diff --git a/crypto_kem/kyber768/clean/api.h b/crypto_kem/kyber768/clean/api.h index cf6617f7..9c0cbe88 100644 --- a/crypto_kem/kyber768/clean/api.h +++ b/crypto_kem/kyber768/clean/api.h @@ -10,12 +10,12 @@ #define CRYPTO_ALGNAME "Kyber768" -int crypto_kem_keypair(unsigned char *pk, unsigned char *sk); +int PQCLEAN_KYBER768_crypto_kem_keypair(unsigned char *pk, unsigned char *sk); -int crypto_kem_enc(unsigned char *ct, unsigned char *ss, - const unsigned char *pk); +int PQCLEAN_KYBER768_crypto_kem_enc(unsigned char *ct, unsigned char *ss, + const unsigned char *pk); -int crypto_kem_dec(unsigned char *ss, const unsigned char *ct, - const unsigned char *sk); +int PQCLEAN_KYBER768_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, + const unsigned char *sk); #endif diff --git a/crypto_kem/kyber768/clean/cbd.c b/crypto_kem/kyber768/clean/cbd.c index 9eb2467e..7da601e4 100644 --- a/crypto_kem/kyber768/clean/cbd.c +++ b/crypto_kem/kyber768/clean/cbd.c @@ -31,7 +31,7 @@ static uint64_t load_littleendian(const unsigned char *x, int bytes) { * Arguments: - poly *r: pointer to output polynomial * - const unsigned char *buf: pointer to input byte array **************************************************/ -void cbd(poly *r, const unsigned char *buf) { +void PQCLEAN_KYBER768_cbd(poly *r, const unsigned char *buf) { #if KYBER_ETA == 3 uint32_t t, d, a[4], b[4]; int i, j; diff --git a/crypto_kem/kyber768/clean/cbd.h b/crypto_kem/kyber768/clean/cbd.h index 45e8b29e..de31db83 100644 --- a/crypto_kem/kyber768/clean/cbd.h +++ b/crypto_kem/kyber768/clean/cbd.h @@ -4,6 +4,6 @@ #include "poly.h" #include -void cbd(poly *r, const unsigned char *buf); +void PQCLEAN_KYBER768_cbd(poly *r, const unsigned char *buf); #endif diff --git a/crypto_kem/kyber768/clean/indcpa.c b/crypto_kem/kyber768/clean/indcpa.c index caa4e6f3..528851c7 100644 --- a/crypto_kem/kyber768/clean/indcpa.c +++ b/crypto_kem/kyber768/clean/indcpa.c @@ -20,7 +20,7 @@ static void pack_pk(unsigned char *r, const polyvec *pk, const unsigned char *seed) { int i; - polyvec_compress(r, pk); + PQCLEAN_KYBER768_polyvec_compress(r, pk); for (i = 0; i < KYBER_SYMBYTES; i++) { r[i + KYBER_POLYVECCOMPRESSEDBYTES] = seed[i]; } @@ -42,7 +42,7 @@ static void pack_pk(unsigned char *r, const polyvec *pk, static void unpack_pk(polyvec *pk, unsigned char *seed, const unsigned char *packedpk) { int i; - polyvec_decompress(pk, packedpk); + PQCLEAN_KYBER768_polyvec_decompress(pk, packedpk); for (i = 0; i < KYBER_SYMBYTES; i++) { seed[i] = packedpk[i + KYBER_POLYVECCOMPRESSEDBYTES]; @@ -61,8 +61,8 @@ static void unpack_pk(polyvec *pk, unsigned char *seed, *polynomials b const unsigned char *seed: pointer to the input polynomial v **************************************************/ static void pack_ciphertext(unsigned char *r, const polyvec *b, const poly *v) { - polyvec_compress(r, b); - poly_compress(r + KYBER_POLYVECCOMPRESSEDBYTES, v); + PQCLEAN_KYBER768_polyvec_compress(r, b); + PQCLEAN_KYBER768_poly_compress(r + KYBER_POLYVECCOMPRESSEDBYTES, v); } /************************************************* @@ -78,8 +78,8 @@ static void pack_ciphertext(unsigned char *r, const polyvec *b, const poly *v) { *ciphertext **************************************************/ static void unpack_ciphertext(polyvec *b, poly *v, const unsigned char *c) { - polyvec_decompress(b, c); - poly_decompress(v, c + KYBER_POLYVECCOMPRESSEDBYTES); + PQCLEAN_KYBER768_polyvec_decompress(b, c); + PQCLEAN_KYBER768_poly_decompress(v, c + KYBER_POLYVECCOMPRESSEDBYTES); } /************************************************* @@ -92,7 +92,7 @@ static void unpack_ciphertext(polyvec *b, poly *v, const unsigned char *c) { *(secret key) **************************************************/ static void pack_sk(unsigned char *r, const polyvec *sk) { - polyvec_tobytes(r, sk); + PQCLEAN_KYBER768_polyvec_tobytes(r, sk); } /************************************************* @@ -107,11 +107,11 @@ static void pack_sk(unsigned char *r, const polyvec *sk) { *secret key **************************************************/ static void unpack_sk(polyvec *sk, const unsigned char *packedsk) { - polyvec_frombytes(sk, packedsk); + PQCLEAN_KYBER768_polyvec_frombytes(sk, packedsk); } -#define gen_a(A, B) gen_matrix(A, B, 0) -#define gen_at(A, B) gen_matrix(A, B, 1) +#define gen_a(A, B) PQCLEAN_KYBER768_gen_matrix(A, B, 0) +#define gen_at(A, B) PQCLEAN_KYBER768_gen_matrix(A, B, 1) /************************************************* * Name: gen_matrix @@ -126,8 +126,8 @@ static void unpack_sk(polyvec *sk, const unsigned char *packedsk) { * - int transposed: boolean deciding whether A or A^T *is generated **************************************************/ -void gen_matrix(polyvec *a, const unsigned char *seed, - int transposed) // Not static for benchmarking +void PQCLEAN_KYBER768_gen_matrix(polyvec *a, const unsigned char *seed, + int transposed) // Not static for benchmarking { unsigned int pos = 0, ctr; uint16_t val; @@ -185,7 +185,7 @@ void gen_matrix(polyvec *a, const unsigned char *seed, * - unsigned char *sk: pointer to output private key (of length *KYBER_INDCPA_SECRETKEYBYTES bytes) **************************************************/ -void indcpa_keypair(unsigned char *pk, unsigned char *sk) { +void PQCLEAN_KYBER768_indcpa_keypair(unsigned char *pk, unsigned char *sk) { polyvec a[KYBER_K], e, pkpv, skpv; unsigned char buf[KYBER_SYMBYTES + KYBER_SYMBYTES]; unsigned char *publicseed = buf; @@ -199,22 +199,22 @@ void indcpa_keypair(unsigned char *pk, unsigned char *sk) { gen_a(a, publicseed); for (i = 0; i < KYBER_K; i++) { - poly_getnoise(skpv.vec + i, noiseseed, nonce++); + PQCLEAN_KYBER768_poly_getnoise(skpv.vec + i, noiseseed, nonce++); } - polyvec_ntt(&skpv); + PQCLEAN_KYBER768_polyvec_ntt(&skpv); for (i = 0; i < KYBER_K; i++) { - poly_getnoise(e.vec + i, noiseseed, nonce++); + PQCLEAN_KYBER768_poly_getnoise(e.vec + i, noiseseed, nonce++); } // matrix-vector multiplication for (i = 0; i < KYBER_K; i++) { - polyvec_pointwise_acc(&pkpv.vec[i], &skpv, a + i); + PQCLEAN_KYBER768_polyvec_pointwise_acc(&pkpv.vec[i], &skpv, a + i); } - polyvec_invntt(&pkpv); - polyvec_add(&pkpv, &pkpv, &e); + PQCLEAN_KYBER768_polyvec_invntt(&pkpv); + PQCLEAN_KYBER768_polyvec_add(&pkpv, &pkpv, &e); pack_sk(sk, &skpv); pack_pk(pk, &pkpv, publicseed); @@ -236,8 +236,9 @@ void indcpa_keypair(unsigned char *pk, unsigned char *sk) { *as seed (of length KYBER_SYMBYTES bytes) to deterministically generate all *randomness **************************************************/ -void indcpa_enc(unsigned char *c, const unsigned char *m, - const unsigned char *pk, const unsigned char *coins) { +void PQCLEAN_KYBER768_indcpa_enc(unsigned char *c, const unsigned char *m, + const unsigned char *pk, + const unsigned char *coins) { polyvec sp, pkpv, ep, at[KYBER_K], bp; poly v, k, epp; unsigned char seed[KYBER_SYMBYTES]; @@ -246,37 +247,37 @@ void indcpa_enc(unsigned char *c, const unsigned char *m, unpack_pk(&pkpv, seed, pk); - poly_frommsg(&k, m); + PQCLEAN_KYBER768_poly_frommsg(&k, m); - polyvec_ntt(&pkpv); + PQCLEAN_KYBER768_polyvec_ntt(&pkpv); gen_at(at, seed); for (i = 0; i < KYBER_K; i++) { - poly_getnoise(sp.vec + i, coins, nonce++); + PQCLEAN_KYBER768_poly_getnoise(sp.vec + i, coins, nonce++); } - polyvec_ntt(&sp); + PQCLEAN_KYBER768_polyvec_ntt(&sp); for (i = 0; i < KYBER_K; i++) { - poly_getnoise(ep.vec + i, coins, nonce++); + PQCLEAN_KYBER768_poly_getnoise(ep.vec + i, coins, nonce++); } // matrix-vector multiplication for (i = 0; i < KYBER_K; i++) { - polyvec_pointwise_acc(&bp.vec[i], &sp, at + i); + PQCLEAN_KYBER768_polyvec_pointwise_acc(&bp.vec[i], &sp, at + i); } - polyvec_invntt(&bp); - polyvec_add(&bp, &bp, &ep); + PQCLEAN_KYBER768_polyvec_invntt(&bp); + PQCLEAN_KYBER768_polyvec_add(&bp, &bp, &ep); - polyvec_pointwise_acc(&v, &pkpv, &sp); - poly_invntt(&v); + PQCLEAN_KYBER768_polyvec_pointwise_acc(&v, &pkpv, &sp); + PQCLEAN_KYBER768_poly_invntt(&v); - poly_getnoise(&epp, coins, nonce++); + PQCLEAN_KYBER768_poly_getnoise(&epp, coins, nonce++); - poly_add(&v, &v, &epp); - poly_add(&v, &v, &k); + PQCLEAN_KYBER768_poly_add(&v, &v, &epp); + PQCLEAN_KYBER768_poly_add(&v, &v, &k); pack_ciphertext(c, &bp, &v); } @@ -294,20 +295,20 @@ void indcpa_enc(unsigned char *c, const unsigned char *m, * - const unsigned char *sk: pointer to input secret key (of *length KYBER_INDCPA_SECRETKEYBYTES) **************************************************/ -void indcpa_dec(unsigned char *m, const unsigned char *c, - const unsigned char *sk) { +void PQCLEAN_KYBER768_indcpa_dec(unsigned char *m, const unsigned char *c, + const unsigned char *sk) { polyvec bp, skpv; poly v, mp; unpack_ciphertext(&bp, &v, c); unpack_sk(&skpv, sk); - polyvec_ntt(&bp); + PQCLEAN_KYBER768_polyvec_ntt(&bp); - polyvec_pointwise_acc(&mp, &skpv, &bp); - poly_invntt(&mp); + PQCLEAN_KYBER768_polyvec_pointwise_acc(&mp, &skpv, &bp); + PQCLEAN_KYBER768_poly_invntt(&mp); - poly_sub(&mp, &mp, &v); + PQCLEAN_KYBER768_poly_sub(&mp, &mp, &v); - poly_tomsg(m, &mp); + PQCLEAN_KYBER768_poly_tomsg(m, &mp); } diff --git a/crypto_kem/kyber768/clean/indcpa.h b/crypto_kem/kyber768/clean/indcpa.h index 50050178..5832b4bb 100644 --- a/crypto_kem/kyber768/clean/indcpa.h +++ b/crypto_kem/kyber768/clean/indcpa.h @@ -1,12 +1,13 @@ #ifndef INDCPA_H #define INDCPA_H -void indcpa_keypair(unsigned char *pk, unsigned char *sk); +void PQCLEAN_KYBER768_indcpa_keypair(unsigned char *pk, unsigned char *sk); -void indcpa_enc(unsigned char *c, const unsigned char *m, - const unsigned char *pk, const unsigned char *coins); +void PQCLEAN_KYBER768_indcpa_enc(unsigned char *c, const unsigned char *m, + const unsigned char *pk, + const unsigned char *coins); -void indcpa_dec(unsigned char *m, const unsigned char *c, - const unsigned char *sk); +void PQCLEAN_KYBER768_indcpa_dec(unsigned char *m, const unsigned char *c, + const unsigned char *sk); #endif diff --git a/crypto_kem/kyber768/clean/kem.c b/crypto_kem/kyber768/clean/kem.c index ac999e98..637dbf3b 100644 --- a/crypto_kem/kyber768/clean/kem.c +++ b/crypto_kem/kyber768/clean/kem.c @@ -18,9 +18,9 @@ * * Returns 0 (success) **************************************************/ -int crypto_kem_keypair(unsigned char *pk, unsigned char *sk) { +int PQCLEAN_KYBER768_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) { size_t i; - indcpa_keypair(pk, sk); + PQCLEAN_KYBER768_indcpa_keypair(pk, sk); for (i = 0; i < KYBER_INDCPA_PUBLICKEYBYTES; i++) { sk[i + KYBER_INDCPA_SECRETKEYBYTES] = pk[i]; } @@ -47,8 +47,8 @@ int crypto_kem_keypair(unsigned char *pk, unsigned char *sk) { * * Returns 0 (success) **************************************************/ -int crypto_kem_enc(unsigned char *ct, unsigned char *ss, - const unsigned char *pk) { +int PQCLEAN_KYBER768_crypto_kem_enc(unsigned char *ct, unsigned char *ss, + const unsigned char *pk) { unsigned char kr[2 * KYBER_SYMBYTES]; /* Will contain key, coins */ unsigned char buf[2 * KYBER_SYMBYTES]; @@ -60,8 +60,8 @@ int crypto_kem_enc(unsigned char *ct, unsigned char *ss, contributory KEM */ sha3_512(kr, buf, 2 * KYBER_SYMBYTES); - indcpa_enc(ct, buf, pk, - kr + KYBER_SYMBYTES); /* coins are in kr+KYBER_SYMBYTES */ + PQCLEAN_KYBER768_indcpa_enc( + ct, buf, pk, kr + KYBER_SYMBYTES); /* coins are in kr+KYBER_SYMBYTES */ sha3_256(kr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); /* overwrite coins in kr with H(c) */ @@ -88,8 +88,8 @@ int crypto_kem_enc(unsigned char *ct, unsigned char *ss, * * On failure, ss will contain a pseudo-random value. **************************************************/ -int crypto_kem_dec(unsigned char *ss, const unsigned char *ct, - const unsigned char *sk) { +int PQCLEAN_KYBER768_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, + const unsigned char *sk) { size_t i; int fail; unsigned char cmp[KYBER_CIPHERTEXTBYTES]; @@ -98,7 +98,7 @@ int crypto_kem_dec(unsigned char *ss, const unsigned char *ct, kr[2 * KYBER_SYMBYTES]; /* Will contain key, coins, qrom-hash */ const unsigned char *pk = sk + KYBER_INDCPA_SECRETKEYBYTES; - indcpa_dec(buf, ct, sk); + PQCLEAN_KYBER768_indcpa_dec(buf, ct, sk); for (i = 0; i < KYBER_SYMBYTES; i++) { /* Multitarget countermeasure for coins + contributory KEM */ @@ -107,16 +107,17 @@ int crypto_kem_dec(unsigned char *ss, const unsigned char *ct, } sha3_512(kr, buf, 2 * KYBER_SYMBYTES); - indcpa_enc(cmp, buf, pk, - kr + KYBER_SYMBYTES); /* coins are in kr+KYBER_SYMBYTES */ + PQCLEAN_KYBER768_indcpa_enc( + cmp, buf, pk, kr + KYBER_SYMBYTES); /* coins are in kr+KYBER_SYMBYTES */ - fail = verify(ct, cmp, KYBER_CIPHERTEXTBYTES); + fail = PQCLEAN_KYBER768_verify(ct, cmp, KYBER_CIPHERTEXTBYTES); sha3_256(kr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); /* overwrite coins in kr with H(c) */ - cmov(kr, sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES, - fail); /* Overwrite pre-k with z on re-encryption failure */ + PQCLEAN_KYBER768_cmov( + kr, sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES, + fail); /* Overwrite pre-k with z on re-encryption failure */ sha3_256( ss, kr, diff --git a/crypto_kem/kyber768/clean/kex.c b/crypto_kem/kyber768/clean/kex.c index 98da0115..8e2669b3 100644 --- a/crypto_kem/kyber768/clean/kex.c +++ b/crypto_kem/kyber768/clean/kex.c @@ -2,48 +2,55 @@ #include "fips202.h" #include "verify.h" -void kyber_uake_initA(u8 *send, u8 *tk, u8 *sk, const u8 *pkb) { - crypto_kem_keypair(send, sk); - crypto_kem_enc(send + KYBER_PUBLICKEYBYTES, tk, pkb); +void PQCLEAN_KYBER768_kyber_uake_initA(u8 *send, u8 *tk, u8 *sk, + const u8 *pkb) { + PQCLEAN_KYBER768_crypto_kem_keypair(send, sk); + PQCLEAN_KYBER768_crypto_kem_enc(send + KYBER_PUBLICKEYBYTES, tk, pkb); } -void kyber_uake_sharedB(u8 *send, u8 *k, const u8 *recv, const u8 *skb) { +void PQCLEAN_KYBER768_kyber_uake_sharedB(u8 *send, u8 *k, const u8 *recv, + const u8 *skb) { unsigned char buf[2 * KYBER_SYMBYTES]; - crypto_kem_enc(send, buf, recv); - crypto_kem_dec(buf + KYBER_SYMBYTES, recv + KYBER_PUBLICKEYBYTES, skb); + PQCLEAN_KYBER768_crypto_kem_enc(send, buf, recv); + PQCLEAN_KYBER768_crypto_kem_dec(buf + KYBER_SYMBYTES, + recv + KYBER_PUBLICKEYBYTES, skb); shake256(k, KYBER_SYMBYTES, buf, 2 * KYBER_SYMBYTES); } -void kyber_uake_sharedA(u8 *k, const u8 *recv, const u8 *tk, const u8 *sk) { +void PQCLEAN_KYBER768_kyber_uake_sharedA(u8 *k, const u8 *recv, const u8 *tk, + const u8 *sk) { unsigned char buf[2 * KYBER_SYMBYTES]; int i; - crypto_kem_dec(buf, recv, sk); + PQCLEAN_KYBER768_crypto_kem_dec(buf, recv, sk); for (i = 0; i < KYBER_SYMBYTES; i++) { buf[i + KYBER_SYMBYTES] = tk[i]; } shake256(k, KYBER_SYMBYTES, buf, 2 * KYBER_SYMBYTES); } -void kyber_ake_initA(u8 *send, u8 *tk, u8 *sk, const u8 *pkb) { - crypto_kem_keypair(send, sk); - crypto_kem_enc(send + KYBER_PUBLICKEYBYTES, tk, pkb); +void PQCLEAN_KYBER768_kyber_ake_initA(u8 *send, u8 *tk, u8 *sk, const u8 *pkb) { + PQCLEAN_KYBER768_crypto_kem_keypair(send, sk); + PQCLEAN_KYBER768_crypto_kem_enc(send + KYBER_PUBLICKEYBYTES, tk, pkb); } -void kyber_ake_sharedB(u8 *send, u8 *k, const u8 *recv, const u8 *skb, - const u8 *pka) { +void PQCLEAN_KYBER768_kyber_ake_sharedB(u8 *send, u8 *k, const u8 *recv, + const u8 *skb, const u8 *pka) { unsigned char buf[3 * KYBER_SYMBYTES]; - crypto_kem_enc(send, buf, recv); - crypto_kem_enc(send + KYBER_CIPHERTEXTBYTES, buf + KYBER_SYMBYTES, pka); - crypto_kem_dec(buf + 2 * KYBER_SYMBYTES, recv + KYBER_PUBLICKEYBYTES, skb); + PQCLEAN_KYBER768_crypto_kem_enc(send, buf, recv); + PQCLEAN_KYBER768_crypto_kem_enc(send + KYBER_CIPHERTEXTBYTES, + buf + KYBER_SYMBYTES, pka); + PQCLEAN_KYBER768_crypto_kem_dec(buf + 2 * KYBER_SYMBYTES, + recv + KYBER_PUBLICKEYBYTES, skb); shake256(k, KYBER_SYMBYTES, buf, 3 * KYBER_SYMBYTES); } -void kyber_ake_sharedA(u8 *k, const u8 *recv, const u8 *tk, const u8 *sk, - const u8 *ska) { +void PQCLEAN_KYBER768_kyber_ake_sharedA(u8 *k, const u8 *recv, const u8 *tk, + const u8 *sk, const u8 *ska) { unsigned char buf[3 * KYBER_SYMBYTES]; int i; - crypto_kem_dec(buf, recv, sk); - crypto_kem_dec(buf + KYBER_SYMBYTES, recv + KYBER_CIPHERTEXTBYTES, ska); + PQCLEAN_KYBER768_crypto_kem_dec(buf, recv, sk); + PQCLEAN_KYBER768_crypto_kem_dec(buf + KYBER_SYMBYTES, + recv + KYBER_CIPHERTEXTBYTES, ska); for (i = 0; i < KYBER_SYMBYTES; i++) { buf[i + 2 * KYBER_SYMBYTES] = tk[i]; } diff --git a/crypto_kem/kyber768/clean/kex.h b/crypto_kem/kyber768/clean/kex.h index 5a8acc06..36e50856 100644 --- a/crypto_kem/kyber768/clean/kex.h +++ b/crypto_kem/kyber768/clean/kex.h @@ -12,18 +12,20 @@ typedef unsigned char u8; -void kyber_uake_initA(u8 *send, u8 *tk, u8 *sk, const u8 *pkb); +void PQCLEAN_KYBER768_kyber_uake_initA(u8 *send, u8 *tk, u8 *sk, const u8 *pkb); -void kyber_uake_sharedB(u8 *send, u8 *k, const u8 *recv, const u8 *skb); +void PQCLEAN_KYBER768_kyber_uake_sharedB(u8 *send, u8 *k, const u8 *recv, + const u8 *skb); -void kyber_uake_sharedA(u8 *k, const u8 *recv, const u8 *tk, const u8 *sk); +void PQCLEAN_KYBER768_kyber_uake_sharedA(u8 *k, const u8 *recv, const u8 *tk, + const u8 *sk); -void kyber_ake_initA(u8 *send, u8 *tk, u8 *sk, const u8 *pkb); +void PQCLEAN_KYBER768_kyber_ake_initA(u8 *send, u8 *tk, u8 *sk, const u8 *pkb); -void kyber_ake_sharedB(u8 *send, u8 *k, const u8 *recv, const u8 *skb, - const u8 *pka); +void PQCLEAN_KYBER768_kyber_ake_sharedB(u8 *send, u8 *k, const u8 *recv, + const u8 *skb, const u8 *pka); -void kyber_ake_sharedA(u8 *k, const u8 *recv, const u8 *tk, const u8 *sk, - const u8 *ska); +void PQCLEAN_KYBER768_kyber_ake_sharedA(u8 *k, const u8 *recv, const u8 *tk, + const u8 *sk, const u8 *ska); #endif diff --git a/crypto_kem/kyber768/clean/ntt.c b/crypto_kem/kyber768/clean/ntt.c index 0fa23a4f..5dee2332 100644 --- a/crypto_kem/kyber768/clean/ntt.c +++ b/crypto_kem/kyber768/clean/ntt.c @@ -3,9 +3,9 @@ #include "params.h" #include "reduce.h" -extern const uint16_t omegas_inv_bitrev_montgomery[]; -extern const uint16_t psis_inv_montgomery[]; -extern const uint16_t zetas[]; +extern const uint16_t PQCLEAN_KYBER768_omegas_inv_bitrev_montgomery[]; +extern const uint16_t PQCLEAN_KYBER768_psis_inv_montgomery[]; +extern const uint16_t PQCLEAN_KYBER768_zetas[]; /************************************************* * Name: ntt @@ -17,23 +17,25 @@ extern const uint16_t zetas[]; * * Arguments: - uint16_t *p: pointer to in/output polynomial **************************************************/ -void ntt(uint16_t *p) { +void PQCLEAN_KYBER768_ntt(uint16_t *p) { int level, start, j, k; uint16_t zeta, t; k = 1; for (level = 7; level >= 0; level--) { for (start = 0; start < KYBER_N; start = j + (1 << level)) { - zeta = zetas[k++]; + zeta = PQCLEAN_KYBER768_zetas[k++]; for (j = start; j < start + (1 << level); ++j) { - t = montgomery_reduce((uint32_t)zeta * p[j + (1 << level)]); + t = PQCLEAN_KYBER768_montgomery_reduce((uint32_t)zeta * + p[j + (1 << level)]); - p[j + (1 << level)] = barrett_reduce(p[j] + 4 * KYBER_Q - t); + p[j + (1 << level)] = + PQCLEAN_KYBER768_barrett_reduce(p[j] + 4 * KYBER_Q - t); if (level & 1) { /* odd level */ p[j] = p[j] + t; /* Omit reduction (be lazy) */ } else { - p[j] = barrett_reduce(p[j] + t); + p[j] = PQCLEAN_KYBER768_barrett_reduce(p[j] + t); } } } @@ -49,7 +51,7 @@ void ntt(uint16_t *p) { * * Arguments: - uint16_t *a: pointer to in/output polynomial **************************************************/ -void invntt(uint16_t *a) { +void PQCLEAN_KYBER768_invntt(uint16_t *a) { int start, j, jTwiddle, level; uint16_t temp, W; uint32_t t; @@ -58,11 +60,12 @@ void invntt(uint16_t *a) { for (start = 0; start < (1 << level); start++) { jTwiddle = 0; for (j = start; j < KYBER_N - 1; j += 2 * (1 << level)) { - W = omegas_inv_bitrev_montgomery[jTwiddle++]; + W = PQCLEAN_KYBER768_omegas_inv_bitrev_montgomery[jTwiddle++]; temp = a[j]; if (level & 1) { /* odd level */ - a[j] = barrett_reduce((temp + a[j + (1 << level)])); + a[j] = PQCLEAN_KYBER768_barrett_reduce( + (temp + a[j + (1 << level)])); } else { a[j] = (temp + a[j + (1 << level)]); /* Omit reduction (be lazy) */ @@ -70,12 +73,13 @@ void invntt(uint16_t *a) { t = (W * ((uint32_t)temp + 4 * KYBER_Q - a[j + (1 << level)])); - a[j + (1 << level)] = montgomery_reduce(t); + a[j + (1 << level)] = PQCLEAN_KYBER768_montgomery_reduce(t); } } } for (j = 0; j < KYBER_N; j++) { - a[j] = montgomery_reduce((a[j] * psis_inv_montgomery[j])); + a[j] = PQCLEAN_KYBER768_montgomery_reduce( + (a[j] * PQCLEAN_KYBER768_psis_inv_montgomery[j])); } } diff --git a/crypto_kem/kyber768/clean/ntt.h b/crypto_kem/kyber768/clean/ntt.h index 68b86735..4afd19d1 100644 --- a/crypto_kem/kyber768/clean/ntt.h +++ b/crypto_kem/kyber768/clean/ntt.h @@ -3,7 +3,7 @@ #include -void ntt(uint16_t *p); -void invntt(uint16_t *a); +void PQCLEAN_KYBER768_ntt(uint16_t *p); +void PQCLEAN_KYBER768_invntt(uint16_t *a); #endif diff --git a/crypto_kem/kyber768/clean/poly.c b/crypto_kem/kyber768/clean/poly.c index 7b679680..69661bda 100644 --- a/crypto_kem/kyber768/clean/poly.c +++ b/crypto_kem/kyber768/clean/poly.c @@ -14,14 +14,16 @@ * Arguments: - unsigned char *r: pointer to output byte array * - const poly *a: pointer to input polynomial **************************************************/ -void poly_compress(unsigned char *r, const poly *a) { +void PQCLEAN_KYBER768_poly_compress(unsigned char *r, const poly *a) { uint32_t t[8]; unsigned int i, j, k = 0; for (i = 0; i < KYBER_N; i += 8) { for (j = 0; j < 8; j++) { - t[j] = - (((freeze(a->coeffs[i + j]) << 3) + KYBER_Q / 2) / KYBER_Q) & 7; + t[j] = (((PQCLEAN_KYBER768_freeze(a->coeffs[i + j]) << 3) + + KYBER_Q / 2) / + KYBER_Q) & + 7; } r[k] = t[0] | (t[1] << 3) | (t[2] << 6); @@ -40,7 +42,7 @@ void poly_compress(unsigned char *r, const poly *a) { * Arguments: - poly *r: pointer to output polynomial * - const unsigned char *a: pointer to input byte array **************************************************/ -void poly_decompress(poly *r, const unsigned char *a) { +void PQCLEAN_KYBER768_poly_decompress(poly *r, const unsigned char *a) { unsigned int i; for (i = 0; i < KYBER_N; i += 8) { r->coeffs[i + 0] = (((a[0] & 7) * KYBER_Q) + 4) >> 3; @@ -65,13 +67,13 @@ void poly_decompress(poly *r, const unsigned char *a) { * Arguments: - unsigned char *r: pointer to output byte array * - const poly *a: pointer to input polynomial **************************************************/ -void poly_tobytes(unsigned char *r, const poly *a) { +void PQCLEAN_KYBER768_poly_tobytes(unsigned char *r, const poly *a) { int i, j; uint16_t t[8]; for (i = 0; i < KYBER_N / 8; i++) { for (j = 0; j < 8; j++) { - t[j] = freeze(a->coeffs[8 * i + j]); + t[j] = PQCLEAN_KYBER768_freeze(a->coeffs[8 * i + j]); } r[13 * i + 0] = t[0] & 0xff; @@ -99,7 +101,7 @@ void poly_tobytes(unsigned char *r, const poly *a) { * Arguments: - poly *r: pointer to output polynomial * - const unsigned char *a: pointer to input byte array **************************************************/ -void poly_frombytes(poly *r, const unsigned char *a) { +void PQCLEAN_KYBER768_poly_frombytes(poly *r, const unsigned char *a) { int i; for (i = 0; i < KYBER_N / 8; i++) { r->coeffs[8 * i + 0] = @@ -136,7 +138,8 @@ void poly_frombytes(poly *r, const unsigned char *a) { * - const unsigned char *seed: pointer to input seed * - unsigned char nonce: one-byte input nonce **************************************************/ -void poly_getnoise(poly *r, const unsigned char *seed, unsigned char nonce) { +void PQCLEAN_KYBER768_poly_getnoise(poly *r, const unsigned char *seed, + unsigned char nonce) { unsigned char buf[KYBER_ETA * KYBER_N / 4]; unsigned char extseed[KYBER_SYMBYTES + 1]; int i; @@ -148,7 +151,7 @@ void poly_getnoise(poly *r, const unsigned char *seed, unsigned char nonce) { shake256(buf, KYBER_ETA * KYBER_N / 4, extseed, KYBER_SYMBYTES + 1); - cbd(r, buf); + PQCLEAN_KYBER768_cbd(r, buf); } /************************************************* @@ -161,8 +164,8 @@ void poly_getnoise(poly *r, const unsigned char *seed, unsigned char nonce) { * * Arguments: - uint16_t *r: pointer to in/output polynomial **************************************************/ -void poly_ntt(poly *r) { - ntt(r->coeffs); +void