diff --git a/crypto_kem/firesaber/clean/SABER_indcpa.c b/crypto_kem/firesaber/clean/SABER_indcpa.c index 552b0907..da8aa685 100644 --- a/crypto_kem/firesaber/clean/SABER_indcpa.c +++ b/crypto_kem/firesaber/clean/SABER_indcpa.c @@ -45,7 +45,7 @@ static void GenMatrix(polyvec *a, const unsigned char *seed) { void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_keypair(unsigned char *pk, unsigned char *sk) { - polyvec a[SABER_K];// skpv; + polyvec a[SABER_K]; uint16_t skpv[SABER_K][SABER_N]; @@ -58,43 +58,43 @@ void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_keypair(unsigned char *pk, unsigned char uint16_t res[SABER_K][SABER_N]; randombytes(seed, SABER_SEEDBYTES); - shake128(seed, SABER_SEEDBYTES, seed, SABER_SEEDBYTES); // for not revealing system RNG state + + // for not revealing system RNG state + shake128(seed, SABER_SEEDBYTES, seed, SABER_SEEDBYTES); randombytes(noiseseed, SABER_COINBYTES); GenMatrix(a, seed); //sample matrix A - PQCLEAN_FIRESABER_CLEAN_GenSecret(skpv, noiseseed); //generate secret from constant-time binomial distribution - - //------------------------do the matrix vector multiplication and rounding------------ + // generate secret from constant-time binomial distribution + PQCLEAN_FIRESABER_CLEAN_GenSecret(skpv, noiseseed); + // do the matrix vector multiplication and rounding for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_N; j++) { res[i][j] = 0; } } - MatrixVectorMul(a, skpv, res, SABER_Q - 1, 1); - //-----now rounding - for (i = 0; i < SABER_K; i++) { //shift right 3 bits + // now rounding + for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_N; j++) { + // shift right 3 bits res[i][j] = (res[i][j] + h1) & (mod_q); res[i][j] = (res[i][j] >> (SABER_EQ - SABER_EP)); } } - //------------------unload and pack sk=3 x (256 coefficients of 14 bits)------- - + // unload and pack sk=3 x (256 coefficients of 14 bits) PQCLEAN_FIRESABER_CLEAN_POLVEC2BS(sk, skpv, SABER_Q); - //------------------unload and pack pk=256 bits seed and 3 x (256 coefficients of 11 bits)------- + // unload and pack pk=256 bits seed and 3 x (256 coefficients of 11 bits) + // load the public-key coefficients + PQCLEAN_FIRESABER_CLEAN_POLVEC2BS(pk, res, SABER_P); - PQCLEAN_FIRESABER_CLEAN_POLVEC2BS(pk, res, SABER_P); // load the public-key coefficients - - - - for (i = 0; i < SABER_SEEDBYTES; i++) { // now load the seedbytes in PK. Easy since seed bytes are kept in byte format. + // now load the seedbytes in PK. Easy since seed bytes are kept in byte format. + for (i = 0; i < SABER_SEEDBYTES; i++) { pk[SABER_POLYVECCOMPRESSEDBYTES + i] = seed[i]; } @@ -103,47 +103,39 @@ void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_keypair(unsigned char *pk, unsigned char void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_enc(const unsigned char *message_received, unsigned char *noiseseed, const unsigned char *pk, unsigned char *ciphertext) { uint32_t i, j, k; - polyvec a[SABER_K]; // skpv; + polyvec a[SABER_K]; unsigned char seed[SABER_SEEDBYTES]; - uint16_t pkcl[SABER_K][SABER_N]; //public key of received by the client - - - + // public key of received by the client + uint16_t pkcl[SABER_K][SABER_N]; uint16_t skpv1[SABER_K][SABER_N]; - uint16_t message[SABER_KEYBYTES * 8]; - uint16_t res[SABER_K][SABER_N]; uint16_t mod_p = SABER_P - 1; uint16_t mod_q = SABER_Q - 1; - uint16_t vprime[SABER_N]; - - - unsigned char msk_c[SABER_SCALEBYTES_KEM]; - for (i = 0; i < SABER_SEEDBYTES; i++) { // extract the seedbytes from Public Key. + // extract the seedbytes from Public Key. + for (i = 0; i < SABER_SEEDBYTES; i++) { seed[i] = pk[ SABER_POLYVECCOMPRESSEDBYTES + i]; } GenMatrix(a, seed); - PQCLEAN_FIRESABER_CLEAN_GenSecret(skpv1, noiseseed); //generate secret from constant-time binomial distribution - - //-----------------matrix-vector multiplication and rounding + // generate secret from constant-time binomial distribution + PQCLEAN_FIRESABER_CLEAN_GenSecret(skpv1, noiseseed); + // matrix-vector multiplication and rounding for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_N; j++) { res[i][j] = 0; } } - MatrixVectorMul(a, skpv1, res, SABER_Q - 1, 0); - //-----now rounding - - for (i = 0; i < SABER_K; i++) { //shift right 3 bits + // now rounding + //shift right 3 bits + for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_N; j++) { res[i][j] = ( res[i][j] + h1 ) & mod_q; res[i][j] = (res[i][j] >> (SABER_EQ - SABER_EP) ); @@ -152,21 +144,15 @@ void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_enc(const unsigned char *message_receive PQCLEAN_FIRESABER_CLEAN_POLVEC2BS(ciphertext, res, SABER_P); -//*******************client matrix-vector multiplication ends************************************ + // ************client matrix-vector multiplication ends************ - //------now calculate the v' - - //-------unpack the public_key - - //pkcl is the b in the protocol + // now calculate the v' + // unpack the public_key + // pkcl is the b in the protocol PQCLEAN_FIRESABER_CLEAN_BS2POLVEC(pk, pkcl, SABER_P); - - - for (i = 0; i < SABER_N; i++) { vprime[i] = 0; } - for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_N; j++) { skpv1[i][j] = skpv1[i][j] & (mod_p); @@ -176,12 +162,11 @@ void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_enc(const unsigned char *message_receive // vector-vector scalar multiplication with mod p InnerProd(pkcl, skpv1, mod_p, vprime); - //addition of h1 to vprime + // addition of h1 to vprime for (i = 0; i < SABER_N; i++) { vprime[i] = vprime[i] + h1; } - // unpack message_received; for (j = 0; j < SABER_KEYBYTES; j++) { for (i = 0; i < 8; i++) { @@ -194,9 +179,6 @@ void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_enc(const unsigned char *message_receive message[i] = (message[i] << (SABER_EP - 1)); } - - - for (k = 0; k < SABER_N; k++) { vprime[k] = ( (vprime[k] - message[k]) & (mod_p) ) >> (SABER_EP - SABER_ET); } @@ -204,7 +186,6 @@ void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_enc(const unsigned char *message_receive PQCLEAN_FIRESABER_CLEAN_pack_6bit(msk_c, vprime); - for (j = 0; j < SABER_SCALEBYTES_KEM; j++) { ciphertext[SABER_POLYVECCOMPRESSEDBYTES + j] = msk_c[j]; } @@ -212,41 +193,31 @@ void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_enc(const unsigned char *message_receive void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_dec(const unsigned char *sk, const unsigned char *ciphertext, unsigned char message_dec[]) { - uint32_t i, j; - - - uint16_t sksv[SABER_K][SABER_N]; //secret key of the server - - + // secret key of the server + uint16_t sksv[SABER_K][SABER_N]; uint16_t pksv[SABER_K][SABER_N]; - uint8_t scale_ar[SABER_SCALEBYTES_KEM]; - uint16_t mod_p = SABER_P - 1; - uint16_t v[SABER_N]; - uint16_t op[SABER_N]; - - PQCLEAN_FIRESABER_CLEAN_BS2POLVEC(sk, sksv, SABER_Q); //sksv is the secret-key - PQCLEAN_FIRESABER_CLEAN_BS2POLVEC(ciphertext, pksv, SABER_P); //pksv is the ciphertext + // sksv is the secret-key + PQCLEAN_FIRESABER_CLEAN_BS2POLVEC(sk, sksv, SABER_Q); + // pksv is the ciphertext + PQCLEAN_FIRESABER_CLEAN_BS2POLVEC(ciphertext, pksv, SABER_P); // vector-vector scalar multiplication with mod p for (i = 0; i < SABER_N; i++) { v[i] = 0; } - for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_N; j++) { sksv[i][j] = sksv[i][j] & (mod_p); } } - InnerProd(pksv, sksv, mod_p, v); - //Extraction for (i = 0; i < SABER_SCALEBYTES_KEM; i++) { scale_ar[i] = ciphertext[SABER_POLYVECCOMPRESSEDBYTES + i]; @@ -254,20 +225,15 @@ void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_dec(const unsigned char *sk, const unsig PQCLEAN_FIRESABER_CLEAN_un_pack6bit(scale_ar, op); - //addition of h1 for (i = 0; i < SABER_N; i++) { v[i] = ( ( v[i] + h2 - (op[i] << (SABER_EP - SABER_ET)) ) & (mod_p) ) >> (SABER_EP - 1); } // pack decrypted message - POL2MSG(v, message_dec); - - } static void MatrixVectorMul(polyvec *a, uint16_t skpv[SABER_K][SABER_N], uint16_t res[SABER_K][SABER_N], uint16_t mod, int16_t transpose) { - uint16_t acc[SABER_N]; int32_t i, j, k; @@ -278,32 +244,30 @@ static void MatrixVectorMul(polyvec *a, uint16_t skpv[SABER_K][SABER_N], uint16_ for (k = 0; k < SABER_N; k++) { res[i][k] = res[i][k] + acc[k]; - res[i][k] = (res[i][k] & mod); //reduction mod p - acc[k] = 0; //clear the accumulator + //reduction mod p + res[i][k] = (res[i][k] & mod); + //clear the accumulator + acc[k] = 0; } - } } } else { - for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_K; j++) { PQCLEAN_FIRESABER_CLEAN_pol_mul((uint16_t *)&a[i].vec[j], skpv[j], acc, SABER_Q, SABER_N); for (k = 0; k < SABER_N; k++) { res[i][k] = res[i][k] + acc[k]; - res[i][k] = res[i][k] & mod; //reduction - acc[k] = 0; //clear the accumulator + // reduction + res[i][k] = res[i][k] & mod; + // clear the accumulator + acc[k] = 0; } - } } } - - } static void POL2MSG(const uint16_t *message_dec_unpacked, unsigned char *message_dec) { - int32_t i, j; for (j = 0; j < SABER_KEYBYTES; j++) { @@ -312,13 +276,10 @@ static void POL2MSG(const uint16_t *message_dec_unpacked, unsigned char *message message_dec[j] = message_dec[j] | (uint8_t) (message_dec_unpacked[j * 8 + i] << i); } } - } static void InnerProd(uint16_t pkcl[SABER_K][SABER_N], uint16_t skpv[SABER_K][SABER_N], uint16_t mod, uint16_t res[SABER_N]) { - - uint32_t j, k; uint16_t acc[SABER_N]; @@ -328,8 +289,10 @@ static void InnerProd(uint16_t pkcl[SABER_K][SABER_N], uint16_t skpv[SABER_K][SA for (k = 0; k < SABER_N; k++) { res[k] = res[k] + acc[k]; - res[k] = res[k] & mod; //reduction - acc[k] = 0; //clear the accumulator + // reduction + res[k] = res[k] & mod; + // clear the accumulator + acc[k] = 0; } } } diff --git a/crypto_kem/firesaber/clean/kem.c b/crypto_kem/firesaber/clean/kem.c index 4aef57ce..c66cfed9 100644 --- a/crypto_kem/firesaber/clean/kem.c +++ b/crypto_kem/firesaber/clean/kem.c @@ -10,37 +10,48 @@ int PQCLEAN_FIRESABER_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) { int i; - PQCLEAN_FIRESABER_CLEAN_indcpa_kem_keypair(pk, sk); // sk[0:SABER_INDCPA_SECRETKEYBYTES-1] <-- sk + // sk[0:SABER_INDCPA_SECRETKEYBYTES-1] <-- sk + PQCLEAN_FIRESABER_CLEAN_indcpa_kem_keypair(pk, sk); + + // sk[SABER_INDCPA_SECRETKEYBYTES:SABER_INDCPA_SECRETKEYBYTES+SABER_INDCPA_SECRETKEYBYTES-1] <-- pk for (i = 0; i < SABER_INDCPA_PUBLICKEYBYTES; i++) { - sk[i + SABER_INDCPA_SECRETKEYBYTES] = pk[i]; // sk[SABER_INDCPA_SECRETKEYBYTES:SABER_INDCPA_SECRETKEYBYTES+SABER_INDCPA_SECRETKEYBYTES-1] <-- pk + sk[i + SABER_INDCPA_SECRETKEYBYTES] = pk[i]; } - sha3_256(sk + SABER_SECRETKEYBYTES - 64, pk, SABER_INDCPA_PUBLICKEYBYTES); // Then hash(pk) is appended. + // Then hash(pk) is appended. + sha3_256(sk + SABER_SECRETKEYBYTES - 64, pk, SABER_INDCPA_PUBLICKEYBYTES); - randombytes(sk + SABER_SECRETKEYBYTES - SABER_KEYBYTES, SABER_KEYBYTES ); // Remaining part of sk contains a pseudo-random number. + // Remaining part of sk contains a pseudo-random number. // This is output when check in crypto_kem_dec() fails. + randombytes(sk + SABER_SECRETKEYBYTES - SABER_KEYBYTES, SABER_KEYBYTES ); return (0); } int PQCLEAN_FIRESABER_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) { - - unsigned char kr[64]; // Will contain key, coins + // Will contain key, coins + unsigned char kr[64]; unsigned char buf[64]; randombytes(buf, 32); - sha3_256(buf, buf, 32); // BUF[0:31] <-- random message (will be used as the key for client) Note: hash doesnot release system RNG output + // BUF[0:31] <-- random message (will be used as the key for client) Note: hash doesnot release system RNG output + sha3_256(buf, buf, 32); - sha3_256(buf + 32, pk, SABER_INDCPA_PUBLICKEYBYTES); // BUF[32:63] <-- Hash(public key); Multitarget countermeasure for coins + contributory KEM + // BUF[32:63] <-- Hash(public key); Multitarget countermeasure for coins + contributory KEM + sha3_256(buf + 32, pk, SABER_INDCPA_PUBLICKEYBYTES); + + // kr[0:63] <-- Hash(buf[0:63]); + sha3_512(kr, buf, 64); - sha3_512(kr, buf, 64); // kr[0:63] <-- Hash(buf[0:63]); // K^ <-- kr[0:31] // noiseseed (r) <-- kr[32:63]; - PQCLEAN_FIRESABER_CLEAN_indcpa_kem_enc(buf, kr + 32, pk, ct); // buf[0:31] contains message; kr[32:63] contains randomness r; + // buf[0:31] contains message; kr[32:63] contains randomness r; + PQCLEAN_FIRESABER_CLEAN_indcpa_kem_enc(buf, kr + 32, pk, ct); sha3_256(kr + 32, ct, SABER_BYTES_CCA_DEC); - sha3_256(ss, kr, 64); // hash concatenation of pre-k and h(c) to k + // hash concatenation of pre-k and h(c) to k + sha3_256(ss, kr, 64); return (0); } @@ -51,14 +62,18 @@ int PQCLEAN_FIRESABER_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned cha unsigned char fail; unsigned char cmp[SABER_BYTES_CCA_DEC]; unsigned char buf[64]; - unsigned char kr[64]; // Will contain key, coins + + // Will contain key, coins + unsigned char kr[64]; const unsigned char *pk = sk + SABER_INDCPA_SECRETKEYBYTES; - PQCLEAN_FIRESABER_CLEAN_indcpa_kem_dec(sk, ct, buf); // buf[0:31] <-- message + // buf[0:31] <-- message + PQCLEAN_FIRESABER_CLEAN_indcpa_kem_dec(sk, ct, buf); // Multitarget countermeasure for coins + contributory KEM - for (i = 0; i < 32; i++) { // Save hash by storing h(pk) in sk + // Save hash by storing h(pk) in sk + for (i = 0; i < 32; i++) { buf[32 + i] = sk[SABER_SECRETKEYBYTES - 64 + i]; } @@ -69,11 +84,13 @@ int PQCLEAN_FIRESABER_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned cha fail = PQCLEAN_FIRESABER_CLEAN_verify(ct, cmp, SABER_BYTES_CCA_DEC); - sha3_256(kr + 32, ct, SABER_BYTES_CCA_DEC); // overwrite coins in kr with h(c) + // overwrite coins in kr with h(c) + sha3_256(kr + 32, ct, SABER_BYTES_CCA_DEC); PQCLEAN_FIRESABER_CLEAN_cmov(kr, sk + SABER_SECRETKEYBYTES - SABER_KEYBYTES, SABER_KEYBYTES, fail); - sha3_256(ss, kr, 64); // hash concatenation of pre-k and h(c) to k + // hash concatenation of pre-k and h(c) to k + sha3_256(ss, kr, 64); return (0); } diff --git a/crypto_kem/firesaber/clean/pack_unpack.c b/crypto_kem/firesaber/clean/pack_unpack.c index 8d4de5bb..9e68ffc1 100644 --- a/crypto_kem/firesaber/clean/pack_unpack.c +++ b/crypto_kem/firesaber/clean/pack_unpack.c @@ -1,21 +1,26 @@ #include "pack_unpack.h" void PQCLEAN_FIRESABER_CLEAN_pack_3bit(uint8_t *bytes, const uint16_t *data) { - uint32_t j; uint32_t offset_data, offset_byte; for (j = 0; j < SABER_N / 8; j++) { offset_byte = 3 * j; offset_data = 8 * j; - bytes[offset_byte + 0] = (data[offset_data + 0] & 0x7) | ( (data[offset_data + 1] & 0x7) << 3 ) | ((data[offset_data + 2] & 0x3) << 6); - bytes[offset_byte + 1] = ((data[offset_data + 2] >> 2 ) & 0x01) | ( (data[offset_data + 3] & 0x7) << 1 ) | ( (data[offset_data + 4] & 0x7) << 4 ) | (((data[offset_data + 5]) & 0x01) << 7); - bytes[offset_byte + 2] = ((data[offset_data + 5] >> 1 ) & 0x03) | ( (data[offset_data + 6] & 0x7) << 2 ) | ( (data[offset_data + 7] & 0x7) << 5 ); + bytes[offset_byte + 0] = (data[offset_data + 0] & 0x7) | + ((data[offset_data + 1] & 0x7) << 3) | + ((data[offset_data + 2] & 0x3) << 6); + bytes[offset_byte + 1] = ((data[offset_data + 2] >> 2 ) & 0x01) | + ((data[offset_data + 3] & 0x7) << 1) | + ((data[offset_data + 4] & 0x7) << 4) | + (((data[offset_data + 5]) & 0x01) << 7); + bytes[offset_byte + 2] = ((data[offset_data + 5] >> 1 ) & 0x03) | + ((data[offset_data + 6] & 0x7) << 2) | + ((data[offset_data + 7] & 0x7) << 5); } } void PQCLEAN_FIRESABER_CLEAN_un_pack3bit(const uint8_t *bytes, uint16_t *data) { - uint32_t j; uint32_t offset_data, offset_byte; @@ -23,30 +28,30 @@ void PQCLEAN_FIRESABER_CLEAN_un_pack3bit(const uint8_t *bytes, uint16_t *data) { offset_byte = 3 * j; offset_data = 8 * j; data[offset_data + 0] = (bytes[offset_byte + 0]) & 0x07; - data[offset_data + 1] = ( (bytes[offset_byte + 0]) >> 3 ) & 0x07; - data[offset_data + 2] = ( ( (bytes[offset_byte + 0]) >> 6 ) & 0x03) | ( ( (bytes[offset_byte + 1]) & 0x01) << 2 ); - data[offset_data + 3] = ( (bytes[offset_byte + 1]) >> 1 ) & 0x07; - data[offset_data + 4] = ( (bytes[offset_byte + 1]) >> 4 ) & 0x07; - data[offset_data + 5] = ( ( (bytes[offset_byte + 1]) >> 7 ) & 0x01) | ( ( (bytes[offset_byte + 2]) & 0x03) << 1 ); - data[offset_data + 6] = ( (bytes[offset_byte + 2] >> 2) & 0x07 ); - data[offset_data + 7] = ( (bytes[offset_byte + 2] >> 5) & 0x07 ); + data[offset_data + 1] = ((bytes[offset_byte + 0]) >> 3 ) & 0x07; + data[offset_data + 2] = (((bytes[offset_byte + 0]) >> 6 ) & 0x03) | + (((bytes[offset_byte + 1]) & 0x01) << 2); + data[offset_data + 3] = ((bytes[offset_byte + 1]) >> 1 ) & 0x07; + data[offset_data + 4] = ((bytes[offset_byte + 1]) >> 4 ) & 0x07; + data[offset_data + 5] = (((bytes[offset_byte + 1]) >> 7 ) & 0x01) | + (((bytes[offset_byte + 2]) & 0x03) << 1); + data[offset_data + 6] = ((bytes[offset_byte + 2] >> 2) & 0x07); + data[offset_data + 7] = ((bytes[offset_byte + 2] >> 5) & 0x07); } - } void PQCLEAN_FIRESABER_CLEAN_pack_4bit(uint8_t *bytes, const uint16_t *data) { - uint32_t j; uint32_t offset_data; for (j = 0; j < SABER_N / 2; j++) { offset_data = 2 * j; - bytes[j] = (data[offset_data] & 0x0f) | ( (data[offset_data + 1] & 0x0f) << 4 ); + bytes[j] = (data[offset_data] & 0x0f) | + ((data[offset_data + 1] & 0x0f) << 4); } } void PQCLEAN_FIRESABER_CLEAN_un_pack4bit(const unsigned char *bytes, uint16_t *ar) { - uint32_t j; uint32_t offset_data; @@ -64,9 +69,12 @@ void PQCLEAN_FIRESABER_CLEAN_pack_6bit(uint8_t *bytes, const uint16_t *data) { for (j = 0; j < SABER_N / 4; j++) { offset_byte = 3 * j; offset_data = 4 * j; - bytes[offset_byte + 0] = (data[offset_data + 0] & 0x3f) | ((data[offset_data + 1] & 0x03) << 6); - bytes[offset_byte + 1] = ((data[offset_data + 1] >> 2) & 0x0f) | ((data[offset_data + 2] & 0x0f) << 4); - bytes[offset_byte + 2] = ((data[offset_data + 2] >> 4) & 0x03) | ((data[offset_data + 3] & 0x3f) << 2); + bytes[offset_byte + 0] = (data[offset_data + 0] & 0x3f) | + ((data[offset_data + 1] & 0x03) << 6); + bytes[offset_byte + 1] = ((data[offset_data + 1] >> 2) & 0x0f) | + ((data[offset_data + 2] & 0x0f) << 4); + bytes[offset_byte + 2] = ((data[offset_data + 2] >> 4) & 0x03) | + ((data[offset_data + 3] & 0x3f) << 2); } } @@ -79,11 +87,12 @@ void PQCLEAN_FIRESABER_CLEAN_un_pack6bit(const unsigned char *bytes, uint16_t *d offset_byte = 3 * j; offset_data = 4 * j; data[offset_data + 0] = bytes[offset_byte + 0] & 0x3f; - data[offset_data + 1] = ((bytes[offset_byte + 0] >> 6) & 0x03) | ((bytes[offset_byte + 1] & 0x0f) << 2) ; - data[offset_data + 2] = ((bytes[offset_byte + 1] & 0xff) >> 4) | ((bytes[offset_byte + 2] & 0x03) << 4) ; + data[offset_data + 1] = ((bytes[offset_byte + 0] >> 6) & 0x03) | + ((bytes[offset_byte + 1] & 0x0f) << 2); + data[offset_data + 2] = ((bytes[offset_byte + 1] & 0xff) >> 4) | + ((bytes[offset_byte + 2] & 0x03) << 4); data[offset_data + 3] = ((bytes[offset_byte + 2] & 0xff) >> 2); } - } @@ -96,23 +105,19 @@ static void POLVECp2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N]) { for (j = 0; j < SABER_N / 4; j++) { offset_byte = offset_byte1 + 5 * j; offset_data = 4 * j; - bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff)); - - bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x03 ) | ((data[i][ offset_data + 1 ] & 0x3f) << 2); - - bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 6) & 0x0f ) | ( (data[i][ offset_data + 2 ] & 0x0f) << 4); - - bytes[offset_byte + 3] = ( (data[i][ offset_data + 2 ] >> 4) & 0x3f ) | ((data[i][ offset_data + 3 ] & 0x03) << 6); - - bytes[offset_byte + 4] = ( (data[i][ offset_data + 3 ] >> 2) & 0xff ); + bytes[offset_byte + 0] = (data[i][offset_data + 0] & (0xff)); + bytes[offset_byte + 1] = ((data[i][offset_data + 0] >> 8) & 0x03) | + ((data[i][offset_data + 1] & 0x3f) << 2); + bytes[offset_byte + 2] = ((data[i][offset_data + 1] >> 6) & 0x0f) | + ((data[i][offset_data + 2] & 0x0f) << 4); + bytes[offset_byte + 3] = ((data[i][offset_data + 2] >> 4) & 0x3f) | + ((data[i][offset_data + 3] & 0x03) << 6); + bytes[offset_byte + 4] = ((data[i][offset_data + 3] >> 2) & 0xff); } } - - } static void BS2POLVECp(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N]) { - uint32_t i, j; uint32_t offset_data, offset_byte, offset_byte1; @@ -121,21 +126,21 @@ static void BS2POLVECp(const unsigned char *bytes, uint16_t data[SABER_K][SABER_ for (j = 0; j < SABER_N / 4; j++) { offset_byte = offset_byte1 + 5 * j; offset_data = 4 * j; - data[i][offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[ offset_byte + 1 ] & 0x03) << 8); - data[i][offset_data + 1] = ( (bytes[ offset_byte + 1 ] >> 2) & (0x3f)) | ((bytes[ offset_byte + 2 ] & 0x0f) << 6); - data[i][offset_data + 2] = ( (bytes[ offset_byte + 2 ] >> 4) & (0x0f)) | ((bytes[ offset_byte + 3 ] & 0x3f) << 4); - data[i][offset_data + 3] = ( (bytes[ offset_byte + 3 ] >> 6) & (0x03)) | ((bytes[ offset_byte + 4 ] & 0xff) << 2); - + data[i][offset_data + 0] = (bytes[offset_byte + 0] & (0xff)) | + ((bytes[offset_byte + 1] & 0x03) << 8); + data[i][offset_data + 1] = ((bytes[offset_byte + 1] >> 2) & (0x3f)) | + ((bytes[offset_byte + 2] & 0x0f) << 6); + data[i][offset_data + 2] = ((bytes[offset_byte + 2] >> 4) & (0x0f)) | + ((bytes[offset_byte + 3] & 0x3f) << 4); + data[i][offset_data + 3] = ((bytes[offset_byte + 3] >> 6) & (0x03)) | + ((bytes[offset_byte + 4] & 0xff) << 2); } } - - } static void POLVECq2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N]) { - uint32_t i, j; uint32_t offset_data, offset_byte, offset_byte1; @@ -144,40 +149,31 @@ static void POLVECq2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N]) { for (j = 0; j < SABER_N / 8; j++) { offset_byte = offset_byte1 + 13 * j; offset_data = 8 * j; - bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff)); - - bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x1f ) | ((data[i][ offset_data + 1 ] & 0x07) << 5); - - bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 3) & 0xff ); - - bytes[offset_byte + 3] = ( (data[i][ offset_data + 1 ] >> 11) & 0x03 ) | ((data[i][ offset_data + 2 ] & 0x3f) << 2); - - bytes[offset_byte + 4] = ( (data[i][ offset_data + 2 ] >> 6) & 0x7f ) | ( (data[i][ offset_data + 3 ] & 0x01) << 7 ); - - bytes[offset_byte + 5] = ( (data[i][ offset_data + 3 ] >> 1) & 0xff ); - - bytes[offset_byte + 6] = ( (data[i][ offset_data + 3 ] >> 9) & 0x0f ) | ( (data[i][ offset_data + 4 ] & 0x0f) << 4 ); - - bytes[offset_byte + 7] = ( (data[i][ offset_data + 4] >> 4) & 0xff ); - - bytes[offset_byte + 8] = ( (data[i][ offset_data + 4 ] >> 12) & 0x01 ) | ( (data[i][ offset_data + 5 ] & 0x7f) << 1 ); - - bytes[offset_byte + 9] = ( (data[i][ offset_data + 5 ] >> 7) & 0x3f ) | ( (data[i][ offset_data + 6 ] & 0x03) << 6 ); - - bytes[offset_byte + 10] = ( (data[i][ offset_data + 6 ] >> 2) & 0xff ); - - bytes[offset_byte + 11] = ( (data[i][ offset_data + 6 ] >> 10) & 0x07 ) | ( (data[i][ offset_data + 7 ] & 0x1f) << 3 ); - - bytes[offset_byte + 12] = ( (data[i][ offset_data + 7 ] >> 5) & 0xff ); - + bytes[offset_byte + 0] = (data[i][offset_data + 0] & (0xff)); + bytes[offset_byte + 1] = ((data[i][offset_data + 0] >> 8) & 0x1f) | + ((data[i][offset_data + 1] & 0x07) << 5); + bytes[offset_byte + 2] = ((data[i][offset_data + 1] >> 3) & 0xff); + bytes[offset_byte + 3] = ((data[i][offset_data + 1] >> 11) & 0x03) | + ((data[i][offset_data + 2] & 0x3f) << 2); + bytes[offset_byte + 4] = ((data[i][offset_data + 2] >> 6) & 0x7f) | + ((data[i][offset_data + 3] & 0x01) << 7); + bytes[offset_byte + 5] = ((data[i][offset_data + 3] >> 1) & 0xff); + bytes[offset_byte + 6] = ((data[i][offset_data + 3] >> 9) & 0x0f) | + ((data[i][offset_data + 4] & 0x0f) << 4); + bytes[offset_byte + 7] = ((data[i][offset_data + 4] >> 4) & 0xff); + bytes[offset_byte + 8] = ((data[i][offset_data + 4] >> 12) & 0x01) | + ((data[i][offset_data + 5] & 0x7f) << 1); + bytes[offset_byte + 9] = ((data[i][offset_data + 5] >> 7) & 0x3f) | + ((data[i][offset_data + 6] & 0x03) << 6); + bytes[offset_byte + 10] = ((data[i][offset_data + 6] >> 2) & 0xff); + bytes[offset_byte + 11] = ((data[i][offset_data + 6] >> 10) & 0x07) | + ((data[i][offset_data + 7] & 0x1f) << 3); + bytes[offset_byte + 12] = ((data[i][offset_data + 7] >> 5) & 0xff); } } - - } static void BS2POLVECq(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N]) { - uint32_t i, j; uint32_t offset_data, offset_byte, offset_byte1; @@ -186,44 +182,62 @@ static void BS2POLVECq(const unsigned char *bytes, uint16_t data[SABER_K][SABER_ for (j = 0; j < SABER_N / 8; j++) { offset_byte = offset_byte1 + 13 * j; offset_data = 8 * j; - data[i][offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[offset_byte + 1] & 0x1f) << 8); - data[i][offset_data + 1] = ( bytes[ offset_byte + 1 ] >> 5 & (0x07)) | ((bytes[offset_byte + 2] & 0xff) << 3) | ((bytes[offset_byte + 3] & 0x03) << 11); - data[i][offset_data + 2] = ( bytes[ offset_byte + 3 ] >> 2 & (0x3f)) | ((bytes[offset_byte + 4] & 0x7f) << 6); - data[i][offset_data + 3] = ( bytes[ offset_byte + 4 ] >> 7 & (0x01)) | ((bytes[offset_byte + 5] & 0xff) << 1) | ((bytes[offset_byte + 6] & 0x0f) << 9); - data[i][offset_data + 4] = ( bytes[ offset_byte + 6 ] >> 4 & (0x0f)) | ((bytes[offset_byte + 7] & 0xff) << 4) | ((bytes[offset_byte + 8] & 0x01) << 12); - data[i][offset_data + 5] = ( bytes[ offset_byte + 8] >> 1 & (0x7f)) | ((bytes[offset_byte + 9] & 0x3f) << 7); - data[i][offset_data + 6] = ( bytes[ offset_byte + 9] >> 6 & (0x03)) | ((bytes[offset_byte + 10] & 0xff) << 2) | ((bytes[offset_byte + 11] & 0x07) << 10); - data[i][offset_data + 7] = ( bytes[ offset_byte + 11] >> 3 & (0x1f)) | ((bytes[offset_byte + 12] & 0xff) << 5); + data[i][offset_data + 0] = (bytes[offset_byte + 0] & (0xff)) | + ((bytes[offset_byte + 1] & 0x1f) << 8); + data[i][offset_data + 1] = (bytes[offset_byte + 1] >> 5 & (0x07)) | + ((bytes[offset_byte + 2] & 0xff) << 3) | + ((bytes[offset_byte + 3] & 0x03) << 11); + data[i][offset_data + 2] = (bytes[offset_byte + 3] >> 2 & (0x3f)) | + ((bytes[offset_byte + 4] & 0x7f) << 6); + data[i][offset_data + 3] = (bytes[offset_byte + 4] >> 7 & (0x01)) | + ((bytes[offset_byte + 5] & 0xff) << 1) | + ((bytes[offset_byte + 6] & 0x0f) << 9); + data[i][offset_data + 4] = (bytes[offset_byte + 6] >> 4 & (0x0f)) | + ((bytes[offset_byte + 7] & 0xff) << 4) | + ((bytes[offset_byte + 8] & 0x01) << 12); + data[i][offset_data + 5] = (bytes[offset_byte + 8] >> 1 & (0x7f)) | + ((bytes[offset_byte + 9] & 0x3f) << 7); + data[i][offset_data + 6] = (bytes[offset_byte + 9] >> 6 & (0x03)) | + ((bytes[offset_byte + 10] & 0xff) << 2) | + ((bytes[offset_byte + 11] & 0x07) << 10); + data[i][offset_data + 7] = (bytes[offset_byte + 11] >> 3 & (0x1f)) | + ((bytes[offset_byte + 12] & 0xff) << 5); } } - - } -void PQCLEAN_FIRESABER_CLEAN_BS2POL(const unsigned char *bytes, uint16_t data[SABER_N]) { //only BS2POLq no BS2POLp - +//only BS2POLq no BS2POLp +void PQCLEAN_FIRESABER_CLEAN_BS2POL(const unsigned char *bytes, uint16_t data[SABER_N]) { uint32_t j; uint32_t offset_data, offset_byte; for (j = 0; j < SABER_N / 8; j++) { offset_byte = 13 * j; offset_data = 8 * j; - data[offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[offset_byte + 1] & 0x1f) << 8); - data[offset_data + 1] = ( bytes[ offset_byte + 1 ] >> 5 & (0x07)) | ((bytes[offset_byte + 2] & 0xff) << 3) | ((bytes[offset_byte + 3] & 0x03) << 11); - data[offset_data + 2] = ( bytes[ offset_byte + 3 ] >> 2 & (0x3f)) | ((bytes[offset_byte + 4] & 0x7f) << 6); - data[offset_data + 3] = ( bytes[ offset_byte + 4 ] >> 7 & (0x01)) | ((bytes[offset_byte + 5] & 0xff) << 1) | ((bytes[offset_byte + 6] & 0x0f) << 9); - data[offset_data + 4] = ( bytes[ offset_byte + 6 ] >> 4 & (0x0f)) | ((bytes[offset_byte + 7] & 0xff) << 4) | ((bytes[offset_byte + 8] & 0x01) << 12); - data[offset_data + 5] = ( bytes[ offset_byte + 8] >> 1 & (0x7f)) | ((bytes[offset_byte + 9] & 0x3f) << 7); - data[offset_data + 6] = ( bytes[ offset_byte + 9] >> 6 & (0x03)) | ((bytes[offset_byte + 10] & 0xff) << 2) | ((bytes[offset_byte + 11] & 0x07) << 10); - data[offset_data + 7] = ( bytes[ offset_byte + 11] >> 3 & (0x1f)) | ((bytes[offset_byte + 12] & 0xff) << 5); + data[offset_data + 0] = (bytes[offset_byte + 0] & (0xff)) | + ((bytes[offset_byte + 1] & 0x1f) << 8); + data[offset_data + 1] = (bytes[offset_byte + 1] >> 5 & (0x07)) | + ((bytes[offset_byte + 2] & 0xff) << 3) | + ((bytes[offset_byte + 3] & 0x03) << 11); + data[offset_data + 2] = (bytes[offset_byte + 3] >> 2 & (0x3f)) | + ((bytes[offset_byte + 4] & 0x7f) << 6); + data[offset_data + 3] = (bytes[offset_byte + 4] >> 7 & (0x01)) | + ((bytes[offset_byte + 5] & 0xff) << 1) | + ((bytes[offset_byte + 6] & 0x0f) << 9); + data[offset_data + 4] = (bytes[offset_byte + 6] >> 4 & (0x0f)) | + ((bytes[offset_byte + 7] & 0xff) << 4) | + ((bytes[offset_byte + 8] & 0x01) << 12); + data[offset_data + 5] = (bytes[offset_byte + 8] >> 1 & (0x7f)) | + ((bytes[offset_byte + 9] & 0x3f) << 7); + data[offset_data + 6] = (bytes[offset_byte + 9] >> 6 & (0x03)) | + ((bytes[offset_byte + 10] & 0xff) << 2) | + ((bytes[offset_byte + 11] & 0x07) << 10); + data[offset_data + 7] = (bytes[offset_byte + 11] >> 3 & (0x1f)) | + ((bytes[offset_byte + 12] & 0xff) << 5); } - - } - void PQCLEAN_FIRESABER_CLEAN_POLVEC2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus) { - if (modulus == 1024) { POLVECp2BS(bytes, data); } else if (modulus == 8192) { @@ -232,11 +246,9 @@ void PQCLEAN_FIRESABER_CLEAN_POLVEC2BS(uint8_t *bytes, uint16_t data[SABER_K][SA } void PQCLEAN_FIRESABER_CLEAN_BS2POLVEC(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus) { - if (modulus == 1024) { BS2POLVECp(bytes, data); } else if (modulus == 8192) { BS2POLVECq(bytes, data); } - } diff --git a/crypto_kem/lightsaber/clean/SABER_indcpa.c b/crypto_kem/lightsaber/clean/SABER_indcpa.c index d5fb7130..20cf1de2 100644 --- a/crypto_kem/lightsaber/clean/SABER_indcpa.c +++ b/crypto_kem/lightsaber/clean/SABER_indcpa.c @@ -45,7 +45,7 @@ static void GenMatrix(polyvec *a, const unsigned char *seed) { void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_keypair(unsigned char *pk, unsigned char *sk) { - polyvec a[SABER_K];// skpv; + polyvec a[SABER_K]; uint16_t skpv[SABER_K][SABER_N]; @@ -58,43 +58,43 @@ void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_keypair(unsigned char *pk, unsigned cha uint16_t res[SABER_K][SABER_N]; randombytes(seed, SABER_SEEDBYTES); - shake128(seed, SABER_SEEDBYTES, seed, SABER_SEEDBYTES); // for not revealing system RNG state + + // for not revealing system RNG state + shake128(seed, SABER_SEEDBYTES, seed, SABER_SEEDBYTES); randombytes(noiseseed, SABER_COINBYTES); GenMatrix(a, seed); //sample matrix A - PQCLEAN_LIGHTSABER_CLEAN_GenSecret(skpv, noiseseed); //generate secret from constant-time binomial distribution - - //------------------------do the matrix vector multiplication and rounding------------ + // generate secret from constant-time binomial distribution + PQCLEAN_LIGHTSABER_CLEAN_GenSecret(skpv, noiseseed); + // do the matrix vector multiplication and rounding for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_N; j++) { res[i][j] = 0; } } - MatrixVectorMul(a, skpv, res, SABER_Q - 1, 1); - //-----now rounding - for (i = 0; i < SABER_K; i++) { //shift right 3 bits + // now rounding + for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_N; j++) { + // shift right 3 bits res[i][j] = (res[i][j] + h1) & (mod_q); res[i][j] = (res[i][j] >> (SABER_EQ - SABER_EP)); } } - //------------------unload and pack sk=3 x (256 coefficients of 14 bits)------- - + // unload and pack sk=3 x (256 coefficients of 14 bits) PQCLEAN_LIGHTSABER_CLEAN_POLVEC2BS(sk, skpv, SABER_Q); - //------------------unload and pack pk=256 bits seed and 3 x (256 coefficients of 11 bits)------- + // unload and pack pk=256 bits seed and 3 x (256 coefficients of 11 bits) + // load the public-key coefficients + PQCLEAN_LIGHTSABER_CLEAN_POLVEC2BS(pk, res, SABER_P); - PQCLEAN_LIGHTSABER_CLEAN_POLVEC2BS(pk, res, SABER_P); // load the public-key coefficients - - - - for (i = 0; i < SABER_SEEDBYTES; i++) { // now load the seedbytes in PK. Easy since seed bytes are kept in byte format. + // now load the seedbytes in PK. Easy since seed bytes are kept in byte format. + for (i = 0; i < SABER_SEEDBYTES; i++) { pk[SABER_POLYVECCOMPRESSEDBYTES + i] = seed[i]; } @@ -103,47 +103,39 @@ void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_keypair(unsigned char *pk, unsigned cha void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_enc(const unsigned char *message_received, unsigned char *noiseseed, const unsigned char *pk, unsigned char *ciphertext) { uint32_t i, j, k; - polyvec a[SABER_K]; // skpv; + polyvec a[SABER_K]; unsigned char seed[SABER_SEEDBYTES]; - uint16_t pkcl[SABER_K][SABER_N]; //public key of received by the client - - - + // public key of received by the client + uint16_t pkcl[SABER_K][SABER_N]; uint16_t skpv1[SABER_K][SABER_N]; - uint16_t message[SABER_KEYBYTES * 8]; - uint16_t res[SABER_K][SABER_N]; uint16_t mod_p = SABER_P - 1; uint16_t mod_q = SABER_Q - 1; - uint16_t vprime[SABER_N]; - - - unsigned char msk_c[SABER_SCALEBYTES_KEM]; - for (i = 0; i < SABER_SEEDBYTES; i++) { // extract the seedbytes from Public Key. + // extract the seedbytes from Public Key. + for (i = 