Commit Graph

314 Commits

Author SHA1 Message Date
John M. Schanck
7b5a4c494b NTRU Prime: Match the NIST submission's sequence of calls to randombytes 2021-03-24 21:02:47 +00:00
John M. Schanck
431dbada45 Add sntrup{653,761,857} and ntrulpr{653,761,857}
Exported from SUPERCOP-20200826 using the scripts at:
https://github.com/jschanck/pqclean-package-ntruprime
2021-03-24 21:02:46 +00:00
John M. Schanck
196f0c1ae2 NTRU: remove unused .s file 2021-03-24 21:02:46 +00:00
John M. Schanck
4c268aae14 NTRU: inline the one call that needed @plt 2021-03-24 21:02:46 +00:00
John M. Schanck
a008d4ad21 ntruhrss701/avx2: fix non-PIC call 2021-03-24 21:02:46 +00:00
John M. Schanck
97e0aad338 NTRU: Move crypto_sort_int32.h include to top of sample.c 2021-03-24 21:02:46 +00:00
John M. Schanck
2f56d17d67 NTRU: more explicit casts for MS compiler 2021-03-24 21:02:46 +00:00
John M. Schanck
f772093fd4 NTRU: add explicit cast for MS compiler 2021-03-24 21:02:46 +00:00
John M. Schanck
f37f0f3e85 Update NTRU and add AVX2 NTRU implementations 2021-03-24 21:02:46 +00:00
John Schanck
0d7743d576 Update NTRU (#311)
* Update NTRU

version: https://github.com/jschanck/ntru/tree/485dde03

* Fixed ntruhrss701/clean/Makefile.Microsoft_nmake
2021-03-24 21:02:46 +00:00
Sofía Celi
c59580a355 Fix overflow in multiplication in Saber 2021-03-24 21:02:46 +00:00
Matthias J. Kannwischer
22babfef8a remove threebears, ledakem, newhope, mqdss, qtesla
NIST announced the Round 3 finalists and alternate candidates today:
https://groups.google.com/a/list.nist.gov/d/msg/pqc-forum/0ieuPB-b8eg/Cl7Ji8TpCwAJ

Some of the schemes in PQClean did not make it to Round 3 and this commit
removes them.
2021-03-24 21:02:46 +00:00
Douglas Stebila
96e5f1d7ae Fix timing leak in decapsulation.
As identified in: Qian Guo, Thomas Johansson, Alexander Nilsson. A 
key-recovery timing attack on post-quantum primitives using the 
Fujisaki-Okamoto transformation and its application on FrodoKEM. In 
CRYPTO 2020.

Based on 
155c24c3df
2021-03-24 21:02:46 +00:00
Thom Wiggers
4604907c4c Kyber768 and Kyber1024 don't need -maes (see #296) 2021-03-24 21:02:46 +00:00
Ko-
be16fceb68 Fix whitespace to satisfy test_duplicate_consistency 2021-03-24 21:02:46 +00:00
Ko-
0116179381 Update KAT values 2021-03-24 21:02:46 +00:00
Ko-
f5bc4052c7 Add domain separation to NewHope
NewHope announced a new version of their specification that adds
explicit domain separation. This is a port of
https://github.com/newhopecrypto/newhope/commit/607a9d3
2021-03-24 21:02:46 +00:00
Douglas Stebila
33ac64d922 Use the right AES CTX 2021-03-24 21:02:46 +00:00
Douglas Stebila
cf5107b69f Split aes*_keyexp up into ecb and ctr variants 2021-03-24 21:02:46 +00:00
Sebastian
4054af0c42 HQC submission (#202)
* Sebastian's HQC merge request

* Clean up changes to common infrastructure

* Fix Bitmask macro

It assumed that ``unsigned long`` was 64 bit

* Remove maxlen from nistseedexpander

It's a complicated thing to handle because the value is larger than size_t supports on 32-bit platforms

* Initialize buffers to help linter

* Add Nistseedexpander test

* Resolve UB in gf2x.c

Some of the shifts could be larger than WORD_SIZE_BITS, ie. larger than
the width of uint64_t. This apparently on Intel gets interpreted as the
shift mod 64, but on ARM something else happened.

