From 8539bd868474feda989905c2d327737eb4e05d2f Mon Sep 17 00:00:00 2001 From: "Matthias J. Kannwischer" Date: Tue, 18 Jun 2019 16:27:03 +0200 Subject: [PATCH] add lightsaber --- crypto_kem/lightsaber/META.yml | 13 + crypto_kem/lightsaber/clean/LICENSE | 1 + crypto_kem/lightsaber/clean/Makefile | 19 + .../lightsaber/clean/Makefile.Microsoft_nmake | 19 + crypto_kem/lightsaber/clean/SABER_indcpa.c | 335 ++++++++++++++++++ crypto_kem/lightsaber/clean/SABER_indcpa.h | 9 + crypto_kem/lightsaber/clean/SABER_params.h | 50 +++ crypto_kem/lightsaber/clean/api.h | 14 + crypto_kem/lightsaber/clean/cbd.c | 51 +++ crypto_kem/lightsaber/clean/cbd.h | 17 + crypto_kem/lightsaber/clean/kem.c | 79 +++++ crypto_kem/lightsaber/clean/pack_unpack.c | 242 +++++++++++++ crypto_kem/lightsaber/clean/pack_unpack.h | 28 ++ crypto_kem/lightsaber/clean/poly.c | 21 ++ crypto_kem/lightsaber/clean/poly.h | 26 ++ crypto_kem/lightsaber/clean/poly_mul.c | 22 ++ crypto_kem/lightsaber/clean/poly_mul.h | 9 + crypto_kem/lightsaber/clean/verify.c | 34 ++ crypto_kem/lightsaber/clean/verify.h | 21 ++ 19 files changed, 1010 insertions(+) create mode 100644 crypto_kem/lightsaber/META.yml create mode 100644 crypto_kem/lightsaber/clean/LICENSE create mode 100644 crypto_kem/lightsaber/clean/Makefile create mode 100644 crypto_kem/lightsaber/clean/Makefile.Microsoft_nmake create mode 100644 crypto_kem/lightsaber/clean/SABER_indcpa.c create mode 100644 crypto_kem/lightsaber/clean/SABER_indcpa.h create mode 100644 crypto_kem/lightsaber/clean/SABER_params.h create mode 100644 crypto_kem/lightsaber/clean/api.h create mode 100644 crypto_kem/lightsaber/clean/cbd.c create mode 100644 crypto_kem/lightsaber/clean/cbd.h create mode 100644 crypto_kem/lightsaber/clean/kem.c create mode 100644 crypto_kem/lightsaber/clean/pack_unpack.c create mode 100644 crypto_kem/lightsaber/clean/pack_unpack.h create mode 100644 crypto_kem/lightsaber/clean/poly.c create mode 100644 crypto_kem/lightsaber/clean/poly.h create mode 100644 crypto_kem/lightsaber/clean/poly_mul.c create mode 100644 crypto_kem/lightsaber/clean/poly_mul.h create mode 100644 crypto_kem/lightsaber/clean/verify.c create mode 100644 crypto_kem/lightsaber/clean/verify.h diff --git a/crypto_kem/lightsaber/META.yml b/crypto_kem/lightsaber/META.yml new file mode 100644 index 00000000..06a7bf70 --- /dev/null +++ b/crypto_kem/lightsaber/META.yml @@ -0,0 +1,13 @@ +name: LightSaber +type: kem +claimed-nist-level: 1 +claimed-security: IND-CCA2 +length-public-key: 672 +length-ciphertext: 736 +length-secret-key: 1568 +length-shared-secret: 32 +nistkat-sha256: dc2233ae221cfabbb1db5ab1a76c93967d37de9f87a8092561f95ab28eff6061 +principal-submitter: Jan-Pieter D'Anvers, Angshuman Karmakar, Sujoy Sinha Roy, Frederik Vercauteren +implementations: + - name: clean + version: https://github.com/KULeuven-COSIC/SABER/commit/14ede83f1ff3bcc41f0464543542366c68b55871 diff --git a/crypto_kem/lightsaber/clean/LICENSE b/crypto_kem/lightsaber/clean/LICENSE new file mode 100644 index 00000000..1333ed77 --- /dev/null +++ b/crypto_kem/lightsaber/clean/LICENSE @@ -0,0 +1 @@ +TODO diff --git a/crypto_kem/lightsaber/clean/Makefile b/crypto_kem/lightsaber/clean/Makefile new file mode 100644 index 00000000..b1b532e4 --- /dev/null +++ b/crypto_kem/lightsaber/clean/Makefile @@ -0,0 +1,19 @@ +# This Makefile can be used with GNU Make or BSD Make + +LIB=liblightsaber_clean.a +HEADERS=api.h cbd.h poly.h poly_mul.h SABER_indcpa.h SABER_params.h verify.h pack_unpack.h +OBJECTS=cbd.o kem.o pack_unpack.o poly.o poly_mul.o SABER_indcpa.o verify.o + +CFLAGS=-O3 -Wall -Wextra -Wpedantic -Werror -Wmissing-prototypes -Wredundant-decls -std=c99 -I../../../common $(EXTRAFLAGS) + +all: $(LIB) + +%.o: %.c $(HEADERS) + $(CC) $(CFLAGS) -c -o $@ $< + +$(LIB): $(OBJECTS) + $(AR) -r $@ $(OBJECTS) + +clean: + $(RM) $(OBJECTS) + $(RM) $(LIB) diff --git a/crypto_kem/lightsaber/clean/Makefile.Microsoft_nmake b/crypto_kem/lightsaber/clean/Makefile.Microsoft_nmake new file mode 100644 index 00000000..b3bb5f92 --- /dev/null +++ b/crypto_kem/lightsaber/clean/Makefile.Microsoft_nmake @@ -0,0 +1,19 @@ +# This Makefile can be used with Microsoft Visual Studio's nmake using the command: +# nmake /f Makefile.Microsoft_nmake + +LIBRARY=liblightsaber_clean.lib +OBJECTS=cbd.obj kem.obj pack_unpack.obj poly.obj poly_mul.obj SABER_indcpa.obj verify.obj + +CFLAGS=/nologo /I ..\..\..