kris
/
pqc
1
1
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Browse Source

Clean up AVX2 code

kyber
John M. Schanck 4 years ago
committed by Kris Kwiatkowski
parent
997f9d462b
commit
df9f4a17a4
87 changed files with 6270 additions and 9624 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +2
    -2
      crypto_kem/firesaber/META.yml
  2. +1
    -1
      crypto_kem/firesaber/avx2/Makefile
  3. +72
    -362
      crypto_kem/firesaber/avx2/SABER_indcpa.c
  4. +18
    -22
      crypto_kem/firesaber/avx2/SABER_params.h
  5. +11
    -15
      crypto_kem/firesaber/avx2/cbd.c
  6. +2
    -2
      crypto_kem/firesaber/avx2/cbd.h
  7. +5
    -7
      crypto_kem/firesaber/avx2/kem.c
  8. +0
    -32
      crypto_kem/firesaber/avx2/kem.h
  9. +112
    -465
      crypto_kem/firesaber/avx2/pack_unpack.c
  10. +9
    -37
      crypto_kem/firesaber/avx2/pack_unpack.h
  11. +62
    -0
      crypto_kem/firesaber/avx2/poly.c
  12. +24
    -12
      crypto_kem/firesaber/avx2/poly.h
  13. +1524
    -0
      crypto_kem/firesaber/avx2/poly_mul.c
  14. +0
    -20
      crypto_kem/firesaber/avx2/polymul/consts.h
  15. +0
    -303
      crypto_kem/firesaber/avx2/polymul/matrix.c
  16. +0
    -753
      crypto_kem/firesaber/avx2/polymul/scm_avx.c
  17. +0
    -1010
      crypto_kem/firesaber/avx2/polymul/toom-cook_4way.c
  18. +63
    -42
      crypto_kem/firesaber/clean/SABER_indcpa.c
  19. +1
    -1
      crypto_kem/firesaber/clean/SABER_indcpa.h
  20. +7
    -5
      crypto_kem/firesaber/clean/SABER_params.h
  21. +1
    -1
      crypto_kem/firesaber/clean/api.h
  22. +87
    -74
      crypto_kem/firesaber/clean/pack_unpack.c
  23. +9
    -8
      crypto_kem/firesaber/clean/pack_unpack.h
  24. +26
    -18
      crypto_kem/firesaber/clean/poly.c
  25. +12
    -4
      crypto_kem/firesaber/clean/poly.h
  26. +12
    -6
      crypto_kem/firesaber/clean/poly_mul.c
  27. +0
    -6
      crypto_kem/firesaber/clean/poly_mul.h
  28. +2
    -2
      crypto_kem/lightsaber/META.yml
  29. +1
    -1
      crypto_kem/lightsaber/avx2/Makefile
  30. +72
    -362
      crypto_kem/lightsaber/avx2/SABER_indcpa.c
  31. +18
    -23
      crypto_kem/lightsaber/avx2/SABER_params.h
  32. +8
    -11
      crypto_kem/lightsaber/avx2/cbd.c
  33. +2
    -2
      crypto_kem/lightsaber/avx2/cbd.h
  34. +5
    -7
      crypto_kem/lightsaber/avx2/kem.c
  35. +0
    -32
      crypto_kem/lightsaber/avx2/kem.h
  36. +118
    -467
      crypto_kem/lightsaber/avx2/pack_unpack.c
  37. +9
    -37
      crypto_kem/lightsaber/avx2/pack_unpack.h
  38. +62
    -0
      crypto_kem/lightsaber/avx2/poly.c
  39. +24
    -12
      crypto_kem/lightsaber/avx2/poly.h
  40. +1524
    -0
      crypto_kem/lightsaber/avx2/poly_mul.c
  41. +0
    -20
      crypto_kem/lightsaber/avx2/polymul/consts.h
  42. +0
    -303
      crypto_kem/lightsaber/avx2/polymul/matrix.c
  43. +0
    -753
      crypto_kem/lightsaber/avx2/polymul/scm_avx.c
  44. +0
    -1010
      crypto_kem/lightsaber/avx2/polymul/toom-cook_4way.c
  45. +63
    -42
      crypto_kem/lightsaber/clean/SABER_indcpa.c
  46. +1
    -1
      crypto_kem/lightsaber/clean/SABER_indcpa.h
  47. +7
    -5
      crypto_kem/lightsaber/clean/SABER_params.h
  48. +1
    -1
      crypto_kem/lightsaber/clean/api.h
  49. +91
    -78
      crypto_kem/lightsaber/clean/pack_unpack.c
  50. +9
    -8
      crypto_kem/lightsaber/clean/pack_unpack.h
  51. +26
    -18
      crypto_kem/lightsaber/clean/poly.c
  52. +12
    -4
      crypto_kem/lightsaber/clean/poly.h
  53. +12
    -6
      crypto_kem/lightsaber/clean/poly_mul.c
  54. +0
    -6
      crypto_kem/lightsaber/clean/poly_mul.h
  55. +2
    -2
      crypto_kem/saber/META.yml
  56. +1
    -1
      crypto_kem/saber/avx2/Makefile
  57. +72
    -362
      crypto_kem/saber/avx2/SABER_indcpa.c
  58. +18
    -23
      crypto_kem/saber/avx2/SABER_params.h
  59. +10
    -13
      crypto_kem/saber/avx2/cbd.c
  60. +2
    -2
      crypto_kem/saber/avx2/cbd.h
  61. +5
    -7
      crypto_kem/saber/avx2/kem.c
  62. +0
    -32
      crypto_kem/saber/avx2/kem.h
  63. +107
    -464
      crypto_kem/saber/avx2/pack_unpack.c
  64. +9
    -37
      crypto_kem/saber/avx2/pack_unpack.h
  65. +62
    -0
      crypto_kem/saber/avx2/poly.c
  66. +24
    -12
      crypto_kem/saber/avx2/poly.h
  67. +1524
    -0
      crypto_kem/saber/avx2/poly_mul.c
  68. +0
    -20
      crypto_kem/saber/avx2/polymul/consts.h
  69. +0
    -303
      crypto_kem/saber/avx2/polymul/matrix.c
  70. +0
    -753
      crypto_kem/saber/avx2/polymul/scm_avx.c
  71. +0
    -1010
      crypto_kem/saber/avx2/polymul/toom-cook_4way.c
  72. +63
    -42
      crypto_kem/saber/clean/SABER_indcpa.c
  73. +1
    -1
      crypto_kem/saber/clean/SABER_indcpa.h
  74. +7
    -5
      crypto_kem/saber/clean/SABER_params.h
  75. +1
    -1
      crypto_kem/saber/clean/api.h
  76. +83
    -70
      crypto_kem/saber/clean/pack_unpack.c
  77. +9
    -8
      crypto_kem/saber/clean/pack_unpack.h
  78. +26
    -18
      crypto_kem/saber/clean/poly.c
  79. +12
    -4
      crypto_kem/saber/clean/poly.h
  80. +12
    -6
      crypto_kem/saber/clean/poly_mul.c
  81. +0
    -6
      crypto_kem/saber/clean/poly_mul.h
  82. +9
    -0
      test/duplicate_consistency/firesaber_avx2.yml
  83. +9
    -0
      test/duplicate_consistency/firesaber_clean.yml
  84. +25
    -2
      test/duplicate_consistency/lightsaber_avx2.yml
  85. +19
    -0
      test/duplicate_consistency/lightsaber_clean.yml
  86. +17
    -1
      test/duplicate_consistency/saber_avx2.yml
  87. +14
    -0
      test/duplicate_consistency/saber_clean.yml

+ 2
- 2
crypto_kem/firesaber/META.yml View File

@@ -14,9 +14,9 @@ principal-submitters:
- Frederik Vercauteren
implementations:
- name: clean
version: https://github.com/KULeuven-COSIC/SABER/tree/509cc5ec3a7e12a751ccdd2ef5bd6e54e00bd350 via https://github.com/jschanck/package-pqclean/tree/b53a47b5/saber
version: https://github.com/KULeuven-COSIC/SABER/tree/509cc5ec3a7e12a751ccdd2ef5bd6e54e00bd350 via https://github.com/jschanck/package-pqclean/tree/88ee652a/saber
- name: avx2
version: https://github.com/KULeuven-COSIC/SABER/tree/509cc5ec3a7e12a751ccdd2ef5bd6e54e00bd350 via https://github.com/jschanck/package-pqclean/tree/b53a47b5/saber
version: https://github.com/KULeuven-COSIC/SABER/tree/509cc5ec3a7e12a751ccdd2ef5bd6e54e00bd350 via https://github.com/jschanck/package-pqclean/tree/88ee652a/saber
supported_platforms:
- architecture: x86_64
operating_systems:


+ 1
- 1
crypto_kem/firesaber/avx2/Makefile View File

@@ -2,7 +2,7 @@

LIB=libfiresaber_avx2.a
HEADERS=api.h cbd.h kem.h pack_unpack.h poly.h SABER_indcpa.h SABER_params.h verify.h
OBJECTS=cbd.o kem.o pack_unpack.o SABER_indcpa.o verify.o
OBJECTS=cbd.o kem.o pack_unpack.o poly.o poly_mul.o SABER_indcpa.o verify.o

CFLAGS=-O3 -mavx2 -Wall -Wextra -Wpedantic -Wvla -Werror -Wredundant-decls -Wmissing-prototypes -std=c99 -I../../../common $(EXTRAFLAGS)



+ 72
- 362
crypto_kem/firesaber/avx2/SABER_indcpa.c View File

@@ -1,416 +1,125 @@
#include "./polymul/toom-cook_4way.c"
#include "SABER_indcpa.h"
#include "SABER_params.h"
#include "api.h"
#include "cbd.h"
#include "fips202.h"
#include "pack_unpack.h"
#include "poly.h"
#include "randombytes.h"
#include <stdint.h>
#include <stdio.h>
#include <string.h>
//#include "randombytes.h"
//#include "./polymul/toom_cook_4/toom-cook_4way.c"

#define h1 4 //2^(EQ-EP-1)
#define h1 (1 << (SABER_EQ - SABER_EP - 1))
#define h2 ((1 << (SABER_EP - 2)) - (1 << (SABER_EP - SABER_ET - 1)) + (1 << (SABER_EQ - SABER_EP - 1)))

#define h2 ( (1<<(SABER_EP-2)) - (1<<(SABER_EP-SABER_ET-1)) + (1<<(SABER_EQ-SABER_EP-1)) )
void PQCLEAN_FIRESABER_AVX2_indcpa_kem_keypair(uint8_t pk[SABER_INDCPA_PUBLICKEYBYTES], uint8_t sk[SABER_INDCPA_SECRETKEYBYTES]) {
size_t i, j;

poly A[SABER_L][SABER_L];
poly *skpv1 = A[0]; // use first row of A to hold sk temporarily
toom4_points skpv1_eval[SABER_L];
poly res[SABER_L];

static void POL2MSG(uint8_t *message_dec, const uint16_t *message_dec_unpacked) {
int32_t i, j;
uint8_t rand[SABER_NOISESEEDBYTES];
uint8_t *seed_A = pk + SABER_POLYVECCOMPRESSEDBYTES;

for (j = 0; j < SABER_KEYBYTES; j++) {
message_dec[j] = 0;
for (i = 0; i < 8; i++) {
message_dec[j] = message_dec[j] | (message_dec_unpacked[j * 8 + i] << i);
}
}
}

/*-----------------------------------------------------------------------------------
This routine generates a=[Matrix K x K] of 256-coefficient polynomials

static void GenMatrix(polyvec *a, const uint8_t *seed) {
uint8_t buf[SABER_K * SABER_K * 13 * SABER_N / 8];

uint16_t temp_ar[SABER_N];

int i, j, k;
uint16_t mod = (SABER_Q - 1);

shake128(buf, sizeof(buf), seed, SABER_SEEDBYTES);

for (i = 0; i < SABER_K; i++) {
for (j = 0; j < SABER_K; j++) {
PQCLEAN_FIRESABER_AVX2_BS2POLq(temp_ar, buf + (i * SABER_K + j) * 13 * SABER_N / 8);
for (k = 0; k < SABER_N; k++) {
a[i].vec[j].coeffs[k] = (temp_ar[k])& mod ;
}
}
}
}

static void GenSecret(uint16_t r[SABER_K][SABER_N], const uint8_t *seed) {

uint32_t i;
randombytes(seed_A, SABER_SEEDBYTES);
shake128(seed_A, SABER_SEEDBYTES, seed_A, SABER_SEEDBYTES); // for not revealing system RNG state

uint8_t buf[SABER_MU * SABER_N * SABER_K / 8];
randombytes(rand, SABER_NOISESEEDBYTES);
PQCLEAN_FIRESABER_AVX2_GenSecret(skpv1, rand);
PQCLEAN_FIRESABER_AVX2_POLVECq2BS(sk, skpv1); // pack secret key

shake128(buf, sizeof(buf), seed, SABER_NOISESEEDBYTES);

for (i = 0; i < SABER_K; i++) {
PQCLEAN_FIRESABER_AVX2_cbd(r[i], buf + i * SABER_MU * SABER_N / 8);
for (j = 0; j < SABER_L; j++) {
PQCLEAN_FIRESABER_AVX2_toom4_eval(&skpv1_eval[j], &skpv1[j]);
}
}

//********************************matrix-vector mul routines*****************************************************
static void matrix_vector_mul(__m256i res_avx[NUM_POLY][AVX_N1], __m256i a1_avx_combined[NUM_POLY][NUM_POLY][AVX_N1], __m256i b_bucket[NUM_POLY][SCHB_N * 4], int isTranspose) {
int64_t i, j;

__m256i c_bucket[2 * SCM_SIZE * 4]; //Holds results for 9 Karatsuba at a time

for (i = 0; i < NUM_POLY; i++) {
for (j = 0; j < NUM_POLY; j++) {
PQCLEAN_FIRESABER_AVX2_GenMatrix(A, seed_A); // sample matrix A
PQCLEAN_FIRESABER_AVX2_MatrixVectorMul(res, (const poly (*)[SABER_L])A, (const toom4_points *)skpv1_eval, 1); // Matrix in transposed order

if (isTranspose == 0) {
toom_cook_4way_avx_n1(a1_avx_combined[i][j], b_bucket[j], c_bucket, j);
} else {
toom_cook_4way_avx_n1(a1_avx_combined[j][i], b_bucket[j], c_bucket, j);
}
// rounding
for (i = 0; i < SABER_L; i++) {
for (j = 0; j < SABER_N; j++) {
res[i].coeffs[j] += h1;
res[i].coeffs[j] >>= SABER_EQ - SABER_EP;
res[i].coeffs[j] &= SABER_Q - 1;
}

TC_interpol(c_bucket, res_avx[i]);
}

}

static void vector_vector_mul(__m256i res_avx[AVX_N1], __m256i a_avx[NUM_POLY][AVX_N1], __m256i b_bucket[NUM_POLY][SCHB_N * 4]) {

int64_t i;

__m256i c_bucket[2 * SCM_SIZE * 4]; //Holds results for 9 Karatsuba at a time

for (i = 0; i < NUM_POLY; i++) {
toom_cook_4way_avx_n1(a_avx[i], b_bucket[i], c_bucket, i);
}
TC_interpol(c_bucket, res_avx);
}

//********************************matrix-vector mul routines*****************************************************

void PQCLEAN_FIRESABER_AVX2_indcpa_kem_keypair(uint8_t *pk, uint8_t *sk) {

polyvec a[SABER_K];

uint16_t skpv1[SABER_K][SABER_N];



uint8_t seed[SABER_SEEDBYTES];
uint8_t noiseseed[SABER_COINBYTES];
int32_t i, j, k;


//--------------AVX declaration------------------

__m256i sk_avx[SABER_K][SABER_N / 16];
__m256i mod;
__m256i res_avx[SABER_K][SABER_N / 16];
__m256i a_avx[SABER_K][SABER_K][SABER_N / 16];
//__m256i acc[2*SABER_N/16];

mod = _mm256_set1_epi16(SABER_Q - 1);

__m256i b_bucket[NUM_POLY][SCHB_N * 4];

//--------------AVX declaration ends------------------

randombytes(seed, SABER_SEEDBYTES);

shake128(seed, SABER_SEEDBYTES, seed, SABER_SEEDBYTES); // for not revealing system RNG state
randombytes(noiseseed, SABER_COINBYTES);


GenMatrix(a, seed); //sample matrix A

GenSecret(skpv1, noiseseed);


// Load sk into avx vectors
for (i = 0; i < SABER_K; i++) {
for (j = 0; j < SABER_N / 16; j++) {
sk_avx[i][j] = _mm256_loadu_si256 ((__m256i const *) (&skpv1[i][j * 16]));
}

}

// Load a into avx vectors
for (i = 0; i < SABER_K; i++) {
for (j = 0; j < SABER_K; j++) {
for (k = 0; k < SABER_N / 16; k++) {
a_avx[i][j][k] = _mm256_loadu_si256 ((__m256i const *) (&a[i].vec[j].coeffs[k * 16]));
}
}
}



//------------------------do the matrix vector multiplication and rounding------------

for (j = 0; j < NUM_POLY; j++) {
TC_eval(sk_avx[j], b_bucket[j]);
}
matrix_vector_mul(res_avx, a_avx, b_bucket, 1);// Matrix-vector multiplication; Matrix in transposed order

// Now truncation


for (i = 0; i < SABER_K; i++) { //shift right EQ-EP bits
for (j = 0; j < SABER_N / 16; j++) {
res_avx[i][j] = _mm256_add_epi16 (res_avx[i][j], _mm256_set1_epi16(h1));
res_avx[i][j] = _mm256_srli_epi16 (res_avx[i][j], (SABER_EQ - SABER_EP) );
res_avx[i][j] = _mm256_and_si256 (res_avx[i][j], mod);
}
}

//------------------Pack sk into byte string-------

PQCLEAN_FIRESABER_AVX2_POLVEC2BS(sk, (const uint16_t (*)[SABER_N])skpv1, SABER_Q);

//------------------Pack pk into byte string-------

for (i = 0; i < SABER_K; i++) { // reuses skpv1[] for unpacking avx of public-key
for (j = 0; j < SABER_N / 16; j++) {
_mm256_maskstore_epi32 ((int *) (skpv1[i] + j * 16), _mm256_set1_epi32(-1), res_avx[i][j]);
}
}
PQCLEAN_FIRESABER_AVX2_POLVEC2BS(pk, (const uint16_t (*)[SABER_N])skpv1, SABER_P); // load the public-key into pk byte string


for (i = 0; i < SABER_SEEDBYTES; i++) { // now load the seedbytes in PK. Easy since seed bytes are kept in byte format.
pk[SABER_POLYVECCOMPRESSEDBYTES + i] = seed[i];
}

PQCLEAN_FIRESABER_AVX2_POLVECp2BS(pk, res); // pack public key
}


void PQCLEAN_FIRESABER_AVX2_indcpa_kem_enc(uint8_t ciphertext[SABER_BYTES_CCA_DEC], const uint8_t m[SABER_KEYBYTES], const uint8_t noiseseed[SABER_NOISESEEDBYTES], const uint8_t pk[SABER_INDCPA_PUBLICKEYBYTES]) {
size_t i, j;

poly A[SABER_L][SABER_L];
poly res[SABER_L];
toom4_points skpv1_eval[SABER_L];

uint32_t i, j, k;
polyvec a[SABER_K]; // skpv;
uint8_t seed[SABER_SEEDBYTES];
uint16_t pkcl[SABER_K][SABER_N]; //public key of received by the client


uint16_t skpv1[SABER_K][SABER_N];
uint16_t temp[SABER_K][SABER_N];
uint16_t message[SABER_KEYBYTES * 8];

uint8_t msk_c[SABER_SCALEBYTES_KEM];

//--------------AVX declaration------------------

__m256i sk_avx[SABER_K][SABER_N / 16];
__m256i mod, mod_p;
__m256i res_avx[SABER_K][SABER_N / 16];
__m256i vprime_avx[SABER_N / 16];
__m256i a_avx[SABER_K][SABER_K][SABER_N / 16];
//__m256i acc[2*SABER_N/16];

__m256i pkcl_avx[SABER_K][SABER_N / 16];

__m256i message_avx[SABER_N / 16];

mod = _mm256_set1_epi16(SABER_Q - 1);
mod_p = _mm256_set1_epi16(SABER_P - 1);
poly *temp = A[0]; // re-use stack space
poly *vprime = &A[0][0];
poly *message = &A[0][1];

const uint8_t *seed_A = pk + SABER_POLYVECCOMPRESSEDBYTES;
uint8_t *msk_c = ciphertext + SABER_POLYVECCOMPRESSEDBYTES;


__m256i b_bucket[NUM_POLY][SCHB_N * 4];

//--------------AVX declaration ends------------------
for (i = 0; i < SABER_SEEDBYTES; i++) { // Load the seedbytes in the client seed from PK.
seed[i] = pk[ SABER_POLYVECCOMPRESSEDBYTES + i];
PQCLEAN_FIRESABER_AVX2_GenSecret(temp, noiseseed);
for (j = 0; j < SABER_L; j++) {
PQCLEAN_FIRESABER_AVX2_toom4_eval(&skpv1_eval[j], &temp[j]);
}

GenMatrix(a, seed);
GenSecret(skpv1, noiseseed);

// ----------- Load skpv1 into avx vectors ----------
for (i = 0; i < SABER_K; i++) {
for (j = 0; j < SABER_N / 16; j++) {
sk_avx[i][j] = _mm256_loadu_si256 ((__m256i const *) (&skpv1[i][j * 16]));
}
}
PQCLEAN_FIRESABER_AVX2_GenMatrix(A, seed_A);
PQCLEAN_FIRESABER_AVX2_MatrixVectorMul(res, (const poly (*)[SABER_L])A, (const toom4_points *)skpv1_eval, 0); // 0 => not transposed

// ----------- Load skpv1 into avx vectors ----------
for (i = 0; i < SABER_K; i++) {
for (j = 0; j < SABER_K; j++) {
for (k = 0; k < SABER_N / 16; k++) {
a_avx[i][j][k] = _mm256_loadu_si256 ((__m256i const *) (&a[i].vec[j].coeffs[k * 16]));
}
// rounding
for (i = 0; i < SABER_L; i++) { //shift right EQ-EP bits
for (j = 0; j < SABER_N; j++) {
res[i].coeffs[j] += h1;
res[i].coeffs[j] >>= SABER_EQ - SABER_EP;
res[i].coeffs[j] &= SABER_Q - 1;
}
}
//-----------------matrix-vector multiplication and rounding

for (j = 0; j < NUM_POLY; j++) {
TC_eval(sk_avx[j], b_bucket[j]);
}
matrix_vector_mul(res_avx, a_avx, b_bucket, 0);// Matrix-vector multiplication; Matrix in normal order

// Now truncation

for (i = 0; i < SABER_K; i++) { //shift right EQ-EP bits
for (j = 0; j < SABER_N / 16; j++) {
res_avx[i][j] = _mm256_add_epi16 (res_avx[i][j], _mm256_set1_epi16(h1));
res_avx[i][j] = _mm256_srli_epi16 (res_avx[i][j], (SABER_EQ - SABER_EP) );
res_avx[i][j] = _mm256_and_si256 (res_avx[i][j], mod);

}
}


//-----this result should be put in b_prime for later use in server.
for (i = 0; i < SABER_K; i++) { // first store in 16 bit arrays
for (j = 0; j < SABER_N / 16; j++) {
_mm256_maskstore_epi32 ((int *)(temp[i] + j * 16), _mm256_set1_epi32(-1), res_avx[i][j]);
}
}

PQCLEAN_FIRESABER_AVX2_POLVEC2BS(ciphertext, (const uint16_t (*)[SABER_N])temp, SABER_P); // Pack b_prime into ciphertext byte string

//**************client matrix-vector multiplication ends******************//

//------now calculate the v'

//-------unpack the public_key
PQCLEAN_FIRESABER_AVX2_BS2POLVEC(pkcl, pk, SABER_P);

for (i = 0; i < SABER_K; i++) {
for (j = 0; j < SABER_N / 16; j++) {
pkcl_avx[i][j] = _mm256_loadu_si256 ((__m256i const *) (&pkcl[i][j * 16]));
}
}

// InnerProduct
//for(k=0;k<SABER_N/16;k++){
// vprime_avx[k]=_mm256_xor_si256(vprime_avx[k],vprime_avx[k]);
//}
PQCLEAN_FIRESABER_AVX2_POLVECp2BS(ciphertext, res);

// vector-vector scalar multiplication with mod p
PQCLEAN_FIRESABER_AVX2_BS2POLVECp(temp, pk);
PQCLEAN_FIRESABER_AVX2_InnerProd(vprime, temp, skpv1_eval);
PQCLEAN_FIRESABER_AVX2_BS2POLmsg(message, m);

vector_vector_mul(vprime_avx, pkcl_avx, b_bucket);

// Computation of v'+h1
for (i = 0; i < SABER_N / 16; i++) { //adding h1
vprime_avx[i] = _mm256_add_epi16(vprime_avx[i], _mm256_set1_epi16(h1));
}

// unpack m;
for (j = 0; j < SABER_KEYBYTES; j++) {
for (i = 0; i < 8; i++) {
message[8 * j + i] = ((m[j] >> i) & 0x01);
}
}
// message encoding
for (i = 0; i < SABER_N / 16; i++) {
message_avx[i] = _mm256_loadu_si256 ((__m256i const *) (&message[i * 16]));
message_avx[i] = _mm256_slli_epi16 (message_avx[i], (SABER_EP - 1) );
}

// SHIFTRIGHT(v'+h1-m mod p, EP-ET)
for (k = 0; k < SABER_N / 16; k++) {
vprime_avx[k] = _mm256_sub_epi16(vprime_avx[k], message_avx[k]);
vprime_avx[k] = _mm256_and_si256(vprime_avx[k], mod_p);
vprime_avx[k] = _mm256_srli_epi16 (vprime_avx[k], (SABER_EP - SABER_ET) );
}

// Unpack avx
for (j = 0; j < SABER_N / 16; j++) {
_mm256_maskstore_epi32 ((int *) (temp[0] + j * 16), _mm256_set1_epi32(-1), vprime_avx[j]);
}

PQCLEAN_FIRESABER_AVX2_SABER_pack_6bit(msk_c, temp[0]);


for (j = 0; j < SABER_SCALEBYTES_KEM; j++) {
ciphertext[SABER_CIPHERTEXTBYTES + j] = msk_c[j];
for (i = 0; i < SABER_N; i++) {
vprime->coeffs[i] += h1 - (message->coeffs[i] << (SABER_EP - 1));
vprime->coeffs[i] &= SABER_P - 1;
vprime->coeffs[i] >>= SABER_EP - SABER_ET;
}

PQCLEAN_FIRESABER_AVX2_POLT2BS(msk_c, vprime);
}


void PQCLEAN_FIRESABER_AVX2_indcpa_kem_dec(uint8_t m[SABER_KEYBYTES], const uint8_t sk[SABER_INDCPA_SECRETKEYBYTES], const uint8_t ciphertext[SABER_BYTES_CCA_DEC]) {
size_t i;

uint32_t i, j;
uint16_t sksv[SABER_K][SABER_N]; //secret key of the server
uint16_t pksv[SABER_K][SABER_N];
uint16_t message_dec_unpacked[SABER_KEYBYTES * 8]; // one element containes on decrypted bit;
uint8_t scale_ar[SABER_SCALEBYTES_KEM];
uint16_t op[SABER_N];

//--------------AVX declaration------------------


//__m256i mod_p;

__m256i v_avx[SABER_N / 16];

//__m256i acc[2*SABER_N/16];

__m256i sksv_avx[SABER_K][SABER_N / 16];
__m256i pksv_avx[SABER_K][SABER_N / 16];
poly temp[SABER_L];
toom4_points sksv_eval[SABER_L];

//mod_p=_mm256_set1_epi16(SABER_P-1);
const uint8_t *packed_cm = ciphertext + SABER_POLYVECCOMPRESSEDBYTES;
poly *v = &temp[0];
poly *cm = &temp[1];

__m256i b_bucket[NUM_POLY][SCHB_N * 4];
//--------------AVX declaration ends------------------

//-------unpack the public_key

PQCLEAN_FIRESABER_AVX2_BS2POLVEC(sksv, sk, SABER_Q); //sksv is the secret-key
PQCLEAN_FIRESABER_AVX2_BS2POLVEC(pksv, ciphertext, SABER_P); //pksv is the ciphertext

for (i = 0; i < SABER_K; i++) {
for (j = 0; j < SABER_N / 16; j++) {
sksv_avx[i][j] = _mm256_loadu_si256 ((__m256i const *) (&sksv[i][j * 16]));
pksv_avx[i][j] = _mm256_loadu_si256 ((__m256i const *) (&pksv[i][j * 16]));
}
PQCLEAN_FIRESABER_AVX2_BS2POLVECq(temp, sk);
for (i = 0; i < SABER_L; i++) {
PQCLEAN_FIRESABER_AVX2_toom4_eval(&sksv_eval[i], &temp[i]);
}

for (i = 0; i < SABER_N / 16; i++) {
v_avx[i] = _mm256_xor_si256(v_avx[i], v_avx[i]);
}


// InnerProduct(b', s, mod p)

for (j = 0; j < NUM_POLY; j++) {
TC_eval(sksv_avx[j], b_bucket[j]);
}
PQCLEAN_FIRESABER_AVX2_BS2POLVECp(temp, ciphertext);
PQCLEAN_FIRESABER_AVX2_InnerProd(v, temp, sksv_eval);

vector_vector_mul(v_avx, pksv_avx, b_bucket);
PQCLEAN_FIRESABER_AVX2_BS2POLT(cm, packed_cm);

for (i = 0; i < SABER_N / 16; i++) {
_mm256_maskstore_epi32 ((int *)(message_dec_unpacked + i * 16), _mm256_set1_epi32(-1), v_avx[i]);
}


for (i = 0; i < SABER_SCALEBYTES_KEM; i++) {
scale_ar[i] = ciphertext[SABER_CIPHERTEXTBYTES + i];
}

PQCLEAN_FIRESABER_AVX2_SABER_un_pack6bit(op, scale_ar);


//addition of h2
for (i = 0; i < SABER_N; i++) {
message_dec_unpacked[i] = ( ( message_dec_unpacked[i] + h2 - (op[i] << (SABER_EP - SABER_ET)) ) & (SABER_P - 1) ) >> (SABER_EP - 1);
v->coeffs[i] += h2 - (cm->coeffs[i] << (SABER_EP - SABER_ET));
v->coeffs[i] &= SABER_P - 1;
v->coeffs[i] >>= SABER_EP - 1;
}


POL2MSG(m, message_dec_unpacked);
PQCLEAN_FIRESABER_AVX2_POLmsg2BS(m, v);
}

+ 18
- 22
crypto_kem/firesaber/avx2/SABER_params.h View File

@@ -1,45 +1,41 @@
#ifndef PARAMS_H
#define PARAMS_H
#include "api.h"




#define SABER_K 4
/* Don't change anything below this line */
#define SABER_L 4
#define SABER_MU 6
#define SABER_ET 6

#define SABER_EQ 13
#define SABER_EP 10

#define SABER_N 256
#define SABER_Q 8192 //2^13
#define SABER_P 1024

#define SABER_SEEDBYTES 32
#define SABER_NOISESEEDBYTES 32
#define SABER_COINBYTES 32
#define SABER_KEYBYTES 32
#define SABER_EP 10
#define SABER_P (1 << SABER_EP)

#define SABER_HASHBYTES 32
#define SABER_EQ 13
#define SABER_Q (1 << SABER_EQ)

#define SABER_POLYBYTES 416 //13*256/8
#define SABER_SEEDBYTES 32
#define SABER_NOISESEEDBYTES 32
#define SABER_KEYBYTES 32
#define SABER_HASHBYTES 32

#define SABER_POLYVECBYTES (SABER_K * SABER_POLYBYTES)
#define SABER_POLYCOINBYTES (SABER_MU * SABER_N / 8)

#define SABER_POLYVECCOMPRESSEDBYTES (SABER_K * 320) //10*256/8 NOTE : changed till here due to parameter adaptation
#define SABER_POLYBYTES (SABER_EQ * SABER_N / 8)
#define SABER_POLYVECBYTES (SABER_L * SABER_POLYBYTES)

#define SABER_CIPHERTEXTBYTES (SABER_POLYVECCOMPRESSEDBYTES)
#define SABER_POLYCOMPRESSEDBYTES (SABER_EP * SABER_N / 8)
#define SABER_POLYVECCOMPRESSEDBYTES (SABER_L * SABER_POLYCOMPRESSEDBYTES)

#define SABER_SCALEBYTES_KEM ((SABER_ET)*SABER_N/8)
#define SABER_SCALEBYTES_KEM (SABER_ET * SABER_N / 8)

#define SABER_INDCPA_PUBLICKEYBYTES (SABER_POLYVECCOMPRESSEDBYTES + SABER_SEEDBYTES)
#define SABER_INDCPA_SECRETKEYBYTES (SABER_POLYVECBYTES)

#define SABER_PUBLICKEYBYTES (SABER_INDCPA_PUBLICKEYBYTES)
#define SABER_SECRETKEYBYTES (SABER_INDCPA_SECRETKEYBYTES + SABER_INDCPA_PUBLICKEYBYTES + SABER_HASHBYTES + SABER_KEYBYTES)

#define SABER_SECRETKEYBYTES (SABER_INDCPA_SECRETKEYBYTES + SABER_INDCPA_PUBLICKEYBYTES + SABER_HASHBYTES + SABER_KEYBYTES)

#define SABER_BYTES_CCA_DEC (SABER_POLYVECCOMPRESSEDBYTES + SABER_SCALEBYTES_KEM) /* Second part is for Targhi-Unruh */
#define SABER_BYTES_CCA_DEC (SABER_POLYVECCOMPRESSEDBYTES + SABER_SCALEBYTES_KEM)

#endif

+ 11
- 15
crypto_kem/firesaber/avx2/cbd.c View File

@@ -11,7 +11,7 @@ Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle
----------------------------------------------------------------------*/


static uint64_t load_littleendian(const unsigned char *x, int bytes) {
static uint64_t load_littleendian(const uint8_t *x, int bytes) {
int i;
uint64_t r = x[0];
for (i = 1; i < bytes; i++) {
@@ -20,33 +20,29 @@ static uint64_t load_littleendian(const unsigned char *x, int bytes) {
return r;
}


void PQCLEAN_FIRESABER_AVX2_cbd(uint16_t *r, const unsigned char *buf) {
uint16_t Qmod_minus1 = SABER_Q - 1;

void PQCLEAN_FIRESABER_AVX2_cbd(uint16_t s[SABER_N], const uint8_t buf[SABER_POLYCOINBYTES]) {
uint32_t t, d, a[4], b[4];
int i, j;

for (i = 0; i < SABER_N / 4; i++) {
t = load_littleendian(buf + 3 * i, 3);
t = (uint32_t) load_littleendian(buf + 3 * i, 3);
d = 0;
for (j = 0; j < 3; j++) {
d += (t >> j) & 0x249249;
}

a[0] = d & 0x7;
b[0] = (d >> 3) & 0x7;
a[1] = (d >> 6) & 0x7;
b[1] = (d >> 9) & 0x7;
a[0] = d & 0x7;
b[0] = (d >> 3) & 0x7;
a[1] = (d >> 6) & 0x7;
b[1] = (d >> 9) & 0x7;
a[2] = (d >> 12) & 0x7;
b[2] = (d >> 15) & 0x7;
a[3] = (d >> 18) & 0x7;
b[3] = (d >> 21);

r[4 * i + 0] = (uint16_t)(a[0] - b[0]) & Qmod_minus1;
r[4 * i + 1] = (uint16_t)(a[1] - b[1]) & Qmod_minus1;
r[4 * i + 2] = (uint16_t)(a[2] - b[2]) & Qmod_minus1;
r[4 * i + 3] = (uint16_t)(a[3] - b[3]) & Qmod_minus1;

s[4 * i + 0] = (uint16_t)(a[0] - b[0]);
s[4 * i + 1] = (uint16_t)(a[1] - b[1]);
s[4 * i + 2] = (uint16_t)(a[2] - b[2]);
s[4 * i + 3] = (uint16_t)(a[3] - b[3]);
}
}

+ 2
- 2
crypto_kem/firesaber/avx2/cbd.h View File

@@ -7,10 +7,10 @@ of "CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM"
by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint,
Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle
----------------------------------------------------------------------*/
#include "poly.h"
#include "SABER_params.h"
#include <stdint.h>

void PQCLEAN_FIRESABER_AVX2_cbd(uint16_t *r, const unsigned char *buf);
void PQCLEAN_FIRESABER_AVX2_cbd(uint16_t s[SABER_N], const uint8_t buf[SABER_POLYCOINBYTES]);


#endif

+ 5
- 7
crypto_kem/firesaber/avx2/kem.c View File

@@ -4,14 +4,12 @@
#include "fips202.h"
#include "randombytes.h"
#include "verify.h"
#include <immintrin.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>


int PQCLEAN_FIRESABER_AVX2_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) {
int i;
size_t i;

PQCLEAN_FIRESABER_AVX2_indcpa_kem_keypair(pk, sk); // sk[0:SABER_INDCPA_SECRETKEYBYTES-1] <-- sk
for (i = 0; i < SABER_INDCPA_PUBLICKEYBYTES; i++) {
@@ -39,7 +37,7 @@ int PQCLEAN_FIRESABER_AVX2_crypto_kem_enc(uint8_t *c, uint8_t *k, const uint8_t
sha3_512(kr, buf, 64); // kr[0:63] <-- Hash(buf[0:63]);
// K^ <-- kr[0:31]
// noiseseed (r) <-- kr[32:63];
PQCLEAN_FIRESABER_AVX2_indcpa_kem_enc(c, buf, (const uint8_t *) (kr + 32), pk); // buf[0:31] contains message; kr[32:63] contains randomness r;
PQCLEAN_FIRESABER_AVX2_indcpa_kem_enc(c, buf, kr + 32, pk); // buf[0:31] contains message; kr[32:63] contains randomness r;

sha3_256(kr + 32, c, SABER_BYTES_CCA_DEC);

@@ -49,7 +47,7 @@ int PQCLEAN_FIRESABER_AVX2_crypto_kem_enc(uint8_t *c, uint8_t *k, const uint8_t
}

int PQCLEAN_FIRESABER_AVX2_crypto_kem_dec(uint8_t *k, const uint8_t *c, const uint8_t *sk) {
int i;
size_t i;
uint8_t fail;
uint8_t cmp[SABER_BYTES_CCA_DEC];
uint8_t buf[64];
@@ -65,7 +63,7 @@ int PQCLEAN_FIRESABER_AVX2_crypto_kem_dec(uint8_t *k, const uint8_t *c, const ui

sha3_512(kr, buf, 64);

PQCLEAN_FIRESABER_AVX2_indcpa_kem_enc(cmp, buf, (const uint8_t *) (kr + 32), pk);
PQCLEAN_FIRESABER_AVX2_indcpa_kem_enc(cmp, buf, kr + 32, pk);

fail = PQCLEAN_FIRESABER_AVX2_verify(c, cmp, SABER_BYTES_CCA_DEC);



+ 0
- 32
crypto_kem/firesaber/avx2/kem.h View File

@@ -1,35 +1,3 @@
#ifndef INDCPA_H
#define INDCPA_H

#include <stdint.h>

void PQCLEAN_FIRESABER_AVX2_indcpa_keypair(uint8_t *pk, uint8_t *sk);


void PQCLEAN_FIRESABER_AVX2_indcpa_client(uint8_t *pk, uint8_t *b_prime, uint8_t *c, uint8_t *key);


void PQCLEAN_FIRESABER_AVX2_indcpa_server(uint8_t *pk, uint8_t *b_prime, uint8_t *c, uint8_t *key);


void PQCLEAN_FIRESABER_AVX2_indcpa_kem_keypair(uint8_t *pk, uint8_t *sk);

void PQCLEAN_FIRESABER_AVX2_indcpa_kem_enc(uint8_t *message, uint8_t *noiseseed, uint8_t *pk, uint8_t *ciphertext);

void PQCLEAN_FIRESABER_AVX2_indcpa_kem_dec(uint8_t *sk, uint8_t *ciphertext, uint8_t message_dec[]);


int PQCLEAN_FIRESABER_AVX2_crypto_kem_keypair(unsigned char *pk, unsigned char *sk);

int PQCLEAN_FIRESABER_AVX2_crypto_kem_enc(unsigned char *c, unsigned char *k, const unsigned char *pk);

int PQCLEAN_FIRESABER_AVX2_crypto_kem_dec(unsigned char *k, const unsigned char *c, const unsigned char *sk);



//uint64_t clock1,clock2;

//uint64_t clock_kp_kex, clock_enc_kex, clock_dec_kex;


#endif

+ 112
- 465
crypto_kem/firesaber/avx2/pack_unpack.c View File

@@ -1,502 +1,149 @@
#include "SABER_params.h"
#include "pack_unpack.h"
#include "poly.h"
#include <string.h>


void PQCLEAN_FIRESABER_AVX2_SABER_pack_3bit(uint8_t *bytes, const uint16_t *data) {

uint32_t j;
uint32_t offset_data = 0, offset_byte = 0;

for (j = 0; j < SABER_N / 8; j++) {
offset_byte = 3 * j;
offset_data = 8 * j;
bytes[offset_byte + 0] = (data[offset_data + 0] & 0x7) | ( (data[offset_data + 1] & 0x7) << 3 ) | ((data[offset_data + 2] & 0x3) << 6);
bytes[offset_byte + 1] = ((data[offset_data + 2] >> 2 ) & 0x01) | ( (data[offset_data + 3] & 0x7) << 1 ) | ( (data[offset_data + 4] & 0x7) << 4 ) | (((data[offset_data + 5]) & 0x01) << 7);
bytes[offset_byte + 2] = ((data[offset_data + 5] >> 1 ) & 0x03) | ( (data[offset_data + 6] & 0x7) << 2 ) | ( (data[offset_data + 7] & 0x7) << 5 );
}
}

void PQCLEAN_FIRESABER_AVX2_SABER_un_pack3bit(uint16_t *data, const uint8_t *bytes) {

uint32_t j;
uint32_t offset_data = 0, offset_byte = 0;

for (j = 0; j < SABER_N / 8; j++) {
offset_byte = 3 * j;
offset_data = 8 * j;
data[offset_data + 0] = (bytes[offset_byte + 0]) & 0x07;
data[offset_data + 1] = ( (bytes[offset_byte + 0]) >> 3 ) & 0x07;
data[offset_data + 2] = ( ( (bytes[offset_byte + 0]) >> 6 ) & 0x03) | ( ( (bytes[offset_byte + 1]) & 0x01) << 2 );
data[offset_data + 3] = ( (bytes[offset_byte + 1]) >> 1 ) & 0x07;
data[offset_data + 4] = ( (bytes[offset_byte + 1]) >> 4 ) & 0x07;
data[offset_data + 5] = ( ( (bytes[offset_byte + 1]) >> 7 ) & 0x01) | ( ( (bytes[offset_byte + 2]) & 0x03) << 1 );
data[offset_data + 6] = ( (bytes[offset_byte + 2] >> 2) & 0x07 );
data[offset_data + 7] = ( (bytes[offset_byte + 2] >> 5) & 0x07 );
}

}

void PQCLEAN_FIRESABER_AVX2_SABER_pack_4bit(uint8_t *bytes, const uint16_t *data) {

uint32_t j;
uint32_t offset_data = 0;

for (j = 0; j < SABER_N / 2; j++) {
offset_data = 2 * j;
bytes[j] = (data[offset_data] & 0x0f) | ( (data[offset_data + 1] & 0x0f) << 4 );
}
}

void PQCLEAN_FIRESABER_AVX2_SABER_un_pack4bit(uint16_t *data, const uint8_t *bytes) {

uint32_t j;
uint32_t offset_data = 0;

for (j = 0; j < SABER_N / 2; j++) {
offset_data = 2 * j;
data[offset_data] = bytes[j] & 0x0f;
data[offset_data + 1] = (bytes[j] >> 4) & 0x0f;
}
}

void PQCLEAN_FIRESABER_AVX2_SABER_pack_6bit(uint8_t *bytes, const uint16_t *data) {

uint32_t j;
uint32_t offset_data = 0, offset_byte = 0;

void PQCLEAN_FIRESABER_AVX2_POLT2BS(uint8_t bytes[SABER_SCALEBYTES_KEM], const poly *data) {
size_t j;
const uint16_t *in = data->coeffs;
uint8_t *out = bytes;
for (j = 0; j < SABER_N / 4; j++) {
offset_byte = 3 * j;
offset_data = 4 * j;
bytes[offset_byte + 0] = (data[offset_data + 0] & 0x3f) | ((data[offset_data + 1] & 0x03) << 6);
bytes[offset_byte + 1] = ((data[offset_data + 1] >> 2) & 0x0f) | ((data[offset_data + 2] & 0x0f) << 4);
bytes[offset_byte + 2] = ((data[offset_data + 2] >> 4) & 0x03) | ((data[offset_data + 3] & 0x3f) << 2);
out[0] = (in[0] & 0x3f) | ((in[1] & 0x03) << 6);
out[1] = ((in[1] >> 2) & 0x0f) | ((in[2] & 0x0f) << 4);
out[2] = ((in[2] >> 4) & 0x03) | ((in[3] & 0x3f) << 2);
in += 4;
out += 3;
}
}


void PQCLEAN_FIRESABER_AVX2_SABER_un_pack6bit(uint16_t *data, const uint8_t *bytes) {

uint32_t j;
uint32_t offset_data = 0, offset_byte = 0;

void PQCLEAN_FIRESABER_AVX2_BS2POLT(poly *data, const uint8_t bytes[SABER_SCALEBYTES_KEM]) {
size_t j;
const uint8_t *in = bytes;
uint16_t *out = data->coeffs;
for (j = 0; j < SABER_N / 4; j++) {
offset_byte = 3 * j;
offset_data = 4 * j;
data[offset_data + 0] = bytes[offset_byte + 0] & 0x3f;
data[offset_data + 1] = ((bytes[offset_byte + 0] >> 6) & 0x03) | ((bytes[offset_byte + 1] & 0x0f) << 2) ;
data[offset_data + 2] = ((bytes[offset_byte + 1] & 0xff) >> 4) | ((bytes[offset_byte + 2] & 0x03) << 4) ;
data[offset_data + 3] = ((bytes[offset_byte + 2] & 0xff) >> 2);
}

}

void PQCLEAN_FIRESABER_AVX2_SABER_pack10bit(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N]) {

uint32_t i, j;
uint32_t offset_data = 0, offset_byte = 0, offset_byte1 = 0;

for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 10) / 8;
for (j = 0; j < SABER_N / 4; j++) {
offset_byte = offset_byte1 + 5 * j;
offset_data = 4 * j;
bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff));

bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x03 ) | ((data[i][ offset_data + 1 ] & 0x3f) << 2);

bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 6) & 0x0f ) | ( (data[i][ offset_data + 2 ] & 0x0f) << 4);

bytes[offset_byte + 3] = ( (data[i][ offset_data + 2 ] >> 4) & 0x3f ) | ((data[i][ offset_data + 3 ] & 0x03) << 6);

bytes[offset_byte + 4] = ( (data[i][ offset_data + 3 ] >> 2) & 0xff );
}
}
}

void PQCLEAN_FIRESABER_AVX2_POLVECp2BS(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N]) {

uint32_t i, j;
uint32_t offset_data = 0, offset_byte = 0, offset_byte1 = 0;

for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 10) / 8;
for (j = 0; j < SABER_N / 4; j++) {
offset_byte = offset_byte1 + 5 * j;
offset_data = 4 * j;
bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff));

bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x03 ) | ((data[i][ offset_data + 1 ] & 0x3f) << 2);

bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 6) & 0x0f ) | ( (data[i][ offset_data + 2 ] & 0x0f) << 4);

bytes[offset_byte + 3] = ( (data[i][ offset_data + 2 ] >> 4) & 0x3f ) | ((data[i][ offset_data + 3 ] & 0x03) << 6);

bytes[offset_byte + 4] = ( (data[i][ offset_data + 3 ] >> 2) & 0xff );
}
}
}

void PQCLEAN_FIRESABER_AVX2_POLVECq2BS(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N]) {

uint32_t i, j;
uint32_t offset_data = 0, offset_byte = 0, offset_byte1 = 0;

for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 13) / 8;
for (j = 0; j < SABER_N / 8; j++) {
offset_byte = offset_byte1 + 13 * j;
offset_data = 8 * j;
bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff));

bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x1f ) | ((data[i][ offset_data + 1 ] & 0x07) << 5);

bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 3) & 0xff );

bytes[offset_byte + 3] = ( (data[i][ offset_data + 1 ] >> 11) & 0x03 ) | ((data[i][ offset_data + 2 ] & 0x3f) << 2);

bytes[offset_byte + 4] = ( (data[i][ offset_data + 2 ] >> 6) & 0x7f ) | ( (data[i][ offset_data + 3 ] & 0x01) << 7 );

bytes[offset_byte + 5] = ( (data[i][ offset_data + 3 ] >> 1) & 0xff );

bytes[offset_byte + 6] = ( (data[i][ offset_data + 3 ] >> 9) & 0x0f ) | ( (data[i][ offset_data + 4 ] & 0x0f) << 4 );

bytes[offset_byte + 7] = ( (data[i][ offset_data + 4] >> 4) & 0xff );

bytes[offset_byte + 8] = ( (data[i][ offset_data + 4 ] >> 12) & 0x01 ) | ( (data[i][ offset_data + 5 ] & 0x7f) << 1 );

bytes[offset_byte + 9] = ( (data[i][ offset_data + 5 ] >> 7) & 0x3f ) | ( (data[i][ offset_data + 6 ] & 0x03) << 6 );

bytes[offset_byte + 10] = ( (data[i][ offset_data + 6 ] >> 2) & 0xff );

bytes[offset_byte + 11] = ( (data[i][ offset_data + 6 ] >> 10) & 0x07 ) | ( (data[i][ offset_data + 7 ] & 0x1f) << 3 );

bytes[offset_byte + 12] = ( (data[i][ offset_data + 7 ] >> 5) & 0xff );

}
out[0] = in[0] & 0x3f;
out[1] = ((in[0] >> 6) & 0x03) | ((in[1] & 0x0f) << 2);
out[2] = ((in[1] & 0xff) >> 4) | ((in[2] & 0x03) << 4);
out[3] = ((in[2] & 0xff) >> 2);
in += 3;
out += 4;
}


}

void PQCLEAN_FIRESABER_AVX2_BS2POLq(uint16_t data[SABER_N], const uint8_t *bytes) {

uint32_t j;
uint32_t offset_data = 0, offset_byte = 0;

static void POLq2BS(uint8_t bytes[SABER_POLYBYTES], const poly *data) {
size_t j;
const uint16_t *in = data->coeffs;
uint8_t *out = bytes;
for (j = 0; j < SABER_N / 8; j++) {
offset_byte = 13 * j;
offset_data = 8 * j;
data[offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[offset_byte + 1] & 0x1f) << 8);
data[offset_data + 1] = ( bytes[ offset_byte + 1 ] >> 5 & (0x07)) | ((bytes[offset_byte + 2] & 0xff) << 3) | ((bytes[offset_byte + 3] & 0x03) << 11);
data[offset_data + 2] = ( bytes[ offset_byte + 3 ] >> 2 & (0x3f)) | ((bytes[offset_byte + 4] & 0x7f) << 6);
data[offset_data + 3] = ( bytes[ offset_byte + 4 ] >> 7 & (0x01)) | ((bytes[offset_byte + 5] & 0xff) << 1) | ((bytes[offset_byte + 6] & 0x0f) << 9);
data[offset_data + 4] = ( bytes[ offset_byte + 6 ] >> 4 & (0x0f)) | ((bytes[offset_byte + 7] & 0xff) << 4) | ((bytes[offset_byte + 8] & 0x01) << 12);
data[offset_data + 5] = ( bytes[ offset_byte + 8] >> 1 & (0x7f)) | ((bytes[offset_byte + 9] & 0x3f) << 7);
data[offset_data + 6] = ( bytes[ offset_byte + 9] >> 6 & (0x03)) | ((bytes[offset_byte + 10] & 0xff) << 2) | ((bytes[offset_byte + 11] & 0x07) << 10);
data[offset_data + 7] = ( bytes[ offset_byte + 11] >> 3 & (0x1f)) | ((bytes[offset_byte + 12] & 0xff) << 5);
}
}



void PQCLEAN_FIRESABER_AVX2_BS2POLVECp(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes) {

uint32_t i, j;
uint32_t offset_data = 0, offset_byte = 0, offset_byte1 = 0;

for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 10) / 8;
for (j = 0; j < SABER_N / 4; j++) {
offset_byte = offset_byte1 + 5 * j;
offset_data = 4 * j;
data[i][offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[ offset_byte + 1 ] & 0x03) << 8);
data[i][offset_data + 1] = ( (bytes[ offset_byte + 1 ] >> 2) & (0x3f)) | ((bytes[ offset_byte + 2 ] & 0x0f) << 6);
data[i][offset_data + 2] = ( (bytes[ offset_byte + 2 ] >> 4) & (0x0f)) | ((bytes[ offset_byte + 3 ] & 0x3f) << 4);
data[i][offset_data + 3] = ( (bytes[ offset_byte + 3 ] >> 6) & (0x03)) | ((bytes[ offset_byte + 4 ] & 0xff) << 2);

}
}
}

void PQCLEAN_FIRESABER_AVX2_BS2POLVECq(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes) {

uint32_t i, j;
uint32_t offset_data = 0, offset_byte = 0, offset_byte1 = 0;

for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 13) / 8;
for (j = 0; j < SABER_N / 8; j++) {
offset_byte = offset_byte1 + 13 * j;
offset_data = 8 * j;
data[i][offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[offset_byte + 1] & 0x1f) << 8);
data[i][offset_data + 1] = ( bytes[ offset_byte + 1 ] >> 5 & (0x07)) | ((bytes[offset_byte + 2] & 0xff) << 3) | ((bytes[offset_byte + 3] & 0x03) << 11);
data[i][offset_data + 2] = ( bytes[ offset_byte + 3 ] >> 2 & (0x3f)) | ((bytes[offset_byte + 4] & 0x7f) << 6);
data[i][offset_data + 3] = ( bytes[ offset_byte + 4 ] >> 7 & (0x01)) | ((bytes[offset_byte + 5] & 0xff) << 1) | ((bytes[offset_byte + 6] & 0x0f) << 9);
data[i][offset_data + 4] = ( bytes[ offset_byte + 6 ] >> 4 & (0x0f)) | ((bytes[offset_byte + 7] & 0xff) << 4) | ((bytes[offset_byte + 8] & 0x01) << 12);
data[i][offset_data + 5] = ( bytes[ offset_byte + 8] >> 1 & (0x7f)) | ((bytes[offset_byte + 9] & 0x3f) << 7);
data[i][offset_data + 6] = ( bytes[ offset_byte + 9] >> 6 & (0x03)) | ((bytes[offset_byte + 10] & 0xff) << 2) | ((bytes[offset_byte + 11] & 0x07) << 10);
data[i][offset_data + 7] = ( bytes[ offset_byte + 11] >> 3 & (0x1f)) | ((bytes[offset_byte + 12] & 0xff) << 5);
}
}


}



void PQCLEAN_FIRESABER_AVX2_SABER_un_pack10bit(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes) {

uint32_t i, j;
uint32_t offset_data = 0, offset_byte = 0, offset_byte1 = 0;

for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 10) / 8;
for (j = 0; j < SABER_N / 4; j++) {
offset_byte = offset_byte1 + 5 * j;
offset_data = 4 * j;
data[i][offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[ offset_byte + 1 ] & 0x03) << 8);
data[i][offset_data + 1] = ( (bytes[ offset_byte + 1 ] >> 2) & (0x3f)) | ((bytes[ offset_byte + 2 ] & 0x0f) << 6);
data[i][offset_data + 2] = ( (bytes[ offset_byte + 2 ] >> 4) & (0x0f)) | ((bytes[ offset_byte + 3 ] & 0x3f) << 4);
data[i][offset_data + 3] = ( (bytes[ offset_byte + 3 ] >> 6) & (0x03)) | ((bytes[ offset_byte + 4 ] & 0xff) << 2);

}
out[0] = (in[0] & (0xff));
out[1] = ((in[0] >> 8) & 0x1f) | ((in[1] & 0x07) << 5);
out[2] = ((in[1] >> 3) & 0xff);
out[3] = ((in[1] >> 11) & 0x03) | ((in[2] & 0x3f) << 2);
out[4] = ((in[2] >> 6) & 0x7f) | ((in[3] & 0x01) << 7);
out[5] = ((in[3] >> 1) & 0xff);
out[6] = ((in[3] >> 9) & 0x0f) | ((in[4] & 0x0f) << 4);
out[7] = ((in[4] >> 4) & 0xff);
out[8] = ((in[4] >> 12) & 0x01) | ((in[5] & 0x7f) << 1);
out[9] = ((in[5] >> 7) & 0x3f) | ((in[6] & 0x03) << 6);
out[10] = ((in[6] >> 2) & 0xff);
out[11] = ((in[6] >> 10) & 0x07) | ((in[7] & 0x1f) << 3);
out[12] = ((in[7] >> 5) & 0xff);
in += 8;
out += 13;
}
}

static void BS2POLq(poly *data, const uint8_t bytes[SABER_POLYBYTES]) {
size_t j;
const uint8_t *in = bytes;
uint16_t *out = data->coeffs;
for (j = 0; j < SABER_N / 8; j++) {
out[0] = (in[0] & (0xff)) | ((in[1] & 0x1f) << 8);
out[1] = (in[1] >> 5 & (0x07)) | ((in[2] & 0xff) << 3) | ((in[3] & 0x03) << 11);
out[2] = (in[3] >> 2 & (0x3f)) | ((in[4] & 0x7f) << 6);
out[3] = (in[4] >> 7 & (0x01)) | ((in[5] & 0xff) << 1) | ((in[6] & 0x0f) << 9);
out[4] = (in[6] >> 4 & (0x0f)) | ((in[7] & 0xff) << 4) | ((in[8] & 0x01) << 12);
out[5] = (in[8] >> 1 & (0x7f)) | ((in[9] & 0x3f) << 7);
out[6] = (in[9] >> 6 & (0x03)) | ((in[10] & 0xff) << 2) | ((in[11] & 0x07) << 10);
out[7] = (in[11] >> 3 & (0x1f)) | ((in[12] & 0xff) << 5);
in += 13;
out += 8;
}
}

static void POLp2BS(uint8_t bytes[SABER_POLYCOMPRESSEDBYTES], const poly *data) {
size_t j;
const uint16_t *in = data->coeffs;
uint8_t *out = bytes;
for (j = 0; j < SABER_N / 4; j++) {
out[0] = (in[0] & (0xff));
out[1] = ((in[0] >> 8) & 0x03) | ((in[1] & 0x3f) << 2);
out[2] = ((in[1] >> 6) & 0x0f) | ((in[2] & 0x0f) << 4);
out[3] = ((in[2] >> 4) & 0x3f) | ((in[3] & 0x03) << 6);
out[4] = ((in[3] >> 2) & 0xff);
in += 4;
out += 5;
}


}


void PQCLEAN_FIRESABER_AVX2_SABER_pack13bit(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N]) {

uint32_t i, j;
uint32_t offset_data = 0, offset_byte = 0, offset_byte1 = 0;

for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 13) / 8;
for (j = 0; j < SABER_N / 8; j++) {
offset_byte = offset_byte1 + 13 * j;
offset_data = 8 * j;
bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff));

bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x1f ) | ((data[i][ offset_data + 1 ] & 0x07) << 5);

bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 3) & 0xff );

bytes[offset_byte + 3] = ( (data[i][ offset_data + 1 ] >> 11) & 0x03 ) | ((data[i][ offset_data + 2 ] & 0x3f) << 2);

bytes[offset_byte + 4] = ( (data[i][ offset_data + 2 ] >> 6) & 0x7f ) | ( (data[i][ offset_data + 3 ] & 0x01) << 7 );

bytes[offset_byte + 5] = ( (data[i][ offset_data + 3 ] >> 1) & 0xff );

bytes[offset_byte + 6] = ( (data[i][ offset_data + 3 ] >> 9) & 0x0f ) | ( (data[i][ offset_data + 4 ] & 0x0f) << 4 );

bytes[offset_byte + 7] = ( (data[i][ offset_data + 4] >> 4) & 0xff );

bytes[offset_byte + 8] = ( (data[i][ offset_data + 4 ] >> 12) & 0x01 ) | ( (data[i][ offset_data + 5 ] & 0x7f) << 1 );

bytes[offset_byte + 9] = ( (data[i][ offset_data + 5 ] >> 7) & 0x3f ) | ( (data[i][ offset_data + 6 ] & 0x03) << 6 );

bytes[offset_byte + 10] = ( (data[i][ offset_data + 6 ] >> 2) & 0xff );

bytes[offset_byte + 11] = ( (data[i][ offset_data + 6 ] >> 10) & 0x07 ) | ( (data[i][ offset_data + 7 ] & 0x1f) << 3 );

bytes[offset_byte + 12] = ( (data[i][ offset_data + 7 ] >> 5) & 0xff );

