1
1
mirror of https://github.com/henrydcase/pqc.git synced 2024-11-22 23:48:58 +00:00

ntru: packaging script update. resolves #331

This commit is contained in:
John M. Schanck 2020-10-05 14:09:11 -04:00 committed by Kris Kwiatkowski
parent be7f11975d
commit 4267e51253
48 changed files with 122 additions and 119 deletions

View File

@ -23,9 +23,9 @@ auxiliary-submitters:
- Zhenfei Zhang - Zhenfei Zhang
implementations: implementations:
- name: clean - name: clean
version: https://github.com/jschanck/ntru/tree/ff3c84e1 reference implementation version: https://github.com/jschanck/ntru/tree/b4b08d67 reference implementation
- name: avx2 - name: avx2
version: https://github.com/jschanck/ntru/tree/ff3c84e1 avx2 implementation version: https://github.com/jschanck/ntru/tree/b4b08d67 avx2 implementation
supported_platforms: supported_platforms:
- architecture: x86_64 - architecture: x86_64
operating_systems: operating_systems:

View File

@ -1,8 +1,8 @@
#include "crypto_sort_int32.h"
#include <immintrin.h>
// Based on supercop-20200820/crypto_sort/int32/avx2 // Based on supercop-20200820/crypto_sort/int32/avx2
#include "crypto_sort_int32.h"
#include <immintrin.h>
#define int32 int32_t #define int32 int32_t
typedef __m256i int32x8; typedef __m256i int32x8;

View File

@ -1,10 +1,11 @@
#ifndef CRYPTO_SORT #ifndef CRYPTO_SORT
#define CRYPTO_SORT #define CRYPTO_SORT
#include "params.h" #include "params.h"
#include <stddef.h> #include <stddef.h>
#include <stdint.h> #include <stdint.h>
void PQCLEAN_NTRUHPS2048509_AVX2_crypto_sort_int32(int32_t *x, size_t n); void PQCLEAN_NTRUHPS2048509_AVX2_crypto_sort_int32(int32_t *x, size_t n);
#endif #endif

View File

@ -42,12 +42,7 @@ int PQCLEAN_NTRUHPS2048509_AVX2_crypto_kem_dec(uint8_t *k, const uint8_t *c, con
uint8_t rm[NTRU_OWCPA_MSGBYTES]; uint8_t rm[NTRU_OWCPA_MSGBYTES];
uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES]; uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES];
fail = 0; fail = PQCLEAN_NTRUHPS2048509_AVX2_owcpa_dec(rm, c, sk);
/* Check that unused bits of last byte of ciphertext are zero */
fail |= c[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));
fail |= PQCLEAN_NTRUHPS2048509_AVX2_owcpa_dec(rm, c, sk);
/* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */ /* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */
/* See comment in PQCLEAN_NTRUHPS2048509_AVX2_owcpa_dec for details. */ /* See comment in PQCLEAN_NTRUHPS2048509_AVX2_owcpa_dec for details. */

View File

@ -123,11 +123,15 @@ int PQCLEAN_NTRUHPS2048509_AVX2_owcpa_dec(unsigned char *rm,
PQCLEAN_NTRUHPS2048509_AVX2_poly_S3_mul(m, mf, finv3); PQCLEAN_NTRUHPS2048509_AVX2_poly_S3_mul(m, mf, finv3);
PQCLEAN_NTRUHPS2048509_AVX2_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m); PQCLEAN_NTRUHPS2048509_AVX2_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m);
/* NOTE: For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */ fail = 0;
/* Check that unused bits of last byte of ciphertext are zero */
fail |= ciphertext[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));
/* For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
/* We can avoid re-computing r*h + Lift(m) as long as we check that */ /* We can avoid re-computing r*h + Lift(m) as long as we check that */
/* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */ /* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */
/* (m can take any value in S3 in NTRU_HRSS) */ /* (m can take any value in S3 in NTRU_HRSS) */
fail = 0;
fail |= owcpa_check_m(m); fail |= owcpa_check_m(m);
/* b = c - Lift(m) mod (q, x^n - 1) */ /* b = c - Lift(m) mod (q, x^n - 1) */

View File

@ -1,4 +1,3 @@
#include "crypto_sort_int32.h"
#include "sample.h" #include "sample.h"
void PQCLEAN_NTRUHPS2048509_AVX2_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]) { void PQCLEAN_NTRUHPS2048509_AVX2_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]) {

View File

@ -4,6 +4,8 @@
#include "params.h" #include "params.h"
#include "poly.h" #include "poly.h"
#include "crypto_sort_int32.h"
void PQCLEAN_NTRUHPS2048509_AVX2_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]); void PQCLEAN_NTRUHPS2048509_AVX2_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]);
void PQCLEAN_NTRUHPS2048509_AVX2_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]); void PQCLEAN_NTRUHPS2048509_AVX2_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]);

