kris/pqc
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

add newhope1024ccakem

Browse Source
This commit is contained in:
Matthias J. Kannwischer 2019-04-29 17:22:02 +02:00
parent 56a3715ddc
commit 5065f46aa7
18 changed files with 1323 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
crypto_kem/newhope1024ccakem/META.yml Normal file
View File

@ -0,0 +1,21 @@
name: NewHope1024CCAKEM
type: kem
claimed-nist-level: 5
length-public-key: 1824
length-secret-key: 3680
length-ciphertext: 2208
length-shared-secret: 32
testvectors-sha256: 233bab7b5e2971b7e271f046e39ba443ffcceada84d3fdb5017d6d3a2e48b0d0
nistkat-sha256: 8500b88222b3a62e57a6ecaac57f79258f08af49211e0c3f2ca7eab8089c0ce0
principal-submitter: Thomas Pöppelmann
auxiliary-submitters:
- Erdem Alkim
- Roberto Avanzi
- Joppe Bos
- Léo Ducas
- Antonio de la Piedra
- Peter Schwabe
- Douglas Stebila
implementations:
- name: clean
version: https://github.com/newhopecrypto/newhope/commit/3fc68c6090b23c56cc190a78af2f43ee8900e9d0

1
crypto_kem/newhope1024ccakem/clean/LICENSE Normal file
View File

@ -0,0 +1 @@
Public Domain

19
crypto_kem/newhope1024ccakem/clean/Makefile Normal file
View File

@ -0,0 +1,19 @@
# This Makefile can be used with GNU Make or BSD Make
LIB=libnewhope1024ccakem_clean.a
HEADERS=api.h cpapke.h ntt.h params.h poly.h reduce.h verify.h
OBJECTS=cpapke.o kem.o ntt.o poly.o precomp.o reduce.o verify.o
CFLAGS=-O3 -Wall -Wextra -Wpedantic -Wvla -Werror -Wmissing-prototypes -std=c99 -I../../../common $(EXTRAFLAGS)
all: $(LIB)
%.o: %.c $(HEADERS)
$(CC) $(CFLAGS) -c -o $@ $<
$(LIB): $(OBJECTS)
$(AR) -r $@ $(OBJECTS)
clean:
$(RM) $(OBJECTS)
$(RM) $(LIB)

19
crypto_kem/newhope1024ccakem/clean/Makefile.Microsoft_nmake Normal file
View File

@ -0,0 +1,19 @@
# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
# nmake /f Makefile.Microsoft_nmake
LIBRARY=libnewhope1024ccakem_clean.lib
OBJECTS=cpapke.obj kem.obj ntt.obj poly.obj precomp.obj reduce.obj verify.obj
CFLAGS=/nologo /I ..\..\..\common /W4 /WX
all: $(LIBRARY)
# Make sure objects are recompiled if headers change.
$(OBJECTS): *.h
$(LIBRARY): $(OBJECTS)
LIB.EXE /NOLOGO /WX /OUT:$@ $**
clean:
-DEL $(OBJECTS)
-DEL $(LIBRARY)

15
crypto_kem/newhope1024ccakem/clean/api.h Normal file
View File

@ -0,0 +1,15 @@
#ifndef PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_API_H
#define PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_API_H
#define PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_CRYPTO_SECRETKEYBYTES 3680
#define PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_CRYPTO_PUBLICKEYBYTES 1824
#define PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_CRYPTO_CIPHERTEXTBYTES 2208
#define PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_CRYPTO_BYTES 32
#define PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_CRYPTO_ALGNAME "NewHope1024-CCAKEM"
int PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk);
int PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk);
int PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk);
#endif

192
crypto_kem/newhope1024ccakem/clean/cpapke.c Normal file
View File

@ -0,0 +1,192 @@
#include "api.h"
#include "cpapke.h"
#include "fips202.h"
#include "poly.h"
#include "randombytes.h"
#include <stdio.h>
/*************************************************
* Name: encode_pk
*
* Description: Serialize the public key as concatenation of the
* serialization of the polynomial pk and the public seed
* used to generete the polynomial a.
*
* Arguments: unsigned char *r: pointer to the output serialized public key
* const poly *pk: pointer to the input public-key polynomial
* const unsigned char *seed: pointer to the input public seed
**************************************************/
static void encode_pk(unsigned char *r, const poly *pk, const unsigned char *seed) {
int i;
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_tobytes(r, pk);
for (i = 0; i < NEWHOPE_SYMBYTES; i++) {
r[NEWHOPE_POLYBYTES + i] = seed[i];
}
}
/*************************************************
* Name: decode_pk
*
* Description: De-serialize the public key; inverse of encode_pk
*
* Arguments: poly *pk: pointer to output public-key polynomial
* unsigned char *seed: pointer to output public seed
* const unsigned char *r: pointer to input byte array
**************************************************/
static void decode_pk(poly *pk, unsigned char *seed, const unsigned char *r) {
int i;
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_frombytes(pk, r);
for (i = 0; i < NEWHOPE_SYMBYTES; i++) {
seed[i] = r[NEWHOPE_POLYBYTES + i];
}
}
/*************************************************
* Name: encode_c
*
* Description: Serialize the ciphertext as concatenation of the
* serialization of the polynomial b and serialization
* of the compressed polynomial v
*
* Arguments: - unsigned char *r: pointer to the output serialized ciphertext
* - const poly *b: pointer to the input polynomial b
* - const poly *v: pointer to the input polynomial v
**************************************************/
static void encode_c(unsigned char *r, const poly *b, const poly *v) {
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_tobytes(r, b);
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_compress(r + NEWHOPE_POLYBYTES, v);
}
/*************************************************
* Name: decode_c
*
* Description: de-serialize the ciphertext; inverse of encode_c
*
* Arguments: - poly *b: pointer to output polynomial b
* - poly *v: pointer to output polynomial v
* - const unsigned char *r: pointer to input byte array
**************************************************/
static void decode_c(poly *b, poly *v, const unsigned char *r) {
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_frombytes(b, r);
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_decompress(v, r + NEWHOPE_POLYBYTES);
}
/*************************************************
* Name: gen_a
*
* Description: Deterministically generate public polynomial a from seed
*
* Arguments: - poly *a: pointer to output polynomial a
* - const unsigned char *seed: pointer to input seed
**************************************************/
static void gen_a(poly *a, const unsigned char *seed) {
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_uniform(a, seed);
}
/*************************************************
* Name: cpapke_keypair
*
* Description: Generates public and private key
* for the CPA public-key encryption scheme underlying
* the NewHope KEMs
*
* Arguments: - unsigned char *pk: pointer to output public key
* - unsigned char *sk: pointer to output private key
**************************************************/
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_cpapke_keypair(unsigned char *pk,
unsigned char *sk) {
poly ahat, ehat, ahat_shat, bhat, shat;
unsigned char z[2 * NEWHOPE_SYMBYTES];
unsigned char *publicseed = z;
unsigned char *noiseseed = z + NEWHOPE_SYMBYTES;
randombytes(z, NEWHOPE_SYMBYTES);
shake256(z, 2 * NEWHOPE_SYMBYTES, z, NEWHOPE_SYMBYTES);
gen_a(&ahat, publicseed);
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_sample(&shat, noiseseed, 0);
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_ntt(&shat);
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_sample(&ehat, noiseseed, 1);
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_ntt(&ehat);
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_mul_pointwise(&ahat_shat, &shat, &ahat);
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_add(&bhat, &ehat, &ahat_shat);
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_tobytes(sk, &shat);
encode_pk(pk, &bhat, publicseed);
}
/*************************************************
* Name: cpapke_enc
*
* Description: Encryption function of
* the CPA public-key encryption scheme underlying
* the NewHope KEMs
*
* Arguments: - unsigned char *c: pointer to output ciphertext
* - const unsigned char *m: pointer to input message (of length NEWHOPE_SYMBYTES bytes)
* - const unsigned char *pk: pointer to input public key
* - const unsigned char *coin: pointer to input random coins used as seed
* to deterministically generate all randomness
**************************************************/
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_cpapke_enc(unsigned char *c,
const unsigned char *m,
const unsigned char *pk,
const unsigned char *coin) {
poly sprime, eprime, vprime, ahat, bhat, eprimeprime, uhat, v;
unsigned char publicseed[NEWHOPE_SYMBYTES];
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_frommsg(&v, m);
decode_pk(&bhat, publicseed, pk);
gen_a(&ahat, publicseed);
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_sample(&sprime, coin, 0);
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_sample(&eprime, coin, 1);
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_sample(&eprimeprime, coin, 2);
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_ntt(&sprime);
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_ntt(&eprime);
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_mul_pointwise(&uhat, &ahat, &sprime);
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_add(&uhat, &uhat, &eprime);
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_mul_pointwise(&vprime, &bhat, &sprime);
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_invntt(&vprime);
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_add(&vprime, &vprime, &eprimeprime);
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_add(&vprime, &vprime, &v); // add message
encode_c(c, &uhat, &vprime);
}
/*************************************************
* Name: cpapke_dec
*
* Description: Decryption function of
* the CPA public-key encryption scheme underlying
* the NewHope KEMs
*
* Arguments: - unsigned char *m: pointer to output decrypted message
* - const unsigned char *c: pointer to input ciphertext
* - const unsigned char *sk: pointer to input secret key
**************************************************/
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_cpapke_dec(unsigned char *m,
const unsigned char *c,
const unsigned char *sk) {
poly vprime, uhat, tmp, shat;
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_frombytes(&shat, sk);
decode_c(&uhat, &vprime, c);
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_mul_pointwise(&tmp, &shat, &uhat);
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_invntt(&tmp);
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_sub(&tmp, &tmp, &vprime);
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_tomsg(m, &tmp);
}

16
crypto_kem/newhope1024ccakem/clean/cpapke.h Normal file
View File

@ -0,0 +1,16 @@
#ifndef INDCPA_H
#define INDCPA_H
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_cpapke_keypair(unsigned char *pk,
unsigned char *sk);
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_cpapke_enc(unsigned char *c,
const unsigned char *m,
const unsigned char *pk,
const unsigned char *coins);
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_cpapke_dec(unsigned char *m,
const unsigned char *c,
const unsigned char *sk);
#endif