PQCLEAN_KYBER768_poly_ntt(poly *r) { + PQCLEAN_KYBER768_ntt(r->coeffs); } /************************************************* @@ -174,8 +177,8 @@ void poly_ntt(poly *r) { * * Arguments: - uint16_t *a: pointer to in/output polynomial **************************************************/ -void poly_invntt(poly *r) { - invntt(r->coeffs); +void PQCLEAN_KYBER768_poly_invntt(poly *r) { + PQCLEAN_KYBER768_invntt(r->coeffs); } /************************************************* @@ -187,10 +190,11 @@ void poly_invntt(poly *r) { * - const poly *a: pointer to first input polynomial * - const poly *b: pointer to second input polynomial **************************************************/ -void poly_add(poly *r, const poly *a, const poly *b) { +void PQCLEAN_KYBER768_poly_add(poly *r, const poly *a, const poly *b) { int i; for (i = 0; i < KYBER_N; i++) { - r->coeffs[i] = barrett_reduce(a->coeffs[i] + b->coeffs[i]); + r->coeffs[i] = + PQCLEAN_KYBER768_barrett_reduce(a->coeffs[i] + b->coeffs[i]); } } @@ -203,11 +207,11 @@ void poly_add(poly *r, const poly *a, const poly *b) { * - const poly *a: pointer to first input polynomial * - const poly *b: pointer to second input polynomial **************************************************/ -void poly_sub(poly *r, const poly *a, const poly *b) { +void PQCLEAN_KYBER768_poly_sub(poly *r, const poly *a, const poly *b) { int i; for (i = 0; i < KYBER_N; i++) { - r->coeffs[i] = - barrett_reduce(a->coeffs[i] + 3 * KYBER_Q - b->coeffs[i]); + r->coeffs[i] = PQCLEAN_KYBER768_barrett_reduce( + a->coeffs[i] + 3 * KYBER_Q - b->coeffs[i]); } } @@ -219,7 +223,8 @@ void poly_sub(poly *r, const poly *a, const poly *b) { * Arguments: - poly *r: pointer to output polynomial * - const unsigned char *msg: pointer to input message **************************************************/ -void poly_frommsg(poly *r, const unsigned char msg[KYBER_SYMBYTES]) { +void PQCLEAN_KYBER768_poly_frommsg(poly *r, + const unsigned char msg[KYBER_SYMBYTES]) { uint16_t i, j, mask; for (i = 0; i < KYBER_SYMBYTES; i++) { @@ -238,14 +243,16 @@ void poly_frommsg(poly *r, const unsigned char msg[KYBER_SYMBYTES]) { * Arguments: - unsigned char *msg: pointer to output message * - const poly *a: pointer to input polynomial **************************************************/ -void poly_tomsg(unsigned char msg[KYBER_SYMBYTES], const poly *a) { +void PQCLEAN_KYBER768_poly_tomsg(unsigned char msg[KYBER_SYMBYTES], + const poly *a) { uint16_t t; int i, j; for (i = 0; i < KYBER_SYMBYTES; i++) { msg[i] = 0; for (j = 0; j < 8; j++) { - t = (((freeze(a->coeffs[8 * i + j]) << 1) + KYBER_Q / 2) / + t = (((PQCLEAN_KYBER768_freeze(a->coeffs[8 * i + j]) << 1) + + KYBER_Q / 2) / KYBER_Q) & 1; msg[i] |= t << j; diff --git a/crypto_kem/kyber768/clean/poly.h b/crypto_kem/kyber768/clean/poly.h index 0b42e07e..5a3b652e 100644 --- a/crypto_kem/kyber768/clean/poly.h +++ b/crypto_kem/kyber768/clean/poly.h @@ -12,21 +12,24 @@ typedef struct { uint16_t coeffs[KYBER_N]; } poly; -void poly_compress(unsigned char *r, const poly *a); -void poly_decompress(poly *r, const unsigned char *a); +void PQCLEAN_KYBER768_poly_compress(unsigned char *r, const poly *a); +void PQCLEAN_KYBER768_poly_decompress(poly *r, const unsigned char *a); -void poly_tobytes(unsigned char *r, const poly *a); -void poly_frombytes(poly *r, const unsigned char *a); +void PQCLEAN_KYBER768_poly_tobytes(unsigned char *r, const poly *a); +void PQCLEAN_KYBER768_poly_frombytes(poly *r, const unsigned char *a); -void poly_frommsg(poly *r, const unsigned char msg[KYBER_SYMBYTES]); -void poly_tomsg(unsigned char msg[KYBER_SYMBYTES], const poly *a); +void PQCLEAN_KYBER768_poly_frommsg(poly *r, + const unsigned char msg[KYBER_SYMBYTES]); +void PQCLEAN_KYBER768_poly_tomsg(unsigned char msg[KYBER_SYMBYTES], + const poly *a); -void poly_getnoise(poly *r, const unsigned char *seed, unsigned char nonce); +void PQCLEAN_KYBER768_poly_getnoise(poly *r, const unsigned char *seed, + unsigned char nonce); -void poly_ntt(poly *r); -void poly_invntt(poly *r); +void PQCLEAN_KYBER768_poly_ntt(poly *r); +void PQCLEAN_KYBER768_poly_invntt(poly *r); -void poly_add(poly *r, const poly *a, const poly *b); -void poly_sub(poly *r, const poly *a, const poly *b); +void PQCLEAN_KYBER768_poly_add(poly *r, const poly *a, const poly *b); +void PQCLEAN_KYBER768_poly_sub(poly *r, const poly *a, const poly *b); #endif diff --git a/crypto_kem/kyber768/clean/polyvec.c b/crypto_kem/kyber768/clean/polyvec.c index a4895ac9..53c9cc34 100644 --- a/crypto_kem/kyber768/clean/polyvec.c +++ b/crypto_kem/kyber768/clean/polyvec.c @@ -12,13 +12,15 @@ * Arguments: - unsigned char *r: pointer to output byte array * - const polyvec *a: pointer to input vector of polynomials **************************************************/ -void polyvec_compress(unsigned char *r, const polyvec *a) { +void PQCLEAN_KYBER768_polyvec_compress(unsigned char *r, const polyvec *a) { int i, j, k; uint16_t t[8]; for (i = 0; i < KYBER_K; i++) { for (j = 0; j < KYBER_N / 8; j++) { for (k = 0; k < 8; k++) { - t[k] = ((((uint32_t)freeze(a->vec[i].coeffs[8 * j + k]) << 11) + + t[k] = ((((uint32_t)PQCLEAN_KYBER768_freeze( + a->vec[i].coeffs[8 * j + k]) + << 11) + KYBER_Q / 2) / KYBER_Q) & 0x7ff; @@ -49,7 +51,7 @@ void polyvec_compress(unsigned char *r, const polyvec *a) { * Arguments: - polyvec *r: pointer to output vector of polynomials * - unsigned char *a: pointer to input byte array **************************************************/ -void polyvec_decompress(polyvec *r, const unsigned char *a) { +void PQCLEAN_KYBER768_polyvec_decompress(polyvec *r, const unsigned char *a) { int i, j; for (i = 0; i < KYBER_K; i++) { for (j = 0; j < KYBER_N / 8; j++) { @@ -115,10 +117,10 @@ void polyvec_decompress(polyvec *r, const unsigned char *a) { * Arguments: - unsigned char *r: pointer to output byte array * - const polyvec *a: pointer to input vector of polynomials **************************************************/ -void polyvec_tobytes(unsigned char *r, const polyvec *a) { +void PQCLEAN_KYBER768_polyvec_tobytes(unsigned char *r, const polyvec *a) { int i; for (i = 0; i < KYBER_K; i++) { - poly_tobytes(r + i * KYBER_POLYBYTES, &a->vec[i]); + PQCLEAN_KYBER768_poly_tobytes(r + i * KYBER_POLYBYTES, &a->vec[i]); } } @@ -131,10 +133,10 @@ void polyvec_tobytes(unsigned char *r, const polyvec *a) { * Arguments: - unsigned char *r: pointer to output byte array * - const polyvec *a: pointer to input vector of polynomials **************************************************/ -void polyvec_frombytes(polyvec *r, const unsigned char *a) { +void PQCLEAN_KYBER768_polyvec_frombytes(polyvec *r, const unsigned char *a) { int i; for (i = 0; i < KYBER_K; i++) { - poly_frombytes(&r->vec[i], a + i * KYBER_POLYBYTES); + PQCLEAN_KYBER768_poly_frombytes(&r->vec[i], a + i * KYBER_POLYBYTES); } } @@ -145,10 +147,10 @@ void polyvec_frombytes(polyvec *r, const unsigned char *a) { * * Arguments: - polyvec *r: pointer to in/output vector of polynomials **************************************************/ -void polyvec_ntt(polyvec *r) { +void PQCLEAN_KYBER768_polyvec_ntt(polyvec *r) { int i; for (i = 0; i < KYBER_K; i++) { - poly_ntt(&r->vec[i]); + PQCLEAN_KYBER768_poly_ntt(&r->vec[i]); } } @@ -159,10 +161,10 @@ void polyvec_ntt(polyvec *r) { * * Arguments: - polyvec *r: pointer to in/output vector of polynomials **************************************************/ -void polyvec_invntt(polyvec *r) { +void PQCLEAN_KYBER768_polyvec_invntt(polyvec *r) { int i; for (i = 0; i < KYBER_K; i++) { - poly_invntt(&r->vec[i]); + PQCLEAN_KYBER768_poly_invntt(&r->vec[i]); } } @@ -175,18 +177,22 @@ void polyvec_invntt(polyvec *r) { * - const polyvec *a: pointer to first input vector of polynomials * - const polyvec *b: pointer to second input vector of polynomials **************************************************/ -void polyvec_pointwise_acc(poly *r, const polyvec *a, const polyvec *b) { +void PQCLEAN_KYBER768_polyvec_pointwise_acc(poly *r, const polyvec *a, + const polyvec *b) { int i, j; uint16_t t; for (j = 0; j < KYBER_N; j++) { - t = montgomery_reduce( + t = PQCLEAN_KYBER768_montgomery_reduce( 4613 * (uint32_t)b->vec[0].coeffs[j]); // 4613 = 2^{2*18} % q - r->coeffs[j] = montgomery_reduce(a->vec[0].coeffs[j] * t); + r->coeffs[j] = + PQCLEAN_KYBER768_montgomery_reduce(a->vec[0].coeffs[j] * t); for (i = 1; i < KYBER_K; i++) { - t = montgomery_reduce(4613 * (uint32_t)b->vec[i].coeffs[j]); - r->coeffs[j] += montgomery_reduce(a->vec[i].coeffs[j] * t); + t = PQCLEAN_KYBER768_montgomery_reduce( + 4613 * (uint32_t)b->vec[i].coeffs[j]); + r->coeffs[j] += + PQCLEAN_KYBER768_montgomery_reduce(a->vec[i].coeffs[j] * t); } - r->coeffs[j] = barrett_reduce(r->coeffs[j]); + r->coeffs[j] = PQCLEAN_KYBER768_barrett_reduce(r->coeffs[j]); } } @@ -199,9 +205,10 @@ void polyvec_pointwise_acc(poly *r, const polyvec *a, const polyvec *b) { * - const polyvec *a: pointer to first input vector of polynomials * - const polyvec *b: pointer to second input vector of polynomials **************************************************/ -void polyvec_add(polyvec *r, const polyvec *a, const polyvec *b) { +void PQCLEAN_KYBER768_polyvec_add(polyvec *r, const polyvec *a, + const polyvec *b) { int i; for (i = 0; i < KYBER_K; i++) { - poly_add(&r->vec[i], &a->vec[i], &b->vec[i]); + PQCLEAN_KYBER768_poly_add(&r->vec[i], &a->vec[i], &b->vec[i]); } } diff --git a/crypto_kem/kyber768/clean/polyvec.h b/crypto_kem/kyber768/clean/polyvec.h index 2ce29df5..0deba5dc 100644 --- a/crypto_kem/kyber768/clean/polyvec.h +++ b/crypto_kem/kyber768/clean/polyvec.h @@ -8,17 +8,19 @@ typedef struct { poly vec[KYBER_K]; } polyvec; -void polyvec_compress(unsigned char *r, const polyvec *a); -void polyvec_decompress(polyvec *r, const unsigned char *a); +void PQCLEAN_KYBER768_polyvec_compress(unsigned char *r, const polyvec *a); +void PQCLEAN_KYBER768_polyvec_decompress(polyvec *r, const unsigned char *a); -void polyvec_tobytes(unsigned char *r, const polyvec *a); -void polyvec_frombytes(polyvec *r, const unsigned char *a); +void PQCLEAN_KYBER768_polyvec_tobytes(unsigned char *r, const polyvec *a); +void PQCLEAN_KYBER768_polyvec_frombytes(polyvec *r, const unsigned char *a); -void polyvec_ntt(polyvec *r); -void polyvec_invntt(polyvec *r); +void PQCLEAN_KYBER768_polyvec_ntt(polyvec *r); +void PQCLEAN_KYBER768_polyvec_invntt(polyvec *r); -void polyvec_pointwise_acc(poly *r, const polyvec *a, const polyvec *b); +void PQCLEAN_KYBER768_polyvec_pointwise_acc(poly *r, const polyvec *a, + const polyvec *b); -void polyvec_add(polyvec *r, const polyvec *a, const polyvec *b); +void PQCLEAN_KYBER768_polyvec_add(polyvec *r, const polyvec *a, + const polyvec *b); #endif diff --git a/crypto_kem/kyber768/clean/precomp.c b/crypto_kem/kyber768/clean/precomp.c index 243d5159..1c6c4aee 100644 --- a/crypto_kem/kyber768/clean/precomp.c +++ b/crypto_kem/kyber768/clean/precomp.c @@ -35,7 +35,7 @@ g^(-(i-1))/n*mont)) */ -const uint16_t zetas[KYBER_N] = { +const uint16_t PQCLEAN_KYBER768_zetas[KYBER_N] = { 990, 7427, 2634, 6819, 578, 3281, 2143, 1095, 484, 6362, 3336, 5382, 6086, 3823, 877, 5656, 3583, 7010, 6414, 263, 1285, 291, 7143, 7338, 1581, 5134, 5184, 5932, 4042, 5775, 2468, 3, 606, 729, 5383, 962, @@ -59,7 +59,7 @@ const uint16_t zetas[KYBER_N] = { 1990, 4067, 2036, 2069, 3567, 7371, 2368, 339, 6947, 2159, 654, 7327, 2768, 6676, 987, 2214}; -const uint16_t omegas_inv_bitrev_montgomery[KYBER_N / 2] = { +const uint16_t PQCLEAN_KYBER768_omegas_inv_bitrev_montgomery[KYBER_N / 2] = { 990, 254, 862, 5047, 6586, 5538, 4400, 7103, 2025, 6804, 3858, 1595, 2299, 4345, 1319, 7197, 7678, 5213, 1906, 3639, 1749, 2497, 2547, 6100, 343, 538, 7390, 6396, 7418, 1267, 671, 4098, 5724, 491, 4146, 412, @@ -72,7 +72,7 @@ const uint16_t omegas_inv_bitrev_montgomery[KYBER_N / 2] = { 2920, 594, 6189, 6662, 3247, 771, 5822, 1742, 4206, 3686, 776, 5987, 8, 4021, 38, 5658, 3017, 6143, 889, 4216}; -const uint16_t psis_inv_montgomery[KYBER_N] = { +const uint16_t PQCLEAN_KYBER768_psis_inv_montgomery[KYBER_N] = { 1024, 4972, 5779, 