当前提交
0ed5ba4a30
17
crypto_kem/firesaber/META.yml
普通文件
17
crypto_kem/firesaber/META.yml
普通文件
@ -0,0 +1,17 @@
|
||||
name: FireSaber
|
||||
type: kem
|
||||
claimed-nist-level: 5
|
||||
claimed-security: IND-CCA2
|
||||
length-public-key: 1312
|
||||
length-ciphertext: 1472
|
||||
length-secret-key: 3040
|
||||
length-shared-secret: 32
|
||||
nistkat-sha256: 937d9b2e139112e13d4093a6afe715deff476e4d578208b9e8e1809de43835cd
|
||||
principal-submitters:
|
||||
- Jan-Pieter D'Anvers
|
||||
- Angshuman Karmakar
|
||||
- Sujoy Sinha Roy
|
||||
- Frederik Vercauteren
|
||||
implementations:
|
||||
- name: clean
|
||||
version: https://github.com/KULeuven-COSIC/SABER/commit/14ede83f1ff3bcc41f0464543542366c68b55871
|
@ -0,0 +1,8 @@
|
||||
----------------------------------------------------------------------------------------
|
||||
SABER_v1.1
|
||||
|
||||
Public domain
|
||||
|
||||
Authors: Jan-Pieter D'Anvers, Angshuman Karmakar, Sujoy Sinha Roy,
|
||||
Frederik Vercauteren
|
||||
----------------------------------------------------------------------------------------
|
@ -0,0 +1,19 @@
|
||||
# This Makefile can be used with GNU Make or BSD Make
|
||||
|
||||
LIB=libfiresaber_clean.a
|
||||
HEADERS=api.h cbd.h poly.h poly_mul.h SABER_indcpa.h SABER_params.h verify.h pack_unpack.h
|
||||
OBJECTS=cbd.o kem.o pack_unpack.o poly.o poly_mul.o SABER_indcpa.o verify.o
|
||||
|
||||
CFLAGS=-O3 -Wall -Wextra -Wpedantic -Werror -Wmissing-prototypes -Wredundant-decls -std=c99 -I../../../common $(EXTRAFLAGS)
|
||||
|
||||
all: $(LIB)
|
||||
|
||||
%.o: %.c $(HEADERS)
|
||||
$(CC) $(CFLAGS) -c -o $@ $<
|
||||
|
||||
$(LIB): $(OBJECTS)
|
||||
$(AR) -r $@ $(OBJECTS)
|
||||
|
||||
clean:
|
||||
$(RM) $(OBJECTS)
|
||||
$(RM) $(LIB)
|
@ -0,0 +1,19 @@
|
||||
# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
|
||||
# nmake /f Makefile.Microsoft_nmake
|
||||
|
||||
LIBRARY=libfiresaber_clean.lib
|
||||
OBJECTS=cbd.obj kem.obj pack_unpack.obj poly.obj poly_mul.obj SABER_indcpa.obj verify.obj
|
||||
|
||||
CFLAGS=/nologo /I ..\..\..\common /W4 /WX
|
||||
|
||||
all: $(LIBRARY)
|
||||
|
||||
# Make sure objects are recompiled if headers change.
|
||||
$(OBJECTS): *.h
|
||||
|
||||
$(LIBRARY): $(OBJECTS)
|
||||
LIB.EXE /NOLOGO /WX /OUT:$@ $**
|
||||
|
||||
clean:
|
||||
-DEL $(OBJECTS)
|
||||
-DEL $(LIBRARY)
|
@ -0,0 +1,298 @@
|
||||
#include "SABER_indcpa.h"
|
||||
#include "SABER_params.h"
|
||||
#include "fips202.h"
|
||||
#include "pack_unpack.h"
|
||||
#include "poly.h"
|
||||
#include "poly_mul.h"
|
||||
#include "randombytes.h"
|
||||
#include <stdint.h>
|
||||
#include <string.h>
|
||||
|
||||
|
||||
|
||||
/*-----------------------------------------------------------------------------------
|
||||
This routine generates a=[Matrix K x K] of 256-coefficient polynomials
|
||||
-------------------------------------------------------------------------------------*/
|
||||
|
||||
#define h1 4 //2^(EQ-EP-1)
|
||||
|
||||
#define h2 ( (1<<(SABER_EP-2)) - (1<<(SABER_EP-SABER_ET-1)) + (1<<(SABER_EQ-SABER_EP-1)) )
|
||||
|
||||
static void InnerProd(uint16_t pkcl[SABER_K][SABER_N], uint16_t skpv[SABER_K][SABER_N], uint16_t mod, uint16_t res[SABER_N]);
|
||||
static void MatrixVectorMul(polyvec *a, uint16_t skpv[SABER_K][SABER_N], uint16_t res[SABER_K][SABER_N], uint16_t mod, int16_t transpose);
|
||||
|
||||
static void POL2MSG(const uint16_t *message_dec_unpacked, unsigned char *message_dec);
|
||||
|
||||
static void GenMatrix(polyvec *a, const unsigned char *seed) {
|
||||
unsigned char buf[SABER_K * SABER_K * (13 * SABER_N / 8)];
|
||||
|
||||
uint16_t temp_ar[SABER_N];
|
||||
|
||||
int i, j, k;
|
||||
uint16_t mod = (SABER_Q - 1);
|
||||
|
||||
shake128(buf, sizeof(buf), seed, SABER_SEEDBYTES);
|
||||
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
for (j = 0; j < SABER_K; j++) {
|
||||
PQCLEAN_FIRESABER_CLEAN_BS2POL(buf + (i * SABER_K + j) * (13 * SABER_N / 8), temp_ar);
|
||||
for (k = 0; k < SABER_N; k++) {
|
||||
a[i].vec[j].coeffs[k] = (temp_ar[k])& mod ;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_keypair(unsigned char *pk, unsigned char *sk) {
|
||||
polyvec a[SABER_K];
|
||||
|
||||
uint16_t skpv[SABER_K][SABER_N];
|
||||
|
||||
unsigned char seed[SABER_SEEDBYTES];
|
||||
unsigned char noiseseed[SABER_COINBYTES];
|
||||
int32_t i, j;
|
||||
uint16_t mod_q = SABER_Q - 1;
|
||||
|
||||
|
||||
uint16_t res[SABER_K][SABER_N];
|
||||
|
||||
randombytes(seed, SABER_SEEDBYTES);
|
||||
|
||||
// for not revealing system RNG state
|
||||
shake128(seed, SABER_SEEDBYTES, seed, SABER_SEEDBYTES);
|
||||
randombytes(noiseseed, SABER_COINBYTES);
|
||||
|
||||
GenMatrix(a, seed); //sample matrix A
|
||||
|
||||
// generate secret from constant-time binomial distribution
|
||||
PQCLEAN_FIRESABER_CLEAN_GenSecret(skpv, noiseseed);
|
||||
|
||||
// do the matrix vector multiplication and rounding
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
for (j = 0; j < SABER_N; j++) {
|
||||
res[i][j] = 0;
|
||||
}
|
||||
}
|
||||
MatrixVectorMul(a, skpv, res, SABER_Q - 1, 1);
|
||||
|
||||
// now rounding
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
for (j = 0; j < SABER_N; j++) {
|
||||
// shift right 3 bits
|
||||
res[i][j] = (res[i][j] + h1) & (mod_q);
|
||||
res[i][j] = (res[i][j] >> (SABER_EQ - SABER_EP));
|
||||
}
|
||||
}
|
||||
|
||||
// unload and pack sk=3 x (256 coefficients of 14 bits)
|
||||
PQCLEAN_FIRESABER_CLEAN_POLVEC2BS(sk, skpv, SABER_Q);
|
||||
|
||||
// unload and pack pk=256 bits seed and 3 x (256 coefficients of 11 bits)
|
||||
// load the public-key coefficients
|
||||
PQCLEAN_FIRESABER_CLEAN_POLVEC2BS(pk, res, SABER_P);
|
||||
|
||||
|
||||
// now load the seedbytes in PK. Easy since seed bytes are kept in byte format.
|
||||
for (i = 0; i < SABER_SEEDBYTES; i++) {
|
||||
pk[SABER_POLYVECCOMPRESSEDBYTES + i] = seed[i];
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
||||
void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_enc(const unsigned char *message_received, unsigned char *noiseseed, const unsigned char *pk, unsigned char *ciphertext) {
|
||||
uint32_t i, j, k;
|
||||
polyvec a[SABER_K];
|
||||
unsigned char seed[SABER_SEEDBYTES];
|
||||
// public key of received by the client
|
||||
uint16_t pkcl[SABER_K][SABER_N];
|
||||
uint16_t skpv1[SABER_K][SABER_N];
|
||||
uint16_t message[SABER_KEYBYTES * 8];
|
||||
uint16_t res[SABER_K][SABER_N];
|
||||
uint16_t mod_p = SABER_P - 1;
|
||||
uint16_t mod_q = SABER_Q - 1;
|
||||
uint16_t vprime[SABER_N];
|
||||
unsigned char msk_c[SABER_SCALEBYTES_KEM];
|
||||
|
||||
// extract the seedbytes from Public Key.
|
||||
for (i = 0; i < SABER_SEEDBYTES; i++) {
|
||||
seed[i] = pk[ SABER_POLYVECCOMPRESSEDBYTES + i];
|
||||
}
|
||||
|
||||
GenMatrix(a, seed);
|
||||
|
||||
// generate secret from constant-time binomial distribution
|
||||
PQCLEAN_FIRESABER_CLEAN_GenSecret(skpv1, noiseseed);
|
||||
|
||||
// matrix-vector multiplication and rounding
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
for (j = 0; j < SABER_N; j++) {
|
||||
res[i][j] = 0;
|
||||
}
|
||||
}
|
||||
MatrixVectorMul(a, skpv1, res, SABER_Q - 1, 0);
|
||||
|
||||
// now rounding
|
||||
//shift right 3 bits
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
for (j = 0; j < SABER_N; j++) {
|
||||
res[i][j] = ( res[i][j] + h1 ) & mod_q;
|
||||
res[i][j] = (res[i][j] >> (SABER_EQ - SABER_EP) );
|
||||
}
|
||||
}
|
||||
|
||||
PQCLEAN_FIRESABER_CLEAN_POLVEC2BS(ciphertext, res, SABER_P);
|
||||
|
||||
// ************client matrix-vector multiplication ends************
|
||||
|
||||
// now calculate the v'
|
||||
// unpack the public_key
|
||||
// pkcl is the b in the protocol
|
||||
PQCLEAN_FIRESABER_CLEAN_BS2POLVEC(pk, pkcl, SABER_P);
|
||||
for (i = 0; i < SABER_N; i++) {
|
||||
vprime[i] = 0;
|
||||
}
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
for (j = 0; j < SABER_N; j++) {
|
||||
skpv1[i][j] = skpv1[i][j] & (mod_p);
|
||||
}
|
||||
}
|
||||
|
||||
// vector-vector scalar multiplication with mod p
|
||||
InnerProd(pkcl, skpv1, mod_p, vprime);
|
||||
|
||||
// addition of h1 to vprime
|
||||
for (i = 0; i < SABER_N; i++) {
|
||||
vprime[i] = vprime[i] + h1;
|
||||
}
|
||||
|
||||
// unpack message_received;
|
||||
for (j = 0; j < SABER_KEYBYTES; j++) {
|
||||
for (i = 0; i < 8; i++) {
|
||||
message[8 * j + i] = ((message_received[j] >> i) & 0x01);
|
||||
}
|
||||
}
|
||||
|
||||
// message encoding
|
||||
for (i = 0; i < SABER_N; i++) {
|
||||
message[i] = (message[i] << (SABER_EP - 1));
|
||||
}
|
||||
|
||||
for (k = 0; k < SABER_N; k++) {
|
||||
vprime[k] = ( (vprime[k] - message[k]) & (mod_p) ) >> (SABER_EP - SABER_ET);
|
||||
}
|
||||
|
||||
|
||||
PQCLEAN_FIRESABER_CLEAN_pack_6bit(msk_c, vprime);
|
||||
|
||||
for (j = 0; j < SABER_SCALEBYTES_KEM; j++) {
|
||||
ciphertext[SABER_POLYVECCOMPRESSEDBYTES + j] = msk_c[j];
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_dec(const unsigned char *sk, const unsigned char *ciphertext, unsigned char message_dec[]) {
|
||||
uint32_t i, j;
|
||||
// secret key of the server
|
||||
uint16_t sksv[SABER_K][SABER_N];
|
||||
uint16_t pksv[SABER_K][SABER_N];
|
||||
uint8_t scale_ar[SABER_SCALEBYTES_KEM];
|
||||
uint16_t mod_p = SABER_P - 1;
|
||||
uint16_t v[SABER_N];
|
||||
uint16_t op[SABER_N];
|
||||
|
||||
// sksv is the secret-key
|
||||
PQCLEAN_FIRESABER_CLEAN_BS2POLVEC(sk, sksv, SABER_Q);
|
||||
// pksv is the ciphertext
|
||||
PQCLEAN_FIRESABER_CLEAN_BS2POLVEC(ciphertext, pksv, SABER_P);
|
||||
|
||||
// vector-vector scalar multiplication with mod p
|
||||
for (i = 0; i < SABER_N; i++) {
|
||||
v[i] = 0;
|
||||
}
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
for (j = 0; j < SABER_N; j++) {
|
||||
sksv[i][j] = sksv[i][j] & (mod_p);
|
||||
}
|
||||
}
|
||||
InnerProd(pksv, sksv, mod_p, v);
|
||||
|
||||
//Extraction
|
||||
for (i = 0; i < SABER_SCALEBYTES_KEM; i++) {
|
||||
scale_ar[i] = ciphertext[SABER_POLYVECCOMPRESSEDBYTES + i];
|
||||
}
|
||||
|
||||
PQCLEAN_FIRESABER_CLEAN_un_pack6bit(scale_ar, op);
|
||||
|
||||
//addition of h1
|
||||
for (i = 0; i < SABER_N; i++) {
|
||||
v[i] = ( ( v[i] + h2 - (op[i] << (SABER_EP - SABER_ET)) ) & (mod_p) ) >> (SABER_EP - 1);
|
||||
}
|
||||
|
||||
// pack decrypted message
|
||||
POL2MSG(v, message_dec);
|
||||
}
|
||||
static void MatrixVectorMul(polyvec *a, uint16_t skpv[SABER_K][SABER_N], uint16_t res[SABER_K][SABER_N], uint16_t mod, int16_t transpose) {
|
||||
uint16_t acc[SABER_N];
|
||||
int32_t i, j, k;
|
||||
|
||||
if (transpose == 1) {
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
for (j = 0; j < SABER_K; j++) {
|
||||
PQCLEAN_FIRESABER_CLEAN_pol_mul((uint16_t *)&a[j].vec[i], skpv[j], acc, SABER_Q, SABER_N);
|
||||
|
||||
for (k = 0; k < SABER_N; k++) {
|
||||
res[i][k] = res[i][k] + acc[k];
|
||||
//reduction mod p
|
||||
res[i][k] = (res[i][k] & mod);
|
||||
//clear the accumulator
|
||||
acc[k] = 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
} else {
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
for (j = 0; j < SABER_K; j++) {
|
||||
PQCLEAN_FIRESABER_CLEAN_pol_mul((uint16_t *)&a[i].vec[j], skpv[j], acc, SABER_Q, SABER_N);
|
||||
for (k = 0; k < SABER_N; k++) {
|
||||
res[i][k] = res[i][k] + acc[k];
|
||||
// reduction
|
||||
res[i][k] = res[i][k] & mod;
|
||||
// clear the accumulator
|
||||
acc[k] = 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
static void POL2MSG(const uint16_t *message_dec_unpacked, unsigned char *message_dec) {
|
||||
int32_t i, j;
|
||||
|
||||
for (j = 0; j < SABER_KEYBYTES; j++) {
|
||||
message_dec[j] = 0;
|
||||
for (i = 0; i < 8; i++) {
|
||||
message_dec[j] = message_dec[j] | (uint8_t) (message_dec_unpacked[j * 8 + i] << i);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
static void InnerProd(uint16_t pkcl[SABER_K][SABER_N], uint16_t skpv[SABER_K][SABER_N], uint16_t mod, uint16_t res[SABER_N]) {
|
||||
uint32_t j, k;
|
||||
uint16_t acc[SABER_N];
|
||||
|
||||
// vector-vector scalar multiplication with mod p
|
||||
for (j = 0; j < SABER_K; j++) {
|
||||
PQCLEAN_FIRESABER_CLEAN_pol_mul(pkcl[j], skpv[j], acc, SABER_P, SABER_N);
|
||||
|
||||
for (k = 0; k < SABER_N; k++) {
|
||||
res[k] = res[k] + acc[k];
|
||||
// reduction
|
||||
res[k] = res[k] & mod;
|
||||
// clear the accumulator
|
||||
acc[k] = 0;
|
||||
}
|
||||
}
|
||||
}
|
@ -0,0 +1,9 @@
|
||||
#ifndef INDCPA_H
|
||||
#define INDCPA_H
|
||||
|
||||
void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_keypair(unsigned char *pk, unsigned char *sk);
|
||||
void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_enc(const unsigned char *message, unsigned char *noiseseed, const unsigned char *pk, unsigned char *ciphertext);
|
||||
void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_dec(const unsigned char *sk, const unsigned char *ciphertext, unsigned char *message_dec);
|
||||
|
||||
#endif
|
||||
|
@ -0,0 +1,49 @@
|
||||
#ifndef PARAMS_H
|
||||
#define PARAMS_H
|
||||
|
||||
#include "api.h"
|
||||
|
||||
#define SABER_K 4
|
||||
#define SABER_MU 6
|
||||
#define SABER_ET 6
|
||||
|
||||
#define SABER_EQ 13
|
||||
#define SABER_EP 10
|
||||
|
||||
#define SABER_N 256
|
||||
#define SABER_Q 8192
|
||||
#define SABER_P 1024
|
||||
|
||||
#define SABER_SEEDBYTES 32
|
||||
#define SABER_NOISESEEDBYTES 32
|
||||
#define SABER_COINBYTES 32
|
||||
#define SABER_KEYBYTES 32
|
||||
|
||||
#define SABER_HASHBYTES 32
|
||||
|
||||
#define SABER_POLYBYTES 416 //13*256/8
|
||||
|
||||
#define SABER_POLYVECBYTES (SABER_K * SABER_POLYBYTES)
|
||||
|
||||
#define SABER_POLYVECCOMPRESSEDBYTES (SABER_K * 320) //10*256/8 NOTE : changed till here due to parameter adaptation
|
||||
|
||||
#define SABER_CIPHERTEXTBYTES (SABER_POLYVECCOMPRESSEDBYTES)
|
||||
|
||||
#define SABER_SCALEBYTES (SABER_DELTA*SABER_N/8)
|
||||
|
||||
#define SABER_SCALEBYTES_KEM ((SABER_ET)*SABER_N/8)
|
||||
|
||||
#define SABER_INDCPA_PUBLICKEYBYTES (SABER_POLYVECCOMPRESSEDBYTES + SABER_SEEDBYTES)
|
||||
#define SABER_INDCPA_SECRETKEYBYTES (SABER_POLYVECBYTES)
|
||||
|
||||
#define SABER_PUBLICKEYBYTES (SABER_INDCPA_PUBLICKEYBYTES)
|
||||
|
||||
#define SABER_SECRETKEYBYTES (SABER_INDCPA_SECRETKEYBYTES + SABER_INDCPA_PUBLICKEYBYTES + SABER_HASHBYTES + SABER_KEYBYTES)
|
||||
|
||||
#define SABER_BYTES_CCA_DEC (SABER_POLYVECCOMPRESSEDBYTES + SABER_SCALEBYTES_KEM) /* Second part is for Targhi-Unruh */
|
||||
|
||||
|
||||
|
||||
|
||||
#endif
|
||||
|
14
crypto_kem/firesaber/clean/api.h
普通文件
14
crypto_kem/firesaber/clean/api.h
普通文件
@ -0,0 +1,14 @@
|
||||
#ifndef PQCLEAN_FIRESABER_CLEAN_API_H
|
||||
#define PQCLEAN_FIRESABER_CLEAN_API_H
|
||||
|
||||
#define PQCLEAN_FIRESABER_CLEAN_CRYPTO_ALGNAME "FireSaber"
|
||||
#define PQCLEAN_FIRESABER_CLEAN_CRYPTO_SECRETKEYBYTES 3040
|
||||
#define PQCLEAN_FIRESABER_CLEAN_CRYPTO_PUBLICKEYBYTES (4*320+32)
|
||||
#define PQCLEAN_FIRESABER_CLEAN_CRYPTO_BYTES 32
|
||||
#define PQCLEAN_FIRESABER_CLEAN_CRYPTO_CIPHERTEXTBYTES 1472
|
||||
|
||||
int PQCLEAN_FIRESABER_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk);
|
||||
int PQCLEAN_FIRESABER_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk);
|
||||
int PQCLEAN_FIRESABER_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk);
|
||||
|
||||
#endif /* api_h */
|
52
crypto_kem/firesaber/clean/cbd.c
普通文件
52
crypto_kem/firesaber/clean/cbd.c
普通文件
@ -0,0 +1,52 @@
|
||||
/*---------------------------------------------------------------------
|
||||
This file has been adapted from the implementation
|
||||
(available at, Public Domain https://github.com/pq-crystals/kyber)
|
||||
of "CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM"
|
||||
by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint,
|
||||
Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle
|
||||
----------------------------------------------------------------------*/
|
||||
|
||||
#include "SABER_params.h"
|
||||
#include "api.h"
|
||||
#include "cbd.h"
|
||||
#include <stdint.h>
|
||||
|
||||
static uint64_t load_littleendian(const unsigned char *x, int bytes) {
|
||||
int i;
|
||||
uint64_t r = x[0];
|
||||
for (i = 1; i < bytes; i++) {
|
||||
r |= (uint64_t)x[i] << (8 * i);
|
||||
}
|
||||
return r;
|
||||
}
|
||||
|
||||
|
||||
void PQCLEAN_FIRESABER_CLEAN_cbd(uint16_t *r, const unsigned char *buf) {
|
||||
uint16_t Qmod_minus1 = SABER_Q - 1;
|
||||
|
||||
uint32_t t, d, a[4], b[4];
|
||||
int i, j;
|
||||
|
||||
for (i = 0; i < SABER_N / 4; i++) {
|
||||
t = (uint32_t) load_littleendian(buf + 3 * i, 3);
|
||||
d = 0;
|
||||
for (j = 0; j < 3; j++) {
|
||||
d += (t >> j) & 0x249249;
|
||||
}
|
||||
|
||||
a[0] = d & 0x7;
|
||||
b[0] = (d >> 3) & 0x7;
|
||||
a[1] = (d >> 6) & 0x7;
|
||||
b[1] = (d >> 9) & 0x7;
|
||||
a[2] = (d >> 12) & 0x7;
|
||||
b[2] = (d >> 15) & 0x7;
|
||||
a[3] = (d >> 18) & 0x7;
|
||||
b[3] = (d >> 21);
|
||||
|
||||
r[4 * i + 0] = (uint16_t)(a[0] - b[0]) & Qmod_minus1;
|
||||
r[4 * i + 1] = (uint16_t)(a[1] - b[1]) & Qmod_minus1;
|
||||
r[4 * i + 2] = (uint16_t)(a[2] - b[2]) & Qmod_minus1;
|
||||
r[4 * i + 3] = (uint16_t)(a[3] - b[3]) & Qmod_minus1;
|
||||
|
||||
}
|
||||
}
|
17
crypto_kem/firesaber/clean/cbd.h
普通文件
17
crypto_kem/firesaber/clean/cbd.h
普通文件
@ -0,0 +1,17 @@
|
||||
#ifndef CBD_H
|
||||
#define CBD_H
|
||||
|
||||
/*---------------------------------------------------------------------
|
||||
This file has been adapted from the implementation
|
||||
(available at, Public Domain https://github.com/pq-crystals/kyber)
|
||||
of "CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM"
|
||||
by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint,
|
||||
Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle
|
||||
----------------------------------------------------------------------*/
|
||||
|
||||
#include "poly.h"
|
||||
#include <stdint.h>
|
||||
|
||||
void PQCLEAN_FIRESABER_CLEAN_cbd(uint16_t *r, const unsigned char *buf);
|
||||
|
||||
#endif
|
96
crypto_kem/firesaber/clean/kem.c
普通文件
96
crypto_kem/firesaber/clean/kem.c
普通文件
@ -0,0 +1,96 @@
|
||||
#include "SABER_indcpa.h"
|
||||
#include "SABER_params.h"
|
||||
#include "fips202.h"
|
||||
#include "randombytes.h"
|
||||
#include "verify.h"
|
||||
#include <stdint.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
|
||||
int PQCLEAN_FIRESABER_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) {
|
||||
int i;
|
||||
|
||||
// sk[0:SABER_INDCPA_SECRETKEYBYTES-1] <-- sk
|
||||
PQCLEAN_FIRESABER_CLEAN_indcpa_kem_keypair(pk, sk);
|
||||
|
||||
// sk[SABER_INDCPA_SECRETKEYBYTES:SABER_INDCPA_SECRETKEYBYTES+SABER_INDCPA_SECRETKEYBYTES-1] <-- pk
|
||||
for (i = 0; i < SABER_INDCPA_PUBLICKEYBYTES; i++) {
|
||||
sk[i + SABER_INDCPA_SECRETKEYBYTES] = pk[i];
|
||||
}
|
||||
|
||||
// Then hash(pk) is appended.