View File

@ -42,12 +42,7 @@ int PQCLEAN_NTRUHPS2048509_CLEAN_crypto_kem_dec(uint8_t *k, const uint8_t *c, co
uint8_t rm[NTRU_OWCPA_MSGBYTES]; uint8_t rm[NTRU_OWCPA_MSGBYTES];
uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES]; uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES];
fail = 0; fail = PQCLEAN_NTRUHPS2048509_CLEAN_owcpa_dec(rm, c, sk);
/* Check that unused bits of last byte of ciphertext are zero */
fail |= c[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));
fail |= PQCLEAN_NTRUHPS2048509_CLEAN_owcpa_dec(rm, c, sk);
/* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */ /* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */
/* See comment in PQCLEAN_NTRUHPS2048509_CLEAN_owcpa_dec for details. */ /* See comment in PQCLEAN_NTRUHPS2048509_CLEAN_owcpa_dec for details. */

View File

@ -123,11 +123,15 @@ int PQCLEAN_NTRUHPS2048509_CLEAN_owcpa_dec(unsigned char *rm,
PQCLEAN_NTRUHPS2048509_CLEAN_poly_S3_mul(m, mf, finv3); PQCLEAN_NTRUHPS2048509_CLEAN_poly_S3_mul(m, mf, finv3);
PQCLEAN_NTRUHPS2048509_CLEAN_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m); PQCLEAN_NTRUHPS2048509_CLEAN_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m);
/* NOTE: For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */ fail = 0;
/* Check that unused bits of last byte of ciphertext are zero */
fail |= ciphertext[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));
/* For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
/* We can avoid re-computing r*h + Lift(m) as long as we check that */ /* We can avoid re-computing r*h + Lift(m) as long as we check that */
/* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */ /* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */
/* (m can take any value in S3 in NTRU_HRSS) */ /* (m can take any value in S3 in NTRU_HRSS) */
fail = 0;
fail |= owcpa_check_m(m); fail |= owcpa_check_m(m);
/* b = c - Lift(m) mod (q, x^n - 1) */ /* b = c - Lift(m) mod (q, x^n - 1) */

View File

@ -3,14 +3,14 @@
#include "poly.h" #include "poly.h"
/* return -1 if x<0 and y<0; otherwise return 0 */ /* return -1 if x<0 and y<0; otherwise return 0 */
static inline int both_negative_mask(int x, int y) { static inline int16_t both_negative_mask(int16_t x, int16_t y) {
return (x & y) >> 15; return (x & y) >> 15;
} }
void PQCLEAN_NTRUHPS2048509_CLEAN_poly_R2_inv(poly *r, const poly *a) { void PQCLEAN_NTRUHPS2048509_CLEAN_poly_R2_inv(poly *r, const poly *a) {
poly f, g, v, w; poly f, g, v, w;
int i, loop, delta; int16_t i, loop, delta;
int sign, swap, t; int16_t sign, swap, t;
for (i = 0; i < NTRU_N; ++i) { for (i = 0; i < NTRU_N; ++i) {
v.coeffs[i] = 0; v.coeffs[i] = 0;
@ -37,7 +37,7 @@ void PQCLEAN_NTRUHPS2048509_CLEAN_poly_R2_inv(poly *r, const poly *a) {
v.coeffs[0] = 0; v.coeffs[0] = 0;
sign = g.coeffs[0] & f.coeffs[0]; sign = g.coeffs[0] & f.coeffs[0];
swap = both_negative_mask(-delta, -(int) g.coeffs[0]); swap = both_negative_mask(-delta, -(int16_t) g.coeffs[0]);
delta ^= swap & (delta ^ -delta); delta ^= swap & (delta ^ -delta);
delta += 1; delta += 1;

View File

@ -11,14 +11,14 @@ static inline uint8_t mod3(uint8_t a) { /* a between 0 and 9 */
} }
/* return -1 if x<0 and y<0; otherwise return 0 */ /* return -1 if x<0 and y<0; otherwise return 0 */
static inline int both_negative_mask(int x, int y) { static inline int16_t both_negative_mask(int16_t x, int16_t y) {
return (x & y) >> 15; return (x & y) >> 15;
} }
void PQCLEAN_NTRUHPS2048509_CLEAN_poly_S3_inv(poly *r, const poly *a) { void PQCLEAN_NTRUHPS2048509_CLEAN_poly_S3_inv(poly *r, const poly *a) {
poly f, g, v, w; poly f, g, v, w;
int i, loop, delta; int16_t i, loop, delta;
int sign, swap, t; int16_t sign, swap, t;
for (i = 0; i < NTRU_N; ++i) { for (i = 0; i < NTRU_N; ++i) {
v.coeffs[i] = 0; v.coeffs[i] = 0;
@ -45,7 +45,7 @@ void PQCLEAN_NTRUHPS2048509_CLEAN_poly_S3_inv(poly *r, const poly *a) {
v.coeffs[0] = 0; v.coeffs[0] = 0;
sign = mod3((uint8_t) (2 * g.coeffs[0] * f.coeffs[0])); sign = mod3((uint8_t) (2 * g.coeffs[0] * f.coeffs[0]));
swap = both_negative_mask(-delta, -(int) g.coeffs[0]); swap = both_negative_mask(-delta, -(int16_t) g.coeffs[0]);
delta ^= swap & (delta ^ -delta); delta ^= swap & (delta ^ -delta);
delta += 1; delta += 1;

View File

@ -1,4 +1,3 @@
#include "crypto_sort_int32.h"
#include "sample.h" #include "sample.h"
void PQCLEAN_NTRUHPS2048509_CLEAN_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]) { void PQCLEAN_NTRUHPS2048509_CLEAN_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]) {

