diff --git a/crypto_kem/ledakemlt12/clean/gf2x_arith_mod_xPplusOne.c b/crypto_kem/ledakemlt12/clean/gf2x_arith_mod_xPplusOne.c index 69f09833..7d2add83 100644 --- a/crypto_kem/ledakemlt12/clean/gf2x_arith_mod_xPplusOne.c +++ b/crypto_kem/ledakemlt12/clean/gf2x_arith_mod_xPplusOne.c @@ -12,12 +12,15 @@ static void gf2x_mod(DIGIT out[], const DIGIT in[]) { memcpy(aux, in, 2 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B); memset(out, 0x00, NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B); + + /* not true for parameter set if (2 * NUM_DIGITS_GF2X_ELEMENT < NUM_DIGITS_GF2X_MODULUS) { for (i = 0; i < 2 * NUM_DIGITS_GF2X_ELEMENT; i++) { out[NUM_DIGITS_GF2X_ELEMENT - 1 - i] = in[2 * NUM_DIGITS_GF2X_ELEMENT - 1 - i]; } return; } + */ for (i = 0; i < (2 * NUM_DIGITS_GF2X_ELEMENT) - NUM_DIGITS_GF2X_MODULUS; i += 1) { for (j = DIGIT_SIZE_b - 1; j >= 0; j--) { @@ -95,6 +98,13 @@ static uint8_t byte_reverse_with_64bitDIGIT(uint8_t b) { return b; } +/* https://stackoverflow.com/questions/2182002/convert-big-endian-to-little-endian-in-c-without-using-provided-func */ +static uint64_t swap_uint64( uint64_t val ) { + val = ((val << 8) & 0xFF00FF00FF00FF00ULL ) | ((val >> 8) & 0x00FF00FF00FF00FFULL ); + val = ((val << 16) & 0xFFFF0000FFFF0000ULL ) | ((val >> 16) & 0x0000FFFF0000FFFFULL ); + return (val << 32) | (val >> 32); +} + static DIGIT reverse_digit(const DIGIT b) { int i; union toReverse_t { @@ -107,7 +117,7 @@ static DIGIT reverse_digit(const DIGIT b) { toReverse.inByte[i] = byte_reverse_with_64bitDIGIT(toReverse.inByte[i]); } - return __builtin_bswap64(toReverse.digitValue); + return swap_uint64(toReverse.digitValue); } void PQCLEAN_LEDAKEMLT12_CLEAN_gf2x_transpose_in_place(DIGIT A[]) { @@ -127,9 +137,11 @@ void PQCLEAN_LEDAKEMLT12_CLEAN_gf2x_transpose_in_place(DIGIT A[]) { A[i] = rev2; A[NUM_DIGITS_GF2X_ELEMENT - 1 - i] = rev1; } + /* if (NUM_DIGITS_GF2X_ELEMENT % 2 == 1) { A[NUM_DIGITS_GF2X_ELEMENT / 2] = reverse_digit(A[NUM_DIGITS_GF2X_ELEMENT / 2]); - } + }*/ + A[NUM_DIGITS_GF2X_ELEMENT / 2] = reverse_digit(A[NUM_DIGITS_GF2X_ELEMENT / 2]); if (slack_bits_amount) { PQCLEAN_LEDAKEMLT12_CLEAN_right_bit_shift_n(NUM_DIGITS_GF2X_ELEMENT, A, slack_bits_amount); @@ -140,24 +152,26 @@ void PQCLEAN_LEDAKEMLT12_CLEAN_gf2x_transpose_in_place(DIGIT A[]) { static void rotate_bit_left(DIGIT in[]) { /* equivalent to x * in(x) mod x^P+1 */ DIGIT mask, rotated_bit; - + /* if (NUM_DIGITS_GF2X_MODULUS == NUM_DIGITS_GF2X_ELEMENT) { - int msb_offset_in_digit = MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS - 1; mask = ((DIGIT)0x1) << msb_offset_in_digit; rotated_bit = !!