diff --git a/crypto_kem/babybear-ephem/META.yml b/crypto_kem/babybear-ephem/META.yml
deleted file mode 100644
index 260fb2e9..00000000
--- a/crypto_kem/babybear-ephem/META.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-name: BabyBearEphem
-type: kem
-claimed-nist-level: 1
-claimed-security: IND-CPA
-length-public-key: 804
-length-ciphertext: 917
-length-secret-key: 40
-length-shared-secret: 32
-nistkat-sha256: 1caf1dc65c7b2923c936ed464574694a8983ed5508dadfc554fd98e1095652e9
-principal-submitters:
- - Mike Hamburg
-implementations:
- - name: clean
- version: https://sourceforge.net/p/threebears/code/ci/f4ce0ebfc84a5e01a75bfc8297b6d175e993cfa4/
diff --git a/crypto_kem/babybear-ephem/clean/LICENSE b/crypto_kem/babybear-ephem/clean/LICENSE
deleted file mode 100644
index 5fb15a7c..00000000
--- a/crypto_kem/babybear-ephem/clean/LICENSE
+++ /dev/null
@@ -1,24 +0,0 @@
-Copyright (c) 2016-2019 Rambus, Inc.
-and licensed under the following MIT license.
-
-The MIT License (MIT)
-
-Copyright (c) 2016-2019 Rambus Inc.
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
diff --git a/crypto_kem/babybear-ephem/clean/Makefile b/crypto_kem/babybear-ephem/clean/Makefile
deleted file mode 100644
index 3a2c62ec..00000000
--- a/crypto_kem/babybear-ephem/clean/Makefile
+++ /dev/null
@@ -1,21 +0,0 @@
-# This Makefile can be used with GNU Make or BSD Make
-
-LIB=libbabybear-ephem_clean.a
-
-HEADERS = api.h melas_fec.h params.h ring.h threebears.h
-OBJECTS = kem.o melas_fec.o ring.o threebears.o
-
-
-CFLAGS=-O3 -Wall -Wextra -Wpedantic -Werror -Wmissing-prototypes -Wredundant-decls -std=c99 -I../../../common $(EXTRAFLAGS)
-
-all: $(LIB)
-
-%.o: %.c $(HEADERS)
- $(CC) $(CFLAGS) -c -o $@ $<
-
-$(LIB): $(OBJECTS)
- $(AR) -r $@ $(OBJECTS)
-
-clean:
- $(RM) $(OBJECTS)
- $(RM) $(LIB)
diff --git a/crypto_kem/babybear-ephem/clean/Makefile.Microsoft_nmake b/crypto_kem/babybear-ephem/clean/Makefile.Microsoft_nmake
deleted file mode 100644
index 0e5c1bda..00000000
--- a/crypto_kem/babybear-ephem/clean/Makefile.Microsoft_nmake
+++ /dev/null
@@ -1,19 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=libbabybear-ephem_clean.lib
-OBJECTS = kem.obj melas_fec.obj ring.obj threebears.obj
-
-CFLAGS=/nologo /I ..\..\..\common /W4 /WX
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_kem/babybear-ephem/clean/api.h b/crypto_kem/babybear-ephem/clean/api.h
deleted file mode 100644
index 6fee4132..00000000
--- a/crypto_kem/babybear-ephem/clean/api.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef PQCLEAN_BABYBEAREPHEM_CLEAN_API_H
-#define PQCLEAN_BABYBEAREPHEM_CLEAN_API_H
-
-#include
-#include
-#include
-
-#define PQCLEAN_BABYBEAREPHEM_CLEAN_CRYPTO_SECRETKEYBYTES 40
-#define PQCLEAN_BABYBEAREPHEM_CLEAN_CRYPTO_PUBLICKEYBYTES 804
-#define PQCLEAN_BABYBEAREPHEM_CLEAN_CRYPTO_BYTES 32
-#define PQCLEAN_BABYBEAREPHEM_CLEAN_CRYPTO_CIPHERTEXTBYTES 917
-#define PQCLEAN_BABYBEAREPHEM_CLEAN_CRYPTO_ALGNAME "BabyBearEphem"
-
-int PQCLEAN_BABYBEAREPHEM_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
-int PQCLEAN_BABYBEAREPHEM_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int PQCLEAN_BABYBEAREPHEM_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
-#endif
diff --git a/crypto_kem/babybear-ephem/clean/kem.c b/crypto_kem/babybear-ephem/clean/kem.c
deleted file mode 100644
index b3ca3a75..00000000
--- a/crypto_kem/babybear-ephem/clean/kem.c
+++ /dev/null
@@ -1,22 +0,0 @@
-#include "api.h"
-#include "params.h"
-#include "randombytes.h"
-#include "threebears.h"
-
-int PQCLEAN_BABYBEAREPHEM_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) {
- randombytes(sk, PRIVATE_KEY_BYTES);
- PQCLEAN_BABYBEAREPHEM_CLEAN_get_pubkey(pk, sk);
- return 0;
-}
-
-int PQCLEAN_BABYBEAREPHEM_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk) {
- uint8_t seed[ENC_SEED_BYTES + IV_BYTES];
- randombytes(seed, sizeof(seed));
- encapsulate(ss, ct, pk, seed);
- return 0;
-}
-
-int PQCLEAN_BABYBEAREPHEM_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk) {
- PQCLEAN_BABYBEAREPHEM_CLEAN_decapsulate(ss, ct, sk);
- return 0;
-}
diff --git a/crypto_kem/babybear-ephem/clean/melas_fec.c b/crypto_kem/babybear-ephem/clean/melas_fec.c
deleted file mode 100644
index d4bd9376..00000000
--- a/crypto_kem/babybear-ephem/clean/melas_fec.c
+++ /dev/null
@@ -1,87 +0,0 @@ -/* Melas forward error correction, reference code (as implemented in the paper) */ -#include "melas_fec.h" - -/* Return s/2^n mod R */ -static fec_gf_t step(size_t n, fec_gf_t R, fec_gf_t s) { - for (; n; n--) { - s = (s ^ ((s & 1) * R)) >> 1; - } - return s; -} - -/* Compute syndrome(data), where data has length len */ -#define syndrome18(data,len) s18update(0,data,len) -static fec_gf_t s18update(fec_gf_t r, const uint8_t *data, size_t len) { - for (size_t i = 0; i < len; i++) { - r = step(8, 0x46231, r ^ data[i]); - } - return r; -} - -/* Append 3 bytes of FEC(data) to data, so that the FEC becomes 0 */ -void PQCLEAN_BABYBEAREPHEM_CLEAN_melas_fec_set( - uint8_t out[MELAS_FEC_BYTES], - const uint8_t *data, - size_t len -) { - fec_gf_t fec = syndrome18(data, len); - for (size_t i = 0; i < MELAS_FEC_BYTES; i++, fec >>= 8) { - out[i] = (uint8_t)fec; - } -} - -/* Return a*b mod Q */ -static fec_gf_t mul(fec_gf_t a, fec_gf_t b) { - fec_gf_t r = 0; - for (size_t i = 0; i < 9; i++) { - r ^= ((b >> (8 - i)) & 1) * a; - a = step(1, Q, a); - } - return r; -} - -/* Reverse an 18-bit number x */ -static fec_gf_t reverse18(fec_gf_t x) { - fec_gf_t ret = 0; - for (size_t i = 0; i < 18; i++) { - ret ^= ((x >> i) & 1) << (17 - i); - } - return ret; -} - -/* Correct data to have the given FEC */ -void PQCLEAN_BABYBEAREPHEM_CLEAN_melas_fec_correct ( - uint8_t *data, - size_t len, - const uint8_t fec[MELAS_FEC_BYTES] -) { - - fec_gf_t a = s18update(syndrome18(data, len), fec, MELAS_FEC_BYTES); - fec_gf_t c, r, htr; - size_t i; - const uint8_t table[9] = {36, 10, 43, 215, 52, 11, 116, 244, 0}; - fec_gf_t e0, e1; - - /* Form a quadratic equation from the syndrome */ - c = mul(step(9, Q, a), step(9, Q, reverse18(a))); - for (i = 0, r = 0x100; i < 510; i++) { - r = mul(r, c); - } - r = step(17, Q, r); - a = step(511 - (len + MELAS_FEC_BYTES) * 8, Q, a); - - /* Solve using the half trace */ - for (i = 0, htr = 0; i < 9; i++) { - htr ^= ((r >> i) & 1) * table[i]; - } - 
e0 = mul(a, htr); - e1 = e0 ^ a; - - /* Correct the errors using the locators */ - for (i = 0; i < len; i++) { - data[i] ^= (uint8_t)(e0 & (((e0 & (e0 - 1)) - 1) >> 9)); - data[i] ^= (uint8_t)(e1 & (((e1 & (e1 - 1)) - 1) >> 9)); - e0 = step(8, Q, e0); - e1 = step(8, Q, e1); - } -} diff --git a/crypto_kem/babybear-ephem/clean/melas_fec.h b/crypto_kem/babybear-ephem/clean/melas_fec.h deleted file mode 100644 index fd2ed191..00000000 --- a/crypto_kem/babybear-ephem/clean/melas_fec.h +++ /dev/null @@ -1,26 +0,0 @@ -#ifndef __THREEBEARS_MELAS_FEC_H__ -#define __THREEBEARS_MELAS_FEC_H__ - -#include "api.h" - -#define MELAS_FEC_BYTES 3 -#define MELAS_FEC_BITS 18 - -typedef uint32_t fec_gf_t; -static const fec_gf_t Q = 0x211; - -/* Append 3 bytes of FEC(data) to data, so that the FEC becomes 0 */ -void PQCLEAN_BABYBEAREPHEM_CLEAN_melas_fec_set( - uint8_t out[MELAS_FEC_BYTES], - const uint8_t *data, - size_t len -); - -/* Append 3 bytes of FEC(data) to data, so that the FEC becomes 0 */ -void PQCLEAN_BABYBEAREPHEM_CLEAN_melas_fec_correct( - uint8_t *data, - size_t len, - const uint8_t fec[MELAS_FEC_BYTES] -); - -#endif diff --git a/crypto_kem/babybear-ephem/clean/params.h b/crypto_kem/babybear-ephem/clean/params.h deleted file mode 100644 index 4dc8e874..00000000 --- a/crypto_kem/babybear-ephem/clean/params.h +++ /dev/null 
@@ -1,29 +0,0 @@ -#ifndef __THREEBEARS_PARAMS_H__ -#define __THREEBEARS_PARAMS_H__ - -#define VERSION 1 -#define MATRIX_SEED_BYTES 24 -#define ENC_SEED_BYTES 32 -#define IV_BYTES 0 -#define LGX 10 -#define DIGITS 312 -#define DIM 2 -#define VAR_TIMES_128 128 -#define LPR_BITS 4 -#define FEC_BITS 18 -#define CCA 0 -#define SHARED_SECRET_BYTES 32 -#define PRIVATE_KEY_BYTES 40 -#define PRF_KEY_BYTES PRIVATE_KEY_BYTES - -#define BEAR_NAME "BabyBearEphem" -#define encapsulate PQCLEAN_BABYBEAREPHEM_CLEAN_encapsulate -#define decapsulate PQCLEAN_BABYBEAREPHEM_CLEAN_decapsulate -#define get_pubkey PQCLEAN_BABYBEAREPHEM_CLEAN_get_pubkey - -#define GF_BYTES ((LGX*DIGITS+7)/8) -#define PUBLIC_KEY_BYTES (MATRIX_SEED_BYTES + DIM*GF_BYTES) -#define CAPSULE_BYTES \ - (DIM*GF_BYTES + IV_BYTES + ((ENC_SEED_BYTES*8+FEC_BITS)*LPR_BITS+7)/8) - -#endif diff --git a/crypto_kem/babybear-ephem/clean/ring.c b/crypto_kem/babybear-ephem/clean/ring.c deleted file mode 100644 index 4c751556..00000000 --- a/crypto_kem/babybear-ephem/clean/ring.c +++ /dev/null 
@@ -1,107 +0,0 @@ -/** Ring arithmetic implementation */ -#include "ring.h" - -/** Return the i'th limb of the modulus */ -limb_t PQCLEAN_BABYBEAREPHEM_CLEAN_modulus(size_t i) { - return (i == DIGITS / 2) ? LMASK - 1 : LMASK; -} - -/** Multiply and accumulate c += a*b */ -void PQCLEAN_BABYBEAREPHEM_CLEAN_mac(gf_t c, const gf_t a, const gf_t b) { - /* Reference non-Karatsuba MAC */ - dslimb_t accum[2 * DIGITS] = {0}; - dslimb_t chain; - size_t i, j; - - /* Initialize accumulator = unclarify(c) */ - for (i = 0; i < DIGITS; i++) { - accum[i + DIGITS / 2] = c[i]; - } - - /* Multiply */ - for (i = 0; i < DIGITS; i++) { - for (j = 0; j < DIGITS; j++) { - accum[i + j] += (dslimb_t)a[i] * b[j]; - } - } - - /* Clarify and reduce */ - for (i = 0; i < DIGITS / 2; i++) { - accum[i + DIGITS / 2] -= accum[i]; - accum[i + DIGITS] += accum[i]; - accum[i + DIGITS / 2] += accum[i + 3 * DIGITS / 2]; - accum[i + DIGITS] += accum[i + 3 * DIGITS / 2]; - } - - /* Carry propagate */ - chain = accum[3 * DIGITS / 2 - 1]; - accum[3 * DIGITS / 2 - 1] = chain & LMASK; - chain >>= LGX; - accum[DIGITS] += chain; - for (i = DIGITS / 2; i < 3 * DIGITS / 2; i++) { - chain += accum[i]; - c[i - DIGITS / 2] = chain & LMASK; - chain >>= LGX; - } - c[0] = (limb_t) (c[0] + chain); - c[DIGITS / 2] = (limb_t) (c[DIGITS / 2] + chain); -} - -/** Reduce a gf_t to canonical form, i.e. strictly less than N. */ -void PQCLEAN_BABYBEAREPHEM_CLEAN_canon(gf_t c) { - const limb_t DELTA = (limb_t)1 << (LGX - 1); - slimb_t hi; - dslimb_t scarry; - dlimb_t carry; - - /* Reduce to 0..2p */ - hi = (slimb_t) (c[DIGITS - 1] - DELTA); - c[DIGITS - 1] = (limb_t) ((hi & LMASK) + DELTA); - c[DIGITS / 2] = (limb_t) (c[DIGITS / 2] + (hi >> LGX)); - - /* Strong reduce. 
First subtract modulus */ - scarry = hi >> LGX; - for (size_t i = 0; i < DIGITS; i++) { - scarry = scarry + (slimb_t)c[i] - PQCLEAN_BABYBEAREPHEM_CLEAN_modulus(i); - c[i] = scarry & LMASK; - scarry >>= LGX; - } - - /* add it back */ - carry = 0; - for (size_t i = 0; i < DIGITS; i++) { - carry = carry + c[i] + ((dlimb_t)scarry & PQCLEAN_BABYBEAREPHEM_CLEAN_modulus(i)); - c[i] = carry & LMASK; - carry >>= LGX; - } -} - -/** Serialize a gf_t to bytes */ -void PQCLEAN_BABYBEAREPHEM_CLEAN_contract(uint8_t ch[GF_BYTES], gf_t a) { - size_t pos; - - PQCLEAN_BABYBEAREPHEM_CLEAN_canon(a); - for (size_t i = 0; i < GF_BYTES; i++) { - pos = (i * 8) / LGX; - ch[i] = (uint8_t)(a[pos] >> ((i * 8) % LGX)); - if (i < GF_BYTES - 1) { - ch[i] |= (uint8_t)(a[pos + 1] << (LGX - ((i * 8) % LGX))); - } - } -} - -/** Deserialize a gf_t from bytes */ -void PQCLEAN_BABYBEAREPHEM_CLEAN_expand(gf_t ll, const uint8_t ch[GF_BYTES]) { - limb_t tmp, buffer = 0; - - for (size_t i = 0, j = 0, bbits = 0; i < GF_BYTES; i++) { - tmp = ch[i]; - buffer |= (limb_t)(tmp << bbits); - bbits += 8; - if (bbits >= LGX) { - ll[j++] = buffer & LMASK; - buffer = (limb_t)(tmp >> (LGX - (bbits - 8))); - bbits = bbits - LGX; - } - } -} diff --git a/crypto_kem/babybear-ephem/clean/ring.h b/crypto_kem/babybear-ephem/clean/ring.h deleted file mode 100644 index 346e0c9e..00000000 --- a/crypto_kem/babybear-ephem/clean/ring.h +++ /dev/null 
@@ -1,29 +0,0 @@ -#ifndef __THREEBEARS_RING_H__ -#define __THREEBEARS_RING_H__ - -#include "api.h" -#include "params.h" - -typedef uint16_t limb_t; -typedef int16_t slimb_t; -typedef uint32_t dlimb_t; -typedef int32_t dslimb_t; -#define LMASK (((limb_t)1<> 8, DIM, - VAR_TIMES_128 - 1, LPR_BITS, FEC_BITS, CCA, 0 /* padding */ - }; - - cshake256_inc_init(ctx, NULL, 0, (const uint8_t *)S, sizeof(S) - 1); - cshake256_inc_absorb(ctx, (const uint8_t *)pblock, sizeof(pblock)); - cshake256_inc_absorb(ctx, &purpose, 1); -} - -/** Sample n gf_t's uniformly from a seed */ -static void uniform(gf_t matrix, const uint8_t *seed, uint8_t iv) { - uint8_t c[GF_BYTES]; - shake256incctx ctx; - - threebears_hash_init(&ctx, HASH_PURPOSE_UNIFORM); - cshake256_inc_absorb(&ctx, seed, MATRIX_SEED_BYTES); - cshake256_inc_absorb(&ctx, &iv, 1); - cshake256_inc_finalize(&ctx); - cshake256_inc_squeeze(c, sizeof(c), &ctx); - cshake256_inc_ctx_release(&ctx); - PQCLEAN_BABYBEAREPHEM_CLEAN_expand(matrix, c); -} - -/** The ThreeBears error distribution */ -static slimb_t psi(uint8_t ci) { - int sample = 0, var = VAR_TIMES_128; - - for (; var > 64; var -= 64, ci = (uint8_t)(ci << 2)) { - sample += ((ci + 64) >> 8) + ((ci - 64) >> 8); - } - return (slimb_t)(sample + ((ci + var) >> 8) + ((ci - var) >> 8)); -} - -/** Sample a vector of n noise elements */ -static void noise(gf_t x, const shake256incctx *ctx, uint8_t iv) { - uint8_t c[DIGITS]; - shake256incctx ctx2; - - cshake256_inc_ctx_clone(&ctx2, ctx); - cshake256_inc_absorb(&ctx2, &iv, 1); - cshake256_inc_finalize(&ctx2); - cshake256_inc_squeeze(c, DIGITS, &ctx2); - for (size_t i = 0; i < DIGITS; i++) { - x[i] = (limb_t)(psi(c[i]) + PQCLEAN_BABYBEAREPHEM_CLEAN_modulus(i)); - } - cshake256_inc_ctx_release(&ctx2); -} - -/* Expand public key from private key */ -void PQCLEAN_BABYBEAREPHEM_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) { - shake256incctx ctx; - shake256incctx ctx2; - gf_t sk_expanded[DIM], b, c; - - threebears_hash_init(&ctx, 
HASH_PURPOSE_KEYGEN); - cshake256_inc_absorb(&ctx, sk, PRIVATE_KEY_BYTES); - - cshake256_inc_ctx_clone(&ctx2, &ctx); - cshake256_inc_finalize(&ctx2); - cshake256_inc_squeeze(pk, MATRIX_SEED_BYTES, &ctx2); - cshake256_inc_ctx_release(&ctx2); - - for (uint8_t i = 0; i < DIM; i++) { - noise(sk_expanded[i], &ctx, i); - } - for (uint8_t i = 0; i < DIM; i++) { - noise(c, &ctx, (uint8_t)(i + DIM)); - for (uint8_t j = 0; j < DIM; j++) { - uniform(b, pk, (uint8_t) (i + DIM * j)); - PQCLEAN_BABYBEAREPHEM_CLEAN_mac(c, b, sk_expanded[j]); - } - PQCLEAN_BABYBEAREPHEM_CLEAN_contract(&pk[MATRIX_SEED_BYTES + i * GF_BYTES], c); - } - cshake256_inc_ctx_release(&ctx); -} - -/* Encapsulate a shared secret and return it */ -void PQCLEAN_BABYBEAREPHEM_CLEAN_encapsulate( - uint8_t *shared_secret, - uint8_t *capsule, - const uint8_t *pk, - const uint8_t *seed -) { - uint8_t *lpr_data = &capsule[GF_BYTES * DIM]; - shake256incctx ctx; - gf_t sk_expanded[DIM], b, c; - uint8_t tbi[ENC_SEED_BYTES + FEC_BYTES]; - dlimb_t rlimb0, rlimb1; - limb_t h; - uint8_t *iv = &lpr_data[(ENC_BITS * LPR_BITS + 7) / 8]; - - memcpy(iv, &seed[ENC_SEED_BYTES], IV_BYTES); - - threebears_hash_init(&ctx, HASH_PURPOSE_ENCAPS); - cshake256_inc_absorb(&ctx, pk, MATRIX_SEED_BYTES); - cshake256_inc_absorb(&ctx, seed, ENC_SEED_BYTES + IV_BYTES); - - for (uint8_t i = 0; i < DIM; i++) { - noise(sk_expanded[i], &ctx, i); - } - for (uint8_t i = 0; i < DIM; i++) { - noise(c, &ctx, (uint8_t)(i + DIM)); - for (uint8_t j = 0; j < DIM; j++) { - uniform(b, pk, (uint8_t)(j + DIM * i)); - PQCLEAN_BABYBEAREPHEM_CLEAN_mac(c, b, sk_expanded[j]); - } - PQCLEAN_BABYBEAREPHEM_CLEAN_contract(&capsule[i * GF_BYTES], c); - } - noise(c, &ctx, (uint8_t)(2 * DIM)); - - /* Calculate approximate shared secret */ - for (uint8_t i = 0; i < DIM; i++) { - PQCLEAN_BABYBEAREPHEM_CLEAN_expand(b, &pk[MATRIX_SEED_BYTES + i * GF_BYTES]); - PQCLEAN_BABYBEAREPHEM_CLEAN_mac(c, b, sk_expanded[i]); - } - PQCLEAN_BABYBEAREPHEM_CLEAN_canon(c); - - - 
cshake256_inc_finalize(&ctx); - cshake256_inc_squeeze(tbi, ENC_SEED_BYTES, &ctx); - cshake256_inc_ctx_release(&ctx); - - threebears_hash_init(&ctx, HASH_PURPOSE_ENCAPS); - cshake256_inc_absorb(&ctx, pk, MATRIX_SEED_BYTES); - cshake256_inc_absorb(&ctx, tbi, ENC_SEED_BYTES); - cshake256_inc_absorb(&ctx, iv, IV_BYTES); - - PQCLEAN_BABYBEAREPHEM_CLEAN_melas_fec_set(&tbi[ENC_SEED_BYTES], tbi, ENC_SEED_BYTES); - - /* Export with rounding */ - for (size_t i = 0; i < ENC_BITS; i += 2) { - h = (limb_t)(tbi[i / 8] >> (i % 8)); - rlimb0 = (dlimb_t)((c[i / 2] >> (LGX - LPR_BITS)) + (h << 3)); - rlimb1 = (dlimb_t)((c[DIGITS - i / 2 - 1] >> (LGX - LPR_BITS)) + ((h >> 1) << 3)); - lpr_data[i / 2] = (uint8_t)((rlimb0 & 0xF) | rlimb1 << 4); - } - - cshake256_inc_finalize(&ctx); - cshake256_inc_squeeze(shared_secret, SHARED_SECRET_BYTES, &ctx); - cshake256_inc_ctx_release(&ctx); -} - -/* Decapsulate a shared secret and return it */ -void PQCLEAN_BABYBEAREPHEM_CLEAN_decapsulate( - uint8_t shared_secret[SHARED_SECRET_BYTES], - const uint8_t capsule[CAPSULE_BYTES], - const uint8_t sk[PRIVATE_KEY_BYTES] -) { - const uint8_t *lpr_data = &capsule[GF_BYTES * DIM]; - shake256incctx ctx; - gf_t ska, b, c = {0}; - uint8_t seed[ENC_SEED_BYTES + FEC_BYTES + IV_BYTES]; - limb_t rounding, out; - size_t j; - limb_t our_rlimb, their_rlimb, delta; - uint8_t matrix_seed[MATRIX_SEED_BYTES]; - - /* Calculate approximate shared secret */ - threebears_hash_init(&ctx, HASH_PURPOSE_KEYGEN); - cshake256_inc_absorb(&ctx, sk, PRIVATE_KEY_BYTES); - - for (uint8_t i = 0; i < DIM; i++) { - PQCLEAN_BABYBEAREPHEM_CLEAN_expand(b, &capsule[i * GF_BYTES]); - noise(ska, &ctx, i); - PQCLEAN_BABYBEAREPHEM_CLEAN_mac(c, ska, b); - } - - /* Recover seed from LPR data */ - PQCLEAN_BABYBEAREPHEM_CLEAN_canon(c); - rounding = 1 << (LPR_BITS - 1); - out = 0; - for (int32_t i = ENC_BITS - 1; i >= 0; i--) { - j = (size_t) ((i & 1) ? 
DIGITS - i / 2 - 1 : i / 2); - our_rlimb = (limb_t)(c[j] >> (LGX - LPR_BITS - 1)); - their_rlimb = (limb_t)(lpr_data[i * LPR_BITS / 8] >> ((i * LPR_BITS) % 8)); - delta = (limb_t)(their_rlimb * 2 - our_rlimb + rounding); - out |= (limb_t)(((delta >> LPR_BITS) & 1) << (i % 8)); - if (i % 8 == 0) { - seed[i / 8] = (uint8_t)out; - out = 0; - } - } - PQCLEAN_BABYBEAREPHEM_CLEAN_melas_fec_correct(seed, ENC_SEED_BYTES, &seed[ENC_SEED_BYTES]); - - /* Recalculate matrix seed */ - cshake256_inc_finalize(&ctx); - cshake256_inc_squeeze(matrix_seed, MATRIX_SEED_BYTES, &ctx); - cshake256_inc_ctx_release(&ctx); - - /* Re-run the key derivation from encaps */ - threebears_hash_init(&ctx, HASH_PURPOSE_ENCAPS); - cshake256_inc_absorb(&ctx, matrix_seed, MATRIX_SEED_BYTES); - cshake256_inc_absorb(&ctx, seed, ENC_SEED_BYTES); - cshake256_inc_absorb(&ctx, &lpr_data[(ENC_BITS * LPR_BITS + 7) / 8], IV_BYTES); - cshake256_inc_finalize(&ctx); - cshake256_inc_squeeze(shared_secret, SHARED_SECRET_BYTES, &ctx); - cshake256_inc_ctx_release(&ctx); -} diff --git a/crypto_kem/babybear-ephem/clean/threebears.h b/crypto_kem/babybear-ephem/clean/threebears.h deleted file mode 100644 index af0d70ca..00000000 --- a/crypto_kem/babybear-ephem/clean/threebears.h +++ /dev/null 
@@ -1,60 +0,0 @@
-#ifndef __THREE_BEARS_BABYBEAREPHEM_H__
-#define __THREE_BEARS_BABYBEAREPHEM_H__
-
-#include /* for size_t */
-#include
-
-#define BABYBEAREPHEM_KEYGEN_SEED_BYTES 40
-#define BABYBEAREPHEM_PRIVATE_KEY_BYTES BABYBEAREPHEM_KEYGEN_SEED_BYTES
-#define BABYBEAREPHEM_SHARED_SECRET_BYTES 32
-#define BABYBEAREPHEM_ENC_SEED_AND_IV_BYTES 32
-#define BABYBEAREPHEM_PUBLIC_KEY_BYTES 804
-#define BABYBEAREPHEM_CAPSULE_BYTES 917
-
-/**
- * Expand a secret seed to a public/private keypair.
- *
- * @param[out] pk The public key.
- * @param[in] sk The private key, which must be uniformly random.
- */
-void PQCLEAN_BABYBEAREPHEM_CLEAN_get_pubkey (
- uint8_t pk[BABYBEAREPHEM_PUBLIC_KEY_BYTES],
- const uint8_t sk[BABYBEAREPHEM_PRIVATE_KEY_BYTES]
-);
-
-/**
- * Create a shared secret using a random seed and another party's public key.
- *
- * Input and output parameters may not alias.
- *
- * @param[out] shared_secret The shared secret key.
- * @param[out] capsule A ciphertext to send to the other party.
- * @param[in] pk The other party's public key.
- * @param[in] seed A random seed.
- */
-void PQCLEAN_BABYBEAREPHEM_CLEAN_encapsulate (
- uint8_t shared_secret[BABYBEAREPHEM_SHARED_SECRET_BYTES],
- uint8_t capsule[BABYBEAREPHEM_CAPSULE_BYTES],
- const uint8_t pk[BABYBEAREPHEM_PUBLIC_KEY_BYTES],
- const uint8_t seed[BABYBEAREPHEM_ENC_SEED_AND_IV_BYTES]
-);
-
-/**
- * Extract the shared secret from a capsule using the private key.
- * Has a negligible but nonzero probability of failure.
- *
- * Input and output parameters may not alias.
- *
- * @param[out] shared_secret The shared secret.
- * @param[in] capsule The capsule produced by encapsulate_cca2.
- * @param[in] sk The private key.
- * @return -1 on failure, 0 on success.
- * @warning The value of shared_secret must not be used on failure
- */
-void PQCLEAN_BABYBEAREPHEM_CLEAN_decapsulate (
- uint8_t shared_secret[BABYBEAREPHEM_SHARED_SECRET_BYTES],
- const uint8_t capsule[BABYBEAREPHEM_CAPSULE_BYTES],
- const uint8_t sk[BABYBEAREPHEM_PRIVATE_KEY_BYTES]
-);
-
-#endif
diff --git a/crypto_kem/babybear/META.yml b/crypto_kem/babybear/META.yml
deleted file mode 100644
index 5b8d79c6..00000000
--- a/crypto_kem/babybear/META.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-name: BabyBear
-type: kem
-claimed-nist-level: 1
-claimed-security: IND-CCA2
-length-public-key: 804
-length-ciphertext: 917
-length-secret-key: 40
-length-shared-secret: 32
-nistkat-sha256: b8442ffaad8e74c6ebfd75d02e13f8db017a7a6dd8458f5d1a5011de6057d775
-principal-submitters:
- - Mike Hamburg
-implementations:
- - name: clean
- version: https://sourceforge.net/p/threebears/code/ci/f4ce0ebfc84a5e01a75bfc8297b6d175e993cfa4/
diff --git a/crypto_kem/babybear/clean/LICENSE b/crypto_kem/babybear/clean/LICENSE
deleted file mode 100644
index 5fb15a7c..00000000
--- a/crypto_kem/babybear/clean/LICENSE
+++ /dev/null
@@ -1,24 +0,0 @@
-Copyright (c) 2016-2019 Rambus, Inc.
-and licensed under the following MIT license.
-
-The MIT License (MIT)
-
-Copyright (c) 2016-2019 Rambus Inc.
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
diff --git a/crypto_kem/babybear/clean/Makefile b/crypto_kem/babybear/clean/Makefile
deleted file mode 100644
index 21503787..00000000
--- a/crypto_kem/babybear/clean/Makefile
+++ /dev/null
@@ -1,21 +0,0 @@
-# This Makefile can be used with GNU Make or BSD Make
-
-LIB=libbabybear_clean.a
-
-HEADERS = api.h melas_fec.h params.h ring.h threebears.h
-OBJECTS = kem.o melas_fec.o ring.o threebears.o
-
-
-CFLAGS=-O3 -Wall -Wextra -Wpedantic -Werror -Wmissing-prototypes -Wredundant-decls -std=c99 -I../../../common $(EXTRAFLAGS)
-
-all: $(LIB)
-
-%.o: %.c $(HEADERS)
- $(CC) $(CFLAGS) -c -o $@ $<
-
-$(LIB): $(OBJECTS)
- $(AR) -r $@ $(OBJECTS)
-
-clean:
- $(RM) $(OBJECTS)
- $(RM) $(LIB)
diff --git a/crypto_kem/babybear/clean/Makefile.Microsoft_nmake b/crypto_kem/babybear/clean/Makefile.Microsoft_nmake
deleted file mode 100644
index 27e5cdda..00000000
--- a/crypto_kem/babybear/clean/Makefile.Microsoft_nmake
+++ /dev/null
@@ -1,19 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=libbabybear_clean.lib
-OBJECTS = kem.obj melas_fec.obj ring.obj threebears.obj
-
-CFLAGS=/nologo /I ..\..\..\common /W4 /WX
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_kem/babybear/clean/api.h b/crypto_kem/babybear/clean/api.h
deleted file mode 100644
index d513843f..00000000
--- a/crypto_kem/babybear/clean/api.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef PQCLEAN_BABYBEAR_CLEAN_API_H
-#define PQCLEAN_BABYBEAR_CLEAN_API_H
-
-#include
-#include
-#include
-
-#define PQCLEAN_BABYBEAR_CLEAN_CRYPTO_SECRETKEYBYTES 40
-#define PQCLEAN_BABYBEAR_CLEAN_CRYPTO_PUBLICKEYBYTES 804
-#define PQCLEAN_BABYBEAR_CLEAN_CRYPTO_BYTES 32
-#define PQCLEAN_BABYBEAR_CLEAN_CRYPTO_CIPHERTEXTBYTES 917
-#define PQCLEAN_BABYBEAR_CLEAN_CRYPTO_ALGNAME "BabyBear"
-
-int PQCLEAN_BABYBEAR_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
-int PQCLEAN_BABYBEAR_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int PQCLEAN_BABYBEAR_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
-#endif
diff --git a/crypto_kem/babybear/clean/kem.c b/crypto_kem/babybear/clean/kem.c
deleted file mode 100644
index 5b9e7ad1..00000000
--- a/crypto_kem/babybear/clean/kem.c
+++ /dev/null
@@ -1,22 +0,0 @@
-#include "api.h"
-#include "params.h"
-#include "randombytes.h"
-#include "threebears.h"
-
-int PQCLEAN_BABYBEAR_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) {
- randombytes(sk, PRIVATE_KEY_BYTES);
- PQCLEAN_BABYBEAR_CLEAN_get_pubkey(pk, sk);
- return 0;
-}
-
-int PQCLEAN_BABYBEAR_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk) {
- uint8_t seed[ENC_SEED_BYTES + IV_BYTES];
- randombytes(seed, sizeof(seed));
- encapsulate(ss, ct, pk, seed);
- return 0;
-}
-
-int PQCLEAN_BABYBEAR_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk) {
- PQCLEAN_BABYBEAR_CLEAN_decapsulate(ss, ct, sk);
- return 0;
-}
diff --git a/crypto_kem/babybear/clean/melas_fec.c b/crypto_kem/babybear/clean/melas_fec.c
deleted file mode 100644
index ace39b9c..00000000
--- a/crypto_kem/babybear/clean/melas_fec.c
+++ /dev/null
@@ -1,87 +0,0 @@ -/* Melas forward error correction, reference code (as implemented in the paper) */ -#include "melas_fec.h" - -/* Return s/2^n mod R */ -static fec_gf_t step(size_t n, fec_gf_t R, fec_gf_t s) { - for (; n; n--) { - s = (s ^ ((s & 1) * R)) >> 1; - } - return s; -} - -/* Compute syndrome(data), where data has length len */ -#define syndrome18(data,len) s18update(0,data,len) -static fec_gf_t s18update(fec_gf_t r, const uint8_t *data, size_t len) { - for (size_t i = 0; i < len; i++) { - r = step(8, 0x46231, r ^ data[i]); - } - return r; -} - -/* Append 3 bytes of FEC(data) to data, so that the FEC becomes 0 */ -void PQCLEAN_BABYBEAR_CLEAN_melas_fec_set( - uint8_t out[MELAS_FEC_BYTES], - const uint8_t *data, - size_t len -) { - fec_gf_t fec = syndrome18(data, len); - for (size_t i = 0; i < MELAS_FEC_BYTES; i++, fec >>= 8) { - out[i] = (uint8_t)fec; - } -} - -/* Return a*b mod Q */ -static fec_gf_t mul(fec_gf_t a, fec_gf_t b) { - fec_gf_t r = 0; - for (size_t i = 0; i < 9; i++) { - r ^= ((b >> (8 - i)) & 1) * a; - a = step(1, Q, a); - } - return r; -} - -/* Reverse an 18-bit number x */ -static fec_gf_t reverse18(fec_gf_t x) { - fec_gf_t ret = 0; - for (size_t i = 0; i < 18; i++) { - ret ^= ((x >> i) & 1) << (17 - i); - } - return ret; -} - -/* Correct data to have the given FEC */ -void PQCLEAN_BABYBEAR_CLEAN_melas_fec_correct ( - uint8_t *data, - size_t len, - const uint8_t fec[MELAS_FEC_BYTES] -) { - - fec_gf_t a = s18update(syndrome18(data, len), fec, MELAS_FEC_BYTES); - fec_gf_t c, r, htr; - size_t i; - const uint8_t table[9] = {36, 10, 43, 215, 52, 11, 116, 244, 0}; - fec_gf_t e0, e1; - - /* Form a quadratic equation from the syndrome */ - c = mul(step(9, Q, a), step(9, Q, reverse18(a))); - for (i = 0, r = 0x100; i < 510; i++) { - r = mul(r, c); - } - r = step(17, Q, r); - a = step(511 - (len + MELAS_FEC_BYTES) * 8, Q, a); - - /* Solve using the half trace */ - for (i = 0, htr = 0; i < 9; i++) { - htr ^= ((r >> i) & 1) * table[i]; - } - e0 = mul(a, 
htr); - e1 = e0 ^ a; - - /* Correct the errors using the locators */ - for (i = 0; i < len; i++) { - data[i] ^= (uint8_t)(e0 & (((e0 & (e0 - 1)) - 1) >> 9)); - data[i] ^= (uint8_t)(e1 & (((e1 & (e1 - 1)) - 1) >> 9)); - e0 = step(8, Q, e0); - e1 = step(8, Q, e1); - } -} diff --git a/crypto_kem/babybear/clean/melas_fec.h b/crypto_kem/babybear/clean/melas_fec.h deleted file mode 100644 index c44638bc..00000000 --- a/crypto_kem/babybear/clean/melas_fec.h +++ /dev/null @@ -1,26 +0,0 @@ -#ifndef __THREEBEARS_MELAS_FEC_H__ -#define __THREEBEARS_MELAS_FEC_H__ - -#include "api.h" - -#define MELAS_FEC_BYTES 3 -#define MELAS_FEC_BITS 18 - -typedef uint32_t fec_gf_t; -static const fec_gf_t Q = 0x211; - -/* Append 3 bytes of FEC(data) to data, so that the FEC becomes 0 */ -void PQCLEAN_BABYBEAR_CLEAN_melas_fec_set( - uint8_t out[MELAS_FEC_BYTES], - const uint8_t *data, - size_t len -); - -/* Append 3 bytes of FEC(data) to data, so that the FEC becomes 0 */ -void PQCLEAN_BABYBEAR_CLEAN_melas_fec_correct( - uint8_t *data, - size_t len, - const uint8_t fec[MELAS_FEC_BYTES] -); - -#endif diff --git a/crypto_kem/babybear/clean/params.h b/crypto_kem/babybear/clean/params.h deleted file mode 100644 index b99c2fa3..00000000 --- a/crypto_kem/babybear/clean/params.h +++ /dev/null 
@@ -1,29 +0,0 @@ -#ifndef __THREEBEARS_PARAMS_H__ -#define __THREEBEARS_PARAMS_H__ - -#define VERSION 1 -#define MATRIX_SEED_BYTES 24 -#define ENC_SEED_BYTES 32 -#define IV_BYTES 0 -#define LGX 10 -#define DIGITS 312 -#define DIM 2 -#define VAR_TIMES_128 72 -#define LPR_BITS 4 -#define FEC_BITS 18 -#define CCA 1 -#define SHARED_SECRET_BYTES 32 -#define PRIVATE_KEY_BYTES 40 -#define PRF_KEY_BYTES PRIVATE_KEY_BYTES - -#define BEAR_NAME "BabyBear" -#define encapsulate PQCLEAN_BABYBEAR_CLEAN_encapsulate -#define decapsulate PQCLEAN_BABYBEAR_CLEAN_decapsulate -#define get_pubkey PQCLEAN_BABYBEAR_CLEAN_get_pubkey - -#define GF_BYTES ((LGX*DIGITS+7)/8) -#define PUBLIC_KEY_BYTES (MATRIX_SEED_BYTES + DIM*GF_BYTES) -#define CAPSULE_BYTES \ - (DIM*GF_BYTES + IV_BYTES + ((ENC_SEED_BYTES*8+FEC_BITS)*LPR_BITS+7)/8) - -#endif diff --git a/crypto_kem/babybear/clean/ring.c b/crypto_kem/babybear/clean/ring.c deleted file mode 100644 index aa2c384c..00000000 --- a/crypto_kem/babybear/clean/ring.c +++ /dev/null 
@@ -1,107 +0,0 @@ -/** Ring arithmetic implementation */ -#include "ring.h" - -/** Return the i'th limb of the modulus */ -limb_t PQCLEAN_BABYBEAR_CLEAN_modulus(size_t i) { - return (i == DIGITS / 2) ? LMASK - 1 : LMASK; -} - -/** Multiply and accumulate c += a*b */ -void PQCLEAN_BABYBEAR_CLEAN_mac(gf_t c, const gf_t a, const gf_t b) { - /* Reference non-Karatsuba MAC */ - dslimb_t accum[2 * DIGITS] = {0}; - dslimb_t chain; - size_t i, j; - - /* Initialize accumulator = unclarify(c) */ - for (i = 0; i < DIGITS; i++) { - accum[i + DIGITS / 2] = c[i]; - } - - /* Multiply */ - for (i = 0; i < DIGITS; i++) { - for (j = 0; j < DIGITS; j++) { - accum[i + j] += (dslimb_t)a[i] * b[j]; - } - } - - /* Clarify and reduce */ - for (i = 0; i < DIGITS / 2; i++) { - accum[i + DIGITS / 2] -= accum[i]; - accum[i + DIGITS] += accum[i]; - accum[i + DIGITS / 2] += accum[i + 3 * DIGITS / 2]; - accum[i + DIGITS] += accum[i + 3 * DIGITS / 2]; - } - - /* Carry propagate */ - chain = accum[3 * DIGITS / 2 - 1]; - accum[3 * DIGITS / 2 - 1] = chain & LMASK; - chain >>= LGX; - accum[DIGITS] += chain; - for (i = DIGITS / 2; i < 3 * DIGITS / 2; i++) { - chain += accum[i]; - c[i - DIGITS / 2] = chain & LMASK; - chain >>= LGX; - } - c[0] = (limb_t) (c[0] + chain); - c[DIGITS / 2] = (limb_t) (c[DIGITS / 2] + chain); -} - -/** Reduce a gf_t to canonical form, i.e. strictly less than N. */ -void PQCLEAN_BABYBEAR_CLEAN_canon(gf_t c) { - const limb_t DELTA = (limb_t)1 << (LGX - 1); - slimb_t hi; - dslimb_t scarry; - dlimb_t carry; - - /* Reduce to 0..2p */ - hi = (slimb_t) (c[DIGITS - 1] - DELTA); - c[DIGITS - 1] = (limb_t) ((hi & LMASK) + DELTA); - c[DIGITS / 2] = (limb_t) (c[DIGITS / 2] + (hi >> LGX)); - - /* Strong reduce. 
First subtract modulus */ - scarry = hi >> LGX; - for (size_t i = 0; i < DIGITS; i++) { - scarry = scarry + (slimb_t)c[i] - PQCLEAN_BABYBEAR_CLEAN_modulus(i); - c[i] = scarry & LMASK; - scarry >>= LGX; - } - - /* add it back */ - carry = 0; - for (size_t i = 0; i < DIGITS; i++) { - carry = carry + c[i] + ((dlimb_t)scarry & PQCLEAN_BABYBEAR_CLEAN_modulus(i)); - c[i] = carry & LMASK; - carry >>= LGX; - } -} - -/** Serialize a gf_t to bytes */ -void PQCLEAN_BABYBEAR_CLEAN_contract(uint8_t ch[GF_BYTES], gf_t a) { - size_t pos; - - PQCLEAN_BABYBEAR_CLEAN_canon(a); - for (size_t i = 0; i < GF_BYTES; i++) { - pos = (i * 8) / LGX; - ch[i] = (uint8_t)(a[pos] >> ((i * 8) % LGX)); - if (i < GF_BYTES - 1) { - ch[i] |= (uint8_t)(a[pos + 1] << (LGX - ((i * 8) % LGX))); - } - } -} - -/** Deserialize a gf_t from bytes */ -void PQCLEAN_BABYBEAR_CLEAN_expand(gf_t ll, const uint8_t ch[GF_BYTES]) { - limb_t tmp, buffer = 0; - - for (size_t i = 0, j = 0, bbits = 0; i < GF_BYTES; i++) { - tmp = ch[i]; - buffer |= (limb_t)(tmp << bbits); - bbits += 8; - if (bbits >= LGX) { - ll[j++] = buffer & LMASK; - buffer = (limb_t)(tmp >> (LGX - (bbits - 8))); - bbits = bbits - LGX; - } - } -} diff --git a/crypto_kem/babybear/clean/ring.h b/crypto_kem/babybear/clean/ring.h deleted file mode 100644 index bc6c1a52..00000000 --- a/crypto_kem/babybear/clean/ring.h +++ /dev/null 
@@ -1,29 +0,0 @@ -#ifndef __THREEBEARS_RING_H__ -#define __THREEBEARS_RING_H__ - -#include "api.h" -#include "params.h" - -typedef uint16_t limb_t; -typedef int16_t slimb_t; -typedef uint32_t dlimb_t; -typedef int32_t dslimb_t; -#define LMASK (((limb_t)1<> 8, DIM, - VAR_TIMES_128 - 1, LPR_BITS, FEC_BITS, CCA, 0 /* padding */ - }; - - cshake256_inc_init(ctx, NULL, 0, (const uint8_t *)S, sizeof(S) - 1); - cshake256_inc_absorb(ctx, (const uint8_t *)pblock, sizeof(pblock)); - cshake256_inc_absorb(ctx, &purpose, 1); -} - -/** Sample n gf_t's uniformly from a seed */ -static void uniform(gf_t matrix, const uint8_t *seed, uint8_t iv) { - uint8_t c[GF_BYTES]; - shake256incctx ctx; - - threebears_hash_init(&ctx, HASH_PURPOSE_UNIFORM); - cshake256_inc_absorb(&ctx, seed, MATRIX_SEED_BYTES); - cshake256_inc_absorb(&ctx, &iv, 1); - cshake256_inc_finalize(&ctx); - cshake256_inc_squeeze(c, sizeof(c), &ctx); - cshake256_inc_ctx_release(&ctx); - PQCLEAN_BABYBEAR_CLEAN_expand(matrix, c); -} - -/** The ThreeBears error distribution */ -static slimb_t psi(uint8_t ci) { - int sample = 0, var = VAR_TIMES_128; - - for (; var > 64; var -= 64, ci = (uint8_t)(ci << 2)) { - sample += ((ci + 64) >> 8) + ((ci - 64) >> 8); - } - return (slimb_t)(sample + ((ci + var) >> 8) + ((ci - var) >> 8)); -} - -/** Sample a vector of n noise elements */ -static void noise(gf_t x, const shake256incctx *ctx, uint8_t iv) { - uint8_t c[DIGITS]; - shake256incctx ctx2; - - cshake256_inc_ctx_clone(&ctx2, ctx); - cshake256_inc_absorb(&ctx2, &iv, 1); - cshake256_inc_finalize(&ctx2); - cshake256_inc_squeeze(c, DIGITS, &ctx2); - for (size_t i = 0; i < DIGITS; i++) { - x[i] = (limb_t)(psi(c[i]) + PQCLEAN_BABYBEAR_CLEAN_modulus(i)); - } - cshake256_inc_ctx_release(&ctx2); -} - -/* Expand public key from private key */ -void PQCLEAN_BABYBEAR_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) { - shake256incctx ctx; - shake256incctx ctx2; - gf_t sk_expanded[DIM], b, c; - - threebears_hash_init(&ctx, HASH_PURPOSE_KEYGEN); - 
cshake256_inc_absorb(&ctx, sk, PRIVATE_KEY_BYTES); - - cshake256_inc_ctx_clone(&ctx2, &ctx); - cshake256_inc_finalize(&ctx2); - cshake256_inc_squeeze(pk, MATRIX_SEED_BYTES, &ctx2); - cshake256_inc_ctx_release(&ctx2); - - for (uint8_t i = 0; i < DIM; i++) { - noise(sk_expanded[i], &ctx, i); - } - for (uint8_t i = 0; i < DIM; i++) { - noise(c, &ctx, (uint8_t)(i + DIM)); - for (uint8_t j = 0; j < DIM; j++) { - uniform(b, pk, (uint8_t) (i + DIM * j)); - PQCLEAN_BABYBEAR_CLEAN_mac(c, b, sk_expanded[j]); - } - PQCLEAN_BABYBEAR_CLEAN_contract(&pk[MATRIX_SEED_BYTES + i * GF_BYTES], c); - } - cshake256_inc_ctx_release(&ctx); -} - -/* Encapsulate a shared secret and return it */ -void PQCLEAN_BABYBEAR_CLEAN_encapsulate( - uint8_t *shared_secret, - uint8_t *capsule, - const uint8_t *pk, - const uint8_t *seed -) { - uint8_t *lpr_data = &capsule[GF_BYTES * DIM]; - shake256incctx ctx; - gf_t sk_expanded[DIM], b, c; - uint8_t tbi[ENC_SEED_BYTES + FEC_BYTES]; - dlimb_t rlimb0, rlimb1; - limb_t h; - uint8_t *iv = &lpr_data[(ENC_BITS * LPR_BITS + 7) / 8]; - - memcpy(iv, &seed[ENC_SEED_BYTES], IV_BYTES); - - threebears_hash_init(&ctx, HASH_PURPOSE_ENCAPS); - cshake256_inc_absorb(&ctx, pk, MATRIX_SEED_BYTES); - cshake256_inc_absorb(&ctx, seed, ENC_SEED_BYTES + IV_BYTES); - - for (uint8_t i = 0; i < DIM; i++) { - noise(sk_expanded[i], &ctx, i); - } - for (uint8_t i = 0; i < DIM; i++) { - noise(c, &ctx, (uint8_t)(i + DIM)); - for (uint8_t j = 0; j < DIM; j++) { - uniform(b, pk, (uint8_t)(j + DIM * i)); - PQCLEAN_BABYBEAR_CLEAN_mac(c, b, sk_expanded[j]); - } - PQCLEAN_BABYBEAR_CLEAN_contract(&capsule[i * GF_BYTES], c); - } - noise(c, &ctx, (uint8_t)(2 * DIM)); - - /* Calculate approximate shared secret */ - for (uint8_t i = 0; i < DIM; i++) { - PQCLEAN_BABYBEAR_CLEAN_expand(b, &pk[MATRIX_SEED_BYTES + i * GF_BYTES]); - PQCLEAN_BABYBEAR_CLEAN_mac(c, b, sk_expanded[i]); - } - PQCLEAN_BABYBEAR_CLEAN_canon(c); - - - memcpy(tbi, seed, ENC_SEED_BYTES); - - 
PQCLEAN_BABYBEAR_CLEAN_melas_fec_set(&tbi[ENC_SEED_BYTES], tbi, ENC_SEED_BYTES); - - /* Export with rounding */ - for (size_t i = 0; i < ENC_BITS; i += 2) { - h = (limb_t)(tbi[i / 8] >> (i % 8)); - rlimb0 = (dlimb_t)((c[i / 2] >> (LGX - LPR_BITS)) + (h << 3)); - rlimb1 = (dlimb_t)((c[DIGITS - i / 2 - 1] >> (LGX - LPR_BITS)) + ((h >> 1) << 3)); - lpr_data[i / 2] = (uint8_t)((rlimb0 & 0xF) | rlimb1 << 4); - } - - cshake256_inc_finalize(&ctx); - cshake256_inc_squeeze(shared_secret, SHARED_SECRET_BYTES, &ctx); - cshake256_inc_ctx_release(&ctx); -} - -/* Decapsulate a shared secret and return it */ -void PQCLEAN_BABYBEAR_CLEAN_decapsulate( - uint8_t shared_secret[SHARED_SECRET_BYTES], - const uint8_t capsule[CAPSULE_BYTES], - const uint8_t sk[PRIVATE_KEY_BYTES] -) { - const uint8_t *lpr_data = &capsule[GF_BYTES * DIM]; - shake256incctx ctx; - gf_t ska, b, c = {0}; - uint8_t seed[ENC_SEED_BYTES + FEC_BYTES + IV_BYTES]; - limb_t rounding, out; - size_t j; - limb_t our_rlimb, their_rlimb, delta; - uint8_t pk[PUBLIC_KEY_BYTES], capsule2[CAPSULE_BYTES]; - uint8_t ret, ok, sep, prfk[PRF_KEY_BYTES]; - uint8_t prfout[SHARED_SECRET_BYTES]; - - /* Calculate approximate shared secret */ - threebears_hash_init(&ctx, HASH_PURPOSE_KEYGEN); - cshake256_inc_absorb(&ctx, sk, PRIVATE_KEY_BYTES); - - for (uint8_t i = 0; i < DIM; i++) { - PQCLEAN_BABYBEAR_CLEAN_expand(b, &capsule[i * GF_BYTES]); - noise(ska, &ctx, i); - PQCLEAN_BABYBEAR_CLEAN_mac(c, ska, b); - } - - /* Recover seed from LPR data */ - PQCLEAN_BABYBEAR_CLEAN_canon(c); - rounding = 1 << (LPR_BITS - 1); - out = 0; - for (int32_t i = ENC_BITS - 1; i >= 0; i--) { - j = (size_t) ((i & 1) ? 
DIGITS - i / 2 - 1 : i / 2); - our_rlimb = (limb_t)(c[j] >> (LGX - LPR_BITS - 1)); - their_rlimb = (limb_t)(lpr_data[i * LPR_BITS / 8] >> ((i * LPR_BITS) % 8)); - delta = (limb_t)(their_rlimb * 2 - our_rlimb + rounding); - out |= (limb_t)(((delta >> LPR_BITS) & 1) << (i % 8)); - if (i % 8 == 0) { - seed[i / 8] = (uint8_t)out; - out = 0; - } - } - PQCLEAN_BABYBEAR_CLEAN_melas_fec_correct(seed, ENC_SEED_BYTES, &seed[ENC_SEED_BYTES]); - - /* Re-encapsulate and check; encapsulate will compute the shared secret */ - PQCLEAN_BABYBEAR_CLEAN_get_pubkey(pk, sk); - memcpy(&seed[ENC_SEED_BYTES], &lpr_data[(ENC_BITS * LPR_BITS + 7) / 8], IV_BYTES); - PQCLEAN_BABYBEAR_CLEAN_encapsulate(shared_secret, capsule2, pk, seed); - - /* Check capsule == capsule2 in constant time */ - ret = 0; - for (size_t i = 0; i < CAPSULE_BYTES; i++) { - ret |= capsule[i] ^ capsule2[i]; - } - ok = (uint8_t)(((int)ret - 1) >> 8); - - /* Calculate PRF key */ - sep = 0xFF; - cshake256_inc_absorb(&ctx, &sep, 1); - cshake256_inc_finalize(&ctx); - cshake256_inc_squeeze(prfk, PRF_KEY_BYTES, &ctx); - cshake256_inc_ctx_release(&ctx); - - /* Calculate PRF */ - threebears_hash_init(&ctx, HASH_PURPOSE_PRF); - cshake256_inc_absorb(&ctx, prfk, PRF_KEY_BYTES); - cshake256_inc_absorb(&ctx, capsule, CAPSULE_BYTES); - cshake256_inc_finalize(&ctx); - cshake256_inc_squeeze(prfout, SHARED_SECRET_BYTES, &ctx); - cshake256_inc_ctx_release(&ctx); - - for (size_t i = 0; i < SHARED_SECRET_BYTES; i++) { - shared_secret[i] = (uint8_t)((shared_secret[i] & ok) | (prfout[i] & ~ok)); - } -} diff --git a/crypto_kem/babybear/clean/threebears.h b/crypto_kem/babybear/clean/threebears.h deleted file mode 100644 index 8157ec94..00000000 --- a/crypto_kem/babybear/clean/threebears.h +++ /dev/null 
@@ -1,58 +0,0 @@ -#ifndef __THREE_BEARS_BABYBEAR_H__ -#define __THREE_BEARS_BABYBEAR_H__ - -#include /* for size_t */ -#include - -#define BABYBEAR_KEYGEN_SEED_BYTES 40 -#define BABYBEAR_PRIVATE_KEY_BYTES BABYBEAR_KEYGEN_SEED_BYTES -#define BABYBEAR_SHARED_SECRET_BYTES 32 -#define BABYBEAR_ENC_SEED_AND_IV_BYTES 32 -#define BABYBEAR_PUBLIC_KEY_BYTES 804 -#define BABYBEAR_CAPSULE_BYTES 917 - -/** - * Expand a secret seed to a public/private keypair. - * - * @param[out] pk The public key. - * @param[in] sk The private key, which must be uniformly random. - */ -void PQCLEAN_BABYBEAR_CLEAN_get_pubkey ( - uint8_t pk[BABYBEAR_PUBLIC_KEY_BYTES], - const uint8_t sk[BABYBEAR_PRIVATE_KEY_BYTES] -); - -/** - * Create a shared secret using a random seed and another party's public key. - * - * Input and output parameters may not alias. - * - * @param[out] shared_secret The shared secret key. - * @param[out] capsule A ciphertext to send to the other party. - * @param[in] pk The other party's public key. - * @param[in] seed A random seed. - */ -void PQCLEAN_BABYBEAR_CLEAN_encapsulate ( - uint8_t shared_secret[BABYBEAR_SHARED_SECRET_BYTES], - uint8_t capsule[BABYBEAR_CAPSULE_BYTES], - const uint8_t pk[BABYBEAR_PUBLIC_KEY_BYTES], - const uint8_t seed[BABYBEAR_ENC_SEED_AND_IV_BYTES] -); - -/** - * Extract the shared secret from a capsule using the private key. - * Has a negligible but nonzero probability of failure. - * - * Input and output parameters may not alias. - * - * @param[out] shared_secret The shared secret. - * @param[in] capsule The capsule produced by encapsulate_cca2. - * @param[in] sk The private key. - */ -void PQCLEAN_BABYBEAR_CLEAN_decapsulate ( - uint8_t shared_secret[BABYBEAR_SHARED_SECRET_BYTES], - const uint8_t capsule[BABYBEAR_CAPSULE_BYTES], - const uint8_t sk[BABYBEAR_PRIVATE_KEY_BYTES] -); - -#endif diff --git a/crypto_kem/ledakemlt12/META.yml b/crypto_kem/ledakemlt12/META.yml deleted file mode 100644 index e8de5a28..00000000 
--- a/crypto_kem/ledakemlt12/META.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-name: LEDAKEMLT12
-type: kem
-claimed-nist-level: 1
-claimed-security: IND-CCA2
-length-public-key: 6520
-length-secret-key: 50
-length-ciphertext: 6544
-length-shared-secret: 32
-nistkat-sha256: c0bd75093e2bbae8bf5717939c59c3c695ee9a60d765fcf6fb06d8db385b04c7
-principal-submitters:
- - Marco Baldi
-auxiliary-submitters:
- - Alessandro Barenghi
- - Franco Chiaraluce
- - Gerardo Pelosi
- - Paolo Santini
-implementations:
- - name: leaktime
- version: 2.1
diff --git a/crypto_kem/ledakemlt12/leaktime/H_Q_matrices_generation.c b/crypto_kem/ledakemlt12/leaktime/H_Q_matrices_generation.c
deleted file mode 100644
index 14149d27..00000000
--- a/crypto_kem/ledakemlt12/leaktime/H_Q_matrices_generation.c
+++ /dev/null
@@ -1,52 +0,0 @@ -#include "H_Q_matrices_generation.h" -#include "gf2x_arith_mod_xPplusOne.h" - -void PQCLEAN_LEDAKEMLT12_LEAKTIME_generateHPosOnes(POSITION_T HPosOnes[N0][DV], AES_XOF_struct *keys_expander) { - for (size_t i = 0; i < N0; i++) { - /* Generate a random block of Htr */ - PQCLEAN_LEDAKEMLT12_LEAKTIME_rand_circulant_sparse_block(&HPosOnes[i][0], DV, keys_expander); - } -} - -void PQCLEAN_LEDAKEMLT12_LEAKTIME_generateQPosOnes(POSITION_T QPosOnes[N0][M], AES_XOF_struct *keys_expander) { - size_t placed_ones; - - for (size_t i = 0; i < N0; i++) { - placed_ones = 0; - for (size_t j = 0; j < N0; j++) { - PQCLEAN_LEDAKEMLT12_LEAKTIME_rand_circulant_sparse_block(&QPosOnes[i][placed_ones], - qBlockWeights[i][j], - keys_expander); - placed_ones += qBlockWeights[i][j]; - } - } -} - -void PQCLEAN_LEDAKEMLT12_LEAKTIME_transposeHPosOnes(POSITION_T HtrPosOnes[N0][DV], POSITION_T HPosOnes[N0][DV]) { - for (size_t i = 0; i < N0; i++) { - /* Obtain directly the sparse representation of the block of H */ - for (size_t k = 0; k < DV; k++) { - HtrPosOnes[i][k] = (P - HPosOnes[i][k]) % P; /* transposes indexes */ - } - } -} - -void PQCLEAN_LEDAKEMLT12_LEAKTIME_transposeQPosOnes(POSITION_T QtrPosOnes[N0][M], POSITION_T QPosOnes[N0][M]) { - POSITION_T transposed_ones_idx[N0] = {0x00}; - size_t currQoneIdx, endQblockIdx; - - for (size_t source_row_idx = 0; source_row_idx < N0 ; source_row_idx++) { - currQoneIdx = 0; // position in the column of QtrPosOnes[][...] - endQblockIdx = 0; - for (int blockIdx = 0; blockIdx < N0; blockIdx++) { - endQblockIdx += qBlockWeights[source_row_idx][blockIdx]; - for (; currQoneIdx < endQblockIdx; currQoneIdx++) { - QtrPosOnes[blockIdx][transposed_ones_idx[blockIdx]] = - (P - QPosOnes[source_row_idx][currQoneIdx]) % P; - transposed_ones_idx[blockIdx]++; - } - } - } -} - - 
diff --git a/crypto_kem/ledakemlt12/leaktime/H_Q_matrices_generation.h b/crypto_kem/ledakemlt12/leaktime/H_Q_matrices_generation.h
deleted file mode 100644
index 0e6856d1..00000000
--- a/crypto_kem/ledakemlt12/leaktime/H_Q_matrices_generation.h
+++ /dev/null
@@ -1,13 +0,0 @@
-#ifndef H_Q_MATRICES_GENERATION_H
-#define H_Q_MATRICES_GENERATION_H
-
-#include "gf2x_arith.h"
-#include "qc_ldpc_parameters.h"
-#include "rng.h"
-
-void PQCLEAN_LEDAKEMLT12_LEAKTIME_generateHPosOnes(POSITION_T HPosOnes[N0][DV], AES_XOF_struct *keys_expander);
-void PQCLEAN_LEDAKEMLT12_LEAKTIME_generateQPosOnes(POSITION_T QPosOnes[N0][M], AES_XOF_struct *keys_expander);
-void PQCLEAN_LEDAKEMLT12_LEAKTIME_transposeHPosOnes(POSITION_T HtrPosOnes[N0][DV], POSITION_T HPosOnes[N0][DV]);
-void PQCLEAN_LEDAKEMLT12_LEAKTIME_transposeQPosOnes(POSITION_T QtrPosOnes[N0][M], POSITION_T QPosOnes[N0][M]);
-
-#endif
diff --git a/crypto_kem/ledakemlt12/leaktime/LICENSE b/crypto_kem/ledakemlt12/leaktime/LICENSE
deleted file mode 100644
index c1761078..00000000
--- a/crypto_kem/ledakemlt12/leaktime/LICENSE
+++ /dev/null
@@ -1,31 +0,0 @@ -/** - * - * LEDAcryptKEM - * - * @version 2.0 (March 2019) - * - * Adapted code from reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher. - * - * In alphabetical order: - * - * @author Marco Baldi - * @author Alessandro Barenghi - * @author Franco Chiaraluce - * @author Gerardo Pelosi - * @author Paolo Santini - * - * This code is hereby placed in the public domain. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS - * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR - * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE - * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, - * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - * - **/ diff --git a/crypto_kem/ledakemlt12/leaktime/Makefile b/crypto_kem/ledakemlt12/leaktime/Makefile deleted file mode 100644 index 8948dfcf..00000000 --- a/crypto_kem/ledakemlt12/leaktime/Makefile +++ /dev/null 
@@ -1,24 +0,0 @@
-# This Makefile can be used with GNU Make or BSD Make
-
-LIB=libledakemlt12_leaktime.a
-HEADERS=api.h bf_decoding.h dfr_test.h gf2x_arith_mod_xPplusOne.h \
- gf2x_arith.h H_Q_matrices_generation.h \
- niederreiter.h qc_ldpc_parameters.h rng.h sort.h utils.h
-
-OBJECTS=bf_decoding.o dfr_test.o gf2x_arith_mod_xPplusOne.o \
- gf2x_arith.o H_Q_matrices_generation.o kem.o niederreiter.o rng.o sort.o utils.o
-
-CFLAGS=-O3 -Wall -Werror -Wextra -Wvla -Wpedantic -Wmissing-prototypes -std=c99 \
- -I../../../common $(EXTRAFLAGS)
-
-all: $(LIB)
-
-%.o: %.c $(HEADERS)
- $(CC) $(CFLAGS) -c -o $@ $<
-
-$(LIB): $(OBJECTS)
- $(AR) -r $@ $(OBJECTS)
-
-clean:
- $(RM) $(OBJECTS)
- $(RM) $(LIB)
diff --git a/crypto_kem/ledakemlt12/leaktime/Makefile.Microsoft_nmake b/crypto_kem/ledakemlt12/leaktime/Makefile.Microsoft_nmake
deleted file mode 100644
index 3b35cd44..00000000
--- a/crypto_kem/ledakemlt12/leaktime/Makefile.Microsoft_nmake
+++ /dev/null
@@ -1,19 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=libledakemlt12_leaktime.lib
-OBJECTS=bf_decoding.obj dfr_test.obj gf2x_arith_mod_xPplusOne.obj gf2x_arith.obj H_Q_matrices_generation.obj kem.obj niederreiter.obj rng.obj sort.obj utils.obj
-
-CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_kem/ledakemlt12/leaktime/api.h b/crypto_kem/ledakemlt12/leaktime/api.h
deleted file mode 100644
index d5d741cc..00000000
--- a/crypto_kem/ledakemlt12/leaktime/api.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef PQCLEAN_LEDAKEMLT12_LEAKTIME_API_H
-#define PQCLEAN_LEDAKEMLT12_LEAKTIME_API_H
-
-#include 
-
-#define PQCLEAN_LEDAKEMLT12_LEAKTIME_CRYPTO_SECRETKEYBYTES 50
-#define PQCLEAN_LEDAKEMLT12_LEAKTIME_CRYPTO_PUBLICKEYBYTES 6520
-#define PQCLEAN_LEDAKEMLT12_LEAKTIME_CRYPTO_CIPHERTEXTBYTES 6544
-#define PQCLEAN_LEDAKEMLT12_LEAKTIME_CRYPTO_BYTES 32
-
-#define PQCLEAN_LEDAKEMLT12_LEAKTIME_CRYPTO_ALGNAME "LEDAKEMLT12"
-
-int PQCLEAN_LEDAKEMLT12_LEAKTIME_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
-int PQCLEAN_LEDAKEMLT12_LEAKTIME_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int PQCLEAN_LEDAKEMLT12_LEAKTIME_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
-
-#endif
diff --git a/crypto_kem/ledakemlt12/leaktime/bf_decoding.c b/crypto_kem/ledakemlt12/leaktime/bf_decoding.c
deleted file mode 100644
index 3faa117c..00000000
--- a/crypto_kem/ledakemlt12/leaktime/bf_decoding.c
+++ /dev/null
@@ -1,79 +0,0 @@ -#include "bf_decoding.h" -#include "gf2x_arith_mod_xPplusOne.h" - -#include - -int PQCLEAN_LEDAKEMLT12_LEAKTIME_bf_decoding(DIGIT err[], - const POSITION_T HtrPosOnes[N0][DV], - const POSITION_T QtrPosOnes[N0][M], - DIGIT privateSyndrome[], - uint8_t secondIterThreshold) { - - DIGIT currSyndrome[NUM_DIGITS_GF2X_ELEMENT]; - uint8_t unsatParityChecks[N0 * P]; - POSITION_T currQBlkPos[M], currQBitPos[M]; - POSITION_T syndromePosToFlip, tmp; - uint32_t correlation, corrt_syndrome_based; - size_t currQoneIdx, endQblockIdx, currblockoffset; - int check; - int iteration = 0; - - do { - PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_copy(currSyndrome, privateSyndrome); - memset(unsatParityChecks, 0x00, N0 * P * sizeof(uint8_t)); - for (size_t i = 0; i < N0; i++) { - for (POSITION_T valueIdx = 0; valueIdx < P; valueIdx++) { - for (size_t HtrOneIdx = 0; HtrOneIdx < DV; HtrOneIdx++) { - tmp = (HtrPosOnes[i][HtrOneIdx] + valueIdx) >= P ? - (HtrPosOnes[i][HtrOneIdx] + valueIdx) - P : - (HtrPosOnes[i][HtrOneIdx] + valueIdx); - if (PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_get_coeff(currSyndrome, tmp)) { - unsatParityChecks[i * P + valueIdx]++; - } - } - } - } - - /* iteration based threshold determination*/ - corrt_syndrome_based = iteration * secondIterThreshold + (1 - iteration) * B0; - - // Computation of correlation with a full Q matrix - for (size_t i = 0; i < N0; i++) { - for (POSITION_T j = 0; j < P; j++) { - currQoneIdx = endQblockIdx = 0; - correlation = 0; - - for (size_t blockIdx = 0; blockIdx < N0; blockIdx++) { - endQblockIdx += qBlockWeights[blockIdx][i]; - currblockoffset = blockIdx * P; - for (; currQoneIdx < endQblockIdx; currQoneIdx++) { - tmp = QtrPosOnes[i][currQoneIdx] + j; - tmp = tmp >= P ? 
tmp - P : tmp; - currQBitPos[currQoneIdx] = tmp; - currQBlkPos[currQoneIdx] = (POSITION_T)blockIdx; - correlation += unsatParityChecks[tmp + currblockoffset]; - } - } - - /* Correlation based flipping */ - if (correlation >= corrt_syndrome_based) { - PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_toggle_coeff(err + NUM_DIGITS_GF2X_ELEMENT * i, j); - for (size_t v = 0; v < M; v++) { - for (size_t HtrOneIdx = 0; HtrOneIdx < DV; HtrOneIdx++) { - syndromePosToFlip = (HtrPosOnes[currQBlkPos[v]][HtrOneIdx] + currQBitPos[v]); - syndromePosToFlip = syndromePosToFlip >= P ? syndromePosToFlip - P : syndromePosToFlip; - PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_toggle_coeff(privateSyndrome, syndromePosToFlip); - } - } // end for v - } // end if - } // end for j - } // end for i - - iteration = iteration + 1; - check = 0; - while (check < NUM_DIGITS_GF2X_ELEMENT && privateSyndrome[check++] == 0) {}; - - } while (iteration < ITERATIONS_MAX && check < NUM_DIGITS_GF2X_ELEMENT); - - return (check == NUM_DIGITS_GF2X_ELEMENT); -} diff --git a/crypto_kem/ledakemlt12/leaktime/bf_decoding.h b/crypto_kem/ledakemlt12/leaktime/bf_decoding.h deleted file mode 100644 index 6c62f4b3..00000000 --- a/crypto_kem/ledakemlt12/leaktime/bf_decoding.h +++ /dev/null @@ -1,18 +0,0 @@ -#ifndef BF_DECODING_H -#define BF_DECODING_H - -#include "gf2x_arith.h" -#include "qc_ldpc_parameters.h" - -/* Definitions for DFR level 2^-SL with SL=128 */ -#define ITERATIONS_MAX (2) -#define B0 (43) -#define T_BAR (4) - -int PQCLEAN_LEDAKEMLT12_LEAKTIME_bf_decoding(DIGIT err[], - const POSITION_T HtrPosOnes[N0][DV], - const POSITION_T QtrPosOnes[N0][M], - DIGIT privateSyndrome[], - uint8_t threshold); // B2 - -#endif diff --git a/crypto_kem/ledakemlt12/leaktime/dfr_test.c b/crypto_kem/ledakemlt12/leaktime/dfr_test.c deleted file mode 100644 index 5669c288..00000000 --- a/crypto_kem/ledakemlt12/leaktime/dfr_test.c +++ /dev/null 
@@ -1,88 +0,0 @@ -#include "bf_decoding.h" -#include "dfr_test.h" -#include "gf2x_arith_mod_xPplusOne.h" -#include "qc_ldpc_parameters.h" -#include "sort.h" - -#include - - -int PQCLEAN_LEDAKEMLT12_LEAKTIME_DFR_test(POSITION_T LSparse[N0][DV * M], uint8_t *secondIterThreshold) { - - POSITION_T LSparse_loc[N0][DV * M]; /* vector of N_0 sparse blocks */ - uint8_t gamma[N0][N0][P] = {{{0}}}; - uint32_t gammaHist[N0][DV * M + 1] = {{0}}; - size_t maxMut[N0], maxMutMinusOne[N0]; - size_t allBlockMaxSumst, allBlockMaxSumstMinusOne; - size_t histIdx, toAdd; - - for (size_t i = 0; i < N0; i++) { - for (size_t j = 0; j < DV * M; j++) { - if (LSparse[i][j] != 0) { - LSparse_loc[i][j] = (P - LSparse[i][j]); - } - } - PQCLEAN_LEDAKEMLT12_LEAKTIME_uint32_sort(LSparse_loc[i], DV * M); - } - - - for (size_t i = 0; i < N0; i++ ) { - for (size_t j = 0; j < N0; j++) { - for (size_t k = 0; k < (DV * M); k++) { - for (size_t l = 0; l < (DV * M); l++) { - gamma[i][j][(P + LSparse_loc[i][k] - LSparse_loc[j][l]) % P]++; - } - } - } - } - - for (size_t i = 0; i < N0; i++ ) { - for (size_t j = 0; j < N0; j++ ) { - gamma[i][j][0] = 0; - } - } - - /* build histogram of values in gamma */ - for (size_t i = 0; i < N0; i++ ) { - for (size_t j = 0; j < N0; j++ ) { - for (size_t k = 0; k < P; k++) { - gammaHist[i][gamma[i][j][k]]++; - } - } - } - - - for (size_t gammaBlockRowIdx = 0; gammaBlockRowIdx < N0; gammaBlockRowIdx++) { - maxMutMinusOne[gammaBlockRowIdx] = 0; - histIdx = DV * M; - toAdd = T_BAR - 1; - while ( (histIdx > 0) && (toAdd > 0)) { - if (gammaHist[gammaBlockRowIdx][histIdx] > toAdd ) { - maxMutMinusOne[gammaBlockRowIdx] += histIdx * toAdd; - toAdd = 0; - } else { - maxMutMinusOne[gammaBlockRowIdx] += histIdx * gammaHist[gammaBlockRowIdx][histIdx]; - toAdd -= gammaHist[gammaBlockRowIdx][histIdx]; - histIdx--; - } - } - maxMut[gammaBlockRowIdx] = histIdx + maxMutMinusOne[gammaBlockRowIdx]; - } - - /*seek max values across all gamma blocks */ - allBlockMaxSumst = maxMut[0]; - 
allBlockMaxSumstMinusOne = maxMutMinusOne[0]; - for (size_t gammaBlockRowIdx = 0; gammaBlockRowIdx < N0; gammaBlockRowIdx++) { - allBlockMaxSumst = allBlockMaxSumst < maxMut[gammaBlockRowIdx] ? - maxMut[gammaBlockRowIdx] : - allBlockMaxSumst; - allBlockMaxSumstMinusOne = allBlockMaxSumstMinusOne < maxMutMinusOne[gammaBlockRowIdx] ? - maxMutMinusOne[gammaBlockRowIdx] : - allBlockMaxSumstMinusOne; - } - if (DV * M > (allBlockMaxSumstMinusOne + allBlockMaxSumst)) { - *secondIterThreshold = (uint8_t) (allBlockMaxSumst + 1); - return 1; - } - return 0; -} diff --git a/crypto_kem/ledakemlt12/leaktime/dfr_test.h b/crypto_kem/ledakemlt12/leaktime/dfr_test.h deleted file mode 100644 index ad35e440..00000000 --- a/crypto_kem/ledakemlt12/leaktime/dfr_test.h +++ /dev/null @@ -1,6 +0,0 @@ -#ifndef DFR_TEST_H -#define DFR_TEST_H - -int PQCLEAN_LEDAKEMLT12_LEAKTIME_DFR_test(POSITION_T LSparse[N0][DV * M], uint8_t *secondIterThreshold); - -#endif diff --git a/crypto_kem/ledakemlt12/leaktime/gf2x_arith.c b/crypto_kem/ledakemlt12/leaktime/gf2x_arith.c deleted file mode 100644 index 086d4a2c..00000000 --- a/crypto_kem/ledakemlt12/leaktime/gf2x_arith.c +++ /dev/null 
@@ -1,252 +0,0 @@ -#include "gf2x_arith.h" - -#include // memset(...) - -void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_add(DIGIT Res[], const DIGIT A[], const DIGIT B[], size_t n) { - for (size_t i = 0; i < n; i++) { - Res[i] = A[i] ^ B[i]; - } -} - -/* copies len digits from a to r if b == 1 */ -void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_cmov(DIGIT *r, const DIGIT *a, size_t len, int c) { - DIGIT mask = (DIGIT)(-c); - for (size_t i = 0; i < len; i++) { - r[i] ^= mask & (a[i] ^ r[i]); - } -} - -/* PRE: MAX ALLOWED ROTATION AMOUNT : DIGIT_SIZE_b */ -void PQCLEAN_LEDAKEMLT12_LEAKTIME_right_bit_shift_n(size_t length, DIGIT in[], size_t amount) { - if ( amount == 0 ) { - return; - } - size_t j; - DIGIT mask; - mask = ((DIGIT)0x01 << amount) - 1; - for (j = length - 1; j > 0; j--) { - in[j] >>= amount; - in[j] |= (in[j - 1] & mask) << (DIGIT_SIZE_b - amount); - } - in[j] >>= amount; -} - -/* PRE: MAX ALLOWED ROTATION AMOUNT : DIGIT_SIZE_b */ -void PQCLEAN_LEDAKEMLT12_LEAKTIME_left_bit_shift_n(size_t length, DIGIT in[], size_t amount) { - if ( amount == 0 ) { - return; - } - size_t j; - DIGIT mask; - mask = ~(((DIGIT)0x01 << (DIGIT_SIZE_b - amount)) - 1); - for (j = 0 ; j < length - 1; j++) { - in[j] <<= amount; - in[j] |= (in[j + 1] & mask) >> (DIGIT_SIZE_b - amount); - } - in[j] <<= amount; -} - - -static void gf2x_mul1(DIGIT *R, const DIGIT A, const DIGIT B) { - DIGIT tmp; - - R[0] = 0; - R[1] = (A & 1) * B; - for (uint8_t i = 1; i < DIGIT_SIZE_b; i++) { - tmp = ((A >> i) & 1) * B; - R[1] ^= tmp << i; - R[0] ^= tmp >> (DIGIT_SIZE_b - i); - } -} - -static void gf2x_mul_n(DIGIT *R, const DIGIT *A, const DIGIT *B, size_t n) { - DIGIT tmp[2]; - - memset(R, 0x00, 2 * n * sizeof(DIGIT)); - for (size_t i = 0; i < n; i++) { - for (size_t j = 0; j < n; j++) { - gf2x_mul1(tmp, A[i], B[j]); - R[i + j] ^= tmp[0]; - R[i + j + 1] ^= tmp[1]; - } - } -} - -static void gf2x_cpy(DIGIT *R, const DIGIT *A, size_t len) { - for (size_t i = 0; i < len; i++) { - R[i] = A[i]; - } -} - -/* Accumulate */ 
-#define gf2x_add(R, A, B, n) PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_add(R, A, B, n) -#define gf2x_acc(R, B, n) PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_add(R, R, B, n) - -/* allows the operands to be of different size - * first operand must be the bigger one. - * aligns last array elements */ -static inline void gf2x_add_asymm(DIGIT *R, - size_t na, const DIGIT *A, - size_t nb, const DIGIT *B) { - size_t delta = na - nb; - gf2x_cpy(R, A, delta); - gf2x_add(R + delta, A + delta, B, nb);; -} - -/* aligns first array elements */ -static inline void gf2x_add_asymm2(DIGIT *R, - size_t na, const DIGIT *A, - size_t nb, const DIGIT *B) { - size_t delta = na - nb; - gf2x_add(R, A, B, nb); - gf2x_cpy(R + nb, A + nb, delta); -} - -/* Karatsuba with lowered space complexity - * T(n) = 3 * ceil(n/2) + T(ceil(n / 2)) */ -static void gf2x_mul_kar(DIGIT *R, - const DIGIT *A, - const DIGIT *B, - size_t n, - DIGIT *stack) { - - if (n < MIN_KAR_DIGITS) { - gf2x_mul_n(R, A, B, n); - return; - } - - size_t l = (n + 1) / 2; // limb size = ceil(n / 2) - size_t d = n & 1; - - const DIGIT *a1 = A; // length n - d - const DIGIT *a0 = A + l - d; // length n - const DIGIT *b1 = B; - const DIGIT *b0 = B + l - d; - - DIGIT *aa = stack; - DIGIT *bb = aa + l; - DIGIT *cc = bb + l; - stack = cc + l; // 3l space requirement at each level - - DIGIT *c3 = R + l - 2 * d; - DIGIT *c2 = c3 + l; - DIGIT *c1 = c2 + l; - - gf2x_mul_kar(c2, a0, b0, l, stack); // L in low part of R - gf2x_mul_kar(R, a1, b1, l - d, stack); // H in higher part of R - gf2x_add_asymm(aa, l, a0, l - d, a1); // AH + AL - gf2x_add_asymm(bb, l, b0, l - d, b1); // BH + BL - gf2x_add(cc, c3, c2, l); // HL + LH in cc - gf2x_mul_kar(c3, aa, bb, l, stack); // M = (AH + AL) x (BH + BL) - gf2x_add_asymm(c3, l, c3, l - 2 * d, R); // add HH - gf2x_acc(c2, c1, l); // add LL - gf2x_acc(c3, cc, l); // add HL + LH - gf2x_acc(c2, cc, l); // add HL + LH -} - -static void gf2x_div_w_plus_one(DIGIT *A, size_t n) { - size_t i; - for (i = 0; i < n - 2; i++) { - 
A[i + 1] ^= A[i]; // runs n - 2 times - } -} - -static void gf2x_shift_left_w(DIGIT *A, size_t n) { - size_t i; - for (i = 0; i < n - 1; i++) { - A[i] = A[i + 1]; - } - A[i] = 0; -} - -/* Word-aligned Toom-Cook 3, source: - * Brent, Richard P., et al. "Faster multiplication in GF (2)[x]." - * International Algorithmic Number Theory Symposium. - * Springer, Berlin, Heidelberg, 2008. */ -static void gf2x_mul_tc3w(DIGIT *R, - const DIGIT *A, - const DIGIT *B, - size_t n, - DIGIT *stack) { - - if (n < MIN_TOOM_DIGITS) { - gf2x_mul_kar(R, A, B, n, stack); - return; - } - - size_t l = (n + 2) / 3; // size of a0, a1, b0, b1 - size_t r = n - 2 * l; // remaining sizes (a2, b2) - size_t x = 2 * l + 4; // size of c1, c2, c3, c4 - size_t z = r + 2 > l + 1 ? r + 2 : l + 1; // size of c5 - - const DIGIT *a0 = A; - const DIGIT *a1 = A + l; - const DIGIT *a2 = A + 2 * l; - const DIGIT *b0 = B; - const DIGIT *b1 = B + l; - const DIGIT *b2 = B + 2 * l; - - DIGIT *c0 = R; // c0 and c4 in the result - DIGIT *c4 = R + 4 * l; - DIGIT *c1 = stack; // the rest in the stack - DIGIT *c2 = c1 + x; - DIGIT *c3 = c2 + x; - DIGIT *c5 = c3 + x; - stack = c5 + z; // Worst-case 7l + 14 - - // Evaluation - c0[0] = 0; // c0[z] = a1*W + a2*W^2 - c0[l + 1] = 0; - gf2x_cpy(c0 + 1, a1, l); - gf2x_acc(c0 + 2, a2, r); - - c4[0] = 0; // c4[z] = b1*W + b2*W^2 - c4[l + 1] = 0; - gf2x_cpy(c4 + 1, b1, l); - gf2x_acc(c4 + 2, b2, r); - - gf2x_cpy(c5, a0, l); // c5[l] = a0 + a1 + a2 - gf2x_acc(c5, a1, l); - gf2x_acc(c5, a2, r); - - gf2x_cpy(c2, b0, l); // c2[l] = b0 + b1 + b2 - gf2x_acc(c2, b1, l); - gf2x_acc(c2, b2, r); - - gf2x_mul_tc3w(c1, c2, c5, l, stack); // c1[2l] = c2 * c5 - gf2x_add_asymm2(c5, z, c0, l, c5); // c5[z] += c0, z >= l - gf2x_add_asymm2(c2, z, c4, l, c2); // c2[z] += c4, idem - gf2x_acc(c0, a0, l); // c0[l] += a0 - gf2x_acc(c4, b0, l); // c4[l] += b0 - gf2x_mul_tc3w(c3, c2, c5, z, stack); // c3[2z] = c2 * c5 - gf2x_mul_tc3w(c2, c0, c4, z, stack); // c2[2z] = c0 * c4 - gf2x_mul_tc3w(c0, a0, 
b0, l, stack); // c0[2l] = a0 * b0 - gf2x_mul_tc3w(c4, a2, b2, r, stack); // c4[2r] = a2 * b2 - - // Interpolation - gf2x_acc(c3, c2, 2 * z); // c3[2z] += c2 - gf2x_acc(c2, c0, 2 * l); // c2[2z] += c0 - gf2x_shift_left_w(c2, 2 * z); // c2[2z] = c2/y + c3 - gf2x_acc(c2, c3, 2 * z); - gf2x_acc(c2, c4, 2 * r); // c2[2z] += c4 + c4**3 - gf2x_acc(c2 + 3, c4, 2 * r); - gf2x_div_w_plus_one(c2, 2 * z); // c2[2z-1] = c2/(W+1) - gf2x_acc(c1, c0, 2 * l); // c1[2l] += c0 - gf2x_acc(c3, c1, 2 * l); // c3[2z] += c1 - gf2x_shift_left_w(c3, 2 * z); // c3[2z-2] = c3/(W^2 + W) - gf2x_div_w_plus_one(c3, 2 * z - 1); - gf2x_add_asymm2(c1, 2 * z, c2, 2 * l, c1); // c1[2z-1] += c2 + c4 - gf2x_acc(c1, c4, 2 * r); // size c2 >= c1 >= c4 - gf2x_acc(c2, c3, 2 * z - 1); // c2[2z-1] += c3 - - // Recombination - gf2x_cpy(R + 2 * l, c2, 2 * l); - gf2x_acc(R + l, c1, 2 * z - 1); - gf2x_acc(R + 3 * l, c3, 2 * z - 1); -} - -void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mul(DIGIT *R, const DIGIT *A, const DIGIT *B, size_t n) { - DIGIT stack[STACK_WORDS]; - gf2x_mul_tc3w(R, A, B, n, stack); -} - diff --git a/crypto_kem/ledakemlt12/leaktime/gf2x_arith.h b/crypto_kem/ledakemlt12/leaktime/gf2x_arith.h deleted file mode 100644 index bce971aa..00000000 --- a/crypto_kem/ledakemlt12/leaktime/gf2x_arith.h +++ /dev/null 
@@ -1,63 +0,0 @@
-#ifndef GF2X_ARITH_H
-#define GF2X_ARITH_H
-
-#include
-#include
-
-/*
- * Elements of GF(2)[x] are stored in compact dense binary form.
- *
- * Each bit in a byte is assumed to be the coefficient of a binary
- * polynomial f(x), in Big-Endian format (i.e., reading everything from
- * left to right, the most significant element is met first):
- *
- * byte:(0000 0000) == 0x00 ... f(x) == 0
- * byte:(0000 0001) == 0x01 ... f(x) == 1
- * byte:(0000 0010) == 0x02 ... f(x) == x
- * byte:(0000 0011) == 0x03 ... f(x) == x+1
- * ... ... ...
- * byte:(0000 1111) == 0x0F ... f(x) == x^{3}+x^{2}+x+1
- * ... ... ...
- * byte:(1111 1111) == 0xFF ... f(x) == x^{7}+x^{6}+x^{5}+x^{4}+x^{3}+x^{2}+x+1
- *
- *
- * A "machine word" (A_i) is considered as a DIGIT.
- * Bytes in a DIGIT are assumed in Big-Endian format:
- * E.g., if sizeof(DIGIT) == 4:
- * A_i: A_{i,3} A_{i,2} A_{i,1} A_{i,0}.
- * A_{i,3} denotes the most significant byte, A_{i,0} the least significant one.
- * f(x) == x^{31} + ... + x^{24} +
- * + x^{23} + ... + x^{16} +
- * + x^{15} + ... + x^{8} +
- * + x^{7} + ... + x^{0}
- *
- *
- * Multi-precision elements (i.e., with multiple DIGITs) are stored in
- * Big-endian format:
- * A = A_{n-1} A_{n-2} ... A_1 A_0
- *
- * position[A_{n-1}] == 0
- * position[A_{n-2}] == 1
- * ...
- * position[A_{1}] == n-2
- * position[A_{0}] == n-1
- */
-
-typedef uint64_t DIGIT;
-#define DIGIT_SIZE_B (8)
-#define DIGIT_SIZE_b (DIGIT_SIZE_B << 3)
-#define POSITION_T uint32_t
-
-#define MIN_KAR_DIGITS 10
-#define MIN_TOOM_DIGITS 42
-
-#define STACK_KAR_ONLY 2433
-#define STACK_WORDS 2892
-
-void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_add(DIGIT Res[], const DIGIT A[], const DIGIT B[], size_t n);
-void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_cmov(DIGIT *r, const DIGIT *a, size_t len, int c);
-void PQCLEAN_LEDAKEMLT12_LEAKTIME_right_bit_shift_n(size_t length, DIGIT in[], size_t amount);
-void PQCLEAN_LEDAKEMLT12_LEAKTIME_left_bit_shift_n(size_t length, DIGIT in[], size_t amount);
-void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mul(DIGIT *R, const DIGIT *A, const DIGIT *B, size_t n);
-
-#endif
diff --git a/crypto_kem/ledakemlt12/leaktime/gf2x_arith_mod_xPplusOne.c b/crypto_kem/ledakemlt12/leaktime/gf2x_arith_mod_xPplusOne.c
deleted file mode 100644
index 70de3d80..00000000
--- a/crypto_kem/ledakemlt12/leaktime/gf2x_arith_mod_xPplusOne.c
+++ /dev/null
@@ -1,531 +0,0 @@ -#include "gf2x_arith_mod_xPplusOne.h" -#include "rng.h" -#include "sort.h" - -#include // memcpy(...), memset(...) - -void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_copy(DIGIT dest[], const DIGIT in[]) { - for (size_t i = 0; i < NUM_DIGITS_GF2X_ELEMENT; i++) { - dest[i] = in[i]; - } -} - -/* returns the coefficient of the x^exponent term as the LSB of a digit */ -DIGIT PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_get_coeff(const DIGIT poly[], size_t exponent) { - size_t straightIdx = (NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_b - 1) - exponent; - size_t digitIdx = straightIdx / DIGIT_SIZE_b; - size_t inDigitIdx = straightIdx % DIGIT_SIZE_b; - return (poly[digitIdx] >> (DIGIT_SIZE_b - 1 - inDigitIdx)) & ((DIGIT) 1) ; -} - -/* sets the coefficient of the x^exponent term as the LSB of a digit */ -void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_set_coeff(DIGIT poly[], size_t exponent, DIGIT value) { - size_t straightIdx = (NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_b - 1) - exponent; - size_t digitIdx = straightIdx / DIGIT_SIZE_b; - size_t inDigitIdx = straightIdx % DIGIT_SIZE_b; - - /* clear given coefficient */ - DIGIT mask = ~(((DIGIT) 1) << (DIGIT_SIZE_b - 1 - inDigitIdx)); - poly[digitIdx] = poly[digitIdx] & mask; - poly[digitIdx] = poly[digitIdx] | ((value & ((DIGIT) 1)) << (DIGIT_SIZE_b - 1 - inDigitIdx)); -} - -/* toggles (flips) the coefficient of the x^exponent term as the LSB of a digit */ -void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_toggle_coeff(DIGIT poly[], size_t exponent) { - size_t straightIdx = (NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_b - 1) - exponent; - size_t digitIdx = straightIdx / DIGIT_SIZE_b; - size_t inDigitIdx = straightIdx % DIGIT_SIZE_b; - - /* clear given coefficient */ - DIGIT mask = (((DIGIT) 1) << (DIGIT_SIZE_b - 1 - inDigitIdx)); - poly[digitIdx] = poly[digitIdx] ^ mask; -} - -/* population count for an unsigned 64-bit integer - Source: Hacker's delight, p.66 */ -static int popcount_uint64t(uint64_t x) { - x -= (x >> 1) & 0x5555555555555555; - x = (x & 
0x3333333333333333) + ((x >> 2) & 0x3333333333333333); - x = (x + (x >> 4)) & 0x0f0f0f0f0f0f0f0f; - return (int)((x * 0x0101010101010101) >> 56); -} - -/* population count for a single polynomial */ -int PQCLEAN_LEDAKEMLT12_LEAKTIME_population_count(const DIGIT *poly) { - int ret = 0; - for (int i = NUM_DIGITS_GF2X_ELEMENT - 1; i >= 0; i--) { - ret += popcount_uint64t(poly[i]); - } - return ret; -} - -void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_add(DIGIT Res[], const DIGIT A[], const DIGIT B[]) { - PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_add(Res, A, B, NUM_DIGITS_GF2X_ELEMENT); -} - -static void gf2x_mod(DIGIT out[], const DIGIT in[]) { - DIGIT aux[NUM_DIGITS_GF2X_ELEMENT + 1]; - - memcpy(aux, in, (NUM_DIGITS_GF2X_ELEMENT + 1)*DIGIT_SIZE_B); - PQCLEAN_LEDAKEMLT12_LEAKTIME_right_bit_shift_n(NUM_DIGITS_GF2X_ELEMENT + 1, aux, - MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS); - PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_add(out, aux + 1, in + NUM_DIGITS_GF2X_ELEMENT, - NUM_DIGITS_GF2X_ELEMENT); - out[0] &= ((DIGIT)1 << MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS) - 1; -} - -static void right_bit_shift(size_t length, DIGIT in[]) { - size_t j; - for (j = length - 1; j > 0; j--) { - in[j] >>= 1; - in[j] |= (in[j - 1] & (DIGIT)0x01) << (DIGIT_SIZE_b - 1); - } - in[j] >>= 1; -} - - -/* shifts by whole digits */ -static void left_DIGIT_shift_n(size_t length, DIGIT in[], size_t amount) { - size_t j; - for (j = 0; (j + amount) < length; j++) { - in[j] = in[j + amount]; - } - for (; j < length; j++) { - in[j] = (DIGIT)0; - } -} - -/* may shift by an arbitrary amount*/ -static void left_bit_shift_wide_n(size_t length, DIGIT in[], size_t amount) { - left_DIGIT_shift_n(length, in, amount / DIGIT_SIZE_b); - PQCLEAN_LEDAKEMLT12_LEAKTIME_left_bit_shift_n(length, in, amount % DIGIT_SIZE_b); -} - -/* Hackers delight, reverses a uint64_t */ -static DIGIT reverse_digit(DIGIT x) { - uint64_t t; - x = (x << 31) | (x >> 33); - t = (x ^ (x >> 20)) & 0x00000FFF800007FFLL; - x = (t | (t << 20)) ^ x; - t = (x ^ (x >> 8)) & 
0x00F8000F80700807LL; - x = (t | (t << 8)) ^ x; - t = (x ^ (x >> 4)) & 0x0808708080807008LL; - x = (t | (t << 4)) ^ x; - t = (x ^ (x >> 2)) & 0x1111111111111111LL; - x = (t | (t << 2)) ^ x; - return x; -} - -void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_transpose_in_place(DIGIT A[]) { - /* it keeps the lsb in the same position and - * inverts the sequence of the remaining bits */ - - DIGIT mask = (DIGIT)0x1; - DIGIT rev1, rev2, a00; - int slack_bits_amount = NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_b - P; - - a00 = A[NUM_DIGITS_GF2X_ELEMENT - 1] & mask; - right_bit_shift(NUM_DIGITS_GF2X_ELEMENT, A); - - for (size_t i = NUM_DIGITS_GF2X_ELEMENT - 1; i >= (NUM_DIGITS_GF2X_ELEMENT + 1) / 2; i--) { - rev1 = reverse_digit(A[i]); - rev2 = reverse_digit(A[NUM_DIGITS_GF2X_ELEMENT - 1 - i]); - A[i] = rev2; - A[NUM_DIGITS_GF2X_ELEMENT - 1 - i] = rev1; - } - - A[NUM_DIGITS_GF2X_ELEMENT / 2] = reverse_digit(A[NUM_DIGITS_GF2X_ELEMENT / 2]); - - if (slack_bits_amount) { - PQCLEAN_LEDAKEMLT12_LEAKTIME_right_bit_shift_n(NUM_DIGITS_GF2X_ELEMENT, A, slack_bits_amount); - } - A[NUM_DIGITS_GF2X_ELEMENT - 1] = (A[NUM_DIGITS_GF2X_ELEMENT - 1] & (~mask)) | a00; -} - -static void rotate_bit_right(DIGIT in[]) { /* x^{-1} * in(x) mod x^P+1 */ - - DIGIT rotated_bit = in[NUM_DIGITS_GF2X_ELEMENT - 1] & ((DIGIT)0x1); - right_bit_shift(NUM_DIGITS_GF2X_ELEMENT, in); - int msb_offset_in_digit = MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS - 1; - rotated_bit = rotated_bit << msb_offset_in_digit; - in[0] |= rotated_bit; -} - -/* cond swap: swaps digits A and B if swap_mask == -1 */ -static void gf2x_cswap(DIGIT *a, DIGIT *b, int32_t swap_mask) { - DIGIT t; - for (size_t i = 0; i < NUM_DIGITS_GF2X_ELEMENT; i++) { - t = swap_mask & (a[i] ^ b[i]); - a[i] ^= t; - b[i] ^= t; - } -} - -/* returns -1 mask if x != 0, otherwise 0 */ -static inline int32_t nonzero(DIGIT x) { - DIGIT t = x; - t = (~t) + 1; - t >>= DIGIT_SIZE_b - 1; - return -((int32_t)t); -} - -/* returns -1 mask if x < 0 else 0 */ -static inline int32_t 
negative(int x) { - uint32_t u = x; - u >>= 31; - return -((int32_t)u); -} - -/* return f(0) as digit */ -static inline DIGIT lsb(const DIGIT *p) { - DIGIT mask = (DIGIT)1; - return p[NUM_DIGITS_GF2X_ELEMENT - 1] & mask; -} - -/* multiply poly with scalar and accumulate, expects s all-zero of all-one mask */ -static void gf2x_mult_scalar_acc(DIGIT *f, const DIGIT *g, const DIGIT s) { - for (size_t i = 0; i < NUM_DIGITS_GF2X_ELEMENT; i++) { - f[i] = f[i] ^ (s & g[i]); - } -} - -/* constant-time inverse, source: gcd.cr.yp.to */ -int PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_inverse(DIGIT out[], const DIGIT in[]) { - int32_t swap, delta = 1; - DIGIT g0_mask; - - DIGIT f[NUM_DIGITS_GF2X_MODULUS] = {0}; // f = x^P + 1 - DIGIT g[NUM_DIGITS_GF2X_ELEMENT]; // g = in - DIGIT *v = out; // v = 0, save space - DIGIT r[NUM_DIGITS_GF2X_ELEMENT] = {0}; // r = 1 - - f[NUM_DIGITS_GF2X_MODULUS - 1] = 1; - f[0] |= ((DIGIT)1 << MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS); - - for (size_t i = 0; i < NUM_DIGITS_GF2X_ELEMENT; i++) { - g[i] = in[i]; - } - - for (size_t i = 0; i < NUM_DIGITS_GF2X_ELEMENT; i++) { - v[i] = 0; - } - - r[NUM_DIGITS_GF2X_ELEMENT - 1] = 1; - - for (int loop = 0; loop < 2 * P - 1; ++loop) { - - swap = negative(-delta) & nonzero(lsb(g)); // swap = -1 if -delta < 0 AND g(0) != 0 - delta ^= swap & (delta ^ -delta); // cond swap delta with -delta if swap - delta++; - - gf2x_cswap(f, g, swap); - gf2x_cswap(v, r, swap); - - g0_mask = ~lsb(g) + 1; - - // g = (g - g0 * f) / x - gf2x_mult_scalar_acc(g, f, g0_mask); - right_bit_shift(NUM_DIGITS_GF2X_ELEMENT, g); - - // r = (r - g0 * v) / x - gf2x_mult_scalar_acc(r, v, g0_mask); - rotate_bit_right(r); - - } - - return nonzero(delta); // -1 if fail, 0 if success -} - -void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_mul(DIGIT Res[], const DIGIT A[], const DIGIT B[]) { - - DIGIT aux[2 * NUM_DIGITS_GF2X_ELEMENT]; - PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mul(aux, A, B, NUM_DIGITS_GF2X_ELEMENT); - gf2x_mod(Res, aux); - -} - -/*PRE: the 
representation of the sparse coefficients is sorted in increasing - order of the coefficients themselves */ -void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_mul_dense_to_sparse(DIGIT Res[], const DIGIT dense[], - POSITION_T sparse[], size_t nPos) { - - DIGIT aux[2 * NUM_DIGITS_GF2X_ELEMENT] = {0x00}; - DIGIT resDouble[2 * NUM_DIGITS_GF2X_ELEMENT] = {0x00}; - memcpy(aux + NUM_DIGITS_GF2X_ELEMENT, dense, NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B); - memcpy(resDouble + NUM_DIGITS_GF2X_ELEMENT, dense, NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B); - - if (sparse[0] != INVALID_POS_VALUE) { - left_bit_shift_wide_n(2 * NUM_DIGITS_GF2X_ELEMENT, resDouble, sparse[0]); - left_bit_shift_wide_n(2 * NUM_DIGITS_GF2X_ELEMENT, aux, sparse[0]); - - for (size_t i = 1; i < nPos; i++) { - if (sparse[i] != INVALID_POS_VALUE) { - left_bit_shift_wide_n(2 * NUM_DIGITS_GF2X_ELEMENT, aux, (sparse[i] - sparse[i - 1]) ); - PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_add(resDouble, aux, resDouble, 2 * NUM_DIGITS_GF2X_ELEMENT); - } - } - } - - gf2x_mod(Res, resDouble); - -} - -void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_transpose_in_place_sparse(size_t sizeA, POSITION_T A[]) { - POSITION_T t; - size_t i = 0, j; - - if (A[i] == 0) { - i = 1; - } - j = i; - - for (; i < sizeA && A[i] != INVALID_POS_VALUE; i++) { - A[i] = P - A[i]; - } - - for (i -= 1; j < i; j++, i--) { - t = A[j]; - A[j] = A[i]; - A[i] = t; - } - -} - -void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_mul_sparse(size_t sizeR, POSITION_T Res[], - size_t sizeA, const POSITION_T A[], - size_t sizeB, const POSITION_T B[]) { - - POSITION_T prod; - POSITION_T lastReadPos; - size_t duplicateCount; - size_t write_idx, read_idx; - - /* compute all the coefficients, filling invalid positions with P*/ - size_t lastFilledPos = 0; - for (size_t i = 0 ; i < sizeA ; i++) { - for (size_t j = 0 ; j < sizeB ; j++) { - prod = A[i] + B[j]; - prod = ( (prod >= P) ? 
prod - P : prod); - if ((A[i] != INVALID_POS_VALUE) && - (B[j] != INVALID_POS_VALUE)) { - Res[lastFilledPos] = prod; - } else { - Res[lastFilledPos] = INVALID_POS_VALUE; - } - lastFilledPos++; - } - } - while (lastFilledPos < sizeR) { - Res[lastFilledPos] = INVALID_POS_VALUE; - lastFilledPos++; - } - - PQCLEAN_LEDAKEMLT12_LEAKTIME_uint32_sort(Res, sizeR); - - /* eliminate duplicates */ - write_idx = read_idx = 0; - while (read_idx < sizeR && Res[read_idx] != INVALID_POS_VALUE) { - lastReadPos = Res[read_idx]; - read_idx++; - duplicateCount = 1; - while ( (Res[read_idx] == lastReadPos) && (Res[read_idx] != INVALID_POS_VALUE)) { - read_idx++; - duplicateCount++; - } - if (duplicateCount % 2) { - Res[write_idx] = lastReadPos; - write_idx++; - } - } - /* fill remaining cells with INVALID_POS_VALUE */ - for (; write_idx < sizeR; write_idx++) { - Res[write_idx] = INVALID_POS_VALUE; - } -} - -/* the implementation is safe even in case A or B alias with the result - * PRE: A and B should be sorted, disjunct arrays ending with INVALID_POS_VALUE */ -void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_add_sparse(size_t sizeR, POSITION_T Res[], - size_t sizeA, const POSITION_T A[], - size_t sizeB, const POSITION_T B[]) { - - POSITION_T tmpRes[DV * M]; - size_t idxA = 0, idxB = 0, idxR = 0; - while ( idxA < sizeA && - idxB < sizeB && - A[idxA] != INVALID_POS_VALUE && - B[idxB] != INVALID_POS_VALUE ) { - - if (A[idxA] == B[idxB]) { - idxA++; - idxB++; - } else { - if (A[idxA] < B[idxB]) { - tmpRes[idxR] = A[idxA]; - idxA++; - } else { - tmpRes[idxR] = B[idxB]; - idxB++; - } - idxR++; - } - } - - while (idxA < sizeA && A[idxA] != INVALID_POS_VALUE) { - tmpRes[idxR] = A[idxA]; - idxA++; - idxR++; - } - - while (idxB < sizeB && B[idxB] != INVALID_POS_VALUE) { - tmpRes[idxR] = B[idxB]; - idxB++; - idxR++; - } - - while (idxR < sizeR) { - tmpRes[idxR] = INVALID_POS_VALUE; - idxR++; - } - memcpy(Res, tmpRes, sizeof(POSITION_T)*sizeR); - -} - -/* Return a uniform random value in the range 
0..n-1 inclusive, - * applying a rejection sampling strategy and exploiting as a random source - * the NIST seedexpander seeded with the proper key. - * Assumes that the maximum value for the range n is 2^32-1 - */ -static uint32_t rand_range(const unsigned int n, const int logn, AES_XOF_struct *seed_expander_ctx) { - unsigned long required_rnd_bytes = (logn + 7) / 8; - unsigned char rnd_char_buffer[4]; - uint32_t rnd_value; - uint32_t mask = ( (uint32_t)1 << logn) - 1; - - do { - PQCLEAN_LEDAKEMLT12_LEAKTIME_seedexpander(seed_expander_ctx, rnd_char_buffer, required_rnd_bytes); - /* obtain an endianness independent representation of the generated random - bytes into an unsigned integer */ - rnd_value = ((uint32_t)rnd_char_buffer[3] << 24) + - ((uint32_t)rnd_char_buffer[2] << 16) + - ((uint32_t)rnd_char_buffer[1] << 8) + - ((uint32_t)rnd_char_buffer[0] << 0) ; - rnd_value = mask & rnd_value; - } while (rnd_value >= n); - - return rnd_value; -} - -/* Obtains fresh randomness and seed-expands it until all the required positions - * for the '1's in the circulant block are obtained */ -void PQCLEAN_LEDAKEMLT12_LEAKTIME_rand_circulant_sparse_block(POSITION_T *pos_ones, - size_t countOnes, - AES_XOF_struct *seed_expander_ctx) { - - size_t duplicated, placedOnes = 0; - POSITION_T p; - - while (placedOnes < countOnes) { - p = rand_range(NUM_BITS_GF2X_ELEMENT, - P_BITS, - seed_expander_ctx); - duplicated = 0; - for (size_t j = 0; j < placedOnes; j++) { - if (pos_ones[j] == p) { - duplicated = 1; - } - } - if (duplicated == 0) { - pos_ones[placedOnes] = p; - placedOnes++; - } - } -} - -/* Returns random weight-t circulant block */ -void PQCLEAN_LEDAKEMLT12_LEAKTIME_rand_circulant_blocks_sequence(DIGIT sequence[N0 * NUM_DIGITS_GF2X_ELEMENT], - AES_XOF_struct *seed_expander_ctx) { - - size_t polyIndex, duplicated, counter = 0; - POSITION_T p, exponent, rndPos[NUM_ERRORS_T]; - - memset(sequence, 0x00, N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B); - - while (counter < 
NUM_ERRORS_T) { - p = rand_range(N0 * NUM_BITS_GF2X_ELEMENT, P_BITS, seed_expander_ctx); - duplicated = 0; - for (size_t j = 0; j < counter; j++) { - if (rndPos[j] == p) { - duplicated = 1; - } - } - if (duplicated == 0) { - rndPos[counter] = p; - counter++; - } - } - for (size_t j = 0; j < counter; j++) { - polyIndex = rndPos[j] / P; - exponent = rndPos[j] % P; - PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_set_coeff( sequence + NUM_DIGITS_GF2X_ELEMENT * polyIndex, exponent, - ( (DIGIT) 1)); - } - -} - - -void PQCLEAN_LEDAKEMLT12_LEAKTIME_rand_error_pos(POSITION_T errorPos[NUM_ERRORS_T], - AES_XOF_struct *seed_expander_ctx) { - - int duplicated; - size_t counter = 0; - - while (counter < NUM_ERRORS_T) { - POSITION_T p = rand_range(N0 * NUM_BITS_GF2X_ELEMENT, P_BITS, seed_expander_ctx); - duplicated = 0; - for (size_t j = 0; j < counter; j++) { - if (errorPos[j] == p) { - duplicated = 1; - } - } - if (duplicated == 0) { - errorPos[counter] = p; - counter++; - } - } -} - -void PQCLEAN_LEDAKEMLT12_LEAKTIME_expand_error(DIGIT sequence[N0 * NUM_DIGITS_GF2X_ELEMENT], - const POSITION_T errorPos[NUM_ERRORS_T]) { - - size_t polyIndex; - POSITION_T exponent; - - memset(sequence, 0x00, N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B); - for (int j = 0; j < NUM_ERRORS_T; j++) { - polyIndex = errorPos[j] / P; - exponent = errorPos[j] % P; - PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_set_coeff( sequence + NUM_DIGITS_GF2X_ELEMENT * polyIndex, exponent, - ( (DIGIT) 1)); - } -} - - -void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_tobytes(uint8_t *bytes, const DIGIT *poly) { - size_t i, j; - for (i = 0; i < NUM_DIGITS_GF2X_ELEMENT; i++) { - for (j = 0; j < DIGIT_SIZE_B; j++) { - bytes[i * DIGIT_SIZE_B + j] = (uint8_t) (poly[i] >> 8 * j); - } - } -} - -void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_frombytes(DIGIT *poly, const uint8_t *poly_bytes) { - size_t i, j; - for (i = 0; i < NUM_DIGITS_GF2X_ELEMENT; i++) { - poly[i] = (DIGIT) 0; - for (j = 0; j < DIGIT_SIZE_B; j++) { - poly[i] |= (DIGIT) poly_bytes[i * DIGIT_SIZE_B 
+ j] << 8 * j; - } - } -} diff --git a/crypto_kem/ledakemlt12/leaktime/gf2x_arith_mod_xPplusOne.h b/crypto_kem/ledakemlt12/leaktime/gf2x_arith_mod_xPplusOne.h deleted file mode 100644 index c01e136b..00000000 --- a/crypto_kem/ledakemlt12/leaktime/gf2x_arith_mod_xPplusOne.h +++ /dev/null 
@@ -1,39 +0,0 @@
-#ifndef GF2X_ARITH_MOD_XPLUSONE_H
-#define GF2X_ARITH_MOD_XPLUSONE_H
-
-#include "qc_ldpc_parameters.h"
-
-#include "gf2x_arith.h"
-#include "rng.h"
-
-#define NUM_BITS_GF2X_ELEMENT (P) // 52147
-#define NUM_DIGITS_GF2X_ELEMENT ((P+DIGIT_SIZE_b-1)/DIGIT_SIZE_b)
-#define MSb_POSITION_IN_MSB_DIGIT_OF_ELEMENT ((P % DIGIT_SIZE_b) ? (P % DIGIT_SIZE_b)-1 : DIGIT_SIZE_b-1)
-#define NUM_BITS_GF2X_MODULUS (P+1)
-#define NUM_DIGITS_GF2X_MODULUS ((P+1+DIGIT_SIZE_b-1)/DIGIT_SIZE_b)
-#define MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS (P-DIGIT_SIZE_b*(NUM_DIGITS_GF2X_MODULUS-1))
-#define INVALID_POS_VALUE (P)
-#define P_BITS (16) // log_2(p) = 15.6703
-
-void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_copy(DIGIT dest[], const DIGIT in[]);
-DIGIT PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_get_coeff(const DIGIT poly[], size_t exponent);
-void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_set_coeff(DIGIT poly[], size_t exponent, DIGIT value);
-void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_toggle_coeff(DIGIT poly[], size_t exponent);
-int PQCLEAN_LEDAKEMLT12_LEAKTIME_population_count(const DIGIT *poly);
-void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_add(DIGIT Res[], const DIGIT A[], const DIGIT B[]);
-void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_mul(DIGIT Res[], const DIGIT A[], const DIGIT B[]);
-void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_transpose_in_place(DIGIT A[]);
-void PQCLEAN_LEDAKEMLT12_LEAKTIME_rand_circulant_sparse_block(POSITION_T *pos_ones, size_t countOnes, AES_XOF_struct *seed_expander_ctx);
-void PQCLEAN_LEDAKEMLT12_LEAKTIME_rand_circulant_blocks_sequence(DIGIT *sequence, AES_XOF_struct *seed_expander_ctx);
-void PQCLEAN_LEDAKEMLT12_LEAKTIME_rand_error_pos(POSITION_T errorPos[NUM_ERRORS_T], AES_XOF_struct *seed_expander_ctx);
-void PQCLEAN_LEDAKEMLT12_LEAKTIME_expand_error(DIGIT sequence[N0 * NUM_DIGITS_GF2X_ELEMENT], const POSITION_T errorPos[NUM_ERRORS_T]);
-void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_add_sparse(size_t sizeR, POSITION_T Res[], size_t sizeA, const POSITION_T A[], size_t sizeB, const
POSITION_T B[]);
-void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_transpose_in_place_sparse(size_t sizeA, POSITION_T A[]);
-int PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_inverse(DIGIT out[], const DIGIT in[]);
-void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_mul_sparse(size_t sizeR, POSITION_T Res[], size_t sizeA, const POSITION_T A[], size_t sizeB, const POSITION_T B[]);
-void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_mul_dense_to_sparse(DIGIT Res[], const DIGIT dense[], POSITION_T sparse[], size_t nPos);
-void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_tobytes(uint8_t *bytes, const DIGIT *poly);
-void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_frombytes(DIGIT *poly, const uint8_t *poly_bytes);
-
-
-#endif
diff --git a/crypto_kem/ledakemlt12/leaktime/kem.c b/crypto_kem/ledakemlt12/leaktime/kem.c
deleted file mode 100644
index 6144c190..00000000
--- a/crypto_kem/ledakemlt12/leaktime/kem.c
+++ /dev/null
@@ -1,157 +0,0 @@ -#include "api.h" -#include "niederreiter.h" -#include "randombytes.h" -#include "rng.h" -#include "utils.h" - -#include - - -#define pack_ct(sk_bytes, ct) PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_tobytes(sk_bytes, ct); -#define unpack_ct(ct, ct_bytes) PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_frombytes(ct, ct_bytes) - -static void pack_pk(uint8_t *pk_bytes, publicKeyNiederreiter_t *pk) { - for (size_t i = 0; i < N0 - 1; i++) { - PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_tobytes(pk_bytes + i * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B, - pk->Mtr + i * NUM_DIGITS_GF2X_ELEMENT); - } -} - -static void unpack_pk(publicKeyNiederreiter_t *pk, const uint8_t *pk_bytes) { - for (size_t i = 0; i < N0 - 1; i++) { - PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_frombytes(pk->Mtr + i * NUM_DIGITS_GF2X_ELEMENT, - pk_bytes + i * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B); - } -} - -static void pack_error(uint8_t *error_bytes, DIGIT *error_digits) { - size_t i; - for (i = 0; i < N0; i++) { - PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_tobytes(error_bytes + i * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B, - error_digits + i * NUM_DIGITS_GF2X_ELEMENT); - } -} - -/* IND-CCA2 Keygen */ -int PQCLEAN_LEDAKEMLT12_LEAKTIME_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) { - publicKeyNiederreiter_t niederreiter_pk; - - PQCLEAN_LEDAKEMLT12_LEAKTIME_niederreiter_keygen(&niederreiter_pk, (privateKeyNiederreiter_t *) sk); - - pack_pk(pk, &niederreiter_pk); - - return 0; -} - -/* IND-CCA2 Encapsulation */ -int PQCLEAN_LEDAKEMLT12_LEAKTIME_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk) { - publicKeyNiederreiter_t niederreiter_pk; - DIGIT syndrome[NUM_DIGITS_GF2X_ELEMENT]; - AES_XOF_struct hashedAndTruncatedSeed_expander; - POSITION_T errorPos[NUM_ERRORS_T]; - DIGIT error_vector[N0 * NUM_DIGITS_GF2X_ELEMENT]; - uint8_t error_bytes[N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B]; - uint8_t seed[TRNG_BYTE_LENGTH]; - uint8_t ss_input[2 * TRNG_BYTE_LENGTH] = {0}; - uint8_t hashedSeed[HASH_BYTE_LENGTH]; - uint8_t 
hashedAndTruncatedSeed[TRNG_BYTE_LENGTH] = {0}; - uint8_t hashedErrorVector[HASH_BYTE_LENGTH]; - uint8_t hashedAndTruncatedErrorVector[TRNG_BYTE_LENGTH] = {0}; - uint8_t maskedSeed[TRNG_BYTE_LENGTH]; - - unpack_pk(&niederreiter_pk, pk); - - randombytes(seed, TRNG_BYTE_LENGTH); - memcpy(ss_input, seed, TRNG_BYTE_LENGTH); - - HASH_FUNCTION(ss, ss_input, 2 * TRNG_BYTE_LENGTH); - HASH_FUNCTION(hashedSeed, seed, TRNG_BYTE_LENGTH); - - memcpy(hashedAndTruncatedSeed, hashedSeed, TRNG_BYTE_LENGTH); - - memset(&hashedAndTruncatedSeed_expander, 0x00, sizeof(AES_XOF_struct)); - PQCLEAN_LEDAKEMLT12_LEAKTIME_seedexpander_from_trng(&hashedAndTruncatedSeed_expander, hashedAndTruncatedSeed); - PQCLEAN_LEDAKEMLT12_LEAKTIME_rand_error_pos(errorPos, &hashedAndTruncatedSeed_expander); - PQCLEAN_LEDAKEMLT12_LEAKTIME_expand_error(error_vector, errorPos); - - pack_error(error_bytes, error_vector); - HASH_FUNCTION(hashedErrorVector, error_bytes, (N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B)); - - memcpy(hashedAndTruncatedErrorVector, hashedErrorVector, TRNG_BYTE_LENGTH); - - for (size_t i = 0; i < TRNG_BYTE_LENGTH; ++i) { - maskedSeed[i] = seed[i] ^ hashedAndTruncatedErrorVector[i]; - } - - PQCLEAN_LEDAKEMLT12_LEAKTIME_niederreiter_encrypt(syndrome, - (const publicKeyNiederreiter_t *) &niederreiter_pk, error_vector); - - pack_ct(ct, syndrome); - memcpy(ct + (NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B), maskedSeed, TRNG_BYTE_LENGTH); - - return 0; -} - - -/* IND-CCA2 Decapsulation */ -int PQCLEAN_LEDAKEMLT12_LEAKTIME_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk) { - DIGIT syndrome[NUM_DIGITS_GF2X_ELEMENT]; - AES_XOF_struct hashedAndTruncatedSeed_expander; - POSITION_T reconstructed_errorPos[NUM_ERRORS_T]; - DIGIT reconstructed_error_vector[N0 * NUM_DIGITS_GF2X_ELEMENT]; - DIGIT decoded_error_vector[N0 * NUM_DIGITS_GF2X_ELEMENT]; - uint8_t decoded_error_bytes[N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B]; - uint8_t hashedErrorVector[HASH_BYTE_LENGTH]; - uint8_t 
hashedAndTruncatedErrorVector[TRNG_BYTE_LENGTH] = {0}; - uint8_t decoded_seed[TRNG_BYTE_LENGTH]; - uint8_t hashed_decoded_seed[HASH_BYTE_LENGTH]; - uint8_t hashedAndTruncated_decoded_seed[TRNG_BYTE_LENGTH] = {0}; - uint8_t ss_input[2 * TRNG_BYTE_LENGTH], tail[TRNG_BYTE_LENGTH] = {0}; - int decode_ok, decrypt_ok, equal; - - unpack_ct(syndrome, ct); - - decode_ok = PQCLEAN_LEDAKEMLT12_LEAKTIME_niederreiter_decrypt(decoded_error_vector, - (const privateKeyNiederreiter_t *)sk, syndrome); - - pack_error(decoded_error_bytes, decoded_error_vector); - HASH_FUNCTION(hashedErrorVector, decoded_error_bytes, N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B); - - memcpy(hashedAndTruncatedErrorVector, hashedErrorVector, TRNG_BYTE_LENGTH); - - for (size_t i = 0; i < TRNG_BYTE_LENGTH; ++i) { - decoded_seed[i] = ct[(NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B) + i] ^ - hashedAndTruncatedErrorVector[i]; - } - - HASH_FUNCTION(hashed_decoded_seed, decoded_seed, TRNG_BYTE_LENGTH); - - memcpy(hashedAndTruncated_decoded_seed, hashed_decoded_seed, TRNG_BYTE_LENGTH); - - memset(&hashedAndTruncatedSeed_expander, 0x00, sizeof(AES_XOF_struct)); - PQCLEAN_LEDAKEMLT12_LEAKTIME_seedexpander_from_trng(&hashedAndTruncatedSeed_expander, - hashed_decoded_seed); - - PQCLEAN_LEDAKEMLT12_LEAKTIME_rand_error_pos(reconstructed_errorPos, &hashedAndTruncatedSeed_expander); - - PQCLEAN_LEDAKEMLT12_LEAKTIME_expand_error(reconstructed_error_vector, reconstructed_errorPos); - - equal = PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_verify(decoded_error_vector, - reconstructed_error_vector, N0 * NUM_DIGITS_GF2X_ELEMENT); - // equal == 0, if the reconstructed error vector match !!! 
- - decrypt_ok = (decode_ok == 1 && equal == 0); - - memcpy(ss_input, decoded_seed, TRNG_BYTE_LENGTH); - memcpy(ss_input + sizeof(decoded_seed), tail, TRNG_BYTE_LENGTH); - - // Overwrite on failure - PQCLEAN_LEDAKEMLT12_LEAKTIME_cmov(ss_input + sizeof(decoded_seed), - ((const privateKeyNiederreiter_t *) sk)->decryption_failure_secret, - TRNG_BYTE_LENGTH, - !decrypt_ok); - - HASH_FUNCTION(ss, ss_input, 2 * TRNG_BYTE_LENGTH); - - return 0; -} diff --git a/crypto_kem/ledakemlt12/leaktime/niederreiter.c b/crypto_kem/ledakemlt12/leaktime/niederreiter.c deleted file mode 100644 index 1e81a6da..00000000 --- a/crypto_kem/ledakemlt12/leaktime/niederreiter.c +++ /dev/null 
@@ -1,192 +0,0 @@ -#include "H_Q_matrices_generation.h" -#include "bf_decoding.h" -#include "dfr_test.h" -#include "gf2x_arith_mod_xPplusOne.h" -#include "niederreiter.h" -#include "qc_ldpc_parameters.h" -#include "randombytes.h" -#include "rng.h" - -#include - -void PQCLEAN_LEDAKEMLT12_LEAKTIME_niederreiter_keygen(publicKeyNiederreiter_t *pk, privateKeyNiederreiter_t *sk) { - - AES_XOF_struct keys_expander; - POSITION_T HPosOnes[N0][DV]; - POSITION_T QPosOnes[N0][M]; - POSITION_T LPosOnes[N0][DV * M]; - POSITION_T auxPosOnes[DV * M]; - unsigned char processedQOnes[N0]; - DIGIT Ln0dense[NUM_DIGITS_GF2X_ELEMENT] = {0}; - DIGIT Ln0Inv[NUM_DIGITS_GF2X_ELEMENT] = {0}; - int is_L_full; - int isDFRok = 0; - - memset(&keys_expander, 0x00, sizeof(AES_XOF_struct)); - randombytes(sk->prng_seed, TRNG_BYTE_LENGTH); - PQCLEAN_LEDAKEMLT12_LEAKTIME_seedexpander_from_trng(&keys_expander, sk->prng_seed); - - sk->rejections = (uint8_t) 0; - do { - PQCLEAN_LEDAKEMLT12_LEAKTIME_generateHPosOnes(HPosOnes, &keys_expander); - PQCLEAN_LEDAKEMLT12_LEAKTIME_generateQPosOnes(QPosOnes, &keys_expander); - for (int i = 0; i < N0; i++) { - for (int j = 0; j < DV * M; j++) { - LPosOnes[i][j] = INVALID_POS_VALUE; - } - } - - memset(processedQOnes, 0x00, sizeof(processedQOnes)); - for (int colQ = 0; colQ < N0; colQ++) { - for (int i = 0; i < N0; i++) { - PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_mul_sparse(DV * M, auxPosOnes, - DV, HPosOnes[i], - qBlockWeights[i][colQ], QPosOnes[i] + processedQOnes[i]); - PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_add_sparse(DV * M, LPosOnes[colQ], - DV * M, LPosOnes[colQ], - DV * M, auxPosOnes); - processedQOnes[i] += qBlockWeights[i][colQ]; - } - } - is_L_full = 1; - for (size_t i = 0; i < N0; i++) { - is_L_full = is_L_full && (LPosOnes[i][DV * M - 1] != INVALID_POS_VALUE); - } - sk->rejections = sk->rejections + 1; - if (is_L_full) { - isDFRok = PQCLEAN_LEDAKEMLT12_LEAKTIME_DFR_test(LPosOnes, &(sk->secondIterThreshold)); - } - } while (!is_L_full || !isDFRok); - 
sk->rejections = sk->rejections - 1; - - PQCLEAN_LEDAKEMLT12_LEAKTIME_seedexpander(&keys_expander, - sk->decryption_failure_secret, - (unsigned long)TRNG_BYTE_LENGTH); - - for (size_t j = 0; j < DV * M; j++) { - if (LPosOnes[N0 - 1][j] != INVALID_POS_VALUE) { - PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_set_coeff(Ln0dense, LPosOnes[N0 - 1][j], 1); - } - } - - PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_inverse(Ln0Inv, Ln0dense); - for (size_t i = 0; i < N0 - 1; i++) { - PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_mul_dense_to_sparse(pk->Mtr + i * NUM_DIGITS_GF2X_ELEMENT, - Ln0Inv, - LPosOnes[i], - DV * M); - } - - for (size_t i = 0; i < N0 - 1; i++) { - PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_transpose_in_place(pk->Mtr + i * NUM_DIGITS_GF2X_ELEMENT); - } -} - -void PQCLEAN_LEDAKEMLT12_LEAKTIME_niederreiter_encrypt(DIGIT syndrome[], - const publicKeyNiederreiter_t *pk, - const DIGIT err[]) { - - DIGIT saux[NUM_DIGITS_GF2X_ELEMENT]; - - memset(syndrome, 0x00, NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B); - for (size_t i = 0; i < N0 - 1; i++) { - PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_mul(saux, - pk->Mtr + i * NUM_DIGITS_GF2X_ELEMENT, - err + i * NUM_DIGITS_GF2X_ELEMENT); - PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_add(syndrome, syndrome, saux); - - } - PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_add(syndrome, syndrome, err + (N0 - 1)*NUM_DIGITS_GF2X_ELEMENT); -} - -int PQCLEAN_LEDAKEMLT12_LEAKTIME_niederreiter_decrypt(DIGIT *err, const privateKeyNiederreiter_t *sk, const DIGIT *syndrome) { - AES_XOF_struct niederreiter_decrypt_expander; - POSITION_T HPosOnes[N0][DV]; - POSITION_T QPosOnes[N0][M]; - POSITION_T LPosOnes[N0][DV * M]; - POSITION_T auxPosOnes[DV * M]; - POSITION_T HtrPosOnes[N0][DV]; - POSITION_T QtrPosOnes[N0][M]; - POSITION_T auxSparse[DV * M]; - POSITION_T Ln0trSparse[DV * M]; - DIGIT err_computed[N0 * NUM_DIGITS_GF2X_ELEMENT] = {0}; - DIGIT err_mockup[N0 * NUM_DIGITS_GF2X_ELEMENT]; - DIGIT privateSyndrome[NUM_DIGITS_GF2X_ELEMENT]; - uint8_t processedQOnes[N0]; - int rejections = 
sk->rejections; - int decrypt_ok = 0; - int err_weight; - - PQCLEAN_LEDAKEMLT12_LEAKTIME_seedexpander_from_trng(&niederreiter_decrypt_expander, sk->prng_seed); - do { - PQCLEAN_LEDAKEMLT12_LEAKTIME_generateHPosOnes(HPosOnes, &niederreiter_decrypt_expander); - PQCLEAN_LEDAKEMLT12_LEAKTIME_generateQPosOnes(QPosOnes, &niederreiter_decrypt_expander); - - for (size_t i = 0; i < N0; i++) { - for (size_t j = 0; j < DV * M; j++) { - LPosOnes[i][j] = INVALID_POS_VALUE; - } - } - - memset(processedQOnes, 0x00, sizeof(processedQOnes)); - for (size_t colQ = 0; colQ < N0; colQ++) { - for (size_t i = 0; i < N0; i++) { - PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_mul_sparse(DV * M, auxPosOnes, - DV, HPosOnes[i], - qBlockWeights[i][colQ], QPosOnes[i] + processedQOnes[i]); - PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_add_sparse(DV * M, LPosOnes[colQ], - DV * M, LPosOnes[colQ], - DV * M, auxPosOnes); - processedQOnes[i] += qBlockWeights[i][colQ]; - } - } - rejections--; - } while (rejections >= 0); - - PQCLEAN_LEDAKEMLT12_LEAKTIME_transposeHPosOnes(HtrPosOnes, HPosOnes); - PQCLEAN_LEDAKEMLT12_LEAKTIME_transposeQPosOnes(QtrPosOnes, QPosOnes); - - for (size_t i = 0; i < DV * M; i++) { - Ln0trSparse[i] = INVALID_POS_VALUE; - auxSparse[i] = INVALID_POS_VALUE; - } - - for (size_t i = 0; i < N0; i++) { - PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_mul_sparse(DV * M, auxSparse, - DV, HPosOnes[i], - qBlockWeights[i][N0 - 1], &QPosOnes[i][M - qBlockWeights[i][N0 - 1]]); - PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_add_sparse(DV * M, Ln0trSparse, - DV * M, Ln0trSparse, - DV * M, auxSparse); - } - PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_transpose_in_place_sparse(DV * M, Ln0trSparse); - - PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_mul_dense_to_sparse(privateSyndrome, - syndrome, - Ln0trSparse, - DV * M); - - decrypt_ok = PQCLEAN_LEDAKEMLT12_LEAKTIME_bf_decoding(err_computed, - (const POSITION_T (*)[DV]) HtrPosOnes, - (const POSITION_T (*)[M]) QtrPosOnes, - privateSyndrome, sk->secondIterThreshold); - - err_weight = 0; - for 
(size_t i = 0 ; i < N0; i++) { - err_weight += PQCLEAN_LEDAKEMLT12_LEAKTIME_population_count(err_computed + (NUM_DIGITS_GF2X_ELEMENT * i)); - } - decrypt_ok = decrypt_ok && (err_weight == NUM_ERRORS_T); - - /* prepare mockup error vector in case a decoding failure occurs */ - memcpy(err_mockup, syndrome, NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B); - memcpy(err_mockup + NUM_DIGITS_GF2X_ELEMENT, sk->decryption_failure_secret, TRNG_BYTE_LENGTH); - memset(((unsigned char *) err_mockup) + (NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B) + TRNG_BYTE_LENGTH, 0x00, - (N0 - 1)*NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B - TRNG_BYTE_LENGTH); - - memcpy(err, err_computed, N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B); - - // Overwrite on decryption failure - PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_cmov(err, err_mockup, N0 * NUM_DIGITS_GF2X_ELEMENT, !decrypt_ok); - - return decrypt_ok; -} diff --git a/crypto_kem/ledakemlt12/leaktime/niederreiter.h b/crypto_kem/ledakemlt12/leaktime/niederreiter.h deleted file mode 100644 index 581263b8..00000000 --- a/crypto_kem/ledakemlt12/leaktime/niederreiter.h +++ /dev/null @@ -1,24 +0,0 @@ -#ifndef NIEDERREITER_H -#define NIEDERREITER_H - -#include "gf2x_arith_mod_xPplusOne.h" -#include "qc_ldpc_parameters.h" -#include "rng.h" - -typedef struct { - unsigned char prng_seed[TRNG_BYTE_LENGTH]; - uint8_t rejections; - uint8_t secondIterThreshold; - uint8_t decryption_failure_secret[TRNG_BYTE_LENGTH]; -} privateKeyNiederreiter_t; - -typedef struct { - DIGIT Mtr[(N0 - 1)*NUM_DIGITS_GF2X_ELEMENT]; -} publicKeyNiederreiter_t; - - -void PQCLEAN_LEDAKEMLT12_LEAKTIME_niederreiter_keygen(publicKeyNiederreiter_t *pk, privateKeyNiederreiter_t *sk); -void PQCLEAN_LEDAKEMLT12_LEAKTIME_niederreiter_encrypt(DIGIT syndrome[], const publicKeyNiederreiter_t *pk, const DIGIT err[]); -int PQCLEAN_LEDAKEMLT12_LEAKTIME_niederreiter_decrypt(DIGIT *err, const privateKeyNiederreiter_t *sk, const DIGIT *syndrome); - -#endif 
diff --git a/crypto_kem/ledakemlt12/leaktime/qc_ldpc_parameters.h b/crypto_kem/ledakemlt12/leaktime/qc_ldpc_parameters.h
deleted file mode 100644
index 01c9c204..00000000
--- a/crypto_kem/ledakemlt12/leaktime/qc_ldpc_parameters.h
+++ /dev/null
@@ -1,27 +0,0 @@
-#ifndef QC_LDPC_PARAMETERS_H
-#define QC_LDPC_PARAMETERS_H
-
-#include "fips202.h"
-
-#define TRNG_BYTE_LENGTH (24)
-#define HASH_BYTE_LENGTH (32)
-#define HASH_FUNCTION sha3_256
-
-#define N0 (2)
-#define P (52147) // modulus(x) = x^P-1
-#define DV (9) // odd number
-#define M (9)
-#define M0 (5)
-#define M1 (4)
-#define NUM_ERRORS_T (136)
-
-// Derived parameters, they are useful for QC-LDPC algorithms
-#define HASH_BIT_LENGTH (HASH_BYTE_LENGTH << 3)
-#define K ((N0-1)*P)
-#define N (N0*P)
-#define DC (N0*DV)
-
-#define Q_BLOCK_WEIGHTS {{M0,M1},{M1,M0}}
-static const unsigned char qBlockWeights[N0][N0] = Q_BLOCK_WEIGHTS;
-
-#endif
diff --git a/crypto_kem/ledakemlt12/leaktime/rng.c b/crypto_kem/ledakemlt12/leaktime/rng.c
deleted file mode 100644
index 651b0dd1..00000000
--- a/crypto_kem/ledakemlt12/leaktime/rng.c
+++ /dev/null
@@ -1,110 +0,0 @@ -#include "rng.h" - -#include // void *memset(void *s, int c, size_t n); - -#include "aes.h" -#include "qc_ldpc_parameters.h" - -/* - seedexpander_init() - ctx - stores the current state of an instance of the seed expander - seed - a 32 byte random value - diversifier - an 8 byte diversifier - maxlen - maximum number of bytes (less than 2**32) generated under this seed and diversifier - */ -static void seedexpander_init(AES_XOF_struct *ctx, - uint8_t *seed, - uint8_t *diversifier, - size_t maxlen) { - - ctx->length_remaining = maxlen; - - memset(ctx->key, 0, 32); - int max_accessible_seed_len = TRNG_BYTE_LENGTH < 32 ? 32 : TRNG_BYTE_LENGTH; - memcpy(ctx->key, seed, max_accessible_seed_len); - - memcpy(ctx->ctr, diversifier, 8); - ctx->ctr[11] = maxlen % 256; - maxlen >>= 8; - ctx->ctr[10] = maxlen % 256; - maxlen >>= 8; - ctx->ctr[9] = maxlen % 256; - maxlen >>= 8; - ctx->ctr[8] = maxlen % 256; - memset(ctx->ctr + 12, 0x00, 4); - - ctx->buffer_pos = 16; - memset(ctx->buffer, 0x00, 16); -} - -void PQCLEAN_LEDAKEMLT12_LEAKTIME_seedexpander_from_trng(AES_XOF_struct *ctx, - const uint8_t *trng_entropy - /* TRNG_BYTE_LENGTH wide buffer */) { - - /*the NIST seedexpander will however access 32B from this buffer */ - unsigned int prng_buffer_size = TRNG_BYTE_LENGTH < 32 ? 32 : TRNG_BYTE_LENGTH; - uint8_t prng_buffer[TRNG_BYTE_LENGTH < 32 ? 32 : TRNG_BYTE_LENGTH] = {0x00}; - uint8_t diversifier[8] = {0}; - - memcpy(prng_buffer, - trng_entropy, - TRNG_BYTE_LENGTH < prng_buffer_size ? 
TRNG_BYTE_LENGTH : prng_buffer_size); - - /* the required seed expansion will be quite small, set the max number of - * bytes conservatively to 10 MiB*/ - seedexpander_init(ctx, prng_buffer, diversifier, RNG_MAXLEN); -} - -/* - seedexpander() - ctx - stores the current state of an instance of the seed expander - x - returns the XOF data - xlen - number of bytes to return - */ -int PQCLEAN_LEDAKEMLT12_LEAKTIME_seedexpander(AES_XOF_struct *ctx, uint8_t *x, size_t xlen) { - size_t offset; - aes256ctx ctx256; - - if ( x == NULL ) { - return RNG_BAD_OUTBUF; - } - if ( xlen >= ctx->length_remaining ) { - return RNG_BAD_REQ_LEN; - } - - aes256_ecb_keyexp(&ctx256, ctx->key); - ctx->length_remaining -= xlen; - - offset = 0; - while ( xlen > 0 ) { - if ( xlen <= (16 - ctx->buffer_pos) ) { // buffer has what we need - memcpy(x + offset, ctx->buffer + ctx->buffer_pos, xlen); - ctx->buffer_pos += xlen; - - goto end; - } - - // take what's in the buffer - memcpy(x + offset, ctx->buffer + ctx->buffer_pos, 16 - ctx->buffer_pos); - xlen -= 16 - ctx->buffer_pos; - offset += 16 - ctx->buffer_pos; - - aes256_ecb(ctx->buffer, ctx->ctr, 16 / AES_BLOCKBYTES, &ctx256); - ctx->buffer_pos = 0; - - //increment the counter - for (int i = 15; i >= 12; i--) { - if ( ctx->ctr[i] == 0xff ) { - ctx->ctr[i] = 0x00; - } else { - ctx->ctr[i]++; - break; - } - } - - } -end: - aes256_ctx_release(&ctx256); - - return RNG_SUCCESS; -} diff --git a/crypto_kem/ledakemlt12/leaktime/rng.h b/crypto_kem/ledakemlt12/leaktime/rng.h deleted file mode 100644 index fc35f19f..00000000 --- a/crypto_kem/ledakemlt12/leaktime/rng.h +++ /dev/null 
@@ -1,24 +0,0 @@
-#ifndef RNG_H
-#define RNG_H
-
-#include 
-#include 
-
-#define RNG_SUCCESS ( 0)
-#define RNG_BAD_MAXLEN (-1)
-#define RNG_BAD_OUTBUF (-2)
-#define RNG_BAD_REQ_LEN (-3)
-#define RNG_MAXLEN (10 * 1024 * 1024)
-
-typedef struct {
- unsigned char buffer[16];
- size_t buffer_pos;
- size_t length_remaining;
- unsigned char key[32];
- unsigned char ctr[16];
-} AES_XOF_struct;
-
-int PQCLEAN_LEDAKEMLT12_LEAKTIME_seedexpander(AES_XOF_struct *ctx, unsigned char *x, size_t xlen);
-void PQCLEAN_LEDAKEMLT12_LEAKTIME_seedexpander_from_trng(AES_XOF_struct *ctx, const unsigned char *trng_entropy);
-
-#endif
diff --git a/crypto_kem/ledakemlt12/leaktime/sort.c b/crypto_kem/ledakemlt12/leaktime/sort.c
deleted file mode 100644
index 6b89d7b5..00000000
--- a/crypto_kem/ledakemlt12/leaktime/sort.c
+++ /dev/null
@@ -1,98 +0,0 @@ -#include "sort.h" - -/* - Constant-time uint32_t sorting by Daniel J. Bernstein - Source: https://sorting.cr.yp.to -*/ - -#define int32_MINMAX(a,b) \ - do { \ - int32 ab = (b) ^ (a); \ - int32 c = (b) - (a); \ - c ^= ab & (c ^ (b)); \ - c >>= 31; \ - c &= ab; \ - (a) ^= c; \ - (b) ^= c; \ - } while(0) - -static void int32_sort(int32 *x, size_t n) { - size_t top, p, q, r, i, j; - - if (n < 2) { - return; - } - top = 1; - while (top < n - top) { - top += top; - } - - for (p = top; p >= 1; p >>= 1) { - i = 0; - while (i + 2 * p <= n) { - for (j = i; j < i + p; ++j) { - int32_MINMAX(x[j], x[j + p]); - } - i += 2 * p; - } - for (j = i; j < n - p; ++j) { - int32_MINMAX(x[j], x[j + p]); - } - - i = 0; - j = 0; - for (q = top; q > p; q >>= 1) { - if (j != i) { - for (;;) { - if (j == n - q) { - goto done; - } - int32 a = x[j + p]; - for (r = q; r > p; r >>= 1) { - int32_MINMAX(a, x[j + r]); - } - x[j + p] = a; - ++j; - if (j == i + p) { - i += 2 * p; - break; - } - } - } - while (i + p <= n - q) { - for (j = i; j < i + p; ++j) { - int32 a = x[j + p]; - for (r = q; r > p; r >>= 1) { - int32_MINMAX(a, x[j + r]); - } - x[j + p] = a; - } - i += 2 * p; - } - /* now i + p > n - q */ - j = i; - while (j < n - q) { - int32 a = x[j + p]; - for (r = q; r > p; r >>= 1) { - int32_MINMAX(a, x[j + r]); - } - x[j + p] = a; - ++j; - } -done: - ; - } - } -} - -/* can save time by integrating xor loops with int32_sort */ -void PQCLEAN_LEDAKEMLT12_LEAKTIME_uint32_sort(uint32_t *x, size_t n) { - size_t j; - for (j = 0; j < n; ++j) { - x[j] ^= 0x80000000; - } - int32_sort((int32_t *) x, n); - for (j = 0; j < n; ++j) { - x[j] ^= 0x80000000; - } -} diff --git a/crypto_kem/ledakemlt12/leaktime/sort.h b/crypto_kem/ledakemlt12/leaktime/sort.h deleted file mode 100644 index d870cc7c..00000000 --- a/crypto_kem/ledakemlt12/leaktime/sort.h +++ /dev/null 
@@ -1,11 +0,0 @@
-#ifndef SORT_H
-#define SORT_H
-
-#include 
-#include 
-
-#define int32 int32_t
-
-void PQCLEAN_LEDAKEMLT12_LEAKTIME_uint32_sort(uint32_t *x, size_t n);
-
-#endif
diff --git a/crypto_kem/ledakemlt12/leaktime/utils.c b/crypto_kem/ledakemlt12/leaktime/utils.c
deleted file mode 100644
index 1f99d88d..00000000
--- a/crypto_kem/ledakemlt12/leaktime/utils.c
+++ /dev/null
@@ -1,21 +0,0 @@
-#include "gf2x_arith.h"
-#include "utils.h"
-
-/* compares DIGIT sequences, returns 0 if they are equal */
-int PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_verify(const DIGIT *a, const DIGIT *b, size_t len) {
- DIGIT x = 0;
- for (size_t i = 0; i < len; i++) {
- x |= a[i] ^ b[i];
- }
- x = (~x) + 1;
- x >>= (DIGIT_SIZE_b - 1);
- return (int)x;
-}
-
-/* conditionally move a into r if cond */
-void PQCLEAN_LEDAKEMLT12_LEAKTIME_cmov(uint8_t *r, const uint8_t *a, size_t len, int cond) {
- uint8_t mask = (uint8_t)(-cond);
- for (size_t i = 0; i < len; i++) {
- r[i] ^= mask & (r[i] ^ a[i]);
- }
-}
diff --git a/crypto_kem/ledakemlt12/leaktime/utils.h b/crypto_kem/ledakemlt12/leaktime/utils.h
deleted file mode 100644
index 9d60d763..00000000
--- a/crypto_kem/ledakemlt12/leaktime/utils.h
+++ /dev/null
@@ -1,9 +0,0 @@
-#ifndef UTILS_H
-#define UTILS_H
-
-#include 
-
-int PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_verify(const DIGIT *a, const DIGIT *b, size_t len);
-void PQCLEAN_LEDAKEMLT12_LEAKTIME_cmov(uint8_t *r, const uint8_t *a, size_t len, int cond);
-
-#endif
diff --git a/crypto_kem/ledakemlt32/META.yml b/crypto_kem/ledakemlt32/META.yml
deleted file mode 100644
index 98e34015..00000000
--- a/crypto_kem/ledakemlt32/META.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-name: LEDAKEMLT32
-type: kem
-claimed-nist-level: 3
-claimed-security: IND-CCA2
-length-public-key: 12032
-length-secret-key: 66
-length-ciphertext: 12064
-length-shared-secret: 48
-nistkat-sha256: b8b17dbb77aa3c3c77f738be053b355185388859ae6baa5655bf7e8413020b7f
-principal-submitters:
- - Marco Baldi
-auxiliary-submitters:
- - Alessandro Barenghi
- - Franco Chiaraluce
- - Gerardo Pelosi
- - Paolo Santini
-implementations:
- - name: leaktime
- version: 2.1
diff --git a/crypto_kem/ledakemlt32/leaktime/H_Q_matrices_generation.c b/crypto_kem/ledakemlt32/leaktime/H_Q_matrices_generation.c
deleted file mode 100644
index 305c3fc5..00000000
--- a/crypto_kem/ledakemlt32/leaktime/H_Q_matrices_generation.c
+++ /dev/null
@@ -1,52 +0,0 @@ -#include "H_Q_matrices_generation.h" -#include "gf2x_arith_mod_xPplusOne.h" - -void PQCLEAN_LEDAKEMLT32_LEAKTIME_generateHPosOnes(POSITION_T HPosOnes[N0][DV], AES_XOF_struct *keys_expander) { - for (size_t i = 0; i < N0; i++) { - /* Generate a random block of Htr */ - PQCLEAN_LEDAKEMLT32_LEAKTIME_rand_circulant_sparse_block(&HPosOnes[i][0], DV, keys_expander); - } -} - -void PQCLEAN_LEDAKEMLT32_LEAKTIME_generateQPosOnes(POSITION_T QPosOnes[N0][M], AES_XOF_struct *keys_expander) { - size_t placed_ones; - - for (size_t i = 0; i < N0; i++) { - placed_ones = 0; - for (size_t j = 0; j < N0; j++) { - PQCLEAN_LEDAKEMLT32_LEAKTIME_rand_circulant_sparse_block(&QPosOnes[i][placed_ones], - qBlockWeights[i][j], - keys_expander); - placed_ones += qBlockWeights[i][j]; - } - } -} - -void PQCLEAN_LEDAKEMLT32_LEAKTIME_transposeHPosOnes(POSITION_T HtrPosOnes[N0][DV], POSITION_T HPosOnes[N0][DV]) { - for (size_t i = 0; i < N0; i++) { - /* Obtain directly the sparse representation of the block of H */ - for (size_t k = 0; k < DV; k++) { - HtrPosOnes[i][k] = (P - HPosOnes[i][k]) % P; /* transposes indexes */ - } - } -} - -void PQCLEAN_LEDAKEMLT32_LEAKTIME_transposeQPosOnes(POSITION_T QtrPosOnes[N0][M], POSITION_T QPosOnes[N0][M]) { - POSITION_T transposed_ones_idx[N0] = {0x00}; - size_t currQoneIdx, endQblockIdx; - - for (size_t source_row_idx = 0; source_row_idx < N0 ; source_row_idx++) { - currQoneIdx = 0; // position in the column of QtrPosOnes[][...] - endQblockIdx = 0; - for (int blockIdx = 0; blockIdx < N0; blockIdx++) { - endQblockIdx += qBlockWeights[source_row_idx][blockIdx]; - for (; currQoneIdx < endQblockIdx; currQoneIdx++) { - QtrPosOnes[blockIdx][transposed_ones_idx[blockIdx]] = - (P - QPosOnes[source_row_idx][currQoneIdx]) % P; - transposed_ones_idx[blockIdx]++; - } - } - } -} - - 
diff --git a/crypto_kem/ledakemlt32/leaktime/H_Q_matrices_generation.h b/crypto_kem/ledakemlt32/leaktime/H_Q_matrices_generation.h
deleted file mode 100644
index 981b81d4..00000000
--- a/crypto_kem/ledakemlt32/leaktime/H_Q_matrices_generation.h
+++ /dev/null
@@ -1,13 +0,0 @@
-#ifndef H_Q_MATRICES_GENERATION_H
-#define H_Q_MATRICES_GENERATION_H
-
-#include "gf2x_arith.h"
-#include "qc_ldpc_parameters.h"
-#include "rng.h"
-
-void PQCLEAN_LEDAKEMLT32_LEAKTIME_generateHPosOnes(POSITION_T HPosOnes[N0][DV], AES_XOF_struct *keys_expander);
-void PQCLEAN_LEDAKEMLT32_LEAKTIME_generateQPosOnes(POSITION_T QPosOnes[N0][M], AES_XOF_struct *keys_expander);
-void PQCLEAN_LEDAKEMLT32_LEAKTIME_transposeHPosOnes(POSITION_T HtrPosOnes[N0][DV], POSITION_T HPosOnes[N0][DV]);
-void PQCLEAN_LEDAKEMLT32_LEAKTIME_transposeQPosOnes(POSITION_T QtrPosOnes[N0][M], POSITION_T QPosOnes[N0][M]);
-
-#endif
diff --git a/crypto_kem/ledakemlt32/leaktime/LICENSE b/crypto_kem/ledakemlt32/leaktime/LICENSE
deleted file mode 100644
index c1761078..00000000
--- a/crypto_kem/ledakemlt32/leaktime/LICENSE
+++ /dev/null
@@ -1,31 +0,0 @@
-/**
- *
- * LEDAcryptKEM
- *
- * @version 2.0 (March 2019)
- *
- * Adapted code from reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher.