View File

@ -4,6 +4,8 @@
#include "params.h" #include "params.h"
#include "poly.h" #include "poly.h"
#include "crypto_sort_int32.h"
void PQCLEAN_NTRUHPS2048509_CLEAN_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]); void PQCLEAN_NTRUHPS2048509_CLEAN_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]);
void PQCLEAN_NTRUHPS2048509_CLEAN_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]); void PQCLEAN_NTRUHPS2048509_CLEAN_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]);

View File

@ -23,9 +23,9 @@ auxiliary-submitters:
- Zhenfei Zhang - Zhenfei Zhang
implementations: implementations:
- name: clean - name: clean
version: https://github.com/jschanck/ntru/tree/ff3c84e1 reference implementation version: https://github.com/jschanck/ntru/tree/b4b08d67 reference implementation
- name: avx2 - name: avx2
version: https://github.com/jschanck/ntru/tree/ff3c84e1 avx2 implementation version: https://github.com/jschanck/ntru/tree/b4b08d67 avx2 implementation
supported_platforms: supported_platforms:
- architecture: x86_64 - architecture: x86_64
operating_systems: operating_systems:

View File

@ -1,8 +1,8 @@
#include "crypto_sort_int32.h"
#include <immintrin.h>
// Based on supercop-20200820/crypto_sort/int32/avx2 // Based on supercop-20200820/crypto_sort/int32/avx2
#include "crypto_sort_int32.h"
#include <immintrin.h>
#define int32 int32_t #define int32 int32_t
typedef __m256i int32x8; typedef __m256i int32x8;

View File

@ -1,10 +1,11 @@
#ifndef CRYPTO_SORT #ifndef CRYPTO_SORT
#define CRYPTO_SORT #define CRYPTO_SORT
#include "params.h" #include "params.h"
#include <stddef.h> #include <stddef.h>
#include <stdint.h> #include <stdint.h>
void PQCLEAN_NTRUHPS2048677_AVX2_crypto_sort_int32(int32_t *x, size_t n); void PQCLEAN_NTRUHPS2048677_AVX2_crypto_sort_int32(int32_t *x, size_t n);
#endif #endif

View File

@ -42,12 +42,7 @@ int PQCLEAN_NTRUHPS2048677_AVX2_crypto_kem_dec(uint8_t *k, const uint8_t *c, con
uint8_t rm[NTRU_OWCPA_MSGBYTES]; uint8_t rm[NTRU_OWCPA_MSGBYTES];
uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES]; uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES];
fail = 0; fail = PQCLEAN_NTRUHPS2048677_AVX2_owcpa_dec(rm, c, sk);
/* Check that unused bits of last byte of ciphertext are zero */
fail |= c[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));
fail |= PQCLEAN_NTRUHPS2048677_AVX2_owcpa_dec(rm, c, sk);
/* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */ /* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */
/* See comment in PQCLEAN_NTRUHPS2048677_AVX2_owcpa_dec for details. */ /* See comment in PQCLEAN_NTRUHPS2048677_AVX2_owcpa_dec for details. */

View File

@ -123,11 +123,15 @@ int PQCLEAN_NTRUHPS2048677_AVX2_owcpa_dec(unsigned char *rm,
PQCLEAN_NTRUHPS2048677_AVX2_poly_S3_mul(m, mf, finv3); PQCLEAN_NTRUHPS2048677_AVX2_poly_S3_mul(m, mf, finv3);
PQCLEAN_NTRUHPS2048677_AVX2_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m); PQCLEAN_NTRUHPS2048677_AVX2_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m);
/* NOTE: For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */ fail = 0;
/* Check that unused bits of last byte of ciphertext are zero */
fail |= ciphertext[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));
/* For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
/* We can avoid re-computing r*h + Lift(m) as long as we check that */ /* We can avoid re-computing r*h + Lift(m) as long as we check that */
/* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */ /* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */
/* (m can take any value in S3 in NTRU_HRSS) */ /* (m can take any value in S3 in NTRU_HRSS) */
fail = 0;
fail |= owcpa_check_m(m); fail |= owcpa_check_m(m);
/* b = c - Lift(m) mod (q, x^n - 1) */ /* b = c - Lift(m) mod (q, x^n - 1) */

View File

@ -1,4 +1,3 @@
#include "crypto_sort_int32.h"
#include "sample.h" #include "sample.h"
void PQCLEAN_NTRUHPS2048677_AVX2_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]) { void PQCLEAN_NTRUHPS2048677_AVX2_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]) {

View File

@ -4,6 +4,8 @@
#include "params.h" #include "params.h"
#include "poly.h" #include "poly.h"
#include "crypto_sort_int32.h"
void PQCLEAN_NTRUHPS2048677_AVX2_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]); void PQCLEAN_NTRUHPS2048677_AVX2_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]);
void PQCLEAN_NTRUHPS2048677_AVX2_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]); void PQCLEAN_NTRUHPS2048677_AVX2_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]);

