kris/pqc
1
1
Fork 0
Koodi Ongelmat Pull-pyynnöt Julkaisut Wiki Toiminta

add firesaber

Selaa lähdekoodia
This commit is contained in:
Matthias J. Kannwischer 2019-06-18 16:37:25 +02:00
vanhempi 8539bd8684
commit 6aafbd56f2
19 muutettua tiedostoa jossa 1010 lisäystä ja 0 poistoa
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
crypto_kem/firesaber/META.yml Normal file
Näytä tiedosto

@ -0,0 +1,13 @@
name: FireSaber
type: kem
claimed-nist-level: 5
claimed-security: IND-CCA2
length-public-key: 1312
length-ciphertext: 1472
length-secret-key: 3040
length-shared-secret: 32
nistkat-sha256: 937d9b2e139112e13d4093a6afe715deff476e4d578208b9e8e1809de43835cd
principal-submitter: Jan-Pieter D'Anvers, Angshuman Karmakar, Sujoy Sinha Roy, Frederik Vercauteren
implementations:
- name: clean
version: https://github.com/KULeuven-COSIC/SABER/commit/14ede83f1ff3bcc41f0464543542366c68b55871

1
crypto_kem/firesaber/clean/LICENSE Normal file
Näytä tiedosto

@ -0,0 +1 @@
TODO

19
crypto_kem/firesaber/clean/Makefile Normal file
Näytä tiedosto

@ -0,0 +1,19 @@
# This Makefile can be used with GNU Make or BSD Make
LIB=libfiresaber_clean.a
HEADERS=api.h cbd.h poly.h poly_mul.h SABER_indcpa.h SABER_params.h verify.h pack_unpack.h
OBJECTS=cbd.o kem.o pack_unpack.o poly.o poly_mul.o SABER_indcpa.o verify.o
CFLAGS=-O3 -Wall -Wextra -Wpedantic -Werror -Wmissing-prototypes -Wredundant-decls -std=c99 -I../../../common $(EXTRAFLAGS)
all: $(LIB)
%.o: %.c $(HEADERS)
$(CC) $(CFLAGS) -c -o $@ $<
$(LIB): $(OBJECTS)
$(AR) -r $@ $(OBJECTS)
clean:
$(RM) $(OBJECTS)
$(RM) $(LIB)

19
crypto_kem/firesaber/clean/Makefile.Microsoft_nmake Normal file
Näytä tiedosto

@ -0,0 +1,19 @@
# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
# nmake /f Makefile.Microsoft_nmake
LIBRARY=libfiresaber_clean.lib
OBJECTS=cbd.obj kem.obj pack_unpack.obj poly.obj poly_mul.obj SABER_indcpa.obj verify.obj
CFLAGS=/nologo /I ..\..\..\common /W4 /WX
all: $(LIBRARY)
# Make sure objects are recompiled if headers change.
$(OBJECTS): *.h
$(LIBRARY): $(OBJECTS)
LIB.EXE /NOLOGO /WX /OUT:$@ $**
clean:
-DEL $(OBJECTS)
-DEL $(LIBRARY)