|
||||
sha3_256(sk + SABER_SECRETKEYBYTES - 64, pk, SABER_INDCPA_PUBLICKEYBYTES);
|
||||
|
||||
// Remaining part of sk contains a pseudo-random number.
|
||||
// This is output when check in crypto_kem_dec() fails.
|
||||
randombytes(sk + SABER_SECRETKEYBYTES - SABER_KEYBYTES, SABER_KEYBYTES );
|
||||
return (0);
|
||||
}
|
||||
|
||||
int PQCLEAN_FIRESABER_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) {
|
||||
// Will contain key, coins
|
||||
unsigned char kr[64];
|
||||
unsigned char buf[64];
|
||||
|
||||
randombytes(buf, 32);
|
||||
|
||||
// BUF[0:31] <-- random message (will be used as the key for client) Note: hash doesnot release system RNG output
|
||||
sha3_256(buf, buf, 32);
|
||||
|
||||
// BUF[32:63] <-- Hash(public key); Multitarget countermeasure for coins + contributory KEM
|
||||
sha3_256(buf + 32, pk, SABER_INDCPA_PUBLICKEYBYTES);
|
||||
|
||||
// kr[0:63] <-- Hash(buf[0:63]);
|
||||
sha3_512(kr, buf, 64);
|
||||
|
||||
// K^ <-- kr[0:31]
|
||||
// noiseseed (r) <-- kr[32:63];
|
||||
// buf[0:31] contains message; kr[32:63] contains randomness r;
|
||||
PQCLEAN_FIRESABER_CLEAN_indcpa_kem_enc(buf, kr + 32, pk, ct);
|
||||
|
||||
sha3_256(kr + 32, ct, SABER_BYTES_CCA_DEC);
|
||||
|
||||
// hash concatenation of pre-k and h(c) to k
|
||||
sha3_256(ss, kr, 64);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
|
||||
int PQCLEAN_FIRESABER_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) {
|
||||
int i;
|
||||
unsigned char fail;
|
||||
unsigned char cmp[SABER_BYTES_CCA_DEC];
|
||||
unsigned char buf[64];
|
||||
|
||||
// Will contain key, coins
|
||||
unsigned char kr[64];
|
||||
const unsigned char *pk = sk + SABER_INDCPA_SECRETKEYBYTES;
|
||||
|
||||
// buf[0:31] <-- message
|
||||
PQCLEAN_FIRESABER_CLEAN_indcpa_kem_dec(sk, ct, buf);
|
||||
|
||||
|
||||
// Multitarget countermeasure for coins + contributory KEM
|
||||
// Save hash by storing h(pk) in sk
|
||||
for (i = 0; i < 32; i++) {
|
||||
buf[32 + i] = sk[SABER_SECRETKEYBYTES - 64 + i];
|
||||
}
|
||||
|
||||
sha3_512(kr, buf, 64);
|
||||
|
||||
PQCLEAN_FIRESABER_CLEAN_indcpa_kem_enc(buf, kr + 32, pk, cmp);
|
||||
|
||||
|
||||
fail = PQCLEAN_FIRESABER_CLEAN_verify(ct, cmp, SABER_BYTES_CCA_DEC);
|
||||
|
||||
// overwrite coins in kr with h(c)
|
||||
sha3_256(kr + 32, ct, SABER_BYTES_CCA_DEC);
|
||||
|
||||
PQCLEAN_FIRESABER_CLEAN_cmov(kr, sk + SABER_SECRETKEYBYTES - SABER_KEYBYTES, SABER_KEYBYTES, fail);
|
||||
|
||||
// hash concatenation of pre-k and h(c) to k
|
||||
sha3_256(ss, kr, 64);
|
||||
|
||||
return (0);
|
||||
}
|
@ -0,0 +1,254 @@
|
||||
#include "pack_unpack.h"
|
||||
|
||||
void PQCLEAN_FIRESABER_CLEAN_pack_3bit(uint8_t *bytes, const uint16_t *data) {
|
||||
uint32_t j;
|
||||
uint32_t offset_data, offset_byte;
|
||||
|
||||
for (j = 0; j < SABER_N / 8; j++) {
|
||||
offset_byte = 3 * j;
|
||||
offset_data = 8 * j;
|
||||
bytes[offset_byte + 0] = (data[offset_data + 0] & 0x7) |
|
||||
((data[offset_data + 1] & 0x7) << 3) |
|
||||
((data[offset_data + 2] & 0x3) << 6);
|
||||
bytes[offset_byte + 1] = ((data[offset_data + 2] >> 2 ) & 0x01) |
|
||||
((data[offset_data + 3] & 0x7) << 1) |
|
||||
((data[offset_data + 4] & 0x7) << 4) |
|
||||
(((data[offset_data + 5]) & 0x01) << 7);
|
||||
bytes[offset_byte + 2] = ((data[offset_data + 5] >> 1 ) & 0x03) |
|
||||
((data[offset_data + 6] & 0x7) << 2) |
|
||||
((data[offset_data + 7] & 0x7) << 5);
|
||||
}
|
||||
}
|
||||
|
||||
void PQCLEAN_FIRESABER_CLEAN_un_pack3bit(const uint8_t *bytes, uint16_t *data) {
|
||||
uint32_t j;
|
||||
uint32_t offset_data, offset_byte;
|
||||
|
||||
for (j = 0; j < SABER_N / 8; j++) {
|
||||
offset_byte = 3 * j;
|
||||
offset_data = 8 * j;
|
||||
data[offset_data + 0] = (bytes[offset_byte + 0]) & 0x07;
|
||||
data[offset_data + 1] = ((bytes[offset_byte + 0]) >> 3 ) & 0x07;
|
||||
data[offset_data + 2] = (((bytes[offset_byte + 0]) >> 6 ) & 0x03) |
|
||||
(((bytes[offset_byte + 1]) & 0x01) << 2);
|
||||
data[offset_data + 3] = ((bytes[offset_byte + 1]) >> 1 ) & 0x07;
|
||||
data[offset_data + 4] = ((bytes[offset_byte + 1]) >> 4 ) & 0x07;
|
||||
data[offset_data + 5] = (((bytes[offset_byte + 1]) >> 7 ) & 0x01) |
|
||||
(((bytes[offset_byte + 2]) & 0x03) << 1);
|
||||
data[offset_data + 6] = ((bytes[offset_byte + 2] >> 2) & 0x07);
|
||||
data[offset_data + 7] = ((bytes[offset_byte + 2] >> 5) & 0x07);
|
||||
}
|
||||
}
|
||||
|
||||
void PQCLEAN_FIRESABER_CLEAN_pack_4bit(uint8_t *bytes, const uint16_t *data) {
|
||||
uint32_t j;
|
||||
uint32_t offset_data;
|
||||
|
||||
for (j = 0; j < SABER_N / 2; j++) {
|
||||
offset_data = 2 * j;
|
||||
bytes[j] = (data[offset_data] & 0x0f) |
|
||||
((data[offset_data + 1] & 0x0f) << 4);
|
||||
}
|
||||
}
|
||||
|
||||
void PQCLEAN_FIRESABER_CLEAN_un_pack4bit(const unsigned char *bytes, uint16_t *ar) {
|
||||
uint32_t j;
|
||||
uint32_t offset_data;
|
||||
|
||||
for (j = 0; j < SABER_N / 2; j++) {
|
||||
offset_data = 2 * j;
|
||||
ar[offset_data] = bytes[j] & 0x0f;
|
||||
ar[offset_data + 1] = (bytes[j] >> 4) & 0x0f;
|
||||
}
|
||||
}
|
||||
|
||||
void PQCLEAN_FIRESABER_CLEAN_pack_6bit(uint8_t *bytes, const uint16_t *data) {
|
||||
uint32_t j;
|
||||
uint32_t offset_data, offset_byte;
|
||||
|
||||
for (j = 0; j < SABER_N / 4; j++) {
|
||||
offset_byte = 3 * j;
|
||||
offset_data = 4 * j;
|
||||
bytes[offset_byte + 0] = (data[offset_data + 0] & 0x3f) |
|
||||
((data[offset_data + 1] & 0x03) << 6);
|
||||
bytes[offset_byte + 1] = ((data[offset_data + 1] >> 2) & 0x0f) |
|
||||
((data[offset_data + 2] & 0x0f) << 4);
|
||||
bytes[offset_byte + 2] = ((data[offset_data + 2] >> 4) & 0x03) |
|
||||
((data[offset_data + 3] & 0x3f) << 2);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
void PQCLEAN_FIRESABER_CLEAN_un_pack6bit(const unsigned char *bytes, uint16_t *data) {
|
||||
uint32_t j;
|
||||
uint32_t offset_data, offset_byte;
|
||||
|
||||
for (j = 0; j < SABER_N / 4; j++) {
|
||||
offset_byte = 3 * j;
|
||||
offset_data = 4 * j;
|
||||
data[offset_data + 0] = bytes[offset_byte + 0] & 0x3f;
|
||||
data[offset_data + 1] = ((bytes[offset_byte + 0] >> 6) & 0x03) |
|
||||
((bytes[offset_byte + 1] & 0x0f) << 2);
|
||||
data[offset_data + 2] = ((bytes[offset_byte + 1] & 0xff) >> 4) |
|
||||
((bytes[offset_byte + 2] & 0x03) << 4);
|
||||
data[offset_data + 3] = ((bytes[offset_byte + 2] & 0xff) >> 2);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
static void POLVECp2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N]) {
|
||||
uint32_t i, j;
|
||||
uint32_t offset_data, offset_byte, offset_byte1;
|
||||
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
offset_byte1 = i * (SABER_N * 10) / 8;
|
||||
for (j = 0; j < SABER_N / 4; j++) {
|
||||
offset_byte = offset_byte1 + 5 * j;
|
||||
offset_data = 4 * j;
|
||||
bytes[offset_byte + 0] = (data[i][offset_data + 0] & (0xff));
|
||||
bytes[offset_byte + 1] = ((data[i][offset_data + 0] >> 8) & 0x03) |
|
||||
((data[i][offset_data + 1] & 0x3f) << 2);
|
||||
bytes[offset_byte + 2] = ((data[i][offset_data + 1] >> 6) & 0x0f) |
|
||||
((data[i][offset_data + 2] & 0x0f) << 4);
|
||||
bytes[offset_byte + 3] = ((data[i][offset_data + 2] >> 4) & 0x3f) |
|
||||
((data[i][offset_data + 3] & 0x03) << 6);
|
||||
bytes[offset_byte + 4] = ((data[i][offset_data + 3] >> 2) & 0xff);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
static void BS2POLVECp(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N]) {
|
||||
uint32_t i, j;
|
||||
uint32_t offset_data, offset_byte, offset_byte1;
|
||||
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
offset_byte1 = i * (SABER_N * 10) / 8;
|
||||
for (j = 0; j < SABER_N / 4; j++) {
|
||||
offset_byte = offset_byte1 + 5 * j;
|
||||
offset_data = 4 * j;
|
||||
data[i][offset_data + 0] = (bytes[offset_byte + 0] & (0xff)) |
|
||||
((bytes[offset_byte + 1] & 0x03) << 8);
|
||||
data[i][offset_data + 1] = ((bytes[offset_byte + 1] >> 2) & (0x3f)) |
|
||||
((bytes[offset_byte + 2] & 0x0f) << 6);
|
||||
data[i][offset_data + 2] = ((bytes[offset_byte + 2] >> 4) & (0x0f)) |
|
||||
((bytes[offset_byte + 3] & 0x3f) << 4);
|
||||
data[i][offset_data + 3] = ((bytes[offset_byte + 3] >> 6) & (0x03)) |
|
||||
((bytes[offset_byte + 4] & 0xff) << 2);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
static void POLVECq2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N]) {
|
||||
uint32_t i, j;
|
||||
uint32_t offset_data, offset_byte, offset_byte1;
|
||||
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
offset_byte1 = i * (SABER_N * 13) / 8;
|
||||
for (j = 0; j < SABER_N / 8; j++) {
|
||||
offset_byte = offset_byte1 + 13 * j;
|
||||
offset_data = 8 * j;
|
||||
bytes[offset_byte + 0] = (data[i][offset_data + 0] & (0xff));
|
||||
bytes[offset_byte + 1] = ((data[i][offset_data + 0] >> 8) & 0x1f) |
|
||||
((data[i][offset_data + 1] & 0x07) << 5);
|
||||
bytes[offset_byte + 2] = ((data[i][offset_data + 1] >> 3) & 0xff);
|
||||
bytes[offset_byte + 3] = ((data[i][offset_data + 1] >> 11) & 0x03) |
|
||||
((data[i][offset_data + 2] & 0x3f) << 2);
|
||||
bytes[offset_byte + 4] = ((data[i][offset_data + 2] >> 6) & 0x7f) |
|
||||
((data[i][offset_data + 3] & 0x01) << 7);
|
||||
bytes[offset_byte + 5] = ((data[i][offset_data + 3] >> 1) & 0xff);
|
||||
bytes[offset_byte + 6] = ((data[i][offset_data + 3] >> 9) & 0x0f) |
|
||||
((data[i][offset_data + 4] & 0x0f) << 4);
|
||||
bytes[offset_byte + 7] = ((data[i][offset_data + 4] >> 4) & 0xff);
|
||||
bytes[offset_byte + 8] = ((data[i][offset_data + 4] >> 12) & 0x01) |
|
||||
((data[i][offset_data + 5] & 0x7f) << 1);
|
||||
bytes[offset_byte + 9] = ((data[i][offset_data + 5] >> 7) & 0x3f) |
|
||||
((data[i][offset_data + 6] & 0x03) << 6);
|
||||
bytes[offset_byte + 10] = ((data[i][offset_data + 6] >> 2) & 0xff);
|
||||
bytes[offset_byte + 11] = ((data[i][offset_data + 6] >> 10) & 0x07) |
|
||||
((data[i][offset_data + 7] & 0x1f) << 3);
|
||||
bytes[offset_byte + 12] = ((data[i][offset_data + 7] >> 5) & 0xff);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
static void BS2POLVECq(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N]) {
|
||||
uint32_t i, j;
|
||||
uint32_t offset_data, offset_byte, offset_byte1;
|
||||
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
offset_byte1 = i * (SABER_N * 13) / 8;
|
||||
for (j = 0; j < SABER_N / 8; j++) {
|
||||
offset_byte = offset_byte1 + 13 * j;
|
||||
offset_data = 8 * j;
|
||||
data[i][offset_data + 0] = (bytes[offset_byte + 0] & (0xff)) |
|
||||
((bytes[offset_byte + 1] & 0x1f) << 8);
|
||||
data[i][offset_data + 1] = (bytes[offset_byte + 1] >> 5 & (0x07)) |
|
||||
((bytes[offset_byte + 2] & 0xff) << 3) |
|
||||
((bytes[offset_byte + 3] & 0x03) << 11);
|
||||
data[i][offset_data + 2] = (bytes[offset_byte + 3] >> 2 & (0x3f)) |
|
||||
((bytes[offset_byte + 4] & 0x7f) << 6);
|
||||
data[i][offset_data + 3] = (bytes[offset_byte + 4] >> 7 & (0x01)) |
|
||||
((bytes[offset_byte + 5] & 0xff) << 1) |
|
||||
((bytes[offset_byte + 6] & 0x0f) << 9);
|
||||
data[i][offset_data + 4] = (bytes[offset_byte + 6] >> 4 & (0x0f)) |
|
||||
((bytes[offset_byte + 7] & 0xff) << 4) |
|
||||
((bytes[offset_byte + 8] & 0x01) << 12);
|
||||
data[i][offset_data + 5] = (bytes[offset_byte + 8] >> 1 & (0x7f)) |
|
||||
((bytes[offset_byte + 9] & 0x3f) << 7);
|
||||
data[i][offset_data + 6] = (bytes[offset_byte + 9] >> 6 & (0x03)) |
|
||||
((bytes[offset_byte + 10] & 0xff) << 2) |
|
||||
((bytes[offset_byte + 11] & 0x07) << 10);
|
||||
data[i][offset_data + 7] = (bytes[offset_byte + 11] >> 3 & (0x1f)) |
|
||||
((bytes[offset_byte + 12] & 0xff) << 5);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
//only BS2POLq no BS2POLp
|
||||
void PQCLEAN_FIRESABER_CLEAN_BS2POL(const unsigned char *bytes, uint16_t data[SABER_N]) {
|
||||
uint32_t j;
|
||||
uint32_t offset_data, offset_byte;
|
||||
|
||||
for (j = 0; j < SABER_N / 8; j++) {
|
||||
offset_byte = 13 * j;
|
||||
offset_data = 8 * j;
|
||||
data[offset_data + 0] = (bytes[offset_byte + 0] & (0xff)) |
|
||||
((bytes[offset_byte + 1] & 0x1f) << 8);
|
||||
data[offset_data + 1] = (bytes[offset_byte + 1] >> 5 & (0x07)) |
|
||||
((bytes[offset_byte + 2] & 0xff) << 3) |
|
||||
((bytes[offset_byte + 3] & 0x03) << 11);
|
||||
data[offset_data + 2] = (bytes[offset_byte + 3] >> 2 & (0x3f)) |
|
||||
((bytes[offset_byte + 4] & 0x7f) << 6);
|
||||
data[offset_data + 3] = (bytes[offset_byte + 4] >> 7 & (0x01)) |
|
||||
((bytes[offset_byte + 5] & 0xff) << 1) |
|
||||
((bytes[offset_byte + 6] & 0x0f) << 9);
|
||||
data[offset_data + 4] = (bytes[offset_byte + 6] >> 4 & (0x0f)) |
|
||||
((bytes[offset_byte + 7] & 0xff) << 4) |
|
||||
((bytes[offset_byte + 8] & 0x01) << 12);
|
||||
data[offset_data + 5] = (bytes[offset_byte + 8] >> 1 & (0x7f)) |
|
||||
((bytes[offset_byte + 9] & 0x3f) << 7);
|
||||
data[offset_data + 6] = (bytes[offset_byte + 9] >> 6 & (0x03)) |
|
||||
((bytes[offset_byte + 10] & 0xff) << 2) |
|
||||
((bytes[offset_byte + 11] & 0x07) << 10);
|
||||
data[offset_data + 7] = (bytes[offset_byte + 11] >> 3 & (0x1f)) |
|
||||
((bytes[offset_byte + 12] & 0xff) << 5);
|
||||
}
|
||||
}
|
||||
|
||||
void PQCLEAN_FIRESABER_CLEAN_POLVEC2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus) {
|
||||
if (modulus == 1024) {
|
||||
POLVECp2BS(bytes, data);
|
||||
} else if (modulus == 8192) {
|
||||
POLVECq2BS(bytes, data);
|
||||
}
|
||||
}
|
||||
|
||||
void PQCLEAN_FIRESABER_CLEAN_BS2POLVEC(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus) {
|
||||
if (modulus == 1024) {
|
||||
BS2POLVECp(bytes, data);
|
||||
} else if (modulus == 8192) {
|
||||
BS2POLVECq(bytes, data);
|
||||
}
|
||||
}
|
@ -0,0 +1,28 @@
|
||||
#ifndef PACK_UNPACK_H
|
||||
#define PACK_UNPACK_H
|
||||
|
||||
#include "SABER_params.h"
|
||||
#include <stdint.h>
|
||||
#include <stdio.h>
|
||||
|
||||
|
||||
void PQCLEAN_FIRESABER_CLEAN_pack_3bit(uint8_t *bytes, const uint16_t *data);
|
||||
|
||||
void PQCLEAN_FIRESABER_CLEAN_un_pack3bit(const uint8_t *bytes, uint16_t *data);
|
||||
|
||||
void PQCLEAN_FIRESABER_CLEAN_pack_4bit(uint8_t *bytes, const uint16_t *data);
|
||||
|
||||
void PQCLEAN_FIRESABER_CLEAN_un_pack4bit(const unsigned char *bytes, uint16_t *ar);
|
||||
|
||||
void PQCLEAN_FIRESABER_CLEAN_pack_6bit(uint8_t *bytes, const uint16_t *data);
|
||||
|
||||
void PQCLEAN_FIRESABER_CLEAN_un_pack6bit(const unsigned char *bytes, uint16_t *data);
|
||||
|
||||
|
||||
void PQCLEAN_FIRESABER_CLEAN_BS2POL(const unsigned char *bytes, uint16_t data[SABER_N]);
|
||||
|
||||
void PQCLEAN_FIRESABER_CLEAN_POLVEC2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus);
|
||||
|
||||
void PQCLEAN_FIRESABER_CLEAN_BS2POLVEC(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus);
|
||||
|
||||
#endif
|
@ -0,0 +1,21 @@
|
||||
/*---------------------------------------------------------------------
|
||||
This file has been adapted from the implementation
|
||||
(available at, Public Domain https://github.com/pq-crystals/kyber)
|
||||
of "CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM"
|
||||
by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint,
|
||||
Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle
|
||||
----------------------------------------------------------------------*/
|
||||
#include "SABER_params.h"
|
||||
#include "cbd.h"
|
||||
#include "fips202.h"
|
||||
#include "poly.h"
|
||||
|
||||
void PQCLEAN_FIRESABER_CLEAN_GenSecret(uint16_t r[SABER_K][SABER_N], const unsigned char *seed) {
|
||||
uint8_t buf[SABER_MU * SABER_N * SABER_K / 8];
|
||||
|
||||
shake128(buf, sizeof(buf), seed, SABER_NOISESEEDBYTES);
|
||||
|
||||
for (size_t i = 0; i < SABER_K; i++) {
|
||||
PQCLEAN_FIRESABER_CLEAN_cbd(r[i], buf + i * SABER_MU * SABER_N / 8);
|
||||
}
|
||||
}
|
@ -0,0 +1,26 @@
|
||||
#ifndef POLY_H
|
||||
#define POLY_H
|
||||
|
||||
/*---------------------------------------------------------------------
|
||||
This file has been adapted from the implementation
|
||||
(available at, Public Domain https://github.com/pq-crystals/kyber)
|
||||
of "CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM"
|
||||
by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint,
|
||||
Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle
|
||||
----------------------------------------------------------------------*/
|
||||
|
||||
|
||||
#include "SABER_params.h"
|
||||
#include <stdint.h>
|
||||
|
||||
typedef struct {
|
||||
uint16_t coeffs[SABER_N];
|
||||
} poly;
|
||||
|
||||
typedef struct {
|
||||
poly vec[SABER_K];
|
||||
} polyvec;
|
||||
|
||||
void PQCLEAN_FIRESABER_CLEAN_GenSecret(uint16_t r[SABER_K][SABER_N], const unsigned char *seed);
|
||||
|
||||
#endif
|