View File

@ -42,12 +42,7 @@ int PQCLEAN_NTRUHPS2048677_CLEAN_crypto_kem_dec(uint8_t *k, const uint8_t *c, co
uint8_t rm[NTRU_OWCPA_MSGBYTES]; uint8_t rm[NTRU_OWCPA_MSGBYTES];
uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES]; uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES];
fail = 0; fail = PQCLEAN_NTRUHPS2048677_CLEAN_owcpa_dec(rm, c, sk);
/* Check that unused bits of last byte of ciphertext are zero */
fail |= c[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));
fail |= PQCLEAN_NTRUHPS2048677_CLEAN_owcpa_dec(rm, c, sk);
/* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */ /* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */
/* See comment in PQCLEAN_NTRUHPS2048677_CLEAN_owcpa_dec for details. */ /* See comment in PQCLEAN_NTRUHPS2048677_CLEAN_owcpa_dec for details. */

View File

@ -123,11 +123,15 @@ int PQCLEAN_NTRUHPS2048677_CLEAN_owcpa_dec(unsigned char *rm,
PQCLEAN_NTRUHPS2048677_CLEAN_poly_S3_mul(m, mf, finv3); PQCLEAN_NTRUHPS2048677_CLEAN_poly_S3_mul(m, mf, finv3);
PQCLEAN_NTRUHPS2048677_CLEAN_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m); PQCLEAN_NTRUHPS2048677_CLEAN_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m);
/* NOTE: For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */ fail = 0;
/* Check that unused bits of last byte of ciphertext are zero */
fail |= ciphertext[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));
/* For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
/* We can avoid re-computing r*h + Lift(m) as long as we check that */ /* We can avoid re-computing r*h + Lift(m) as long as we check that */
/* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */ /* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */
/* (m can take any value in S3 in NTRU_HRSS) */ /* (m can take any value in S3 in NTRU_HRSS) */
fail = 0;
fail |= owcpa_check_m(m); fail |= owcpa_check_m(m);
/* b = c - Lift(m) mod (q, x^n - 1) */ /* b = c - Lift(m) mod (q, x^n - 1) */

View File

@ -3,14 +3,14 @@
#include "poly.h" #include "poly.h"
/* return -1 if x<0 and y<0; otherwise return 0 */ /* return -1 if x<0 and y<0; otherwise return 0 */
static inline int both_negative_mask(int x, int y) { static inline int16_t both_negative_mask(int16_t x, int16_t y) {
return (x & y) >> 15; return (x & y) >> 15;
} }
void PQCLEAN_NTRUHPS2048677_CLEAN_poly_R2_inv(poly *r, const poly *a) { void PQCLEAN_NTRUHPS2048677_CLEAN_poly_R2_inv(poly *r, const poly *a) {
poly f, g, v, w; poly f, g, v, w;
int i, loop, delta; int16_t i, loop, delta;
int sign, swap, t; int16_t sign, swap, t;
for (i = 0; i < NTRU_N; ++i) { for (i = 0; i < NTRU_N; ++i) {
v.coeffs[i] = 0; v.coeffs[i] = 0;
@ -37,7 +37,7 @@ void PQCLEAN_NTRUHPS2048677_CLEAN_poly_R2_inv(poly *r, const poly *a) {
v.coeffs[0] = 0; v.coeffs[0] = 0;
sign = g.coeffs[0] & f.coeffs[0]; sign = g.coeffs[0] & f.coeffs[0];
swap = both_negative_mask(-delta, -(int) g.coeffs[0]); swap = both_negative_mask(-delta, -(int16_t) g.coeffs[0]);
delta ^= swap & (delta ^ -delta); delta ^= swap & (delta ^ -delta);
delta += 1; delta += 1;

View File

@ -11,14 +11,14 @@ static inline uint8_t mod3(uint8_t a) { /* a between 0 and 9 */
} }
/* return -1 if x<0 and y<0; otherwise return 0 */ /* return -1 if x<0 and y<0; otherwise return 0 */
static inline int both_negative_mask(int x, int y) { static inline int16_t both_negative_mask(int16_t x, int16_t y) {
return (x & y) >> 15; return (x & y) >> 15;
} }
void PQCLEAN_NTRUHPS2048677_CLEAN_poly_S3_inv(poly *r, const poly *a) { void PQCLEAN_NTRUHPS2048677_CLEAN_poly_S3_inv(poly *r, const poly *a) {
poly f, g, v, w; poly f, g, v, w;
int i, loop, delta; int16_t i, loop, delta;
int sign, swap, t; int16_t sign, swap, t;
for (i = 0; i < NTRU_N; ++i) { for (i = 0; i < NTRU_N; ++i) {
v.coeffs[i] = 0; v.coeffs[i] = 0;
@ -45,7 +45,7 @@ void PQCLEAN_NTRUHPS2048677_CLEAN_poly_S3_inv(poly *r, const poly *a) {
v.coeffs[0] = 0; v.coeffs[0] = 0;
sign = mod3((uint8_t) (2 * g.coeffs[0] * f.coeffs[0])); sign = mod3((uint8_t) (2 * g.coeffs[0] * f.coeffs[0]));
swap = both_negative_mask(-delta, -(int) g.coeffs[0]); swap = both_negative_mask(-delta, -(int16_t) g.coeffs[0]);
delta ^= swap & (delta ^ -delta); delta ^= swap & (delta ^ -delta);
delta += 1; delta += 1;

