b3f9d4f8d6
* Add McEliece reference implementations * Add Vec implementations of McEliece * Add sse implementations * Add AVX2 implementations * Get rid of stuff not supported by Mac ABI * restrict to two cores * Ditch .data files * Remove .hidden from all .S files * speed up duplicate consistency tests by batching * make cpuinfo more robust * Hope to stabilize macos cpuinfo without ccache * Revert "Hope to stabilize macos cpuinfo without ccache" This reverts commit 6129c3cabe1abbc8b956bc87e902a698e32bf322. * Just hardcode what's available at travis * Fixed-size types in api.h * namespace all header files in mceliece * Ditch operations.h * Get rid of static inline functions * fixup! Ditch operations.h
137 lines
3.1 KiB
C
137 lines
3.1 KiB
C
#include "api.h"
|
|
|
|
#include "aes256ctr.h"
|
|
#include "controlbits.h"
|
|
#include "crypto_hash.h"
|
|
#include "decrypt.h"
|
|
#include "encrypt.h"
|
|
#include "params.h"
|
|
#include "pk_gen.h"
|
|
#include "randombytes.h"
|
|
#include "sk_gen.h"
|
|
#include "util.h"
|
|
|
|
#include <stdint.h>
|
|
#include <string.h>
|
|
|
|
int PQCLEAN_MCELIECE6688128_SSE_crypto_kem_enc(
|
|
uint8_t *c,
|
|
uint8_t *key,
|
|
const uint8_t *pk
|
|
) {
|
|
uint8_t two_e[ 1 + SYS_N / 8 ] = {2};
|
|
uint8_t *e = two_e + 1;
|
|
uint8_t one_ec[ 1 + SYS_N / 8 + (SYND_BYTES + 32) ] = {1};
|
|
|
|
PQCLEAN_MCELIECE6688128_SSE_encrypt(c, e, pk);
|
|
|
|
crypto_hash_32b(c + SYND_BYTES, two_e, sizeof(two_e));
|
|
|
|
memcpy(one_ec + 1, e, SYS_N / 8);
|
|
memcpy(one_ec + 1 + SYS_N / 8, c, SYND_BYTES + 32);
|
|
|
|
crypto_hash_32b(key, one_ec, sizeof(one_ec));
|
|
|
|
return 0;
|
|
}
|
|
|
|
int PQCLEAN_MCELIECE6688128_SSE_crypto_kem_dec(
|
|
uint8_t *key,
|
|
const uint8_t *c,
|
|
const uint8_t *sk
|
|
) {
|
|
int i;
|
|
|
|
uint8_t ret_confirm = 0;
|
|
uint8_t ret_decrypt = 0;
|
|
|
|
uint16_t m;
|
|
|
|
uint8_t conf[32];
|
|
uint8_t two_e[ 1 + SYS_N / 8 ] = {2};
|
|
uint8_t *e = two_e + 1;
|
|
uint8_t preimage[ 1 + SYS_N / 8 + (SYND_BYTES + 32) ];
|
|
uint8_t *x = preimage;
|
|
|
|
//
|
|
|
|
ret_decrypt = (uint8_t)PQCLEAN_MCELIECE6688128_SSE_decrypt(e, sk + SYS_N / 8, c);
|
|
|
|
crypto_hash_32b(conf, two_e, sizeof(two_e));
|
|
|
|
for (i = 0; i < 32; i++) {
|
|
ret_confirm |= conf[i] ^ c[SYND_BYTES + i];
|
|
}
|
|
|
|
m = ret_decrypt | ret_confirm;
|
|
m -= 1;
|
|
m >>= 8;
|
|
|
|
*x++ = (~m & 0) | (m & 1);
|
|
for (i = 0; i < SYS_N / 8; i++) {
|
|
*x++ = (~m & sk[i]) | (m & e[i]);
|
|
}
|
|
for (i = 0; i < SYND_BYTES + 32; i++) {
|
|
*x++ = c[i];
|
|
}
|
|
|
|
crypto_hash_32b(key, preimage, sizeof(preimage));
|
|
|
|
return 0;
|
|
}
|
|
|
|
int PQCLEAN_MCELIECE6688128_SSE_crypto_kem_keypair
|
|
(
|
|
uint8_t *pk,
|
|
uint8_t *sk
|
|
) {
|
|
int i;
|
|
uint8_t seed[ 32 ];
|
|
uint8_t r[ SYS_T * 2 + (1 << GFBITS)*sizeof(uint32_t) + SYS_N / 8 + 32 ];
|
|
uint8_t nonce[ 16 ] = {0};
|
|
uint8_t *rp;
|
|
|
|
gf f[ SYS_T ]; // element in GF(2^mt)
|
|
gf irr[ SYS_T ]; // Goppa polynomial
|
|
uint32_t perm[ 1 << GFBITS ]; // random permutation
|
|
|
|
randombytes(seed, sizeof(seed));
|
|
|
|
while (1) {
|
|
rp = r;
|
|
PQCLEAN_MCELIECE6688128_SSE_aes256ctr(r, sizeof(r), nonce, seed);
|
|
memcpy(seed, &r[ sizeof(r) - 32 ], 32);
|
|
|
|
for (i = 0; i < SYS_T; i++) {
|
|
f[i] = PQCLEAN_MCELIECE6688128_SSE_load2(rp + i * 2);
|
|
}
|
|
rp += sizeof(f);
|
|
if (PQCLEAN_MCELIECE6688128_SSE_genpoly_gen(irr, f)) {
|
|
continue;
|
|
}
|
|
|
|
for (i = 0; i < (1 << GFBITS); i++) {
|
|
perm[i] = PQCLEAN_MCELIECE6688128_SSE_load4(rp + i * 4);
|
|
}
|
|
rp += sizeof(perm);
|
|
if (PQCLEAN_MCELIECE6688128_SSE_perm_check(perm)) {
|
|
continue;
|
|
}
|
|
|
|
for (i = 0; i < SYS_T; i++) {
|
|
PQCLEAN_MCELIECE6688128_SSE_store2(sk + SYS_N / 8 + i * 2, irr[i]);
|
|
}
|
|
if (PQCLEAN_MCELIECE6688128_SSE_pk_gen(pk, perm, sk + SYS_N / 8)) {
|
|
continue;
|
|
}
|
|
|
|
memcpy(sk, rp, SYS_N / 8);
|
|
PQCLEAN_MCELIECE6688128_SSE_controlbits(sk + SYS_N / 8 + IRR_BYTES, perm);
|
|
|
|
break;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|