6907, 4943, 4168, 315, 5580, 90, 497, 1123, 142, 4710, 5527, 2443, 4871, 698, 2489, 2394, 4003, 684, 2241, 2390, 7224, 5072, 2064, 4741, 1687, 6841, 482, 7441, 1235, 2126, 4742, 2802, 5744, diff --git a/crypto_kem/kyber768/clean/reduce.c b/crypto_kem/kyber768/clean/reduce.c index 3437cf0a..8c030d7d 100644 --- a/crypto_kem/kyber768/clean/reduce.c +++ b/crypto_kem/kyber768/clean/reduce.c @@ -17,7 +17,7 @@ static const uint32_t rlog = 18; * Returns: unsigned integer in {0,...,2^13-1} congruent to a * R^-1 modulo *q. **************************************************/ -uint16_t montgomery_reduce(uint32_t a) { +uint16_t PQCLEAN_KYBER768_montgomery_reduce(uint32_t a) { uint32_t u; u = (a * qinv); @@ -37,7 +37,7 @@ uint16_t montgomery_reduce(uint32_t a) { * * Returns: unsigned integer in {0,...,11768} congruent to a modulo q. **************************************************/ -uint16_t barrett_reduce(uint16_t a) { +uint16_t PQCLEAN_KYBER768_barrett_reduce(uint16_t a) { uint32_t u; u = a >> 13; //((uint32_t) a * sinv) >> 16; @@ -56,10 +56,10 @@ uint16_t barrett_reduce(uint16_t a) { * * Returns: unsigned integer in {0,...,q-1} congruent to a modulo q. **************************************************/ -uint16_t freeze(uint16_t x) { +uint16_t PQCLEAN_KYBER768_freeze(uint16_t x) { uint16_t m, r; int16_t c; - r = barrett_reduce(x); + r = PQCLEAN_KYBER768_barrett_reduce(x); m = r - KYBER_Q; c = m; diff --git a/crypto_kem/kyber768/clean/reduce.h b/crypto_kem/kyber768/clean/reduce.h index 6deab6a0..ddcec0a8 100644 --- a/crypto_kem/kyber768/clean/reduce.h +++ b/crypto_kem/kyber768/clean/reduce.h @@ -3,10 +3,10 @@ #include -uint16_t freeze(uint16_t x); +uint16_t PQCLEAN_KYBER768_freeze(uint16_t x); -uint16_t montgomery_reduce(uint32_t a); +uint16_t PQCLEAN_KYBER768_montgomery_reduce(uint32_t a); -uint16_t barrett_reduce(uint16_t a); +uint16_t PQCLEAN_KYBER768_barrett_reduce(uint16_t a); #endif diff --git a/crypto_kem/kyber768/clean/verify.c b/crypto_kem/kyber768/clean/verify.c index c7640643..c1a8410d 100644 --- a/crypto_kem/kyber768/clean/verify.c +++ b/crypto_kem/kyber768/clean/verify.c @@ -12,7 +12,8 @@ * * Returns 0 if the byte arrays are equal, 1 otherwise **************************************************/ -int verify(const unsigned char *a, const unsigned char *b, size_t len) { +int PQCLEAN_KYBER768_verify(const unsigned char *a, const unsigned char *b, + size_t len) { uint64_t r; size_t i; r = 0; @@ -38,8 +39,8 @@ int verify(const unsigned char *a, const unsigned char *b, size_t len) { * size_t len: Amount of bytes to be copied * unsigned char b: Condition bit; has to be in {0,1} **************************************************/ -void cmov(unsigned char *r, const unsigned char *x, size_t len, - unsigned char b) { +void PQCLEAN_KYBER768_cmov(unsigned char *r, const unsigned char *x, size_t len, + unsigned char b) { size_t i; b = -b; diff --git a/crypto_kem/kyber768/clean/verify.h b/crypto_kem/kyber768/clean/verify.h index 15e9255d..1156bd1c 100644 --- a/crypto_kem/kyber768/clean/verify.h +++ b/crypto_kem/kyber768/clean/verify.h @@ -3,9 +3,10 @@ #include -int verify(const unsigned char *a, const unsigned char *b, size_t len); +int PQCLEAN_KYBER768_verify(const unsigned char *a, const unsigned char *b, + size_t len); -void cmov(unsigned char *r, const unsigned char *x, size_t len, - unsigned char b); +void PQCLEAN_KYBER768_cmov(unsigned char *r, const unsigned char *x, size_t len, + unsigned char b); #endif diff --git a/crypto_sign/dilithium-iii/clean/api.h b/crypto_sign/dilithium-iii/clean/api.h index 6b7bb7be..d30d8c12 100644 --- a/crypto_sign/dilithium-iii/clean/api.h +++ b/crypto_sign/dilithium-iii/clean/api.h @@ -9,14 +9,19 @@ #define CRYPTO_ALGNAME "Dilithium-III" -int crypto_sign_keypair(unsigned char *pk, unsigned char *sk); +int PQCLEAN_DILITHIUMIII_crypto_sign_keypair(unsigned char *pk, + unsigned char *sk); -int crypto_sign(unsigned char *sm, unsigned long long *smlen, - const unsigned char *msg, unsigned long long len, - const unsigned char *sk); +int PQCLEAN_DILITHIUMIII_crypto_sign(unsigned char *sm, + unsigned long long *smlen, + const unsigned char *msg, + unsigned long long len, + const unsigned char *sk); -int crypto_sign_open(unsigned char *m, unsigned long long *mlen, - const unsigned char *sm, unsigned long long smlen, - const unsigned char *pk); +int PQCLEAN_DILITHIUMIII_crypto_sign_open(unsigned char *m, + unsigned long long *mlen, + const unsigned char *sm, + unsigned long long smlen, + const unsigned char *pk); #endif diff --git a/crypto_sign/dilithium-iii/clean/ntt.c b/crypto_sign/dilithium-iii/clean/ntt.c index 3632e42e..a6d8f923 100644 --- a/crypto_sign/dilithium-iii/clean/ntt.c +++ b/crypto_sign/dilithium-iii/clean/ntt.c @@ -4,7 +4,7 @@ #include "reduce.h" /* Roots of unity in order needed by forward ntt */ -static const uint32_t zetas[N] = { +static const uint32_t PQCLEAN_DILITHIUMIII_zetas[N] = { 0, 25847, 5771523, 7861508, 237124, 7602457, 7504169, 466468, 1826347, 2353451, 8021166, 6288512, 3119733, 5495562, 3111497, 2680103, 2725464, 1024112, 7300517, 3585928, 7830929, 7260833, 2619752, 6271868, @@ -39,7 +39,7 @@ static const uint32_t zetas[N] = { 7826001, 3919660, 8332111, 7018208, 3937738, 1400424, 7534263, 1976782}; /* Roots of unity in order needed by inverse ntt */ -static const uint32_t zetas_inv[N] = { +static const uint32_t PQCLEAN_DILITHIUMIII_zetas_inv[N] = { 6403635, 846154, 6979993, 4442679, 1362209, 48306, 4460757, 554416, 3545687, 6767575, 976891, 8196974, 2286327, 420899, 2235985, 2939036, 3833893, 260646, 1104333, 1667432, 6470041, 1803090, 6656817, 426683, @@ -83,16 +83,17 @@ static const uint32_t zetas_inv[N] = { * * Arguments: - uint32_t p[N]: input/output coefficient array **************************************************/ -void ntt(uint32_t p[N]) { +void PQCLEAN_DILITHIUMIII_ntt(uint32_t p[N]) { unsigned int len, start, j, k; uint32_t zeta, t; k = 1; for (len = 128; len > 0; len >>= 1) { for (start = 0; start < N; start = j + len) { - zeta = zetas[k++]; + zeta = PQCLEAN_DILITHIUMIII_zetas[k++]; for (j = start; j < start + len; ++j) { - t = montgomery_reduce((uint64_t)zeta * p[j + len]); + t = PQCLEAN_DILITHIUMIII_montgomery_reduce((uint64_t)zeta * + p[j + len]); p[j + len] = p[j] + 2 * Q - t; p[j] = p[j] + t; } @@ -110,7 +111,7 @@ void ntt(uint32_t p[N]) { * * Arguments: - uint32_t p[N]: input/output coefficient array **************************************************/ -void invntt_frominvmont(uint32_t p[N]) { +void PQCLEAN_DILITHIUMIII_invntt_frominvmont(uint32_t p[N]) { unsigned int start, len, j, k; uint32_t t, zeta; const uint32_t f = @@ -119,17 +120,18 @@ void invntt_frominvmont(uint32_t p[N]) { k = 0; for (len = 1; len < N; len <<= 1) { for (start = 0; start < N; start = j + len) { - zeta = zetas_inv[k++]; + zeta = PQCLEAN_DILITHIUMIII_zetas_inv[k++]; for (j = start; j < start + len; ++j) { t = p[j]; p[j] = t + p[j + len]; p[j + len] = t + 256 * Q - p[j + len]; - p[j + len] = montgomery_reduce((uint64_t)zeta * p[j + len]); + p[j + len] = PQCLEAN_DILITHIUMIII_montgomery_reduce( + (uint64_t)zeta * p[j + len]); } } } for (j = 0; j < N; ++j) { - p[j] = montgomery_reduce((uint64_t)f * p[j]); + p[j] = PQCLEAN_DILITHIUMIII_montgomery_reduce((uint64_t)f * p[j]); } } diff --git a/crypto_sign/dilithium-iii/clean/ntt.h b/crypto_sign/dilithium-iii/clean/ntt.h index 840f8048..e855866b 100644 --- a/crypto_sign/dilithium-iii/clean/ntt.h +++ b/crypto_sign/dilithium-iii/clean/ntt.h @@ -4,7 +4,7 @@ #include "params.h" #include -void ntt(uint32_t p[N]); -void invntt_frominvmont(uint32_t p[N]); +void PQCLEAN_DILITHIUMIII_ntt(uint32_t p[N]); +void PQCLEAN_DILITHIUMIII_invntt_frominvmont(uint32_t p[N]); #endif diff --git a/crypto_sign/dilithium-iii/clean/packing.c b/crypto_sign/dilithium-iii/clean/packing.c index 4ff58f16..0adecf6b 100644 --- a/crypto_sign/dilithium-iii/clean/packing.c +++ b/crypto_sign/dilithium-iii/clean/packing.c @@ -12,8 +12,9 @@ * - const unsigned char rho[]: byte array containing rho * - const polyveck *t1: pointer to vector t1 **************************************************/ -void pack_pk(unsigned char pk[CRYPTO_PUBLICKEYBYTES], - const unsigned char rho[SEEDBYTES], const polyveck *t1) { +void PQCLEAN_DILITHIUMIII_pack_pk(unsigned char pk[CRYPTO_PUBLICKEYBYTES], + const unsigned char rho[SEEDBYTES], + const polyveck *t1) { unsigned int i; for (i = 0; i < SEEDBYTES; ++i) { @@ -22,7 +23,8 @@ void pack_pk(unsigned char pk[CRYPTO_PUBLICKEYBYTES], pk += SEEDBYTES; for (i = 0; i < K; ++i) { - polyt1_pack(pk + i * POLT1_SIZE_PACKED, t1->vec + i); + PQCLEAN_DILITHIUMIII_polyt1_pack(pk + i * POLT1_SIZE_PACKED, + t1->vec + i); } } @@ -35,8 +37,9 @@ void pack_pk(unsigned char pk[CRYPTO_PUBLICKEYBYTES], * - const polyveck *t1: pointer to output vector t1 * - unsigned char pk[]: byte array containing bit-packed pk **************************************************/ -void unpack_pk(unsigned char rho[SEEDBYTES], polyveck *t1, - const unsigned char pk[CRYPTO_PUBLICKEYBYTES]) { +void PQCLEAN_DILITHIUMIII_unpack_pk( + unsigned char rho[SEEDBYTES], polyveck *t1, + const unsigned char pk[CRYPTO_PUBLICKEYBYTES]) { unsigned int i; for (i = 0; i < SEEDBYTES; ++i) { @@ -45,7 +48,8 @@ void unpack_pk(unsigned char rho[SEEDBYTES], polyveck *t1, pk += SEEDBYTES; for (i = 0; i < K; ++i) { - polyt1_unpack(t1->vec + i, pk + i * POLT1_SIZE_PACKED); + PQCLEAN_DILITHIUMIII_polyt1_unpack(t1->vec + i, + pk + i * POLT1_SIZE_PACKED); } } @@ -62,11 +66,12 @@ void unpack_pk(unsigned char rho[SEEDBYTES], polyveck *t1, * - const polyveck *s2: pointer to vector s2 * - const polyveck *t0: pointer to vector t0 **************************************************/ -void pack_sk(unsigned char sk[CRYPTO_SECRETKEYBYTES], - const unsigned char rho[SEEDBYTES], - const unsigned char key[SEEDBYTES], - const unsigned char tr[CRHBYTES], const polyvecl *s1, - const polyveck *s2, const polyveck *t0) { +void PQCLEAN_DILITHIUMIII_pack_sk(unsigned char sk[CRYPTO_SECRETKEYBYTES], + const unsigned char rho[SEEDBYTES], + const unsigned char key[SEEDBYTES], + const unsigned char tr[CRHBYTES], + const polyvecl *s1, const polyveck *s2, + const polyveck *t0) { unsigned int i; for (i = 0; i < SEEDBYTES; ++i) { @@ -85,17 +90,20 @@ void pack_sk(unsigned char sk[CRYPTO_SECRETKEYBYTES], sk += CRHBYTES; for (i = 0; i < L; ++i) { - polyeta_pack(sk + i * POLETA_SIZE_PACKED, s1->vec + i); + PQCLEAN_DILITHIUMIII_polyeta_pack(sk + i * POLETA_SIZE_PACKED, + s1->vec + i); } sk += L * POLETA_SIZE_PACKED; for (i = 0; i < K; ++i) { - polyeta_pack(sk + i * POLETA_SIZE_PACKED, s2->vec + i); + PQCLEAN_DILITHIUMIII_polyeta_pack(sk + i * POLETA_SIZE_PACKED, + s2->vec + i); } sk += K * POLETA_SIZE_PACKED; for (i = 0; i < K; ++i) { - polyt0_pack(sk + i * POLT0_SIZE_PACKED, t0->vec + i); + PQCLEAN_DILITHIUMIII_polyt0_pack(sk + i * POLT0_SIZE_PACKED, + t0->vec + i); } } @@ -112,9 +120,10 @@ void pack_sk(unsigned char sk[CRYPTO_SECRETKEYBYTES], * - const polyveck *r0: pointer to output vector t0 * - unsigned char sk[]: byte array containing bit-packed sk **************************************************/ -void unpack_sk(unsigned char rho[SEEDBYTES], unsigned char key[SEEDBYTES], - unsigned char tr[CRHBYTES], polyvecl *s1, polyveck *s2, - polyveck *t0, const unsigned char sk[CRYPTO_SECRETKEYBYTES]) { +void PQCLEAN_DILITHIUMIII_unpack_sk( + unsigned char rho[SEEDBYTES], unsigned char key[SEEDBYTES], + unsigned char tr[CRHBYTES], polyvecl *s1, polyveck *s2, polyveck *t0, + const unsigned char sk[CRYPTO_SECRETKEYBYTES]) { unsigned int i; for (i = 0; i < SEEDBYTES; ++i) { @@ -133,17 +142,20 @@ void unpack_sk(unsigned char rho[SEEDBYTES], unsigned char key[SEEDBYTES], sk += CRHBYTES; for (i = 0; i < L; ++i) { - polyeta_unpack(s1->vec + i, sk + i * POLETA_SIZE_PACKED); + PQCLEAN_DILITHIUMIII_polyeta_unpack(s1->vec + i, + sk + i * POLETA_SIZE_PACKED); } sk += L * POLETA_SIZE_PACKED; for (i = 0; i < K; ++i) { - polyeta_unpack(s2->vec + i, sk + i * POLETA_SIZE_PACKED); + PQCLEAN_DILITHIUMIII_polyeta_unpack(s2->vec + i, + sk + i * POLETA_SIZE_PACKED); } sk += K * POLETA_SIZE_PACKED; for (i = 0; i < K; ++i) { - polyt0_unpack(t0->vec + i, sk + i * POLT0_SIZE_PACKED); + PQCLEAN_DILITHIUMIII_polyt0_unpack(t0->vec + i, + sk + i * POLT0_SIZE_PACKED); } } @@ -157,13 +169,14 @@ void unpack_sk(unsigned char rho[SEEDBYTES], unsigned char key[SEEDBYTES], * - const polyveck *h: pointer to hint vector h * - const poly *c: pointer to challenge polynomial **************************************************/ -void pack_sig(unsigned char sig[CRYPTO_BYTES], const polyvecl *z, - const polyveck *h, const poly *c) { +void PQCLEAN_DILITHIUMIII_pack_sig(unsigned char sig[CRYPTO_BYTES], + const polyvecl *z, const polyveck *h, + const poly *c) { unsigned int i, j, k; uint64_t signs, mask; for (i = 0; i < L; ++i) { - polyz_pack(sig + i * POLZ_SIZE_PACKED, z->vec + i); + PQCLEAN_DILITHIUMIII_polyz_pack(sig + i * POLZ_SIZE_PACKED, z->vec + i); } sig += L * POLZ_SIZE_PACKED; @@ -217,13 +230,14 @@ void pack_sig(unsigned char sig[CRYPTO_BYTES], const polyvecl *z, * * Returns 1 in case of malformed signature; otherwise 0. **************************************************/ -int unpack_sig(polyvecl *z, polyveck *h, poly *c, - const unsigned char sig[CRYPTO_BYTES]) { +int PQCLEAN_DILITHIUMIII_unpack_sig(polyvecl *z, polyveck *h, poly *c, + const unsigned char sig[CRYPTO_BYTES]) { unsigned int i, j, k; uint64_t signs, mask; for (i = 0; i < L; ++i) { - polyz_unpack(z->vec + i, sig + i * POLZ_SIZE_PACKED); + PQCLEAN_DILITHIUMIII_polyz_unpack(z->vec + i, + sig + i * POLZ_SIZE_PACKED); } sig += L * POLZ_SIZE_PACKED; diff --git a/crypto_sign/dilithium-iii/clean/packing.h b/crypto_sign/dilithium-iii/clean/packing.h index d9bc5acc..5884165d 100644 --- a/crypto_sign/dilithium-iii/clean/packing.h +++ b/crypto_sign/dilithium-iii/clean/packing.h @@ -4,22 +4,27 @@ #include "params.h" #include "polyvec.h" -void pack_pk(unsigned char pk[CRYPTO_PUBLICKEYBYTES], - const unsigned char rho[SEEDBYTES], const polyveck *t1); -void pack_sk(unsigned char sk[CRYPTO_SECRETKEYBYTES], - const unsigned char rho[SEEDBYTES], - const unsigned char key[SEEDBYTES], - const unsigned char tr[CRHBYTES], const polyvecl *s1, - const polyveck *s2, const polyveck *t0); -void pack_sig(unsigned char sig[CRYPTO_BYTES], const polyvecl *z, - const polyveck *h, const poly *c); +void PQCLEAN_DILITHIUMIII_pack_pk(unsigned char pk[CRYPTO_PUBLICKEYBYTES], + const unsigned char rho[SEEDBYTES], + const polyveck *t1); +void PQCLEAN_DILITHIUMIII_pack_sk(unsigned char sk[CRYPTO_SECRETKEYBYTES], + const unsigned char rho[SEEDBYTES], + const unsigned char key[SEEDBYTES], + const unsigned char tr[CRHBYTES], + const polyvecl *s1, const polyveck *s2, + const polyveck *t0); +void PQCLEAN_DILITHIUMIII_pack_sig(unsigned char sig[CRYPTO_BYTES], + const polyvecl *z, const polyveck *h, + const poly *c); -void unpack_pk(unsigned char rho[SEEDBYTES], polyveck *t1, - const unsigned char pk[CRYPTO_PUBLICKEYBYTES]); -void unpack_sk(unsigned char rho[SEEDBYTES], unsigned char key[SEEDBYTES], - unsigned char tr[CRHBYTES], polyvecl *s1, polyveck *s2, - polyveck *t0, const unsigned char sk[CRYPTO_SECRETKEYBYTES]); -int unpack_sig(polyvecl *z, polyveck *h, poly *c, - const unsigned char sig[CRYPTO_BYTES]); +void PQCLEAN_DILITHIUMIII_unpack_pk( + unsigned char rho[SEEDBYTES], polyveck *t1, + const unsigned char pk[CRYPTO_PUBLICKEYBYTES]); +void PQCLEAN_DILITHIUMIII_unpack_sk( + unsigned char rho[SEEDBYTES], unsigned char key[SEEDBYTES], + unsigned char tr[CRHBYTES], polyvecl *s1, polyveck *s2, polyveck *t0, + const unsigned char sk[CRYPTO_SECRETKEYBYTES]); +int PQCLEAN_DILITHIUMIII_unpack_sig(polyvecl *z, polyveck *h, poly *c, + const unsigned char sig[CRYPTO_BYTES]); #endif diff --git a/crypto_sign/dilithium-iii/clean/poly.c b/crypto_sign/dilithium-iii/clean/poly.c index 78b075b0..cf9c7ed1 100644 --- a/crypto_sign/dilithium-iii/clean/poly.c +++ b/crypto_sign/dilithium-iii/clean/poly.c @@ -14,11 +14,11 @@ * * Arguments: - poly *a: pointer to input/output polynomial **************************************************/ -void poly_reduce(poly *a) { +void PQCLEAN_DILITHIUMIII_poly_reduce(poly *a) { unsigned int i; for (i = 0; i < N; ++i) { - a->coeffs[i] = reduce32(a->coeffs[i]); + a->coeffs[i] = PQCLEAN_DILITHIUMIII_reduce32(a->coeffs[i]); } } @@ -30,11 +30,11 @@ void poly_reduce(poly *a) { * * Arguments: - poly *a: pointer to input/output polynomial **************************************************/ -void poly_csubq(poly *a) { +void PQCLEAN_DILITHIUMIII_poly_csubq(poly *a) { unsigned int i; for (i = 0; i < N; ++i) { - a->coeffs[i] = csubq(a->coeffs[i]); + a->coeffs[i] = PQCLEAN_DILITHIUMIII_csubq(a->coeffs[i]); } } @@ -46,11 +46,11 @@ void poly_csubq(poly *a) { * * Arguments: - poly *a: pointer to input/output polynomial **************************************************/ -void poly_freeze(poly *a) { +void PQCLEAN_DILITHIUMIII_poly_freeze(poly *a) { unsigned int i; for (i = 0; i < N; ++i) { - a->coeffs[i] = freeze(a->coeffs[i]); + a->coeffs[i] = PQCLEAN_DILITHIUMIII_freeze(a->coeffs[i]); } } @@ -63,7 +63,7 @@ void poly_freeze(poly *a) { * - const poly *a: pointer to first summand * - const poly *b: pointer to second summand **************************************************/ -void poly_add(poly *c, const poly *a, const poly *b) { +void PQCLEAN_DILITHIUMIII_poly_add(poly *c, const poly *a, const poly *b) { unsigned int i; for (i = 0; i < N; ++i) { @@ -83,7 +83,7 @@ void poly_add(poly *c, const poly *a, const poly *b) { * - const poly *b: pointer to second input polynomial to be * subtraced from first input polynomial **************************************************/ -void poly_sub(poly *c, const poly *a, const poly *b) { +void PQCLEAN_DILITHIUMIII_poly_sub(poly *c, const poly *a, const poly *b) { unsigned int i; for (i = 0; i < N; ++i) { @@ -99,7 +99,7 @@ void poly_sub(poly *c, const poly *a, const poly *b) { * * Arguments: - poly *a: pointer to input/output polynomial **************************************************/ -void poly_neg(poly *a) { +void PQCLEAN_DILITHIUMIII_poly_neg(poly *a) { unsigned int i; for (i = 0; i < N; ++i) { @@ -116,7 +116,7 @@ void poly_neg(poly *a) { * Arguments: - poly *a: pointer to input/output polynomial * - unsigned int k: exponent **************************************************/ -void poly_shiftl(poly *a, unsigned int k) { +void PQCLEAN_DILITHIUMIII_poly_shiftl(poly *a, unsigned int k) { unsigned int i; for (i = 0; i < N; ++i) { @@ -132,8 +132,8 @@ void poly_shiftl(poly *a, unsigned int k) { * * Arguments: - poly *a: pointer to input/output polynomial **************************************************/ -void poly_ntt(poly *a) { - ntt(a->coeffs); +void PQCLEAN_DILITHIUMIII_poly_ntt(poly *a) { + PQCLEAN_DILITHIUMIII_ntt(a->coeffs); } /************************************************* @@ -144,8 +144,8 @@ void poly_ntt(poly *a) { * * Arguments: - poly *a: pointer to input/output polynomial **************************************************/ -void poly_invntt_montgomery(poly *a) { - invntt_frominvmont(a->coeffs); +void PQCLEAN_DILITHIUMIII_poly_invntt_montgomery(poly *a) { + PQCLEAN_DILITHIUMIII_invntt_frominvmont(a->coeffs); } /************************************************* @@ -160,11 +160,13 @@ void poly_invntt_montgomery(poly *a) { * - const poly *a: pointer to first input polynomial * - const poly *b: pointer to second input polynomial **************************************************/ -void poly_pointwise_invmontgomery(poly *c, const poly *a, const poly *b) { +void PQCLEAN_DILITHIUMIII_poly_pointwise_invmontgomery(poly *c, const poly *a, + const poly *b) { unsigned int i; for (i = 0; i < N; ++i) { - c->coeffs[i] = montgomery_reduce((uint64_t)a->coeffs[i] * b->coeffs[i]); + c->coeffs[i] = PQCLEAN_DILITHIUMIII_montgomery_reduce( + (uint64_t)a->coeffs[i] * b->coeffs[i]); } } @@ -181,11 +183,12 @@ void poly_pointwise_invmontgomery(poly *c, const poly *a, const poly *b) { *a0 * - const poly *v: pointer to input polynomial **************************************************/ -void poly_power2round(poly *a1, poly *a0, const poly *a) { +void PQCLEAN_DILITHIUMIII_poly_power2round(poly *a1, poly *a0, const poly *a) { unsigned int i; for (i = 0; i < N; ++i) { - a1->coeffs[i] = power2round(a->coeffs[i], a0->coeffs + i); + a1->coeffs[i] = + PQCLEAN_DILITHIUMIII_power2round(a->coeffs[i], a0->coeffs + i); } } @@ -203,11 +206,12 @@ void poly_power2round(poly *a1, poly *a0, const poly *a) { *a0 * - const poly *c: pointer to input polynomial **************************************************/ -void poly_decompose(poly *a1, poly *a0, const poly *a) { +void PQCLEAN_DILITHIUMIII_poly_decompose(poly *a1, poly *a0, const poly *a) { unsigned int i; for (i = 0; i < N; ++i) { - a1->coeffs[i] = decompose(a->coeffs[i], a0->coeffs + i); + a1->coeffs[i] = + PQCLEAN_DILITHIUMIII_decompose(a->coeffs[i], a0->coeffs + i); } } @@ -225,11 +229,13 @@ void poly_decompose(poly *a1, poly *a0, const poly *a) { * * Returns number of 1 bits. **************************************************/ -unsigned int poly_make_hint(poly *h, const poly *a, const poly *b) { +unsigned int PQCLEAN_DILITHIUMIII_poly_make_hint(poly *h, const poly *a, + const poly *b) { unsigned int i, s = 0; for (i = 0; i < N; ++i) { - h->coeffs[i] = make_hint(a->coeffs[i], b->coeffs[i]); + h->coeffs[i] = + PQCLEAN_DILITHIUMIII_make_hint(a->coeffs[i], b->coeffs[i]); s += h->coeffs[i]; } return s; @@ -244,11 +250,12 @@ unsigned int poly_make_hint(poly *h, const poly *a, const poly *b) { * - const poly *b: pointer to input polynomial * - const poly *h: pointer to input hint polynomial **************************************************/ -void poly_use_hint(poly *a, const poly *b, const poly *h) { +void PQCLEAN_DILITHIUMIII_poly_use_hint(poly *a, const poly *b, const poly *h) { unsigned int i; for (i = 0; i < N; ++i) { - a->coeffs[i] = use_hint(b->coeffs[i], h->coeffs[i]); + a->coeffs[i] = + PQCLEAN_DILITHIUMIII_use_hint(b->coeffs[i], h->coeffs[i]); } } @@ -263,7 +270,7 @@ void poly_use_hint(poly *a, const poly *b, const poly *h) { * * Returns 0 if norm is strictly smaller than B and 1 otherwise. **************************************************/ -int poly_chknorm(const poly *a, uint32_t B) { +int PQCLEAN_DILITHIUMIII_poly_chknorm(const poly *a, uint32_t B) { unsigned int i; int32_t t; @@ -293,7 +300,7 @@ int poly_chknorm(const poly *a, uint32_t B) { * Arguments: - poly *a: pointer to output polynomial * - const unsigned char *buf: array of random bytes **************************************************/ -void poly_uniform(poly *a, const unsigned char *buf) { +void PQCLEAN_DILITHIUMIII_poly_uniform(poly *a, const unsigned char *buf) { unsigned int ctr, pos; uint32_t t; @@ -364,8 +371,9 @@ static unsigned int rej_eta(uint32_t *a, unsigned int len, * SEEDBYTES * - unsigned char nonce: nonce byte **************************************************/ -void poly_uniform_eta(poly *a, const unsigned char seed[SEEDBYTES], - unsigned char nonce) { +void PQCLEAN_DILITHIUMIII_poly_uniform_eta(poly *a, + const unsigned char seed[SEEDBYTES], + unsigned char nonce) { unsigned int i, ctr; unsigned char inbuf[SEEDBYTES + 1]; /* Probability that we need more than 2 blocks: < 2^{-84} @@ -448,9 +456,8 @@ static unsigned int rej_gamma1m1(uint32_t *a, unsigned int len, * SEEDBYTES + CRHBYTES * - uint16_t nonce: 16-bit nonce **************************************************/ -void poly_uniform_gamma1m1(poly *a, - const unsigned char seed[SEEDBYTES + CRHBYTES], - uint16_t nonce) { +void PQCLEAN_DILITHIUMIII_poly_uniform_gamma1m1( + poly *a, const unsigned char seed[SEEDBYTES + CRHBYTES], uint16_t nonce) { unsigned int i, ctr; unsigned char inbuf[SEEDBYTES + CRHBYTES + 2]; /* Probability that we need more than 5 blocks: < 2^{-81} @@ -486,7 +493,7 @@ void poly_uniform_gamma1m1(poly *a, * POLETA_SIZE_PACKED bytes * - const poly *a: pointer to input polynomial **************************************************/ -void polyeta_pack(unsigned char *r, const poly *a) { +void PQCLEAN_DILITHIUMIII_polyeta_pack(unsigned