kris
/
pqc
1
1
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Browse Source

Format mqdss-48

master
Joost Rijneveld 5 years ago
parent
2e304246c4
commit
8357fb1c80
No known key found for this signature in database GPG Key ID: A4FE39CF49CBC553
3 changed files with 73 additions and 80 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +3
    -3
      crypto_sign/mqdss-48/clean/gf31.c
  2. +22
    -26
      crypto_sign/mqdss-48/clean/mq.c
  3. +48
    -51
      crypto_sign/mqdss-48/clean/sign.c

+ 3
- 3
crypto_sign/mqdss-48/clean/gf31.c View File

@@ -22,7 +22,7 @@ gf31 PQCLEAN_MQDSS48_CLEAN_mod31(gf31 x) {

t = (gf31)((t >> 5) + (t & 31));
t = (gf31)((t >> 5) + (t & 31));
return (gf31)((t != 31)*t);
return (gf31)((t != 31) * t);
}

/* Given a vector of N elements in the range [0, 31], this reduces the elements
@@ -95,12 +95,12 @@ void PQCLEAN_MQDSS48_CLEAN_gf31_nunpack(gf31 *out, const unsigned char *in, unsi
unsigned int d = 0;

for (i = n; i > 0; i--) {
out[i-1] = (gf31)((in[j] >> d) & 31);
out[i - 1] = (gf31)((in[j] >> d) & 31);
d += 5;
if (d > 8) {
d -= 8;
j--;
out[i-1] = (gf31)(out[i-1] ^ ((in[j] << (5 - d)) & 31));
out[i - 1] = (gf31)(out[i - 1] ^ ((in[j] << (5 - d)) & 31));
}
}
}


+ 22
- 26
crypto_sign/mqdss-48/clean/mq.c View File

@@ -3,13 +3,12 @@

/* Computes all products x_i * x_j, returns in reduced form */
inline static
void generate_quadratic_terms( gf31 * xij , const gf31 * x )
{
void generate_quadratic_terms( gf31 *xij, const gf31 *x ) {
int i, j, k;
k=0;
for(i=0;i<N;i++) {
for(j=0;j<=i;j++) {
xij[k] = PQCLEAN_MQDSS48_CLEAN_mod31((gf31)(x[i]*x[j]));
k = 0;
for (i = 0; i < N; i++) {
for (j = 0; j <= i; j++) {
xij[k] = PQCLEAN_MQDSS48_CLEAN_mod31((gf31)(x[i] * x[j]));
k++;
}
}
@@ -17,13 +16,12 @@ void generate_quadratic_terms( gf31 * xij , const gf31 * x )

/* Computes all terms (x_i * y_j) + (x_j * y_i), returns in reduced form */
inline static
void generate_xiyj_p_xjyi_terms( gf31 * xij , const gf31 * x , const gf31 * y )
{
void generate_xiyj_p_xjyi_terms( gf31 *xij, const gf31 *x, const gf31 *y ) {
int i, j, k;
k=0;
for(i=0;i<N;i++) {
for(j=0;j<=i;j++) {
xij[k] = PQCLEAN_MQDSS48_CLEAN_mod31((gf31)(x[i]*y[j]+x[j]*y[i]));
k = 0;
for (i = 0; i < N; i++) {
for (j = 0; j <= i; j++) {
xij[k] = PQCLEAN_MQDSS48_CLEAN_mod31((gf31)(x[i] * y[j] + x[j] * y[i]));
k++;
}
}
@@ -33,25 +31,24 @@ void generate_xiyj_p_xjyi_terms( gf31 * xij , const gf31 * x , const gf31 * y )
in reduced 5-bit representation). Expects the coefficients in F to be in
signed representation (i.e. [-15, 15], packed bytewise).
Outputs M gf31 elements in unique 16-bit representation as fx. */
void PQCLEAN_MQDSS48_CLEAN_MQ(gf31 *fx, const gf31 *x, const signed char *F)
{
void PQCLEAN_MQDSS48_CLEAN_MQ(gf31 *fx, const gf31 *x, const signed char *F) {
int i, j;
gf31 _xij[N*(N+1) >> 1];
gf31 _xij[N * (N + 1) >> 1];
int r[M] = {0};

generate_quadratic_terms(_xij, x);