0; i < SABER_SEEDBYTES; i++) { seed[i] = pk[ SABER_POLYVECCOMPRESSEDBYTES + i]; } GenMatrix(a, seed); - PQCLEAN_LIGHTSABER_CLEAN_GenSecret(skpv1, noiseseed); //generate secret from constant-time binomial distribution - - //-----------------matrix-vector multiplication and rounding + // generate secret from constant-time binomial distribution + PQCLEAN_LIGHTSABER_CLEAN_GenSecret(skpv1, noiseseed); + // matrix-vector multiplication and rounding for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_N; j++) { res[i][j] = 0; } } - MatrixVectorMul(a, skpv1, res, SABER_Q - 1, 0); - //-----now rounding - - for (i = 0; i < SABER_K; i++) { //shift right 3 bits + // now rounding + //shift right 3 bits + for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_N; j++) { res[i][j] = ( res[i][j] + h1 ) & mod_q; res[i][j] = (res[i][j] >> (SABER_EQ - SABER_EP) ); @@ -152,21 +144,15 @@ void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_enc(const unsigned char *message_receiv PQCLEAN_LIGHTSABER_CLEAN_POLVEC2BS(ciphertext, res, SABER_P); -//*******************client matrix-vector multiplication ends************************************ + // ************client matrix-vector multiplication ends************ - //------now calculate the v' - - //-------unpack the public_key - - //pkcl is the b in the protocol + // now calculate the v' + // unpack the public_key + // pkcl is the b in the protocol PQCLEAN_LIGHTSABER_CLEAN_BS2POLVEC(pk, pkcl, SABER_P); - - - for (i = 0; i < SABER_N; i++) { vprime[i] = 0; } - for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_N; j++) { skpv1[i][j] = skpv1[i][j] & (mod_p); @@ -176,12 +162,11 @@ void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_enc(const unsigned char *message_receiv // vector-vector scalar multiplication with mod p InnerProd(pkcl, skpv1, mod_p, vprime); - //addition of h1 to vprime + // addition of h1 to vprime for (i = 0; i < SABER_N; i++) { vprime[i] = vprime[i] + h1; } - // unpack message_received; for (j = 0; j < SABER_KEYBYTES; j++) { for (i = 0; i < 8; i++) { @@ -194,9 +179,6 @@ void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_enc(const unsigned char *message_receiv message[i] = (message[i] << (SABER_EP - 1)); } - - - for (k = 0; k < SABER_N; k++) { vprime[k] = ( (vprime[k] - message[k]) & (mod_p) ) >> (SABER_EP - SABER_ET); } @@ -204,7 +186,6 @@ void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_enc(const unsigned char *message_receiv PQCLEAN_LIGHTSABER_CLEAN_pack_3bit(msk_c, vprime); - for (j = 0; j < SABER_SCALEBYTES_KEM; j++) { ciphertext[SABER_POLYVECCOMPRESSEDBYTES + j] = msk_c[j]; } @@ -212,41 +193,31 @@ void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_enc(const unsigned char *message_receiv void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_dec(const unsigned char *sk, const unsigned char *ciphertext, unsigned char message_dec[]) { - uint32_t i, j; - - - uint16_t sksv[SABER_K][SABER_N]; //secret key of the server - - + // secret key of the server + uint16_t sksv[SABER_K][SABER_N]; uint16_t pksv[SABER_K][SABER_N]; - uint8_t scale_ar[SABER_SCALEBYTES_KEM]; - uint16_t mod_p = SABER_P - 1; - uint16_t v[SABER_N]; - uint16_t op[SABER_N]; - - PQCLEAN_LIGHTSABER_CLEAN_BS2POLVEC(sk, sksv, SABER_Q); //sksv is the secret-key - PQCLEAN_LIGHTSABER_CLEAN_BS2POLVEC(ciphertext, pksv, SABER_P); //pksv is the ciphertext + // sksv is the secret-key + PQCLEAN_LIGHTSABER_CLEAN_BS2POLVEC(sk, sksv, SABER_Q); + // pksv is the ciphertext + PQCLEAN_LIGHTSABER_CLEAN_BS2POLVEC(ciphertext, pksv, SABER_P); // vector-vector scalar multiplication with mod p for (i = 0; i < SABER_N; i++) { v[i] = 0; } - for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_N; j++) { sksv[i][j] = sksv[i][j] & (mod_p); } } - InnerProd(pksv, sksv, mod_p, v); - //Extraction for (i = 0; i < SABER_SCALEBYTES_KEM; i++) { scale_ar[i] = ciphertext[SABER_POLYVECCOMPRESSEDBYTES + i]; @@ -254,20 +225,15 @@ void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_dec(const unsigned char *sk, const unsi PQCLEAN_LIGHTSABER_CLEAN_un_pack3bit(scale_ar, op); - //addition of h1 for (i = 0; i < SABER_N; i++) { v[i] = ( ( v[i] + h2 - (op[i] << (SABER_EP - SABER_ET)) ) & (mod_p) ) >> (SABER_EP - 1); } // pack decrypted message - POL2MSG(v, message_dec); - - } static void MatrixVectorMul(polyvec *a, uint16_t skpv[SABER_K][SABER_N], uint16_t res[SABER_K][SABER_N], uint16_t mod, int16_t transpose) { - uint16_t acc[SABER_N]; int32_t i, j, k; @@ -278,32 +244,30 @@ static void MatrixVectorMul(polyvec *a, uint16_t skpv[SABER_K][SABER_N], uint16_ for (k = 0; k < SABER_N; k++) { res[i][k] = res[i][k] + acc[k]; - res[i][k] = (res[i][k] & mod); //reduction mod p - acc[k] = 0; //clear the accumulator + //reduction mod p + res[i][k] = (res[i][k] & mod); + //clear the accumulator + acc[k] = 0; } - } } } else { - for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_K; j++) { PQCLEAN_LIGHTSABER_CLEAN_pol_mul((uint16_t *)&a[i].vec[j], skpv[j], acc, SABER_Q, SABER_N); for (k = 0; k < SABER_N; k++) { res[i][k] = res[i][k] + acc[k]; - res[i][k] = res[i][k] & mod; //reduction - acc[k] = 0; //clear the accumulator + // reduction + res[i][k] = res[i][k] & mod; + // clear the accumulator + acc[k] = 0; } - } } } - - } static void POL2MSG(const uint16_t *message_dec_unpacked, unsigned char *message_dec) { - int32_t i, j; for (j = 0; j < SABER_KEYBYTES; j++) { @@ -312,13 +276,10 @@ static void POL2MSG(const uint16_t *message_dec_unpacked, unsigned char *message message_dec[j] = message_dec[j] | (uint8_t) (message_dec_unpacked[j * 8 + i] << i); } } - } static void InnerProd(uint16_t pkcl[SABER_K][SABER_N], uint16_t skpv[SABER_K][SABER_N], uint16_t mod, uint16_t res[SABER_N]) { - - uint32_t j, k; uint16_t acc[SABER_N]; @@ -328,8 +289,10 @@ static void InnerProd(uint16_t pkcl[SABER_K][SABER_N], uint16_t skpv[SABER_K][SA for (k = 0; k < SABER_N; k++) { res[k] = res[k] + acc[k]; - res[k] = res[k] & mod; //reduction - acc[k] = 0; //clear the accumulator + // reduction + res[k] = res[k] & mod; + // clear the accumulator + acc[k] = 0; } } } diff --git a/crypto_kem/lightsaber/clean/kem.c b/crypto_kem/lightsaber/clean/kem.c index f4a5c5a3..8aad4302 100644 --- a/crypto_kem/lightsaber/clean/kem.c +++ b/crypto_kem/lightsaber/clean/kem.c @@ -10,37 +10,48 @@ int PQCLEAN_LIGHTSABER_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) { int i; - PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_keypair(pk, sk); // sk[0:SABER_INDCPA_SECRETKEYBYTES-1] <-- sk + // sk[0:SABER_INDCPA_SECRETKEYBYTES-1] <-- sk + PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_keypair(pk, sk); + + // sk[SABER_INDCPA_SECRETKEYBYTES:SABER_INDCPA_SECRETKEYBYTES+SABER_INDCPA_SECRETKEYBYTES-1] <-- pk for (i = 0; i < SABER_INDCPA_PUBLICKEYBYTES; i++) { - sk[i + SABER_INDCPA_SECRETKEYBYTES] = pk[i]; // sk[SABER_INDCPA_SECRETKEYBYTES:SABER_INDCPA_SECRETKEYBYTES+SABER_INDCPA_SECRETKEYBYTES-1] <-- pk + sk[i + SABER_INDCPA_SECRETKEYBYTES] = pk[i]; } - sha3_256(sk + SABER_SECRETKEYBYTES - 64, pk, SABER_INDCPA_PUBLICKEYBYTES); // Then hash(pk) is appended. + // Then hash(pk) is appended. + sha3_256(sk + SABER_SECRETKEYBYTES - 64, pk, SABER_INDCPA_PUBLICKEYBYTES); - randombytes(sk + SABER_SECRETKEYBYTES - SABER_KEYBYTES, SABER_KEYBYTES ); // Remaining part of sk contains a pseudo-random number. + // Remaining part of sk contains a pseudo-random number. // This is output when check in crypto_kem_dec() fails. + randombytes(sk + SABER_SECRETKEYBYTES - SABER_KEYBYTES, SABER_KEYBYTES ); return (0); } int PQCLEAN_LIGHTSABER_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) { - - unsigned char kr[64]; // Will contain key, coins + // Will contain key, coins + unsigned char kr[64]; unsigned char buf[64]; randombytes(buf, 32); - sha3_256(buf, buf, 32); // BUF[0:31] <-- random message (will be used as the key for client) Note: hash doesnot release system RNG output + // BUF[0:31] <-- random message (will be used as the key for client) Note: hash doesnot release system RNG output + sha3_256(buf, buf, 32); - sha3_256(buf + 32, pk, SABER_INDCPA_PUBLICKEYBYTES); // BUF[32:63] <-- Hash(public key); Multitarget countermeasure for coins + contributory KEM + // BUF[32:63] <-- Hash(public key); Multitarget countermeasure for coins + contributory KEM + sha3_256(buf + 32, pk, SABER_INDCPA_PUBLICKEYBYTES); + + // kr[0:63] <-- Hash(buf[0:63]); + sha3_512(kr, buf, 64); - sha3_512(kr, buf, 64); // kr[0:63] <-- Hash(buf[0:63]); // K^ <-- kr[0:31] // noiseseed (r) <-- kr[32:63]; - PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_enc(buf, kr + 32, pk, ct); // buf[0:31] contains message; kr[32:63] contains randomness r; + // buf[0:31] contains message; kr[32:63] contains randomness r; + PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_enc(buf, kr + 32, pk, ct); sha3_256(kr + 32, ct, SABER_BYTES_CCA_DEC); - sha3_256(ss, kr, 64); // hash concatenation of pre-k and h(c) to k + // hash concatenation of pre-k and h(c) to k + sha3_256(ss, kr, 64); return (0); } @@ -51,14 +62,18 @@ int PQCLEAN_LIGHTSABER_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned ch unsigned char fail; unsigned char cmp[SABER_BYTES_CCA_DEC]; unsigned char buf[64]; - unsigned char kr[64]; // Will contain key, coins + + // Will contain key, coins + unsigned char kr[64]; const unsigned char *pk = sk + SABER_INDCPA_SECRETKEYBYTES; - PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_dec(sk, ct, buf); // buf[0:31] <-- message + // buf[0:31] <-- message + PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_dec(sk, ct, buf); // Multitarget countermeasure for coins + contributory KEM - for (i = 0; i < 32; i++) { // Save hash by storing h(pk) in sk + // Save hash by storing h(pk) in sk + for (i = 0; i < 32; i++) { buf[32 + i] = sk[SABER_SECRETKEYBYTES - 64 + i]; } @@ -69,11 +84,13 @@ int PQCLEAN_LIGHTSABER_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned ch fail = PQCLEAN_LIGHTSABER_CLEAN_verify(ct, cmp, SABER_BYTES_CCA_DEC); - sha3_256(kr + 32, ct, SABER_BYTES_CCA_DEC); // overwrite coins in kr with h(c) + // overwrite coins in kr with h(c) + sha3_256(kr + 32, ct, SABER_BYTES_CCA_DEC); PQCLEAN_LIGHTSABER_CLEAN_cmov(kr, sk + SABER_SECRETKEYBYTES - SABER_KEYBYTES, SABER_KEYBYTES, fail); - sha3_256(ss, kr, 64); // hash concatenation of pre-k and h(c) to k + // hash concatenation of pre-k and h(c) to k + sha3_256(ss, kr, 64); return (0); } diff --git a/crypto_kem/lightsaber/clean/pack_unpack.c b/crypto_kem/lightsaber/clean/pack_unpack.c index c93e3f22..4b1c409f 100644 --- a/crypto_kem/lightsaber/clean/pack_unpack.c +++ b/crypto_kem/lightsaber/clean/pack_unpack.c @@ -1,21 +1,26 @@ #include "pack_unpack.h" void PQCLEAN_LIGHTSABER_CLEAN_pack_3bit(uint8_t *bytes, const uint16_t *data) { - uint32_t j; uint32_t offset_data, offset_byte; for (j = 0; j < SABER_N / 8; j++) { offset_byte = 3 * j; offset_data = 8 * j; - bytes[offset_byte + 0] = (data[offset_data + 0] & 0x7) | ( (data[offset_data + 1] & 0x7) << 3 ) | ((data[offset_data + 2] & 0x3) << 