kris
/
pqcrypto
mirror of https://github.com/henrydcase/pqc.git
1
1
Fork 0
Code Issues 1 Releases 2 Wiki Activity
Browse Source

renamed to something more appropriate, copied source code, ran astyle

tags/v0.0.1
Leon 5 years ago
parent
752ff05b52
commit
587090e744
28 changed files with 4113 additions and 0 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +18
    -0
      crypto_kem/ledakemlt12/META.yml
  2. +71
    -0
      crypto_kem/ledakemlt12/clean/H_Q_matrices_generation.c
  3. +49
    -0
      crypto_kem/ledakemlt12/clean/H_Q_matrices_generation.h
  4. +55
    -0
      crypto_kem/ledakemlt12/clean/Makefile
  5. +600
    -0
      crypto_kem/ledakemlt12/clean/aes256.c
  6. +41
    -0
      crypto_kem/ledakemlt12/clean/aes256.h
  7. +75
    -0
      crypto_kem/ledakemlt12/clean/api.h
  8. +114
    -0
      crypto_kem/ledakemlt12/clean/bf_decoding.c
  9. +78
    -0
      crypto_kem/ledakemlt12/clean/bf_decoding.h
  10. +114
    -0
      crypto_kem/ledakemlt12/clean/dfr_test.c
  11. +3
    -0
      crypto_kem/ledakemlt12/clean/dfr_test.h
  12. +462
    -0
      crypto_kem/ledakemlt12/clean/gf2x_arith.c
  13. +112
    -0
      crypto_kem/ledakemlt12/clean/gf2x_arith.h
  14. +656
    -0
      crypto_kem/ledakemlt12/clean/gf2x_arith_mod_xPplusOne.c
  15. +300
    -0
      crypto_kem/ledakemlt12/clean/gf2x_arith_mod_xPplusOne.h
  16. +94
    -0
      crypto_kem/ledakemlt12/clean/gf2x_limbs.h
  17. +97
    -0
      crypto_kem/ledakemlt12/clean/kem.c
  18. +58
    -0
      crypto_kem/ledakemlt12/clean/niederreiter.h
  19. +153
    -0
      crypto_kem/ledakemlt12/clean/niederreiter_decrypt.c
  20. +45
    -0
      crypto_kem/ledakemlt12/clean/niederreiter_decrypt.h
  21. +57
    -0
      crypto_kem/ledakemlt12/clean/niederreiter_encrypt.c
  22. +41
    -0
      crypto_kem/ledakemlt12/clean/niederreiter_encrypt.h
  23. +145
    -0
      crypto_kem/ledakemlt12/clean/niederreiter_keygen.c
  24. +43
    -0
      crypto_kem/ledakemlt12/clean/niederreiter_keygen.h
  25. +157
    -0
      crypto_kem/ledakemlt12/clean/qc_ldpc_parameters.h
  26. +336
    -0
      crypto_kem/ledakemlt12/clean/rng.c
  27. +96
    -0
      crypto_kem/ledakemlt12/clean/rng.h
  28. +43
    -0
      crypto_kem/ledakemlt12/clean/sha3.h

+ 18
- 0
crypto_kem/ledakemlt12/META.yml View File

@@ -0,0 +1,18 @@
name: LEDAcryptKEM-LT12
type: kem
claimed-nist-level: 1
claimed-security: IND-CCA2
length-public-key: 6520
length-secret-key: 468
length-ciphertext: 6520
length-shared-secret: 32
nistkat-sha256: 3bb5945e0aea26f121e1d56946760e506bdfbebb07e2fb018ce737b90b1eee2b
principal-submitter: Marco Baldi
auxiliary-submitters:
- Alessandro Barenghi
- Franco Chiaraluce
- Gerardo Pelosi
- Paolo Santini
implementations:
- name: clean
version: 2.0

+ 71
- 0
crypto_kem/ledakemlt12/clean/H_Q_matrices_generation.c View File

@@ -0,0 +1,71 @@
/**
*
* <H_Q_matrices_generation.c>
*
* @version 2.0 (March 2019)
*
* Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
*
* In alphabetical order:
*
* @author Marco Baldi <m.baldi@univpm.it>
* @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
* @author Franco Chiaraluce <f.chiaraluce@univpm.it>
* @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
* @author Paolo Santini <p.santini@pm.univpm.it>
*
* This code is hereby placed in the public domain.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
* OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
* EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
**/

#include "H_Q_matrices_generation.h"
#include "gf2x_arith_mod_xPplusOne.h"

/*----------------------------------------------------------------------------*/

void generateHPosOnes_HtrPosOnes(POSITION_T HPosOnes[N0][DV],
POSITION_T HtrPosOnes[N0][DV],
AES_XOF_struct *keys_expander
) {
for (int i = 0; i < N0; i++) {
/* Generate a random block of Htr */
rand_circulant_sparse_block(&HtrPosOnes[i][0],
DV,
keys_expander);
}
for (int i = 0; i < N0; i++) {
/* Obtain directly the sparse representation of the block of H */
for (int k = 0; k < DV; k++) {
HPosOnes[i][k] = (P - HtrPosOnes[i][k]) % P; /* transposes indexes */
}// end for k
}
} // end generateHtr_HtrPosOnes

/*----------------------------------------------------------------------------*/

void generateQsparse(POSITION_T pos_ones[N0][M],
AES_XOF_struct *keys_expander) {
for (int i = 0; i < N0; i++) {
int placed_ones = 0;
for (int j = 0; j < N0; j++) {
rand_circulant_sparse_block(&pos_ones[i][placed_ones],
qBlockWeights[i][j],
keys_expander);
placed_ones += qBlockWeights[i][j];
} // end for j
} // end for i
} // end generateQsparse

/*----------------------------------------------------------------------------*/

+ 49
- 0
crypto_kem/ledakemlt12/clean/H_Q_matrices_generation.h View File

@@ -0,0 +1,49 @@
/**
*
* <H_Q_matrices_generation.h>
*
* @version 2.0 (March 2019)
*
* Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
*
* In alphabetical order:
*
* @author Marco Baldi <m.baldi@univpm.it>
* @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
* @author Franco Chiaraluce <f.chiaraluce@univpm.it>
* @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
* @author Paolo Santini <p.santini@pm.univpm.it>
*
* This code is hereby placed in the public domain.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
* OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
* EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
**/

#pragma once
#include "qc_ldpc_parameters.h"
#include "gf2x_limbs.h"
#include "rng.h"
/*----------------------------------------------------------------------------*/


void generateHPosOnes_HtrPosOnes(POSITION_T HPosOnes[N0][DV],
POSITION_T HtrPosOnes[N0][DV],
AES_XOF_struct *niederreiter_keys_expander);

/*----------------------------------------------------------------------------*/

void generateQsparse(POSITION_T pos_ones[N0][M],
AES_XOF_struct *niederreiter_keys_expander);

/*----------------------------------------------------------------------------*/

+ 55
- 0
crypto_kem/ledakemlt12/clean/Makefile View File

@@ -0,0 +1,55 @@
# This Makefile can be used with GNU Make or BSD Make

SL = 1
N0 = 2
DFR_SL_LEVEL = 1

LIB=libLEDAkem_sl$(SL)_N0$(N0)_clean.a
HEADERS=aes256.h api.h bf_decoding.h dfr_test.h gf2x_arith_mod_xPplusOne.h \
gf2x_arith.h gf2x_limbs.h H_Q_matrices_generation.h niederreiter_decrypt.h \
niederreiter_encrypt.h niederreiter_keygen.h niederreiter.h \
qc_ldpc_parameters.h rng.h sha3.h

OBJECTS=aes256.o bf_decoding.o dfr_test.o gf2x_arith_mod_xPplusOne.o \
gf2x_arith.o H_Q_matrices_generation.o kem.o niederreiter_decrypt.o \
niederreiter_encrypt.o niederreiter_keygen.o rng.o

CFLAGS=-O3 -Wall -Wextra -Wpedantic -Wvla -Wmissing-prototypes -std=c99 \
-DCATEGORY=$(SL) -DN0=$(N0) -DDFR_SL_LEVEL=$(DFR_SL_LEVEL) -I../../../common $(EXTRAFLAGS)

all: $(LIB)

%.o: %.c $(HEADERS)
$(CC) $(CFLAGS) -c -o $@ $<

$(LIB): $(OBJECTS)
$(AR) -r $@ $(OBJECTS)

clean:
$(RM) $(OBJECTS)
$(RM) $(LIB)


# old makefile
# CFLAGS = -DCATEGORY=$(SL) -DN0=$(N0) -DDFR_SL_LEVEL=$(DFR_SL_LEVEL) -DCPU_WORD_BITS=64 \
# -std=c11 -Wall -pedantic -Wmaybe-uninitialized -Wuninitialized \
# -march=native -O3 -g3
# LDFLAGS = -lm -lkeccak
# INCLUDES = -I./include
# SRCDIR = library
# OBJDIR = bin
#
# # Gathers the names of all C files
# CSRC = $(wildcard $(SRCDIR)/*.c)
# # Produces in $(COBJS) the names of .o object files for all C files
# COBJS = $(CSRC:$(SRCDIR)/%.c=$(OBJDIR)/%.o)
#
# $(OBJDIR)/%.o: $(SRCDIR)/%.c
# $(CC) -c $(CFLAGS) $(INCLUDES) $< -o $@
#
# .PHONY : all clean
#
# all: $(COBJS)
# ar rcs $(OBJDIR)/libLEDAkem_sl$(SL)_N0$(N0).a $(COBJS)
# clean:
# $(RM) $(OBJDIR)/*.o $(OBJDIR)/libLEDAkem_sl$(SL)_N0$(N0).a

+ 600
- 0
crypto_kem/ledakemlt12/clean/aes256.c View File

@@ -0,0 +1,600 @@
/**
* AES-256 self contained implementation derived from :
*
* rijndael-alg-fst.h
*
* @version 3.0 (December 2000)
*
* Optimised ANSI C code for the Rijndael cipher (now AES)
*
* @author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
* @author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
* @author Paulo Barreto <paulo.barreto@terra.com.br>
*
* originally placed in the public domain by the authors.
*
*
*
* This code is hereby placed in the public domain.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
* OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
* EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/

#include <stdint.h>
#include "aes256.h"

/*
Te0[x] = S [x].[02, 01, 01, 03];
Te1[x] = S [x].[03, 02, 01, 01];
Te2[x] = S [x].[01, 03, 02, 01];
Te3[x] = S [x].[01, 01, 03, 02];
Te4[x] = S [x].[01, 01, 01, 01];
*/