- *
- * In alphabetical order:
- *
- * @author Marco Baldi
- * @author Alessandro Barenghi
- * @author Franco Chiaraluce
- * @author Gerardo Pelosi
- * @author Paolo Santini
- *
- * This code is hereby placed in the public domain.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
- * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
- * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
- * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
- * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- **/
diff --git a/crypto_kem/ledakemlt32/leaktime/Makefile b/crypto_kem/ledakemlt32/leaktime/Makefile
deleted file mode 100644
index 9fae5312..00000000
--- a/crypto_kem/ledakemlt32/leaktime/Makefile
+++ /dev/null
@@ -1,24 +0,0 @@
-# This Makefile can be used with GNU Make or BSD Make
-
-LIB=libledakemlt32_leaktime.a
-HEADERS=api.h bf_decoding.h dfr_test.h gf2x_arith_mod_xPplusOne.h \
- gf2x_arith.h H_Q_matrices_generation.h \
- niederreiter.h qc_ldpc_parameters.h rng.h sort.h utils.h
-
-OBJECTS=bf_decoding.o dfr_test.o gf2x_arith_mod_xPplusOne.o \
- gf2x_arith.o H_Q_matrices_generation.o kem.o niederreiter.o rng.o sort.o utils.o
-
-CFLAGS=-O3 -Wall -Werror -Wextra -Wvla -Wpedantic -Wmissing-prototypes -std=c99 \
- -I../../../common $(EXTRAFLAGS)
-
-all: $(LIB)
-
-%.o: %.c $(HEADERS)
- $(CC) $(CFLAGS) -c -o $@ $<
-
-$(LIB): $(OBJECTS)
- $(AR) -r $@ $(OBJECTS)
-
-clean:
- $(RM) $(OBJECTS)
- $(RM) $(LIB)
diff --git a/crypto_kem/ledakemlt32/leaktime/Makefile.Microsoft_nmake b/crypto_kem/ledakemlt32/leaktime/Makefile.Microsoft_nmake
deleted file mode 100644
index 87d47002..00000000
--- a/crypto_kem/ledakemlt32/leaktime/Makefile.Microsoft_nmake
+++ /dev/null
@@ -1,19 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=libledakemlt32_leaktime.lib
-OBJECTS=bf_decoding.obj dfr_test.obj gf2x_arith_mod_xPplusOne.obj gf2x_arith.obj H_Q_matrices_generation.obj kem.obj niederreiter.obj rng.obj sort.obj utils.obj
-
-CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_kem/ledakemlt32/leaktime/api.h b/crypto_kem/ledakemlt32/leaktime/api.h
deleted file mode 100644
index 21319bce..00000000
--- a/crypto_kem/ledakemlt32/leaktime/api.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef PQCLEAN_LEDAKEMLT32_LEAKTIME_API_H
-#define PQCLEAN_LEDAKEMLT32_LEAKTIME_API_H
-
-#include 
-
-#define PQCLEAN_LEDAKEMLT32_LEAKTIME_CRYPTO_SECRETKEYBYTES 66
-#define PQCLEAN_LEDAKEMLT32_LEAKTIME_CRYPTO_PUBLICKEYBYTES 12032
-#define PQCLEAN_LEDAKEMLT32_LEAKTIME_CRYPTO_CIPHERTEXTBYTES 12064
-#define PQCLEAN_LEDAKEMLT32_LEAKTIME_CRYPTO_BYTES 48
-
-#define PQCLEAN_LEDAKEMLT32_LEAKTIME_CRYPTO_ALGNAME "LEDAKEMLT32"
-
-int PQCLEAN_LEDAKEMLT32_LEAKTIME_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
-int PQCLEAN_LEDAKEMLT32_LEAKTIME_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int PQCLEAN_LEDAKEMLT32_LEAKTIME_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
-
-#endif
diff --git a/crypto_kem/ledakemlt32/leaktime/bf_decoding.c b/crypto_kem/ledakemlt32/leaktime/bf_decoding.c
deleted file mode 100644
index fc6aab04..00000000
--- a/crypto_kem/ledakemlt32/leaktime/bf_decoding.c
+++ /dev/null
@@ -1,79 +0,0 @@ -#include "bf_decoding.h" -#include "gf2x_arith_mod_xPplusOne.h" - -#include - -int PQCLEAN_LEDAKEMLT32_LEAKTIME_bf_decoding(DIGIT err[], - const POSITION_T HtrPosOnes[N0][DV], - const POSITION_T QtrPosOnes[N0][M], - DIGIT privateSyndrome[], - uint8_t secondIterThreshold) { - - DIGIT currSyndrome[NUM_DIGITS_GF2X_ELEMENT]; - uint8_t unsatParityChecks[N0 * P]; - POSITION_T currQBlkPos[M], currQBitPos[M]; - POSITION_T syndromePosToFlip, tmp; - uint32_t correlation, corrt_syndrome_based; - size_t currQoneIdx, endQblockIdx, currblockoffset; - int check; - int iteration = 0; - - do { - PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_copy(currSyndrome, privateSyndrome); - memset(unsatParityChecks, 0x00, N0 * P * sizeof(uint8_t)); - for (size_t i = 0; i < N0; i++) { - for (POSITION_T valueIdx = 0; valueIdx < P; valueIdx++) { - for (size_t HtrOneIdx = 0; HtrOneIdx < DV; HtrOneIdx++) { - tmp = (HtrPosOnes[i][HtrOneIdx] + valueIdx) >= P ? - (HtrPosOnes[i][HtrOneIdx] + valueIdx) - P : - (HtrPosOnes[i][HtrOneIdx] + valueIdx); - if (PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_get_coeff(currSyndrome, tmp)) { - unsatParityChecks[i * P + valueIdx]++; - } - } - } - } - - /* iteration based threshold determination*/ - corrt_syndrome_based = iteration * secondIterThreshold + (1 - iteration) * B0; - - // Computation of correlation with a full Q matrix - for (size_t i = 0; i < N0; i++) { - for (POSITION_T j = 0; j < P; j++) { - currQoneIdx = endQblockIdx = 0; - correlation = 0; - - for (size_t blockIdx = 0; blockIdx < N0; blockIdx++) { - endQblockIdx += qBlockWeights[blockIdx][i]; - currblockoffset = blockIdx * P; - for (; currQoneIdx < endQblockIdx; currQoneIdx++) { - tmp = QtrPosOnes[i][currQoneIdx] + j; - tmp = tmp >= P ? 
tmp - P : tmp; - currQBitPos[currQoneIdx] = tmp; - currQBlkPos[currQoneIdx] = (POSITION_T)blockIdx; - correlation += unsatParityChecks[tmp + currblockoffset]; - } - } - - /* Correlation based flipping */ - if (correlation >= corrt_syndrome_based) { - PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_toggle_coeff(err + NUM_DIGITS_GF2X_ELEMENT * i, j); - for (size_t v = 0; v < M; v++) { - for (size_t HtrOneIdx = 0; HtrOneIdx < DV; HtrOneIdx++) { - syndromePosToFlip = (HtrPosOnes[currQBlkPos[v]][HtrOneIdx] + currQBitPos[v]); - syndromePosToFlip = syndromePosToFlip >= P ? syndromePosToFlip - P : syndromePosToFlip; - PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_toggle_coeff(privateSyndrome, syndromePosToFlip); - } - } // end for v - } // end if - } // end for j - } // end for i - - iteration = iteration + 1; - check = 0; - while (check < NUM_DIGITS_GF2X_ELEMENT && privateSyndrome[check++] == 0) {}; - - } while (iteration < ITERATIONS_MAX && check < NUM_DIGITS_GF2X_ELEMENT); - - return (check == NUM_DIGITS_GF2X_ELEMENT); -} diff --git a/crypto_kem/ledakemlt32/leaktime/bf_decoding.h b/crypto_kem/ledakemlt32/leaktime/bf_decoding.h deleted file mode 100644 index a55b0300..00000000 --- a/crypto_kem/ledakemlt32/leaktime/bf_decoding.h +++ /dev/null @@ -1,18 +0,0 @@ -#ifndef BF_DECODING_H -#define BF_DECODING_H - -#include "gf2x_arith.h" -#include "qc_ldpc_parameters.h" - -/* Definitions for DFR level 2^-SL with SL=128 */ -#define ITERATIONS_MAX (2) -#define B0 (64) -#define T_BAR (5) - -int PQCLEAN_LEDAKEMLT32_LEAKTIME_bf_decoding(DIGIT err[], - const POSITION_T HtrPosOnes[N0][DV], - const POSITION_T QtrPosOnes[N0][M], - DIGIT privateSyndrome[], - uint8_t threshold); - -#endif diff --git a/crypto_kem/ledakemlt32/leaktime/dfr_test.c b/crypto_kem/ledakemlt32/leaktime/dfr_test.c deleted file mode 100644 index bacbb9c4..00000000 --- a/crypto_kem/ledakemlt32/leaktime/dfr_test.c +++ /dev/null 
@@ -1,88 +0,0 @@ -#include "bf_decoding.h" -#include "dfr_test.h" -#include "gf2x_arith_mod_xPplusOne.h" -#include "qc_ldpc_parameters.h" -#include "sort.h" - -#include - - -int PQCLEAN_LEDAKEMLT32_LEAKTIME_DFR_test(POSITION_T LSparse[N0][DV * M], uint8_t *secondIterThreshold) { - - POSITION_T LSparse_loc[N0][DV * M]; /* vector of N_0 sparse blocks */ - uint8_t gamma[N0][N0][P] = {{{0}}}; - uint32_t gammaHist[N0][DV * M + 1] = {{0}}; - size_t maxMut[N0], maxMutMinusOne[N0]; - size_t allBlockMaxSumst, allBlockMaxSumstMinusOne; - size_t histIdx, toAdd; - - for (size_t i = 0; i < N0; i++) { - for (size_t j = 0; j < DV * M; j++) { - if (LSparse[i][j] != 0) { - LSparse_loc[i][j] = (P - LSparse[i][j]); - } - } - PQCLEAN_LEDAKEMLT32_LEAKTIME_uint32_sort(LSparse_loc[i], DV * M); - } - - - for (size_t i = 0; i < N0; i++ ) { - for (size_t j = 0; j < N0; j++) { - for (size_t k = 0; k < (DV * M); k++) { - for (size_t l = 0; l < (DV * M); l++) { - gamma[i][j][(P + LSparse_loc[i][k] - LSparse_loc[j][l]) % P]++; - } - } - } - } - - for (size_t i = 0; i < N0; i++ ) { - for (size_t j = 0; j < N0; j++ ) { - gamma[i][j][0] = 0; - } - } - - /* build histogram of values in gamma */ - for (size_t i = 0; i < N0; i++ ) { - for (size_t j = 0; j < N0; j++ ) { - for (size_t k = 0; k < P; k++) { - gammaHist[i][gamma[i][j][k]]++; - } - } - } - - - for (size_t gammaBlockRowIdx = 0; gammaBlockRowIdx < N0; gammaBlockRowIdx++) { - maxMutMinusOne[gammaBlockRowIdx] = 0; - histIdx = DV * M; - toAdd = T_BAR - 1; - while ( (histIdx > 0) && (toAdd > 0)) { - if (gammaHist[gammaBlockRowIdx][histIdx] > toAdd ) { - maxMutMinusOne[gammaBlockRowIdx] += histIdx * toAdd; - toAdd = 0; - } else { - maxMutMinusOne[gammaBlockRowIdx] += histIdx * gammaHist[gammaBlockRowIdx][histIdx]; - toAdd -= gammaHist[gammaBlockRowIdx][histIdx]; - histIdx--; - } - } - maxMut[gammaBlockRowIdx] = histIdx + maxMutMinusOne[gammaBlockRowIdx]; - } - - /*seek max values across all gamma blocks */ - allBlockMaxSumst = maxMut[0]; - 
allBlockMaxSumstMinusOne = maxMutMinusOne[0]; - for (size_t gammaBlockRowIdx = 0; gammaBlockRowIdx < N0; gammaBlockRowIdx++) { - allBlockMaxSumst = allBlockMaxSumst < maxMut[gammaBlockRowIdx] ? - maxMut[gammaBlockRowIdx] : - allBlockMaxSumst; - allBlockMaxSumstMinusOne = allBlockMaxSumstMinusOne < maxMutMinusOne[gammaBlockRowIdx] ? - maxMutMinusOne[gammaBlockRowIdx] : - allBlockMaxSumstMinusOne; - } - if (DV * M > (allBlockMaxSumstMinusOne + allBlockMaxSumst)) { - *secondIterThreshold = (uint8_t) (allBlockMaxSumst + 1); - return 1; - } - return 0; -} diff --git a/crypto_kem/ledakemlt32/leaktime/dfr_test.h b/crypto_kem/ledakemlt32/leaktime/dfr_test.h deleted file mode 100644 index ad013536..00000000 --- a/crypto_kem/ledakemlt32/leaktime/dfr_test.h +++ /dev/null @@ -1,6 +0,0 @@ -#ifndef DFR_TEST_H -#define DFR_TEST_H - -int PQCLEAN_LEDAKEMLT32_LEAKTIME_DFR_test(POSITION_T LSparse[N0][DV * M], uint8_t *secondIterThreshold); - -#endif diff --git a/crypto_kem/ledakemlt32/leaktime/gf2x_arith.c b/crypto_kem/ledakemlt32/leaktime/gf2x_arith.c deleted file mode 100644 index 9f2cedc9..00000000 --- a/crypto_kem/ledakemlt32/leaktime/gf2x_arith.c +++ /dev/null 
@@ -1,252 +0,0 @@ -#include "gf2x_arith.h" - -#include // memset(...) - -void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_add(DIGIT Res[], const DIGIT A[], const DIGIT B[], size_t n) { - for (size_t i = 0; i < n; i++) { - Res[i] = A[i] ^ B[i]; - } -} - -/* copies len digits from a to r if b == 1 */ -void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_cmov(DIGIT *r, const DIGIT *a, size_t len, int c) { - DIGIT mask = (DIGIT)(-c); - for (size_t i = 0; i < len; i++) { - r[i] ^= mask & (a[i] ^ r[i]); - } -} - -/* PRE: MAX ALLOWED ROTATION AMOUNT : DIGIT_SIZE_b */ -void PQCLEAN_LEDAKEMLT32_LEAKTIME_right_bit_shift_n(size_t length, DIGIT in[], size_t amount) { - if ( amount == 0 ) { - return; - } - size_t j; - DIGIT mask; - mask = ((DIGIT)0x01 << amount) - 1; - for (j = length - 1; j > 0; j--) { - in[j] >>= amount; - in[j] |= (in[j - 1] & mask) << (DIGIT_SIZE_b - amount); - } - in[j] >>= amount; -} - -/* PRE: MAX ALLOWED ROTATION AMOUNT : DIGIT_SIZE_b */ -void PQCLEAN_LEDAKEMLT32_LEAKTIME_left_bit_shift_n(size_t length, DIGIT in[], size_t amount) { - if ( amount == 0 ) { - return; - } - size_t j; - DIGIT mask; - mask = ~(((DIGIT)0x01 << (DIGIT_SIZE_b - amount)) - 1); - for (j = 0 ; j < length - 1; j++) { - in[j] <<= amount; - in[j] |= (in[j + 1] & mask) >> (DIGIT_SIZE_b - amount); - } - in[j] <<= amount; -} - - -static void gf2x_mul1(DIGIT *R, const DIGIT A, const DIGIT B) { - DIGIT tmp; - - R[0] = 0; - R[1] = (A & 1) * B; - for (uint8_t i = 1; i < DIGIT_SIZE_b; i++) { - tmp = ((A >> i) & 1) * B; - R[1] ^= tmp << i; - R[0] ^= tmp >> (DIGIT_SIZE_b - i); - } -} - -static void gf2x_mul_n(DIGIT *R, const DIGIT *A, const DIGIT *B, size_t n) { - DIGIT tmp[2]; - - memset(R, 0x00, 2 * n * sizeof(DIGIT)); - for (size_t i = 0; i < n; i++) { - for (size_t j = 0; j < n; j++) { - gf2x_mul1(tmp, A[i], B[j]); - R[i + j] ^= tmp[0]; - R[i + j + 1] ^= tmp[1]; - } - } -} - -static void gf2x_cpy(DIGIT *R, const DIGIT *A, size_t len) { - for (size_t i = 0; i < len; i++) { - R[i] = A[i]; - } -} - -/* Accumulate */ 
-#define gf2x_add(R, A, B, n) PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_add(R, A, B, n) -#define gf2x_acc(R, B, n) PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_add(R, R, B, n) - -/* allows the operands to be of different size - * first operand must be the bigger one. - * aligns last array elements */ -static inline void gf2x_add_asymm(DIGIT *R, - size_t na, const DIGIT *A, - size_t nb, const DIGIT *B) { - size_t delta = na - nb; - gf2x_cpy(R, A, delta); - gf2x_add(R + delta, A + delta, B, nb);; -} - -/* aligns first array elements */ -static inline void gf2x_add_asymm2(DIGIT *R, - size_t na, const DIGIT *A, - size_t nb, const DIGIT *B) { - size_t delta = na - nb; - gf2x_add(R, A, B, nb); - gf2x_cpy(R + nb, A + nb, delta); -} - -/* Karatsuba with lowered space complexity - * T(n) = 3 * ceil(n/2) + T(ceil(n / 2)) */ -static void gf2x_mul_kar(DIGIT *R, - const DIGIT *A, - const DIGIT *B, - size_t n, - DIGIT *stack) { - - if (n < MIN_KAR_DIGITS) { - gf2x_mul_n(R, A, B, n); - return; - } - - size_t l = (n + 1) / 2; // limb size = ceil(n / 2) - size_t d = n & 1; - - const DIGIT *a1 = A; // length n - d - const DIGIT *a0 = A + l - d; // length n - const DIGIT *b1 = B; - const DIGIT *b0 = B + l - d; - - DIGIT *aa = stack; - DIGIT *bb = aa + l; - DIGIT *cc = bb + l; - stack = cc + l; // 3l space requirement at each level - - DIGIT *c3 = R + l - 2 * d; - DIGIT *c2 = c3 + l; - DIGIT *c1 = c2 + l; - - gf2x_mul_kar(c2, a0, b0, l, stack); // L in low part of R - gf2x_mul_kar(R, a1, b1, l - d, stack); // H in higher part of R - gf2x_add_asymm(aa, l, a0, l - d, a1); // AH + AL - gf2x_add_asymm(bb, l, b0, l - d, b1); // BH + BL - gf2x_add(cc, c3, c2, l); // HL + LH in cc - gf2x_mul_kar(c3, aa, bb, l, stack); // M = (AH + AL) x (BH + BL) - gf2x_add_asymm(c3, l, c3, l - 2 * d, R); // add HH - gf2x_acc(c2, c1, l); // add LL - gf2x_acc(c3, cc, l); // add HL + LH - gf2x_acc(c2, cc, l); // add HL + LH -} - -static void gf2x_div_w_plus_one(DIGIT *A, size_t n) { - size_t i; - for (i = 0; i < n - 2; i++) { - 
A[i + 1] ^= A[i]; // runs n - 2 times - } -} - -static void gf2x_shift_left_w(DIGIT *A, size_t n) { - size_t i; - for (i = 0; i < n - 1; i++) { - A[i] = A[i + 1]; - } - A[i] = 0; -} - -/* Word-aligned Toom-Cook 3, source: - * Brent, Richard P., et al. "Faster multiplication in GF (2)[x]." - * International Algorithmic Number Theory Symposium. - * Springer, Berlin, Heidelberg, 2008. */ -static void gf2x_mul_tc3w(DIGIT *R, - const DIGIT *A, - const DIGIT *B, - size_t n, - DIGIT *stack) { - - if (n < MIN_TOOM_DIGITS) { - gf2x_mul_kar(R, A, B, n, stack); - return; - } - - size_t l = (n + 2) / 3; // size of a0, a1, b0, b1 - size_t r = n - 2 * l; // remaining sizes (a2, b2) - size_t x = 2 * l + 4; // size of c1, c2, c3, c4 - size_t z = r + 2 > l + 1 ? r + 2 : l + 1; // size of c5 - - const DIGIT *a0 = A; - const DIGIT *a1 = A + l; - const DIGIT *a2 = A + 2 * l; - const DIGIT *b0 = B; - const DIGIT *b1 = B + l; - const DIGIT *b2 = B + 2 * l; - - DIGIT *c0 = R; // c0 and c4 in the result - DIGIT *c4 = R + 4 * l; - DIGIT *c1 = stack; // the rest in the stack - DIGIT *c2 = c1 + x; - DIGIT *c3 = c2 + x; - DIGIT *c5 = c3 + x; - stack = c5 + z; // Worst-case 7l + 14 - - // Evaluation - c0[0] = 0; // c0[z] = a1*W + a2*W^2 - c0[l + 1] = 0; - gf2x_cpy(c0 + 1, a1, l); - gf2x_acc(c0 + 2, a2, r); - - c4[0] = 0; // c4[z] = b1*W + b2*W^2 - c4[l + 1] = 0; - gf2x_cpy(c4 + 1, b1, l); - gf2x_acc(c4 + 2, b2, r); - - gf2x_cpy(c5, a0, l); // c5[l] = a0 + a1 + a2 - gf2x_acc(c5, a1, l); - gf2x_acc(c5, a2, r); - - gf2x_cpy(c2, b0, l); // c2[l] = b0 + b1 + b2 - gf2x_acc(c2, b1, l); - gf2x_acc(c2, b2, r); - - gf2x_mul_tc3w(c1, c2, c5, l, stack); // c1[2l] = c2 * c5 - gf2x_add_asymm2(c5, z, c0, l, c5); // c5[z] += c0, z >= l - gf2x_add_asymm2(c2, z, c4, l, c2); // c2[z] += c4, idem - gf2x_acc(c0, a0, l); // c0[l] += a0 - gf2x_acc(c4, b0, l); // c4[l] += b0 - gf2x_mul_tc3w(c3, c2, c5, z, stack); // c3[2z] = c2 * c5 - gf2x_mul_tc3w(c2, c0, c4, z, stack); // c2[2z] = c0 * c4 - gf2x_mul_tc3w(c0, a0, 
b0, l, stack); // c0[2l] = a0 * b0 - gf2x_mul_tc3w(c4, a2, b2, r, stack); // c4[2r] = a2 * b2 - - // Interpolation - gf2x_acc(c3, c2, 2 * z); // c3[2z] += c2 - gf2x_acc(c2, c0, 2 * l); // c2[2z] += c0 - gf2x_shift_left_w(c2, 2 * z); // c2[2z] = c2/y + c3 - gf2x_acc(c2, c3, 2 * z); - gf2x_acc(c2, c4, 2 * r); // c2[2z] += c4 + c4**3 - gf2x_acc(c2 + 3, c4, 2 * r); - gf2x_div_w_plus_one(c2, 2 * z); // c2[2z-1] = c2/(W+1) - gf2x_acc(c1, c0, 2 * l); // c1[2l] += c0 - gf2x_acc(c3, c1, 2 * l); // c3[2z] += c1 - gf2x_shift_left_w(c3, 2 * z); // c3[2z-2] = c3/(W^2 + W) - gf2x_div_w_plus_one(c3, 2 * z - 1); - gf2x_add_asymm2(c1, 2 * z, c2, 2 * l, c1); // c1[2z-1] += c2 + c4 - gf2x_acc(c1, c4, 2 * r); // size c2 >= c1 >= c4 - gf2x_acc(c2, c3, 2 * z - 1); // c2[2z-1] += c3 - - // Recombination - gf2x_cpy(R + 2 * l, c2, 2 * l); - gf2x_acc(R + l, c1, 2 * z - 1); - gf2x_acc(R + 3 * l, c3, 2 * z - 1); -} - -void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mul(DIGIT *R, const DIGIT *A, const DIGIT *B, size_t n) { - DIGIT stack[STACK_WORDS]; - gf2x_mul_tc3w(R, A, B, n, stack); -} - diff --git a/crypto_kem/ledakemlt32/leaktime/gf2x_arith.h b/crypto_kem/ledakemlt32/leaktime/gf2x_arith.h deleted file mode 100644 index b0e30ddb..00000000 --- a/crypto_kem/ledakemlt32/leaktime/gf2x_arith.h +++ /dev/null 
@@ -1,63 +0,0 @@ -#ifndef GF2X_ARITH_H -#define GF2X_ARITH_H - -#include -#include - -/* - * Elements of GF(2)[x] are stored in compact dense binary form. - * - * Each bit in a byte is assumed to be the coefficient of a binary - * polynomial f(x), in Big-Endian format (i.e., reading everything from - * left to right, the most significant element is met first): - * - * byte:(0000 0000) == 0x00 ... f(x) == 0 - * byte:(0000 0001) == 0x01 ... f(x) == 1 - * byte:(0000 0010) == 0x02 ... f(x) == x - * byte:(0000 0011) == 0x03 ... f(x) == x+1 - * ... ... ... - * byte:(0000 1111) == 0x0F ... f(x) == x^{3}+x^{2}+x+1 - * ... ... ... - * byte:(1111 1111) == 0xFF ... f(x) == x^{7}+x^{6}+x^{5}+x^{4}+x^{3}+x^{2}+x+1 - * - * - * A "machine word" (A_i) is considered as a DIGIT. - * Bytes in a DIGIT are assumed in Big-Endian format: - * E.g., if sizeof(DIGIT) == 4: - * A_i: A_{i,3} A_{i,2} A_{i,1} A_{i,0}. - * A_{i,3} denotes the most significant byte, A_{i,0} the least significant one. - * f(x) == x^{31} + ... + x^{24} + - * + x^{23} + ... + x^{16} + - * + x^{15} + ... + x^{8} + - * + x^{7} + ... + x^{0} - * - * - * Multi-precision elements (i.e., with multiple DIGITs) are stored in - * Big-endian format: - * A = A_{n-1} A_{n-2} ... A_1 A_0 - * - * position[A_{n-1}] == 0 - * position[A_{n-2}] == 1 - * ... 
- * position[A_{1}] == n-2 - * position[A_{0}] == n-1 - */ - -typedef uint64_t DIGIT; -#define DIGIT_SIZE_B (8) -#define DIGIT_SIZE_b (DIGIT_SIZE_B << 3) -#define POSITION_T uint32_t - -#define MIN_KAR_DIGITS 10 -#define MIN_TOOM_DIGITS 42 - -#define STACK_KAR_ONLY 4497 -#define STACK_WORDS 5336 - -void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_add(DIGIT Res[], const DIGIT A[], const DIGIT B[], size_t n); -void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_cmov(DIGIT *r, const DIGIT *a, size_t len, int c); -void PQCLEAN_LEDAKEMLT32_LEAKTIME_right_bit_shift_n(size_t length, DIGIT in[], size_t amount); -void PQCLEAN_LEDAKEMLT32_LEAKTIME_left_bit_shift_n(size_t length, DIGIT in[], size_t amount); -void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mul(DIGIT *R, const DIGIT *A, const DIGIT *B, size_t n); - -#endif diff --git a/crypto_kem/ledakemlt32/leaktime/gf2x_arith_mod_xPplusOne.c b/crypto_kem/ledakemlt32/leaktime/gf2x_arith_mod_xPplusOne.c deleted file mode 100644 index 9206dfb0..00000000 --- a/crypto_kem/ledakemlt32/leaktime/gf2x_arith_mod_xPplusOne.c +++ /dev/null 
@@ -1,529 +0,0 @@ -#include "gf2x_arith_mod_xPplusOne.h" -#include "rng.h" -#include "sort.h" - -#include // memcpy(...), memset(...) - -void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_copy(DIGIT dest[], const DIGIT in[]) { - for (size_t i = 0; i < NUM_DIGITS_GF2X_ELEMENT; i++) { - dest[i] = in[i]; - } -} - -/* returns the coefficient of the x^exponent term as the LSB of a digit */ -DIGIT PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_get_coeff(const DIGIT poly[], size_t exponent) { - size_t straightIdx = (NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_b - 1) - exponent; - size_t digitIdx = straightIdx / DIGIT_SIZE_b; - size_t inDigitIdx = straightIdx % DIGIT_SIZE_b; - return (poly[digitIdx] >> (DIGIT_SIZE_b - 1 - inDigitIdx)) & ((DIGIT) 1) ; -} - -/* sets the coefficient of the x^exponent term as the LSB of a digit */ -void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_set_coeff(DIGIT poly[], size_t exponent, DIGIT value) { - size_t straightIdx = (NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_b - 1) - exponent; - size_t digitIdx = straightIdx / DIGIT_SIZE_b; - size_t inDigitIdx = straightIdx % DIGIT_SIZE_b; - - /* clear given coefficient */ - DIGIT mask = ~(((DIGIT) 1) << (DIGIT_SIZE_b - 1 - inDigitIdx)); - poly[digitIdx] = poly[digitIdx] & mask; - poly[digitIdx] = poly[digitIdx] | ((value & ((DIGIT) 1)) << (DIGIT_SIZE_b - 1 - inDigitIdx)); -} - -/* toggles (flips) the coefficient of the x^exponent term as the LSB of a digit */ -void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_toggle_coeff(DIGIT poly[], size_t exponent) { - size_t straightIdx = (NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_b - 1) - exponent; - size_t digitIdx = straightIdx / DIGIT_SIZE_b; - size_t inDigitIdx = straightIdx % DIGIT_SIZE_b; - - /* clear given coefficient */ - DIGIT mask = (((DIGIT) 1) << (DIGIT_SIZE_b - 1 - inDigitIdx)); - poly[digitIdx] = poly[digitIdx] ^ mask; -} - -/* population count for an unsigned 64-bit integer - Source: Hacker's delight, p.66 */ -static int popcount_uint64t(uint64_t x) { - x -= (x >> 1) & 0x5555555555555555; - x = (x & 
0x3333333333333333) + ((x >> 2) & 0x3333333333333333); - x = (x + (x >> 4)) & 0x0f0f0f0f0f0f0f0f; - return (int)((x * 0x0101010101010101) >> 56); -} - -/* population count for a single polynomial */ -int PQCLEAN_LEDAKEMLT32_LEAKTIME_population_count(const DIGIT *poly) { - int ret = 0; - for (int i = NUM_DIGITS_GF2X_ELEMENT - 1; i >= 0; i--) { - ret += popcount_uint64t(poly[i]); - } - return ret; -} - -void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_add(DIGIT Res[], const DIGIT A[], const DIGIT B[]) { - PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_add(Res, A, B, NUM_DIGITS_GF2X_ELEMENT); -} - -static void gf2x_mod(DIGIT out[], const DIGIT in[]) { - DIGIT aux[NUM_DIGITS_GF2X_ELEMENT + 1]; - - memcpy(aux, in, (NUM_DIGITS_GF2X_ELEMENT + 1)*DIGIT_SIZE_B); - PQCLEAN_LEDAKEMLT32_LEAKTIME_right_bit_shift_n(NUM_DIGITS_GF2X_ELEMENT + 1, aux, - MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS); - PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_add(out, aux + 1, in + NUM_DIGITS_GF2X_ELEMENT, - NUM_DIGITS_GF2X_ELEMENT); - out[0] &= ((DIGIT)1 << MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS) - 1; -} - -static void right_bit_shift(size_t length, DIGIT in[]) { - size_t j; - for (j = length - 1; j > 0; j--) { - in[j] >>= 1; - in[j] |= (in[j - 1] & (DIGIT)0x01) << (DIGIT_SIZE_b - 1); - } - in[j] >>= 1; -} - - -/* shifts by whole digits */ -static void left_DIGIT_shift_n(size_t length, DIGIT in[], size_t amount) { - size_t j; - for (j = 0; (j + amount) < length; j++) { - in[j] = in[j + amount]; - } - for (; j < length; j++) { - in[j] = (DIGIT)0; - } -} - -/* may shift by an arbitrary amount*/ -static void left_bit_shift_wide_n(size_t length, DIGIT in[], size_t amount) { - left_DIGIT_shift_n(length, in, amount / DIGIT_SIZE_b); - PQCLEAN_LEDAKEMLT32_LEAKTIME_left_bit_shift_n(length, in, amount % DIGIT_SIZE_b); -} - -/* Hackers delight, reverses a uint64_t */ -static DIGIT reverse_digit(DIGIT x) { - uint64_t t; - x = (x << 31) | (x >> 33); - t = (x ^ (x >> 20)) & 0x00000FFF800007FFLL; - x = (t | (t << 20)) ^ x; - t = (x ^ (x >> 8)) & 
0x00F8000F80700807LL; - x = (t | (t << 8)) ^ x; - t = (x ^ (x >> 4)) & 0x0808708080807008LL; - x = (t | (t << 4)) ^ x; - t = (x ^ (x >> 2)) & 0x1111111111111111LL; - x = (t | (t << 2)) ^ x; - return x; -} - -void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_transpose_in_place(DIGIT A[]) { - /* it keeps the lsb in the same position and - * inverts the sequence of the remaining bits */ - - DIGIT mask = (DIGIT)0x1; - DIGIT rev1, rev2, a00; - int slack_bits_amount = NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_b - P; - - a00 = A[NUM_DIGITS_GF2X_ELEMENT - 1] & mask; - right_bit_shift(NUM_DIGITS_GF2X_ELEMENT, A); - - for (size_t i = NUM_DIGITS_GF2X_ELEMENT - 1; i >= (NUM_DIGITS_GF2X_ELEMENT + 1) / 2; i--) { - rev1 = reverse_digit(A[i]); - rev2 = reverse_digit(A[NUM_DIGITS_GF2X_ELEMENT - 1 - i]); - A[i] = rev2; - A[NUM_DIGITS_GF2X_ELEMENT - 1 - i] = rev1; - } - - if (slack_bits_amount) { - PQCLEAN_LEDAKEMLT32_LEAKTIME_right_bit_shift_n(NUM_DIGITS_GF2X_ELEMENT, A, slack_bits_amount); - } - A[NUM_DIGITS_GF2X_ELEMENT - 1] = (A[NUM_DIGITS_GF2X_ELEMENT - 1] & (~mask)) | a00; -} - -static void rotate_bit_right(DIGIT in[]) { /* x^{-1} * in(x) mod x^P+1 */ - - DIGIT rotated_bit = in[NUM_DIGITS_GF2X_ELEMENT - 1] & ((DIGIT)0x1); - right_bit_shift(NUM_DIGITS_GF2X_ELEMENT, in); - int msb_offset_in_digit = MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS - 1; - rotated_bit = rotated_bit << msb_offset_in_digit; - in[0] |= rotated_bit; -} - -/* cond swap: swaps digits A and B if swap_mask == -1 */ -static void gf2x_cswap(DIGIT *a, DIGIT *b, int32_t swap_mask) { - DIGIT t; - for (size_t i = 0; i < NUM_DIGITS_GF2X_ELEMENT; i++) { - t = swap_mask & (a[i] ^ b[i]); - a[i] ^= t; - b[i] ^= t; - } -} - -/* returns -1 mask if x != 0, otherwise 0 */ -static inline int32_t nonzero(DIGIT x) { - DIGIT t = x; - t = (~t) + 1; - t >>= DIGIT_SIZE_b - 1; - return -((int32_t)t); -} - -/* returns -1 mask if x < 0 else 0 */ -static inline int32_t negative(int x) { - uint32_t u = x; - u >>= 31; - return -((int32_t)u); -} - -/* return f(0) 
as digit */ -static inline DIGIT lsb(const DIGIT *p) { - DIGIT mask = (DIGIT)1; - return p[NUM_DIGITS_GF2X_ELEMENT - 1] & mask; -} - -/* multiply poly with scalar and accumulate, expects s all-zero of all-one mask */ -static void gf2x_mult_scalar_acc(DIGIT *f, const DIGIT *g, const DIGIT s) { - for (size_t i = 0; i < NUM_DIGITS_GF2X_ELEMENT; i++) { - f[i] = f[i] ^ (s & g[i]); - } -} - -/* constant-time inverse, source: gcd.cr.yp.to */ -int PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_inverse(DIGIT out[], const DIGIT in[]) { - int32_t swap, delta = 1; - DIGIT g0_mask; - - DIGIT f[NUM_DIGITS_GF2X_MODULUS] = {0}; // f = x^P + 1 - DIGIT g[NUM_DIGITS_GF2X_ELEMENT]; // g = in - DIGIT *v = out; // v = 0, save space - DIGIT r[NUM_DIGITS_GF2X_ELEMENT] = {0}; // r = 1 - - f[NUM_DIGITS_GF2X_MODULUS - 1] = 1; - f[0] |= ((DIGIT)1 << MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS); - - for (size_t i = 0; i < NUM_DIGITS_GF2X_ELEMENT; i++) { - g[i] = in[i]; - } - - for (size_t i = 0; i < NUM_DIGITS_GF2X_ELEMENT; i++) { - v[i] = 0; - } - - r[NUM_DIGITS_GF2X_ELEMENT - 1] = 1; - - for (int loop = 0; loop < 2 * P - 1; ++loop) { - - swap = negative(-delta) & nonzero(lsb(g)); // swap = -1 if -delta < 0 AND g(0) != 0 - delta ^= swap & (delta ^ -delta); // cond swap delta with -delta if swap - delta++; - - gf2x_cswap(f, g, swap); - gf2x_cswap(v, r, swap); - - g0_mask = ~lsb(g) + 1; - - // g = (g - g0 * f) / x - gf2x_mult_scalar_acc(g, f, g0_mask); - right_bit_shift(NUM_DIGITS_GF2X_ELEMENT, g); - - // r = (r - g0 * v) / x - gf2x_mult_scalar_acc(r, v, g0_mask); - rotate_bit_right(r); - - } - - return nonzero(delta); // -1 if fail, 0 if success -} - -void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_mul(DIGIT Res[], const DIGIT A[], const DIGIT B[]) { - - DIGIT aux[2 * NUM_DIGITS_GF2X_ELEMENT]; - PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mul(aux, A, B, NUM_DIGITS_GF2X_ELEMENT); - gf2x_mod(Res, aux); - -} - -/*PRE: the representation of the sparse coefficients is sorted in increasing - order of the coefficients themselves 
*/ -void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_mul_dense_to_sparse(DIGIT Res[], const DIGIT dense[], - POSITION_T sparse[], size_t nPos) { - - DIGIT aux[2 * NUM_DIGITS_GF2X_ELEMENT] = {0x00}; - DIGIT resDouble[2 * NUM_DIGITS_GF2X_ELEMENT] = {0x00}; - memcpy(aux + NUM_DIGITS_GF2X_ELEMENT, dense, NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B); - memcpy(resDouble + NUM_DIGITS_GF2X_ELEMENT, dense, NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B); - - if (sparse[0] != INVALID_POS_VALUE) { - left_bit_shift_wide_n(2 * NUM_DIGITS_GF2X_ELEMENT, resDouble, sparse[0]); - left_bit_shift_wide_n(2 * NUM_DIGITS_GF2X_ELEMENT, aux, sparse[0]); - - for (size_t i = 1; i < nPos; i++) { - if (sparse[i] != INVALID_POS_VALUE) { - left_bit_shift_wide_n(2 * NUM_DIGITS_GF2X_ELEMENT, aux, (sparse[i] - sparse[i - 1]) ); - PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_add(resDouble, aux, resDouble, 2 * NUM_DIGITS_GF2X_ELEMENT); - } - } - } - - gf2x_mod(Res, resDouble); - -} - -void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_transpose_in_place_sparse(size_t sizeA, POSITION_T A[]) { - POSITION_T t; - size_t i = 0, j; - - if (A[i] == 0) { - i = 1; - } - j = i; - - for (; i < sizeA && A[i] != INVALID_POS_VALUE; i++) { - A[i] = P - A[i]; - } - - for (i -= 1; j < i; j++, i--) { - t = A[j]; - A[j] = A[i]; - A[i] = t; - } - -} - -void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_mul_sparse(size_t sizeR, POSITION_T Res[], - size_t sizeA, const POSITION_T A[], - size_t sizeB, const POSITION_T B[]) { - - POSITION_T prod; - POSITION_T lastReadPos; - size_t duplicateCount; - size_t write_idx, read_idx; - - /* compute all the coefficients, filling invalid positions with P*/ - size_t lastFilledPos = 0; - for (size_t i = 0 ; i < sizeA ; i++) { - for (size_t j = 0 ; j < sizeB ; j++) { - prod = A[i] + B[j]; - prod = ( (prod >= P) ? 
prod - P : prod); - if ((A[i] != INVALID_POS_VALUE) && - (B[j] != INVALID_POS_VALUE)) { - Res[lastFilledPos] = prod; - } else { - Res[lastFilledPos] = INVALID_POS_VALUE; - } - lastFilledPos++; - } - } - while (lastFilledPos < sizeR) { - Res[lastFilledPos] = INVALID_POS_VALUE; - lastFilledPos++; - } - - PQCLEAN_LEDAKEMLT32_LEAKTIME_uint32_sort(Res, sizeR); - - /* eliminate duplicates */ - write_idx = read_idx = 0; - while (read_idx < sizeR && Res[read_idx] != INVALID_POS_VALUE) { - lastReadPos = Res[read_idx]; - read_idx++; - duplicateCount = 1; - while ( (Res[read_idx] == lastReadPos) && (Res[read_idx] != INVALID_POS_VALUE)) { - read_idx++; - duplicateCount++; - } - if (duplicateCount % 2) { - Res[write_idx] = lastReadPos; - write_idx++; - } - } - /* fill remaining cells with INVALID_POS_VALUE */ - for (; write_idx < sizeR; write_idx++) { - Res[write_idx] = INVALID_POS_VALUE; - } -} - -/* the implementation is safe even in case A or B alias with the result - * PRE: A and B should be sorted, disjunct arrays ending with INVALID_POS_VALUE */ -void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_add_sparse(size_t sizeR, POSITION_T Res[], - size_t sizeA, const POSITION_T A[], - size_t sizeB, const POSITION_T B[]) { - - POSITION_T tmpRes[DV * M]; - size_t idxA = 0, idxB = 0, idxR = 0; - while ( idxA < sizeA && - idxB < sizeB && - A[idxA] != INVALID_POS_VALUE && - B[idxB] != INVALID_POS_VALUE ) { - - if (A[idxA] == B[idxB]) { - idxA++; - idxB++; - } else { - if (A[idxA] < B[idxB]) { - tmpRes[idxR] = A[idxA]; - idxA++; - } else { - tmpRes[idxR] = B[idxB]; - idxB++; - } - idxR++; - } - } - - while (idxA < sizeA && A[idxA] != INVALID_POS_VALUE) { - tmpRes[idxR] = A[idxA]; - idxA++; - idxR++; - } - - while (idxB < sizeB && B[idxB] != INVALID_POS_VALUE) { - tmpRes[idxR] = B[idxB]; - idxB++; - idxR++; - } - - while (idxR < sizeR) { - tmpRes[idxR] = INVALID_POS_VALUE; - idxR++; - } - memcpy(Res, tmpRes, sizeof(POSITION_T)*sizeR); - -} - -/* Return a uniform random value in the range 
0..n-1 inclusive, - * applying a rejection sampling strategy and exploiting as a random source - * the NIST seedexpander seeded with the proper key. - * Assumes that the maximum value for the range n is 2^32-1 - */ -static uint32_t rand_range(const unsigned int n, const int logn, AES_XOF_struct *seed_expander_ctx) { - unsigned long required_rnd_bytes = (logn + 7) / 8; - unsigned char rnd_char_buffer[4]; - uint32_t rnd_value; - uint32_t mask = ( (uint32_t)1 << logn) - 1; - - do { - PQCLEAN_LEDAKEMLT32_LEAKTIME_seedexpander(seed_expander_ctx, rnd_char_buffer, required_rnd_bytes); - /* obtain an endianness independent representation of the generated random - bytes into an unsigned integer */ - rnd_value = ((uint32_t)rnd_char_buffer[3] << 24) + - ((uint32_t)rnd_char_buffer[2] << 16) + - ((uint32_t)rnd_char_buffer[1] << 8) + - ((uint32_t)rnd_char_buffer[0] << 0) ; - rnd_value = mask & rnd_value; - } while (rnd_value >= n); - - return rnd_value; -} - -/* Obtains fresh randomness and seed-expands it until all the required positions - * for the '1's in the circulant block are obtained */ -void PQCLEAN_LEDAKEMLT32_LEAKTIME_rand_circulant_sparse_block(POSITION_T *pos_ones, - size_t countOnes, - AES_XOF_struct *seed_expander_ctx) { - - size_t duplicated, placedOnes = 0; - POSITION_T p; - - while (placedOnes < countOnes) { - p = rand_range(NUM_BITS_GF2X_ELEMENT, - P_BITS, - seed_expander_ctx); - duplicated = 0; - for (size_t j = 0; j < placedOnes; j++) { - if (pos_ones[j] == p) { - duplicated = 1; - } - } - if (duplicated == 0) { - pos_ones[placedOnes] = p; - placedOnes++; - } - } -} - -/* Returns random weight-t circulant block */ -void PQCLEAN_LEDAKEMLT32_LEAKTIME_rand_circulant_blocks_sequence(DIGIT sequence[N0 * NUM_DIGITS_GF2X_ELEMENT], - AES_XOF_struct *seed_expander_ctx) { - - size_t polyIndex, duplicated, counter = 0; - POSITION_T p, exponent, rndPos[NUM_ERRORS_T]; - - memset(sequence, 0x00, N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B); - - while (counter < 
NUM_ERRORS_T) { - p = rand_range(N0 * NUM_BITS_GF2X_ELEMENT, P_BITS, seed_expander_ctx); - duplicated = 0; - for (size_t j = 0; j < counter; j++) { - if (rndPos[j] == p) { - duplicated = 1; - } - } - if (duplicated == 0) { - rndPos[counter] = p; - counter++; - } - } - for (size_t j = 0; j < counter; j++) { - polyIndex = rndPos[j] / P; - exponent = rndPos[j] % P; - PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_set_coeff( sequence + NUM_DIGITS_GF2X_ELEMENT * polyIndex, exponent, - ( (DIGIT) 1)); - } - -} - - -void PQCLEAN_LEDAKEMLT32_LEAKTIME_rand_error_pos(POSITION_T errorPos[NUM_ERRORS_T], - AES_XOF_struct *seed_expander_ctx) { - - int duplicated; - size_t counter = 0; - - while (counter < NUM_ERRORS_T) { - POSITION_T p = rand_range(N0 * NUM_BITS_GF2X_ELEMENT, P_BITS, seed_expander_ctx); - duplicated = 0; - for (size_t j = 0; j < counter; j++) { - if (errorPos[j] == p) { - duplicated = 1; - } - } - if (duplicated == 0) { - errorPos[counter] = p; - counter++; - } - } -} - -void PQCLEAN_LEDAKEMLT32_LEAKTIME_expand_error(DIGIT sequence[N0 * NUM_DIGITS_GF2X_ELEMENT], - const POSITION_T errorPos[NUM_ERRORS_T]) { - - size_t polyIndex; - POSITION_T exponent; - - memset(sequence, 0x00, N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B); - for (int j = 0; j < NUM_ERRORS_T; j++) { - polyIndex = errorPos[j] / P; - exponent = errorPos[j] % P; - PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_set_coeff( sequence + NUM_DIGITS_GF2X_ELEMENT * polyIndex, exponent, - ( (DIGIT) 1)); - } -} - - -void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_tobytes(uint8_t *bytes, const DIGIT *poly) { - size_t i, j; - for (i = 0; i < NUM_DIGITS_GF2X_ELEMENT; i++) { - for (j = 0; j < DIGIT_SIZE_B; j++) { - bytes[i * DIGIT_SIZE_B + j] = (uint8_t) (poly[i] >> 8 * j); - } - } -} - -void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_frombytes(DIGIT *poly, const uint8_t *poly_bytes) { - size_t i, j; - for (i = 0; i < NUM_DIGITS_GF2X_ELEMENT; i++) { - poly[i] = (DIGIT) 0; - for (j = 0; j < DIGIT_SIZE_B; j++) { - poly[i] |= (DIGIT) poly_bytes[i * DIGIT_SIZE_B 
+ j] << 8 * j; - } - } -} diff --git a/crypto_kem/ledakemlt32/leaktime/gf2x_arith_mod_xPplusOne.h b/crypto_kem/ledakemlt32/leaktime/gf2x_arith_mod_xPplusOne.h deleted file mode 100644 index 9d554937..00000000 --- a/crypto_kem/ledakemlt32/leaktime/gf2x_arith_mod_xPplusOne.h +++ /dev/null 
@@ -1,39 +0,0 @@ -#ifndef GF2X_ARITH_MOD_XPLUSONE_H -#define GF2X_ARITH_MOD_XPLUSONE_H - -#include "qc_ldpc_parameters.h" - -#include "gf2x_arith.h" -#include "rng.h" - -#define NUM_BITS_GF2X_ELEMENT (P) -#define NUM_DIGITS_GF2X_ELEMENT ((P+DIGIT_SIZE_b-1)/DIGIT_SIZE_b) -#define MSb_POSITION_IN_MSB_DIGIT_OF_ELEMENT ((P % DIGIT_SIZE_b) ? (P % DIGIT_SIZE_b)-1 : DIGIT_SIZE_b-1) -#define NUM_BITS_GF2X_MODULUS (P+1) -#define NUM_DIGITS_GF2X_MODULUS ((P+1+DIGIT_SIZE_b-1)/DIGIT_SIZE_b) -#define MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS (P-DIGIT_SIZE_b*(NUM_DIGITS_GF2X_MODULUS-1)) -#define INVALID_POS_VALUE (P) -#define P_BITS (17) - -void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_copy(DIGIT dest[], const DIGIT in[]); -DIGIT PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_get_coeff(const DIGIT poly[], size_t exponent); -void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_set_coeff(DIGIT poly[], size_t exponent, DIGIT value); -void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_toggle_coeff(DIGIT poly[], size_t exponent); -int PQCLEAN_LEDAKEMLT32_LEAKTIME_population_count(const DIGIT *poly); -void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_add(DIGIT Res[], const DIGIT A[], const DIGIT B[]); -void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_mul(DIGIT Res[], const DIGIT A[], const DIGIT B[]); -void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_transpose_in_place(DIGIT A[]); -void PQCLEAN_LEDAKEMLT32_LEAKTIME_rand_circulant_sparse_block(POSITION_T *pos_ones, size_t countOnes, AES_XOF_struct *seed_expander_ctx); -void PQCLEAN_LEDAKEMLT32_LEAKTIME_rand_circulant_blocks_sequence(DIGIT *sequence, AES_XOF_struct *seed_expander_ctx); -void PQCLEAN_LEDAKEMLT32_LEAKTIME_rand_error_pos(POSITION_T errorPos[NUM_ERRORS_T], AES_XOF_struct *seed_expander_ctx); -void PQCLEAN_LEDAKEMLT32_LEAKTIME_expand_error(DIGIT sequence[N0 * NUM_DIGITS_GF2X_ELEMENT], const POSITION_T errorPos[NUM_ERRORS_T]); -void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_add_sparse(size_t sizeR, POSITION_T Res[], size_t sizeA, const POSITION_T A[], size_t sizeB, const POSITION_T B[]); -void 
PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_transpose_in_place_sparse(size_t sizeA, POSITION_T A[]); -int PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_inverse(DIGIT out[], const DIGIT in[]); -void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_mul_sparse(size_t sizeR, POSITION_T Res[], size_t sizeA, const POSITION_T A[], size_t sizeB, const POSITION_T B[]); -void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_mul_dense_to_sparse(DIGIT Res[], const DIGIT dense[], POSITION_T sparse[], size_t nPos); -void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_tobytes(uint8_t *bytes, const DIGIT *poly); -void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_frombytes(DIGIT *poly, const uint8_t *poly_bytes); - - -#endif diff --git a/crypto_kem/ledakemlt32/leaktime/kem.c b/crypto_kem/ledakemlt32/leaktime/kem.c deleted file mode 100644 index c87b0d7f..00000000 --- a/crypto_kem/ledakemlt32/leaktime/kem.c +++ /dev/null 
@@ -1,157 +0,0 @@ -#include "api.h" -#include "niederreiter.h" -#include "randombytes.h" -#include "rng.h" -#include "utils.h" - -#include - - -#define pack_ct(sk_bytes, ct) PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_tobytes(sk_bytes, ct); -#define unpack_ct(ct, ct_bytes) PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_frombytes(ct, ct_bytes) - -static void pack_pk(uint8_t *pk_bytes, publicKeyNiederreiter_t *pk) { - for (size_t i = 0; i < N0 - 1; i++) { - PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_tobytes(pk_bytes + i * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B, - pk->Mtr + i * NUM_DIGITS_GF2X_ELEMENT); - } -} - -static void unpack_pk(publicKeyNiederreiter_t *pk, const uint8_t *pk_bytes) { - for (size_t i = 0; i < N0 - 1; i++) { - PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_frombytes(pk->Mtr + i * NUM_DIGITS_GF2X_ELEMENT, - pk_bytes + i * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B); - } -} - -static void pack_error(uint8_t *error_bytes, DIGIT *error_digits) { - size_t i; - for (i = 0; i < N0; i++) { - PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_tobytes(error_bytes + i * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B, - error_digits + i * NUM_DIGITS_GF2X_ELEMENT); - } -} - -/* IND-CCA2 Keygen */ -int PQCLEAN_LEDAKEMLT32_LEAKTIME_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) { - publicKeyNiederreiter_t niederreiter_pk; - - PQCLEAN_LEDAKEMLT32_LEAKTIME_niederreiter_keygen(&niederreiter_pk, (privateKeyNiederreiter_t *) sk); - - pack_pk(pk, &niederreiter_pk); - - return 0; -} - -/* IND-CCA2 Encapsulation */ -int PQCLEAN_LEDAKEMLT32_LEAKTIME_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk) { - publicKeyNiederreiter_t niederreiter_pk; - DIGIT syndrome[NUM_DIGITS_GF2X_ELEMENT]; - AES_XOF_struct hashedAndTruncatedSeed_expander; - POSITION_T errorPos[NUM_ERRORS_T]; - DIGIT error_vector[N0 * NUM_DIGITS_GF2X_ELEMENT]; - uint8_t error_bytes[N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B]; - uint8_t seed[TRNG_BYTE_LENGTH]; - uint8_t ss_input[2 * TRNG_BYTE_LENGTH] = {0}; - uint8_t hashedSeed[HASH_BYTE_LENGTH]; - uint8_t 
hashedAndTruncatedSeed[TRNG_BYTE_LENGTH] = {0}; - uint8_t hashedErrorVector[HASH_BYTE_LENGTH]; - uint8_t hashedAndTruncatedErrorVector[TRNG_BYTE_LENGTH] = {0}; - uint8_t maskedSeed[TRNG_BYTE_LENGTH]; - - unpack_pk(&niederreiter_pk, pk); - - randombytes(seed, TRNG_BYTE_LENGTH); - memcpy(ss_input, seed, TRNG_BYTE_LENGTH); - - HASH_FUNCTION(ss, ss_input, 2 * TRNG_BYTE_LENGTH); - HASH_FUNCTION(hashedSeed, seed, TRNG_BYTE_LENGTH); - - memcpy(hashedAndTruncatedSeed, hashedSeed, TRNG_BYTE_LENGTH); - - memset(&hashedAndTruncatedSeed_expander, 0x00, sizeof(AES_XOF_struct)); - PQCLEAN_LEDAKEMLT32_LEAKTIME_seedexpander_from_trng(&hashedAndTruncatedSeed_expander, hashedAndTruncatedSeed); - PQCLEAN_LEDAKEMLT32_LEAKTIME_rand_error_pos(errorPos, &hashedAndTruncatedSeed_expander); - PQCLEAN_LEDAKEMLT32_LEAKTIME_expand_error(error_vector, errorPos); - - pack_error(error_bytes, error_vector); - HASH_FUNCTION(hashedErrorVector, error_bytes, (N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B)); - - memcpy(hashedAndTruncatedErrorVector, hashedErrorVector, TRNG_BYTE_LENGTH); - - for (size_t i = 0; i < TRNG_BYTE_LENGTH; ++i) { - maskedSeed[i] = seed[i] ^ hashedAndTruncatedErrorVector[i]; - } - - PQCLEAN_LEDAKEMLT32_LEAKTIME_niederreiter_encrypt(syndrome, - (const publicKeyNiederreiter_t *) &niederreiter_pk, error_vector); - - pack_ct(ct, syndrome); - memcpy(ct + (NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B), maskedSeed, TRNG_BYTE_LENGTH); - - return 0; -} - - -/* IND-CCA2 Decapsulation */ -int PQCLEAN_LEDAKEMLT32_LEAKTIME_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk) { - DIGIT syndrome[NUM_DIGITS_GF2X_ELEMENT]; - AES_XOF_struct hashedAndTruncatedSeed_expander; - POSITION_T reconstructed_errorPos[NUM_ERRORS_T]; - DIGIT reconstructed_error_vector[N0 * NUM_DIGITS_GF2X_ELEMENT]; - DIGIT decoded_error_vector[N0 * NUM_DIGITS_GF2X_ELEMENT]; - uint8_t decoded_error_bytes[N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B]; - uint8_t hashedErrorVector[HASH_BYTE_LENGTH]; - uint8_t 
hashedAndTruncatedErrorVector[TRNG_BYTE_LENGTH] = {0}; - uint8_t decoded_seed[TRNG_BYTE_LENGTH]; - uint8_t hashed_decoded_seed[HASH_BYTE_LENGTH]; - uint8_t hashedAndTruncated_decoded_seed[TRNG_BYTE_LENGTH] = {0}; - uint8_t ss_input[2 * TRNG_BYTE_LENGTH], tail[TRNG_BYTE_LENGTH] = {0}; - int decode_ok, decrypt_ok, equal; - - unpack_ct(syndrome, ct); - - decode_ok = PQCLEAN_LEDAKEMLT32_LEAKTIME_niederreiter_decrypt(decoded_error_vector, - (const privateKeyNiederreiter_t *)sk, syndrome); - - pack_error(decoded_error_bytes, decoded_error_vector); - HASH_FUNCTION(hashedErrorVector, decoded_error_bytes, N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B); - - memcpy(hashedAndTruncatedErrorVector, hashedErrorVector, TRNG_BYTE_LENGTH); - - for (size_t i = 0; i < TRNG_BYTE_LENGTH; ++i) { - decoded_seed[i] = ct[(NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B) + i] ^ - hashedAndTruncatedErrorVector[i]; - } - - HASH_FUNCTION(hashed_decoded_seed, decoded_seed, TRNG_BYTE_LENGTH); - - memcpy(hashedAndTruncated_decoded_seed, hashed_decoded_seed, TRNG_BYTE_LENGTH); - - memset(&hashedAndTruncatedSeed_expander, 0x00, sizeof(AES_XOF_struct)); - PQCLEAN_LEDAKEMLT32_LEAKTIME_seedexpander_from_trng(&hashedAndTruncatedSeed_expander, - hashed_decoded_seed); - - PQCLEAN_LEDAKEMLT32_LEAKTIME_rand_error_pos(reconstructed_errorPos, &hashedAndTruncatedSeed_expander); - - PQCLEAN_LEDAKEMLT32_LEAKTIME_expand_error(reconstructed_error_vector, reconstructed_errorPos); - - equal = PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_verify(decoded_error_vector, - reconstructed_error_vector, N0 * NUM_DIGITS_GF2X_ELEMENT); - // equal == 0, if the reconstructed error vector match !!! 
- - decrypt_ok = (decode_ok == 1 && equal == 0); - - memcpy(ss_input, decoded_seed, TRNG_BYTE_LENGTH); - memcpy(ss_input + sizeof(decoded_seed), tail, TRNG_BYTE_LENGTH); - - // Overwrite on failure - PQCLEAN_LEDAKEMLT32_LEAKTIME_cmov(ss_input + sizeof(decoded_seed), - ((const privateKeyNiederreiter_t *) sk)->decryption_failure_secret, - TRNG_BYTE_LENGTH, - !decrypt_ok); - - HASH_FUNCTION(ss, ss_input, 2 * TRNG_BYTE_LENGTH); - - return 0; -} diff --git a/crypto_kem/ledakemlt32/leaktime/niederreiter.c b/crypto_kem/ledakemlt32/leaktime/niederreiter.c deleted file mode 100644 index e567bbf2..00000000 --- a/crypto_kem/ledakemlt32/leaktime/niederreiter.c +++ /dev/null 
@@ -1,192 +0,0 @@ -#include "H_Q_matrices_generation.h" -#include "bf_decoding.h" -#include "dfr_test.h" -#include "gf2x_arith_mod_xPplusOne.h" -#include "niederreiter.h" -#include "qc_ldpc_parameters.h" -#include "randombytes.h" -#include "rng.h" - -#include - -void PQCLEAN_LEDAKEMLT32_LEAKTIME_niederreiter_keygen(publicKeyNiederreiter_t *pk, privateKeyNiederreiter_t *sk) { - - AES_XOF_struct keys_expander; - POSITION_T HPosOnes[N0][DV]; - POSITION_T QPosOnes[N0][M]; - POSITION_T LPosOnes[N0][DV * M]; - POSITION_T auxPosOnes[DV * M]; - unsigned char processedQOnes[N0]; - DIGIT Ln0dense[NUM_DIGITS_GF2X_ELEMENT] = {0}; - DIGIT Ln0Inv[NUM_DIGITS_GF2X_ELEMENT] = {0}; - int is_L_full; - int isDFRok = 0; - - memset(&keys_expander, 0x00, sizeof(AES_XOF_struct)); - randombytes(sk->prng_seed, TRNG_BYTE_LENGTH); - PQCLEAN_LEDAKEMLT32_LEAKTIME_seedexpander_from_trng(&keys_expander, sk->prng_seed); - - sk->rejections = (uint8_t) 0; - do { - PQCLEAN_LEDAKEMLT32_LEAKTIME_generateHPosOnes(HPosOnes, &keys_expander); - PQCLEAN_LEDAKEMLT32_LEAKTIME_generateQPosOnes(QPosOnes, &keys_expander); - for (int i = 0; i < N0; i++) { - for (int j = 0; j < DV * M; j++) { - LPosOnes[i][j] = INVALID_POS_VALUE; - } - } - - memset(processedQOnes, 0x00, sizeof(processedQOnes)); - for (int colQ = 0; colQ < N0; colQ++) { - for (int i = 0; i < N0; i++) { - PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_mul_sparse(DV * M, auxPosOnes, - DV, HPosOnes[i], - qBlockWeights[i][colQ], QPosOnes[i] + processedQOnes[i]); - PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_add_sparse(DV * M, LPosOnes[colQ], - DV * M, LPosOnes[colQ], - DV * M, auxPosOnes); - processedQOnes[i] += qBlockWeights[i][colQ]; - } - } - is_L_full = 1; - for (size_t i = 0; i < N0; i++) { - is_L_full = is_L_full && (LPosOnes[i][DV * M - 1] != INVALID_POS_VALUE); - } - sk->rejections = sk->rejections + 1; - if (is_L_full) { - isDFRok = PQCLEAN_LEDAKEMLT32_LEAKTIME_DFR_test(LPosOnes, &(sk->secondIterThreshold)); - } - } while (!is_L_full || !isDFRok); - 
sk->rejections = sk->rejections - 1; - - PQCLEAN_LEDAKEMLT32_LEAKTIME_seedexpander(&keys_expander, - sk->decryption_failure_secret, - (unsigned long)TRNG_BYTE_LENGTH); - - for (size_t j = 0; j < DV * M; j++) { - if (LPosOnes[N0 - 1][j] != INVALID_POS_VALUE) { - PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_set_coeff(Ln0dense, LPosOnes[N0 - 1][j], 1); - } - } - - PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_inverse(Ln0Inv, Ln0dense); - for (size_t i = 0; i < N0 - 1; i++) { - PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_mul_dense_to_sparse(pk->Mtr + i * NUM_DIGITS_GF2X_ELEMENT, - Ln0Inv, - LPosOnes[i], - DV * M); - } - - for (size_t i = 0; i < N0 - 1; i++) { - PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_transpose_in_place(pk->Mtr + i * NUM_DIGITS_GF2X_ELEMENT); - } -} - -void PQCLEAN_LEDAKEMLT32_LEAKTIME_niederreiter_encrypt(DIGIT syndrome[], - const publicKeyNiederreiter_t *pk, - const DIGIT err[]) { - - DIGIT saux[NUM_DIGITS_GF2X_ELEMENT]; - - memset(syndrome, 0x00, NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B); - for (size_t i = 0; i < N0 - 1; i++) { - PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_mul(saux, - pk->Mtr + i * NUM_DIGITS_GF2X_ELEMENT, - err + i * NUM_DIGITS_GF2X_ELEMENT); - PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_add(syndrome, syndrome, saux); - - } - PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_add(syndrome, syndrome, err + (N0 - 1)*NUM_DIGITS_GF2X_ELEMENT); -} - -int PQCLEAN_LEDAKEMLT32_LEAKTIME_niederreiter_decrypt(DIGIT *err, const privateKeyNiederreiter_t *sk, const DIGIT *syndrome) { - AES_XOF_struct niederreiter_decrypt_expander; - POSITION_T HPosOnes[N0][DV]; - POSITION_T QPosOnes[N0][M]; - POSITION_T LPosOnes[N0][DV * M]; - POSITION_T auxPosOnes[DV * M]; - POSITION_T HtrPosOnes[N0][DV]; - POSITION_T QtrPosOnes[N0][M]; - POSITION_T auxSparse[DV * M]; - POSITION_T Ln0trSparse[DV * M]; - DIGIT err_computed[N0 * NUM_DIGITS_GF2X_ELEMENT] = {0}; - DIGIT err_mockup[N0 * NUM_DIGITS_GF2X_ELEMENT]; - DIGIT privateSyndrome[NUM_DIGITS_GF2X_ELEMENT]; - uint8_t processedQOnes[N0]; - int rejections = 
sk->rejections; - int decrypt_ok = 0; - int err_weight; - - PQCLEAN_LEDAKEMLT32_LEAKTIME_seedexpander_from_trng(&niederreiter_decrypt_expander, sk->prng_seed); - do { - PQCLEAN_LEDAKEMLT32_LEAKTIME_generateHPosOnes(HPosOnes, &niederreiter_decrypt_expander); - PQCLEAN_LEDAKEMLT32_LEAKTIME_generateQPosOnes(QPosOnes, &niederreiter_decrypt_expander); - - for (size_t i = 0; i < N0; i++) { - for (size_t j = 0; j < DV * M; j++) { - LPosOnes[i][j] = INVALID_POS_VALUE; - } - } - - memset(processedQOnes, 0x00, sizeof(processedQOnes)); - for (size_t colQ = 0; colQ < N0; colQ++) { - for (size_t i = 0; i < N0; i++) { - PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_mul_sparse(DV * M, auxPosOnes, - DV, HPosOnes[i], - qBlockWeights[i][colQ], QPosOnes[i] + processedQOnes[i]); - PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_add_sparse(DV * M, LPosOnes[colQ], - DV * M, LPosOnes[colQ], - DV * M, auxPosOnes); - processedQOnes[i] += qBlockWeights[i][colQ]; - } - } - rejections--; - } while (rejections >= 0); - - PQCLEAN_LEDAKEMLT32_LEAKTIME_transposeHPosOnes(HtrPosOnes, HPosOnes); - PQCLEAN_LEDAKEMLT32_LEAKTIME_transposeQPosOnes(QtrPosOnes, QPosOnes); - - for (size_t i = 0; i < DV * M; i++) { - Ln0trSparse[i] = INVALID_POS_VALUE; - auxSparse[i] = INVALID_POS_VALUE; - } - - for (size_t i = 0; i < N0; i++) { - PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_mul_sparse(DV * M, auxSparse, - DV, HPosOnes[i], - qBlockWeights[i][N0 - 1], &QPosOnes[i][M - qBlockWeights[i][N0 - 1]]); - PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_add_sparse(DV * M, Ln0trSparse, - DV * M, Ln0trSparse, - DV * M, auxSparse); - } - PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_transpose_in_place_sparse(DV * M, Ln0trSparse); - - PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_mul_dense_to_sparse(privateSyndrome, - syndrome, - Ln0trSparse, - DV * M); - - decrypt_ok = PQCLEAN_LEDAKEMLT32_LEAKTIME_bf_decoding(err_computed, - (const POSITION_T (*)[DV]) HtrPosOnes, - (const POSITION_T (*)[M]) QtrPosOnes, - privateSyndrome, sk->secondIterThreshold); - - err_weight = 0; - for 
(size_t i = 0 ; i < N0; i++) { - err_weight += PQCLEAN_LEDAKEMLT32_LEAKTIME_population_count(err_computed + (NUM_DIGITS_GF2X_ELEMENT * i)); - } - decrypt_ok = decrypt_ok && (err_weight == NUM_ERRORS_T); - - /* prepare mockup error vector in case a decoding failure occurs */ - memcpy(err_mockup, syndrome, NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B); - memcpy(err_mockup + NUM_DIGITS_GF2X_ELEMENT, sk->decryption_failure_secret, TRNG_BYTE_LENGTH); - memset(((unsigned char *) err_mockup) + (NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B) + TRNG_BYTE_LENGTH, 0x00, - (N0 - 1)*NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B - TRNG_BYTE_LENGTH); - - memcpy(err, err_computed, N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B); - - // Overwrite on decryption failure - PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_cmov(err, err_mockup, N0 * NUM_DIGITS_GF2X_ELEMENT, !decrypt_ok); - - return decrypt_ok; -} diff --git a/crypto_kem/ledakemlt32/leaktime/niederreiter.h b/crypto_kem/ledakemlt32/leaktime/niederreiter.h deleted file mode 100644 index e5497f92..00000000 --- a/crypto_kem/ledakemlt32/leaktime/niederreiter.h +++ /dev/null @@ -1,24 +0,0 @@ -#ifndef NIEDERREITER_H -#define NIEDERREITER_H - -#include "gf2x_arith_mod_xPplusOne.h" -#include "qc_ldpc_parameters.h" -#include "rng.h" - -typedef struct { - unsigned char prng_seed[TRNG_BYTE_LENGTH]; - uint8_t rejections; - uint8_t secondIterThreshold; - uint8_t decryption_failure_secret[TRNG_BYTE_LENGTH]; -} privateKeyNiederreiter_t; - -typedef struct { - DIGIT Mtr[(N0 - 1)*NUM_DIGITS_GF2X_ELEMENT]; -} publicKeyNiederreiter_t; - - -void PQCLEAN_LEDAKEMLT32_LEAKTIME_niederreiter_keygen(publicKeyNiederreiter_t *pk, privateKeyNiederreiter_t *sk); -void PQCLEAN_LEDAKEMLT32_LEAKTIME_niederreiter_encrypt(DIGIT syndrome[], const publicKeyNiederreiter_t *pk, const DIGIT err[]); -int PQCLEAN_LEDAKEMLT32_LEAKTIME_niederreiter_decrypt(DIGIT *err, const privateKeyNiederreiter_t *sk, const DIGIT *syndrome); - -#endif 
diff --git a/crypto_kem/ledakemlt32/leaktime/qc_ldpc_parameters.h b/crypto_kem/ledakemlt32/leaktime/qc_ldpc_parameters.h
deleted file mode 100644
index 5e58fcdc..00000000
--- a/crypto_kem/ledakemlt32/leaktime/qc_ldpc_parameters.h
+++ /dev/null
@@ -1,27 +0,0 @@
-#ifndef QC_LDPC_PARAMETERS_H
-#define QC_LDPC_PARAMETERS_H
-
-#include "fips202.h"
-
-#define TRNG_BYTE_LENGTH (32)
-#define HASH_BYTE_LENGTH (48)
-#define HASH_FUNCTION sha3_384
-
-#define N0 (2)
-#define P (96221) // modulus(x) = x^P-1
-#define DV (11) // odd number
-#define M (11)
-#define M0 (6)
-#define M1 (5)
-#define NUM_ERRORS_T (199)
-
-// Derived parameters, they are useful for QC-LDPC algorithms
-#define HASH_BIT_LENGTH (HASH_BYTE_LENGTH << 3)
-#define K ((N0-1)*P)
-#define N (N0*P)
-#define DC (N0*DV)
-
-#define Q_BLOCK_WEIGHTS {{M0,M1},{M1,M0}}
-static const unsigned char qBlockWeights[N0][N0] = Q_BLOCK_WEIGHTS;
-
-#endif
diff --git a/crypto_kem/ledakemlt32/leaktime/rng.c b/crypto_kem/ledakemlt32/leaktime/rng.c
deleted file mode 100644
index 73ed0783..00000000
--- a/crypto_kem/ledakemlt32/leaktime/rng.c
+++ /dev/null
@@ -1,110 +0,0 @@ -#include "rng.h" - -#include // void *memset(void *s, int c, size_t n); - -#include "aes.h" -#include "qc_ldpc_parameters.h" - -/* - seedexpander_init() - ctx - stores the current state of an instance of the seed expander - seed - a 32 byte random value - diversifier - an 8 byte diversifier - maxlen - maximum number of bytes (less than 2**32) generated under this seed and diversifier - */ -static void seedexpander_init(AES_XOF_struct *ctx, - uint8_t *seed, - uint8_t *diversifier, - size_t maxlen) { - - ctx->length_remaining = maxlen; - - memset(ctx->key, 0, 32); - int max_accessible_seed_len = TRNG_BYTE_LENGTH < 32 ? 32 : TRNG_BYTE_LENGTH; - memcpy(ctx->key, seed, max_accessible_seed_len); - - memcpy(ctx->ctr, diversifier, 8); - ctx->ctr[11] = maxlen % 256; - maxlen >>= 8; - ctx->ctr[10] = maxlen % 256; - maxlen >>= 8; - ctx->ctr[9] = maxlen % 256; - maxlen >>= 8; - ctx->ctr[8] = maxlen % 256; - memset(ctx->ctr + 12, 0x00, 4); - - ctx->buffer_pos = 16; - memset(ctx->buffer, 0x00, 16); -} - -void PQCLEAN_LEDAKEMLT32_LEAKTIME_seedexpander_from_trng(AES_XOF_struct *ctx, - const uint8_t *trng_entropy - /* TRNG_BYTE_LENGTH wide buffer */) { - - /*the NIST seedexpander will however access 32B from this buffer */ - unsigned int prng_buffer_size = TRNG_BYTE_LENGTH < 32 ? 32 : TRNG_BYTE_LENGTH; - uint8_t prng_buffer[TRNG_BYTE_LENGTH < 32 ? 32 : TRNG_BYTE_LENGTH] = {0x00}; - uint8_t diversifier[8] = {0}; - - memcpy(prng_buffer, - trng_entropy, - TRNG_BYTE_LENGTH < prng_buffer_size ? 
TRNG_BYTE_LENGTH : prng_buffer_size); - - /* the required seed expansion will be quite small, set the max number of - * bytes conservatively to 10 MiB*/ - seedexpander_init(ctx, prng_buffer, diversifier, RNG_MAXLEN); -} - -/* - seedexpander() - ctx - stores the current state of an instance of the seed expander - x - returns the XOF data - xlen - number of bytes to return - */ -int PQCLEAN_LEDAKEMLT32_LEAKTIME_seedexpander(AES_XOF_struct *ctx, uint8_t *x, size_t xlen) { - size_t offset; - aes256ctx ctx256; - - if ( x == NULL ) { - return RNG_BAD_OUTBUF; - } - if ( xlen >= ctx->length_remaining ) { - return RNG_BAD_REQ_LEN; - } - - aes256_ecb_keyexp(&ctx256, ctx->key); - ctx->length_remaining -= xlen; - - offset = 0; - while ( xlen > 0 ) { - if ( xlen <= (16 - ctx->buffer_pos) ) { // buffer has what we need - memcpy(x + offset, ctx->buffer + ctx->buffer_pos, xlen); - ctx->buffer_pos += xlen; - - goto end; - } - - // take what's in the buffer - memcpy(x + offset, ctx->buffer + ctx->buffer_pos, 16 - ctx->buffer_pos); - xlen -= 16 - ctx->buffer_pos; - offset += 16 - ctx->buffer_pos; - - aes256_ecb(ctx->buffer, ctx->ctr, 16 / AES_BLOCKBYTES, &ctx256); - ctx->buffer_pos = 0; - - //increment the counter - for (int i = 15; i >= 12; i--) { - if ( ctx->ctr[i] == 0xff ) { - ctx->ctr[i] = 0x00; - } else { - ctx->ctr[i]++; - break; - } - } - - } -end: - aes256_ctx_release(&ctx256); - - return RNG_SUCCESS; -} diff --git a/crypto_kem/ledakemlt32/leaktime/rng.h b/crypto_kem/ledakemlt32/leaktime/rng.h deleted file mode 100644 index dbff0366..00000000 --- a/crypto_kem/ledakemlt32/leaktime/rng.h +++ /dev/null 
@@ -1,24 +0,0 @@
-#ifndef RNG_H
-#define RNG_H
-
-#include
-#include
-
-#define RNG_SUCCESS ( 0)
-#define RNG_BAD_MAXLEN (-1)
-#define RNG_BAD_OUTBUF (-2)
-#define RNG_BAD_REQ_LEN (-3)
-#define RNG_MAXLEN (10 * 1024 * 1024)
-
-typedef struct {
- unsigned char buffer[16];
- size_t buffer_pos;
- size_t length_remaining;
- unsigned char key[32];
- unsigned char ctr[16];
-} AES_XOF_struct;
-
-int PQCLEAN_LEDAKEMLT32_LEAKTIME_seedexpander(AES_XOF_struct *ctx, unsigned char *x, size_t xlen);
-void PQCLEAN_LEDAKEMLT32_LEAKTIME_seedexpander_from_trng(AES_XOF_struct *ctx, const unsigned char *trng_entropy);
-
-#endif
diff --git a/crypto_kem/ledakemlt32/leaktime/sort.c b/crypto_kem/ledakemlt32/leaktime/sort.c
deleted file mode 100644
index d3b4a158..00000000
--- a/crypto_kem/ledakemlt32/leaktime/sort.c
+++ /dev/null
@@ -1,98 +0,0 @@ -#include "sort.h" - -/* - Constant-time uint32_t sorting by Daniel J. Bernstein - Source: https://sorting.cr.yp.to -*/ - -#define int32_MINMAX(a,b) \ - do { \ - int32 ab = (b) ^ (a); \ - int32 c = (b) - (a); \ - c ^= ab & (c ^ (b)); \ - c >>= 31; \ - c &= ab; \ - (a) ^= c; \ - (b) ^= c; \ - } while(0) - -static void int32_sort(int32 *x, size_t n) { - size_t top, p, q, r, i, j; - - if (n < 2) { - return; - } - top = 1; - while (top < n - top) { - top += top; - } - - for (p = top; p >= 1; p >>= 1) { - i = 0; - while (i + 2 * p <= n) { - for (j = i; j < i + p; ++j) { - int32_MINMAX(x[j], x[j + p]); - } - i += 2 * p; - } - for (j = i; j < n - p; ++j) { - int32_MINMAX(x[j], x[j + p]); - } - - i = 0; - j = 0; - for (q = top; q > p; q >>= 1) { - if (j != i) { - for (;;) { - if (j == n - q) { - goto done; - } - int32 a = x[j + p]; - for (r = q; r > p; r >>= 1) { - int32_MINMAX(a, x[j + r]); - } - x[j + p] = a; - ++j; - if (j == i + p) { - i += 2 * p; - break; - } - } - } - while (i + p <= n - q) { - for (j = i; j < i + p; ++j) { - int32 a = x[j + p]; - for (r = q; r > p; r >>= 1) { - int32_MINMAX(a, x[j + r]); - } - x[j + p] = a; - } - i += 2 * p; - } - /* now i + p > n - q */ - j = i; - while (j < n - q) { - int32 a = x[j + p]; - for (r = q; r > p; r >>= 1) { - int32_MINMAX(a, x[j + r]); - } - x[j + p] = a; - ++j; - } -done: - ; - } - } -} - -/* can save time by integrating xor loops with int32_sort */ -void PQCLEAN_LEDAKEMLT32_LEAKTIME_uint32_sort(uint32_t *x, size_t n) { - size_t j; - for (j = 0; j < n; ++j) { - x[j] ^= 0x80000000; - } - int32_sort((int32_t *) x, n); - for (j = 0; j < n; ++j) { - x[j] ^= 0x80000000; - } -} diff --git a/crypto_kem/ledakemlt32/leaktime/sort.h b/crypto_kem/ledakemlt32/leaktime/sort.h deleted file mode 100644 index a17e2c49..00000000 --- a/crypto_kem/ledakemlt32/leaktime/sort.h +++ /dev/null 
@@ -1,11 +0,0 @@
-#ifndef SORT_H
-#define SORT_H
-
-#include
-#include
-
-#define int32 int32_t
-
-void PQCLEAN_LEDAKEMLT32_LEAKTIME_uint32_sort(uint32_t *x, size_t n);
-
-#endif
diff --git a/crypto_kem/ledakemlt32/leaktime/utils.c b/crypto_kem/ledakemlt32/leaktime/utils.c
deleted file mode 100644
index 5bbbdaff..00000000
--- a/crypto_kem/ledakemlt32/leaktime/utils.c
+++ /dev/null
@@ -1,21 +0,0 @@
-#include "gf2x_arith.h"
-#include "utils.h"
-
-/* compares DIGIT sequences, returns 0 if they are equal */
-int PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_verify(const DIGIT *a, const DIGIT *b, size_t len) {
- DIGIT x = 0;
- for (size_t i = 0; i < len; i++) {
- x |= a[i] ^ b[i];
- }
- x = (~x) + 1;
- x >>= (DIGIT_SIZE_b - 1);
- return (int)x;
-}
-
-/* conditionally move a into r if cond */
-void PQCLEAN_LEDAKEMLT32_LEAKTIME_cmov(uint8_t *r, const uint8_t *a, size_t len, int cond) {
- uint8_t mask = (uint8_t)(-cond);
- for (size_t i = 0; i < len; i++) {
- r[i] ^= mask & (r[i] ^ a[i]);
- }
-}
diff --git a/crypto_kem/ledakemlt32/leaktime/utils.h b/crypto_kem/ledakemlt32/leaktime/utils.h
deleted file mode 100644
index df31a8b8..00000000
--- a/crypto_kem/ledakemlt32/leaktime/utils.h
+++ /dev/null
@@ -1,9 +0,0 @@
-#ifndef UTILS_H
-#define UTILS_H
-
-#include
-
-int PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_verify(const DIGIT *a, const DIGIT *b, size_t len);
-void PQCLEAN_LEDAKEMLT32_LEAKTIME_cmov(uint8_t *r, const uint8_t *a, size_t len, int cond);
-
-#endif
diff --git a/crypto_kem/ledakemlt52/META.yml b/crypto_kem/ledakemlt52/META.yml
deleted file mode 100644
index cd423afb..00000000
--- a/crypto_kem/ledakemlt52/META.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-name: LEDAKEMLT52
-type: kem
-claimed-nist-level: 5
-claimed-security: IND-CCA2
-length-public-key: 19040
-length-secret-key: 82
-length-ciphertext: 19080
-length-shared-secret: 64
-nistkat-sha256: 7a8d7c623bd3a8935861ec088e77a6701a254ac521d5e5150dc4537df4da8fd5
-principal-submitters:
- - Marco Baldi
-auxiliary-submitters:
- - Alessandro Barenghi
- - Franco Chiaraluce
- - Gerardo Pelosi
- - Paolo Santini
-implementations:
- - name: leaktime
- version: 2.1
diff --git a/crypto_kem/ledakemlt52/leaktime/H_Q_matrices_generation.c b/crypto_kem/ledakemlt52/leaktime/H_Q_matrices_generation.c
deleted file mode 100644
index 4706578b..00000000
--- a/crypto_kem/ledakemlt52/leaktime/H_Q_matrices_generation.c
+++ /dev/null
@@ -1,52 +0,0 @@ -#include "H_Q_matrices_generation.h" -#include "gf2x_arith_mod_xPplusOne.h" - -void PQCLEAN_LEDAKEMLT52_LEAKTIME_generateHPosOnes(POSITION_T HPosOnes[N0][DV], AES_XOF_struct *keys_expander) { - for (size_t i = 0; i < N0; i++) { - /* Generate a random block of Htr */ - PQCLEAN_LEDAKEMLT52_LEAKTIME_rand_circulant_sparse_block(&HPosOnes[i][0], DV, keys_expander); - } -} - -void PQCLEAN_LEDAKEMLT52_LEAKTIME_generateQPosOnes(POSITION_T QPosOnes[N0][M], AES_XOF_struct *keys_expander) { - size_t placed_ones; - - for (size_t i = 0; i < N0; i++) { - placed_ones = 0; - for (size_t j = 0; j < N0; j++) { - PQCLEAN_LEDAKEMLT52_LEAKTIME_rand_circulant_sparse_block(&QPosOnes[i][placed_ones], - qBlockWeights[i][j], - keys_expander); - placed_ones += qBlockWeights[i][j]; - } - } -} - -void PQCLEAN_LEDAKEMLT52_LEAKTIME_transposeHPosOnes(POSITION_T HtrPosOnes[N0][DV], POSITION_T HPosOnes[N0][DV]) { - for (size_t i = 0; i < N0; i++) { - /* Obtain directly the sparse representation of the block of H */ - for (size_t k = 0; k < DV; k++) { - HtrPosOnes[i][k] = (P - HPosOnes[i][k]) % P; /* transposes indexes */ - } - } -} - -void PQCLEAN_LEDAKEMLT52_LEAKTIME_transposeQPosOnes(POSITION_T QtrPosOnes[N0][M], POSITION_T QPosOnes[N0][M]) { - POSITION_T transposed_ones_idx[N0] = {0x00}; - size_t currQoneIdx, endQblockIdx; - - for (size_t source_row_idx = 0; source_row_idx < N0 ; source_row_idx++) { - currQoneIdx = 0; // position in the column of QtrPosOnes[][...] - endQblockIdx = 0; - for (int blockIdx = 0; blockIdx < N0; blockIdx++) { - endQblockIdx += qBlockWeights[source_row_idx][blockIdx]; - for (; currQoneIdx < endQblockIdx; currQoneIdx++) { - QtrPosOnes[blockIdx][transposed_ones_idx[blockIdx]] = - (P - QPosOnes[source_row_idx][currQoneIdx]) % P; - transposed_ones_idx[blockIdx]++; - } - } - } -} - - 
diff --git a/crypto_kem/ledakemlt52/leaktime/H_Q_matrices_generation.h b/crypto_kem/ledakemlt52/leaktime/H_Q_matrices_generation.h
deleted file mode 100644
index b207eef3..00000000
--- a/crypto_kem/ledakemlt52/leaktime/H_Q_matrices_generation.h
+++ /dev/null
@@ -1,13 +0,0 @@
-#ifndef H_Q_MATRICES_GENERATION_H
-#define H_Q_MATRICES_GENERATION_H
-
-#include "gf2x_arith.h"
-#include "qc_ldpc_parameters.h"
-#include "rng.h"
-
-void PQCLEAN_LEDAKEMLT52_LEAKTIME_generateHPosOnes(POSITION_T HPosOnes[N0][DV], AES_XOF_struct *keys_expander);
-void PQCLEAN_LEDAKEMLT52_LEAKTIME_generateQPosOnes(POSITION_T QPosOnes[N0][M], AES_XOF_struct *keys_expander);
-void PQCLEAN_LEDAKEMLT52_LEAKTIME_transposeHPosOnes(POSITION_T HtrPosOnes[N0][DV], POSITION_T HPosOnes[N0][DV]);
-void PQCLEAN_LEDAKEMLT52_LEAKTIME_transposeQPosOnes(POSITION_T QtrPosOnes[N0][M], POSITION_T QPosOnes[N0][M]);
-
-#endif
diff --git a/crypto_kem/ledakemlt52/leaktime/LICENSE b/crypto_kem/ledakemlt52/leaktime/LICENSE
deleted file mode 100644
index c1761078..00000000
--- a/crypto_kem/ledakemlt52/leaktime/LICENSE
+++ /dev/null
@@ -1,31 +0,0 @@
-/**
- *
- * LEDAcryptKEM
- *
- * @version 2.0 (March 2019)
- *
- * Adapted code from reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher.
- *
- * In alphabetical order:
- *
- * @author Marco Baldi
- * @author Alessandro Barenghi
- * @author Franco Chiaraluce
- * @author Gerardo Pelosi
- * @author Paolo Santini
- *
- * This code is hereby placed in the public domain.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
- * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
- * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
- * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
- * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- **/
diff --git a/crypto_kem/ledakemlt52/leaktime/Makefile b/crypto_kem/ledakemlt52/leaktime/Makefile
deleted file mode 100644
index 7ef80889..00000000
--- a/crypto_kem/ledakemlt52/leaktime/Makefile
+++ /dev/null
@@ -1,24 +0,0 @@
-# This Makefile can be used with GNU Make or BSD Make
-
-LIB=libledakemlt52_leaktime.a
-HEADERS=api.h bf_decoding.h dfr_test.h gf2x_arith_mod_xPplusOne.h \
- gf2x_arith.h H_Q_matrices_generation.h \
- niederreiter.h qc_ldpc_parameters.h rng.h sort.h utils.h
-
-OBJECTS=bf_decoding.o dfr_test.o gf2x_arith_mod_xPplusOne.o \
- gf2x_arith.o H_Q_matrices_generation.o kem.o niederreiter.o rng.o sort.o utils.o
-
-CFLAGS=-O3 -Wall -Werror -Wextra -Wvla -Wpedantic -Wmissing-prototypes -std=c99 \
- -I../../../common $(EXTRAFLAGS)
-
-all: $(LIB)
-
-%.o: %.c $(HEADERS)
- $(CC) $(CFLAGS) -c -o $@ $<
-
-$(LIB): $(OBJECTS)
- $(AR) -r $@ $(OBJECTS)
-
-clean:
- $(RM) $(OBJECTS)
- $(RM) $(LIB)
diff --git a/crypto_kem/ledakemlt52/leaktime/Makefile.Microsoft_nmake b/crypto_kem/ledakemlt52/leaktime/Makefile.Microsoft_nmake
deleted file mode 100644
index e7df6f2a..00000000
--- a/crypto_kem/ledakemlt52/leaktime/Makefile.Microsoft_nmake
+++ /dev/null
@@ -1,19 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=libledakemlt52_leaktime.lib
-OBJECTS=bf_decoding.obj dfr_test.obj gf2x_arith_mod_xPplusOne.obj gf2x_arith.obj H_Q_matrices_generation.obj kem.obj niederreiter.obj rng.obj sort.obj utils.obj
-
-CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_kem/ledakemlt52/leaktime/api.h b/crypto_kem/ledakemlt52/leaktime/api.h
deleted file mode 100644
index 2943fba1..00000000
--- a/crypto_kem/ledakemlt52/leaktime/api.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef PQCLEAN_LEDAKEMLT52_LEAKTIME_API_H
-#define PQCLEAN_LEDAKEMLT52_LEAKTIME_API_H
-
-#include
-
-#define PQCLEAN_LEDAKEMLT52_LEAKTIME_CRYPTO_SECRETKEYBYTES 82
-#define PQCLEAN_LEDAKEMLT52_LEAKTIME_CRYPTO_PUBLICKEYBYTES 19040
-#define PQCLEAN_LEDAKEMLT52_LEAKTIME_CRYPTO_CIPHERTEXTBYTES 19080
-#define PQCLEAN_LEDAKEMLT52_LEAKTIME_CRYPTO_BYTES 64
-
-#define PQCLEAN_LEDAKEMLT52_LEAKTIME_CRYPTO_ALGNAME "LEDAKEMLT52"
-
-int PQCLEAN_LEDAKEMLT52_LEAKTIME_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
-int PQCLEAN_LEDAKEMLT52_LEAKTIME_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int PQCLEAN_LEDAKEMLT52_LEAKTIME_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
-
-#endif
diff --git a/crypto_kem/ledakemlt52/leaktime/bf_decoding.c b/crypto_kem/ledakemlt52/leaktime/bf_decoding.c
deleted file mode 100644
index 3b6878d0..00000000
--- a/crypto_kem/ledakemlt52/leaktime/bf_decoding.c
+++ /dev/null
@@ -1,79 +0,0 @@ -#include "bf_decoding.h" -#include "gf2x_arith_mod_xPplusOne.h" - -#include - -int PQCLEAN_LEDAKEMLT52_LEAKTIME_bf_decoding(DIGIT err[], - const POSITION_T HtrPosOnes[N0][DV], - const POSITION_T QtrPosOnes[N0][M], - DIGIT privateSyndrome[], - uint8_t secondIterThreshold) { - - DIGIT currSyndrome[NUM_DIGITS_GF2X_ELEMENT]; - uint8_t unsatParityChecks[N0 * P]; - POSITION_T currQBlkPos[M], currQBitPos[M]; - POSITION_T syndromePosToFlip, tmp; - uint32_t correlation, corrt_syndrome_based; - size_t currQoneIdx, endQblockIdx, currblockoffset; - int check; - int iteration = 0; - - do { - PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_copy(currSyndrome, privateSyndrome); - memset(unsatParityChecks, 0x00, N0 * P * sizeof(uint8_t)); - for (size_t i = 0; i < N0; i++) { - for (POSITION_T valueIdx = 0; valueIdx < P; valueIdx++) { - for (size_t HtrOneIdx = 0; HtrOneIdx < DV; HtrOneIdx++) { - tmp = (HtrPosOnes[i][HtrOneIdx] + valueIdx) >= P ? - (HtrPosOnes[i][HtrOneIdx] + valueIdx) - P : - (HtrPosOnes[i][HtrOneIdx] + valueIdx); - if (PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_get_coeff(currSyndrome, tmp)) { - unsatParityChecks[i * P + valueIdx]++; - } - } - } - } - - /* iteration based threshold determination*/ - corrt_syndrome_based = iteration * secondIterThreshold + (1 - iteration) * B0; - - // Computation of correlation with a full Q matrix - for (size_t i = 0; i < N0; i++) { - for (POSITION_T j = 0; j < P; j++) { - currQoneIdx = endQblockIdx = 0; - correlation = 0; - - for (size_t blockIdx = 0; blockIdx < N0; blockIdx++) { - endQblockIdx += qBlockWeights[blockIdx][i]; - currblockoffset = blockIdx * P; - for (; currQoneIdx < endQblockIdx; currQoneIdx++) { - tmp = QtrPosOnes[i][currQoneIdx] + j; - tmp = tmp >= P ? 
tmp - P : tmp; - currQBitPos[currQoneIdx] = tmp; - currQBlkPos[currQoneIdx] = (POSITION_T)blockIdx; - correlation += unsatParityChecks[tmp + currblockoffset]; - } - } - - /* Correlation based flipping */ - if (correlation >= corrt_syndrome_based) { - PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_toggle_coeff(err + NUM_DIGITS_GF2X_ELEMENT * i, j); - for (size_t v = 0; v < M; v++) { - for (size_t HtrOneIdx = 0; HtrOneIdx < DV; HtrOneIdx++) { - syndromePosToFlip = (HtrPosOnes[currQBlkPos[v]][HtrOneIdx] + currQBitPos[v]); - syndromePosToFlip = syndromePosToFlip >= P ? syndromePosToFlip - P : syndromePosToFlip; - PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_toggle_coeff(privateSyndrome, syndromePosToFlip); - } - } // end for v - } // end if - } // end for j - } // end for i - - iteration = iteration + 1; - check = 0; - while (check < NUM_DIGITS_GF2X_ELEMENT && privateSyndrome[check++] == 0) {}; - - } while (iteration < ITERATIONS_MAX && check < NUM_DIGITS_GF2X_ELEMENT); - - return (check == NUM_DIGITS_GF2X_ELEMENT); -} diff --git a/crypto_kem/ledakemlt52/leaktime/bf_decoding.h b/crypto_kem/ledakemlt52/leaktime/bf_decoding.h deleted file mode 100644 index 0b391c48..00000000 --- a/crypto_kem/ledakemlt52/leaktime/bf_decoding.h +++ /dev/null @@ -1,18 +0,0 @@ -#ifndef BF_DECODING_H -#define BF_DECODING_H - -#include "gf2x_arith.h" -#include "qc_ldpc_parameters.h" - -/* Definitions for DFR level 2^-SL with SL=128 */ -#define ITERATIONS_MAX (2) -#define B0 (88) -#define T_BAR (6) - -int PQCLEAN_LEDAKEMLT52_LEAKTIME_bf_decoding(DIGIT err[], - const POSITION_T HtrPosOnes[N0][DV], - const POSITION_T QtrPosOnes[N0][M], - DIGIT privateSyndrome[], - uint8_t threshold); - -#endif diff --git a/crypto_kem/ledakemlt52/leaktime/dfr_test.c b/crypto_kem/ledakemlt52/leaktime/dfr_test.c deleted file mode 100644 index abb80238..00000000 --- a/crypto_kem/ledakemlt52/leaktime/dfr_test.c +++ /dev/null 
@@ -1,88 +0,0 @@ -#include "bf_decoding.h" -#include "dfr_test.h" -#include "gf2x_arith_mod_xPplusOne.h" -#include "qc_ldpc_parameters.h" -#include "sort.h" - -#include - - -int PQCLEAN_LEDAKEMLT52_LEAKTIME_DFR_test(POSITION_T LSparse[N0][DV * M], uint8_t *secondIterThreshold) { - - POSITION_T LSparse_loc[N0][DV * M]; /* vector of N_0 sparse blocks */ - uint8_t gamma[N0][N0][P] = {{{0}}}; - uint32_t gammaHist[N0][DV * M + 1] = {{0}}; - size_t maxMut[N0], maxMutMinusOne[N0]; - size_t allBlockMaxSumst, allBlockMaxSumstMinusOne; - size_t histIdx, toAdd; - - for (size_t i = 0; i < N0; i++) { - for (size_t j = 0; j < DV * M; j++) { - if (LSparse[i][j] != 0) { - LSparse_loc[i][j] = (P - LSparse[i][j]); - } - } - PQCLEAN_LEDAKEMLT52_LEAKTIME_uint32_sort(LSparse_loc[i], DV * M); - } - - - for (size_t i = 0; i < N0; i++ ) { - for (size_t j = 0; j < N0; j++) { - for (size_t k = 0; k < (DV * M); k++) { - for (size_t l = 0; l < (DV * M); l++) { - gamma[i][j][(P + LSparse_loc[i][k] - LSparse_loc[j][l]) % P]++; - } - } - } - } - - for (size_t i = 0; i < N0; i++ ) { - for (size_t j = 0; j < N0; j++ ) { - gamma[i][j][0] = 0; - } - } - - /* build histogram of values in gamma */ - for (size_t i = 0; i < N0; i++ ) { - for (size_t j = 0; j < N0; j++ ) { - for (size_t k = 0; k < P; k++) { - gammaHist[i][gamma[i][j][k]]++; - } - } - } - - - for (size_t gammaBlockRowIdx = 0; gammaBlockRowIdx < N0; gammaBlockRowIdx++) { - maxMutMinusOne[gammaBlockRowIdx] = 0; - histIdx = DV * M; - toAdd = T_BAR - 1; - while ( (histIdx > 0) && (toAdd > 0)) { - if (gammaHist[gammaBlockRowIdx][histIdx] > toAdd ) { - maxMutMinusOne[gammaBlockRowIdx] += histIdx * toAdd; - toAdd = 0; - } else { - maxMutMinusOne[gammaBlockRowIdx] += histIdx * gammaHist[gammaBlockRowIdx][histIdx]; - toAdd -= gammaHist[gammaBlockRowIdx][histIdx]; - histIdx--; - } - } - maxMut[gammaBlockRowIdx] = histIdx + maxMutMinusOne[gammaBlockRowIdx]; - } - - /*seek max values across all gamma blocks */ - allBlockMaxSumst = maxMut[0]; - 
allBlockMaxSumstMinusOne = maxMutMinusOne[0]; - for (size_t gammaBlockRowIdx = 0; gammaBlockRowIdx < N0; gammaBlockRowIdx++) { - allBlockMaxSumst = allBlockMaxSumst < maxMut[gammaBlockRowIdx] ? - maxMut[gammaBlockRowIdx] : - allBlockMaxSumst; - allBlockMaxSumstMinusOne = allBlockMaxSumstMinusOne < maxMutMinusOne[gammaBlockRowIdx] ? - maxMutMinusOne[gammaBlockRowIdx] : - allBlockMaxSumstMinusOne; - } - if (DV * M > (allBlockMaxSumstMinusOne + allBlockMaxSumst)) { - *secondIterThreshold = (uint8_t) (allBlockMaxSumst + 1); - return 1; - } - return 0; -} diff --git a/crypto_kem/ledakemlt52/leaktime/dfr_test.h b/crypto_kem/ledakemlt52/leaktime/dfr_test.h deleted file mode 100644 index c8dfd86a..00000000 --- a/crypto_kem/ledakemlt52/leaktime/dfr_test.h +++ /dev/null @@ -1,6 +0,0 @@ -#ifndef DFR_TEST_H -#define DFR_TEST_H - -int PQCLEAN_LEDAKEMLT52_LEAKTIME_DFR_test(POSITION_T LSparse[N0][DV * M], uint8_t *secondIterThreshold); - -#endif diff --git a/crypto_kem/ledakemlt52/leaktime/gf2x_arith.c b/crypto_kem/ledakemlt52/leaktime/gf2x_arith.c deleted file mode 100644 index 8daf4665..00000000 --- a/crypto_kem/ledakemlt52/leaktime/gf2x_arith.c +++ /dev/null 
@@ -1,252 +0,0 @@ -#include "gf2x_arith.h" - -#include // memset(...) - -void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_add(DIGIT Res[], const DIGIT A[], const DIGIT B[], size_t n) { - for (size_t i = 0; i < n; i++) { - Res[i] = A[i] ^ B[i]; - } -} - -/* copies len digits from a to r if b == 1 */ -void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_cmov(DIGIT *r, const DIGIT *a, size_t len, int c) { - DIGIT mask = (DIGIT)(-c); - for (size_t i = 0; i < len; i++) { - r[i] ^= mask & (a[i] ^ r[i]); - } -} - -/* PRE: MAX ALLOWED ROTATION AMOUNT : DIGIT_SIZE_b */ -void PQCLEAN_LEDAKEMLT52_LEAKTIME_right_bit_shift_n(size_t length, DIGIT in[], size_t amount) { - if ( amount == 0 ) { - return; - } - size_t j; - DIGIT mask; - mask = ((DIGIT)0x01 << amount) - 1; - for (j = length - 1; j > 0; j--) { - in[j] >>= amount; - in[j] |= (in[j - 1] & mask) << (DIGIT_SIZE_b - amount); - } - in[j] >>= amount; -} - -/* PRE: MAX ALLOWED ROTATION AMOUNT : DIGIT_SIZE_b */ -void PQCLEAN_LEDAKEMLT52_LEAKTIME_left_bit_shift_n(size_t length, DIGIT in[], size_t amount) { - if ( amount == 0 ) { - return; - } - size_t j; - DIGIT mask; - mask = ~(((DIGIT)0x01 << (DIGIT_SIZE_b - amount)) - 1); - for (j = 0 ; j < length - 1; j++) { - in[j] <<= amount; - in[j] |= (in[j + 1] & mask) >> (DIGIT_SIZE_b - amount); - } - in[j] <<= amount; -} - - -static void gf2x_mul1(DIGIT *R, const DIGIT A, const DIGIT B) { - DIGIT tmp; - - R[0] = 0; - R[1] = (A & 1) * B; - for (uint8_t i = 1; i < DIGIT_SIZE_b; i++) { - tmp = ((A >> i) & 1) * B; - R[1] ^= tmp << i; - R[0] ^= tmp >> (DIGIT_SIZE_b - i); - } -} - -static void gf2x_mul_n(DIGIT *R, const DIGIT *A, const DIGIT *B, size_t n) { - DIGIT tmp[2]; - - memset(R, 0x00, 2 * n * sizeof(DIGIT)); - for (size_t i = 0; i < n; i++) { - for (size_t j = 0; j < n; j++) { - gf2x_mul1(tmp, A[i], B[j]); - R[i + j] ^= tmp[0]; - R[i + j + 1] ^= tmp[1]; - } - } -} - -static void gf2x_cpy(DIGIT *R, const DIGIT *A, size_t len) { - for (size_t i = 0; i < len; i++) { - R[i] = A[i]; - } -} - -/* Accumulate */ 
-#define gf2x_add(R, A, B, n) PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_add(R, A, B, n) -#define gf2x_acc(R, B, n) PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_add(R, R, B, n) - -/* allows the operands to be of different size - * first operand must be the bigger one. - * aligns last array elements */ -static inline void gf2x_add_asymm(DIGIT *R, - size_t na, const DIGIT *A, - size_t nb, const DIGIT *B) { - size_t delta = na - nb; - gf2x_cpy(R, A, delta); - gf2x_add(R + delta, A + delta, B, nb);; -} - -/* aligns first array elements */ -static inline void gf2x_add_asymm2(DIGIT *R, - size_t na, const DIGIT *A, - size_t nb, const DIGIT *B) { - size_t delta = na - nb; - gf2x_add(R, A, B, nb); - gf2x_cpy(R + nb, A + nb, delta); -} - -/* Karatsuba with lowered space complexity - * T(n) = 3 * ceil(n/2) + T(ceil(n / 2)) */ -static void gf2x_mul_kar(DIGIT *R, - const DIGIT *A, - const DIGIT *B, - size_t n, - DIGIT *stack) { - - if (n < MIN_KAR_DIGITS) { - gf2x_mul_n(R, A, B, n); - return; - } - - size_t l = (n + 1) / 2; // limb size = ceil(n / 2) - size_t d = n & 1; - - const DIGIT *a1 = A; // length n - d - const DIGIT *a0 = A + l - d; // length n - const DIGIT *b1 = B; - const DIGIT *b0 = B + l - d; - - DIGIT *aa = stack; - DIGIT *bb = aa + l; - DIGIT *cc = bb + l; - stack = cc + l; // 3l space requirement at each level - - DIGIT *c3 = R + l - 2 * d; - DIGIT *c2 = c3 + l; - DIGIT *c1 = c2 + l; - - gf2x_mul_kar(c2, a0, b0, l, stack); // L in low part of R - gf2x_mul_kar(R, a1, b1, l - d, stack); // H in higher part of R - gf2x_add_asymm(aa, l, a0, l - d, a1); // AH + AL - gf2x_add_asymm(bb, l, b0, l - d, b1); // BH + BL - gf2x_add(cc, c3, c2, l); // HL + LH in cc - gf2x_mul_kar(c3, aa, bb, l, stack); // M = (AH + AL) x (BH + BL) - gf2x_add_asymm(c3, l, c3, l - 2 * d, R); // add HH - gf2x_acc(c2, c1, l); // add LL - gf2x_acc(c3, cc, l); // add HL + LH - gf2x_acc(c2, cc, l); // add HL + LH -} - -static void gf2x_div_w_plus_one(DIGIT *A, size_t n) { - size_t i; - for (i = 0; i < n - 2; i++) { - 
A[i + 1] ^= A[i]; // runs n - 2 times - } -} - -static void gf2x_shift_left_w(DIGIT *A, size_t n) { - size_t i; - for (i = 0; i < n - 1; i++) { - A[i] = A[i + 1]; - } - A[i] = 0; -} - -/* Word-aligned Toom-Cook 3, source: - * Brent, Richard P., et al. "Faster multiplication in GF (2)[x]." - * International Algorithmic Number Theory Symposium. - * Springer, Berlin, Heidelberg, 2008. */ -static void gf2x_mul_tc3w(DIGIT *R, - const DIGIT *A, - const DIGIT *B, - size_t n, - DIGIT *stack) { - - if (n < MIN_TOOM_DIGITS) { - gf2x_mul_kar(R, A, B, n, stack); - return; - } - - size_t l = (n + 2) / 3; // size of a0, a1, b0, b1 - size_t r = n - 2 * l; // remaining sizes (a2, b2) - size_t x = 2 * l + 4; // size of c1, c2, c3, c4 - size_t z = r + 2 > l + 1 ? r + 2 : l + 1; // size of c5 - - const DIGIT *a0 = A; - const DIGIT *a1 = A + l; - const DIGIT *a2 = A + 2 * l; - const DIGIT *b0 = B; - const DIGIT *b1 = B + l; - const DIGIT *b2 = B + 2 * l; - - DIGIT *c0 = R; // c0 and c4 in the result - DIGIT *c4 = R + 4 * l; - DIGIT *c1 = stack; // the rest in the stack - DIGIT *c2 = c1 + x; - DIGIT *c3 = c2 + x; - DIGIT *c5 = c3 + x; - stack = c5 + z; // Worst-case 7l + 14 - - // Evaluation - c0[0] = 0; // c0[z] = a1*W + a2*W^2 - c0[l + 1] = 0; - gf2x_cpy(c0 + 1, a1, l); - gf2x_acc(c0 + 2, a2, r); - - c4[0] = 0; // c4[z] = b1*W + b2*W^2 - c4[l + 1] = 0; - gf2x_cpy(c4 + 1, b1, l); - gf2x_acc(c4 + 2, b2, r); - - gf2x_cpy(c5, a0, l); // c5[l] = a0 + a1 + a2 - gf2x_acc(c5, a1, l); - gf2x_acc(c5, a2, r); - - gf2x_cpy(c2, b0, l); // c2[l] = b0 + b1 + b2 - gf2x_acc(c2, b1, l); - gf2x_acc(c2, b2, r); - - gf2x_mul_tc3w(c1, c2, c5, l, stack); // c1[2l] = c2 * c5 - gf2x_add_asymm2(c5, z, c0, l, c5); // c5[z] += c0, z >= l - gf2x_add_asymm2(c2, z, c4, l, c2); // c2[z] += c4, idem - gf2x_acc(c0, a0, l); // c0[l] += a0 - gf2x_acc(c4, b0, l); // c4[l] += b0 - gf2x_mul_tc3w(c3, c2, c5, z, stack); // c3[2z] = c2 * c5 - gf2x_mul_tc3w(c2, c0, c4, z, stack); // c2[2z] = c0 * c4 - gf2x_mul_tc3w(c0, a0, 
b0, l, stack); // c0[2l] = a0 * b0 - gf2x_mul_tc3w(c4, a2, b2, r, stack); // c4[2r] = a2 * b2 - - // Interpolation - gf2x_acc(c3, c2, 2 * z); // c3[2z] += c2 - gf2x_acc(c2, c0, 2 * l); // c2[2z] += c0 - gf2x_shift_left_w(c2, 2 * z); // c2[2z] = c2/y + c3 - gf2x_acc(c2, c3, 2 * z); - gf2x_acc(c2, c4, 2 * r); // c2[2z] += c4 + c4**3 - gf2x_acc(c2 + 3, c4, 2 * r); - gf2x_div_w_plus_one(c2, 2 * z); // c2[2z-1] = c2/(W+1) - gf2x_acc(c1, c0, 2 * l); // c1[2l] += c0 - gf2x_acc(c3, c1, 2 * l); // c3[2z] += c1 - gf2x_shift_left_w(c3, 2 * z); // c3[2z-2] = c3/(W^2 + W) - gf2x_div_w_plus_one(c3, 2 * z - 1); - gf2x_add_asymm2(c1, 2 * z, c2, 2 * l, c1); // c1[2z-1] += c2 + c4 - gf2x_acc(c1, c4, 2 * r); // size c2 >= c1 >= c4 - gf2x_acc(c2, c3, 2 * z - 1); // c2[2z-1] += c3 - - // Recombination - gf2x_cpy(R + 2 * l, c2, 2 * l); - gf2x_acc(R + l, c1, 2 * z - 1); - gf2x_acc(R + 3 * l, c3, 2 * z - 1); -} - -void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_mul(DIGIT *R, const DIGIT *A, const DIGIT *B, size_t n) { - DIGIT stack[STACK_WORDS]; - gf2x_mul_tc3w(R, A, B, n, stack); -} - diff --git a/crypto_kem/ledakemlt52/leaktime/gf2x_arith.h b/crypto_kem/ledakemlt52/leaktime/gf2x_arith.h deleted file mode 100644 index b38e1616..00000000 --- a/crypto_kem/ledakemlt52/leaktime/gf2x_arith.h +++ /dev/null 
@@ -1,68 +0,0 @@
-#ifndef GF2X_ARITH_H
-#define GF2X_ARITH_H
-
-#include
-#include
-
-/*
- * Elements of GF(2)[x] are stored in compact dense binary form.
- *
- * Each bit in a byte is assumed to be the coefficient of a binary
- * polynomial f(x), in Big-Endian format (i.e., reading everything from
- * left to right, the most significant element is met first):
- *
- * byte:(0000 0000) == 0x00 ... f(x) == 0
- * byte:(0000 0001) == 0x01 ... f(x) == 1
- * byte:(0000 0010) == 0x02 ... f(x) == x
- * byte:(0000 0011) == 0x03 ... f(x) == x+1
- * ... ... ...
- * byte:(0000 1111) == 0x0F ... f(x) == x^{3}+x^{2}+x+1
- * ... ... ...
- * byte:(1111 1111) == 0xFF ... f(x) == x^{7}+x^{6}+x^{5}+x^{4}+x^{3}+x^{2}+x+1
- *
- *
- * A "machine word" (A_i) is considered as a DIGIT.
- * Bytes in a DIGIT are assumed in Big-Endian format:
- * E.g., if sizeof(DIGIT) == 4:
- * A_i: A_{i,3} A_{i,2} A_{i,1} A_{i,0}.
- * A_{i,3} denotes the most significant byte, A_{i,0} the least significant one.
- * f(x) == x^{31} + ... + x^{24} +
- * + x^{23} + ... + x^{16} +
- * + x^{15} + ... + x^{8} +
- * + x^{7} + ... + x^{0}
- *
- *
- * Multi-precision elements (i.e., with multiple DIGITs) are stored in
- * Big-endian format:
- * A = A_{n-1} A_{n-2} ... A_1 A_0
- *
- * position[A_{n-1}] == 0
- * position[A_{n-2}] == 1
- * ...
- * position[A_{1}] == n-2
- * position[A_{0}] == n-1
- */
-
-typedef uint64_t DIGIT;
-#define DIGIT_SIZE_B (8)
-#define DIGIT_SIZE_b (DIGIT_SIZE_B << 3)
-#define POSITION_T uint32_t
-
-#define MIN_KAR_DIGITS 10
-#define MIN_TOOM_DIGITS 42
-
-#define STACK_KAR_ONLY 7137
-#define STACK_WORDS 8401
-
-void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_add(DIGIT Res[], const DIGIT A[], const DIGIT B[], size_t n);
-void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_cmov(DIGIT *r, const DIGIT *a, size_t len, int c);
-void PQCLEAN_LEDAKEMLT52_LEAKTIME_right_bit_shift_n(size_t length, DIGIT in[], size_t amount);
-void PQCLEAN_LEDAKEMLT52_LEAKTIME_left_bit_shift_n(size_t length, DIGIT in[], size_t amount);
-void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_mul(DIGIT *R, const DIGIT *A, const DIGIT *B, size_t n);
-
-
-
-
-
-
-#endif
diff --git a/crypto_kem/ledakemlt52/leaktime/gf2x_arith_mod_xPplusOne.c b/crypto_kem/ledakemlt52/leaktime/gf2x_arith_mod_xPplusOne.c
deleted file mode 100644
index f19b6648..00000000
--- a/crypto_kem/ledakemlt52/leaktime/gf2x_arith_mod_xPplusOne.c
+++ /dev/null
@@ -1,529 +0,0 @@ -#include "gf2x_arith_mod_xPplusOne.h" -#include "rng.h" -#include "sort.h" - -#include // memcpy(...), memset(...) - -void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_copy(DIGIT dest[], const DIGIT in[]) { - for (size_t i = 0; i < NUM_DIGITS_GF2X_ELEMENT; i++) { - dest[i] = in[i]; - } -} - -/* returns the coefficient of the x^exponent term as the LSB of a digit */ -DIGIT PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_get_coeff(const DIGIT poly[], size_t exponent) { - size_t straightIdx = (NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_b - 1) - exponent; - size_t digitIdx = straightIdx / DIGIT_SIZE_b; - size_t inDigitIdx = straightIdx % DIGIT_SIZE_b; - return (poly[digitIdx] >> (DIGIT_SIZE_b - 1 - inDigitIdx)) & ((DIGIT) 1) ; -} - -/* sets the coefficient of the x^exponent term as the LSB of a digit */ -void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_set_coeff(DIGIT poly[], size_t exponent, DIGIT value) { - size_t straightIdx = (NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_b - 1) - exponent; - size_t digitIdx = straightIdx / DIGIT_SIZE_b; - size_t inDigitIdx = straightIdx % DIGIT_SIZE_b; - - /* clear given coefficient */ - DIGIT mask = ~(((DIGIT) 1) << (DIGIT_SIZE_b - 1 - inDigitIdx)); - poly[digitIdx] = poly[digitIdx] & mask; - poly[digitIdx] = poly[digitIdx] | ((value & ((DIGIT) 1)) << (DIGIT_SIZE_b - 1 - inDigitIdx)); -} - -/* toggles (flips) the coefficient of the x^exponent term as the LSB of a digit */ -void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_toggle_coeff(DIGIT poly[], size_t exponent) { - size_t straightIdx = (NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_b - 1) - exponent; - size_t digitIdx = straightIdx / DIGIT_SIZE_b; - size_t inDigitIdx = straightIdx % DIGIT_SIZE_b; - - /* clear given coefficient */ - DIGIT mask = (((DIGIT) 1) << (DIGIT_SIZE_b - 1 - inDigitIdx)); - poly[digitIdx] = poly[digitIdx] ^ mask; -} - -/* population count for an unsigned 64-bit integer - Source: Hacker's delight, p.66 */ -static int popcount_uint64t(uint64_t x) { - x -= (x >> 1) & 0x5555555555555555; - x = (x & 
0x3333333333333333) + ((x >> 2) & 0x3333333333333333); - x = (x + (x >> 4)) & 0x0f0f0f0f0f0f0f0f; - return (int)((x * 0x0101010101010101) >> 56); -} - -/* population count for a single polynomial */ -int PQCLEAN_LEDAKEMLT52_LEAKTIME_population_count(const DIGIT *poly) { - int ret = 0; - for (int i = NUM_DIGITS_GF2X_ELEMENT - 1; i >= 0; i--) { - ret += popcount_uint64t(poly[i]); - } - return ret; -} - -void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_mod_add(DIGIT Res[], const DIGIT A[], const DIGIT B[]) { - PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_add(Res, A, B, NUM_DIGITS_GF2X_ELEMENT); -} - -static void gf2x_mod(DIGIT out[], const DIGIT in[]) { - DIGIT aux[NUM_DIGITS_GF2X_ELEMENT + 1]; - - memcpy(aux, in, (NUM_DIGITS_GF2X_ELEMENT + 1)*DIGIT_SIZE_B); - PQCLEAN_LEDAKEMLT52_LEAKTIME_right_bit_shift_n(NUM_DIGITS_GF2X_ELEMENT + 1, aux, - MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS); - PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_add(out, aux + 1, in + NUM_DIGITS_GF2X_ELEMENT, - NUM_DIGITS_GF2X_ELEMENT); - out[0] &= ((DIGIT)1 << MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS) - 1; -} - -static void right_bit_shift(size_t length, DIGIT in[]) { - size_t j; - for (j = length - 1; j > 0; j--) { - in[j] >>= 1; - in[j] |= (in[j - 1] & (DIGIT)0x01) << (DIGIT_SIZE_b - 1); - } - in[j] >>= 1; -} - - -/* shifts by whole digits */ -static void left_DIGIT_shift_n(size_t length, DIGIT in[], size_t amount) { - size_t j; - for (j = 0; (j + amount) < length; j++) { - in[j] = in[j + amount]; - } - for (; j < length; j++) { - in[j] = (DIGIT)0; - } -} - -/* may shift by an arbitrary amount*/ -static void left_bit_shift_wide_n(size_t length, DIGIT in[], size_t amount) { - left_DIGIT_shift_n(length, in, amount / DIGIT_SIZE_b); - PQCLEAN_LEDAKEMLT52_LEAKTIME_left_bit_shift_n(length, in, amount % DIGIT_SIZE_b); -} - -/* Hackers delight, reverses a uint64_t */ -static DIGIT reverse_digit(DIGIT x) { - uint64_t t; - x = (x << 31) | (x >> 33); - t = (x ^ (x >> 20)) & 0x00000FFF800007FFLL; - x = (t | (t << 20)) ^ x; - t = (x ^ (x >> 8)) & 
0x00F8000F80700807LL; - x = (t | (t << 8)) ^ x; - t = (x ^ (x >> 4)) & 0x0808708080807008LL; - x = (t | (t << 4)) ^ x; - t = (x ^ (x >> 2)) & 0x1111111111111111LL; - x = (t | (t << 2)) ^ x; - return x; -} - -void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_transpose_in_place(DIGIT A[]) { - /* it keeps the lsb in the same position and - * inverts the sequence of the remaining bits */ - - DIGIT mask = (DIGIT)0x1; - DIGIT rev1, rev2, a00; - int slack_bits_amount = NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_b - P; - - a00 = A[NUM_DIGITS_GF2X_ELEMENT - 1] & mask; - right_bit_shift(NUM_DIGITS_GF2X_ELEMENT, A); - - for (size_t i = NUM_DIGITS_GF2X_ELEMENT - 1; i >= (NUM_DIGITS_GF2X_ELEMENT + 1) / 2; i--) { - rev1 = reverse_digit(A[i]); - rev2 = reverse_digit(A[NUM_DIGITS_GF2X_ELEMENT - 1 - i]); - A[i] = rev2; - A[NUM_DIGITS_GF2X_ELEMENT - 1 - i] = rev1; - } - - if (slack_bits_amount) { - PQCLEAN_LEDAKEMLT52_LEAKTIME_right_bit_shift_n(NUM_DIGITS_GF2X_ELEMENT, A, slack_bits_amount); - } - A[NUM_DIGITS_GF2X_ELEMENT - 1] = (A[NUM_DIGITS_GF2X_ELEMENT - 1] & (~mask)) | a00; -} - -static void rotate_bit_right(DIGIT in[]) { /* x^{-1} * in(x) mod x^P+1 */ - - DIGIT rotated_bit = in[NUM_DIGITS_GF2X_ELEMENT - 1] & ((DIGIT)0x1); - right_bit_shift(NUM_DIGITS_GF2X_ELEMENT, in); - int msb_offset_in_digit = MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS - 1; - rotated_bit = rotated_bit << msb_offset_in_digit; - in[0] |= rotated_bit; -} - -/* cond swap: swaps digits A and B if swap_mask == -1 */ -static void gf2x_cswap(DIGIT *a, DIGIT *b, int32_t swap_mask) { - DIGIT t; - for (size_t i = 0; i < NUM_DIGITS_GF2X_ELEMENT; i++) { - t = swap_mask & (a[i] ^ b[i]); - a[i] ^= t; - b[i] ^= t; - } -} - -/* returns -1 mask if x != 0, otherwise 0 */ -static inline int32_t nonzero(DIGIT x) { - DIGIT t = x; - t = (~t) + 1; - t >>= DIGIT_SIZE_b - 1; - return -((int32_t)t); -} - -/* returns -1 mask if x < 0 else 0 */ -static inline int32_t negative(int x) { - uint32_t u = x; - u >>= 31; - return -((int32_t)u); -} - -/* return f(0) 
as digit */ -static inline DIGIT lsb(const DIGIT *p) { - DIGIT mask = (DIGIT)1; - return p[NUM_DIGITS_GF2X_ELEMENT - 1] & mask; -} - -/* multiply poly with scalar and accumulate, expects s all-zero of all-one mask */ -static void gf2x_mult_scalar_acc(DIGIT *f, const DIGIT *g, const DIGIT s) { - for (size_t i = 0; i < NUM_DIGITS_GF2X_ELEMENT; i++) { - f[i] = f[i] ^ (s & g[i]); - } -} - -/* constant-time inverse, source: gcd.cr.yp.to */ -int PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_mod_inverse(DIGIT out[], const DIGIT in[]) { - int32_t swap, delta = 1; - DIGIT g0_mask; - - DIGIT f[NUM_DIGITS_GF2X_MODULUS] = {0}; // f = x^P + 1 - DIGIT g[NUM_DIGITS_GF2X_ELEMENT]; // g = in - DIGIT *v = out; // v = 0, save space - DIGIT r[NUM_DIGITS_GF2X_ELEMENT] = {0}; // r = 1 - - f[NUM_DIGITS_GF2X_MODULUS - 1] = 1; - f[0] |= ((DIGIT)1 << MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS); - - for (size_t i = 0; i < NUM_DIGITS_GF2X_ELEMENT; i++) { - g[i] = in[i]; - } - - for (size_t i = 0; i < NUM_DIGITS_GF2X_ELEMENT; i++) { - v[i] = 0; - } - - r[NUM_DIGITS_GF2X_ELEMENT - 1] = 1; - - for (int loop = 0; loop < 2 * P - 1; ++loop) { - - swap = negative(-delta) & nonzero(lsb(g)); // swap = -1 if -delta < 0 AND g(0) != 0 - delta ^= swap & (delta ^ -delta); // cond swap delta with -delta if swap - delta++; - - gf2x_cswap(f, g, swap); - gf2x_cswap(v, r, swap); - - g0_mask = ~lsb(g) + 1; - - // g = (g - g0 * f) / x - gf2x_mult_scalar_acc(g, f, g0_mask); - right_bit_shift(NUM_DIGITS_GF2X_ELEMENT, g); - - // r = (r - g0 * v) / x - gf2x_mult_scalar_acc(r, v, g0_mask); - rotate_bit_right(r); - - } - - return nonzero(delta); // -1 if fail, 0 if success -} - -void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_mod_mul(DIGIT Res[], const DIGIT A[], const DIGIT B[]) { - - DIGIT aux[2 * NUM_DIGITS_GF2X_ELEMENT]; - PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_mul(aux, A, B, NUM_DIGITS_GF2X_ELEMENT); - gf2x_mod(Res, aux); - -} - -/*PRE: the representation of the sparse coefficients is sorted in increasing - order of the coefficients themselves 
*/ -void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_mod_mul_dense_to_sparse(DIGIT Res[], const DIGIT dense[], - POSITION_T sparse[], size_t nPos) { - - DIGIT aux[2 * NUM_DIGITS_GF2X_ELEMENT] = {0x00}; - DIGIT resDouble[2 * NUM_DIGITS_GF2X_ELEMENT] = {0x00}; - memcpy(aux + NUM_DIGITS_GF2X_ELEMENT, dense, NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B); - memcpy(resDouble + NUM_DIGITS_GF2X_ELEMENT, dense, NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B); - - if (sparse[0] != INVALID_POS_VALUE) { - left_bit_shift_wide_n(2 * NUM_DIGITS_GF2X_ELEMENT, resDouble, sparse[0]); - left_bit_shift_wide_n(2 * NUM_DIGITS_GF2X_ELEMENT, aux, sparse[0]); - - for (size_t i = 1; i < nPos; i++) { - if (sparse[i] != INVALID_POS_VALUE) { - left_bit_shift_wide_n(2 * NUM_DIGITS_GF2X_ELEMENT, aux, (sparse[i] - sparse[i - 1]) ); - PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_add(resDouble, aux, resDouble, 2 * NUM_DIGITS_GF2X_ELEMENT); - } - } - } - - gf2x_mod(Res, resDouble); - -} - -void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_transpose_in_place_sparse(size_t sizeA, POSITION_T A[]) { - POSITION_T t; - size_t i = 0, j; - - if (A[i] == 0) { - i = 1; - } - j = i; - - for (; i < sizeA && A[i] != INVALID_POS_VALUE; i++) { - A[i] = P - A[i]; - } - - for (i -= 1; j < i; j++, i--) { - t = A[j]; - A[j] = A[i]; - A[i] = t; - } - -} - -void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_mod_mul_sparse(size_t sizeR, POSITION_T Res[], - size_t sizeA, const POSITION_T A[], - size_t sizeB, const POSITION_T B[]) { - - POSITION_T prod; - POSITION_T lastReadPos; - size_t duplicateCount; - size_t write_idx, read_idx; - - /* compute all the coefficients, filling invalid positions with P*/ - size_t lastFilledPos = 0; - for (size_t i = 0 ; i < sizeA ; i++) { - for (size_t j = 0 ; j < sizeB ; j++) { - prod = A[i] + B[j]; - prod = ( (prod >= P) ? 
prod - P : prod); - if ((A[i] != INVALID_POS_VALUE) && - (B[j] != INVALID_POS_VALUE)) { - Res[lastFilledPos] = prod; - } else { - Res[lastFilledPos] = INVALID_POS_VALUE; - } - lastFilledPos++; - } - } - while (lastFilledPos < sizeR) { - Res[lastFilledPos] = INVALID_POS_VALUE; - lastFilledPos++; - } - - PQCLEAN_LEDAKEMLT52_LEAKTIME_uint32_sort(Res, sizeR); - - /* eliminate duplicates */ - write_idx = read_idx = 0; - while (read_idx < sizeR && Res[read_idx] != INVALID_POS_VALUE) { - lastReadPos = Res[read_idx]; - read_idx++; - duplicateCount = 1; - while ( (Res[read_idx] == lastReadPos) && (Res[read_idx] != INVALID_POS_VALUE)) { - read_idx++; - duplicateCount++; - } - if (duplicateCount % 2) { - Res[write_idx] = lastReadPos; - write_idx++; - } - } - /* fill remaining cells with INVALID_POS_VALUE */ - for (; write_idx < sizeR; write_idx++) { - Res[write_idx] = INVALID_POS_VALUE; - } -} - -/* the implementation is safe even in case A or B alias with the result - * PRE: A and B should be sorted, disjunct arrays ending with INVALID_POS_VALUE */ -void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_mod_add_sparse(size_t sizeR, POSITION_T Res[], - size_t sizeA, const POSITION_T A[], - size_t sizeB, const POSITION_T B[]) { - - POSITION_T tmpRes[DV * M]; - size_t idxA = 0, idxB = 0, idxR = 0; - while ( idxA < sizeA && - idxB < sizeB && - A[idxA] != INVALID_POS_VALUE && - B[idxB] != INVALID_POS_VALUE ) { - - if (A[idxA] == B[idxB]) { - idxA++; - idxB++; - } else { - if (A[idxA] < B[idxB]) { - tmpRes[idxR] = A[idxA]; - idxA++; - } else { - tmpRes[idxR] = B[idxB]; - idxB++; - } - idxR++; - } - } - - while (idxA < sizeA && A[idxA] != INVALID_POS_VALUE) { - tmpRes[idxR] = A[idxA]; - idxA++; - idxR++; - } - - while (idxB < sizeB && B[idxB] != INVALID_POS_VALUE) { - tmpRes[idxR] = B[idxB]; - idxB++; - idxR++; - } - - while (idxR < sizeR) { - tmpRes[idxR] = INVALID_POS_VALUE; - idxR++; - } - memcpy(Res, tmpRes, sizeof(POSITION_T)*sizeR); - -} - -/* Return a uniform random value in the range 
0..n-1 inclusive, - * applying a rejection sampling strategy and exploiting as a random source - * the NIST seedexpander seeded with the proper key. - * Assumes that the maximum value for the range n is 2^32-1 - */ -static uint32_t rand_range(const unsigned int n, const int logn, AES_XOF_struct *seed_expander_ctx) { - unsigned long required_rnd_bytes = (logn + 7) / 8; - unsigned char rnd_char_buffer[4]; - uint32_t rnd_value; - uint32_t mask = ( (uint32_t)1 << logn) - 1; - - do { - PQCLEAN_LEDAKEMLT52_LEAKTIME_seedexpander(seed_expander_ctx, rnd_char_buffer, required_rnd_bytes); - /* obtain an endianness independent representation of the generated random - bytes into an unsigned integer */ - rnd_value = ((uint32_t)rnd_char_buffer[3] << 24) + - ((uint32_t)rnd_char_buffer[2] << 16) + - ((uint32_t)rnd_char_buffer[1] << 8) + - ((uint32_t)rnd_char_buffer[0] << 0) ; - rnd_value = mask & rnd_value; - } while (rnd_value >= n); - - return rnd_value; -} - -/* Obtains fresh randomness and seed-expands it until all the required positions - * for the '1's in the circulant block are obtained */ -void PQCLEAN_LEDAKEMLT52_LEAKTIME_rand_circulant_sparse_block(POSITION_T *pos_ones, - size_t countOnes, - AES_XOF_struct *seed_expander_ctx) { - - size_t duplicated, placedOnes = 0; - POSITION_T p; - - while (placedOnes < countOnes) { - p = rand_range(NUM_BITS_GF2X_ELEMENT, - P_BITS, - seed_expander_ctx); - duplicated = 0; - for (size_t j = 0; j < placedOnes; j++) { - if (pos_ones[j] == p) { - duplicated = 1; - } - } - if (duplicated == 0) { - pos_ones[placedOnes] = p; - placedOnes++; - } - } -} - -/* Returns random weight-t circulant block */ -void PQCLEAN_LEDAKEMLT52_LEAKTIME_rand_circulant_blocks_sequence(DIGIT sequence[N0 * NUM_DIGITS_GF2X_ELEMENT], - AES_XOF_struct *seed_expander_ctx) { - - size_t polyIndex, duplicated, counter = 0; - POSITION_T p, exponent, rndPos[NUM_ERRORS_T]; - - memset(sequence, 0x00, N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B); - - while (counter < 
NUM_ERRORS_T) { - p = rand_range(N0 * NUM_BITS_GF2X_ELEMENT, P_BITS, seed_expander_ctx); - duplicated = 0; - for (size_t j = 0; j < counter; j++) { - if (rndPos[j] == p) { - duplicated = 1; - } - } - if (duplicated == 0) { - rndPos[counter] = p; - counter++; - } - } - for (size_t j = 0; j < counter; j++) { - polyIndex = rndPos[j] / P; - exponent = rndPos[j] % P; - PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_set_coeff( sequence + NUM_DIGITS_GF2X_ELEMENT * polyIndex, exponent, - ( (DIGIT) 1)); - } - -} - - -void PQCLEAN_LEDAKEMLT52_LEAKTIME_rand_error_pos(POSITION_T errorPos[NUM_ERRORS_T], - AES_XOF_struct *seed_expander_ctx) { - - int duplicated; - size_t counter = 0; - - while (counter < NUM_ERRORS_T) { - POSITION_T p = rand_range(N0 * NUM_BITS_GF2X_ELEMENT, P_BITS, seed_expander_ctx); - duplicated = 0; - for (size_t j = 0; j < counter; j++) { - if (errorPos[j] == p) { - duplicated = 1; - } - } - if (duplicated == 0) { - errorPos[counter] = p; - counter++; - } - } -} - -void PQCLEAN_LEDAKEMLT52_LEAKTIME_expand_error(DIGIT sequence[N0 * NUM_DIGITS_GF2X_ELEMENT], - const POSITION_T errorPos[NUM_ERRORS_T]) { - - size_t polyIndex; - POSITION_T exponent; - - memset(sequence, 0x00, N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B); - for (int j = 0; j < NUM_ERRORS_T; j++) { - polyIndex = errorPos[j] / P; - exponent = errorPos[j] % P; - PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_set_coeff( sequence + NUM_DIGITS_GF2X_ELEMENT * polyIndex, exponent, - ( (DIGIT) 1)); - } -} - - -void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_tobytes(uint8_t *bytes, const DIGIT *poly) { - size_t i, j; - for (i = 0; i < NUM_DIGITS_GF2X_ELEMENT; i++) { - for (j = 0; j < DIGIT_SIZE_B; j++) { - bytes[i * DIGIT_SIZE_B + j] = (uint8_t) (poly[i] >> 8 * j); - } - } -} - -void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_frombytes(DIGIT *poly, const uint8_t *poly_bytes) { - size_t i, j; - for (i = 0; i < NUM_DIGITS_GF2X_ELEMENT; i++) { - poly[i] = (DIGIT) 0; - for (j = 0; j < DIGIT_SIZE_B; j++) { - poly[i] |= (DIGIT) poly_bytes[i * DIGIT_SIZE_B 
+ j] << 8 * j; - } - } -} diff --git a/crypto_kem/ledakemlt52/leaktime/gf2x_arith_mod_xPplusOne.h b/crypto_kem/ledakemlt52/leaktime/gf2x_arith_mod_xPplusOne.h deleted file mode 100644 index 06e310b2..00000000 --- a/crypto_kem/ledakemlt52/leaktime/gf2x_arith_mod_xPplusOne.h +++ /dev/null 
@@ -1,39 +0,0 @@
-#ifndef GF2X_ARITH_MOD_XPLUSONE_H
-#define GF2X_ARITH_MOD_XPLUSONE_H
-
-#include "qc_ldpc_parameters.h"
-
-#include "gf2x_arith.h"
-#include "rng.h"
-
-#define NUM_BITS_GF2X_ELEMENT (P)
-#define NUM_DIGITS_GF2X_ELEMENT ((P+DIGIT_SIZE_b-1)/DIGIT_SIZE_b)
-#define MSb_POSITION_IN_MSB_DIGIT_OF_ELEMENT ((P % DIGIT_SIZE_b) ? (P % DIGIT_SIZE_b)-1 : DIGIT_SIZE_b-1)
-#define NUM_BITS_GF2X_MODULUS (P+1)
-#define NUM_DIGITS_GF2X_MODULUS ((P+1+DIGIT_SIZE_b-1)/DIGIT_SIZE_b)
-#define MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS (P-DIGIT_SIZE_b*(NUM_DIGITS_GF2X_MODULUS-1))
-#define INVALID_POS_VALUE (P)
-#define P_BITS (18)
-
-void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_copy(DIGIT dest[], const DIGIT in[]);
-DIGIT PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_get_coeff(const DIGIT poly[], size_t exponent);
-void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_set_coeff(DIGIT poly[], size_t exponent, DIGIT value);
-void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_toggle_coeff(DIGIT poly[], size_t exponent);
-int PQCLEAN_LEDAKEMLT52_LEAKTIME_population_count(const DIGIT *poly);
-void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_mod_add(DIGIT Res[], const DIGIT A[], const DIGIT B[]);
-void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_mod_mul(DIGIT Res[], const DIGIT A[], const DIGIT B[]);
-void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_transpose_in_place(DIGIT A[]);
-void PQCLEAN_LEDAKEMLT52_LEAKTIME_rand_circulant_sparse_block(POSITION_T *pos_ones, size_t countOnes, AES_XOF_struct *seed_expander_ctx);
-void PQCLEAN_LEDAKEMLT52_LEAKTIME_rand_circulant_blocks_sequence(DIGIT *sequence, AES_XOF_struct *seed_expander_ctx);
-void PQCLEAN_LEDAKEMLT52_LEAKTIME_rand_error_pos(POSITION_T errorPos[NUM_ERRORS_T], AES_XOF_struct *seed_expander_ctx);
-void PQCLEAN_LEDAKEMLT52_LEAKTIME_expand_error(DIGIT sequence[N0 * NUM_DIGITS_GF2X_ELEMENT], const POSITION_T errorPos[NUM_ERRORS_T]);
-void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_mod_add_sparse(size_t sizeR, POSITION_T Res[], size_t sizeA, const POSITION_T A[], size_t sizeB, const POSITION_T B[]);
-void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_transpose_in_place_sparse(size_t sizeA, POSITION_T A[]);
-int PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_mod_inverse(DIGIT out[], const DIGIT in[]);
-void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_mod_mul_sparse(size_t sizeR, POSITION_T Res[], size_t sizeA, const POSITION_T A[], size_t sizeB, const POSITION_T B[]);
-void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_mod_mul_dense_to_sparse(DIGIT Res[], const DIGIT dense[], POSITION_T sparse[], size_t nPos);
-void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_tobytes(uint8_t *bytes, const DIGIT *poly);
-void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_frombytes(DIGIT *poly, const uint8_t *poly_bytes);
-
-
-#endif
diff --git a/crypto_kem/ledakemlt52/leaktime/kem.c b/crypto_kem/ledakemlt52/leaktime/kem.c
deleted file mode 100644
index 1dd5d975..00000000
--- a/crypto_kem/ledakemlt52/leaktime/kem.c
+++ /dev/null
@@ -1,157 +0,0 @@ -#include "api.h" -#include "niederreiter.h" -#include "randombytes.h" -#include "rng.h" -#include "utils.h" - -#include - - -#define pack_ct(sk_bytes, ct) PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_tobytes(sk_bytes, ct); -#define unpack_ct(ct, ct_bytes) PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_frombytes(ct, ct_bytes) - -static void pack_pk(uint8_t *pk_bytes, publicKeyNiederreiter_t *pk) { - for (size_t i = 0; i < N0 - 1; i++) { - PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_tobytes(pk_bytes + i * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B, - pk->Mtr + i * NUM_DIGITS_GF2X_ELEMENT); - } -} - -static void unpack_pk(publicKeyNiederreiter_t *pk, const uint8_t *pk_bytes) { - for (size_t i = 0; i < N0 - 1; i++) { - PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_frombytes(pk->Mtr + i * NUM_DIGITS_GF2X_ELEMENT, - pk_bytes + i * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B); - } -} - -static void pack_error(uint8_t *error_bytes, DIGIT *error_digits) { - size_t i; - for (i = 0; i < N0; i++) { - PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_tobytes(error_bytes + i * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B, - error_digits + i * NUM_DIGITS_GF2X_ELEMENT); - } -} - -/* IND-CCA2 Keygen */ -int PQCLEAN_LEDAKEMLT52_LEAKTIME_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) { - publicKeyNiederreiter_t niederreiter_pk; - - PQCLEAN_LEDAKEMLT52_LEAKTIME_niederreiter_keygen(&niederreiter_pk, (privateKeyNiederreiter_t *) sk); - - pack_pk(pk, &niederreiter_pk); - - return 0; -} - -/* IND-CCA2 Encapsulation */ -int PQCLEAN_LEDAKEMLT52_LEAKTIME_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk) { - publicKeyNiederreiter_t niederreiter_pk; - DIGIT syndrome[NUM_DIGITS_GF2X_ELEMENT]; - AES_XOF_struct hashedAndTruncatedSeed_expander; - POSITION_T errorPos[NUM_ERRORS_T]; - DIGIT error_vector[N0 * NUM_DIGITS_GF2X_ELEMENT]; - uint8_t error_bytes[N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B]; - uint8_t seed[TRNG_BYTE_LENGTH]; - uint8_t ss_input[2 * TRNG_BYTE_LENGTH] = {0}; - uint8_t hashedSeed[HASH_BYTE_LENGTH]; - uint8_t 
hashedAndTruncatedSeed[TRNG_BYTE_LENGTH] = {0}; - uint8_t hashedErrorVector[HASH_BYTE_LENGTH]; - uint8_t hashedAndTruncatedErrorVector[TRNG_BYTE_LENGTH] = {0}; - uint8_t maskedSeed[TRNG_BYTE_LENGTH]; - - unpack_pk(&niederreiter_pk, pk); - - randombytes(seed, TRNG_BYTE_LENGTH); - memcpy(ss_input, seed, TRNG_BYTE_LENGTH); - - HASH_FUNCTION(ss, ss_input, 2 * TRNG_BYTE_LENGTH); - HASH_FUNCTION(hashedSeed, seed, TRNG_BYTE_LENGTH); - - memcpy(hashedAndTruncatedSeed, hashedSeed, TRNG_BYTE_LENGTH); - - memset(&hashedAndTruncatedSeed_expander, 0x00, sizeof(AES_XOF_struct)); - PQCLEAN_LEDAKEMLT52_LEAKTIME_seedexpander_from_trng(&hashedAndTruncatedSeed_expander, hashedAndTruncatedSeed); - PQCLEAN_LEDAKEMLT52_LEAKTIME_rand_error_pos(errorPos, &hashedAndTruncatedSeed_expander); - PQCLEAN_LEDAKEMLT52_LEAKTIME_expand_error(error_vector, errorPos); - - pack_error(error_bytes, error_vector); - HASH_FUNCTION(hashedErrorVector, error_bytes, (N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B)); - - memcpy(hashedAndTruncatedErrorVector, hashedErrorVector, TRNG_BYTE_LENGTH); - - for (size_t i = 0; i < TRNG_BYTE_LENGTH; ++i) { - maskedSeed[i] = seed[i] ^ hashedAndTruncatedErrorVector[i]; - } - - PQCLEAN_LEDAKEMLT52_LEAKTIME_niederreiter_encrypt(syndrome, - (const publicKeyNiederreiter_t *) &niederreiter_pk, error_vector); - - pack_ct(ct, syndrome); - memcpy(ct + (NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B), maskedSeed, TRNG_BYTE_LENGTH); - - return 0; -} - - -/* IND-CCA2 Decapsulation */ -int PQCLEAN_LEDAKEMLT52_LEAKTIME_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk) { - DIGIT syndrome[NUM_DIGITS_GF2X_ELEMENT]; - AES_XOF_struct hashedAndTruncatedSeed_expander; - POSITION_T reconstructed_errorPos[NUM_ERRORS_T]; - DIGIT reconstructed_error_vector[N0 * NUM_DIGITS_GF2X_ELEMENT]; - DIGIT decoded_error_vector[N0 * NUM_DIGITS_GF2X_ELEMENT]; - uint8_t decoded_error_bytes[N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B]; - uint8_t hashedErrorVector[HASH_BYTE_LENGTH]; - uint8_t 
hashedAndTruncatedErrorVector[TRNG_BYTE_LENGTH] = {0}; - uint8_t decoded_seed[TRNG_BYTE_LENGTH]; - uint8_t hashed_decoded_seed[HASH_BYTE_LENGTH]; - uint8_t hashedAndTruncated_decoded_seed[TRNG_BYTE_LENGTH] = {0}; - uint8_t ss_input[2 * TRNG_BYTE_LENGTH], tail[TRNG_BYTE_LENGTH] = {0}; - int decode_ok, decrypt_ok, equal; - - unpack_ct(syndrome, ct); - - decode_ok = PQCLEAN_LEDAKEMLT52_LEAKTIME_niederreiter_decrypt(decoded_error_vector, - (const privateKeyNiederreiter_t *)sk, syndrome); - - pack_error(decoded_error_bytes, decoded_error_vector); - HASH_FUNCTION(hashedErrorVector, decoded_error_bytes, N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B); - - memcpy(hashedAndTruncatedErrorVector, hashedErrorVector, TRNG_BYTE_LENGTH); - - for (size_t i = 0; i < TRNG_BYTE_LENGTH; ++i) { - decoded_seed[i] = ct[(NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B) + i] ^ - hashedAndTruncatedErrorVector[i]; - } - - HASH_FUNCTION(hashed_decoded_seed, decoded_seed, TRNG_BYTE_LENGTH); - - memcpy(hashedAndTruncated_decoded_seed, hashed_decoded_seed, TRNG_BYTE_LENGTH); - - memset(&hashedAndTruncatedSeed_expander, 0x00, sizeof(AES_XOF_struct)); - PQCLEAN_LEDAKEMLT52_LEAKTIME_seedexpander_from_trng(&hashedAndTruncatedSeed_expander, - hashed_decoded_seed); - - PQCLEAN_LEDAKEMLT52_LEAKTIME_rand_error_pos(reconstructed_errorPos, &hashedAndTruncatedSeed_expander); - - PQCLEAN_LEDAKEMLT52_LEAKTIME_expand_error(reconstructed_error_vector, reconstructed_errorPos); - - equal = PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_verify(decoded_error_vector, - reconstructed_error_vector, N0 * NUM_DIGITS_GF2X_ELEMENT); - // equal == 0, if the reconstructed error vector match !!! 
