ntru: packaging script update. resolves #331
This commit is contained in:
parent
be7f11975d
commit
4267e51253
@ -23,9 +23,9 @@ auxiliary-submitters:
|
|||||||
- Zhenfei Zhang
|
- Zhenfei Zhang
|
||||||
implementations:
|
implementations:
|
||||||
- name: clean
|
- name: clean
|
||||||
version: https://github.com/jschanck/ntru/tree/ff3c84e1 reference implementation
|
version: https://github.com/jschanck/ntru/tree/b4b08d67 reference implementation
|
||||||
- name: avx2
|
- name: avx2
|
||||||
version: https://github.com/jschanck/ntru/tree/ff3c84e1 avx2 implementation
|
version: https://github.com/jschanck/ntru/tree/b4b08d67 avx2 implementation
|
||||||
supported_platforms:
|
supported_platforms:
|
||||||
- architecture: x86_64
|
- architecture: x86_64
|
||||||
operating_systems:
|
operating_systems:
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
#include "crypto_sort_int32.h"
|
|
||||||
#include <immintrin.h>
|
|
||||||
// Based on supercop-20200820/crypto_sort/int32/avx2
|
// Based on supercop-20200820/crypto_sort/int32/avx2
|
||||||
|
|
||||||
|
#include "crypto_sort_int32.h"
|
||||||
|
|
||||||
|
#include <immintrin.h>
|
||||||
#define int32 int32_t
|
#define int32 int32_t
|
||||||
|
|
||||||
typedef __m256i int32x8;
|
typedef __m256i int32x8;
|
||||||
|
@ -1,10 +1,11 @@
|
|||||||
#ifndef CRYPTO_SORT
|
#ifndef CRYPTO_SORT
|
||||||
#define CRYPTO_SORT
|
#define CRYPTO_SORT
|
||||||
|
|
||||||
#include "params.h"
|
#include "params.h"
|
||||||
|
|
||||||
#include <stddef.h>
|
#include <stddef.h>
|
||||||
#include <stdint.h>
|
#include <stdint.h>
|
||||||
|
|
||||||
|
|
||||||
void PQCLEAN_NTRUHPS2048509_AVX2_crypto_sort_int32(int32_t *x, size_t n);
|
void PQCLEAN_NTRUHPS2048509_AVX2_crypto_sort_int32(int32_t *x, size_t n);
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
@ -42,12 +42,7 @@ int PQCLEAN_NTRUHPS2048509_AVX2_crypto_kem_dec(uint8_t *k, const uint8_t *c, con
|
|||||||
uint8_t rm[NTRU_OWCPA_MSGBYTES];
|
uint8_t rm[NTRU_OWCPA_MSGBYTES];
|
||||||
uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES];
|
uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES];
|
||||||
|
|
||||||
fail = 0;
|
fail = PQCLEAN_NTRUHPS2048509_AVX2_owcpa_dec(rm, c, sk);
|
||||||
|
|
||||||
/* Check that unused bits of last byte of ciphertext are zero */
|
|
||||||
fail |= c[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));
|
|
||||||
|
|
||||||
fail |= PQCLEAN_NTRUHPS2048509_AVX2_owcpa_dec(rm, c, sk);
|
|
||||||
/* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */
|
/* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */
|
||||||
/* See comment in PQCLEAN_NTRUHPS2048509_AVX2_owcpa_dec for details. */
|
/* See comment in PQCLEAN_NTRUHPS2048509_AVX2_owcpa_dec for details. */
|
||||||
|
|
||||||
|
@ -123,11 +123,15 @@ int PQCLEAN_NTRUHPS2048509_AVX2_owcpa_dec(unsigned char *rm,
|
|||||||
PQCLEAN_NTRUHPS2048509_AVX2_poly_S3_mul(m, mf, finv3);
|
PQCLEAN_NTRUHPS2048509_AVX2_poly_S3_mul(m, mf, finv3);
|
||||||
PQCLEAN_NTRUHPS2048509_AVX2_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m);
|
PQCLEAN_NTRUHPS2048509_AVX2_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m);
|
||||||
|
|
||||||
/* NOTE: For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
|
fail = 0;
|
||||||
|
|
||||||
|
/* Check that unused bits of last byte of ciphertext are zero */
|
||||||
|
fail |= ciphertext[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));
|
||||||
|
|
||||||
|
/* For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
|
||||||
/* We can avoid re-computing r*h + Lift(m) as long as we check that */
|
/* We can avoid re-computing r*h + Lift(m) as long as we check that */
|
||||||
/* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */
|
/* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */
|
||||||
/* (m can take any value in S3 in NTRU_HRSS) */
|
/* (m can take any value in S3 in NTRU_HRSS) */
|
||||||
fail = 0;
|
|
||||||
fail |= owcpa_check_m(m);
|
fail |= owcpa_check_m(m);
|
||||||
|
|
||||||
/* b = c - Lift(m) mod (q, x^n - 1) */
|
/* b = c - Lift(m) mod (q, x^n - 1) */
|
||||||
|
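Review bot: The padding check moved into this function, `fail |= ciphertext[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));`, ORs a value that can be anything in 0..0xfe into `fail`, so `fail` is no longer confined to 0/1 when it is returned; the only caller visible in this commit is the new `fail = PQCLEAN_NTRUHPS2048509_AVX2_owcpa_dec(rm, c, sk);` in kem.c, and if that value is later narrowed to a byte and negated to build a constant-time select mask (not shown in either hunk), a multi-bit `fail` would produce a partial mask and only part of the shared key would be replaced on a malformed ciphertext. Normalize the check to a single bit before folding it in, e.g. `uint32_t t = ciphertext[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));` followed by `fail |= (int) ((0u - t) >> 31); /* 1 iff an unused bit is set, branch-free */` (with `t` declared at the top of the function). The same hunk is repeated in the CLEAN variant of this parameter set and in both the AVX2 and CLEAN variants of NTRUHPS2048677 and NTRUHPS4096821. PQCLEAN_NTRUHPS2048509_AVX2_owcpa_dec starts and ends outside this hunk.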
@ -1,4 +1,3 @@
|
|||||||
#include "crypto_sort_int32.h"
|
|
||||||
#include "sample.h"
|
#include "sample.h"
|
||||||
|
|
||||||
void PQCLEAN_NTRUHPS2048509_AVX2_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]) {
|
void PQCLEAN_NTRUHPS2048509_AVX2_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]) {
|
||||||
|
@ -4,6 +4,8 @@
|
|||||||
#include "params.h"
|
#include "params.h"
|
||||||
#include "poly.h"
|
#include "poly.h"
|
||||||
|
|
||||||
|
#include "crypto_sort_int32.h"
|
||||||
|
|
||||||
void PQCLEAN_NTRUHPS2048509_AVX2_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]);
|
void PQCLEAN_NTRUHPS2048509_AVX2_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]);
|
||||||
void PQCLEAN_NTRUHPS2048509_AVX2_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]);
|
void PQCLEAN_NTRUHPS2048509_AVX2_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]);
|
||||||
|
|
||||||
|
@ -42,12 +42,7 @@ int PQCLEAN_NTRUHPS2048509_CLEAN_crypto_kem_dec(uint8_t *k, const uint8_t *c, co
|
|||||||
uint8_t rm[NTRU_OWCPA_MSGBYTES];
|
uint8_t rm[NTRU_OWCPA_MSGBYTES];
|
||||||
uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES];
|
uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES];
|
||||||
|
|
||||||
fail = 0;
|
fail = PQCLEAN_NTRUHPS2048509_CLEAN_owcpa_dec(rm, c, sk);
|
||||||
|
|
||||||
/* Check that unused bits of last byte of ciphertext are zero */
|
|
||||||
fail |= c[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));
|
|
||||||
|
|
||||||
fail |= PQCLEAN_NTRUHPS2048509_CLEAN_owcpa_dec(rm, c, sk);
|
|
||||||
/* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */
|
/* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */
|
||||||
/* See comment in PQCLEAN_NTRUHPS2048509_CLEAN_owcpa_dec for details. */
|
/* See comment in PQCLEAN_NTRUHPS2048509_CLEAN_owcpa_dec for details. */
|
||||||
|
|
||||||
|
@ -123,11 +123,15 @@ int PQCLEAN_NTRUHPS2048509_CLEAN_owcpa_dec(unsigned char *rm,
|
|||||||
PQCLEAN_NTRUHPS2048509_CLEAN_poly_S3_mul(m, mf, finv3);
|
PQCLEAN_NTRUHPS2048509_CLEAN_poly_S3_mul(m, mf, finv3);
|
||||||
PQCLEAN_NTRUHPS2048509_CLEAN_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m);
|
PQCLEAN_NTRUHPS2048509_CLEAN_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m);
|
||||||
|
|
||||||
/* NOTE: For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
|
fail = 0;
|
||||||
|
|
||||||
|
/* Check that unused bits of last byte of ciphertext are zero */
|
||||||
|
fail |= ciphertext[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));
|
||||||
|
|
||||||
|
/* For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
|
||||||
/* We can avoid re-computing r*h + Lift(m) as long as we check that */
|
/* We can avoid re-computing r*h + Lift(m) as long as we check that */
|
||||||
/* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */
|
/* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */
|
||||||
/* (m can take any value in S3 in NTRU_HRSS) */
|
/* (m can take any value in S3 in NTRU_HRSS) */
|
||||||
fail = 0;
|
|
||||||
fail |= owcpa_check_m(m);
|
fail |= owcpa_check_m(m);
|
||||||
|
|
||||||
/* b = c - Lift(m) mod (q, x^n - 1) */
|
/* b = c - Lift(m) mod (q, x^n - 1) */
|
||||||
|
@ -3,14 +3,14 @@
|
|||||||
#include "poly.h"
|
#include "poly.h"
|
||||||
|
|
||||||
/* return -1 if x<0 and y<0; otherwise return 0 */
|
/* return -1 if x<0 and y<0; otherwise return 0 */
|
||||||
static inline int both_negative_mask(int x, int y) {
|
static inline int16_t both_negative_mask(int16_t x, int16_t y) {
|
||||||
return (x & y) >> 15;
|
return (x & y) >> 15;
|
||||||
}
|
}
|
||||||
|
|
||||||
void PQCLEAN_NTRUHPS2048509_CLEAN_poly_R2_inv(poly *r, const poly *a) {
|
void PQCLEAN_NTRUHPS2048509_CLEAN_poly_R2_inv(poly *r, const poly *a) {
|
||||||
poly f, g, v, w;
|
poly f, g, v, w;
|
||||||
int i, loop, delta;
|
int16_t i, loop, delta;
|
||||||
int sign, swap, t;
|
int16_t sign, swap, t;
|
||||||
|
|
||||||
for (i = 0; i < NTRU_N; ++i) {
|
for (i = 0; i < NTRU_N; ++i) {
|
||||||
v.coeffs[i] = 0;
|
v.coeffs[i] = 0;
|
||||||
@ -37,7 +37,7 @@ void PQCLEAN_NTRUHPS2048509_CLEAN_poly_R2_inv(poly *r, const poly *a) {
|
|||||||
v.coeffs[0] = 0;
|
v.coeffs[0] = 0;
|
||||||
|
|
||||||
sign = g.coeffs[0] & f.coeffs[0];
|
sign = g.coeffs[0] & f.coeffs[0];
|
||||||
swap = both_negative_mask(-delta, -(int) g.coeffs[0]);
|
swap = both_negative_mask(-delta, -(int16_t) g.coeffs[0]);
|
||||||
delta ^= swap & (delta ^ -delta);
|
delta ^= swap & (delta ^ -delta);
|
||||||
delta += 1;
|
delta += 1;
|
||||||
|
|
||||||
|
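Review bot: `static inline int16_t both_negative_mask(int16_t x, int16_t y)` still evaluates `(x & y) >> 15` on operands promoted to `int`, so the all-ones result the comment promises rests on the implementation-defined right shift of a negative `int` (C11 6.5.7p5), and the narrowing of that `int` back to `int16_t` on return — as well as in the caller's `-(int16_t) g.coeffs[0]` — is implementation-defined too (6.3.1.3). With 16-bit operands now in place the mask can be derived from the sign bit using only well-defined unsigned arithmetic, `return (int16_t) (0 - (((uint16_t) (x & y)) >> 15));`, which is -1 exactly when bit 15 is set in both x and y, 0 otherwise, and remains branch-free. The same helper is duplicated in poly_s3_inv.c and in the NTRUHPS2048677 and NTRUHPS4096821 copies of both files in this commit. The second hunk of this file lies inside PQCLEAN_NTRUHPS2048509_CLEAN_poly_R2_inv, whose body starts and ends outside the hunk.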
@ -11,14 +11,14 @@ static inline uint8_t mod3(uint8_t a) { /* a between 0 and 9 */
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* return -1 if x<0 and y<0; otherwise return 0 */
|
/* return -1 if x<0 and y<0; otherwise return 0 */
|
||||||
static inline int both_negative_mask(int x, int y) {
|
static inline int16_t both_negative_mask(int16_t x, int16_t y) {
|
||||||
return (x & y) >> 15;
|
return (x & y) >> 15;
|
||||||
}
|
}
|
||||||
|
|
||||||
void PQCLEAN_NTRUHPS2048509_CLEAN_poly_S3_inv(poly *r, const poly *a) {
|
void PQCLEAN_NTRUHPS2048509_CLEAN_poly_S3_inv(poly *r, const poly *a) {
|
||||||
poly f, g, v, w;
|
poly f, g, v, w;
|
||||||
int i, loop, delta;
|
int16_t i, loop, delta;
|
||||||
int sign, swap, t;
|
int16_t sign, swap, t;
|
||||||
|
|
||||||
for (i = 0; i < NTRU_N; ++i) {
|
for (i = 0; i < NTRU_N; ++i) {
|
||||||
v.coeffs[i] = 0;
|
v.coeffs[i] = 0;
|
||||||
@ -45,7 +45,7 @@ void PQCLEAN_NTRUHPS2048509_CLEAN_poly_S3_inv(poly *r, const poly *a) {
|
|||||||
v.coeffs[0] = 0;
|
v.coeffs[0] = 0;
|
||||||
|
|
||||||
sign = mod3((uint8_t) (2 * g.coeffs[0] * f.coeffs[0]));
|
sign = mod3((uint8_t) (2 * g.coeffs[0] * f.coeffs[0]));
|
||||||
swap = both_negative_mask(-delta, -(int) g.coeffs[0]);
|
swap = both_negative_mask(-delta, -(int16_t) g.coeffs[0]);
|
||||||
delta ^= swap & (delta ^ -delta);
|
delta ^= swap & (delta ^ -delta);
|
||||||
delta += 1;
|
delta += 1;
|
||||||
|
|
||||||
|
@ -1,4 +1,3 @@
|
|||||||
#include "crypto_sort_int32.h"
|
|
||||||
#include "sample.h"
|
#include "sample.h"
|
||||||
|
|
||||||
void PQCLEAN_NTRUHPS2048509_CLEAN_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]) {
|
void PQCLEAN_NTRUHPS2048509_CLEAN_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]) {
|
||||||
|
@ -4,6 +4,8 @@
|
|||||||
#include "params.h"
|
#include "params.h"
|
||||||
#include "poly.h"
|
#include "poly.h"
|
||||||
|
|
||||||
|
#include "crypto_sort_int32.h"
|
||||||
|
|
||||||
void PQCLEAN_NTRUHPS2048509_CLEAN_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]);
|
void PQCLEAN_NTRUHPS2048509_CLEAN_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]);
|
||||||
void PQCLEAN_NTRUHPS2048509_CLEAN_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]);
|
void PQCLEAN_NTRUHPS2048509_CLEAN_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]);
|
||||||
|
|
||||||
|
@ -23,9 +23,9 @@ auxiliary-submitters:
|
|||||||
- Zhenfei Zhang
|
- Zhenfei Zhang
|
||||||
implementations:
|
implementations:
|
||||||
- name: clean
|
- name: clean
|
||||||
version: https://github.com/jschanck/ntru/tree/ff3c84e1 reference implementation
|
version: https://github.com/jschanck/ntru/tree/b4b08d67 reference implementation
|
||||||
- name: avx2
|
- name: avx2
|
||||||
version: https://github.com/jschanck/ntru/tree/ff3c84e1 avx2 implementation
|
version: https://github.com/jschanck/ntru/tree/b4b08d67 avx2 implementation
|
||||||
supported_platforms:
|
supported_platforms:
|
||||||
- architecture: x86_64
|
- architecture: x86_64
|
||||||
operating_systems:
|
operating_systems:
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
#include "crypto_sort_int32.h"
|
|
||||||
#include <immintrin.h>
|
|
||||||
// Based on supercop-20200820/crypto_sort/int32/avx2
|
// Based on supercop-20200820/crypto_sort/int32/avx2
|
||||||
|
|
||||||
|
#include "crypto_sort_int32.h"
|
||||||
|
|
||||||
|
#include <immintrin.h>
|
||||||
#define int32 int32_t
|
#define int32 int32_t
|
||||||
|
|
||||||
typedef __m256i int32x8;
|
typedef __m256i int32x8;
|
||||||
|
@ -1,10 +1,11 @@
|
|||||||
#ifndef CRYPTO_SORT
|
#ifndef CRYPTO_SORT
|
||||||
#define CRYPTO_SORT
|
#define CRYPTO_SORT
|
||||||
|
|
||||||
#include "params.h"
|
#include "params.h"
|
||||||
|
|
||||||
#include <stddef.h>
|
#include <stddef.h>
|
||||||
#include <stdint.h>
|
#include <stdint.h>
|
||||||
|
|
||||||
|
|
||||||
void PQCLEAN_NTRUHPS2048677_AVX2_crypto_sort_int32(int32_t *x, size_t n);
|
void PQCLEAN_NTRUHPS2048677_AVX2_crypto_sort_int32(int32_t *x, size_t n);
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
@ -42,12 +42,7 @@ int PQCLEAN_NTRUHPS2048677_AVX2_crypto_kem_dec(uint8_t *k, const uint8_t *c, con
|
|||||||
uint8_t rm[NTRU_OWCPA_MSGBYTES];
|
uint8_t rm[NTRU_OWCPA_MSGBYTES];
|
||||||
uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES];
|
uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES];
|
||||||
|
|
||||||
fail = 0;
|
fail = PQCLEAN_NTRUHPS2048677_AVX2_owcpa_dec(rm, c, sk);
|
||||||
|
|
||||||
/* Check that unused bits of last byte of ciphertext are zero */
|
|
||||||
fail |= c[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));
|
|
||||||
|
|
||||||
fail |= PQCLEAN_NTRUHPS2048677_AVX2_owcpa_dec(rm, c, sk);
|
|
||||||
/* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */
|
/* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */
|
||||||
/* See comment in PQCLEAN_NTRUHPS2048677_AVX2_owcpa_dec for details. */
|
/* See comment in PQCLEAN_NTRUHPS2048677_AVX2_owcpa_dec for details. */
|
||||||
|
|
||||||
|
@ -123,11 +123,15 @@ int PQCLEAN_NTRUHPS2048677_AVX2_owcpa_dec(unsigned char *rm,
|
|||||||
PQCLEAN_NTRUHPS2048677_AVX2_poly_S3_mul(m, mf, finv3);
|
PQCLEAN_NTRUHPS2048677_AVX2_poly_S3_mul(m, mf, finv3);
|
||||||
PQCLEAN_NTRUHPS2048677_AVX2_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m);
|
PQCLEAN_NTRUHPS2048677_AVX2_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m);
|
||||||
|
|
||||||
/* NOTE: For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
|
fail = 0;
|
||||||
|
|
||||||
|
/* Check that unused bits of last byte of ciphertext are zero */
|
||||||
|
fail |= ciphertext[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));
|
||||||
|
|
||||||
|
/* For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
|
||||||
/* We can avoid re-computing r*h + Lift(m) as long as we check that */
|
/* We can avoid re-computing r*h + Lift(m) as long as we check that */
|
||||||
/* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */
|
/* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */
|
||||||
/* (m can take any value in S3 in NTRU_HRSS) */
|
/* (m can take any value in S3 in NTRU_HRSS) */
|
||||||
fail = 0;
|
|
||||||
fail |= owcpa_check_m(m);
|
fail |= owcpa_check_m(m);
|
||||||
|
|
||||||
/* b = c - Lift(m) mod (q, x^n - 1) */
|
/* b = c - Lift(m) mod (q, x^n - 1) */
|
||||||
|
@ -1,4 +1,3 @@
|
|||||||
#include "crypto_sort_int32.h"
|
|
||||||
#include "sample.h"
|
#include "sample.h"
|
||||||
|
|
||||||
void PQCLEAN_NTRUHPS2048677_AVX2_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]) {
|
void PQCLEAN_NTRUHPS2048677_AVX2_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]) {
|
||||||
|
@ -4,6 +4,8 @@
|
|||||||
#include "params.h"
|
#include "params.h"
|
||||||
#include "poly.h"
|
#include "poly.h"
|
||||||
|
|
||||||
|
#include "crypto_sort_int32.h"
|
||||||
|
|
||||||
void PQCLEAN_NTRUHPS2048677_AVX2_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]);
|
void PQCLEAN_NTRUHPS2048677_AVX2_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]);
|
||||||
void PQCLEAN_NTRUHPS2048677_AVX2_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]);
|
void PQCLEAN_NTRUHPS2048677_AVX2_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]);
|
||||||
|
|
||||||
|
@ -42,12 +42,7 @@ int PQCLEAN_NTRUHPS2048677_CLEAN_crypto_kem_dec(uint8_t *k, const uint8_t *c, co
|
|||||||
uint8_t rm[NTRU_OWCPA_MSGBYTES];
|
uint8_t rm[NTRU_OWCPA_MSGBYTES];
|
||||||
uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES];
|
uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES];
|
||||||
|
|
||||||
fail = 0;
|
fail = PQCLEAN_NTRUHPS2048677_CLEAN_owcpa_dec(rm, c, sk);
|
||||||
|
|
||||||
/* Check that unused bits of last byte of ciphertext are zero */
|
|
||||||
fail |= c[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));
|
|
||||||
|
|
||||||
fail |= PQCLEAN_NTRUHPS2048677_CLEAN_owcpa_dec(rm, c, sk);
|
|
||||||
/* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */
|
/* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */
|
||||||
/* See comment in PQCLEAN_NTRUHPS2048677_CLEAN_owcpa_dec for details. */
|
/* See comment in PQCLEAN_NTRUHPS2048677_CLEAN_owcpa_dec for details. */
|
||||||
|
|
||||||
|
@ -123,11 +123,15 @@ int PQCLEAN_NTRUHPS2048677_CLEAN_owcpa_dec(unsigned char *rm,
|
|||||||
PQCLEAN_NTRUHPS2048677_CLEAN_poly_S3_mul(m, mf, finv3);
|
PQCLEAN_NTRUHPS2048677_CLEAN_poly_S3_mul(m, mf, finv3);
|
||||||
PQCLEAN_NTRUHPS2048677_CLEAN_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m);
|
PQCLEAN_NTRUHPS2048677_CLEAN_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m);
|
||||||
|
|
||||||
/* NOTE: For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
|
fail = 0;
|
||||||
|
|
||||||
|
/* Check that unused bits of last byte of ciphertext are zero */
|
||||||
|
fail |= ciphertext[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));
|
||||||
|
|
||||||
|
/* For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
|
||||||
/* We can avoid re-computing r*h + Lift(m) as long as we check that */
|
/* We can avoid re-computing r*h + Lift(m) as long as we check that */
|
||||||
/* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */
|
/* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */
|
||||||
/* (m can take any value in S3 in NTRU_HRSS) */
|
/* (m can take any value in S3 in NTRU_HRSS) */
|
||||||
fail = 0;
|
|
||||||
fail |= owcpa_check_m(m);
|
fail |= owcpa_check_m(m);
|
||||||
|
|
||||||
/* b = c - Lift(m) mod (q, x^n - 1) */
|
/* b = c - Lift(m) mod (q, x^n - 1) */
|
||||||
|
@ -3,14 +3,14 @@
|
|||||||
#include "poly.h"
|
#include "poly.h"
|
||||||
|
|
||||||
/* return -1 if x<0 and y<0; otherwise return 0 */
|
/* return -1 if x<0 and y<0; otherwise return 0 */
|
||||||
static inline int both_negative_mask(int x, int y) {
|
static inline int16_t both_negative_mask(int16_t x, int16_t y) {
|
||||||
return (x & y) >> 15;
|
return (x & y) >> 15;
|
||||||
}
|
}
|
||||||
|
|
||||||
void PQCLEAN_NTRUHPS2048677_CLEAN_poly_R2_inv(poly *r, const poly *a) {
|
void PQCLEAN_NTRUHPS2048677_CLEAN_poly_R2_inv(poly *r, const poly *a) {
|
||||||
poly f, g, v, w;
|
poly f, g, v, w;
|
||||||
int i, loop, delta;
|
int16_t i, loop, delta;
|
||||||
int sign, swap, t;
|
int16_t sign, swap, t;
|
||||||
|
|
||||||
for (i = 0; i < NTRU_N; ++i) {
|
for (i = 0; i < NTRU_N; ++i) {
|
||||||
v.coeffs[i] = 0;
|
v.coeffs[i] = 0;
|
||||||
@ -37,7 +37,7 @@ void PQCLEAN_NTRUHPS2048677_CLEAN_poly_R2_inv(poly *r, const poly *a) {
|
|||||||
v.coeffs[0] = 0;
|
v.coeffs[0] = 0;
|
||||||
|
|
||||||
sign = g.coeffs[0] & f.coeffs[0];
|
sign = g.coeffs[0] & f.coeffs[0];
|
||||||
swap = both_negative_mask(-delta, -(int) g.coeffs[0]);
|
swap = both_negative_mask(-delta, -(int16_t) g.coeffs[0]);
|
||||||
delta ^= swap & (delta ^ -delta);
|
delta ^= swap & (delta ^ -delta);
|
||||||
delta += 1;
|
delta += 1;
|
||||||
|
|
||||||
|
@ -11,14 +11,14 @@ static inline uint8_t mod3(uint8_t a) { /* a between 0 and 9 */
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* return -1 if x<0 and y<0; otherwise return 0 */
|
/* return -1 if x<0 and y<0; otherwise return 0 */
|
||||||
static inline int both_negative_mask(int x, int y) {
|
static inline int16_t both_negative_mask(int16_t x, int16_t y) {
|
||||||
return (x & y) >> 15;
|
return (x & y) >> 15;
|
||||||
}
|
}
|
||||||
|
|
||||||
void PQCLEAN_NTRUHPS2048677_CLEAN_poly_S3_inv(poly *r, const poly *a) {
|
void PQCLEAN_NTRUHPS2048677_CLEAN_poly_S3_inv(poly *r, const poly *a) {
|
||||||
poly f, g, v, w;
|
poly f, g, v, w;
|
||||||
int i, loop, delta;
|
int16_t i, loop, delta;
|
||||||
int sign, swap, t;
|
int16_t sign, swap, t;
|
||||||
|
|
||||||
for (i = 0; i < NTRU_N; ++i) {
|
for (i = 0; i < NTRU_N; ++i) {
|
||||||
v.coeffs[i] = 0;
|
v.coeffs[i] = 0;
|
||||||
@ -45,7 +45,7 @@ void PQCLEAN_NTRUHPS2048677_CLEAN_poly_S3_inv(poly *r, const poly *a) {
|
|||||||
v.coeffs[0] = 0;
|
v.coeffs[0] = 0;
|
||||||
|
|
||||||
sign = mod3((uint8_t) (2 * g.coeffs[0] * f.coeffs[0]));
|
sign = mod3((uint8_t) (2 * g.coeffs[0] * f.coeffs[0]));
|
||||||
swap = both_negative_mask(-delta, -(int) g.coeffs[0]);
|
swap = both_negative_mask(-delta, -(int16_t) g.coeffs[0]);
|
||||||
delta ^= swap & (delta ^ -delta);
|
delta ^= swap & (delta ^ -delta);
|
||||||
delta += 1;
|
delta += 1;
|
||||||
|
|
||||||
|
@ -1,4 +1,3 @@
|
|||||||
#include "crypto_sort_int32.h"
|
|
||||||
#include "sample.h"
|
#include "sample.h"
|
||||||
|
|
||||||
void PQCLEAN_NTRUHPS2048677_CLEAN_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]) {
|
void PQCLEAN_NTRUHPS2048677_CLEAN_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]) {
|
||||||
|
@ -4,6 +4,8 @@
|
|||||||
#include "params.h"
|
#include "params.h"
|
||||||
#include "poly.h"
|
#include "poly.h"
|
||||||
|
|
||||||
|
#include "crypto_sort_int32.h"
|
||||||
|
|
||||||
void PQCLEAN_NTRUHPS2048677_CLEAN_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]);
|
void PQCLEAN_NTRUHPS2048677_CLEAN_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]);
|
||||||
void PQCLEAN_NTRUHPS2048677_CLEAN_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]);
|
void PQCLEAN_NTRUHPS2048677_CLEAN_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]);
|
||||||
|
|
||||||
|
@ -23,9 +23,9 @@ auxiliary-submitters:
|
|||||||
- Zhenfei Zhang
|
- Zhenfei Zhang
|
||||||
implementations:
|
implementations:
|
||||||
- name: clean
|
- name: clean
|
||||||
version: https://github.com/jschanck/ntru/tree/ff3c84e1 reference implementation
|
version: https://github.com/jschanck/ntru/tree/b4b08d67 reference implementation
|
||||||
- name: avx2
|
- name: avx2
|
||||||
version: https://github.com/jschanck/ntru/tree/ff3c84e1 avx2 implementation
|
version: https://github.com/jschanck/ntru/tree/b4b08d67 avx2 implementation
|
||||||
supported_platforms:
|
supported_platforms:
|
||||||
- architecture: x86_64
|
- architecture: x86_64
|
||||||
operating_systems:
|
operating_systems:
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
#include "crypto_sort_int32.h"
|
|
||||||
#include <immintrin.h>
|
|
||||||
// Based on supercop-20200820/crypto_sort/int32/avx2
|
// Based on supercop-20200820/crypto_sort/int32/avx2
|
||||||
|
|
||||||
|
#include "crypto_sort_int32.h"
|
||||||
|
|
||||||
|
#include <immintrin.h>
|
||||||
#define int32 int32_t
|
#define int32 int32_t
|
||||||
|
|
||||||
typedef __m256i int32x8;
|
typedef __m256i int32x8;
|
||||||
|
@ -1,10 +1,11 @@
|
|||||||
#ifndef CRYPTO_SORT
|
#ifndef CRYPTO_SORT
|
||||||
#define CRYPTO_SORT
|
#define CRYPTO_SORT
|
||||||
|
|
||||||
#include "params.h"
|
#include "params.h"
|
||||||
|
|
||||||
#include <stddef.h>
|
#include <stddef.h>
|
||||||
#include <stdint.h>
|
#include <stdint.h>
|
||||||
|
|
||||||
|
|
||||||
void PQCLEAN_NTRUHPS4096821_AVX2_crypto_sort_int32(int32_t *x, size_t n);
|
void PQCLEAN_NTRUHPS4096821_AVX2_crypto_sort_int32(int32_t *x, size_t n);
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
@ -42,12 +42,7 @@ int PQCLEAN_NTRUHPS4096821_AVX2_crypto_kem_dec(uint8_t *k, const uint8_t *c, con
|
|||||||
uint8_t rm[NTRU_OWCPA_MSGBYTES];
|
uint8_t rm[NTRU_OWCPA_MSGBYTES];
|
||||||
uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES];
|
uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES];
|
||||||
|
|
||||||
fail = 0;
|
fail = PQCLEAN_NTRUHPS4096821_AVX2_owcpa_dec(rm, c, sk);
|
||||||
|
|
||||||
/* Check that unused bits of last byte of ciphertext are zero */
|
|
||||||
fail |= c[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));
|
|
||||||
|
|
||||||
fail |= PQCLEAN_NTRUHPS4096821_AVX2_owcpa_dec(rm, c, sk);
|
|
||||||
/* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */
|
/* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */
|
||||||
/* See comment in PQCLEAN_NTRUHPS4096821_AVX2_owcpa_dec for details. */
|
/* See comment in PQCLEAN_NTRUHPS4096821_AVX2_owcpa_dec for details. */
|
||||||
|
|
||||||
|
@ -123,11 +123,15 @@ int PQCLEAN_NTRUHPS4096821_AVX2_owcpa_dec(unsigned char *rm,
|
|||||||
PQCLEAN_NTRUHPS4096821_AVX2_poly_S3_mul(m, mf, finv3);
|
PQCLEAN_NTRUHPS4096821_AVX2_poly_S3_mul(m, mf, finv3);
|
||||||
PQCLEAN_NTRUHPS4096821_AVX2_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m);
|
PQCLEAN_NTRUHPS4096821_AVX2_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m);
|
||||||
|
|
||||||
/* NOTE: For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
|
fail = 0;
|
||||||
|
|
||||||
|
/* Check that unused bits of last byte of ciphertext are zero */
|
||||||
|
fail |= ciphertext[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));
|
||||||
|
|
||||||
|
/* For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
|
||||||
/* We can avoid re-computing r*h + Lift(m) as long as we check that */
|
/* We can avoid re-computing r*h + Lift(m) as long as we check that */
|
||||||
/* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */
|
/* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */
|
||||||
/* (m can take any value in S3 in NTRU_HRSS) */
|
/* (m can take any value in S3 in NTRU_HRSS) */
|
||||||
fail = 0;
|
|
||||||
fail |= owcpa_check_m(m);
|
fail |= owcpa_check_m(m);
|
||||||
|
|
||||||
/* b = c - Lift(m) mod (q, x^n - 1) */
|
/* b = c - Lift(m) mod (q, x^n - 1) */
|
||||||
|
@ -1,4 +1,3 @@
|
|||||||
#include "crypto_sort_int32.h"
|
|
||||||
#include "sample.h"
|
#include "sample.h"
|
||||||
|
|
||||||
void PQCLEAN_NTRUHPS4096821_AVX2_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]) {
|
void PQCLEAN_NTRUHPS4096821_AVX2_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]) {
|
||||||
|
@ -4,6 +4,8 @@
|
|||||||
#include "params.h"
|
#include "params.h"
|
||||||
#include "poly.h"
|
#include "poly.h"
|
||||||
|
|
||||||
|
#include "crypto_sort_int32.h"
|
||||||
|
|
||||||
void PQCLEAN_NTRUHPS4096821_AVX2_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]);
|
void PQCLEAN_NTRUHPS4096821_AVX2_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]);
|
||||||
void PQCLEAN_NTRUHPS4096821_AVX2_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]);
|
void PQCLEAN_NTRUHPS4096821_AVX2_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]);
|
||||||
|
|
||||||
|
@ -42,12 +42,7 @@ int PQCLEAN_NTRUHPS4096821_CLEAN_crypto_kem_dec(uint8_t *k, const uint8_t *c, co
|
|||||||
uint8_t rm[NTRU_OWCPA_MSGBYTES];
|
uint8_t rm[NTRU_OWCPA_MSGBYTES];
|
||||||
uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES];
|
uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES];
|
||||||
|
|
||||||
fail = 0;
|
fail = PQCLEAN_NTRUHPS4096821_CLEAN_owcpa_dec(rm, c, sk);
|
||||||
|
|
||||||
/* Check that unused bits of last byte of ciphertext are zero */
|
|
||||||
fail |= c[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));
|
|
||||||
|
|
||||||
fail |= PQCLEAN_NTRUHPS4096821_CLEAN_owcpa_dec(rm, c, sk);
|
|
||||||
/* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */
|
/* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */
|
||||||
/* See comment in PQCLEAN_NTRUHPS4096821_CLEAN_owcpa_dec for details. */
|
/* See comment in PQCLEAN_NTRUHPS4096821_CLEAN_owcpa_dec for details. */
|
||||||
|
|
||||||
|
@ -123,11 +123,15 @@ int PQCLEAN_NTRUHPS4096821_CLEAN_owcpa_dec(unsigned char *rm,
|
|||||||
PQCLEAN_NTRUHPS4096821_CLEAN_poly_S3_mul(m, mf, finv3);
|
PQCLEAN_NTRUHPS4096821_CLEAN_poly_S3_mul(m, mf, finv3);
|
||||||
PQCLEAN_NTRUHPS4096821_CLEAN_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m);
|
PQCLEAN_NTRUHPS4096821_CLEAN_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m);
|
||||||
|
|
||||||
/* NOTE: For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
|
fail = 0;
|
||||||
|
|
||||||
|
/* Check that unused bits of last byte of ciphertext are zero */
|
||||||
|
fail |= ciphertext[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));
|
||||||
|
|
||||||
|
/* For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
|
||||||
/* We can avoid re-computing r*h + Lift(m) as long as we check that */
|
/* We can avoid re-computing r*h + Lift(m) as long as we check that */
|
||||||
/* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */
|
/* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */
|
||||||
/* (m can take any value in S3 in NTRU_HRSS) */
|
/* (m can take any value in S3 in NTRU_HRSS) */
|
||||||
fail = 0;
|
|
||||||
fail |= owcpa_check_m(m);
|
fail |= owcpa_check_m(m);
|
||||||
|
|
||||||
/* b = c - Lift(m) mod (q, x^n - 1) */
|
/* b = c - Lift(m) mod (q, x^n - 1) */
|
||||||
|
@ -3,14 +3,14 @@
|
|||||||
#include "poly.h"
|
#include "poly.h"
|
||||||
|
|
||||||
/* return -1 if x<0 and y<0; otherwise return 0 */
|
/* return -1 if x<0 and y<0; otherwise return 0 */
|
||||||
static inline int both_negative_mask(int x, int y) {
|
static inline int16_t both_negative_mask(int16_t x, int16_t y) {
|
||||||
return (x & y) >> 15;
|
return (x & y) >> 15;
|
||||||
}
|
}
|
||||||
|
|
||||||
void PQCLEAN_NTRUHPS4096821_CLEAN_poly_R2_inv(poly *r, const poly *a) {
|
void PQCLEAN_NTRUHPS4096821_CLEAN_poly_R2_inv(poly *r, const poly *a) {
|
||||||
poly f, g, v, w;
|
poly f, g, v, w;
|
||||||
int i, loop, delta;
|
int16_t i, loop, delta;
|
||||||
int sign, swap, t;
|
int16_t sign, swap, t;
|
||||||
|
|
||||||
for (i = 0; i < NTRU_N; ++i) {
|
for (i = 0; i < NTRU_N; ++i) {
|
||||||
v.coeffs[i] = 0;
|
v.coeffs[i] = 0;
|
||||||
@ -37,7 +37,7 @@ void PQCLEAN_NTRUHPS4096821_CLEAN_poly_R2_inv(poly *r, const poly *a) {
|
|||||||
v.coeffs[0] = 0;
|
v.coeffs[0] = 0;
|
||||||
|
|
||||||
sign = g.coeffs[0] & f.coeffs[0];
|
sign = g.coeffs[0] & f.coeffs[0];
|
||||||
swap = both_negative_mask(-delta, -(int) g.coeffs[0]);
|
swap = both_negative_mask(-delta, -(int16_t) g.coeffs[0]);
|
||||||
delta ^= swap & (delta ^ -delta);
|
delta ^= swap & (delta ^ -delta);
|
||||||
delta += 1;
|
delta += 1;
|
||||||
|
|
||||||
|
@ -11,14 +11,14 @@ static inline uint8_t mod3(uint8_t a) { /* a between 0 and 9 */
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* return -1 if x<0 and y<0; otherwise return 0 */
|
/* return -1 if x<0 and y<0; otherwise return 0 */
|
||||||
static inline int both_negative_mask(int x, int y) {
|
static inline int16_t both_negative_mask(int16_t x, int16_t y) {
|
||||||
return (x & y) >> 15;
|
return (x & y) >> 15;
|
||||||
}
|
}
|
||||||
|
|
||||||
void PQCLEAN_NTRUHPS4096821_CLEAN_poly_S3_inv(poly *r, const poly *a) {
|
void PQCLEAN_NTRUHPS4096821_CLEAN_poly_S3_inv(poly *r, const poly *a) {
|
||||||
poly f, g, v, w;
|
poly f, g, v, w;
|
||||||
int i, loop, delta;
|
int16_t i, loop, delta;
|
||||||
int sign, swap, t;
|
int16_t sign, swap, t;
|
||||||
|
|
||||||
for (i = 0; i < NTRU_N; ++i) {
|
for (i = 0; i < NTRU_N; ++i) {
|
||||||
v.coeffs[i] = 0;
|
v.coeffs[i] = 0;
|
||||||
@ -45,7 +45,7 @@ void PQCLEAN_NTRUHPS4096821_CLEAN_poly_S3_inv(poly *r, const poly *a) {
|
|||||||
v.coeffs[0] = 0;
|
v.coeffs[0] = 0;
|
||||||
|
|
||||||
sign = mod3((uint8_t) (2 * g.coeffs[0] * f.coeffs[0]));
|
sign = mod3((uint8_t) (2 * g.coeffs[0] * f.coeffs[0]));
|
||||||
swap = both_negative_mask(-delta, -(int) g.coeffs[0]);
|
swap = both_negative_mask(-delta, -(int16_t) g.coeffs[0]);
|
||||||
delta ^= swap & (delta ^ -delta);
|
delta ^= swap & (delta ^ -delta);
|
||||||
delta += 1;
|
delta += 1;
|
||||||
|
|
||||||
|
@ -1,4 +1,3 @@
|
|||||||
#include "crypto_sort_int32.h"
|
|
||||||
#include "sample.h"
|
#include "sample.h"
|
||||||
|
|
||||||
void PQCLEAN_NTRUHPS4096821_CLEAN_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]) {
|
void PQCLEAN_NTRUHPS4096821_CLEAN_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]) {
|
||||||
|
@ -4,6 +4,8 @@
|
|||||||
#include "params.h"
|
#include "params.h"
|
||||||
#include "poly.h"
|
#include "poly.h"
|
||||||
|
|
||||||
|
#include "crypto_sort_int32.h"
|
||||||
|
|
||||||
void PQCLEAN_NTRUHPS4096821_CLEAN_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]);
|
void PQCLEAN_NTRUHPS4096821_CLEAN_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]);
|
||||||
void PQCLEAN_NTRUHPS4096821_CLEAN_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]);
|
void PQCLEAN_NTRUHPS4096821_CLEAN_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]);
|
||||||
|
|
||||||
|
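Review bot: `#include "crypto_sort_int32.h"` is added to the header although the two declarations visible in this hunk need only `poly` (from `poly.h`) and the `NTRU_SAMPLE_*_BYTES` constants (from `params.h`); the sort looks like an implementation detail of the sampler, and the companion `@ -1,4 +1,3 @@` hunk removes exactly that include from `sample.c`, so every includer of `sample.h` now pulls in the sort interface. Unless a declaration outside the hunk depends on it, keep the include in the `.c` file and drop it here. If the dependency is intentional, a one-line comment on the include saying which declaration needs it would stop the next reader from reverting it.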
@ -23,9 +23,9 @@ auxiliary-submitters:
|
|||||||
- Zhenfei Zhang
|
- Zhenfei Zhang
|
||||||
implementations:
|
implementations:
|
||||||
- name: clean
|
- name: clean
|
||||||
version: https://github.com/jschanck/ntru/tree/ff3c84e1 reference implementation
|
version: https://github.com/jschanck/ntru/tree/b4b08d67 reference implementation
|
||||||
- name: avx2
|
- name: avx2
|
||||||
version: https://github.com/jschanck/ntru/tree/ff3c84e1 avx2 implementation
|
version: https://github.com/jschanck/ntru/tree/b4b08d67 avx2 implementation
|
||||||
supported_platforms:
|
supported_platforms:
|
||||||
- architecture: x86_64
|
- architecture: x86_64
|
||||||
operating_systems:
|
operating_systems:
|
||||||
|
@ -42,12 +42,7 @@ int PQCLEAN_NTRUHRSS701_AVX2_crypto_kem_dec(uint8_t *k, const uint8_t *c, const
|
|||||||
uint8_t rm[NTRU_OWCPA_MSGBYTES];
|
uint8_t rm[NTRU_OWCPA_MSGBYTES];
|
||||||
uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES];
|
uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES];
|
||||||
|
|
||||||
fail = 0;
|
fail = PQCLEAN_NTRUHRSS701_AVX2_owcpa_dec(rm, c, sk);
|
||||||
|
|
||||||
/* Check that unused bits of last byte of ciphertext are zero */
|
|
||||||
fail |= c[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));
|
|
||||||
|
|
||||||
fail |= PQCLEAN_NTRUHRSS701_AVX2_owcpa_dec(rm, c, sk);
|
|
||||||
/* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */
|
/* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */
|
||||||
/* See comment in PQCLEAN_NTRUHRSS701_AVX2_owcpa_dec for details. */
|
/* See comment in PQCLEAN_NTRUHRSS701_AVX2_owcpa_dec for details. */
|
||||||
|
|
||||||
|
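Review bot: `fail` is now taken solely from `PQCLEAN_NTRUHRSS701_AVX2_owcpa_dec`, and since that function (in the `@ -106,11 +106,15 @@` hunk below) ORs a masked ciphertext byte into its accumulator, the returned value is no longer confined to 0/1 — a ciphertext with a stray bit in the unused part of its last byte yields a value such as 0x10 or 0xf0. The consumer of `fail` lies after this hunk; if it is passed to a byte-wise conditional move that forms its mask by negating the flag, a non-boolean value would select only some bits of the shared key instead of the whole implicit-rejection key. Normalize it once, in constant time, before it is used: `fail = (int) (1 & ((~(uint32_t) fail + 1) >> 31));`. The same applies to the CLEAN variant in the `@ -42,12 +42,7 @@ int PQCLEAN_NTRUHRSS701_CLEAN_crypto_kem_dec` hunk; the body of `crypto_kem_dec` continues outside the hunk in both.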
@ -106,11 +106,15 @@ int PQCLEAN_NTRUHRSS701_AVX2_owcpa_dec(unsigned char *rm,
|
|||||||
PQCLEAN_NTRUHRSS701_AVX2_poly_S3_mul(m, mf, finv3);
|
PQCLEAN_NTRUHRSS701_AVX2_poly_S3_mul(m, mf, finv3);
|
||||||
PQCLEAN_NTRUHRSS701_AVX2_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m);
|
PQCLEAN_NTRUHRSS701_AVX2_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m);
|
||||||
|
|
||||||
/* NOTE: For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
|
fail = 0;
|
||||||
|
|
||||||
|
/* Check that unused bits of last byte of ciphertext are zero */
|
||||||
|
fail |= ciphertext[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));
|
||||||
|
|
||||||
|
/* For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
|
||||||
/* We can avoid re-computing r*h + Lift(m) as long as we check that */
|
/* We can avoid re-computing r*h + Lift(m) as long as we check that */
|
||||||
/* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */
|
/* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */
|
||||||
/* (m can take any value in S3 in NTRU_HRSS) */
|
/* (m can take any value in S3 in NTRU_HRSS) */
|
||||||
fail = 0;
|
|
||||||
|
|
||||||
/* b = c - Lift(m) mod (q, x^n - 1) */
|
/* b = c - Lift(m) mod (q, x^n - 1) */
|
||||||
PQCLEAN_NTRUHRSS701_AVX2_poly_lift(liftm, m);
|
PQCLEAN_NTRUHRSS701_AVX2_poly_lift(liftm, m);
|
||||||
|
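Review bot: The relocated comment `/* Check that unused bits of last byte of ciphertext are zero */` says what is tested but not why it is now part of the one-way function's own acceptance check, which matters because the surrounding comments justify skipping re-encryption only by checking that r and m are in the message space. Suggest extending it: `/* Decryption does not re-encrypt, so the byte encoding of c must itself be canonical: stray bits above NTRU_LOGQ*NTRU_PACK_DEG would otherwise let two distinct ciphertexts decrypt to the same (r,m) and be accepted. */`. The result is accumulated into `fail` rather than branched on, which keeps the rejection path constant-time; worth stating in the same comment so a future refactor does not turn it into an early return. The CLEAN copy in the second `@ -106,11 +106,15 @@` hunk has the same comment; `owcpa_dec` continues past the hunk in both.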
@ -4,6 +4,7 @@
|
|||||||
#include "params.h"
|
#include "params.h"
|
||||||
#include "poly.h"
|
#include "poly.h"
|
||||||
|
|
||||||
|
|
||||||
void PQCLEAN_NTRUHRSS701_AVX2_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]);
|
void PQCLEAN_NTRUHRSS701_AVX2_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]);
|
||||||
void PQCLEAN_NTRUHRSS701_AVX2_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]);
|
void PQCLEAN_NTRUHRSS701_AVX2_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]);
|
||||||
|
|
||||||
|
@ -42,12 +42,7 @@ int PQCLEAN_NTRUHRSS701_CLEAN_crypto_kem_dec(uint8_t *k, const uint8_t *c, const
|
|||||||
uint8_t rm[NTRU_OWCPA_MSGBYTES];
|
uint8_t rm[NTRU_OWCPA_MSGBYTES];
|
||||||
uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES];
|
uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES];
|
||||||
|
|
||||||
fail = 0;
|
fail = PQCLEAN_NTRUHRSS701_CLEAN_owcpa_dec(rm, c, sk);
|
||||||
|
|
||||||
/* Check that unused bits of last byte of ciphertext are zero */
|
|
||||||
fail |= c[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));
|
|
||||||
|
|
||||||
fail |= PQCLEAN_NTRUHRSS701_CLEAN_owcpa_dec(rm, c, sk);
|
|
||||||
/* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */
|
/* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */
|
||||||
/* See comment in PQCLEAN_NTRUHRSS701_CLEAN_owcpa_dec for details. */
|
/* See comment in PQCLEAN_NTRUHRSS701_CLEAN_owcpa_dec for details. */
|
||||||
|
|
||||||
|
@ -106,11 +106,15 @@ int PQCLEAN_NTRUHRSS701_CLEAN_owcpa_dec(unsigned char *rm,
|
|||||||
PQCLEAN_NTRUHRSS701_CLEAN_poly_S3_mul(m, mf, finv3);
|
PQCLEAN_NTRUHRSS701_CLEAN_poly_S3_mul(m, mf, finv3);
|
||||||
PQCLEAN_NTRUHRSS701_CLEAN_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m);
|
PQCLEAN_NTRUHRSS701_CLEAN_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m);
|
||||||
|
|
||||||
/* NOTE: For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
|
fail = 0;
|
||||||
|
|
||||||
|
/* Check that unused bits of last byte of ciphertext are zero */
|
||||||
|
fail |= ciphertext[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));
|
||||||
|
|
||||||
|
/* For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
|
||||||
/* We can avoid re-computing r*h + Lift(m) as long as we check that */
|
/* We can avoid re-computing r*h + Lift(m) as long as we check that */
|
||||||
/* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */
|
/* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */
|
||||||
/* (m can take any value in S3 in NTRU_HRSS) */
|
/* (m can take any value in S3 in NTRU_HRSS) */
|
||||||
fail = 0;
|
|
||||||
|
|
||||||
/* b = c - Lift(m) mod (q, x^n - 1) */
|
/* b = c - Lift(m) mod (q, x^n - 1) */
|
||||||
PQCLEAN_NTRUHRSS701_CLEAN_poly_lift(liftm, m);
|
PQCLEAN_NTRUHRSS701_CLEAN_poly_lift(liftm, m);
|
||||||
|
@ -3,14 +3,14 @@
|
|||||||
#include "poly.h"
|
#include "poly.h"
|
||||||
|
|
||||||
/* return -1 if x<0 and y<0; otherwise return 0 */
|
/* return -1 if x<0 and y<0; otherwise return 0 */
|
||||||
static inline int both_negative_mask(int x, int y) {
|
static inline int16_t both_negative_mask(int16_t x, int16_t y) {
|
||||||
return (x & y) >> 15;
|
return (x & y) >> 15;
|
||||||
}
|
}
|
||||||
|
|
||||||
void PQCLEAN_NTRUHRSS701_CLEAN_poly_R2_inv(poly *r, const poly *a) {
|
void PQCLEAN_NTRUHRSS701_CLEAN_poly_R2_inv(poly *r, const poly *a) {
|
||||||
poly f, g, v, w;
|
poly f, g, v, w;
|
||||||
int i, loop, delta;
|
int16_t i, loop, delta;
|
||||||
int sign, swap, t;
|
int16_t sign, swap, t;
|
||||||
|
|
||||||
for (i = 0; i < NTRU_N; ++i) {
|
for (i = 0; i < NTRU_N; ++i) {
|
||||||
v.coeffs[i] = 0;
|
v.coeffs[i] = 0;
|
||||||
@ -37,7 +37,7 @@ void PQCLEAN_NTRUHRSS701_CLEAN_poly_R2_inv(poly *r, const poly *a) {
|
|||||||
v.coeffs[0] = 0;
|
v.coeffs[0] = 0;
|
||||||
|
|
||||||
sign = g.coeffs[0] & f.coeffs[0];
|
sign = g.coeffs[0] & f.coeffs[0];
|
||||||
swap = both_negative_mask(-delta, -(int) g.coeffs[0]);
|
swap = both_negative_mask(-delta, -(int16_t) g.coeffs[0]);
|
||||||
delta ^= swap & (delta ^ -delta);
|
delta ^= swap & (delta ^ -delta);
|
||||||
delta += 1;
|
delta += 1;
|
||||||
|
|
||||||
|
@ -11,14 +11,14 @@ static inline uint8_t mod3(uint8_t a) { /* a between 0 and 9 */
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* return -1 if x<0 and y<0; otherwise return 0 */
|
/* return -1 if x<0 and y<0; otherwise return 0 */
|
||||||
static inline int both_negative_mask(int x, int y) {
|
static inline int16_t both_negative_mask(int16_t x, int16_t y) {
|
||||||
return (x & y) >> 15;
|
return (x & y) >> 15;
|
||||||
}
|
}
|
||||||
|
|
||||||
void PQCLEAN_NTRUHRSS701_CLEAN_poly_S3_inv(poly *r, const poly *a) {
|
void PQCLEAN_NTRUHRSS701_CLEAN_poly_S3_inv(poly *r, const poly *a) {
|
||||||
poly f, g, v, w;
|
poly f, g, v, w;
|
||||||
int i, loop, delta;
|
int16_t i, loop, delta;
|
||||||
int sign, swap, t;
|
int16_t sign, swap, t;
|
||||||
|
|
||||||
for (i = 0; i < NTRU_N; ++i) {
|
for (i = 0; i < NTRU_N; ++i) {
|
||||||
v.coeffs[i] = 0;
|
v.coeffs[i] = 0;
|
||||||
@ -45,7 +45,7 @@ void PQCLEAN_NTRUHRSS701_CLEAN_poly_S3_inv(poly *r, const poly *a) {
|
|||||||
v.coeffs[0] = 0;
|
v.coeffs[0] = 0;
|
||||||
|
|
||||||
sign = mod3((uint8_t) (2 * g.coeffs[0] * f.coeffs[0]));
|
sign = mod3((uint8_t) (2 * g.coeffs[0] * f.coeffs[0]));
|
||||||
swap = both_negative_mask(-delta, -(int) g.coeffs[0]);
|
swap = both_negative_mask(-delta, -(int16_t) g.coeffs[0]);
|
||||||
delta ^= swap & (delta ^ -delta);
|
delta ^= swap & (delta ^ -delta);
|
||||||
delta += 1;
|
delta += 1;
|
||||||
|
|
||||||
|
@ -4,6 +4,7 @@
|
|||||||
#include "params.h"
|
#include "params.h"
|
||||||
#include "poly.h"
|
#include "poly.h"
|
||||||
|
|
||||||
|
|
||||||
void PQCLEAN_NTRUHRSS701_CLEAN_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]);
|
void PQCLEAN_NTRUHRSS701_CLEAN_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]);
|
||||||
void PQCLEAN_NTRUHRSS701_CLEAN_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]);
|
void PQCLEAN_NTRUHRSS701_CLEAN_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]);
|
||||||
|
|
||||||
|