}
static void BS2POLp(poly *data, const uint8_t bytes[SABER_POLYCOMPRESSEDBYTES]) {
size_t j;
const uint8_t *in = bytes;
uint16_t *out = data->coeffs;
for (j = 0; j < SABER_N / 4; j++) {
out[0] = (in[0] & (0xff)) | ((in[1] & 0x03) << 8);
out[1] = ((in[1] >> 2) & (0x3f)) | ((in[2] & 0x0f) << 6);
out[2] = ((in[2] >> 4) & (0x0f)) | ((in[3] & 0x3f) << 4);
out[3] = ((in[3] >> 6) & (0x03)) | ((in[4] & 0xff) << 2);
in += 5;
out += 4;
}


}

void PQCLEAN_FIRESABER_AVX2_SABER_un_pack13bit(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes) {

uint32_t i, j;
uint32_t offset_data = 0, offset_byte = 0, offset_byte1 = 0;

for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 13) / 8;
for (j = 0; j < SABER_N / 8; j++) {
offset_byte = offset_byte1 + 13 * j;
offset_data = 8 * j;
data[i][offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[offset_byte + 1] & 0x1f) << 8);
data[i][offset_data + 1] = ( bytes[ offset_byte + 1 ] >> 5 & (0x07)) | ((bytes[offset_byte + 2] & 0xff) << 3) | ((bytes[offset_byte + 3] & 0x03) << 11);
data[i][offset_data + 2] = ( bytes[ offset_byte + 3 ] >> 2 & (0x3f)) | ((bytes[offset_byte + 4] & 0x7f) << 6);
data[i][offset_data + 3] = ( bytes[ offset_byte + 4 ] >> 7 & (0x01)) | ((bytes[offset_byte + 5] & 0xff) << 1) | ((bytes[offset_byte + 6] & 0x0f) << 9);
data[i][offset_data + 4] = ( bytes[ offset_byte + 6 ] >> 4 & (0x0f)) | ((bytes[offset_byte + 7] & 0xff) << 4) | ((bytes[offset_byte + 8] & 0x01) << 12);
data[i][offset_data + 5] = ( bytes[ offset_byte + 8] >> 1 & (0x7f)) | ((bytes[offset_byte + 9] & 0x3f) << 7);
data[i][offset_data + 6] = ( bytes[ offset_byte + 9] >> 6 & (0x03)) | ((bytes[offset_byte + 10] & 0xff) << 2) | ((bytes[offset_byte + 11] & 0x07) << 10);
data[i][offset_data + 7] = ( bytes[ offset_byte + 11] >> 3 & (0x1f)) | ((bytes[offset_byte + 12] & 0xff) << 5);
}
void PQCLEAN_FIRESABER_AVX2_POLVECq2BS(uint8_t bytes[SABER_POLYVECBYTES], const poly data[SABER_L]) {
size_t i;
for (i = 0; i < SABER_L; i++) {
POLq2BS(bytes + i * SABER_POLYBYTES, &data[i]);
}


}

void PQCLEAN_FIRESABER_AVX2_SABER_poly_un_pack13bit(uint16_t data[SABER_N], const uint8_t *bytes) {

uint32_t j;
uint32_t offset_data = 0, offset_byte = 0;

//for(i=0;i<SABER_K;i++){
//i=0;
//offset_byte1=i*(SABER_N*13)/8;
for (j = 0; j < SABER_N / 8; j++) {
//offset_byte=offset_byte1+13*j;
offset_byte = 13 * j;
offset_data = 8 * j;
data[offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[offset_byte + 1] & 0x1f) << 8);
data[offset_data + 1] = ( bytes[ offset_byte + 1 ] >> 5 & (0x07)) | ((bytes[offset_byte + 2] & 0xff) << 3) | ((bytes[offset_byte + 3] & 0x03) << 11);
data[offset_data + 2] = ( bytes[ offset_byte + 3 ] >> 2 & (0x3f)) | ((bytes[offset_byte + 4] & 0x7f) << 6);
data[offset_data + 3] = ( bytes[ offset_byte + 4 ] >> 7 & (0x01)) | ((bytes[offset_byte + 5] & 0xff) << 1) | ((bytes[offset_byte + 6] & 0x0f) << 9);
data[offset_data + 4] = ( bytes[ offset_byte + 6 ] >> 4 & (0x0f)) | ((bytes[offset_byte + 7] & 0xff) << 4) | ((bytes[offset_byte + 8] & 0x01) << 12);
data[offset_data + 5] = ( bytes[ offset_byte + 8] >> 1 & (0x7f)) | ((bytes[offset_byte + 9] & 0x3f) << 7);
data[offset_data + 6] = ( bytes[ offset_byte + 9] >> 6 & (0x03)) | ((bytes[offset_byte + 10] & 0xff) << 2) | ((bytes[offset_byte + 11] & 0x07) << 10);
data[offset_data + 7] = ( bytes[ offset_byte + 11] >> 3 & (0x1f)) | ((bytes[offset_byte + 12] & 0xff) << 5);
void PQCLEAN_FIRESABER_AVX2_BS2POLVECq(poly data[SABER_L], const uint8_t bytes[SABER_POLYVECBYTES]) {
size_t i;
for (i = 0; i < SABER_L; i++) {
BS2POLq(&data[i], bytes + i * SABER_POLYBYTES);
}
//}


}


void PQCLEAN_FIRESABER_AVX2_SABER_pack11bit(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N]) {
/*This function packs 11 bit data stream into 8 bits of data.
*/
uint32_t i, j;
uint32_t offset_data = 0, offset_byte = 0, offset_byte1 = 0;

for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 11) / 8;
for (j = 0; j < SABER_N / 8; j++) {
offset_byte = offset_byte1 + 11 * j;
offset_data = 8 * j;
bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff));

bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x07 ) | ((data[i][ offset_data + 1 ] & 0x1f) << 3);

bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 5) & 0x3f ) | ((data[i][ offset_data + 2 ] & 0x03) << 6);

bytes[offset_byte + 3] = ( (data[i][ offset_data + 2 ] >> 2) & 0xff );

bytes[offset_byte + 4] = ( (data[i][ offset_data + 2 ] >> 10) & 0x01 ) | ((data[i][ offset_data + 3 ] & 0x7f) << 1);

bytes[offset_byte + 5] = ( (data[i][ offset_data + 3 ] >> 7) & 0x0f ) | ((data[i][ offset_data + 4 ] & 0x0f) << 4);

bytes[offset_byte + 6] = ( (data[i][ offset_data + 4 ] >> 4) & 0x7f ) | ((data[i][ offset_data + 5 ] & 0x01) << 7);

bytes[offset_byte + 7] = ( (data[i][ offset_data + 5 ] >> 1) & 0xff );

bytes[offset_byte + 8] = ( (data[i][ offset_data + 5 ] >> 9) & 0x03 ) | ((data[i][ offset_data + 6 ] & 0x3f) << 2);

bytes[offset_byte + 9] = ( (data[i][ offset_data + 6 ] >> 6) & 0x1f ) | ((data[i][ offset_data + 7 ] & 0x07) << 5);

bytes[offset_byte + 10] = ( (data[i][ offset_data + 7 ] >> 3) & 0xff );

}
void PQCLEAN_FIRESABER_AVX2_POLVECp2BS(uint8_t bytes[SABER_POLYVECCOMPRESSEDBYTES], const poly data[SABER_L]) {
size_t i;
for (i = 0; i < SABER_L; i++) {
POLp2BS(bytes + i * SABER_POLYCOMPRESSEDBYTES, &data[i]);
}

}

void PQCLEAN_FIRESABER_AVX2_SABER_un_pack11bit(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes) {

uint32_t i, j;
uint32_t offset_data = 0, offset_byte = 0, offset_byte1 = 0;


for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 11) / 8;
for (j = 0; j < SABER_N / 8; j++) {
offset_byte = offset_byte1 + 11 * j;
offset_data = 8 * j;

data[i][offset_data + 0] = (bytes[offset_byte + 0]) | ( (bytes[offset_byte + 1] & 0x07) << 8 );

data[i][offset_data + 1] = ( (bytes[offset_byte + 1] >> 3) & 0x1f) | ( (bytes[offset_byte + 2] & 0x3f) << 5 );

data[i][offset_data + 2] = ( (bytes[offset_byte + 2] >> 6) & 0x03) | ( (bytes[offset_byte + 3] & 0xff) << 2 ) | ( (bytes[offset_byte + 4] & 0x01) << 10 );

data[i][offset_data + 3] = ( (bytes[offset_byte + 4] >> 1) & 0x7f) | ( (bytes[offset_byte + 5] & 0x0f) << 7 );

data[i][offset_data + 4] = ( (bytes[offset_byte + 5] >> 4) & 0x0f) | ( (bytes[offset_byte + 6] & 0x7f) << 4 );

data[i][offset_data + 5] = ( (bytes[offset_byte + 6] >> 7) & 0x01) | ( (bytes[offset_byte + 7] & 0xff) << 1 ) | ( (bytes[offset_byte + 8] & 0x03) << 9 );

data[i][offset_data + 6] = ( (bytes[offset_byte + 8] >> 2) & 0x3f) | ( (bytes[offset_byte + 9] & 0x1f) << 6 );

data[i][offset_data + 7] = ( (bytes[offset_byte + 9] >> 5) & 0x07) | ( (bytes[offset_byte + 10] & 0xff) << 3 );
}
void PQCLEAN_FIRESABER_AVX2_BS2POLVECp(poly data[SABER_L], const uint8_t bytes[SABER_POLYVECCOMPRESSEDBYTES]) {
size_t i;
for (i = 0; i < SABER_L; i++) {
BS2POLp(&data[i], bytes + i * SABER_POLYCOMPRESSEDBYTES);
}


}

void PQCLEAN_FIRESABER_AVX2_SABER_pack14bit(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N]) {

uint32_t i, j;
uint32_t offset_data = 0, offset_byte = 0, offset_byte1 = 0;

for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 14) / 8;
for (j = 0; j < SABER_N / 4; j++) {
offset_byte = offset_byte1 + 7 * j;
offset_data = 4 * j;
bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff));

bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x3f ) | ((data[i][ offset_data + 1 ] & 0x03) << 6);

bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 2) & 0xff );

bytes[offset_byte + 3] = ( (data[i][ offset_data + 1 ] >> 10) & 0x0f ) | ((data[i][ offset_data + 2 ] & 0x0f) << 4);

bytes[offset_byte + 4] = ( (data[i][ offset_data + 2 ] >> 4) & 0xff );

bytes[offset_byte + 5] = ( (data[i][ offset_data + 2 ] >> 12) & 0x03 ) | ((data[i][ offset_data + 3 ] & 0x3f) << 2);

bytes[offset_byte + 6] = ( (data[i][ offset_data + 3 ] >> 6) & 0xff );
void PQCLEAN_FIRESABER_AVX2_BS2POLmsg(poly *data, const uint8_t bytes[SABER_KEYBYTES]) {
size_t i, j;
for (j = 0; j < SABER_KEYBYTES; j++) {
for (i = 0; i < 8; i++) {
data->coeffs[j * 8 + i] = ((bytes[j] >> i) & 0x01);
}
}


}

void PQCLEAN_FIRESABER_AVX2_POLmsg2BS(uint8_t bytes[SABER_KEYBYTES], const poly *data) {
size_t i, j;
memset(bytes, 0, SABER_KEYBYTES);

void PQCLEAN_FIRESABER_AVX2_SABER_un_pack14bit(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes) {

uint32_t i, j;
uint32_t offset_data = 0, offset_byte = 0, offset_byte1 = 0;

for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 14) / 8;
for (j = 0; j < SABER_N / 4; j++) {
offset_byte = offset_byte1 + 7 * j;
offset_data = 4 * j;
data[i][offset_data + 0] = (bytes[offset_byte + 0] & 0xff) | ( (bytes[offset_byte + 1] & 0x3f) << 8 );

data[i][offset_data + 1] = ( (bytes[offset_byte + 1] >> 6) & 0x03) | ((bytes[offset_byte + 2] & 0xff) << 2 ) | ( (bytes[offset_byte + 3] & 0x0f) << 10 );

data[i][offset_data + 2] = ( (bytes[offset_byte + 3] >> 4) & 0x0f) | ( (bytes[offset_byte + 4] ) << 4 ) | ( (bytes[offset_byte + 5] & 0x03) << 12 );

data[i][offset_data + 3] = ( (bytes[offset_byte + 5] >> 2) & 0x3f) | ( (bytes[offset_byte + 6] ) << 6 );
for (j = 0; j < SABER_KEYBYTES; j++) {
for (i = 0; i < 8; i++) {
bytes[j] = bytes[j] | ((data->coeffs[j * 8 + i] & 0x01) << i);
}
}


}

void PQCLEAN_FIRESABER_AVX2_POLVEC2BS(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N], uint16_t modulus) {

if (modulus == 1024) {
PQCLEAN_FIRESABER_AVX2_POLVECp2BS(bytes, data);
} else if (modulus == 8192) {
PQCLEAN_FIRESABER_AVX2_POLVECq2BS(bytes, data);
}
}

void PQCLEAN_FIRESABER_AVX2_BS2POLVEC(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes, uint16_t modulus) {

if (modulus == 1024) {
PQCLEAN_FIRESABER_AVX2_BS2POLVECp(data, bytes);
} else if (modulus == 8192) {
PQCLEAN_FIRESABER_AVX2_BS2POLVECq(data, bytes);
}

}

+ 9
- 37
crypto_kem/firesaber/avx2/pack_unpack.h View File

@@ -1,56 +1,28 @@
#ifndef PACK_UNPACK_H
#define PACK_UNPACK_H
#include "SABER_params.h"
#include "poly.h"
#include <stdint.h>
#include <stdio.h>

void PQCLEAN_FIRESABER_AVX2_BS2POLq(uint16_t data[SABER_N], const uint8_t *bytes);
void PQCLEAN_FIRESABER_AVX2_POLT2BS(uint8_t bytes[SABER_SCALEBYTES_KEM], const poly *data);

void PQCLEAN_FIRESABER_AVX2_BS2POLVEC(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes, uint16_t modulus);
void PQCLEAN_FIRESABER_AVX2_BS2POLT(poly *data, const uint8_t bytes[SABER_SCALEBYTES_KEM]);

void PQCLEAN_FIRESABER_AVX2_BS2POLVECq(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes);

void PQCLEAN_FIRESABER_AVX2_BS2POLVECp(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes);
void PQCLEAN_FIRESABER_AVX2_POLVECq2BS(uint8_t bytes[SABER_POLYVECBYTES], const poly data[SABER_L]);

void PQCLEAN_FIRESABER_AVX2_POLVECp2BS(uint8_t bytes[SABER_POLYVECCOMPRESSEDBYTES], const poly data[SABER_L]);

void PQCLEAN_FIRESABER_AVX2_POLVEC2BS(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N], uint16_t modulus);

void PQCLEAN_FIRESABER_AVX2_POLVECq2BS(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N]);
void PQCLEAN_FIRESABER_AVX2_BS2POLVECq(poly data[SABER_L], const uint8_t bytes[SABER_POLYVECBYTES]);

void PQCLEAN_FIRESABER_AVX2_POLVECp2BS(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N]);
void PQCLEAN_FIRESABER_AVX2_BS2POLVECp(poly data[SABER_L], const uint8_t bytes[SABER_POLYVECCOMPRESSEDBYTES]);


void PQCLEAN_FIRESABER_AVX2_SABER_pack_3bit(uint8_t *bytes, const uint16_t *data);
void PQCLEAN_FIRESABER_AVX2_BS2POLmsg(poly *data, const uint8_t bytes[SABER_KEYBYTES]);

void PQCLEAN_FIRESABER_AVX2_SABER_pack_4bit(uint8_t *bytes, const uint16_t *data);

void PQCLEAN_FIRESABER_AVX2_SABER_pack_6bit(uint8_t *bytes, const uint16_t *data);

void PQCLEAN_FIRESABER_AVX2_SABER_pack10bit(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N]);

void PQCLEAN_FIRESABER_AVX2_SABER_pack11bit(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N]);

void PQCLEAN_FIRESABER_AVX2_SABER_pack13bit(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N]);

void PQCLEAN_FIRESABER_AVX2_SABER_pack14bit(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N]);


void PQCLEAN_FIRESABER_AVX2_SABER_poly_un_pack13bit(uint16_t data[SABER_N], const uint8_t *bytes);


void PQCLEAN_FIRESABER_AVX2_SABER_un_pack3bit(uint16_t *data, const uint8_t *bytes);

void PQCLEAN_FIRESABER_AVX2_SABER_un_pack4bit(uint16_t *data, const uint8_t *bytes);

void PQCLEAN_FIRESABER_AVX2_SABER_un_pack6bit(uint16_t *data, const uint8_t *bytes);

void PQCLEAN_FIRESABER_AVX2_SABER_un_pack10bit(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes);

void PQCLEAN_FIRESABER_AVX2_SABER_un_pack11bit(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes);

void PQCLEAN_FIRESABER_AVX2_SABER_un_pack13bit(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes);

void PQCLEAN_FIRESABER_AVX2_SABER_un_pack14bit(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes);
void PQCLEAN_FIRESABER_AVX2_POLmsg2BS(uint8_t bytes[SABER_KEYBYTES], const poly *data);


#endif

+ 62
- 0
crypto_kem/firesaber/avx2/poly.c View File

@@ -0,0 +1,62 @@
#include "cbd.h"
#include "fips202.h"
#include "pack_unpack.h"
#include "poly.h"


void PQCLEAN_FIRESABER_AVX2_MatrixVectorMul(poly c[SABER_L], const poly A[SABER_L][SABER_L], const toom4_points s_eval[SABER_L], int transpose) {
size_t i, j;
toom4_points_product c_eval;

if (transpose) {
for (i = 0; i < SABER_L; i++) {
PQCLEAN_FIRESABER_AVX2_toom4_mul_A_by_B_eval(&c_eval, &A[0][i], &s_eval[0], 0);
for (j = 1; j < SABER_L; j++) {
PQCLEAN_FIRESABER_AVX2_toom4_mul_A_by_B_eval(&c_eval, &A[j][i], &s_eval[j], 1);
}
PQCLEAN_FIRESABER_AVX2_toom4_interp(&c[i], &c_eval);
}
} else {
for (i = 0; i < SABER_L; i++) {
PQCLEAN_FIRESABER_AVX2_toom4_mul_A_by_B_eval(&c_eval, &A[i][0], &s_eval[0], 0);
for (j = 1; j < SABER_L; j++) {
PQCLEAN_FIRESABER_AVX2_toom4_mul_A_by_B_eval(&c_eval, &A[i][j], &s_eval[j], 1);
}
PQCLEAN_FIRESABER_AVX2_toom4_interp(&c[i], &c_eval);
}
}
}

void PQCLEAN_FIRESABER_AVX2_InnerProd(poly *c, const poly b[SABER_L], const toom4_points s_eval[SABER_L]) {
size_t i;
toom4_points_product c_eval; //Holds results for 9 Karatsuba at a time

PQCLEAN_FIRESABER_AVX2_toom4_mul_A_by_B_eval(&c_eval, &b[0], &s_eval[0], 0);
for (i = 1; i < SABER_L; i++) {
PQCLEAN_FIRESABER_AVX2_toom4_mul_A_by_B_eval(&c_eval, &b[i], &s_eval[i], 1);
}

PQCLEAN_FIRESABER_AVX2_toom4_interp(c, &c_eval);
}

void PQCLEAN_FIRESABER_AVX2_GenMatrix(poly A[SABER_L][SABER_L], const uint8_t seed[SABER_SEEDBYTES]) {
size_t i;
uint8_t buf[SABER_L * SABER_POLYVECBYTES];

shake128(buf, sizeof(buf), seed, SABER_SEEDBYTES);

for (i = 0; i < SABER_L; i++) {
PQCLEAN_FIRESABER_AVX2_BS2POLVECq(A[i], buf + i * SABER_POLYVECBYTES);
}
}

void PQCLEAN_FIRESABER_AVX2_GenSecret(poly s[SABER_L], const uint8_t seed[SABER_NOISESEEDBYTES]) {
size_t i;
uint8_t buf[SABER_L * SABER_POLYCOINBYTES];

shake128(buf, sizeof(buf), seed, SABER_NOISESEEDBYTES);

for (i = 0; i < SABER_L; i++) {
PQCLEAN_FIRESABER_AVX2_cbd(s[i].coeffs, buf + i * SABER_POLYCOINBYTES);
}
}

+ 24
- 12
crypto_kem/firesaber/avx2/poly.h View File

@@ -1,27 +1,38 @@
#ifndef POLY_H
#define POLY_H
/*---------------------------------------------------------------------
This file has been adapted from the implementation
(available at, Public Domain https://github.com/pq-crystals/kyber)
of "CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM"
by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint,
Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle
#include "SABER_params.h"
#include <immintrin.h>
#include <stdint.h>

typedef struct {
typedef union {
uint16_t coeffs[SABER_N];
__m256i dummy;
} poly;

typedef struct {
poly vec[SABER_K];
} polyvec;
typedef union {
uint16_t coeffs[4 * SABER_N];
__m256i dummy;
} toom4_points;

void PQCLEAN_FIRESABER_AVX2_poly_getnoise(uint16_t *r, const unsigned char *seed, unsigned char nonce);
typedef union {
uint16_t coeffs[8 * SABER_N];
__m256i dummy;
} toom4_points_product;

void PQCLEAN_FIRESABER_AVX2_MatrixVectorMul(poly c[SABER_L], const poly A[SABER_L][SABER_L], const toom4_points s_eval[SABER_L], int transpose);

void PQCLEAN_FIRESABER_AVX2_poly_getnoise4x(uint16_t *r0, uint16_t *r1, uint16_t *r2, const unsigned char *seed, unsigned char nonce0, unsigned char nonce1, unsigned char nonce2, unsigned char nonce3);
void PQCLEAN_FIRESABER_AVX2_InnerProd(poly *c, const poly b[SABER_L], const toom4_points s_eval[SABER_L]);

void PQCLEAN_FIRESABER_AVX2_GenMatrix(poly a[SABER_L][SABER_L], const uint8_t seed[SABER_SEEDBYTES]);

void PQCLEAN_FIRESABER_AVX2_GenSecret(poly s[SABER_L], const uint8_t seed[SABER_NOISESEEDBYTES]);


void PQCLEAN_FIRESABER_AVX2_toom4_interp(poly *res_avx, const toom4_points_product *c_eval);

void PQCLEAN_FIRESABER_AVX2_toom4_eval(toom4_points *b_eval, const poly *b);

void PQCLEAN_FIRESABER_AVX2_toom4_mul_A_by_B_eval(toom4_points_product *c_eval, const poly *a_avx, const toom4_points *b_eval, int accumulate);


#endif

+ 1524
- 0
crypto_kem/firesaber/avx2/poly_mul.c
File diff suppressed because it is too large
View File


+ 0
- 20
crypto_kem/firesaber/avx2/polymul/consts.h View File

@@ -1,20 +0,0 @@
#include "../SABER_params.h"

#define AVX_N (SABER_N >> 4)
#define small_len_avx (AVX_N >> 2)

#define SCHB_N 16

#define N_SB (SABER_N >> 2)
#define N_SB_RES (2*N_SB-1)

#define N_SB_16 (N_SB >> 2)
#define N_SB_16_RES (2*N_SB_16-1)

#define AVX_N1 16 /*N/16*/

#define SCM_SIZE 16

// The dimension of a vector. i.e vector has NUM_POLY elements and Matrix has NUM_POLY X NUM_POLY elements
#define NUM_POLY SABER_K
//int NUM_POLY=2;

+ 0
- 303
crypto_kem/firesaber/avx2/polymul/matrix.c View File

@@ -1,303 +0,0 @@
#include <immintrin.h>

static void transpose_n1(__m256i *M)
{
//int i;
register __m256i r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11;
register __m256i temp, temp0, temp1, temp2;

//for(i=0; i<8; i=i+1)
//{
r0 = _mm256_unpacklo_epi16(M[0], M[1]);
r1 = _mm256_unpacklo_epi16(M[2], M[3]);
r2 = _mm256_unpacklo_epi16(M[4], M[5]);
r3 = _mm256_unpacklo_epi16(M[6], M[7]);
r4 = _mm256_unpacklo_epi16(M[8], M[9]);
r5 = _mm256_unpacklo_epi16(M[10], M[11]);
r6 = _mm256_unpacklo_epi16(M[12], M[13]);
r7 = _mm256_unpacklo_epi16(M[14], M[15]);


temp = _mm256_unpacklo_epi32(r0, r1);
temp0 = _mm256_unpacklo_epi32(r2, r3);
temp1 = _mm256_unpacklo_epi32(r4, r5);
temp2 = _mm256_unpacklo_epi32(r6, r7);

r8 = _mm256_unpackhi_epi32(r0, r1);
r9 = _mm256_unpackhi_epi32(r2, r3);
r10 = _mm256_unpackhi_epi32(r4, r5);
r11 = _mm256_unpackhi_epi32(r6, r7);

r0 = _mm256_unpacklo_epi64(temp, temp0);
r2 = _mm256_unpackhi_epi64(temp, temp0);

r1 = _mm256_unpacklo_epi64(temp1, temp2);
r3 = _mm256_unpackhi_epi64(temp1, temp2);

temp = _mm256_unpackhi_epi16(M[0], M[1]);
temp0 = _mm256_unpackhi_epi16(M[2], M[3]);
temp1 = _mm256_unpackhi_epi16(M[4], M[5]);
temp2 = _mm256_unpackhi_epi16(M[6], M[7]);
r4 = _mm256_unpackhi_epi16(M[8], M[9]);

M[0] = _mm256_permute2f128_si256(r0, r1, 0x20);
M[8] = _mm256_permute2f128_si256(r0, r1, 0x31);
M[1] = _mm256_permute2f128_si256(r2, r3, 0x20);
M[9] = _mm256_permute2f128_si256(r2, r3, 0x31);


r5 = _mm256_unpackhi_epi16(M[10], M[11]);
r6 = _mm256_unpackhi_epi16(M[12], M[13]);
r7 = _mm256_unpackhi_epi16(M[14], M[15]);



r0 = _mm256_unpacklo_epi64(r8, r9);
r1 = _mm256_unpacklo_epi64(r10, r11);

r2 = _mm256_unpackhi_epi64(r8, r9);
r3 = _mm256_unpackhi_epi64(r10, r11);



M[3] = _mm256_permute2f128_si256(r2, r3, 0x20);
M[11] = _mm256_permute2f128_si256(r2, r3, 0x31);
M[2] = _mm256_permute2f128_si256(r0, r1, 0x20);
M[10] = _mm256_permute2f128_si256(r0, r1, 0x31);


//for(i=0; i<4; i=i+1)
//{
r0 = _mm256_unpacklo_epi32(temp, temp0);
r1 = _mm256_unpacklo_epi32(temp1, temp2);
r2 = _mm256_unpacklo_epi32(r4, r5);
r3 = _mm256_unpacklo_epi32(r6, r7);

//}


//for(i=0; i<2; i=i+1)
//{
r8 = _mm256_unpacklo_epi64(r0, r1);
r10 = _mm256_unpackhi_epi64(r0, r1);

r9 = _mm256_unpacklo_epi64(r2, r3);
r11 = _mm256_unpackhi_epi64(r2, r3);

M[4] = _mm256_permute2f128_si256(r8, r9, 0x20);
M[12] = _mm256_permute2f128_si256(r8, r9, 0x31);
M[5] = _mm256_permute2f128_si256(r10, r11, 0x20);
M[13] = _mm256_permute2f128_si256(r10, r11, 0x31);

r0 = _mm256_unpackhi_epi32(temp, temp0);
r1 = _mm256_unpackhi_epi32(temp1, temp2);
r2 = _mm256_unpackhi_epi32(r4, r5);
r3 = _mm256_unpackhi_epi32(r6, r7);

//}
// for(i=0; i<2; i=i+1)
// {
r4 = _mm256_unpacklo_epi64(r0, r1);
r6 = _mm256_unpackhi_epi64(r0, r1);

r5 = _mm256_unpacklo_epi64(r2, r3);
r7 = _mm256_unpackhi_epi64(r2, r3);

// }

//-------------------------------------------------------

M[6] = _mm256_permute2f128_si256(r4, r5, 0x20);
M[14] = _mm256_permute2f128_si256(r4, r5, 0x31);
M[7] = _mm256_permute2f128_si256(r6, r7, 0x20);
M[15] = _mm256_permute2f128_si256(r6, r7, 0x31);
}

/*
void transpose_unrolled(__m256i *M)
{
int i;
__m256i tL[8], tH[8];
__m256i bL[4], bH[4], cL[4], cH[4];
__m256i dL[2], dH[2], eL[2], eH[2], fL[2], fH[2], gL[2], gH[2];

__m256i r0, r1, r2, r3, r4, r5, r6, r7;

//for(i=0; i<8; i=i+1)
//{
tL[0] = _mm256_unpacklo_epi16(M[0], M[1]);
tH[0] = _mm256_unpackhi_epi16(M[0], M[1]);

tL[1] = _mm256_unpacklo_epi16(M[2], M[3]);
tH[1] = _mm256_unpackhi_epi16(M[2], M[3]);

tL[2] = _mm256_unpacklo_epi16(M[4], M[5]);
tH[2] = _mm256_unpackhi_epi16(M[4], M[5]);

tL[3] = _mm256_unpacklo_epi16(M[6], M[7]);
tH[3] = _mm256_unpackhi_epi16(M[6], M[7]);

tL[4] = _mm256_unpacklo_epi16(M[8], M[9]);
tH[4] = _mm256_unpackhi_epi16(M[8], M[9]);

tL[5] = _mm256_unpacklo_epi16(M[10], M[11]);
tH[5] = _mm256_unpackhi_epi16(M[10], M[11]);

tL[6] = _mm256_unpacklo_epi16(M[12], M[13]);
tH[6] = _mm256_unpackhi_epi16(M[12], M[13]);

tL[7] = _mm256_unpacklo_epi16(M[14], M[15]);
tH[7] = _mm256_unpackhi_epi16(M[14], M[15]);

//}

//-------------------------------------------------------
//for(i=0; i<4; i=i+1)
//{
bL[0] = _mm256_unpacklo_epi32(tL[0], tL[1]);
bH[0] = _mm256_unpackhi_epi32(tL[0], tL[1]);

bL[1] = _mm256_unpacklo_epi32(tL[2], tL[3]);
bH[1] = _mm256_unpackhi_epi32(tL[2], tL[3]);

bL[2] = _mm256_unpacklo_epi32(tL[4], tL[5]);
bH[2] = _mm256_unpackhi_epi32(tL[4], tL[5]);

bL[3] = _mm256_unpacklo_epi32(tL[6], tL[7]);
bH[3] = _mm256_unpackhi_epi32(tL[6], tL[7]);

//}

//for(i=0; i<2; i=i+1)
//{
dL[0] = _mm256_unpacklo_epi64(bL[0], bL[1]);
dH[0] = _mm256_unpackhi_epi64(bL[0], bL[1]);

dL[1] = _mm256_unpacklo_epi64(bL[2], bL[3]);
dH[1] = _mm256_unpackhi_epi64(bL[2], bL[3]);

M[0] = _mm256_permute2f128_si256(dL[0], dL[1], 0x20);
M[8] = _mm256_permute2f128_si256(dL[0], dL[1], 0x31);
M[1] = _mm256_permute2f128_si256(dH[0], dH[1], 0x20);
M[9] = _mm256_permute2f128_si256(dH[0], dH[1], 0x31);

//}
//for(i=0; i<2; i=i+1)
//{
eL[0] = _mm256_unpacklo_epi64(bH[0], bH[1]);
eH[0] = _mm256_unpackhi_epi64(bH[0], bH[1]);

eL[1] = _mm256_unpacklo_epi64(bH[2], bH[3]);
eH[1] = _mm256_unpackhi_epi64(bH[2], bH[3]);

//}

//-------------------------------------------------------

//-------------------------------------------------------
for(i=0; i<4; i=i+1)
{
cL[i] = _mm256_unpacklo_epi32(tH[2*i], tH[2*i+1]);
cH[i] = _mm256_unpackhi_epi32(tH[2*i], tH[2*i+1]);
}


for(i=0; i<2; i=i+1)
{
fL[i] = _mm256_unpacklo_epi64(cL[2*i], cL[2*i+1]);
fH[i] = _mm256_unpackhi_epi64(cL[2*i], cL[2*i+1]);
}
for(i=0; i<2; i=i+1)
{
gL[i] = _mm256_unpacklo_epi64(cH[2*i], cH[2*i+1]);
gH[i] = _mm256_unpackhi_epi64(cH[2*i], cH[2*i+1]);
}

//-------------------------------------------------------



M[2] = _mm256_permute2f128_si256(eL[0], eL[1], 0x20);
M[10] = _mm256_permute2f128_si256(eL[0], eL[1], 0x31);
M[3] = _mm256_permute2f128_si256(eH[0], eH[1], 0x20);
M[11] = _mm256_permute2f128_si256(eH[0], eH[1], 0x31);

M[4] = _mm256_permute2f128_si256(fL[0], fL[1], 0x20);
M[12] = _mm256_permute2f128_si256(fL[0], fL[1], 0x31);
M[5] = _mm256_permute2f128_si256(fH[0], fH[1], 0x20);
M[13] = _mm256_permute2f128_si256(fH[0], fH[1], 0x31);

M[6] = _mm256_permute2f128_si256(gL[0], gL[1], 0x20);
M[14] = _mm256_permute2f128_si256(gL[0], gL[1], 0x31);
M[7] = _mm256_permute2f128_si256(gH[0], gH[1], 0x20);
M[15] = _mm256_permute2f128_si256(gH[0], gH[1], 0x31);
}


void transpose1(__m256i *M)
{
int i;
__m256i tL[8], tH[8];
__m256i bL[4], bH[4], cL[4], cH[4];
__m256i dL[2], dH[2], eL[2], eH[2], fL[2], fH[2], gL[2], gH[2];

for(i=0; i<8; i=i+1)
{
tL[i] = _mm256_unpacklo_epi16(M[2*i], M[2*i+1]);
tH[i] = _mm256_unpackhi_epi16(M[2*i], M[2*i+1]);
}

for(i=0; i<4; i=i+1)
{
bL[i] = _mm256_unpacklo_epi32(tL[2*i], tL[2*i+1]);
bH[i] = _mm256_unpackhi_epi32(tL[2*i], tL[2*i+1]);
}
for(i=0; i<4; i=i+1)
{
cL[i] = _mm256_unpacklo_epi32(tH[2*i], tH[2*i+1]);
cH[i] = _mm256_unpackhi_epi32(tH[2*i], tH[2*i+1]);
}

for(i=0; i<2; i=i+1)
{
dL[i] = _mm256_unpacklo_epi64(bL[2*i], bL[2*i+1]);
dH[i] = _mm256_unpackhi_epi64(bL[2*i], bL[2*i+1]);
}
for(i=0; i<2; i=i+1)
{
eL[i] = _mm256_unpacklo_epi64(bH[2*i], bH[2*i+1]);
eH[i] = _mm256_unpackhi_epi64(bH[2*i], bH[2*i+1]);
}

for(i=0; i<2; i=i+1)
{
fL[i] = _mm256_unpacklo_epi64(cL[2*i], cL[2*i+1]);
fH[i] = _mm256_unpackhi_epi64(cL[2*i], cL[2*i+1]);
}
for(i=0; i<2; i=i+1)
{
gL[i] = _mm256_unpacklo_epi64(cH[2*i], cH[2*i+1]);
gH[i] = _mm256_unpackhi_epi64(cH[2*i], cH[2*i+1]);
}

M[0] = _mm256_permute2f128_si256(dL[0], dL[1], 0x20);
M[8] = _mm256_permute2f128_si256(dL[0], dL[1], 0x31);
M[1] = _mm256_permute2f128_si256(dH[0], dH[1], 0x20);
M[9] = _mm256_permute2f128_si256(dH[0], dH[1], 0x31);

M[2] = _mm256_permute2f128_si256(eL[0], eL[1], 0x20);
M[10] = _mm256_permute2f128_si256(eL[0], eL[1], 0x31);
M[3] = _mm256_permute2f128_si256(eH[0], eH[1], 0x20);
M[11] = _mm256_permute2f128_si256(eH[0], eH[1], 0x31);

M[4] = _mm256_permute2f128_si256(fL[0], fL[1], 0x20);
M[12] = _mm256_permute2f128_si256(fL[0], fL[1], 0x31);
M[5] = _mm256_permute2f128_si256(fH[0], fH[1], 0x20);
M[13] = _mm256_permute2f128_si256(fH[0], fH[1], 0x31);

M[6] = _mm256_permute2f128_si256(gL[0], gL[1], 0x20);
M[14] = _mm256_permute2f128_si256(gL[0], gL[1], 0x31);
M[7] = _mm256_permute2f128_si256(gH[0], gH[1], 0x20);
M[15] = _mm256_permute2f128_si256(gH[0], gH[1], 0x31);
}
*/

+ 0
- 753
crypto_kem/firesaber/avx2/polymul/scm_avx.c View File

@@ -1,753 +0,0 @@
//#define SCM_SIZE 16

//#pragma STDC FP_CONTRACT ON

#include <immintrin.h>

static inline __m256i mul_add(__m256i a, __m256i b, __m256i c) {
return _mm256_add_epi16(_mm256_mullo_epi16(a, b), c);
}


static void schoolbook_avx_new3_acc(__m256i* a, __m256i* b, __m256i* c_avx) ////8 coefficients of a and b has been prefetched
//the c_avx are added cummulatively
{

register __m256i a0, a1, a2, a3, a4, a5, a6, a7, b0, b1, b2, b3, b4, b5, b6, b7;
register __m256i temp;


a0=a[0];
a1=a[1];
a2=a[2];
a3=a[3];
a4=a[4];
a5=a[5];
a6=a[6];
a7=a[7];

b0=b[0];
b1=b[1];
b2=b[2];
b3=b[3];
b4=b[4];
b5=b[5];
b6=b[6];
b7=b[7];

// New Unrolled first triangle

//otherwise accumulate
c_avx[0] = mul_add(a0, b0, c_avx[0]);

temp = _mm256_mullo_epi16 (a0, b1);
temp=mul_add(a1, b0, temp);
c_avx[1] = _mm256_add_epi16(temp, c_avx[1]);


temp = _mm256_mullo_epi16 (a0, b2);
temp = mul_add(a1, b1, temp);
temp=mul_add(a2, b0, temp);
c_avx[2] = _mm256_add_epi16(temp, c_avx[2]);

temp = _mm256_mullo_epi16 (a0, b3);
temp = mul_add(a1, b2, temp);
temp = mul_add(a2, b1, temp);
temp=mul_add(a3, b0, temp);
c_avx[3] = _mm256_add_epi16(temp, c_avx[3]);

temp = _mm256_mullo_epi16 (a0, b4);
temp = mul_add(a1, b3, temp);
temp = mul_add(a3, b1, temp);
temp = mul_add(a4, b0, temp);
temp=mul_add(a2, b2, temp);
c_avx[4] = _mm256_add_epi16(temp, c_avx[4]);


temp = _mm256_mullo_epi16 (a0, b5);
temp = mul_add(a1, b4 , temp);
temp = mul_add(a2, b3, temp);
temp = mul_add(a3, b2, temp);
temp = mul_add( a4, b1, temp);
temp=mul_add(a5, b0, temp);
c_avx[5] = _mm256_add_epi16(temp, c_avx[5]);
temp = _mm256_mullo_epi16 (a0, b6);
temp = mul_add(a1, b5, temp);
temp = mul_add(a5, b1, temp);
temp = mul_add(a6, b0, temp);
temp = mul_add(a2, b4, temp);
temp = mul_add(a3, b3, temp);
temp=mul_add(a4, b2, temp);
c_avx[6] = _mm256_add_epi16(temp, c_avx[6]);


temp = _mm256_mullo_epi16 (a0, b7);
temp = mul_add(a1, b6, temp);
temp = mul_add (a6, b1, temp);
temp = mul_add (a7, b0, temp);
temp = mul_add(a2, b5, temp);
temp = mul_add (a3, b4, temp);
temp = mul_add (a4, b3, temp);
temp=mul_add(a5, b2, temp);
c_avx[7] = _mm256_add_epi16(temp, c_avx[7]);

temp = _mm256_mullo_epi16 (a0, b[8]);
temp = mul_add (a1, b7, temp);
temp = mul_add (a7, b1, temp);
temp = mul_add (a[8], b0, temp);
temp = mul_add (a2, b6,temp);
temp = mul_add(a3, b5, temp);
temp = mul_add (a4, b4,temp);
temp = mul_add (a5, b3, temp);
temp=mul_add(a6, b2, temp);
c_avx[8] = _mm256_add_epi16(temp, c_avx[8]);


temp = _mm256_mullo_epi16 (a0, b[9]);
temp = mul_add (a1, b[8], temp);
temp = mul_add (a[8], b1, temp);
temp = mul_add (a[9], b0, temp);
temp = mul_add (a2, b7, temp);
temp = mul_add (a3, b6, temp);
temp = mul_add (a4, b5, temp);
temp = mul_add (a5, b4, temp);
temp = mul_add (a6, b3, temp);
temp=mul_add(a7, b2, temp);
c_avx[9] = _mm256_add_epi16(temp, c_avx[9]);


temp= _mm256_mullo_epi16 (a0, b[10]);
temp = mul_add (a1, b[9], temp);
temp = mul_add (a[9], b1, temp);
temp = mul_add (a[10], b0, temp);
temp = mul_add (a2, b[8], temp);
temp = mul_add (a3, b7, temp);
temp = mul_add (a4, b6, temp);
temp = mul_add (a5, b5, temp);
temp = mul_add (a6, b4, temp);
temp = mul_add (a7, b3, temp);
temp=mul_add(a[8], b2, temp);
c_avx[10] = _mm256_add_epi16(temp, c_avx[10]);


temp = _mm256_mullo_epi16 (a0, b[11]);
temp = mul_add (a1, b[10], temp );
temp = mul_add (a[10], b1, temp );
temp = mul_add (a[11], b0, temp );
temp = mul_add (a2, b[9], temp );
temp = mul_add (a3, b[8], temp );
temp = mul_add (a4, b7, temp );
temp = mul_add (a5, b6, temp );
temp = mul_add (a6, b5, temp );
temp = mul_add (a7, b4, temp );
temp = mul_add (a[8], b3, temp );
temp=mul_add(a[9], b2, temp);
c_avx[11] = _mm256_add_epi16(temp, c_avx[11]);


temp = _mm256_mullo_epi16 (a0, b[12]);
temp = mul_add (a1, b[11], temp);
temp = mul_add (a[11], b1, temp);
temp = mul_add (a[12], b0, temp);
temp = mul_add (a2, b[10], temp);
temp = mul_add (a3, b[9], temp);
temp = mul_add (a4, b[8], temp);
temp = mul_add (a5, b7, temp);
temp = mul_add (a6, b6, temp);
temp = mul_add (a7, b5, temp);
temp = mul_add (a[8], b4, temp);
temp = mul_add (a[9], b3, temp);
temp=mul_add(a[10], b2, temp);
c_avx[12] = _mm256_add_epi16(temp, c_avx[12]);


temp = _mm256_mullo_epi16 (a0, b[13]);
temp = mul_add (a1, b[12], temp );
temp = mul_add (a[12], b1, temp );
temp = mul_add (a[13], b0, temp );
temp = mul_add (a2, b[11], temp );
temp = mul_add (a3, b[10], temp );
temp = mul_add (a4, b[9], temp );
temp = mul_add (a5, b[8], temp );
temp = mul_add (a6, b7, temp );
temp = mul_add (a7, b6, temp );
temp = mul_add (a[8], b5, temp );
temp = mul_add (a[9], b4, temp );
temp = mul_add (a[10], b3, temp );
temp=mul_add(a[11], b2, temp);
c_avx[13] = _mm256_add_epi16(temp, c_avx[13]);



temp = _mm256_mullo_epi16 (a0, b[14]);
temp = mul_add (a1, b[13], temp );
temp = mul_add (a[13], b1, temp );
temp = mul_add (a[14], b0, temp );
temp = mul_add (a2, b[12], temp );
temp = mul_add (a3, b[11], temp );
temp = mul_add (a4, b[10], temp );
temp = mul_add (a5, b[9], temp );
temp = mul_add (a6, b[8], temp );
temp = mul_add (a7, b7, temp );
temp = mul_add (a[8], b6, temp );
temp = mul_add (a[9], b5, temp );
temp = mul_add (a[10], b4, temp );
temp = mul_add (a[11], b3, temp );
temp=mul_add(a[12], b2, temp);
c_avx[14] = _mm256_add_epi16(temp, c_avx[14]);


temp = _mm256_mullo_epi16 (a0, b[15]);
temp = mul_add (a1, b[14], temp );
temp = mul_add (a[14], b1, temp );
temp = mul_add (a[15], b0, temp );
temp = mul_add (a2, b[13], temp );
temp = mul_add (a3, b[12], temp );
temp = mul_add (a4, b[11], temp );
temp = mul_add (a5, b[10], temp );
temp = mul_add (a6, b[9], temp );
temp = mul_add (a7, b[8], temp );
temp = mul_add (a[8], b7, temp );
temp = mul_add (a[9], b6, temp );
temp = mul_add (a[10], b5, temp );
temp = mul_add (a[11], b4, temp );
temp = mul_add (a[12], b3, temp );
temp=mul_add(a[13], b2, temp);
c_avx[15] = _mm256_add_epi16(temp, c_avx[15]);


// unrolled second triangle
a0=a[14];
a1=a[15];
a2=a[13];
a3=a[12];
a4=a[11];
a5=a[10];
a6=a[9];
a7=a[8];

b0=b[14];
b1=b[15];
b2=b[13];
b3=b[12];
b4=b[11];
b5=b[10];
b6=b[9];
b7=b[8];

temp = _mm256_mullo_epi16 (a[1], b1);
temp = mul_add (a[2], b0, temp );
temp = mul_add (a[3], b2, temp );
temp = mul_add (a[4], b3, temp );
temp = mul_add (a[5], b4, temp );
temp = mul_add (a[6], b5, temp );
temp = mul_add (a[7], b6, temp );
temp = mul_add (a7, b7, temp );
temp = mul_add (a6, b[7], temp );
temp = mul_add (a5, b[6], temp );
temp = mul_add (a4, b[5], temp );
temp = mul_add (a3, b[4], temp );
temp = mul_add (a2, b[3], temp );
temp = mul_add (a0, b[2], temp );
temp=mul_add(a1, b[1], temp);
c_avx[16] = _mm256_add_epi16(temp, c_avx[16]);


temp = _mm256_mullo_epi16 (a[2], b1);
temp = mul_add (a[3], b0, temp );
temp = mul_add (a[4], b2, temp );
temp = mul_add (a[5], b3, temp );
temp = mul_add (a[6], b4, temp );
temp = mul_add (a[7], b5, temp );
temp = mul_add (a7, b6, temp );
temp = mul_add (a6, b7, temp );
temp = mul_add (a5, b[7], temp );
temp = mul_add (a4, b[6], temp );
temp = mul_add (a3, b[5], temp );
temp = mul_add (a2, b[4], temp );
temp = mul_add (a0, b[3], temp );
temp=mul_add(a1, b[2], temp);
c_avx[17] = _mm256_add_epi16(temp, c_avx[17]);


temp = _mm256_mullo_epi16 (a[3], b1);
temp = mul_add (a[4], b0, temp );
temp = mul_add (a[5], b2, temp );
temp = mul_add (a[6], b3, temp );
temp = mul_add (a[7], b4, temp );
temp = mul_add (a7, b5, temp );
temp = mul_add (a6, b6, temp );
temp = mul_add (a5, b7, temp );
temp = mul_add (a4, b[7], temp );
temp = mul_add (a3, b[6], temp );
temp = mul_add (a2, b[5], temp );
temp = mul_add (a0, b[4], temp );
temp=mul_add(a1, b[3], temp);
c_avx[18] = _mm256_add_epi16(temp, c_avx[18]);


temp = _mm256_mullo_epi16 (a[4], b1);
temp = mul_add (a[5], b0, temp );
temp = mul_add (a[6], b2, temp );
temp = mul_add (a[7], b3, temp );
temp = mul_add (a7, b4, temp );
temp = mul_add (a6, b5, temp );
temp = mul_add (a5, b6, temp );
temp = mul_add (a4, b7, temp );
temp = mul_add (a3, b[7], temp );
temp = mul_add (a2, b[6], temp );
temp = mul_add (a0, b[5], temp );
temp=mul_add(a1, b[4], temp);
c_avx[19] = _mm256_add_epi16(temp, c_avx[19]);


temp = _mm256_mullo_epi16 (a[5], b1);
temp = mul_add (a[6], b0, temp );
temp = mul_add (a[7], b2, temp );
temp = mul_add (a7, b3, temp );
temp = mul_add (a6, b4, temp );
temp = mul_add (a5, b5, temp );
temp = mul_add (a4, b6, temp );
temp = mul_add (a3, b7, temp );
temp = mul_add (a2, b[7], temp );
temp = mul_add (a0, b[6], temp );
temp=mul_add(a1, b[5], temp);
c_avx[20] = _mm256_add_epi16(temp, c_avx[20]);


temp = _mm256_mullo_epi16 (a[6], b1);
temp = mul_add (a[7], b0, temp );
temp = mul_add (a7, b2, temp );
temp = mul_add (a6, b3, temp );
temp = mul_add (a5, b4, temp );
temp = mul_add (a4, b5, temp );
temp = mul_add (a3, b6, temp );
temp = mul_add (a2, b7, temp );
temp = mul_add (a0, b[7], temp );
temp=mul_add(a1, b[6], temp);
c_avx[21] = _mm256_add_epi16(temp, c_avx[21]);


temp = _mm256_mullo_epi16 (a[7], b1);
temp = mul_add (a7, b0, temp );
temp = mul_add (a6, b2, temp );
temp = mul_add (a5, b3, temp );
temp = mul_add (a4, b4, temp );
temp = mul_add (a3, b5, temp );
temp = mul_add (a2, b6, temp );
temp = mul_add (a0, b7, temp );
temp=mul_add(a1, b[7], temp);
c_avx[22] = _mm256_add_epi16(temp, c_avx[22]);


temp = _mm256_mullo_epi16 (a7, b1);
temp = mul_add (a6, b0, temp );
temp = mul_add (a5, b2, temp );
temp = mul_add (a4, b3, temp );
temp = mul_add (a3, b4, temp );
temp = mul_add (a2, b5, temp );
temp = mul_add (a0, b6, temp );
temp=mul_add(a1, b7, temp);
c_avx[23] = _mm256_add_epi16(temp, c_avx[23]);


temp = _mm256_mullo_epi16 (a6, b1);
temp = mul_add (a5, b0, temp );
temp = mul_add (a4, b2, temp );
temp = mul_add (a3, b3, temp );
temp = mul_add (a2, b4, temp );
temp = mul_add (a0, b5, temp );
temp=mul_add(a1, b6, temp);
c_avx[24] = _mm256_add_epi16(temp, c_avx[24]);


temp = _mm256_mullo_epi16 (a5, b1);
temp = mul_add (a4, b0, temp );
temp = mul_add (a3, b2, temp );
temp = mul_add (a2, b3, temp );
temp = mul_add (a0, b4, temp );
temp=mul_add(a1, b5, temp);
c_avx[25] = _mm256_add_epi16(temp, c_avx[25]);


temp = _mm256_mullo_epi16 (a4, b1);
temp = mul_add (a3, b0, temp );
temp = mul_add (a2, b2, temp );
temp = mul_add (a0, b3, temp );
temp=mul_add(a1, b4, temp);
c_avx[26] = _mm256_add_epi16(temp, c_avx[26]);


temp = _mm256_mullo_epi16 (a3, b1);
temp = mul_add (a2, b0, temp );
temp = mul_add (a0, b2, temp );
temp=mul_add(a1, b3, temp);
c_avx[27] = _mm256_add_epi16(temp, c_avx[27]);


temp = _mm256_mullo_epi16 (a2, b1);
temp = mul_add (a0, b0, temp );
temp=mul_add(a1, b2, temp);
c_avx[28] = _mm256_add_epi16(temp, c_avx[28]);


temp = _mm256_mullo_epi16 (a0, b1);
temp=mul_add(a1, b0, temp);
c_avx[29] = _mm256_add_epi16(temp, c_avx[29]);


c_avx[30] = mul_add(a1, b1, c_avx[30]);



c_avx[2*SCM_SIZE-1] = _mm256_set_epi64x(0, 0, 0, 0);


}



static void schoolbook_avx_new2(__m256i* a, __m256i* b, __m256i* c_avx) ////8 coefficients of a and b has been prefetched
//the c_avx are not added cummulatively
{

__m256i a0, a1, a2, a3, a4, a5, a6, a7, b0, b1, b2, b3, b4, b5, b6, b7;
__m256i temp;


a0=a[0];
a1=a[1];
a2=a[2];
a3=a[3];
a4=a[4];
a5=a[5];
a6=a[6];
a7=a[7];

b0=b[0];
b1=b[1];
b2=b[2];
b3=b[3];
b4=b[4];
b5=b[5];
b6=b[6];
b7=b[7];

// New Unrolled first triangle
c_avx[0] = _mm256_mullo_epi16 (a0, b0);

temp = _mm256_mullo_epi16 (a0, b1);
c_avx[1]=mul_add(a1, b0, temp);

temp = _mm256_mullo_epi16 (a0, b2);

temp = mul_add(a1, b1, temp);
c_avx[2]= mul_add(a2, b0, temp);

temp = _mm256_mullo_epi16 (a0, b3);
temp = mul_add(a1, b2, temp);
temp = mul_add(a2, b1, temp);
c_avx[3]= mul_add(a3, b0, temp);

temp = _mm256_mullo_epi16 (a0, b4);
temp = mul_add(a1, b3, temp);
temp = mul_add(a3, b1, temp);
temp = mul_add(a4, b0, temp);
c_avx[4]= mul_add(a2, b2, temp);

temp = _mm256_mullo_epi16 (a0, b5);
temp = mul_add(a1, b4 , temp);
temp = mul_add(a2, b3, temp);
temp = mul_add(a3, b2, temp);
temp = mul_add( a4, b1, temp);
c_avx[5] = mul_add(a5, b0, temp);
temp = _mm256_mullo_epi16 (a0, b6);
temp = mul_add(a1, b5, temp);
temp = mul_add(a5, b1, temp);
temp = mul_add(a6, b0, temp);
temp = mul_add(a2, b4, temp);
temp = mul_add(a3, b3, temp);
c_avx[6] = mul_add(a4, b2, temp);

temp = _mm256_mullo_epi16 (a0, b7);
temp = mul_add(a1, b6, temp);
temp = mul_add (a6, b1, temp);
temp = mul_add (a7, b0, temp);
temp = mul_add(a2, b5, temp);
temp = mul_add (a3, b4, temp);
temp = mul_add (a4, b3, temp);
c_avx[7] = mul_add (a5, b2, temp);

temp = _mm256_mullo_epi16 (a0, b[8]);
temp = mul_add (a1, b7, temp);
temp = mul_add (a7, b1, temp);
temp = mul_add (a[8], b0, temp);
temp = mul_add (a2, b6,temp);
temp = mul_add(a3, b5, temp);
temp = mul_add (a4, b4,temp);
temp = mul_add (a5, b3, temp);
c_avx[8] = mul_add (a6, b2, temp);

temp = _mm256_mullo_epi16 (a0, b[9]);
temp = mul_add (a1, b[8], temp);
temp = mul_add (a[8], b1, temp);
temp = mul_add (a[9], b0, temp);
temp = mul_add (a2, b7, temp);
temp = mul_add (a3, b6, temp);
temp = mul_add (a4, b5, temp);
temp = mul_add (a5, b4, temp);
temp = mul_add (a6, b3, temp);
c_avx[9] = mul_add (a7, b2, temp);

temp= _mm256_mullo_epi16 (a0, b[10]);
temp = mul_add (a1, b[9], temp);
temp = mul_add (a[9], b1, temp);
temp = mul_add (a[10], b0, temp);
temp = mul_add (a2, b[8], temp);
temp = mul_add (a3, b7, temp);
temp = mul_add (a4, b6, temp);
temp = mul_add (a5, b5, temp);
temp = mul_add (a6, b4, temp);
temp = mul_add (a7, b3, temp);
c_avx[10] = mul_add (a[8], b2, temp);

temp = _mm256_mullo_epi16 (a0, b[11]);
temp = mul_add (a1, b[10], temp );
temp = mul_add (a[10], b1, temp );
temp = mul_add (a[11], b0, temp );
temp = mul_add (a2, b[9], temp );
temp = mul_add (a3, b[8], temp );
temp = mul_add (a4, b7, temp );
temp = mul_add (a5, b6, temp );
temp = mul_add (a6, b5, temp );
temp = mul_add (a7, b4, temp );
temp = mul_add (a[8], b3, temp );
c_avx[11] = mul_add (a[9], b2, temp );

temp = _mm256_mullo_epi16 (a0, b[12]);
temp = mul_add (a1, b[11], temp);
temp = mul_add (a[11], b1, temp);
temp = mul_add (a[12], b0, temp);
temp = mul_add (a2, b[10], temp);
temp = mul_add (a3, b[9], temp);
temp = mul_add (a4, b[8], temp);
temp = mul_add (a5, b7, temp);
temp = mul_add (a6, b6, temp);
temp = mul_add (a7, b5, temp);
temp = mul_add (a[8], b4, temp);
temp = mul_add (a[9], b3, temp);
c_avx[12] = mul_add (a[10], b2, temp);

temp = _mm256_mullo_epi16 (a0, b[13]);
temp = mul_add (a1, b[12], temp );
temp = mul_add (a[12], b1, temp );
temp = mul_add (a[13], b0, temp );
temp = mul_add (a2, b[11], temp );
temp = mul_add (a3, b[10], temp );
temp = mul_add (a4, b[9], temp );
temp = mul_add (a5, b[8], temp );
temp = mul_add (a6, b7, temp );
temp = mul_add (a7, b6, temp );
temp = mul_add (a[8], b5, temp );
temp = mul_add (a[9], b4, temp );
temp = mul_add (a[10], b3, temp );
c_avx[13] = mul_add (a[11], b2, temp );

temp = _mm256_mullo_epi16 (a0, b[14]);
temp = mul_add (a1, b[13], temp );
temp = mul_add (a[13], b1, temp );
temp = mul_add (a[14], b0, temp );
temp = mul_add (a2, b[12], temp );
temp = mul_add (a3, b[11], temp );
temp = mul_add (a4, b[10], temp );
temp = mul_add (a5, b[9], temp );
temp = mul_add (a6, b[8], temp );
temp = mul_add (a7, b7, temp );
temp = mul_add (a[8], b6, temp );
temp = mul_add (a[9], b5, temp );
temp = mul_add (a[10], b4, temp );
temp = mul_add (a[11], b3, temp );
c_avx[14] = mul_add (a[12], b2, temp );

temp = _mm256_mullo_epi16 (a0, b[15]);
temp = mul_add (a1, b[14], temp );
temp = mul_add (a[14], b1, temp );
temp = mul_add (a[15], b0, temp );
temp = mul_add (a2, b[13], temp );
temp = mul_add (a3, b[12], temp );
temp = mul_add (a4, b[11], temp );
temp = mul_add (a5, b[10], temp );
temp = mul_add (a6, b[9], temp );
temp = mul_add (a7, b[8], temp );
temp = mul_add (a[8], b7, temp );
temp = mul_add (a[9], b6, temp );
temp = mul_add (a[10], b5, temp );
temp = mul_add (a[11], b4, temp );
temp = mul_add (a[12], b3, temp );
c_avx[15] = mul_add (a[13], b2, temp );