static const uint32_t Te0[256] = {
0xc66363a5U, 0xf87c7c84U, 0xee777799U, 0xf67b7b8dU,
0xfff2f20dU, 0xd66b6bbdU, 0xde6f6fb1U, 0x91c5c554U,
0x60303050U, 0x02010103U, 0xce6767a9U, 0x562b2b7dU,
0xe7fefe19U, 0xb5d7d762U, 0x4dababe6U, 0xec76769aU,
0x8fcaca45U, 0x1f82829dU, 0x89c9c940U, 0xfa7d7d87U,
0xeffafa15U, 0xb25959ebU, 0x8e4747c9U, 0xfbf0f00bU,
0x41adadecU, 0xb3d4d467U, 0x5fa2a2fdU, 0x45afafeaU,
0x239c9cbfU, 0x53a4a4f7U, 0xe4727296U, 0x9bc0c05bU,
0x75b7b7c2U, 0xe1fdfd1cU, 0x3d9393aeU, 0x4c26266aU,
0x6c36365aU, 0x7e3f3f41U, 0xf5f7f702U, 0x83cccc4fU,
0x6834345cU, 0x51a5a5f4U, 0xd1e5e534U, 0xf9f1f108U,
0xe2717193U, 0xabd8d873U, 0x62313153U, 0x2a15153fU,
0x0804040cU, 0x95c7c752U, 0x46232365U, 0x9dc3c35eU,
0x30181828U, 0x379696a1U, 0x0a05050fU, 0x2f9a9ab5U,
0x0e070709U, 0x24121236U, 0x1b80809bU, 0xdfe2e23dU,
0xcdebeb26U, 0x4e272769U, 0x7fb2b2cdU, 0xea75759fU,
0x1209091bU, 0x1d83839eU, 0x582c2c74U, 0x341a1a2eU,
0x361b1b2dU, 0xdc6e6eb2U, 0xb45a5aeeU, 0x5ba0a0fbU,
0xa45252f6U, 0x763b3b4dU, 0xb7d6d661U, 0x7db3b3ceU,
0x5229297bU, 0xdde3e33eU, 0x5e2f2f71U, 0x13848497U,
0xa65353f5U, 0xb9d1d168U, 0x00000000U, 0xc1eded2cU,
0x40202060U, 0xe3fcfc1fU, 0x79b1b1c8U, 0xb65b5bedU,
0xd46a6abeU, 0x8dcbcb46U, 0x67bebed9U, 0x7239394bU,
0x944a4adeU, 0x984c4cd4U, 0xb05858e8U, 0x85cfcf4aU,
0xbbd0d06bU, 0xc5efef2aU, 0x4faaaae5U, 0xedfbfb16U,
0x864343c5U, 0x9a4d4dd7U, 0x66333355U, 0x11858594U,
0x8a4545cfU, 0xe9f9f910U, 0x04020206U, 0xfe7f7f81U,
0xa05050f0U, 0x783c3c44U, 0x259f9fbaU, 0x4ba8a8e3U,
0xa25151f3U, 0x5da3a3feU, 0x804040c0U, 0x058f8f8aU,
0x3f9292adU, 0x219d9dbcU, 0x70383848U, 0xf1f5f504U,
0x63bcbcdfU, 0x77b6b6c1U, 0xafdada75U, 0x42212163U,
0x20101030U, 0xe5ffff1aU, 0xfdf3f30eU, 0xbfd2d26dU,
0x81cdcd4cU, 0x180c0c14U, 0x26131335U, 0xc3ecec2fU,
0xbe5f5fe1U, 0x359797a2U, 0x884444ccU, 0x2e171739U,
0x93c4c457U, 0x55a7a7f2U, 0xfc7e7e82U, 0x7a3d3d47U,
0xc86464acU, 0xba5d5de7U, 0x3219192bU, 0xe6737395U,
0xc06060a0U, 0x19818198U, 0x9e4f4fd1U, 0xa3dcdc7fU,
0x44222266U, 0x542a2a7eU, 0x3b9090abU, 0x0b888883U,
0x8c4646caU, 0xc7eeee29U, 0x6bb8b8d3U, 0x2814143cU,
0xa7dede79U, 0xbc5e5ee2U, 0x160b0b1dU, 0xaddbdb76U,
0xdbe0e03bU, 0x64323256U, 0x743a3a4eU, 0x140a0a1eU,
0x924949dbU, 0x0c06060aU, 0x4824246cU, 0xb85c5ce4U,
0x9fc2c25dU, 0xbdd3d36eU, 0x43acacefU, 0xc46262a6U,
0x399191a8U, 0x319595a4U, 0xd3e4e437U, 0xf279798bU,
0xd5e7e732U, 0x8bc8c843U, 0x6e373759U, 0xda6d6db7U,
0x018d8d8cU, 0xb1d5d564U, 0x9c4e4ed2U, 0x49a9a9e0U,
0xd86c6cb4U, 0xac5656faU, 0xf3f4f407U, 0xcfeaea25U,
0xca6565afU, 0xf47a7a8eU, 0x47aeaee9U, 0x10080818U,
0x6fbabad5U, 0xf0787888U, 0x4a25256fU, 0x5c2e2e72U,
0x381c1c24U, 0x57a6a6f1U, 0x73b4b4c7U, 0x97c6c651U,
0xcbe8e823U, 0xa1dddd7cU, 0xe874749cU, 0x3e1f1f21U,
0x964b4bddU, 0x61bdbddcU, 0x0d8b8b86U, 0x0f8a8a85U,
0xe0707090U, 0x7c3e3e42U, 0x71b5b5c4U, 0xcc6666aaU,
0x904848d8U, 0x06030305U, 0xf7f6f601U, 0x1c0e0e12U,
0xc26161a3U, 0x6a35355fU, 0xae5757f9U, 0x69b9b9d0U,
0x17868691U, 0x99c1c158U, 0x3a1d1d27U, 0x279e9eb9U,
0xd9e1e138U, 0xebf8f813U, 0x2b9898b3U, 0x22111133U,
0xd26969bbU, 0xa9d9d970U, 0x078e8e89U, 0x339494a7U,
0x2d9b9bb6U, 0x3c1e1e22U, 0x15878792U, 0xc9e9e920U,
0x87cece49U, 0xaa5555ffU, 0x50282878U, 0xa5dfdf7aU,
0x038c8c8fU, 0x59a1a1f8U, 0x09898980U, 0x1a0d0d17U,
0x65bfbfdaU, 0xd7e6e631U, 0x844242c6U, 0xd06868b8U,
0x824141c3U, 0x299999b0U, 0x5a2d2d77U, 0x1e0f0f11U,
0x7bb0b0cbU, 0xa85454fcU, 0x6dbbbbd6U, 0x2c16163aU,
};
static const uint32_t Te1[256] = {
0xa5c66363U, 0x84f87c7cU, 0x99ee7777U, 0x8df67b7bU,
0x0dfff2f2U, 0xbdd66b6bU, 0xb1de6f6fU, 0x5491c5c5U,
0x50603030U, 0x03020101U, 0xa9ce6767U, 0x7d562b2bU,
0x19e7fefeU, 0x62b5d7d7U, 0xe64dababU, 0x9aec7676U,
0x458fcacaU, 0x9d1f8282U, 0x4089c9c9U, 0x87fa7d7dU,
0x15effafaU, 0xebb25959U, 0xc98e4747U, 0x0bfbf0f0U,
0xec41adadU, 0x67b3d4d4U, 0xfd5fa2a2U, 0xea45afafU,
0xbf239c9cU, 0xf753a4a4U, 0x96e47272U, 0x5b9bc0c0U,
0xc275b7b7U, 0x1ce1fdfdU, 0xae3d9393U, 0x6a4c2626U,
0x5a6c3636U, 0x417e3f3fU, 0x02f5f7f7U, 0x4f83ccccU,
0x5c683434U, 0xf451a5a5U, 0x34d1e5e5U, 0x08f9f1f1U,
0x93e27171U, 0x73abd8d8U, 0x53623131U, 0x3f2a1515U,
0x0c080404U, 0x5295c7c7U, 0x65462323U, 0x5e9dc3c3U,
0x28301818U, 0xa1379696U, 0x0f0a0505U, 0xb52f9a9aU,
0x090e0707U, 0x36241212U, 0x9b1b8080U, 0x3ddfe2e2U,
0x26cdebebU, 0x694e2727U, 0xcd7fb2b2U, 0x9fea7575U,
0x1b120909U, 0x9e1d8383U, 0x74582c2cU, 0x2e341a1aU,
0x2d361b1bU, 0xb2dc6e6eU, 0xeeb45a5aU, 0xfb5ba0a0U,
0xf6a45252U, 0x4d763b3bU, 0x61b7d6d6U, 0xce7db3b3U,
0x7b522929U, 0x3edde3e3U, 0x715e2f2fU, 0x97138484U,
0xf5a65353U, 0x68b9d1d1U, 0x00000000U, 0x2cc1ededU,
0x60402020U, 0x1fe3fcfcU, 0xc879b1b1U, 0xedb65b5bU,
0xbed46a6aU, 0x468dcbcbU, 0xd967bebeU, 0x4b723939U,
0xde944a4aU, 0xd4984c4cU, 0xe8b05858U, 0x4a85cfcfU,
0x6bbbd0d0U, 0x2ac5efefU, 0xe54faaaaU, 0x16edfbfbU,
0xc5864343U, 0xd79a4d4dU, 0x55663333U, 0x94118585U,
0xcf8a4545U, 0x10e9f9f9U, 0x06040202U, 0x81fe7f7fU,
0xf0a05050U, 0x44783c3cU, 0xba259f9fU, 0xe34ba8a8U,
0xf3a25151U, 0xfe5da3a3U, 0xc0804040U, 0x8a058f8fU,
0xad3f9292U, 0xbc219d9dU, 0x48703838U, 0x04f1f5f5U,
0xdf63bcbcU, 0xc177b6b6U, 0x75afdadaU, 0x63422121U,
0x30201010U, 0x1ae5ffffU, 0x0efdf3f3U, 0x6dbfd2d2U,
0x4c81cdcdU, 0x14180c0cU, 0x35261313U, 0x2fc3ececU,
0xe1be5f5fU, 0xa2359797U, 0xcc884444U, 0x392e1717U,
0x5793c4c4U, 0xf255a7a7U, 0x82fc7e7eU, 0x477a3d3dU,
0xacc86464U, 0xe7ba5d5dU, 0x2b321919U, 0x95e67373U,
0xa0c06060U, 0x98198181U, 0xd19e4f4fU, 0x7fa3dcdcU,
0x66442222U, 0x7e542a2aU, 0xab3b9090U, 0x830b8888U,
0xca8c4646U, 0x29c7eeeeU, 0xd36bb8b8U, 0x3c281414U,
0x79a7dedeU, 0xe2bc5e5eU, 0x1d160b0bU, 0x76addbdbU,
0x3bdbe0e0U, 0x56643232U, 0x4e743a3aU, 0x1e140a0aU,
0xdb924949U, 0x0a0c0606U, 0x6c482424U, 0xe4b85c5cU,
0x5d9fc2c2U, 0x6ebdd3d3U, 0xef43acacU, 0xa6c46262U,
0xa8399191U, 0xa4319595U, 0x37d3e4e4U, 0x8bf27979U,
0x32d5e7e7U, 0x438bc8c8U, 0x596e3737U, 0xb7da6d6dU,
0x8c018d8dU, 0x64b1d5d5U, 0xd29c4e4eU, 0xe049a9a9U,
0xb4d86c6cU, 0xfaac5656U, 0x07f3f4f4U, 0x25cfeaeaU,
0xafca6565U, 0x8ef47a7aU, 0xe947aeaeU, 0x18100808U,
0xd56fbabaU, 0x88f07878U, 0x6f4a2525U, 0x725c2e2eU,
0x24381c1cU, 0xf157a6a6U, 0xc773b4b4U, 0x5197c6c6U,
0x23cbe8e8U, 0x7ca1ddddU, 0x9ce87474U, 0x213e1f1fU,
0xdd964b4bU, 0xdc61bdbdU, 0x860d8b8bU, 0x850f8a8aU,
0x90e07070U, 0x427c3e3eU, 0xc471b5b5U, 0xaacc6666U,
0xd8904848U, 0x05060303U, 0x01f7f6f6U, 0x121c0e0eU,
0xa3c26161U, 0x5f6a3535U, 0xf9ae5757U, 0xd069b9b9U,
0x91178686U, 0x5899c1c1U, 0x273a1d1dU, 0xb9279e9eU,
0x38d9e1e1U, 0x13ebf8f8U, 0xb32b9898U, 0x33221111U,
0xbbd26969U, 0x70a9d9d9U, 0x89078e8eU, 0xa7339494U,
0xb62d9b9bU, 0x223c1e1eU, 0x92158787U, 0x20c9e9e9U,
0x4987ceceU, 0xffaa5555U, 0x78502828U, 0x7aa5dfdfU,
0x8f038c8cU, 0xf859a1a1U, 0x80098989U, 0x171a0d0dU,
0xda65bfbfU, 0x31d7e6e6U, 0xc6844242U, 0xb8d06868U,
0xc3824141U, 0xb0299999U, 0x775a2d2dU, 0x111e0f0fU,
0xcb7bb0b0U, 0xfca85454U, 0xd66dbbbbU, 0x3a2c1616U,
};
static const uint32_t Te2[256] = {
0x63a5c663U, 0x7c84f87cU, 0x7799ee77U, 0x7b8df67bU,
0xf20dfff2U, 0x6bbdd66bU, 0x6fb1de6fU, 0xc55491c5U,
0x30506030U, 0x01030201U, 0x67a9ce67U, 0x2b7d562bU,
0xfe19e7feU, 0xd762b5d7U, 0xabe64dabU, 0x769aec76U,
0xca458fcaU, 0x829d1f82U, 0xc94089c9U, 0x7d87fa7dU,
0xfa15effaU, 0x59ebb259U, 0x47c98e47U, 0xf00bfbf0U,
0xadec41adU, 0xd467b3d4U, 0xa2fd5fa2U, 0xafea45afU,
0x9cbf239cU, 0xa4f753a4U, 0x7296e472U, 0xc05b9bc0U,
0xb7c275b7U, 0xfd1ce1fdU, 0x93ae3d93U, 0x266a4c26U,
0x365a6c36U, 0x3f417e3fU, 0xf702f5f7U, 0xcc4f83ccU,
0x345c6834U, 0xa5f451a5U, 0xe534d1e5U, 0xf108f9f1U,
0x7193e271U, 0xd873abd8U, 0x31536231U, 0x153f2a15U,
0x040c0804U, 0xc75295c7U, 0x23654623U, 0xc35e9dc3U,
0x18283018U, 0x96a13796U, 0x050f0a05U, 0x9ab52f9aU,
0x07090e07U, 0x12362412U, 0x809b1b80U, 0xe23ddfe2U,
0xeb26cdebU, 0x27694e27U, 0xb2cd7fb2U, 0x759fea75U,
0x091b1209U, 0x839e1d83U, 0x2c74582cU, 0x1a2e341aU,
0x1b2d361bU, 0x6eb2dc6eU, 0x5aeeb45aU, 0xa0fb5ba0U,
0x52f6a452U, 0x3b4d763bU, 0xd661b7d6U, 0xb3ce7db3U,
0x297b5229U, 0xe33edde3U, 0x2f715e2fU, 0x84971384U,
0x53f5a653U, 0xd168b9d1U, 0x00000000U, 0xed2cc1edU,
0x20604020U, 0xfc1fe3fcU, 0xb1c879b1U, 0x5bedb65bU,
0x6abed46aU, 0xcb468dcbU, 0xbed967beU, 0x394b7239U,
0x4ade944aU, 0x4cd4984cU, 0x58e8b058U, 0xcf4a85cfU,
0xd06bbbd0U, 0xef2ac5efU, 0xaae54faaU, 0xfb16edfbU,
0x43c58643U, 0x4dd79a4dU, 0x33556633U, 0x85941185U,
0x45cf8a45U, 0xf910e9f9U, 0x02060402U, 0x7f81fe7fU,
0x50f0a050U, 0x3c44783cU, 0x9fba259fU, 0xa8e34ba8U,
0x51f3a251U, 0xa3fe5da3U, 0x40c08040U, 0x8f8a058fU,
0x92ad3f92U, 0x9dbc219dU, 0x38487038U, 0xf504f1f5U,
0xbcdf63bcU, 0xb6c177b6U, 0xda75afdaU, 0x21634221U,
0x10302010U, 0xff1ae5ffU, 0xf30efdf3U, 0xd26dbfd2U,
0xcd4c81cdU, 0x0c14180cU, 0x13352613U, 0xec2fc3ecU,
0x5fe1be5fU, 0x97a23597U, 0x44cc8844U, 0x17392e17U,
0xc45793c4U, 0xa7f255a7U, 0x7e82fc7eU, 0x3d477a3dU,
0x64acc864U, 0x5de7ba5dU, 0x192b3219U, 0x7395e673U,
0x60a0c060U, 0x81981981U, 0x4fd19e4fU, 0xdc7fa3dcU,
0x22664422U, 0x2a7e542aU, 0x90ab3b90U, 0x88830b88U,
0x46ca8c46U, 0xee29c7eeU, 0xb8d36bb8U, 0x143c2814U,
0xde79a7deU, 0x5ee2bc5eU, 0x0b1d160bU, 0xdb76addbU,
0xe03bdbe0U, 0x32566432U, 0x3a4e743aU, 0x0a1e140aU,
0x49db9249U, 0x060a0c06U, 0x246c4824U, 0x5ce4b85cU,
0xc25d9fc2U, 0xd36ebdd3U, 0xacef43acU, 0x62a6c462U,
0x91a83991U, 0x95a43195U, 0xe437d3e4U, 0x798bf279U,
0xe732d5e7U, 0xc8438bc8U, 0x37596e37U, 0x6db7da6dU,
0x8d8c018dU, 0xd564b1d5U, 0x4ed29c4eU, 0xa9e049a9U,
0x6cb4d86cU, 0x56faac56U, 0xf407f3f4U, 0xea25cfeaU,
0x65afca65U, 0x7a8ef47aU, 0xaee947aeU, 0x08181008U,
0xbad56fbaU, 0x7888f078U, 0x256f4a25U, 0x2e725c2eU,
0x1c24381cU, 0xa6f157a6U, 0xb4c773b4U, 0xc65197c6U,
0xe823cbe8U, 0xdd7ca1ddU, 0x749ce874U, 0x1f213e1fU,
0x4bdd964bU, 0xbddc61bdU, 0x8b860d8bU, 0x8a850f8aU,
0x7090e070U, 0x3e427c3eU, 0xb5c471b5U, 0x66aacc66U,
0x48d89048U, 0x03050603U, 0xf601f7f6U, 0x0e121c0eU,
0x61a3c261U, 0x355f6a35U, 0x57f9ae57U, 0xb9d069b9U,
0x86911786U, 0xc15899c1U, 0x1d273a1dU, 0x9eb9279eU,
0xe138d9e1U, 0xf813ebf8U, 0x98b32b98U, 0x11332211U,
0x69bbd269U, 0xd970a9d9U, 0x8e89078eU, 0x94a73394U,
0x9bb62d9bU, 0x1e223c1eU, 0x87921587U, 0xe920c9e9U,
0xce4987ceU, 0x55ffaa55U, 0x28785028U, 0xdf7aa5dfU,
0x8c8f038cU, 0xa1f859a1U, 0x89800989U, 0x0d171a0dU,
0xbfda65bfU, 0xe631d7e6U, 0x42c68442U, 0x68b8d068U,
0x41c38241U, 0x99b02999U, 0x2d775a2dU, 0x0f111e0fU,
0xb0cb7bb0U, 0x54fca854U, 0xbbd66dbbU, 0x163a2c16U,
};
static const uint32_t Te3[256] = {

0x6363a5c6U, 0x7c7c84f8U, 0x777799eeU, 0x7b7b8df6U,
0xf2f20dffU, 0x6b6bbdd6U, 0x6f6fb1deU, 0xc5c55491U,
0x30305060U, 0x01010302U, 0x6767a9ceU, 0x2b2b7d56U,
0xfefe19e7U, 0xd7d762b5U, 0xababe64dU, 0x76769aecU,
0xcaca458fU, 0x82829d1fU, 0xc9c94089U, 0x7d7d87faU,
0xfafa15efU, 0x5959ebb2U, 0x4747c98eU, 0xf0f00bfbU,
0xadadec41U, 0xd4d467b3U, 0xa2a2fd5fU, 0xafafea45U,
0x9c9cbf23U, 0xa4a4f753U, 0x727296e4U, 0xc0c05b9bU,
0xb7b7c275U, 0xfdfd1ce1U, 0x9393ae3dU, 0x26266a4cU,
0x36365a6cU, 0x3f3f417eU, 0xf7f702f5U, 0xcccc4f83U,
0x34345c68U, 0xa5a5f451U, 0xe5e534d1U, 0xf1f108f9U,
0x717193e2U, 0xd8d873abU, 0x31315362U, 0x15153f2aU,
0x04040c08U, 0xc7c75295U, 0x23236546U, 0xc3c35e9dU,
0x18182830U, 0x9696a137U, 0x05050f0aU, 0x9a9ab52fU,
0x0707090eU, 0x12123624U, 0x80809b1bU, 0xe2e23ddfU,
0xebeb26cdU, 0x2727694eU, 0xb2b2cd7fU, 0x75759feaU,
0x09091b12U, 0x83839e1dU, 0x2c2c7458U, 0x1a1a2e34U,
0x1b1b2d36U, 0x6e6eb2dcU, 0x5a5aeeb4U, 0xa0a0fb5bU,
0x5252f6a4U, 0x3b3b4d76U, 0xd6d661b7U, 0xb3b3ce7dU,
0x29297b52U, 0xe3e33eddU, 0x2f2f715eU, 0x84849713U,
0x5353f5a6U, 0xd1d168b9U, 0x00000000U, 0xeded2cc1U,
0x20206040U, 0xfcfc1fe3U, 0xb1b1c879U, 0x5b5bedb6U,
0x6a6abed4U, 0xcbcb468dU, 0xbebed967U, 0x39394b72U,
0x4a4ade94U, 0x4c4cd498U, 0x5858e8b0U, 0xcfcf4a85U,
0xd0d06bbbU, 0xefef2ac5U, 0xaaaae54fU, 0xfbfb16edU,
0x4343c586U, 0x4d4dd79aU, 0x33335566U, 0x85859411U,
0x4545cf8aU, 0xf9f910e9U, 0x02020604U, 0x7f7f81feU,
0x5050f0a0U, 0x3c3c4478U, 0x9f9fba25U, 0xa8a8e34bU,
0x5151f3a2U, 0xa3a3fe5dU, 0x4040c080U, 0x8f8f8a05U,
0x9292ad3fU, 0x9d9dbc21U, 0x38384870U, 0xf5f504f1U,
0xbcbcdf63U, 0xb6b6c177U, 0xdada75afU, 0x21216342U,
0x10103020U, 0xffff1ae5U, 0xf3f30efdU, 0xd2d26dbfU,
0xcdcd4c81U, 0x0c0c1418U, 0x13133526U, 0xecec2fc3U,
0x5f5fe1beU, 0x9797a235U, 0x4444cc88U, 0x1717392eU,
0xc4c45793U, 0xa7a7f255U, 0x7e7e82fcU, 0x3d3d477aU,
0x6464acc8U, 0x5d5de7baU, 0x19192b32U, 0x737395e6U,
0x6060a0c0U, 0x81819819U, 0x4f4fd19eU, 0xdcdc7fa3U,
0x22226644U, 0x2a2a7e54U, 0x9090ab3bU, 0x8888830bU,
0x4646ca8cU, 0xeeee29c7U, 0xb8b8d36bU, 0x14143c28U,
0xdede79a7U, 0x5e5ee2bcU, 0x0b0b1d16U, 0xdbdb76adU,
0xe0e03bdbU, 0x32325664U, 0x3a3a4e74U, 0x0a0a1e14U,
0x4949db92U, 0x06060a0cU, 0x24246c48U, 0x5c5ce4b8U,
0xc2c25d9fU, 0xd3d36ebdU, 0xacacef43U, 0x6262a6c4U,
0x9191a839U, 0x9595a431U, 0xe4e437d3U, 0x79798bf2U,
0xe7e732d5U, 0xc8c8438bU, 0x3737596eU, 0x6d6db7daU,
0x8d8d8c01U, 0xd5d564b1U, 0x4e4ed29cU, 0xa9a9e049U,
0x6c6cb4d8U, 0x5656faacU, 0xf4f407f3U, 0xeaea25cfU,
0x6565afcaU, 0x7a7a8ef4U, 0xaeaee947U, 0x08081810U,
0xbabad56fU, 0x787888f0U, 0x25256f4aU, 0x2e2e725cU,
0x1c1c2438U, 0xa6a6f157U, 0xb4b4c773U, 0xc6c65197U,
0xe8e823cbU, 0xdddd7ca1U, 0x74749ce8U, 0x1f1f213eU,
0x4b4bdd96U, 0xbdbddc61U, 0x8b8b860dU, 0x8a8a850fU,
0x707090e0U, 0x3e3e427cU, 0xb5b5c471U, 0x6666aaccU,
0x4848d890U, 0x03030506U, 0xf6f601f7U, 0x0e0e121cU,
0x6161a3c2U, 0x35355f6aU, 0x5757f9aeU, 0xb9b9d069U,
0x86869117U, 0xc1c15899U, 0x1d1d273aU, 0x9e9eb927U,
0xe1e138d9U, 0xf8f813ebU, 0x9898b32bU, 0x11113322U,
0x6969bbd2U, 0xd9d970a9U, 0x8e8e8907U, 0x9494a733U,
0x9b9bb62dU, 0x1e1e223cU, 0x87879215U, 0xe9e920c9U,
0xcece4987U, 0x5555ffaaU, 0x28287850U, 0xdfdf7aa5U,
0x8c8c8f03U, 0xa1a1f859U, 0x89898009U, 0x0d0d171aU,
0xbfbfda65U, 0xe6e631d7U, 0x4242c684U, 0x6868b8d0U,
0x4141c382U, 0x9999b029U, 0x2d2d775aU, 0x0f0f111eU,
0xb0b0cb7bU, 0x5454fca8U, 0xbbbbd66dU, 0x16163a2cU,
};
static const uint32_t Te4[256] = {
0x63636363U, 0x7c7c7c7cU, 0x77777777U, 0x7b7b7b7bU,
0xf2f2f2f2U, 0x6b6b6b6bU, 0x6f6f6f6fU, 0xc5c5c5c5U,
0x30303030U, 0x01010101U, 0x67676767U, 0x2b2b2b2bU,
0xfefefefeU, 0xd7d7d7d7U, 0xababababU, 0x76767676U,
0xcacacacaU, 0x82828282U, 0xc9c9c9c9U, 0x7d7d7d7dU,
0xfafafafaU, 0x59595959U, 0x47474747U, 0xf0f0f0f0U,
0xadadadadU, 0xd4d4d4d4U, 0xa2a2a2a2U, 0xafafafafU,
0x9c9c9c9cU, 0xa4a4a4a4U, 0x72727272U, 0xc0c0c0c0U,
0xb7b7b7b7U, 0xfdfdfdfdU, 0x93939393U, 0x26262626U,
0x36363636U, 0x3f3f3f3fU, 0xf7f7f7f7U, 0xccccccccU,
0x34343434U, 0xa5a5a5a5U, 0xe5e5e5e5U, 0xf1f1f1f1U,
0x71717171U, 0xd8d8d8d8U, 0x31313131U, 0x15151515U,
0x04040404U, 0xc7c7c7c7U, 0x23232323U, 0xc3c3c3c3U,
0x18181818U, 0x96969696U, 0x05050505U, 0x9a9a9a9aU,
0x07070707U, 0x12121212U, 0x80808080U, 0xe2e2e2e2U,
0xebebebebU, 0x27272727U, 0xb2b2b2b2U, 0x75757575U,
0x09090909U, 0x83838383U, 0x2c2c2c2cU, 0x1a1a1a1aU,
0x1b1b1b1bU, 0x6e6e6e6eU, 0x5a5a5a5aU, 0xa0a0a0a0U,
0x52525252U, 0x3b3b3b3bU, 0xd6d6d6d6U, 0xb3b3b3b3U,
0x29292929U, 0xe3e3e3e3U, 0x2f2f2f2fU, 0x84848484U,
0x53535353U, 0xd1d1d1d1U, 0x00000000U, 0xededededU,
0x20202020U, 0xfcfcfcfcU, 0xb1b1b1b1U, 0x5b5b5b5bU,
0x6a6a6a6aU, 0xcbcbcbcbU, 0xbebebebeU, 0x39393939U,
0x4a4a4a4aU, 0x4c4c4c4cU, 0x58585858U, 0xcfcfcfcfU,
0xd0d0d0d0U, 0xefefefefU, 0xaaaaaaaaU, 0xfbfbfbfbU,
0x43434343U, 0x4d4d4d4dU, 0x33333333U, 0x85858585U,
0x45454545U, 0xf9f9f9f9U, 0x02020202U, 0x7f7f7f7fU,
0x50505050U, 0x3c3c3c3cU, 0x9f9f9f9fU, 0xa8a8a8a8U,
0x51515151U, 0xa3a3a3a3U, 0x40404040U, 0x8f8f8f8fU,
0x92929292U, 0x9d9d9d9dU, 0x38383838U, 0xf5f5f5f5U,
0xbcbcbcbcU, 0xb6b6b6b6U, 0xdadadadaU, 0x21212121U,
0x10101010U, 0xffffffffU, 0xf3f3f3f3U, 0xd2d2d2d2U,
0xcdcdcdcdU, 0x0c0c0c0cU, 0x13131313U, 0xececececU,
0x5f5f5f5fU, 0x97979797U, 0x44444444U, 0x17171717U,
0xc4c4c4c4U, 0xa7a7a7a7U, 0x7e7e7e7eU, 0x3d3d3d3dU,
0x64646464U, 0x5d5d5d5dU, 0x19191919U, 0x73737373U,
0x60606060U, 0x81818181U, 0x4f4f4f4fU, 0xdcdcdcdcU,
0x22222222U, 0x2a2a2a2aU, 0x90909090U, 0x88888888U,
0x46464646U, 0xeeeeeeeeU, 0xb8b8b8b8U, 0x14141414U,
0xdedededeU, 0x5e5e5e5eU, 0x0b0b0b0bU, 0xdbdbdbdbU,
0xe0e0e0e0U, 0x32323232U, 0x3a3a3a3aU, 0x0a0a0a0aU,
0x49494949U, 0x06060606U, 0x24242424U, 0x5c5c5c5cU,
0xc2c2c2c2U, 0xd3d3d3d3U, 0xacacacacU, 0x62626262U,
0x91919191U, 0x95959595U, 0xe4e4e4e4U, 0x79797979U,
0xe7e7e7e7U, 0xc8c8c8c8U, 0x37373737U, 0x6d6d6d6dU,
0x8d8d8d8dU, 0xd5d5d5d5U, 0x4e4e4e4eU, 0xa9a9a9a9U,
0x6c6c6c6cU, 0x56565656U, 0xf4f4f4f4U, 0xeaeaeaeaU,
0x65656565U, 0x7a7a7a7aU, 0xaeaeaeaeU, 0x08080808U,
0xbabababaU, 0x78787878U, 0x25252525U, 0x2e2e2e2eU,
0x1c1c1c1cU, 0xa6a6a6a6U, 0xb4b4b4b4U, 0xc6c6c6c6U,
0xe8e8e8e8U, 0xddddddddU, 0x74747474U, 0x1f1f1f1fU,
0x4b4b4b4bU, 0xbdbdbdbdU, 0x8b8b8b8bU, 0x8a8a8a8aU,
0x70707070U, 0x3e3e3e3eU, 0xb5b5b5b5U, 0x66666666U,
0x48484848U, 0x03030303U, 0xf6f6f6f6U, 0x0e0e0e0eU,
0x61616161U, 0x35353535U, 0x57575757U, 0xb9b9b9b9U,
0x86868686U, 0xc1c1c1c1U, 0x1d1d1d1dU, 0x9e9e9e9eU,
0xe1e1e1e1U, 0xf8f8f8f8U, 0x98989898U, 0x11111111U,
0x69696969U, 0xd9d9d9d9U, 0x8e8e8e8eU, 0x94949494U,
0x9b9b9b9bU, 0x1e1e1e1eU, 0x87878787U, 0xe9e9e9e9U,
0xcecececeU, 0x55555555U, 0x28282828U, 0xdfdfdfdfU,
0x8c8c8c8cU, 0xa1a1a1a1U, 0x89898989U, 0x0d0d0d0dU,
0xbfbfbfbfU, 0xe6e6e6e6U, 0x42424242U, 0x68686868U,
0x41414141U, 0x99999999U, 0x2d2d2d2dU, 0x0f0f0f0fU,
0xb0b0b0b0U, 0x54545454U, 0xbbbbbbbbU, 0x16161616U,
};

