Przeglądaj źródła

Some cleanup, expanded dependencies, removed two unnecessary files in kyber768

master
Peter Schwabe 5 lat temu
rodzic
commit
8e594f3c23
18 zmienionych plików z 64 dodań i 186 usunięć
  1. +1
    -0
      .astylerc
  2. +1
    -1
      README.md
  3. +2
    -4
      crypto_kem/kyber768/clean/api.h
  4. +3
    -3
      crypto_kem/kyber768/clean/cbd.c
  5. +5
    -8
      crypto_kem/kyber768/clean/indcpa.c
  6. +6
    -3
      crypto_kem/kyber768/clean/indcpa.h
  7. +16
    -35
      crypto_kem/kyber768/clean/kem.c
  8. +0
    -58
      crypto_kem/kyber768/clean/kex.c
  9. +0
    -31
      crypto_kem/kyber768/clean/kex.h
  10. +2
    -4
      crypto_kem/kyber768/clean/ntt.c
  11. +1
    -1
      crypto_kem/kyber768/clean/params.h
  12. +7
    -10
      crypto_kem/kyber768/clean/poly.c
  13. +3
    -6
      crypto_kem/kyber768/clean/poly.h
  14. +5
    -7
      crypto_kem/kyber768/clean/polyvec.c
  15. +2
    -4
      crypto_kem/kyber768/clean/polyvec.h
  16. +6
    -3
      crypto_kem/kyber768/clean/precomp.c
  17. +2
    -4
      crypto_kem/kyber768/clean/verify.c
  18. +2
    -4
      crypto_kem/kyber768/clean/verify.h

+ 1
- 0
.astylerc Wyświetl plik

@@ -5,7 +5,7 @@
--pad-oper
--pad-comma
--pad-header
#--unpad-paren
--align-pointer=name
--add-braces
--convert-tabs


+ 1
- 1
README.md Wyświetl plik

@@ -111,7 +111,7 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size

As noted above, PQClean is **not** meant to be built as a single library: it is a collection of source code that can be easily integrated into other libraries. The PQClean repository includes various test programs which do build various files, but you should not use the resulting binaries for any purpose.

List of required dependencies: ``gcc or clang, make, python3, python-yaml library, valgrind``.
List of required dependencies: ``gcc or clang, make, python3, python-yaml library, valgrind, astyle (>= 3.0)``.

## Using source code from PQClean in your own project



+ 2
- 4
crypto_kem/kyber768/clean/api.h Wyświetl plik

@@ -12,10 +12,8 @@

int PQCLEAN_KYBER768_crypto_kem_keypair(unsigned char *pk, unsigned char *sk);

int PQCLEAN_KYBER768_crypto_kem_enc(unsigned char *ct, unsigned char *ss,
const unsigned char *pk);
int PQCLEAN_KYBER768_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk);

int PQCLEAN_KYBER768_crypto_kem_dec(unsigned char *ss, const unsigned char *ct,
const unsigned char *sk);
int PQCLEAN_KYBER768_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk);

#endif

+ 3
- 3
crypto_kem/kyber768/clean/cbd.c Wyświetl plik

@@ -43,7 +43,7 @@ void PQCLEAN_KYBER768_cbd(poly *r, const unsigned char *buf) {
d += (t >> j) & 0x249249;
}

a[0] = d & 0x7;
a[0] = d & 0x7;
b[0] = (d >> 3) & 0x7;
a[1] = (d >> 6) & 0x7;
b[1] = (d >> 9) & 0x7;
@@ -68,7 +68,7 @@ void PQCLEAN_KYBER768_cbd(poly *r, const unsigned char *buf) {
d += (t >> j) & 0x11111111;
}

a[0] = d & 0xf;
a[0] = d & 0xf;
b[0] = (d >> 4) & 0xf;
a[1] = (d >> 8) & 0xf;
b[1] = (d >> 12) & 0xf;
@@ -93,7 +93,7 @@ void PQCLEAN_KYBER768_cbd(poly *r, const unsigned char *buf) {
d += (t >> j) & 0x0842108421UL;
}

a[0] = d & 0x1f;
a[0] = d & 0x1f;
b[0] = (d >> 5) & 0x1f;
a[1] = (d >> 10) & 0x1f;
b[1] = (d >> 15) & 0x1f;