- - decrypt_ok = (decode_ok == 1 && equal == 0); - - memcpy(ss_input, decoded_seed, TRNG_BYTE_LENGTH); - memcpy(ss_input + sizeof(decoded_seed), tail, TRNG_BYTE_LENGTH); - - // Overwrite on failure - PQCLEAN_LEDAKEMLT52_LEAKTIME_cmov(ss_input + sizeof(decoded_seed), - ((const privateKeyNiederreiter_t *) sk)->decryption_failure_secret, - TRNG_BYTE_LENGTH, - !decrypt_ok); - - HASH_FUNCTION(ss, ss_input, 2 * TRNG_BYTE_LENGTH); - - return 0; -} diff --git a/crypto_kem/ledakemlt52/leaktime/niederreiter.c b/crypto_kem/ledakemlt52/leaktime/niederreiter.c deleted file mode 100644 index 8a8d5916..00000000 --- a/crypto_kem/ledakemlt52/leaktime/niederreiter.c +++ /dev/null 
@@ -1,192 +0,0 @@ -#include "H_Q_matrices_generation.h" -#include "bf_decoding.h" -#include "dfr_test.h" -#include "gf2x_arith_mod_xPplusOne.h" -#include "niederreiter.h" -#include "qc_ldpc_parameters.h" -#include "randombytes.h" -#include "rng.h" - -#include - -void PQCLEAN_LEDAKEMLT52_LEAKTIME_niederreiter_keygen(publicKeyNiederreiter_t *pk, privateKeyNiederreiter_t *sk) { - - AES_XOF_struct keys_expander; - POSITION_T HPosOnes[N0][DV]; - POSITION_T QPosOnes[N0][M]; - POSITION_T LPosOnes[N0][DV * M]; - POSITION_T auxPosOnes[DV * M]; - unsigned char processedQOnes[N0]; - DIGIT Ln0dense[NUM_DIGITS_GF2X_ELEMENT] = {0}; - DIGIT Ln0Inv[NUM_DIGITS_GF2X_ELEMENT] = {0}; - int is_L_full; - int isDFRok = 0; - - memset(&keys_expander, 0x00, sizeof(AES_XOF_struct)); - randombytes(sk->prng_seed, TRNG_BYTE_LENGTH); - PQCLEAN_LEDAKEMLT52_LEAKTIME_seedexpander_from_trng(&keys_expander, sk->prng_seed); - - sk->rejections = (uint8_t) 0; - do { - PQCLEAN_LEDAKEMLT52_LEAKTIME_generateHPosOnes(HPosOnes, &keys_expander); - PQCLEAN_LEDAKEMLT52_LEAKTIME_generateQPosOnes(QPosOnes, &keys_expander); - for (int i = 0; i < N0; i++) { - for (int j = 0; j < DV * M; j++) { - LPosOnes[i][j] = INVALID_POS_VALUE; - } - } - - memset(processedQOnes, 0x00, sizeof(processedQOnes)); - for (int colQ = 0; colQ < N0; colQ++) { - for (int i = 0; i < N0; i++) { - PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_mod_mul_sparse(DV * M, auxPosOnes, - DV, HPosOnes[i], - qBlockWeights[i][colQ], QPosOnes[i] + processedQOnes[i]); - PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_mod_add_sparse(DV * M, LPosOnes[colQ], - DV * M, LPosOnes[colQ], - DV * M, auxPosOnes); - processedQOnes[i] += qBlockWeights[i][colQ]; - } - } - is_L_full = 1; - for (size_t i = 0; i < N0; i++) { - is_L_full = is_L_full && (LPosOnes[i][DV * M - 1] != INVALID_POS_VALUE); - } - sk->rejections = sk->rejections + 1; - if (is_L_full) { - isDFRok = PQCLEAN_LEDAKEMLT52_LEAKTIME_DFR_test(LPosOnes, &(sk->secondIterThreshold)); - } - } while (!is_L_full || !isDFRok); - 
sk->rejections = sk->rejections - 1; - - PQCLEAN_LEDAKEMLT52_LEAKTIME_seedexpander(&keys_expander, - sk->decryption_failure_secret, - (unsigned long)TRNG_BYTE_LENGTH); - - for (size_t j = 0; j < DV * M; j++) { - if (LPosOnes[N0 - 1][j] != INVALID_POS_VALUE) { - PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_set_coeff(Ln0dense, LPosOnes[N0 - 1][j], 1); - } - } - - PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_mod_inverse(Ln0Inv, Ln0dense); - for (size_t i = 0; i < N0 - 1; i++) { - PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_mod_mul_dense_to_sparse(pk->Mtr + i * NUM_DIGITS_GF2X_ELEMENT, - Ln0Inv, - LPosOnes[i], - DV * M); - } - - for (size_t i = 0; i < N0 - 1; i++) { - PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_transpose_in_place(pk->Mtr + i * NUM_DIGITS_GF2X_ELEMENT); - } -} - -void PQCLEAN_LEDAKEMLT52_LEAKTIME_niederreiter_encrypt(DIGIT syndrome[], - const publicKeyNiederreiter_t *pk, - const DIGIT err[]) { - - DIGIT saux[NUM_DIGITS_GF2X_ELEMENT]; - - memset(syndrome, 0x00, NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B); - for (size_t i = 0; i < N0 - 1; i++) { - PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_mod_mul(saux, - pk->Mtr + i * NUM_DIGITS_GF2X_ELEMENT, - err + i * NUM_DIGITS_GF2X_ELEMENT); - PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_mod_add(syndrome, syndrome, saux); - - } - PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_mod_add(syndrome, syndrome, err + (N0 - 1)*NUM_DIGITS_GF2X_ELEMENT); -} - -int PQCLEAN_LEDAKEMLT52_LEAKTIME_niederreiter_decrypt(DIGIT *err, const privateKeyNiederreiter_t *sk, const DIGIT *syndrome) { - AES_XOF_struct niederreiter_decrypt_expander; - POSITION_T HPosOnes[N0][DV]; - POSITION_T QPosOnes[N0][M]; - POSITION_T LPosOnes[N0][DV * M]; - POSITION_T auxPosOnes[DV * M]; - POSITION_T HtrPosOnes[N0][DV]; - POSITION_T QtrPosOnes[N0][M]; - POSITION_T auxSparse[DV * M]; - POSITION_T Ln0trSparse[DV * M]; - DIGIT err_computed[N0 * NUM_DIGITS_GF2X_ELEMENT] = {0}; - DIGIT err_mockup[N0 * NUM_DIGITS_GF2X_ELEMENT]; - DIGIT privateSyndrome[NUM_DIGITS_GF2X_ELEMENT]; - uint8_t processedQOnes[N0]; - int rejections = 
sk->rejections; - int decrypt_ok = 0; - int err_weight; - - PQCLEAN_LEDAKEMLT52_LEAKTIME_seedexpander_from_trng(&niederreiter_decrypt_expander, sk->prng_seed); - do { - PQCLEAN_LEDAKEMLT52_LEAKTIME_generateHPosOnes(HPosOnes, &niederreiter_decrypt_expander); - PQCLEAN_LEDAKEMLT52_LEAKTIME_generateQPosOnes(QPosOnes, &niederreiter_decrypt_expander); - - for (size_t i = 0; i < N0; i++) { - for (size_t j = 0; j < DV * M; j++) { - LPosOnes[i][j] = INVALID_POS_VALUE; - } - } - - memset(processedQOnes, 0x00, sizeof(processedQOnes)); - for (size_t colQ = 0; colQ < N0; colQ++) { - for (size_t i = 0; i < N0; i++) { - PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_mod_mul_sparse(DV * M, auxPosOnes, - DV, HPosOnes[i], - qBlockWeights[i][colQ], QPosOnes[i] + processedQOnes[i]); - PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_mod_add_sparse(DV * M, LPosOnes[colQ], - DV * M, LPosOnes[colQ], - DV * M, auxPosOnes); - processedQOnes[i] += qBlockWeights[i][colQ]; - } - } - rejections--; - } while (rejections >= 0); - - PQCLEAN_LEDAKEMLT52_LEAKTIME_transposeHPosOnes(HtrPosOnes, HPosOnes); - PQCLEAN_LEDAKEMLT52_LEAKTIME_transposeQPosOnes(QtrPosOnes, QPosOnes); - - for (size_t i = 0; i < DV * M; i++) { - Ln0trSparse[i] = INVALID_POS_VALUE; - auxSparse[i] = INVALID_POS_VALUE; - } - - for (size_t i = 0; i < N0; i++) { - PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_mod_mul_sparse(DV * M, auxSparse, - DV, HPosOnes[i], - qBlockWeights[i][N0 - 1], &QPosOnes[i][M - qBlockWeights[i][N0 - 1]]); - PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_mod_add_sparse(DV * M, Ln0trSparse, - DV * M, Ln0trSparse, - DV * M, auxSparse); - } - PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_transpose_in_place_sparse(DV * M, Ln0trSparse); - - PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_mod_mul_dense_to_sparse(privateSyndrome, - syndrome, - Ln0trSparse, - DV * M); - - decrypt_ok = PQCLEAN_LEDAKEMLT52_LEAKTIME_bf_decoding(err_computed, - (const POSITION_T (*)[DV]) HtrPosOnes, - (const POSITION_T (*)[M]) QtrPosOnes, - privateSyndrome, sk->secondIterThreshold); - - err_weight = 0; - for 
(size_t i = 0 ; i < N0; i++) {
- err_weight += PQCLEAN_LEDAKEMLT52_LEAKTIME_population_count(err_computed + (NUM_DIGITS_GF2X_ELEMENT * i));
- }
- decrypt_ok = decrypt_ok && (err_weight == NUM_ERRORS_T);
-
- /* prepare mockup error vector in case a decoding failure occurs */
- memcpy(err_mockup, syndrome, NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B);
- memcpy(err_mockup + NUM_DIGITS_GF2X_ELEMENT, sk->decryption_failure_secret, TRNG_BYTE_LENGTH);
- memset(((unsigned char *) err_mockup) + (NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B) + TRNG_BYTE_LENGTH, 0x00,
- (N0 - 1)*NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B - TRNG_BYTE_LENGTH);
-
- memcpy(err, err_computed, N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B);
-
- // Overwrite on decryption failure
- PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_cmov(err, err_mockup, N0 * NUM_DIGITS_GF2X_ELEMENT, !decrypt_ok);
-
- return decrypt_ok;
-}
diff --git a/crypto_kem/ledakemlt52/leaktime/niederreiter.h b/crypto_kem/ledakemlt52/leaktime/niederreiter.h
deleted file mode 100644
index cbd51c39..00000000
--- a/crypto_kem/ledakemlt52/leaktime/niederreiter.h
+++ /dev/null
@@ -1,24 +0,0 @@
-#ifndef NIEDERREITER_H
-#define NIEDERREITER_H
-
-#include "gf2x_arith_mod_xPplusOne.h"
-#include "qc_ldpc_parameters.h"
-#include "rng.h"
-
-typedef struct {
- unsigned char prng_seed[TRNG_BYTE_LENGTH];
- uint8_t rejections;
- uint8_t secondIterThreshold;
- uint8_t decryption_failure_secret[TRNG_BYTE_LENGTH];
-} privateKeyNiederreiter_t;
-
-typedef struct {
- DIGIT Mtr[(N0 - 1)*NUM_DIGITS_GF2X_ELEMENT];
-} publicKeyNiederreiter_t;
-
-
-void PQCLEAN_LEDAKEMLT52_LEAKTIME_niederreiter_keygen(publicKeyNiederreiter_t *pk, privateKeyNiederreiter_t *sk);
-void PQCLEAN_LEDAKEMLT52_LEAKTIME_niederreiter_encrypt(DIGIT syndrome[], const publicKeyNiederreiter_t *pk, const DIGIT err[]);
-int PQCLEAN_LEDAKEMLT52_LEAKTIME_niederreiter_decrypt(DIGIT *err, const privateKeyNiederreiter_t *sk, const DIGIT *syndrome);
-
-#endif
diff --git a/crypto_kem/ledakemlt52/leaktime/qc_ldpc_parameters.h b/crypto_kem/ledakemlt52/leaktime/qc_ldpc_parameters.h
deleted file mode 100644
index fbb3e722..00000000
--- a/crypto_kem/ledakemlt52/leaktime/qc_ldpc_parameters.h
+++ /dev/null
@@ -1,27 +0,0 @@
-#ifndef QC_LDPC_PARAMETERS_H
-#define QC_LDPC_PARAMETERS_H
-
-#include "fips202.h"
-
-#define TRNG_BYTE_LENGTH (40)
-#define HASH_BYTE_LENGTH (64)
-#define HASH_FUNCTION sha3_512
-
-#define N0 (2)
-#define P (152267) // modulus(x) = x^P-1
-#define DV (13) // odd number
-#define M (13)
-#define M0 (7)
-#define M1 (6)
-#define NUM_ERRORS_T (267)
-
-// Derived parameters, they are useful for QC-LDPC algorithms
-#define HASH_BIT_LENGTH (HASH_BYTE_LENGTH << 3)
-#define K ((N0-1)*P)
-#define N (N0*P)
-#define DC (N0*DV)
-
-#define Q_BLOCK_WEIGHTS {{M0,M1},{M1,M0}}
-static const unsigned char qBlockWeights[N0][N0] = Q_BLOCK_WEIGHTS;
-
-#endif
diff --git a/crypto_kem/ledakemlt52/leaktime/rng.c b/crypto_kem/ledakemlt52/leaktime/rng.c
deleted file mode 100644
index 7bc92388..00000000
--- a/crypto_kem/ledakemlt52/leaktime/rng.c
+++ /dev/null
@@ -1,110 +0,0 @@
-#include "rng.h"
-
-#include // void *memset(void *s, int c, size_t n);
-
-#include "aes.h"
-#include "qc_ldpc_parameters.h"
-
-/* - seedexpander_init() - ctx - stores the current state of an instance of the seed expander - seed - a 32 byte random value - diversifier - an 8 byte diversifier - maxlen - maximum number of bytes (less than 2**32) generated under this seed and diversifier - */
-static void seedexpander_init(AES_XOF_struct *ctx,
- uint8_t *seed,
- uint8_t *diversifier,
- size_t maxlen) {
-
- ctx->length_remaining = maxlen;
-
- memset(ctx->key, 0, 32);
- int max_accessible_seed_len = TRNG_BYTE_LENGTH < 32 ? 32 : TRNG_BYTE_LENGTH;
- memcpy(ctx->key, seed, max_accessible_seed_len);
-
- memcpy(ctx->ctr, diversifier, 8);
- ctx->ctr[11] = maxlen % 256;
- maxlen >>= 8;
- ctx->ctr[10] = maxlen % 256;
- maxlen >>= 8;
- ctx->ctr[9] = maxlen % 256;
- maxlen >>= 8;
- ctx->ctr[8] = maxlen % 256;
- memset(ctx->ctr + 12, 0x00, 4);
-
- ctx->buffer_pos = 16;
- memset(ctx->buffer, 0x00, 16);
-}
-
-void PQCLEAN_LEDAKEMLT52_LEAKTIME_seedexpander_from_trng(AES_XOF_struct *ctx,
- const uint8_t *trng_entropy - /* TRNG_BYTE_LENGTH wide buffer */) {
-
- /*the NIST seedexpander will however access 32B from this buffer */
- unsigned int prng_buffer_size = TRNG_BYTE_LENGTH < 32 ? 32 : TRNG_BYTE_LENGTH;
- uint8_t prng_buffer[TRNG_BYTE_LENGTH < 32 ? 32 : TRNG_BYTE_LENGTH] = {0x00};
- uint8_t *diversifier = (uint8_t *)trng_entropy + 32;
-
- memcpy(prng_buffer,
- trng_entropy,
- TRNG_BYTE_LENGTH < prng_buffer_size ? 
TRNG_BYTE_LENGTH : prng_buffer_size);
-
- /* the required seed expansion will be quite small, set the max number of - * bytes conservatively to 10 MiB*/
- seedexpander_init(ctx, prng_buffer, diversifier, RNG_MAXLEN);
-}
-
-/* - seedexpander() - ctx - stores the current state of an instance of the seed expander - x - returns the XOF data - xlen - number of bytes to return - */
-int PQCLEAN_LEDAKEMLT52_LEAKTIME_seedexpander(AES_XOF_struct *ctx, uint8_t *x, size_t xlen) {
- size_t offset;
- aes256ctx ctx256;
-
- if ( x == NULL ) {
- return RNG_BAD_OUTBUF;
- }
- if ( xlen >= ctx->length_remaining ) {
- return RNG_BAD_REQ_LEN;
- }
-
- aes256_ecb_keyexp(&ctx256, ctx->key);
- ctx->length_remaining -= xlen;
-
- offset = 0;
- while ( xlen > 0 ) {
- if ( xlen <= (16 - ctx->buffer_pos) ) { // buffer has what we need
- memcpy(x + offset, ctx->buffer + ctx->buffer_pos, xlen);
- ctx->buffer_pos += xlen;
-
- goto end;
- }
-
- // take what's in the buffer
- memcpy(x + offset, ctx->buffer + ctx->buffer_pos, 16 - ctx->buffer_pos);
- xlen -= 16 - ctx->buffer_pos;
- offset += 16 - ctx->buffer_pos;
-
- aes256_ecb(ctx->buffer, ctx->ctr, 16 / AES_BLOCKBYTES, &ctx256);
- ctx->buffer_pos = 0;
-
- //increment the counter
- for (int i = 15; i >= 12; i--) {
- if ( ctx->ctr[i] == 0xff ) {
- ctx->ctr[i] = 0x00;
- } else {
- ctx->ctr[i]++;
- break;
- }
- }
-
- }
-end:
- aes256_ctx_release(&ctx256);
-
- return RNG_SUCCESS;
-}
diff --git a/crypto_kem/ledakemlt52/leaktime/rng.h b/crypto_kem/ledakemlt52/leaktime/rng.h
deleted file mode 100644
index 19470c36..00000000
--- a/crypto_kem/ledakemlt52/leaktime/rng.h
+++ /dev/null
@@ -1,24 +0,0 @@
-#ifndef RNG_H
-#define RNG_H
-
-#include
-#include
-
-#define RNG_SUCCESS ( 0)
-#define RNG_BAD_MAXLEN (-1)
-#define RNG_BAD_OUTBUF (-2)
-#define RNG_BAD_REQ_LEN (-3)
-#define RNG_MAXLEN (10 * 1024 * 1024)
-
-typedef struct {
- unsigned char buffer[16];
- size_t buffer_pos;
- size_t length_remaining;
- unsigned char key[32];
- unsigned char ctr[16];
-} AES_XOF_struct;
-
-int PQCLEAN_LEDAKEMLT52_LEAKTIME_seedexpander(AES_XOF_struct *ctx, unsigned char *x, size_t xlen);
-void PQCLEAN_LEDAKEMLT52_LEAKTIME_seedexpander_from_trng(AES_XOF_struct *ctx, const unsigned char *trng_entropy);
-
-#endif
diff --git a/crypto_kem/ledakemlt52/leaktime/sort.c b/crypto_kem/ledakemlt52/leaktime/sort.c
deleted file mode 100644
index 5db05711..00000000
--- a/crypto_kem/ledakemlt52/leaktime/sort.c
+++ /dev/null
@@ -1,98 +0,0 @@
-#include "sort.h"
-
-/* - Constant-time uint32_t sorting by Daniel J. Bernstein - Source: https://sorting.cr.yp.to
-*/
-
-#define int32_MINMAX(a,b) \
- do { \
- int32 ab = (b) ^ (a); \
- int32 c = (b) - (a); \
- c ^= ab & (c ^ (b)); \
- c >>= 31; \
- c &= ab; \
- (a) ^= c; \
- (b) ^= c; \
- } while(0)
-
-static void int32_sort(int32 *x, size_t n) {
- size_t top, p, q, r, i, j;
-
- if (n < 2) {
- return;
- }
- top = 1;
- while (top < n - top) {
- top += top;
- }
-
- for (p = top; p >= 1; p >>= 1) {
- i = 0;
- while (i + 2 * p <= n) {
- for (j = i; j < i + p; ++j) {
- int32_MINMAX(x[j], x[j + p]);
- }
- i += 2 * p;
- }
- for (j = i; j < n - p; ++j) {
- int32_MINMAX(x[j], x[j + p]);
- }
-
- i = 0;
- j = 0;
- for (q = top; q > p; q >>= 1) {
- if (j != i) {
- for (;;) {
- if (j == n - q) {
- goto done;
- }
- int32 a = x[j + p];
- for (r = q; r > p; r >>= 1) {
- int32_MINMAX(a, x[j + r]);
- }
- x[j + p] = a;
- ++j;
- if (j == i + p) {
- i += 2 * p;
- break;
- }
- }
- }
- while (i + p <= n - q) {
- for (j = i; j < i + p; ++j) {
- int32 a = x[j + p];
- for (r = q; r > p; r >>= 1) {
- int32_MINMAX(a, x[j + r]);
- }
- x[j + p] = a;
- }
- i += 2 * p;
- }
- /* now i + p > n - q */
- j = i;
- while (j < n - q) {
- int32 a = x[j + p];
- for (r = q; r > p; r >>= 1) {
- int32_MINMAX(a, x[j + r]);
- }
- x[j + p] = a;
- ++j;
- }
-done:
- ;
- }
- }
-}
-
-/* can save time by integrating xor loops with int32_sort */
-void PQCLEAN_LEDAKEMLT52_LEAKTIME_uint32_sort(uint32_t *x, size_t n) {
- size_t j;
- for (j = 0; j < n; ++j) {
- x[j] ^= 0x80000000;
- }
- int32_sort((int32_t *) x, n);
- for (j = 0; j < n; ++j) {
- x[j] ^= 0x80000000;
- }
-}
diff --git a/crypto_kem/ledakemlt52/leaktime/sort.h b/crypto_kem/ledakemlt52/leaktime/sort.h
deleted file mode 100644
index e4f414c9..00000000
--- a/crypto_kem/ledakemlt52/leaktime/sort.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef SORT_H
-#define SORT_H
-
-#include
-#include
-
-#define int32 int32_t
-
-void PQCLEAN_LEDAKEMLT52_LEAKTIME_uint32_sort(uint32_t *x, size_t n);
-
-#endif
diff --git a/crypto_kem/ledakemlt52/leaktime/utils.c b/crypto_kem/ledakemlt52/leaktime/utils.c
deleted file mode 100644
index 74fb8414..00000000
--- a/crypto_kem/ledakemlt52/leaktime/utils.c
+++ /dev/null
@@ -1,21 +0,0 @@
-#include "gf2x_arith.h"
-#include "utils.h"
-
-/* compares DIGIT sequences, returns 0 if they are equal */
-int PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_verify(const DIGIT *a, const DIGIT *b, size_t len) {
- DIGIT x = 0;
- for (size_t i = 0; i < len; i++) {
- x |= a[i] ^ b[i];
- }
- x = (~x) + 1;
- x >>= (DIGIT_SIZE_b - 1);
- return (int)x;
-}
-
-/* conditionally move a into r if cond */
-void PQCLEAN_LEDAKEMLT52_LEAKTIME_cmov(uint8_t *r, const uint8_t *a, size_t len, int cond) {
- uint8_t mask = (uint8_t)(-cond);
- for (size_t i = 0; i < len; i++) {
- r[i] ^= mask & (r[i] ^ a[i]);
- }
-}
diff --git a/crypto_kem/ledakemlt52/leaktime/utils.h b/crypto_kem/ledakemlt52/leaktime/utils.h
deleted file mode 100644
index da09a7d8..00000000
--- a/crypto_kem/ledakemlt52/leaktime/utils.h
+++ /dev/null
@@ -1,9 +0,0 @@
-#ifndef UTILS_H
-#define UTILS_H
-
-#include
-
-int PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_verify(const DIGIT *a, const DIGIT *b, size_t len);
-void PQCLEAN_LEDAKEMLT52_LEAKTIME_cmov(uint8_t *r, const uint8_t *a, size_t len, int cond);
-
-#endif
diff --git a/crypto_kem/mamabear-ephem/META.yml b/crypto_kem/mamabear-ephem/META.yml
deleted file mode 100644
index ba148182..00000000
--- a/crypto_kem/mamabear-ephem/META.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-name: MamaBearEphem
-type: kem
-claimed-nist-level: 3
-claimed-security: IND-CPA
-length-public-key: 1194
-length-ciphertext: 1307
-length-secret-key: 40
-length-shared-secret: 32
-nistkat-sha256: ef94f0f6471a1276efd9e019195489661c2356027fc2e8163e3718a1df027123
-principal-submitters:
- - Mike Hamburg
-implementations:
- - name: clean
- version: https://sourceforge.net/p/threebears/code/ci/f4ce0ebfc84a5e01a75bfc8297b6d175e993cfa4/
diff --git a/crypto_kem/mamabear-ephem/clean/LICENSE b/crypto_kem/mamabear-ephem/clean/LICENSE
deleted file mode 100644
index 5fb15a7c..00000000
--- a/crypto_kem/mamabear-ephem/clean/LICENSE
+++ /dev/null
@@ -1,24 +0,0 @@
-Copyright (c) 2016-2019 Rambus, Inc.
-and licensed under the following MIT license.
-
-The MIT License (MIT)
-
-Copyright (c) 2016-2019 Rambus Inc.
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
diff --git a/crypto_kem/mamabear-ephem/clean/Makefile b/crypto_kem/mamabear-ephem/clean/Makefile
deleted file mode 100644
index cfec1779..00000000
--- a/crypto_kem/mamabear-ephem/clean/Makefile
+++ /dev/null
@@ -1,21 +0,0 @@
-# This Makefile can be used with GNU Make or BSD Make
-
-LIB=libmamabear-ephem_clean.a
-
-HEADERS = api.h melas_fec.h params.h ring.h threebears.h
-OBJECTS = kem.o melas_fec.o ring.o threebears.o
-
-
-CFLAGS=-O3 -Wall -Wextra -Wpedantic -Werror -Wmissing-prototypes -Wredundant-decls -std=c99 -I../../../common $(EXTRAFLAGS)
-
-all: $(LIB)
-
-%.o: %.c $(HEADERS)
- $(CC) $(CFLAGS) -c -o $@ $<
-
-$(LIB): $(OBJECTS)
- $(AR) -r $@ $(OBJECTS)
-
-clean:
- $(RM) $(OBJECTS)
- $(RM) $(LIB)
diff --git a/crypto_kem/mamabear-ephem/clean/Makefile.Microsoft_nmake b/crypto_kem/mamabear-ephem/clean/Makefile.Microsoft_nmake
deleted file mode 100644
index 078a722d..00000000
--- a/crypto_kem/mamabear-ephem/clean/Makefile.Microsoft_nmake
+++ /dev/null
@@ -1,19 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=libmamabear-ephem_clean.lib
-OBJECTS = kem.obj melas_fec.obj ring.obj threebears.obj
-
-CFLAGS=/nologo /I ..\..\..\common /W4 /WX
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_kem/mamabear-ephem/clean/api.h b/crypto_kem/mamabear-ephem/clean/api.h
deleted file mode 100644
index fbc93805..00000000
--- a/crypto_kem/mamabear-ephem/clean/api.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef PQCLEAN_MAMABEAREPHEM_CLEAN_API_H
-#define PQCLEAN_MAMABEAREPHEM_CLEAN_API_H
-
-#include
-#include
-#include
-
-#define PQCLEAN_MAMABEAREPHEM_CLEAN_CRYPTO_SECRETKEYBYTES 40
-#define PQCLEAN_MAMABEAREPHEM_CLEAN_CRYPTO_PUBLICKEYBYTES 1194
-#define PQCLEAN_MAMABEAREPHEM_CLEAN_CRYPTO_BYTES 32
-#define PQCLEAN_MAMABEAREPHEM_CLEAN_CRYPTO_CIPHERTEXTBYTES 1307
-#define PQCLEAN_MAMABEAREPHEM_CLEAN_CRYPTO_ALGNAME "MamaBearEphem"
-
-int PQCLEAN_MAMABEAREPHEM_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
-int PQCLEAN_MAMABEAREPHEM_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int PQCLEAN_MAMABEAREPHEM_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
-#endif
diff --git a/crypto_kem/mamabear-ephem/clean/kem.c b/crypto_kem/mamabear-ephem/clean/kem.c
deleted file mode 100644
index e70f0456..00000000
--- a/crypto_kem/mamabear-ephem/clean/kem.c
+++ /dev/null
@@ -1,22 +0,0 @@
-#include "api.h"
-#include "params.h"
-#include "randombytes.h"
-#include "threebears.h"
-
-int PQCLEAN_MAMABEAREPHEM_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) {
- randombytes(sk, PRIVATE_KEY_BYTES);
- PQCLEAN_MAMABEAREPHEM_CLEAN_get_pubkey(pk, sk);
- return 0;
-}
-
-int PQCLEAN_MAMABEAREPHEM_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk) {
- uint8_t seed[ENC_SEED_BYTES + IV_BYTES];
- randombytes(seed, sizeof(seed));
- encapsulate(ss, ct, pk, seed);
- return 0;
-}
-
-int PQCLEAN_MAMABEAREPHEM_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk) {
- PQCLEAN_MAMABEAREPHEM_CLEAN_decapsulate(ss, ct, sk);
- return 0;
-}
diff --git a/crypto_kem/mamabear-ephem/clean/melas_fec.c b/crypto_kem/mamabear-ephem/clean/melas_fec.c
deleted file mode 100644
index 7c11b822..00000000
--- a/crypto_kem/mamabear-ephem/clean/melas_fec.c
+++ /dev/null
@@ -1,87 +0,0 @@
-/* Melas forward error correction, reference code (as implemented in the paper) */
-#include "melas_fec.h"
-
-/* Return s/2^n mod R */
-static fec_gf_t step(size_t n, fec_gf_t R, fec_gf_t s) {
- for (; n; n--) {
- s = (s ^ ((s & 1) * R)) >> 1;
- }
- return s;
-}
-
-/* Compute syndrome(data), where data has length len */
-#define syndrome18(data,len) s18update(0,data,len)
-static fec_gf_t s18update(fec_gf_t r, const uint8_t *data, size_t len) {
- for (size_t i = 0; i < len; i++) {
- r = step(8, 0x46231, r ^ data[i]);
- }
- return r;
-}
-
-/* Append 3 bytes of FEC(data) to data, so that the FEC becomes 0 */
-void PQCLEAN_MAMABEAREPHEM_CLEAN_melas_fec_set(
- uint8_t out[MELAS_FEC_BYTES],
- const uint8_t *data,
- size_t len
-) {
- fec_gf_t fec = syndrome18(data, len);
- for (size_t i = 0; i < MELAS_FEC_BYTES; i++, fec >>= 8) {
- out[i] = (uint8_t)fec;
- }
-}
-
-/* Return a*b mod Q */
-static fec_gf_t mul(fec_gf_t a, fec_gf_t b) {
- fec_gf_t r = 0;
- for (size_t i = 0; i < 9; i++) {
- r ^= ((b >> (8 - i)) & 1) * a;
- a = step(1, Q, a);
- }
- return r;
-}
-
-/* Reverse an 18-bit number x */
-static fec_gf_t reverse18(fec_gf_t x) {
- fec_gf_t ret = 0;
- for (size_t i = 0; i < 18; i++) {
- ret ^= ((x >> i) & 1) << (17 - i);
- }
- return ret;
-}
-
-/* Correct data to have the given FEC */
-void PQCLEAN_MAMABEAREPHEM_CLEAN_melas_fec_correct (
- uint8_t *data,
- size_t len,
- const uint8_t fec[MELAS_FEC_BYTES]
-) {
-
- fec_gf_t a = s18update(syndrome18(data, len), fec, MELAS_FEC_BYTES);
- fec_gf_t c, r, htr;
- size_t i;
- const uint8_t table[9] = {36, 10, 43, 215, 52, 11, 116, 244, 0};
- fec_gf_t e0, e1;
-
- /* Form a quadratic equation from the syndrome */
- c = mul(step(9, Q, a), step(9, Q, reverse18(a)));
- for (i = 0, r = 0x100; i < 510; i++) {
- r = mul(r, c);
- }
- r = step(17, Q, r);
- a = step(511 - (len + MELAS_FEC_BYTES) * 8, Q, a);
-
- /* Solve using the half trace */
- for (i = 0, htr = 0; i < 9; i++) {
- htr ^= ((r >> i) & 1) * table[i];
- }
- 
e0 = mul(a, htr);
- e1 = e0 ^ a;
-
- /* Correct the errors using the locators */
- for (i = 0; i < len; i++) {
- data[i] ^= (uint8_t)(e0 & (((e0 & (e0 - 1)) - 1) >> 9));
- data[i] ^= (uint8_t)(e1 & (((e1 & (e1 - 1)) - 1) >> 9));
- e0 = step(8, Q, e0);
- e1 = step(8, Q, e1);
- }
-}
diff --git a/crypto_kem/mamabear-ephem/clean/melas_fec.h b/crypto_kem/mamabear-ephem/clean/melas_fec.h
deleted file mode 100644
index 9dd15313..00000000
--- a/crypto_kem/mamabear-ephem/clean/melas_fec.h
+++ /dev/null
@@ -1,26 +0,0 @@
-#ifndef __THREEBEARS_MELAS_FEC_H__
-#define __THREEBEARS_MELAS_FEC_H__
-
-#include "api.h"
-
-#define MELAS_FEC_BYTES 3
-#define MELAS_FEC_BITS 18
-
-typedef uint32_t fec_gf_t;
-static const fec_gf_t Q = 0x211;
-
-/* Append 3 bytes of FEC(data) to data, so that the FEC becomes 0 */
-void PQCLEAN_MAMABEAREPHEM_CLEAN_melas_fec_set(
- uint8_t out[MELAS_FEC_BYTES],
- const uint8_t *data,
- size_t len
-);
-
-/* Append 3 bytes of FEC(data) to data, so that the FEC becomes 0 */
-void PQCLEAN_MAMABEAREPHEM_CLEAN_melas_fec_correct(
- uint8_t *data,
- size_t len,
- const uint8_t fec[MELAS_FEC_BYTES]
-);
-
-#endif
diff --git a/crypto_kem/mamabear-ephem/clean/params.h b/crypto_kem/mamabear-ephem/clean/params.h
deleted file mode 100644
index a0eb5351..00000000
--- a/crypto_kem/mamabear-ephem/clean/params.h
+++ /dev/null
@@ -1,29 +0,0 @@
-#ifndef __THREEBEARS_PARAMS_H__
-#define __THREEBEARS_PARAMS_H__
-
-#define VERSION 1
-#define MATRIX_SEED_BYTES 24
-#define ENC_SEED_BYTES 32
-#define IV_BYTES 0
-#define LGX 10
-#define DIGITS 312
-#define DIM 3
-#define VAR_TIMES_128 112
-#define LPR_BITS 4
-#define FEC_BITS 18
-#define CCA 0
-#define SHARED_SECRET_BYTES 32
-#define PRIVATE_KEY_BYTES 40
-#define PRF_KEY_BYTES PRIVATE_KEY_BYTES
-
-#define BEAR_NAME "MamaBearEphem"
-#define encapsulate PQCLEAN_MAMABEAREPHEM_CLEAN_encapsulate
-#define decapsulate PQCLEAN_MAMABEAREPHEM_CLEAN_decapsulate
-#define get_pubkey PQCLEAN_MAMABEAREPHEM_CLEAN_get_pubkey
-
-#define GF_BYTES ((LGX*DIGITS+7)/8)
-#define PUBLIC_KEY_BYTES (MATRIX_SEED_BYTES + DIM*GF_BYTES)
-#define CAPSULE_BYTES \
- (DIM*GF_BYTES + IV_BYTES + ((ENC_SEED_BYTES*8+FEC_BITS)*LPR_BITS+7)/8)
-
-#endif
diff --git a/crypto_kem/mamabear-ephem/clean/ring.c b/crypto_kem/mamabear-ephem/clean/ring.c
deleted file mode 100644
index 4b4251db..00000000
--- a/crypto_kem/mamabear-ephem/clean/ring.c
+++ /dev/null
@@ -1,107 +0,0 @@
-/** Ring arithmetic implementation */
-#include "ring.h"
-
-/** Return the i'th limb of the modulus */
-limb_t PQCLEAN_MAMABEAREPHEM_CLEAN_modulus(size_t i) {
- return (i == DIGITS / 2) ? LMASK - 1 : LMASK;
-}
-
-/** Multiply and accumulate c += a*b */
-void PQCLEAN_MAMABEAREPHEM_CLEAN_mac(gf_t c, const gf_t a, const gf_t b) {
- /* Reference non-Karatsuba MAC */
- dslimb_t accum[2 * DIGITS] = {0};
- dslimb_t chain;
- size_t i, j;
-
- /* Initialize accumulator = unclarify(c) */
- for (i = 0; i < DIGITS; i++) {
- accum[i + DIGITS / 2] = c[i];
- }
-
- /* Multiply */
- for (i = 0; i < DIGITS; i++) {
- for (j = 0; j < DIGITS; j++) {
- accum[i + j] += (dslimb_t)a[i] * b[j];
- }
- }
-
- /* Clarify and reduce */
- for (i = 0; i < DIGITS / 2; i++) {
- accum[i + DIGITS / 2] -= accum[i];
- accum[i + DIGITS] += accum[i];
- accum[i + DIGITS / 2] += accum[i + 3 * DIGITS / 2];
- accum[i + DIGITS] += accum[i + 3 * DIGITS / 2];
- }
-
- /* Carry propagate */
- chain = accum[3 * DIGITS / 2 - 1];
- accum[3 * DIGITS / 2 - 1] = chain & LMASK;
- chain >>= LGX;
- accum[DIGITS] += chain;
- for (i = DIGITS / 2; i < 3 * DIGITS / 2; i++) {
- chain += accum[i];
- c[i - DIGITS / 2] = chain & LMASK;
- chain >>= LGX;
- }
- c[0] = (limb_t) (c[0] + chain);
- c[DIGITS / 2] = (limb_t) (c[DIGITS / 2] + chain);
-}
-
-/** Reduce a gf_t to canonical form, i.e. strictly less than N. */
-void PQCLEAN_MAMABEAREPHEM_CLEAN_canon(gf_t c) {
- const limb_t DELTA = (limb_t)1 << (LGX - 1);
- slimb_t hi;
- dslimb_t scarry;
- dlimb_t carry;
-
- /* Reduce to 0..2p */
- hi = (slimb_t) (c[DIGITS - 1] - DELTA);
- c[DIGITS - 1] = (limb_t) ((hi & LMASK) + DELTA);
- c[DIGITS / 2] = (limb_t) (c[DIGITS / 2] + (hi >> LGX));
-
- /* Strong reduce. 
First subtract modulus */
- scarry = hi >> LGX;
- for (size_t i = 0; i < DIGITS; i++) {
- scarry = scarry + (slimb_t)c[i] - PQCLEAN_MAMABEAREPHEM_CLEAN_modulus(i);
- c[i] = scarry & LMASK;
- scarry >>= LGX;
- }
-
- /* add it back */
- carry = 0;
- for (size_t i = 0; i < DIGITS; i++) {
- carry = carry + c[i] + ((dlimb_t)scarry & PQCLEAN_MAMABEAREPHEM_CLEAN_modulus(i));
- c[i] = carry & LMASK;
- carry >>= LGX;
- }
-}
-
-/** Serialize a gf_t to bytes */
-void PQCLEAN_MAMABEAREPHEM_CLEAN_contract(uint8_t ch[GF_BYTES], gf_t a) {
- size_t pos;
-
- PQCLEAN_MAMABEAREPHEM_CLEAN_canon(a);
- for (size_t i = 0; i < GF_BYTES; i++) {
- pos = (i * 8) / LGX;
- ch[i] = (uint8_t)(a[pos] >> ((i * 8) % LGX));
- if (i < GF_BYTES - 1) {
- ch[i] |= (uint8_t)(a[pos + 1] << (LGX - ((i * 8) % LGX)));
- }
- }
-}
-
-/** Deserialize a gf_t from bytes */
-void PQCLEAN_MAMABEAREPHEM_CLEAN_expand(gf_t ll, const uint8_t ch[GF_BYTES]) {
- limb_t tmp, buffer = 0;
-
- for (size_t i = 0, j = 0, bbits = 0; i < GF_BYTES; i++) {
- tmp = ch[i];
- buffer |= (limb_t)(tmp << bbits);
- bbits += 8;
- if (bbits >= LGX) {
- ll[j++] = buffer & LMASK;
- buffer = (limb_t)(tmp >> (LGX - (bbits - 8)));
- bbits = bbits - LGX;
- }
- }
-}
diff --git a/crypto_kem/mamabear-ephem/clean/ring.h b/crypto_kem/mamabear-ephem/clean/ring.h
deleted file mode 100644
index 8036f3b9..00000000
--- a/crypto_kem/mamabear-ephem/clean/ring.h
+++ /dev/null
@@ -1,29 +0,0 @@
-#ifndef __THREEBEARS_RING_H__
-#define __THREEBEARS_RING_H__
-
-#include "api.h"
-#include "params.h"
-
-typedef uint16_t limb_t;
-typedef int16_t slimb_t;
-typedef uint32_t dlimb_t;
-typedef int32_t dslimb_t;
-#define LMASK (((limb_t)1<> 8, DIM,
- VAR_TIMES_128 - 1, LPR_BITS, FEC_BITS, CCA, 0 /* padding */
- };
-
- cshake256_inc_init(ctx, NULL, 0, (const uint8_t *)S, sizeof(S) - 1);
- cshake256_inc_absorb(ctx, (const uint8_t *)pblock, sizeof(pblock));
- cshake256_inc_absorb(ctx, &purpose, 1);
-}
-
-/** Sample n gf_t's uniformly from a seed */
-static void uniform(gf_t matrix, const uint8_t *seed, uint8_t iv) {
- uint8_t c[GF_BYTES];
- shake256incctx ctx;
-
- threebears_hash_init(&ctx, HASH_PURPOSE_UNIFORM);
- cshake256_inc_absorb(&ctx, seed, MATRIX_SEED_BYTES);
- cshake256_inc_absorb(&ctx, &iv, 1);
- cshake256_inc_finalize(&ctx);
- cshake256_inc_squeeze(c, sizeof(c), &ctx);
- cshake256_inc_ctx_release(&ctx);
- PQCLEAN_MAMABEAREPHEM_CLEAN_expand(matrix, c);
-}
-
-/** The ThreeBears error distribution */
-static slimb_t psi(uint8_t ci) {
- int sample = 0, var = VAR_TIMES_128;
-
- for (; var > 64; var -= 64, ci = (uint8_t)(ci << 2)) {
- sample += ((ci + 64) >> 8) + ((ci - 64) >> 8);
- }
- return (slimb_t)(sample + ((ci + var) >> 8) + ((ci - var) >> 8));
-}
-
-/** Sample a vector of n noise elements */
-static void noise(gf_t x, const shake256incctx *ctx, uint8_t iv) {
- uint8_t c[DIGITS];
- shake256incctx ctx2;
-
- cshake256_inc_ctx_clone(&ctx2, ctx);
- cshake256_inc_absorb(&ctx2, &iv, 1);
- cshake256_inc_finalize(&ctx2);
- cshake256_inc_squeeze(c, DIGITS, &ctx2);
- for (size_t i = 0; i < DIGITS; i++) {
- x[i] = (limb_t)(psi(c[i]) + PQCLEAN_MAMABEAREPHEM_CLEAN_modulus(i));
- }
- cshake256_inc_ctx_release(&ctx2);
-}
-
-/* Expand public key from private key */
-void PQCLEAN_MAMABEAREPHEM_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) {
- shake256incctx ctx;
- shake256incctx ctx2;
- gf_t sk_expanded[DIM], b, c;
-
- threebears_hash_init(&ctx, 
HASH_PURPOSE_KEYGEN);
- cshake256_inc_absorb(&ctx, sk, PRIVATE_KEY_BYTES);
-
- cshake256_inc_ctx_clone(&ctx2, &ctx);
- cshake256_inc_finalize(&ctx2);
- cshake256_inc_squeeze(pk, MATRIX_SEED_BYTES, &ctx2);
- cshake256_inc_ctx_release(&ctx2);
-
- for (uint8_t i = 0; i < DIM; i++) {
- noise(sk_expanded[i], &ctx, i);
- }
- for (uint8_t i = 0; i < DIM; i++) {
- noise(c, &ctx, (uint8_t)(i + DIM));
- for (uint8_t j = 0; j < DIM; j++) {
- uniform(b, pk, (uint8_t) (i + DIM * j));
- PQCLEAN_MAMABEAREPHEM_CLEAN_mac(c, b, sk_expanded[j]);
- }
- PQCLEAN_MAMABEAREPHEM_CLEAN_contract(&pk[MATRIX_SEED_BYTES + i * GF_BYTES], c);
- }
- cshake256_inc_ctx_release(&ctx);
-}
-
-/* Encapsulate a shared secret and return it */
-void PQCLEAN_MAMABEAREPHEM_CLEAN_encapsulate(
- uint8_t *shared_secret,
- uint8_t *capsule,
- const uint8_t *pk,
- const uint8_t *seed
-) {
- uint8_t *lpr_data = &capsule[GF_BYTES * DIM];
- shake256incctx ctx;
- gf_t sk_expanded[DIM], b, c;
- uint8_t tbi[ENC_SEED_BYTES + FEC_BYTES];
- dlimb_t rlimb0, rlimb1;
- limb_t h;
- uint8_t *iv = &lpr_data[(ENC_BITS * LPR_BITS + 7) / 8];
-
- memcpy(iv, &seed[ENC_SEED_BYTES], IV_BYTES);
-
- threebears_hash_init(&ctx, HASH_PURPOSE_ENCAPS);
- cshake256_inc_absorb(&ctx, pk, MATRIX_SEED_BYTES);
- cshake256_inc_absorb(&ctx, seed, ENC_SEED_BYTES + IV_BYTES);
-
- for (uint8_t i = 0; i < DIM; i++) {
- noise(sk_expanded[i], &ctx, i);
- }
- for (uint8_t i = 0; i < DIM; i++) {
- noise(c, &ctx, (uint8_t)(i + DIM));
- for (uint8_t j = 0; j < DIM; j++) {
- uniform(b, pk, (uint8_t)(j + DIM * i));
- PQCLEAN_MAMABEAREPHEM_CLEAN_mac(c, b, sk_expanded[j]);
- }
- PQCLEAN_MAMABEAREPHEM_CLEAN_contract(&capsule[i * GF_BYTES], c);
- }
- noise(c, &ctx, (uint8_t)(2 * DIM));
-
- /* Calculate approximate shared secret */
- for (uint8_t i = 0; i < DIM; i++) {
- PQCLEAN_MAMABEAREPHEM_CLEAN_expand(b, &pk[MATRIX_SEED_BYTES + i * GF_BYTES]);
- PQCLEAN_MAMABEAREPHEM_CLEAN_mac(c, b, sk_expanded[i]);
- }
- PQCLEAN_MAMABEAREPHEM_CLEAN_canon(c);
-
-
- 
cshake256_inc_finalize(&ctx);
- cshake256_inc_squeeze(tbi, ENC_SEED_BYTES, &ctx);
- cshake256_inc_ctx_release(&ctx);
-
- threebears_hash_init(&ctx, HASH_PURPOSE_ENCAPS);
- cshake256_inc_absorb(&ctx, pk, MATRIX_SEED_BYTES);
- cshake256_inc_absorb(&ctx, tbi, ENC_SEED_BYTES);
- cshake256_inc_absorb(&ctx, iv, IV_BYTES);
-
- PQCLEAN_MAMABEAREPHEM_CLEAN_melas_fec_set(&tbi[ENC_SEED_BYTES], tbi, ENC_SEED_BYTES);
-
- /* Export with rounding */
- for (size_t i = 0; i < ENC_BITS; i += 2) {
- h = (limb_t)(tbi[i / 8] >> (i % 8));
- rlimb0 = (dlimb_t)((c[i / 2] >> (LGX - LPR_BITS)) + (h << 3));
- rlimb1 = (dlimb_t)((c[DIGITS - i / 2 - 1] >> (LGX - LPR_BITS)) + ((h >> 1) << 3));
- lpr_data[i / 2] = (uint8_t)((rlimb0 & 0xF) | rlimb1 << 4);
- }
-
- cshake256_inc_finalize(&ctx);
- cshake256_inc_squeeze(shared_secret, SHARED_SECRET_BYTES, &ctx);
- cshake256_inc_ctx_release(&ctx);
-}
-
-/* Decapsulate a shared secret and return it */
-void PQCLEAN_MAMABEAREPHEM_CLEAN_decapsulate(
- uint8_t shared_secret[SHARED_SECRET_BYTES],
- const uint8_t capsule[CAPSULE_BYTES],
- const uint8_t sk[PRIVATE_KEY_BYTES]
-) {
- const uint8_t *lpr_data = &capsule[GF_BYTES * DIM];
- shake256incctx ctx;
- gf_t ska, b, c = {0};
- uint8_t seed[ENC_SEED_BYTES + FEC_BYTES + IV_BYTES];
- limb_t rounding, out;
- size_t j;
- limb_t our_rlimb, their_rlimb, delta;
- uint8_t matrix_seed[MATRIX_SEED_BYTES];
-
- /* Calculate approximate shared secret */
- threebears_hash_init(&ctx, HASH_PURPOSE_KEYGEN);
- cshake256_inc_absorb(&ctx, sk, PRIVATE_KEY_BYTES);
-
- for (uint8_t i = 0; i < DIM; i++) {
- PQCLEAN_MAMABEAREPHEM_CLEAN_expand(b, &capsule[i * GF_BYTES]);
- noise(ska, &ctx, i);
- PQCLEAN_MAMABEAREPHEM_CLEAN_mac(c, ska, b);
- }
-
- /* Recover seed from LPR data */
- PQCLEAN_MAMABEAREPHEM_CLEAN_canon(c);
- rounding = 1 << (LPR_BITS - 1);
- out = 0;
- for (int32_t i = ENC_BITS - 1; i >= 0; i--) {
- j = (size_t) ((i & 1) ? 
DIGITS - i / 2 - 1 : i / 2);
- our_rlimb = (limb_t)(c[j] >> (LGX - LPR_BITS - 1));
- their_rlimb = (limb_t)(lpr_data[i * LPR_BITS / 8] >> ((i * LPR_BITS) % 8));
- delta = (limb_t)(their_rlimb * 2 - our_rlimb + rounding);
- out |= (limb_t)(((delta >> LPR_BITS) & 1) << (i % 8));
- if (i % 8 == 0) {
- seed[i / 8] = (uint8_t)out;
- out = 0;
- }
- }
- PQCLEAN_MAMABEAREPHEM_CLEAN_melas_fec_correct(seed, ENC_SEED_BYTES, &seed[ENC_SEED_BYTES]);
-
- /* Recalculate matrix seed */
- cshake256_inc_finalize(&ctx);
- cshake256_inc_squeeze(matrix_seed, MATRIX_SEED_BYTES, &ctx);
- cshake256_inc_ctx_release(&ctx);
-
- /* Re-run the key derivation from encaps */
- threebears_hash_init(&ctx, HASH_PURPOSE_ENCAPS);
- cshake256_inc_absorb(&ctx, matrix_seed, MATRIX_SEED_BYTES);
- cshake256_inc_absorb(&ctx, seed, ENC_SEED_BYTES);
- cshake256_inc_absorb(&ctx, &lpr_data[(ENC_BITS * LPR_BITS + 7) / 8], IV_BYTES);
- cshake256_inc_finalize(&ctx);
- cshake256_inc_squeeze(shared_secret, SHARED_SECRET_BYTES, &ctx);
- cshake256_inc_ctx_release(&ctx);
-}
diff --git a/crypto_kem/mamabear-ephem/clean/threebears.h b/crypto_kem/mamabear-ephem/clean/threebears.h
deleted file mode 100644
index 87db61c3..00000000
--- a/crypto_kem/mamabear-ephem/clean/threebears.h
+++ /dev/null
@@ -1,60 +0,0 @@ -#ifndef __THREE_BEARS_MAMABEAREPHEM_H__ -#define __THREE_BEARS_MAMABEAREPHEM_H__ - -#include /* for size_t */ -#include - -#define MAMABEAREPHEM_KEYGEN_SEED_BYTES 40 -#define MAMABEAREPHEM_PRIVATE_KEY_BYTES MAMABEAREPHEM_KEYGEN_SEED_BYTES -#define MAMABEAREPHEM_SHARED_SECRET_BYTES 32 -#define MAMABEAREPHEM_ENC_SEED_AND_IV_BYTES 32 -#define MAMABEAREPHEM_PUBLIC_KEY_BYTES 1194 -#define MAMABEAREPHEM_CAPSULE_BYTES 1307 - -/** - * Expand a secret seed to a public/private keypair. - * - * @param[out] pk The public key. - * @param[in] sk The private key, which must be uniformly random. - */ -void PQCLEAN_MAMABEAREPHEM_CLEAN_get_pubkey ( - uint8_t pk[MAMABEAREPHEM_PUBLIC_KEY_BYTES], - const uint8_t sk[MAMABEAREPHEM_PRIVATE_KEY_BYTES] -); - -/** - * Create a shared secret using a random seed and another party's public key. - * - * Input and output parameters may not alias. - * - * @param[out] shared_secret The shared secret key. - * @param[out] capsule A ciphertext to send to the other party. - * @param[in] pk The other party's public key. - * @param[in] seed A random seed. - */ -void PQCLEAN_MAMABEAREPHEM_CLEAN_encapsulate ( - uint8_t shared_secret[MAMABEAREPHEM_SHARED_SECRET_BYTES], - uint8_t capsule[MAMABEAREPHEM_CAPSULE_BYTES], - const uint8_t pk[MAMABEAREPHEM_PUBLIC_KEY_BYTES], - const uint8_t seed[MAMABEAREPHEM_ENC_SEED_AND_IV_BYTES] -); - -/** - * Extract the shared secret from a capsule using the private key. - * Has a negligible but nonzero probability of failure. - * - * Input and output parameters may not alias. - * - * @param[out] shared_secret The shared secret. - * @param[in] capsule The capsule produced by encapsulate_cca2. - * @param[in] sk The private key. - * @return -1 on failure, 0 on success. 
- * @warning The value of shared_secret must not be used on failure - */ -void PQCLEAN_MAMABEAREPHEM_CLEAN_decapsulate ( - uint8_t shared_secret[MAMABEAREPHEM_SHARED_SECRET_BYTES], - const uint8_t capsule[MAMABEAREPHEM_CAPSULE_BYTES], - const uint8_t sk[MAMABEAREPHEM_PRIVATE_KEY_BYTES] -); - -#endif diff --git a/crypto_kem/mamabear/META.yml b/crypto_kem/mamabear/META.yml deleted file mode 100644 index d0ea60f8..00000000 --- a/crypto_kem/mamabear/META.yml +++ /dev/null @@ -1,14 +0,0 @@ -name: MamaBear -type: kem -claimed-nist-level: 3 -claimed-security: IND-CCA2 -length-public-key: 1194 -length-ciphertext: 1307 -length-secret-key: 40 -length-shared-secret: 32 -nistkat-sha256: 2161de5015dc0477106b71ba17498982f77fae127fce724496c8a587803b1839 -principal-submitters: - - Mike Hamburg -implementations: - - name: clean - version: https://sourceforge.net/p/threebears/code/ci/f4ce0ebfc84a5e01a75bfc8297b6d175e993cfa4/ diff --git a/crypto_kem/mamabear/clean/LICENSE b/crypto_kem/mamabear/clean/LICENSE deleted file mode 100644 index 5fb15a7c..00000000 --- a/crypto_kem/mamabear/clean/LICENSE +++ /dev/null 
@@ -1,24 +0,0 @@ -Copyright (c) 2016-2019 Rambus, Inc. -and licensed under the following MIT license. - -The MIT License (MIT) - -Copyright (c) 2016-2019 Rambus Inc. - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in -all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -THE SOFTWARE. diff --git a/crypto_kem/mamabear/clean/Makefile b/crypto_kem/mamabear/clean/Makefile deleted file mode 100644 index b1242883..00000000 --- a/crypto_kem/mamabear/clean/Makefile +++ /dev/null @@ -1,21 +0,0 @@ -# This Makefile can be used with GNU Make or BSD Make - -LIB=libmamabear_clean.a - -HEADERS = api.h melas_fec.h params.h ring.h threebears.h -OBJECTS = kem.o melas_fec.o ring.o threebears.o - - -CFLAGS=-O3 -Wall -Wextra -Wpedantic -Werror -Wmissing-prototypes -Wredundant-decls -std=c99 -I../../../common $(EXTRAFLAGS) - -all: $(LIB) - -%.o: %.c $(HEADERS) - $(CC) $(CFLAGS) -c -o $@ $< - -$(LIB): $(OBJECTS) - $(AR) -r $@ $(OBJECTS) - -clean: - $(RM) $(OBJECTS) - $(RM) $(LIB) 
diff --git a/crypto_kem/mamabear/clean/Makefile.Microsoft_nmake b/crypto_kem/mamabear/clean/Makefile.Microsoft_nmake deleted file mode 100644 index 164de00d..00000000 --- a/crypto_kem/mamabear/clean/Makefile.Microsoft_nmake +++ /dev/null @@ -1,19 +0,0 @@ -# This Makefile can be used with Microsoft Visual Studio's nmake using the command: -# nmake /f Makefile.Microsoft_nmake - -LIBRARY=libmamabear_clean.lib -OBJECTS = kem.obj melas_fec.obj ring.obj threebears.obj - -CFLAGS=/nologo /I ..\..\..\common /W4 /WX - -all: $(LIBRARY) - -# Make sure objects are recompiled if headers change. -$(OBJECTS): *.h - -$(LIBRARY): $(OBJECTS) - LIB.EXE /NOLOGO /WX /OUT:$@ $** - -clean: - -DEL $(OBJECTS) - -DEL $(LIBRARY) diff --git a/crypto_kem/mamabear/clean/api.h b/crypto_kem/mamabear/clean/api.h deleted file mode 100644 index 135b3607..00000000 --- a/crypto_kem/mamabear/clean/api.h +++ /dev/null @@ -1,18 +0,0 @@ -#ifndef PQCLEAN_MAMABEAR_CLEAN_API_H -#define PQCLEAN_MAMABEAR_CLEAN_API_H - -#include -#include -#include - -#define PQCLEAN_MAMABEAR_CLEAN_CRYPTO_SECRETKEYBYTES 40 -#define PQCLEAN_MAMABEAR_CLEAN_CRYPTO_PUBLICKEYBYTES 1194 -#define PQCLEAN_MAMABEAR_CLEAN_CRYPTO_BYTES 32 -#define PQCLEAN_MAMABEAR_CLEAN_CRYPTO_CIPHERTEXTBYTES 1307 -#define PQCLEAN_MAMABEAR_CLEAN_CRYPTO_ALGNAME "MamaBear" - -int PQCLEAN_MAMABEAR_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk); -int PQCLEAN_MAMABEAR_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); -int PQCLEAN_MAMABEAR_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - -#endif diff --git a/crypto_kem/mamabear/clean/kem.c b/crypto_kem/mamabear/clean/kem.c deleted file mode 100644 index 9e40065f..00000000 --- a/crypto_kem/mamabear/clean/kem.c +++ /dev/null 
@@ -1,22 +0,0 @@ -#include "api.h" -#include "params.h" -#include "randombytes.h" -#include "threebears.h" - -int PQCLEAN_MAMABEAR_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) { - randombytes(sk, PRIVATE_KEY_BYTES); - PQCLEAN_MAMABEAR_CLEAN_get_pubkey(pk, sk); - return 0; -} - -int PQCLEAN_MAMABEAR_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk) { - uint8_t seed[ENC_SEED_BYTES + IV_BYTES]; - randombytes(seed, sizeof(seed)); - encapsulate(ss, ct, pk, seed); - return 0; -} - -int PQCLEAN_MAMABEAR_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk) { - PQCLEAN_MAMABEAR_CLEAN_decapsulate(ss, ct, sk); - return 0; -} diff --git a/crypto_kem/mamabear/clean/melas_fec.c b/crypto_kem/mamabear/clean/melas_fec.c deleted file mode 100644 index 80e33604..00000000 --- a/crypto_kem/mamabear/clean/melas_fec.c +++ /dev/null 
@@ -1,87 +0,0 @@ -/* Melas forward error correction, reference code (as implemented in the paper) */ -#include "melas_fec.h" - -/* Return s/2^n mod R */ -static fec_gf_t step(size_t n, fec_gf_t R, fec_gf_t s) { - for (; n; n--) { - s = (s ^ ((s & 1) * R)) >> 1; - } - return s; -} - -/* Compute syndrome(data), where data has length len */ -#define syndrome18(data,len) s18update(0,data,len) -static fec_gf_t s18update(fec_gf_t r, const uint8_t *data, size_t len) { - for (size_t i = 0; i < len; i++) { - r = step(8, 0x46231, r ^ data[i]); - } - return r; -} - -/* Append 3 bytes of FEC(data) to data, so that the FEC becomes 0 */ -void PQCLEAN_MAMABEAR_CLEAN_melas_fec_set( - uint8_t out[MELAS_FEC_BYTES], - const uint8_t *data, - size_t len -) { - fec_gf_t fec = syndrome18(data, len); - for (size_t i = 0; i < MELAS_FEC_BYTES; i++, fec >>= 8) { - out[i] = (uint8_t)fec; - } -} - -/* Return a*b mod Q */ -static fec_gf_t mul(fec_gf_t a, fec_gf_t b) { - fec_gf_t r = 0; - for (size_t i = 0; i < 9; i++) { - r ^= ((b >> (8 - i)) & 1) * a; - a = step(1, Q, a); - } - return r; -} - -/* Reverse an 18-bit number x */ -static fec_gf_t reverse18(fec_gf_t x) { - fec_gf_t ret = 0; - for (size_t i = 0; i < 18; i++) { - ret ^= ((x >> i) & 1) << (17 - i); - } - return ret; -} - -/* Correct data to have the given FEC */ -void PQCLEAN_MAMABEAR_CLEAN_melas_fec_correct ( - uint8_t *data, - size_t len, - const uint8_t fec[MELAS_FEC_BYTES] -) { - - fec_gf_t a = s18update(syndrome18(data, len), fec, MELAS_FEC_BYTES); - fec_gf_t c, r, htr; - size_t i; - const uint8_t table[9] = {36, 10, 43, 215, 52, 11, 116, 244, 0}; - fec_gf_t e0, e1; - - /* Form a quadratic equation from the syndrome */ - c = mul(step(9, Q, a), step(9, Q, reverse18(a))); - for (i = 0, r = 0x100; i < 510; i++) { - r = mul(r, c); - } - r = step(17, Q, r); - a = step(511 - (len + MELAS_FEC_BYTES) * 8, Q, a); - - /* Solve using the half trace */ - for (i = 0, htr = 0; i < 9; i++) { - htr ^= ((r >> i) & 1) * table[i]; - } - e0 = mul(a, 
htr); - e1 = e0 ^ a; - - /* Correct the errors using the locators */ - for (i = 0; i < len; i++) { - data[i] ^= (uint8_t)(e0 & (((e0 & (e0 - 1)) - 1) >> 9)); - data[i] ^= (uint8_t)(e1 & (((e1 & (e1 - 1)) - 1) >> 9)); - e0 = step(8, Q, e0); - e1 = step(8, Q, e1); - } -} diff --git a/crypto_kem/mamabear/clean/melas_fec.h b/crypto_kem/mamabear/clean/melas_fec.h deleted file mode 100644 index 410ec288..00000000 --- a/crypto_kem/mamabear/clean/melas_fec.h +++ /dev/null @@ -1,26 +0,0 @@ -#ifndef __THREEBEARS_MELAS_FEC_H__ -#define __THREEBEARS_MELAS_FEC_H__ - -#include "api.h" - -#define MELAS_FEC_BYTES 3 -#define MELAS_FEC_BITS 18 - -typedef uint32_t fec_gf_t; -static const fec_gf_t Q = 0x211; - -/* Append 3 bytes of FEC(data) to data, so that the FEC becomes 0 */ -void PQCLEAN_MAMABEAR_CLEAN_melas_fec_set( - uint8_t out[MELAS_FEC_BYTES], - const uint8_t *data, - size_t len -); - -/* Append 3 bytes of FEC(data) to data, so that the FEC becomes 0 */ -void PQCLEAN_MAMABEAR_CLEAN_melas_fec_correct( - uint8_t *data, - size_t len, - const uint8_t fec[MELAS_FEC_BYTES] -); - -#endif diff --git a/crypto_kem/mamabear/clean/params.h b/crypto_kem/mamabear/clean/params.h deleted file mode 100644 index b5ef85fa..00000000 --- a/crypto_kem/mamabear/clean/params.h +++ /dev/null 
@@ -1,29 +0,0 @@ -#ifndef __THREEBEARS_PARAMS_H__ -#define __THREEBEARS_PARAMS_H__ - -#define VERSION 1 -#define MATRIX_SEED_BYTES 24 -#define ENC_SEED_BYTES 32 -#define IV_BYTES 0 -#define LGX 10 -#define DIGITS 312 -#define DIM 3 -#define VAR_TIMES_128 52 -#define LPR_BITS 4 -#define FEC_BITS 18 -#define CCA 1 -#define SHARED_SECRET_BYTES 32 -#define PRIVATE_KEY_BYTES 40 -#define PRF_KEY_BYTES PRIVATE_KEY_BYTES - -#define BEAR_NAME "MamaBear" -#define encapsulate PQCLEAN_MAMABEAR_CLEAN_encapsulate -#define decapsulate PQCLEAN_MAMABEAR_CLEAN_decapsulate -#define get_pubkey PQCLEAN_MAMABEAR_CLEAN_get_pubkey - -#define GF_BYTES ((LGX*DIGITS+7)/8) -#define PUBLIC_KEY_BYTES (MATRIX_SEED_BYTES + DIM*GF_BYTES) -#define CAPSULE_BYTES \ - (DIM*GF_BYTES + IV_BYTES + ((ENC_SEED_BYTES*8+FEC_BITS)*LPR_BITS+7)/8) - -#endif diff --git a/crypto_kem/mamabear/clean/ring.c b/crypto_kem/mamabear/clean/ring.c deleted file mode 100644 index ac93daff..00000000 --- a/crypto_kem/mamabear/clean/ring.c +++ /dev/null 
@@ -1,107 +0,0 @@ -/** Ring arithmetic implementation */ -#include "ring.h" - -/** Return the i'th limb of the modulus */ -limb_t PQCLEAN_MAMABEAR_CLEAN_modulus(size_t i) { - return (i == DIGITS / 2) ? LMASK - 1 : LMASK; -} - -/** Multiply and accumulate c += a*b */ -void PQCLEAN_MAMABEAR_CLEAN_mac(gf_t c, const gf_t a, const gf_t b) { - /* Reference non-Karatsuba MAC */ - dslimb_t accum[2 * DIGITS] = {0}; - dslimb_t chain; - size_t i, j; - - /* Initialize accumulator = unclarify(c) */ - for (i = 0; i < DIGITS; i++) { - accum[i + DIGITS / 2] = c[i]; - } - - /* Multiply */ - for (i = 0; i < DIGITS; i++) { - for (j = 0; j < DIGITS; j++) { - accum[i + j] += (dslimb_t)a[i] * b[j]; - } - } - - /* Clarify and reduce */ - for (i = 0; i < DIGITS / 2; i++) { - accum[i + DIGITS / 2] -= accum[i]; - accum[i + DIGITS] += accum[i]; - accum[i + DIGITS / 2] += accum[i + 3 * DIGITS / 2]; - accum[i + DIGITS] += accum[i + 3 * DIGITS / 2]; - } - - /* Carry propagate */ - chain = accum[3 * DIGITS / 2 - 1]; - accum[3 * DIGITS / 2 - 1] = chain & LMASK; - chain >>= LGX; - accum[DIGITS] += chain; - for (i = DIGITS / 2; i < 3 * DIGITS / 2; i++) { - chain += accum[i]; - c[i - DIGITS / 2] = chain & LMASK; - chain >>= LGX; - } - c[0] = (limb_t) (c[0] + chain); - c[DIGITS / 2] = (limb_t) (c[DIGITS / 2] + chain); -} - -/** Reduce a gf_t to canonical form, i.e. strictly less than N. */ -void PQCLEAN_MAMABEAR_CLEAN_canon(gf_t c) { - const limb_t DELTA = (limb_t)1 << (LGX - 1); - slimb_t hi; - dslimb_t scarry; - dlimb_t carry; - - /* Reduce to 0..2p */ - hi = (slimb_t) (c[DIGITS - 1] - DELTA); - c[DIGITS - 1] = (limb_t) ((hi & LMASK) + DELTA); - c[DIGITS / 2] = (limb_t) (c[DIGITS / 2] + (hi >> LGX)); - - /* Strong reduce. 
First subtract modulus */ - scarry = hi >> LGX; - for (size_t i = 0; i < DIGITS; i++) { - scarry = scarry + (slimb_t)c[i] - PQCLEAN_MAMABEAR_CLEAN_modulus(i); - c[i] = scarry & LMASK; - scarry >>= LGX; - } - - /* add it back */ - carry = 0; - for (size_t i = 0; i < DIGITS; i++) { - carry = carry + c[i] + ((dlimb_t)scarry & PQCLEAN_MAMABEAR_CLEAN_modulus(i)); - c[i] = carry & LMASK; - carry >>= LGX; - } -} - -/** Serialize a gf_t to bytes */ -void PQCLEAN_MAMABEAR_CLEAN_contract(uint8_t ch[GF_BYTES], gf_t a) { - size_t pos; - - PQCLEAN_MAMABEAR_CLEAN_canon(a); - for (size_t i = 0; i < GF_BYTES; i++) { - pos = (i * 8) / LGX; - ch[i] = (uint8_t)(a[pos] >> ((i * 8) % LGX)); - if (i < GF_BYTES - 1) { - ch[i] |= (uint8_t)(a[pos + 1] << (LGX - ((i * 8) % LGX))); - } - } -} - -/** Deserialize a gf_t from bytes */ -void PQCLEAN_MAMABEAR_CLEAN_expand(gf_t ll, const uint8_t ch[GF_BYTES]) { - limb_t tmp, buffer = 0; - - for (size_t i = 0, j = 0, bbits = 0; i < GF_BYTES; i++) { - tmp = ch[i]; - buffer |= (limb_t)(tmp << bbits); - bbits += 8; - if (bbits >= LGX) { - ll[j++] = buffer & LMASK; - buffer = (limb_t)(tmp >> (LGX - (bbits - 8))); - bbits = bbits - LGX; - } - } -} diff --git a/crypto_kem/mamabear/clean/ring.h b/crypto_kem/mamabear/clean/ring.h deleted file mode 100644 index adb4a5bc..00000000 --- a/crypto_kem/mamabear/clean/ring.h +++ /dev/null 
@@ -1,29 +0,0 @@ -#ifndef __THREEBEARS_RING_H__ -#define __THREEBEARS_RING_H__ - -#include "api.h" -#include "params.h" - -typedef uint16_t limb_t; -typedef int16_t slimb_t; -typedef uint32_t dlimb_t; -typedef int32_t dslimb_t; -#define LMASK (((limb_t)1<> 8, DIM, - VAR_TIMES_128 - 1, LPR_BITS, FEC_BITS, CCA, 0 /* padding */ - }; - - cshake256_inc_init(ctx, NULL, 0, (const uint8_t *)S, sizeof(S) - 1); - cshake256_inc_absorb(ctx, (const uint8_t *)pblock, sizeof(pblock)); - cshake256_inc_absorb(ctx, &purpose, 1); -} - -/** Sample n gf_t's uniformly from a seed */ -static void uniform(gf_t matrix, const uint8_t *seed, uint8_t iv) { - uint8_t c[GF_BYTES]; - shake256incctx ctx; - - threebears_hash_init(&ctx, HASH_PURPOSE_UNIFORM); - cshake256_inc_absorb(&ctx, seed, MATRIX_SEED_BYTES); - cshake256_inc_absorb(&ctx, &iv, 1); - cshake256_inc_finalize(&ctx); - cshake256_inc_squeeze(c, sizeof(c), &ctx); - cshake256_inc_ctx_release(&ctx); - PQCLEAN_MAMABEAR_CLEAN_expand(matrix, c); -} - -/** The ThreeBears error distribution */ -static slimb_t psi(uint8_t ci) { - int sample = 0, var = VAR_TIMES_128; - - for (; var > 64; var -= 64, ci = (uint8_t)(ci << 2)) { - sample += ((ci + 64) >> 8) + ((ci - 64) >> 8); - } - return (slimb_t)(sample + ((ci + var) >> 8) + ((ci - var) >> 8)); -} - -/** Sample a vector of n noise elements */ -static void noise(gf_t x, const shake256incctx *ctx, uint8_t iv) { - uint8_t c[DIGITS]; - shake256incctx ctx2; - - cshake256_inc_ctx_clone(&ctx2, ctx); - cshake256_inc_absorb(&ctx2, &iv, 1); - cshake256_inc_finalize(&ctx2); - cshake256_inc_squeeze(c, DIGITS, &ctx2); - for (size_t i = 0; i < DIGITS; i++) { - x[i] = (limb_t)(psi(c[i]) + PQCLEAN_MAMABEAR_CLEAN_modulus(i)); - } - cshake256_inc_ctx_release(&ctx2); -} - -/* Expand public key from private key */ -void PQCLEAN_MAMABEAR_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) { - shake256incctx ctx; - shake256incctx ctx2; - gf_t sk_expanded[DIM], b, c; - - threebears_hash_init(&ctx, HASH_PURPOSE_KEYGEN); - 
cshake256_inc_absorb(&ctx, sk, PRIVATE_KEY_BYTES); - - cshake256_inc_ctx_clone(&ctx2, &ctx); - cshake256_inc_finalize(&ctx2); - cshake256_inc_squeeze(pk, MATRIX_SEED_BYTES, &ctx2); - cshake256_inc_ctx_release(&ctx2); - - for (uint8_t i = 0; i < DIM; i++) { - noise(sk_expanded[i], &ctx, i); - } - for (uint8_t i = 0; i < DIM; i++) { - noise(c, &ctx, (uint8_t)(i + DIM)); - for (uint8_t j = 0; j < DIM; j++) { - uniform(b, pk, (uint8_t) (i + DIM * j)); - PQCLEAN_MAMABEAR_CLEAN_mac(c, b, sk_expanded[j]); - } - PQCLEAN_MAMABEAR_CLEAN_contract(&pk[MATRIX_SEED_BYTES + i * GF_BYTES], c); - } - cshake256_inc_ctx_release(&ctx); -} - -/* Encapsulate a shared secret and return it */ -void PQCLEAN_MAMABEAR_CLEAN_encapsulate( - uint8_t *shared_secret, - uint8_t *capsule, - const uint8_t *pk, - const uint8_t *seed -) { - uint8_t *lpr_data = &capsule[GF_BYTES * DIM]; - shake256incctx ctx; - gf_t sk_expanded[DIM], b, c; - uint8_t tbi[ENC_SEED_BYTES + FEC_BYTES]; - dlimb_t rlimb0, rlimb1; - limb_t h; - uint8_t *iv = &lpr_data[(ENC_BITS * LPR_BITS + 7) / 8]; - - memcpy(iv, &seed[ENC_SEED_BYTES], IV_BYTES); - - threebears_hash_init(&ctx, HASH_PURPOSE_ENCAPS); - cshake256_inc_absorb(&ctx, pk, MATRIX_SEED_BYTES); - cshake256_inc_absorb(&ctx, seed, ENC_SEED_BYTES + IV_BYTES); - - for (uint8_t i = 0; i < DIM; i++) { - noise(sk_expanded[i], &ctx, i); - } - for (uint8_t i = 0; i < DIM; i++) { - noise(c, &ctx, (uint8_t)(i + DIM)); - for (uint8_t j = 0; j < DIM; j++) { - uniform(b, pk, (uint8_t)(j + DIM * i)); - PQCLEAN_MAMABEAR_CLEAN_mac(c, b, sk_expanded[j]); - } - PQCLEAN_MAMABEAR_CLEAN_contract(&capsule[i * GF_BYTES], c); - } - noise(c, &ctx, (uint8_t)(2 * DIM)); - - /* Calculate approximate shared secret */ - for (uint8_t i = 0; i < DIM; i++) { - PQCLEAN_MAMABEAR_CLEAN_expand(b, &pk[MATRIX_SEED_BYTES + i * GF_BYTES]); - PQCLEAN_MAMABEAR_CLEAN_mac(c, b, sk_expanded[i]); - } - PQCLEAN_MAMABEAR_CLEAN_canon(c); - - - memcpy(tbi, seed, ENC_SEED_BYTES); - - 
PQCLEAN_MAMABEAR_CLEAN_melas_fec_set(&tbi[ENC_SEED_BYTES], tbi, ENC_SEED_BYTES); - - /* Export with rounding */ - for (size_t i = 0; i < ENC_BITS; i += 2) { - h = (limb_t)(tbi[i / 8] >> (i % 8)); - rlimb0 = (dlimb_t)((c[i / 2] >> (LGX - LPR_BITS)) + (h << 3)); - rlimb1 = (dlimb_t)((c[DIGITS - i / 2 - 1] >> (LGX - LPR_BITS)) + ((h >> 1) << 3)); - lpr_data[i / 2] = (uint8_t)((rlimb0 & 0xF) | rlimb1 << 4); - } - - cshake256_inc_finalize(&ctx); - cshake256_inc_squeeze(shared_secret, SHARED_SECRET_BYTES, &ctx); - cshake256_inc_ctx_release(&ctx); -} - -/* Decapsulate a shared secret and return it */ -void PQCLEAN_MAMABEAR_CLEAN_decapsulate( - uint8_t shared_secret[SHARED_SECRET_BYTES], - const uint8_t capsule[CAPSULE_BYTES], - const uint8_t sk[PRIVATE_KEY_BYTES] -) { - const uint8_t *lpr_data = &capsule[GF_BYTES * DIM]; - shake256incctx ctx; - gf_t ska, b, c = {0}; - uint8_t seed[ENC_SEED_BYTES + FEC_BYTES + IV_BYTES]; - limb_t rounding, out; - size_t j; - limb_t our_rlimb, their_rlimb, delta; - uint8_t pk[PUBLIC_KEY_BYTES], capsule2[CAPSULE_BYTES]; - uint8_t ret, ok, sep, prfk[PRF_KEY_BYTES]; - uint8_t prfout[SHARED_SECRET_BYTES]; - - /* Calculate approximate shared secret */ - threebears_hash_init(&ctx, HASH_PURPOSE_KEYGEN); - cshake256_inc_absorb(&ctx, sk, PRIVATE_KEY_BYTES); - - for (uint8_t i = 0; i < DIM; i++) { - PQCLEAN_MAMABEAR_CLEAN_expand(b, &capsule[i * GF_BYTES]); - noise(ska, &ctx, i); - PQCLEAN_MAMABEAR_CLEAN_mac(c, ska, b); - } - - /* Recover seed from LPR data */ - PQCLEAN_MAMABEAR_CLEAN_canon(c); - rounding = 1 << (LPR_BITS - 1); - out = 0; - for (int32_t i = ENC_BITS - 1; i >= 0; i--) { - j = (size_t) ((i & 1) ? 
DIGITS - i / 2 - 1 : i / 2); - our_rlimb = (limb_t)(c[j] >> (LGX - LPR_BITS - 1)); - their_rlimb = (limb_t)(lpr_data[i * LPR_BITS / 8] >> ((i * LPR_BITS) % 8)); - delta = (limb_t)(their_rlimb * 2 - our_rlimb + rounding); - out |= (limb_t)(((delta >> LPR_BITS) & 1) << (i % 8)); - if (i % 8 == 0) { - seed[i / 8] = (uint8_t)out; - out = 0; - } - } - PQCLEAN_MAMABEAR_CLEAN_melas_fec_correct(seed, ENC_SEED_BYTES, &seed[ENC_SEED_BYTES]); - - /* Re-encapsulate and check; encapsulate will compute the shared secret */ - PQCLEAN_MAMABEAR_CLEAN_get_pubkey(pk, sk); - memcpy(&seed[ENC_SEED_BYTES], &lpr_data[(ENC_BITS * LPR_BITS + 7) / 8], IV_BYTES); - PQCLEAN_MAMABEAR_CLEAN_encapsulate(shared_secret, capsule2, pk, seed); - - /* Check capsule == capsule2 in constant time */ - ret = 0; - for (size_t i = 0; i < CAPSULE_BYTES; i++) { - ret |= capsule[i] ^ capsule2[i]; - } - ok = (uint8_t)(((int)ret - 1) >> 8); - - /* Calculate PRF key */ - sep = 0xFF; - cshake256_inc_absorb(&ctx, &sep, 1); - cshake256_inc_finalize(&ctx); - cshake256_inc_squeeze(prfk, PRF_KEY_BYTES, &ctx); - cshake256_inc_ctx_release(&ctx); - - /* Calculate PRF */ - threebears_hash_init(&ctx, HASH_PURPOSE_PRF); - cshake256_inc_absorb(&ctx, prfk, PRF_KEY_BYTES); - cshake256_inc_absorb(&ctx, capsule, CAPSULE_BYTES); - cshake256_inc_finalize(&ctx); - cshake256_inc_squeeze(prfout, SHARED_SECRET_BYTES, &ctx); - cshake256_inc_ctx_release(&ctx); - - for (size_t i = 0; i < SHARED_SECRET_BYTES; i++) { - shared_secret[i] = (uint8_t)((shared_secret[i] & ok) | (prfout[i] & ~ok)); - } -} diff --git a/crypto_kem/mamabear/clean/threebears.h b/crypto_kem/mamabear/clean/threebears.h deleted file mode 100644 index 578bcb63..00000000 --- a/crypto_kem/mamabear/clean/threebears.h +++ /dev/null 
@@ -1,58 +0,0 @@ -#ifndef __THREE_BEARS_MAMABEAR_H__ -#define __THREE_BEARS_MAMABEAR_H__ - -#include /* for size_t */ -#include - -#define MAMABEAR_KEYGEN_SEED_BYTES 40 -#define MAMABEAR_PRIVATE_KEY_BYTES MAMABEAR_KEYGEN_SEED_BYTES -#define MAMABEAR_SHARED_SECRET_BYTES 32 -#define MAMABEAR_ENC_SEED_AND_IV_BYTES 32 -#define MAMABEAR_PUBLIC_KEY_BYTES 1194 -#define MAMABEAR_CAPSULE_BYTES 1307 - -/** - * Expand a secret seed to a public/private keypair. - * - * @param[out] pk The public key. - * @param[in] sk The private key, which must be uniformly random. - */ -void PQCLEAN_MAMABEAR_CLEAN_get_pubkey ( - uint8_t pk[MAMABEAR_PUBLIC_KEY_BYTES], - const uint8_t sk[MAMABEAR_PRIVATE_KEY_BYTES] -); - -/** - * Create a shared secret using a random seed and another party's public key. - * - * Input and output parameters may not alias. - * - * @param[out] shared_secret The shared secret key. - * @param[out] capsule A ciphertext to send to the other party. - * @param[in] pk The other party's public key. - * @param[in] seed A random seed. - */ -void PQCLEAN_MAMABEAR_CLEAN_encapsulate ( - uint8_t shared_secret[MAMABEAR_SHARED_SECRET_BYTES], - uint8_t capsule[MAMABEAR_CAPSULE_BYTES], - const uint8_t pk[MAMABEAR_PUBLIC_KEY_BYTES], - const uint8_t seed[MAMABEAR_ENC_SEED_AND_IV_BYTES] -); - -/** - * Extract the shared secret from a capsule using the private key. - * Has a negligible but nonzero probability of failure. - * - * Input and output parameters may not alias. - * - * @param[out] shared_secret The shared secret. - * @param[in] capsule The capsule produced by encapsulate_cca2. - * @param[in] sk The private key. - */ -void PQCLEAN_MAMABEAR_CLEAN_decapsulate ( - uint8_t shared_secret[MAMABEAR_SHARED_SECRET_BYTES], - const uint8_t capsule[MAMABEAR_CAPSULE_BYTES], - const uint8_t sk[MAMABEAR_PRIVATE_KEY_BYTES] -); - -#endif diff --git a/crypto_kem/newhope1024cca/META.yml b/crypto_kem/newhope1024cca/META.yml deleted file mode 100644 index 46af1287..00000000 
--- a/crypto_kem/newhope1024cca/META.yml +++ /dev/null @@ -1,22 +0,0 @@ -name: NewHope1024-CCAKEM -type: kem -claimed-nist-level: 5 -claimed-security: IND-CCA2 -length-public-key: 1824 -length-secret-key: 3680 -length-ciphertext: 2208 -length-shared-secret: 32 -nistkat-sha256: 4a21f329bb5402a90d343af01ec1c8bc8ffffa8098cb0b89e1d2129f5157a073 -principal-submitters: - - Thomas Pöppelmann -auxiliary-submitters: -- Erdem Alkim -- Roberto Avanzi -- Joppe Bos -- Léo Ducas -- Antonio de la Piedra -- Peter Schwabe -- Douglas Stebila -implementations: -- name: clean - version: https://github.com/newhopecrypto/newhope/commit/3fc68c6090b23c56cc190a78af2f43ee8900e9d0 diff --git a/crypto_kem/newhope1024cca/clean/LICENSE b/crypto_kem/newhope1024cca/clean/LICENSE deleted file mode 100644 index d5d21fff..00000000 --- a/crypto_kem/newhope1024cca/clean/LICENSE +++ /dev/null @@ -1 +0,0 @@ -Public Domain diff --git a/crypto_kem/newhope1024cca/clean/Makefile b/crypto_kem/newhope1024cca/clean/Makefile deleted file mode 100644 index 0d011039..00000000 --- a/crypto_kem/newhope1024cca/clean/Makefile +++ /dev/null @@ -1,19 +0,0 @@ -# This Makefile can be used with GNU Make or BSD Make - -LIB=libnewhope1024cca_clean.a -HEADERS=api.h cpapke.h ntt.h params.h poly.h reduce.h verify.h -OBJECTS=cpapke.o kem.o ntt.o poly.o precomp.o reduce.o verify.o - -CFLAGS=-O3 -Wall -Wextra -Wpedantic -Wvla -Werror -Wmissing-prototypes -Wredundant-decls -std=c99 -I../../../common $(EXTRAFLAGS) - -all: $(LIB) - -%.o: %.c $(HEADERS) - $(CC) $(CFLAGS) -c -o $@ $< - -$(LIB): $(OBJECTS) - $(AR) -r $@ $(OBJECTS) - -clean: - $(RM) $(OBJECTS) - $(RM) $(LIB) diff --git a/crypto_kem/newhope1024cca/clean/Makefile.Microsoft_nmake b/crypto_kem/newhope1024cca/clean/Makefile.Microsoft_nmake deleted file mode 100644 index e3c31b57..00000000 --- a/crypto_kem/newhope1024cca/clean/Makefile.Microsoft_nmake +++ /dev/null 
@@ -1,19 +0,0 @@ -# This Makefile can be used with Microsoft Visual Studio's nmake using the command: -# nmake /f Makefile.Microsoft_nmake - -LIBRARY=libnewhope1024cca_clean.lib -OBJECTS=cpapke.obj kem.obj ntt.obj poly.obj precomp.obj reduce.obj verify.obj - -CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX - -all: $(LIBRARY) - -# Make sure objects are recompiled if headers change. -$(OBJECTS): *.h - -$(LIBRARY): $(OBJECTS) - LIB.EXE /NOLOGO /WX /OUT:$@ $** - -clean: - -DEL $(OBJECTS) - -DEL $(LIBRARY) diff --git a/crypto_kem/newhope1024cca/clean/api.h b/crypto_kem/newhope1024cca/clean/api.h deleted file mode 100644 index 62139de0..00000000 --- a/crypto_kem/newhope1024cca/clean/api.h +++ /dev/null @@ -1,15 +0,0 @@ -#ifndef PQCLEAN_NEWHOPE1024CCA_CLEAN_API_H -#define PQCLEAN_NEWHOPE1024CCA_CLEAN_API_H - - -#define PQCLEAN_NEWHOPE1024CCA_CLEAN_CRYPTO_SECRETKEYBYTES 3680 -#define PQCLEAN_NEWHOPE1024CCA_CLEAN_CRYPTO_PUBLICKEYBYTES 1824 -#define PQCLEAN_NEWHOPE1024CCA_CLEAN_CRYPTO_CIPHERTEXTBYTES 2208 -#define PQCLEAN_NEWHOPE1024CCA_CLEAN_CRYPTO_BYTES 32 -#define PQCLEAN_NEWHOPE1024CCA_CLEAN_CRYPTO_ALGNAME "NewHope1024-CCAKEM" - -int PQCLEAN_NEWHOPE1024CCA_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk); -int PQCLEAN_NEWHOPE1024CCA_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk); -int PQCLEAN_NEWHOPE1024CCA_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk); - -#endif diff --git a/crypto_kem/newhope1024cca/clean/cpapke.c b/crypto_kem/newhope1024cca/clean/cpapke.c deleted file mode 100644 index 11644c74..00000000 --- a/crypto_kem/newhope1024cca/clean/cpapke.c +++ /dev/null 
@@ -1,193 +0,0 @@ -#include "api.h" -#include "cpapke.h" -#include "fips202.h" -#include "poly.h" -#include "randombytes.h" -#include - -/************************************************* -* Name: encode_pk -* -* Description: Serialize the public key as concatenation of the -* serialization of the polynomial pk and the public seed -* used to generete the polynomial a. -* -* Arguments: unsigned char *r: pointer to the output serialized public key -* const poly *pk: pointer to the input public-key polynomial -* const unsigned char *seed: pointer to the input public seed -**************************************************/ -static void encode_pk(unsigned char *r, const poly *pk, const unsigned char *seed) { - int i; - PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_tobytes(r, pk); - for (i = 0; i < NEWHOPE_SYMBYTES; i++) { - r[NEWHOPE_POLYBYTES + i] = seed[i]; - } -} - -/************************************************* -* Name: decode_pk -* -* Description: De-serialize the public key; inverse of encode_pk -* -* Arguments: poly *pk: pointer to output public-key polynomial -* unsigned char *seed: pointer to output public seed -* const unsigned char *r: pointer to input byte array -**************************************************/ -static void decode_pk(poly *pk, unsigned char *seed, const unsigned char *r) { - int i; - PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_frombytes(pk, r); - for (i = 0; i < NEWHOPE_SYMBYTES; i++) { - seed[i] = r[NEWHOPE_POLYBYTES + i]; - } -} - -/************************************************* -* Name: encode_c -* -* Description: Serialize the ciphertext as concatenation of the -* serialization of the polynomial b and serialization -* of the compressed polynomial v -* -* Arguments: - unsigned char *r: pointer to the output serialized ciphertext -* - const poly *b: pointer to the input polynomial b -* - const poly *v: pointer to the input polynomial v -**************************************************/ -static void encode_c(unsigned char *r, const poly *b, const 
poly *v) { - PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_tobytes(r, b); - PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_compress(r + NEWHOPE_POLYBYTES, v); -} - -/************************************************* -* Name: decode_c -* -* Description: de-serialize the ciphertext; inverse of encode_c -* -* Arguments: - poly *b: pointer to output polynomial b -* - poly *v: pointer to output polynomial v -* - const unsigned char *r: pointer to input byte array -**************************************************/ -static void decode_c(poly *b, poly *v, const unsigned char *r) { - PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_frombytes(b, r); - PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_decompress(v, r + NEWHOPE_POLYBYTES); -} - -/************************************************* -* Name: gen_a -* -* Description: Deterministically generate public polynomial a from seed -* -* Arguments: - poly *a: pointer to output polynomial a -* - const unsigned char *seed: pointer to input seed -**************************************************/ -static void gen_a(poly *a, const unsigned char *seed) { - PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_uniform(a, seed); -} - - -/************************************************* -* Name: cpapke_keypair -* -* Description: Generates public and private key -* for the CPA public-key encryption scheme underlying -* the NewHope KEMs -* -* Arguments: - unsigned char *pk: pointer to output public key -* - unsigned char *sk: pointer to output private key -**************************************************/ -void PQCLEAN_NEWHOPE1024CCA_CLEAN_cpapke_keypair(unsigned char *pk, - unsigned char *sk) { - poly ahat, ehat, ahat_shat, bhat, shat; - unsigned char z[2 * NEWHOPE_SYMBYTES]; - unsigned char *publicseed = z; - unsigned char *noiseseed = z + NEWHOPE_SYMBYTES; - - z[0] = 0x01; - randombytes(z + 1, NEWHOPE_SYMBYTES); - shake256(z, 2 * NEWHOPE_SYMBYTES, z, NEWHOPE_SYMBYTES + 1); - - gen_a(&ahat, publicseed); - - PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_sample(&shat, noiseseed, 0); - 
PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_ntt(&shat);
-
- PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_sample(&ehat, noiseseed, 1);
- PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_ntt(&ehat);
-
- PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_mul_pointwise(&ahat_shat, &shat, &ahat);
- PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_add(&bhat, &ehat, &ahat_shat);
-
- PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_tobytes(sk, &shat);
- encode_pk(pk, &bhat, publicseed);
-}
-
-/*************************************************
-* Name: cpapke_enc
-*
-* Description: Encryption function of
-* the CPA public-key encryption scheme underlying
-* the NewHope KEMs
-*
-* Arguments: - unsigned char *c: pointer to output ciphertext
-* - const unsigned char *m: pointer to input message (of length NEWHOPE_SYMBYTES bytes)
-* - const unsigned char *pk: pointer to input public key
-* - const unsigned char *coin: pointer to input random coins used as seed
-* to deterministically generate all randomness
-**************************************************/
-void PQCLEAN_NEWHOPE1024CCA_CLEAN_cpapke_enc(unsigned char *c,
- const unsigned char *m,
- const unsigned char *pk,
- const unsigned char *coin) {
- poly sprime, eprime, vprime, ahat, bhat, eprimeprime, uhat, v;
- unsigned char publicseed[NEWHOPE_SYMBYTES];
-
- PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_frommsg(&v, m);
-
- decode_pk(&bhat, publicseed, pk);
- gen_a(&ahat, publicseed);
-
- PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_sample(&sprime, coin, 0);
- PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_sample(&eprime, coin, 1);
- PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_sample(&eprimeprime, coin, 2);
-
- PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_ntt(&sprime);
- PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_ntt(&eprime);
-
- PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_mul_pointwise(&uhat, &ahat, &sprime);
- PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_add(&uhat, &uhat, &eprime);
-
- PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_mul_pointwise(&vprime, &bhat, &sprime);
- PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_invntt(&vprime);
-
- PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_add(&vprime, &vprime, &eprimeprime);
- PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_add(&vprime, &vprime, &v); // add message
-
- encode_c(c, &uhat, &vprime);
-}
-
-
-/*************************************************
-* Name: cpapke_dec
-*
-* Description: Decryption function of
-* the CPA public-key encryption scheme underlying
-* the NewHope KEMs
-*
-* Arguments: - unsigned char *m: pointer to output decrypted message
-* - const unsigned char *c: pointer to input ciphertext
-* - const unsigned char *sk: pointer to input secret key
-**************************************************/
-void PQCLEAN_NEWHOPE1024CCA_CLEAN_cpapke_dec(unsigned char *m,
- const unsigned char *c,
- const unsigned char *sk) {
- poly vprime, uhat, tmp, shat;
-
- PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_frombytes(&shat, sk);
-
- decode_c(&uhat, &vprime, c);
- PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_mul_pointwise(&tmp, &shat, &uhat);
- PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_invntt(&tmp);
-
- PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_sub(&tmp, &tmp, &vprime);
-
- PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_tomsg(m, &tmp);
-}
diff --git a/crypto_kem/newhope1024cca/clean/cpapke.h b/crypto_kem/newhope1024cca/clean/cpapke.h
deleted file mode 100644
index 34be8055..00000000
--- a/crypto_kem/newhope1024cca/clean/cpapke.h
+++ /dev/null
@@ -1,16 +0,0 @@
-#ifndef INDCPA_H
-#define INDCPA_H
-
-void PQCLEAN_NEWHOPE1024CCA_CLEAN_cpapke_keypair(unsigned char *pk,
- unsigned char *sk);
-
-void PQCLEAN_NEWHOPE1024CCA_CLEAN_cpapke_enc(unsigned char *c,
- const unsigned char *m,
- const unsigned char *pk,
- const unsigned char *coins);
-
-void PQCLEAN_NEWHOPE1024CCA_CLEAN_cpapke_dec(unsigned char *m,
- const unsigned char *c,
- const unsigned char *sk);
-
-#endif
diff --git a/crypto_kem/newhope1024cca/clean/kem.c b/crypto_kem/newhope1024cca/clean/kem.c
deleted file mode 100644
index 2fbcff50..00000000
--- a/crypto_kem/newhope1024cca/clean/kem.c
+++ /dev/null
@@ -1,119 +0,0 @@
-#include "api.h"
-#include "cpapke.h"
-#include "fips202.h"
-#include "params.h"
-#include "randombytes.h"
-#include "verify.h"
-
-#include
-
-/*************************************************
-* Name: crypto_kem_keypair
-*
-* Description: Generates public and private key
-* for CCA secure NewHope key encapsulation
-* mechanism
-*
-* Arguments: - unsigned char *pk: pointer to output public key (an already allocated array of CRYPTO_PUBLICKEYBYTES bytes)
-* - unsigned char *sk: pointer to output private key (an already allocated array of CRYPTO_SECRETKEYBYTES bytes)
-*
-* Returns 0 (success)
-**************************************************/
-int PQCLEAN_NEWHOPE1024CCA_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) {
- size_t i;
-
- PQCLEAN_NEWHOPE1024CCA_CLEAN_cpapke_keypair(pk, sk); /* First put the actual secret key into sk */
- sk += NEWHOPE_CPAPKE_SECRETKEYBYTES;
-
- for (i = 0; i < NEWHOPE_CPAPKE_PUBLICKEYBYTES; i++) { /* Append the public key for re-encryption */
- sk[i] = pk[i];
- }
- sk += NEWHOPE_CPAPKE_PUBLICKEYBYTES;
-
- shake256(sk, NEWHOPE_SYMBYTES, pk, NEWHOPE_CPAPKE_PUBLICKEYBYTES); /* Append the hash of the public key */
- sk += NEWHOPE_SYMBYTES;
-
- randombytes(sk, NEWHOPE_SYMBYTES); /* Append the value s for pseudo-random output on reject */
-
- return 0;
-}
-
-/*************************************************
-* Name: crypto_kem_enc
-*
-* Description: Generates cipher text and shared
-* secret for given public key
-*
-* Arguments: - unsigned char *ct: pointer to output cipher text (an already allocated array of CRYPTO_CIPHERTEXTBYTES bytes)
-* - unsigned char *ss: pointer to output shared secret (an already allocated array of CRYPTO_BYTES bytes)
-* - const unsigned char *pk: pointer to input public key (an already allocated array of CRYPTO_PUBLICKEYBYTES bytes)
-*
-* Returns 0 (success)
-**************************************************/
-int PQCLEAN_NEWHOPE1024CCA_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) {
- unsigned char k_coins_d[3 * NEWHOPE_SYMBYTES]; /* Will contain key, coins, qrom-hash */
- unsigned char buf[2 * NEWHOPE_SYMBYTES + 1];
- int i;
-
- buf[0] = 0x04;
- randombytes(buf + 1, NEWHOPE_SYMBYTES);
-
- shake256(buf + 1, NEWHOPE_SYMBYTES, buf, NEWHOPE_SYMBYTES + 1); /* Don't release system RNG output */
- shake256(buf + 1 + NEWHOPE_SYMBYTES, NEWHOPE_SYMBYTES, pk, NEWHOPE_CCAKEM_PUBLICKEYBYTES); /* Multitarget countermeasure for coins + contributory KEM */
- buf[0] = 0x08;
- shake256(k_coins_d, 3 * NEWHOPE_SYMBYTES, buf, 2 * NEWHOPE_SYMBYTES + 1);
-
- PQCLEAN_NEWHOPE1024CCA_CLEAN_cpapke_enc(ct, buf + 1, pk, k_coins_d + NEWHOPE_SYMBYTES); /* coins are in k_coins_d+NEWHOPE_SYMBYTES */
-
- for (i = 0; i < NEWHOPE_SYMBYTES; i++) {
- ct[i + NEWHOPE_CPAPKE_CIPHERTEXTBYTES] = k_coins_d[i + 2 * NEWHOPE_SYMBYTES]; /* copy Targhi-Unruh hash into ct */
- }
-
- shake256(k_coins_d + NEWHOPE_SYMBYTES, NEWHOPE_SYMBYTES, ct, NEWHOPE_CCAKEM_CIPHERTEXTBYTES); /* overwrite coins in k_coins_d with h(c) */
- shake256(ss, NEWHOPE_SYMBYTES, k_coins_d, 2 * NEWHOPE_SYMBYTES); /* hash concatenation of pre-k and h(c) to ss */
- return 0;
-}
-
-/*************************************************
-* Name: crypto_kem_dec
-*
-* Description: Generates shared secret for given
-* cipher text and private key
-*
-* Arguments: - unsigned char *ss: pointer to output shared secret (an already allocated array of CRYPTO_BYTES bytes)
-* - const unsigned char *ct: pointer to input cipher text (an already allocated array of CRYPTO_CIPHERTEXTBYTES bytes)
-* - const unsigned char *sk: pointer to input private key (an already allocated array of CRYPTO_SECRETKEYBYTES bytes)
-*
-* Returns 0 for sucess or -1 for failure
-*
-* On failure, ss will contain a randomized value.
-**************************************************/
-int PQCLEAN_NEWHOPE1024CCA_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) {
- int i, fail;
- unsigned char ct_cmp[NEWHOPE_CCAKEM_CIPHERTEXTBYTES];
- unsigned char buf[2 * NEWHOPE_SYMBYTES + 1];
- unsigned char k_coins_d[3 * NEWHOPE_SYMBYTES]; /* Will contain key, coins, qrom-hash */
- const unsigned char *pk = sk + NEWHOPE_CPAPKE_SECRETKEYBYTES;
-
- buf[0] = 0x08;
- PQCLEAN_NEWHOPE1024CCA_CLEAN_cpapke_dec(buf + 1, ct, sk);
-
- for (i = 0; i < NEWHOPE_SYMBYTES; i++) { /* Use hash of pk stored in sk */
- buf[1 + NEWHOPE_SYMBYTES + i] = sk[NEWHOPE_CCAKEM_SECRETKEYBYTES - 2 * NEWHOPE_SYMBYTES + i];
- }
- shake256(k_coins_d, 3 * NEWHOPE_SYMBYTES, buf, 2 * NEWHOPE_SYMBYTES + 1);
-
- PQCLEAN_NEWHOPE1024CCA_CLEAN_cpapke_enc(ct_cmp, buf + 1, pk, k_coins_d + NEWHOPE_SYMBYTES); /* coins are in k_coins_d+NEWHOPE_SYMBYTES */
-
- for (i = 0; i < NEWHOPE_SYMBYTES; i++) {
- ct_cmp[i + NEWHOPE_CPAPKE_CIPHERTEXTBYTES] = k_coins_d[i + 2 * NEWHOPE_SYMBYTES];
- }
-
- fail = PQCLEAN_NEWHOPE1024CCA_CLEAN_verify(ct, ct_cmp, NEWHOPE_CCAKEM_CIPHERTEXTBYTES);
-
- shake256(k_coins_d + NEWHOPE_SYMBYTES, NEWHOPE_SYMBYTES, ct, NEWHOPE_CCAKEM_CIPHERTEXTBYTES); /* overwrite coins in k_coins_d with h(c) */
- PQCLEAN_NEWHOPE1024CCA_CLEAN_cmov(k_coins_d, sk + NEWHOPE_CCAKEM_SECRETKEYBYTES - NEWHOPE_SYMBYTES, NEWHOPE_SYMBYTES, (unsigned char) fail); /* Overwrite pre-k with z on re-encryption failure */
- shake256(ss, NEWHOPE_SYMBYTES, k_coins_d, 2 * NEWHOPE_SYMBYTES); /* hash concatenation of pre-k and h(c) to k */
-
- return 0;
-}
diff --git a/crypto_kem/newhope1024cca/clean/ntt.c b/crypto_kem/newhope1024cca/clean/ntt.c
deleted file mode 100644
index ffefa465..00000000
--- a/crypto_kem/newhope1024cca/clean/ntt.c
+++ /dev/null
@@ -1,127 +0,0 @@ -#include "inttypes.h" -#include "ntt.h" -#include "params.h" -#include "reduce.h" - -/************************************************************ -* Name: bitrev_table -* -* Description: Contains bit-reversed 10-bit indices to be used to re-order -* polynomials before number theoratic transform -************************************************************/ -static uint16_t bitrev_table[NEWHOPE_N] = { - 0, 512, 256, 768, 128, 640, 384, 896, 64, 576, 320, 832, 192, 704, 448, 960, 32, 544, 288, 800, 160, 672, 416, 928, 96, 608, 352, 864, 224, 736, 480, 992, - 16, 528, 272, 784, 144, 656, 400, 912, 80, 592, 336, 848, 208, 720, 464, 976, 48, 560, 304, 816, 176, 688, 432, 944, 112, 624, 368, 880, 240, 752, 496, 1008, - 8, 520, 264, 776, 136, 648, 392, 904, 72, 584, 328, 840, 200, 712, 456, 968, 40, 552, 296, 808, 168, 680, 424, 936, 104, 616, 360, 872, 232, 744, 488, 1000, - 24, 536, 280, 792, 152, 664, 408, 920, 88, 600, 344, 856, 216, 728, 472, 984, 56, 568, 312, 824, 184, 696, 440, 952, 120, 632, 376, 888, 248, 760, 504, 1016, - 4, 516, 260, 772, 132, 644, 388, 900, 68, 580, 324, 836, 196, 708, 452, 964, 36, 548, 292, 804, 164, 676, 420, 932, 100, 612, 356, 868, 228, 740, 484, 996, - 20, 532, 276, 788, 148, 660, 404, 916, 84, 596, 340, 852, 212, 724, 468, 980, 52, 564, 308, 820, 180, 692, 436, 948, 116, 628, 372, 884, 244, 756, 500, 1012, - 12, 524, 268, 780, 140, 652, 396, 908, 76, 588, 332, 844, 204, 716, 460, 972, 44, 556, 300, 812, 172, 684, 428, 940, 108, 620, 364, 876, 236, 748, 492, 1004, - 28, 540, 284, 796, 156, 668, 412, 924, 92, 604, 348, 860, 220, 732, 476, 988, 60, 572, 316, 828, 188, 700, 444, 956, 124, 636, 380, 892, 252, 764, 508, 1020, - 2, 514, 258, 770, 130, 642, 386, 898, 66, 578, 322, 834, 194, 706, 450, 962, 34, 546, 290, 802, 162, 674, 418, 930, 98, 610, 354, 866, 226, 738, 482, 994, - 18, 530, 274, 786, 146, 658, 402, 914, 82, 594, 338, 850, 210, 722, 466, 978, 50, 562, 306, 818, 178, 690, 434, 946, 114, 626, 370, 882, 242, 
754, 498, 1010, - 10, 522, 266, 778, 138, 650, 394, 906, 74, 586, 330, 842, 202, 714, 458, 970, 42, 554, 298, 810, 170, 682, 426, 938, 106, 618, 362, 874, 234, 746, 490, 1002, - 26, 538, 282, 794, 154, 666, 410, 922, 90, 602, 346, 858, 218, 730, 474, 986, 58, 570, 314, 826, 186, 698, 442, 954, 122, 634, 378, 890, 250, 762, 506, 1018, - 6, 518, 262, 774, 134, 646, 390, 902, 70, 582, 326, 838, 198, 710, 454, 966, 38, 550, 294, 806, 166, 678, 422, 934, 102, 614, 358, 870, 230, 742, 486, 998, - 22, 534, 278, 790, 150, 662, 406, 918, 86, 598, 342, 854, 214, 726, 470, 982, 54, 566, 310, 822, 182, 694, 438, 950, 118, 630, 374, 886, 246, 758, 502, 1014, - 14, 526, 270, 782, 142, 654, 398, 910, 78, 590, 334, 846, 206, 718, 462, 974, 46, 558, 302, 814, 174, 686, 430, 942, 110, 622, 366, 878, 238, 750, 494, 1006, - 30, 542, 286, 798, 158, 670, 414, 926, 94, 606, 350, 862, 222, 734, 478, 990, 62, 574, 318, 830, 190, 702, 446, 958, 126, 638, 382, 894, 254, 766, 510, 1022, - 1, 513, 257, 769, 129, 641, 385, 897, 65, 577, 321, 833, 193, 705, 449, 961, 33, 545, 289, 801, 161, 673, 417, 929, 97, 609, 353, 865, 225, 737, 481, 993, - 17, 529, 273, 785, 145, 657, 401, 913, 81, 593, 337, 849, 209, 721, 465, 977, 49, 561, 305, 817, 177, 689, 433, 945, 113, 625, 369, 881, 241, 753, 497, 1009, - 9, 521, 265, 777, 137, 649, 393, 905, 73, 585, 329, 841, 201, 713, 457, 969, 41, 553, 297, 809, 169, 681, 425, 937, 105, 617, 361, 873, 233, 745, 489, 1001, - 25, 537, 281, 793, 153, 665, 409, 921, 89, 601, 345, 857, 217, 729, 473, 985, 57, 569, 313, 825, 185, 697, 441, 953, 121, 633, 377, 889, 249, 761, 505, 1017, - 5, 517, 261, 773, 133, 645, 389, 901, 69, 581, 325, 837, 197, 709, 453, 965, 37, 549, 293, 805, 165, 677, 421, 933, 101, 613, 357, 869, 229, 741, 485, 997, - 21, 533, 277, 789, 149, 661, 405, 917, 85, 597, 341, 853, 213, 725, 469, 981, 53, 565, 309, 821, 181, 693, 437, 949, 117, 629, 373, 885, 245, 757, 501, 1013, - 13, 525, 269, 781, 141, 653, 397, 909, 77, 589, 333, 845, 205, 717, 
461, 973, 45, 557, 301, 813, 173, 685, 429, 941, 109, 621, 365, 877, 237, 749, 493, 1005, - 29, 541, 285, 797, 157, 669, 413, 925, 93, 605, 349, 861, 221, 733, 477, 989, 61, 573, 317, 829, 189, 701, 445, 957, 125, 637, 381, 893, 253, 765, 509, 1021, - 3, 515, 259, 771, 131, 643, 387, 899, 67, 579, 323, 835, 195, 707, 451, 963, 35, 547, 291, 803, 163, 675, 419, 931, 99, 611, 355, 867, 227, 739, 483, 995, - 19, 531, 275, 787, 147, 659, 403, 915, 83, 595, 339, 851, 211, 723, 467, 979, 51, 563, 307, 819, 179, 691, 435, 947, 115, 627, 371, 883, 243, 755, 499, 1011, - 11, 523, 267, 779, 139, 651, 395, 907, 75, 587, 331, 843, 203, 715, 459, 971, 43, 555, 299, 811, 171, 683, 427, 939, 107, 619, 363, 875, 235, 747, 491, 1003, - 27, 539, 283, 795, 155, 667, 411, 923, 91, 603, 347, 859, 219, 731, 475, 987, 59, 571, 315, 827, 187, 699, 443, 955, 123, 635, 379, 891, 251, 763, 507, 1019, - 7, 519, 263, 775, 135, 647, 391, 903, 71, 583, 327, 839, 199, 711, 455, 967, 39, 551, 295, 807, 167, 679, 423, 935, 103, 615, 359, 871, 231, 743, 487, 999, - 23, 535, 279, 791, 151, 663, 407, 919, 87, 599, 343, 855, 215, 727, 471, 983, 55, 567, 311, 823, 183, 695, 439, 951, 119, 631, 375, 887, 247, 759, 503, 1015, - 15, 527, 271, 783, 143, 655, 399, 911, 79, 591, 335, 847, 207, 719, 463, 975, 47, 559, 303, 815, 175, 687, 431, 943, 111, 623, 367, 879, 239, 751, 495, 1007, - 31, 543, 287, 799, 159, 671, 415, 927, 95, 607, 351, 863, 223, 735, 479, 991, 63, 575, 319, 831, 191, 703, 447, 959, 127, 639, 383, 895, 255, 767, 511, 1023 -}; - -/************************************************* -* Name: bitrev_vector -* -* Description: Permutes coefficients of a polynomial into bitreversed order -* -* Arguments: - uint16_t* poly: pointer to in/output polynomial -**************************************************/ -void PQCLEAN_NEWHOPE1024CCA_CLEAN_bitrev_vector(uint16_t *poly) { - unsigned int i, r; - uint16_t tmp; - - for (i = 0; i < NEWHOPE_N; i++) { - r = bitrev_table[i]; - if (i < r) { - tmp = 
poly[i];
- poly[i] = poly[r];
- poly[r] = tmp;
- }
- }
-}
-
-/*************************************************
-* Name: mul_coefficients
-*
-* Description: Performs pointwise (coefficient-wise) multiplication
-* of two polynomials
-* Arguments: - uint16_t* poly: pointer to in/output polynomial
-* - const uint16_t* factors: pointer to input polynomial, coefficients
-* are assumed to be in Montgomery representation
-**************************************************/
-void PQCLEAN_NEWHOPE1024CCA_CLEAN_mul_coefficients(uint16_t *poly, const uint16_t *factors) {
- unsigned int i;
-
- for (i = 0; i < NEWHOPE_N; i++) {
- poly[i] = PQCLEAN_NEWHOPE1024CCA_CLEAN_montgomery_reduce((poly[i] * factors[i]));
- }
-}
-
-
-void /*************************************************
-* Name: ntt
-*
-* Description: Computes number-theoretic transform (NTT) of
-* a polynomial in place; inputs assumed to be in
-* bitreversed order, output in normal order
-*
-* Arguments: - uint16_t * a: pointer to in/output polynomial
-* - const uint16_t* omega: pointer to input powers of root of unity omega;
-* assumed to be in Montgomery domain
-**************************************************/
-PQCLEAN_NEWHOPE1024CCA_CLEAN_ntt(uint16_t *a, const uint16_t *omega) {
- int i, start, j, jTwiddle, distance;
- uint16_t temp, W;
-
-
- for (i = 0; i < 10; i += 2) {
- // Even level
- distance = (1 << i);
- for (start = 0; start < distance; start++) {
- jTwiddle = 0;
- for (j = start; j < NEWHOPE_N - 1; j += 2 * distance) {
- W = omega[jTwiddle++];
- temp = a[j];
- a[j] = (temp + a[j + distance]); // Omit reduction (be lazy)
- a[j + distance] = PQCLEAN_NEWHOPE1024CCA_CLEAN_montgomery_reduce((W * ((uint32_t)temp + 3 * NEWHOPE_Q - a[j + distance])));
- }
- }
-
- // Odd level
- distance <<= 1;
- for (start = 0; start < distance; start++) {
- jTwiddle = 0;
- for (j = start; j < NEWHOPE_N - 1; j += 2 * distance) {
- W = omega[jTwiddle++];
- temp = a[j];
- a[j] = (temp + a[j + distance]) % NEWHOPE_Q;
- a[j + distance] = PQCLEAN_NEWHOPE1024CCA_CLEAN_montgomery_reduce((W * ((uint32_t)temp + 3 * NEWHOPE_Q - a[j + distance])));
- }
- }
- }
-}
diff --git a/crypto_kem/newhope1024cca/clean/ntt.h b/crypto_kem/newhope1024cca/clean/ntt.h
deleted file mode 100644
index c43ba5f1..00000000
--- a/crypto_kem/newhope1024cca/clean/ntt.h
+++ /dev/null
@@ -1,14 +0,0 @@
-#ifndef NTT_H
-#define NTT_H
-
-#include "inttypes.h"
-
-extern const uint16_t PQCLEAN_NEWHOPE1024CCA_CLEAN_omegas_inv_bitrev_montgomery[];
-extern const uint16_t PQCLEAN_NEWHOPE1024CCA_CLEAN_gammas_bitrev_montgomery[];
-extern const uint16_t PQCLEAN_NEWHOPE1024CCA_CLEAN_gammas_inv_montgomery[];
-
-void PQCLEAN_NEWHOPE1024CCA_CLEAN_bitrev_vector(uint16_t *poly);
-void PQCLEAN_NEWHOPE1024CCA_CLEAN_mul_coefficients(uint16_t *poly, const uint16_t *factors);
-void PQCLEAN_NEWHOPE1024CCA_CLEAN_ntt(uint16_t *a, const uint16_t *omegas);
-
-#endif
diff --git a/crypto_kem/newhope1024cca/clean/params.h b/crypto_kem/newhope1024cca/clean/params.h
deleted file mode 100644
index 4e5e6442..00000000
--- a/crypto_kem/newhope1024cca/clean/params.h
+++ /dev/null
@@ -1,25 +0,0 @@
-#ifndef PQCLEAN_NEWHOPE1024CCA_CLEAN_PARAMS_H
-#define PQCLEAN_NEWHOPE1024CCA_CLEAN_PARAMS_H
-
-#define NEWHOPE_N 1024
-#define NEWHOPE_Q 12289
-#define NEWHOPE_K 8 /* used in noise sampling */
-
-#define NEWHOPE_SYMBYTES 32 /* size of shared key, seeds/coins, and hashes */
-
-#define NEWHOPE_POLYBYTES ((14*NEWHOPE_N)/8)
-#define NEWHOPE_POLYCOMPRESSEDBYTES (( 3*NEWHOPE_N)/8)
-
-#define NEWHOPE_CPAPKE_PUBLICKEYBYTES (NEWHOPE_POLYBYTES + NEWHOPE_SYMBYTES)
-#define NEWHOPE_CPAPKE_SECRETKEYBYTES (NEWHOPE_POLYBYTES)
-#define NEWHOPE_CPAPKE_CIPHERTEXTBYTES (NEWHOPE_POLYBYTES + NEWHOPE_POLYCOMPRESSEDBYTES)
-
-#define NEWHOPE_CPAKEM_PUBLICKEYBYTES NEWHOPE_CPAPKE_PUBLICKEYBYTES
-#define NEWHOPE_CPAKEM_SECRETKEYBYTES NEWHOPE_CPAPKE_SECRETKEYBYTES
-#define NEWHOPE_CPAKEM_CIPHERTEXTBYTES NEWHOPE_CPAPKE_CIPHERTEXTBYTES
-
-#define NEWHOPE_CCAKEM_PUBLICKEYBYTES NEWHOPE_CPAPKE_PUBLICKEYBYTES
-#define NEWHOPE_CCAKEM_SECRETKEYBYTES (NEWHOPE_CPAPKE_SECRETKEYBYTES + NEWHOPE_CPAPKE_PUBLICKEYBYTES + 2*NEWHOPE_SYMBYTES)
-#define NEWHOPE_CCAKEM_CIPHERTEXTBYTES (NEWHOPE_CPAPKE_CIPHERTEXTBYTES + NEWHOPE_SYMBYTES) /* Second part is for Targhi-Unruh */
-
-#endif
diff --git a/crypto_kem/newhope1024cca/clean/poly.c b/crypto_kem/newhope1024cca/clean/poly.c
deleted file mode 100644
index efa8fbb5..00000000
--- a/crypto_kem/newhope1024cca/clean/poly.c
+++ /dev/null
@@ -1,358 +0,0 @@
-#include "fips202.h"
-#include "ntt.h"
-#include "poly.h"
-#include "reduce.h"
-
-/*************************************************
-* Name: coeff_freeze
-*
-* Description: Fully reduces an integer modulo q in constant time
-*
-* Arguments: uint16_t x: input integer to be reduced
-*
-* Returns integer in {0,...,q-1} congruent to x modulo q
-**************************************************/
-static uint16_t coeff_freeze(uint16_t x) {
- uint16_t m, r;
- int16_t c;
- r = x % NEWHOPE_Q;
-
- m = r - NEWHOPE_Q;
- c = m;
- c >>= 15;
- r = m ^ ((r ^ m)&c);
-
- return r;
-}
-
-/*************************************************
-* Name: flipabs
-*
-* Description: Computes |(x mod q) - Q/2|
-*
-* Arguments: uint16_t x: input coefficient
-*
-* Returns |(x mod q) - Q/2|
-**************************************************/
-static uint16_t flipabs(uint16_t x) {
- int16_t r, m;
- r = coeff_freeze(x);
-
- r = r - NEWHOPE_Q / 2;
- m = r >> 15;
- return (r + m) ^ m;
-}
-
-/*************************************************
-* Name: poly_frombytes
-*
-* Description: De-serialization of a polynomial
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const unsigned char *a: pointer to input byte array
-**************************************************/
-void PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_frombytes(poly *r, const unsigned char *a) {
- int i;
- for (i = 0; i < NEWHOPE_N / 4; i++) {
- r->coeffs[4 * i + 0] = a[7 * i + 0] | (((uint16_t)a[7 * i + 1] & 0x3f) << 8);
- r->coeffs[4 * i + 1] = (a[7 * i + 1] >> 6) | (((uint16_t)a[7 * i + 2]) << 2) | (((uint16_t)a[7 * i + 3] & 0x0f) << 10);
- r->coeffs[4 * i + 2] = (a[7 * i + 3] >> 4) | (((uint16_t)a[7 * i + 4]) << 4) | (((uint16_t)a[7 * i + 5] & 0x03) << 12);
- r->coeffs[4 * i + 3] = (a[7 * i + 5] >> 2) | (((uint16_t)a[7 * i + 6]) << 6);
- }
-}
-
-/*************************************************
-* Name: poly_tobytes
-*
-* Description: Serialization of a polynomial
-*
-* Arguments: - unsigned char *r: pointer to output byte array
-* - const poly *p: pointer to input polynomial
-**************************************************/
-void PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_tobytes(unsigned char *r, const poly *p) {
- int i;
- uint16_t t0, t1, t2, t3;
- for (i = 0; i < NEWHOPE_N / 4; i++) {
- t0 = coeff_freeze(p->coeffs[4 * i + 0]);
- t1 = coeff_freeze(p->coeffs[4 * i + 1]);
- t2 = coeff_freeze(p->coeffs[4 * i + 2]);
- t3 = coeff_freeze(p->coeffs[4 * i + 3]);
-
- r[7 * i + 0] = t0 & 0xff;
- r[7 * i + 1] = (unsigned char) ((t0 >> 8) | (t1 << 6));
- r[7 * i + 2] = (unsigned char) ((t1 >> 2));
- r[7 * i + 3] = (unsigned char) ((t1 >> 10) | (t2 << 4));
- r[7 * i + 4] = (unsigned char) ((t2 >> 4));
- r[7 * i + 5] = (unsigned char) ((t2 >> 12) | (t3 << 2));
- r[7 * i + 6] = (unsigned char) ((t3 >> 6));
- }
-}
-
-/*************************************************
-* Name: poly_compress
-*
-* Description: Compression and subsequent serialization of a polynomial
-*
-* Arguments: - unsigned char *r: pointer to output byte array
-* - const poly *p: pointer to input polynomial
-**************************************************/
-void PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_compress(unsigned char *r, const poly *p) {
- unsigned int i, j, k = 0;
-
- uint32_t t[8];
-
- for (i = 0; i < NEWHOPE_N; i += 8) {
- for (j = 0; j < 8; j++) {
- t[j] = coeff_freeze(p->coeffs[i + j]);
- t[j] = (((t[j] << 3) + NEWHOPE_Q / 2) / NEWHOPE_Q) & 0x7;
- }
-
- r[k] = (unsigned char) (t[0] | (t[1] << 3) | (t[2] << 6));
- r[k + 1] = (unsigned char) ((t[2] >> 2) | (t[3] << 1) | (t[4] << 4) | (t[5] << 7));
- r[k + 2] = (unsigned char) ((t[5] >> 1) | (t[6] << 2) | (t[7] << 5));
- k += 3;
- }
-}
-
-/*************************************************
-* Name: poly_decompress
-*
-* Description: De-serialization and subsequent decompression of a polynomial;
-* approximate inverse of poly_compress
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const unsigned char *a: pointer to input byte array
-**************************************************/
-void PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_decompress(poly *r, const unsigned char *a) {
- unsigned int i, j;
- for (i = 0; i < NEWHOPE_N; i += 8) {
- r->coeffs[i + 0] = a[0] & 7;
- r->coeffs[i + 1] = (a[0] >> 3) & 7;
- r->coeffs[i + 2] = (a[0] >> 6) | ((a[1] << 2) & 4);
- r->coeffs[i + 3] = (a[1] >> 1) & 7;
- r->coeffs[i + 4] = (a[1] >> 4) & 7;
- r->coeffs[i + 5] = (a[1] >> 7) | ((a[2] << 1) & 6);
- r->coeffs[i + 6] = (a[2] >> 2) & 7;
- r->coeffs[i + 7] = (a[2] >> 5);
- a += 3;
- for (j = 0; j < 8; j++) {
- r->coeffs[i + j] = ((uint32_t)r->coeffs[i + j] * NEWHOPE_Q + 4) >> 3;
- }
- }
-}
-
-/*************************************************
-* Name: poly_frommsg
-*
-* Description: Convert 32-byte message to polynomial
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const unsigned char *msg: pointer to input message
-**************************************************/
-void PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_frommsg(poly *r, const unsigned char *msg) {
- unsigned int i, j, mask;
- for (i = 0; i < NEWHOPE_SYMBYTES; i++) {
- for (j = 0; j < 8; j++) {
- mask = -((msg[i] >> j) & 1);
- r->coeffs[8 * i + j + 0] = mask & (NEWHOPE_Q / 2);
- r->coeffs[8 * i + j + 256] = mask & (NEWHOPE_Q / 2);
- r->coeffs[8 * i + j + 512] = mask & (NEWHOPE_Q / 2);
- r->coeffs[8 * i + j + 768] = mask & (NEWHOPE_Q / 2);
- }
- }
-}
-
-/*************************************************
-* Name: poly_tomsg
-*
-* Description: Convert polynomial to 32-byte message
-*
-* Arguments: - unsigned char *msg: pointer to output message
-* - const poly *x: pointer to input polynomial
-**************************************************/
-void PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_tomsg(unsigned char *msg, const poly *x) {
- unsigned int i;
- uint16_t t;
-
- for (i = 0; i < 32; i++) {
- msg[i] = 0;
- }
-
- for (i = 0; i < 256; i++) {
- t = flipabs(x->coeffs[i + 0]);
- t += flipabs(x->coeffs[i + 256]);
- t += flipabs(x->coeffs[i + 512]);
- t += flipabs(x->coeffs[i + 768]);
- t = ((t - NEWHOPE_Q));
-
- t >>= 15;
- msg[i >> 3] |= t << (i & 7);
- }
-}
-
-/*************************************************
-* Name: poly_uniform
-*
-* Description: Sample a polynomial deterministically from a seed,
-* with output polynomial looking uniformly random
-*
-* Arguments: - poly *a: pointer to output polynomial
-* - const unsigned char *seed: pointer to input seed
-**************************************************/
-void PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_uniform(poly *a, const unsigned char *seed) {
- unsigned int ctr = 0;
- uint16_t val;
- shake128ctx state;
- uint8_t buf[SHAKE128_RATE];
- uint8_t extseed[NEWHOPE_SYMBYTES + 1];
- int i, j;
-
- for (i = 0; i < NEWHOPE_SYMBYTES; i++) {
- extseed[i] = seed[i];
- }
-
- for (i = 0; i < NEWHOPE_N / 64; i++) { /* generate a in blocks of 64 coefficients */
- ctr = 0;
- extseed[NEWHOPE_SYMBYTES] = (unsigned char) i; /* domain-separate the 16 independent calls */
- shake128_absorb(&state, extseed, NEWHOPE_SYMBYTES + 1);
- while (ctr < 64) { /* Very unlikely to run more than once */
- shake128_squeezeblocks(buf, 1, &state);
- for (j = 0; j < SHAKE128_RATE && ctr < 64; j += 2) {
- val = (buf[j] | ((uint16_t) buf[j + 1] << 8));
- if (val < 5 * NEWHOPE_Q) {
- a->coeffs[i * 64 + ctr] = val;
- ctr++;
- }
- }
- }
- shake128_ctx_release(&state);
- }
-}
-
-/*************************************************
-* Name: hw
-*
-* Description: Compute the Hamming weight of a byte
-*
-* Arguments: - unsigned char a: input byte
-**************************************************/
-static unsigned char hw(unsigned char a) {
- unsigned char i, r = 0;
- for (i = 0; i < 8; i++) {
- r += (a >> i) & 1;
- }
- return r;
-}
-
-/*************************************************
-* Name: poly_sample
-*
-* Description: Sample a polynomial deterministically from a seed and a nonce,
-* with output polynomial close to centered binomial distribution
-* with parameter k=8
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const unsigned char *seed: pointer to input seed
-* - unsigned char nonce: one-byte input nonce
-**************************************************/
-void PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_sample(poly *r, const unsigned char *seed, unsigned char nonce) {
- unsigned char buf[128], a, b;
- int i, j;
-
- unsigned char extseed[NEWHOPE_SYMBYTES + 2];
-
- for (i = 0; i < NEWHOPE_SYMBYTES; i++) {
- extseed[i] = seed[i];
- }
- extseed[NEWHOPE_SYMBYTES] = nonce;
-
- for (i = 0; i < NEWHOPE_N / 64; i++) { /* Generate noise in blocks of 64 coefficients */
- extseed[NEWHOPE_SYMBYTES + 1] = (unsigned char) i;
- shake256(buf, 128, extseed, NEWHOPE_SYMBYTES + 2);
- for (j = 0; j < 64; j++) {
- a = buf[2 * j];
- b = buf[2 * j + 1];
- r->coeffs[64 * i + j] = hw(a) + NEWHOPE_Q - hw(b);
- }
- }
-}
-
-/*************************************************
-* Name: poly_pointwise
-*
-* Description: Multiply two polynomials pointwise (i.e., coefficient-wise).