335
crypto_kem/firesaber/clean/SABER_indcpa.c Normal file
Näytä tiedosto

@ -0,0 +1,335 @@
#include "SABER_indcpa.h"
#include "SABER_params.h"
#include "fips202.h"
#include "pack_unpack.h"
#include "poly.h"
#include "poly_mul.h"
#include "randombytes.h"
#include <stdint.h>
#include <string.h>
/*-----------------------------------------------------------------------------------
This routine generates a=[Matrix K x K] of 256-coefficient polynomials
-------------------------------------------------------------------------------------*/
#define h1 4 //2^(EQ-EP-1)
#define h2 ( (1<<(SABER_EP-2)) - (1<<(SABER_EP-SABER_ET-1)) + (1<<(SABER_EQ-SABER_EP-1)) )
static void InnerProd(uint16_t pkcl[SABER_K][SABER_N], uint16_t skpv[SABER_K][SABER_N], uint16_t mod, uint16_t res[SABER_N]);
static void MatrixVectorMul(polyvec *a, uint16_t skpv[SABER_K][SABER_N], uint16_t res[SABER_K][SABER_N], uint16_t mod, int16_t transpose);
static void POL2MSG(const uint16_t *message_dec_unpacked, unsigned char *message_dec);
static void GenMatrix(polyvec *a, const unsigned char *seed) {
unsigned char buf[SABER_K * SABER_K * (13 * SABER_N / 8)];
uint16_t temp_ar[SABER_N];
int i, j, k;
uint16_t mod = (SABER_Q - 1);
shake128(buf, sizeof(buf), seed, SABER_SEEDBYTES);
for (i = 0; i < SABER_K; i++) {
for (j = 0; j < SABER_K; j++) {
PQCLEAN_FIRESABER_CLEAN_BS2POL(buf + (i * SABER_K + j) * (13 * SABER_N / 8), temp_ar);
for (k = 0; k < SABER_N; k++) {
a[i].vec[j].coeffs[k] = (temp_ar[k])& mod ;
}
}
}
}
void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_keypair(unsigned char *pk, unsigned char *sk) {
polyvec a[SABER_K];// skpv;
uint16_t skpv[SABER_K][SABER_N];
unsigned char seed[SABER_SEEDBYTES];
unsigned char noiseseed[SABER_COINBYTES];
int32_t i, j;
uint16_t mod_q = SABER_Q - 1;
uint16_t res[SABER_K][SABER_N];
randombytes(seed, SABER_SEEDBYTES);
shake128(seed, SABER_SEEDBYTES, seed, SABER_SEEDBYTES); // for not revealing system RNG state
randombytes(noiseseed, SABER_COINBYTES);
GenMatrix(a, seed); //sample matrix A
PQCLEAN_FIRESABER_CLEAN_GenSecret(skpv, noiseseed); //generate secret from constant-time binomial distribution
//------------------------do the matrix vector multiplication and rounding------------
for (i = 0; i < SABER_K; i++) {
for (j = 0; j < SABER_N; j++) {
res[i][j] = 0;
}
}
MatrixVectorMul(a, skpv, res, SABER_Q - 1, 1);
//-----now rounding
for (i = 0; i < SABER_K; i++) { //shift right 3 bits
for (j = 0; j < SABER_N; j++) {
res[i][j] = (res[i][j] + h1) & (mod_q);
res[i][j] = (res[i][j] >> (SABER_EQ - SABER_EP));
}
}
//------------------unload and pack sk=3 x (256 coefficients of 14 bits)-------
PQCLEAN_FIRESABER_CLEAN_POLVEC2BS(sk, skpv, SABER_Q);
//------------------unload and pack pk=256 bits seed and 3 x (256 coefficients of 11 bits)-------
PQCLEAN_FIRESABER_CLEAN_POLVEC2BS(pk, res, SABER_P); // load the public-key coefficients
for (i = 0; i < SABER_SEEDBYTES; i++) { // now load the seedbytes in PK. Easy since seed bytes are kept in byte format.
pk[SABER_POLYVECCOMPRESSEDBYTES + i] = seed[i];
}
}
void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_enc(const unsigned char *message_received, unsigned char *noiseseed, const unsigned char *pk, unsigned char *ciphertext) {
uint32_t i, j, k;
polyvec a[SABER_K]; // skpv;
unsigned char seed[SABER_SEEDBYTES];
uint16_t pkcl[SABER_K][SABER_N]; //public key of received by the client
uint16_t skpv1[SABER_K][SABER_N];
uint16_t message[SABER_KEYBYTES * 8];
uint16_t res[SABER_K][SABER_N];
uint16_t mod_p = SABER_P - 1;
uint16_t mod_q = SABER_Q - 1;
uint16_t vprime[SABER_N];
unsigned char msk_c[SABER_SCALEBYTES_KEM];
for (i = 0; i < SABER_SEEDBYTES; i++) { // extract the seedbytes from Public Key.
seed[i] = pk[ SABER_POLYVECCOMPRESSEDBYTES + i];
}
GenMatrix(a, seed);
PQCLEAN_FIRESABER_CLEAN_GenSecret(skpv1, noiseseed); //generate secret from constant-time binomial distribution
//-----------------matrix-vector multiplication and rounding
for (i = 0; i < SABER_K; i++) {
for (j = 0; j < SABER_N; j++) {
res[i][j] = 0;
}
}
MatrixVectorMul(a, skpv1, res, SABER_Q - 1, 0);
//-----now rounding
for (i = 0; i < SABER_K; i++) { //shift right 3 bits
for (j = 0; j < SABER_N; j++) {
res[i][j] = ( res[i][j] + h1 ) & mod_q;
res[i][j] = (res[i][j] >> (SABER_EQ - SABER_EP) );
}
}
PQCLEAN_FIRESABER_CLEAN_POLVEC2BS(ciphertext, res, SABER_P);
//*******************client matrix-vector multiplication ends************************************
//------now calculate the v'
//-------unpack the public_key
//pkcl is the b in the protocol
PQCLEAN_FIRESABER_CLEAN_BS2POLVEC(pk, pkcl, SABER_P);
for (i = 0; i < SABER_N; i++) {
vprime[i] = 0;
}
for (i = 0; i < SABER_K; i++) {
for (j = 0; j < SABER_N; j++) {
skpv1[i][j] = skpv1[i][j] & (mod_p);
}
}
// vector-vector scalar multiplication with mod p
InnerProd(pkcl, skpv1, mod_p, vprime);
//addition of h1 to vprime
for (i = 0; i < SABER_N; i++) {
vprime[i] = vprime[i] + h1;
}
// unpack message_received;
for (j = 0; j < SABER_KEYBYTES; j++) {
for (i = 0; i < 8; i++) {
message[8 * j + i] = ((message_received[j] >> i) & 0x01);
}
}
// message encoding
for (i = 0; i < SABER_N; i++) {
message[i] = (message[i] << (SABER_EP - 1));
}
for (k = 0; k < SABER_N; k++) {
vprime[k] = ( (vprime[k] - message[k]) & (mod_p) ) >> (SABER_EP - SABER_ET);
}
PQCLEAN_FIRESABER_CLEAN_pack_6bit(msk_c, vprime);
for (j = 0; j < SABER_SCALEBYTES_KEM; j++) {
ciphertext[SABER_POLYVECCOMPRESSEDBYTES + j] = msk_c[j];
}
}
void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_dec(const unsigned char *sk, const unsigned char *ciphertext, unsigned char message_dec[]) {
uint32_t i, j;
uint16_t sksv[SABER_K][SABER_N]; //secret key of the server
uint16_t pksv[SABER_K][SABER_N];
uint8_t scale_ar[SABER_SCALEBYTES_KEM];
uint16_t mod_p = SABER_P - 1;
uint16_t v[SABER_N];
uint16_t op[SABER_N];
PQCLEAN_FIRESABER_CLEAN_BS2POLVEC(sk, sksv, SABER_Q); //sksv is the secret-key
PQCLEAN_FIRESABER_CLEAN_BS2POLVEC(ciphertext, pksv, SABER_P); //pksv is the ciphertext
// vector-vector scalar multiplication with mod p
for (i = 0; i < SABER_N; i++) {
v[i] = 0;
}
for (i = 0; i < SABER_K; i++) {
for (j = 0; j < SABER_N; j++) {
sksv[i][j] = sksv[i][j] & (mod_p);
}
}
InnerProd(pksv, sksv, mod_p, v);
//Extraction
for (i = 0; i < SABER_SCALEBYTES_KEM; i++) {
scale_ar[i] = ciphertext[SABER_POLYVECCOMPRESSEDBYTES + i];
}
PQCLEAN_FIRESABER_CLEAN_un_pack6bit(scale_ar, op);
//addition of h1
for (i = 0; i < SABER_N; i++) {
v[i] = ( ( v[i] + h2 - (op[i] << (SABER_EP - SABER_ET)) ) & (mod_p) ) >> (SABER_EP - 1);
}
// pack decrypted message
POL2MSG(v, message_dec);
}
static void MatrixVectorMul(polyvec *a, uint16_t skpv[SABER_K][SABER_N], uint16_t res[SABER_K][SABER_N], uint16_t mod, int16_t transpose) {
uint16_t acc[SABER_N];
int32_t i, j, k;
if (transpose == 1) {
for (i = 0; i < SABER_K; i++) {
for (j = 0; j < SABER_K; j++) {
PQCLEAN_FIRESABER_CLEAN_pol_mul((uint16_t *)&a[j].vec[i], skpv[j], acc, SABER_Q, SABER_N);
for (k = 0; k < SABER_N; k++) {
res[i][k] = res[i][k] + acc[k];
res[i][k] = (res[i][k] & mod); //reduction mod p
acc[k] = 0; //clear the accumulator
}
}
}
} else {
for (i = 0; i < SABER_K; i++) {
for (j = 0; j < SABER_K; j++) {
PQCLEAN_FIRESABER_CLEAN_pol_mul((uint16_t *)&a[i].vec[j], skpv[j], acc, SABER_Q, SABER_N);
for (k = 0; k < SABER_N; k++) {
res[i][k] = res[i][k] + acc[k];
res[i][k] = res[i][k] & mod; //reduction
acc[k] = 0; //clear the accumulator
}
}
}
}
}
static void POL2MSG(const uint16_t *message_dec_unpacked, unsigned char *message_dec) {
int32_t i, j;
for (j = 0; j < SABER_KEYBYTES; j++) {
message_dec[j] = 0;
for (i = 0; i < 8; i++) {
message_dec[j] = message_dec[j] | (uint8_t) (message_dec_unpacked[j * 8 + i] << i);
}
}
}
static void InnerProd(uint16_t pkcl[SABER_K][SABER_N], uint16_t skpv[SABER_K][SABER_N], uint16_t mod, uint16_t res[SABER_N]) {
uint32_t j, k;
uint16_t acc[SABER_N];
// vector-vector scalar multiplication with mod p
for (j = 0; j < SABER_K; j++) {
PQCLEAN_FIRESABER_CLEAN_pol_mul(pkcl[j], skpv[j], acc, SABER_P, SABER_N);
for (k = 0; k < SABER_N; k++) {
res[k] = res[k] + acc[k];
res[k] = res[k] & mod; //reduction
acc[k] = 0; //clear the accumulator
}
}
}