// unrolled second triangle
a0=a[14];
a1=a[15];
a2=a[13];
a3=a[12];
a4=a[11];
a5=a[10];
a6=a[9];
a7=a[8];

b0=b[14];
b1=b[15];
b2=b[13];
b3=b[12];
b4=b[11];
b5=b[10];
b6=b[9];
b7=b[8];

temp = _mm256_mullo_epi16 (a[1], b1);
temp = mul_add (a[2], b0, temp );
temp = mul_add (a[3], b2, temp );
temp = mul_add (a[4], b3, temp );
temp = mul_add (a[5], b4, temp );
temp = mul_add (a[6], b5, temp );
temp = mul_add (a[7], b6, temp );
temp = mul_add (a7, b7, temp );
temp = mul_add (a6, b[7], temp );
temp = mul_add (a5, b[6], temp );
temp = mul_add (a4, b[5], temp );
temp = mul_add (a3, b[4], temp );
temp = mul_add (a2, b[3], temp );
temp = mul_add (a0, b[2], temp );
c_avx[16] = mul_add (a1, b[1], temp );

temp = _mm256_mullo_epi16 (a[2], b1);
temp = mul_add (a[3], b0, temp );
temp = mul_add (a[4], b2, temp );
temp = mul_add (a[5], b3, temp );
temp = mul_add (a[6], b4, temp );
temp = mul_add (a[7], b5, temp );
temp = mul_add (a7, b6, temp );
temp = mul_add (a6, b7, temp );
temp = mul_add (a5, b[7], temp );
temp = mul_add (a4, b[6], temp );
temp = mul_add (a3, b[5], temp );
temp = mul_add (a2, b[4], temp );
temp = mul_add (a0, b[3], temp );
c_avx[17] = mul_add (a1, b[2], temp );

temp = _mm256_mullo_epi16 (a[3], b1);
temp = mul_add (a[4], b0, temp );
temp = mul_add (a[5], b2, temp );
temp = mul_add (a[6], b3, temp );
temp = mul_add (a[7], b4, temp );
temp = mul_add (a7, b5, temp );
temp = mul_add (a6, b6, temp );
temp = mul_add (a5, b7, temp );
temp = mul_add (a4, b[7], temp );
temp = mul_add (a3, b[6], temp );
temp = mul_add (a2, b[5], temp );
temp = mul_add (a0, b[4], temp );
c_avx[18] = mul_add (a1, b[3], temp );

temp = _mm256_mullo_epi16 (a[4], b1);
temp = mul_add (a[5], b0, temp );
temp = mul_add (a[6], b2, temp );
temp = mul_add (a[7], b3, temp );
temp = mul_add (a7, b4, temp );
temp = mul_add (a6, b5, temp );
temp = mul_add (a5, b6, temp );
temp = mul_add (a4, b7, temp );
temp = mul_add (a3, b[7], temp );
temp = mul_add (a2, b[6], temp );
temp = mul_add (a0, b[5], temp );
c_avx[19] = mul_add (a1, b[4], temp );

temp = _mm256_mullo_epi16 (a[5], b1);
temp = mul_add (a[6], b0, temp );
temp = mul_add (a[7], b2, temp );
temp = mul_add (a7, b3, temp );
temp = mul_add (a6, b4, temp );
temp = mul_add (a5, b5, temp );
temp = mul_add (a4, b6, temp );
temp = mul_add (a3, b7, temp );
temp = mul_add (a2, b[7], temp );
temp = mul_add (a0, b[6], temp );
c_avx[20] = mul_add (a1, b[5], temp );

temp = _mm256_mullo_epi16 (a[6], b1);
temp = mul_add (a[7], b0, temp );
temp = mul_add (a7, b2, temp );
temp = mul_add (a6, b3, temp );
temp = mul_add (a5, b4, temp );
temp = mul_add (a4, b5, temp );
temp = mul_add (a3, b6, temp );
temp = mul_add (a2, b7, temp );
temp = mul_add (a0, b[7], temp );
c_avx[21] = mul_add (a1, b[6], temp );

temp = _mm256_mullo_epi16 (a[7], b1);
temp = mul_add (a7, b0, temp );
temp = mul_add (a6, b2, temp );
temp = mul_add (a5, b3, temp );
temp = mul_add (a4, b4, temp );
temp = mul_add (a3, b5, temp );
temp = mul_add (a2, b6, temp );
temp = mul_add (a0, b7, temp );
c_avx[22] = mul_add (a1, b[7], temp );

temp = _mm256_mullo_epi16 (a7, b1);
temp = mul_add (a6, b0, temp );
temp = mul_add (a5, b2, temp );
temp = mul_add (a4, b3, temp );
temp = mul_add (a3, b4, temp );
temp = mul_add (a2, b5, temp );
temp = mul_add (a0, b6, temp );
c_avx[23] = mul_add (a1, b7, temp );

temp = _mm256_mullo_epi16 (a6, b1);
temp = mul_add (a5, b0, temp );
temp = mul_add (a4, b2, temp );
temp = mul_add (a3, b3, temp );
temp = mul_add (a2, b4, temp );
temp = mul_add (a0, b5, temp );
c_avx[24] = mul_add (a1, b6, temp );

temp = _mm256_mullo_epi16 (a5, b1);
temp = mul_add (a4, b0, temp );
temp = mul_add (a3, b2, temp );
temp = mul_add (a2, b3, temp );
temp = mul_add (a0, b4, temp );
c_avx[25] = mul_add (a1, b5, temp );

temp = _mm256_mullo_epi16 (a4, b1);
temp = mul_add (a3, b0, temp );
temp = mul_add (a2, b2, temp );
temp = mul_add (a0, b3, temp );
c_avx[26] = mul_add (a1, b4, temp );

temp = _mm256_mullo_epi16 (a3, b1);
temp = mul_add (a2, b0, temp );
temp = mul_add (a0, b2, temp );
c_avx[27] = mul_add (a1, b3, temp );

temp = _mm256_mullo_epi16 (a2, b1);
temp = mul_add (a0, b0, temp );
c_avx[28] = mul_add (a1, b2, temp );

temp = _mm256_mullo_epi16 (a0, b1);
c_avx[29] = mul_add (a1, b0, temp);

c_avx[30] = _mm256_mullo_epi16 (a1, b1);


c_avx[2*SCM_SIZE-1] = _mm256_set_epi64x(0, 0, 0, 0);

}

+ 0
- 1010
crypto_kem/firesaber/avx2/polymul/toom-cook_4way.c
File diff suppressed because it is too large
View File


+ 63
- 42
crypto_kem/firesaber/clean/SABER_indcpa.c View File

@@ -11,81 +11,102 @@
#define h2 ((1 << (SABER_EP - 2)) - (1 << (SABER_EP - SABER_ET - 1)) + (1 << (SABER_EQ - SABER_EP - 1)))

void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_keypair(uint8_t pk[SABER_INDCPA_PUBLICKEYBYTES], uint8_t sk[SABER_INDCPA_SECRETKEYBYTES]) {
uint16_t A[SABER_L][SABER_L][SABER_N];
uint16_t s[SABER_L][SABER_N];
uint16_t b[SABER_L][SABER_N] = {{0}};

uint8_t seed_A[SABER_SEEDBYTES];
uint8_t seed_s[SABER_NOISE_SEEDBYTES];
size_t i, j;

poly A[SABER_L][SABER_L];
poly s[SABER_L];
poly res[SABER_L];

uint8_t rand[SABER_NOISESEEDBYTES];
uint8_t *seed_A = pk + SABER_POLYVECCOMPRESSEDBYTES;

randombytes(seed_A, SABER_SEEDBYTES);
shake128(seed_A, SABER_SEEDBYTES, seed_A, SABER_SEEDBYTES); // for not revealing system RNG state
randombytes(seed_s, SABER_NOISE_SEEDBYTES);

PQCLEAN_FIRESABER_CLEAN_GenMatrix(A, seed_A);
PQCLEAN_FIRESABER_CLEAN_GenSecret(s, seed_s);
PQCLEAN_FIRESABER_CLEAN_MatrixVectorMul(b, (const uint16_t (*)[SABER_L][SABER_N])A, (const uint16_t (*)[SABER_N])s, 1);
randombytes(rand, SABER_NOISESEEDBYTES);
PQCLEAN_FIRESABER_CLEAN_GenSecret(s, rand);
PQCLEAN_FIRESABER_CLEAN_POLVECq2BS(sk, s);

PQCLEAN_FIRESABER_CLEAN_GenMatrix(A, seed_A); // sample matrix A
PQCLEAN_FIRESABER_CLEAN_MatrixVectorMul(res, (const poly (*)[SABER_L])A, (const poly *)s, 1); // Matrix in transposed order


// rounding
for (i = 0; i < SABER_L; i++) {
for (j = 0; j < SABER_N; j++) {
b[i][j] = (b[i][j] + h1) >> (SABER_EQ - SABER_EP);
res[i].coeffs[j] += h1;
res[i].coeffs[j] >>= SABER_EQ - SABER_EP;
res[i].coeffs[j] &= SABER_Q - 1;
}
}

PQCLEAN_FIRESABER_CLEAN_POLVECq2BS(sk, (const uint16_t (*)[SABER_N])s);
PQCLEAN_FIRESABER_CLEAN_POLVECp2BS(pk, (const uint16_t (*)[SABER_N])b);
memcpy(pk + SABER_POLYVECCOMPRESSEDBYTES, seed_A, sizeof(seed_A));
PQCLEAN_FIRESABER_CLEAN_POLVECp2BS(pk, res); // pack public key
}

void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_enc(uint8_t ciphertext[SABER_BYTES_CCA_DEC], const uint8_t m[SABER_KEYBYTES], const uint8_t seed_sp[SABER_NOISE_SEEDBYTES], const uint8_t pk[SABER_INDCPA_PUBLICKEYBYTES]) {
uint16_t A[SABER_L][SABER_L][SABER_N];
uint16_t sp[SABER_L][SABER_N];
uint16_t bp[SABER_L][SABER_N] = {{0}};
uint16_t vp[SABER_N] = {0};
uint16_t mp[SABER_N];
uint16_t b[SABER_L][SABER_N];

void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_enc(uint8_t ciphertext[SABER_BYTES_CCA_DEC], const uint8_t m[SABER_KEYBYTES], const uint8_t noiseseed[SABER_NOISESEEDBYTES], const uint8_t pk[SABER_INDCPA_PUBLICKEYBYTES]) {
size_t i, j;

poly A[SABER_L][SABER_L];
poly res[SABER_L];
poly s[SABER_L];
poly *temp = A[0]; // re-use stack space
poly *vprime = &A[0][0];
poly *message = &A[0][1];

const uint8_t *seed_A = pk + SABER_POLYVECCOMPRESSEDBYTES;
uint8_t *msk_c = ciphertext + SABER_POLYVECCOMPRESSEDBYTES;

PQCLEAN_FIRESABER_CLEAN_GenSecret(s, noiseseed);
PQCLEAN_FIRESABER_CLEAN_GenMatrix(A, seed_A);
PQCLEAN_FIRESABER_CLEAN_GenSecret(sp, seed_sp);
PQCLEAN_FIRESABER_CLEAN_MatrixVectorMul(bp, (const uint16_t (*)[SABER_L][SABER_N])A, (const uint16_t (*)[SABER_N])sp, 0);
PQCLEAN_FIRESABER_CLEAN_MatrixVectorMul(res, (const poly (*)[SABER_L])A, (const poly *)s, 0); // 0 => not transposed

for (i = 0; i < SABER_L; i++) {

// rounding
for (i = 0; i < SABER_L; i++) { //shift right EQ-EP bits
for (j = 0; j < SABER_N; j++) {
bp[i][j] = (bp[i][j] + h1) >> (SABER_EQ - SABER_EP);
res[i].coeffs[j] += h1;
res[i].coeffs[j] >>= SABER_EQ - SABER_EP;
res[i].coeffs[j] &= SABER_Q - 1;
}
}
PQCLEAN_FIRESABER_CLEAN_POLVECp2BS(ciphertext, res);

PQCLEAN_FIRESABER_CLEAN_POLVECp2BS(ciphertext, (const uint16_t (*)[SABER_N])bp);
PQCLEAN_FIRESABER_CLEAN_BS2POLVECp(b, pk);
PQCLEAN_FIRESABER_CLEAN_InnerProd(vp, (const uint16_t (*)[SABER_N])b, (const uint16_t (*)[SABER_N])sp);

PQCLEAN_FIRESABER_CLEAN_BS2POLmsg(mp, m);
// vector-vector scalar multiplication with mod p
PQCLEAN_FIRESABER_CLEAN_BS2POLVECp(temp, pk);
PQCLEAN_FIRESABER_CLEAN_InnerProd(vprime, temp, s);
PQCLEAN_FIRESABER_CLEAN_BS2POLmsg(message, m);

for (j = 0; j < SABER_N; j++) {
vp[j] = (vp[j] - (mp[j] << (SABER_EP - 1)) + h1) >> (SABER_EP - SABER_ET);
for (i = 0; i < SABER_N; i++) {
vprime->coeffs[i] += h1 - (message->coeffs[i] << (SABER_EP - 1));
vprime->coeffs[i] &= SABER_P - 1;
vprime->coeffs[i] >>= SABER_EP - SABER_ET;
}

PQCLEAN_FIRESABER_CLEAN_POLT2BS(ciphertext + SABER_POLYVECCOMPRESSEDBYTES, vp);
PQCLEAN_FIRESABER_CLEAN_POLT2BS(msk_c, vprime);
}

void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_dec(uint8_t m[SABER_KEYBYTES], const uint8_t sk[SABER_INDCPA_SECRETKEYBYTES], const uint8_t ciphertext[SABER_BYTES_CCA_DEC]) {

uint16_t s[SABER_L][SABER_N];
uint16_t b[SABER_L][SABER_N];
uint16_t v[SABER_N] = {0};
uint16_t cm[SABER_N];
void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_dec(uint8_t m[SABER_KEYBYTES], const uint8_t sk[SABER_INDCPA_SECRETKEYBYTES], const uint8_t ciphertext[SABER_BYTES_CCA_DEC]) {
size_t i;

poly temp[SABER_L];
poly s[SABER_L];

const uint8_t *packed_cm = ciphertext + SABER_POLYVECCOMPRESSEDBYTES;
poly *v = &temp[0];
poly *cm = &temp[1];

PQCLEAN_FIRESABER_CLEAN_BS2POLVECq(s, sk);
PQCLEAN_FIRESABER_CLEAN_BS2POLVECp(b, ciphertext);
PQCLEAN_FIRESABER_CLEAN_InnerProd(v, (const uint16_t (*)[SABER_N])b, (const uint16_t (*)[SABER_N])s);
PQCLEAN_FIRESABER_CLEAN_BS2POLT(cm, ciphertext + SABER_POLYVECCOMPRESSEDBYTES);
PQCLEAN_FIRESABER_CLEAN_BS2POLVECp(temp, ciphertext);
PQCLEAN_FIRESABER_CLEAN_InnerProd(&temp[0], temp, s);

PQCLEAN_FIRESABER_CLEAN_BS2POLT(cm, packed_cm);

for (i = 0; i < SABER_N; i++) {
v[i] = (v[i] + h2 - (cm[i] << (SABER_EP - SABER_ET))) >> (SABER_EP - 1);
v->coeffs[i] += h2 - (cm->coeffs[i] << (SABER_EP - SABER_ET));
v->coeffs[i] &= SABER_P - 1;
v->coeffs[i] >>= SABER_EP - 1;
}

PQCLEAN_FIRESABER_CLEAN_POLmsg2BS(m, v);


+ 1
- 1
crypto_kem/firesaber/clean/SABER_indcpa.h View File

@@ -5,7 +5,7 @@

void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_keypair(uint8_t pk[SABER_INDCPA_PUBLICKEYBYTES], uint8_t sk[SABER_INDCPA_SECRETKEYBYTES]);

void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_enc(uint8_t ciphertext[SABER_BYTES_CCA_DEC], const uint8_t m[SABER_KEYBYTES], const uint8_t seed_sp[SABER_NOISE_SEEDBYTES], const uint8_t pk[SABER_INDCPA_PUBLICKEYBYTES]);
void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_enc(uint8_t ciphertext[SABER_BYTES_CCA_DEC], const uint8_t m[SABER_KEYBYTES], const uint8_t noiseseed[SABER_NOISESEEDBYTES], const uint8_t pk[SABER_INDCPA_PUBLICKEYBYTES]);

void PQCLEAN_FIRESABER_CLEAN_indcpa_kem_dec(uint8_t m[SABER_KEYBYTES], const uint8_t sk[SABER_INDCPA_SECRETKEYBYTES], const uint8_t ciphertext[SABER_BYTES_CCA_DEC]);



+ 7
- 5
crypto_kem/firesaber/clean/SABER_params.h View File

@@ -2,19 +2,21 @@
#define PARAMS_H


/* Change this for different security strengths */

/* Don't change anything below this line */
#define SABER_L 4
#define SABER_MU 6
#define SABER_ET 6

#define SABER_EQ 13
#define SABER_EP 10
#define SABER_N 256

#define SABER_EP 10
#define SABER_P (1 << SABER_EP)

#define SABER_EQ 13
#define SABER_Q (1 << SABER_EQ)

#define SABER_SEEDBYTES 32
#define SABER_NOISE_SEEDBYTES 32
#define SABER_NOISESEEDBYTES 32
#define SABER_KEYBYTES 32
#define SABER_HASHBYTES 32



+ 1
- 1
crypto_kem/firesaber/clean/api.h View File

@@ -15,4 +15,4 @@ int PQCLEAN_FIRESABER_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *k,
int PQCLEAN_FIRESABER_CLEAN_crypto_kem_dec(unsigned char *k, const unsigned char *ct, const unsigned char *sk);


#endif /* api_h */
#endif /* PQCLEAN_FIRESABER_CLEAN_API_H */

+ 87
- 74
crypto_kem/firesaber/clean/pack_unpack.c View File

@@ -1,136 +1,149 @@
#include "api.h"
#include "SABER_params.h"
#include "pack_unpack.h"
#include "poly.h"
#include <string.h>

void PQCLEAN_FIRESABER_CLEAN_POLT2BS(uint8_t bytes[SABER_SCALEBYTES_KEM], const uint16_t data[SABER_N]) {
size_t j, offset_byte, offset_data;
void PQCLEAN_FIRESABER_CLEAN_POLT2BS(uint8_t bytes[SABER_SCALEBYTES_KEM], const poly *data) {
size_t j;
const uint16_t *in = data->coeffs;
uint8_t *out = bytes;
for (j = 0; j < SABER_N / 4; j++) {
offset_byte = 3 * j;
offset_data = 4 * j;
bytes[offset_byte + 0] = (data[offset_data + 0] & 0x3f) | ((data[offset_data + 1] & 0x03) << 6);
bytes[offset_byte + 1] = ((data[offset_data + 1] >> 2) & 0x0f) | ((data[offset_data + 2] & 0x0f) << 4);
bytes[offset_byte + 2] = ((data[offset_data + 2] >> 4) & 0x03) | ((data[offset_data + 3] & 0x3f) << 2);
out[0] = (in[0] & 0x3f) | ((in[1] & 0x03) << 6);
out[1] = ((in[1] >> 2) & 0x0f) | ((in[2] & 0x0f) << 4);
out[2] = ((in[2] >> 4) & 0x03) | ((in[3] & 0x3f) << 2);
in += 4;
out += 3;
}
}

void PQCLEAN_FIRESABER_CLEAN_BS2POLT(uint16_t data[SABER_N], const uint8_t bytes[SABER_SCALEBYTES_KEM]) {
size_t j, offset_byte, offset_data;
void PQCLEAN_FIRESABER_CLEAN_BS2POLT(poly *data, const uint8_t bytes[SABER_SCALEBYTES_KEM]) {
size_t j;
const uint8_t *in = bytes;
uint16_t *out = data->coeffs;
for (j = 0; j < SABER_N / 4; j++) {
offset_byte = 3 * j;
offset_data = 4 * j;
data[offset_data + 0] = bytes[offset_byte + 0] & 0x3f;
data[offset_data + 1] = ((bytes[offset_byte + 0] >> 6) & 0x03) | ((bytes[offset_byte + 1] & 0x0f) << 2);
data[offset_data + 2] = ((bytes[offset_byte + 1] & 0xff) >> 4) | ((bytes[offset_byte + 2] & 0x03) << 4);
data[offset_data + 3] = ((bytes[offset_byte + 2] & 0xff) >> 2);
out[0] = in[0] & 0x3f;
out[1] = ((in[0] >> 6) & 0x03) | ((in[1] & 0x0f) << 2);
out[2] = ((in[1] & 0xff) >> 4) | ((in[2] & 0x03) << 4);
out[3] = ((in[2] & 0xff) >> 2);
in += 3;
out += 4;
}
}

static void POLq2BS(uint8_t bytes[SABER_POLYBYTES], const uint16_t data[SABER_N]) {
size_t j, offset_byte, offset_data;
static void POLq2BS(uint8_t bytes[SABER_POLYBYTES], const poly *data) {
size_t j;
const uint16_t *in = data->coeffs;
uint8_t *out = bytes;
for (j = 0; j < SABER_N / 8; j++) {
offset_byte = 13 * j;
offset_data = 8 * j;
bytes[offset_byte + 0] = (data[offset_data + 0] & (0xff));
bytes[offset_byte + 1] = ((data[offset_data + 0] >> 8) & 0x1f) | ((data[offset_data + 1] & 0x07) << 5);
bytes[offset_byte + 2] = ((data[offset_data + 1] >> 3) & 0xff);
bytes[offset_byte + 3] = ((data[offset_data + 1] >> 11) & 0x03) | ((data[offset_data + 2] & 0x3f) << 2);
bytes[offset_byte + 4] = ((data[offset_data + 2] >> 6) & 0x7f) | ((data[offset_data + 3] & 0x01) << 7);
bytes[offset_byte + 5] = ((data[offset_data + 3] >> 1) & 0xff);
bytes[offset_byte + 6] = ((data[offset_data + 3] >> 9) & 0x0f) | ((data[offset_data + 4] & 0x0f) << 4);
bytes[offset_byte + 7] = ((data[offset_data + 4] >> 4) & 0xff);
bytes[offset_byte + 8] = ((data[offset_data + 4] >> 12) & 0x01) | ((data[offset_data + 5] & 0x7f) << 1);
bytes[offset_byte + 9] = ((data[offset_data + 5] >> 7) & 0x3f) | ((data[offset_data + 6] & 0x03) << 6);
bytes[offset_byte + 10] = ((data[offset_data + 6] >> 2) & 0xff);
bytes[offset_byte + 11] = ((data[offset_data + 6] >> 10) & 0x07) | ((data[offset_data + 7] & 0x1f) << 3);
bytes[offset_byte + 12] = ((data[offset_data + 7] >> 5) & 0xff);
out[0] = (in[0] & (0xff));
out[1] = ((in[0] >> 8) & 0x1f) | ((in[1] & 0x07) << 5);
out[2] = ((in[1] >> 3) & 0xff);
out[3] = ((in[1] >> 11) & 0x03) | ((in[2] & 0x3f) << 2);
out[4] = ((in[2] >> 6) & 0x7f) | ((in[3] & 0x01) << 7);
out[5] = ((in[3] >> 1) & 0xff);
out[6] = ((in[3] >> 9) & 0x0f) | ((in[4] & 0x0f) << 4);
out[7] = ((in[4] >> 4) & 0xff);
out[8] = ((in[4] >> 12) & 0x01) | ((in[5] & 0x7f) << 1);
out[9] = ((in[5] >> 7) & 0x3f) | ((in[6] & 0x03) << 6);
out[10] = ((in[6] >> 2) & 0xff);
out[11] = ((in[6] >> 10) & 0x07) | ((in[7] & 0x1f) << 3);
out[12] = ((in[7] >> 5) & 0xff);
in += 8;
out += 13;
}
}

static void BS2POLq(uint16_t data[SABER_N], const uint8_t bytes[SABER_POLYBYTES]) {
size_t j, offset_byte, offset_data;
static void BS2POLq(poly *data, const uint8_t bytes[SABER_POLYBYTES]) {
size_t j;
const uint8_t *in = bytes;
uint16_t *out = data->coeffs;
for (j = 0; j < SABER_N / 8; j++) {
offset_byte = 13 * j;
offset_data = 8 * j;
data[offset_data + 0] = (bytes[offset_byte + 0] & (0xff)) | ((bytes[offset_byte + 1] & 0x1f) << 8);
data[offset_data + 1] = (bytes[offset_byte + 1] >> 5 & (0x07)) | ((bytes[offset_byte + 2] & 0xff) << 3) | ((bytes[offset_byte + 3] & 0x03) << 11);
data[offset_data + 2] = (bytes[offset_byte + 3] >> 2 & (0x3f)) | ((bytes[offset_byte + 4] & 0x7f) << 6);
data[offset_data + 3] = (bytes[offset_byte + 4] >> 7 & (0x01)) | ((bytes[offset_byte + 5] & 0xff) << 1) | ((bytes[offset_byte + 6] & 0x0f) << 9);
data[offset_data + 4] = (bytes[offset_byte + 6] >> 4 & (0x0f)) | ((bytes[offset_byte + 7] & 0xff) << 4) | ((bytes[offset_byte + 8] & 0x01) << 12);
data[offset_data + 5] = (bytes[offset_byte + 8] >> 1 & (0x7f)) | ((bytes[offset_byte + 9] & 0x3f) << 7);
data[offset_data + 6] = (bytes[offset_byte + 9] >> 6 & (0x03)) | ((bytes[offset_byte + 10] & 0xff) << 2) | ((bytes[offset_byte + 11] & 0x07) << 10);
data[offset_data + 7] = (bytes[offset_byte + 11] >> 3 & (0x1f)) | ((bytes[offset_byte + 12] & 0xff) << 5);
out[0] = (in[0] & (0xff)) | ((in[1] & 0x1f) << 8);
out[1] = (in[1] >> 5 & (0x07)) | ((in[2] & 0xff) << 3) | ((in[3] & 0x03) << 11);
out[2] = (in[3] >> 2 & (0x3f)) | ((in[4] & 0x7f) << 6);
out[3] = (in[4] >> 7 & (0x01)) | ((in[5] & 0xff) << 1) | ((in[6] & 0x0f) << 9);
out[4] = (in[6] >> 4 & (0x0f)) | ((in[7] & 0xff) << 4) | ((in[8] & 0x01) << 12);
out[5] = (in[8] >> 1 & (0x7f)) | ((in[9] & 0x3f) << 7);
out[6] = (in[9] >> 6 & (0x03)) | ((in[10] & 0xff) << 2) | ((in[11] & 0x07) << 10);
out[7] = (in[11] >> 3 & (0x1f)) | ((in[12] & 0xff) << 5);
in += 13;
out += 8;
}
}

static void POLp2BS(uint8_t bytes[SABER_POLYCOMPRESSEDBYTES], const uint16_t data[SABER_N]) {
size_t j, offset_byte, offset_data;
static void POLp2BS(uint8_t bytes[SABER_POLYCOMPRESSEDBYTES], const poly *data) {
size_t j;
const uint16_t *in = data->coeffs;
uint8_t *out = bytes;
for (j = 0; j < SABER_N / 4; j++) {
offset_byte = 5 * j;
offset_data = 4 * j;
bytes[offset_byte + 0] = (data[offset_data + 0] & (0xff));
bytes[offset_byte + 1] = ((data[offset_data + 0] >> 8) & 0x03) | ((data[offset_data + 1] & 0x3f) << 2);
bytes[offset_byte + 2] = ((data[offset_data + 1] >> 6) & 0x0f) | ((data[offset_data + 2] & 0x0f) << 4);
bytes[offset_byte + 3] = ((data[offset_data + 2] >> 4) & 0x3f) | ((data[offset_data + 3] & 0x03) << 6);
bytes[offset_byte + 4] = ((data[offset_data + 3] >> 2) & 0xff);
out[0] = (in[0] & (0xff));
out[1] = ((in[0] >> 8) & 0x03) | ((in[1] & 0x3f) << 2);
out[2] = ((in[1] >> 6) & 0x0f) | ((in[2] & 0x0f) << 4);
out[3] = ((in[2] >> 4) & 0x3f) | ((in[3] & 0x03) << 6);
out[4] = ((in[3] >> 2) & 0xff);
in += 4;
out += 5;
}
}

static void BS2POLp(uint16_t data[SABER_N], const uint8_t bytes[SABER_POLYCOMPRESSEDBYTES]) {
size_t j, offset_byte, offset_data;
static void BS2POLp(poly *data, const uint8_t bytes[SABER_POLYCOMPRESSEDBYTES]) {
size_t j;
const uint8_t *in = bytes;
uint16_t *out = data->coeffs;
for (j = 0; j < SABER_N / 4; j++) {
offset_byte = 5 * j;
offset_data = 4 * j;
data[offset_data + 0] = (bytes[offset_byte + 0] & (0xff)) | ((bytes[offset_byte + 1] & 0x03) << 8);
data[offset_data + 1] = ((bytes[offset_byte + 1] >> 2) & (0x3f)) | ((bytes[offset_byte + 2] & 0x0f) << 6);
data[offset_data + 2] = ((bytes[offset_byte + 2] >> 4) & (0x0f)) | ((bytes[offset_byte + 3] & 0x3f) << 4);
data[offset_data + 3] = ((bytes[offset_byte + 3] >> 6) & (0x03)) | ((bytes[offset_byte + 4] & 0xff) << 2);
out[0] = (in[0] & (0xff)) | ((in[1] & 0x03) << 8);
out[1] = ((in[1] >> 2) & (0x3f)) | ((in[2] & 0x0f) << 6);
out[2] = ((in[2] >> 4) & (0x0f)) | ((in[3] & 0x3f) << 4);
out[3] = ((in[3] >> 6) & (0x03)) | ((in[4] & 0xff) << 2);
in += 5;
out += 4;
}
}

void PQCLEAN_FIRESABER_CLEAN_POLVECq2BS(uint8_t bytes[SABER_POLYVECBYTES], const uint16_t data[SABER_L][SABER_N]) {
void PQCLEAN_FIRESABER_CLEAN_POLVECq2BS(uint8_t bytes[SABER_POLYVECBYTES], const poly data[SABER_L]) {
size_t i;
for (i = 0; i < SABER_L; i++) {
POLq2BS(bytes + i * SABER_POLYBYTES, data[i]);
POLq2BS(bytes + i * SABER_POLYBYTES, &data[i]);
}
}

void PQCLEAN_FIRESABER_CLEAN_BS2POLVECq(uint16_t data[SABER_L][SABER_N], const uint8_t bytes[SABER_POLYVECBYTES]) {
void PQCLEAN_FIRESABER_CLEAN_BS2POLVECq(poly data[SABER_L], const uint8_t bytes[SABER_POLYVECBYTES]) {
size_t i;
for (i = 0; i < SABER_L; i++) {
BS2POLq(data[i], bytes + i * SABER_POLYBYTES);
BS2POLq(&data[i], bytes + i * SABER_POLYBYTES);
}
}

void PQCLEAN_FIRESABER_CLEAN_POLVECp2BS(uint8_t bytes[SABER_POLYVECCOMPRESSEDBYTES], const uint16_t data[SABER_L][SABER_N]) {
void PQCLEAN_FIRESABER_CLEAN_POLVECp2BS(uint8_t bytes[SABER_POLYVECCOMPRESSEDBYTES], const poly data[SABER_L]) {
size_t i;
for (i = 0; i < SABER_L; i++) {
POLp2BS(bytes + i * (SABER_EP * SABER_N / 8), data[i]);
POLp2BS(bytes + i * SABER_POLYCOMPRESSEDBYTES, &data[i]);
}
}

void PQCLEAN_FIRESABER_CLEAN_BS2POLVECp(uint16_t data[SABER_L][SABER_N], const uint8_t bytes[SABER_POLYVECCOMPRESSEDBYTES]) {
void PQCLEAN_FIRESABER_CLEAN_BS2POLVECp(poly data[SABER_L], const uint8_t bytes[SABER_POLYVECCOMPRESSEDBYTES]) {
size_t i;
for (i = 0; i < SABER_L; i++) {
BS2POLp(data[i], bytes + i * (SABER_EP * SABER_N / 8));
BS2POLp(&data[i], bytes + i * SABER_POLYCOMPRESSEDBYTES);
}
}

void PQCLEAN_FIRESABER_CLEAN_BS2POLmsg(uint16_t data[SABER_N], const uint8_t bytes[SABER_KEYBYTES]) {
void PQCLEAN_FIRESABER_CLEAN_BS2POLmsg(poly *data, const uint8_t bytes[SABER_KEYBYTES]) {
size_t i, j;
for (j = 0; j < SABER_KEYBYTES; j++) {
for (i = 0; i < 8; i++) {
data[j * 8 + i] = ((bytes[j] >> i) & 0x01);
data->coeffs[j * 8 + i] = ((bytes[j] >> i) & 0x01);
}
}
}

void PQCLEAN_FIRESABER_CLEAN_POLmsg2BS(uint8_t bytes[SABER_KEYBYTES], const uint16_t data[SABER_N]) {
void PQCLEAN_FIRESABER_CLEAN_POLmsg2BS(uint8_t bytes[SABER_KEYBYTES], const poly *data) {
size_t i, j;
memset(bytes, 0, SABER_KEYBYTES);

for (j = 0; j < SABER_KEYBYTES; j++) {
for (i = 0; i < 8; i++) {
bytes[j] = bytes[j] | ((data[j * 8 + i] & 0x01) << i);
bytes[j] = bytes[j] | ((data->coeffs[j * 8 + i] & 0x01) << i);
}
}
}

+ 9
- 8
crypto_kem/firesaber/clean/pack_unpack.h View File

@@ -1,27 +1,28 @@
#ifndef PACK_UNPACK_H
#define PACK_UNPACK_H
#include "SABER_params.h"
#include "poly.h"
#include <stdint.h>
#include <stdio.h>

void PQCLEAN_FIRESABER_CLEAN_POLT2BS(uint8_t bytes[SABER_SCALEBYTES_KEM], const uint16_t data[SABER_N]);
void PQCLEAN_FIRESABER_CLEAN_POLT2BS(uint8_t bytes[SABER_SCALEBYTES_KEM], const poly *data);

void PQCLEAN_FIRESABER_CLEAN_BS2POLT(uint16_t data[SABER_N], const uint8_t bytes[SABER_SCALEBYTES_KEM]);
void PQCLEAN_FIRESABER_CLEAN_BS2POLT(poly *data, const uint8_t bytes[SABER_SCALEBYTES_KEM]);


void PQCLEAN_FIRESABER_CLEAN_POLVECq2BS(uint8_t bytes[SABER_POLYVECBYTES], const uint16_t data[SABER_L][SABER_N]);
void PQCLEAN_FIRESABER_CLEAN_POLVECq2BS(uint8_t bytes[SABER_POLYVECBYTES], const poly data[SABER_L]);

void PQCLEAN_FIRESABER_CLEAN_POLVECp2BS(uint8_t bytes[SABER_POLYVECCOMPRESSEDBYTES], const uint16_t data[SABER_L][SABER_N]);
void PQCLEAN_FIRESABER_CLEAN_POLVECp2BS(uint8_t bytes[SABER_POLYVECCOMPRESSEDBYTES], const poly data[SABER_L]);


void PQCLEAN_FIRESABER_CLEAN_BS2POLVECq(uint16_t data[SABER_L][SABER_N], const uint8_t bytes[SABER_POLYVECBYTES]);
void PQCLEAN_FIRESABER_CLEAN_BS2POLVECq(poly data[SABER_L], const uint8_t bytes[SABER_POLYVECBYTES]);

void PQCLEAN_FIRESABER_CLEAN_BS2POLVECp(uint16_t data[SABER_L][SABER_N], const uint8_t bytes[SABER_POLYVECCOMPRESSEDBYTES]);
void PQCLEAN_FIRESABER_CLEAN_BS2POLVECp(poly data[SABER_L], const uint8_t bytes[SABER_POLYVECCOMPRESSEDBYTES]);


void PQCLEAN_FIRESABER_CLEAN_BS2POLmsg(uint16_t data[SABER_N], const uint8_t bytes[SABER_KEYBYTES]);
void PQCLEAN_FIRESABER_CLEAN_BS2POLmsg(poly *data, const uint8_t bytes[SABER_KEYBYTES]);

void PQCLEAN_FIRESABER_CLEAN_POLmsg2BS(uint8_t bytes[SABER_KEYBYTES], const uint16_t data[SABER_N]);
void PQCLEAN_FIRESABER_CLEAN_POLmsg2BS(uint8_t bytes[SABER_KEYBYTES], const poly *data);


#endif

+ 26
- 18
crypto_kem/firesaber/clean/poly.c View File

@@ -3,32 +3,40 @@
#include "fips202.h"
#include "pack_unpack.h"
#include "poly.h"
#include "poly_mul.h"
#include <stddef.h>

void PQCLEAN_FIRESABER_CLEAN_MatrixVectorMul(uint16_t res[SABER_L][SABER_N], const uint16_t A[SABER_L][SABER_L][SABER_N], const uint16_t s[SABER_L][SABER_N], int16_t transpose) {
void PQCLEAN_FIRESABER_CLEAN_MatrixVectorMul(poly c[SABER_L], const poly A[SABER_L][SABER_L], const poly s[SABER_L], int16_t transpose) {
size_t i, j;
for (i = 0; i < SABER_L; i++) {
for (j = 0; j < SABER_L; j++) {
if (transpose == 1) {
PQCLEAN_FIRESABER_CLEAN_poly_mul_acc(res[i], A[j][i], s[j]);
} else {
PQCLEAN_FIRESABER_CLEAN_poly_mul_acc(res[i], A[i][j], s[j]);

if (transpose) {
for (i = 0; i < SABER_L; i++) {
PQCLEAN_FIRESABER_CLEAN_poly_mul(&c[i], &A[0][i], &s[0], 0);
for (j = 1; j < SABER_L; j++) {
PQCLEAN_FIRESABER_CLEAN_poly_mul(&c[i], &A[j][i], &s[j], 1);
}
}
} else {
for (i = 0; i < SABER_L; i++) {
PQCLEAN_FIRESABER_CLEAN_poly_mul(&c[i], &A[i][0], &s[0], 0);
for (j = 1; j < SABER_L; j++) {
PQCLEAN_FIRESABER_CLEAN_poly_mul(&c[i], &A[i][j], &s[j], 1);
}
}
}
}

void PQCLEAN_FIRESABER_CLEAN_InnerProd(uint16_t res[SABER_N], const uint16_t b[SABER_L][SABER_N], const uint16_t s[SABER_L][SABER_N]) {
size_t j;
for (j = 0; j < SABER_L; j++) {
PQCLEAN_FIRESABER_CLEAN_poly_mul_acc(res, b[j], s[j]);
void PQCLEAN_FIRESABER_CLEAN_InnerProd(poly *c, const poly b[SABER_L], const poly s[SABER_L]) {
size_t i;

PQCLEAN_FIRESABER_CLEAN_poly_mul(c, &b[0], &s[0], 0);
for (i = 1; i < SABER_L; i++) {
PQCLEAN_FIRESABER_CLEAN_poly_mul(c, &b[i], &s[i], 1);
}
}

void PQCLEAN_FIRESABER_CLEAN_GenMatrix(uint16_t A[SABER_L][SABER_L][SABER_N], const uint8_t seed[SABER_SEEDBYTES]) {
uint8_t buf[SABER_L * SABER_POLYVECBYTES];
void PQCLEAN_FIRESABER_CLEAN_GenMatrix(poly A[SABER_L][SABER_L], const uint8_t seed[SABER_SEEDBYTES]) {
size_t i;
uint8_t buf[SABER_L * SABER_POLYVECBYTES];

shake128(buf, sizeof(buf), seed, SABER_SEEDBYTES);

@@ -37,13 +45,13 @@ void PQCLEAN_FIRESABER_CLEAN_GenMatrix(uint16_t A[SABER_L][SABER_L][SABER_N], co
}
}

void PQCLEAN_FIRESABER_CLEAN_GenSecret(uint16_t s[SABER_L][SABER_N], const uint8_t seed[SABER_NOISE_SEEDBYTES]) {
uint8_t buf[SABER_L * SABER_POLYCOINBYTES];
void PQCLEAN_FIRESABER_CLEAN_GenSecret(poly s[SABER_L], const uint8_t seed[SABER_NOISESEEDBYTES]) {
size_t i;
uint8_t buf[SABER_L * SABER_POLYCOINBYTES];

shake128(buf, sizeof(buf), seed, SABER_NOISE_SEEDBYTES);
shake128(buf, sizeof(buf), seed, SABER_NOISESEEDBYTES);

for (i = 0; i < SABER_L; i++) {
PQCLEAN_FIRESABER_CLEAN_cbd(s[i], buf + i * SABER_POLYCOINBYTES);
PQCLEAN_FIRESABER_CLEAN_cbd(s[i].coeffs, buf + i * SABER_POLYCOINBYTES);
}
}

+ 12
- 4
crypto_kem/firesaber/clean/poly.h View File

@@ -3,13 +3,21 @@
#include "SABER_params.h"
#include <stdint.h>

void PQCLEAN_FIRESABER_CLEAN_MatrixVectorMul(uint16_t res[SABER_L][SABER_N], const uint16_t a[SABER_L][SABER_L][SABER_N], const uint16_t s[SABER_L][SABER_N], int16_t transpose);
typedef union {
uint16_t coeffs[SABER_N];
} poly;

void PQCLEAN_FIRESABER_CLEAN_InnerProd(uint16_t res[SABER_N], const uint16_t b[SABER_L][SABER_N], const uint16_t s[SABER_L][SABER_N]);

void PQCLEAN_FIRESABER_CLEAN_GenMatrix(uint16_t a[SABER_L][SABER_L][SABER_N], const uint8_t seed[SABER_SEEDBYTES]);
void PQCLEAN_FIRESABER_CLEAN_MatrixVectorMul(poly c[SABER_L], const poly A[SABER_L][SABER_L], const poly s[SABER_L], int16_t transpose);

void PQCLEAN_FIRESABER_CLEAN_GenSecret(uint16_t s[SABER_L][SABER_N], const uint8_t seed[SABER_NOISE_SEEDBYTES]);
void PQCLEAN_FIRESABER_CLEAN_InnerProd(poly *c, const poly b[SABER_L], const poly s[SABER_L]);

void PQCLEAN_FIRESABER_CLEAN_GenMatrix(poly A[SABER_L][SABER_L], const uint8_t seed[SABER_SEEDBYTES]);

void PQCLEAN_FIRESABER_CLEAN_GenSecret(poly s[SABER_L], const uint8_t seed[SABER_NOISESEEDBYTES]);


void PQCLEAN_FIRESABER_CLEAN_poly_mul(poly *c, const poly *a, const poly *b, int accumulate);


#endif

+ 12
- 6
crypto_kem/firesaber/clean/poly_mul.c View File

@@ -1,4 +1,4 @@
#include "poly_mul.h"
#include "poly.h"
#include <stdint.h>
#include <string.h>

@@ -229,14 +229,20 @@ static void toom_cook_4way (uint16_t *result, const uint16_t *a1, const uint16_t
}

/* res += a*b */
void PQCLEAN_FIRESABER_CLEAN_poly_mul_acc(uint16_t res[SABER_N], const uint16_t a[SABER_N], const uint16_t b[SABER_N]) {
uint16_t c[2 * SABER_N] = {0};
void PQCLEAN_FIRESABER_CLEAN_poly_mul(poly *c, const poly *a, const poly *b, const int accumulate) {
uint16_t C[2 * SABER_N] = {0};
size_t i;

toom_cook_4way(c, a, b);
toom_cook_4way(C, a->coeffs, b->coeffs);

/* reduction */
for (i = SABER_N; i < 2 * SABER_N; i++) {
res[i - SABER_N] += (c[i - SABER_N] - c[i]);
if (accumulate == 0) {
for (i = SABER_N; i < 2 * SABER_N; i++) {
c->coeffs[i - SABER_N] = (C[i - SABER_N] - C[i]);
}
} else {
for (i = SABER_N; i < 2 * SABER_N; i++) {
c->coeffs[i - SABER_N] += (C[i - SABER_N] - C[i]);
}
}
}

+ 0
- 6
crypto_kem/firesaber/clean/poly_mul.h View File

@@ -1,9 +1,3 @@
#ifndef POLY_MUL_H
#define POLY_MUL_H
#include "SABER_params.h"
#include <stdint.h>

void PQCLEAN_FIRESABER_CLEAN_poly_mul_acc(uint16_t res[SABER_N], const uint16_t a[SABER_N], const uint16_t b[SABER_N]);


#endif

+ 2
- 2
crypto_kem/lightsaber/META.yml View File

@@ -14,9 +14,9 @@ principal-submitters:
- Frederik Vercauteren
implementations:
- name: clean
version: https://github.com/KULeuven-COSIC/SABER/tree/509cc5ec3a7e12a751ccdd2ef5bd6e54e00bd350 via https://github.com/jschanck/package-pqclean/tree/b53a47b5/saber
version: https://github.com/KULeuven-COSIC/SABER/tree/509cc5ec3a7e12a751ccdd2ef5bd6e54e00bd350 via https://github.com/jschanck/package-pqclean/tree/88ee652a/saber
- name: avx2
version: https://github.com/KULeuven-COSIC/SABER/tree/509cc5ec3a7e12a751ccdd2ef5bd6e54e00bd350 via https://github.com/jschanck/package-pqclean/tree/b53a47b5/saber
version: https://github.com/KULeuven-COSIC/SABER/tree/509cc5ec3a7e12a751ccdd2ef5bd6e54e00bd350 via https://github.com/jschanck/package-pqclean/tree/88ee652a/saber
supported_platforms:
- architecture: x86_64
operating_systems:


+ 1
- 1
crypto_kem/lightsaber/avx2/Makefile View File

@@ -2,7 +2,7 @@

LIB=liblightsaber_avx2.a
HEADERS=api.h cbd.h kem.h pack_unpack.h poly.h SABER_indcpa.h SABER_params.h verify.h
OBJECTS=cbd.o kem.o pack_unpack.o SABER_indcpa.o verify.o
OBJECTS=cbd.o kem.o pack_unpack.o poly.o poly_mul.o SABER_indcpa.o verify.o

CFLAGS=-O3 -mavx2 -Wall -Wextra -Wpedantic -Wvla -Werror -Wredundant-decls -Wmissing-prototypes -std=c99 -I../../../common $(EXTRAFLAGS)



+ 72
- 362
crypto_kem/lightsaber/avx2/SABER_indcpa.c View File

@@ -1,416 +1,125 @@
#include "./polymul/toom-cook_4way.c"
#include "SABER_indcpa.h"
#include "SABER_params.h"
#include "api.h"
#include "cbd.h"
#include "fips202.h"
#include "pack_unpack.h"
#include "poly.h"
#include "randombytes.h"
#include <stdint.h>
#include <stdio.h>
#include <string.h>
//#include "randombytes.h"
//#include "./polymul/toom_cook_4/toom-cook_4way.c"

#define h1 4 //2^(EQ-EP-1)
#define h1 (1 << (SABER_EQ - SABER_EP - 1))
#define h2 ((1 << (SABER_EP - 2)) - (1 << (SABER_EP - SABER_ET - 1)) + (1 << (SABER_EQ - SABER_EP - 1)))

#define h2 ( (1<<(SABER_EP-2)) - (1<<(SABER_EP-SABER_ET-1)) + (1<<(SABER_EQ-SABER_EP-1)) )
void PQCLEAN_LIGHTSABER_AVX2_indcpa_kem_keypair(uint8_t pk[SABER_INDCPA_PUBLICKEYBYTES], uint8_t sk[SABER_INDCPA_SECRETKEYBYTES]) {
size_t i, j;

poly A[SABER_L][SABER_L];
poly *skpv1 = A[0]; // use first row of A to hold sk temporarily
toom4_points skpv1_eval[SABER_L];
poly res[SABER_L];

static void POL2MSG(uint8_t *message_dec, const uint16_t *message_dec_unpacked) {
int32_t i, j;
uint8_t rand[SABER_NOISESEEDBYTES];
uint8_t *seed_A = pk + SABER_POLYVECCOMPRESSEDBYTES;

for (j = 0; j < SABER_KEYBYTES; j++) {
message_dec[j] = 0;
for (i = 0; i < 8; i++) {
message_dec[j] = message_dec[j] | (message_dec_unpacked[j * 8 + i] << i);
}
}
}

/*-----------------------------------------------------------------------------------
This routine generates a=[Matrix K x K] of 256-coefficient polynomials

static void GenMatrix(polyvec *a, const uint8_t *seed) {
uint8_t buf[SABER_K * SABER_K * 13 * SABER_N / 8];

uint16_t temp_ar[SABER_N];

int i, j, k;
uint16_t mod = (SABER_Q - 1);

shake128(buf, sizeof(buf), seed, SABER_SEEDBYTES);

for (i = 0; i < SABER_K; i++) {
for (j = 0; j < SABER_K; j++) {
PQCLEAN_LIGHTSABER_AVX2_BS2POLq(temp_ar, buf + (i * SABER_K + j) * 13 * SABER_N / 8);
for (k = 0; k < SABER_N; k++) {
a[i].vec[j].coeffs[k] = (temp_ar[k])& mod ;
}
}
}
}

static void GenSecret(uint16_t r[SABER_K][SABER_N], const uint8_t *seed) {

uint32_t i;
randombytes(seed_A, SABER_SEEDBYTES);
shake128(seed_A, SABER_SEEDBYTES, seed_A, SABER_SEEDBYTES); // for not revealing system RNG state

uint8_t buf[SABER_MU * SABER_N * SABER_K / 8];
randombytes(rand, SABER_NOISESEEDBYTES);
PQCLEAN_LIGHTSABER_AVX2_GenSecret(skpv1, rand);
PQCLEAN_LIGHTSABER_AVX2_POLVECq2BS(sk, skpv1); // pack secret key

shake128(buf, sizeof(buf), seed, SABER_NOISESEEDBYTES);

for (i = 0; i < SABER_K; i++) {
PQCLEAN_LIGHTSABER_AVX2_cbd(r[i], buf + i * SABER_MU * SABER_N / 8);
for (j = 0; j < SABER_L; j++) {
PQCLEAN_LIGHTSABER_AVX2_toom4_eval(&skpv1_eval[j], &skpv1[j]);
}
}

//********************************matrix-vector mul routines*****************************************************
static void matrix_vector_mul(__m256i res_avx[NUM_POLY][AVX_N1], __m256i a1_avx_combined[NUM_POLY][NUM_POLY][AVX_N1], __m256i b_bucket[NUM_POLY][SCHB_N * 4], int isTranspose) {
int64_t i, j;

__m256i c_bucket[2 * SCM_SIZE * 4]; //Holds results for 9 Karatsuba at a time

for (i = 0; i < NUM_POLY; i++) {
for (j = 0; j < NUM_POLY; j++) {
PQCLEAN_LIGHTSABER_AVX2_GenMatrix(A, seed_A); // sample matrix A
PQCLEAN_LIGHTSABER_AVX2_MatrixVectorMul(res, (const poly (*)[SABER_L])A, (const toom4_points *)skpv1_eval, 1); // Matrix in transposed order

if (isTranspose == 0) {
toom_cook_4way_avx_n1(a1_avx_combined[i][j], b_bucket[j], c_bucket, j);
} else {
toom_cook_4way_avx_n1(a1_avx_combined[j][i], b_bucket[j], c_bucket, j);
}
// rounding
for (i = 0; i < SABER_L; i++) {
for (j = 0; j < SABER_N; j++) {
res[i].coeffs[j] += h1;
res[i].coeffs[j] >>= SABER_EQ - SABER_EP;
res[i].coeffs[j] &= SABER_Q - 1;
}

TC_interpol(c_bucket, res_avx[i]);
}

}

static void vector_vector_mul(__m256i res_avx[AVX_N1], __m256i a_avx[NUM_POLY][AVX_N1], __m256i b_bucket[NUM_POLY][SCHB_N * 4]) {

int64_t i;

__m256i c_bucket[2 * SCM_SIZE * 4]; //Holds results for 9 Karatsuba at a time

for (i = 0; i < NUM_POLY; i++) {
toom_cook_4way_avx_n1(a_avx[i], b_bucket[i], c_bucket, i);
}
TC_interpol(c_bucket, res_avx);
}

//********************************matrix-vector mul routines*****************************************************

void PQCLEAN_LIGHTSABER_AVX2_indcpa_kem_keypair(uint8_t *pk, uint8_t *sk) {

polyvec a[SABER_K];

uint16_t skpv1[SABER_K][SABER_N];



uint8_t seed[SABER_SEEDBYTES];
uint8_t noiseseed[SABER_COINBYTES];
int32_t i, j, k;


//--------------AVX declaration------------------

__m256i sk_avx[SABER_K][SABER_N / 16];
__m256i mod;
__m256i res_avx[SABER_K][SABER_N / 16];
__m256i a_avx[SABER_K][SABER_K][SABER_N / 16];
//__m256i acc[2*SABER_N/16];

mod = _mm256_set1_epi16(SABER_Q - 1);

__m256i b_bucket[NUM_POLY][SCHB_N * 4];

//--------------AVX declaration ends------------------

randombytes(seed, SABER_SEEDBYTES);

shake128(seed, SABER_SEEDBYTES, seed, SABER_SEEDBYTES); // for not revealing system RNG state
randombytes(noiseseed, SABER_COINBYTES);


GenMatrix(a, seed); //sample matrix A

GenSecret(skpv1, noiseseed);


// Load sk into avx vectors
for (i = 0; i < SABER_K; i++) {
for (j = 0; j < SABER_N / 16; j++) {
sk_avx[i][j] = _mm256_loadu_si256 ((__m256i const *) (&skpv1[i][j * 16]));
}

}

// Load a into avx vectors
for (i = 0; i < SABER_K; i++) {
for (j = 0; j < SABER_K; j++) {
for (k = 0; k < SABER_N / 16; k++) {
a_avx[i][j][k] = _mm256_loadu_si256 ((__m256i const *) (&a[i].vec[j].coeffs[k * 16]));
}
}
}



//------------------------do the matrix vector multiplication and rounding------------

for (j = 0; j < NUM_POLY; j++) {
TC_eval(sk_avx[j], b_bucket[j]);
}
matrix_vector_mul(res_avx, a_avx, b_bucket, 1);// Matrix-vector multiplication; Matrix in transposed order

// Now truncation


for (i = 0; i < SABER_K; i++) { //shift right EQ-EP bits
for (j = 0; j < SABER_N / 16; j++) {
res_avx[i][j] = _mm256_add_epi16 (res_avx[i][j], _mm256_set1_epi16(h1));
res_avx[i][j] = _mm256_srli_epi16 (res_avx[i][j], (SABER_EQ - SABER_EP) );
res_avx[i][j] = _mm256_and_si256 (res_avx[i][j], mod);
}
}

//------------------Pack sk into byte string-------

PQCLEAN_LIGHTSABER_AVX2_POLVEC2BS(sk, (const uint16_t (*)[SABER_N])skpv1, SABER_Q);

//------------------Pack pk into byte string-------

for (i = 0; i < SABER_K; i++) { // reuses skpv1[] for unpacking avx of public-key
for (j = 0; j < SABER_N / 16; j++) {
_mm256_maskstore_epi32 ((int *) (skpv1[i] + j * 16), _mm256_set1_epi32(-1), res_avx[i][j]);
}
}
PQCLEAN_LIGHTSABER_AVX2_POLVEC2BS(pk, (const uint16_t (*)[SABER_N])skpv1, SABER_P); // load the public-key into pk byte string


for (i = 0; i < SABER_SEEDBYTES; i++) { // now load the seedbytes in PK. Easy since seed bytes are kept in byte format.
pk[SABER_POLYVECCOMPRESSEDBYTES + i] = seed[i];
}

PQCLEAN_LIGHTSABER_AVX2_POLVECp2BS(pk, res); // pack public key
}


void PQCLEAN_LIGHTSABER_AVX2_indcpa_kem_enc(uint8_t ciphertext[SABER_BYTES_CCA_DEC], const uint8_t m[SABER_KEYBYTES], const uint8_t noiseseed[SABER_NOISESEEDBYTES], const uint8_t pk[SABER_INDCPA_PUBLICKEYBYTES]) {
size_t i, j;

poly A[SABER_L][SABER_L];
poly res[SABER_L];
toom4_points skpv1_eval[SABER_L];

uint32_t i, j, k;
polyvec a[SABER_K]; // skpv;
uint8_t seed[SABER_SEEDBYTES];
uint16_t pkcl[SABER_K][SABER_N]; //public key of received by the client


uint16_t skpv1[SABER_K][SABER_N];
uint16_t temp[SABER_K][SABER_N];
uint16_t message[SABER_KEYBYTES * 8];

uint8_t msk_c[SABER_SCALEBYTES_KEM];

//--------------AVX declaration------------------

__m256i sk_avx[SABER_K][SABER_N / 16];
__m256i mod, mod_p;
__m256i res_avx[SABER_K][SABER_N / 16];
__m256i vprime_avx[SABER_N / 16];
__m256i a_avx[SABER_K][SABER_K][SABER_N / 16];
//__m256i acc[2*SABER_N/16];

__m256i pkcl_avx[SABER_K][SABER_N / 16];

__m256i message_avx[SABER_N / 16];

mod = _mm256_set1_epi16(SABER_Q - 1);
mod_p = _mm256_set1_epi16(SABER_P - 1);
poly *temp = A[0]; // re-use stack space
poly *vprime = &A[0][0];
poly *message = &A[0][1];

const uint8_t *seed_A = pk + SABER_POLYVECCOMPRESSEDBYTES;
uint8_t *msk_c = ciphertext + SABER_POLYVECCOMPRESSEDBYTES;


__m256i b_bucket[NUM_POLY][SCHB_N * 4];

//--------------AVX declaration ends------------------
for (i = 0; i < SABER_SEEDBYTES; i++) { // Load the seedbytes in the client seed from PK.
seed[i] = pk[ SABER_POLYVECCOMPRESSEDBYTES + i];
PQCLEAN_LIGHTSABER_AVX2_GenSecret(temp, noiseseed);
for (j = 0; j < SABER_L; j++) {
PQCLEAN_LIGHTSABER_AVX2_toom4_eval(&skpv1_eval[j], &temp[j]);
}

GenMatrix(a, seed);
GenSecret(skpv1, noiseseed);

// ----------- Load skpv1 into avx vectors ----------
for (i = 0; i < SABER_K; i++) {
for (j = 0; j < SABER_N / 16; j++) {
sk_avx[i][j] = _mm256_loadu_si256 ((__m256i const *) (&skpv1[i][j * 16]));
}
}
PQCLEAN_LIGHTSABER_AVX2_GenMatrix(A, seed_A);
PQCLEAN_LIGHTSABER_AVX2_MatrixVectorMul(res, (const poly (*)[SABER_L])A, (const toom4_points *)skpv1_eval, 0); // 0 => not transposed

// ----------- Load skpv1 into avx vectors ----------
for (i = 0; i < SABER_K; i++) {
for (j = 0; j < SABER_K; j++) {
for (k = 0; k < SABER_N / 16; k++) {
a_avx[i][j][k] = _mm256_loadu_si256 ((__m256i const *) (&a[i].vec[j].coeffs[k * 16]));
}
// rounding
for (i = 0; i < SABER_L; i++) { //shift right EQ-EP bits
for (j = 0; j < SABER_N; j++) {
res[i].coeffs[j] += h1;
res[i].coeffs[j] >>= SABER_EQ - SABER_EP;
res[i].coeffs[j] &= SABER_Q - 1;
}
}
//-----------------matrix-vector multiplication and rounding

for (j = 0; j < NUM_POLY; j++) {
TC_eval(sk_avx[j], b_bucket[j]);
}
matrix_vector_mul(res_avx, a_avx, b_bucket, 0);// Matrix-vector multiplication; Matrix in normal order

// Now truncation

for (i = 0; i < SABER_K; i++) { //shift right EQ-EP bits
for (j = 0; j < SABER_N / 16; j++) {
res_avx[i][j] = _mm256_add_epi16 (res_avx[i][j], _mm256_set1_epi16(h1));
res_avx[i][j] = _mm256_srli_epi16 (res_avx[i][j], (SABER_EQ - SABER_EP) );
res_avx[i][j] = _mm256_and_si256 (res_avx[i][j], mod);

}
}


//-----this result should be put in b_prime for later use in server.
for (i = 0; i < SABER_K; i++) { // first store in 16 bit arrays
for (j = 0; j < SABER_N / 16; j++) {
_mm256_maskstore_epi32 ((int *)(temp[i] + j * 16), _mm256_set1_epi32(-1), res_avx[i][j]);
}
}

PQCLEAN_LIGHTSABER_AVX2_POLVEC2BS(ciphertext, (const uint16_t (*)[SABER_N])temp, SABER_P); // Pack b_prime into ciphertext byte string

//**************client matrix-vector multiplication ends******************//

//------now calculate the v'

//-------unpack the public_key
PQCLEAN_LIGHTSABER_AVX2_BS2POLVEC(pkcl, pk, SABER_P);

for (i = 0; i < SABER_K; i++) {
for (j = 0; j < SABER_N / 16; j++) {
pkcl_avx[i][j] = _mm256_loadu_si256 ((__m256i const *) (&pkcl[i][j * 16]));
}
}

// InnerProduct
//for(k=0;k<SABER_N/16;k++){
// vprime_avx[k]=_mm256_xor_si256(vprime_avx[k],vprime_avx[k]);
//}
PQCLEAN_LIGHTSABER_AVX2_POLVECp2BS(ciphertext, res);