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const poly *a: pointer to first input polynomial
-* - const poly *b: pointer to second input polynomial
-**************************************************/
-void PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_mul_pointwise(poly *r, const poly *a, const poly *b) {
- int i;
- uint16_t t;
- for (i = 0; i < NEWHOPE_N; i++) {
- t = PQCLEAN_NEWHOPE1024CCA_CLEAN_montgomery_reduce(3186 * b->coeffs[i]); /* t is now in Montgomery domain */
- r->coeffs[i] = PQCLEAN_NEWHOPE1024CCA_CLEAN_montgomery_reduce(a->coeffs[i] * t); /* r->coeffs[i] is back in normal domain */
- }
-}
-
-/*************************************************
-* Name: poly_add
-*
-* Description: Add two polynomials
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const poly *a: pointer to first input polynomial
-* - const poly *b: pointer to second input polynomial
-**************************************************/
-void PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_add(poly *r, const poly *a, const poly *b) {
- int i;
- for (i = 0; i < NEWHOPE_N; i++) {
- r->coeffs[i] = (a->coeffs[i] + b->coeffs[i]) % NEWHOPE_Q;
- }
-}
-
-/*************************************************
-* Name: poly_sub
-*
-* Description: Subtract two polynomials
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const poly *a: pointer to first input polynomial
-* - const poly *b: pointer to second input polynomial
-**************************************************/
-void PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_sub(poly *r, const poly *a, const poly *b) {
- int i;
- for (i = 0; i < NEWHOPE_N; i++) {
- r->coeffs[i] = (a->coeffs[i] + 3 * NEWHOPE_Q - b->coeffs[i]) % NEWHOPE_Q;
- }
-}
-
-/*************************************************
-* Name: poly_ntt
-*
-* Description: Forward NTT transform of a polynomial in place
-* Input is assumed to have coefficients in bitreversed order
-* Output has coefficients in normal order
-*
-* Arguments: - poly *r: pointer to in/output polynomial
-**************************************************/
-void PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_ntt(poly *r) {
- PQCLEAN_NEWHOPE1024CCA_CLEAN_mul_coefficients(r->coeffs, PQCLEAN_NEWHOPE1024CCA_CLEAN_gammas_bitrev_montgomery);
- PQCLEAN_NEWHOPE1024CCA_CLEAN_ntt((uint16_t *)r->coeffs, PQCLEAN_NEWHOPE1024CCA_CLEAN_gammas_bitrev_montgomery);
-}
-
-/*************************************************
-* Name: poly_invntt
-*
-* Description: Inverse NTT transform of a polynomial in place
-* Input is assumed to have coefficients in normal order
-* Output has coefficients in normal order
-*
-* Arguments: - poly *r: pointer to in/output polynomial
-**************************************************/
-void PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_invntt(poly *r) {
- PQCLEAN_NEWHOPE1024CCA_CLEAN_bitrev_vector(r->coeffs);
- PQCLEAN_NEWHOPE1024CCA_CLEAN_ntt((uint16_t *)r->coeffs, PQCLEAN_NEWHOPE1024CCA_CLEAN_omegas_inv_bitrev_montgomery);
- PQCLEAN_NEWHOPE1024CCA_CLEAN_mul_coefficients(r->coeffs, PQCLEAN_NEWHOPE1024CCA_CLEAN_gammas_inv_montgomery);
-}
-
diff --git a/crypto_kem/newhope1024cca/clean/poly.h b/crypto_kem/newhope1024cca/clean/poly.h
deleted file mode 100644
index 7da7ee58..00000000
--- a/crypto_kem/newhope1024cca/clean/poly.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#ifndef POLY_H
-#define POLY_H
-
-#include "params.h"
-#include
-
-/*
- * Elements of R_q = Z_q[X]/(X^n + 1). Represents polynomial
- * coeffs[0] + X*coeffs[1] + X^2*xoeffs[2] + ... + X^{n-1}*coeffs[n-1]
- */
-typedef struct {
- uint16_t coeffs[NEWHOPE_N];
-} poly;
-
-void PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_uniform(poly *a, const unsigned char *seed);
-void PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_sample(poly *r, const unsigned char *seed, unsigned char nonce);
-void PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_add(poly *r, const poly *a, const poly *b);
-
-void PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_ntt(poly *r);
-void PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_invntt(poly *r);
-void PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_mul_pointwise(poly *r, const poly *a, const poly *b);
-
-void PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_frombytes(poly *r, const unsigned char *a);
-void PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_tobytes(unsigned char *r, const poly *p);
-void PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_compress(unsigned char *r, const poly *p);
-void PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_decompress(poly *r, const unsigned char *a);
-
-void PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_frommsg(poly *r, const unsigned char *msg);
-void PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_tomsg(unsigned char *msg, const poly *x);
-void PQCLEAN_NEWHOPE1024CCA_CLEAN_poly_sub(poly *r, const poly *a, const poly *b);
-
-#endif
diff --git a/crypto_kem/newhope1024cca/clean/precomp.c b/crypto_kem/newhope1024cca/clean/precomp.c
deleted file mode 100644
index 1540c6bb..00000000
--- a/crypto_kem/newhope1024cca/clean/precomp.c
+++ /dev/null
@@ -1,261 +0,0 @@ -#include "inttypes.h" -#include "ntt.h" -#include "params.h" - -/* Precomputed NTT contants generated by Pari/GP script as follows: - * - * For n = 512: - * - * brv = [0,256,128,384,64,320,192,448,32,288,160,416,96,352,224,480,16,272,144,400,80,336,208,464,48,304,176,432,112,368,240,496,8, - * 264,136,392,72,328,200,456,40,296,168,424,104,360,232,488,24,280,152,408,88,344,216,472,56,312,184,440,120,376,248,504,4, - * 260,132,388,68,324,196,452,36,292,164,420,100,356,228,484,20,276,148,404,84,340,212,468,52,308,180,436,116,372,244,500,12, - * 268,140,396,76,332,204,460,44,300,172,428,108,364,236,492,28,284,156,412,92,348,220,476,60,316,188,444,124,380,252,508,2, - * 258,130,386,66,322,194,450,34,290,162,418,98,354,226,482,18,274,146,402,82,338,210,466,50,306,178,434,114,370,242,498,10, - * 266,138,394,74,330,202,458,42,298,170,426,106,362,234,490,26,282,154,410,90,346,218,474,58,314,186,442,122,378,250,506,6, - * 262,134,390,70,326,198,454,38,294,166,422,102,358,230,486,22,278,150,406,86,342,214,470,54,310,182,438,118,374,246,502,14, - * 270,142,398,78,334,206,462,46,302,174,430,110,366,238,494,30,286,158,414,94,350,222,478,62,318,190,446,126,382,254,510,1, - * 257,129,385,65,321,193,449,33,289,161,417,97,353,225,481,17,273,145,401,81,337,209,465,49,305,177,433,113,369,241,497,9, - * 265,137,393,73,329,201,457,41,297,169,425,105,361,233,489,25,281,153,409,89,345,217,473,57,313,185,441,121,377,249,505,5, - * 261,133,389,69,325,197,453,37,293,165,421,101,357,229,485,21,277,149,405,85,341,213,469,53,309,181,437,117,373,245,501,13, - * 269,141,397,77,333,205,461,45,301,173,429,109,365,237,493,29,285,157,413,93,349,221,477,61,317,189,445,125,381,253,509,3, - * 259,131,387,67,323,195,451,35,291,163,419,99,355,227,483,19,275,147,403,83,339,211,467,51,307,179,435,115,371,243,499,11, - * 267,139,395,75,331,203,459,43,299,171,427,107,363,235,491,27,283,155,411,91,347,219,475,59,315,187,443,123,379,251,507,7, - * 
263,135,391,71,327,199,455,39,295,167,423,103,359,231,487,23,279,151,407,87,343,215,471,55,311,183,439,119,375,247,503,15, - * 271,143,399,79,335,207,463,47,303,175,431,111,367,239,495,31,287,159,415,95,351,223,479,63,319,191,447,127,383,255,511] - * n = 512; q = 12289; mont=2^18 - * g = Mod(10968, q); - * omegas_inv_bitrev_montgomery = lift(vector(n/2, i, (g^2)^(-brv[2*(i-1)+1])*mont)) - * gammas_bitrev_montgomery = lift(vector(n, i, g^(brv[i])*mont)) - * gammas_inv_montgomery = lift(vector(n, i, g^(-(i-1))/n*mont)) - * - * - * For n = 1024: - * - * brv = [0,512,256,768,128,640,384,896,64,576,320,832,192,704,448,960,32,544,288,800,160,672,416,928,96,608,352,864,224,736,480,992, \ - * 16,528,272,784,144,656,400,912,80,592,336,848,208,720,464,976,48,560,304,816,176,688,432,944,112,624,368,880,240,752,496,1008, \ - * 8,520,264,776,136,648,392,904,72,584,328,840,200,712,456,968,40,552,296,808,168,680,424,936,104,616,360,872,232,744,488,1000, \ - * 24,536,280,792,152,664,408,920,88,600,344,856,216,728,472,984,56,568,312,824,184,696,440,952,120,632,376,888,248,760,504,1016, \ - * 4,516,260,772,132,644,388,900,68,580,324,836,196,708,452,964,36,548,292,804,164,676,420,932,100,612,356,868,228,740,484,996, \ - * 20,532,276,788,148,660,404,916,84,596,340,852,212,724,468,980,52,564,308,820,180,692,436,948,116,628,372,884,244,756,500,1012, \ - * 12,524,268,780,140,652,396,908,76,588,332,844,204,716,460,972,44,556,300,812,172,684,428,940,108,620,364,876,236,748,492,1004, \ - * 28,540,284,796,156,668,412,924,92,604,348,860,220,732,476,988,60,572,316,828,188,700,444,956,124,636,380,892,252,764,508,1020, \ - * 2,514,258,770,130,642,386,898,66,578,322,834,194,706,450,962,34,546,290,802,162,674,418,930,98,610,354,866,226,738,482,994, \ - * 18,530,274,786,146,658,402,914,82,594,338,850,210,722,466,978,50,562,306,818,178,690,434,946,114,626,370,882,242,754,498,1010, \ - * 
10,522,266,778,138,650,394,906,74,586,330,842,202,714,458,970,42,554,298,810,170,682,426,938,106,618,362,874,234,746,490,1002, \ - * 26,538,282,794,154,666,410,922,90,602,346,858,218,730,474,986,58,570,314,826,186,698,442,954,122,634,378,890,250,762,506,1018, \ - * 6,518,262,774,134,646,390,902,70,582,326,838,198,710,454,966,38,550,294,806,166,678,422,934,102,614,358,870,230,742,486,998, \ - * 22,534,278,790,150,662,406,918,86,598,342,854,214,726,470,982,54,566,310,822,182,694,438,950,118,630,374,886,246,758,502,1014, \ - * 14,526,270,782,142,654,398,910,78,590,334,846,206,718,462,974,46,558,302,814,174,686,430,942,110,622,366,878,238,750,494,1006, \ - * 30,542,286,798,158,670,414,926,94,606,350,862,222,734,478,990,62,574,318,830,190,702,446,958,126,638,382,894,254,766,510,1022, \ - * 1,513,257,769,129,641,385,897,65,577,321,833,193,705,449,961,33,545,289,801,161,673,417,929,97,609,353,865,225,737,481,993, \ - * 17,529,273,785,145,657,401,913,81,593,337,849,209,721,465,977,49,561,305,817,177,689,433,945,113,625,369,881,241,753,497,1009, \ - * 9,521,265,777,137,649,393,905,73,585,329,841,201,713,457,969,41,553,297,809,169,681,425,937,105,617,361,873,233,745,489,1001, \ - * 25,537,281,793,153,665,409,921,89,601,345,857,217,729,473,985,57,569,313,825,185,697,441,953,121,633,377,889,249,761,505,1017, \ - * 5,517,261,773,133,645,389,901,69,581,325,837,197,709,453,965,37,549,293,805,165,677,421,933,101,613,357,869,229,741,485,997, \ - * 21,533,277,789,149,661,405,917,85,597,341,853,213,725,469,981,53,565,309,821,181,693,437,949,117,629,373,885,245,757,501,1013, \ - * 13,525,269,781,141,653,397,909,77,589,333,845,205,717,461,973,45,557,301,813,173,685,429,941,109,621,365,877,237,749,493,1005, \ - * 29,541,285,797,157,669,413,925,93,605,349,861,221,733,477,989,61,573,317,829,189,701,445,957,125,637,381,893,253,765,509,1021, \ - * 3,515,259,771,131,643,387,899,67,579,323,835,195,707,451,963,35,547,291,803,163,675,419,931,99,611,355,867,227,739,483,995, \ - * 
19,531,275,787,147,659,403,915,83,595,339,851,211,723,467,979,51,563,307,819,179,691,435,947,115,627,371,883,243,755,499,1011, \ - * 11,523,267,779,139,651,395,907,75,587,331,843,203,715,459,971,43,555,299,811,171,683,427,939,107,619,363,875,235,747,491,1003, \ - * 27,539,283,795,155,667,411,923,91,603,347,859,219,731,475,987,59,571,315,827,187,699,443,955,123,635,379,891,251,763,507,1019, \ - * 7,519,263,775,135,647,391,903,71,583,327,839,199,711,455,967,39,551,295,807,167,679,423,935,103,615,359,871,231,743,487,999, \ - * 23,535,279,791,151,663,407,919,87,599,343,855,215,727,471,983,55,567,311,823,183,695,439,951,119,631,375,887,247,759,503,1015, \ - * 15,527,271,783,143,655,399,911,79,591,335,847,207,719,463,975,47,559,303,815,175,687,431,943,111,623,367,879,239,751,495,1007, \ - * 31,543,287,799,159,671,415,927,95,607,351,863,223,735,479,991,63,575,319,831,191,703,447,959,127,639,383,895,255,767,511,1023] - * - * n = 1024; q = 12289; mont=2^18 - * g = Mod(7, q); - * omegas_inv_bitrev_montgomery = lift(vector(n/2, i, (g^2)^(-brv[2*(i-1)+1])*mont)) - * gammas_bitrev_montgomery = lift(vector(n, i, g^(brv[i])*mont)) - * gammas_inv_montgomery = lift(vector(n, i, g^(-(i-1))/n*mont)) -*/ - - -/************************************************************ -* Name: omegas_inv_bitrev_montgomery -* -* Description: Contains inverses of powers of nth root of unity -* in Montgomery domain with R=2^18 in bit-reversed order -************************************************************/ -const uint16_t PQCLEAN_NEWHOPE1024CCA_CLEAN_omegas_inv_bitrev_montgomery[NEWHOPE_N / 2] = { - 4075, 5315, 4324, 4916, 10120, 11767, 7210, 9027, 10316, 6715, 1278, 9945, 3514, 11248, 11271, 5925, - 147, 8500, 7840, 6833, 5537, 4749, 4467, 7500, 11099, 9606, 6171, 8471, 8429, 5445, 11239, 7753, - 9090, 12233, 5529, 5206, 10587, 1987, 11635, 3565, 5415, 8646, 6153, 6427, 7341, 6152, 10561, 400, - 8410, 1922, 2033, 8291, 1359, 6854, 11035, 973, 8579, 6093, 6950, 5446, 11821, 8301, 11907, 316, - 52, 
3174, 10966, 9523, 6055, 8953, 11612, 6415, 2505, 5906, 10710, 11858, 8332, 9450, 10162, 151, - 3482, 787, 5468, 1010, 4169, 9162, 5241, 9369, 7509, 8844, 7232, 4698, 192, 1321, 10240, 4912, - 885, 6281, 10333, 7280, 8757, 11286, 58, 12048, 12147, 11184, 8812, 6608, 2844, 3438, 4212, 11314, - 8687, 6068, 421, 8209, 3600, 3263, 7665, 6077, 7507, 5886, 3029, 6695, 4213, 504, 11684, 2302, - 1962, 1594, 6328, 7183, 168, 2692, 8960, 4298, 5184, 11089, 6122, 9734, 10929, 3956, 5297, 6170, - 3762, 9370, 4016, 4077, 6523, 652, 11994, 6099, 1146, 11341, 11964, 10885, 6299, 1159, 8240, 8561, - 11177, 2078, 10331, 4322, 11367, 441, 4079, 11231, 3150, 1319, 8243, 709, 8049, 8719, 11454, 6224, - 3054, 6803, 3123, 10542, 4433, 6370, 7032, 3834, 8633, 12225, 9830, 683, 1566, 5782, 9786, 9341, - 12115, 723, 3009, 1693, 5735, 2655, 2738, 6421, 11942, 2925, 1975, 8532, 3315, 11863, 4754, 1858, - 1583, 6347, 2500, 10800, 6374, 1483, 12240, 1263, 1815, 5383, 10777, 350, 6920, 10232, 4493, 9087, - 8855, 8760, 9381, 218, 9928, 10446, 9259, 4115, 6147, 9842, 8326, 576, 10335, 10238, 10484, 9407, - 6381, 11836, 8517, 418, 6860, 7515, 1293, 7552, 2767, 156, 8298, 8320, 10008, 5876, 5333, 10258, - 10115, 4372, 2847, 7875, 8232, 9018, 8925, 1689, 8236, 2645, 5042, 9984, 7094, 9509, 1484, 7394, - 3, 4437, 160, 3149, 113, 7370, 10123, 3915, 6998, 2704, 8653, 4938, 1426, 7635, 10512, 1663, - 6957, 3510, 2370, 2865, 3978, 9320, 3247, 9603, 6882, 3186, 10659, 10163, 1153, 9405, 8241, 10040, - 2178, 1544, 5559, 420, 8304, 4905, 476, 3531, 5191, 9153, 2399, 8889, 3000, 671, 243, 3016, - 3763, 10849, 12262, 9223, 10657, 7205, 11272, 7404, 7575, 8146, 10752, 242, 2678, 3704, 11744, 5019, - 3833, 3778, 11899, 773, 5101, 11222, 9888, 442, 2912, 5698, 11935, 4861, 7277, 9808, 11244, 2859, - 3780, 11414, 4976, 10682, 7201, 8005, 11287, 5011, 6267, 2987, 2437, 3646, 2566, 10102, 9867, 6250, - 5444, 2381, 11796, 8193, 4337, 11854, 1912, 1378, 404, 7644, 1065, 2143, 11121, 5277, 3248, 11082, - 2548, 8058, 
8907, 11934, 1759, 8582, 3694, 7110, 12144, 6747, 8652, 3459, 2731, 8357, 6378, 7399, - 10861, 1696, 9863, 334, 7657, 6534, 11029, 4388, 11560, 3241, 10276, 9000, 9408, 3284, 10200, 7197, - 6498, 544, 2468, 339, 11267, 9, 2842, 480, 5331, 7300, 1673, 4278, 4177, 8705, 9764, 1381, - 7837, 2396, 8340, 8993, 4354, 130, 6915, 2837, 11462, 5767, 953, 8541, 9813, 118, 7222, 2197, - 3006, 9545, 563, 9314, 2625, 11340, 4821, 2639, 7266, 5828, 6561, 7698, 3328, 6512, 1351, 7311, - 6553, 8155, 1305, 722, 5146, 4043, 12288, 10810, 2545, 3621, 8747, 8785, 1646, 1212, 5860, 3195, - 7203, 10963, 3201, 3014, 955, 11499, 9970, 11119, 3135, 3712, 7443, 9542, 7484, 8736, 9995, 11227, - 1635, 9521, 1177, 8034, 140, 10436, 11563, 7678, 4320, 11289, 9198, 12208, 2963, 7393, 2366, 9238 -}; - -/************************************************************ -* Name: gammas_bitrev_montgomery -* -* Description: Contains powers of nth root of -1 in Montgomery -* domain with R=2^18 in bit-reversed order -************************************************************/ -const uint16_t PQCLEAN_NEWHOPE1024CCA_CLEAN_gammas_bitrev_montgomery[NEWHOPE_N] = { - 4075, 6974, 7373, 7965, 3262, 5079, 522, 2169, 6364, 1018, 1041, 8775, 2344, 11011, 5574, 1973, - 4536, 1050, 6844, 3860, 3818, 6118, 2683, 1190, 4789, 7822, 7540, 6752, 5456, 4449, 3789, 12142, - 11973, 382, 3988, 468, 6843, 5339, 6196, 3710, 11316, 1254, 5435, 10930, 3998, 10256, 10367, 3879, - 11889, 1728, 6137, 4948, 5862, 6136, 3643, 6874, 8724, 654, 10302, 1702, 7083, 6760, 56, 3199, - 9987, 605, 11785, 8076, 5594, 9260, 6403, 4782, 6212, 4624, 9026, 8689, 4080, 11868, 6221, 3602, - 975, 8077, 8851, 9445, 5681, 3477, 1105, 142, 241, 12231, 1003, 3532, 5009, 1956, 6008, 11404, - 7377, 2049, 10968, 12097, 7591, 5057, 3445, 4780, 2920, 7048, 3127, 8120, 11279, 6821, 11502, 8807, - 12138, 2127, 2839, 3957, 431, 1579, 6383, 9784, 5874, 677, 3336, 6234, 2766, 1323, 9115, 12237, - 2031, 6956, 6413, 2281, 3969, 3991, 12133, 9522, 4737, 10996, 4774, 
5429, 11871, 3772, 453, 5908, - 2882, 1805, 2051, 1954, 11713, 3963, 2447, 6142, 8174, 3030, 1843, 2361, 12071, 2908, 3529, 3434, - 3202, 7796, 2057, 5369, 11939, 1512, 6906, 10474, 11026, 49, 10806, 5915, 1489, 9789, 5942, 10706, - 10431, 7535, 426, 8974, 3757, 10314, 9364, 347, 5868, 9551, 9634, 6554, 10596, 9280, 11566, 174, - 2948, 2503, 6507, 10723, 11606, 2459, 64, 3656, 8455, 5257, 5919, 7856, 1747, 9166, 5486, 9235, - 6065, 835, 3570, 4240, 11580, 4046, 10970, 9139, 1058, 8210, 11848, 922, 7967, 1958, 10211, 1112, - 3728, 4049, 11130, 5990, 1404, 325, 948, 11143, 6190, 295, 11637, 5766, 8212, 8273, 2919, 8527, - 6119, 6992, 8333, 1360, 2555, 6167, 1200, 7105, 7991, 3329, 9597, 12121, 5106, 5961, 10695, 10327, - 3051, 9923, 4896, 9326, 81, 3091, 1000, 7969, 4611, 726, 1853, 12149, 4255, 11112, 2768, 10654, - 1062, 2294, 3553, 4805, 2747, 4846, 8577, 9154, 1170, 2319, 790, 11334, 9275, 9088, 1326, 5086, - 9094, 6429, 11077, 10643, 3504, 3542, 8668, 9744, 1479, 1, 8246, 7143, 11567, 10984, 4134, 5736, - 4978, 10938, 5777, 8961, 4591, 5728, 6461, 5023, 9650, 7468, 949, 9664, 2975, 11726, 2744, 9283, - 10092, 5067, 12171, 2476, 3748, 11336, 6522, 827, 9452, 5374, 12159, 7935, 3296, 3949, 9893, 4452, - 10908, 2525, 3584, 8112, 8011, 10616, 4989, 6958, 11809, 9447, 12280, 1022, 11950, 9821, 11745, 5791, - 5092, 2089, 9005, 2881, 3289, 2013, 9048, 729, 7901, 1260, 5755, 4632, 11955, 2426, 10593, 1428, - 4890, 5911, 3932, 9558, 8830, 3637, 5542, 145, 5179, 8595, 3707, 10530, 355, 3382, 4231, 9741, - 1207, 9041, 7012, 1168, 10146, 11224, 4645, 11885, 10911, 10377, 435, 7952, 4096, 493, 9908, 6845, - 6039, 2422, 2187, 9723, 8643, 9852, 9302, 6022, 7278, 1002, 4284, 5088, 1607, 7313, 875, 8509, - 9430, 1045, 2481, 5012, 7428, 354, 6591, 9377, 11847, 2401, 1067, 7188, 11516, 390, 8511, 8456, - 7270, 545, 8585, 9611, 12047, 1537, 4143, 4714, 4885, 1017, 5084, 1632, 3066, 27, 1440, 8526, - 9273, 12046, 11618, 9289, 3400, 9890, 3136, 7098, 8758, 11813, 7384, 3985, 11869, 
6730, 10745, 10111, - 2249, 4048, 2884, 11136, 2126, 1630, 9103, 5407, 2686, 9042, 2969, 8311, 9424, 9919, 8779, 5332, - 10626, 1777, 4654, 10863, 7351, 3636, 9585, 5291, 8374, 2166, 4919, 12176, 9140, 12129, 7852, 12286, - 4895, 10805, 2780, 5195, 2305, 7247, 9644, 4053, 10600, 3364, 3271, 4057, 4414, 9442, 7917, 2174, - 3947, 11951, 2455, 6599, 10545, 10975, 3654, 2894, 7681, 7126, 7287, 12269, 4119, 3343, 2151, 1522, - 7174, 7350, 11041, 2442, 2148, 5959, 6492, 8330, 8945, 5598, 3624, 10397, 1325, 6565, 1945, 11260, - 10077, 2674, 3338, 3276, 11034, 506, 6505, 1392, 5478, 8778, 1178, 2776, 3408, 10347, 11124, 2575, - 9489, 12096, 6092, 10058, 4167, 6085, 923, 11251, 11912, 4578, 10669, 11914, 425, 10453, 392, 10104, - 8464, 4235, 8761, 7376, 2291, 3375, 7954, 8896, 6617, 7790, 1737, 11667, 3982, 9342, 6680, 636, - 6825, 7383, 512, 4670, 2900, 12050, 7735, 994, 1687, 11883, 7021, 146, 10485, 1403, 5189, 6094, - 2483, 2054, 3042, 10945, 3981, 10821, 11826, 8882, 8151, 180, 9600, 7684, 5219, 10880, 6780, 204, - 11232, 2600, 7584, 3121, 3017, 11053, 7814, 7043, 4251, 4739, 11063, 6771, 7073, 9261, 2360, 11925, - 1928, 11825, 8024, 3678, 3205, 3359, 11197, 5209, 8581, 3238, 8840, 1136, 9363, 1826, 3171, 4489, - 7885, 346, 2068, 1389, 8257, 3163, 4840, 6127, 8062, 8921, 612, 4238, 10763, 8067, 125, 11749, - 10125, 5416, 2110, 716, 9839, 10584, 11475, 11873, 3448, 343, 1908, 4538, 10423, 7078, 4727, 1208, - 11572, 3589, 2982, 1373, 1721, 10753, 4103, 2429, 4209, 5412, 5993, 9011, 438, 3515, 7228, 1218, - 8347, 5232, 8682, 1327, 7508, 4924, 448, 1014, 10029, 12221, 4566, 5836, 12229, 2717, 1535, 3200, - 5588, 5845, 412, 5102, 7326, 3744, 3056, 2528, 7406, 8314, 9202, 6454, 6613, 1417, 10032, 7784, - 1518, 3765, 4176, 5063, 9828, 2275, 6636, 4267, 6463, 2065, 7725, 3495, 8328, 8755, 8144, 10533, - 5966, 12077, 9175, 9520, 5596, 6302, 8400, 579, 6781, 11014, 5734, 11113, 11164, 4860, 1131, 10844, - 9068, 8016, 9694, 3837, 567, 9348, 7000, 6627, 7699, 5082, 682, 11309, 
5207, 4050, 7087, 844, - 7434, 3769, 293, 9057, 6940, 9344, 10883, 2633, 8190, 3944, 5530, 5604, 3480, 2171, 9282, 11024, - 2213, 8136, 3805, 767, 12239, 216, 11520, 6763, 10353, 7, 8566, 845, 7235, 3154, 4360, 3285, - 10268, 2832, 3572, 1282, 7559, 3229, 8360, 10583, 6105, 3120, 6643, 6203, 8536, 8348, 6919, 3536, - 9199, 10891, 11463, 5043, 1658, 5618, 8787, 5789, 4719, 751, 11379, 6389, 10783, 3065, 7806, 6586, - 2622, 5386, 510, 7628, 6921, 578, 10345, 11839, 8929, 4684, 12226, 7154, 9916, 7302, 8481, 3670, - 11066, 2334, 1590, 7878, 10734, 1802, 1891, 5103, 6151, 8820, 3418, 7846, 9951, 4693, 417, 9996, - 9652, 4510, 2946, 5461, 365, 881, 1927, 1015, 11675, 11009, 1371, 12265, 2485, 11385, 5039, 6742, - 8449, 1842, 12217, 8176, 9577, 4834, 7937, 9461, 2643, 11194, 3045, 6508, 4094, 3451, 7911, 11048, - 5406, 4665, 3020, 6616, 11345, 7519, 3669, 5287, 1790, 7014, 5410, 11038, 11249, 2035, 6125, 10407, - 4565, 7315, 5078, 10506, 2840, 2478, 9270, 4194, 9195, 4518, 7469, 1160, 6878, 2730, 10421, 10036, - 1734, 3815, 10939, 5832, 10595, 10759, 4423, 8420, 9617, 7119, 11010, 11424, 9173, 189, 10080, 10526, - 3466, 10588, 7592, 3578, 11511, 7785, 9663, 530, 12150, 8957, 2532, 3317, 9349, 10243, 1481, 9332, - 3454, 3758, 7899, 4218, 2593, 11410, 2276, 982, 6513, 1849, 8494, 9021, 4523, 7988, 8, 457, - 648, 150, 8000, 2307, 2301, 874, 5650, 170, 9462, 2873, 9855, 11498, 2535, 11169, 5808, 12268, - 9687, 1901, 7171, 11787, 3846, 1573, 6063, 3793, 466, 11259, 10608, 3821, 6320, 4649, 6263, 2929 -}; - -/************************************************************ -* Name: gammas_inv_montgomery -* -* Description: Contains inverses of powers of nth root of -1 -* divided by n in Montgomery domain with R=2^18 -************************************************************/ -const uint16_t PQCLEAN_NEWHOPE1024CCA_CLEAN_gammas_inv_montgomery[NEWHOPE_N] = { - 256, 10570, 1510, 7238, 1034, 7170, 6291, 7921, 11665, 3422, 4000, 2327, 2088, 5565, 795, 10647, - 1521, 5484, 2539, 7385, 
1055, 7173, 8047, 11683, 1669, 1994, 3796, 5809, 4341, 9398, 11876, 12230, - 10525, 12037, 12253, 3506, 4012, 9351, 4847, 2448, 7372, 9831, 3160, 2207, 5582, 2553, 7387, 6322, - 9681, 1383, 10731, 1533, 219, 5298, 4268, 7632, 6357, 9686, 8406, 4712, 9451, 10128, 4958, 5975, - 11387, 8649, 11769, 6948, 11526, 12180, 1740, 10782, 6807, 2728, 7412, 4570, 4164, 4106, 11120, 12122, - 8754, 11784, 3439, 5758, 11356, 6889, 9762, 11928, 1704, 1999, 10819, 12079, 12259, 7018, 11536, 1648, - 1991, 2040, 2047, 2048, 10826, 12080, 8748, 8272, 8204, 1172, 1923, 7297, 2798, 7422, 6327, 4415, - 7653, 6360, 11442, 12168, 7005, 8023, 9924, 8440, 8228, 2931, 7441, 1063, 3663, 5790, 9605, 10150, - 1450, 8985, 11817, 10466, 10273, 12001, 3470, 7518, 1074, 1909, 7295, 9820, 4914, 702, 5367, 7789, - 8135, 9940, 1420, 3714, 11064, 12114, 12264, 1752, 5517, 9566, 11900, 1700, 3754, 5803, 829, 1874, - 7290, 2797, 10933, 5073, 7747, 8129, 6428, 6185, 11417, 1631, 233, 5300, 9535, 10140, 11982, 8734, - 8270, 2937, 10953, 8587, 8249, 2934, 9197, 4825, 5956, 4362, 9401, 1343, 3703, 529, 10609, 12049, - 6988, 6265, 895, 3639, 4031, 4087, 4095, 585, 10617, 8539, 4731, 4187, 9376, 3095, 9220, 10095, - 10220, 1460, 10742, 12068, 1724, 5513, 11321, 6884, 2739, 5658, 6075, 4379, 11159, 10372, 8504, 4726, - 9453, 3106, 7466, 11600, 10435, 8513, 9994, 8450, 9985, 3182, 10988, 8592, 2983, 9204, 4826, 2445, - 5616, 6069, 867, 3635, 5786, 11360, 5134, 2489, 10889, 12089, 1727, 7269, 2794, 9177, 1311, 5454, - 9557, 6632, 2703, 9164, 10087, 1441, 3717, 531, 3587, 2268, 324, 5313, 759, 1864, 5533, 2546, - 7386, 9833, 8427, 4715, 11207, 1601, 7251, 4547, 11183, 12131, 1733, 10781, 10318, 1474, 10744, 5046, - 4232, 11138, 10369, 6748, 964, 7160, 4534, 7670, 8118, 8182, 4680, 11202, 6867, 981, 8918, 1274, - 182, 26, 7026, 8026, 11680, 12202, 10521, 1503, 7237, 4545, 5916, 9623, 8397, 11733, 10454, 3249, - 9242, 6587, 941, 1890, 270, 10572, 6777, 9746, 6659, 6218, 6155, 6146, 878, 1881, 7291, 11575, - 12187, 
1741, 7271, 8061, 11685, 6936, 4502, 9421, 4857, 4205, 7623, 1089, 10689, 1527, 8996, 10063, - 11971, 10488, 6765, 2722, 3900, 9335, 11867, 6962, 11528, 5158, 4248, 4118, 5855, 2592, 5637, 6072, - 2623, 7397, 8079, 9932, 4930, 5971, 853, 3633, 519, 8852, 11798, 3441, 11025, 1575, 225, 8810, - 11792, 12218, 3501, 9278, 3081, 9218, 4828, 7712, 8124, 11694, 12204, 3499, 4011, 573, 3593, 5780, - 7848, 9899, 10192, 1456, 208, 7052, 2763, 7417, 11593, 10434, 12024, 8740, 11782, 10461, 3250, 5731, - 7841, 9898, 1414, 202, 3540, 7528, 2831, 2160, 10842, 5060, 4234, 4116, 588, 84, 12, 7024, - 2759, 9172, 6577, 11473, 1639, 9012, 3043, 7457, 6332, 11438, 1634, 1989, 9062, 11828, 8712, 11778, - 12216, 10523, 6770, 9745, 10170, 4964, 9487, 6622, 946, 8913, 6540, 6201, 4397, 9406, 8366, 9973, - 8447, 8229, 11709, 8695, 10020, 3187, 5722, 2573, 10901, 6824, 4486, 4152, 9371, 8361, 2950, 2177, - 311, 1800, 9035, 8313, 11721, 3430, 490, 70, 10, 1757, 251, 3547, 7529, 11609, 3414, 7510, - 4584, 4166, 9373, 1339, 5458, 7802, 11648, 1664, 7260, 9815, 10180, 6721, 9738, 10169, 8475, 8233, - 9954, 1422, 8981, 1283, 5450, 11312, 1616, 3742, 11068, 10359, 4991, 713, 3613, 9294, 8350, 4704, - 672, 96, 7036, 9783, 11931, 3460, 5761, 823, 10651, 12055, 10500, 1500, 5481, 783, 3623, 11051, - 8601, 8251, 8201, 11705, 10450, 5004, 4226, 7626, 2845, 2162, 3820, 7568, 9859, 3164, 452, 10598, - 1514, 5483, 6050, 6131, 4387, 7649, 8115, 6426, 918, 8909, 8295, 1185, 5436, 11310, 8638, 1234, - 5443, 11311, 5127, 2488, 2111, 10835, 5059, 7745, 2862, 3920, 560, 80, 1767, 2008, 3798, 11076, - 6849, 2734, 10924, 12094, 8750, 1250, 10712, 6797, 971, 7161, 1023, 8924, 4786, 7706, 4612, 4170, - 7618, 6355, 4419, 5898, 11376, 10403, 10264, 6733, 4473, 639, 5358, 2521, 9138, 3061, 5704, 4326, - 618, 5355, 765, 5376, 768, 7132, 4530, 9425, 3102, 9221, 6584, 11474, 10417, 10266, 12000, 6981, - 6264, 4406, 2385, 7363, 4563, 4163, 7617, 9866, 3165, 9230, 11852, 10471, 5007, 5982, 11388, 5138, - 734, 3616, 11050, 
12112, 6997, 11533, 12181, 10518, 12036, 3475, 2252, 7344, 9827, 4915, 9480, 6621, - 4457, 7659, 9872, 6677, 4465, 4149, 7615, 4599, 657, 3605, 515, 10607, 6782, 4480, 640, 1847, - 3775, 5806, 2585, 5636, 9583, 1369, 10729, 8555, 10000, 11962, 5220, 7768, 8132, 8184, 9947, 1421, - 203, 29, 8782, 11788, 1684, 10774, 10317, 4985, 9490, 8378, 4708, 11206, 5112, 5997, 7879, 11659, - 12199, 8765, 10030, 4944, 5973, 6120, 6141, 6144, 7900, 11662, 1666, 238, 34, 3516, 5769, 9602, - 8394, 9977, 6692, 956, 10670, 6791, 9748, 11926, 8726, 11780, 5194, 742, 106, 8793, 10034, 3189, - 10989, 5081, 4237, 5872, 4350, 2377, 10873, 6820, 6241, 11425, 10410, 10265, 3222, 5727, 9596, 4882, - 2453, 2106, 3812, 11078, 12116, 5242, 4260, 11142, 8614, 11764, 12214, 5256, 4262, 4120, 11122, 5100, - 11262, 5120, 2487, 5622, 9581, 8391, 8221, 2930, 10952, 12098, 6995, 6266, 9673, 4893, 699, 3611, - 4027, 5842, 11368, 1624, 232, 8811, 8281, 1183, 169, 8802, 3013, 2186, 5579, 797, 3625, 4029, - 11109, 1587, 7249, 11569, 8675, 6506, 2685, 10917, 12093, 12261, 12285, 1755, 7273, 1039, 1904, 272, - 3550, 9285, 3082, 5707, 6082, 4380, 7648, 11626, 5172, 4250, 9385, 8363, 8217, 4685, 5936, 848, - 8899, 6538, 934, 1889, 3781, 9318, 10109, 10222, 6727, 961, 5404, 772, 5377, 9546, 8386, 1198, - 8949, 3034, 2189, 7335, 4559, 5918, 2601, 10905, 5069, 9502, 3113, 7467, 8089, 11689, 5181, 9518, - 8382, 2953, 3933, 4073, 4093, 7607, 8109, 2914, 5683, 4323, 11151, 1593, 10761, 6804, 972, 3650, - 2277, 5592, 4310, 7638, 9869, 4921, 703, 1856, 9043, 4803, 9464, 1352, 8971, 11815, 5199, 7765, - 6376, 4422, 7654, 2849, 407, 8836, 6529, 7955, 2892, 9191, 1313, 10721, 12065, 12257, 1751, 9028, - 8312, 2943, 2176, 3822, 546, 78, 8789, 11789, 10462, 12028, 6985, 4509, 9422, 1346, 5459, 4291, - 613, 10621, 6784, 9747, 3148, 7472, 2823, 5670, 810, 7138, 8042, 4660, 7688, 6365, 6176, 6149, - 2634, 5643, 9584, 10147, 11983, 5223, 9524, 11894, 10477, 8519, 1217, 3685, 2282, 326, 10580, 3267, - 7489, 4581, 2410, 5611, 
11335, 6886, 8006, 8166, 11700, 3427, 11023, 8597, 10006, 3185, 455, 65,
- 5276, 7776, 4622, 5927, 7869, 9902, 11948, 5218, 2501, 5624, 2559, 10899, 1557, 1978, 10816, 10323,
- 8497, 4725, 675, 1852, 10798, 12076, 10503, 3256, 9243, 3076, 2195, 10847, 12083, 10504, 12034, 10497
-};
-
diff --git a/crypto_kem/newhope1024cca/clean/reduce.c b/crypto_kem/newhope1024cca/clean/reduce.c
deleted file mode 100644
index e96b25e5..00000000
--- a/crypto_kem/newhope1024cca/clean/reduce.c
+++ /dev/null
@@ -1,26 +0,0 @@
-#include "reduce.h"
-#include "params.h"
-
-static const uint32_t qinv = 12287; // -inverse_mod(p,2^18)
-static const uint32_t rlog = 18;
-
-/*************************************************
-* Name: montgomery_reduce
-*
-* Description: Montgomery reduction; given a 32-bit integer a, computes
-* 16-bit integer congruent to a * R^-1 mod q,
-* where R=2^18 (see value of rlog)
-*
-* Arguments: - uint32_t a: input unsigned integer to be reduced; has to be in {0,...,1073491968}
-*
-* Returns: unsigned integer in {0,...,2^14-1} congruent to a * R^-1 modulo q.
-**************************************************/
-uint16_t PQCLEAN_NEWHOPE1024CCA_CLEAN_montgomery_reduce(uint32_t a) {
- uint32_t u;
-
- u = (a * qinv);
- u &= ((1 << rlog) - 1);
- u *= NEWHOPE_Q;
- a = a + u;
- return a >> 18;
-}
diff --git a/crypto_kem/newhope1024cca/clean/reduce.h b/crypto_kem/newhope1024cca/clean/reduce.h
deleted file mode 100644
index 268b049b..00000000
--- a/crypto_kem/newhope1024cca/clean/reduce.h
+++ /dev/null
@@ -1,8 +0,0 @@
-#ifndef REDUCE_H
-#define REDUCE_H
-
-#include
-
-uint16_t PQCLEAN_NEWHOPE1024CCA_CLEAN_montgomery_reduce(uint32_t a);
-
-#endif
diff --git a/crypto_kem/newhope1024cca/clean/verify.c b/crypto_kem/newhope1024cca/clean/verify.c
deleted file mode 100644
index f68c9328..00000000
--- a/crypto_kem/newhope1024cca/clean/verify.c
+++ /dev/null
@@ -1,49 +0,0 @@
-#include "verify.h"
-#include
-#include
-
-/*************************************************
-* Name: verify
-*
-* Description: Compare two arrays for equality in constant time.
-*
-* Arguments: const unsigned char *a: pointer to first byte array
-* const unsigned char *b: pointer to second byte array
-* size_t len: length of the byte arrays
-*
-* Returns 0 if the byte arrays are equal, 1 otherwise
-**************************************************/
-int PQCLEAN_NEWHOPE1024CCA_CLEAN_verify(const unsigned char *a, const unsigned char *b, size_t len) {
- uint64_t r;
- size_t i;
- r = 0;
-
- for (i = 0; i < len; i++) {
- r |= a[i] ^ b[i];
- }
-
- r = (uint64_t)(-(int64_t)r) >> 63;
- return (int)r;
-}
-
-/*************************************************
-* Name: cmov
-*
-* Description: Copy len bytes from x to r if b is 1;
-* don't modify x if b is 0. Requires b to be in {0,1};
-* assumes two's complement representation of negative integers.
-* Runs in constant time.
-*
-* Arguments: unsigned char *r: pointer to output byte array
-* const unsigned char *x: pointer to input byte array
-* size_t len: Amount of bytes to be copied
-* unsigned char b: Condition bit; has to be in {0,1}
-**************************************************/
-void PQCLEAN_NEWHOPE1024CCA_CLEAN_cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b) {
- size_t i;
-
- b = -b;
- for (i = 0; i < len; i++) {
- r[i] ^= b & (x[i] ^ r[i]);
- }
-}
diff --git a/crypto_kem/newhope1024cca/clean/verify.h b/crypto_kem/newhope1024cca/clean/verify.h
deleted file mode 100644
index e5819338..00000000
--- a/crypto_kem/newhope1024cca/clean/verify.h
+++ /dev/null
@@ -1,12 +0,0 @@
-#ifndef VERIFY_H
-#define VERIFY_H
-
-#include
-
-/* returns 0 for equal strings, 1 for non-equal strings */
-int PQCLEAN_NEWHOPE1024CCA_CLEAN_verify(const unsigned char *a, const unsigned char *b, size_t len);
-
-/* b = 1 means mov, b = 0 means don't mov*/
-void PQCLEAN_NEWHOPE1024CCA_CLEAN_cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b);
-
-#endif
diff --git a/crypto_kem/newhope1024cpa/META.yml b/crypto_kem/newhope1024cpa/META.yml
deleted file mode 100644
index dcfa3746..00000000
--- a/crypto_kem/newhope1024cpa/META.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-name: NewHope1024-CPAKEM
-type: kem
-claimed-nist-level: 5
-claimed-security: IND-CPA
-length-public-key: 1824
-length-secret-key: 1792
-length-ciphertext: 2176
-length-shared-secret: 32
-nistkat-sha256: 440e2afb40d212a44d1bb1dc9963d7c942fa6ceb16fed2b1ccf015fa75ab115b
-principal-submitters:
- - Thomas Pöppelmann
-auxiliary-submitters:
-- Erdem Alkim
-- Roberto Avanzi
-- Joppe Bos
-- Léo Ducas
-- Antonio de la Piedra
-- Peter Schwabe
-- Douglas Stebila
-implementations:
-- name: clean
- version: https://github.com/newhopecrypto/newhope/commit/3fc68c6090b23c56cc190a78af2f43ee8900e9d0
diff --git a/crypto_kem/newhope1024cpa/clean/LICENSE b/crypto_kem/newhope1024cpa/clean/LICENSE
deleted file mode 100644
index d5d21fff..00000000
--- a/crypto_kem/newhope1024cpa/clean/LICENSE
+++ /dev/null
@@ -1 +0,0 @@
-Public Domain
diff --git a/crypto_kem/newhope1024cpa/clean/Makefile b/crypto_kem/newhope1024cpa/clean/Makefile
deleted file mode 100644
index 46b0b736..00000000
--- a/crypto_kem/newhope1024cpa/clean/Makefile
+++ /dev/null
@@ -1,19 +0,0 @@
-# This Makefile can be used with GNU Make or BSD Make
-
-LIB=libnewhope1024cpa_clean.a
-HEADERS=api.h cpapke.h ntt.h params.h poly.h reduce.h verify.h
-OBJECTS=cpapke.o kem.o ntt.o poly.o precomp.o reduce.o verify.o
-
-CFLAGS=-O3 -Wall -Wextra -Wpedantic -Wvla -Werror -Wmissing-prototypes -Wredundant-decls -std=c99 -I../../../common $(EXTRAFLAGS)
-
-all: $(LIB)
-
-%.o: %.c $(HEADERS)
- $(CC) $(CFLAGS) -c -o $@ $<
-
-$(LIB): $(OBJECTS)
- $(AR) -r $@ $(OBJECTS)
-
-clean:
- $(RM) $(OBJECTS)
- $(RM) $(LIB)
diff --git a/crypto_kem/newhope1024cpa/clean/Makefile.Microsoft_nmake b/crypto_kem/newhope1024cpa/clean/Makefile.Microsoft_nmake
deleted file mode 100644
index 3afa12d6..00000000
--- a/crypto_kem/newhope1024cpa/clean/Makefile.Microsoft_nmake
+++ /dev/null
@@ -1,19 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=libnewhope1024cpa_clean.lib
-OBJECTS=cpapke.obj kem.obj ntt.obj poly.obj precomp.obj reduce.obj verify.obj
-
-CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_kem/newhope1024cpa/clean/api.h b/crypto_kem/newhope1024cpa/clean/api.h
deleted file mode 100644
index 683aa8a7..00000000
--- a/crypto_kem/newhope1024cpa/clean/api.h
+++ /dev/null
@@ -1,15 +0,0 @@
-#ifndef PQCLEAN_NEWHOPE1024CPA_CLEAN_API_H
-#define PQCLEAN_NEWHOPE1024CPA_CLEAN_API_H
-
-
-#define PQCLEAN_NEWHOPE1024CPA_CLEAN_CRYPTO_SECRETKEYBYTES 1792
-#define PQCLEAN_NEWHOPE1024CPA_CLEAN_CRYPTO_PUBLICKEYBYTES 1824
-#define PQCLEAN_NEWHOPE1024CPA_CLEAN_CRYPTO_CIPHERTEXTBYTES 2176
-#define PQCLEAN_NEWHOPE1024CPA_CLEAN_CRYPTO_BYTES 32
-#define PQCLEAN_NEWHOPE1024CPA_CLEAN_CRYPTO_ALGNAME "NewHope1024-CPAKEM"
-
-int PQCLEAN_NEWHOPE1024CPA_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk);
-int PQCLEAN_NEWHOPE1024CPA_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk);
-int PQCLEAN_NEWHOPE1024CPA_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk);
-
-#endif
diff --git a/crypto_kem/newhope1024cpa/clean/cpapke.c b/crypto_kem/newhope1024cpa/clean/cpapke.c
deleted file mode 100644
index fa11ebe7..00000000
--- a/crypto_kem/newhope1024cpa/clean/cpapke.c
+++ /dev/null
@@ -1,193 +0,0 @@ -#include "api.h" -#include "cpapke.h" -#include "fips202.h" -#include "poly.h" -#include "randombytes.h" -#include - -/************************************************* -* Name: encode_pk -* -* Description: Serialize the public key as concatenation of the -* serialization of the polynomial pk and the public seed -* used to generete the polynomial a. -* -* Arguments: unsigned char *r: pointer to the output serialized public key -* const poly *pk: pointer to the input public-key polynomial -* const unsigned char *seed: pointer to the input public seed -**************************************************/ -static void encode_pk(unsigned char *r, const poly *pk, const unsigned char *seed) { - int i; - PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_tobytes(r, pk); - for (i = 0; i < NEWHOPE_SYMBYTES; i++) { - r[NEWHOPE_POLYBYTES + i] = seed[i]; - } -} - -/************************************************* -* Name: decode_pk -* -* Description: De-serialize the public key; inverse of encode_pk -* -* Arguments: poly *pk: pointer to output public-key polynomial -* unsigned char *seed: pointer to output public seed -* const unsigned char *r: pointer to input byte array -**************************************************/ -static void decode_pk(poly *pk, unsigned char *seed, const unsigned char *r) { - int i; - PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_frombytes(pk, r); - for (i = 0; i < NEWHOPE_SYMBYTES; i++) { - seed[i] = r[NEWHOPE_POLYBYTES + i]; - } -} - -/************************************************* -* Name: encode_c -* -* Description: Serialize the ciphertext as concatenation of the -* serialization of the polynomial b and serialization -* of the compressed polynomial v -* -* Arguments: - unsigned char *r: pointer to the output serialized ciphertext -* - const poly *b: pointer to the input polynomial b -* - const poly *v: pointer to the input polynomial v -**************************************************/ -static void encode_c(unsigned char *r, const poly *b, const 
poly *v) { - PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_tobytes(r, b); - PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_compress(r + NEWHOPE_POLYBYTES, v); -} - -/************************************************* -* Name: decode_c -* -* Description: de-serialize the ciphertext; inverse of encode_c -* -* Arguments: - poly *b: pointer to output polynomial b -* - poly *v: pointer to output polynomial v -* - const unsigned char *r: pointer to input byte array -**************************************************/ -static void decode_c(poly *b, poly *v, const unsigned char *r) { - PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_frombytes(b, r); - PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_decompress(v, r + NEWHOPE_POLYBYTES); -} - -/************************************************* -* Name: gen_a -* -* Description: Deterministically generate public polynomial a from seed -* -* Arguments: - poly *a: pointer to output polynomial a -* - const unsigned char *seed: pointer to input seed -**************************************************/ -static void gen_a(poly *a, const unsigned char *seed) { - PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_uniform(a, seed); -} - - -/************************************************* -* Name: cpapke_keypair -* -* Description: Generates public and private key -* for the CPA public-key encryption scheme underlying -* the NewHope KEMs -* -* Arguments: - unsigned char *pk: pointer to output public key -* - unsigned char *sk: pointer to output private key -**************************************************/ -void PQCLEAN_NEWHOPE1024CPA_CLEAN_cpapke_keypair(unsigned char *pk, - unsigned char *sk) { - poly ahat, ehat, ahat_shat, bhat, shat; - unsigned char z[2 * NEWHOPE_SYMBYTES]; - unsigned char *publicseed = z; - unsigned char *noiseseed = z + NEWHOPE_SYMBYTES; - - z[0] = 0x01; - randombytes(z + 1, NEWHOPE_SYMBYTES); - shake256(z, 2 * NEWHOPE_SYMBYTES, z, NEWHOPE_SYMBYTES + 1); - - gen_a(&ahat, publicseed); - - PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_sample(&shat, noiseseed, 0); - 
PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_ntt(&shat); - - PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_sample(&ehat, noiseseed, 1); - PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_ntt(&ehat); - - PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_mul_pointwise(&ahat_shat, &shat, &ahat); - PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_add(&bhat, &ehat, &ahat_shat); - - PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_tobytes(sk, &shat); - encode_pk(pk, &bhat, publicseed); -} - -/************************************************* -* Name: cpapke_enc -* -* Description: Encryption function of -* the CPA public-key encryption scheme underlying -* the NewHope KEMs -* -* Arguments: - unsigned char *c: pointer to output ciphertext -* - const unsigned char *m: pointer to input message (of length NEWHOPE_SYMBYTES bytes) -* - const unsigned char *pk: pointer to input public key -* - const unsigned char *coin: pointer to input random coins used as seed -* to deterministically generate all randomness -**************************************************/ -void PQCLEAN_NEWHOPE1024CPA_CLEAN_cpapke_enc(unsigned char *c, - const unsigned char *m, - const unsigned char *pk, - const unsigned char *coin) { - poly sprime, eprime, vprime, ahat, bhat, eprimeprime, uhat, v; - unsigned char publicseed[NEWHOPE_SYMBYTES]; - - PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_frommsg(&v, m); - - decode_pk(&bhat, publicseed, pk); - gen_a(&ahat, publicseed); - - PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_sample(&sprime, coin, 0); - PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_sample(&eprime, coin, 1); - PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_sample(&eprimeprime, coin, 2); - - PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_ntt(&sprime); - PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_ntt(&eprime); - - PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_mul_pointwise(&uhat, &ahat, &sprime); - PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_add(&uhat, &uhat, &eprime); - - PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_mul_pointwise(&vprime, &bhat, &sprime); - PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_invntt(&vprime); - - PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_add(&vprime, &vprime, &eprimeprime); 
- PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_add(&vprime, &vprime, &v); // add message - - encode_c(c, &uhat, &vprime); -} - - -/************************************************* -* Name: cpapke_dec -* -* Description: Decryption function of -* the CPA public-key encryption scheme underlying -* the NewHope KEMs -* -* Arguments: - unsigned char *m: pointer to output decrypted message -* - const unsigned char *c: pointer to input ciphertext -* - const unsigned char *sk: pointer to input secret key -**************************************************/ -void PQCLEAN_NEWHOPE1024CPA_CLEAN_cpapke_dec(unsigned char *m, - const unsigned char *c, - const unsigned char *sk) { - poly vprime, uhat, tmp, shat; - - PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_frombytes(&shat, sk); - - decode_c(&uhat, &vprime, c); - PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_mul_pointwise(&tmp, &shat, &uhat); - PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_invntt(&tmp); - - PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_sub(&tmp, &tmp, &vprime); - - PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_tomsg(m, &tmp); -} diff --git a/crypto_kem/newhope1024cpa/clean/cpapke.h b/crypto_kem/newhope1024cpa/clean/cpapke.h deleted file mode 100644 index ea284e10..00000000 --- a/crypto_kem/newhope1024cpa/clean/cpapke.h +++ /dev/null @@ -1,16 +0,0 @@ -#ifndef INDCPA_H -#define INDCPA_H - -void PQCLEAN_NEWHOPE1024CPA_CLEAN_cpapke_keypair(unsigned char *pk, - unsigned char *sk); - -void PQCLEAN_NEWHOPE1024CPA_CLEAN_cpapke_enc(unsigned char *c, - const unsigned char *m, - const unsigned char *pk, - const unsigned char *coins); - -void PQCLEAN_NEWHOPE1024CPA_CLEAN_cpapke_dec(unsigned char *m, - const unsigned char *c, - const unsigned char *sk); - -#endif diff --git a/crypto_kem/newhope1024cpa/clean/kem.c b/crypto_kem/newhope1024cpa/clean/kem.c deleted file mode 100644 index d1f41113..00000000 --- a/crypto_kem/newhope1024cpa/clean/kem.c +++ /dev/null 
@@ -1,72 +0,0 @@ -#include "api.h" -#include "cpapke.h" -#include "fips202.h" -#include "params.h" -#include "randombytes.h" -#include "verify.h" -#include - -/************************************************* -* Name: crypto_kem_keypair -* -* Description: Generates public and private key -* for CCA secure NewHope key encapsulation -* mechanism -* -* Arguments: - unsigned char *pk: pointer to output public key (an already allocated array of CRYPTO_PUBLICKEYBYTES bytes) -* - unsigned char *sk: pointer to output private key (an already allocated array of CRYPTO_SECRETKEYBYTES bytes) -* -* Returns 0 (success) -**************************************************/ -int PQCLEAN_NEWHOPE1024CPA_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) { - PQCLEAN_NEWHOPE1024CPA_CLEAN_cpapke_keypair(pk, sk); /* First put the actual secret key into sk */ - - return 0; -} - -/************************************************* -* Name: crypto_kem_enc -* -* Description: Generates cipher text and shared -* secret for given public key -* -* Arguments: - unsigned char *ct: pointer to output cipher text (an already allocated array of CRYPTO_CIPHERTEXTBYTES bytes) -* - unsigned char *ss: pointer to output shared secret (an already allocated array of CRYPTO_BYTES bytes) -* - const unsigned char *pk: pointer to input public key (an already allocated array of CRYPTO_PUBLICKEYBYTES bytes) -* -* Returns 0 (success) -**************************************************/ -int PQCLEAN_NEWHOPE1024CPA_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) { - unsigned char buf[2 * NEWHOPE_SYMBYTES]; - - buf[0] = 0x02; - randombytes(buf + 1, NEWHOPE_SYMBYTES); - - shake256(buf, 2 * NEWHOPE_SYMBYTES, buf, NEWHOPE_SYMBYTES + 1); /* Don't release system RNG output */ - - PQCLEAN_NEWHOPE1024CPA_CLEAN_cpapke_enc(ct, buf, pk, buf + NEWHOPE_SYMBYTES); /* coins are in buf+NEWHOPE_SYMBYTES */ - - shake256(ss, NEWHOPE_SYMBYTES, buf, NEWHOPE_SYMBYTES); /* hash pre-k to ss */ 
- return 0; -} - - -/************************************************* -* Name: crypto_kem_dec -* -* Description: Generates shared secret for given -* cipher text and private key -* -* Arguments: - unsigned char *ss: pointer to output shared secret (an already allocated array of CRYPTO_BYTES bytes) -* - const unsigned char *ct: pointer to input cipher text (an already allocated array of CRYPTO_CIPHERTEXTBYTES bytes) -* - const unsigned char *sk: pointer to input private key (an already allocated array of CRYPTO_SECRETKEYBYTES bytes) -* -* Returns 0 (success) -**************************************************/ -int PQCLEAN_NEWHOPE1024CPA_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) { - PQCLEAN_NEWHOPE1024CPA_CLEAN_cpapke_dec(ss, ct, sk); - - shake256(ss, NEWHOPE_SYMBYTES, ss, NEWHOPE_SYMBYTES); /* hash pre-k to ss */ - - return 0; -} diff --git a/crypto_kem/newhope1024cpa/clean/ntt.c b/crypto_kem/newhope1024cpa/clean/ntt.c deleted file mode 100644 index 4680c81c..00000000 --- a/crypto_kem/newhope1024cpa/clean/ntt.c +++ /dev/null 
@@ -1,127 +0,0 @@ -#include "inttypes.h" -#include "ntt.h" -#include "params.h" -#include "reduce.h" - -/************************************************************ -* Name: bitrev_table -* -* Description: Contains bit-reversed 10-bit indices to be used to re-order -* polynomials before number theoratic transform -************************************************************/ -static uint16_t bitrev_table[NEWHOPE_N] = { - 0, 512, 256, 768, 128, 640, 384, 896, 64, 576, 320, 832, 192, 704, 448, 960, 32, 544, 288, 800, 160, 672, 416, 928, 96, 608, 352, 864, 224, 736, 480, 992, - 16, 528, 272, 784, 144, 656, 400, 912, 80, 592, 336, 848, 208, 720, 464, 976, 48, 560, 304, 816, 176, 688, 432, 944, 112, 624, 368, 880, 240, 752, 496, 1008, - 8, 520, 264, 776, 136, 648, 392, 904, 72, 584, 328, 840, 200, 712, 456, 968, 40, 552, 296, 808, 168, 680, 424, 936, 104, 616, 360, 872, 232, 744, 488, 1000, - 24, 536, 280, 792, 152, 664, 408, 920, 88, 600, 344, 856, 216, 728, 472, 984, 56, 568, 312, 824, 184, 696, 440, 952, 120, 632, 376, 888, 248, 760, 504, 1016, - 4, 516, 260, 772, 132, 644, 388, 900, 68, 580, 324, 836, 196, 708, 452, 964, 36, 548, 292, 804, 164, 676, 420, 932, 100, 612, 356, 868, 228, 740, 484, 996, - 20, 532, 276, 788, 148, 660, 404, 916, 84, 596, 340, 852, 212, 724, 468, 980, 52, 564, 308, 820, 180, 692, 436, 948, 116, 628, 372, 884, 244, 756, 500, 1012, - 12, 524, 268, 780, 140, 652, 396, 908, 76, 588, 332, 844, 204, 716, 460, 972, 44, 556, 300, 812, 172, 684, 428, 940, 108, 620, 364, 876, 236, 748, 492, 1004, - 28, 540, 284, 796, 156, 668, 412, 924, 92, 604, 348, 860, 220, 732, 476, 988, 60, 572, 316, 828, 188, 700, 444, 956, 124, 636, 380, 892, 252, 764, 508, 1020, - 2, 514, 258, 770, 130, 642, 386, 898, 66, 578, 322, 834, 194, 706, 450, 962, 34, 546, 290, 802, 162, 674, 418, 930, 98, 610, 354, 866, 226, 738, 482, 994, - 18, 530, 274, 786, 146, 658, 402, 914, 82, 594, 338, 850, 210, 722, 466, 978, 50, 562, 306, 818, 178, 690, 434, 946, 114, 626, 370, 882, 242, 
754, 498, 1010, - 10, 522, 266, 778, 138, 650, 394, 906, 74, 586, 330, 842, 202, 714, 458, 970, 42, 554, 298, 810, 170, 682, 426, 938, 106, 618, 362, 874, 234, 746, 490, 1002, - 26, 538, 282, 794, 154, 666, 410, 922, 90, 602, 346, 858, 218, 730, 474, 986, 58, 570, 314, 826, 186, 698, 442, 954, 122, 634, 378, 890, 250, 762, 506, 1018, - 6, 518, 262, 774, 134, 646, 390, 902, 70, 582, 326, 838, 198, 710, 454, 966, 38, 550, 294, 806, 166, 678, 422, 934, 102, 614, 358, 870, 230, 742, 486, 998, - 22, 534, 278, 790, 150, 662, 406, 918, 86, 598, 342, 854, 214, 726, 470, 982, 54, 566, 310, 822, 182, 694, 438, 950, 118, 630, 374, 886, 246, 758, 502, 1014, - 14, 526, 270, 782, 142, 654, 398, 910, 78, 590, 334, 846, 206, 718, 462, 974, 46, 558, 302, 814, 174, 686, 430, 942, 110, 622, 366, 878, 238, 750, 494, 1006, - 30, 542, 286, 798, 158, 670, 414, 926, 94, 606, 350, 862, 222, 734, 478, 990, 62, 574, 318, 830, 190, 702, 446, 958, 126, 638, 382, 894, 254, 766, 510, 1022, - 1, 513, 257, 769, 129, 641, 385, 897, 65, 577, 321, 833, 193, 705, 449, 961, 33, 545, 289, 801, 161, 673, 417, 929, 97, 609, 353, 865, 225, 737, 481, 993, - 17, 529, 273, 785, 145, 657, 401, 913, 81, 593, 337, 849, 209, 721, 465, 977, 49, 561, 305, 817, 177, 689, 433, 945, 113, 625, 369, 881, 241, 753, 497, 1009, - 9, 521, 265, 777, 137, 649, 393, 905, 73, 585, 329, 841, 201, 713, 457, 969, 41, 553, 297, 809, 169, 681, 425, 937, 105, 617, 361, 873, 233, 745, 489, 1001, - 25, 537, 281, 793, 153, 665, 409, 921, 89, 601, 345, 857, 217, 729, 473, 985, 57, 569, 313, 825, 185, 697, 441, 953, 121, 633, 377, 889, 249, 761, 505, 1017, - 5, 517, 261, 773, 133, 645, 389, 901, 69, 581, 325, 837, 197, 709, 453, 965, 37, 549, 293, 805, 165, 677, 421, 933, 101, 613, 357, 869, 229, 741, 485, 997, - 21, 533, 277, 789, 149, 661, 405, 917, 85, 597, 341, 853, 213, 725, 469, 981, 53, 565, 309, 821, 181, 693, 437, 949, 117, 629, 373, 885, 245, 757, 501, 1013, - 13, 525, 269, 781, 141, 653, 397, 909, 77, 589, 333, 845, 205, 717, 
461, 973, 45, 557, 301, 813, 173, 685, 429, 941, 109, 621, 365, 877, 237, 749, 493, 1005, - 29, 541, 285, 797, 157, 669, 413, 925, 93, 605, 349, 861, 221, 733, 477, 989, 61, 573, 317, 829, 189, 701, 445, 957, 125, 637, 381, 893, 253, 765, 509, 1021, - 3, 515, 259, 771, 131, 643, 387, 899, 67, 579, 323, 835, 195, 707, 451, 963, 35, 547, 291, 803, 163, 675, 419, 931, 99, 611, 355, 867, 227, 739, 483, 995, - 19, 531, 275, 787, 147, 659, 403, 915, 83, 595, 339, 851, 211, 723, 467, 979, 51, 563, 307, 819, 179, 691, 435, 947, 115, 627, 371, 883, 243, 755, 499, 1011, - 11, 523, 267, 779, 139, 651, 395, 907, 75, 587, 331, 843, 203, 715, 459, 971, 43, 555, 299, 811, 171, 683, 427, 939, 107, 619, 363, 875, 235, 747, 491, 1003, - 27, 539, 283, 795, 155, 667, 411, 923, 91, 603, 347, 859, 219, 731, 475, 987, 59, 571, 315, 827, 187, 699, 443, 955, 123, 635, 379, 891, 251, 763, 507, 1019, - 7, 519, 263, 775, 135, 647, 391, 903, 71, 583, 327, 839, 199, 711, 455, 967, 39, 551, 295, 807, 167, 679, 423, 935, 103, 615, 359, 871, 231, 743, 487, 999, - 23, 535, 279, 791, 151, 663, 407, 919, 87, 599, 343, 855, 215, 727, 471, 983, 55, 567, 311, 823, 183, 695, 439, 951, 119, 631, 375, 887, 247, 759, 503, 1015, - 15, 527, 271, 783, 143, 655, 399, 911, 79, 591, 335, 847, 207, 719, 463, 975, 47, 559, 303, 815, 175, 687, 431, 943, 111, 623, 367, 879, 239, 751, 495, 1007, - 31, 543, 287, 799, 159, 671, 415, 927, 95, 607, 351, 863, 223, 735, 479, 991, 63, 575, 319, 831, 191, 703, 447, 959, 127, 639, 383, 895, 255, 767, 511, 1023 -}; - -/************************************************* -* Name: bitrev_vector -* -* Description: Permutes coefficients of a polynomial into bitreversed order -* -* Arguments: - uint16_t* poly: pointer to in/output polynomial -**************************************************/ -void PQCLEAN_NEWHOPE1024CPA_CLEAN_bitrev_vector(uint16_t *poly) { - unsigned int i, r; - uint16_t tmp; - - for (i = 0; i < NEWHOPE_N; i++) { - r = bitrev_table[i]; - if (i < r) { - tmp = 
poly[i]; - poly[i] = poly[r]; - poly[r] = tmp; - } - } -} - -/************************************************* -* Name: mul_coefficients -* -* Description: Performs pointwise (coefficient-wise) multiplication -* of two polynomials -* Arguments: - uint16_t* poly: pointer to in/output polynomial -* - const uint16_t* factors: pointer to input polynomial, coefficients -* are assumed to be in Montgomery representation -**************************************************/ -void PQCLEAN_NEWHOPE1024CPA_CLEAN_mul_coefficients(uint16_t *poly, const uint16_t *factors) { - unsigned int i; - - for (i = 0; i < NEWHOPE_N; i++) { - poly[i] = PQCLEAN_NEWHOPE1024CPA_CLEAN_montgomery_reduce((poly[i] * factors[i])); - } -} - - -void /************************************************* -* Name: ntt -* -* Description: Computes number-theoretic transform (NTT) of -* a polynomial in place; inputs assumed to be in -* bitreversed order, output in normal order -* -* Arguments: - uint16_t * a: pointer to in/output polynomial -* - const uint16_t* omega: pointer to input powers of root of unity omega; -* assumed to be in Montgomery domain -**************************************************/ -PQCLEAN_NEWHOPE1024CPA_CLEAN_ntt(uint16_t *a, const uint16_t *omega) { - int i, start, j, jTwiddle, distance; - uint16_t temp, W; - - - for (i = 0; i < 10; i += 2) { - // Even level - distance = (1 << i); - for (start = 0; start < distance; start++) { - jTwiddle = 0; - for (j = start; j < NEWHOPE_N - 1; j += 2 * distance) { - W = omega[jTwiddle++]; - temp = a[j]; - a[j] = (temp + a[j + distance]); // Omit reduction (be lazy) - a[j + distance] = PQCLEAN_NEWHOPE1024CPA_CLEAN_montgomery_reduce((W * ((uint32_t)temp + 3 * NEWHOPE_Q - a[j + distance]))); - } - } - - // Odd level - distance <<= 1; - for (start = 0; start < distance; start++) { - jTwiddle = 0; - for (j = start; j < NEWHOPE_N - 1; j += 2 * distance) { - W = omega[jTwiddle++]; - temp = a[j]; - a[j] = (temp + a[j + distance]) % NEWHOPE_Q; - a[j + 
distance] = PQCLEAN_NEWHOPE1024CPA_CLEAN_montgomery_reduce((W * ((uint32_t)temp + 3 * NEWHOPE_Q - a[j + distance]))); - } - } - } -} diff --git a/crypto_kem/newhope1024cpa/clean/ntt.h b/crypto_kem/newhope1024cpa/clean/ntt.h deleted file mode 100644 index 42e41df0..00000000 --- a/crypto_kem/newhope1024cpa/clean/ntt.h +++ /dev/null @@ -1,14 +0,0 @@ -#ifndef NTT_H -#define NTT_H - -#include "inttypes.h" - -extern const uint16_t PQCLEAN_NEWHOPE1024CPA_CLEAN_omegas_inv_bitrev_montgomery[]; -extern const uint16_t PQCLEAN_NEWHOPE1024CPA_CLEAN_gammas_bitrev_montgomery[]; -extern const uint16_t PQCLEAN_NEWHOPE1024CPA_CLEAN_gammas_inv_montgomery[]; - -void PQCLEAN_NEWHOPE1024CPA_CLEAN_bitrev_vector(uint16_t *poly); -void PQCLEAN_NEWHOPE1024CPA_CLEAN_mul_coefficients(uint16_t *poly, const uint16_t *factors); -void PQCLEAN_NEWHOPE1024CPA_CLEAN_ntt(uint16_t *a, const uint16_t *omegas); - -#endif diff --git a/crypto_kem/newhope1024cpa/clean/params.h b/crypto_kem/newhope1024cpa/clean/params.h deleted file mode 100644 index 64d582b7..00000000 --- a/crypto_kem/newhope1024cpa/clean/params.h +++ /dev/null 
@@ -1,25 +0,0 @@ -#ifndef PQCLEAN_NEWHOPE1024CPA_CLEAN_PARAMS_H -#define PQCLEAN_NEWHOPE1024CPA_CLEAN_PARAMS_H - -#define NEWHOPE_N 1024 -#define NEWHOPE_Q 12289 -#define NEWHOPE_K 8 /* used in noise sampling */ - -#define NEWHOPE_SYMBYTES 32 /* size of shared key, seeds/coins, and hashes */ - -#define NEWHOPE_POLYBYTES ((14*NEWHOPE_N)/8) -#define NEWHOPE_POLYCOMPRESSEDBYTES (( 3*NEWHOPE_N)/8) - -#define NEWHOPE_CPAPKE_PUBLICKEYBYTES (NEWHOPE_POLYBYTES + NEWHOPE_SYMBYTES) -#define NEWHOPE_CPAPKE_SECRETKEYBYTES (NEWHOPE_POLYBYTES) -#define NEWHOPE_CPAPKE_CIPHERTEXTBYTES (NEWHOPE_POLYBYTES + NEWHOPE_POLYCOMPRESSEDBYTES) - -#define NEWHOPE_CPAKEM_PUBLICKEYBYTES NEWHOPE_CPAPKE_PUBLICKEYBYTES -#define NEWHOPE_CPAKEM_SECRETKEYBYTES NEWHOPE_CPAPKE_SECRETKEYBYTES -#define NEWHOPE_CPAKEM_CIPHERTEXTBYTES NEWHOPE_CPAPKE_CIPHERTEXTBYTES - -#define NEWHOPE_CCAKEM_PUBLICKEYBYTES NEWHOPE_CPAPKE_PUBLICKEYBYTES -#define NEWHOPE_CCAKEM_SECRETKEYBYTES (NEWHOPE_CPAPKE_SECRETKEYBYTES + NEWHOPE_CPAPKE_PUBLICKEYBYTES + 2*NEWHOPE_SYMBYTES) -#define NEWHOPE_CCAKEM_CIPHERTEXTBYTES (NEWHOPE_CPAPKE_CIPHERTEXTBYTES + NEWHOPE_SYMBYTES) /* Second part is for Targhi-Unruh */ - -#endif diff --git a/crypto_kem/newhope1024cpa/clean/poly.c b/crypto_kem/newhope1024cpa/clean/poly.c deleted file mode 100644 index 3f64de42..00000000 --- a/crypto_kem/newhope1024cpa/clean/poly.c +++ /dev/null 
@@ -1,358 +0,0 @@ -#include "fips202.h" -#include "ntt.h" -#include "poly.h" -#include "reduce.h" - -/************************************************* -* Name: coeff_freeze -* -* Description: Fully reduces an integer modulo q in constant time -* -* Arguments: uint16_t x: input integer to be reduced -* -* Returns integer in {0,...,q-1} congruent to x modulo q -**************************************************/ -static uint16_t coeff_freeze(uint16_t x) { - uint16_t m, r; - int16_t c; - r = x % NEWHOPE_Q; - - m = r - NEWHOPE_Q; - c = m; - c >>= 15; - r = m ^ ((r ^ m)&c); - - return r; -} - -/************************************************* -* Name: flipabs -* -* Description: Computes |(x mod q) - Q/2| -* -* Arguments: uint16_t x: input coefficient -* -* Returns |(x mod q) - Q/2| -**************************************************/ -static uint16_t flipabs(uint16_t x) { - int16_t r, m; - r = coeff_freeze(x); - - r = r - NEWHOPE_Q / 2; - m = r >> 15; - return (r + m) ^ m; -} - -/************************************************* -* Name: poly_frombytes -* -* Description: De-serialization of a polynomial -* -* Arguments: - poly *r: pointer to output polynomial -* - const unsigned char *a: pointer to input byte array -**************************************************/ -void PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_frombytes(poly *r, const unsigned char *a) { - int i; - for (i = 0; i < NEWHOPE_N / 4; i++) { - r->coeffs[4 * i + 0] = a[7 * i + 0] | (((uint16_t)a[7 * i + 1] & 0x3f) << 8); - r->coeffs[4 * i + 1] = (a[7 * i + 1] >> 6) | (((uint16_t)a[7 * i + 2]) << 2) | (((uint16_t)a[7 * i + 3] & 0x0f) << 10); - r->coeffs[4 * i + 2] = (a[7 * i + 3] >> 4) | (((uint16_t)a[7 * i + 4]) << 4) | (((uint16_t)a[7 * i + 5] & 0x03) << 12); - r->coeffs[4 * i + 3] = (a[7 * i + 5] >> 2) | (((uint16_t)a[7 * i + 6]) << 6); - } -} - -/************************************************* -* Name: poly_tobytes -* -* Description: Serialization of a polynomial -* -* Arguments: - unsigned char *r: pointer 
to output byte array -* - const poly *p: pointer to input polynomial -**************************************************/ -void PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_tobytes(unsigned char *r, const poly *p) { - int i; - uint16_t t0, t1, t2, t3; - for (i = 0; i < NEWHOPE_N / 4; i++) { - t0 = coeff_freeze(p->coeffs[4 * i + 0]); - t1 = coeff_freeze(p->coeffs[4 * i + 1]); - t2 = coeff_freeze(p->coeffs[4 * i + 2]); - t3 = coeff_freeze(p->coeffs[4 * i + 3]); - - r[7 * i + 0] = t0 & 0xff; - r[7 * i + 1] = (unsigned char) ((t0 >> 8) | (t1 << 6)); - r[7 * i + 2] = (unsigned char) ((t1 >> 2)); - r[7 * i + 3] = (unsigned char) ((t1 >> 10) | (t2 << 4)); - r[7 * i + 4] = (unsigned char) ((t2 >> 4)); - r[7 * i + 5] = (unsigned char) ((t2 >> 12) | (t3 << 2)); - r[7 * i + 6] = (unsigned char) ((t3 >> 6)); - } -} - -/************************************************* -* Name: poly_compress -* -* Description: Compression and subsequent serialization of a polynomial -* -* Arguments: - unsigned char *r: pointer to output byte array -* - const poly *p: pointer to input polynomial -**************************************************/ -void PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_compress(unsigned char *r, const poly *p) { - unsigned int i, j, k = 0; - - uint32_t t[8]; - - for (i = 0; i < NEWHOPE_N; i += 8) { - for (j = 0; j < 8; j++) { - t[j] = coeff_freeze(p->coeffs[i + j]); - t[j] = (((t[j] << 3) + NEWHOPE_Q / 2) / NEWHOPE_Q) & 0x7; - } - - r[k] = (unsigned char) (t[0] | (t[1] << 3) | (t[2] << 6)); - r[k + 1] = (unsigned char) ((t[2] >> 2) | (t[3] << 1) | (t[4] << 4) | (t[5] << 7)); - r[k + 2] = (unsigned char) ((t[5] >> 1) | (t[6] << 2) | (t[7] << 5)); - k += 3; - } -} - -/************************************************* -* Name: poly_decompress -* -* Description: De-serialization and subsequent decompression of a polynomial; -* approximate inverse of poly_compress -* -* Arguments: - poly *r: pointer to output polynomial -* - const unsigned char *a: pointer to input byte array 
-**************************************************/ -void PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_decompress(poly *r, const unsigned char *a) { - unsigned int i, j; - for (i = 0; i < NEWHOPE_N; i += 8) { - r->coeffs[i + 0] = a[0] & 7; - r->coeffs[i + 1] = (a[0] >> 3) & 7; - r->coeffs[i + 2] = (a[0] >> 6) | ((a[1] << 2) & 4); - r->coeffs[i + 3] = (a[1] >> 1) & 7; - r->coeffs[i + 4] = (a[1] >> 4) & 7; - r->coeffs[i + 5] = (a[1] >> 7) | ((a[2] << 1) & 6); - r->coeffs[i + 6] = (a[2] >> 2) & 7; - r->coeffs[i + 7] = (a[2] >> 5); - a += 3; - for (j = 0; j < 8; j++) { - r->coeffs[i + j] = ((uint32_t)r->coeffs[i + j] * NEWHOPE_Q + 4) >> 3; - } - } -} - -/************************************************* -* Name: poly_frommsg -* -* Description: Convert 32-byte message to polynomial -* -* Arguments: - poly *r: pointer to output polynomial -* - const unsigned char *msg: pointer to input message -**************************************************/ -void PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_frommsg(poly *r, const unsigned char *msg) { - unsigned int i, j, mask; - for (i = 0; i < NEWHOPE_SYMBYTES; i++) { - for (j = 0; j < 8; j++) { - mask = -((msg[i] >> j) & 1); - r->coeffs[8 * i + j + 0] = mask & (NEWHOPE_Q / 2); - r->coeffs[8 * i + j + 256] = mask & (NEWHOPE_Q / 2); - r->coeffs[8 * i + j + 512] = mask & (NEWHOPE_Q / 2); - r->coeffs[8 * i + j + 768] = mask & (NEWHOPE_Q / 2); - } - } -} - -/************************************************* -* Name: poly_tomsg -* -* Description: Convert polynomial to 32-byte message -* -* Arguments: - unsigned char *msg: pointer to output message -* - const poly *x: pointer to input polynomial -**************************************************/ -void PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_tomsg(unsigned char *msg, const poly *x) { - unsigned int i; - uint16_t t; - - for (i = 0; i < 32; i++) { - msg[i] = 0; - } - - for (i = 0; i < 256; i++) { - t = flipabs(x->coeffs[i + 0]); - t += flipabs(x->coeffs[i + 256]); - t += flipabs(x->coeffs[i + 512]); - t += 
flipabs(x->coeffs[i + 768]); - t = ((t - NEWHOPE_Q)); - - t >>= 15; - msg[i >> 3] |= t << (i & 7); - } -} - -/************************************************* -* Name: poly_uniform -* -* Description: Sample a polynomial deterministically from a seed, -* with output polynomial looking uniformly random -* -* Arguments: - poly *a: pointer to output polynomial -* - const unsigned char *seed: pointer to input seed -**************************************************/ -void PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_uniform(poly *a, const unsigned char *seed) { - unsigned int ctr = 0; - uint16_t val; - shake128ctx state; - uint8_t buf[SHAKE128_RATE]; - uint8_t extseed[NEWHOPE_SYMBYTES + 1]; - int i, j; - - for (i = 0; i < NEWHOPE_SYMBYTES; i++) { - extseed[i] = seed[i]; - } - - for (i = 0; i < NEWHOPE_N / 64; i++) { /* generate a in blocks of 64 coefficients */ - ctr = 0; - extseed[NEWHOPE_SYMBYTES] = (unsigned char) i; /* domain-separate the 16 independent calls */ - shake128_absorb(&state, extseed, NEWHOPE_SYMBYTES + 1); - while (ctr < 64) { /* Very unlikely to run more than once */ - shake128_squeezeblocks(buf, 1, &state); - for (j = 0; j < SHAKE128_RATE && ctr < 64; j += 2) { - val = (buf[j] | ((uint16_t) buf[j + 1] << 8)); - if (val < 5 * NEWHOPE_Q) { - a->coeffs[i * 64 + ctr] = val; - ctr++; - } - } - } - shake128_ctx_release(&state); - } -} - -/************************************************* -* Name: hw -* -* Description: Compute the Hamming weight of a byte -* -* Arguments: - unsigned char a: input byte -**************************************************/ -static unsigned char hw(unsigned char a) { - unsigned char i, r = 0; - for (i = 0; i < 8; i++) { - r += (a >> i) & 1; - } - return r; -} - -/************************************************* -* Name: poly_sample -* -* Description: Sample a polynomial deterministically from a seed and a nonce, -* with output polynomial close to centered binomial distribution -* with parameter k=8 -* -* Arguments: - poly *r: pointer to 
output polynomial -* - const unsigned char *seed: pointer to input seed -* - unsigned char nonce: one-byte input nonce -**************************************************/ -void PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_sample(poly *r, const unsigned char *seed, unsigned char nonce) { - unsigned char buf[128], a, b; - int i, j; - - unsigned char extseed[NEWHOPE_SYMBYTES + 2]; - - for (i = 0; i < NEWHOPE_SYMBYTES; i++) { - extseed[i] = seed[i]; - } - extseed[NEWHOPE_SYMBYTES] = nonce; - - for (i = 0; i < NEWHOPE_N / 64; i++) { /* Generate noise in blocks of 64 coefficients */ - extseed[NEWHOPE_SYMBYTES + 1] = (unsigned char) i; - shake256(buf, 128, extseed, NEWHOPE_SYMBYTES + 2); - for (j = 0; j < 64; j++) { - a = buf[2 * j]; - b = buf[2 * j + 1]; - r->coeffs[64 * i + j] = hw(a) + NEWHOPE_Q - hw(b); - } - } -} - -/************************************************* -* Name: poly_pointwise -* -* Description: Multiply two polynomials pointwise (i.e., coefficient-wise). -* -* Arguments: - poly *r: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_mul_pointwise(poly *r, const poly *a, const poly *b) { - int i; - uint16_t t; - for (i = 0; i < NEWHOPE_N; i++) { - t = PQCLEAN_NEWHOPE1024CPA_CLEAN_montgomery_reduce(3186 * b->coeffs[i]); /* t is now in Montgomery domain */ - r->coeffs[i] = PQCLEAN_NEWHOPE1024CPA_CLEAN_montgomery_reduce(a->coeffs[i] * t); /* r->coeffs[i] is back in normal domain */ - } -} - -/************************************************* -* Name: poly_add -* -* Description: Add two polynomials -* -* Arguments: - poly *r: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_add(poly *r, const poly *a, const poly 
*b) { - int i; - for (i = 0; i < NEWHOPE_N; i++) { - r->coeffs[i] = (a->coeffs[i] + b->coeffs[i]) % NEWHOPE_Q; - } -} - -/************************************************* -* Name: poly_sub -* -* Description: Subtract two polynomials -* -* Arguments: - poly *r: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_sub(poly *r, const poly *a, const poly *b) { - int i; - for (i = 0; i < NEWHOPE_N; i++) { - r->coeffs[i] = (a->coeffs[i] + 3 * NEWHOPE_Q - b->coeffs[i]) % NEWHOPE_Q; - } -} - -/************************************************* -* Name: poly_ntt -* -* Description: Forward NTT transform of a polynomial in place -* Input is assumed to have coefficients in bitreversed order -* Output has coefficients in normal order -* -* Arguments: - poly *r: pointer to in/output polynomial -**************************************************/ -void PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_ntt(poly *r) { - PQCLEAN_NEWHOPE1024CPA_CLEAN_mul_coefficients(r->coeffs, PQCLEAN_NEWHOPE1024CPA_CLEAN_gammas_bitrev_montgomery); - PQCLEAN_NEWHOPE1024CPA_CLEAN_ntt((uint16_t *)r->coeffs, PQCLEAN_NEWHOPE1024CPA_CLEAN_gammas_bitrev_montgomery); -} - -/************************************************* -* Name: poly_invntt -* -* Description: Inverse NTT transform of a polynomial in place -* Input is assumed to have coefficients in normal order -* Output has coefficients in normal order -* -* Arguments: - poly *r: pointer to in/output polynomial -**************************************************/ -void PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_invntt(poly *r) { - PQCLEAN_NEWHOPE1024CPA_CLEAN_bitrev_vector(r->coeffs); - PQCLEAN_NEWHOPE1024CPA_CLEAN_ntt((uint16_t *)r->coeffs, PQCLEAN_NEWHOPE1024CPA_CLEAN_omegas_inv_bitrev_montgomery); - PQCLEAN_NEWHOPE1024CPA_CLEAN_mul_coefficients(r->coeffs, 
PQCLEAN_NEWHOPE1024CPA_CLEAN_gammas_inv_montgomery); -} - diff --git a/crypto_kem/newhope1024cpa/clean/poly.h b/crypto_kem/newhope1024cpa/clean/poly.h deleted file mode 100644 index 349d1ed9..00000000 --- a/crypto_kem/newhope1024cpa/clean/poly.h +++ /dev/null @@ -1,32 +0,0 @@ -#ifndef POLY_H -#define POLY_H - -#include "params.h" -#include - -/* - * Elements of R_q = Z_q[X]/(X^n + 1). Represents polynomial - * coeffs[0] + X*coeffs[1] + X^2*xoeffs[2] + ... + X^{n-1}*coeffs[n-1] - */ -typedef struct { - uint16_t coeffs[NEWHOPE_N]; -} poly; - -void PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_uniform(poly *a, const unsigned char *seed); -void PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_sample(poly *r, const unsigned char *seed, unsigned char nonce); -void PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_add(poly *r, const poly *a, const poly *b); - -void PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_ntt(poly *r); -void PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_invntt(poly *r); -void PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_mul_pointwise(poly *r, const poly *a, const poly *b); - -void PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_frombytes(poly *r, const unsigned char *a); -void PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_tobytes(unsigned char *r, const poly *p); -void PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_compress(unsigned char *r, const poly *p); -void PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_decompress(poly *r, const unsigned char *a); - -void PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_frommsg(poly *r, const unsigned char *msg); -void PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_tomsg(unsigned char *msg, const poly *x); -void PQCLEAN_NEWHOPE1024CPA_CLEAN_poly_sub(poly *r, const poly *a, const poly *b); - -#endif diff --git a/crypto_kem/newhope1024cpa/clean/precomp.c b/crypto_kem/newhope1024cpa/clean/precomp.c deleted file mode 100644 index 19eda045..00000000 --- a/crypto_kem/newhope1024cpa/clean/precomp.c +++ /dev/null 
@@ -1,261 +0,0 @@ -#include "inttypes.h" -#include "ntt.h" -#include "params.h" - -/* Precomputed NTT contants generated by Pari/GP script as follows: - * - * For n = 512: - * - * brv = [0,256,128,384,64,320,192,448,32,288,160,416,96,352,224,480,16,272,144,400,80,336,208,464,48,304,176,432,112,368,240,496,8, - * 264,136,392,72,328,200,456,40,296,168,424,104,360,232,488,24,280,152,408,88,344,216,472,56,312,184,440,120,376,248,504,4, - * 260,132,388,68,324,196,452,36,292,164,420,100,356,228,484,20,276,148,404,84,340,212,468,52,308,180,436,116,372,244,500,12, - * 268,140,396,76,332,204,460,44,300,172,428,108,364,236,492,28,284,156,412,92,348,220,476,60,316,188,444,124,380,252,508,2, - * 258,130,386,66,322,194,450,34,290,162,418,98,354,226,482,18,274,146,402,82,338,210,466,50,306,178,434,114,370,242,498,10, - * 266,138,394,74,330,202,458,42,298,170,426,106,362,234,490,26,282,154,410,90,346,218,474,58,314,186,442,122,378,250,506,6, - * 262,134,390,70,326,198,454,38,294,166,422,102,358,230,486,22,278,150,406,86,342,214,470,54,310,182,438,118,374,246,502,14, - * 270,142,398,78,334,206,462,46,302,174,430,110,366,238,494,30,286,158,414,94,350,222,478,62,318,190,446,126,382,254,510,1, - * 257,129,385,65,321,193,449,33,289,161,417,97,353,225,481,17,273,145,401,81,337,209,465,49,305,177,433,113,369,241,497,9, - * 265,137,393,73,329,201,457,41,297,169,425,105,361,233,489,25,281,153,409,89,345,217,473,57,313,185,441,121,377,249,505,5, - * 261,133,389,69,325,197,453,37,293,165,421,101,357,229,485,21,277,149,405,85,341,213,469,53,309,181,437,117,373,245,501,13, - * 269,141,397,77,333,205,461,45,301,173,429,109,365,237,493,29,285,157,413,93,349,221,477,61,317,189,445,125,381,253,509,3, - * 259,131,387,67,323,195,451,35,291,163,419,99,355,227,483,19,275,147,403,83,339,211,467,51,307,179,435,115,371,243,499,11, - * 267,139,395,75,331,203,459,43,299,171,427,107,363,235,491,27,283,155,411,91,347,219,475,59,315,187,443,123,379,251,507,7, - * 
263,135,391,71,327,199,455,39,295,167,423,103,359,231,487,23,279,151,407,87,343,215,471,55,311,183,439,119,375,247,503,15, - * 271,143,399,79,335,207,463,47,303,175,431,111,367,239,495,31,287,159,415,95,351,223,479,63,319,191,447,127,383,255,511] - * n = 512; q = 12289; mont=2^18 - * g = Mod(10968, q); - * omegas_inv_bitrev_montgomery = lift(vector(n/2, i, (g^2)^(-brv[2*(i-1)+1])*mont)) - * gammas_bitrev_montgomery = lift(vector(n, i, g^(brv[i])*mont)) - * gammas_inv_montgomery = lift(vector(n, i, g^(-(i-1))/n*mont)) - * - * - * For n = 1024: - * - * brv = [0,512,256,768,128,640,384,896,64,576,320,832,192,704,448,960,32,544,288,800,160,672,416,928,96,608,352,864,224,736,480,992, \ - * 16,528,272,784,144,656,400,912,80,592,336,848,208,720,464,976,48,560,304,816,176,688,432,944,112,624,368,880,240,752,496,1008, \ - * 8,520,264,776,136,648,392,904,72,584,328,840,200,712,456,968,40,552,296,808,168,680,424,936,104,616,360,872,232,744,488,1000, \ - * 24,536,280,792,152,664,408,920,88,600,344,856,216,728,472,984,56,568,312,824,184,696,440,952,120,632,376,888,248,760,504,1016, \ - * 4,516,260,772,132,644,388,900,68,580,324,836,196,708,452,964,36,548,292,804,164,676,420,932,100,612,356,868,228,740,484,996, \ - * 20,532,276,788,148,660,404,916,84,596,340,852,212,724,468,980,52,564,308,820,180,692,436,948,116,628,372,884,244,756,500,1012, \ - * 12,524,268,780,140,652,396,908,76,588,332,844,204,716,460,972,44,556,300,812,172,684,428,940,108,620,364,876,236,748,492,1004, \ - * 28,540,284,796,156,668,412,924,92,604,348,860,220,732,476,988,60,572,316,828,188,700,444,956,124,636,380,892,252,764,508,1020, \ - * 2,514,258,770,130,642,386,898,66,578,322,834,194,706,450,962,34,546,290,802,162,674,418,930,98,610,354,866,226,738,482,994, \ - * 18,530,274,786,146,658,402,914,82,594,338,850,210,722,466,978,50,562,306,818,178,690,434,946,114,626,370,882,242,754,498,1010, \ - * 
10,522,266,778,138,650,394,906,74,586,330,842,202,714,458,970,42,554,298,810,170,682,426,938,106,618,362,874,234,746,490,1002, \ - * 26,538,282,794,154,666,410,922,90,602,346,858,218,730,474,986,58,570,314,826,186,698,442,954,122,634,378,890,250,762,506,1018, \ - * 6,518,262,774,134,646,390,902,70,582,326,838,198,710,454,966,38,550,294,806,166,678,422,934,102,614,358,870,230,742,486,998, \ - * 22,534,278,790,150,662,406,918,86,598,342,854,214,726,470,982,54,566,310,822,182,694,438,950,118,630,374,886,246,758,502,1014, \ - * 14,526,270,782,142,654,398,910,78,590,334,846,206,718,462,974,46,558,302,814,174,686,430,942,110,622,366,878,238,750,494,1006, \ - * 30,542,286,798,158,670,414,926,94,606,350,862,222,734,478,990,62,574,318,830,190,702,446,958,126,638,382,894,254,766,510,1022, \ - * 1,513,257,769,129,641,385,897,65,577,321,833,193,705,449,961,33,545,289,801,161,673,417,929,97,609,353,865,225,737,481,993, \ - * 17,529,273,785,145,657,401,913,81,593,337,849,209,721,465,977,49,561,305,817,177,689,433,945,113,625,369,881,241,753,497,1009, \ - * 9,521,265,777,137,649,393,905,73,585,329,841,201,713,457,969,41,553,297,809,169,681,425,937,105,617,361,873,233,745,489,1001, \ - * 25,537,281,793,153,665,409,921,89,601,345,857,217,729,473,985,57,569,313,825,185,697,441,953,121,633,377,889,249,761,505,1017, \ - * 5,517,261,773,133,645,389,901,69,581,325,837,197,709,453,965,37,549,293,805,165,677,421,933,101,613,357,869,229,741,485,997, \ - * 21,533,277,789,149,661,405,917,85,597,341,853,213,725,469,981,53,565,309,821,181,693,437,949,117,629,373,885,245,757,501,1013, \ - * 13,525,269,781,141,653,397,909,77,589,333,845,205,717,461,973,45,557,301,813,173,685,429,941,109,621,365,877,237,749,493,1005, \ - * 29,541,285,797,157,669,413,925,93,605,349,861,221,733,477,989,61,573,317,829,189,701,445,957,125,637,381,893,253,765,509,1021, \ - * 3,515,259,771,131,643,387,899,67,579,323,835,195,707,451,963,35,547,291,803,163,675,419,931,99,611,355,867,227,739,483,995, \ - * 
19,531,275,787,147,659,403,915,83,595,339,851,211,723,467,979,51,563,307,819,179,691,435,947,115,627,371,883,243,755,499,1011, \ - * 11,523,267,779,139,651,395,907,75,587,331,843,203,715,459,971,43,555,299,811,171,683,427,939,107,619,363,875,235,747,491,1003, \ - * 27,539,283,795,155,667,411,923,91,603,347,859,219,731,475,987,59,571,315,827,187,699,443,955,123,635,379,891,251,763,507,1019, \ - * 7,519,263,775,135,647,391,903,71,583,327,839,199,711,455,967,39,551,295,807,167,679,423,935,103,615,359,871,231,743,487,999, \ - * 23,535,279,791,151,663,407,919,87,599,343,855,215,727,471,983,55,567,311,823,183,695,439,951,119,631,375,887,247,759,503,1015, \ - * 15,527,271,783,143,655,399,911,79,591,335,847,207,719,463,975,47,559,303,815,175,687,431,943,111,623,367,879,239,751,495,1007, \ - * 31,543,287,799,159,671,415,927,95,607,351,863,223,735,479,991,63,575,319,831,191,703,447,959,127,639,383,895,255,767,511,1023] - * - * n = 1024; q = 12289; mont=2^18 - * g = Mod(7, q); - * omegas_inv_bitrev_montgomery = lift(vector(n/2, i, (g^2)^(-brv[2*(i-1)+1])*mont)) - * gammas_bitrev_montgomery = lift(vector(n, i, g^(brv[i])*mont)) - * gammas_inv_montgomery = lift(vector(n, i, g^(-(i-1))/n*mont)) -*/ - - -/************************************************************ -* Name: omegas_inv_bitrev_montgomery -* -* Description: Contains inverses of powers of nth root of unity -* in Montgomery domain with R=2^18 in bit-reversed order -************************************************************/ -const uint16_t PQCLEAN_NEWHOPE1024CPA_CLEAN_omegas_inv_bitrev_montgomery[NEWHOPE_N / 2] = { - 4075, 5315, 4324, 4916, 10120, 11767, 7210, 9027, 10316, 6715, 1278, 9945, 3514, 11248, 11271, 5925, - 147, 8500, 7840, 6833, 5537, 4749, 4467, 7500, 11099, 9606, 6171, 8471, 8429, 5445, 11239, 7753, - 9090, 12233, 5529, 5206, 10587, 1987, 11635, 3565, 5415, 8646, 6153, 6427, 7341, 6152, 10561, 400, - 8410, 1922, 2033, 8291, 1359, 6854, 11035, 973, 8579, 6093, 6950, 5446, 11821, 8301, 11907, 316, - 52, 
3174, 10966, 9523, 6055, 8953, 11612, 6415, 2505, 5906, 10710, 11858, 8332, 9450, 10162, 151, - 3482, 787, 5468, 1010, 4169, 9162, 5241, 9369, 7509, 8844, 7232, 4698, 192, 1321, 10240, 4912, - 885, 6281, 10333, 7280, 8757, 11286, 58, 12048, 12147, 11184, 8812, 6608, 2844, 3438, 4212, 11314, - 8687, 6068, 421, 8209, 3600, 3263, 7665, 6077, 7507, 5886, 3029, 6695, 4213, 504, 11684, 2302, - 1962, 1594, 6328, 7183, 168, 2692, 8960, 4298, 5184, 11089, 6122, 9734, 10929, 3956, 5297, 6170, - 3762, 9370, 4016, 4077, 6523, 652, 11994, 6099, 1146, 11341, 11964, 10885, 6299, 1159, 8240, 8561, - 11177, 2078, 10331, 4322, 11367, 441, 4079, 11231, 3150, 1319, 8243, 709, 8049, 8719, 11454, 6224, - 3054, 6803, 3123, 10542, 4433, 6370, 7032, 3834, 8633, 12225, 9830, 683, 1566, 5782, 9786, 9341, - 12115, 723, 3009, 1693, 5735, 2655, 2738, 6421, 11942, 2925, 1975, 8532, 3315, 11863, 4754, 1858, - 1583, 6347, 2500, 10800, 6374, 1483, 12240, 1263, 1815, 5383, 10777, 350, 6920, 10232, 4493, 9087, - 8855, 8760, 9381, 218, 9928, 10446, 9259, 4115, 6147, 9842, 8326, 576, 10335, 10238, 10484, 9407, - 6381, 11836, 8517, 418, 6860, 7515, 1293, 7552, 2767, 156, 8298, 8320, 10008, 5876, 5333, 10258, - 10115, 4372, 2847, 7875, 8232, 9018, 8925, 1689, 8236, 2645, 5042, 9984, 7094, 9509, 1484, 7394, - 3, 4437, 160, 3149, 113, 7370, 10123, 3915, 6998, 2704, 8653, 4938, 1426, 7635, 10512, 1663, - 6957, 3510, 2370, 2865, 3978, 9320, 3247, 9603, 6882, 3186, 10659, 10163, 1153, 9405, 8241, 10040, - 2178, 1544, 5559, 420, 8304, 4905, 476, 3531, 5191, 9153, 2399, 8889, 3000, 671, 243, 3016, - 3763, 10849, 12262, 9223, 10657, 7205, 11272, 7404, 7575, 8146, 10752, 242, 2678, 3704, 11744, 5019, - 3833, 3778, 11899, 773, 5101, 11222, 9888, 442, 2912, 5698, 11935, 4861, 7277, 9808, 11244, 2859, - 3780, 11414, 4976, 10682, 7201, 8005, 11287, 5011, 6267, 2987, 2437, 3646, 2566, 10102, 9867, 6250, - 5444, 2381, 11796, 8193, 4337, 11854, 1912, 1378, 404, 7644, 1065, 2143, 11121, 5277, 3248, 11082, - 2548, 8058, 
8907, 11934, 1759, 8582, 3694, 7110, 12144, 6747, 8652, 3459, 2731, 8357, 6378, 7399, - 10861, 1696, 9863, 334, 7657, 6534, 11029, 4388, 11560, 3241, 10276, 9000, 9408, 3284, 10200, 7197, - 6498, 544, 2468, 339, 11267, 9, 2842, 480, 5331, 7300, 1673, 4278, 4177, 8705, 9764, 1381, - 7837, 2396, 8340, 8993, 4354, 130, 6915, 2837, 11462, 5767, 953, 8541, 9813, 118, 7222, 2197, - 3006, 9545, 563, 9314, 2625, 11340, 4821, 2639, 7266, 5828, 6561, 7698, 3328, 6512, 1351, 7311, - 6553, 8155, 1305, 722, 5146, 4043, 12288, 10810, 2545, 3621, 8747, 8785, 1646, 1212, 5860, 3195, - 7203, 10963, 3201, 3014, 955, 11499, 9970, 11119, 3135, 3712, 7443, 9542, 7484, 8736, 9995, 11227, - 1635, 9521, 1177, 8034, 140, 10436, 11563, 7678, 4320, 11289, 9198, 12208, 2963, 7393, 2366, 9238 -}; - -/************************************************************ -* Name: gammas_bitrev_montgomery -* -* Description: Contains powers of nth root of -1 in Montgomery -* domain with R=2^18 in bit-reversed order -************************************************************/ -const uint16_t PQCLEAN_NEWHOPE1024CPA_CLEAN_gammas_bitrev_montgomery[NEWHOPE_N] = { - 4075, 6974, 7373, 7965, 3262, 5079, 522, 2169, 6364, 1018, 1041, 8775, 2344, 11011, 5574, 1973, - 4536, 1050, 6844, 3860, 3818, 6118, 2683, 1190, 4789, 7822, 7540, 6752, 5456, 4449, 3789, 12142, - 11973, 382, 3988, 468, 6843, 5339, 6196, 3710, 11316, 1254, 5435, 10930, 3998, 10256, 10367, 3879, - 11889, 1728, 6137, 4948, 5862, 6136, 3643, 6874, 8724, 654, 10302, 1702, 7083, 6760, 56, 3199, - 9987, 605, 11785, 8076, 5594, 9260, 6403, 4782, 6212, 4624, 9026, 8689, 4080, 11868, 6221, 3602, - 975, 8077, 8851, 9445, 5681, 3477, 1105, 142, 241, 12231, 1003, 3532, 5009, 1956, 6008, 11404, - 7377, 2049, 10968, 12097, 7591, 5057, 3445, 4780, 2920, 7048, 3127, 8120, 11279, 6821, 11502, 8807, - 12138, 2127, 2839, 3957, 431, 1579, 6383, 9784, 5874, 677, 3336, 6234, 2766, 1323, 9115, 12237, - 2031, 6956, 6413, 2281, 3969, 3991, 12133, 9522, 4737, 10996, 4774, 
5429, 11871, 3772, 453, 5908, - 2882, 1805, 2051, 1954, 11713, 3963, 2447, 6142, 8174, 3030, 1843, 2361, 12071, 2908, 3529, 3434, - 3202, 7796, 2057, 5369, 11939, 1512, 6906, 10474, 11026, 49, 10806, 5915, 1489, 9789, 5942, 10706, - 10431, 7535, 426, 8974, 3757, 10314, 9364, 347, 5868, 9551, 9634, 6554, 10596, 9280, 11566, 174, - 2948, 2503, 6507, 10723, 11606, 2459, 64, 3656, 8455, 5257, 5919, 7856, 1747, 9166, 5486, 9235, - 6065, 835, 3570, 4240, 11580, 4046, 10970, 9139, 1058, 8210, 11848, 922, 7967, 1958, 10211, 1112, - 3728, 4049, 11130, 5990, 1404, 325, 948, 11143, 6190, 295, 11637, 5766, 8212, 8273, 2919, 8527, - 6119, 6992, 8333, 1360, 2555, 6167, 1200, 7105, 7991, 3329, 9597, 12121, 5106, 5961, 10695, 10327, - 3051, 9923, 4896, 9326, 81, 3091, 1000, 7969, 4611, 726, 1853, 12149, 4255, 11112, 2768, 10654, - 1062, 2294, 3553, 4805, 2747, 4846, 8577, 9154, 1170, 2319, 790, 11334, 9275, 9088, 1326, 5086, - 9094, 6429, 11077, 10643, 3504, 3542, 8668, 9744, 1479, 1, 8246, 7143, 11567, 10984, 4134, 5736, - 4978, 10938, 5777, 8961, 4591, 5728, 6461, 5023, 9650, 7468, 949, 9664, 2975, 11726, 2744, 9283, - 10092, 5067, 12171, 2476, 3748, 11336, 6522, 827, 9452, 5374, 12159, 7935, 3296, 3949, 9893, 4452, - 10908, 2525, 3584, 8112, 8011, 10616, 4989, 6958, 11809, 9447, 12280, 1022, 11950, 9821, 11745, 5791, - 5092, 2089, 9005, 2881, 3289, 2013, 9048, 729, 7901, 1260, 5755, 4632, 11955, 2426, 10593, 1428, - 4890, 5911, 3932, 9558, 8830, 3637, 5542, 145, 5179, 8595, 3707, 10530, 355, 3382, 4231, 9741, - 1207, 9041, 7012, 1168, 10146, 11224, 4645, 11885, 10911, 10377, 435, 7952, 4096, 493, 9908, 6845, - 6039, 2422, 2187, 9723, 8643, 9852, 9302, 6022, 7278, 1002, 4284, 5088, 1607, 7313, 875, 8509, - 9430, 1045, 2481, 5012, 7428, 354, 6591, 9377, 11847, 2401, 1067, 7188, 11516, 390, 8511, 8456, - 7270, 545, 8585, 9611, 12047, 1537, 4143, 4714, 4885, 1017, 5084, 1632, 3066, 27, 1440, 8526, - 9273, 12046, 11618, 9289, 3400, 9890, 3136, 7098, 8758, 11813, 7384, 3985, 11869, 
6730, 10745, 10111, - 2249, 4048, 2884, 11136, 2126, 1630, 9103, 5407, 2686, 9042, 2969, 8311, 9424, 9919, 8779, 5332, - 10626, 1777, 4654, 10863, 7351, 3636, 9585, 5291, 8374, 2166, 4919, 12176, 9140, 12129, 7852, 12286, - 4895, 10805, 2780, 5195, 2305, 7247, 9644, 4053, 10600, 3364, 3271, 4057, 4414, 9442, 7917, 2174, - 3947, 11951, 2455, 6599, 10545, 10975, 3654, 2894, 7681, 7126, 7287, 12269, 4119, 3343, 2151, 1522, - 7174, 7350, 11041, 2442, 2148, 5959, 6492, 8330, 8945, 5598, 3624, 10397, 1325, 6565, 1945, 11260, - 10077, 2674, 3338, 3276, 11034, 506, 6505, 1392, 5478, 8778, 1178, 2776, 3408, 10347, 11124, 2575, - 9489, 12096, 6092, 10058, 4167, 6085, 923, 11251, 11912, 4578, 10669, 11914, 425, 10453, 392, 10104, - 8464, 4235, 8761, 7376, 2291, 3375, 7954, 8896, 6617, 7790, 1737, 11667, 3982, 9342, 6680, 636, - 6825, 7383, 512, 4670, 2900, 12050, 7735, 994, 1687, 11883, 7021, 146, 10485, 1403, 5189, 6094, - 2483, 2054, 3042, 10945, 3981, 10821, 11826, 8882, 8151, 180, 9600, 7684, 5219, 10880, 6780, 204, - 11232, 2600, 7584, 3121, 3017, 11053, 7814, 7043, 4251, 4739, 11063, 6771, 7073, 9261, 2360, 11925, - 1928, 11825, 8024, 3678, 3205, 3359, 11197, 5209, 8581, 3238, 8840, 1136, 9363, 1826, 3171, 4489, - 7885, 346, 2068, 1389, 8257, 3163, 4840, 6127, 8062, 8921, 612, 4238, 10763, 8067, 125, 11749, - 10125, 5416, 2110, 716, 9839, 10584, 11475, 11873, 3448, 343, 1908, 4538, 10423, 7078, 4727, 1208, - 11572, 3589, 2982, 1373, 1721, 10753, 4103, 2429, 4209, 5412, 5993, 9011, 438, 3515, 7228, 1218, - 8347, 5232, 8682, 1327, 7508, 4924, 448, 1014, 10029, 12221, 4566, 5836, 12229, 2717, 1535, 3200, - 5588, 5845, 412, 5102, 7326, 3744, 3056, 2528, 7406, 8314, 9202, 6454, 6613, 1417, 10032, 7784, - 1518, 3765, 4176, 5063, 9828, 2275, 6636, 4267, 6463, 2065, 7725, 3495, 8328, 8755, 8144, 10533, - 5966, 12077, 9175, 9520, 5596, 6302, 8400, 579, 6781, 11014, 5734, 11113, 11164, 4860, 1131, 10844, - 9068, 8016, 9694, 3837, 567, 9348, 7000, 6627, 7699, 5082, 682, 11309, 
5207, 4050, 7087, 844, - 7434, 3769, 293, 9057, 6940, 9344, 10883, 2633, 8190, 3944, 5530, 5604, 3480, 2171, 9282, 11024, - 2213, 8136, 3805, 767, 12239, 216, 11520, 6763, 10353, 7, 8566, 845, 7235, 3154, 4360, 3285, - 10268, 2832, 3572, 1282, 7559, 3229, 8360, 10583, 6105, 3120, 6643, 6203, 8536, 8348, 6919, 3536, - 9199, 10891, 11463, 5043, 1658, 5618, 8787, 5789, 4719, 751, 11379, 6389, 10783, 3065, 7806, 6586, - 2622, 5386, 510, 7628, 6921, 578, 10345, 11839, 8929, 4684, 12226, 7154, 9916, 7302, 8481, 3670, - 11066, 2334, 1590, 7878, 10734, 1802, 1891, 5103, 6151, 8820, 3418, 7846, 9951, 4693, 417, 9996, - 9652, 4510, 2946, 5461, 365, 881, 1927, 1015, 11675, 11009, 1371, 12265, 2485, 11385, 5039, 6742, - 8449, 1842, 12217, 8176, 9577, 4834, 7937, 9461, 2643, 11194, 3045, 6508, 4094, 3451, 7911, 11048, - 5406, 4665, 3020, 6616, 11345, 7519, 3669, 5287, 1790, 7014, 5410, 11038, 11249, 2035, 6125, 10407, - 4565, 7315, 5078, 10506, 2840, 2478, 9270, 4194, 9195, 4518, 7469, 1160, 6878, 2730, 10421, 10036, - 1734, 3815, 10939, 5832, 10595, 10759, 4423, 8420, 9617, 7119, 11010, 11424, 9173, 189, 10080, 10526, - 3466, 10588, 7592, 3578, 11511, 7785, 9663, 530, 12150, 8957, 2532, 3317, 9349, 10243, 1481, 9332, - 3454, 3758, 7899, 4218, 2593, 11410, 2276, 982, 6513, 1849, 8494, 9021, 4523, 7988, 8, 457, - 648, 150, 8000, 2307, 2301, 874, 5650, 170, 9462, 2873, 9855, 11498, 2535, 11169, 5808, 12268, - 9687, 1901, 7171, 11787, 3846, 1573, 6063, 3793, 466, 11259, 10608, 3821, 6320, 4649, 6263, 2929 -}; - -/************************************************************ -* Name: gammas_inv_montgomery -* -* Description: Contains inverses of powers of nth root of -1 -* divided by n in Montgomery domain with R=2^18 -************************************************************/ -const uint16_t PQCLEAN_NEWHOPE1024CPA_CLEAN_gammas_inv_montgomery[NEWHOPE_N] = { - 256, 10570, 1510, 7238, 1034, 7170, 6291, 7921, 11665, 3422, 4000, 2327, 2088, 5565, 795, 10647, - 1521, 5484, 2539, 7385, 
1055, 7173, 8047, 11683, 1669, 1994, 3796, 5809, 4341, 9398, 11876, 12230, - 10525, 12037, 12253, 3506, 4012, 9351, 4847, 2448, 7372, 9831, 3160, 2207, 5582, 2553, 7387, 6322, - 9681, 1383, 10731, 1533, 219, 5298, 4268, 7632, 6357, 9686, 8406, 4712, 9451, 10128, 4958, 5975, - 11387, 8649, 11769, 6948, 11526, 12180, 1740, 10782, 6807, 2728, 7412, 4570, 4164, 4106, 11120, 12122, - 8754, 11784, 3439, 5758, 11356, 6889, 9762, 11928, 1704, 1999, 10819, 12079, 12259, 7018, 11536, 1648, - 1991, 2040, 2047, 2048, 10826, 12080, 8748, 8272, 8204, 1172, 1923, 7297, 2798, 7422, 6327, 4415, - 7653, 6360, 11442, 12168, 7005, 8023, 9924, 8440, 8228, 2931, 7441, 1063, 3663, 5790, 9605, 10150, - 1450, 8985, 11817, 10466, 10273, 12001, 3470, 7518, 1074, 1909, 7295, 9820, 4914, 702, 5367, 7789, - 8135, 9940, 1420, 3714, 11064, 12114, 12264, 1752, 5517, 9566, 11900, 1700, 3754, 5803, 829, 1874, - 7290, 2797, 10933, 5073, 7747, 8129, 6428, 6185, 11417, 1631, 233, 5300, 9535, 10140, 11982, 8734, - 8270, 2937, 10953, 8587, 8249, 2934, 9197, 4825, 5956, 4362, 9401, 1343, 3703, 529, 10609, 12049, - 6988, 6265, 895, 3639, 4031, 4087, 4095, 585, 10617, 8539, 4731, 4187, 9376, 3095, 9220, 10095, - 10220, 1460, 10742, 12068, 1724, 5513, 11321, 6884, 2739, 5658, 6075, 4379, 11159, 10372, 8504, 4726, - 9453, 3106, 7466, 11600, 10435, 8513, 9994, 8450, 9985, 3182, 10988, 8592, 2983, 9204, 4826, 2445, - 5616, 6069, 867, 3635, 5786, 11360, 5134, 2489, 10889, 12089, 1727, 7269, 2794, 9177, 1311, 5454, - 9557, 6632, 2703, 9164, 10087, 1441, 3717, 531, 3587, 2268, 324, 5313, 759, 1864, 5533, 2546, - 7386, 9833, 8427, 4715, 11207, 1601, 7251, 4547, 11183, 12131, 1733, 10781, 10318, 1474, 10744, 5046, - 4232, 11138, 10369, 6748, 964, 7160, 4534, 7670, 8118, 8182, 4680, 11202, 6867, 981, 8918, 1274, - 182, 26, 7026, 8026, 11680, 12202, 10521, 1503, 7237, 4545, 5916, 9623, 8397, 11733, 10454, 3249, - 9242, 6587, 941, 1890, 270, 10572, 6777, 9746, 6659, 6218, 6155, 6146, 878, 1881, 7291, 11575, - 12187, 
1741, 7271, 8061, 11685, 6936, 4502, 9421, 4857, 4205, 7623, 1089, 10689, 1527, 8996, 10063, - 11971, 10488, 6765, 2722, 3900, 9335, 11867, 6962, 11528, 5158, 4248, 4118, 5855, 2592, 5637, 6072, - 2623, 7397, 8079, 9932, 4930, 5971, 853, 3633, 519, 8852, 11798, 3441, 11025, 1575, 225, 8810, - 11792, 12218, 3501, 9278, 3081, 9218, 4828, 7712, 8124, 11694, 12204, 3499, 4011, 573, 3593, 5780, - 7848, 9899, 10192, 1456, 208, 7052, 2763, 7417, 11593, 10434, 12024, 8740, 11782, 10461, 3250, 5731, - 7841, 9898, 1414, 202, 3540, 7528, 2831, 2160, 10842, 5060, 4234, 4116, 588, 84, 12, 7024, - 2759, 9172, 6577, 11473, 1639, 9012, 3043, 7457, 6332, 11438, 1634, 1989, 9062, 11828, 8712, 11778, - 12216, 10523, 6770, 9745, 10170, 4964, 9487, 6622, 946, 8913, 6540, 6201, 4397, 9406, 8366, 9973, - 8447, 8229, 11709, 8695, 10020, 3187, 5722, 2573, 10901, 6824, 4486, 4152, 9371, 8361, 2950, 2177, - 311, 1800, 9035, 8313, 11721, 3430, 490, 70, 10, 1757, 251, 3547, 7529, 11609, 3414, 7510, - 4584, 4166, 9373, 1339, 5458, 7802, 11648, 1664, 7260, 9815, 10180, 6721, 9738, 10169, 8475, 8233, - 9954, 1422, 8981, 1283, 5450, 11312, 1616, 3742, 11068, 10359, 4991, 713, 3613, 9294, 8350, 4704, - 672, 96, 7036, 9783, 11931, 3460, 5761, 823, 10651, 12055, 10500, 1500, 5481, 783, 3623, 11051, - 8601, 8251, 8201, 11705, 10450, 5004, 4226, 7626, 2845, 2162, 3820, 7568, 9859, 3164, 452, 10598, - 1514, 5483, 6050, 6131, 4387, 7649, 8115, 6426, 918, 8909, 8295, 1185, 5436, 11310, 8638, 1234, - 5443, 11311, 5127, 2488, 2111, 10835, 5059, 7745, 2862, 3920, 560, 80, 1767, 2008, 3798, 11076, - 6849, 2734, 10924, 12094, 8750, 1250, 10712, 6797, 971, 7161, 1023, 8924, 4786, 7706, 4612, 4170, - 7618, 6355, 4419, 5898, 11376, 10403, 10264, 6733, 4473, 639, 5358, 2521, 9138, 3061, 5704, 4326, - 618, 5355, 765, 5376, 768, 7132, 4530, 9425, 3102, 9221, 6584, 11474, 10417, 10266, 12000, 6981, - 6264, 4406, 2385, 7363, 4563, 4163, 7617, 9866, 3165, 9230, 11852, 10471, 5007, 5982, 11388, 5138, - 734, 3616, 11050, 
12112, 6997, 11533, 12181, 10518, 12036, 3475, 2252, 7344, 9827, 4915, 9480, 6621, - 4457, 7659, 9872, 6677, 4465, 4149, 7615, 4599, 657, 3605, 515, 10607, 6782, 4480, 640, 1847, - 3775, 5806, 2585, 5636, 9583, 1369, 10729, 8555, 10000, 11962, 5220, 7768, 8132, 8184, 9947, 1421, - 203, 29, 8782, 11788, 1684, 10774, 10317, 4985, 9490, 8378, 4708, 11206, 5112, 5997, 7879, 11659, - 12199, 8765, 10030, 4944, 5973, 6120, 6141, 6144, 7900, 11662, 1666, 238, 34, 3516, 5769, 9602, - 8394, 9977, 6692, 956, 10670, 6791, 9748, 11926, 8726, 11780, 5194, 742, 106, 8793, 10034, 3189, - 10989, 5081, 4237, 5872, 4350, 2377, 10873, 6820, 6241, 11425, 10410, 10265, 3222, 5727, 9596, 4882, - 2453, 2106, 3812, 11078, 12116, 5242, 4260, 11142, 8614, 11764, 12214, 5256, 4262, 4120, 11122, 5100, - 11262, 5120, 2487, 5622, 9581, 8391, 8221, 2930, 10952, 12098, 6995, 6266, 9673, 4893, 699, 3611, - 4027, 5842, 11368, 1624, 232, 8811, 8281, 1183, 169, 8802, 3013, 2186, 5579, 797, 3625, 4029, - 11109, 1587, 7249, 11569, 8675, 6506, 2685, 10917, 12093, 12261, 12285, 1755, 7273, 1039, 1904, 272, - 3550, 9285, 3082, 5707, 6082, 4380, 7648, 11626, 5172, 4250, 9385, 8363, 8217, 4685, 5936, 848, - 8899, 6538, 934, 1889, 3781, 9318, 10109, 10222, 6727, 961, 5404, 772, 5377, 9546, 8386, 1198, - 8949, 3034, 2189, 7335, 4559, 5918, 2601, 10905, 5069, 9502, 3113, 7467, 8089, 11689, 5181, 9518, - 8382, 2953, 3933, 4073, 4093, 7607, 8109, 2914, 5683, 4323, 11151, 1593, 10761, 6804, 972, 3650, - 2277, 5592, 4310, 7638, 9869, 4921, 703, 1856, 9043, 4803, 9464, 1352, 8971, 11815, 5199, 7765, - 6376, 4422, 7654, 2849, 407, 8836, 6529, 7955, 2892, 9191, 1313, 10721, 12065, 12257, 1751, 9028, - 8312, 2943, 2176, 3822, 546, 78, 8789, 11789, 10462, 12028, 6985, 4509, 9422, 1346, 5459, 4291, - 613, 10621, 6784, 9747, 3148, 7472, 2823, 5670, 810, 7138, 8042, 4660, 7688, 6365, 6176, 6149, - 2634, 5643, 9584, 10147, 11983, 5223, 9524, 11894, 10477, 8519, 1217, 3685, 2282, 326, 10580, 3267, - 7489, 4581, 2410, 5611, 
11335, 6886, 8006, 8166, 11700, 3427, 11023, 8597, 10006, 3185, 455, 65,
- 5276, 7776, 4622, 5927, 7869, 9902, 11948, 5218, 2501, 5624, 2559, 10899, 1557, 1978, 10816, 10323,
- 8497, 4725, 675, 1852, 10798, 12076, 10503, 3256, 9243, 3076, 2195, 10847, 12083, 10504, 12034, 10497
-};
-
diff --git a/crypto_kem/newhope1024cpa/clean/reduce.c b/crypto_kem/newhope1024cpa/clean/reduce.c
deleted file mode 100644
index 49421e3d..00000000
--- a/crypto_kem/newhope1024cpa/clean/reduce.c
+++ /dev/null
@@ -1,26 +0,0 @@
-#include "reduce.h"
-#include "params.h"
-
-static const uint32_t qinv = 12287; // -inverse_mod(p,2^18)
-static const uint32_t rlog = 18;
-
-/*************************************************
-* Name: montgomery_reduce
-*
-* Description: Montgomery reduction; given a 32-bit integer a, computes
-* 16-bit integer congruent to a * R^-1 mod q,
-* where R=2^18 (see value of rlog)
-*
-* Arguments: - uint32_t a: input unsigned integer to be reduced; has to be in {0,...,1073491968}
-*
-* Returns: unsigned integer in {0,...,2^14-1} congruent to a * R^-1 modulo q.
-**************************************************/
-uint16_t PQCLEAN_NEWHOPE1024CPA_CLEAN_montgomery_reduce(uint32_t a) {
- uint32_t u;
-
- u = (a * qinv);
- u &= ((1 << rlog) - 1);
- u *= NEWHOPE_Q;
- a = a + u;
- return a >> 18;
-}
diff --git a/crypto_kem/newhope1024cpa/clean/reduce.h b/crypto_kem/newhope1024cpa/clean/reduce.h
deleted file mode 100644
index 724e20fe..00000000
--- a/crypto_kem/newhope1024cpa/clean/reduce.h
+++ /dev/null
@@ -1,8 +0,0 @@
-#ifndef REDUCE_H
-#define REDUCE_H
-
-#include
-
-uint16_t PQCLEAN_NEWHOPE1024CPA_CLEAN_montgomery_reduce(uint32_t a);
-
-#endif
diff --git a/crypto_kem/newhope1024cpa/clean/verify.c b/crypto_kem/newhope1024cpa/clean/verify.c
deleted file mode 100644
index 677e3ae9..00000000
--- a/crypto_kem/newhope1024cpa/clean/verify.c
+++ /dev/null
@@ -1,49 +0,0 @@
-#include "verify.h"
-#include
-#include
-
-/*************************************************
-* Name: verify
-*
-* Description: Compare two arrays for equality in constant time.
-*
-* Arguments: const unsigned char *a: pointer to first byte array
-* const unsigned char *b: pointer to second byte array
-* size_t len: length of the byte arrays
-*
-* Returns 0 if the byte arrays are equal, 1 otherwise
-**************************************************/
-int PQCLEAN_NEWHOPE1024CPA_CLEAN_verify(const unsigned char *a, const unsigned char *b, size_t len) {
- uint64_t r;
- size_t i;
- r = 0;
-
- for (i = 0; i < len; i++) {
- r |= a[i] ^ b[i];
- }
-
- r = (uint64_t)(-(int64_t)r) >> 63;
- return (int)r;
-}
-
-/*************************************************
-* Name: cmov
-*
-* Description: Copy len bytes from x to r if b is 1;
-* don't modify x if b is 0. Requires b to be in {0,1};
-* assumes two's complement representation of negative integers.
-* Runs in constant time.
-*
-* Arguments: unsigned char *r: pointer to output byte array
-* const unsigned char *x: pointer to input byte array
-* size_t len: Amount of bytes to be copied
-* unsigned char b: Condition bit; has to be in {0,1}
-**************************************************/
-void PQCLEAN_NEWHOPE1024CPA_CLEAN_cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b) {
- size_t i;
-
- b = -b;
- for (i = 0; i < len; i++) {
- r[i] ^= b & (x[i] ^ r[i]);
- }
-}
diff --git a/crypto_kem/newhope1024cpa/clean/verify.h b/crypto_kem/newhope1024cpa/clean/verify.h
deleted file mode 100644
index 9cdd0e95..00000000
--- a/crypto_kem/newhope1024cpa/clean/verify.h
+++ /dev/null
@@ -1,12 +0,0 @@
-#ifndef VERIFY_H
-#define VERIFY_H
-
-#include
-
-/* returns 0 for equal strings, 1 for non-equal strings */
-int PQCLEAN_NEWHOPE1024CPA_CLEAN_verify(const unsigned char *a, const unsigned char *b, size_t len);
-
-/* b = 1 means mov, b = 0 means don't mov*/
-void PQCLEAN_NEWHOPE1024CPA_CLEAN_cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b);
-
-#endif
diff --git a/crypto_kem/newhope512cca/META.yml b/crypto_kem/newhope512cca/META.yml
deleted file mode 100644
index 5cb83873..00000000
--- a/crypto_kem/newhope512cca/META.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-name: NewHope512-CCAKEM
-type: kem
-claimed-nist-level: 1
-claimed-security: IND-CCA2
-length-public-key: 928
-length-secret-key: 1888
-length-ciphertext: 1120
-length-shared-secret: 32
-nistkat-sha256: 4290da64305e70e65766be5d4e488dee2b4b238172876ceefc931934b6964a7d
-principal-submitters:
- - Thomas Pöppelmann
-auxiliary-submitters:
-- Erdem Alkim
-- Roberto Avanzi
-- Joppe Bos
-- Léo Ducas
-- Antonio de la Piedra
-- Peter Schwabe
-- Douglas Stebila
-implementations:
-- name: clean
- version: https://github.com/newhopecrypto/newhope/commit/3fc68c6090b23c56cc190a78af2f43ee8900e9d0
diff --git a/crypto_kem/newhope512cca/clean/LICENSE b/crypto_kem/newhope512cca/clean/LICENSE
deleted file mode 100644
index d5d21fff..00000000
--- a/crypto_kem/newhope512cca/clean/LICENSE
+++ /dev/null
@@ -1 +0,0 @@
-Public Domain
diff --git a/crypto_kem/newhope512cca/clean/Makefile b/crypto_kem/newhope512cca/clean/Makefile
deleted file mode 100644
index 73a193d0..00000000
--- a/crypto_kem/newhope512cca/clean/Makefile
+++ /dev/null
@@ -1,19 +0,0 @@
-# This Makefile can be used with GNU Make or BSD Make
-
-LIB=libnewhope512cca_clean.a
-HEADERS=api.h cpapke.h ntt.h params.h poly.h reduce.h verify.h
-OBJECTS=cpapke.o kem.o ntt.o poly.o precomp.o reduce.o verify.o
-
-CFLAGS=-O3 -Wall -Wextra -Wpedantic -Wvla -Werror -Wmissing-prototypes -Wredundant-decls -std=c99 -I../../../common $(EXTRAFLAGS)
-
-all: $(LIB)
-
-%.o: %.c $(HEADERS)
- $(CC) $(CFLAGS) -c -o $@ $<
-
-$(LIB): $(OBJECTS)
- $(AR) -r $@ $(OBJECTS)
-
-clean:
- $(RM) $(OBJECTS)
- $(RM) $(LIB)
diff --git a/crypto_kem/newhope512cca/clean/Makefile.Microsoft_nmake b/crypto_kem/newhope512cca/clean/Makefile.Microsoft_nmake
deleted file mode 100644
index e6a71e86..00000000
--- a/crypto_kem/newhope512cca/clean/Makefile.Microsoft_nmake
+++ /dev/null
@@ -1,19 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=libnewhope512cca_clean.lib
-OBJECTS=cpapke.obj kem.obj ntt.obj poly.obj precomp.obj reduce.obj verify.obj
-
-CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_kem/newhope512cca/clean/api.h b/crypto_kem/newhope512cca/clean/api.h
deleted file mode 100644
index 6526df97..00000000
--- a/crypto_kem/newhope512cca/clean/api.h
+++ /dev/null
@@ -1,15 +0,0 @@
-#ifndef PQCLEAN_NEWHOPE512CCA_CLEAN_API_H
-#define PQCLEAN_NEWHOPE512CCA_CLEAN_API_H
-
-
-#define PQCLEAN_NEWHOPE512CCA_CLEAN_CRYPTO_SECRETKEYBYTES 1888
-#define PQCLEAN_NEWHOPE512CCA_CLEAN_CRYPTO_PUBLICKEYBYTES 928
-#define PQCLEAN_NEWHOPE512CCA_CLEAN_CRYPTO_CIPHERTEXTBYTES 1120
-#define PQCLEAN_NEWHOPE512CCA_CLEAN_CRYPTO_BYTES 32
-#define PQCLEAN_NEWHOPE512CCA_CLEAN_CRYPTO_ALGNAME "NewHope512-CCAKEM"
-
-int PQCLEAN_NEWHOPE512CCA_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk);
-int PQCLEAN_NEWHOPE512CCA_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk);
-int PQCLEAN_NEWHOPE512CCA_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk);
-
-#endif
diff --git a/crypto_kem/newhope512cca/clean/cpapke.c b/crypto_kem/newhope512cca/clean/cpapke.c
deleted file mode 100644
index 4328e6de..00000000
--- a/crypto_kem/newhope512cca/clean/cpapke.c
+++ /dev/null
@@ -1,193 +0,0 @@ -#include "api.h" -#include "cpapke.h" -#include "fips202.h" -#include "poly.h" -#include "randombytes.h" -#include - -/************************************************* -* Name: encode_pk -* -* Description: Serialize the public key as concatenation of the -* serialization of the polynomial pk and the public seed -* used to generete the polynomial a. -* -* Arguments: unsigned char *r: pointer to the output serialized public key -* const poly *pk: pointer to the input public-key polynomial -* const unsigned char *seed: pointer to the input public seed -**************************************************/ -static void encode_pk(unsigned char *r, const poly *pk, const unsigned char *seed) { - int i; - PQCLEAN_NEWHOPE512CCA_CLEAN_poly_tobytes(r, pk); - for (i = 0; i < NEWHOPE_SYMBYTES; i++) { - r[NEWHOPE_POLYBYTES + i] = seed[i]; - } -} - -/************************************************* -* Name: decode_pk -* -* Description: De-serialize the public key; inverse of encode_pk -* -* Arguments: poly *pk: pointer to output public-key polynomial -* unsigned char *seed: pointer to output public seed -* const unsigned char *r: pointer to input byte array -**************************************************/ -static void decode_pk(poly *pk, unsigned char *seed, const unsigned char *r) { - int i; - PQCLEAN_NEWHOPE512CCA_CLEAN_poly_frombytes(pk, r); - for (i = 0; i < NEWHOPE_SYMBYTES; i++) { - seed[i] = r[NEWHOPE_POLYBYTES + i]; - } -} - -/************************************************* -* Name: encode_c -* -* Description: Serialize the ciphertext as concatenation of the -* serialization of the polynomial b and serialization -* of the compressed polynomial v -* -* Arguments: - unsigned char *r: pointer to the output serialized ciphertext -* - const poly *b: pointer to the input polynomial b -* - const poly *v: pointer to the input polynomial v -**************************************************/ -static void encode_c(unsigned char *r, const poly *b, const poly 
*v) { - PQCLEAN_NEWHOPE512CCA_CLEAN_poly_tobytes(r, b); - PQCLEAN_NEWHOPE512CCA_CLEAN_poly_compress(r + NEWHOPE_POLYBYTES, v); -} - -/************************************************* -* Name: decode_c -* -* Description: de-serialize the ciphertext; inverse of encode_c -* -* Arguments: - poly *b: pointer to output polynomial b -* - poly *v: pointer to output polynomial v -* - const unsigned char *r: pointer to input byte array -**************************************************/ -static void decode_c(poly *b, poly *v, const unsigned char *r) { - PQCLEAN_NEWHOPE512CCA_CLEAN_poly_frombytes(b, r); - PQCLEAN_NEWHOPE512CCA_CLEAN_poly_decompress(v, r + NEWHOPE_POLYBYTES); -} - -/************************************************* -* Name: gen_a -* -* Description: Deterministically generate public polynomial a from seed -* -* Arguments: - poly *a: pointer to output polynomial a -* - const unsigned char *seed: pointer to input seed -**************************************************/ -static void gen_a(poly *a, const unsigned char *seed) { - PQCLEAN_NEWHOPE512CCA_CLEAN_poly_uniform(a, seed); -} - - -/************************************************* -* Name: cpapke_keypair -* -* Description: Generates public and private key -* for the CPA public-key encryption scheme underlying -* the NewHope KEMs -* -* Arguments: - unsigned char *pk: pointer to output public key -* - unsigned char *sk: pointer to output private key -**************************************************/ -void PQCLEAN_NEWHOPE512CCA_CLEAN_cpapke_keypair(unsigned char *pk, - unsigned char *sk) { - poly ahat, ehat, ahat_shat, bhat, shat; - unsigned char z[2 * NEWHOPE_SYMBYTES]; - unsigned char *publicseed = z; - unsigned char *noiseseed = z + NEWHOPE_SYMBYTES; - - z[0] = 0x01; - randombytes(z + 1, NEWHOPE_SYMBYTES); - shake256(z, 2 * NEWHOPE_SYMBYTES, z, NEWHOPE_SYMBYTES + 1); - - gen_a(&ahat, publicseed); - - PQCLEAN_NEWHOPE512CCA_CLEAN_poly_sample(&shat, noiseseed, 0); - 
PQCLEAN_NEWHOPE512CCA_CLEAN_poly_ntt(&shat); - - PQCLEAN_NEWHOPE512CCA_CLEAN_poly_sample(&ehat, noiseseed, 1); - PQCLEAN_NEWHOPE512CCA_CLEAN_poly_ntt(&ehat); - - PQCLEAN_NEWHOPE512CCA_CLEAN_poly_mul_pointwise(&ahat_shat, &shat, &ahat); - PQCLEAN_NEWHOPE512CCA_CLEAN_poly_add(&bhat, &ehat, &ahat_shat); - - PQCLEAN_NEWHOPE512CCA_CLEAN_poly_tobytes(sk, &shat); - encode_pk(pk, &bhat, publicseed); -} - -/************************************************* -* Name: cpapke_enc -* -* Description: Encryption function of -* the CPA public-key encryption scheme underlying -* the NewHope KEMs -* -* Arguments: - unsigned char *c: pointer to output ciphertext -* - const unsigned char *m: pointer to input message (of length NEWHOPE_SYMBYTES bytes) -* - const unsigned char *pk: pointer to input public key -* - const unsigned char *coin: pointer to input random coins used as seed -* to deterministically generate all randomness -**************************************************/ -void PQCLEAN_NEWHOPE512CCA_CLEAN_cpapke_enc(unsigned char *c, - const unsigned char *m, - const unsigned char *pk, - const unsigned char *coin) { - poly sprime, eprime, vprime, ahat, bhat, eprimeprime, uhat, v; - unsigned char publicseed[NEWHOPE_SYMBYTES]; - - PQCLEAN_NEWHOPE512CCA_CLEAN_poly_frommsg(&v, m); - - decode_pk(&bhat, publicseed, pk); - gen_a(&ahat, publicseed); - - PQCLEAN_NEWHOPE512CCA_CLEAN_poly_sample(&sprime, coin, 0); - PQCLEAN_NEWHOPE512CCA_CLEAN_poly_sample(&eprime, coin, 1); - PQCLEAN_NEWHOPE512CCA_CLEAN_poly_sample(&eprimeprime, coin, 2); - - PQCLEAN_NEWHOPE512CCA_CLEAN_poly_ntt(&sprime); - PQCLEAN_NEWHOPE512CCA_CLEAN_poly_ntt(&eprime); - - PQCLEAN_NEWHOPE512CCA_CLEAN_poly_mul_pointwise(&uhat, &ahat, &sprime); - PQCLEAN_NEWHOPE512CCA_CLEAN_poly_add(&uhat, &uhat, &eprime); - - PQCLEAN_NEWHOPE512CCA_CLEAN_poly_mul_pointwise(&vprime, &bhat, &sprime); - PQCLEAN_NEWHOPE512CCA_CLEAN_poly_invntt(&vprime); - - PQCLEAN_NEWHOPE512CCA_CLEAN_poly_add(&vprime, &vprime, &eprimeprime); - 
PQCLEAN_NEWHOPE512CCA_CLEAN_poly_add(&vprime, &vprime, &v); // add message
-
- encode_c(c, &uhat, &vprime);
-}
-
-
-/*************************************************
-* Name: cpapke_dec
-*
-* Description: Decryption function of
-* the CPA public-key encryption scheme underlying
-* the NewHope KEMs
-*
-* Arguments: - unsigned char *m: pointer to output decrypted message
-* - const unsigned char *c: pointer to input ciphertext
-* - const unsigned char *sk: pointer to input secret key
-**************************************************/
-void PQCLEAN_NEWHOPE512CCA_CLEAN_cpapke_dec(unsigned char *m,
- const unsigned char *c,
- const unsigned char *sk) {
- poly vprime, uhat, tmp, shat;
-
- PQCLEAN_NEWHOPE512CCA_CLEAN_poly_frombytes(&shat, sk);
-
- decode_c(&uhat, &vprime, c);
- PQCLEAN_NEWHOPE512CCA_CLEAN_poly_mul_pointwise(&tmp, &shat, &uhat);
- PQCLEAN_NEWHOPE512CCA_CLEAN_poly_invntt(&tmp);
-
- PQCLEAN_NEWHOPE512CCA_CLEAN_poly_sub(&tmp, &tmp, &vprime);
-
- PQCLEAN_NEWHOPE512CCA_CLEAN_poly_tomsg(m, &tmp);
-}
diff --git a/crypto_kem/newhope512cca/clean/cpapke.h b/crypto_kem/newhope512cca/clean/cpapke.h
deleted file mode 100644
index 4b99524b..00000000
--- a/crypto_kem/newhope512cca/clean/cpapke.h
+++ /dev/null
@@ -1,16 +0,0 @@
-#ifndef INDCPA_H
-#define INDCPA_H
-
-void PQCLEAN_NEWHOPE512CCA_CLEAN_cpapke_keypair(unsigned char *pk,
- unsigned char *sk);
-
-void PQCLEAN_NEWHOPE512CCA_CLEAN_cpapke_enc(unsigned char *c,
- const unsigned char *m,
- const unsigned char *pk,
- const unsigned char *coins);
-
-void PQCLEAN_NEWHOPE512CCA_CLEAN_cpapke_dec(unsigned char *m,
- const unsigned char *c,
- const unsigned char *sk);
-
-#endif
diff --git a/crypto_kem/newhope512cca/clean/kem.c b/crypto_kem/newhope512cca/clean/kem.c
deleted file mode 100644
index ac674d7b..00000000
--- a/crypto_kem/newhope512cca/clean/kem.c
+++ /dev/null
@@ -1,119 +0,0 @@ -#include "api.h" -#include "cpapke.h" -#include "fips202.h" -#include "params.h" -#include "randombytes.h" -#include "verify.h" - -#include - -/************************************************* -* Name: crypto_kem_keypair -* -* Description: Generates public and private key -* for CCA secure NewHope key encapsulation -* mechanism -* -* Arguments: - unsigned char *pk: pointer to output public key (an already allocated array of CRYPTO_PUBLICKEYBYTES bytes) -* - unsigned char *sk: pointer to output private key (an already allocated array of CRYPTO_SECRETKEYBYTES bytes) -* -* Returns 0 (success) -**************************************************/ -int PQCLEAN_NEWHOPE512CCA_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) { - size_t i; - - PQCLEAN_NEWHOPE512CCA_CLEAN_cpapke_keypair(pk, sk); /* First put the actual secret key into sk */ - sk += NEWHOPE_CPAPKE_SECRETKEYBYTES; - - for (i = 0; i < NEWHOPE_CPAPKE_PUBLICKEYBYTES; i++) { /* Append the public key for re-encryption */ - sk[i] = pk[i]; - } - sk += NEWHOPE_CPAPKE_PUBLICKEYBYTES; - - shake256(sk, NEWHOPE_SYMBYTES, pk, NEWHOPE_CPAPKE_PUBLICKEYBYTES); /* Append the hash of the public key */ - sk += NEWHOPE_SYMBYTES; - - randombytes(sk, NEWHOPE_SYMBYTES); /* Append the value s for pseudo-random output on reject */ - - return 0; -} - -/************************************************* -* Name: crypto_kem_enc -* -* Description: Generates cipher text and shared -* secret for given public key -* -* Arguments: - unsigned char *ct: pointer to output cipher text (an already allocated array of CRYPTO_CIPHERTEXTBYTES bytes) -* - unsigned char *ss: pointer to output shared secret (an already allocated array of CRYPTO_BYTES bytes) -* - const unsigned char *pk: pointer to input public key (an already allocated array of CRYPTO_PUBLICKEYBYTES bytes) -* -* Returns 0 (success) -**************************************************/ -int PQCLEAN_NEWHOPE512CCA_CLEAN_crypto_kem_enc(unsigned char *ct, 
unsigned char *ss, const unsigned char *pk) { - unsigned char k_coins_d[3 * NEWHOPE_SYMBYTES]; /* Will contain key, coins, qrom-hash */ - unsigned char buf[2 * NEWHOPE_SYMBYTES + 1]; - int i; - - buf[0] = 0x04; - randombytes(buf + 1, NEWHOPE_SYMBYTES); - - shake256(buf + 1, NEWHOPE_SYMBYTES, buf, NEWHOPE_SYMBYTES + 1); /* Don't release system RNG output */ - shake256(buf + 1 + NEWHOPE_SYMBYTES, NEWHOPE_SYMBYTES, pk, NEWHOPE_CCAKEM_PUBLICKEYBYTES); /* Multitarget countermeasure for coins + contributory KEM */ - buf[0] = 0x08; - shake256(k_coins_d, 3 * NEWHOPE_SYMBYTES, buf, 2 * NEWHOPE_SYMBYTES + 1); - - PQCLEAN_NEWHOPE512CCA_CLEAN_cpapke_enc(ct, buf + 1, pk, k_coins_d + NEWHOPE_SYMBYTES); /* coins are in k_coins_d+NEWHOPE_SYMBYTES */ - - for (i = 0; i < NEWHOPE_SYMBYTES; i++) { - ct[i + NEWHOPE_CPAPKE_CIPHERTEXTBYTES] = k_coins_d[i + 2 * NEWHOPE_SYMBYTES]; /* copy Targhi-Unruh hash into ct */ - } - - shake256(k_coins_d + NEWHOPE_SYMBYTES, NEWHOPE_SYMBYTES, ct, NEWHOPE_CCAKEM_CIPHERTEXTBYTES); /* overwrite coins in k_coins_d with h(c) */ - shake256(ss, NEWHOPE_SYMBYTES, k_coins_d, 2 * NEWHOPE_SYMBYTES); /* hash concatenation of pre-k and h(c) to ss */ - return 0; -} - -/************************************************* -* Name: crypto_kem_dec -* -* Description: Generates shared secret for given -* cipher text and private key -* -* Arguments: - unsigned char *ss: pointer to output shared secret (an already allocated array of CRYPTO_BYTES bytes) -* - const unsigned char *ct: pointer to input cipher text (an already allocated array of CRYPTO_CIPHERTEXTBYTES bytes) -* - const unsigned char *sk: pointer to input private key (an already allocated array of CRYPTO_SECRETKEYBYTES bytes) -* -* Returns 0 for sucess or -1 for failure -* -* On failure, ss will contain a randomized value. 