static const uint32_t rcon[] = {
0x01000000, 0x02000000, 0x04000000, 0x08000000,
0x10000000, 0x20000000, 0x40000000, 0x80000000,
0x1B000000, 0x36000000, /* for 128-bit blocks, Rijndael never uses more than 10 rcon values */
};

#define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)

#define GETU32(pt) (((uint32_t)(pt)[0] << 24) ^ ((uint32_t)(pt)[1] << 16) ^ ((uint32_t)(pt)[2] << 8) ^ ((uint32_t)(pt)[3]))
#define PUTU32(ct, st) { (ct)[0] = (uint8_t)((st) >> 24); (ct)[1] = (uint8_t)((st) >> 16); (ct)[2] = (uint8_t)((st) >> 8); (ct)[3] = (uint8_t)(st); }

/**
* Expand the cipher key into the encryption key schedule.
*
* @return the number of rounds for the given cipher key size.
*/
int rijndaelKeySetupEnc(uint32_t rk[/*4*(Nr + 1)*/], const uint8_t cipherKey[],
int keyBits) {
int i = 0;
uint32_t temp;

rk[0] = GETU32(cipherKey );
rk[1] = GETU32(cipherKey + 4);
rk[2] = GETU32(cipherKey + 8);
rk[3] = GETU32(cipherKey + 12);
rk[4] = GETU32(cipherKey + 16);
rk[5] = GETU32(cipherKey + 20);
rk[6] = GETU32(cipherKey + 24);
rk[7] = GETU32(cipherKey + 28);
for (;;) {
temp = rk[ 7];
rk[ 8] = rk[ 0] ^
(Te4[(temp >> 16) & 0xff] & 0xff000000) ^
(Te4[(temp >> 8) & 0xff] & 0x00ff0000) ^
(Te4[(temp ) & 0xff] & 0x0000ff00) ^
(Te4[(temp >> 24) ] & 0x000000ff) ^
rcon[i];
rk[ 9] = rk[ 1] ^ rk[ 8];
rk[10] = rk[ 2] ^ rk[ 9];
rk[11] = rk[ 3] ^ rk[10];
if (++i == 7) {
return 14;
}
temp = rk[11];
rk[12] = rk[ 4] ^
(Te4[(temp >> 24) ] & 0xff000000) ^
(Te4[(temp >> 16) & 0xff] & 0x00ff0000) ^
(Te4[(temp >> 8) & 0xff] & 0x0000ff00) ^
(Te4[(temp ) & 0xff] & 0x000000ff);
rk[13] = rk[ 5] ^ rk[12];
rk[14] = rk[ 6] ^ rk[13];
rk[15] = rk[ 7] ^ rk[14];

rk += 8;
}
return 0;
}

void rijndaelEncrypt(const uint32_t rk[/*4*(Nr + 1)*/], int Nr,
const uint8_t pt[16], uint8_t ct[16]) {
uint32_t s0, s1, s2, s3, t0 = 0, t1 = 0, t2 = 0, t3 = 0;

/*
* map byte array block to cipher state
* and add initial round key:
*/
s0 = GETU32(pt ) ^ rk[0];
s1 = GETU32(pt + 4) ^ rk[1];
s2 = GETU32(pt + 8) ^ rk[2];
s3 = GETU32(pt + 12) ^ rk[3];
/* round 1: */
t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 &
0xff] ^ rk[ 4];
t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 &
0xff] ^ rk[ 5];
t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 &
0xff] ^ rk[ 6];
t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 &
0xff] ^ rk[ 7];
/* round 2: */
s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 &
0xff] ^ rk[ 8];
s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 &
0xff] ^ rk[ 9];
s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 &
0xff] ^ rk[10];
s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 &
0xff] ^ rk[11];
/* round 3: */
t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 &
0xff] ^ rk[12];
t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 &
0xff] ^ rk[13];
t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 &
0xff] ^ rk[14];
t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 &
0xff] ^ rk[15];
/* round 4: */
s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 &
0xff] ^ rk[16];
s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 &
0xff] ^ rk[17];
s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 &
0xff] ^ rk[18];
s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 &
0xff] ^ rk[19];
/* round 5: */
t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 &
0xff] ^ rk[20];
t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 &
0xff] ^ rk[21];
t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 &
0xff] ^ rk[22];
t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 &
0xff] ^ rk[23];
/* round 6: */
s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 &
0xff] ^ rk[24];
s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 &
0xff] ^ rk[25];
s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 &
0xff] ^ rk[26];
s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 &
0xff] ^ rk[27];
/* round 7: */
t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 &
0xff] ^ rk[28];
t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 &
0xff] ^ rk[29];
t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 &
0xff] ^ rk[30];
t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 &
0xff] ^ rk[31];
/* round 8: */
s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 &
0xff] ^ rk[32];
s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 &
0xff] ^ rk[33];
s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 &
0xff] ^ rk[34];
s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 &
0xff] ^ rk[35];
/* round 9: */
t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 &
0xff] ^ rk[36];
t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 &
0xff] ^ rk[37];
t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 &
0xff] ^ rk[38];
t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 &
0xff] ^ rk[39];

/* round 10: */
s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 &
0xff] ^ rk[40];
s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 &
0xff] ^ rk[41];
s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 &
0xff] ^ rk[42];
s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 &
0xff] ^ rk[43];
/* round 11: */
t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 &
0xff] ^ rk[44];
t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 &
0xff] ^ rk[45];
t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 &
0xff] ^ rk[46];
t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 &
0xff] ^ rk[47];

/* round 12: */
s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 &
0xff] ^ rk[48];
s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 &
0xff] ^ rk[49];
s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 &
0xff] ^ rk[50];
s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 &
0xff] ^ rk[51];
/* round 13: */
t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 &
0xff] ^ rk[52];
t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 &
0xff] ^ rk[53];
t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 &
0xff] ^ rk[54];
t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 &
0xff] ^ rk[55];


rk += Nr << 2;
/*
* apply last round and
* map cipher state to byte array block:
*/
s0 =
(Te4[(t0 >> 24) ] & 0xff000000) ^
(Te4[(t1 >> 16) & 0xff] & 0x00ff0000) ^
(Te4[(t2 >> 8) & 0xff] & 0x0000ff00) ^
(Te4[(t3 ) & 0xff] & 0x000000ff) ^
rk[0];
PUTU32(ct, s0);
s1 =
(Te4[(t1 >> 24) ] & 0xff000000) ^
(Te4[(t2 >> 16) & 0xff] & 0x00ff0000) ^
(Te4[(t3 >> 8) & 0xff] & 0x0000ff00) ^
(Te4[(t0 ) & 0xff] & 0x000000ff) ^
rk[1];
PUTU32(ct + 4, s1);
s2 =
(Te4[(t2 >> 24) ] & 0xff000000) ^
(Te4[(t3 >> 16) & 0xff] & 0x00ff0000) ^
(Te4[(t0 >> 8) & 0xff] & 0x0000ff00) ^
(Te4[(t1 ) & 0xff] & 0x000000ff) ^
rk[2];
PUTU32(ct + 8, s2);
s3 =
(Te4[(t3 >> 24) ] & 0xff000000) ^
(Te4[(t0 >> 16) & 0xff] & 0x00ff0000) ^
(Te4[(t1 >> 8) & 0xff] & 0x0000ff00) ^
(Te4[(t2 ) & 0xff] & 0x000000ff) ^
rk[3];
PUTU32(ct + 12, s3);
}

+ 41
- 0
crypto_kem/ledakemlt12/clean/aes256.h View File

@@ -0,0 +1,41 @@
#pragma once
/**
* AES-256 self contained implementation derived from :
*
* rijndael-alg-fst.h
*
* @version 3.0 (December 2000)
*
* Optimised ANSI C code for the Rijndael cipher (now AES)
*
* @author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
* @author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
* @author Paulo Barreto <paulo.barreto@terra.com.br>
*
* originally placed in the public domain by the authors.
*
*
*
* This code is hereby placed in the public domain.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
* OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
* EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/


#define NROUNDS 14
#define KEYLEN_b 256

int rijndaelKeySetupEnc(uint32_t rk[/*4*(Nr + 1)*/], const uint8_t cipherKey[],
int keyBits);
void rijndaelEncrypt(const uint32_t rk[/*4*(Nr + 1)*/], int Nr,
const uint8_t pt[16], uint8_t ct[16]);

+ 75
- 0
crypto_kem/ledakemlt12/clean/api.h View File

@@ -0,0 +1,75 @@
/**
*
* <api.h>
*
* @version 2.0 (March 2019)
*
* Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
*
* In alphabetical order:
*
* @author Marco Baldi <m.baldi@univpm.it>
* @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
* @author Franco Chiaraluce <f.chiaraluce@univpm.it>
* @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
* @author Paolo Santini <p.santini@pm.univpm.it>
*
* This code is hereby placed in the public domain.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
* OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
* EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
**/

#pragma once

#include "qc_ldpc_parameters.h"
#include "gf2x_limbs.h"
#include "gf2x_arith_mod_xPplusOne.h"

#define CRYPTO_ALGNAME "LEDA"

/* required bytes of input randomness */
#define CRYPTO_RANDOMBYTES TRNG_BYTE_LENGTH

/* size in bytes of the secret key */
#define CRYPTO_SECRETKEYBYTES TRNG_BYTE_LENGTH+1

/* size in bytes of the public key */
#define CRYPTO_PUBLICKEYBYTES ((N0-1)*NUM_DIGITS_GF2X_ELEMENT*DIGIT_SIZE_B)

/* size in bytes of the shared secret */
#define CRYPTO_BYTES HASH_BYTE_LENGTH

/*size in bytes of the ciphertext*/
#define CRYPTO_CIPHERTEXTBYTES (NUM_DIGITS_GF2X_ELEMENT*DIGIT_SIZE_B)

/* Your functions must return 0 to indicate success, -1 to indicate an error
* condition */

/* Generates a keypair - pk is the public key and sk is the secret key. */
int crypto_kem_keypair( unsigned char *pk,
unsigned char *sk );

/* Encrypt - pk is the public key, ct is a key encapsulation message
(ciphertext), ss is the shared secret.*/
int crypto_kem_enc( unsigned char *ct,
unsigned char *ss,
const unsigned char *pk );


/* Decrypt - ct is a key encapsulation message (ciphertext), sk is the private
key, ss is the shared secret */

int crypto_kem_dec( unsigned char *ss,
const unsigned char *ct,
const unsigned char *sk );

+ 114
- 0
crypto_kem/ledakemlt12/clean/bf_decoding.c View File

@@ -0,0 +1,114 @@
/**
*
* <bf_decoding.c>
*
* @version 2.0 (March 2019)
*
* Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
*
* In alphabetical order:
*
* @author Marco Baldi <m.baldi@univpm.it>
* @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
* @author Franco Chiaraluce <f.chiaraluce@univpm.it>
* @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
* @author Paolo Santini <p.santini@pm.univpm.it>
*
* This code is hereby placed in the public domain.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
* OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
* EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
**/
#include "bf_decoding.h"
#include "gf2x_arith_mod_xPplusOne.h"
#include <string.h>
#include <assert.h>

#define ROTBYTE(a) ( (a << 8) | (a >> (DIGIT_SIZE_b - 8)) )
#define ROTUPC(a) ( (a >> 8) | (a << (DIGIT_SIZE_b - 8)) )

int thresholds[2] = {B0, (DV * M) / 2 + 1};

int bf_decoding(DIGIT out[], // N0 polynomials
const POSITION_T HtrPosOnes[N0][DV],
const POSITION_T QtrPosOnes[N0][M],
DIGIT privateSyndrome[] // 1 polynomial
) {
#if P < 64
#error The circulant block size should exceed 64
#endif

uint8_t unsatParityChecks[N0 * P];
POSITION_T currQBlkPos[M], currQBitPos[M];
DIGIT currSyndrome[NUM_DIGITS_GF2X_ELEMENT];
int check;
int iteration = 0;

do {
gf2x_copy(currSyndrome, privateSyndrome);
memset(unsatParityChecks, 0x00, N0 * P * sizeof(uint8_t));
for (int i = 0; i < N0; i++) {
for (int valueIdx = 0; valueIdx < P; valueIdx++) {
for (int HtrOneIdx = 0; HtrOneIdx < DV; HtrOneIdx++) {
POSITION_T tmp = (HtrPosOnes[i][HtrOneIdx] + valueIdx) >= P ? (HtrPosOnes[i][HtrOneIdx] + valueIdx) - P : (HtrPosOnes[i][HtrOneIdx] + valueIdx);
if (gf2x_get_coeff(currSyndrome, tmp)) {
unsatParityChecks[i * P + valueIdx]++;
}
}
}
}

/* iteration based threshold determination*/
int corrt_syndrome_based = thresholds[iteration];