6); - bytes[offset_byte + 1] = ((data[offset_data + 2] >> 2 ) & 0x01) | ( (data[offset_data + 3] & 0x7) << 1 ) | ( (data[offset_data + 4] & 0x7) << 4 ) | (((data[offset_data + 5]) & 0x01) << 7); - bytes[offset_byte + 2] = ((data[offset_data + 5] >> 1 ) & 0x03) | ( (data[offset_data + 6] & 0x7) << 2 ) | ( (data[offset_data + 7] & 0x7) << 5 ); + bytes[offset_byte + 0] = (data[offset_data + 0] & 0x7) | + ((data[offset_data + 1] & 0x7) << 3) | + ((data[offset_data + 2] & 0x3) << 6); + bytes[offset_byte + 1] = ((data[offset_data + 2] >> 2 ) & 0x01) | + ((data[offset_data + 3] & 0x7) << 1) | + ((data[offset_data + 4] & 0x7) << 4) | + (((data[offset_data + 5]) & 0x01) << 7); + bytes[offset_byte + 2] = ((data[offset_data + 5] >> 1 ) & 0x03) | + ((data[offset_data + 6] & 0x7) << 2) | + ((data[offset_data + 7] & 0x7) << 5); } } void PQCLEAN_LIGHTSABER_CLEAN_un_pack3bit(const uint8_t *bytes, uint16_t *data) { - uint32_t j; uint32_t offset_data, offset_byte; @@ -23,30 +28,30 @@ void PQCLEAN_LIGHTSABER_CLEAN_un_pack3bit(const uint8_t *bytes, uint16_t *data) offset_byte = 3 * j; offset_data = 8 * j; data[offset_data + 0] = (bytes[offset_byte + 0]) & 0x07; - data[offset_data + 1] = ( (bytes[offset_byte + 0]) >> 3 ) & 0x07; - data[offset_data + 2] = ( ( (bytes[offset_byte + 0]) >> 6 ) & 0x03) | ( ( (bytes[offset_byte + 1]) & 0x01) << 2 ); - data[offset_data + 3] = ( (bytes[offset_byte + 1]) >> 1 ) & 0x07; - data[offset_data + 4] = ( (bytes[offset_byte + 1]) >> 4 ) & 0x07; - data[offset_data + 5] = ( ( (bytes[offset_byte + 1]) >> 7 ) & 0x01) | ( ( (bytes[offset_byte + 2]) & 0x03) << 1 ); - data[offset_data + 6] = ( (bytes[offset_byte + 2] >> 2) & 0x07 ); - data[offset_data + 7] = ( (bytes[offset_byte + 2] >> 5) & 0x07 ); + data[offset_data + 1] = ((bytes[offset_byte + 0]) >> 3 ) & 0x07; + data[offset_data + 2] = (((bytes[offset_byte + 0]) >> 6 ) & 0x03) | + (((bytes[offset_byte + 1]) & 0x01) << 2); + data[offset_data + 3] = ((bytes[offset_byte + 1]) >> 1 ) & 0x07; + data[offset_data + 4] = ((bytes[offset_byte + 1]) >> 4 ) & 0x07; + data[offset_data + 5] = (((bytes[offset_byte + 1]) >> 7 ) & 0x01) | + (((bytes[offset_byte + 2]) & 0x03) << 1); + data[offset_data + 6] = ((bytes[offset_byte + 2] >> 2) & 0x07); + data[offset_data + 7] = ((bytes[offset_byte + 2] >> 5) & 0x07); } - } void PQCLEAN_LIGHTSABER_CLEAN_pack_4bit(uint8_t *bytes, const uint16_t *data) { - uint32_t j; uint32_t offset_data; for (j = 0; j < SABER_N / 2; j++) { offset_data = 2 * j; - bytes[j] = (data[offset_data] & 0x0f) | ( (data[offset_data + 1] & 0x0f) << 4 ); + bytes[j] = (data[offset_data] & 0x0f) | + ((data[offset_data + 1] & 0x0f) << 4); } } void PQCLEAN_LIGHTSABER_CLEAN_un_pack4bit(const unsigned char *bytes, uint16_t *ar) { - uint32_t j; uint32_t offset_data; @@ -64,9 +69,12 @@ void PQCLEAN_LIGHTSABER_CLEAN_pack_6bit(uint8_t *bytes, const uint16_t *data) { for (j = 0; j < SABER_N / 4; j++) { offset_byte = 3 * j; offset_data = 4 * j; - bytes[offset_byte + 0] = (data[offset_data + 0] & 0x3f) | ((data[offset_data + 1] & 0x03) << 6); - bytes[offset_byte + 1] = ((data[offset_data + 1] >> 2) & 0x0f) | ((data[offset_data + 2] & 0x0f) << 4); - bytes[offset_byte + 2] = ((data[offset_data + 2] >> 4) & 0x03) | ((data[offset_data + 3] & 0x3f) << 2); + bytes[offset_byte + 0] = (data[offset_data + 0] & 0x3f) | + ((data[offset_data + 1] & 0x03) << 6); + bytes[offset_byte + 1] = ((data[offset_data + 1] >> 2) & 0x0f) | + ((data[offset_data + 2] & 0x0f) << 4); + bytes[offset_byte + 2] = ((data[offset_data + 2] >> 4) & 0x03) | + ((data[offset_data + 3] & 0x3f) << 2); } } @@ -79,11 +87,12 @@ void PQCLEAN_LIGHTSABER_CLEAN_un_pack6bit(const unsigned char *bytes, uint16_t * offset_byte = 3 * j; offset_data = 4 * j; data[offset_data + 0] = bytes[offset_byte + 0] & 0x3f; - data[offset_data + 1] = ((bytes[offset_byte + 0] >> 6) & 0x03) | ((bytes[offset_byte + 1] & 0x0f) << 2) ; - data[offset_data + 2] = ((bytes[offset_byte + 1] & 0xff) >> 4) | ((bytes[offset_byte + 2] & 0x03) << 4) ; + data[offset_data + 1] = ((bytes[offset_byte + 0] >> 6) & 0x03) | + ((bytes[offset_byte + 1] & 0x0f) << 2); + data[offset_data + 2] = ((bytes[offset_byte + 1] & 0xff) >> 4) | + ((bytes[offset_byte + 2] & 0x03) << 4); data[offset_data + 3] = ((bytes[offset_byte + 2] & 0xff) >> 2); } - } @@ -96,23 +105,19 @@ static void POLVECp2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N]) { for (j = 0; j < SABER_N / 4; j++) { offset_byte = offset_byte1 + 5 * j; offset_data = 4 * j; - bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff)); - - bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x03 ) | ((data[i][ offset_data + 1 ] & 0x3f) << 2); - - bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 6) & 0x0f ) | ( (data[i][ offset_data + 2 ] & 0x0f) << 4); - - bytes[offset_byte + 3] = ( (data[i][ offset_data + 2 ] >> 4) & 0x3f ) | ((data[i][ offset_data + 3 ] & 0x03) << 6); - - bytes[offset_byte + 4] = ( (data[i][ offset_data + 3 ] >> 2) & 0xff ); + bytes[offset_byte + 0] = (data[i][offset_data + 0] & (0xff)); + bytes[offset_byte + 1] = ((data[i][offset_data + 0] >> 8) & 0x03) | + ((data[i][offset_data + 1] & 0x3f) << 2); + bytes[offset_byte + 2] = ((data[i][offset_data + 1] >> 6) & 0x0f) | + ((data[i][offset_data + 2] & 0x0f) << 4); + bytes[offset_byte + 3] = ((data[i][offset_data + 2] >> 4) & 0x3f) | + ((data[i][offset_data + 3] & 0x03) << 6); + bytes[offset_byte + 4] = ((data[i][offset_data + 3] >> 2) & 0xff); } } - - } static void BS2POLVECp(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N]) { - uint32_t i, j; uint32_t offset_data, offset_byte, offset_byte1; @@ -121,21 +126,21 @@ static void BS2POLVECp(const unsigned char *bytes, uint16_t data[SABER_K][SABER_ for (j = 0; j < SABER_N / 4; j++) { offset_byte = offset_byte1 + 5 * j; offset_data = 4 * j; - data[i][offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[ offset_byte + 1 ] & 0x03) << 8); - data[i][offset_data + 1] = ( (bytes[ offset_byte + 1 ] >> 2) & (0x3f)) | ((bytes[ offset_byte + 2 ] & 0x0f) << 6); - data[i][offset_data + 2] = ( (bytes[ offset_byte + 2 ] >> 4) & (0x0f)) | ((bytes[ offset_byte + 3 ] & 0x3f) << 4); - data[i][offset_data + 3] = ( (bytes[ offset_byte + 3 ] >> 6) & (0x03)) | ((bytes[ offset_byte + 4 ] & 0xff) << 2); - + data[i][offset_data + 0] = (bytes[offset_byte + 0] & (0xff)) | + ((bytes[offset_byte + 1] & 0x03) << 8); + data[i][offset_data + 1] = ((bytes[offset_byte + 1] >> 2) & (0x3f)) | + ((bytes[offset_byte + 2] & 0x0f) << 6); + data[i][offset_data + 2] = ((bytes[offset_byte + 2] >> 4) & (0x0f)) | + ((bytes[offset_byte + 3] & 0x3f) << 4); + data[i][offset_data + 3] = ((bytes[offset_byte + 3] >> 6) & (0x03)) | + ((bytes[offset_byte + 4] & 0xff) << 2); } } - - } static void POLVECq2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N]) { - uint32_t i, j; uint32_t offset_data, offset_byte, offset_byte1; @@ -144,40 +149,31 @@ static void POLVECq2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N]) { for (j = 0; j < SABER_N / 8; j++) { offset_byte = offset_byte1 + 13 * j; offset_data = 8 * j; - bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff)); - - bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x1f ) | ((data[i][ offset_data + 1 ] & 0x07) << 5); - - bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 3) & 0xff ); - - bytes[offset_byte + 3] = ( (data[i][ offset_data + 1 ] >> 11) & 0x03 ) | ((data[i][ offset_data + 2 ] & 0x3f) << 2); - - bytes[offset_byte + 4] = ( (data[i][ offset_data + 2 ] >> 6) & 0x7f ) | ( (data[i][ offset_data + 3 ] & 0x01) << 7 ); - - bytes[offset_byte + 5] = ( (data[i][ offset_data + 3 ] >> 1) & 0xff ); - - bytes[offset_byte + 6] = ( (data[i][ offset_data + 3 ] >> 9) & 0x0f ) | ( (data[i][ offset_data + 4 ] & 0x0f) << 4 ); - - bytes[offset_byte + 7] = ( (data[i][ offset_data + 4] >> 4) & 0xff ); - - bytes[offset_byte + 8] = ( (data[i][ offset_data + 4 ] >> 12) & 0x01 ) | ( (data[i][ offset_data + 5 ] & 0x7f) << 1 ); - - bytes[offset_byte + 9] = ( (data[i][ offset_data + 5 ] >> 7) & 0x3f ) | ( (data[i][ offset_data + 6 ] & 0x03) << 6 ); - - bytes[offset_byte + 10] = ( (data[i][ offset_data + 6 ] >> 2) & 0xff ); - - bytes[offset_byte + 11] = ( (data[i][ offset_data + 6 ] >> 10) & 0x07 ) | ( (data[i][ offset_data + 7 ] & 0x1f) << 3 ); - - bytes[offset_byte + 12] = ( (data[i][ offset_data + 7 ] >> 5) & 0xff ); - + bytes[offset_byte + 0] = (data[i][offset_data + 0] & (0xff)); + bytes[offset_byte + 1] = ((data[i][offset_data + 0] >> 8) & 0x1f) | + ((data[i][offset_data + 1] & 0x07) << 5); + bytes[offset_byte + 2] = ((data[i][offset_data + 1] >> 3) & 0xff); + bytes[offset_byte + 3] = ((data[i][offset_data + 1] >> 11) & 0x03) | + ((data[i][offset_data + 2] & 0x3f) << 2); + bytes[offset_byte + 4] = ((data[i][offset_data + 2] >> 6) & 0x7f) | + ((data[i][offset_data + 3] & 0x01) << 7); + bytes[offset_byte + 5] = ((data[i][offset_data + 3] >> 1) & 0xff); + bytes[offset_byte + 6] = ((data[i][offset_data + 3] >> 9) & 0x0f) | + ((data[i][offset_data + 4] & 0x0f) << 4); + bytes[offset_byte + 7] = ((data[i][offset_data + 4] >> 4) & 0xff); + bytes[offset_byte + 8] = ((data[i][offset_data + 4] >> 12) & 0x01) | + ((data[i][offset_data + 5] & 0x7f) << 1); + bytes[offset_byte + 9] = ((data[i][offset_data + 5] >> 7) & 0x3f) | + ((data[i][offset_data + 6] & 0x03) << 6); + bytes[offset_byte + 10] = ((data[i][offset_data + 6] >> 2) & 0xff); + bytes[offset_byte + 11] = ((data[i][offset_data + 6] >> 10) & 0x07) | + ((data[i][offset_data + 7] & 0x1f) << 3); + bytes[offset_byte + 12] = ((data[i][offset_data + 7] >> 5) & 0xff); } } - - } static void BS2POLVECq(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N]) { - uint32_t i, j; uint32_t offset_data, offset_byte, offset_byte1; @@ -186,44 +182,62 @@ static void BS2POLVECq(const unsigned char *bytes, uint16_t data[SABER_K][SABER_ for (j = 0; j < SABER_N / 8; j++) { offset_byte = offset_byte1 + 13 * j; offset_data = 8 * j; - data[i][offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[offset_byte + 1] & 0x1f) << 8); - data[i][offset_data + 1] = ( bytes[ offset_byte + 1 ] >> 5 & (0x07)) | ((bytes[offset_byte + 2] & 0xff) << 3) | ((bytes[offset_byte + 3] & 0x03) << 11); - data[i][offset_data + 2] = ( bytes[ offset_byte + 3 ] >> 2 & (0x3f)) | ((bytes[offset_byte + 4] & 0x7f) << 6); - data[i][offset_data + 3] = ( bytes[ offset_byte + 4 ] >> 7 & (0x01)) | ((bytes[offset_byte + 5] & 0xff) << 1) | ((bytes[offset_byte + 6] & 0x0f) << 9); - data[i][offset_data + 4] = ( bytes[ offset_byte + 6 ] >> 4 & (0x0f)) | ((bytes[offset_byte + 7] & 0xff) << 4) | ((bytes[offset_byte + 8] & 0x01) << 12); - data[i][offset_data + 5] = ( bytes[ offset_byte + 8] >> 1 & (0x7f)) | ((bytes[offset_byte + 9] & 0x3f) << 7); - data[i][offset_data + 6] = ( bytes[ offset_byte + 9] >> 6 & (0x03)) | ((bytes[offset_byte + 10] & 0xff) << 2) | ((bytes[offset_byte + 11] & 0x07) << 10); - data[i][offset_data + 7] = ( bytes[ offset_byte + 11] >> 3 & (0x1f)) | ((bytes[offset_byte + 12] & 0xff) << 5); + data[i][offset_data + 0] = (bytes[offset_byte + 0] & (0xff)) | + ((bytes[offset_byte + 1] & 0x1f) << 8); + data[i][offset_data + 1] = (bytes[offset_byte + 1] >> 5 & (0x07)) | + ((bytes[offset_byte + 2] & 0xff) << 3) | + ((bytes[offset_byte + 3] & 0x03) << 11); + data[i][offset_data + 2] = (bytes[offset_byte + 3] >> 2 & (0x3f)) | + ((bytes[offset_byte + 4] & 0x7f) << 6); + data[i][offset_data + 3] = (bytes[offset_byte + 4] >> 7 & (0x01)) | + ((bytes[offset_byte + 5] & 0xff) << 1) | + ((bytes[offset_byte + 6] & 0x0f) << 9); + data[i][offset_data + 4] = (bytes[offset_byte + 6] >> 4 & (0x0f)) | + ((bytes[offset_byte + 7] & 0xff) << 4) | + ((bytes[offset_byte + 8] & 0x01) << 12); + data[i][offset_data + 5] = (bytes[offset_byte + 8] >> 1 & (0x7f)) | + ((bytes[offset_byte + 9] & 0x3f) << 7); + data[i][offset_data + 6] = (bytes[offset_byte + 9] >> 6 & (0x03)) | + ((bytes[offset_byte + 10] & 0xff) << 2) | + ((bytes[offset_byte + 11] & 0x07) << 10); + data[i][offset_data + 7] = (bytes[offset_byte + 11] >> 3 & (0x1f)) | + ((bytes[offset_byte + 12] & 0xff) << 5); } } - - } -void PQCLEAN_LIGHTSABER_CLEAN_BS2POL(const unsigned char *bytes, uint16_t data[SABER_N]) { //only BS2POLq no BS2POLp - +//only BS2POLq no BS2POLp +void PQCLEAN_LIGHTSABER_CLEAN_BS2POL(const unsigned char *bytes, uint16_t data[SABER_N]) { uint32_t j; uint32_t offset_data, offset_byte; for (j = 0; j < SABER_N / 8; j++) { offset_byte = 13 * j; offset_data = 8 * j; - data[offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[offset_byte + 1] & 0x1f) << 8); - data[offset_data + 1] = ( bytes[ offset_byte + 1 ] >> 5 & (0x07)) | ((bytes[offset_byte + 2] & 0xff) << 3) | ((bytes[offset_byte + 3] & 0x03) << 11); - data[offset_data + 2] = ( bytes[ offset_byte + 3 ] >> 2 & (0x3f)) | ((bytes[offset_byte + 4] & 0x7f) << 6); - data[offset_data + 3] = ( bytes[ offset_byte + 4 ] >> 7 & (0x01)) | ((bytes[offset_byte + 5] & 0xff) << 1) | ((bytes[offset_byte + 6] & 0x0f) << 9); - data[offset_data + 4] = ( bytes[ offset_byte + 6 ] >> 4 & (0x0f)) | ((bytes[offset_byte + 7] & 0xff) << 4) | ((bytes[offset_byte + 8] & 0x01) << 12); - data[offset_data + 5] = ( bytes[ offset_byte + 8] >> 1 & (0x7f)) | ((bytes[offset_byte + 9] & 0x3f) << 7); - data[offset_data + 6] = ( bytes[ offset_byte + 9] >> 6 & (0x03)) | ((bytes[offset_byte + 10] & 0xff) << 2) | ((bytes[offset_byte + 11] & 0x07) << 10); - data[offset_data + 7] = ( bytes[ offset_byte + 11] >> 3 & (0x1f)) | ((bytes[offset_byte + 12] & 0xff) << 5); + data[offset_data + 0] = (bytes[offset_byte + 0] & (0xff)) | + ((bytes[offset_byte + 1] & 0x1f) << 8); + data[offset_data + 1] = (bytes[offset_byte + 1] >> 5 & (0x07)) | + ((bytes[offset_byte + 2] & 0xff) << 3) | + ((bytes[offset_byte + 3] & 0x03) << 11); + data[offset_data + 2] = (bytes[offset_byte + 3] >> 2 & (0x3f)) | + ((bytes[offset_byte + 4] & 0x7f) << 6); + data[offset_data + 3] = (bytes[offset_byte + 4] >> 7 & (0x01)) | + ((bytes[offset_byte + 5] & 0xff) << 1) | + ((bytes[offset_byte + 6] & 0x0f) << 9); + data[offset_data + 4] = (bytes[offset_byte + 6] >> 4 & (0x0f)) | + ((bytes[offset_byte + 7] & 0xff) << 4) | + ((bytes[offset_byte + 8] & 0x01) << 12); + data[offset_data + 5] = (bytes[offset_byte + 8] >> 1 & (0x7f)) | + ((bytes[offset_byte + 9] & 0x3f) << 7); + data[offset_data + 6] = (bytes[offset_byte + 9] >> 6 & (0x03)) | + ((bytes[offset_byte + 10] & 0xff) << 2) | + ((bytes[offset_byte + 11] & 0x07) << 10); + data[offset_data + 7] = (bytes[offset_byte + 11] >> 3 & (0x1f)) | + ((bytes[offset_byte + 12] & 0xff) << 5); } - - } - void PQCLEAN_LIGHTSABER_CLEAN_POLVEC2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus) { - if (modulus == 1024) { POLVECp2BS(bytes, data); } else if (modulus == 8192) { @@ -232,11 +246,9 @@ void PQCLEAN_LIGHTSABER_CLEAN_POLVEC2BS(uint8_t *bytes, uint16_t data[SABER_K][S } void PQCLEAN_LIGHTSABER_CLEAN_BS2POLVEC(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus) { - if (modulus == 1024) { BS2POLVECp(bytes, data); } else if (modulus == 8192) { BS2POLVECq(bytes, data); } - } diff --git a/crypto_kem/saber/clean/SABER_indcpa.c b/crypto_kem/saber/clean/SABER_indcpa.c index c5f113a7..d381194c 100644 --- a/crypto_kem/saber/clean/SABER_indcpa.c +++ b/crypto_kem/saber/clean/SABER_indcpa.c @@ -45,7 +45,7 @@ static void GenMatrix(polyvec *a, const unsigned char *seed) { void PQCLEAN_SABER_CLEAN_indcpa_kem_keypair(unsigned char *pk, unsigned char *sk) { - polyvec a[SABER_K];// skpv; + polyvec a[SABER_K]; uint16_t skpv[SABER_K][SABER_N]; @@ -58,43 +58,43 @@ void PQCLEAN_SABER_CLEAN_indcpa_kem_keypair(unsigned char *pk, unsigned char *sk uint16_t res[SABER_K][SABER_N]; randombytes(seed, SABER_SEEDBYTES); - shake128(seed, SABER_SEEDBYTES, seed, SABER_SEEDBYTES); // for not revealing system RNG state + + // for not revealing system RNG state + shake128(seed, SABER_SEEDBYTES, seed, SABER_SEEDBYTES); randombytes(noiseseed, SABER_COINBYTES); GenMatrix(a, seed); //sample matrix A - PQCLEAN_SABER_CLEAN_GenSecret(skpv, noiseseed); //generate secret from constant-time binomial distribution - - //------------------------do the matrix vector multiplication and rounding------------ + // generate secret from constant-time binomial distribution + PQCLEAN_SABER_CLEAN_GenSecret(skpv, noiseseed); + // do the matrix vector multiplication and rounding for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_N; j++) { res[i][j] = 0; } } - MatrixVectorMul(a, skpv, res, SABER_Q - 1, 1); - //-----now rounding - for (i = 0; i < SABER_K; i++) { //shift right 3 bits + // now rounding + for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_N; j++) { + // shift right 3 bits res[i][j] = (res[i][j] + h1) & (mod_q); res[i][j] = (res[i][j] >> (SABER_EQ - SABER_EP)); } } - //------------------unload and pack sk=3 x (256 coefficients of 14 bits)------- - + // unload and pack sk=3 x (256 coefficients of 14 bits) PQCLEAN_SABER_CLEAN_POLVEC2BS(sk, skpv, SABER_Q); - //------------------unload and pack pk=256 bits seed and 3 x (256 coefficients of 11 bits)------- + // unload and pack pk=256 bits seed and 3 x (256 coefficients of 11 bits) + // load the public-key coefficients + PQCLEAN_SABER_CLEAN_POLVEC2BS(pk, res, SABER_P); - PQCLEAN_SABER_CLEAN_POLVEC2BS(pk, res, SABER_P); // load the public-key coefficients - - - - for (i = 0; i < SABER_SEEDBYTES; i++) { // now load the seedbytes in PK. Easy since seed bytes are kept in byte format. + // now load the seedbytes in PK. Easy since seed bytes are kept in byte format. + for (i = 0; i < SABER_SEEDBYTES; i++) { pk[SABER_POLYVECCOMPRESSEDBYTES + i] = seed[i]; } @@ -103,47 +103,39 @@ void PQCLEAN_SABER_CLEAN_indcpa_kem_keypair(unsigned char *pk, unsigned char *sk void PQCLEAN_SABER_CLEAN_indcpa_kem_enc(const unsigned char *message_received, unsigned char *noiseseed, const unsigned char *pk, unsigned char *ciphertext) { uint32_t i, j, k; - polyvec a[SABER_K]; // skpv; + polyvec a[SABER_K]; unsigned char seed[SABER_SEEDBYTES]; - uint16_t pkcl[SABER_K][SABER_N]; //public key of received by the client - - - + // public key of received by the client + uint16_t pkcl[SABER_K][SABER_N]; uint16_t skpv1[SABER_K][SABER_N]; - uint16_t message[SABER_KEYBYTES * 8]; - uint16_t res[SABER_K][SABER_N]; uint16_t mod_p = SABER_P - 1; uint16_t mod_q = SABER_Q - 1; - uint16_t vprime[SABER_N]; - - - unsigned char msk_c[SABER_SCALEBYTES_KEM]; - for (i = 0; i < SABER_SEEDBYTES; i++) { // extract the seedbytes from Public Key. + // extract the seedbytes from Public Key. + for (i = 0; i < SABER_SEEDBYTES; i++) { seed[i] = pk[ SABER_POLYVECCOMPRESSEDBYTES + i]; } GenMatrix(a, seed); - PQCLEAN_SABER_CLEAN_GenSecret(skpv1, noiseseed); //generate secret from constant-time binomial distribution - - //-----------------matrix-vector multiplication and rounding + // generate secret from constant-time binomial distribution + PQCLEAN_SABER_CLEAN_GenSecret(skpv1, noiseseed); + // matrix-vector multiplication and rounding for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_N; j++) { res[i][j] = 0; } } - MatrixVectorMul(a, skpv1, res, SABER_Q - 1, 0); - //-----now rounding - - for (i = 0; i < SABER_K; i++) { //shift right 3 bits + // now rounding + //shift right 3 bits + for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_N; j++) { res[i][j] = ( res[i][j] + h1 ) & mod_q; res[i][j] = (res[i][j] >> (SABER_EQ - SABER_EP) ); @@ -152,21 +144,15 @@ void PQCLEAN_SABER_CLEAN_indcpa_kem_enc(const unsigned char *message_received, u PQCLEAN_SABER_CLEAN_POLVEC2BS(ciphertext, res, SABER_P); -//*******************client matrix-vector multiplication ends************************************ + // ************client matrix-vector multiplication ends************ - //------now calculate the v' - - //-------unpack the public_key - - //pkcl is the b in the protocol + // now calculate the v' + // unpack the public_key + // pkcl is the b in the protocol PQCLEAN_SABER_CLEAN_BS2POLVEC(pk, pkcl, SABER_P); - - - for (i = 0; i < SABER_N; i++) { vprime[i] = 0; } - for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_N; j++) { skpv1[i][j] = skpv1[i][j] & (mod_p); @@ -176,12 +162,11 @@ void PQCLEAN_SABER_CLEAN_indcpa_kem_enc(const unsigned char *message_received, u // vector-vector scalar multiplication with mod p InnerProd(pkcl, skpv1, mod_p, vprime); - //addition of h1 to vprime + // addition of h1 to vprime for (i = 0; i < SABER_N; i++) { vprime[i] = vprime[i] + h1; } - // unpack message_received; for (j = 0; j < SABER_KEYBYTES; j++) { for (i = 0; i < 8; i++) { @@ -194,9 +179,6 @@ void PQCLEAN_SABER_CLEAN_indcpa_kem_enc(const unsigned char *message_received, u message[i] = (message[i] << (SABER_EP - 1)); } - - - for (k = 0; k < SABER_N; k++) { vprime[k] = ( (vprime[k] - message[k]) & (mod_p) ) >> (SABER_EP - SABER_ET); } @@ -204,7 +186,6 @@ void PQCLEAN_SABER_CLEAN_indcpa_kem_enc(const unsigned char *message_received, u PQCLEAN_SABER_CLEAN_pack_4bit(msk_c, vprime); - for (j = 0; j < SABER_SCALEBYTES_KEM; j++) { ciphertext[SABER_POLYVECCOMPRESSEDBYTES + j] = msk_c[j]; } @@ -212,41 +193,31 @@ void PQCLEAN_SABER_CLEAN_indcpa_kem_enc(const unsigned char *message_received, u void PQCLEAN_SABER_CLEAN_indcpa_kem_dec(const unsigned char *sk, const unsigned char *ciphertext, unsigned char message_dec[]) { - uint32_t i, j; - - - uint16_t sksv[SABER_K][SABER_N]; //secret key of the server - - + // secret key of the server + uint16_t sksv[SABER_K][SABER_N]; uint16_t pksv[SABER_K][SABER_N]; - uint8_t scale_ar[SABER_SCALEBYTES_KEM]; - uint16_t mod_p = SABER_P - 1; - uint16_t v[SABER_N]; - uint16_t op[SABER_N]; - - PQCLEAN_SABER_CLEAN_BS2POLVEC(sk, sksv, SABER_Q); //sksv is the secret-key - PQCLEAN_SABER_CLEAN_BS2POLVEC(ciphertext, pksv, SABER_P); //pksv is the ciphertext + // sksv is the secret-key + PQCLEAN_SABER_CLEAN_BS2POLVEC(sk, sksv, SABER_Q); + // pksv is the ciphertext + PQCLEAN_SABER_CLEAN_BS2POLVEC(ciphertext, pksv, SABER_P); // vector-vector scalar multiplication with mod p for (i = 0; i < SABER_N; i++) { v[i] = 