// vector-vector scalar multiplication with mod p
PQCLEAN_LIGHTSABER_AVX2_BS2POLVECp(temp, pk);
PQCLEAN_LIGHTSABER_AVX2_InnerProd(vprime, temp, skpv1_eval);
PQCLEAN_LIGHTSABER_AVX2_BS2POLmsg(message, m);

vector_vector_mul(vprime_avx, pkcl_avx, b_bucket);

// Computation of v'+h1
for (i = 0; i < SABER_N / 16; i++) { //adding h1
vprime_avx[i] = _mm256_add_epi16(vprime_avx[i], _mm256_set1_epi16(h1));
}

// unpack m;
for (j = 0; j < SABER_KEYBYTES; j++) {
for (i = 0; i < 8; i++) {
message[8 * j + i] = ((m[j] >> i) & 0x01);
}
}
// message encoding
for (i = 0; i < SABER_N / 16; i++) {
message_avx[i] = _mm256_loadu_si256 ((__m256i const *) (&message[i * 16]));
message_avx[i] = _mm256_slli_epi16 (message_avx[i], (SABER_EP - 1) );
}

// SHIFTRIGHT(v'+h1-m mod p, EP-ET)
for (k = 0; k < SABER_N / 16; k++) {
vprime_avx[k] = _mm256_sub_epi16(vprime_avx[k], message_avx[k]);
vprime_avx[k] = _mm256_and_si256(vprime_avx[k], mod_p);
vprime_avx[k] = _mm256_srli_epi16 (vprime_avx[k], (SABER_EP - SABER_ET) );
}

// Unpack avx
for (j = 0; j < SABER_N / 16; j++) {
_mm256_maskstore_epi32 ((int *) (temp[0] + j * 16), _mm256_set1_epi32(-1), vprime_avx[j]);
}

PQCLEAN_LIGHTSABER_AVX2_SABER_pack_3bit(msk_c, temp[0]);


for (j = 0; j < SABER_SCALEBYTES_KEM; j++) {
ciphertext[SABER_CIPHERTEXTBYTES + j] = msk_c[j];
for (i = 0; i < SABER_N; i++) {
vprime->coeffs[i] += h1 - (message->coeffs[i] << (SABER_EP - 1));
vprime->coeffs[i] &= SABER_P - 1;
vprime->coeffs[i] >>= SABER_EP - SABER_ET;
}

PQCLEAN_LIGHTSABER_AVX2_POLT2BS(msk_c, vprime);
}


void PQCLEAN_LIGHTSABER_AVX2_indcpa_kem_dec(uint8_t m[SABER_KEYBYTES], const uint8_t sk[SABER_INDCPA_SECRETKEYBYTES], const uint8_t ciphertext[SABER_BYTES_CCA_DEC]) {
size_t i;

uint32_t i, j;
uint16_t sksv[SABER_K][SABER_N]; //secret key of the server
uint16_t pksv[SABER_K][SABER_N];
uint16_t message_dec_unpacked[SABER_KEYBYTES * 8]; // one element containes on decrypted bit;
uint8_t scale_ar[SABER_SCALEBYTES_KEM];
uint16_t op[SABER_N];

//--------------AVX declaration------------------


//__m256i mod_p;

__m256i v_avx[SABER_N / 16];

//__m256i acc[2*SABER_N/16];

__m256i sksv_avx[SABER_K][SABER_N / 16];
__m256i pksv_avx[SABER_K][SABER_N / 16];
poly temp[SABER_L];
toom4_points sksv_eval[SABER_L];

//mod_p=_mm256_set1_epi16(SABER_P-1);
const uint8_t *packed_cm = ciphertext + SABER_POLYVECCOMPRESSEDBYTES;
poly *v = &temp[0];
poly *cm = &temp[1];

__m256i b_bucket[NUM_POLY][SCHB_N * 4];
//--------------AVX declaration ends------------------

//-------unpack the public_key

PQCLEAN_LIGHTSABER_AVX2_BS2POLVEC(sksv, sk, SABER_Q); //sksv is the secret-key
PQCLEAN_LIGHTSABER_AVX2_BS2POLVEC(pksv, ciphertext, SABER_P); //pksv is the ciphertext

for (i = 0; i < SABER_K; i++) {
for (j = 0; j < SABER_N / 16; j++) {
sksv_avx[i][j] = _mm256_loadu_si256 ((__m256i const *) (&sksv[i][j * 16]));
pksv_avx[i][j] = _mm256_loadu_si256 ((__m256i const *) (&pksv[i][j * 16]));
}
PQCLEAN_LIGHTSABER_AVX2_BS2POLVECq(temp, sk);
for (i = 0; i < SABER_L; i++) {
PQCLEAN_LIGHTSABER_AVX2_toom4_eval(&sksv_eval[i], &temp[i]);
}

for (i = 0; i < SABER_N / 16; i++) {
v_avx[i] = _mm256_xor_si256(v_avx[i], v_avx[i]);
}


// InnerProduct(b', s, mod p)

for (j = 0; j < NUM_POLY; j++) {
TC_eval(sksv_avx[j], b_bucket[j]);
}
PQCLEAN_LIGHTSABER_AVX2_BS2POLVECp(temp, ciphertext);
PQCLEAN_LIGHTSABER_AVX2_InnerProd(v, temp, sksv_eval);

vector_vector_mul(v_avx, pksv_avx, b_bucket);
PQCLEAN_LIGHTSABER_AVX2_BS2POLT(cm, packed_cm);

for (i = 0; i < SABER_N / 16; i++) {
_mm256_maskstore_epi32 ((int *)(message_dec_unpacked + i * 16), _mm256_set1_epi32(-1), v_avx[i]);
}


for (i = 0; i < SABER_SCALEBYTES_KEM; i++) {
scale_ar[i] = ciphertext[SABER_CIPHERTEXTBYTES + i];
}

PQCLEAN_LIGHTSABER_AVX2_SABER_un_pack3bit(op, scale_ar);


//addition of h2
for (i = 0; i < SABER_N; i++) {
message_dec_unpacked[i] = ( ( message_dec_unpacked[i] + h2 - (op[i] << (SABER_EP - SABER_ET)) ) & (SABER_P - 1) ) >> (SABER_EP - 1);
v->coeffs[i] += h2 - (cm->coeffs[i] << (SABER_EP - SABER_ET));
v->coeffs[i] &= SABER_P - 1;
v->coeffs[i] >>= SABER_EP - 1;
}


POL2MSG(m, message_dec_unpacked);
PQCLEAN_LIGHTSABER_AVX2_POLmsg2BS(m, v);
}

+ 18
- 23
crypto_kem/lightsaber/avx2/SABER_params.h View File

@@ -1,46 +1,41 @@
#ifndef PARAMS_H
#define PARAMS_H
#include "api.h"




#define SABER_K 2
/* Don't change anything below this line */
#define SABER_L 2
#define SABER_MU 10
#define SABER_ET 3


#define SABER_EQ 13
#define SABER_EP 10

#define SABER_N 256
#define SABER_Q 8192 //2^13
#define SABER_P 1024

#define SABER_SEEDBYTES 32
#define SABER_NOISESEEDBYTES 32
#define SABER_COINBYTES 32
#define SABER_KEYBYTES 32
#define SABER_EP 10
#define SABER_P (1 << SABER_EP)

#define SABER_HASHBYTES 32
#define SABER_EQ 13
#define SABER_Q (1 << SABER_EQ)

#define SABER_POLYBYTES 416 //13*256/8
#define SABER_SEEDBYTES 32
#define SABER_NOISESEEDBYTES 32
#define SABER_KEYBYTES 32
#define SABER_HASHBYTES 32

#define SABER_POLYVECBYTES (SABER_K * SABER_POLYBYTES)
#define SABER_POLYCOINBYTES (SABER_MU * SABER_N / 8)

#define SABER_POLYVECCOMPRESSEDBYTES (SABER_K * 320) //10*256/8 NOTE : changed till here due to parameter adaptation
#define SABER_POLYBYTES (SABER_EQ * SABER_N / 8)
#define SABER_POLYVECBYTES (SABER_L * SABER_POLYBYTES)

#define SABER_CIPHERTEXTBYTES (SABER_POLYVECCOMPRESSEDBYTES)
#define SABER_POLYCOMPRESSEDBYTES (SABER_EP * SABER_N / 8)
#define SABER_POLYVECCOMPRESSEDBYTES (SABER_L * SABER_POLYCOMPRESSEDBYTES)

#define SABER_SCALEBYTES_KEM ((SABER_ET)*SABER_N/8)
#define SABER_SCALEBYTES_KEM (SABER_ET * SABER_N / 8)

#define SABER_INDCPA_PUBLICKEYBYTES (SABER_POLYVECCOMPRESSEDBYTES + SABER_SEEDBYTES)
#define SABER_INDCPA_SECRETKEYBYTES (SABER_POLYVECBYTES)

#define SABER_PUBLICKEYBYTES (SABER_INDCPA_PUBLICKEYBYTES)
#define SABER_SECRETKEYBYTES (SABER_INDCPA_SECRETKEYBYTES + SABER_INDCPA_PUBLICKEYBYTES + SABER_HASHBYTES + SABER_KEYBYTES)

#define SABER_SECRETKEYBYTES (SABER_INDCPA_SECRETKEYBYTES + SABER_INDCPA_PUBLICKEYBYTES + SABER_HASHBYTES + SABER_KEYBYTES)

#define SABER_BYTES_CCA_DEC (SABER_POLYVECCOMPRESSEDBYTES + SABER_SCALEBYTES_KEM) /* Second part is for Targhi-Unruh */
#define SABER_BYTES_CCA_DEC (SABER_POLYVECCOMPRESSEDBYTES + SABER_SCALEBYTES_KEM)

#endif

+ 8
- 11
crypto_kem/lightsaber/avx2/cbd.c View File

@@ -11,7 +11,7 @@ Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle
----------------------------------------------------------------------*/


static uint64_t load_littleendian(const unsigned char *x, int bytes) {
static uint64_t load_littleendian(const uint8_t *x, int bytes) {
int i;
uint64_t r = x[0];
for (i = 1; i < bytes; i++) {
@@ -20,10 +20,7 @@ static uint64_t load_littleendian(const unsigned char *x, int bytes) {
return r;
}


void PQCLEAN_LIGHTSABER_AVX2_cbd(uint16_t *r, const unsigned char *buf) {
uint16_t Qmod_minus1 = SABER_Q - 1;

void PQCLEAN_LIGHTSABER_AVX2_cbd(uint16_t s[SABER_N], const uint8_t buf[SABER_POLYCOINBYTES]) {
uint64_t t, d, a[4], b[4];
int i, j;

@@ -34,8 +31,8 @@ void PQCLEAN_LIGHTSABER_AVX2_cbd(uint16_t *r, const unsigned char *buf) {
d += (t >> j) & 0x0842108421UL;
}

a[0] = d & 0x1f;
b[0] = (d >> 5) & 0x1f;
a[0] = d & 0x1f;
b[0] = (d >> 5) & 0x1f;
a[1] = (d >> 10) & 0x1f;
b[1] = (d >> 15) & 0x1f;
a[2] = (d >> 20) & 0x1f;
@@ -43,9 +40,9 @@ void PQCLEAN_LIGHTSABER_AVX2_cbd(uint16_t *r, const unsigned char *buf) {
a[3] = (d >> 30) & 0x1f;
b[3] = (d >> 35);

r[4 * i + 0] = (uint16_t)(a[0] - b[0]) & Qmod_minus1;
r[4 * i + 1] = (uint16_t)(a[1] - b[1]) & Qmod_minus1;
r[4 * i + 2] = (uint16_t)(a[2] - b[2]) & Qmod_minus1;
r[4 * i + 3] = (uint16_t)(a[3] - b[3]) & Qmod_minus1;
s[4 * i + 0] = (uint16_t)(a[0] - b[0]);
s[4 * i + 1] = (uint16_t)(a[1] - b[1]);
s[4 * i + 2] = (uint16_t)(a[2] - b[2]);
s[4 * i + 3] = (uint16_t)(a[3] - b[3]);
}
}

+ 2
- 2
crypto_kem/lightsaber/avx2/cbd.h View File

@@ -7,10 +7,10 @@ of "CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM"
by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint,
Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle
----------------------------------------------------------------------*/
#include "poly.h"
#include "SABER_params.h"
#include <stdint.h>

void PQCLEAN_LIGHTSABER_AVX2_cbd(uint16_t *r, const unsigned char *buf);
void PQCLEAN_LIGHTSABER_AVX2_cbd(uint16_t s[SABER_N], const uint8_t buf[SABER_POLYCOINBYTES]);


#endif

+ 5
- 7
crypto_kem/lightsaber/avx2/kem.c View File

@@ -4,14 +4,12 @@
#include "fips202.h"
#include "randombytes.h"
#include "verify.h"
#include <immintrin.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>


int PQCLEAN_LIGHTSABER_AVX2_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) {
int i;
size_t i;

PQCLEAN_LIGHTSABER_AVX2_indcpa_kem_keypair(pk, sk); // sk[0:SABER_INDCPA_SECRETKEYBYTES-1] <-- sk
for (i = 0; i < SABER_INDCPA_PUBLICKEYBYTES; i++) {
@@ -39,7 +37,7 @@ int PQCLEAN_LIGHTSABER_AVX2_crypto_kem_enc(uint8_t *c, uint8_t *k, const uint8_t
sha3_512(kr, buf, 64); // kr[0:63] <-- Hash(buf[0:63]);
// K^ <-- kr[0:31]
// noiseseed (r) <-- kr[32:63];
PQCLEAN_LIGHTSABER_AVX2_indcpa_kem_enc(c, buf, (const uint8_t *) (kr + 32), pk); // buf[0:31] contains message; kr[32:63] contains randomness r;
PQCLEAN_LIGHTSABER_AVX2_indcpa_kem_enc(c, buf, kr + 32, pk); // buf[0:31] contains message; kr[32:63] contains randomness r;

sha3_256(kr + 32, c, SABER_BYTES_CCA_DEC);

@@ -49,7 +47,7 @@ int PQCLEAN_LIGHTSABER_AVX2_crypto_kem_enc(uint8_t *c, uint8_t *k, const uint8_t
}

int PQCLEAN_LIGHTSABER_AVX2_crypto_kem_dec(uint8_t *k, const uint8_t *c, const uint8_t *sk) {
int i;
size_t i;
uint8_t fail;
uint8_t cmp[SABER_BYTES_CCA_DEC];
uint8_t buf[64];
@@ -65,7 +63,7 @@ int PQCLEAN_LIGHTSABER_AVX2_crypto_kem_dec(uint8_t *k, const uint8_t *c, const u

sha3_512(kr, buf, 64);

PQCLEAN_LIGHTSABER_AVX2_indcpa_kem_enc(cmp, buf, (const uint8_t *) (kr + 32), pk);
PQCLEAN_LIGHTSABER_AVX2_indcpa_kem_enc(cmp, buf, kr + 32, pk);

fail = PQCLEAN_LIGHTSABER_AVX2_verify(c, cmp, SABER_BYTES_CCA_DEC);



+ 0
- 32
crypto_kem/lightsaber/avx2/kem.h View File

@@ -1,35 +1,3 @@
#ifndef INDCPA_H
#define INDCPA_H

#include <stdint.h>

void PQCLEAN_LIGHTSABER_AVX2_indcpa_keypair(uint8_t *pk, uint8_t *sk);


void PQCLEAN_LIGHTSABER_AVX2_indcpa_client(uint8_t *pk, uint8_t *b_prime, uint8_t *c, uint8_t *key);


void PQCLEAN_LIGHTSABER_AVX2_indcpa_server(uint8_t *pk, uint8_t *b_prime, uint8_t *c, uint8_t *key);


void PQCLEAN_LIGHTSABER_AVX2_indcpa_kem_keypair(uint8_t *pk, uint8_t *sk);

void PQCLEAN_LIGHTSABER_AVX2_indcpa_kem_enc(uint8_t *message, uint8_t *noiseseed, uint8_t *pk, uint8_t *ciphertext);

void PQCLEAN_LIGHTSABER_AVX2_indcpa_kem_dec(uint8_t *sk, uint8_t *ciphertext, uint8_t message_dec[]);


int PQCLEAN_LIGHTSABER_AVX2_crypto_kem_keypair(unsigned char *pk, unsigned char *sk);

int PQCLEAN_LIGHTSABER_AVX2_crypto_kem_enc(unsigned char *c, unsigned char *k, const unsigned char *pk);

int PQCLEAN_LIGHTSABER_AVX2_crypto_kem_dec(unsigned char *k, const unsigned char *c, const unsigned char *sk);



//uint64_t clock1,clock2;

//uint64_t clock_kp_kex, clock_enc_kex, clock_dec_kex;


#endif

+ 118
- 467
crypto_kem/lightsaber/avx2/pack_unpack.c View File

@@ -1,502 +1,153 @@
#include "SABER_params.h"
#include "pack_unpack.h"
#include "poly.h"
#include <string.h>


void PQCLEAN_LIGHTSABER_AVX2_SABER_pack_3bit(uint8_t *bytes, const uint16_t *data) {

uint32_t j;
uint32_t offset_data = 0, offset_byte = 0;

void PQCLEAN_LIGHTSABER_AVX2_POLT2BS(uint8_t bytes[SABER_SCALEBYTES_KEM], const poly *data) {
size_t j;
const uint16_t *in = data->coeffs;
uint8_t *out = bytes;
for (j = 0; j < SABER_N / 8; j++) {
offset_byte = 3 * j;
offset_data = 8 * j;
bytes[offset_byte + 0] = (data[offset_data + 0] & 0x7) | ( (data[offset_data + 1] & 0x7) << 3 ) | ((data[offset_data + 2] & 0x3) << 6);
bytes[offset_byte + 1] = ((data[offset_data + 2] >> 2 ) & 0x01) | ( (data[offset_data + 3] & 0x7) << 1 ) | ( (data[offset_data + 4] & 0x7) << 4 ) | (((data[offset_data + 5]) & 0x01) << 7);
bytes[offset_byte + 2] = ((data[offset_data + 5] >> 1 ) & 0x03) | ( (data[offset_data + 6] & 0x7) << 2 ) | ( (data[offset_data + 7] & 0x7) << 5 );
out[0] = (in[0] & 0x7) | ((in[1] & 0x7) << 3) | ((in[2] & 0x3) << 6);
out[1] = ((in[2] >> 2) & 0x01) | ((in[3] & 0x7) << 1) | ((in[4] & 0x7) << 4) | (((in[5]) & 0x01) << 7);
out[2] = ((in[5] >> 1) & 0x03) | ((in[6] & 0x7) << 2) | ((in[7] & 0x7) << 5);
in += 8;
out += 3;
}
}

void PQCLEAN_LIGHTSABER_AVX2_SABER_un_pack3bit(uint16_t *data, const uint8_t *bytes) {

uint32_t j;
uint32_t offset_data = 0, offset_byte = 0;

void PQCLEAN_LIGHTSABER_AVX2_BS2POLT(poly *data, const uint8_t bytes[SABER_SCALEBYTES_KEM]) {
size_t j;
const uint8_t *in = bytes;
uint16_t *out = data->coeffs;
for (j = 0; j < SABER_N / 8; j++) {
offset_byte = 3 * j;
offset_data = 8 * j;
data[offset_data + 0] = (bytes[offset_byte + 0]) & 0x07;
data[offset_data + 1] = ( (bytes[offset_byte + 0]) >> 3 ) & 0x07;
data[offset_data + 2] = ( ( (bytes[offset_byte + 0]) >> 6 ) & 0x03) | ( ( (bytes[offset_byte + 1]) & 0x01) << 2 );
data[offset_data + 3] = ( (bytes[offset_byte + 1]) >> 1 ) & 0x07;
data[offset_data + 4] = ( (bytes[offset_byte + 1]) >> 4 ) & 0x07;
data[offset_data + 5] = ( ( (bytes[offset_byte + 1]) >> 7 ) & 0x01) | ( ( (bytes[offset_byte + 2]) & 0x03) << 1 );
data[offset_data + 6] = ( (bytes[offset_byte + 2] >> 2) & 0x07 );
data[offset_data + 7] = ( (bytes[offset_byte + 2] >> 5) & 0x07 );
}

}

void PQCLEAN_LIGHTSABER_AVX2_SABER_pack_4bit(uint8_t *bytes, const uint16_t *data) {

uint32_t j;
uint32_t offset_data = 0;

for (j = 0; j < SABER_N / 2; j++) {
offset_data = 2 * j;
bytes[j] = (data[offset_data] & 0x0f) | ( (data[offset_data + 1] & 0x0f) << 4 );
}
}

void PQCLEAN_LIGHTSABER_AVX2_SABER_un_pack4bit(uint16_t *data, const uint8_t *bytes) {

uint32_t j;
uint32_t offset_data = 0;

for (j = 0; j < SABER_N / 2; j++) {
offset_data = 2 * j;
data[offset_data] = bytes[j] & 0x0f;
data[offset_data + 1] = (bytes[j] >> 4) & 0x0f;
}
}

void PQCLEAN_LIGHTSABER_AVX2_SABER_pack_6bit(uint8_t *bytes, const uint16_t *data) {

uint32_t j;
uint32_t offset_data = 0, offset_byte = 0;

out[0] = (in[0]) & 0x07;
out[1] = ((in[0]) >> 3) & 0x07;
out[2] = (((in[0]) >> 6) & 0x03) | (((in[1]) & 0x01) << 2);
out[3] = ((in[1]) >> 1) & 0x07;
out[4] = ((in[1]) >> 4) & 0x07;
out[5] = (((in[1]) >> 7) & 0x01) | (((in[2]) & 0x03) << 1);
out[6] = ((in[2] >> 2) & 0x07);
out[7] = ((in[2] >> 5) & 0x07);
in += 3;
out += 8;
}
}

static void POLq2BS(uint8_t bytes[SABER_POLYBYTES], const poly *data) {
size_t j;
const uint16_t *in = data->coeffs;
uint8_t *out = bytes;
for (j = 0; j < SABER_N / 8; j++) {
out[0] = (in[0] & (0xff));
out[1] = ((in[0] >> 8) & 0x1f) | ((in[1] & 0x07) << 5);
out[2] = ((in[1] >> 3) & 0xff);
out[3] = ((in[1] >> 11) & 0x03) | ((in[2] & 0x3f) << 2);
out[4] = ((in[2] >> 6) & 0x7f) | ((in[3] & 0x01) << 7);
out[5] = ((in[3] >> 1) & 0xff);
out[6] = ((in[3] >> 9) & 0x0f) | ((in[4] & 0x0f) << 4);
out[7] = ((in[4] >> 4) & 0xff);
out[8] = ((in[4] >> 12) & 0x01) | ((in[5] & 0x7f) << 1);
out[9] = ((in[5] >> 7) & 0x3f) | ((in[6] & 0x03) << 6);
out[10] = ((in[6] >> 2) & 0xff);
out[11] = ((in[6] >> 10) & 0x07) | ((in[7] & 0x1f) << 3);
out[12] = ((in[7] >> 5) & 0xff);
in += 8;
out += 13;
}
}

static void BS2POLq(poly *data, const uint8_t bytes[SABER_POLYBYTES]) {
size_t j;
const uint8_t *in = bytes;
uint16_t *out = data->coeffs;
for (j = 0; j < SABER_N / 8; j++) {
out[0] = (in[0] & (0xff)) | ((in[1] & 0x1f) << 8);
out[1] = (in[1] >> 5 & (0x07)) | ((in[2] & 0xff) << 3) | ((in[3] & 0x03) << 11);
out[2] = (in[3] >> 2 & (0x3f)) | ((in[4] & 0x7f) << 6);
out[3] = (in[4] >> 7 & (0x01)) | ((in[5] & 0xff) << 1) | ((in[6] & 0x0f) << 9);
out[4] = (in[6] >> 4 & (0x0f)) | ((in[7] & 0xff) << 4) | ((in[8] & 0x01) << 12);
out[5] = (in[8] >> 1 & (0x7f)) | ((in[9] & 0x3f) << 7);
out[6] = (in[9] >> 6 & (0x03)) | ((in[10] & 0xff) << 2) | ((in[11] & 0x07) << 10);
out[7] = (in[11] >> 3 & (0x1f)) | ((in[12] & 0xff) << 5);
in += 13;
out += 8;
}
}

static void POLp2BS(uint8_t bytes[SABER_POLYCOMPRESSEDBYTES], const poly *data) {
size_t j;
const uint16_t *in = data->coeffs;
uint8_t *out = bytes;
for (j = 0; j < SABER_N / 4; j++) {
offset_byte = 3 * j;
offset_data = 4 * j;
bytes[offset_byte + 0] = (data[offset_data + 0] & 0x3f) | ((data[offset_data + 1] & 0x03) << 6);
bytes[offset_byte + 1] = ((data[offset_data + 1] >> 2) & 0x0f) | ((data[offset_data + 2] & 0x0f) << 4);
bytes[offset_byte + 2] = ((data[offset_data + 2] >> 4) & 0x03) | ((data[offset_data + 3] & 0x3f) << 2);
out[0] = (in[0] & (0xff));
out[1] = ((in[0] >> 8) & 0x03) | ((in[1] & 0x3f) << 2);
out[2] = ((in[1] >> 6) & 0x0f) | ((in[2] & 0x0f) << 4);
out[3] = ((in[2] >> 4) & 0x3f) | ((in[3] & 0x03) << 6);
out[4] = ((in[3] >> 2) & 0xff);
in += 4;
out += 5;
}
}


void PQCLEAN_LIGHTSABER_AVX2_SABER_un_pack6bit(uint16_t *data, const uint8_t *bytes) {

uint32_t j;
uint32_t offset_data = 0, offset_byte = 0;

static void BS2POLp(poly *data, const uint8_t bytes[SABER_POLYCOMPRESSEDBYTES]) {
size_t j;
const uint8_t *in = bytes;
uint16_t *out = data->coeffs;
for (j = 0; j < SABER_N / 4; j++) {
offset_byte = 3 * j;
offset_data = 4 * j;
data[offset_data + 0] = bytes[offset_byte + 0] & 0x3f;
data[offset_data + 1] = ((bytes[offset_byte + 0] >> 6) & 0x03) | ((bytes[offset_byte + 1] & 0x0f) << 2) ;
data[offset_data + 2] = ((bytes[offset_byte + 1] & 0xff) >> 4) | ((bytes[offset_byte + 2] & 0x03) << 4) ;
data[offset_data + 3] = ((bytes[offset_byte + 2] & 0xff) >> 2);
out[0] = (in[0] & (0xff)) | ((in[1] & 0x03) << 8);
out[1] = ((in[1] >> 2) & (0x3f)) | ((in[2] & 0x0f) << 6);
out[2] = ((in[2] >> 4) & (0x0f)) | ((in[3] & 0x3f) << 4);
out[3] = ((in[3] >> 6) & (0x03)) | ((in[4] & 0xff) << 2);
in += 5;
out += 4;
}

}

void PQCLEAN_LIGHTSABER_AVX2_SABER_pack10bit(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N]) {

uint32_t i, j;
uint32_t offset_data = 0, offset_byte = 0, offset_byte1 = 0;

for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 10) / 8;
for (j = 0; j < SABER_N / 4; j++) {
offset_byte = offset_byte1 + 5 * j;
offset_data = 4 * j;
bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff));

bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x03 ) | ((data[i][ offset_data + 1 ] & 0x3f) << 2);

bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 6) & 0x0f ) | ( (data[i][ offset_data + 2 ] & 0x0f) << 4);

bytes[offset_byte + 3] = ( (data[i][ offset_data + 2 ] >> 4) & 0x3f ) | ((data[i][ offset_data + 3 ] & 0x03) << 6);

bytes[offset_byte + 4] = ( (data[i][ offset_data + 3 ] >> 2) & 0xff );
}
void PQCLEAN_LIGHTSABER_AVX2_POLVECq2BS(uint8_t bytes[SABER_POLYVECBYTES], const poly data[SABER_L]) {
size_t i;
for (i = 0; i < SABER_L; i++) {
POLq2BS(bytes + i * SABER_POLYBYTES, &data[i]);
}
}

void PQCLEAN_LIGHTSABER_AVX2_POLVECp2BS(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N]) {

uint32_t i, j;
uint32_t offset_data = 0, offset_byte = 0, offset_byte1 = 0;

for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 10) / 8;
for (j = 0; j < SABER_N / 4; j++) {
offset_byte = offset_byte1 + 5 * j;
offset_data = 4 * j;
bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff));

bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x03 ) | ((data[i][ offset_data + 1 ] & 0x3f) << 2);

bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 6) & 0x0f ) | ( (data[i][ offset_data + 2 ] & 0x0f) << 4);

bytes[offset_byte + 3] = ( (data[i][ offset_data + 2 ] >> 4) & 0x3f ) | ((data[i][ offset_data + 3 ] & 0x03) << 6);

bytes[offset_byte + 4] = ( (data[i][ offset_data + 3 ] >> 2) & 0xff );
}
void PQCLEAN_LIGHTSABER_AVX2_BS2POLVECq(poly data[SABER_L], const uint8_t bytes[SABER_POLYVECBYTES]) {
size_t i;
for (i = 0; i < SABER_L; i++) {
BS2POLq(&data[i], bytes + i * SABER_POLYBYTES);
}
}

void PQCLEAN_LIGHTSABER_AVX2_POLVECq2BS(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N]) {

uint32_t i, j;
uint32_t offset_data = 0, offset_byte = 0, offset_byte1 = 0;

for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 13) / 8;
for (j = 0; j < SABER_N / 8; j++) {
offset_byte = offset_byte1 + 13 * j;
offset_data = 8 * j;
bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff));

bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x1f ) | ((data[i][ offset_data + 1 ] & 0x07) << 5);

bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 3) & 0xff );

bytes[offset_byte + 3] = ( (data[i][ offset_data + 1 ] >> 11) & 0x03 ) | ((data[i][ offset_data + 2 ] & 0x3f) << 2);

bytes[offset_byte + 4] = ( (data[i][ offset_data + 2 ] >> 6) & 0x7f ) | ( (data[i][ offset_data + 3 ] & 0x01) << 7 );

bytes[offset_byte + 5] = ( (data[i][ offset_data + 3 ] >> 1) & 0xff );

bytes[offset_byte + 6] = ( (data[i][ offset_data + 3 ] >> 9) & 0x0f ) | ( (data[i][ offset_data + 4 ] & 0x0f) << 4 );

bytes[offset_byte + 7] = ( (data[i][ offset_data + 4] >> 4) & 0xff );

bytes[offset_byte + 8] = ( (data[i][ offset_data + 4 ] >> 12) & 0x01 ) | ( (data[i][ offset_data + 5 ] & 0x7f) << 1 );

bytes[offset_byte + 9] = ( (data[i][ offset_data + 5 ] >> 7) & 0x3f ) | ( (data[i][ offset_data + 6 ] & 0x03) << 6 );

bytes[offset_byte + 10] = ( (data[i][ offset_data + 6 ] >> 2) & 0xff );

bytes[offset_byte + 11] = ( (data[i][ offset_data + 6 ] >> 10) & 0x07 ) | ( (data[i][ offset_data + 7 ] & 0x1f) << 3 );

bytes[offset_byte + 12] = ( (data[i][ offset_data + 7 ] >> 5) & 0xff );

}
void PQCLEAN_LIGHTSABER_AVX2_POLVECp2BS(uint8_t bytes[SABER_POLYVECCOMPRESSEDBYTES], const poly data[SABER_L]) {
size_t i;
for (i = 0; i < SABER_L; i++) {
POLp2BS(bytes + i * SABER_POLYCOMPRESSEDBYTES, &data[i]);
}


}

void PQCLEAN_LIGHTSABER_AVX2_BS2POLq(uint16_t data[SABER_N], const uint8_t *bytes) {

uint32_t j;
uint32_t offset_data = 0, offset_byte = 0;

for (j = 0; j < SABER_N / 8; j++) {
offset_byte = 13 * j;
offset_data = 8 * j;
data[offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[offset_byte + 1] & 0x1f) << 8);
data[offset_data + 1] = ( bytes[ offset_byte + 1 ] >> 5 & (0x07)) | ((bytes[offset_byte + 2] & 0xff) << 3) | ((bytes[offset_byte + 3] & 0x03) << 11);
data[offset_data + 2] = ( bytes[ offset_byte + 3 ] >> 2 & (0x3f)) | ((bytes[offset_byte + 4] & 0x7f) << 6);
data[offset_data + 3] = ( bytes[ offset_byte + 4 ] >> 7 & (0x01)) | ((bytes[offset_byte + 5] & 0xff) << 1) | ((bytes[offset_byte + 6] & 0x0f) << 9);
data[offset_data + 4] = ( bytes[ offset_byte + 6 ] >> 4 & (0x0f)) | ((bytes[offset_byte + 7] & 0xff) << 4) | ((bytes[offset_byte + 8] & 0x01) << 12);
data[offset_data + 5] = ( bytes[ offset_byte + 8] >> 1 & (0x7f)) | ((bytes[offset_byte + 9] & 0x3f) << 7);
data[offset_data + 6] = ( bytes[ offset_byte + 9] >> 6 & (0x03)) | ((bytes[offset_byte + 10] & 0xff) << 2) | ((bytes[offset_byte + 11] & 0x07) << 10);
data[offset_data + 7] = ( bytes[ offset_byte + 11] >> 3 & (0x1f)) | ((bytes[offset_byte + 12] & 0xff) << 5);
void PQCLEAN_LIGHTSABER_AVX2_BS2POLVECp(poly data[SABER_L], const uint8_t bytes[SABER_POLYVECCOMPRESSEDBYTES]) {
size_t i;
for (i = 0; i < SABER_L; i++) {
BS2POLp(&data[i], bytes + i * SABER_POLYCOMPRESSEDBYTES);
}
}



void PQCLEAN_LIGHTSABER_AVX2_BS2POLVECp(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes) {

uint32_t i, j;
uint32_t offset_data = 0, offset_byte = 0, offset_byte1 = 0;

for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 10) / 8;
for (j = 0; j < SABER_N / 4; j++) {
offset_byte = offset_byte1 + 5 * j;
offset_data = 4 * j;
data[i][offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[ offset_byte + 1 ] & 0x03) << 8);
data[i][offset_data + 1] = ( (bytes[ offset_byte + 1 ] >> 2) & (0x3f)) | ((bytes[ offset_byte + 2 ] & 0x0f) << 6);
data[i][offset_data + 2] = ( (bytes[ offset_byte + 2 ] >> 4) & (0x0f)) | ((bytes[ offset_byte + 3 ] & 0x3f) << 4);
data[i][offset_data + 3] = ( (bytes[ offset_byte + 3 ] >> 6) & (0x03)) | ((bytes[ offset_byte + 4 ] & 0xff) << 2);

void PQCLEAN_LIGHTSABER_AVX2_BS2POLmsg(poly *data, const uint8_t bytes[SABER_KEYBYTES]) {
size_t i, j;
for (j = 0; j < SABER_KEYBYTES; j++) {
for (i = 0; i < 8; i++) {
data->coeffs[j * 8 + i] = ((bytes[j] >> i) & 0x01);
}
}
}

void PQCLEAN_LIGHTSABER_AVX2_BS2POLVECq(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes) {

uint32_t i, j;
uint32_t offset_data = 0, offset_byte = 0, offset_byte1 = 0;
void PQCLEAN_LIGHTSABER_AVX2_POLmsg2BS(uint8_t bytes[SABER_KEYBYTES], const poly *data) {
size_t i, j;
memset(bytes, 0, SABER_KEYBYTES);

for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 13) / 8;
for (j = 0; j < SABER_N / 8; j++) {
offset_byte = offset_byte1 + 13 * j;
offset_data = 8 * j;
data[i][offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[offset_byte + 1] & 0x1f) << 8);
data[i][offset_data + 1] = ( bytes[ offset_byte + 1 ] >> 5 & (0x07)) | ((bytes[offset_byte + 2] & 0xff) << 3) | ((bytes[offset_byte + 3] & 0x03) << 11);
data[i][offset_data + 2] = ( bytes[ offset_byte + 3 ] >> 2 & (0x3f)) | ((bytes[offset_byte + 4] & 0x7f) << 6);
data[i][offset_data + 3] = ( bytes[ offset_byte + 4 ] >> 7 & (0x01)) | ((bytes[offset_byte + 5] & 0xff) << 1) | ((bytes[offset_byte + 6] & 0x0f) << 9);
data[i][offset_data + 4] = ( bytes[ offset_byte + 6 ] >> 4 & (0x0f)) | ((bytes[offset_byte + 7] & 0xff) << 4) | ((bytes[offset_byte + 8] & 0x01) << 12);
data[i][offset_data + 5] = ( bytes[ offset_byte + 8] >> 1 & (0x7f)) | ((bytes[offset_byte + 9] & 0x3f) << 7);
data[i][offset_data + 6] = ( bytes[ offset_byte + 9] >> 6 & (0x03)) | ((bytes[offset_byte + 10] & 0xff) << 2) | ((bytes[offset_byte + 11] & 0x07) << 10);
data[i][offset_data + 7] = ( bytes[ offset_byte + 11] >> 3 & (0x1f)) | ((bytes[offset_byte + 12] & 0xff) << 5);
for (j = 0; j < SABER_KEYBYTES; j++) {
for (i = 0; i < 8; i++) {
bytes[j] = bytes[j] | ((data->coeffs[j * 8 + i] & 0x01) << i);
}
}


}



void PQCLEAN_LIGHTSABER_AVX2_SABER_un_pack10bit(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes) {

uint32_t i, j;
uint32_t offset_data = 0, offset_byte = 0, offset_byte1 = 0;

for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 10) / 8;
for (j = 0; j < SABER_N / 4; j++) {
offset_byte = offset_byte1 + 5 * j;
offset_data = 4 * j;
data[i][offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[ offset_byte + 1 ] & 0x03) << 8);
data[i][offset_data + 1] = ( (bytes[ offset_byte + 1 ] >> 2) & (0x3f)) | ((bytes[ offset_byte + 2 ] & 0x0f) << 6);
data[i][offset_data + 2] = ( (bytes[ offset_byte + 2 ] >> 4) & (0x0f)) | ((bytes[ offset_byte + 3 ] & 0x3f) << 4);
data[i][offset_data + 3] = ( (bytes[ offset_byte + 3 ] >> 6) & (0x03)) | ((bytes[ offset_byte + 4 ] & 0xff) << 2);

}
}


}


void PQCLEAN_LIGHTSABER_AVX2_SABER_pack13bit(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N]) {

uint32_t i, j;
uint32_t offset_data = 0, offset_byte = 0, offset_byte1 = 0;

for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 13) / 8;
for (j = 0; j < SABER_N / 8; j++) {
offset_byte = offset_byte1 + 13 * j;
offset_data = 8 * j;
bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff));

bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x1f ) | ((data[i][ offset_data + 1 ] & 0x07) << 5);

bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 3) & 0xff );

bytes[offset_byte + 3] = ( (data[i][ offset_data + 1 ] >> 11) & 0x03 ) | ((data[i][ offset_data + 2 ] & 0x3f) << 2);

bytes[offset_byte + 4] = ( (data[i][ offset_data + 2 ] >> 6) & 0x7f ) | ( (data[i][ offset_data + 3 ] & 0x01) << 7 );

bytes[offset_byte + 5] = ( (data[i][ offset_data + 3 ] >> 1) & 0xff );

bytes[offset_byte + 6] = ( (data[i][ offset_data + 3 ] >> 9) & 0x0f ) | ( (data[i][ offset_data + 4 ] & 0x0f) << 4 );

bytes[offset_byte + 7] = ( (data[i][ offset_data + 4] >> 4) & 0xff );

bytes[offset_byte + 8] = ( (data[i][ offset_data + 4 ] >> 12) & 0x01 ) | ( (data[i][ offset_data + 5 ] & 0x7f) << 1 );

bytes[offset_byte + 9] = ( (data[i][ offset_data + 5 ] >> 7) & 0x3f ) | ( (data[i][ offset_data + 6 ] & 0x03) << 6 );

bytes[offset_byte + 10] = ( (data[i][ offset_data + 6 ] >> 2) & 0xff );

bytes[offset_byte + 11] = ( (data[i][ offset_data + 6 ] >> 10) & 0x07 ) | ( (data[i][ offset_data + 7 ] & 0x1f) << 3 );

bytes[offset_byte + 12] = ( (data[i][ offset_data + 7 ] >> 5) & 0xff );

}
}


}

void PQCLEAN_LIGHTSABER_AVX2_SABER_un_pack13bit(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes) {

uint32_t i, j;
uint32_t offset_data = 0, offset_byte = 0, offset_byte1 = 0;

for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 13) / 8;
for (j = 0; j < SABER_N / 8; j++) {
offset_byte = offset_byte1 + 13 * j;
offset_data = 8 * j;
data[i][offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[offset_byte + 1] & 0x1f) << 8);
data[i][offset_data + 1] = ( bytes[ offset_byte + 1 ] >> 5 & (0x07)) | ((bytes[offset_byte + 2] & 0xff) << 3) | ((bytes[offset_byte + 3] & 0x03) << 11);
data[i][offset_data + 2] = ( bytes[ offset_byte + 3 ] >> 2 & (0x3f)) | ((bytes[offset_byte + 4] & 0x7f) << 6);
data[i][offset_data + 3] = ( bytes[ offset_byte + 4 ] >> 7 & (0x01)) | ((bytes[offset_byte + 5] & 0xff) << 1) | ((bytes[offset_byte + 6] & 0x0f) << 9);
data[i][offset_data + 4] = ( bytes[ offset_byte + 6 ] >> 4 & (0x0f)) | ((bytes[offset_byte + 7] & 0xff) << 4) | ((bytes[offset_byte + 8] & 0x01) << 12);
data[i][offset_data + 5] = ( bytes[ offset_byte + 8] >> 1 & (0x7f)) | ((bytes[offset_byte + 9] & 0x3f) << 7);
data[i][offset_data + 6] = ( bytes[ offset_byte + 9] >> 6 & (0x03)) | ((bytes[offset_byte + 10] & 0xff) << 2) | ((bytes[offset_byte + 11] & 0x07) << 10);
data[i][offset_data + 7] = ( bytes[ offset_byte + 11] >> 3 & (0x1f)) | ((bytes[offset_byte + 12] & 0xff) << 5);
}
}


}

void PQCLEAN_LIGHTSABER_AVX2_SABER_poly_un_pack13bit(uint16_t data[SABER_N], const uint8_t *bytes) {

uint32_t j;
uint32_t offset_data = 0, offset_byte = 0;

//for(i=0;i<SABER_K;i++){
//i=0;
//offset_byte1=i*(SABER_N*13)/8;
for (j = 0; j < SABER_N / 8; j++) {
//offset_byte=offset_byte1+13*j;
offset_byte = 13 * j;
offset_data = 8 * j;
data[offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[offset_byte + 1] & 0x1f) << 8);
data[offset_data + 1] = ( bytes[ offset_byte + 1 ] >> 5 & (0x07)) | ((bytes[offset_byte + 2] & 0xff) << 3) | ((bytes[offset_byte + 3] & 0x03) << 11);
data[offset_data + 2] = ( bytes[ offset_byte + 3 ] >> 2 & (0x3f)) | ((bytes[offset_byte + 4] & 0x7f) << 6);
data[offset_data + 3] = ( bytes[ offset_byte + 4 ] >> 7 & (0x01)) | ((bytes[offset_byte + 5] & 0xff) << 1) | ((bytes[offset_byte + 6] & 0x0f) << 9);
data[offset_data + 4] = ( bytes[ offset_byte + 6 ] >> 4 & (0x0f)) | ((bytes[offset_byte + 7] & 0xff) << 4) | ((bytes[offset_byte + 8] & 0x01) << 12);
data[offset_data + 5] = ( bytes[ offset_byte + 8] >> 1 & (0x7f)) | ((bytes[offset_byte + 9] & 0x3f) << 7);
data[offset_data + 6] = ( bytes[ offset_byte + 9] >> 6 & (0x03)) | ((bytes[offset_byte + 10] & 0xff) << 2) | ((bytes[offset_byte + 11] & 0x07) << 10);
data[offset_data + 7] = ( bytes[ offset_byte + 11] >> 3 & (0x1f)) | ((bytes[offset_byte + 12] & 0xff) << 5);
}
//}


}


void PQCLEAN_LIGHTSABER_AVX2_SABER_pack11bit(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N]) {
/*This function packs 11 bit data stream into 8 bits of data.
*/
uint32_t i, j;
uint32_t offset_data = 0, offset_byte = 0, offset_byte1 = 0;

for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 11) / 8;
for (j = 0; j < SABER_N / 8; j++) {
offset_byte = offset_byte1 + 11 * j;
offset_data = 8 * j;
bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff));

bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x07 ) | ((data[i][ offset_data + 1 ] & 0x1f) << 3);

bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 5) & 0x3f ) | ((data[i][ offset_data + 2 ] & 0x03) << 6);

bytes[offset_byte + 3] = ( (data[i][ offset_data + 2 ] >> 2) & 0xff );

bytes[offset_byte + 4] = ( (data[i][ offset_data + 2 ] >> 10) & 0x01 ) | ((data[i][ offset_data + 3 ] & 0x7f) << 1);

bytes[offset_byte + 5] = ( (data[i][ offset_data + 3 ] >> 7) & 0x0f ) | ((data[i][ offset_data + 4 ] & 0x0f) << 4);

bytes[offset_byte + 6] = ( (data[i][ offset_data + 4 ] >> 4) & 0x7f ) | ((data[i][ offset_data + 5 ] & 0x01) << 7);

bytes[offset_byte + 7] = ( (data[i][ offset_data + 5 ] >> 1) & 0xff );

bytes[offset_byte + 8] = ( (data[i][ offset_data + 5 ] >> 9) & 0x03 ) | ((data[i][ offset_data + 6 ] & 0x3f) << 2);

bytes[offset_byte + 9] = ( (data[i][ offset_data + 6 ] >> 6) & 0x1f ) | ((data[i][ offset_data + 7 ] & 0x07) << 5);

bytes[offset_byte + 10] = ( (data[i][ offset_data + 7 ] >> 3) & 0xff );

}
}

}

void PQCLEAN_LIGHTSABER_AVX2_SABER_un_pack11bit(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes) {

uint32_t i, j;
uint32_t offset_data = 0, offset_byte = 0, offset_byte1 = 0;


for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 11) / 8;
for (j = 0; j < SABER_N / 8; j++) {
offset_byte = offset_byte1 + 11 * j;
offset_data = 8 * j;

data[i][offset_data + 0] = (bytes[offset_byte + 0]) | ( (bytes[offset_byte + 1] & 0x07) << 8 );

data[i][offset_data + 1] = ( (bytes[offset_byte + 1] >> 3) & 0x1f) | ( (bytes[offset_byte + 2] & 0x3f) << 5 );

data[i][offset_data + 2] = ( (bytes[offset_byte + 2] >> 6) & 0x03) | ( (bytes[offset_byte + 3] & 0xff) << 2 ) | ( (bytes[offset_byte + 4] & 0x01) << 10 );

data[i][offset_data + 3] = ( (bytes[offset_byte + 4] >> 1) & 0x7f) | ( (bytes[offset_byte + 5] & 0x0f) << 7 );

data[i][offset_data + 4] = ( (bytes[offset_byte + 5] >> 4) & 0x0f) | ( (bytes[offset_byte + 6] & 0x7f) << 4 );

data[i][offset_data + 5] = ( (bytes[offset_byte + 6] >> 7) & 0x01) | ( (bytes[offset_byte + 7] & 0xff) << 1 ) | ( (bytes[offset_byte + 8] & 0x03) << 9 );

data[i][offset_data + 6] = ( (bytes[offset_byte + 8] >> 2) & 0x3f) | ( (bytes[offset_byte + 9] & 0x1f) << 6 );

data[i][offset_data + 7] = ( (bytes[offset_byte + 9] >> 5) & 0x07) | ( (bytes[offset_byte + 10] & 0xff) << 3 );
}
}


}

void PQCLEAN_LIGHTSABER_AVX2_SABER_pack14bit(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N]) {

uint32_t i, j;
uint32_t offset_data = 0, offset_byte = 0, offset_byte1 = 0;

for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 14) / 8;
for (j = 0; j < SABER_N / 4; j++) {
offset_byte = offset_byte1 + 7 * j;
offset_data = 4 * j;
bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff));

bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x3f ) | ((data[i][ offset_data + 1 ] & 0x03) << 6);

bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 2) & 0xff );

bytes[offset_byte + 3] = ( (data[i][ offset_data + 1 ] >> 10) & 0x0f ) | ((data[i][ offset_data + 2 ] & 0x0f) << 4);

bytes[offset_byte + 4] = ( (data[i][ offset_data + 2 ] >> 4) & 0xff );

bytes[offset_byte + 5] = ( (data[i][ offset_data + 2 ] >> 12) & 0x03 ) | ((data[i][ offset_data + 3 ] & 0x3f) << 2);

bytes[offset_byte + 6] = ( (data[i][ offset_data + 3 ] >> 6) & 0xff );
}
}


}


void PQCLEAN_LIGHTSABER_AVX2_SABER_un_pack14bit(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes) {

uint32_t i, j;
uint32_t offset_data = 0, offset_byte = 0, offset_byte1 = 0;

for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 14) / 8;
for (j = 0; j < SABER_N / 4; j++) {
offset_byte = offset_byte1 + 7 * j;
offset_data = 4 * j;
data[i][offset_data + 0] = (bytes[offset_byte + 0] & 0xff) | ( (bytes[offset_byte + 1] & 0x3f) << 8 );

data[i][offset_data + 1] = ( (bytes[offset_byte + 1] >> 6) & 0x03) | ((bytes[offset_byte + 2] & 0xff) << 2 ) | ( (bytes[offset_byte + 3] & 0x0f) << 10 );

data[i][offset_data + 2] = ( (bytes[offset_byte + 3] >> 4) & 0x0f) | ( (bytes[offset_byte + 4] ) << 4 ) | ( (bytes[offset_byte + 5] & 0x03) << 12 );

data[i][offset_data + 3] = ( (bytes[offset_byte + 5] >> 2) & 0x3f) | ( (bytes[offset_byte + 6] ) << 6 );
}
}


}

void PQCLEAN_LIGHTSABER_AVX2_POLVEC2BS(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N], uint16_t modulus) {

if (modulus == 1024) {
PQCLEAN_LIGHTSABER_AVX2_POLVECp2BS(bytes, data);
} else if (modulus == 8192) {
PQCLEAN_LIGHTSABER_AVX2_POLVECq2BS(bytes, data);
}
}

void PQCLEAN_LIGHTSABER_AVX2_BS2POLVEC(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes, uint16_t modulus) {

if (modulus == 1024) {
PQCLEAN_LIGHTSABER_AVX2_BS2POLVECp(data, bytes);
} else if (modulus == 8192) {
PQCLEAN_LIGHTSABER_AVX2_BS2POLVECq(data, bytes);
}

}

+ 9
- 37
crypto_kem/lightsaber/avx2/pack_unpack.h View File

@@ -1,56 +1,28 @@
#ifndef PACK_UNPACK_H
#define PACK_UNPACK_H
#include "SABER_params.h"
#include "poly.h"
#include <stdint.h>
#include <stdio.h>

void PQCLEAN_LIGHTSABER_AVX2_BS2POLq(uint16_t data[SABER_N], const uint8_t *bytes);
void PQCLEAN_LIGHTSABER_AVX2_POLT2BS(uint8_t bytes[SABER_SCALEBYTES_KEM], const poly *data);

void PQCLEAN_LIGHTSABER_AVX2_BS2POLVEC(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes, uint16_t modulus);
void PQCLEAN_LIGHTSABER_AVX2_BS2POLT(poly *data, const uint8_t bytes[SABER_SCALEBYTES_KEM]);

void PQCLEAN_LIGHTSABER_AVX2_BS2POLVECq(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes);

void PQCLEAN_LIGHTSABER_AVX2_BS2POLVECp(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes);
void PQCLEAN_LIGHTSABER_AVX2_POLVECq2BS(uint8_t bytes[SABER_POLYVECBYTES], const poly data[SABER_L]);

void PQCLEAN_LIGHTSABER_AVX2_POLVECp2BS(uint8_t bytes[SABER_POLYVECCOMPRESSEDBYTES], const poly data[SABER_L]);

void PQCLEAN_LIGHTSABER_AVX2_POLVEC2BS(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N], uint16_t modulus);

void PQCLEAN_LIGHTSABER_AVX2_POLVECq2BS(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N]);
void PQCLEAN_LIGHTSABER_AVX2_BS2POLVECq(poly data[SABER_L], const uint8_t bytes[SABER_POLYVECBYTES]);

void PQCLEAN_LIGHTSABER_AVX2_POLVECp2BS(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N]);
void PQCLEAN_LIGHTSABER_AVX2_BS2POLVECp(poly data[SABER_L], const uint8_t bytes[SABER_POLYVECCOMPRESSEDBYTES]);


void PQCLEAN_LIGHTSABER_AVX2_SABER_pack_3bit(uint8_t *bytes, const uint16_t *data);
void PQCLEAN_LIGHTSABER_AVX2_BS2POLmsg(poly *data, const uint8_t bytes[SABER_KEYBYTES]);

void PQCLEAN_LIGHTSABER_AVX2_SABER_pack_4bit(uint8_t *bytes, const uint16_t *data);

void PQCLEAN_LIGHTSABER_AVX2_SABER_pack_6bit(uint8_t *bytes, const uint16_t *data);

void PQCLEAN_LIGHTSABER_AVX2_SABER_pack10bit(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N]);

void PQCLEAN_LIGHTSABER_AVX2_SABER_pack11bit(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N]);

void PQCLEAN_LIGHTSABER_AVX2_SABER_pack13bit(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N]);

void PQCLEAN_LIGHTSABER_AVX2_SABER_pack14bit(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N]);


void PQCLEAN_LIGHTSABER_AVX2_SABER_poly_un_pack13bit(uint16_t data[SABER_N], const uint8_t *bytes);


void PQCLEAN_LIGHTSABER_AVX2_SABER_un_pack3bit(uint16_t *data, const uint8_t *bytes);

void PQCLEAN_LIGHTSABER_AVX2_SABER_un_pack4bit(uint16_t *data, const uint8_t *bytes);

void PQCLEAN_LIGHTSABER_AVX2_SABER_un_pack6bit(uint16_t *data, const uint8_t *bytes);

void PQCLEAN_LIGHTSABER_AVX2_SABER_un_pack10bit(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes);

void PQCLEAN_LIGHTSABER_AVX2_SABER_un_pack11bit(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes);

void PQCLEAN_LIGHTSABER_AVX2_SABER_un_pack13bit(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes);

void PQCLEAN_LIGHTSABER_AVX2_SABER_un_pack14bit(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes);
void PQCLEAN_LIGHTSABER_AVX2_POLmsg2BS(uint8_t bytes[SABER_KEYBYTES], const poly *data);


#endif

+ 62
- 0
crypto_kem/lightsaber/avx2/poly.c View File

@@ -0,0 +1,62 @@
#include "cbd.h"
#include "fips202.h"
#include "pack_unpack.h"
#include "poly.h"


void PQCLEAN_LIGHTSABER_AVX2_MatrixVectorMul(poly c[SABER_L], const poly A[SABER_L][SABER_L], const toom4_points s_eval[SABER_L], int transpose) {
size_t i, j;
toom4_points_product c_eval;

if (transpose) {
for (i = 0; i < SABER_L; i++) {
PQCLEAN_LIGHTSABER_AVX2_toom4_mul_A_by_B_eval(&c_eval, &A[0][i], &s_eval[0], 0);
for (j = 1; j < SABER_L; j++) {
PQCLEAN_LIGHTSABER_AVX2_toom4_mul_A_by_B_eval(&c_eval, &A[j][i], &s_eval[j], 1);
}
PQCLEAN_LIGHTSABER_AVX2_toom4_interp(&c[i], &c_eval);
}
} else {
for (i = 0; i < SABER_L; i++) {
PQCLEAN_LIGHTSABER_AVX2_toom4_mul_A_by_B_eval(&c_eval, &A[i][0], &s_eval[0], 0);
for (j = 1; j < SABER_L; j++) {
PQCLEAN_LIGHTSABER_AVX2_toom4_mul_A_by_B_eval(&c_eval, &A[i][j], &s_eval[j], 1);
}
PQCLEAN_LIGHTSABER_AVX2_toom4_interp(&c[i], &c_eval);
}
}
}

void PQCLEAN_LIGHTSABER_AVX2_InnerProd(poly *c, const poly b[SABER_L], const toom4_points s_eval[SABER_L]) {
size_t i;
toom4_points_product c_eval; //Holds results for 9 Karatsuba at a time

PQCLEAN_LIGHTSABER_AVX2_toom4_mul_A_by_B_eval(&c_eval, &b[0], &s_eval[0], 0);
for (i = 1; i < SABER_L; i++) {
PQCLEAN_LIGHTSABER_AVX2_toom4_mul_A_by_B_eval(&c_eval, &b[i], &s_eval[i], 1);
}

PQCLEAN_LIGHTSABER_AVX2_toom4_interp(c, &c_eval);
}

void PQCLEAN_LIGHTSABER_AVX2_GenMatrix(poly A[SABER_L][SABER_L], const uint8_t seed[SABER_SEEDBYTES]) {
size_t i;
uint8_t buf[SABER_L * SABER_POLYVECBYTES];

shake128(buf, sizeof(buf), seed, SABER_SEEDBYTES);

for (i = 0; i < SABER_L; i++) {
PQCLEAN_LIGHTSABER_AVX2_BS2POLVECq(A[i], buf + i * SABER_POLYVECBYTES);
}
}

void PQCLEAN_LIGHTSABER_AVX2_GenSecret(poly s[SABER_L], const uint8_t seed[SABER_NOISESEEDBYTES]) {
size_t i;
uint8_t buf[SABER_L * SABER_POLYCOINBYTES];

shake128(buf, sizeof(buf), seed, SABER_NOISESEEDBYTES);

for (i = 0; i < SABER_L; i++) {
PQCLEAN_LIGHTSABER_AVX2_cbd(s[i].coeffs, buf + i * SABER_POLYCOINBYTES);
}
}

+ 24
- 12
crypto_kem/lightsaber/avx2/poly.h View File

@@ -1,27 +1,38 @@
#ifndef POLY_H
#define POLY_H
/*---------------------------------------------------------------------
This file has been adapted from the implementation
(available at, Public Domain https://github.com/pq-crystals/kyber)
of "CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM"
by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint,
Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle
#include "SABER_params.h"
#include <immintrin.h>
#include <stdint.h>

typedef struct {
typedef union {
uint16_t coeffs[SABER_N];
__m256i dummy;
} poly;

typedef struct {
poly vec[SABER_K];
} polyvec;
typedef union {
uint16_t coeffs[4 * SABER_N];
__m256i dummy;
} toom4_points;

void PQCLEAN_LIGHTSABER_AVX2_poly_getnoise(uint16_t *r, const unsigned char *seed, unsigned char nonce);
typedef union {
uint16_t coeffs[8 * SABER_N];
__m256i dummy;
} toom4_points_product;

void PQCLEAN_LIGHTSABER_AVX2_MatrixVectorMul(poly c[SABER_L], const poly A[SABER_L][SABER_L], const toom4_points s_eval[SABER_L], int transpose);

void PQCLEAN_LIGHTSABER_AVX2_poly_getnoise4x(uint16_t *r0, uint16_t *r1, uint16_t *r2, const unsigned char *seed, unsigned char nonce0, unsigned char nonce1, unsigned char nonce2, unsigned char nonce3);
void PQCLEAN_LIGHTSABER_AVX2_InnerProd(poly *c, const poly b[SABER_L], const toom4_points s_eval[SABER_L]);

void PQCLEAN_LIGHTSABER_AVX2_GenMatrix(poly a[SABER_L][SABER_L], const uint8_t seed[SABER_SEEDBYTES]);

void PQCLEAN_LIGHTSABER_AVX2_GenSecret(poly s[SABER_L], const uint8_t seed[SABER_NOISESEEDBYTES]);


void PQCLEAN_LIGHTSABER_AVX2_toom4_interp(poly *res_avx, const toom4_points_product *c_eval);

void PQCLEAN_LIGHTSABER_AVX2_toom4_eval(toom4_points *b_eval, const poly *b);

void PQCLEAN_LIGHTSABER_AVX2_toom4_mul_A_by_B_eval(toom4_points_product *c_eval, const poly *a_avx, const toom4_points *b_eval, int accumulate);


#endif

+ 1524
- 0
crypto_kem/lightsaber/avx2/poly_mul.c
File diff suppressed because it is too large
View File


+ 0
- 20
crypto_kem/lightsaber/avx2/polymul/consts.h View File

@@ -1,20 +0,0 @@
#include "../SABER_params.h"