//Computation of correlation with a full Q matrix
for (int i = 0; i < N0; i++) {
for (int j = 0; j < P; j++) {
int currQoneIdx = 0; // position in the column of QtrPosOnes[][...]
int endQblockIdx = 0;
int correlation = 0;

for (int blockIdx = 0; blockIdx < N0; blockIdx++) {
endQblockIdx += qBlockWeights[blockIdx][i];
int currblockoffset = blockIdx * P;
for (; currQoneIdx < endQblockIdx; currQoneIdx++) {
int tmp = QtrPosOnes[i][currQoneIdx] + j;
tmp = tmp >= P ? tmp - P : tmp;
currQBitPos[currQoneIdx] = tmp;
currQBlkPos[currQoneIdx] = blockIdx;
correlation += unsatParityChecks[tmp + currblockoffset];
}
}
/* Correlation based flipping */
if (correlation >= corrt_syndrome_based) {
gf2x_toggle_coeff(out + NUM_DIGITS_GF2X_ELEMENT * i, j);
for (int v = 0; v < M; v++) {
unsigned syndromePosToFlip;
for (int HtrOneIdx = 0; HtrOneIdx < DV; HtrOneIdx++) {
syndromePosToFlip = (HtrPosOnes[currQBlkPos[v]][HtrOneIdx] + currQBitPos[v] );
syndromePosToFlip = syndromePosToFlip >= P ? syndromePosToFlip - P : syndromePosToFlip;
gf2x_toggle_coeff(privateSyndrome, syndromePosToFlip);
}
} // end for v
} // end if
} // end for j
} // end for i

iteration = iteration + 1;
check = 0;
while (check < NUM_DIGITS_GF2X_ELEMENT && privateSyndrome[check++] == 0);

} while (iteration < ITERATIONS_MAX && check < NUM_DIGITS_GF2X_ELEMENT);

return (check == NUM_DIGITS_GF2X_ELEMENT);
} // end QdecodeSyndromeThresh_bitFlip_sparse

+ 78
- 0
crypto_kem/ledakemlt12/clean/bf_decoding.h View File

@@ -0,0 +1,78 @@
/**
*
* <bf_decoding.h>
*
* @version 2.0 (March 2019)
*
* Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
*
* In alphabetical order:
*
* @author Marco Baldi <m.baldi@univpm.it>
* @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
* @author Franco Chiaraluce <f.chiaraluce@univpm.it>
* @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
* @author Paolo Santini <p.santini@pm.univpm.it>
*
* This code is hereby placed in the public domain.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
* OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
* EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
**/


#pragma once
#include "qc_ldpc_parameters.h"
#include "gf2x_limbs.h"
#define ITERATIONS_MAX (2)


int bf_decoding(DIGIT err[],
const POSITION_T HtrPosOnes[N0][DV],
const POSITION_T QtrPosOnes[N0][M], // N0 vectors containing exp.s of Qtr ones
DIGIT privateSyndrome[] // 1 polynomial -- param. in/out
);

/* Definitions for DFR level 2^-64 */
#if (CATEGORY == 1) && (N0 == 2) && (DFR_SL_LEVEL == 0)
#define B0 44
#define T_BAR 4
#endif

#if ((CATEGORY == 2) || (CATEGORY == 3)) && (N0 == 2) && (DFR_SL_LEVEL == 0)
#define B0 64
#define T_BAR 5
#endif

#if ((CATEGORY == 4) || (CATEGORY == 5)) && (N0 == 2) && (DFR_SL_LEVEL == 0)
#define B0 89
#define T_BAR 6
#endif

/* Definitions for DFR level 2^-SL */
#if (CATEGORY == 1) && (N0 == 2) && (DFR_SL_LEVEL == 1)
#define B0 43
#define T_BAR 4
#endif

#if ((CATEGORY == 2) || (CATEGORY == 3)) && (N0 == 2) && (DFR_SL_LEVEL == 1)
#define B0 64
#define T_BAR 5
#endif

#if ((CATEGORY == 4) || (CATEGORY == 5)) && (N0 == 2) && (DFR_SL_LEVEL == 1)
#define B0 88
#define T_BAR 6
#endif



+ 114
- 0
crypto_kem/ledakemlt12/clean/dfr_test.c View File

@@ -0,0 +1,114 @@
#include "qc_ldpc_parameters.h"
#include "gf2x_arith_mod_xPplusOne.h"
#include "bf_decoding.h"

#include <string.h>

/*---------------------------------------------------------------------------*/
/* Tests if the current code attains the desired DFR. If that is the case,
* computes the threshold for the second iteration of the decoder and stores
* it in the globally accessible vector*/

extern int thresholds[2];

int DFR_test(POSITION_T LSparse[N0][DV * M]) {

POSITION_T LSparse_loc[N0][DV * M];

/*transpose blocks of L, we need its columns */
for (int i = 0; i < N0; i++) {
for (int j = 0; j < DV * M; j++) {
if (LSparse[i][j] != 0) {
LSparse_loc[i][j] = (P - LSparse[i][j]) ;
}
}
quicksort(LSparse_loc[i], DV * M);
}
/* Gamma matrix: an N0 x N0 block circulant matrix with block size p
* gamma[a][b][c] stores the intersection of the first column of the a-th
* block of L with the c-th column of the b-th block of L */
/* Gamma computation can be accelerated employing symmetry and QC properties */
int gamma[N0][N0][P] = {{{0}}};
unsigned int rotated_column[DV * M];
for (int i = 0; i < N0; i++ ) {
for (int j = 0; j < N0; j++ ) {
for (int k = 0; k < P; k++) {
/* compute the rotated sparse column needed */
for (int idxToRotate = 0; idxToRotate < (DV * M); idxToRotate++) {
rotated_column[idxToRotate] = (LSparse_loc[j][idxToRotate] + k) % P;
}
quicksort(rotated_column, DV * M);
/* compute the intersection amount */
int firstidx = 0, secondidx = 0;
int intersectionval = 0;
while ( (firstidx < DV * M) && (secondidx < DV * M) ) {
if ( LSparse_loc[i][firstidx] == rotated_column[secondidx] ) {
intersectionval++;
firstidx++;
secondidx++;
}
if ( LSparse_loc[i][firstidx] > rotated_column[secondidx] ) {
secondidx++;
}
if ( LSparse_loc[i][firstidx] < rotated_column[secondidx] ) {
firstidx++;
}
}
gamma[i][j][k] = intersectionval;

}
}
}
for (int i = 0; i < N0; i++ ) {
for (int j = 0; j < N0; j++ ) {
gamma[i][j][0] = 0;
}
}
/* build histogram of values in gamma */
unsigned int gammaHist[N0][DV * M + 1] = {{0}};
for (int i = 0; i < N0; i++ ) {
for (int j = 0; j < N0; j++ ) {
for (int k = 0; k < P; k++) {
gammaHist[i][gamma[i][j][k]]++;
}
}
}

int maxMut[N0], maxMutMinusOne[N0];
int allBlockMaxSumst, allBlockMaxSumstMinusOne;

for (int gammaBlockRowIdx = 0; gammaBlockRowIdx < N0; gammaBlockRowIdx++) {
int toAdd = T_BAR - 1;
maxMutMinusOne[gammaBlockRowIdx] = 0;
int histIdx = DV * M;
while ( (histIdx > 0) && (toAdd > 0)) {
if (gammaHist[gammaBlockRowIdx][histIdx] > toAdd ) {
maxMutMinusOne[gammaBlockRowIdx] += histIdx * toAdd;
toAdd = 0;
} else {
maxMutMinusOne[gammaBlockRowIdx] += histIdx * gammaHist[gammaBlockRowIdx][histIdx];
toAdd -= gammaHist[gammaBlockRowIdx][histIdx];
histIdx--;
}
}
maxMut[gammaBlockRowIdx] = histIdx + maxMutMinusOne[gammaBlockRowIdx];
}


/*seek max values across all gamma blocks */
allBlockMaxSumst = maxMut[0];
allBlockMaxSumstMinusOne = maxMutMinusOne[0];
for (int gammaBlockRowIdx = 0; gammaBlockRowIdx < N0 ; gammaBlockRowIdx++) {
allBlockMaxSumst = allBlockMaxSumst < maxMut[gammaBlockRowIdx] ?
maxMut[gammaBlockRowIdx] :
allBlockMaxSumst;
allBlockMaxSumstMinusOne = allBlockMaxSumstMinusOne < maxMutMinusOne[gammaBlockRowIdx] ?
maxMutMinusOne[gammaBlockRowIdx] :
allBlockMaxSumstMinusOne;
}
if (DV * M > (allBlockMaxSumstMinusOne + allBlockMaxSumst)) {
thresholds[1] = allBlockMaxSumst + 1;
return 1;
}
return 0;
}

+ 3
- 0
crypto_kem/ledakemlt12/clean/dfr_test.h View File

@@ -0,0 +1,3 @@
#pragma once

int DFR_test(POSITION_T LSparse[N0][DV * M]);

+ 462
- 0
crypto_kem/ledakemlt12/clean/gf2x_arith.c View File

@@ -0,0 +1,462 @@
/**
*
* <gf2x_arith.c>
*
* @version 2.0 (March 2019)
*
* Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
*
* In alphabetical order:
*
* @author Marco Baldi <m.baldi@univpm.it>
* @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
* @author Franco Chiaraluce <f.chiaraluce@univpm.it>
* @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
* @author Paolo Santini <p.santini@pm.univpm.it>
*
* This code is hereby placed in the public domain.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
* OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
* EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
**/


#include "gf2x_arith.h"
#include <string.h> // memset(...)
#include <assert.h>

/*----------------------------------------------------------------------------*/

/* allows the second operand to be shorter than the first */
/* the result should be as large as the first operand*/
static inline void gf2x_add_asymm(const int nr, DIGIT Res[],
const int na, const DIGIT A[],
const int nb, const DIGIT B[]) {
int delta = na - nb;
for (unsigned i = 0; i < delta; i++) {
Res[i] = A[i];
}
for (unsigned i = 0; i < nb; i++) {
Res[i + delta] = A[i + delta] ^ B[i];
}
} // end gf2x_add

/*----------------------------------------------------------------------------*/

/* PRE: MAX ALLOWED ROTATION AMOUNT : DIGIT_SIZE_b */

void right_bit_shift_n(const int length, DIGIT in[], const int amount) {
assert(amount < DIGIT_SIZE_b);
if ( amount == 0 ) {
return;
}
int j;
DIGIT mask;
mask = ((DIGIT)0x01 << amount) - 1;
for (j = length - 1; j > 0 ; j--) {
in[j] >>= amount;
in[j] |= (in[j - 1] & mask) << (DIGIT_SIZE_b - amount);
}
in[j] >>= amount;
} // end right_bit_shift_n

/*----------------------------------------------------------------------------*/

/* PRE: MAX ALLOWED ROTATION AMOUNT : DIGIT_SIZE_b */
void left_bit_shift_n(const int length, DIGIT in[], const int amount) {
assert(amount < DIGIT_SIZE_b);
if ( amount == 0 ) {
return;
}
int j;
DIGIT mask;
mask = ~(((DIGIT)0x01 << (DIGIT_SIZE_b - amount)) - 1);
for (j = 0 ; j < length - 1 ; j++) {
in[j] <<= amount;
in[j] |= (in[j + 1] & mask) >> (DIGIT_SIZE_b - amount);
}
in[j] <<= amount;
} // end right_bit_shift_n

/*----------------------------------------------------------------------------*/

void gf2x_mul_comb(const int nr, DIGIT Res[],
const int na, const DIGIT A[],
const int nb, const DIGIT B[]) {
int i, j, k;
DIGIT u, h;

memset(Res, 0x00, nr * sizeof(DIGIT));

for (k = DIGIT_SIZE_b - 1; k > 0; k--) {
for (i = na - 1; i >= 0; i--)
if ( A[i] & (((DIGIT)0x1) << k) )
for (j = nb - 1; j >= 0; j--) {
Res[i + j + 1] ^= B[j];
}


u = Res[na + nb - 1];
Res[na + nb - 1] = u << 0x1;
for (j = 1; j < na + nb; ++j) {
h = u >> (DIGIT_SIZE_b - 1);
u = Res[na + nb - 1 - j];
Res[na + nb - 1 - j] = h ^ (u << 0x1);
}
}
for (i = na - 1; i >= 0; i--)
if ( A[i] & ((DIGIT)0x1) )
for (j = nb - 1; j >= 0; j--) {
Res[i + j + 1] ^= B[j];
}
}

/*----------------------------------------------------------------------------*/

static inline void gf2x_exact_div_x_plus_one(const int na, DIGIT A[]) {
DIGIT t = 0;
for (int i = na - 1; i >= 0; i--) {

t ^= A[i];

for (int j = 1; j <= DIGIT_SIZE_b / 2; j = j * 2) {
t ^= t << (unsigned) j;
}
A[i] = t;
t >>= DIGIT_SIZE_b - 1;
}
} // end gf2x_exact_div_x_plus_one

/*---------------------------------------------------------------------------*/
#define MIN_KAR_DIGITS 20

void gf2x_mul_Kar(const int nr, DIGIT Res[],
const int na, const DIGIT A[],
const int nb, const DIGIT B[]) {

if (na < MIN_KAR_DIGITS || nb < MIN_KAR_DIGITS) {
/* fall back to schoolbook */
gf2x_mul_comb(nr, Res, na, A, nb, B);
return;
}

if (na % 2 == 0) {
unsigned bih = na / 2;
DIGIT middle[2 * bih], sumA[bih], sumB[bih];
gf2x_add(bih, sumA,
bih, A,
bih, A + bih);
gf2x_add(bih, sumB,
bih, B,
bih, B + bih);
gf2x_mul_Kar(2 * bih, middle,
bih, sumA,
bih, sumB);
gf2x_mul_Kar(2 * bih, Res + 2 * bih,
bih, A + bih,
bih, B + bih);
gf2x_add(2 * bih, middle,
2 * bih, middle,
2 * bih, Res + 2 * bih);
gf2x_mul_Kar(2 * bih, Res,
bih, A,
bih, B);
gf2x_add(2 * bih, middle,
2 * bih, middle,
2 * bih, Res);
gf2x_add(2 * bih, Res + bih,
2 * bih, Res + bih,
2 * bih, middle);
} else {
unsigned bih = na / 2 + 1;
DIGIT middle[2 * bih], sumA[bih], sumB[bih];
gf2x_add_asymm(bih, sumA,
bih, A + bih - 1,
bih - 1, A);
gf2x_add_asymm(bih, sumB,
bih, B + bih - 1,
bih - 1, B);
gf2x_mul_Kar(2 * bih, middle,
bih, sumA,
bih, sumB);
gf2x_mul_Kar(2 * bih, Res + 2 * (bih - 1),
bih, A + bih - 1,
bih, B + bih - 1);
gf2x_add(2 * bih, middle,
2 * bih, middle,
2 * bih, Res + 2 * (bih - 1));
gf2x_mul_Kar(2 * (bih - 1), Res,
(bih - 1), A,
(bih - 1), B);
gf2x_add_asymm(2 * bih, middle,
2 * bih, middle,
2 * (bih - 1), Res);
gf2x_add(2 * bih, Res + bih - 2,
2 * bih, Res + bih - 2,
2 * bih, middle);
}
}


/*---------------------------------------------------------------------------*/
#define MIN_TOOM_DIGITS 35

void gf2x_mul_TC3(const int nr, DIGIT Res[],
const int na, const DIGIT A[],
const int nb, const DIGIT B[]) {

if (na < MIN_TOOM_DIGITS || nb < MIN_TOOM_DIGITS) {
/* fall back to schoolbook */
gf2x_mul_Kar(nr, Res, na, A, nb, B);
return;
}

unsigned bih; //number of limbs for each part.
if (na % 3 == 0) {
bih = na / 3;
} else {
bih = na / 3 + 1;
}

DIGIT u2[bih], u1[bih], u0[bih];

int leading_slack = (3 - (na) % 3) % 3;
// printf("leading slack %d",leading_slack);
int i;
for (i = 0; i < leading_slack ; i++) {
u2[i] = 0;
}
for (; i < bih; ++i) {
u2[i] = A[i - leading_slack];
}
/* note: only u2 needs to be a copy, refactor */
for (; i < 2 * bih; ++i) {
u1[i - bih] = A[i - leading_slack];
}
for (; i < 3 * bih; ++i) {
u0[i - 2 * bih] = A[i - leading_slack];
}

DIGIT v2[bih], v1[bih], v0[bih]; /* partitioned inputs */
/* note: only v2 needs to be a copy, refactor */
for (i = 0; i < leading_slack ; i++) {
v2[i] = 0;
}
for (; i < bih; ++i) {
v2[i] = B[i - leading_slack];
}
/* note , only v2 needs to be a copy */
for (; i < 2 * bih; ++i) {
v1[i - bih] = B[i - leading_slack];
}
for (; i < 3 * bih; ++i) {
v0[i - 2 * bih] = B[i - leading_slack];
}

DIGIT sum_u[bih]; /*bih digit wide*/
gf2x_add(bih, sum_u,
bih, u0,
bih, u1);
gf2x_add(bih, sum_u,
bih, sum_u,
bih, u2);

DIGIT sum_v[bih]; /*bih digit wide*/
gf2x_add(bih, sum_v,
bih, v0,
bih, v1);
gf2x_add(bih, sum_v,
bih, sum_v,
bih, v2);


DIGIT w1[2 * bih];
gf2x_mul_TC3(2 * bih, w1,
bih, sum_u,
bih, sum_v);


DIGIT u2_x2[bih + 1];
u2_x2[0] = 0;
memcpy(u2_x2 + 1, u2, bih * DIGIT_SIZE_B);
left_bit_shift_n(bih + 1, u2_x2, 2);

DIGIT u1_x[bih + 1];
u1_x[0] = 0;
memcpy(u1_x + 1, u1, bih * DIGIT_SIZE_B);
left_bit_shift_n(bih + 1, u1_x, 1);

DIGIT u1_x1_u2_x2[bih + 1];
gf2x_add(bih + 1, u1_x1_u2_x2,
bih + 1, u1_x,
bih + 1, u2_x2);

DIGIT temp_u_components[bih + 1];
gf2x_add_asymm(bih + 1, temp_u_components,
bih + 1, u1_x1_u2_x2,
bih, sum_u);

DIGIT v2_x2[bih + 1];
v2_x2[0] = 0;
memcpy(v2_x2 + 1, v2, bih * DIGIT_SIZE_B);
left_bit_shift_n(bih + 1, v2_x2, 2);

DIGIT v1_x[bih + 1];
v1_x[0] = 0;
memcpy(v1_x + 1, v1, bih * DIGIT_SIZE_B);
left_bit_shift_n(bih + 1, v1_x, 1);

DIGIT v1_x1_v2_x2[bih + 1];
gf2x_add(bih + 1, v1_x1_v2_x2,
bih + 1, v1_x,
bih + 1, v2_x2);

