As identified in: Qian Guo, Thomas Johansson, Alexander Nilsson. A
key-recovery timing attack on post-quantum primitives using the
Fujisaki-Okamoto transformation and its application on FrodoKEM. In
CRYPTO 2020.
Based on
155c24c3df
* Sebastian's HQC merge request
* Clean up changes to common infrastructure
* Fix Bitmask macro
It assumed that ``unsigned long`` was 64 bit
* Remove maxlen from nistseedexpander
It's a complicated thing to handle because the value is larger than size_t supports on 32-bit platforms
* Initialize buffers to help linter
* Add Nistseedexpander test
* Resolve UB in gf2x.c
Some of the shifts could be larger than WORD_SIZE_BITS, ie. larger than
the width of uint64_t. This apparently on Intel gets interpreted as the
shift mod 64, but on ARM something else happened.
* Fix Windows complaints
* rename log, exp which appear to be existing functions on MS
* Solve endianness problems
* remove all spaces before ';'
* Fix duplicate consistency
* Fix duplicate consistency
* Fix complaints by MSVC about narrowing int
* Add nistseedexpander.obj to COMMON_OBJECTS_NOPATH
* astyle format util.[ch]
* add util.h to makefile
* Sort includes in util.h
* Fix more Windows MSVC complaints
Co-authored-by: Sebastian Verschoor <sebastian@zeroknowledge.me>
Co-authored-by: Thom Wiggers <thom@thomwiggers.nl>
https://github.com/mupq/pqm4/issues/132 repoorted that the NewHope verify function does not actually return 0 or 1, but 0 or -1, which consequenctly breaks the cmov in the FO transform.
This bug was introduced when I integrated this into PQClean.
* Put AES ctx on the heap
This forces people to use the ``ctx_release`` functions, because otherwise there will be leaks
* Put fips202 on the heap
* Add much more docs for fips202.h
* fixup! Put fips202 on the heap
* Put SHA2 on the heap-supporting API
* Fix clang-tidy warnings
* Fix unreachable free() in falcon
* Fix McEliece8192128f-sse GNU Makefile
* Fix alignment problems with vectors
* Fix required CPU flags for McEliece
* Fix McElice8192128f that was missed in #259
* fixup! Fix McElice8192128f that was missed in #259
* Fix initialization
* Add McEliece reference implementations
* Add Vec implementations of McEliece
* Add sse implementations
* Add AVX2 implementations
* Get rid of stuff not supported by Mac ABI
* restrict to two cores
* Ditch .data files
* Remove .hidden from all .S files
* speed up duplicate consistency tests by batching
* make cpuinfo more robust
* Hope to stabilize macos cpuinfo without ccache
* Revert "Hope to stabilize macos cpuinfo without ccache"
This reverts commit 6129c3cabe1abbc8b956bc87e902a698e32bf322.
* Just hardcode what's available at travis
* Fixed-size types in api.h
* namespace all header files in mceliece
* Ditch operations.h
* Get rid of static inline functions
* fixup! Ditch operations.h
* Integrate Kyber-AVX2 into PQClean
* Fix types and formatting in Kyber
* Workaround a valgrind crash
* Remove comment in shuffle.s
* Remove some extraneous truncations
* fixup! Fix types and formatting in Kyber
There are schemes, like SABER (#192) that have more than one principal
submitter. Consistency warrants that we turn it into a list for all
schemes and don't do something with allowing either a str or a list:
that would just be very annoying to parse.
Closes#194