for (i = 0; i < N; i += 2) {
for (j = 0; j < M; j++) {
r[j] += ((int)x[i])*((int)F[i*M + 2*j]) +
((int)x[i+1])*((int)F[i*M + 2*j + 1]);
r[j] += ((int)x[i]) * ((int)F[i * M + 2 * j]) +
((int)x[i + 1]) * ((int)F[i * M + 2 * j + 1]);
}
}

for (i = 0; i < (N*(N+1)) >> 1; i += 2) {
for (i = 0; i < (N * (N + 1)) >> 1; i += 2) {
for (j = 0; j < M; j++) {
r[j] += ((int)_xij[i])*((int)F[N*M + i*M + 2*j]) +
((int)_xij[i+1])*((int)F[N*M + i*M + 2*j + 1]);
r[j] += ((int)_xij[i]) * ((int)F[N * M + i * M + 2 * j]) +
((int)_xij[i + 1]) * ((int)F[N * M + i * M + 2 * j + 1]);
}
}

@@ -64,18 +61,17 @@ void PQCLEAN_MQDSS48_CLEAN_MQ(gf31 *fx, const gf31 *x, const signed char *F)
N gf31 elements x (expected to be in reduced 5-bit representation). Expects
the coefficients in F to be in signed representation (i.e. [-15, 15], packed
bytewise). Outputs M gf31 elements in unique 16-bit representation as fx. */
void PQCLEAN_MQDSS48_CLEAN_G(gf31 *fx, const gf31 *x, const gf31 *y, const signed char *F)
{
void PQCLEAN_MQDSS48_CLEAN_G(gf31 *fx, const gf31 *x, const gf31 *y, const signed char *F) {
int i, j;
gf31 _xij[N*(N+1) >> 1];
gf31 _xij[N * (N + 1) >> 1];
int r[M] = {0};

generate_xiyj_p_xjyi_terms(_xij, x, y);

for (i = 0; i < (N*(N+1)) >> 1; i += 2) {
for (i = 0; i < (N * (N + 1)) >> 1; i += 2) {
for (j = 0; j < M; j++) {
r[j] += ((int)_xij[i])*((int)F[N*M + i*M + 2*j]) +
((int)_xij[i+1])*((int)F[N*M + i*M + 2*j + 1]);
r[j] += ((int)_xij[i]) * ((int)F[N * M + i * M + 2 * j]) +
((int)_xij[i + 1]) * ((int)F[N * M + i * M + 2 * j + 1]);
}
}



+ 48
- 51
crypto_sign/mqdss-48/clean/sign.c View File

@@ -12,32 +12,29 @@

/* Takes an array of len bytes and computes a hash digest.
This is used as a hash function in the Fiat-Shamir transform. */
static void H(unsigned char *out, const unsigned char *in, const size_t len)
{
static void H(unsigned char *out, const unsigned char *in, const size_t len) {
shake256(out, HASH_BYTES, in, len);
}

/* Takes two arrays of N packed elements and an array of M packed elements,
and computes a HASH_BYTES commitment. */
static void com_0(unsigned char *c,
const unsigned char *rho,
const unsigned char *inn, const unsigned char *inn2,
const unsigned char *inm)
{
unsigned char buffer[HASH_BYTES + 2*NPACKED_BYTES + MPACKED_BYTES];
const unsigned char *rho,
const unsigned char *inn, const unsigned char *inn2,
const unsigned char *inm) {
unsigned char buffer[HASH_BYTES + 2 * NPACKED_BYTES + MPACKED_BYTES];
memcpy(buffer, rho, HASH_BYTES);
memcpy(buffer + HASH_BYTES, inn, NPACKED_BYTES);
memcpy(buffer + HASH_BYTES + NPACKED_BYTES, inn2, NPACKED_BYTES);
memcpy(buffer + HASH_BYTES + 2*NPACKED_BYTES, inm, MPACKED_BYTES);
shake256(c, HASH_BYTES, buffer, HASH_BYTES + 2*NPACKED_BYTES + MPACKED_BYTES);
memcpy(buffer + HASH_BYTES + 2 * NPACKED_BYTES, inm, MPACKED_BYTES);
shake256(c, HASH_BYTES, buffer, HASH_BYTES + 2 * NPACKED_BYTES + MPACKED_BYTES);
}

