From 8e594f3c23e99311dccadefdd49b73598cd0c952 Mon Sep 17 00:00:00 2001 From: Peter Schwabe Date: Thu, 14 Feb 2019 15:30:55 +0100 Subject: [PATCH] Some cleanup, expanded dependencies, removed two unnecessary files in kyber768 --- .astylerc | 2 +- README.md | 2 +- crypto_kem/kyber768/clean/api.h | 6 +-- crypto_kem/kyber768/clean/cbd.c | 6 +-- crypto_kem/kyber768/clean/indcpa.c | 13 +++---- crypto_kem/kyber768/clean/indcpa.h | 9 +++-- crypto_kem/kyber768/clean/kem.c | 51 ++++++++----------------- crypto_kem/kyber768/clean/kex.c | 58 ----------------------------- crypto_kem/kyber768/clean/kex.h | 31 --------------- crypto_kem/kyber768/clean/ntt.c | 6 +-- crypto_kem/kyber768/clean/params.h | 2 +- crypto_kem/kyber768/clean/poly.c | 17 ++++----- crypto_kem/kyber768/clean/poly.h | 9 ++--- crypto_kem/kyber768/clean/polyvec.c | 12 +++--- crypto_kem/kyber768/clean/polyvec.h | 6 +-- crypto_kem/kyber768/clean/precomp.c | 9 +++-- crypto_kem/kyber768/clean/verify.c | 6 +-- crypto_kem/kyber768/clean/verify.h | 6 +-- 18 files changed, 64 insertions(+), 187 deletions(-) delete mode 100644 crypto_kem/kyber768/clean/kex.c delete mode 100644 crypto_kem/kyber768/clean/kex.h diff --git a/.astylerc b/.astylerc index da3cf33b..cba802e4 100644 --- a/.astylerc +++ b/.astylerc @@ -5,7 +5,7 @@ --pad-oper --pad-comma --pad-header ---unpad-paren +#--unpad-paren --align-pointer=name --add-braces --convert-tabs diff --git a/README.md b/README.md index c3d50cf8..09c0196a 100644 --- a/README.md +++ b/README.md @@ -111,7 +111,7 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size As noted above, PQClean is **not** meant to be built as a single library: it is a collection of source code that can be easily integrated into other libraries. The PQClean repository includes various test programs which do build various files, but you should not use the resulting binaries for any purpose. -List of required dependencies: ``gcc or clang, make, python3, python-yaml library, valgrind``. +List of required dependencies: ``gcc or clang, make, python3, python-yaml library, valgrind, astyle (>= 3.0)``. ## Using source code from PQClean in your own project diff --git a/crypto_kem/kyber768/clean/api.h b/crypto_kem/kyber768/clean/api.h index 9c0cbe88..ecf30d24 100644 --- a/crypto_kem/kyber768/clean/api.h +++ b/crypto_kem/kyber768/clean/api.h @@ -12,10 +12,8 @@ int PQCLEAN_KYBER768_crypto_kem_keypair(unsigned char *pk, unsigned char *sk); -int PQCLEAN_KYBER768_crypto_kem_enc(unsigned char *ct, unsigned char *ss, - const unsigned char *pk); +int PQCLEAN_KYBER768_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk); -int PQCLEAN_KYBER768_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, - const unsigned char *sk); +int PQCLEAN_KYBER768_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk); #endif diff --git a/crypto_kem/kyber768/clean/cbd.c b/crypto_kem/kyber768/clean/cbd.c index 9c2e697a..b54ee1ce 100644 --- a/crypto_kem/kyber768/clean/cbd.c +++ b/crypto_kem/kyber768/clean/cbd.c @@ -43,7 +43,7 @@ void PQCLEAN_KYBER768_cbd(poly *r, const unsigned char *buf) { d += (t >> j) & 0x249249; } - a[0] = d & 0x7; + a[0] = d & 0x7; b[0] = (d >> 3) & 0x7; a[1] = (d >> 6) & 0x7; b[1] = (d >> 9) & 0x7; @@ -68,7 +68,7 @@ void PQCLEAN_KYBER768_cbd(poly *r, const unsigned char *buf) { d += (t >> j) & 0x11111111; } - a[0] = d & 0xf; + a[0] = d & 0xf; b[0] = (d >> 4) & 0xf; a[1] = (d >> 8) & 0xf; b[1] = (d >> 12) & 0xf; @@ -93,7 +93,7 @@ void PQCLEAN_KYBER768_cbd(poly *r, const unsigned char *buf) { d += (t >> j) & 0x0842108421UL; } - a[0] = d & 0x1f; + a[0] = d & 0x1f; b[0] = (d >> 5) & 0x1f; a[1] = (d >> 10) & 0x1f; b[1] = (d >> 15) & 0x1f; diff --git a/crypto_kem/kyber768/clean/indcpa.c b/crypto_kem/kyber768/clean/indcpa.c index cb16e423..a8d531e4 100644 --- a/crypto_kem/kyber768/clean/indcpa.c +++ b/crypto_kem/kyber768/clean/indcpa.c @@ -17,8 +17,7 @@ *public key const poly *pk: pointer to the input public-key *polynomial const unsigned char *seed: pointer to the input public seed **************************************************/ -static void pack_pk(unsigned char *r, const polyvec *pk, - const unsigned char *seed) { +static void pack_pk(unsigned char *r, const polyvec *pk, const unsigned char *seed) { int i; PQCLEAN_KYBER768_polyvec_compress(r, pk); for (i = 0; i < KYBER_SYMBYTES; i++) { @@ -39,8 +38,7 @@ static void pack_pk(unsigned char *r, const polyvec *pk, * - const unsigned char *packedpk: pointer to input serialized *public key **************************************************/ -static void unpack_pk(polyvec *pk, unsigned char *seed, - const unsigned char *packedpk) { +static void unpack_pk(polyvec *pk, unsigned char *seed, const unsigned char *packedpk) { int i; PQCLEAN_KYBER768_polyvec_decompress(pk, packedpk); @@ -110,8 +108,8 @@ static void unpack_sk(polyvec *sk, const unsigned char *packedsk) { PQCLEAN_KYBER768_polyvec_frombytes(sk, packedsk); } -#define gen_a(A, B) PQCLEAN_KYBER768_gen_matrix(A, B, 0) -#define gen_at(A, B) PQCLEAN_KYBER768_gen_matrix(A, B, 1) +#define gen_a(A, B) gen_matrix(A, B, 0) +#define gen_at(A, B) gen_matrix(A, B, 1) /************************************************* * Name: gen_matrix @@ -126,8 +124,7 @@ static void unpack_sk(polyvec *sk, const unsigned char *packedsk) { * - int transposed: boolean deciding whether A or A^T *is generated **************************************************/ -void PQCLEAN_KYBER768_gen_matrix(polyvec *a, const unsigned char *seed, - int transposed) { // Not static for benchmarking +static void gen_matrix(polyvec *a, const unsigned char *seed, int transposed) { unsigned int pos = 0, ctr; uint16_t val; unsigned int nblocks; diff --git a/crypto_kem/kyber768/clean/indcpa.h b/crypto_kem/kyber768/clean/indcpa.h index 5832b4bb..34c44876 100644 --- a/crypto_kem/kyber768/clean/indcpa.h +++ b/crypto_kem/kyber768/clean/indcpa.h @@ -1,13 +1,16 @@ #ifndef INDCPA_H #define INDCPA_H -void PQCLEAN_KYBER768_indcpa_keypair(unsigned char *pk, unsigned char *sk); +void PQCLEAN_KYBER768_indcpa_keypair(unsigned char *pk, + unsigned char *sk); -void PQCLEAN_KYBER768_indcpa_enc(unsigned char *c, const unsigned char *m, +void PQCLEAN_KYBER768_indcpa_enc(unsigned char *c, + const unsigned char *m, const unsigned char *pk, const unsigned char *coins); -void PQCLEAN_KYBER768_indcpa_dec(unsigned char *m, const unsigned char *c, +void PQCLEAN_KYBER768_indcpa_dec(unsigned char *m, + const unsigned char *c, const unsigned char *sk); #endif diff --git a/crypto_kem/kyber768/clean/kem.c b/crypto_kem/kyber768/clean/kem.c index 13135e6e..65694306 100644 --- a/crypto_kem/kyber768/clean/kem.c +++ b/crypto_kem/kyber768/clean/kem.c @@ -24,11 +24,8 @@ int PQCLEAN_KYBER768_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) { for (i = 0; i < KYBER_INDCPA_PUBLICKEYBYTES; i++) { sk[i + KYBER_INDCPA_SECRETKEYBYTES] = pk[i]; } - sha3_256(sk + KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES, pk, - KYBER_PUBLICKEYBYTES); - randombytes( - sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, - KYBER_SYMBYTES); /* Value