+ 5
- 8
crypto_kem/kyber768/clean/indcpa.c Wyświetl plik

@@ -17,8 +17,7 @@
*public key const poly *pk: pointer to the input public-key
*polynomial const unsigned char *seed: pointer to the input public seed
**************************************************/
static void pack_pk(unsigned char *r, const polyvec *pk,
const unsigned char *seed) {
static void pack_pk(unsigned char *r, const polyvec *pk, const unsigned char *seed) {
int i;
PQCLEAN_KYBER768_polyvec_compress(r, pk);
for (i = 0; i < KYBER_SYMBYTES; i++) {
@@ -39,8 +38,7 @@ static void pack_pk(unsigned char *r, const polyvec *pk,
* - const unsigned char *packedpk: pointer to input serialized
*public key
**************************************************/
static void unpack_pk(polyvec *pk, unsigned char *seed,
const unsigned char *packedpk) {
static void unpack_pk(polyvec *pk, unsigned char *seed, const unsigned char *packedpk) {
int i;
PQCLEAN_KYBER768_polyvec_decompress(pk, packedpk);

@@ -110,8 +108,8 @@ static void unpack_sk(polyvec *sk, const unsigned char *packedsk) {
PQCLEAN_KYBER768_polyvec_frombytes(sk, packedsk);
}

#define gen_a(A, B) PQCLEAN_KYBER768_gen_matrix(A, B, 0)
#define gen_at(A, B) PQCLEAN_KYBER768_gen_matrix(A, B, 1)
#define gen_a(A, B) gen_matrix(A, B, 0)
#define gen_at(A, B) gen_matrix(A, B, 1)

/*************************************************
* Name: gen_matrix
@@ -126,8 +124,7 @@ static void unpack_sk(polyvec *sk, const unsigned char *packedsk) {
* - int transposed: boolean deciding whether A or A^T
*is generated
**************************************************/
void PQCLEAN_KYBER768_gen_matrix(polyvec *a, const unsigned char *seed,
int transposed) { // Not static for benchmarking
static void gen_matrix(polyvec *a, const unsigned char *seed, int transposed) {
unsigned int pos = 0, ctr;
uint16_t val;
unsigned int nblocks;


+ 6
- 3
crypto_kem/kyber768/clean/indcpa.h Wyświetl plik

@@ -1,13 +1,16 @@
#ifndef INDCPA_H
#define INDCPA_H

void PQCLEAN_KYBER768_indcpa_keypair(unsigned char *pk, unsigned char *sk);
void PQCLEAN_KYBER768_indcpa_keypair(unsigned char *pk,
unsigned char *sk);

void PQCLEAN_KYBER768_indcpa_enc(unsigned char *c, const unsigned char *m,
void PQCLEAN_KYBER768_indcpa_enc(unsigned char *c,
const unsigned char *m,
const unsigned char *pk,
const unsigned char *coins);

void PQCLEAN_KYBER768_indcpa_dec(unsigned char *m, const unsigned char *c,
void PQCLEAN_KYBER768_indcpa_dec(unsigned char *m,
const unsigned char *c,
const unsigned char *sk);

#endif

+ 16
- 35
crypto_kem/kyber768/clean/kem.c Wyświetl plik

@@ -24,11 +24,8 @@ int PQCLEAN_KYBER768_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) {
for (i = 0; i < KYBER_INDCPA_PUBLICKEYBYTES; i++) {
sk[i + KYBER_INDCPA_SECRETKEYBYTES] = pk[i];
}
sha3_256(sk + KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES, pk,
KYBER_PUBLICKEYBYTES);
randombytes(
sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES,
KYBER_SYMBYTES); /* Value z for pseudo-random output on reject */
sha3_256(sk + KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
randombytes(sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES); /* Value z for pseudo-random output on reject */
return 0;
}

@@ -47,27 +44,20 @@ int PQCLEAN_KYBER768_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) {
*
* Returns 0 (success)
**************************************************/
int PQCLEAN_KYBER768_crypto_kem_enc(unsigned char *ct, unsigned char *ss,
const unsigned char *pk) {
int PQCLEAN_KYBER768_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) {
unsigned char kr[2 * KYBER_SYMBYTES]; /* Will contain key, coins */
unsigned char buf[2 * KYBER_SYMBYTES];

randombytes(buf, KYBER_SYMBYTES);
sha3_256(buf, buf, KYBER_SYMBYTES); /* Don't release system RNG output */
sha3_256(buf, buf, KYBER_SYMBYTES); /* Don't release system RNG output */

sha3_256(buf + KYBER_SYMBYTES, pk,
KYBER_PUBLICKEYBYTES); /* Multitarget countermeasure for coins +
contributory KEM */
sha3_256(buf + KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES); /* Multitarget countermeasure for coins + contributory KEM */
sha3_512(kr, buf, 2 * KYBER_SYMBYTES);