\common /W4 /WX + +all: $(LIBRARY) + +# Make sure objects are recompiled if headers change. +$(OBJECTS): *.h + +$(LIBRARY): $(OBJECTS) + LIB.EXE /NOLOGO /WX /OUT:$@ $** + +clean: + -DEL $(OBJECTS) + -DEL $(LIBRARY) diff --git a/crypto_kem/lightsaber/clean/SABER_indcpa.c b/crypto_kem/lightsaber/clean/SABER_indcpa.c new file mode 100644 index 00000000..d5fb7130 --- /dev/null +++ b/crypto_kem/lightsaber/clean/SABER_indcpa.c @@ -0,0 +1,335 @@ +#include "SABER_indcpa.h" +#include "SABER_params.h" +#include "fips202.h" +#include "pack_unpack.h" +#include "poly.h" +#include "poly_mul.h" +#include "randombytes.h" +#include +#include + + + +/*----------------------------------------------------------------------------------- + This routine generates a=[Matrix K x K] of 256-coefficient polynomials +-------------------------------------------------------------------------------------*/ + +#define h1 4 //2^(EQ-EP-1) + +#define h2 ( (1<<(SABER_EP-2)) - (1<<(SABER_EP-SABER_ET-1)) + (1<<(SABER_EQ-SABER_EP-1)) ) + +static void InnerProd(uint16_t pkcl[SABER_K][SABER_N], uint16_t skpv[SABER_K][SABER_N], uint16_t mod, uint16_t res[SABER_N]); +static void MatrixVectorMul(polyvec *a, uint16_t skpv[SABER_K][SABER_N], uint16_t res[SABER_K][SABER_N], uint16_t mod, int16_t transpose); + +static void POL2MSG(const uint16_t *message_dec_unpacked, unsigned char *message_dec); + +static void GenMatrix(polyvec *a, const unsigned char *seed) { + unsigned char buf[SABER_K * SABER_K * (13 * SABER_N / 8)]; + + uint16_t temp_ar[SABER_N]; + + int i, j, k; + uint16_t mod = (SABER_Q - 1); + + shake128(buf, sizeof(buf), seed, SABER_SEEDBYTES); + + for (i = 0; i < SABER_K; i++) { + for (j = 0; j < SABER_K; j++) { + PQCLEAN_LIGHTSABER_CLEAN_BS2POL(buf + (i * SABER_K + j) * (13 * SABER_N / 8), temp_ar); + for (k = 0; k < SABER_N; k++) { + a[i].vec[j].coeffs[k] = (temp_ar[k])& mod ; + } + } + } +} + + +void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_keypair(unsigned char *pk, unsigned char *sk) { + polyvec a[SABER_K];// skpv; + + uint16_t skpv[SABER_K][SABER_N]; + + unsigned char seed[SABER_SEEDBYTES]; + unsigned char noiseseed[SABER_COINBYTES]; + int32_t i, j; + uint16_t mod_q = SABER_Q - 1; + + + uint16_t res[SABER_K][SABER_N]; + + randombytes(seed, SABER_SEEDBYTES); + shake128(seed, SABER_SEEDBYTES, seed, SABER_SEEDBYTES); // for not revealing system RNG state + randombytes(noiseseed, SABER_COINBYTES); + + GenMatrix(a, seed); //sample matrix A + + PQCLEAN_LIGHTSABER_CLEAN_GenSecret(skpv, noiseseed); //generate secret from constant-time binomial distribution + + //------------------------do the matrix vector multiplication and rounding------------ + + for (i = 0; i < SABER_K; i++) { + for (j = 0; j < SABER_N; j++) { + res[i][j] = 0; + } + } + + MatrixVectorMul(a, skpv, res, SABER_Q - 1, 1); + + //-----now rounding + for (i = 0; i < SABER_K; i++) { //shift right 3 bits + for (j = 0; j < SABER_N; j++) { + res[i][j] = (res[i][j] + h1) & (mod_q); + res[i][j] = (res[i][j] >> (SABER_EQ - SABER_EP)); + } + } + + //------------------unload and pack sk=3 x (256 coefficients of 14 bits)------- + + PQCLEAN_LIGHTSABER_CLEAN_POLVEC2BS(sk, skpv, SABER_Q); + + //------------------unload and pack pk=256 bits seed and 3 x (256 coefficients of 11 bits)------- + + + PQCLEAN_LIGHTSABER_CLEAN_POLVEC2BS(pk, res, SABER_P); // load the public-key coefficients + + + + for (i = 0; i < SABER_SEEDBYTES; i++) { // now load the seedbytes in PK. Easy since seed bytes are kept in byte format. + pk[SABER_POLYVECCOMPRESSEDBYTES + i] = seed[i]; + } + +} + + +void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_enc(const unsigned char *message_received, unsigned char *noiseseed, const unsigned char *pk, unsigned char *ciphertext) { + uint32_t i, j, k; + polyvec a[SABER_K]; // skpv; + unsigned char seed[SABER_SEEDBYTES]; + uint16_t pkcl[SABER_K][SABER_N]; //public key of received by the client + + + + uint16_t skpv1[SABER_K][SABER_N]; + + uint16_t message[SABER_KEYBYTES * 8]; + + uint16_t res[SABER_K][SABER_N]; + uint16_t mod_p = SABER_P - 1; + uint16_t mod_q = SABER_Q - 1; + + uint16_t vprime[SABER_N]; + + + + unsigned char msk_c[SABER_SCALEBYTES_KEM]; + + for (i = 0; i < SABER_SEEDBYTES; i++) { // extract the seedbytes from Public Key. + seed[i] = pk[ SABER_POLYVECCOMPRESSEDBYTES + i]; + } + + GenMatrix(a, seed); + + PQCLEAN_LIGHTSABER_CLEAN_GenSecret(skpv1, noiseseed); //generate secret from constant-time binomial distribution + + //-----------------matrix-vector multiplication and rounding + + for (i = 0; i < SABER_K; i++) { + for (j = 0; j < SABER_N; j++) { + res[i][j] = 0; + } + } + + MatrixVectorMul(a, skpv1, res, SABER_Q - 1, 0); + + //-----now rounding + + for (i = 0; i < SABER_K; i++) { //shift right 3 bits + for (j = 0; j < SABER_N; j++) { + res[i][j] = ( res[i][j] + h1 ) & mod_q; + res[i][j] = (res[i][j] >> (SABER_EQ - SABER_EP) ); + } + } + + PQCLEAN_LIGHTSABER_CLEAN_POLVEC2BS(ciphertext, res, SABER_P); + +//*******************client matrix-vector multiplication ends************************************ + + //------now calculate the v' + + //-------unpack the public_key + + //pkcl is the b in the protocol + PQCLEAN_LIGHTSABER_CLEAN_BS2POLVEC(pk, pkcl, SABER_P); + + + + for (i = 0; i < SABER_N; i++) { + vprime[i] = 0; + } + + for (i = 0; i < SABER_K; i++) { + for (j = 0; j < SABER_N; j++) { + skpv1[i][j] = skpv1[i][j] & (mod_p); + } + } + + // vector-vector scalar multiplication with mod p + InnerProd(pkcl, skpv1, mod_p, vprime); + + //addition of h1 to vprime + for (i = 0; i < SABER_N; i++) { + vprime[i] = vprime[i] + h1; + } + + + // unpack message_received; + for (j = 0; j < SABER_KEYBYTES; j++) { + for (i = 0; i < 8; i++) { + message[8 * j + i] = ((message_received[j] >> i) & 0x01); + } + } + + // message encoding + for (i = 0; i < SABER_N; i++) { + message[i] = (message[i] << (SABER_EP - 1)); + } + + + + + for (k = 0; k < SABER_N; k++) { + vprime[k] = ( (vprime[k] - message[k]) & (mod_p) ) >> (SABER_EP - SABER_ET); + } + + + PQCLEAN_LIGHTSABER_CLEAN_pack_3bit(msk_c, vprime); + + + for (j = 0; j < SABER_SCALEBYTES_KEM; j++) { + ciphertext[SABER_POLYVECCOMPRESSEDBYTES + j] = msk_c[j]; + } +} + + +void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_dec(const unsigned char *sk, const unsigned char *ciphertext, unsigned char message_dec[]) { + + uint32_t i, j; + + + uint16_t sksv[SABER_K][SABER_N]; //secret key of the server + + + uint16_t pksv[SABER_K][SABER_N]; + + uint8_t scale_ar[SABER_SCALEBYTES_KEM]; + + uint16_t mod_p = SABER_P - 1; + + uint16_t v[SABER_N]; + + uint16_t op[SABER_N]; + + + PQCLEAN_LIGHTSABER_CLEAN_BS2POLVEC(sk, sksv, SABER_Q); //sksv is the secret-key + PQCLEAN_LIGHTSABER_CLEAN_BS2POLVEC(ciphertext, pksv, SABER_P); //pksv is the ciphertext + + // vector-vector scalar multiplication with mod p + for (i = 0; i < SABER_N; i++) { + v[i] = 0; + } + + for (i = 0; i < SABER_K; i++) { + for (j = 0; j < SABER_N; j++) { + sksv[i][j] = sksv[i][j] & (mod_p); + } + } + + InnerProd(pksv, sksv, mod_p, v); + + + //Extraction + for (i = 0; i < SABER_SCALEBYTES_KEM; i++) { + scale_ar[i] = ciphertext[SABER_POLYVECCOMPRESSEDBYTES + i]; + } + + PQCLEAN_LIGHTSABER_CLEAN_un_pack3bit(scale_ar, op); + + + //addition of h1 + for (i = 0; i < SABER_N; i++) { + v[i] = ( ( v[i] + h2 - (op[i] << (SABER_EP - SABER_ET)) ) & (mod_p) ) >> (SABER_EP - 1); + } + + // pack decrypted message + + POL2MSG(v, message_dec); + + +} +static void MatrixVectorMul(polyvec *a, uint16_t skpv[SABER_K][SABER_N], uint16_t res[SABER_K][SABER_N], uint16_t mod, int16_t transpose) { + + uint16_t acc[SABER_N]; + int32_t i, j, k; + + if (transpose == 1) { + for (i = 0; i < SABER_K; i++) { + for (j = 0; j < SABER_K; j++) { + PQCLEAN_LIGHTSABER_CLEAN_pol_mul((uint16_t *)&a[j].vec[i], skpv[j], acc, SABER_Q, SABER_N); + + for (k = 0; k < SABER_N; k++) { + res[i][k] = res[i][k] + acc[k]; + res[i][k] = (res[i][k] & mod); //reduction mod p + acc[k] = 0; //clear the accumulator + } + + } + } + } else { + + for (i = 0; i < SABER_K; i++) { + for (j = 0; j < SABER_K; j++) { + PQCLEAN_LIGHTSABER_CLEAN_pol_mul((uint16_t *)&a[i].vec[j], skpv[j], acc, SABER_Q, SABER_N); + for (k = 0; k < SABER_N; k++) { + res[i][k] = res[i][k] + acc[k]; + res[i][k] = res[i][k] & mod; //reduction + acc[k] = 0; //clear the accumulator + } + + } + } + } + + +} + +static void POL2MSG(const uint16_t *message_dec_unpacked, unsigned char *message_dec) { + + int32_t i, j; + + for (j = 0; j < SABER_KEYBYTES; j++) { + message_dec[j] = 0; + for (i = 0; i < 8; i++) { + message_dec[j] = message_dec[j] | (uint8_t) (message_dec_unpacked[j * 8 + i] << i); + } + } + +} + + +static void InnerProd(uint16_t pkcl[SABER_K][SABER_N], uint16_t skpv[SABER_K][SABER_N], uint16_t mod, uint16_t res[SABER_N]) { + + + uint32_t j, k; + uint16_t acc[SABER_N]; + + // vector-vector scalar multiplication with mod p + for (j = 0; j < SABER_K; j++) { + PQCLEAN_LIGHTSABER_CLEAN_pol_mul(pkcl[j], skpv[j], acc, SABER_P, SABER_N); + + for (k = 0; k < SABER_N; k++) { + res[k] = res[k] + acc[k]; + res[k] = res[k] & mod; //reduction + acc[k] = 0; //clear the accumulator + } + } +} diff --git a/crypto_kem/lightsaber/clean/SABER_indcpa.h b/crypto_kem/lightsaber/clean/SABER_indcpa.h new file mode 100644 index 00000000..4f806c55 --- /dev/null +++ b/crypto_kem/lightsaber/clean/SABER_indcpa.h @@ -0,0 +1,9 @@ +#ifndef INDCPA_H +#define INDCPA_H + +void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_keypair(unsigned char *pk, unsigned char *sk); +void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_enc(const unsigned char *message, unsigned char *noiseseed, const unsigned char *pk, unsigned char *ciphertext); +void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_dec(const unsigned char *sk, const unsigned char *ciphertext, unsigned char *message_dec); + +#endif + diff --git a/crypto_kem/lightsaber/clean/SABER_params.h b/crypto_kem/lightsaber/clean/SABER_params.h new file mode 100644 index 00000000..eb3825f2 --- /dev/null +++ b/crypto_kem/lightsaber/clean/SABER_params.h @@ -0,0 +1,50 @@ +#ifndef