char *r, const poly *a) { #if ETA > 7 #error "polyeta_pack() assumes ETA <= 7" #endif @@ -533,7 +540,7 @@ void polyeta_pack(unsigned char *r, const poly *a) { * Arguments: - poly *r: pointer to output polynomial * - const unsigned char *a: byte array with bit-packed polynomial **************************************************/ -void polyeta_unpack(poly *r, const unsigned char *a) { +void PQCLEAN_DILITHIUMIII_polyeta_unpack(poly *r, const unsigned char *a) { unsigned int i; #if ETA <= 3 @@ -578,7 +585,7 @@ void polyeta_unpack(poly *r, const unsigned char *a) { * POLT1_SIZE_PACKED bytes * - const poly *a: pointer to input polynomial **************************************************/ -void polyt1_pack(unsigned char *r, const poly *a) { +void PQCLEAN_DILITHIUMIII_polyt1_pack(unsigned char *r, const poly *a) { #if D != 14 #error "polyt1_pack() assumes D == 14" #endif @@ -613,7 +620,7 @@ void polyt1_pack(unsigned char *r, const poly *a) { * Arguments: - poly *r: pointer to output polynomial * - const unsigned char *a: byte array with bit-packed polynomial **************************************************/ -void polyt1_unpack(poly *r, const unsigned char *a) { +void PQCLEAN_DILITHIUMIII_polyt1_unpack(poly *r, const unsigned char *a) { unsigned int i; for (i = 0; i < N / 8; ++i) { @@ -646,7 +653,7 @@ void polyt1_unpack(poly *r, const unsigned char *a) { * POLT0_SIZE_PACKED bytes * - const poly *a: pointer to input polynomial **************************************************/ -void polyt0_pack(unsigned char *r, const poly *a) { +void PQCLEAN_DILITHIUMIII_polyt0_pack(unsigned char *r, const poly *a) { unsigned int i; uint32_t t[4]; @@ -678,7 +685,7 @@ void polyt0_pack(unsigned char *r, const poly *a) { * Arguments: - poly *r: pointer to output polynomial * - const unsigned char *a: byte array with bit-packed polynomial **************************************************/ -void polyt0_unpack(poly *r, const unsigned char *a) { +void PQCLEAN_DILITHIUMIII_polyt0_unpack(poly *r, const unsigned char *a) { unsigned int i; for (i = 0; i < N / 4; ++i) { @@ -714,7 +721,7 @@ void polyt0_unpack(poly *r, const unsigned char *a) { * POLZ_SIZE_PACKED bytes * - const poly *a: pointer to input polynomial **************************************************/ -void polyz_pack(unsigned char *r, const poly *a) { +void PQCLEAN_DILITHIUMIII_polyz_pack(unsigned char *r, const poly *a) { #if GAMMA1 > (1 << 19) #error "polyz_pack() assumes GAMMA1 <= 2^{19}" #endif @@ -747,7 +754,7 @@ void polyz_pack(unsigned char *r, const poly *a) { * Arguments: - poly *r: pointer to output polynomial * - const unsigned char *a: byte array with bit-packed polynomial **************************************************/ -void polyz_unpack(poly *r, const unsigned char *a) { +void PQCLEAN_DILITHIUMIII_polyz_unpack(poly *r, const unsigned char *a) { unsigned int i; for (i = 0; i < N / 2; ++i) { @@ -776,7 +783,7 @@ void polyz_unpack(poly *r, const unsigned char *a) { * POLW1_SIZE_PACKED bytes * - const poly *a: pointer to input polynomial **************************************************/ -void polyw1_pack(unsigned char *r, const poly *a) { +void PQCLEAN_DILITHIUMIII_polyw1_pack(unsigned char *r, const poly *a) { unsigned int i; for (i = 0; i < N / 2; ++i) { diff --git a/crypto_sign/dilithium-iii/clean/poly.h b/crypto_sign/dilithium-iii/clean/poly.h index 9751740b..c8b984f9 100644 --- a/crypto_sign/dilithium-iii/clean/poly.h +++ b/crypto_sign/dilithium-iii/clean/poly.h @@ -9,43 +9,45 @@ typedef struct { uint32_t coeffs[N]; } poly __attribute__((aligned(32))); -void poly_reduce(poly *a); -void poly_csubq(poly *a); -void poly_freeze(poly *a); +void PQCLEAN_DILITHIUMIII_poly_reduce(poly *a); +void PQCLEAN_DILITHIUMIII_poly_csubq(poly *a); +void PQCLEAN_DILITHIUMIII_poly_freeze(poly *a); -void poly_add(poly *c, const poly *a, const poly *b); -void poly_sub(poly *c, const poly *a, const poly *b); -void poly_neg(poly *a); -void poly_shiftl(poly *a, unsigned int k); +void PQCLEAN_DILITHIUMIII_poly_add(poly *c, const poly *a, const poly *b); +void PQCLEAN_DILITHIUMIII_poly_sub(poly *c, const poly *a, const poly *b); +void PQCLEAN_DILITHIUMIII_poly_neg(poly *a); +void PQCLEAN_DILITHIUMIII_poly_shiftl(poly *a, unsigned int k); -void poly_ntt(poly *a); -void poly_invntt_montgomery(poly *a); -void poly_pointwise_invmontgomery(poly *c, const poly *a, const poly *b); +void PQCLEAN_DILITHIUMIII_poly_ntt(poly *a); +void PQCLEAN_DILITHIUMIII_poly_invntt_montgomery(poly *a); +void PQCLEAN_DILITHIUMIII_poly_pointwise_invmontgomery(poly *c, const poly *a, + const poly *b); -void poly_power2round(poly *a1, poly *a0, const poly *a); -void poly_decompose(poly *a1, poly *a0, const poly *a); -unsigned int poly_make_hint(poly *h, const poly *a, const poly *b); -void poly_use_hint(poly *a, const poly *b, const poly *h); +void PQCLEAN_DILITHIUMIII_poly_power2round(poly *a1, poly *a0, const poly *a); +void PQCLEAN_DILITHIUMIII_poly_decompose(poly *a1, poly *a0, const poly *a); +unsigned int PQCLEAN_DILITHIUMIII_poly_make_hint(poly *h, const poly *a, + const poly *b); +void PQCLEAN_DILITHIUMIII_poly_use_hint(poly *a, const poly *b, const poly *h); -int poly_chknorm(const poly *a, uint32_t B); -void poly_uniform(poly *a, const unsigned char *buf); -void poly_uniform_eta(poly *a, const unsigned char seed[SEEDBYTES], - unsigned char nonce); -void poly_uniform_gamma1m1(poly *a, - const unsigned char seed[SEEDBYTES + CRHBYTES], - uint16_t nonce); +int PQCLEAN_DILITHIUMIII_poly_chknorm(const poly *a, uint32_t B); +void PQCLEAN_DILITHIUMIII_poly_uniform(poly *a, const unsigned char *buf); +void PQCLEAN_DILITHIUMIII_poly_uniform_eta(poly *a, + const unsigned char seed[SEEDBYTES], + unsigned char nonce); +void PQCLEAN_DILITHIUMIII_poly_uniform_gamma1m1( + poly *a, const unsigned char seed[SEEDBYTES + CRHBYTES], uint16_t nonce); -void polyeta_pack(unsigned char *r, const poly *a); -void polyeta_unpack(poly *r, const unsigned char *a); +void PQCLEAN_DILITHIUMIII_polyeta_pack(unsigned char *r, const poly *a); +void PQCLEAN_DILITHIUMIII_polyeta_unpack(poly *r, const unsigned char *a); -void polyt1_pack(unsigned char *r, const poly *a); -void polyt1_unpack(poly *r, const unsigned char *a); +void PQCLEAN_DILITHIUMIII_polyt1_pack(unsigned char *r, const poly *a); +void PQCLEAN_DILITHIUMIII_polyt1_unpack(poly *r, const unsigned char *a); -void polyt0_pack(unsigned char *r, const poly *a); -void polyt0_unpack(poly *r, const unsigned char *a); +void PQCLEAN_DILITHIUMIII_polyt0_pack(unsigned char *r, const poly *a); +void PQCLEAN_DILITHIUMIII_polyt0_unpack(poly *r, const unsigned char *a); -void polyz_pack(unsigned char *r, const poly *a); -void polyz_unpack(poly *r, const unsigned char *a); +void PQCLEAN_DILITHIUMIII_polyz_pack(unsigned char *r, const poly *a); +void PQCLEAN_DILITHIUMIII_polyz_unpack(poly *r, const unsigned char *a); -void polyw1_pack(unsigned char *r, const poly *a); +void PQCLEAN_DILITHIUMIII_polyw1_pack(unsigned char *r, const poly *a); #endif diff --git a/crypto_sign/dilithium-iii/clean/polyvec.c b/crypto_sign/dilithium-iii/clean/polyvec.c index 70d9d477..308e3b04 100644 --- a/crypto_sign/dilithium-iii/clean/polyvec.c +++ b/crypto_sign/dilithium-iii/clean/polyvec.c @@ -15,11 +15,11 @@ * * Arguments: - polyvecl *v: pointer to input/output vector **************************************************/ -void polyvecl_freeze(polyvecl *v) { +void PQCLEAN_DILITHIUMIII_polyvecl_freeze(polyvecl *v) { unsigned int i; for (i = 0; i < L; ++i) { - poly_freeze(v->vec + i); + PQCLEAN_DILITHIUMIII_poly_freeze(v->vec + i); } } @@ -33,11 +33,12 @@ void polyvecl_freeze(polyvecl *v) { * - const polyvecl *u: pointer to first summand * - const polyvecl *v: pointer to second summand **************************************************/ -void polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v) { +void PQCLEAN_DILITHIUMIII_polyvecl_add(polyvecl *w, const polyvecl *u, + const polyvecl *v) { unsigned int i; for (i = 0; i < L; ++i) { - poly_add(w->vec + i, u->vec + i, v->vec + i); + PQCLEAN_DILITHIUMIII_poly_add(w->vec + i, u->vec + i, v->vec + i); } } @@ -49,11 +50,11 @@ void polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v) { * * Arguments: - polyvecl *v: pointer to input/output vector **************************************************/ -void polyvecl_ntt(polyvecl *v) { +void PQCLEAN_DILITHIUMIII_polyvecl_ntt(polyvecl *v) { unsigned int i; for (i = 0; i < L; ++i) { - poly_ntt(v->vec + i); + PQCLEAN_DILITHIUMIII_poly_ntt(v->vec + i); } } @@ -70,16 +71,18 @@ void polyvecl_ntt(polyvecl *v) { * - const polyvecl *u: pointer to first input vector * - const polyvecl *v: pointer to second input vector **************************************************/ -void polyvecl_pointwise_acc_invmontgomery(poly *w, const polyvecl *u, - const polyvecl *v) { +void PQCLEAN_DILITHIUMIII_polyvecl_pointwise_acc_invmontgomery( + poly *w, const polyvecl *u, const polyvecl *v) { unsigned int i; poly t; - poly_pointwise_invmontgomery(w, u->vec + 0, v->vec + 0); + PQCLEAN_DILITHIUMIII_poly_pointwise_invmontgomery(w, u->vec + 0, + v->vec + 0); for (i = 1; i < L; ++i) { - poly_pointwise_invmontgomery(&t, u->vec + i, v->vec + i); - poly_add(w, w, &t); + PQCLEAN_DILITHIUMIII_poly_pointwise_invmontgomery(&t, u->vec + i, + v->vec + i); + PQCLEAN_DILITHIUMIII_poly_add(w, w, &t); } } @@ -95,12 +98,12 @@ void polyvecl_pointwise_acc_invmontgomery(poly *w, const polyvecl *u, * Returns 0 if norm of all polynomials is strictly smaller than B and 1 * otherwise. **************************************************/ -int polyvecl_chknorm(const polyvecl *v, uint32_t bound) { +int PQCLEAN_DILITHIUMIII_polyvecl_chknorm(const polyvecl *v, uint32_t bound) { unsigned int i; int ret = 0; for (i = 0; i < L; ++i) { - ret |= poly_chknorm(v->vec + i, bound); + ret |= PQCLEAN_DILITHIUMIII_poly_chknorm(v->vec + i, bound); } return ret; @@ -118,11 +121,11 @@ int polyvecl_chknorm(const polyvecl *v, uint32_t bound) { * * Arguments: - polyveck *v: pointer to input/output vector **************************************************/ -void polyveck_reduce(polyveck *v) { +void PQCLEAN_DILITHIUMIII_polyveck_reduce(polyveck *v) { unsigned int i; for (i = 0; i < K; ++i) { - poly_reduce(v->vec + i); + PQCLEAN_DILITHIUMIII_poly_reduce(v->vec + i); } } @@ -134,11 +137,11 @@ void polyveck_reduce(polyveck *v) { * * Arguments: - polyveck *v: pointer to input/output vector **************************************************/ -void polyveck_csubq(polyveck *v) { +void PQCLEAN_DILITHIUMIII_polyveck_csubq(polyveck *v) { unsigned int i; for (i = 0; i < K; ++i) { - poly_csubq(v->vec + i); + PQCLEAN_DILITHIUMIII_poly_csubq(v->vec + i); } } @@ -150,11 +153,11 @@ void polyveck_csubq(polyveck *v) { * * Arguments: - polyveck *v: pointer to input/output vector **************************************************/ -void polyveck_freeze(polyveck *v) { +void PQCLEAN_DILITHIUMIII_polyveck_freeze(polyveck *v) { unsigned int i; for (i = 0; i < K; ++i) { - poly_freeze(v->vec + i); + PQCLEAN_DILITHIUMIII_poly_freeze(v->vec + i); } } @@ -168,11 +171,12 @@ void polyveck_freeze(polyveck *v) { * - const polyveck *u: pointer to first summand * - const polyveck *v: pointer to second summand **************************************************/ -void polyveck_add(polyveck *w, const polyveck *u, const polyveck *v) { +void PQCLEAN_DILITHIUMIII_polyveck_add(polyveck *w, const polyveck *u, + const polyveck *v) { unsigned int i; for (i = 0; i < K; ++i) { - poly_add(w->vec + i, u->vec + i, v->vec + i); + PQCLEAN_DILITHIUMIII_poly_add(w->vec + i, u->vec + i, v->vec + i); } } @@ -188,11 +192,12 @@ void polyveck_add(polyveck *w, const polyveck *u, const polyveck *v) { * - const polyveck *v: pointer to second input vector to be * subtracted from first input vector **************************************************/ -void polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v) { +void PQCLEAN_DILITHIUMIII_polyveck_sub(polyveck *w, const polyveck *u, + const polyveck *v) { unsigned int i; for (i = 0; i < K; ++i) { - poly_sub(w->vec + i, u->vec + i, v->vec + i); + PQCLEAN_DILITHIUMIII_poly_sub(w->vec + i, u->vec + i, v->vec + i); } } @@ -205,11 +210,11 @@ void polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v) { * Arguments: - polyveck *v: pointer to input/output vector * - unsigned int k: exponent **************************************************/ -void polyveck_shiftl(polyveck *v, unsigned int k) { +void PQCLEAN_DILITHIUMIII_polyveck_shiftl(polyveck *v, unsigned int k) { unsigned int i; for (i = 0; i < K; ++i) { - poly_shiftl(v->vec + i, k); + PQCLEAN_DILITHIUMIII_poly_shiftl(v->vec + i, k); } } @@ -221,11 +226,11 @@ void polyveck_shiftl(polyveck *v, unsigned int k) { * * Arguments: - polyveck *v: pointer to input/output vector **************************************************/ -void polyveck_ntt(polyveck *v) { +void PQCLEAN_DILITHIUMIII_polyveck_ntt(polyveck *v) { unsigned int i; for (i = 0; i < K; ++i) { - poly_ntt(v->vec + i); + PQCLEAN_DILITHIUMIII_poly_ntt(v->vec + i); } } @@ -238,11 +243,11 @@ void polyveck_ntt(polyveck *v) { * * Arguments: - polyveck *v: pointer to input/output vector **************************************************/ -void polyveck_invntt_montgomery(polyveck *v) { +void PQCLEAN_DILITHIUMIII_polyveck_invntt_montgomery(polyveck *v) { unsigned int i; for (i = 0; i < K; ++i) { - poly_invntt_montgomery(v->vec + i); + PQCLEAN_DILITHIUMIII_poly_invntt_montgomery(v->vec + i); } } @@ -258,12 +263,12 @@ void polyveck_invntt_montgomery(polyveck *v) { * Returns 0 if norm of all polynomials are strictly smaller than B and 1 * otherwise. **************************************************/ -int polyveck_chknorm(const polyveck *v, uint32_t bound) { +int PQCLEAN_DILITHIUMIII_polyveck_chknorm(const polyveck *v, uint32_t bound) { unsigned int i; int ret = 0; for (i = 0; i < K; ++i) { - ret |= poly_chknorm(v->vec + i, bound); + ret |= PQCLEAN_DILITHIUMIII_poly_chknorm(v->vec + i, bound); } return ret; @@ -283,11 +288,13 @@ int polyveck_chknorm(const polyveck *v, uint32_t bound) { * coefficients Q + a0 * - const polyveck *v: pointer to input vector **************************************************/ -void polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v) { +void PQCLEAN_DILITHIUMIII_polyveck_power2round(polyveck *v1, polyveck *v0, + const polyveck *v) { unsigned int i; for (i = 0; i < K; ++i) { - poly_power2round(v1->vec + i, v0->vec + i, v->vec + i); + PQCLEAN_DILITHIUMIII_poly_power2round(v1->vec + i, v0->vec + i, + v->vec + i); } } @@ -306,11 +313,13 @@ void polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v) { * coefficients Q + a0 * - const polyveck *v: pointer to input vector **************************************************/ -void polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v) { +void PQCLEAN_DILITHIUMIII_polyveck_decompose(polyveck *v1, polyveck *v0, + const polyveck *v) { unsigned int i; for (i = 0; i < K; ++i) { - poly_decompose(v1->vec + i, v0->vec + i, v->vec + i); + PQCLEAN_DILITHIUMIII_poly_decompose(v1->vec + i, v0->vec + i, + v->vec + i); } } @@ -325,12 +334,14 @@ void polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v) { * * Returns number of 1 bits. **************************************************/ -unsigned int polyveck_make_hint(polyveck *h, const polyveck *u, - const polyveck *v) { +unsigned int PQCLEAN_DILITHIUMIII_polyveck_make_hint(polyveck *h, + const polyveck *u, + const polyveck *v) { unsigned int i, s = 0; for (i = 0; i < K; ++i) { - s += poly_make_hint(h->vec + i, u->vec + i, v->vec + i); + s += PQCLEAN_DILITHIUMIII_poly_make_hint(h->vec + i, u->vec + i, + v->vec + i); } return s; @@ -346,10 +357,11 @@ unsigned int polyveck_make_hint(polyveck *h, const polyveck *u, * - const polyveck *u: pointer to input vector * - const polyveck *h: pointer to input hint vector **************************************************/ -void polyveck_use_hint(polyveck *w, const polyveck *u, const polyveck *h) { +void PQCLEAN_DILITHIUMIII_polyveck_use_hint(polyveck *w, const polyveck *u, + const polyveck *h) { unsigned int i; for (i = 0; i < K; ++i) { - poly_use_hint(w->vec + i, u->vec + i, h->vec + i); + PQCLEAN_DILITHIUMIII_poly_use_hint(w->vec + i, u->vec + i, h->vec + i); } } diff --git a/crypto_sign/dilithium-iii/clean/polyvec.h b/crypto_sign/dilithium-iii/clean/polyvec.h index 9f593cd8..68f6aeed 100644 --- a/crypto_sign/dilithium-iii/clean/polyvec.h +++ b/crypto_sign/dilithium-iii/clean/polyvec.h @@ -10,38 +10,45 @@ typedef struct { poly vec[L]; } polyvecl; -void polyvecl_freeze(polyvecl *v); +void PQCLEAN_DILITHIUMIII_polyvecl_freeze(polyvecl *v); -void polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v); +void PQCLEAN_DILITHIUMIII_polyvecl_add(polyvecl *w, const polyvecl *u, + const polyvecl *v); -void polyvecl_ntt(polyvecl *v); -void polyvecl_pointwise_acc_invmontgomery(poly *w, const polyvecl *u, - const polyvecl *v); +void PQCLEAN_DILITHIUMIII_polyvecl_ntt(polyvecl *v); +void PQCLEAN_DILITHIUMIII_polyvecl_pointwise_acc_invmontgomery( + poly *w, const polyvecl *u, const polyvecl *v); -int polyvecl_chknorm(const polyvecl *v, uint32_t bound); +int PQCLEAN_DILITHIUMIII_polyvecl_chknorm(const polyvecl *v, uint32_t bound); /* Vectors of polynomials of length K */ typedef struct { poly vec[K]; } polyveck; -void polyveck_reduce(polyveck *v); -void polyveck_csubq(polyveck *v); -void polyveck_freeze(polyveck *v); +void PQCLEAN_DILITHIUMIII_polyveck_reduce(polyveck *v); +void PQCLEAN_DILITHIUMIII_polyveck_csubq(polyveck *v); +void PQCLEAN_DILITHIUMIII_polyveck_freeze(polyveck *v); -void polyveck_add(polyveck *w, const polyveck *u, const polyveck *v); -void polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v); -void polyveck_shiftl(polyveck *v, unsigned int k); +void PQCLEAN_DILITHIUMIII_polyveck_add(polyveck *w, const polyveck *u, + const polyveck *v); +void PQCLEAN_DILITHIUMIII_polyveck_sub(polyveck *w, const polyveck *u, + const polyveck *v); +void PQCLEAN_DILITHIUMIII_polyveck_shiftl(polyveck *v, unsigned int k); -void polyveck_ntt(polyveck *v); -void polyveck_invntt_montgomery(polyveck *v); +void PQCLEAN_DILITHIUMIII_polyveck_ntt(polyveck *v); +void PQCLEAN_DILITHIUMIII_polyveck_invntt_montgomery(polyveck *v); -int polyveck_chknorm(const polyveck *v, uint32_t bound); +int PQCLEAN_DILITHIUMIII_polyveck_chknorm(const polyveck *v, uint32_t bound); -void polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v); -void polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v); -unsigned int polyveck_make_hint(polyveck *h, const polyveck *u, - const polyveck *v); -void polyveck_use_hint(polyveck *w, const polyveck *u, const polyveck *h); +void PQCLEAN_DILITHIUMIII_polyveck_power2round(polyveck *v1, polyveck *v0, + const polyveck *v); +void PQCLEAN_DILITHIUMIII_polyveck_decompose(polyveck *v1, polyveck *v0, + const polyveck *v); +unsigned int PQCLEAN_DILITHIUMIII_polyveck_make_hint(polyveck *h, + const polyveck *u, + const polyveck *v); +void PQCLEAN_DILITHIUMIII_polyveck_use_hint(polyveck *w, const polyveck *u, + const polyveck *h); #endif diff --git a/crypto_sign/dilithium-iii/clean/reduce.c b/crypto_sign/dilithium-iii/clean/reduce.c index 44c6e27f..3cbee4fe 100644 --- a/crypto_sign/dilithium-iii/clean/reduce.c +++ b/crypto_sign/dilithium-iii/clean/reduce.c @@ -12,7 +12,7 @@ * * Returns r. **************************************************/ -uint32_t montgomery_reduce(uint64_t a) { +uint32_t PQCLEAN_DILITHIUMIII_montgomery_reduce(uint64_t a) { uint64_t t; t = a * QINV; @@ -33,7 +33,7 @@ uint32_t montgomery_reduce(uint64_t a) { * * Returns r. **************************************************/ -uint32_t reduce32(uint32_t a) { +uint32_t PQCLEAN_DILITHIUMIII_reduce32(uint32_t a) { uint32_t t; t = a & 0x7FFFFF; @@ -51,7 +51,7 @@ uint32_t reduce32(uint32_t a) { * * Returns r. **************************************************/ -uint32_t csubq(uint32_t a) { +uint32_t PQCLEAN_DILITHIUMIII_csubq(uint32_t a) { a -= Q; a += ((int32_t)a >> 31) & Q; return a; @@ -67,8 +67,8 @@ uint32_t csubq(uint32_t a) { * * Returns r. **************************************************/ -uint32_t freeze(uint32_t a) { - a = reduce32(a); - a = csubq(a); +uint32_t PQCLEAN_DILITHIUMIII_freeze(uint32_t a) { + a = PQCLEAN_DILITHIUMIII_reduce32(a); + a = PQCLEAN_DILITHIUMIII_csubq(a); return a; } diff --git a/crypto_sign/dilithium-iii/clean/reduce.h b/crypto_sign/dilithium-iii/clean/reduce.h index 83aeffaf..61a09c4b 100644 --- a/crypto_sign/dilithium-iii/clean/reduce.h +++ b/crypto_sign/dilithium-iii/clean/reduce.h @@ -7,15 +7,15 @@ #define QINV 4236238847U // -q^(-1) mod 2^32 /* a <= Q*2^32 => r < 2*Q */ -uint32_t montgomery_reduce(uint64_t a); +uint32_t PQCLEAN_DILITHIUMIII_montgomery_reduce(uint64_t a); /* r < 2*Q */ -uint32_t reduce32(uint32_t a); +uint32_t PQCLEAN_DILITHIUMIII_reduce32(uint32_t a); /* a < 2*Q => r < Q */ -uint32_t csubq(uint32_t a); +uint32_t PQCLEAN_DILITHIUMIII_csubq(uint32_t a); /* r < Q */ -uint32_t freeze(uint32_t a); +uint32_t PQCLEAN_DILITHIUMIII_freeze(uint32_t a); #endif diff --git a/crypto_sign/dilithium-iii/clean/rounding.c b/crypto_sign/dilithium-iii/clean/rounding.c index fba70fbc..038ec993 100644 --- a/crypto_sign/dilithium-iii/clean/rounding.c +++ b/crypto_sign/dilithium-iii/clean/rounding.c @@ -13,7 +13,7 @@ * * Returns a1. **************************************************/ -uint32_t power2round(uint32_t a, uint32_t *a0) { +uint32_t PQCLEAN_DILITHIUMIII_power2round(uint32_t a, uint32_t *a0) { int32_t t; /* Centralized remainder mod 2^D */ @@ -39,7 +39,7 @@ uint32_t power2round(uint32_t a, uint32_t *a0) { * * Returns a1. **************************************************/ -uint32_t decompose(uint32_t a, uint32_t *a0) { +uint32_t PQCLEAN_DILITHIUMIII_decompose(uint32_t a, uint32_t *a0) { #if ALPHA != (Q - 1) / 16 #error "decompose assumes ALPHA == (Q-1)/16" #endif @@ -77,10 +77,12 @@ uint32_t decompose(uint32_t a, uint32_t *a0) { * * Returns 1 if high bits of a and b differ and 0 otherwise. **************************************************/ -unsigned int make_hint(const uint32_t a, const uint32_t b) { +unsigned int PQCLEAN_DILITHIUMIII_make_hint(const uint32_t a, + const uint32_t b) { uint32_t t; - return decompose(a, &t) != decompose(b, &t); + return PQCLEAN_DILITHIUMIII_decompose(a, &t) != + PQCLEAN_DILITHIUMIII_decompose(b, &t); } /************************************************* @@ -93,10 +95,11 @@ unsigned int make_hint(const uint32_t a, const uint32_t b) { * * Returns corrected high bits. **************************************************/ -uint32_t use_hint(const uint32_t a, const unsigned int hint) { +uint32_t PQCLEAN_DILITHIUMIII_use_hint(const uint32_t a, + const unsigned int hint) { uint32_t a0, a1; - a1 = decompose(a, &a0); + a1 = PQCLEAN_DILITHIUMIII_decompose(a, &a0); if (hint == 0) { return a1; } diff --git a/crypto_sign/dilithium-iii/clean/rounding.h b/crypto_sign/dilithium-iii/clean/rounding.h index b621a5dc..499cd30d 100644 --- a/crypto_sign/dilithium-iii/clean/rounding.h +++ b/crypto_sign/dilithium-iii/clean/rounding.h @@ -3,9 +3,9 @@ #include -uint32_t power2round(uint32_t a, uint32_t *a0); -uint32_t decompose(uint32_t a, uint32_t *a0); -unsigned int make_hint(uint32_t a, uint32_t b); -uint32_t use_hint(uint32_t a, unsigned int hint); +uint32_t PQCLEAN_DILITHIUMIII_power2round(uint32_t a, uint32_t *a0); +uint32_t PQCLEAN_DILITHIUMIII_decompose(uint32_t a, uint32_t *a0); +unsigned int PQCLEAN_DILITHIUMIII_make_hint(uint32_t a, uint32_t b); +uint32_t PQCLEAN_DILITHIUMIII_use_hint(uint32_t a, unsigned int hint); #endif diff --git a/crypto_sign/dilithium-iii/clean/sign.c b/crypto_sign/dilithium-iii/clean/sign.c index 99a5f07e..3e31a1e7 100644 --- a/crypto_sign/dilithium-iii/clean/sign.c +++ b/crypto_sign/dilithium-iii/clean/sign.c @@ -17,7 +17,8 @@ * Arguments: - polyvecl mat[K]: output matrix * - const unsigned char rho[]: byte array containing seed rho **************************************************/ -void expand_mat(polyvecl mat[K], const unsigned char rho[SEEDBYTES]) { +void