116
crypto_kem/newhope1024ccakem/clean/kem.c Normal file
View File

@ -0,0 +1,116 @@
#include "api.h"
#include "cpapke.h"
#include "fips202.h"
#include "params.h"
#include "randombytes.h"
#include "verify.h"
#include <string.h>
/*************************************************
* Name: crypto_kem_keypair
*
* Description: Generates public and private key
* for CCA secure NewHope key encapsulation
* mechanism
*
* Arguments: - unsigned char *pk: pointer to output public key (an already allocated array of CRYPTO_PUBLICKEYBYTES bytes)
* - unsigned char *sk: pointer to output private key (an already allocated array of CRYPTO_SECRETKEYBYTES bytes)
*
* Returns 0 (success)
**************************************************/
int PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) {
size_t i;
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_cpapke_keypair(pk, sk); /* First put the actual secret key into sk */
sk += NEWHOPE_CPAPKE_SECRETKEYBYTES;
for (i = 0; i < NEWHOPE_CPAPKE_PUBLICKEYBYTES; i++) { /* Append the public key for re-encryption */
sk[i] = pk[i];
}
sk += NEWHOPE_CPAPKE_PUBLICKEYBYTES;
shake256(sk, NEWHOPE_SYMBYTES, pk, NEWHOPE_CPAPKE_PUBLICKEYBYTES); /* Append the hash of the public key */
sk += NEWHOPE_SYMBYTES;
randombytes(sk, NEWHOPE_SYMBYTES); /* Append the value s for pseudo-random output on reject */
return 0;
}
/*************************************************
* Name: crypto_kem_enc
*
* Description: Generates cipher text and shared
* secret for given public key
*
* Arguments: - unsigned char *ct: pointer to output cipher text (an already allocated array of CRYPTO_CIPHERTEXTBYTES bytes)
* - unsigned char *ss: pointer to output shared secret (an already allocated array of CRYPTO_BYTES bytes)
* - const unsigned char *pk: pointer to input public key (an already allocated array of CRYPTO_PUBLICKEYBYTES bytes)
*
* Returns 0 (success)
**************************************************/
int PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) {
unsigned char k_coins_d[3 * NEWHOPE_SYMBYTES]; /* Will contain key, coins, qrom-hash */
unsigned char buf[2 * NEWHOPE_SYMBYTES];
int i;
randombytes(buf, NEWHOPE_SYMBYTES);
shake256(buf, NEWHOPE_SYMBYTES, buf, NEWHOPE_SYMBYTES); /* Don't release system RNG output */
shake256(buf + NEWHOPE_SYMBYTES, NEWHOPE_SYMBYTES, pk, NEWHOPE_CCAKEM_PUBLICKEYBYTES); /* Multitarget countermeasure for coins + contributory KEM */
shake256(k_coins_d, 3 * NEWHOPE_SYMBYTES, buf, 2 * NEWHOPE_SYMBYTES);
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_cpapke_enc(ct, buf, pk, k_coins_d + NEWHOPE_SYMBYTES); /* coins are in k_coins_d+NEWHOPE_SYMBYTES */
for (i = 0; i < NEWHOPE_SYMBYTES; i++) {
ct[i + NEWHOPE_CPAPKE_CIPHERTEXTBYTES] = k_coins_d[i + 2 * NEWHOPE_SYMBYTES]; /* copy Targhi-Unruh hash into ct */
}
shake256(k_coins_d + NEWHOPE_SYMBYTES, NEWHOPE_SYMBYTES, ct, NEWHOPE_CCAKEM_CIPHERTEXTBYTES); /* overwrite coins in k_coins_d with h(c) */
shake256(ss, NEWHOPE_SYMBYTES, k_coins_d, 2 * NEWHOPE_SYMBYTES); /* hash concatenation of pre-k and h(c) to ss */
return 0;
}
/*************************************************
* Name: crypto_kem_dec
*
* Description: Generates shared secret for given
* cipher text and private key
*
* Arguments: - unsigned char *ss: pointer to output shared secret (an already allocated array of CRYPTO_BYTES bytes)
* - const unsigned char *ct: pointer to input cipher text (an already allocated array of CRYPTO_CIPHERTEXTBYTES bytes)
* - const unsigned char *sk: pointer to input private key (an already allocated array of CRYPTO_SECRETKEYBYTES bytes)
*
* Returns 0 for sucess or -1 for failure
*
* On failure, ss will contain a randomized value.
**************************************************/
int PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) {
int i, fail;
unsigned char ct_cmp[NEWHOPE_CCAKEM_CIPHERTEXTBYTES];
unsigned char buf[2 * NEWHOPE_SYMBYTES];
unsigned char k_coins_d[3 * NEWHOPE_SYMBYTES]; /* Will contain key, coins, qrom-hash */
const unsigned char *pk = sk + NEWHOPE_CPAPKE_SECRETKEYBYTES;
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_cpapke_dec(buf, ct, sk);
for (i = 0; i < NEWHOPE_SYMBYTES; i++) { /* Use hash of pk stored in sk */
buf[NEWHOPE_SYMBYTES + i] = sk[NEWHOPE_CCAKEM_SECRETKEYBYTES - 2 * NEWHOPE_SYMBYTES + i];
}
shake256(k_coins_d, 3 * NEWHOPE_SYMBYTES, buf, 2 * NEWHOPE_SYMBYTES);
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_cpapke_enc(ct_cmp, buf, pk, k_coins_d + NEWHOPE_SYMBYTES); /* coins are in k_coins_d+NEWHOPE_SYMBYTES */
for (i = 0; i < NEWHOPE_SYMBYTES; i++) {
ct_cmp[i + NEWHOPE_CPAPKE_CIPHERTEXTBYTES] = k_coins_d[i + 2 * NEWHOPE_SYMBYTES];
}
fail = PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_verify(ct, ct_cmp, NEWHOPE_CCAKEM_CIPHERTEXTBYTES);
shake256(k_coins_d + NEWHOPE_SYMBYTES, NEWHOPE_SYMBYTES, ct, NEWHOPE_CCAKEM_CIPHERTEXTBYTES); /* overwrite coins in k_coins_d with h(c) */
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_cmov(k_coins_d, sk + NEWHOPE_CCAKEM_SECRETKEYBYTES - NEWHOPE_SYMBYTES, NEWHOPE_SYMBYTES, fail); /* Overwrite pre-k with z on re-encryption failure */
shake256(ss, NEWHOPE_SYMBYTES, k_coins_d, 2 * NEWHOPE_SYMBYTES); /* hash concatenation of pre-k and h(c) to k */
return 0;
}