* Fix Windows complaints

* rename log, exp which appear to be existing functions on MS

* Solve endianness problems

* remove all spaces before ';'

* Fix duplicate consistency

* Fix duplicate consistency

* Fix complaints by MSVC about narrowing int

* Add nistseedexpander.obj to COMMON_OBJECTS_NOPATH

* astyle format util.[ch]

* add util.h to makefile

* Sort includes in util.h

* Fix more Windows MSVC complaints

Co-authored-by: Sebastian Verschoor <sebastian@zeroknowledge.me>
Co-authored-by: Thom Wiggers <thom@thomwiggers.nl>
2021-03-24 21:02:46 +00:00
Matthias J. Kannwischer
999b76cb90 fix MSVS warning 2021-03-24 21:02:46 +00:00
Matthias J. Kannwischer
e93a6bef1f Fix NewHope verify
https://github.com/mupq/pqm4/issues/132 repoorted that the NewHope verify function does not actually return 0 or 1, but 0 or -1, which consequenctly breaks the cmov in the FO transform.
This bug was introduced when I integrated this into PQClean.
2021-03-24 21:02:46 +00:00
Thom Wiggers
5b5956c2ef fixup! Fix uint8_t to uint16_t upcast in Frodo 2021-03-24 21:02:46 +00:00
Thom Wiggers
3b655f3f72 Fix uint8_t to uint16_t upcast in Frodo 2021-03-24 21:02:46 +00:00
Thom Wiggers
fcd81030d6 Fix too-large shift in mceliece*f 2021-03-24 21:02:46 +00:00
Thom Wiggers
3307f05c49 Clean up SABER 2021-03-24 21:02:46 +00:00
Thom Wiggers
5f02a4e80c Fix overflowing mults in NTRUHRSS701 2021-03-24 21:02:46 +00:00
Thom Wiggers
3ef983c459 Fix reduce.c's overflowing multiplication 2021-03-24 21:02:46 +00:00
Thom Wiggers
83750a2fb2 Fix duplicate consistency 2021-03-24 21:02:46 +00:00
Thom Wiggers
d8c9c431cf Fix memory leaks in LEDAkem 2021-03-24 21:02:46 +00:00
Thom Wiggers
0912b1821c Fix memory leaks in NewHope 2021-03-24 21:02:46 +00:00
Douglas Stebila
833a9d5129 Fix memory leak in Kyber 2021-03-24 21:02:46 +00:00
Thom Wiggers
07db9c1e60 Put all common primitives on the heap (#266)
* Put AES ctx on the heap

This forces people to use the ``ctx_release`` functions, because otherwise there will be leaks

* Put fips202 on the heap

* Add much more docs for fips202.h

* fixup! Put fips202 on the heap

* Put SHA2 on the heap-supporting API

* Fix clang-tidy warnings

* Fix unreachable free() in falcon

* Fix McEliece8192128f-sse GNU Makefile
2021-03-24 21:02:45 +00:00
Thom Wiggers
f20c77f718 Fix McEliece8192128f makefile 2021-03-24 21:02:45 +00:00
Thom Wiggers
6bfec2978e Fix alignment problems with vectors in McEliece AVX2 and fix McEliece 8192128f (#267)
* Fix alignment problems with vectors

* Fix required CPU flags for McEliece

* Fix McElice8192128f that was missed in #259

* fixup! Fix McElice8192128f that was missed in #259

* Fix initialization
2021-03-24 21:02:45 +00:00
Thom Wiggers
ac2c20045c Classic McEliece (#259)
* Add McEliece reference implementations

* Add Vec implementations of McEliece

* Add sse implementations

* Add AVX2 implementations

* Get rid of stuff not supported by Mac ABI

* restrict to two cores

* Ditch .data files

* Remove .hidden from all .S files

* speed up duplicate consistency tests by batching

* make cpuinfo more robust

* Hope to stabilize macos cpuinfo without ccache

* Revert "Hope to stabilize macos cpuinfo without ccache"

This reverts commit 6129c3cabe1abbc8b956bc87e902a698e32bf322.