View File

@ -1,4 +1,3 @@
#include "crypto_sort_int32.h"
#include "sample.h" #include "sample.h"
void PQCLEAN_NTRUHPS2048677_CLEAN_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]) { void PQCLEAN_NTRUHPS2048677_CLEAN_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]) {

View File

@ -4,6 +4,8 @@
#include "params.h" #include "params.h"
#include "poly.h" #include "poly.h"
#include "crypto_sort_int32.h"
void PQCLEAN_NTRUHPS2048677_CLEAN_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]); void PQCLEAN_NTRUHPS2048677_CLEAN_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]);
void PQCLEAN_NTRUHPS2048677_CLEAN_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]); void PQCLEAN_NTRUHPS2048677_CLEAN_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]);

View File

@ -23,9 +23,9 @@ auxiliary-submitters:
- Zhenfei Zhang - Zhenfei Zhang
implementations: implementations:
- name: clean - name: clean
version: https://github.com/jschanck/ntru/tree/ff3c84e1 reference implementation version: https://github.com/jschanck/ntru/tree/b4b08d67 reference implementation
- name: avx2 - name: avx2
version: https://github.com/jschanck/ntru/tree/ff3c84e1 avx2 implementation version: https://github.com/jschanck/ntru/tree/b4b08d67 avx2 implementation
supported_platforms: supported_platforms:
- architecture: x86_64 - architecture: x86_64
operating_systems: operating_systems:

View File

@ -1,8 +1,8 @@
#include "crypto_sort_int32.h"
#include <immintrin.h>
// Based on supercop-20200820/crypto_sort/int32/avx2 // Based on supercop-20200820/crypto_sort/int32/avx2
#include "crypto_sort_int32.h"
#include <immintrin.h>
#define int32 int32_t #define int32 int32_t
typedef __m256i int32x8; typedef __m256i int32x8;

View File

@ -1,10 +1,11 @@
#ifndef CRYPTO_SORT #ifndef CRYPTO_SORT
#define CRYPTO_SORT #define CRYPTO_SORT
#include "params.h" #include "params.h"
#include <stddef.h> #include <stddef.h>
#include <stdint.h> #include <stdint.h>
void PQCLEAN_NTRUHPS4096821_AVX2_crypto_sort_int32(int32_t *x, size_t n); void PQCLEAN_NTRUHPS4096821_AVX2_crypto_sort_int32(int32_t *x, size_t n);
#endif #endif

View File

@ -42,12 +42,7 @@ int PQCLEAN_NTRUHPS4096821_AVX2_crypto_kem_dec(uint8_t *k, const uint8_t *c, con
uint8_t rm[NTRU_OWCPA_MSGBYTES]; uint8_t rm[NTRU_OWCPA_MSGBYTES];
uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES]; uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES];
fail = 0; fail = PQCLEAN_NTRUHPS4096821_AVX2_owcpa_dec(rm, c, sk);
/* Check that unused bits of last byte of ciphertext are zero */
fail |= c[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));
fail |= PQCLEAN_NTRUHPS4096821_AVX2_owcpa_dec(rm, c, sk);
/* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */ /* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */
/* See comment in PQCLEAN_NTRUHPS4096821_AVX2_owcpa_dec for details. */ /* See comment in PQCLEAN_NTRUHPS4096821_AVX2_owcpa_dec for details. */

View File

@ -123,11 +123,15 @@ int PQCLEAN_NTRUHPS4096821_AVX2_owcpa_dec(unsigned char *rm,
PQCLEAN_NTRUHPS4096821_AVX2_poly_S3_mul(m, mf, finv3); PQCLEAN_NTRUHPS4096821_AVX2_poly_S3_mul(m, mf, finv3);
PQCLEAN_NTRUHPS4096821_AVX2_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m); PQCLEAN_NTRUHPS4096821_AVX2_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m);
/* NOTE: For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */ fail = 0;
/* Check that unused bits of last byte of ciphertext are zero */
fail |= ciphertext[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));
/* For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
/* We can avoid re-computing r*h + Lift(m) as long as we check that */ /* We can avoid re-computing r*h + Lift(m) as long as we check that */
/* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */ /* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */
/* (m can take any value in S3 in NTRU_HRSS) */ /* (m can take any value in S3 in NTRU_HRSS) */
fail = 0;
fail |= owcpa_check_m(m); fail |= owcpa_check_m(m);
/* b = c - Lift(m) mod (q, x^n - 1) */ /* b = c - Lift(m) mod (q, x^n - 1) */

View File

@ -1,4 +1,3 @@
#include "crypto_sort_int32.h"
#include "sample.h" #include "sample.h"
void PQCLEAN_NTRUHPS4096821_AVX2_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]) { void PQCLEAN_NTRUHPS4096821_AVX2_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]) {

View File

@ -4,6 +4,8 @@
#include "params.h" #include "params.h"
#include "poly.h" #include "poly.h"
#include "crypto_sort_int32.h"
void PQCLEAN_NTRUHPS4096821_AVX2_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]); void PQCLEAN_NTRUHPS4096821_AVX2_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]);
void PQCLEAN_NTRUHPS4096821_AVX2_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]); void PQCLEAN_NTRUHPS4096821_AVX2_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]);