127
crypto_kem/newhope1024ccakem/clean/ntt.c Normal file
View File

@ -0,0 +1,127 @@
#include "inttypes.h"
#include "ntt.h"
#include "params.h"
#include "reduce.h"
/************************************************************
* Name: bitrev_table
*
* Description: Contains bit-reversed 10-bit indices to be used to re-order
* polynomials before number theoratic transform
************************************************************/
static uint16_t bitrev_table[NEWHOPE_N] = {
0, 512, 256, 768, 128, 640, 384, 896, 64, 576, 320, 832, 192, 704, 448, 960, 32, 544, 288, 800, 160, 672, 416, 928, 96, 608, 352, 864, 224, 736, 480, 992,
16, 528, 272, 784, 144, 656, 400, 912, 80, 592, 336, 848, 208, 720, 464, 976, 48, 560, 304, 816, 176, 688, 432, 944, 112, 624, 368, 880, 240, 752, 496, 1008,
8, 520, 264, 776, 136, 648, 392, 904, 72, 584, 328, 840, 200, 712, 456, 968, 40, 552, 296, 808, 168, 680, 424, 936, 104, 616, 360, 872, 232, 744, 488, 1000,
24, 536, 280, 792, 152, 664, 408, 920, 88, 600, 344, 856, 216, 728, 472, 984, 56, 568, 312, 824, 184, 696, 440, 952, 120, 632, 376, 888, 248, 760, 504, 1016,
4, 516, 260, 772, 132, 644, 388, 900, 68, 580, 324, 836, 196, 708, 452, 964, 36, 548, 292, 804, 164, 676, 420, 932, 100, 612, 356, 868, 228, 740, 484, 996,
20, 532, 276, 788, 148, 660, 404, 916, 84, 596, 340, 852, 212, 724, 468, 980, 52, 564, 308, 820, 180, 692, 436, 948, 116, 628, 372, 884, 244, 756, 500, 1012,
12, 524, 268, 780, 140, 652, 396, 908, 76, 588, 332, 844, 204, 716, 460, 972, 44, 556, 300, 812, 172, 684, 428, 940, 108, 620, 364, 876, 236, 748, 492, 1004,
28, 540, 284, 796, 156, 668, 412, 924, 92, 604, 348, 860, 220, 732, 476, 988, 60, 572, 316, 828, 188, 700, 444, 956, 124, 636, 380, 892, 252, 764, 508, 1020,
2, 514, 258, 770, 130, 642, 386, 898, 66, 578, 322, 834, 194, 706, 450, 962, 34, 546, 290, 802, 162, 674, 418, 930, 98, 610, 354, 866, 226, 738, 482, 994,
18, 530, 274, 786, 146, 658, 402, 914, 82, 594, 338, 850, 210, 722, 466, 978, 50, 562, 306, 818, 178, 690, 434, 946, 114, 626, 370, 882, 242, 754, 498, 1010,
10, 522, 266, 778, 138, 650, 394, 906, 74, 586, 330, 842, 202, 714, 458, 970, 42, 554, 298, 810, 170, 682, 426, 938, 106, 618, 362, 874, 234, 746, 490, 1002,
26, 538, 282, 794, 154, 666, 410, 922, 90, 602, 346, 858, 218, 730, 474, 986, 58, 570, 314, 826, 186, 698, 442, 954, 122, 634, 378, 890, 250, 762, 506, 1018,
6, 518, 262, 774, 134, 646, 390, 902, 70, 582, 326, 838, 198, 710, 454, 966, 38, 550, 294, 806, 166, 678, 422, 934, 102, 614, 358, 870, 230, 742, 486, 998,
22, 534, 278, 790, 150, 662, 406, 918, 86, 598, 342, 854, 214, 726, 470, 982, 54, 566, 310, 822, 182, 694, 438, 950, 118, 630, 374, 886, 246, 758, 502, 1014,
14, 526, 270, 782, 142, 654, 398, 910, 78, 590, 334, 846, 206, 718, 462, 974, 46, 558, 302, 814, 174, 686, 430, 942, 110, 622, 366, 878, 238, 750, 494, 1006,
30, 542, 286, 798, 158, 670, 414, 926, 94, 606, 350, 862, 222, 734, 478, 990, 62, 574, 318, 830, 190, 702, 446, 958, 126, 638, 382, 894, 254, 766, 510, 1022,
1, 513, 257, 769, 129, 641, 385, 897, 65, 577, 321, 833, 193, 705, 449, 961, 33, 545, 289, 801, 161, 673, 417, 929, 97, 609, 353, 865, 225, 737, 481, 993,
17, 529, 273, 785, 145, 657, 401, 913, 81, 593, 337, 849, 209, 721, 465, 977, 49, 561, 305, 817, 177, 689, 433, 945, 113, 625, 369, 881, 241, 753, 497, 1009,
9, 521, 265, 777, 137, 649, 393, 905, 73, 585, 329, 841, 201, 713, 457, 969, 41, 553, 297, 809, 169, 681, 425, 937, 105, 617, 361, 873, 233, 745, 489, 1001,
25, 537, 281, 793, 153, 665, 409, 921, 89, 601, 345, 857, 217, 729, 473, 985, 57, 569, 313, 825, 185, 697, 441, 953, 121, 633, 377, 889, 249, 761, 505, 1017,
5, 517, 261, 773, 133, 645, 389, 901, 69, 581, 325, 837, 197, 709, 453, 965, 37, 549, 293, 805, 165, 677, 421, 933, 101, 613, 357, 869, 229, 741, 485, 997,
21, 533, 277, 789, 149, 661, 405, 917, 85, 597, 341, 853, 213, 725, 469, 981, 53, 565, 309, 821, 181, 693, 437, 949, 117, 629, 373, 885, 245, 757, 501, 1013,
13, 525, 269, 781, 141, 653, 397, 909, 77, 589, 333, 845, 205, 717, 461, 973, 45, 557, 301, 813, 173, 685, 429, 941, 109, 621, 365, 877, 237, 749, 493, 1005,
29, 541, 285, 797, 157, 669, 413, 925, 93, 605, 349, 861, 221, 733, 477, 989, 61, 573, 317, 829, 189, 701, 445, 957, 125, 637, 381, 893, 253, 765, 509, 1021,
3, 515, 259, 771, 131, 643, 387, 899, 67, 579, 323, 835, 195, 707, 451, 963, 35, 547, 291, 803, 163, 675, 419, 931, 99, 611, 355, 867, 227, 739, 483, 995,
19, 531, 275, 787, 147, 659, 403, 915, 83, 595, 339, 851, 211, 723, 467, 979, 51, 563, 307, 819, 179, 691, 435, 947, 115, 627, 371, 883, 243, 755, 499, 1011,
11, 523, 267, 779, 139, 651, 395, 907, 75, 587, 331, 843, 203, 715, 459, 971, 43, 555, 299, 811, 171, 683, 427, 939, 107, 619, 363, 875, 235, 747, 491, 1003,
27, 539, 283, 795, 155, 667, 411, 923, 91, 603, 347, 859, 219, 731, 475, 987, 59, 571, 315, 827, 187, 699, 443, 955, 123, 635, 379, 891, 251, 763, 507, 1019,
7, 519, 263, 775, 135, 647, 391, 903, 71, 583, 327, 839, 199, 711, 455, 967, 39, 551, 295, 807, 167, 679, 423, 935, 103, 615, 359, 871, 231, 743, 487, 999,
23, 535, 279, 791, 151, 663, 407, 919, 87, 599, 343, 855, 215, 727, 471, 983, 55, 567, 311, 823, 183, 695, 439, 951, 119, 631, 375, 887, 247, 759, 503, 1015,
15, 527, 271, 783, 143, 655, 399, 911, 79, 591, 335, 847, 207, 719, 463, 975, 47, 559, 303, 815, 175, 687, 431, 943, 111, 623, 367, 879, 239, 751, 495, 1007,
31, 543, 287, 799, 159, 671, 415, 927, 95, 607, 351, 863, 223, 735, 479, 991, 63, 575, 319, 831, 191, 703, 447, 959, 127, 639, 383, 895, 255, 767, 511, 1023
};
/*************************************************
* Name: bitrev_vector
*
* Description: Permutes coefficients of a polynomial into bitreversed order
*
* Arguments: - uint16_t* poly: pointer to in/output polynomial
**************************************************/
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_bitrev_vector(uint16_t *poly) {
unsigned int i, r;
uint16_t tmp;
for (i = 0; i < NEWHOPE_N; i++) {
r = bitrev_table[i];
if (i < r) {
tmp = poly[i];
poly[i] = poly[r];
poly[r] = tmp;
}
}
}
/*************************************************
* Name: mul_coefficients
*
* Description: Performs pointwise (coefficient-wise) multiplication
* of two polynomials
* Arguments: - uint16_t* poly: pointer to in/output polynomial
* - const uint16_t* factors: pointer to input polynomial, coefficients
* are assumed to be in Montgomery representation
**************************************************/
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_mul_coefficients(uint16_t *poly, const uint16_t *factors) {
unsigned int i;
for (i = 0; i < NEWHOPE_N; i++) {
poly[i] = PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_montgomery_reduce((poly[i] * factors[i]));
}
}
void /*************************************************
* Name: ntt
*
* Description: Computes number-theoretic transform (NTT) of
* a polynomial in place; inputs assumed to be in
* bitreversed order, output in normal order
*
* Arguments: - uint16_t * a: pointer to in/output polynomial
* - const uint16_t* omega: pointer to input powers of root of unity omega;
* assumed to be in Montgomery domain
**************************************************/
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_ntt(uint16_t *a, const uint16_t *omega) {
int i, start, j, jTwiddle, distance;
uint16_t temp, W;
for (i = 0; i < 10; i += 2) {
// Even level
distance = (1 << i);
for (start = 0; start < distance; start++) {
jTwiddle = 0;
for (j = start; j < NEWHOPE_N - 1; j += 2 * distance) {
W = omega[jTwiddle++];
temp = a[j];
a[j] = (temp + a[j + distance]); // Omit reduction (be lazy)
a[j + distance] = PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_montgomery_reduce((W * ((uint32_t)temp + 3 * NEWHOPE_Q - a[j + distance])));
}
}
// Odd level
distance <<= 1;
for (start = 0; start < distance; start++) {
jTwiddle = 0;
for (j = start; j < NEWHOPE_N - 1; j += 2 * distance) {
W = omega[jTwiddle++];
temp = a[j];
a[j] = (temp + a[j + distance]) % NEWHOPE_Q;
a[j + distance] = PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_montgomery_reduce((W * ((uint32_t)temp + 3 * NEWHOPE_Q - a[j + distance])));
}
}
}
}

14
crypto_kem/newhope1024ccakem/clean/ntt.h Normal file
View File

@ -0,0 +1,14 @@
#ifndef NTT_H
#define NTT_H
#include "inttypes.h"
extern const uint16_t PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_omegas_inv_bitrev_montgomery[];
extern const uint16_t PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_gammas_bitrev_montgomery[];
extern const uint16_t PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_gammas_inv_montgomery[];
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_bitrev_vector(uint16_t *poly);
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_mul_coefficients(uint16_t *poly, const uint16_t *factors);
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_ntt(uint16_t *a, const uint16_t *omegas);
#endif

25
crypto_kem/newhope1024ccakem/clean/params.h Normal file
View File

@ -0,0 +1,25 @@
#ifndef PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_PARAMS_H
#define PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_PARAMS_H
#define NEWHOPE_N 1024
#define NEWHOPE_Q 12289
#define NEWHOPE_K 8 /* used in noise sampling */
#define NEWHOPE_SYMBYTES 32 /* size of shared key, seeds/coins, and hashes */
#define NEWHOPE_POLYBYTES ((14*NEWHOPE_N)/8)
#define NEWHOPE_POLYCOMPRESSEDBYTES (( 3*NEWHOPE_N)/8)
#define NEWHOPE_CPAPKE_PUBLICKEYBYTES (NEWHOPE_POLYBYTES + NEWHOPE_SYMBYTES)
#define NEWHOPE_CPAPKE_SECRETKEYBYTES (NEWHOPE_POLYBYTES)
#define NEWHOPE_CPAPKE_CIPHERTEXTBYTES (NEWHOPE_POLYBYTES + NEWHOPE_POLYCOMPRESSEDBYTES)
#define NEWHOPE_CPAKEM_PUBLICKEYBYTES NEWHOPE_CPAPKE_PUBLICKEYBYTES
#define NEWHOPE_CPAKEM_SECRETKEYBYTES NEWHOPE_CPAPKE_SECRETKEYBYTES
#define NEWHOPE_CPAKEM_CIPHERTEXTBYTES NEWHOPE_CPAPKE_CIPHERTEXTBYTES
#define NEWHOPE_CCAKEM_PUBLICKEYBYTES NEWHOPE_CPAPKE_PUBLICKEYBYTES
#define NEWHOPE_CCAKEM_SECRETKEYBYTES (NEWHOPE_CPAPKE_SECRETKEYBYTES + NEWHOPE_CPAPKE_PUBLICKEYBYTES + 2*NEWHOPE_SYMBYTES)
#define NEWHOPE_CCAKEM_CIPHERTEXTBYTES (NEWHOPE_CPAPKE_CIPHERTEXTBYTES + NEWHOPE_SYMBYTES) /* Second part is for Targhi-Unruh */
#endif