(in[0] & mask); - in[0] &= ~mask; /* clear shifted bit */ + in[0] &= ~mask; left_bit_shift(NUM_DIGITS_GF2X_ELEMENT, in); } else { - /* NUM_DIGITS_GF2X_MODULUS == 1 + NUM_DIGITS_GF2X_ELEMENT and - * MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS == 0 - */ mask = ((DIGIT)0x1) << (DIGIT_SIZE_b - 1); rotated_bit = !!(in[0] & mask); - in[0] &= ~mask; /* clear shifted bit */ + in[0] &= ~mask; left_bit_shift(NUM_DIGITS_GF2X_ELEMENT, in); - } + } */ + + int msb_offset_in_digit = MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS - 1; + mask = ((DIGIT)0x1) << msb_offset_in_digit; + rotated_bit = !!(in[0] & mask); + in[0] &= ~mask; + left_bit_shift(NUM_DIGITS_GF2X_ELEMENT, in); in[NUM_DIGITS_GF2X_ELEMENT - 1] |= rotated_bit; } @@ -166,15 +180,15 @@ static void rotate_bit_right(DIGIT in[]) { /* x^{-1} * in(x) mod x^P+1 */ DIGIT rotated_bit = in[NUM_DIGITS_GF2X_ELEMENT - 1] & ((DIGIT)0x1); right_bit_shift(NUM_DIGITS_GF2X_ELEMENT, in); + /* if (NUM_DIGITS_GF2X_MODULUS == NUM_DIGITS_GF2X_ELEMENT) { int msb_offset_in_digit = MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS - 1; rotated_bit = rotated_bit << msb_offset_in_digit; } else { - /* NUM_DIGITS_GF2X_MODULUS == 1 + NUM_DIGITS_GF2X_ELEMENT and - * MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS == 0 - */ rotated_bit = rotated_bit << (DIGIT_SIZE_b - 1); - } + } */ + int msb_offset_in_digit = MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS - 1; + rotated_bit = rotated_bit << msb_offset_in_digit; in[0] |= rotated_bit; } @@ -221,11 +235,13 @@ int PQCLEAN_LEDAKEMLT12_CLEAN_gf2x_mod_inverse(DIGIT out[], const DIGIT in[]) { v[NUM_DIGITS_GF2X_ELEMENT - 1] = 0x0; s[NUM_DIGITS_GF2X_MODULUS - 1] = 0x1; + /* if (MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS == 0) { mask = 0x1; } else { mask = (((DIGIT)0x1) << MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS); - } + }*/ + mask = (((DIGIT)0x1) << MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS); s[0] |= mask; for (i = NUM_DIGITS_GF2X_ELEMENT - 1; i >= 0 && in[i] == 0; i--) { }; @@ -233,14 +249,18 @@ int PQCLEAN_LEDAKEMLT12_CLEAN_gf2x_mod_inverse(DIGIT out[], const DIGIT in[]) { return 0; } + /* if (NUM_DIGITS_GF2X_MODULUS == 1 + NUM_DIGITS_GF2X_ELEMENT) { for (i = NUM_DIGITS_GF2X_MODULUS - 1; i >= 1 ; i--) { f[i] = in[i - 1]; } - } else { /* they are equal */ + } else { for (i = NUM_DIGITS_GF2X_MODULUS - 1; i >= 0 ; i--) { f[i] = in[i]; } + }*/ + for (i = NUM_DIGITS_GF2X_MODULUS - 1; i >= 0 ; i--) { + f[i] = in[i]; } for (i = 1; i <= 2 * P; i++) { @@ -467,7 +487,7 @@ void