#define AVX_N (SABER_N >> 4)
#define small_len_avx (AVX_N >> 2)

#define SCHB_N 16

#define N_SB (SABER_N >> 2)
#define N_SB_RES (2*N_SB-1)

#define N_SB_16 (N_SB >> 2)
#define N_SB_16_RES (2*N_SB_16-1)

#define AVX_N1 16 /*N/16*/

#define SCM_SIZE 16

// The dimension of a vector. i.e vector has NUM_POLY elements and Matrix has NUM_POLY X NUM_POLY elements
#define NUM_POLY SABER_K
//int NUM_POLY=2;

+ 0
- 303
crypto_kem/lightsaber/avx2/polymul/matrix.c View File

@@ -1,303 +0,0 @@
#include <immintrin.h>

static void transpose_n1(__m256i *M)
{
//int i;
register __m256i r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11;
register __m256i temp, temp0, temp1, temp2;

//for(i=0; i<8; i=i+1)
//{
r0 = _mm256_unpacklo_epi16(M[0], M[1]);
r1 = _mm256_unpacklo_epi16(M[2], M[3]);
r2 = _mm256_unpacklo_epi16(M[4], M[5]);
r3 = _mm256_unpacklo_epi16(M[6], M[7]);
r4 = _mm256_unpacklo_epi16(M[8], M[9]);
r5 = _mm256_unpacklo_epi16(M[10], M[11]);
r6 = _mm256_unpacklo_epi16(M[12], M[13]);
r7 = _mm256_unpacklo_epi16(M[14], M[15]);


temp = _mm256_unpacklo_epi32(r0, r1);
temp0 = _mm256_unpacklo_epi32(r2, r3);
temp1 = _mm256_unpacklo_epi32(r4, r5);
temp2 = _mm256_unpacklo_epi32(r6, r7);

r8 = _mm256_unpackhi_epi32(r0, r1);
r9 = _mm256_unpackhi_epi32(r2, r3);
r10 = _mm256_unpackhi_epi32(r4, r5);
r11 = _mm256_unpackhi_epi32(r6, r7);

r0 = _mm256_unpacklo_epi64(temp, temp0);
r2 = _mm256_unpackhi_epi64(temp, temp0);

r1 = _mm256_unpacklo_epi64(temp1, temp2);
r3 = _mm256_unpackhi_epi64(temp1, temp2);

temp = _mm256_unpackhi_epi16(M[0], M[1]);
temp0 = _mm256_unpackhi_epi16(M[2], M[3]);
temp1 = _mm256_unpackhi_epi16(M[4], M[5]);
temp2 = _mm256_unpackhi_epi16(M[6], M[7]);
r4 = _mm256_unpackhi_epi16(M[8], M[9]);

M[0] = _mm256_permute2f128_si256(r0, r1, 0x20);
M[8] = _mm256_permute2f128_si256(r0, r1, 0x31);
M[1] = _mm256_permute2f128_si256(r2, r3, 0x20);
M[9] = _mm256_permute2f128_si256(r2, r3, 0x31);


r5 = _mm256_unpackhi_epi16(M[10], M[11]);
r6 = _mm256_unpackhi_epi16(M[12], M[13]);
r7 = _mm256_unpackhi_epi16(M[14], M[15]);



r0 = _mm256_unpacklo_epi64(r8, r9);
r1 = _mm256_unpacklo_epi64(r10, r11);

r2 = _mm256_unpackhi_epi64(r8, r9);
r3 = _mm256_unpackhi_epi64(r10, r11);



M[3] = _mm256_permute2f128_si256(r2, r3, 0x20);
M[11] = _mm256_permute2f128_si256(r2, r3, 0x31);
M[2] = _mm256_permute2f128_si256(r0, r1, 0x20);
M[10] = _mm256_permute2f128_si256(r0, r1, 0x31);


//for(i=0; i<4; i=i+1)
//{
r0 = _mm256_unpacklo_epi32(temp, temp0);
r1 = _mm256_unpacklo_epi32(temp1, temp2);
r2 = _mm256_unpacklo_epi32(r4, r5);
r3 = _mm256_unpacklo_epi32(r6, r7);

//}


//for(i=0; i<2; i=i+1)
//{
r8 = _mm256_unpacklo_epi64(r0, r1);
r10 = _mm256_unpackhi_epi64(r0, r1);

r9 = _mm256_unpacklo_epi64(r2, r3);
r11 = _mm256_unpackhi_epi64(r2, r3);

M[4] = _mm256_permute2f128_si256(r8, r9, 0x20);
M[12] = _mm256_permute2f128_si256(r8, r9, 0x31);
M[5] = _mm256_permute2f128_si256(r10, r11, 0x20);
M[13] = _mm256_permute2f128_si256(r10, r11, 0x31);

r0 = _mm256_unpackhi_epi32(temp, temp0);
r1 = _mm256_unpackhi_epi32(temp1, temp2);
r2 = _mm256_unpackhi_epi32(r4, r5);
r3 = _mm256_unpackhi_epi32(r6, r7);

//}
// for(i=0; i<2; i=i+1)
// {
r4 = _mm256_unpacklo_epi64(r0, r1);
r6 = _mm256_unpackhi_epi64(r0, r1);

r5 = _mm256_unpacklo_epi64(r2, r3);
r7 = _mm256_unpackhi_epi64(r2, r3);

// }

//-------------------------------------------------------

M[6] = _mm256_permute2f128_si256(r4, r5, 0x20);
M[14] = _mm256_permute2f128_si256(r4, r5, 0x31);
M[7] = _mm256_permute2f128_si256(r6, r7, 0x20);
M[15] = _mm256_permute2f128_si256(r6, r7, 0x31);
}

/*
void transpose_unrolled(__m256i *M)
{
int i;
__m256i tL[8], tH[8];
__m256i bL[4], bH[4], cL[4], cH[4];
__m256i dL[2], dH[2], eL[2], eH[2], fL[2], fH[2], gL[2], gH[2];

__m256i r0, r1, r2, r3, r4, r5, r6, r7;

//for(i=0; i<8; i=i+1)
//{
tL[0] = _mm256_unpacklo_epi16(M[0], M[1]);
tH[0] = _mm256_unpackhi_epi16(M[0], M[1]);

tL[1] = _mm256_unpacklo_epi16(M[2], M[3]);
tH[1] = _mm256_unpackhi_epi16(M[2], M[3]);

tL[2] = _mm256_unpacklo_epi16(M[4], M[5]);
tH[2] = _mm256_unpackhi_epi16(M[4], M[5]);

tL[3] = _mm256_unpacklo_epi16(M[6], M[7]);
tH[3] = _mm256_unpackhi_epi16(M[6], M[7]);

tL[4] = _mm256_unpacklo_epi16(M[8], M[9]);
tH[4] = _mm256_unpackhi_epi16(M[8], M[9]);

tL[5] = _mm256_unpacklo_epi16(M[10], M[11]);
tH[5] = _mm256_unpackhi_epi16(M[10], M[11]);

tL[6] = _mm256_unpacklo_epi16(M[12], M[13]);
tH[6] = _mm256_unpackhi_epi16(M[12], M[13]);

tL[7] = _mm256_unpacklo_epi16(M[14], M[15]);
tH[7] = _mm256_unpackhi_epi16(M[14], M[15]);

//}

//-------------------------------------------------------
//for(i=0; i<4; i=i+1)
//{
bL[0] = _mm256_unpacklo_epi32(tL[0], tL[1]);
bH[0] = _mm256_unpackhi_epi32(tL[0], tL[1]);

bL[1] = _mm256_unpacklo_epi32(tL[2], tL[3]);
bH[1] = _mm256_unpackhi_epi32(tL[2], tL[3]);

bL[2] = _mm256_unpacklo_epi32(tL[4], tL[5]);
bH[2] = _mm256_unpackhi_epi32(tL[4], tL[5]);

bL[3] = _mm256_unpacklo_epi32(tL[6], tL[7]);
bH[3] = _mm256_unpackhi_epi32(tL[6], tL[7]);

//}

//for(i=0; i<2; i=i+1)
//{
dL[0] = _mm256_unpacklo_epi64(bL[0], bL[1]);
dH[0] = _mm256_unpackhi_epi64(bL[0], bL[1]);

dL[1] = _mm256_unpacklo_epi64(bL[2], bL[3]);
dH[1] = _mm256_unpackhi_epi64(bL[2], bL[3]);

M[0] = _mm256_permute2f128_si256(dL[0], dL[1], 0x20);
M[8] = _mm256_permute2f128_si256(dL[0], dL[1], 0x31);
M[1] = _mm256_permute2f128_si256(dH[0], dH[1], 0x20);
M[9] = _mm256_permute2f128_si256(dH[0], dH[1], 0x31);

//}
//for(i=0; i<2; i=i+1)
//{
eL[0] = _mm256_unpacklo_epi64(bH[0], bH[1]);
eH[0] = _mm256_unpackhi_epi64(bH[0], bH[1]);

eL[1] = _mm256_unpacklo_epi64(bH[2], bH[3]);
eH[1] = _mm256_unpackhi_epi64(bH[2], bH[3]);

//}

//-------------------------------------------------------

//-------------------------------------------------------
for(i=0; i<4; i=i+1)
{
cL[i] = _mm256_unpacklo_epi32(tH[2*i], tH[2*i+1]);
cH[i] = _mm256_unpackhi_epi32(tH[2*i], tH[2*i+1]);
}


for(i=0; i<2; i=i+1)
{
fL[i] = _mm256_unpacklo_epi64(cL[2*i], cL[2*i+1]);
fH[i] = _mm256_unpackhi_epi64(cL[2*i], cL[2*i+1]);
}
for(i=0; i<2; i=i+1)
{
gL[i] = _mm256_unpacklo_epi64(cH[2*i], cH[2*i+1]);
gH[i] = _mm256_unpackhi_epi64(cH[2*i], cH[2*i+1]);
}

//-------------------------------------------------------



M[2] = _mm256_permute2f128_si256(eL[0], eL[1], 0x20);
M[10] = _mm256_permute2f128_si256(eL[0], eL[1], 0x31);
M[3] = _mm256_permute2f128_si256(eH[0], eH[1], 0x20);
M[11] = _mm256_permute2f128_si256(eH[0], eH[1], 0x31);

M[4] = _mm256_permute2f128_si256(fL[0], fL[1], 0x20);
M[12] = _mm256_permute2f128_si256(fL[0], fL[1], 0x31);
M[5] = _mm256_permute2f128_si256(fH[0], fH[1], 0x20);
M[13] = _mm256_permute2f128_si256(fH[0], fH[1], 0x31);

M[6] = _mm256_permute2f128_si256(gL[0], gL[1], 0x20);
M[14] = _mm256_permute2f128_si256(gL[0], gL[1], 0x31);
M[7] = _mm256_permute2f128_si256(gH[0], gH[1], 0x20);
M[15] = _mm256_permute2f128_si256(gH[0], gH[1], 0x31);
}


void transpose1(__m256i *M)
{
int i;
__m256i tL[8], tH[8];
__m256i bL[4], bH[4], cL[4], cH[4];
__m256i dL[2], dH[2], eL[2], eH[2], fL[2], fH[2], gL[2], gH[2];

for(i=0; i<8; i=i+1)
{
tL[i] = _mm256_unpacklo_epi16(M[2*i], M[2*i+1]);
tH[i] = _mm256_unpackhi_epi16(M[2*i], M[2*i+1]);
}

for(i=0; i<4; i=i+1)
{
bL[i] = _mm256_unpacklo_epi32(tL[2*i], tL[2*i+1]);
bH[i] = _mm256_unpackhi_epi32(tL[2*i], tL[2*i+1]);
}
for(i=0; i<4; i=i+1)
{
cL[i] = _mm256_unpacklo_epi32(tH[2*i], tH[2*i+1]);
cH[i] = _mm256_unpackhi_epi32(tH[2*i], tH[2*i+1]);
}

for(i=0; i<2; i=i+1)
{
dL[i] = _mm256_unpacklo_epi64(bL[2*i], bL[2*i+1]);
dH[i] = _mm256_unpackhi_epi64(bL[2*i], bL[2*i+1]);
}
for(i=0; i<2; i=i+1)
{
eL[i] = _mm256_unpacklo_epi64(bH[2*i], bH[2*i+1]);
eH[i] = _mm256_unpackhi_epi64(bH[2*i], bH[2*i+1]);
}

for(i=0; i<2; i=i+1)
{
fL[i] = _mm256_unpacklo_epi64(cL[2*i], cL[2*i+1]);
fH[i] = _mm256_unpackhi_epi64(cL[2*i], cL[2*i+1]);
}
for(i=0; i<2; i=i+1)
{
gL[i] = _mm256_unpacklo_epi64(cH[2*i], cH[2*i+1]);
gH[i] = _mm256_unpackhi_epi64(cH[2*i], cH[2*i+1]);
}

M[0] = _mm256_permute2f128_si256(dL[0], dL[1], 0x20);
M[8] = _mm256_permute2f128_si256(dL[0], dL[1], 0x31);
M[1] = _mm256_permute2f128_si256(dH[0], dH[1], 0x20);
M[9] = _mm256_permute2f128_si256(dH[0], dH[1], 0x31);

M[2] = _mm256_permute2f128_si256(eL[0], eL[1], 0x20);
M[10] = _mm256_permute2f128_si256(eL[0], eL[1], 0x31);
M[3] = _mm256_permute2f128_si256(eH[0], eH[1], 0x20);
M[11] = _mm256_permute2f128_si256(eH[0], eH[1], 0x31);

M[4] = _mm256_permute2f128_si256(fL[0], fL[1], 0x20);
M[12] = _mm256_permute2f128_si256(fL[0], fL[1], 0x31);
M[5] = _mm256_permute2f128_si256(fH[0], fH[1], 0x20);
M[13] = _mm256_permute2f128_si256(fH[0], fH[1], 0x31);

M[6] = _mm256_permute2f128_si256(gL[0], gL[1], 0x20);
M[14] = _mm256_permute2f128_si256(gL[0], gL[1], 0x31);
M[7] = _mm256_permute2f128_si256(gH[0], gH[1], 0x20);
M[15] = _mm256_permute2f128_si256(gH[0], gH[1], 0x31);
}
*/

+ 0
- 753
crypto_kem/lightsaber/avx2/polymul/scm_avx.c View File

@@ -1,753 +0,0 @@
//#define SCM_SIZE 16

//#pragma STDC FP_CONTRACT ON

#include <immintrin.h>

static inline __m256i mul_add(__m256i a, __m256i b, __m256i c) {
return _mm256_add_epi16(_mm256_mullo_epi16(a, b), c);
}


static void schoolbook_avx_new3_acc(__m256i* a, __m256i* b, __m256i* c_avx) ////8 coefficients of a and b has been prefetched
//the c_avx are added cummulatively
{

register __m256i a0, a1, a2, a3, a4, a5, a6, a7, b0, b1, b2, b3, b4, b5, b6, b7;
register __m256i temp;


a0=a[0];
a1=a[1];
a2=a[2];
a3=a[3];
a4=a[4];
a5=a[5];
a6=a[6];
a7=a[7];

b0=b[0];
b1=b[1];
b2=b[2];
b3=b[3];
b4=b[4];
b5=b[5];
b6=b[6];
b7=b[7];

// New Unrolled first triangle

//otherwise accumulate
c_avx[0] = mul_add(a0, b0, c_avx[0]);

temp = _mm256_mullo_epi16 (a0, b1);
temp=mul_add(a1, b0, temp);
c_avx[1] = _mm256_add_epi16(temp, c_avx[1]);


temp = _mm256_mullo_epi16 (a0, b2);
temp = mul_add(a1, b1, temp);
temp=mul_add(a2, b0, temp);
c_avx[2] = _mm256_add_epi16(temp, c_avx[2]);

temp = _mm256_mullo_epi16 (a0, b3);
temp = mul_add(a1, b2, temp);
temp = mul_add(a2, b1, temp);
temp=mul_add(a3, b0, temp);
c_avx[3] = _mm256_add_epi16(temp, c_avx[3]);

temp = _mm256_mullo_epi16 (a0, b4);
temp = mul_add(a1, b3, temp);
temp = mul_add(a3, b1, temp);
temp = mul_add(a4, b0, temp);
temp=mul_add(a2, b2, temp);
c_avx[4] = _mm256_add_epi16(temp, c_avx[4]);


temp = _mm256_mullo_epi16 (a0, b5);
temp = mul_add(a1, b4 , temp);
temp = mul_add(a2, b3, temp);
temp = mul_add(a3, b2, temp);
temp = mul_add( a4, b1, temp);
temp=mul_add(a5, b0, temp);
c_avx[5] = _mm256_add_epi16(temp, c_avx[5]);
temp = _mm256_mullo_epi16 (a0, b6);
temp = mul_add(a1, b5, temp);
temp = mul_add(a5, b1, temp);
temp = mul_add(a6, b0, temp);
temp = mul_add(a2, b4, temp);
temp = mul_add(a3, b3, temp);
temp=mul_add(a4, b2, temp);
c_avx[6] = _mm256_add_epi16(temp, c_avx[6]);


temp = _mm256_mullo_epi16 (a0, b7);
temp = mul_add(a1, b6, temp);
temp = mul_add (a6, b1, temp);
temp = mul_add (a7, b0, temp);
temp = mul_add(a2, b5, temp);
temp = mul_add (a3, b4, temp);
temp = mul_add (a4, b3, temp);
temp=mul_add(a5, b2, temp);
c_avx[7] = _mm256_add_epi16(temp, c_avx[7]);

temp = _mm256_mullo_epi16 (a0, b[8]);
temp = mul_add (a1, b7, temp);
temp = mul_add (a7, b1, temp);
temp = mul_add (a[8], b0, temp);
temp = mul_add (a2, b6,temp);
temp = mul_add(a3, b5, temp);
temp = mul_add (a4, b4,temp);
temp = mul_add (a5, b3, temp);
temp=mul_add(a6, b2, temp);
c_avx[8] = _mm256_add_epi16(temp, c_avx[8]);


temp = _mm256_mullo_epi16 (a0, b[9]);
temp = mul_add (a1, b[8], temp);
temp = mul_add (a[8], b1, temp);
temp = mul_add (a[9], b0, temp);
temp = mul_add (a2, b7, temp);
temp = mul_add (a3, b6, temp);
temp = mul_add (a4, b5, temp);
temp = mul_add (a5, b4, temp);
temp = mul_add (a6, b3, temp);
temp=mul_add(a7, b2, temp);
c_avx[9] = _mm256_add_epi16(temp, c_avx[9]);


temp= _mm256_mullo_epi16 (a0, b[10]);
temp = mul_add (a1, b[9], temp);
temp = mul_add (a[9], b1, temp);
temp = mul_add (a[10], b0, temp);
temp = mul_add (a2, b[8], temp);
temp = mul_add (a3, b7, temp);
temp = mul_add (a4, b6, temp);
temp = mul_add (a5, b5, temp);
temp = mul_add (a6, b4, temp);
temp = mul_add (a7, b3, temp);
temp=mul_add(a[8], b2, temp);
c_avx[10] = _mm256_add_epi16(temp, c_avx[10]);


temp = _mm256_mullo_epi16 (a0, b[11]);
temp = mul_add (a1, b[10], temp );
temp = mul_add (a[10], b1, temp );
temp = mul_add (a[11], b0, temp );
temp = mul_add (a2, b[9], temp );
temp = mul_add (a3, b[8], temp );
temp = mul_add (a4, b7, temp );
temp = mul_add (a5, b6, temp );
temp = mul_add (a6, b5, temp );
temp = mul_add (a7, b4, temp );
temp = mul_add (a[8], b3, temp );
temp=mul_add(a[9], b2, temp);
c_avx[11] = _mm256_add_epi16(temp, c_avx[11]);


temp = _mm256_mullo_epi16 (a0, b[12]);
temp = mul_add (a1, b[11], temp);
temp = mul_add (a[11], b1, temp);
temp = mul_add (a[12], b0, temp);
temp = mul_add (a2, b[10], temp);
temp = mul_add (a3, b[9], temp);
temp = mul_add (a4, b[8], temp);
temp = mul_add (a5, b7, temp);
temp = mul_add (a6, b6, temp);
temp = mul_add (a7, b5, temp);
temp = mul_add (a[8], b4, temp);
temp = mul_add (a[9], b3, temp);
temp=mul_add(a[10], b2, temp);
c_avx[12] = _mm256_add_epi16(temp, c_avx[12]);


temp = _mm256_mullo_epi16 (a0, b[13]);
temp = mul_add (a1, b[12], temp );
temp = mul_add (a[12], b1, temp );
temp = mul_add (a[13], b0, temp );
temp = mul_add (a2, b[11], temp );
temp = mul_add (a3, b[10], temp );
temp = mul_add (a4, b[9], temp );
temp = mul_add (a5, b[8], temp );
temp = mul_add (a6, b7, temp );
temp = mul_add (a7, b6, temp );
temp = mul_add (a[8], b5, temp );
temp = mul_add (a[9], b4, temp );
temp = mul_add (a[10], b3, temp );
temp=mul_add(a[11], b2, temp);
c_avx[13] = _mm256_add_epi16(temp, c_avx[13]);



temp = _mm256_mullo_epi16 (a0, b[14]);
temp = mul_add (a1, b[13], temp );
temp = mul_add (a[13], b1, temp );
temp = mul_add (a[14], b0, temp );
temp = mul_add (a2, b[12], temp );
temp = mul_add (a3, b[11], temp );
temp = mul_add (a4, b[10], temp );
temp = mul_add (a5, b[9], temp );
temp = mul_add (a6, b[8], temp );
temp = mul_add (a7, b7, temp );
temp = mul_add (a[8], b6, temp );
temp = mul_add (a[9], b5, temp );
temp = mul_add (a[10], b4, temp );
temp = mul_add (a[11], b3, temp );
temp=mul_add(a[12], b2, temp);
c_avx[14] = _mm256_add_epi16(temp, c_avx[14]);


temp = _mm256_mullo_epi16 (a0, b[15]);
temp = mul_add (a1, b[14], temp );
temp = mul_add (a[14], b1, temp );
temp = mul_add (a[15], b0, temp );
temp = mul_add (a2, b[13], temp );
temp = mul_add (a3, b[12], temp );
temp = mul_add (a4, b[11], temp );
temp = mul_add (a5, b[10], temp );
temp = mul_add (a6, b[9], temp );
temp = mul_add (a7, b[8], temp );
temp = mul_add (a[8], b7, temp );
temp = mul_add (a[9], b6, temp );
temp = mul_add (a[10], b5, temp );
temp = mul_add (a[11], b4, temp );
temp = mul_add (a[12], b3, temp );
temp=mul_add(a[13], b2, temp);
c_avx[15] = _mm256_add_epi16(temp, c_avx[15]);


// unrolled second triangle
a0=a[14];
a1=a[15];
a2=a[13];
a3=a[12];
a4=a[11];
a5=a[10];
a6=a[9];
a7=a[8];

b0=b[14];
b1=b[15];
b2=b[13];
b3=b[12];
b4=b[11];
b5=b[10];
b6=b[9];
b7=b[8];

temp = _mm256_mullo_epi16 (a[1], b1);
temp = mul_add (a[2], b0, temp );
temp = mul_add (a[3], b2, temp );
temp = mul_add (a[4], b3, temp );
temp = mul_add (a[5], b4, temp );
temp = mul_add (a[6], b5, temp );
temp = mul_add (a[7], b6, temp );
temp = mul_add (a7, b7, temp );
temp = mul_add (a6, b[7], temp );
temp = mul_add (a5, b[6], temp );
temp = mul_add (a4, b[5], temp );
temp = mul_add (a3, b[4], temp );
temp = mul_add (a2, b[3], temp );
temp = mul_add (a0, b[2], temp );
temp=mul_add(a1, b[1], temp);
c_avx[16] = _mm256_add_epi16(temp, c_avx[16]);


temp = _mm256_mullo_epi16 (a[2], b1);
temp = mul_add (a[3], b0, temp );
temp = mul_add (a[4], b2, temp );
temp = mul_add (a[5], b3, temp );
temp = mul_add (a[6], b4, temp );
temp = mul_add (a[7], b5, temp );
temp = mul_add (a7, b6, temp );
temp = mul_add (a6, b7, temp );
temp = mul_add (a5, b[7], temp );
temp = mul_add (a4, b[6], temp );
temp = mul_add (a3, b[5], temp );
temp = mul_add (a2, b[4], temp );
temp = mul_add (a0, b[3], temp );
temp=mul_add(a1, b[2], temp);
c_avx[17] = _mm256_add_epi16(temp, c_avx[17]);


temp = _mm256_mullo_epi16 (a[3], b1);
temp = mul_add (a[4], b0, temp );
temp = mul_add (a[5], b2, temp );
temp = mul_add (a[6], b3, temp );
temp = mul_add (a[7], b4, temp );
temp = mul_add (a7, b5, temp );
temp = mul_add (a6, b6, temp );
temp = mul_add (a5, b7, temp );
temp = mul_add (a4, b[7], temp );
temp = mul_add (a3, b[6], temp );
temp = mul_add (a2, b[5], temp );
temp = mul_add (a0, b[4], temp );
temp=mul_add(a1, b[3], temp);
c_avx[18] = _mm256_add_epi16(temp, c_avx[18]);


temp = _mm256_mullo_epi16 (a[4], b1);
temp = mul_add (a[5], b0, temp );
temp = mul_add (a[6], b2, temp );
temp = mul_add (a[7], b3, temp );
temp = mul_add (a7, b4, temp );
temp = mul_add (a6, b5, temp );
temp = mul_add (a5, b6, temp );
temp = mul_add (a4, b7, temp );
temp = mul_add (a3, b[7], temp );
temp = mul_add (a2, b[6], temp );
temp = mul_add (a0, b[5], temp );
temp=mul_add(a1, b[4], temp);
c_avx[19] = _mm256_add_epi16(temp, c_avx[19]);


temp = _mm256_mullo_epi16 (a[5], b1);
temp = mul_add (a[6], b0, temp );
temp = mul_add (a[7], b2, temp );
temp = mul_add (a7, b3, temp );
temp = mul_add (a6, b4, temp );
temp = mul_add (a5, b5, temp );
temp = mul_add (a4, b6, temp );
temp = mul_add (a3, b7, temp );
temp = mul_add (a2, b[7], temp );
temp = mul_add (a0, b[6], temp );
temp=mul_add(a1, b[5], temp);
c_avx[20] = _mm256_add_epi16(temp, c_avx[20]);


temp = _mm256_mullo_epi16 (a[6], b1);
temp = mul_add (a[7], b0, temp );
temp = mul_add (a7, b2, temp );
temp = mul_add (a6, b3, temp );
temp = mul_add (a5, b4, temp );
temp = mul_add (a4, b5, temp );
temp = mul_add (a3, b6, temp );
temp = mul_add (a2, b7, temp );
temp = mul_add (a0, b[7], temp );
temp=mul_add(a1, b[6], temp);
c_avx[21] = _mm256_add_epi16(temp, c_avx[21]);


temp = _mm256_mullo_epi16 (a[7], b1);
temp = mul_add (a7, b0, temp );
temp = mul_add (a6, b2, temp );
temp = mul_add (a5, b3, temp );
temp = mul_add (a4, b4, temp );
temp = mul_add (a3, b5, temp );
temp = mul_add (a2, b6, temp );
temp = mul_add (a0, b7, temp );
temp=mul_add(a1, b[7], temp);
c_avx[22] = _mm256_add_epi16(temp, c_avx[22]);


temp = _mm256_mullo_epi16 (a7, b1);
temp = mul_add (a6, b0, temp );
temp = mul_add (a5, b2, temp );
temp = mul_add (a4, b3, temp );
temp = mul_add (a3, b4, temp );
temp = mul_add (a2, b5, temp );
temp = mul_add (a0, b6, temp );
temp=mul_add(a1, b7, temp);
c_avx[23] = _mm256_add_epi16(temp, c_avx[23]);


temp = _mm256_mullo_epi16 (a6, b1);
temp = mul_add (a5, b0, temp );
temp = mul_add (a4, b2, temp );
temp = mul_add (a3, b3, temp );
temp = mul_add (a2, b4, temp );
temp = mul_add (a0, b5, temp );
temp=mul_add(a1, b6, temp);
c_avx[24] = _mm256_add_epi16(temp, c_avx[24]);


temp = _mm256_mullo_epi16 (a5, b1);
temp = mul_add (a4, b0, temp );
temp = mul_add (a3, b2, temp );
temp = mul_add (a2, b3, temp );
temp = mul_add (a0, b4, temp );
temp=mul_add(a1, b5, temp);
c_avx[25] = _mm256_add_epi16(temp, c_avx[25]);


temp = _mm256_mullo_epi16 (a4, b1);
temp = mul_add (a3, b0, temp );
temp = mul_add (a2, b2, temp );
temp = mul_add (a0, b3, temp );
temp=mul_add(a1, b4, temp);
c_avx[26] = _mm256_add_epi16(temp, c_avx[26]);


temp = _mm256_mullo_epi16 (a3, b1);
temp = mul_add (a2, b0, temp );
temp = mul_add (a0, b2, temp );
temp=mul_add(a1, b3, temp);
c_avx[27] = _mm256_add_epi16(temp, c_avx[27]);


temp = _mm256_mullo_epi16 (a2, b1);
temp = mul_add (a0, b0, temp );
temp=mul_add(a1, b2, temp);
c_avx[28] = _mm256_add_epi16(temp, c_avx[28]);


temp = _mm256_mullo_epi16 (a0, b1);
temp=mul_add(a1, b0, temp);
c_avx[29] = _mm256_add_epi16(temp, c_avx[29]);


c_avx[30] = mul_add(a1, b1, c_avx[30]);



c_avx[2*SCM_SIZE-1] = _mm256_set_epi64x(0, 0, 0, 0);


}



static void schoolbook_avx_new2(__m256i* a, __m256i* b, __m256i* c_avx) ////8 coefficients of a and b has been prefetched
//the c_avx are not added cummulatively
{

__m256i a0, a1, a2, a3, a4, a5, a6, a7, b0, b1, b2, b3, b4, b5, b6, b7;
__m256i temp;


a0=a[0];
a1=a[1];
a2=a[2];
a3=a[3];
a4=a[4];
a5=a[5];
a6=a[6];
a7=a[7];

b0=b[0];
b1=b[1];
b2=b[2];
b3=b[3];
b4=b[4];
b5=b[5];
b6=b[6];
b7=b[7];

// New Unrolled first triangle
c_avx[0] = _mm256_mullo_epi16 (a0, b0);

temp = _mm256_mullo_epi16 (a0, b1);
c_avx[1]=mul_add(a1, b0, temp);

temp = _mm256_mullo_epi16 (a0, b2);

temp = mul_add(a1, b1, temp);
c_avx[2]= mul_add(a2, b0, temp);

temp = _mm256_mullo_epi16 (a0, b3);
temp = mul_add(a1, b2, temp);
temp = mul_add(a2, b1, temp);
c_avx[3]= mul_add(a3, b0, temp);

temp = _mm256_mullo_epi16 (a0, b4);
temp = mul_add(a1, b3, temp);
temp = mul_add(a3, b1, temp);
temp = mul_add(a4, b0, temp);
c_avx[4]= mul_add(a2, b2, temp);

temp = _mm256_mullo_epi16 (a0, b5);
temp = mul_add(a1, b4 , temp);
temp = mul_add(a2, b3, temp);
temp = mul_add(a3, b2, temp);
temp = mul_add( a4, b1, temp);
c_avx[5] = mul_add(a5, b0, temp);
temp = _mm256_mullo_epi16 (a0, b6);
temp = mul_add(a1, b5, temp);
temp = mul_add(a5, b1, temp);
temp = mul_add(a6, b0, temp);
temp = mul_add(a2, b4, temp);
temp = mul_add(a3, b3, temp);
c_avx[6] = mul_add(a4, b2, temp);

temp = _mm256_mullo_epi16 (a0, b7);
temp = mul_add(a1, b6, temp);
temp = mul_add (a6, b1, temp);
temp = mul_add (a7, b0, temp);
temp = mul_add(a2, b5, temp);
temp = mul_add (a3, b4, temp);
temp = mul_add (a4, b3, temp);
c_avx[7] = mul_add (a5, b2, temp);

temp = _mm256_mullo_epi16 (a0, b[8]);
temp = mul_add (a1, b7, temp);
temp = mul_add (a7, b1, temp);
temp = mul_add (a[8], b0, temp);
temp = mul_add (a2, b6,temp);
temp = mul_add(a3, b5, temp);
temp = mul_add (a4, b4,temp);
temp = mul_add (a5, b3, temp);
c_avx[8] = mul_add (a6, b2, temp);

temp = _mm256_mullo_epi16 (a0, b[9]);
temp = mul_add (a1, b[8], temp);
temp = mul_add (a[8], b1, temp);
temp = mul_add (a[9], b0, temp);
temp = mul_add (a2, b7, temp);
temp = mul_add (a3, b6, temp);
temp = mul_add (a4, b5, temp);
temp = mul_add (a5, b4, temp);
temp = mul_add (a6, b3, temp);
c_avx[9] = mul_add (a7, b2, temp);

temp= _mm256_mullo_epi16 (a0, b[10]);
temp = mul_add (a1, b[9], temp);
temp = mul_add (a[9], b1, temp);
temp = mul_add (a[10], b0, temp);
temp = mul_add (a2, b[8], temp);
temp = mul_add (a3, b7, temp);
temp = mul_add (a4, b6, temp);
temp = mul_add (a5, b5, temp);
temp = mul_add (a6, b4, temp);
temp = mul_add (a7, b3, temp);
c_avx[10] = mul_add (a[8], b2, temp);

temp = _mm256_mullo_epi16 (a0, b[11]);
temp = mul_add (a1, b[10], temp );
temp = mul_add (a[10], b1, temp );
temp = mul_add (a[11], b0, temp );
temp = mul_add (a2, b[9], temp );
temp = mul_add (a3, b[8], temp );
temp = mul_add (a4, b7, temp );
temp = mul_add (a5, b6, temp );
temp = mul_add (a6, b5, temp );
temp = mul_add (a7, b4, temp );
temp = mul_add (a[8], b3, temp );
c_avx[11] = mul_add (a[9], b2, temp );

temp = _mm256_mullo_epi16 (a0, b[12]);
temp = mul_add (a1, b[11], temp);
temp = mul_add (a[11], b1, temp);
temp = mul_add (a[12], b0, temp);
temp = mul_add (a2, b[10], temp);
temp = mul_add (a3, b[9], temp);
temp = mul_add (a4, b[8], temp);
temp = mul_add (a5, b7, temp);
temp = mul_add (a6, b6, temp);
temp = mul_add (a7, b5, temp);
temp = mul_add (a[8], b4, temp);
temp = mul_add (a[9], b3, temp);
c_avx[12] = mul_add (a[10], b2, temp);

temp = _mm256_mullo_epi16 (a0, b[13]);
temp = mul_add (a1, b[12], temp );
temp = mul_add (a[12], b1, temp );
temp = mul_add (a[13], b0, temp );
temp = mul_add (a2, b[11], temp );
temp = mul_add (a3, b[10], temp );
temp = mul_add (a4, b[9], temp );
temp = mul_add (a5, b[8], temp );
temp = mul_add (a6, b7, temp );
temp = mul_add (a7, b6, temp );
temp = mul_add (a[8], b5, temp );
temp = mul_add (a[9], b4, temp );
temp = mul_add (a[10], b3, temp );
c_avx[13] = mul_add (a[11], b2, temp );

temp = _mm256_mullo_epi16 (a0, b[14]);
temp = mul_add (a1, b[13], temp );
temp = mul_add (a[13], b1, temp );
temp = mul_add (a[14], b0, temp );
temp = mul_add (a2, b[12], temp );
temp = mul_add (a3, b[11], temp );
temp = mul_add (a4, b[10], temp );
temp = mul_add (a5, b[9], temp );
temp = mul_add (a6, b[8], temp );
temp = mul_add (a7, b7, temp );
temp = mul_add (a[8], b6, temp );
temp = mul_add (a[9], b5, temp );
temp = mul_add (a[10], b4, temp );
temp = mul_add (a[11], b3, temp );
c_avx[14] = mul_add (a[12], b2, temp );

temp = _mm256_mullo_epi16 (a0, b[15]);
temp = mul_add (a1, b[14], temp );
temp = mul_add (a[14], b1, temp );
temp = mul_add (a[15], b0, temp );
temp = mul_add (a2, b[13], temp );
temp = mul_add (a3, b[12], temp );
temp = mul_add (a4, b[11], temp );
temp = mul_add (a5, b[10], temp );
temp = mul_add (a6, b[9], temp );
temp = mul_add (a7, b[8], temp );
temp = mul_add (a[8], b7, temp );
temp = mul_add (a[9], b6, temp );
temp = mul_add (a[10], b5, temp );
temp = mul_add (a[11], b4, temp );
temp = mul_add (a[12], b3, temp );
c_avx[15] = mul_add (a[13], b2, temp );


// unrolled second triangle
a0=a[14];
a1=a[15];
a2=a[13];
a3=a[12];
a4=a[11];
a5=a[10];
a6=a[9];
a7=a[8];

b0=b[14];
b1=b[15];
b2=b[13];
b3=b[12];
b4=b[11];
b5=b[10];
b6=b[9];
b7=b[8];

temp = _mm256_mullo_epi16 (a[1], b1);
temp = mul_add (a[2], b0, temp );
temp = mul_add (a[3], b2, temp );
temp = mul_add (a[4], b3, temp );
temp = mul_add (a[5], b4, temp );
temp = mul_add (a[6], b5, temp );
temp = mul_add (a[7], b6, temp );
temp = mul_add (a7, b7, temp );
temp = mul_add (a6, b[7], temp );
temp = mul_add (a5, b[6], temp );
temp = mul_add (a4, b[5], temp );
temp = mul_add (a3, b[4], temp );
temp = mul_add (a2, b[3], temp );
temp = mul_add (a0, b[2], temp );
c_avx[16] = mul_add (a1, b[1], temp );

temp = _mm256_mullo_epi16 (a[2], b1);
temp = mul_add (a[3], b0, temp );
temp = mul_add (a[4], b2, temp );
temp = mul_add (a[5], b3, temp );
temp = mul_add (a[6], b4, temp );
temp = mul_add (a[7], b5, temp );
temp = mul_add (a7, b6, temp );
temp = mul_add (a6, b7, temp );
temp = mul_add (a5, b[7], temp );
temp = mul_add (a4, b[6], temp );
temp = mul_add (a3, b[5], temp );
temp = mul_add (a2, b[4], temp );
temp = mul_add (a0, b[3], temp );
c_avx[17] = mul_add (a1, b[2], temp );

temp = _mm256_mullo_epi16 (a[3], b1);
temp = mul_add (a[4], b0, temp );
temp = mul_add (a[5], b2, temp );
temp = mul_add (a[6], b3, temp );
temp = mul_add (a[7], b4, temp );
temp = mul_add (a7, b5, temp );
temp = mul_add (a6, b6, temp );
temp = mul_add (a5, b7, temp );
temp = mul_add (a4, b[7], temp );
temp = mul_add (a3, b[6], temp );
temp = mul_add (a2, b[5], temp );
temp = mul_add (a0, b[4], temp );
c_avx[18] = mul_add (a1, b[3], temp );

temp = _mm256_mullo_epi16 (a[4], b1);
temp = mul_add (a[5], b0, temp );
temp = mul_add (a[6], b2, temp );
temp = mul_add (a[7], b3, temp );
temp = mul_add (a7, b4, temp );
temp = mul_add (a6, b5, temp );
temp = mul_add (a5, b6, temp );
temp = mul_add (a4, b7, temp );
temp = mul_add (a3, b[7], temp );
temp = mul_add (a2, b[6], temp );
temp = mul_add (a0, b[5], temp );
c_avx[19] = mul_add (a1, b[4], temp );

temp = _mm256_mullo_epi16 (a[5], b1);
temp = mul_add (a[6], b0, temp );
temp = mul_add (a[7], b2, temp );
temp = mul_add (a7, b3, temp );
temp = mul_add (a6, b4, temp );
temp = mul_add (a5, b5, temp );
temp = mul_add (a4, b6, temp );
temp = mul_add (a3, b7, temp );
temp = mul_add (a2, b[7], temp );
temp = mul_add (a0, b[6], temp );
c_avx[20] = mul_add (a1, b[5], temp );

temp = _mm256_mullo_epi16 (a[6], b1);
temp = mul_add (a[7], b0, temp );
temp = mul_add (a7, b2, temp );
temp = mul_add (a6, b3, temp );
temp = mul_add (a5, b4, temp );
temp = mul_add (a4, b5, temp );
temp = mul_add (a3, b6, temp );
temp = mul_add (a2, b7, temp );
temp = mul_add (a0, b[7], temp );
c_avx[21] = mul_add (a1, b[6], temp );

temp = _mm256_mullo_epi16 (a[7], b1);
temp = mul_add (a7, b0, temp );
temp = mul_add (a6, b2, temp );
temp = mul_add (a5, b3, temp );
temp = mul_add (a4, b4, temp );
temp = mul_add (a3, b5, temp );
temp = mul_add (a2, b6, temp );
temp = mul_add (a0, b7, temp );
c_avx[22] = mul_add (a1, b[7], temp );

temp = _mm256_mullo_epi16 (a7, b1);
temp = mul_add (a6, b0, temp );
temp = mul_add (a5, b2, temp );
temp = mul_add (a4, b3, temp );
temp = mul_add (a3, b4, temp );
temp = mul_add (a2, b5, temp );
temp = mul_add (a0, b6, temp );
c_avx[23] = mul_add (a1, b7, temp );

temp = _mm256_mullo_epi16 (a6, b1);
temp = mul_add (a5, b0, temp );
temp = mul_add (a4, b2, temp );
temp = mul_add (a3, b3, temp );
temp = mul_add (a2, b4, temp );
temp = mul_add (a0, b5, temp );
c_avx[24] = mul_add (a1, b6, temp );

temp = _mm256_mullo_epi16 (a5, b1);
temp = mul_add (a4, b0, temp );
temp = mul_add (a3, b2, temp );
temp = mul_add (a2, b3, temp );
temp = mul_add (a0, b4, temp );
c_avx[25] = mul_add (a1, b5, temp );

temp = _mm256_mullo_epi16 (a4, b1);
temp = mul_add (a3, b0, temp );
temp = mul_add (a2, b2, temp );
temp = mul_add (a0, b3, temp );
c_avx[26] = mul_add (a1, b4, temp );

temp = _mm256_mullo_epi16 (a3, b1);
temp = mul_add (a2, b0, temp );
temp = mul_add (a0, b2, temp );
c_avx[27] = mul_add (a1, b3, temp );

temp = _mm256_mullo_epi16 (a2, b1);
temp = mul_add (a0, b0, temp );
c_avx[28] = mul_add (a1, b2, temp );

temp = _mm256_mullo_epi16 (a0, b1);
c_avx[29] = mul_add (a1, b0, temp);

c_avx[30] = _mm256_mullo_epi16 (a1, b1);


c_avx[2*SCM_SIZE-1] = _mm256_set_epi64x(0, 0, 0, 0);

}

+ 0
- 1010
crypto_kem/lightsaber/avx2/polymul/toom-cook_4way.c
File diff suppressed because it is too large
View File


+ 63
- 42
crypto_kem/lightsaber/clean/SABER_indcpa.c View File

@@ -11,81 +11,102 @@
#define h2 ((1 << (SABER_EP - 2)) - (1 << (SABER_EP - SABER_ET - 1)) + (1 << (SABER_EQ - SABER_EP - 1)))

void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_keypair(uint8_t pk[SABER_INDCPA_PUBLICKEYBYTES], uint8_t sk[SABER_INDCPA_SECRETKEYBYTES]) {
uint16_t A[SABER_L][SABER_L][SABER_N];
uint16_t s[SABER_L][SABER_N];
uint16_t b[SABER_L][SABER_N] = {{0}};

uint8_t seed_A[SABER_SEEDBYTES];
uint8_t seed_s[SABER_NOISE_SEEDBYTES];
size_t i, j;

poly A[SABER_L][SABER_L];
poly s[SABER_L];
poly res[SABER_L];

uint8_t rand[SABER_NOISESEEDBYTES];
uint8_t *seed_A = pk + SABER_POLYVECCOMPRESSEDBYTES;

randombytes(seed_A, SABER_SEEDBYTES);
shake128(seed_A, SABER_SEEDBYTES, seed_A, SABER_SEEDBYTES); // for not revealing system RNG state
randombytes(seed_s, SABER_NOISE_SEEDBYTES);

PQCLEAN_LIGHTSABER_CLEAN_GenMatrix(A, seed_A);
PQCLEAN_LIGHTSABER_CLEAN_GenSecret(s, seed_s);
PQCLEAN_LIGHTSABER_CLEAN_MatrixVectorMul(b, (const uint16_t (*)[SABER_L][SABER_N])A, (const uint16_t (*)[SABER_N])s, 1);
randombytes(rand, SABER_NOISESEEDBYTES);
PQCLEAN_LIGHTSABER_CLEAN_GenSecret(s, rand);
PQCLEAN_LIGHTSABER_CLEAN_POLVECq2BS(sk, s);

PQCLEAN_LIGHTSABER_CLEAN_GenMatrix(A, seed_A); // sample matrix A
PQCLEAN_LIGHTSABER_CLEAN_MatrixVectorMul(res, (const poly (*)[SABER_L])A, (const poly *)s, 1); // Matrix in transposed order


// rounding
for (i = 0; i < SABER_L; i++) {
for (j = 0; j < SABER_N; j++) {
b[i][j] = (b[i][j] + h1) >> (SABER_EQ - SABER_EP);
res[i].coeffs[j] += h1;
res[i].coeffs[j] >>= SABER_EQ - SABER_EP;
res[i].coeffs[j] &= SABER_Q - 1;
}
}

PQCLEAN_LIGHTSABER_CLEAN_POLVECq2BS(sk, (const uint16_t (*)[SABER_N])s);
PQCLEAN_LIGHTSABER_CLEAN_POLVECp2BS(pk, (const uint16_t (*)[SABER_N])b);
memcpy(pk + SABER_POLYVECCOMPRESSEDBYTES, seed_A, sizeof(seed_A));
PQCLEAN_LIGHTSABER_CLEAN_POLVECp2BS(pk, res); // pack public key
}

void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_enc(uint8_t ciphertext[SABER_BYTES_CCA_DEC], const uint8_t m[SABER_KEYBYTES], const uint8_t seed_sp[SABER_NOISE_SEEDBYTES], const uint8_t pk[SABER_INDCPA_PUBLICKEYBYTES]) {
uint16_t A[SABER_L][SABER_L][SABER_N];
uint16_t sp[SABER_L][SABER_N];
uint16_t bp[SABER_L][SABER_N] = {{0}};
uint16_t vp[SABER_N] = {0};
uint16_t mp[SABER_N];
uint16_t b[SABER_L][SABER_N];

void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_enc(uint8_t ciphertext[SABER_BYTES_CCA_DEC], const uint8_t m[SABER_KEYBYTES], const uint8_t noiseseed[SABER_NOISESEEDBYTES], const uint8_t pk[SABER_INDCPA_PUBLICKEYBYTES]) {
size_t i, j;

poly A[SABER_L][SABER_L];
poly res[SABER_L];
poly s[SABER_L];
poly *temp = A[0]; // re-use stack space
poly *vprime = &A[0][0];
poly *message = &A[0][1];

const uint8_t *seed_A = pk + SABER_POLYVECCOMPRESSEDBYTES;
uint8_t *msk_c = ciphertext + SABER_POLYVECCOMPRESSEDBYTES;

PQCLEAN_LIGHTSABER_CLEAN_GenSecret(s, noiseseed);
PQCLEAN_LIGHTSABER_CLEAN_GenMatrix(A, seed_A);
PQCLEAN_LIGHTSABER_CLEAN_GenSecret(sp, seed_sp);
PQCLEAN_LIGHTSABER_CLEAN_MatrixVectorMul(bp, (const uint16_t (*)[SABER_L][SABER_N])A, (const uint16_t (*)[SABER_N])sp, 0);
PQCLEAN_LIGHTSABER_CLEAN_MatrixVectorMul(res, (const poly (*)[SABER_L])A, (const poly *)s, 0); // 0 => not transposed

for (i = 0; i < SABER_L; i++) {

// rounding
for (i = 0; i < SABER_L; i++) { //shift right EQ-EP bits
for (j = 0; j < SABER_N; j++) {
bp[i][j] = (bp[i][j] + h1) >> (SABER_EQ - SABER_EP);
res[i].coeffs[j] += h1;
res[i].coeffs[j] >>= SABER_EQ - SABER_EP;
res[i].coeffs[j] &= SABER_Q - 1;
}
}
PQCLEAN_LIGHTSABER_CLEAN_POLVECp2BS(ciphertext, res);

PQCLEAN_LIGHTSABER_CLEAN_POLVECp2BS(ciphertext, (const uint16_t (*)[SABER_N])bp);
PQCLEAN_LIGHTSABER_CLEAN_BS2POLVECp(b, pk);
PQCLEAN_LIGHTSABER_CLEAN_InnerProd(vp, (const uint16_t (*)[SABER_N])b, (const uint16_t (*)[SABER_N])sp);

PQCLEAN_LIGHTSABER_CLEAN_BS2POLmsg(mp, m);
// vector-vector scalar multiplication with mod p
PQCLEAN_LIGHTSABER_CLEAN_BS2POLVECp(temp, pk);
PQCLEAN_LIGHTSABER_CLEAN_InnerProd(vprime, temp, s);
PQCLEAN_LIGHTSABER_CLEAN_BS2POLmsg(message, m);

for (j = 0; j < SABER_N; j++) {
vp[j] = (vp[j] - (mp[j] << (SABER_EP - 1)) + h1) >> (SABER_EP - SABER_ET);
for (i = 0; i < SABER_N; i++) {
vprime->coeffs[i] += h1 - (message->coeffs[i] << (SABER_EP - 1));
vprime->coeffs[i] &= SABER_P - 1;
vprime->coeffs[i] >>= SABER_EP - SABER_ET;
}

PQCLEAN_LIGHTSABER_CLEAN_POLT2BS(ciphertext + SABER_POLYVECCOMPRESSEDBYTES, vp);
PQCLEAN_LIGHTSABER_CLEAN_POLT2BS(msk_c, vprime);
}

void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_dec(uint8_t m[SABER_KEYBYTES], const uint8_t sk[SABER_INDCPA_SECRETKEYBYTES], const uint8_t ciphertext[SABER_BYTES_CCA_DEC]) {

uint16_t s[SABER_L][SABER_N];
uint16_t b[SABER_L][SABER_N];
uint16_t v[SABER_N] = {0};
uint16_t cm[SABER_N];
void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_dec(uint8_t m[SABER_KEYBYTES], const uint8_t sk[SABER_INDCPA_SECRETKEYBYTES], const uint8_t ciphertext[SABER_BYTES_CCA_DEC]) {
size_t i;

poly temp[SABER_L];
poly s[SABER_L];

const uint8_t *packed_cm = ciphertext + SABER_POLYVECCOMPRESSEDBYTES;
poly *v = &temp[0];
poly *cm = &temp[1];

PQCLEAN_LIGHTSABER_CLEAN_BS2POLVECq(s, sk);
PQCLEAN_LIGHTSABER_CLEAN_BS2POLVECp(b, ciphertext);
PQCLEAN_LIGHTSABER_CLEAN_InnerProd(v, (const uint16_t (*)[SABER_N])b, (const uint16_t (*)[SABER_N])s);
PQCLEAN_LIGHTSABER_CLEAN_BS2POLT(cm, ciphertext + SABER_POLYVECCOMPRESSEDBYTES);
PQCLEAN_LIGHTSABER_CLEAN_BS2POLVECp(temp, ciphertext);
PQCLEAN_LIGHTSABER_CLEAN_InnerProd(&temp[0], temp, s);

PQCLEAN_LIGHTSABER_CLEAN_BS2POLT(cm, packed_cm);

for (i = 0; i < SABER_N; i++) {
v[i] = (v[i] + h2 - (cm[i] << (SABER_EP - SABER_ET))) >> (SABER_EP - 1);
v->coeffs[i] += h2 - (cm->coeffs[i] << (SABER_EP - SABER_ET));
v->coeffs[i] &= SABER_P - 1;
v->coeffs[i] >>= SABER_EP - 1;
}

PQCLEAN_LIGHTSABER_CLEAN_POLmsg2BS(m, v);


+ 1
- 1
crypto_kem/lightsaber/clean/SABER_indcpa.h View File

@@ -5,7 +5,7 @@

void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_keypair(uint8_t pk[SABER_INDCPA_PUBLICKEYBYTES], uint8_t sk[SABER_INDCPA_SECRETKEYBYTES]);

void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_enc(uint8_t ciphertext[SABER_BYTES_CCA_DEC], const uint8_t m[SABER_KEYBYTES], const uint8_t seed_sp[SABER_NOISE_SEEDBYTES], const uint8_t pk[SABER_INDCPA_PUBLICKEYBYTES]);
void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_enc(uint8_t ciphertext[SABER_BYTES_CCA_DEC], const uint8_t m[SABER_KEYBYTES], const uint8_t noiseseed[SABER_NOISESEEDBYTES], const uint8_t pk[SABER_INDCPA_PUBLICKEYBYTES]);

void PQCLEAN_LIGHTSABER_CLEAN_indcpa_kem_dec(uint8_t m[SABER_KEYBYTES], const uint8_t sk[SABER_INDCPA_SECRETKEYBYTES], const uint8_t ciphertext[SABER_BYTES_CCA_DEC]);



+ 7
- 5
crypto_kem/lightsaber/clean/SABER_params.h View File

@@ -2,19 +2,21 @@
#define PARAMS_H


/* Change this for different security strengths */

/* Don't change anything below this line */
#define SABER_L 2
#define SABER_MU 10
#define SABER_ET 3

#define SABER_EQ 13
#define SABER_EP 10
#define SABER_N 256

#define SABER_EP 10
#define SABER_P (1 << SABER_EP)

#define SABER_EQ 13
#define SABER_Q (1 << SABER_EQ)

#define SABER_SEEDBYTES 32
#define SABER_NOISE_SEEDBYTES 32
#define SABER_NOISESEEDBYTES 32
#define SABER_KEYBYTES 32
#define SABER_HASHBYTES 32



+ 1
- 1
crypto_kem/lightsaber/clean/api.h View File

@@ -15,4 +15,4 @@ int PQCLEAN_LIGHTSABER_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *k,
int PQCLEAN_LIGHTSABER_CLEAN_crypto_kem_dec(unsigned char *k, const unsigned char *ct, const unsigned char *sk);