PQCLEAN_KYBER768_indcpa_enc(
ct, buf, pk, kr + KYBER_SYMBYTES); /* coins are in kr+KYBER_SYMBYTES */
PQCLEAN_KYBER768_indcpa_enc(ct, buf, pk, kr + KYBER_SYMBYTES); /* coins are in kr+KYBER_SYMBYTES */

sha3_256(kr + KYBER_SYMBYTES, ct,
KYBER_CIPHERTEXTBYTES); /* overwrite coins in kr with H(c) */
sha3_256(
ss, kr,
2 * KYBER_SYMBYTES); /* hash concatenation of pre-k and H(c) to k */
sha3_256(kr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); /* overwrite coins in kr with H(c) */
sha3_256(ss, kr, 2 * KYBER_SYMBYTES); /* hash concatenation of pre-k and H(c) to k */
return 0;
}

@@ -88,40 +78,31 @@ int PQCLEAN_KYBER768_crypto_kem_enc(unsigned char *ct, unsigned char *ss,
*
* On failure, ss will contain a pseudo-random value.
**************************************************/
int PQCLEAN_KYBER768_crypto_kem_dec(unsigned char *ss, const unsigned char *ct,
const unsigned char *sk) {
int PQCLEAN_KYBER768_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) {
size_t i;
int fail;
unsigned char cmp[KYBER_CIPHERTEXTBYTES];
unsigned char buf[2 * KYBER_SYMBYTES];
unsigned char
kr[2 * KYBER_SYMBYTES]; /* Will contain key, coins, qrom-hash */
kr[2 * KYBER_SYMBYTES]; /* Will contain key, coins, qrom-hash */
const unsigned char *pk = sk + KYBER_INDCPA_SECRETKEYBYTES;

PQCLEAN_KYBER768_indcpa_dec(buf, ct, sk);

for (i = 0; i < KYBER_SYMBYTES;
i++) { /* Multitarget countermeasure for coins + contributory KEM */
buf[KYBER_SYMBYTES + i] = sk[KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES +
i]; /* Save hash by storing H(pk) in sk */
for (i = 0; i < KYBER_SYMBYTES; i++) { /* Multitarget countermeasure for coins + contributory KEM */
buf[KYBER_SYMBYTES + i] = sk[KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES + i]; /* Save hash by storing H(pk) in sk */
}
sha3_512(kr, buf, 2 * KYBER_SYMBYTES);

PQCLEAN_KYBER768_indcpa_enc(
cmp, buf, pk, kr + KYBER_SYMBYTES); /* coins are in kr+KYBER_SYMBYTES */
PQCLEAN_KYBER768_indcpa_enc(cmp, buf, pk, kr + KYBER_SYMBYTES); /* coins are in kr+KYBER_SYMBYTES */

fail = PQCLEAN_KYBER768_verify(ct, cmp, KYBER_CIPHERTEXTBYTES);

sha3_256(kr + KYBER_SYMBYTES, ct,
KYBER_CIPHERTEXTBYTES); /* overwrite coins in kr with H(c) */
sha3_256(kr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); /* overwrite coins in kr with H(c) */

PQCLEAN_KYBER768_cmov(
kr, sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES,
fail); /* Overwrite pre-k with z on re-encryption failure */
PQCLEAN_KYBER768_cmov(kr, sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES, fail); /* Overwrite pre-k with z on re-encryption failure */

sha3_256(
ss, kr,
2 * KYBER_SYMBYTES); /* hash concatenation of pre-k and H(c) to k */
sha3_256(ss, kr, 2 * KYBER_SYMBYTES); /* hash concatenation of pre-k and H(c) to k */

return 0;
}

+ 0
- 58
crypto_kem/kyber768/clean/kex.c Wyświetl plik

@@ -1,58 +0,0 @@
#include "kex.h"
#include "fips202.h"
#include "verify.h"

void PQCLEAN_KYBER768_kyber_uake_initA(u8 *send, u8 *tk, u8 *sk,
const u8 *pkb) {
PQCLEAN_KYBER768_crypto_kem_keypair(send, sk);
PQCLEAN_KYBER768_crypto_kem_enc(send + KYBER_PUBLICKEYBYTES, tk, pkb);
}