* Just hardcode what's available at travis

* Fixed-size types in api.h

* namespace all header files in mceliece

* Ditch operations.h

* Get rid of static inline functions

* fixup! Ditch operations.h
2021-03-24 21:02:45 +00:00
Leon Botros
13c0317e25 Add ephemeral versions of ThreeBears 2021-03-24 21:02:45 +00:00
Thom Wiggers
7da91aa360 Don't advertise MacOS support for Kyber-AVX2
In light of #251
2021-03-24 21:02:45 +00:00
Leon Botros
e3db88d7e4 use the same compiler flags as other implementations 2021-03-24 21:02:45 +00:00
Leon Botros
692e7bea39 add -Werror 2021-03-24 21:02:45 +00:00
Leon Botros
c95f1b4ebb move modulus function to source, namespace it 2021-03-24 21:02:45 +00:00
Leon Botros
4c84fd915b fix namespacing for mamabear, papabear 2021-03-24 21:02:44 +00:00
Leon Botros
e94842b0ef remove empty line, add version 2021-03-24 21:02:44 +00:00
Leon Botros
3b740033ef add ThreeBears 2021-03-24 21:02:44 +00:00
Matthias J. Kannwischer
6c98832774 remove unnecessary if in kyber768
clang-tidy9.0.0 added a new check: bugprone-branch-clone
(https://releases.llvm.org/9.0.0/tools/clang/tools/extra/docs/ReleaseNotes.html)
This doesn't like both branches of an if are the same.
In this case I don't think there is any reason to do this, so I've removed it.
2021-03-24 21:02:44 +00:00
Thom Wiggers
f792b925b4 Enable optimizers on Windows (#244) 2019-10-21 14:23:59 +02:00
Matthias J. Kannwischer
df8cc49670 fix kyber-90s warning if size_t is not 32 bits 2019-10-15 15:20:57 +02:00
Matthias J. Kannwischer
39246b808d fix for big-endian 2019-10-04 13:10:29 +02:00
Matthias J. Kannwischer
9571a3b017 use common aes256_ecb instead of providing local AES implementation 2019-10-04 09:31:16 +02:00
Thom Wiggers
ac1f8cc74d
fixup! Add Kyber90s
Fix CRYPTO_ALGNAME
2019-09-24 08:01:54 +02:00
Thom Wiggers
526a841886
Add Kyber90s 2019-09-24 08:01:54 +02:00
Matthias J. Kannwischer
7d10484030 fix algo names for schemes that are inconsistent with the api.h 2019-09-19 12:44:26 +02:00
Thom Wiggers
f4bd312180 Adds AVX2 variants of Kyber512, Kyber768, Kyber1024 (#225)
* Integrate Kyber-AVX2 into PQClean