#endif /* api_h */
#endif /* PQCLEAN_LIGHTSABER_CLEAN_API_H */

+ 91
- 78
crypto_kem/lightsaber/clean/pack_unpack.c View File

@@ -1,140 +1,153 @@
#include "api.h"
#include "SABER_params.h"
#include "pack_unpack.h"
#include "poly.h"
#include <string.h>

void PQCLEAN_LIGHTSABER_CLEAN_POLT2BS(uint8_t bytes[SABER_SCALEBYTES_KEM], const uint16_t data[SABER_N]) {
size_t j, offset_byte, offset_data;
void PQCLEAN_LIGHTSABER_CLEAN_POLT2BS(uint8_t bytes[SABER_SCALEBYTES_KEM], const poly *data) {
size_t j;
const uint16_t *in = data->coeffs;
uint8_t *out = bytes;
for (j = 0; j < SABER_N / 8; j++) {
offset_byte = 3 * j;
offset_data = 8 * j;
bytes[offset_byte + 0] = (data[offset_data + 0] & 0x7) | ((data[offset_data + 1] & 0x7) << 3) | ((data[offset_data + 2] & 0x3) << 6);
bytes[offset_byte + 1] = ((data[offset_data + 2] >> 2) & 0x01) | ((data[offset_data + 3] & 0x7) << 1) | ((data[offset_data + 4] & 0x7) << 4) | (((data[offset_data + 5]) & 0x01) << 7);
bytes[offset_byte + 2] = ((data[offset_data + 5] >> 1) & 0x03) | ((data[offset_data + 6] & 0x7) << 2) | ((data[offset_data + 7] & 0x7) << 5);
out[0] = (in[0] & 0x7) | ((in[1] & 0x7) << 3) | ((in[2] & 0x3) << 6);
out[1] = ((in[2] >> 2) & 0x01) | ((in[3] & 0x7) << 1) | ((in[4] & 0x7) << 4) | (((in[5]) & 0x01) << 7);
out[2] = ((in[5] >> 1) & 0x03) | ((in[6] & 0x7) << 2) | ((in[7] & 0x7) << 5);
in += 8;
out += 3;
}
}

void PQCLEAN_LIGHTSABER_CLEAN_BS2POLT(uint16_t data[SABER_N], const uint8_t bytes[SABER_SCALEBYTES_KEM]) {
size_t j, offset_byte, offset_data;
void PQCLEAN_LIGHTSABER_CLEAN_BS2POLT(poly *data, const uint8_t bytes[SABER_SCALEBYTES_KEM]) {
size_t j;
const uint8_t *in = bytes;
uint16_t *out = data->coeffs;
for (j = 0; j < SABER_N / 8; j++) {
offset_byte = 3 * j;
offset_data = 8 * j;
data[offset_data + 0] = (bytes[offset_byte + 0]) & 0x07;
data[offset_data + 1] = ((bytes[offset_byte + 0]) >> 3) & 0x07;
data[offset_data + 2] = (((bytes[offset_byte + 0]) >> 6) & 0x03) | (((bytes[offset_byte + 1]) & 0x01) << 2);
data[offset_data + 3] = ((bytes[offset_byte + 1]) >> 1) & 0x07;
data[offset_data + 4] = ((bytes[offset_byte + 1]) >> 4) & 0x07;
data[offset_data + 5] = (((bytes[offset_byte + 1]) >> 7) & 0x01) | (((bytes[offset_byte + 2]) & 0x03) << 1);
data[offset_data + 6] = ((bytes[offset_byte + 2] >> 2) & 0x07);
data[offset_data + 7] = ((bytes[offset_byte + 2] >> 5) & 0x07);
out[0] = (in[0]) & 0x07;
out[1] = ((in[0]) >> 3) & 0x07;
out[2] = (((in[0]) >> 6) & 0x03) | (((in[1]) & 0x01) << 2);
out[3] = ((in[1]) >> 1) & 0x07;
out[4] = ((in[1]) >> 4) & 0x07;
out[5] = (((in[1]) >> 7) & 0x01) | (((in[2]) & 0x03) << 1);
out[6] = ((in[2] >> 2) & 0x07);
out[7] = ((in[2] >> 5) & 0x07);
in += 3;
out += 8;
}
}

static void POLq2BS(uint8_t bytes[SABER_POLYBYTES], const uint16_t data[SABER_N]) {
size_t j, offset_byte, offset_data;
static void POLq2BS(uint8_t bytes[SABER_POLYBYTES], const poly *data) {
size_t j;
const uint16_t *in = data->coeffs;
uint8_t *out = bytes;
for (j = 0; j < SABER_N / 8; j++) {
offset_byte = 13 * j;
offset_data = 8 * j;
bytes[offset_byte + 0] = (data[offset_data + 0] & (0xff));
bytes[offset_byte + 1] = ((data[offset_data + 0] >> 8) & 0x1f) | ((data[offset_data + 1] & 0x07) << 5);
bytes[offset_byte + 2] = ((data[offset_data + 1] >> 3) & 0xff);
bytes[offset_byte + 3] = ((data[offset_data + 1] >> 11) & 0x03) | ((data[offset_data + 2] & 0x3f) << 2);
bytes[offset_byte + 4] = ((data[offset_data + 2] >> 6) & 0x7f) | ((data[offset_data + 3] & 0x01) << 7);
bytes[offset_byte + 5] = ((data[offset_data + 3] >> 1) & 0xff);
bytes[offset_byte + 6] = ((data[offset_data + 3] >> 9) & 0x0f) | ((data[offset_data + 4] & 0x0f) << 4);
bytes[offset_byte + 7] = ((data[offset_data + 4] >> 4) & 0xff);
bytes[offset_byte + 8] = ((data[offset_data + 4] >> 12) & 0x01) | ((data[offset_data + 5] & 0x7f) << 1);
bytes[offset_byte + 9] = ((data[offset_data + 5] >> 7) & 0x3f) | ((data[offset_data + 6] & 0x03) << 6);
bytes[offset_byte + 10] = ((data[offset_data + 6] >> 2) & 0xff);
bytes[offset_byte + 11] = ((data[offset_data + 6] >> 10) & 0x07) | ((data[offset_data + 7] & 0x1f) << 3);
bytes[offset_byte + 12] = ((data[offset_data + 7] >> 5) & 0xff);
out[0] = (in[0] & (0xff));
out[1] = ((in[0] >> 8) & 0x1f) | ((in[1] & 0x07) << 5);
out[2] = ((in[1] >> 3) & 0xff);
out[3] = ((in[1] >> 11) & 0x03) | ((in[2] & 0x3f) << 2);
out[4] = ((in[2] >> 6) & 0x7f) | ((in[3] & 0x01) << 7);
out[5] = ((in[3] >> 1) & 0xff);
out[6] = ((in[3] >> 9) & 0x0f) | ((in[4] & 0x0f) << 4);
out[7] = ((in[4] >> 4) & 0xff);
out[8] = ((in[4] >> 12) & 0x01) | ((in[5] & 0x7f) << 1);
out[9] = ((in[5] >> 7) & 0x3f) | ((in[6] & 0x03) << 6);
out[10] = ((in[6] >> 2) & 0xff);
out[11] = ((in[6] >> 10) & 0x07) | ((in[7] & 0x1f) << 3);
out[12] = ((in[7] >> 5) & 0xff);
in += 8;
out += 13;
}
}

static void BS2POLq(uint16_t data[SABER_N], const uint8_t bytes[SABER_POLYBYTES]) {
size_t j, offset_byte, offset_data;
static void BS2POLq(poly *data, const uint8_t bytes[SABER_POLYBYTES]) {
size_t j;
const uint8_t *in = bytes;
uint16_t *out = data->coeffs;
for (j = 0; j < SABER_N / 8; j++) {
offset_byte = 13 * j;
offset_data = 8 * j;
data[offset_data + 0] = (bytes[offset_byte + 0] & (0xff)) | ((bytes[offset_byte + 1] & 0x1f) << 8);
data[offset_data + 1] = (bytes[offset_byte + 1] >> 5 & (0x07)) | ((bytes[offset_byte + 2] & 0xff) << 3) | ((bytes[offset_byte + 3] & 0x03) << 11);
data[offset_data + 2] = (bytes[offset_byte + 3] >> 2 & (0x3f)) | ((bytes[offset_byte + 4] & 0x7f) << 6);
data[offset_data + 3] = (bytes[offset_byte + 4] >> 7 & (0x01)) | ((bytes[offset_byte + 5] & 0xff) << 1) | ((bytes[offset_byte + 6] & 0x0f) << 9);
data[offset_data + 4] = (bytes[offset_byte + 6] >> 4 & (0x0f)) | ((bytes[offset_byte + 7] & 0xff) << 4) | ((bytes[offset_byte + 8] & 0x01) << 12);
data[offset_data + 5] = (bytes[offset_byte + 8] >> 1 & (0x7f)) | ((bytes[offset_byte + 9] & 0x3f) << 7);
data[offset_data + 6] = (bytes[offset_byte + 9] >> 6 & (0x03)) | ((bytes[offset_byte + 10] & 0xff) << 2) | ((bytes[offset_byte + 11] & 0x07) << 10);
data[offset_data + 7] = (bytes[offset_byte + 11] >> 3 & (0x1f)) | ((bytes[offset_byte + 12] & 0xff) << 5);
out[0] = (in[0] & (0xff)) | ((in[1] & 0x1f) << 8);
out[1] = (in[1] >> 5 & (0x07)) | ((in[2] & 0xff) << 3) | ((in[3] & 0x03) << 11);
out[2] = (in[3] >> 2 & (0x3f)) | ((in[4] & 0x7f) << 6);
out[3] = (in[4] >> 7 & (0x01)) | ((in[5] & 0xff) << 1) | ((in[6] & 0x0f) << 9);
out[4] = (in[6] >> 4 & (0x0f)) | ((in[7] & 0xff) << 4) | ((in[8] & 0x01) << 12);
out[5] = (in[8] >> 1 & (0x7f)) | ((in[9] & 0x3f) << 7);
out[6] = (in[9] >> 6 & (0x03)) | ((in[10] & 0xff) << 2) | ((in[11] & 0x07) << 10);
out[7] = (in[11] >> 3 & (0x1f)) | ((in[12] & 0xff) << 5);
in += 13;
out += 8;
}
}

static void POLp2BS(uint8_t bytes[SABER_POLYCOMPRESSEDBYTES], const uint16_t data[SABER_N]) {
size_t j, offset_byte, offset_data;
static void POLp2BS(uint8_t bytes[SABER_POLYCOMPRESSEDBYTES], const poly *data) {
size_t j;
const uint16_t *in = data->coeffs;
uint8_t *out = bytes;
for (j = 0; j < SABER_N / 4; j++) {
offset_byte = 5 * j;
offset_data = 4 * j;
bytes[offset_byte + 0] = (data[offset_data + 0] & (0xff));
bytes[offset_byte + 1] = ((data[offset_data + 0] >> 8) & 0x03) | ((data[offset_data + 1] & 0x3f) << 2);
bytes[offset_byte + 2] = ((data[offset_data + 1] >> 6) & 0x0f) | ((data[offset_data + 2] & 0x0f) << 4);
bytes[offset_byte + 3] = ((data[offset_data + 2] >> 4) & 0x3f) | ((data[offset_data + 3] & 0x03) << 6);
bytes[offset_byte + 4] = ((data[offset_data + 3] >> 2) & 0xff);
out[0] = (in[0] & (0xff));
out[1] = ((in[0] >> 8) & 0x03) | ((in[1] & 0x3f) << 2);
out[2] = ((in[1] >> 6) & 0x0f) | ((in[2] & 0x0f) << 4);
out[3] = ((in[2] >> 4) & 0x3f) | ((in[3] & 0x03) << 6);
out[4] = ((in[3] >> 2) & 0xff);
in += 4;
out += 5;
}
}

static void BS2POLp(uint16_t data[SABER_N], const uint8_t bytes[SABER_POLYCOMPRESSEDBYTES]) {
size_t j, offset_byte, offset_data;
static void BS2POLp(poly *data, const uint8_t bytes[SABER_POLYCOMPRESSEDBYTES]) {
size_t j;
const uint8_t *in = bytes;
uint16_t *out = data->coeffs;
for (j = 0; j < SABER_N / 4; j++) {
offset_byte = 5 * j;
offset_data = 4 * j;
data[offset_data + 0] = (bytes[offset_byte + 0] & (0xff)) | ((bytes[offset_byte + 1] & 0x03) << 8);
data[offset_data + 1] = ((bytes[offset_byte + 1] >> 2) & (0x3f)) | ((bytes[offset_byte + 2] & 0x0f) << 6);
data[offset_data + 2] = ((bytes[offset_byte + 2] >> 4) & (0x0f)) | ((bytes[offset_byte + 3] & 0x3f) << 4);
data[offset_data + 3] = ((bytes[offset_byte + 3] >> 6) & (0x03)) | ((bytes[offset_byte + 4] & 0xff) << 2);
out[0] = (in[0] & (0xff)) | ((in[1] & 0x03) << 8);
out[1] = ((in[1] >> 2) & (0x3f)) | ((in[2] & 0x0f) << 6);
out[2] = ((in[2] >> 4) & (0x0f)) | ((in[3] & 0x3f) << 4);
out[3] = ((in[3] >> 6) & (0x03)) | ((in[4] & 0xff) << 2);
in += 5;
out += 4;
}
}

void PQCLEAN_LIGHTSABER_CLEAN_POLVECq2BS(uint8_t bytes[SABER_POLYVECBYTES], const uint16_t data[SABER_L][SABER_N]) {
void PQCLEAN_LIGHTSABER_CLEAN_POLVECq2BS(uint8_t bytes[SABER_POLYVECBYTES], const poly data[SABER_L]) {
size_t i;
for (i = 0; i < SABER_L; i++) {
POLq2BS(bytes + i * SABER_POLYBYTES, data[i]);
POLq2BS(bytes + i * SABER_POLYBYTES, &data[i]);
}
}

void PQCLEAN_LIGHTSABER_CLEAN_BS2POLVECq(uint16_t data[SABER_L][SABER_N], const uint8_t bytes[SABER_POLYVECBYTES]) {
void PQCLEAN_LIGHTSABER_CLEAN_BS2POLVECq(poly data[SABER_L], const uint8_t bytes[SABER_POLYVECBYTES]) {
size_t i;
for (i = 0; i < SABER_L; i++) {
BS2POLq(data[i], bytes + i * SABER_POLYBYTES);
BS2POLq(&data[i], bytes + i * SABER_POLYBYTES);
}
}

void PQCLEAN_LIGHTSABER_CLEAN_POLVECp2BS(uint8_t bytes[SABER_POLYVECCOMPRESSEDBYTES], const uint16_t data[SABER_L][SABER_N]) {
void PQCLEAN_LIGHTSABER_CLEAN_POLVECp2BS(uint8_t bytes[SABER_POLYVECCOMPRESSEDBYTES], const poly data[SABER_L]) {
size_t i;
for (i = 0; i < SABER_L; i++) {
POLp2BS(bytes + i * (SABER_EP * SABER_N / 8), data[i]);
POLp2BS(bytes + i * SABER_POLYCOMPRESSEDBYTES, &data[i]);
}
}

void PQCLEAN_LIGHTSABER_CLEAN_BS2POLVECp(uint16_t data[SABER_L][SABER_N], const uint8_t bytes[SABER_POLYVECCOMPRESSEDBYTES]) {
void PQCLEAN_LIGHTSABER_CLEAN_BS2POLVECp(poly data[SABER_L], const uint8_t bytes[SABER_POLYVECCOMPRESSEDBYTES]) {
size_t i;
for (i = 0; i < SABER_L; i++) {
BS2POLp(data[i], bytes + i * (SABER_EP * SABER_N / 8));
BS2POLp(&data[i], bytes + i * SABER_POLYCOMPRESSEDBYTES);
}
}

void PQCLEAN_LIGHTSABER_CLEAN_BS2POLmsg(uint16_t data[SABER_N], const uint8_t bytes[SABER_KEYBYTES]) {
void PQCLEAN_LIGHTSABER_CLEAN_BS2POLmsg(poly *data, const uint8_t bytes[SABER_KEYBYTES]) {
size_t i, j;
for (j = 0; j < SABER_KEYBYTES; j++) {
for (i = 0; i < 8; i++) {
data[j * 8 + i] = ((bytes[j] >> i) & 0x01);
data->coeffs[j * 8 + i] = ((bytes[j] >> i) & 0x01);
}
}
}

void PQCLEAN_LIGHTSABER_CLEAN_POLmsg2BS(uint8_t bytes[SABER_KEYBYTES], const uint16_t data[SABER_N]) {
void PQCLEAN_LIGHTSABER_CLEAN_POLmsg2BS(uint8_t bytes[SABER_KEYBYTES], const poly *data) {
size_t i, j;
memset(bytes, 0, SABER_KEYBYTES);

for (j = 0; j < SABER_KEYBYTES; j++) {
for (i = 0; i < 8; i++) {
bytes[j] = bytes[j] | ((data[j * 8 + i] & 0x01) << i);
bytes[j] = bytes[j] | ((data->coeffs[j * 8 + i] & 0x01) << i);
}
}
}

+ 9
- 8
crypto_kem/lightsaber/clean/pack_unpack.h View File

@@ -1,27 +1,28 @@
#ifndef PACK_UNPACK_H
#define PACK_UNPACK_H
#include "SABER_params.h"
#include "poly.h"
#include <stdint.h>
#include <stdio.h>

void PQCLEAN_LIGHTSABER_CLEAN_POLT2BS(uint8_t bytes[SABER_SCALEBYTES_KEM], const uint16_t data[SABER_N]);
void PQCLEAN_LIGHTSABER_CLEAN_POLT2BS(uint8_t bytes[SABER_SCALEBYTES_KEM], const poly *data);

void PQCLEAN_LIGHTSABER_CLEAN_BS2POLT(uint16_t data[SABER_N], const uint8_t bytes[SABER_SCALEBYTES_KEM]);
void PQCLEAN_LIGHTSABER_CLEAN_BS2POLT(poly *data, const uint8_t bytes[SABER_SCALEBYTES_KEM]);


void PQCLEAN_LIGHTSABER_CLEAN_POLVECq2BS(uint8_t bytes[SABER_POLYVECBYTES], const uint16_t data[SABER_L][SABER_N]);
void PQCLEAN_LIGHTSABER_CLEAN_POLVECq2BS(uint8_t bytes[SABER_POLYVECBYTES], const poly data[SABER_L]);

void PQCLEAN_LIGHTSABER_CLEAN_POLVECp2BS(uint8_t bytes[SABER_POLYVECCOMPRESSEDBYTES], const uint16_t data[SABER_L][SABER_N]);
void PQCLEAN_LIGHTSABER_CLEAN_POLVECp2BS(uint8_t bytes[SABER_POLYVECCOMPRESSEDBYTES], const poly data[SABER_L]);


void PQCLEAN_LIGHTSABER_CLEAN_BS2POLVECq(uint16_t data[SABER_L][SABER_N], const uint8_t bytes[SABER_POLYVECBYTES]);
void PQCLEAN_LIGHTSABER_CLEAN_BS2POLVECq(poly data[SABER_L], const uint8_t bytes[SABER_POLYVECBYTES]);

void PQCLEAN_LIGHTSABER_CLEAN_BS2POLVECp(uint16_t data[SABER_L][SABER_N], const uint8_t bytes[SABER_POLYVECCOMPRESSEDBYTES]);
void PQCLEAN_LIGHTSABER_CLEAN_BS2POLVECp(poly data[SABER_L], const uint8_t bytes[SABER_POLYVECCOMPRESSEDBYTES]);


void PQCLEAN_LIGHTSABER_CLEAN_BS2POLmsg(uint16_t data[SABER_N], const uint8_t bytes[SABER_KEYBYTES]);
void PQCLEAN_LIGHTSABER_CLEAN_BS2POLmsg(poly *data, const uint8_t bytes[SABER_KEYBYTES]);

void PQCLEAN_LIGHTSABER_CLEAN_POLmsg2BS(uint8_t bytes[SABER_KEYBYTES], const uint16_t data[SABER_N]);
void PQCLEAN_LIGHTSABER_CLEAN_POLmsg2BS(uint8_t bytes[SABER_KEYBYTES], const poly *data);


#endif

+ 26
- 18
crypto_kem/lightsaber/clean/poly.c View File

@@ -3,32 +3,40 @@
#include "fips202.h"
#include "pack_unpack.h"
#include "poly.h"
#include "poly_mul.h"
#include <stddef.h>

void PQCLEAN_LIGHTSABER_CLEAN_MatrixVectorMul(uint16_t res[SABER_L][SABER_N], const uint16_t A[SABER_L][SABER_L][SABER_N], const uint16_t s[SABER_L][SABER_N], int16_t transpose) {
void PQCLEAN_LIGHTSABER_CLEAN_MatrixVectorMul(poly c[SABER_L], const poly A[SABER_L][SABER_L], const poly s[SABER_L], int16_t transpose) {
size_t i, j;
for (i = 0; i < SABER_L; i++) {
for (j = 0; j < SABER_L; j++) {
if (transpose == 1) {
PQCLEAN_LIGHTSABER_CLEAN_poly_mul_acc(res[i], A[j][i], s[j]);
} else {
PQCLEAN_LIGHTSABER_CLEAN_poly_mul_acc(res[i], A[i][j], s[j]);

if (transpose) {
for (i = 0; i < SABER_L; i++) {
PQCLEAN_LIGHTSABER_CLEAN_poly_mul(&c[i], &A[0][i], &s[0], 0);
for (j = 1; j < SABER_L; j++) {
PQCLEAN_LIGHTSABER_CLEAN_poly_mul(&c[i], &A[j][i], &s[j], 1);
}
}
} else {
for (i = 0; i < SABER_L; i++) {
PQCLEAN_LIGHTSABER_CLEAN_poly_mul(&c[i], &A[i][0], &s[0], 0);
for (j = 1; j < SABER_L; j++) {
PQCLEAN_LIGHTSABER_CLEAN_poly_mul(&c[i], &A[i][j], &s[j], 1);
}
}
}
}

void PQCLEAN_LIGHTSABER_CLEAN_InnerProd(uint16_t res[SABER_N], const uint16_t b[SABER_L][SABER_N], const uint16_t s[SABER_L][SABER_N]) {
size_t j;
for (j = 0; j < SABER_L; j++) {
PQCLEAN_LIGHTSABER_CLEAN_poly_mul_acc(res, b[j], s[j]);
void PQCLEAN_LIGHTSABER_CLEAN_InnerProd(poly *c, const poly b[SABER_L], const poly s[SABER_L]) {
size_t i;

PQCLEAN_LIGHTSABER_CLEAN_poly_mul(c, &b[0], &s[0], 0);
for (i = 1; i < SABER_L; i++) {
PQCLEAN_LIGHTSABER_CLEAN_poly_mul(c, &b[i], &s[i], 1);
}
}

void PQCLEAN_LIGHTSABER_CLEAN_GenMatrix(uint16_t A[SABER_L][SABER_L][SABER_N], const uint8_t seed[SABER_SEEDBYTES]) {
uint8_t buf[SABER_L * SABER_POLYVECBYTES];
void PQCLEAN_LIGHTSABER_CLEAN_GenMatrix(poly A[SABER_L][SABER_L], const uint8_t seed[SABER_SEEDBYTES]) {
size_t i;
uint8_t buf[SABER_L * SABER_POLYVECBYTES];

shake128(buf, sizeof(buf), seed, SABER_SEEDBYTES);

@@ -37,13 +45,13 @@ void PQCLEAN_LIGHTSABER_CLEAN_GenMatrix(uint16_t A[SABER_L][SABER_L][SABER_N], c
}
}

void PQCLEAN_LIGHTSABER_CLEAN_GenSecret(uint16_t s[SABER_L][SABER_N], const uint8_t seed[SABER_NOISE_SEEDBYTES]) {
uint8_t buf[SABER_L * SABER_POLYCOINBYTES];
void PQCLEAN_LIGHTSABER_CLEAN_GenSecret(poly s[SABER_L], const uint8_t seed[SABER_NOISESEEDBYTES]) {
size_t i;
uint8_t buf[SABER_L * SABER_POLYCOINBYTES];

shake128(buf, sizeof(buf), seed, SABER_NOISE_SEEDBYTES);
shake128(buf, sizeof(buf), seed, SABER_NOISESEEDBYTES);

for (i = 0; i < SABER_L; i++) {
PQCLEAN_LIGHTSABER_CLEAN_cbd(s[i], buf + i * SABER_POLYCOINBYTES);
PQCLEAN_LIGHTSABER_CLEAN_cbd(s[i].coeffs, buf + i * SABER_POLYCOINBYTES);
}
}

+ 12
- 4
crypto_kem/lightsaber/clean/poly.h View File

@@ -3,13 +3,21 @@
#include "SABER_params.h"
#include <stdint.h>

void PQCLEAN_LIGHTSABER_CLEAN_MatrixVectorMul(uint16_t res[SABER_L][SABER_N], const uint16_t a[SABER_L][SABER_L][SABER_N], const uint16_t s[SABER_L][SABER_N], int16_t transpose);
typedef union {
uint16_t coeffs[SABER_N];
} poly;

void PQCLEAN_LIGHTSABER_CLEAN_InnerProd(uint16_t res[SABER_N], const uint16_t b[SABER_L][SABER_N], const uint16_t s[SABER_L][SABER_N]);

void PQCLEAN_LIGHTSABER_CLEAN_GenMatrix(uint16_t a[SABER_L][SABER_L][SABER_N], const uint8_t seed[SABER_SEEDBYTES]);
void PQCLEAN_LIGHTSABER_CLEAN_MatrixVectorMul(poly c[SABER_L], const poly A[SABER_L][SABER_L], const poly s[SABER_L], int16_t transpose);

void PQCLEAN_LIGHTSABER_CLEAN_GenSecret(uint16_t s[SABER_L][SABER_N], const uint8_t seed[SABER_NOISE_SEEDBYTES]);
void PQCLEAN_LIGHTSABER_CLEAN_InnerProd(poly *c, const poly b[SABER_L], const poly s[SABER_L]);

void PQCLEAN_LIGHTSABER_CLEAN_GenMatrix(poly A[SABER_L][SABER_L], const uint8_t seed[SABER_SEEDBYTES]);

void PQCLEAN_LIGHTSABER_CLEAN_GenSecret(poly s[SABER_L], const uint8_t seed[SABER_NOISESEEDBYTES]);


void PQCLEAN_LIGHTSABER_CLEAN_poly_mul(poly *c, const poly *a, const poly *b, int accumulate);


#endif

+ 12
- 6
crypto_kem/lightsaber/clean/poly_mul.c View File

@@ -1,4 +1,4 @@
#include "poly_mul.h"
#include "poly.h"
#include <stdint.h>
#include <string.h>

@@ -229,14 +229,20 @@ static void toom_cook_4way (uint16_t *result, const uint16_t *a1, const uint16_t
}

/* res += a*b */
void PQCLEAN_LIGHTSABER_CLEAN_poly_mul_acc(uint16_t res[SABER_N], const uint16_t a[SABER_N], const uint16_t b[SABER_N]) {
uint16_t c[2 * SABER_N] = {0};
void PQCLEAN_LIGHTSABER_CLEAN_poly_mul(poly *c, const poly *a, const poly *b, const int accumulate) {
uint16_t C[2 * SABER_N] = {0};
size_t i;

toom_cook_4way(c, a, b);
toom_cook_4way(C, a->coeffs, b->coeffs);

/* reduction */
for (i = SABER_N; i < 2 * SABER_N; i++) {
res[i - SABER_N] += (c[i - SABER_N] - c[i]);
if (accumulate == 0) {
for (i = SABER_N; i < 2 * SABER_N; i++) {
c->coeffs[i - SABER_N] = (C[i - SABER_N] - C[i]);
}
} else {
for (i = SABER_N; i < 2 * SABER_N; i++) {
c->coeffs[i - SABER_N] += (C[i - SABER_N] - C[i]);
}
}
}

+ 0
- 6
crypto_kem/lightsaber/clean/poly_mul.h View File

@@ -1,9 +1,3 @@
#ifndef POLY_MUL_H
#define POLY_MUL_H
#include "SABER_params.h"
#include <stdint.h>

void PQCLEAN_LIGHTSABER_CLEAN_poly_mul_acc(uint16_t res[SABER_N], const uint16_t a[SABER_N], const uint16_t b[SABER_N]);


#endif

+ 2
- 2
crypto_kem/saber/META.yml View File

@@ -14,9 +14,9 @@ principal-submitters:
- Frederik Vercauteren
implementations:
- name: clean
version: https://github.com/KULeuven-COSIC/SABER/tree/509cc5ec3a7e12a751ccdd2ef5bd6e54e00bd350 via https://github.com/jschanck/package-pqclean/tree/b53a47b5/saber
version: https://github.com/KULeuven-COSIC/SABER/tree/509cc5ec3a7e12a751ccdd2ef5bd6e54e00bd350 via https://github.com/jschanck/package-pqclean/tree/88ee652a/saber
- name: avx2
version: https://github.com/KULeuven-COSIC/SABER/tree/509cc5ec3a7e12a751ccdd2ef5bd6e54e00bd350 via https://github.com/jschanck/package-pqclean/tree/b53a47b5/saber
version: https://github.com/KULeuven-COSIC/SABER/tree/509cc5ec3a7e12a751ccdd2ef5bd6e54e00bd350 via https://github.com/jschanck/package-pqclean/tree/88ee652a/saber
supported_platforms:
- architecture: x86_64
operating_systems:


+ 1
- 1
crypto_kem/saber/avx2/Makefile View File

@@ -2,7 +2,7 @@

LIB=libsaber_avx2.a
HEADERS=api.h cbd.h kem.h pack_unpack.h poly.h SABER_indcpa.h SABER_params.h verify.h
OBJECTS=cbd.o kem.o pack_unpack.o SABER_indcpa.o verify.o
OBJECTS=cbd.o kem.o pack_unpack.o poly.o poly_mul.o SABER_indcpa.o verify.o

CFLAGS=-O3 -mavx2 -Wall -Wextra -Wpedantic -Wvla -Werror -Wredundant-decls -Wmissing-prototypes -std=c99 -I../../../common $(EXTRAFLAGS)



+ 72
- 362
crypto_kem/saber/avx2/SABER_indcpa.c View File

@@ -1,416 +1,125 @@
#include "./polymul/toom-cook_4way.c"
#include "SABER_indcpa.h"
#include "SABER_params.h"
#include "api.h"
#include "cbd.h"
#include "fips202.h"
#include "pack_unpack.h"
#include "poly.h"
#include "randombytes.h"
#include <stdint.h>
#include <stdio.h>
#include <string.h>
//#include "randombytes.h"
//#include "./polymul/toom_cook_4/toom-cook_4way.c"

#define h1 4 //2^(EQ-EP-1)
#define h1 (1 << (SABER_EQ - SABER_EP - 1))
#define h2 ((1 << (SABER_EP - 2)) - (1 << (SABER_EP - SABER_ET - 1)) + (1 << (SABER_EQ - SABER_EP - 1)))

#define h2 ( (1<<(SABER_EP-2)) - (1<<(SABER_EP-SABER_ET-1)) + (1<<(SABER_EQ-SABER_EP-1)) )
void PQCLEAN_SABER_AVX2_indcpa_kem_keypair(uint8_t pk[SABER_INDCPA_PUBLICKEYBYTES], uint8_t sk[SABER_INDCPA_SECRETKEYBYTES]) {
size_t i, j;

poly A[SABER_L][SABER_L];
poly *skpv1 = A[0]; // use first row of A to hold sk temporarily
toom4_points skpv1_eval[SABER_L];
poly res[SABER_L];

static void POL2MSG(uint8_t *message_dec, const uint16_t *message_dec_unpacked) {
int32_t i, j;
uint8_t rand[SABER_NOISESEEDBYTES];
uint8_t *seed_A = pk + SABER_POLYVECCOMPRESSEDBYTES;

for (j = 0; j < SABER_KEYBYTES; j++) {
message_dec[j] = 0;
for (i = 0; i < 8; i++) {
message_dec[j] = message_dec[j] | (message_dec_unpacked[j * 8 + i] << i);
}
}
}

/*-----------------------------------------------------------------------------------
This routine generates a=[Matrix K x K] of 256-coefficient polynomials

static void GenMatrix(polyvec *a, const uint8_t *seed) {
uint8_t buf[SABER_K * SABER_K * 13 * SABER_N / 8];

uint16_t temp_ar[SABER_N];

int i, j, k;
uint16_t mod = (SABER_Q - 1);

shake128(buf, sizeof(buf), seed, SABER_SEEDBYTES);

for (i = 0; i < SABER_K; i++) {
for (j = 0; j < SABER_K; j++) {
PQCLEAN_SABER_AVX2_BS2POLq(temp_ar, buf + (i * SABER_K + j) * 13 * SABER_N / 8);
for (k = 0; k < SABER_N; k++) {
a[i].vec[j].coeffs[k] = (temp_ar[k])& mod ;
}
}
}
}

static void GenSecret(uint16_t r[SABER_K][SABER_N], const uint8_t *seed) {

uint32_t i;
randombytes(seed_A, SABER_SEEDBYTES);
shake128(seed_A, SABER_SEEDBYTES, seed_A, SABER_SEEDBYTES); // for not revealing system RNG state

uint8_t buf[SABER_MU * SABER_N * SABER_K / 8];
randombytes(rand, SABER_NOISESEEDBYTES);
PQCLEAN_SABER_AVX2_GenSecret(skpv1, rand);
PQCLEAN_SABER_AVX2_POLVECq2BS(sk, skpv1); // pack secret key

shake128(buf, sizeof(buf), seed, SABER_NOISESEEDBYTES);

for (i = 0; i < SABER_K; i++) {
PQCLEAN_SABER_AVX2_cbd(r[i], buf + i * SABER_MU * SABER_N / 8);
for (j = 0; j < SABER_L; j++) {
PQCLEAN_SABER_AVX2_toom4_eval(&skpv1_eval[j], &skpv1[j]);
}
}

//********************************matrix-vector mul routines*****************************************************
static void matrix_vector_mul(__m256i res_avx[NUM_POLY][AVX_N1], __m256i a1_avx_combined[NUM_POLY][NUM_POLY][AVX_N1], __m256i b_bucket[NUM_POLY][SCHB_N * 4], int isTranspose) {
int64_t i, j;

__m256i c_bucket[2 * SCM_SIZE * 4]; //Holds results for 9 Karatsuba at a time

for (i = 0; i < NUM_POLY; i++) {
for (j = 0; j < NUM_POLY; j++) {
PQCLEAN_SABER_AVX2_GenMatrix(A, seed_A); // sample matrix A
PQCLEAN_SABER_AVX2_MatrixVectorMul(res, (const poly (*)[SABER_L])A, (const toom4_points *)skpv1_eval, 1); // Matrix in transposed order

if (isTranspose == 0) {
toom_cook_4way_avx_n1(a1_avx_combined[i][j], b_bucket[j], c_bucket, j);
} else {
toom_cook_4way_avx_n1(a1_avx_combined[j][i], b_bucket[j], c_bucket, j);
}
// rounding
for (i = 0; i < SABER_L; i++) {
for (j = 0; j < SABER_N; j++) {
res[i].coeffs[j] += h1;
res[i].coeffs[j] >>= SABER_EQ - SABER_EP;
res[i].coeffs[j] &= SABER_Q - 1;
}

TC_interpol(c_bucket, res_avx[i]);
}

}

static void vector_vector_mul(__m256i res_avx[AVX_N1], __m256i a_avx[NUM_POLY][AVX_N1], __m256i b_bucket[NUM_POLY][SCHB_N * 4]) {

int64_t i;

__m256i c_bucket[2 * SCM_SIZE * 4]; //Holds results for 9 Karatsuba at a time

for (i = 0; i < NUM_POLY; i++) {
toom_cook_4way_avx_n1(a_avx[i], b_bucket[i], c_bucket, i);
}
TC_interpol(c_bucket, res_avx);
}

//********************************matrix-vector mul routines*****************************************************

void PQCLEAN_SABER_AVX2_indcpa_kem_keypair(uint8_t *pk, uint8_t *sk) {

polyvec a[SABER_K];

uint16_t skpv1[SABER_K][SABER_N];



uint8_t seed[SABER_SEEDBYTES];
uint8_t noiseseed[SABER_COINBYTES];
int32_t i, j, k;


//--------------AVX declaration------------------

__m256i sk_avx[SABER_K][SABER_N / 16];
__m256i mod;
__m256i res_avx[SABER_K][SABER_N / 16];
__m256i a_avx[SABER_K][SABER_K][SABER_N / 16];
//__m256i acc[2*SABER_N/16];

mod = _mm256_set1_epi16(SABER_Q - 1);

__m256i b_bucket[NUM_POLY][SCHB_N * 4];

//--------------AVX declaration ends------------------

randombytes(seed, SABER_SEEDBYTES);

shake128(seed, SABER_SEEDBYTES, seed, SABER_SEEDBYTES); // for not revealing system RNG state
randombytes(noiseseed, SABER_COINBYTES);


GenMatrix(a, seed); //sample matrix A

GenSecret(skpv1, noiseseed);


// Load sk into avx vectors
for (i = 0; i < SABER_K; i++) {
for (j = 0; j < SABER_N / 16; j++) {
sk_avx[i][j] = _mm256_loadu_si256 ((__m256i const *) (&skpv1[i][j * 16]));
}

}

// Load a into avx vectors
for (i = 0; i < SABER_K; i++) {
for (j = 0; j < SABER_K; j++) {
for (k = 0; k < SABER_N / 16; k++) {
a_avx[i][j][k] = _mm256_loadu_si256 ((__m256i const *) (&a[i].vec[j].coeffs[k * 16]));
}
}
}



//------------------------do the matrix vector multiplication and rounding------------

for (j = 0; j < NUM_POLY; j++) {
TC_eval(sk_avx[j], b_bucket[j]);
}
matrix_vector_mul(res_avx, a_avx, b_bucket, 1);// Matrix-vector multiplication; Matrix in transposed order

// Now truncation


for (i = 0; i < SABER_K; i++) { //shift right EQ-EP bits
for (j = 0; j < SABER_N / 16; j++) {
res_avx[i][j] = _mm256_add_epi16 (res_avx[i][j], _mm256_set1_epi16(h1));
res_avx[i][j] = _mm256_srli_epi16 (res_avx[i][j], (SABER_EQ - SABER_EP) );
res_avx[i][j] = _mm256_and_si256 (res_avx[i][j], mod);
}
}

//------------------Pack sk into byte string-------

PQCLEAN_SABER_AVX2_POLVEC2BS(sk, (const uint16_t (*)[SABER_N])skpv1, SABER_Q);

//------------------Pack pk into byte string-------

for (i = 0; i < SABER_K; i++) { // reuses skpv1[] for unpacking avx of public-key
for (j = 0; j < SABER_N / 16; j++) {
_mm256_maskstore_epi32 ((int *) (skpv1[i] + j * 16), _mm256_set1_epi32(-1), res_avx[i][j]);
}
}
PQCLEAN_SABER_AVX2_POLVEC2BS(pk, (const uint16_t (*)[SABER_N])skpv1, SABER_P); // load the public-key into pk byte string


for (i = 0; i < SABER_SEEDBYTES; i++) { // now load the seedbytes in PK. Easy since seed bytes are kept in byte format.
pk[SABER_POLYVECCOMPRESSEDBYTES + i] = seed[i];
}

PQCLEAN_SABER_AVX2_POLVECp2BS(pk, res); // pack public key
}


void PQCLEAN_SABER_AVX2_indcpa_kem_enc(uint8_t ciphertext[SABER_BYTES_CCA_DEC], const uint8_t m[SABER_KEYBYTES], const uint8_t noiseseed[SABER_NOISESEEDBYTES], const uint8_t pk[SABER_INDCPA_PUBLICKEYBYTES]) {
size_t i, j;

poly A[SABER_L][SABER_L];
poly res[SABER_L];
toom4_points skpv1_eval[SABER_L];

uint32_t i, j, k;
polyvec a[SABER_K]; // skpv;
uint8_t seed[SABER_SEEDBYTES];
uint16_t pkcl[SABER_K][SABER_N]; //public key of received by the client


uint16_t skpv1[SABER_K][SABER_N];
uint16_t temp[SABER_K][SABER_N];
uint16_t message[SABER_KEYBYTES * 8];

uint8_t msk_c[SABER_SCALEBYTES_KEM];

//--------------AVX declaration------------------

__m256i sk_avx[SABER_K][SABER_N / 16];
__m256i mod, mod_p;
__m256i res_avx[SABER_K][SABER_N / 16];
__m256i vprime_avx[SABER_N / 16];
__m256i a_avx[SABER_K][SABER_K][SABER_N / 16];
//__m256i acc[2*SABER_N/16];

__m256i pkcl_avx[SABER_K][SABER_N / 16];

__m256i message_avx[SABER_N / 16];

mod = _mm256_set1_epi16(SABER_Q - 1);
mod_p = _mm256_set1_epi16(SABER_P - 1);
poly *temp = A[0]; // re-use stack space
poly *vprime = &A[0][0];
poly *message = &A[0][1];

const uint8_t *seed_A = pk + SABER_POLYVECCOMPRESSEDBYTES;
uint8_t *msk_c = ciphertext + SABER_POLYVECCOMPRESSEDBYTES;


__m256i b_bucket[NUM_POLY][SCHB_N * 4];

//--------------AVX declaration ends------------------
for (i = 0; i < SABER_SEEDBYTES; i++) { // Load the seedbytes in the client seed from PK.
seed[i] = pk[ SABER_POLYVECCOMPRESSEDBYTES + i];
PQCLEAN_SABER_AVX2_GenSecret(temp, noiseseed);
for (j = 0; j < SABER_L; j++) {
PQCLEAN_SABER_AVX2_toom4_eval(&skpv1_eval[j], &temp[j]);
}

GenMatrix(a, seed);
GenSecret(skpv1, noiseseed);

// ----------- Load skpv1 into avx vectors ----------
for (i = 0; i < SABER_K; i++) {
for (j = 0; j < SABER_N / 16; j++) {
sk_avx[i][j] = _mm256_loadu_si256 ((__m256i const *) (&skpv1[i][j * 16]));
}
}
PQCLEAN_SABER_AVX2_GenMatrix(A, seed_A);
PQCLEAN_SABER_AVX2_MatrixVectorMul(res, (const poly (*)[SABER_L])A, (const toom4_points *)skpv1_eval, 0); // 0 => not transposed

// ----------- Load skpv1 into avx vectors ----------
for (i = 0; i < SABER_K; i++) {
for (j = 0; j < SABER_K; j++) {
for (k = 0; k < SABER_N / 16; k++) {
a_avx[i][j][k] = _mm256_loadu_si256 ((__m256i const *) (&a[i].vec[j].coeffs[k * 16]));
}
// rounding
for (i = 0; i < SABER_L; i++) { //shift right EQ-EP bits
for (j = 0; j < SABER_N; j++) {
res[i].coeffs[j] += h1;
res[i].coeffs[j] >>= SABER_EQ - SABER_EP;
res[i].coeffs[j] &= SABER_Q - 1;
}
}
//-----------------matrix-vector multiplication and rounding

for (j = 0; j < NUM_POLY; j++) {
TC_eval(sk_avx[j], b_bucket[j]);
}
matrix_vector_mul(res_avx, a_avx, b_bucket, 0);// Matrix-vector multiplication; Matrix in normal order

// Now truncation

for (i = 0; i < SABER_K; i++) { //shift right EQ-EP bits
for (j = 0; j < SABER_N / 16; j++) {
res_avx[i][j] = _mm256_add_epi16 (res_avx[i][j], _mm256_set1_epi16(h1));
res_avx[i][j] = _mm256_srli_epi16 (res_avx[i][j], (SABER_EQ - SABER_EP) );
res_avx[i][j] = _mm256_and_si256 (res_avx[i][j], mod);

}
}


//-----this result should be put in b_prime for later use in server.
for (i = 0; i < SABER_K; i++) { // first store in 16 bit arrays
for (j = 0; j < SABER_N / 16; j++) {
_mm256_maskstore_epi32 ((int *)(temp[i] + j * 16), _mm256_set1_epi32(-1), res_avx[i][j]);
}
}

PQCLEAN_SABER_AVX2_POLVEC2BS(ciphertext, (const uint16_t (*)[SABER_N])temp, SABER_P); // Pack b_prime into ciphertext byte string

//**************client matrix-vector multiplication ends******************//

//------now calculate the v'

//-------unpack the public_key
PQCLEAN_SABER_AVX2_BS2POLVEC(pkcl, pk, SABER_P);

for (i = 0; i < SABER_K; i++) {
for (j = 0; j < SABER_N / 16; j++) {
pkcl_avx[i][j] = _mm256_loadu_si256 ((__m256i const *) (&pkcl[i][j * 16]));
}
}

// InnerProduct
//for(k=0;k<SABER_N/16;k++){
// vprime_avx[k]=_mm256_xor_si256(vprime_avx[k],vprime_avx[k]);
//}
PQCLEAN_SABER_AVX2_POLVECp2BS(ciphertext, res);

// vector-vector scalar multiplication with mod p
PQCLEAN_SABER_AVX2_BS2POLVECp(temp, pk);
PQCLEAN_SABER_AVX2_InnerProd(vprime, temp, skpv1_eval);
PQCLEAN_SABER_AVX2_BS2POLmsg(message, m);

vector_vector_mul(vprime_avx, pkcl_avx, b_bucket);

// Computation of v'+h1
for (i = 0; i < SABER_N / 16; i++) { //adding h1
vprime_avx[i] = _mm256_add_epi16(vprime_avx[i], _mm256_set1_epi16(h1));
}

// unpack m;
for (j = 0; j < SABER_KEYBYTES; j++) {
for (i = 0; i < 8; i++) {
message[8 * j + i] = ((m[j] >> i) & 0x01);
}
}
// message encoding
for (i = 0; i < SABER_N / 16; i++) {
message_avx[i] = _mm256_loadu_si256 ((__m256i const *) (&message[i * 16]));
message_avx[i] = _mm256_slli_epi16 (message_avx[i], (SABER_EP - 1) );
}

// SHIFTRIGHT(v'+h1-m mod p, EP-ET)
for (k = 0; k < SABER_N / 16; k++) {
vprime_avx[k] = _mm256_sub_epi16(vprime_avx[k], message_avx[k]);
vprime_avx[k] = _mm256_and_si256(vprime_avx[k], mod_p);
vprime_avx[k] = _mm256_srli_epi16 (vprime_avx[k], (SABER_EP - SABER_ET) );
}

// Unpack avx
for (j = 0; j < SABER_N / 16; j++) {
_mm256_maskstore_epi32 ((int *) (temp[0] + j * 16), _mm256_set1_epi32(-1), vprime_avx[j]);
}

PQCLEAN_SABER_AVX2_SABER_pack_4bit(msk_c, temp[0]);


for (j = 0; j < SABER_SCALEBYTES_KEM; j++) {
ciphertext[SABER_CIPHERTEXTBYTES + j] = msk_c[j];
for (i = 0; i < SABER_N; i++) {
vprime->coeffs[i] += h1 - (message->coeffs[i] << (SABER_EP - 1));
vprime->coeffs[i] &= SABER_P - 1;
vprime->coeffs[i] >>= SABER_EP - SABER_ET;
}

PQCLEAN_SABER_AVX2_POLT2BS(msk_c, vprime);
}


void PQCLEAN_SABER_AVX2_indcpa_kem_dec(uint8_t m[SABER_KEYBYTES], const uint8_t sk[SABER_INDCPA_SECRETKEYBYTES], const uint8_t ciphertext[SABER_BYTES_CCA_DEC]) {
size_t i;

uint32_t i, j;
uint16_t sksv[SABER_K][SABER_N]; //secret key of the server
uint16_t pksv[SABER_K][SABER_N];
uint16_t message_dec_unpacked[SABER_KEYBYTES * 8]; // one element containes on decrypted bit;
uint8_t scale_ar[SABER_SCALEBYTES_KEM];
uint16_t op[SABER_N];

//--------------AVX declaration------------------


//__m256i mod_p;

__m256i v_avx[SABER_N / 16];

//__m256i acc[2*SABER_N/16];

__m256i sksv_avx[SABER_K][SABER_N / 16];
__m256i pksv_avx[SABER_K][SABER_N / 16];
poly temp[SABER_L];
toom4_points sksv_eval[SABER_L];

//mod_p=_mm256_set1_epi16(SABER_P-1);
const uint8_t *packed_cm = ciphertext + SABER_POLYVECCOMPRESSEDBYTES;
poly *v = &temp[0];
poly *cm = &temp[1];

__m256i b_bucket[NUM_POLY][SCHB_N * 4];
//--------------AVX declaration ends------------------

//-------unpack the public_key

PQCLEAN_SABER_AVX2_BS2POLVEC(sksv, sk, SABER_Q); //sksv is the secret-key
PQCLEAN_SABER_AVX2_BS2POLVEC(pksv, ciphertext, SABER_P); //pksv is the ciphertext

for (i = 0; i < SABER_K; i++) {
for (j = 0; j < SABER_N / 16; j++) {
sksv_avx[i][j] = _mm256_loadu_si256 ((__m256i const *) (&sksv[i][j * 16]));
pksv_avx[i][j] = _mm256_loadu_si256 ((__m256i const *) (&pksv[i][j * 16]));
}
PQCLEAN_SABER_AVX2_BS2POLVECq(temp, sk);
for (i = 0; i < SABER_L; i++) {
PQCLEAN_SABER_AVX2_toom4_eval(&sksv_eval[i], &temp[i]);
}

for (i = 0; i < SABER_N / 16; i++) {
v_avx[i] = _mm256_xor_si256(v_avx[i], v_avx[i]);
}


// InnerProduct(b', s, mod p)

for (j = 0; j < NUM_POLY; j++) {
TC_eval(sksv_avx[j], b_bucket[j]);
}
PQCLEAN_SABER_AVX2_BS2POLVECp(temp, ciphertext);
PQCLEAN_SABER_AVX2_InnerProd(v, temp, sksv_eval);

vector_vector_mul(v_avx, pksv_avx, b_bucket);
PQCLEAN_SABER_AVX2_BS2POLT(cm, packed_cm);

for (i = 0; i < SABER_N / 16; i++) {
_mm256_maskstore_epi32 ((int *)(message_dec_unpacked + i * 16), _mm256_set1_epi32(-1), v_avx[i]);
}


for (i = 0; i < SABER_SCALEBYTES_KEM; i++) {
scale_ar[i] = ciphertext[SABER_CIPHERTEXTBYTES + i];
}

PQCLEAN_SABER_AVX2_SABER_un_pack4bit(op, scale_ar);


//addition of h2
for (i = 0; i < SABER_N; i++) {
message_dec_unpacked[i] = ( ( message_dec_unpacked[i] + h2 - (op[i] << (SABER_EP - SABER_ET)) ) & (SABER_P - 1) ) >> (SABER_EP - 1);
v->coeffs[i] += h2 - (cm->coeffs[i] << (SABER_EP - SABER_ET));
v->coeffs[i] &= SABER_P - 1;
v->coeffs[i] >>= SABER_EP - 1;
}


POL2MSG(m, message_dec_unpacked);
PQCLEAN_SABER_AVX2_POLmsg2BS(m, v);
}

+ 18
- 23
crypto_kem/saber/avx2/SABER_params.h View File

@@ -1,46 +1,41 @@
#ifndef PARAMS_H
#define PARAMS_H
#include "api.h"




#define SABER_K 3
/* Don't change anything below this line */
#define SABER_L 3
#define SABER_MU 8
#define SABER_ET 4


#define SABER_EQ 13
#define SABER_EP 10

#define SABER_N 256
#define SABER_Q 8192 //2^13
#define SABER_P 1024

#define SABER_SEEDBYTES 32
#define SABER_NOISESEEDBYTES 32
#define SABER_COINBYTES 32
#define SABER_KEYBYTES 32
#define SABER_EP 10
#define SABER_P (1 << SABER_EP)

#define SABER_HASHBYTES 32
#define SABER_EQ 13
#define SABER_Q (1 << SABER_EQ)

#define SABER_POLYBYTES 416 //13*256/8
#define SABER_SEEDBYTES 32
#define SABER_NOISESEEDBYTES 32
#define SABER_KEYBYTES 32
#define SABER_HASHBYTES 32

#define SABER_POLYVECBYTES (SABER_K * SABER_POLYBYTES)
#define SABER_POLYCOINBYTES (SABER_MU * SABER_N / 8)

#define SABER_POLYVECCOMPRESSEDBYTES (SABER_K * 320) //10*256/8 NOTE : changed till here due to parameter adaptation
#define SABER_POLYBYTES (SABER_EQ * SABER_N / 8)
#define SABER_POLYVECBYTES (SABER_L * SABER_POLYBYTES)

#define SABER_CIPHERTEXTBYTES (SABER_POLYVECCOMPRESSEDBYTES)
#define SABER_POLYCOMPRESSEDBYTES (SABER_EP * SABER_N / 8)
#define SABER_POLYVECCOMPRESSEDBYTES (SABER_L * SABER_POLYCOMPRESSEDBYTES)

#define SABER_SCALEBYTES_KEM ((SABER_ET)*SABER_N/8)
#define SABER_SCALEBYTES_KEM (SABER_ET * SABER_N / 8)

#define SABER_INDCPA_PUBLICKEYBYTES (SABER_POLYVECCOMPRESSEDBYTES + SABER_SEEDBYTES)
#define SABER_INDCPA_SECRETKEYBYTES (SABER_POLYVECBYTES)

#define SABER_PUBLICKEYBYTES (SABER_INDCPA_PUBLICKEYBYTES)
#define SABER_SECRETKEYBYTES (SABER_INDCPA_SECRETKEYBYTES + SABER_INDCPA_PUBLICKEYBYTES + SABER_HASHBYTES + SABER_KEYBYTES)

#define SABER_SECRETKEYBYTES (SABER_INDCPA_SECRETKEYBYTES + SABER_INDCPA_PUBLICKEYBYTES + SABER_HASHBYTES + SABER_KEYBYTES)

#define SABER_BYTES_CCA_DEC (SABER_POLYVECCOMPRESSEDBYTES + SABER_SCALEBYTES_KEM) /* Second part is for Targhi-Unruh */
#define SABER_BYTES_CCA_DEC (SABER_POLYVECCOMPRESSEDBYTES + SABER_SCALEBYTES_KEM)

#endif

+ 10
- 13
crypto_kem/saber/avx2/cbd.c View File

@@ -11,7 +11,7 @@ Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle
----------------------------------------------------------------------*/


static uint64_t load_littleendian(const unsigned char *x, int bytes) {
static uint64_t load_littleendian(const uint8_t *x, int bytes) {
int i;
uint64_t r = x[0];
for (i = 1; i < bytes; i++) {
@@ -20,32 +20,29 @@ static uint64_t load_littleendian(const unsigned char *x, int bytes) {
return r;
}


void PQCLEAN_SABER_AVX2_cbd(uint16_t *r, const unsigned char *buf) {
uint16_t Qmod_minus1 = SABER_Q - 1;

void PQCLEAN_SABER_AVX2_cbd(uint16_t s[SABER_N], const uint8_t buf[SABER_POLYCOINBYTES]) {
uint32_t t, d, a[4], b[4];
int i, j;

for (i = 0; i < SABER_N / 4; i++) {
t = load_littleendian(buf + 4 * i, 4);
t = (uint32_t) load_littleendian(buf + 4 * i, 4);
d = 0;
for (j = 0; j < 4; j++) {
d += (t >> j) & 0x11111111;
}

a[0] = d & 0xf;
b[0] = (d >> 4) & 0xf;
a[1] = (d >> 8) & 0xf;
a[0] = d & 0xf;
b[0] = (d >> 4) & 0xf;
a[1] = (d >> 8) & 0xf;
b[1] = (d >> 12) & 0xf;
a[2] = (d >> 16) & 0xf;
b[2] = (d >> 20) & 0xf;
a[3] = (d >> 24) & 0xf;
b[3] = (d >> 28);

r[4 * i + 0] = (uint16_t)(a[0] - b[0]) & Qmod_minus1;
r[4 * i + 1] = (uint16_t)(a[1] - b[1]) & Qmod_minus1;
r[4 * i + 2] = (uint16_t)(a[2] - b[2]) & Qmod_minus1;
r[4 * i + 3] = (uint16_t)(a[3] - b[3]) & Qmod_minus1;
s[4 * i + 0] = (uint16_t)(a[0] - b[0]);
s[4 * i + 1] = (uint16_t)(a[1] - b[1]);
s[4 * i + 2] = (uint16_t)(a[2] - b[2]);
s[4 * i + 3] = (uint16_t)(a[3] - b[3]);
}
}

+ 2
- 2
crypto_kem/saber/avx2/cbd.h View File

@@ -7,10 +7,10 @@ of "CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM"
by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint,
Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle
----------------------------------------------------------------------*/
#include "poly.h"
#include "SABER_params.h"
#include <stdint.h>

void PQCLEAN_SABER_AVX2_cbd(uint16_t *r, const unsigned char *buf);
void PQCLEAN_SABER_AVX2_cbd(uint16_t s[SABER_N], const uint8_t buf[SABER_POLYCOINBYTES]);


#endif

+ 5
- 7
crypto_kem/saber/avx2/kem.c View File

@@ -4,14 +4,12 @@
#include "fips202.h"
#include "randombytes.h"
#include "verify.h"
#include <immintrin.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>


int PQCLEAN_SABER_AVX2_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) {
int i;
size_t i;

PQCLEAN_SABER_AVX2_indcpa_kem_keypair(pk, sk); // sk[0:SABER_INDCPA_SECRETKEYBYTES-1] <-- sk
for (i = 0; i < SABER_INDCPA_PUBLICKEYBYTES; i++) {
@@ -39,7 +37,7 @@ int PQCLEAN_SABER_AVX2_crypto_kem_enc(uint8_t *c, uint8_t *k, const uint8_t *pk)
sha3_512(kr, buf, 64); // kr[0:63] <-- Hash(buf[0:63]);
// K^ <-- kr[0:31]
// noiseseed (r) <-- kr[32:63];
PQCLEAN_SABER_AVX2_indcpa_kem_enc(c, buf, (const uint8_t *) (kr + 32), pk); // buf[0:31] contains message; kr[32:63] contains randomness r;
PQCLEAN_SABER_AVX2_indcpa_kem_enc(c, buf, kr + 32, pk); // buf[0:31] contains message; kr[32:63] contains randomness r;

sha3_256(kr + 32, c, SABER_BYTES_CCA_DEC);

@@ -49,7 +47,7 @@ int PQCLEAN_SABER_AVX2_crypto_kem_enc(uint8_t *c, uint8_t *k, const uint8_t *pk)
}

int PQCLEAN_SABER_AVX2_crypto_kem_dec(uint8_t *k, const uint8_t *c, const uint8_t *sk) {
int i;
size_t i;
uint8_t fail;
uint8_t cmp[SABER_BYTES_CCA_DEC];
uint8_t buf[64];
@@ -65,7 +63,7 @@ int PQCLEAN_SABER_AVX2_crypto_kem_dec(uint8_t *k, const uint8_t *c, const uint8_

sha3_512(kr, buf, 64);

PQCLEAN_SABER_AVX2_indcpa_kem_enc(cmp, buf, (const uint8_t *) (kr + 32), pk);
PQCLEAN_SABER_AVX2_indcpa_kem_enc(cmp, buf, kr + 32, pk);

fail = PQCLEAN_SABER_AVX2_verify(c, cmp, SABER_BYTES_CCA_DEC);



+ 0
- 32
crypto_kem/saber/avx2/kem.h View File

@@ -1,35 +1,3 @@
#ifndef INDCPA_H
#define INDCPA_H

#include <stdint.h>

void PQCLEAN_SABER_AVX2_indcpa_keypair(uint8_t *pk, uint8_t *sk);


void PQCLEAN_SABER_AVX2_indcpa_client(uint8_t *pk, uint8_t *b_prime, uint8_t *c, uint8_t *key);


void PQCLEAN_SABER_AVX2_indcpa_server(uint8_t *pk, uint8_t *b_prime, uint8_t *c, uint8_t *key);


void PQCLEAN_SABER_AVX2_indcpa_kem_keypair(uint8_t *pk, uint8_t *sk);

void PQCLEAN_SABER_AVX2_indcpa_kem_enc(uint8_t *message, uint8_t *noiseseed, uint8_t *pk, uint8_t *ciphertext);

void PQCLEAN_SABER_AVX2_indcpa_kem_dec(uint8_t *sk, uint8_t *ciphertext, uint8_t message_dec[]);


int PQCLEAN_SABER_AVX2_crypto_kem_keypair(unsigned char *pk, unsigned char *sk);

int PQCLEAN_SABER_AVX2_crypto_kem_enc(unsigned char *c, unsigned char *k, const unsigned char *pk);

int PQCLEAN_SABER_AVX2_crypto_kem_dec(unsigned char *k, const unsigned char *c, const unsigned char *sk);



//uint64_t clock1,clock2;

//uint64_t clock_kp_kex, clock_enc_kex, clock_dec_kex;


#endif

+ 107
- 464
crypto_kem/saber/avx2/pack_unpack.c View File

@@ -1,502 +1,145 @@
#include "SABER_params.h"
#include "pack_unpack.h"
#include "poly.h"
#include <string.h>


void PQCLEAN_SABER_AVX2_SABER_pack_3bit(uint8_t *bytes, const uint16_t *data) {

uint32_t j;
uint32_t offset_data = 0, offset_byte = 0;

for (j = 0; j < SABER_N / 8; j++) {
offset_byte = 3 * j;
offset_data = 8 * j;
bytes[offset_byte + 0] = (data[offset_data + 0] & 0x7) | ( (data[offset_data + 1] & 0x7) << 3 ) | ((data[offset_data + 2] & 0x3) << 6);
bytes[offset_byte + 1] = ((data[offset_data + 2] >> 2 ) & 0x01) | ( (data[offset_data + 3] & 0x7) << 1 ) | ( (data[offset_data + 4] & 0x7) << 4 ) | (((data[offset_data + 5]) & 0x01) << 7);
bytes[offset_byte + 2] = ((data[offset_data + 5] >> 1 ) & 0x03) | ( (data[offset_data + 6] & 0x7) << 2 ) | ( (data[offset_data + 7] & 0x7) << 5 );
}
}

void PQCLEAN_SABER_AVX2_SABER_un_pack3bit(uint16_t *data, const uint8_t *bytes) {

uint32_t j;
uint32_t offset_data = 0, offset_byte = 0;

for (j = 0; j < SABER_N / 8; j++) {
offset_byte = 3 * j;
offset_data = 8 * j;
data[offset_data + 0] = (bytes[offset_byte + 0]) & 0x07;
data[offset_data + 1] = ( (bytes[offset_byte + 0]) >> 3 ) & 0x07;
data[offset_data + 2] = ( ( (bytes[offset_byte + 0]) >> 6 ) & 0x03) | ( ( (bytes[offset_byte + 1]) & 0x01) << 2 );
data[offset_data + 3] = ( (bytes[offset_byte + 1]) >> 1 ) & 0x07;
data[offset_data + 4] = ( (bytes[offset_byte + 1]) >> 4 ) & 0x07;
data[offset_data + 5] = ( ( (bytes[offset_byte + 1]) >> 7 ) & 0x01) | ( ( (bytes[offset_byte + 2]) & 0x03) << 1 );
data[offset_data + 6] = ( (bytes[offset_byte + 2] >> 2) & 0x07 );
data[offset_data + 7] = ( (bytes[offset_byte + 2] >> 5) & 0x07 );
}

}

void PQCLEAN_SABER_AVX2_SABER_pack_4bit(uint8_t *bytes, const uint16_t *data) {

uint32_t j;
uint32_t offset_data = 0;

void PQCLEAN_SABER_AVX2_POLT2BS(uint8_t bytes[SABER_SCALEBYTES_KEM], const poly *data) {
size_t j;
const uint16_t *in = data->coeffs;
uint8_t *out = bytes;
for (j = 0; j < SABER_N / 2; j++) {
offset_data = 2 * j;
bytes[j] = (data[offset_data] & 0x0f) | ( (data[offset_data + 1] & 0x0f) << 4 );
out[0] = (in[0] & 0x0f) | ((in[1] & 0x0f) << 4);
in += 2;
out += 1;
}
}

void PQCLEAN_SABER_AVX2_SABER_un_pack4bit(uint16_t *data, const uint8_t *bytes) {

uint32_t j;
uint32_t offset_data = 0;

void PQCLEAN_SABER_AVX2_BS2POLT(poly *data, const uint8_t bytes[SABER_SCALEBYTES_KEM]) {
size_t j;
const uint8_t *in = bytes;
uint16_t *out = data->coeffs;
for (j = 0; j < SABER_N / 2; j++) {
offset_data = 2 * j;
data[offset_data] = bytes[j] & 0x0f;
data[offset_data + 1] = (bytes[j] >> 4) & 0x0f;
out[0] = in[0] & 0x0f;
out[1] = (in[0] >> 4) & 0x0f;
in += 1;
out += 2;
}
}

void PQCLEAN_SABER_AVX2_SABER_pack_6bit(uint8_t *bytes, const uint16_t *data) {

uint32_t j;
uint32_t offset_data = 0, offset_byte = 0;

static void POLq2BS(uint8_t bytes[SABER_POLYBYTES], const poly *data) {
size_t j;
const uint16_t *in = data->coeffs;
uint8_t *out = bytes;
for (j = 0; j < SABER_N / 8; j++) {
out[0] = (in[0] & (0xff));
out[1] = ((in[0] >> 8) & 0x1f) | ((in[1] & 0x07) << 5);
out[2] = ((in[1] >> 3) & 0xff);
out[3] = ((in[1] >> 11) & 0x03) | ((in[2] & 0x3f) << 2);
out[4] = ((in[2] >> 6) & 0x7f) | ((in[3] & 0x01) << 7);
out[5] = ((in[3] >> 1) & 0xff);
out[6] = ((in[3] >> 9) & 0x0f) | ((in[4] & 0x0f) << 4);
out[7] = ((in[4] >> 4) & 0xff);
out[8] = ((in[4] >> 12) & 0x01) | ((in[5] & 0x7f) << 1);
out[9] = ((in[5] >> 7) & 0x3f) | ((in[6] & 0x03) << 6);
out[10] = ((in[6] >> 2) & 0xff);
out[11] = ((in[6] >> 10) & 0x07) | ((in[7] & 0x1f) << 3);
out[12] = ((in[7] >> 5) & 0xff);
in += 8;
out += 13;
}
}

static void BS2POLq(poly *data, const uint8_t bytes[SABER_POLYBYTES]) {
size_t j;
const uint8_t *in = bytes;
uint16_t *out = data->coeffs;
for (j = 0; j < SABER_N / 8; j++) {
out[0] = (in[0] & (0xff)) | ((in[1] & 0x1f) << 8);
out[1] = (in[1] >> 5 & (0x07)) | ((in[2] & 0xff) << 3) | ((in[3] & 0x03) << 11);
out[2] = (in[3] >> 2 & (0x3f)) | ((in[4] & 0x7f) << 6);
out[3] = (in[4] >> 7 & (0x01)) | ((in[5] & 0xff) << 1) | ((in[6] & 0x0f) << 9);
out[4] = (in[6] >> 4 & (0x0f)) | ((in[7] & 0xff) << 4) | ((in[8] & 0x01) << 12);
out[5] = (in[8] >> 1 & (0x7f)) | ((in[9] & 0x3f) << 7);
out[6] = (in[9] >> 6 & (0x03)) | ((in[10] & 0xff) << 2) | ((in[11] & 0x07) << 10);
out[7] = (in[11] >> 3 & (0x1f)) | ((in[12] & 0xff) << 5);
in += 13;
out += 8;
}
}

static void POLp2BS(uint8_t bytes[SABER_POLYCOMPRESSEDBYTES], const poly *data) {
size_t j;
const uint16_t *in = data->coeffs;
uint8_t *out = bytes;
for (j = 0; j < SABER_N / 4; j++) {
offset_byte = 3 * j;
offset_data = 4 * j;
bytes[offset_byte + 0] = (data[offset_data + 0] & 0x3f) | ((data[offset_data + 1] & 0x03) << 6);
bytes[offset_byte + 1] = ((data[offset_data + 1] >> 2) & 0x0f) | ((data[offset_data + 2] & 0x0f) << 4);
bytes[offset_byte + 2] = ((data[offset_data + 2] >> 4) & 0x03) | ((data[offset_data + 3] & 0x3f) << 2);
out[0] = (in[0] & (0xff));
out[1] = ((in[0] >> 8) & 0x03) | ((in[1] & 0x3f) << 2);
out[2] = ((in[1] >> 6) & 0x0f) | ((in[2] & 0x0f) << 4);
out[3] = ((in[2] >> 4) & 0x3f) | ((in[3] & 0x03) << 6);
out[4] = ((in[3] >> 2) & 0xff);
in += 4;
out += 5;
}
}


void PQCLEAN_SABER_AVX2_SABER_un_pack6bit(uint16_t *data, const uint8_t *bytes) {

uint32_t j;
uint32_t offset_data = 0, offset_byte = 0;

static void BS2POLp(poly *data, const uint8_t bytes[SABER_POLYCOMPRESSEDBYTES]) {
size_t j;
const uint8_t *in = bytes;
uint16_t *out = data->coeffs;
for (j = 0; j < SABER_N / 4; j++) {
offset_byte = 3 * j;
offset_data = 4 * j;
data[offset_data + 0] = bytes[offset_byte + 0] & 0x3f;
data[offset_data + 1] = ((bytes[offset_byte + 0] >> 6) & 0x03) | ((bytes[offset_byte + 1] & 0x0f) << 2) ;
data[offset_data + 2] = ((bytes[offset_byte + 1] & 0xff) >> 4) | ((bytes[offset_byte + 2] & 0x03) << 4) ;
data[offset_data + 3] = ((bytes[offset_byte + 2] & 0xff) >> 2);
}