370
crypto_kem/newhope1024ccakem/clean/poly.c Normal file
View File

@ -0,0 +1,370 @@
#include "fips202.h"
#include "ntt.h"
#include "poly.h"
#include "reduce.h"
/*************************************************
* Name: coeff_freeze
*
* Description: Fully reduces an integer modulo q in constant time
*
* Arguments: uint16_t x: input integer to be reduced
*
* Returns integer in {0,...,q-1} congruent to x modulo q
**************************************************/
static uint16_t coeff_freeze(uint16_t x) {
uint16_t m, r;
int16_t c;
r = x % NEWHOPE_Q;
m = r - NEWHOPE_Q;
c = m;
c >>= 15;
r = m ^ ((r ^ m)&c);
return r;
}
/*************************************************
* Name: flipabs
*
* Description: Computes |(x mod q) - Q/2|
*
* Arguments: uint16_t x: input coefficient
*
* Returns |(x mod q) - Q/2|
**************************************************/
static uint16_t flipabs(uint16_t x) {
int16_t r, m;
r = coeff_freeze(x);
r = r - NEWHOPE_Q / 2;
m = r >> 15;
return (r + m) ^ m;
}
/*************************************************
* Name: poly_frombytes
*
* Description: De-serialization of a polynomial
*
* Arguments: - poly *r: pointer to output polynomial
* - const unsigned char *a: pointer to input byte array
**************************************************/
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_frombytes(poly *r, const unsigned char *a) {
int i;
for (i = 0; i < NEWHOPE_N / 4; i++) {
r->coeffs[4 * i + 0] = a[7 * i + 0] | (((uint16_t)a[7 * i + 1] & 0x3f) << 8);
r->coeffs[4 * i + 1] = (a[7 * i + 1] >> 6) | (((uint16_t)a[7 * i + 2]) << 2) | (((uint16_t)a[7 * i + 3] & 0x0f) << 10);
r->coeffs[4 * i + 2] = (a[7 * i + 3] >> 4) | (((uint16_t)a[7 * i + 4]) << 4) | (((uint16_t)a[7 * i + 5] & 0x03) << 12);
r->coeffs[4 * i + 3] = (a[7 * i + 5] >> 2) | (((uint16_t)a[7 * i + 6]) << 6);
}
}
/*************************************************
* Name: poly_tobytes
*
* Description: Serialization of a polynomial
*
* Arguments: - unsigned char *r: pointer to output byte array
* - const poly *p: pointer to input polynomial
**************************************************/
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_tobytes(unsigned char *r, const poly *p) {
int i;
uint16_t t0, t1, t2, t3;
for (i = 0; i < NEWHOPE_N / 4; i++) {
t0 = coeff_freeze(p->coeffs[4 * i + 0]);
t1 = coeff_freeze(p->coeffs[4 * i + 1]);
t2 = coeff_freeze(p->coeffs[4 * i + 2]);
t3 = coeff_freeze(p->coeffs[4 * i + 3]);
r[7 * i + 0] = t0 & 0xff;
r[7 * i + 1] = (t0 >> 8) | (t1 << 6);
r[7 * i + 2] = (t1 >> 2);
r[7 * i + 3] = (t1 >> 10) | (t2 << 4);
r[7 * i + 4] = (t2 >> 4);
r[7 * i + 5] = (t2 >> 12) | (t3 << 2);
r[7 * i + 6] = (t3 >> 6);
}
}
/*************************************************
* Name: poly_compress
*
* Description: Compression and subsequent serialization of a polynomial
*
* Arguments: - unsigned char *r: pointer to output byte array
* - const poly *p: pointer to input polynomial
**************************************************/
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_compress(unsigned char *r, const poly *p) {
unsigned int i, j, k = 0;
uint32_t t[8];
for (i = 0; i < NEWHOPE_N; i += 8) {
for (j = 0; j < 8; j++) {
t[j] = coeff_freeze(p->coeffs[i + j]);
t[j] = (((t[j] << 3) + NEWHOPE_Q / 2) / NEWHOPE_Q) & 0x7;
}
r[k] = t[0] | (t[1] << 3) | (t[2] << 6);
r[k + 1] = (t[2] >> 2) | (t[3] << 1) | (t[4] << 4) | (t[5] << 7);
r[k + 2] = (t[5] >> 1) | (t[6] << 2) | (t[7] << 5);
k += 3;
}
}
/*************************************************
* Name: poly_decompress
*
* Description: De-serialization and subsequent decompression of a polynomial;
* approximate inverse of poly_compress
*
* Arguments: - poly *r: pointer to output polynomial
* - const unsigned char *a: pointer to input byte array
**************************************************/
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_decompress(poly *r, const unsigned char *a) {
unsigned int i, j;
for (i = 0; i < NEWHOPE_N; i += 8) {
r->coeffs[i + 0] = a[0] & 7;
r->coeffs[i + 1] = (a[0] >> 3) & 7;
r->coeffs[i + 2] = (a[0] >> 6) | ((a[1] << 2) & 4);
r->coeffs[i + 3] = (a[1] >> 1) & 7;
r->coeffs[i + 4] = (a[1] >> 4) & 7;
r->coeffs[i + 5] = (a[1] >> 7) | ((a[2] << 1) & 6);
r->coeffs[i + 6] = (a[2] >> 2) & 7;
r->coeffs[i + 7] = (a[2] >> 5);
a += 3;
for (j = 0; j < 8; j++) {
r->coeffs[i + j] = ((uint32_t)r->coeffs[i + j] * NEWHOPE_Q + 4) >> 3;
}
}
}
/*************************************************
* Name: poly_frommsg
*
* Description: Convert 32-byte message to polynomial
*
* Arguments: - poly *r: pointer to output polynomial
* - const unsigned char *msg: pointer to input message
**************************************************/
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_frommsg(poly *r, const unsigned char *msg) {
unsigned int i, j, mask;
for (i = 0; i < 32; i++) { // XXX: MACRO for 32
for (j = 0; j < 8; j++) {
mask = -((msg[i] >> j) & 1);
r->coeffs[8 * i + j + 0] = mask & (NEWHOPE_Q / 2);
r->coeffs[8 * i + j + 256] = mask & (NEWHOPE_Q / 2);
r->coeffs[8 * i + j + 512] = mask & (NEWHOPE_Q / 2);
r->coeffs[8 * i + j + 768] = mask & (NEWHOPE_Q / 2);
}
}
}
/*************************************************
* Name: poly_tomsg
*
* Description: Convert polynomial to 32-byte message
*
* Arguments: - unsigned char *msg: pointer to output message
* - const poly *x: pointer to input polynomial
**************************************************/
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_tomsg(unsigned char *msg, const poly *x) {
unsigned int i;
uint16_t t;
for (i = 0; i < 32; i++) {
msg[i] = 0;
}
for (i = 0; i < 256; i++) {
t = flipabs(x->coeffs[i + 0]);
t += flipabs(x->coeffs[i + 256]);
t += flipabs(x->coeffs[i + 512]);
t += flipabs(x->coeffs[i + 768]);
t = ((t - NEWHOPE_Q));
t >>= 15;
msg[i >> 3] |= t << (i & 7);
}
}
/*************************************************
* Name: poly_uniform
*
* Description: Sample a polynomial deterministically from a seed,
* with output polynomial looking uniformly random
*
* Arguments: - poly *a: pointer to output polynomial
* - const unsigned char *seed: pointer to input seed
**************************************************/
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_uniform(poly *a, const unsigned char *seed) {
unsigned int ctr = 0;
uint16_t val;
uint64_t state[25];
uint8_t buf[SHAKE128_RATE];
uint8_t extseed[NEWHOPE_SYMBYTES + 1];
int i, j;
for (i = 0; i < NEWHOPE_SYMBYTES; i++) {
extseed[i] = seed[i];
}
for (i = 0; i < NEWHOPE_N / 64; i++) { /* generate a in blocks of 64 coefficients */
ctr = 0;
extseed[NEWHOPE_SYMBYTES] = i; /* domain-separate the 16 independent calls */
shake128_absorb(state, extseed, NEWHOPE_SYMBYTES + 1);
while (ctr < 64) { /* Very unlikely to run more than once */
shake128_squeezeblocks(buf, 1, state);
for (j = 0; j < SHAKE128_RATE && ctr < 64; j += 2) {
val = (buf[j] | ((uint16_t) buf[j + 1] << 8));
if (val < 5 * NEWHOPE_Q) {
a->coeffs[i * 64 + ctr] = val;
ctr++;
}
}
}
}
}
/*************************************************
* Name: hw
*
* Description: Compute the Hamming weight of a byte
*
* Arguments: - unsigned char a: input byte
**************************************************/
static unsigned char hw(unsigned char a) {
unsigned char i, r = 0;
for (i = 0; i < 8; i++) {
r += (a >> i) & 1;
}
return r;
}
/*************************************************
* Name: poly_sample
*
* Description: Sample a polynomial deterministically from a seed and a nonce,
* with output polynomial close to centered binomial distribution
* with parameter k=8
*
* Arguments: - poly *r: pointer to output polynomial
* - const unsigned char *seed: pointer to input seed
* - unsigned char nonce: one-byte input nonce
**************************************************/
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_sample(poly *r, const unsigned char *seed, unsigned char nonce) {
unsigned char buf[128], a, b;
// uint32_t t, d, a, b, c;
int i, j;
unsigned char extseed[NEWHOPE_SYMBYTES + 2];
for (i = 0; i < NEWHOPE_SYMBYTES; i++) {
extseed[i] = seed[i];
}
extseed[NEWHOPE_SYMBYTES] = nonce;
for (i = 0; i < NEWHOPE_N / 64; i++) { /* Generate noise in blocks of 64 coefficients */
extseed[NEWHOPE_SYMBYTES + 1] = i;
shake256(buf, 128, extseed, NEWHOPE_SYMBYTES + 2);
for (j = 0; j < 64; j++) {
a = buf[2 * j];
b = buf[2 * j + 1];
r->coeffs[64 * i + j] = hw(a) + NEWHOPE_Q - hw(b);
/*
t = buf[j] | ((uint32_t)buf[j+1] << 8) | ((uint32_t)buf[j+2] << 16) | ((uint32_t)buf[j+3] << 24);
d = 0;
for(k=0;k<8;k++)
d += (t >> k) & 0x01010101;
a = d & 0xff;
b = ((d >> 8) & 0xff);
c = ((d >> 16) & 0xff);
d >>= 24;
r->coeffs[64*i+j/2] = a + NEWHOPE_Q - b;
r->coeffs[64*i+j/2+1] = c + NEWHOPE_Q - d;
*/
}
}
}
/*************************************************
* Name: poly_pointwise
*
* Description: Multiply two polynomials pointwise (i.e., coefficient-wise).
*
* Arguments: - poly *r: pointer to output polynomial
* - const poly *a: pointer to first input polynomial
* - const poly *b: pointer to second input polynomial
**************************************************/
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_mul_pointwise(poly *r, const poly *a, const poly *b) {
int i;
uint16_t t;
for (i = 0; i < NEWHOPE_N; i++) {
t = PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_montgomery_reduce(3186 * b->coeffs[i]); /* t is now in Montgomery domain */
r->coeffs[i] = PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_montgomery_reduce(a->coeffs[i] * t); /* r->coeffs[i] is back in normal domain */
}
}
/*************************************************
* Name: poly_add
*
* Description: Add two polynomials
*
* Arguments: - poly *r: pointer to output polynomial
* - const poly *a: pointer to first input polynomial
* - const poly *b: pointer to second input polynomial
**************************************************/
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_add(poly *r, const poly *a, const poly *b) {
int i;
for (i = 0; i < NEWHOPE_N; i++) {
r->coeffs[i] = (a->coeffs[i] + b->coeffs[i]) % NEWHOPE_Q;
}
}
/*************************************************
* Name: poly_sub
*
* Description: Subtract two polynomials
*
* Arguments: - poly *r: pointer to output polynomial
* - const poly *a: pointer to first input polynomial
* - const poly *b: pointer to second input polynomial
**************************************************/
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_sub(poly *r, const poly *a, const poly *b) {
int i;
for (i = 0; i < NEWHOPE_N; i++) {
r->coeffs[i] = (a->coeffs[i] + 3 * NEWHOPE_Q - b->coeffs[i]) % NEWHOPE_Q;
}
}
/*************************************************
* Name: poly_ntt
*
* Description: Forward NTT transform of a polynomial in place
* Input is assumed to have coefficients in bitreversed order
* Output has coefficients in normal order
*
* Arguments: - poly *r: pointer to in/output polynomial
**************************************************/
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_ntt(poly *r) {
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_mul_coefficients(r->coeffs, PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_gammas_bitrev_montgomery);
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_ntt((uint16_t *)r->coeffs, PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_gammas_bitrev_montgomery);
}
/*************************************************
* Name: poly_invntt
*
* Description: Inverse NTT transform of a polynomial in place
* Input is assumed to have coefficients in normal order
* Output has coefficients in normal order
*
* Arguments: - poly *r: pointer to in/output polynomial
**************************************************/
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_invntt(poly *r) {
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_bitrev_vector(r->coeffs);
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_ntt((uint16_t *)r->coeffs, PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_omegas_inv_bitrev_montgomery);
PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_mul_coefficients(r->coeffs, PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_gammas_inv_montgomery);
}