void PQCLEAN_KYBER768_kyber_uake_sharedB(u8 *send, u8 *k, const u8 *recv,
const u8 *skb) {
unsigned char buf[2 * KYBER_SYMBYTES];
PQCLEAN_KYBER768_crypto_kem_enc(send, buf, recv);
PQCLEAN_KYBER768_crypto_kem_dec(buf + KYBER_SYMBYTES,
recv + KYBER_PUBLICKEYBYTES, skb);
shake256(k, KYBER_SYMBYTES, buf, 2 * KYBER_SYMBYTES);
}

void PQCLEAN_KYBER768_kyber_uake_sharedA(u8 *k, const u8 *recv, const u8 *tk,
const u8 *sk) {
unsigned char buf[2 * KYBER_SYMBYTES];
int i;
PQCLEAN_KYBER768_crypto_kem_dec(buf, recv, sk);
for (i = 0; i < KYBER_SYMBYTES; i++) {
buf[i + KYBER_SYMBYTES] = tk[i];
}
shake256(k, KYBER_SYMBYTES, buf, 2 * KYBER_SYMBYTES);
}

void PQCLEAN_KYBER768_kyber_ake_initA(u8 *send, u8 *tk, u8 *sk, const u8 *pkb) {
PQCLEAN_KYBER768_crypto_kem_keypair(send, sk);
PQCLEAN_KYBER768_crypto_kem_enc(send + KYBER_PUBLICKEYBYTES, tk, pkb);
}

void PQCLEAN_KYBER768_kyber_ake_sharedB(u8 *send, u8 *k, const u8 *recv,
const u8 *skb, const u8 *pka) {
unsigned char buf[3 * KYBER_SYMBYTES];
PQCLEAN_KYBER768_crypto_kem_enc(send, buf, recv);
PQCLEAN_KYBER768_crypto_kem_enc(send + KYBER_CIPHERTEXTBYTES,
buf + KYBER_SYMBYTES, pka);
PQCLEAN_KYBER768_crypto_kem_dec(buf + 2 * KYBER_SYMBYTES,
recv + KYBER_PUBLICKEYBYTES, skb);
shake256(k, KYBER_SYMBYTES, buf, 3 * KYBER_SYMBYTES);
}

void PQCLEAN_KYBER768_kyber_ake_sharedA(u8 *k, const u8 *recv, const u8 *tk,
const u8 *sk, const u8 *ska) {
unsigned char buf[3 * KYBER_SYMBYTES];
int i;
PQCLEAN_KYBER768_crypto_kem_dec(buf, recv, sk);
PQCLEAN_KYBER768_crypto_kem_dec(buf + KYBER_SYMBYTES,
recv + KYBER_CIPHERTEXTBYTES, ska);
for (i = 0; i < KYBER_SYMBYTES; i++) {
buf[i + 2 * KYBER_SYMBYTES] = tk[i];
}
shake256(k, KYBER_SYMBYTES, buf, 3 * KYBER_SYMBYTES);
}

+ 0
- 31
crypto_kem/kyber768/clean/kex.h Wyświetl plik

@@ -1,31 +0,0 @@
#ifndef KEX_H
#define KEX_H

#include "api.h"
#include "params.h"

#define KYBER_UAKE_SENDABYTES (KYBER_PUBLICKEYBYTES + KYBER_CIPHERTEXTBYTES)
#define KYBER_UAKE_SENDBBYTES (KYBER_CIPHERTEXTBYTES)

#define KYBER_AKE_SENDABYTES (KYBER_PUBLICKEYBYTES + KYBER_CIPHERTEXTBYTES)
#define KYBER_AKE_SENDBBYTES (2 * KYBER_CIPHERTEXTBYTES)

typedef unsigned char u8;

void PQCLEAN_KYBER768_kyber_uake_initA(u8 *send, u8 *tk, u8 *sk, const u8 *pkb);

void PQCLEAN_KYBER768_kyber_uake_sharedB(u8 *send, u8 *k, const u8 *recv,
const u8 *skb);

void PQCLEAN_KYBER768_kyber_uake_sharedA(u8 *k, const u8 *recv, const u8 *tk,
const u8 *sk);

void PQCLEAN_KYBER768_kyber_ake_initA(u8 *send, u8 *tk, u8 *sk, const u8 *pkb);

void PQCLEAN_KYBER768_kyber_ake_sharedB(u8 *send, u8 *k, const u8 *recv,
const u8 *skb, const u8 *pka);

void PQCLEAN_KYBER768_kyber_ake_sharedA(u8 *k, const u8 *recv, const u8 *tk,
const u8 *sk, const u8 *ska);

