commit
b5c7f366b0
@ -4,7 +4,7 @@
|
|||||||
LIB=libkyber768_clean.lib
|
LIB=libkyber768_clean.lib
|
||||||
OBJECTS=cbd.obj indcpa.obj kem.obj ntt.obj poly.obj polyvec.obj precomp.obj reduce.obj verify.obj
|
OBJECTS=cbd.obj indcpa.obj kem.obj ntt.obj poly.obj polyvec.obj precomp.obj reduce.obj verify.obj
|
||||||
|
|
||||||
CFLAGS=/I ..\..\..\common /W1 /WX # FIXME: ideally would use /W4 instead of /W1, but too many failures in Kyber right now
|
CFLAGS=/I ..\..\..\common /W4 /WX
|
||||||
|
|
||||||
all: $(LIB)
|
all: $(LIB)
|
||||||
|
|
||||||
|
@ -37,7 +37,7 @@ void PQCLEAN_KYBER768_cbd(poly *r, const unsigned char *buf) {
|
|||||||
int i, j;
|
int i, j;
|
||||||
|
|
||||||
for (i = 0; i < KYBER_N / 4; i++) {
|
for (i = 0; i < KYBER_N / 4; i++) {
|
||||||
t = load_littleendian(buf + 3 * i, 3);
|
t = (uint32_t)load_littleendian(buf + 3 * i, 3);
|
||||||
d = 0;
|
d = 0;
|
||||||
for (j = 0; j < 3; j++) {
|
for (j = 0; j < 3; j++) {
|
||||||
d += (t >> j) & 0x249249;
|
d += (t >> j) & 0x249249;
|
||||||
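Review bot: The narrowing cast `t = (uint32_t)load_littleendian(buf + 3 * i, 3);` is lossless only because at most 3 bytes (4 in the eta=4 hunk at -52) are loaded; load_littleendian's return type is declared outside this hunk, so a comment such as `/* only 3 bytes are loaded, so the value fits in 32 bits */` would keep a later widening of the load from being silently truncated. The `(uint16_t)(a[k] + KYBER_Q - b[k])` casts in the hunks at -52, -77 and -102 are safe for a similar unstated reason — each a[k] and b[k] is a small bit-count bounded by eta, so the sum stays far below 65536 — and deserve the same one-line justification, e.g. `/* a[k], b[k] <= KYBER_ETA, so the result fits in uint16_t */`. The enclosing function continues past this hunk.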
@ -52,17 +52,17 @@ void PQCLEAN_KYBER768_cbd(poly *r, const unsigned char *buf) {
|
|||||||
a[3] = (d >> 18) & 0x7;
|
a[3] = (d >> 18) & 0x7;
|
||||||
b[3] = (d >> 21);
|
b[3] = (d >> 21);
|
||||||
|
|
||||||
r->coeffs[4 * i + 0] = a[0] + KYBER_Q - b[0];
|
r->coeffs[4 * i + 0] = (uint16_t)(a[0] + KYBER_Q - b[0]);
|
||||||
r->coeffs[4 * i + 1] = a[1] + KYBER_Q - b[1];
|
r->coeffs[4 * i + 1] = (uint16_t)(a[1] + KYBER_Q - b[1]);
|
||||||
r->coeffs[4 * i + 2] = a[2] + KYBER_Q - b[2];
|
r->coeffs[4 * i + 2] = (uint16_t)(a[2] + KYBER_Q - b[2]);
|
||||||
r->coeffs[4 * i + 3] = a[3] + KYBER_Q - b[3];
|
r->coeffs[4 * i + 3] = (uint16_t)(a[3] + KYBER_Q - b[3]);
|
||||||
}
|
}
|
||||||
#elif KYBER_ETA == 4
|
#elif KYBER_ETA == 4
|
||||||
uint32_t t, d, a[4], b[4];
|
uint32_t t, d, a[4], b[4];
|
||||||
int i, j;
|
int i, j;
|
||||||
|
|
||||||
for (i = 0; i < KYBER_N / 4; i++) {
|
for (i = 0; i < KYBER_N / 4; i++) {
|
||||||
t = load_littleendian(buf + 4 * i, 4);
|
t = (uint32_t)load_littleendian(buf + 4 * i, 4);
|
||||||
d = 0;
|
d = 0;
|
||||||
for (j = 0; j < 4; j++) {
|
for (j = 0; j < 4; j++) {
|
||||||
d += (t >> j) & 0x11111111;
|
d += (t >> j) & 0x11111111;
|
||||||
@ -77,10 +77,10 @@ void PQCLEAN_KYBER768_cbd(poly *r, const unsigned char *buf) {
|
|||||||
a[3] = (d >> 24) & 0xf;
|
a[3] = (d >> 24) & 0xf;
|
||||||
b[3] = (d >> 28);
|
b[3] = (d >> 28);
|
||||||
|
|
||||||
r->coeffs[4 * i + 0] = a[0] + KYBER_Q - b[0];
|
r->coeffs[4 * i + 0] = (uint16_t)(a[0] + KYBER_Q - b[0]);
|
||||||
r->coeffs[4 * i + 1] = a[1] + KYBER_Q - b[1];
|
r->coeffs[4 * i + 1] = (uint16_t)(a[1] + KYBER_Q - b[1]);
|
||||||
r->coeffs[4 * i + 2] = a[2] + KYBER_Q - b[2];
|
r->coeffs[4 * i + 2] = (uint16_t)(a[2] + KYBER_Q - b[2]);
|
||||||
r->coeffs[4 * i + 3] = a[3] + KYBER_Q - b[3];
|
r->coeffs[4 * i + 3] = (uint16_t)(a[3] + KYBER_Q - b[3]);
|
||||||
}
|
}
|
||||||
#elif KYBER_ETA == 5
|
#elif KYBER_ETA == 5
|
||||||
uint64_t t, d, a[4], b[4];
|
uint64_t t, d, a[4], b[4];
|
||||||
@ -102,10 +102,10 @@ void PQCLEAN_KYBER768_cbd(poly *r, const unsigned char *buf) {
|
|||||||
a[3] = (d >> 30) & 0x1f;
|
a[3] = (d >> 30) & 0x1f;
|
||||||
b[3] = (d >> 35);
|
b[3] = (d >> 35);
|
||||||
|
|
||||||
r->coeffs[4 * i + 0] = a[0] + KYBER_Q - b[0];
|
r->coeffs[4 * i + 0] = (uint16_t)(a[0] + KYBER_Q - b[0]);
|
||||||
r->coeffs[4 * i + 1] = a[1] + KYBER_Q - b[1];
|
r->coeffs[4 * i + 1] = (uint16_t)(a[1] + KYBER_Q - b[1]);
|
||||||
r->coeffs[4 * i + 2] = a[2] + KYBER_Q - b[2];
|
r->coeffs[4 * i + 2] = (uint16_t)(a[2] + KYBER_Q - b[2]);
|
||||||
r->coeffs[4 * i + 3] = a[3] + KYBER_Q - b[3];
|
r->coeffs[4 * i + 3] = (uint16_t)(a[3] + KYBER_Q - b[3]);
|
||||||
}
|
}
|
||||||
#else
|
#else
|
||||||
#error "poly_getnoise in poly.c only supports eta in {3,4,5}"
|
#error "poly_getnoise in poly.c only supports eta in {3,4,5}"
|
||||||
|
@ -143,11 +143,11 @@ static void gen_matrix(polyvec *a, const unsigned char *seed, int transposed) {
|
|||||||
ctr = pos = 0;
|
ctr = pos = 0;
|
||||||
nblocks = maxnblocks;
|
nblocks = maxnblocks;
|
||||||
if (transposed) {
|
if (transposed) {
|
||||||
extseed[KYBER_SYMBYTES] = i;
|
extseed[KYBER_SYMBYTES] = (unsigned char)i;
|
||||||
extseed[KYBER_SYMBYTES + 1] = j;
|
extseed[KYBER_SYMBYTES + 1] = (unsigned char)j;
|
||||||
} else {
|
} else {
|
||||||
extseed[KYBER_SYMBYTES] = j;
|
extseed[KYBER_SYMBYTES] = (unsigned char)j;
|
||||||
extseed[KYBER_SYMBYTES + 1] = i;
|
extseed[KYBER_SYMBYTES + 1] = (unsigned char)i;
|
||||||
}
|
}
|
||||||
|
|
||||||
shake128_absorb(state, extseed, KYBER_SYMBYTES + 2);
|
shake128_absorb(state, extseed, KYBER_SYMBYTES + 2);
|
||||||
|
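Review bot: `extseed[KYBER_SYMBYTES] = (unsigned char)i;` and its three sibling lines silence the narrowing warning without recording why the truncation is exact; `i` and `j` are declared and bounded above this hunk, presumably by KYBER_K, so a comment such as `/* i, j < KYBER_K <= 255, so the byte cast is exact */` would keep the cast honest if the loop bounds ever change. The enclosing function starts before and ends after this hunk.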
@ -84,25 +84,25 @@ int PQCLEAN_KYBER768_crypto_kem_dec(unsigned char *ss, const unsigned char *ct,
|
|||||||
unsigned char cmp[KYBER_CIPHERTEXTBYTES];
|
unsigned char cmp[KYBER_CIPHERTEXTBYTES];
|
||||||
unsigned char buf[2 * KYBER_SYMBYTES];
|
unsigned char buf[2 * KYBER_SYMBYTES];
|
||||||
unsigned char
|
unsigned char
|
||||||
kr[2 * KYBER_SYMBYTES]; /* Will contain key, coins, qrom-hash */
|
kr[2 * KYBER_SYMBYTES]; /* Will contain key, coins, qrom-hash */
|
||||||
const unsigned char *pk = sk + KYBER_INDCPA_SECRETKEYBYTES;
|
const unsigned char *pk = sk + KYBER_INDCPA_SECRETKEYBYTES;
|
||||||
|
|
||||||
PQCLEAN_KYBER768_indcpa_dec(buf, ct, sk);
|
PQCLEAN_KYBER768_indcpa_dec(buf, ct, sk);
|
||||||
|
|
||||||
for (i = 0; i < KYBER_SYMBYTES; i++) { /* Multitarget countermeasure for coins + contributory KEM */
|
for (i = 0; i < KYBER_SYMBYTES; i++) { /* Multitarget countermeasure for coins + contributory KEM */
|
||||||
buf[KYBER_SYMBYTES + i] = sk[KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES + i]; /* Save hash by storing H(pk) in sk */
|
buf[KYBER_SYMBYTES + i] = sk[KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES + i]; /* Save hash by storing H(pk) in sk */
|
||||||
}
|
}
|
||||||
sha3_512(kr, buf, 2 * KYBER_SYMBYTES);
|
sha3_512(kr, buf, 2 * KYBER_SYMBYTES);
|
||||||
|
|
||||||
PQCLEAN_KYBER768_indcpa_enc(cmp, buf, pk, kr + KYBER_SYMBYTES); /* coins are in kr+KYBER_SYMBYTES */
|
PQCLEAN_KYBER768_indcpa_enc(cmp, buf, pk, kr + KYBER_SYMBYTES); /* coins are in kr+KYBER_SYMBYTES */
|
||||||
|
|
||||||
fail = PQCLEAN_KYBER768_verify(ct, cmp, KYBER_CIPHERTEXTBYTES);
|
fail = PQCLEAN_KYBER768_verify(ct, cmp, KYBER_CIPHERTEXTBYTES);
|
||||||
|
|
||||||
sha3_256(kr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); /* overwrite coins in kr with H(c) */
|
sha3_256(kr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); /* overwrite coins in kr with H(c) */
|
||||||
|
|
||||||
PQCLEAN_KYBER768_cmov(kr, sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES, fail); /* Overwrite pre-k with z on re-encryption failure */
|
PQCLEAN_KYBER768_cmov(kr, sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES, (unsigned char)fail); /* Overwrite pre-k with z on re-encryption failure */
|
||||||
|
|
||||||
sha3_256(ss, kr, 2 * KYBER_SYMBYTES); /* hash concatenation of pre-k and H(c) to k */
|
sha3_256(ss, kr, 2 * KYBER_SYMBYTES); /* hash concatenation of pre-k and H(c) to k */
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
@ -23,9 +23,9 @@ void PQCLEAN_KYBER768_poly_compress(unsigned char *r, const poly *a) {
|
|||||||
t[j] = (((PQCLEAN_KYBER768_freeze(a->coeffs[i + j]) << 3) + KYBER_Q / 2) / KYBER_Q) & 7;
|
t[j] = (((PQCLEAN_KYBER768_freeze(a->coeffs[i + j]) << 3) + KYBER_Q / 2) / KYBER_Q) & 7;
|
||||||
}
|
}
|
||||||
|
|
||||||
r[k] = t[0] | (t[1] << 3) | (t[2] << 6);
|
r[k] = (unsigned char)( t[0] | (t[1] << 3) | (t[2] << 6));
|
||||||
r[k + 1] = (t[2] >> 2) | (t[3] << 1) | (t[4] << 4) | (t[5] << 7);
|
r[k + 1] = (unsigned char)((t[2] >> 2) | (t[3] << 1) | (t[4] << 4) | (t[5] << 7));
|
||||||
r[k + 2] = (t[5] >> 1) | (t[6] << 2) | (t[7] << 5);
|
r[k + 2] = (unsigned char)((t[5] >> 1) | (t[6] << 2) | (t[7] << 5));
|
||||||
k += 3;
|
k += 3;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
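Review bot: The added casts are formatted inconsistently within the hunk: `r[k] = (unsigned char)( t[0] | (t[1] << 3) | (t[2] << 6));` has a stray space after the opening parenthesis while the next two lines do not; the same `( t[0] & 0xff)` form recurs in the poly_tobytes hunk at -71 and the polyvec_compress hunk at -21, and those two also end with a doubled parenthesis, `(unsigned char)((t[7] >> 5))`, where `(unsigned char)(t[7] >> 5)` suffices. Normalising to `(unsigned char)(expr)` throughout keeps the three packing routines visually parallel, which matters because their bit layout is checked by eye. The enclosing loop starts above this hunk.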
@ -71,19 +71,19 @@ void PQCLEAN_KYBER768_poly_tobytes(unsigned char *r, const poly *a) {
|
|||||||
t[j] = PQCLEAN_KYBER768_freeze(a->coeffs[8 * i + j]);
|
t[j] = PQCLEAN_KYBER768_freeze(a->coeffs[8 * i + j]);
|
||||||
}
|
}
|
||||||
|
|
||||||
r[13 * i + 0] = t[0] & 0xff;
|
r[13 * i + 0] = (unsigned char)( t[0] & 0xff);
|
||||||
r[13 * i + 1] = (t[0] >> 8) | ((t[1] & 0x07) << 5);
|
r[13 * i + 1] = (unsigned char)((t[0] >> 8) | ((t[1] & 0x07) << 5));
|
||||||
r[13 * i + 2] = (t[1] >> 3) & 0xff;
|
r[13 * i + 2] = (unsigned char)((t[1] >> 3) & 0xff);
|
||||||
r[13 * i + 3] = (t[1] >> 11) | ((t[2] & 0x3f) << 2);
|
r[13 * i + 3] = (unsigned char)((t[1] >> 11) | ((t[2] & 0x3f) << 2));
|
||||||
r[13 * i + 4] = (t[2] >> 6) | ((t[3] & 0x01) << 7);
|
r[13 * i + 4] = (unsigned char)((t[2] >> 6) | ((t[3] & 0x01) << 7));
|
||||||
r[13 * i + 5] = (t[3] >> 1) & 0xff;
|
r[13 * i + 5] = (unsigned char)((t[3] >> 1) & 0xff);
|
||||||
r[13 * i + 6] = (t[3] >> 9) | ((t[4] & 0x0f) << 4);
|
r[13 * i + 6] = (unsigned char)((t[3] >> 9) | ((t[4] & 0x0f) << 4));
|
||||||
r[13 * i + 7] = (t[4] >> 4) & 0xff;
|
r[13 * i + 7] = (unsigned char)((t[4] >> 4) & 0xff);
|
||||||
r[13 * i + 8] = (t[4] >> 12) | ((t[5] & 0x7f) << 1);
|
r[13 * i + 8] = (unsigned char)((t[4] >> 12) | ((t[5] & 0x7f) << 1));
|
||||||
r[13 * i + 9] = (t[5] >> 7) | ((t[6] & 0x03) << 6);
|
r[13 * i + 9] = (unsigned char)((t[5] >> 7) | ((t[6] & 0x03) << 6));
|
||||||
r[13 * i + 10] = (t[6] >> 2) & 0xff;
|
r[13 * i + 10] = (unsigned char)((t[6] >> 2) & 0xff);
|
||||||
r[13 * i + 11] = (t[6] >> 10) | ((t[7] & 0x1f) << 3);
|
r[13 * i + 11] = (unsigned char)((t[6] >> 10) | ((t[7] & 0x1f) << 3));
|
||||||
r[13 * i + 12] = (t[7] >> 5);
|
r[13 * i + 12] = (unsigned char)((t[7] >> 5));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -21,17 +21,17 @@ void PQCLEAN_KYBER768_polyvec_compress(unsigned char *r, const polyvec *a) {
|
|||||||
t[k] = ((((uint32_t)PQCLEAN_KYBER768_freeze(a->vec[i].coeffs[8 * j + k]) << 11) + KYBER_Q / 2) / KYBER_Q) & 0x7ff;
|
t[k] = ((((uint32_t)PQCLEAN_KYBER768_freeze(a->vec[i].coeffs[8 * j + k]) << 11) + KYBER_Q / 2) / KYBER_Q) & 0x7ff;
|
||||||
}
|
}
|
||||||
|
|
||||||
r[11 * j + 0] = t[0] & 0xff;
|
r[11 * j + 0] = (unsigned char)( t[0] & 0xff);
|
||||||
r[11 * j + 1] = (t[0] >> 8) | ((t[1] & 0x1f) << 3);
|
r[11 * j + 1] = (unsigned char)((t[0] >> 8) | ((t[1] & 0x1f) << 3));
|
||||||
r[11 * j + 2] = (t[1] >> 5) | ((t[2] & 0x03) << 6);
|
r[11 * j + 2] = (unsigned char)((t[1] >> 5) | ((t[2] & 0x03) << 6));
|
||||||
r[11 * j + 3] = (t[2] >> 2) & 0xff;
|
r[11 * j + 3] = (unsigned char)((t[2] >> 2) & 0xff);
|
||||||
r[11 * j + 4] = (t[2] >> 10) | ((t[3] & 0x7f) << 1);
|
r[11 * j + 4] = (unsigned char)((t[2] >> 10) | ((t[3] & 0x7f) << 1));
|
||||||
r[11 * j + 5] = (t[3] >> 7) | ((t[4] & 0x0f) << 4);
|
r[11 * j + 5] = (unsigned char)((t[3] >> 7) | ((t[4] & 0x0f) << 4));
|
||||||
r[11 * j + 6] = (t[4] >> 4) | ((t[5] & 0x01) << 7);
|
r[11 * j + 6] = (unsigned char)((t[4] >> 4) | ((t[5] & 0x01) << 7));
|
||||||
r[11 * j + 7] = (t[5] >> 1) & 0xff;
|
r[11 * j + 7] = (unsigned char)((t[5] >> 1) & 0xff);
|
||||||
r[11 * j + 8] = (t[5] >> 9) | ((t[6] & 0x3f) << 2);
|
r[11 * j + 8] = (unsigned char)((t[5] >> 9) | ((t[6] & 0x3f) << 2));
|
||||||
r[11 * j + 9] = (t[6] >> 6) | ((t[7] & 0x07) << 5);
|
r[11 * j + 9] = (unsigned char)((t[6] >> 6) | ((t[7] & 0x07) << 5));
|
||||||
r[11 * j + 10] = (t[7] >> 3);
|
r[11 * j + 10] = (unsigned char)((t[7] >> 3));
|
||||||
}
|
}
|
||||||
r += 352;
|
r += 352;
|
||||||
}
|
}
|
||||||
|
@ -24,7 +24,7 @@ uint16_t PQCLEAN_KYBER768_montgomery_reduce(uint32_t a) {
|
|||||||
u &= ((1 << rlog) - 1);
|
u &= ((1 << rlog) - 1);
|
||||||
u *= KYBER_Q;
|
u *= KYBER_Q;
|
||||||
a = a + u;
|
a = a + u;
|
||||||
return a >> rlog;
|
return (uint16_t)(a >> rlog);
|
||||||
}
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
@ -38,7 +38,7 @@ uint16_t PQCLEAN_KYBER768_montgomery_reduce(uint32_t a) {
|
|||||||
* Returns: unsigned integer in {0,...,11768} congruent to a modulo q.
|
* Returns: unsigned integer in {0,...,11768} congruent to a modulo q.
|
||||||
**************************************************/
|
**************************************************/
|
||||||
uint16_t PQCLEAN_KYBER768_barrett_reduce(uint16_t a) {
|
uint16_t PQCLEAN_KYBER768_barrett_reduce(uint16_t a) {
|
||||||
uint32_t u;
|
uint16_t u;
|
||||||
|
|
||||||
u = a >> 13; //((uint32_t) a * sinv) >> 16;
|
u = a >> 13; //((uint32_t) a * sinv) >> 16;
|
||||||
u *= KYBER_Q;
|
u *= KYBER_Q;
|
||||||
|
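Review bot: Narrowing `u` from uint32_t to uint16_t is correct only because of a bound the code does not state: `u = a >> 13` is at most 7, so `u *= KYBER_Q` is at most 7 * 7681 = 53767, which fits in 16 bits and is what makes the documented result range {0,...,11768} hold. A comment such as `uint16_t u; /* a >> 13 <= 7, so u * q <= 53767 fits in 16 bits */` would tie the narrower type to that bound. Note that `u *= KYBER_Q` is computed in int after promotion and then truncated back, so the bound is exactly what keeps the truncation lossless. The function's remaining lines are outside this hunk.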
@ -21,8 +21,8 @@ int PQCLEAN_KYBER768_verify(const unsigned char *a, const unsigned char *b, size
|
|||||||
r |= a[i] ^ b[i];
|
r |= a[i] ^ b[i];
|
||||||
}
|
}
|
||||||
|
|
||||||
r = (-r) >> 63;
|
r = (-(int64_t)r) >> 63;
|
||||||
return r;
|
return (int)r;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
|
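Review bot: The new mask line `r = (-(int64_t)r) >> 63;` appears to change what the function returns on a mismatch: if `r` is the unsigned 64-bit accumulator that the old `(-r) >> 63` implies (its declaration is above the hunk), then `-(int64_t)r` is negative, the right shift of a negative signed value is implementation-defined, and on compilers that shift arithmetically it yields -1, so `return (int)r;` gives -1 where the old code gave 1. PQCLEAN_KYBER768_crypto_kem_dec (hunk at -84) passes that result to cmov as `(unsigned char)fail`, i.e. 255 rather than 1; cmov's body is outside this diff, so please check how it turns the selector byte into a mask — if it negates the byte, 255 becomes 1 and only bit 0 of each pre-key byte would be replaced by z, which would break implicit rejection on re-encryption failure. Keeping the shift in unsigned arithmetic restores the 0/1 result: `r = (uint64_t)(-(int64_t)r) >> 63;` (r never exceeds 0xff, so the signed negation cannot overflow), followed by the existing `return (int)r;`.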