* Fix types and formatting in Kyber

* Workaround a valgrind crash

* Remove comment in shuffle.s

* Remove some extraneous truncations

* fixup! Fix types and formatting in Kyber
2019-09-10 11:45:01 +02:00
Leon Botros
9190172f1a fix a bug where error array is allocated way too big 2019-08-27 15:38:34 +02:00
Leon Botros
7dd7223587 more fixed sizes, hopefully fix mscv warnings 2019-08-24 16:40:47 +02:00
Leon Botros
9dd4a4b5da fix requested changes 2019-08-24 15:48:38 +02:00
Leon Botros
823ba3f13b fix msvc complaints #2 2019-08-23 14:21:09 +02:00
Leon Botros
50665606f0 serialize error before hashing 2019-08-23 12:57:17 +02:00
Leon Botros
46145a3183 hopefully fix msvc complaints 2019-08-23 12:41:58 +02:00
Leon Botros
537d2a1ac0 serialize pk/ct 2019-08-23 11:30:02 +02:00
Leon Botros
1fc2f51f82 fix clang-tidy warnings, replace variable-time schoolbook multiplications 2019-08-22 12:59:04 +02:00
Leon Botros
901d53ebe4 constant-time decapsulation/decryption failure 2019-08-21 21:27:53 +02:00
Leon Botros
d3d72f64cc constant-time inverses 2019-08-21 18:54:04 +02:00
Leon Botros
e4a5cc3cf2 add karatsuba + toom-cook-3 without VLAs 2019-08-21 17:31:57 +02:00
Leon Botros
ca898f01bc update implementations to leda v2.1 2019-08-21 14:28:31 +02:00
Thom Wiggers
2108bdcdb5
Make a static global explicitly const 2019-07-18 13:42:37 +02:00
Thom Wiggers
0ed5ba4a30
Merge pull request #192 from PQClean/saber
Add Saber
2019-07-04 15:53:57 +02:00
Matthias J. Kannwischer
756b550ceb add Saber LICENSE 2019-07-01 07:48:17 +02:00
Douglas Stebila
4157e0fbad Add release function for AES key schedule 2019-06-25 09:37:23 -04:00
Matthias J. Kannwischer
acde8afff2 Convert into a list for the Saber parameter sets 2019-06-24 09:18:58 +02:00
Matthias J. Kannwischer
515b04d87b fix warnings 2019-06-24 09:14:24 +02:00
Matthias J. Kannwischer
931f466937 switch to the polymul from the submission 2019-06-24 09:14:24 +02:00
Matthias J. Kannwischer
8378132c5e clean up of comments and packing 2019-06-24 09:14:24 +02:00
Matthias J. Kannwischer
61b36e933b remove wrong cast 2019-06-24 09:14:24 +02:00
Matthias J. Kannwischer
cc94db88fa fix vs warning 2019-06-24 09:14:24 +02:00
Matthias J. Kannwischer
6aafbd56f2 add firesaber 2019-06-24 09:14:24 +02:00
Matthias J. Kannwischer
8539bd8684 add lightsaber 2019-06-24 09:14:24 +02:00
Matthias J. Kannwischer
15a9e77b4c remove pre-processor conditionals 2019-06-24 09:14:24 +02:00
Matthias J. Kannwischer
510a7baee8 move header guards to the top 2019-06-24 09:14:24 +02:00
Matthias J. Kannwischer
ccfe87a4a3 refactoring to make vs more happy 2019-06-24 09:14:24 +02:00
Matthias J. Kannwischer
03596d4705 another vs warning 2019-06-24 09:14:24 +02:00
Matthias J. Kannwischer
ef0ad8e752 fix some vs warnings 2019-06-24 09:14:24 +02:00
Matthias J. Kannwischer
31f9ee52ce add license 2019-06-24 09:14:24 +02:00
Matthias J. Kannwischer
f18e464a68 add Saber 2019-06-24 09:14:00 +02:00
Thom Wiggers
4cea81d15f
Convert principal-submitter into a list
There are schemes, like SABER (#192) that have more than one principal
submitter. Consistency warrants that we turn it into a list for all
schemes and don't do something with allowing either a str or a list:
that would just be very annoying to parse.

Closes #194
2019-06-21 09:30:55 +02:00
Leon
3c733b6691 resolve todo, remove asserts, add duplicate checks and make sure they pass 2019-06-17 14:03:59 +02:00
Leon
e5b9b13160 rename impl to leaktime 2019-06-16 17:01:29 +02:00
Leon
db99d3ec09 more msvc complaints 2019-06-14 16:07:31 +02:00
Leon
e353081cc2 fix msvc warnings 2019-06-14 15:04:30 +02:00
Leon
bf0aca644e avoid global state by including 2nd round threshold in secret key 2019-06-14 14:23:58 +02:00
Leon
5a4b7f24a3 (de)serialization instead of pointer casts 2019-06-12 15:33:20 +02:00
Leon
6811a40527 move implementations of functions to .c files 2019-06-11 22:50:33 +02:00
Leon
9e3f973f56 define a constant for max number of rng bytes, remove unnecessary check 2019-06-11 21:45:39 +02:00
Leon
889a1f1e53 fix mvsc warning 2019-06-11 17:09:28 +02:00
Leon
9c2449387a include stdint in api 2019-06-11 16:50:38 +02:00
Leon
26dad0211d remove unused functions 2019-06-11 16:39:41 +02:00
Leon
98e643e5c7 use size_t for index in aes xof buffer and not for index of digits 2019-06-11 16:20:31 +02:00
Leon
e5da5da9a6 use uint8_t in api 2019-06-11 16:18:21 +02:00
Leon
3caad74525 variable declarations at the beginning, namespace extern variables 2019-06-11 14:21:49 +02:00
Leon
737cb1bb2e add ledakemlt32 2019-06-10 20:42:31 +02:00