9
crypto_kem/firesaber/clean/SABER_indcpa.h Normal file
Näytä tiedosto

@ -0,0 +1,9 @@
#ifndef INDCPA_H
#define INDCPA_H
void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_keypair(unsigned char *pk, unsigned char *sk);
void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_enc(const unsigned char *message, unsigned char *noiseseed, const unsigned char *pk, unsigned char *ciphertext);
void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_dec(const unsigned char *sk, const unsigned char *ciphertext, unsigned char *message_dec);
#endif

49
crypto_kem/firesaber/clean/SABER_params.h Normal file
Näytä tiedosto

@ -0,0 +1,49 @@
#ifndef PARAMS_H
#define PARAMS_H
#include "api.h"
#define SABER_K 4
#define SABER_MU 6
#define SABER_ET 6
#define SABER_EQ 13
#define SABER_EP 10
#define SABER_N 256
#define SABER_Q 8192
#define SABER_P 1024
#define SABER_SEEDBYTES 32
#define SABER_NOISESEEDBYTES 32
#define SABER_COINBYTES 32
#define SABER_KEYBYTES 32
#define SABER_HASHBYTES 32
#define SABER_POLYBYTES 416 //13*256/8
#define SABER_POLYVECBYTES (SABER_K * SABER_POLYBYTES)
#define SABER_POLYVECCOMPRESSEDBYTES (SABER_K * 320) //10*256/8 NOTE : changed till here due to parameter adaptation
#define SABER_CIPHERTEXTBYTES (SABER_POLYVECCOMPRESSEDBYTES)
#define SABER_SCALEBYTES (SABER_DELTA*SABER_N/8)
#define SABER_SCALEBYTES_KEM ((SABER_ET)*SABER_N/8)
#define SABER_INDCPA_PUBLICKEYBYTES (SABER_POLYVECCOMPRESSEDBYTES + SABER_SEEDBYTES)
#define SABER_INDCPA_SECRETKEYBYTES (SABER_POLYVECBYTES)
#define SABER_PUBLICKEYBYTES (SABER_INDCPA_PUBLICKEYBYTES)
#define SABER_SECRETKEYBYTES (SABER_INDCPA_SECRETKEYBYTES + SABER_INDCPA_PUBLICKEYBYTES + SABER_HASHBYTES + SABER_KEYBYTES)
#define SABER_BYTES_CCA_DEC (SABER_POLYVECCOMPRESSEDBYTES + SABER_SCALEBYTES_KEM) /* Second part is for Targhi-Unruh */
#endif