DIGIT temp_v_components[bih + 1];
gf2x_add_asymm(bih + 1, temp_v_components,
bih + 1, v1_x1_v2_x2,
bih, sum_v);

DIGIT w3[2 * bih + 2];
gf2x_mul_TC3(2 * bih + 2, w3,
bih + 1, temp_u_components,
bih + 1, temp_v_components);

gf2x_add_asymm(bih + 1, u1_x1_u2_x2,
bih + 1, u1_x1_u2_x2,
bih, u0);
gf2x_add_asymm(bih + 1, v1_x1_v2_x2,
bih + 1, v1_x1_v2_x2,
bih, v0);

DIGIT w2[2 * bih + 2];
gf2x_mul_TC3(2 * bih + 2, w2,
bih + 1, u1_x1_u2_x2,
bih + 1, v1_x1_v2_x2);

DIGIT w4[2 * bih];
gf2x_mul_TC3(2 * bih, w4,
bih, u2,
bih, v2);
DIGIT w0[2 * bih];
gf2x_mul_TC3(2 * bih, w0,
bih, u0,
bih, v0);

// Interpolation starts
gf2x_add(2 * bih + 2, w3,
2 * bih + 2, w2,
2 * bih + 2, w3);
gf2x_add_asymm(2 * bih + 2, w2,
2 * bih + 2, w2,
2 * bih, w0);
right_bit_shift_n(2 * bih + 2, w2, 1);
gf2x_add(2 * bih + 2, w2,
2 * bih + 2, w2,
2 * bih + 2, w3);

// w2 + (w4 * x^3+1) = w2 + w4 + w4 << 3
DIGIT w4_x3_plus_1[2 * bih + 1];
w4_x3_plus_1[0] = 0;
memcpy(w4_x3_plus_1 + 1, w4, 2 * bih * DIGIT_SIZE_B);
left_bit_shift_n(2 * bih + 1, w4_x3_plus_1, 3);
gf2x_add_asymm(2 * bih + 2, w2,
2 * bih + 2, w2,
2 * bih, w4);
gf2x_add_asymm(2 * bih + 2, w2,
2 * bih + 2, w2,
2 * bih + 1, w4_x3_plus_1);

gf2x_exact_div_x_plus_one(2 * bih + 2, w2);

gf2x_add(2 * bih, w1,
2 * bih, w1,
2 * bih, w0);
gf2x_add_asymm(2 * bih + 2, w3,
2 * bih + 2, w3,
2 * bih, w1);

right_bit_shift_n(2 * bih + 2, w3, 1);
gf2x_exact_div_x_plus_one(2 * bih + 2, w3);

gf2x_add(2 * bih, w1,
2 * bih, w1,
2 * bih, w4);

DIGIT w1_final[2 * bih + 2];
gf2x_add_asymm(2 * bih + 2, w1_final,
2 * bih + 2, w2,
2 * bih, w1);
gf2x_add(2 * bih + 2, w2,
2 * bih + 2, w2,
2 * bih + 2, w3);

// Result recombination starts here

memset(Res, 0, nr * DIGIT_SIZE_B);
/* optimization: topmost slack digits should be computed, and not addedd,
* zeroization can be avoided altogether with a proper merge of the
* results */

int leastSignifDigitIdx = nr - 1;
for (int i = 0; i < 2 * bih; i++) {
Res[leastSignifDigitIdx - i] ^= w0[2 * bih - 1 - i];
}
leastSignifDigitIdx -= bih;
for (int i = 0; i < 2 * bih + 2; i++) {
Res[leastSignifDigitIdx - i] ^= w1_final[2 * bih + 2 - 1 - i];
}
leastSignifDigitIdx -= bih;
for (int i = 0; i < 2 * bih + 2; i++) {
Res[leastSignifDigitIdx - i] ^= w2[2 * bih + 2 - 1 - i];
}
leastSignifDigitIdx -= bih;
for (int i = 0; i < 2 * bih + 2 ; i++) {
Res[leastSignifDigitIdx - i] ^= w3[2 * bih + 2 - 1 - i];
}
leastSignifDigitIdx -= bih;
for (int i = 0; i < 2 * bih && (leastSignifDigitIdx - i >= 0) ; i++) {
Res[leastSignifDigitIdx - i] ^= w4[2 * bih - 1 - i];
}
}


/*----------------------------------------------------------------------------*/

int gf2x_cmp(const unsigned lenA, const DIGIT A[],
const unsigned lenB, const DIGIT B[]) {

int i;
unsigned lA = lenA, lB = lenB;
for (i = 0; i < lenA && A[i] == 0; i++) {
lA--;
}
for (i = 0; i < lenB && B[i] == 0; i++) {
lB--;
}
if (lA < lB) {
return -1;
}
if (lA > lB) {
return +1;
}
for (i = 0; i < lA; i++) {
if (A[i] > B[i]) {
return +1;
}
if (A[i] < B[i]) {
return -1;
}
}
return 0;

} // end gf2x_cmp

+ 112
- 0
crypto_kem/ledakemlt12/clean/gf2x_arith.h View File

@@ -0,0 +1,112 @@
/**
*
* <gf2x_arith.h>
*
* @version 2.0 (March 2019)
*
* Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
*
* In alphabetical order:
*
* @author Marco Baldi <m.baldi@univpm.it>
* @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
* @author Franco Chiaraluce <f.chiaraluce@univpm.it>
* @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
* @author Paolo Santini <p.santini@pm.univpm.it>
*
* This code is hereby placed in the public domain.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
* OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
* EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
**/

#pragma once

#include "gf2x_limbs.h"

/*----------------------------------------------------------------------------*/
/*
* Elements of GF(2)[x] are stored in compact dense binary form.
*
* Each bit in a byte is assumed to be the coefficient of a binary
* polynomial f(x), in Big-Endian format (i.e., reading everything from
* left to right, the most significant element is met first):
*
* byte:(0000 0000) == 0x00 ... f(x) == 0
* byte:(0000 0001) == 0x01 ... f(x) == 1
* byte:(0000 0010) == 0x02 ... f(x) == x
* byte:(0000 0011) == 0x03 ... f(x) == x+1
* ... ... ...
* byte:(0000 1111) == 0x0F ... f(x) == x^{3}+x^{2}+x+1
* ... ... ...
* byte:(1111 1111) == 0xFF ... f(x) == x^{7}+x^{6}+x^{5}+x^{4}+x^{3}+x^{2}+x+1
*
*
* A "machine word" (A_i) is considered as a DIGIT.
* Bytes in a DIGIT are assumed in Big-Endian format:
* E.g., if sizeof(DIGIT) == 4:
* A_i: A_{i,3} A_{i,2} A_{i,1} A_{i,0}.
* A_{i,3} denotes the most significant byte, A_{i,0} the least significant one.
* f(x) == x^{31} + ... + x^{24} +
* + x^{23} + ... + x^{16} +
* + x^{15} + ... + x^{8} +
* + x^{7} + ... + x^{0}
*
*
* Multi-precision elements (i.e., with multiple DIGITs) are stored in
* Big-endian format:
* A = A_{n-1} A_{n-2} ... A_1 A_0
*
* position[A_{n-1}] == 0
* position[A_{n-2}] == 1
* ...
* position[A_{1}] == n-2
* position[A_{0}] == n-1
*/
/*----------------------------------------------------------------------------*/

#define TC3
#if defined(TC3)
#define GF2X_MUL gf2x_mul_TC3
#else
#define GF2X_MUL gf2x_mul_comb
#endif



/*----------------------------------------------------------------------------*/

static inline void gf2x_add(const int nr, DIGIT Res[],
const int na, const DIGIT A[],
const int nb, const DIGIT B[]) {
for (unsigned i = 0; i < nr; i++) {
Res[i] = A[i] ^ B[i];
}
} // end gf2x_add

/*----------------------------------------------------------------------------*/

void GF2X_MUL(const int nr, DIGIT Res[],
const int na, const DIGIT A[],
const int nb, const DIGIT B[]
);

int gf2x_cmp(const unsigned lenA, const DIGIT A[],
const unsigned lenB, const DIGIT B[]);

/* PRE: MAX ALLOWED ROTATION AMOUNT : DIGIT_SIZE_b */
void right_bit_shift_n(const int length, DIGIT in[], const int amount);

/* PRE: MAX ALLOWED ROTATION AMOUNT : DIGIT_SIZE_b */
void left_bit_shift_n(const int length, DIGIT in[], const int amount);
/*----------------------------------------------------------------------------*/

+ 656
- 0
crypto_kem/ledakemlt12/clean/gf2x_arith_mod_xPplusOne.c View File

@@ -0,0 +1,656 @@
/**
*
* <gf2x_arith_mod_xPplusOne.c>
*
* @version 2.0 (March 2019)
*
* Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
*
* In alphabetical order:
*
* @author Marco Baldi <m.baldi@univpm.it>
* @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
* @author Franco Chiaraluce <f.chiaraluce@univpm.it>
* @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
* @author Paolo Santini <p.santini@pm.univpm.it>
*
* This code is hereby placed in the public domain.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
* OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
* EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
**/


#include "gf2x_arith_mod_xPplusOne.h"
#include "rng.h"
#include <string.h> // memcpy(...), memset(...)
#include <assert.h>
#include <stdalign.h>
/*----------------------------------------------------------------------------*/

void gf2x_mod(DIGIT out[],
const int nin, const DIGIT in[]) {

long int i, j, posTrailingBit, maskOffset;
DIGIT mask, aux[nin];

memcpy(aux, in, nin * DIGIT_SIZE_B);
memset(out, 0x00, NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B);
if (nin < NUM_DIGITS_GF2X_MODULUS) {
for (i = 0; i < nin; i++) {
out[NUM_DIGITS_GF2X_ELEMENT - 1 - i] = in[nin - 1 - i];
}
return;
}

for (i = 0; i < nin - NUM_DIGITS_GF2X_MODULUS; i += 1) {
for (j = DIGIT_SIZE_b - 1; j >= 0; j--) {
mask = ((DIGIT)0x1) << j;
if (aux[i] & mask) {
aux[i] ^= mask;
posTrailingBit = (DIGIT_SIZE_b - 1 - j) + i * DIGIT_SIZE_b + P;
maskOffset = (DIGIT_SIZE_b - 1 - (posTrailingBit % DIGIT_SIZE_b));
mask = (DIGIT) 0x1 << maskOffset;
aux[posTrailingBit / DIGIT_SIZE_b] ^= mask;
}
}
}

for (j = DIGIT_SIZE_b - 1; j >= MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS; j--) {
mask = ((DIGIT)0x1) << j;
if (aux[i] & mask) {
aux[i] ^= mask;
posTrailingBit = (DIGIT_SIZE_b - 1 - j) + i * DIGIT_SIZE_b + P;
maskOffset = (DIGIT_SIZE_b - 1 - (posTrailingBit % DIGIT_SIZE_b));
mask = (DIGIT) 0x1 << maskOffset;
aux[posTrailingBit / DIGIT_SIZE_b] ^= mask;
}
}

int to_copy = (nin > NUM_DIGITS_GF2X_ELEMENT) ? NUM_DIGITS_GF2X_ELEMENT : nin;

for (i = 0; i < to_copy; i++) {
out[NUM_DIGITS_GF2X_ELEMENT - 1 - i] = aux[nin - 1 - i];
}

} // end gf2x_mod

/*----------------------------------------------------------------------------*/

static
void left_bit_shift(const int length, DIGIT in[]) {

int j;
for (j = 0; j < length - 1; j++) {
in[j] <<= 1; /* logical shift does not need clearing */
in[j] |= in[j + 1] >> (DIGIT_SIZE_b - 1);
}
in[j] <<= 1;
} // end left_bit_shift

/*----------------------------------------------------------------------------*/

static
void right_bit_shift(const int length, DIGIT in[]) {

int j;
for (j = length - 1; j > 0 ; j--) {
in[j] >>= 1;
in[j] |= (in[j - 1] & (DIGIT)0x01) << (DIGIT_SIZE_b - 1);
}
in[j] >>= 1;
} // end right_bit_shift

/*----------------------------------------------------------------------------*/
/* shifts by whole digits */
static inline
void left_DIGIT_shift_n(const int length, DIGIT in[], int amount) {
int j;
for (j = 0; (j + amount) < length; j++) {
in[j] = in[j + amount];
}
for (; j < length; j++) {
in[j] = (DIGIT)0;
}
} // end left_bit_shift_n

/*----------------------------------------------------------------------------*/
/* may shift by an arbitrary amount*/

void left_bit_shift_wide_n(const int length, DIGIT in[], int amount) {
left_DIGIT_shift_n(length, in, amount / DIGIT_SIZE_b);
left_bit_shift_n(length, in, amount % DIGIT_SIZE_b);
} // end left_bit_shift_n

/*----------------------------------------------------------------------------*/

#if (defined(DIGIT_IS_UINT8) || defined(DIGIT_IS_UINT16))
static
uint8_t byte_reverse_with_less32bitDIGIT(uint8_t b) {
uint8_t r = b;
int s = (sizeof(b) << 3) - 1;
for (b >>= 1; b; b >>= 1) {
r <<= 1;
r |= b & 1;
s--;
}
r <<= s;
return r;
} // end byte_reverse_less32bitDIGIT
#endif

#if defined(DIGIT_IS_UINT32)
static
uint8_t byte_reverse_with_32bitDIGIT(uint8_t b) {
b = ( (b * 0x0802LU & 0x22110LU) | (b * 0x8020LU & 0x88440LU)
) * 0x10101LU >> 16;
return b;
} // end byte_reverse_32bitDIGIT
#endif

#if defined(DIGIT_IS_UINT64)
static
uint8_t byte_reverse_with_64bitDIGIT(uint8_t b) {
b = (b * 0x0202020202ULL & 0x010884422010ULL) % 1023;
return b;
} // end byte_reverse_64bitDIGIT
#endif

/*----------------------------------------------------------------------------*/

static
DIGIT reverse_digit(const DIGIT b) {
int i;
union toReverse_t {
uint8_t inByte[DIGIT_SIZE_B];
DIGIT digitValue;
} toReverse;

toReverse.digitValue = b;
#if defined(DIGIT_IS_UINT64)
for (i = 0; i < DIGIT_SIZE_B; i++) {
toReverse.inByte[i] = byte_reverse_with_64bitDIGIT(toReverse.inByte[i]);
}
return __builtin_bswap64(toReverse.digitValue);
#elif defined(DIGIT_IS_UINT32)
for (i = 0; i < DIGIT_SIZE_B; i++) {
toReverse.inByte[i] = byte_reverse_with_32bitDIGIT(toReverse.inByte[i]);
}
return __builtin_bswap32(toReverse.digitValue);
#elif defined(DIGIT_IS_UINT16)
for (i = 0; i < DIGIT_SIZE_B; i++) {
toReverse.inByte[i] = byte_reverse_with_less32bitDIGIT(toReverse.inByte[i]);
}
reversed = __builtin_bswap16(toReverse.digitValue);
#elif defined(DIGIT_IS_UINT8)
return byte_reverse_with_less32bitDIGIT(toReverse.inByte[0]);
#else
#error "Missing implementation for reverse_digit(...) \
with this CPU word bitsize !!! "
#endif
return toReverse.digitValue;
} // end reverse_digit


/*----------------------------------------------------------------------------*/

void gf2x_transpose_in_place(DIGIT A[]) {
/* it keeps the lsb in the same position and
* inverts the sequence of the remaining bits
*/

DIGIT mask = (DIGIT)0x1;
DIGIT rev1, rev2, a00;
int i, slack_bits_amount = NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_b - P;

if (NUM_DIGITS_GF2X_ELEMENT == 1) {
a00 = A[0] & mask;
right_bit_shift(1, A);
rev1 = reverse_digit(A[0]);
#if (NUM_DIGITS_GF2X_MOD_P_ELEMENT*DIGIT_SIZE_b - P)
rev1 >>= (DIGIT_SIZE_b - (P % DIGIT_SIZE_b));
#endif
A[0] = (rev1 & (~mask)) | a00;
return;
}

a00 = A[NUM_DIGITS_GF2X_ELEMENT - 1] & mask;
right_bit_shift(NUM_DIGITS_GF2X_ELEMENT, A);

for (i = NUM_DIGITS_GF2X_ELEMENT - 1; i >= (NUM_DIGITS_GF2X_ELEMENT + 1) / 2; i--) {
rev1 = reverse_digit(A[i]);
rev2 = reverse_digit(A[NUM_DIGITS_GF2X_ELEMENT - 1 - i]);
A[i] = rev2;
A[NUM_DIGITS_GF2X_ELEMENT - 1 - i] = rev1;
}
if (NUM_DIGITS_GF2X_ELEMENT % 2 == 1) {
A[NUM_DIGITS_GF2X_ELEMENT / 2] = reverse_digit(A[NUM_DIGITS_GF2X_ELEMENT / 2]);
}

if (slack_bits_amount) {
right_bit_shift_n(NUM_DIGITS_GF2X_ELEMENT, A, slack_bits_amount);
}
A[NUM_DIGITS_GF2X_ELEMENT - 1] = (A[NUM_DIGITS_GF2X_ELEMENT - 1] & (~mask)) | a00;
} // end transpose_in_place

/*----------------------------------------------------------------------------*/

void rotate_bit_left(DIGIT in[]) { /* equivalent to x * in(x) mod x^P+1 */

DIGIT mask, rotated_bit;

if (NUM_DIGITS_GF2X_MODULUS == NUM_DIGITS_GF2X_ELEMENT) {

int msb_offset_in_digit = MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS - 1;
mask = ((DIGIT)0x1) << msb_offset_in_digit;
rotated_bit = !!(in[0] & mask);
in[0] &= ~mask; /* clear shifted bit */
left_bit_shift(NUM_DIGITS_GF2X_ELEMENT, in);
} else {
/* NUM_DIGITS_GF2X_MODULUS == 1 + NUM_DIGITS_GF2X_ELEMENT and
* MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS == 0
*/
mask = ((DIGIT)0x1) << (DIGIT_SIZE_b - 1);
rotated_bit = !!(in[0] & mask);
in[0] &= ~mask; /* clear shifted bit */
left_bit_shift(NUM_DIGITS_GF2X_ELEMENT, in);

}
in[NUM_DIGITS_GF2X_ELEMENT - 1] |= rotated_bit;
} // end rotate_bit_left



/*----------------------------------------------------------------------------*/

void rotate_bit_right(DIGIT in[]) { /* x^{-1} * in(x) mod x^P+1 */

DIGIT rotated_bit = in[NUM_DIGITS_GF2X_ELEMENT - 1] & ((DIGIT)0x1);
right_bit_shift(NUM_DIGITS_GF2X_ELEMENT, in);

if (NUM_DIGITS_GF2X_MODULUS == NUM_DIGITS_GF2X_ELEMENT) {
int msb_offset_in_digit = MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS - 1;
rotated_bit = rotated_bit << msb_offset_in_digit;
} else {
/* NUM_DIGITS_GF2X_MODULUS == 1 + NUM_DIGITS_GF2X_ELEMENT and
* MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS == 0
*/
rotated_bit = rotated_bit << (DIGIT_SIZE_b - 1);
}
in[0] |= rotated_bit;
} // end rotate_bit_right