}

void PQCLEAN_SABER_AVX2_SABER_pack10bit(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N]) {

uint32_t i, j;
uint32_t offset_data = 0, offset_byte = 0, offset_byte1 = 0;

for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 10) / 8;
for (j = 0; j < SABER_N / 4; j++) {
offset_byte = offset_byte1 + 5 * j;
offset_data = 4 * j;
bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff));

bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x03 ) | ((data[i][ offset_data + 1 ] & 0x3f) << 2);

bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 6) & 0x0f ) | ( (data[i][ offset_data + 2 ] & 0x0f) << 4);

bytes[offset_byte + 3] = ( (data[i][ offset_data + 2 ] >> 4) & 0x3f ) | ((data[i][ offset_data + 3 ] & 0x03) << 6);

bytes[offset_byte + 4] = ( (data[i][ offset_data + 3 ] >> 2) & 0xff );
}
}
}

void PQCLEAN_SABER_AVX2_POLVECp2BS(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N]) {

uint32_t i, j;
uint32_t offset_data = 0, offset_byte = 0, offset_byte1 = 0;

for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 10) / 8;
for (j = 0; j < SABER_N / 4; j++) {
offset_byte = offset_byte1 + 5 * j;
offset_data = 4 * j;
bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff));

bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x03 ) | ((data[i][ offset_data + 1 ] & 0x3f) << 2);

bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 6) & 0x0f ) | ( (data[i][ offset_data + 2 ] & 0x0f) << 4);

bytes[offset_byte + 3] = ( (data[i][ offset_data + 2 ] >> 4) & 0x3f ) | ((data[i][ offset_data + 3 ] & 0x03) << 6);

bytes[offset_byte + 4] = ( (data[i][ offset_data + 3 ] >> 2) & 0xff );
}
}
}

void PQCLEAN_SABER_AVX2_POLVECq2BS(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N]) {

uint32_t i, j;
uint32_t offset_data = 0, offset_byte = 0, offset_byte1 = 0;

for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 13) / 8;
for (j = 0; j < SABER_N / 8; j++) {
offset_byte = offset_byte1 + 13 * j;
offset_data = 8 * j;
bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff));

bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x1f ) | ((data[i][ offset_data + 1 ] & 0x07) << 5);

bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 3) & 0xff );

bytes[offset_byte + 3] = ( (data[i][ offset_data + 1 ] >> 11) & 0x03 ) | ((data[i][ offset_data + 2 ] & 0x3f) << 2);

bytes[offset_byte + 4] = ( (data[i][ offset_data + 2 ] >> 6) & 0x7f ) | ( (data[i][ offset_data + 3 ] & 0x01) << 7 );

bytes[offset_byte + 5] = ( (data[i][ offset_data + 3 ] >> 1) & 0xff );

bytes[offset_byte + 6] = ( (data[i][ offset_data + 3 ] >> 9) & 0x0f ) | ( (data[i][ offset_data + 4 ] & 0x0f) << 4 );

bytes[offset_byte + 7] = ( (data[i][ offset_data + 4] >> 4) & 0xff );

bytes[offset_byte + 8] = ( (data[i][ offset_data + 4 ] >> 12) & 0x01 ) | ( (data[i][ offset_data + 5 ] & 0x7f) << 1 );

bytes[offset_byte + 9] = ( (data[i][ offset_data + 5 ] >> 7) & 0x3f ) | ( (data[i][ offset_data + 6 ] & 0x03) << 6 );

bytes[offset_byte + 10] = ( (data[i][ offset_data + 6 ] >> 2) & 0xff );

bytes[offset_byte + 11] = ( (data[i][ offset_data + 6 ] >> 10) & 0x07 ) | ( (data[i][ offset_data + 7 ] & 0x1f) << 3 );

bytes[offset_byte + 12] = ( (data[i][ offset_data + 7 ] >> 5) & 0xff );

}
}


}

void PQCLEAN_SABER_AVX2_BS2POLq(uint16_t data[SABER_N], const uint8_t *bytes) {

uint32_t j;
uint32_t offset_data = 0, offset_byte = 0;

for (j = 0; j < SABER_N / 8; j++) {
offset_byte = 13 * j;
offset_data = 8 * j;
data[offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[offset_byte + 1] & 0x1f) << 8);
data[offset_data + 1] = ( bytes[ offset_byte + 1 ] >> 5 & (0x07)) | ((bytes[offset_byte + 2] & 0xff) << 3) | ((bytes[offset_byte + 3] & 0x03) << 11);
data[offset_data + 2] = ( bytes[ offset_byte + 3 ] >> 2 & (0x3f)) | ((bytes[offset_byte + 4] & 0x7f) << 6);
data[offset_data + 3] = ( bytes[ offset_byte + 4 ] >> 7 & (0x01)) | ((bytes[offset_byte + 5] & 0xff) << 1) | ((bytes[offset_byte + 6] & 0x0f) << 9);
data[offset_data + 4] = ( bytes[ offset_byte + 6 ] >> 4 & (0x0f)) | ((bytes[offset_byte + 7] & 0xff) << 4) | ((bytes[offset_byte + 8] & 0x01) << 12);
data[offset_data + 5] = ( bytes[ offset_byte + 8] >> 1 & (0x7f)) | ((bytes[offset_byte + 9] & 0x3f) << 7);
data[offset_data + 6] = ( bytes[ offset_byte + 9] >> 6 & (0x03)) | ((bytes[offset_byte + 10] & 0xff) << 2) | ((bytes[offset_byte + 11] & 0x07) << 10);
data[offset_data + 7] = ( bytes[ offset_byte + 11] >> 3 & (0x1f)) | ((bytes[offset_byte + 12] & 0xff) << 5);
}
}



void PQCLEAN_SABER_AVX2_BS2POLVECp(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes) {

uint32_t i, j;
uint32_t offset_data = 0, offset_byte = 0, offset_byte1 = 0;

for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 10) / 8;
for (j = 0; j < SABER_N / 4; j++) {
offset_byte = offset_byte1 + 5 * j;
offset_data = 4 * j;
data[i][offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[ offset_byte + 1 ] & 0x03) << 8);
data[i][offset_data + 1] = ( (bytes[ offset_byte + 1 ] >> 2) & (0x3f)) | ((bytes[ offset_byte + 2 ] & 0x0f) << 6);
data[i][offset_data + 2] = ( (bytes[ offset_byte + 2 ] >> 4) & (0x0f)) | ((bytes[ offset_byte + 3 ] & 0x3f) << 4);
data[i][offset_data + 3] = ( (bytes[ offset_byte + 3 ] >> 6) & (0x03)) | ((bytes[ offset_byte + 4 ] & 0xff) << 2);

}
}
}

void PQCLEAN_SABER_AVX2_BS2POLVECq(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes) {

uint32_t i, j;
uint32_t offset_data = 0, offset_byte = 0, offset_byte1 = 0;

for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 13) / 8;
for (j = 0; j < SABER_N / 8; j++) {
offset_byte = offset_byte1 + 13 * j;
offset_data = 8 * j;
data[i][offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[offset_byte + 1] & 0x1f) << 8);
data[i][offset_data + 1] = ( bytes[ offset_byte + 1 ] >> 5 & (0x07)) | ((bytes[offset_byte + 2] & 0xff) << 3) | ((bytes[offset_byte + 3] & 0x03) << 11);
data[i][offset_data + 2] = ( bytes[ offset_byte + 3 ] >> 2 & (0x3f)) | ((bytes[offset_byte + 4] & 0x7f) << 6);
data[i][offset_data + 3] = ( bytes[ offset_byte + 4 ] >> 7 & (0x01)) | ((bytes[offset_byte + 5] & 0xff) << 1) | ((bytes[offset_byte + 6] & 0x0f) << 9);
data[i][offset_data + 4] = ( bytes[ offset_byte + 6 ] >> 4 & (0x0f)) | ((bytes[offset_byte + 7] & 0xff) << 4) | ((bytes[offset_byte + 8] & 0x01) << 12);
data[i][offset_data + 5] = ( bytes[ offset_byte + 8] >> 1 & (0x7f)) | ((bytes[offset_byte + 9] & 0x3f) << 7);
data[i][offset_data + 6] = ( bytes[ offset_byte + 9] >> 6 & (0x03)) | ((bytes[offset_byte + 10] & 0xff) << 2) | ((bytes[offset_byte + 11] & 0x07) << 10);
data[i][offset_data + 7] = ( bytes[ offset_byte + 11] >> 3 & (0x1f)) | ((bytes[offset_byte + 12] & 0xff) << 5);
}
}


}



void PQCLEAN_SABER_AVX2_SABER_un_pack10bit(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes) {

uint32_t i, j;
uint32_t offset_data = 0, offset_byte = 0, offset_byte1 = 0;

for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 10) / 8;
for (j = 0; j < SABER_N / 4; j++) {
offset_byte = offset_byte1 + 5 * j;
offset_data = 4 * j;
data[i][offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[ offset_byte + 1 ] & 0x03) << 8);
data[i][offset_data + 1] = ( (bytes[ offset_byte + 1 ] >> 2) & (0x3f)) | ((bytes[ offset_byte + 2 ] & 0x0f) << 6);
data[i][offset_data + 2] = ( (bytes[ offset_byte + 2 ] >> 4) & (0x0f)) | ((bytes[ offset_byte + 3 ] & 0x3f) << 4);
data[i][offset_data + 3] = ( (bytes[ offset_byte + 3 ] >> 6) & (0x03)) | ((bytes[ offset_byte + 4 ] & 0xff) << 2);

}
out[0] = (in[0] & (0xff)) | ((in[1] & 0x03) << 8);
out[1] = ((in[1] >> 2) & (0x3f)) | ((in[2] & 0x0f) << 6);
out[2] = ((in[2] >> 4) & (0x0f)) | ((in[3] & 0x3f) << 4);
out[3] = ((in[3] >> 6) & (0x03)) | ((in[4] & 0xff) << 2);
in += 5;
out += 4;
}


}


void PQCLEAN_SABER_AVX2_SABER_pack13bit(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N]) {

uint32_t i, j;
uint32_t offset_data = 0, offset_byte = 0, offset_byte1 = 0;

for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 13) / 8;
for (j = 0; j < SABER_N / 8; j++) {
offset_byte = offset_byte1 + 13 * j;
offset_data = 8 * j;
bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff));

bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x1f ) | ((data[i][ offset_data + 1 ] & 0x07) << 5);

bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 3) & 0xff );

bytes[offset_byte + 3] = ( (data[i][ offset_data + 1 ] >> 11) & 0x03 ) | ((data[i][ offset_data + 2 ] & 0x3f) << 2);

bytes[offset_byte + 4] = ( (data[i][ offset_data + 2 ] >> 6) & 0x7f ) | ( (data[i][ offset_data + 3 ] & 0x01) << 7 );

bytes[offset_byte + 5] = ( (data[i][ offset_data + 3 ] >> 1) & 0xff );

bytes[offset_byte + 6] = ( (data[i][ offset_data + 3 ] >> 9) & 0x0f ) | ( (data[i][ offset_data + 4 ] & 0x0f) << 4 );

bytes[offset_byte + 7] = ( (data[i][ offset_data + 4] >> 4) & 0xff );

bytes[offset_byte + 8] = ( (data[i][ offset_data + 4 ] >> 12) & 0x01 ) | ( (data[i][ offset_data + 5 ] & 0x7f) << 1 );

bytes[offset_byte + 9] = ( (data[i][ offset_data + 5 ] >> 7) & 0x3f ) | ( (data[i][ offset_data + 6 ] & 0x03) << 6 );

bytes[offset_byte + 10] = ( (data[i][ offset_data + 6 ] >> 2) & 0xff );

bytes[offset_byte + 11] = ( (data[i][ offset_data + 6 ] >> 10) & 0x07 ) | ( (data[i][ offset_data + 7 ] & 0x1f) << 3 );

bytes[offset_byte + 12] = ( (data[i][ offset_data + 7 ] >> 5) & 0xff );

}
void PQCLEAN_SABER_AVX2_POLVECq2BS(uint8_t bytes[SABER_POLYVECBYTES], const poly data[SABER_L]) {
size_t i;
for (i = 0; i < SABER_L; i++) {
POLq2BS(bytes + i * SABER_POLYBYTES, &data[i]);
}


}

void PQCLEAN_SABER_AVX2_SABER_un_pack13bit(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes) {

uint32_t i, j;
uint32_t offset_data = 0, offset_byte = 0, offset_byte1 = 0;

for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 13) / 8;
for (j = 0; j < SABER_N / 8; j++) {
offset_byte = offset_byte1 + 13 * j;
offset_data = 8 * j;
data[i][offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[offset_byte + 1] & 0x1f) << 8);
data[i][offset_data + 1] = ( bytes[ offset_byte + 1 ] >> 5 & (0x07)) | ((bytes[offset_byte + 2] & 0xff) << 3) | ((bytes[offset_byte + 3] & 0x03) << 11);
data[i][offset_data + 2] = ( bytes[ offset_byte + 3 ] >> 2 & (0x3f)) | ((bytes[offset_byte + 4] & 0x7f) << 6);
data[i][offset_data + 3] = ( bytes[ offset_byte + 4 ] >> 7 & (0x01)) | ((bytes[offset_byte + 5] & 0xff) << 1) | ((bytes[offset_byte + 6] & 0x0f) << 9);
data[i][offset_data + 4] = ( bytes[ offset_byte + 6 ] >> 4 & (0x0f)) | ((bytes[offset_byte + 7] & 0xff) << 4) | ((bytes[offset_byte + 8] & 0x01) << 12);
data[i][offset_data + 5] = ( bytes[ offset_byte + 8] >> 1 & (0x7f)) | ((bytes[offset_byte + 9] & 0x3f) << 7);
data[i][offset_data + 6] = ( bytes[ offset_byte + 9] >> 6 & (0x03)) | ((bytes[offset_byte + 10] & 0xff) << 2) | ((bytes[offset_byte + 11] & 0x07) << 10);
data[i][offset_data + 7] = ( bytes[ offset_byte + 11] >> 3 & (0x1f)) | ((bytes[offset_byte + 12] & 0xff) << 5);
}
void PQCLEAN_SABER_AVX2_BS2POLVECq(poly data[SABER_L], const uint8_t bytes[SABER_POLYVECBYTES]) {
size_t i;
for (i = 0; i < SABER_L; i++) {
BS2POLq(&data[i], bytes + i * SABER_POLYBYTES);
}


}

void PQCLEAN_SABER_AVX2_SABER_poly_un_pack13bit(uint16_t data[SABER_N], const uint8_t *bytes) {

uint32_t j;
uint32_t offset_data = 0, offset_byte = 0;

//for(i=0;i<SABER_K;i++){
//i=0;
//offset_byte1=i*(SABER_N*13)/8;
for (j = 0; j < SABER_N / 8; j++) {
//offset_byte=offset_byte1+13*j;
offset_byte = 13 * j;
offset_data = 8 * j;
data[offset_data + 0] = ( bytes[ offset_byte + 0 ] & (0xff)) | ((bytes[offset_byte + 1] & 0x1f) << 8);
data[offset_data + 1] = ( bytes[ offset_byte + 1 ] >> 5 & (0x07)) | ((bytes[offset_byte + 2] & 0xff) << 3) | ((bytes[offset_byte + 3] & 0x03) << 11);
data[offset_data + 2] = ( bytes[ offset_byte + 3 ] >> 2 & (0x3f)) | ((bytes[offset_byte + 4] & 0x7f) << 6);
data[offset_data + 3] = ( bytes[ offset_byte + 4 ] >> 7 & (0x01)) | ((bytes[offset_byte + 5] & 0xff) << 1) | ((bytes[offset_byte + 6] & 0x0f) << 9);
data[offset_data + 4] = ( bytes[ offset_byte + 6 ] >> 4 & (0x0f)) | ((bytes[offset_byte + 7] & 0xff) << 4) | ((bytes[offset_byte + 8] & 0x01) << 12);
data[offset_data + 5] = ( bytes[ offset_byte + 8] >> 1 & (0x7f)) | ((bytes[offset_byte + 9] & 0x3f) << 7);
data[offset_data + 6] = ( bytes[ offset_byte + 9] >> 6 & (0x03)) | ((bytes[offset_byte + 10] & 0xff) << 2) | ((bytes[offset_byte + 11] & 0x07) << 10);
data[offset_data + 7] = ( bytes[ offset_byte + 11] >> 3 & (0x1f)) | ((bytes[offset_byte + 12] & 0xff) << 5);
}
//}


}


void PQCLEAN_SABER_AVX2_SABER_pack11bit(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N]) {
/*This function packs 11 bit data stream into 8 bits of data.
*/
uint32_t i, j;
uint32_t offset_data = 0, offset_byte = 0, offset_byte1 = 0;

for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 11) / 8;
for (j = 0; j < SABER_N / 8; j++) {
offset_byte = offset_byte1 + 11 * j;
offset_data = 8 * j;
bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff));

bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x07 ) | ((data[i][ offset_data + 1 ] & 0x1f) << 3);

bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 5) & 0x3f ) | ((data[i][ offset_data + 2 ] & 0x03) << 6);

bytes[offset_byte + 3] = ( (data[i][ offset_data + 2 ] >> 2) & 0xff );

bytes[offset_byte + 4] = ( (data[i][ offset_data + 2 ] >> 10) & 0x01 ) | ((data[i][ offset_data + 3 ] & 0x7f) << 1);

bytes[offset_byte + 5] = ( (data[i][ offset_data + 3 ] >> 7) & 0x0f ) | ((data[i][ offset_data + 4 ] & 0x0f) << 4);

bytes[offset_byte + 6] = ( (data[i][ offset_data + 4 ] >> 4) & 0x7f ) | ((data[i][ offset_data + 5 ] & 0x01) << 7);

bytes[offset_byte + 7] = ( (data[i][ offset_data + 5 ] >> 1) & 0xff );

bytes[offset_byte + 8] = ( (data[i][ offset_data + 5 ] >> 9) & 0x03 ) | ((data[i][ offset_data + 6 ] & 0x3f) << 2);

bytes[offset_byte + 9] = ( (data[i][ offset_data + 6 ] >> 6) & 0x1f ) | ((data[i][ offset_data + 7 ] & 0x07) << 5);

bytes[offset_byte + 10] = ( (data[i][ offset_data + 7 ] >> 3) & 0xff );

}
void PQCLEAN_SABER_AVX2_POLVECp2BS(uint8_t bytes[SABER_POLYVECCOMPRESSEDBYTES], const poly data[SABER_L]) {
size_t i;
for (i = 0; i < SABER_L; i++) {
POLp2BS(bytes + i * SABER_POLYCOMPRESSEDBYTES, &data[i]);
}

}

void PQCLEAN_SABER_AVX2_SABER_un_pack11bit(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes) {

uint32_t i, j;
uint32_t offset_data = 0, offset_byte = 0, offset_byte1 = 0;


for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 11) / 8;
for (j = 0; j < SABER_N / 8; j++) {
offset_byte = offset_byte1 + 11 * j;
offset_data = 8 * j;

data[i][offset_data + 0] = (bytes[offset_byte + 0]) | ( (bytes[offset_byte + 1] & 0x07) << 8 );

data[i][offset_data + 1] = ( (bytes[offset_byte + 1] >> 3) & 0x1f) | ( (bytes[offset_byte + 2] & 0x3f) << 5 );

data[i][offset_data + 2] = ( (bytes[offset_byte + 2] >> 6) & 0x03) | ( (bytes[offset_byte + 3] & 0xff) << 2 ) | ( (bytes[offset_byte + 4] & 0x01) << 10 );

data[i][offset_data + 3] = ( (bytes[offset_byte + 4] >> 1) & 0x7f) | ( (bytes[offset_byte + 5] & 0x0f) << 7 );

data[i][offset_data + 4] = ( (bytes[offset_byte + 5] >> 4) & 0x0f) | ( (bytes[offset_byte + 6] & 0x7f) << 4 );

data[i][offset_data + 5] = ( (bytes[offset_byte + 6] >> 7) & 0x01) | ( (bytes[offset_byte + 7] & 0xff) << 1 ) | ( (bytes[offset_byte + 8] & 0x03) << 9 );

data[i][offset_data + 6] = ( (bytes[offset_byte + 8] >> 2) & 0x3f) | ( (bytes[offset_byte + 9] & 0x1f) << 6 );

data[i][offset_data + 7] = ( (bytes[offset_byte + 9] >> 5) & 0x07) | ( (bytes[offset_byte + 10] & 0xff) << 3 );
}
void PQCLEAN_SABER_AVX2_BS2POLVECp(poly data[SABER_L], const uint8_t bytes[SABER_POLYVECCOMPRESSEDBYTES]) {
size_t i;
for (i = 0; i < SABER_L; i++) {
BS2POLp(&data[i], bytes + i * SABER_POLYCOMPRESSEDBYTES);
}


}

void PQCLEAN_SABER_AVX2_SABER_pack14bit(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N]) {

uint32_t i, j;
uint32_t offset_data = 0, offset_byte = 0, offset_byte1 = 0;

for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 14) / 8;
for (j = 0; j < SABER_N / 4; j++) {
offset_byte = offset_byte1 + 7 * j;
offset_data = 4 * j;
bytes[offset_byte + 0] = ( data[i][ offset_data + 0 ] & (0xff));

bytes[offset_byte + 1] = ( (data[i][ offset_data + 0 ] >> 8) & 0x3f ) | ((data[i][ offset_data + 1 ] & 0x03) << 6);

bytes[offset_byte + 2] = ( (data[i][ offset_data + 1 ] >> 2) & 0xff );

bytes[offset_byte + 3] = ( (data[i][ offset_data + 1 ] >> 10) & 0x0f ) | ((data[i][ offset_data + 2 ] & 0x0f) << 4);

bytes[offset_byte + 4] = ( (data[i][ offset_data + 2 ] >> 4) & 0xff );

bytes[offset_byte + 5] = ( (data[i][ offset_data + 2 ] >> 12) & 0x03 ) | ((data[i][ offset_data + 3 ] & 0x3f) << 2);

bytes[offset_byte + 6] = ( (data[i][ offset_data + 3 ] >> 6) & 0xff );
void PQCLEAN_SABER_AVX2_BS2POLmsg(poly *data, const uint8_t bytes[SABER_KEYBYTES]) {
size_t i, j;
for (j = 0; j < SABER_KEYBYTES; j++) {
for (i = 0; i < 8; i++) {
data->coeffs[j * 8 + i] = ((bytes[j] >> i) & 0x01);
}
}


}

void PQCLEAN_SABER_AVX2_POLmsg2BS(uint8_t bytes[SABER_KEYBYTES], const poly *data) {
size_t i, j;
memset(bytes, 0, SABER_KEYBYTES);

void PQCLEAN_SABER_AVX2_SABER_un_pack14bit(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes) {

uint32_t i, j;
uint32_t offset_data = 0, offset_byte = 0, offset_byte1 = 0;

for (i = 0; i < SABER_K; i++) {
offset_byte1 = i * (SABER_N * 14) / 8;
for (j = 0; j < SABER_N / 4; j++) {
offset_byte = offset_byte1 + 7 * j;
offset_data = 4 * j;
data[i][offset_data + 0] = (bytes[offset_byte + 0] & 0xff) | ( (bytes[offset_byte + 1] & 0x3f) << 8 );

data[i][offset_data + 1] = ( (bytes[offset_byte + 1] >> 6) & 0x03) | ((bytes[offset_byte + 2] & 0xff) << 2 ) | ( (bytes[offset_byte + 3] & 0x0f) << 10 );

data[i][offset_data + 2] = ( (bytes[offset_byte + 3] >> 4) & 0x0f) | ( (bytes[offset_byte + 4] ) << 4 ) | ( (bytes[offset_byte + 5] & 0x03) << 12 );

data[i][offset_data + 3] = ( (bytes[offset_byte + 5] >> 2) & 0x3f) | ( (bytes[offset_byte + 6] ) << 6 );
for (j = 0; j < SABER_KEYBYTES; j++) {
for (i = 0; i < 8; i++) {
bytes[j] = bytes[j] | ((data->coeffs[j * 8 + i] & 0x01) << i);
}
}


}

void PQCLEAN_SABER_AVX2_POLVEC2BS(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N], uint16_t modulus) {

if (modulus == 1024) {
PQCLEAN_SABER_AVX2_POLVECp2BS(bytes, data);
} else if (modulus == 8192) {
PQCLEAN_SABER_AVX2_POLVECq2BS(bytes, data);
}
}

void PQCLEAN_SABER_AVX2_BS2POLVEC(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes, uint16_t modulus) {

if (modulus == 1024) {
PQCLEAN_SABER_AVX2_BS2POLVECp(data, bytes);
} else if (modulus == 8192) {
PQCLEAN_SABER_AVX2_BS2POLVECq(data, bytes);
}

}

+ 9
- 37
crypto_kem/saber/avx2/pack_unpack.h View File

@@ -1,56 +1,28 @@
#ifndef PACK_UNPACK_H
#define PACK_UNPACK_H
#include "SABER_params.h"
#include "poly.h"
#include <stdint.h>
#include <stdio.h>

void PQCLEAN_SABER_AVX2_BS2POLq(uint16_t data[SABER_N], const uint8_t *bytes);
void PQCLEAN_SABER_AVX2_POLT2BS(uint8_t bytes[SABER_SCALEBYTES_KEM], const poly *data);

void PQCLEAN_SABER_AVX2_BS2POLVEC(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes, uint16_t modulus);
void PQCLEAN_SABER_AVX2_BS2POLT(poly *data, const uint8_t bytes[SABER_SCALEBYTES_KEM]);

void PQCLEAN_SABER_AVX2_BS2POLVECq(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes);

void PQCLEAN_SABER_AVX2_BS2POLVECp(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes);
void PQCLEAN_SABER_AVX2_POLVECq2BS(uint8_t bytes[SABER_POLYVECBYTES], const poly data[SABER_L]);

void PQCLEAN_SABER_AVX2_POLVECp2BS(uint8_t bytes[SABER_POLYVECCOMPRESSEDBYTES], const poly data[SABER_L]);

void PQCLEAN_SABER_AVX2_POLVEC2BS(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N], uint16_t modulus);

void PQCLEAN_SABER_AVX2_POLVECq2BS(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N]);
void PQCLEAN_SABER_AVX2_BS2POLVECq(poly data[SABER_L], const uint8_t bytes[SABER_POLYVECBYTES]);

void PQCLEAN_SABER_AVX2_POLVECp2BS(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N]);
void PQCLEAN_SABER_AVX2_BS2POLVECp(poly data[SABER_L], const uint8_t bytes[SABER_POLYVECCOMPRESSEDBYTES]);


void PQCLEAN_SABER_AVX2_SABER_pack_3bit(uint8_t *bytes, const uint16_t *data);
void PQCLEAN_SABER_AVX2_BS2POLmsg(poly *data, const uint8_t bytes[SABER_KEYBYTES]);

void PQCLEAN_SABER_AVX2_SABER_pack_4bit(uint8_t *bytes, const uint16_t *data);

void PQCLEAN_SABER_AVX2_SABER_pack_6bit(uint8_t *bytes, const uint16_t *data);

void PQCLEAN_SABER_AVX2_SABER_pack10bit(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N]);

void PQCLEAN_SABER_AVX2_SABER_pack11bit(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N]);

void PQCLEAN_SABER_AVX2_SABER_pack13bit(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N]);

void PQCLEAN_SABER_AVX2_SABER_pack14bit(uint8_t *bytes, const uint16_t data[SABER_K][SABER_N]);


void PQCLEAN_SABER_AVX2_SABER_poly_un_pack13bit(uint16_t data[SABER_N], const uint8_t *bytes);


void PQCLEAN_SABER_AVX2_SABER_un_pack3bit(uint16_t *data, const uint8_t *bytes);

void PQCLEAN_SABER_AVX2_SABER_un_pack4bit(uint16_t *data, const uint8_t *bytes);

void PQCLEAN_SABER_AVX2_SABER_un_pack6bit(uint16_t *data, const uint8_t *bytes);

void PQCLEAN_SABER_AVX2_SABER_un_pack10bit(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes);

void PQCLEAN_SABER_AVX2_SABER_un_pack11bit(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes);

void PQCLEAN_SABER_AVX2_SABER_un_pack13bit(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes);

void PQCLEAN_SABER_AVX2_SABER_un_pack14bit(uint16_t data[SABER_K][SABER_N], const uint8_t *bytes);
void PQCLEAN_SABER_AVX2_POLmsg2BS(uint8_t bytes[SABER_KEYBYTES], const poly *data);


#endif

+ 62
- 0
crypto_kem/saber/avx2/poly.c View File

@@ -0,0 +1,62 @@
#include "cbd.h"
#include "fips202.h"
#include "pack_unpack.h"
#include "poly.h"


void PQCLEAN_SABER_AVX2_MatrixVectorMul(poly c[SABER_L], const poly A[SABER_L][SABER_L], const toom4_points s_eval[SABER_L], int transpose) {
size_t i, j;
toom4_points_product c_eval;

if (transpose) {
for (i = 0; i < SABER_L; i++) {
PQCLEAN_SABER_AVX2_toom4_mul_A_by_B_eval(&c_eval, &A[0][i], &s_eval[0], 0);
for (j = 1; j < SABER_L; j++) {
PQCLEAN_SABER_AVX2_toom4_mul_A_by_B_eval(&c_eval, &A[j][i], &s_eval[j], 1);
}
PQCLEAN_SABER_AVX2_toom4_interp(&c[i], &c_eval);
}
} else {
for (i = 0; i < SABER_L; i++) {
PQCLEAN_SABER_AVX2_toom4_mul_A_by_B_eval(&c_eval, &A[i][0], &s_eval[0], 0);
for (j = 1; j < SABER_L; j++) {
PQCLEAN_SABER_AVX2_toom4_mul_A_by_B_eval(&c_eval, &A[i][j], &s_eval[j], 1);
}
PQCLEAN_SABER_AVX2_toom4_interp(&c[i], &c_eval);
}
}
}

void PQCLEAN_SABER_AVX2_InnerProd(poly *c, const poly b[SABER_L], const toom4_points s_eval[SABER_L]) {
size_t i;
toom4_points_product c_eval; //Holds results for 9 Karatsuba at a time

PQCLEAN_SABER_AVX2_toom4_mul_A_by_B_eval(&c_eval, &b[0], &s_eval[0], 0);
for (i = 1; i < SABER_L; i++) {
PQCLEAN_SABER_AVX2_toom4_mul_A_by_B_eval(&c_eval, &b[i], &s_eval[i], 1);
}

PQCLEAN_SABER_AVX2_toom4_interp(c, &c_eval);
}

void PQCLEAN_SABER_AVX2_GenMatrix(poly A[SABER_L][SABER_L], const uint8_t seed[SABER_SEEDBYTES]) {
size_t i;
uint8_t buf[SABER_L * SABER_POLYVECBYTES];

shake128(buf, sizeof(buf), seed, SABER_SEEDBYTES);

for (i = 0; i < SABER_L; i++) {
PQCLEAN_SABER_AVX2_BS2POLVECq(A[i], buf + i * SABER_POLYVECBYTES);
}
}

void PQCLEAN_SABER_AVX2_GenSecret(poly s[SABER_L], const uint8_t seed[SABER_NOISESEEDBYTES]) {
size_t i;
uint8_t buf[SABER_L * SABER_POLYCOINBYTES];

shake128(buf, sizeof(buf), seed, SABER_NOISESEEDBYTES);

for (i = 0; i < SABER_L; i++) {
PQCLEAN_SABER_AVX2_cbd(s[i].coeffs, buf + i * SABER_POLYCOINBYTES);
}
}

+ 24
- 12
crypto_kem/saber/avx2/poly.h View File

@@ -1,27 +1,38 @@
#ifndef POLY_H
#define POLY_H
/*---------------------------------------------------------------------
This file has been adapted from the implementation
(available at, Public Domain https://github.com/pq-crystals/kyber)
of "CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM"
by : Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint,
Vadim Lyubashevsky, John M. Schanck, Peter Schwabe & Damien stehle
#include "SABER_params.h"
#include <immintrin.h>
#include <stdint.h>

typedef struct {
typedef union {
uint16_t coeffs[SABER_N];
__m256i dummy;
} poly;

typedef struct {
poly vec[SABER_K];
} polyvec;
typedef union {
uint16_t coeffs[4 * SABER_N];
__m256i dummy;
} toom4_points;

void PQCLEAN_SABER_AVX2_poly_getnoise(uint16_t *r, const unsigned char *seed, unsigned char nonce);
typedef union {
uint16_t coeffs[8 * SABER_N];
__m256i dummy;
} toom4_points_product;

void PQCLEAN_SABER_AVX2_MatrixVectorMul(poly c[SABER_L], const poly A[SABER_L][SABER_L], const toom4_points s_eval[SABER_L], int transpose);

void PQCLEAN_SABER_AVX2_poly_getnoise4x(uint16_t *r0, uint16_t *r1, uint16_t *r2, const unsigned char *seed, unsigned char nonce0, unsigned char nonce1, unsigned char nonce2, unsigned char nonce3);
void PQCLEAN_SABER_AVX2_InnerProd(poly *c, const poly b[SABER_L], const toom4_points s_eval[SABER_L]);

void PQCLEAN_SABER_AVX2_GenMatrix(poly a[SABER_L][SABER_L], const uint8_t seed[SABER_SEEDBYTES]);

void PQCLEAN_SABER_AVX2_GenSecret(poly s[SABER_L], const uint8_t seed[SABER_NOISESEEDBYTES]);


void PQCLEAN_SABER_AVX2_toom4_interp(poly *res_avx, const toom4_points_product *c_eval);

void PQCLEAN_SABER_AVX2_toom4_eval(toom4_points *b_eval, const poly *b);

void PQCLEAN_SABER_AVX2_toom4_mul_A_by_B_eval(toom4_points_product *c_eval, const poly *a_avx, const toom4_points *b_eval, int accumulate);


#endif

+ 1524
- 0
crypto_kem/saber/avx2/poly_mul.c
File diff suppressed because it is too large
View File


+ 0
- 20
crypto_kem/saber/avx2/polymul/consts.h View File

@@ -1,20 +0,0 @@
#include "../SABER_params.h"

#define AVX_N (SABER_N >> 4)
#define small_len_avx (AVX_N >> 2)

#define SCHB_N 16

#define N_SB (SABER_N >> 2)
#define N_SB_RES (2*N_SB-1)

#define N_SB_16 (N_SB >> 2)
#define N_SB_16_RES (2*N_SB_16-1)

#define AVX_N1 16 /*N/16*/

#define SCM_SIZE 16

// The dimension of a vector. i.e vector has NUM_POLY elements and Matrix has NUM_POLY X NUM_POLY elements
#define NUM_POLY SABER_K
//int NUM_POLY=2;

+ 0
- 303
crypto_kem/saber/avx2/polymul/matrix.c View File

@@ -1,303 +0,0 @@
#include <immintrin.h>

static void transpose_n1(__m256i *M)
{
//int i;
register __m256i r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11;
register __m256i temp, temp0, temp1, temp2;

//for(i=0; i<8; i=i+1)
//{
r0 = _mm256_unpacklo_epi16(M[0], M[1]);
r1 = _mm256_unpacklo_epi16(M[2], M[3]);
r2 = _mm256_unpacklo_epi16(M[4], M[5]);
r3 = _mm256_unpacklo_epi16(M[6], M[7]);
r4 = _mm256_unpacklo_epi16(M[8], M[9]);
r5 = _mm256_unpacklo_epi16(M[10], M[11]);
r6 = _mm256_unpacklo_epi16(M[12], M[13]);
r7 = _mm256_unpacklo_epi16(M[14], M[15]);


temp = _mm256_unpacklo_epi32(r0, r1);
temp0 = _mm256_unpacklo_epi32(r2, r3);
temp1 = _mm256_unpacklo_epi32(r4, r5);
temp2 = _mm256_unpacklo_epi32(r6, r7);

r8 = _mm256_unpackhi_epi32(r0, r1);
r9 = _mm256_unpackhi_epi32(r2, r3);
r10 = _mm256_unpackhi_epi32(r4, r5);
r11 = _mm256_unpackhi_epi32(r6, r7);

r0 = _mm256_unpacklo_epi64(temp, temp0);
r2 = _mm256_unpackhi_epi64(temp, temp0);

r1 = _mm256_unpacklo_epi64(temp1, temp2);
r3 = _mm256_unpackhi_epi64(temp1, temp2);

temp = _mm256_unpackhi_epi16(M[0], M[1]);
temp0 = _mm256_unpackhi_epi16(M[2], M[3]);
temp1 = _mm256_unpackhi_epi16(M[4], M[5]);
temp2 = _mm256_unpackhi_epi16(M[6], M[7]);
r4 = _mm256_unpackhi_epi16(M[8], M[9]);

M[0] = _mm256_permute2f128_si256(r0, r1, 0x20);
M[8] = _mm256_permute2f128_si256(r0, r1, 0x31);
M[1] = _mm256_permute2f128_si256(r2, r3, 0x20);
M[9] = _mm256_permute2f128_si256(r2, r3, 0x31);


r5 = _mm256_unpackhi_epi16(M[10], M[11]);
r6 = _mm256_unpackhi_epi16(M[12], M[13]);
r7 = _mm256_unpackhi_epi16(M[14], M[15]);



r0 = _mm256_unpacklo_epi64(r8, r9);
r1 = _mm256_unpacklo_epi64(r10, r11);

r2 = _mm256_unpackhi_epi64(r8, r9);
r3 = _mm256_unpackhi_epi64(r10, r11);



M[3] = _mm256_permute2f128_si256(r2, r3, 0x20);
M[11] = _mm256_permute2f128_si256(r2, r3, 0x31);
M[2] = _mm256_permute2f128_si256(r0, r1, 0x20);
M[10] = _mm256_permute2f128_si256(r0, r1, 0x31);


//for(i=0; i<4; i=i+1)
//{
r0 = _mm256_unpacklo_epi32(temp, temp0);
r1 = _mm256_unpacklo_epi32(temp1, temp2);
r2 = _mm256_unpacklo_epi32(r4, r5);
r3 = _mm256_unpacklo_epi32(r6, r7);

//}


//for(i=0; i<2; i=i+1)
//{
r8 = _mm256_unpacklo_epi64(r0, r1);
r10 = _mm256_unpackhi_epi64(r0, r1);

r9 = _mm256_unpacklo_epi64(r2, r3);
r11 = _mm256_unpackhi_epi64(r2, r3);

M[4] = _mm256_permute2f128_si256(r8, r9, 0x20);
M[12] = _mm256_permute2f128_si256(r8, r9, 0x31);
M[5] = _mm256_permute2f128_si256(r10, r11, 0x20);
M[13] = _mm256_permute2f128_si256(r10, r11, 0x31);

r0 = _mm256_unpackhi_epi32(temp, temp0);
r1 = _mm256_unpackhi_epi32(temp1, temp2);
r2 = _mm256_unpackhi_epi32(r4, r5);
r3 = _mm256_unpackhi_epi32(r6, r7);

//}
// for(i=0; i<2; i=i+1)
// {
r4 = _mm256_unpacklo_epi64(r0, r1);
r6 = _mm256_unpackhi_epi64(r0, r1);

r5 = _mm256_unpacklo_epi64(r2, r3);
r7 = _mm256_unpackhi_epi64(r2, r3);

// }

//-------------------------------------------------------

M[6] = _mm256_permute2f128_si256(r4, r5, 0x20);
M[14] = _mm256_permute2f128_si256(r4, r5, 0x31);
M[7] = _mm256_permute2f128_si256(r6, r7, 0x20);
M[15] = _mm256_permute2f128_si256(r6, r7, 0x31);
}

/*
void transpose_unrolled(__m256i *M)
{
int i;
__m256i tL[8], tH[8];
__m256i bL[4], bH[4], cL[4], cH[4];
__m256i dL[2], dH[2], eL[2], eH[2], fL[2], fH[2], gL[2], gH[2];

__m256i r0, r1, r2, r3, r4, r5, r6, r7;

//for(i=0; i<8; i=i+1)
//{
tL[0] = _mm256_unpacklo_epi16(M[0], M[1]);
tH[0] = _mm256_unpackhi_epi16(M[0], M[1]);

tL[1] = _mm256_unpacklo_epi16(M[2], M[3]);
tH[1] = _mm256_unpackhi_epi16(M[2], M[3]);

tL[2] = _mm256_unpacklo_epi16(M[4], M[5]);
tH[2] = _mm256_unpackhi_epi16(M[4], M[5]);

tL[3] = _mm256_unpacklo_epi16(M[6], M[7]);
tH[3] = _mm256_unpackhi_epi16(M[6], M[7]);

tL[4] = _mm256_unpacklo_epi16(M[8], M[9]);
tH[4] = _mm256_unpackhi_epi16(M[8], M[9]);

tL[5] = _mm256_unpacklo_epi16(M[10], M[11]);
tH[5] = _mm256_unpackhi_epi16(M[10], M[11]);

tL[6] = _mm256_unpacklo_epi16(M[12], M[13]);
tH[6] = _mm256_unpackhi_epi16(M[12], M[13]);

tL[7] = _mm256_unpacklo_epi16(M[14], M[15]);
tH[7] = _mm256_unpackhi_epi16(M[14], M[15]);

//}

//-------------------------------------------------------
//for(i=0; i<4; i=i+1)
//{
bL[0] = _mm256_unpacklo_epi32(tL[0], tL[1]);
bH[0] = _mm256_unpackhi_epi32(tL[0], tL[1]);

bL[1] = _mm256_unpacklo_epi32(tL[2], tL[3]);
bH[1] = _mm256_unpackhi_epi32(tL[2], tL[3]);

bL[2] = _mm256_unpacklo_epi32(tL[4], tL[5]);
bH[2] = _mm256_unpackhi_epi32(tL[4], tL[5]);

bL[3] = _mm256_unpacklo_epi32(tL[6], tL[7]);
bH[3] = _mm256_unpackhi_epi32(tL[6], tL[7]);

//}

//for(i=0; i<2; i=i+1)
//{
dL[0] = _mm256_unpacklo_epi64(bL[0], bL[1]);
dH[0] = _mm256_unpackhi_epi64(bL[0], bL[1]);

dL[1] = _mm256_unpacklo_epi64(bL[2], bL[3]);
dH[1] = _mm256_unpackhi_epi64(bL[2], bL[3]);

M[0] = _mm256_permute2f128_si256(dL[0], dL[1], 0x20);
M[8] = _mm256_permute2f128_si256(dL[0], dL[1], 0x31);
M[1] = _mm256_permute2f128_si256(dH[0], dH[1], 0x20);
M[9] = _mm256_permute2f128_si256(dH[0], dH[1], 0x31);

//}
//for(i=0; i<2; i=i+1)
//{
eL[0] = _mm256_unpacklo_epi64(bH[0], bH[1]);
eH[0] = _mm256_unpackhi_epi64(bH[0], bH[1]);

eL[1] = _mm256_unpacklo_epi64(bH[2], bH[3]);
eH[1] = _mm256_unpackhi_epi64(bH[2], bH[3]);

//}

//-------------------------------------------------------

//-------------------------------------------------------
for(i=0; i<4; i=i+1)
{
cL[i] = _mm256_unpacklo_epi32(tH[2*i], tH[2*i+1]);
cH[i] = _mm256_unpackhi_epi32(tH[2*i], tH[2*i+1]);
}


for(i=0; i<2; i=i+1)
{
fL[i] = _mm256_unpacklo_epi64(cL[2*i], cL[2*i+1]);
fH[i] = _mm256_unpackhi_epi64(cL[2*i], cL[2*i+1]);
}
for(i=0; i<2; i=i+1)
{
gL[i] = _mm256_unpacklo_epi64(cH[2*i], cH[2*i+1]);
gH[i] = _mm256_unpackhi_epi64(cH[2*i], cH[2*i+1]);
}

//-------------------------------------------------------



M[2] = _mm256_permute2f128_si256(eL[0], eL[1], 0x20);
M[10] = _mm256_permute2f128_si256(eL[0], eL[1], 0x31);
M[3] = _mm256_permute2f128_si256(eH[0], eH[1], 0x20);
M[11] = _mm256_permute2f128_si256(eH[0], eH[1], 0x31);

M[4] = _mm256_permute2f128_si256(fL[0], fL[1], 0x20);
M[12] = _mm256_permute2f128_si256(fL[0], fL[1], 0x31);
M[5] = _mm256_permute2f128_si256(fH[0], fH[1], 0x20);
M[13] = _mm256_permute2f128_si256(fH[0], fH[1], 0x31);

M[6] = _mm256_permute2f128_si256(gL[0], gL[1], 0x20);
M[14] = _mm256_permute2f128_si256(gL[0], gL[1], 0x31);
M[7] = _mm256_permute2f128_si256(gH[0], gH[1], 0x20);
M[15] = _mm256_permute2f128_si256(gH[0], gH[1], 0x31);
}


void transpose1(__m256i *M)
{
int i;
__m256i tL[8], tH[8];
__m256i bL[4], bH[4], cL[4], cH[4];
__m256i dL[2], dH[2], eL[2], eH[2], fL[2], fH[2], gL[2], gH[2];

for(i=0; i<8; i=i+1)
{
tL[i] = _mm256_unpacklo_epi16(M[2*i], M[2*i+1]);
tH[i] = _mm256_unpackhi_epi16(M[2*i], M[2*i+1]);
}

for(i=0; i<4; i=i+1)
{
bL[i] = _mm256_unpacklo_epi32(tL[2*i], tL[2*i+1]);
bH[i] = _mm256_unpackhi_epi32(tL[2*i], tL[2*i+1]);
}
for(i=0; i<4; i=i+1)
{
cL[i] = _mm256_unpacklo_epi32(tH[2*i], tH[2*i+1]);
cH[i] = _mm256_unpackhi_epi32(tH[2*i], tH[2*i+1]);
}

for(i=0; i<2; i=i+1)
{
dL[i] = _mm256_unpacklo_epi64(bL[2*i], bL[2*i+1]);
dH[i] = _mm256_unpackhi_epi64(bL[2*i], bL[2*i+1]);
}
for(i=0; i<2; i=i+1)
{
eL[i] = _mm256_unpacklo_epi64(bH[2*i], bH[2*i+1]);
eH[i] = _mm256_unpackhi_epi64(bH[2*i], bH[2*i+1]);
}

for(i=0; i<2; i=i+1)
{
fL[i] = _mm256_unpacklo_epi64(cL[2*i], cL[2*i+1]);
fH[i] = _mm256_unpackhi_epi64(cL[2*i], cL[2*i+1]);
}
for(i=0; i<2; i=i+1)
{
gL[i] = _mm256_unpacklo_epi64(cH[2*i], cH[2*i+1]);
gH[i] = _mm256_unpackhi_epi64(cH[2*i], cH[2*i+1]);
}

M[0] = _mm256_permute2f128_si256(dL[0], dL[1], 0x20);
M[8] = _mm256_permute2f128_si256(dL[0], dL[1], 0x31);
M[1] = _mm256_permute2f128_si256(dH[0], dH[1], 0x20);
M[9] = _mm256_permute2f128_si256(dH[0], dH[1], 0x31);

M[2] = _mm256_permute2f128_si256(eL[0], eL[1], 0x20);
M[10] = _mm256_permute2f128_si256(eL[0], eL[1], 0x31);
M[3] = _mm256_permute2f128_si256(eH[0], eH[1], 0x20);
M[11] = _mm256_permute2f128_si256(eH[0], eH[1], 0x31);

M[4] = _mm256_permute2f128_si256(fL[0], fL[1], 0x20);
M[12] = _mm256_permute2f128_si256(fL[0], fL[1], 0x31);
M[5] = _mm256_permute2f128_si256(fH[0], fH[1], 0x20);
M[13] = _mm256_permute2f128_si256(fH[0], fH[1], 0x31);

M[6] = _mm256_permute2f128_si256(gL[0], gL[1], 0x20);
M[14] = _mm256_permute2f128_si256(gL[0], gL[1], 0x31);
M[7] = _mm256_permute2f128_si256(gH[0], gH[1], 0x20);
M[15] = _mm256_permute2f128_si256(gH[0], gH[1], 0x31);
}
*/

+ 0
- 753
crypto_kem/saber/avx2/polymul/scm_avx.c View File

@@ -1,753 +0,0 @@
//#define SCM_SIZE 16

//#pragma STDC FP_CONTRACT ON

#include <immintrin.h>

static inline __m256i mul_add(__m256i a, __m256i b, __m256i c) {
return _mm256_add_epi16(_mm256_mullo_epi16(a, b), c);
}


static void schoolbook_avx_new3_acc(__m256i* a, __m256i* b, __m256i* c_avx) ////8 coefficients of a and b has been prefetched
//the c_avx are added cummulatively
{

register __m256i a0, a1, a2, a3, a4, a5, a6, a7, b0, b1, b2, b3, b4, b5, b6, b7;
register __m256i temp;


a0=a[0];
a1=a[1];
a2=a[2];
a3=a[3];
a4=a[4];
a5=a[5];
a6=a[6];
a7=a[7];

b0=b[0];
b1=b[1];
b2=b[2];
b3=b[3];
b4=b[4];
b5=b[5];
b6=b[6];
b7=b[7];

// New Unrolled first triangle

//otherwise accumulate
c_avx[0] = mul_add(a0, b0, c_avx[0]);

temp = _mm256_mullo_epi16 (a0, b1);
temp=mul_add(a1, b0, temp);
c_avx[1] = _mm256_add_epi16(temp, c_avx[1]);


temp = _mm256_mullo_epi16 (a0, b2);
temp = mul_add(a1, b1, temp);
temp=mul_add(a2, b0, temp);
c_avx[2] = _mm256_add_epi16(temp, c_avx[2]);

temp = _mm256_mullo_epi16 (a0, b3);
temp = mul_add(a1, b2, temp);
temp = mul_add(a2, b1, temp);
temp=mul_add(a3, b0, temp);
c_avx[3] = _mm256_add_epi16(temp, c_avx[3]);

temp = _mm256_mullo_epi16 (a0, b4);
temp = mul_add(a1, b3, temp);
temp = mul_add(a3, b1, temp);
temp = mul_add(a4, b0, temp);
temp=mul_add(a2, b2, temp);
c_avx[4] = _mm256_add_epi16(temp, c_avx[4]);


temp = _mm256_mullo_epi16 (a0, b5);
temp = mul_add(a1, b4 , temp);
temp = mul_add(a2, b3, temp);
temp = mul_add(a3, b2, temp);
temp = mul_add( a4, b1, temp);
temp=mul_add(a5, b0, temp);
c_avx[5] = _mm256_add_epi16(temp, c_avx[5]);
temp = _mm256_mullo_epi16 (a0, b6);
temp = mul_add(a1, b5, temp);
temp = mul_add(a5, b1, temp);
temp = mul_add(a6, b0, temp);
temp = mul_add(a2, b4, temp);
temp = mul_add(a3, b3, temp);
temp=mul_add(a4, b2, temp);
c_avx[6] = _mm256_add_epi16(temp, c_avx[6]);


temp = _mm256_mullo_epi16 (a0, b7);
temp = mul_add(a1, b6, temp);
temp = mul_add (a6, b1, temp);
temp = mul_add (a7, b0, temp);
temp = mul_add(a2, b5, temp);
temp = mul_add (a3, b4, temp);
temp = mul_add (a4, b3, temp);
temp=mul_add(a5, b2, temp);
c_avx[7] = _mm256_add_epi16(temp, c_avx[7]);

temp = _mm256_mullo_epi16 (a0, b[8]);
temp = mul_add (a1, b7, temp);
temp = mul_add (a7, b1, temp);
temp = mul_add (a[8], b0, temp);
temp = mul_add (a2, b6,temp);
temp = mul_add(a3, b5, temp);
temp = mul_add (a4, b4,temp);
temp = mul_add (a5, b3, temp);
temp=mul_add(a6, b2, temp);
c_avx[8] = _mm256_add_epi16(temp, c_avx[8]);


temp = _mm256_mullo_epi16 (a0, b[9]);
temp = mul_add (a1, b[8], temp);
temp = mul_add (a[8], b1, temp);
temp = mul_add (a[9], b0, temp);
temp = mul_add (a2, b7, temp);
temp = mul_add (a3, b6, temp);
temp = mul_add (a4, b5, temp);
temp = mul_add (a5, b4, temp);
temp = mul_add (a6, b3, temp);
temp=mul_add(a7, b2, temp);
c_avx[9] = _mm256_add_epi16(temp, c_avx[9]);


temp= _mm256_mullo_epi16 (a0, b[10]);
temp = mul_add (a1, b[9], temp);
temp = mul_add (a[9], b1, temp);
temp = mul_add (a[10], b0, temp);
temp = mul_add (a2, b[8], temp);
temp = mul_add (a3, b7, temp);
temp = mul_add (a4, b6, temp);
temp = mul_add (a5, b5, temp);
temp = mul_add (a6, b4, temp);
temp = mul_add (a7, b3, temp);
temp=mul_add(a[8], b2, temp);
c_avx[10] = _mm256_add_epi16(temp, c_avx[10]);


temp = _mm256_mullo_epi16 (a0, b[11]);
temp = mul_add (a1, b[10], temp );
temp = mul_add (a[10], b1, temp );
temp = mul_add (a[11], b0, temp );
temp = mul_add (a2, b[9], temp );
temp = mul_add (a3, b[8], temp );
temp = mul_add (a4, b7, temp );
temp = mul_add (a5, b6, temp );
temp = mul_add (a6, b5, temp );
temp = mul_add (a7, b4, temp );
temp = mul_add (a[8], b3, temp );
temp=mul_add(a[9], b2, temp);
c_avx[11] = _mm256_add_epi16(temp, c_avx[11]);


temp = _mm256_mullo_epi16 (a0, b[12]);
temp = mul_add (a1, b[11], temp);
temp = mul_add (a[11], b1, temp);
temp = mul_add (a[12], b0, temp);
temp = mul_add (a2, b[10], temp);
temp = mul_add (a3, b[9], temp);
temp = mul_add (a4, b[8], temp);
temp = mul_add (a5, b7, temp);
temp = mul_add (a6, b6, temp);
temp = mul_add (a7, b5, temp);
temp = mul_add (a[8], b4, temp);
temp = mul_add (a[9], b3, temp);
temp=mul_add(a[10], b2, temp);
c_avx[12] = _mm256_add_epi16(temp, c_avx[12]);


temp = _mm256_mullo_epi16 (a0, b[13]);
temp = mul_add (a1, b[12], temp );
temp = mul_add (a[12], b1, temp );
temp = mul_add (a[13], b0, temp );
temp = mul_add (a2, b[11], temp );
temp = mul_add (a3, b[10], temp );
temp = mul_add (a4, b[9], temp );
temp = mul_add (a5, b[8], temp );
temp = mul_add (a6, b7, temp );
temp = mul_add (a7, b6, temp );
temp = mul_add (a[8], b5, temp );
temp = mul_add (a[9], b4, temp );
temp = mul_add (a[10], b3, temp );
temp=mul_add(a[11], b2, temp);
c_avx[13] = _mm256_add_epi16(temp, c_avx[13]);



temp = _mm256_mullo_epi16 (a0, b[14]);
temp = mul_add (a1, b[13], temp );
temp = mul_add (a[13], b1, temp );
temp = mul_add (a[14], b0, temp );
temp = mul_add (a2, b[12], temp );
temp = mul_add (a3, b[11], temp );
temp = mul_add (a4, b[10], temp );
temp = mul_add (a5, b[9], temp );
temp = mul_add (a6, b[8], temp );
temp = mul_add (a7, b7, temp );
temp = mul_add (a[8], b6, temp );
temp = mul_add (a[9], b5, temp );
temp = mul_add (a[10], b4, temp );
temp = mul_add (a[11], b3, temp );
temp=mul_add(a[12], b2, temp);
c_avx[14] = _mm256_add_epi16(temp, c_avx[14]);


temp = _mm256_mullo_epi16 (a0, b[15]);
temp = mul_add (a1, b[14], temp );
temp = mul_add (a[14], b1, temp );
temp = mul_add (a[15], b0, temp );
temp = mul_add (a2, b[13], temp );
temp = mul_add (a3, b[12], temp );
temp = mul_add (a4, b[11], temp );
temp = mul_add (a5, b[10], temp );
temp = mul_add (a6, b[9], temp );
temp = mul_add (a7, b[8], temp );
temp = mul_add (a[8], b7, temp );
temp = mul_add (a[9], b6, temp );
temp = mul_add (a[10], b5, temp );
temp = mul_add (a[11], b4, temp );
temp = mul_add (a[12], b3, temp );
temp=mul_add(a[13], b2, temp);
c_avx[15] = _mm256_add_epi16(temp, c_avx[15]);