14
crypto_kem/firesaber/clean/api.h Normal file
Näytä tiedosto

@ -0,0 +1,14 @@
#ifndef PQCLEAN_FIRESABER_CLEAN_API_H
#define PQCLEAN_FIRESABER_CLEAN_API_H
#define PQCLEAN_FIRESABER_CLEAN_CRYPTO_ALGNAME "FireSaber"
#define PQCLEAN_FIRESABER_CLEAN_CRYPTO_SECRETKEYBYTES 3040
#define PQCLEAN_FIRESABER_CLEAN_CRYPTO_PUBLICKEYBYTES (4*320+32)
#define PQCLEAN_FIRESABER_CLEAN_CRYPTO_BYTES 32
#define PQCLEAN_FIRESABER_CLEAN_CRYPTO_CIPHERTEXTBYTES 1472
int PQCLEAN_FIRESABER_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk);
int PQCLEAN_FIRESABER_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk);
int PQCLEAN_FIRESABER_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk);
#endif /* api_h */

52
crypto_kem/firesaber/clean/cbd.c Normal file
Näytä tiedosto

@ -0,0 +1,52 @@
/*---------------------------------------------------------------------
This file has been adapted from the implementation
(available at, Public Domain https://github.com/pq-crystals/kyber)
of "CRYSTALS Kyber: a CCA-secure module-lattice-based KEM"
by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint,
Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle
----------------------------------------------------------------------*/
#include "SABER_params.h"
#include "api.h"
#include "cbd.h"
#include <stdint.h>
static uint64_t load_littleendian(const unsigned char *x, int bytes) {
int i;
uint64_t r = x[0];
for (i = 1; i < bytes; i++) {
r |= (uint64_t)x[i] << (8 * i);
}
return r;
}
void PQCLEAN_FIRESABER_CLEAN_cbd(uint16_t *r, const unsigned char *buf) {
uint16_t Qmod_minus1 = SABER_Q - 1;
uint32_t t, d, a[4], b[4];
int i, j;
for (i = 0; i < SABER_N / 4; i++) {
t = load_littleendian(buf + 3 * i, 3);
d = 0;
for (j = 0; j < 3; j++) {
d += (t >> j) & 0x249249;
}
a[0] = d & 0x7;
b[0] = (d >> 3) & 0x7;
a[1] = (d >> 6) & 0x7;
b[1] = (d >> 9) & 0x7;
a[2] = (d >> 12) & 0x7;
b[2] = (d >> 15) & 0x7;
a[3] = (d >> 18) & 0x7;
b[3] = (d >> 21);
r[4 * i + 0] = (uint16_t)(a[0] - b[0]) & Qmod_minus1;
r[4 * i + 1] = (uint16_t)(a[1] - b[1]) & Qmod_minus1;
r[4 * i + 2] = (uint16_t)(a[2] - b[2]) & Qmod_minus1;
r[4 * i + 3] = (uint16_t)(a[3] - b[3]) & Qmod_minus1;
}
}

17
crypto_kem/firesaber/clean/cbd.h Normal file
Näytä tiedosto

@ -0,0 +1,17 @@
#ifndef CBD_H
#define CBD_H
/*---------------------------------------------------------------------
This file has been adapted from the implementation
(available at, Public Domain https://github.com/pq-crystals/kyber)
of "CRYSTALS Kyber: a CCA-secure module-lattice-based KEM"
by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint,
Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle
----------------------------------------------------------------------*/
#include "poly.h"
#include <stdint.h>
void PQCLEAN_FIRESABER_CLEAN_cbd(uint16_t *r, const unsigned char *buf);
#endif

