - - } static void POLVECq2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N]) { - uint32_t i, j; uint32_t offset_data, offset_byte, offset_byte1; @@ -144,40 +149,31 @@ static void POLVECq2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N]) { for (j = 0; j < SABER_N / 8; j++) { offset_byte = offset_byte1 + 13 * j; offset_data = 8 * j; - bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff)); - - bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x1f ) | ((data[i][ offset_data + 1 ] & 0x07) << 5); - - bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 3) & 0xff ); - - bytes[offset_byte + 3] = ( (data[i][ offset_data + 1 ] >> 11) & 0x03 ) | ((data[i][ offset_data + 2 ] & 0x3f) << 2); - - bytes[offset_byte + 4] = ( (data[i][ offset_data + 2 ] >> 6) & 0x7f ) | ( (data[i][ offset_data + 3 ] & 0x01) << 7 ); - - bytes[offset_byte + 5] = ( (data[i][ offset_data + 3 ] >> 1) & 0xff ); - - bytes[offset_byte + 6] = ( (data[i][ offset_data + 3 ] >> 9) & 0x0f ) | ( (data[i][ offset_data + 4 ] & 0x0f) << 4 ); - - bytes[offset_byte + 7] = ( (data[i][ offset_data + 4] >> 4) & 0xff ); - - bytes[offset_byte + 8] = ( (data[i][ offset_data + 4 ] >> 12) & 0x01 ) | ( (data[i][ offset_data + 5 ] & 0x7f) << 1 ); - - bytes[offset_byte + 9] = ( (data[i][ offset_data + 5 ] >> 7) & 0x3f ) | ( (data[i][ offset_data + 6 ] & 0x03) << 6 ); - - bytes[offset_byte + 10] = ( (data[i][ offset_data + 6 ] >> 2) & 0xff ); - - bytes[offset_byte + 11] = ( (data[i][ offset_data + 6 ] >> 10) & 0x07 ) | ( (data[i][ offset_data + 7 ] & 0x1f) << 3 ); - - bytes[offset_byte + 12] = ( (data[i][ offset_data + 7 ] >> 5) & 0xff ); - + bytes[offset_byte + 0] = (data[i][offset_data + 0] & (0xff)); + bytes[offset_byte + 1] = ((data[i][offset_data + 0] >> 8) & 0x1f) | + ((data[i][offset_data + 1] & 0x07) << 5); + bytes[offset_byte + 2] = ((data[i][offset_data + 1] >> 3) & 0xff); + bytes[offset_byte + 3] = ((data[i][offset_data + 1] >> 11) & 0x03) | + ((data[i][offset_data + 2] & 0x3f) << 2); + bytes[offset_byte + 4] = ((data[i][offset_data + 2] >> 6) & 0x7f) | + ((data[i][offset_data + 3] & 0x01) << 7); + bytes[offset_byte + 5] = ((data[i][offset_data + 3] >> 1) & 0xff); + bytes[offset_byte + 6] = ((data[i][offset_data + 3] >> 9) & 0x0f) | + ((data[i][offset_data + 4] & 0x0f) << 4); + bytes[offset_byte + 7] = ((data[i][offset_data + 4] >> 4) & 0xff); + bytes[offset_byte + 8] = ((data[i][offset_data + 4] >> 12) & 0x01) | + ((data[i][offset_data + 5] & 0x7f) << 1); + bytes[offset_byte + 9] = ((data[i][offset_data + 5] >> 7) & 0x3f) | + ((data[i][offset_data + 6] & 0x03) << 6); + bytes[offset_byte + 10] = ((data[i][offset_data + 6] >> 2) & 0xff); + bytes[offset_byte + 11] = ((data[i][offset_data + 6] >> 10) & 0x07) | + ((data[i][offset_data + 7] & 0x1f) << 3); + bytes[offset_byte + 12] = ((data[i][offset_data + 7] >> 5) & 0xff); } } - - } static void BS2POLVECq(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N]) { - uint32_t i, j; uint32_t offset_data, offset_byte, offset_byte1; @@ -186,44 +182,62 @@ static void BS2POLVECq(const unsigned char *bytes, uint16_t data[SABER_K][SABER_ for (j = 0; j < SABER_N / 8; j++) { offset_byte = offset_byte1 + 13 * j; offset_data = 8 * j; - data[i][offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[offset_byte + 1] & 0x1f) << 8); - data[i][offset_data + 1] = ( bytes[ offset_byte + 1 ] >> 5 & (0x07)) | ((bytes[offset_byte + 2] & 0xff) << 3) | ((bytes[offset_byte + 3] & 0x03) << 11); - data[i][offset_data + 2] = ( bytes[ offset_byte + 3 ] >> 2 & (0x3f)) | ((bytes[offset_byte + 4] & 0x7f) << 6); - data[i][offset_data + 3] = ( bytes[ offset_byte + 4 ] >> 7 & (0x01)) | ((bytes[offset_byte + 5] & 0xff) << 1) | ((bytes[offset_byte + 6] & 0x0f) << 9); - data[i][offset_data + 4] = ( bytes[ offset_byte + 6 ] >> 4 & (0x0f)) | ((bytes[offset_byte + 7] & 0xff) << 4) | ((bytes[offset_byte + 8] & 0x01) << 12); - data[i][offset_data + 5] = ( bytes[ offset_byte + 8] >> 1 & (0x7f)) | ((bytes[offset_byte + 9] & 0x3f) << 7); - data[i][offset_data + 6] = ( bytes[ offset_byte + 9] >> 6 & (0x03)) | ((bytes[offset_byte + 10] & 0xff) << 2) | ((bytes[offset_byte + 11] & 0x07) << 10); - data[i][offset_data + 7] = ( bytes[ offset_byte + 11] >> 3 & (0x1f)) | ((bytes[offset_byte + 12] & 0xff) << 5); + data[i][offset_data + 0] = (bytes[offset_byte + 0] & (0xff)) | + ((bytes[offset_byte + 1] & 0x1f) << 8); + data[i][offset_data + 1] = (bytes[offset_byte + 1] >> 5 & (0x07)) | + ((bytes[offset_byte + 2] & 0xff) << 3) | + ((bytes[offset_byte + 3] & 0x03) << 11); + data[i][offset_data + 2] = (bytes[offset_byte + 3] >> 2 & (0x3f)) | + ((bytes[offset_byte + 4] & 0x7f) << 6); + data[i][offset_data + 3] = (bytes[offset_byte + 4] >> 7 & (0x01)) | + ((bytes[offset_byte + 5] & 0xff) << 1) | + ((bytes[offset_byte + 6] & 0x0f) << 9); + data[i][offset_data + 4] = (bytes[offset_byte + 6] >> 4 & (0x0f)) | + ((bytes[offset_byte + 7] & 0xff) << 4) | + ((bytes[offset_byte + 8] & 0x01) << 12); + data[i][offset_data + 5] = (bytes[offset_byte + 8] >> 1 & (0x7f)) | + ((bytes[offset_byte + 9] & 0x3f) << 7); + data[i][offset_data + 6] = (bytes[offset_byte + 9] >> 6 & (0x03)) | + ((bytes[offset_byte + 10] & 0xff) << 2) | + ((bytes[offset_byte + 11] & 0x07) << 10); + data[i][offset_data + 7] = (bytes[offset_byte + 11] >> 3 & (0x1f)) | + ((bytes[offset_byte + 12] & 0xff) << 5); } } - - } -void PQCLEAN_SABER_CLEAN_BS2POL(const unsigned char *bytes, uint16_t data[SABER_N]) { //only BS2POLq no BS2POLp - +//only BS2POLq no BS2POLp +void PQCLEAN_SABER_CLEAN_BS2POL(const unsigned char *bytes, uint16_t data[SABER_N]) { uint32_t j; uint32_t offset_data, offset_byte; for (j = 0; j < SABER_N / 8; j++) { offset_byte = 13 * j; offset_data = 8 * j; - data[offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[offset_byte + 1] & 0x1f) << 8); - data[offset_data + 1] = ( bytes[ offset_byte + 1 ] >> 5 & (0x07)) | ((bytes[offset_byte + 2] & 0xff) << 3) | ((bytes[offset_byte + 3] & 0x03) << 11); - data[offset_data + 2] = ( bytes[ offset_byte + 3 ] >> 2 & (0x3f)) | ((bytes[offset_byte + 4] & 0x7f) << 6); - data[offset_data + 3] = ( bytes[ offset_byte + 4 ] >> 7 & (0x01)) | ((bytes[offset_byte + 5] & 0xff) << 1) | ((bytes[offset_byte + 6] & 0x0f) << 9); - data[offset_data + 4] = ( bytes[ offset_byte + 6 ] >> 4 & (0x0f)) | ((bytes[offset_byte + 7] & 0xff) << 4) | ((bytes[offset_byte + 8] & 0x01) << 12); - data[offset_data + 5] = ( bytes[ offset_byte + 8] >> 1 & (0x7f)) | ((bytes[offset_byte + 9] & 0x3f) << 7); - data[offset_data + 6] = ( bytes[ offset_byte + 9] >> 6 & (0x03)) | ((bytes[offset_byte + 10] & 0xff) << 2) | ((bytes[offset_byte + 11] & 0x07) << 10); - data[offset_data + 7] = ( bytes[ offset_byte + 11] >> 3 & (0x1f)) | ((bytes[offset_byte + 12] & 0xff) << 5); + data[offset_data + 0] = (bytes[offset_byte + 0] & (0xff)) | + ((bytes[offset_byte + 1] & 0x1f) << 8); + data[offset_data + 1] = (bytes[offset_byte + 1] >> 5 & (0x07)) | + ((bytes[offset_byte + 2] & 0xff) << 3) | + ((bytes[offset_byte + 3] & 0x03) << 11); + data[offset_data + 2] = (bytes[offset_byte + 3] >> 2 & (0x3f)) | + ((bytes[offset_byte + 4] & 0x7f) << 6); + data[offset_data + 3] = (bytes[offset_byte + 4] >> 7 & (0x01)) | + ((bytes[offset_byte + 5] & 0xff) << 1) | + ((bytes[offset_byte + 6] & 0x0f) << 9); + data[offset_data + 4] = (bytes[offset_byte + 6] >> 4 & (0x0f)) | + ((bytes[offset_byte + 7] & 0xff) << 4) | + ((bytes[offset_byte + 8] & 0x01) << 12); + data[offset_data + 5] = (bytes[offset_byte + 8] >> 1 & (0x7f)) | + ((bytes[offset_byte + 9] & 0x3f) << 7); + data[offset_data + 6] = (bytes[offset_byte + 9] >> 6 & (0x03)) | + ((bytes[offset_byte + 10] & 0xff) << 2) | + ((bytes[offset_byte + 11] & 0x07) << 10); + data[offset_data + 7] = (bytes[offset_byte + 11] >> 3 & (0x1f)) | + ((bytes[offset_byte + 12] & 0xff) << 5); } - - } - void PQCLEAN_SABER_CLEAN_POLVEC2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus) { - if (modulus == 1024) { POLVECp2BS(bytes, data); } else if (modulus == 8192) { @@ -232,11 +246,9 @@ void PQCLEAN_SABER_CLEAN_POLVEC2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_ } void PQCLEAN_SABER_CLEAN_BS2POLVEC(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus) { - if (modulus == 1024) { BS2POLVECp(bytes, data); } else if (modulus == 8192) { BS2POLVECq(bytes, data); } - } From e543aea8ea1d71734c7c1caeac50edbf93f530c1 Mon Sep 17 00:00:00 2001 From: "Matthias J. Kannwischer" Date: Thu, 20 Jun 2019 11:09:49 +0200 Subject: [PATCH 16/20] add duplicate consistency checks for saber --- .../duplicate_consistency/firesaber_clean.yml | 31 +++++++++++++++++++ .../lightsaber_clean.yml | 31 +++++++++++++++++++ test/duplicate_consistency/saber_clean.yml | 31 +++++++++++++++++++ 3 files changed, 93 insertions(+) create mode 100644 test/duplicate_consistency/firesaber_clean.yml create mode 100644 test/duplicate_consistency/lightsaber_clean.yml create mode 100644 test/duplicate_consistency/saber_clean.yml diff --git a/test/duplicate_consistency/firesaber_clean.yml b/test/duplicate_consistency/firesaber_clean.yml new file mode 100644 index 00000000..60a1a153 --- /dev/null +++ b/test/duplicate_consistency/firesaber_clean.yml @@ -0,0 +1,31 @@ +consistency_checks: +- source: + scheme: lightsaber + implementation: clean + files: + - cbd.h + - kem.c + - pack_unpack.c + - pack_unpack.h + - poly.c + - poly.h + - poly_mul.c + - poly_mul.h + - SABER_indcpa.h + - verify.c + - verify.h +- source: + scheme: saber + implementation: clean + files: + - cbd.h + - kem.c + - pack_unpack.c + - pack_unpack.h + - poly.c + - poly.h + - poly_mul.c + - poly_mul.h + - SABER_indcpa.h + - verify.c + - verify.h diff --git a/test/duplicate_consistency/lightsaber_clean.yml b/test/duplicate_consistency/lightsaber_clean.yml new file mode 100644 index 00000000..a4d483be --- /dev/null +++ b/test/duplicate_consistency/lightsaber_clean.yml @@ -0,0 +1,31 @@ +consistency_checks: +- source: + scheme: saber + implementation: clean + files: + - cbd.h + - kem.c + - pack_unpack.c + - pack_unpack.h + - poly.c + - poly.h + - poly_mul.c + - poly_mul.h + - SABER_indcpa.h + - verify.c + - verify.h +- source: + scheme: firesaber + implementation: clean + files: + - cbd.h + - kem.c + - pack_unpack.c + - pack_unpack.h + - poly.c + - poly.h + - poly_mul.c + - poly_mul.h + - SABER_indcpa.h + - verify.c + - verify.h diff --git a/test/duplicate_consistency/saber_clean.yml b/test/duplicate_consistency/saber_clean.yml new file mode 100644 index 00000000..0e1b89dd --- /dev/null +++ b/test/duplicate_consistency/saber_clean.yml @@ -0,0 +1,31 @@ +consistency_checks: +- source: + scheme: lightsaber + implementation: clean + files: + - cbd.h + - kem.c + - pack_unpack.c + - pack_unpack.h + - poly.c + - poly.h + - poly_mul.c + - poly_mul.h + - SABER_indcpa.h + - verify.c + - verify.h +- source: + scheme: firesaber + implementation: clean + files: + - cbd.h + - kem.c + - pack_unpack.c + - pack_unpack.h + - poly.c + - poly.h + - poly_mul.c + - poly_mul.h + - SABER_indcpa.h + - verify.c + - verify.h From 931f4669371a1488f7737594032715e7f7167aec Mon Sep 17 00:00:00 2001 From: "Matthias J. Kannwischer" Date: Fri, 21 Jun 2019 15:05:59 +0200 Subject: [PATCH 17/20] switch to the polymul from the submission --- crypto_kem/firesaber/clean/poly_mul.c | 240 +++++++++++++++++++++++-- crypto_kem/firesaber/clean/poly_mul.h | 2 +- crypto_kem/lightsaber/clean/poly_mul.c | 240 +++++++++++++++++++++++-- crypto_kem/lightsaber/clean/poly_mul.h | 2 +- crypto_kem/saber/clean/poly_mul.c | 240 +++++++++++++++++++++++-- crypto_kem/saber/clean/poly_mul.h | 2 +- 6 files changed, 690 insertions(+), 36 deletions(-) diff --git a/crypto_kem/firesaber/clean/poly_mul.c b/crypto_kem/firesaber/clean/poly_mul.c index cc701fa8..bd5de334 100644 --- a/crypto_kem/firesaber/clean/poly_mul.c +++ b/crypto_kem/firesaber/clean/poly_mul.c @@ -1,22 +1,240 @@ #include "poly_mul.h" -#include "SABER_params.h" #include #include +#define SCHB_N 16 -void PQCLEAN_FIRESABER_CLEAN_pol_mul(const uint16_t *a, const uint16_t *b, uint16_t *res, uint16_t p, uint32_t n) { - // Polynomial multiplication using the schoolbook method, c[x] = a[x]*b[x] +#define N_RES (SABER_N << 1) +#define N_SB (SABER_N >> 2) +#define N_SB_RES (2*N_SB-1) - // normal multiplication - uint16_t c[2 * SABER_N] = {0}; - for (size_t i = 0; i < SABER_N; i++) { - for (size_t j = 0; j < SABER_N; j++) { - c[i + j] += a[i] * b[j]; +static void karatsuba_simple(const uint16_t *a_1, const uint16_t *b_1, uint16_t *result_final) { + uint16_t N = 64; + uint16_t d01[N / 2 - 1]; + uint16_t d0123[N / 2 - 1]; + uint16_t d23[N / 2 - 1]; + uint16_t result_d01[N - 1]; + + int32_t i, j; + + memset(result_d01, 0, (N - 1)*sizeof(uint16_t)); + memset(d01, 0, (N / 2 - 1)*sizeof(uint16_t)); + memset(d0123, 0, (N / 2 - 1)*sizeof(uint16_t)); + memset(d23, 0, (N / 2 - 1)*sizeof(uint16_t)); + memset(result_final, 0, (2 * N - 1)*sizeof(uint16_t)); + + uint16_t acc1, acc2, acc3, acc4, acc5, acc6, acc7, acc8, acc9, acc10; + + + for (i = 0; i < N / 4; i++) { + acc1 = a_1[i]; //a0 + acc2 = a_1[i + N / 4]; //a1 + acc3 = a_1[i + 2 * N / 4]; //a2 + acc4 = a_1[i + 3 * N / 4]; //a3 + for (j = 0; j < N / 4; j++) { + + acc5 = b_1[j]; //b0 + acc6 = b_1[j + N / 4]; //b1 + + result_final[i + j + 0 * N / 4] = result_final[i + j + 0 * N / 4] + acc1 * acc5; + result_final[i + j + 2 * N / 4] = result_final[i + j + 2 * N / 4] + acc2 * acc6; + + acc7 = acc5 + acc6; //b01 + acc8 = acc1 + acc2; //a01 + d01[i + j] = d01[i + j] + acc7 * acc8; + //-------------------------------------------------------- + + acc7 = b_1[j + 2 * N / 4]; //b2 + acc8 = b_1[j + 3 * N / 4]; //b3 + result_final[i + j + 4 * N / 4] = result_final[i + j + 4 * N / 4] + acc7 * acc3; + + result_final[i + j + 6 * N / 4] = result_final[i + j + 6 * N / 4] + acc8 * acc4; + + acc9 = acc3 + acc4; + acc10 = acc7 + acc8; + d23[i + j] = d23[i + j] + acc9 * acc10; + //-------------------------------------------------------- + + acc5 = acc5 + acc7; //b02 + acc7 = acc1 + acc3; //a02 + result_d01[i + j + 0 * N / 4] = result_d01[i + j + 0 * N / 4] + acc5 * acc7; + + acc6 = acc6 + acc8; //b13 + acc8 = acc2 + acc4; + result_d01[i + j + 2 * N / 4] = result_d01[i + j + 2 * N / 4] + acc6 * acc8; + + acc5 = acc5 + acc6; + acc7 = acc7 + acc8; + d0123[i + j] = d0123[i + j] + acc5 * acc7; } } - // reduction - for (size_t i = n; i < 2 * n; i++) { - res[i - n] = (c[i - n] - c[i]) & (p - 1); + // 2nd last stage + + for (i = 0; i < N / 2 - 1; i++) { + d0123[i] = d0123[i] - result_d01[i + 0 * N / 4] - result_d01[i + 2 * N / 4]; + d01[i] = d01[i] - result_final[i + 0 * N / 4] - result_final[i + 2 * N / 4]; + d23[i] = d23[i] - result_final[i + 4 * N / 4] - result_final[i + 6 * N / 4]; + } + + for (i = 0; i < N / 2 - 1; i++) { + result_d01[i + 1 * N / 4] = result_d01[i + 1 * N / 4] + d0123[i]; + result_final[i + 1 * N / 4] = result_final[i + 1 * N / 4] + d01[i]; + result_final[i + 5 * N / 4] = result_final[i + 5 * N / 4] + d23[i]; + } + + // Last stage + for (i = 0; i < N - 1; i++) { + result_d01[i] = result_d01[i] - result_final[i] - result_final[i + N]; + } + + for (i = 0; i < N - 1; i++) { + result_final[i + 1 * N / 2] = result_final[i + 1 * N / 2] + result_d01[i]; + } + +} + + + +static void toom_cook_4way (const uint16_t *a1, const uint16_t *b1, uint16_t *result) { + uint16_t inv3 = 43691, inv9 = 36409, inv15 = 61167; + + uint16_t aw1[N_SB], aw2[N_SB], aw3[N_SB], aw4[N_SB], aw5[N_SB], aw6[N_SB], aw7[N_SB]; + uint16_t bw1[N_SB], bw2[N_SB], bw3[N_SB], bw4[N_SB], bw5[N_SB], bw6[N_SB], bw7[N_SB]; + uint16_t w1[N_SB_RES] = {0}, w2[N_SB_RES] = {0}, w3[N_SB_RES] = {0}, w4[N_SB_RES] = {0}, + w5[N_SB_RES] = {0}, w6[N_SB_RES] = {0}, w7[N_SB_RES] = {0}; + uint16_t r0, r1, r2, r3, r4, r5, r6, r7; + uint16_t *A0, *A1, *A2, *A3, *B0, *B1, *B2, *B3; + A0 = (uint16_t *)a1; + A1 = (uint16_t *)&a1[N_SB]; + A2 = (uint16_t *)&a1[2 * N_SB]; + A3 = (uint16_t *)&a1[3 * N_SB]; + B0 = (uint16_t *)b1; + B1 = (uint16_t *)&b1[N_SB]; + B2 = (uint16_t *)&b1[2 * N_SB]; + B3 = (uint16_t *)&b1[3 * N_SB]; + + uint16_t *C; + C = result; + + int i, j; + + // EVALUATION + for (j = 0; j < N_SB; ++j) { + r0 = A0[j]; + r1 = A1[j]; + r2 = A2[j]; + r3 = A3[j]; + r4 = r0 + r2; + r5 = r1 + r3; + r6 = r4 + r5; + r7 = r4 - r5; + aw3[j] = r6; + aw4[j] = r7; + r4 = ((r0 << 2) + r2) << 1; + r5 = (r1 << 2) + r3; + r6 = r4 + r5; + r7 = r4 - r5; + aw5[j] = r6; + aw6[j] = r7; + r4 = (r3 << 3) + (r2 << 2) + (r1 << 1) + r0; + aw2[j] = r4; + aw7[j] = r0; + aw1[j] = r3; + } + for (j = 0; j < N_SB; ++j) { + r0 = B0[j]; + r1 = B1[j]; + r2 = B2[j]; + r3 = B3[j]; + r4 = r0 + r2; + r5 = r1 + r3; + r6 = r4 + r5; + r7 = r4 - r5; + bw3[j] = r6; + bw4[j] = r7; + r4 = ((r0 << 2) + r2) << 1; + r5 = (r1 << 2) + r3; + r6 = r4 + r5; + r7 = r4 - r5; + bw5[j] = r6; + bw6[j] = r7; + r4 = (r3 << 3) + (r2 << 2) + (r1 << 1) + r0; + bw2[j] = r4; + bw7[j] = r0; + bw1[j] = r3; + } + + // MULTIPLICATION + + karatsuba_simple(aw1, bw1, w1); + karatsuba_simple(aw2, bw2, w2); + karatsuba_simple(aw3, bw3, w3); + karatsuba_simple(aw4, bw4, w4); + karatsuba_simple(aw5, bw5, w5); + karatsuba_simple(aw6, bw6, w6); + karatsuba_simple(aw7, bw7, w7); + + // INTERPOLATION + for (i = 0; i < N_SB_RES; ++i) { + r0 = w1[i]; + r1 = w2[i]; + r2 = w3[i]; + r3 = w4[i]; + r4 = w5[i]; + r5 = w6[i]; + r6 = w7[i]; + + r1 = r1 + r4; + r5 = r5 - r4; + r3 = ((r3 - r2) >> 1); + r4 = r4 - r0; + r4 = r4 - (r6 << 6); + r4 = (r4 << 1) + r5; + r2 = r2 + r3; + r1 = r1 - (r2 << 6) - r2; + r2 = r2 - r6; + r2 = r2 - r0; + r1 = r1 + 45 * r2; + r4 = (((r4 - (r2 << 3)) * inv3) >> 3); + r5 = r5 + r1; + r1 = (((r1 + (r3 << 4)) * inv9) >> 1); + r3 = -(r3 + r1); + r5 = (((30 * r1 - r5) * inv15) >> 2); + r2 = r2 - r4; + r1 = r1 - r5; + + C[i] += r6; + C[i + 64] += r5; + C[i + 128] += r4; + C[i + 192] += r3; + C[i + 256] += r2; + C[i + 320] += r1; + C[i + 384] += r0; } } + +static inline int16_t reduce(int16_t a, int64_t p) { + return a & (p - 1); +} + +void PQCLEAN_FIRESABER_CLEAN_pol_mul(uint16_t *a, uint16_t *b, uint16_t *res, uint16_t p, uint32_t n) + +{ + uint32_t i; + // normal multiplication + uint16_t c[512]; + + for (i = 0; i < 512; i++) { + c[i] = 0; + } + + toom_cook_4way(a, b, c); + + // reduction + for (i = n; i < 2 * n; i++) { + res[i - n] = (c[i - n] - c[i]) & (p - 1); + } + + +} diff --git a/crypto_kem/firesaber/clean/poly_mul.h b/crypto_kem/firesaber/clean/poly_mul.h index e2530f06..4d960042 100644 --- a/crypto_kem/firesaber/clean/poly_mul.h +++ b/crypto_kem/firesaber/clean/poly_mul.h @@ -4,6 +4,6 @@ #include "SABER_params.h" #include -void PQCLEAN_FIRESABER_CLEAN_pol_mul(const uint16_t *a, const uint16_t *b, uint16_t *res, uint16_t p, uint32_t n); +void PQCLEAN_FIRESABER_CLEAN_pol_mul(uint16_t *a, uint16_t *b, uint16_t *res, uint16_t p, uint32_t n); #endif diff --git a/crypto_kem/lightsaber/clean/poly_mul.c b/crypto_kem/lightsaber/clean/poly_mul.c index ddc7c9a2..ab2ce4b7 100644 --- a/crypto_kem/lightsaber/clean/poly_mul.c +++ b/crypto_kem/lightsaber/clean/poly_mul.c @@ -1,22 +1,240 @@ #include "poly_mul.h" -#include "SABER_params.h" #include #include +#define SCHB_N 16 -void PQCLEAN_LIGHTSABER_CLEAN_pol_mul(const uint16_t *a, const uint16_t *b, uint16_t *res, uint16_t p, uint32_t n) { - // Polynomial multiplication using the schoolbook method, c[x] = a[x]*b[x] +#define N_RES (SABER_N << 1) +#define N_SB (SABER_N >> 2) +#define N_SB_RES (2*N_SB-1) - // normal multiplication - uint16_t c[2 * SABER_N] = {0}; - for (size_t i = 0; i < SABER_N; i++) { - for (size_t j = 0; j < SABER_N; j++) { - c[i + j] += a[i] * b[j]; +static void karatsuba_simple(const uint16_t *a_1, const uint16_t *b_1, uint16_t *result_final) { + uint16_t N = 64; + uint16_t d01[N / 2 - 1]; + uint16_t d0123[N / 2 - 1]; + uint16_t d23[N / 2 - 1]; + uint16_t result_d01[N - 1]; + + int32_t i, j; + + memset(result_d01, 0, (N - 1)*sizeof(uint16_t)); + memset(d01, 0, (N / 2 - 1)*sizeof(uint16_t)); + memset(d0123, 0, (N / 2 - 1)*sizeof(uint16_t)); + memset(d23, 0, (N / 2 - 1)*sizeof(uint16_t)); + memset(result_final, 0, (2 * N - 1)*sizeof(uint16_t)); + + uint16_t acc1, acc2, acc3, acc4, acc5, acc6, acc7, acc8, acc9, acc10; + + + for (i = 0; i < N / 4; i++) { + acc1 = a_1[i]; //a0 + acc2 = a_1[i + N / 4]; //a1 + acc3 = a_1[i + 2 * N / 4]; //a2 + acc4 = a_1[i + 3 * N / 4]; //a3 + for (j = 0; j < N / 4; j++) { + + acc5 = b_1[j]; //b0 + acc6 = b_1[j + N / 4]; //b1 + + result_final[i + j + 0 * N / 4] = result_final[i + j + 0 * N / 4] + acc1 * acc5; + result_final[i + j + 2 * N / 4] = result_final[i + j + 2 * N / 4] + acc2 * acc6; + + acc7 = acc5 + acc6; //b01 + acc8 = acc1 + acc2; //a01 + d01[i + j] = d01[i + j] + acc7 * acc8; + //-------------------------------------------------------- + + acc7 = b_1[j + 2 * N / 4]; //b2 + acc8 = b_1[j + 3 * N / 4]; //b3 + result_final[i + j + 4 * N / 4] = result_final[i + j + 4 * N / 4] + acc7 * acc3; + + result_final[i + j + 6 * N / 4] = result_final[i + j + 6 * N / 4] + acc8 * acc4; + + acc9 = acc3 + acc4; + acc10 = acc7 + acc8; + d23[i + j] = d23[i + j] + acc9 * acc10; + //-------------------------------------------------------- + + acc5 = acc5 + acc7; //b02 + acc7 = acc1 + acc3; //a02 + result_d01[i + j + 0 * N / 4] = result_d01[i + j + 0 * N / 4] + acc5 * acc7; + + acc6 = acc6 + acc8; //b13 + acc8 = acc2 + acc4; + result_d01[i + j + 2 * N / 4] = result_d01[i + j + 2 * N / 4] + acc6 * acc8; + + acc5 = acc5 + acc6; + acc7 = acc7 + acc8; + d0123[i + j] = d0123[i + j] + acc5 * acc7; } } - // reduction - for (size_t i = n; i < 2 * n; i++) { - res[i - n] = (c[i - n] - c[i]) & (p - 1); + // 2nd last stage + + for (i = 0; i < N / 2 - 1; i++) { + d0123[i] = d0123[i] - result_d01[i + 0 * N / 4] - result_d01[i + 2 * N / 4]; + d01[i] = d01[i] - result_final[i + 0 * N / 4] - result_final[i + 2 * N / 4]; + d23[i] = d23[i] - result_final[i + 4 * N / 4] - result_final[i + 6 * N / 4]; + } + + for (i = 0; i < N / 2 - 1; i++) { + result_d01[i + 1 * N / 4] = result_d01[i + 1 * N / 4] + d0123[i]; + result_final[i + 1 * N / 4] = result_final[i + 1 * N / 4] + d01[i]; + result_final[i + 5 * N / 4] = result_final[i + 5 * N / 4] + d23[i]; + } + + // Last stage + for (i = 0; i < N - 1; i++) { + result_d01[i] = result_d01[i] - result_final[i] - result_final[i + N]; + } + + for (i = 0; i < N - 1; i++) { + result_final[i + 1 * N / 2] = result_final[i + 1 * N / 2] + result_d01[i]; + } + +} + + + +static void toom_cook_4way (const uint16_t *a1, const uint16_t *b1, uint16_t *result) { + uint16_t inv3 = 43691, inv9 = 36409, inv15 = 61167; + + uint16_t aw1[N_SB], aw2[N_SB], aw3[N_SB], aw4[N_SB], aw5[N_SB], aw6[N_SB], aw7[N_SB]; + uint16_t bw1[N_SB], bw2[N_SB], bw3[N_SB], bw4[N_SB], bw5[N_SB], bw6[N_SB], bw7[N_SB]; + uint16_t w1[N_SB_RES] = {0}, w2[N_SB_RES] = {0}, w3[N_SB_RES] = {0}, w4[N_SB_RES] = {0}, + w5[N_SB_RES] = {0}, w6[N_SB_RES] = {0}, w7[N_SB_RES] = {0}; + uint16_t r0, r1, r2, r3, r4, r5, r6, r7; + uint16_t *A0, *A1, *A2, *A3, *B0, *B1, *B2, *B3; + A0 = (uint16_t *)a1; + A1 = (uint16_t *)&a1[N_SB]; + A2 = (uint16_t *)&a1[2 * N_SB]; + A3 = (uint16_t *)&a1[3 * N_SB]; + B0 = (uint16_t *)b1; + B1 = (uint16_t *)&b1[N_SB]; + B2 = (uint16_t *)&b1[2 * N_SB]; + B3 = (uint16_t *)&b1[3 * N_SB]; + + uint16_t *C; + C = result; + + int i, j; + + // EVALUATION + for (j = 0; j < N_SB; ++j) { + r0 = A0[j]; + r1 = A1[j]; + r2 = A2[j]; + r3 = A3[j]; + r4 = r0 + r2; + r5 = r1 + r3; + r6 = r4 + r5; + r7 = r4 - r5; + aw3[j] = r6; + aw4[j] = r7; + r4 = ((r0 << 2) + r2) << 1; + r5 = (r1 << 2) + r3; + r6 = r4 + r5; + r7 = r4 - r5; + aw5[j] = r6; + aw6[j] = r7; + r4 = (r3 << 3) + (r2 << 2) + (r1 << 1) + r0; + aw2[j] = r4; + aw7[j] = r0; + aw1[j] = r3; + } + for (j = 0; j < N_SB; ++j) { + r0 = B0[j]; + r1 = B1[j]; + r2 = B2[j]; + r3 = B3[j]; + r4 = r0 + r2; + r5 = r1 + r3; + r6 = r4 + r5; + r7 = r4 - r5; + bw3[j] = r6; + bw4[j] = r7; + r4 = ((r0 << 2) + r2) << 1; + r5 = (r1 << 2) + r3; + r6 = r4 + r5; + r7 = r4 - r5; + bw5[j] = r6; + bw6[j] = r7; + r4 = (r3 << 3) + (r2 << 2) + (r1 << 1) + r0; + bw2[j] = r4; + bw7[j] = r0; + bw1[j] = r3; + } + + // MULTIPLICATION + + karatsuba_simple(aw1, bw1, w1); + karatsuba_simple(aw2, bw2, w2); + karatsuba_simple(aw3, bw3, w3); + karatsuba_simple(aw4, bw4, w4); + karatsuba_simple(aw5, bw5, w5); + karatsuba_simple(aw6, bw6, w6); + karatsuba_simple(aw7, bw7, w7); + + // INTERPOLATION + for (i = 0; i < N_SB_RES; ++i) { + r0 = w1[i]; + r1 = w2[i]; + r2 = w3[i]; + r3 = w4[i]; + r4 = w5[i]; + r5 = w6[i]; + r6 = w7[i]; + + r1 = r1 + r4; + r5 = r5 - r4; + r3 = ((r3 - r2) >> 1); + r4 = r4 - r0; + r4 = r4 - (r6 << 6); + r4 = (r4 << 1) + r5; + r2 = r2 + r3; + r1 = r1 - (r2 << 6) - r2; + r2 = r2 - r6; + r2 = r2 - r0; + r1 = r1 + 45 * r2; + r4 = (((r4 - (r2 << 3)) * inv3) >> 3); + r5 = r5 + r1; + r1 = (((r1 + (r3 << 4)) * inv9) >> 1); + r3 = -(r3 + r1); + r5 = (((30 * r1 - r5) * inv15) >> 2); + r2 = r2 - r4; + r1 = r1 - r5; + + C[i] += r6; + C[i + 64] += r5; + C[i + 128] += r4; + C[i + 192] += r3; + C[i + 256] += r2; + C[i + 320] += r1; + C[i + 384] += r0; } } + +static inline int16_t reduce(int16_t a, int64_t p) { + return a & (p - 1); +} + +void PQCLEAN_LIGHTSABER_CLEAN_pol_mul(uint16_t *a, uint16_t *b, uint16_t *res, uint16_t p, uint32_t n) + +{ + uint32_t i; + // normal multiplication + uint16_t c[512]; + + for (i = 0; i < 512; i++) { + c[i] = 0; + } + + toom_cook_4way(a, b, c); + + // reduction + for (i = n; i < 2 * n; i++) { + res[i - n] = (c[i - n] - c[i]) & (p - 1); + } + + +} diff --git a/crypto_kem/lightsaber/clean/poly_mul.h b/crypto_kem/lightsaber/clean/poly_mul.h index adc877aa..8d634584 100644 --- a/crypto_kem/lightsaber/clean/poly_mul.h +++ b/crypto_kem/lightsaber/clean/poly_mul.h @@ -4,6 +4,6 @@ #include "SABER_params.h" #include -void PQCLEAN_LIGHTSABER_CLEAN_pol_mul(const uint16_t *a, const uint16_t *b, uint16_t *res, uint16_t p, uint32_t n); +void PQCLEAN_LIGHTSABER_CLEAN_pol_mul(uint16_t *a, uint16_t *b, uint16_t *res, uint16_t p, uint32_t n); #endif diff --git a/crypto_kem/saber/clean/poly_mul.c b/crypto_kem/saber/clean/poly_mul.c index 36bb956b..5c579475 100644 --- a/crypto_kem/saber/clean/poly_mul.c +++ b/crypto_kem/saber/clean/poly_mul.c @@ -1,22 +1,240 @@ #include "poly_mul.h" -#include "SABER_params.h" #include #include +#define SCHB_N 16 -void PQCLEAN_SABER_CLEAN_pol_mul(const uint16_t *a, const uint16_t *b, uint16_t *res, uint16_t p, uint32_t n) { - // Polynomial multiplication using the schoolbook method, c[x] = a[x]*b[x] +#define N_RES (SABER_N << 1) +#define N_SB (SABER_N >> 2) +#define N_SB_RES (2*N_SB-1) - // normal multiplication - uint16_t c[2 * SABER_N] = {0}; - for (size_t i = 0; i < SABER_N; i++) { - for (size_t j = 0; j < SABER_N; j++) { - c[i + j] += a[i] * b[j]; +static void karatsuba_simple(const uint16_t *a_1, const uint16_t *b_1, uint16_t *result_final) { + uint16_t N = 64; + uint16_t d01[N / 2 - 1]; + uint16_t d0123[N / 2 - 1]; + uint16_t d23[N / 2 - 1]; + uint16_t result_d01[N - 1]; + + int32_t i, j; + + memset(result_d01, 0, (N - 1)*sizeof(uint16_t)); + memset(d01, 0, (N / 2 - 1)*sizeof(uint16_t)); + memset(d0123, 0, (N / 2 - 1)*sizeof(uint16_t)); + memset(d23, 0, (N / 2 - 1)*sizeof(uint16_t)); + memset(result_final, 0, (2 * N - 1)*sizeof(uint16_t)); + + uint16_t acc1, acc2, acc3, acc4, acc5, acc6, acc7, acc8, acc9, acc10; + + + for (i = 0; i < N / 4; i++) { + acc1 = a_1[i]; //a0 + acc2 = a_1[i + N / 4]; //a1 + acc3 = a_1[i + 2 * N / 4]; //a2 + acc4 = a_1[i + 3 * N / 4]; //a3 + for (j = 0; j < N / 4; j++) { + + acc5 = b_1[j]; //b0 + acc6 = b_1[j + N / 4]; //b1 + + result_final[i + j + 0 * N / 4] = result_final[i + j + 0 * N / 4] + acc1 * acc5; + result_final[i + j + 2 * N / 4] = result_final[i + j + 2 * N / 4] + acc2 * acc6; + + acc7 = acc5 + acc6; //b01 + acc8 = acc1 + acc2; //a01 + d01[i + j] = d01[i + j] + acc7 * acc8; + //-------------------------------------------------------- + + acc7 = b_1[j + 2 * N / 4]; //b2 + acc8 = b_1[j + 3 * N / 4]; //b3 + result_final[i + j + 4 * N / 4] = result_final[i + j + 4 * N / 4] + acc7 * acc3; + + result_final[i + j + 6 * N / 4] = result_final[i + j + 6 * N / 4] + acc8 * acc4; + + acc9 = acc3 + acc4; + acc10 = acc7 + acc8; + d23[i + j] = d23[i + j] + acc9 * acc10; + //-------------------------------------------------------- + + acc5 = acc5 + acc7; //b02 + acc7 = acc1 + acc3; //a02 + result_d01[i + j + 0 * N / 4] = result_d01[i + j + 0 * N / 4] + acc5 * acc7; + + acc6 = acc6 + acc8; //b13 + acc8 = acc2 + acc4; + result_d01[i + j + 2 * N / 4] = result_d01[i + j + 2 * N / 4] + acc6 * acc8; + + acc5 = acc5 + acc6; + acc7 = acc7 + acc8; + d0123[i + j] = d0123[i + j] + acc5 * acc7; } } - // reduction - for (size_t i = n; i < 2 * n; i++) { - res[i - n] = (c[i - n] - c[i]) & (p - 1); + // 2nd last stage + + for (i = 0; i < N / 2 - 1; i++) { + d0123[i] = d0123[i] - result_d01[i + 0 * N / 4] - result_d01[i + 2 * N / 4]; + d01[i] = d01[i] - result_final[i + 0 * N / 4] - result_final[i + 2 * N / 4]; + d23[i] = d23[i] - result_final[i + 4 * N / 4] - result_final[i + 6 * N / 4]; + } + + for (i = 0; i < N / 2 - 1; i++) { + result_d01[i + 1 * N / 4] = result_d01[i + 1 * N / 4] + d0123[i]; + result_final[i + 1 * N / 4] = result_final[i + 1 * N / 4] + d01[i]; + result_final[i + 5 * N / 4] = result_final[i + 5 * N / 4] + d23[i]; + } + + // Last stage + for (i = 0; i < N - 1; i++) { + result_d01[i] = result_d01[i] - result_final[i] - result_final[i + N]; + } + + for (i = 0; i < N - 1; i++) { + result_final[i + 1 * N / 2] = result_final[i + 1 * N / 2] + result_d01[i]; + } + +} + + + +static void toom_cook_4way (const uint16_t *a1, const uint16_t *b1, uint16_t *result) { + uint16_t inv3 = 43691, inv9 = 36409, inv15 = 61167; + + uint16_t aw1[N_SB], aw2[N_SB], aw3[N_SB], aw4[N_SB], aw5[N_SB], aw6[N_SB], aw7[N_SB]; + uint16_t bw1[N_SB], bw2[N_SB], bw3[N_SB], bw4[N_SB], bw5[N_SB], bw6[N_SB], bw7[N_SB]; + uint16_t w1[N_SB_RES] = {0}, w2[N_SB_RES] = {0}, w3[N_SB_RES] = {0}, w4[N_SB_RES] = {0}, + w5[N_SB_RES] = {0}, w6[N_SB_RES] = {0}, w7[N_SB_RES] = {0}; + uint16_t r0, r1, r2, r3, r4, r5, r6, r7; + uint16_t *A0, *A1, *A2, *A3, *B0, *B1, *B2, *B3; + A0 = (uint16_t *)a1; + A1 = (uint16_t *)&a1[N_SB]; + A2 = (uint16_t *)&a1[2 * N_SB]; + A3 = (uint16_t *)&a1[3 * N_SB]; + B0 = (uint16_t *)b1; + B1 = (uint16_t *)&b1[N_SB]; + B2 = (uint16_t *)&b1[2 * N_SB]; + B3 = (uint16_t *)&b1[3 * N_SB]; + + uint16_t *C; + C = result; + + int i, j; + + // EVALUATION + for (j = 0; j < N_SB; ++j) { + r0 = A0[j]; + r1 = A1[j]; + r2 = A2[j]; + r3 = A3[j]; + r4 = r0 + r2; + r5 = r1 + r3; + r6 = r4 + r5; + r7 = r4 - r5; + aw3[j] = r6; + aw4[j] = r7; + r4 = ((r0 << 2) + r2) << 1; + r5 = (r1 << 2) + r3; + r6 = r4 + r5; + r7 = r4 - r5; + aw5[j] = r6; + aw6[j] = r7; + r4 = (r3 << 3) + (r2 << 2) + (r1 << 1) + r0; + aw2[j] = r4; + aw7[j] = r0; + aw1[j] = r3; + } + for (j = 0; j < N_SB; ++j) { + r0 = B0[j]; + r1 = B1[j]; + r2 = B2[j]; + r3 = B3[j]; + r4 = r0 + r2; + r5 = r1 + r3; + r6 = r4 + r5; + r7 = r4 - r5; + bw3[j] = r6; + bw4[j] = r7; + r4 = ((r0 << 2) + r2) << 1; + r5 = (r1 << 2) + r3; + r6 = r4 + r5; + r7 = r4 - r5; + bw5[j] = r6; + bw6[j] = r7; + r4 = (r3 << 3) + (r2 << 2) + (r1 << 1) + r0; + bw2[j] = r4; + bw7[j] = r0; + bw1[j] = r3; + } + + // MULTIPLICATION + + karatsuba_simple(aw1, bw1, w1); + karatsuba_simple(aw2, bw2, w2); + karatsuba_simple(aw3, bw3, w3); + karatsuba_simple(aw4, bw4, w4); + karatsuba_simple(aw5, bw5, w5); + karatsuba_simple(aw6, bw6, w6); + karatsuba_simple(aw7, bw7, w7); + + // INTERPOLATION + for (i = 0; i < N_SB_RES; ++i) { + r0 = w1[i]; + r1 = w2[i]; + r2 = w3[i]; + r3 = w4[i]; + r4 = w5[i]; + r5 = w6[i]; + r6 = w7[i]; + + r1 = r1 + r4; + r5 = r5 - r4; + r3 = ((r3 - r2) >> 1); + r4 = r4 - r0; + r4 = r4 - (r6 << 6); + r4 = (r4 << 1) + r5; + r2 = r2 + r3; + r1 = r1 - (r2 << 6) - r2; + r2 = r2 - r6; + r2 = r2 - r0; + r1 = r1 + 45 * r2; + r4 = (((r4 - (r2 << 3)) * inv3) >> 3); + r5 = r5 + r1; + r1 = (((r1 + (r3 << 4)) * inv9) >> 1); + r3 = -(r3 + r1); + r5 = (((30 * r1 - r5) * inv15) >> 2); + r2 = r2 - r4; + r1 = r1 - r5; + + C[i] += r6; + C[i + 64] += r5; + C[i + 128] += r4; + C[i + 192] += r3; + C[i + 256] += r2; + C[i + 320] += r1; + C[i + 384] += r0; } } + +static inline int16_t reduce(int16_t a, int64_t p) { + return a & (p - 1); +} + +void PQCLEAN_SABER_CLEAN_pol_mul(uint16_t *a, uint16_t *b, uint16_t *res, uint16_t p, uint32_t n) + +{ + uint32_t i; + // normal multiplication + uint16_t c[512]; + + for (i = 0; i < 512; i++) { + c[i] = 0; + } + + toom_cook_4way(a, b, c); + + // reduction + for (i = n; i < 2 * n; i++) { + res[i - n] = (c[i - n] - c[i]) & (p - 1); + } + + +} diff --git a/crypto_kem/saber/clean/poly_mul.h b/crypto_kem/saber/clean/poly_mul.h index 5e36755f..f813be10 100644 --- a/crypto_kem/saber/clean/poly_mul.h +++ b/crypto_kem/saber/clean/poly_mul.h @@ -4,6 +4,6 @@ #include "SABER_params.h" #include -void PQCLEAN_SABER_CLEAN_pol_mul(const uint16_t *a, const uint16_t *b, uint16_t *res, uint16_t p, uint32_t n); +void PQCLEAN_SABER_CLEAN_pol_mul(uint16_t *a, uint16_t *b, uint16_t *res, uint16_t p, uint32_t n); #endif From 515b04d87b7cbf652c0d482d4f85e4c09ea96292 Mon Sep 17 00:00:00 2001 From: "Matthias J. Kannwischer" Date: Fri, 21 Jun 2019 16:01:16 +0200 Subject: [PATCH 18/20] fix warnings --- crypto_kem/firesaber/clean/poly_mul.c | 77 +++++++++++++------------- crypto_kem/lightsaber/clean/poly_mul.c | 77 +++++++++++++------------- crypto_kem/saber/clean/poly_mul.c | 77 +++++++++++++------------- 3 files changed, 111 insertions(+), 120 deletions(-) diff --git a/crypto_kem/firesaber/clean/poly_mul.c b/crypto_kem/firesaber/clean/poly_mul.c index bd5de334..c71d917c 100644 --- a/crypto_kem/firesaber/clean/poly_mul.c +++ b/crypto_kem/firesaber/clean/poly_mul.c @@ -8,47 +8,48 @@ #define N_SB (SABER_N >> 2) #define N_SB_RES (2*N_SB-1) + +#define KARATSUBA_N 64 static void karatsuba_simple(const uint16_t *a_1, const uint16_t *b_1, uint16_t *result_final) { - uint16_t N = 64; - uint16_t d01[N / 2 - 1]; - uint16_t d0123[N / 2 - 1]; - uint16_t d23[N / 2 - 1]; - uint16_t result_d01[N - 1]; + uint16_t d01[KARATSUBA_N / 2 - 1]; + uint16_t d0123[KARATSUBA_N / 2 - 1]; + uint16_t d23[KARATSUBA_N / 2 - 1]; + uint16_t result_d01[KARATSUBA_N - 1]; int32_t i, j; - memset(result_d01, 0, (N - 1)*sizeof(uint16_t)); - memset(d01, 0, (N / 2 - 1)*sizeof(uint16_t)); - memset(d0123, 0, (N / 2 - 1)*sizeof(uint16_t)); - memset(d23, 0, (N / 2 - 1)*sizeof(uint16_t)); - memset(result_final, 0, (2 * N - 1)*sizeof(uint16_t)); + memset(result_d01, 0, (KARATSUBA_N - 1)*sizeof(uint16_t)); + memset(d01, 0, (KARATSUBA_N / 2 - 1)*sizeof(uint16_t)); + memset(d0123, 0, (KARATSUBA_N / 2 - 1)*sizeof(uint16_t)); + memset(d23, 0, (KARATSUBA_N / 2 - 1)*sizeof(uint16_t)); + memset(result_final, 0, (2 * KARATSUBA_N - 1)*sizeof(uint16_t)); uint16_t acc1, acc2, acc3, acc4, acc5, acc6, acc7, acc8, acc9, acc10; - for (i = 0; i < N / 4; i++) { + for (i = 0; i < KARATSUBA_N / 4; i++) { acc1 = a_1[i]; //a0 - acc2 = a_1[i + N / 4]; //a1 - acc3 = a_1[i + 2 * N / 4]; //a2 - acc4 = a_1[i + 3 * N / 4]; //a3 - for (j = 0; j < N / 4; j++) { + acc2 = a_1[i + KARATSUBA_N / 4]; //a1 + acc3 = a_1[i + 2 * KARATSUBA_N / 4]; //a2 + acc4 = a_1[i + 3 * KARATSUBA_N / 4]; //a3 + for (j = 0; j < KARATSUBA_N / 4; j++) { acc5 = b_1[j]; //b0 - acc6 = b_1[j + N / 4]; //b1 + acc6 = b_1[j + KARATSUBA_N / 4]; //b1 - result_final[i + j + 0 * N / 4] = result_final[i + j + 0 * N / 4] + acc1 * acc5; - result_final[i + j + 2 * N / 4] = result_final[i + j + 2 * N / 4] + acc2 * acc6; + result_final[i + j + 0 * KARATSUBA_N / 4] = result_final[i + j + 0 * KARATSUBA_N / 4] + acc1 * acc5; + result_final[i + j + 2 * KARATSUBA_N / 4] = result_final[i + j + 2 * KARATSUBA_N / 4] + acc2 * acc6; acc7 = acc5 + acc6; //b01 acc8 = acc1 + acc2; //a01 d01[i + j] = d01[i + j] + acc7 * acc8; //-------------------------------------------------------- - acc7 = b_1[j + 2 * N / 4]; //b2 - acc8 = b_1[j + 3 * N / 4]; //b3 - result_final[i + j + 4 * N / 4] = result_final[i + j + 4 * N / 4] + acc7 * acc3; + acc7 = b_1[j + 2 * KARATSUBA_N / 4]; //b2 + acc8 = b_1[j + 3 * KARATSUBA_N / 4]; //b3 + result_final[i + j + 4 * KARATSUBA_N / 4] = result_final[i + j + 4 * KARATSUBA_N / 4] + acc7 * acc3; - result_final[i + j + 6 * N / 4] = result_final[i + j + 6 * N / 4] + acc8 * acc4; + result_final[i + j + 6 * KARATSUBA_N / 4] = result_final[i + j + 6 * KARATSUBA_N / 4] + acc8 * acc4; acc9 = acc3 + acc4; acc10 = acc7 + acc8; @@ -57,11 +58,11 @@ static void karatsuba_simple(const uint16_t *a_1, const uint16_t *b_1, uint16_t acc5 = acc5 + acc7; //b02 acc7 = acc1 + acc3; //a02 - result_d01[i + j + 0 * N / 4] = result_d01[i + j + 0 * N / 4] + acc5 * acc7; + result_d01[i + j + 0 * KARATSUBA_N / 4] = result_d01[i + j + 0 * KARATSUBA_N / 4] + acc5 * acc7; acc6 = acc6 + acc8; //b13 acc8 = acc2 + acc4; - result_d01[i + j + 2 * N / 4] = result_d01[i + j + 2 * N / 4] + acc6 * acc8; + result_d01[i + j + 2 * KARATSUBA_N / 4] = result_d01[i + j + 2 * KARATSUBA_N / 4] + acc6 * acc8; acc5 = acc5 + acc6; acc7 = acc7 + acc8; @@ -71,25 +72,25 @@ static void karatsuba_simple(const uint16_t *a_1, const uint16_t *b_1, uint16_t // 2nd last stage - for (i = 0; i < N / 2 - 1; i++) { - d0123[i] = d0123[i] - result_d01[i + 0 * N / 4] - result_d01[i + 2 * N / 4]; - d01[i] = d01[i] - result_final[i + 0 * N / 4] - result_final[i + 2 * N / 4]; - d23[i] = d23[i] - result_final[i + 4 * N / 4] - result_final[i + 6 * N / 4]; + for (i = 0; i < KARATSUBA_N / 2 - 1; i++) { + d0123[i] = d0123[i] - result_d01[i + 0 * KARATSUBA_N / 4] - result_d01[i + 2 * KARATSUBA_N / 4]; + d01[i] = d01[i] - result_final[i + 0 * KARATSUBA_N / 4] - result_final[i + 2 * KARATSUBA_N / 4]; + d23[i] = d23[i] - result_final[i + 4 * KARATSUBA_N / 4] - result_final[i + 6 * KARATSUBA_N / 4]; } - for (i = 0; i < N / 2 - 1; i++) { - result_d01[i + 1 * N / 4] = result_d01[i + 1 * N / 4] + d0123[i]; - result_final[i + 1 * N / 4] = result_final[i + 1 * N / 4] + d01[i]; - result_final[i + 5 * N / 4] = result_final[i + 5 * N / 4] + d23[i]; + for (i = 0; i < KARATSUBA_N / 2 - 1; i++) { + result_d01[i + 1 * KARATSUBA_N / 4] = result_d01[i + 1 * KARATSUBA_N / 4] + d0123[i]; + result_final[i + 1 * KARATSUBA_N / 4] = result_final[i + 1 * KARATSUBA_N / 4] + d01[i]; + result_final[i + 5 * KARATSUBA_N / 4] = result_final[i + 5 * KARATSUBA_N / 4] + d23[i]; } // Last stage - for (i = 0; i < N - 1; i++) { - result_d01[i] = result_d01[i] - result_final[i] - result_final[i + N]; + for (i = 0; i < KARATSUBA_N - 1; i++) { + result_d01[i] = result_d01[i] - result_final[i] - result_final[i + KARATSUBA_N]; } - for (i = 0; i < N - 1; i++) { - result_final[i + 1 * N / 2] = result_final[i + 1 * N / 2] + result_d01[i]; + for (i = 0; i < KARATSUBA_N - 1; i++) { + result_final[i + 1 * KARATSUBA_N / 2] = result_final[i + 1 * KARATSUBA_N / 2] + result_d01[i]; } } @@ -214,10 +215,6 @@ static void toom_cook_4way (const uint16_t *a1, const uint16_t *b1, uint16_t *re } } -static inline int16_t reduce(int16_t a, int64_t p) { - return a & (p - 1); -} - void PQCLEAN_FIRESABER_CLEAN_pol_mul(uint16_t *a, uint16_t *b, uint16_t *res, uint16_t p, uint32_t n) { diff --git a/crypto_kem/lightsaber/clean/poly_mul.c b/crypto_kem/lightsaber/clean/poly_mul.c index ab2ce4b7..5b029a78 100644 --- a/crypto_kem/lightsaber/clean/poly_mul.c +++ b/crypto_kem/lightsaber/clean/poly_mul.c @@ -8,47 +8,48 @@ #define N_SB (SABER_N >> 2) #define N_SB_RES (2*N_SB-1) + +#define KARATSUBA_N 64 static void karatsuba_simple(const uint16_t *a_1, const uint16_t *b_1, uint16_t *result_final) { - uint16_t N = 64; - uint16_t d01[N / 2 - 1]; - uint16_t d0123[N / 2 - 1]; - uint16_t d23[N / 2 - 1]; - uint16_t result_d01[N - 1]; + uint16_t d01[KARATSUBA_N / 2 - 1]; + uint16_t d0123[KARATSUBA_N / 2 - 1]; + uint16_t d23[KARATSUBA_N / 2 - 1]; + uint16_t result_d01[KARATSUBA_N - 1]; int32_t i, j; - memset(result_d01, 0, (N - 1)*sizeof(uint16_t)); - memset(d01, 0, (N / 2 - 1)*sizeof(uint16_t)); - memset(d0123, 0, (N / 2 - 1)*sizeof(uint16_t)); - memset(d23, 0, (N / 2 - 1)*sizeof(uint16_t)); - memset(result_final, 0, (2 * N - 1)*sizeof(uint16_t)); + memset(result_d01, 0, (KARATSUBA_N - 1)*sizeof(uint16_t)); + memset(d01, 0, (KARATSUBA_N / 2 - 1)*sizeof(uint16_t)); + memset(d0123, 0, (KARATSUBA_N / 2 - 1)*sizeof(uint16_t)); + memset(d23, 0, (KARATSUBA_N / 2 - 1)*sizeof(uint16_t)); + memset(result_final, 0, (2 * KARATSUBA_N - 1)*sizeof(uint16_t)); uint16_t acc1, acc2, acc3, acc4, acc5, acc6, acc7, acc8, acc9, acc10; - for (i = 0; i < N / 4; i++) { + for (i = 0; i < KARATSUBA_N / 4; i++) { acc1 = a_1[i]; //a0 - acc2 = a_1[i + N / 4]; //a1 - acc3 = a_1[i + 2 * N / 4]; //a2 - acc4 = a_1[i + 3 * N / 4]; //a3 - for (j = 0; j < N / 4; j++) { + acc2 = a_1[i + KARATSUBA_N / 4]; //a1 + acc3 = a_1[i + 2 * KARATSUBA_N / 4]; //a2 + acc4 = a_1[i + 3 * KARATSUBA_N / 4]; //a3 + for (j = 0; j < KARATSUBA_N / 4; j++) { acc5 = b_1[j]; //b0 - acc6 = b_1[j + N / 4]; //b1 + acc6 = b_1[j + KARATSUBA_N / 4]; //b1 - result_final[i + j + 0 * N / 4] = result_final[i + j + 0 * N / 4] + acc1 * acc5; - result_final[i + j + 2 * N / 4] = result_final[i + j + 2 * N / 4] + acc2 * acc6; + result_final[i + j + 0 * KARATSUBA_N / 4] = result_final[i + j + 0 * KARATSUBA_N / 4] + acc1 * acc5; + result_final[i + j + 2 * KARATSUBA_N / 4] = result_final[i + j + 2 * KARATSUBA_N / 4] + acc2 * acc6; acc7 = acc5 + acc6; //b01 acc8 = acc1 + acc2; //a01 d01[i + j] = d01[i + j] + acc7 * acc8; //-------------------------------------------------------- - acc7 = b_1[j + 2 * N / 4]; //b2 - acc8 = b_1[j + 3 * N / 4]; //b3 - result_final[i + j + 4 * N / 4] = result_final[i + j + 4 * N / 4] + acc7 * acc3; + acc7 = b_1[j + 2 * KARATSUBA_N / 4]; //b2 + acc8 = b_1[j + 3 * KARATSUBA_N / 4]; //b3 + result_final[i + j + 4 * KARATSUBA_N / 4] = result_final[i + j + 4 * KARATSUBA_N / 4] + acc7 * acc3; - result_final[i + j + 6 * N / 4] = result_final[i + j + 6 * N / 4] + acc8 * acc4; + result_final[i + j + 6 * KARATSUBA_N / 4] = result_final[i + j + 6 * KARATSUBA_N / 4] + acc8 * acc4; acc9 = acc3 + acc4; acc10 = acc7 + acc8; @@ -57,11 +58,11 @@ static void karatsuba_simple(const uint16_t *a_1, const uint16_t *b_1, uint16_t acc5 = acc5 + acc7; //b02 acc7 = acc1 + acc3; //a02 - result_d01[i + j + 0 * N / 4] = result_d01[i + j + 0 * N / 4] + acc5 * acc7; + result_d01[i + j + 0 * KARATSUBA_N / 4] = result_d01[i + j + 0 * KARATSUBA_N / 4] + acc5 * acc7; acc6 = acc6 + acc8; //b13 acc8 = acc2 + acc4; - result_d01[i + j + 2 * N / 4] = result_d01[i + j + 2 * N / 4] + acc6 * acc8; + result_d01[i + j + 2 * KARATSUBA_N / 4] = result_d01[i + j + 2 * KARATSUBA_N / 4] + acc6 * acc8; acc5 = acc5 + acc6; acc7 = acc7 + acc8; @@ -71,25 +72,25 @@ static void karatsuba_simple(const uint16_t *a_1, const uint16_t *b_1, uint16_t // 2nd last stage - for (i = 0; i < N / 2 - 1; i++) { - d0123[i] = d0123[i] - result_d01[i + 0 * N / 4] - result_d01[i + 2 * N / 4]; - d01[i] = d01[i] - result_final[i + 0 * N / 4] - result_final[i + 2 * N / 4]; - d23[i] = d23[i] - result_final[i + 4 * N / 4] - result_final[i + 6 * N / 4]; + for (i = 0; i < KARATSUBA_N / 2 - 1; i++) { + d0123[i] = d0123[i] - result_d01[i + 0 * KARATSUBA_N / 4] - result_d01[i + 2 * KARATSUBA_N / 4]; + d01[i] = d01[i] - result_final[i + 0 * KARATSUBA_N / 4] - result_final[i + 2 * KARATSUBA_N / 4]; + d23[i] = d23[i] - result_final[i + 4 * KARATSUBA_N / 4] - result_final[i + 6 * KARATSUBA_N / 4]; } - for (i = 0; i < N / 2 - 1; i++) { - result_d01[i + 1 * N / 4] = result_d01[i + 1 * N / 4] + d0123[i]; - result_final[i + 1 * N / 4] = result_final[i + 1 * N / 4] + d01[i]; - result_final[i + 5 * N / 4] = result_final[i + 5 * N / 4] + d23[i]; + for (i = 0; i < KARATSUBA_N / 2 - 1; i++) { + result_d01[i + 1 * KARATSUBA_N / 4] = result_d01[i + 1 * KARATSUBA_N / 4] + d0123[i]; + result_final[i + 1 * KARATSUBA_N / 4] = result_final[i + 1 * KARATSUBA_N / 4] + d01[i]; + result_final[i + 5 * KARATSUBA_N / 4] = result_final[i + 5 * KARATSUBA_N / 4] + d23[i]; } // Last stage - for (i = 0; i < N - 1; i++) { - result_d01[i] = result_d01[i] - result_final[i] - result_final[i + N]; + for (i = 0; i < KARATSUBA_N - 1; i++) { + result_d01[i] = result_d01[i] - result_final[i] - result_final[i + KARATSUBA_N]; } - for (i = 0; i < N - 1; i++) { - result_final[i + 1 * N / 2] = result_final[i + 1 * N / 2] + result_d01[i]; + for (i = 0; i < KARATSUBA_N - 1; i++) { + result_final[i + 1 * KARATSUBA_N / 2] = result_final[i + 1 * KARATSUBA_N / 2] + result_d01[i]; } } @@ -214,10 +215,6 @@ static void toom_cook_4way (const uint16_t *a1, const uint16_t *b1, uint16_t *re } } -static inline int16_t reduce(int16_t a, int64_t p) { - return a & (p - 1); -} - void PQCLEAN_LIGHTSABER_CLEAN_pol_mul(uint16_t *a, uint16_t *b, uint16_t *res, uint16_t p, uint32_t n) { diff --git a/crypto_kem/saber/clean/poly_mul.c b/crypto_kem/saber/clean/poly_mul.c index 5c579475..eb0f38d5 100644 --- a/crypto_kem/saber/clean/poly_mul.c +++ b/crypto_kem/saber/clean/poly_mul.c @@ -8,47 +8,48 @@ #define N_SB (SABER_N >> 2) #define N_SB_RES (2*N_SB-1) + +#define KARATSUBA_N 64 static void karatsuba_simple(const uint16_t *a_1, const uint16_t *b_1, uint16_t *result_final) { - uint16_t N = 64; - uint16_t d01[N / 2 - 1]; - uint16_t d0123[N / 2 - 1]; - uint16_t d23[N / 2 - 1]; - uint16_t result_d01[N - 1]; + uint16_t d01[KARATSUBA_N / 2 - 1]; + uint16_t d0123[KARATSUBA_N / 2 - 1]; + uint16_t d23[KARATSUBA_N / 2 - 1]; + uint16_t result_d01[KARATSUBA_N - 1]; int32_t i, j; - memset(result_d01, 0, (N - 1)*sizeof(uint16_t)); - memset(d01, 0, (N / 2 - 1)*sizeof(uint16_t)); - memset(d0123, 0, (N / 2 - 1)*sizeof(uint16_t)); - memset(d23, 0, (N / 2 - 1)*sizeof(uint16_t)); - memset(result_final, 0, (2 * N - 1)*sizeof(uint16_t)); + memset(result_d01, 0, (KARATSUBA_N - 1)*sizeof(uint16_t)); + memset(d01, 0, (KARATSUBA_N / 2 - 1)*sizeof(uint16_t)); + memset(d0123, 0, (KARATSUBA_N / 2 - 1)*sizeof(uint16_t)); + memset(d23, 0, (KARATSUBA_N / 2 - 1)*sizeof(uint16_t)); + memset(result_final, 0, (2 * KARATSUBA_N - 1)*sizeof(uint16_t)); uint16_t acc1, acc2, acc3, acc4, acc5, acc6, acc7, acc8, acc9, acc10; - for (i = 0; i < N / 4; i++) { + for (i = 0; i < KARATSUBA_N / 4; i++) { acc1 = a_1[i]; //a0 - acc2 = a_1[i + N / 4]; //a1 - acc3 = a_1[i + 2 * N / 4]; //a2 - acc4 = a_1[i + 3 * N / 4]; //a3 - for (j = 0; j < N / 4; j++) { + acc2 = a_1[i + KARATSUBA_N / 4]; //a1 + acc3 = a_1[i + 2 * KARATSUBA_N / 4]; //a2 + acc4 = a_1[i + 3 * KARATSUBA_N / 4]; //a3 + for (j = 0; j < KARATSUBA_N / 4; j++) { acc5 = b_1[j]; //b0 - acc6 = b_1[j + N / 4]; //b1 + acc6 = b_1[j + KARATSUBA_N / 4]; //b1 - result_final[i + j + 0 * N / 4] = result_final[i + j + 0 * N / 4] + acc1 * acc5; - result_final[i + j + 2 * N / 4] = result_final[i + j + 2 * N / 4] + acc2 * acc6; + result_final[i + j + 0 * KARATSUBA_N / 4] = result_final[i + j + 0 * KARATSUBA_N / 4] + acc1 * acc5; + result_final[i + j + 2 * KARATSUBA_N / 4] = result_final[i + j + 2 * KARATSUBA_N / 4] + acc2 * acc6; acc7 = acc5 + acc6; //b01 acc8 = acc1 + acc2; //a01 d01[i + j] = d01[i + j] + acc7 * acc8; //-------------------------------------------------------- - acc7 = b_1[j + 2 * N / 4]; //b2 - acc8 = b_1[j + 3 * N / 4]; //b3 - result_final[i + j + 4 * N / 4] = result_final[i + j + 4 * N / 4] + acc7 * acc3; + acc7 = b_1[j + 2 * KARATSUBA_N / 4]; //b2 + acc8 = b_1[j + 3 * KARATSUBA_N / 4]; //b3 + result_final[i + j + 4 * KARATSUBA_N / 4] = result_final[i + j + 4 * KARATSUBA_N / 4] + acc7 * acc3; - result_final[i + j + 6 * N / 4] = result_final[i + j + 6 * N / 4] + acc8 * acc4; + result_final[i + j + 6 * KARATSUBA_N / 4] = result_final[i + j + 6 * KARATSUBA_N / 4] + acc8 * acc4; acc9 = acc3 + acc4; acc10 = acc7 + acc8; @@ -57,11 +58,11 @@ static void karatsuba_simple(const uint16_t *a_1, const uint16_t *b_1, uint16_t acc5 = acc5 + acc7; //b02 acc7 = acc1 + acc3; //a02 - result_d01[i + j + 0 * N / 4] = result_d01[i + j + 0 * N / 4] + acc5 * acc7; + result_d01[i + j + 0 * KARATSUBA_N / 4] = result_d01[i + j + 0 * KARATSUBA_N / 4] + acc5 * acc7; acc6 = acc6 + acc8; //b13 acc8 = acc2 + acc4; - result_d01[i + j + 2 * N / 4] = result_d01[i + j + 2 * N / 4] + acc6 * acc8; + result_d01[i + j + 2 * KARATSUBA_N / 4] = result_d01[i + j + 2 * KARATSUBA_N / 