PARAMS_H +#define PARAMS_H + +#include "api.h" + +#define SABER_K 2 +#define SABER_MU 10 +#define SABER_ET 3 + + +#define SABER_EQ 13 +#define SABER_EP 10 + +#define SABER_N 256 +#define SABER_Q 8192 +#define SABER_P 1024 + +#define SABER_SEEDBYTES 32 +#define SABER_NOISESEEDBYTES 32 +#define SABER_COINBYTES 32 +#define SABER_KEYBYTES 32 + +#define SABER_HASHBYTES 32 + +#define SABER_POLYBYTES 416 //13*256/8 + +#define SABER_POLYVECBYTES (SABER_K * SABER_POLYBYTES) + +#define SABER_POLYVECCOMPRESSEDBYTES (SABER_K * 320) //10*256/8 NOTE : changed till here due to parameter adaptation + +#define SABER_CIPHERTEXTBYTES (SABER_POLYVECCOMPRESSEDBYTES) + +#define SABER_SCALEBYTES (SABER_DELTA*SABER_N/8) + +#define SABER_SCALEBYTES_KEM ((SABER_ET)*SABER_N/8) + +#define SABER_INDCPA_PUBLICKEYBYTES (SABER_POLYVECCOMPRESSEDBYTES + SABER_SEEDBYTES) +#define SABER_INDCPA_SECRETKEYBYTES (SABER_POLYVECBYTES) + +#define SABER_PUBLICKEYBYTES (SABER_INDCPA_PUBLICKEYBYTES) + +#define SABER_SECRETKEYBYTES (SABER_INDCPA_SECRETKEYBYTES + SABER_INDCPA_PUBLICKEYBYTES + SABER_HASHBYTES + SABER_KEYBYTES) + +#define SABER_BYTES_CCA_DEC (SABER_POLYVECCOMPRESSEDBYTES + SABER_SCALEBYTES_KEM) /* Second part is for Targhi-Unruh */ + + + + +#endif + diff --git a/crypto_kem/lightsaber/clean/api.h b/crypto_kem/lightsaber/clean/api.h new file mode 100644 index 00000000..4f73c035 --- /dev/null +++ b/crypto_kem/lightsaber/clean/api.h @@ -0,0 +1,14 @@ +#ifndef PQCLEAN_LIGHTSABER_CLEAN_API_H +#define PQCLEAN_LIGHTSABER_CLEAN_API_H + +#define PQCLEAN_LIGHTSABER_CLEAN_CRYPTO_ALGNAME "LightSaber" +#define PQCLEAN_LIGHTSABER_CLEAN_CRYPTO_SECRETKEYBYTES 1568 +#define PQCLEAN_LIGHTSABER_CLEAN_CRYPTO_PUBLICKEYBYTES (2*320+32) +#define PQCLEAN_LIGHTSABER_CLEAN_CRYPTO_BYTES 32 +#define PQCLEAN_LIGHTSABER_CLEAN_CRYPTO_CIPHERTEXTBYTES 736 + +int PQCLEAN_LIGHTSABER_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk); +int PQCLEAN_LIGHTSABER_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk); +int PQCLEAN_LIGHTSABER_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk); + +#endif /* api_h */ diff --git a/crypto_kem/lightsaber/clean/cbd.c b/crypto_kem/lightsaber/clean/cbd.c new file mode 100644 index 00000000..f6ebe4d7 --- /dev/null +++ b/crypto_kem/lightsaber/clean/cbd.c @@ -0,0 +1,51 @@ +/*--------------------------------------------------------------------- +This file has been adapted from the implementation +(available at, Public Domain https://github.com/pq-crystals/kyber) +of "CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM" +by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint, +Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle +----------------------------------------------------------------------*/ + +#include "SABER_params.h" +#include "api.h" +#include "cbd.h" +#include + +static uint64_t load_littleendian(const unsigned char *x, int bytes) { + int i; + uint64_t r = x[0]; + for (i = 1; i < bytes; i++) { + r |= (uint64_t)x[i] << (8 * i); + } + return r; +} + + +void PQCLEAN_LIGHTSABER_CLEAN_cbd(uint16_t *r, const unsigned char *buf) { + uint16_t Qmod_minus1 = SABER_Q - 1; + + uint64_t t, d, a[4], b[4]; + int i, j; + + for (i = 0; i < SABER_N / 4; i++) { + t = load_littleendian(buf + 5 * i, 5); + d = 0; + for (j = 0; j < 5; j++) { + d += (t >> j) & 0x0842108421UL; + } + + a[0] = d & 0x1f; + b[0] = (d >> 5) & 0x1f; + a[1] = (d >> 10) & 0x1f; + b[1] = (d >> 15) & 0x1f; + a[2] = (d >> 20) & 0x1f; + b[2] = (d >> 25) & 0x1f; + a[3] = (d >> 30) & 0x1f; + b[3] = (d >> 35); + + r[4 * i + 0] = (uint16_t)(a[0] - b[0]) & Qmod_minus1; + r[4 * i + 1] = (uint16_t)(a[1] - b[1]) & Qmod_minus1; + r[4 * i + 2] = (uint16_t)(a[2] - b[2]) & Qmod_minus1; + r[4 * i + 3] = (uint16_t)(a[3] - b[3]) & Qmod_minus1; + } +} diff --git a/crypto_kem/lightsaber/clean/cbd.h b/crypto_kem/lightsaber/clean/cbd.h new file mode 100644 index 00000000..37553425 --- /dev/null +++ b/crypto_kem/lightsaber/clean/cbd.h @@ -0,0 +1,17 @@ +#ifndef CBD_H +#define CBD_H + +/*--------------------------------------------------------------------- +This file has been adapted from the implementation +(available at, Public Domain https://github.com/pq-crystals/kyber) +of "CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM" +by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint, +Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle +----------------------------------------------------------------------*/ + +#include "poly.h" +#include + +void PQCLEAN_LIGHTSABER_CLEAN_cbd(uint16_t *r, const unsigned char *buf); + +#endif diff --git a/crypto_kem/lightsaber/clean/kem.c b/crypto_kem/lightsaber/clean/kem.c new file mode 100644 index 00000000..f4a5c5a3 --- /dev/null +++ b/crypto_kem/lightsaber/clean/kem.c @@ -0,0 +1,79 @@ +#include "SABER_indcpa.h" +#include "SABER_params.h" +#include "fips202.h" +#include "randombytes.h" +#include "verify.h" +#include +#include +#include + +int PQCLEAN_LIGHTSABER_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) { + int i; + + PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_keypair(pk, sk); // sk[0:SABER_INDCPA_SECRETKEYBYTES-1] <-- sk + for (i = 0; i < SABER_INDCPA_PUBLICKEYBYTES; i++) { + sk[i + SABER_INDCPA_SECRETKEYBYTES] = pk[i]; // sk[SABER_INDCPA_SECRETKEYBYTES:SABER_INDCPA_SECRETKEYBYTES+SABER_INDCPA_SECRETKEYBYTES-1] <-- pk + } + + sha3_256(sk + SABER_SECRETKEYBYTES - 64, pk, SABER_INDCPA_PUBLICKEYBYTES); // Then hash(pk) is appended. + + randombytes(sk + SABER_SECRETKEYBYTES - SABER_KEYBYTES, SABER_KEYBYTES ); // Remaining part of sk contains a pseudo-random number. + // This is output when check in crypto_kem_dec() fails. + return (0); +} + +int PQCLEAN_LIGHTSABER_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) { + + unsigned char kr[64]; // Will contain key, coins + unsigned char buf[64]; + + randombytes(buf, 32); + + sha3_256(buf, buf, 32); // BUF[0:31] <-- random message (will be used as the key for client) Note: hash doesnot release system RNG output + + sha3_256(buf + 32, pk, SABER_INDCPA_PUBLICKEYBYTES); // BUF[32:63] <-- Hash(public key); Multitarget countermeasure for coins + contributory KEM + + sha3_512(kr, buf, 64); // kr[0:63] <-- Hash(buf[0:63]); + // K^ <-- kr[0:31] + // noiseseed (r) <-- kr[32:63]; + PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_enc(buf, kr + 32, pk, ct); // buf[0:31] contains message; kr[32:63] contains randomness r; + + sha3_256(kr + 32, ct, SABER_BYTES_CCA_DEC); + + sha3_256(ss, kr, 64); // hash concatenation of pre-k and h(c) to k + + return (0); +} + + +int PQCLEAN_LIGHTSABER_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) { + int i; + unsigned char fail; + unsigned char cmp[SABER_BYTES_CCA_DEC]; + unsigned char buf[64]; + unsigned char kr[64]; // Will contain key, coins + const unsigned char *pk = sk + SABER_INDCPA_SECRETKEYBYTES; + + PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_dec(sk, ct, buf); // buf[0:31] <-- message + + + // Multitarget countermeasure for coins + contributory KEM + for (i = 0; i < 32; i++) { // Save hash by storing h(pk) in sk + buf[32 + i] = sk[SABER_SECRETKEYBYTES - 64 + i]; + } + + sha3_512(kr, buf, 64); + + PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_enc(buf, kr + 32, pk, cmp); + + + fail = PQCLEAN_LIGHTSABER_CLEAN_verify(ct, cmp, SABER_BYTES_CCA_DEC); + + sha3_256(kr + 32, ct, SABER_BYTES_CCA_DEC); // overwrite coins in kr with h(c) + + PQCLEAN_LIGHTSABER_CLEAN_cmov(kr, sk + SABER_SECRETKEYBYTES - SABER_KEYBYTES, SABER_KEYBYTES, fail); + + sha3_256(ss, kr, 64); // hash concatenation of pre-k and h(c) to k + + return (0); +} diff --git a/crypto_kem/lightsaber/clean/pack_unpack.c b/crypto_kem/lightsaber/clean/pack_unpack.c new file mode 100644 index 00000000..c93e3f22 --- /dev/null +++ b/crypto_kem/lightsaber/clean/pack_unpack.c @@ -0,0 +1,242 @@ +#include "pack_unpack.h" + +void PQCLEAN_LIGHTSABER_CLEAN_pack_3bit(uint8_t *bytes, const uint16_t *data) { + + uint32_t j; + uint32_t offset_data, offset_byte; + + for (j = 0; j < SABER_N / 8; j++) { + offset_byte = 3 * j; + offset_data = 8 * j; + bytes[offset_byte + 0] = (data[offset_data + 0] & 0x7) | ( (data[offset_data + 1] & 0x7) << 3 ) | ((data[offset_data + 2] & 0x3) << 6); + bytes[offset_byte + 1] = ((data[offset_data + 2] >> 2 ) & 0x01) | ( (data[offset_data + 3] & 0x7) << 1 ) | ( (data[offset_data + 4] & 0x7) << 4 ) | (((data[offset_data + 5]) & 0x01) << 7); + bytes[offset_byte + 2] = ((data[offset_data + 5] >> 1 ) & 0x03) | ( (data[offset_data + 6] & 0x7) << 2 ) | ( (data[offset_data + 7] & 0x7) << 5 ); + } +} + +void PQCLEAN_LIGHTSABER_CLEAN_un_pack3bit(const uint8_t *bytes, uint16_t *data) { + + uint32_t j; + uint32_t offset_data, offset_byte; + + for (j = 0; j < SABER_N / 8; j++) { + offset_byte = 3 * j; + offset_data = 8 * j; + data[offset_data + 0] = (bytes[offset_byte + 0]) & 0x07; + data[offset_data + 1] = ( (bytes[offset_byte + 0]) >> 3 ) & 0x07; + data[offset_data + 2] = ( ( (bytes[offset_byte + 0]) >> 6 ) & 0x03) | ( ( (bytes[offset_byte + 1]) & 0x01) << 2 ); + data[offset_data + 3] = ( (bytes[offset_byte + 1]) >> 1 ) & 0x07; + data[offset_data + 4] = ( (bytes[offset_byte + 1]) >> 4 ) & 0x07; + data[offset_data + 5] = ( ( (bytes[offset_byte + 1]) >> 7 ) & 0x01) | ( ( (bytes[offset_byte + 2]) & 0x03) << 1 ); + data[offset_data + 6] = ( (bytes[offset_byte + 2] >> 2) & 0x07 ); + data[offset_data + 7] = ( (bytes[offset_byte + 2] >> 5) & 0x07 ); + } + +} + +void PQCLEAN_LIGHTSABER_CLEAN_pack_4bit(uint8_t *bytes, const uint16_t *data) { + + uint32_t j; + uint32_t offset_data; + + for (j = 0; j < SABER_N / 2; j++) { + offset_data = 2 * j; + bytes[j] = (data[offset_data] & 