/*----------------------------------------------------------------------------*/

static
void gf2x_swap(const int length,
DIGIT f[],
DIGIT s[]) {
DIGIT t;
for (int i = length - 1; i >= 0; i--) {
t = f[i];
f[i] = s[i];
s[i] = t;
}
} // end gf2x_swap

/*----------------------------------------------------------------------------*/

/*
* Optimized extended GCD algorithm to compute the multiplicative inverse of
* a non-zero element in GF(2)[x] mod x^P+1, in polyn. representation.
*
* H. Brunner, A. Curiger, and M. Hofstetter. 1993.
* On Computing Multiplicative Inverses in GF(2^m).
* IEEE Trans. Comput. 42, 8 (August 1993), 1010-1015.
* DOI=http://dx.doi.org/10.1109/12.238496
*
*
* Henri Cohen, Gerhard Frey, Roberto Avanzi, Christophe Doche, Tanja Lange,
* Kim Nguyen, and Frederik Vercauteren. 2012.
* Handbook of Elliptic and Hyperelliptic Curve Cryptography,
* Second Edition (2nd ed.). Chapman & Hall/CRC.
* (Chapter 11 -- Algorithm 11.44 -- pag 223)
*
*/

int gf2x_mod_inverse(DIGIT out[], const DIGIT in[]) { /* in^{-1} mod x^P-1 */

int i;
long int delta = 0;
alignas(32) DIGIT u[NUM_DIGITS_GF2X_ELEMENT] = {0},
v[NUM_DIGITS_GF2X_ELEMENT] = {0},
s[NUM_DIGITS_GF2X_MODULUS] = {0},
f[NUM_DIGITS_GF2X_MODULUS] = {0};

DIGIT mask;
u[NUM_DIGITS_GF2X_ELEMENT - 1] = 0x1;
v[NUM_DIGITS_GF2X_ELEMENT - 1] = 0x0;

s[NUM_DIGITS_GF2X_MODULUS - 1] = 0x1;
if (MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS == 0) {
mask = 0x1;
} else {
mask = (((DIGIT)0x1) << MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS);
}
s[0] |= mask;

for (i = NUM_DIGITS_GF2X_ELEMENT - 1; i >= 0 && in[i] == 0; i--);
if (i < 0) {
return 0;
}

if (NUM_DIGITS_GF2X_MODULUS == 1 + NUM_DIGITS_GF2X_ELEMENT)
for (i = NUM_DIGITS_GF2X_MODULUS - 1; i >= 1 ; i--) {
f[i] = in[i - 1];
} else /* they are equal */
for (i = NUM_DIGITS_GF2X_MODULUS - 1; i >= 0 ; i--) {
f[i] = in[i];
}

for (i = 1; i <= 2 * P; i++) {
if ( (f[0] & mask) == 0 ) {
left_bit_shift(NUM_DIGITS_GF2X_MODULUS, f);
rotate_bit_left(u);
delta += 1;
} else {
if ( (s[0] & mask) != 0) {
gf2x_add(NUM_DIGITS_GF2X_MODULUS, s,
NUM_DIGITS_GF2X_MODULUS, s,
NUM_DIGITS_GF2X_MODULUS, f);
gf2x_mod_add(v, v, u);
}
left_bit_shift(NUM_DIGITS_GF2X_MODULUS, s);
if ( delta == 0 ) {
gf2x_swap(NUM_DIGITS_GF2X_MODULUS, f, s);
gf2x_swap(NUM_DIGITS_GF2X_ELEMENT, u, v);
rotate_bit_left(u);
delta = 1;
} else {
rotate_bit_right(u);
delta = delta - 1;
}
}
}

for (i = NUM_DIGITS_GF2X_ELEMENT - 1; i >= 0 ; i--) {
out[i] = u[i];
}

return (delta == 0);
} // end gf2x_mod_inverse

/*----------------------------------------------------------------------------*/

void gf2x_mod_mul(DIGIT Res[], const DIGIT A[], const DIGIT B[]) {

DIGIT aux[2 * NUM_DIGITS_GF2X_ELEMENT];
GF2X_MUL(2 * NUM_DIGITS_GF2X_ELEMENT, aux,
NUM_DIGITS_GF2X_ELEMENT, A,
NUM_DIGITS_GF2X_ELEMENT, B);
gf2x_mod(Res, 2 * NUM_DIGITS_GF2X_ELEMENT, aux);

} // end gf2x_mod_mul

/*----------------------------------------------------------------------------*/

/*PRE: the representation of the sparse coefficients is sorted in increasing
order of the coefficients themselves */
void gf2x_mod_mul_dense_to_sparse(DIGIT Res[],
const DIGIT dense[],
POSITION_T sparse[],
unsigned int nPos) {
DIGIT aux[2 * NUM_DIGITS_GF2X_ELEMENT] = {0x00};
DIGIT resDouble[2 * NUM_DIGITS_GF2X_ELEMENT] = {0x00};
memcpy(aux + NUM_DIGITS_GF2X_ELEMENT, dense, NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B);
memcpy(resDouble + NUM_DIGITS_GF2X_ELEMENT, dense,
NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B);

if (sparse[0] != INVALID_POS_VALUE) {
left_bit_shift_wide_n(2 * NUM_DIGITS_GF2X_ELEMENT, resDouble, sparse[0]);
left_bit_shift_wide_n(2 * NUM_DIGITS_GF2X_ELEMENT, aux, sparse[0]);

for (unsigned int i = 1; i < nPos; i++) {
if (sparse[i] != INVALID_POS_VALUE) {
left_bit_shift_wide_n(2 * NUM_DIGITS_GF2X_ELEMENT, aux, (sparse[i] - sparse[i - 1]) );
gf2x_add(2 * NUM_DIGITS_GF2X_ELEMENT, resDouble,
2 * NUM_DIGITS_GF2X_ELEMENT, aux,
2 * NUM_DIGITS_GF2X_ELEMENT, resDouble);
}
}
}

gf2x_mod(Res, 2 * NUM_DIGITS_GF2X_ELEMENT, resDouble);

} // end gf2x_mod_mul

/*----------------------------------------------------------------------------*/


void gf2x_transpose_in_place_sparse(int sizeA, POSITION_T A[]) {

POSITION_T t;
int i = 0, j;

if (A[i] == 0) {
i = 1;
}
j = i;

for (; i < sizeA && A[i] != INVALID_POS_VALUE; i++) {
A[i] = P - A[i];
}

for (i -= 1; j < i; j++, i--) {
t = A[j];
A[j] = A[i];
A[i] = t;
}

} // end gf2x_transpose_in_place_sparse

/*----------------------------------------------------------------------------*/

void gf2x_mod_mul_sparse(int
sizeR, /*number of ones in the result, max sizeA*sizeB */
POSITION_T Res[],
int sizeA, /*number of ones in A*/
const POSITION_T A[],
int sizeB, /*number of ones in B*/
const POSITION_T B[]) {
/* compute all the coefficients, filling invalid positions with P*/
unsigned lastFilledPos = 0;
for (int i = 0 ; i < sizeA ; i++) {
for (int j = 0 ; j < sizeB ; j++) {
uint32_t prod = ((uint32_t) A[i]) + ((uint32_t) B[j]);
prod = ( (prod >= P) ? prod - P : prod);
if ((A[i] != INVALID_POS_VALUE) &&
(B[j] != INVALID_POS_VALUE)) {
Res[lastFilledPos] = prod;
} else {
Res[lastFilledPos] = INVALID_POS_VALUE;
}
lastFilledPos++;
}
}
while (lastFilledPos < sizeR) {
Res[lastFilledPos] = INVALID_POS_VALUE;
lastFilledPos++;
}
quicksort(Res, sizeR);
/* eliminate duplicates */
POSITION_T lastReadPos = Res[0];
int duplicateCount;
int write_idx = 0;
int read_idx = 0;
while (read_idx < sizeR && Res[read_idx] != INVALID_POS_VALUE) {
lastReadPos = Res[read_idx];
read_idx++;
duplicateCount = 1;
while ( (Res[read_idx] == lastReadPos) && (Res[read_idx] != INVALID_POS_VALUE)) {
read_idx++;
duplicateCount++;
}
if (duplicateCount % 2) {
Res[write_idx] = lastReadPos;
write_idx++;
}
}
/* fill remaining cells with INVALID_POS_VALUE */
for (; write_idx < sizeR; write_idx++) {
Res[write_idx] = INVALID_POS_VALUE;
}
} // end gf2x_mod_mul_sparse


/*----------------------------------------------------------------------------*/
/* the implementation is safe even in case A or B alias with the result */
/* PRE: A and B should be sorted and have INVALID_POS_VALUE at the end */
void gf2x_mod_add_sparse(int sizeR,
POSITION_T Res[],
int sizeA,
POSITION_T A[],
int sizeB,
POSITION_T B[]) {

POSITION_T tmpRes[sizeR];
int idxA = 0, idxB = 0, idxR = 0;
while ( idxA < sizeA &&
idxB < sizeB &&
A[idxA] != INVALID_POS_VALUE &&
B[idxB] != INVALID_POS_VALUE ) {

if (A[idxA] == B[idxB]) {
idxA++;
idxB++;
} else {
if (A[idxA] < B[idxB]) {
tmpRes[idxR] = A[idxA];
idxA++;
} else {
tmpRes[idxR] = B[idxB];
idxB++;
}
idxR++;
}
}

while (idxA < sizeA && A[idxA] != INVALID_POS_VALUE) {
tmpRes[idxR] = A[idxA];
idxA++;
idxR++;
}

while (idxB < sizeB && B[idxB] != INVALID_POS_VALUE) {
tmpRes[idxR] = B[idxB];
idxB++;
idxR++;
}

while (idxR < sizeR) {
tmpRes[idxR] = INVALID_POS_VALUE;
idxR++;
}
memcpy(Res, tmpRes, sizeof(POSITION_T)*sizeR);

} // end gf2x_mod_add_sparse

/*----------------------------------------------------------------------------*/

/* Return a uniform random value in the range 0..n-1 inclusive,
* applying a rejection sampling strategy and exploiting as a random source
* the NIST seedexpander seeded with the proper key.
* Assumes that the maximum value for the range n is 2^32-1
*/
static
int rand_range(const int n, const int logn, AES_XOF_struct *seed_expander_ctx) {

unsigned long required_rnd_bytes = (logn + 7) / 8;
unsigned char rnd_char_buffer[4];
uint32_t rnd_value;
uint32_t mask = ( (uint32_t)1 << logn) - 1;

do {
seedexpander(seed_expander_ctx, rnd_char_buffer, required_rnd_bytes);
/* obtain an endianness independent representation of the generated random
bytes into an unsigned integer */
rnd_value = ((uint32_t)rnd_char_buffer[3] << 24) +
((uint32_t)rnd_char_buffer[2] << 16) +
((uint32_t)rnd_char_buffer[1] << 8) +
((uint32_t)rnd_char_buffer[0] << 0) ;
rnd_value = mask & rnd_value;
} while (rnd_value >= n);

return rnd_value;
} // end rand_range



/*----------------------------------------------------------------------------*/
/* Obtains fresh randomness and seed-expands it until all the required positions
* for the '1's in the circulant block are obtained */

void rand_circulant_sparse_block(POSITION_T *pos_ones,
const int countOnes,
AES_XOF_struct *seed_expander_ctx) {

int duplicated, placedOnes = 0;

while (placedOnes < countOnes) {
int p = rand_range(NUM_BITS_GF2X_ELEMENT,
BITS_TO_REPRESENT(P),
seed_expander_ctx);
duplicated = 0;
for (int j = 0; j < placedOnes; j++) if (pos_ones[j] == p) {
duplicated = 1;
}
if (duplicated == 0) {
pos_ones[placedOnes] = p;
placedOnes++;
}
}
} // rand_circulant_sparse_block

/*----------------------------------------------------------------------------*/


void rand_circulant_blocks_sequence(DIGIT sequence[N0 * NUM_DIGITS_GF2X_ELEMENT],
const int countOnes,
AES_XOF_struct *seed_expander_ctx) {

int rndPos[countOnes], duplicated, counter = 0;
memset(sequence, 0x00, N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B);


while (counter < countOnes) {
int p = rand_range(N0 * NUM_BITS_GF2X_ELEMENT, BITS_TO_REPRESENT(P),
seed_expander_ctx);
duplicated = 0;
for (int j = 0; j < counter; j++) if (rndPos[j] == p) {
duplicated = 1;
}
if (duplicated == 0) {
rndPos[counter] = p;
counter++;
}
}
for (int j = 0; j < counter; j++) {
int polyIndex = rndPos[j] / P;
int exponent = rndPos[j] % P;
gf2x_set_coeff( sequence + NUM_DIGITS_GF2X_ELEMENT * polyIndex, exponent,
( (DIGIT) 1));
}

} // end rand_circulant_blocks_sequence

/*----------------------------------------------------------------------------*/

+ 300
- 0
crypto_kem/ledakemlt12/clean/gf2x_arith_mod_xPplusOne.h View File

@@ -0,0 +1,300 @@
/**
*
* <gf2x_arith_mod_xPplusOne.h>
*
* @version 2.0 (March 2019)
*
* Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
*
* In alphabetical order:
*
* @author Marco Baldi <m.baldi@univpm.it>
* @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
* @author Franco Chiaraluce <f.chiaraluce@univpm.it>
* @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
* @author Paolo Santini <p.santini@pm.univpm.it>
*
* This code is hereby placed in the public domain.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
* OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
* EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
**/

#pragma once

#include "gf2x_limbs.h"
#include "qc_ldpc_parameters.h"

#include "gf2x_arith.h"
#include "rng.h"

/*----------------------------------------------------------------------------*/

#define NUM_BITS_GF2X_ELEMENT (P)
#define NUM_DIGITS_GF2X_ELEMENT ((P+DIGIT_SIZE_b-1)/DIGIT_SIZE_b)
#define MSb_POSITION_IN_MSB_DIGIT_OF_ELEMENT ( (P % DIGIT_SIZE_b) ? (P % DIGIT_SIZE_b)-1 : DIGIT_SIZE_b-1 )

#define NUM_BITS_GF2X_MODULUS (P+1)
#define NUM_DIGITS_GF2X_MODULUS ((P+1+DIGIT_SIZE_b-1)/DIGIT_SIZE_b)
#define MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS (P-DIGIT_SIZE_b*(NUM_DIGITS_GF2X_MODULUS-1))

#define INVALID_POS_VALUE (P)

#define IS_REPRESENTABLE_IN_D_BITS(D, N) \
(((unsigned long) N >= (1UL << (D - 1)) && (unsigned long) N < (1UL << D)) ? D : -1)

#define BITS_TO_REPRESENT(N) \
(N == 0 ? 1 : (31 \
+ IS_REPRESENTABLE_IN_D_BITS( 1, N) \
+ IS_REPRESENTABLE_IN_D_BITS( 2, N) \
+ IS_REPRESENTABLE_IN_D_BITS( 3, N) \
+ IS_REPRESENTABLE_IN_D_BITS( 4, N) \
+ IS_REPRESENTABLE_IN_D_BITS( 5, N) \
+ IS_REPRESENTABLE_IN_D_BITS( 6, N) \
+ IS_REPRESENTABLE_IN_D_BITS( 7, N) \
+ IS_REPRESENTABLE_IN_D_BITS( 8, N) \
+ IS_REPRESENTABLE_IN_D_BITS( 9, N) \
+ IS_REPRESENTABLE_IN_D_BITS(10, N) \
+ IS_REPRESENTABLE_IN_D_BITS(11, N) \
+ IS_REPRESENTABLE_IN_D_BITS(12, N) \
+ IS_REPRESENTABLE_IN_D_BITS(13, N) \
+ IS_REPRESENTABLE_IN_D_BITS(14, N) \
+ IS_REPRESENTABLE_IN_D_BITS(15, N) \
+ IS_REPRESENTABLE_IN_D_BITS(16, N) \
+ IS_REPRESENTABLE_IN_D_BITS(17, N) \
+ IS_REPRESENTABLE_IN_D_BITS(18, N) \
+ IS_REPRESENTABLE_IN_D_BITS(19, N) \
+ IS_REPRESENTABLE_IN_D_BITS(20, N) \
+ IS_REPRESENTABLE_IN_D_BITS(21, N) \
+ IS_REPRESENTABLE_IN_D_BITS(22, N) \
+ IS_REPRESENTABLE_IN_D_BITS(23, N) \
+ IS_REPRESENTABLE_IN_D_BITS(24, N) \
+ IS_REPRESENTABLE_IN_D_BITS(25, N) \
+ IS_REPRESENTABLE_IN_D_BITS(26, N) \
+ IS_REPRESENTABLE_IN_D_BITS(27, N) \
+ IS_REPRESENTABLE_IN_D_BITS(28, N) \
+ IS_REPRESENTABLE_IN_D_BITS(29, N) \
+ IS_REPRESENTABLE_IN_D_BITS(30, N) \
+ IS_REPRESENTABLE_IN_D_BITS(31, N) \
+ IS_REPRESENTABLE_IN_D_BITS(32, N) \
) \
)

/*----------------------------------------------------------------------------*/



/*----------------------------------------------------------------------------*/

static inline void gf2x_copy(DIGIT dest[], const DIGIT in[]) {
for (int i = NUM_DIGITS_GF2X_ELEMENT - 1; i >= 0; i--) {
dest[i] = in[i];
}
} // end gf2x_copy

/*---------------------------------------------------------------------------*/

void gf2x_mod(DIGIT out[],
const int nin, const DIGIT in[]); /* out(x) = in(x) mod x^P+1 */

/*---------------------------------------------------------------------------*/

void gf2x_mod_mul(DIGIT Res[], const DIGIT A[], const DIGIT B[]);

/*---------------------------------------------------------------------------*/

static inline void gf2x_mod_add(DIGIT Res[], const DIGIT A[], const DIGIT B[]) {
gf2x_add(NUM_DIGITS_GF2X_ELEMENT, Res,
NUM_DIGITS_GF2X_ELEMENT, A,
NUM_DIGITS_GF2X_ELEMENT, B);
} // end gf2x_mod_add