32
crypto_kem/newhope1024ccakem/clean/poly.h Normal file
View File

@ -0,0 +1,32 @@
#ifndef POLY_H
#define POLY_H
#include "params.h"
#include <stdint.h>
/*
* Elements of R_q = Z_q[X]/(X^n + 1). Represents polynomial
* coeffs[0] + X*coeffs[1] + X^2*xoeffs[2] + ... + X^{n-1}*coeffs[n-1]
*/
typedef struct {
uint16_t coeffs[NEWHOPE_N];
} poly;
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_uniform(poly *a, const unsigned char *seed);
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_sample(poly *r, const unsigned char *seed, unsigned char nonce);
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_add(poly *r, const poly *a, const poly *b);
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_ntt(poly *r);
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_invntt(poly *r);
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_mul_pointwise(poly *r, const poly *a, const poly *b);
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_frombytes(poly *r, const unsigned char *a);
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_tobytes(unsigned char *r, const poly *p);
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_compress(unsigned char *r, const poly *p);
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_decompress(poly *r, const unsigned char *a);
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_frommsg(poly *r, const unsigned char *msg);
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_tomsg(unsigned char *msg, const poly *x);
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_poly_sub(poly *r, const poly *a, const poly *b);
#endif

261
crypto_kem/newhope1024ccakem/clean/precomp.c Normal file
View File

@ -0,0 +1,261 @@
#include "inttypes.h"
#include "ntt.h"
#include "params.h"
/* Precomputed NTT contants generated by Pari/GP script as follows:
*
* For n = 512:
*
* brv = [0,256,128,384,64,320,192,448,32,288,160,416,96,352,224,480,16,272,144,400,80,336,208,464,48,304,176,432,112,368,240,496,8,
* 264,136,392,72,328,200,456,40,296,168,424,104,360,232,488,24,280,152,408,88,344,216,472,56,312,184,440,120,376,248,504,4,
* 260,132,388,68,324,196,452,36,292,164,420,100,356,228,484,20,276,148,404,84,340,212,468,52,308,180,436,116,372,244,500,12,
* 268,140,396,76,332,204,460,44,300,172,428,108,364,236,492,28,284,156,412,92,348,220,476,60,316,188,444,124,380,252,508,2,
* 258,130,386,66,322,194,450,34,290,162,418,98,354,226,482,18,274,146,402,82,338,210,466,50,306,178,434,114,370,242,498,10,
* 266,138,394,74,330,202,458,42,298,170,426,106,362,234,490,26,282,154,410,90,346,218,474,58,314,186,442,122,378,250,506,6,
* 262,134,390,70,326,198,454,38,294,166,422,102,358,230,486,22,278,150,406,86,342,214,470,54,310,182,438,118,374,246,502,14,
* 270,142,398,78,334,206,462,46,302,174,430,110,366,238,494,30,286,158,414,94,350,222,478,62,318,190,446,126,382,254,510,1,
* 257,129,385,65,321,193,449,33,289,161,417,97,353,225,481,17,273,145,401,81,337,209,465,49,305,177,433,113,369,241,497,9,
* 265,137,393,73,329,201,457,41,297,169,425,105,361,233,489,25,281,153,409,89,345,217,473,57,313,185,441,121,377,249,505,5,
* 261,133,389,69,325,197,453,37,293,165,421,101,357,229,485,21,277,149,405,85,341,213,469,53,309,181,437,117,373,245,501,13,
* 269,141,397,77,333,205,461,45,301,173,429,109,365,237,493,29,285,157,413,93,349,221,477,61,317,189,445,125,381,253,509,3,
* 259,131,387,67,323,195,451,35,291,163,419,99,355,227,483,19,275,147,403,83,339,211,467,51,307,179,435,115,371,243,499,11,
* 267,139,395,75,331,203,459,43,299,171,427,107,363,235,491,27,283,155,411,91,347,219,475,59,315,187,443,123,379,251,507,7,
* 263,135,391,71,327,199,455,39,295,167,423,103,359,231,487,23,279,151,407,87,343,215,471,55,311,183,439,119,375,247,503,15,
* 271,143,399,79,335,207,463,47,303,175,431,111,367,239,495,31,287,159,415,95,351,223,479,63,319,191,447,127,383,255,511]
* n = 512; q = 12289; mont=2^18
* g = Mod(10968, q);
* omegas_inv_bitrev_montgomery = lift(vector(n/2, i, (g^2)^(-brv[2*(i-1)+1])*mont))
* gammas_bitrev_montgomery = lift(vector(n, i, g^(brv[i])*mont))
* gammas_inv_montgomery = lift(vector(n, i, g^(-(i-1))/n*mont))
*
*
* For n = 1024:
*
* brv = [0,512,256,768,128,640,384,896,64,576,320,832,192,704,448,960,32,544,288,800,160,672,416,928,96,608,352,864,224,736,480,992, \
* 16,528,272,784,144,656,400,912,80,592,336,848,208,720,464,976,48,560,304,816,176,688,432,944,112,624,368,880,240,752,496,1008, \
* 8,520,264,776,136,648,392,904,72,584,328,840,200,712,456,968,40,552,296,808,168,680,424,936,104,616,360,872,232,744,488,1000, \
* 24,536,280,792,152,664,408,920,88,600,344,856,216,728,472,984,56,568,312,824,184,696,440,952,120,632,376,888,248,760,504,1016, \
* 4,516,260,772,132,644,388,900,68,580,324,836,196,708,452,964,36,548,292,804,164,676,420,932,100,612,356,868,228,740,484,996, \
* 20,532,276,788,148,660,404,916,84,596,340,852,212,724,468,980,52,564,308,820,180,692,436,948,116,628,372,884,244,756,500,1012, \
* 12,524,268,780,140,652,396,908,76,588,332,844,204,716,460,972,44,556,300,812,172,684,428,940,108,620,364,876,236,748,492,1004, \
* 28,540,284,796,156,668,412,924,92,604,348,860,220,732,476,988,60,572,316,828,188,700,444,956,124,636,380,892,252,764,508,1020, \
* 2,514,258,770,130,642,386,898,66,578,322,834,194,706,450,962,34,546,290,802,162,674,418,930,98,610,354,866,226,738,482,994, \
* 18,530,274,786,146,658,402,914,82,594,338,850,210,722,466,978,50,562,306,818,178,690,434,946,114,626,370,882,242,754,498,1010, \
* 10,522,266,778,138,650,394,906,74,586,330,842,202,714,458,970,42,554,298,810,170,682,426,938,106,618,362,874,234,746,490,1002, \
* 26,538,282,794,154,666,410,922,90,602,346,858,218,730,474,986,58,570,314,826,186,698,442,954,122,634,378,890,250,762,506,1018, \
* 6,518,262,774,134,646,390,902,70,582,326,838,198,710,454,966,38,550,294,806,166,678,422,934,102,614,358,870,230,742,486,998, \
* 22,534,278,790,150,662,406,918,86,598,342,854,214,726,470,982,54,566,310,822,182,694,438,950,118,630,374,886,246,758,502,1014, \
* 14,526,270,782,142,654,398,910,78,590,334,846,206,718,462,974,46,558,302,814,174,686,430,942,110,622,366,878,238,750,494,1006, \
* 30,542,286,798,158,670,414,926,94,606,350,862,222,734,478,990,62,574,318,830,190,702,446,958,126,638,382,894,254,766,510,1022, \
* 1,513,257,769,129,641,385,897,65,577,321,833,193,705,449,961,33,545,289,801,161,673,417,929,97,609,353,865,225,737,481,993, \
* 17,529,273,785,145,657,401,913,81,593,337,849,209,721,465,977,49,561,305,817,177,689,433,945,113,625,369,881,241,753,497,1009, \
* 9,521,265,777,137,649,393,905,73,585,329,841,201,713,457,969,41,553,297,809,169,681,425,937,105,617,361,873,233,745,489,1001, \
* 25,537,281,793,153,665,409,921,89,601,345,857,217,729,473,985,57,569,313,825,185,697,441,953,121,633,377,889,249,761,505,1017, \
* 5,517,261,773,133,645,389,901,69,581,325,837,197,709,453,965,37,549,293,805,165,677,421,933,101,613,357,869,229,741,485,997, \
* 21,533,277,789,149,661,405,917,85,597,341,853,213,725,469,981,53,565,309,821,181,693,437,949,117,629,373,885,245,757,501,1013, \
* 13,525,269,781,141,653,397,909,77,589,333,845,205,717,461,973,45,557,301,813,173,685,429,941,109,621,365,877,237,749,493,1005, \
* 29,541,285,797,157,669,413,925,93,605,349,861,221,733,477,989,61,573,317,829,189,701,445,957,125,637,381,893,253,765,509,1021, \
* 3,515,259,771,131,643,387,899,67,579,323,835,195,707,451,963,35,547,291,803,163,675,419,931,99,611,355,867,227,739,483,995, \
* 19,531,275,787,147,659,403,915,83,595,339,851,211,723,467,979,51,563,307,819,179,691,435,947,115,627,371,883,243,755,499,1011, \
* 11,523,267,779,139,651,395,907,75,587,331,843,203,715,459,971,43,555,299,811,171,683,427,939,107,619,363,875,235,747,491,1003, \
* 27,539,283,795,155,667,411,923,91,603,347,859,219,731,475,987,59,571,315,827,187,699,443,955,123,635,379,891,251,763,507,1019, \
* 7,519,263,775,135,647,391,903,71,583,327,839,199,711,455,967,39,551,295,807,167,679,423,935,103,615,359,871,231,743,487,999, \
* 23,535,279,791,151,663,407,919,87,599,343,855,215,727,471,983,55,567,311,823,183,695,439,951,119,631,375,887,247,759,503,1015, \
* 15,527,271,783,143,655,399,911,79,591,335,847,207,719,463,975,47,559,303,815,175,687,431,943,111,623,367,879,239,751,495,1007, \
* 31,543,287,799,159,671,415,927,95,607,351,863,223,735,479,991,63,575,319,831,191,703,447,959,127,639,383,895,255,767,511,1023]
*
* n = 1024; q = 12289; mont=2^18
* g = Mod(7, q);
* omegas_inv_bitrev_montgomery = lift(vector(n/2, i, (g^2)^(-brv[2*(i-1)+1])*mont))