@ -0,0 +1,237 @@
|
||||
#include "poly_mul.h"
|
||||
#include <stdint.h>
|
||||
#include <string.h>
|
||||
|
||||
#define SCHB_N 16
|
||||
|
||||
#define N_RES (SABER_N << 1)
|
||||
#define N_SB (SABER_N >> 2)
|
||||
#define N_SB_RES (2*N_SB-1)
|
||||
|
||||
|
||||
#define KARATSUBA_N 64
|
||||
static void karatsuba_simple(const uint16_t *a_1, const uint16_t *b_1, uint16_t *result_final) {
|
||||
uint16_t d01[KARATSUBA_N / 2 - 1];
|
||||
uint16_t d0123[KARATSUBA_N / 2 - 1];
|
||||
uint16_t d23[KARATSUBA_N / 2 - 1];
|
||||
uint16_t result_d01[KARATSUBA_N - 1];
|
||||
|
||||
int32_t i, j;
|
||||
|
||||
memset(result_d01, 0, (KARATSUBA_N - 1)*sizeof(uint16_t));
|
||||
memset(d01, 0, (KARATSUBA_N / 2 - 1)*sizeof(uint16_t));
|
||||
memset(d0123, 0, (KARATSUBA_N / 2 - 1)*sizeof(uint16_t));
|
||||
memset(d23, 0, (KARATSUBA_N / 2 - 1)*sizeof(uint16_t));
|
||||
memset(result_final, 0, (2 * KARATSUBA_N - 1)*sizeof(uint16_t));
|
||||
|
||||
uint16_t acc1, acc2, acc3, acc4, acc5, acc6, acc7, acc8, acc9, acc10;
|
||||
|
||||
|
||||
for (i = 0; i < KARATSUBA_N / 4; i++) {
|
||||
acc1 = a_1[i]; //a0
|
||||
acc2 = a_1[i + KARATSUBA_N / 4]; //a1
|
||||
acc3 = a_1[i + 2 * KARATSUBA_N / 4]; //a2
|
||||
acc4 = a_1[i + 3 * KARATSUBA_N / 4]; //a3
|
||||
for (j = 0; j < KARATSUBA_N / 4; j++) {
|
||||
|
||||
acc5 = b_1[j]; //b0
|
||||
acc6 = b_1[j + KARATSUBA_N / 4]; //b1
|
||||
|
||||
result_final[i + j + 0 * KARATSUBA_N / 4] = result_final[i + j + 0 * KARATSUBA_N / 4] + acc1 * acc5;
|
||||
result_final[i + j + 2 * KARATSUBA_N / 4] = result_final[i + j + 2 * KARATSUBA_N / 4] + acc2 * acc6;
|
||||
|
||||
acc7 = acc5 + acc6; //b01
|
||||
acc8 = acc1 + acc2; //a01
|
||||
d01[i + j] = d01[i + j] + acc7 * acc8;
|
||||
//--------------------------------------------------------
|
||||
|
||||
acc7 = b_1[j + 2 * KARATSUBA_N / 4]; //b2
|
||||
acc8 = b_1[j + 3 * KARATSUBA_N / 4]; //b3
|
||||
result_final[i + j + 4 * KARATSUBA_N / 4] = result_final[i + j + 4 * KARATSUBA_N / 4] + acc7 * acc3;
|
||||
|
||||
result_final[i + j + 6 * KARATSUBA_N / 4] = result_final[i + j + 6 * KARATSUBA_N / 4] + acc8 * acc4;
|
||||
|
||||
acc9 = acc3 + acc4;
|
||||
acc10 = acc7 + acc8;
|
||||
d23[i + j] = d23[i + j] + acc9 * acc10;
|
||||
//--------------------------------------------------------
|
||||
|
||||
acc5 = acc5 + acc7; //b02
|
||||
acc7 = acc1 + acc3; //a02
|
||||
result_d01[i + j + 0 * KARATSUBA_N / 4] = result_d01[i + j + 0 * KARATSUBA_N / 4] + acc5 * acc7;
|
||||
|
||||
acc6 = acc6 + acc8; //b13
|
||||
acc8 = acc2 + acc4;
|
||||
result_d01[i + j + 2 * KARATSUBA_N / 4] = result_d01[i + j + 2 * KARATSUBA_N / 4] + acc6 * acc8;
|
||||
|
||||
acc5 = acc5 + acc6;
|
||||
acc7 = acc7 + acc8;
|
||||
d0123[i + j] = d0123[i + j] + acc5 * acc7;
|
||||
}
|
||||
}
|
||||
|
||||
// 2nd last stage
|
||||
|
||||
for (i = 0; i < KARATSUBA_N / 2 - 1; i++) {
|
||||
d0123[i] = d0123[i] - result_d01[i + 0 * KARATSUBA_N / 4] - result_d01[i + 2 * KARATSUBA_N / 4];
|
||||
d01[i] = d01[i] - result_final[i + 0 * KARATSUBA_N / 4] - result_final[i + 2 * KARATSUBA_N / 4];
|
||||
d23[i] = d23[i] - result_final[i + 4 * KARATSUBA_N / 4] - result_final[i + 6 * KARATSUBA_N / 4];
|
||||
}
|
||||
|
||||
for (i = 0; i < KARATSUBA_N / 2 - 1; i++) {
|
||||
result_d01[i + 1 * KARATSUBA_N / 4] = result_d01[i + 1 * KARATSUBA_N / 4] + d0123[i];
|
||||
result_final[i + 1 * KARATSUBA_N / 4] = result_final[i + 1 * KARATSUBA_N / 4] + d01[i];
|
||||
result_final[i + 5 * KARATSUBA_N / 4] = result_final[i + 5 * KARATSUBA_N / 4] + d23[i];
|
||||
}
|
||||
|
||||
// Last stage
|
||||
for (i = 0; i < KARATSUBA_N - 1; i++) {
|
||||
result_d01[i] = result_d01[i] - result_final[i] - result_final[i + KARATSUBA_N];
|
||||
}
|
||||
|
||||
for (i = 0; i < KARATSUBA_N - 1; i++) {
|
||||
result_final[i + 1 * KARATSUBA_N / 2] = result_final[i + 1 * KARATSUBA_N / 2] + result_d01[i];
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
static void toom_cook_4way (const uint16_t *a1, const uint16_t *b1, uint16_t *result) {
|
||||
uint16_t inv3 = 43691, inv9 = 36409, inv15 = 61167;
|
||||
|
||||
uint16_t aw1[N_SB], aw2[N_SB], aw3[N_SB], aw4[N_SB], aw5[N_SB], aw6[N_SB], aw7[N_SB];
|
||||
uint16_t bw1[N_SB], bw2[N_SB], bw3[N_SB], bw4[N_SB], bw5[N_SB], bw6[N_SB], bw7[N_SB];
|
||||
uint16_t w1[N_SB_RES] = {0}, w2[N_SB_RES] = {0}, w3[N_SB_RES] = {0}, w4[N_SB_RES] = {0},
|
||||
w5[N_SB_RES] = {0}, w6[N_SB_RES] = {0}, w7[N_SB_RES] = {0};
|
||||
uint16_t r0, r1, r2, r3, r4, r5, r6, r7;
|
||||
uint16_t *A0, *A1, *A2, *A3, *B0, *B1, *B2, *B3;
|
||||
A0 = (uint16_t *)a1;
|
||||
A1 = (uint16_t *)&a1[N_SB];
|
||||
A2 = (uint16_t *)&a1[2 * N_SB];
|
||||
A3 = (uint16_t *)&a1[3 * N_SB];
|
||||
B0 = (uint16_t *)b1;
|
||||
B1 = (uint16_t *)&b1[N_SB];
|
||||
B2 = (uint16_t *)&b1[2 * N_SB];
|
||||
B3 = (uint16_t *)&b1[3 * N_SB];
|
||||
|
||||
uint16_t *C;
|
||||
C = result;
|
||||
|
||||
int i, j;
|
||||
|
||||
// EVALUATION
|
||||
for (j = 0; j < N_SB; ++j) {
|
||||
r0 = A0[j];
|
||||
r1 = A1[j];
|
||||
r2 = A2[j];
|
||||
r3 = A3[j];
|
||||
r4 = r0 + r2;
|
||||
r5 = r1 + r3;
|
||||
r6 = r4 + r5;
|
||||
r7 = r4 - r5;
|
||||
aw3[j] = r6;
|
||||
aw4[j] = r7;
|
||||
r4 = ((r0 << 2) + r2) << 1;
|
||||
r5 = (r1 << 2) + r3;
|
||||
r6 = r4 + r5;
|
||||
r7 = r4 - r5;
|
||||
aw5[j] = r6;
|
||||
aw6[j] = r7;
|
||||
r4 = (r3 << 3) + (r2 << 2) + (r1 << 1) + r0;
|
||||
aw2[j] = r4;
|
||||
aw7[j] = r0;
|
||||
aw1[j] = r3;
|
||||
}
|
||||
for (j = 0; j < N_SB; ++j) {
|
||||
r0 = B0[j];
|
||||
r1 = B1[j];
|
||||
r2 = B2[j];
|
||||
r3 = B3[j];
|
||||
r4 = r0 + r2;
|
||||
r5 = r1 + r3;
|
||||
r6 = r4 + r5;
|
||||
r7 = r4 - r5;
|
||||
bw3[j] = r6;
|
||||
bw4[j] = r7;
|
||||
r4 = ((r0 << 2) + r2) << 1;
|
||||
r5 = (r1 << 2) + r3;
|
||||
r6 = r4 + r5;
|
||||
r7 = r4 - r5;
|
||||
bw5[j] = r6;
|
||||
bw6[j] = r7;
|
||||
r4 = (r3 << 3) + (r2 << 2) + (r1 << 1) + r0;
|
||||
bw2[j] = r4;
|
||||
bw7[j] = r0;
|
||||
bw1[j] = r3;
|
||||
}
|
||||
|
||||
// MULTIPLICATION
|
||||
|
||||
karatsuba_simple(aw1, bw1, w1);
|
||||
karatsuba_simple(aw2, bw2, w2);
|
||||
karatsuba_simple(aw3, bw3, w3);
|
||||
karatsuba_simple(aw4, bw4, w4);
|
||||
karatsuba_simple(aw5, bw5, w5);
|
||||
karatsuba_simple(aw6, bw6, w6);
|
||||
karatsuba_simple(aw7, bw7, w7);
|
||||
|
||||
// INTERPOLATION
|
||||
for (i = 0; i < N_SB_RES; ++i) {
|
||||
r0 = w1[i];
|
||||
r1 = w2[i];
|
||||
r2 = w3[i];
|
||||
r3 = w4[i];
|
||||
r4 = w5[i];
|
||||
r5 = w6[i];
|
||||
r6 = w7[i];
|
||||
|
||||
r1 = r1 + r4;
|
||||
r5 = r5 - r4;
|
||||
r3 = ((r3 - r2) >> 1);
|
||||
r4 = r4 - r0;
|
||||
r4 = r4 - (r6 << 6);
|
||||
r4 = (r4 << 1) + r5;
|
||||
r2 = r2 + r3;
|
||||
r1 = r1 - (r2 << 6) - r2;
|
||||
r2 = r2 - r6;
|
||||
r2 = r2 - r0;
|
||||
r1 = r1 + 45 * r2;
|
||||
r4 = (((r4 - (r2 << 3)) * inv3) >> 3);
|
||||
r5 = r5 + r1;
|
||||
r1 = (((r1 + (r3 << 4)) * inv9) >> 1);
|
||||
r3 = -(r3 + r1);
|
||||
r5 = (((30 * r1 - r5) * inv15) >> 2);
|
||||
r2 = r2 - r4;
|
||||
r1 = r1 - r5;
|
||||
|
||||
C[i] += r6;
|
||||
C[i + 64] += r5;
|
||||
C[i + 128] += r4;
|
||||
C[i + 192] += r3;
|
||||
C[i + 256] += r2;
|
||||
C[i + 320] += r1;
|
||||
C[i + 384] += r0;
|
||||
}
|
||||
}
|
||||
|
||||
void PQCLEAN_FIRESABER_CLEAN_pol_mul(uint16_t *a, uint16_t *b, uint16_t *res, uint16_t p, uint32_t n)
|
||||
|
||||
{
|
||||
uint32_t i;
|
||||
// normal multiplication
|
||||
uint16_t c[512];
|
||||
|
||||
for (i = 0; i < 512; i++) {
|
||||
c[i] = 0;
|
||||
}
|
||||
|
||||
toom_cook_4way(a, b, c);
|
||||
|
||||
// reduction
|
||||
for (i = n; i < 2 * n; i++) {
|
||||
res[i - n] = (c[i - n] - c[i]) & (p - 1);
|
||||
}
|
||||
|
||||
|
||||
}
|
@ -0,0 +1,9 @@
|
||||
#ifndef POLYMUL_H
|
||||
#define POLYMUL_H
|
||||
|
||||
#include "SABER_params.h"
|
||||
#include <stdint.h>
|
||||
|
||||
void PQCLEAN_FIRESABER_CLEAN_pol_mul(uint16_t *a, uint16_t *b, uint16_t *res, uint16_t p, uint32_t n);
|
||||
|
||||
#endif
|
@ -0,0 +1,34 @@
|
||||
/*-------------------------------------------------
|
||||
This file has been adapted from the implementation
|
||||
(available at https://github.com/pq-crystals/kyber) of
|
||||
"CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM"
|
||||
by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint,
|
||||
Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle
|
||||
----------------------------------------------------*/
|
||||
#include "verify.h"
|
||||
#include <stdint.h>
|
||||
|
||||
/* returns 0 for equal strings, 1 for non-equal strings */
|
||||
unsigned char PQCLEAN_FIRESABER_CLEAN_verify(const unsigned char *a, const unsigned char *b, size_t len) {
|
||||
uint64_t r;
|
||||
size_t i;
|
||||
|
||||
r = 0;
|
||||
for (i = 0; i < len; i++) {
|
||||
r |= a[i] ^ b[i];
|
||||
}
|
||||
|
||||
r = (~r + 1); // Two's complement
|
||||
r >>= 63;
|
||||
return (unsigned char)r;
|
||||
}
|
||||
|
||||
/* b = 1 means mov, b = 0 means don't mov*/
|
||||
void PQCLEAN_FIRESABER_CLEAN_cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b) {
|
||||
size_t i;
|
||||
|
||||
b = -b;
|
||||
for (i = 0; i < len; i++) {
|
||||
r[i] ^= b & (x[i] ^ r[i]);
|
||||
}
|
||||
}
|
@ -0,0 +1,21 @@
|
||||
#ifndef VERIFY_H
|
||||
#define VERIFY_H
|
||||
|
||||
/*-------------------------------------------------
|
||||
This file has been adapted from the implementation
|
||||
(available at https://github.com/pq-crystals/kyber) of
|
||||
"CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM"
|
||||
by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint,
|
||||
Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle
|
||||
----------------------------------------------------*/
|
||||
|
||||
#include <stddef.h>
|
||||
#include <stdint.h>
|
||||
|
||||
/* returns 0 for equal strings, 1 for non-equal strings */
|
||||
unsigned char PQCLEAN_FIRESABER_CLEAN_verify(const unsigned char *a, const unsigned char *b, size_t len);
|
||||
|
||||
/* b = 1 means mov, b = 0 means don't mov*/
|
||||
void PQCLEAN_FIRESABER_CLEAN_cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b);
|
||||
|
||||
#endif
|
17
crypto_kem/lightsaber/META.yml
普通文件
17
crypto_kem/lightsaber/META.yml
普通文件
@ -0,0 +1,17 @@
|
||||
name: LightSaber
|
||||
type: kem
|
||||
claimed-nist-level: 1
|
||||
claimed-security: IND-CCA2
|
||||
length-public-key: 672
|
||||
length-ciphertext: 736
|
||||
length-secret-key: 1568
|
||||
length-shared-secret: 32
|
||||
nistkat-sha256: dc2233ae221cfabbb1db5ab1a76c93967d37de9f87a8092561f95ab28eff6061
|
||||
principal-submitters:
|
||||
- Jan-Pieter D'Anvers
|
||||
- Angshuman Karmakar
|
||||
- Sujoy Sinha Roy
|
||||
- Frederik Vercauteren
|
||||
implementations:
|
||||
- name: clean
|
||||
version: https://github.com/KULeuven-COSIC/SABER/commit/14ede83f1ff3bcc41f0464543542366c68b55871
|
@ -0,0 +1,8 @@
|
||||
----------------------------------------------------------------------------------------
|
||||
SABER_v1.1
|
||||
|
||||
Public domain
|
||||
|
||||
Authors: Jan-Pieter D'Anvers, Angshuman Karmakar, Sujoy Sinha Roy,
|
||||
Frederik Vercauteren
|
||||
----------------------------------------------------------------------------------------
|
@ -0,0 +1,19 @@
|
||||
# This Makefile can be used with GNU Make or BSD Make
|
||||
|
||||
LIB=liblightsaber_clean.a
|
||||
HEADERS=api.h cbd.h poly.h poly_mul.h SABER_indcpa.h SABER_params.h verify.h pack_unpack.h
|
||||
OBJECTS=cbd.o kem.o pack_unpack.o poly.o poly_mul.o SABER_indcpa.o verify.o
|
||||
|
||||
CFLAGS=-O3 -Wall -Wextra -Wpedantic -Werror -Wmissing-prototypes -Wredundant-decls -std=c99 -I../../../common $(EXTRAFLAGS)
|
||||
|
||||
all: $(LIB)
|
||||
|
||||
%.o: %.c $(HEADERS)
|
||||
$(CC) $(CFLAGS) -c -o $@ $<
|
||||
|
||||
$(LIB): $(OBJECTS)
|
||||
$(AR) -r $@ $(OBJECTS)
|
||||
|
||||
clean:
|
||||
$(RM) $(OBJECTS)
|
||||
$(RM) $(LIB)
|
@ -0,0 +1,19 @@
|
||||
# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
|
||||
# nmake /f Makefile.Microsoft_nmake
|
||||
|
||||
LIBRARY=liblightsaber_clean.lib
|
||||
OBJECTS=cbd.obj kem.obj pack_unpack.obj poly.obj poly_mul.obj SABER_indcpa.obj verify.obj
|
||||
|
||||
CFLAGS=/nologo /I ..\..\..\common /W4 /WX
|
||||
|
||||
all: $(LIBRARY)
|
||||
|
||||
# Make sure objects are recompiled if headers change.
|
||||
$(OBJECTS): *.h
|
||||
|
||||
$(LIBRARY): $(OBJECTS)
|
||||
LIB.EXE /NOLOGO /WX /OUT:$@ $**
|
||||
|
||||
clean:
|
||||
-DEL $(OBJECTS)
|
||||
-DEL $(LIBRARY)
|
@ -0,0 +1,298 @@
|
||||
#include "SABER_indcpa.h"
|
||||
#include "SABER_params.h"
|
||||
#include "fips202.h"
|
||||
#include "pack_unpack.h"
|
||||
#include "poly.h"
|
||||
#include "poly_mul.h"
|
||||
#include "randombytes.h"
|
||||
#include <stdint.h>
|
||||
#include <string.h>
|
||||
|
||||
|
||||
|
||||
/*-----------------------------------------------------------------------------------
|
||||
This routine generates a=[Matrix K x K] of 256-coefficient polynomials
|
||||
-------------------------------------------------------------------------------------*/
|
||||
|
||||
#define h1 4 //2^(EQ-EP-1)
|
||||
|
||||
#define h2 ( (1<<(SABER_EP-2)) - (1<<(SABER_EP-SABER_ET-1)) + (1<<(SABER_EQ-SABER_EP-1)) )
|
||||
|
||||
static void InnerProd(uint16_t pkcl[SABER_K][SABER_N], uint16_t skpv[SABER_K][SABER_N], uint16_t mod, uint16_t res[SABER_N]);
|
||||
static void MatrixVectorMul(polyvec *a, uint16_t skpv[SABER_K][SABER_N], uint16_t res[SABER_K][SABER_N], uint16_t mod, int16_t transpose);
|
||||
|
||||
static void POL2MSG(const uint16_t *message_dec_unpacked, unsigned char *message_dec);
|
||||
|
||||
static void GenMatrix(polyvec *a, const unsigned char *seed) {
|
||||
unsigned char buf[SABER_K * SABER_K * (13 * SABER_N / 8)];
|
||||
|
||||
uint16_t temp_ar[SABER_N];
|
||||
|
||||
int i, j, k;
|
||||
uint16_t mod = (SABER_Q - 1);
|
||||
|
||||
shake128(buf, sizeof(buf), seed, SABER_SEEDBYTES);
|
||||
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
for (j = 0; j < SABER_K; j++) {
|
||||
PQCLEAN_LIGHTSABER_CLEAN_BS2POL(buf + (i * SABER_K + j) * (13 * SABER_N / 8), temp_ar);
|
||||
for (k = 0; k < SABER_N; k++) {
|
||||
a[i].vec[j].coeffs[k] = (temp_ar[k])& mod ;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_keypair(unsigned char *pk, unsigned char *sk) {
|
||||
polyvec a[SABER_K];
|
||||
|
||||
uint16_t skpv[SABER_K][SABER_N];
|
||||
|
||||
unsigned char seed[SABER_SEEDBYTES];
|
||||
unsigned char noiseseed[SABER_COINBYTES];
|
||||
int32_t i, j;
|
||||
uint16_t mod_q = SABER_Q - 1;
|
||||
|
||||
|
||||
uint16_t res[SABER_K][SABER_N];
|
||||
|
||||
randombytes(seed, SABER_SEEDBYTES);
|
||||
|
||||
// for not revealing system RNG state
|
||||
shake128(seed, SABER_SEEDBYTES, seed, SABER_SEEDBYTES);
|
||||
randombytes(noiseseed, SABER_COINBYTES);
|
||||
|
||||
GenMatrix(a, seed); //sample matrix A
|
||||
|
||||
// generate secret from constant-time binomial distribution
|
||||
PQCLEAN_LIGHTSABER_CLEAN_GenSecret(skpv, noiseseed);
|
||||
|
||||
// do the matrix vector multiplication and rounding
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
for (j = 0; j < SABER_N; j++) {
|
||||
res[i][j] = 0;
|
||||
}
|
||||
}
|
||||
MatrixVectorMul(a, skpv, res, SABER_Q - 1, 1);
|
||||
|
||||
// now rounding
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
for (j = 0; j < SABER_N; j++) {
|
||||
// shift right 3 bits
|
||||
res[i][j] = (res[i][j] + h1) & (mod_q);
|
||||
res[i][j] = (res[i][j] >> (SABER_EQ - SABER_EP));
|
||||
}
|
||||
}
|
||||
|
||||
// unload and pack sk=3 x (256 coefficients of 14 bits)
|
||||
PQCLEAN_LIGHTSABER_CLEAN_POLVEC2BS(sk, skpv, SABER_Q);
|
||||
|
||||
// unload and pack pk=256 bits seed and 3 x (256 coefficients of 11 bits)
|
||||
// load the public-key coefficients
|
||||
PQCLEAN_LIGHTSABER_CLEAN_POLVEC2BS(pk, res, SABER_P);
|
||||
|
||||
|
||||
// now load the seedbytes in PK. Easy since seed bytes are kept in byte format.
|
||||
for (i = 0; i < SABER_SEEDBYTES; i++) {
|
||||
pk[SABER_POLYVECCOMPRESSEDBYTES + i] = seed[i];
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
||||
void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_enc(const unsigned char *message_received, unsigned char *noiseseed, const unsigned char *pk, unsigned char *ciphertext) {
|
||||
uint32_t i, j, k;
|
||||
polyvec a[SABER_K];
|
||||
unsigned char seed[SABER_SEEDBYTES];
|
||||
// public key of received by the client
|
||||
uint16_t pkcl[SABER_K][SABER_N];
|
||||
uint16_t skpv1[SABER_K][SABER_N];
|
||||
uint16_t message[SABER_KEYBYTES * 8];
|
||||
uint16_t res[SABER_K][SABER_N];
|
||||
uint16_t mod_p = SABER_P - 1;
|
||||
uint16_t mod_q = SABER_Q - 1;
|
||||
uint16_t vprime[SABER_N];
|
||||
unsigned char msk_c[SABER_SCALEBYTES_KEM];
|
||||
|
||||
// extract the seedbytes from Public Key.