PQCLEAN_LEDAKEMLT12_CLEAN_rand_circulant_sparse_block(POSITION_T *pos_ones, while (placedOnes < countOnes) { p = rand_range(NUM_BITS_GF2X_ELEMENT, - BITS_TO_REPRESENT(P), + P_BITS, seed_expander_ctx); duplicated = 0; for (int j = 0; j < placedOnes; j++) { @@ -483,15 +503,16 @@ void PQCLEAN_LEDAKEMLT12_CLEAN_rand_circulant_sparse_block(POSITION_T *pos_ones, } /* Returns random weight-t circulant block */ -void PQCLEAN_LEDAKEMLT12_CLEAN_rand_circulant_blocks_sequence(DIGIT sequence[N0 * NUM_DIGITS_GF2X_ELEMENT], - AES_XOF_struct *seed_expander_ctx) { +void PQCLEAN_LEDAKEMLT12_CLEAN_rand_circulant_blocks_sequence( + DIGIT sequence[N0 * NUM_DIGITS_GF2X_ELEMENT], + AES_XOF_struct *seed_expander_ctx) { int rndPos[NUM_ERRORS_T], duplicated, counter = 0; memset(sequence, 0x00, N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B); while (counter < NUM_ERRORS_T) { - int p = rand_range(N0 * NUM_BITS_GF2X_ELEMENT, BITS_TO_REPRESENT(P), + int p = rand_range(N0 * NUM_BITS_GF2X_ELEMENT, P_BITS, seed_expander_ctx); duplicated = 0; for (int j = 0; j < counter; j++) { diff --git a/crypto_kem/ledakemlt12/clean/gf2x_arith_mod_xPplusOne.h b/crypto_kem/ledakemlt12/clean/gf2x_arith_mod_xPplusOne.h index 0d6be87b..f41eb8ef 100644 --- a/crypto_kem/ledakemlt12/clean/gf2x_arith_mod_xPplusOne.h +++ b/crypto_kem/ledakemlt12/clean/gf2x_arith_mod_xPplusOne.h @@ -7,8 +7,8 @@ #include "gf2x_arith.h" #include "rng.h" -#define NUM_BITS_GF2X_ELEMENT (P) -#define NUM_DIGITS_GF2X_ELEMENT ((P+DIGIT_SIZE_b-1)/DIGIT_SIZE_b) +#define NUM_BITS_GF2X_ELEMENT (P) // 52147 +#define NUM_DIGITS_GF2X_ELEMENT ((P+DIGIT_SIZE_b-1)/DIGIT_SIZE_b) // 815 #define MSb_POSITION_IN_MSB_DIGIT_OF_ELEMENT ( (P % DIGIT_SIZE_b) ? (P % DIGIT_SIZE_b)-1 : DIGIT_SIZE_b-1 ) #define NUM_BITS_GF2X_MODULUS (P+1) @@ -17,45 +17,7 @@ #define INVALID_POS_VALUE (P) -#define IS_REPRESENTABLE_IN_D_BITS(D, N) \ - (((unsigned long) (N) >= (1UL << ((D) - 1)) && (unsigned long) (N) < (1UL << (D))) ? (D) : -1) - -#define BITS_TO_REPRESENT(N) \ - ((N) == 0 ? 1 : (31 \ - + IS_REPRESENTABLE_IN_D_BITS( 1, N) \ - + IS_REPRESENTABLE_IN_D_BITS( 2, N) \ - + IS_REPRESENTABLE_IN_D_BITS( 3, N) \ - + IS_REPRESENTABLE_IN_D_BITS( 4, N) \ - + IS_REPRESENTABLE_IN_D_BITS( 5, N) \ - + IS_REPRESENTABLE_IN_D_BITS( 6, N) \ - + IS_REPRESENTABLE_IN_D_BITS( 7, N) \ - + IS_REPRESENTABLE_IN_D_BITS( 8, N) \ - + IS_REPRESENTABLE_IN_D_BITS( 9, N) \ - + IS_REPRESENTABLE_IN_D_BITS(10, N) \ - + IS_REPRESENTABLE_IN_D_BITS(11, N) \ - + IS_REPRESENTABLE_IN_D_BITS(12, N) \ - + IS_REPRESENTABLE_IN_D_BITS(13, N) \ - + IS_REPRESENTABLE_IN_D_BITS(14, N) \ - + IS_REPRESENTABLE_IN_D_BITS(15, N) \ - + IS_REPRESENTABLE_IN_D_BITS(16, N) \ - + IS_REPRESENTABLE_IN_D_BITS(17, N) \ - + IS_REPRESENTABLE_IN_D_BITS(18, N) \ - + IS_REPRESENTABLE_IN_D_BITS(19, N) \ - + IS_REPRESENTABLE_IN_D_BITS(20, N) \ - + IS_REPRESENTABLE_IN_D_BITS(21, N) \ - + IS_REPRESENTABLE_IN_D_BITS(22, N) \ - + IS_REPRESENTABLE_IN_D_BITS(23, N) \ - + IS_REPRESENTABLE_IN_D_BITS(24, N) \ - + IS_REPRESENTABLE_IN_D_BITS(25, N) \ - + IS_REPRESENTABLE_IN_D_BITS(26, N) \ - + IS_REPRESENTABLE_IN_D_BITS(27, N) \ - + IS_REPRESENTABLE_IN_D_BITS(28, N) \ - + IS_REPRESENTABLE_IN_D_BITS(29, N) \ - + IS_REPRESENTABLE_IN_D_BITS(30, N) \ - + IS_REPRESENTABLE_IN_D_BITS(31, N) \ - + IS_REPRESENTABLE_IN_D_BITS(32, N) \ - ) \ - ) +#define P_BITS (16) // log_2(p) = 15.6703 static inline void gf2x_copy(DIGIT dest[], const DIGIT in[]) { diff --git a/crypto_kem/ledakemlt12/clean/niederreiter.c b/crypto_kem/ledakemlt12/clean/niederreiter.c index 4fc49796..e52a7077 100644 --- a/crypto_kem/ledakemlt12/clean/niederreiter.c +++ b/crypto_kem/ledakemlt12/clean/niederreiter.c @@ -8,11 +8,11 @@ #include -void PQCLEAN_LEDAKEMLT12_CLEAN_niederreiter_keygen(publicKeyNiederreiter_t *const pk, - privateKeyNiederreiter_t *const sk, +void PQCLEAN_LEDAKEMLT12_CLEAN_niederreiter_keygen(publicKeyNiederreiter_t *pk, + privateKeyNiederreiter_t *sk, AES_XOF_struct *keys_expander) { - // sequence of N0 circ block matrices (p x p): Hi + // sequence of N0 circ block matrices (p x p): Hi POSITION_T HPosOnes[N0][DV]; POSITION_T HtrPosOnes[N0][DV]; /* Sparse representation of the transposed circulant matrix H, @@ -89,9 +89,10 @@ void PQCLEAN_LEDAKEMLT12_CLEAN_niederreiter_keygen(publicKeyNiederreiter_t *co } -void PQCLEAN_LEDAKEMLT12_CLEAN_niederreiter_encrypt(DIGIT syndrome[], // 1 polynomial - const publicKeyNiederreiter_t *const pk, - const DIGIT err[]) { // N0 polynomials +void PQCLEAN_LEDAKEMLT12_CLEAN_niederreiter_encrypt(DIGIT *syndrome, // 1 polynomial + const publicKeyNiederreiter_t *pk, + const DIGIT *err) { // N0 polynomials + int i; DIGIT saux[NUM_DIGITS_GF2X_ELEMENT]; @@ -108,9 +109,9 @@ void PQCLEAN_LEDAKEMLT12_CLEAN_niederreiter_encrypt(DIGIT syndrome[], } -int PQCLEAN_LEDAKEMLT12_CLEAN_niederreiter_decrypt(DIGIT err[], // N0 circ poly - const privateKeyNiederreiter_t *const sk, - const DIGIT syndrome[]) { +int PQCLEAN_LEDAKEMLT12_CLEAN_niederreiter_decrypt(DIGIT *err, // N0 circ poly + const privateKeyNiederreiter_t *sk, + const DIGIT *syndrome) { AES_XOF_struct niederreiter_decrypt_expander; PQCLEAN_LEDAKEMLT12_CLEAN_seedexpander_from_trng(&niederreiter_decrypt_expander,