/* Takes an array of N packed elements and an array of M packed elements,
and computes a HASH_BYTES commitment. */
static void com_1(unsigned char *c,
const unsigned char *rho,
const unsigned char *inn, const unsigned char *inm)
{
const unsigned char *rho,
const unsigned char *inn, const unsigned char *inm) {
unsigned char buffer[HASH_BYTES + NPACKED_BYTES + MPACKED_BYTES];
memcpy(buffer, rho, HASH_BYTES);
memcpy(buffer + HASH_BYTES, inn, NPACKED_BYTES);
@@ -85,9 +82,9 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_signature(
unsigned char D_sigma0_h0_sigma1[HASH_BYTES * 3 + ROUNDS * (NPACKED_BYTES + MPACKED_BYTES)];
unsigned char *D = D_sigma0_h0_sigma1;
unsigned char *sigma0 = D_sigma0_h0_sigma1 + HASH_BYTES;
unsigned char *h0 = D_sigma0_h0_sigma1 + 2*HASH_BYTES;
unsigned char *t1packed = D_sigma0_h0_sigma1 + 3*HASH_BYTES;
unsigned char *e1packed = D_sigma0_h0_sigma1 + 3*HASH_BYTES + ROUNDS * NPACKED_BYTES;
unsigned char *h0 = D_sigma0_h0_sigma1 + 2 * HASH_BYTES;
unsigned char *t1packed = D_sigma0_h0_sigma1 + 3 * HASH_BYTES;
unsigned char *e1packed = D_sigma0_h0_sigma1 + 3 * HASH_BYTES + ROUNDS * NPACKED_BYTES;
uint64_t shakestate[25] = {0};
unsigned char shakeblock[SHAKE256_RATE];
unsigned char h1[((ROUNDS + 7) & ~7) >> 3];
@@ -139,33 +136,33 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_signature(

sig += HASH_BYTES; // Compensate for prefixed R.

memcpy(rnd_seed, skbuf + 2*SEED_BYTES, SEED_BYTES);
memcpy(rnd_seed, skbuf + 2 * SEED_BYTES, SEED_BYTES);
memcpy(rnd_seed + SEED_BYTES, D, HASH_BYTES);
shake256(rho, 2 * ROUNDS * HASH_BYTES, rnd_seed, SEED_BYTES + HASH_BYTES);

memcpy(rnd_seed, skbuf + 3*SEED_BYTES, SEED_BYTES);
memcpy(rnd_seed, skbuf + 3 * SEED_BYTES, SEED_BYTES);
memcpy(rnd_seed + SEED_BYTES, D, HASH_BYTES);
PQCLEAN_MQDSS48_CLEAN_gf31_nrand(rnd, (2 * N + M) * ROUNDS, rnd_seed, SEED_BYTES + HASH_BYTES);

for (i = 0; i < ROUNDS; i++) {
for (j = 0; j < N; j++) {
r1[j + i*N] = (gf31)(31 + sk_gf31[j] - r0[j + i*N]);
r1[j + i * N] = (gf31)(31 + sk_gf31[j] - r0[j + i * N]);
}
PQCLEAN_MQDSS48_CLEAN_G(gx + i*M, t0 + i*N, r1 + i*N, F);
PQCLEAN_MQDSS48_CLEAN_G(gx + i * M, t0 + i * N, r1 + i * N, F);
}
for (i = 0; i < ROUNDS * M; i++) {
gx[i] = (gf31)(gx[i] + e0[i]);
}
for (i = 0; i < ROUNDS; i++) {
PQCLEAN_MQDSS48_CLEAN_gf31_npack(packbuf0, r0 + i*N, N);
PQCLEAN_MQDSS48_CLEAN_gf31_npack(packbuf1, t0 + i*N, N);
PQCLEAN_MQDSS48_CLEAN_gf31_npack(packbuf2, e0 + i*M, M);
com_0(c + HASH_BYTES * (2*i + 0), rho0 + i*HASH_BYTES, packbuf0, packbuf1, packbuf2);
PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(r1 + i*N, r1 + i*N);
PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(gx + i*M, gx + i*M);
PQCLEAN_MQDSS48_CLEAN_gf31_npack(packbuf0, r1 + i*N, N);
PQCLEAN_MQDSS48_CLEAN_gf31_npack(packbuf1, gx + i*M, M);
com_1(c + HASH_BYTES * (2*i + 1), rho1 + i*HASH_BYTES, packbuf0, packbuf1);
PQCLEAN_MQDSS48_CLEAN_gf31_npack(packbuf0, r0 + i * N, N);
PQCLEAN_MQDSS48_CLEAN_gf31_npack(packbuf1, t0 + i * N, N);
PQCLEAN_MQDSS48_CLEAN_gf31_npack(packbuf2, e0 + i * M, M);
com_0(c + HASH_BYTES * (2 * i + 0), rho0 + i * HASH_BYTES, packbuf0, packbuf1, packbuf2);
PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(r1 + i * N, r1 + i * N);
PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(gx + i * M, gx + i * M);
PQCLEAN_MQDSS48_CLEAN_gf31_npack(packbuf0, r1 + i * N, N);
PQCLEAN_MQDSS48_CLEAN_gf31_npack(packbuf1, gx + i * M, M);
com_1(c + HASH_BYTES * (2 * i + 1), rho1 + i * HASH_BYTES, packbuf0, packbuf1);
}