// unrolled second triangle
a0=a[14];
a1=a[15];
a2=a[13];
a3=a[12];
a4=a[11];
a5=a[10];
a6=a[9];
a7=a[8];

b0=b[14];
b1=b[15];
b2=b[13];
b3=b[12];
b4=b[11];
b5=b[10];
b6=b[9];
b7=b[8];

temp = _mm256_mullo_epi16 (a[1], b1);
temp = mul_add (a[2], b0, temp );
temp = mul_add (a[3], b2, temp );
temp = mul_add (a[4], b3, temp );
temp = mul_add (a[5], b4, temp );
temp = mul_add (a[6], b5, temp );
temp = mul_add (a[7], b6, temp );
temp = mul_add (a7, b7, temp );
temp = mul_add (a6, b[7], temp );
temp = mul_add (a5, b[6], temp );
temp = mul_add (a4, b[5], temp );
temp = mul_add (a3, b[4], temp );
temp = mul_add (a2, b[3], temp );
temp = mul_add (a0, b[2], temp );
temp=mul_add(a1, b[1], temp);
c_avx[16] = _mm256_add_epi16(temp, c_avx[16]);


temp = _mm256_mullo_epi16 (a[2], b1);
temp = mul_add (a[3], b0, temp );
temp = mul_add (a[4], b2, temp );
temp = mul_add (a[5], b3, temp );
temp = mul_add (a[6], b4, temp );
temp = mul_add (a[7], b5, temp );
temp = mul_add (a7, b6, temp );
temp = mul_add (a6, b7, temp );
temp = mul_add (a5, b[7], temp );
temp = mul_add (a4, b[6], temp );
temp = mul_add (a3, b[5], temp );
temp = mul_add (a2, b[4], temp );
temp = mul_add (a0, b[3], temp );
temp=mul_add(a1, b[2], temp);
c_avx[17] = _mm256_add_epi16(temp, c_avx[17]);


temp = _mm256_mullo_epi16 (a[3], b1);
temp = mul_add (a[4], b0, temp );
temp = mul_add (a[5], b2, temp );
temp = mul_add (a[6], b3, temp );
temp = mul_add (a[7], b4, temp );
temp = mul_add (a7, b5, temp );
temp = mul_add (a6, b6, temp );
temp = mul_add (a5, b7, temp );
temp = mul_add (a4, b[7], temp );
temp = mul_add (a3, b[6], temp );
temp = mul_add (a2, b[5], temp );
temp = mul_add (a0, b[4], temp );
temp=mul_add(a1, b[3], temp);
c_avx[18] = _mm256_add_epi16(temp, c_avx[18]);


temp = _mm256_mullo_epi16 (a[4], b1);
temp = mul_add (a[5], b0, temp );
temp = mul_add (a[6], b2, temp );
temp = mul_add (a[7], b3, temp );
temp = mul_add (a7, b4, temp );
temp = mul_add (a6, b5, temp );
temp = mul_add (a5, b6, temp );
temp = mul_add (a4, b7, temp );
temp = mul_add (a3, b[7], temp );
temp = mul_add (a2, b[6], temp );
temp = mul_add (a0, b[5], temp );
temp=mul_add(a1, b[4], temp);
c_avx[19] = _mm256_add_epi16(temp, c_avx[19]);


temp = _mm256_mullo_epi16 (a[5], b1);
temp = mul_add (a[6], b0, temp );
temp = mul_add (a[7], b2, temp );
temp = mul_add (a7, b3, temp );
temp = mul_add (a6, b4, temp );
temp = mul_add (a5, b5, temp );
temp = mul_add (a4, b6, temp );
temp = mul_add (a3, b7, temp );
temp = mul_add (a2, b[7], temp );
temp = mul_add (a0, b[6], temp );
temp=mul_add(a1, b[5], temp);
c_avx[20] = _mm256_add_epi16(temp, c_avx[20]);


temp = _mm256_mullo_epi16 (a[6], b1);
temp = mul_add (a[7], b0, temp );
temp = mul_add (a7, b2, temp );
temp = mul_add (a6, b3, temp );
temp = mul_add (a5, b4, temp );
temp = mul_add (a4, b5, temp );
temp = mul_add (a3, b6, temp );
temp = mul_add (a2, b7, temp );
temp = mul_add (a0, b[7], temp );
temp=mul_add(a1, b[6], temp);
c_avx[21] = _mm256_add_epi16(temp, c_avx[21]);


temp = _mm256_mullo_epi16 (a[7], b1);
temp = mul_add (a7, b0, temp );
temp = mul_add (a6, b2, temp );
temp = mul_add (a5, b3, temp );
temp = mul_add (a4, b4, temp );
temp = mul_add (a3, b5, temp );
temp = mul_add (a2, b6, temp );
temp = mul_add (a0, b7, temp );
temp=mul_add(a1, b[7], temp);
c_avx[22] = _mm256_add_epi16(temp, c_avx[22]);


temp = _mm256_mullo_epi16 (a7, b1);
temp = mul_add (a6, b0, temp );
temp = mul_add (a5, b2, temp );
temp = mul_add (a4, b3, temp );
temp = mul_add (a3, b4, temp );
temp = mul_add (a2, b5, temp );
temp = mul_add (a0, b6, temp );
temp=mul_add(a1, b7, temp);
c_avx[23] = _mm256_add_epi16(temp, c_avx[23]);


temp = _mm256_mullo_epi16 (a6, b1);
temp = mul_add (a5, b0, temp );
temp = mul_add (a4, b2, temp );
temp = mul_add (a3, b3, temp );
temp = mul_add (a2, b4, temp );
temp = mul_add (a0, b5, temp );
temp=mul_add(a1, b6, temp);
c_avx[24] = _mm256_add_epi16(temp, c_avx[24]);


temp = _mm256_mullo_epi16 (a5, b1);
temp = mul_add (a4, b0, temp );
temp = mul_add (a3, b2, temp );
temp = mul_add (a2, b3, temp );
temp = mul_add (a0, b4, temp );
temp=mul_add(a1, b5, temp);
c_avx[25] = _mm256_add_epi16(temp, c_avx[25]);


temp = _mm256_mullo_epi16 (a4, b1);
temp = mul_add (a3, b0, temp );
temp = mul_add (a2, b2, temp );
temp = mul_add (a0, b3, temp );
temp=mul_add(a1, b4, temp);
c_avx[26] = _mm256_add_epi16(temp, c_avx[26]);


temp = _mm256_mullo_epi16 (a3, b1);
temp = mul_add (a2, b0, temp );
temp = mul_add (a0, b2, temp );
temp=mul_add(a1, b3, temp);
c_avx[27] = _mm256_add_epi16(temp, c_avx[27]);


temp = _mm256_mullo_epi16 (a2, b1);
temp = mul_add (a0, b0, temp );
temp=mul_add(a1, b2, temp);
c_avx[28] = _mm256_add_epi16(temp, c_avx[28]);


temp = _mm256_mullo_epi16 (a0, b1);
temp=mul_add(a1, b0, temp);
c_avx[29] = _mm256_add_epi16(temp, c_avx[29]);


c_avx[30] = mul_add(a1, b1, c_avx[30]);



c_avx[2*SCM_SIZE-1] = _mm256_set_epi64x(0, 0, 0, 0);


}



static void schoolbook_avx_new2(__m256i* a, __m256i* b, __m256i* c_avx) ////8 coefficients of a and b has been prefetched
//the c_avx are not added cummulatively
{

__m256i a0, a1, a2, a3, a4, a5, a6, a7, b0, b1, b2, b3, b4, b5, b6, b7;
__m256i temp;


a0=a[0];
a1=a[1];
a2=a[2];
a3=a[3];
a4=a[4];
a5=a[5];
a6=a[6];
a7=a[7];

b0=b[0];
b1=b[1];
b2=b[2];
b3=b[3];
b4=b[4];
b5=b[5];
b6=b[6];
b7=b[7];

// New Unrolled first triangle
c_avx[0] = _mm256_mullo_epi16 (a0, b0);

temp = _mm256_mullo_epi16 (a0, b1);
c_avx[1]=mul_add(a1, b0, temp);

temp = _mm256_mullo_epi16 (a0, b2);

temp = mul_add(a1, b1, temp);
c_avx[2]= mul_add(a2, b0, temp);

temp = _mm256_mullo_epi16 (a0, b3);
temp = mul_add(a1, b2, temp);
temp = mul_add(a2, b1, temp);
c_avx[3]= mul_add(a3, b0, temp);

temp = _mm256_mullo_epi16 (a0, b4);
temp = mul_add(a1, b3, temp);
temp = mul_add(a3, b1, temp);
temp = mul_add(a4, b0, temp);
c_avx[4]= mul_add(a2, b2, temp);

temp = _mm256_mullo_epi16 (a0, b5);
temp = mul_add(a1, b4 , temp);
temp = mul_add(a2, b3, temp);
temp = mul_add(a3, b2, temp);
temp = mul_add( a4, b1, temp);
c_avx[5] = mul_add(a5, b0, temp);
temp = _mm256_mullo_epi16 (a0, b6);
temp = mul_add(a1, b5, temp);
temp = mul_add(a5, b1, temp);
temp = mul_add(a6, b0, temp);
temp = mul_add(a2, b4, temp);
temp = mul_add(a3, b3, temp);
c_avx[6] = mul_add(a4, b2, temp);

temp = _mm256_mullo_epi16 (a0, b7);
temp = mul_add(a1, b6, temp);
temp = mul_add (a6, b1, temp);
temp = mul_add (a7, b0, temp);
temp = mul_add(a2, b5, temp);
temp = mul_add (a3, b4, temp);
temp = mul_add (a4, b3, temp);
c_avx[7] = mul_add (a5, b2, temp);

temp = _mm256_mullo_epi16 (a0, b[8]);
temp = mul_add (a1, b7, temp);
temp = mul_add (a7, b1, temp);
temp = mul_add (a[8], b0, temp);
temp = mul_add (a2, b6,temp);
temp = mul_add(a3, b5, temp);
temp = mul_add (a4, b4,temp);
temp = mul_add (a5, b3, temp);
c_avx[8] = mul_add (a6, b2, temp);

temp = _mm256_mullo_epi16 (a0, b[9]);
temp = mul_add (a1, b[8], temp);
temp = mul_add (a[8], b1, temp);
temp = mul_add (a[9], b0, temp);
temp = mul_add (a2, b7, temp);
temp = mul_add (a3, b6, temp);
temp = mul_add (a4, b5, temp);
temp = mul_add (a5, b4, temp);
temp = mul_add (a6, b3, temp);
c_avx[9] = mul_add (a7, b2, temp);

temp= _mm256_mullo_epi16 (a0, b[10]);
temp = mul_add (a1, b[9], temp);
temp = mul_add (a[9], b1, temp);
temp = mul_add (a[10], b0, temp);
temp = mul_add (a2, b[8], temp);
temp = mul_add (a3, b7, temp);
temp = mul_add (a4, b6, temp);
temp = mul_add (a5, b5, temp);
temp = mul_add (a6, b4, temp);
temp = mul_add (a7, b3, temp);
c_avx[10] = mul_add (a[8], b2, temp);

temp = _mm256_mullo_epi16 (a0, b[11]);
temp = mul_add (a1, b[10], temp );
temp = mul_add (a[10], b1, temp );
temp = mul_add (a[11], b0, temp );
temp = mul_add (a2, b[9], temp );
temp = mul_add (a3, b[8], temp );
temp = mul_add (a4, b7, temp );
temp = mul_add (a5, b6, temp );
temp = mul_add (a6, b5, temp );
temp = mul_add (a7, b4, temp );
temp = mul_add (a[8], b3, temp );
c_avx[11] = mul_add (a[9], b2, temp );

temp = _mm256_mullo_epi16 (a0, b[12]);
temp = mul_add (a1, b[11], temp);
temp = mul_add (a[11], b1, temp);
temp = mul_add (a[12], b0, temp);
temp = mul_add (a2, b[10], temp);
temp = mul_add (a3, b[9], temp);
temp = mul_add (a4, b[8], temp);
temp = mul_add (a5, b7, temp);
temp = mul_add (a6, b6, temp);
temp = mul_add (a7, b5, temp);
temp = mul_add (a[8], b4, temp);
temp = mul_add (a[9], b3, temp);
c_avx[12] = mul_add (a[10], b2, temp);

temp = _mm256_mullo_epi16 (a0, b[13]);
temp = mul_add (a1, b[12], temp );
temp = mul_add (a[12], b1, temp );
temp = mul_add (a[13], b0, temp );
temp = mul_add (a2, b[11], temp );
temp = mul_add (a3, b[10], temp );
temp = mul_add (a4, b[9], temp );
temp = mul_add (a5, b[8], temp );
temp = mul_add (a6, b7, temp );
temp = mul_add (a7, b6, temp );
temp = mul_add (a[8], b5, temp );
temp = mul_add (a[9], b4, temp );
temp = mul_add (a[10], b3, temp );
c_avx[13] = mul_add (a[11], b2, temp );

temp = _mm256_mullo_epi16 (a0, b[14]);
temp = mul_add (a1, b[13], temp );
temp = mul_add (a[13], b1, temp );
temp = mul_add (a[14], b0, temp );
temp = mul_add (a2, b[12], temp );
temp = mul_add (a3, b[11], temp );
temp = mul_add (a4, b[10], temp );
temp = mul_add (a5, b[9], temp );
temp = mul_add (a6, b[8], temp );
temp = mul_add (a7, b7, temp );
temp = mul_add (a[8], b6, temp );
temp = mul_add (a[9], b5, temp );
temp = mul_add (a[10], b4, temp );
temp = mul_add (a[11], b3, temp );
c_avx[14] = mul_add (a[12], b2, temp );

temp = _mm256_mullo_epi16 (a0, b[15]);
temp = mul_add (a1, b[14], temp );
temp = mul_add (a[14], b1, temp );
temp = mul_add (a[15], b0, temp );
temp = mul_add (a2, b[13], temp );
temp = mul_add (a3, b[12], temp );
temp = mul_add (a4, b[11], temp );
temp = mul_add (a5, b[10], temp );
temp = mul_add (a6, b[9], temp );
temp = mul_add (a7, b[8], temp );
temp = mul_add (a[8], b7, temp );
temp = mul_add (a[9], b6, temp );
temp = mul_add (a[10], b5, temp );
temp = mul_add (a[11], b4, temp );
temp = mul_add (a[12], b3, temp );
c_avx[15] = mul_add (a[13], b2, temp );


// unrolled second triangle
a0=a[14];
a1=a[15];
a2=a[13];
a3=a[12];
a4=a[11];
a5=a[10];
a6=a[9];
a7=a[8];

b0=b[14];
b1=b[15];
b2=b[13];
b3=b[12];
b4=b[11];
b5=b[10];
b6=b[9];
b7=b[8];

temp = _mm256_mullo_epi16 (a[1], b1);
temp = mul_add (a[2], b0, temp );
temp = mul_add (a[3], b2, temp );
temp = mul_add (a[4], b3, temp );
temp = mul_add (a[5], b4, temp );
temp = mul_add (a[6], b5, temp );
temp = mul_add (a[7], b6, temp );
temp = mul_add (a7, b7, temp );
temp = mul_add (a6, b[7], temp );
temp = mul_add (a5, b[6], temp );
temp = mul_add (a4, b[5], temp );
temp = mul_add (a3, b[4], temp );
temp = mul_add (a2, b[3], temp );
temp = mul_add (a0, b[2], temp );
c_avx[16] = mul_add (a1, b[1], temp );

temp = _mm256_mullo_epi16 (a[2], b1);
temp = mul_add (a[3], b0, temp );
temp = mul_add (a[4], b2, temp );
temp = mul_add (a[5], b3, temp );
temp = mul_add (a[6], b4, temp );
temp = mul_add (a[7], b5, temp );
temp = mul_add (a7, b6, temp );
temp = mul_add (a6, b7, temp );
temp = mul_add (a5, b[7], temp );
temp = mul_add (a4, b[6], temp );
temp = mul_add (a3, b[5], temp );
temp = mul_add (a2, b[4], temp );
temp = mul_add (a0, b[3], temp );
c_avx[17] = mul_add (a1, b[2], temp );

temp = _mm256_mullo_epi16 (a[3], b1);
temp = mul_add (a[4], b0, temp );
temp = mul_add (a[5], b2, temp );
temp = mul_add (a[6], b3, temp );
temp = mul_add (a[7], b4, temp );
temp = mul_add (a7, b5, temp );
temp = mul_add (a6, b6, temp );
temp = mul_add (a5, b7, temp );
temp = mul_add (a4, b[7], temp );
temp = mul_add (a3, b[6], temp );
temp = mul_add (a2, b[5], temp );
temp = mul_add (a0, b[4], temp );
c_avx[18] = mul_add (a1, b[3], temp );

temp = _mm256_mullo_epi16 (a[4], b1);
temp = mul_add (a[5], b0, temp );
temp = mul_add (a[6], b2, temp );
temp = mul_add (a[7], b3, temp );
temp = mul_add (a7, b4, temp );
temp = mul_add (a6, b5, temp );
temp = mul_add (a5, b6, temp );
temp = mul_add (a4, b7, temp );
temp = mul_add (a3, b[7], temp );
temp = mul_add (a2, b[6], temp );
temp = mul_add (a0, b[5], temp );
c_avx[19] = mul_add (a1, b[4], temp );

temp = _mm256_mullo_epi16 (a[5], b1);
temp = mul_add (a[6], b0, temp );
temp = mul_add (a[7], b2, temp );
temp = mul_add (a7, b3, temp );
temp = mul_add (a6, b4, temp );
temp = mul_add (a5, b5, temp );
temp = mul_add (a4, b6, temp );
temp = mul_add (a3, b7, temp );
temp = mul_add (a2, b[7], temp );
temp = mul_add (a0, b[6], temp );
c_avx[20] = mul_add (a1, b[5], temp );

temp = _mm256_mullo_epi16 (a[6], b1);
temp = mul_add (a[7], b0, temp );
temp = mul_add (a7, b2, temp );
temp = mul_add (a6, b3, temp );
temp = mul_add (a5, b4, temp );
temp = mul_add (a4, b5, temp );
temp = mul_add (a3, b6, temp );
temp = mul_add (a2, b7, temp );
temp = mul_add (a0, b[7], temp );
c_avx[21] = mul_add (a1, b[6], temp );

temp = _mm256_mullo_epi16 (a[7], b1);
temp = mul_add (a7, b0, temp );
temp = mul_add (a6, b2, temp );
temp = mul_add (a5, b3, temp );
temp = mul_add (a4, b4, temp );
temp = mul_add (a3, b5, temp );
temp = mul_add (a2, b6, temp );
temp = mul_add (a0, b7, temp );
c_avx[22] = mul_add (a1, b[7], temp );

temp = _mm256_mullo_epi16 (a7, b1);
temp = mul_add (a6, b0, temp );
temp = mul_add (a5, b2, temp );
temp = mul_add (a4, b3, temp );
temp = mul_add (a3, b4, temp );
temp = mul_add (a2, b5, temp );
temp = mul_add (a0, b6, temp );
c_avx[23] = mul_add (a1, b7, temp );

temp = _mm256_mullo_epi16 (a6, b1);
temp = mul_add (a5, b0, temp );
temp = mul_add (a4, b2, temp );
temp = mul_add (a3, b3, temp );
temp = mul_add (a2, b4, temp );
temp = mul_add (a0, b5, temp );
c_avx[24] = mul_add (a1, b6, temp );

temp = _mm256_mullo_epi16 (a5, b1);
temp = mul_add (a4, b0, temp );
temp = mul_add (a3, b2, temp );
temp = mul_add (a2, b3, temp );
temp = mul_add (a0, b4, temp );
c_avx[25] = mul_add (a1, b5, temp );

temp = _mm256_mullo_epi16 (a4, b1);
temp = mul_add (a3, b0, temp );
temp = mul_add (a2, b2, temp );
temp = mul_add (a0, b3, temp );
c_avx[26] = mul_add (a1, b4, temp );

temp = _mm256_mullo_epi16 (a3, b1);
temp = mul_add (a2, b0, temp );
temp = mul_add (a0, b2, temp );
c_avx[27] = mul_add (a1, b3, temp );

temp = _mm256_mullo_epi16 (a2, b1);
temp = mul_add (a0, b0, temp );
c_avx[28] = mul_add (a1, b2, temp );

temp = _mm256_mullo_epi16 (a0, b1);
c_avx[29] = mul_add (a1, b0, temp);

c_avx[30] = _mm256_mullo_epi16 (a1, b1);


c_avx[2*SCM_SIZE-1] = _mm256_set_epi64x(0, 0, 0, 0);

}

+ 0
- 1010
crypto_kem/saber/avx2/polymul/toom-cook_4way.c
File diff suppressed because it is too large
View File


+ 63
- 42
crypto_kem/saber/clean/SABER_indcpa.c View File

@@ -11,81 +11,102 @@
#define h2 ((1 << (SABER_EP - 2)) - (1 << (SABER_EP - SABER_ET - 1)) + (1 << (SABER_EQ - SABER_EP - 1)))

void PQCLEAN_SABER_CLEAN_indcpa_kem_keypair(uint8_t pk[SABER_INDCPA_PUBLICKEYBYTES], uint8_t sk[SABER_INDCPA_SECRETKEYBYTES]) {
uint16_t A[SABER_L][SABER_L][SABER_N];
uint16_t s[SABER_L][SABER_N];
uint16_t b[SABER_L][SABER_N] = {{0}};

uint8_t seed_A[SABER_SEEDBYTES];
uint8_t seed_s[SABER_NOISE_SEEDBYTES];
size_t i, j;

poly A[SABER_L][SABER_L];
poly s[SABER_L];
poly res[SABER_L];

uint8_t rand[SABER_NOISESEEDBYTES];
uint8_t *seed_A = pk + SABER_POLYVECCOMPRESSEDBYTES;

randombytes(seed_A, SABER_SEEDBYTES);
shake128(seed_A, SABER_SEEDBYTES, seed_A, SABER_SEEDBYTES); // for not revealing system RNG state
randombytes(seed_s, SABER_NOISE_SEEDBYTES);

PQCLEAN_SABER_CLEAN_GenMatrix(A, seed_A);
PQCLEAN_SABER_CLEAN_GenSecret(s, seed_s);
PQCLEAN_SABER_CLEAN_MatrixVectorMul(b, (const uint16_t (*)[SABER_L][SABER_N])A, (const uint16_t (*)[SABER_N])s, 1);
randombytes(rand, SABER_NOISESEEDBYTES);
PQCLEAN_SABER_CLEAN_GenSecret(s, rand);
PQCLEAN_SABER_CLEAN_POLVECq2BS(sk, s);

PQCLEAN_SABER_CLEAN_GenMatrix(A, seed_A); // sample matrix A
PQCLEAN_SABER_CLEAN_MatrixVectorMul(res, (const poly (*)[SABER_L])A, (const poly *)s, 1); // Matrix in transposed order


// rounding
for (i = 0; i < SABER_L; i++) {
for (j = 0; j < SABER_N; j++) {
b[i][j] = (b[i][j] + h1) >> (SABER_EQ - SABER_EP);
res[i].coeffs[j] += h1;
res[i].coeffs[j] >>= SABER_EQ - SABER_EP;
res[i].coeffs[j] &= SABER_Q - 1;
}
}

PQCLEAN_SABER_CLEAN_POLVECq2BS(sk, (const uint16_t (*)[SABER_N])s);
PQCLEAN_SABER_CLEAN_POLVECp2BS(pk, (const uint16_t (*)[SABER_N])b);
memcpy(pk + SABER_POLYVECCOMPRESSEDBYTES, seed_A, sizeof(seed_A));
PQCLEAN_SABER_CLEAN_POLVECp2BS(pk, res); // pack public key
}

void PQCLEAN_SABER_CLEAN_indcpa_kem_enc(uint8_t ciphertext[SABER_BYTES_CCA_DEC], const uint8_t m[SABER_KEYBYTES], const uint8_t seed_sp[SABER_NOISE_SEEDBYTES], const uint8_t pk[SABER_INDCPA_PUBLICKEYBYTES]) {
uint16_t A[SABER_L][SABER_L][SABER_N];
uint16_t sp[SABER_L][SABER_N];
uint16_t bp[SABER_L][SABER_N] = {{0}};
uint16_t vp[SABER_N] = {0};
uint16_t mp[SABER_N];
uint16_t b[SABER_L][SABER_N];

void PQCLEAN_SABER_CLEAN_indcpa_kem_enc(uint8_t ciphertext[SABER_BYTES_CCA_DEC], const uint8_t m[SABER_KEYBYTES], const uint8_t noiseseed[SABER_NOISESEEDBYTES], const uint8_t pk[SABER_INDCPA_PUBLICKEYBYTES]) {
size_t i, j;

poly A[SABER_L][SABER_L];
poly res[SABER_L];
poly s[SABER_L];
poly *temp = A[0]; // re-use stack space
poly *vprime = &A[0][0];
poly *message = &A[0][1];

const uint8_t *seed_A = pk + SABER_POLYVECCOMPRESSEDBYTES;
uint8_t *msk_c = ciphertext + SABER_POLYVECCOMPRESSEDBYTES;

PQCLEAN_SABER_CLEAN_GenSecret(s, noiseseed);
PQCLEAN_SABER_CLEAN_GenMatrix(A, seed_A);
PQCLEAN_SABER_CLEAN_GenSecret(sp, seed_sp);
PQCLEAN_SABER_CLEAN_MatrixVectorMul(bp, (const uint16_t (*)[SABER_L][SABER_N])A, (const uint16_t (*)[SABER_N])sp, 0);
PQCLEAN_SABER_CLEAN_MatrixVectorMul(res, (const poly (*)[SABER_L])A, (const poly *)s, 0); // 0 => not transposed

for (i = 0; i < SABER_L; i++) {

// rounding
for (i = 0; i < SABER_L; i++) { //shift right EQ-EP bits
for (j = 0; j < SABER_N; j++) {
bp[i][j] = (bp[i][j] + h1) >> (SABER_EQ - SABER_EP);
res[i].coeffs[j] += h1;
res[i].coeffs[j] >>= SABER_EQ - SABER_EP;
res[i].coeffs[j] &= SABER_Q - 1;
}
}
PQCLEAN_SABER_CLEAN_POLVECp2BS(ciphertext, res);

PQCLEAN_SABER_CLEAN_POLVECp2BS(ciphertext, (const uint16_t (*)[SABER_N])bp);
PQCLEAN_SABER_CLEAN_BS2POLVECp(b, pk);
PQCLEAN_SABER_CLEAN_InnerProd(vp, (const uint16_t (*)[SABER_N])b, (const uint16_t (*)[SABER_N])sp);

PQCLEAN_SABER_CLEAN_BS2POLmsg(mp, m);
// vector-vector scalar multiplication with mod p
PQCLEAN_SABER_CLEAN_BS2POLVECp(temp, pk);
PQCLEAN_SABER_CLEAN_InnerProd(vprime, temp, s);
PQCLEAN_SABER_CLEAN_BS2POLmsg(message, m);

for (j = 0; j < SABER_N; j++) {
vp[j] = (vp[j] - (mp[j] << (SABER_EP - 1)) + h1) >> (SABER_EP - SABER_ET);
for (i = 0; i < SABER_N; i++) {
vprime->coeffs[i] += h1 - (message->coeffs[i] << (SABER_EP - 1));
vprime->coeffs[i] &= SABER_P - 1;
vprime->coeffs[i] >>= SABER_EP - SABER_ET;
}

PQCLEAN_SABER_CLEAN_POLT2BS(ciphertext + SABER_POLYVECCOMPRESSEDBYTES, vp);
PQCLEAN_SABER_CLEAN_POLT2BS(msk_c, vprime);
}

void PQCLEAN_SABER_CLEAN_indcpa_kem_dec(uint8_t m[SABER_KEYBYTES], const uint8_t sk[SABER_INDCPA_SECRETKEYBYTES], const uint8_t ciphertext[SABER_BYTES_CCA_DEC]) {

uint16_t s[SABER_L][SABER_N];
uint16_t b[SABER_L][SABER_N];
uint16_t v[SABER_N] = {0};
uint16_t cm[SABER_N];
void PQCLEAN_SABER_CLEAN_indcpa_kem_dec(uint8_t m[SABER_KEYBYTES], const uint8_t sk[SABER_INDCPA_SECRETKEYBYTES], const uint8_t ciphertext[SABER_BYTES_CCA_DEC]) {
size_t i;

poly temp[SABER_L];
poly s[SABER_L];

const uint8_t *packed_cm = ciphertext + SABER_POLYVECCOMPRESSEDBYTES;
poly *v = &temp[0];
poly *cm = &temp[1];

PQCLEAN_SABER_CLEAN_BS2POLVECq(s, sk);
PQCLEAN_SABER_CLEAN_BS2POLVECp(b, ciphertext);
PQCLEAN_SABER_CLEAN_InnerProd(v, (const uint16_t (*)[SABER_N])b, (const uint16_t (*)[SABER_N])s);
PQCLEAN_SABER_CLEAN_BS2POLT(cm, ciphertext + SABER_POLYVECCOMPRESSEDBYTES);
PQCLEAN_SABER_CLEAN_BS2POLVECp(temp, ciphertext);
PQCLEAN_SABER_CLEAN_InnerProd(&temp[0], temp, s);

PQCLEAN_SABER_CLEAN_BS2POLT(cm, packed_cm);

for (i = 0; i < SABER_N; i++) {
v[i] = (v[i] + h2 - (cm[i] << (SABER_EP - SABER_ET))) >> (SABER_EP - 1);
v->coeffs[i] += h2 - (cm->coeffs[i] << (SABER_EP - SABER_ET));
v->coeffs[i] &= SABER_P - 1;
v->coeffs[i] >>= SABER_EP - 1;
}

PQCLEAN_SABER_CLEAN_POLmsg2BS(m, v);


+ 1
- 1
crypto_kem/saber/clean/SABER_indcpa.h View File

@@ -5,7 +5,7 @@

void PQCLEAN_SABER_CLEAN_indcpa_kem_keypair(uint8_t pk[SABER_INDCPA_PUBLICKEYBYTES], uint8_t sk[SABER_INDCPA_SECRETKEYBYTES]);

void PQCLEAN_SABER_CLEAN_indcpa_kem_enc(uint8_t ciphertext[SABER_BYTES_CCA_DEC], const uint8_t m[SABER_KEYBYTES], const uint8_t seed_sp[SABER_NOISE_SEEDBYTES], const uint8_t pk[SABER_INDCPA_PUBLICKEYBYTES]);
void PQCLEAN_SABER_CLEAN_indcpa_kem_enc(uint8_t ciphertext[SABER_BYTES_CCA_DEC], const uint8_t m[SABER_KEYBYTES], const uint8_t noiseseed[SABER_NOISESEEDBYTES], const uint8_t pk[SABER_INDCPA_PUBLICKEYBYTES]);

void PQCLEAN_SABER_CLEAN_indcpa_kem_dec(uint8_t m[SABER_KEYBYTES], const uint8_t sk[SABER_INDCPA_SECRETKEYBYTES], const uint8_t ciphertext[SABER_BYTES_CCA_DEC]);



+ 7
- 5
crypto_kem/saber/clean/SABER_params.h View File

@@ -2,19 +2,21 @@
#define PARAMS_H


/* Change this for different security strengths */

/* Don't change anything below this line */
#define SABER_L 3
#define SABER_MU 8
#define SABER_ET 4

#define SABER_EQ 13
#define SABER_EP 10
#define SABER_N 256

#define SABER_EP 10
#define SABER_P (1 << SABER_EP)

#define SABER_EQ 13
#define SABER_Q (1 << SABER_EQ)

#define SABER_SEEDBYTES 32
#define SABER_NOISE_SEEDBYTES 32
#define SABER_NOISESEEDBYTES 32
#define SABER_KEYBYTES 32
#define SABER_HASHBYTES 32



+ 1
- 1
crypto_kem/saber/clean/api.h View File

@@ -15,4 +15,4 @@ int PQCLEAN_SABER_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *k, cons
int PQCLEAN_SABER_CLEAN_crypto_kem_dec(unsigned char *k, const unsigned char *ct, const unsigned char *sk);


#endif /* api_h */
#endif /* PQCLEAN_SABER_CLEAN_API_H */

+ 83
- 70
crypto_kem/saber/clean/pack_unpack.c View File

@@ -1,132 +1,145 @@
#include "api.h"
#include "SABER_params.h"
#include "pack_unpack.h"
#include "poly.h"
#include <string.h>

void PQCLEAN_SABER_CLEAN_POLT2BS(uint8_t bytes[SABER_SCALEBYTES_KEM], const uint16_t data[SABER_N]) {
size_t j, offset_byte, offset_data;
void PQCLEAN_SABER_CLEAN_POLT2BS(uint8_t bytes[SABER_SCALEBYTES_KEM], const poly *data) {
size_t j;
const uint16_t *in = data->coeffs;
uint8_t *out = bytes;
for (j = 0; j < SABER_N / 2; j++) {
offset_byte = j;
offset_data = 2 * j;
bytes[offset_byte] = (data[offset_data] & 0x0f) | ((data[offset_data + 1] & 0x0f) << 4);
out[0] = (in[0] & 0x0f) | ((in[1] & 0x0f) << 4);
in += 2;
out += 1;
}
}

void PQCLEAN_SABER_CLEAN_BS2POLT(uint16_t data[SABER_N], const uint8_t bytes[SABER_SCALEBYTES_KEM]) {
size_t j, offset_byte, offset_data;
void PQCLEAN_SABER_CLEAN_BS2POLT(poly *data, const uint8_t bytes[SABER_SCALEBYTES_KEM]) {
size_t j;
const uint8_t *in = bytes;
uint16_t *out = data->coeffs;
for (j = 0; j < SABER_N / 2; j++) {
offset_byte = j;
offset_data = 2 * j;
data[offset_data] = bytes[offset_byte] & 0x0f;
data[offset_data + 1] = (bytes[offset_byte] >> 4) & 0x0f;
out[0] = in[0] & 0x0f;
out[1] = (in[0] >> 4) & 0x0f;
in += 1;
out += 2;
}
}

static void POLq2BS(uint8_t bytes[SABER_POLYBYTES], const uint16_t data[SABER_N]) {
size_t j, offset_byte, offset_data;
static void POLq2BS(uint8_t bytes[SABER_POLYBYTES], const poly *data) {
size_t j;
const uint16_t *in = data->coeffs;
uint8_t *out = bytes;
for (j = 0; j < SABER_N / 8; j++) {
offset_byte = 13 * j;
offset_data = 8 * j;
bytes[offset_byte + 0] = (data[offset_data + 0] & (0xff));
bytes[offset_byte + 1] = ((data[offset_data + 0] >> 8) & 0x1f) | ((data[offset_data + 1] & 0x07) << 5);
bytes[offset_byte + 2] = ((data[offset_data + 1] >> 3) & 0xff);
bytes[offset_byte + 3] = ((data[offset_data + 1] >> 11) & 0x03) | ((data[offset_data + 2] & 0x3f) << 2);
bytes[offset_byte + 4] = ((data[offset_data + 2] >> 6) & 0x7f) | ((data[offset_data + 3] & 0x01) << 7);
bytes[offset_byte + 5] = ((data[offset_data + 3] >> 1) & 0xff);
bytes[offset_byte + 6] = ((data[offset_data + 3] >> 9) & 0x0f) | ((data[offset_data + 4] & 0x0f) << 4);
bytes[offset_byte + 7] = ((data[offset_data + 4] >> 4) & 0xff);
bytes[offset_byte + 8] = ((data[offset_data + 4] >> 12) & 0x01) | ((data[offset_data + 5] & 0x7f) << 1);
bytes[offset_byte + 9] = ((data[offset_data + 5] >> 7) & 0x3f) | ((data[offset_data + 6] & 0x03) << 6);
bytes[offset_byte + 10] = ((data[offset_data + 6] >> 2) & 0xff);
bytes[offset_byte + 11] = ((data[offset_data + 6] >> 10) & 0x07) | ((data[offset_data + 7] & 0x1f) << 3);
bytes[offset_byte + 12] = ((data[offset_data + 7] >> 5) & 0xff);
out[0] = (in[0] & (0xff));
out[1] = ((in[0] >> 8) & 0x1f) | ((in[1] & 0x07) << 5);
out[2] = ((in[1] >> 3) & 0xff);
out[3] = ((in[1] >> 11) & 0x03) | ((in[2] & 0x3f) << 2);
out[4] = ((in[2] >> 6) & 0x7f) | ((in[3] & 0x01) << 7);
out[5] = ((in[3] >> 1) & 0xff);
out[6] = ((in[3] >> 9) & 0x0f) | ((in[4] & 0x0f) << 4);
out[7] = ((in[4] >> 4) & 0xff);
out[8] = ((in[4] >> 12) & 0x01) | ((in[5] & 0x7f) << 1);
out[9] = ((in[5] >> 7) & 0x3f) | ((in[6] & 0x03) << 6);
out[10] = ((in[6] >> 2) & 0xff);
out[11] = ((in[6] >> 10) & 0x07) | ((in[7] & 0x1f) << 3);
out[12] = ((in[7] >> 5) & 0xff);
in += 8;
out += 13;
}
}

static void BS2POLq(uint16_t data[SABER_N], const uint8_t bytes[SABER_POLYBYTES]) {
size_t j, offset_byte, offset_data;
static void BS2POLq(poly *data, const uint8_t bytes[SABER_POLYBYTES]) {
size_t j;
const uint8_t *in = bytes;
uint16_t *out = data->coeffs;
for (j = 0; j < SABER_N / 8; j++) {
offset_byte = 13 * j;
offset_data = 8 * j;
data[offset_data + 0] = (bytes[offset_byte + 0] & (0xff)) | ((bytes[offset_byte + 1] & 0x1f) << 8);
data[offset_data + 1] = (bytes[offset_byte + 1] >> 5 & (0x07)) | ((bytes[offset_byte + 2] & 0xff) << 3) | ((bytes[offset_byte + 3] & 0x03) << 11);
data[offset_data + 2] = (bytes[offset_byte + 3] >> 2 & (0x3f)) | ((bytes[offset_byte + 4] & 0x7f) << 6);
data[offset_data + 3] = (bytes[offset_byte + 4] >> 7 & (0x01)) | ((bytes[offset_byte + 5] & 0xff) << 1) | ((bytes[offset_byte + 6] & 0x0f) << 9);
data[offset_data + 4] = (bytes[offset_byte + 6] >> 4 & (0x0f)) | ((bytes[offset_byte + 7] & 0xff) << 4) | ((bytes[offset_byte + 8] & 0x01) << 12);
data[offset_data + 5] = (bytes[offset_byte + 8] >> 1 & (0x7f)) | ((bytes[offset_byte + 9] & 0x3f) << 7);
data[offset_data + 6] = (bytes[offset_byte + 9] >> 6 & (0x03)) | ((bytes[offset_byte + 10] & 0xff) << 2) | ((bytes[offset_byte + 11] & 0x07) << 10);
data[offset_data + 7] = (bytes[offset_byte + 11] >> 3 & (0x1f)) | ((bytes[offset_byte + 12] & 0xff) << 5);
out[0] = (in[0] & (0xff)) | ((in[1] & 0x1f) << 8);
out[1] = (in[1] >> 5 & (0x07)) | ((in[2] & 0xff) << 3) | ((in[3] & 0x03) << 11);
out[2] = (in[3] >> 2 & (0x3f)) | ((in[4] & 0x7f) << 6);
out[3] = (in[4] >> 7 & (0x01)) | ((in[5] & 0xff) << 1) | ((in[6] & 0x0f) << 9);
out[4] = (in[6] >> 4 & (0x0f)) | ((in[7] & 0xff) << 4) | ((in[8] & 0x01) << 12);
out[5] = (in[8] >> 1 & (0x7f)) | ((in[9] & 0x3f) << 7);
out[6] = (in[9] >> 6 & (0x03)) | ((in[10] & 0xff) << 2) | ((in[11] & 0x07) << 10);
out[7] = (in[11] >> 3 & (0x1f)) | ((in[12] & 0xff) << 5);
in += 13;
out += 8;
}
}

static void POLp2BS(uint8_t bytes[SABER_POLYCOMPRESSEDBYTES], const uint16_t data[SABER_N]) {
size_t j, offset_byte, offset_data;
static void POLp2BS(uint8_t bytes[SABER_POLYCOMPRESSEDBYTES], const poly *data) {
size_t j;
const uint16_t *in = data->coeffs;
uint8_t *out = bytes;
for (j = 0; j < SABER_N / 4; j++) {
offset_byte = 5 * j;
offset_data = 4 * j;
bytes[offset_byte + 0] = (data[offset_data + 0] & (0xff));
bytes[offset_byte + 1] = ((data[offset_data + 0] >> 8) & 0x03) | ((data[offset_data + 1] & 0x3f) << 2);
bytes[offset_byte + 2] = ((data[offset_data + 1] >> 6) & 0x0f) | ((data[offset_data + 2] & 0x0f) << 4);
bytes[offset_byte + 3] = ((data[offset_data + 2] >> 4) & 0x3f) | ((data[offset_data + 3] & 0x03) << 6);
bytes[offset_byte + 4] = ((data[offset_data + 3] >> 2) & 0xff);
out[0] = (in[0] & (0xff));
out[1] = ((in[0] >> 8) & 0x03) | ((in[1] & 0x3f) << 2);
out[2] = ((in[1] >> 6) & 0x0f) | ((in[2] & 0x0f) << 4);
out[3] = ((in[2] >> 4) & 0x3f) | ((in[3] & 0x03) << 6);
out[4] = ((in[3] >> 2) & 0xff);
in += 4;
out += 5;
}
}

static void BS2POLp(uint16_t data[SABER_N], const uint8_t bytes[SABER_POLYCOMPRESSEDBYTES]) {
size_t j, offset_byte, offset_data;
static void BS2POLp(poly *data, const uint8_t bytes[SABER_POLYCOMPRESSEDBYTES]) {
size_t j;
const uint8_t *in = bytes;
uint16_t *out = data->coeffs;
for (j = 0; j < SABER_N / 4; j++) {
offset_byte = 5 * j;
offset_data = 4 * j;
data[offset_data + 0] = (bytes[offset_byte + 0] & (0xff)) | ((bytes[offset_byte + 1] & 0x03) << 8);
data[offset_data + 1] = ((bytes[offset_byte + 1] >> 2) & (0x3f)) | ((bytes[offset_byte + 2] & 0x0f) << 6);
data[offset_data + 2] = ((bytes[offset_byte + 2] >> 4) & (0x0f)) | ((bytes[offset_byte + 3] & 0x3f) << 4);
data[offset_data + 3] = ((bytes[offset_byte + 3] >> 6) & (0x03)) | ((bytes[offset_byte + 4] & 0xff) << 2);
out[0] = (in[0] & (0xff)) | ((in[1] & 0x03) << 8);
out[1] = ((in[1] >> 2) & (0x3f)) | ((in[2] & 0x0f) << 6);
out[2] = ((in[2] >> 4) & (0x0f)) | ((in[3] & 0x3f) << 4);
out[3] = ((in[3] >> 6) & (0x03)) | ((in[4] & 0xff) << 2);
in += 5;
out += 4;
}
}

void PQCLEAN_SABER_CLEAN_POLVECq2BS(uint8_t bytes[SABER_POLYVECBYTES], const uint16_t data[SABER_L][SABER_N]) {
void PQCLEAN_SABER_CLEAN_POLVECq2BS(uint8_t bytes[SABER_POLYVECBYTES], const poly data[SABER_L]) {
size_t i;
for (i = 0; i < SABER_L; i++) {
POLq2BS(bytes + i * SABER_POLYBYTES, data[i]);
POLq2BS(bytes + i * SABER_POLYBYTES, &data[i]);
}
}

void PQCLEAN_SABER_CLEAN_BS2POLVECq(uint16_t data[SABER_L][SABER_N], const uint8_t bytes[SABER_POLYVECBYTES]) {
void PQCLEAN_SABER_CLEAN_BS2POLVECq(poly data[SABER_L], const uint8_t bytes[SABER_POLYVECBYTES]) {
size_t i;
for (i = 0; i < SABER_L; i++) {
BS2POLq(data[i], bytes + i * SABER_POLYBYTES);
BS2POLq(&data[i], bytes + i * SABER_POLYBYTES);
}
}

void PQCLEAN_SABER_CLEAN_POLVECp2BS(uint8_t bytes[SABER_POLYVECCOMPRESSEDBYTES], const uint16_t data[SABER_L][SABER_N]) {
void PQCLEAN_SABER_CLEAN_POLVECp2BS(uint8_t bytes[SABER_POLYVECCOMPRESSEDBYTES], const poly data[SABER_L]) {
size_t i;
for (i = 0; i < SABER_L; i++) {
POLp2BS(bytes + i * (SABER_EP * SABER_N / 8), data[i]);
POLp2BS(bytes + i * SABER_POLYCOMPRESSEDBYTES, &data[i]);
}
}

void PQCLEAN_SABER_CLEAN_BS2POLVECp(uint16_t data[SABER_L][SABER_N], const uint8_t bytes[SABER_POLYVECCOMPRESSEDBYTES]) {
void PQCLEAN_SABER_CLEAN_BS2POLVECp(poly data[SABER_L], const uint8_t bytes[SABER_POLYVECCOMPRESSEDBYTES]) {
size_t i;
for (i = 0; i < SABER_L; i++) {
BS2POLp(data[i], bytes + i * (SABER_EP * SABER_N / 8));
BS2POLp(&data[i], bytes + i * SABER_POLYCOMPRESSEDBYTES);
}
}

void PQCLEAN_SABER_CLEAN_BS2POLmsg(uint16_t data[SABER_N], const uint8_t bytes[SABER_KEYBYTES]) {
void PQCLEAN_SABER_CLEAN_BS2POLmsg(poly *data, const uint8_t bytes[SABER_KEYBYTES]) {
size_t i, j;
for (j = 0; j < SABER_KEYBYTES; j++) {
for (i = 0; i < 8; i++) {
data[j * 8 + i] = ((bytes[j] >> i) & 0x01);
data->coeffs[j * 8 + i] = ((bytes[j] >> i) & 0x01);
}
}
}

void PQCLEAN_SABER_CLEAN_POLmsg2BS(uint8_t bytes[SABER_KEYBYTES], const uint16_t data[SABER_N]) {
void PQCLEAN_SABER_CLEAN_POLmsg2BS(uint8_t bytes[SABER_KEYBYTES], const poly *data) {
size_t i, j;
memset(bytes, 0, SABER_KEYBYTES);

for (j = 0; j < SABER_KEYBYTES; j++) {
for (i = 0; i < 8; i++) {
bytes[j] = bytes[j] | ((data[j * 8 + i] & 0x01) << i);
bytes[j] = bytes[j] | ((data->coeffs[j * 8 + i] & 0x01) << i);
}
}
}

+ 9
- 8
crypto_kem/saber/clean/pack_unpack.h View File

@@ -1,27 +1,28 @@
#ifndef PACK_UNPACK_H
#define PACK_UNPACK_H
#include "SABER_params.h"
#include "poly.h"
#include <stdint.h>
#include <stdio.h>

void PQCLEAN_SABER_CLEAN_POLT2BS(uint8_t bytes[SABER_SCALEBYTES_KEM], const uint16_t data[SABER_N]);
void PQCLEAN_SABER_CLEAN_POLT2BS(uint8_t bytes[SABER_SCALEBYTES_KEM], const poly *data);

void PQCLEAN_SABER_CLEAN_BS2POLT(uint16_t data[SABER_N], const uint8_t bytes[SABER_SCALEBYTES_KEM]);
void PQCLEAN_SABER_CLEAN_BS2POLT(poly *data, const uint8_t bytes[SABER_SCALEBYTES_KEM]);


void PQCLEAN_SABER_CLEAN_POLVECq2BS(uint8_t bytes[SABER_POLYVECBYTES], const uint16_t data[SABER_L][SABER_N]);
void PQCLEAN_SABER_CLEAN_POLVECq2BS(uint8_t bytes[SABER_POLYVECBYTES], const poly data[SABER_L]);

void PQCLEAN_SABER_CLEAN_POLVECp2BS(uint8_t bytes[SABER_POLYVECCOMPRESSEDBYTES], const uint16_t data[SABER_L][SABER_N]);
void PQCLEAN_SABER_CLEAN_POLVECp2BS(uint8_t bytes[SABER_POLYVECCOMPRESSEDBYTES], const poly data[SABER_L]);


void PQCLEAN_SABER_CLEAN_BS2POLVECq(uint16_t data[SABER_L][SABER_N], const uint8_t bytes[SABER_POLYVECBYTES]);
void PQCLEAN_SABER_CLEAN_BS2POLVECq(poly data[SABER_L], const uint8_t bytes[SABER_POLYVECBYTES]);

void PQCLEAN_SABER_CLEAN_BS2POLVECp(uint16_t data[SABER_L][SABER_N], const uint8_t bytes[SABER_POLYVECCOMPRESSEDBYTES]);
void PQCLEAN_SABER_CLEAN_BS2POLVECp(poly data[SABER_L], const uint8_t bytes[SABER_POLYVECCOMPRESSEDBYTES]);


void PQCLEAN_SABER_CLEAN_BS2POLmsg(uint16_t data[SABER_N], const uint8_t bytes[SABER_KEYBYTES]);
void PQCLEAN_SABER_CLEAN_BS2POLmsg(poly *data, const uint8_t bytes[SABER_KEYBYTES]);

void PQCLEAN_SABER_CLEAN_POLmsg2BS(uint8_t bytes[SABER_KEYBYTES], const uint16_t data[SABER_N]);
void PQCLEAN_SABER_CLEAN_POLmsg2BS(uint8_t bytes[SABER_KEYBYTES], const poly *data);


#endif

+ 26
- 18
crypto_kem/saber/clean/poly.c View File

@@ -3,32 +3,40 @@
#include "fips202.h"
#include "pack_unpack.h"
#include "poly.h"
#include "poly_mul.h"
#include <stddef.h>

void PQCLEAN_SABER_CLEAN_MatrixVectorMul(uint16_t res[SABER_L][SABER_N], const uint16_t A[SABER_L][SABER_L][SABER_N], const uint16_t s[SABER_L][SABER_N], int16_t transpose) {
void PQCLEAN_SABER_CLEAN_MatrixVectorMul(poly c[SABER_L], const poly A[SABER_L][SABER_L], const poly s[SABER_L], int16_t transpose) {
size_t i, j;
for (i = 0; i < SABER_L; i++) {
for (j = 0; j < SABER_L; j++) {
if (transpose == 1) {
PQCLEAN_SABER_CLEAN_poly_mul_acc(res[i], A[j][i], s[j]);
} else {
PQCLEAN_SABER_CLEAN_poly_mul_acc(res[i], A[i][j], s[j]);

if (transpose) {
for (i = 0; i < SABER_L; i++) {
PQCLEAN_SABER_CLEAN_poly_mul(&c[i], &A[0][i], &s[0], 0);
for (j = 1; j < SABER_L; j++) {
PQCLEAN_SABER_CLEAN_poly_mul(&c[i], &A[j][i], &s[j], 1);
}
}
} else {
for (i = 0; i < SABER_L; i++) {
PQCLEAN_SABER_CLEAN_poly_mul(&c[i], &A[i][0], &s[0], 0);
for (j = 1; j < SABER_L; j++) {
PQCLEAN_SABER_CLEAN_poly_mul(&c[i], &A[i][j], &s[j], 1);
}
}
}
}

void PQCLEAN_SABER_CLEAN_InnerProd(uint16_t res[SABER_N], const uint16_t b[SABER_L][SABER_N], const uint16_t s[SABER_L][SABER_N]) {
size_t j;
for (j = 0; j < SABER_L; j++) {
PQCLEAN_SABER_CLEAN_poly_mul_acc(res, b[j], s[j]);
void PQCLEAN_SABER_CLEAN_InnerProd(poly *c, const poly b[SABER_L], const poly s[SABER_L]) {
size_t i;

PQCLEAN_SABER_CLEAN_poly_mul(c, &b[0], &s[0], 0);
for (i = 1; i < SABER_L; i++) {
PQCLEAN_SABER_CLEAN_poly_mul(c, &b[i], &s[i], 1);
}
}

void PQCLEAN_SABER_CLEAN_GenMatrix(uint16_t A[SABER_L][SABER_L][SABER_N], const uint8_t seed[SABER_SEEDBYTES]) {
uint8_t buf[SABER_L * SABER_POLYVECBYTES];
void PQCLEAN_SABER_CLEAN_GenMatrix(poly A[SABER_L][SABER_L], const uint8_t seed[SABER_SEEDBYTES]) {
size_t i;
uint8_t buf[SABER_L * SABER_POLYVECBYTES];

shake128(buf, sizeof(buf), seed, SABER_SEEDBYTES);

@@ -37,13 +45,13 @@ void PQCLEAN_SABER_CLEAN_GenMatrix(uint16_t A[SABER_L][SABER_L][SABER_N], const
}
}

void PQCLEAN_SABER_CLEAN_GenSecret(uint16_t s[SABER_L][SABER_N], const uint8_t seed[SABER_NOISE_SEEDBYTES]) {
uint8_t buf[SABER_L * SABER_POLYCOINBYTES];
void PQCLEAN_SABER_CLEAN_GenSecret(poly s[SABER_L], const uint8_t seed[SABER_NOISESEEDBYTES]) {
size_t i;
uint8_t buf[SABER_L * SABER_POLYCOINBYTES];

shake128(buf, sizeof(buf), seed, SABER_NOISE_SEEDBYTES);
shake128(buf, sizeof(buf), seed, SABER_NOISESEEDBYTES);

for (i = 0; i < SABER_L; i++) {
PQCLEAN_SABER_CLEAN_cbd(s[i], buf + i * SABER_POLYCOINBYTES);
PQCLEAN_SABER_CLEAN_cbd(s[i].coeffs, buf + i * SABER_POLYCOINBYTES);
}
}

+ 12
- 4
crypto_kem/saber/clean/poly.h View File

@@ -3,13 +3,21 @@
#include "SABER_params.h"
#include <stdint.h>

void PQCLEAN_SABER_CLEAN_MatrixVectorMul(uint16_t res[SABER_L][SABER_N], const uint16_t a[SABER_L][SABER_L][SABER_N], const uint16_t s[SABER_L][SABER_N], int16_t transpose);
typedef union {
uint16_t coeffs[SABER_N];
} poly;

void PQCLEAN_SABER_CLEAN_InnerProd(uint16_t res[SABER_N], const uint16_t b[SABER_L][SABER_N], const uint16_t s[SABER_L][SABER_N]);

void PQCLEAN_SABER_CLEAN_GenMatrix(uint16_t a[SABER_L][SABER_L][SABER_N], const uint8_t seed[SABER_SEEDBYTES]);
void PQCLEAN_SABER_CLEAN_MatrixVectorMul(poly c[SABER_L], const poly A[SABER_L][SABER_L], const poly s[SABER_L], int16_t transpose);

void PQCLEAN_SABER_CLEAN_GenSecret(uint16_t s[SABER_L][SABER_N], const uint8_t seed[SABER_NOISE_SEEDBYTES]);
void PQCLEAN_SABER_CLEAN_InnerProd(poly *c, const poly b[SABER_L], const poly s[SABER_L]);

void PQCLEAN_SABER_CLEAN_GenMatrix(poly A[SABER_L][SABER_L], const uint8_t seed[SABER_SEEDBYTES]);

void PQCLEAN_SABER_CLEAN_GenSecret(poly s[SABER_L], const uint8_t seed[SABER_NOISESEEDBYTES]);


void PQCLEAN_SABER_CLEAN_poly_mul(poly *c, const poly *a, const poly *b, int accumulate);


#endif

+ 12
- 6
crypto_kem/saber/clean/poly_mul.c View File

@@ -1,4 +1,4 @@
#include "poly_mul.h"
#include "poly.h"
#include <stdint.h>
#include <string.h>

@@ -229,14 +229,20 @@ static void toom_cook_4way (uint16_t *result, const uint16_t *a1, const uint16_t
}

/* res += a*b */
void PQCLEAN_SABER_CLEAN_poly_mul_acc(uint16_t res[SABER_N], const uint16_t a[SABER_N], const uint16_t b[SABER_N]) {
uint16_t c[2 * SABER_N] = {0};
void PQCLEAN_SABER_CLEAN_poly_mul(poly *c, const poly *a, const poly *b, const int accumulate) {
uint16_t C[2 * SABER_N] = {0};
size_t i;

toom_cook_4way(c, a, b);
toom_cook_4way(C, a->coeffs, b->coeffs);

/* reduction */
for (i = SABER_N; i < 2 * SABER_N; i++) {
res[i - SABER_N] += (c[i - SABER_N] - c[i]);
if (accumulate == 0) {
for (i = SABER_N; i < 2 * SABER_N; i++) {
c->coeffs[i - SABER_N] = (C[i - SABER_N] - C[i]);
}
} else {
for (i = SABER_N; i < 2 * SABER_N; i++) {
c->coeffs[i - SABER_N] += (C[i - SABER_N] - C[i]);
}
}
}

+ 0
- 6
crypto_kem/saber/clean/poly_mul.h View File

@@ -1,9 +1,3 @@
#ifndef POLY_MUL_H
#define POLY_MUL_H
#include "SABER_params.h"
#include <stdint.h>

void PQCLEAN_SABER_CLEAN_poly_mul_acc(uint16_t res[SABER_N], const uint16_t a[SABER_N], const uint16_t b[SABER_N]);


#endif

+ 9
- 0
test/duplicate_consistency/firesaber_avx2.yml View File

@@ -3,5 +3,14 @@ consistency_checks:
scheme: firesaber
implementation: clean
files:
- api.h
- cbd.h
- pack_unpack.h
- kem.h
- SABER_indcpa.h
- SABER_params.h
- verify.h
- cbd.c
- kem.c
- pack_unpack.c
- verify.c

+ 9
- 0
test/duplicate_consistency/firesaber_clean.yml View File

@@ -3,5 +3,14 @@ consistency_checks:
scheme: firesaber
implementation: avx2
files:
- api.h
- cbd.h
- poly_mul.h
- pack_unpack.h
- SABER_indcpa.h
- SABER_params.h
- verify.h
- cbd.c
- kem.c
- pack_unpack.c
- verify.c

+ 25
- 2
test/duplicate_consistency/lightsaber_avx2.yml View File

@@ -3,13 +3,27 @@ consistency_checks:
scheme: lightsaber
implementation: clean
files:
- api.h
- cbd.h
- pack_unpack.h
- kem.h
- SABER_indcpa.h
- SABER_params.h
- verify.h
- cbd.c
- kem.c
- pack_unpack.c
- verify.c
- source:
scheme: saber
implementation: clean
files:
- cbd.h
- pack_unpack.h
- kem.h
- SABER_indcpa.h
- verify.h
- kem.c
- verify.c
- source:
scheme: saber
@@ -22,13 +36,20 @@ consistency_checks:
- SABER_indcpa.h
- verify.h
- kem.c
- pack_unpack.c
- poly.c
- poly_mul.c
- SABER_indcpa.c
- verify.c
- source:
scheme: firesaber
implementation: clean
files:
- cbd.h
- pack_unpack.h
- kem.h
- SABER_indcpa.h
- verify.h
- kem.c
- verify.c
- source:
scheme: firesaber
@@ -41,5 +62,7 @@ consistency_checks:
- SABER_indcpa.h
- verify.h
- kem.c
- pack_unpack.c
- poly.c
- poly_mul.c
- SABER_indcpa.c
- verify.c

+ 19
- 0
test/duplicate_consistency/lightsaber_clean.yml View File

@@ -3,7 +3,16 @@ consistency_checks:
scheme: lightsaber
implementation: avx2
files:
- api.h
- cbd.h
- poly_mul.h
- pack_unpack.h
- SABER_indcpa.h
- SABER_params.h
- verify.h
- cbd.c
- kem.c
- pack_unpack.c
- verify.c
- source:
scheme: saber
@@ -24,7 +33,12 @@ consistency_checks:
scheme: saber
implementation: avx2
files:
- cbd.h
- poly_mul.h
- pack_unpack.h
- SABER_indcpa.h
- verify.h
- kem.c
- verify.c
- source:
scheme: firesaber
@@ -45,5 +59,10 @@ consistency_checks:
scheme: firesaber
implementation: avx2
files:
- cbd.h
- poly_mul.h
- pack_unpack.h
- SABER_indcpa.h
- verify.h
- kem.c
- verify.c

+ 17
- 1
test/duplicate_consistency/saber_avx2.yml View File

@@ -3,13 +3,27 @@ consistency_checks:
scheme: saber
implementation: clean
files:
- api.h
- cbd.h
- pack_unpack.h
- kem.h
- SABER_indcpa.h
- SABER_params.h
- verify.h
- cbd.c
- kem.c
- pack_unpack.c
- verify.c
- source:
scheme: firesaber
implementation: clean
files:
- cbd.h
- pack_unpack.h
- kem.h
- SABER_indcpa.h
- verify.h
- kem.c
- verify.c
- source:
scheme: firesaber
@@ -22,5 +36,7 @@ consistency_checks:
- SABER_indcpa.h
- verify.h
- kem.c
- pack_unpack.c
- poly.c
- poly_mul.c
- SABER_indcpa.c
- verify.c

+ 14
- 0
test/duplicate_consistency/saber_clean.yml View File

@@ -3,7 +3,16 @@ consistency_checks:
scheme: saber
implementation: avx2
files:
- api.h
- cbd.h
- poly_mul.h
- pack_unpack.h
- SABER_indcpa.h
- SABER_params.h
- verify.h
- cbd.c
- kem.c
- pack_unpack.c
- verify.c
- source:
scheme: firesaber
@@ -24,5 +33,10 @@ consistency_checks:
scheme: firesaber
implementation: avx2
files:
- cbd.h
- poly_mul.h
- pack_unpack.h
- SABER_indcpa.h
- verify.h
- kem.c
- verify.c

Write Preview
Loading…
Cancel
Save