z for pseudo-random output on reject */ + sha3_256(sk + KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES); + randombytes(sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES); /* Value z for pseudo-random output on reject */ return 0; } @@ -47,27 +44,20 @@ int PQCLEAN_KYBER768_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) { * * Returns 0 (success) **************************************************/ -int PQCLEAN_KYBER768_crypto_kem_enc(unsigned char *ct, unsigned char *ss, - const unsigned char *pk) { +int PQCLEAN_KYBER768_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) { unsigned char kr[2 * KYBER_SYMBYTES]; /* Will contain key, coins */ unsigned char buf[2 * KYBER_SYMBYTES]; randombytes(buf, KYBER_SYMBYTES); - sha3_256(buf, buf, KYBER_SYMBYTES); /* Don't release system RNG output */ + sha3_256(buf, buf, KYBER_SYMBYTES); /* Don't release system RNG output */ - sha3_256(buf + KYBER_SYMBYTES, pk, - KYBER_PUBLICKEYBYTES); /* Multitarget countermeasure for coins + - contributory KEM */ + sha3_256(buf + KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES); /* Multitarget countermeasure for coins + contributory KEM */ sha3_512(kr, buf, 2 * KYBER_SYMBYTES); - PQCLEAN_KYBER768_indcpa_enc( - ct, buf, pk, kr + KYBER_SYMBYTES); /* coins are in kr+KYBER_SYMBYTES */ + PQCLEAN_KYBER768_indcpa_enc(ct, buf, pk, kr + KYBER_SYMBYTES); /* coins are in kr+KYBER_SYMBYTES */ - sha3_256(kr + KYBER_SYMBYTES, ct, - KYBER_CIPHERTEXTBYTES); /* overwrite coins in kr with H(c) */ - sha3_256( - ss, kr, - 2 * KYBER_SYMBYTES); /* hash concatenation of pre-k and H(c) to k */ + sha3_256(kr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); /* overwrite coins in kr with H(c) */ + sha3_256(ss, kr, 2 * KYBER_SYMBYTES); /* hash concatenation of pre-k and H(c) to k */ return 0; } @@ -88,40 +78,31 @@ int PQCLEAN_KYBER768_crypto_kem_enc(unsigned char *ct, unsigned char *ss, * * On failure, ss will contain a pseudo-random value. **************************************************/ -int PQCLEAN_KYBER768_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, - const unsigned char *sk) { +int PQCLEAN_KYBER768_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) { size_t i; int fail; unsigned char cmp[KYBER_CIPHERTEXTBYTES]; unsigned char buf[2 * KYBER_SYMBYTES]; unsigned char - kr[2 * KYBER_SYMBYTES]; /* Will contain key, coins, qrom-hash */ + kr[2 * KYBER_SYMBYTES]; /* Will contain key, coins, qrom-hash */ const unsigned char *pk = sk + KYBER_INDCPA_SECRETKEYBYTES; PQCLEAN_KYBER768_indcpa_dec(buf, ct, sk); - for (i = 0; i < KYBER_SYMBYTES; - i++) { /* Multitarget countermeasure for coins + contributory KEM */ - buf[KYBER_SYMBYTES + i] = sk[KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES + - i]; /* Save hash by storing H(pk) in sk */ + for (i = 0; i < KYBER_SYMBYTES; i++) { /* Multitarget countermeasure for coins + contributory KEM */ + buf[KYBER_SYMBYTES + i] = sk[KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES + i]; /* Save hash by storing H(pk) in sk */ } sha3_512(kr, buf, 2 * KYBER_SYMBYTES); - PQCLEAN_KYBER768_indcpa_enc( - cmp, buf, pk, kr + KYBER_SYMBYTES); /* coins are in kr+KYBER_SYMBYTES */ + PQCLEAN_KYBER768_indcpa_enc(cmp, buf, pk, kr + KYBER_SYMBYTES); /* coins are in kr+KYBER_SYMBYTES */ fail = PQCLEAN_KYBER768_verify(ct, cmp, KYBER_CIPHERTEXTBYTES); - sha3_256(kr + KYBER_SYMBYTES, ct, - KYBER_CIPHERTEXTBYTES); /* overwrite