#endif

+ 2
- 4
crypto_kem/kyber768/clean/ntt.c Wyświetl plik

@@ -62,8 +62,7 @@ void PQCLEAN_KYBER768_invntt(uint16_t *a) {
temp = a[j];

if (level & 1) { /* odd level */
a[j] = PQCLEAN_KYBER768_barrett_reduce(
(temp + a[j + (1 << level)]));
a[j] = PQCLEAN_KYBER768_barrett_reduce((temp + a[j + (1 << level)]));
} else {
a[j] = (temp + a[j + (1 << level)]); /* Omit reduction (be lazy) */
}
@@ -76,7 +75,6 @@ void PQCLEAN_KYBER768_invntt(uint16_t *a) {
}

for (j = 0; j < KYBER_N; j++) {
a[j] = PQCLEAN_KYBER768_montgomery_reduce(
(a[j] * PQCLEAN_KYBER768_psis_inv_montgomery[j]));
a[j] = PQCLEAN_KYBER768_montgomery_reduce((a[j] * PQCLEAN_KYBER768_psis_inv_montgomery[j]));
}
}

+ 1
- 1
crypto_kem/kyber768/clean/params.h Wyświetl plik

@@ -21,7 +21,7 @@
#define KYBER_INDCPA_BYTES (KYBER_POLYVECCOMPRESSEDBYTES + KYBER_POLYCOMPRESSEDBYTES)

#define KYBER_PUBLICKEYBYTES (KYBER_INDCPA_PUBLICKEYBYTES)
#define KYBER_SECRETKEYBYTES (KYBER_INDCPA_SECRETKEYBYTES + KYBER_INDCPA_PUBLICKEYBYTES + 2*KYBER_SYMBYTES) /* 32 bytes of additional space to save H(pk) */
#define KYBER_SECRETKEYBYTES (KYBER_INDCPA_SECRETKEYBYTES + KYBER_INDCPA_PUBLICKEYBYTES + 2 * KYBER_SYMBYTES) /* 32 bytes of additional space to save H(pk) */
#define KYBER_CIPHERTEXTBYTES KYBER_INDCPA_BYTES

#endif

+ 7
- 10
crypto_kem/kyber768/clean/poly.c Wyświetl plik

@@ -23,7 +23,7 @@ void PQCLEAN_KYBER768_poly_compress(unsigned char *r, const poly *a) {
t[j] = (((PQCLEAN_KYBER768_freeze(a->coeffs[i + j]) << 3) + KYBER_Q / 2) / KYBER_Q) & 7;
}

r[k] = t[0] | (t[1] << 3) | (t[2] << 6);
r[k] = t[0] | (t[1] << 3) | (t[2] << 6);
r[k + 1] = (t[2] >> 2) | (t[3] << 1) | (t[4] << 4) | (t[5] << 7);
r[k + 2] = (t[5] >> 1) | (t[6] << 2) | (t[7] << 5);
k += 3;
@@ -42,7 +42,7 @@ void PQCLEAN_KYBER768_poly_compress(unsigned char *r, const poly *a) {
void PQCLEAN_KYBER768_poly_decompress(poly *r, const unsigned char *a) {
unsigned int i;
for (i = 0; i < KYBER_N; i += 8) {
r->coeffs[i + 0] = (((a[0] & 7) * KYBER_Q) + 4) >> 3;
r->coeffs[i + 0] = (((a[0] & 7) * KYBER_Q) + 4) >> 3;
r->coeffs[i + 1] = ((((a[0] >> 3) & 7) * KYBER_Q) + 4) >> 3;
r->coeffs[i + 2] = ((((a[0] >> 6) | ((a[1] << 2) & 4)) * KYBER_Q) + 4) >> 3;
r->coeffs[i + 3] = ((((a[1] >> 1) & 7) * KYBER_Q) + 4) >> 3;
@@ -71,7 +71,7 @@ void PQCLEAN_KYBER768_poly_tobytes(unsigned char *r, const poly *a) {
t[j] = PQCLEAN_KYBER768_freeze(a->coeffs[8 * i + j]);
}