0x0f) | ( (data[offset_data + 1] & 0x0f) << 4 ); + } +} + +void PQCLEAN_LIGHTSABER_CLEAN_un_pack4bit(const unsigned char *bytes, uint16_t *ar) { + + uint32_t j; + uint32_t offset_data; + + for (j = 0; j < SABER_N / 2; j++) { + offset_data = 2 * j; + ar[offset_data] = bytes[j] & 0x0f; + ar[offset_data + 1] = (bytes[j] >> 4) & 0x0f; + } +} + +void PQCLEAN_LIGHTSABER_CLEAN_pack_6bit(uint8_t *bytes, const uint16_t *data) { + uint32_t j; + uint32_t offset_data, offset_byte; + + for (j = 0; j < SABER_N / 4; j++) { + offset_byte = 3 * j; + offset_data = 4 * j; + bytes[offset_byte + 0] = (data[offset_data + 0] & 0x3f) | ((data[offset_data + 1] & 0x03) << 6); + bytes[offset_byte + 1] = ((data[offset_data + 1] >> 2) & 0x0f) | ((data[offset_data + 2] & 0x0f) << 4); + bytes[offset_byte + 2] = ((data[offset_data + 2] >> 4) & 0x03) | ((data[offset_data + 3] & 0x3f) << 2); + } +} + + +void PQCLEAN_LIGHTSABER_CLEAN_un_pack6bit(const unsigned char *bytes, uint16_t *data) { + uint32_t j; + uint32_t offset_data, offset_byte; + + for (j = 0; j < SABER_N / 4; j++) { + offset_byte = 3 * j; + offset_data = 4 * j; + data[offset_data + 0] = bytes[offset_byte + 0] & 0x3f; + data[offset_data + 1] = ((bytes[offset_byte + 0] >> 6) & 0x03) | ((bytes[offset_byte + 1] & 0x0f) << 2) ; + data[offset_data + 2] = ((bytes[offset_byte + 1] & 0xff) >> 4) | ((bytes[offset_byte + 2] & 0x03) << 4) ; + data[offset_data + 3] = ((bytes[offset_byte + 2] & 0xff) >> 2); + } + +} + + +static void POLVECp2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N]) { + uint32_t i, j; + uint32_t offset_data, offset_byte, offset_byte1; + + for (i = 0; i < SABER_K; i++) { + offset_byte1 = i * (SABER_N * 10) / 8; + for (j = 0; j < SABER_N / 4; j++) { + offset_byte = offset_byte1 + 5 * j; + offset_data = 4 * j; + bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff)); + + bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x03 ) | ((data[i][ offset_data + 1 ] & 0x3f) << 2); + + bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 6) & 0x0f ) | ( (data[i][ offset_data + 2 ] & 0x0f) << 4); + + bytes[offset_byte + 3] = ( (data[i][ offset_data + 2 ] >> 4) & 0x3f ) | ((data[i][ offset_data + 3 ] & 0x03) << 6); + + bytes[offset_byte + 4] = ( (data[i][ offset_data + 3 ] >> 2) & 0xff ); + } + } + + +} + +static void BS2POLVECp(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N]) { + + uint32_t i, j; + uint32_t offset_data, offset_byte, offset_byte1; + + for (i = 0; i < SABER_K; i++) { + offset_byte1 = i * (SABER_N * 10) / 8; + for (j = 0; j < SABER_N / 4; j++) { + offset_byte = offset_byte1 + 5 * j; + offset_data = 4 * j; + data[i][offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[ offset_byte + 1 ] & 0x03) << 8); + data[i][offset_data + 1] = ( (bytes[ offset_byte + 1 ] >> 2) & (0x3f)) | ((bytes[ offset_byte + 2 ] & 0x0f) << 6); + data[i][offset_data + 2] = ( (bytes[ offset_byte + 2 ] >> 4) & (0x0f)) | ((bytes[ offset_byte + 3 ] & 0x3f) << 4); + data[i][offset_data + 3] = ( (bytes[ offset_byte + 3 ] >> 6) & (0x03)) | ((bytes[ offset_byte + 4 ] & 0xff) << 2); + + } + } + + +} + + + +static void POLVECq2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N]) { + + uint32_t i, j; + uint32_t offset_data, offset_byte, offset_byte1; + + for (i = 0; i < SABER_K; i++) { + offset_byte1 = i * (SABER_N * 13) / 8; + for (j = 0; j < SABER_N / 8; j++) { + offset_byte = offset_byte1 + 13 * j; + offset_data = 8 * j; + bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff)); + + bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x1f ) | ((data[i][ offset_data + 1 ] & 0x07) << 5); + + bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 3) & 0xff ); + + bytes[offset_byte + 3] = ( (data[i][ offset_data + 1 ] >> 11) & 0x03 ) | ((data[i][ offset_data + 2 ] & 0x3f) << 2); + + bytes[offset_byte + 4] = ( (data[i][ offset_data + 2 ] >> 6) & 0x7f ) | ( (data[i][ offset_data + 3 ] & 0x01) << 7 ); + + bytes[offset_byte + 5] = ( (data[i][ offset_data + 3 ] >> 1) & 0xff ); + + bytes[offset_byte + 6] = ( (data[i][ offset_data + 3 ] >> 9) & 0x0f ) | ( (data[i][ offset_data + 4 ] & 0x0f) << 4 ); + + bytes[offset_byte + 7] = ( (data[i][ offset_data + 4] >> 4) & 0xff ); + + bytes[offset_byte + 8] = ( (data[i][ offset_data + 4 ] >> 12) & 0x01 ) | ( (data[i][ offset_data + 5 ] & 0x7f) << 1 ); + + bytes[offset_byte + 9] = ( (data[i][ offset_data + 5 ] >> 7) & 0x3f ) | ( (data[i][ offset_data + 6 ] & 0x03) << 6 ); + + bytes[offset_byte + 10] = ( (data[i][ offset_data + 6 ] >> 2) & 0xff ); + + bytes[offset_byte + 11] = ( (data[i][ offset_data + 6 ] >> 10) & 0x07 ) | ( (data[i][ offset_data + 7 ] & 0x1f) << 3 ); + + bytes[offset_byte + 12] = ( (data[i][ offset_data + 7 ] >> 5) & 0xff ); + + } + } + + +} + +static void BS2POLVECq(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N]) { + + uint32_t