0; } - for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_N; j++) { sksv[i][j] = sksv[i][j] & (mod_p); } } - InnerProd(pksv, sksv, mod_p, v); - //Extraction for (i = 0; i < SABER_SCALEBYTES_KEM; i++) { scale_ar[i] = ciphertext[SABER_POLYVECCOMPRESSEDBYTES + i]; @@ -254,20 +225,15 @@ void PQCLEAN_SABER_CLEAN_indcpa_kem_dec(const unsigned char *sk, const unsigned PQCLEAN_SABER_CLEAN_un_pack4bit(scale_ar, op); - //addition of h1 for (i = 0; i < SABER_N; i++) { v[i] = ( ( v[i] + h2 - (op[i] << (SABER_EP - SABER_ET)) ) & (mod_p) ) >> (SABER_EP - 1); } // pack decrypted message - POL2MSG(v, message_dec); - - } static void MatrixVectorMul(polyvec *a, uint16_t skpv[SABER_K][SABER_N], uint16_t res[SABER_K][SABER_N], uint16_t mod, int16_t transpose) { - uint16_t acc[SABER_N]; int32_t i, j, k; @@ -278,32 +244,30 @@ static void MatrixVectorMul(polyvec *a, uint16_t skpv[SABER_K][SABER_N], uint16_ for (k = 0; k < SABER_N; k++) { res[i][k] = res[i][k] + acc[k]; - res[i][k] = (res[i][k] & mod); //reduction mod p - acc[k] = 0; //clear the accumulator + //reduction mod p + res[i][k] = (res[i][k] & mod); + //clear the accumulator + acc[k] = 0; } - } } } else { - for (i = 0; i < SABER_K; i++) { for (j = 0; j < SABER_K; j++) { PQCLEAN_SABER_CLEAN_pol_mul((uint16_t *)&a[i].vec[j], skpv[j], acc, SABER_Q, SABER_N); for (k = 0; k < SABER_N; k++) { res[i][k] = res[i][k] + acc[k]; - res[i][k] = res[i][k] & mod; //reduction - acc[k] = 0; //clear the accumulator + // reduction + res[i][k] = res[i][k] & mod; + // clear the accumulator + acc[k] = 0; } - } } } - - } static void POL2MSG(const uint16_t *message_dec_unpacked, unsigned char *message_dec) { - int32_t i, j; for (j = 0; j < SABER_KEYBYTES; j++) { @@ -312,13 +276,10 @@ static void POL2MSG(const uint16_t *message_dec_unpacked, unsigned char *message message_dec[j] = message_dec[j] | (uint8_t) (message_dec_unpacked[j * 8 + i] << i); } } - } static void InnerProd(uint16_t pkcl[SABER_K][SABER_N], uint16_t skpv[SABER_K][SABER_N], uint16_t mod, uint16_t res[SABER_N]) { - - uint32_t j, k; uint16_t acc[SABER_N]; @@ -328,8 +289,10 @@ static void InnerProd(uint16_t pkcl[SABER_K][SABER_N], uint16_t skpv[SABER_K][SA for (k = 0; k < SABER_N; k++) { res[k] = res[k] + acc[k]; - res[k] = res[k] & mod; //reduction - acc[k] = 0; //clear the accumulator + // reduction + res[k] = res[k] & mod; + // clear the accumulator + acc[k] = 0; } } } diff --git a/crypto_kem/saber/clean/kem.c b/crypto_kem/saber/clean/kem.c index 05ffde7c..9e5b01f4 100644 --- a/crypto_kem/saber/clean/kem.c +++ b/crypto_kem/saber/clean/kem.c @@ -10,37 +10,48 @@ int PQCLEAN_SABER_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) { int i; - PQCLEAN_SABER_CLEAN_indcpa_kem_keypair(pk, sk); // sk[0:SABER_INDCPA_SECRETKEYBYTES-1] <-- sk + // sk[0:SABER_INDCPA_SECRETKEYBYTES-1] <-- sk + PQCLEAN_SABER_CLEAN_indcpa_kem_keypair(pk, sk); + + // sk[SABER_INDCPA_SECRETKEYBYTES:SABER_INDCPA_SECRETKEYBYTES+SABER_INDCPA_SECRETKEYBYTES-1] <-- pk for (i = 0; i < SABER_INDCPA_PUBLICKEYBYTES; i++) { - sk[i + SABER_INDCPA_SECRETKEYBYTES] = pk[i]; // sk[SABER_INDCPA_SECRETKEYBYTES:SABER_INDCPA_SECRETKEYBYTES+SABER_INDCPA_SECRETKEYBYTES-1] <-- pk + sk[i + SABER_INDCPA_SECRETKEYBYTES] = pk[i]; } - sha3_256(sk + SABER_SECRETKEYBYTES - 64, pk, SABER_INDCPA_PUBLICKEYBYTES); // Then hash(pk) is appended. + // Then hash(pk) is appended. + sha3_256(sk + SABER_SECRETKEYBYTES - 64, pk, SABER_INDCPA_PUBLICKEYBYTES); - randombytes(sk + SABER_SECRETKEYBYTES - SABER_KEYBYTES, SABER_KEYBYTES ); // Remaining part of sk contains a pseudo-random number. + // Remaining part of sk contains a pseudo-random number. // This is output when check in crypto_kem_dec() fails. + randombytes(sk + SABER_SECRETKEYBYTES - SABER_KEYBYTES, SABER_KEYBYTES ); return (0); } int PQCLEAN_SABER_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) { - - unsigned char kr[64]; // Will contain key, coins + // Will contain key, coins + unsigned char kr[64]; unsigned char buf[64]; randombytes(buf, 32); - sha3_256(buf, buf, 32); // BUF[0:31] <-- random message (will be used as the key for client) Note: hash doesnot release system RNG output + // BUF[0:31] <-- random message (will be used as the key for client) Note: hash doesnot release system RNG output + sha3_256(buf, buf, 32); - sha3_256(buf + 32, pk, SABER_INDCPA_PUBLICKEYBYTES); // BUF[32:63] <-- Hash(public key); Multitarget countermeasure for coins + contributory KEM + // BUF[32:63] <-- Hash(public key); Multitarget countermeasure for coins + contributory KEM + sha3_256(buf + 32, pk, SABER_INDCPA_PUBLICKEYBYTES); + + // kr[0:63] <-- Hash(buf[0:63]); + sha3_512(kr, buf, 64); - sha3_512(kr, buf, 64); // kr[0:63] <-- Hash(buf[0:63]); // K^ <-- kr[0:31] // noiseseed (r) <-- kr[32:63]; - PQCLEAN_SABER_CLEAN_indcpa_kem_enc(buf, kr + 32, pk, ct); // buf[0:31] contains message; kr[32:63] contains randomness r; + // buf[0:31] contains message; kr[32:63] contains randomness r; + PQCLEAN_SABER_CLEAN_indcpa_kem_enc(buf, kr + 32, pk, ct); sha3_256(kr + 32, ct, SABER_BYTES_CCA_DEC); - sha3_256(ss, kr, 64); // hash concatenation of pre-k and h(c) to k + // hash concatenation of pre-k and h(c) to k + sha3_256(ss, kr, 64); return (0); } @@ -51,14 +62,18 @@ int PQCLEAN_SABER_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *c unsigned char fail; unsigned char cmp[SABER_BYTES_CCA_DEC]; unsigned char buf[64]; - unsigned char kr[64]; // Will contain key, coins + + // Will contain key, coins + unsigned char kr[64]; const unsigned char *pk = sk + SABER_INDCPA_SECRETKEYBYTES; - PQCLEAN_SABER_CLEAN_indcpa_kem_dec(sk, ct, buf); // buf[0:31] <-- message + // buf[0:31] <-- message + PQCLEAN_SABER_CLEAN_indcpa_kem_dec(sk, ct, buf); // Multitarget countermeasure for coins + contributory KEM - for (i = 0; i < 32; i++) { // Save hash by storing h(pk) in sk + // Save hash by storing h(pk) in sk + for (i = 0; i < 32; i++) { buf[32 + i] = sk[SABER_SECRETKEYBYTES - 64 + i]; } @@ -69,11 +84,13 @@ int PQCLEAN_SABER_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *c fail = PQCLEAN_SABER_CLEAN_verify(ct, cmp, SABER_BYTES_CCA_DEC); - sha3_256(kr + 32, ct, SABER_BYTES_CCA_DEC); // overwrite coins in kr with h(c) + // overwrite coins in kr with h(c) + sha3_256(kr + 32, ct, SABER_BYTES_CCA_DEC); PQCLEAN_SABER_CLEAN_cmov(kr, sk + SABER_SECRETKEYBYTES - SABER_KEYBYTES, SABER_KEYBYTES, fail); - sha3_256(ss, kr, 64); // hash concatenation of pre-k and h(c) to k + // hash concatenation of pre-k and h(c) to k + sha3_256(ss, kr, 64); return (0); } diff --git a/crypto_kem/saber/clean/pack_unpack.c b/crypto_kem/saber/clean/pack_unpack.c index fa210fcc..06a74778 100644 --- a/crypto_kem/saber/clean/pack_unpack.c +++ b/crypto_kem/saber/clean/pack_unpack.c @@ -1,21 +1,26 @@ #include "pack_unpack.h" void PQCLEAN_SABER_CLEAN_pack_3bit(uint8_t *bytes, const uint16_t *data) { - uint32_t j; uint32_t offset_data, offset_byte; for (j = 0; j < SABER_N / 8; j++) { offset_byte = 3 * j; offset_data = 8 * j; - bytes[offset_byte + 0] = (data[offset_data + 0] & 0x7) | ( (data[offset_data + 1] & 0x7) << 3 ) | ((data[offset_data + 2] & 0x3) << 6); - bytes[offset_byte + 1] = ((data[offset_data + 2] >> 2 ) & 0x01) | ( (data[offset_data + 3] & 0x7) << 1 ) | ( (data[offset_data + 4] & 0x7) << 4 ) | (((data[offset_data + 5]) & 0x01) << 7); - bytes[offset_byte + 2] = ((data[offset_data + 5] >> 1 ) & 0x03) | ( (data[offset_data + 6] & 0x7) << 2 ) | ( (data[offset_data + 7] & 0x7) << 5 ); + bytes[offset_byte + 0] = (data[offset_data + 0] & 0x7) | + ((data[offset_data + 1] & 0x7) << 3) | + ((data[offset_data + 2] & 0x3) << 6); + bytes[offset_byte + 1] = ((data[offset_data + 2] >> 2 ) & 0x01) | + ((data[offset_data + 3] & 0x7) << 1) | + ((data[offset_data + 4] & 0x7) << 4) | + (((data[offset_data + 5]) & 0x01) << 7); + bytes[offset_byte + 2] = ((data[offset_data + 5] >> 1 ) & 0x03) | + ((data[offset_data + 6] & 0x7) << 2) | + ((data[offset_data + 7] & 0x7) << 5); } } void PQCLEAN_SABER_CLEAN_un_pack3bit(const uint8_t *bytes, uint16_t *data) { - uint32_t j; uint32_t offset_data, offset_byte; @@ -23,30 +28,30 @@ void PQCLEAN_SABER_CLEAN_un_pack3bit(const uint8_t *bytes, uint16_t *data) { offset_byte = 3 * j; offset_data = 8 * j; data[offset_data + 0] = (bytes[offset_byte + 0]) & 0x07; - data[offset_data + 1] = ( (bytes[offset_byte + 0]) >> 3 ) & 0x07; - data[offset_data + 2] = ( ( (bytes[offset_byte + 0]) >> 6 ) & 0x03) | ( ( (bytes[offset_byte + 1]) & 0x01) << 2 ); - data[offset_data + 3] = ( (bytes[offset_byte + 1]) >> 1 ) & 0x07; - data[offset_data + 4] = ( (bytes[offset_byte + 1]) >> 4 ) & 0x07; - data[offset_data + 5] = ( ( (bytes[offset_byte + 1]) >> 7 ) & 0x01) | ( ( (bytes[offset_byte + 2]) & 0x03) << 1 ); - data[offset_data + 6] = ( (bytes[offset_byte + 2] >> 2) & 0x07 ); - data[offset_data + 7] = ( (bytes[offset_byte + 2] >> 5) & 0x07 ); + data[offset_data + 1] = ((bytes[offset_byte + 0]) >> 3 ) & 0x07; + data[offset_data + 2] = (((bytes[offset_byte + 0]) >> 6 ) & 0x03) | + (((bytes[offset_byte + 1]) & 0x01) << 2); + data[offset_data + 3] = ((bytes[offset_byte + 1]) >> 1 ) & 0x07; + data[offset_data + 4] = ((bytes[offset_byte + 1]) >> 4 ) & 0x07; + data[offset_data + 5] = (((bytes[offset_byte + 1]) >> 7 ) & 0x01) | + (((bytes[offset_byte + 2]) & 0x03) << 1); + data[offset_data + 6] = ((bytes[offset_byte + 2] >> 2) & 0x07); + data[offset_data + 7] = ((bytes[offset_byte + 2] >> 5) & 0x07); } - } void PQCLEAN_SABER_CLEAN_pack_4bit(uint8_t *bytes, const uint16_t *data) { - uint32_t j; uint32_t offset_data; for (j = 0; j < SABER_N / 2; j++) { offset_data = 2 * j; - bytes[j] = (data[offset_data] & 0x0f) | ( (data[offset_data + 1] & 0x0f) << 4 ); + bytes[j] = (data[offset_data] & 0x0f) | + ((data[offset_data + 1] & 0x0f) << 4); } } void PQCLEAN_SABER_CLEAN_un_pack4bit(const unsigned char *bytes, uint16_t *ar) { - uint32_t j; uint32_t offset_data; @@ -64,9 +69,12 @@ void PQCLEAN_SABER_CLEAN_pack_6bit(uint8_t *bytes, const uint16_t *data) { for (j = 0; j < SABER_N / 4; j++) { offset_byte = 3 * j; offset_data = 4 * j; - bytes[offset_byte + 0] = (data[offset_data + 0] & 0x3f) | ((data[offset_data + 1] & 0x03) << 6); - bytes[offset_byte + 1] = ((data[offset_data + 1] >> 2) & 0x0f) | ((data[offset_data + 2] & 0x0f) << 4); - bytes[offset_byte + 2] = ((data[offset_data + 2] >> 4) & 0x03) | ((data[offset_data + 3] & 0x3f) << 2); + bytes[offset_byte + 0] = (data[offset_data + 0] & 0x3f) | + ((data[offset_data + 1] & 0x03) << 6); + bytes[offset_byte + 1] = ((data[offset_data + 1] >> 2) & 0x0f) | + ((data[offset_data + 2] & 0x0f) << 4); + bytes[offset_byte + 2] = ((data[offset_data + 2] >> 4) & 0x03) | + ((data[offset_data + 3] & 0x3f) << 2); } } @@ -79,11 +87,12 @@ void PQCLEAN_SABER_CLEAN_un_pack6bit(const unsigned char *bytes, uint16_t *data) offset_byte = 3 * j; offset_data = 4 * j; data[offset_data + 0] = bytes[offset_byte + 0] & 0x3f; - data[offset_data + 1] = ((bytes[offset_byte + 0] >> 6) & 0x03) | ((bytes[offset_byte + 1] & 0x0f) << 2) ; - data[offset_data + 2] = ((bytes[offset_byte + 1] & 0xff) >> 4) | ((bytes[offset_byte + 2] & 