PQCLEAN_DILITHIUMIII_expand_mat(polyvecl mat[K], + const unsigned char rho[SEEDBYTES]) { unsigned int i, j; unsigned char inbuf[SEEDBYTES + 1]; /* Don't change this to smaller values, @@ -34,7 +35,7 @@ void expand_mat(polyvecl mat[K], const unsigned char rho[SEEDBYTES]) { for (j = 0; j < L; ++j) { inbuf[SEEDBYTES] = i + (j << 4); shake128(outbuf, sizeof(outbuf), inbuf, SEEDBYTES + 1); - poly_uniform(mat[i].vec + j, outbuf); + PQCLEAN_DILITHIUMIII_poly_uniform(mat[i].vec + j, outbuf); } } } @@ -50,7 +51,8 @@ void expand_mat(polyvecl mat[K], const unsigned char rho[SEEDBYTES]) { * - const unsigned char mu[]: byte array containing mu * - const polyveck *w1: pointer to vector w1 **************************************************/ -void challenge(poly *c, const unsigned char mu[CRHBYTES], const polyveck *w1) { +void PQCLEAN_DILITHIUMIII_challenge(poly *c, const unsigned char mu[CRHBYTES], + const polyveck *w1) { unsigned int i, b, pos; unsigned char inbuf[CRHBYTES + K * POLW1_SIZE_PACKED]; unsigned char outbuf[SHAKE256_RATE]; @@ -60,7 +62,8 @@ void challenge(poly *c, const unsigned char mu[CRHBYTES], const polyveck *w1) { inbuf[i] = mu[i]; } for (i = 0; i < K; ++i) { - polyw1_pack(inbuf + CRHBYTES + i * POLW1_SIZE_PACKED, w1->vec + i); + PQCLEAN_DILITHIUMIII_polyw1_pack( + inbuf + CRHBYTES + i * POLW1_SIZE_PACKED, w1->vec + i); } shake256_absorb(state, inbuf, sizeof(inbuf)); @@ -106,7 +109,8 @@ void challenge(poly *c, const unsigned char mu[CRHBYTES], const polyveck *w1) { * * Returns 0 (success) **************************************************/ -int crypto_sign_keypair(unsigned char *pk, unsigned char *sk) { +int PQCLEAN_DILITHIUMIII_crypto_sign_keypair(unsigned char *pk, + unsigned char *sk) { unsigned int i; unsigned char seedbuf[3 * SEEDBYTES]; unsigned char tr[CRHBYTES]; @@ -124,36 +128,37 @@ int crypto_sign_keypair(unsigned char *pk, unsigned char *sk) { key = rho + 2 * SEEDBYTES; /* Expand matrix */ - expand_mat(mat, rho); + PQCLEAN_DILITHIUMIII_expand_mat(mat, rho); /* Sample short vectors s1 and s2 */ for (i = 0; i < L; ++i) { - poly_uniform_eta(s1.vec + i, rhoprime, nonce++); + PQCLEAN_DILITHIUMIII_poly_uniform_eta(s1.vec + i, rhoprime, nonce++); } for (i = 0; i < K; ++i) { - poly_uniform_eta(s2.vec + i, rhoprime, nonce++); + PQCLEAN_DILITHIUMIII_poly_uniform_eta(s2.vec + i, rhoprime, nonce++); } /* Matrix-vector multiplication */ s1hat = s1; - polyvecl_ntt(&s1hat); + PQCLEAN_DILITHIUMIII_polyvecl_ntt(&s1hat); for (i = 0; i < K; ++i) { - polyvecl_pointwise_acc_invmontgomery(t.vec + i, mat + i, &s1hat); - poly_reduce(t.vec + i); - poly_invntt_montgomery(t.vec + i); + PQCLEAN_DILITHIUMIII_polyvecl_pointwise_acc_invmontgomery( + t.vec + i, mat + i, &s1hat); + PQCLEAN_DILITHIUMIII_poly_reduce(t.vec + i); + PQCLEAN_DILITHIUMIII_poly_invntt_montgomery(t.vec + i); } /* Add noise vector s2 */ - polyveck_add(&t, &t, &s2); + PQCLEAN_DILITHIUMIII_polyveck_add(&t, &t, &s2); /* Extract t1 and write public key */ - polyveck_freeze(&t); - polyveck_power2round(&t1, &t0, &t); - pack_pk(pk, rho, &t1); + PQCLEAN_DILITHIUMIII_polyveck_freeze(&t); + PQCLEAN_DILITHIUMIII_polyveck_power2round(&t1, &t0, &t); + PQCLEAN_DILITHIUMIII_pack_pk(pk, rho, &t1); /* Compute CRH(rho, t1) and write secret key */ shake256(tr, CRHBYTES, pk, CRYPTO_PUBLICKEYBYTES); - pack_sk(sk, rho, key, tr, &s1, &s2, &t0); + PQCLEAN_DILITHIUMIII_pack_sk(sk, rho, key, tr, &s1, &s2, &t0); return 0; } @@ -174,9 +179,11 @@ int crypto_sign_keypair(unsigned char *pk, unsigned char *sk) { * * Returns 0 (success) **************************************************/ -int crypto_sign(unsigned char *sm, unsigned long long *smlen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *sk) { +int PQCLEAN_DILITHIUMIII_crypto_sign(unsigned char *sm, + unsigned long long *smlen, + const unsigned char *m, + unsigned long long mlen, + const unsigned char *sk) { unsigned long long i, j; unsigned int n; unsigned char @@ -192,7 +199,7 @@ int crypto_sign(unsigned char *sm, unsigned long long *smlen, rho = seedbuf; key = seedbuf + SEEDBYTES; mu = seedbuf + 2 * SEEDBYTES; - unpack_sk(rho, key, tr, &s1, &s2, &t0, sk); + PQCLEAN_DILITHIUMIII_unpack_sk(rho, key, tr, &s1, &s2, &t0, sk); /* Copy tr and message into the sm buffer, * backwards since m and sm can be equal in SUPERCOP API */ @@ -207,54 +214,57 @@ int crypto_sign(unsigned char *sm, unsigned long long *smlen, shake256(mu, CRHBYTES, sm + CRYPTO_BYTES - CRHBYTES, CRHBYTES + mlen); /* Expand matrix and transform vectors */ - expand_mat(mat, rho); - polyvecl_ntt(&s1); - polyveck_ntt(&s2); - polyveck_ntt(&t0); + PQCLEAN_DILITHIUMIII_expand_mat(mat, rho); + PQCLEAN_DILITHIUMIII_polyvecl_ntt(&s1); + PQCLEAN_DILITHIUMIII_polyveck_ntt(&s2); + PQCLEAN_DILITHIUMIII_polyveck_ntt(&t0); rej: /* Sample intermediate vector y */ for (i = 0; i < L; ++i) { - poly_uniform_gamma1m1(y.vec + i, key, nonce++); + PQCLEAN_DILITHIUMIII_poly_uniform_gamma1m1(y.vec + i, key, nonce++); } /* Matrix-vector multiplication */ yhat = y; - polyvecl_ntt(&yhat); + PQCLEAN_DILITHIUMIII_polyvecl_ntt(&yhat); for (i = 0; i < K; ++i) { - polyvecl_pointwise_acc_invmontgomery(w.vec + i, mat + i, &yhat); - poly_reduce(w.vec + i); - poly_invntt_montgomery(w.vec + i); + PQCLEAN_DILITHIUMIII_polyvecl_pointwise_acc_invmontgomery( + w.vec + i, mat + i, &yhat); + PQCLEAN_DILITHIUMIII_poly_reduce(w.vec + i); + PQCLEAN_DILITHIUMIII_poly_invntt_montgomery(w.vec + i); } /* Decompose w and call the random oracle */ - polyveck_csubq(&w); - polyveck_decompose(&w1, &tmp, &w); - challenge(&c, mu, &w1); + PQCLEAN_DILITHIUMIII_polyveck_csubq(&w); + PQCLEAN_DILITHIUMIII_polyveck_decompose(&w1, &tmp, &w); + PQCLEAN_DILITHIUMIII_challenge(&c, mu, &w1); /* Compute z, reject if it reveals secret */ chat = c; - poly_ntt(&chat); + PQCLEAN_DILITHIUMIII_poly_ntt(&chat); for (i = 0; i < L; ++i) { - poly_pointwise_invmontgomery(z.vec + i, &chat, s1.vec + i); - poly_invntt_montgomery(z.vec + i); + PQCLEAN_DILITHIUMIII_poly_pointwise_invmontgomery(z.vec + i, &chat, + s1.vec + i); + PQCLEAN_DILITHIUMIII_poly_invntt_montgomery(z.vec + i); } - polyvecl_add(&z, &z, &y); - polyvecl_freeze(&z); - if (polyvecl_chknorm(&z, GAMMA1 - BETA)) { + PQCLEAN_DILITHIUMIII_polyvecl_add(&z, &z, &y); + PQCLEAN_DILITHIUMIII_polyvecl_freeze(&z); + if (PQCLEAN_DILITHIUMIII_polyvecl_chknorm(&z, GAMMA1 - BETA)) { goto rej; } /* Compute w - cs2, reject if w1 can not be computed from it */ for (i = 0; i < K; ++i) { - poly_pointwise_invmontgomery(wcs2.vec + i, &chat, s2.vec + i); - poly_invntt_montgomery(wcs2.vec + i); + PQCLEAN_DILITHIUMIII_poly_pointwise_invmontgomery(wcs2.vec + i, &chat, + s2.vec + i); + PQCLEAN_DILITHIUMIII_poly_invntt_montgomery(wcs2.vec + i); } - polyveck_sub(&wcs2, &w, &wcs2); - polyveck_freeze(&wcs2); - polyveck_decompose(&tmp, &wcs20, &wcs2); - polyveck_csubq(&wcs20); - if (polyveck_chknorm(&wcs20, GAMMA2 - BETA)) { + PQCLEAN_DILITHIUMIII_polyveck_sub(&wcs2, &w, &wcs2); + PQCLEAN_DILITHIUMIII_polyveck_freeze(&wcs2); + PQCLEAN_DILITHIUMIII_polyveck_decompose(&tmp, &wcs20, &wcs2); + PQCLEAN_DILITHIUMIII_polyveck_csubq(&wcs20); + if (PQCLEAN_DILITHIUMIII_polyveck_chknorm(&wcs20, GAMMA2 - BETA)) { goto rej; } @@ -268,24 +278,25 @@ rej: /* Compute hints for w1 */ for (i = 0; i < K; ++i) { - poly_pointwise_invmontgomery(ct0.vec + i, &chat, t0.vec + i); - poly_invntt_montgomery(ct0.vec + i); + PQCLEAN_DILITHIUMIII_poly_pointwise_invmontgomery(ct0.vec + i, &chat, + t0.vec + i); + PQCLEAN_DILITHIUMIII_poly_invntt_montgomery(ct0.vec + i); } - polyveck_csubq(&ct0); - if (polyveck_chknorm(&ct0, GAMMA2)) { + PQCLEAN_DILITHIUMIII_polyveck_csubq(&ct0); + if (PQCLEAN_DILITHIUMIII_polyveck_chknorm(&ct0, GAMMA2)) { goto rej; } - polyveck_add(&tmp, &wcs2, &ct0); - polyveck_csubq(&tmp); - n = polyveck_make_hint(&h, &wcs2, &tmp); + PQCLEAN_DILITHIUMIII_polyveck_add(&tmp, &wcs2, &ct0); + PQCLEAN_DILITHIUMIII_polyveck_csubq(&tmp); + n = PQCLEAN_DILITHIUMIII_polyveck_make_hint(&h, &wcs2, &tmp); if (n > OMEGA) { goto rej; } /* Write signature */ - pack_sig(sm, &z, &h, &c); + PQCLEAN_DILITHIUMIII_pack_sig(sm, &z, &h, &c); *smlen = mlen + CRYPTO_BYTES; return 0; @@ -305,9 +316,11 @@ rej: * * Returns 0 if signed message could be verified correctly and -1 otherwise **************************************************/ -int crypto_sign_open(unsigned char *m, unsigned long long *mlen, - const unsigned char *sm, unsigned long long smlen, - const unsigned char *pk) { +int PQCLEAN_DILITHIUMIII_crypto_sign_open(unsigned char *m, + unsigned long long *mlen, + const unsigned char *sm, + unsigned long long smlen, + const unsigned char *pk) { unsigned long long i; unsigned char rho[SEEDBYTES]; unsigned char mu[CRHBYTES]; @@ -321,11 +334,11 @@ int crypto_sign_open(unsigned char *m, unsigned long long *mlen, *mlen = smlen - CRYPTO_BYTES; - unpack_pk(rho, &t1, pk); - if (unpack_sig(&z, &h, &c, sm)) { + PQCLEAN_DILITHIUMIII_unpack_pk(rho, &t1, pk); + if (PQCLEAN_DILITHIUMIII_unpack_sig(&z, &h, &c, sm)) { goto badsig; } - if (polyvecl_chknorm(&z, GAMMA1 - BETA)) { + if (PQCLEAN_DILITHIUMIII_polyvecl_chknorm(&z, GAMMA1 - BETA)) { goto badsig; } @@ -340,30 +353,32 @@ int crypto_sign_open(unsigned char *m, unsigned long long *mlen, shake256(mu, CRHBYTES, m + CRYPTO_BYTES - CRHBYTES, CRHBYTES + *mlen); /* Matrix-vector multiplication; compute Az - c2^dt1 */ - expand_mat(mat, rho); - polyvecl_ntt(&z); + PQCLEAN_DILITHIUMIII_expand_mat(mat, rho); + PQCLEAN_DILITHIUMIII_polyvecl_ntt(&z); for (i = 0; i < K; ++i) { - polyvecl_pointwise_acc_invmontgomery(tmp1.vec + i, mat + i, &z); + PQCLEAN_DILITHIUMIII_polyvecl_pointwise_acc_invmontgomery(tmp1.vec + i, + mat + i, &z); } chat = c; - poly_ntt(&chat); - polyveck_shiftl(&t1, D); - polyveck_ntt(&t1); + PQCLEAN_DILITHIUMIII_poly_ntt(&chat); + PQCLEAN_DILITHIUMIII_polyveck_shiftl(&t1, D); + PQCLEAN_DILITHIUMIII_polyveck_ntt(&t1); for (i = 0; i < K; ++i) { - poly_pointwise_invmontgomery(tmp2.vec + i, &chat, t1.vec + i); + PQCLEAN_DILITHIUMIII_poly_pointwise_invmontgomery(tmp2.vec + i, &chat, + t1.vec + i); } - polyveck_sub(&tmp1, &tmp1, &tmp2); - polyveck_reduce(&tmp1); - polyveck_invntt_montgomery(&tmp1); + PQCLEAN_DILITHIUMIII_polyveck_sub(&tmp1, &tmp1, &tmp2); + PQCLEAN_DILITHIUMIII_polyveck_reduce(&tmp1); + PQCLEAN_DILITHIUMIII_polyveck_invntt_montgomery(&tmp1); /* Reconstruct w1 */ - polyveck_csubq(&tmp1); - polyveck_use_hint(&w1, &tmp1, &h); + PQCLEAN_DILITHIUMIII_polyveck_csubq(&tmp1); + PQCLEAN_DILITHIUMIII_polyveck_use_hint(&w1, &tmp1, &h); /* Call random oracle and verify challenge */ - challenge(&cp, mu, &w1); + PQCLEAN_DILITHIUMIII_challenge(&cp, mu, &w1); for (i = 0; i < N; ++i) { if (c.coeffs[i] != cp.coeffs[i]) { goto badsig; diff --git a/crypto_sign/dilithium-iii/clean/sign.h b/crypto_sign/dilithium-iii/clean/sign.h index 7f52b7b3..4b12b763 100644 --- a/crypto_sign/dilithium-iii/clean/sign.h +++ b/crypto_sign/dilithium-iii/clean/sign.h @@ -5,17 +5,24 @@ #include "poly.h" #include "polyvec.h" -void expand_mat(polyvecl mat[K], const unsigned char rho[SEEDBYTES]); -void challenge(poly *c, const unsigned char mu[CRHBYTES], const polyveck *w1); +void PQCLEAN_DILITHIUMIII_expand_mat(polyvecl mat[K], + const unsigned char rho[SEEDBYTES]); +void PQCLEAN_DILITHIUMIII_challenge(poly *c, const unsigned char mu[CRHBYTES], + const polyveck *w1); -int crypto_sign_keypair(unsigned char *pk, unsigned char *sk); +int PQCLEAN_DILITHIUMIII_crypto_sign_keypair(unsigned char *pk, + unsigned char *sk); -int crypto_sign(unsigned char *sm, unsigned long long *smlen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *sk); +int PQCLEAN_DILITHIUMIII_crypto_sign(unsigned char *sm, + unsigned long long *smlen, + const unsigned char *m, + unsigned long long mlen, + const unsigned char *sk); -int crypto_sign_open(unsigned char *m, unsigned long long *mlen, - const unsigned char *sm, unsigned long long smlen, - const unsigned char *pk); +int PQCLEAN_DILITHIUMIII_crypto_sign_open(unsigned char *m, + unsigned long long *mlen, + const unsigned char *sm, + unsigned long long smlen, + const unsigned char *pk); #endif