i, j; + uint32_t offset_data, offset_byte, offset_byte1; + + for (i = 0; i < SABER_K; i++) { + offset_byte1 = i * (SABER_N * 13) / 8; + for (j = 0; j < SABER_N / 8; j++) { + offset_byte = offset_byte1 + 13 * j; + offset_data = 8 * j; + data[i][offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[offset_byte + 1] & 0x1f) << 8); + data[i][offset_data + 1] = ( bytes[ offset_byte + 1 ] >> 5 & (0x07)) | ((bytes[offset_byte + 2] & 0xff) << 3) | ((bytes[offset_byte + 3] & 0x03) << 11); + data[i][offset_data + 2] = ( bytes[ offset_byte + 3 ] >> 2 & (0x3f)) | ((bytes[offset_byte + 4] & 0x7f) << 6); + data[i][offset_data + 3] = ( bytes[ offset_byte + 4 ] >> 7 & (0x01)) | ((bytes[offset_byte + 5] & 0xff) << 1) | ((bytes[offset_byte + 6] & 0x0f) << 9); + data[i][offset_data + 4] = ( bytes[ offset_byte + 6 ] >> 4 & (0x0f)) | ((bytes[offset_byte + 7] & 0xff) << 4) | ((bytes[offset_byte + 8] & 0x01) << 12); + data[i][offset_data + 5] = ( bytes[ offset_byte + 8] >> 1 & (0x7f)) | ((bytes[offset_byte + 9] & 0x3f) << 7); + data[i][offset_data + 6] = ( bytes[ offset_byte + 9] >> 6 & (0x03)) | ((bytes[offset_byte + 10] & 0xff) << 2) | ((bytes[offset_byte + 11] & 0x07) << 10); + data[i][offset_data + 7] = ( bytes[ offset_byte + 11] >> 3 & (0x1f)) | ((bytes[offset_byte + 12] & 0xff) << 5); + } + } + + +} + +void PQCLEAN_LIGHTSABER_CLEAN_BS2POL(const unsigned char *bytes, uint16_t data[SABER_N]) { //only BS2POLq no BS2POLp + + uint32_t j; + uint32_t offset_data, offset_byte; + + for (j = 0; j < SABER_N / 8; j++) { + offset_byte = 13 * j; + offset_data = 8 * j; + data[offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[offset_byte + 1] & 0x1f) << 8); + data[offset_data + 1] = ( bytes[ offset_byte + 1 ] >> 5 & (0x07)) | ((bytes[offset_byte + 2] & 0xff) << 3) | ((bytes[offset_byte + 3] & 0x03) << 11); + data[offset_data + 2] = ( bytes[ offset_byte + 3 ] >> 2 & (0x3f)) | ((bytes[offset_byte + 4] & 0x7f) << 6); + data[offset_data + 3] = ( bytes[ offset_byte + 4 ] >> 7 & (0x01)) | ((bytes[offset_byte + 5] & 0xff) << 1) | ((bytes[offset_byte + 6] & 0x0f) << 9); + data[offset_data + 4] = ( bytes[ offset_byte + 6 ] >> 4 & (0x0f)) | ((bytes[offset_byte + 7] & 0xff) << 4) | ((bytes[offset_byte + 8] & 0x01) << 12); + data[offset_data + 5] = ( bytes[ offset_byte + 8] >> 1 & (0x7f)) | ((bytes[offset_byte + 9] & 0x3f) << 7); + data[offset_data + 6] = ( bytes[ offset_byte + 9] >> 6 & (0x03)) | ((bytes[offset_byte + 10] & 0xff) << 2) | ((bytes[offset_byte + 11] & 0x07) << 10); + data[offset_data + 7] = ( bytes[ offset_byte + 11] >> 3 & (0x1f)) | ((bytes[offset_byte + 12] & 0xff) << 5); + } + + +} + + +void PQCLEAN_LIGHTSABER_CLEAN_POLVEC2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus) { + + if (modulus == 1024) { + POLVECp2BS(bytes, data); + } else if (modulus == 8192) { + POLVECq2BS(bytes, data); + } +} + +void PQCLEAN_LIGHTSABER_CLEAN_BS2POLVEC(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus) { + + if (modulus == 1024) { + BS2POLVECp(bytes, data); + } else if (modulus == 8192) { + BS2POLVECq(bytes, data); + } + +} diff --git a/crypto_kem/lightsaber/clean/pack_unpack.h b/crypto_kem/lightsaber/clean/pack_unpack.h new file mode 100644 index 00000000..86fd2fad --- /dev/null +++ b/crypto_kem/lightsaber/clean/pack_unpack.h @@ -0,0 +1,28 @@ +#ifndef PACK_UNPACK_H +#define PACK_UNPACK_H + +#include "SABER_params.h" +#include +#include + + +void PQCLEAN_LIGHTSABER_CLEAN_pack_3bit(uint8_t *bytes, const uint16_t *data); + +void PQCLEAN_LIGHTSABER_CLEAN_un_pack3bit(const uint8_t *bytes, uint16_t *data); + +void PQCLEAN_LIGHTSABER_CLEAN_pack_4bit(uint8_t *bytes, const uint16_t *data); + +void PQCLEAN_LIGHTSABER_CLEAN_un_pack4bit(const unsigned char *bytes, uint16_t *ar); + +void PQCLEAN_LIGHTSABER_CLEAN_pack_6bit(uint8_t *bytes, const uint16_t *data); + +void PQCLEAN_LIGHTSABER_CLEAN_un_pack6bit(const unsigned char *bytes, uint16_t *data); + + +void PQCLEAN_LIGHTSABER_CLEAN_BS2POL(const unsigned char *bytes, uint16_t data[SABER_N]); + +void PQCLEAN_LIGHTSABER_CLEAN_POLVEC2BS(uint8_t *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus); + +void PQCLEAN_LIGHTSABER_CLEAN_BS2POLVEC(const unsigned char *bytes, uint16_t data[SABER_K][SABER_N], uint16_t modulus); + +#endif diff --git a/crypto_kem/lightsaber/clean/poly.c b/crypto_kem/lightsaber/clean/poly.c new file mode 100644 index 00000000..fc86ab3c --- /dev/null +++ b/crypto_kem/lightsaber/clean/poly.c @@ -0,0 +1,21 @@ +/*--------------------------------------------------------------------- +This file has been adapted from the implementation +(available at, Public Domain https://github.com/pq-crystals/kyber) +of "CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM" +by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint, +Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle +----------------------------------------------------------------------*/ +#include "SABER_params.h" +#include "cbd.h" +#include "fips202.h" +#include "poly.h" + +void PQCLEAN_LIGHTSABER_CLEAN_GenSecret(uint16_t r[SABER_K][SABER_N], const unsigned char *seed) { + uint8_t buf[SABER_MU * SABER_N * SABER_K / 8]; + + shake128(buf, sizeof(buf), seed, SABER_NOISESEEDBYTES); + + for (size_t i = 0; i < SABER_K; i++) { + PQCLEAN_LIGHTSABER_CLEAN_cbd(r[i], buf + i * SABER_MU * SABER_N / 8); + } +} diff --git a/crypto_kem/lightsaber/clean/poly.h b/crypto_kem/lightsaber/clean/poly.h new file mode 100644 index 00000000..47ceeebb --- /dev/null +++ b/crypto_kem/lightsaber/clean/poly.h @@ -0,0 +1,26 @@ +#ifndef POLY_H +#define POLY_H + +/*--------------------------------------------------------------------- +This file has been adapted from the implementation +(available at, Public Domain https://github.com/pq-crystals/kyber) +of "CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM" +by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint, +Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle +----------------------------------------------------------------------*/ + + +#include "SABER_params.h" +#include + +typedef struct { + uint16_t coeffs[SABER_N]; +} poly; + +typedef struct { + poly vec[SABER_K]; +} polyvec; + +void PQCLEAN_LIGHTSABER_CLEAN_GenSecret(uint16_t r[SABER_K][SABER_N], const unsigned char *seed); + +#endif diff --git a/crypto_kem/lightsaber/clean/poly_mul.c b/crypto_kem/lightsaber/clean/poly_mul.c new file mode 100644 index 00000000..ddc7c9a2 --- /dev/null +++ b/crypto_kem/lightsaber/clean/poly_mul.c @@ -0,0 +1,22 @@ +#include "poly_mul.h" +#include "SABER_params.h" +#include +#include + + +void PQCLEAN_LIGHTSABER_CLEAN_pol_mul(const uint16_t *a, const uint16_t *b, uint16_t *res, uint16_t p, uint32_t n) { + // Polynomial multiplication using the schoolbook method, c[x] = a[x]*b[x] + + // normal multiplication + uint16_t c[2 * SABER_N] = {0}; + for (size_t i = 0; i < SABER_N; i++) { + for (size_t j = 0; j < SABER_N; j++) { + c[i + j] += a[i] * b[j]; + } + } + + // reduction + for (size_t i = n; i < 2 * n; i++) { + res[i - n] = (c[i - n] - c[i]) & (p - 1); + } +} diff --git a/crypto_kem/lightsaber/clean/poly_mul.h b/crypto_kem/lightsaber/clean/poly_mul.h new file mode 100644 index 00000000..adc877aa --- /dev/null +++ b/crypto_kem/lightsaber/clean/poly_mul.h @@ -0,0 +1,9 @@ +#ifndef POLYMUL_H +#define POLYMUL_H + +#include "SABER_params.h" +#include + +void PQCLEAN_LIGHTSABER_CLEAN_pol_mul(const uint16_t *a, const uint16_t *b, uint16_t *res, uint16_t p, uint32_t n); + +#endif diff --git a/crypto_kem/lightsaber/clean/verify.c b/crypto_kem/lightsaber/clean/verify.c new file mode 100644 index 00000000..52c6969b --- /dev/null +++ b/crypto_kem/lightsaber/clean/verify.c @@ -0,0 +1,34 @@ +/*------------------------------------------------- +This file has been adapted from the implementation +(available at https://github.com/pq-crystals/kyber) of +"CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM" + by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint, +Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle +----------------------------------------------------*/ +#include "verify.h" +#include + +/* returns 0 for equal strings, 1 for non-equal strings */ +unsigned char PQCLEAN_LIGHTSABER_CLEAN_verify(const unsigned char *a, const unsigned char *b, size_t len) { + uint64_t r; + size_t i; + + r = 0; + for (i = 0; i < len; i++) { + r |= a[i] ^ b[i]; + } + + r = (~r + 1); // Two's complement + r >>= 63; + return (unsigned char)r; +} + +/* b = 1 means mov, b = 0 means don't mov*/ +void PQCLEAN_LIGHTSABER_CLEAN_cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b) { + size_t i; + + b = -b; + for (i = 0; i < len; i++) { + r[i] ^= b & (x[i] ^ r[i]); + } +} diff --git a/crypto_kem/lightsaber/clean/verify.h b/crypto_kem/lightsaber/clean/verify.h new file mode 100644 index 00000000..32c2adb5 --- /dev/null +++ b/crypto_kem/lightsaber/clean/verify.h @@ -0,0 +1,21 @@ +#ifndef VERIFY_H +#define VERIFY_H + +/*------------------------------------------------- +This file has been adapted from the implementation +(available at https://github.com/pq-crystals/kyber) of +"CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM" + by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint, +Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle +----------------------------------------------------*/ + +#include +#include + +/* returns 0 for equal strings, 1 for non-equal strings */ +unsigned char PQCLEAN_LIGHTSABER_CLEAN_verify(const unsigned char *a, const unsigned char *b, size_t len); + +/* b = 1 means mov, b = 0 means don't mov*/ +void PQCLEAN_LIGHTSABER_CLEAN_cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b); + +#endif