r[13 * i + 0] = t[0] & 0xff;
r[13 * i + 0] = t[0] & 0xff;
r[13 * i + 1] = (t[0] >> 8) | ((t[1] & 0x07) << 5);
r[13 * i + 2] = (t[1] >> 3) & 0xff;
r[13 * i + 3] = (t[1] >> 11) | ((t[2] & 0x3f) << 2);
@@ -99,7 +99,7 @@ void PQCLEAN_KYBER768_poly_tobytes(unsigned char *r, const poly *a) {
void PQCLEAN_KYBER768_poly_frombytes(poly *r, const unsigned char *a) {
int i;
for (i = 0; i < KYBER_N / 8; i++) {
r->coeffs[8 * i + 0] = a[13 * i + 0] | (((uint16_t)a[13 * i + 1] & 0x1f) << 8);
r->coeffs[8 * i + 0] = a[13 * i + 0] | (((uint16_t)a[13 * i + 1] & 0x1f) << 8);
r->coeffs[8 * i + 1] = (a[13 * i + 1] >> 5) | (((uint16_t)a[13 * i + 2]) << 3) | (((uint16_t)a[13 * i + 3] & 0x03) << 11);
r->coeffs[8 * i + 2] = (a[13 * i + 3] >> 2) | (((uint16_t)a[13 * i + 4] & 0x7f) << 6);
r->coeffs[8 * i + 3] = (a[13 * i + 4] >> 7) | (((uint16_t)a[13 * i + 5]) << 1) | (((uint16_t)a[13 * i + 6] & 0x0f) << 9);
@@ -121,8 +121,7 @@ void PQCLEAN_KYBER768_poly_frombytes(poly *r, const unsigned char *a) {
* - const unsigned char *seed: pointer to input seed
* - unsigned char nonce: one-byte input nonce
**************************************************/
void PQCLEAN_KYBER768_poly_getnoise(poly *r, const unsigned char *seed,
unsigned char nonce) {
void PQCLEAN_KYBER768_poly_getnoise(poly *r, const unsigned char *seed, unsigned char nonce) {
unsigned char buf[KYBER_ETA * KYBER_N / 4];
unsigned char extseed[KYBER_SYMBYTES + 1];
int i;
@@ -204,8 +203,7 @@ void PQCLEAN_KYBER768_poly_sub(poly *r, const poly *a, const poly *b) {
* Arguments: - poly *r: pointer to output polynomial
* - const unsigned char *msg: pointer to input message
**************************************************/
void PQCLEAN_KYBER768_poly_frommsg(poly *r,
const unsigned char msg[KYBER_SYMBYTES]) {
void PQCLEAN_KYBER768_poly_frommsg(poly *r, const unsigned char msg[KYBER_SYMBYTES]) {
uint16_t i, j, mask;

for (i = 0; i < KYBER_SYMBYTES; i++) {
@@ -224,8 +222,7 @@ void PQCLEAN_KYBER768_poly_frommsg(poly *r,
* Arguments: - unsigned char *msg: pointer to output message
* - const poly *a: pointer to input polynomial
**************************************************/
void PQCLEAN_KYBER768_poly_tomsg(unsigned char msg[KYBER_SYMBYTES],
const poly *a) {
void PQCLEAN_KYBER768_poly_tomsg(unsigned char msg[KYBER_SYMBYTES], const poly *a) {
uint16_t t;
int i, j;



+ 3
- 6
crypto_kem/kyber768/clean/poly.h Wyświetl plik

@@ -18,13 +18,10 @@ void PQCLEAN_KYBER768_poly_decompress(poly *r, const unsigned char *a);
void PQCLEAN_KYBER768_poly_tobytes(unsigned char *r, const poly *a);
void PQCLEAN_KYBER768_poly_frombytes(poly *r, const unsigned char *a);

void PQCLEAN_KYBER768_poly_frommsg(poly *r,
const unsigned char msg[KYBER_SYMBYTES]);
void PQCLEAN_KYBER768_poly_tomsg(unsigned char msg[KYBER_SYMBYTES],
const poly *a);
void PQCLEAN_KYBER768_poly_frommsg(poly *r, const unsigned char msg[KYBER_SYMBYTES]);
void PQCLEAN_KYBER768_poly_tomsg(unsigned char msg[KYBER_SYMBYTES], const poly *a);

void PQCLEAN_KYBER768_poly_getnoise(poly *r, const unsigned char *seed,
unsigned char nonce);
void PQCLEAN_KYBER768_poly_getnoise(poly *r, const unsigned char *seed, unsigned char nonce);

void PQCLEAN_KYBER768_poly_ntt(poly *r);
void PQCLEAN_KYBER768_poly_invntt(poly *r);