|
||||
for (i = 0; i < SABER_SEEDBYTES; i++) {
|
||||
seed[i] = pk[ SABER_POLYVECCOMPRESSEDBYTES + i];
|
||||
}
|
||||
|
||||
GenMatrix(a, seed);
|
||||
|
||||
// generate secret from constant-time binomial distribution
|
||||
PQCLEAN_LIGHTSABER_CLEAN_GenSecret(skpv1, noiseseed);
|
||||
|
||||
// matrix-vector multiplication and rounding
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
for (j = 0; j < SABER_N; j++) {
|
||||
res[i][j] = 0;
|
||||
}
|
||||
}
|
||||
MatrixVectorMul(a, skpv1, res, SABER_Q - 1, 0);
|
||||
|
||||
// now rounding
|
||||
//shift right 3 bits
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
for (j = 0; j < SABER_N; j++) {
|
||||
res[i][j] = ( res[i][j] + h1 ) & mod_q;
|
||||
res[i][j] = (res[i][j] >> (SABER_EQ - SABER_EP) );
|
||||
}
|
||||
}
|
||||
|
||||
PQCLEAN_LIGHTSABER_CLEAN_POLVEC2BS(ciphertext, res, SABER_P);
|
||||
|
||||
// ************client matrix-vector multiplication ends************
|
||||
|
||||
// now calculate the v'
|
||||
// unpack the public_key
|
||||
// pkcl is the b in the protocol
|
||||
PQCLEAN_LIGHTSABER_CLEAN_BS2POLVEC(pk, pkcl, SABER_P);
|
||||
for (i = 0; i < SABER_N; i++) {
|
||||
vprime[i] = 0;
|
||||
}
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
for (j = 0; j < SABER_N; j++) {
|
||||
skpv1[i][j] = skpv1[i][j] & (mod_p);
|
||||
}
|
||||
}
|
||||
|
||||
// vector-vector scalar multiplication with mod p
|
||||
InnerProd(pkcl, skpv1, mod_p, vprime);
|
||||
|
||||
// addition of h1 to vprime
|
||||
for (i = 0; i < SABER_N; i++) {
|
||||
vprime[i] = vprime[i] + h1;
|
||||
}
|
||||
|
||||
// unpack message_received;
|
||||
for (j = 0; j < SABER_KEYBYTES; j++) {
|
||||
for (i = 0; i < 8; i++) {
|
||||
message[8 * j + i] = ((message_received[j] >> i) & 0x01);
|
||||
}
|
||||
}
|
||||
|
||||
// message encoding
|
||||
for (i = 0; i < SABER_N; i++) {
|
||||
message[i] = (message[i] << (SABER_EP - 1));
|
||||
}
|
||||
|
||||
for (k = 0; k < SABER_N; k++) {
|
||||
vprime[k] = ( (vprime[k] - message[k]) & (mod_p) ) >> (SABER_EP - SABER_ET);
|
||||
}
|
||||
|
||||
|
||||
PQCLEAN_LIGHTSABER_CLEAN_pack_3bit(msk_c, vprime);
|
||||
|
||||
for (j = 0; j < SABER_SCALEBYTES_KEM; j++) {
|
||||
ciphertext[SABER_POLYVECCOMPRESSEDBYTES + j] = msk_c[j];
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_dec(const unsigned char *sk, const unsigned char *ciphertext, unsigned char message_dec[]) {
|
||||
uint32_t i, j;
|
||||
// secret key of the server
|
||||
uint16_t sksv[SABER_K][SABER_N];
|
||||
uint16_t pksv[SABER_K][SABER_N];
|
||||
uint8_t scale_ar[SABER_SCALEBYTES_KEM];
|
||||
uint16_t mod_p = SABER_P - 1;
|
||||
uint16_t v[SABER_N];
|
||||
uint16_t op[SABER_N];
|
||||
|
||||
// sksv is the secret-key
|
||||
PQCLEAN_LIGHTSABER_CLEAN_BS2POLVEC(sk, sksv, SABER_Q);
|
||||
// pksv is the ciphertext
|
||||
PQCLEAN_LIGHTSABER_CLEAN_BS2POLVEC(ciphertext, pksv, SABER_P);
|
||||
|
||||
// vector-vector scalar multiplication with mod p
|
||||
for (i = 0; i < SABER_N; i++) {
|
||||
v[i] = 0;
|
||||
}
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
for (j = 0; j < SABER_N; j++) {
|
||||
sksv[i][j] = sksv[i][j] & (mod_p);
|
||||
}
|
||||
}
|
||||
InnerProd(pksv, sksv, mod_p, v);
|
||||
|
||||
//Extraction
|
||||
for (i = 0; i < SABER_SCALEBYTES_KEM; i++) {
|
||||
scale_ar[i] = ciphertext[SABER_POLYVECCOMPRESSEDBYTES + i];
|
||||
}
|
||||
|
||||
PQCLEAN_LIGHTSABER_CLEAN_un_pack3bit(scale_ar, op);
|
||||
|
||||
//addition of h1
|
||||
for (i = 0; i < SABER_N; i++) {
|
||||
v[i] = ( ( v[i] + h2 - (op[i] << (SABER_EP - SABER_ET)) ) & (mod_p) ) >> (SABER_EP - 1);
|
||||
}
|
||||
|
||||
// pack decrypted message
|
||||
POL2MSG(v, message_dec);
|
||||
}
|
||||
static void MatrixVectorMul(polyvec *a, uint16_t skpv[SABER_K][SABER_N], uint16_t res[SABER_K][SABER_N], uint16_t mod, int16_t transpose) {
|
||||
uint16_t acc[SABER_N];
|
||||
int32_t i, j, k;
|
||||
|
||||
if (transpose == 1) {
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
for (j = 0; j < SABER_K; j++) {
|
||||
PQCLEAN_LIGHTSABER_CLEAN_pol_mul((uint16_t *)&a[j].vec[i], skpv[j], acc, SABER_Q, SABER_N);
|
||||
|
||||
for (k = 0; k < SABER_N; k++) {
|
||||
res[i][k] = res[i][k] + acc[k];
|
||||
//reduction mod p
|
||||
res[i][k] = (res[i][k] & mod);
|
||||
//clear the accumulator
|
||||
acc[k] = 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
} else {
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
for (j = 0; j < SABER_K; j++) {
|
||||
PQCLEAN_LIGHTSABER_CLEAN_pol_mul((uint16_t *)&a[i].vec[j], skpv[j], acc, SABER_Q, SABER_N);
|
||||
for (k = 0; k < SABER_N; k++) {
|
||||
res[i][k] = res[i][k] + acc[k];
|
||||
// reduction
|
||||
res[i][k] = res[i][k] & mod;
|
||||
// clear the accumulator
|
||||
acc[k] = 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
static void POL2MSG(const uint16_t *message_dec_unpacked, unsigned char *message_dec) {
|
||||
int32_t i, j;
|
||||
|
||||
for (j = 0; j < SABER_KEYBYTES; j++) {
|
||||
message_dec[j] = 0;
|
||||
for (i = 0; i < 8; i++) {
|
||||
message_dec[j] = message_dec[j] | (uint8_t) (message_dec_unpacked[j * 8 + i] << i);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
static void InnerProd(uint16_t pkcl[SABER_K][SABER_N], uint16_t skpv[SABER_K][SABER_N], uint16_t mod, uint16_t res[SABER_N]) {
|
||||
uint32_t j, k;
|
||||
uint16_t acc[SABER_N];
|
||||
|
||||
// vector-vector scalar multiplication with mod p
|
||||
for (j = 0; j < SABER_K; j++) {
|
||||
PQCLEAN_LIGHTSABER_CLEAN_pol_mul(pkcl[j], skpv[j], acc, SABER_P, SABER_N);
|
||||
|
||||
for (k = 0; k < SABER_N; k++) {
|
||||
res[k] = res[k] + acc[k];
|
||||
// reduction
|
||||
res[k] = res[k] & mod;
|
||||
// clear the accumulator
|
||||
acc[k] = 0;
|
||||
}
|
||||
}
|
||||
}
|
@ -0,0 +1,9 @@
|
||||
#ifndef INDCPA_H
|
||||
#define INDCPA_H
|
||||
|
||||
void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_keypair(unsigned char *pk, unsigned char *sk);
|
||||
void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_enc(const unsigned char *message, unsigned char *noiseseed, const unsigned char *pk, unsigned char *ciphertext);
|
||||
void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_dec(const unsigned char *sk, const unsigned char *ciphertext, unsigned char *message_dec);
|
||||
|
||||
#endif
|
||||
|
@ -0,0 +1,50 @@
|
||||
#ifndef PARAMS_H
|
||||
#define PARAMS_H
|
||||
|
||||
#include "api.h"
|
||||
|
||||
#define SABER_K 2
|
||||
#define SABER_MU 10
|
||||
#define SABER_ET 3
|
||||
|
||||
|
||||
#define SABER_EQ 13
|
||||
#define SABER_EP 10
|
||||
|
||||
#define SABER_N 256
|
||||
#define SABER_Q 8192
|
||||
#define SABER_P 1024
|
||||
|
||||
#define SABER_SEEDBYTES 32
|
||||
#define SABER_NOISESEEDBYTES 32
|
||||
#define SABER_COINBYTES 32
|
||||
#define SABER_KEYBYTES 32
|
||||
|
||||
#define SABER_HASHBYTES 32
|
||||
|
||||
#define SABER_POLYBYTES 416 //13*256/8
|
||||
|
||||
#define SABER_POLYVECBYTES (SABER_K * SABER_POLYBYTES)
|
||||
|
||||
#define SABER_POLYVECCOMPRESSEDBYTES (SABER_K * 320) //10*256/8 NOTE : changed till here due to parameter adaptation
|
||||
|
||||
#define SABER_CIPHERTEXTBYTES (SABER_POLYVECCOMPRESSEDBYTES)
|
||||
|
||||
#define SABER_SCALEBYTES (SABER_DELTA*SABER_N/8)
|
||||
|
||||
#define SABER_SCALEBYTES_KEM ((SABER_ET)*SABER_N/8)
|
||||
|
||||
#define SABER_INDCPA_PUBLICKEYBYTES (SABER_POLYVECCOMPRESSEDBYTES + SABER_SEEDBYTES)
|
||||
#define SABER_INDCPA_SECRETKEYBYTES (SABER_POLYVECBYTES)
|
||||
|
||||
#define SABER_PUBLICKEYBYTES (SABER_INDCPA_PUBLICKEYBYTES)
|
||||
|
||||
#define SABER_SECRETKEYBYTES (SABER_INDCPA_SECRETKEYBYTES + SABER_INDCPA_PUBLICKEYBYTES + SABER_HASHBYTES + SABER_KEYBYTES)
|
||||
|
||||
#define SABER_BYTES_CCA_DEC (SABER_POLYVECCOMPRESSEDBYTES + SABER_SCALEBYTES_KEM) /* Second part is for Targhi-Unruh */
|
||||
|
||||
|
||||
|
||||
|
||||
#endif
|
||||
|
@ -0,0 +1,14 @@
|
||||
#ifndef PQCLEAN_LIGHTSABER_CLEAN_API_H
|
||||
#define PQCLEAN_LIGHTSABER_CLEAN_API_H
|
||||
|
||||
#define PQCLEAN_LIGHTSABER_CLEAN_CRYPTO_ALGNAME "LightSaber"
|
||||
#define PQCLEAN_LIGHTSABER_CLEAN_CRYPTO_SECRETKEYBYTES 1568
|
||||
#define PQCLEAN_LIGHTSABER_CLEAN_CRYPTO_PUBLICKEYBYTES (2*320+32)
|
||||
#define PQCLEAN_LIGHTSABER_CLEAN_CRYPTO_BYTES 32
|
||||
#define PQCLEAN_LIGHTSABER_CLEAN_CRYPTO_CIPHERTEXTBYTES 736
|
||||
|
||||
int PQCLEAN_LIGHTSABER_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk);
|
||||
int PQCLEAN_LIGHTSABER_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk);
|
||||
int PQCLEAN_LIGHTSABER_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk);
|
||||
|
||||
#endif /* api_h */
|
@ -0,0 +1,51 @@
|
||||
/*---------------------------------------------------------------------
|
||||
This file has been adapted from the implementation
|
||||
(available at, Public Domain https://github.com/pq-crystals/kyber)
|
||||
of "CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM"
|
||||
by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint,
|
||||
Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle
|
||||
----------------------------------------------------------------------*/
|
||||
|
||||
#include "SABER_params.h"
|
||||
#include "api.h"
|
||||
#include "cbd.h"
|
||||
#include <stdint.h>
|
||||
|
||||
static uint64_t load_littleendian(const unsigned char *x, int bytes) {
|
||||
int i;
|
||||
uint64_t r = x[0];
|
||||
for (i = 1; i < bytes; i++) {
|
||||
r |= (uint64_t)x[i] << (8 * i);
|
||||
}
|
||||
return r;
|
||||
}
|
||||
|
||||
|
||||
void PQCLEAN_LIGHTSABER_CLEAN_cbd(uint16_t *r, const unsigned char *buf) {
|
||||
uint16_t Qmod_minus1 = SABER_Q - 1;
|
||||
|
||||
uint64_t t, d, a[4], b[4];
|
||||
int i, j;
|
||||
|
||||
for (i = 0; i < SABER_N / 4; i++) {
|
||||
t = load_littleendian(buf + 5 * i, 5);
|
||||
d = 0;
|
||||
for (j = 0; j < 5; j++) {
|
||||
d += (t >> j) & 0x0842108421UL;
|
||||
}
|
||||
|
||||
a[0] = d & 0x1f;
|
||||
b[0] = (d >> 5) & 0x1f;
|
||||
a[1] = (d >> 10) & 0x1f;
|
||||
b[1] = (d >> 15) & 0x1f;
|
||||
a[2] = (d >> 20) & 0x1f;
|
||||
b[2] = (d >> 25) & 0x1f;
|
||||
a[3] = (d >> 30) & 0x1f;
|
||||
b[3] = (d >> 35);
|
||||
|
||||
r[4 * i + 0] = (uint16_t)(a[0] - b[0]) & Qmod_minus1;
|
||||
r[4 * i + 1] = (uint16_t)(a[1] - b[1]) & Qmod_minus1;
|
||||
r[4 * i + 2] = (uint16_t)(a[2] - b[2]) & Qmod_minus1;
|
||||
r[4 * i + 3] = (uint16_t)(a[3] - b[3]) & Qmod_minus1;
|
||||
}
|
||||
}
|
@ -0,0 +1,17 @@
|
||||
#ifndef CBD_H
|
||||
#define CBD_H
|
||||
|
||||
/*---------------------------------------------------------------------
|
||||
This file has been adapted from the implementation
|
||||
(available at, Public Domain https://github.com/pq-crystals/kyber)
|
||||
of "CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM"
|
||||
by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint,
|
||||
Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle
|
||||
----------------------------------------------------------------------*/
|
||||
|
||||
#include "poly.h"
|
||||
#include <stdint.h>
|
||||
|
||||
void PQCLEAN_LIGHTSABER_CLEAN_cbd(uint16_t *r, const unsigned char *buf);
|
||||
|
||||
#endif
|
@ -0,0 +1,96 @@
|
||||
#include "SABER_indcpa.h"
|
||||
#include "SABER_params.h"
|
||||
#include "fips202.h"
|
||||
#include "randombytes.h"
|
||||
#include "verify.h"
|
||||
#include <stdint.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
|
||||
int PQCLEAN_LIGHTSABER_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) {
|
||||
int i;
|
||||
|
||||
// sk[0:SABER_INDCPA_SECRETKEYBYTES-1] <-- sk
|
||||
PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_keypair(pk, sk);
|
||||
|
||||
// sk[SABER_INDCPA_SECRETKEYBYTES:SABER_INDCPA_SECRETKEYBYTES+SABER_INDCPA_SECRETKEYBYTES-1] <-- pk
|
||||
for (i = 0; i < SABER_INDCPA_PUBLICKEYBYTES; i++) {
|
||||
sk[i + SABER_INDCPA_SECRETKEYBYTES] = pk[i];
|
||||
}
|
||||
|
||||
// Then hash(pk) is appended.
|
||||
sha3_256(sk + SABER_SECRETKEYBYTES - 64, pk, SABER_INDCPA_PUBLICKEYBYTES);
|
||||
|
||||
// Remaining part of sk contains a pseudo-random number.
|
||||
// This is output when check in crypto_kem_dec() fails.
|
||||
randombytes(sk + SABER_SECRETKEYBYTES - SABER_KEYBYTES, SABER_KEYBYTES );
|
||||
return (0);
|
||||
}
|
||||
|
||||
int PQCLEAN_LIGHTSABER_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) {
|
||||
// Will contain key, coins
|
||||
unsigned char kr[64];
|
||||
unsigned char buf[64];
|
||||
|
||||
randombytes(buf, 32);
|
||||
|
||||
// BUF[0:31] <-- random message (will be used as the key for client) Note: hash doesnot release system RNG output
|
||||
sha3_256(buf, buf, 32);
|
||||
|
||||
// BUF[32:63] <-- Hash(public key); Multitarget countermeasure for coins + contributory KEM
|
||||
sha3_256(buf + 32, pk, SABER_INDCPA_PUBLICKEYBYTES);
|
||||
|
||||
// kr[0:63] <-- Hash(buf[0:63]);
|
||||
sha3_512(kr, buf, 64);
|
||||
|
||||
// K^ <-- kr[0:31]
|
||||
// noiseseed (r) <-- kr[32:63];
|
||||
// buf[0:31] contains message; kr[32:63] contains randomness r;
|
||||
PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_enc(buf, kr + 32, pk, ct);
|
||||
|
||||
sha3_256(kr + 32, ct, SABER_BYTES_CCA_DEC);
|
||||
|
||||
// hash concatenation of pre-k and h(c) to k
|
||||
sha3_256(ss, kr, 64);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
|
||||
int PQCLEAN_LIGHTSABER_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) {
|
||||
int i;
|
||||
unsigned char fail;
|
||||
unsigned char cmp[SABER_BYTES_CCA_DEC];
|
||||
unsigned char buf[64];
|
||||
|
||||
// Will contain key, coins
|
||||
unsigned char kr[64];
|
||||
const unsigned char *pk = sk + SABER_INDCPA_SECRETKEYBYTES;
|
||||
|
||||
// buf[0:31] <-- message
|
||||
PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_dec(sk, ct, buf);
|
||||
|
||||
|
||||
// Multitarget countermeasure for coins + contributory KEM
|
||||
// Save hash by storing h(pk) in sk
|
||||
for (i = 0; i < 32; i++) {
|
||||
buf[32 + i] = sk[SABER_SECRETKEYBYTES - 64 + i];
|
||||
}
|
||||
|
||||
sha3_512(kr, buf, 64);
|
||||
|
||||
PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_enc(buf, kr + 32, pk, cmp);
|
||||
|
||||
|
||||
fail = PQCLEAN_LIGHTSABER_CLEAN_verify(ct, cmp, SABER_BYTES_CCA_DEC);
|
||||
|
||||
// overwrite coins in kr with h(c)
|
||||
sha3_256(kr + 32, ct, SABER_BYTES_CCA_DEC);
|
||||
|
||||
PQCLEAN_LIGHTSABER_CLEAN_cmov(kr, sk + SABER_SECRETKEYBYTES - SABER_KEYBYTES, SABER_KEYBYTES, fail);
|
||||
|
||||
// hash concatenation of pre-k and h(c) to k
|
||||
sha3_256(ss, kr, 64);
|
||||
|
||||
return (0);
|
||||
}
|
@ -0,0 +1,254 @@
|
||||
#include "pack_unpack.h"
|
||||
|
||||
void PQCLEAN_LIGHTSABER_CLEAN_pack_3bit(uint8_t *bytes, const uint16_t *data) {
|
||||
uint32_t j;
|
||||
uint32_t offset_data, offset_byte;
|
||||
|
||||
for (j = 0; j < SABER_N / 8; j++) {
|
||||
offset_byte = 3 * j;
|
||||
offset_data = 8 * j;
|
||||
bytes[offset_byte + 0] = (data[offset_data + 0] & 0x7) |
|
||||
((data[offset_data + 1] & 0x7) << 3) |
|
||||
((data[offset_data + 2] & 0x3) << 6);
|
||||
bytes[offset_byte + 1] = ((data[offset_data + 2] >> 2 ) & 0x01) |
|
||||
((data[offset_data + 3] & 0x7) << 1) |
|
||||
((data[offset_data + 4] & 0x7) << 4) |
|
||||
(((data[offset_data + 5]) & 0x01) << 7);
|
||||
bytes[offset_byte + 2] = ((data[offset_data + 5] >> 1 ) & 0x03) |
|
||||
((data[offset_data + 6] & 0x7) << 2) |
|
||||
((data[offset_data + 7] & 0x7) << 5);
|
||||
}
|
||||
}
|
||||
|
||||
void PQCLEAN_LIGHTSABER_CLEAN_un_pack3bit(const uint8_t *bytes, uint16_t *data) {
|
||||
uint32_t j;
|
||||
uint32_t offset_data, offset_byte;
|
||||
|
||||
for (j = 0; j < SABER_N / 8; j++) {
|
||||
offset_byte = 3 * j;
|
||||
offset_data = 8 * j;
|
||||
data[offset_data + 0] = (bytes[offset_byte + 0]) & 0x07;
|
||||
data[offset_data + 1] = ((bytes[offset_byte + 0]) >> 3 ) & 0x07;
|
||||
data[offset_data + 2] = (((bytes[offset_byte + 0]) >> 6 ) & 0x03) |
|
||||
(((bytes[offset_byte + 1]) & 0x01) << 2);
|
||||
data[offset_data + 3] = ((bytes[offset_byte + 1]) >> 1 ) & 0x07;
|
||||
data[offset_data + 4] = ((bytes[offset_byte + 1]) >> 4 ) & 0x07;
|
||||
data[offset_data + 5] = (((bytes[offset_byte + 1]) >> 7 ) & 0x01) |
|
||||
(((bytes[offset_byte + 2]) & 0x03) << 1);
|
||||
data[offset_data + 6] = ((bytes[offset_byte + 2] >> 2) & 0x07);
|
||||
data[offset_data + 7] = ((bytes[offset_byte + 2] >> 5) & 0x07);
|
||||
}
|
||||
}
|
||||
|
||||
void PQCLEAN_LIGHTSABER_CLEAN_pack_4bit(uint8_t *bytes, const uint16_t *data) {
|
||||
uint32_t j;
|
||||
uint32_t offset_data;
|
||||
|
||||
for (j = 0; j < SABER_N / 2; j++) {
|
||||
offset_data = 2 * j;
|
||||
bytes[j] = (data[offset_data] & 0x0f) |
|
||||
((data[offset_data + 1] & 0x0f) << 4);
|
||||
}
|
||||
}
|
||||
|
||||
void PQCLEAN_LIGHTSABER_CLEAN_un_pack4bit(const unsigned char *bytes, uint16_t *ar) {
|
||||
uint32_t j;
|
||||
uint32_t offset_data;
|
||||
|
||||
for (j = 0; j < SABER_N / 2; j++) {
|
||||
offset_data = 2 * j;
|
||||
ar[offset_data] = bytes[j] & 0x0f;
|
||||
ar[offset_data + 1] = (bytes[j] >> 4) & 0x0f;
|
||||
}
|
||||
}
|
||||
|
||||
void PQCLEAN_LIGHTSABER_CLEAN_pack_6bit(uint8_t *bytes, const uint16_t *data) {
|
||||
uint32_t j;
|
||||
uint32_t offset_data, offset_byte;
|
||||
|
||||
for (j = 0; j < SABER_N / 4; j++) {
|
||||
offset_byte = 3 * j;
|
||||
offset_data = 4 * j;
|
||||
bytes[offset_byte + 0] = (data[offset_data + 0] & 0x3f) |
|
||||
((data[offset_data + 1] & 0x03) << 6);
|
||||
bytes[offset_byte + 1] = ((data[offset_data + 1] >> 2) & 0x0f) |
|
||||
((data[offset_data + 2] & 0x0f) << 4);
|
||||
bytes[offset_byte + 2] = ((data[offset_data + 2] >> 4) & 0x03) |
|
||||
((data[offset_data + 3] & 0x3f) << 2);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
void PQCLEAN_LIGHTSABER_CLEAN_un_pack6bit(const unsigned char *bytes, uint16_t *data) {
|
||||
uint32_t j;
|
||||
uint32_t offset_data, offset_byte;
|
||||
|
||||
for (j = 0; j < SABER_N / 4; j++) {
|
||||
offset_byte = 3 * j;
|
||||
offset_data = 4 * j;
|
||||
data[offset_data + 0] = bytes[offset_byte + 0] & 0x3f;
|
||||
data[offset_data + 1] = ((bytes[offset_byte + 0] >> 6) & 0x03) |
|
||||
((bytes[offset_byte + 1] & 0x0f) << 2);
|
||||
data[offset_data + 2] = ((bytes[offset_byte + 1] & 0xff) >> 4) |
|
||||
((bytes[offset_byte + 2] & 0x03) << 4);
|
||||
data[offset_data + 3] = ((bytes[offset_byte + 2] & 0xff) >> 2);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
static void POLVECp2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N]) {
|
||||
uint32_t i, j;
|
||||
uint32_t offset_data, offset_byte, offset_byte1;
|
||||
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
offset_byte1 = i * (SABER_N * 10) / 8;
|
||||
for (j = 0; j < SABER_N / 4; j++) {
|
||||
offset_byte = offset_byte1 + 5 * j;
|
||||
offset_data = 4 * j;
|
||||
bytes[offset_byte + 0] = (data[i][offset_data + 0] & (0xff));
|
||||
bytes[offset_byte + 1] = ((data[i][offset_data + 0] >> 8) & 0x03) |
|
||||
((data[i][offset_data + 1] & 0x3f) << 2);
|
||||
bytes[offset_byte + 2] = ((data[i][offset_data + 1] >> 6) & 0x0f) |
|
||||
((data[i][offset_data + 2] & 0x0f) << 4);
|
||||
bytes[offset_byte + 3] = ((data[i][offset_data + 2] >> 4) & 0x3f) |