-**************************************************/ -int PQCLEAN_NEWHOPE512CCA_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) { - int i, fail; - unsigned char ct_cmp[NEWHOPE_CCAKEM_CIPHERTEXTBYTES]; - unsigned char buf[2 * NEWHOPE_SYMBYTES + 1]; - unsigned char k_coins_d[3 * NEWHOPE_SYMBYTES]; /* Will contain key, coins, qrom-hash */ - const unsigned char *pk = sk + NEWHOPE_CPAPKE_SECRETKEYBYTES; - - buf[0] = 0x08; - PQCLEAN_NEWHOPE512CCA_CLEAN_cpapke_dec(buf + 1, ct, sk); - - for (i = 0; i < NEWHOPE_SYMBYTES; i++) { /* Use hash of pk stored in sk */ - buf[1 + NEWHOPE_SYMBYTES + i] = sk[NEWHOPE_CCAKEM_SECRETKEYBYTES - 2 * NEWHOPE_SYMBYTES + i]; - } - shake256(k_coins_d, 3 * NEWHOPE_SYMBYTES, buf, 2 * NEWHOPE_SYMBYTES + 1); - - PQCLEAN_NEWHOPE512CCA_CLEAN_cpapke_enc(ct_cmp, buf + 1, pk, k_coins_d + NEWHOPE_SYMBYTES); /* coins are in k_coins_d+NEWHOPE_SYMBYTES */ - - for (i = 0; i < NEWHOPE_SYMBYTES; i++) { - ct_cmp[i + NEWHOPE_CPAPKE_CIPHERTEXTBYTES] = k_coins_d[i + 2 * NEWHOPE_SYMBYTES]; - } - - fail = PQCLEAN_NEWHOPE512CCA_CLEAN_verify(ct, ct_cmp, NEWHOPE_CCAKEM_CIPHERTEXTBYTES); - - shake256(k_coins_d + NEWHOPE_SYMBYTES, NEWHOPE_SYMBYTES, ct, NEWHOPE_CCAKEM_CIPHERTEXTBYTES); /* overwrite coins in k_coins_d with h(c) */ - PQCLEAN_NEWHOPE512CCA_CLEAN_cmov(k_coins_d, sk + NEWHOPE_CCAKEM_SECRETKEYBYTES - NEWHOPE_SYMBYTES, NEWHOPE_SYMBYTES, (unsigned char) fail); /* Overwrite pre-k with z on re-encryption failure */ - shake256(ss, NEWHOPE_SYMBYTES, k_coins_d, 2 * NEWHOPE_SYMBYTES); /* hash concatenation of pre-k and h(c) to k */ - - return 0; -} diff --git a/crypto_kem/newhope512cca/clean/ntt.c b/crypto_kem/newhope512cca/clean/ntt.c deleted file mode 100644 index 17cad0a0..00000000 --- a/crypto_kem/newhope512cca/clean/ntt.c +++ /dev/null 
@@ -1,112 +0,0 @@ -#include "inttypes.h" -#include "ntt.h" -#include "params.h" -#include "reduce.h" - -/************************************************************ -* Name: bitrev_table -* -* Description: Contains bit-reversed 9-bit indices to be used to re-order -* polynomials before number theoratic transform -************************************************************/ -static uint16_t bitrev_table [512] = { - 0, 256, 128, 384, 64, 320, 192, 448, 32, 288, 160, 416, 96, 352, 224, 480, 16, 272, 144, 400, 80, 336, 208, 464, 48, 304, 176, 432, 112, 368, 240, 496, 8, - 264, 136, 392, 72, 328, 200, 456, 40, 296, 168, 424, 104, 360, 232, 488, 24, 280, 152, 408, 88, 344, 216, 472, 56, 312, 184, 440, 120, 376, 248, 504, 4, - 260, 132, 388, 68, 324, 196, 452, 36, 292, 164, 420, 100, 356, 228, 484, 20, 276, 148, 404, 84, 340, 212, 468, 52, 308, 180, 436, 116, 372, 244, 500, 12, - 268, 140, 396, 76, 332, 204, 460, 44, 300, 172, 428, 108, 364, 236, 492, 28, 284, 156, 412, 92, 348, 220, 476, 60, 316, 188, 444, 124, 380, 252, 508, 2, - 258, 130, 386, 66, 322, 194, 450, 34, 290, 162, 418, 98, 354, 226, 482, 18, 274, 146, 402, 82, 338, 210, 466, 50, 306, 178, 434, 114, 370, 242, 498, 10, - 266, 138, 394, 74, 330, 202, 458, 42, 298, 170, 426, 106, 362, 234, 490, 26, 282, 154, 410, 90, 346, 218, 474, 58, 314, 186, 442, 122, 378, 250, 506, 6, - 262, 134, 390, 70, 326, 198, 454, 38, 294, 166, 422, 102, 358, 230, 486, 22, 278, 150, 406, 86, 342, 214, 470, 54, 310, 182, 438, 118, 374, 246, 502, 14, - 270, 142, 398, 78, 334, 206, 462, 46, 302, 174, 430, 110, 366, 238, 494, 30, 286, 158, 414, 94, 350, 222, 478, 62, 318, 190, 446, 126, 382, 254, 510, 1, - 257, 129, 385, 65, 321, 193, 449, 33, 289, 161, 417, 97, 353, 225, 481, 17, 273, 145, 401, 81, 337, 209, 465, 49, 305, 177, 433, 113, 369, 241, 497, 9, - 265, 137, 393, 73, 329, 201, 457, 41, 297, 169, 425, 105, 361, 233, 489, 25, 281, 153, 409, 89, 345, 217, 473, 57, 313, 185, 441, 121, 377, 249, 505, 5, - 261, 133, 389, 69, 325, 
197, 453, 37, 293, 165, 421, 101, 357, 229, 485, 21, 277, 149, 405, 85, 341, 213, 469, 53, 309, 181, 437, 117, 373, 245, 501, 13, - 269, 141, 397, 77, 333, 205, 461, 45, 301, 173, 429, 109, 365, 237, 493, 29, 285, 157, 413, 93, 349, 221, 477, 61, 317, 189, 445, 125, 381, 253, 509, 3, - 259, 131, 387, 67, 323, 195, 451, 35, 291, 163, 419, 99, 355, 227, 483, 19, 275, 147, 403, 83, 339, 211, 467, 51, 307, 179, 435, 115, 371, 243, 499, 11, - 267, 139, 395, 75, 331, 203, 459, 43, 299, 171, 427, 107, 363, 235, 491, 27, 283, 155, 411, 91, 347, 219, 475, 59, 315, 187, 443, 123, 379, 251, 507, 7, - 263, 135, 391, 71, 327, 199, 455, 39, 295, 167, 423, 103, 359, 231, 487, 23, 279, 151, 407, 87, 343, 215, 471, 55, 311, 183, 439, 119, 375, 247, 503, 15, - 271, 143, 399, 79, 335, 207, 463, 47, 303, 175, 431, 111, 367, 239, 495, 31, 287, 159, 415, 95, 351, 223, 479, 63, 319, 191, 447, 127, 383, 255, 511 -}; - -/************************************************* -* Name: bitrev_vector -* -* Description: Permutes coefficients of a polynomial into bitreversed order -* -* Arguments: - uint16_t* poly: pointer to in/output polynomial -**************************************************/ -void PQCLEAN_NEWHOPE512CCA_CLEAN_bitrev_vector(uint16_t *poly) { - unsigned int i, r; - uint16_t tmp; - - for (i = 0; i < NEWHOPE_N; i++) { - r = bitrev_table[i]; - if (i < r) { - tmp = poly[i]; - poly[i] = poly[r]; - poly[r] = tmp; - } - } -} - -/************************************************* -* Name: mul_coefficients -* -* Description: Performs pointwise (coefficient-wise) multiplication -* of two polynomials -* Arguments: - uint16_t* poly: pointer to in/output polynomial -* - const uint16_t* factors: pointer to input polynomial, coefficients -* are assumed to be in Montgomery representation -**************************************************/ -void PQCLEAN_NEWHOPE512CCA_CLEAN_mul_coefficients(uint16_t *poly, const uint16_t *factors) { - unsigned int i; - - for (i = 0; i < NEWHOPE_N; i++) { - 
poly[i] = PQCLEAN_NEWHOPE512CCA_CLEAN_montgomery_reduce((poly[i] * factors[i])); - } -} - - -/************************************************* -* Name: ntt -* -* Description: Computes number-theoretic transform (NTT) of -* a polynomial in place; inputs assumed to be in -* bitreversed order, output in normal order -* -* Arguments: - uint16_t * a: pointer to in/output polynomial -* - const uint16_t* omega: pointer to input powers of root of unity omega; -* assumed to be in Montgomery domain -**************************************************/ -void PQCLEAN_NEWHOPE512CCA_CLEAN_ntt(uint16_t *a, const uint16_t *omega) { - int i, start, j, jTwiddle, distance; - uint16_t temp, W; - - - for (i = 0; i < 9; i += 2) { - // Even level - distance = (1 << i); - for (start = 0; start < distance; start++) { - jTwiddle = 0; - for (j = start; j < NEWHOPE_N - 1; j += 2 * distance) { - W = omega[jTwiddle++]; - temp = a[j]; - a[j] = (temp + a[j + distance]); // Omit reduction (be lazy) - a[j + distance] = PQCLEAN_NEWHOPE512CCA_CLEAN_montgomery_reduce((W * ((uint32_t)temp + 3 * NEWHOPE_Q - a[j + distance]))); - } - } - if (i + 1 < 9) { - // Odd level - distance <<= 1; - for (start = 0; start < distance; start++) { - jTwiddle = 0; - for (j = start; j < NEWHOPE_N - 1; j += 2 * distance) { - W = omega[jTwiddle++]; - temp = a[j]; - a[j] = (temp + a[j + distance]) % NEWHOPE_Q; - a[j + distance] = PQCLEAN_NEWHOPE512CCA_CLEAN_montgomery_reduce((W * ((uint32_t)temp + 3 * NEWHOPE_Q - a[j + distance]))); - } - } - } - } -} diff --git a/crypto_kem/newhope512cca/clean/ntt.h b/crypto_kem/newhope512cca/clean/ntt.h deleted file mode 100644 index ecc7b993..00000000 --- a/crypto_kem/newhope512cca/clean/ntt.h +++ /dev/null 
@@ -1,14 +0,0 @@
-#ifndef NTT_H
-#define NTT_H
-
-#include "inttypes.h"
-
-extern const uint16_t PQCLEAN_NEWHOPE512CCA_CLEAN_omegas_inv_bitrev_montgomery[];
-extern const uint16_t PQCLEAN_NEWHOPE512CCA_CLEAN_gammas_bitrev_montgomery[];
-extern const uint16_t PQCLEAN_NEWHOPE512CCA_CLEAN_gammas_inv_montgomery[];
-
-void PQCLEAN_NEWHOPE512CCA_CLEAN_bitrev_vector(uint16_t *poly);
-void PQCLEAN_NEWHOPE512CCA_CLEAN_mul_coefficients(uint16_t *poly, const uint16_t *factors);
-void PQCLEAN_NEWHOPE512CCA_CLEAN_ntt(uint16_t *a, const uint16_t *omegas);
-
-#endif
diff --git a/crypto_kem/newhope512cca/clean/params.h b/crypto_kem/newhope512cca/clean/params.h
deleted file mode 100644
index 6526ba90..00000000
--- a/crypto_kem/newhope512cca/clean/params.h
+++ /dev/null
@@ -1,25 +0,0 @@
-#ifndef PQCLEAN_NEWHOPE512CCA_CLEAN_PARAMS_H
-#define PQCLEAN_NEWHOPE512CCA_CLEAN_PARAMS_H
-
-#define NEWHOPE_N 512
-#define NEWHOPE_Q 12289
-#define NEWHOPE_K 8 /* used in noise sampling */
-
-#define NEWHOPE_SYMBYTES 32 /* size of shared key, seeds/coins, and hashes */
-
-#define NEWHOPE_POLYBYTES ((14*NEWHOPE_N)/8)
-#define NEWHOPE_POLYCOMPRESSEDBYTES (( 3*NEWHOPE_N)/8)
-
-#define NEWHOPE_CPAPKE_PUBLICKEYBYTES (NEWHOPE_POLYBYTES + NEWHOPE_SYMBYTES)
-#define NEWHOPE_CPAPKE_SECRETKEYBYTES (NEWHOPE_POLYBYTES)
-#define NEWHOPE_CPAPKE_CIPHERTEXTBYTES (NEWHOPE_POLYBYTES + NEWHOPE_POLYCOMPRESSEDBYTES)
-
-#define NEWHOPE_CPAKEM_PUBLICKEYBYTES NEWHOPE_CPAPKE_PUBLICKEYBYTES
-#define NEWHOPE_CPAKEM_SECRETKEYBYTES NEWHOPE_CPAPKE_SECRETKEYBYTES
-#define NEWHOPE_CPAKEM_CIPHERTEXTBYTES NEWHOPE_CPAPKE_CIPHERTEXTBYTES
-
-#define NEWHOPE_CCAKEM_PUBLICKEYBYTES NEWHOPE_CPAPKE_PUBLICKEYBYTES
-#define NEWHOPE_CCAKEM_SECRETKEYBYTES (NEWHOPE_CPAPKE_SECRETKEYBYTES + NEWHOPE_CPAPKE_PUBLICKEYBYTES + 2*NEWHOPE_SYMBYTES)
-#define NEWHOPE_CCAKEM_CIPHERTEXTBYTES (NEWHOPE_CPAPKE_CIPHERTEXTBYTES + NEWHOPE_SYMBYTES) /* Second part is for Targhi-Unruh */
-
-#endif
diff --git a/crypto_kem/newhope512cca/clean/poly.c b/crypto_kem/newhope512cca/clean/poly.c
deleted file mode 100644
index 39ec8e59..00000000
--- a/crypto_kem/newhope512cca/clean/poly.c
+++ /dev/null
@@ -1,354 +0,0 @@ -#include "fips202.h" -#include "ntt.h" -#include "poly.h" -#include "reduce.h" - -/************************************************* -* Name: coeff_freeze -* -* Description: Fully reduces an integer modulo q in constant time -* -* Arguments: uint16_t x: input integer to be reduced -* -* Returns integer in {0,...,q-1} congruent to x modulo q -**************************************************/ -static uint16_t coeff_freeze(uint16_t x) { - uint16_t m, r; - int16_t c; - r = x % NEWHOPE_Q; - - m = r - NEWHOPE_Q; - c = m; - c >>= 15; - r = m ^ ((r ^ m)&c); - - return r; -} - -/************************************************* -* Name: flipabs -* -* Description: Computes |(x mod q) - Q/2| -* -* Arguments: uint16_t x: input coefficient -* -* Returns |(x mod q) - Q/2| -**************************************************/ -static uint16_t flipabs(uint16_t x) { - int16_t r, m; - r = coeff_freeze(x); - - r = r - NEWHOPE_Q / 2; - m = r >> 15; - return (r + m) ^ m; -} - -/************************************************* -* Name: poly_frombytes -* -* Description: De-serialization of a polynomial -* -* Arguments: - poly *r: pointer to output polynomial -* - const unsigned char *a: pointer to input byte array -**************************************************/ -void PQCLEAN_NEWHOPE512CCA_CLEAN_poly_frombytes(poly *r, const unsigned char *a) { - int i; - for (i = 0; i < NEWHOPE_N / 4; i++) { - r->coeffs[4 * i + 0] = a[7 * i + 0] | (((uint16_t)a[7 * i + 1] & 0x3f) << 8); - r->coeffs[4 * i + 1] = (a[7 * i + 1] >> 6) | (((uint16_t)a[7 * i + 2]) << 2) | (((uint16_t)a[7 * i + 3] & 0x0f) << 10); - r->coeffs[4 * i + 2] = (a[7 * i + 3] >> 4) | (((uint16_t)a[7 * i + 4]) << 4) | (((uint16_t)a[7 * i + 5] & 0x03) << 12); - r->coeffs[4 * i + 3] = (a[7 * i + 5] >> 2) | (((uint16_t)a[7 * i + 6]) << 6); - } -} - -/************************************************* -* Name: poly_tobytes -* -* Description: Serialization of a polynomial -* -* Arguments: - unsigned char *r: pointer 
to output byte array -* - const poly *p: pointer to input polynomial -**************************************************/ -void PQCLEAN_NEWHOPE512CCA_CLEAN_poly_tobytes(unsigned char *r, const poly *p) { - int i; - uint16_t t0, t1, t2, t3; - for (i = 0; i < NEWHOPE_N / 4; i++) { - t0 = coeff_freeze(p->coeffs[4 * i + 0]); - t1 = coeff_freeze(p->coeffs[4 * i + 1]); - t2 = coeff_freeze(p->coeffs[4 * i + 2]); - t3 = coeff_freeze(p->coeffs[4 * i + 3]); - - r[7 * i + 0] = t0 & 0xff; - r[7 * i + 1] = (unsigned char) ((t0 >> 8) | (t1 << 6)); - r[7 * i + 2] = (unsigned char) ((t1 >> 2)); - r[7 * i + 3] = (unsigned char) ((t1 >> 10) | (t2 << 4)); - r[7 * i + 4] = (unsigned char) ((t2 >> 4)); - r[7 * i + 5] = (unsigned char) ((t2 >> 12) | (t3 << 2)); - r[7 * i + 6] = (unsigned char) ((t3 >> 6)); - } -} - -/************************************************* -* Name: poly_compress -* -* Description: Compression and subsequent serialization of a polynomial -* -* Arguments: - unsigned char *r: pointer to output byte array -* - const poly *p: pointer to input polynomial -**************************************************/ -void PQCLEAN_NEWHOPE512CCA_CLEAN_poly_compress(unsigned char *r, const poly *p) { - unsigned int i, j, k = 0; - - uint32_t t[8]; - - for (i = 0; i < NEWHOPE_N; i += 8) { - for (j = 0; j < 8; j++) { - t[j] = coeff_freeze(p->coeffs[i + j]); - t[j] = (((t[j] << 3) + NEWHOPE_Q / 2) / NEWHOPE_Q) & 0x7; - } - - r[k] = (unsigned char) (t[0] | (t[1] << 3) | (t[2] << 6)); - r[k + 1] = (unsigned char) ((t[2] >> 2) | (t[3] << 1) | (t[4] << 4) | (t[5] << 7)); - r[k + 2] = (unsigned char) ((t[5] >> 1) | (t[6] << 2) | (t[7] << 5)); - k += 3; - } -} - -/************************************************* -* Name: poly_decompress -* -* Description: De-serialization and subsequent decompression of a polynomial; -* approximate inverse of poly_compress -* -* Arguments: - poly *r: pointer to output polynomial -* - const unsigned char *a: pointer to input byte array 
-**************************************************/ -void PQCLEAN_NEWHOPE512CCA_CLEAN_poly_decompress(poly *r, const unsigned char *a) { - unsigned int i, j; - for (i = 0; i < NEWHOPE_N; i += 8) { - r->coeffs[i + 0] = a[0] & 7; - r->coeffs[i + 1] = (a[0] >> 3) & 7; - r->coeffs[i + 2] = (a[0] >> 6) | ((a[1] << 2) & 4); - r->coeffs[i + 3] = (a[1] >> 1) & 7; - r->coeffs[i + 4] = (a[1] >> 4) & 7; - r->coeffs[i + 5] = (a[1] >> 7) | ((a[2] << 1) & 6); - r->coeffs[i + 6] = (a[2] >> 2) & 7; - r->coeffs[i + 7] = (a[2] >> 5); - a += 3; - for (j = 0; j < 8; j++) { - r->coeffs[i + j] = ((uint32_t)r->coeffs[i + j] * NEWHOPE_Q + 4) >> 3; - } - } -} - -/************************************************* -* Name: poly_frommsg -* -* Description: Convert 32-byte message to polynomial -* -* Arguments: - poly *r: pointer to output polynomial -* - const unsigned char *msg: pointer to input message -**************************************************/ -void PQCLEAN_NEWHOPE512CCA_CLEAN_poly_frommsg(poly *r, const unsigned char *msg) { - unsigned int i, j, mask; - for (i = 0; i < NEWHOPE_SYMBYTES; i++) { - for (j = 0; j < 8; j++) { - mask = -((msg[i] >> j) & 1); - r->coeffs[8 * i + j + 0] = mask & (NEWHOPE_Q / 2); - r->coeffs[8 * i + j + 256] = mask & (NEWHOPE_Q / 2); - } - } -} - -/************************************************* -* Name: poly_tomsg -* -* Description: Convert polynomial to 32-byte message -* -* Arguments: - unsigned char *msg: pointer to output message -* - const poly *x: pointer to input polynomial -**************************************************/ -void PQCLEAN_NEWHOPE512CCA_CLEAN_poly_tomsg(unsigned char *msg, const poly *x) { - unsigned int i; - uint16_t t; - - for (i = 0; i < 32; i++) { - msg[i] = 0; - } - - for (i = 0; i < 256; i++) { - t = flipabs(x->coeffs[i + 0]); - t += flipabs(x->coeffs[i + 256]); - t = ((t - NEWHOPE_Q / 2)); - - t >>= 15; - msg[i >> 3] |= t << (i & 7); - } -} - -/************************************************* -* Name: poly_uniform -* -* 
Description: Sample a polynomial deterministically from a seed, -* with output polynomial looking uniformly random -* -* Arguments: - poly *a: pointer to output polynomial -* - const unsigned char *seed: pointer to input seed -**************************************************/ -void PQCLEAN_NEWHOPE512CCA_CLEAN_poly_uniform(poly *a, const unsigned char *seed) { - unsigned int ctr = 0; - uint16_t val; - shake128ctx state; - uint8_t buf[SHAKE128_RATE]; - uint8_t extseed[NEWHOPE_SYMBYTES + 1]; - int i, j; - - for (i = 0; i < NEWHOPE_SYMBYTES; i++) { - extseed[i] = seed[i]; - } - - for (i = 0; i < NEWHOPE_N / 64; i++) { /* generate a in blocks of 64 coefficients */ - ctr = 0; - extseed[NEWHOPE_SYMBYTES] = (unsigned char) i; /* domain-separate the 16 independent calls */ - shake128_absorb(&state, extseed, NEWHOPE_SYMBYTES + 1); - while (ctr < 64) { /* Very unlikely to run more than once */ - shake128_squeezeblocks(buf, 1, &state); - for (j = 0; j < SHAKE128_RATE && ctr < 64; j += 2) { - val = (buf[j] | ((uint16_t) buf[j + 1] << 8)); - if (val < 5 * NEWHOPE_Q) { - a->coeffs[i * 64 + ctr] = val; - ctr++; - } - } - } - shake128_ctx_release(&state); - } -} - -/************************************************* -* Name: hw -* -* Description: Compute the Hamming weight of a byte -* -* Arguments: - unsigned char a: input byte -**************************************************/ -static unsigned char hw(unsigned char a) { - unsigned char i, r = 0; - for (i = 0; i < 8; i++) { - r += (a >> i) & 1; - } - return r; -} - -/************************************************* -* Name: poly_sample -* -* Description: Sample a polynomial deterministically from a seed and a nonce, -* with output polynomial close to centered binomial distribution -* with parameter k=8 -* -* Arguments: - poly *r: pointer to output polynomial -* - const unsigned char *seed: pointer to input seed -* - unsigned char nonce: one-byte input nonce -**************************************************/ -void 
PQCLEAN_NEWHOPE512CCA_CLEAN_poly_sample(poly *r, const unsigned char *seed, unsigned char nonce) { - unsigned char buf[128], a, b; - int i, j; - - unsigned char extseed[NEWHOPE_SYMBYTES + 2]; - - for (i = 0; i < NEWHOPE_SYMBYTES; i++) { - extseed[i] = seed[i]; - } - extseed[NEWHOPE_SYMBYTES] = nonce; - - for (i = 0; i < NEWHOPE_N / 64; i++) { /* Generate noise in blocks of 64 coefficients */ - extseed[NEWHOPE_SYMBYTES + 1] = (unsigned char) i; - shake256(buf, 128, extseed, NEWHOPE_SYMBYTES + 2); - for (j = 0; j < 64; j++) { - a = buf[2 * j]; - b = buf[2 * j + 1]; - r->coeffs[64 * i + j] = hw(a) + NEWHOPE_Q - hw(b); - } - } -} - -/************************************************* -* Name: poly_pointwise -* -* Description: Multiply two polynomials pointwise (i.e., coefficient-wise). -* -* Arguments: - poly *r: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void PQCLEAN_NEWHOPE512CCA_CLEAN_poly_mul_pointwise(poly *r, const poly *a, const poly *b) { - int i; - uint16_t t; - for (i = 0; i < NEWHOPE_N; i++) { - t = PQCLEAN_NEWHOPE512CCA_CLEAN_montgomery_reduce(3186 * b->coeffs[i]); /* t is now in Montgomery domain */ - r->coeffs[i] = PQCLEAN_NEWHOPE512CCA_CLEAN_montgomery_reduce(a->coeffs[i] * t); /* r->coeffs[i] is back in normal domain */ - } -} - -/************************************************* -* Name: poly_add -* -* Description: Add two polynomials -* -* Arguments: - poly *r: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void PQCLEAN_NEWHOPE512CCA_CLEAN_poly_add(poly *r, const poly *a, const poly *b) { - int i; - for (i = 0; i < NEWHOPE_N; i++) { - r->coeffs[i] = (a->coeffs[i] + b->coeffs[i]) % NEWHOPE_Q; - } -} - -/************************************************* -* Name: 
poly_sub -* -* Description: Subtract two polynomials -* -* Arguments: - poly *r: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void PQCLEAN_NEWHOPE512CCA_CLEAN_poly_sub(poly *r, const poly *a, const poly *b) { - int i; - for (i = 0; i < NEWHOPE_N; i++) { - r->coeffs[i] = (a->coeffs[i] + 3 * NEWHOPE_Q - b->coeffs[i]) % NEWHOPE_Q; - } -} - -/************************************************* -* Name: poly_ntt -* -* Description: Forward NTT transform of a polynomial in place -* Input is assumed to have coefficients in bitreversed order -* Output has coefficients in normal order -* -* Arguments: - poly *r: pointer to in/output polynomial -**************************************************/ -void PQCLEAN_NEWHOPE512CCA_CLEAN_poly_ntt(poly *r) { - PQCLEAN_NEWHOPE512CCA_CLEAN_mul_coefficients(r->coeffs, PQCLEAN_NEWHOPE512CCA_CLEAN_gammas_bitrev_montgomery); - PQCLEAN_NEWHOPE512CCA_CLEAN_ntt((uint16_t *)r->coeffs, PQCLEAN_NEWHOPE512CCA_CLEAN_gammas_bitrev_montgomery); -} - -/************************************************* -* Name: poly_invntt -* -* Description: Inverse NTT transform of a polynomial in place -* Input is assumed to have coefficients in normal order -* Output has coefficients in normal order -* -* Arguments: - poly *r: pointer to in/output polynomial -**************************************************/ -void PQCLEAN_NEWHOPE512CCA_CLEAN_poly_invntt(poly *r) { - PQCLEAN_NEWHOPE512CCA_CLEAN_bitrev_vector(r->coeffs); - PQCLEAN_NEWHOPE512CCA_CLEAN_ntt((uint16_t *)r->coeffs, PQCLEAN_NEWHOPE512CCA_CLEAN_omegas_inv_bitrev_montgomery); - PQCLEAN_NEWHOPE512CCA_CLEAN_mul_coefficients(r->coeffs, PQCLEAN_NEWHOPE512CCA_CLEAN_gammas_inv_montgomery); -} - diff --git a/crypto_kem/newhope512cca/clean/poly.h b/crypto_kem/newhope512cca/clean/poly.h deleted file mode 100644 index cdf9e98f..00000000 
--- a/crypto_kem/newhope512cca/clean/poly.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#ifndef POLY_H
-#define POLY_H
-
-#include "params.h"
-#include
-
-/*
- * Elements of R_q = Z_q[X]/(X^n + 1). Represents polynomial
- * coeffs[0] + X*coeffs[1] + X^2*xoeffs[2] + ... + X^{n-1}*coeffs[n-1]
- */
-typedef struct {
- uint16_t coeffs[NEWHOPE_N];
-} poly;
-
-void PQCLEAN_NEWHOPE512CCA_CLEAN_poly_uniform(poly *a, const unsigned char *seed);
-void PQCLEAN_NEWHOPE512CCA_CLEAN_poly_sample(poly *r, const unsigned char *seed, unsigned char nonce);
-void PQCLEAN_NEWHOPE512CCA_CLEAN_poly_add(poly *r, const poly *a, const poly *b);
-
-void PQCLEAN_NEWHOPE512CCA_CLEAN_poly_ntt(poly *r);
-void PQCLEAN_NEWHOPE512CCA_CLEAN_poly_invntt(poly *r);
-void PQCLEAN_NEWHOPE512CCA_CLEAN_poly_mul_pointwise(poly *r, const poly *a, const poly *b);
-
-void PQCLEAN_NEWHOPE512CCA_CLEAN_poly_frombytes(poly *r, const unsigned char *a);
-void PQCLEAN_NEWHOPE512CCA_CLEAN_poly_tobytes(unsigned char *r, const poly *p);
-void PQCLEAN_NEWHOPE512CCA_CLEAN_poly_compress(unsigned char *r, const poly *p);
-void PQCLEAN_NEWHOPE512CCA_CLEAN_poly_decompress(poly *r, const unsigned char *a);
-
-void PQCLEAN_NEWHOPE512CCA_CLEAN_poly_frommsg(poly *r, const unsigned char *msg);
-void PQCLEAN_NEWHOPE512CCA_CLEAN_poly_tomsg(unsigned char *msg, const poly *x);
-void PQCLEAN_NEWHOPE512CCA_CLEAN_poly_sub(poly *r, const poly *a, const poly *b);
-
-#endif
diff --git a/crypto_kem/newhope512cca/clean/precomp.c b/crypto_kem/newhope512cca/clean/precomp.c
deleted file mode 100644
index 20d5a9e1..00000000
--- a/crypto_kem/newhope512cca/clean/precomp.c
+++ /dev/null
@@ -1,179 +0,0 @@ -#include "inttypes.h" -#include "ntt.h" -#include "params.h" - -/* Precomputed NTT contants generated by Pari/GP script as follows: - * - * For n = 512: - * - * brv = [0,256,128,384,64,320,192,448,32,288,160,416,96,352,224,480,16,272,144,400,80,336,208,464,48,304,176,432,112,368,240,496,8, - * 264,136,392,72,328,200,456,40,296,168,424,104,360,232,488,24,280,152,408,88,344,216,472,56,312,184,440,120,376,248,504,4, - * 260,132,388,68,324,196,452,36,292,164,420,100,356,228,484,20,276,148,404,84,340,212,468,52,308,180,436,116,372,244,500,12, - * 268,140,396,76,332,204,460,44,300,172,428,108,364,236,492,28,284,156,412,92,348,220,476,60,316,188,444,124,380,252,508,2, - * 258,130,386,66,322,194,450,34,290,162,418,98,354,226,482,18,274,146,402,82,338,210,466,50,306,178,434,114,370,242,498,10, - * 266,138,394,74,330,202,458,42,298,170,426,106,362,234,490,26,282,154,410,90,346,218,474,58,314,186,442,122,378,250,506,6, - * 262,134,390,70,326,198,454,38,294,166,422,102,358,230,486,22,278,150,406,86,342,214,470,54,310,182,438,118,374,246,502,14, - * 270,142,398,78,334,206,462,46,302,174,430,110,366,238,494,30,286,158,414,94,350,222,478,62,318,190,446,126,382,254,510,1, - * 257,129,385,65,321,193,449,33,289,161,417,97,353,225,481,17,273,145,401,81,337,209,465,49,305,177,433,113,369,241,497,9, - * 265,137,393,73,329,201,457,41,297,169,425,105,361,233,489,25,281,153,409,89,345,217,473,57,313,185,441,121,377,249,505,5, - * 261,133,389,69,325,197,453,37,293,165,421,101,357,229,485,21,277,149,405,85,341,213,469,53,309,181,437,117,373,245,501,13, - * 269,141,397,77,333,205,461,45,301,173,429,109,365,237,493,29,285,157,413,93,349,221,477,61,317,189,445,125,381,253,509,3, - * 259,131,387,67,323,195,451,35,291,163,419,99,355,227,483,19,275,147,403,83,339,211,467,51,307,179,435,115,371,243,499,11, - * 267,139,395,75,331,203,459,43,299,171,427,107,363,235,491,27,283,155,411,91,347,219,475,59,315,187,443,123,379,251,507,7, - * 
263,135,391,71,327,199,455,39,295,167,423,103,359,231,487,23,279,151,407,87,343,215,471,55,311,183,439,119,375,247,503,15, - * 271,143,399,79,335,207,463,47,303,175,431,111,367,239,495,31,287,159,415,95,351,223,479,63,319,191,447,127,383,255,511] - * n = 512; q = 12289; mont=2^18 - * g = Mod(10968, q); - * omegas_inv_bitrev_montgomery = lift(vector(n/2, i, (g^2)^(-brv[2*(i-1)+1])*mont)) - * gammas_bitrev_montgomery = lift(vector(n, i, g^(brv[i])*mont)) - * gammas_inv_montgomery = lift(vector(n, i, g^(-(i-1))/n*mont)) - * - * - * For n = 1024: - * - * brv = [0,512,256,768,128,640,384,896,64,576,320,832,192,704,448,960,32,544,288,800,160,672,416,928,96,608,352,864,224,736,480,992, \ - * 16,528,272,784,144,656,400,912,80,592,336,848,208,720,464,976,48,560,304,816,176,688,432,944,112,624,368,880,240,752,496,1008, \ - * 8,520,264,776,136,648,392,904,72,584,328,840,200,712,456,968,40,552,296,808,168,680,424,936,104,616,360,872,232,744,488,1000, \ - * 24,536,280,792,152,664,408,920,88,600,344,856,216,728,472,984,56,568,312,824,184,696,440,952,120,632,376,888,248,760,504,1016, \ - * 4,516,260,772,132,644,388,900,68,580,324,836,196,708,452,964,36,548,292,804,164,676,420,932,100,612,356,868,228,740,484,996, \ - * 20,532,276,788,148,660,404,916,84,596,340,852,212,724,468,980,52,564,308,820,180,692,436,948,116,628,372,884,244,756,500,1012, \ - * 12,524,268,780,140,652,396,908,76,588,332,844,204,716,460,972,44,556,300,812,172,684,428,940,108,620,364,876,236,748,492,1004, \ - * 28,540,284,796,156,668,412,924,92,604,348,860,220,732,476,988,60,572,316,828,188,700,444,956,124,636,380,892,252,764,508,1020, \ - * 2,514,258,770,130,642,386,898,66,578,322,834,194,706,450,962,34,546,290,802,162,674,418,930,98,610,354,866,226,738,482,994, \ - * 18,530,274,786,146,658,402,914,82,594,338,850,210,722,466,978,50,562,306,818,178,690,434,946,114,626,370,882,242,754,498,1010, \ - * 
10,522,266,778,138,650,394,906,74,586,330,842,202,714,458,970,42,554,298,810,170,682,426,938,106,618,362,874,234,746,490,1002, \ - * 26,538,282,794,154,666,410,922,90,602,346,858,218,730,474,986,58,570,314,826,186,698,442,954,122,634,378,890,250,762,506,1018, \ - * 6,518,262,774,134,646,390,902,70,582,326,838,198,710,454,966,38,550,294,806,166,678,422,934,102,614,358,870,230,742,486,998, \ - * 22,534,278,790,150,662,406,918,86,598,342,854,214,726,470,982,54,566,310,822,182,694,438,950,118,630,374,886,246,758,502,1014, \ - * 14,526,270,782,142,654,398,910,78,590,334,846,206,718,462,974,46,558,302,814,174,686,430,942,110,622,366,878,238,750,494,1006, \ - * 30,542,286,798,158,670,414,926,94,606,350,862,222,734,478,990,62,574,318,830,190,702,446,958,126,638,382,894,254,766,510,1022, \ - * 1,513,257,769,129,641,385,897,65,577,321,833,193,705,449,961,33,545,289,801,161,673,417,929,97,609,353,865,225,737,481,993, \ - * 17,529,273,785,145,657,401,913,81,593,337,849,209,721,465,977,49,561,305,817,177,689,433,945,113,625,369,881,241,753,497,1009, \ - * 9,521,265,777,137,649,393,905,73,585,329,841,201,713,457,969,41,553,297,809,169,681,425,937,105,617,361,873,233,745,489,1001, \ - * 25,537,281,793,153,665,409,921,89,601,345,857,217,729,473,985,57,569,313,825,185,697,441,953,121,633,377,889,249,761,505,1017, \ - * 5,517,261,773,133,645,389,901,69,581,325,837,197,709,453,965,37,549,293,805,165,677,421,933,101,613,357,869,229,741,485,997, \ - * 21,533,277,789,149,661,405,917,85,597,341,853,213,725,469,981,53,565,309,821,181,693,437,949,117,629,373,885,245,757,501,1013, \ - * 13,525,269,781,141,653,397,909,77,589,333,845,205,717,461,973,45,557,301,813,173,685,429,941,109,621,365,877,237,749,493,1005, \ - * 29,541,285,797,157,669,413,925,93,605,349,861,221,733,477,989,61,573,317,829,189,701,445,957,125,637,381,893,253,765,509,1021, \ - * 3,515,259,771,131,643,387,899,67,579,323,835,195,707,451,963,35,547,291,803,163,675,419,931,99,611,355,867,227,739,483,995, \ - * 
19,531,275,787,147,659,403,915,83,595,339,851,211,723,467,979,51,563,307,819,179,691,435,947,115,627,371,883,243,755,499,1011, \ - * 11,523,267,779,139,651,395,907,75,587,331,843,203,715,459,971,43,555,299,811,171,683,427,939,107,619,363,875,235,747,491,1003, \ - * 27,539,283,795,155,667,411,923,91,603,347,859,219,731,475,987,59,571,315,827,187,699,443,955,123,635,379,891,251,763,507,1019, \ - * 7,519,263,775,135,647,391,903,71,583,327,839,199,711,455,967,39,551,295,807,167,679,423,935,103,615,359,871,231,743,487,999, \ - * 23,535,279,791,151,663,407,919,87,599,343,855,215,727,471,983,55,567,311,823,183,695,439,951,119,631,375,887,247,759,503,1015, \ - * 15,527,271,783,143,655,399,911,79,591,335,847,207,719,463,975,47,559,303,815,175,687,431,943,111,623,367,879,239,751,495,1007, \ - * 31,543,287,799,159,671,415,927,95,607,351,863,223,735,479,991,63,575,319,831,191,703,447,959,127,639,383,895,255,767,511,1023] - * - * n = 1024; q = 12289; mont=2^18 - * g = Mod(7, q); - * omegas_inv_bitrev_montgomery = lift(vector(n/2, i, (g^2)^(-brv[2*(i-1)+1])*mont)) - * gammas_bitrev_montgomery = lift(vector(n, i, g^(brv[i])*mont)) - * gammas_inv_montgomery = lift(vector(n, i, g^(-(i-1))/n*mont)) -*/ - -/************************************************************ -* Name: omegas_inv_bitrev_montgomery -* -* Description: Contains inverses of powers of nth root of unity -* in Montgomery domain with R=2^18 in bit-reversed order -************************************************************/ -const uint16_t PQCLEAN_NEWHOPE512CCA_CLEAN_omegas_inv_bitrev_montgomery[NEWHOPE_N / 2] = { - 4075, 6974, 4916, 4324, 7210, 3262, 2169, 11767, 3514, 1041, 5925, 11271, 6715, 10316, 11011, 9945, - 1190, 9606, 3818, 6118, 1050, 7753, 8429, 6844, 4449, 6833, 147, 3789, 7540, 6752, 4467, 4789, - 10367, 3879, 2033, 3998, 11316, 1254, 6854, 1359, 3988, 468, 11907, 11973, 8579, 6196, 5446, 6950, - 1987, 10587, 654, 3565, 3199, 12233, 7083, 6760, 6427, 6153, 3643, 6874, 4948, 6152, 11889, 1728, - 7280, 
10333, 6008, 11404, 3532, 11286, 241, 12231, 11314, 4212, 8851, 9445, 3477, 6608, 12147, 1105, - 5594, 9260, 5886, 7507, 4213, 11785, 2302, 11684, 8687, 6221, 8209, 421, 7665, 6212, 8689, 3263, - 10710, 431, 9784, 5906, 9450, 8332, 2127, 151, 3174, 52, 1323, 9523, 6415, 11612, 3336, 6234, - 7048, 9369, 4169, 3127, 11279, 6821, 787, 3482, 3445, 4780, 7232, 7591, 7377, 2049, 1321, 192, - 9551, 6421, 5735, 9634, 10596, 9280, 723, 12115, 9364, 347, 1975, 3757, 10431, 7535, 11863, 3315, - 4493, 3202, 5369, 10232, 350, 10777, 6906, 10474, 1483, 6374, 49, 1263, 10706, 6347, 1489, 9789, - 7552, 1293, 4774, 5429, 3772, 418, 6381, 453, 9522, 156, 3969, 3991, 6956, 10258, 10008, 6413, - 8855, 3529, 218, 9381, 9259, 8174, 2361, 10446, 10335, 2051, 9407, 10484, 9842, 6147, 3963, 576, - 6523, 11637, 6099, 11994, 9370, 3762, 8273, 4077, 11964, 1404, 11143, 11341, 1159, 6299, 4049, 8561, - 5961, 7183, 1962, 10695, 9597, 12121, 8960, 7991, 6992, 6170, 10929, 8333, 2555, 6167, 11089, 5184, - 3570, 4240, 11454, 6065, 3150, 10970, 709, 8243, 1058, 8210, 441, 11367, 10331, 7967, 1112, 2078, - 10542, 3123, 5486, 9235, 7856, 6370, 8455, 5257, 9341, 9786, 6507, 10723, 2459, 683, 8633, 64, -}; - -/************************************************************ -* Name: gammas_bitrev_montgomery -* -* Description: Contains powers of nth root of -1 in Montgomery -* domain with R=2^18 in bit-reversed order -************************************************************/ -const uint16_t PQCLEAN_NEWHOPE512CCA_CLEAN_gammas_bitrev_montgomery[NEWHOPE_N] = { - 4075, 5315, 7965, 7373, 522, 10120, 9027, 5079, 2344, 1278, 1973, 5574, 1018, 6364, 11248, 8775, - 7500, 7822, 5537, 4749, 8500, 12142, 5456, 7840, 5445, 3860, 4536, 11239, 6171, 8471, 2683, 11099, - 10561, 400, 6137, 7341, 5415, 8646, 6136, 5862, 5529, 5206, 56, 9090, 8724, 11635, 1702, 10302, - 5339, 6843, 6093, 3710, 316, 382, 11821, 8301, 10930, 5435, 11035, 973, 8291, 10256, 8410, 1922, - 12097, 10968, 10240, 4912, 4698, 5057, 7509, 8844, 
8807, 11502, 5468, 1010, 9162, 8120, 2920, 5241, - 6055, 8953, 677, 5874, 2766, 10966, 12237, 9115, 12138, 10162, 3957, 2839, 6383, 2505, 11858, 1579, - 9026, 3600, 6077, 4624, 11868, 4080, 6068, 3602, 605, 9987, 504, 8076, 4782, 6403, 3029, 6695, - 11184, 142, 5681, 8812, 2844, 3438, 8077, 975, 58, 12048, 1003, 8757, 885, 6281, 1956, 5009, - 12225, 3656, 11606, 9830, 1566, 5782, 2503, 2948, 7032, 3834, 5919, 4433, 3054, 6803, 9166, 1747, - 10211, 11177, 4322, 1958, 922, 11848, 4079, 11231, 4046, 11580, 1319, 9139, 6224, 835, 8049, 8719, - 7105, 1200, 6122, 9734, 3956, 1360, 6119, 5297, 4298, 3329, 168, 2692, 1594, 10327, 5106, 6328, - 3728, 8240, 5990, 11130, 948, 1146, 10885, 325, 8212, 4016, 8527, 2919, 295, 6190, 652, 5766, - 11713, 8326, 6142, 2447, 1805, 2882, 10238, 1954, 1843, 9928, 4115, 3030, 2908, 12071, 8760, 3434, - 5876, 2281, 2031, 5333, 8298, 8320, 12133, 2767, 11836, 5908, 11871, 8517, 6860, 7515, 10996, 4737, - 2500, 10800, 5942, 1583, 11026, 12240, 5915, 10806, 1815, 5383, 1512, 11939, 2057, 6920, 9087, 7796, - 8974, 426, 4754, 1858, 8532, 10314, 11942, 2925, 174, 11566, 3009, 1693, 2655, 6554, 5868, 2738, - 11796, 8193, 9908, 5444, 10911, 1912, 7952, 435, 404, 7644, 11224, 10146, 7012, 11121, 11082, 9041, - 9723, 2187, 9867, 6250, 3646, 9852, 6267, 2987, 8509, 875, 4976, 10682, 8005, 5088, 7278, 11287, - 9223, 27, 3763, 10849, 11272, 7404, 5084, 10657, 8146, 4714, 12047, 10752, 2678, 3704, 545, 7270, - 1067, 5101, 442, 2401, 390, 11516, 3778, 8456, 1045, 9430, 9808, 5012, 9377, 6591, 11935, 4861, - 7852, 3, 3149, 12129, 12176, 4919, 10123, 3915, 3636, 7351, 2704, 5291, 1663, 1777, 1426, 7635, - 1484, 7394, 2780, 7094, 8236, 2645, 7247, 2305, 2847, 7875, 7917, 10115, 10600, 8925, 4057, 3271, - 9273, 243, 9289, 11618, 3136, 5191, 8889, 9890, 11869, 5559, 10111, 10745, 11813, 8758, 4905, 3985, - 9603, 9042, 3978, 9320, 3510, 5332, 9424, 2370, 9405, 11136, 2249, 8241, 10659, 10163, 9103, 6882, - 10810, 1, 5146, 4043, 8155, 5736, 11567, 1305, 1212, 
10643, 9094, 5860, 8747, 8785, 8668, 2545, - 4591, 6561, 5023, 6461, 10938, 4978, 6512, 8961, 949, 2625, 2639, 7468, 11726, 2975, 9545, 9283, - 3091, 81, 11289, 7969, 9238, 9923, 2963, 7393, 12149, 1853, 11563, 7678, 8034, 11112, 1635, 9521, - 3201, 3014, 1326, 7203, 1170, 9970, 11334, 790, 3135, 3712, 4846, 2747, 3553, 7484, 11227, 2294, - 11267, 9, 9447, 11809, 11950, 2468, 5791, 11745, 10908, 9764, 8112, 3584, 4989, 5331, 4278, 10616, - 4452, 9893, 8340, 8993, 130, 7935, 9452, 6915, 8541, 11336, 11462, 5767, 7222, 2197, 12171, 9813, - 3241, 729, 3289, 10276, 9408, 3284, 2089, 5092, 11029, 4388, 5755, 7657, 10861, 1696, 2426, 11955, - 4231, 2548, 11934, 3382, 10530, 3707, 3694, 7110, 3637, 8830, 6747, 145, 7399, 5911, 2731, 8357, -}; - -/************************************************************ -* Name: gammas_inv_montgomery -* -* Description: Contains inverses of powers of nth root of -1 -* divided by n in Montgomery domain with R=2^18 -************************************************************/ -const uint16_t PQCLEAN_NEWHOPE512CCA_CLEAN_gammas_inv_montgomery[NEWHOPE_N] = { - 512, 3944, 4267, 5411, 9615, 5900, 3205, 6063, 9261, 2021, 3087, 4770, 1029, 1590, 343, 530, - 8307, 4273, 2769, 9617, 923, 7302, 4404, 2434, 1468, 9004, 8682, 11194, 2894, 11924, 5061, 8071, - 1687, 10883, 8755, 7724, 11111, 6671, 7800, 6320, 2600, 6203, 4963, 6164, 9847, 6151, 11475, 10243, - 3825, 11607, 1275, 3869, 425, 5386, 4238, 9988, 5509, 11522, 10029, 7937, 3343, 6742, 9307, 10440, - 11295, 3480, 3765, 1160, 1255, 4483, 8611, 9687, 11063, 3229, 7784, 9269, 6691, 7186, 10423, 10588, - 11667, 11722, 3889, 12100, 9489, 12226, 3163, 12268, 9247, 12282, 11275, 4094, 11951, 5461, 8080, 10013, - 10886, 7434, 7725, 2478, 2575, 826, 9051, 8468, 3017, 6919, 5102, 10499, 5797, 7596, 10125, 2532, - 3375, 844, 1125, 8474, 375, 6921, 125, 2307, 4138, 769, 9572, 8449, 7287, 11009, 2429, 7766, - 4906, 6685, 9828, 10421, 3276, 7570, 1092, 10716, 364, 3572, 8314, 5287, 10964, 9955, 7751, 
11511, - 6680, 3837, 6323, 1279, 6204, 8619, 2068, 2873, 8882, 5054, 7057, 5781, 10545, 1927, 3515, 8835, - 5268, 2945, 1756, 5078, 8778, 5789, 2926, 6026, 9168, 6105, 3056, 2035, 5115, 8871, 1705, 2957, - 8761, 5082, 11113, 1694, 11897, 4661, 8062, 5650, 10880, 10076, 7723, 7455, 10767, 2485, 3589, 9021, - 9389, 3007, 7226, 9195, 6505, 3065, 10361, 5118, 7550, 1706, 6613, 4665, 10397, 1555, 7562, 8711, - 6617, 7000, 6302, 10526, 6197, 7605, 6162, 2535, 2054, 845, 4781, 4378, 5690, 9652, 5993, 11410, - 6094, 11996, 10224, 8095, 3408, 10891, 1136, 11823, 4475, 3941, 5588, 5410, 5959, 9996, 10179, 3332, - 3393, 5207, 1131, 5832, 377, 1944, 4222, 648, 9600, 216, 3200, 72, 5163, 24, 1721, 8, - 4670, 4099, 5653, 9559, 10077, 11379, 3359, 3793, 5216, 9457, 5835, 11345, 1945, 7878, 8841, 2626, - 2947, 9068, 9175, 7119, 11251, 2373, 11943, 791, 3981, 4360, 1327, 9646, 8635, 11408, 11071, 7899, - 11883, 2633, 3961, 4974, 9513, 1658, 3171, 4649, 1057, 5646, 8545, 1882, 11041, 8820, 11873, 2940, - 8054, 980, 6781, 4423, 10453, 9667, 11677, 11415, 12085, 3805, 12221, 9461, 8170, 7250, 10916, 6513, - 7735, 2171, 10771, 4820, 11783, 5703, 8024, 1901, 6771, 4730, 2257, 5673, 8945, 1891, 7078, 8823, - 10552, 2941, 11710, 9173, 12096, 7154, 4032, 6481, 1344, 10353, 448, 3451, 8342, 9343, 6877, 11307, - 10485, 3769, 3495, 9449, 1165, 7246, 8581, 10608, 11053, 3536, 11877, 5275, 3959, 9951, 5416, 3317, - 9998, 5202, 7429, 1734, 10669, 578, 11749, 4289, 12109, 5526, 12229, 1842, 12269, 614, 8186, 4301, - 6825, 5530, 2275, 10036, 8951, 11538, 7080, 3846, 2360, 1282, 4883, 8620, 5724, 11066, 1908, 7785, - 636, 2595, 212, 865, 4167, 8481, 1389, 2827, 463, 9135, 8347, 3045, 10975, 1015, 11851, 8531, - 12143, 6940, 8144, 10506, 6811, 3502, 10463, 9360, 7584, 3120, 2528, 1040, 4939, 4443, 9839, 1481, - 7376, 4590, 6555, 1530, 2185, 510, 8921, 170, 7070, 4153, 6453, 9577, 2151, 11385, 717, 3795, - 239, 1265, 4176, 4518, 1392, 1506, 464, 502, 4251, 8360, 1417, 6883, 8665, 10487, 11081, 7592, 
- 7790, 6627, 6693, 2209, 2231, 8929, 4840, 11169, 9806, 3723, 7365, 1241, 2455, 4510, 9011, 9696,
- 7100, 3232, 6463, 9270, 10347, 3090, 3449, 1030, 5246, 8536, 5845, 11038, 10141, 11872, 11573, 12150,
- 7954, 4050, 10844, 1350, 7711, 450, 10763, 150, 7684, 50, 10754, 4113, 7681, 1371, 10753, 457,
-};
diff --git a/crypto_kem/newhope512cca/clean/reduce.c b/crypto_kem/newhope512cca/clean/reduce.c
deleted file mode 100644
index c3d7f97e..00000000
--- a/crypto_kem/newhope512cca/clean/reduce.c
+++ /dev/null
@@ -1,26 +0,0 @@
-#include "reduce.h"
-#include "params.h"
-
-static const uint32_t qinv = 12287; // -inverse_mod(p,2^18)
-static const uint32_t rlog = 18;
-
-/*************************************************
-* Name: montgomery_reduce
-*
-* Description: Montgomery reduction; given a 32-bit integer a, computes
-* 16-bit integer congruent to a * R^-1 mod q,
-* where R=2^18 (see value of rlog)
-*
-* Arguments: - uint32_t a: input unsigned integer to be reduced; has to be in {0,...,1073491968}
-*
-* Returns: unsigned integer in {0,...,2^14-1} congruent to a * R^-1 modulo q.
-**************************************************/
-uint16_t PQCLEAN_NEWHOPE512CCA_CLEAN_montgomery_reduce(uint32_t a) {
- uint32_t u;
-
- u = (a * qinv);
- u &= ((1 << rlog) - 1);
- u *= NEWHOPE_Q;
- a = a + u;
- return a >> 18;
-}
diff --git a/crypto_kem/newhope512cca/clean/reduce.h b/crypto_kem/newhope512cca/clean/reduce.h
deleted file mode 100644
index 7e98ce2e..00000000
--- a/crypto_kem/newhope512cca/clean/reduce.h
+++ /dev/null
@@ -1,8 +0,0 @@
-#ifndef REDUCE_H
-#define REDUCE_H
-
-#include
-
-uint16_t PQCLEAN_NEWHOPE512CCA_CLEAN_montgomery_reduce(uint32_t a);
-
-#endif
diff --git a/crypto_kem/newhope512cca/clean/verify.c b/crypto_kem/newhope512cca/clean/verify.c
deleted file mode 100644
index 37e65f94..00000000
--- a/crypto_kem/newhope512cca/clean/verify.c
+++ /dev/null
@@ -1,49 +0,0 @@
-#include "verify.h"
-#include
-#include
-
-/*************************************************
-* Name: verify
-*
-* Description: Compare two arrays for equality in constant time.
-*
-* Arguments: const unsigned char *a: pointer to first byte array
-* const unsigned char *b: pointer to second byte array
-* size_t len: length of the byte arrays
-*
-* Returns 0 if the byte arrays are equal, 1 otherwise
-**************************************************/
-int PQCLEAN_NEWHOPE512CCA_CLEAN_verify(const unsigned char *a, const unsigned char *b, size_t len) {
- uint64_t r;
- size_t i;
- r = 0;
-
- for (i = 0; i < len; i++) {
- r |= a[i] ^ b[i];
- }
-
- r = (uint64_t)(-(int64_t)r) >> 63;
- return (int)r;
-}
-
-/*************************************************
-* Name: cmov
-*
-* Description: Copy len bytes from x to r if b is 1;
-* don't modify x if b is 0. Requires b to be in {0,1};
-* assumes two's complement representation of negative integers.
-* Runs in constant time.
-*
-* Arguments: unsigned char *r: pointer to output byte array
-* const unsigned char *x: pointer to input byte array
-* size_t len: Amount of bytes to be copied
-* unsigned char b: Condition bit; has to be in {0,1}
-**************************************************/
-void PQCLEAN_NEWHOPE512CCA_CLEAN_cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b) {
- size_t i;
-
- b = -b;
- for (i = 0; i < len; i++) {
- r[i] ^= b & (x[i] ^ r[i]);
- }
-}
diff --git a/crypto_kem/newhope512cca/clean/verify.h b/crypto_kem/newhope512cca/clean/verify.h
deleted file mode 100644
index 5db88072..00000000
--- a/crypto_kem/newhope512cca/clean/verify.h
+++ /dev/null
@@ -1,12 +0,0 @@
-#ifndef VERIFY_H
-#define VERIFY_H
-
-#include
-
-/* returns 0 for equal strings, 1 for non-equal strings */
-int PQCLEAN_NEWHOPE512CCA_CLEAN_verify(const unsigned char *a, const unsigned char *b, size_t len);
-
-/* b = 1 means mov, b = 0 means don't mov*/
-void PQCLEAN_NEWHOPE512CCA_CLEAN_cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b);
-
-#endif
diff --git a/crypto_kem/newhope512cpa/META.yml b/crypto_kem/newhope512cpa/META.yml
deleted file mode 100644
index 277b9ceb..00000000
--- a/crypto_kem/newhope512cpa/META.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-name: NewHope512-CPAKEM
-type: kem
-claimed-nist-level: 1
-claimed-security: IND-CPA
-length-public-key: 928
-length-secret-key: 896
-length-ciphertext: 1088
-length-shared-secret: 32
-nistkat-sha256: 7df3eae4740483a61d13610f6bc2221f27e32c7849cf371e9770f986ce6fdb54
-principal-submitters:
- - Thomas Pöppelmann
-auxiliary-submitters:
-- Erdem Alkim
-- Roberto Avanzi
-- Joppe Bos
-- Léo Ducas
-- Antonio de la Piedra
-- Peter Schwabe
-- Douglas Stebila
-implementations:
-- name: clean
- version: https://github.com/newhopecrypto/newhope/commit/3fc68c6090b23c56cc190a78af2f43ee8900e9d0
diff --git a/crypto_kem/newhope512cpa/clean/LICENSE b/crypto_kem/newhope512cpa/clean/LICENSE
deleted file mode 100644
index d5d21fff..00000000
--- a/crypto_kem/newhope512cpa/clean/LICENSE
+++ /dev/null
@@ -1 +0,0 @@
-Public Domain
diff --git a/crypto_kem/newhope512cpa/clean/Makefile b/crypto_kem/newhope512cpa/clean/Makefile
deleted file mode 100644
index 8659694c..00000000
--- a/crypto_kem/newhope512cpa/clean/Makefile
+++ /dev/null
@@ -1,19 +0,0 @@
-# This Makefile can be used with GNU Make or BSD Make
-
-LIB=libnewhope512cpa_clean.a
-HEADERS=api.h cpapke.h ntt.h params.h poly.h reduce.h verify.h
-OBJECTS=cpapke.o kem.o ntt.o poly.o precomp.o reduce.o verify.o
-
-CFLAGS=-O3 -Wall -Wextra -Wpedantic -Wvla -Werror -Wredundant-decls -Wmissing-prototypes -std=c99 -I../../../common $(EXTRAFLAGS)
-
-all: $(LIB)
-
-%.o: %.c $(HEADERS)
- $(CC) $(CFLAGS) -c -o $@ $<
-
-$(LIB): $(OBJECTS)
- $(AR) -r $@ $(OBJECTS)
-
-clean:
- $(RM) $(OBJECTS)
- $(RM) $(LIB)
diff --git a/crypto_kem/newhope512cpa/clean/Makefile.Microsoft_nmake b/crypto_kem/newhope512cpa/clean/Makefile.Microsoft_nmake
deleted file mode 100644
index 8556af0f..00000000
--- a/crypto_kem/newhope512cpa/clean/Makefile.Microsoft_nmake
+++ /dev/null
@@ -1,19 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=libnewhope512cpa_clean.lib
-OBJECTS=cpapke.obj kem.obj ntt.obj poly.obj precomp.obj reduce.obj verify.obj
-
-CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_kem/newhope512cpa/clean/api.h b/crypto_kem/newhope512cpa/clean/api.h
deleted file mode 100644
index 791d72af..00000000
--- a/crypto_kem/newhope512cpa/clean/api.h
+++ /dev/null
@@ -1,15 +0,0 @@
-#ifndef PQCLEAN_NEWHOPE512CPA_CLEAN_API_H
-#define PQCLEAN_NEWHOPE512CPA_CLEAN_API_H
-
-
-#define PQCLEAN_NEWHOPE512CPA_CLEAN_CRYPTO_SECRETKEYBYTES 896
-#define PQCLEAN_NEWHOPE512CPA_CLEAN_CRYPTO_PUBLICKEYBYTES 928
-#define PQCLEAN_NEWHOPE512CPA_CLEAN_CRYPTO_CIPHERTEXTBYTES 1088
-#define PQCLEAN_NEWHOPE512CPA_CLEAN_CRYPTO_BYTES 32
-#define PQCLEAN_NEWHOPE512CPA_CLEAN_CRYPTO_ALGNAME "NewHope512-CPAKEM"
-
-int PQCLEAN_NEWHOPE512CPA_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk);
-int PQCLEAN_NEWHOPE512CPA_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk);
-int PQCLEAN_NEWHOPE512CPA_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk);
-
-#endif
diff --git a/crypto_kem/newhope512cpa/clean/cpapke.c b/crypto_kem/newhope512cpa/clean/cpapke.c
deleted file mode 100644
index c53b657a..00000000
--- a/crypto_kem/newhope512cpa/clean/cpapke.c
+++ /dev/null
@@ -1,193 +0,0 @@
-#include "api.h"
-#include "cpapke.h"
-#include "fips202.h"
-#include "poly.h"
-#include "randombytes.h"
-#include
-
-/*************************************************
-* Name: encode_pk
-*
-* Description: Serialize the public key as concatenation of the
-* serialization of the polynomial pk and the public seed
-* used to generete the polynomial a.
-*
-* Arguments: unsigned char *r: pointer to the output serialized public key
-* const poly *pk: pointer to the input public-key polynomial
-* const unsigned char *seed: pointer to the input public seed
-**************************************************/
-static void encode_pk(unsigned char *r, const poly *pk, const unsigned char *seed) {
- int i;
- PQCLEAN_NEWHOPE512CPA_CLEAN_poly_tobytes(r, pk);
- for (i = 0; i < NEWHOPE_SYMBYTES; i++) {
- r[NEWHOPE_POLYBYTES + i] = seed[i];
- }
-}
-
-/*************************************************
-* Name: decode_pk
-*
-* Description: De-serialize the public key; inverse of encode_pk
-*
-* Arguments: poly *pk: pointer to output public-key polynomial
-* unsigned char *seed: pointer to output public seed
-* const unsigned char *r: pointer to input byte array
-**************************************************/
-static void decode_pk(poly *pk, unsigned char *seed, const unsigned char *r) {
- int i;
- PQCLEAN_NEWHOPE512CPA_CLEAN_poly_frombytes(pk, r);
- for (i = 0; i < NEWHOPE_SYMBYTES; i++) {
- seed[i] = r[NEWHOPE_POLYBYTES + i];
- }
-}
-
-/*************************************************
-* Name: encode_c
-*
-* Description: Serialize the ciphertext as concatenation of the
-* serialization of the polynomial b and serialization
-* of the compressed polynomial v
-*
-* Arguments: - unsigned char *r: pointer to the output serialized ciphertext
-* - const poly *b: pointer to the input polynomial b
-* - const poly *v: pointer to the input polynomial v
-**************************************************/
-static void encode_c(unsigned char *r, const poly *b, const poly *v) {
- PQCLEAN_NEWHOPE512CPA_CLEAN_poly_tobytes(r, b);
- PQCLEAN_NEWHOPE512CPA_CLEAN_poly_compress(r + NEWHOPE_POLYBYTES, v);
-}
-
-/*************************************************
-* Name: decode_c
-*
-* Description: de-serialize the ciphertext; inverse of encode_c
-*
-* Arguments: - poly *b: pointer to output polynomial b
-* - poly *v: pointer to output polynomial v
-* - const unsigned char *r: pointer to input byte array
-**************************************************/
-static void decode_c(poly *b, poly *v, const unsigned char *r) {
- PQCLEAN_NEWHOPE512CPA_CLEAN_poly_frombytes(b, r);
- PQCLEAN_NEWHOPE512CPA_CLEAN_poly_decompress(v, r + NEWHOPE_POLYBYTES);
-}
-
-/*************************************************
-* Name: gen_a
-*
-* Description: Deterministically generate public polynomial a from seed
-*
-* Arguments: - poly *a: pointer to output polynomial a
-* - const unsigned char *seed: pointer to input seed
-**************************************************/
-static void gen_a(poly *a, const unsigned char *seed) {
- PQCLEAN_NEWHOPE512CPA_CLEAN_poly_uniform(a, seed);
-}
-
-
-/*************************************************
-* Name: cpapke_keypair
-*
-* Description: Generates public and private key
-* for the CPA public-key encryption scheme underlying
-* the NewHope KEMs
-*
-* Arguments: - unsigned char *pk: pointer to output public key
-* - unsigned char *sk: pointer to output private key
-**************************************************/
-void PQCLEAN_NEWHOPE512CPA_CLEAN_cpapke_keypair(unsigned char *pk,
- unsigned char *sk) {
- poly ahat, ehat, ahat_shat, bhat, shat;
- unsigned char z[2 * NEWHOPE_SYMBYTES];
- unsigned char *publicseed = z;
- unsigned char *noiseseed = z + NEWHOPE_SYMBYTES;
-
- z[0] = 0x01;
- randombytes(z + 1, NEWHOPE_SYMBYTES);
- shake256(z, 2 * NEWHOPE_SYMBYTES, z, NEWHOPE_SYMBYTES + 1);
-
- gen_a(&ahat, publicseed);
-
- PQCLEAN_NEWHOPE512CPA_CLEAN_poly_sample(&shat, noiseseed, 0);
- PQCLEAN_NEWHOPE512CPA_CLEAN_poly_ntt(&shat);
-
- PQCLEAN_NEWHOPE512CPA_CLEAN_poly_sample(&ehat, noiseseed, 1);
- PQCLEAN_NEWHOPE512CPA_CLEAN_poly_ntt(&ehat);
-
- PQCLEAN_NEWHOPE512CPA_CLEAN_poly_mul_pointwise(&ahat_shat, &shat, &ahat);
- PQCLEAN_NEWHOPE512CPA_CLEAN_poly_add(&bhat, &ehat, &ahat_shat);
-
- PQCLEAN_NEWHOPE512CPA_CLEAN_poly_tobytes(sk, &shat);
- encode_pk(pk, &bhat, publicseed);
-}
-
-/*************************************************
-* Name: cpapke_enc
-*
-* Description: Encryption function of
-* the CPA public-key encryption scheme underlying
-* the NewHope KEMs
-*
-* Arguments: - unsigned char *c: pointer to output ciphertext
-* - const unsigned char *m: pointer to input message (of length NEWHOPE_SYMBYTES bytes)
-* - const unsigned char *pk: pointer to input public key
-* - const unsigned char *coin: pointer to input random coins used as seed
-* to deterministically generate all randomness
-**************************************************/
-void PQCLEAN_NEWHOPE512CPA_CLEAN_cpapke_enc(unsigned char *c,
- const unsigned char *m,
- const unsigned char *pk,
- const unsigned char *coin) {
- poly sprime, eprime, vprime, ahat, bhat, eprimeprime, uhat, v;
- unsigned char publicseed[NEWHOPE_SYMBYTES];
-
- PQCLEAN_NEWHOPE512CPA_CLEAN_poly_frommsg(&v, m);
-
- decode_pk(&bhat, publicseed, pk);
- gen_a(&ahat, publicseed);
-
- PQCLEAN_NEWHOPE512CPA_CLEAN_poly_sample(&sprime, coin, 0);
- PQCLEAN_NEWHOPE512CPA_CLEAN_poly_sample(&eprime, coin, 1);
- PQCLEAN_NEWHOPE512CPA_CLEAN_poly_sample(&eprimeprime, coin, 2);
-
- PQCLEAN_NEWHOPE512CPA_CLEAN_poly_ntt(&sprime);
- PQCLEAN_NEWHOPE512CPA_CLEAN_poly_ntt(&eprime);
-
- PQCLEAN_NEWHOPE512CPA_CLEAN_poly_mul_pointwise(&uhat, &ahat, &sprime);
- PQCLEAN_NEWHOPE512CPA_CLEAN_poly_add(&uhat, &uhat, &eprime);
-
- PQCLEAN_NEWHOPE512CPA_CLEAN_poly_mul_pointwise(&vprime, &bhat, &sprime);
- PQCLEAN_NEWHOPE512CPA_CLEAN_poly_invntt(&vprime);
-
- PQCLEAN_NEWHOPE512CPA_CLEAN_poly_add(&vprime, &vprime, &eprimeprime);
- PQCLEAN_NEWHOPE512CPA_CLEAN_poly_add(&vprime, &vprime, &v); // add message
-
- encode_c(c, &uhat, &vprime);
-}
-
-
-/*************************************************
-* Name: cpapke_dec
-*
-* Description: Decryption function of
-* the CPA public-key encryption scheme underlying
-* the NewHope KEMs
-*
-* Arguments: - unsigned char *m: pointer to output decrypted message
-* - const unsigned char *c: pointer to input ciphertext
-* - const unsigned char *sk: pointer to input secret key
-**************************************************/
-void PQCLEAN_NEWHOPE512CPA_CLEAN_cpapke_dec(unsigned char *m,
- const unsigned char *c,
- const unsigned char *sk) {
- poly vprime, uhat, tmp, shat;
-
- PQCLEAN_NEWHOPE512CPA_CLEAN_poly_frombytes(&shat, sk);
-
- decode_c(&uhat, &vprime, c);
- PQCLEAN_NEWHOPE512CPA_CLEAN_poly_mul_pointwise(&tmp, &shat, &uhat);
- PQCLEAN_NEWHOPE512CPA_CLEAN_poly_invntt(&tmp);
-
- PQCLEAN_NEWHOPE512CPA_CLEAN_poly_sub(&tmp, &tmp, &vprime);
-
- PQCLEAN_NEWHOPE512CPA_CLEAN_poly_tomsg(m, &tmp);
-}
diff --git a/crypto_kem/newhope512cpa/clean/cpapke.h b/crypto_kem/newhope512cpa/clean/cpapke.h
deleted file mode 100644
index 43539e07..00000000
--- a/crypto_kem/newhope512cpa/clean/cpapke.h
+++ /dev/null
@@ -1,16 +0,0 @@
-#ifndef INDCPA_H
-#define INDCPA_H
-
-void PQCLEAN_NEWHOPE512CPA_CLEAN_cpapke_keypair(unsigned char *pk,
- unsigned char *sk);
-
-void PQCLEAN_NEWHOPE512CPA_CLEAN_cpapke_enc(unsigned char *c,
- const unsigned char *m,
- const unsigned char *pk,
- const unsigned char *coins);
-
-void PQCLEAN_NEWHOPE512CPA_CLEAN_cpapke_dec(unsigned char *m,
- const unsigned char *c,
- const unsigned char *sk);
-
-#endif
diff --git a/crypto_kem/newhope512cpa/clean/kem.c b/crypto_kem/newhope512cpa/clean/kem.c
deleted file mode 100644
index ae3f9d4b..00000000
--- a/crypto_kem/newhope512cpa/clean/kem.c
+++ /dev/null
@@ -1,72 +0,0 @@
-#include "api.h"
-#include "cpapke.h"
-#include "fips202.h"
-#include "params.h"
-#include "randombytes.h"
-#include "verify.h"
-#include
-
-/*************************************************
-* Name: crypto_kem_keypair
-*
-* Description: Generates public and private key
-* for CCA secure NewHope key encapsulation
-* mechanism
-*
-* Arguments: - unsigned char *pk: pointer to output public key (an already allocated array of CRYPTO_PUBLICKEYBYTES bytes)
-* - unsigned char *sk: pointer to output private key (an already allocated array of CRYPTO_SECRETKEYBYTES bytes)
-*
-* Returns 0 (success)
-**************************************************/
-int PQCLEAN_NEWHOPE512CPA_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) {
- PQCLEAN_NEWHOPE512CPA_CLEAN_cpapke_keypair(pk, sk); /* First put the actual secret key into sk */
-
- return 0;
-}
-
-/*************************************************
-* Name: crypto_kem_enc
-*
-* Description: Generates cipher text and shared
-* secret for given public key
-*
-* Arguments: - unsigned char *ct: pointer to output cipher text (an already allocated array of CRYPTO_CIPHERTEXTBYTES bytes)
-* - unsigned char *ss: pointer to output shared secret (an already allocated array of CRYPTO_BYTES bytes)
-* - const unsigned char *pk: pointer to input public key (an already allocated array of CRYPTO_PUBLICKEYBYTES bytes)
-*
-* Returns 0 (success)
-**************************************************/
-int PQCLEAN_NEWHOPE512CPA_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) {
- unsigned char buf[2 * NEWHOPE_SYMBYTES];
-
- buf[0] = 0x02;
- randombytes(buf + 1, NEWHOPE_SYMBYTES);
-
- shake256(buf, 2 * NEWHOPE_SYMBYTES, buf, NEWHOPE_SYMBYTES + 1); /* Don't release system RNG output */
-
- PQCLEAN_NEWHOPE512CPA_CLEAN_cpapke_enc(ct, buf, pk, buf + NEWHOPE_SYMBYTES); /* coins are in buf+NEWHOPE_SYMBYTES */
-
- shake256(ss, NEWHOPE_SYMBYTES, buf, NEWHOPE_SYMBYTES); /* hash pre-k to ss */
-
return 0;
-}
-
-
-/*************************************************
-* Name: crypto_kem_dec
-*
-* Description: Generates shared secret for given
-* cipher text and private key
-*
-* Arguments: - unsigned char *ss: pointer to output shared secret (an already allocated array of CRYPTO_BYTES bytes)
-* - const unsigned char *ct: pointer to input cipher text (an already allocated array of CRYPTO_CIPHERTEXTBYTES bytes)
-* - const unsigned char *sk: pointer to input private key (an already allocated array of CRYPTO_SECRETKEYBYTES bytes)
-*
-* Returns 0 (success)
-**************************************************/
-int PQCLEAN_NEWHOPE512CPA_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) {
- PQCLEAN_NEWHOPE512CPA_CLEAN_cpapke_dec(ss, ct, sk);
-
- shake256(ss, NEWHOPE_SYMBYTES, ss, NEWHOPE_SYMBYTES); /* hash pre-k to ss */
-
- return 0;
-}
diff --git a/crypto_kem/newhope512cpa/clean/ntt.c
deleted file mode 100644
index 7a449088..00000000
--- a/crypto_kem/newhope512cpa/clean/ntt.c
+++ /dev/null
@@ -1,112 +0,0 @@ -#include "inttypes.h" -#include "ntt.h" -#include "params.h" -#include "reduce.h" - -/************************************************************ -* Name: bitrev_table -* -* Description: Contains bit-reversed 9-bit indices to be used to re-order -* polynomials before number theoratic transform -************************************************************/ -static uint16_t bitrev_table [512] = { - 0, 256, 128, 384, 64, 320, 192, 448, 32, 288, 160, 416, 96, 352, 224, 480, 16, 272, 144, 400, 80, 336, 208, 464, 48, 304, 176, 432, 112, 368, 240, 496, 8, - 264, 136, 392, 72, 328, 200, 456, 40, 296, 168, 424, 104, 360, 232, 488, 24, 280, 152, 408, 88, 344, 216, 472, 56, 312, 184, 440, 120, 376, 248, 504, 4, - 260, 132, 388, 68, 324, 196, 452, 36, 292, 164, 420, 100, 356, 228, 484, 20, 276, 148, 404, 84, 340, 212, 468, 52, 308, 180, 436, 116, 372, 244, 500, 12, - 268, 140, 396, 76, 332, 204, 460, 44, 300, 172, 428, 108, 364, 236, 492, 28, 284, 156, 412, 92, 348, 220, 476, 60, 316, 188, 444, 124, 380, 252, 508, 2, - 258, 130, 386, 66, 322, 194, 450, 34, 290, 162, 418, 98, 354, 226, 482, 18, 274, 146, 402, 82, 338, 210, 466, 50, 306, 178, 434, 114, 370, 242, 498, 10, - 266, 138, 394, 74, 330, 202, 458, 42, 298, 170, 426, 106, 362, 234, 490, 26, 282, 154, 410, 90, 346, 218, 474, 58, 314, 186, 442, 122, 378, 250, 506, 6, - 262, 134, 390, 70, 326, 198, 454, 38, 294, 166, 422, 102, 358, 230, 486, 22, 278, 150, 406, 86, 342, 214, 470, 54, 310, 182, 438, 118, 374, 246, 502, 14, - 270, 142, 398, 78, 334, 206, 462, 46, 302, 174, 430, 110, 366, 238, 494, 30, 286, 158, 414, 94, 350, 222, 478, 62, 318, 190, 446, 126, 382, 254, 510, 1, - 257, 129, 385, 65, 321, 193, 449, 33, 289, 161, 417, 97, 353, 225, 481, 17, 273, 145, 401, 81, 337, 209, 465, 49, 305, 177, 433, 113, 369, 241, 497, 9, - 265, 137, 393, 73, 329, 201, 457, 41, 297, 169, 425, 105, 361, 233, 489, 25, 281, 153, 409, 89, 345, 217, 473, 57, 313, 185, 441, 121, 377, 249, 505, 5, - 261, 133, 389, 69, 325, 
197, 453, 37, 293, 165, 421, 101, 357, 229, 485, 21, 277, 149, 405, 85, 341, 213, 469, 53, 309, 181, 437, 117, 373, 245, 501, 13, - 269, 141, 397, 77, 333, 205, 461, 45, 301, 173, 429, 109, 365, 237, 493, 29, 285, 157, 413, 93, 349, 221, 477, 61, 317, 189, 445, 125, 381, 253, 509, 3, - 259, 131, 387, 67, 323, 195, 451, 35, 291, 163, 419, 99, 355, 227, 483, 19, 275, 147, 403, 83, 339, 211, 467, 51, 307, 179, 435, 115, 371, 243, 499, 11, - 267, 139, 395, 75, 331, 203, 459, 43, 299, 171, 427, 107, 363, 235, 491, 27, 283, 155, 411, 91, 347, 219, 475, 59, 315, 187, 443, 123, 379, 251, 507, 7, - 263, 135, 391, 71, 327, 199, 455, 39, 295, 167, 423, 103, 359, 231, 487, 23, 279, 151, 407, 87, 343, 215, 471, 55, 311, 183, 439, 119, 375, 247, 503, 15, - 271, 143, 399, 79, 335, 207, 463, 47, 303, 175, 431, 111, 367, 239, 495, 31, 287, 159, 415, 95, 351, 223, 479, 63, 319, 191, 447, 127, 383, 255, 511 -}; - -/************************************************* -* Name: bitrev_vector -* -* Description: Permutes coefficients of a polynomial into bitreversed order -* -* Arguments: - uint16_t* poly: pointer to in/output polynomial -**************************************************/ -void PQCLEAN_NEWHOPE512CPA_CLEAN_bitrev_vector(uint16_t *poly) { - unsigned int i, r; - uint16_t tmp; - - for (i = 0; i < NEWHOPE_N; i++) { - r = bitrev_table[i]; - if (i < r) { - tmp = poly[i]; - poly[i] = poly[r]; - poly[r] = tmp; - } - } -} - -/************************************************* -* Name: mul_coefficients -* -* Description: Performs pointwise (coefficient-wise) multiplication -* of two polynomials -* Arguments: - uint16_t* poly: pointer to in/output polynomial -* - const uint16_t* factors: pointer to input polynomial, coefficients -* are assumed to be in Montgomery representation -**************************************************/ -void PQCLEAN_NEWHOPE512CPA_CLEAN_mul_coefficients(uint16_t *poly, const uint16_t *factors) { - unsigned int i; - - for (i = 0; i < NEWHOPE_N; i++) { - 
poly[i] = PQCLEAN_NEWHOPE512CPA_CLEAN_montgomery_reduce((poly[i] * factors[i]));
- }
-}
-
-
-/*************************************************
-* Name: ntt
-*
-* Description: Computes number-theoretic transform (NTT) of
-* a polynomial in place; inputs assumed to be in
-* bitreversed order, output in normal order
-*
-* Arguments: - uint16_t * a: pointer to in/output polynomial
-* - const uint16_t* omega: pointer to input powers of root of unity omega;
-* assumed to be in Montgomery domain
-**************************************************/
-void PQCLEAN_NEWHOPE512CPA_CLEAN_ntt(uint16_t *a, const uint16_t *omega) {
- int i, start, j, jTwiddle, distance;
- uint16_t temp, W;
-
-
- for (i = 0; i < 9; i += 2) {
- // Even level
- distance = (1 << i);
- for (start = 0; start < distance; start++) {
- jTwiddle = 0;
- for (j = start; j < NEWHOPE_N - 1; j += 2 * distance) {
- W = omega[jTwiddle++];
- temp = a[j];
- a[j] = (temp + a[j + distance]); // Omit reduction (be lazy)
- a[j + distance] = PQCLEAN_NEWHOPE512CPA_CLEAN_montgomery_reduce((W * ((uint32_t)temp + 3 * NEWHOPE_Q - a[j + distance])));
- }
- }
- if (i + 1 < 9) {
- // Odd level
- distance <<= 1;
- for (start = 0; start < distance; start++) {
- jTwiddle = 0;
- for (j = start; j < NEWHOPE_N - 1; j += 2 * distance) {
- W = omega[jTwiddle++];
- temp = a[j];
- a[j] = (temp + a[j + distance]) % NEWHOPE_Q;
- a[j + distance] = PQCLEAN_NEWHOPE512CPA_CLEAN_montgomery_reduce((W * ((uint32_t)temp + 3 * NEWHOPE_Q - a[j + distance])));
- }
- }
- }
- }
-}
diff --git a/crypto_kem/newhope512cpa/clean/ntt.h
deleted file mode 100644
index 6d17c247..00000000
--- a/crypto_kem/newhope512cpa/clean/ntt.h
+++ /dev/null
@@ -1,14 +0,0 @@
-#ifndef NTT_H
-#define NTT_H
-
-#include "inttypes.h"
-
-extern const uint16_t PQCLEAN_NEWHOPE512CPA_CLEAN_omegas_inv_bitrev_montgomery[];
-extern const uint16_t PQCLEAN_NEWHOPE512CPA_CLEAN_gammas_bitrev_montgomery[];
-extern const uint16_t PQCLEAN_NEWHOPE512CPA_CLEAN_gammas_inv_montgomery[];
-
-void PQCLEAN_NEWHOPE512CPA_CLEAN_bitrev_vector(uint16_t *poly);
-void PQCLEAN_NEWHOPE512CPA_CLEAN_mul_coefficients(uint16_t *poly, const uint16_t *factors);
-void PQCLEAN_NEWHOPE512CPA_CLEAN_ntt(uint16_t *a, const uint16_t *omegas);
-
-#endif
diff --git a/crypto_kem/newhope512cpa/clean/params.h
deleted file mode 100644
index f9de0856..00000000
--- a/crypto_kem/newhope512cpa/clean/params.h
+++ /dev/null
@@ -1,25 +0,0 @@
-#ifndef PQCLEAN_NEWHOPE512CPA_CLEAN_PARAMS_H
-#define PQCLEAN_NEWHOPE512CPA_CLEAN_PARAMS_H
-
-#define NEWHOPE_N 512
-#define NEWHOPE_Q 12289
-#define NEWHOPE_K 8 /* used in noise sampling */
-
-#define NEWHOPE_SYMBYTES 32 /* size of shared key, seeds/coins, and hashes */
-
-#define NEWHOPE_POLYBYTES ((14*NEWHOPE_N)/8)
-#define NEWHOPE_POLYCOMPRESSEDBYTES (( 3*NEWHOPE_N)/8)
-
-#define NEWHOPE_CPAPKE_PUBLICKEYBYTES (NEWHOPE_POLYBYTES + NEWHOPE_SYMBYTES)
-#define NEWHOPE_CPAPKE_SECRETKEYBYTES (NEWHOPE_POLYBYTES)
-#define NEWHOPE_CPAPKE_CIPHERTEXTBYTES (NEWHOPE_POLYBYTES + NEWHOPE_POLYCOMPRESSEDBYTES)
-
-#define NEWHOPE_CPAKEM_PUBLICKEYBYTES NEWHOPE_CPAPKE_PUBLICKEYBYTES
-#define NEWHOPE_CPAKEM_SECRETKEYBYTES NEWHOPE_CPAPKE_SECRETKEYBYTES
-#define NEWHOPE_CPAKEM_CIPHERTEXTBYTES NEWHOPE_CPAPKE_CIPHERTEXTBYTES
-
-#define NEWHOPE_CCAKEM_PUBLICKEYBYTES NEWHOPE_CPAPKE_PUBLICKEYBYTES
-#define NEWHOPE_CCAKEM_SECRETKEYBYTES (NEWHOPE_CPAPKE_SECRETKEYBYTES + NEWHOPE_CPAPKE_PUBLICKEYBYTES + 2*NEWHOPE_SYMBYTES)
-#define NEWHOPE_CCAKEM_CIPHERTEXTBYTES (NEWHOPE_CPAPKE_CIPHERTEXTBYTES + NEWHOPE_SYMBYTES) /* Second part is for Targhi-Unruh */
-
-#endif
diff --git a/crypto_kem/newhope512cpa/clean/poly.c
deleted file mode 100644
index 3f03fdcf..00000000
--- a/crypto_kem/newhope512cpa/clean/poly.c
+++ /dev/null
@@ -1,354 +0,0 @@
-#include "fips202.h"
-#include "ntt.h"
-#include "poly.h"
-#include "reduce.h"
-
-/*************************************************
-* Name: coeff_freeze
-*
-* Description: Fully reduces an integer modulo q in constant time
-*
-* Arguments: uint16_t x: input integer to be reduced
-*
-* Returns integer in {0,...,q-1} congruent to x modulo q
-**************************************************/
-static uint16_t coeff_freeze(uint16_t x) {
- uint16_t m, r;
- int16_t c;
- r = x % NEWHOPE_Q;
-
- m = r - NEWHOPE_Q;
- c = m;
- c >>= 15;
- r = m ^ ((r ^ m)&c);
-
- return r;
-}
-
-/*************************************************
-* Name: flipabs
-*
-* Description: Computes |(x mod q) - Q/2|
-*
-* Arguments: uint16_t x: input coefficient
-*
-* Returns |(x mod q) - Q/2|
-**************************************************/
-static uint16_t flipabs(uint16_t x) {
- int16_t r, m;
- r = coeff_freeze(x);
-
- r = r - NEWHOPE_Q / 2;
- m = r >> 15;
- return (r + m) ^ m;
-}
-
-/*************************************************
-* Name: poly_frombytes
-*
-* Description: De-serialization of a polynomial
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const unsigned char *a: pointer to input byte array
-**************************************************/
-void PQCLEAN_NEWHOPE512CPA_CLEAN_poly_frombytes(poly *r, const unsigned char *a) {
- int i;
- for (i = 0; i < NEWHOPE_N / 4; i++) {
- r->coeffs[4 * i + 0] = a[7 * i + 0] | (((uint16_t)a[7 * i + 1] & 0x3f) << 8);
- r->coeffs[4 * i + 1] = (a[7 * i + 1] >> 6) | (((uint16_t)a[7 * i + 2]) << 2) | (((uint16_t)a[7 * i + 3] & 0x0f) << 10);
- r->coeffs[4 * i + 2] = (a[7 * i + 3] >> 4) | (((uint16_t)a[7 * i + 4]) << 4) | (((uint16_t)a[7 * i + 5] & 0x03) << 12);
- r->coeffs[4 * i + 3] = (a[7 * i + 5] >> 2) | (((uint16_t)a[7 * i + 6]) << 6);
- }
-}
-
-/*************************************************
-* Name: poly_tobytes
-*
-* Description: Serialization of a polynomial
-*
-* Arguments: - unsigned char *r: pointer
to output byte array
-* - const poly *p: pointer to input polynomial
-**************************************************/
-void PQCLEAN_NEWHOPE512CPA_CLEAN_poly_tobytes(unsigned char *r, const poly *p) {
- int i;
- uint16_t t0, t1, t2, t3;
- for (i = 0; i < NEWHOPE_N / 4; i++) {
- t0 = coeff_freeze(p->coeffs[4 * i + 0]);
- t1 = coeff_freeze(p->coeffs[4 * i + 1]);
- t2 = coeff_freeze(p->coeffs[4 * i + 2]);
- t3 = coeff_freeze(p->coeffs[4 * i + 3]);
-
- r[7 * i + 0] = t0 & 0xff;
- r[7 * i + 1] = (unsigned char) ((t0 >> 8) | (t1 << 6));
- r[7 * i + 2] = (unsigned char) ((t1 >> 2));
- r[7 * i + 3] = (unsigned char) ((t1 >> 10) | (t2 << 4));
- r[7 * i + 4] = (unsigned char) ((t2 >> 4));
- r[7 * i + 5] = (unsigned char) ((t2 >> 12) | (t3 << 2));
- r[7 * i + 6] = (unsigned char) ((t3 >> 6));
- }
-}
-
-/*************************************************
-* Name: poly_compress
-*
-* Description: Compression and subsequent serialization of a polynomial
-*
-* Arguments: - unsigned char *r: pointer to output byte array
-* - const poly *p: pointer to input polynomial
-**************************************************/
-void PQCLEAN_NEWHOPE512CPA_CLEAN_poly_compress(unsigned char *r, const poly *p) {
- unsigned int i, j, k = 0;
-
- uint32_t t[8];
-
- for (i = 0; i < NEWHOPE_N; i += 8) {
- for (j = 0; j < 8; j++) {
- t[j] = coeff_freeze(p->coeffs[i + j]);
- t[j] = (((t[j] << 3) + NEWHOPE_Q / 2) / NEWHOPE_Q) & 0x7;
- }
-
- r[k] = (unsigned char) (t[0] | (t[1] << 3) | (t[2] << 6));
- r[k + 1] = (unsigned char) ((t[2] >> 2) | (t[3] << 1) | (t[4] << 4) | (t[5] << 7));
- r[k + 2] = (unsigned char) ((t[5] >> 1) | (t[6] << 2) | (t[7] << 5));
- k += 3;
- }
-}
-
-/*************************************************
-* Name: poly_decompress
-*
-* Description: De-serialization and subsequent decompression of a polynomial;
-* approximate inverse of poly_compress
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const unsigned char *a: pointer to input byte array
-**************************************************/
-void PQCLEAN_NEWHOPE512CPA_CLEAN_poly_decompress(poly *r, const unsigned char *a) {
- unsigned int i, j;
- for (i = 0; i < NEWHOPE_N; i += 8) {
- r->coeffs[i + 0] = a[0] & 7;
- r->coeffs[i + 1] = (a[0] >> 3) & 7;
- r->coeffs[i + 2] = (a[0] >> 6) | ((a[1] << 2) & 4);
- r->coeffs[i + 3] = (a[1] >> 1) & 7;
- r->coeffs[i + 4] = (a[1] >> 4) & 7;
- r->coeffs[i + 5] = (a[1] >> 7) | ((a[2] << 1) & 6);
- r->coeffs[i + 6] = (a[2] >> 2) & 7;
- r->coeffs[i + 7] = (a[2] >> 5);
- a += 3;
- for (j = 0; j < 8; j++) {
- r->coeffs[i + j] = ((uint32_t)r->coeffs[i + j] * NEWHOPE_Q + 4) >> 3;
- }
- }
-}
-
-/*************************************************
-* Name: poly_frommsg
-*
-* Description: Convert 32-byte message to polynomial
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const unsigned char *msg: pointer to input message
-**************************************************/
-void PQCLEAN_NEWHOPE512CPA_CLEAN_poly_frommsg(poly *r, const unsigned char *msg) {
- unsigned int i, j, mask;
- for (i = 0; i < NEWHOPE_SYMBYTES; i++) {
- for (j = 0; j < 8; j++) {
- mask = -((msg[i] >> j) & 1);
- r->coeffs[8 * i + j + 0] = mask & (NEWHOPE_Q / 2);
- r->coeffs[8 * i + j + 256] = mask & (NEWHOPE_Q / 2);
- }
- }
-}
-
-/*************************************************
-* Name: poly_tomsg
-*
-* Description: Convert polynomial to 32-byte message
-*
-* Arguments: - unsigned char *msg: pointer to output message
-* - const poly *x: pointer to input polynomial
-**************************************************/
-void PQCLEAN_NEWHOPE512CPA_CLEAN_poly_tomsg(unsigned char *msg, const poly *x) {
- unsigned int i;
- uint16_t t;
-
- for (i = 0; i < 32; i++) {
- msg[i] = 0;
- }
-
- for (i = 0; i < 256; i++) {
- t = flipabs(x->coeffs[i + 0]);
- t += flipabs(x->coeffs[i + 256]);
- t = ((t - NEWHOPE_Q / 2));
-
- t >>= 15;
- msg[i >> 3] |= t << (i & 7);
- }
-}
-
-/*************************************************
-* Name: poly_uniform
-*
-*
Description: Sample a polynomial deterministically from a seed,
-* with output polynomial looking uniformly random
-*
-* Arguments: - poly *a: pointer to output polynomial
-* - const unsigned char *seed: pointer to input seed
-**************************************************/
-void PQCLEAN_NEWHOPE512CPA_CLEAN_poly_uniform(poly *a, const unsigned char *seed) {
- unsigned int ctr = 0;
- uint16_t val;
- shake128ctx state;
- uint8_t buf[SHAKE128_RATE];
- uint8_t extseed[NEWHOPE_SYMBYTES + 1];
- int i, j;
-
- for (i = 0; i < NEWHOPE_SYMBYTES; i++) {
- extseed[i] = seed[i];
- }
-
- for (i = 0; i < NEWHOPE_N / 64; i++) { /* generate a in blocks of 64 coefficients */
- ctr = 0;
- extseed[NEWHOPE_SYMBYTES] = (unsigned char) i; /* domain-separate the 16 independent calls */
- shake128_absorb(&state, extseed, NEWHOPE_SYMBYTES + 1);
- while (ctr < 64) { /* Very unlikely to run more than once */
- shake128_squeezeblocks(buf, 1, &state);
- for (j = 0; j < SHAKE128_RATE && ctr < 64; j += 2) {
- val = (buf[j] | ((uint16_t) buf[j + 1] << 8));
- if (val < 5 * NEWHOPE_Q) {
- a->coeffs[i * 64 + ctr] = val;
- ctr++;
- }
- }
- }
- shake128_ctx_release(&state);
- }
-}
-
-/*************************************************
-* Name: hw
-*
-* Description: Compute the Hamming weight of a byte
-*
-* Arguments: - unsigned char a: input byte
-**************************************************/
-static unsigned char hw(unsigned char a) {
- unsigned char i, r = 0;
- for (i = 0; i < 8; i++) {
- r += (a >> i) & 1;
- }
- return r;
-}
-
-/*************************************************
-* Name: poly_sample
-*
-* Description: Sample a polynomial deterministically from a seed and a nonce,
-* with output polynomial close to centered binomial distribution
-* with parameter k=8
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const unsigned char *seed: pointer to input seed
-* - unsigned char nonce: one-byte input nonce
-**************************************************/
-void
PQCLEAN_NEWHOPE512CPA_CLEAN_poly_sample(poly *r, const unsigned char *seed, unsigned char nonce) {
- unsigned char buf[128], a, b;
- int i, j;
-
- unsigned char extseed[NEWHOPE_SYMBYTES + 2];
-
- for (i = 0; i < NEWHOPE_SYMBYTES; i++) {
- extseed[i] = seed[i];
- }
- extseed[NEWHOPE_SYMBYTES] = nonce;
-
- for (i = 0; i < NEWHOPE_N / 64; i++) { /* Generate noise in blocks of 64 coefficients */
- extseed[NEWHOPE_SYMBYTES + 1] = (unsigned char) i;
- shake256(buf, 128, extseed, NEWHOPE_SYMBYTES + 2);
- for (j = 0; j < 64; j++) {
- a = buf[2 * j];
- b = buf[2 * j + 1];
- r->coeffs[64 * i + j] = hw(a) + NEWHOPE_Q - hw(b);
- }
- }
-}
-
-/*************************************************
-* Name: poly_pointwise
-*
-* Description: Multiply two polynomials pointwise (i.e., coefficient-wise).
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const poly *a: pointer to first input polynomial
-* - const poly *b: pointer to second input polynomial
-**************************************************/
-void PQCLEAN_NEWHOPE512CPA_CLEAN_poly_mul_pointwise(poly *r, const poly *a, const poly *b) {
- int i;
- uint16_t t;
- for (i = 0; i < NEWHOPE_N; i++) {
- t = PQCLEAN_NEWHOPE512CPA_CLEAN_montgomery_reduce(3186 * b->coeffs[i]); /* t is now in Montgomery domain */
- r->coeffs[i] = PQCLEAN_NEWHOPE512CPA_CLEAN_montgomery_reduce(a->coeffs[i] * t); /* r->coeffs[i] is back in normal domain */
- }
-}
-
-/*************************************************
-* Name: poly_add
-*
-* Description: Add two polynomials
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const poly *a: pointer to first input polynomial
-* - const poly *b: pointer to second input polynomial
-**************************************************/
-void PQCLEAN_NEWHOPE512CPA_CLEAN_poly_add(poly *r, const poly *a, const poly *b) {
- int i;
- for (i = 0; i < NEWHOPE_N; i++) {
- r->coeffs[i] = (a->coeffs[i] + b->coeffs[i]) % NEWHOPE_Q;
- }
-}
-
-/*************************************************
-* Name:
poly_sub
-*
-* Description: Subtract two polynomials
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const poly *a: pointer to first input polynomial
-* - const poly *b: pointer to second input polynomial
-**************************************************/
-void PQCLEAN_NEWHOPE512CPA_CLEAN_poly_sub(poly *r, const poly *a, const poly *b) {
- int i;
- for (i = 0; i < NEWHOPE_N; i++) {
- r->coeffs[i] = (a->coeffs[i] + 3 * NEWHOPE_Q - b->coeffs[i]) % NEWHOPE_Q;
- }
-}
-
-/*************************************************
-* Name: poly_ntt
-*
-* Description: Forward NTT transform of a polynomial in place
-* Input is assumed to have coefficients in bitreversed order
-* Output has coefficients in normal order
-*
-* Arguments: - poly *r: pointer to in/output polynomial
-**************************************************/
-void PQCLEAN_NEWHOPE512CPA_CLEAN_poly_ntt(poly *r) {
- PQCLEAN_NEWHOPE512CPA_CLEAN_mul_coefficients(r->coeffs, PQCLEAN_NEWHOPE512CPA_CLEAN_gammas_bitrev_montgomery);
- PQCLEAN_NEWHOPE512CPA_CLEAN_ntt((uint16_t *)r->coeffs, PQCLEAN_NEWHOPE512CPA_CLEAN_gammas_bitrev_montgomery);
-}
-
-/*************************************************
-* Name: poly_invntt
-*
-* Description: Inverse NTT transform of a polynomial in place
-* Input is assumed to have coefficients in normal order
-* Output has coefficients in normal order
-*
-* Arguments: - poly *r: pointer to in/output polynomial
-**************************************************/
-void PQCLEAN_NEWHOPE512CPA_CLEAN_poly_invntt(poly *r) {
- PQCLEAN_NEWHOPE512CPA_CLEAN_bitrev_vector(r->coeffs);
- PQCLEAN_NEWHOPE512CPA_CLEAN_ntt((uint16_t *)r->coeffs, PQCLEAN_NEWHOPE512CPA_CLEAN_omegas_inv_bitrev_montgomery);
- PQCLEAN_NEWHOPE512CPA_CLEAN_mul_coefficients(r->coeffs, PQCLEAN_NEWHOPE512CPA_CLEAN_gammas_inv_montgomery);
-}
-
diff --git a/crypto_kem/newhope512cpa/clean/poly.h
deleted file mode 100644
index 18b5e9a9..00000000
--- a/crypto_kem/newhope512cpa/clean/poly.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#ifndef POLY_H
-#define POLY_H
-
-#include "params.h"
-#include
-
-/*
- * Elements of R_q = Z_q[X]/(X^n + 1). Represents polynomial
- * coeffs[0] + X*coeffs[1] + X^2*xoeffs[2] + ... + X^{n-1}*coeffs[n-1]
- */
-typedef struct {
- uint16_t coeffs[NEWHOPE_N];
-} poly;
-
-void PQCLEAN_NEWHOPE512CPA_CLEAN_poly_uniform(poly *a, const unsigned char *seed);
-void PQCLEAN_NEWHOPE512CPA_CLEAN_poly_sample(poly *r, const unsigned char *seed, unsigned char nonce);
-void PQCLEAN_NEWHOPE512CPA_CLEAN_poly_add(poly *r, const poly *a, const poly *b);
-
-void PQCLEAN_NEWHOPE512CPA_CLEAN_poly_ntt(poly *r);
-void PQCLEAN_NEWHOPE512CPA_CLEAN_poly_invntt(poly *r);
-void PQCLEAN_NEWHOPE512CPA_CLEAN_poly_mul_pointwise(poly *r, const poly *a, const poly *b);
-
-void PQCLEAN_NEWHOPE512CPA_CLEAN_poly_frombytes(poly *r, const unsigned char *a);
-void PQCLEAN_NEWHOPE512CPA_CLEAN_poly_tobytes(unsigned char *r, const poly *p);
-void PQCLEAN_NEWHOPE512CPA_CLEAN_poly_compress(unsigned char *r, const poly *p);
-void PQCLEAN_NEWHOPE512CPA_CLEAN_poly_decompress(poly *r, const unsigned char *a);
-
-void PQCLEAN_NEWHOPE512CPA_CLEAN_poly_frommsg(poly *r, const unsigned char *msg);
-void PQCLEAN_NEWHOPE512CPA_CLEAN_poly_tomsg(unsigned char *msg, const poly *x);
-void PQCLEAN_NEWHOPE512CPA_CLEAN_poly_sub(poly *r, const poly *a, const poly *b);
-
-#endif
diff --git a/crypto_kem/newhope512cpa/clean/precomp.c
deleted file mode 100644
index 039d671b..00000000
--- a/crypto_kem/newhope512cpa/clean/precomp.c
+++ /dev/null
@@ -1,179 +0,0 @@ -#include "inttypes.h" -#include "ntt.h" -#include "params.h" - -/* Precomputed NTT contants generated by Pari/GP script as follows: - * - * For n = 512: - * - * brv = [0,256,128,384,64,320,192,448,32,288,160,416,96,352,224,480,16,272,144,400,80,336,208,464,48,304,176,432,112,368,240,496,8, - * 264,136,392,72,328,200,456,40,296,168,424,104,360,232,488,24,280,152,408,88,344,216,472,56,312,184,440,120,376,248,504,4, - * 260,132,388,68,324,196,452,36,292,164,420,100,356,228,484,20,276,148,404,84,340,212,468,52,308,180,436,116,372,244,500,12, - * 268,140,396,76,332,204,460,44,300,172,428,108,364,236,492,28,284,156,412,92,348,220,476,60,316,188,444,124,380,252,508,2, - * 258,130,386,66,322,194,450,34,290,162,418,98,354,226,482,18,274,146,402,82,338,210,466,50,306,178,434,114,370,242,498,10, - * 266,138,394,74,330,202,458,42,298,170,426,106,362,234,490,26,282,154,410,90,346,218,474,58,314,186,442,122,378,250,506,6, - * 262,134,390,70,326,198,454,38,294,166,422,102,358,230,486,22,278,150,406,86,342,214,470,54,310,182,438,118,374,246,502,14, - * 270,142,398,78,334,206,462,46,302,174,430,110,366,238,494,30,286,158,414,94,350,222,478,62,318,190,446,126,382,254,510,1, - * 257,129,385,65,321,193,449,33,289,161,417,97,353,225,481,17,273,145,401,81,337,209,465,49,305,177,433,113,369,241,497,9, - * 265,137,393,73,329,201,457,41,297,169,425,105,361,233,489,25,281,153,409,89,345,217,473,57,313,185,441,121,377,249,505,5, - * 261,133,389,69,325,197,453,37,293,165,421,101,357,229,485,21,277,149,405,85,341,213,469,53,309,181,437,117,373,245,501,13, - * 269,141,397,77,333,205,461,45,301,173,429,109,365,237,493,29,285,157,413,93,349,221,477,61,317,189,445,125,381,253,509,3, - * 259,131,387,67,323,195,451,35,291,163,419,99,355,227,483,19,275,147,403,83,339,211,467,51,307,179,435,115,371,243,499,11, - * 267,139,395,75,331,203,459,43,299,171,427,107,363,235,491,27,283,155,411,91,347,219,475,59,315,187,443,123,379,251,507,7, - * 
263,135,391,71,327,199,455,39,295,167,423,103,359,231,487,23,279,151,407,87,343,215,471,55,311,183,439,119,375,247,503,15, - * 271,143,399,79,335,207,463,47,303,175,431,111,367,239,495,31,287,159,415,95,351,223,479,63,319,191,447,127,383,255,511] - * n = 512; q = 12289; mont=2^18 - * g = Mod(10968, q); - * omegas_inv_bitrev_montgomery = lift(vector(n/2, i, (g^2)^(-brv[2*(i-1)+1])*mont)) - * gammas_bitrev_montgomery = lift(vector(n, i, g^(brv[i])*mont)) - * gammas_inv_montgomery = lift(vector(n, i, g^(-(i-1))/n*mont)) - * - * - * For n = 1024: - * - * brv = [0,512,256,768,128,640,384,896,64,576,320,832,192,704,448,960,32,544,288,800,160,672,416,928,96,608,352,864,224,736,480,992, \ - * 16,528,272,784,144,656,400,912,80,592,336,848,208,720,464,976,48,560,304,816,176,688,432,944,112,624,368,880,240,752,496,1008, \ - * 8,520,264,776,136,648,392,904,72,584,328,840,200,712,456,968,40,552,296,808,168,680,424,936,104,616,360,872,232,744,488,1000, \ - * 24,536,280,792,152,664,408,920,88,600,344,856,216,728,472,984,56,568,312,824,184,696,440,952,120,632,376,888,248,760,504,1016, \ - * 4,516,260,772,132,644,388,900,68,580,324,836,196,708,452,964,36,548,292,804,164,676,420,932,100,612,356,868,228,740,484,996, \ - * 20,532,276,788,148,660,404,916,84,596,340,852,212,724,468,980,52,564,308,820,180,692,436,948,116,628,372,884,244,756,500,1012, \ - * 12,524,268,780,140,652,396,908,76,588,332,844,204,716,460,972,44,556,300,812,172,684,428,940,108,620,364,876,236,748,492,1004, \ - * 28,540,284,796,156,668,412,924,92,604,348,860,220,732,476,988,60,572,316,828,188,700,444,956,124,636,380,892,252,764,508,1020, \ - * 2,514,258,770,130,642,386,898,66,578,322,834,194,706,450,962,34,546,290,802,162,674,418,930,98,610,354,866,226,738,482,994, \ - * 18,530,274,786,146,658,402,914,82,594,338,850,210,722,466,978,50,562,306,818,178,690,434,946,114,626,370,882,242,754,498,1010, \ - * 
10,522,266,778,138,650,394,906,74,586,330,842,202,714,458,970,42,554,298,810,170,682,426,938,106,618,362,874,234,746,490,1002, \ - * 26,538,282,794,154,666,410,922,90,602,346,858,218,730,474,986,58,570,314,826,186,698,442,954,122,634,378,890,250,762,506,1018, \ - * 6,518,262,774,134,646,390,902,70,582,326,838,198,710,454,966,38,550,294,806,166,678,422,934,102,614,358,870,230,742,486,998, \ - * 22,534,278,790,150,662,406,918,86,598,342,854,214,726,470,982,54,566,310,822,182,694,438,950,118,630,374,886,246,758,502,1014, \ - * 14,526,270,782,142,654,398,910,78,590,334,846,206,718,462,974,46,558,302,814,174,686,430,942,110,622,366,878,238,750,494,1006, \ - * 30,542,286,798,158,670,414,926,94,606,350,862,222,734,478,990,62,574,318,830,190,702,446,958,126,638,382,894,254,766,510,1022, \ - * 1,513,257,769,129,641,385,897,65,577,321,833,193,705,449,961,33,545,289,801,161,673,417,929,97,609,353,865,225,737,481,993, \ - * 17,529,273,785,145,657,401,913,81,593,337,849,209,721,465,977,49,561,305,817,177,689,433,945,113,625,369,881,241,753,497,1009, \ - * 9,521,265,777,137,649,393,905,73,585,329,841,201,713,457,969,41,553,297,809,169,681,425,937,105,617,361,873,233,745,489,1001, \ - * 25,537,281,793,153,665,409,921,89,601,345,857,217,729,473,985,57,569,313,825,185,697,441,953,121,633,377,889,249,761,505,1017, \ - * 5,517,261,773,133,645,389,901,69,581,325,837,197,709,453,965,37,549,293,805,165,677,421,933,101,613,357,869,229,741,485,997, \ - * 21,533,277,789,149,661,405,917,85,597,341,853,213,725,469,981,53,565,309,821,181,693,437,949,117,629,373,885,245,757,501,1013, \ - * 13,525,269,781,141,653,397,909,77,589,333,845,205,717,461,973,45,557,301,813,173,685,429,941,109,621,365,877,237,749,493,1005, \ - * 29,541,285,797,157,669,413,925,93,605,349,861,221,733,477,989,61,573,317,829,189,701,445,957,125,637,381,893,253,765,509,1021, \ - * 3,515,259,771,131,643,387,899,67,579,323,835,195,707,451,963,35,547,291,803,163,675,419,931,99,611,355,867,227,739,483,995, \ - * 
19,531,275,787,147,659,403,915,83,595,339,851,211,723,467,979,51,563,307,819,179,691,435,947,115,627,371,883,243,755,499,1011, \ - * 11,523,267,779,139,651,395,907,75,587,331,843,203,715,459,971,43,555,299,811,171,683,427,939,107,619,363,875,235,747,491,1003, \ - * 27,539,283,795,155,667,411,923,91,603,347,859,219,731,475,987,59,571,315,827,187,699,443,955,123,635,379,891,251,763,507,1019, \ - * 7,519,263,775,135,647,391,903,71,583,327,839,199,711,455,967,39,551,295,807,167,679,423,935,103,615,359,871,231,743,487,999, \ - * 23,535,279,791,151,663,407,919,87,599,343,855,215,727,471,983,55,567,311,823,183,695,439,951,119,631,375,887,247,759,503,1015, \ - * 15,527,271,783,143,655,399,911,79,591,335,847,207,719,463,975,47,559,303,815,175,687,431,943,111,623,367,879,239,751,495,1007, \ - * 31,543,287,799,159,671,415,927,95,607,351,863,223,735,479,991,63,575,319,831,191,703,447,959,127,639,383,895,255,767,511,1023] - * - * n = 1024; q = 12289; mont=2^18 - * g = Mod(7, q); - * omegas_inv_bitrev_montgomery = lift(vector(n/2, i, (g^2)^(-brv[2*(i-1)+1])*mont)) - * gammas_bitrev_montgomery = lift(vector(n, i, g^(brv[i])*mont)) - * gammas_inv_montgomery = lift(vector(n, i, g^(-(i-1))/n*mont)) -*/ - -/************************************************************ -* Name: omegas_inv_bitrev_montgomery -* -* Description: Contains inverses of powers of nth root of unity -* in Montgomery domain with R=2^18 in bit-reversed order -************************************************************/ -const uint16_t PQCLEAN_NEWHOPE512CPA_CLEAN_omegas_inv_bitrev_montgomery[NEWHOPE_N / 2] = { - 4075, 6974, 4916, 4324, 7210, 3262, 2169, 11767, 3514, 1041, 5925, 11271, 6715, 10316, 11011, 9945, - 1190, 9606, 3818, 6118, 1050, 7753, 8429, 6844, 4449, 6833, 147, 3789, 7540, 6752, 4467, 4789, - 10367, 3879, 2033, 3998, 11316, 1254, 6854, 1359, 3988, 468, 11907, 11973, 8579, 6196, 5446, 6950, - 1987, 10587, 654, 3565, 3199, 12233, 7083, 6760, 6427, 6153, 3643, 6874, 4948, 6152, 11889, 1728, - 7280, 
10333, 6008, 11404, 3532, 11286, 241, 12231, 11314, 4212, 8851, 9445, 3477, 6608, 12147, 1105, - 5594, 9260, 5886, 7507, 4213, 11785, 2302, 11684, 8687, 6221, 8209, 421, 7665, 6212, 8689, 3263, - 10710, 431, 9784, 5906, 9450, 8332, 2127, 151, 3174, 52, 1323, 9523, 6415, 11612, 3336, 6234, - 7048, 9369, 4169, 3127, 11279, 6821, 787, 3482, 3445, 4780, 7232, 7591, 7377, 2049, 1321, 192, - 9551, 6421, 5735, 9634, 10596, 9280, 723, 12115, 9364, 347, 1975, 3757, 10431, 7535, 11863, 3315, - 4493, 3202, 5369, 10232, 350, 10777, 6906, 10474, 1483, 6374, 49, 1263, 10706, 6347, 1489, 9789, - 7552, 1293, 4774, 5429, 3772, 418, 6381, 453, 9522, 156, 3969, 3991, 6956, 10258, 10008, 6413, - 8855, 3529, 218, 9381, 9259, 8174, 2361, 10446, 10335, 2051, 9407, 10484, 9842, 6147, 3963, 576, - 6523, 11637, 6099, 11994, 9370, 3762, 8273, 4077, 11964, 1404, 11143, 11341, 1159, 6299, 4049, 8561, - 5961, 7183, 1962, 10695, 9597, 12121, 8960, 7991, 6992, 6170, 10929, 8333, 2555, 6167, 11089, 5184, - 3570, 4240, 11454, 6065, 3150, 10970, 709, 8243, 1058, 8210, 441, 11367, 10331, 7967, 1112, 2078, - 10542, 3123, 5486, 9235, 7856, 6370, 8455, 5257, 9341, 9786, 6507, 10723, 2459, 683, 8633, 64, -}; - -/************************************************************ -* Name: gammas_bitrev_montgomery -* -* Description: Contains powers of nth root of -1 in Montgomery -* domain with R=2^18 in bit-reversed order -************************************************************/ -const uint16_t PQCLEAN_NEWHOPE512CPA_CLEAN_gammas_bitrev_montgomery[NEWHOPE_N] = { - 4075, 5315, 7965, 7373, 522, 10120, 9027, 5079, 2344, 1278, 1973, 5574, 1018, 6364, 11248, 8775, - 7500, 7822, 5537, 4749, 8500, 12142, 5456, 7840, 5445, 3860, 4536, 11239, 6171, 8471, 2683, 11099, - 10561, 400, 6137, 7341, 5415, 8646, 6136, 5862, 5529, 5206, 56, 9090, 8724, 11635, 1702, 10302, - 5339, 6843, 6093, 3710, 316, 382, 11821, 8301, 10930, 5435, 11035, 973, 8291, 10256, 8410, 1922, - 12097, 10968, 10240, 4912, 4698, 5057, 7509, 8844, 
8807, 11502, 5468, 1010, 9162, 8120, 2920, 5241, - 6055, 8953, 677, 5874, 2766, 10966, 12237, 9115, 12138, 10162, 3957, 2839, 6383, 2505, 11858, 1579, - 9026, 3600, 6077, 4624, 11868, 4080, 6068, 3602, 605, 9987, 504, 8076, 4782, 6403, 3029, 6695, - 11184, 142, 5681, 8812, 2844, 3438, 8077, 975, 58, 12048, 1003, 8757, 885, 6281, 1956, 5009, - 12225, 3656, 11606, 9830, 1566, 5782, 2503, 2948, 7032, 3834, 5919, 4433, 3054, 6803, 9166, 1747, - 10211, 11177, 4322, 1958, 922, 11848, 4079, 11231, 4046, 11580, 1319, 9139, 6224, 835, 8049, 8719, - 7105, 1200, 6122, 9734, 3956, 1360, 6119, 5297, 4298, 3329, 168, 2692, 1594, 10327, 5106, 6328, - 3728, 8240, 5990, 11130, 948, 1146, 10885, 325, 8212, 4016, 8527, 2919, 295, 6190, 652, 5766, - 11713, 8326, 6142, 2447, 1805, 2882, 10238, 1954, 1843, 9928, 4115, 3030, 2908, 12071, 8760, 3434, - 5876, 2281, 2031, 5333, 8298, 8320, 12133, 2767, 11836, 5908, 11871, 8517, 6860, 7515, 10996, 4737, - 2500, 10800, 5942, 1583, 11026, 12240, 5915, 10806, 1815, 5383, 1512, 11939, 2057, 6920, 9087, 7796, - 8974, 426, 4754, 1858, 8532, 10314, 11942, 2925, 174, 11566, 3009, 1693, 2655, 6554, 5868, 2738, - 11796, 8193, 9908, 5444, 10911, 1912, 7952, 435, 404, 7644, 11224, 10146, 7012, 11121, 11082, 9041, - 9723, 2187, 9867, 6250, 3646, 9852, 6267, 2987, 8509, 875, 4976, 10682, 8005, 5088, 7278, 11287, - 9223, 27, 3763, 10849, 11272, 7404, 5084, 10657, 8146, 4714, 12047, 10752, 2678, 3704, 545, 7270, - 1067, 5101, 442, 2401, 390, 11516, 3778, 8456, 1045, 9430, 9808, 5012, 9377, 6591, 11935, 4861, - 7852, 3, 3149, 12129, 12176, 4919, 10123, 3915, 3636, 7351, 2704, 5291, 1663, 1777, 1426, 7635, - 1484, 7394, 2780, 7094, 8236, 2645, 7247, 2305, 2847, 7875, 7917, 10115, 10600, 8925, 4057, 3271, - 9273, 243, 9289, 11618, 3136, 5191, 8889, 9890, 11869, 5559, 10111, 10745, 11813, 8758, 4905, 3985, - 9603, 9042, 3978, 9320, 3510, 5332, 9424, 2370, 9405, 11136, 2249, 8241, 10659, 10163, 9103, 6882, - 10810, 1, 5146, 4043, 8155, 5736, 11567, 1305, 1212, 
10643, 9094, 5860, 8747, 8785, 8668, 2545, - 4591, 6561, 5023, 6461, 10938, 4978, 6512, 8961, 949, 2625, 2639, 7468, 11726, 2975, 9545, 9283, - 3091, 81, 11289, 7969, 9238, 9923, 2963, 7393, 12149, 1853, 11563, 7678, 8034, 11112, 1635, 9521, - 3201, 3014, 1326, 7203, 1170, 9970, 11334, 790, 3135, 3712, 4846, 2747, 3553, 7484, 11227, 2294, - 11267, 9, 9447, 11809, 11950, 2468, 5791, 11745, 10908, 9764, 8112, 3584, 4989, 5331, 4278, 10616, - 4452, 9893, 8340, 8993, 130, 7935, 9452, 6915, 8541, 11336, 11462, 5767, 7222, 2197, 12171, 9813, - 3241, 729, 3289, 10276, 9408, 3284, 2089, 5092, 11029, 4388, 5755, 7657, 10861, 1696, 2426, 11955, - 4231, 2548, 11934, 3382, 10530, 3707, 3694, 7110, 3637, 8830, 6747, 145, 7399, 5911, 2731, 8357, -}; - -/************************************************************ -* Name: gammas_inv_montgomery -* -* Description: Contains inverses of powers of nth root of -1 -* divided by n in Montgomery domain with R=2^18 -************************************************************/ -const uint16_t PQCLEAN_NEWHOPE512CPA_CLEAN_gammas_inv_montgomery[NEWHOPE_N] = { - 512, 3944, 4267, 5411, 9615, 5900, 3205, 6063, 9261, 2021, 3087, 4770, 1029, 1590, 343, 530, - 8307, 4273, 2769, 9617, 923, 7302, 4404, 2434, 1468, 9004, 8682, 11194, 2894, 11924, 5061, 8071, - 1687, 10883, 8755, 7724, 11111, 6671, 7800, 6320, 2600, 6203, 4963, 6164, 9847, 6151, 11475, 10243, - 3825, 11607, 1275, 3869, 425, 5386, 4238, 9988, 5509, 11522, 10029, 7937, 3343, 6742, 9307, 10440, - 11295, 3480, 3765, 1160, 1255, 4483, 8611, 9687, 11063, 3229, 7784, 9269, 6691, 7186, 10423, 10588, - 11667, 11722, 3889, 12100, 9489, 12226, 3163, 12268, 9247, 12282, 11275, 4094, 11951, 5461, 8080, 10013, - 10886, 7434, 7725, 2478, 2575, 826, 9051, 8468, 3017, 6919, 5102, 10499, 5797, 7596, 10125, 2532, - 3375, 844, 1125, 8474, 375, 6921, 125, 2307, 4138, 769, 9572, 8449, 7287, 11009, 2429, 7766, - 4906, 6685, 9828, 10421, 3276, 7570, 1092, 10716, 364, 3572, 8314, 5287, 10964, 9955, 7751, 
11511, - 6680, 3837, 6323, 1279, 6204, 8619, 2068, 2873, 8882, 5054, 7057, 5781, 10545, 1927, 3515, 8835, - 5268, 2945, 1756, 5078, 8778, 5789, 2926, 6026, 9168, 6105, 3056, 2035, 5115, 8871, 1705, 2957, - 8761, 5082, 11113, 1694, 11897, 4661, 8062, 5650, 10880, 10076, 7723, 7455, 10767, 2485, 3589, 9021, - 9389, 3007, 7226, 9195, 6505, 3065, 10361, 5118, 7550, 1706, 6613, 4665, 10397, 1555, 7562, 8711, - 6617, 7000, 6302, 10526, 6197, 7605, 6162, 2535, 2054, 845, 4781, 4378, 5690, 9652, 5993, 11410, - 6094, 11996, 10224, 8095, 3408, 10891, 1136, 11823, 4475, 3941, 5588, 5410, 5959, 9996, 10179, 3332, - 3393, 5207, 1131, 5832, 377, 1944, 4222, 648, 9600, 216, 3200, 72, 5163, 24, 1721, 8, - 4670, 4099, 5653, 9559, 10077, 11379, 3359, 3793, 5216, 9457, 5835, 11345, 1945, 7878, 8841, 2626, - 2947, 9068, 9175, 7119, 11251, 2373, 11943, 791, 3981, 4360, 1327, 9646, 8635, 11408, 11071, 7899, - 11883, 2633, 3961, 4974, 9513, 1658, 3171, 4649, 1057, 5646, 8545, 1882, 11041, 8820, 11873, 2940, - 8054, 980, 6781, 4423, 10453, 9667, 11677, 11415, 12085, 3805, 12221, 9461, 8170, 7250, 10916, 6513, - 7735, 2171, 10771, 4820, 11783, 5703, 8024, 1901, 6771, 4730, 2257, 5673, 8945, 1891, 7078, 8823, - 10552, 2941, 11710, 9173, 12096, 7154, 4032, 6481, 1344, 10353, 448, 3451, 8342, 9343, 6877, 11307, - 10485, 3769, 3495, 9449, 1165, 7246, 8581, 10608, 11053, 3536, 11877, 5275, 3959, 9951, 5416, 3317, - 9998, 5202, 7429, 1734, 10669, 578, 11749, 4289, 12109, 5526, 12229, 1842, 12269, 614, 8186, 4301, - 6825, 5530, 2275, 10036, 8951, 11538, 7080, 3846, 2360, 1282, 4883, 8620, 5724, 11066, 1908, 7785, - 636, 2595, 212, 865, 4167, 8481, 1389, 2827, 463, 9135, 8347, 3045, 10975, 1015, 11851, 8531, - 12143, 6940, 8144, 10506, 6811, 3502, 10463, 9360, 7584, 3120, 2528, 1040, 4939, 4443, 9839, 1481, - 7376, 4590, 6555, 1530, 2185, 510, 8921, 170, 7070, 4153, 6453, 9577, 2151, 11385, 717, 3795, - 239, 1265, 4176, 4518, 1392, 1506, 464, 502, 4251, 8360, 1417, 6883, 8665, 10487, 11081, 7592, 
- 7790, 6627, 6693, 2209, 2231, 8929, 4840, 11169, 9806, 3723, 7365, 1241, 2455, 4510, 9011, 9696,
- 7100, 3232, 6463, 9270, 10347, 3090, 3449, 1030, 5246, 8536, 5845, 11038, 10141, 11872, 11573, 12150,
- 7954, 4050, 10844, 1350, 7711, 450, 10763, 150, 7684, 50, 10754, 4113, 7681, 1371, 10753, 457,
-};
diff --git a/crypto_kem/newhope512cpa/clean/reduce.c b/crypto_kem/newhope512cpa/clean/reduce.c
deleted file mode 100644
index c7adf562..00000000
--- a/crypto_kem/newhope512cpa/clean/reduce.c
+++ /dev/null
@@ -1,26 +0,0 @@
-#include "reduce.h"
-#include "params.h"
-
-static const uint32_t qinv = 12287; // -inverse_mod(p,2^18)
-static const uint32_t rlog = 18;
-
-/*************************************************
-* Name: montgomery_reduce
-*
-* Description: Montgomery reduction; given a 32-bit integer a, computes
-* 16-bit integer congruent to a * R^-1 mod q,
-* where R=2^18 (see value of rlog)
-*
-* Arguments: - uint32_t a: input unsigned integer to be reduced; has to be in {0,...,1073491968}
-*
-* Returns: unsigned integer in {0,...,2^14-1} congruent to a * R^-1 modulo q.
-**************************************************/
-uint16_t PQCLEAN_NEWHOPE512CPA_CLEAN_montgomery_reduce(uint32_t a) {
- uint32_t u;
-
- u = (a * qinv);
- u &= ((1 << rlog) - 1);
- u *= NEWHOPE_Q;
- a = a + u;
- return a >> 18;
-}
diff --git a/crypto_kem/newhope512cpa/clean/reduce.h b/crypto_kem/newhope512cpa/clean/reduce.h
deleted file mode 100644
index d7424375..00000000
--- a/crypto_kem/newhope512cpa/clean/reduce.h
+++ /dev/null
@@ -1,8 +0,0 @@
-#ifndef REDUCE_H
-#define REDUCE_H
-
-#include
-
-uint16_t PQCLEAN_NEWHOPE512CPA_CLEAN_montgomery_reduce(uint32_t a);
-
-#endif
diff --git a/crypto_kem/newhope512cpa/clean/verify.c b/crypto_kem/newhope512cpa/clean/verify.c
deleted file mode 100644
index a03cf862..00000000
--- a/crypto_kem/newhope512cpa/clean/verify.c
+++ /dev/null
@@ -1,49 +0,0 @@
-#include "verify.h"
-#include
-#include
-
-/*************************************************
-* Name: verify
-*
-* Description: Compare two arrays for equality in constant time.
-*
-* Arguments: const unsigned char *a: pointer to first byte array
-* const unsigned char *b: pointer to second byte array
-* size_t len: length of the byte arrays
-*
-* Returns 0 if the byte arrays are equal, 1 otherwise
-**************************************************/
-int PQCLEAN_NEWHOPE512CPA_CLEAN_verify(const unsigned char *a, const unsigned char *b, size_t len) {
- uint64_t r;
- size_t i;
- r = 0;
-
- for (i = 0; i < len; i++) {
- r |= a[i] ^ b[i];
- }
-
- r = (uint64_t)(-(int64_t)r) >> 63;
- return (int)r;
-}
-
-/*************************************************
-* Name: cmov
-*
-* Description: Copy len bytes from x to r if b is 1;
-* don't modify x if b is 0. Requires b to be in {0,1};
-* assumes two's complement representation of negative integers.
-* Runs in constant time.
-*
-* Arguments: unsigned char *r: pointer to output byte array
-* const unsigned char *x: pointer to input byte array
-* size_t len: Amount of bytes to be copied
-* unsigned char b: Condition bit; has to be in {0,1}
-**************************************************/
-void PQCLEAN_NEWHOPE512CPA_CLEAN_cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b) {
- size_t i;
-
- b = -b;
- for (i = 0; i < len; i++) {
- r[i] ^= b & (x[i] ^ r[i]);
- }
-}
diff --git a/crypto_kem/newhope512cpa/clean/verify.h b/crypto_kem/newhope512cpa/clean/verify.h
deleted file mode 100644
index 64385a42..00000000
--- a/crypto_kem/newhope512cpa/clean/verify.h
+++ /dev/null
@@ -1,12 +0,0 @@
-#ifndef VERIFY_H
-#define VERIFY_H
-
-#include
-
-/* returns 0 for equal strings, 1 for non-equal strings */
-int PQCLEAN_NEWHOPE512CPA_CLEAN_verify(const unsigned char *a, const unsigned char *b, size_t len);
-
-/* b = 1 means mov, b = 0 means don't mov*/
-void PQCLEAN_NEWHOPE512CPA_CLEAN_cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b);
-
-#endif
diff --git a/crypto_kem/papabear-ephem/META.yml b/crypto_kem/papabear-ephem/META.yml
deleted file mode 100644
index 04027005..00000000
--- a/crypto_kem/papabear-ephem/META.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-name: PapaBearEphem
-type: kem
-claimed-nist-level: 5
-claimed-security: IND-CPA
-length-public-key: 1584
-length-ciphertext: 1697
-length-secret-key: 40
-length-shared-secret: 32
-nistkat-sha256: afe40a1172ab5f4f87135297e0a7c67047d21c87f33ab518864c030820c3674d
-principal-submitters:
- - Mike Hamburg
-implementations:
- - name: clean
- version: https://sourceforge.net/p/threebears/code/ci/f4ce0ebfc84a5e01a75bfc8297b6d175e993cfa4/
diff --git a/crypto_kem/papabear-ephem/clean/LICENSE b/crypto_kem/papabear-ephem/clean/LICENSE
deleted file mode 100644
index 5fb15a7c..00000000
--- a/crypto_kem/papabear-ephem/clean/LICENSE
+++ /dev/null
@@ -1,24 +0,0 @@
-Copyright (c) 2016-2019 Rambus, Inc.
-and licensed under the following MIT license.
-
-The MIT License (MIT)
-
-Copyright (c) 2016-2019 Rambus Inc.
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
diff --git a/crypto_kem/papabear-ephem/clean/Makefile b/crypto_kem/papabear-ephem/clean/Makefile
deleted file mode 100644
index 84363791..00000000
--- a/crypto_kem/papabear-ephem/clean/Makefile
+++ /dev/null
@@ -1,21 +0,0 @@
-# This Makefile can be used with GNU Make or BSD Make
-
-LIB=libpapabear-ephem_clean.a
-
-HEADERS = api.h melas_fec.h params.h ring.h threebears.h
-OBJECTS = kem.o melas_fec.o ring.o threebears.o
-
-
-CFLAGS=-O3 -Wall -Wextra -Wpedantic -Werror -Wmissing-prototypes -Wredundant-decls -std=c99 -I../../../common $(EXTRAFLAGS)
-
-all: $(LIB)
-
-%.o: %.c $(HEADERS)
- $(CC) $(CFLAGS) -c -o $@ $<
-
-$(LIB): $(OBJECTS)
- $(AR) -r $@ $(OBJECTS)
-
-clean:
- $(RM) $(OBJECTS)
- $(RM) $(LIB)
diff --git a/crypto_kem/papabear-ephem/clean/Makefile.Microsoft_nmake b/crypto_kem/papabear-ephem/clean/Makefile.Microsoft_nmake
deleted file mode 100644
index 4b6c7ef0..00000000
--- a/crypto_kem/papabear-ephem/clean/Makefile.Microsoft_nmake
+++ /dev/null
@@ -1,19 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=libpapabear-ephem_clean.lib
-OBJECTS = kem.obj melas_fec.obj ring.obj threebears.obj
-
-CFLAGS=/nologo /I ..\..\..\common /W4 /WX
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_kem/papabear-ephem/clean/api.h b/crypto_kem/papabear-ephem/clean/api.h
deleted file mode 100644
index 07c9f8fd..00000000
--- a/crypto_kem/papabear-ephem/clean/api.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef PQCLEAN_PAPABEAREPHEM_CLEAN_API_H
-#define PQCLEAN_PAPABEAREPHEM_CLEAN_API_H
-
-#include
-#include
-#include
-
-#define PQCLEAN_PAPABEAREPHEM_CLEAN_CRYPTO_SECRETKEYBYTES 40
-#define PQCLEAN_PAPABEAREPHEM_CLEAN_CRYPTO_PUBLICKEYBYTES 1584
-#define PQCLEAN_PAPABEAREPHEM_CLEAN_CRYPTO_BYTES 32
-#define PQCLEAN_PAPABEAREPHEM_CLEAN_CRYPTO_CIPHERTEXTBYTES 1697
-#define PQCLEAN_PAPABEAREPHEM_CLEAN_CRYPTO_ALGNAME "PapaBearEphem"
-
-int PQCLEAN_PAPABEAREPHEM_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
-int PQCLEAN_PAPABEAREPHEM_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int PQCLEAN_PAPABEAREPHEM_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
-#endif
diff --git a/crypto_kem/papabear-ephem/clean/kem.c b/crypto_kem/papabear-ephem/clean/kem.c
deleted file mode 100644
index f817daa8..00000000
--- a/crypto_kem/papabear-ephem/clean/kem.c
+++ /dev/null
@@ -1,22 +0,0 @@
-#include "api.h"
-#include "params.h"
-#include "randombytes.h"
-#include "threebears.h"
-
-int PQCLEAN_PAPABEAREPHEM_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) {
- randombytes(sk, PRIVATE_KEY_BYTES);
- PQCLEAN_PAPABEAREPHEM_CLEAN_get_pubkey(pk, sk);
- return 0;
-}
-
-int PQCLEAN_PAPABEAREPHEM_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk) {
- uint8_t seed[ENC_SEED_BYTES + IV_BYTES];
- randombytes(seed, sizeof(seed));
- encapsulate(ss, ct, pk, seed);
- return 0;
-}
-
-int PQCLEAN_PAPABEAREPHEM_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk) {
- PQCLEAN_PAPABEAREPHEM_CLEAN_decapsulate(ss, ct, sk);
- return 0;
-}
diff --git a/crypto_kem/papabear-ephem/clean/melas_fec.c b/crypto_kem/papabear-ephem/clean/melas_fec.c
deleted file mode 100644
index 39867f58..00000000
--- a/crypto_kem/papabear-ephem/clean/melas_fec.c
+++ /dev/null
@@ -1,87 +0,0 @@
-/* Melas forward error correction, reference code (as implemented in the paper) */
-#include "melas_fec.h"
-
-/* Return s/2^n mod R */
-static fec_gf_t step(size_t n, fec_gf_t R, fec_gf_t s) {
- for (; n; n--) {
- s = (s ^ ((s & 1) * R)) >> 1;
- }
- return s;
-}
-
-/* Compute syndrome(data), where data has length len */
-#define syndrome18(data,len) s18update(0,data,len)
-static fec_gf_t s18update(fec_gf_t r, const uint8_t *data, size_t len) {
- for (size_t i = 0; i < len; i++) {
- r = step(8, 0x46231, r ^ data[i]);
- }
- return r;
-}
-
-/* Append 3 bytes of FEC(data) to data, so that the FEC becomes 0 */
-void PQCLEAN_PAPABEAREPHEM_CLEAN_melas_fec_set(
- uint8_t out[MELAS_FEC_BYTES],
- const uint8_t *data,
- size_t len
-) {
- fec_gf_t fec = syndrome18(data, len);
- for (size_t i = 0; i < MELAS_FEC_BYTES; i++, fec >>= 8) {
- out[i] = (uint8_t)fec;
- }
-}
-
-/* Return a*b mod Q */
-static fec_gf_t mul(fec_gf_t a, fec_gf_t b) {
- fec_gf_t r = 0;
- for (size_t i = 0; i < 9; i++) {
- r ^= ((b >> (8 - i)) & 1) * a;
- a = step(1, Q, a);
- }
- return r;
-}
-
-/* Reverse an 18-bit number x */
-static fec_gf_t reverse18(fec_gf_t x) {
- fec_gf_t ret = 0;
- for (size_t i = 0; i < 18; i++) {
- ret ^= ((x >> i) & 1) << (17 - i);
- }
- return ret;
-}
-
-/* Correct data to have the given FEC */
-void PQCLEAN_PAPABEAREPHEM_CLEAN_melas_fec_correct (
- uint8_t *data,
- size_t len,
- const uint8_t fec[MELAS_FEC_BYTES]
-) {
-
- fec_gf_t a = s18update(syndrome18(data, len), fec, MELAS_FEC_BYTES);
- fec_gf_t c, r, htr;
- size_t i;
- const uint8_t table[9] = {36, 10, 43, 215, 52, 11, 116, 244, 0};
- fec_gf_t e0, e1;
-
- /* Form a quadratic equation from the syndrome */
- c = mul(step(9, Q, a), step(9, Q, reverse18(a)));
- for (i = 0, r = 0x100; i < 510; i++) {
- r = mul(r, c);
- }
- r = step(17, Q, r);
- a = step(511 - (len + MELAS_FEC_BYTES) * 8, Q, a);
-
- /* Solve using the half trace */
- for (i = 0, htr = 0; i < 9; i++) {
- htr ^= ((r >> i) & 1) * table[i];
- }
- 
e0 = mul(a, htr);
- e1 = e0 ^ a;
-
- /* Correct the errors using the locators */
- for (i = 0; i < len; i++) {
- data[i] ^= (uint8_t)(e0 & (((e0 & (e0 - 1)) - 1) >> 9));
- data[i] ^= (uint8_t)(e1 & (((e1 & (e1 - 1)) - 1) >> 9));
- e0 = step(8, Q, e0);
- e1 = step(8, Q, e1);
- }
-}
diff --git a/crypto_kem/papabear-ephem/clean/melas_fec.h b/crypto_kem/papabear-ephem/clean/melas_fec.h
deleted file mode 100644
index f71f9e14..00000000
--- a/crypto_kem/papabear-ephem/clean/melas_fec.h
+++ /dev/null
@@ -1,26 +0,0 @@
-#ifndef __THREEBEARS_MELAS_FEC_H__
-#define __THREEBEARS_MELAS_FEC_H__
-
-#include "api.h"
-
-#define MELAS_FEC_BYTES 3
-#define MELAS_FEC_BITS 18
-
-typedef uint32_t fec_gf_t;
-static const fec_gf_t Q = 0x211;
-
-/* Append 3 bytes of FEC(data) to data, so that the FEC becomes 0 */
-void PQCLEAN_PAPABEAREPHEM_CLEAN_melas_fec_set(
- uint8_t out[MELAS_FEC_BYTES],
- const uint8_t *data,
- size_t len
-);
-
-/* Append 3 bytes of FEC(data) to data, so that the FEC becomes 0 */
-void PQCLEAN_PAPABEAREPHEM_CLEAN_melas_fec_correct(
- uint8_t *data,
- size_t len,
- const uint8_t fec[MELAS_FEC_BYTES]
-);
-
-#endif
diff --git a/crypto_kem/papabear-ephem/clean/params.h b/crypto_kem/papabear-ephem/clean/params.h
deleted file mode 100644
index 781f0d4c..00000000
--- a/crypto_kem/papabear-ephem/clean/params.h
+++ /dev/null
@@ -1,29 +0,0 @@
-#ifndef __THREEBEARS_PARAMS_H__
-#define __THREEBEARS_PARAMS_H__
-
-#define VERSION 1
-#define MATRIX_SEED_BYTES 24
-#define ENC_SEED_BYTES 32
-#define IV_BYTES 0
-#define LGX 10
-#define DIGITS 312
-#define DIM 4
-#define VAR_TIMES_128 96
-#define LPR_BITS 4
-#define FEC_BITS 18
-#define CCA 0
-#define SHARED_SECRET_BYTES 32
-#define PRIVATE_KEY_BYTES 40
-#define PRF_KEY_BYTES PRIVATE_KEY_BYTES
-
-#define BEAR_NAME "PapaBearEphem"
-#define encapsulate PQCLEAN_PAPABEAREPHEM_CLEAN_encapsulate
-#define decapsulate PQCLEAN_PAPABEAREPHEM_CLEAN_decapsulate
-#define get_pubkey PQCLEAN_PAPABEAREPHEM_CLEAN_get_pubkey
-
-#define GF_BYTES ((LGX*DIGITS+7)/8)
-#define PUBLIC_KEY_BYTES (MATRIX_SEED_BYTES + DIM*GF_BYTES)
-#define CAPSULE_BYTES \
- (DIM*GF_BYTES + IV_BYTES + ((ENC_SEED_BYTES*8+FEC_BITS)*LPR_BITS+7)/8)
-
-#endif
diff --git a/crypto_kem/papabear-ephem/clean/ring.c b/crypto_kem/papabear-ephem/clean/ring.c
deleted file mode 100644
index 6414ea4c..00000000
--- a/crypto_kem/papabear-ephem/clean/ring.c
+++ /dev/null
@@ -1,107 +0,0 @@
-/** Ring arithmetic implementation */
-#include "ring.h"
-
-/** Return the i'th limb of the modulus */
-limb_t PQCLEAN_PAPABEAREPHEM_CLEAN_modulus(size_t i) {
- return (i == DIGITS / 2) ? LMASK - 1 : LMASK;
-}
-
-/** Multiply and accumulate c += a*b */
-void PQCLEAN_PAPABEAREPHEM_CLEAN_mac(gf_t c, const gf_t a, const gf_t b) {
- /* Reference non-Karatsuba MAC */
- dslimb_t accum[2 * DIGITS] = {0};
- dslimb_t chain;
- size_t i, j;
-
- /* Initialize accumulator = unclarify(c) */
- for (i = 0; i < DIGITS; i++) {
- accum[i + DIGITS / 2] = c[i];
- }
-
- /* Multiply */
- for (i = 0; i < DIGITS; i++) {
- for (j = 0; j < DIGITS; j++) {
- accum[i + j] += (dslimb_t)a[i] * b[j];
- }
- }
-
- /* Clarify and reduce */
- for (i = 0; i < DIGITS / 2; i++) {
- accum[i + DIGITS / 2] -= accum[i];
- accum[i + DIGITS] += accum[i];
- accum[i + DIGITS / 2] += accum[i + 3 * DIGITS / 2];
- accum[i + DIGITS] += accum[i + 3 * DIGITS / 2];
- }
-
- /* Carry propagate */
- chain = accum[3 * DIGITS / 2 - 1];
- accum[3 * DIGITS / 2 - 1] = chain & LMASK;
- chain >>= LGX;
- accum[DIGITS] += chain;
- for (i = DIGITS / 2; i < 3 * DIGITS / 2; i++) {
- chain += accum[i];
- c[i - DIGITS / 2] = chain & LMASK;
- chain >>= LGX;
- }
- c[0] = (limb_t) (c[0] + chain);
- c[DIGITS / 2] = (limb_t) (c[DIGITS / 2] + chain);
-}
-
-/** Reduce a gf_t to canonical form, i.e. strictly less than N. */
-void PQCLEAN_PAPABEAREPHEM_CLEAN_canon(gf_t c) {
- const limb_t DELTA = (limb_t)1 << (LGX - 1);
- slimb_t hi;
- dslimb_t scarry;
- dlimb_t carry;
-
- /* Reduce to 0..2p */
- hi = (slimb_t) (c[DIGITS - 1] - DELTA);
- c[DIGITS - 1] = (limb_t) ((hi & LMASK) + DELTA);
- c[DIGITS / 2] = (limb_t) (c[DIGITS / 2] + (hi >> LGX));
-
- /* Strong reduce. 
First subtract modulus */
- scarry = hi >> LGX;
- for (size_t i = 0; i < DIGITS; i++) {
- scarry = scarry + (slimb_t)c[i] - PQCLEAN_PAPABEAREPHEM_CLEAN_modulus(i);
- c[i] = scarry & LMASK;
- scarry >>= LGX;
- }
-
- /* add it back */
- carry = 0;
- for (size_t i = 0; i < DIGITS; i++) {
- carry = carry + c[i] + ((dlimb_t)scarry & PQCLEAN_PAPABEAREPHEM_CLEAN_modulus(i));
- c[i] = carry & LMASK;
- carry >>= LGX;
- }
-}
-
-/** Serialize a gf_t to bytes */
-void PQCLEAN_PAPABEAREPHEM_CLEAN_contract(uint8_t ch[GF_BYTES], gf_t a) {
- size_t pos;
-
- PQCLEAN_PAPABEAREPHEM_CLEAN_canon(a);
- for (size_t i = 0; i < GF_BYTES; i++) {
- pos = (i * 8) / LGX;
- ch[i] = (uint8_t)(a[pos] >> ((i * 8) % LGX));
- if (i < GF_BYTES - 1) {
- ch[i] |= (uint8_t)(a[pos + 1] << (LGX - ((i * 8) % LGX)));
- }
- }
-}
-
-/** Deserialize a gf_t from bytes */
-void PQCLEAN_PAPABEAREPHEM_CLEAN_expand(gf_t ll, const uint8_t ch[GF_BYTES]) {
- limb_t tmp, buffer = 0;
-
- for (size_t i = 0, j = 0, bbits = 0; i < GF_BYTES; i++) {
- tmp = ch[i];
- buffer |= (limb_t)(tmp << bbits);
- bbits += 8;
- if (bbits >= LGX) {
- ll[j++] = buffer & LMASK;
- buffer = (limb_t)(tmp >> (LGX - (bbits - 8)));
- bbits = bbits - LGX;
- }
- }
-}
diff --git a/crypto_kem/papabear-ephem/clean/ring.h b/crypto_kem/papabear-ephem/clean/ring.h
deleted file mode 100644
index 28c40ca7..00000000
--- a/crypto_kem/papabear-ephem/clean/ring.h
+++ /dev/null
@@ -1,29 +0,0 @@ -#ifndef __THREEBEARS_RING_H__ -#define __THREEBEARS_RING_H__ - -#include "api.h" -#include "params.h" - -typedef uint16_t limb_t; -typedef int16_t slimb_t; -typedef uint32_t dlimb_t; -typedef int32_t dslimb_t; -#define LMASK (((limb_t)1<> 8, DIM, - VAR_TIMES_128 - 1, LPR_BITS, FEC_BITS, CCA, 0 /* padding */ - }; - - cshake256_inc_init(ctx, NULL, 0, (const uint8_t *)S, sizeof(S) - 1); - cshake256_inc_absorb(ctx, (const uint8_t *)pblock, sizeof(pblock)); - cshake256_inc_absorb(ctx, &purpose, 1); -} - -/** Sample n gf_t's uniformly from a seed */ -static void uniform(gf_t matrix, const uint8_t *seed, uint8_t iv) { - uint8_t c[GF_BYTES]; - shake256incctx ctx; - - threebears_hash_init(&ctx, HASH_PURPOSE_UNIFORM); - cshake256_inc_absorb(&ctx, seed, MATRIX_SEED_BYTES); - cshake256_inc_absorb(&ctx, &iv, 1); - cshake256_inc_finalize(&ctx); - cshake256_inc_squeeze(c, sizeof(c), &ctx); - cshake256_inc_ctx_release(&ctx); - PQCLEAN_PAPABEAREPHEM_CLEAN_expand(matrix, c); -} - -/** The ThreeBears error distribution */ -static slimb_t psi(uint8_t ci) { - int sample = 0, var = VAR_TIMES_128; - - for (; var > 64; var -= 64, ci = (uint8_t)(ci << 2)) { - sample += ((ci + 64) >> 8) + ((ci - 64) >> 8); - } - return (slimb_t)(sample + ((ci + var) >> 8) + ((ci - var) >> 8)); -} - -/** Sample a vector of n noise elements */ -static void noise(gf_t x, const shake256incctx *ctx, uint8_t iv) { - uint8_t c[DIGITS]; - shake256incctx ctx2; - - cshake256_inc_ctx_clone(&ctx2, ctx); - cshake256_inc_absorb(&ctx2, &iv, 1); - cshake256_inc_finalize(&ctx2); - cshake256_inc_squeeze(c, DIGITS, &ctx2); - for (size_t i = 0; i < DIGITS; i++) { - x[i] = (limb_t)(psi(c[i]) + PQCLEAN_PAPABEAREPHEM_CLEAN_modulus(i)); - } - cshake256_inc_ctx_release(&ctx2); -} - -/* Expand public key from private key */ -void PQCLEAN_PAPABEAREPHEM_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) { - shake256incctx ctx; - shake256incctx ctx2; - gf_t sk_expanded[DIM], b, c; - - threebears_hash_init(&ctx, 
HASH_PURPOSE_KEYGEN);
- cshake256_inc_absorb(&ctx, sk, PRIVATE_KEY_BYTES);
-
- cshake256_inc_ctx_clone(&ctx2, &ctx);
- cshake256_inc_finalize(&ctx2);
- cshake256_inc_squeeze(pk, MATRIX_SEED_BYTES, &ctx2);
- cshake256_inc_ctx_release(&ctx2);
-
- for (uint8_t i = 0; i < DIM; i++) {
- noise(sk_expanded[i], &ctx, i);
- }
- for (uint8_t i = 0; i < DIM; i++) {
- noise(c, &ctx, (uint8_t)(i + DIM));
- for (uint8_t j = 0; j < DIM; j++) {
- uniform(b, pk, (uint8_t) (i + DIM * j));
- PQCLEAN_PAPABEAREPHEM_CLEAN_mac(c, b, sk_expanded[j]);
- }
- PQCLEAN_PAPABEAREPHEM_CLEAN_contract(&pk[MATRIX_SEED_BYTES + i * GF_BYTES], c);
- }
- cshake256_inc_ctx_release(&ctx);
-}
-
-/* Encapsulate a shared secret and return it */
-void PQCLEAN_PAPABEAREPHEM_CLEAN_encapsulate(
- uint8_t *shared_secret,
- uint8_t *capsule,
- const uint8_t *pk,
- const uint8_t *seed
-) {
- uint8_t *lpr_data = &capsule[GF_BYTES * DIM];
- shake256incctx ctx;
- gf_t sk_expanded[DIM], b, c;
- uint8_t tbi[ENC_SEED_BYTES + FEC_BYTES];
- dlimb_t rlimb0, rlimb1;
- limb_t h;
- uint8_t *iv = &lpr_data[(ENC_BITS * LPR_BITS + 7) / 8];
-
- memcpy(iv, &seed[ENC_SEED_BYTES], IV_BYTES);
-
- threebears_hash_init(&ctx, HASH_PURPOSE_ENCAPS);
- cshake256_inc_absorb(&ctx, pk, MATRIX_SEED_BYTES);
- cshake256_inc_absorb(&ctx, seed, ENC_SEED_BYTES + IV_BYTES);
-
- for (uint8_t i = 0; i < DIM; i++) {
- noise(sk_expanded[i], &ctx, i);
- }
- for (uint8_t i = 0; i < DIM; i++) {
- noise(c, &ctx, (uint8_t)(i + DIM));
- for (uint8_t j = 0; j < DIM; j++) {
- uniform(b, pk, (uint8_t)(j + DIM * i));
- PQCLEAN_PAPABEAREPHEM_CLEAN_mac(c, b, sk_expanded[j]);
- }
- PQCLEAN_PAPABEAREPHEM_CLEAN_contract(&capsule[i * GF_BYTES], c);
- }
- noise(c, &ctx, (uint8_t)(2 * DIM));
-
- /* Calculate approximate shared secret */
- for (uint8_t i = 0; i < DIM; i++) {
- PQCLEAN_PAPABEAREPHEM_CLEAN_expand(b, &pk[MATRIX_SEED_BYTES + i * GF_BYTES]);
- PQCLEAN_PAPABEAREPHEM_CLEAN_mac(c, b, sk_expanded[i]);
- }
- PQCLEAN_PAPABEAREPHEM_CLEAN_canon(c);
-
-
- 
cshake256_inc_finalize(&ctx);
- cshake256_inc_squeeze(tbi, ENC_SEED_BYTES, &ctx);
- cshake256_inc_ctx_release(&ctx);
-
- threebears_hash_init(&ctx, HASH_PURPOSE_ENCAPS);
- cshake256_inc_absorb(&ctx, pk, MATRIX_SEED_BYTES);
- cshake256_inc_absorb(&ctx, tbi, ENC_SEED_BYTES);
- cshake256_inc_absorb(&ctx, iv, IV_BYTES);
-
- PQCLEAN_PAPABEAREPHEM_CLEAN_melas_fec_set(&tbi[ENC_SEED_BYTES], tbi, ENC_SEED_BYTES);
-
- /* Export with rounding */
- for (size_t i = 0; i < ENC_BITS; i += 2) {
- h = (limb_t)(tbi[i / 8] >> (i % 8));
- rlimb0 = (dlimb_t)((c[i / 2] >> (LGX - LPR_BITS)) + (h << 3));
- rlimb1 = (dlimb_t)((c[DIGITS - i / 2 - 1] >> (LGX - LPR_BITS)) + ((h >> 1) << 3));
- lpr_data[i / 2] = (uint8_t)((rlimb0 & 0xF) | rlimb1 << 4);
- }
-
- cshake256_inc_finalize(&ctx);
- cshake256_inc_squeeze(shared_secret, SHARED_SECRET_BYTES, &ctx);
- cshake256_inc_ctx_release(&ctx);
-}
-
-/* Decapsulate a shared secret and return it */
-void PQCLEAN_PAPABEAREPHEM_CLEAN_decapsulate(
- uint8_t shared_secret[SHARED_SECRET_BYTES],
- const uint8_t capsule[CAPSULE_BYTES],
- const uint8_t sk[PRIVATE_KEY_BYTES]
-) {
- const uint8_t *lpr_data = &capsule[GF_BYTES * DIM];
- shake256incctx ctx;
- gf_t ska, b, c = {0};
- uint8_t seed[ENC_SEED_BYTES + FEC_BYTES + IV_BYTES];
- limb_t rounding, out;
- size_t j;
- limb_t our_rlimb, their_rlimb, delta;
- uint8_t matrix_seed[MATRIX_SEED_BYTES];
-
- /* Calculate approximate shared secret */
- threebears_hash_init(&ctx, HASH_PURPOSE_KEYGEN);
- cshake256_inc_absorb(&ctx, sk, PRIVATE_KEY_BYTES);
-
- for (uint8_t i = 0; i < DIM; i++) {
- PQCLEAN_PAPABEAREPHEM_CLEAN_expand(b, &capsule[i * GF_BYTES]);
- noise(ska, &ctx, i);
- PQCLEAN_PAPABEAREPHEM_CLEAN_mac(c, ska, b);
- }
-
- /* Recover seed from LPR data */
- PQCLEAN_PAPABEAREPHEM_CLEAN_canon(c);
- rounding = 1 << (LPR_BITS - 1);
- out = 0;
- for (int32_t i = ENC_BITS - 1; i >= 0; i--) {
- j = (size_t) ((i & 1) ? 
DIGITS - i / 2 - 1 : i / 2);
- our_rlimb = (limb_t)(c[j] >> (LGX - LPR_BITS - 1));
- their_rlimb = (limb_t)(lpr_data[i * LPR_BITS / 8] >> ((i * LPR_BITS) % 8));
- delta = (limb_t)(their_rlimb * 2 - our_rlimb + rounding);
- out |= (limb_t)(((delta >> LPR_BITS) & 1) << (i % 8));
- if (i % 8 == 0) {
- seed[i / 8] = (uint8_t)out;
- out = 0;
- }
- }
- PQCLEAN_PAPABEAREPHEM_CLEAN_melas_fec_correct(seed, ENC_SEED_BYTES, &seed[ENC_SEED_BYTES]);
-
- /* Recalculate matrix seed */
- cshake256_inc_finalize(&ctx);
- cshake256_inc_squeeze(matrix_seed, MATRIX_SEED_BYTES, &ctx);
- cshake256_inc_ctx_release(&ctx);
-
- /* Re-run the key derivation from encaps */
- threebears_hash_init(&ctx, HASH_PURPOSE_ENCAPS);
- cshake256_inc_absorb(&ctx, matrix_seed, MATRIX_SEED_BYTES);
- cshake256_inc_absorb(&ctx, seed, ENC_SEED_BYTES);
- cshake256_inc_absorb(&ctx, &lpr_data[(ENC_BITS * LPR_BITS + 7) / 8], IV_BYTES);
- cshake256_inc_finalize(&ctx);
- cshake256_inc_squeeze(shared_secret, SHARED_SECRET_BYTES, &ctx);
- cshake256_inc_ctx_release(&ctx);
-}
diff --git a/crypto_kem/papabear-ephem/clean/threebears.h b/crypto_kem/papabear-ephem/clean/threebears.h
deleted file mode 100644
index 9b48e0ca..00000000
--- a/crypto_kem/papabear-ephem/clean/threebears.h
+++ /dev/null
@@ -1,60 +0,0 @@
-#ifndef __THREE_BEARS_PAPABEAREPHEM_H__
-#define __THREE_BEARS_PAPABEAREPHEM_H__
-
-#include /* for size_t */
-#include
-
-#define PAPABEAREPHEM_KEYGEN_SEED_BYTES 40
-#define PAPABEAREPHEM_PRIVATE_KEY_BYTES PAPABEAREPHEM_KEYGEN_SEED_BYTES
-#define PAPABEAREPHEM_SHARED_SECRET_BYTES 32
-#define PAPABEAREPHEM_ENC_SEED_AND_IV_BYTES 32
-#define PAPABEAREPHEM_PUBLIC_KEY_BYTES 1584
-#define PAPABEAREPHEM_CAPSULE_BYTES 1697
-
-/**
- * Expand a secret seed to a public/private keypair.
- *
- * @param[out] pk The public key.
- * @param[in] sk The private key, which must be uniformly random.
- */
-void PQCLEAN_PAPABEAREPHEM_CLEAN_get_pubkey (
- uint8_t pk[PAPABEAREPHEM_PUBLIC_KEY_BYTES],
- const uint8_t sk[PAPABEAREPHEM_PRIVATE_KEY_BYTES]
-);
-
-/**
- * Create a shared secret using a random seed and another party's public key.
- *
- * Input and output parameters may not alias.
- *
- * @param[out] shared_secret The shared secret key.
- * @param[out] capsule A ciphertext to send to the other party.
- * @param[in] pk The other party's public key.
- * @param[in] seed A random seed.
- */
-void PQCLEAN_PAPABEAREPHEM_CLEAN_encapsulate (
- uint8_t shared_secret[PAPABEAREPHEM_SHARED_SECRET_BYTES],
- uint8_t capsule[PAPABEAREPHEM_CAPSULE_BYTES],
- const uint8_t pk[PAPABEAREPHEM_PUBLIC_KEY_BYTES],
- const uint8_t seed[PAPABEAREPHEM_ENC_SEED_AND_IV_BYTES]
-);
-
-/**
- * Extract the shared secret from a capsule using the private key.
- * Has a negligible but nonzero probability of failure.
- *
- * Input and output parameters may not alias.
- *
- * @param[out] shared_secret The shared secret.
- * @param[in] capsule The capsule produced by encapsulate_cca2.
- * @param[in] sk The private key.
- * @return -1 on failure, 0 on success. 