+ 5
- 7
crypto_kem/kyber768/clean/polyvec.c Wyświetl plik

@@ -21,7 +21,7 @@ void PQCLEAN_KYBER768_polyvec_compress(unsigned char *r, const polyvec *a) {
t[k] = ((((uint32_t)PQCLEAN_KYBER768_freeze(a->vec[i].coeffs[8 * j + k]) << 11) + KYBER_Q / 2) / KYBER_Q) & 0x7ff;
}

r[11 * j + 0] = t[0] & 0xff;
r[11 * j + 0] = t[0] & 0xff;
r[11 * j + 1] = (t[0] >> 8) | ((t[1] & 0x1f) << 3);
r[11 * j + 2] = (t[1] >> 5) | ((t[2] & 0x03) << 6);
r[11 * j + 3] = (t[2] >> 2) & 0xff;
@@ -50,12 +50,12 @@ void PQCLEAN_KYBER768_polyvec_decompress(polyvec *r, const unsigned char *a) {
int i, j;
for (i = 0; i < KYBER_K; i++) {
for (j = 0; j < KYBER_N / 8; j++) {
r->vec[i].coeffs[8 * j + 0] = (((a[11 * j + 0] | (((uint32_t)a[11 * j + 1] & 0x07) << 8)) * KYBER_Q) + 1024) >> 11;
r->vec[i].coeffs[8 * j + 0] = (((a[11 * j + 0] | (((uint32_t)a[11 * j + 1] & 0x07) << 8)) * KYBER_Q) + 1024) >> 11;
r->vec[i].coeffs[8 * j + 1] = ((((a[11 * j + 1] >> 3) | (((uint32_t)a[11 * j + 2] & 0x3f) << 5)) * KYBER_Q) + 1024) >> 11;
r->vec[i].coeffs[8 * j + 2] = ((((a[11 * j + 2] >> 6) | (((uint32_t)a[11 * j + 3] & 0xff) << 2) | (((uint32_t)a[11 * j + 4] & 0x01) << 10)) * KYBER_Q) + 1024) >> 11;
r->vec[i].coeffs[8 * j + 3] = ((((a[11 * j + 4] >> 1) | (((uint32_t)a[11 * j + 5] & 0x0f) << 7)) * KYBER_Q) + 1024) >> 11;
r->vec[i].coeffs[8 * j + 4] = ((((a[11 * j + 5] >> 4) | (((uint32_t)a[11 * j + 6] & 0x7f) << 4)) * KYBER_Q) + 1024) >> 11;
r->vec[i].coeffs[8 * j + 5] = ((((a[11 * j + 6] >> 7) | (((uint32_t)a[11 * j + 7] & 0xff) << 1) | (((uint32_t)a[11 * j + 8] & 0x03) << 9)) * KYBER_Q) + 1024) >> 11;
r->vec[i].coeffs[8 * j + 5] = ((((a[11 * j + 6] >> 7) | (((uint32_t)a[11 * j + 7] & 0xff) << 1) | (((uint32_t)a[11 * j + 8] & 0x03) << 9)) * KYBER_Q) + 1024) >> 11;
r->vec[i].coeffs[8 * j + 6] = ((((a[11 * j + 8] >> 2) | (((uint32_t)a[11 * j + 9] & 0x1f) << 6)) * KYBER_Q) + 1024) >> 11;
r->vec[i].coeffs[8 * j + 7] = ((((a[11 * j + 9] >> 5) | (((uint32_t)a[11 * j + 10] & 0xff) << 3)) * KYBER_Q) + 1024) >> 11;
}
@@ -131,8 +131,7 @@ void PQCLEAN_KYBER768_polyvec_invntt(polyvec *r) {
* - const polyvec *a: pointer to first input vector of polynomials
* - const polyvec *b: pointer to second input vector of polynomials
**************************************************/
void PQCLEAN_KYBER768_polyvec_pointwise_acc(poly *r, const polyvec *a,
const polyvec *b) {
void PQCLEAN_KYBER768_polyvec_pointwise_acc(poly *r, const polyvec *a, const polyvec *b) {
int i, j;
uint16_t t;
for (j = 0; j < KYBER_N; j++) {
@@ -155,8 +154,7 @@ void PQCLEAN_KYBER768_polyvec_pointwise_acc(poly *r, const polyvec *a,
* - const polyvec *a: pointer to first input vector of polynomials
* - const polyvec *b: pointer to second input vector of polynomials
**************************************************/
void PQCLEAN_KYBER768_polyvec_add(polyvec *r, const polyvec *a,
const polyvec *b) {
void PQCLEAN_KYBER768_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b) {
int i;
for (i = 0; i < KYBER_K; i++) {
PQCLEAN_KYBER768_poly_add(&r->vec[i], &a->vec[i], &b->vec[i]);