|
||||
((data[i][offset_data + 3] & 0x03) << 6);
|
||||
bytes[offset_byte + 4] = ((data[i][offset_data + 3] >> 2) & 0xff);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
static void BS2POLVECp(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N]) {
|
||||
uint32_t i, j;
|
||||
uint32_t offset_data, offset_byte, offset_byte1;
|
||||
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
offset_byte1 = i * (SABER_N * 10) / 8;
|
||||
for (j = 0; j < SABER_N / 4; j++) {
|
||||
offset_byte = offset_byte1 + 5 * j;
|
||||
offset_data = 4 * j;
|
||||
data[i][offset_data + 0] = (bytes[offset_byte + 0] & (0xff)) |
|
||||
((bytes[offset_byte + 1] & 0x03) << 8);
|
||||
data[i][offset_data + 1] = ((bytes[offset_byte + 1] >> 2) & (0x3f)) |
|
||||
((bytes[offset_byte + 2] & 0x0f) << 6);
|
||||
data[i][offset_data + 2] = ((bytes[offset_byte + 2] >> 4) & (0x0f)) |
|
||||
((bytes[offset_byte + 3] & 0x3f) << 4);
|
||||
data[i][offset_data + 3] = ((bytes[offset_byte + 3] >> 6) & (0x03)) |
|
||||
((bytes[offset_byte + 4] & 0xff) << 2);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
static void POLVECq2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N]) {
|
||||
uint32_t i, j;
|
||||
uint32_t offset_data, offset_byte, offset_byte1;
|
||||
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
offset_byte1 = i * (SABER_N * 13) / 8;
|
||||
for (j = 0; j < SABER_N / 8; j++) {
|
||||
offset_byte = offset_byte1 + 13 * j;
|
||||
offset_data = 8 * j;
|
||||
bytes[offset_byte + 0] = (data[i][offset_data + 0] & (0xff));
|
||||
bytes[offset_byte + 1] = ((data[i][offset_data + 0] >> 8) & 0x1f) |
|
||||
((data[i][offset_data + 1] & 0x07) << 5);
|
||||
bytes[offset_byte + 2] = ((data[i][offset_data + 1] >> 3) & 0xff);
|
||||
bytes[offset_byte + 3] = ((data[i][offset_data + 1] >> 11) & 0x03) |
|
||||
((data[i][offset_data + 2] & 0x3f) << 2);
|
||||
bytes[offset_byte + 4] = ((data[i][offset_data + 2] >> 6) & 0x7f) |
|
||||
((data[i][offset_data + 3] & 0x01) << 7);
|
||||
bytes[offset_byte + 5] = ((data[i][offset_data + 3] >> 1) & 0xff);
|
||||
bytes[offset_byte + 6] = ((data[i][offset_data + 3] >> 9) & 0x0f) |
|
||||
((data[i][offset_data + 4] & 0x0f) << 4);
|
||||
bytes[offset_byte + 7] = ((data[i][offset_data + 4] >> 4) & 0xff);
|
||||
bytes[offset_byte + 8] = ((data[i][offset_data + 4] >> 12) & 0x01) |
|
||||
((data[i][offset_data + 5] & 0x7f) << 1);
|
||||
bytes[offset_byte + 9] = ((data[i][offset_data + 5] >> 7) & 0x3f) |
|
||||
((data[i][offset_data + 6] & 0x03) << 6);
|
||||
bytes[offset_byte + 10] = ((data[i][offset_data + 6] >> 2) & 0xff);
|
||||
bytes[offset_byte + 11] = ((data[i][offset_data + 6] >> 10) & 0x07) |
|
||||
((data[i][offset_data + 7] & 0x1f) << 3);
|
||||
bytes[offset_byte + 12] = ((data[i][offset_data + 7] >> 5) & 0xff);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
static void BS2POLVECq(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N]) {
|
||||
uint32_t i, j;
|
||||
uint32_t offset_data, offset_byte, offset_byte1;
|
||||
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
offset_byte1 = i * (SABER_N * 13) / 8;
|
||||
for (j = 0; j < SABER_N / 8; j++) {
|
||||
offset_byte = offset_byte1 + 13 * j;
|
||||
offset_data = 8 * j;
|
||||
data[i][offset_data + 0] = (bytes[offset_byte + 0] & (0xff)) |
|
||||
((bytes[offset_byte + 1] & 0x1f) << 8);
|
||||
data[i][offset_data + 1] = (bytes[offset_byte + 1] >> 5 & (0x07)) |
|
||||
((bytes[offset_byte + 2] & 0xff) << 3) |
|
||||
((bytes[offset_byte + 3] & 0x03) << 11);
|
||||
data[i][offset_data + 2] = (bytes[offset_byte + 3] >> 2 & (0x3f)) |
|
||||
((bytes[offset_byte + 4] & 0x7f) << 6);
|
||||
data[i][offset_data + 3] = (bytes[offset_byte + 4] >> 7 & (0x01)) |
|
||||
((bytes[offset_byte + 5] & 0xff) << 1) |
|
||||
((bytes[offset_byte + 6] & 0x0f) << 9);
|
||||
data[i][offset_data + 4] = (bytes[offset_byte + 6] >> 4 & (0x0f)) |
|
||||
((bytes[offset_byte + 7] & 0xff) << 4) |
|
||||
((bytes[offset_byte + 8] & 0x01) << 12);
|
||||
data[i][offset_data + 5] = (bytes[offset_byte + 8] >> 1 & (0x7f)) |
|
||||
((bytes[offset_byte + 9] & 0x3f) << 7);
|
||||
data[i][offset_data + 6] = (bytes[offset_byte + 9] >> 6 & (0x03)) |
|
||||
((bytes[offset_byte + 10] & 0xff) << 2) |
|
||||
((bytes[offset_byte + 11] & 0x07) << 10);
|
||||
data[i][offset_data + 7] = (bytes[offset_byte + 11] >> 3 & (0x1f)) |
|
||||
((bytes[offset_byte + 12] & 0xff) << 5);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
//only BS2POLq no BS2POLp
|
||||
void PQCLEAN_LIGHTSABER_CLEAN_BS2POL(const unsigned char *bytes, uint16_t data[SABER_N]) {
|
||||
uint32_t j;
|
||||
uint32_t offset_data, offset_byte;
|
||||
|
||||
for (j = 0; j < SABER_N / 8; j++) {
|
||||
offset_byte = 13 * j;
|
||||
offset_data = 8 * j;
|
||||
data[offset_data + 0] = (bytes[offset_byte + 0] & (0xff)) |
|
||||
((bytes[offset_byte + 1] & 0x1f) << 8);
|
||||
data[offset_data + 1] = (bytes[offset_byte + 1] >> 5 & (0x07)) |
|
||||
((bytes[offset_byte + 2] & 0xff) << 3) |
|
||||
((bytes[offset_byte + 3] & 0x03) << 11);
|
||||
data[offset_data + 2] = (bytes[offset_byte + 3] >> 2 & (0x3f)) |
|
||||
((bytes[offset_byte + 4] & 0x7f) << 6);
|
||||
data[offset_data + 3] = (bytes[offset_byte + 4] >> 7 & (0x01)) |
|
||||
((bytes[offset_byte + 5] & 0xff) << 1) |
|
||||
((bytes[offset_byte + 6] & 0x0f) << 9);
|
||||
data[offset_data + 4] = (bytes[offset_byte + 6] >> 4 & (0x0f)) |
|
||||
((bytes[offset_byte + 7] & 0xff) << 4) |
|
||||
((bytes[offset_byte + 8] & 0x01) << 12);
|
||||
data[offset_data + 5] = (bytes[offset_byte + 8] >> 1 & (0x7f)) |
|
||||
((bytes[offset_byte + 9] & 0x3f) << 7);
|
||||
data[offset_data + 6] = (bytes[offset_byte + 9] >> 6 & (0x03)) |
|
||||
((bytes[offset_byte + 10] & 0xff) << 2) |
|
||||
((bytes[offset_byte + 11] & 0x07) << 10);
|
||||
data[offset_data + 7] = (bytes[offset_byte + 11] >> 3 & (0x1f)) |
|
||||
((bytes[offset_byte + 12] & 0xff) << 5);
|
||||
}
|
||||
}
|
||||
|
||||
void PQCLEAN_LIGHTSABER_CLEAN_POLVEC2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus) {
|
||||
if (modulus == 1024) {
|
||||
POLVECp2BS(bytes, data);
|
||||
} else if (modulus == 8192) {
|
||||
POLVECq2BS(bytes, data);
|
||||
}
|
||||
}
|
||||
|
||||
void PQCLEAN_LIGHTSABER_CLEAN_BS2POLVEC(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus) {
|
||||
if (modulus == 1024) {
|
||||
BS2POLVECp(bytes, data);
|
||||
} else if (modulus == 8192) {
|
||||
BS2POLVECq(bytes, data);
|
||||
}
|
||||
}
|
@ -0,0 +1,28 @@
|
||||
#ifndef PACK_UNPACK_H
|
||||
#define PACK_UNPACK_H
|
||||
|
||||
#include "SABER_params.h"
|
||||
#include <stdint.h>
|
||||
#include <stdio.h>
|
||||
|
||||
|
||||
void PQCLEAN_LIGHTSABER_CLEAN_pack_3bit(uint8_t *bytes, const uint16_t *data);
|
||||
|
||||
void PQCLEAN_LIGHTSABER_CLEAN_un_pack3bit(const uint8_t *bytes, uint16_t *data);
|
||||
|
||||
void PQCLEAN_LIGHTSABER_CLEAN_pack_4bit(uint8_t *bytes, const uint16_t *data);
|
||||
|
||||
void PQCLEAN_LIGHTSABER_CLEAN_un_pack4bit(const unsigned char *bytes, uint16_t *ar);
|
||||
|
||||
void PQCLEAN_LIGHTSABER_CLEAN_pack_6bit(uint8_t *bytes, const uint16_t *data);
|
||||
|
||||
void PQCLEAN_LIGHTSABER_CLEAN_un_pack6bit(const unsigned char *bytes, uint16_t *data);
|
||||
|
||||
|
||||
void PQCLEAN_LIGHTSABER_CLEAN_BS2POL(const unsigned char *bytes, uint16_t data[SABER_N]);
|
||||
|
||||
void PQCLEAN_LIGHTSABER_CLEAN_POLVEC2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus);
|
||||
|
||||
void PQCLEAN_LIGHTSABER_CLEAN_BS2POLVEC(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus);
|
||||
|
||||
#endif
|
@ -0,0 +1,21 @@
|
||||
/*---------------------------------------------------------------------
|
||||
This file has been adapted from the implementation
|
||||
(available at, Public Domain https://github.com/pq-crystals/kyber)
|
||||
of "CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM"
|
||||
by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint,
|
||||
Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle
|
||||
----------------------------------------------------------------------*/
|
||||
#include "SABER_params.h"
|
||||
#include "cbd.h"
|
||||
#include "fips202.h"
|
||||
#include "poly.h"
|
||||
|
||||
void PQCLEAN_LIGHTSABER_CLEAN_GenSecret(uint16_t r[SABER_K][SABER_N], const unsigned char *seed) {
|
||||
uint8_t buf[SABER_MU * SABER_N * SABER_K / 8];
|
||||
|
||||
shake128(buf, sizeof(buf), seed, SABER_NOISESEEDBYTES);
|
||||
|
||||
for (size_t i = 0; i < SABER_K; i++) {
|
||||
PQCLEAN_LIGHTSABER_CLEAN_cbd(r[i], buf + i * SABER_MU * SABER_N / 8);
|
||||
}
|
||||
}
|
@ -0,0 +1,26 @@
|
||||
#ifndef POLY_H
|
||||
#define POLY_H
|
||||
|
||||
/*---------------------------------------------------------------------
|
||||
This file has been adapted from the implementation
|
||||
(available at, Public Domain https://github.com/pq-crystals/kyber)
|
||||
of "CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM"
|
||||
by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint,
|
||||
Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle
|
||||
----------------------------------------------------------------------*/
|
||||
|
||||
|
||||
#include "SABER_params.h"
|
||||
#include <stdint.h>
|
||||
|
||||
typedef struct {
|
||||
uint16_t coeffs[SABER_N];
|
||||
} poly;
|
||||
|
||||
typedef struct {
|
||||
poly vec[SABER_K];
|
||||
} polyvec;
|
||||
|
||||
void PQCLEAN_LIGHTSABER_CLEAN_GenSecret(uint16_t r[SABER_K][SABER_N], const unsigned char *seed);
|
||||
|
||||
#endif
|
@ -0,0 +1,237 @@
|
||||
#include "poly_mul.h"
|
||||
#include <stdint.h>
|
||||
#include <string.h>
|
||||
|
||||
#define SCHB_N 16
|
||||
|
||||
#define N_RES (SABER_N << 1)
|
||||
#define N_SB (SABER_N >> 2)
|
||||
#define N_SB_RES (2*N_SB-1)
|
||||
|
||||
|
||||
#define KARATSUBA_N 64
|
||||
static void karatsuba_simple(const uint16_t *a_1, const uint16_t *b_1, uint16_t *result_final) {
|
||||
uint16_t d01[KARATSUBA_N / 2 - 1];
|
||||
uint16_t d0123[KARATSUBA_N / 2 - 1];
|
||||
uint16_t d23[KARATSUBA_N / 2 - 1];
|
||||
uint16_t result_d01[KARATSUBA_N - 1];
|
||||
|
||||
int32_t i, j;
|
||||
|
||||
memset(result_d01, 0, (KARATSUBA_N - 1)*sizeof(uint16_t));
|
||||
memset(d01, 0, (KARATSUBA_N / 2 - 1)*sizeof(uint16_t));
|
||||
memset(d0123, 0, (KARATSUBA_N / 2 - 1)*sizeof(uint16_t));
|
||||
memset(d23, 0, (KARATSUBA_N / 2 - 1)*sizeof(uint16_t));
|
||||
memset(result_final, 0, (2 * KARATSUBA_N - 1)*sizeof(uint16_t));
|
||||
|
||||
uint16_t acc1, acc2, acc3, acc4, acc5, acc6, acc7, acc8, acc9, acc10;
|
||||
|
||||
|
||||
for (i = 0; i < KARATSUBA_N / 4; i++) {
|
||||
acc1 = a_1[i]; //a0
|
||||
acc2 = a_1[i + KARATSUBA_N / 4]; //a1
|
||||
acc3 = a_1[i + 2 * KARATSUBA_N / 4]; //a2
|
||||
acc4 = a_1[i + 3 * KARATSUBA_N / 4]; //a3
|
||||
for (j = 0; j < KARATSUBA_N / 4; j++) {
|
||||
|
||||
acc5 = b_1[j]; //b0
|
||||
acc6 = b_1[j + KARATSUBA_N / 4]; //b1
|
||||
|
||||
result_final[i + j + 0 * KARATSUBA_N / 4] = result_final[i + j + 0 * KARATSUBA_N / 4] + acc1 * acc5;
|
||||
result_final[i + j + 2 * KARATSUBA_N / 4] = result_final[i + j + 2 * KARATSUBA_N / 4] + acc2 * acc6;
|
||||
|
||||
acc7 = acc5 + acc6; //b01
|
||||
acc8 = acc1 + acc2; //a01
|
||||
d01[i + j] = d01[i + j] + acc7 * acc8;
|
||||
//--------------------------------------------------------
|
||||
|
||||
acc7 = b_1[j + 2 * KARATSUBA_N / 4]; //b2
|
||||
acc8 = b_1[j + 3 * KARATSUBA_N / 4]; //b3
|
||||
result_final[i + j + 4 * KARATSUBA_N / 4] = result_final[i + j + 4 * KARATSUBA_N / 4] + acc7 * acc3;
|
||||
|
||||
result_final[i + j + 6 * KARATSUBA_N / 4] = result_final[i + j + 6 * KARATSUBA_N / 4] + acc8 * acc4;
|
||||
|
||||
acc9 = acc3 + acc4;
|
||||
acc10 = acc7 + acc8;
|
||||
d23[i + j] = d23[i + j] + acc9 * acc10;
|
||||
//--------------------------------------------------------
|
||||
|
||||
acc5 = acc5 + acc7; //b02
|
||||
acc7 = acc1 + acc3; //a02
|
||||
result_d01[i + j + 0 * KARATSUBA_N / 4] = result_d01[i + j + 0 * KARATSUBA_N / 4] + acc5 * acc7;
|
||||
|
||||
acc6 = acc6 + acc8; //b13
|
||||
acc8 = acc2 + acc4;
|
||||
result_d01[i + j + 2 * KARATSUBA_N / 4] = result_d01[i + j + 2 * KARATSUBA_N / 4] + acc6 * acc8;
|
||||
|
||||
acc5 = acc5 + acc6;
|
||||
acc7 = acc7 + acc8;
|
||||
d0123[i + j] = d0123[i + j] + acc5 * acc7;
|
||||
}
|
||||
}
|
||||
|
||||
// 2nd last stage
|
||||
|
||||
for (i = 0; i < KARATSUBA_N / 2 - 1; i++) {
|
||||
d0123[i] = d0123[i] - result_d01[i + 0 * KARATSUBA_N / 4] - result_d01[i + 2 * KARATSUBA_N / 4];
|
||||
d01[i] = d01[i] - result_final[i + 0 * KARATSUBA_N / 4] - result_final[i + 2 * KARATSUBA_N / 4];
|
||||
d23[i] = d23[i] - result_final[i + 4 * KARATSUBA_N / 4] - result_final[i + 6 * KARATSUBA_N / 4];
|
||||
}
|
||||
|
||||
for (i = 0; i < KARATSUBA_N / 2 - 1; i++) {
|
||||
result_d01[i + 1 * KARATSUBA_N / 4] = result_d01[i + 1 * KARATSUBA_N / 4] + d0123[i];
|
||||
result_final[i + 1 * KARATSUBA_N / 4] = result_final[i + 1 * KARATSUBA_N / 4] + d01[i];
|
||||
result_final[i + 5 * KARATSUBA_N / 4] = result_final[i + 5 * KARATSUBA_N / 4] + d23[i];
|
||||
}
|
||||
|
||||
// Last stage
|
||||
for (i = 0; i < KARATSUBA_N - 1; i++) {
|
||||
result_d01[i] = result_d01[i] - result_final[i] - result_final[i + KARATSUBA_N];
|
||||
}
|
||||
|
||||
for (i = 0; i < KARATSUBA_N - 1; i++) {
|
||||
result_final[i + 1 * KARATSUBA_N / 2] = result_final[i + 1 * KARATSUBA_N / 2] + result_d01[i];
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
static void toom_cook_4way (const uint16_t *a1, const uint16_t *b1, uint16_t *result) {
|
||||
uint16_t inv3 = 43691, inv9 = 36409, inv15 = 61167;
|
||||
|
||||
uint16_t aw1[N_SB], aw2[N_SB], aw3[N_SB], aw4[N_SB], aw5[N_SB], aw6[N_SB], aw7[N_SB];
|
||||
uint16_t bw1[N_SB], bw2[N_SB], bw3[N_SB], bw4[N_SB], bw5[N_SB], bw6[N_SB], bw7[N_SB];
|
||||
uint16_t w1[N_SB_RES] = {0}, w2[N_SB_RES] = {0}, w3[N_SB_RES] = {0}, w4[N_SB_RES] = {0},
|
||||
w5[N_SB_RES] = {0}, w6[N_SB_RES] = {0}, w7[N_SB_RES] = {0};
|
||||
uint16_t r0, r1, r2, r3, r4, r5, r6, r7;
|
||||
uint16_t *A0, *A1, *A2, *A3, *B0, *B1, *B2, *B3;
|
||||
A0 = (uint16_t *)a1;
|
||||
A1 = (uint16_t *)&a1[N_SB];
|
||||
A2 = (uint16_t *)&a1[2 * N_SB];
|
||||
A3 = (uint16_t *)&a1[3 * N_SB];
|
||||
B0 = (uint16_t *)b1;
|
||||
B1 = (uint16_t *)&b1[N_SB];
|
||||
B2 = (uint16_t *)&b1[2 * N_SB];
|
||||
B3 = (uint16_t *)&b1[3 * N_SB];
|
||||
|
||||
uint16_t *C;
|
||||
C = result;
|
||||
|
||||
int i, j;
|
||||
|
||||
// EVALUATION
|
||||
for (j = 0; j < N_SB; ++j) {
|
||||
r0 = A0[j];
|
||||
r1 = A1[j];
|
||||
r2 = A2[j];
|
||||
r3 = A3[j];
|
||||
r4 = r0 + r2;
|
||||
r5 = r1 + r3;
|
||||
r6 = r4 + r5;
|
||||
r7 = r4 - r5;
|
||||
aw3[j] = r6;
|
||||
aw4[j] = r7;
|
||||
r4 = ((r0 << 2) + r2) << 1;
|
||||
r5 = (r1 << 2) + r3;
|
||||
r6 = r4 + r5;
|
||||
r7 = r4 - r5;
|
||||
aw5[j] = r6;
|
||||
aw6[j] = r7;
|
||||
r4 = (r3 << 3) + (r2 << 2) + (r1 << 1) + r0;
|
||||
aw2[j] = r4;
|
||||
aw7[j] = r0;
|
||||
aw1[j] = r3;
|
||||
}
|
||||
for (j = 0; j < N_SB; ++j) {
|
||||
r0 = B0[j];
|
||||
r1 = B1[j];
|
||||
r2 = B2[j];
|
||||
r3 = B3[j];
|
||||
r4 = r0 + r2;
|
||||
r5 = r1 + r3;
|
||||
r6 = r4 + r5;
|
||||
r7 = r4 - r5;
|
||||
bw3[j] = r6;
|
||||
bw4[j] = r7;
|
||||
r4 = ((r0 << 2) + r2) << 1;
|
||||
r5 = (r1 << 2) + r3;
|
||||
r6 = r4 + r5;
|
||||
r7 = r4 - r5;
|
||||
bw5[j] = r6;
|
||||
bw6[j] = r7;
|
||||
r4 = (r3 << 3) + (r2 << 2) + (r1 << 1) + r0;
|
||||
bw2[j] = r4;
|
||||
bw7[j] = r0;
|
||||
bw1[j] = r3;
|
||||
}
|
||||
|
||||
// MULTIPLICATION
|
||||
|
||||
karatsuba_simple(aw1, bw1, w1);
|
||||
karatsuba_simple(aw2, bw2, w2);
|
||||
karatsuba_simple(aw3, bw3, w3);
|
||||
karatsuba_simple(aw4, bw4, w4);
|
||||
karatsuba_simple(aw5, bw5, w5);
|
||||
karatsuba_simple(aw6, bw6, w6);
|
||||
karatsuba_simple(aw7, bw7, w7);
|
||||
|
||||
// INTERPOLATION
|
||||
for (i = 0; i < N_SB_RES; ++i) {
|
||||
r0 = w1[i];
|
||||
r1 = w2[i];
|
||||
r2 = w3[i];
|
||||
r3 = w4[i];
|
||||
r4 = w5[i];
|
||||
r5 = w6[i];
|
||||
r6 = w7[i];
|
||||
|
||||
r1 = r1 + r4;
|
||||
r5 = r5 - r4;
|
||||
r3 = ((r3 - r2) >> 1);
|
||||
r4 = r4 - r0;
|
||||
r4 = r4 - (r6 << 6);
|
||||
r4 = (r4 << 1) + r5;
|
||||
r2 = r2 + r3;
|
||||
r1 = r1 - (r2 << 6) - r2;
|
||||
r2 = r2 - r6;
|
||||
r2 = r2 - r0;
|
||||
r1 = r1 + 45 * r2;
|
||||
r4 = (((r4 - (r2 << 3)) * inv3) >> 3);
|
||||
r5 = r5 + r1;
|
||||
r1 = (((r1 + (r3 << 4)) * inv9) >> 1);
|
||||
r3 = -(r3 + r1);
|
||||
r5 = (((30 * r1 - r5) * inv15) >> 2);
|
||||
r2 = r2 - r4;
|
||||
r1 = r1 - r5;
|
||||
|
||||
C[i] += r6;
|
||||
C[i + 64] += r5;
|
||||
C[i + 128] += r4;
|
||||
C[i + 192] += r3;
|
||||
C[i + 256] += r2;
|
||||
C[i + 320] += r1;
|
||||
C[i + 384] += r0;
|
||||
}
|
||||
}
|
||||
|
||||
void PQCLEAN_LIGHTSABER_CLEAN_pol_mul(uint16_t *a, uint16_t *b, uint16_t *res, uint16_t p, uint32_t n)
|
||||
|
||||
{
|
||||
uint32_t i;
|
||||
// normal multiplication
|
||||
uint16_t c[512];
|
||||
|
||||
for (i = 0; i < 512; i++) {
|
||||
c[i] = 0;
|
||||
}
|
||||
|
||||
toom_cook_4way(a, b, c);
|
||||
|
||||
// reduction
|
||||
for (i = n; i < 2 * n; i++) {
|
||||
res[i - n] = (c[i - n] - c[i]) & (p - 1);
|
||||
}
|
||||
|
||||
|
||||
}
|
@ -0,0 +1,9 @@
|
||||
#ifndef POLYMUL_H
|
||||
#define POLYMUL_H
|
||||
|
||||
#include "SABER_params.h"
|
||||
#include <stdint.h>
|
||||
|
||||
void PQCLEAN_LIGHTSABER_CLEAN_pol_mul(uint16_t *a, uint16_t *b, uint16_t *res, uint16_t p, uint32_t n);
|
||||
|
||||
#endif
|
@ -0,0 +1,34 @@
|
||||
/*-------------------------------------------------
|
||||
This file has been adapted from the implementation
|
||||
(available at https://github.com/pq-crystals/kyber) of
|
||||
"CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM"
|
||||
by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint,
|
||||
Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle
|
||||
----------------------------------------------------*/
|
||||
#include "verify.h"
|
||||
#include <stdint.h>
|
||||
|
||||
/* returns 0 for equal strings, 1 for non-equal strings */
|
||||
unsigned char PQCLEAN_LIGHTSABER_CLEAN_verify(const unsigned char *a, const unsigned char *b, size_t len) {
|
||||
uint64_t r;
|
||||
size_t i;
|
||||
|
||||
r = 0;
|
||||
for (i = 0; i < len; i++) {
|
||||
r |= a[i] ^ b[i];
|
||||
}
|
||||
|
||||
r = (~r + 1); // Two's complement
|
||||
r >>= 63;
|
||||
return (unsigned char)r;
|
||||
}
|
||||
|
||||
/* b = 1 means mov, b = 0 means don't mov*/
|
||||
void PQCLEAN_LIGHTSABER_CLEAN_cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b) {
|
||||
size_t i;
|
||||
|
||||
b = -b;
|
||||
for (i = 0; i < len; i++) {
|
||||
r[i] ^= b & (x[i] ^ r[i]);
|
||||
}
|
||||
}
|
@ -0,0 +1,21 @@
|
||||
#ifndef VERIFY_H
|
||||
#define VERIFY_H
|
||||
|
||||
/*-------------------------------------------------
|
||||
This file has been adapted from the implementation
|
||||
(available at https://github.com/pq-crystals/kyber) of
|
||||
"CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM"
|
||||
by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint,
|
||||
Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle
|
||||
----------------------------------------------------*/