79
crypto_kem/firesaber/clean/kem.c Normal file
Näytä tiedosto

@ -0,0 +1,79 @@
#include "SABER_indcpa.h"
#include "SABER_params.h"
#include "fips202.h"
#include "randombytes.h"
#include "verify.h"
#include <stdint.h>
#include <stdio.h>
#include <string.h>
int PQCLEAN_FIRESABER_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) {
int i;
PQCLEAN_FIRESABER_CLEAN_indcpa_kem_keypair(pk, sk); // sk[0:SABER_INDCPA_SECRETKEYBYTES-1] <-- sk
for (i = 0; i < SABER_INDCPA_PUBLICKEYBYTES; i++) {
sk[i + SABER_INDCPA_SECRETKEYBYTES] = pk[i]; // sk[SABER_INDCPA_SECRETKEYBYTES:SABER_INDCPA_SECRETKEYBYTES+SABER_INDCPA_SECRETKEYBYTES-1] <-- pk
}
sha3_256(sk + SABER_SECRETKEYBYTES - 64, pk, SABER_INDCPA_PUBLICKEYBYTES); // Then hash(pk) is appended.
randombytes(sk + SABER_SECRETKEYBYTES - SABER_KEYBYTES, SABER_KEYBYTES ); // Remaining part of sk contains a pseudo-random number.
// This is output when check in crypto_kem_dec() fails.
return (0);
}
int PQCLEAN_FIRESABER_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) {
unsigned char kr[64]; // Will contain key, coins
unsigned char buf[64];
randombytes(buf, 32);
sha3_256(buf, buf, 32); // BUF[0:31] <-- random message (will be used as the key for client) Note: hash doesnot release system RNG output
sha3_256(buf + 32, pk, SABER_INDCPA_PUBLICKEYBYTES); // BUF[32:63] <-- Hash(public key); Multitarget countermeasure for coins + contributory KEM
sha3_512(kr, buf, 64); // kr[0:63] <-- Hash(buf[0:63]);
// K^ <-- kr[0:31]
// noiseseed (r) <-- kr[32:63];
PQCLEAN_FIRESABER_CLEAN_indcpa_kem_enc(buf, kr + 32, pk, ct); // buf[0:31] contains message; kr[32:63] contains randomness r;
sha3_256(kr + 32, ct, SABER_BYTES_CCA_DEC);
sha3_256(ss, kr, 64); // hash concatenation of pre-k and h(c) to k
return (0);
}
int PQCLEAN_FIRESABER_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) {
int i;
unsigned char fail;
unsigned char cmp[SABER_BYTES_CCA_DEC];
unsigned char buf[64];
unsigned char kr[64]; // Will contain key, coins
const unsigned char *pk = sk + SABER_INDCPA_SECRETKEYBYTES;
PQCLEAN_FIRESABER_CLEAN_indcpa_kem_dec(sk, ct, buf); // buf[0:31] <-- message
// Multitarget countermeasure for coins + contributory KEM
for (i = 0; i < 32; i++) { // Save hash by storing h(pk) in sk
buf[32 + i] = sk[SABER_SECRETKEYBYTES - 64 + i];
}
sha3_512(kr, buf, 64);
PQCLEAN_FIRESABER_CLEAN_indcpa_kem_enc(buf, kr + 32, pk, cmp);
fail = PQCLEAN_FIRESABER_CLEAN_verify(ct, cmp, SABER_BYTES_CCA_DEC);
sha3_256(kr + 32, ct, SABER_BYTES_CCA_DEC); // overwrite coins in kr with h(c)
PQCLEAN_FIRESABER_CLEAN_cmov(kr, sk + SABER_SECRETKEYBYTES - SABER_KEYBYTES, SABER_KEYBYTES, fail);
sha3_256(ss, kr, 64); // hash concatenation of pre-k and h(c) to k
return (0);
}