/*----------------------------------------------------------------------------*/

/*
* Optimized extended GCD algorithm to compute the multiplicative inverse of
* a non-zero element in GF(2)[x] mod x^P+1, in polyn. representation.
*
* H. Brunner, A. Curiger, and M. Hofstetter. 1993.
* On Computing Multiplicative Inverses in GF(2^m).
* IEEE Trans. Comput. 42, 8 (August 1993), 1010-1015.
* DOI=http://dx.doi.org/10.1109/12.238496
*
*
* Henri Cohen, Gerhard Frey, Roberto Avanzi, Christophe Doche, Tanja Lange,
* Kim Nguyen, and Frederik Vercauteren. 2012.
* Handbook of Elliptic and Hyperelliptic Curve Cryptography,
* Second Edition (2nd ed.). Chapman & Hall/CRC.
* (Chapter 11 -- Algorithm 11.44 -- pag 223)
*
*/
int gf2x_mod_inverse(DIGIT out[], const DIGIT in[]);/* ret. 1 if inv. exists */

/*---------------------------------------------------------------------------*/

void gf2x_transpose_in_place(DIGIT
A[]); /* in place bit-transp. of a(x) % x^P+1 *
* e.g.: a3 a2 a1 a0 --> a1 a2 a3 a0 */

/*---------------------------------------------------------------------------*/

/* population count for a single polynomial */
static inline int population_count(DIGIT upc[]) {
int ret = 0;
for (int i = NUM_DIGITS_GF2X_ELEMENT - 1; i >= 0; i--) {
#if defined(DIGIT_IS_ULLONG)
ret += __builtin_popcountll((unsigned long long int) (upc[i]));
#elif defined(DIGIT_IS_ULONG)
ret += __builtin_popcountl((unsigned long int) (upc[i]));
#elif defined(DIGIT_IS_UINT)
ret += __builtin_popcount((unsigned int) (upc[i]));
#elif defined(DIGIT_IS_UCHAR)
const unsigned char split_lookup[] = {
0, 1, 1, 2, 1, 2, 2, 3, 1, 2, 2, 3, 2, 3, 3, 4
};
ret += split_lookup[upc[i] & 0xF] + split_lookup[upc[i] >> 4];
#else
#error "Missing implementation for population_count(...) \
with this CPU word bitsize !!! "
#endif
}
return ret;
} // end population_count

/*--------------------------------------------------------------------------*/

/* returns the coefficient of the x^exponent term as the LSB of a digit */
static inline
DIGIT gf2x_get_coeff(const DIGIT poly[], const unsigned int exponent) {
unsigned int straightIdx = (NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_b - 1) - exponent;
unsigned int digitIdx = straightIdx / DIGIT_SIZE_b;
unsigned int inDigitIdx = straightIdx % DIGIT_SIZE_b;
return (poly[digitIdx] >> (DIGIT_SIZE_b - 1 - inDigitIdx)) & ((DIGIT) 1) ;
}

/*--------------------------------------------------------------------------*/

/* sets the coefficient of the x^exponent term as the LSB of a digit */
static inline
void gf2x_set_coeff(DIGIT poly[], const unsigned int exponent, DIGIT value) {
int straightIdx = (NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_b - 1) - exponent;
int digitIdx = straightIdx / DIGIT_SIZE_b;

unsigned int inDigitIdx = straightIdx % DIGIT_SIZE_b;

/* clear given coefficient */
DIGIT mask = ~( ((DIGIT) 1) << (DIGIT_SIZE_b - 1 - inDigitIdx));
poly[digitIdx] = poly[digitIdx] & mask;
poly[digitIdx] = poly[digitIdx] | (( value & ((DIGIT) 1)) <<
(DIGIT_SIZE_b - 1 - inDigitIdx));
}
/*--------------------------------------------------------------------------*/

/* toggles (flips) the coefficient of the x^exponent term as the LSB of a digit */
static inline
void gf2x_toggle_coeff(DIGIT poly[], const unsigned int exponent) {

int straightIdx = (NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_b - 1) - exponent;
int digitIdx = straightIdx / DIGIT_SIZE_b;
unsigned int inDigitIdx = straightIdx % DIGIT_SIZE_b;

/* clear given coefficient */
DIGIT mask = ( ((DIGIT) 1) << (DIGIT_SIZE_b - 1 - inDigitIdx));
poly[digitIdx] = poly[digitIdx] ^ mask;
}
/*--------------------------------------------------------------------------*/

void rand_circulant_sparse_block(POSITION_T *pos_ones,
const int countOnes,
AES_XOF_struct *seed_expander_ctx);
/*--------------------------------------------------------------------------*/

void rand_circulant_blocks_sequence(DIGIT sequence[N0 * NUM_DIGITS_GF2X_ELEMENT],
const int countOnes,
AES_XOF_struct *seed_expander_ctx
);

/*---------------------------------------------------------------------------*/


void gf2x_mod_add_sparse(int sizeR,
POSITION_T Res[],
int sizeA,
POSITION_T A[],
int sizeB,
POSITION_T B[]);

/*----------------------------------------------------------------------------*/

void gf2x_transpose_in_place_sparse(int sizeA, POSITION_T A[]);

/*----------------------------------------------------------------------------*/

void gf2x_mod_mul_sparse(int
sizeR, /*number of ones in the result, max sizeA*sizeB */
POSITION_T Res[],
int sizeA, /*number of ones in A*/
const POSITION_T A[],
int sizeB, /*number of ones in B*/
const POSITION_T B[]);
/*----------------------------------------------------------------------------*/
void gf2x_mod_mul_dense_to_sparse(DIGIT Res[],
const DIGIT dense[],
POSITION_T sparse[],
unsigned int nPos);
/*----------------------------------------------------------------------------*/
static inline
int partition (POSITION_T arr[], int lo, int hi) {
POSITION_T x = arr[hi];
POSITION_T tmp;
int i = (lo - 1);
for (int j = lo; j <= hi - 1; j++) {
if (arr[j] <= x) {
i++;
tmp = arr[i];
arr[i] = arr[j];
arr[j] = tmp;
}
}
tmp = arr[i + 1];
arr[i + 1] = arr[hi];
arr[hi] = tmp;

return i + 1;
} // end partition

/*----------------------------------------------------------------------------*/

static inline
void quicksort(POSITION_T Res[], unsigned int sizeR) {
/* sort the result */
int stack[sizeR];
int hi, lo, pivot, tos = -1;
stack[++tos] = 0;
stack[++tos] = sizeR - 1;
while (tos >= 0 ) {
hi = stack[tos--];
lo = stack[tos--];
pivot = partition(Res, lo, hi);
if ( (pivot - 1) > lo) {
stack[++tos] = lo;
stack[++tos] = pivot - 1;
}
if ( (pivot + 1) < hi) {
stack[++tos] = pivot + 1;
stack[++tos] = hi;
}
}
}

/*---------------------------------------------------------------------------*/

+ 94
- 0
crypto_kem/ledakemlt12/clean/gf2x_limbs.h View File

@@ -0,0 +1,94 @@
/**
*
* <gf2x_limbs.h>
*
* @version 2.0 (March 2019)
*
* Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
*
* In alphabetical order:
*
* @author Marco Baldi <m.baldi@univpm.it>
* @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
* @author Franco Chiaraluce <f.chiaraluce@univpm.it>
* @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
* @author Paolo Santini <p.santini@pm.univpm.it>
*
* This code is hereby placed in the public domain.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
* OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
* EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
**/

#pragma once

/*----------------------------------------------------------------------------*/

#include <inttypes.h>
#include <limits.h>
#include <stddef.h>
#include "qc_ldpc_parameters.h"

/*----------------------------------------------------------------------------*/

#define LITTLE_ENDIAN

/*----------------------------------------------------------------------------*/
/* limb size definitions for the multi-precision GF(2^x) library */
/*----------------------------------------------------------------------------*/

#ifndef CPU_WORD_BITS
typedef size_t DIGIT;
#define DIGIT_MAX SIZE_MAX
#else
// gcc -DCPU_WORD_BITS=64 ...
#define CAT(a, b, c) PRIMITIVE_CAT(a, b, c)
#define PRIMITIVE_CAT(a, b, c) a ## b ## c

typedef CAT( uint, CPU_WORD_BITS, _t ) DIGIT;
#define DIGIT_MAX (CAT(UINT, CPU_WORD_BITS, _MAX))
#endif

#if (DIGIT_MAX == ULLONG_MAX)
#define DIGIT_IS_ULLONG
#elif (DIGIT_MAX == ULONG_MAX)
#define DIGIT_IS_ULONG
#elif (DIGIT_MAX == UINT_MAX)
#define DIGIT_IS_UINT
#elif (DIGIT_MAX == UCHAR_MAX)
#define DIGIT_IS_UCHAR
#else
#error "unable to find the type of CPU_WORD_BITS"
#endif

#if (DIGIT_MAX == UINT64_MAX)
#define DIGIT_IS_UINT64
#define DIGIT_SIZE_B 8
#elif (DIGIT_MAX == UINT32_MAX)
#define DIGIT_IS_UINT32
#define DIGIT_SIZE_B 4
#elif (DIGIT_MAX == UINT16_MAX)
#define DIGIT_IS_UINT16
#define DIGIT_SIZE_B 2
#elif (DIGIT_MAX == UINT8_MAX)
#define DIGIT_IS_UINT8
#define DIGIT_SIZE_B 1
#else
#error "unable to find the bitsize of size_t"
#endif

#define DIGIT_SIZE_b (DIGIT_SIZE_B << 3)

#define POSITION_T uint32_t
/*----------------------------------------------------------------------------*/


+ 97
- 0
crypto_kem/ledakemlt12/clean/kem.c View File

@@ -0,0 +1,97 @@
/**
*
* <kem.c>
*
* @version 2.0 (March 2019)
*
* Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
*
* In alphabetical order:
*
* @author Marco Baldi <m.baldi@univpm.it>
* @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
* @author Franco Chiaraluce <f.chiaraluce@univpm.it>
* @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
* @author Paolo Santini <p.santini@pm.univpm.it>
*
* This code is hereby placed in the public domain.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
* OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
* EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
**/

#include "niederreiter_keygen.h"
#include "niederreiter_encrypt.h"
#include "niederreiter_decrypt.h"
#include "rng.h"
#include "sha3.h"
#include <string.h>
/* Generates a keypair - pk is the public key and sk is the secret key. */
int crypto_kem_keypair( unsigned char *pk,
unsigned char *sk ) {

AES_XOF_struct niederreiter_keys_expander;
randombytes( ((privateKeyNiederreiter_t *)sk)->prng_seed,
TRNG_BYTE_LENGTH);
seedexpander_from_trng(&niederreiter_keys_expander,
((privateKeyNiederreiter_t *)sk)->prng_seed);
key_gen_niederreiter((publicKeyNiederreiter_t *) pk,
(privateKeyNiederreiter_t *) sk,
&niederreiter_keys_expander);
return 0;
}

/* Encrypt - pk is the public key, ct is a key encapsulation message
(ciphertext), ss is the shared secret.*/
int crypto_kem_enc( unsigned char *ct,
unsigned char *ss,
const unsigned char *pk ) {

AES_XOF_struct niederreiter_encap_key_expander;
unsigned char encapsulated_key_seed[TRNG_BYTE_LENGTH];
randombytes(encapsulated_key_seed, TRNG_BYTE_LENGTH);
seedexpander_from_trng(&niederreiter_encap_key_expander, encapsulated_key_seed);

DIGIT error_vector[N0 * NUM_DIGITS_GF2X_ELEMENT];
rand_circulant_blocks_sequence(error_vector,
NUM_ERRORS_T,
&niederreiter_encap_key_expander);

HASH_FUNCTION((const unsigned char *) error_vector, // input
(N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B), // input Length
ss);

encrypt_niederreiter((DIGIT *) ct, (publicKeyNiederreiter_t *) pk, error_vector);
return 0;
}


/* Decrypt - ct is a key encapsulation message (ciphertext), sk is the private
key, ss is the shared secret */

int crypto_kem_dec( unsigned char *ss,
const unsigned char *ct,
const unsigned char *sk ) {
DIGIT decoded_error_vector[N0 * NUM_DIGITS_GF2X_ELEMENT];

int decode_ok = decrypt_niederreiter(decoded_error_vector,
(privateKeyNiederreiter_t *)sk,
(DIGIT *)ct);
HASH_FUNCTION((const unsigned char *) decoded_error_vector,
(N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B),
ss);
if (decode_ok == 1) {
return 0;
}
return 1;
}

+ 58
- 0
crypto_kem/ledakemlt12/clean/niederreiter.h View File

@@ -0,0 +1,58 @@
/**
*
* <niederreiter.h>
*
* @version 2.0 (March 2019)
*
* Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
*
* In alphabetical order:
*
* @author Marco Baldi <m.baldi@univpm.it>
* @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
* @author Franco Chiaraluce <f.chiaraluce@univpm.it>
* @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
* @author Paolo Santini <p.santini@pm.univpm.it>
*
* This code is hereby placed in the public domain.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
* OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
* EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
**/

#pragma once
#include "qc_ldpc_parameters.h"
#include "gf2x_limbs.h"
#include "gf2x_arith_mod_xPplusOne.h"


/*----------------------------------------------------------------------------*/
#pragma pack(1)

typedef struct {
/* raw entropy extracted from TRNG, will be deterministically expanded into
* H and Q during decryption */
unsigned char prng_seed[TRNG_BYTE_LENGTH];
int8_t rejections;
} privateKeyNiederreiter_t;

typedef struct {
DIGIT Mtr[(N0 - 1)*NUM_DIGITS_GF2X_ELEMENT];
// Dense representation of the matrix M=Ln0*L,
// An array including a sequence of (N0-1) gf2x elements;
// each gf2x element is stored as a binary polynomial(mod x^P+1)
// with P coefficients.
} publicKeyNiederreiter_t;

#pragma pack()
/*----------------------------------------------------------------------------*/

+ 153
- 0
crypto_kem/ledakemlt12/clean/niederreiter_decrypt.c View File

@@ -0,0 +1,153 @@
/**
*
* <niederreiter_decrypt.c>
*
* @version 2.0 (March 2019)
*
* Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
*
* In alphabetical order:
*
* @author Marco Baldi <m.baldi@univpm.it>
* @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
* @author Franco Chiaraluce <f.chiaraluce@univpm.it>
* @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
* @author Paolo Santini <p.santini@pm.univpm.it>
*
* This code is hereby placed in the public domain.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
* OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
* EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
**/

#include "niederreiter_decrypt.h"

#include "qc_ldpc_parameters.h"
#include "gf2x_arith_mod_xPplusOne.h"
#include "H_Q_matrices_generation.h"

#include "bf_decoding.h"
#include "dfr_test.h"
#include <string.h>

/*----------------------------------------------------------------------------*/

int decrypt_niederreiter(DIGIT err[], // N0 circ poly
const privateKeyNiederreiter_t *const sk,
const DIGIT syndrome[] // 1 circ poly
) {
AES_XOF_struct niederreiter_decrypt_expander;
seedexpander_from_trng(&niederreiter_decrypt_expander,
sk->prng_seed);

/**************************************************************************/
// sequence of N0 circ block matrices (p x p):
POSITION_T HPosOnes[N0][DV];
POSITION_T HtrPosOnes[N0][DV];
POSITION_T QPosOnes[N0][M];
int rejections = sk->rejections;
POSITION_T LPosOnes[N0][DV * M];
do {
generateHPosOnes_HtrPosOnes(HPosOnes, HtrPosOnes,
&niederreiter_decrypt_expander);
generateQsparse(QPosOnes, &niederreiter_decrypt_expander);
for (int i = 0; i < N0; i++) {
for (int j = 0; j < DV * M; j++) {
LPosOnes[i][j] = INVALID_POS_VALUE;
}
}

POSITION_T auxPosOnes[DV * M];
unsigned char processedQOnes[N0] = {0};
for (int colQ = 0; colQ < N0; colQ++) {
for (int i = 0; i < N0; i++) {
gf2x_mod_mul_sparse(DV * M, auxPosOnes,
DV, HPosOnes[i],
qBlockWeights[i][colQ], QPosOnes[i] + processedQOnes[i]);
gf2x_mod_add_sparse(DV * M, LPosOnes[colQ],
DV * M, LPosOnes[colQ],
DV * M, auxPosOnes);
processedQOnes[i] += qBlockWeights[i][colQ];
}
}
rejections--;
} while (rejections >= 0);

POSITION_T QtrPosOnes[N0][M];
unsigned transposed_ones_idx[N0] = {0x00};
for (unsigned source_row_idx = 0; source_row_idx < N0 ; source_row_idx++) {
int currQoneIdx = 0; // position in the column of QtrPosOnes[][...]
int endQblockIdx = 0;
for (int blockIdx = 0; blockIdx < N0; blockIdx++) {
endQblockIdx += qBlockWeights[source_row_idx][blockIdx];
for (; currQoneIdx < endQblockIdx; currQoneIdx++) {
QtrPosOnes[blockIdx][transposed_ones_idx[blockIdx]] = (P -
QPosOnes[source_row_idx][currQoneIdx]) % P;
transposed_ones_idx[blockIdx]++;
}
}
}

POSITION_T auxSparse[DV * M];
POSITION_T Ln0trSparse[DV * M];
for (int i = 0; i < DV * M; i++) {
Ln0trSparse[i] = INVALID_POS_VALUE;
auxSparse[i] = INVALID_POS_VALUE;
}

for (int i = 0; i < N0; i++) {
gf2x_mod_mul_sparse(DV * M, auxSparse,
DV, HPosOnes[i],
qBlockWeights[i][N0 - 1], &QPosOnes[i][ M - qBlockWeights[i][N0 - 1] ]
);
gf2x_mod_add_sparse(DV * M, Ln0trSparse,
DV * M, Ln0trSparse,
DV * M, auxSparse
);
} // end for i
gf2x_transpose_in_place_sparse(DV * M, Ln0trSparse);

DIGIT privateSyndrome[NUM_DIGITS_GF2X_ELEMENT];
gf2x_mod_mul_dense_to_sparse(privateSyndrome,
syndrome,
Ln0trSparse,
DV * M);

/* prepare mockup error vector in case a decoding failure occurs */
DIGIT mockup_error_vector[N0 * NUM_DIGITS_GF2X_ELEMENT];
memset(mockup_error_vector, 0x00, N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B);
memcpy(mockup_error_vector, syndrome, NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B);
seedexpander(&niederreiter_decrypt_expander,
((unsigned char *) mockup_error_vector) + (NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B), TRNG_BYTE_LENGTH);

int decryptOk = 0;
memset(err, 0x00, N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B);
decryptOk = bf_decoding(err, (const POSITION_T (*)[DV]) HtrPosOnes,
(const POSITION_T (*)[M]) QtrPosOnes, privateSyndrome);

int err_weight = 0;
for (int i = 0 ; i < N0; i++) {
err_weight += population_count(err + (NUM_DIGITS_GF2X_ELEMENT * i));
}
decryptOk = decryptOk && (err_weight == NUM_ERRORS_T);

if (!decryptOk) {
memcpy(err, mockup_error_vector, N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B);
}

return decryptOk;
} // end decrypt_niederreiter

/*----------------------------------------------------------------------------*/



+ 45
- 0
crypto_kem/ledakemlt12/clean/niederreiter_decrypt.h View File

@@ -0,0 +1,45 @@
/**
*
* <niederreiter_decrypt.h>
*
* @version 2.0 (March 2019)
*
* Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
*
* In alphabetical order:
*
* @author Marco Baldi <m.baldi@univpm.it>
* @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
* @author Franco Chiaraluce <f.chiaraluce@univpm.it>
* @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
* @author Paolo Santini <p.santini@pm.univpm.it>
*
* This code is hereby placed in the public domain.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
* OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
* EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
**/