- * @warning The value of shared_secret must not be used on failure
- */
-void PQCLEAN_PAPABEAREPHEM_CLEAN_decapsulate (
- uint8_t shared_secret[PAPABEAREPHEM_SHARED_SECRET_BYTES],
- const uint8_t capsule[PAPABEAREPHEM_CAPSULE_BYTES],
- const uint8_t sk[PAPABEAREPHEM_PRIVATE_KEY_BYTES]
-);
-
-#endif
diff --git a/crypto_kem/papabear/META.yml b/crypto_kem/papabear/META.yml
deleted file mode 100644
index 32b02549..00000000
--- a/crypto_kem/papabear/META.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-name: PapaBear
-type: kem
-claimed-nist-level: 5
-claimed-security: IND-CCA2
-length-public-key: 1584
-length-ciphertext: 1697
-length-secret-key: 40
-length-shared-secret: 32
-nistkat-sha256: 60212e4433ee326c375b00996e1f524b37a8a12fba16aa51c420315a20dbd708
-principal-submitters:
- - Mike Hamburg
-implementations:
- - name: clean
- version: https://sourceforge.net/p/threebears/code/ci/f4ce0ebfc84a5e01a75bfc8297b6d175e993cfa4/
diff --git a/crypto_kem/papabear/clean/LICENSE b/crypto_kem/papabear/clean/LICENSE
deleted file mode 100644
index 5fb15a7c..00000000
--- a/crypto_kem/papabear/clean/LICENSE
+++ /dev/null
@@ -1,24 +0,0 @@
-Copyright (c) 2016-2019 Rambus, Inc.
-and licensed under the following MIT license.
-
-The MIT License (MIT)
-
-Copyright (c) 2016-2019 Rambus Inc.
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
diff --git a/crypto_kem/papabear/clean/Makefile b/crypto_kem/papabear/clean/Makefile
deleted file mode 100644
index 9ca62142..00000000
--- a/crypto_kem/papabear/clean/Makefile
+++ /dev/null
@@ -1,21 +0,0 @@
-# This Makefile can be used with GNU Make or BSD Make
-
-LIB=libpapabear_clean.a
-
-HEADERS = api.h melas_fec.h params.h ring.h threebears.h
-OBJECTS = kem.o melas_fec.o ring.o threebears.o
-
-
-CFLAGS=-O3 -Wall -Wextra -Wpedantic -Werror -Wmissing-prototypes -Wredundant-decls -std=c99 -I../../../common $(EXTRAFLAGS)
-
-all: $(LIB)
-
-%.o: %.c $(HEADERS)
- $(CC) $(CFLAGS) -c -o $@ $<
-
-$(LIB): $(OBJECTS)
- $(AR) -r $@ $(OBJECTS)
-
-clean:
- $(RM) $(OBJECTS)
- $(RM) $(LIB)
diff --git a/crypto_kem/papabear/clean/Makefile.Microsoft_nmake b/crypto_kem/papabear/clean/Makefile.Microsoft_nmake
deleted file mode 100644
index 87462c40..00000000
--- a/crypto_kem/papabear/clean/Makefile.Microsoft_nmake
+++ /dev/null
@@ -1,19 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=libpapabear_clean.lib
-OBJECTS = kem.obj melas_fec.obj ring.obj threebears.obj
-
-CFLAGS=/nologo /I ..\..\..\common /W4 /WX
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_kem/papabear/clean/api.h b/crypto_kem/papabear/clean/api.h
deleted file mode 100644
index c872e00c..00000000
--- a/crypto_kem/papabear/clean/api.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef PQCLEAN_PAPABEAR_CLEAN_API_H
-#define PQCLEAN_PAPABEAR_CLEAN_API_H
-
-#include
-#include
-#include
-
-#define PQCLEAN_PAPABEAR_CLEAN_CRYPTO_SECRETKEYBYTES 40
-#define PQCLEAN_PAPABEAR_CLEAN_CRYPTO_PUBLICKEYBYTES 1584
-#define PQCLEAN_PAPABEAR_CLEAN_CRYPTO_BYTES 32
-#define PQCLEAN_PAPABEAR_CLEAN_CRYPTO_CIPHERTEXTBYTES 1697
-#define PQCLEAN_PAPABEAR_CLEAN_CRYPTO_ALGNAME "PapaBear"
-
-int PQCLEAN_PAPABEAR_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
-int PQCLEAN_PAPABEAR_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int PQCLEAN_PAPABEAR_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
-#endif
diff --git a/crypto_kem/papabear/clean/kem.c b/crypto_kem/papabear/clean/kem.c
deleted file mode 100644
index 908d3118..00000000
--- a/crypto_kem/papabear/clean/kem.c
+++ /dev/null
@@ -1,22 +0,0 @@
-#include "api.h"
-#include "params.h"
-#include "randombytes.h"
-#include "threebears.h"
-
-int PQCLEAN_PAPABEAR_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) {
- randombytes(sk, PRIVATE_KEY_BYTES);
- PQCLEAN_PAPABEAR_CLEAN_get_pubkey(pk, sk);
- return 0;
-}
-
-int PQCLEAN_PAPABEAR_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk) {
- uint8_t seed[ENC_SEED_BYTES + IV_BYTES];
- randombytes(seed, sizeof(seed));
- encapsulate(ss, ct, pk, seed);
- return 0;
-}
-
-int PQCLEAN_PAPABEAR_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk) {
- PQCLEAN_PAPABEAR_CLEAN_decapsulate(ss, ct, sk);
- return 0;
-}
diff --git a/crypto_kem/papabear/clean/melas_fec.c b/crypto_kem/papabear/clean/melas_fec.c
deleted file mode 100644
index 2e271067..00000000
--- a/crypto_kem/papabear/clean/melas_fec.c
+++ /dev/null
@@ -1,87 +0,0 @@
-/* Melas forward error correction, reference code (as implemented in the paper) */
-#include "melas_fec.h"
-
-/* Return s/2^n mod R */
-static fec_gf_t step(size_t n, fec_gf_t R, fec_gf_t s) {
- for (; n; n--) {
- s = (s ^ ((s & 1) * R)) >> 1;
- }
- return s;
-}
-
-/* Compute syndrome(data), where data has length len */
-#define syndrome18(data,len) s18update(0,data,len)
-static fec_gf_t s18update(fec_gf_t r, const uint8_t *data, size_t len) {
- for (size_t i = 0; i < len; i++) {
- r = step(8, 0x46231, r ^ data[i]);
- }
- return r;
-}
-
-/* Append 3 bytes of FEC(data) to data, so that the FEC becomes 0 */
-void PQCLEAN_PAPABEAR_CLEAN_melas_fec_set(
- uint8_t out[MELAS_FEC_BYTES],
- const uint8_t *data,
- size_t len
-) {
- fec_gf_t fec = syndrome18(data, len);
- for (size_t i = 0; i < MELAS_FEC_BYTES; i++, fec >>= 8) {
- out[i] = (uint8_t)fec;
- }
-}
-
-/* Return a*b mod Q */
-static fec_gf_t mul(fec_gf_t a, fec_gf_t b) {
- fec_gf_t r = 0;
- for (size_t i = 0; i < 9; i++) {
- r ^= ((b >> (8 - i)) & 1) * a;
- a = step(1, Q, a);
- }
- return r;
-}
-
-/* Reverse an 18-bit number x */
-static fec_gf_t reverse18(fec_gf_t x) {
- fec_gf_t ret = 0;
- for (size_t i = 0; i < 18; i++) {
- ret ^= ((x >> i) & 1) << (17 - i);
- }
- return ret;
-}
-
-/* Correct data to have the given FEC */
-void PQCLEAN_PAPABEAR_CLEAN_melas_fec_correct (
- uint8_t *data,
- size_t len,
- const uint8_t fec[MELAS_FEC_BYTES]
-) {
-
- fec_gf_t a = s18update(syndrome18(data, len), fec, MELAS_FEC_BYTES);
- fec_gf_t c, r, htr;
- size_t i;
- const uint8_t table[9] = {36, 10, 43, 215, 52, 11, 116, 244, 0};
- fec_gf_t e0, e1;
-
- /* Form a quadratic equation from the syndrome */
- c = mul(step(9, Q, a), step(9, Q, reverse18(a)));
- for (i = 0, r = 0x100; i < 510; i++) {
- r = mul(r, c);
- }
- r = step(17, Q, r);
- a = step(511 - (len + MELAS_FEC_BYTES) * 8, Q, a);
-
- /* Solve using the half trace */
- for (i = 0, htr = 0; i < 9; i++) {
- htr ^= ((r >> i) & 1) * table[i];
- }
- e0 = mul(a, 
htr);
- e1 = e0 ^ a;
-
- /* Correct the errors using the locators */
- for (i = 0; i < len; i++) {
- data[i] ^= (uint8_t)(e0 & (((e0 & (e0 - 1)) - 1) >> 9));
- data[i] ^= (uint8_t)(e1 & (((e1 & (e1 - 1)) - 1) >> 9));
- e0 = step(8, Q, e0);
- e1 = step(8, Q, e1);
- }
-}
diff --git a/crypto_kem/papabear/clean/melas_fec.h b/crypto_kem/papabear/clean/melas_fec.h
deleted file mode 100644
index 6d2ca1ee..00000000
--- a/crypto_kem/papabear/clean/melas_fec.h
+++ /dev/null
@@ -1,26 +0,0 @@
-#ifndef __THREEBEARS_MELAS_FEC_H__
-#define __THREEBEARS_MELAS_FEC_H__
-
-#include "api.h"
-
-#define MELAS_FEC_BYTES 3
-#define MELAS_FEC_BITS 18
-
-typedef uint32_t fec_gf_t;
-static const fec_gf_t Q = 0x211;
-
-/* Append 3 bytes of FEC(data) to data, so that the FEC becomes 0 */
-void PQCLEAN_PAPABEAR_CLEAN_melas_fec_set(
- uint8_t out[MELAS_FEC_BYTES],
- const uint8_t *data,
- size_t len
-);
-
-/* Append 3 bytes of FEC(data) to data, so that the FEC becomes 0 */
-void PQCLEAN_PAPABEAR_CLEAN_melas_fec_correct(
- uint8_t *data,
- size_t len,
- const uint8_t fec[MELAS_FEC_BYTES]
-);
-
-#endif
diff --git a/crypto_kem/papabear/clean/params.h b/crypto_kem/papabear/clean/params.h
deleted file mode 100644
index 46e21598..00000000
--- a/crypto_kem/papabear/clean/params.h
+++ /dev/null
@@ -1,29 +0,0 @@
-#ifndef __THREEBEARS_PARAMS_H__
-#define __THREEBEARS_PARAMS_H__
-
-#define VERSION 1
-#define MATRIX_SEED_BYTES 24
-#define ENC_SEED_BYTES 32
-#define IV_BYTES 0
-#define LGX 10
-#define DIGITS 312
-#define DIM 4
-#define VAR_TIMES_128 40
-#define LPR_BITS 4
-#define FEC_BITS 18
-#define CCA 1
-#define SHARED_SECRET_BYTES 32
-#define PRIVATE_KEY_BYTES 40
-#define PRF_KEY_BYTES PRIVATE_KEY_BYTES
-
-#define BEAR_NAME "PapaBear"
-#define encapsulate PQCLEAN_PAPABEAR_CLEAN_encapsulate
-#define decapsulate PQCLEAN_PAPABEAR_CLEAN_decapsulate
-#define get_pubkey PQCLEAN_PAPABEAR_CLEAN_get_pubkey
-
-#define GF_BYTES ((LGX*DIGITS+7)/8)
-#define PUBLIC_KEY_BYTES (MATRIX_SEED_BYTES + DIM*GF_BYTES)
-#define CAPSULE_BYTES \
- (DIM*GF_BYTES + IV_BYTES + ((ENC_SEED_BYTES*8+FEC_BITS)*LPR_BITS+7)/8)
-
-#endif
diff --git a/crypto_kem/papabear/clean/ring.c b/crypto_kem/papabear/clean/ring.c
deleted file mode 100644
index 1a1e2925..00000000
--- a/crypto_kem/papabear/clean/ring.c
+++ /dev/null
@@ -1,107 +0,0 @@
-/** Ring arithmetic implementation */
-#include "ring.h"
-
-/** Return the i'th limb of the modulus */
-limb_t PQCLEAN_PAPABEAR_CLEAN_modulus(size_t i) {
- return (i == DIGITS / 2) ? LMASK - 1 : LMASK;
-}
-
-/** Multiply and accumulate c += a*b */
-void PQCLEAN_PAPABEAR_CLEAN_mac(gf_t c, const gf_t a, const gf_t b) {
- /* Reference non-Karatsuba MAC */
- dslimb_t accum[2 * DIGITS] = {0};
- dslimb_t chain;
- size_t i, j;
-
- /* Initialize accumulator = unclarify(c) */
- for (i = 0; i < DIGITS; i++) {
- accum[i + DIGITS / 2] = c[i];
- }
-
- /* Multiply */
- for (i = 0; i < DIGITS; i++) {
- for (j = 0; j < DIGITS; j++) {
- accum[i + j] += (dslimb_t)a[i] * b[j];
- }
- }
-
- /* Clarify and reduce */
- for (i = 0; i < DIGITS / 2; i++) {
- accum[i + DIGITS / 2] -= accum[i];
- accum[i + DIGITS] += accum[i];
- accum[i + DIGITS / 2] += accum[i + 3 * DIGITS / 2];
- accum[i + DIGITS] += accum[i + 3 * DIGITS / 2];
- }
-
- /* Carry propagate */
- chain = accum[3 * DIGITS / 2 - 1];
- accum[3 * DIGITS / 2 - 1] = chain & LMASK;
- chain >>= LGX;
- accum[DIGITS] += chain;
- for (i = DIGITS / 2; i < 3 * DIGITS / 2; i++) {
- chain += accum[i];
- c[i - DIGITS / 2] = chain & LMASK;
- chain >>= LGX;
- }
- c[0] = (limb_t) (c[0] + chain);
- c[DIGITS / 2] = (limb_t) (c[DIGITS / 2] + chain);
-}
-
-/** Reduce a gf_t to canonical form, i.e. strictly less than N. */
-void PQCLEAN_PAPABEAR_CLEAN_canon(gf_t c) {
- const limb_t DELTA = (limb_t)1 << (LGX - 1);
- slimb_t hi;
- dslimb_t scarry;
- dlimb_t carry;
-
- /* Reduce to 0..2p */
- hi = (slimb_t) (c[DIGITS - 1] - DELTA);
- c[DIGITS - 1] = (limb_t) ((hi & LMASK) + DELTA);
- c[DIGITS / 2] = (limb_t) (c[DIGITS / 2] + (hi >> LGX));
-
- /* Strong reduce. 
First subtract modulus */
- scarry = hi >> LGX;
- for (size_t i = 0; i < DIGITS; i++) {
- scarry = scarry + (slimb_t)c[i] - PQCLEAN_PAPABEAR_CLEAN_modulus(i);
- c[i] = scarry & LMASK;
- scarry >>= LGX;
- }
-
- /* add it back */
- carry = 0;
- for (size_t i = 0; i < DIGITS; i++) {
- carry = carry + c[i] + ((dlimb_t)scarry & PQCLEAN_PAPABEAR_CLEAN_modulus(i));
- c[i] = carry & LMASK;
- carry >>= LGX;
- }
-}
-
-/** Serialize a gf_t to bytes */
-void PQCLEAN_PAPABEAR_CLEAN_contract(uint8_t ch[GF_BYTES], gf_t a) {
- size_t pos;
-
- PQCLEAN_PAPABEAR_CLEAN_canon(a);
- for (size_t i = 0; i < GF_BYTES; i++) {
- pos = (i * 8) / LGX;
- ch[i] = (uint8_t)(a[pos] >> ((i * 8) % LGX));
- if (i < GF_BYTES - 1) {
- ch[i] |= (uint8_t)(a[pos + 1] << (LGX - ((i * 8) % LGX)));
- }
- }
-}
-
-/** Deserialize a gf_t from bytes */
-void PQCLEAN_PAPABEAR_CLEAN_expand(gf_t ll, const uint8_t ch[GF_BYTES]) {
- limb_t tmp, buffer = 0;
-
- for (size_t i = 0, j = 0, bbits = 0; i < GF_BYTES; i++) {
- tmp = ch[i];
- buffer |= (limb_t)(tmp << bbits);
- bbits += 8;
- if (bbits >= LGX) {
- ll[j++] = buffer & LMASK;
- buffer = (limb_t)(tmp >> (LGX - (bbits - 8)));
- bbits = bbits - LGX;
- }
- }
-}
diff --git a/crypto_kem/papabear/clean/ring.h b/crypto_kem/papabear/clean/ring.h
deleted file mode 100644
index b51b4b4b..00000000
--- a/crypto_kem/papabear/clean/ring.h
+++ /dev/null
@@ -1,29 +0,0 @@ -#ifndef __THREEBEARS_RING_H__ -#define __THREEBEARS_RING_H__ - -#include "api.h" -#include "params.h" - -typedef uint16_t limb_t; -typedef int16_t slimb_t; -typedef uint32_t dlimb_t; -typedef int32_t dslimb_t; -#define LMASK (((limb_t)1<> 8, DIM, - VAR_TIMES_128 - 1, LPR_BITS, FEC_BITS, CCA, 0 /* padding */ - }; - - cshake256_inc_init(ctx, NULL, 0, (const uint8_t *)S, sizeof(S) - 1); - cshake256_inc_absorb(ctx, (const uint8_t *)pblock, sizeof(pblock)); - cshake256_inc_absorb(ctx, &purpose, 1); -} - -/** Sample n gf_t's uniformly from a seed */ -static void uniform(gf_t matrix, const uint8_t *seed, uint8_t iv) { - uint8_t c[GF_BYTES]; - shake256incctx ctx; - - threebears_hash_init(&ctx, HASH_PURPOSE_UNIFORM); - cshake256_inc_absorb(&ctx, seed, MATRIX_SEED_BYTES); - cshake256_inc_absorb(&ctx, &iv, 1); - cshake256_inc_finalize(&ctx); - cshake256_inc_squeeze(c, sizeof(c), &ctx); - cshake256_inc_ctx_release(&ctx); - PQCLEAN_PAPABEAR_CLEAN_expand(matrix, c); -} - -/** The ThreeBears error distribution */ -static slimb_t psi(uint8_t ci) { - int sample = 0, var = VAR_TIMES_128; - - for (; var > 64; var -= 64, ci = (uint8_t)(ci << 2)) { - sample += ((ci + 64) >> 8) + ((ci - 64) >> 8); - } - return (slimb_t)(sample + ((ci + var) >> 8) + ((ci - var) >> 8)); -} - -/** Sample a vector of n noise elements */ -static void noise(gf_t x, const shake256incctx *ctx, uint8_t iv) { - uint8_t c[DIGITS]; - shake256incctx ctx2; - - cshake256_inc_ctx_clone(&ctx2, ctx); - cshake256_inc_absorb(&ctx2, &iv, 1); - cshake256_inc_finalize(&ctx2); - cshake256_inc_squeeze(c, DIGITS, &ctx2); - for (size_t i = 0; i < DIGITS; i++) { - x[i] = (limb_t)(psi(c[i]) + PQCLEAN_PAPABEAR_CLEAN_modulus(i)); - } - cshake256_inc_ctx_release(&ctx2); -} - -/* Expand public key from private key */ -void PQCLEAN_PAPABEAR_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) { - shake256incctx ctx; - shake256incctx ctx2; - gf_t sk_expanded[DIM], b, c; - - threebears_hash_init(&ctx, HASH_PURPOSE_KEYGEN); - 
cshake256_inc_absorb(&ctx, sk, PRIVATE_KEY_BYTES);
-
- cshake256_inc_ctx_clone(&ctx2, &ctx);
- cshake256_inc_finalize(&ctx2);
- cshake256_inc_squeeze(pk, MATRIX_SEED_BYTES, &ctx2);
- cshake256_inc_ctx_release(&ctx2);
-
- for (uint8_t i = 0; i < DIM; i++) {
- noise(sk_expanded[i], &ctx, i);
- }
- for (uint8_t i = 0; i < DIM; i++) {
- noise(c, &ctx, (uint8_t)(i + DIM));
- for (uint8_t j = 0; j < DIM; j++) {
- uniform(b, pk, (uint8_t) (i + DIM * j));
- PQCLEAN_PAPABEAR_CLEAN_mac(c, b, sk_expanded[j]);
- }
- PQCLEAN_PAPABEAR_CLEAN_contract(&pk[MATRIX_SEED_BYTES + i * GF_BYTES], c);
- }
- cshake256_inc_ctx_release(&ctx);
-}
-
-/* Encapsulate a shared secret and return it */
-void PQCLEAN_PAPABEAR_CLEAN_encapsulate(
- uint8_t *shared_secret,
- uint8_t *capsule,
- const uint8_t *pk,
- const uint8_t *seed
-) {
- uint8_t *lpr_data = &capsule[GF_BYTES * DIM];
- shake256incctx ctx;
- gf_t sk_expanded[DIM], b, c;
- uint8_t tbi[ENC_SEED_BYTES + FEC_BYTES];
- dlimb_t rlimb0, rlimb1;
- limb_t h;
- uint8_t *iv = &lpr_data[(ENC_BITS * LPR_BITS + 7) / 8];
-
- memcpy(iv, &seed[ENC_SEED_BYTES], IV_BYTES);
-
- threebears_hash_init(&ctx, HASH_PURPOSE_ENCAPS);
- cshake256_inc_absorb(&ctx, pk, MATRIX_SEED_BYTES);
- cshake256_inc_absorb(&ctx, seed, ENC_SEED_BYTES + IV_BYTES);
-
- for (uint8_t i = 0; i < DIM; i++) {
- noise(sk_expanded[i], &ctx, i);
- }
- for (uint8_t i = 0; i < DIM; i++) {
- noise(c, &ctx, (uint8_t)(i + DIM));
- for (uint8_t j = 0; j < DIM; j++) {
- uniform(b, pk, (uint8_t)(j + DIM * i));
- PQCLEAN_PAPABEAR_CLEAN_mac(c, b, sk_expanded[j]);
- }
- PQCLEAN_PAPABEAR_CLEAN_contract(&capsule[i * GF_BYTES], c);
- }
- noise(c, &ctx, (uint8_t)(2 * DIM));
-
- /* Calculate approximate shared secret */
- for (uint8_t i = 0; i < DIM; i++) {
- PQCLEAN_PAPABEAR_CLEAN_expand(b, &pk[MATRIX_SEED_BYTES + i * GF_BYTES]);
- PQCLEAN_PAPABEAR_CLEAN_mac(c, b, sk_expanded[i]);
- }
- PQCLEAN_PAPABEAR_CLEAN_canon(c);
-
-
- memcpy(tbi, seed, ENC_SEED_BYTES);
-
- 
PQCLEAN_PAPABEAR_CLEAN_melas_fec_set(&tbi[ENC_SEED_BYTES], tbi, ENC_SEED_BYTES);
-
- /* Export with rounding */
- for (size_t i = 0; i < ENC_BITS; i += 2) {
- h = (limb_t)(tbi[i / 8] >> (i % 8));
- rlimb0 = (dlimb_t)((c[i / 2] >> (LGX - LPR_BITS)) + (h << 3));
- rlimb1 = (dlimb_t)((c[DIGITS - i / 2 - 1] >> (LGX - LPR_BITS)) + ((h >> 1) << 3));
- lpr_data[i / 2] = (uint8_t)((rlimb0 & 0xF) | rlimb1 << 4);
- }
-
- cshake256_inc_finalize(&ctx);
- cshake256_inc_squeeze(shared_secret, SHARED_SECRET_BYTES, &ctx);
- cshake256_inc_ctx_release(&ctx);
-}
-
-/* Decapsulate a shared secret and return it */
-void PQCLEAN_PAPABEAR_CLEAN_decapsulate(
- uint8_t shared_secret[SHARED_SECRET_BYTES],
- const uint8_t capsule[CAPSULE_BYTES],
- const uint8_t sk[PRIVATE_KEY_BYTES]
-) {
- const uint8_t *lpr_data = &capsule[GF_BYTES * DIM];
- shake256incctx ctx;
- gf_t ska, b, c = {0};
- uint8_t seed[ENC_SEED_BYTES + FEC_BYTES + IV_BYTES];
- limb_t rounding, out;
- size_t j;
- limb_t our_rlimb, their_rlimb, delta;
- uint8_t pk[PUBLIC_KEY_BYTES], capsule2[CAPSULE_BYTES];
- uint8_t ret, ok, sep, prfk[PRF_KEY_BYTES];
- uint8_t prfout[SHARED_SECRET_BYTES];
-
- /* Calculate approximate shared secret */
- threebears_hash_init(&ctx, HASH_PURPOSE_KEYGEN);
- cshake256_inc_absorb(&ctx, sk, PRIVATE_KEY_BYTES);
-
- for (uint8_t i = 0; i < DIM; i++) {
- PQCLEAN_PAPABEAR_CLEAN_expand(b, &capsule[i * GF_BYTES]);
- noise(ska, &ctx, i);
- PQCLEAN_PAPABEAR_CLEAN_mac(c, ska, b);
- }
-
- /* Recover seed from LPR data */
- PQCLEAN_PAPABEAR_CLEAN_canon(c);
- rounding = 1 << (LPR_BITS - 1);
- out = 0;
- for (int32_t i = ENC_BITS - 1; i >= 0; i--) {
- j = (size_t) ((i & 1) ? 
DIGITS - i / 2 - 1 : i / 2);
- our_rlimb = (limb_t)(c[j] >> (LGX - LPR_BITS - 1));
- their_rlimb = (limb_t)(lpr_data[i * LPR_BITS / 8] >> ((i * LPR_BITS) % 8));
- delta = (limb_t)(their_rlimb * 2 - our_rlimb + rounding);
- out |= (limb_t)(((delta >> LPR_BITS) & 1) << (i % 8));
- if (i % 8 == 0) {
- seed[i / 8] = (uint8_t)out;
- out = 0;
- }
- }
- PQCLEAN_PAPABEAR_CLEAN_melas_fec_correct(seed, ENC_SEED_BYTES, &seed[ENC_SEED_BYTES]);
-
- /* Re-encapsulate and check; encapsulate will compute the shared secret */
- PQCLEAN_PAPABEAR_CLEAN_get_pubkey(pk, sk);
- memcpy(&seed[ENC_SEED_BYTES], &lpr_data[(ENC_BITS * LPR_BITS + 7) / 8], IV_BYTES);
- PQCLEAN_PAPABEAR_CLEAN_encapsulate(shared_secret, capsule2, pk, seed);
-
- /* Check capsule == capsule2 in constant time */
- ret = 0;
- for (size_t i = 0; i < CAPSULE_BYTES; i++) {
- ret |= capsule[i] ^ capsule2[i];
- }
- ok = (uint8_t)(((int)ret - 1) >> 8);
-
- /* Calculate PRF key */
- sep = 0xFF;
- cshake256_inc_absorb(&ctx, &sep, 1);
- cshake256_inc_finalize(&ctx);
- cshake256_inc_squeeze(prfk, PRF_KEY_BYTES, &ctx);
- cshake256_inc_ctx_release(&ctx);
-
- /* Calculate PRF */
- threebears_hash_init(&ctx, HASH_PURPOSE_PRF);
- cshake256_inc_absorb(&ctx, prfk, PRF_KEY_BYTES);
- cshake256_inc_absorb(&ctx, capsule, CAPSULE_BYTES);
- cshake256_inc_finalize(&ctx);
- cshake256_inc_squeeze(prfout, SHARED_SECRET_BYTES, &ctx);
- cshake256_inc_ctx_release(&ctx);
-
- for (size_t i = 0; i < SHARED_SECRET_BYTES; i++) {
- shared_secret[i] = (uint8_t)((shared_secret[i] & ok) | (prfout[i] & ~ok));
- }
-}
diff --git a/crypto_kem/papabear/clean/threebears.h b/crypto_kem/papabear/clean/threebears.h
deleted file mode 100644
index 558cd557..00000000
--- a/crypto_kem/papabear/clean/threebears.h
+++ /dev/null
@@ -1,58 +0,0 @@
-#ifndef __THREE_BEARS_PAPABEAR_H__
-#define __THREE_BEARS_PAPABEAR_H__
-
-#include /* for size_t */
-#include
-
-#define PAPABEAR_KEYGEN_SEED_BYTES 40
-#define PAPABEAR_PRIVATE_KEY_BYTES PAPABEAR_KEYGEN_SEED_BYTES
-#define PAPABEAR_SHARED_SECRET_BYTES 32
-#define PAPABEAR_ENC_SEED_AND_IV_BYTES 32
-#define PAPABEAR_PUBLIC_KEY_BYTES 1584
-#define PAPABEAR_CAPSULE_BYTES 1697
-
-/**
- * Expand a secret seed to a public/private keypair.
- *
- * @param[out] pk The public key.
- * @param[in] sk The private key, which must be uniformly random.
- */
-void PQCLEAN_PAPABEAR_CLEAN_get_pubkey (
- uint8_t pk[PAPABEAR_PUBLIC_KEY_BYTES],
- const uint8_t sk[PAPABEAR_PRIVATE_KEY_BYTES]
-);
-
-/**
- * Create a shared secret using a random seed and another party's public key.
- *
- * Input and output parameters may not alias.
- *
- * @param[out] shared_secret The shared secret key.
- * @param[out] capsule A ciphertext to send to the other party.
- * @param[in] pk The other party's public key.
- * @param[in] seed A random seed.
- */
-void PQCLEAN_PAPABEAR_CLEAN_encapsulate (
- uint8_t shared_secret[PAPABEAR_SHARED_SECRET_BYTES],
- uint8_t capsule[PAPABEAR_CAPSULE_BYTES],
- const uint8_t pk[PAPABEAR_PUBLIC_KEY_BYTES],
- const uint8_t seed[PAPABEAR_ENC_SEED_AND_IV_BYTES]
-);
-
-/**
- * Extract the shared secret from a capsule using the private key.
- * Has a negligible but nonzero probability of failure.
- *
- * Input and output parameters may not alias.
- *
- * @param[out] shared_secret The shared secret.
- * @param[in] capsule The capsule produced by encapsulate_cca2.
- * @param[in] sk The private key.
- */
-void PQCLEAN_PAPABEAR_CLEAN_decapsulate (
- uint8_t shared_secret[PAPABEAR_SHARED_SECRET_BYTES],
- const uint8_t capsule[PAPABEAR_CAPSULE_BYTES],
- const uint8_t sk[PAPABEAR_PRIVATE_KEY_BYTES]
-);
-
-#endif
diff --git a/crypto_sign/mqdss-48/META.yml b/crypto_sign/mqdss-48/META.yml
deleted file mode 100644
index 0fba019d..00000000
--- a/crypto_sign/mqdss-48/META.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-name: MQDSS-48
-type: signature
-claimed-nist-level: 1
-length-public-key: 46
-length-secret-key: 16
-length-signature: 28400
-nistkat-sha256: 9ca5c44144cfbf554748a1278f1abfdc97ae2ac4615561f2004c3f234c452d82
-testvectors-sha256: 9a2413984acd79b59d7270d0c05fbd1396a933f334362638fc2a1e7271f733f2
-principal-submitters:
- - Simona Samardjiska
-auxiliary-submitters:
- - Ming-Shing Chen
- - Andreas Hülsing
- - Joost Rijneveld
- - Peter Schwabe
-implementations:
- - name: clean
- version: https://github.com/joostrijneveld/MQDSS/commit/00608d7610262ff07b1834885d32bc3fd27ef5e1
- - name: avx2
- version: https://github.com/joostrijneveld/MQDSS/commit/00608d7610262ff07b1834885d32bc3fd27ef5e1
- supported_platforms:
- - architecture: x86_64
- required_flags:
- - avx2
- - architecture: x86
- required_flags:
- - avx2
diff --git a/crypto_sign/mqdss-48/avx2/LICENSE b/crypto_sign/mqdss-48/avx2/LICENSE
deleted file mode 100644
index 670154e3..00000000
--- a/crypto_sign/mqdss-48/avx2/LICENSE
+++ /dev/null
@@ -1,116 +0,0 @@ -CC0 1.0 Universal - -Statement of Purpose - -The laws of most jurisdictions throughout the world automatically confer -exclusive Copyright and Related Rights (defined below) upon the creator and -subsequent owner(s) (each and all, an "owner") of an original work of -authorship and/or a database (each, a "Work"). - -Certain owners wish to permanently relinquish those rights to a Work for the -purpose of contributing to a commons of creative, cultural and scientific -works ("Commons") that the public can reliably and without fear of later -claims of infringement build upon, modify, incorporate in other works, reuse -and redistribute as freely as possible in any form whatsoever and for any -purposes, including without limitation commercial purposes. These owners may -contribute to the Commons to promote the ideal of a free culture and the -further production of creative, cultural and scientific works, or to gain -reputation or greater distribution for their Work in part through the use and -efforts of others. - -For these and/or other purposes and motivations, and without any expectation -of additional consideration or compensation, the person associating CC0 with a -Work (the "Affirmer"), to the extent that he or she is an owner of Copyright -and Related Rights in the Work, voluntarily elects to apply CC0 to the Work -and publicly distribute the Work under its terms, with knowledge of his or her -Copyright and Related Rights in the Work and the meaning and intended legal -effect of CC0 on those rights. - -1. Copyright and Related Rights. A Work made available under CC0 may be -protected by copyright and related or neighboring rights ("Copyright and -Related Rights"). Copyright and Related Rights include, but are not limited -to, the following: - - i. the right to reproduce, adapt, distribute, perform, display, communicate, - and translate a Work; - - ii. moral rights retained by the original author(s) and/or performer(s); - - iii. 
publicity and privacy rights pertaining to a person's image or likeness - depicted in a Work; - - iv. rights protecting against unfair competition in regards to a Work, - subject to the limitations in paragraph 4(a), below; - - v. rights protecting the extraction, dissemination, use and reuse of data in - a Work; - - vi. database rights (such as those arising under Directive 96/9/EC of the - European Parliament and of the Council of 11 March 1996 on the legal - protection of databases, and under any national implementation thereof, - including any amended or successor version of such directive); and - - vii. other similar, equivalent or corresponding rights throughout the world - based on applicable law or treaty, and any national implementations thereof. - -2. Waiver. To the greatest extent permitted by, but not in contravention of, -applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and -unconditionally waives, abandons, and surrenders all of Affirmer's Copyright -and Related Rights and associated claims and causes of action, whether now -known or unknown (including existing as well as future claims and causes of -action), in the Work (i) in all territories worldwide, (ii) for the maximum -duration provided by applicable law or treaty (including future time -extensions), (iii) in any current or future medium and for any number of -copies, and (iv) for any purpose whatsoever, including without limitation -commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes -the Waiver for the benefit of each member of the public at large and to the -detriment of Affirmer's heirs and successors, fully intending that such Waiver -shall not be subject to revocation, rescission, cancellation, termination, or -any other legal or equitable action to disrupt the quiet enjoyment of the Work -by the public as contemplated by Affirmer's express Statement of Purpose. - -3. Public License Fallback. 
Should any part of the Waiver for any reason be -judged legally invalid or ineffective under applicable law, then the Waiver -shall be preserved to the maximum extent permitted taking into account -Affirmer's express Statement of Purpose. In addition, to the extent the Waiver -is so judged Affirmer hereby grants to each affected person a royalty-free, -non transferable, non sublicensable, non exclusive, irrevocable and -unconditional license to exercise Affirmer's Copyright and Related Rights in -the Work (i) in all territories worldwide, (ii) for the maximum duration -provided by applicable law or treaty (including future time extensions), (iii) -in any current or future medium and for any number of copies, and (iv) for any -purpose whatsoever, including without limitation commercial, advertising or -promotional purposes (the "License"). The License shall be deemed effective as -of the date CC0 was applied by Affirmer to the Work. Should any part of the -License for any reason be judged legally invalid or ineffective under -applicable law, such partial invalidity or ineffectiveness shall not -invalidate the remainder of the License, and in such case Affirmer hereby -affirms that he or she will not (i) exercise any of his or her remaining -Copyright and Related Rights in the Work or (ii) assert any associated claims -and causes of action with respect to the Work, in either case contrary to -Affirmer's express Statement of Purpose. - -4. Limitations and Disclaimers. - - a. No trademark or patent rights held by Affirmer are waived, abandoned, - surrendered, licensed or otherwise affected by this document. - - b. 
Affirmer offers the Work as-is and makes no representations or warranties
- of any kind concerning the Work, express, implied, statutory or otherwise,
- including without limitation warranties of title, merchantability, fitness
- for a particular purpose, non infringement, or the absence of latent or
- other defects, accuracy, or the present or absence of errors, whether or not
- discoverable, all to the greatest extent permissible under applicable law.
-
- c. Affirmer disclaims responsibility for clearing rights of other persons
- that may apply to the Work or any use thereof, including without limitation
- any person's Copyright and Related Rights in the Work. Further, Affirmer
- disclaims responsibility for obtaining any necessary consents, permissions
- or other rights required for any use of the Work.
-
- d. Affirmer understands and acknowledges that Creative Commons is not a
- party to this document and has no duty or obligation with respect to this
- CC0 or use of the Work.
-
-For more information, please see
-
diff --git a/crypto_sign/mqdss-48/avx2/Makefile b/crypto_sign/mqdss-48/avx2/Makefile
deleted file mode 100644
index af26c1f7..00000000
--- a/crypto_sign/mqdss-48/avx2/Makefile
+++ /dev/null
@@ -1,22 +0,0 @@
-# This Makefile can be used with GNU Make or BSD Make
-
-LIB=libmqdss-48_avx2.a
-
-HEADERS = params.h gf31.h mq.h api.h
-OBJECTS = gf31.o mq.o sign.o
-
-CFLAGS=-O3 -Wall -Wconversion -Wextra -Wpedantic -Wvla -Werror \ -Wmissing-prototypes -Wredundant-decls -std=c99 -mavx2 \ -I../../../common $(EXTRAFLAGS)
-
-all: $(LIB)
-
-%.o: %.c $(HEADERS)
- $(CC) $(CFLAGS) -c -o $@ $<
-
-$(LIB): $(OBJECTS)
- $(AR) -r $@ $(OBJECTS)
-
-clean:
- $(RM) $(OBJECTS)
- $(RM) $(LIB)
diff --git a/crypto_sign/mqdss-48/avx2/Makefile.Microsoft_nmake b/crypto_sign/mqdss-48/avx2/Makefile.Microsoft_nmake
deleted file mode 100644
index 07d51db5..00000000
--- a/crypto_sign/mqdss-48/avx2/Makefile.Microsoft_nmake
+++ /dev/null
@@ -1,19 +0,0 @@ -# This Makefile can be used with Microsoft Visual Studio's nmake using the command: -# nmake /f Makefile.Microsoft_nmake - -LIBRARY=libmqdss-48_avx2.lib -OBJECTS=gf31.obj mq.obj sign.obj - -CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX /arch:AVX2 - -all: $(LIBRARY) - -# Make sure objects are recompiled if headers change. -$(OBJECTS): *.h - -$(LIBRARY): $(OBJECTS) - LIB.EXE /NOLOGO /WX /OUT:$@ $** - -clean: - -DEL $(OBJECTS) - -DEL $(LIBRARY) diff --git a/crypto_sign/mqdss-48/avx2/api.h b/crypto_sign/mqdss-48/avx2/api.h deleted file mode 100644 index 82109189..00000000 --- a/crypto_sign/mqdss-48/avx2/api.h +++ /dev/null @@ -1,47 +0,0 @@ -#ifndef PQCLEAN_MQDSS48_AVX2_API_H -#define PQCLEAN_MQDSS48_AVX2_API_H - -#include -#include - -#define PQCLEAN_MQDSS48_AVX2_CRYPTO_ALGNAME "MQDSS-48" - -#define PQCLEAN_MQDSS48_AVX2_CRYPTO_SECRETKEYBYTES 16 -#define PQCLEAN_MQDSS48_AVX2_CRYPTO_PUBLICKEYBYTES 46 -#define PQCLEAN_MQDSS48_AVX2_CRYPTO_BYTES 28400 - -/* - * Generates an MQDSS key pair. - */ -int PQCLEAN_MQDSS48_AVX2_crypto_sign_keypair( - uint8_t *pk, uint8_t *sk); - -/** - * Returns an array containing a detached signature. - */ -int PQCLEAN_MQDSS48_AVX2_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk); - -/** - * Verifies a detached signature and message under a given public key. - */ -int PQCLEAN_MQDSS48_AVX2_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk); - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_MQDSS48_AVX2_crypto_sign( - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, const uint8_t *sk); - -/** - * Verifies a given signature-message pair under a given public key. - */ -int PQCLEAN_MQDSS48_AVX2_crypto_sign_open( - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, const uint8_t *pk); - -#endif 
diff --git a/crypto_sign/mqdss-48/avx2/gf31.c b/crypto_sign/mqdss-48/avx2/gf31.c
deleted file mode 100644
index 1a456e54..00000000
--- a/crypto_sign/mqdss-48/avx2/gf31.c
+++ /dev/null
@@ -1,123 +0,0 @@ -#include "params.h" -#include "fips202.h" -#include "gf31.h" -#include -#include -#include - -/* Given a vector of N elements in the range [0, 31], this reduces the elements - to the range [0, 30] by mapping 31 to 0 (i.e reduction mod 31) */ -void PQCLEAN_MQDSS48_AVX2_vgf31_unique(gf31 *out, gf31 *in) { - __m256i x; - __m256i _w31 = _mm256_set1_epi16(31); - int i; - - for (i = 0; i < (N >> 4); ++i) { - x = _mm256_loadu_si256((__m256i const *) (in + 16 * i)); - x = _mm256_xor_si256(x, _mm256_and_si256(_w31, _mm256_cmpeq_epi16(x, _w31))); - _mm256_storeu_si256((__m256i *)(out + i * 16), x); - } -} - -/* This function acts on vectors with 64 gf31 elements. -It performs one reduction step and guarantees output in [0, 30], -but requires input to be in [0, 32768). */ -void PQCLEAN_MQDSS48_AVX2_vgf31_shorten_unique(gf31 *out, gf31 *in) { - __m256i x; - __m256i _w2114 = _mm256_set1_epi32(2114 * 65536 + 2114); - __m256i _w31 = _mm256_set1_epi16(31); - int i; - - for (i = 0; i < (N >> 4); ++i) { - x = _mm256_loadu_si256((__m256i const *) (in + 16 * i)); - x = _mm256_sub_epi16(x, _mm256_mullo_epi16(_w31, _mm256_mulhi_epi16(x, _w2114))); - x = _mm256_xor_si256(x, _mm256_and_si256(_w31, _mm256_cmpeq_epi16(x, _w31))); - _mm256_storeu_si256((__m256i *)(out + i * 16), x); - } -} - -/* Given a seed, samples len gf31 elements (in the range [0, 30]), and places - them in a vector of 16-bit elements */ -void PQCLEAN_MQDSS48_AVX2_gf31_nrand(gf31 *out, size_t len, const uint8_t *seed, size_t seedlen) { - size_t i = 0, j; - shake256ctx shakestate; - uint8_t shakeblock[SHAKE256_RATE]; - - shake256_absorb(&shakestate, seed, seedlen); - - while (i < len) { - shake256_squeezeblocks(shakeblock, 1, &shakestate); - for (j = 0; j < SHAKE256_RATE && i < len; j++) { - if ((shakeblock[j] & 31) != 31) { - out[i] = (shakeblock[j] & 31); - i++; - } - } - } - shake256_ctx_release(&shakestate); -} - -/* Given a seed, samples len gf31 elements, transposed into unsigned range, - i.e. 
in the range [-15, 15], and places them in an array of 8-bit integers. - This is used for the expansion of F, which wants packed elements. */ -void PQCLEAN_MQDSS48_AVX2_gf31_nrand_schar(signed char *out, size_t len, const uint8_t *seed, size_t seedlen) { - size_t i = 0, j; - shake256ctx shakestate; - uint8_t shakeblock[SHAKE256_RATE]; - - shake256_absorb(&shakestate, seed, seedlen); - - while (i < len) { - shake256_squeezeblocks(shakeblock, 1, &shakestate); - for (j = 0; j < SHAKE256_RATE && i < len; j++) { - if ((shakeblock[j] & 31) != 31) { - out[i] = (signed char)((shakeblock[j] & 31) - 15); - i++; - } - } - } - shake256_ctx_release(&shakestate); - -} - -/* Unpacks an array of packed GF31 elements to one element per gf31. - Assumes that there is sufficient empty space available at the end of the - array to unpack. Can perform in-place. */ -void PQCLEAN_MQDSS48_AVX2_gf31_nunpack(gf31 *out, const uint8_t *in, size_t n) { - size_t i; - size_t j = ((n * 5) >> 3) - 1; - unsigned int d = 0; - - for (i = n; i > 0; i--) { - out[i - 1] = (gf31)((in[j] >> d) & 31); - d += 5; - if (d > 8) { - d -= 8; - j--; - out[i - 1] = (gf31)(out[i - 1] ^ ((in[j] << (5 - d)) & 31)); - } - } -} - -/* Packs an array of GF31 elements from gf31's to concatenated 5-bit values. - Assumes that there is sufficient space available to unpack. - Can perform in-place. */ -void PQCLEAN_MQDSS48_AVX2_gf31_npack(uint8_t *out, const gf31 *in, size_t n) { - unsigned int i = 0; - unsigned int j; - int d = 3; - - /* There will be ceil(5n / 8) output blocks */ - memset(out, 0, (size_t)((5 * n + 7) & ~7U) >> 3); - - for (j = 0; j < n; j++) { - if (d < 0) { - d += 8; - out[i] = (uint8_t)((out[i] & (255 << (d - 3))) | - ((in[j] >> (8 - d)) & ~(255 << (d - 3)))); - i++; - } - out[i] = (uint8_t)((out[i] & ~(31 << d)) | ((in[j] << d) & (31 << d))); - d -= 5; - } -} diff --git a/crypto_sign/mqdss-48/avx2/gf31.h b/crypto_sign/mqdss-48/avx2/gf31.h deleted file mode 100644 index 91ef43b8..00000000 
--- a/crypto_sign/mqdss-48/avx2/gf31.h +++ /dev/null @@ -1,36 +0,0 @@ -#ifndef MQDSS_GF31_H -#define MQDSS_GF31_H - -#include -#include - -typedef unsigned short gf31; - -/* Given a vector of elements in the range [0, 31], this reduces the elements - to the range [0, 30] by mapping 31 to 0 (i.e reduction mod 31) */ -void PQCLEAN_MQDSS48_AVX2_vgf31_unique(gf31 *out, gf31 *in); - -/* Given a vector of 16-bit integers (i.e. in [0, 65535], this reduces the - elements to the range [0, 30] by mapping 31 to 0 (i.e reduction mod 31) */ -void PQCLEAN_MQDSS48_AVX2_vgf31_shorten_unique(gf31 *out, gf31 *in); - -/* Given a seed, samples len gf31 elements (in the range [0, 30]), and places - them in a vector of 16-bit elements */ -void PQCLEAN_MQDSS48_AVX2_gf31_nrand(gf31 *out, size_t len, const uint8_t *seed, size_t seedlen); - -/* Given a seed, samples len gf31 elements, transposed into unsigned range, - i.e. in the range [-15, 15], and places them in an array of 8-bit integers. - This is used for the expansion of F, which wants packed elements. */ -void PQCLEAN_MQDSS48_AVX2_gf31_nrand_schar(signed char *out, size_t len, const uint8_t *seed, size_t seedlen); - -/* Unpacks an array of packed GF31 elements to one element per gf31. - Assumes that there is sufficient empty space available at the end of the - array to unpack. Can perform in-place. */ -void PQCLEAN_MQDSS48_AVX2_gf31_nunpack(gf31 *out, const uint8_t *in, size_t n); - -/* Packs an array of GF31 elements from gf31's to concatenated 5-bit values. - Assumes that there is sufficient space available to unpack. - Can perform in-place. */ -void PQCLEAN_MQDSS48_AVX2_gf31_npack(uint8_t *out, const gf31 *in, size_t n); - -#endif diff --git a/crypto_sign/mqdss-48/avx2/mq.c b/crypto_sign/mqdss-48/avx2/mq.c deleted file mode 100644 index 3eb9cd3c..00000000 --- a/crypto_sign/mqdss-48/avx2/mq.c +++ /dev/null 
@@ -1,251 +0,0 @@ -#include "mq.h" -#include "params.h" -#include -#include - -static inline __m256i reduce_16(__m256i r, __m256i _w31, __m256i _w2114) { - __m256i exp = _mm256_mulhi_epi16(r, _w2114); - return _mm256_sub_epi16(r, _mm256_mullo_epi16(_w31, exp)); -} - -/* Computes all products x_i * x_j, returns in reduced form */ -inline static -void generate_quadratic_terms( unsigned char *xij, const gf31 *x ) { - __m256i mask_2114 = _mm256_set1_epi16( 2114 ); - __m256i mask_31 = _mm256_set1_epi16( 31 ); - __m256i xi[4]; - xi[0] = _mm256_loadu_si256((__m256i const *) (x)); - xi[1] = _mm256_loadu_si256((__m256i const *) (x + 16)); - xi[2] = _mm256_loadu_si256((__m256i const *) (x + 32)); - xi[3] = _mm256_setzero_si256(); - - __m256i xixj[4]; - xixj[0] = _mm256_setzero_si256(); - xixj[1] = _mm256_setzero_si256(); - xixj[2] = _mm256_setzero_si256(); - xixj[3] = _mm256_setzero_si256(); - - int k = 0; - for (int i = 0; i < 32; i++) { - __m256i br_xi = _mm256_set1_epi16( (short)x[i] ); - for (int j = 0; j <= (i >> 4); j++) { - xixj[j] = _mm256_mullo_epi16( xi[j], br_xi ); - xixj[j] = reduce_16( xixj[j], mask_31, mask_2114 ); - } - - __m256i r = _mm256_packs_epi16(xixj[0], xixj[1]); - r = _mm256_permute4x64_epi64(r, 0xd8); // 3,1,2,0 - _mm256_storeu_si256( (__m256i *)( xij + k ), r ); - k += i + 1; - } - - for (int i = 32; i < N; i++) { - __m256i br_xi = _mm256_set1_epi16( (short)x[i] ); - for (int j = 0; j <= (i >> 4); j++) { - xixj[j] = _mm256_mullo_epi16( xi[j], br_xi ); - xixj[j] = reduce_16( xixj[j], mask_31, mask_2114 ); - } - - __m256i r0 = _mm256_packs_epi16(xixj[0], xixj[1]); - r0 = _mm256_permute4x64_epi64(r0, 0xd8); // 3,1,2,0 - _mm256_storeu_si256( (__m256i *)( xij + k ), r0 ); - __m256i r1 = _mm256_packs_epi16(xixj[2], xixj[3]); - r1 = _mm256_permute4x64_epi64(r1, 0xd8); // 3,1,2,0 - _mm256_storeu_si256( (__m256i *)( xij + 32 + k ), r1 ); - k += i + 1; - } -} - -/* Computes all terms (x_i * y_j) + (x_j * y_i), returns in reduced form */ -inline static -void 
generate_xiyj_p_xjyi_terms( unsigned char *xij, const gf31 *x, const gf31 *y ) { - __m256i mask_2114 = _mm256_set1_epi16( 2114 ); - __m256i mask_31 = _mm256_set1_epi16( 31 ); - __m256i xiyi[4]; - xiyi[0] = _mm256_xor_si256(_mm256_loadu_si256((__m256i const *) (x)), _mm256_slli_si256( _mm256_loadu_si256((__m256i const *) (y)), 1 )); - xiyi[1] = _mm256_xor_si256(_mm256_loadu_si256((__m256i const *) (x + 16)), _mm256_slli_si256( _mm256_loadu_si256((__m256i const *) (y + 16)), 1 )); - xiyi[2] = _mm256_xor_si256(_mm256_loadu_si256((__m256i const *) (x + 32)), _mm256_slli_si256( _mm256_loadu_si256((__m256i const *) (y + 32)), 1 )); - xiyi[3] = _mm256_setzero_si256(); - - __m256i xixj[4]; - xixj[0] = _mm256_setzero_si256(); - xixj[1] = _mm256_setzero_si256(); - xixj[2] = _mm256_setzero_si256(); - xixj[3] = _mm256_setzero_si256(); - - int k = 0; - for (int i = 0; i < 32; i++) { - __m256i br_yixi = _mm256_set1_epi16( (short)((x[i] << 8)^y[i]) ); - for (int j = 0; j <= (i >> 4); j++) { - xixj[j] = _mm256_maddubs_epi16( xiyi[j], br_yixi ); - xixj[j] = reduce_16( xixj[j], mask_31, mask_2114 ); - } - - __m256i r = _mm256_packs_epi16(xixj[0], xixj[1]); - r = _mm256_permute4x64_epi64(r, 0xd8); // 3,1,2,0 - _mm256_storeu_si256( (__m256i *)( xij + k ), r ); - k += i + 1; - } - - for (int i = 32; i < N; i++) { - __m256i br_yixi = _mm256_set1_epi16( (short)((x[i] << 8)^y[i]) ); - for (int j = 0; j <= (i >> 4); j++) { - xixj[j] = _mm256_maddubs_epi16( xiyi[j], br_yixi ); - xixj[j] = reduce_16( xixj[j], mask_31, mask_2114 ); - } - - __m256i r0 = _mm256_packs_epi16(xixj[0], xixj[1]); - r0 = _mm256_permute4x64_epi64(r0, 0xd8); // 3,1,2,0 - _mm256_storeu_si256( (__m256i *)( xij + k ), r0 ); - __m256i r1 = _mm256_packs_epi16(xixj[2], xixj[3]); - r1 = _mm256_permute4x64_epi64(r1, 0xd8); // 3,1,2,0 - _mm256_storeu_si256( (__m256i *)( xij + 32 + k ), r1 ); - k += i + 1; - } -} - -#define EVAL_YMM_0(xx) {\ - __m128i tmp = _mm256_castsi256_si128(xx); \ - for (int macro_i = 0; macro_i < 8; 
macro_i++) { \ - __m256i _xi = _mm256_broadcastw_epi16(tmp); \ - tmp = _mm_srli_si128(tmp, 2); \ - for (int macro_j = 0; macro_j < (N/16); macro_j++) { \ - __m256i coeff = _mm256_loadu_si256((__m256i const *) F); \ - F += 32; \ - yy[macro_j] = _mm256_add_epi16(yy[macro_j], _mm256_maddubs_epi16(_xi, coeff)); \ - } \ - } \ - } - -#define EVAL_YMM_1(xx) {\ - __m128i tmp = _mm256_extracti128_si256(xx, 1); \ - for (int macro_i = 0; macro_i < 8; macro_i++) { \ - __m256i _xi = _mm256_broadcastw_epi16(tmp); \ - tmp = _mm_srli_si128(tmp, 2); \ - for (int macro_j = 0; macro_j < (N/16); macro_j++) { \ - __m256i coeff = _mm256_loadu_si256((__m256i const *) F); \ - F += 32; \ - yy[macro_j] = _mm256_add_epi16(yy[macro_j], _mm256_maddubs_epi16(_xi, coeff)); \ - } \ - } \ - } - -#define REDUCE_(yy) { \ - (yy)[0] = reduce_16((yy)[0], mask_reduce, mask_2114); \ - (yy)[1] = reduce_16((yy)[1], mask_reduce, mask_2114); \ - (yy)[2] = reduce_16((yy)[2], mask_reduce, mask_2114); \ - } - -/* Evaluates the MQ function on a vector of N gf31 elements x (expected to be - in reduced 5-bit representation). Expects the coefficients in F to be in - signed representation (i.e. [-15, 15], packed bytewise). - Outputs M gf31 elements in unique 16-bit representation as fx. 
*/ -void PQCLEAN_MQDSS48_AVX2_MQ(gf31 *fx, const gf31 *x, const signed char *F) { - __m256i mask_2114 = _mm256_set1_epi32(2114 * 65536 + 2114); - __m256i mask_reduce = _mm256_srli_epi16(_mm256_cmpeq_epi16(mask_2114, mask_2114), 11); - - __m256i xi[4]; - xi[0] = _mm256_loadu_si256((__m256i const *) (x)); - xi[1] = _mm256_loadu_si256((__m256i const *) (x + 16)); - xi[2] = _mm256_loadu_si256((__m256i const *) (x + 32)); - xi[3] = _mm256_setzero_si256(); - - __m256i _zero = _mm256_setzero_si256(); - xi[0] = _mm256_add_epi16(_mm256_and_si256(mask_reduce, _mm256_cmpgt_epi16(_zero, xi[0])), xi[0]); - xi[1] = _mm256_add_epi16(_mm256_and_si256(mask_reduce, _mm256_cmpgt_epi16(_zero, xi[1])), xi[1]); - xi[2] = _mm256_add_epi16(_mm256_and_si256(mask_reduce, _mm256_cmpgt_epi16(_zero, xi[2])), xi[2]); - - __m256i x1 = _mm256_packs_epi16(xi[0], xi[1]); - x1 = _mm256_permute4x64_epi64(x1, 0xd8); // 3,1,2,0 - __m256i x2 = _mm256_packs_epi16(xi[2], xi[3]); - x2 = _mm256_permute4x64_epi64(x2, 0xd8); // 3,1,2,0 - - __m256i yy[M / 16]; - yy[0] = _zero; - yy[1] = _zero; - yy[2] = _zero; - - EVAL_YMM_0(x1) - EVAL_YMM_1(x1) - EVAL_YMM_0(x2) - REDUCE_(yy) - - __m256i xixj[38]; - generate_quadratic_terms( (unsigned char *) xixj, x ); - for (int i = 0 ; i < 36 ; i += 2) { - EVAL_YMM_0(xixj[i]) - EVAL_YMM_1(xixj[i]) - EVAL_YMM_0(xixj[i + 1]) - EVAL_YMM_1(xixj[i + 1]) - REDUCE_(yy) - } - EVAL_YMM_0(xixj[36]) { - __m128i tmp = _mm256_extracti128_si256(xixj[36], 1); - for (int i = 0; i < 4; i++) { - __m256i _xi = _mm256_broadcastw_epi16(tmp); - tmp = _mm_srli_si128(tmp, 2); - for (int j = 0; j < (N / 16); j++) { - __m256i coeff = _mm256_loadu_si256((__m256i const *) F); - F += 32; - yy[j] = _mm256_add_epi16(yy[j], _mm256_maddubs_epi16(_xi, coeff)); - } - } - } - REDUCE_(yy) - - yy[0] = _mm256_add_epi16(_mm256_and_si256(mask_reduce, _mm256_cmpgt_epi16(_mm256_setzero_si256(), yy[0])), yy[0]); - yy[1] = _mm256_add_epi16(_mm256_and_si256(mask_reduce, _mm256_cmpgt_epi16(_mm256_setzero_si256(), 
yy[1])), yy[1]); - yy[2] = _mm256_add_epi16(_mm256_and_si256(mask_reduce, _mm256_cmpgt_epi16(_mm256_setzero_si256(), yy[2])), yy[2]); - - for (int i = 0; i < (N / 16); ++i) { - _mm256_storeu_si256((__m256i *)(fx + i * 16), yy[i]); - } -} - -/* Evaluates the bilinear polar form of the MQ function (i.e. G) on a vector of - N gf31 elements x (expected to be in reduced 5-bit representation). Expects - the coefficients in F to be in signed representation (i.e. [-15, 15], packed - bytewise). Outputs M gf31 elements in unique 16-bit representation as fx. */ -void PQCLEAN_MQDSS48_AVX2_G(gf31 *fx, const gf31 *x, const gf31 *y, const signed char *F) { - __m256i mask_2114 = _mm256_set1_epi32(2114 * 65536 + 2114); - __m256i mask_reduce = _mm256_srli_epi16(_mm256_cmpeq_epi16(mask_2114, mask_2114), 11); - __m256i _zero = _mm256_setzero_si256(); - - __m256i yy[(M / 16)]; - yy[0] = _zero; - yy[1] = _zero; - yy[2] = _zero; - - F += N * M; - - __m256i xixj[38]; - generate_xiyj_p_xjyi_terms( (unsigned char *) xixj, x, y ); - for (int i = 0 ; i < 36 ; i += 2) { - EVAL_YMM_0(xixj[i]) - EVAL_YMM_1(xixj[i]) - EVAL_YMM_0(xixj[i + 1]) - EVAL_YMM_1(xixj[i + 1]) - REDUCE_(yy) - } - EVAL_YMM_0(xixj[36]) { - __m128i tmp = _mm256_extracti128_si256(xixj[36], 1); - for (int i = 0; i < 4; i++) { - __m256i _xi = _mm256_broadcastw_epi16(tmp); - tmp = _mm_srli_si128(tmp, 2); - for (int j = 0; j < (N / 16); j++) { - __m256i coeff = _mm256_loadu_si256((__m256i const *) F); - F += 32; - yy[j] = _mm256_add_epi16(yy[j], _mm256_maddubs_epi16(_xi, coeff)); - } - } - } - REDUCE_(yy) - - yy[0] = _mm256_add_epi16(_mm256_and_si256(mask_reduce, _mm256_cmpgt_epi16(_mm256_setzero_si256(), yy[0])), yy[0]); - yy[1] = _mm256_add_epi16(_mm256_and_si256(mask_reduce, _mm256_cmpgt_epi16(_mm256_setzero_si256(), yy[1])), yy[1]); - yy[2] = _mm256_add_epi16(_mm256_and_si256(mask_reduce, _mm256_cmpgt_epi16(_mm256_setzero_si256(), yy[2])), yy[2]); - - for (int i = 0; i < (N / 16); ++i) { - _mm256_storeu_si256((__m256i *)(fx + 
i * 16), yy[i]); - } -} diff --git a/crypto_sign/mqdss-48/avx2/mq.h b/crypto_sign/mqdss-48/avx2/mq.h deleted file mode 100644 index 4975740d..00000000 --- a/crypto_sign/mqdss-48/avx2/mq.h +++ /dev/null @@ -1,18 +0,0 @@ -#ifndef MQDSS_MQ_H -#define MQDSS_MQ_H - -#include "gf31.h" - -/* Evaluates the MQ function on a vector of N gf31 elements x (expected to be - in reduced 5-bit representation). Expects the coefficients in F to be in - signed representation (i.e. [-15, 15], packed bytewise). - Outputs M gf31 elements in unique 16-bit representation as fx. */ -void PQCLEAN_MQDSS48_AVX2_MQ(gf31 *fx, const gf31 *x, const signed char *F); - -/* Evaluates the bilinear polar form of the MQ function (i.e. G) on a vector of - N gf31 elements x (expected to be in reduced 5-bit representation). Expects - the coefficients in F to be in signed representation (i.e. [-15, 15], packed - bytewise). Outputs M gf31 elements in unique 16-bit representation as fx. */ -void PQCLEAN_MQDSS48_AVX2_G(gf31 *fx, const gf31 *x, const gf31 *y, const signed char *F); - -#endif diff --git a/crypto_sign/mqdss-48/avx2/params.h b/crypto_sign/mqdss-48/avx2/params.h deleted file mode 100644 index 94e47077..00000000 --- a/crypto_sign/mqdss-48/avx2/params.h +++ /dev/null 
@@ -1,25 +0,0 @@ -#ifndef MQDSS_PARAMS_H -#define MQDSS_PARAMS_H - -#define N 48 -#define M N -#define F_LEN (M * (((N * (N + 1)) >> 1) + N)) /* Number of elements in F */ - -#define ROUNDS 184 - -/* Number of bytes that N, M and F_LEN elements require when packed into a byte - array, 5-bit elements packed continuously. */ -/* Assumes N and M to be multiples of 8 */ -#define NPACKED_BYTES ((N * 5) >> 3) -#define MPACKED_BYTES ((M * 5) >> 3) -#define FPACKED_BYTES ((F_LEN * 5) >> 3) - -#define HASH_BYTES 32 -#define SEED_BYTES 16 -#define PK_BYTES (SEED_BYTES + MPACKED_BYTES) -#define SK_BYTES SEED_BYTES - -// R, sigma_0, ROUNDS * (t1, r{0,1}, e1, c, rho) -#define SIG_LEN (2 * HASH_BYTES + ROUNDS * (2*NPACKED_BYTES + MPACKED_BYTES + HASH_BYTES + HASH_BYTES)) - -#endif diff --git a/crypto_sign/mqdss-48/avx2/sign.c b/crypto_sign/mqdss-48/avx2/sign.c deleted file mode 100644 index f454a254..00000000 --- a/crypto_sign/mqdss-48/avx2/sign.c +++ /dev/null 
@@ -1,389 +0,0 @@ -#include -#include -#include - -#include "api.h" -#include "fips202.h" -#include "gf31.h" -#include "mq.h" -#include "params.h" -#include "randombytes.h" - -/* Takes an array of len bytes and computes a hash digest. - This is used as a hash function in the Fiat-Shamir transform. */ -static void H(unsigned char *out, const unsigned char *in, const size_t len) { - shake256(out, HASH_BYTES, in, len); -} - -/* Takes two arrays of N packed elements and an array of M packed elements, - and computes a HASH_BYTES commitment. */ -static void com_0(unsigned char *c, - const unsigned char *rho, - const unsigned char *inn, const unsigned char *inn2, - const unsigned char *inm) { - unsigned char buffer[HASH_BYTES + 2 * NPACKED_BYTES + MPACKED_BYTES]; - memcpy(buffer, rho, HASH_BYTES); - memcpy(buffer + HASH_BYTES, inn, NPACKED_BYTES); - memcpy(buffer + HASH_BYTES + NPACKED_BYTES, inn2, NPACKED_BYTES); - memcpy(buffer + HASH_BYTES + 2 * NPACKED_BYTES, inm, MPACKED_BYTES); - shake256(c, HASH_BYTES, buffer, HASH_BYTES + 2 * NPACKED_BYTES + MPACKED_BYTES); -} - -/* Takes an array of N packed elements and an array of M packed elements, - and computes a HASH_BYTES commitment. */ -static void com_1(unsigned char *c, - const unsigned char *rho, - const unsigned char *inn, const unsigned char *inm) { - unsigned char buffer[HASH_BYTES + NPACKED_BYTES + MPACKED_BYTES]; - memcpy(buffer, rho, HASH_BYTES); - memcpy(buffer + HASH_BYTES, inn, NPACKED_BYTES); - memcpy(buffer + HASH_BYTES + NPACKED_BYTES, inm, MPACKED_BYTES); - shake256(c, HASH_BYTES, buffer, HASH_BYTES + NPACKED_BYTES + MPACKED_BYTES); -} - -/* - * Generates an MQDSS key pair. - */ -int PQCLEAN_MQDSS48_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { - signed char F[F_LEN]; - unsigned char skbuf[SEED_BYTES * 2]; - gf31 sk_gf31[N]; - gf31 pk_gf31[M]; - - // Expand sk to obtain a seed for F and the secret input s. 
- // We also expand to obtain a value for sampling r0, t0 and e0 during - // signature generation, but that is not relevant here. - randombytes(sk, SEED_BYTES); - shake256(skbuf, SEED_BYTES * 2, sk, SEED_BYTES); - - memcpy(pk, skbuf, SEED_BYTES); - PQCLEAN_MQDSS48_AVX2_gf31_nrand_schar(F, F_LEN, pk, SEED_BYTES); - PQCLEAN_MQDSS48_AVX2_gf31_nrand(sk_gf31, N, skbuf + SEED_BYTES, SEED_BYTES); - PQCLEAN_MQDSS48_AVX2_MQ(pk_gf31, sk_gf31, F); - PQCLEAN_MQDSS48_AVX2_vgf31_unique(pk_gf31, pk_gf31); - PQCLEAN_MQDSS48_AVX2_gf31_npack(pk + SEED_BYTES, pk_gf31, M); - - return 0; -} - -/** - * Returns an array containing a detached signature. - */ -int PQCLEAN_MQDSS48_AVX2_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - - signed char F[F_LEN]; - unsigned char skbuf[SEED_BYTES * 4]; - gf31 pk_gf31[M]; - unsigned char pk[SEED_BYTES + MPACKED_BYTES]; - // Concatenated for convenient hashing. - unsigned char D_sigma0_h0_sigma1[HASH_BYTES * 3 + ROUNDS * (NPACKED_BYTES + MPACKED_BYTES)]; - unsigned char *D = D_sigma0_h0_sigma1; - unsigned char *sigma0 = D_sigma0_h0_sigma1 + HASH_BYTES; - unsigned char *h0 = D_sigma0_h0_sigma1 + 2 * HASH_BYTES; - unsigned char *t1packed = D_sigma0_h0_sigma1 + 3 * HASH_BYTES; - unsigned char *e1packed = D_sigma0_h0_sigma1 + 3 * HASH_BYTES + ROUNDS * NPACKED_BYTES; - shake256ctx shakestate; - unsigned char shakeblock[SHAKE256_RATE]; - unsigned char h1[((ROUNDS + 7) & ~7) >> 3]; - unsigned char rnd_seed[HASH_BYTES + SEED_BYTES]; - unsigned char rho[2 * ROUNDS * HASH_BYTES]; - unsigned char *rho0 = rho; - unsigned char *rho1 = rho + ROUNDS * HASH_BYTES; - gf31 sk_gf31[N]; - gf31 rnd[(2 * N + M) * ROUNDS]; // Concatenated for easy RNG. 
- gf31 *r0 = rnd; - gf31 *t0 = rnd + N * ROUNDS; - gf31 *e0 = rnd + 2 * N * ROUNDS; - gf31 r1[N * ROUNDS]; - gf31 t1[N * ROUNDS]; - gf31 e1[M * ROUNDS]; - gf31 gx[M * ROUNDS]; - unsigned char packbuf0[NPACKED_BYTES]; - unsigned char packbuf1[NPACKED_BYTES]; - unsigned char packbuf2[MPACKED_BYTES]; - unsigned char c[HASH_BYTES * ROUNDS * 2]; - gf31 alpha; - int alpha_count = 0; - int b; - int i, j; - shake256incctx state; - - shake256(skbuf, SEED_BYTES * 4, sk, SEED_BYTES); - - PQCLEAN_MQDSS48_AVX2_gf31_nrand_schar(F, F_LEN, skbuf, SEED_BYTES); - - shake256_inc_init(&state); - shake256_inc_absorb(&state, sk, SEED_BYTES); - shake256_inc_absorb(&state, m, mlen); - shake256_inc_finalize(&state); - shake256_inc_squeeze(sig, HASH_BYTES, &state); // Compute R. - shake256_inc_ctx_release(&state); - - memcpy(pk, skbuf, SEED_BYTES); - PQCLEAN_MQDSS48_AVX2_gf31_nrand(sk_gf31, N, skbuf + SEED_BYTES, SEED_BYTES); - PQCLEAN_MQDSS48_AVX2_MQ(pk_gf31, sk_gf31, F); - PQCLEAN_MQDSS48_AVX2_vgf31_unique(pk_gf31, pk_gf31); - PQCLEAN_MQDSS48_AVX2_gf31_npack(pk + SEED_BYTES, pk_gf31, M); - - shake256_inc_init(&state); - shake256_inc_absorb(&state, pk, PK_BYTES); - shake256_inc_absorb(&state, sig, HASH_BYTES); - shake256_inc_absorb(&state, m, mlen); - shake256_inc_finalize(&state); - shake256_inc_squeeze(D, HASH_BYTES, &state); - shake256_inc_ctx_release(&state); - - sig += HASH_BYTES; // Compensate for prefixed R. 
- - memcpy(rnd_seed, skbuf + 2 * SEED_BYTES, SEED_BYTES); - memcpy(rnd_seed + SEED_BYTES, D, HASH_BYTES); - shake256(rho, 2 * ROUNDS * HASH_BYTES, rnd_seed, SEED_BYTES + HASH_BYTES); - - memcpy(rnd_seed, skbuf + 3 * SEED_BYTES, SEED_BYTES); - memcpy(rnd_seed + SEED_BYTES, D, HASH_BYTES); - PQCLEAN_MQDSS48_AVX2_gf31_nrand(rnd, (2 * N + M) * ROUNDS, rnd_seed, SEED_BYTES + HASH_BYTES); - - for (i = 0; i < ROUNDS; i++) { - for (j = 0; j < N; j++) { - r1[j + i * N] = (gf31)(31 + sk_gf31[j] - r0[j + i * N]); - } - PQCLEAN_MQDSS48_AVX2_G(gx + i * M, t0 + i * N, r1 + i * N, F); - } - for (i = 0; i < ROUNDS * M; i++) { - gx[i] = (gf31)(gx[i] + e0[i]); - } - for (i = 0; i < ROUNDS; i++) { - PQCLEAN_MQDSS48_AVX2_gf31_npack(packbuf0, r0 + i * N, N); - PQCLEAN_MQDSS48_AVX2_gf31_npack(packbuf1, t0 + i * N, N); - PQCLEAN_MQDSS48_AVX2_gf31_npack(packbuf2, e0 + i * M, M); - com_0(c + HASH_BYTES * (2 * i + 0), rho0 + i * HASH_BYTES, packbuf0, packbuf1, packbuf2); - PQCLEAN_MQDSS48_AVX2_vgf31_shorten_unique(r1 + i * N, r1 + i * N); - PQCLEAN_MQDSS48_AVX2_vgf31_shorten_unique(gx + i * M, gx + i * M); - PQCLEAN_MQDSS48_AVX2_gf31_npack(packbuf0, r1 + i * N, N); - PQCLEAN_MQDSS48_AVX2_gf31_npack(packbuf1, gx + i * M, M); - com_1(c + HASH_BYTES * (2 * i + 1), rho1 + i * HASH_BYTES, packbuf0, packbuf1); - } - - H(sigma0, c, HASH_BYTES * ROUNDS * 2); // Compute sigma_0. - shake256_absorb(&shakestate, D_sigma0_h0_sigma1, 2 * HASH_BYTES); - shake256_squeezeblocks(shakeblock, 1, &shakestate); - - memcpy(h0, shakeblock, HASH_BYTES); - - memcpy(sig, sigma0, HASH_BYTES); - sig += HASH_BYTES; // Compensate for sigma_0. 
- - for (i = 0; i < ROUNDS; i++) { - do { - alpha = shakeblock[alpha_count] & 31; - alpha_count++; - if (alpha_count == SHAKE256_RATE) { - alpha_count = 0; - shake256_squeezeblocks(shakeblock, 1, &shakestate); - } - } while (alpha == 31); - for (j = 0; j < N; j++) { - t1[i * N + j] = (gf31)(alpha * r0[j + i * N] - t0[j + i * N] + 31); - } - PQCLEAN_MQDSS48_AVX2_MQ(e1 + i * M, r0 + i * N, F); - for (j = 0; j < N; j++) { - e1[i * N + j] = (gf31)(alpha * e1[j + i * M] - e0[j + i * M] + 31); - } - PQCLEAN_MQDSS48_AVX2_vgf31_shorten_unique(t1 + i * N, t1 + i * N); - PQCLEAN_MQDSS48_AVX2_vgf31_shorten_unique(e1 + i * N, e1 + i * N); - } - shake256_ctx_release(&shakestate); - - PQCLEAN_MQDSS48_AVX2_gf31_npack(t1packed, t1, N * ROUNDS); - PQCLEAN_MQDSS48_AVX2_gf31_npack(e1packed, e1, M * ROUNDS); - - memcpy(sig, t1packed, NPACKED_BYTES * ROUNDS); - sig += NPACKED_BYTES * ROUNDS; - memcpy(sig, e1packed, MPACKED_BYTES * ROUNDS); - sig += MPACKED_BYTES * ROUNDS; - - shake256(h1, ((ROUNDS + 7) & ~7) >> 3, D_sigma0_h0_sigma1, 3 * HASH_BYTES + ROUNDS * (NPACKED_BYTES + MPACKED_BYTES)); - - for (i = 0; i < ROUNDS; i++) { - b = (h1[(i >> 3)] >> (i & 7)) & 1; - if (b == 0) { - PQCLEAN_MQDSS48_AVX2_gf31_npack(sig, r0 + i * N, N); - } else if (b == 1) { - PQCLEAN_MQDSS48_AVX2_gf31_npack(sig, r1 + i * N, N); - } - memcpy(sig + NPACKED_BYTES, c + HASH_BYTES * (2 * i + (1 - b)), HASH_BYTES); - memcpy(sig + NPACKED_BYTES + HASH_BYTES, rho + (i + b * ROUNDS) * HASH_BYTES, HASH_BYTES); - sig += NPACKED_BYTES + 2 * HASH_BYTES; - } - - *siglen = SIG_LEN; - return 0; -} - -/** - * Verifies a detached signature and message under a given public key. - */ -int PQCLEAN_MQDSS48_AVX2_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk) { - - gf31 r[N]; - gf31 t[N]; - gf31 e[M]; - signed char F[F_LEN]; - gf31 pk_gf31[M]; - // Concatenated for convenient hashing. 
- unsigned char D_sigma0_h0_sigma1[HASH_BYTES * 3 + ROUNDS * (NPACKED_BYTES + MPACKED_BYTES)]; - unsigned char *D = D_sigma0_h0_sigma1; - unsigned char *sigma0 = D_sigma0_h0_sigma1 + HASH_BYTES; - unsigned char *h0 = D_sigma0_h0_sigma1 + 2 * HASH_BYTES; - unsigned char *t1packed = D_sigma0_h0_sigma1 + 3 * HASH_BYTES; - unsigned char *e1packed = D_sigma0_h0_sigma1 + 3 * HASH_BYTES + ROUNDS * NPACKED_BYTES; - unsigned char h1[((ROUNDS + 7) & ~7) >> 3]; - unsigned char c[HASH_BYTES * ROUNDS * 2]; - memset(c, 0, HASH_BYTES * 2); - gf31 x[N]; - gf31 y[M]; - gf31 z[M]; - unsigned char packbuf0[NPACKED_BYTES]; - unsigned char packbuf1[MPACKED_BYTES]; - shake256ctx shakestate; - unsigned char shakeblock[SHAKE256_RATE]; - int i, j; - gf31 alpha; - int alpha_count = 0; - int b; - shake256incctx state; - - if (siglen != SIG_LEN) { - return -1; - } - - shake256_inc_init(&state); - shake256_inc_absorb(&state, pk, PK_BYTES); - shake256_inc_absorb(&state, sig, HASH_BYTES); - shake256_inc_absorb(&state, m, mlen); - shake256_inc_finalize(&state); - shake256_inc_squeeze(D, HASH_BYTES, &state); - shake256_inc_ctx_release(&state); - - sig += HASH_BYTES; - - PQCLEAN_MQDSS48_AVX2_gf31_nrand_schar(F, F_LEN, pk, SEED_BYTES); - pk += SEED_BYTES; - PQCLEAN_MQDSS48_AVX2_gf31_nunpack(pk_gf31, pk, M); - - memcpy(sigma0, sig, HASH_BYTES); - - shake256_absorb(&shakestate, D_sigma0_h0_sigma1, 2 * HASH_BYTES); - shake256_squeezeblocks(shakeblock, 1, &shakestate); - - memcpy(h0, shakeblock, HASH_BYTES); - - sig += HASH_BYTES; - - memcpy(t1packed, sig, ROUNDS * NPACKED_BYTES); - sig += ROUNDS * NPACKED_BYTES; - memcpy(e1packed, sig, ROUNDS * MPACKED_BYTES); - sig += ROUNDS * MPACKED_BYTES; - - shake256(h1, ((ROUNDS + 7) & ~7) >> 3, D_sigma0_h0_sigma1, 3 * HASH_BYTES + ROUNDS * (NPACKED_BYTES + MPACKED_BYTES)); - - for (i = 0; i < ROUNDS; i++) { - do { - alpha = shakeblock[alpha_count] & 31; - alpha_count++; - if (alpha_count == SHAKE256_RATE) { - alpha_count = 0; - shake256_squeezeblocks(shakeblock, 
1, &shakestate); - } - } while (alpha == 31); - b = (h1[(i >> 3)] >> (i & 7)) & 1; - - PQCLEAN_MQDSS48_AVX2_gf31_nunpack(r, sig, N); - PQCLEAN_MQDSS48_AVX2_gf31_nunpack(t, t1packed + NPACKED_BYTES * i, N); - PQCLEAN_MQDSS48_AVX2_gf31_nunpack(e, e1packed + MPACKED_BYTES * i, M); - - if (b == 0) { - PQCLEAN_MQDSS48_AVX2_MQ(y, r, F); - for (j = 0; j < N; j++) { - x[j] = (gf31)(alpha * r[j] - t[j] + 31); - } - for (j = 0; j < N; j++) { - y[j] = (gf31)(alpha * y[j] - e[j] + 31); - } - PQCLEAN_MQDSS48_AVX2_vgf31_shorten_unique(x, x); - PQCLEAN_MQDSS48_AVX2_vgf31_shorten_unique(y, y); - PQCLEAN_MQDSS48_AVX2_gf31_npack(packbuf0, x, N); - PQCLEAN_MQDSS48_AVX2_gf31_npack(packbuf1, y, M); - com_0(c + HASH_BYTES * (2 * i + 0), sig + HASH_BYTES + NPACKED_BYTES, sig, packbuf0, packbuf1); - } else { - PQCLEAN_MQDSS48_AVX2_MQ(y, r, F); - PQCLEAN_MQDSS48_AVX2_G(z, t, r, F); - for (j = 0; j < N; j++) { - y[j] = (gf31)(alpha * (31 + pk_gf31[j] - y[j]) - z[j] - e[j] + 62); - } - PQCLEAN_MQDSS48_AVX2_vgf31_shorten_unique(y, y); - PQCLEAN_MQDSS48_AVX2_gf31_npack(packbuf0, y, M); - com_1(c + HASH_BYTES * (2 * i + 1), sig + HASH_BYTES + NPACKED_BYTES, sig, packbuf0); - } - memcpy(c + HASH_BYTES * (2 * i + (1 - b)), sig + NPACKED_BYTES, HASH_BYTES); - sig += NPACKED_BYTES + 2 * HASH_BYTES; - } - shake256_ctx_release(&shakestate); - - H(c, c, HASH_BYTES * ROUNDS * 2); - if (memcmp(c, sigma0, HASH_BYTES) != 0) { - return -1; - } - - return 0; -} - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_MQDSS48_AVX2_crypto_sign( - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - size_t siglen; - - PQCLEAN_MQDSS48_AVX2_crypto_sign_signature( - sm, &siglen, m, mlen, sk); - - memmove(sm + SIG_LEN, m, mlen); - *smlen = siglen + mlen; - - return 0; -} - -/** - * Verifies a given signature-message pair under a given public key. 
- */ -int PQCLEAN_MQDSS48_AVX2_crypto_sign_open( - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, const uint8_t *pk) { - /* The API caller does not necessarily know what size a signature should be - but MQDSS signatures are always exactly SIG_LEN. */ - if (smlen < SIG_LEN) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - *mlen = smlen - SIG_LEN; - - if (PQCLEAN_MQDSS48_AVX2_crypto_sign_verify( - sm, SIG_LEN, sm + SIG_LEN, *mlen, pk)) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - /* If verification was successful, move the message to the right place. */ - memmove(m, sm + SIG_LEN, *mlen); - - return 0; -} diff --git a/crypto_sign/mqdss-48/clean/LICENSE b/crypto_sign/mqdss-48/clean/LICENSE deleted file mode 100644 index 670154e3..00000000 --- a/crypto_sign/mqdss-48/clean/LICENSE +++ /dev/null 
@@ -1,116 +0,0 @@ -CC0 1.0 Universal - -Statement of Purpose - -The laws of most jurisdictions throughout the world automatically confer -exclusive Copyright and Related Rights (defined below) upon the creator and -subsequent owner(s) (each and all, an "owner") of an original work of -authorship and/or a database (each, a "Work"). - -Certain owners wish to permanently relinquish those rights to a Work for the -purpose of contributing to a commons of creative, cultural and scientific -works ("Commons") that the public can reliably and without fear of later -claims of infringement build upon, modify, incorporate in other works, reuse -and redistribute as freely as possible in any form whatsoever and for any -purposes, including without limitation commercial purposes. These owners may -contribute to the Commons to promote the ideal of a free culture and the -further production of creative, cultural and scientific works, or to gain -reputation or greater distribution for their Work in part through the use and -efforts of others. - -For these and/or other purposes and motivations, and without any expectation -of additional consideration or compensation, the person associating CC0 with a -Work (the "Affirmer"), to the extent that he or she is an owner of Copyright -and Related Rights in the Work, voluntarily elects to apply CC0 to the Work -and publicly distribute the Work under its terms, with knowledge of his or her -Copyright and Related Rights in the Work and the meaning and intended legal -effect of CC0 on those rights. - -1. Copyright and Related Rights. A Work made available under CC0 may be -protected by copyright and related or neighboring rights ("Copyright and -Related Rights"). Copyright and Related Rights include, but are not limited -to, the following: - - i. the right to reproduce, adapt, distribute, perform, display, communicate, - and translate a Work; - - ii. moral rights retained by the original author(s) and/or performer(s); - - iii. 
publicity and privacy rights pertaining to a person's image or likeness - depicted in a Work; - - iv. rights protecting against unfair competition in regards to a Work, - subject to the limitations in paragraph 4(a), below; - - v. rights protecting the extraction, dissemination, use and reuse of data in - a Work; - - vi. database rights (such as those arising under Directive 96/9/EC of the - European Parliament and of the Council of 11 March 1996 on the legal - protection of databases, and under any national implementation thereof, - including any amended or successor version of such directive); and - - vii. other similar, equivalent or corresponding rights throughout the world - based on applicable law or treaty, and any national implementations thereof. - -2. Waiver. To the greatest extent permitted by, but not in contravention of, -applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and -unconditionally waives, abandons, and surrenders all of Affirmer's Copyright -and Related Rights and associated claims and causes of action, whether now -known or unknown (including existing as well as future claims and causes of -action), in the Work (i) in all territories worldwide, (ii) for the maximum -duration provided by applicable law or treaty (including future time -extensions), (iii) in any current or future medium and for any number of -copies, and (iv) for any purpose whatsoever, including without limitation -commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes -the Waiver for the benefit of each member of the public at large and to the -detriment of Affirmer's heirs and successors, fully intending that such Waiver -shall not be subject to revocation, rescission, cancellation, termination, or -any other legal or equitable action to disrupt the quiet enjoyment of the Work -by the public as contemplated by Affirmer's express Statement of Purpose. - -3. Public License Fallback. 
Should any part of the Waiver for any reason be -judged legally invalid or ineffective under applicable law, then the Waiver -shall be preserved to the maximum extent permitted taking into account -Affirmer's express Statement of Purpose. In addition, to the extent the Waiver -is so judged Affirmer hereby grants to each affected person a royalty-free, -non transferable, non sublicensable, non exclusive, irrevocable and -unconditional license to exercise Affirmer's Copyright and Related Rights in -the Work (i) in all territories worldwide, (ii) for the maximum duration -provided by applicable law or treaty (including future time extensions), (iii) -in any current or future medium and for any number of copies, and (iv) for any -purpose whatsoever, including without limitation commercial, advertising or -promotional purposes (the "License"). The License shall be deemed effective as -of the date CC0 was applied by Affirmer to the Work. Should any part of the -License for any reason be judged legally invalid or ineffective under -applicable law, such partial invalidity or ineffectiveness shall not -invalidate the remainder of the License, and in such case Affirmer hereby -affirms that he or she will not (i) exercise any of his or her remaining -Copyright and Related Rights in the Work or (ii) assert any associated claims -and causes of action with respect to the Work, in either case contrary to -Affirmer's express Statement of Purpose. - -4. Limitations and Disclaimers. - - a. No trademark or patent rights held by Affirmer are waived, abandoned, - surrendered, licensed or otherwise affected by this document. - - b. 
Affirmer offers the Work as-is and makes no representations or warranties
- of any kind concerning the Work, express, implied, statutory or otherwise,
- including without limitation warranties of title, merchantability, fitness
- for a particular purpose, non infringement, or the absence of latent or
- other defects, accuracy, or the present or absence of errors, whether or not
- discoverable, all to the greatest extent permissible under applicable law.
-
- c. Affirmer disclaims responsibility for clearing rights of other persons
- that may apply to the Work or any use thereof, including without limitation
- any person's Copyright and Related Rights in the Work. Further, Affirmer
- disclaims responsibility for obtaining any necessary consents, permissions
- or other rights required for any use of the Work.
-
- d. Affirmer understands and acknowledges that Creative Commons is not a
- party to this document and has no duty or obligation with respect to this
- CC0 or use of the Work.
-
-For more information, please see
-
diff --git a/crypto_sign/mqdss-48/clean/Makefile b/crypto_sign/mqdss-48/clean/Makefile
deleted file mode 100644
index 258fe79e..00000000
--- a/crypto_sign/mqdss-48/clean/Makefile
+++ /dev/null
@@ -1,20 +0,0 @@
-# This Makefile can be used with GNU Make or BSD Make
-
-LIB=libmqdss-48_clean.a
-
-HEADERS = params.h gf31.h mq.h api.h
-OBJECTS = gf31.o mq.o sign.o
-
-CFLAGS=-O3 -Wall -Wconversion -Wextra -Wpedantic -Wvla -Werror -Wmissing-prototypes -Wredundant-decls -std=c99 -I../../../common $(EXTRAFLAGS)
-
-all: $(LIB)
-
-%.o: %.c $(HEADERS)
- $(CC) $(CFLAGS) -c -o $@ $<
-
-$(LIB): $(OBJECTS)
- $(AR) -r $@ $(OBJECTS)
-
-clean:
- $(RM) $(OBJECTS)
- $(RM) $(LIB)
diff --git a/crypto_sign/mqdss-48/clean/Makefile.Microsoft_nmake b/crypto_sign/mqdss-48/clean/Makefile.Microsoft_nmake
deleted file mode 100644
index 067f2841..00000000
--- a/crypto_sign/mqdss-48/clean/Makefile.Microsoft_nmake
+++ /dev/null
@@ -1,19 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=libmqdss-48_clean.lib
-OBJECTS=gf31.obj mq.obj sign.obj
-
-CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_sign/mqdss-48/clean/api.h b/crypto_sign/mqdss-48/clean/api.h
deleted file mode 100644
index 2fa5c780..00000000
--- a/crypto_sign/mqdss-48/clean/api.h
+++ /dev/null
@@ -1,47 +0,0 @@
-#ifndef PQCLEAN_MQDSS48_CLEAN_API_H
-#define PQCLEAN_MQDSS48_CLEAN_API_H
-
-#include
-#include
-
-#define PQCLEAN_MQDSS48_CLEAN_CRYPTO_ALGNAME "MQDSS-48"
-
-#define PQCLEAN_MQDSS48_CLEAN_CRYPTO_SECRETKEYBYTES 16
-#define PQCLEAN_MQDSS48_CLEAN_CRYPTO_PUBLICKEYBYTES 46
-#define PQCLEAN_MQDSS48_CLEAN_CRYPTO_BYTES 28400
-
-/*
- * Generates an MQDSS key pair.
- */
-int PQCLEAN_MQDSS48_CLEAN_crypto_sign_keypair(
- uint8_t *pk, uint8_t *sk);
-
-/**
- * Returns an array containing a detached signature.
- */
-int PQCLEAN_MQDSS48_CLEAN_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-int PQCLEAN_MQDSS48_CLEAN_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-int PQCLEAN_MQDSS48_CLEAN_crypto_sign(
- uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-int PQCLEAN_MQDSS48_CLEAN_crypto_sign_open(
- uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen, const uint8_t *pk);
-
-#endif
diff --git a/crypto_sign/mqdss-48/clean/gf31.c b/crypto_sign/mqdss-48/clean/gf31.c
deleted file mode 100644
index a3838e30..00000000
--- a/crypto_sign/mqdss-48/clean/gf31.c
+++ /dev/null
@@ -1,135 +0,0 @@
-#include
-#include
-#include
-#include
-
-#include "fips202.h"
-#include "gf31.h"
-#include "params.h"
-
-/* This performs a full unique reduction mod 13 on x; x can be any unsigned
- 16-bit integer (i.e. in the range [0, 65535]) */
-gf31 PQCLEAN_MQDSS48_CLEAN_mod31(gf31 x) {
- gf31 t;
-
- t = (gf31)(x & 31);
- x >>= 5;
- t = (gf31)(t + (x & 31));
- x >>= 5;
- t = (gf31)(t + (x & 31));
- x >>= 5;
- t = (gf31)(t + (x & 31));
-
- t = (gf31)((t >> 5) + (t & 31));
- t = (gf31)((t >> 5) + (t & 31));
- return (gf31)((t != 31) * t);
-}
-
-/* Given a vector of N elements in the range [0, 31], this reduces the elements
- to the range [0, 30] by mapping 31 to 0 (i.e reduction mod 31) */
-void PQCLEAN_MQDSS48_CLEAN_vgf31_unique(gf31 *out, const gf31 *in) {
- int i;
-
- for (i = 0; i < N; i++) {
- out[i] = (gf31)((1 - (in[i] == 31)) * in[i]);
- }
-}
-
-/* Given a vector of 16-bit integers (i.e. in [0, 65535], this reduces the
- elements to the range [0, 30] by mapping 31 to 0 (i.e reduction mod 31) */
-void PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(gf31 *out, const gf31 *in) {
- int i;
-
- for (i = 0; i < N; i++) {
- out[i] = PQCLEAN_MQDSS48_CLEAN_mod31(in[i]);
- }
-}
-
-/* Given a seed, samples len gf31 elements (in the range [0, 30]), and places
- them in a vector of 16-bit elements */
-void PQCLEAN_MQDSS48_CLEAN_gf31_nrand(gf31 *out, int len, const unsigned char *seed, size_t seedlen) {
- int i = 0, j;
- shake256ctx shakestate;
- unsigned char shakeblock[SHAKE256_RATE];
-
- shake256_absorb(&shakestate, seed, seedlen);
-
- while (i < len) {
- shake256_squeezeblocks(shakeblock, 1, &shakestate);
- for (j = 0; j < SHAKE256_RATE && i < len; j++) {
- if ((shakeblock[j] & 31) != 31) {
- out[i] = (shakeblock[j] & 31);
- i++;
- }
- }
- }
- shake256_ctx_release(&shakestate);
-}
-
-/* Given a seed, samples len gf31 elements, transposed into unsigned range,
- i.e. in the range [-15, 15], and places them in an array of 8-bit integers.
- This is used for the expansion of F, which wants packed elements. */
-void PQCLEAN_MQDSS48_CLEAN_gf31_nrand_schar(signed char *out, int len, const unsigned char *seed, size_t seedlen) {
- int i = 0, j;
- shake256ctx shakestate;
- unsigned char shakeblock[SHAKE256_RATE];
-
- shake256_absorb(&shakestate, seed, seedlen);
-
- while (i < len) {
- shake256_squeezeblocks(shakeblock, 1, &shakestate);
- for (j = 0; j < SHAKE256_RATE && i < len; j++) {
- if ((shakeblock[j] & 31) != 31) {
- out[i] = (signed char)(((signed char)shakeblock[j] & 31) - 15);
- i++;
- }
- }
- }
- shake256_ctx_release(&shakestate);
-}
-
-/* Unpacks an array of packed GF31 elements to one element per gf31.
- Assumes that there is sufficient empty space available at the end of the
- array to unpack. Can perform in-place. */
-void PQCLEAN_MQDSS48_CLEAN_gf31_nunpack(gf31 *out, const unsigned char *in, unsigned int n) {
- size_t i;
- unsigned int j = ((n * 5) >> 3) - 1;
- unsigned int d = 0;
-
- for (i = n; i > 0; i--) {
- out[i - 1] = (gf31)((in[j] >> d) & 31);
- d += 5;
- if (d > 8) {
- d -= 8;
- j--;
- out[i - 1] = (gf31)(out[i - 1] ^ ((in[j] << (5 - d)) & 31));
- }
- }
-}
-
-/* Packs an array of GF31 elements from gf31's to concatenated 5-bit values.
- Assumes that there is sufficient space available to unpack.
- Can perform in-place. */
-void PQCLEAN_MQDSS48_CLEAN_gf31_npack(unsigned char *out, const gf31 *in, unsigned int n) {
- unsigned int i = 0;
- unsigned int j;
- int d = 3;
-
- for (j = 0; j < n; j++) {
- assert(in[j] < 31);
- }
-
- /* There will be ceil(5n / 8) output blocks */
- memset(out, 0, ((5 * n + 7) & (unsigned int)~7) >> 3);
-
- for (j = 0; j < n; j++) {
- if (d < 0) {
- d += 8;
- out[i] = (unsigned char)((out[i] & (255 << (d - 3))) |
- ((in[j] >> (8 - d)) & ~(255 << (d - 3))));
- i++;
- }
- out[i] = (unsigned char)((out[i] & ~(31 << d)) | ((in[j] << d) & (31 << d)));
- d -= 5;
- }
-}
diff --git a/crypto_sign/mqdss-48/clean/gf31.h b/crypto_sign/mqdss-48/clean/gf31.h
deleted file mode 100644
index ae85811b..00000000
--- a/crypto_sign/mqdss-48/clean/gf31.h
+++ /dev/null
@@ -1,40 +0,0 @@
-#ifndef MQDSS_GF31_H
-#define MQDSS_GF31_H
-
-#include
-#include
-
-typedef uint16_t gf31;
-
-/* This performs a full unique reduction mod 13 on x; x can be any unsigned
- 16-bit integer (i.e. in the range [0, 65535]) */
-gf31 PQCLEAN_MQDSS48_CLEAN_mod31(gf31 x);
-
-/* Given a vector of elements in the range [0, 31], this reduces the elements
- to the range [0, 30] by mapping 31 to 0 (i.e reduction mod 31) */
-void PQCLEAN_MQDSS48_CLEAN_vgf31_unique(gf31 *out, const gf31 *in);
-
-/* Given a vector of 16-bit integers (i.e. in [0, 65535], this reduces the
- elements to the range [0, 30] by mapping 31 to 0 (i.e reduction mod 31) */
-void PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(gf31 *out, const gf31 *in);
-
-/* Given a seed, samples len gf31 elements (in the range [0, 30]), and places
- them in a vector of 16-bit elements */
-void PQCLEAN_MQDSS48_CLEAN_gf31_nrand(gf31 *out, int len, const unsigned char *seed, size_t seedlen);
-
-/* Given a seed, samples len gf31 elements, transposed into unsigned range,
- i.e. in the range [-15, 15], and places them in an array of 8-bit integers.
- This is used for the expansion of F, which wants packed elements. */
-void PQCLEAN_MQDSS48_CLEAN_gf31_nrand_schar(signed char *out, int len, const unsigned char *seed, size_t seedlen);
-
-/* Unpacks an array of packed GF31 elements to one element per gf31.
- Assumes that there is sufficient empty space available at the end of the
- array to unpack. Can perform in-place. */
-void PQCLEAN_MQDSS48_CLEAN_gf31_nunpack(gf31 *out, const unsigned char *in, unsigned int n);
-
-/* Packs an array of GF31 elements from gf31's to concatenated 5-bit values.
- Assumes that there is sufficient space available to unpack.
- Can perform in-place. */
-void PQCLEAN_MQDSS48_CLEAN_gf31_npack(unsigned char *out, const gf31 *in, unsigned int n);
-
-#endif
diff --git a/crypto_sign/mqdss-48/clean/mq.c b/crypto_sign/mqdss-48/clean/mq.c
deleted file mode 100644
index fde77d63..00000000
--- a/crypto_sign/mqdss-48/clean/mq.c
+++ /dev/null
@@ -1,81 +0,0 @@
-#include "mq.h"
-#include "params.h"
-
-/* Computes all products x_i * x_j, returns in reduced form */
-inline static
-void generate_quadratic_terms( gf31 *xij, const gf31 *x ) {
- int i, j, k;
- k = 0;
- for (i = 0; i < N; i++) {
- for (j = 0; j <= i; j++) {
- xij[k] = PQCLEAN_MQDSS48_CLEAN_mod31((gf31)(x[i] * x[j]));
- k++;
- }
- }
-}
-
-/* Computes all terms (x_i * y_j) + (x_j * y_i), returns in reduced form */
-inline static
-void generate_xiyj_p_xjyi_terms( gf31 *xij, const gf31 *x, const gf31 *y ) {
- int i, j, k;
- k = 0;
- for (i = 0; i < N; i++) {
- for (j = 0; j <= i; j++) {
- xij[k] = PQCLEAN_MQDSS48_CLEAN_mod31((gf31)(x[i] * y[j] + x[j] * y[i]));
- k++;
- }
- }
-}
-
-/* Evaluates the MQ function on a vector of N gf31 elements x (expected to be
- in reduced 5-bit representation). Expects the coefficients in F to be in
- signed representation (i.e. [-15, 15], packed bytewise).
- Outputs M gf31 elements in unique 16-bit representation as fx. */
-void PQCLEAN_MQDSS48_CLEAN_MQ(gf31 *fx, const gf31 *x, const signed char *F) {
- int i, j;
- gf31 _xij[N * (N + 1) >> 1];
- int r[M] = {0};
-
- generate_quadratic_terms(_xij, x);
-
- for (i = 0; i < N; i += 2) {
- for (j = 0; j < M; j++) {
- r[j] += ((int)x[i]) * ((int)F[i * M + 2 * j]) +
- ((int)x[i + 1]) * ((int)F[i * M + 2 * j + 1]);
- }
- }
-
- for (i = 0; i < (N * (N + 1)) >> 1; i += 2) {
- for (j = 0; j < M; j++) {
- r[j] += ((int)_xij[i]) * ((int)F[N * M + i * M + 2 * j]) +
- ((int)_xij[i + 1]) * ((int)F[N * M + i * M + 2 * j + 1]);
- }
- }
-
- for (i = 0; i < M; i++) {
- fx[i] = PQCLEAN_MQDSS48_CLEAN_mod31((gf31)((r[i] >> 15) + (r[i] & 0x7FFF)));
- }
-}
-
-/* Evaluates the bilinear polar form of the MQ function (i.e. G) on a vector of
- N gf31 elements x (expected to be in reduced 5-bit representation). Expects
- the coefficients in F to be in signed representation (i.e. [-15, 15], packed
- bytewise). Outputs M gf31 elements in unique 16-bit representation as fx.
*/
-void PQCLEAN_MQDSS48_CLEAN_G(gf31 *fx, const gf31 *x, const gf31 *y, const signed char *F) {
- int i, j;
- gf31 _xij[N * (N + 1) >> 1];
- int r[M] = {0};
-
- generate_xiyj_p_xjyi_terms(_xij, x, y);
-
- for (i = 0; i < (N * (N + 1)) >> 1; i += 2) {
- for (j = 0; j < M; j++) {
- r[j] += ((int)_xij[i]) * ((int)F[N * M + i * M + 2 * j]) +
- ((int)_xij[i + 1]) * ((int)F[N * M + i * M + 2 * j + 1]);
- }
- }
-
- for (i = 0; i < M; i++) {
- fx[i] = PQCLEAN_MQDSS48_CLEAN_mod31((gf31)((r[i] >> 15) + (r[i] & 0x7FFF)));
- }
-}
diff --git a/crypto_sign/mqdss-48/clean/mq.h b/crypto_sign/mqdss-48/clean/mq.h
deleted file mode 100644
index c2ab462c..00000000
--- a/crypto_sign/mqdss-48/clean/mq.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef MQDSS_MQ_H
-#define MQDSS_MQ_H
-
-#include "gf31.h"
-
-/* Evaluates the MQ function on a vector of N gf31 elements x (expected to be
- in reduced 5-bit representation). Expects the coefficients in F to be in
- signed representation (i.e. [-15, 15], packed bytewise).
- Outputs M gf31 elements in unique 16-bit representation as fx. */
-void PQCLEAN_MQDSS48_CLEAN_MQ(gf31 *fx, const gf31 *x, const signed char *F);
-
-/* Evaluates the bilinear polar form of the MQ function (i.e. G) on a vector of
- N gf31 elements x (expected to be in reduced 5-bit representation). Expects
- the coefficients in F to be in signed representation (i.e. [-15, 15], packed
- bytewise). Outputs M gf31 elements in unique 16-bit representation as fx. */
-void PQCLEAN_MQDSS48_CLEAN_G(gf31 *fx, const gf31 *x, const gf31 *y, const signed char *F);
-
-#endif
diff --git a/crypto_sign/mqdss-48/clean/params.h b/crypto_sign/mqdss-48/clean/params.h
deleted file mode 100644
index 94e47077..00000000
--- a/crypto_sign/mqdss-48/clean/params.h
+++ /dev/null
@@ -1,25 +0,0 @@
-#ifndef MQDSS_PARAMS_H
-#define MQDSS_PARAMS_H
-
-#define N 48
-#define M N
-#define F_LEN (M * (((N * (N + 1)) >> 1) + N)) /* Number of elements in F */
-
-#define ROUNDS 184
-
-/* Number of bytes that N, M and F_LEN elements require when packed into a byte
- array, 5-bit elements packed continuously. */
-/* Assumes N and M to be multiples of 8 */
-#define NPACKED_BYTES ((N * 5) >> 3)
-#define MPACKED_BYTES ((M * 5) >> 3)
-#define FPACKED_BYTES ((F_LEN * 5) >> 3)
-
-#define HASH_BYTES 32
-#define SEED_BYTES 16
-#define PK_BYTES (SEED_BYTES + MPACKED_BYTES)
-#define SK_BYTES SEED_BYTES
-
-// R, sigma_0, ROUNDS * (t1, r{0,1}, e1, c, rho)
-#define SIG_LEN (2 * HASH_BYTES + ROUNDS * (2*NPACKED_BYTES + MPACKED_BYTES + HASH_BYTES + HASH_BYTES))
-
-#endif
diff --git a/crypto_sign/mqdss-48/clean/sign.c b/crypto_sign/mqdss-48/clean/sign.c
deleted file mode 100644
index 57b11d66..00000000
--- a/crypto_sign/mqdss-48/clean/sign.c
+++ /dev/null
@@ -1,389 +0,0 @@ -#include -#include -#include - -#include "api.h" -#include "fips202.h" -#include "gf31.h" -#include "mq.h" -#include "params.h" -#include "randombytes.h" - -/* Takes an array of len bytes and computes a hash digest. - This is used as a hash function in the Fiat-Shamir transform. */ -static void H(unsigned char *out, const unsigned char *in, const size_t len) { - shake256(out, HASH_BYTES, in, len); -} - -/* Takes two arrays of N packed elements and an array of M packed elements, - and computes a HASH_BYTES commitment. */ -static void com_0(unsigned char *c, - const unsigned char *rho, - const unsigned char *inn, const unsigned char *inn2, - const unsigned char *inm) { - unsigned char buffer[HASH_BYTES + 2 * NPACKED_BYTES + MPACKED_BYTES]; - memcpy(buffer, rho, HASH_BYTES); - memcpy(buffer + HASH_BYTES, inn, NPACKED_BYTES); - memcpy(buffer + HASH_BYTES + NPACKED_BYTES, inn2, NPACKED_BYTES); - memcpy(buffer + HASH_BYTES + 2 * NPACKED_BYTES, inm, MPACKED_BYTES); - shake256(c, HASH_BYTES, buffer, HASH_BYTES + 2 * NPACKED_BYTES + MPACKED_BYTES); -} - -/* Takes an array of N packed elements and an array of M packed elements, - and computes a HASH_BYTES commitment. */ -static void com_1(unsigned char *c, - const unsigned char *rho, - const unsigned char *inn, const unsigned char *inm) { - unsigned char buffer[HASH_BYTES + NPACKED_BYTES + MPACKED_BYTES]; - memcpy(buffer, rho, HASH_BYTES); - memcpy(buffer + HASH_BYTES, inn, NPACKED_BYTES); - memcpy(buffer + HASH_BYTES + NPACKED_BYTES, inm, MPACKED_BYTES); - shake256(c, HASH_BYTES, buffer, HASH_BYTES + NPACKED_BYTES + MPACKED_BYTES); -} - -/* - * Generates an MQDSS key pair. - */ -int PQCLEAN_MQDSS48_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { - signed char F[F_LEN]; - unsigned char skbuf[SEED_BYTES * 2]; - gf31 sk_gf31[N]; - gf31 pk_gf31[M]; - - // Expand sk to obtain a seed for F and the secret input s. 
- // We also expand to obtain a value for sampling r0, t0 and e0 during - // signature generation, but that is not relevant here. - randombytes(sk, SEED_BYTES); - shake256(skbuf, SEED_BYTES * 2, sk, SEED_BYTES); - - memcpy(pk, skbuf, SEED_BYTES); - PQCLEAN_MQDSS48_CLEAN_gf31_nrand_schar(F, F_LEN, pk, SEED_BYTES); - PQCLEAN_MQDSS48_CLEAN_gf31_nrand(sk_gf31, N, skbuf + SEED_BYTES, SEED_BYTES); - PQCLEAN_MQDSS48_CLEAN_MQ(pk_gf31, sk_gf31, F); - PQCLEAN_MQDSS48_CLEAN_vgf31_unique(pk_gf31, pk_gf31); - PQCLEAN_MQDSS48_CLEAN_gf31_npack(pk + SEED_BYTES, pk_gf31, M); - - return 0; -} - -/** - * Returns an array containing a detached signature. - */ -int PQCLEAN_MQDSS48_CLEAN_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - - signed char F[F_LEN]; - unsigned char skbuf[SEED_BYTES * 4]; - gf31 pk_gf31[M]; - unsigned char pk[SEED_BYTES + MPACKED_BYTES]; - // Concatenated for convenient hashing. - unsigned char D_sigma0_h0_sigma1[HASH_BYTES * 3 + ROUNDS * (NPACKED_BYTES + MPACKED_BYTES)]; - unsigned char *D = D_sigma0_h0_sigma1; - unsigned char *sigma0 = D_sigma0_h0_sigma1 + HASH_BYTES; - unsigned char *h0 = D_sigma0_h0_sigma1 + 2 * HASH_BYTES; - unsigned char *t1packed = D_sigma0_h0_sigma1 + 3 * HASH_BYTES; - unsigned char *e1packed = D_sigma0_h0_sigma1 + 3 * HASH_BYTES + ROUNDS * NPACKED_BYTES; - shake256ctx shakestate; - unsigned char shakeblock[SHAKE256_RATE]; - unsigned char h1[((ROUNDS + 7) & ~7) >> 3]; - unsigned char rnd_seed[HASH_BYTES + SEED_BYTES]; - unsigned char rho[2 * ROUNDS * HASH_BYTES]; - unsigned char *rho0 = rho; - unsigned char *rho1 = rho + ROUNDS * HASH_BYTES; - gf31 sk_gf31[N]; - gf31 rnd[(2 * N + M) * ROUNDS]; // Concatenated for easy RNG. 
- gf31 *r0 = rnd; - gf31 *t0 = rnd + N * ROUNDS; - gf31 *e0 = rnd + 2 * N * ROUNDS; - gf31 r1[N * ROUNDS]; - gf31 t1[N * ROUNDS]; - gf31 e1[M * ROUNDS]; - gf31 gx[M * ROUNDS]; - unsigned char packbuf0[NPACKED_BYTES]; - unsigned char packbuf1[NPACKED_BYTES]; - unsigned char packbuf2[MPACKED_BYTES]; - unsigned char c[HASH_BYTES * ROUNDS * 2]; - gf31 alpha; - int alpha_count = 0; - int b; - int i, j; - shake256incctx state; - - shake256(skbuf, SEED_BYTES * 4, sk, SEED_BYTES); - - PQCLEAN_MQDSS48_CLEAN_gf31_nrand_schar(F, F_LEN, skbuf, SEED_BYTES); - - shake256_inc_init(&state); - shake256_inc_absorb(&state, sk, SEED_BYTES); - shake256_inc_absorb(&state, m, mlen); - shake256_inc_finalize(&state); - shake256_inc_squeeze(sig, HASH_BYTES, &state); // Compute R. - shake256_inc_ctx_release(&state); - - memcpy(pk, skbuf, SEED_BYTES); - PQCLEAN_MQDSS48_CLEAN_gf31_nrand(sk_gf31, N, skbuf + SEED_BYTES, SEED_BYTES); - PQCLEAN_MQDSS48_CLEAN_MQ(pk_gf31, sk_gf31, F); - PQCLEAN_MQDSS48_CLEAN_vgf31_unique(pk_gf31, pk_gf31); - PQCLEAN_MQDSS48_CLEAN_gf31_npack(pk + SEED_BYTES, pk_gf31, M); - - shake256_inc_init(&state); - shake256_inc_absorb(&state, pk, PK_BYTES); - shake256_inc_absorb(&state, sig, HASH_BYTES); - shake256_inc_absorb(&state, m, mlen); - shake256_inc_finalize(&state); - shake256_inc_squeeze(D, HASH_BYTES, &state); - shake256_inc_ctx_release(&state); - - sig += HASH_BYTES; // Compensate for prefixed R. 
- - memcpy(rnd_seed, skbuf + 2 * SEED_BYTES, SEED_BYTES); - memcpy(rnd_seed + SEED_BYTES, D, HASH_BYTES); - shake256(rho, 2 * ROUNDS * HASH_BYTES, rnd_seed, SEED_BYTES + HASH_BYTES); - - memcpy(rnd_seed, skbuf + 3 * SEED_BYTES, SEED_BYTES); - memcpy(rnd_seed + SEED_BYTES, D, HASH_BYTES); - PQCLEAN_MQDSS48_CLEAN_gf31_nrand(rnd, (2 * N + M) * ROUNDS, rnd_seed, SEED_BYTES + HASH_BYTES); - - for (i = 0; i < ROUNDS; i++) { - for (j = 0; j < N; j++) { - r1[j + i * N] = (gf31)(31 + sk_gf31[j] - r0[j + i * N]); - } - PQCLEAN_MQDSS48_CLEAN_G(gx + i * M, t0 + i * N, r1 + i * N, F); - } - for (i = 0; i < ROUNDS * M; i++) { - gx[i] = (gf31)(gx[i] + e0[i]); - } - for (i = 0; i < ROUNDS; i++) { - PQCLEAN_MQDSS48_CLEAN_gf31_npack(packbuf0, r0 + i * N, N); - PQCLEAN_MQDSS48_CLEAN_gf31_npack(packbuf1, t0 + i * N, N); - PQCLEAN_MQDSS48_CLEAN_gf31_npack(packbuf2, e0 + i * M, M); - com_0(c + HASH_BYTES * (2 * i + 0), rho0 + i * HASH_BYTES, packbuf0, packbuf1, packbuf2); - PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(r1 + i * N, r1 + i * N); - PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(gx + i * M, gx + i * M); - PQCLEAN_MQDSS48_CLEAN_gf31_npack(packbuf0, r1 + i * N, N); - PQCLEAN_MQDSS48_CLEAN_gf31_npack(packbuf1, gx + i * M, M); - com_1(c + HASH_BYTES * (2 * i + 1), rho1 + i * HASH_BYTES, packbuf0, packbuf1); - } - - H(sigma0, c, HASH_BYTES * ROUNDS * 2); // Compute sigma_0. - shake256_absorb(&shakestate, D_sigma0_h0_sigma1, 2 * HASH_BYTES); - shake256_squeezeblocks(shakeblock, 1, &shakestate); - - memcpy(h0, shakeblock, HASH_BYTES); - - memcpy(sig, sigma0, HASH_BYTES); - sig += HASH_BYTES; // Compensate for sigma_0. 
- - for (i = 0; i < ROUNDS; i++) { - do { - alpha = shakeblock[alpha_count] & 31; - alpha_count++; - if (alpha_count == SHAKE256_RATE) { - alpha_count = 0; - shake256_squeezeblocks(shakeblock, 1, &shakestate); - } - } while (alpha == 31); - for (j = 0; j < N; j++) { - t1[i * N + j] = (gf31)(alpha * r0[j + i * N] - t0[j + i * N] + 31); - } - PQCLEAN_MQDSS48_CLEAN_MQ(e1 + i * M, r0 + i * N, F); - for (j = 0; j < N; j++) { - e1[i * N + j] = (gf31)(alpha * e1[j + i * M] - e0[j + i * M] + 31); - } - PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(t1 + i * N, t1 + i * N); - PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(e1 + i * N, e1 + i * N); - } - shake256_ctx_release(&shakestate); - - PQCLEAN_MQDSS48_CLEAN_gf31_npack(t1packed, t1, N * ROUNDS); - PQCLEAN_MQDSS48_CLEAN_gf31_npack(e1packed, e1, M * ROUNDS); - - memcpy(sig, t1packed, NPACKED_BYTES * ROUNDS); - sig += NPACKED_BYTES * ROUNDS; - memcpy(sig, e1packed, MPACKED_BYTES * ROUNDS); - sig += MPACKED_BYTES * ROUNDS; - - shake256(h1, ((ROUNDS + 7) & ~7) >> 3, D_sigma0_h0_sigma1, 3 * HASH_BYTES + ROUNDS * (NPACKED_BYTES + MPACKED_BYTES)); - - for (i = 0; i < ROUNDS; i++) { - b = (h1[(i >> 3)] >> (i & 7)) & 1; - if (b == 0) { - PQCLEAN_MQDSS48_CLEAN_gf31_npack(sig, r0 + i * N, N); - } else if (b == 1) { - PQCLEAN_MQDSS48_CLEAN_gf31_npack(sig, r1 + i * N, N); - } - memcpy(sig + NPACKED_BYTES, c + HASH_BYTES * (2 * i + (1 - b)), HASH_BYTES); - memcpy(sig + NPACKED_BYTES + HASH_BYTES, rho + (i + b * ROUNDS) * HASH_BYTES, HASH_BYTES); - sig += NPACKED_BYTES + 2 * HASH_BYTES; - } - - *siglen = SIG_LEN; - return 0; -} - -/** - * Verifies a detached signature and message under a given public key. - */ -int PQCLEAN_MQDSS48_CLEAN_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk) { - - gf31 r[N]; - gf31 t[N]; - gf31 e[M]; - signed char F[F_LEN]; - gf31 pk_gf31[M]; - // Concatenated for convenient hashing. 
- unsigned char D_sigma0_h0_sigma1[HASH_BYTES * 3 + ROUNDS * (NPACKED_BYTES + MPACKED_BYTES)]; - unsigned char *D = D_sigma0_h0_sigma1; - unsigned char *sigma0 = D_sigma0_h0_sigma1 + HASH_BYTES; - unsigned char *h0 = D_sigma0_h0_sigma1 + 2 * HASH_BYTES; - unsigned char *t1packed = D_sigma0_h0_sigma1 + 3 * HASH_BYTES; - unsigned char *e1packed = D_sigma0_h0_sigma1 + 3 * HASH_BYTES + ROUNDS * NPACKED_BYTES; - unsigned char h1[((ROUNDS + 7) & ~7) >> 3]; - unsigned char c[HASH_BYTES * ROUNDS * 2]; - memset(c, 0, HASH_BYTES * 2); - gf31 x[N]; - gf31 y[M]; - gf31 z[M]; - unsigned char packbuf0[NPACKED_BYTES]; - unsigned char packbuf1[MPACKED_BYTES]; - shake256ctx shakestate; - unsigned char shakeblock[SHAKE256_RATE]; - int i, j; - gf31 alpha; - int alpha_count = 0; - int b; - shake256incctx state; - - if (siglen != SIG_LEN) { - return -1; - } - - shake256_inc_init(&state); - shake256_inc_absorb(&state, pk, PK_BYTES); - shake256_inc_absorb(&state, sig, HASH_BYTES); - shake256_inc_absorb(&state, m, mlen); - shake256_inc_finalize(&state); - shake256_inc_squeeze(D, HASH_BYTES, &state); - shake256_inc_ctx_release(&state); - - sig += HASH_BYTES; - - PQCLEAN_MQDSS48_CLEAN_gf31_nrand_schar(F, F_LEN, pk, SEED_BYTES); - pk += SEED_BYTES; - PQCLEAN_MQDSS48_CLEAN_gf31_nunpack(pk_gf31, pk, M); - - memcpy(sigma0, sig, HASH_BYTES); - - shake256_absorb(&shakestate, D_sigma0_h0_sigma1, 2 * HASH_BYTES); - shake256_squeezeblocks(shakeblock, 1, &shakestate); - - memcpy(h0, shakeblock, HASH_BYTES); - - sig += HASH_BYTES; - - memcpy(t1packed, sig, ROUNDS * NPACKED_BYTES); - sig += ROUNDS * NPACKED_BYTES; - memcpy(e1packed, sig, ROUNDS * MPACKED_BYTES); - sig += ROUNDS * MPACKED_BYTES; - - shake256(h1, ((ROUNDS + 7) & ~7) >> 3, D_sigma0_h0_sigma1, 3 * HASH_BYTES + ROUNDS * (NPACKED_BYTES + MPACKED_BYTES)); - - for (i = 0; i < ROUNDS; i++) { - do { - alpha = shakeblock[alpha_count] & 31; - alpha_count++; - if (alpha_count == SHAKE256_RATE) { - alpha_count = 0; - 
shake256_squeezeblocks(shakeblock, 1, &shakestate); - } - } while (alpha == 31); - b = (h1[(i >> 3)] >> (i & 7)) & 1; - - PQCLEAN_MQDSS48_CLEAN_gf31_nunpack(r, sig, N); - PQCLEAN_MQDSS48_CLEAN_gf31_nunpack(t, t1packed + NPACKED_BYTES * i, N); - PQCLEAN_MQDSS48_CLEAN_gf31_nunpack(e, e1packed + MPACKED_BYTES * i, M); - - if (b == 0) { - PQCLEAN_MQDSS48_CLEAN_MQ(y, r, F); - for (j = 0; j < N; j++) { - x[j] = (gf31)(alpha * r[j] - t[j] + 31); - } - for (j = 0; j < N; j++) { - y[j] = (gf31)(alpha * y[j] - e[j] + 31); - } - PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(x, x); - PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(y, y); - PQCLEAN_MQDSS48_CLEAN_gf31_npack(packbuf0, x, N); - PQCLEAN_MQDSS48_CLEAN_gf31_npack(packbuf1, y, M); - com_0(c + HASH_BYTES * (2 * i + 0), sig + HASH_BYTES + NPACKED_BYTES, sig, packbuf0, packbuf1); - } else { - PQCLEAN_MQDSS48_CLEAN_MQ(y, r, F); - PQCLEAN_MQDSS48_CLEAN_G(z, t, r, F); - for (j = 0; j < N; j++) { - y[j] = (gf31)(alpha * (31 + pk_gf31[j] - y[j]) - z[j] - e[j] + 62); - } - PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(y, y); - PQCLEAN_MQDSS48_CLEAN_gf31_npack(packbuf0, y, M); - com_1(c + HASH_BYTES * (2 * i + 1), sig + HASH_BYTES + NPACKED_BYTES, sig, packbuf0); - } - memcpy(c + HASH_BYTES * (2 * i + (1 - b)), sig + NPACKED_BYTES, HASH_BYTES); - sig += NPACKED_BYTES + 2 * HASH_BYTES; - } - shake256_ctx_release(&shakestate); - - H(c, c, HASH_BYTES * ROUNDS * 2); - if (memcmp(c, sigma0, HASH_BYTES) != 0) { - return -1; - } - - return 0; -} - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_MQDSS48_CLEAN_crypto_sign( - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - size_t siglen; - - PQCLEAN_MQDSS48_CLEAN_crypto_sign_signature( - sm, &siglen, m, mlen, sk); - - memmove(sm + SIG_LEN, m, mlen); - *smlen = siglen + mlen; - - return 0; -} - -/** - * Verifies a given signature-message pair under a given public key. 
- */ -int PQCLEAN_MQDSS48_CLEAN_crypto_sign_open( - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, const uint8_t *pk) { - /* The API caller does not necessarily know what size a signature should be - but MQDSS signatures are always exactly SIG_LEN. */ - if (smlen < SIG_LEN) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - *mlen = smlen - SIG_LEN; - - if (PQCLEAN_MQDSS48_CLEAN_crypto_sign_verify( - sm, SIG_LEN, sm + SIG_LEN, *mlen, pk)) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - /* If verification was successful, move the message to the right place. */ - memmove(m, sm + SIG_LEN, *mlen); - - return 0; -} diff --git a/crypto_sign/mqdss-64/META.yml b/crypto_sign/mqdss-64/META.yml deleted file mode 100644 index be2a6a1f..00000000 --- a/crypto_sign/mqdss-64/META.yml +++ /dev/null @@ -1,27 +0,0 @@ -name: MQDSS-64 -type: signature -claimed-nist-level: 3 -length-public-key: 64 -length-secret-key: 24 -length-signature: 59928 -nistkat-sha256: afdfc887ec7d0ee648ea3802310ccff92ce0ed1f9c96d9d47ae3d5cf602785fd -testvectors-sha256: ff8afac3a7d4bbb8c088c23d12fdc0e0c3bc8aace57386ac20ac0a65ae4f3e68 -principal-submitters: - - Simona Samardjiska -auxiliary-submitters: - - Ming-Shing Chen - - Andreas Hülsing - - Joost Rijneveld - - Peter Schwabe -implementations: - - name: clean - version: https://github.com/joostrijneveld/MQDSS/commit/00608d7610262ff07b1834885d32bc3fd27ef5e1 - - name: avx2 - version: https://github.com/joostrijneveld/MQDSS/commit/00608d7610262ff07b1834885d32bc3fd27ef5e1 - supported_platforms: - - architecture: x86_64 - required_flags: - - avx2 - - architecture: x86 - required_flags: - - avx2 diff --git a/crypto_sign/mqdss-64/avx2/LICENSE b/crypto_sign/mqdss-64/avx2/LICENSE deleted file mode 100644 index 670154e3..00000000 --- a/crypto_sign/mqdss-64/avx2/LICENSE +++ /dev/null 
@@ -1,116 +0,0 @@ -CC0 1.0 Universal - -Statement of Purpose - -The laws of most jurisdictions throughout the world automatically confer -exclusive Copyright and Related Rights (defined below) upon the creator and -subsequent owner(s) (each and all, an "owner") of an original work of -authorship and/or a database (each, a "Work"). - -Certain owners wish to permanently relinquish those rights to a Work for the -purpose of contributing to a commons of creative, cultural and scientific -works ("Commons") that the public can reliably and without fear of later -claims of infringement build upon, modify, incorporate in other works, reuse -and redistribute as freely as possible in any form whatsoever and for any -purposes, including without limitation commercial purposes. These owners may -contribute to the Commons to promote the ideal of a free culture and the -further production of creative, cultural and scientific works, or to gain -reputation or greater distribution for their Work in part through the use and -efforts of others. - -For these and/or other purposes and motivations, and without any expectation -of additional consideration or compensation, the person associating CC0 with a -Work (the "Affirmer"), to the extent that he or she is an owner of Copyright -and Related Rights in the Work, voluntarily elects to apply CC0 to the Work -and publicly distribute the Work under its terms, with knowledge of his or her -Copyright and Related Rights in the Work and the meaning and intended legal -effect of CC0 on those rights. - -1. Copyright and Related Rights. A Work made available under CC0 may be -protected by copyright and related or neighboring rights ("Copyright and -Related Rights"). Copyright and Related Rights include, but are not limited -to, the following: - - i. the right to reproduce, adapt, distribute, perform, display, communicate, - and translate a Work; - - ii. moral rights retained by the original author(s) and/or performer(s); - - iii. 
publicity and privacy rights pertaining to a person's image or likeness - depicted in a Work; - - iv. rights protecting against unfair competition in regards to a Work, - subject to the limitations in paragraph 4(a), below; - - v. rights protecting the extraction, dissemination, use and reuse of data in - a Work; - - vi. database rights (such as those arising under Directive 96/9/EC of the - European Parliament and of the Council of 11 March 1996 on the legal - protection of databases, and under any national implementation thereof, - including any amended or successor version of such directive); and - - vii. other similar, equivalent or corresponding rights throughout the world - based on applicable law or treaty, and any national implementations thereof. - -2. Waiver. To the greatest extent permitted by, but not in contravention of, -applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and -unconditionally waives, abandons, and surrenders all of Affirmer's Copyright -and Related Rights and associated claims and causes of action, whether now -known or unknown (including existing as well as future claims and causes of -action), in the Work (i) in all territories worldwide, (ii) for the maximum -duration provided by applicable law or treaty (including future time -extensions), (iii) in any current or future medium and for any number of -copies, and (iv) for any purpose whatsoever, including without limitation -commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes -the Waiver for the benefit of each member of the public at large and to the -detriment of Affirmer's heirs and successors, fully intending that such Waiver -shall not be subject to revocation, rescission, cancellation, termination, or -any other legal or equitable action to disrupt the quiet enjoyment of the Work -by the public as contemplated by Affirmer's express Statement of Purpose. - -3. Public License Fallback. 
Should any part of the Waiver for any reason be -judged legally invalid or ineffective under applicable law, then the Waiver -shall be preserved to the maximum extent permitted taking into account -Affirmer's express Statement of Purpose. In addition, to the extent the Waiver -is so judged Affirmer hereby grants to each affected person a royalty-free, -non transferable, non sublicensable, non exclusive, irrevocable and -unconditional license to exercise Affirmer's Copyright and Related Rights in -the Work (i) in all territories worldwide, (ii) for the maximum duration -provided by applicable law or treaty (including future time extensions), (iii) -in any current or future medium and for any number of copies, and (iv) for any -purpose whatsoever, including without limitation commercial, advertising or -promotional purposes (the "License"). The License shall be deemed effective as -of the date CC0 was applied by Affirmer to the Work. Should any part of the -License for any reason be judged legally invalid or ineffective under -applicable law, such partial invalidity or ineffectiveness shall not -invalidate the remainder of the License, and in such case Affirmer hereby -affirms that he or she will not (i) exercise any of his or her remaining -Copyright and Related Rights in the Work or (ii) assert any associated claims -and causes of action with respect to the Work, in either case contrary to -Affirmer's express Statement of Purpose. - -4. Limitations and Disclaimers. - - a. No trademark or patent rights held by Affirmer are waived, abandoned, - surrendered, licensed or otherwise affected by this document. - - b. 
Affirmer offers the Work as-is and makes no representations or warranties - of any kind concerning the Work, express, implied, statutory or otherwise, - including without limitation warranties of title, merchantability, fitness - for a particular purpose, non infringement, or the absence of latent or - other defects, accuracy, or the present or absence of errors, whether or not - discoverable, all to the greatest extent permissible under applicable law. - - c. Affirmer disclaims responsibility for clearing rights of other persons - that may apply to the Work or any use thereof, including without limitation - any person's Copyright and Related Rights in the Work. Further, Affirmer - disclaims responsibility for obtaining any necessary consents, permissions - or other rights required for any use of the Work. - - d. Affirmer understands and acknowledges that Creative Commons is not a - party to this document and has no duty or obligation with respect to this - CC0 or use of the Work. - -For more information, please see - diff --git a/crypto_sign/mqdss-64/avx2/Makefile b/crypto_sign/mqdss-64/avx2/Makefile deleted file mode 100644 index 940ebbd4..00000000 --- a/crypto_sign/mqdss-64/avx2/Makefile +++ /dev/null @@ -1,22 +0,0 @@ -# This Makefile can be used with GNU Make or BSD Make - -LIB=libmqdss-64_avx2.a - -HEADERS = params.h gf31.h mq.h api.h -OBJECTS = gf31.o mq.o sign.o - -CFLAGS=-O3 -Wall -Wconversion -Wextra -Wpedantic -Wvla -Werror \ - -Wmissing-prototypes -Wredundant-decls -std=c99 -mavx2 \ - -I../../../common $(EXTRAFLAGS) - -all: $(LIB) - -%.o: %.c $(HEADERS) - $(CC) $(CFLAGS) -c -o $@ $< - -$(LIB): $(OBJECTS) - $(AR) -r $@ $(OBJECTS) - -clean: - $(RM) $(OBJECTS) - $(RM) $(LIB) diff --git a/crypto_sign/mqdss-64/avx2/Makefile.Microsoft_nmake b/crypto_sign/mqdss-64/avx2/Makefile.Microsoft_nmake deleted file mode 100644 index 9a3e768c..00000000 --- a/crypto_sign/mqdss-64/avx2/Makefile.Microsoft_nmake +++ /dev/null 
@@ -1,19 +0,0 @@ -# This Makefile can be used with Microsoft Visual Studio's nmake using the command: -# nmake /f Makefile.Microsoft_nmake - -LIBRARY=libmqdss-64_clean.lib -OBJECTS=gf31.obj mq.obj sign.obj - -CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX /arch:AVX2 - -all: $(LIBRARY) - -# Make sure objects are recompiled if headers change. -$(OBJECTS): *.h - -$(LIBRARY): $(OBJECTS) - LIB.EXE /NOLOGO /WX /OUT:$@ $** - -clean: - -DEL $(OBJECTS) - -DEL $(LIBRARY) diff --git a/crypto_sign/mqdss-64/avx2/api.h b/crypto_sign/mqdss-64/avx2/api.h deleted file mode 100644 index 91326baa..00000000 --- a/crypto_sign/mqdss-64/avx2/api.h +++ /dev/null @@ -1,47 +0,0 @@ -#ifndef PQCLEAN_MQDSS64_AVX2_API_H -#define PQCLEAN_MQDSS64_AVX2_API_H - -#include -#include - -#define PQCLEAN_MQDSS64_AVX2_CRYPTO_ALGNAME "MQDSS-64" - -#define PQCLEAN_MQDSS64_AVX2_CRYPTO_SECRETKEYBYTES 24 -#define PQCLEAN_MQDSS64_AVX2_CRYPTO_PUBLICKEYBYTES 64 -#define PQCLEAN_MQDSS64_AVX2_CRYPTO_BYTES 59928 - -/* - * Generates an MQDSS key pair. - */ -int PQCLEAN_MQDSS64_AVX2_crypto_sign_keypair( - uint8_t *pk, uint8_t *sk); - -/** - * Returns an array containing a detached signature. - */ -int PQCLEAN_MQDSS64_AVX2_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk); - -/** - * Verifies a detached signature and message under a given public key. - */ -int PQCLEAN_MQDSS64_AVX2_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk); - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_MQDSS64_AVX2_crypto_sign( - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, const uint8_t *sk); - -/** - * Verifies a given signature-message pair under a given public key. - */ -int PQCLEAN_MQDSS64_AVX2_crypto_sign_open( - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, const uint8_t *pk); - -#endif 
diff --git a/crypto_sign/mqdss-64/avx2/gf31.c b/crypto_sign/mqdss-64/avx2/gf31.c
deleted file mode 100644
index 5f65eb77..00000000
--- a/crypto_sign/mqdss-64/avx2/gf31.c
+++ /dev/null
@@ -1,128 +0,0 @@ -#include "params.h" -#include "fips202.h" -#include "gf31.h" -#include -#include -#include -#include - -/* Given a vector of N elements in the range [0, 31], this reduces the elements - to the range [0, 30] by mapping 31 to 0 (i.e reduction mod 31) */ -void PQCLEAN_MQDSS64_AVX2_vgf31_unique(gf31 *out, gf31 *in) { - __m256i x; - __m256i _w31 = _mm256_set1_epi16(31); - int i; - - for (i = 0; i < (N >> 4); ++i) { - x = _mm256_loadu_si256((__m256i const *) (in + 16 * i)); - x = _mm256_xor_si256(x, _mm256_and_si256(_w31, _mm256_cmpeq_epi16(x, _w31))); - _mm256_storeu_si256((__m256i *)(out + i * 16), x); - } -} - -/* This function acts on vectors with 64 gf31 elements. -It performs one reduction step and guarantees output in [0, 30], -but requires input to be in [0, 32768). */ -void PQCLEAN_MQDSS64_AVX2_vgf31_shorten_unique(gf31 *out, gf31 *in) { - __m256i x; - __m256i _w2114 = _mm256_set1_epi32(2114 * 65536 + 2114); - __m256i _w31 = _mm256_set1_epi16(31); - int i; - - for (i = 0; i < (N >> 4); ++i) { - x = _mm256_loadu_si256((__m256i const *) (in + 16 * i)); - x = _mm256_sub_epi16(x, _mm256_mullo_epi16(_w31, _mm256_mulhi_epi16(x, _w2114))); - x = _mm256_xor_si256(x, _mm256_and_si256(_w31, _mm256_cmpeq_epi16(x, _w31))); - _mm256_storeu_si256((__m256i *)(out + i * 16), x); - } -} - -/* Given a seed, samples len gf31 elements (in the range [0, 30]), and places - them in a vector of 16-bit elements */ -void PQCLEAN_MQDSS64_AVX2_gf31_nrand(gf31 *out, size_t len, const uint8_t *seed, size_t seedlen) { - size_t i = 0, j; - shake256ctx shakestate; - uint8_t shakeblock[SHAKE256_RATE]; - - shake256_absorb(&shakestate, seed, seedlen); - - while (i < len) { - shake256_squeezeblocks(shakeblock, 1, &shakestate); - for (j = 0; j < SHAKE256_RATE && i < len; j++) { - if ((shakeblock[j] & 31) != 31) { - out[i] = (shakeblock[j] & 31); - i++; - } - } - } - shake256_ctx_release(&shakestate); -} - -/* Given a seed, samples len gf31 elements, transposed into unsigned range, 
- i.e. in the range [-15, 15], and places them in an array of 8-bit integers. - This is used for the expansion of F, which wants packed elements. */ -void PQCLEAN_MQDSS64_AVX2_gf31_nrand_schar(signed char *out, size_t len, const uint8_t *seed, size_t seedlen) { - size_t i = 0, j; - shake256ctx shakestate; - uint8_t shakeblock[SHAKE256_RATE]; - - shake256_absorb(&shakestate, seed, seedlen); - - while (i < len) { - shake256_squeezeblocks(shakeblock, 1, &shakestate); - for (j = 0; j < SHAKE256_RATE && i < len; j++) { - if ((shakeblock[j] & 31) != 31) { - out[i] = (signed char)((shakeblock[j] & 31) - 15); - i++; - } - } - } - shake256_ctx_release(&shakestate); - -} - -/* Unpacks an array of packed GF31 elements to one element per gf31. - Assumes that there is sufficient empty space available at the end of the - array to unpack. Can perform in-place. */ -void PQCLEAN_MQDSS64_AVX2_gf31_nunpack(gf31 *out, const uint8_t *in, size_t n) { - size_t i; - size_t j = ((n * 5) >> 3) - 1; - unsigned int d = 0; - - for (i = n; i > 0; i--) { - out[i - 1] = (gf31)((in[j] >> d) & 31); - d += 5; - if (d > 8) { - d -= 8; - j--; - out[i - 1] = (gf31)(out[i - 1] ^ ((in[j] << (5 - d)) & 31)); - } - } -} - -/* Packs an array of GF31 elements from gf31's to concatenated 5-bit values. - Assumes that there is sufficient space available to unpack. - Can perform in-place. */ -void PQCLEAN_MQDSS64_AVX2_gf31_npack(uint8_t *out, const gf31 *in, size_t n) { - unsigned int i = 0; - unsigned int j; - int d = 3; - - for (j = 0; j < n; j++) { - assert(in[j] < 31); - } - - /* There will be ceil(5n / 8) output blocks */ - memset(out, 0, (size_t)((5 * n + 7) & ~7U) >> 3); - - for (j = 0; j < n; j++) { - if (d < 0) { - d += 8; - out[i] = (uint8_t)((out[i] & (255 << (d - 3))) | - ((in[j] >> (8 - d)) & ~(255 << (d - 3)))); - i++; - } - out[i] = (uint8_t)((out[i] & ~(31 << d)) | ((in[j] << d) & (31 << d))); - d -= 5; - } -} 
diff --git a/crypto_sign/mqdss-64/avx2/gf31.h b/crypto_sign/mqdss-64/avx2/gf31.h deleted file mode 100644 index 556df9be..00000000 --- a/crypto_sign/mqdss-64/avx2/gf31.h +++ /dev/null @@ -1,36 +0,0 @@ -#ifndef MQDSS_GF31_H -#define MQDSS_GF31_H - -#include -#include - -typedef unsigned short gf31; - -/* Given a vector of elements in the range [0, 31], this reduces the elements - to the range [0, 30] by mapping 31 to 0 (i.e reduction mod 31) */ -void PQCLEAN_MQDSS64_AVX2_vgf31_unique(gf31 *out, gf31 *in); - -/* Given a vector of 16-bit integers (i.e. in [0, 65535], this reduces the - elements to the range [0, 30] by mapping 31 to 0 (i.e reduction mod 31) */ -void PQCLEAN_MQDSS64_AVX2_vgf31_shorten_unique(gf31 *out, gf31 *in); - -/* Given a seed, samples len gf31 elements (in the range [0, 30]), and places - them in a vector of 16-bit elements */ -void PQCLEAN_MQDSS64_AVX2_gf31_nrand(gf31 *out, size_t len, const uint8_t *seed, size_t seedlen); - -/* Given a seed, samples len gf31 elements, transposed into unsigned range, - i.e. in the range [-15, 15], and places them in an array of 8-bit integers. - This is used for the expansion of F, which wants packed elements. */ -void PQCLEAN_MQDSS64_AVX2_gf31_nrand_schar(signed char *out, size_t len, const uint8_t *seed, size_t seedlen); - -/* Unpacks an array of packed GF31 elements to one element per gf31. - Assumes that there is sufficient empty space available at the end of the - array to unpack. Can perform in-place. */ -void PQCLEAN_MQDSS64_AVX2_gf31_nunpack(gf31 *out, const uint8_t *in, size_t n); - -/* Packs an array of GF31 elements from gf31's to concatenated 5-bit values. - Assumes that there is sufficient space available to unpack. - Can perform in-place. */ -void PQCLEAN_MQDSS64_AVX2_gf31_npack(uint8_t *out, const gf31 *in, size_t n); - -#endif diff --git a/crypto_sign/mqdss-64/avx2/mq.c b/crypto_sign/mqdss-64/avx2/mq.c deleted file mode 100644 index b44e85fe..00000000 
--- a/crypto_sign/mqdss-64/avx2/mq.c
+++ /dev/null
@@ -1,239 +0,0 @@ -#include "mq.h" -#include "params.h" -#include -#include - -static inline __m256i reduce_16(__m256i r, __m256i _w31, __m256i _w2114) { - __m256i exp = _mm256_mulhi_epi16(r, _w2114); - return _mm256_sub_epi16(r, _mm256_mullo_epi16(_w31, exp)); -} - -/* Computes all products x_i * x_j, returns in reduced form */ -inline static -void generate_quadratic_terms( unsigned char *xij, const gf31 *x ) { - __m256i mask_2114 = _mm256_set1_epi16( 2114 ); - __m256i mask_31 = _mm256_set1_epi16( 31 ); - __m256i xi[4]; - xi[0] = _mm256_loadu_si256((__m256i const *) (x)); - xi[1] = _mm256_loadu_si256((__m256i const *) (x + 16)); - xi[2] = _mm256_loadu_si256((__m256i const *) (x + 32)); - xi[3] = _mm256_loadu_si256((__m256i const *) (x + 48)); - - __m256i xixj[4]; - xixj[0] = _mm256_setzero_si256(); - xixj[1] = _mm256_setzero_si256(); - xixj[2] = _mm256_setzero_si256(); - xixj[3] = _mm256_setzero_si256(); - - int k = 0; - for (int i = 0; i < 32; i++) { - __m256i br_xi = _mm256_set1_epi16( (short)x[i] ); - for (int j = 0; j <= (i >> 4); j++) { - xixj[j] = _mm256_mullo_epi16( xi[j], br_xi ); - xixj[j] = reduce_16( xixj[j], mask_31, mask_2114 ); - } - - __m256i r = _mm256_packs_epi16(xixj[0], xixj[1]); - r = _mm256_permute4x64_epi64(r, 0xd8); // 3,1,2,0 - _mm256_storeu_si256( (__m256i *)( xij + k ), r ); - k += i + 1; - } - - for (int i = 32; i < N; i++) { - __m256i br_xi = _mm256_set1_epi16( (short)x[i] ); - for (int j = 0; j <= (i >> 4); j++) { - xixj[j] = _mm256_mullo_epi16( xi[j], br_xi ); - xixj[j] = reduce_16( xixj[j], mask_31, mask_2114 ); - } - - __m256i r0 = _mm256_packs_epi16(xixj[0], xixj[1]); - r0 = _mm256_permute4x64_epi64(r0, 0xd8); // 3,1,2,0 - _mm256_storeu_si256( (__m256i *)( xij + k ), r0 ); - __m256i r1 = _mm256_packs_epi16(xixj[2], xixj[3]); - r1 = _mm256_permute4x64_epi64(r1, 0xd8); // 3,1,2,0 - _mm256_storeu_si256( (__m256i *)( xij + 32 + k ), r1 ); - k += i + 1; - } -} - -/* Computes all terms (x_i * y_j) + (x_j * y_i), returns in reduced form 
*/ -inline static -void generate_xiyj_p_xjyi_terms( unsigned char *xij, const gf31 *x, const gf31 *y ) { - __m256i mask_2114 = _mm256_set1_epi16( 2114 ); - __m256i mask_31 = _mm256_set1_epi16( 31 ); - __m256i xiyi[4]; - xiyi[0] = _mm256_xor_si256(_mm256_loadu_si256((__m256i const *) (x)), _mm256_slli_si256( _mm256_loadu_si256((__m256i const *) (y)), 1 )); - xiyi[1] = _mm256_xor_si256(_mm256_loadu_si256((__m256i const *) (x + 16)), _mm256_slli_si256( _mm256_loadu_si256((__m256i const *) (y + 16)), 1 )); - xiyi[2] = _mm256_xor_si256(_mm256_loadu_si256((__m256i const *) (x + 32)), _mm256_slli_si256( _mm256_loadu_si256((__m256i const *) (y + 32)), 1 )); - xiyi[3] = _mm256_xor_si256(_mm256_loadu_si256((__m256i const *) (x + 48)), _mm256_slli_si256( _mm256_loadu_si256((__m256i const *) (y + 48)), 1 )); - - __m256i xixj[4]; - xixj[0] = _mm256_setzero_si256(); - xixj[1] = _mm256_setzero_si256(); - xixj[2] = _mm256_setzero_si256(); - xixj[3] = _mm256_setzero_si256(); - - int k = 0; - for (int i = 0; i < 32; i++) { - __m256i br_yixi = _mm256_set1_epi16( (short)((x[i] << 8)^y[i]) ); - for (int j = 0; j <= (i >> 4); j++) { - xixj[j] = _mm256_maddubs_epi16( xiyi[j], br_yixi ); - xixj[j] = reduce_16( xixj[j], mask_31, mask_2114 ); - } - - __m256i r = _mm256_packs_epi16(xixj[0], xixj[1]); - r = _mm256_permute4x64_epi64(r, 0xd8); // 3,1,2,0 - _mm256_storeu_si256( (__m256i *)( xij + k ), r ); - k += i + 1; - } - - for (int i = 32; i < N; i++) { - __m256i br_yixi = _mm256_set1_epi16( (short)((x[i] << 8)^y[i]) ); - for (int j = 0; j <= (i >> 4); j++) { - xixj[j] = _mm256_maddubs_epi16( xiyi[j], br_yixi ); - xixj[j] = reduce_16( xixj[j], mask_31, mask_2114 ); - } - - __m256i r0 = _mm256_packs_epi16(xixj[0], xixj[1]); - r0 = _mm256_permute4x64_epi64(r0, 0xd8); // 3,1,2,0 - _mm256_storeu_si256( (__m256i *)( xij + k ), r0 ); - __m256i r1 = _mm256_packs_epi16(xixj[2], xixj[3]); - r1 = _mm256_permute4x64_epi64(r1, 0xd8); // 3,1,2,0 - _mm256_storeu_si256( (__m256i *)( xij + 32 + k ), r1 ); 
- k += i + 1; - } -} - -#define EVAL_YMM_0(xx) {\ - __m128i tmp = _mm256_castsi256_si128(xx); \ - for (int macro_i = 0; macro_i < 8; macro_i++) { \ - __m256i _xi = _mm256_broadcastw_epi16(tmp); \ - tmp = _mm_srli_si128(tmp, 2); \ - for (int macro_j = 0; macro_j < (N/16); macro_j++) { \ - __m256i coeff = _mm256_loadu_si256((__m256i const *) F); \ - F += 32; \ - yy[macro_j] = _mm256_add_epi16(yy[macro_j], _mm256_maddubs_epi16(_xi, coeff)); \ - } \ - } \ - } - -#define EVAL_YMM_1(xx) {\ - __m128i tmp = _mm256_extracti128_si256(xx, 1); \ - for (int macro_i = 0; macro_i < 8; macro_i++) { \ - __m256i _xi = _mm256_broadcastw_epi16(tmp); \ - tmp = _mm_srli_si128(tmp, 2); \ - for (int macro_j = 0; macro_j < (N/16); macro_j++) { \ - __m256i coeff = _mm256_loadu_si256((__m256i const *) F); \ - F += 32; \ - yy[macro_j] = _mm256_add_epi16(yy[macro_j], _mm256_maddubs_epi16(_xi, coeff)); \ - } \ - } \ - } - -#define REDUCE_(yy) { \ - (yy)[0] = reduce_16((yy)[0], mask_reduce, mask_2114); \ - (yy)[1] = reduce_16((yy)[1], mask_reduce, mask_2114); \ - (yy)[2] = reduce_16((yy)[2], mask_reduce, mask_2114); \ - (yy)[3] = reduce_16((yy)[3], mask_reduce, mask_2114); \ - } - - -/* Evaluates the MQ function on a vector of N gf31 elements x (expected to be - in reduced 5-bit representation). Expects the coefficients in F to be in - signed representation (i.e. [-15, 15], packed bytewise). - Outputs M gf31 elements in unique 16-bit representation as fx. 