* gammas_bitrev_montgomery = lift(vector(n, i, g^(brv[i])*mont))
* gammas_inv_montgomery = lift(vector(n, i, g^(-(i-1))/n*mont))
*/
/************************************************************
* Name: omegas_inv_bitrev_montgomery
*
* Description: Contains inverses of powers of nth root of unity
* in Montgomery domain with R=2^18 in bit-reversed order
************************************************************/
const uint16_t PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_omegas_inv_bitrev_montgomery[NEWHOPE_N / 2] = {
4075, 5315, 4324, 4916, 10120, 11767, 7210, 9027, 10316, 6715, 1278, 9945, 3514, 11248, 11271, 5925,
147, 8500, 7840, 6833, 5537, 4749, 4467, 7500, 11099, 9606, 6171, 8471, 8429, 5445, 11239, 7753,
9090, 12233, 5529, 5206, 10587, 1987, 11635, 3565, 5415, 8646, 6153, 6427, 7341, 6152, 10561, 400,
8410, 1922, 2033, 8291, 1359, 6854, 11035, 973, 8579, 6093, 6950, 5446, 11821, 8301, 11907, 316,
52, 3174, 10966, 9523, 6055, 8953, 11612, 6415, 2505, 5906, 10710, 11858, 8332, 9450, 10162, 151,
3482, 787, 5468, 1010, 4169, 9162, 5241, 9369, 7509, 8844, 7232, 4698, 192, 1321, 10240, 4912,
885, 6281, 10333, 7280, 8757, 11286, 58, 12048, 12147, 11184, 8812, 6608, 2844, 3438, 4212, 11314,
8687, 6068, 421, 8209, 3600, 3263, 7665, 6077, 7507, 5886, 3029, 6695, 4213, 504, 11684, 2302,
1962, 1594, 6328, 7183, 168, 2692, 8960, 4298, 5184, 11089, 6122, 9734, 10929, 3956, 5297, 6170,
3762, 9370, 4016, 4077, 6523, 652, 11994, 6099, 1146, 11341, 11964, 10885, 6299, 1159, 8240, 8561,
11177, 2078, 10331, 4322, 11367, 441, 4079, 11231, 3150, 1319, 8243, 709, 8049, 8719, 11454, 6224,
3054, 6803, 3123, 10542, 4433, 6370, 7032, 3834, 8633, 12225, 9830, 683, 1566, 5782, 9786, 9341,
12115, 723, 3009, 1693, 5735, 2655, 2738, 6421, 11942, 2925, 1975, 8532, 3315, 11863, 4754, 1858,
1583, 6347, 2500, 10800, 6374, 1483, 12240, 1263, 1815, 5383, 10777, 350, 6920, 10232, 4493, 9087,
8855, 8760, 9381, 218, 9928, 10446, 9259, 4115, 6147, 9842, 8326, 576, 10335, 10238, 10484, 9407,
6381, 11836, 8517, 418, 6860, 7515, 1293, 7552, 2767, 156, 8298, 8320, 10008, 5876, 5333, 10258,
10115, 4372, 2847, 7875, 8232, 9018, 8925, 1689, 8236, 2645, 5042, 9984, 7094, 9509, 1484, 7394,
3, 4437, 160, 3149, 113, 7370, 10123, 3915, 6998, 2704, 8653, 4938, 1426, 7635, 10512, 1663,
6957, 3510, 2370, 2865, 3978, 9320, 3247, 9603, 6882, 3186, 10659, 10163, 1153, 9405, 8241, 10040,
2178, 1544, 5559, 420, 8304, 4905, 476, 3531, 5191, 9153, 2399, 8889, 3000, 671, 243, 3016,
3763, 10849, 12262, 9223, 10657, 7205, 11272, 7404, 7575, 8146, 10752, 242, 2678, 3704, 11744, 5019,
3833, 3778, 11899, 773, 5101, 11222, 9888, 442, 2912, 5698, 11935, 4861, 7277, 9808, 11244, 2859,
3780, 11414, 4976, 10682, 7201, 8005, 11287, 5011, 6267, 2987, 2437, 3646, 2566, 10102, 9867, 6250,
5444, 2381, 11796, 8193, 4337, 11854, 1912, 1378, 404, 7644, 1065, 2143, 11121, 5277, 3248, 11082,
2548, 8058, 8907, 11934, 1759, 8582, 3694, 7110, 12144, 6747, 8652, 3459, 2731, 8357, 6378, 7399,
10861, 1696, 9863, 334, 7657, 6534, 11029, 4388, 11560, 3241, 10276, 9000, 9408, 3284, 10200, 7197,
6498, 544, 2468, 339, 11267, 9, 2842, 480, 5331, 7300, 1673, 4278, 4177, 8705, 9764, 1381,
7837, 2396, 8340, 8993, 4354, 130, 6915, 2837, 11462, 5767, 953, 8541, 9813, 118, 7222, 2197,
3006, 9545, 563, 9314, 2625, 11340, 4821, 2639, 7266, 5828, 6561, 7698, 3328, 6512, 1351, 7311,
6553, 8155, 1305, 722, 5146, 4043, 12288, 10810, 2545, 3621, 8747, 8785, 1646, 1212, 5860, 3195,
7203, 10963, 3201, 3014, 955, 11499, 9970, 11119, 3135, 3712, 7443, 9542, 7484, 8736, 9995, 11227,
1635, 9521, 1177, 8034, 140, 10436, 11563, 7678, 4320, 11289, 9198, 12208, 2963, 7393, 2366, 9238
};
/************************************************************
* Name: gammas_bitrev_montgomery
*
* Description: Contains powers of nth root of -1 in Montgomery
* domain with R=2^18 in bit-reversed order
************************************************************/
const uint16_t PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_gammas_bitrev_montgomery[NEWHOPE_N] = {
4075, 6974, 7373, 7965, 3262, 5079, 522, 2169, 6364, 1018, 1041, 8775, 2344, 11011, 5574, 1973,
4536, 1050, 6844, 3860, 3818, 6118, 2683, 1190, 4789, 7822, 7540, 6752, 5456, 4449, 3789, 12142,
11973, 382, 3988, 468, 6843, 5339, 6196, 3710, 11316, 1254, 5435, 10930, 3998, 10256, 10367, 3879,
11889, 1728, 6137, 4948, 5862, 6136, 3643, 6874, 8724, 654, 10302, 1702, 7083, 6760, 56, 3199,
9987, 605, 11785, 8076, 5594, 9260, 6403, 4782, 6212, 4624, 9026, 8689, 4080, 11868, 6221, 3602,
975, 8077, 8851, 9445, 5681, 3477, 1105, 142, 241, 12231, 1003, 3532, 5009, 1956, 6008, 11404,
7377, 2049, 10968, 12097, 7591, 5057, 3445, 4780, 2920, 7048, 3127, 8120, 11279, 6821, 11502, 8807,
12138, 2127, 2839, 3957, 431, 1579, 6383, 9784, 5874, 677, 3336, 6234, 2766, 1323, 9115, 12237,
2031, 6956, 6413, 2281, 3969, 3991, 12133, 9522, 4737, 10996, 4774, 5429, 11871, 3772, 453, 5908,
2882, 1805, 2051, 1954, 11713, 3963, 2447, 6142, 8174, 3030, 1843, 2361, 12071, 2908, 3529, 3434,
3202, 7796, 2057, 5369, 11939, 1512, 6906, 10474, 11026, 49, 10806, 5915, 1489, 9789, 5942, 10706,
10431, 7535, 426, 8974, 3757, 10314, 9364, 347, 5868, 9551, 9634, 6554, 10596, 9280, 11566, 174,
2948, 2503, 6507, 10723, 11606, 2459, 64, 3656, 8455, 5257, 5919, 7856, 1747, 9166, 5486, 9235,
6065, 835, 3570, 4240, 11580, 4046, 10970, 9139, 1058, 8210, 11848, 922, 7967, 1958, 10211, 1112,
3728, 4049, 11130, 5990, 1404, 325, 948, 11143, 6190, 295, 11637, 5766, 8212, 8273, 2919, 8527,
6119, 6992, 8333, 1360, 2555, 6167, 1200, 7105, 7991, 3329, 9597, 12121, 5106, 5961, 10695, 10327,
3051, 9923, 4896, 9326, 81, 3091, 1000, 7969, 4611, 726, 1853, 12149, 4255, 11112, 2768, 10654,
1062, 2294, 3553, 4805, 2747, 4846, 8577, 9154, 1170, 2319, 790, 11334, 9275, 9088, 1326, 5086,
9094, 6429, 11077, 10643, 3504, 3542, 8668, 9744, 1479, 1, 8246, 7143, 11567, 10984, 4134, 5736,
4978, 10938, 5777, 8961, 4591, 5728, 6461, 5023, 9650, 7468, 949, 9664, 2975, 11726, 2744, 9283,
10092, 5067, 12171, 2476, 3748, 11336, 6522, 827, 9452, 5374, 12159, 7935, 3296, 3949, 9893, 4452,
10908, 2525, 3584, 8112, 8011, 10616, 4989, 6958, 11809, 9447, 12280, 1022, 11950, 9821, 11745, 5791,
5092, 2089, 9005, 2881, 3289, 2013, 9048, 729, 7901, 1260, 5755, 4632, 11955, 2426, 10593, 1428,
4890, 5911, 3932, 9558, 8830, 3637, 5542, 145, 5179, 8595, 3707, 10530, 355, 3382, 4231, 9741,
1207, 9041, 7012, 1168, 10146, 11224, 4645, 11885, 10911, 10377, 435, 7952, 4096, 493, 9908, 6845,
6039, 2422, 2187, 9723, 8643, 9852, 9302, 6022, 7278, 1002, 4284, 5088, 1607, 7313, 875, 8509,
9430, 1045, 2481, 5012, 7428, 354, 6591, 9377, 11847, 2401, 1067, 7188, 11516, 390, 8511, 8456,
7270, 545, 8585, 9611, 12047, 1537, 4143, 4714, 4885, 1017, 5084, 1632, 3066, 27, 1440, 8526,
9273, 12046, 11618, 9289, 3400, 9890, 3136, 7098, 8758, 11813, 7384, 3985, 11869, 6730, 10745, 10111,
2249, 4048, 2884, 11136, 2126, 1630, 9103, 5407, 2686, 9042, 2969, 8311, 9424, 9919, 8779, 5332,
10626, 1777, 4654, 10863, 7351, 3636, 9585, 5291, 8374, 2166, 4919, 12176, 9140, 12129, 7852, 12286,
4895, 10805, 2780, 5195, 2305, 7247, 9644, 4053, 10600, 3364, 3271, 4057, 4414, 9442, 7917, 2174,
3947, 11951, 2455, 6599, 10545, 10975, 3654, 2894, 7681, 7126, 7287, 12269, 4119, 3343, 2151, 1522,
7174, 7350, 11041, 2442, 2148, 5959, 6492, 8330, 8945, 5598, 3624, 10397, 1325, 6565, 1945, 11260,
10077, 2674, 3338, 3276, 11034, 506, 6505, 1392, 5478, 8778, 1178, 2776, 3408, 10347, 11124, 2575,
9489, 12096, 6092, 10058, 4167, 6085, 923, 11251, 11912, 4578, 10669, 11914, 425, 10453, 392, 10104,
8464, 4235, 8761, 7376, 2291, 3375, 7954, 8896, 6617, 7790, 1737, 11667, 3982, 9342, 6680, 636,
6825, 7383, 512, 4670, 2900, 12050, 7735, 994, 1687, 11883, 7021, 146, 10485, 1403, 5189, 6094,
2483, 2054, 3042, 10945, 3981, 10821, 11826, 8882, 8151, 180, 9600, 7684, 5219, 10880, 6780, 204,
11232, 2600, 7584, 3121, 3017, 11053, 7814, 7043, 4251, 4739, 11063, 6771, 7073, 9261, 2360, 11925,
1928, 11825, 8024, 3678, 3205, 3359, 11197, 5209, 8581, 3238, 8840, 1136, 9363, 1826, 3171, 4489,
7885, 346, 2068, 1389, 8257, 3163, 4840, 6127, 8062, 8921, 612, 4238, 10763, 8067, 125, 11749,
10125, 5416, 2110, 716, 9839, 10584, 11475, 11873, 3448, 343, 1908, 4538, 10423, 7078, 4727, 1208,
11572, 3589, 2982, 1373, 1721, 10753, 4103, 2429, 4209, 5412, 5993, 9011, 438, 3515, 7228, 1218,
8347, 5232, 8682, 1327, 7508, 4924, 448, 1014, 10029, 12221, 4566, 5836, 12229, 2717, 1535, 3200,
5588, 5845, 412, 5102, 7326, 3744, 3056, 2528, 7406, 8314, 9202, 6454, 6613, 1417, 10032, 7784,