H(sigma0, c, HASH_BYTES * ROUNDS * 2); // Compute sigma_0.
@@ -187,14 +184,14 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_signature(
}
} while (alpha == 31);
for (j = 0; j < N; j++) {
t1[i*N + j] = (gf31)(alpha * r0[j + i*N] - t0[j + i*N] + 31);
t1[i * N + j] = (gf31)(alpha * r0[j + i * N] - t0[j + i * N] + 31);
}
PQCLEAN_MQDSS48_CLEAN_MQ(e1 + i*M, r0 + i*N, F);
PQCLEAN_MQDSS48_CLEAN_MQ(e1 + i * M, r0 + i * N, F);
for (j = 0; j < N; j++) {
e1[i*N + j] = (gf31)(alpha * e1[j + i*M] - e0[j + i*M] + 31);
e1[i * N + j] = (gf31)(alpha * e1[j + i * M] - e0[j + i * M] + 31);
}
PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(t1 + i*N, t1 + i*N);
PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(e1 + i*N, e1 + i*N);
PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(t1 + i * N, t1 + i * N);
PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(e1 + i * N, e1 + i * N);
}
PQCLEAN_MQDSS48_CLEAN_gf31_npack(t1packed, t1, N * ROUNDS);
PQCLEAN_MQDSS48_CLEAN_gf31_npack(e1packed, e1, M * ROUNDS);
@@ -204,18 +201,18 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_signature(
memcpy(sig, e1packed, MPACKED_BYTES * ROUNDS);
sig += MPACKED_BYTES * ROUNDS;

shake256(h1, ((ROUNDS + 7) & ~7) >> 3, D_sigma0_h0_sigma1, 3*HASH_BYTES + ROUNDS*(NPACKED_BYTES + MPACKED_BYTES));
shake256(h1, ((ROUNDS + 7) & ~7) >> 3, D_sigma0_h0_sigma1, 3 * HASH_BYTES + ROUNDS * (NPACKED_BYTES + MPACKED_BYTES));

for (i = 0; i < ROUNDS; i++) {
b = (h1[(i >> 3)] >> (i & 7)) & 1;
if (b == 0) {
PQCLEAN_MQDSS48_CLEAN_gf31_npack(sig, r0+i*N, N);
PQCLEAN_MQDSS48_CLEAN_gf31_npack(sig, r0 + i * N, N);
} else if (b == 1) {
PQCLEAN_MQDSS48_CLEAN_gf31_npack(sig, r1+i*N, N);
PQCLEAN_MQDSS48_CLEAN_gf31_npack(sig, r1 + i * N, N);
}
memcpy(sig + NPACKED_BYTES, c + HASH_BYTES * (2*i + (1 - b)), HASH_BYTES);
memcpy(sig + NPACKED_BYTES, c + HASH_BYTES * (2 * i + (1 - b)), HASH_BYTES);
memcpy(sig + NPACKED_BYTES + HASH_BYTES, rho + (i + b * ROUNDS) * HASH_BYTES, HASH_BYTES);
sig += NPACKED_BYTES + 2*HASH_BYTES;
sig += NPACKED_BYTES + 2 * HASH_BYTES;
}