View File

@ -42,12 +42,7 @@ int PQCLEAN_NTRUHPS4096821_CLEAN_crypto_kem_dec(uint8_t *k, const uint8_t *c, co
uint8_t rm[NTRU_OWCPA_MSGBYTES]; uint8_t rm[NTRU_OWCPA_MSGBYTES];
uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES]; uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES];
fail = 0; fail = PQCLEAN_NTRUHPS4096821_CLEAN_owcpa_dec(rm, c, sk);
/* Check that unused bits of last byte of ciphertext are zero */
fail |= c[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));
fail |= PQCLEAN_NTRUHPS4096821_CLEAN_owcpa_dec(rm, c, sk);
/* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */ /* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */
/* See comment in PQCLEAN_NTRUHPS4096821_CLEAN_owcpa_dec for details. */ /* See comment in PQCLEAN_NTRUHPS4096821_CLEAN_owcpa_dec for details. */

View File

@ -123,11 +123,15 @@ int PQCLEAN_NTRUHPS4096821_CLEAN_owcpa_dec(unsigned char *rm,
PQCLEAN_NTRUHPS4096821_CLEAN_poly_S3_mul(m, mf, finv3); PQCLEAN_NTRUHPS4096821_CLEAN_poly_S3_mul(m, mf, finv3);
PQCLEAN_NTRUHPS4096821_CLEAN_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m); PQCLEAN_NTRUHPS4096821_CLEAN_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m);
/* NOTE: For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */ fail = 0;
/* Check that unused bits of last byte of ciphertext are zero */
fail |= ciphertext[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));
/* For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
/* We can avoid re-computing r*h + Lift(m) as long as we check that */ /* We can avoid re-computing r*h + Lift(m) as long as we check that */
/* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */ /* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */
/* (m can take any value in S3 in NTRU_HRSS) */ /* (m can take any value in S3 in NTRU_HRSS) */
fail = 0;
fail |= owcpa_check_m(m); fail |= owcpa_check_m(m);
/* b = c - Lift(m) mod (q, x^n - 1) */ /* b = c - Lift(m) mod (q, x^n - 1) */

View File

@ -3,14 +3,14 @@
#include "poly.h" #include "poly.h"
/* return -1 if x<0 and y<0; otherwise return 0 */ /* return -1 if x<0 and y<0; otherwise return 0 */
static inline int both_negative_mask(int x, int y) { static inline int16_t both_negative_mask(int16_t x, int16_t y) {
return (x & y) >> 15; return (x & y) >> 15;
} }
void PQCLEAN_NTRUHPS4096821_CLEAN_poly_R2_inv(poly *r, const poly *a) { void PQCLEAN_NTRUHPS4096821_CLEAN_poly_R2_inv(poly *r, const poly *a) {
poly f, g, v, w; poly f, g, v, w;
int i, loop, delta; int16_t i, loop, delta;
int sign, swap, t; int16_t sign, swap, t;
for (i = 0; i < NTRU_N; ++i) { for (i = 0; i < NTRU_N; ++i) {
v.coeffs[i] = 0; v.coeffs[i] = 0;
@ -37,7 +37,7 @@ void PQCLEAN_NTRUHPS4096821_CLEAN_poly_R2_inv(poly *r, const poly *a) {
v.coeffs[0] = 0; v.coeffs[0] = 0;
sign = g.coeffs[0] & f.coeffs[0]; sign = g.coeffs[0] & f.coeffs[0];
swap = both_negative_mask(-delta, -(int) g.coeffs[0]); swap = both_negative_mask(-delta, -(int16_t) g.coeffs[0]);
delta ^= swap & (delta ^ -delta); delta ^= swap & (delta ^ -delta);
delta += 1; delta += 1;

View File

@ -11,14 +11,14 @@ static inline uint8_t mod3(uint8_t a) { /* a between 0 and 9 */
} }
/* return -1 if x<0 and y<0; otherwise return 0 */ /* return -1 if x<0 and y<0; otherwise return 0 */
static inline int both_negative_mask(int x, int y) { static inline int16_t both_negative_mask(int16_t x, int16_t y) {
return (x & y) >> 15; return (x & y) >> 15;
} }
void PQCLEAN_NTRUHPS4096821_CLEAN_poly_S3_inv(poly *r, const poly *a) { void PQCLEAN_NTRUHPS4096821_CLEAN_poly_S3_inv(poly *r, const poly *a) {
poly f, g, v, w; poly f, g, v, w;
int i, loop, delta; int16_t i, loop, delta;
int sign, swap, t; int16_t sign, swap, t;
for (i = 0; i < NTRU_N; ++i) { for (i = 0; i < NTRU_N; ++i) {
v.coeffs[i] = 0; v.coeffs[i] = 0;
@ -45,7 +45,7 @@ void PQCLEAN_NTRUHPS4096821_CLEAN_poly_S3_inv(poly *r, const poly *a) {
v.coeffs[0] = 0; v.coeffs[0] = 0;
sign = mod3((uint8_t) (2 * g.coeffs[0] * f.coeffs[0])); sign = mod3((uint8_t) (2 * g.coeffs[0] * f.coeffs[0]));
swap = both_negative_mask(-delta, -(int) g.coeffs[0]); swap = both_negative_mask(-delta, -(int16_t) g.coeffs[0]);
delta ^= swap & (delta ^ -delta); delta ^= swap & (delta ^ -delta);
delta += 1; delta += 1;