1518, 3765, 4176, 5063, 9828, 2275, 6636, 4267, 6463, 2065, 7725, 3495, 8328, 8755, 8144, 10533,
5966, 12077, 9175, 9520, 5596, 6302, 8400, 579, 6781, 11014, 5734, 11113, 11164, 4860, 1131, 10844,
9068, 8016, 9694, 3837, 567, 9348, 7000, 6627, 7699, 5082, 682, 11309, 5207, 4050, 7087, 844,
7434, 3769, 293, 9057, 6940, 9344, 10883, 2633, 8190, 3944, 5530, 5604, 3480, 2171, 9282, 11024,
2213, 8136, 3805, 767, 12239, 216, 11520, 6763, 10353, 7, 8566, 845, 7235, 3154, 4360, 3285,
10268, 2832, 3572, 1282, 7559, 3229, 8360, 10583, 6105, 3120, 6643, 6203, 8536, 8348, 6919, 3536,
9199, 10891, 11463, 5043, 1658, 5618, 8787, 5789, 4719, 751, 11379, 6389, 10783, 3065, 7806, 6586,
2622, 5386, 510, 7628, 6921, 578, 10345, 11839, 8929, 4684, 12226, 7154, 9916, 7302, 8481, 3670,
11066, 2334, 1590, 7878, 10734, 1802, 1891, 5103, 6151, 8820, 3418, 7846, 9951, 4693, 417, 9996,
9652, 4510, 2946, 5461, 365, 881, 1927, 1015, 11675, 11009, 1371, 12265, 2485, 11385, 5039, 6742,
8449, 1842, 12217, 8176, 9577, 4834, 7937, 9461, 2643, 11194, 3045, 6508, 4094, 3451, 7911, 11048,
5406, 4665, 3020, 6616, 11345, 7519, 3669, 5287, 1790, 7014, 5410, 11038, 11249, 2035, 6125, 10407,
4565, 7315, 5078, 10506, 2840, 2478, 9270, 4194, 9195, 4518, 7469, 1160, 6878, 2730, 10421, 10036,
1734, 3815, 10939, 5832, 10595, 10759, 4423, 8420, 9617, 7119, 11010, 11424, 9173, 189, 10080, 10526,
3466, 10588, 7592, 3578, 11511, 7785, 9663, 530, 12150, 8957, 2532, 3317, 9349, 10243, 1481, 9332,
3454, 3758, 7899, 4218, 2593, 11410, 2276, 982, 6513, 1849, 8494, 9021, 4523, 7988, 8, 457,
648, 150, 8000, 2307, 2301, 874, 5650, 170, 9462, 2873, 9855, 11498, 2535, 11169, 5808, 12268,
9687, 1901, 7171, 11787, 3846, 1573, 6063, 3793, 466, 11259, 10608, 3821, 6320, 4649, 6263, 2929
};
/************************************************************
* Name: gammas_inv_montgomery
*
* Description: Contains inverses of powers of nth root of -1
* divided by n in Montgomery domain with R=2^18
************************************************************/
const uint16_t PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_gammas_inv_montgomery[NEWHOPE_N] = {
256, 10570, 1510, 7238, 1034, 7170, 6291, 7921, 11665, 3422, 4000, 2327, 2088, 5565, 795, 10647,
1521, 5484, 2539, 7385, 1055, 7173, 8047, 11683, 1669, 1994, 3796, 5809, 4341, 9398, 11876, 12230,
10525, 12037, 12253, 3506, 4012, 9351, 4847, 2448, 7372, 9831, 3160, 2207, 5582, 2553, 7387, 6322,
9681, 1383, 10731, 1533, 219, 5298, 4268, 7632, 6357, 9686, 8406, 4712, 9451, 10128, 4958, 5975,
11387, 8649, 11769, 6948, 11526, 12180, 1740, 10782, 6807, 2728, 7412, 4570, 4164, 4106, 11120, 12122,
8754, 11784, 3439, 5758, 11356, 6889, 9762, 11928, 1704, 1999, 10819, 12079, 12259, 7018, 11536, 1648,
1991, 2040, 2047, 2048, 10826, 12080, 8748, 8272, 8204, 1172, 1923, 7297, 2798, 7422, 6327, 4415,
7653, 6360, 11442, 12168, 7005, 8023, 9924, 8440, 8228, 2931, 7441, 1063, 3663, 5790, 9605, 10150,
1450, 8985, 11817, 10466, 10273, 12001, 3470, 7518, 1074, 1909, 7295, 9820, 4914, 702, 5367, 7789,
8135, 9940, 1420, 3714, 11064, 12114, 12264, 1752, 5517, 9566, 11900, 1700, 3754, 5803, 829, 1874,
7290, 2797, 10933, 5073, 7747, 8129, 6428, 6185, 11417, 1631, 233, 5300, 9535, 10140, 11982, 8734,
8270, 2937, 10953, 8587, 8249, 2934, 9197, 4825, 5956, 4362, 9401, 1343, 3703, 529, 10609, 12049,
6988, 6265, 895, 3639, 4031, 4087, 4095, 585, 10617, 8539, 4731, 4187, 9376, 3095, 9220, 10095,
10220, 1460, 10742, 12068, 1724, 5513, 11321, 6884, 2739, 5658, 6075, 4379, 11159, 10372, 8504, 4726,
9453, 3106, 7466, 11600, 10435, 8513, 9994, 8450, 9985, 3182, 10988, 8592, 2983, 9204, 4826, 2445,
5616, 6069, 867, 3635, 5786, 11360, 5134, 2489, 10889, 12089, 1727, 7269, 2794, 9177, 1311, 5454,
9557, 6632, 2703, 9164, 10087, 1441, 3717, 531, 3587, 2268, 324, 5313, 759, 1864, 5533, 2546,
7386, 9833, 8427, 4715, 11207, 1601, 7251, 4547, 11183, 12131, 1733, 10781, 10318, 1474, 10744, 5046,
4232, 11138, 10369, 6748, 964, 7160, 4534, 7670, 8118, 8182, 4680, 11202, 6867, 981, 8918, 1274,
182, 26, 7026, 8026, 11680, 12202, 10521, 1503, 7237, 4545, 5916, 9623, 8397, 11733, 10454, 3249,
9242, 6587, 941, 1890, 270, 10572, 6777, 9746, 6659, 6218, 6155, 6146, 878, 1881, 7291, 11575,
12187, 1741, 7271, 8061, 11685, 6936, 4502, 9421, 4857, 4205, 7623, 1089, 10689, 1527, 8996, 10063,
11971, 10488, 6765, 2722, 3900, 9335, 11867, 6962, 11528, 5158, 4248, 4118, 5855, 2592, 5637, 6072,
2623, 7397, 8079, 9932, 4930, 5971, 853, 3633, 519, 8852, 11798, 3441, 11025, 1575, 225, 8810,
11792, 12218, 3501, 9278, 3081, 9218, 4828, 7712, 8124, 11694, 12204, 3499, 4011, 573, 3593, 5780,
7848, 9899, 10192, 1456, 208, 7052, 2763, 7417, 11593, 10434, 12024, 8740, 11782, 10461, 3250, 5731,
7841, 9898, 1414, 202, 3540, 7528, 2831, 2160, 10842, 5060, 4234, 4116, 588, 84, 12, 7024,
2759, 9172, 6577, 11473, 1639, 9012, 3043, 7457, 6332, 11438, 1634, 1989, 9062, 11828, 8712, 11778,
12216, 10523, 6770, 9745, 10170, 4964, 9487, 6622, 946, 8913, 6540, 6201, 4397, 9406, 8366, 9973,
8447, 8229, 11709, 8695, 10020, 3187, 5722, 2573, 10901, 6824, 4486, 4152, 9371, 8361, 2950, 2177,
311, 1800, 9035, 8313, 11721, 3430, 490, 70, 10, 1757, 251, 3547, 7529, 11609, 3414, 7510,
4584, 4166, 9373, 1339, 5458, 7802, 11648, 1664, 7260, 9815, 10180, 6721, 9738, 10169, 8475, 8233,
9954, 1422, 8981, 1283, 5450, 11312, 1616, 3742, 11068, 10359, 4991, 713, 3613, 9294, 8350, 4704,
672, 96, 7036, 9783, 11931, 3460, 5761, 823, 10651, 12055, 10500, 1500, 5481, 783, 3623, 11051,
8601, 8251, 8201, 11705, 10450, 5004, 4226, 7626, 2845, 2162, 3820, 7568, 9859, 3164, 452, 10598,
1514, 5483, 6050, 6131, 4387, 7649, 8115, 6426, 918, 8909, 8295, 1185, 5436, 11310, 8638, 1234,
5443, 11311, 5127, 2488, 2111, 10835, 5059, 7745, 2862, 3920, 560, 80, 1767, 2008, 3798, 11076,
6849, 2734, 10924, 12094, 8750, 1250, 10712, 6797, 971, 7161, 1023, 8924, 4786, 7706, 4612, 4170,
7618, 6355, 4419, 5898, 11376, 10403, 10264, 6733, 4473, 639, 5358, 2521, 9138, 3061, 5704, 4326,
618, 5355, 765, 5376, 768, 7132, 4530, 9425, 3102, 9221, 6584, 11474, 10417, 10266, 12000, 6981,
6264, 4406, 2385, 7363, 4563, 4163, 7617, 9866, 3165, 9230, 11852, 10471, 5007, 5982, 11388, 5138,
734, 3616, 11050, 12112, 6997, 11533, 12181, 10518, 12036, 3475, 2252, 7344, 9827, 4915, 9480, 6621,
4457, 7659, 9872, 6677, 4465, 4149, 7615, 4599, 657, 3605, 515, 10607, 6782, 4480, 640, 1847,
3775, 5806, 2585, 5636, 9583, 1369, 10729, 8555, 10000, 11962, 5220, 7768, 8132, 8184, 9947, 1421,
203, 29, 8782, 11788, 1684, 10774, 10317, 4985, 9490, 8378, 4708, 11206, 5112, 5997, 7879, 11659,
12199, 8765, 10030, 4944, 5973, 6120, 6141, 6144, 7900, 11662, 1666, 238, 34, 3516, 5769, 9602,
8394, 9977, 6692, 956, 10670, 6791, 9748, 11926, 8726, 11780, 5194, 742, 106, 8793, 10034, 3189,
10989, 5081, 4237, 5872, 4350, 2377, 10873, 6820, 6241, 11425, 10410, 10265, 3222, 5727, 9596, 4882,
2453, 2106, 3812, 11078, 12116, 5242, 4260, 11142, 8614, 11764, 12214, 5256, 4262, 4120, 11122, 5100,
11262, 5120, 2487, 5622, 9581, 8391, 8221, 2930, 10952, 12098, 6995, 6266, 9673, 4893, 699, 3611,
4027, 5842, 11368, 1624, 232, 8811, 8281, 1183, 169, 8802, 3013, 2186, 5579, 797, 3625, 4029,
11109, 1587, 7249, 11569, 8675, 6506, 2685, 10917, 12093, 12261, 12285, 1755, 7273, 1039, 1904, 272,
3550, 9285, 3082, 5707, 6082, 4380, 7648, 11626, 5172, 4250, 9385, 8363, 8217, 4685, 5936, 848,
8899, 6538, 934, 1889, 3781, 9318, 10109, 10222, 6727, 961, 5404, 772, 5377, 9546, 8386, 1198,
8949, 3034, 2189, 7335, 4559, 5918, 2601, 10905, 5069, 9502, 3113, 7467, 8089, 11689, 5181, 9518,
8382, 2953, 3933, 4073, 4093, 7607, 8109, 2914, 5683, 4323, 11151, 1593, 10761, 6804, 972, 3650,
2277, 5592, 4310, 7638, 9869, 4921, 703, 1856, 9043, 4803, 9464, 1352, 8971, 11815, 5199, 7765,
6376, 4422, 7654, 2849, 407, 8836, 6529, 7955, 2892, 9191, 1313, 10721, 12065, 12257, 1751, 9028,
8312, 2943, 2176, 3822, 546, 78, 8789, 11789, 10462, 12028, 6985, 4509, 9422, 1346, 5459, 4291,
613, 10621, 6784, 9747, 3148, 7472, 2823, 5670, 810, 7138, 8042, 4660, 7688, 6365, 6176, 6149,
2634, 5643, 9584, 10147, 11983, 5223, 9524, 11894, 10477, 8519, 1217, 3685, 2282, 326, 10580, 3267,
7489, 4581, 2410, 5611, 11335, 6886, 8006, 8166, 11700, 3427, 11023, 8597, 10006, 3185, 455, 65,
5276, 7776, 4622, 5927, 7869, 9902, 11948, 5218, 2501, 5624, 2559, 10899, 1557, 1978, 10816, 10323,
8497, 4725, 675, 1852, 10798, 12076, 10503, 3256, 9243, 3076, 2195, 10847, 12083, 10504, 12034, 10497
};