0x03) << 4) ; + data[offset_data + 1] = ((bytes[offset_byte + 0] >> 6) & 0x03) | + ((bytes[offset_byte + 1] & 0x0f) << 2); + data[offset_data + 2] = ((bytes[offset_byte + 1] & 0xff) >> 4) | + ((bytes[offset_byte + 2] & 0x03) << 4); data[offset_data + 3] = ((bytes[offset_byte + 2] & 0xff) >> 2); } - } @@ -96,23 +105,19 @@ static void POLVECp2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N]) { for (j = 0; j < SABER_N / 4; j++) { offset_byte = offset_byte1 + 5 * j; offset_data = 4 * j; - bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff)); - - bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x03 ) | ((data[i][ offset_data + 1 ] & 0x3f) << 2); - - bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 6) & 0x0f ) | ( (data[i][ offset_data + 2 ] & 0x0f) << 4); - - bytes[offset_byte + 3] = ( (data[i][ offset_data + 2 ] >> 4) & 0x3f ) | ((data[i][ offset_data + 3 ] & 0x03) << 6); - - bytes[offset_byte + 4] = ( (data[i][ offset_data + 3 ] >> 2) & 0xff ); + bytes[offset_byte + 0] = (data[i][offset_data + 0] & (0xff)); + bytes[offset_byte + 1] = ((data[i][offset_data + 0] >> 8) & 0x03) | + ((data[i][offset_data + 1] & 0x3f) << 2); + bytes[offset_byte + 2] = ((data[i][offset_data + 1] >> 6) & 0x0f) | + ((data[i][offset_data + 2] & 0x0f) << 4); + bytes[offset_byte + 3] = ((data[i][offset_data + 2] >> 4) & 0x3f) | + ((data[i][offset_data + 3] & 0x03) << 6); + bytes[offset_byte + 4] = ((data[i][offset_data + 3] >> 2) & 0xff); } } - - } static void BS2POLVECp(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N]) { - uint32_t i, j; uint32_t offset_data, offset_byte, offset_byte1; @@ -121,21 +126,21 @@ static void BS2POLVECp(const unsigned char *bytes, uint16_t data[SABER_K][SABER_ for (j = 0; j < SABER_N / 4; j++) { offset_byte = offset_byte1 + 5 * j; offset_data = 4 * j; - data[i][offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[ offset_byte + 1 ] & 0x03) << 8); - data[i][offset_data + 1] = ( (bytes[ offset_byte + 1 ] >> 2) & (0x3f)) | ((bytes[ offset_byte + 2 ] & 0x0f) << 6); - data[i][offset_data + 2] = ( (bytes[ offset_byte + 2 ] >> 4) & (0x0f)) | ((bytes[ offset_byte + 3 ] & 0x3f) << 4); - data[i][offset_data + 3] = ( (bytes[ offset_byte + 3 ] >> 6) & (0x03)) | ((bytes[ offset_byte + 4 ] & 0xff) << 2); - + data[i][offset_data + 0] = (bytes[offset_byte + 0] & (0xff)) | + ((bytes[offset_byte + 1] & 0x03) << 8); + data[i][offset_data + 1] = ((bytes[offset_byte + 1] >> 2) & (0x3f)) | + ((bytes[offset_byte + 2] & 0x0f) << 6); + data[i][offset_data + 2] = ((bytes[offset_byte + 2] >> 4) & (0x0f)) | + ((bytes[offset_byte + 3] & 0x3f) << 4); + data[i][offset_data + 3] = ((bytes[offset_byte + 3] >> 6) & (0x03)) | + ((bytes[offset_byte + 4] & 0xff) << 2); } } - - } static void POLVECq2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N]) { - uint32_t i, j; uint32_t offset_data, offset_byte, offset_byte1; @@ -144,40 +149,31 @@ static void POLVECq2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N]) { for (j = 0; j < SABER_N / 8; j++) { offset_byte = offset_byte1 + 13 * j; offset_data = 8 * j; - bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff)); - - bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x1f ) | ((data[i][ offset_data + 1 ] & 0x07) << 5); - - bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 3) & 0xff ); - - bytes[offset_byte + 3] = ( (data[i][ offset_data + 1 ] >> 11) & 0x03 ) | ((data[i][ offset_data + 2 ] & 0x3f) << 2); - - bytes[offset_byte + 4] = ( (data[i][ offset_data + 2 ] >> 6) & 0x7f ) | ( (data[i][ offset_data + 3 ] & 0x01) << 7 ); - - bytes[offset_byte + 5] = ( (data[i][ offset_data + 3 ] >> 1) & 0xff ); - - bytes[offset_byte + 6] = ( (data[i][ offset_data + 3 ] >> 9) & 0x0f ) | ( (data[i][ offset_data + 4 ] & 0x0f) << 4 ); - - bytes[offset_byte + 7] = ( (data[i][ offset_data + 4] >> 4) & 0xff ); - - bytes[offset_byte + 8] = ( (data[i][ offset_data + 4 ] >> 12) & 0x01 ) | ( (data[i][ offset_data + 5 ] & 0x7f) << 1 ); - - bytes[offset_byte + 9] = ( (data[i][ offset_data + 5 ] >> 7) & 0x3f ) | ( (data[i][ offset_data + 6 ] & 0x03) << 6 ); - - bytes[offset_byte + 10] = ( (data[i][ offset_data + 6 ] >> 2) & 0xff ); - - bytes[offset_byte + 11] = ( (data[i][ offset_data + 6 ] >> 10) & 0x07 ) | ( (data[i][ offset_data + 7 ] & 0x1f) << 3 ); - - bytes[offset_byte + 12] = ( (data[i][ offset_data + 7 ] >> 5) & 0xff ); - + bytes[offset_byte + 0] = (data[i][offset_data + 0] & (0xff)); + bytes[offset_byte + 1] = ((data[i][offset_data + 0] >> 8) & 0x1f) | + ((data[i][offset_data + 1] & 0x07) << 5); + bytes[offset_byte + 2] = ((data[i][offset_data + 1] >> 3) & 0xff); + bytes[offset_byte + 3] = ((data[i][offset_data + 1] >> 11) & 0x03) | + ((data[i][offset_data + 2] & 0x3f) << 2); + bytes[offset_byte + 4] = ((data[i][offset_data + 2] >> 6) & 0x7f) | + ((data[i][offset_data + 3] & 0x01) << 7); + bytes[offset_byte + 5] = ((data[i][offset_data + 3] >> 1) & 0xff); + bytes[offset_byte + 6] = ((data[i][offset_data + 3] >> 9) & 0x0f) | + ((data[i][offset_data + 4] & 0x0f) << 4); + bytes[offset_byte + 7] = ((data[i][offset_data + 4] >> 4) & 0xff); + bytes[offset_byte + 8] = ((data[i][offset_data + 4] >> 12) & 0x01) | + ((data[i][offset_data + 5] & 0x7f) << 1); + bytes[offset_byte + 9] = ((data[i][offset_data + 5] >> 7) & 0x3f) | + ((data[i][offset_data + 6] & 0x03) << 6); + bytes[offset_byte + 10] = ((data[i][offset_data + 6] >> 2) & 0xff); + bytes[offset_byte + 11] = ((data[i][offset_data + 6] >> 10) & 0x07) | + ((data[i][offset_data + 7] & 0x1f) << 3); + bytes[offset_byte + 12] = ((data[i][offset_data + 7] >> 5) & 0xff); } } - - } static void BS2POLVECq(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N]) { - uint32_t i, j; uint32_t offset_data, offset_byte, offset_byte1; @@ -186,44 +182,62 @@ static void BS2POLVECq(const unsigned char *bytes, uint16_t data[SABER_K][SABER_ for (j = 0; j < SABER_N / 8; j++) { offset_byte = offset_byte1 + 13 * j; offset_data = 8 * j; - data[i][offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[offset_byte + 1] & 0x1f) << 8); - data[i][offset_data + 1] = ( bytes[ offset_byte + 1 ] >> 5 & (0x07)) | ((bytes[offset_byte + 2] & 0xff) << 3) | ((bytes[offset_byte + 3] & 0x03) << 11); - data[i][offset_data + 2] = ( bytes[ offset_byte + 3 ] >> 2 & (0x3f)) | ((bytes[offset_byte + 4] & 0x7f) << 6); - data[i][offset_data + 3] = ( bytes[ offset_byte + 4 ] >> 7 & (0x01)) | ((bytes[offset_byte + 5] & 0xff) << 1) | ((bytes[offset_byte + 6] & 0x0f) << 9); - data[i][offset_data + 4] = ( bytes[ offset_byte + 6 ] >> 4 & (0x0f)) | ((bytes[offset_byte + 7] & 0xff) << 4) | ((bytes[offset_byte + 8] & 0x01) << 12); - data[i][offset_data + 5] = ( bytes[ offset_byte + 8] >> 1 & (0x7f)) | ((bytes[offset_byte + 9] & 0x3f) << 7); - data[i][offset_data + 6] = ( bytes[ offset_byte + 9] >> 6 & (0x03)) | ((bytes[offset_byte + 10] & 0xff) << 2) | ((bytes[offset_byte + 11] & 0x07) << 10); - data[i][offset_data + 7] = ( bytes[ offset_byte + 11] >> 3 & (0x1f)) | ((bytes[offset_byte + 12] & 0xff) << 5); + data[i][offset_data + 0] = (bytes[offset_byte + 0] & (0xff)) | + ((bytes[offset_byte + 1] & 0x1f) << 8); + data[i][offset_data + 1] = (bytes[offset_byte + 1] >> 5 & (0x07)) | + ((bytes[offset_byte + 2] & 0xff) << 3) | + ((bytes[offset_byte + 3] & 0x03) << 11); + data[i][offset_data + 2] = (bytes[offset_byte + 3] >> 2 & (0x3f)) | + ((bytes[offset_byte + 4] & 0x7f) << 6); + data[i][offset_data + 3] = (bytes[offset_byte + 4] >> 7 & (0x01)) | + ((bytes[offset_byte + 5] & 0xff) << 1) | + ((bytes[offset_byte + 6] & 0x0f) << 9); + data[i][offset_data + 4] = (bytes[offset_byte + 6] >> 4 & (0x0f)) | + ((bytes[offset_byte + 7] & 0xff) << 4) | + ((bytes[offset_byte + 8] & 0x01) << 12); + data[i][offset_data + 5] = (bytes[offset_byte + 8] >> 1 & (0x7f)) | + ((bytes[offset_byte + 9] & 0x3f) << 7); + data[i][offset_data + 6] = (bytes[offset_byte + 9] >> 6 & (0x03)) | + ((bytes[offset_byte + 10] & 0xff) << 2) | + ((bytes[offset_byte + 11] & 0x07) << 10); + data[i][offset_data + 7] = (bytes[offset_byte + 11] >> 3 & (0x1f)) | + ((bytes[offset_byte + 12] & 0xff) << 5); } } - - } -void PQCLEAN_SABER_CLEAN_BS2POL(const unsigned char *bytes, uint16_t data[SABER_N]) { //only BS2POLq no BS2POLp - +//only BS2POLq no BS2POLp +void PQCLEAN_SABER_CLEAN_BS2POL(const unsigned char *bytes, uint16_t data[SABER_N]) { uint32_t j; uint32_t offset_data, offset_byte; for (j = 0; j < SABER_N / 8; j++) { offset_byte = 13 * j; offset_data = 8 * j; - data[offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[offset_byte + 1] & 0x1f) << 8); - data[offset_data + 1] = ( bytes[ offset_byte + 1 ] >> 5 & (0x07)) | ((bytes[offset_byte + 2] & 0xff) << 3) | ((bytes[offset_byte + 3] & 0x03) << 11); - data[offset_data + 2] = ( bytes[ offset_byte + 3 ] >> 2 & (0x3f)) | ((bytes[offset_byte + 4] & 0x7f) << 6); - data[offset_data + 3] = ( bytes[ offset_byte + 4 ] >> 7 & (0x01)) | ((bytes[offset_byte + 5] & 0xff) << 1) | ((bytes[offset_byte + 6] & 0x0f) << 9); - data[offset_data + 4] = ( bytes[ offset_byte + 6 ] >> 4 & (0x0f)) | ((bytes[offset_byte + 7] & 0xff) << 4) | ((bytes[offset_byte + 8] & 0x01) << 12); - data[offset_data + 5] = ( bytes[ offset_byte + 8] >> 1 & (0x7f)) | ((bytes[offset_byte + 9] & 0x3f) << 7); - data[offset_data + 6] = ( bytes[ offset_byte + 9] >> 6 & (0x03)) | ((bytes[offset_byte + 10] & 0xff) << 2) | ((bytes[offset_byte + 11] & 0x07) << 10); - data[offset_data + 7] = ( bytes[ offset_byte + 11] >> 3 & (0x1f)) | ((bytes[offset_byte + 12] & 0xff) << 5); + data[offset_data + 0] = (bytes[offset_byte + 0] & (0xff)) | + ((bytes[offset_byte + 1] & 0x1f) << 8); + data[offset_data + 1] = (bytes[offset_byte + 1] >> 5 & (0x07)) | + ((bytes[offset_byte + 2] & 0xff) << 3) | + ((bytes[offset_byte + 3] & 0x03) << 11); + data[offset_data + 2] = (bytes[offset_byte + 3] >> 2 & (0x3f)) | + ((bytes[offset_byte + 4] & 0x7f) << 6); + data[offset_data + 3] = (bytes[offset_byte + 4] >> 7 & (0x01)) | + ((bytes[offset_byte + 5] & 0xff) << 1) | + ((bytes[offset_byte + 6] & 0x0f) << 9); + data[offset_data + 4] = (bytes[offset_byte + 6] >> 4 & (0x0f)) | + ((bytes[offset_byte + 7] & 0xff) << 4) | + ((bytes[offset_byte + 8] & 0x01) << 12); + data[offset_data + 5] = (bytes[offset_byte + 8] >> 1 & (0x7f)) | + ((bytes[offset_byte + 9] & 0x3f) << 7); + data[offset_data + 6] = (bytes[offset_byte + 9] >> 6 & (0x03)) | + ((bytes[offset_byte + 10] & 0xff) << 2) | + ((bytes[offset_byte + 11] & 0x07) << 10); + data[offset_data + 7] = (bytes[offset_byte + 11] >> 3 & (0x1f)) | + ((bytes[offset_byte + 12] & 0xff) << 5); } - - } - void PQCLEAN_SABER_CLEAN_POLVEC2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus) { - if (modulus == 1024) { POLVECp2BS(bytes, data); } else if (modulus == 8192) { @@ -232,11 +246,9 @@ void PQCLEAN_SABER_CLEAN_POLVEC2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_ } void PQCLEAN_SABER_CLEAN_BS2POLVEC(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus) { - if (modulus == 1024) { BS2POLVECp(bytes, data); } else if (modulus == 8192) { BS2POLVECq(bytes, data); } - }