*siglen = SIG_LEN;
@@ -238,12 +235,12 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_verify(
unsigned char D_sigma0_h0_sigma1[HASH_BYTES * 3 + ROUNDS * (NPACKED_BYTES + MPACKED_BYTES)];
unsigned char *D = D_sigma0_h0_sigma1;
unsigned char *sigma0 = D_sigma0_h0_sigma1 + HASH_BYTES;
unsigned char *h0 = D_sigma0_h0_sigma1 + 2*HASH_BYTES;
unsigned char *t1packed = D_sigma0_h0_sigma1 + 3*HASH_BYTES;
unsigned char *e1packed = D_sigma0_h0_sigma1 + 3*HASH_BYTES + ROUNDS * NPACKED_BYTES;
unsigned char *h0 = D_sigma0_h0_sigma1 + 2 * HASH_BYTES;
unsigned char *t1packed = D_sigma0_h0_sigma1 + 3 * HASH_BYTES;
unsigned char *e1packed = D_sigma0_h0_sigma1 + 3 * HASH_BYTES + ROUNDS * NPACKED_BYTES;
unsigned char h1[((ROUNDS + 7) & ~7) >> 3];
unsigned char c[HASH_BYTES * ROUNDS * 2];
memset(c, 0, HASH_BYTES*2);
memset(c, 0, HASH_BYTES * 2);
gf31 x[N];
gf31 y[M];
gf31 z[M];
@@ -284,11 +281,11 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_verify(
sig += HASH_BYTES;

memcpy(t1packed, sig, ROUNDS * NPACKED_BYTES);
sig += ROUNDS*NPACKED_BYTES;
sig += ROUNDS * NPACKED_BYTES;
memcpy(e1packed, sig, ROUNDS * MPACKED_BYTES);
sig += ROUNDS*MPACKED_BYTES;
sig += ROUNDS * MPACKED_BYTES;

shake256(h1, ((ROUNDS + 7) & ~7) >> 3, D_sigma0_h0_sigma1, 3*HASH_BYTES + ROUNDS*(NPACKED_BYTES + MPACKED_BYTES));
shake256(h1, ((ROUNDS + 7) & ~7) >> 3, D_sigma0_h0_sigma1, 3 * HASH_BYTES + ROUNDS * (NPACKED_BYTES + MPACKED_BYTES));

for (i = 0; i < ROUNDS; i++) {
do {
@@ -302,8 +299,8 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_verify(
b = (h1[(i >> 3)] >> (i & 7)) & 1;

PQCLEAN_MQDSS48_CLEAN_gf31_nunpack(r, sig, N);
PQCLEAN_MQDSS48_CLEAN_gf31_nunpack(t, t1packed + NPACKED_BYTES*i, N);
PQCLEAN_MQDSS48_CLEAN_gf31_nunpack(e, e1packed + MPACKED_BYTES*i, M);
PQCLEAN_MQDSS48_CLEAN_gf31_nunpack(t, t1packed + NPACKED_BYTES * i, N);
PQCLEAN_MQDSS48_CLEAN_gf31_nunpack(e, e1packed + MPACKED_BYTES * i, M);

if (b == 0) {
PQCLEAN_MQDSS48_CLEAN_MQ(y, r, F);
@@ -317,7 +314,7 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_verify(
PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(y, y);
PQCLEAN_MQDSS48_CLEAN_gf31_npack(packbuf0, x, N);
PQCLEAN_MQDSS48_CLEAN_gf31_npack(packbuf1, y, M);
com_0(c + HASH_BYTES*(2*i + 0), sig + HASH_BYTES + NPACKED_BYTES, sig, packbuf0, packbuf1);
com_0(c + HASH_BYTES * (2 * i + 0), sig + HASH_BYTES + NPACKED_BYTES, sig, packbuf0, packbuf1);
} else {
PQCLEAN_MQDSS48_CLEAN_MQ(y, r, F);
PQCLEAN_MQDSS48_CLEAN_G(z, t, r, F);
@@ -326,10 +323,10 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_verify(
}
PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(y, y);
PQCLEAN_MQDSS48_CLEAN_gf31_npack(packbuf0, y, M);
com_1(c + HASH_BYTES*(2*i + 1), sig + HASH_BYTES + NPACKED_BYTES, sig, packbuf0);
com_1(c + HASH_BYTES * (2 * i + 1), sig + HASH_BYTES + NPACKED_BYTES, sig, packbuf0);
}
memcpy(c + HASH_BYTES*(2*i + (1 - b)), sig + NPACKED_BYTES, HASH_BYTES);
sig += NPACKED_BYTES + 2*HASH_BYTES;
memcpy(c + HASH_BYTES * (2 * i + (1 - b)), sig + NPACKED_BYTES, HASH_BYTES);
sig += NPACKED_BYTES + 2 * HASH_BYTES;
}

H(c, c, HASH_BYTES * ROUNDS * 2);


Write Preview
Loading…
Cancel
Save