coins in kr with H(c) */ + sha3_256(kr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); /* overwrite coins in kr with H(c) */ - PQCLEAN_KYBER768_cmov( - kr, sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES, - fail); /* Overwrite pre-k with z on re-encryption failure */ + PQCLEAN_KYBER768_cmov(kr, sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES, fail); /* Overwrite pre-k with z on re-encryption failure */ - sha3_256( - ss, kr, - 2 * KYBER_SYMBYTES); /* hash concatenation of pre-k and H(c) to k */ + sha3_256(ss, kr, 2 * KYBER_SYMBYTES); /* hash concatenation of pre-k and H(c) to k */ return 0; } diff --git a/crypto_kem/kyber768/clean/kex.c b/crypto_kem/kyber768/clean/kex.c deleted file mode 100644 index d2d08330..00000000 --- a/crypto_kem/kyber768/clean/kex.c +++ /dev/null @@ -1,58 +0,0 @@ -#include "kex.h" -#include "fips202.h" -#include "verify.h" - -void PQCLEAN_KYBER768_kyber_uake_initA(u8 *send, u8 *tk, u8 *sk, - const u8 *pkb) { - PQCLEAN_KYBER768_crypto_kem_keypair(send, sk); - PQCLEAN_KYBER768_crypto_kem_enc(send + KYBER_PUBLICKEYBYTES, tk, pkb); -} - -void PQCLEAN_KYBER768_kyber_uake_sharedB(u8 *send, u8 *k, const u8 *recv, - const u8 *skb) { - unsigned char buf[2 * KYBER_SYMBYTES]; - PQCLEAN_KYBER768_crypto_kem_enc(send, buf, recv); - PQCLEAN_KYBER768_crypto_kem_dec(buf + KYBER_SYMBYTES, - recv + KYBER_PUBLICKEYBYTES, skb); - shake256(k, KYBER_SYMBYTES, buf, 2 * KYBER_SYMBYTES); -} - -void PQCLEAN_KYBER768_kyber_uake_sharedA(u8 *k, const u8 *recv, const u8 *tk, - const u8 *sk) { - unsigned char buf[2 * KYBER_SYMBYTES]; - int i; - PQCLEAN_KYBER768_crypto_kem_dec(buf, recv, sk); - for (i = 0; i < KYBER_SYMBYTES; i++) { - buf[i + KYBER_SYMBYTES] = tk[i]; - } - shake256(k, KYBER_SYMBYTES, buf, 2 * KYBER_SYMBYTES); -} - -void PQCLEAN_KYBER768_kyber_ake_initA(u8 *send, u8 *tk, u8 *sk, const u8 *pkb) { - PQCLEAN_KYBER768_crypto_kem_keypair(send, sk); - PQCLEAN_KYBER768_crypto_kem_enc(send + KYBER_PUBLICKEYBYTES, tk, pkb); -} - -void PQCLEAN_KYBER768_kyber_ake_sharedB(u8 *send, u8 *k, const u8 *recv, - const u8 *skb, const u8 *pka) { - unsigned char buf[3 * KYBER_SYMBYTES]; - PQCLEAN_KYBER768_crypto_kem_enc(send, buf, recv); - PQCLEAN_KYBER768_crypto_kem_enc(send + KYBER_CIPHERTEXTBYTES, - buf + KYBER_SYMBYTES, pka); - PQCLEAN_KYBER768_crypto_kem_dec(buf + 2 * KYBER_SYMBYTES, - recv + KYBER_PUBLICKEYBYTES, skb); - shake256(k, KYBER_SYMBYTES, buf, 3 * KYBER_SYMBYTES); -} - -void PQCLEAN_KYBER768_kyber_ake_sharedA(u8 *k, const u8 *recv, const u8 *tk, - const u8 *sk, const u8 *ska) { - unsigned char buf[3 * KYBER_SYMBYTES]; - int i; - PQCLEAN_KYBER768_crypto_kem_dec(buf, recv, sk); - PQCLEAN_KYBER768_crypto_kem_dec(buf + KYBER_SYMBYTES, - recv + KYBER_CIPHERTEXTBYTES, ska); - for (i = 0; i < KYBER_SYMBYTES; i++) { - buf[i + 2 * KYBER_SYMBYTES] = tk[i]; - } - shake256(k, KYBER_SYMBYTES, buf, 3 * KYBER_SYMBYTES); -} diff --git a/crypto_kem/kyber768/clean/kex.h b/crypto_kem/kyber768/clean/kex.h deleted file mode 100644 index 8338b85d..00000000 --- a/crypto_kem/kyber768/clean/kex.h +++ /dev/null @@ -1,31 +0,0 @@ -#ifndef KEX_H -#define KEX_H - -#include "api.h" -#include "params.h" - -#define KYBER_UAKE_SENDABYTES (KYBER_PUBLICKEYBYTES + KYBER_CIPHERTEXTBYTES) -#define KYBER_UAKE_SENDBBYTES (KYBER_CIPHERTEXTBYTES) - -#define KYBER_AKE_SENDABYTES (KYBER_PUBLICKEYBYTES + KYBER_CIPHERTEXTBYTES) -#define KYBER_AKE_SENDBBYTES (2 * KYBER_CIPHERTEXTBYTES) - -typedef unsigned