
ntru: packaging script update. resolves #331

tags/v0.0.1
John M. Schanck 4 years ago
committed by Kris Kwiatkowski
parent
commit
4267e51253
48 changed files with 122 additions and 119 deletions
  1. +2
    -2
      crypto_kem/ntruhps2048509/META.yml
  2. +2
    -2
      crypto_kem/ntruhps2048509/avx2/crypto_sort_int32.c
  3. +2
    -1
      crypto_kem/ntruhps2048509/avx2/crypto_sort_int32.h
  4. +1
    -6
      crypto_kem/ntruhps2048509/avx2/kem.c
  5. +6
    -2
      crypto_kem/ntruhps2048509/avx2/owcpa.c
  6. +0
    -1
      crypto_kem/ntruhps2048509/avx2/sample.c
  7. +2
    -0
      crypto_kem/ntruhps2048509/avx2/sample.h
  8. +1
    -6
      crypto_kem/ntruhps2048509/clean/kem.c
  9. +6
    -2
      crypto_kem/ntruhps2048509/clean/owcpa.c
  10. +4
    -4
      crypto_kem/ntruhps2048509/clean/poly_r2_inv.c
  11. +4
    -4
      crypto_kem/ntruhps2048509/clean/poly_s3_inv.c
  12. +0
    -1
      crypto_kem/ntruhps2048509/clean/sample.c
  13. +2
    -0
      crypto_kem/ntruhps2048509/clean/sample.h
  14. +2
    -2
      crypto_kem/ntruhps2048677/META.yml
  15. +2
    -2
      crypto_kem/ntruhps2048677/avx2/crypto_sort_int32.c
  16. +2
    -1
      crypto_kem/ntruhps2048677/avx2/crypto_sort_int32.h
  17. +1
    -6
      crypto_kem/ntruhps2048677/avx2/kem.c
  18. +6
    -2
      crypto_kem/ntruhps2048677/avx2/owcpa.c
  19. +0
    -1
      crypto_kem/ntruhps2048677/avx2/sample.c
  20. +2
    -0
      crypto_kem/ntruhps2048677/avx2/sample.h
  21. +1
    -6
      crypto_kem/ntruhps2048677/clean/kem.c
  22. +6
    -2
      crypto_kem/ntruhps2048677/clean/owcpa.c
  23. +4
    -4
      crypto_kem/ntruhps2048677/clean/poly_r2_inv.c
  24. +4
    -4
      crypto_kem/ntruhps2048677/clean/poly_s3_inv.c
  25. +0
    -1
      crypto_kem/ntruhps2048677/clean/sample.c
  26. +2
    -0
      crypto_kem/ntruhps2048677/clean/sample.h
  27. +2
    -2
      crypto_kem/ntruhps4096821/META.yml
  28. +2
    -2
      crypto_kem/ntruhps4096821/avx2/crypto_sort_int32.c
  29. +2
    -1
      crypto_kem/ntruhps4096821/avx2/crypto_sort_int32.h
  30. +1
    -6
      crypto_kem/ntruhps4096821/avx2/kem.c
  31. +6
    -2
      crypto_kem/ntruhps4096821/avx2/owcpa.c
  32. +0
    -1
      crypto_kem/ntruhps4096821/avx2/sample.c
  33. +2
    -0
      crypto_kem/ntruhps4096821/avx2/sample.h
  34. +1
    -6
      crypto_kem/ntruhps4096821/clean/kem.c
  35. +6
    -2
      crypto_kem/ntruhps4096821/clean/owcpa.c
  36. +4
    -4
      crypto_kem/ntruhps4096821/clean/poly_r2_inv.c
  37. +4
    -4
      crypto_kem/ntruhps4096821/clean/poly_s3_inv.c
  38. +0
    -1
      crypto_kem/ntruhps4096821/clean/sample.c
  39. +2
    -0
      crypto_kem/ntruhps4096821/clean/sample.h
  40. +2
    -2
      crypto_kem/ntruhrss701/META.yml
  41. +1
    -6
      crypto_kem/ntruhrss701/avx2/kem.c
  42. +6
    -2
      crypto_kem/ntruhrss701/avx2/owcpa.c
  43. +1
    -0
      crypto_kem/ntruhrss701/avx2/sample.h
  44. +1
    -6
      crypto_kem/ntruhrss701/clean/kem.c
  45. +6
    -2
      crypto_kem/ntruhrss701/clean/owcpa.c
  46. +4
    -4
      crypto_kem/ntruhrss701/clean/poly_r2_inv.c
  47. +4
    -4
      crypto_kem/ntruhrss701/clean/poly_s3_inv.c
  48. +1
    -0
      crypto_kem/ntruhrss701/clean/sample.h

+ 2
- 2
crypto_kem/ntruhps2048509/META.yml View File

@@ -23,9 +23,9 @@ auxiliary-submitters:
- Zhenfei Zhang
implementations:
- name: clean
version: https://github.com/jschanck/ntru/tree/ff3c84e1 reference implementation
version: https://github.com/jschanck/ntru/tree/b4b08d67 reference implementation
- name: avx2
version: https://github.com/jschanck/ntru/tree/ff3c84e1 avx2 implementation
version: https://github.com/jschanck/ntru/tree/b4b08d67 avx2 implementation
supported_platforms:
- architecture: x86_64
operating_systems:


+ 2
- 2
crypto_kem/ntruhps2048509/avx2/crypto_sort_int32.c View File

@@ -1,8 +1,8 @@
#include "crypto_sort_int32.h"
#include <immintrin.h>
// Based on supercop-20200820/crypto_sort/int32/avx2

#include "crypto_sort_int32.h"

#include <immintrin.h>
#define int32 int32_t

typedef __m256i int32x8;


+ 2
- 1
crypto_kem/ntruhps2048509/avx2/crypto_sort_int32.h View File

@@ -1,10 +1,11 @@
#ifndef CRYPTO_SORT
#define CRYPTO_SORT

#include "params.h"

#include <stddef.h>
#include <stdint.h>


void PQCLEAN_NTRUHPS2048509_AVX2_crypto_sort_int32(int32_t *x, size_t n);

#endif
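Review bot: The include guard `CRYPTO_SORT` on the first line of this header is not namespaced, unlike the `PQCLEAN_NTRUHPS2048509_AVX2_` prefix on the function it declares, and this commit also makes `sample.h` pull the header into every file that includes it, so a collision with any other header using the same generic guard name in one translation unit would silently drop the `crypto_sort_int32` declaration. Suggest `#ifndef PQCLEAN_NTRUHPS2048509_AVX2_CRYPTO_SORT_INT32_H` / `#define PQCLEAN_NTRUHPS2048509_AVX2_CRYPTO_SORT_INT32_H`. The added `<stddef.h>` and `<stdint.h>` are the right fix for `size_t`/`int32_t`; `#include "params.h"` appears unused by the single declaration here and could go unless something in it is needed.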

+ 1
- 6
crypto_kem/ntruhps2048509/avx2/kem.c View File

@@ -42,12 +42,7 @@ int PQCLEAN_NTRUHPS2048509_AVX2_crypto_kem_dec(uint8_t *k, const uint8_t *c, con
uint8_t rm[NTRU_OWCPA_MSGBYTES];
uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES];

fail = 0;

/* Check that unused bits of last byte of ciphertext are zero */
fail |= c[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));

fail |= PQCLEAN_NTRUHPS2048509_AVX2_owcpa_dec(rm, c, sk);
fail = PQCLEAN_NTRUHPS2048509_AVX2_owcpa_dec(rm, c, sk);
/* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */
/* See comment in PQCLEAN_NTRUHPS2048509_AVX2_owcpa_dec for details. */
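Review bot: After `fail = PQCLEAN_NTRUHPS2048509_AVX2_owcpa_dec(rm, c, sk);` the two-line comment only mentions the re-encapsulation argument, but `fail` is now also the sole carrier of the ciphertext-format check that this commit moved out of this function, and it is a failure bitmask (nonzero on any rejection), not a 0/1 flag. Whatever later turns `fail` into a constant-time selection mask (the remainder of `crypto_kem_dec` is outside this hunk) must not assume 0/1. Suggested comment under the call: `/* fail is nonzero iff owcpa_dec rejected c (nonzero padding bits, or r/m outside the message space); it is a bitmask, not 0/1 */`.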



+ 6
- 2
crypto_kem/ntruhps2048509/avx2/owcpa.c View File

@@ -123,11 +123,15 @@ int PQCLEAN_NTRUHPS2048509_AVX2_owcpa_dec(unsigned char *rm,
PQCLEAN_NTRUHPS2048509_AVX2_poly_S3_mul(m, mf, finv3);
PQCLEAN_NTRUHPS2048509_AVX2_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m);

/* NOTE: For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
fail = 0;

/* Check that unused bits of last byte of ciphertext are zero */
fail |= ciphertext[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));

/* For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
/* We can avoid re-computing r*h + Lift(m) as long as we check that */
/* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */
/* (m can take any value in S3 in NTRU_HRSS) */
fail = 0;
fail |= owcpa_check_m(m);

/* b = c - Lift(m) mod (q, x^n - 1) */
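Review bot: The padding-bits check `fail |= ciphertext[NTRU_CIPHERTEXTBYTES - 1] & (0xff << ...)` leaves `fail` holding the raw masked bits of the last byte, so the return value of `owcpa_dec` is a nonzero bitmask rather than a 0/1 flag; that is only safe if every consumer, including whatever derives a constant-time mask from it in the KEM, treats any nonzero value as failure — a mask built as `-fail` or `(unsigned char) fail` would not. Normalising at the check removes that dependency: `uint32_t t = ciphertext[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));` then `fail |= (int) ((UINT32_C(0) - t) >> 31);`, which is 1 iff any padding bit is set and stays branch-free. As rendered, `fail = 0;` is printed both before the check and again after the comment block; presumably the second is the removed old line, since a surviving second reset would discard the ciphertext check before `owcpa_check_m`. The rest of `owcpa_dec`, including the `r` range check the comment refers to, is outside this hunk.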


+ 0
- 1
crypto_kem/ntruhps2048509/avx2/sample.c View File

@@ -1,4 +1,3 @@
#include "crypto_sort_int32.h"
#include "sample.h"

void PQCLEAN_NTRUHPS2048509_AVX2_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]) {


+ 2
- 0
crypto_kem/ntruhps2048509/avx2/sample.h View File

@@ -4,6 +4,8 @@
#include "params.h"
#include "poly.h"

#include "crypto_sort_int32.h"

void PQCLEAN_NTRUHPS2048509_AVX2_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]);
void PQCLEAN_NTRUHPS2048509_AVX2_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]);



+ 1
- 6
crypto_kem/ntruhps2048509/clean/kem.c View File

@@ -42,12 +42,7 @@ int PQCLEAN_NTRUHPS2048509_CLEAN_crypto_kem_dec(uint8_t *k, const uint8_t *c, co
uint8_t rm[NTRU_OWCPA_MSGBYTES];
uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES];

fail = 0;

/* Check that unused bits of last byte of ciphertext are zero */
fail |= c[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));

fail |= PQCLEAN_NTRUHPS2048509_CLEAN_owcpa_dec(rm, c, sk);
fail = PQCLEAN_NTRUHPS2048509_CLEAN_owcpa_dec(rm, c, sk);
/* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */
/* See comment in PQCLEAN_NTRUHPS2048509_CLEAN_owcpa_dec for details. */



+ 6
- 2
crypto_kem/ntruhps2048509/clean/owcpa.c View File

@@ -123,11 +123,15 @@ int PQCLEAN_NTRUHPS2048509_CLEAN_owcpa_dec(unsigned char *rm,
PQCLEAN_NTRUHPS2048509_CLEAN_poly_S3_mul(m, mf, finv3);
PQCLEAN_NTRUHPS2048509_CLEAN_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m);

/* NOTE: For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
fail = 0;

/* Check that unused bits of last byte of ciphertext are zero */
fail |= ciphertext[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));

/* For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
/* We can avoid re-computing r*h + Lift(m) as long as we check that */
/* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */
/* (m can take any value in S3 in NTRU_HRSS) */
fail = 0;
fail |= owcpa_check_m(m);

/* b = c - Lift(m) mod (q, x^n - 1) */
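Review bot: `fail |= ciphertext[NTRU_CIPHERTEXTBYTES - 1] & (0xff << ...)` stores the raw masked bits in `fail`, so `owcpa_dec` returns a nonzero bitmask instead of a 0/1 flag; callers that build a constant-time mask as `-fail` or `(unsigned char) fail` would get a partial mask, and the safety of the current code rests on every consumer treating any nonzero value as failure. A branch-free normalisation at the check avoids that: `uint32_t t = ciphertext[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));` then `fail |= (int) ((UINT32_C(0) - t) >> 31);`. The page prints `fail = 0;` both before the check and after the comment block; presumably the second is the removed old line, because a surviving reset there would discard the padding check before `owcpa_check_m`. The `r` range check mentioned in the comment lies outside this hunk.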


+ 4
- 4
crypto_kem/ntruhps2048509/clean/poly_r2_inv.c View File

@@ -3,14 +3,14 @@
#include "poly.h"

/* return -1 if x<0 and y<0; otherwise return 0 */
static inline int both_negative_mask(int x, int y) {
static inline int16_t both_negative_mask(int16_t x, int16_t y) {
return (x & y) >> 15;
}

void PQCLEAN_NTRUHPS2048509_CLEAN_poly_R2_inv(poly *r, const poly *a) {
poly f, g, v, w;
int i, loop, delta;
int sign, swap, t;
int16_t i, loop, delta;
int16_t sign, swap, t;

for (i = 0; i < NTRU_N; ++i) {
v.coeffs[i] = 0;
@@ -37,7 +37,7 @@ void PQCLEAN_NTRUHPS2048509_CLEAN_poly_R2_inv(poly *r, const poly *a) {
v.coeffs[0] = 0;

sign = g.coeffs[0] & f.coeffs[0];
swap = both_negative_mask(-delta, -(int) g.coeffs[0]);
swap = both_negative_mask(-delta, -(int16_t) g.coeffs[0]);
delta ^= swap & (delta ^ -delta);
delta += 1;
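Review bot: `both_negative_mask` still depends on an arithmetic right shift of a negative value — `(x & y) >> 15` with the int16_t arguments promoted to int — which C11 leaves implementation-defined (6.5.7p5); all mainstream compilers shift arithmetically, but the new 16-bit signature makes a portable, branch-free form cheap: `return (int16_t) (0 - (((uint16_t) (x & y)) >> 15));`. Narrowing `i`, `loop`, `delta`, `swap` and `t` to int16_t is sound only if the loop bound and `delta` stay within 16-bit range (presumably a small multiple of NTRU_N) and because storing the promoted-int results back into int16_t truncates modulo 2^16 on two's-complement targets; a one-line comment above the declarations stating that bound would help the next reader. The loop body that uses `loop` and `t` is outside this hunk.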



+ 4
- 4
crypto_kem/ntruhps2048509/clean/poly_s3_inv.c View File

@@ -11,14 +11,14 @@ static inline uint8_t mod3(uint8_t a) { /* a between 0 and 9 */
}

/* return -1 if x<0 and y<0; otherwise return 0 */
static inline int both_negative_mask(int x, int y) {
static inline int16_t both_negative_mask(int16_t x, int16_t y) {
return (x & y) >> 15;
}

void PQCLEAN_NTRUHPS2048509_CLEAN_poly_S3_inv(poly *r, const poly *a) {
poly f, g, v, w;
int i, loop, delta;
int sign, swap, t;
int16_t i, loop, delta;
int16_t sign, swap, t;

for (i = 0; i < NTRU_N; ++i) {
v.coeffs[i] = 0;
@@ -45,7 +45,7 @@ void PQCLEAN_NTRUHPS2048509_CLEAN_poly_S3_inv(poly *r, const poly *a) {
v.coeffs[0] = 0;

sign = mod3((uint8_t) (2 * g.coeffs[0] * f.coeffs[0]));
swap = both_negative_mask(-delta, -(int) g.coeffs[0]);
swap = both_negative_mask(-delta, -(int16_t) g.coeffs[0]);
delta ^= swap & (delta ^ -delta);
delta += 1;
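Review bot: `both_negative_mask` relies on `(x & y) >> 15` being an arithmetic shift of a negative int, which is implementation-defined in C11 (6.5.7p5); with int16_t arguments a portable and still branch-free version is `return (int16_t) (0 - (((uint16_t) (x & y)) >> 15));`. The change of `i`, `loop`, `delta`, `swap` and `t` to int16_t assumes the divstep counter and `delta` stay well inside 16 bits (presumably bounded by a small multiple of NTRU_N) and that assigning promoted-int results back to int16_t truncates modulo 2^16, which holds on two's-complement targets but is worth a comment above the declarations. The loop that uses `loop` and `t` continues outside this hunk.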



+ 0
- 1
crypto_kem/ntruhps2048509/clean/sample.c View File

@@ -1,4 +1,3 @@
#include "crypto_sort_int32.h"
#include "sample.h"

void PQCLEAN_NTRUHPS2048509_CLEAN_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]) {


+ 2
- 0
crypto_kem/ntruhps2048509/clean/sample.h View File

@@ -4,6 +4,8 @@
#include "params.h"
#include "poly.h"

#include "crypto_sort_int32.h"

void PQCLEAN_NTRUHPS2048509_CLEAN_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]);
void PQCLEAN_NTRUHPS2048509_CLEAN_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]);



+ 2
- 2
crypto_kem/ntruhps2048677/META.yml View File

@@ -23,9 +23,9 @@ auxiliary-submitters:
- Zhenfei Zhang
implementations:
- name: clean
version: https://github.com/jschanck/ntru/tree/ff3c84e1 reference implementation
version: https://github.com/jschanck/ntru/tree/b4b08d67 reference implementation
- name: avx2
version: https://github.com/jschanck/ntru/tree/ff3c84e1 avx2 implementation
version: https://github.com/jschanck/ntru/tree/b4b08d67 avx2 implementation
supported_platforms:
- architecture: x86_64
operating_systems:


+ 2
- 2
crypto_kem/ntruhps2048677/avx2/crypto_sort_int32.c View File

@@ -1,8 +1,8 @@
#include "crypto_sort_int32.h"
#include <immintrin.h>
// Based on supercop-20200820/crypto_sort/int32/avx2

#include "crypto_sort_int32.h"

#include <immintrin.h>
#define int32 int32_t

typedef __m256i int32x8;


+ 2
- 1
crypto_kem/ntruhps2048677/avx2/crypto_sort_int32.h View File

@@ -1,10 +1,11 @@
#ifndef CRYPTO_SORT
#define CRYPTO_SORT

#include "params.h"

#include <stddef.h>
#include <stdint.h>


void PQCLEAN_NTRUHPS2048677_AVX2_crypto_sort_int32(int32_t *x, size_t n);

#endif
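Review bot: The include guard `CRYPTO_SORT` is not namespaced, unlike the `PQCLEAN_NTRUHPS2048677_AVX2_` prefix on the declared function, and with this commit `sample.h` now includes this header in every file that uses it, so any other header sharing that generic guard name in the same translation unit would silently hide the `crypto_sort_int32` declaration. Suggest `#ifndef PQCLEAN_NTRUHPS2048677_AVX2_CRYPTO_SORT_INT32_H` / `#define PQCLEAN_NTRUHPS2048677_AVX2_CRYPTO_SORT_INT32_H`. The new `<stddef.h>`/`<stdint.h>` includes are correct for `size_t`/`int32_t`; `#include "params.h"` appears unused by the single declaration here.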

+ 1
- 6
crypto_kem/ntruhps2048677/avx2/kem.c View File

@@ -42,12 +42,7 @@ int PQCLEAN_NTRUHPS2048677_AVX2_crypto_kem_dec(uint8_t *k, const uint8_t *c, con
uint8_t rm[NTRU_OWCPA_MSGBYTES];
uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES];

fail = 0;

/* Check that unused bits of last byte of ciphertext are zero */
fail |= c[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));

fail |= PQCLEAN_NTRUHPS2048677_AVX2_owcpa_dec(rm, c, sk);
fail = PQCLEAN_NTRUHPS2048677_AVX2_owcpa_dec(rm, c, sk);
/* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */
/* See comment in PQCLEAN_NTRUHPS2048677_AVX2_owcpa_dec for details. */



+ 6
- 2
crypto_kem/ntruhps2048677/avx2/owcpa.c View File

@@ -123,11 +123,15 @@ int PQCLEAN_NTRUHPS2048677_AVX2_owcpa_dec(unsigned char *rm,
PQCLEAN_NTRUHPS2048677_AVX2_poly_S3_mul(m, mf, finv3);
PQCLEAN_NTRUHPS2048677_AVX2_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m);

/* NOTE: For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
fail = 0;

/* Check that unused bits of last byte of ciphertext are zero */
fail |= ciphertext[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));

/* For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
/* We can avoid re-computing r*h + Lift(m) as long as we check that */
/* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */
/* (m can take any value in S3 in NTRU_HRSS) */
fail = 0;
fail |= owcpa_check_m(m);

/* b = c - Lift(m) mod (q, x^n - 1) */


+ 0
- 1
crypto_kem/ntruhps2048677/avx2/sample.c View File

@@ -1,4 +1,3 @@
#include "crypto_sort_int32.h"
#include "sample.h"

void PQCLEAN_NTRUHPS2048677_AVX2_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]) {


+ 2
- 0
crypto_kem/ntruhps2048677/avx2/sample.h View File

@@ -4,6 +4,8 @@
#include "params.h"
#include "poly.h"

#include "crypto_sort_int32.h"

void PQCLEAN_NTRUHPS2048677_AVX2_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]);
void PQCLEAN_NTRUHPS2048677_AVX2_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]);



+ 1
- 6
crypto_kem/ntruhps2048677/clean/kem.c View File

@@ -42,12 +42,7 @@ int PQCLEAN_NTRUHPS2048677_CLEAN_crypto_kem_dec(uint8_t *k, const uint8_t *c, co
uint8_t rm[NTRU_OWCPA_MSGBYTES];
uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES];

fail = 0;

/* Check that unused bits of last byte of ciphertext are zero */
fail |= c[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));

fail |= PQCLEAN_NTRUHPS2048677_CLEAN_owcpa_dec(rm, c, sk);
fail = PQCLEAN_NTRUHPS2048677_CLEAN_owcpa_dec(rm, c, sk);
/* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */
/* See comment in PQCLEAN_NTRUHPS2048677_CLEAN_owcpa_dec for details. */



+ 6
- 2
crypto_kem/ntruhps2048677/clean/owcpa.c View File

@@ -123,11 +123,15 @@ int PQCLEAN_NTRUHPS2048677_CLEAN_owcpa_dec(unsigned char *rm,
PQCLEAN_NTRUHPS2048677_CLEAN_poly_S3_mul(m, mf, finv3);
PQCLEAN_NTRUHPS2048677_CLEAN_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m);

/* NOTE: For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
fail = 0;

/* Check that unused bits of last byte of ciphertext are zero */
fail |= ciphertext[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));

/* For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
/* We can avoid re-computing r*h + Lift(m) as long as we check that */
/* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */
/* (m can take any value in S3 in NTRU_HRSS) */
fail = 0;
fail |= owcpa_check_m(m);

/* b = c - Lift(m) mod (q, x^n - 1) */


+ 4
- 4
crypto_kem/ntruhps2048677/clean/poly_r2_inv.c View File

@@ -3,14 +3,14 @@
#include "poly.h"

/* return -1 if x<0 and y<0; otherwise return 0 */
static inline int both_negative_mask(int x, int y) {
static inline int16_t both_negative_mask(int16_t x, int16_t y) {
return (x & y) >> 15;
}

void PQCLEAN_NTRUHPS2048677_CLEAN_poly_R2_inv(poly *r, const poly *a) {
poly f, g, v, w;
int i, loop, delta;
int sign, swap, t;
int16_t i, loop, delta;
int16_t sign, swap, t;

for (i = 0; i < NTRU_N; ++i) {
v.coeffs[i] = 0;
@@ -37,7 +37,7 @@ void PQCLEAN_NTRUHPS2048677_CLEAN_poly_R2_inv(poly *r, const poly *a) {
v.coeffs[0] = 0;

sign = g.coeffs[0] & f.coeffs[0];
swap = both_negative_mask(-delta, -(int) g.coeffs[0]);
swap = both_negative_mask(-delta, -(int16_t) g.coeffs[0]);
delta ^= swap & (delta ^ -delta);
delta += 1;



+ 4
- 4
crypto_kem/ntruhps2048677/clean/poly_s3_inv.c View File

@@ -11,14 +11,14 @@ static inline uint8_t mod3(uint8_t a) { /* a between 0 and 9 */
}

/* return -1 if x<0 and y<0; otherwise return 0 */
static inline int both_negative_mask(int x, int y) {
static inline int16_t both_negative_mask(int16_t x, int16_t y) {
return (x & y) >> 15;
}

void PQCLEAN_NTRUHPS2048677_CLEAN_poly_S3_inv(poly *r, const poly *a) {
poly f, g, v, w;
int i, loop, delta;
int sign, swap, t;
int16_t i, loop, delta;
int16_t sign, swap, t;

for (i = 0; i < NTRU_N; ++i) {
v.coeffs[i] = 0;
@@ -45,7 +45,7 @@ void PQCLEAN_NTRUHPS2048677_CLEAN_poly_S3_inv(poly *r, const poly *a) {
v.coeffs[0] = 0;

sign = mod3((uint8_t) (2 * g.coeffs[0] * f.coeffs[0]));
swap = both_negative_mask(-delta, -(int) g.coeffs[0]);
swap = both_negative_mask(-delta, -(int16_t) g.coeffs[0]);
delta ^= swap & (delta ^ -delta);
delta += 1;



+ 0
- 1
crypto_kem/ntruhps2048677/clean/sample.c View File

@@ -1,4 +1,3 @@
#include "crypto_sort_int32.h"
#include "sample.h"

void PQCLEAN_NTRUHPS2048677_CLEAN_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]) {


+ 2
- 0
crypto_kem/ntruhps2048677/clean/sample.h View File

@@ -4,6 +4,8 @@
#include "params.h"
#include "poly.h"

#include "crypto_sort_int32.h"

void PQCLEAN_NTRUHPS2048677_CLEAN_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]);
void PQCLEAN_NTRUHPS2048677_CLEAN_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]);



+ 2
- 2
crypto_kem/ntruhps4096821/META.yml View File

@@ -23,9 +23,9 @@ auxiliary-submitters:
- Zhenfei Zhang
implementations:
- name: clean
version: https://github.com/jschanck/ntru/tree/ff3c84e1 reference implementation
version: https://github.com/jschanck/ntru/tree/b4b08d67 reference implementation
- name: avx2
version: https://github.com/jschanck/ntru/tree/ff3c84e1 avx2 implementation
version: https://github.com/jschanck/ntru/tree/b4b08d67 avx2 implementation
supported_platforms:
- architecture: x86_64
operating_systems:


+ 2
- 2
crypto_kem/ntruhps4096821/avx2/crypto_sort_int32.c View File

@@ -1,8 +1,8 @@
#include "crypto_sort_int32.h"
#include <immintrin.h>
// Based on supercop-20200820/crypto_sort/int32/avx2

#include "crypto_sort_int32.h"

#include <immintrin.h>
#define int32 int32_t

typedef __m256i int32x8;


+ 2
- 1
crypto_kem/ntruhps4096821/avx2/crypto_sort_int32.h View File

@@ -1,10 +1,11 @@
#ifndef CRYPTO_SORT
#define CRYPTO_SORT

#include "params.h"

#include <stddef.h>
#include <stdint.h>


void PQCLEAN_NTRUHPS4096821_AVX2_crypto_sort_int32(int32_t *x, size_t n);

#endif
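Review bot: The include guard `CRYPTO_SORT` is not namespaced, unlike the `PQCLEAN_NTRUHPS4096821_AVX2_` prefix on the declared function, and since this commit routes the header through `sample.h` into every file that includes it, another header using the same generic guard name in one translation unit would silently suppress the `crypto_sort_int32` declaration. Suggest `#ifndef PQCLEAN_NTRUHPS4096821_AVX2_CRYPTO_SORT_INT32_H` / `#define PQCLEAN_NTRUHPS4096821_AVX2_CRYPTO_SORT_INT32_H`. The added `<stddef.h>` and `<stdint.h>` are the right fix for `size_t`/`int32_t`; `#include "params.h"` appears unused by the single declaration shown.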

+ 1
- 6
crypto_kem/ntruhps4096821/avx2/kem.c View File

@@ -42,12 +42,7 @@ int PQCLEAN_NTRUHPS4096821_AVX2_crypto_kem_dec(uint8_t *k, const uint8_t *c, con
uint8_t rm[NTRU_OWCPA_MSGBYTES];
uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES];

fail = 0;

/* Check that unused bits of last byte of ciphertext are zero */
fail |= c[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));

fail |= PQCLEAN_NTRUHPS4096821_AVX2_owcpa_dec(rm, c, sk);
fail = PQCLEAN_NTRUHPS4096821_AVX2_owcpa_dec(rm, c, sk);
/* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */
/* See comment in PQCLEAN_NTRUHPS4096821_AVX2_owcpa_dec for details. */



+ 6
- 2
crypto_kem/ntruhps4096821/avx2/owcpa.c View File

@@ -123,11 +123,15 @@ int PQCLEAN_NTRUHPS4096821_AVX2_owcpa_dec(unsigned char *rm,
PQCLEAN_NTRUHPS4096821_AVX2_poly_S3_mul(m, mf, finv3);
PQCLEAN_NTRUHPS4096821_AVX2_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m);

/* NOTE: For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
fail = 0;

/* Check that unused bits of last byte of ciphertext are zero */
fail |= ciphertext[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));

/* For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
/* We can avoid re-computing r*h + Lift(m) as long as we check that */
/* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */
/* (m can take any value in S3 in NTRU_HRSS) */
fail = 0;
fail |= owcpa_check_m(m);

/* b = c - Lift(m) mod (q, x^n - 1) */


+ 0
- 1
crypto_kem/ntruhps4096821/avx2/sample.c View File

@@ -1,4 +1,3 @@
#include "crypto_sort_int32.h"
#include "sample.h"

void PQCLEAN_NTRUHPS4096821_AVX2_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]) {


+ 2
- 0
crypto_kem/ntruhps4096821/avx2/sample.h View File

@@ -4,6 +4,8 @@
#include "params.h"
#include "poly.h"

#include "crypto_sort_int32.h"

void PQCLEAN_NTRUHPS4096821_AVX2_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]);
void PQCLEAN_NTRUHPS4096821_AVX2_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]);



+ 1
- 6
crypto_kem/ntruhps4096821/clean/kem.c View File

@@ -42,12 +42,7 @@ int PQCLEAN_NTRUHPS4096821_CLEAN_crypto_kem_dec(uint8_t *k, const uint8_t *c, co
uint8_t rm[NTRU_OWCPA_MSGBYTES];
uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES];

fail = 0;

/* Check that unused bits of last byte of ciphertext are zero */
fail |= c[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));

fail |= PQCLEAN_NTRUHPS4096821_CLEAN_owcpa_dec(rm, c, sk);
fail = PQCLEAN_NTRUHPS4096821_CLEAN_owcpa_dec(rm, c, sk);
/* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */
/* See comment in PQCLEAN_NTRUHPS4096821_CLEAN_owcpa_dec for details. */



+ 6
- 2
crypto_kem/ntruhps4096821/clean/owcpa.c View File

@@ -123,11 +123,15 @@ int PQCLEAN_NTRUHPS4096821_CLEAN_owcpa_dec(unsigned char *rm,
PQCLEAN_NTRUHPS4096821_CLEAN_poly_S3_mul(m, mf, finv3);
PQCLEAN_NTRUHPS4096821_CLEAN_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m);

/* NOTE: For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
fail = 0;

/* Check that unused bits of last byte of ciphertext are zero */
fail |= ciphertext[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));

/* For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
/* We can avoid re-computing r*h + Lift(m) as long as we check that */
/* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */
/* (m can take any value in S3 in NTRU_HRSS) */
fail = 0;
fail |= owcpa_check_m(m);

/* b = c - Lift(m) mod (q, x^n - 1) */


+ 4
- 4
crypto_kem/ntruhps4096821/clean/poly_r2_inv.c View File

@@ -3,14 +3,14 @@
#include "poly.h"

/* return -1 if x<0 and y<0; otherwise return 0 */
static inline int both_negative_mask(int x, int y) {
static inline int16_t both_negative_mask(int16_t x, int16_t y) {
return (x & y) >> 15;
}

void PQCLEAN_NTRUHPS4096821_CLEAN_poly_R2_inv(poly *r, const poly *a) {
poly f, g, v, w;
int i, loop, delta;
int sign, swap, t;
int16_t i, loop, delta;
int16_t sign, swap, t;

for (i = 0; i < NTRU_N; ++i) {
v.coeffs[i] = 0;
@@ -37,7 +37,7 @@ void PQCLEAN_NTRUHPS4096821_CLEAN_poly_R2_inv(poly *r, const poly *a) {
v.coeffs[0] = 0;

sign = g.coeffs[0] & f.coeffs[0];
swap = both_negative_mask(-delta, -(int) g.coeffs[0]);
swap = both_negative_mask(-delta, -(int16_t) g.coeffs[0]);
delta ^= swap & (delta ^ -delta);
delta += 1;



+ 4
- 4
crypto_kem/ntruhps4096821/clean/poly_s3_inv.c View File

@@ -11,14 +11,14 @@ static inline uint8_t mod3(uint8_t a) { /* a between 0 and 9 */
}

/* return -1 if x<0 and y<0; otherwise return 0 */
static inline int both_negative_mask(int x, int y) {
static inline int16_t both_negative_mask(int16_t x, int16_t y) {
return (x & y) >> 15;
}

void PQCLEAN_NTRUHPS4096821_CLEAN_poly_S3_inv(poly *r, const poly *a) {
poly f, g, v, w;
int i, loop, delta;
int sign, swap, t;
int16_t i, loop, delta;
int16_t sign, swap, t;

for (i = 0; i < NTRU_N; ++i) {
v.coeffs[i] = 0;
@@ -45,7 +45,7 @@ void PQCLEAN_NTRUHPS4096821_CLEAN_poly_S3_inv(poly *r, const poly *a) {
v.coeffs[0] = 0;

sign = mod3((uint8_t) (2 * g.coeffs[0] * f.coeffs[0]));
swap = both_negative_mask(-delta, -(int) g.coeffs[0]);
swap = both_negative_mask(-delta, -(int16_t) g.coeffs[0]);
delta ^= swap & (delta ^ -delta);
delta += 1;



+ 0
- 1
crypto_kem/ntruhps4096821/clean/sample.c View File

@@ -1,4 +1,3 @@
#include "crypto_sort_int32.h"
#include "sample.h"

void PQCLEAN_NTRUHPS4096821_CLEAN_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]) {


+ 2
- 0
crypto_kem/ntruhps4096821/clean/sample.h View File

@@ -4,6 +4,8 @@
#include "params.h"
#include "poly.h"

#include "crypto_sort_int32.h"

void PQCLEAN_NTRUHPS4096821_CLEAN_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]);
void PQCLEAN_NTRUHPS4096821_CLEAN_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]);



+ 2
- 2
crypto_kem/ntruhrss701/META.yml View File

@@ -23,9 +23,9 @@ auxiliary-submitters:
- Zhenfei Zhang
implementations:
- name: clean
version: https://github.com/jschanck/ntru/tree/ff3c84e1 reference implementation
version: https://github.com/jschanck/ntru/tree/b4b08d67 reference implementation
- name: avx2
version: https://github.com/jschanck/ntru/tree/ff3c84e1 avx2 implementation
version: https://github.com/jschanck/ntru/tree/b4b08d67 avx2 implementation
supported_platforms:
- architecture: x86_64
operating_systems:


+ 1
- 6
crypto_kem/ntruhrss701/avx2/kem.c View File

@@ -42,12 +42,7 @@ int PQCLEAN_NTRUHRSS701_AVX2_crypto_kem_dec(uint8_t *k, const uint8_t *c, const
uint8_t rm[NTRU_OWCPA_MSGBYTES];
uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES];

fail = 0;

/* Check that unused bits of last byte of ciphertext are zero */
fail |= c[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));

fail |= PQCLEAN_NTRUHRSS701_AVX2_owcpa_dec(rm, c, sk);
fail = PQCLEAN_NTRUHRSS701_AVX2_owcpa_dec(rm, c, sk);
/* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */
/* See comment in PQCLEAN_NTRUHRSS701_AVX2_owcpa_dec for details. */
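Review bot: The comment after `fail = PQCLEAN_NTRUHRSS701_AVX2_owcpa_dec(rm, c, sk);` only describes the re-encapsulation shortcut, but `fail` now also carries the ciphertext padding check this commit moved into `owcpa_dec`, and it is a failure bitmask (nonzero on any rejection) rather than a 0/1 flag. The code that later turns `fail` into a constant-time selection mask (outside this hunk) must therefore accept any nonzero value. Suggested comment under the call: `/* fail is nonzero iff owcpa_dec rejected c (nonzero padding bits, or r outside the message space); it is a bitmask, not 0/1 */`.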



+ 6
- 2
crypto_kem/ntruhrss701/avx2/owcpa.c View File

@@ -106,11 +106,15 @@ int PQCLEAN_NTRUHRSS701_AVX2_owcpa_dec(unsigned char *rm,
PQCLEAN_NTRUHRSS701_AVX2_poly_S3_mul(m, mf, finv3);
PQCLEAN_NTRUHRSS701_AVX2_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m);

/* NOTE: For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
fail = 0;

/* Check that unused bits of last byte of ciphertext are zero */
fail |= ciphertext[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));

/* For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
/* We can avoid re-computing r*h + Lift(m) as long as we check that */
/* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */
/* (m can take any value in S3 in NTRU_HRSS) */
fail = 0;

/* b = c - Lift(m) mod (q, x^n - 1) */
PQCLEAN_NTRUHRSS701_AVX2_poly_lift(liftm, m);


+ 1
- 0
crypto_kem/ntruhrss701/avx2/sample.h View File

@@ -4,6 +4,7 @@
#include "params.h"
#include "poly.h"


void PQCLEAN_NTRUHRSS701_AVX2_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]);
void PQCLEAN_NTRUHRSS701_AVX2_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]);



+ 1
- 6
crypto_kem/ntruhrss701/clean/kem.c View File

@@ -42,12 +42,7 @@ int PQCLEAN_NTRUHRSS701_CLEAN_crypto_kem_dec(uint8_t *k, const uint8_t *c, const
uint8_t rm[NTRU_OWCPA_MSGBYTES];
uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES];

fail = 0;

/* Check that unused bits of last byte of ciphertext are zero */
fail |= c[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));

fail |= PQCLEAN_NTRUHRSS701_CLEAN_owcpa_dec(rm, c, sk);
fail = PQCLEAN_NTRUHRSS701_CLEAN_owcpa_dec(rm, c, sk);
/* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */
/* See comment in PQCLEAN_NTRUHRSS701_CLEAN_owcpa_dec for details. */
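Review bot: After `fail = PQCLEAN_NTRUHRSS701_CLEAN_owcpa_dec(rm, c, sk);` the comment covers only the re-encapsulation argument, yet `fail` is now the sole carrier of the relocated ciphertext padding check and is a nonzero bitmask on rejection, not 0/1. Whatever later converts `fail` into a constant-time selection mask (the rest of `crypto_kem_dec` is outside this hunk) must accept any nonzero value. Suggested comment under the call: `/* fail is nonzero iff owcpa_dec rejected c (nonzero padding bits, or r outside the message space); it is a bitmask, not 0/1 */`.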



+ 6
- 2
crypto_kem/ntruhrss701/clean/owcpa.c View File

@@ -106,11 +106,15 @@ int PQCLEAN_NTRUHRSS701_CLEAN_owcpa_dec(unsigned char *rm,
PQCLEAN_NTRUHRSS701_CLEAN_poly_S3_mul(m, mf, finv3);
PQCLEAN_NTRUHRSS701_CLEAN_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m);

/* NOTE: For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
fail = 0;

/* Check that unused bits of last byte of ciphertext are zero */
fail |= ciphertext[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));

/* For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
/* We can avoid re-computing r*h + Lift(m) as long as we check that */
/* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */
/* (m can take any value in S3 in NTRU_HRSS) */
fail = 0;

/* b = c - Lift(m) mod (q, x^n - 1) */
PQCLEAN_NTRUHRSS701_CLEAN_poly_lift(liftm, m);


+ 4
- 4
crypto_kem/ntruhrss701/clean/poly_r2_inv.c View File

@@ -3,14 +3,14 @@
#include "poly.h"

/* return -1 if x<0 and y<0; otherwise return 0 */
static inline int both_negative_mask(int x, int y) {
static inline int16_t both_negative_mask(int16_t x, int16_t y) {
return (x & y) >> 15;
}

void PQCLEAN_NTRUHRSS701_CLEAN_poly_R2_inv(poly *r, const poly *a) {
poly f, g, v, w;
int i, loop, delta;
int sign, swap, t;
int16_t i, loop, delta;
int16_t sign, swap, t;

for (i = 0; i < NTRU_N; ++i) {
v.coeffs[i] = 0;
@@ -37,7 +37,7 @@ void PQCLEAN_NTRUHRSS701_CLEAN_poly_R2_inv(poly *r, const poly *a) {
v.coeffs[0] = 0;

sign = g.coeffs[0] & f.coeffs[0];
swap = both_negative_mask(-delta, -(int) g.coeffs[0]);
swap = both_negative_mask(-delta, -(int16_t) g.coeffs[0]);
delta ^= swap & (delta ^ -delta);
delta += 1;



+ 4
- 4
crypto_kem/ntruhrss701/clean/poly_s3_inv.c View File

@@ -11,14 +11,14 @@ static inline uint8_t mod3(uint8_t a) { /* a between 0 and 9 */
}

/* return -1 if x<0 and y<0; otherwise return 0 */
static inline int both_negative_mask(int x, int y) {
static inline int16_t both_negative_mask(int16_t x, int16_t y) {
return (x & y) >> 15;
}

void PQCLEAN_NTRUHRSS701_CLEAN_poly_S3_inv(poly *r, const poly *a) {
poly f, g, v, w;
int i, loop, delta;
int sign, swap, t;
int16_t i, loop, delta;
int16_t sign, swap, t;

for (i = 0; i < NTRU_N; ++i) {
v.coeffs[i] = 0;
@@ -45,7 +45,7 @@ void PQCLEAN_NTRUHRSS701_CLEAN_poly_S3_inv(poly *r, const poly *a) {
v.coeffs[0] = 0;

sign = mod3((uint8_t) (2 * g.coeffs[0] * f.coeffs[0]));
swap = both_negative_mask(-delta, -(int) g.coeffs[0]);
swap = both_negative_mask(-delta, -(int16_t) g.coeffs[0]);
delta ^= swap & (delta ^ -delta);
delta += 1;



+ 1
- 0
crypto_kem/ntruhrss701/clean/sample.h View File

@@ -4,6 +4,7 @@
#include "params.h"
#include "poly.h"


void PQCLEAN_NTRUHRSS701_CLEAN_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]);
void PQCLEAN_NTRUHRSS701_CLEAN_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]);