4] + acc6 * acc8; acc5 = acc5 + acc6; acc7 = acc7 + acc8; @@ -71,25 +72,25 @@ static void karatsuba_simple(const uint16_t *a_1, const uint16_t *b_1, uint16_t // 2nd last stage - for (i = 0; i < N / 2 - 1; i++) { - d0123[i] = d0123[i] - result_d01[i + 0 * N / 4] - result_d01[i + 2 * N / 4]; - d01[i] = d01[i] - result_final[i + 0 * N / 4] - result_final[i + 2 * N / 4]; - d23[i] = d23[i] - result_final[i + 4 * N / 4] - result_final[i + 6 * N / 4]; + for (i = 0; i < KARATSUBA_N / 2 - 1; i++) { + d0123[i] = d0123[i] - result_d01[i + 0 * KARATSUBA_N / 4] - result_d01[i + 2 * KARATSUBA_N / 4]; + d01[i] = d01[i] - result_final[i + 0 * KARATSUBA_N / 4] - result_final[i + 2 * KARATSUBA_N / 4]; + d23[i] = d23[i] - result_final[i + 4 * KARATSUBA_N / 4] - result_final[i + 6 * KARATSUBA_N / 4]; } - for (i = 0; i < N / 2 - 1; i++) { - result_d01[i + 1 * N / 4] = result_d01[i + 1 * N / 4] + d0123[i]; - result_final[i + 1 * N / 4] = result_final[i + 1 * N / 4] + d01[i]; - result_final[i + 5 * N / 4] = result_final[i + 5 * N / 4] + d23[i]; + for (i = 0; i < KARATSUBA_N / 2 - 1; i++) { + result_d01[i + 1 * KARATSUBA_N / 4] = result_d01[i + 1 * KARATSUBA_N / 4] + d0123[i]; + result_final[i + 1 * KARATSUBA_N / 4] = result_final[i + 1 * KARATSUBA_N / 4] + d01[i]; + result_final[i + 5 * KARATSUBA_N / 4] = result_final[i + 5 * KARATSUBA_N / 4] + d23[i]; } // Last stage - for (i = 0; i < N - 1; i++) { - result_d01[i] = result_d01[i] - result_final[i] - result_final[i + N]; + for (i = 0; i < KARATSUBA_N - 1; i++) { + result_d01[i] = result_d01[i] - result_final[i] - result_final[i + KARATSUBA_N]; } - for (i = 0; i < N - 1; i++) { - result_final[i + 1 * N / 2] = result_final[i + 1 * N / 2] + result_d01[i]; + for (i = 0; i < KARATSUBA_N - 1; i++) { + result_final[i + 1 * KARATSUBA_N / 2] = result_final[i + 1 * KARATSUBA_N / 2] + result_d01[i]; } } @@ -214,10 +215,6 @@ static void toom_cook_4way (const uint16_t *a1, const uint16_t *b1, uint16_t *re } } -static inline int16_t reduce(int16_t a, int64_t p) { - return a & (p - 1); -} - void PQCLEAN_SABER_CLEAN_pol_mul(uint16_t *a, uint16_t *b, uint16_t *res, uint16_t p, uint32_t n) { From acde8afff2a9fa0b573fd20f9903a28b12090d46 Mon Sep 17 00:00:00 2001 From: "Matthias J. Kannwischer" Date: Mon, 24 Jun 2019 09:18:58 +0200 Subject: [PATCH 19/20] Convert into a list for the Saber parameter sets --- crypto_kem/firesaber/META.yml | 8 ++++++-- crypto_kem/lightsaber/META.yml | 8 ++++++-- crypto_kem/saber/META.yml | 8 ++++++-- 3 files changed, 18 insertions(+), 6 deletions(-) diff --git a/crypto_kem/firesaber/META.yml b/crypto_kem/firesaber/META.yml index ec3da894..e58c7a7c 100644 --- a/crypto_kem/firesaber/META.yml +++ b/crypto_kem/firesaber/META.yml @@ -1,4 +1,4 @@ -name: FireSaber +name: FireSaber type: kem claimed-nist-level: 5 claimed-security: IND-CCA2 @@ -7,7 +7,11 @@ length-ciphertext: 1472 length-secret-key: 3040 length-shared-secret: 32 nistkat-sha256: 937d9b2e139112e13d4093a6afe715deff476e4d578208b9e8e1809de43835cd -principal-submitter: Jan-Pieter D'Anvers, Angshuman Karmakar, Sujoy Sinha Roy, Frederik Vercauteren +principal-submitters: + - Jan-Pieter D'Anvers + - Angshuman Karmakar + - Sujoy Sinha Roy + - Frederik Vercauteren implementations: - name: clean version: https://github.com/KULeuven-COSIC/SABER/commit/14ede83f1ff3bcc41f0464543542366c68b55871 diff --git a/crypto_kem/lightsaber/META.yml b/crypto_kem/lightsaber/META.yml index 06a7bf70..1b7912f6 100644 --- a/crypto_kem/lightsaber/META.yml +++ b/crypto_kem/lightsaber/META.yml @@ -1,4 +1,4 @@ -name: LightSaber +name: LightSaber type: kem claimed-nist-level: 1 claimed-security: IND-CCA2 @@ -7,7 +7,11 @@ length-ciphertext: 736 length-secret-key: 1568 length-shared-secret: 32 nistkat-sha256: dc2233ae221cfabbb1db5ab1a76c93967d37de9f87a8092561f95ab28eff6061 -principal-submitter: Jan-Pieter D'Anvers, Angshuman Karmakar, Sujoy Sinha Roy, Frederik Vercauteren +principal-submitters: + - Jan-Pieter D'Anvers + - Angshuman Karmakar + - Sujoy Sinha Roy + - Frederik Vercauteren implementations: - name: clean version: https://github.com/KULeuven-COSIC/SABER/commit/14ede83f1ff3bcc41f0464543542366c68b55871 diff --git a/crypto_kem/saber/META.yml b/crypto_kem/saber/META.yml index 5cb3bb48..4de4f1c8 100644 --- a/crypto_kem/saber/META.yml +++ b/crypto_kem/saber/META.yml @@ -1,4 +1,4 @@ -name: Saber +name: Saber type: kem claimed-nist-level: 3 claimed-security: IND-CCA2 @@ -7,7 +7,11 @@ length-ciphertext: 1088 length-secret-key: 2304 length-shared-secret: 32 nistkat-sha256: c9e2c16f41f162c607a1d5704107159e5e12713b9bb8c356b1d68b216e79096e -principal-submitter: Jan-Pieter D'Anvers, Angshuman Karmakar, Sujoy Sinha Roy, Frederik Vercauteren +principal-submitters: + - Jan-Pieter D'Anvers + - Angshuman Karmakar + - Sujoy Sinha Roy + - Frederik Vercauteren implementations: - name: clean version: https://github.com/KULeuven-COSIC/SABER/commit/14ede83f1ff3bcc41f0464543542366c68b55871 From 756b550cebade517eabe8e90032bee6a46b74971 Mon Sep 17 00:00:00 2001 From: "Matthias J. Kannwischer" Date: Mon, 1 Jul 2019 07:48:17 +0200 Subject: [PATCH 20/20] add Saber LICENSE --- crypto_kem/firesaber/clean/LICENSE | 9 ++++++++- crypto_kem/lightsaber/clean/LICENSE | 9 ++++++++- crypto_kem/saber/clean/LICENSE | 9 ++++++++- 3 files changed, 24 insertions(+), 3 deletions(-) diff --git a/crypto_kem/firesaber/clean/LICENSE b/crypto_kem/firesaber/clean/LICENSE index 1333ed77..08c799e3 100644 --- a/crypto_kem/firesaber/clean/LICENSE +++ b/crypto_kem/firesaber/clean/LICENSE @@ -1 +1,8 @@ -TODO +---------------------------------------------------------------------------------------- +SABER_v1.1 + +Public domain + +Authors: Jan-Pieter D'Anvers, Angshuman Karmakar, Sujoy Sinha Roy, +Frederik Vercauteren +---------------------------------------------------------------------------------------- diff --git a/crypto_kem/lightsaber/clean/LICENSE b/crypto_kem/lightsaber/clean/LICENSE index 1333ed77..08c799e3 100644 --- a/crypto_kem/lightsaber/clean/LICENSE +++ b/crypto_kem/lightsaber/clean/LICENSE @@ -1 +1,8 @@ -TODO +---------------------------------------------------------------------------------------- +SABER_v1.1 + +Public domain + +Authors: Jan-Pieter D'Anvers, Angshuman Karmakar, Sujoy Sinha Roy, +Frederik Vercauteren +---------------------------------------------------------------------------------------- diff --git a/crypto_kem/saber/clean/LICENSE b/crypto_kem/saber/clean/LICENSE index 1333ed77..08c799e3 100644 --- a/crypto_kem/saber/clean/LICENSE +++ b/crypto_kem/saber/clean/LICENSE @@ -1 +1,8 @@ -TODO +---------------------------------------------------------------------------------------- +SABER_v1.1 + +Public domain + +Authors: Jan-Pieter D'Anvers, Angshuman Karmakar, Sujoy Sinha Roy, +Frederik Vercauteren +----------------------------------------------------------------------------------------