char u8; - -void PQCLEAN_KYBER768_kyber_uake_initA(u8 *send, u8 *tk, u8 *sk, const u8 *pkb); - -void PQCLEAN_KYBER768_kyber_uake_sharedB(u8 *send, u8 *k, const u8 *recv, - const u8 *skb); - -void PQCLEAN_KYBER768_kyber_uake_sharedA(u8 *k, const u8 *recv, const u8 *tk, - const u8 *sk); - -void PQCLEAN_KYBER768_kyber_ake_initA(u8 *send, u8 *tk, u8 *sk, const u8 *pkb); - -void PQCLEAN_KYBER768_kyber_ake_sharedB(u8 *send, u8 *k, const u8 *recv, - const u8 *skb, const u8 *pka); - -void PQCLEAN_KYBER768_kyber_ake_sharedA(u8 *k, const u8 *recv, const u8 *tk, - const u8 *sk, const u8 *ska); - -#endif diff --git a/crypto_kem/kyber768/clean/ntt.c b/crypto_kem/kyber768/clean/ntt.c index 49f4c5f6..35a40b33 100644 --- a/crypto_kem/kyber768/clean/ntt.c +++ b/crypto_kem/kyber768/clean/ntt.c @@ -62,8 +62,7 @@ void PQCLEAN_KYBER768_invntt(uint16_t *a) { temp = a[j]; if (level & 1) { /* odd level */ - a[j] = PQCLEAN_KYBER768_barrett_reduce( - (temp + a[j + (1 << level)])); + a[j] = PQCLEAN_KYBER768_barrett_reduce((temp + a[j + (1 << level)])); } else { a[j] = (temp + a[j + (1 << level)]); /* Omit reduction (be lazy) */ } @@ -76,7 +75,6 @@ void PQCLEAN_KYBER768_invntt(uint16_t *a) { } for (j = 0; j < KYBER_N; j++) { - a[j] = PQCLEAN_KYBER768_montgomery_reduce( - (a[j] * PQCLEAN_KYBER768_psis_inv_montgomery[j])); + a[j] = PQCLEAN_KYBER768_montgomery_reduce((a[j] * PQCLEAN_KYBER768_psis_inv_montgomery[j])); } } diff --git a/crypto_kem/kyber768/clean/params.h b/crypto_kem/kyber768/clean/params.h index c8884d2d..f685061a 100644 --- a/crypto_kem/kyber768/clean/params.h +++ b/crypto_kem/kyber768/clean/params.h @@ -21,7 +21,7 @@ #define KYBER_INDCPA_BYTES (KYBER_POLYVECCOMPRESSEDBYTES + KYBER_POLYCOMPRESSEDBYTES) #define KYBER_PUBLICKEYBYTES (KYBER_INDCPA_PUBLICKEYBYTES) -#define KYBER_SECRETKEYBYTES (KYBER_INDCPA_SECRETKEYBYTES + KYBER_INDCPA_PUBLICKEYBYTES + 2*KYBER_SYMBYTES) /* 32 bytes of additional space to save H(pk) */ +#define KYBER_SECRETKEYBYTES (KYBER_INDCPA_SECRETKEYBYTES + KYBER_INDCPA_PUBLICKEYBYTES + 2 * KYBER_SYMBYTES) /* 32 bytes of additional space to save H(pk) */ #define KYBER_CIPHERTEXTBYTES KYBER_INDCPA_BYTES #endif diff --git a/crypto_kem/kyber768/clean/poly.c b/crypto_kem/kyber768/clean/poly.c index 41dd3e81..f020db96 100644 --- a/crypto_kem/kyber768/clean/poly.c +++ b/crypto_kem/kyber768/clean/poly.c @@ -23,7 +23,7 @@ void PQCLEAN_KYBER768_poly_compress(unsigned char *r, const poly *a) { t[j] = (((PQCLEAN_KYBER768_freeze(a->coeffs[i + j]) << 3) + KYBER_Q / 2) / KYBER_Q) & 7; } - r[k] = t[0] | (t[1] << 3) | (t[2] << 6); + r[k] = t[0] | (t[1] << 3) | (t[2] << 6); r[k + 1] = (t[2] >> 2) | (t[3] << 1) | (t[4] << 4) | (t[5] << 7); r[k + 2] = (t[5] >> 1) | (t[6] << 2) | (t[7] << 5); k += 3; @@ -42,7 +42,7 @@ void PQCLEAN_KYBER768_poly_compress(unsigned char *r, const poly *a) { void PQCLEAN_KYBER768_poly_decompress(poly *r, const unsigned char *a) { unsigned int i; for (i = 0; i < KYBER_N; i += 8) { - r->coeffs[i + 0] = (((a[0] & 7) * KYBER_Q) + 4) >> 3; + r->coeffs[i + 0] = (((a[0] & 7) * KYBER_Q) + 4) >> 3; r->coeffs[i + 1] = ((((a[0] >> 3) & 7) * KYBER_Q) + 4) >> 3; r->coeffs[i + 2] = ((((a[0] >> 6) | ((a[1] << 2) & 4)) * KYBER_Q) + 4) >> 3; r->coeffs[i + 3] = ((((a[1] >> 1) & 7) * KYBER_Q) + 4) >> 3; @@ -71,7 +71,7 @@ void PQCLEAN_KYBER768_poly_tobytes(unsigned char *r, const poly *a) { t[j] = PQCLEAN_KYBER768_freeze(a->coeffs[8 * i + j]); } - r[13 * i + 0] = t[0] & 0xff; + r[13 * i + 0] = t[0] & 0xff; r[13 * i + 1] = (t[0] >> 8) | ((t[1] & 0x07) << 5); r[13 * i + 2] = (t[1] >> 3) & 0xff; r[13 * i + 3] = (t[1] >> 11) | ((t[2] & 0x3f) << 2); @@ -99,7 +99,7 @@ void PQCLEAN_KYBER768_poly_tobytes(unsigned char *r, const poly *a) { void PQCLEAN_KYBER768_poly_frombytes(poly *r, const unsigned char *a) { int i; for (i = 0; i < KYBER_N / 8; i++) { - r->coeffs[8 * i + 0] = a[13 * i + 0] | (((uint16_t)a[13 * i + 1] & 0x1f) << 8); + r->coeffs[8 * i + 0] = a[13 * i + 0] | (((uint16_t)a[13 * i + 1] & 0x1f) << 8); r->coeffs[8 * i + 1] = (a[13 * i + 1] >> 5) | (((uint16_t)a[13 * i + 2]) << 3) | (((uint16_t)a[13 * i + 3] & 0x03) << 11); r->coeffs[8 * i + 2] = (a[13 * i + 3] >> 2) | (((uint16_t)a[13 * i + 4] & 0x7f) << 6); r->coeffs[8 * i + 3] = (a[13 * i + 4] >> 7) | (((uint16_t)a[13 * i + 5]) << 1) | (((uint16_t)a[13 * i + 6] & 0x0f) << 9); @@ -121,8 +121,7 @@ void PQCLEAN_KYBER768_poly_frombytes(poly *r, const unsigned char *a) { * - const unsigned char *seed: pointer to input seed * - unsigned char nonce: one-byte input nonce **************************************************/ -void PQCLEAN_KYBER768_poly_getnoise(poly *r, const unsigned char *seed, - unsigned char nonce) { +void PQCLEAN_KYBER768_poly_getnoise(poly *r, const unsigned char *seed, unsigned char nonce) { unsigned char buf[KYBER_ETA * KYBER_N / 4]; unsigned char extseed[KYBER_SYMBYTES + 1]; int i; @@ -204,8 +203,7 @@ void PQCLEAN_KYBER768_poly_sub(poly *r, const poly *a, const poly *b) { * Arguments: - poly *r: pointer to output polynomial * - const unsigned char *msg: pointer to input message **************************************************/ -void PQCLEAN_KYBER768_poly_frommsg(poly *r, - const unsigned char msg[KYBER_SYMBYTES]) { +void PQCLEAN_KYBER768_poly_frommsg(poly *r, const unsigned char msg[KYBER_SYMBYTES]) { uint16_t i, j, mask; for (i = 0; i < KYBER_SYMBYTES; i++) { @@ -224,8 +222,7 @@ void PQCLEAN_KYBER768_poly_frommsg(poly *r, * Arguments: - unsigned char *msg: pointer to output message * - const poly *a: pointer to input polynomial **************************************************/ -void PQCLEAN_KYBER768_poly_tomsg(unsigned char msg[KYBER_SYMBYTES], - const poly *a) { +void PQCLEAN_KYBER768_poly_tomsg(unsigned char msg[KYBER_SYMBYTES], const poly *a) { uint16_t t; int i, j; diff --git a/crypto_kem/kyber768/clean/poly.h b/crypto_kem/kyber768/clean/poly.h index 5a3b652e..fea82792 100644 --- a/crypto_kem/kyber768/clean/poly.h +++ b/crypto_kem/kyber768/clean/poly.h @@ -18,13 +18,10 @@ void PQCLEAN_KYBER768_poly_decompress(poly *r, const unsigned char *a); void PQCLEAN_KYBER768_poly_tobytes(unsigned char *r, const poly *a); void PQCLEAN_KYBER768_poly_frombytes(poly *r, const unsigned char *a); -void PQCLEAN_KYBER768_poly_frommsg(poly *r, - const unsigned char msg[KYBER_SYMBYTES]); -void PQCLEAN_KYBER768_poly_tomsg(unsigned char msg[KYBER_SYMBYTES], - const poly *a); +void PQCLEAN_KYBER768_poly_frommsg(poly *r, const unsigned char msg[KYBER_SYMBYTES]); +void PQCLEAN_KYBER768_poly_tomsg(unsigned char msg[KYBER_SYMBYTES], const poly *a); -void PQCLEAN_KYBER768_poly_getnoise(poly *r, const unsigned char *seed, - unsigned char nonce); +void PQCLEAN_KYBER768_poly_getnoise(poly *r, const unsigned char *seed, unsigned char nonce); void PQCLEAN_KYBER768_poly_ntt(poly *r); void PQCLEAN_KYBER768_poly_invntt(poly *r); diff --git a/crypto_kem/kyber768/clean/polyvec.c b/crypto_kem/kyber768/clean/polyvec.c index d4f4fc9a..f90af808 100644 --- a/crypto_kem/kyber768/clean/polyvec.c +++ b/crypto_kem/kyber768/clean/polyvec.c @@ -21,7 +21,7 @@ void PQCLEAN_KYBER768_polyvec_compress(unsigned char *r, const polyvec *a) { t[k] = ((((uint32_t)PQCLEAN_KYBER768_freeze(a->vec[i].coeffs[8 * j + k]) << 11) + KYBER_Q / 2) / KYBER_Q) & 0x7ff; } - r[11 * j + 0] = t[0] & 0xff; + r[11 * j + 0] = t[0] & 0xff; r[11 * j + 1] = (t[0] >> 8) | ((t[1] & 0x1f) << 3); r[11 * j + 2] = (t[1] >> 5) | ((t[2] & 0x03) << 6); r[11 * j + 3] = (t[2] >> 2) & 0xff; @@ -50,12 +50,12 @@ void PQCLEAN_KYBER768_polyvec_decompress(polyvec *r, const unsigned char *a) { int i, j; for (i = 0; i < KYBER_K; i++) { for (j = 0; j < KYBER_N / 8; j++) { - r->vec[i].coeffs[8 * j + 0] = (((a[11 * j + 0] | (((uint32_t)a[11 * j + 1] & 0x07) << 8)) * KYBER_Q) + 1024) >> 11; + r->vec[i].coeffs[8 * j + 0] = (((a[11 * j + 0] | (((uint32_t)a[11 * j + 1] & 0x07) << 8)) * KYBER_Q) + 1024) >> 11; r->vec[i].coeffs[8 * j + 1] = ((((a[11 * j + 1] >> 3) | (((uint32_t)a[11 * j + 2] & 0x3f) << 5)) * KYBER_Q) + 1024) >> 11; r->vec[i].coeffs[8 * j + 2] = ((((a[11 * j + 2] >> 6) | (((uint32_t)a[11 * j + 3] & 0xff) << 2) | (((uint32_t)a[11 * j + 4] & 0x01) << 10)) * KYBER_Q) + 1024) >> 11; r->vec[i].coeffs[8 * j + 3] = ((((a[11 * j + 4] >> 1) | (((uint32_t)a[11 * j + 5] & 0x0f) << 7)) * KYBER_Q) + 1024) >> 11; r->vec[i].coeffs[8 * j + 4] = ((((a[11 * j + 5] >> 4) | (((uint32_t)a[11 * j + 6] & 0x7f) << 4)) * KYBER_Q) + 1024) >> 11; - r->vec[i].coeffs[8 * j + 5] = ((((a[11 * j + 6] >> 7) | (((uint32_t)a[11 * j + 7] & 0xff) << 1) | (((uint32_t)a[11 * j + 8] & 0x03) << 9)) * KYBER_Q) + 1024) >> 11; + r->vec[i].coeffs[8 * j + 5] = ((((a[11 * j + 6] >> 7) | (((uint32_t)a[11 * j + 7] & 0xff) << 1) | (((uint32_t)a[11 * j + 8] & 0x03) << 9)) * KYBER_Q) + 1024) >> 11; r->vec[i].coeffs[8 * j + 6] = ((((a[11 * j + 8] >> 2) | (((uint32_t)a[11 * j + 9] & 0x1f) << 6)) * KYBER_Q) + 1024) >> 11; r->vec[i].coeffs[8 * j + 7] = ((((a[11 * j + 9] >> 5) | (((uint32_t)a[11 * j + 10] & 0xff) << 3)) * KYBER_Q) + 1024) >> 11; } @@ -131,8 +131,7 @@ void PQCLEAN_KYBER768_polyvec_invntt(polyvec *r) { * - const polyvec *a: pointer to first input vector of polynomials * - const polyvec *b: pointer to second input vector of polynomials **************************************************/ -void PQCLEAN_KYBER768_polyvec_pointwise_acc(poly *r, const polyvec *a, - const polyvec *b) { +void PQCLEAN_KYBER768_polyvec_pointwise_acc(poly *r, const polyvec *a, const polyvec *b) { int i, j; uint16_t t; for (j = 0; j < KYBER_N; j++) { @@ -155,8 +154,7 @@ void PQCLEAN_KYBER768_polyvec_pointwise_acc(poly *r, const polyvec *a, * - const polyvec *a: pointer to first input vector of polynomials * - const polyvec *b: pointer to second input vector of polynomials **************************************************/ -void PQCLEAN_KYBER768_polyvec_add(polyvec *r, const polyvec *a, - const polyvec *b) { +void PQCLEAN_KYBER768_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b) { int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER768_poly_add(&r->vec[i], &a->vec[i], &b->vec[i]); diff --git a/crypto_kem/kyber768/clean/polyvec.h b/crypto_kem/kyber768/clean/polyvec.h index fcd2469e..868ac714 100644 --- a/crypto_kem/kyber768/clean/polyvec.h +++ b/crypto_kem/kyber768/clean/polyvec.h @@ -17,10 +17,8 @@ void PQCLEAN_KYBER768_polyvec_frombytes(polyvec *r, const unsigned char *a); void PQCLEAN_KYBER768_polyvec_ntt(polyvec *r); void PQCLEAN_KYBER768_polyvec_invntt(polyvec *r); -void