|
||||
|
||||
#include <stddef.h>
|
||||
#include <stdint.h>
|
||||
|
||||
/* returns 0 for equal strings, 1 for non-equal strings */
|
||||
unsigned char PQCLEAN_LIGHTSABER_CLEAN_verify(const unsigned char *a, const unsigned char *b, size_t len);
|
||||
|
||||
/* b = 1 means mov, b = 0 means don't mov*/
|
||||
void PQCLEAN_LIGHTSABER_CLEAN_cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b);
|
||||
|
||||
#endif
|
17
crypto_kem/saber/META.yml
普通文件
17
crypto_kem/saber/META.yml
普通文件
@ -0,0 +1,17 @@
|
||||
name: Saber
|
||||
type: kem
|
||||
claimed-nist-level: 3
|
||||
claimed-security: IND-CCA2
|
||||
length-public-key: 992
|
||||
length-ciphertext: 1088
|
||||
length-secret-key: 2304
|
||||
length-shared-secret: 32
|
||||
nistkat-sha256: c9e2c16f41f162c607a1d5704107159e5e12713b9bb8c356b1d68b216e79096e
|
||||
principal-submitters:
|
||||
- Jan-Pieter D'Anvers
|
||||
- Angshuman Karmakar
|
||||
- Sujoy Sinha Roy
|
||||
- Frederik Vercauteren
|
||||
implementations:
|
||||
- name: clean
|
||||
version: https://github.com/KULeuven-COSIC/SABER/commit/14ede83f1ff3bcc41f0464543542366c68b55871
|
@ -0,0 +1,8 @@
|
||||
----------------------------------------------------------------------------------------
|
||||
SABER_v1.1
|
||||
|
||||
Public domain
|
||||
|
||||
Authors: Jan-Pieter D'Anvers, Angshuman Karmakar, Sujoy Sinha Roy,
|
||||
Frederik Vercauteren
|
||||
----------------------------------------------------------------------------------------
|
19
crypto_kem/saber/clean/Makefile
普通文件
19
crypto_kem/saber/clean/Makefile
普通文件
@ -0,0 +1,19 @@
|
||||
# This Makefile can be used with GNU Make or BSD Make
|
||||
|
||||
LIB=libsaber_clean.a
|
||||
HEADERS=api.h cbd.h poly.h poly_mul.h SABER_indcpa.h SABER_params.h verify.h pack_unpack.h
|
||||
OBJECTS=cbd.o kem.o pack_unpack.o poly.o poly_mul.o SABER_indcpa.o verify.o
|
||||
|
||||
CFLAGS=-O3 -Wall -Wextra -Wpedantic -Werror -Wmissing-prototypes -Wredundant-decls -std=c99 -I../../../common $(EXTRAFLAGS)
|
||||
|
||||
all: $(LIB)
|
||||
|
||||
%.o: %.c $(HEADERS)
|
||||
$(CC) $(CFLAGS) -c -o $@ $<
|
||||
|
||||
$(LIB): $(OBJECTS)
|
||||
$(AR) -r $@ $(OBJECTS)
|
||||
|
||||
clean:
|
||||
$(RM) $(OBJECTS)
|
||||
$(RM) $(LIB)
|
@ -0,0 +1,19 @@
|
||||
# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
|
||||
# nmake /f Makefile.Microsoft_nmake
|
||||
|
||||
LIBRARY=libsaber_clean.lib
|
||||
OBJECTS=cbd.obj kem.obj pack_unpack.obj poly.obj poly_mul.obj SABER_indcpa.obj verify.obj
|
||||
|
||||
CFLAGS=/nologo /I ..\..\..\common /W4 /WX
|
||||
|
||||
all: $(LIBRARY)
|
||||
|
||||
# Make sure objects are recompiled if headers change.
|
||||
$(OBJECTS): *.h
|
||||
|
||||
$(LIBRARY): $(OBJECTS)
|
||||
LIB.EXE /NOLOGO /WX /OUT:$@ $**
|
||||
|
||||
clean:
|
||||
-DEL $(OBJECTS)
|
||||
-DEL $(LIBRARY)
|
@ -0,0 +1,298 @@
|
||||
#include "SABER_indcpa.h"
|
||||
#include "SABER_params.h"
|
||||
#include "fips202.h"
|
||||
#include "pack_unpack.h"
|
||||
#include "poly.h"
|
||||
#include "poly_mul.h"
|
||||
#include "randombytes.h"
|
||||
#include <stdint.h>
|
||||
#include <string.h>
|
||||
|
||||
|
||||
|
||||
/*-----------------------------------------------------------------------------------
|
||||
This routine generates a=[Matrix K x K] of 256-coefficient polynomials
|
||||
-------------------------------------------------------------------------------------*/
|
||||
|
||||
#define h1 4 //2^(EQ-EP-1)
|
||||
|
||||
#define h2 ( (1<<(SABER_EP-2)) - (1<<(SABER_EP-SABER_ET-1)) + (1<<(SABER_EQ-SABER_EP-1)) )
|
||||
|
||||
static void InnerProd(uint16_t pkcl[SABER_K][SABER_N], uint16_t skpv[SABER_K][SABER_N], uint16_t mod, uint16_t res[SABER_N]);
|
||||
static void MatrixVectorMul(polyvec *a, uint16_t skpv[SABER_K][SABER_N], uint16_t res[SABER_K][SABER_N], uint16_t mod, int16_t transpose);
|
||||
|
||||
static void POL2MSG(const uint16_t *message_dec_unpacked, unsigned char *message_dec);
|
||||
|
||||
static void GenMatrix(polyvec *a, const unsigned char *seed) {
|
||||
unsigned char buf[SABER_K * SABER_K * (13 * SABER_N / 8)];
|
||||
|
||||
uint16_t temp_ar[SABER_N];
|
||||
|
||||
int i, j, k;
|
||||
uint16_t mod = (SABER_Q - 1);
|
||||
|
||||
shake128(buf, sizeof(buf), seed, SABER_SEEDBYTES);
|
||||
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
for (j = 0; j < SABER_K; j++) {
|
||||
PQCLEAN_SABER_CLEAN_BS2POL(buf + (i * SABER_K + j) * (13 * SABER_N / 8), temp_ar);
|
||||
for (k = 0; k < SABER_N; k++) {
|
||||
a[i].vec[j].coeffs[k] = (temp_ar[k])& mod ;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
void PQCLEAN_SABER_CLEAN_indcpa_kem_keypair(unsigned char *pk, unsigned char *sk) {
|
||||
polyvec a[SABER_K];
|
||||
|
||||
uint16_t skpv[SABER_K][SABER_N];
|
||||
|
||||
unsigned char seed[SABER_SEEDBYTES];
|
||||
unsigned char noiseseed[SABER_COINBYTES];
|
||||
int32_t i, j;
|
||||
uint16_t mod_q = SABER_Q - 1;
|
||||
|
||||
|
||||
uint16_t res[SABER_K][SABER_N];
|
||||
|
||||
randombytes(seed, SABER_SEEDBYTES);
|
||||
|
||||
// for not revealing system RNG state
|
||||
shake128(seed, SABER_SEEDBYTES, seed, SABER_SEEDBYTES);
|
||||
randombytes(noiseseed, SABER_COINBYTES);
|
||||
|
||||
GenMatrix(a, seed); //sample matrix A
|
||||
|
||||
// generate secret from constant-time binomial distribution
|
||||
PQCLEAN_SABER_CLEAN_GenSecret(skpv, noiseseed);
|
||||
|
||||
// do the matrix vector multiplication and rounding
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
for (j = 0; j < SABER_N; j++) {
|
||||
res[i][j] = 0;
|
||||
}
|
||||
}
|
||||
MatrixVectorMul(a, skpv, res, SABER_Q - 1, 1);
|
||||
|
||||
// now rounding
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
for (j = 0; j < SABER_N; j++) {
|
||||
// shift right 3 bits
|
||||
res[i][j] = (res[i][j] + h1) & (mod_q);
|
||||
res[i][j] = (res[i][j] >> (SABER_EQ - SABER_EP));
|
||||
}
|
||||
}
|
||||
|
||||
// unload and pack sk=3 x (256 coefficients of 14 bits)
|
||||
PQCLEAN_SABER_CLEAN_POLVEC2BS(sk, skpv, SABER_Q);
|
||||
|
||||
// unload and pack pk=256 bits seed and 3 x (256 coefficients of 11 bits)
|
||||
// load the public-key coefficients
|
||||
PQCLEAN_SABER_CLEAN_POLVEC2BS(pk, res, SABER_P);
|
||||
|
||||
|
||||
// now load the seedbytes in PK. Easy since seed bytes are kept in byte format.
|
||||
for (i = 0; i < SABER_SEEDBYTES; i++) {
|
||||
pk[SABER_POLYVECCOMPRESSEDBYTES + i] = seed[i];
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
||||
void PQCLEAN_SABER_CLEAN_indcpa_kem_enc(const unsigned char *message_received, unsigned char *noiseseed, const unsigned char *pk, unsigned char *ciphertext) {
|
||||
uint32_t i, j, k;
|
||||
polyvec a[SABER_K];
|
||||
unsigned char seed[SABER_SEEDBYTES];
|
||||
// public key of received by the client
|
||||
uint16_t pkcl[SABER_K][SABER_N];
|
||||
uint16_t skpv1[SABER_K][SABER_N];
|
||||
uint16_t message[SABER_KEYBYTES * 8];
|
||||
uint16_t res[SABER_K][SABER_N];
|
||||
uint16_t mod_p = SABER_P - 1;
|
||||
uint16_t mod_q = SABER_Q - 1;
|
||||
uint16_t vprime[SABER_N];
|
||||
unsigned char msk_c[SABER_SCALEBYTES_KEM];
|
||||
|
||||
// extract the seedbytes from Public Key.
|
||||
for (i = 0; i < SABER_SEEDBYTES; i++) {
|
||||
seed[i] = pk[ SABER_POLYVECCOMPRESSEDBYTES + i];
|
||||
}
|
||||
|
||||
GenMatrix(a, seed);
|
||||
|
||||
// generate secret from constant-time binomial distribution
|
||||
PQCLEAN_SABER_CLEAN_GenSecret(skpv1, noiseseed);
|
||||
|
||||
// matrix-vector multiplication and rounding
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
for (j = 0; j < SABER_N; j++) {
|
||||
res[i][j] = 0;
|
||||
}
|
||||
}
|
||||
MatrixVectorMul(a, skpv1, res, SABER_Q - 1, 0);
|
||||
|
||||
// now rounding
|
||||
//shift right 3 bits
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
for (j = 0; j < SABER_N; j++) {
|
||||
res[i][j] = ( res[i][j] + h1 ) & mod_q;
|
||||
res[i][j] = (res[i][j] >> (SABER_EQ - SABER_EP) );
|
||||
}
|
||||
}
|
||||
|
||||
PQCLEAN_SABER_CLEAN_POLVEC2BS(ciphertext, res, SABER_P);
|
||||
|
||||
// ************client matrix-vector multiplication ends************
|
||||
|
||||
// now calculate the v'
|
||||
// unpack the public_key
|
||||
// pkcl is the b in the protocol
|
||||
PQCLEAN_SABER_CLEAN_BS2POLVEC(pk, pkcl, SABER_P);
|
||||
for (i = 0; i < SABER_N; i++) {
|
||||
vprime[i] = 0;
|
||||
}
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
for (j = 0; j < SABER_N; j++) {
|
||||
skpv1[i][j] = skpv1[i][j] & (mod_p);
|
||||
}
|
||||
}
|
||||
|
||||
// vector-vector scalar multiplication with mod p
|
||||
InnerProd(pkcl, skpv1, mod_p, vprime);
|
||||
|
||||
// addition of h1 to vprime
|
||||
for (i = 0; i < SABER_N; i++) {
|
||||
vprime[i] = vprime[i] + h1;
|
||||
}
|
||||
|
||||
// unpack message_received;
|
||||
for (j = 0; j < SABER_KEYBYTES; j++) {
|
||||
for (i = 0; i < 8; i++) {
|
||||
message[8 * j + i] = ((message_received[j] >> i) & 0x01);
|
||||
}
|
||||
}
|
||||
|
||||
// message encoding
|
||||
for (i = 0; i < SABER_N; i++) {
|
||||
message[i] = (message[i] << (SABER_EP - 1));
|
||||
}
|
||||
|
||||
for (k = 0; k < SABER_N; k++) {
|
||||
vprime[k] = ( (vprime[k] - message[k]) & (mod_p) ) >> (SABER_EP - SABER_ET);
|
||||
}
|
||||
|
||||
|
||||
PQCLEAN_SABER_CLEAN_pack_4bit(msk_c, vprime);
|
||||
|
||||
for (j = 0; j < SABER_SCALEBYTES_KEM; j++) {
|
||||
ciphertext[SABER_POLYVECCOMPRESSEDBYTES + j] = msk_c[j];
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
void PQCLEAN_SABER_CLEAN_indcpa_kem_dec(const unsigned char *sk, const unsigned char *ciphertext, unsigned char message_dec[]) {
|
||||
uint32_t i, j;
|
||||
// secret key of the server
|
||||
uint16_t sksv[SABER_K][SABER_N];
|
||||
uint16_t pksv[SABER_K][SABER_N];
|
||||
uint8_t scale_ar[SABER_SCALEBYTES_KEM];
|
||||
uint16_t mod_p = SABER_P - 1;
|
||||
uint16_t v[SABER_N];
|
||||
uint16_t op[SABER_N];
|
||||
|
||||
// sksv is the secret-key
|
||||
PQCLEAN_SABER_CLEAN_BS2POLVEC(sk, sksv, SABER_Q);
|
||||
// pksv is the ciphertext
|
||||
PQCLEAN_SABER_CLEAN_BS2POLVEC(ciphertext, pksv, SABER_P);
|
||||
|
||||
// vector-vector scalar multiplication with mod p
|
||||
for (i = 0; i < SABER_N; i++) {
|
||||
v[i] = 0;
|
||||
}
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
for (j = 0; j < SABER_N; j++) {
|
||||
sksv[i][j] = sksv[i][j] & (mod_p);
|
||||
}
|
||||
}
|
||||
InnerProd(pksv, sksv, mod_p, v);
|
||||
|
||||
//Extraction
|
||||
for (i = 0; i < SABER_SCALEBYTES_KEM; i++) {
|
||||
scale_ar[i] = ciphertext[SABER_POLYVECCOMPRESSEDBYTES + i];
|
||||
}
|
||||
|
||||
PQCLEAN_SABER_CLEAN_un_pack4bit(scale_ar, op);
|
||||
|
||||
//addition of h1
|
||||
for (i = 0; i < SABER_N; i++) {
|
||||
v[i] = ( ( v[i] + h2 - (op[i] << (SABER_EP - SABER_ET)) ) & (mod_p) ) >> (SABER_EP - 1);
|
||||
}
|
||||
|
||||
// pack decrypted message
|
||||
POL2MSG(v, message_dec);
|
||||
}
|
||||
static void MatrixVectorMul(polyvec *a, uint16_t skpv[SABER_K][SABER_N], uint16_t res[SABER_K][SABER_N], uint16_t mod, int16_t transpose) {
|
||||
uint16_t acc[SABER_N];
|
||||
int32_t i, j, k;
|
||||
|
||||
if (transpose == 1) {
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
for (j = 0; j < SABER_K; j++) {
|
||||
PQCLEAN_SABER_CLEAN_pol_mul((uint16_t *)&a[j].vec[i], skpv[j], acc, SABER_Q, SABER_N);
|
||||
|
||||
for (k = 0; k < SABER_N; k++) {
|
||||
res[i][k] = res[i][k] + acc[k];
|
||||
//reduction mod p
|
||||
res[i][k] = (res[i][k] & mod);
|
||||
//clear the accumulator
|
||||
acc[k] = 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
} else {
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
for (j = 0; j < SABER_K; j++) {
|
||||
PQCLEAN_SABER_CLEAN_pol_mul((uint16_t *)&a[i].vec[j], skpv[j], acc, SABER_Q, SABER_N);
|
||||
for (k = 0; k < SABER_N; k++) {
|
||||
res[i][k] = res[i][k] + acc[k];
|
||||
// reduction
|
||||
res[i][k] = res[i][k] & mod;
|
||||
// clear the accumulator
|
||||
acc[k] = 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
static void POL2MSG(const uint16_t *message_dec_unpacked, unsigned char *message_dec) {
|
||||
int32_t i, j;
|
||||
|
||||
for (j = 0; j < SABER_KEYBYTES; j++) {
|
||||
message_dec[j] = 0;
|
||||
for (i = 0; i < 8; i++) {
|
||||
message_dec[j] = message_dec[j] | (uint8_t) (message_dec_unpacked[j * 8 + i] << i);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
static void InnerProd(uint16_t pkcl[SABER_K][SABER_N], uint16_t skpv[SABER_K][SABER_N], uint16_t mod, uint16_t res[SABER_N]) {
|
||||
uint32_t j, k;
|
||||
uint16_t acc[SABER_N];
|
||||
|
||||
// vector-vector scalar multiplication with mod p
|
||||
for (j = 0; j < SABER_K; j++) {
|
||||
PQCLEAN_SABER_CLEAN_pol_mul(pkcl[j], skpv[j], acc, SABER_P, SABER_N);
|
||||
|
||||
for (k = 0; k < SABER_N; k++) {
|
||||
res[k] = res[k] + acc[k];
|
||||
// reduction
|
||||
res[k] = res[k] & mod;
|
||||
// clear the accumulator
|
||||
acc[k] = 0;
|
||||
}
|
||||
}
|
||||
}
|
@ -0,0 +1,9 @@
|
||||
#ifndef INDCPA_H
|
||||
#define INDCPA_H
|
||||
|
||||
void PQCLEAN_SABER_CLEAN_indcpa_kem_keypair(unsigned char *pk, unsigned char *sk);
|
||||
void PQCLEAN_SABER_CLEAN_indcpa_kem_enc(const unsigned char *message, unsigned char *noiseseed, const unsigned char *pk, unsigned char *ciphertext);
|
||||
void PQCLEAN_SABER_CLEAN_indcpa_kem_dec(const unsigned char *sk, const unsigned char *ciphertext, unsigned char *message_dec);
|
||||
|
||||
#endif
|
||||
|
@ -0,0 +1,50 @@
|
||||
#ifndef PARAMS_H
|
||||
#define PARAMS_H
|
||||
|
||||
#include "api.h"
|
||||
|
||||
#define SABER_K 3
|
||||
#define SABER_MU 8
|
||||
#define SABER_ET 4
|
||||
|
||||
|
||||
#define SABER_EQ 13
|
||||
#define SABER_EP 10
|
||||
|
||||
#define SABER_N 256
|
||||
#define SABER_Q 8192
|
||||
#define SABER_P 1024
|
||||
|
||||
#define SABER_SEEDBYTES 32
|
||||
#define SABER_NOISESEEDBYTES 32
|
||||
#define SABER_COINBYTES 32
|
||||
#define SABER_KEYBYTES 32
|
||||
|
||||
#define SABER_HASHBYTES 32
|
||||
|
||||
#define SABER_POLYBYTES 416 //13*256/8
|
||||
|
||||
#define SABER_POLYVECBYTES (SABER_K * SABER_POLYBYTES)
|
||||
|
||||
#define SABER_POLYVECCOMPRESSEDBYTES (SABER_K * 320) //10*256/8 NOTE : changed till here due to parameter adaptation
|
||||
|
||||
#define SABER_CIPHERTEXTBYTES (SABER_POLYVECCOMPRESSEDBYTES)
|
||||
|
||||
#define SABER_SCALEBYTES (SABER_DELTA*SABER_N/8)
|
||||
|
||||
#define SABER_SCALEBYTES_KEM ((SABER_ET)*SABER_N/8)
|
||||
|
||||
#define SABER_INDCPA_PUBLICKEYBYTES (SABER_POLYVECCOMPRESSEDBYTES + SABER_SEEDBYTES)
|
||||
#define SABER_INDCPA_SECRETKEYBYTES (SABER_POLYVECBYTES)
|
||||
|
||||
#define SABER_PUBLICKEYBYTES (SABER_INDCPA_PUBLICKEYBYTES)
|
||||
|
||||
#define SABER_SECRETKEYBYTES (SABER_INDCPA_SECRETKEYBYTES + SABER_INDCPA_PUBLICKEYBYTES + SABER_HASHBYTES + SABER_KEYBYTES)
|
||||
|
||||
#define SABER_BYTES_CCA_DEC (SABER_POLYVECCOMPRESSEDBYTES + SABER_SCALEBYTES_KEM) /* Second part is for Targhi-Unruh */
|
||||
|
||||
|
||||
|
||||
|
||||
#endif
|
||||
|
14
crypto_kem/saber/clean/api.h
普通文件
14
crypto_kem/saber/clean/api.h
普通文件
@ -0,0 +1,14 @@
|
||||
#ifndef PQCLEAN_SABER_CLEAN_API_H
|
||||
#define PQCLEAN_SABER_CLEAN_API_H
|
||||
|
||||
#define PQCLEAN_SABER_CLEAN_CRYPTO_ALGNAME "Saber"
|
||||
#define PQCLEAN_SABER_CLEAN_CRYPTO_SECRETKEYBYTES 2304
|
||||
#define PQCLEAN_SABER_CLEAN_CRYPTO_PUBLICKEYBYTES (3*320+32)
|
||||
#define PQCLEAN_SABER_CLEAN_CRYPTO_BYTES 32
|
||||
#define PQCLEAN_SABER_CLEAN_CRYPTO_CIPHERTEXTBYTES 1088
|
||||
|
||||
int PQCLEAN_SABER_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk);
|
||||
int PQCLEAN_SABER_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk);
|
||||
int PQCLEAN_SABER_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk);
|
||||
|
||||
#endif /* api_h */
|
51
crypto_kem/saber/clean/cbd.c
普通文件
51
crypto_kem/saber/clean/cbd.c
普通文件
@ -0,0 +1,51 @@
|
||||
/*---------------------------------------------------------------------
|
||||
This file has been adapted from the implementation
|
||||
(available at, Public Domain https://github.com/pq-crystals/kyber)
|
||||
of "CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM"
|
||||
by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint,
|
||||
Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle
|
||||
----------------------------------------------------------------------*/
|
||||
|
||||
#include "SABER_params.h"
|
||||
#include "api.h"
|
||||
#include "cbd.h"
|
||||
#include <stdint.h>
|
||||
|
||||
static uint64_t load_littleendian(const unsigned char *x, int bytes) {
|
||||
int i;
|
||||
uint64_t r = x[0];
|
||||
for (i = 1; i < bytes; i++) {
|
||||
r |= (uint64_t)x[i] << (8 * i);
|
||||
}
|
||||
return r;
|
||||
}
|
||||
|
||||
|
||||
void PQCLEAN_SABER_CLEAN_cbd(uint16_t *r, const unsigned char *buf) {
|
||||
uint16_t Qmod_minus1 = SABER_Q - 1;
|
||||
|
||||
uint32_t t, d, a[4], b[4];
|
||||
int i, j;
|
||||
|
||||
for (i = 0; i < SABER_N / 4; i++) {
|
||||
t = (uint32_t) load_littleendian(buf + 4 * i, 4);
|
||||
d = 0;
|
||||
for (j = 0; j < 4; j++) {
|
||||
d += (t >> j) & 0x11111111;
|
||||
}
|
||||
|
||||
a[0] = d & 0xf;
|
||||
b[0] = (d >> 4) & 0xf;
|
||||
a[1] = (d >> 8) & 0xf;
|
||||
b[1] = (d >> 12) & 0xf;
|
||||
a[2] = (d >> 16) & 0xf;
|
||||
b[2] = (d >> 20) & 0xf;
|
||||
a[3] = (d >> 24) & 0xf;
|
||||
b[3] = (d >> 28);
|
||||
|
||||
r[4 * i + 0] = (uint16_t)(a[0] - b[0]) & Qmod_minus1;
|
||||
r[4 * i + 1] = (uint16_t)(a[1] - b[1]) & Qmod_minus1;
|
||||
r[4 * i + 2] = (uint16_t)(a[2] - b[2]) & Qmod_minus1;
|
||||
r[4 * i + 3] = (uint16_t)(a[3] - b[3]) & Qmod_minus1;
|
||||
}
|
||||
}
|
17
crypto_kem/saber/clean/cbd.h
普通文件
17
crypto_kem/saber/clean/cbd.h
普通文件
@ -0,0 +1,17 @@
|
||||
#ifndef CBD_H
|
||||
#define CBD_H
|
||||
|
||||
/*---------------------------------------------------------------------
|
||||
This file has been adapted from the implementation
|
||||
(available at, Public Domain https://github.com/pq-crystals/kyber)
|
||||
of "CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM"
|
||||
by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint,
|
||||
Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle
|
||||
----------------------------------------------------------------------*/
|
||||
|
||||
#include "poly.h"
|
||||
#include <stdint.h>
|
||||
|
||||
void PQCLEAN_SABER_CLEAN_cbd(uint16_t *r, const unsigned char *buf);
|
||||
|
||||
#endif
|
96
crypto_kem/saber/clean/kem.c
普通文件
96
crypto_kem/saber/clean/kem.c
普通文件
@ -0,0 +1,96 @@
|
||||
#include "SABER_indcpa.h"
|
||||
#include "SABER_params.h"
|
||||
#include "fips202.h"
|
||||
#include "randombytes.h"
|
||||
#include "verify.h"
|
||||
#include <stdint.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
|
||||
int PQCLEAN_SABER_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) {
|
||||
int i;
|
||||
|
||||
// sk[0:SABER_INDCPA_SECRETKEYBYTES-1] <-- sk
|
||||
PQCLEAN_SABER_CLEAN_indcpa_kem_keypair(pk, sk);
|
||||
|
||||
// sk[SABER_INDCPA_SECRETKEYBYTES:SABER_INDCPA_SECRETKEYBYTES+SABER_INDCPA_SECRETKEYBYTES-1] <-- pk
|
||||
for (i = 0; i < SABER_INDCPA_PUBLICKEYBYTES; i++) {
|
||||
sk[i + SABER_INDCPA_SECRETKEYBYTES] = pk[i];
|
||||
}
|
||||
|
||||
// Then hash(pk) is appended.