View File

@ -1,4 +1,3 @@
#include "crypto_sort_int32.h"
#include "sample.h" #include "sample.h"
void PQCLEAN_NTRUHPS4096821_CLEAN_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]) { void PQCLEAN_NTRUHPS4096821_CLEAN_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]) {

View File

@ -4,6 +4,8 @@
#include "params.h" #include "params.h"
#include "poly.h" #include "poly.h"
#include "crypto_sort_int32.h"
void PQCLEAN_NTRUHPS4096821_CLEAN_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]); void PQCLEAN_NTRUHPS4096821_CLEAN_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]);
void PQCLEAN_NTRUHPS4096821_CLEAN_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]); void PQCLEAN_NTRUHPS4096821_CLEAN_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]);

View File

@ -23,9 +23,9 @@ auxiliary-submitters:
- Zhenfei Zhang - Zhenfei Zhang
implementations: implementations:
- name: clean - name: clean
version: https://github.com/jschanck/ntru/tree/ff3c84e1 reference implementation version: https://github.com/jschanck/ntru/tree/b4b08d67 reference implementation
- name: avx2 - name: avx2
version: https://github.com/jschanck/ntru/tree/ff3c84e1 avx2 implementation version: https://github.com/jschanck/ntru/tree/b4b08d67 avx2 implementation
supported_platforms: supported_platforms:
- architecture: x86_64 - architecture: x86_64
operating_systems: operating_systems:

View File

@ -42,12 +42,7 @@ int PQCLEAN_NTRUHRSS701_AVX2_crypto_kem_dec(uint8_t *k, const uint8_t *c, const
uint8_t rm[NTRU_OWCPA_MSGBYTES]; uint8_t rm[NTRU_OWCPA_MSGBYTES];
uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES]; uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES];
fail = 0; fail = PQCLEAN_NTRUHRSS701_AVX2_owcpa_dec(rm, c, sk);
/* Check that unused bits of last byte of ciphertext are zero */
fail |= c[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));
fail |= PQCLEAN_NTRUHRSS701_AVX2_owcpa_dec(rm, c, sk);
/* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */ /* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */
/* See comment in PQCLEAN_NTRUHRSS701_AVX2_owcpa_dec for details. */ /* See comment in PQCLEAN_NTRUHRSS701_AVX2_owcpa_dec for details. */

View File

@ -106,11 +106,15 @@ int PQCLEAN_NTRUHRSS701_AVX2_owcpa_dec(unsigned char *rm,
PQCLEAN_NTRUHRSS701_AVX2_poly_S3_mul(m, mf, finv3); PQCLEAN_NTRUHRSS701_AVX2_poly_S3_mul(m, mf, finv3);
PQCLEAN_NTRUHRSS701_AVX2_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m); PQCLEAN_NTRUHRSS701_AVX2_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m);
/* NOTE: For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */ fail = 0;
/* Check that unused bits of last byte of ciphertext are zero */
fail |= ciphertext[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));
/* For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
/* We can avoid re-computing r*h + Lift(m) as long as we check that */ /* We can avoid re-computing r*h + Lift(m) as long as we check that */
/* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */ /* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */
/* (m can take any value in S3 in NTRU_HRSS) */ /* (m can take any value in S3 in NTRU_HRSS) */
fail = 0;
/* b = c - Lift(m) mod (q, x^n - 1) */ /* b = c - Lift(m) mod (q, x^n - 1) */
PQCLEAN_NTRUHRSS701_AVX2_poly_lift(liftm, m); PQCLEAN_NTRUHRSS701_AVX2_poly_lift(liftm, m);

View File

@ -4,6 +4,7 @@
#include "params.h" #include "params.h"
#include "poly.h" #include "poly.h"
void PQCLEAN_NTRUHRSS701_AVX2_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]); void PQCLEAN_NTRUHRSS701_AVX2_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]);
void PQCLEAN_NTRUHRSS701_AVX2_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]); void PQCLEAN_NTRUHRSS701_AVX2_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]);

View File

@ -42,12 +42,7 @@ int PQCLEAN_NTRUHRSS701_CLEAN_crypto_kem_dec(uint8_t *k, const uint8_t *c, const
uint8_t rm[NTRU_OWCPA_MSGBYTES]; uint8_t rm[NTRU_OWCPA_MSGBYTES];
uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES]; uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES];
fail = 0; fail = PQCLEAN_NTRUHRSS701_CLEAN_owcpa_dec(rm, c, sk);
/* Check that unused bits of last byte of ciphertext are zero */
fail |= c[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));
fail |= PQCLEAN_NTRUHRSS701_CLEAN_owcpa_dec(rm, c, sk);
/* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */ /* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */
/* See comment in PQCLEAN_NTRUHRSS701_CLEAN_owcpa_dec for details. */ /* See comment in PQCLEAN_NTRUHRSS701_CLEAN_owcpa_dec for details. */