242
crypto_kem/firesaber/clean/pack_unpack.c Normal file
Näytä tiedosto

@ -0,0 +1,242 @@
#include "pack_unpack.h"
void PQCLEAN_FIRESABER_CLEAN_pack_3bit(uint8_t *bytes, const uint16_t *data) {
uint32_t j;
uint32_t offset_data, offset_byte;
for (j = 0; j < SABER_N / 8; j++) {
offset_byte = 3 * j;
offset_data = 8 * j;
bytes[offset_byte + 0] = (data[offset_data + 0] & 0x7) | ( (data[offset_data + 1] & 0x7) << 3 ) | ((data[offset_data + 2] & 0x3) << 6);
bytes[offset_byte + 1] = ((data[offset_data + 2] >> 2 ) & 0x01) | ( (data[offset_data + 3] & 0x7) << 1 ) | ( (data[offset_data + 4] & 0x7) << 4 ) | (((data[offset_data + 5]) & 0x01) << 7);
bytes[offset_byte + 2] = ((data[offset_data + 5] >> 1 ) & 0x03) | ( (data[offset_data + 6] & 0x7) << 2 ) | ( (data[offset_data + 7] & 0x7) << 5 );
}
}
void PQCLEAN_FIRESABER_CLEAN_un_pack3bit(const uint8_t *bytes, uint16_t *data) {
uint32_t j;
uint32_t offset_data, offset_byte;
for (j = 0; j < SABER_N / 8; j++) {
offset_byte = 3 * j;
offset_data = 8 * j;
data[offset_data + 0] = (bytes[offset_byte + 0]) & 0x07;
data[offset_data + 1] = ( (bytes[offset_byte + 0]) >> 3 ) & 0x07;
data[offset_data + 2] = ( ( (bytes[offset_byte + 0]) >> 6 ) & 0x03) | ( ( (bytes[offset_byte + 1]) & 0x01) << 2 );
data[offset_data + 3] = ( (bytes[offset_byte + 1]) >> 1 ) & 0x07;
data[offset_data + 4] = ( (bytes[offset_byte + 1]) >> 4 ) & 0x07;
data[offset_data + 5] = ( ( (bytes[offset_byte + 1]) >> 7 ) & 0x01) | ( ( (bytes[offset_byte + 2]) & 0x03) << 1 );
data[offset_data + 6] = ( (bytes[offset_byte + 2] >> 2) & 0x07 );
data[offset_data + 7] = ( (bytes[offset_byte + 2] >> 5) & 0x07 );
}
}
void PQCLEAN_FIRESABER_CLEAN_pack_4bit(uint8_t *bytes, const uint16_t *data) {
uint32_t j;
uint32_t offset_data;
for (j = 0; j < SABER_N / 2; j++) {
offset_data = 2 * j;
bytes[j] = (data[offset_data] & 0x0f) | ( (data[offset_data + 1] & 0x0f) << 4 );
}
}
void PQCLEAN_FIRESABER_CLEAN_un_pack4bit(const unsigned char *bytes, uint16_t *ar) {
uint32_t j;
uint32_t offset_data;
for (j = 0; j < SABER_N / 2; j++) {
offset_data = 2 * j;
ar[offset_data] = bytes[j] & 0x0f;
ar[offset_data + 1] = (bytes[j] >> 4) & 0x0f;
}
}
void PQCLEAN_FIRESABER_CLEAN_pack_6bit(uint8_t *bytes, const uint16_t *data) {
uint32_t j;
uint32_t offset_data, offset_byte;
for (j = 0; j < SABER_N / 4; j++) {
offset_byte = 3 * j;
offset_data = 4 * j;
bytes[offset_byte + 0] = (data[offset_data + 0] & 0x3f) | ((data[offset_data + 1] & 0x03) << 6);
bytes[offset_byte + 1] = ((data[offset_data + 1] >> 2) & 0x0f) | ((data[offset_data + 2] & 0x0f) << 4);
bytes[offset_byte + 2] = ((data[offset_data + 2] >> 4) & 0x03) | ((data[offset_data + 3] & 0x3f) << 2);
}
}
void PQCLEAN_FIRESABER_CLEAN_un_pack6bit(const unsigned char *bytes, uint16_t *data) {
uint32_t j;
uint32_t offset_data, offset_byte;
for (j = 0; j < SABER_N / 4; j++) {
offset_byte = 3 * j;
offset_data = 4 * j;
data[offset_data + 0] = bytes[offset_byte + 0] & 0x3f;
data[offset_data + 1] = ((bytes[offset_byte + 0] >> 6) & 0x03) | ((bytes[offset_byte + 1] & 0x0f) << 2) ;
data[offset_data + 2] = ((bytes[offset_byte + 1] & 0xff) >> 4) | ((bytes[offset_byte + 2] & 0x03) << 4) ;
data[offset_data + 3] = ((bytes[offset_byte + 2] & 0xff) >> 2);
}
}
static void POLVECp2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N]) {
uint32_t i, j;
uint32_t offset_data, offset_byte, offset_byte1;
for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 10) / 8;
for (j = 0; j < SABER_N / 4; j++) {
offset_byte = offset_byte1 + 5 * j;
offset_data = 4 * j;
bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff));
bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x03 ) | ((data[i][ offset_data + 1 ] & 0x3f) << 2);
bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 6) & 0x0f ) | ( (data[i][ offset_data + 2 ] & 0x0f) << 4);
bytes[offset_byte + 3] = ( (data[i][ offset_data + 2 ] >> 4) & 0x3f ) | ((data[i][ offset_data + 3 ] & 0x03) << 6);
bytes[offset_byte + 4] = ( (data[i][ offset_data + 3 ] >> 2) & 0xff );
}
}
}
static void BS2POLVECp(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N]) {
uint32_t i, j;
uint32_t offset_data, offset_byte, offset_byte1;
for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 10) / 8;
for (j = 0; j < SABER_N / 4; j++) {
offset_byte = offset_byte1 + 5 * j;
offset_data = 4 * j;
data[i][offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[ offset_byte + 1 ] & 0x03) << 8);
data[i][offset_data + 1] = ( (bytes[ offset_byte + 1 ] >> 2) & (0x3f)) | ((bytes[ offset_byte + 2 ] & 0x0f) << 6);
data[i][offset_data + 2] = ( (bytes[ offset_byte + 2 ] >> 4) & (0x0f)) | ((bytes[ offset_byte + 3 ] & 0x3f) << 4);
data[i][offset_data + 3] = ( (bytes[ offset_byte + 3 ] >> 6) & (0x03)) | ((bytes[ offset_byte + 4 ] & 0xff) << 2);
}
}
}
static void POLVECq2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N]) {
uint32_t i, j;
uint32_t offset_data, offset_byte, offset_byte1;
for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 13) / 8;
for (j = 0; j < SABER_N / 8; j++) {
offset_byte = offset_byte1 + 13 * j;
offset_data = 8 * j;
bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff));
bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x1f ) | ((data[i][ offset_data + 1 ] & 0x07) << 5);
bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 3) & 0xff );
bytes[offset_byte + 3] = ( (data[i][ offset_data + 1 ] >> 11) & 0x03 ) | ((data[i][ offset_data + 2 ] & 0x3f) << 2);
bytes[offset_byte + 4] = ( (data[i][ offset_data + 2 ] >> 6) & 0x7f ) | ( (data[i][ offset_data + 3 ] & 0x01) << 7 );
bytes[offset_byte + 5] = ( (data[i][ offset_data + 3 ] >> 1) & 0xff );
bytes[offset_byte + 6] = ( (data[i][ offset_data + 3 ] >> 9) & 0x0f ) | ( (data[i][ offset_data + 4 ] & 0x0f) << 4 );
bytes[offset_byte + 7] = ( (data[i][ offset_data + 4] >> 4) & 0xff );
bytes[offset_byte + 8] = ( (data[i][ offset_data + 4 ] >> 12) & 0x01 ) | ( (data[i][ offset_data + 5 ] & 0x7f) << 1 );
bytes[offset_byte + 9] = ( (data[i][ offset_data + 5 ] >> 7) & 0x3f ) | ( (data[i][ offset_data + 6 ] & 0x03) << 6 );
bytes[offset_byte + 10] = ( (data[i][ offset_data + 6 ] >> 2) & 0xff );
bytes[offset_byte + 11] = ( (data[i][ offset_data + 6 ] >> 10) & 0x07 ) | ( (data[i][ offset_data + 7 ] & 0x1f) << 3 );
bytes[offset_byte + 12] = ( (data[i][ offset_data + 7 ] >> 5) & 0xff );
}
}
}
static void BS2POLVECq(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N]) {
uint32_t i, j;
uint32_t offset_data, offset_byte, offset_byte1;
for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 13) / 8;
for (j = 0; j < SABER_N / 8; j++) {
offset_byte = offset_byte1 + 13 * j;
offset_data = 8 * j;
data[i][offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[offset_byte + 1] & 0x1f) << 8);
data[i][offset_data + 1] = ( bytes[ offset_byte + 1 ] >> 5 & (0x07)) | ((bytes[offset_byte + 2] & 0xff) << 3) | ((bytes[offset_byte + 3] & 0x03) << 11);
data[i][offset_data + 2] = ( bytes[ offset_byte + 3 ] >> 2 & (0x3f)) | ((bytes[offset_byte + 4] & 0x7f) << 6);
data[i][offset_data + 3] = ( bytes[ offset_byte + 4 ] >> 7 & (0x01)) | ((bytes[offset_byte + 5] & 0xff) << 1) | ((bytes[offset_byte + 6] & 0x0f) << 9);
data[i][offset_data + 4] = ( bytes[ offset_byte + 6 ] >> 4 & (0x0f)) | ((bytes[offset_byte + 7] & 0xff) << 4) | ((bytes[offset_byte + 8] & 0x01) << 12);
data[i][offset_data + 5] = ( bytes[ offset_byte + 8] >> 1 & (0x7f)) | ((bytes[offset_byte + 9] & 0x3f) << 7);
data[i][offset_data + 6] = ( bytes[ offset_byte + 9] >> 6 & (0x03)) | ((bytes[offset_byte + 10] & 0xff) << 2) | ((bytes[offset_byte + 11] & 0x07) << 10);
data[i][offset_data + 7] = ( bytes[ offset_byte + 11] >> 3 & (0x1f)) | ((bytes[offset_byte + 12] & 0xff) << 5);
}
}
}
void PQCLEAN_FIRESABER_CLEAN_BS2POL(const unsigned char *bytes, uint16_t data[SABER_N]) { //only BS2POLq no BS2POLp
uint32_t j;
uint32_t offset_data, offset_byte;
for (j = 0; j < SABER_N / 8; j++) {
offset_byte = 13 * j;
offset_data = 8 * j;
data[offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[offset_byte + 1] & 0x1f) << 8);
data[offset_data + 1] = ( bytes[ offset_byte + 1 ] >> 5 & (0x07)) | ((bytes[offset_byte + 2] & 0xff) << 3) | ((bytes[offset_byte + 3] & 0x03) << 11);
data[offset_data + 2] = ( bytes[ offset_byte + 3 ] >> 2 & (0x3f)) | ((bytes[offset_byte + 4] & 0x7f) << 6);
data[offset_data + 3] = ( bytes[ offset_byte + 4 ] >> 7 & (0x01)) | ((bytes[offset_byte + 5] & 0xff) << 1) | ((bytes[offset_byte + 6] & 0x0f) << 9);
data[offset_data + 4] = ( bytes[ offset_byte + 6 ] >> 4 & (0x0f)) | ((bytes[offset_byte + 7] & 0xff) << 4) | ((bytes[offset_byte + 8] & 0x01) << 12);
data[offset_data + 5] = ( bytes[ offset_byte + 8] >> 1 & (0x7f)) | ((bytes[offset_byte + 9] & 0x3f) << 7);
data[offset_data + 6] = ( bytes[ offset_byte + 9] >> 6 & (0x03)) | ((bytes[offset_byte + 10] & 0xff) << 2) | ((bytes[offset_byte + 11] & 0x07) << 10);
data[offset_data + 7] = ( bytes[ offset_byte + 11] >> 3 & (0x1f)) | ((bytes[offset_byte + 12] & 0xff) << 5);
}
}
void PQCLEAN_FIRESABER_CLEAN_POLVEC2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus) {
if (modulus == 1024) {
POLVECp2BS(bytes, data);
} else if (modulus == 8192) {
POLVECq2BS(bytes, data);
}
}
void PQCLEAN_FIRESABER_CLEAN_BS2POLVEC(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus) {
if (modulus == 1024) {
BS2POLVECp(bytes, data);
} else if (modulus == 8192) {
BS2POLVECq(bytes, data);
}
}