|
||||
sha3_256(sk + SABER_SECRETKEYBYTES - 64, pk, SABER_INDCPA_PUBLICKEYBYTES);
|
||||
|
||||
// Remaining part of sk contains a pseudo-random number.
|
||||
// This is output when check in crypto_kem_dec() fails.
|
||||
randombytes(sk + SABER_SECRETKEYBYTES - SABER_KEYBYTES, SABER_KEYBYTES );
|
||||
return (0);
|
||||
}
|
||||
|
||||
int PQCLEAN_SABER_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) {
|
||||
// Will contain key, coins
|
||||
unsigned char kr[64];
|
||||
unsigned char buf[64];
|
||||
|
||||
randombytes(buf, 32);
|
||||
|
||||
// BUF[0:31] <-- random message (will be used as the key for client) Note: hash doesnot release system RNG output
|
||||
sha3_256(buf, buf, 32);
|
||||
|
||||
// BUF[32:63] <-- Hash(public key); Multitarget countermeasure for coins + contributory KEM
|
||||
sha3_256(buf + 32, pk, SABER_INDCPA_PUBLICKEYBYTES);
|
||||
|
||||
// kr[0:63] <-- Hash(buf[0:63]);
|
||||
sha3_512(kr, buf, 64);
|
||||
|
||||
// K^ <-- kr[0:31]
|
||||
// noiseseed (r) <-- kr[32:63];
|
||||
// buf[0:31] contains message; kr[32:63] contains randomness r;
|
||||
PQCLEAN_SABER_CLEAN_indcpa_kem_enc(buf, kr + 32, pk, ct);
|
||||
|
||||
sha3_256(kr + 32, ct, SABER_BYTES_CCA_DEC);
|
||||
|
||||
// hash concatenation of pre-k and h(c) to k
|
||||
sha3_256(ss, kr, 64);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
|
||||
int PQCLEAN_SABER_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) {
|
||||
int i;
|
||||
unsigned char fail;
|
||||
unsigned char cmp[SABER_BYTES_CCA_DEC];
|
||||
unsigned char buf[64];
|
||||
|
||||
// Will contain key, coins
|
||||
unsigned char kr[64];
|
||||
const unsigned char *pk = sk + SABER_INDCPA_SECRETKEYBYTES;
|
||||
|
||||
// buf[0:31] <-- message
|
||||
PQCLEAN_SABER_CLEAN_indcpa_kem_dec(sk, ct, buf);
|
||||
|
||||
|
||||
// Multitarget countermeasure for coins + contributory KEM
|
||||
// Save hash by storing h(pk) in sk
|
||||
for (i = 0; i < 32; i++) {
|
||||
buf[32 + i] = sk[SABER_SECRETKEYBYTES - 64 + i];
|
||||
}
|
||||
|
||||
sha3_512(kr, buf, 64);
|
||||
|
||||
PQCLEAN_SABER_CLEAN_indcpa_kem_enc(buf, kr + 32, pk, cmp);
|
||||
|
||||
|
||||
fail = PQCLEAN_SABER_CLEAN_verify(ct, cmp, SABER_BYTES_CCA_DEC);
|
||||
|
||||
// overwrite coins in kr with h(c)
|
||||
sha3_256(kr + 32, ct, SABER_BYTES_CCA_DEC);
|
||||
|
||||
PQCLEAN_SABER_CLEAN_cmov(kr, sk + SABER_SECRETKEYBYTES - SABER_KEYBYTES, SABER_KEYBYTES, fail);
|
||||
|
||||
// hash concatenation of pre-k and h(c) to k
|
||||
sha3_256(ss, kr, 64);
|
||||
|
||||
return (0);
|
||||
}
|
254
crypto_kem/saber/clean/pack_unpack.c
普通文件
254
crypto_kem/saber/clean/pack_unpack.c
普通文件
@ -0,0 +1,254 @@
|
||||
#include "pack_unpack.h"
|
||||
|
||||
void PQCLEAN_SABER_CLEAN_pack_3bit(uint8_t *bytes, const uint16_t *data) {
|
||||
uint32_t j;
|
||||
uint32_t offset_data, offset_byte;
|
||||
|
||||
for (j = 0; j < SABER_N / 8; j++) {
|
||||
offset_byte = 3 * j;
|
||||
offset_data = 8 * j;
|
||||
bytes[offset_byte + 0] = (data[offset_data + 0] & 0x7) |
|
||||
((data[offset_data + 1] & 0x7) << 3) |
|
||||
((data[offset_data + 2] & 0x3) << 6);
|
||||
bytes[offset_byte + 1] = ((data[offset_data + 2] >> 2 ) & 0x01) |
|
||||
((data[offset_data + 3] & 0x7) << 1) |
|
||||
((data[offset_data + 4] & 0x7) << 4) |
|
||||
(((data[offset_data + 5]) & 0x01) << 7);
|
||||
bytes[offset_byte + 2] = ((data[offset_data + 5] >> 1 ) & 0x03) |
|
||||
((data[offset_data + 6] & 0x7) << 2) |
|
||||
((data[offset_data + 7] & 0x7) << 5);
|
||||
}
|
||||
}
|
||||
|
||||
void PQCLEAN_SABER_CLEAN_un_pack3bit(const uint8_t *bytes, uint16_t *data) {
|
||||
uint32_t j;
|
||||
uint32_t offset_data, offset_byte;
|
||||
|
||||
for (j = 0; j < SABER_N / 8; j++) {
|
||||
offset_byte = 3 * j;
|
||||
offset_data = 8 * j;
|
||||
data[offset_data + 0] = (bytes[offset_byte + 0]) & 0x07;
|
||||
data[offset_data + 1] = ((bytes[offset_byte + 0]) >> 3 ) & 0x07;
|
||||
data[offset_data + 2] = (((bytes[offset_byte + 0]) >> 6 ) & 0x03) |
|
||||
(((bytes[offset_byte + 1]) & 0x01) << 2);
|
||||
data[offset_data + 3] = ((bytes[offset_byte + 1]) >> 1 ) & 0x07;
|
||||
data[offset_data + 4] = ((bytes[offset_byte + 1]) >> 4 ) & 0x07;
|
||||
data[offset_data + 5] = (((bytes[offset_byte + 1]) >> 7 ) & 0x01) |
|
||||
(((bytes[offset_byte + 2]) & 0x03) << 1);
|
||||
data[offset_data + 6] = ((bytes[offset_byte + 2] >> 2) & 0x07);
|
||||
data[offset_data + 7] = ((bytes[offset_byte + 2] >> 5) & 0x07);
|
||||
}
|
||||
}
|
||||
|
||||
void PQCLEAN_SABER_CLEAN_pack_4bit(uint8_t *bytes, const uint16_t *data) {
|
||||
uint32_t j;
|
||||
uint32_t offset_data;
|
||||
|
||||
for (j = 0; j < SABER_N / 2; j++) {
|
||||
offset_data = 2 * j;
|
||||
bytes[j] = (data[offset_data] & 0x0f) |
|
||||
((data[offset_data + 1] & 0x0f) << 4);
|
||||
}
|
||||
}
|
||||
|
||||
void PQCLEAN_SABER_CLEAN_un_pack4bit(const unsigned char *bytes, uint16_t *ar) {
|
||||
uint32_t j;
|
||||
uint32_t offset_data;
|
||||
|
||||
for (j = 0; j < SABER_N / 2; j++) {
|
||||
offset_data = 2 * j;
|
||||
ar[offset_data] = bytes[j] & 0x0f;
|
||||
ar[offset_data + 1] = (bytes[j] >> 4) & 0x0f;
|
||||
}
|
||||
}
|
||||
|
||||
void PQCLEAN_SABER_CLEAN_pack_6bit(uint8_t *bytes, const uint16_t *data) {
|
||||
uint32_t j;
|
||||
uint32_t offset_data, offset_byte;
|
||||
|
||||
for (j = 0; j < SABER_N / 4; j++) {
|
||||
offset_byte = 3 * j;
|
||||
offset_data = 4 * j;
|
||||
bytes[offset_byte + 0] = (data[offset_data + 0] & 0x3f) |
|
||||
((data[offset_data + 1] & 0x03) << 6);
|
||||
bytes[offset_byte + 1] = ((data[offset_data + 1] >> 2) & 0x0f) |
|
||||
((data[offset_data + 2] & 0x0f) << 4);
|
||||
bytes[offset_byte + 2] = ((data[offset_data + 2] >> 4) & 0x03) |
|
||||
((data[offset_data + 3] & 0x3f) << 2);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
void PQCLEAN_SABER_CLEAN_un_pack6bit(const unsigned char *bytes, uint16_t *data) {
|
||||
uint32_t j;
|
||||
uint32_t offset_data, offset_byte;
|
||||
|
||||
for (j = 0; j < SABER_N / 4; j++) {
|
||||
offset_byte = 3 * j;
|
||||
offset_data = 4 * j;
|
||||
data[offset_data + 0] = bytes[offset_byte + 0] & 0x3f;
|
||||
data[offset_data + 1] = ((bytes[offset_byte + 0] >> 6) & 0x03) |
|
||||
((bytes[offset_byte + 1] & 0x0f) << 2);
|
||||
data[offset_data + 2] = ((bytes[offset_byte + 1] & 0xff) >> 4) |
|
||||
((bytes[offset_byte + 2] & 0x03) << 4);
|
||||
data[offset_data + 3] = ((bytes[offset_byte + 2] & 0xff) >> 2);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
static void POLVECp2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N]) {
|
||||
uint32_t i, j;
|
||||
uint32_t offset_data, offset_byte, offset_byte1;
|
||||
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
offset_byte1 = i * (SABER_N * 10) / 8;
|
||||
for (j = 0; j < SABER_N / 4; j++) {
|
||||
offset_byte = offset_byte1 + 5 * j;
|
||||
offset_data = 4 * j;
|
||||
bytes[offset_byte + 0] = (data[i][offset_data + 0] & (0xff));
|
||||
bytes[offset_byte + 1] = ((data[i][offset_data + 0] >> 8) & 0x03) |
|
||||
((data[i][offset_data + 1] & 0x3f) << 2);
|
||||
bytes[offset_byte + 2] = ((data[i][offset_data + 1] >> 6) & 0x0f) |
|
||||
((data[i][offset_data + 2] & 0x0f) << 4);
|
||||
bytes[offset_byte + 3] = ((data[i][offset_data + 2] >> 4) & 0x3f) |
|
||||
((data[i][offset_data + 3] & 0x03) << 6);
|
||||
bytes[offset_byte + 4] = ((data[i][offset_data + 3] >> 2) & 0xff);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
static void BS2POLVECp(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N]) {
|
||||
uint32_t i, j;
|
||||
uint32_t offset_data, offset_byte, offset_byte1;
|
||||
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
offset_byte1 = i * (SABER_N * 10) / 8;
|
||||
for (j = 0; j < SABER_N / 4; j++) {
|
||||
offset_byte = offset_byte1 + 5 * j;
|
||||
offset_data = 4 * j;
|
||||
data[i][offset_data + 0] = (bytes[offset_byte + 0] & (0xff)) |
|
||||
((bytes[offset_byte + 1] & 0x03) << 8);
|
||||
data[i][offset_data + 1] = ((bytes[offset_byte + 1] >> 2) & (0x3f)) |
|
||||
((bytes[offset_byte + 2] & 0x0f) << 6);
|
||||
data[i][offset_data + 2] = ((bytes[offset_byte + 2] >> 4) & (0x0f)) |
|
||||
((bytes[offset_byte + 3] & 0x3f) << 4);
|
||||
data[i][offset_data + 3] = ((bytes[offset_byte + 3] >> 6) & (0x03)) |
|
||||
((bytes[offset_byte + 4] & 0xff) << 2);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
static void POLVECq2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N]) {
|
||||
uint32_t i, j;
|
||||
uint32_t offset_data, offset_byte, offset_byte1;
|
||||
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
offset_byte1 = i * (SABER_N * 13) / 8;
|
||||
for (j = 0; j < SABER_N / 8; j++) {
|
||||
offset_byte = offset_byte1 + 13 * j;
|
||||
offset_data = 8 * j;
|
||||
bytes[offset_byte + 0] = (data[i][offset_data + 0] & (0xff));
|
||||
bytes[offset_byte + 1] = ((data[i][offset_data + 0] >> 8) & 0x1f) |
|
||||
((data[i][offset_data + 1] & 0x07) << 5);
|
||||
bytes[offset_byte + 2] = ((data[i][offset_data + 1] >> 3) & 0xff);
|
||||
bytes[offset_byte + 3] = ((data[i][offset_data + 1] >> 11) & 0x03) |
|
||||
((data[i][offset_data + 2] & 0x3f) << 2);
|
||||
bytes[offset_byte + 4] = ((data[i][offset_data + 2] >> 6) & 0x7f) |
|
||||
((data[i][offset_data + 3] & 0x01) << 7);
|
||||
bytes[offset_byte + 5] = ((data[i][offset_data + 3] >> 1) & 0xff);
|
||||
bytes[offset_byte + 6] = ((data[i][offset_data + 3] >> 9) & 0x0f) |
|
||||
((data[i][offset_data + 4] & 0x0f) << 4);
|
||||
bytes[offset_byte + 7] = ((data[i][offset_data + 4] >> 4) & 0xff);
|
||||
bytes[offset_byte + 8] = ((data[i][offset_data + 4] >> 12) & 0x01) |
|
||||
((data[i][offset_data + 5] & 0x7f) << 1);
|
||||
bytes[offset_byte + 9] = ((data[i][offset_data + 5] >> 7) & 0x3f) |
|
||||
((data[i][offset_data + 6] & 0x03) << 6);
|
||||
bytes[offset_byte + 10] = ((data[i][offset_data + 6] >> 2) & 0xff);
|
||||
bytes[offset_byte + 11] = ((data[i][offset_data + 6] >> 10) & 0x07) |
|
||||
((data[i][offset_data + 7] & 0x1f) << 3);
|
||||
bytes[offset_byte + 12] = ((data[i][offset_data + 7] >> 5) & 0xff);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
static void BS2POLVECq(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N]) {
|
||||
uint32_t i, j;
|
||||
uint32_t offset_data, offset_byte, offset_byte1;
|
||||
|
||||
for (i = 0; i < SABER_K; i++) {
|
||||
offset_byte1 = i * (SABER_N * 13) / 8;
|
||||
for (j = 0; j < SABER_N / 8; j++) {
|
||||
offset_byte = offset_byte1 + 13 * j;
|
||||
offset_data = 8 * j;
|
||||
data[i][offset_data + 0] = (bytes[offset_byte + 0] & (0xff)) |
|
||||
((bytes[offset_byte + 1] & 0x1f) << 8);
|
||||
data[i][offset_data + 1] = (bytes[offset_byte + 1] >> 5 & (0x07)) |
|
||||
((bytes[offset_byte + 2] & 0xff) << 3) |
|
||||
((bytes[offset_byte + 3] & 0x03) << 11);
|
||||
data[i][offset_data + 2] = (bytes[offset_byte + 3] >> 2 & (0x3f)) |
|
||||
((bytes[offset_byte + 4] & 0x7f) << 6);
|
||||
data[i][offset_data + 3] = (bytes[offset_byte + 4] >> 7 & (0x01)) |
|
||||
((bytes[offset_byte + 5] & 0xff) << 1) |
|
||||
((bytes[offset_byte + 6] & 0x0f) << 9);
|
||||
data[i][offset_data + 4] = (bytes[offset_byte + 6] >> 4 & (0x0f)) |
|
||||
((bytes[offset_byte + 7] & 0xff) << 4) |
|
||||
((bytes[offset_byte + 8] & 0x01) << 12);
|
||||
data[i][offset_data + 5] = (bytes[offset_byte + 8] >> 1 & (0x7f)) |
|
||||
((bytes[offset_byte + 9] & 0x3f) << 7);
|
||||
data[i][offset_data + 6] = (bytes[offset_byte + 9] >> 6 & (0x03)) |
|
||||
((bytes[offset_byte + 10] & 0xff) << 2) |
|
||||
((bytes[offset_byte + 11] & 0x07) << 10);
|
||||
data[i][offset_data + 7] = (bytes[offset_byte + 11] >> 3 & (0x1f)) |
|
||||
((bytes[offset_byte + 12] & 0xff) << 5);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
//only BS2POLq no BS2POLp
|
||||
void PQCLEAN_SABER_CLEAN_BS2POL(const unsigned char *bytes, uint16_t data[SABER_N]) {
|
||||
uint32_t j;
|
||||
uint32_t offset_data, offset_byte;
|
||||
|
||||
for (j = 0; j < SABER_N / 8; j++) {
|
||||
offset_byte = 13 * j;
|
||||
offset_data = 8 * j;
|
||||
data[offset_data + 0] = (bytes[offset_byte + 0] & (0xff)) |
|
||||
((bytes[offset_byte + 1] & 0x1f) << 8);
|
||||
data[offset_data + 1] = (bytes[offset_byte + 1] >> 5 & (0x07)) |
|
||||
((bytes[offset_byte + 2] & 0xff) << 3) |
|
||||
((bytes[offset_byte + 3] & 0x03) << 11);
|
||||
data[offset_data + 2] = (bytes[offset_byte + 3] >> 2 & (0x3f)) |
|
||||
((bytes[offset_byte + 4] & 0x7f) << 6);
|
||||
data[offset_data + 3] = (bytes[offset_byte + 4] >> 7 & (0x01)) |
|
||||
((bytes[offset_byte + 5] & 0xff) << 1) |
|
||||
((bytes[offset_byte + 6] & 0x0f) << 9);
|
||||
data[offset_data + 4] = (bytes[offset_byte + 6] >> 4 & (0x0f)) |
|
||||
((bytes[offset_byte + 7] & 0xff) << 4) |
|
||||
((bytes[offset_byte + 8] & 0x01) << 12);
|
||||
data[offset_data + 5] = (bytes[offset_byte + 8] >> 1 & (0x7f)) |
|
||||
((bytes[offset_byte + 9] & 0x3f) << 7);
|
||||
data[offset_data + 6] = (bytes[offset_byte + 9] >> 6 & (0x03)) |
|
||||
((bytes[offset_byte + 10] & 0xff) << 2) |
|
||||
((bytes[offset_byte + 11] & 0x07) << 10);
|
||||
data[offset_data + 7] = (bytes[offset_byte + 11] >> 3 & (0x1f)) |
|
||||
((bytes[offset_byte + 12] & 0xff) << 5);
|
||||
}
|
||||
}
|
||||
|
||||
void PQCLEAN_SABER_CLEAN_POLVEC2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus) {
|
||||
if (modulus == 1024) {
|
||||
POLVECp2BS(bytes, data);
|
||||
} else if (modulus == 8192) {
|
||||
POLVECq2BS(bytes, data);
|
||||
}
|
||||
}
|
||||
|
||||
void PQCLEAN_SABER_CLEAN_BS2POLVEC(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus) {
|
||||
if (modulus == 1024) {
|
||||
BS2POLVECp(bytes, data);
|
||||
} else if (modulus == 8192) {
|
||||
BS2POLVECq(bytes, data);
|
||||
}
|
||||
}
|
@ -0,0 +1,28 @@
|
||||
#ifndef PACK_UNPACK_H
|
||||
#define PACK_UNPACK_H
|
||||
|
||||
#include "SABER_params.h"
|
||||
#include <stdint.h>
|
||||
#include <stdio.h>
|
||||
|
||||
|
||||
void PQCLEAN_SABER_CLEAN_pack_3bit(uint8_t *bytes, const uint16_t *data);
|
||||
|
||||
void PQCLEAN_SABER_CLEAN_un_pack3bit(const uint8_t *bytes, uint16_t *data);
|
||||
|
||||
void PQCLEAN_SABER_CLEAN_pack_4bit(uint8_t *bytes, const uint16_t *data);
|
||||
|
||||
void PQCLEAN_SABER_CLEAN_un_pack4bit(const unsigned char *bytes, uint16_t *ar);
|
||||
|
||||
void PQCLEAN_SABER_CLEAN_pack_6bit(uint8_t *bytes, const uint16_t *data);
|
||||
|
||||
void PQCLEAN_SABER_CLEAN_un_pack6bit(const unsigned char *bytes, uint16_t *data);
|
||||
|
||||
|
||||
void PQCLEAN_SABER_CLEAN_BS2POL(const unsigned char *bytes, uint16_t data[SABER_N]);
|
||||
|
||||
void PQCLEAN_SABER_CLEAN_POLVEC2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus);
|
||||
|
||||
void PQCLEAN_SABER_CLEAN_BS2POLVEC(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus);
|
||||
|
||||
#endif
|