View File

@ -106,11 +106,15 @@ int PQCLEAN_NTRUHRSS701_CLEAN_owcpa_dec(unsigned char *rm,
PQCLEAN_NTRUHRSS701_CLEAN_poly_S3_mul(m, mf, finv3); PQCLEAN_NTRUHRSS701_CLEAN_poly_S3_mul(m, mf, finv3);
PQCLEAN_NTRUHRSS701_CLEAN_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m); PQCLEAN_NTRUHRSS701_CLEAN_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m);
/* NOTE: For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */ fail = 0;
/* Check that unused bits of last byte of ciphertext are zero */
fail |= ciphertext[NTRU_CIPHERTEXTBYTES - 1] & (0xff << (8 - (7 & (NTRU_LOGQ * NTRU_PACK_DEG))));
/* For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)). */
/* We can avoid re-computing r*h + Lift(m) as long as we check that */ /* We can avoid re-computing r*h + Lift(m) as long as we check that */
/* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */ /* r (defined as b/h mod (q, Phi_n)) and m are in the message space. */
/* (m can take any value in S3 in NTRU_HRSS) */ /* (m can take any value in S3 in NTRU_HRSS) */
fail = 0;
/* b = c - Lift(m) mod (q, x^n - 1) */ /* b = c - Lift(m) mod (q, x^n - 1) */
PQCLEAN_NTRUHRSS701_CLEAN_poly_lift(liftm, m); PQCLEAN_NTRUHRSS701_CLEAN_poly_lift(liftm, m);

View File

@ -3,14 +3,14 @@
#include "poly.h" #include "poly.h"
/* return -1 if x<0 and y<0; otherwise return 0 */ /* return -1 if x<0 and y<0; otherwise return 0 */
static inline int both_negative_mask(int x, int y) { static inline int16_t both_negative_mask(int16_t x, int16_t y) {
return (x & y) >> 15; return (x & y) >> 15;
} }
void PQCLEAN_NTRUHRSS701_CLEAN_poly_R2_inv(poly *r, const poly *a) { void PQCLEAN_NTRUHRSS701_CLEAN_poly_R2_inv(poly *r, const poly *a) {
poly f, g, v, w; poly f, g, v, w;
int i, loop, delta; int16_t i, loop, delta;
int sign, swap, t; int16_t sign, swap, t;
for (i = 0; i < NTRU_N; ++i) { for (i = 0; i < NTRU_N; ++i) {
v.coeffs[i] = 0; v.coeffs[i] = 0;
@ -37,7 +37,7 @@ void PQCLEAN_NTRUHRSS701_CLEAN_poly_R2_inv(poly *r, const poly *a) {
v.coeffs[0] = 0; v.coeffs[0] = 0;
sign = g.coeffs[0] & f.coeffs[0]; sign = g.coeffs[0] & f.coeffs[0];
swap = both_negative_mask(-delta, -(int) g.coeffs[0]); swap = both_negative_mask(-delta, -(int16_t) g.coeffs[0]);
delta ^= swap & (delta ^ -delta); delta ^= swap & (delta ^ -delta);
delta += 1; delta += 1;

View File

@ -11,14 +11,14 @@ static inline uint8_t mod3(uint8_t a) { /* a between 0 and 9 */
} }
/* return -1 if x<0 and y<0; otherwise return 0 */ /* return -1 if x<0 and y<0; otherwise return 0 */
static inline int both_negative_mask(int x, int y) { static inline int16_t both_negative_mask(int16_t x, int16_t y) {
return (x & y) >> 15; return (x & y) >> 15;
} }
void PQCLEAN_NTRUHRSS701_CLEAN_poly_S3_inv(poly *r, const poly *a) { void PQCLEAN_NTRUHRSS701_CLEAN_poly_S3_inv(poly *r, const poly *a) {
poly f, g, v, w; poly f, g, v, w;
int i, loop, delta; int16_t i, loop, delta;
int sign, swap, t; int16_t sign, swap, t;
for (i = 0; i < NTRU_N; ++i) { for (i = 0; i < NTRU_N; ++i) {
v.coeffs[i] = 0; v.coeffs[i] = 0;
@ -45,7 +45,7 @@ void PQCLEAN_NTRUHRSS701_CLEAN_poly_S3_inv(poly *r, const poly *a) {
v.coeffs[0] = 0; v.coeffs[0] = 0;
sign = mod3((uint8_t) (2 * g.coeffs[0] * f.coeffs[0])); sign = mod3((uint8_t) (2 * g.coeffs[0] * f.coeffs[0]));
swap = both_negative_mask(-delta, -(int) g.coeffs[0]); swap = both_negative_mask(-delta, -(int16_t) g.coeffs[0]);
delta ^= swap & (delta ^ -delta); delta ^= swap & (delta ^ -delta);
delta += 1; delta += 1;

View File

@ -4,6 +4,7 @@
#include "params.h" #include "params.h"
#include "poly.h" #include "poly.h"
void PQCLEAN_NTRUHRSS701_CLEAN_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]); void PQCLEAN_NTRUHRSS701_CLEAN_sample_fg(poly *f, poly *g, const unsigned char uniformbytes[NTRU_SAMPLE_FG_BYTES]);
void PQCLEAN_NTRUHRSS701_CLEAN_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]); void PQCLEAN_NTRUHRSS701_CLEAN_sample_rm(poly *r, poly *m, const unsigned char uniformbytes[NTRU_SAMPLE_RM_BYTES]);