28
crypto_kem/firesaber/clean/pack_unpack.h Normal file
Näytä tiedosto

@ -0,0 +1,28 @@
#ifndef PACK_UNPACK_H
#define PACK_UNPACK_H
#include "SABER_params.h"
#include <stdint.h>
#include <stdio.h>
void PQCLEAN_FIRESABER_CLEAN_pack_3bit(uint8_t *bytes, const uint16_t *data);
void PQCLEAN_FIRESABER_CLEAN_un_pack3bit(const uint8_t *bytes, uint16_t *data);
void PQCLEAN_FIRESABER_CLEAN_pack_4bit(uint8_t *bytes, const uint16_t *data);
void PQCLEAN_FIRESABER_CLEAN_un_pack4bit(const unsigned char *bytes, uint16_t *ar);
void PQCLEAN_FIRESABER_CLEAN_pack_6bit(uint8_t *bytes, const uint16_t *data);
void PQCLEAN_FIRESABER_CLEAN_un_pack6bit(const unsigned char *bytes, uint16_t *data);
void PQCLEAN_FIRESABER_CLEAN_BS2POL(const unsigned char *bytes, uint16_t data[SABER_N]);
void PQCLEAN_FIRESABER_CLEAN_POLVEC2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus);
void PQCLEAN_FIRESABER_CLEAN_BS2POLVEC(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus);
#endif