*/ -void PQCLEAN_MQDSS64_AVX2_MQ(gf31 *fx, const gf31 *x, const signed char *F) { - __m256i mask_2114 = _mm256_set1_epi32(2114 * 65536 + 2114); - __m256i mask_reduce = _mm256_srli_epi16(_mm256_cmpeq_epi16(mask_2114, mask_2114), 11); - - __m256i xi[4]; - xi[0] = _mm256_loadu_si256((__m256i const *) (x)); - xi[1] = _mm256_loadu_si256((__m256i const *) (x + 16)); - xi[2] = _mm256_loadu_si256((__m256i const *) (x + 32)); - xi[3] = _mm256_loadu_si256((__m256i const *) (x + 48)); - - __m256i _zero = _mm256_setzero_si256(); - xi[0] = _mm256_add_epi16(_mm256_and_si256(mask_reduce, _mm256_cmpgt_epi16(_zero, xi[0])), xi[0]); - xi[1] = _mm256_add_epi16(_mm256_and_si256(mask_reduce, _mm256_cmpgt_epi16(_zero, xi[1])), xi[1]); - xi[2] = _mm256_add_epi16(_mm256_and_si256(mask_reduce, _mm256_cmpgt_epi16(_zero, xi[2])), xi[2]); - xi[3] = _mm256_add_epi16(_mm256_and_si256(mask_reduce, _mm256_cmpgt_epi16(_zero, xi[3])), xi[3]); - - __m256i x1 = _mm256_packs_epi16(xi[0], xi[1]); - x1 = _mm256_permute4x64_epi64(x1, 0xd8); // 3,1,2,0 - __m256i x2 = _mm256_packs_epi16(xi[2], xi[3]); - x2 = _mm256_permute4x64_epi64(x2, 0xd8); // 3,1,2,0 - - __m256i yy[M / 16]; - yy[0] = _zero; - yy[1] = _zero; - yy[2] = _zero; - yy[3] = _zero; - - EVAL_YMM_0(x1) - EVAL_YMM_1(x1) - EVAL_YMM_0(x2) - EVAL_YMM_1(x2) - REDUCE_(yy) - - __m256i xixj[65]; - generate_quadratic_terms( (unsigned char *) xixj, x ); - for (int i = 0 ; i < 64 ; i += 2) { - EVAL_YMM_0(xixj[i]) - EVAL_YMM_1(xixj[i]) - EVAL_YMM_0(xixj[i + 1]) - EVAL_YMM_1(xixj[i + 1]) - REDUCE_(yy) - } - EVAL_YMM_0(xixj[64]) - EVAL_YMM_1(xixj[64]) - REDUCE_(yy) - - yy[0] = _mm256_add_epi16(_mm256_and_si256(mask_reduce, _mm256_cmpgt_epi16(_mm256_setzero_si256(), yy[0])), yy[0]); - yy[1] = _mm256_add_epi16(_mm256_and_si256(mask_reduce, _mm256_cmpgt_epi16(_mm256_setzero_si256(), yy[1])), yy[1]); - yy[2] = _mm256_add_epi16(_mm256_and_si256(mask_reduce, _mm256_cmpgt_epi16(_mm256_setzero_si256(), yy[2])), yy[2]); - yy[3] = 
_mm256_add_epi16(_mm256_and_si256(mask_reduce, _mm256_cmpgt_epi16(_mm256_setzero_si256(), yy[3])), yy[3]); - - for (int i = 0; i < (N / 16); ++i) { - _mm256_storeu_si256((__m256i *)(fx + i * 16), yy[i]); - } -} - -/* Evaluates the bilinear polar form of the MQ function (i.e. G) on a vector of - N gf31 elements x (expected to be in reduced 5-bit representation). Expects - the coefficients in F to be in signed representation (i.e. [-15, 15], packed - bytewise). Outputs M gf31 elements in unique 16-bit representation as fx. */ -void PQCLEAN_MQDSS64_AVX2_G(gf31 *fx, const gf31 *x, const gf31 *y, const signed char *F) { - __m256i mask_2114 = _mm256_set1_epi32(2114 * 65536 + 2114); - __m256i mask_reduce = _mm256_srli_epi16(_mm256_cmpeq_epi16(mask_2114, mask_2114), 11); - __m256i _zero = _mm256_setzero_si256(); - - __m256i yy[(M / 16)]; - yy[0] = _zero; - yy[1] = _zero; - yy[2] = _zero; - yy[3] = _zero; - - F += N * M; - - __m256i xixj[65]; - generate_xiyj_p_xjyi_terms( (unsigned char *) xixj, x, y ); - for (int i = 0 ; i < 64 ; i += 2) { - EVAL_YMM_0(xixj[i]) - EVAL_YMM_1(xixj[i]) - EVAL_YMM_0(xixj[i + 1]) - EVAL_YMM_1(xixj[i + 1]) - REDUCE_(yy) - } - EVAL_YMM_0(xixj[64]) - EVAL_YMM_1(xixj[64]) - REDUCE_(yy) - - yy[0] = _mm256_add_epi16(_mm256_and_si256(mask_reduce, _mm256_cmpgt_epi16(_mm256_setzero_si256(), yy[0])), yy[0]); - yy[1] = _mm256_add_epi16(_mm256_and_si256(mask_reduce, _mm256_cmpgt_epi16(_mm256_setzero_si256(), yy[1])), yy[1]); - yy[2] = _mm256_add_epi16(_mm256_and_si256(mask_reduce, _mm256_cmpgt_epi16(_mm256_setzero_si256(), yy[2])), yy[2]); - yy[3] = _mm256_add_epi16(_mm256_and_si256(mask_reduce, _mm256_cmpgt_epi16(_mm256_setzero_si256(), yy[3])), yy[3]); - - for (int i = 0; i < (N / 16); ++i) { - _mm256_storeu_si256((__m256i *)(fx + i * 16), yy[i]); - } -} diff --git a/crypto_sign/mqdss-64/avx2/mq.h b/crypto_sign/mqdss-64/avx2/mq.h deleted file mode 100644 index 179555a3..00000000 --- a/crypto_sign/mqdss-64/avx2/mq.h +++ /dev/null 
@@ -1,18 +0,0 @@ -#ifndef MQDSS_MQ_H -#define MQDSS_MQ_H - -#include "gf31.h" - -/* Evaluates the MQ function on a vector of N gf31 elements x (expected to be - in reduced 5-bit representation). Expects the coefficients in F to be in - signed representation (i.e. [-15, 15], packed bytewise). - Outputs M gf31 elements in unique 16-bit representation as fx. */ -void PQCLEAN_MQDSS64_AVX2_MQ(gf31 *fx, const gf31 *x, const signed char *F); - -/* Evaluates the bilinear polar form of the MQ function (i.e. G) on a vector of - N gf31 elements x (expected to be in reduced 5-bit representation). Expects - the coefficients in F to be in signed representation (i.e. [-15, 15], packed - bytewise). Outputs M gf31 elements in unique 16-bit representation as fx. */ -void PQCLEAN_MQDSS64_AVX2_G(gf31 *fx, const gf31 *x, const gf31 *y, const signed char *F); - -#endif diff --git a/crypto_sign/mqdss-64/avx2/params.h b/crypto_sign/mqdss-64/avx2/params.h deleted file mode 100644 index d0278f01..00000000 --- a/crypto_sign/mqdss-64/avx2/params.h +++ /dev/null @@ -1,25 +0,0 @@ -#ifndef MQDSS_PARAMS_H -#define MQDSS_PARAMS_H - -#define N 64 -#define M N -#define F_LEN (M * (((N * (N + 1)) >> 1) + N)) /* Number of elements in F */ - -#define ROUNDS 277 - -/* Number of bytes that N, M and F_LEN elements require when packed into a byte - array, 5-bit elements packed continuously. */ -/* Assumes N and M to be multiples of 8 */ -#define NPACKED_BYTES ((N * 5) >> 3) -#define MPACKED_BYTES ((M * 5) >> 3) -#define FPACKED_BYTES ((F_LEN * 5) >> 3) - -#define HASH_BYTES 48 -#define SEED_BYTES 24 -#define PK_BYTES (SEED_BYTES + MPACKED_BYTES) -#define SK_BYTES SEED_BYTES - -// R, sigma_0, ROUNDS * (t1, r{0,1}, e1, c, rho) -#define SIG_LEN (2 * HASH_BYTES + ROUNDS * (2*NPACKED_BYTES + MPACKED_BYTES + HASH_BYTES + HASH_BYTES)) - -#endif diff --git a/crypto_sign/mqdss-64/avx2/sign.c b/crypto_sign/mqdss-64/avx2/sign.c deleted file mode 100644 index 47940a5b..00000000 
--- a/crypto_sign/mqdss-64/avx2/sign.c
+++ /dev/null
@@ -1,389 +0,0 @@ -#include -#include -#include - -#include "api.h" -#include "fips202.h" -#include "gf31.h" -#include "mq.h" -#include "params.h" -#include "randombytes.h" - -/* Takes an array of len bytes and computes a hash digest. - This is used as a hash function in the Fiat-Shamir transform. */ -static void H(unsigned char *out, const unsigned char *in, const size_t len) { - shake256(out, HASH_BYTES, in, len); -} - -/* Takes two arrays of N packed elements and an array of M packed elements, - and computes a HASH_BYTES commitment. */ -static void com_0(unsigned char *c, - const unsigned char *rho, - const unsigned char *inn, const unsigned char *inn2, - const unsigned char *inm) { - unsigned char buffer[HASH_BYTES + 2 * NPACKED_BYTES + MPACKED_BYTES]; - memcpy(buffer, rho, HASH_BYTES); - memcpy(buffer + HASH_BYTES, inn, NPACKED_BYTES); - memcpy(buffer + HASH_BYTES + NPACKED_BYTES, inn2, NPACKED_BYTES); - memcpy(buffer + HASH_BYTES + 2 * NPACKED_BYTES, inm, MPACKED_BYTES); - shake256(c, HASH_BYTES, buffer, HASH_BYTES + 2 * NPACKED_BYTES + MPACKED_BYTES); -} - -/* Takes an array of N packed elements and an array of M packed elements, - and computes a HASH_BYTES commitment. */ -static void com_1(unsigned char *c, - const unsigned char *rho, - const unsigned char *inn, const unsigned char *inm) { - unsigned char buffer[HASH_BYTES + NPACKED_BYTES + MPACKED_BYTES]; - memcpy(buffer, rho, HASH_BYTES); - memcpy(buffer + HASH_BYTES, inn, NPACKED_BYTES); - memcpy(buffer + HASH_BYTES + NPACKED_BYTES, inm, MPACKED_BYTES); - shake256(c, HASH_BYTES, buffer, HASH_BYTES + NPACKED_BYTES + MPACKED_BYTES); -} - -/* - * Generates an MQDSS key pair. - */ -int PQCLEAN_MQDSS64_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { - signed char F[F_LEN]; - unsigned char skbuf[SEED_BYTES * 2]; - gf31 sk_gf31[N]; - gf31 pk_gf31[M]; - - // Expand sk to obtain a seed for F and the secret input s. 
- // We also expand to obtain a value for sampling r0, t0 and e0 during - // signature generation, but that is not relevant here. - randombytes(sk, SEED_BYTES); - shake256(skbuf, SEED_BYTES * 2, sk, SEED_BYTES); - - memcpy(pk, skbuf, SEED_BYTES); - PQCLEAN_MQDSS64_AVX2_gf31_nrand_schar(F, F_LEN, pk, SEED_BYTES); - PQCLEAN_MQDSS64_AVX2_gf31_nrand(sk_gf31, N, skbuf + SEED_BYTES, SEED_BYTES); - PQCLEAN_MQDSS64_AVX2_MQ(pk_gf31, sk_gf31, F); - PQCLEAN_MQDSS64_AVX2_vgf31_unique(pk_gf31, pk_gf31); - PQCLEAN_MQDSS64_AVX2_gf31_npack(pk + SEED_BYTES, pk_gf31, M); - - return 0; -} - -/** - * Returns an array containing a detached signature. - */ -int PQCLEAN_MQDSS64_AVX2_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - - signed char F[F_LEN]; - unsigned char skbuf[SEED_BYTES * 4]; - gf31 pk_gf31[M]; - unsigned char pk[SEED_BYTES + MPACKED_BYTES]; - // Concatenated for convenient hashing. - unsigned char D_sigma0_h0_sigma1[HASH_BYTES * 3 + ROUNDS * (NPACKED_BYTES + MPACKED_BYTES)]; - unsigned char *D = D_sigma0_h0_sigma1; - unsigned char *sigma0 = D_sigma0_h0_sigma1 + HASH_BYTES; - unsigned char *h0 = D_sigma0_h0_sigma1 + 2 * HASH_BYTES; - unsigned char *t1packed = D_sigma0_h0_sigma1 + 3 * HASH_BYTES; - unsigned char *e1packed = D_sigma0_h0_sigma1 + 3 * HASH_BYTES + ROUNDS * NPACKED_BYTES; - shake256ctx shakestate; - unsigned char shakeblock[SHAKE256_RATE]; - unsigned char h1[((ROUNDS + 7) & ~7) >> 3]; - unsigned char rnd_seed[HASH_BYTES + SEED_BYTES]; - unsigned char rho[2 * ROUNDS * HASH_BYTES]; - unsigned char *rho0 = rho; - unsigned char *rho1 = rho + ROUNDS * HASH_BYTES; - gf31 sk_gf31[N]; - gf31 rnd[(2 * N + M) * ROUNDS]; // Concatenated for easy RNG. 
- gf31 *r0 = rnd; - gf31 *t0 = rnd + N * ROUNDS; - gf31 *e0 = rnd + 2 * N * ROUNDS; - gf31 r1[N * ROUNDS]; - gf31 t1[N * ROUNDS]; - gf31 e1[M * ROUNDS]; - gf31 gx[M * ROUNDS]; - unsigned char packbuf0[NPACKED_BYTES]; - unsigned char packbuf1[NPACKED_BYTES]; - unsigned char packbuf2[MPACKED_BYTES]; - unsigned char c[HASH_BYTES * ROUNDS * 2]; - gf31 alpha; - int alpha_count = 0; - int b; - int i, j; - shake256incctx state; - - shake256(skbuf, SEED_BYTES * 4, sk, SEED_BYTES); - - PQCLEAN_MQDSS64_AVX2_gf31_nrand_schar(F, F_LEN, skbuf, SEED_BYTES); - - shake256_inc_init(&state); - shake256_inc_absorb(&state, sk, SEED_BYTES); - shake256_inc_absorb(&state, m, mlen); - shake256_inc_finalize(&state); - shake256_inc_squeeze(sig, HASH_BYTES, &state); // Compute R. - shake256_inc_ctx_release(&state); - - memcpy(pk, skbuf, SEED_BYTES); - PQCLEAN_MQDSS64_AVX2_gf31_nrand(sk_gf31, N, skbuf + SEED_BYTES, SEED_BYTES); - PQCLEAN_MQDSS64_AVX2_MQ(pk_gf31, sk_gf31, F); - PQCLEAN_MQDSS64_AVX2_vgf31_unique(pk_gf31, pk_gf31); - PQCLEAN_MQDSS64_AVX2_gf31_npack(pk + SEED_BYTES, pk_gf31, M); - - shake256_inc_init(&state); - shake256_inc_absorb(&state, pk, PK_BYTES); - shake256_inc_absorb(&state, sig, HASH_BYTES); - shake256_inc_absorb(&state, m, mlen); - shake256_inc_finalize(&state); - shake256_inc_squeeze(D, HASH_BYTES, &state); - shake256_inc_ctx_release(&state); - - sig += HASH_BYTES; // Compensate for prefixed R. 
- - memcpy(rnd_seed, skbuf + 2 * SEED_BYTES, SEED_BYTES); - memcpy(rnd_seed + SEED_BYTES, D, HASH_BYTES); - shake256(rho, 2 * ROUNDS * HASH_BYTES, rnd_seed, SEED_BYTES + HASH_BYTES); - - memcpy(rnd_seed, skbuf + 3 * SEED_BYTES, SEED_BYTES); - memcpy(rnd_seed + SEED_BYTES, D, HASH_BYTES); - PQCLEAN_MQDSS64_AVX2_gf31_nrand(rnd, (2 * N + M) * ROUNDS, rnd_seed, SEED_BYTES + HASH_BYTES); - - for (i = 0; i < ROUNDS; i++) { - for (j = 0; j < N; j++) { - r1[j + i * N] = (gf31)(31 + sk_gf31[j] - r0[j + i * N]); - } - PQCLEAN_MQDSS64_AVX2_G(gx + i * M, t0 + i * N, r1 + i * N, F); - } - for (i = 0; i < ROUNDS * M; i++) { - gx[i] = (gf31)(gx[i] + e0[i]); - } - for (i = 0; i < ROUNDS; i++) { - PQCLEAN_MQDSS64_AVX2_gf31_npack(packbuf0, r0 + i * N, N); - PQCLEAN_MQDSS64_AVX2_gf31_npack(packbuf1, t0 + i * N, N); - PQCLEAN_MQDSS64_AVX2_gf31_npack(packbuf2, e0 + i * M, M); - com_0(c + HASH_BYTES * (2 * i + 0), rho0 + i * HASH_BYTES, packbuf0, packbuf1, packbuf2); - PQCLEAN_MQDSS64_AVX2_vgf31_shorten_unique(r1 + i * N, r1 + i * N); - PQCLEAN_MQDSS64_AVX2_vgf31_shorten_unique(gx + i * M, gx + i * M); - PQCLEAN_MQDSS64_AVX2_gf31_npack(packbuf0, r1 + i * N, N); - PQCLEAN_MQDSS64_AVX2_gf31_npack(packbuf1, gx + i * M, M); - com_1(c + HASH_BYTES * (2 * i + 1), rho1 + i * HASH_BYTES, packbuf0, packbuf1); - } - - H(sigma0, c, HASH_BYTES * ROUNDS * 2); // Compute sigma_0. - shake256_absorb(&shakestate, D_sigma0_h0_sigma1, 2 * HASH_BYTES); - shake256_squeezeblocks(shakeblock, 1, &shakestate); - - memcpy(h0, shakeblock, HASH_BYTES); - - memcpy(sig, sigma0, HASH_BYTES); - sig += HASH_BYTES; // Compensate for sigma_0. 
- - for (i = 0; i < ROUNDS; i++) { - do { - alpha = shakeblock[alpha_count] & 31; - alpha_count++; - if (alpha_count == SHAKE256_RATE) { - alpha_count = 0; - shake256_squeezeblocks(shakeblock, 1, &shakestate); - } - } while (alpha == 31); - for (j = 0; j < N; j++) { - t1[i * N + j] = (gf31)(alpha * r0[j + i * N] - t0[j + i * N] + 31); - } - PQCLEAN_MQDSS64_AVX2_MQ(e1 + i * M, r0 + i * N, F); - for (j = 0; j < N; j++) { - e1[i * N + j] = (gf31)(alpha * e1[j + i * M] - e0[j + i * M] + 31); - } - PQCLEAN_MQDSS64_AVX2_vgf31_shorten_unique(t1 + i * N, t1 + i * N); - PQCLEAN_MQDSS64_AVX2_vgf31_shorten_unique(e1 + i * N, e1 + i * N); - } - shake256_ctx_release(&shakestate); - - PQCLEAN_MQDSS64_AVX2_gf31_npack(t1packed, t1, N * ROUNDS); - PQCLEAN_MQDSS64_AVX2_gf31_npack(e1packed, e1, M * ROUNDS); - - memcpy(sig, t1packed, NPACKED_BYTES * ROUNDS); - sig += NPACKED_BYTES * ROUNDS; - memcpy(sig, e1packed, MPACKED_BYTES * ROUNDS); - sig += MPACKED_BYTES * ROUNDS; - - shake256(h1, ((ROUNDS + 7) & ~7) >> 3, D_sigma0_h0_sigma1, 3 * HASH_BYTES + ROUNDS * (NPACKED_BYTES + MPACKED_BYTES)); - - for (i = 0; i < ROUNDS; i++) { - b = (h1[(i >> 3)] >> (i & 7)) & 1; - if (b == 0) { - PQCLEAN_MQDSS64_AVX2_gf31_npack(sig, r0 + i * N, N); - } else if (b == 1) { - PQCLEAN_MQDSS64_AVX2_gf31_npack(sig, r1 + i * N, N); - } - memcpy(sig + NPACKED_BYTES, c + HASH_BYTES * (2 * i + (1 - b)), HASH_BYTES); - memcpy(sig + NPACKED_BYTES + HASH_BYTES, rho + (i + b * ROUNDS) * HASH_BYTES, HASH_BYTES); - sig += NPACKED_BYTES + 2 * HASH_BYTES; - } - - *siglen = SIG_LEN; - return 0; -} - -/** - * Verifies a detached signature and message under a given public key. - */ -int PQCLEAN_MQDSS64_AVX2_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk) { - - gf31 r[N]; - gf31 t[N]; - gf31 e[M]; - signed char F[F_LEN]; - gf31 pk_gf31[M]; - // Concatenated for convenient hashing. 
- unsigned char D_sigma0_h0_sigma1[HASH_BYTES * 3 + ROUNDS * (NPACKED_BYTES + MPACKED_BYTES)]; - unsigned char *D = D_sigma0_h0_sigma1; - unsigned char *sigma0 = D_sigma0_h0_sigma1 + HASH_BYTES; - unsigned char *h0 = D_sigma0_h0_sigma1 + 2 * HASH_BYTES; - unsigned char *t1packed = D_sigma0_h0_sigma1 + 3 * HASH_BYTES; - unsigned char *e1packed = D_sigma0_h0_sigma1 + 3 * HASH_BYTES + ROUNDS * NPACKED_BYTES; - unsigned char h1[((ROUNDS + 7) & ~7) >> 3]; - unsigned char c[HASH_BYTES * ROUNDS * 2]; - memset(c, 0, HASH_BYTES * 2); - gf31 x[N]; - gf31 y[M]; - gf31 z[M]; - unsigned char packbuf0[NPACKED_BYTES]; - unsigned char packbuf1[MPACKED_BYTES]; - shake256ctx shakestate; - unsigned char shakeblock[SHAKE256_RATE]; - int i, j; - gf31 alpha; - int alpha_count = 0; - int b; - shake256incctx state; - - if (siglen != SIG_LEN) { - return -1; - } - - shake256_inc_init(&state); - shake256_inc_absorb(&state, pk, PK_BYTES); - shake256_inc_absorb(&state, sig, HASH_BYTES); - shake256_inc_absorb(&state, m, mlen); - shake256_inc_finalize(&state); - shake256_inc_squeeze(D, HASH_BYTES, &state); - shake256_inc_ctx_release(&state); - - sig += HASH_BYTES; - - PQCLEAN_MQDSS64_AVX2_gf31_nrand_schar(F, F_LEN, pk, SEED_BYTES); - pk += SEED_BYTES; - PQCLEAN_MQDSS64_AVX2_gf31_nunpack(pk_gf31, pk, M); - - memcpy(sigma0, sig, HASH_BYTES); - - shake256_absorb(&shakestate, D_sigma0_h0_sigma1, 2 * HASH_BYTES); - shake256_squeezeblocks(shakeblock, 1, &shakestate); - - memcpy(h0, shakeblock, HASH_BYTES); - - sig += HASH_BYTES; - - memcpy(t1packed, sig, ROUNDS * NPACKED_BYTES); - sig += ROUNDS * NPACKED_BYTES; - memcpy(e1packed, sig, ROUNDS * MPACKED_BYTES); - sig += ROUNDS * MPACKED_BYTES; - - shake256(h1, ((ROUNDS + 7) & ~7) >> 3, D_sigma0_h0_sigma1, 3 * HASH_BYTES + ROUNDS * (NPACKED_BYTES + MPACKED_BYTES)); - - for (i = 0; i < ROUNDS; i++) { - do { - alpha = shakeblock[alpha_count] & 31; - alpha_count++; - if (alpha_count == SHAKE256_RATE) { - alpha_count = 0; - shake256_squeezeblocks(shakeblock, 
1, &shakestate); - } - } while (alpha == 31); - b = (h1[(i >> 3)] >> (i & 7)) & 1; - - PQCLEAN_MQDSS64_AVX2_gf31_nunpack(r, sig, N); - PQCLEAN_MQDSS64_AVX2_gf31_nunpack(t, t1packed + NPACKED_BYTES * i, N); - PQCLEAN_MQDSS64_AVX2_gf31_nunpack(e, e1packed + MPACKED_BYTES * i, M); - - if (b == 0) { - PQCLEAN_MQDSS64_AVX2_MQ(y, r, F); - for (j = 0; j < N; j++) { - x[j] = (gf31)(alpha * r[j] - t[j] + 31); - } - for (j = 0; j < N; j++) { - y[j] = (gf31)(alpha * y[j] - e[j] + 31); - } - PQCLEAN_MQDSS64_AVX2_vgf31_shorten_unique(x, x); - PQCLEAN_MQDSS64_AVX2_vgf31_shorten_unique(y, y); - PQCLEAN_MQDSS64_AVX2_gf31_npack(packbuf0, x, N); - PQCLEAN_MQDSS64_AVX2_gf31_npack(packbuf1, y, M); - com_0(c + HASH_BYTES * (2 * i + 0), sig + HASH_BYTES + NPACKED_BYTES, sig, packbuf0, packbuf1); - } else { - PQCLEAN_MQDSS64_AVX2_MQ(y, r, F); - PQCLEAN_MQDSS64_AVX2_G(z, t, r, F); - for (j = 0; j < N; j++) { - y[j] = (gf31)(alpha * (31 + pk_gf31[j] - y[j]) - z[j] - e[j] + 62); - } - PQCLEAN_MQDSS64_AVX2_vgf31_shorten_unique(y, y); - PQCLEAN_MQDSS64_AVX2_gf31_npack(packbuf0, y, M); - com_1(c + HASH_BYTES * (2 * i + 1), sig + HASH_BYTES + NPACKED_BYTES, sig, packbuf0); - } - memcpy(c + HASH_BYTES * (2 * i + (1 - b)), sig + NPACKED_BYTES, HASH_BYTES); - sig += NPACKED_BYTES + 2 * HASH_BYTES; - } - shake256_ctx_release(&shakestate); - - H(c, c, HASH_BYTES * ROUNDS * 2); - if (memcmp(c, sigma0, HASH_BYTES) != 0) { - return -1; - } - - return 0; -} - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_MQDSS64_AVX2_crypto_sign( - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - size_t siglen; - - PQCLEAN_MQDSS64_AVX2_crypto_sign_signature( - sm, &siglen, m, mlen, sk); - - memmove(sm + SIG_LEN, m, mlen); - *smlen = siglen + mlen; - - return 0; -} - -/** - * Verifies a given signature-message pair under a given public key. 
- */ -int PQCLEAN_MQDSS64_AVX2_crypto_sign_open( - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, const uint8_t *pk) { - /* The API caller does not necessarily know what size a signature should be - but MQDSS signatures are always exactly SIG_LEN. */ - if (smlen < SIG_LEN) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - *mlen = smlen - SIG_LEN; - - if (PQCLEAN_MQDSS64_AVX2_crypto_sign_verify( - sm, SIG_LEN, sm + SIG_LEN, *mlen, pk)) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - /* If verification was successful, move the message to the right place. */ - memmove(m, sm + SIG_LEN, *mlen); - - return 0; -} diff --git a/crypto_sign/mqdss-64/clean/LICENSE b/crypto_sign/mqdss-64/clean/LICENSE deleted file mode 100644 index 670154e3..00000000 --- a/crypto_sign/mqdss-64/clean/LICENSE +++ /dev/null 
@@ -1,116 +0,0 @@ -CC0 1.0 Universal - -Statement of Purpose - -The laws of most jurisdictions throughout the world automatically confer -exclusive Copyright and Related Rights (defined below) upon the creator and -subsequent owner(s) (each and all, an "owner") of an original work of -authorship and/or a database (each, a "Work"). - -Certain owners wish to permanently relinquish those rights to a Work for the -purpose of contributing to a commons of creative, cultural and scientific -works ("Commons") that the public can reliably and without fear of later -claims of infringement build upon, modify, incorporate in other works, reuse -and redistribute as freely as possible in any form whatsoever and for any -purposes, including without limitation commercial purposes. These owners may -contribute to the Commons to promote the ideal of a free culture and the -further production of creative, cultural and scientific works, or to gain -reputation or greater distribution for their Work in part through the use and -efforts of others. - -For these and/or other purposes and motivations, and without any expectation -of additional consideration or compensation, the person associating CC0 with a -Work (the "Affirmer"), to the extent that he or she is an owner of Copyright -and Related Rights in the Work, voluntarily elects to apply CC0 to the Work -and publicly distribute the Work under its terms, with knowledge of his or her -Copyright and Related Rights in the Work and the meaning and intended legal -effect of CC0 on those rights. - -1. Copyright and Related Rights. A Work made available under CC0 may be -protected by copyright and related or neighboring rights ("Copyright and -Related Rights"). Copyright and Related Rights include, but are not limited -to, the following: - - i. the right to reproduce, adapt, distribute, perform, display, communicate, - and translate a Work; - - ii. moral rights retained by the original author(s) and/or performer(s); - - iii. 
publicity and privacy rights pertaining to a person's image or likeness - depicted in a Work; - - iv. rights protecting against unfair competition in regards to a Work, - subject to the limitations in paragraph 4(a), below; - - v. rights protecting the extraction, dissemination, use and reuse of data in - a Work; - - vi. database rights (such as those arising under Directive 96/9/EC of the - European Parliament and of the Council of 11 March 1996 on the legal - protection of databases, and under any national implementation thereof, - including any amended or successor version of such directive); and - - vii. other similar, equivalent or corresponding rights throughout the world - based on applicable law or treaty, and any national implementations thereof. - -2. Waiver. To the greatest extent permitted by, but not in contravention of, -applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and -unconditionally waives, abandons, and surrenders all of Affirmer's Copyright -and Related Rights and associated claims and causes of action, whether now -known or unknown (including existing as well as future claims and causes of -action), in the Work (i) in all territories worldwide, (ii) for the maximum -duration provided by applicable law or treaty (including future time -extensions), (iii) in any current or future medium and for any number of -copies, and (iv) for any purpose whatsoever, including without limitation -commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes -the Waiver for the benefit of each member of the public at large and to the -detriment of Affirmer's heirs and successors, fully intending that such Waiver -shall not be subject to revocation, rescission, cancellation, termination, or -any other legal or equitable action to disrupt the quiet enjoyment of the Work -by the public as contemplated by Affirmer's express Statement of Purpose. - -3. Public License Fallback. 
Should any part of the Waiver for any reason be -judged legally invalid or ineffective under applicable law, then the Waiver -shall be preserved to the maximum extent permitted taking into account -Affirmer's express Statement of Purpose. In addition, to the extent the Waiver -is so judged Affirmer hereby grants to each affected person a royalty-free, -non transferable, non sublicensable, non exclusive, irrevocable and -unconditional license to exercise Affirmer's Copyright and Related Rights in -the Work (i) in all territories worldwide, (ii) for the maximum duration -provided by applicable law or treaty (including future time extensions), (iii) -in any current or future medium and for any number of copies, and (iv) for any -purpose whatsoever, including without limitation commercial, advertising or -promotional purposes (the "License"). The License shall be deemed effective as -of the date CC0 was applied by Affirmer to the Work. Should any part of the -License for any reason be judged legally invalid or ineffective under -applicable law, such partial invalidity or ineffectiveness shall not -invalidate the remainder of the License, and in such case Affirmer hereby -affirms that he or she will not (i) exercise any of his or her remaining -Copyright and Related Rights in the Work or (ii) assert any associated claims -and causes of action with respect to the Work, in either case contrary to -Affirmer's express Statement of Purpose. - -4. Limitations and Disclaimers. - - a. No trademark or patent rights held by Affirmer are waived, abandoned, - surrendered, licensed or otherwise affected by this document. - - b. 
Affirmer offers the Work as-is and makes no representations or warranties - of any kind concerning the Work, express, implied, statutory or otherwise, - including without limitation warranties of title, merchantability, fitness - for a particular purpose, non infringement, or the absence of latent or - other defects, accuracy, or the present or absence of errors, whether or not - discoverable, all to the greatest extent permissible under applicable law. - - c. Affirmer disclaims responsibility for clearing rights of other persons - that may apply to the Work or any use thereof, including without limitation - any person's Copyright and Related Rights in the Work. Further, Affirmer - disclaims responsibility for obtaining any necessary consents, permissions - or other rights required for any use of the Work. - - d. Affirmer understands and acknowledges that Creative Commons is not a - party to this document and has no duty or obligation with respect to this - CC0 or use of the Work. - -For more information, please see - diff --git a/crypto_sign/mqdss-64/clean/Makefile b/crypto_sign/mqdss-64/clean/Makefile deleted file mode 100644 index 1582ef72..00000000 --- a/crypto_sign/mqdss-64/clean/Makefile +++ /dev/null @@ -1,20 +0,0 @@ -# This Makefile can be used with GNU Make or BSD Make - -LIB=libmqdss-64_clean.a - -HEADERS = params.h gf31.h mq.h api.h -OBJECTS = gf31.o mq.o sign.o - -CFLAGS=-O3 -Wall -Wconversion -Wextra -Wpedantic -Wvla -Werror -Wmissing-prototypes -Wredundant-decls -std=c99 -I../../../common $(EXTRAFLAGS) - -all: $(LIB) - -%.o: %.c $(HEADERS) - $(CC) $(CFLAGS) -c -o $@ $< - -$(LIB): $(OBJECTS) - $(AR) -r $@ $(OBJECTS) - -clean: - $(RM) $(OBJECTS) - $(RM) $(LIB) diff --git a/crypto_sign/mqdss-64/clean/Makefile.Microsoft_nmake b/crypto_sign/mqdss-64/clean/Makefile.Microsoft_nmake deleted file mode 100644 index 7f3c172a..00000000 --- a/crypto_sign/mqdss-64/clean/Makefile.Microsoft_nmake +++ /dev/null 
@@ -1,19 +0,0 @@ -# This Makefile can be used with Microsoft Visual Studio's nmake using the command: -# nmake /f Makefile.Microsoft_nmake - -LIBRARY=libmqdss-64_clean.lib -OBJECTS=gf31.obj mq.obj sign.obj - -CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX - -all: $(LIBRARY) - -# Make sure objects are recompiled if headers change. -$(OBJECTS): *.h - -$(LIBRARY): $(OBJECTS) - LIB.EXE /NOLOGO /WX /OUT:$@ $** - -clean: - -DEL $(OBJECTS) - -DEL $(LIBRARY) diff --git a/crypto_sign/mqdss-64/clean/api.h b/crypto_sign/mqdss-64/clean/api.h deleted file mode 100644 index b44ce0e9..00000000 --- a/crypto_sign/mqdss-64/clean/api.h +++ /dev/null @@ -1,47 +0,0 @@ -#ifndef PQCLEAN_MQDSS64_CLEAN_API_H -#define PQCLEAN_MQDSS64_CLEAN_API_H - -#include -#include - -#define PQCLEAN_MQDSS64_CLEAN_CRYPTO_ALGNAME "MQDSS-64" - -#define PQCLEAN_MQDSS64_CLEAN_CRYPTO_SECRETKEYBYTES 24 -#define PQCLEAN_MQDSS64_CLEAN_CRYPTO_PUBLICKEYBYTES 64 -#define PQCLEAN_MQDSS64_CLEAN_CRYPTO_BYTES 59928 - -/* - * Generates an MQDSS key pair. - */ -int PQCLEAN_MQDSS64_CLEAN_crypto_sign_keypair( - uint8_t *pk, uint8_t *sk); - -/** - * Returns an array containing a detached signature. - */ -int PQCLEAN_MQDSS64_CLEAN_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk); - -/** - * Verifies a detached signature and message under a given public key. - */ -int PQCLEAN_MQDSS64_CLEAN_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk); - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_MQDSS64_CLEAN_crypto_sign( - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, const uint8_t *sk); - -/** - * Verifies a given signature-message pair under a given public key. - */ -int PQCLEAN_MQDSS64_CLEAN_crypto_sign_open( - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, const uint8_t *pk); - -#endif 
diff --git a/crypto_sign/mqdss-64/clean/gf31.c b/crypto_sign/mqdss-64/clean/gf31.c
deleted file mode 100644
index dac416b0..00000000
--- a/crypto_sign/mqdss-64/clean/gf31.c
+++ /dev/null
@@ -1,135 +0,0 @@ -#include -#include -#include -#include - -#include "fips202.h" -#include "gf31.h" -#include "params.h" - -/* This performs a full unique reduction mod 13 on x; x can be any unsigned - 16-bit integer (i.e. in the range [0, 65535]) */ -gf31 PQCLEAN_MQDSS64_CLEAN_mod31(gf31 x) { - gf31 t; - - t = (gf31)(x & 31); - x >>= 5; - t = (gf31)(t + (x & 31)); - x >>= 5; - t = (gf31)(t + (x & 31)); - x >>= 5; - t = (gf31)(t + (x & 31)); - - t = (gf31)((t >> 5) + (t & 31)); - t = (gf31)((t >> 5) + (t & 31)); - return (gf31)((t != 31) * t); -} - -/* Given a vector of N elements in the range [0, 31], this reduces the elements - to the range [0, 30] by mapping 31 to 0 (i.e reduction mod 31) */ -void PQCLEAN_MQDSS64_CLEAN_vgf31_unique(gf31 *out, const gf31 *in) { - int i; - - for (i = 0; i < N; i++) { - out[i] = (gf31)((1 - (in[i] == 31)) * in[i]); - } -} - -/* Given a vector of 16-bit integers (i.e. in [0, 65535], this reduces the - elements to the range [0, 30] by mapping 31 to 0 (i.e reduction mod 31) */ -void PQCLEAN_MQDSS64_CLEAN_vgf31_shorten_unique(gf31 *out, const gf31 *in) { - int i; - - for (i = 0; i < N; i++) { - out[i] = PQCLEAN_MQDSS64_CLEAN_mod31(in[i]); - } -} - -/* Given a seed, samples len gf31 elements (in the range [0, 30]), and places - them in a vector of 16-bit elements */ -void PQCLEAN_MQDSS64_CLEAN_gf31_nrand(gf31 *out, int len, const unsigned char *seed, size_t seedlen) { - int i = 0, j; - shake256ctx shakestate; - unsigned char shakeblock[SHAKE256_RATE]; - - shake256_absorb(&shakestate, seed, seedlen); - - while (i < len) { - shake256_squeezeblocks(shakeblock, 1, &shakestate); - for (j = 0; j < SHAKE256_RATE && i < len; j++) { - if ((shakeblock[j] & 31) != 31) { - out[i] = (shakeblock[j] & 31); - i++; - } - } - } - shake256_ctx_release(&shakestate); -} - -/* Given a seed, samples len gf31 elements, transposed into unsigned range, - i.e. in the range [-15, 15], and places them in an array of 8-bit integers. 
- This is used for the expansion of F, which wants packed elements. */ -void PQCLEAN_MQDSS64_CLEAN_gf31_nrand_schar(signed char *out, int len, const unsigned char *seed, size_t seedlen) { - int i = 0, j; - shake256ctx shakestate; - unsigned char shakeblock[SHAKE256_RATE]; - - shake256_absorb(&shakestate, seed, seedlen); - - while (i < len) { - shake256_squeezeblocks(shakeblock, 1, &shakestate); - for (j = 0; j < SHAKE256_RATE && i < len; j++) { - if ((shakeblock[j] & 31) != 31) { - out[i] = (signed char)(((signed char)shakeblock[j] & 31) - 15); - i++; - } - } - } - shake256_ctx_release(&shakestate); -} - -/* Unpacks an array of packed GF31 elements to one element per gf31. - Assumes that there is sufficient empty space available at the end of the - array to unpack. Can perform in-place. */ -void PQCLEAN_MQDSS64_CLEAN_gf31_nunpack(gf31 *out, const unsigned char *in, unsigned int n) { - size_t i; - unsigned int j = ((n * 5) >> 3) - 1; - unsigned int d = 0; - - for (i = n; i > 0; i--) { - out[i - 1] = (gf31)((in[j] >> d) & 31); - d += 5; - if (d > 8) { - d -= 8; - j--; - out[i - 1] = (gf31)(out[i - 1] ^ ((in[j] << (5 - d)) & 31)); - } - } -} - -/* Packs an array of GF31 elements from gf31's to concatenated 5-bit values. - Assumes that there is sufficient space available to unpack. - Can perform in-place. */ -void PQCLEAN_MQDSS64_CLEAN_gf31_npack(unsigned char *out, const gf31 *in, unsigned int n) { - unsigned int i = 0; - unsigned int j; - int d = 3; - - for (j = 0; j < n; j++) { - assert(in[j] < 31); - } - - /* There will be ceil(5n / 8) output blocks */ - memset(out, 0, ((5 * n + 7) & (unsigned int)~7) >> 3); - - for (j = 0; j < n; j++) { - if (d < 0) { - d += 8; - out[i] = (unsigned char)((out[i] & (255 << (d - 3))) | - ((in[j] >> (8 - d)) & ~(255 << (d - 3)))); - i++; - } - out[i] = (unsigned char)((out[i] & ~(31 << d)) | ((in[j] << d) & (31 << d))); - d -= 5; - } -} 
diff --git a/crypto_sign/mqdss-64/clean/gf31.h b/crypto_sign/mqdss-64/clean/gf31.h
deleted file mode 100644
index a0036b7f..00000000
--- a/crypto_sign/mqdss-64/clean/gf31.h
+++ /dev/null
@@ -1,40 +0,0 @@
-#ifndef MQDSS_GF31_H
-#define MQDSS_GF31_H
-
-#include
-#include
-
-typedef uint16_t gf31;
-
-/* This performs a full unique reduction mod 13 on x; x can be any unsigned
- 16-bit integer (i.e. in the range [0, 65535]) */
-gf31 PQCLEAN_MQDSS64_CLEAN_mod31(gf31 x);
-
-/* Given a vector of elements in the range [0, 31], this reduces the elements
- to the range [0, 30] by mapping 31 to 0 (i.e reduction mod 31) */
-void PQCLEAN_MQDSS64_CLEAN_vgf31_unique(gf31 *out, const gf31 *in);
-
-/* Given a vector of 16-bit integers (i.e. in [0, 65535], this reduces the
- elements to the range [0, 30] by mapping 31 to 0 (i.e reduction mod 31) */
-void PQCLEAN_MQDSS64_CLEAN_vgf31_shorten_unique(gf31 *out, const gf31 *in);
-
-/* Given a seed, samples len gf31 elements (in the range [0, 30]), and places
- them in a vector of 16-bit elements */
-void PQCLEAN_MQDSS64_CLEAN_gf31_nrand(gf31 *out, int len, const unsigned char *seed, size_t seedlen);
-
-/* Given a seed, samples len gf31 elements, transposed into unsigned range,
- i.e. in the range [-15, 15], and places them in an array of 8-bit integers.
- This is used for the expansion of F, which wants packed elements. */
-void PQCLEAN_MQDSS64_CLEAN_gf31_nrand_schar(signed char *out, int len, const unsigned char *seed, size_t seedlen);
-
-/* Unpacks an array of packed GF31 elements to one element per gf31.
- Assumes that there is sufficient empty space available at the end of the
- array to unpack. Can perform in-place. */
-void PQCLEAN_MQDSS64_CLEAN_gf31_nunpack(gf31 *out, const unsigned char *in, unsigned int n);
-
-/* Packs an array of GF31 elements from gf31's to concatenated 5-bit values.
- Assumes that there is sufficient space available to unpack.
- Can perform in-place. */
-void PQCLEAN_MQDSS64_CLEAN_gf31_npack(unsigned char *out, const gf31 *in, unsigned int n);
-
-#endif
diff --git a/crypto_sign/mqdss-64/clean/mq.c b/crypto_sign/mqdss-64/clean/mq.c
deleted file mode 100644
index e67f6ddc..00000000
--- a/crypto_sign/mqdss-64/clean/mq.c
+++ /dev/null
@@ -1,81 +0,0 @@ -#include "mq.h" -#include "params.h" - -/* Computes all products x_i * x_j, returns in reduced form */ -inline static -void generate_quadratic_terms( gf31 *xij, const gf31 *x ) { - int i, j, k; - k = 0; - for (i = 0; i < N; i++) { - for (j = 0; j <= i; j++) { - xij[k] = PQCLEAN_MQDSS64_CLEAN_mod31((gf31)(x[i] * x[j])); - k++; - } - } -} - -/* Computes all terms (x_i * y_j) + (x_j * y_i), returns in reduced form */ -inline static -void generate_xiyj_p_xjyi_terms( gf31 *xij, const gf31 *x, const gf31 *y ) { - int i, j, k; - k = 0; - for (i = 0; i < N; i++) { - for (j = 0; j <= i; j++) { - xij[k] = PQCLEAN_MQDSS64_CLEAN_mod31((gf31)(x[i] * y[j] + x[j] * y[i])); - k++; - } - } -} - -/* Evaluates the MQ function on a vector of N gf31 elements x (expected to be - in reduced 5-bit representation). Expects the coefficients in F to be in - signed representation (i.e. [-15, 15], packed bytewise). - Outputs M gf31 elements in unique 16-bit representation as fx. */ -void PQCLEAN_MQDSS64_CLEAN_MQ(gf31 *fx, const gf31 *x, const signed char *F) { - int i, j; - gf31 _xij[N * (N + 1) >> 1]; - int r[M] = {0}; - - generate_quadratic_terms(_xij, x); - - for (i = 0; i < N; i += 2) { - for (j = 0; j < M; j++) { - r[j] += ((int)x[i]) * ((int)F[i * M + 2 * j]) + - ((int)x[i + 1]) * ((int)F[i * M + 2 * j + 1]); - } - } - - for (i = 0; i < (N * (N + 1)) >> 1; i += 2) { - for (j = 0; j < M; j++) { - r[j] += ((int)_xij[i]) * ((int)F[N * M + i * M + 2 * j]) + - ((int)_xij[i + 1]) * ((int)F[N * M + i * M + 2 * j + 1]); - } - } - - for (i = 0; i < M; i++) { - fx[i] = PQCLEAN_MQDSS64_CLEAN_mod31((gf31)((r[i] >> 15) + (r[i] & 0x7FFF))); - } -} - -/* Evaluates the bilinear polar form of the MQ function (i.e. G) on a vector of - N gf31 elements x (expected to be in reduced 5-bit representation). Expects - the coefficients in F to be in signed representation (i.e. [-15, 15], packed - bytewise). Outputs M gf31 elements in unique 16-bit representation as fx. 
*/ -void PQCLEAN_MQDSS64_CLEAN_G(gf31 *fx, const gf31 *x, const gf31 *y, const signed char *F) { - int i, j; - gf31 _xij[N * (N + 1) >> 1]; - int r[M] = {0}; - - generate_xiyj_p_xjyi_terms(_xij, x, y); - - for (i = 0; i < (N * (N + 1)) >> 1; i += 2) { - for (j = 0; j < M; j++) { - r[j] += ((int)_xij[i]) * ((int)F[N * M + i * M + 2 * j]) + - ((int)_xij[i + 1]) * ((int)F[N * M + i * M + 2 * j + 1]); - } - } - - for (i = 0; i < M; i++) { - fx[i] = PQCLEAN_MQDSS64_CLEAN_mod31((gf31)((r[i] >> 15) + (r[i] & 0x7FFF))); - } -} diff --git a/crypto_sign/mqdss-64/clean/mq.h b/crypto_sign/mqdss-64/clean/mq.h deleted file mode 100644 index 2f38c1ef..00000000 --- a/crypto_sign/mqdss-64/clean/mq.h +++ /dev/null @@ -1,18 +0,0 @@ -#ifndef MQDSS_MQ_H -#define MQDSS_MQ_H - -#include "gf31.h" - -/* Evaluates the MQ function on a vector of N gf31 elements x (expected to be - in reduced 5-bit representation). Expects the coefficients in F to be in - signed representation (i.e. [-15, 15], packed bytewise). - Outputs M gf31 elements in unique 16-bit representation as fx. */ -void PQCLEAN_MQDSS64_CLEAN_MQ(gf31 *fx, const gf31 *x, const signed char *F); - -/* Evaluates the bilinear polar form of the MQ function (i.e. G) on a vector of - N gf31 elements x (expected to be in reduced 5-bit representation). Expects - the coefficients in F to be in signed representation (i.e. [-15, 15], packed - bytewise). Outputs M gf31 elements in unique 16-bit representation as fx. */ -void PQCLEAN_MQDSS64_CLEAN_G(gf31 *fx, const gf31 *x, const gf31 *y, const signed char *F); - -#endif diff --git a/crypto_sign/mqdss-64/clean/params.h b/crypto_sign/mqdss-64/clean/params.h deleted file mode 100644 index d0278f01..00000000 --- a/crypto_sign/mqdss-64/clean/params.h +++ /dev/null 
@@ -1,25 +0,0 @@
-#ifndef MQDSS_PARAMS_H
-#define MQDSS_PARAMS_H
-
-#define N 64
-#define M N
-#define F_LEN (M * (((N * (N + 1)) >> 1) + N)) /* Number of elements in F */
-
-#define ROUNDS 277
-
-/* Number of bytes that N, M and F_LEN elements require when packed into a byte
- array, 5-bit elements packed continuously. */
-/* Assumes N and M to be multiples of 8 */
-#define NPACKED_BYTES ((N * 5) >> 3)
-#define MPACKED_BYTES ((M * 5) >> 3)
-#define FPACKED_BYTES ((F_LEN * 5) >> 3)
-
-#define HASH_BYTES 48
-#define SEED_BYTES 24
-#define PK_BYTES (SEED_BYTES + MPACKED_BYTES)
-#define SK_BYTES SEED_BYTES
-
-// R, sigma_0, ROUNDS * (t1, r{0,1}, e1, c, rho)
-#define SIG_LEN (2 * HASH_BYTES + ROUNDS * (2*NPACKED_BYTES + MPACKED_BYTES + HASH_BYTES + HASH_BYTES))
-
-#endif
diff --git a/crypto_sign/mqdss-64/clean/sign.c b/crypto_sign/mqdss-64/clean/sign.c
deleted file mode 100644
index 16bbe254..00000000
--- a/crypto_sign/mqdss-64/clean/sign.c
+++ /dev/null
@@ -1,389 +0,0 @@ -#include -#include -#include - -#include "api.h" -#include "fips202.h" -#include "gf31.h" -#include "mq.h" -#include "params.h" -#include "randombytes.h" - -/* Takes an array of len bytes and computes a hash digest. - This is used as a hash function in the Fiat-Shamir transform. */ -static void H(unsigned char *out, const unsigned char *in, const size_t len) { - shake256(out, HASH_BYTES, in, len); -} - -/* Takes two arrays of N packed elements and an array of M packed elements, - and computes a HASH_BYTES commitment. */ -static void com_0(unsigned char *c, - const unsigned char *rho, - const unsigned char *inn, const unsigned char *inn2, - const unsigned char *inm) { - unsigned char buffer[HASH_BYTES + 2 * NPACKED_BYTES + MPACKED_BYTES]; - memcpy(buffer, rho, HASH_BYTES); - memcpy(buffer + HASH_BYTES, inn, NPACKED_BYTES); - memcpy(buffer + HASH_BYTES + NPACKED_BYTES, inn2, NPACKED_BYTES); - memcpy(buffer + HASH_BYTES + 2 * NPACKED_BYTES, inm, MPACKED_BYTES); - shake256(c, HASH_BYTES, buffer, HASH_BYTES + 2 * NPACKED_BYTES + MPACKED_BYTES); -} - -/* Takes an array of N packed elements and an array of M packed elements, - and computes a HASH_BYTES commitment. */ -static void com_1(unsigned char *c, - const unsigned char *rho, - const unsigned char *inn, const unsigned char *inm) { - unsigned char buffer[HASH_BYTES + NPACKED_BYTES + MPACKED_BYTES]; - memcpy(buffer, rho, HASH_BYTES); - memcpy(buffer + HASH_BYTES, inn, NPACKED_BYTES); - memcpy(buffer + HASH_BYTES + NPACKED_BYTES, inm, MPACKED_BYTES); - shake256(c, HASH_BYTES, buffer, HASH_BYTES + NPACKED_BYTES + MPACKED_BYTES); -} - -/* - * Generates an MQDSS key pair. - */ -int PQCLEAN_MQDSS64_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { - signed char F[F_LEN]; - unsigned char skbuf[SEED_BYTES * 2]; - gf31 sk_gf31[N]; - gf31 pk_gf31[M]; - - // Expand sk to obtain a seed for F and the secret input s. 
- // We also expand to obtain a value for sampling r0, t0 and e0 during - // signature generation, but that is not relevant here. - randombytes(sk, SEED_BYTES); - shake256(skbuf, SEED_BYTES * 2, sk, SEED_BYTES); - - memcpy(pk, skbuf, SEED_BYTES); - PQCLEAN_MQDSS64_CLEAN_gf31_nrand_schar(F, F_LEN, pk, SEED_BYTES); - PQCLEAN_MQDSS64_CLEAN_gf31_nrand(sk_gf31, N, skbuf + SEED_BYTES, SEED_BYTES); - PQCLEAN_MQDSS64_CLEAN_MQ(pk_gf31, sk_gf31, F); - PQCLEAN_MQDSS64_CLEAN_vgf31_unique(pk_gf31, pk_gf31); - PQCLEAN_MQDSS64_CLEAN_gf31_npack(pk + SEED_BYTES, pk_gf31, M); - - return 0; -} - -/** - * Returns an array containing a detached signature. - */ -int PQCLEAN_MQDSS64_CLEAN_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - - signed char F[F_LEN]; - unsigned char skbuf[SEED_BYTES * 4]; - gf31 pk_gf31[M]; - unsigned char pk[SEED_BYTES + MPACKED_BYTES]; - // Concatenated for convenient hashing. - unsigned char D_sigma0_h0_sigma1[HASH_BYTES * 3 + ROUNDS * (NPACKED_BYTES + MPACKED_BYTES)]; - unsigned char *D = D_sigma0_h0_sigma1; - unsigned char *sigma0 = D_sigma0_h0_sigma1 + HASH_BYTES; - unsigned char *h0 = D_sigma0_h0_sigma1 + 2 * HASH_BYTES; - unsigned char *t1packed = D_sigma0_h0_sigma1 + 3 * HASH_BYTES; - unsigned char *e1packed = D_sigma0_h0_sigma1 + 3 * HASH_BYTES + ROUNDS * NPACKED_BYTES; - shake256ctx shakestate; - unsigned char shakeblock[SHAKE256_RATE]; - unsigned char h1[((ROUNDS + 7) & ~7) >> 3]; - unsigned char rnd_seed[HASH_BYTES + SEED_BYTES]; - unsigned char rho[2 * ROUNDS * HASH_BYTES]; - unsigned char *rho0 = rho; - unsigned char *rho1 = rho + ROUNDS * HASH_BYTES; - gf31 sk_gf31[N]; - gf31 rnd[(2 * N + M) * ROUNDS]; // Concatenated for easy RNG. 
- gf31 *r0 = rnd; - gf31 *t0 = rnd + N * ROUNDS; - gf31 *e0 = rnd + 2 * N * ROUNDS; - gf31 r1[N * ROUNDS]; - gf31 t1[N * ROUNDS]; - gf31 e1[M * ROUNDS]; - gf31 gx[M * ROUNDS]; - unsigned char packbuf0[NPACKED_BYTES]; - unsigned char packbuf1[NPACKED_BYTES]; - unsigned char packbuf2[MPACKED_BYTES]; - unsigned char c[HASH_BYTES * ROUNDS * 2]; - gf31 alpha; - int alpha_count = 0; - int b; - int i, j; - shake256incctx state; - - shake256(skbuf, SEED_BYTES * 4, sk, SEED_BYTES); - - PQCLEAN_MQDSS64_CLEAN_gf31_nrand_schar(F, F_LEN, skbuf, SEED_BYTES); - - shake256_inc_init(&state); - shake256_inc_absorb(&state, sk, SEED_BYTES); - shake256_inc_absorb(&state, m, mlen); - shake256_inc_finalize(&state); - shake256_inc_squeeze(sig, HASH_BYTES, &state); // Compute R. - shake256_inc_ctx_release(&state); - - memcpy(pk, skbuf, SEED_BYTES); - PQCLEAN_MQDSS64_CLEAN_gf31_nrand(sk_gf31, N, skbuf + SEED_BYTES, SEED_BYTES); - PQCLEAN_MQDSS64_CLEAN_MQ(pk_gf31, sk_gf31, F); - PQCLEAN_MQDSS64_CLEAN_vgf31_unique(pk_gf31, pk_gf31); - PQCLEAN_MQDSS64_CLEAN_gf31_npack(pk + SEED_BYTES, pk_gf31, M); - - shake256_inc_init(&state); - shake256_inc_absorb(&state, pk, PK_BYTES); - shake256_inc_absorb(&state, sig, HASH_BYTES); - shake256_inc_absorb(&state, m, mlen); - shake256_inc_finalize(&state); - shake256_inc_squeeze(D, HASH_BYTES, &state); - shake256_inc_ctx_release(&state); - - sig += HASH_BYTES; // Compensate for prefixed R. 
- - memcpy(rnd_seed, skbuf + 2 * SEED_BYTES, SEED_BYTES); - memcpy(rnd_seed + SEED_BYTES, D, HASH_BYTES); - shake256(rho, 2 * ROUNDS * HASH_BYTES, rnd_seed, SEED_BYTES + HASH_BYTES); - - memcpy(rnd_seed, skbuf + 3 * SEED_BYTES, SEED_BYTES); - memcpy(rnd_seed + SEED_BYTES, D, HASH_BYTES); - PQCLEAN_MQDSS64_CLEAN_gf31_nrand(rnd, (2 * N + M) * ROUNDS, rnd_seed, SEED_BYTES + HASH_BYTES); - - for (i = 0; i < ROUNDS; i++) { - for (j = 0; j < N; j++) { - r1[j + i * N] = (gf31)(31 + sk_gf31[j] - r0[j + i * N]); - } - PQCLEAN_MQDSS64_CLEAN_G(gx + i * M, t0 + i * N, r1 + i * N, F); - } - for (i = 0; i < ROUNDS * M; i++) { - gx[i] = (gf31)(gx[i] + e0[i]); - } - for (i = 0; i < ROUNDS; i++) { - PQCLEAN_MQDSS64_CLEAN_gf31_npack(packbuf0, r0 + i * N, N); - PQCLEAN_MQDSS64_CLEAN_gf31_npack(packbuf1, t0 + i * N, N); - PQCLEAN_MQDSS64_CLEAN_gf31_npack(packbuf2, e0 + i * M, M); - com_0(c + HASH_BYTES * (2 * i + 0), rho0 + i * HASH_BYTES, packbuf0, packbuf1, packbuf2); - PQCLEAN_MQDSS64_CLEAN_vgf31_shorten_unique(r1 + i * N, r1 + i * N); - PQCLEAN_MQDSS64_CLEAN_vgf31_shorten_unique(gx + i * M, gx + i * M); - PQCLEAN_MQDSS64_CLEAN_gf31_npack(packbuf0, r1 + i * N, N); - PQCLEAN_MQDSS64_CLEAN_gf31_npack(packbuf1, gx + i * M, M); - com_1(c + HASH_BYTES * (2 * i + 1), rho1 + i * HASH_BYTES, packbuf0, packbuf1); - } - - H(sigma0, c, HASH_BYTES * ROUNDS * 2); // Compute sigma_0. - shake256_absorb(&shakestate, D_sigma0_h0_sigma1, 2 * HASH_BYTES); - shake256_squeezeblocks(shakeblock, 1, &shakestate); - - memcpy(h0, shakeblock, HASH_BYTES); - - memcpy(sig, sigma0, HASH_BYTES); - sig += HASH_BYTES; // Compensate for sigma_0. 
- - for (i = 0; i < ROUNDS; i++) { - do { - alpha = shakeblock[alpha_count] & 31; - alpha_count++; - if (alpha_count == SHAKE256_RATE) { - alpha_count = 0; - shake256_squeezeblocks(shakeblock, 1, &shakestate); - } - } while (alpha == 31); - for (j = 0; j < N; j++) { - t1[i * N + j] = (gf31)(alpha * r0[j + i * N] - t0[j + i * N] + 31); - } - PQCLEAN_MQDSS64_CLEAN_MQ(e1 + i * M, r0 + i * N, F); - for (j = 0; j < N; j++) { - e1[i * N + j] = (gf31)(alpha * e1[j + i * M] - e0[j + i * M] + 31); - } - PQCLEAN_MQDSS64_CLEAN_vgf31_shorten_unique(t1 + i * N, t1 + i * N); - PQCLEAN_MQDSS64_CLEAN_vgf31_shorten_unique(e1 + i * N, e1 + i * N); - } - shake256_ctx_release(&shakestate); - - PQCLEAN_MQDSS64_CLEAN_gf31_npack(t1packed, t1, N * ROUNDS); - PQCLEAN_MQDSS64_CLEAN_gf31_npack(e1packed, e1, M * ROUNDS); - - memcpy(sig, t1packed, NPACKED_BYTES * ROUNDS); - sig += NPACKED_BYTES * ROUNDS; - memcpy(sig, e1packed, MPACKED_BYTES * ROUNDS); - sig += MPACKED_BYTES * ROUNDS; - - shake256(h1, ((ROUNDS + 7) & ~7) >> 3, D_sigma0_h0_sigma1, 3 * HASH_BYTES + ROUNDS * (NPACKED_BYTES + MPACKED_BYTES)); - - for (i = 0; i < ROUNDS; i++) { - b = (h1[(i >> 3)] >> (i & 7)) & 1; - if (b == 0) { - PQCLEAN_MQDSS64_CLEAN_gf31_npack(sig, r0 + i * N, N); - } else if (b == 1) { - PQCLEAN_MQDSS64_CLEAN_gf31_npack(sig, r1 + i * N, N); - } - memcpy(sig + NPACKED_BYTES, c + HASH_BYTES * (2 * i + (1 - b)), HASH_BYTES); - memcpy(sig + NPACKED_BYTES + HASH_BYTES, rho + (i + b * ROUNDS) * HASH_BYTES, HASH_BYTES); - sig += NPACKED_BYTES + 2 * HASH_BYTES; - } - - *siglen = SIG_LEN; - return 0; -} - -/** - * Verifies a detached signature and message under a given public key. - */ -int PQCLEAN_MQDSS64_CLEAN_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk) { - - gf31 r[N]; - gf31 t[N]; - gf31 e[M]; - signed char F[F_LEN]; - gf31 pk_gf31[M]; - // Concatenated for convenient hashing. 
- unsigned char D_sigma0_h0_sigma1[HASH_BYTES * 3 + ROUNDS * (NPACKED_BYTES + MPACKED_BYTES)]; - unsigned char *D = D_sigma0_h0_sigma1; - unsigned char *sigma0 = D_sigma0_h0_sigma1 + HASH_BYTES; - unsigned char *h0 = D_sigma0_h0_sigma1 + 2 * HASH_BYTES; - unsigned char *t1packed = D_sigma0_h0_sigma1 + 3 * HASH_BYTES; - unsigned char *e1packed = D_sigma0_h0_sigma1 + 3 * HASH_BYTES + ROUNDS * NPACKED_BYTES; - unsigned char h1[((ROUNDS + 7) & ~7) >> 3]; - unsigned char c[HASH_BYTES * ROUNDS * 2]; - memset(c, 0, HASH_BYTES * 2); - gf31 x[N]; - gf31 y[M]; - gf31 z[M]; - unsigned char packbuf0[NPACKED_BYTES]; - unsigned char packbuf1[MPACKED_BYTES]; - shake256ctx shakestate; - unsigned char shakeblock[SHAKE256_RATE]; - int i, j; - gf31 alpha; - int alpha_count = 0; - int b; - shake256incctx state; - - if (siglen != SIG_LEN) { - return -1; - } - - shake256_inc_init(&state); - shake256_inc_absorb(&state, pk, PK_BYTES); - shake256_inc_absorb(&state, sig, HASH_BYTES); - shake256_inc_absorb(&state, m, mlen); - shake256_inc_finalize(&state); - shake256_inc_squeeze(D, HASH_BYTES, &state); - shake256_inc_ctx_release(&state); - - sig += HASH_BYTES; - - PQCLEAN_MQDSS64_CLEAN_gf31_nrand_schar(F, F_LEN, pk, SEED_BYTES); - pk += SEED_BYTES; - PQCLEAN_MQDSS64_CLEAN_gf31_nunpack(pk_gf31, pk, M); - - memcpy(sigma0, sig, HASH_BYTES); - - shake256_absorb(&shakestate, D_sigma0_h0_sigma1, 2 * HASH_BYTES); - shake256_squeezeblocks(shakeblock, 1, &shakestate); - - memcpy(h0, shakeblock, HASH_BYTES); - - sig += HASH_BYTES; - - memcpy(t1packed, sig, ROUNDS * NPACKED_BYTES); - sig += ROUNDS * NPACKED_BYTES; - memcpy(e1packed, sig, ROUNDS * MPACKED_BYTES); - sig += ROUNDS * MPACKED_BYTES; - - shake256(h1, ((ROUNDS + 7) & ~7) >> 3, D_sigma0_h0_sigma1, 3 * HASH_BYTES + ROUNDS * (NPACKED_BYTES + MPACKED_BYTES)); - - for (i = 0; i < ROUNDS; i++) { - do { - alpha = shakeblock[alpha_count] & 31; - alpha_count++; - if (alpha_count == SHAKE256_RATE) { - alpha_count = 0; - 
shake256_squeezeblocks(shakeblock, 1, &shakestate); - } - } while (alpha == 31); - b = (h1[(i >> 3)] >> (i & 7)) & 1; - - PQCLEAN_MQDSS64_CLEAN_gf31_nunpack(r, sig, N); - PQCLEAN_MQDSS64_CLEAN_gf31_nunpack(t, t1packed + NPACKED_BYTES * i, N); - PQCLEAN_MQDSS64_CLEAN_gf31_nunpack(e, e1packed + MPACKED_BYTES * i, M); - - if (b == 0) { - PQCLEAN_MQDSS64_CLEAN_MQ(y, r, F); - for (j = 0; j < N; j++) { - x[j] = (gf31)(alpha * r[j] - t[j] + 31); - } - for (j = 0; j < N; j++) { - y[j] = (gf31)(alpha * y[j] - e[j] + 31); - } - PQCLEAN_MQDSS64_CLEAN_vgf31_shorten_unique(x, x); - PQCLEAN_MQDSS64_CLEAN_vgf31_shorten_unique(y, y); - PQCLEAN_MQDSS64_CLEAN_gf31_npack(packbuf0, x, N); - PQCLEAN_MQDSS64_CLEAN_gf31_npack(packbuf1, y, M); - com_0(c + HASH_BYTES * (2 * i + 0), sig + HASH_BYTES + NPACKED_BYTES, sig, packbuf0, packbuf1); - } else { - PQCLEAN_MQDSS64_CLEAN_MQ(y, r, F); - PQCLEAN_MQDSS64_CLEAN_G(z, t, r, F); - for (j = 0; j < N; j++) { - y[j] = (gf31)(alpha * (31 + pk_gf31[j] - y[j]) - z[j] - e[j] + 62); - } - PQCLEAN_MQDSS64_CLEAN_vgf31_shorten_unique(y, y); - PQCLEAN_MQDSS64_CLEAN_gf31_npack(packbuf0, y, M); - com_1(c + HASH_BYTES * (2 * i + 1), sig + HASH_BYTES + NPACKED_BYTES, sig, packbuf0); - } - memcpy(c + HASH_BYTES * (2 * i + (1 - b)), sig + NPACKED_BYTES, HASH_BYTES); - sig += NPACKED_BYTES + 2 * HASH_BYTES; - } - shake256_ctx_release(&shakestate); - - H(c, c, HASH_BYTES * ROUNDS * 2); - if (memcmp(c, sigma0, HASH_BYTES) != 0) { - return -1; - } - - return 0; -} - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_MQDSS64_CLEAN_crypto_sign( - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - size_t siglen; - - PQCLEAN_MQDSS64_CLEAN_crypto_sign_signature( - sm, &siglen, m, mlen, sk); - - memmove(sm + SIG_LEN, m, mlen); - *smlen = siglen + mlen; - - return 0; -} - -/** - * Verifies a given signature-message pair under a given public key. 
- */ -int PQCLEAN_MQDSS64_CLEAN_crypto_sign_open( - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, const uint8_t *pk) { - /* The API caller does not necessarily know what size a signature should be - but MQDSS signatures are always exactly SIG_LEN. */ - if (smlen < SIG_LEN) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - *mlen = smlen - SIG_LEN; - - if (PQCLEAN_MQDSS64_CLEAN_crypto_sign_verify( - sm, SIG_LEN, sm + SIG_LEN, *mlen, pk)) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - /* If verification was successful, move the message to the right place. */ - memmove(m, sm + SIG_LEN, *mlen); - - return 0; -} diff --git a/crypto_sign/qtesla-p-I/META.yml b/crypto_sign/qtesla-p-I/META.yml deleted file mode 100644 index 7ac06f67..00000000 --- a/crypto_sign/qtesla-p-I/META.yml +++ /dev/null @@ -1,25 +0,0 @@ -name: qTESLA-p-I -type: signature -claimed-nist-level: 1 -length-public-key: 14880 -length-secret-key: 5184 -length-signature: 2592 -nistkat-sha256: e6bc42e0281cd95865e9707181a381b81f84c85957cd8e46a7889179769707dd -testvectors-sha256: b2ebe8cc08c43a46648b3801236aeb6691e0bf2e683e77c3820dd22ee7fd9574 -principal-submitters: - - Nina Bindel -auxiliary-submitters: - - Sedat Akleylek - - Erdem Alkim - - Paulo S. L. M. Barreto - - Johannes Buchmann - - Edward Eaton - - Gus Gutoski - - Juliane Krämer - - Patrick Longa - - Harun Polat - - Jefferson E. Ricardini - - Gustavo Zanon -implementations: - - name: clean - version: https://qtesla.org/wp-content/uploads/2019/08/qTESLA_NIST_update_08.19.2019.zip diff --git a/crypto_sign/qtesla-p-I/clean/CDT32.h b/crypto_sign/qtesla-p-I/clean/CDT32.h deleted file mode 100644 index 9e650589..00000000 --- a/crypto_sign/qtesla-p-I/clean/CDT32.h +++ /dev/null 
@@ -1,109 +0,0 @@ -#ifndef PQCLEAN_QTESLAPI_CLEAN_CDTSAMP -#define PQCLEAN_QTESLAPI_CLEAN_CDTSAMP - -/************************************************************************************* -* qTESLA: an efficient post-quantum signature scheme based on the R-LWE problem -* -* Abstract: CDT constants for the Gaussian sampler -**************************************************************************************/ - -#include "params.h" -#include - -// Sigma = 8.5, 64-bit precision - -#define CDT_ROWS 78 -#define CDT_COLS 2 - -static const int32_t cdt_v[CDT_ROWS * CDT_COLS] = { - 0x00000000L, 0x00000000L, // 0 - 0x0601F22AL, 0x280663D4L, // 1 - 0x11F09FFAL, 0x162FE23DL, // 2 - 0x1DA089E9L, 0x437226E8L, // 3 - 0x28EAB25DL, 0x04C51FE2L, // 4 - 0x33AC2F26L, 0x14FDBA70L, // 5 - 0x3DC767DCL, 0x4565C960L, // 6 - 0x4724FC62L, 0x3342C78AL, // 7 - 0x4FB448F4L, 0x5229D06DL, // 8 - 0x576B8599L, 0x7423407FL, // 9 - 0x5E4786DAL, 0x3210BAF7L, // 10 - 0x644B2C92L, 0x431B3947L, // 11 - 0x697E90CEL, 0x77C362C4L, // 12 - 0x6DEE0B96L, 0x2798C9CEL, // 13 - 0x71A92144L, 0x5765FCE4L, // 14 - 0x74C16FD5L, 0x1E2A0990L, // 15 - 0x7749AC92L, 0x0DF36EEBL, // 16 - 0x7954BFA4L, 0x28079289L, // 17 - 0x7AF5067AL, 0x2EDC2050L, // 18 - 0x7C3BC17CL, 0x123D5E7BL, // 19 - 0x7D38AD76L, 0x2A9381D9L, // 20 - 0x7DF9C5DFL, 0x0E868CA7L, // 21 - 0x7E8B2ABAL, 0x18E5C811L, // 22 - 0x7EF7237CL, 0x00908272L, // 23 - 0x7F4637C5L, 0x6DBA5126L, // 24 - 0x7F7F5707L, 0x4A52EDEBL, // 25 - 0x7FA808CCL, 0x23290599L, // 26 - 0x7FC4A083L, 0x69BDF2D5L, // 27 - 0x7FD870CAL, 0x42275558L, // 28 - 0x7FE5FB5DL, 0x3EF82C1BL, // 29 - 0x7FEF1BFAL, 0x6C03A362L, // 30 - 0x7FF52D4EL, 0x316C2C8CL, // 31 - 0x7FF927BAL, 0x12AE54AFL, // 32 - 0x7FFBBA43L, 0x749CC0E2L, // 33 - 0x7FFD5E3DL, 0x4524AD91L, // 34 - 0x7FFE6664L, 0x535785B5L, // 35 - 0x7FFF0A41L, 0x0B291681L, // 36 - 0x7FFF6E81L, 0x132C3D6FL, // 37 - 0x7FFFAAFEL, 0x4DBC6BEDL, // 38 - 0x7FFFCEFDL, 0x7A1E2D14L, // 39 - 0x7FFFE41EL, 0x4C6EC115L, // 40 - 0x7FFFF059L, 0x319503C8L, // 41 - 
0x7FFFF754L, 0x5DDD0D40L, // 42 - 0x7FFFFB43L, 0x0B9E9823L, // 43 - 0x7FFFFD71L, 0x76B81AE1L, // 44 - 0x7FFFFEA3L, 0x7E66A1ECL, // 45 - 0x7FFFFF49L, 0x26F6E191L, // 46 - 0x7FFFFFA1L, 0x2FA31694L, // 47 - 0x7FFFFFCFL, 0x5247BEC9L, // 48 - 0x7FFFFFE7L, 0x4F4127C7L, // 49 - 0x7FFFFFF3L, 0x6FAA69FDL, // 50 - 0x7FFFFFFAL, 0x0630D073L, // 51 - 0x7FFFFFFDL, 0x0F2957BBL, // 52 - 0x7FFFFFFEL, 0x4FD29432L, // 53 - 0x7FFFFFFFL, 0x2CFAD60DL, // 54 - 0x7FFFFFFFL, 0x5967A930L, // 55 - 0x7FFFFFFFL, 0x6E4C9DFFL, // 56 - 0x7FFFFFFFL, 0x77FDCCC8L, // 57 - 0x7FFFFFFFL, 0x7C6CE89EL, // 58 - 0x7FFFFFFFL, 0x7E6D116FL, // 59 - 0x7FFFFFFFL, 0x7F50FA31L, // 60 - 0x7FFFFFFFL, 0x7FB50089L, // 61 - 0x7FFFFFFFL, 0x7FE04C2DL, // 62 - 0x7FFFFFFFL, 0x7FF2C7C1L, // 63 - 0x7FFFFFFFL, 0x7FFA8FE3L, // 64 - 0x7FFFFFFFL, 0x7FFDCB1BL, // 65 - 0x7FFFFFFFL, 0x7FFF1DE2L, // 66 - 0x7FFFFFFFL, 0x7FFFA6B7L, // 67 - 0x7FFFFFFFL, 0x7FFFDD39L, // 68 - 0x7FFFFFFFL, 0x7FFFF2A3L, // 69 - 0x7FFFFFFFL, 0x7FFFFAEFL, // 70 - 0x7FFFFFFFL, 0x7FFFFE1BL, // 71 - 0x7FFFFFFFL, 0x7FFFFF4DL, // 72 - 0x7FFFFFFFL, 0x7FFFFFBFL, // 73 - 0x7FFFFFFFL, 0x7FFFFFE9L, // 74 - 0x7FFFFFFFL, 0x7FFFFFF8L, // 75 - 0x7FFFFFFFL, 0x7FFFFFFDL, // 76 - 0x7FFFFFFFL, 0x7FFFFFFFL, // 77 -}; // cdt_v - -// memory requirements: -// 2048 samples: 25512 bytes -// 1024 samples: 13224 bytes -// 512 samples: 7080 bytes -// 256 samples: 4008 bytes -// 128 samples: 2472 bytes -// 64 samples: 1704 bytes -// 32 samples: 1320 bytes -// table alone: 624 bytes - -#endif diff --git a/crypto_sign/qtesla-p-I/clean/LICENSE b/crypto_sign/qtesla-p-I/clean/LICENSE deleted file mode 100644 index 4cf37e67..00000000 --- a/crypto_sign/qtesla-p-I/clean/LICENSE +++ /dev/null 
@@ -1,28 +0,0 @@
-Lattice-based digital signature scheme qTESLA
-
-The qTESLA source code and header files in this package are released with an MIT license.
-
-MIT License
-
-Copyright (c) Microsoft Corporation and qTESLA implementation owners:
-Sedat Akleylek, Erdem Alkim, Paulo Barreto, Patrick Longa, Harun Polat,
-Jefferson Ricardini, and Gustavo Zanon. All rights reserved.
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE
-
diff --git a/crypto_sign/qtesla-p-I/clean/Makefile b/crypto_sign/qtesla-p-I/clean/Makefile
deleted file mode 100644
index 01588f67..00000000
--- a/crypto_sign/qtesla-p-I/clean/Makefile
+++ /dev/null
@@ -1,20 +0,0 @@
-# This Makefile can be used with GNU Make or BSD Make
-
-LIB=libqtesla-p-I_clean.a
-
-HEADERS = api.h CDT32.h config.h gauss.h pack.h params.h poly.h sample.h
-OBJECTS = consts.o gauss.o pack.o poly.o sample.o sign.o
-
-CFLAGS=-O3 -Wall -Wconversion -Wextra -Wpedantic -Wvla -Werror -Wmissing-prototypes -Wredundant-decls -std=c99 -I../../../common $(EXTRAFLAGS)
-
-all: $(LIB)
-
-%.o: %.c $(HEADERS)
- $(CC) $(CFLAGS) -c -o $@ $<
-
-$(LIB): $(OBJECTS)
- $(AR) -r $@ $(OBJECTS)
-
-clean:
- $(RM) $(OBJECTS)
- $(RM) $(LIB)
diff --git a/crypto_sign/qtesla-p-I/clean/Makefile.Microsoft_nmake b/crypto_sign/qtesla-p-I/clean/Makefile.Microsoft_nmake
deleted file mode 100644
index d841b9aa..00000000
--- a/crypto_sign/qtesla-p-I/clean/Makefile.Microsoft_nmake
+++ /dev/null
@@ -1,19 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=libqtesla-p-I_clean.lib
-OBJECTS=consts.obj gauss.obj pack.obj poly.obj sample.obj sign.obj
-
-CFLAGS=/nologo /I ..\..\..\common /W4 /WX
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_sign/qtesla-p-I/clean/api.h b/crypto_sign/qtesla-p-I/clean/api.h
deleted file mode 100644
index cee114e9..00000000
--- a/crypto_sign/qtesla-p-I/clean/api.h
+++ /dev/null
@@ -1,42 +0,0 @@
-#ifndef PQCLEAN_QTESLAPI_CLEAN_API_H
-#define PQCLEAN_QTESLAPI_CLEAN_API_H
-
-/*************************************************************************************
-* qTESLA: an efficient post-quantum signature scheme based on the R-LWE problem
-*
-* Abstract: API header file
-**************************************************************************************/
-
-#include
-#include
-
-#define PQCLEAN_QTESLAPI_CLEAN_CRYPTO_SECRETKEYBYTES 5184
-#define PQCLEAN_QTESLAPI_CLEAN_CRYPTO_PUBLICKEYBYTES 14880
-#define PQCLEAN_QTESLAPI_CLEAN_CRYPTO_BYTES 2592
-#define PQCLEAN_QTESLAPI_CLEAN_CRYPTO_ALGNAME "qTESLA-p-I"
-
-int PQCLEAN_QTESLAPI_CLEAN_crypto_sign_keypair(
- uint8_t *pk, uint8_t *sk);
-
-int PQCLEAN_QTESLAPI_CLEAN_crypto_sign(
- uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int PQCLEAN_QTESLAPI_CLEAN_crypto_sign_open(
- uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk
-);
-
-int PQCLEAN_QTESLAPI_CLEAN_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int PQCLEAN_QTESLAPI_CLEAN_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-#endif
diff --git a/crypto_sign/qtesla-p-I/clean/config.h b/crypto_sign/qtesla-p-I/clean/config.h
deleted file mode 100644
index 1a46d5ae..00000000
--- a/crypto_sign/qtesla-p-I/clean/config.h
+++ /dev/null
@@ -1,19 +0,0 @@
-#ifndef PQCLEAN_QTESLAPI_CLEAN_CONFIG_H
-#define PQCLEAN_QTESLAPI_CLEAN_CONFIG_H
-
-/*************************************************************************************
-* qTESLA: an efficient post-quantum signature scheme based on the R-LWE problem
-*
-* Abstract: configuration file
-**************************************************************************************/
-
-#include
-#include
-#include
-
-#define RADIX 32
-#define RADIX32 32
-typedef uint32_t digit_t;
-typedef int32_t sdigit_t;
-
-#endif
diff --git a/crypto_sign/qtesla-p-I/clean/consts.c b/crypto_sign/qtesla-p-I/clean/consts.c
deleted file mode 100644
index 8ae4d1df..00000000
--- a/crypto_sign/qtesla-p-I/clean/consts.c
+++ /dev/null
@@ -1,146 +0,0 @@ -/************************************************************************************* -* qTESLA: an efficient post-quantum signature scheme based on the R-LWE problem -* -* Abstract: constants for the NTT -**************************************************************************************/ - -#include "params.h" -#include "poly.h" -#include - - -const poly PQCLEAN_QTESLAPI_CLEAN_zeta = { - - 184007114, 341297933, 172127038, 306069179, 260374244, 269720605, 20436325, 2157599, 36206659, 61987110, 112759694, 92762708, 278504038, 139026960, 183642748, 298230187, - 37043356, 230730845, 107820937, 97015745, 156688276, 38891102, 170244636, 259345227, 170077366, 141586883, 100118513, 328793523, 289946488, 263574185, 132014089, 14516260, - 87424978, 192691578, 190961717, 262687761, 333967048, 12957952, 326574509, 273585413, 151922543, 195893203, 261889302, 120488377, 169571794, 44896463, 128576039, 68257019, - 20594664, 44164717, 36060712, 256009818, 172063915, 211967562, 135533785, 104908181, 203788155, 52968398, 123297488, 44711423, 329131026, 245797804, 220629853, 200431766, - 92905498, 215466666, 227373088, 120513729, 274875394, 236766448, 84216704, 97363940, 224003799, 167341181, 333540791, 225846253, 290150331, 137934911, 101127339, 95054535, - 7072757, 58600117, 264117725, 207480694, 268253444, 292044590, 166300682, 256585624, 133577520, 119707476, 58169614, 188489502, 184778640, 156039906, 286669262, 112658784, - 89254003, 266568758, 290599527, 80715937, 180664712, 225980378, 103512701, 304604206, 327443646, 92082345, 296093912, 144843084, 309484036, 329737605, 141656867, 264967053, - 227847682, 328674715, 208663554, 309005608, 315790590, 182996330, 333212133, 203436199, 13052895, 23858345, 173478900, 97132319, 57066271, 70747422, 202106993, 309870606, - 56390934, 336126437, 189147643, 219236223, 293351741, 305570320, 18378834, 336914091, 59506067, 277923611, 217306643, 129369847, 308113789, 56954705, 190254906, 199465001, - 119331054, 
143640880, 17590914, 309468163, 172483421, 153376031, 58864560, 70957183, 237697179, 116097341, 62196815, 80692520, 310642530, 328595292, 12121494, 71200620, - 200016287, 235006678, 21821056, 102505389, 183332133, 59734849, 283127491, 313646880, 30359439, 163176989, 50717815, 100183661, 322975554, 92821217, 283119421, 34453836, - 303758926, 89460722, 147514506, 175603941, 76494101, 220775631, 304963431, 38821441, 217317485, 301302769, 328727631, 101476595, 270750726, 253708871, 176201368, 324059659, - 114780906, 304156831, 273708648, 144095014, 263545324, 179240984, 187811389, 244886526, 202581571, 209325648, 117231636, 182195945, 217965216, 252295904, 332003328, 46153749, - 334740528, 62618402, 301165510, 283016648, 212224416, 234984074, 107363471, 125430881, 172821269, 270409387, 156316970, 311644197, 50537885, 248376507, 154072039, 331539029, - 48454192, 267029920, 225963915, 16753350, 76840946, 226444843, 108106635, 154887261, 326283837, 101291223, 204194230, 54014060, 104099734, 104245071, 260949411, 333985274, - 291682234, 328313139, 29607387, 106291750, 162553334, 275058303, 64179189, 263147140, 15599810, 325103190, 137254480, 66787068, 4755224, 308520011, 181897417, 325162685, - 221099032, 131741505, 147534370, 131533267, 144073688, 166398146, 155829711, 252509898, 251605008, 323547097, 216038649, 232629333, 95137254, 287931575, 235583527, 32386598, - 76722491, 60825791, 138354268, 400761, 51907675, 197369064, 319840588, 98618414, 84343982, 108113946, 314679670, 134518178, 64988900, 4333172, 295712261, 200707216, - 147647414, 318013383, 77682006, 92518996, 42154619, 87464521, 285037574, 332936592, 62635246, 5534097, 308862707, 91097989, 269726589, 273280832, 251670430, 95492698, - 21676891, 182964692, 177187742, 294825274, 85128609, 273594538, 93115857, 116308166, 312212122, 18665807, 32192823, 313249299, 98777368, 273984239, 312125377, 205655336, - 264861277, 178920022, 341054719, 232663249, 173564046, 176591124, 157537342, 305058098, 277279130, 170028356, 
228573747, 31628995, 175280663, 37304323, 122111670, 210658936, - 175704183, 314649282, 325535066, 266783938, 301319742, 327923297, 279787306, 304633001, 304153402, 292839078, 147442886, 94150133, 40461238, 221384781, 269671052, 265445273, - 208370149, 160863546, 287765159, 339146643, 129600429, 96192870, 113146118, 95879915, 216708053, 285201955, 67756451, 79028039, 309141895, 138447809, 212246614, 12641916, - 243544995, 33459809, 76979779, 71155723, 152521243, 200750888, 36425947, 339074467, 319204591, 188312744, 266105966, 280016981, 183723313, 238915015, 23277613, 160934729, - 200611286, 163282810, 297928823, 226921588, 86839172, 145317111, 202226936, 51887320, 318474782, 282270658, 221219795, 207597867, 132089009, 334627662, 163952597, 67529059, - 173759630, 234865017, 255217646, 277806158, 61964704, 216678166, 96126463, 39218331, 70028373, 4899005, 238135514, 242700690, 284680271, 81041980, 332906491, 463527, - 299280916, 204600651, 149654879, 222229829, 26825157, 81825189, 127990873, 200962599, 16149163, 108812393, 217708971, 152638110, 28735779, 5272794, 19720409, 231726324, - 49854178, 118319174, 185669526, 223407181, 243138094, 259020958, 308825615, 164156486, 341391280, 192526841, 97036052, 279986894, 20263748, 32228956, 43816679, 343421811, - 124320208, 3484106, 31711063, 147679160, 195369505, 54243678, 279088595, 149119313, 301997352, 244557309, 19700779, 138872683, 230523717, 113507709, 135291486, 313025300, - 254384479, 219815764, 253574481, 220646316, 124744817, 123915741, 325760383, 123516396, 138140410, 154060994, 314730104, 57286356, 222353426, 76630003, 145380041, 52039855, - 229881219, 332902036, 152308429, 95071889, 124799350, 270141530, 47897266, 119620601, 133269057, 138561303, 341820265, 66049665, 273409631, 304306012, 212490958, 210388603, - 277413768, 280793261, 223131872, 162407285, 44911970, 316685837, 298709373, 252812339, 230786851, 230319350, 56863422, 341141914, 177295413, 248222411, 215148650, 97970603, - 291678055, 161911155, 
339645428, 206445182, 31895080, 279676698, 78257775, 268845232, 92545841, 336725589, 47384597, 62216335, 82290365, 89893410, 266117967, 791867, - 28042243, 110563426, 183316855, 281174508, 166338432, 86326996, 261473803, 164647535, 84749290, 157518777, 214336587, 72257047, 13358702, 229010735, 204196474, 179927635, - 21786785, 330554989, 164559635, 144505300, 280425045, 324057501, 268227440, 323362437, 26891539, 228523003, 166709094, 61174973, 13532911, 42168701, 133044957, 158219357, - 220115616, 15174468, 281706353, 283813987, 263212325, 289818392, 247170937, 276072317, 197581495, 33713097, 181695825, 96829354, 32991226, 228583784, 4040287, 65188717, - 258204083, 96366799, 176298395, 341574369, 306098123, 218746932, 29191888, 311810435, 305844323, 31614267, 28130094, 72716426, 38568041, 197579396, 14876445, 228525674, - 294569685, 2451649, 165929882, 112195415, 204786047, 138216235, 3438132, 126150615, 59754608, 158965324, 268160978, 266231264, 244422459, 306155336, 218178824, 301806695, - 208837335, 212153467, 209725081, 269355286, 295716530, 13980580, 264284060, 301901789, 275319045, 107139083, 4006959, 143908623, 139848274, 25357089, 21607040, 340818603, - 91260932, 198869267, 45119941, 224113252, 269556513, 42857483, 268925602, 188501450, 235382337, 324688793, 113056679, 177232352, 98280013, 117743899, 87369665, 330110286, - 310895756, 268425063, 27568325, 266303142, 181405304, 65876631, 246283438, 127636847, 16153922, 210256884, 9257227, 147272724, 235571791, 340876897, 31558760, 224463520, - 229909008, 40943950, 263351999, 14865952, 27279162, 51980445, 99553161, 108121152, 145230283, 217402431, 84060866, 190168688, 46894008, 205718237, 296935065, 331646198, - 59709076, 265829428, 214503586, 310273189, 86051634, 247210969, 275872780, 55395653, 302717617, 155583500, 207999042, 293597246, 305796948, 139332832, 198434142, 104197059, - 320317582, 101819543, 70813687, 43594385, 241913829, 210308279, 298735610, 151599086, 92093482, 24654121, 52528801, 134711941, 
324580593, 293101038, 121757877, 323940193, - 276114751, 33522997, 218880483, 46953248, 33126382, 294367143, 161595040, 208968904, 129221110, 323693686, 234366848, 50155901, 123936119, 72127416, 34243899, 171824126, - 26019236, 93997235, 28452989, 24219933, 188331672, 181161011, 146526219, 186502916, 258266311, 207146754, 206589869, 189836867, 107762500, 129011227, 222324073, 331319091, - 36618753, 141615400, 273319528, 246222615, 156139193, 290104141, 154851520, 310226922, 60187406, 73704819, 225899604, 87931539, 142487643, 152682959, 45891249, 212048348, - 148547910, 207745063, 4405848, 179269204, 216233362, 230307487, 303352796, 41616117, 47140231, 13452075, 94626849, 48892822, 78453712, 214721933, 300785835, 1512599, - 173577933, 163255132, 239883248, 205714288, 306118903, 106953300, 150085654, 77068348, 246390345, 199698311, 280165539, 256497526, 194381508, 78125966, 168327358, 180735395, - 145983352, 243342736, 198463602, 83165996, 286431792, 22885329, 271516106, 66137359, 243561376, 324886778, 149497212, 24531379, 32857894, 62778029, 56960216, 224996784, - 129315394, 81068505, 277744916, 215817366, 117205172, 195090165, 287841567, 57750901, 162987791, 259309908, 135370005, 194853269, 236792732, 219249166, 42349628, 27805769, - 186263338, 310699018, 6491000, 228545163, 315890485, 22219119, 144392189, 15505150, 87848372, 155973124, 20446561, 177725890, 226669021, 205315635, 269580641, 133696452, - 189388357, 314652032, 317225560, 304194584, 157633737, 298144493, 185785271, 337434647, 559796, 4438732, 249110619, 184824722, 221490126, 205632858, 172362641, 176702767, - 276712118, 296075254, 111221225, 259809961, 15438443, 198021462, 134378223, 162261445, 170746654, 256890644, 125206341, 307078324, 279553989, 170124925, 296845387, 188226544, - 295437875, 315053523, 172025817, 279046062, 189967278, 158662482, 192989875, 326540363, 135446089, 98631439, 257379933, 325004289, 26554274, 62190249, 228828648, 274361329, - 18518762, 184854759, 210189061, 186836398, 
230859454, 206912014, 201250021, 276332768, 119984643, 91358832, 325377399, 69085488, 307352479, 308876137, 208756649, 32865966, - 152976045, 207821125, 66426662, 67585526, 118828370, 3107192, 322037257, 146029104, 106553806, 266958791, 89567376, 153815988, 90786397, 271042585, 203781777, 169087756, - 315867500, 306916544, 7528726, 327732739, 227901532, 2263402, 14357894, 269740764, 322090105, 59838559, 298337502, 292797139, 337635349, 66476915, 75612762, 328089387, - 155232910, 87069405, 36163560, 273715413, 321325749, 218096743, 308178877, 21861281, 180676741, 135208372, 119891712, 122406065, 267537516, 341350322, 87789083, 196340943, - 217070591, 83564209, 159382818, 253921239, 184673854, 213569600, 194031064, 35973794, 18071215, 250854127, 115090766, 147707843, 330337973, 266187164, 27853295, 296801215, - 254949704, 43331190, 73930201, 35703461, 119780800, 216998106, 12687572, 250863345, 243908221, 330555990, 296216993, 202100577, 111307303, 151049872, 103451600, 237710099, - 78658022, 121490075, 134292528, 88277916, 177315676, 186629690, 77848818, 211822377, 145696683, 289190386, 274721999, 328391282, 218772820, 91324151, 321725584, 277577004, - 65732866, 275538085, 144429136, 204062923, 177280727, 214204692, 264758257, 169151951, 335535576, 334002493, 281131703, 305997258, 310527888, 136973519, 216764406, 235954329, - 254049694, 285174861, 264316834, 11792643, 149333889, 214699018, 261331547, 317320791, 24527858, 118790777, 264146824, 174296812, 332779737, 94199786, 288227027, 172048372, -}; - -const poly PQCLEAN_QTESLAPI_CLEAN_zetainv = { - - 55349550, 249376791, 10796840, 169279765, 79429753, 224785800, 319048719, 26255786, 82245030, 128877559, 194242688, 331783934, 79259743, 58401716, 89526883, 107622248, - 126812171, 206603058, 33048689, 37579319, 62444874, 9574084, 8041001, 174424626, 78818320, 129371885, 166295850, 139513654, 199147441, 68038492, 277843711, 65999573, - 21850993, 252252426, 124803757, 15185295, 68854578, 54386191, 197879894, 131754200, 
265727759, 156946887, 166260901, 255298661, 209284049, 222086502, 264918555, 105866478, - 240124977, 192526705, 232269274, 141476000, 47359584, 13020587, 99668356, 92713232, 330889005, 126578471, 223795777, 307873116, 269646376, 300245387, 88626873, 46775362, - 315723282, 77389413, 13238604, 195868734, 228485811, 92722450, 325505362, 307602783, 149545513, 130006977, 158902723, 89655338, 184193759, 260012368, 126505986, 147235634, - 255787494, 2226255, 76039061, 221170512, 223684865, 208368205, 162899836, 321715296, 35397700, 125479834, 22250828, 69861164, 307413017, 256507172, 188343667, 15487190, - 267963815, 277099662, 5941228, 50779438, 45239075, 283738018, 21486472, 73835813, 329218683, 341313175, 115675045, 15843838, 336047851, 36660033, 27709077, 174488821, - 139794800, 72533992, 252790180, 189760589, 254009201, 76617786, 237022771, 197547473, 21539320, 340469385, 224748207, 275991051, 277149915, 135755452, 190600532, 310710611, - 134819928, 34700440, 36224098, 274491089, 18199178, 252217745, 223591934, 67243809, 142326556, 136664563, 112717123, 156740179, 133387516, 158721818, 325057815, 69215248, - 114747929, 281386328, 317022303, 18572288, 86196644, 244945138, 208130488, 17036214, 150586702, 184914095, 153609299, 64530515, 171550760, 28523054, 48138702, 155350033, - 46731190, 173451652, 64022588, 36498253, 218370236, 86685933, 172829923, 181315132, 209198354, 145555115, 328138134, 83766616, 232355352, 47501323, 66864459, 166873810, - 171213936, 137943719, 122086451, 158751855, 94465958, 339137845, 343016781, 6141930, 157791306, 45432084, 185942840, 39381993, 26351017, 28924545, 154188220, 209880125, - 73995936, 138260942, 116907556, 165850687, 323130016, 187603453, 255728205, 328071427, 199184388, 321357458, 27686092, 115031414, 337085577, 32877559, 157313239, 315770808, - 301226949, 124327411, 106783845, 148723308, 208206572, 84266669, 180588786, 285825676, 55735010, 148486412, 226371405, 127759211, 65831661, 262508072, 214261183, 118579793, - 286616361, 
280798548, 310718683, 319045198, 194079365, 18689799, 100015201, 277439218, 72060471, 320691248, 57144785, 260410581, 145112975, 100233841, 197593225, 162841182, - 175249219, 265450611, 149195069, 87079051, 63411038, 143878266, 97186232, 266508229, 193490923, 236623277, 37457674, 137862289, 103693329, 180321445, 169998644, 342063978, - 42790742, 128854644, 265122865, 294683755, 248949728, 330124502, 296436346, 301960460, 40223781, 113269090, 127343215, 164307373, 339170729, 135831514, 195028667, 131528229, - 297685328, 190893618, 201088934, 255645038, 117676973, 269871758, 283389171, 33349655, 188725057, 53472436, 187437384, 97353962, 70257049, 201961177, 306957824, 12257486, - 121252504, 214565350, 235814077, 153739710, 136986708, 136429823, 85310266, 157073661, 197050358, 162415566, 155244905, 319356644, 315123588, 249579342, 317557341, 171752451, - 309332678, 271449161, 219640458, 293420676, 109209729, 19882891, 214355467, 134607673, 181981537, 49209434, 310450195, 296623329, 124696094, 310053580, 67461826, 19636384, - 221818700, 50475539, 18995984, 208864636, 291047776, 318922456, 251483095, 191977491, 44840967, 133268298, 101662748, 299982192, 272762890, 241757034, 23258995, 239379518, - 145142435, 204243745, 37779629, 49979331, 135577535, 187993077, 40858960, 288180924, 67703797, 96365608, 257524943, 33303388, 129072991, 77747149, 283867501, 11930379, - 46641512, 137858340, 296682569, 153407889, 259515711, 126174146, 198346294, 235455425, 244023416, 291596132, 316297415, 328710625, 80224578, 302632627, 113667569, 119113057, - 312017817, 2699680, 108004786, 196303853, 334319350, 133319693, 327422655, 215939730, 97293139, 277699946, 162171273, 77273435, 316008252, 75151514, 32680821, 13466291, - 256206912, 225832678, 245296564, 166344225, 230519898, 18887784, 108194240, 155075127, 74650975, 300719094, 74020064, 119463325, 298456636, 144707310, 252315645, 2757974, - 321969537, 318219488, 203728303, 199667954, 339569618, 236437494, 68257532, 41674788, 79292517, 
329595997, 47860047, 74221291, 133851496, 131423110, 134739242, 41769882, - 125397753, 37421241, 99154118, 77345313, 75415599, 184611253, 283821969, 217425962, 340138445, 205360342, 138790530, 231381162, 177646695, 341124928, 49006892, 115050903, - 328700132, 145997181, 305008536, 270860151, 315446483, 311962310, 37732254, 31766142, 314384689, 124829645, 37478454, 2002208, 167278182, 247209778, 85372494, 278387860, - 339536290, 114992793, 310585351, 246747223, 161880752, 309863480, 145995082, 67504260, 96405640, 53758185, 80364252, 59762590, 61870224, 328402109, 123460961, 185357220, - 210531620, 301407876, 330043666, 282401604, 176867483, 115053574, 316685038, 20214140, 75349137, 19519076, 63151532, 199071277, 179016942, 13021588, 321789792, 163648942, - 139380103, 114565842, 330217875, 271319530, 129239990, 186057800, 258827287, 178929042, 82102774, 257249581, 177238145, 62402069, 160259722, 233013151, 315534334, 342784710, - 77458610, 253683167, 261286212, 281360242, 296191980, 6850988, 251030736, 74731345, 265318802, 63899879, 311681497, 137131395, 3931149, 181665422, 51898522, 245605974, - 128427927, 95354166, 166281164, 2434663, 286713155, 113257227, 112789726, 90764238, 44867204, 26890740, 298664607, 181169292, 120444705, 62783316, 66162809, 133187974, - 131085619, 39270565, 70166946, 277526912, 1756312, 205015274, 210307520, 223955976, 295679311, 73435047, 218777227, 248504688, 191268148, 10674541, 113695358, 291536722, - 198196536, 266946574, 121223151, 286290221, 28846473, 189515583, 205436167, 220060181, 17816194, 219660836, 218831760, 122930261, 90002096, 123760813, 89192098, 30551277, - 208285091, 230068868, 113052860, 204703894, 323875798, 99019268, 41579225, 194457264, 64487982, 289332899, 148207072, 195897417, 311865514, 340092471, 219256369, 154766, - 299759898, 311347621, 323312829, 63589683, 246540525, 151049736, 2185297, 179420091, 34750962, 84555619, 100438483, 120169396, 157907051, 225257403, 293722399, 111850253, - 323856168, 338303783, 
314840798, 190938467, 125867606, 234764184, 327427414, 142613978, 215585704, 261751388, 316751420, 121346748, 193921698, 138975926, 44295661, 343113050, - 10670086, 262534597, 58896306, 100875887, 105441063, 338677572, 273548204, 304358246, 247450114, 126898411, 281611873, 65770419, 88358931, 108711560, 169816947, 276047518, - 179623980, 8948915, 211487568, 135978710, 122356782, 61305919, 25101795, 291689257, 141349641, 198259466, 256737405, 116654989, 45647754, 180293767, 142965291, 182641848, - 320298964, 104661562, 159853264, 63559596, 77470611, 155263833, 24371986, 4502110, 307150630, 142825689, 191055334, 272420854, 266596798, 310116768, 100031582, 330934661, - 131329963, 205128768, 34434682, 264548538, 275820126, 58374622, 126868524, 247696662, 230430459, 247383707, 213976148, 4429934, 55811418, 182713031, 135206428, 78131304, - 73905525, 122191796, 303115339, 249426444, 196133691, 50737499, 39423175, 38943576, 63789271, 15653280, 42256835, 76792639, 18041511, 28927295, 167872394, 132917641, - 221464907, 306272254, 168295914, 311947582, 115002830, 173548221, 66297447, 38518479, 186039235, 166985453, 170012531, 110913328, 2521858, 164656555, 78715300, 137921241, - 31451200, 69592338, 244799209, 30327278, 311383754, 324910770, 31364455, 227268411, 250460720, 69982039, 258447968, 48751303, 166388835, 160611885, 321899686, 248083879, - 91906147, 70295745, 73849988, 252478588, 34713870, 338042480, 280941331, 10639985, 58539003, 256112056, 301421958, 251057581, 265894571, 25563194, 195929163, 142869361, - 47864316, 339243405, 278587677, 209058399, 28896907, 235462631, 259232595, 244958163, 23735989, 146207513, 291668902, 343175816, 205222309, 282750786, 266854086, 311189979, - 107993050, 55645002, 248439323, 110947244, 127537928, 20029480, 91971569, 91066679, 187746866, 177178431, 199502889, 212043310, 196042207, 211835072, 122477545, 18413892, - 161679160, 35056566, 338821353, 276789509, 206322097, 18473387, 327976767, 80429437, 279397388, 68518274, 181023243, 
237284827, 313969190, 15263438, 51894343, 9591303, - 82627166, 239331506, 239476843, 289562517, 139382347, 242285354, 17292740, 188689316, 235469942, 117131734, 266735631, 326823227, 117612662, 76546657, 295122385, 12037548, - 189504538, 95200070, 293038692, 31932380, 187259607, 73167190, 170755308, 218145696, 236213106, 108592503, 131352161, 60559929, 42411067, 280958175, 8836049, 297422828, - 11573249, 91280673, 125611361, 161380632, 226344941, 134250929, 140995006, 98690051, 155765188, 164335593, 80031253, 199481563, 69867929, 39419746, 228795671, 19516918, - 167375209, 89867706, 72825851, 242099982, 14848946, 42273808, 126259092, 304755136, 38613146, 122800946, 267082476, 167972636, 196062071, 254115855, 39817651, 309122741, - 60457156, 250755360, 20601023, 243392916, 292858762, 180399588, 313217138, 29929697, 60449086, 283841728, 160244444, 241071188, 321755521, 108569899, 143560290, 272375957, - 331455083, 14981285, 32934047, 262884057, 281379762, 227479236, 105879398, 272619394, 284712017, 190200546, 171093156, 34108414, 325985663, 199935697, 224245523, 144111576, - 153321671, 286621872, 35462788, 214206730, 126269934, 65652966, 284070510, 6662486, 325197743, 38006257, 50224836, 124340354, 154428934, 7450140, 287185643, 33705971, - 141469584, 272829155, 286510306, 246444258, 170097677, 319718232, 330523682, 140140378, 10364444, 160580247, 27785987, 34570969, 134913023, 14901862, 115728895, 78609524, - 201919710, 13838972, 34092541, 198733493, 47482665, 251494232, 16132931, 38972371, 240063876, 117596199, 162911865, 262860640, 52977050, 77007819, 254322574, 230917793, - 56907315, 187536671, 158797937, 155087075, 285406963, 223869101, 209999057, 86990953, 177275895, 51531987, 75323133, 136095883, 79458852, 284976460, 336503820, 248522042, - 242449238, 205641666, 53426246, 117730324, 10035786, 176235396, 119572778, 246212637, 259359873, 106810129, 68701183, 223062848, 116203489, 128109911, 250671079, 143144811, - 122946724, 97778773, 14445551, 298865154, 
220279089, 290608179, 139788422, 238668396, 208042792, 131609015, 171512662, 87566759, 307515865, 299411860, 322981913, 275319558, - 215000538, 298680114, 174004783, 223088200, 81687275, 147683374, 191654034, 69991164, 17002068, 330618625, 9609529, 80888816, 152614860, 150884999, 256151599, 329060317, - 211562488, 80002392, 53630089, 14783054, 243458064, 201989694, 173499211, 84231350, 173331941, 304685475, 186888301, 246560832, 235755640, 112845732, 306533221, 45346390, - 159933829, 204549617, 65072539, 250813869, 230816883, 281589467, 307369918, 341418978, 323140252, 73855972, 83202333, 37507398, 171449539, 2278644, 159569463, 171528205, -}; diff --git a/crypto_sign/qtesla-p-I/clean/gauss.c b/crypto_sign/qtesla-p-I/clean/gauss.c deleted file mode 100644 index 452a09d4..00000000 --- a/crypto_sign/qtesla-p-I/clean/gauss.c +++ /dev/null 
@@ -1,44 +0,0 @@
-/*************************************************************************************
-* qTESLA: an efficient post-quantum signature scheme based on the R-LWE problem
-*
-* Abstract: portable, constant-time Gaussian sampler
-**************************************************************************************/
-
-#include "api.h"
-#include "CDT32.h"
-#include "gauss.h"
-#include "sp800-185.h"
-#include 
-
-void PQCLEAN_QTESLAPI_CLEAN_sample_gauss_poly(poly z, const uint8_t *seed, uint16_t nonce) {
- uint16_t dmsp = (uint16_t)(nonce << 8);
- int32_t samp[CHUNK_SIZE * CDT_COLS], c[CDT_COLS], borrow, sign;
- const int32_t mask = (int32_t)((uint32_t)(-1) >> 1);
- uint8_t buf[CHUNK_SIZE * CDT_COLS * sizeof(int32_t)];
-
- for (size_t chunk = 0; chunk < PARAM_N; chunk += CHUNK_SIZE) {
- uint8_t dmsp_bytes[2];
- dmsp_bytes[0] = (uint8_t)(dmsp & 0xff);
- dmsp_bytes[1] = (uint8_t)(dmsp >> 8);
- cSHAKE(buf, CHUNK_SIZE * CDT_COLS * sizeof(int32_t), (uint8_t *)NULL, 0, dmsp_bytes, 2, seed, CRYPTO_RANDOMBYTES);
- ++dmsp;
- for (size_t i = 0, j = 0; i < CHUNK_SIZE * CDT_COLS; i += 1, j += 4) {
- samp[i] = (int32_t)(buf[j] | (buf[j + 1] << 8) | (buf[j + 2] << 16) | (int32_t)((uint32_t)buf[j + 3] << 24));
- }
- for (size_t i = 0; i < CHUNK_SIZE; i++) {
- z[chunk + i] = 0;
- for (size_t j = 1; j < CDT_ROWS; j++) {
- borrow = 0;
- for (size_t k = CDT_COLS; k > 0; ) {
- k--;
- c[k] = (samp[i * CDT_COLS + k] & mask) - (cdt_v[j * CDT_COLS + k] + borrow);
- borrow = c[k] >> (RADIX32 - 1);
- }
- z[chunk + i] += ~borrow & 1;
- }
- sign = samp[i * CDT_COLS] >> (RADIX32 - 1);
- z[chunk + i] = (sign & -z[chunk + i]) | (~sign & z[chunk + i]);
- }
- }
-}
-
diff --git a/crypto_sign/qtesla-p-I/clean/gauss.h b/crypto_sign/qtesla-p-I/clean/gauss.h
deleted file mode 100644
index 8f953ee2..00000000
--- a/crypto_sign/qtesla-p-I/clean/gauss.h
+++ /dev/null
@@ -1,13 +0,0 @@
-#ifndef PQCLEAN_QTESLAPI_CLEAN_GAUSS_H
-#define PQCLEAN_QTESLAPI_CLEAN_GAUSS_H
-
-#include "config.h"
-#include "params.h"
-#include "poly.h"
-#include 
-
-#define CHUNK_SIZE 512 // Fix chunk size for sampling
-
-void PQCLEAN_QTESLAPI_CLEAN_sample_gauss_poly(poly z, const uint8_t *seed, uint16_t nonce);
-
-#endif
diff --git a/crypto_sign/qtesla-p-I/clean/pack.c b/crypto_sign/qtesla-p-I/clean/pack.c
deleted file mode 100644
index 80595dd8..00000000
--- a/crypto_sign/qtesla-p-I/clean/pack.c
+++ /dev/null
@@ -1,118 +0,0 @@ -/************************************************************************************* -* qTESLA: an efficient post-quantum signature scheme based on the R-LWE problem -* -* Abstract: packing functions -**************************************************************************************/ - -#include "api.h" -#include "pack.h" -#include "params.h" -#include "poly.h" -#include - -void PQCLEAN_QTESLAPI_CLEAN_pack_sk(uint8_t *sk, const poly s, const poly_k e, uint8_t *seeds) { - // Pack secret key sk - size_t i, k; - - for (i = 0; i < PARAM_N; i++) { - sk[i] = (uint8_t)s[i]; - } - - sk += PARAM_N; - for (k = 0; k < PARAM_K; k++) { - for (i = 0; i < PARAM_N; i++) { - sk[k * PARAM_N + i] = (uint8_t)e[k * PARAM_N + i]; - } - } - - memcpy(&sk[PARAM_K * PARAM_N], seeds, 2 * CRYPTO_SEEDBYTES); -} - -void PQCLEAN_QTESLAPI_CLEAN_encode_pk(uint8_t *pk, const poly_k t, const uint8_t *seedA) { - // Encode public key pk - size_t i, j; - - for (i = 0, j = 0; i < PARAM_N * PARAM_K; i += 8, j += 29) { - pk[j ] = (uint8_t)( t[i ] ); - pk[j + 1] = (uint8_t)( t[i ] >> 8); - pk[j + 2] = (uint8_t)( t[i ] >> 16); - pk[j + 3] = (uint8_t)((t[i ] >> 24) | (t[i + 1] << 5)); - pk[j + 4] = (uint8_t)( t[i + 1] >> 3); - pk[j + 5] = (uint8_t)( t[i + 1] >> 11); - pk[j + 6] = (uint8_t)( t[i + 1] >> 19); - pk[j + 7] = (uint8_t)((t[i + 1] >> 27) | (t[i + 2] << 2)); - pk[j + 8] = (uint8_t)( t[i + 2] >> 6); - pk[j + 9] = (uint8_t)( t[i + 2] >> 14); - pk[j + 10] = (uint8_t)((t[i + 2] >> 22) | (t[i + 3] << 7)); - pk[j + 11] = (uint8_t)( t[i + 3] >> 1); - pk[j + 12] = (uint8_t)( t[i + 3] >> 9); - pk[j + 13] = (uint8_t)( t[i + 3] >> 17); - pk[j + 14] = (uint8_t)((t[i + 3] >> 25) | (t[i + 4] << 4)); - pk[j + 15] = (uint8_t)( t[i + 4] >> 4); - pk[j + 16] = (uint8_t)( t[i + 4] >> 12); - pk[j + 17] = (uint8_t)( t[i + 4] >> 20); - pk[j + 18] = (uint8_t)((t[i + 4] >> 28) | (t[i + 5] << 1)); - pk[j + 19] = (uint8_t)( t[i + 5] >> 7); - pk[j + 20] = (uint8_t)( t[i + 5] >> 15); - pk[j + 21] = 
(uint8_t)((t[i + 5] >> 23) | (t[i + 6] << 6)); - pk[j + 22] = (uint8_t)( t[i + 6] >> 2); - pk[j + 23] = (uint8_t)( t[i + 6] >> 10); - pk[j + 24] = (uint8_t)( t[i + 6] >> 18); - pk[j + 25] = (uint8_t)((t[i + 6] >> 26) | (t[i + 7] << 3)); - pk[j + 26] = (uint8_t)( t[i + 7] >> 5); - pk[j + 27] = (uint8_t)( t[i + 7] >> 13); - pk[j + 28] = (uint8_t)( t[i + 7] >> 21); - } - - memcpy(&pk[j], seedA, CRYPTO_SEEDBYTES); -} - - -void PQCLEAN_QTESLAPI_CLEAN_decode_pk(int32_t *pk, uint8_t *seedA, const uint8_t *pk_in) { - // Decode public key pk - size_t i, j; - int32_t mask29 = (1 << PARAM_Q_LOG) - 1; - const uint8_t *a = pk_in; - - for (i = 0, j = 0; i < PARAM_N * PARAM_K; i += 8, j += 29) { - pk[i ] = (int32_t)(( a[j ] | (a[j + 1] << 8) | (a[j + 2] << 16) | (int32_t)((uint32_t)a[j + 3] << 24) ) & mask29); - pk[i + 1] = (int32_t)(((a[j + 3] >> 5) | (a[j + 4] << 3) | (a[j + 5] << 11) | (a[j + 6] << 19) | (int32_t)((uint32_t)a[j + 7] << 27)) & mask29); - pk[i + 2] = (int32_t)(((a[j + 7] >> 2) | (a[j + 8] << 6) | (a[j + 9] << 14) | (a[j + 10] << 22) ) & mask29); - pk[i + 3] = (int32_t)(((a[j + 10] >> 7) | (a[j + 11] << 1) | (a[j + 12] << 9) | (a[j + 13] << 17) | (int32_t)((uint32_t)a[j + 14] << 25)) & mask29); - pk[i + 4] = (int32_t)(((a[j + 14] >> 4) | (a[j + 15] << 4) | (a[j + 16] << 12) | (a[j + 17] << 20) | (int32_t)((uint32_t)a[j + 18] << 28)) & mask29); - pk[i + 5] = (int32_t)(((a[j + 18] >> 1) | (a[j + 19] << 7) | (a[j + 20] << 15) | (a[j + 21] << 23) ) & mask29); - pk[i + 6] = (int32_t)(((a[j + 21] >> 6) | (a[j + 22] << 2) | (a[j + 23] << 10) | (a[j + 24] << 18) | (int32_t)((uint32_t)a[j + 25] << 26)) & mask29); - pk[i + 7] = (int32_t)( (a[j + 25] >> 3) | (a[j + 26] << 5) | (a[j + 27] << 13) | (a[j + 28] << 21) ); - } - - memcpy(seedA, &pk_in[j], CRYPTO_SEEDBYTES); -} - - -void PQCLEAN_QTESLAPI_CLEAN_encode_sig(uint8_t *sm, uint8_t *c, const poly z) { - // Encode signature sm - size_t i, j; - - for (i = 0, j = 0; i < PARAM_N; i += 2, j += 5) { - sm[j ] = (uint8_t)( z[i ] 
); - sm[j + 1] = (uint8_t)( z[i ] >> 8); - sm[j + 2] = (uint8_t)(((z[i ] >> 16) & 0x0F) | (int64_t)((uint64_t)z[i + 1] << 4)); - sm[j + 3] = (uint8_t)( z[i + 1] >> 4); - sm[j + 4] = (uint8_t)( z[i + 1] >> 12); - } - - memcpy(&sm[j], c, CRYPTO_C_BYTES); -} - -void PQCLEAN_QTESLAPI_CLEAN_decode_sig(uint8_t *c, poly z, const uint8_t *sm) { - // Decode signature sm - size_t i, j; - - for (i = 0, j = 0; i < PARAM_N; i += 2, j += 5) { - z[i ] = sm[j ] | (sm[j + 1] << 8) | ((int64_t)((uint64_t)sm[j + 2] << 60) >> 44); - z[i + 1] = (sm[j + 2] >> 4) | (sm[j + 3] << 4) | ((int64_t)((uint64_t)sm[j + 4] << 56) >> 44); - } - - memcpy(c, &sm[j], CRYPTO_C_BYTES); -} - diff --git a/crypto_sign/qtesla-p-I/clean/pack.h b/crypto_sign/qtesla-p-I/clean/pack.h deleted file mode 100644 index fecfd570..00000000 --- a/crypto_sign/qtesla-p-I/clean/pack.h +++ /dev/null @@ -1,13 +0,0 @@ -#ifndef PQCLEAN_QTESLAPI_CLEAN_PACK_H -#define PQCLEAN_QTESLAPI_CLEAN_PACK_H - -#include "poly.h" -#include - -void PQCLEAN_QTESLAPI_CLEAN_pack_sk(uint8_t *sk, const poly s, const poly_k e, uint8_t *seeds); -void PQCLEAN_QTESLAPI_CLEAN_encode_pk(uint8_t *pk, const poly_k t, const uint8_t *seedA); -void PQCLEAN_QTESLAPI_CLEAN_decode_pk(int32_t *pk, uint8_t *seedA, const uint8_t *pk_in); -void PQCLEAN_QTESLAPI_CLEAN_encode_sig(uint8_t *sm, uint8_t *c, const poly z); -void PQCLEAN_QTESLAPI_CLEAN_decode_sig(uint8_t *c, poly z, const uint8_t *sm); - -#endif diff --git a/crypto_sign/qtesla-p-I/clean/params.h b/crypto_sign/qtesla-p-I/clean/params.h deleted file mode 100644 index fb661b71..00000000 --- a/crypto_sign/qtesla-p-I/clean/params.h +++ /dev/null 
@@ -1,42 +0,0 @@
-#ifndef PQCLEAN_QTESLAPI_CLEAN_PARAMS_H
-#define PQCLEAN_QTESLAPI_CLEAN_PARAMS_H
-
-/*************************************************************************************
-* qTESLA: an efficient post-quantum signature scheme based on the R-LWE problem
-*
-* Abstract: provably-secure qTESLA parameters
-**************************************************************************************/
-
-#define PARAM_N 1024
-#define PARAM_N_LOG 10
-#define PARAM_SIGMA 8.5
-#define PARAM_Q 343576577
-#define PARAM_Q_LOG 29
-#define PARAM_QINV 2205847551
-#define PARAM_BARR_MULT 3
-#define PARAM_BARR_DIV 30
-#define PARAM_B 524287
-#define PARAM_B_BITS 19
-#define PARAM_S_BITS 8
-#define PARAM_K 4
-#define PARAM_SIGMA_E PARAM_SIGMA
-#define PARAM_H 25
-#define PARAM_D 22
-#define PARAM_GEN_A 108
-#define PARAM_KEYGEN_BOUND_E 554
-#define PARAM_E PARAM_KEYGEN_BOUND_E
-#define PARAM_KEYGEN_BOUND_S 554
-#define PARAM_S PARAM_KEYGEN_BOUND_S
-#define PARAM_R2_INVN 13632409
-#define PARAM_R 172048372
-
-#define SHAKE shake128
-#define cSHAKE cshake128
-#define SHAKE_RATE SHAKE128_RATE
-
-#define CRYPTO_RANDOMBYTES 32
-#define CRYPTO_SEEDBYTES 32
-#define CRYPTO_C_BYTES 32
-#define HM_BYTES 64
-
-#endif
diff --git a/crypto_sign/qtesla-p-I/clean/poly.c b/crypto_sign/qtesla-p-I/clean/poly.c
deleted file mode 100644
index 0eb3d96b..00000000
--- a/crypto_sign/qtesla-p-I/clean/poly.c
+++ /dev/null
@@ -1,255 +0,0 @@ -/************************************************************************************* -* qTESLA: an efficient post-quantum signature scheme based on the R-LWE problem -* -* Abstract: NTT, modular reduction and polynomial functions -**************************************************************************************/ - -#include "api.h" -#include "poly.h" -#include "sp800-185.h" - -extern const poly PQCLEAN_QTESLAPI_CLEAN_zeta; -extern const poly PQCLEAN_QTESLAPI_CLEAN_zetainv; - - - -static int64_t reduce(int64_t a) { - // Montgomery reduction - int64_t u; - - u = ((uint64_t)a * PARAM_QINV) & 0xFFFFFFFF; - u *= PARAM_Q; - a += u; - return a >> 32; -} - - -static int64_t barr_reduce(int64_t a) { - // Barrett reduction - int64_t u = (a * PARAM_BARR_MULT) >> PARAM_BARR_DIV; - return a - u * PARAM_Q; -} - - -static void ntt(poly a, const poly w) { - // Forward NTT transform - size_t NumoProblems = PARAM_N >> 1, jTwiddle = 0; - - for (; NumoProblems > 0; NumoProblems >>= 1) { - size_t jFirst, j = 0; - for (jFirst = 0; jFirst < PARAM_N; jFirst = j + NumoProblems) { - sdigit_t W = (sdigit_t)w[jTwiddle++]; - for (j = jFirst; j < jFirst + NumoProblems; j++) { - int64_t temp = reduce((int64_t)W * a[j + NumoProblems]); - a[j + NumoProblems] = a[j] + (PARAM_Q - temp); - a[j] = temp + a[j]; - } - } - } -} - - -static void nttinv(poly a, const poly w) { - // Inverse NTT transform - size_t NumoProblems = 1, jTwiddle = 0; - for (; NumoProblems < PARAM_N; NumoProblems *= 2) { - size_t jFirst, j = 0; - for (jFirst = 0; jFirst < PARAM_N; jFirst = j + NumoProblems) { - sdigit_t W = (sdigit_t)w[jTwiddle++]; - for (j = jFirst; j < jFirst + NumoProblems; j++) { - int64_t temp = a[j]; - a[j] = (temp + a[j + NumoProblems]); - a[j + NumoProblems] = reduce((int64_t)W * (temp + (2 * PARAM_Q - a[j + NumoProblems]))); - } - } - NumoProblems *= 2; - for (jFirst = 0; jFirst < PARAM_N; jFirst = j + NumoProblems) { - sdigit_t W = (sdigit_t)w[jTwiddle++]; - for (j = jFirst; j < 
jFirst + NumoProblems; j++) { - int64_t temp = a[j]; - a[j] = barr_reduce(temp + a[j + NumoProblems]); - a[j + NumoProblems] = reduce((int64_t)W * (temp + (2 * PARAM_Q - a[j + NumoProblems]))); - } - } - } -} - - -static void poly_pointwise(poly result, const poly x, const poly y) { - // Pointwise polynomial multiplication result = x.y - - for (size_t i = 0; i < PARAM_N; i++) { - result[i] = reduce(x[i] * y[i]); - } -} - -void PQCLEAN_QTESLAPI_CLEAN_poly_ntt(poly x_ntt, const poly x) { - // Call to NTT function. Avoids input destruction - - for (size_t i = 0; i < PARAM_N; i++) { - x_ntt[i] = x[i]; - } - ntt(x_ntt, PQCLEAN_QTESLAPI_CLEAN_zeta); -} - - -void PQCLEAN_QTESLAPI_CLEAN_poly_mul(poly result, const poly x, const poly y) { - // Polynomial multiplication result = x*y, with in place reduction for (X^N+1) - // The inputs x and y are assumed to be in NTT form - - poly_pointwise(result, x, y); - nttinv(result, PQCLEAN_QTESLAPI_CLEAN_zetainv); -} - - -void PQCLEAN_QTESLAPI_CLEAN_poly_add(poly result, const poly x, const poly y) { - // Polynomial addition result = x+y - - for (size_t i = 0; i < PARAM_N; i++) { - result[i] = x[i] + y[i]; - } -} - - -void PQCLEAN_QTESLAPI_CLEAN_poly_add_correct(poly result, const poly x, const poly y) { - // Polynomial addition result = x+y with correction - - for (size_t i = 0; i < PARAM_N; i++) { - result[i] = x[i] + y[i]; - result[i] -= PARAM_Q; - result[i] += (result[i] >> (RADIX32 - 1)) & PARAM_Q; // If result[i] >= q then subtract q - } -} - - -void PQCLEAN_QTESLAPI_CLEAN_poly_sub(poly result, const poly x, const poly y) { - // Polynomial subtraction result = x-y - - for (size_t i = 0; i < PARAM_N; i++) { - result[i] = barr_reduce(x[i] - y[i]); - } -} - -/******************************************************************************************** -* Name: sparse_mul8 -* Description: performs sparse polynomial multiplication -* Parameters: inputs: -* - const uint8_t *s: part of the secret key -* - const uint32_t 
pos_list[PARAM_H]: list of indices of nonzero elements in c -* - const int16_t sign_list[PARAM_H]: list of signs of nonzero elements in c -* outputs: -* - poly prod: product of 2 polynomials -* -* Note: pos_list[] and sign_list[] contain public information since c is public -*********************************************************************************************/ -void PQCLEAN_QTESLAPI_CLEAN_sparse_mul8(poly prod, const uint8_t *s, const uint32_t pos_list[PARAM_H], const int16_t sign_list[PARAM_H]) { - size_t i, j, pos; - int8_t *t = (int8_t *)s; - - for (i = 0; i < PARAM_N; i++) { - prod[i] = 0; - } - - for (i = 0; i < PARAM_H; i++) { - pos = pos_list[i]; - for (j = 0; j < pos; j++) { - prod[j] = prod[j] - sign_list[i] * t[j + PARAM_N - pos]; - } - for (j = pos; j < PARAM_N; j++) { - prod[j] = prod[j] + sign_list[i] * t[j - pos]; - } - } -} - -/******************************************************************************************** -* Name: sparse_mul32 -* Description: performs sparse polynomial multiplication -* Parameters: inputs: -* - const int32_t* pk: part of the public key -* - const uint32_t pos_list[PARAM_H]: list of indices of nonzero elements in c -* - const int16_t sign_list[PARAM_H]: list of signs of nonzero elements in c -* outputs: -* - poly prod: product of 2 polynomials -*********************************************************************************************/ -void PQCLEAN_QTESLAPI_CLEAN_sparse_mul32(poly prod, const int32_t *pk, const uint32_t pos_list[PARAM_H], const int16_t sign_list[PARAM_H]) { - size_t i, j, pos; - - for (i = 0; i < PARAM_N; i++) { - prod[i] = 0; - } - - for (i = 0; i < PARAM_H; i++) { - pos = pos_list[i]; - for (j = 0; j < pos; j++) { - prod[j] = prod[j] - sign_list[i] * pk[j + PARAM_N - pos]; - } - for (j = pos; j < PARAM_N; j++) { - prod[j] = prod[j] + sign_list[i] * pk[j - pos]; - } - } - for (i = 0; i < PARAM_N; i++) { - prod[i] = barr_reduce(prod[i]); - } -} - -void 
PQCLEAN_QTESLAPI_CLEAN_poly_uniform(poly_k a, const uint8_t *seed) { - // Generation of polynomials "a_i" - size_t pos = 0, i = 0, nbytes = (PARAM_Q_LOG + 7) / 8; - size_t nblocks = PARAM_GEN_A; - uint32_t val1, val2, val3, val4, mask = (uint32_t)(1 << PARAM_Q_LOG) - 1; - uint8_t buf[SHAKE128_RATE * PARAM_GEN_A]; - uint16_t dmsp = 0; - uint8_t dmsp_bytes[2]; - dmsp_bytes[0] = (uint8_t)(dmsp & 0xff); - dmsp_bytes[1] = (uint8_t)(dmsp >> 8); - cshake128(buf, SHAKE128_RATE * PARAM_GEN_A, (uint8_t *)NULL, 0, dmsp_bytes, 2, seed, CRYPTO_RANDOMBYTES); - ++dmsp; - - while (i < PARAM_K * PARAM_N) { - if (pos > SHAKE128_RATE * nblocks - 4 * nbytes) { - nblocks = 1; - dmsp_bytes[0] = (uint8_t)(dmsp & 0xff); - dmsp_bytes[1] = (uint8_t)(dmsp >> 8); - cshake128(buf, SHAKE128_RATE * nblocks, (uint8_t *)NULL, 0, dmsp_bytes, 2, seed, CRYPTO_RANDOMBYTES); - ++dmsp; - pos = 0; - } - val1 = ((uint32_t)(buf[pos]) - | ((uint32_t)buf[pos + 1] << 8) - | ((uint32_t)buf[pos + 2] << 16) - | ((uint32_t)buf[pos + 3] << 24)) - & mask; - pos += nbytes; - val2 = ((uint32_t)(buf[pos]) - | ((uint32_t)buf[pos + 1] << 8) - | ((uint32_t)buf[pos + 2] << 16) - | ((uint32_t)buf[pos + 3] << 24)) - & mask; - pos += nbytes; - val3 = ((uint32_t)(buf[pos]) - | ((uint32_t)buf[pos + 1] << 8) - | ((uint32_t)buf[pos + 2] << 16) - | ((uint32_t)buf[pos + 3] << 24)) - & mask; - pos += nbytes; - val4 = ((uint32_t)(buf[pos]) - | ((uint32_t)buf[pos + 1] << 8) - | ((uint32_t)buf[pos + 2] << 16) - | ((uint32_t)buf[pos + 3] << 24)) - & mask; - pos += nbytes; - if (val1 < PARAM_Q && i < PARAM_K * PARAM_N) { - a[i++] = reduce((int64_t)val1 * PARAM_R2_INVN); - } - if (val2 < PARAM_Q && i < PARAM_K * PARAM_N) { - a[i++] = reduce((int64_t)val2 * PARAM_R2_INVN); - } - if (val3 < PARAM_Q && i < PARAM_K * PARAM_N) { - a[i++] = reduce((int64_t)val3 * PARAM_R2_INVN); - } - if (val4 < PARAM_Q && i < PARAM_K * PARAM_N) { - a[i++] = reduce((int64_t)val4 * PARAM_R2_INVN); - } - } -} - 
diff --git a/crypto_sign/qtesla-p-I/clean/poly.h b/crypto_sign/qtesla-p-I/clean/poly.h
deleted file mode 100644
index aa407f39..00000000
--- a/crypto_sign/qtesla-p-I/clean/poly.h
+++ /dev/null
@@ -1,20 +0,0 @@
-#ifndef PQCLEAN_QTESLAPI_CLEAN_POLY_H
-#define PQCLEAN_QTESLAPI_CLEAN_POLY_H
-
-#include "config.h"
-#include "params.h"
-#include 
-
-typedef int64_t poly[PARAM_N];
-typedef int64_t poly_k[PARAM_N * PARAM_K];
-
-void PQCLEAN_QTESLAPI_CLEAN_poly_ntt(poly x_ntt, const poly x);
-void PQCLEAN_QTESLAPI_CLEAN_poly_mul(poly result, const poly x, const poly y);
-void PQCLEAN_QTESLAPI_CLEAN_poly_add(poly result, const poly x, const poly y);
-void PQCLEAN_QTESLAPI_CLEAN_poly_add_correct(poly result, const poly x, const poly y);
-void PQCLEAN_QTESLAPI_CLEAN_poly_sub(poly result, const poly x, const poly y);
-void PQCLEAN_QTESLAPI_CLEAN_sparse_mul8(poly prod, const uint8_t *s, const uint32_t pos_list[PARAM_H], const int16_t sign_list[PARAM_H]);
-void PQCLEAN_QTESLAPI_CLEAN_sparse_mul32(poly prod, const int32_t *pk, const uint32_t pos_list[PARAM_H], const int16_t sign_list[PARAM_H]);
-void PQCLEAN_QTESLAPI_CLEAN_poly_uniform(poly_k a, const uint8_t *seed);
-
-#endif
diff --git a/crypto_sign/qtesla-p-I/clean/sample.c b/crypto_sign/qtesla-p-I/clean/sample.c
deleted file mode 100644
index 78582aed..00000000
--- a/crypto_sign/qtesla-p-I/clean/sample.c
+++ /dev/null
@@ -1,89 +0,0 @@ -/************************************************************************************* -* qTESLA: an efficient post-quantum signature scheme based on the R-LWE problem -* -* Abstract: sampling functions -**************************************************************************************/ - -#include "api.h" -#include "params.h" -#include "sample.h" -#include "sp800-185.h" - -#define NBLOCKS_SHAKE (SHAKE_RATE/(((PARAM_B_BITS+1)+7)/8)) -#define BPLUS1BYTES (((PARAM_B_BITS+1)+7)/8) - - -void PQCLEAN_QTESLAPI_CLEAN_sample_y(poly y, const uint8_t *seed, uint16_t nonce) { - // Sample polynomial y, such that each coefficient is in the range [-B,B] - size_t i = 0, pos = 0, nblocks = PARAM_N; - uint8_t buf[PARAM_N * BPLUS1BYTES + 1]; - uint16_t dmsp = (uint16_t)(nonce << 8); - uint8_t dmsp_bytes[2]; - - dmsp_bytes[0] = (uint8_t)(dmsp & 0xff); - dmsp_bytes[1] = (uint8_t)(dmsp >> 8); - cSHAKE(buf, PARAM_N * BPLUS1BYTES, (uint8_t *)NULL, 0, dmsp_bytes, 2, seed, CRYPTO_RANDOMBYTES); - ++dmsp; - - while (i < PARAM_N) { - if (pos >= nblocks * BPLUS1BYTES) { - nblocks = NBLOCKS_SHAKE; - dmsp_bytes[0] = (uint8_t)(dmsp & 0xff); - dmsp_bytes[1] = (uint8_t)(dmsp >> 8); - cSHAKE(buf, SHAKE_RATE, (uint8_t *)NULL, 0, dmsp_bytes, 2, seed, CRYPTO_RANDOMBYTES); - ++dmsp; - pos = 0; - } - y[i] = (uint32_t)((buf[pos] | (buf[pos + 1] << 8) | (buf[pos + 2] << 16)) & ((1 << (PARAM_B_BITS + 1)) - 1)); - y[i] -= PARAM_B; - if (y[i] != (1 << PARAM_B_BITS)) { - i++; - } - pos += BPLUS1BYTES; - } -} - - -void PQCLEAN_QTESLAPI_CLEAN_encode_c(uint32_t *pos_list, int16_t *sign_list, uint8_t *c_bin) { - // Encoding of c' by mapping the output of the hash function H to an N-element vector with entries {-1,0,1} - size_t i, pos, cnt = 0; - int16_t c[PARAM_N]; - uint8_t r[SHAKE128_RATE]; - uint16_t dmsp = 0; - uint8_t dmsp_bytes[2]; - - // Use the hash value as key to generate some randomness - dmsp_bytes[0] = (uint8_t)(dmsp & 0xff); - dmsp_bytes[1] = (uint8_t)(dmsp >> 8); - cshake128(r, 
SHAKE128_RATE, (uint8_t *)NULL, 0, dmsp_bytes, 2, c_bin, CRYPTO_RANDOMBYTES); - ++dmsp; - - // Use rejection sampling to determine positions to be set in the new vector - for (i = 0; i < PARAM_N; i++) { - c[i] = 0; - } - - for (i = 0; i < PARAM_H;) { // Sample a unique position k times. Use two bytes - if (cnt > (SHAKE128_RATE - 3)) { - dmsp_bytes[0] = (uint8_t)(dmsp & 0xff); - dmsp_bytes[1] = (uint8_t)(dmsp >> 8); - cshake128(r, SHAKE128_RATE, (uint8_t *)NULL, 0, dmsp_bytes, 2, c_bin, CRYPTO_RANDOMBYTES); - ++dmsp; - cnt = 0; - } - pos = (size_t)((r[cnt] << 8) | (r[cnt + 1])); - pos = pos & (PARAM_N - 1); // Position is in the range [0,N-1] - - if (c[pos] == 0) { // Position has not been set yet. Determine sign - if ((r[cnt + 2] & 1) == 1) { - c[pos] = -1; - } else { - c[pos] = 1; - } - pos_list[i] = (uint32_t)pos; - sign_list[i] = c[pos]; - i++; - } - cnt += 3; - } -} diff --git a/crypto_sign/qtesla-p-I/clean/sample.h b/crypto_sign/qtesla-p-I/clean/sample.h deleted file mode 100644 index 35b18c0d..00000000 --- a/crypto_sign/qtesla-p-I/clean/sample.h +++ /dev/null @@ -1,11 +0,0 @@ -#ifndef PQCLEAN_QTESLAPI_CLEAN_SAMPLE_H -#define PQCLEAN_QTESLAPI_CLEAN_SAMPLE_H - -#include "params.h" -#include "poly.h" -#include - -void PQCLEAN_QTESLAPI_CLEAN_sample_y(poly y, const uint8_t *seed, uint16_t nonce); -void PQCLEAN_QTESLAPI_CLEAN_encode_c(uint32_t *pos_list, int16_t *sign_list, uint8_t *c_bin); - -#endif diff --git a/crypto_sign/qtesla-p-I/clean/sign.c b/crypto_sign/qtesla-p-I/clean/sign.c deleted file mode 100644 index a1b5b80a..00000000 --- a/crypto_sign/qtesla-p-I/clean/sign.c +++ /dev/null 
@@ -1,403 +0,0 @@ -/************************************************************************************* -* qTESLA: an efficient post-quantum signature scheme based on the R-LWE problem -* -* Abstract: high-level functions of the signature scheme -**************************************************************************************/ - -#include "api.h" -#include "fips202.h" -#include "gauss.h" -#include "pack.h" -#include "params.h" -#include "poly.h" -#include "randombytes.h" -#include "sample.h" -#include -#include - -static void hash_H(uint8_t *c_bin, const poly_k v, const uint8_t *hm) { - // Hash-based function H to generate c' - uint8_t t[PARAM_K * PARAM_N + HM_BYTES]; - int32_t mask, cL, temp; - size_t i, k, index; - - for (k = 0; k < PARAM_K; k++) { - index = k * PARAM_N; - for (i = 0; i < PARAM_N; i++) { - temp = (int32_t)v[index]; - // If v[i] > PARAM_Q/2 then v[i] -= PARAM_Q - mask = (PARAM_Q / 2 - temp) >> (RADIX32 - 1); - temp = ((temp - PARAM_Q) & mask) | (temp & ~mask); - - cL = temp & ((1 << PARAM_D) - 1); - // If cL > 2^(d-1) then cL -= 2^d - mask = ((1 << (PARAM_D - 1)) - cL) >> (RADIX32 - 1); - cL = ((cL - (1 << PARAM_D)) & mask) | (cL & ~mask); - t[index++] = (uint8_t)((temp - cL) >> PARAM_D); - } - } - memcpy(&t[PARAM_K * PARAM_N], hm, HM_BYTES); - SHAKE(c_bin, CRYPTO_C_BYTES, t, PARAM_K * PARAM_N + HM_BYTES); -} - - -static inline int32_t Abs(int32_t value) { - // Compute absolute value - - int32_t mask = value >> (RADIX32 - 1); - return (mask ^ value) - mask; -} - - -static int test_rejection(const poly z) { - // Check bounds for signature vector z during signing. Returns 0 if valid, otherwise outputs 1 if invalid (rejected). - // This function does not leak any information about the coefficient that fails the test. 