26
crypto_kem/newhope1024ccakem/clean/reduce.c Normal file
View File

@ -0,0 +1,26 @@
#include "reduce.h"
#include "params.h"
static const uint32_t qinv = 12287; // -inverse_mod(p,2^18)
static const uint32_t rlog = 18;
/*************************************************
* Name: verify
*
* Description: Montgomery reduction; given a 32-bit integer a, computes
* 16-bit integer congruent to a * R^-1 mod q,
* where R=2^18 (see value of rlog)
*
* Arguments: - uint32_t a: input unsigned integer to be reduced; has to be in {0,...,1073491968}
*
* Returns: unsigned integer in {0,...,2^14-1} congruent to a * R^-1 modulo q.
**************************************************/
uint16_t PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_montgomery_reduce(uint32_t a) {
uint32_t u;
u = (a * qinv);
u &= ((1 << rlog) - 1);
u *= NEWHOPE_Q;
a = a + u;
return a >> 18;
}

8
crypto_kem/newhope1024ccakem/clean/reduce.h Normal file
View File

@ -0,0 +1,8 @@
#ifndef REDUCE_H
#define REDUCE_H
#include <stdint.h>
uint16_t PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_montgomery_reduce(uint32_t a);
#endif

49
crypto_kem/newhope1024ccakem/clean/verify.c Normal file
View File

@ -0,0 +1,49 @@
#include "verify.h"
#include <stdint.h>
#include <string.h>
/*************************************************
* Name: verify
*
* Description: Compare two arrays for equality in constant time.
*
* Arguments: const unsigned char *a: pointer to first byte array
* const unsigned char *b: pointer to second byte array
* size_t len: length of the byte arrays
*
* Returns 0 if the byte arrays are equal, 1 otherwise
**************************************************/
int PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_verify(const unsigned char *a, const unsigned char *b, size_t len) {
uint64_t r;
size_t i;
r = 0;
for (i = 0; i < len; i++) {
r |= a[i] ^ b[i];
}
r = (-r) >> 63;
return r;
}
/*************************************************
* Name: cmov
*
* Description: Copy len bytes from x to r if b is 1;
* don't modify x if b is 0. Requires b to be in {0,1};
* assumes two's complement representation of negative integers.
* Runs in constant time.
*
* Arguments: unsigned char *r: pointer to output byte array
* const unsigned char *x: pointer to input byte array
* size_t len: Amount of bytes to be copied
* unsigned char b: Condition bit; has to be in {0,1}
**************************************************/
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b) {
size_t i;
b = -b;
for (i = 0; i < len; i++) {
r[i] ^= b & (x[i] ^ r[i]);
}
}

12
crypto_kem/newhope1024ccakem/clean/verify.h Normal file
View File

@ -0,0 +1,12 @@
#ifndef VERIFY_H
#define VERIFY_H
#include <stdio.h>
/* returns 0 for equal strings, 1 for non-equal strings */
int PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_verify(const unsigned char *a, const unsigned char *b, size_t len);
/* b = 1 means mov, b = 0 means don't mov*/
void PQCLEAN_NEWHOPE1024CCAKEM_CLEAN_cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b);
#endif