21
crypto_kem/firesaber/clean/poly.c Normal file
Näytä tiedosto

@ -0,0 +1,21 @@
/*---------------------------------------------------------------------
This file has been adapted from the implementation
(available at, Public Domain https://github.com/pq-crystals/kyber)
of "CRYSTALS Kyber: a CCA-secure module-lattice-based KEM"
by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint,
Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle
----------------------------------------------------------------------*/
#include "SABER_params.h"
#include "cbd.h"
#include "fips202.h"
#include "poly.h"
void PQCLEAN_FIRESABER_CLEAN_GenSecret(uint16_t r[SABER_K][SABER_N], const unsigned char *seed) {
uint8_t buf[SABER_MU * SABER_N * SABER_K / 8];
shake128(buf, sizeof(buf), seed, SABER_NOISESEEDBYTES);
for (size_t i = 0; i < SABER_K; i++) {
PQCLEAN_FIRESABER_CLEAN_cbd(r[i], buf + i * SABER_MU * SABER_N / 8);
}
}

26
crypto_kem/firesaber/clean/poly.h Normal file
Näytä tiedosto

@ -0,0 +1,26 @@
#ifndef POLY_H
#define POLY_H
/*---------------------------------------------------------------------
This file has been adapted from the implementation
(available at, Public Domain https://github.com/pq-crystals/kyber)
of "CRYSTALS Kyber: a CCA-secure module-lattice-based KEM"
by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint,
Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle
----------------------------------------------------------------------*/
#include "SABER_params.h"
#include <stdint.h>
typedef struct {
uint16_t coeffs[SABER_N];
} poly;
typedef struct {
poly vec[SABER_K];
} polyvec;
void PQCLEAN_FIRESABER_CLEAN_GenSecret(uint16_t r[SABER_K][SABER_N], const unsigned char *seed);
#endif

22
crypto_kem/firesaber/clean/poly_mul.c Normal file
Näytä tiedosto

@ -0,0 +1,22 @@
#include "poly_mul.h"
#include "SABER_params.h"
#include <stdint.h>
#include <string.h>
void PQCLEAN_FIRESABER_CLEAN_pol_mul(const uint16_t *a, const uint16_t *b, uint16_t *res, uint16_t p, uint32_t n) {
// Polynomial multiplication using the schoolbook method, c[x] = a[x]*b[x]
// normal multiplication
uint16_t c[2 * SABER_N] = {0};
for (size_t i = 0; i < SABER_N; i++) {
for (size_t j = 0; j < SABER_N; j++) {
c[i + j] += a[i] * b[j];
}
}
// reduction
for (size_t i = n; i < 2 * n; i++) {
res[i - n] = (c[i - n] - c[i]) & (p - 1);
}
}

9
crypto_kem/firesaber/clean/poly_mul.h Normal file
Näytä tiedosto

@ -0,0 +1,9 @@
#ifndef POLYMUL_H
#define POLYMUL_H
#include "SABER_params.h"
#include <stdint.h>
void PQCLEAN_FIRESABER_CLEAN_pol_mul(const uint16_t *a, const uint16_t *b, uint16_t *res, uint16_t p, uint32_t n);
#endif

34
crypto_kem/firesaber/clean/verify.c Normal file
Näytä tiedosto

@ -0,0 +1,34 @@
/*-------------------------------------------------
This file has been adapted from the implementation
(available at https://github.com/pq-crystals/kyber) of
"CRYSTALS Kyber: a CCA-secure module-lattice-based KEM"
by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint,
Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle
----------------------------------------------------*/
#include "verify.h"
#include <stdint.h>
/* returns 0 for equal strings, 1 for non-equal strings */
unsigned char PQCLEAN_FIRESABER_CLEAN_verify(const unsigned char *a, const unsigned char *b, size_t len) {
uint64_t r;
size_t i;
r = 0;
for (i = 0; i < len; i++) {
r |= a[i] ^ b[i];
}
r = (~r + 1); // Two's complement
r >>= 63;
return (unsigned char)r;
}
/* b = 1 means mov, b = 0 means don't mov*/
void PQCLEAN_FIRESABER_CLEAN_cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b) {
size_t i;
b = -b;
for (i = 0; i < len; i++) {
r[i] ^= b & (x[i] ^ r[i]);
}
}

21
crypto_kem/firesaber/clean/verify.h Normal file
Näytä tiedosto

@ -0,0 +1,21 @@
#ifndef VERIFY_H
#define VERIFY_H
/*-------------------------------------------------
This file has been adapted from the implementation
(available at https://github.com/pq-crystals/kyber) of
"CRYSTALS Kyber: a CCA-secure module-lattice-based KEM"
by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint,
Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle
----------------------------------------------------*/
#include <stddef.h>
#include <stdint.h>
/* returns 0 for equal strings, 1 for non-equal strings */
unsigned char PQCLEAN_FIRESABER_CLEAN_verify(const unsigned char *a, const unsigned char *b, size_t len);
/* b = 1 means mov, b = 0 means don't mov*/
void PQCLEAN_FIRESABER_CLEAN_cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b);
#endif