- uint32_t valid = 0; - - for (size_t i = 0; i < PARAM_N; i++) { - valid |= (PARAM_B - PARAM_S) - (uint32_t)Abs((int32_t)z[i]); - } - return (int)(valid >> 31); -} - - -static int test_correctness(const poly v) { - // Check bounds for w = v - ec during signature verification. Returns 0 if valid, otherwise outputs 1 if invalid (rejected). - // This function leaks the position of the coefficient that fails the test (but this is independent of the secret data). - // It does not leak the sign of the coefficients. - int32_t mask, left, val; - uint32_t t0, t1; - - for (size_t i = 0; i < PARAM_N; i++) { - // If v[i] > PARAM_Q/2 then v[i] -= PARAM_Q - mask = (int32_t)(PARAM_Q / 2 - v[i]) >> (RADIX32 - 1); - val = (int32_t)(((v[i] - PARAM_Q) & mask) | (v[i] & ~mask)); - // If (Abs(val) < PARAM_Q/2 - PARAM_E) then t0 = 0, else t0 = 1 - t0 = (uint32_t)(~(Abs(val) - (PARAM_Q / 2 - PARAM_E))) >> (RADIX32 - 1); - - left = val; - val = (val + (1 << (PARAM_D - 1)) - 1) >> PARAM_D; - val = left - (int32_t)((uint32_t)val << PARAM_D); - // If (Abs(val) < (1<<(PARAM_D-1))-PARAM_E) then t1 = 0, else t1 = 1 - t1 = (uint32_t)(~(Abs(val) - ((1 << (PARAM_D - 1)) - PARAM_E))) >> (RADIX32 - 1); - - if ((t0 | t1) == 1) { // Returns 1 if any of the two tests failed - return 1; - } - } - return 0; -} - - -static int test_z(const poly z) { - // Check bounds for signature vector z during signature verification - // Returns 0 if valid, otherwise outputs 1 if invalid (rejected) - - for (size_t i = 0; i < PARAM_N; i++) { - if (z[i] < -(PARAM_B - PARAM_S) || z[i] > (PARAM_B - PARAM_S)) { - return 1; - } - } - return 0; -} - - -static int check_ES(poly p, unsigned int bound) { - // Checks the generated polynomial e or s - // Returns 0 if ok, otherwise returns 1 - unsigned int sum = 0; - size_t i, j, limit = PARAM_N; - int32_t temp, mask, list[PARAM_N]; - - for (j = 0; j < PARAM_N; j++) { - list[j] = Abs((int32_t)p[j]); - } - - for (j = 0; j < PARAM_H; j++) { - for (i = 0; i < limit - 1; i++) { - // If 
list[i+1] > list[i] then exchange contents - mask = (list[i + 1] - list[i]) >> (RADIX32 - 1); - temp = (list[i + 1] & mask) | (list[i] & ~mask); - list[i + 1] = (list[i] & mask) | (list[i + 1] & ~mask); - list[i] = temp; - } - sum += (unsigned int)list[limit - 1]; - limit -= 1; - } - - if (sum > bound) { - return 1; - } - return 0; -} - - -/********************************************************* -* Name: crypto_sign_keypair -* Description: generates a public and private key pair -* Parameters: inputs: none -* outputs: -* - uint8_t *pk: public key -* - uint8_t *sk: secret key -* Returns: 0 for successful execution -**********************************************************/ -int PQCLEAN_QTESLAPI_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { - uint8_t randomness[CRYPTO_RANDOMBYTES], randomness_extended[(PARAM_K + 3)*CRYPTO_SEEDBYTES]; - poly s, s_ntt; - poly_k e, a, t; - size_t k; // Initialize domain separator for error and secret polynomials - uint16_t nonce = 0; - - // Get randomness_extended <- seed_e, seed_s, seed_a, seed_y - randombytes(randomness, CRYPTO_RANDOMBYTES); - SHAKE(randomness_extended, (PARAM_K + 3)*CRYPTO_SEEDBYTES, randomness, CRYPTO_RANDOMBYTES); - - for (k = 0; k < PARAM_K; k++) { - do { // Sample the error polynomials - PQCLEAN_QTESLAPI_CLEAN_sample_gauss_poly(&e[k * PARAM_N], &randomness_extended[k * CRYPTO_SEEDBYTES], ++nonce); - } while (check_ES(&e[k * PARAM_N], PARAM_KEYGEN_BOUND_E) != 0); - } - - do { // Sample the secret polynomial - PQCLEAN_QTESLAPI_CLEAN_sample_gauss_poly(s, &randomness_extended[PARAM_K * CRYPTO_SEEDBYTES], ++nonce); - } while (check_ES(s, PARAM_KEYGEN_BOUND_S) != 0); - - // Generate uniform polynomial "a" - PQCLEAN_QTESLAPI_CLEAN_poly_uniform(a, &randomness_extended[(PARAM_K + 1)*CRYPTO_SEEDBYTES]); - PQCLEAN_QTESLAPI_CLEAN_poly_ntt(s_ntt, s); - - // Compute the public key t = as+e - for (k = 0; k < PARAM_K; k++) { - PQCLEAN_QTESLAPI_CLEAN_poly_mul(&t[k * PARAM_N], &a[k * PARAM_N], s_ntt); - 
PQCLEAN_QTESLAPI_CLEAN_poly_add_correct(&t[k * PARAM_N], &t[k * PARAM_N], &e[k * PARAM_N]); - } - - // Pack public and private keys - PQCLEAN_QTESLAPI_CLEAN_pack_sk(sk, s, e, &randomness_extended[(PARAM_K + 1)*CRYPTO_SEEDBYTES]); - PQCLEAN_QTESLAPI_CLEAN_encode_pk(pk, t, &randomness_extended[(PARAM_K + 1)*CRYPTO_SEEDBYTES]); - - return 0; -} - - -/*************************************************************** -* Name: crypto_sign -* Description: outputs a signature for a given message m -* Parameters: inputs: -* - const uint8_t *m: message to be signed -* - size_t mlen: message length -* - const uint8_t* sk: secret key -* outputs: -* - uint8_t *sm: signature -* - size_t *smlen: signature length* -* Returns: 0 for successful execution -***************************************************************/ -int PQCLEAN_QTESLAPI_CLEAN_crypto_sign(uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, const uint8_t *sk) { - uint8_t c[CRYPTO_C_BYTES], randomness[CRYPTO_SEEDBYTES], randomness_input[CRYPTO_RANDOMBYTES + CRYPTO_SEEDBYTES + HM_BYTES]; - uint32_t pos_list[PARAM_H]; - int16_t sign_list[PARAM_H]; - poly y, y_ntt, Sc, z; - poly_k v, Ec, a; - size_t k; - int rsp; - uint16_t nonce = 0; // Initialize domain separator for sampling y - - // Get H(seed_y, r, H(m)) to sample y - randombytes(randomness_input + CRYPTO_RANDOMBYTES, CRYPTO_RANDOMBYTES); - memcpy(randomness_input, &sk[PQCLEAN_QTESLAPI_CLEAN_CRYPTO_SECRETKEYBYTES - CRYPTO_SEEDBYTES], CRYPTO_SEEDBYTES); - SHAKE(randomness_input + CRYPTO_RANDOMBYTES + CRYPTO_SEEDBYTES, HM_BYTES, m, mlen); - SHAKE(randomness, CRYPTO_SEEDBYTES, randomness_input, CRYPTO_RANDOMBYTES + CRYPTO_SEEDBYTES + HM_BYTES); - - PQCLEAN_QTESLAPI_CLEAN_poly_uniform(a, &sk[PQCLEAN_QTESLAPI_CLEAN_CRYPTO_SECRETKEYBYTES - 2 * CRYPTO_SEEDBYTES]); - - while (1) { - PQCLEAN_QTESLAPI_CLEAN_sample_y(y, randomness, ++nonce); // Sample y uniformly at random from [-B,B] - PQCLEAN_QTESLAPI_CLEAN_poly_ntt (y_ntt, y); - for (k = 0; k < PARAM_K; k++) { - 
PQCLEAN_QTESLAPI_CLEAN_poly_mul(&v[k * PARAM_N], &a[k * PARAM_N], y_ntt); - } - hash_H(c, v, randomness_input + CRYPTO_RANDOMBYTES + CRYPTO_SEEDBYTES); - PQCLEAN_QTESLAPI_CLEAN_encode_c(pos_list, sign_list, c); // Generate c = Enc(c'), where c' is the hashing of v together with m - PQCLEAN_QTESLAPI_CLEAN_sparse_mul8(Sc, sk, pos_list, sign_list); - PQCLEAN_QTESLAPI_CLEAN_poly_add(z, y, Sc); // Compute z = y + sc - - if (test_rejection(z) != 0) { // Rejection sampling - continue; - } - - for (k = 0; k < PARAM_K; k++) { - PQCLEAN_QTESLAPI_CLEAN_sparse_mul8(&Ec[k * PARAM_N], sk + (sizeof(int8_t)*PARAM_N * (k + 1)), pos_list, sign_list); - PQCLEAN_QTESLAPI_CLEAN_poly_sub(&v[k * PARAM_N], &v[k * PARAM_N], &Ec[k * PARAM_N]); - rsp = test_correctness(&v[k * PARAM_N]); - if (rsp != 0) { - break; - } - } - if (rsp != 0) { - continue; - } - - // Copy message to signature package, and pack signature - for (size_t i = 0; i < mlen; i++) { - sm[PQCLEAN_QTESLAPI_CLEAN_CRYPTO_BYTES + i] = m[i]; - } - *smlen = PQCLEAN_QTESLAPI_CLEAN_CRYPTO_BYTES + mlen; - PQCLEAN_QTESLAPI_CLEAN_encode_sig(sm, c, z); - - return 0; - } -} - - -/************************************************************ -* Name: crypto_sign_open -* Description: verification of a signature sm -* Parameters: inputs: -* - const uint8_t *sm: signature -* - size_t smlen: signature length -* - const uint8_t* pk: public Key -* outputs: -* - uint8_t *m: original (signed) message -* - size_t *mlen: message length* -* Returns: 0 for valid signature -* <0 for invalid signature -************************************************************/ -int PQCLEAN_QTESLAPI_CLEAN_crypto_sign_open(uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, const uint8_t *pk) { - uint8_t c[CRYPTO_C_BYTES], c_sig[CRYPTO_C_BYTES], seed[CRYPTO_SEEDBYTES], hm[HM_BYTES]; - uint32_t pos_list[PARAM_H]; - int16_t sign_list[PARAM_H]; - int32_t pk_t[PARAM_N * PARAM_K]; - poly_k w, a, Tc; - poly z, z_ntt; - size_t k; - - if (smlen < 
PQCLEAN_QTESLAPI_CLEAN_CRYPTO_BYTES) { - return -1; - } - - PQCLEAN_QTESLAPI_CLEAN_decode_sig(c, z, sm); - if (test_z(z) != 0) { - return -2; // Check norm of z - } - PQCLEAN_QTESLAPI_CLEAN_decode_pk(pk_t, seed, pk); - PQCLEAN_QTESLAPI_CLEAN_poly_uniform(a, seed); - PQCLEAN_QTESLAPI_CLEAN_encode_c(pos_list, sign_list, c); - PQCLEAN_QTESLAPI_CLEAN_poly_ntt(z_ntt, z); - - for (k = 0; k < PARAM_K; k++) { // Compute w = az - tc - PQCLEAN_QTESLAPI_CLEAN_sparse_mul32(&Tc[k * PARAM_N], &pk_t[k * PARAM_N], pos_list, sign_list); - PQCLEAN_QTESLAPI_CLEAN_poly_mul(&w[k * PARAM_N], &a[k * PARAM_N], z_ntt); - PQCLEAN_QTESLAPI_CLEAN_poly_sub(&w[k * PARAM_N], &w[k * PARAM_N], &Tc[k * PARAM_N]); - } - SHAKE(hm, HM_BYTES, sm + PQCLEAN_QTESLAPI_CLEAN_CRYPTO_BYTES, smlen - PQCLEAN_QTESLAPI_CLEAN_CRYPTO_BYTES); - hash_H(c_sig, w, hm); - - // Check if the calculated c matches c from the signature - if (memcmp(c, c_sig, CRYPTO_C_BYTES) != 0) { - return -3; - } - - *mlen = smlen - PQCLEAN_QTESLAPI_CLEAN_CRYPTO_BYTES; - for (size_t i = 0; i < *mlen; i++) { - m[i] = sm[PQCLEAN_QTESLAPI_CLEAN_CRYPTO_BYTES + i]; - } - - return 0; -} - -int PQCLEAN_QTESLAPI_CLEAN_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, - const uint8_t *sk) { - uint8_t c[CRYPTO_C_BYTES], randomness[CRYPTO_SEEDBYTES], randomness_input[CRYPTO_RANDOMBYTES + CRYPTO_SEEDBYTES + HM_BYTES]; - uint32_t pos_list[PARAM_H]; - int16_t sign_list[PARAM_H]; - poly y, y_ntt, Sc, z; - poly_k v, Ec, a; - size_t k; - int rsp; - uint16_t nonce = 0; // Initialize domain separator for sampling y - - // Get H(seed_y, r, H(m)) to sample y - randombytes(randomness_input + CRYPTO_RANDOMBYTES, CRYPTO_RANDOMBYTES); - memcpy(randomness_input, &sk[PQCLEAN_QTESLAPI_CLEAN_CRYPTO_SECRETKEYBYTES - CRYPTO_SEEDBYTES], CRYPTO_SEEDBYTES); - SHAKE(randomness_input + CRYPTO_RANDOMBYTES + CRYPTO_SEEDBYTES, HM_BYTES, m, mlen); - SHAKE(randomness, CRYPTO_SEEDBYTES, randomness_input, CRYPTO_RANDOMBYTES + CRYPTO_SEEDBYTES + 
HM_BYTES); - - PQCLEAN_QTESLAPI_CLEAN_poly_uniform(a, &sk[PQCLEAN_QTESLAPI_CLEAN_CRYPTO_SECRETKEYBYTES - 2 * CRYPTO_SEEDBYTES]); - - while (1) { - PQCLEAN_QTESLAPI_CLEAN_sample_y(y, randomness, ++nonce); // Sample y uniformly at random from [-B,B] - PQCLEAN_QTESLAPI_CLEAN_poly_ntt (y_ntt, y); - for (k = 0; k < PARAM_K; k++) { - PQCLEAN_QTESLAPI_CLEAN_poly_mul(&v[k * PARAM_N], &a[k * PARAM_N], y_ntt); - } - hash_H(c, v, randomness_input + CRYPTO_RANDOMBYTES + CRYPTO_SEEDBYTES); - PQCLEAN_QTESLAPI_CLEAN_encode_c(pos_list, sign_list, c); // Generate c = Enc(c'), where c' is the hashing of v together with m - PQCLEAN_QTESLAPI_CLEAN_sparse_mul8(Sc, sk, pos_list, sign_list); - PQCLEAN_QTESLAPI_CLEAN_poly_add(z, y, Sc); // Compute z = y + sc - - if (test_rejection(z) != 0) { // Rejection sampling - continue; - } - - for (k = 0; k < PARAM_K; k++) { - PQCLEAN_QTESLAPI_CLEAN_sparse_mul8(&Ec[k * PARAM_N], sk + (sizeof(int8_t)*PARAM_N * (k + 1)), pos_list, sign_list); - PQCLEAN_QTESLAPI_CLEAN_poly_sub(&v[k * PARAM_N], &v[k * PARAM_N], &Ec[k * PARAM_N]); - rsp = test_correctness(&v[k * PARAM_N]); - if (rsp != 0) { - break; - } - } - if (rsp != 0) { - continue; - } - - // pack signature - *siglen = PQCLEAN_QTESLAPI_CLEAN_CRYPTO_BYTES; - PQCLEAN_QTESLAPI_CLEAN_encode_sig(sig, c, z); - - return 0; - } -} - -int PQCLEAN_QTESLAPI_CLEAN_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, - const uint8_t *pk) { - uint8_t c[CRYPTO_C_BYTES], c_sig[CRYPTO_C_BYTES], seed[CRYPTO_SEEDBYTES], hm[HM_BYTES]; - uint32_t pos_list[PARAM_H]; - int16_t sign_list[PARAM_H]; - int32_t pk_t[PARAM_N * PARAM_K]; - poly_k w, a, Tc; - poly z, z_ntt; - size_t k; - - if (siglen < PQCLEAN_QTESLAPI_CLEAN_CRYPTO_BYTES) { - return -1; - } - - PQCLEAN_QTESLAPI_CLEAN_decode_sig(c, z, sig); - if (test_z(z) != 0) { - return -2; // Check norm of z - } - PQCLEAN_QTESLAPI_CLEAN_decode_pk(pk_t, seed, pk); - PQCLEAN_QTESLAPI_CLEAN_poly_uniform(a, seed); - 
PQCLEAN_QTESLAPI_CLEAN_encode_c(pos_list, sign_list, c);
- PQCLEAN_QTESLAPI_CLEAN_poly_ntt(z_ntt, z);
-
- for (k = 0; k < PARAM_K; k++) { // Compute w = az - tc
- PQCLEAN_QTESLAPI_CLEAN_sparse_mul32(&Tc[k * PARAM_N], &pk_t[k * PARAM_N], pos_list, sign_list);
- PQCLEAN_QTESLAPI_CLEAN_poly_mul(&w[k * PARAM_N], &a[k * PARAM_N], z_ntt);
- PQCLEAN_QTESLAPI_CLEAN_poly_sub(&w[k * PARAM_N], &w[k * PARAM_N], &Tc[k * PARAM_N]);
- }
- SHAKE(hm, HM_BYTES, m, mlen);
- hash_H(c_sig, w, hm);
-
- // Check if the calculated c matches c from the signature
- if (memcmp(c, c_sig, CRYPTO_C_BYTES) != 0) {
- return -3;
- }
-
- return 0;
-}
diff --git a/crypto_sign/qtesla-p-III/META.yml b/crypto_sign/qtesla-p-III/META.yml
deleted file mode 100644
index f59210be..00000000
--- a/crypto_sign/qtesla-p-III/META.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-name: qTESLA-p-III
-type: signature
-claimed-nist-level: 3
-length-public-key: 38432
-length-secret-key: 12352
-length-signature: 5664
-nistkat-sha256: f2c0c872ab5bcb9276205f09364bf5cd6705141899360d2e231e42fce0a06b59
-testvectors-sha256: 484cb7f79dade34857c58845842893a6dc60b6c4a80557b4500b604e1d07fe87
-principal-submitters:
- - Nina Bindel
-auxiliary-submitters:
- - Sedat Akleylek
- - Erdem Alkim
- - Paulo S. L. M. Barreto
- - Johannes Buchmann
- - Edward Eaton
- - Gus Gutoski
- - Juliane Krämer
- - Patrick Longa
- - Harun Polat
- - Jefferson E. Ricardini
- - Gustavo Zanon
-implementations:
- - name: clean
- version: https://qtesla.org/wp-content/uploads/2019/08/qTESLA_NIST_update_08.19.2019.zip
diff --git a/crypto_sign/qtesla-p-III/clean/CDT32.h b/crypto_sign/qtesla-p-III/clean/CDT32.h
deleted file mode 100644
index e84b4e02..00000000
--- a/crypto_sign/qtesla-p-III/clean/CDT32.h
+++ /dev/null
@@ -1,142 +0,0 @@ -#ifndef PQCLEAN_QTESLAPIII_CLEAN_CDTSAMP -#define PQCLEAN_QTESLAPIII_CLEAN_CDTSAMP - -/************************************************************************************* -* qTESLA: an efficient post-quantum signature scheme based on the R-LWE problem -* -* Abstract: CDT constants for the Gaussian sampler -**************************************************************************************/ - -#include "params.h" -#include - -// Sigma = 8.5, 128-bit precision - -#define CDT_ROWS 111 -#define CDT_COLS 4 - -static const int32_t cdt_v[CDT_ROWS * CDT_COLS] = { - 0x00000000L, 0x00000000L, 0x00000000L, 0x00000000L, // 0 - 0x0601F22AL, 0x280663D4L, 0x2E1B038CL, 0x1E75FCA7L, // 1 - 0x11F09FFAL, 0x162FE23DL, 0x403739B4L, 0x3F2AA531L, // 2 - 0x1DA089E9L, 0x437226E8L, 0x115E99C8L, 0x68C472A6L, // 3 - 0x28EAB25DL, 0x04C51FE2L, 0x13F63FD0L, 0x1E56BF40L, // 4 - 0x33AC2F26L, 0x14FDBA70L, 0x6618880FL, 0x792CE93EL, // 5 - 0x3DC767DCL, 0x4565C95FL, 0x7EAC4790L, 0x163F4D99L, // 6 - 0x4724FC62L, 0x3342C78AL, 0x390873B2L, 0x13A12ACEL, // 7 - 0x4FB448F4L, 0x5229D06DL, 0x09A6C84BL, 0x1D13CB0DL, // 8 - 0x576B8599L, 0x7423407FL, 0x1287EE2FL, 0x7B908556L, // 9 - 0x5E4786DAL, 0x3210BAF6L, 0x6881795CL, 0x13DF4F59L, // 10 - 0x644B2C92L, 0x431B3946L, 0x63F188D9L, 0x22AFB6DEL, // 11 - 0x697E90CEL, 0x77C362C3L, 0x600A627EL, 0x66AEDF96L, // 12 - 0x6DEE0B96L, 0x2798C9CEL, 0x147A98F9L, 0x27427F24L, // 13 - 0x71A92144L, 0x5765FCE4L, 0x0FF04C94L, 0x74183C18L, // 14 - 0x74C16FD5L, 0x1E2A0990L, 0x13EB545FL, 0x1CD9A2ADL, // 15 - 0x7749AC92L, 0x0DF36EEBL, 0x414629E5L, 0x66610A51L, // 16 - 0x7954BFA4L, 0x28079289L, 0x29D5B127L, 0x29B69601L, // 17 - 0x7AF5067AL, 0x2EDC2050L, 0x2B486556L, 0x43BF4664L, // 18 - 0x7C3BC17CL, 0x123D5E7AL, 0x63D4DD26L, 0x3B1E3755L, // 19 - 0x7D38AD76L, 0x2A9381D9L, 0x1D20D034L, 0x77C09C55L, // 20 - 0x7DF9C5DFL, 0x0E868CA7L, 0x23627687L, 0x78864423L, // 21 - 0x7E8B2ABAL, 0x18E5C810L, 0x7C85B42CL, 0x7AC98BCCL, // 22 - 0x7EF7237CL, 0x00908272L, 0x3D4B170EL, 
0x3CD572E3L, // 23 - 0x7F4637C5L, 0x6DBA5125L, 0x5B0285ECL, 0x46661EB9L, // 24 - 0x7F7F5707L, 0x4A52EDEBL, 0x50ECECB1L, 0x7384DC42L, // 25 - 0x7FA808CCL, 0x23290598L, 0x704F7A4DL, 0x08532154L, // 26 - 0x7FC4A083L, 0x69BDF2D4L, 0x73B67B27L, 0x3AE237ADL, // 27 - 0x7FD870CAL, 0x42275557L, 0x6F2AE034L, 0x4E4B0395L, // 28 - 0x7FE5FB5DL, 0x3EF82C1BL, 0x256E2EB0L, 0x09E42B11L, // 29 - 0x7FEF1BFAL, 0x6C03A362L, 0x07334BD4L, 0x22B6B15FL, // 30 - 0x7FF52D4EL, 0x316C2C8CL, 0x1C77A4C3L, 0x1C3A974EL, // 31 - 0x7FF927BAL, 0x12AE54AEL, 0x6CC24956L, 0x3BA9A3E4L, // 32 - 0x7FFBBA43L, 0x749CC0E2L, 0x044B3068L, 0x620F14DAL, // 33 - 0x7FFD5E3DL, 0x4524AD91L, 0x31F84A1FL, 0x4D23AF51L, // 34 - 0x7FFE6664L, 0x535785B4L, 0x683C9E5EL, 0x2BD857DFL, // 35 - 0x7FFF0A41L, 0x0B291681L, 0x1CB4CE6FL, 0x32B314B9L, // 36 - 0x7FFF6E81L, 0x132C3D6FL, 0x4C8771CCL, 0x67421A75L, // 37 - 0x7FFFAAFEL, 0x4DBC6BEDL, 0x4E8644D2L, 0x5158A208L, // 38 - 0x7FFFCEFDL, 0x7A1E2D14L, 0x2CF905AAL, 0x79BFABD9L, // 39 - 0x7FFFE41EL, 0x4C6EC115L, 0x2D648F1AL, 0x4B01BA3EL, // 40 - 0x7FFFF059L, 0x319503C8L, 0x2CBEB96AL, 0x52FF656EL, // 41 - 0x7FFFF754L, 0x5DDD0D40L, 0x09D07206L, 0x6BF97EB5L, // 42 - 0x7FFFFB43L, 0x0B9E9822L, 0x5B584BE0L, 0x4974ED83L, // 43 - 0x7FFFFD71L, 0x76B81AE1L, 0x3C93755CL, 0x375F857BL, // 44 - 0x7FFFFEA3L, 0x7E66A1ECL, 0x3E342087L, 0x44ED1696L, // 45 - 0x7FFFFF49L, 0x26F6E190L, 0x7E3625F9L, 0x2F4F5849L, // 46 - 0x7FFFFFA1L, 0x2FA31694L, 0x0D53F684L, 0x59931C0DL, // 47 - 0x7FFFFFCFL, 0x5247BEC8L, 0x5CC20735L, 0x397CE966L, // 48 - 0x7FFFFFE7L, 0x4F4127C6L, 0x64926788L, 0x01CFEF66L, // 49 - 0x7FFFFFF3L, 0x6FAA69FDL, 0x26A67DC3L, 0x1FFA2528L, // 50 - 0x7FFFFFFAL, 0x0630D072L, 0x7AA0C1B7L, 0x7E90AAE6L, // 51 - 0x7FFFFFFDL, 0x0F2957BBL, 0x3ADCE1E6L, 0x5A311C28L, // 52 - 0x7FFFFFFEL, 0x4FD29431L, 0x6429F9EDL, 0x04653965L, // 53 - 0x7FFFFFFFL, 0x2CFAD60DL, 0x52ED82D1L, 0x26455881L, // 54 - 0x7FFFFFFFL, 0x5967A92FL, 0x5C85AB2DL, 0x188033BEL, // 55 - 0x7FFFFFFFL, 0x6E4C9DFEL, 0x76798EAFL, 0x0DC0BA65L, // 56 
- 0x7FFFFFFFL, 0x77FDCCC8L, 0x194FF9ACL, 0x2C3FA855L, // 57 - 0x7FFFFFFFL, 0x7C6CE89EL, 0x01FA1A72L, 0x6C3DC40BL, // 58 - 0x7FFFFFFFL, 0x7E6D116EL, 0x5F82B352L, 0x57B67FCEL, // 59 - 0x7FFFFFFFL, 0x7F50FA31L, 0x31856599L, 0x579DC24BL, // 60 - 0x7FFFFFFFL, 0x7FB50089L, 0x43E64BB5L, 0x7F498E42L, // 61 - 0x7FFFFFFFL, 0x7FE04C2CL, 0x56CBFAEFL, 0x7FC9C15FL, // 62 - 0x7FFFFFFFL, 0x7FF2C7C0L, 0x5D509634L, 0x41DCA82BL, // 63 - 0x7FFFFFFFL, 0x7FFA8FE3L, 0x24F6020DL, 0x7B594401L, // 64 - 0x7FFFFFFFL, 0x7FFDCB1BL, 0x2D294BB3L, 0x1D1631BFL, // 65 - 0x7FFFFFFFL, 0x7FFF1DE1L, 0x5D75B704L, 0x323B12FEL, // 66 - 0x7FFFFFFFL, 0x7FFFA6B6L, 0x7E983E86L, 0x23392636L, // 67 - 0x7FFFFFFFL, 0x7FFFDD39L, 0x029CCA2CL, 0x035F7017L, // 68 - 0x7FFFFFFFL, 0x7FFFF2A3L, 0x205DBF7BL, 0x173D7F90L, // 69 - 0x7FFFFFFFL, 0x7FFFFAEFL, 0x3F79145BL, 0x642F005DL, // 70 - 0x7FFFFFFFL, 0x7FFFFE1BL, 0x23B2C7E4L, 0x6CA216CFL, // 71 - 0x7FFFFFFFL, 0x7FFFFF4DL, 0x1E959E3FL, 0x4A29BB03L, // 72 - 0x7FFFFFFFL, 0x7FFFFFBEL, 0x7C23D3D9L, 0x71DC92E4L, // 73 - 0x7FFFFFFFL, 0x7FFFFFE8L, 0x55110485L, 0x0E1813E2L, // 74 - 0x7FFFFFFFL, 0x7FFFFFF7L, 0x5EBC7B7BL, 0x2DFEE922L, // 75 - 0x7FFFFFFFL, 0x7FFFFFFDL, 0x0EDB0975L, 0x0C9F1639L, // 76 - 0x7FFFFFFFL, 0x7FFFFFFFL, 0x00DDA1A1L, 0x6DE86AA0L, // 77 - 0x7FFFFFFFL, 0x7FFFFFFFL, 0x54CF6D87L, 0x023F1F47L, // 78 - 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7186FF6AL, 0x5B71BF8CL, // 79 - 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7B375EBCL, 0x767A89DCL, // 80 - 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7E70BA89L, 0x44EBCEAAL, // 81 - 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7F7F98B5L, 0x44C8E44AL, // 82 - 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7FD744C2L, 0x448EE5A4L, // 83 - 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7FF34165L, 0x008855D0L, // 84 - 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7FFC1110L, 0x754A60B6L, // 85 - 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7FFECD77L, 0x44BE6D4AL, // 86 - 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7FFFA3F4L, 0x7400A73EL, // 87 - 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7FFFE4BDL, 0x1143830BL, // 88 - 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7FFFF809L, 0x1A385059L, // 89 - 0x7FFFFFFFL, 
0x7FFFFFFFL, 0x7FFFFDB4L, 0x41CA0794L, // 90 - 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7FFFFF59L, 0x02FFB605L, // 91 - 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7FFFFFD1L, 0x18360E8DL, // 92 - 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7FFFFFF3L, 0x072A0E9AL, // 93 - 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7FFFFFFCL, 0x3C1BFEB0L, // 94 - 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7FFFFFFFL, 0x066EBCDDL, // 95 - 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7FFFFFFFL, 0x5FBE171AL, // 96 - 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7FFFFFFFL, 0x778EB81FL, // 97 - 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7DD211FEL, // 98 - 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7F71F071L, // 99 - 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7FDC528FL, // 100 - 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7FF7298CL, // 101 - 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7FFDD739L, // 102 - 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7FFF7ACAL, // 103 - 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7FFFE056L, // 104 - 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7FFFF893L, // 105 - 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7FFFFE48L, // 106 - 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7FFFFF9CL, // 107 - 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7FFFFFE9L, // 108 - 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7FFFFFFBL, // 109 - 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7FFFFFFFL, 0x7FFFFFFFL, // 110 -}; // cdt_v - -// memory requirements: -// 2048 samples: 43180 bytes -// 1024 samples: 22700 bytes -// 512 samples: 12460 bytes -// 256 samples: 7340 bytes -// 128 samples: 4780 bytes -// 64 samples: 3500 bytes -// 32 samples: 2860 bytes -// table alone: 1776 bytes - -#endif diff --git a/crypto_sign/qtesla-p-III/clean/LICENSE b/crypto_sign/qtesla-p-III/clean/LICENSE deleted file mode 100644 index 4cf37e67..00000000 --- a/crypto_sign/qtesla-p-III/clean/LICENSE +++ /dev/null 
@@ -1,28 +0,0 @@
-Lattice-based digital signature scheme qTESLA
-
-The qTESLA source code and header files in this package are released with an MIT license.
-
-MIT License
-
-Copyright (c) Microsoft Corporation and qTESLA implementation owners:
-Sedat Akleylek, Erdem Alkim, Paulo Barreto, Patrick Longa, Harun Polat,
-Jefferson Ricardini, and Gustavo Zanon. All rights reserved.
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE
-
diff --git a/crypto_sign/qtesla-p-III/clean/Makefile b/crypto_sign/qtesla-p-III/clean/Makefile
deleted file mode 100644
index ea4698b8..00000000
--- a/crypto_sign/qtesla-p-III/clean/Makefile
+++ /dev/null
@@ -1,20 +0,0 @@
-# This Makefile can be used with GNU Make or BSD Make
-
-LIB=libqtesla-p-III_clean.a
-
-HEADERS = api.h CDT32.h config.h gauss.h pack.h params.h poly.h sample.h
-OBJECTS = consts.o gauss.o pack.o poly.o sample.o sign.o
-
-CFLAGS=-O3 -Wall -Wconversion -Wextra -Wpedantic -Wvla -Werror -Wmissing-prototypes -Wredundant-decls -std=c99 -I../../../common $(EXTRAFLAGS)
-
-all: $(LIB)
-
-%.o: %.c $(HEADERS)
- $(CC) $(CFLAGS) -c -o $@ $<
-
-$(LIB): $(OBJECTS)
- $(AR) -r $@ $(OBJECTS)
-
-clean:
- $(RM) $(OBJECTS)
- $(RM) $(LIB)
diff --git a/crypto_sign/qtesla-p-III/clean/Makefile.Microsoft_nmake b/crypto_sign/qtesla-p-III/clean/Makefile.Microsoft_nmake
deleted file mode 100644
index b982f6b5..00000000
--- a/crypto_sign/qtesla-p-III/clean/Makefile.Microsoft_nmake
+++ /dev/null
@@ -1,19 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=libqtesla-p-III_clean.lib
-OBJECTS=consts.obj gauss.obj pack.obj poly.obj sample.obj sign.obj
-
-CFLAGS=/nologo /I ..\..\..\common /W4 /WX
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_sign/qtesla-p-III/clean/api.h b/crypto_sign/qtesla-p-III/clean/api.h
deleted file mode 100644
index 50f0974b..00000000
--- a/crypto_sign/qtesla-p-III/clean/api.h
+++ /dev/null
@@ -1,42 +0,0 @@
-#ifndef PQCLEAN_QTESLAPIII_CLEAN_API_H
-#define PQCLEAN_QTESLAPIII_CLEAN_API_H
-
-/*************************************************************************************
-* qTESLA: an efficient post-quantum signature scheme based on the R-LWE problem
-*
-* Abstract: API header file
-**************************************************************************************/
-
-#include
-#include
-
-#define PQCLEAN_QTESLAPIII_CLEAN_CRYPTO_SECRETKEYBYTES 12352
-#define PQCLEAN_QTESLAPIII_CLEAN_CRYPTO_PUBLICKEYBYTES 38432
-#define PQCLEAN_QTESLAPIII_CLEAN_CRYPTO_BYTES 5664
-#define PQCLEAN_QTESLAPIII_CLEAN_CRYPTO_ALGNAME "qTESLA-p-III"
-
-int PQCLEAN_QTESLAPIII_CLEAN_crypto_sign_keypair(
- uint8_t *pk, uint8_t *sk);
-
-int PQCLEAN_QTESLAPIII_CLEAN_crypto_sign(
- uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int PQCLEAN_QTESLAPIII_CLEAN_crypto_sign_open(
- uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk
-);
-
-int PQCLEAN_QTESLAPIII_CLEAN_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int PQCLEAN_QTESLAPIII_CLEAN_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-#endif
diff --git a/crypto_sign/qtesla-p-III/clean/config.h b/crypto_sign/qtesla-p-III/clean/config.h
deleted file mode 100644
index 19cc1fcc..00000000
--- a/crypto_sign/qtesla-p-III/clean/config.h
+++ /dev/null
@@ -1,19 +0,0 @@
-#ifndef PQCLEAN_QTESLAPIII_CLEAN_CONFIG_H
-#define PQCLEAN_QTESLAPIII_CLEAN_CONFIG_H
-
-/*************************************************************************************
-* qTESLA: an efficient post-quantum signature scheme based on the R-LWE problem
-*
-* Abstract: configuration file
-**************************************************************************************/
-
-#include
-#include
-#include
-
-#define RADIX 32
-#define RADIX32 32
-typedef uint32_t digit_t;
-typedef int32_t sdigit_t;
-
-#endif
diff --git a/crypto_sign/qtesla-p-III/clean/consts.c b/crypto_sign/qtesla-p-III/clean/consts.c
deleted file mode 100644
index 33a44f3d..00000000
--- a/crypto_sign/qtesla-p-III/clean/consts.c
+++ /dev/null
@@ -1,274 +0,0 @@ -/************************************************************************************* -* qTESLA: an efficient post-quantum signature scheme based on the R-LWE problem -* -* Abstract: constants for the NTT -**************************************************************************************/ - -#include "params.h" -#include "poly.h" -#include - -const poly PQCLEAN_QTESLAPIII_CLEAN_zeta = { - - 147314272, 762289503, 284789571, 461457674, 723990704, 123382358, 685457283, 458774590, 644795450, 723622678, 441493948, 676062368, 648739792, 214990524, 261899220, 138474554, - 205277234, 788000393, 541334956, 769530525, 786231394, 812002793, 251385069, 152717354, 674883688, 458756880, 323745289, 823881240, 686340396, 716163820, 107735873, 144028791, - 586327243, 71257244, 739303131, 487030542, 313626215, 396596783, 664640087, 728258996, 854656117, 567834989, 2315110, 210792230, 795895843, 433034260, 432732757, 480454055, - 750130006, 47628047, 2271301, 98590211, 729637734, 683553815, 476917424, 121851414, 296210757, 820475433, 403416438, 605633242, 804828963, 435181077, 781182803, 276684653, - 329135201, 697859430, 248472020, 396579594, 109340098, 97605675, 755271019, 565755143, 534799496, 378374148, 85686225, 298978496, 650100484, 712463562, 818417023, 283716467, - 269132585, 153024538, 223768950, 331863760, 761523727, 586019306, 805044248, 810909760, 77905343, 401203343, 162625701, 616243024, 659789238, 385270982, 720521140, 545633566, - 688663167, 740046782, 257189758, 115795491, 101106443, 409863172, 622399622, 405606434, 498832246, 730567206, 350755879, 41236295, 561547732, 525723591, 18655497, 3396399, - 289694332, 221478904, 738940554, 769726362, 32128402, 693016435, 275431006, 65292213, 601823865, 469363520, 480544944, 607230206, 473150754, 267072604, 463615065, 412972775, - 197544577, 770873783, 189036815, 407973558, 110878446, 442760341, 667560342, 756992079, 663708407, 585601880, 763637579, 660019224, 424935088, 249313490, 844593983, 
664952705, - 274981537, 40233161, 655530034, 742724096, 8926394, 67709207, 616610795, 539664358, 306118645, 741629065, 283521858, 621397947, 369041534, 162477412, 258256937, 269480966, - 75469364, 815614830, 724060729, 510819743, 489239410, 265607303, 103024793, 434961090, 474838542, 234701483, 505818866, 450427360, 188113529, 650423376, 599263141, 720479782, - 755079140, 469798456, 745591660, 432033717, 530128582, 94480771, 722477467, 169342233, 35413255, 89769525, 424389771, 240236288, 360665614, 66702784, 76128663, 565345206, - 605031892, 393503210, 249841967, 485930917, 45880284, 746120091, 684031522, 537926896, 408749937, 608644803, 692593939, 515424474, 748771159, 155377700, 347101257, 393516280, - 708186062, 809233270, 562547654, 768251664, 651110951, 574473323, 588028067, 352359235, 646902518, 410726541, 134129459, 460099853, 829152883, 819102028, 7270760, 562515302, - 419641762, 347973450, 161011009, 401974733, 619807719, 559105457, 276126568, 165473862, 380215069, 356617900, 347744328, 615885981, 824819772, 811367929, 6451967, 515345658, - 648239021, 56427040, 709160497, 71545092, 390921213, 17177139, 194174898, 825533429, 497469884, 88988508, 64227614, 641021859, 159258883, 529265733, 823190295, 567280997, - 414094239, 238392498, 695610059, 416342151, 90807038, 206865379, 568337348, 168011486, 844375038, 777332780, 147582038, 199025846, 396231915, 151630666, 466807217, 12672521, - 570774644, 764098787, 283719496, 779154504, 383628791, 851035387, 395488461, 291115871, 52707730, 776449280, 479801706, 73403989, 402014636, 255214342, 56904698, 446531030, - 639487570, 848061696, 202732901, 739018922, 653983847, 453022791, 391722680, 584290855, 270911670, 390838431, 653070075, 535876472, 83207555, 131151682, 505677504, 778583044, - 472363568, 734419459, 768500943, 321131696, 371745445, 751887879, 51797676, 157604159, 838805925, 358099697, 763440819, 776721566, 719570904, 304610785, 656838485, 239522278, - 796234199, 659506535, 825373307, 674901303, 250484891, 
54612517, 410236408, 111976920, 728940855, 720463104, 559960962, 514189554, 637176165, 436151981, 485801800, 802811374, - 549456481, 808832355, 112672706, 199163132, 807410080, 645955491, 365378122, 222316474, 381896744, 693909930, 402130292, 199856804, 277639257, 6848838, 648262319, 601521139, - 108516632, 392382841, 563420106, 475932203, 249861415, 99274558, 152886431, 744977783, 269184267, 562674804, 760959275, 733098096, 771348891, 674288361, 631521272, 513632066, - 476339117, 621937967, 206834230, 507101607, 420341698, 528715580, 853092790, 580174958, 278044321, 432350205, 603769437, 144426940, 733518338, 365468467, 848983278, 385382826, - 846062026, 593903051, 216589699, 219997638, 350708517, 733669279, 624754239, 499821820, 772548008, 199677439, 287505007, 144199205, 215073292, 825467700, 101591831, 571728784, - 841898341, 420897808, 61323616, 823475752, 72494861, 89946011, 236594097, 379582577, 539401967, 221244669, 479250487, 100726882, 263096036, 647161225, 491060387, 419890898, - 816149055, 546441322, 690509770, 215789647, 5870948, 821456387, 294091098, 783700004, 278643020, 520754327, 813718894, 123610053, 157045201, 265331664, 807174256, 258134244, - 703519669, 300265991, 41892125, 662173055, 439638698, 494124024, 700655120, 535348417, 37146186, 379568907, 644973451, 554904963, 594757858, 477812802, 266085643, 46337543, - 454847754, 496027901, 701947604, 5722633, 790588605, 233501932, 728956461, 462020148, 214013660, 155806979, 159935426, 423504958, 638889309, 602641304, 277759403, 71654804, - 710920410, 108337831, 641924564, 252946326, 463082282, 23277660, 142056200, 263317553, 9044238, 367816044, 349695658, 291597086, 230031083, 385106216, 281069679, 644033142, - 134221740, 212497862, 686686078, 787489098, 781698667, 748299513, 774414792, 380836293, 114027649, 766161763, 10536612, 707355910, 100516219, 637517297, 21478533, 769067854, - 668364559, 410803198, 64949715, 643421522, 525590993, 585289785, 423839840, 554109325, 450599860, 295350132, 
435789550, 306634115, 611298620, 777817576, 553655202, 804525538, - 794474290, 138542076, 780958763, 62228371, 738032107, 684994110, 661486955, 67099069, 68865906, 32413094, 358393763, 205008770, 849715545, 289798348, 384767209, 787328590, - 823677120, 47455925, 706001331, 612392717, 487804928, 731804935, 520572665, 442307581, 351275150, 726042356, 667657829, 254929787, 459520026, 625393223, 319307882, 77267096, - 815224795, 335964550, 408353208, 604252110, 574953308, 563501897, 515015302, 313600371, 178773384, 417549087, 510834475, 167049599, 488791556, 664276219, 82933775, 822541833, - 17111190, 409659978, 96304098, 500484311, 269766378, 327037310, 584926256, 538611363, 404132255, 170931824, 744460626, 154011192, 322194096, 215888234, 258344560, 702851111, - 192046250, 738511820, 530780560, 57197515, 335425579, 410968369, 830078545, 448351649, 208921555, 356653676, 718038774, 424362596, 158929491, 420096666, 387056270, 797383293, - 381201911, 466480709, 373815662, 84912008, 4969808, 524614597, 93448903, 559481007, 400813998, 665223025, 601707338, 466022707, 192709574, 615503265, 822863744, 639854175, - 158713505, 12757666, 389196370, 823105438, 682974863, 468401586, 93508626, 402414043, 806357152, 180544963, 27876186, 321527031, 329857607, 669501423, 829809824, 333202822, - 106923493, 368991112, 282317903, 790323774, 517381333, 548329656, 236147848, 700119793, 404187488, 343578810, 798813301, 497964535, 656188346, 678161787, 736817175, 518031339, - 716647183, 674797219, 308643560, 714308544, 516103468, 605229646, 564549717, 47650358, 706404486, 494887760, 152496104, 54954356, 271435602, 76951527, 136123931, 601823638, - 329273401, 252710411, 754980731, 351648254, 49239731, 837833233, 88830509, 598216539, 155534490, 669603727, 418388693, 79322074, 636251444, 703683994, 796989459, 126497707, - 644863316, 730359063, 265213001, 64483814, 552208981, 8135537, 782474322, 780853310, 733976806, 395661138, 128188419, 266691358, 407092046, 447349747, 526245954, 119272088, - 
359659635, 812410956, 669835517, 565139408, 248981831, 139910745, 685462294, 406991131, 709944045, 589819925, 714299787, 72923680, 648836181, 145321778, 392775383, 243093077, - 412955839, 174619485, 310936394, 699727061, 421087619, 745421519, 539546394, 29471558, 116471631, 852650639, 443777703, 773131303, 81618669, 756719012, 702785073, 847088653, - 851830586, 300908692, 430974543, 463215976, 668971423, 414271988, 108350516, 345933325, 716417649, 174980945, 679092437, 384030489, 814050910, 506580116, 249434097, 178438885, - 146797119, 10369463, 296359082, 215645133, 149545847, 483689845, 322009569, 308978588, 38531178, 328571637, 815396967, 709744233, 765487128, 645413104, 564779557, 213794315, - 280607549, 124792697, 423470554, 631348430, 21223627, 220718413, 598791979, 47797633, 734556299, 590321944, 168292920, 484802055, 340999812, 769601438, 42675060, 116026587, - 227462622, 543574607, 444066479, 467277895, 278798674, 597413704, 350168725, 301936652, 82885511, 656047519, 765110538, 52228202, 533005731, 621989298, 148235931, 317833915, - 118463894, 522391939, 451332724, 548031654, 73854149, 527786213, 583308898, 840663438, 275278054, 362931963, 587861579, 830807449, 431695707, 178004048, 75513216, 60681147, - 638603143, 470791469, 490903319, 527370962, 102981857, 224220555, 756514239, 293859807, 797926303, 620196520, 466126507, 646136763, 265504163, 213257337, 92270416, 398713724, - 91810366, 724247342, 855386762, 631553083, 376095634, 833728623, 636218061, 510719408, 378530670, 737821436, 127781731, 3443282, 770116208, 769633348, 430675947, 40370755, - 52361322, 844601468, 442556599, 128290354, 494328514, 405616679, 651440882, 421541290, 171560170, 386143493, 284277254, 450756213, 248305939, 526718005, 300780198, 714218239, - 68021827, 527353904, 236472015, 309320156, 683815803, 527980097, 598849444, 779607597, 339852811, 845420163, 96001931, 326760873, 609319751, 520803868, 140143851, 766988701, - 844896794, 532008178, 388459130, 574799295, 760406065, 
773758517, 453271555, 134636434, 155747417, 105505251, 796987277, 399016325, 71156680, 709579308, 274279004, 96962867, - 476741915, 585319990, 709143538, 721328791, 293159344, 640577897, 138404614, 572892015, 394460832, 465897068, 325895331, 413861636, 447337182, 376950267, 721061932, 181671909, - 272138750, 247768905, 634973622, 280653872, 165108426, 134241779, 15142090, 153256717, 783424845, 773227607, 172477802, 504458250, 349868083, 461422806, 487725644, 586146740, - 561546455, 815406759, 468110471, 126476456, 285774551, 522013234, 801943660, 79684345, 654558548, 188038414, 249923934, 551812615, 562560206, 407120348, 384535446, 176837117, - 433155458, 82591339, 459412819, 435604627, 312211805, 98158590, 752137480, 446017293, 666480139, 60261988, 275386848, 642778031, 8582401, 677484160, 819506256, 333441964, - 25465219, 190315429, 91529631, 754681170, 563660271, 167135649, 20270015, 115773732, 658954441, 132923202, 844102455, 453432758, 250487209, 423813160, 632223296, 537494486, - 158265753, 327949044, 494109748, 659672289, 67984726, 422358258, 345141182, 164372996, 338500924, 41400311, 207638305, 832074651, 50853458, 228267776, 621895888, 635834787, - 484972544, 181125024, 558134871, 282159878, 788157855, 145576343, 194837894, 501440949, 63641414, 252098681, 835930645, 662856247, 456140980, 206147937, 565198503, 449503819, - 684013129, 494002381, 793836418, 649296754, 444313288, 136544068, 540002286, 355912945, 613175147, 134541429, 843111781, 672612536, 541098995, 734996181, 211869705, 620777828, - 756152791, 242128346, 795442420, 73925532, 735232214, 738668090, 530800757, 266183732, 97165934, 803231879, 10057267, 175942047, 181460965, 320684297, 637472526, 213840116, - 182671953, 152704513, 388004388, 597349323, 473851493, 445333546, 679315863, 267078568, 46538491, 530171754, 698082287, 75308587, 266467406, 96440883, 759196579, 470119952, - 381731475, 428392158, 10628712, 173921356, 116809433, 323843928, 812172630, 403459283, 655501128, 261944441, 
774418023, 790520709, 589149480, 264133112, 806274256, 752372117, - 66236193, 713859568, 90804933, 551864345, 843839891, 600244073, 719230074, 803646506, 254956426, 138935723, 738829647, 109576220, 105819621, 249706947, 110623114, 10002331, - 795710911, 547062229, 721440199, 820747461, 397666160, 685179945, 463869301, 470338753, 641244231, 652990696, 698429485, 41147155, 638072709, 515832968, 241130026, 314161759, - 526815813, 529167244, 53391331, 782008115, 822962086, 337706389, 648197286, 209496506, 760818531, 781900302, 717270807, 709143641, 740503641, 734328409, 514061476, 844010670, - 67993787, 712083588, 319801387, 338260400, 48758556, 304195768, 478833380, 841413917, 710197685, 196321647, 777595184, 775983866, 147506314, 620961439, 399972264, 398715644, - 684489092, 659918078, 664075287, 723890579, 643103903, 508525962, 375409248, 501237729, 740609783, 639854810, 510797913, 521151016, 421045341, 193698327, 800266392, 93518128, - 443879633, 699245445, 194001794, 123905867, 75572337, 242620749, 463111940, 755239011, 31718790, 162155292, 386689240, 381413538, 745322913, 367897558, 343088005, 31706107, - 10842029, 404961623, 537521191, 281624684, 372852160, 55286017, 534907560, 264398082, 667644310, 486871690, 716964533, 734731419, 143593638, 293949413, 760014789, 594443755, - 147804127, 537704286, 460110740, 596458323, 577775570, 333025386, 260094086, 711487611, 359384182, 323339045, 716675075, 248179763, 525311626, 76326208, 559009987, 548139736, - 541721430, 31450329, 653923741, 676193285, 295171241, 558845563, 387079118, 403184480, 807941436, 501042343, 284608894, 705710380, 82388415, 763336555, 126077422, 438548854, - 606252517, 144569238, 126964439, 809559381, 263253751, 547929033, 236704198, 377978058, 59501955, 749500335, 254242336, 605755194, 408388953, 116242711, 116340056, 691021496, - 48100285, 371076069, 638156108, 211570763, 185945242, 653505761, 667569173, 335131755, 736662207, 572078378, 755939949, 840393623, 322934679, 520522390, 252068808, 
491370519, - 200565770, 552637112, 182345569, 394747039, 822229467, 817698102, 644484388, 156591766, 729600982, 695826242, 509682463, 785132583, 746139100, 188369785, 628995003, 406654440, - 650660075, 676485042, 540766742, 493428142, 753346328, 82608613, 670846442, 145894970, 770907988, 621807160, 14676199, 793865193, 36579515, 619741404, 303691972, 794920577, - 134684826, 190038753, 538889970, 836657477, 643017556, 316870164, 464572481, 305395359, 446406992, 587814221, 423552502, 122802120, 146043780, 173756097, 130720237, 445515559, - 109884833, 133119099, 804139234, 834841519, 458514524, 74213698, 490363622, 119287122, 165016718, 351506713, 433750226, 439149867, 348281119, 319795826, 320785867, 446561207, - 705678831, 714536161, 172299381, 552925586, 635421942, 851853231, 208071525, 142303096, 93164236, 207534795, 655906672, 558127940, 98870558, 388322132, 87475979, 835970665, - 61996500, 298060757, 256194194, 563529863, 249184704, 451295997, 73892211, 559049908, 44006160, 832886345, 720732161, 255948582, 827295342, 629663637, 323103159, 155698755, - 598913314, 586685341, 761273875, 135225209, 324099714, 391112815, 493469140, 796490769, 667498514, 148390126, 721802249, 781884558, 309264043, 603401759, 503111668, 563611748, - 363342598, 383209405, 108340736, 758017880, 145907493, 312330194, 608895549, 45540348, 143092704, 772401556, 806068040, 853177536, 662120004, 463347842, 495085709, 560431884, - 274002454, 76985308, 519320299, 253092838, 727478114, 593752634, 490277266, 206283832, 701277908, 504787112, 816832531, 730997507, 27807749, 58254704, 584933136, 515463756, - 241104222, 251881934, 566567573, 592887586, 528932268, 88111104, 523103099, 448331392, 351083975, 157811347, 758866581, 802151021, 843579185, 481417280, 507414106, 462708367, - 461501222, 790988186, 462220673, 727683888, 159759683, 59757110, 310746434, 326369241, 305829588, 457718309, 529317279, 503631310, 661769334, 343160359, 472216278, 740498212, - 11312284, 760170115, 513391009, 538224236, 
710934956, 491998229, 539829044, 610387964, 86624968, 72542777, 493966272, 132327984, 371526334, 182549152, 51622114, 173997077, - 550633787, 205437301, 435219235, 406409162, 414751325, 33371226, 40899348, 77245052, 763383124, 817701136, 598256078, 357440859, 468418959, 353612800, 721601331, 262567156, - 521577430, 232027892, 75986872, 443113391, 107360999, 482079354, 563502258, 782475535, 402866161, 515580626, 742688144, 677398836, 425899303, 42066550, 537192943, 430672016, - 115368023, 64053241, 92008456, 74327791, 572607165, 681138002, 378104858, 695786430, 844827190, 436817825, 751393351, 142965259, 81300919, 688342617, 433082724, 221191094, - 712003270, 301076404, 747091407, 514191589, 814985450, 260951422, 187161058, 22316970, 806106670, 759397054, 158423624, 419813636, 462241316, 438231460, 108466764, 212745115, - 386264342, 176072326, 767127195, 399981627, 762991681, 173125691, 464627163, 770046798, 179369718, 829917528, 693004603, 178596003, 422852852, 182684967, 662425026, 713404098, - 766206683, 130088738, 321282752, 134898541, 86701214, 120555423, 464987852, 82865891, 758340585, 138256323, 308997895, 659614345, 510091933, 822699180, 464631718, 819896232, - 120792059, 160708255, 462868879, 72974246, 260451492, 120601343, 228097712, 369436704, 155304088, 74380537, 732305166, 203294189, 307421597, 96510570, 634243454, 486539430, - 16204477, 241987531, 317824421, 510180366, 794475492, 262770124, 441034891, 741864347, 205569410, 684844547, 340863522, 440616421, 454438375, 26285496, 141886125, 648947081, - 3791510, 529746935, 317826713, 411458050, 661690316, 45696331, 679684665, 184597094, 829228068, 375683582, 591739456, 855242340, 628594662, 30968619, 363932244, 103091463, - 614269714, 465960778, 791477766, 332731888, 853151007, 266045534, 132189407, 435008168, 65667470, 669304246, 760035868, 481409581, 36650645, 523634336, 702968013, 351902214, - 284360680, 34261165, 593134528, 337534074, 239112910, 710342799, 163287447, 20209506, 780785984, 480727309, 
125776519, 691236193, 603228570, 48261672, 183120677, 73638683, - 3430616, 568026489, 808739797, 298585898, 64471573, 724550960, 568093636, 187449517, 655699449, 672689645, 829049456, 263525899, 612969883, 621652807, 186362075, 731851539, - 377104257, 39335761, 210768226, 253965025, 201921517, 715681274, 369453531, 18897741, 612559390, 660723864, 476963596, 585483298, 318614839, 227626072, 298891387, 110505944, - 814885802, 177563961, 443724544, 374856237, 577963338, 617516835, 475669105, 633353115, 12579943, 796644307, 569746680, 22381253, 343603333, 724567543, 845363898, 4023795, - 801359177, 347489967, 214644600, 78674056, 131782857, 284041623, 660502381, 161470286, 668158595, 765738294, 715872268, 678418089, 280458288, 758715787, 9311288, 490771912, - 757112000, 253990619, 698573830, 390611635, 52593584, 421202448, 494394112, 386893540, 29349323, 533111491, 774401558, 108660117, 405990553, 143728136, 852741683, 354532633, - 440222591, 663461253, 593338391, 298882952, 758170600, 660294062, 332348846, 541714172, 77716403, 169377728, 71932929, 110210904, 776771173, 645222398, 162195941, 792388932, - 502165627, 146897021, 243625970, 139123400, 462352793, 409369440, 247509680, 270865496, 539140627, 16949766, 245869282, 637926655, 37386603, 383033875, 316560876, 707909555, - 367315004, 173821041, 529529257, 227507318, 831716891, 830055847, 228911074, 205127100, 178872273, 819938491, 129875615, 764680417, 97028082, 560682982, 433649390, 727508847, - 494848582, 81279272, 435186566, 174468080, 69172161, 241860102, 692179355, 333985572, 788895276, 469576414, 594155471, 157828532, 182105752, 310394758, 673085082, 695719789, - 39004854, 251000641, 98748282, 744318650, 815050298, 622456803, 240419561, 403871914, 202214044, 627433637, 649505808, 668918393, 334630440, 386856024, 352649543, 135139523, - 216499252, 736376783, 269223150, 468318208, 801808348, 180378366, 640086372, 672618369, 291378195, 732195369, 805632553, 518515631, 603280165, 629836417, 59712833, 531020081, - 
708771168, 539819295, 179149444, 552251927, 458994127, 584987693, 238644928, 640603619, 46728500, 843989005, 688747457, 236924093, 261539965, 705411056, 765907765, 38095657, - 382461698, 146650814, 351462947, 749417520, 628887925, 800857475, 790554154, 695483946, 160495923, 40896482, 471385785, 535516195, 197056285, 622795937, 368016917, 696525353, - 377315918, 58087122, 246518254, 431338589, 795949654, 611141265, 406307405, 365750089, 396243561, 843849531, 33802729, 573076974, 557841126, 411725124, 109489622, 370935707, - 372610558, 769825999, 367932152, 231499145, 240819898, 22648665, 418344529, 142438794, 552806180, 669450690, 614608056, 784369586, 258710636, 474742428, 166021530, 805595815, - 603578176, 686703780, 412868426, 26588048, 379895115, 77550061, 751188758, 294447541, 433574579, 234362222, 821492181, 23912038, 681093196, 483584545, 404339808, 396405029, - 744756742, 702481685, 413127074, 204115019, 187381271, 633523978, 433629465, 628184183, 783160918, 268799033, 646479372, 160458176, 602612912, 644506365, 391554011, 676966578, - 386430153, 98736426, 412745127, 296141927, 685909285, 355152260, 361415843, 127323093, 586337666, 1734791, 368678692, 155431915, 597290023, 109507713, 291804866, 135016081, - 144077689, 35054937, 16808265, 431962815, 534195521, 629326143, 309352001, 319948849, 443083246, 336744161, 100845182, 314804947, 476736581, 468528479, 416978018, 35141019, - 43314058, 384847955, 665126798, 295857628, 768013680, 741182796, 157855570, 695547618, 145251639, 818473396, 708640763, 87460130, 736400748, 465173936, 376720282, 437268868, - 137236663, 693860377, 247960644, 402124416, 656418852, 231401654, 248187016, 628418583, 224261112, 120581342, 49749199, 588812480, 309599954, 111357387, 14507354, 754564049, - 513444423, 816496110, 509193085, 361635970, 190608265, 697367838, 230953561, 140447357, 27745100, 163340427, 607823059, 325305463, 383028479, 269707244, 475022415, 708990989, - 738971809, 797646021, 126610937, 589310701, 191123172, 
819715815, 337443183, 432224976, 337343783, 257301390, 172631141, 560659319, 646332329, 55110483, 467212803, 442977895, - 311159578, 569890333, 669396086, 536323022, 542648615, 366162176, 88951009, 408335586, 276237497, 384733042, 525960156, 74199534, 338209206, 676233089, 264342641, 241682204, - 226505461, 165013960, 129858819, 664852498, 432090291, 165700308, 382150900, 537002255, 368893910, 61006155, 238726881, 92317627, 632392147, 404715651, 802622348, 126100061, - 306024238, 397891265, 214661020, 211132870, 783722518, 149847645, 665379914, 624725195, 85864665, 496272723, 304811252, 29995710, 410500887, 756406394, 31206753, 647154006, - 596539568, 783214792, 286381882, 24560691, 681500270, 774933112, 506538708, 850347997, 611696036, 512607061, 251719669, 367108021, 456442965, 636694730, 399940257, 73870039, - 85190759, 264953709, 238854238, 395048514, 612738126, 27417876, 652695826, 188238483, 324168828, 736238139, 789061724, 529275445, 382304068, 176318391, 709989466, 14237691, -}; - -const poly PQCLEAN_QTESLAPIII_CLEAN_zetainv = { - - 146156455, 679827530, 473841853, 326870476, 67084197, 119907782, 531977093, 667907438, 203450095, 828728045, 243407795, 461097407, 617291683, 591192212, 770955162, 782275882, - 456205664, 219451191, 399702956, 489037900, 604426252, 343538860, 244449885, 5797924, 349607213, 81212809, 174645651, 831585230, 569764039, 72931129, 259606353, 208991915, - 824939168, 99739527, 445645034, 826150211, 551334669, 359873198, 770281256, 231420726, 190766007, 706298276, 72423403, 645013051, 641484901, 458254656, 550121683, 730045860, - 53523573, 451430270, 223753774, 763828294, 617419040, 795139766, 487252011, 319143666, 473995021, 690445613, 424055630, 191293423, 726287102, 691131961, 629640460, 614463717, - 591803280, 179912832, 517936715, 781946387, 330185765, 471412879, 579908424, 447810335, 767194912, 489983745, 313497306, 319822899, 186749835, 286255588, 544986343, 413168026, - 388933118, 801035438, 209813592, 295486602, 683514780, 
598844531, 518802138, 423920945, 518702738, 36430106, 665022749, 266835220, 729534984, 58499900, 117174112, 147154932, - 381123506, 586438677, 473117442, 530840458, 248322862, 692805494, 828400821, 715698564, 625192360, 158778083, 665537656, 494509951, 346952836, 39649811, 342701498, 101581872, - 841638567, 744788534, 546545967, 267333441, 806396722, 735564579, 631884809, 227727338, 607958905, 624744267, 199727069, 454021505, 608185277, 162285544, 718909258, 418877053, - 479425639, 390971985, 119745173, 768685791, 147505158, 37672525, 710894282, 160598303, 698290351, 114963125, 88132241, 560288293, 191019123, 471297966, 812831863, 821004902, - 439167903, 387617442, 379409340, 541340974, 755300739, 519401760, 413062675, 536197072, 546793920, 226819778, 321950400, 424183106, 839337656, 821090984, 712068232, 721129840, - 564341055, 746638208, 258855898, 700714006, 487467229, 854411130, 269808255, 728822828, 494730078, 500993661, 170236636, 560003994, 443400794, 757409495, 469715768, 179179343, - 464591910, 211639556, 253533009, 695687745, 209666549, 587346888, 72985003, 227961738, 422516456, 222621943, 668764650, 652030902, 443018847, 153664236, 111389179, 459740892, - 451806113, 372561376, 175052725, 832233883, 34653740, 621783699, 422571342, 561698380, 104957163, 778595860, 476250806, 829557873, 443277495, 169442141, 252567745, 50550106, - 690124391, 381403493, 597435285, 71776335, 241537865, 186695231, 303339741, 713707127, 437801392, 833497256, 615326023, 624646776, 488213769, 86319922, 483535363, 485210214, - 746656299, 444420797, 298304795, 283068947, 822343192, 12296390, 459902360, 490395832, 449838516, 245004656, 60196267, 424807332, 609627667, 798058799, 478830003, 159620568, - 488129004, 233349984, 659089636, 320629726, 384760136, 815249439, 695649998, 160661975, 65591767, 55288446, 227257996, 106728401, 504682974, 709495107, 473684223, 818050264, - 90238156, 150734865, 594605956, 619221828, 167398464, 12156916, 809417421, 215542302, 617500993, 271158228, 
397151794, 303893994, 676996477, 316326626, 147374753, 325125840, - 796433088, 226309504, 252865756, 337630290, 50513368, 123950552, 564767726, 183527552, 216059549, 675767555, 54337573, 387827713, 586922771, 119769138, 639646669, 721006398, - 503496378, 469289897, 521515481, 187227528, 206640113, 228712284, 653931877, 452274007, 615726360, 233689118, 41095623, 111827271, 757397639, 605145280, 817141067, 160426132, - 183060839, 545751163, 674040169, 698317389, 261990450, 386569507, 67250645, 522160349, 163966566, 614285819, 786973760, 681677841, 420959355, 774866649, 361297339, 128637074, - 422496531, 295462939, 759117839, 91465504, 726270306, 36207430, 677273648, 651018821, 627234847, 26090074, 24429030, 628638603, 326616664, 682324880, 488830917, 148236366, - 539585045, 473112046, 818759318, 218219266, 610276639, 839196155, 317005294, 585280425, 608636241, 446776481, 393793128, 717022521, 612519951, 709248900, 353980294, 63756989, - 693949980, 210923523, 79374748, 745935017, 784212992, 686768193, 778429518, 314431749, 523797075, 195851859, 97975321, 557262969, 262807530, 192684668, 415923330, 501613288, - 3404238, 712417785, 450155368, 747485804, 81744363, 323034430, 826796598, 469252381, 361751809, 434943473, 803552337, 465534286, 157572091, 602155302, 99033921, 365374009, - 846834633, 97430134, 575687633, 177727832, 140273653, 90407627, 187987326, 694675635, 195643540, 572104298, 724363064, 777471865, 641501321, 508655954, 54786744, 852122126, - 10782023, 131578378, 512542588, 833764668, 286399241, 59501614, 843565978, 222792806, 380476816, 238629086, 278182583, 481289684, 412421377, 678581960, 41260119, 745639977, - 557254534, 628519849, 537531082, 270662623, 379182325, 195422057, 243586531, 837248180, 486692390, 140464647, 654224404, 602180896, 645377695, 816810160, 479041664, 124294382, - 669783846, 234493114, 243176038, 592620022, 27096465, 183456276, 200446472, 668696404, 288052285, 131594961, 791674348, 557560023, 47406124, 288119432, 852715305, 
782507238, - 673025244, 807884249, 252917351, 164909728, 730369402, 375418612, 75359937, 835936415, 692858474, 145803122, 617033011, 518611847, 263011393, 821884756, 571785241, 504243707, - 153177908, 332511585, 819495276, 374736340, 96110053, 186841675, 790478451, 421137753, 723956514, 590100387, 2994914, 523414033, 64668155, 390185143, 241876207, 753054458, - 492213677, 825177302, 227551259, 903581, 264406465, 480462339, 26917853, 671548827, 176461256, 810449590, 194455605, 444687871, 538319208, 326398986, 852354411, 207198840, - 714259796, 829860425, 401707546, 415529500, 515282399, 171301374, 650576511, 114281574, 415111030, 593375797, 61670429, 345965555, 538321500, 614158390, 839941444, 369606491, - 221902467, 759635351, 548724324, 652851732, 123840755, 781765384, 700841833, 486709217, 628048209, 735544578, 595694429, 783171675, 393277042, 695437666, 735353862, 36249689, - 391514203, 33446741, 346053988, 196531576, 547148026, 717889598, 97805336, 773280030, 391158069, 735590498, 769444707, 721247380, 534863169, 726057183, 89939238, 142741823, - 193720895, 673460954, 433293069, 677549918, 163141318, 26228393, 676776203, 86099123, 391518758, 683020230, 93154240, 456164294, 89018726, 680073595, 469881579, 643400806, - 747679157, 417914461, 393904605, 436332285, 697722297, 96748867, 50039251, 833828951, 668984863, 595194499, 41160471, 341954332, 109054514, 555069517, 144142651, 634954827, - 423063197, 167803304, 774845002, 713180662, 104752570, 419328096, 11318731, 160359491, 478041063, 175007919, 283538756, 781818130, 764137465, 792092680, 740777898, 425473905, - 318952978, 814079371, 430246618, 178747085, 113457777, 340565295, 453279760, 73670386, 292643663, 374066567, 748784922, 413032530, 780159049, 624118029, 334568491, 593578765, - 134544590, 502533121, 387726962, 498705062, 257889843, 38444785, 92762797, 778900869, 815246573, 822774695, 441394596, 449736759, 420926686, 650708620, 305512134, 682148844, - 804523807, 673596769, 484619587, 723817937, 
362179649, 783603144, 769520953, 245757957, 316316877, 364147692, 145210965, 317921685, 342754912, 95975806, 844833637, 115647709, - 383929643, 512985562, 194376587, 352514611, 326828642, 398427612, 550316333, 529776680, 545399487, 796388811, 696386238, 128462033, 393925248, 65157735, 394644699, 393437554, - 348731815, 374728641, 12566736, 53994900, 97279340, 698334574, 505061946, 407814529, 333042822, 768034817, 327213653, 263258335, 289578348, 604263987, 615041699, 340682165, - 271212785, 797891217, 828338172, 125148414, 39313390, 351358809, 154868013, 649862089, 365868655, 262393287, 128667807, 603053083, 336825622, 779160613, 582143467, 295714037, - 361060212, 392798079, 194025917, 2968385, 50077881, 83744365, 713053217, 810605573, 247250372, 543815727, 710238428, 98128041, 747805185, 472936516, 492803323, 292534173, - 353034253, 252744162, 546881878, 74261363, 134343672, 707755795, 188647407, 59655152, 362676781, 465033106, 532046207, 720920712, 94872046, 269460580, 257232607, 700447166, - 533042762, 226482284, 28850579, 600197339, 135413760, 23259576, 812139761, 297096013, 782253710, 404849924, 606961217, 292616058, 599951727, 558085164, 794149421, 20175256, - 768669942, 467823789, 757275363, 298017981, 200239249, 648611126, 762981685, 713842825, 648074396, 4292690, 220723979, 303220335, 683846540, 141609760, 150467090, 409584714, - 535360054, 536350095, 507864802, 416996054, 422395695, 504639208, 691129203, 736858799, 365782299, 781932223, 397631397, 21304402, 52006687, 723026822, 746261088, 410630362, - 725425684, 682389824, 710102141, 733343801, 432593419, 268331700, 409738929, 550750562, 391573440, 539275757, 213128365, 19488444, 317255951, 666107168, 721461095, 61225344, - 552453949, 236404517, 819566406, 62280728, 841469722, 234338761, 85237933, 710250951, 185299479, 773537308, 102799593, 362717779, 315379179, 179660879, 205485846, 449491481, - 227150918, 667776136, 110006821, 71013338, 346463458, 160319679, 126544939, 699554155, 211661533, 38447819, 
33916454, 461398882, 673800352, 303508809, 655580151, 364775402, - 604077113, 335623531, 533211242, 15752298, 100205972, 284067543, 119483714, 521014166, 188576748, 202640160, 670200679, 644575158, 217989813, 485069852, 808045636, 165124425, - 739805865, 739903210, 447756968, 250390727, 601903585, 106645586, 796643966, 478167863, 619441723, 308216888, 592892170, 46586540, 729181482, 711576683, 249893404, 417597067, - 730068499, 92809366, 773757506, 150435541, 571537027, 355103578, 48204485, 452961441, 469066803, 297300358, 560974680, 179952636, 202222180, 824695592, 314424491, 308006185, - 297135934, 779819713, 330834295, 607966158, 139470846, 532806876, 496761739, 144658310, 596051835, 523120535, 278370351, 259687598, 396035181, 318441635, 708341794, 261702166, - 96131132, 562196508, 712552283, 121414502, 139181388, 369274231, 188501611, 591747839, 321238361, 800859904, 483293761, 574521237, 318624730, 451184298, 845303892, 824439814, - 513057916, 488248363, 110823008, 474732383, 469456681, 693990629, 824427131, 100906910, 393033981, 613525172, 780573584, 732240054, 662144127, 156900476, 412266288, 762627793, - 55879529, 662447594, 435100580, 334994905, 345348008, 216291111, 115536138, 354908192, 480736673, 347619959, 213042018, 132255342, 192070634, 196227843, 171656829, 457430277, - 456173657, 235184482, 708639607, 80162055, 78550737, 659824274, 145948236, 14732004, 377312541, 551950153, 807387365, 517885521, 536344534, 144062333, 788152134, 12135251, - 342084445, 121817512, 115642280, 147002280, 138875114, 74245619, 95327390, 646649415, 207948635, 518439532, 33183835, 74137806, 802754590, 326978677, 329330108, 541984162, - 615015895, 340312953, 218073212, 814998766, 157716436, 203155225, 214901690, 385807168, 392276620, 170965976, 458479761, 35398460, 134705722, 309083692, 60435010, 846143590, - 745522807, 606438974, 750326300, 746569701, 117316274, 717210198, 601189495, 52499415, 136915847, 255901848, 12306030, 304281576, 765340988, 142286353, 789909728, 
103773804, - 49871665, 592012809, 266996441, 65625212, 81727898, 594201480, 200644793, 452686638, 43973291, 532301993, 739336488, 682224565, 845517209, 427753763, 474414446, 386025969, - 96949342, 759705038, 589678515, 780837334, 158063634, 325974167, 809607430, 589067353, 176830058, 410812375, 382294428, 258796598, 468141533, 703441408, 673473968, 642305805, - 218673395, 535461624, 674684956, 680203874, 846088654, 52914042, 758979987, 589962189, 325345164, 117477831, 120913707, 782220389, 60703501, 614017575, 99993130, 235368093, - 644276216, 121149740, 315046926, 183533385, 13034140, 721604492, 242970774, 500232976, 316143635, 719601853, 411832633, 206849167, 62309503, 362143540, 172132792, 406642102, - 290947418, 649997984, 400004941, 193289674, 20215276, 604047240, 792504507, 354704972, 661308027, 710569578, 67988066, 573986043, 298011050, 675020897, 371173377, 220311134, - 234250033, 627878145, 805292463, 24071270, 648507616, 814745610, 517644997, 691772925, 511004739, 433787663, 788161195, 196473632, 362036173, 528196877, 697880168, 318651435, - 223922625, 432332761, 605658712, 402713163, 12043466, 723222719, 197191480, 740372189, 835875906, 689010272, 292485650, 101464751, 764616290, 665830492, 830680702, 522703957, - 36639665, 178661761, 847563520, 213367890, 580759073, 795883933, 189665782, 410128628, 104008441, 757987331, 543934116, 420541294, 396733102, 773554582, 422990463, 679308804, - 471610475, 449025573, 293585715, 304333306, 606221987, 668107507, 201587373, 776461576, 54202261, 334132687, 570371370, 729669465, 388035450, 40739162, 294599466, 269999181, - 368420277, 394723115, 506277838, 351687671, 683668119, 82918314, 72721076, 702889204, 841003831, 721904142, 691037495, 575492049, 221172299, 608377016, 584007171, 674474012, - 135083989, 479195654, 408808739, 442284285, 530250590, 390248853, 461685089, 283253906, 717741307, 215568024, 562986577, 134817130, 147002383, 270825931, 379404006, 759183054, - 581866917, 146566613, 784989241, 457129596, 
59158644, 750640670, 700398504, 721509487, 402874366, 82387404, 95739856, 281346626, 467686791, 324137743, 11249127, 89157220, - 716002070, 335342053, 246826170, 529385048, 760143990, 10725758, 516293110, 76538324, 257296477, 328165824, 172330118, 546825765, 619673906, 328792017, 788124094, 141927682, - 555365723, 329427916, 607839982, 405389708, 571868667, 470002428, 684585751, 434604631, 204705039, 450529242, 361817407, 727855567, 413589322, 11544453, 803784599, 815775166, - 425469974, 86512573, 86029713, 852702639, 728364190, 118324485, 477615251, 345426513, 219927860, 22417298, 480050287, 224592838, 759159, 131898579, 764335555, 457432197, - 763875505, 642888584, 590641758, 210009158, 390019414, 235949401, 58219618, 562286114, 99631682, 631925366, 753164064, 328774959, 365242602, 385354452, 217542778, 795464774, - 780632705, 678141873, 424450214, 25338472, 268284342, 493213958, 580867867, 15482483, 272837023, 328359708, 782291772, 308114267, 404813197, 333753982, 737682027, 538312006, - 707909990, 234156623, 323140190, 803917719, 91035383, 200098402, 773260410, 554209269, 505977196, 258732217, 577347247, 388868026, 412079442, 312571314, 628683299, 740119334, - 813470861, 86544483, 515146109, 371343866, 687853001, 265823977, 121589622, 808348288, 257353942, 635427508, 834922294, 224797491, 432675367, 731353224, 575538372, 642351606, - 291366364, 210732817, 90658793, 146401688, 40748954, 527574284, 817614743, 547167333, 534136352, 372456076, 706600074, 640500788, 559786839, 845776458, 709348802, 677707036, - 606711824, 349565805, 42095011, 472115432, 177053484, 681164976, 139728272, 510212596, 747795405, 441873933, 187174498, 392929945, 425171378, 555237229, 4315335, 9057268, - 153360848, 99426909, 774527252, 83014618, 412368218, 3495282, 739674290, 826674363, 316599527, 110724402, 435058302, 156418860, 545209527, 681526436, 443190082, 613052844, - 463370538, 710824143, 207309740, 783222241, 141846134, 266325996, 146201876, 449154790, 170683627, 716235176, 
607164090, 291006513, 186310404, 43734965, 496486286, 736873833, - 329899967, 408796174, 449053875, 589454563, 727957502, 460484783, 122169115, 75292611, 73671599, 848010384, 303936940, 791662107, 590932920, 125786858, 211282605, 729648214, - 59156462, 152461927, 219894477, 776823847, 437757228, 186542194, 700611431, 257929382, 767315412, 18312688, 806906190, 504497667, 101165190, 603435510, 526872520, 254322283, - 720021990, 779194394, 584710319, 801191565, 703649817, 361258161, 149741435, 808495563, 291596204, 250916275, 340042453, 141837377, 547502361, 181348702, 139498738, 338114582, - 119328746, 177984134, 199957575, 358181386, 57332620, 512567111, 451958433, 156026128, 619998073, 307816265, 338764588, 65822147, 573828018, 487154809, 749222428, 522943099, - 26336097, 186644498, 526288314, 534618890, 828269735, 675600958, 49788769, 453731878, 762637295, 387744335, 173171058, 33040483, 466949551, 843388255, 697432416, 216291746, - 33282177, 240642656, 663436347, 390123214, 254438583, 190922896, 455331923, 296664914, 762697018, 331531324, 851176113, 771233913, 482330259, 389665212, 474944010, 58762628, - 469089651, 436049255, 697216430, 431783325, 138107147, 499492245, 647224366, 407794272, 26067376, 445177552, 520720342, 798948406, 325365361, 117634101, 664099671, 153294810, - 597801361, 640257687, 533951825, 702134729, 111685295, 685214097, 452013666, 317534558, 271219665, 529108611, 586379543, 355661610, 759841823, 446485943, 839034731, 33604088, - 773212146, 191869702, 367354365, 689096322, 345311446, 438596834, 677372537, 542545550, 341130619, 292644024, 281192613, 251893811, 447792713, 520181371, 40921126, 778878825, - 536838039, 230752698, 396625895, 601216134, 188488092, 130103565, 504870771, 413838340, 335573256, 124340986, 368340993, 243753204, 150144590, 808689996, 32468801, 68817331, - 471378712, 566347573, 6430376, 651137151, 497752158, 823732827, 787280015, 789046852, 194658966, 171151811, 118113814, 793917550, 75187158, 717603845, 61671631, 
51620383, - 302490719, 78328345, 244847301, 549511806, 420356371, 560795789, 405546061, 302036596, 432306081, 270856136, 330554928, 212724399, 791196206, 445342723, 187781362, 87078067, - 834667388, 218628624, 755629702, 148790011, 845609309, 89984158, 742118272, 475309628, 81731129, 107846408, 74447254, 68656823, 169459843, 643648059, 721924181, 212112779, - 575076242, 471039705, 626114838, 564548835, 506450263, 488329877, 847101683, 592828368, 714089721, 832868261, 393063639, 603199595, 214221357, 747808090, 145225511, 784491117, - 578386518, 253504617, 217256612, 432640963, 696210495, 700338942, 642132261, 394125773, 127189460, 622643989, 65557316, 850423288, 154198317, 360118020, 401298167, 809808378, - 590060278, 378333119, 261388063, 301240958, 211172470, 476577014, 818999735, 320797504, 155490801, 362021897, 416507223, 193972866, 814253796, 555879930, 152626252, 598011677, - 48971665, 590814257, 699100720, 732535868, 42427027, 335391594, 577502901, 72445917, 562054823, 34689534, 850274973, 640356274, 165636151, 309704599, 39996866, 436255023, - 365085534, 208984696, 593049885, 755419039, 376895434, 634901252, 316743954, 476563344, 619551824, 766199910, 783651060, 32670169, 794822305, 435248113, 14247580, 284417137, - 754554090, 30678221, 641072629, 711946716, 568640914, 656468482, 83597913, 356324101, 231391682, 122476642, 505437404, 636148283, 639556222, 262242870, 10083895, 470763095, - 7162643, 490677454, 122627583, 711718981, 252376484, 423795716, 578101600, 275970963, 3053131, 327430341, 435804223, 349044314, 649311691, 234207954, 379806804, 342513855, - 224624649, 181857560, 84797030, 123047825, 95186646, 293471117, 586961654, 111168138, 703259490, 756871363, 606284506, 380213718, 292725815, 463763080, 747629289, 254624782, - 207883602, 849297083, 578506664, 656289117, 454015629, 162235991, 474249177, 633829447, 490767799, 210190430, 48735841, 656982789, 743473215, 47313566, 306689440, 53334547, - 370344121, 419993940, 218969756, 341956367, 296184959, 
135682817, 127205066, 744169001, 445909513, 801533404, 605661030, 181244618, 30772614, 196639386, 59911722, 616623643, - 199307436, 551535136, 136575017, 79424355, 92705102, 498046224, 17339996, 698541762, 804348245, 104258042, 484400476, 535014225, 87644978, 121726462, 383782353, 77562877, - 350468417, 724994239, 772938366, 320269449, 203075846, 465307490, 585234251, 271855066, 464423241, 403123130, 202162074, 117126999, 653413020, 8084225, 216658351, 409614891, - 799241223, 600931579, 454131285, 782741932, 376344215, 79696641, 803438191, 565030050, 460657460, 5110534, 472517130, 76991417, 572426425, 92047134, 285371277, 843473400, - 389338704, 704515255, 459914006, 657120075, 708563883, 78813141, 11770883, 688134435, 287808573, 649280542, 765338883, 439803770, 160535862, 617753423, 442051682, 288864924, - 32955626, 326880188, 696887038, 215124062, 791918307, 767157413, 358676037, 30612492, 661971023, 838968782, 465224708, 784600829, 146985424, 799718881, 207906900, 340800263, - 849693954, 44777992, 31326149, 240259940, 508401593, 499528021, 475930852, 690672059, 580019353, 297040464, 236338202, 454171188, 695134912, 508172471, 436504159, 293630619, - 848875161, 37043893, 26993038, 396046068, 722016462, 445419380, 209243403, 503786686, 268117854, 281672598, 205034970, 87894257, 293598267, 46912651, 147959859, 462629641, - 509044664, 700768221, 107374762, 340721447, 163551982, 247501118, 447395984, 318219025, 172114399, 110025830, 810265637, 370215004, 606303954, 462642711, 251114029, 290800715, - 780017258, 789443137, 495480307, 615909633, 431756150, 766376396, 820732666, 686803688, 133668454, 761665150, 326017339, 424112204, 110554261, 386347465, 101066781, 135666139, - 256882780, 205722545, 668032392, 405718561, 350327055, 621444438, 381307379, 421184831, 753121128, 590538618, 366906511, 345326178, 132085192, 40531091, 780676557, 586664955, - 597888984, 693668509, 487104387, 234747974, 572624063, 114516856, 550027276, 316481563, 239535126, 788436714, 847219527, 
113421825, 200615887, 815912760, 581164384, 191193216, - 11551938, 606832431, 431210833, 196126697, 92508342, 270544041, 192437514, 99153842, 188585579, 413385580, 745267475, 448172363, 667109106, 85272138, 658601344, 443173146, - 392530856, 589073317, 382995167, 248915715, 375600977, 386782401, 254322056, 790853708, 580714915, 163129486, 824017519, 86419559, 117205367, 634667017, 566451589, 852749522, - 837490424, 330422330, 294598189, 814909626, 505390042, 125578715, 357313675, 450539487, 233746299, 446282749, 755039478, 740350430, 598956163, 116099139, 167482754, 310512355, - 135624781, 470874939, 196356683, 239902897, 693520220, 454942578, 778240578, 45236161, 51101673, 270126615, 94622194, 524282161, 632376971, 703121383, 587013336, 572429454, - 37728898, 143682359, 206045437, 557167425, 770459696, 477771773, 321346425, 290390778, 100874902, 758540246, 746805823, 459566327, 607673901, 158286491, 527010720, 579461268, - 74963118, 420964844, 51316958, 250512679, 452729483, 35670488, 559935164, 734294507, 379228497, 172592106, 126508187, 757555710, 853874620, 808517874, 106015915, 375691866, - 423413164, 423111661, 60250078, 645353691, 853830811, 288310932, 1489804, 127886925, 191505834, 459549138, 542519706, 369115379, 116842790, 784888677, 269818678, 712117130, - 748410048, 139982101, 169805525, 32264681, 532400632, 397389041, 181262233, 703428567, 604760852, 44143128, 69914527, 86615396, 314810965, 68145528, 650868687, 717671367, - 594246701, 641155397, 207406129, 180083553, 414651973, 132523243, 211350471, 397371331, 170688638, 732763563, 132155217, 394688247, 571356350, 93856418, 708831649, 841908230, -}; - diff --git a/crypto_sign/qtesla-p-III/clean/gauss.c b/crypto_sign/qtesla-p-III/clean/gauss.c deleted file mode 100644 index 9e0fe05d..00000000 --- a/crypto_sign/qtesla-p-III/clean/gauss.c +++ /dev/null 
@@ -1,44 +0,0 @@
-/*************************************************************************************
-* qTESLA: an efficient post-quantum signature scheme based on the R-LWE problem
-*
-* Abstract: portable, constant-time Gaussian sampler
-**************************************************************************************/
-
-#include "api.h"
-#include "CDT32.h"
-#include "gauss.h"
-#include "sp800-185.h"
-#include
-
-void PQCLEAN_QTESLAPIII_CLEAN_sample_gauss_poly(poly z, const uint8_t *seed, uint16_t nonce) {
- uint16_t dmsp = (uint16_t)(nonce << 8);
- int32_t samp[CHUNK_SIZE * CDT_COLS], c[CDT_COLS], borrow, sign;
- const int32_t mask = (int32_t)((uint32_t)(-1) >> 1);
- uint8_t buf[CHUNK_SIZE * CDT_COLS * sizeof(int32_t)];
-
- for (size_t chunk = 0; chunk < PARAM_N; chunk += CHUNK_SIZE) {
- uint8_t dmsp_bytes[2];
- dmsp_bytes[0] = (uint8_t)(dmsp & 0xff);
- dmsp_bytes[1] = (uint8_t)(dmsp >> 8);
- cSHAKE(buf, CHUNK_SIZE * CDT_COLS * sizeof(int32_t), (uint8_t *)NULL, 0, dmsp_bytes, 2, seed, CRYPTO_RANDOMBYTES);
- ++dmsp;
- for (size_t i = 0, j = 0; i < CHUNK_SIZE * CDT_COLS; i += 1, j += 4) {
- samp[i] = (int32_t)(buf[j] | (buf[j + 1] << 8) | (buf[j + 2] << 16) | (int32_t)((uint32_t)buf[j + 3] << 24));
- }
- for (size_t i = 0; i < CHUNK_SIZE; i++) {
- z[chunk + i] = 0;
- for (size_t j = 1; j < CDT_ROWS; j++) {
- borrow = 0;
- for (size_t k = CDT_COLS; k > 0; ) {
- k--;
- c[k] = (samp[i * CDT_COLS + k] & mask) - (cdt_v[j * CDT_COLS + k] + borrow);
- borrow = c[k] >> (RADIX32 - 1);
- }
- z[chunk + i] += ~borrow & 1;
- }
- sign = samp[i * CDT_COLS] >> (RADIX32 - 1);
- z[chunk + i] = (sign & -z[chunk + i]) | (~sign & z[chunk + i]);
- }
- }
-}
-
diff --git a/crypto_sign/qtesla-p-III/clean/gauss.h b/crypto_sign/qtesla-p-III/clean/gauss.h
deleted file mode 100644
index 5a4f6d44..00000000
--- a/crypto_sign/qtesla-p-III/clean/gauss.h
+++ /dev/null
@@ -1,13 +0,0 @@
-#ifndef PQCLEAN_QTESLAPIII_CLEAN_GAUSS_H
-#define PQCLEAN_QTESLAPIII_CLEAN_GAUSS_H
-
-#include "config.h"
-#include "params.h"
-#include "poly.h"
-#include
-
-#define CHUNK_SIZE 512 // Fix chunk size for sampling
-
-void PQCLEAN_QTESLAPIII_CLEAN_sample_gauss_poly(poly z, const uint8_t *seed, uint16_t nonce);
-
-#endif
diff --git a/crypto_sign/qtesla-p-III/clean/pack.c b/crypto_sign/qtesla-p-III/clean/pack.c
deleted file mode 100644
index 379ab20d..00000000
--- a/crypto_sign/qtesla-p-III/clean/pack.c
+++ /dev/null
@@ -1,108 +0,0 @@
-/*************************************************************************************
-* qTESLA: an efficient post-quantum signature scheme based on the R-LWE problem
-*
-* Abstract: packing functions
-**************************************************************************************/
-
-#include "api.h"
-#include "pack.h"
-#include "params.h"
-#include "poly.h"
-#include
-
-void PQCLEAN_QTESLAPIII_CLEAN_pack_sk(uint8_t *sk, const poly s, const poly_k e, uint8_t *seeds) {
- // Pack secret key sk
- size_t i, k;
-
- for (i = 0; i < PARAM_N; i++) {
- sk[i] = (uint8_t)s[i];
- }
-
- sk += PARAM_N;
- for (k = 0; k < PARAM_K; k++) {
- for (i = 0; i < PARAM_N; i++) {
- sk[k * PARAM_N + i] = (uint8_t)e[k * PARAM_N + i];
- }
- }
-
- memcpy(&sk[PARAM_K * PARAM_N], seeds, 2 * CRYPTO_SEEDBYTES);
-}
-
-void PQCLEAN_QTESLAPIII_CLEAN_encode_pk(uint8_t *pk, const poly_k t, const uint8_t *seedA) {
- // Encode public key pk
- size_t i, j;
-
- for (i = 0, j = 0; i < PARAM_N * PARAM_K; i += 4, j += 15) {
- pk[j ] = (uint8_t)( t[i ] );
- pk[j + 1] = (uint8_t)( t[i ] >> 8 );
- pk[j + 2] = (uint8_t)( t[i ] >> 16 );
- pk[j + 3] = (uint8_t)((t[i ] >> 24) | (t[i + 1] << 6));
- pk[j + 4] = (uint8_t)( t[i + 1] >> 2 );
- pk[j + 5] = (uint8_t)( t[i + 1] >> 10 );
- pk[j + 6] = (uint8_t)( t[i + 1] >> 18 );
- pk[j + 7] = (uint8_t)((t[i + 1] >> 26) | (t[i + 2] << 4));
- pk[j + 8] = (uint8_t)( t[i + 2] >> 4 );
- pk[j + 9] = (uint8_t)( t[i + 2] >> 12 );
- pk[j + 10] = (uint8_t)( t[i + 2] >> 20 );
- pk[j + 11] = (uint8_t)((t[i + 2] >> 28) | (t[i + 3] << 2));
- pk[j + 12] = (uint8_t)( t[i + 3] >> 6 );
- pk[j + 13] = (uint8_t)( t[i + 3] >> 14 );
- pk[j + 14] = (uint8_t)( t[i + 3] >> 22 );
- }
-
- memcpy(&pk[j], seedA, CRYPTO_SEEDBYTES);
-}
-
-
-void PQCLEAN_QTESLAPIII_CLEAN_decode_pk(int32_t *pk, uint8_t *seedA, const uint8_t *pk_in) {
- // Decode public key pk
- size_t i, j;
- int32_t mask30 = (1 << PARAM_Q_LOG) - 1;
- const uint8_t *a = pk_in;
-
- for (i = 0, j = 0; i < PARAM_N * PARAM_K; i += 4, j += 15) {
- pk[i ] = (int32_t)(( a[j ] | (a[j + 1] << 8) | (a[j + 2] << 16) | (int32_t)((uint32_t)a[j + 3] << 24) ) & mask30);
- pk[i + 1] = (int32_t)(((a[j + 3] >> 6) | (a[j + 4] << 2) | (a[j + 5] << 10) | (a[j + 6] << 18) | (int32_t)((uint32_t)a[j + 7] << 26)) & mask30);
- pk[i + 2] = (int32_t)(((a[j + 7] >> 4) | (a[j + 8] << 4) | (a[j + 9] << 12) | (a[j + 10] << 20) | (int32_t)((uint32_t)a[j + 11] << 28)) & mask30);
- pk[i + 3] = (int32_t)( (a[j + 11] >> 2) | (a[j + 12] << 6) | (a[j + 13] << 14) | (a[j + 14] << 22) );
- }
-
- memcpy(seedA, &pk_in[j], CRYPTO_SEEDBYTES);
-}
-
-
-void PQCLEAN_QTESLAPIII_CLEAN_encode_sig(uint8_t *sm, uint8_t *c, const poly z) {
- // Encode signature sm
- size_t i, j;
-
- for (i = 0, j = 0; i < PARAM_N; i += 4, j += 11) {
- sm[j ] = (uint8_t)( z[i ] );
- sm[j + 1] = (uint8_t)( z[i ] >> 8);
- sm[j + 2] = (uint8_t)(((z[i ] >> 16) & 0x3F) | ((uint64_t)z[i + 1] << 6));
- sm[j + 3] = (uint8_t)( z[i + 1] >> 2);
- sm[j + 4] = (uint8_t)( z[i + 1] >> 10);
- sm[j + 5] = (uint8_t)(((z[i + 1] >> 18) & 0x0F) | ((uint64_t)z[i + 2] << 4));
- sm[j + 6] = (uint8_t)( z[i + 2] >> 4);
- sm[j + 7] = (uint8_t)( z[i + 2] >> 12);
- sm[j + 8] = (uint8_t)(((z[i + 2] >> 20) & 0x03) | ((uint64_t)z[i + 3] << 2));
- sm[j + 9] = (uint8_t)( z[i + 3] >> 6);
- sm[j + 10] = (uint8_t)( z[i + 3] >> 14);
- }
-
- memcpy(&sm[j], c, CRYPTO_C_BYTES);
-}
-
-
-void PQCLEAN_QTESLAPIII_CLEAN_decode_sig(uint8_t *c, poly z, const uint8_t *sm) {
- // Decode signature sm
- size_t i, j;
-
- for (i = 0, j = 0; i < PARAM_N; i += 4, j += 11) {
- z[i ] = sm[j ] | (sm[j + 1] << 8) | ((int64_t)((uint64_t)sm[j + 2] << 58) >> 42);
- z[i + 1] = (sm[j + 2] >> 6) | (sm[j + 3] << 2) | (sm[j + 4] << 10) | ((int64_t)((uint64_t)sm[j + 5] << 60) >> 42);
- z[i + 2] = (sm[j + 5] >> 4) | (sm[j + 6] << 4) | (sm[j + 7] << 12) | ((int64_t)((uint64_t)sm[j + 8] << 62) >> 42);
- z[i + 3] = (sm[j + 8] >> 2) | (sm[j + 9] << 6) | ((int64_t)((uint64_t)sm[j + 10] << 56) >> 42);
- }
-
- memcpy(c, &sm[j], CRYPTO_C_BYTES);
-}
diff --git a/crypto_sign/qtesla-p-III/clean/pack.h b/crypto_sign/qtesla-p-III/clean/pack.h
deleted file mode 100644
index 1c361187..00000000
--- a/crypto_sign/qtesla-p-III/clean/pack.h
+++ /dev/null
@@ -1,13 +0,0 @@
-#ifndef PQCLEAN_QTESLAPIII_CLEAN_PACK_H
-#define PQCLEAN_QTESLAPIII_CLEAN_PACK_H
-
-#include "poly.h"
-#include
-
-void PQCLEAN_QTESLAPIII_CLEAN_pack_sk(uint8_t *sk, const poly s, const poly_k e, uint8_t *seeds);
-void PQCLEAN_QTESLAPIII_CLEAN_encode_pk(uint8_t *pk, const poly_k t, const uint8_t *seedA);
-void PQCLEAN_QTESLAPIII_CLEAN_decode_pk(int32_t *pk, uint8_t *seedA, const uint8_t *pk_in);
-void PQCLEAN_QTESLAPIII_CLEAN_encode_sig(uint8_t *sm, uint8_t *c, const poly z);
-void PQCLEAN_QTESLAPIII_CLEAN_decode_sig(uint8_t *c, poly z, const uint8_t *sm);
-
-#endif
diff --git a/crypto_sign/qtesla-p-III/clean/params.h b/crypto_sign/qtesla-p-III/clean/params.h
deleted file mode 100644
index d7caede7..00000000
--- a/crypto_sign/qtesla-p-III/clean/params.h
+++ /dev/null
@@ -1,42 +0,0 @@
-#ifndef PQCLEAN_QTESLAPIII_CLEAN_PARAMS_H
-#define PQCLEAN_QTESLAPIII_CLEAN_PARAMS_H
-
-/*************************************************************************************
-* qTESLA: an efficient post-quantum signature scheme based on the R-LWE problem
-*
-* Abstract: provably-secure qTESLA parameters
-**************************************************************************************/
-
-#define PARAM_N 2048
-#define PARAM_N_LOG 11
-#define PARAM_SIGMA 8.5
-#define PARAM_Q 856145921
-#define PARAM_Q_LOG 30
-#define PARAM_QINV 587710463
-#define PARAM_BARR_MULT 5
-#define PARAM_BARR_DIV 32
-#define PARAM_B 2097151
-#define PARAM_B_BITS 21
-#define PARAM_S_BITS 8
-#define PARAM_K 5
-#define PARAM_SIGMA_E PARAM_SIGMA
-#define PARAM_H 40
-#define PARAM_D 24
-#define PARAM_GEN_A 180
-#define PARAM_KEYGEN_BOUND_E 901
-#define PARAM_E PARAM_KEYGEN_BOUND_E
-#define PARAM_KEYGEN_BOUND_S 901
-#define PARAM_S PARAM_KEYGEN_BOUND_S
-#define PARAM_R2_INVN 513161157
-#define PARAM_R 14237691
-
-#define SHAKE shake256
-#define cSHAKE cshake256
-#define SHAKE_RATE SHAKE256_RATE
-
-#define CRYPTO_RANDOMBYTES 32
-#define CRYPTO_SEEDBYTES 32
-#define CRYPTO_C_BYTES 32
-#define HM_BYTES 64
-
-#endif
diff --git a/crypto_sign/qtesla-p-III/clean/poly.c b/crypto_sign/qtesla-p-III/clean/poly.c
deleted file mode 100644
index e0cb51f4..00000000
--- a/crypto_sign/qtesla-p-III/clean/poly.c
+++ /dev/null
@@ -1,246 +0,0 @@
-/*************************************************************************************
-* qTESLA: an efficient post-quantum signature scheme based on the R-LWE problem
-*
-* Abstract: NTT, modular reduction and polynomial functions
-**************************************************************************************/
-
-#include "api.h"
-#include "poly.h"
-#include "sp800-185.h"
-
-extern const poly PQCLEAN_QTESLAPIII_CLEAN_zeta;
-extern const poly PQCLEAN_QTESLAPIII_CLEAN_zetainv;
-
-
-
-static int64_t reduce(int64_t a) {
- // Montgomery reduction
- int64_t u;
-
- u = ((uint64_t)a * PARAM_QINV) & 0xFFFFFFFF;
- u *= PARAM_Q;
- a += u;
- return a >> 32;
-}
-
-
-static int64_t barr_reduce(int64_t a) {
- // Barrett reduction
- int64_t u = (int64_t)((uint64_t)a * PARAM_BARR_MULT) >> PARAM_BARR_DIV;
- return a - u * PARAM_Q;
-}
-
-
-static void ntt(poly a, const poly w) {
- // Forward NTT transform
- size_t NumoProblems = PARAM_N >> 1, jTwiddle = 0;
-
- for (; NumoProblems > 0; NumoProblems >>= 1) {
- size_t jFirst, j = 0;
- for (jFirst = 0; jFirst < PARAM_N; jFirst = j + NumoProblems) {
- sdigit_t W = (sdigit_t)w[jTwiddle++];
- for (j = jFirst; j < jFirst + NumoProblems; j++) {
- int64_t temp = barr_reduce(reduce((int64_t)W * a[j + NumoProblems]));
- a[j + NumoProblems] = barr_reduce(a[j] + (2LL * PARAM_Q - temp));
- a[j] = barr_reduce(temp + a[j]);
- }
- }
- }
-}
-
-
-static void nttinv(poly a, const poly w) {
- // Inverse NTT transform
- size_t NumoProblems = 1, jTwiddle = 0;
- for (; NumoProblems < PARAM_N; NumoProblems *= 2) {
- size_t jFirst, j = 0;
- for (jFirst = 0; jFirst < PARAM_N; jFirst = j + NumoProblems) {
- sdigit_t W = (sdigit_t)w[jTwiddle++];
- for (j = jFirst; j < jFirst + NumoProblems; j++) {
- int64_t temp = a[j];
- a[j] = barr_reduce((temp + a[j + NumoProblems]));
- a[j + NumoProblems] = barr_reduce(reduce((int64_t)W * (temp + (2LL * PARAM_Q - a[j + NumoProblems]))));
- }
- }
- }
-}
-
-
-static void poly_pointwise(poly result, const poly x, const poly y) {
- // Pointwise polynomial multiplication result = x.y
-
- for (size_t i = 0; i < PARAM_N; i++) {
- result[i] = reduce(x[i] * y[i]);
- }
-}
-
-void PQCLEAN_QTESLAPIII_CLEAN_poly_ntt(poly x_ntt, const poly x) {
- // Call to NTT function. Avoids input destruction
-
- for (size_t i = 0; i < PARAM_N; i++) {
- x_ntt[i] = x[i];
- }
- ntt(x_ntt, PQCLEAN_QTESLAPIII_CLEAN_zeta);
-}
-
-
-void PQCLEAN_QTESLAPIII_CLEAN_poly_mul(poly result, const poly x, const poly y) {
- // Polynomial multiplication result = x*y, with in place reduction for (X^N+1)
- // The inputs x and y are assumed to be in NTT form
-
- poly_pointwise(result, x, y);
- nttinv(result, PQCLEAN_QTESLAPIII_CLEAN_zetainv);
-}
-
-
-void PQCLEAN_QTESLAPIII_CLEAN_poly_add(poly result, const poly x, const poly y) {
- // Polynomial addition result = x+y
-
- for (size_t i = 0; i < PARAM_N; i++) {
- result[i] = x[i] + y[i];
- }
-}
-
-
-void PQCLEAN_QTESLAPIII_CLEAN_poly_add_correct(poly result, const poly x, const poly y) {
- // Polynomial addition result = x+y with correction
-
- for (size_t i = 0; i < PARAM_N; i++) {
- result[i] = x[i] + y[i];
- result[i] -= PARAM_Q;
- result[i] += (result[i] >> (RADIX32 - 1)) & PARAM_Q; // If result[i] >= q then subtract q
- }
-}
-
-
-void PQCLEAN_QTESLAPIII_CLEAN_poly_sub(poly result, const poly x, const poly y) {
- // Polynomial subtraction result = x-y
-
- for (size_t i = 0; i < PARAM_N; i++) {
- result[i] = barr_reduce(x[i] - y[i]);
- }
-}
-
-/********************************************************************************************
-* Name: sparse_mul8
-* Description: performs sparse polynomial multiplication
-* Parameters: inputs:
-* - const uint8_t *s: part of the secret key
-* - const uint32_t pos_list[PARAM_H]: list of indices of nonzero elements in c
-* - const int16_t sign_list[PARAM_H]: list of signs of nonzero elements in c
-* outputs:
-* - poly prod: product of 2 polynomials
-*
-* Note: pos_list[] and sign_list[] contain public information since c is public
-*********************************************************************************************/
-void PQCLEAN_QTESLAPIII_CLEAN_sparse_mul8(poly prod, const uint8_t *s, const uint32_t pos_list[PARAM_H], const int16_t sign_list[PARAM_H]) {
- size_t i, j, pos;
- int8_t *t = (int8_t *)s;
-
- for (i = 0; i < PARAM_N; i++) {
- prod[i] = 0;
- }
-
- for (i = 0; i < PARAM_H; i++) {
- pos = pos_list[i];
- for (j = 0; j < pos; j++) {
- prod[j] = prod[j] - sign_list[i] * t[j + PARAM_N - pos];
- }
- for (j = pos; j < PARAM_N; j++) {
- prod[j] = prod[j] + sign_list[i] * t[j - pos];
- }
- }
-}
-
-/********************************************************************************************
-* Name: sparse_mul32
-* Description: performs sparse polynomial multiplication
-* Parameters: inputs:
-* - const int32_t* pk: part of the public key
-* - const uint32_t pos_list[PARAM_H]: list of indices of nonzero elements in c
-* - const int16_t sign_list[PARAM_H]: list of signs of nonzero elements in c
-* outputs:
-* - poly prod: product of 2 polynomials
-*********************************************************************************************/
-void PQCLEAN_QTESLAPIII_CLEAN_sparse_mul32(poly prod, const int32_t *pk, const uint32_t pos_list[PARAM_H], const int16_t sign_list[PARAM_H]) {
- size_t i, j, pos;
-
- for (i = 0; i < PARAM_N; i++) {
- prod[i] = 0;
- }
-
- for (i = 0; i < PARAM_H; i++) {
- pos = pos_list[i];
- for (j = 0; j < pos; j++) {
- prod[j] = prod[j] - sign_list[i] * pk[j + PARAM_N - pos];
- }
- for (j = pos; j < PARAM_N; j++) {
- prod[j] = prod[j] + sign_list[i] * pk[j - pos];
- }
- }
- for (i = 0; i < PARAM_N; i++) {
- prod[i] = barr_reduce(prod[i]);
- }
-}
-
-void PQCLEAN_QTESLAPIII_CLEAN_poly_uniform(poly_k a, const uint8_t *seed) {
- // Generation of polynomials "a_i"
- size_t pos = 0, i = 0, nbytes = (PARAM_Q_LOG + 7) / 8;
- size_t nblocks = PARAM_GEN_A;
- uint32_t val1, val2, val3, val4, mask = (uint32_t)(1 << PARAM_Q_LOG) - 1;
- uint8_t buf[SHAKE128_RATE * PARAM_GEN_A];
- uint16_t dmsp = 0;
- uint8_t dmsp_bytes[2];
- dmsp_bytes[0] = (uint8_t)(dmsp & 0xff);
- dmsp_bytes[1] = (uint8_t)(dmsp >> 8);
- cshake128(buf, SHAKE128_RATE * PARAM_GEN_A, (uint8_t *)NULL, 0, dmsp_bytes, 2, seed, CRYPTO_RANDOMBYTES);
- ++dmsp;
-
- while (i < PARAM_K * PARAM_N) {
- if (pos > SHAKE128_RATE * nblocks - 4 * nbytes) {
- nblocks = 1;
- dmsp_bytes[0] = (uint8_t)(dmsp & 0xff);
- dmsp_bytes[1] = (uint8_t)(dmsp >> 8);
- cshake128(buf, SHAKE128_RATE * nblocks, (uint8_t *)NULL, 0, dmsp_bytes, 2, seed, CRYPTO_RANDOMBYTES);
- ++dmsp;
- pos = 0;
- }
- val1 = ((uint32_t)(buf[pos])
- | ((uint32_t)buf[pos + 1] << 8)
- | ((uint32_t)buf[pos + 2] << 16)
- | ((uint32_t)buf[pos + 3] << 24))
- & mask;
- pos += nbytes;
- val2 = ((uint32_t)(buf[pos])
- | ((uint32_t)buf[pos + 1] << 8)
- | ((uint32_t)buf[pos + 2] << 16)
- | ((uint32_t)buf[pos + 3] << 24))
- & mask;
- pos += nbytes;
- val3 = ((uint32_t)(buf[pos])
- | ((uint32_t)buf[pos + 1] << 8)
- | ((uint32_t)buf[pos + 2] << 16)
- | ((uint32_t)buf[pos + 3] << 24))
- & mask;
- pos += nbytes;
- val4 = ((uint32_t)(buf[pos])
- | ((uint32_t)buf[pos + 1] << 8)
- | ((uint32_t)buf[pos + 2] << 16)
- | ((uint32_t)buf[pos + 3] << 24))
- & mask;
- pos += nbytes;
- if (val1 < PARAM_Q && i < PARAM_K * PARAM_N) {
- a[i++] = reduce((int64_t)val1 * PARAM_R2_INVN);
- }
- if (val2 < PARAM_Q && i < PARAM_K * PARAM_N) {
- a[i++] = reduce((int64_t)val2 * PARAM_R2_INVN);
- }
- if (val3 < PARAM_Q && i < PARAM_K * PARAM_N) {
- a[i++] = reduce((int64_t)val3 * PARAM_R2_INVN);
- }
- if (val4 < PARAM_Q && i < PARAM_K * PARAM_N) {
- a[i++] = reduce((int64_t)val4 * PARAM_R2_INVN);
- }
- }
-}
-
diff --git a/crypto_sign/qtesla-p-III/clean/poly.h b/crypto_sign/qtesla-p-III/clean/poly.h
deleted file mode 100644
index 5d8195c8..00000000
--- a/crypto_sign/qtesla-p-III/clean/poly.h
+++ /dev/null
@@ -1,20 +0,0 @@
-#ifndef PQCLEAN_QTESLAPIII_CLEAN_POLY_H
-#define PQCLEAN_QTESLAPIII_CLEAN_POLY_H
-
-#include "config.h"
-#include "params.h"
-#include
-
-typedef int64_t poly[PARAM_N];
-typedef int64_t poly_k[PARAM_N * PARAM_K];
-
-void PQCLEAN_QTESLAPIII_CLEAN_poly_ntt(poly x_ntt, const poly x);
-void PQCLEAN_QTESLAPIII_CLEAN_poly_mul(poly result, const poly x, const poly y);
-void PQCLEAN_QTESLAPIII_CLEAN_poly_add(poly result, const poly x, const poly y);
-void PQCLEAN_QTESLAPIII_CLEAN_poly_add_correct(poly result, const poly x, const poly y);
-void PQCLEAN_QTESLAPIII_CLEAN_poly_sub(poly result, const poly x, const poly y);
-void PQCLEAN_QTESLAPIII_CLEAN_sparse_mul8(poly prod, const uint8_t *s, const uint32_t pos_list[PARAM_H], const int16_t sign_list[PARAM_H]);
-void PQCLEAN_QTESLAPIII_CLEAN_sparse_mul32(poly prod, const int32_t *pk, const uint32_t pos_list[PARAM_H], const int16_t sign_list[PARAM_H]);
-void PQCLEAN_QTESLAPIII_CLEAN_poly_uniform(poly_k a, const uint8_t *seed);
-
-#endif
diff --git a/crypto_sign/qtesla-p-III/clean/sample.c b/crypto_sign/qtesla-p-III/clean/sample.c
deleted file mode 100644
index 08cdf3ee..00000000
--- a/crypto_sign/qtesla-p-III/clean/sample.c
+++ /dev/null
@@ -1,89 +0,0 @@
-/*************************************************************************************
-* qTESLA: an efficient post-quantum signature scheme based on the R-LWE problem
-*
-* Abstract: sampling functions
-**************************************************************************************/
-
-#include "api.h"
-#include "params.h"
-#include "sample.h"
-#include "sp800-185.h"
-
-#define NBLOCKS_SHAKE (SHAKE_RATE/(((PARAM_B_BITS+1)+7)/8))
-#define BPLUS1BYTES (((PARAM_B_BITS+1)+7)/8)
-
-
-void PQCLEAN_QTESLAPIII_CLEAN_sample_y(poly y, const uint8_t *seed, uint16_t nonce) {
- // Sample polynomial y, such that each coefficient is in the range [-B,B]
- size_t i = 0, pos = 0, nblocks = PARAM_N;
- uint8_t buf[PARAM_N * BPLUS1BYTES + 1];
- uint16_t dmsp = (uint16_t)(nonce << 8);
- uint8_t dmsp_bytes[2];
-
- dmsp_bytes[0] = (uint8_t)(dmsp & 0xff);
- dmsp_bytes[1] = (uint8_t)(dmsp >> 8);
- cSHAKE(buf, PARAM_N * BPLUS1BYTES, (uint8_t *)NULL, 0, dmsp_bytes, 2, seed, CRYPTO_RANDOMBYTES);
- ++dmsp;
-
- while (i < PARAM_N) {
- if (pos >= nblocks * BPLUS1BYTES) {
- nblocks = NBLOCKS_SHAKE;
- dmsp_bytes[0] = (uint8_t)(dmsp & 0xff);
- dmsp_bytes[1] = (uint8_t)(dmsp >> 8);
- cSHAKE(buf, SHAKE_RATE, (uint8_t *)NULL, 0, dmsp_bytes, 2, seed, CRYPTO_RANDOMBYTES);
- ++dmsp;
- pos = 0;
- }
- y[i] = (uint32_t)((buf[pos] | (buf[pos + 1] << 8) | (buf[pos + 2] << 16)) & ((1 << (PARAM_B_BITS + 1)) - 1));
- y[i] -= PARAM_B;
- if (y[i] != (1 << PARAM_B_BITS)) {
- i++;
- }
- pos += BPLUS1BYTES;
- }
-}
-
-
-void PQCLEAN_QTESLAPIII_CLEAN_encode_c(uint32_t *pos_list, int16_t *sign_list, uint8_t *c_bin) {
- // Encoding of c' by mapping the output of the hash function H to an N-element vector with entries {-1,0,1}
- size_t i, pos, cnt = 0;
- int16_t c[PARAM_N];
- uint8_t r[SHAKE128_RATE];
- uint16_t dmsp = 0;
- uint8_t dmsp_bytes[2];
-
- // Use the hash value as key to generate some randomness
- dmsp_bytes[0] = (uint8_t)(dmsp & 0xff);
- dmsp_bytes[1] = (uint8_t)(dmsp >> 8);
- cshake128(r, SHAKE128_RATE, (uint8_t *)NULL, 0, dmsp_bytes, 2, c_bin, CRYPTO_RANDOMBYTES);
- ++dmsp;
-
- // Use rejection sampling to determine positions to be set in the new vector
- for (i = 0; i < PARAM_N; i++) {
- c[i] = 0;
- }
-
- for (i = 0; i < PARAM_H;) { // Sample a unique position k times. Use two bytes
- if (cnt > (SHAKE128_RATE - 3)) {
- dmsp_bytes[0] = (uint8_t)(dmsp & 0xff);
- dmsp_bytes[1] = (uint8_t)(dmsp >> 8);
- cshake128(r, SHAKE128_RATE, (uint8_t *)NULL, 0, dmsp_bytes, 2, c_bin, CRYPTO_RANDOMBYTES);
- ++dmsp;
- cnt = 0;
- }
- pos = (size_t)((r[cnt] << 8) | (r[cnt + 1]));
- pos = pos & (PARAM_N - 1); // Position is in the range [0,N-1]
-
- if (c[pos] == 0) { // Position has not been set yet. Determine sign
- if ((r[cnt + 2] & 1) == 1) {
- c[pos] = -1;
- } else {
- c[pos] = 1;
- }
- pos_list[i] = (uint32_t)pos;
- sign_list[i] = c[pos];
- i++;
- }
- cnt += 3;
- }
-}
diff --git a/crypto_sign/qtesla-p-III/clean/sample.h b/crypto_sign/qtesla-p-III/clean/sample.h
deleted file mode 100644
index 2c9669e7..00000000
--- a/crypto_sign/qtesla-p-III/clean/sample.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_QTESLAPIII_CLEAN_SAMPLE_H
-#define PQCLEAN_QTESLAPIII_CLEAN_SAMPLE_H
-
-#include "params.h"
-#include "poly.h"
-#include
-
-void PQCLEAN_QTESLAPIII_CLEAN_sample_y(poly y, const uint8_t *seed, uint16_t nonce);
-void PQCLEAN_QTESLAPIII_CLEAN_encode_c(uint32_t *pos_list, int16_t *sign_list, uint8_t *c_bin);
-
-#endif
diff --git a/crypto_sign/qtesla-p-III/clean/sign.c b/crypto_sign/qtesla-p-III/clean/sign.c
deleted file mode 100644
index ab37d18e..00000000
--- a/crypto_sign/qtesla-p-III/clean/sign.c
+++ /dev/null
@@ -1,403 +0,0 @@
-/*************************************************************************************
-* qTESLA: an efficient post-quantum signature scheme based on the R-LWE problem
-*
-* Abstract: high-level functions of the signature scheme
-**************************************************************************************/
-
-#include "api.h"
-#include "fips202.h"
-#include "gauss.h"
-#include "pack.h"
-#include "params.h"
-#include "poly.h"
-#include "randombytes.h"
-#include "sample.h"
-#include
-#include
-
-static void hash_H(uint8_t *c_bin, const poly_k v, const uint8_t *hm) {
- // Hash-based function H to generate c'
- uint8_t t[PARAM_K * PARAM_N + HM_BYTES];
- int32_t mask, cL, temp;
- size_t i, k, index;
-
- for (k = 0; k < PARAM_K; k++) {
- index = k * PARAM_N;
- for (i = 0; i < PARAM_N; i++) {
- temp = (int32_t)v[index];
- // If v[i] > PARAM_Q/2 then v[i] -= PARAM_Q
- mask = (PARAM_Q / 2 - temp) >> (RADIX32 - 1);
- temp = ((temp - PARAM_Q) & mask) | (temp & ~mask);
-
- cL = temp & ((1 << PARAM_D) - 1);
- // If cL > 2^(d-1) then cL -= 2^d
- mask = ((1 << (PARAM_D - 1)) - cL) >> (RADIX32 - 1);
- cL = ((cL - (1 << PARAM_D)) & mask) | (cL & ~mask);
- t[index++] = (uint8_t)((temp - cL) >> PARAM_D);
- }
- }
- memcpy(&t[PARAM_K * PARAM_N], hm, HM_BYTES);
- SHAKE(c_bin, CRYPTO_C_BYTES, t, PARAM_K * PARAM_N + HM_BYTES);
-}
-
-
-static inline int32_t Abs(int32_t value) {
- // Compute absolute value
-
- int32_t mask = value >> (RADIX32 - 1);
- return (mask ^ value) - mask;
-}
-
-
-static int test_rejection(const poly z) {
- // Check bounds for signature vector z during signing. Returns 0 if valid, otherwise outputs 1 if invalid (rejected).
- // This function does not leak any information about the coefficient that fails the test.
- uint32_t valid = 0;
-
- for (size_t i = 0; i < PARAM_N; i++) {
- valid |= (PARAM_B - PARAM_S) - (uint32_t)Abs((int32_t)z[i]);
- }
- return (int)(valid >> 31);
-}
-
-
-static int test_correctness(const poly v) {
- // Check bounds for w = v - ec during signature verification. Returns 0 if valid, otherwise outputs 1 if invalid (rejected).
- // This function leaks the position of the coefficient that fails the test (but this is independent of the secret data).
- // It does not leak the sign of the coefficients.
- int32_t mask, left, val;
- uint32_t t0, t1;
-
- for (size_t i = 0; i < PARAM_N; i++) {
- // If v[i] > PARAM_Q/2 then v[i] -= PARAM_Q
- mask = (int32_t)(PARAM_Q / 2 - v[i]) >> (RADIX32 - 1);
- val = (int32_t)(((v[i] - PARAM_Q) & mask) | (v[i] & ~mask));
- // If (Abs(val) < PARAM_Q/2 - PARAM_E) then t0 = 0, else t0 = 1
- t0 = (uint32_t)(~(Abs(val) - (PARAM_Q / 2 - PARAM_E))) >> (RADIX32 - 1);
-
- left = val;
- val = (val + (1 << (PARAM_D - 1)) - 1) >> PARAM_D;
- val = left - (int32_t)((uint32_t)val << PARAM_D);
- // If (Abs(val) < (1<<(PARAM_D-1))-PARAM_E) then t1 = 0, else t1 = 1
- t1 = (uint32_t)(~(Abs(val) - ((1 << (PARAM_D - 1)) - PARAM_E))) >> (RADIX32 - 1);
-
- if ((t0 | t1) == 1) { // Returns 1 if any of the two tests failed
- return 1;
- }
- }
- return 0;
-}
-
-
-static int test_z(const poly z) {
- // Check bounds for signature vector z during signature verification
- // Returns 0 if valid, otherwise outputs 1 if invalid (rejected)
-
- for (size_t i = 0; i < PARAM_N; i++) {
- if (z[i] < -(PARAM_B - PARAM_S) || z[i] > (PARAM_B - PARAM_S)) {
- return 1;
- }
- }
- return 0;
-}
-
-
-static int check_ES(poly p, unsigned int bound) {
- // Checks the generated polynomial e or s
- // Returns 0 if ok, otherwise returns 1
- unsigned int sum = 0;
- size_t i, j, limit = PARAM_N;
- int32_t temp, mask, list[PARAM_N];
-
- for (j = 0; j < PARAM_N; j++) {
- list[j] = Abs((int32_t)p[j]);
- }
-
- for (j = 0; j < PARAM_H; j++) {
- for (i = 0; i < limit - 1; i++) {
- // If list[i+1] > list[i] then exchange contents
- mask = (list[i + 1] - list[i]) >> (RADIX32 - 1);
- temp = (list[i + 1] & mask) | (list[i] & ~mask);
- list[i + 1] = (list[i] & mask) | (list[i + 1] & ~mask);
- list[i] = temp;
- }
- sum += (unsigned int)list[limit - 1];
- limit -= 1;
- }
-
- if (sum > bound) {
- return 1;
- }
- return 0;
-}
-
-
-/*********************************************************
-* Name: crypto_sign_keypair
-* Description: generates a public and private key pair
-* Parameters: inputs: none
-* outputs:
-* - uint8_t *pk: public key
-* - uint8_t *sk: secret key
-* Returns: 0 for successful execution
-**********************************************************/
-int PQCLEAN_QTESLAPIII_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
- uint8_t randomness[CRYPTO_RANDOMBYTES], randomness_extended[(PARAM_K + 3)*CRYPTO_SEEDBYTES];
- poly s, s_ntt;
- poly_k e, a, t;
- size_t k; // Initialize domain separator for error and secret polynomials
- uint16_t nonce = 0;
-
- // Get randomness_extended <- seed_e, seed_s, seed_a, seed_y
- randombytes(randomness, CRYPTO_RANDOMBYTES);
- SHAKE(randomness_extended, (PARAM_K + 3)*CRYPTO_SEEDBYTES, randomness, CRYPTO_RANDOMBYTES);
-
- for (k = 0; k < PARAM_K; k++) {
- do { // Sample the error polynomials
- PQCLEAN_QTESLAPIII_CLEAN_sample_gauss_poly(&e[k * PARAM_N], &randomness_extended[k * CRYPTO_SEEDBYTES], ++nonce);
- } while (check_ES(&e[k * PARAM_N], PARAM_KEYGEN_BOUND_E) != 0);
- }
-
- do { // Sample the secret polynomial
- PQCLEAN_QTESLAPIII_CLEAN_sample_gauss_poly(s, &randomness_extended[PARAM_K * CRYPTO_SEEDBYTES], ++nonce);
- } while (check_ES(s, PARAM_KEYGEN_BOUND_S) != 0);
-
- // Generate uniform polynomial "a"
- PQCLEAN_QTESLAPIII_CLEAN_poly_uniform(a, &randomness_extended[(PARAM_K + 1)*CRYPTO_SEEDBYTES]);
- PQCLEAN_QTESLAPIII_CLEAN_poly_ntt(s_ntt, s);
-
- // Compute the public key t = as+e
- for (k = 0; k < PARAM_K; k++) {
- PQCLEAN_QTESLAPIII_CLEAN_poly_mul(&t[k * PARAM_N], &a[k * PARAM_N], s_ntt);
- PQCLEAN_QTESLAPIII_CLEAN_poly_add_correct(&t[k * PARAM_N], &t[k * PARAM_N], &e[k * PARAM_N]);
- }
-
- // Pack public and private keys
- PQCLEAN_QTESLAPIII_CLEAN_pack_sk(sk, s, e, &randomness_extended[(PARAM_K + 1)*CRYPTO_SEEDBYTES]);
- PQCLEAN_QTESLAPIII_CLEAN_encode_pk(pk, t, &randomness_extended[(PARAM_K + 1)*CRYPTO_SEEDBYTES]);
-
- return 0;
-}
-
-
-/***************************************************************
-* Name: crypto_sign
-* Description: outputs a signature for a given message m
-* Parameters: inputs:
-* - const uint8_t *m: message to be signed
-* - size_t mlen: message length
-* - const uint8_t* sk: secret key
-* outputs:
-* - uint8_t *sm: signature
-* - size_t *smlen: signature length*
-* Returns: 0 for successful execution
-***************************************************************/
-int PQCLEAN_QTESLAPIII_CLEAN_crypto_sign(uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, const uint8_t *sk) {
- uint8_t c[CRYPTO_C_BYTES], randomness[CRYPTO_SEEDBYTES], randomness_input[CRYPTO_RANDOMBYTES + CRYPTO_SEEDBYTES + HM_BYTES];
- uint32_t pos_list[PARAM_H];
- int16_t sign_list[PARAM_H];
- poly y, y_ntt, Sc, z;
- poly_k v, Ec, a;
- size_t k;
- int rsp;
- uint16_t nonce = 0; // Initialize domain separator for sampling y
-
- // Get H(seed_y, r, H(m)) to sample y
- randombytes(randomness_input + CRYPTO_RANDOMBYTES, CRYPTO_RANDOMBYTES);
- memcpy(randomness_input, &sk[PQCLEAN_QTESLAPIII_CLEAN_CRYPTO_SECRETKEYBYTES - CRYPTO_SEEDBYTES], CRYPTO_SEEDBYTES);
- SHAKE(randomness_input + CRYPTO_RANDOMBYTES + CRYPTO_SEEDBYTES, HM_BYTES, m, mlen);
- SHAKE(randomness, CRYPTO_SEEDBYTES, randomness_input, CRYPTO_RANDOMBYTES + CRYPTO_SEEDBYTES + HM_BYTES);
-
- PQCLEAN_QTESLAPIII_CLEAN_poly_uniform(a, &sk[PQCLEAN_QTESLAPIII_CLEAN_CRYPTO_SECRETKEYBYTES - 2 * CRYPTO_SEEDBYTES]);
-
- while (1) {
- PQCLEAN_QTESLAPIII_CLEAN_sample_y(y, randomness, ++nonce); // Sample y uniformly at random from [-B,B]
- PQCLEAN_QTESLAPIII_CLEAN_poly_ntt (y_ntt, y);
- for (k = 0; k < PARAM_K; k++) {
- PQCLEAN_QTESLAPIII_CLEAN_poly_mul(&v[k * PARAM_N], &a[k * PARAM_N], y_ntt);
- }
- hash_H(c, v, randomness_input + CRYPTO_RANDOMBYTES + CRYPTO_SEEDBYTES);
- PQCLEAN_QTESLAPIII_CLEAN_encode_c(pos_list, sign_list, c); // Generate c = Enc(c'), where c' is the hashing of v together with m
- PQCLEAN_QTESLAPIII_CLEAN_sparse_mul8(Sc, sk, pos_list, sign_list);
- PQCLEAN_QTESLAPIII_CLEAN_poly_add(z, y, Sc); // Compute z = y + sc
-
- if (test_rejection(z) != 0) { // Rejection sampling
- continue;
- }
-
- for (k = 0; k < PARAM_K; k++) {
- PQCLEAN_QTESLAPIII_CLEAN_sparse_mul8(&Ec[k * PARAM_N], sk + (sizeof(int8_t)*PARAM_N * (k + 1)), pos_list, sign_list);
- PQCLEAN_QTESLAPIII_CLEAN_poly_sub(&v[k * PARAM_N], &v[k * PARAM_N], &Ec[k * PARAM_N]);
- rsp = test_correctness(&v[k * PARAM_N]);
- if (rsp != 0) {
- break;
- }
- }
- if (rsp != 0) {
- continue;
- }
-
- // Copy message to signature package, and pack signature
- for (size_t i = 0; i < mlen; i++) {
- sm[PQCLEAN_QTESLAPIII_CLEAN_CRYPTO_BYTES + i] = m[i];
- }
- *smlen = PQCLEAN_QTESLAPIII_CLEAN_CRYPTO_BYTES + mlen;
- PQCLEAN_QTESLAPIII_CLEAN_encode_sig(sm, c, z);
-
- return 0;
- }
-}
-
-
-/************************************************************
-* Name: crypto_sign_open
-* Description: verification of a signature sm
-* Parameters: inputs:
-* - const uint8_t *sm: signature
-* - size_t smlen: signature length
-* - const uint8_t* pk: public Key
-* outputs:
-* - uint8_t *m: original (signed) message
-* - size_t *mlen: message length*
-* Returns: 0 for valid signature
-* <0 for invalid signature
-************************************************************/
-int PQCLEAN_QTESLAPIII_CLEAN_crypto_sign_open(uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, const uint8_t *pk) {
- uint8_t c[CRYPTO_C_BYTES], c_sig[CRYPTO_C_BYTES], seed[CRYPTO_SEEDBYTES], hm[HM_BYTES];
- uint32_t pos_list[PARAM_H];
- int16_t sign_list[PARAM_H];
- int32_t pk_t[PARAM_N * PARAM_K];
- poly_k w, a, Tc;
- poly z, z_ntt;
- size_t k;
-
- if (smlen < PQCLEAN_QTESLAPIII_CLEAN_CRYPTO_BYTES) {
- return -1;
- }
-
- PQCLEAN_QTESLAPIII_CLEAN_decode_sig(c, z, sm);
- if (test_z(z) != 0) {
- return -2; // Check norm of z
- }
- PQCLEAN_QTESLAPIII_CLEAN_decode_pk(pk_t, seed, pk);
- PQCLEAN_QTESLAPIII_CLEAN_poly_uniform(a, seed);
- PQCLEAN_QTESLAPIII_CLEAN_encode_c(pos_list, sign_list, c);
- PQCLEAN_QTESLAPIII_CLEAN_poly_ntt(z_ntt, z);
-
- for (k = 0; k < PARAM_K; k++) { // Compute w = az - tc
- PQCLEAN_QTESLAPIII_CLEAN_sparse_mul32(&Tc[k * PARAM_N], &pk_t[k * PARAM_N], pos_list, sign_list);
- PQCLEAN_QTESLAPIII_CLEAN_poly_mul(&w[k * PARAM_N], &a[k * PARAM_N], z_ntt);
- PQCLEAN_QTESLAPIII_CLEAN_poly_sub(&w[k * PARAM_N], &w[k * PARAM_N], &Tc[k * PARAM_N]);
- }
- SHAKE(hm, HM_BYTES, sm + PQCLEAN_QTESLAPIII_CLEAN_CRYPTO_BYTES, smlen - PQCLEAN_QTESLAPIII_CLEAN_CRYPTO_BYTES);
- hash_H(c_sig, w, hm);
-
- // Check if the calculated c matches c from the signature
- if (memcmp(c, c_sig, CRYPTO_C_BYTES) != 0) {
- return -3;
- }
-
- *mlen = smlen - PQCLEAN_QTESLAPIII_CLEAN_CRYPTO_BYTES;
- for (size_t i = 0; i < *mlen; i++) {
- m[i] = sm[PQCLEAN_QTESLAPIII_CLEAN_CRYPTO_BYTES + i];
- }
-
- return 0;
-}
-
-int PQCLEAN_QTESLAPIII_CLEAN_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk) {
- uint8_t c[CRYPTO_C_BYTES], randomness[CRYPTO_SEEDBYTES], randomness_input[CRYPTO_RANDOMBYTES + CRYPTO_SEEDBYTES + HM_BYTES];
- uint32_t pos_list[PARAM_H];
- int16_t sign_list[PARAM_H];
- poly y, y_ntt, Sc, z;
- poly_k v, Ec, a;
- size_t k;
- int rsp;
- uint16_t nonce = 0; // Initialize domain separator for sampling y
-
- // Get H(seed_y, r, H(m)) to sample y
- randombytes(randomness_input + CRYPTO_RANDOMBYTES, CRYPTO_RANDOMBYTES);
- memcpy(randomness_input, &sk[PQCLEAN_QTESLAPIII_CLEAN_CRYPTO_SECRETKEYBYTES - CRYPTO_SEEDBYTES], CRYPTO_SEEDBYTES);
- SHAKE(randomness_input + CRYPTO_RANDOMBYTES + CRYPTO_SEEDBYTES, HM_BYTES, m, mlen);
- SHAKE(randomness, CRYPTO_SEEDBYTES, randomness_input, CRYPTO_RANDOMBYTES + CRYPTO_SEEDBYTES + HM_BYTES);
-
- PQCLEAN_QTESLAPIII_CLEAN_poly_uniform(a, &sk[PQCLEAN_QTESLAPIII_CLEAN_CRYPTO_SECRETKEYBYTES - 2 * CRYPTO_SEEDBYTES]);
-
- while (1) {
- PQCLEAN_QTESLAPIII_CLEAN_sample_y(y, randomness, ++nonce); // Sample y uniformly at random from [-B,B]
- PQCLEAN_QTESLAPIII_CLEAN_poly_ntt (y_ntt, y);
- for (k = 0; k < PARAM_K; k++) {
- PQCLEAN_QTESLAPIII_CLEAN_poly_mul(&v[k * PARAM_N], &a[k * PARAM_N], y_ntt);
- }
- hash_H(c, v, randomness_input + CRYPTO_RANDOMBYTES + CRYPTO_SEEDBYTES);
- PQCLEAN_QTESLAPIII_CLEAN_encode_c(pos_list, sign_list, c); // Generate c = Enc(c'), where c' is the hashing of v together with m
- PQCLEAN_QTESLAPIII_CLEAN_sparse_mul8(Sc, sk, pos_list, sign_list);
- PQCLEAN_QTESLAPIII_CLEAN_poly_add(z, y, Sc); // Compute z = y + sc
-
- if (test_rejection(z) != 0) { // Rejection sampling
- continue;
- }
-
- for (k = 0; k < PARAM_K; k++) {
- PQCLEAN_QTESLAPIII_CLEAN_sparse_mul8(&Ec[k * PARAM_N], sk + (sizeof(int8_t)*PARAM_N * (k + 1)), pos_list, sign_list);
- PQCLEAN_QTESLAPIII_CLEAN_poly_sub(&v[k * PARAM_N], &v[k * PARAM_N], &Ec[k * PARAM_N]);
- rsp = test_correctness(&v[k * PARAM_N]);
- if (rsp != 0) {
- break;
- }
- }
- if (rsp != 0) {
- continue;
- }
-
- // pack signature
- *siglen = PQCLEAN_QTESLAPIII_CLEAN_CRYPTO_BYTES;
- PQCLEAN_QTESLAPIII_CLEAN_encode_sig(sig, c, z);
-
- return 0;
- }
-}
-
-int PQCLEAN_QTESLAPIII_CLEAN_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk) {
- uint8_t c[CRYPTO_C_BYTES], c_sig[CRYPTO_C_BYTES], seed[CRYPTO_SEEDBYTES], hm[HM_BYTES];
- uint32_t pos_list[PARAM_H];
- int16_t sign_list[PARAM_H];
- int32_t pk_t[PARAM_N * PARAM_K];
- poly_k w, a, Tc;
- poly z, z_ntt;
- size_t k;
-
- if (siglen < PQCLEAN_QTESLAPIII_CLEAN_CRYPTO_BYTES) {
- return -1;
- }
-
- PQCLEAN_QTESLAPIII_CLEAN_decode_sig(c, z, sig);
- if (test_z(z) != 0) {
- return -2; // Check norm of z
- }
- PQCLEAN_QTESLAPIII_CLEAN_decode_pk(pk_t, seed, pk);
- PQCLEAN_QTESLAPIII_CLEAN_poly_uniform(a, seed);
- PQCLEAN_QTESLAPIII_CLEAN_encode_c(pos_list, sign_list, c);
- PQCLEAN_QTESLAPIII_CLEAN_poly_ntt(z_ntt, z);
-
- for (k = 0; k < PARAM_K; k++) { // Compute w = az - tc
- PQCLEAN_QTESLAPIII_CLEAN_sparse_mul32(&Tc[k * PARAM_N], &pk_t[k * PARAM_N], pos_list, sign_list);
- PQCLEAN_QTESLAPIII_CLEAN_poly_mul(&w[k * PARAM_N], &a[k * PARAM_N], z_ntt);
- PQCLEAN_QTESLAPIII_CLEAN_poly_sub(&w[k * PARAM_N], &w[k * PARAM_N], &Tc[k * PARAM_N]);
- }
- SHAKE(hm, HM_BYTES, m, mlen);
- hash_H(c_sig, w, hm);
-
- // Check if the calculated c matches c from the signature
- if (memcmp(c, c_sig, CRYPTO_C_BYTES) != 0) {
- return -3;
- }
-
- return 0;
-}
diff --git a/test/duplicate_consistency/babybear-ephem_clean.yml b/test/duplicate_consistency/babybear-ephem_clean.yml
deleted file mode 100644
index aa916ee4..00000000
--- a/test/duplicate_consistency/babybear-ephem_clean.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-consistency_checks:
-- source:
- scheme: mamabear-ephem
- implementation: clean
- files:
- - kem.c
- - melas_fec.c
- - melas_fec.h
- - ring.c
- - ring.h
- - threebears.c
-- source:
- scheme: papabear-ephem
- implementation: clean
- files:
- - kem.c
- - melas_fec.c
- - melas_fec.h
- - ring.c
- - ring.h
- - threebears.c
diff --git a/test/duplicate_consistency/babybear_clean.yml b/test/duplicate_consistency/babybear_clean.yml
deleted file mode 100644
index 39392453..00000000
--- a/test/duplicate_consistency/babybear_clean.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-consistency_checks:
-- source:
- scheme: mamabear
- implementation: clean
- files:
- - kem.c
- - melas_fec.c
- - melas_fec.h
- - ring.c
- - ring.h
- - threebears.c
-- source:
- scheme: papabear
- implementation: clean
- files:
- - kem.c
- - melas_fec.c
- - melas_fec.h
- - ring.c
- - ring.h
- - threebears.c
diff --git a/test/duplicate_consistency/ledakemlt12_leaktime.yml b/test/duplicate_consistency/ledakemlt12_leaktime.yml
deleted file mode 100644
index cc7cea1f..00000000
--- a/test/duplicate_consistency/ledakemlt12_leaktime.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-consistency_checks:
-- source:
- scheme: ledakemlt32
- implementation: leaktime
- files:
- - bf_decoding.c
- - dfr_test.c
- - dfr_test.h
- - gf2x_arith.c
- - H_Q_matrices_generation.c
- - H_Q_matrices_generation.h
- - kem.c
- - niederreiter.c
- - niederreiter.h
- - rng.c
- - rng.h
- - utils.c
- - utils.h
-- source:
- scheme: ledakemlt52
- implementation: leaktime
- files:
- - bf_decoding.c
- - dfr_test.c
- - dfr_test.h
- - gf2x_arith.c
- - H_Q_matrices_generation.c
- - H_Q_matrices_generation.h
- - kem.c
- - niederreiter.c
- - niederreiter.h
- - rng.h
- - utils.c
- - utils.h
diff --git a/test/duplicate_consistency/ledakemlt32_leaktime.yml b/test/duplicate_consistency/ledakemlt32_leaktime.yml
deleted file mode 100644
index c3abc67c..00000000
--- a/test/duplicate_consistency/ledakemlt32_leaktime.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-consistency_checks:
-- source:
- scheme: ledakemlt12
- implementation: leaktime
- files:
- - bf_decoding.c
- - dfr_test.c
- - dfr_test.h
- - gf2x_arith.c
- - H_Q_matrices_generation.c
- - H_Q_matrices_generation.h
- - kem.c
- - niederreiter.c
- - niederreiter.h
- - rng.c
- - rng.h
- - utils.c
- - utils.h
-- source:
- scheme: ledakemlt52
- implementation: leaktime
- files:
- - bf_decoding.c
- - dfr_test.c
- - dfr_test.h
- - gf2x_arith.c
- - gf2x_arith_mod_xPplusOne.c
- - H_Q_matrices_generation.c
- - H_Q_matrices_generation.h
- - kem.c
- - niederreiter.c
- - niederreiter.h
- - rng.h
- - utils.c
- - utils.h
diff --git a/test/duplicate_consistency/ledakemlt52_leaktime.yml b/test/duplicate_consistency/ledakemlt52_leaktime.yml
deleted file mode 100644
index 62cb4756..00000000
--- a/test/duplicate_consistency/ledakemlt52_leaktime.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-consistency_checks:
-- source:
- scheme: ledakemlt12
- implementation: leaktime
- files:
- - bf_decoding.c
- - dfr_test.c
- - dfr_test.h
- - gf2x_arith.c
- - H_Q_matrices_generation.c
- - H_Q_matrices_generation.h
- - kem.c
- - niederreiter.c
- - niederreiter.h
- - rng.h
- - utils.c
- - utils.h
-- source:
- scheme: ledakemlt32
- implementation: leaktime
- files:
- - bf_decoding.c
- - dfr_test.c
- - dfr_test.h
- - gf2x_arith.c
- - gf2x_arith_mod_xPplusOne.c
- - H_Q_matrices_generation.c
- - H_Q_matrices_generation.h
- - kem.c
- - niederreiter.c
- - niederreiter.h
- - rng.h
- - utils.c
- - utils.h
diff --git a/test/duplicate_consistency/mamabear-ephem_clean.yml b/test/duplicate_consistency/mamabear-ephem_clean.yml
deleted file mode 100644
index 5c02ca4a..00000000
--- a/test/duplicate_consistency/mamabear-ephem_clean.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-consistency_checks:
-- source:
- scheme: babybear-ephem
- implementation: clean
- files:
- - kem.c
- - melas_fec.c
- - melas_fec.h
- - ring.c
- - ring.h
- - threebears.c
-- source:
- scheme: papabear-ephem
- implementation: clean
- files:
- - kem.c
- - melas_fec.c
- - melas_fec.h
- - ring.c
- - ring.h
- - threebears.c
diff --git a/test/duplicate_consistency/mamabear_clean.yml b/test/duplicate_consistency/mamabear_clean.yml
deleted file mode 100644
index b4c9b1f3..00000000
--- a/test/duplicate_consistency/mamabear_clean.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-consistency_checks:
-- source:
- scheme: babybear
- implementation: clean
- files:
- - kem.c
- - melas_fec.c
- - melas_fec.h
- - ring.c
- - ring.h
- - threebears.c
-- source:
- scheme: papabear
- implementation: clean
- files:
- - kem.c
- - melas_fec.c
- - melas_fec.h
- - ring.c
- - ring.h
- - threebears.c
diff --git a/test/duplicate_consistency/mqdss-48_clean.yml b/test/duplicate_consistency/mqdss-48_clean.yml
deleted file mode 100644
index a5d2e758..00000000
--- a/test/duplicate_consistency/mqdss-48_clean.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-consistency_checks:
-- source:
- scheme: mqdss-48
- implementation: avx2
- files:
- - api.h
- - mq.h
- - LICENSE
- - mq.h
- - sign.c
- - params.h
-- source:
- scheme: mqdss-64
- implementation: clean
- files:
- - gf31.c
- - gf31.h
- - LICENSE
- - mq.c
- - mq.h
diff --git a/test/duplicate_consistency/mqdss-64_clean.yml b/test/duplicate_consistency/mqdss-64_clean.yml
deleted file mode 100644
index 79021ca0..00000000
--- a/test/duplicate_consistency/mqdss-64_clean.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-consistency_checks:
-- source:
- scheme: mqdss-48
- implementation: clean
- files:
- - gf31.c
- - gf31.h
- - LICENSE
- - mq.c
- - mq.h
- - sign.c
-- source:
- scheme: mqdss-64
- implementation: avx2
- files:
- - api.h
- - mq.h
- - LICENSE
- - mq.h
- - sign.c
- - params.h
-
diff --git a/test/duplicate_consistency/newhope1024cca_clean.yml b/test/duplicate_consistency/newhope1024cca_clean.yml
deleted file mode 100644
index 21764ea3..00000000
--- a/test/duplicate_consistency/newhope1024cca_clean.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-consistency_checks:
-- source:
- scheme: newhope1024cpa
- implementation: clean
- files:
- - ntt.c
- - poly.c
- - precomp.c
- - cpapke.c
- - reduce.c
- - verify.c
- - params.h
- - cpapke.h
- - ntt.h
- - poly.h
- - reduce.h
- - verify.h
-- source:
- scheme: newhope512cca
- implementation: clean
- files:
- - kem.c
- - cpapke.c
- - reduce.c
- - verify.c
- - cpapke.h
- - ntt.h
- - poly.h
- - reduce.h
- - verify.h
-- source:
- scheme: newhope512cpa
- implementation: clean
- files:
- - cpapke.c
- - reduce.c
- - verify.c
- - cpapke.h
- - ntt.h
- - poly.h
- - reduce.h
- - verify.h
-
diff --git a/test/duplicate_consistency/newhope1024cpa_clean.yml b/test/duplicate_consistency/newhope1024cpa_clean.yml
deleted file mode 100644
index ecf8b874..00000000
--- a/test/duplicate_consistency/newhope1024cpa_clean.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-consistency_checks:
-- source:
- scheme: newhope1024cca
- implementation: clean
- files:
- - ntt.c
- - poly.c
- - precomp.c
- - cpapke.c
- - reduce.c
- - verify.c
- - params.h
- - cpapke.h
- - ntt.h
- - poly.h
- - reduce.h
- - verify.h
-- source:
- scheme: newhope512cca
- implementation: clean
- files:
- - cpapke.c
- - reduce.c
- - verify.c
- - cpapke.h
- - ntt.h
- - poly.h
- - reduce.h
- - verify.h
-- source:
- scheme: newhope512cpa
- implementation: clean
- files:
- - kem.c
- - cpapke.c
- - reduce.c
- - verify.c
- - cpapke.h
- - ntt.h
- - poly.h
- - reduce.h
- - verify.h
diff --git a/test/duplicate_consistency/newhope512cca_clean.yml b/test/duplicate_consistency/newhope512cca_clean.yml
deleted file mode 100644
index ff0c6036..00000000
--- a/test/duplicate_consistency/newhope512cca_clean.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-consistency_checks:
-- source:
- scheme: newhope1024cpa
- implementation: clean
- files:
- - cpapke.c
- - reduce.c
- - verify.c
- - cpapke.h
- - ntt.h
- - poly.h
- - reduce.h
- - verify.h
-- source:
- scheme: newhope1024cca
- implementation: clean
- files:
- - kem.c
- - cpapke.c
- - reduce.c
- - verify.c
- - cpapke.h
- - ntt.h
- - poly.h
- - reduce.h
- - verify.h
-- source:
- scheme: newhope512cpa
- implementation: clean
- files:
- - ntt.c
- - poly.c
- - precomp.c
- - cpapke.c
- - reduce.c
- - verify.c
- - params.h
- - cpapke.h
- - ntt.h
- - poly.h
- - reduce.h
- - verify.h
-
-
diff --git a/test/duplicate_consistency/newhope512cpa_clean.yml b/test/duplicate_consistency/newhope512cpa_clean.yml
deleted file mode 100644
index e18fab3b..00000000
--- a/test/duplicate_consistency/newhope512cpa_clean.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-consistency_checks:
-- source:
- scheme: newhope1024cpa
- implementation: clean
- files:
- - kem.c
- - cpapke.c
- - reduce.c
- - verify.c
- - cpapke.h
- - ntt.h
- - poly.h
- - reduce.h
- - verify.h
-- source:
- scheme: newhope1024cca
- implementation: clean
- files:
- - cpapke.c
- - reduce.c
- - verify.c
- - cpapke.h
- - ntt.h
- - poly.h
- - reduce.h
- - verify.h
-- source:
- scheme: newhope512cca
- implementation: clean
- files:
- - ntt.c
- - poly.c
- - precomp.c
- - cpapke.c
- - reduce.c
- - verify.c
- - params.h
- - cpapke.h
- - ntt.h
- - poly.h
- - reduce.h
- - verify.h
diff --git a/test/duplicate_consistency/papabear-ephem_clean.yml b/test/duplicate_consistency/papabear-ephem_clean.yml
deleted file mode 100644
index f8c9b2da..00000000
--- a/test/duplicate_consistency/papabear-ephem_clean.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-consistency_checks:
-- source:
- scheme: babybear-ephem
- implementation: clean
- files:
- - kem.c
- - melas_fec.c
- - melas_fec.h
- - ring.c
- - ring.h
- - threebears.c
-- source:
- scheme: mamabear-ephem
- implementation: clean
- files:
- - kem.c
- - melas_fec.c
- - melas_fec.h
- - ring.c
- - ring.h
- - threebears.c
diff --git a/test/duplicate_consistency/papabear_clean.yml b/test/duplicate_consistency/papabear_clean.yml
deleted file mode 100644
index a393e9c6..00000000
--- a/test/duplicate_consistency/papabear_clean.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-consistency_checks:
-- source:
- scheme: babybear
- implementation: clean
- files:
- - kem.c
- - melas_fec.c
- - melas_fec.h
- - ring.c
- - ring.h
- - threebears.c
-- source:
- scheme: mamabear
- implementation: clean
- files:
- - kem.c
- - melas_fec.c
- - melas_fec.h
- - ring.c
- - ring.h
- - threebears.c
diff --git a/test/duplicate_consistency/qtesla-p-III_clean.yml b/test/duplicate_consistency/qtesla-p-III_clean.yml
deleted file mode 100644
index 5ee39c09..00000000
--- a/test/duplicate_consistency/qtesla-p-III_clean.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-consistency_checks:
-- source:
- scheme: qtesla-p-I
- implementation: clean
- files:
- - config.h
- - gauss.c
- - gauss.h
- - pack.h
- - poly.h
- - sample.c
- - sample.h
- - sign.c
diff --git a/test/duplicate_consistency/qtesla-p-I_clean.yml b/test/duplicate_consistency/qtesla-p-I_clean.yml
deleted file mode 100644
index 835c7915..00000000
--- a/test/duplicate_consistency/qtesla-p-I_clean.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-consistency_checks:
-- source:
- scheme: qtesla-p-III
- implementation: clean
- files:
- - config.h
- - gauss.c
- - gauss.h
- - pack.h
- - poly.h
- - sample.c
- - sample.h
- - sign.c