+ 2
- 4
crypto_kem/kyber768/clean/polyvec.h Wyświetl plik

@@ -17,10 +17,8 @@ void PQCLEAN_KYBER768_polyvec_frombytes(polyvec *r, const unsigned char *a);
void PQCLEAN_KYBER768_polyvec_ntt(polyvec *r);
void PQCLEAN_KYBER768_polyvec_invntt(polyvec *r);

void PQCLEAN_KYBER768_polyvec_pointwise_acc(poly *r, const polyvec *a,
const polyvec *b);
void PQCLEAN_KYBER768_polyvec_pointwise_acc(poly *r, const polyvec *a, const polyvec *b);

void PQCLEAN_KYBER768_polyvec_add(polyvec *r, const polyvec *a,
const polyvec *b);
void PQCLEAN_KYBER768_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b);

#endif

+ 6
- 3
crypto_kem/kyber768/clean/precomp.c Wyświetl plik

@@ -57,7 +57,8 @@ const uint16_t PQCLEAN_KYBER768_zetas[KYBER_N] = {
5113, 333, 3502, 4517, 1480, 1172, 5567, 651, 925, 4573, 599, 1367,
4109, 1863, 6929, 1605, 3866, 2065, 4048, 839, 5764, 2447, 2022, 3345,
1990, 4067, 2036, 2069, 3567, 7371, 2368, 339, 6947, 2159, 654, 7327,
2768, 6676, 987, 2214};
2768, 6676, 987, 2214
};

const uint16_t PQCLEAN_KYBER768_omegas_inv_bitrev_montgomery[KYBER_N / 2] = {
990, 254, 862, 5047, 6586, 5538, 4400, 7103, 2025, 6804, 3858, 1595,
@@ -70,7 +71,8 @@ const uint16_t PQCLEAN_KYBER768_omegas_inv_bitrev_montgomery[KYBER_N / 2] = {
1597, 2908, 1825, 6132, 98, 1251, 4306, 4022, 4314, 362, 1289, 5560,
3830, 6724, 6671, 1215, 2281, 4899, 5074, 5988, 5041, 1883, 2822, 7024,
2920, 594, 6189, 6662, 3247, 771, 5822, 1742, 4206, 3686, 776, 5987,
8, 4021, 38, 5658, 3017, 6143, 889, 4216};
8, 4021, 38, 5658, 3017, 6143, 889, 4216
};

const uint16_t PQCLEAN_KYBER768_psis_inv_montgomery[KYBER_N] = {
1024, 4972, 5779, 6907, 4943, 4168, 315, 5580, 90, 497, 1123, 142,
@@ -94,4 +96,5 @@ const uint16_t PQCLEAN_KYBER768_psis_inv_montgomery[KYBER_N] = {
145, 374, 2236, 4496, 5028, 6771, 6923, 7421, 1978, 1023, 3857, 6876,
1102, 7451, 4704, 6518, 1344, 765, 384, 5705, 1207, 1630, 4734, 1563,
6839, 5933, 1954, 4987, 7142, 5814, 7527, 4953, 7637, 4707, 2182, 5734,
2818, 541, 4097, 5641};
2818, 541, 4097, 5641
};

+ 2
- 4
crypto_kem/kyber768/clean/verify.c Wyświetl plik

@@ -12,8 +12,7 @@
*
* Returns 0 if the byte arrays are equal, 1 otherwise
**************************************************/
int PQCLEAN_KYBER768_verify(const unsigned char *a, const unsigned char *b,
size_t len) {
int PQCLEAN_KYBER768_verify(const unsigned char *a, const unsigned char *b, size_t len) {
uint64_t r;
size_t i;
r = 0;
@@ -39,8 +38,7 @@ int PQCLEAN_KYBER768_verify(const unsigned char *a, const unsigned char *b,
* size_t len: Amount of bytes to be copied
* unsigned char b: Condition bit; has to be in {0,1}
**************************************************/
void PQCLEAN_KYBER768_cmov(unsigned char *r, const unsigned char *x, size_t len,
unsigned char b) {
void PQCLEAN_KYBER768_cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b) {
size_t i;

b = -b;


+ 2
- 4
crypto_kem/kyber768/clean/verify.h Wyświetl plik

@@ -3,10 +3,8 @@

#include <stdio.h>

int PQCLEAN_KYBER768_verify(const unsigned char *a, const unsigned char *b,
size_t len);
int PQCLEAN_KYBER768_verify(const unsigned char *a, const unsigned char *b, size_t len);

void PQCLEAN_KYBER768_cmov(unsigned char *r, const unsigned char *x, size_t len,
unsigned char b);
void PQCLEAN_KYBER768_cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b);

#endif

Ładowanie…
Anuluj
Zapisz