PQCLEAN_KYBER768_polyvec_pointwise_acc(poly *r, const polyvec *a, - const polyvec *b); +void PQCLEAN_KYBER768_polyvec_pointwise_acc(poly *r, const polyvec *a, const polyvec *b); -void PQCLEAN_KYBER768_polyvec_add(polyvec *r, const polyvec *a, - const polyvec *b); +void PQCLEAN_KYBER768_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b); #endif diff --git a/crypto_kem/kyber768/clean/precomp.c b/crypto_kem/kyber768/clean/precomp.c index 1c6c4aee..a4b79c57 100644 --- a/crypto_kem/kyber768/clean/precomp.c +++ b/crypto_kem/kyber768/clean/precomp.c @@ -57,7 +57,8 @@ const uint16_t PQCLEAN_KYBER768_zetas[KYBER_N] = { 5113, 333, 3502, 4517, 1480, 1172, 5567, 651, 925, 4573, 599, 1367, 4109, 1863, 6929, 1605, 3866, 2065, 4048, 839, 5764, 2447, 2022, 3345, 1990, 4067, 2036, 2069, 3567, 7371, 2368, 339, 6947, 2159, 654, 7327, - 2768, 6676, 987, 2214}; + 2768, 6676, 987, 2214 +}; const uint16_t PQCLEAN_KYBER768_omegas_inv_bitrev_montgomery[KYBER_N / 2] = { 990, 254, 862, 5047, 6586, 5538, 4400, 7103, 2025, 6804, 3858, 1595, @@ -70,7 +71,8 @@ const uint16_t PQCLEAN_KYBER768_omegas_inv_bitrev_montgomery[KYBER_N / 2] = { 1597, 2908, 1825, 6132, 98, 1251, 4306, 4022, 4314, 362, 1289, 5560, 3830, 6724, 6671, 1215, 2281, 4899, 5074, 5988, 5041, 1883, 2822, 7024, 2920, 594, 6189, 6662, 3247, 771, 5822, 1742, 4206, 3686, 776, 5987, - 8, 4021, 38, 5658, 3017, 6143, 889, 4216}; + 8, 4021, 38, 5658, 3017, 6143, 889, 4216 +}; const uint16_t PQCLEAN_KYBER768_psis_inv_montgomery[KYBER_N] = { 1024, 4972, 5779, 6907, 4943, 4168, 315, 5580, 90, 497, 1123, 142, @@ -94,4 +96,5 @@ const uint16_t PQCLEAN_KYBER768_psis_inv_montgomery[KYBER_N] = { 145, 374, 2236, 4496, 5028, 6771, 6923, 7421, 1978, 1023, 3857, 6876, 1102, 7451, 4704, 6518, 1344, 765, 384, 5705, 1207, 1630, 4734, 1563, 6839, 5933, 1954, 4987, 7142, 5814, 7527, 4953, 7637, 4707, 2182, 5734, - 2818, 541, 4097, 5641}; + 2818, 541, 4097, 5641 +}; diff --git a/crypto_kem/kyber768/clean/verify.c b/crypto_kem/kyber768/clean/verify.c index c1a8410d..a3e14d53 100644 --- a/crypto_kem/kyber768/clean/verify.c +++ b/crypto_kem/kyber768/clean/verify.c @@ -12,8 +12,7 @@ * * Returns 0 if the byte arrays are equal, 1 otherwise **************************************************/ -int PQCLEAN_KYBER768_verify(const unsigned char *a, const unsigned char *b, - size_t len) { +int PQCLEAN_KYBER768_verify(const unsigned char *a, const unsigned char *b, size_t len) { uint64_t r; size_t i; r = 0; @@ -39,8 +38,7 @@ int PQCLEAN_KYBER768_verify(const unsigned char *a, const unsigned char *b, * size_t len: Amount of bytes to be copied * unsigned char b: Condition bit; has to be in {0,1} **************************************************/ -void PQCLEAN_KYBER768_cmov(unsigned char *r, const unsigned char *x, size_t len, - unsigned char b) { +void PQCLEAN_KYBER768_cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b) { size_t i; b = -b; diff --git a/crypto_kem/kyber768/clean/verify.h b/crypto_kem/kyber768/clean/verify.h index 1156bd1c..ef29d392 100644 --- a/crypto_kem/kyber768/clean/verify.h +++ b/crypto_kem/kyber768/clean/verify.h @@ -3,10 +3,8 @@ #include -int PQCLEAN_KYBER768_verify(const unsigned char *a, const unsigned char *b, - size_t len); +int PQCLEAN_KYBER768_verify(const unsigned char *a, const unsigned char *b, size_t len); -void PQCLEAN_KYBER768_cmov(unsigned char *r, const unsigned char *x, size_t len, - unsigned char b); +void PQCLEAN_KYBER768_cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b); #endif