21
crypto_kem/saber/clean/poly.c
普通文件
21
crypto_kem/saber/clean/poly.c
普通文件
@ -0,0 +1,21 @@
|
||||
/*---------------------------------------------------------------------
|
||||
This file has been adapted from the implementation
|
||||
(available at, Public Domain https://github.com/pq-crystals/kyber)
|
||||
of "CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM"
|
||||
by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint,
|
||||
Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle
|
||||
----------------------------------------------------------------------*/
|
||||
#include "SABER_params.h"
|
||||
#include "cbd.h"
|
||||
#include "fips202.h"
|
||||
#include "poly.h"
|
||||
|
||||
void PQCLEAN_SABER_CLEAN_GenSecret(uint16_t r[SABER_K][SABER_N], const unsigned char *seed) {
|
||||
uint8_t buf[SABER_MU * SABER_N * SABER_K / 8];
|
||||
|
||||
shake128(buf, sizeof(buf), seed, SABER_NOISESEEDBYTES);
|
||||
|
||||
for (size_t i = 0; i < SABER_K; i++) {
|
||||
PQCLEAN_SABER_CLEAN_cbd(r[i], buf + i * SABER_MU * SABER_N / 8);
|
||||
}
|
||||
}
|
26
crypto_kem/saber/clean/poly.h
普通文件
26
crypto_kem/saber/clean/poly.h
普通文件
@ -0,0 +1,26 @@
|
||||
#ifndef POLY_H
|
||||
#define POLY_H
|
||||
|
||||
/*---------------------------------------------------------------------
|
||||
This file has been adapted from the implementation
|
||||
(available at, Public Domain https://github.com/pq-crystals/kyber)
|
||||
of "CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM"
|
||||
by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint,
|
||||
Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle
|
||||
----------------------------------------------------------------------*/
|
||||
|
||||
|
||||
#include "SABER_params.h"
|
||||
#include <stdint.h>
|
||||
|
||||
typedef struct {
|
||||
uint16_t coeffs[SABER_N];
|
||||
} poly;
|
||||
|
||||
typedef struct {
|
||||
poly vec[SABER_K];
|
||||
} polyvec;
|
||||
|
||||
void PQCLEAN_SABER_CLEAN_GenSecret(uint16_t r[SABER_K][SABER_N], const unsigned char *seed);
|
||||
|
||||
#endif
|
237
crypto_kem/saber/clean/poly_mul.c
普通文件
237
crypto_kem/saber/clean/poly_mul.c
普通文件
@ -0,0 +1,237 @@
|
||||
#include "poly_mul.h"
|
||||
#include <stdint.h>
|
||||
#include <string.h>
|
||||
|
||||
#define SCHB_N 16
|
||||
|
||||
#define N_RES (SABER_N << 1)
|
||||
#define N_SB (SABER_N >> 2)
|
||||
#define N_SB_RES (2*N_SB-1)
|
||||
|
||||
|
||||
#define KARATSUBA_N 64
|
||||
static void karatsuba_simple(const uint16_t *a_1, const uint16_t *b_1, uint16_t *result_final) {
|
||||
uint16_t d01[KARATSUBA_N / 2 - 1];
|
||||
uint16_t d0123[KARATSUBA_N / 2 - 1];
|
||||
uint16_t d23[KARATSUBA_N / 2 - 1];
|
||||
uint16_t result_d01[KARATSUBA_N - 1];
|
||||
|
||||
int32_t i, j;
|
||||
|
||||
memset(result_d01, 0, (KARATSUBA_N - 1)*sizeof(uint16_t));
|
||||
memset(d01, 0, (KARATSUBA_N / 2 - 1)*sizeof(uint16_t));
|
||||
memset(d0123, 0, (KARATSUBA_N / 2 - 1)*sizeof(uint16_t));
|
||||
memset(d23, 0, (KARATSUBA_N / 2 - 1)*sizeof(uint16_t));
|
||||
memset(result_final, 0, (2 * KARATSUBA_N - 1)*sizeof(uint16_t));
|
||||
|
||||
uint16_t acc1, acc2, acc3, acc4, acc5, acc6, acc7, acc8, acc9, acc10;
|
||||
|
||||
|
||||
for (i = 0; i < KARATSUBA_N / 4; i++) {
|
||||
acc1 = a_1[i]; //a0
|
||||
acc2 = a_1[i + KARATSUBA_N / 4]; //a1
|
||||
acc3 = a_1[i + 2 * KARATSUBA_N / 4]; //a2
|
||||
acc4 = a_1[i + 3 * KARATSUBA_N / 4]; //a3
|
||||
for (j = 0; j < KARATSUBA_N / 4; j++) {
|
||||
|
||||
acc5 = b_1[j]; //b0
|
||||
acc6 = b_1[j + KARATSUBA_N / 4]; //b1
|
||||
|
||||
result_final[i + j + 0 * KARATSUBA_N / 4] = result_final[i + j + 0 * KARATSUBA_N / 4] + acc1 * acc5;
|
||||
result_final[i + j + 2 * KARATSUBA_N / 4] = result_final[i + j + 2 * KARATSUBA_N / 4] + acc2 * acc6;
|
||||
|
||||
acc7 = acc5 + acc6; //b01
|
||||
acc8 = acc1 + acc2; //a01
|
||||
d01[i + j] = d01[i + j] + acc7 * acc8;
|
||||
//--------------------------------------------------------
|
||||
|
||||
acc7 = b_1[j + 2 * KARATSUBA_N / 4]; //b2
|
||||
acc8 = b_1[j + 3 * KARATSUBA_N / 4]; //b3
|
||||
result_final[i + j + 4 * KARATSUBA_N / 4] = result_final[i + j + 4 * KARATSUBA_N / 4] + acc7 * acc3;
|
||||
|
||||
result_final[i + j + 6 * KARATSUBA_N / 4] = result_final[i + j + 6 * KARATSUBA_N / 4] + acc8 * acc4;
|
||||
|
||||
acc9 = acc3 + acc4;
|
||||
acc10 = acc7 + acc8;
|
||||
d23[i + j] = d23[i + j] + acc9 * acc10;
|
||||
//--------------------------------------------------------
|
||||
|
||||
acc5 = acc5 + acc7; //b02
|
||||
acc7 = acc1 + acc3; //a02
|
||||
result_d01[i + j + 0 * KARATSUBA_N / 4] = result_d01[i + j + 0 * KARATSUBA_N / 4] + acc5 * acc7;
|
||||
|
||||
acc6 = acc6 + acc8; //b13
|
||||
acc8 = acc2 + acc4;
|
||||
result_d01[i + j + 2 * KARATSUBA_N / 4] = result_d01[i + j + 2 * KARATSUBA_N / 4] + acc6 * acc8;
|
||||
|
||||
acc5 = acc5 + acc6;
|
||||
acc7 = acc7 + acc8;
|
||||
d0123[i + j] = d0123[i + j] + acc5 * acc7;
|
||||
}
|
||||
}
|
||||
|
||||
// 2nd last stage
|
||||
|
||||
for (i = 0; i < KARATSUBA_N / 2 - 1; i++) {
|
||||
d0123[i] = d0123[i] - result_d01[i + 0 * KARATSUBA_N / 4] - result_d01[i + 2 * KARATSUBA_N / 4];
|
||||
d01[i] = d01[i] - result_final[i + 0 * KARATSUBA_N / 4] - result_final[i + 2 * KARATSUBA_N / 4];
|
||||
d23[i] = d23[i] - result_final[i + 4 * KARATSUBA_N / 4] - result_final[i + 6 * KARATSUBA_N / 4];
|
||||
}
|
||||
|
||||
for (i = 0; i < KARATSUBA_N / 2 - 1; i++) {
|
||||
result_d01[i + 1 * KARATSUBA_N / 4] = result_d01[i + 1 * KARATSUBA_N / 4] + d0123[i];
|
||||
result_final[i + 1 * KARATSUBA_N / 4] = result_final[i + 1 * KARATSUBA_N / 4] + d01[i];
|
||||
result_final[i + 5 * KARATSUBA_N / 4] = result_final[i + 5 * KARATSUBA_N / 4] + d23[i];
|
||||
}
|
||||
|
||||
// Last stage
|
||||
for (i = 0; i < KARATSUBA_N - 1; i++) {
|
||||
result_d01[i] = result_d01[i] - result_final[i] - result_final[i + KARATSUBA_N];
|
||||
}
|
||||
|
||||
for (i = 0; i < KARATSUBA_N - 1; i++) {
|
||||
result_final[i + 1 * KARATSUBA_N / 2] = result_final[i + 1 * KARATSUBA_N / 2] + result_d01[i];
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
static void toom_cook_4way (const uint16_t *a1, const uint16_t *b1, uint16_t *result) {
|
||||
uint16_t inv3 = 43691, inv9 = 36409, inv15 = 61167;
|
||||
|
||||
uint16_t aw1[N_SB], aw2[N_SB], aw3[N_SB], aw4[N_SB], aw5[N_SB], aw6[N_SB], aw7[N_SB];
|
||||
uint16_t bw1[N_SB], bw2[N_SB], bw3[N_SB], bw4[N_SB], bw5[N_SB], bw6[N_SB], bw7[N_SB];
|
||||
uint16_t w1[N_SB_RES] = {0}, w2[N_SB_RES] = {0}, w3[N_SB_RES] = {0}, w4[N_SB_RES] = {0},
|
||||
w5[N_SB_RES] = {0}, w6[N_SB_RES] = {0}, w7[N_SB_RES] = {0};
|
||||
uint16_t r0, r1, r2, r3, r4, r5, r6, r7;
|
||||
uint16_t *A0, *A1, *A2, *A3, *B0, *B1, *B2, *B3;
|
||||
A0 = (uint16_t *)a1;
|
||||
A1 = (uint16_t *)&a1[N_SB];
|
||||
A2 = (uint16_t *)&a1[2 * N_SB];
|
||||
A3 = (uint16_t *)&a1[3 * N_SB];
|
||||
B0 = (uint16_t *)b1;
|
||||
B1 = (uint16_t *)&b1[N_SB];
|
||||
B2 = (uint16_t *)&b1[2 * N_SB];
|
||||
B3 = (uint16_t *)&b1[3 * N_SB];
|
||||
|
||||
uint16_t *C;
|
||||
C = result;
|
||||
|
||||
int i, j;
|
||||
|
||||
// EVALUATION
|
||||
for (j = 0; j < N_SB; ++j) {
|
||||
r0 = A0[j];
|
||||
r1 = A1[j];
|
||||
r2 = A2[j];
|
||||
r3 = A3[j];
|
||||
r4 = r0 + r2;
|
||||
r5 = r1 + r3;
|
||||
r6 = r4 + r5;
|
||||
r7 = r4 - r5;
|
||||
aw3[j] = r6;
|
||||
aw4[j] = r7;
|
||||
r4 = ((r0 << 2) + r2) << 1;
|
||||
r5 = (r1 << 2) + r3;
|
||||
r6 = r4 + r5;
|
||||
r7 = r4 - r5;
|
||||
aw5[j] = r6;
|
||||
aw6[j] = r7;
|
||||
r4 = (r3 << 3) + (r2 << 2) + (r1 << 1) + r0;
|
||||
aw2[j] = r4;
|
||||
aw7[j] = r0;
|
||||
aw1[j] = r3;
|
||||
}
|
||||
for (j = 0; j < N_SB; ++j) {
|
||||
r0 = B0[j];
|
||||
r1 = B1[j];
|
||||
r2 = B2[j];
|
||||
r3 = B3[j];
|
||||
r4 = r0 + r2;
|
||||
r5 = r1 + r3;
|
||||
r6 = r4 + r5;
|
||||
r7 = r4 - r5;
|
||||
bw3[j] = r6;
|
||||
bw4[j] = r7;
|
||||
r4 = ((r0 << 2) + r2) << 1;
|
||||
r5 = (r1 << 2) + r3;
|
||||
r6 = r4 + r5;
|
||||
r7 = r4 - r5;
|
||||
bw5[j] = r6;
|
||||
bw6[j] = r7;
|
||||
r4 = (r3 << 3) + (r2 << 2) + (r1 << 1) + r0;
|
||||
bw2[j] = r4;
|
||||
bw7[j] = r0;
|
||||
bw1[j] = r3;
|
||||
}
|
||||
|
||||
// MULTIPLICATION
|
||||
|
||||
karatsuba_simple(aw1, bw1, w1);
|
||||
karatsuba_simple(aw2, bw2, w2);
|
||||
karatsuba_simple(aw3, bw3, w3);
|
||||
karatsuba_simple(aw4, bw4, w4);
|
||||
karatsuba_simple(aw5, bw5, w5);
|
||||
karatsuba_simple(aw6, bw6, w6);
|
||||
karatsuba_simple(aw7, bw7, w7);
|
||||
|
||||
// INTERPOLATION
|
||||
for (i = 0; i < N_SB_RES; ++i) {
|
||||
r0 = w1[i];
|
||||
r1 = w2[i];
|
||||
r2 = w3[i];
|
||||
r3 = w4[i];
|
||||
r4 = w5[i];
|
||||
r5 = w6[i];
|
||||
r6 = w7[i];
|
||||
|
||||
r1 = r1 + r4;
|
||||
r5 = r5 - r4;
|
||||
r3 = ((r3 - r2) >> 1);
|
||||
r4 = r4 - r0;
|
||||
r4 = r4 - (r6 << 6);
|
||||
r4 = (r4 << 1) + r5;
|
||||
r2 = r2 + r3;
|
||||
r1 = r1 - (r2 << 6) - r2;
|
||||
r2 = r2 - r6;
|
||||
r2 = r2 - r0;
|
||||
r1 = r1 + 45 * r2;
|
||||
r4 = (((r4 - (r2 << 3)) * inv3) >> 3);
|
||||
r5 = r5 + r1;
|
||||
r1 = (((r1 + (r3 << 4)) * inv9) >> 1);
|
||||
r3 = -(r3 + r1);
|
||||
r5 = (((30 * r1 - r5) * inv15) >> 2);
|
||||
r2 = r2 - r4;
|
||||
r1 = r1 - r5;
|
||||
|
||||
C[i] += r6;
|
||||
C[i + 64] += r5;
|
||||
C[i + 128] += r4;
|
||||
C[i + 192] += r3;
|
||||
C[i + 256] += r2;
|
||||
C[i + 320] += r1;
|
||||
C[i + 384] += r0;
|
||||
}
|
||||
}
|
||||
|
||||
void PQCLEAN_SABER_CLEAN_pol_mul(uint16_t *a, uint16_t *b, uint16_t *res, uint16_t p, uint32_t n)
|
||||
|
||||
{
|
||||
uint32_t i;
|
||||
// normal multiplication
|
||||
uint16_t c[512];
|
||||
|
||||
for (i = 0; i < 512; i++) {
|
||||
c[i] = 0;
|
||||
}
|
||||
|
||||
toom_cook_4way(a, b, c);
|
||||
|
||||
// reduction
|
||||
for (i = n; i < 2 * n; i++) {
|
||||
res[i - n] = (c[i - n] - c[i]) & (p - 1);
|
||||
}
|
||||
|
||||
|
||||
}
|
@ -0,0 +1,9 @@
|
||||
#ifndef POLYMUL_H
|
||||
#define POLYMUL_H
|
||||
|
||||
#include "SABER_params.h"
|
||||
#include <stdint.h>
|
||||
|
||||
void PQCLEAN_SABER_CLEAN_pol_mul(uint16_t *a, uint16_t *b, uint16_t *res, uint16_t p, uint32_t n);
|
||||
|
||||
#endif
|
34
crypto_kem/saber/clean/verify.c
普通文件
34
crypto_kem/saber/clean/verify.c
普通文件
@ -0,0 +1,34 @@
|
||||
/*-------------------------------------------------
|
||||
This file has been adapted from the implementation
|
||||
(available at https://github.com/pq-crystals/kyber) of
|
||||
"CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM"
|
||||
by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint,
|
||||
Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle
|
||||
----------------------------------------------------*/
|
||||
#include "verify.h"
|
||||
#include <stdint.h>
|
||||
|
||||
/* returns 0 for equal strings, 1 for non-equal strings */
|
||||
unsigned char PQCLEAN_SABER_CLEAN_verify(const unsigned char *a, const unsigned char *b, size_t len) {
|
||||
uint64_t r;
|
||||
size_t i;
|
||||
|
||||
r = 0;
|
||||
for (i = 0; i < len; i++) {
|
||||
r |= a[i] ^ b[i];
|
||||
}
|
||||
|
||||
r = (~r + 1); // Two's complement
|
||||
r >>= 63;
|
||||
return (unsigned char)r;
|
||||
}
|
||||
|
||||
/* b = 1 means mov, b = 0 means don't mov*/
|
||||
void PQCLEAN_SABER_CLEAN_cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b) {
|
||||
size_t i;
|
||||
|
||||
b = -b;
|
||||
for (i = 0; i < len; i++) {
|
||||
r[i] ^= b & (x[i] ^ r[i]);
|
||||
}
|
||||
}
|
21
crypto_kem/saber/clean/verify.h
普通文件
21
crypto_kem/saber/clean/verify.h
普通文件
@ -0,0 +1,21 @@
|
||||
#ifndef VERIFY_H
|
||||
#define VERIFY_H
|
||||
|
||||
/*-------------------------------------------------
|
||||
This file has been adapted from the implementation
|
||||
(available at https://github.com/pq-crystals/kyber) of
|
||||
"CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM"
|
||||
by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint,
|
||||
Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle
|
||||
----------------------------------------------------*/
|
||||
|
||||
#include <stddef.h>
|
||||
#include <stdint.h>
|
||||
|
||||
/* returns 0 for equal strings, 1 for non-equal strings */
|
||||
unsigned char PQCLEAN_SABER_CLEAN_verify(const unsigned char *a, const unsigned char *b, size_t len);
|
||||
|
||||
/* b = 1 means mov, b = 0 means don't mov*/
|
||||
void PQCLEAN_SABER_CLEAN_cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b);
|
||||
|
||||
#endif
|
@ -0,0 +1,31 @@
|
||||
consistency_checks:
|
||||
- source:
|
||||
scheme: lightsaber
|
||||
implementation: clean
|
||||
files:
|
||||
- cbd.h
|
||||
- kem.c
|
||||
- pack_unpack.c
|
||||
- pack_unpack.h
|
||||
- poly.c
|
||||
- poly.h
|
||||
- poly_mul.c
|
||||
- poly_mul.h
|
||||
- SABER_indcpa.h
|
||||
- verify.c
|
||||
- verify.h
|
||||
- source:
|
||||
scheme: saber
|
||||
implementation: clean
|
||||
files:
|
||||
- cbd.h
|
||||
- kem.c
|
||||
- pack_unpack.c
|
||||
- pack_unpack.h
|
||||
- poly.c
|
||||
- poly.h
|
||||
- poly_mul.c
|
||||
- poly_mul.h
|
||||
- SABER_indcpa.h
|
||||
- verify.c
|
||||
- verify.h
|
@ -0,0 +1,31 @@
|
||||
consistency_checks:
|
||||
- source:
|
||||
scheme: saber
|
||||
implementation: clean
|
||||
files:
|
||||
- cbd.h
|
||||
- kem.c
|
||||
- pack_unpack.c
|
||||
- pack_unpack.h
|
||||
- poly.c
|
||||
- poly.h
|
||||
- poly_mul.c
|
||||
- poly_mul.h
|
||||
- SABER_indcpa.h
|
||||
- verify.c
|
||||
- verify.h
|
||||
- source:
|
||||
scheme: firesaber
|
||||
implementation: clean
|
||||
files:
|
||||
- cbd.h
|
||||
- kem.c
|
||||
- pack_unpack.c
|
||||
- pack_unpack.h
|
||||
- poly.c
|
||||
- poly.h
|
||||
- poly_mul.c
|
||||
- poly_mul.h
|
||||
- SABER_indcpa.h
|
||||
- verify.c
|
||||
- verify.h
|
@ -0,0 +1,31 @@
|
||||
consistency_checks:
|
||||
- source:
|
||||
scheme: lightsaber
|
||||
implementation: clean
|
||||
files:
|
||||
- cbd.h
|
||||
- kem.c
|
||||
- pack_unpack.c
|
||||
- pack_unpack.h
|
||||
- poly.c
|
||||
- poly.h
|
||||
- poly_mul.c
|
||||
- poly_mul.h
|
||||
- SABER_indcpa.h
|
||||
- verify.c
|
||||
- verify.h
|
||||
- source:
|
||||
scheme: firesaber
|
||||
implementation: clean
|
||||
files:
|
||||
- cbd.h
|
||||
- kem.c
|
||||
- pack_unpack.c
|
||||
- pack_unpack.h
|
||||
- poly.c
|
||||
- poly.h
|
||||
- poly_mul.c
|
||||
- poly_mul.h
|
||||
- SABER_indcpa.h
|
||||
- verify.c
|
||||
- verify.h
|
@ -49,7 +49,7 @@ EXPECTED_FIELDS = {
|
||||
'length-secret-key': {'type': int, 'min': 1},
|
||||
'nistkat-sha256': {'type': str, 'length': 64},
|
||||
'principal-submitters': {'type': list, 'elements': {'type': str}},
|
||||
'auxiliary-submitters': {'type': list, 'elements': {'type': str}},
|
||||
'auxiliary-submitters': {'type': list, 'elements': {'type': str}, 'optional' : True},
|
||||
'implementations': {
|
||||
'type': list,
|
||||
'elements': {
|
||||
|
正在加载...
在新工单中引用
屏蔽一个用户