#pragma once

#include "niederreiter.h"
#include "gf2x_limbs.h"

/*----------------------------------------------------------------------------*/

int decrypt_niederreiter(DIGIT err[], // return 1 if everything is ok
const privateKeyNiederreiter_t *const sk,
const DIGIT syndrome[]
);

/*----------------------------------------------------------------------------*/

+ 57
- 0
crypto_kem/ledakemlt12/clean/niederreiter_encrypt.c View File

@@ -0,0 +1,57 @@
/**
*
* <niederreiter_encrypt.c>
*
* @version 2.0 (March 2019)
*
* Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
*
* In alphabetical order:
*
* @author Marco Baldi <m.baldi@univpm.it>
* @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
* @author Franco Chiaraluce <f.chiaraluce@univpm.it>
* @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
* @author Paolo Santini <p.santini@pm.univpm.it>
*
* This code is hereby placed in the public domain.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
* OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
* EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
**/

#include "niederreiter_encrypt.h"
#include "qc_ldpc_parameters.h"
#include "gf2x_arith_mod_xPplusOne.h"

#include <string.h> // memset(...)

void encrypt_niederreiter(DIGIT syndrome[], // 1 polynomial
const publicKeyNiederreiter_t *const pk,
const DIGIT err[]) { // N0 polynomials
int i;
DIGIT saux[NUM_DIGITS_GF2X_ELEMENT];

memset(syndrome, 0x00, NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B);

for (i = 0; i < N0 - 1; i++) {
gf2x_mod_mul(saux,
pk->Mtr + i * NUM_DIGITS_GF2X_ELEMENT,
err + i * NUM_DIGITS_GF2X_ELEMENT
);
gf2x_mod_add(syndrome, syndrome, saux);
} // end for
gf2x_mod_add(syndrome, syndrome, err + (N0 - 1)*NUM_DIGITS_GF2X_ELEMENT);
} // end encrypt_niederreiter

/*----------------------------------------------------------------------------*/

+ 41
- 0
crypto_kem/ledakemlt12/clean/niederreiter_encrypt.h View File

@@ -0,0 +1,41 @@
/**
*
* <niederreiter_encrypt.c>
*
* @version 2.0 (March 2019)
*
* Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
*
* In alphabetical order:
*
* @author Marco Baldi <m.baldi@univpm.it>
* @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
* @author Franco Chiaraluce <f.chiaraluce@univpm.it>
* @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
* @author Paolo Santini <p.santini@pm.univpm.it>
*
* This code is hereby placed in the public domain.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
* OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
* EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
**/

#pragma once

#include "niederreiter.h"
#include "gf2x_limbs.h"

void encrypt_niederreiter(DIGIT syndrome[],
const publicKeyNiederreiter_t *const pk,
const DIGIT err[]
);

+ 145
- 0
crypto_kem/ledakemlt12/clean/niederreiter_keygen.c View File

@@ -0,0 +1,145 @@
/**
*
* <niederreiter_keygen.c>
*
* @version 2.0 (March 2019)
*
* Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
*
* In alphabetical order:
*
* @author Marco Baldi <m.baldi@univpm.it>
* @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
* @author Franco Chiaraluce <f.chiaraluce@univpm.it>
* @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
* @author Paolo Santini <p.santini@pm.univpm.it>
*
* This code is hereby placed in the public domain.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
* OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
* EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
**/

#include "niederreiter_keygen.h"

#include "H_Q_matrices_generation.h"
#include "gf2x_arith_mod_xPplusOne.h"
#include "rng.h"
#include "dfr_test.h"

#include <string.h>
/*----------------------------------------------------------------------------*/
/* Implementation that should never be optimized out by the compiler */
static inline void zeroize( void *v, size_t n ) {
volatile unsigned char *p = v;
while ( n-- ) {
*p++ = 0;
}
} // end zeroize

/*----------------------------------------------------------------------------*/

void key_gen_niederreiter(publicKeyNiederreiter_t *const pk,
privateKeyNiederreiter_t *const sk,
AES_XOF_struct *keys_expander) {
// sequence of N0 circ block matrices (p x p): Hi

POSITION_T HPosOnes[N0][DV];
POSITION_T HtrPosOnes[N0][DV];
/* Sparse representation of the transposed circulant matrix H,
with weight DV. Each index contains the position of a '1' digit in the
corresponding Htr block */

/* Sparse representation of the matrix (Q).
A matrix containing the positions of the ones in the circulant
blocks of Q. Each row contains the position of the
ones of all the blocks of a row of Q as exponent+
P*block_position */
POSITION_T QPosOnes[N0][M];

/*Rejection-sample for a full L*/
POSITION_T LPosOnes[N0][DV * M];
int is_L_full;
int isDFRok;
sk->rejections = (int8_t) 0;
do {
generateHPosOnes_HtrPosOnes(HPosOnes,
HtrPosOnes,
keys_expander);

generateQsparse(QPosOnes,
keys_expander);
for (int i = 0; i < N0; i++) {
for (int j = 0; j < DV * M; j++) {
LPosOnes[i][j] = INVALID_POS_VALUE;
}
}

POSITION_T auxPosOnes[DV * M];
unsigned char processedQOnes[N0] = {0};
for (int colQ = 0; colQ < N0; colQ++) {
for (int i = 0; i < N0; i++) {
gf2x_mod_mul_sparse(DV * M, auxPosOnes,
DV, HPosOnes[i],
qBlockWeights[i][colQ], QPosOnes[i] + processedQOnes[i]);
gf2x_mod_add_sparse(DV * M, LPosOnes[colQ],
DV * M, LPosOnes[colQ],
DV * M, auxPosOnes);
processedQOnes[i] += qBlockWeights[i][colQ];
}
}
is_L_full = 1;
for (int i = 0; i < N0; i++) {
is_L_full = is_L_full && (LPosOnes[i][DV * M - 1] != INVALID_POS_VALUE);
}
sk->rejections = sk->rejections + 1;
if (is_L_full) {
isDFRok = DFR_test(LPosOnes);
}
} while (!is_L_full || !isDFRok);
sk->rejections = sk->rejections - 1;

DIGIT Ln0dense[NUM_DIGITS_GF2X_ELEMENT] = {0x00};
for (int j = 0; j < DV * M; j++) {
if (LPosOnes[N0 - 1][j] != INVALID_POS_VALUE) {
gf2x_set_coeff(Ln0dense, LPosOnes[N0 - 1][j], 1);
}
}
DIGIT Ln0Inv[NUM_DIGITS_GF2X_ELEMENT] = {0x00};
gf2x_mod_inverse(Ln0Inv, Ln0dense);
for (int i = 0; i < N0 - 1; i++) {
gf2x_mod_mul_dense_to_sparse(pk->Mtr + i * NUM_DIGITS_GF2X_ELEMENT,
Ln0Inv,
LPosOnes[i],
DV * M);
}

for (int i = 0; i < N0 - 1; i++) {
gf2x_transpose_in_place(pk->Mtr + i * NUM_DIGITS_GF2X_ELEMENT);
}
} // end key_gen_niederreiter

/*----------------------------------------------------------------------------*/

void publicKey_deletion_niederreiter(publicKeyNiederreiter_t *const pk) {

zeroize(pk, sizeof(publicKeyNiederreiter_t));
} // publicKey_deletion_niederreiter

/*----------------------------------------------------------------------------*/

void privateKey_deletion_niederreiter(privateKeyNiederreiter_t *const sk) {
zeroize(sk, sizeof(privateKeyNiederreiter_t));
} // privateKey_deletion_niederreiter

/*----------------------------------------------------------------------------*/

+ 43
- 0
crypto_kem/ledakemlt12/clean/niederreiter_keygen.h View File

@@ -0,0 +1,43 @@
/**
*
* <niederreiter_keygen.h>
*
* @version 2.0 (March 2019)
*
* Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
*
* In alphabetical order:
*
* @author Marco Baldi <m.baldi@univpm.it>
* @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
* @author Franco Chiaraluce <f.chiaraluce@univpm.it>
* @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
* @author Paolo Santini <p.santini@pm.univpm.it>
*
* This code is hereby placed in the public domain.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
* OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
* EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
**/

#pragma once

#include "niederreiter.h"
#include "rng.h"

void key_gen_niederreiter(publicKeyNiederreiter_t *const pk,
privateKeyNiederreiter_t *const sk,
AES_XOF_struct *keys_expander);

void publicKey_deletion_niederreiter(publicKeyNiederreiter_t *const pk);
void privateKey_deletion_niederreiter(privateKeyNiederreiter_t *const sk);

+ 157
- 0
crypto_kem/ledakemlt12/clean/qc_ldpc_parameters.h View File

@@ -0,0 +1,157 @@
/**
*
* <qc_ldpc_parameters.h>
*
* @version 2.0 (March 2019)
*
* Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
*
* In alphabetical order:
*
* @author Marco Baldi <m.baldi@univpm.it>
* @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
* @author Franco Chiaraluce <f.chiaraluce@univpm.it>
* @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
* @author Paolo Santini <p.santini@pm.univpm.it>
*
* This code is hereby placed in the public domain.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
* OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
* EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
**/
#pragma once
// CATEGORY defined in the makefile

/*----------------------------------------------------------------------------*/
#if CATEGORY == 1
#define TRNG_BYTE_LENGTH (24)
#define HASH_FUNCTION sha3_256
#define HASH_BYTE_LENGTH (32)
// N0 defined in the makefile
#if (DFR_SL_LEVEL == 0)
#define P (35899) // modulus(x) = x^P-1
#define DV (9) // odd number
#define M (9)
#define M0 (5)
#define M1 (4)
#define NUM_ERRORS_T (136)

#elif (DFR_SL_LEVEL == 1)
#define P (52147) // modulus(x) = x^P-1
#define DV (9) // odd number
#define M (9)
#define M0 (5)
#define M1 (4)
#define NUM_ERRORS_T (136)

#else
#error "Unsupported number of circulant blocks"
#endif
#endif // end CATEGORY == 1

/*----------------------------------------------------------------------------*/

// We employ the parameters for Category 3 also in the case where the required
// security level is Category 2, where Category 2 has the following parameters.
// #define TRNG_BYTE_LENGTH (32)
// #define HASH_FUNCTION sha3_256
// #define HASH_BYTE_LENGTH (32)

/*----------------------------------------------------------------------------*/

#if (CATEGORY == 2) || (CATEGORY == 3)
#define TRNG_BYTE_LENGTH (32)
#define HASH_FUNCTION sha3_384
#define HASH_BYTE_LENGTH (48)
// N0 defined in the makefile
#if (DFR_SL_LEVEL == 0)
#define P (57899) // modulus(x) = x^P-1
#define DV (11) // odd number
#define M (11)
#define M0 (6)
#define M1 (5)
#define NUM_ERRORS_T (199)

#elif (DFR_SL_LEVEL == 1)
#define P (96221) // modulus(x) = x^P-1
#define DV (11) // odd number
#define M (11)
#define M0 (6)
#define M1 (5)
#define NUM_ERRORS_T (199)

#else
#error "Unsupported number of circulant blocks"
#endif
#endif

/*----------------------------------------------------------------------------*/

// We employ the parameters for Category 4 also in the case where the required
// security level is Category 5, where Category 4 has the following parameters.
// #if CATEGORY == 4
// #define TRNG_BYTE_LENGTH (40)
// #define HASH_FUNCTION sha3_384
// #define HASH_BYTE_LENGTH (48)
// #endif

/*----------------------------------------------------------------------------*/

#if (CATEGORY == 4) || (CATEGORY == 5)
#define TRNG_BYTE_LENGTH (40)
#define HASH_FUNCTION sha3_512
#define HASH_BYTE_LENGTH (64)
// N0 defined in the makefile
#if (DFR_SL_LEVEL == 0)
#define P (89051) // modulus(x) = x^P-1
#define DV (13) // odd number
#define M (13)
#define M0 (7)
#define M1 (6)
#define NUM_ERRORS_T (267)

#elif (DFR_SL_LEVEL == 1)
#define P (152267) // modulus(x) = x^P-1
#define DV (13) // odd number
#define M (13)
#define M0 (7)
#define M1 (6)
#define NUM_ERRORS_T (267)

#else
#error "Unsupported number of circulant blocks"
#endif
#endif
/*----------------------------------------------------------------------------*/

// Derived parameters, they are useful for QC-LDPC algorithms
#define HASH_BIT_LENGTH (HASH_BYTE_LENGTH << 3)
#define K ((N0-1)*P)
#define N (N0*P)
#define DC (N0*DV)

// Circulant weight structure of the Q matrix, specialized per value of N0
#if N0 == 2
#define Q_BLOCK_WEIGHTS {{M0,M1},{M1,M0}}
#elif N0 == 3
#define Q_BLOCK_WEIGHTS {{M0,M1,M2},{M2,M0,M1},{M1,M2,M0}}
#elif N0 == 4
#define Q_BLOCK_WEIGHTS {{M0,M1,M2,M3},{M3,M0,M1,M2},{M2,M3,M0,M1},{M1,M2,M3,M0}}
#else
#error "Unsupported number of circulant blocks"
#endif

static const unsigned char qBlockWeights[N0][N0] = Q_BLOCK_WEIGHTS;


/*----------------------------------------------------------------------------*/

+ 336
- 0
crypto_kem/ledakemlt12/clean/rng.c View File

@@ -0,0 +1,336 @@
/**
*
* <rng.c>
*
* @version 2.0 (March 2019)
*
* Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
*
* In alphabetical order:
*
* @author Marco Baldi <m.baldi@univpm.it>
* @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
* @author Franco Chiaraluce <f.chiaraluce@univpm.it>
* @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
* @author Paolo Santini <p.santini@pm.univpm.it>
*
* This code is hereby placed in the public domain.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
* OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
* EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
**/


#include "rng.h"

#include <stddef.h>
#include <stdint.h>
#include <stdlib.h> // void srand(unsigned int seed); int rand(void); RAND_MAX
#include <string.h> // void *memset(void *s, int c, size_t n);
#define __USE_POSIX199309
#include <time.h> // struct timespec; clock_gettime(...); CLOCK_REALTIME

#include "aes256.h"
#include "qc_ldpc_parameters.h"


/******************************************************************************/
/*----------------------------------------------------------------------------*/
/* start PSEUDO-RAND GENERATOR ROUTINES for rnd.h */
/*----------------------------------------------------------------------------*/


void initialize_pseudo_random_generator_seed(int ac, char *av[]) {

if (ac == 2) {
srand(atoi(av[1]));
} else {
struct timespec seedValue;
clock_gettime(CLOCK_REALTIME, &seedValue);
srand(seedValue.tv_nsec);
} // end else-if
unsigned char pseudo_entropy[48];
for (int i = 0; i < 48; i++) {
pseudo_entropy[i] = rand() & 0xff;
}
randombytes_init(pseudo_entropy,
NULL,
0 /*unused in NIST function*/);


} // end initilize_pseudo_random_sequence_seed


/*----------------------------------------------------------------------------*/

/* Initializes a dedicated DRBG context to avoid conflicts with the global one
* declared by NIST for KATs. Provides the output of the DRBG in output, for
* the given length */


/*----------------------------------------------------------------------------*/
/* end PSEUDO-RAND GENERATOR ROUTINES for rnd.h */
/*----------------------------------------------------------------------------*/

AES256_CTR_DRBG_struct DRBG_ctx;

void AES256_ECB(unsigned char *key, unsigned char *ctr,
unsigned char *buffer);

/*
seedexpander_init()
ctx - stores the current state of an instance of the seed expander
seed - a 32 byte random value
diversifier - an 8 byte diversifier
maxlen - maximum number of bytes (less than 2**32) generated under this seed and diversifier
*/
int
seedexpander_init(AES_XOF_struct *ctx,
unsigned char *seed,
unsigned char *diversifier,
unsigned long maxlen) {
if ( maxlen >= 0x100000000 ) {
return RNG_BAD_MAXLEN;
}

ctx->length_remaining = maxlen;

memset(ctx->key, 0, 32);
int max_accessible_seed_len = TRNG_BYTE_LENGTH < 32 ? 32 : TRNG_BYTE_LENGTH;
memcpy(ctx->key, seed, max_accessible_seed_len);

memcpy(ctx->ctr, diversifier, 8);
ctx->ctr[11] = maxlen % 256;
maxlen >>= 8;
ctx->ctr[10] = maxlen % 256;
maxlen >>= 8;
ctx->ctr[9] = maxlen % 256;
maxlen >>= 8;
ctx->ctr[8] = maxlen % 256;
memset(ctx->ctr + 12, 0x00, 4);

ctx->buffer_pos = 16;
memset(ctx->buffer, 0x00, 16);

return RNG_SUCCESS;
}

/*
seedexpander()
ctx - stores the current state of an instance of the seed expander
x - returns the XOF data
xlen - number of bytes to return
*/
int
seedexpander(AES_XOF_struct *ctx, unsigned char *x, unsigned long xlen) {
unsigned long offset;

if ( x == NULL ) {
return RNG_BAD_OUTBUF;
}
if ( xlen >= ctx->length_remaining ) {
return RNG_BAD_REQ_LEN;
}

ctx->length_remaining -= xlen;

offset = 0;
while ( xlen > 0 ) {
if ( xlen <= (16 - ctx->buffer_pos) ) { // buffer has what we need
memcpy(x + offset, ctx->buffer + ctx->buffer_pos, xlen);
ctx->buffer_pos += xlen;

return RNG_SUCCESS;
}

// take what's in the buffer
memcpy(x + offset, ctx->buffer + ctx->buffer_pos, 16 - ctx->buffer_pos);
xlen -= 16 - ctx->buffer_pos;
offset += 16 - ctx->buffer_pos;

AES256_ECB(ctx->key, ctx->ctr, ctx->buffer);
ctx->buffer_pos = 0;

//increment the counter
for (int i = 15; i >= 12; i--) {
if ( ctx->ctr[i] == 0xff ) {
ctx->ctr[i] = 0x00;
} else {
ctx->ctr[i]++;
break;
}
}

}

return RNG_SUCCESS;
}

// Use whatever AES implementation you have. This uses AES from openSSL library
// key - 256-bit AES key
// ptx - a 128-bit plaintext value
// ctx - a 128-bit ciphertext value

void
AES256_ECB(unsigned char *key, unsigned char *ptx, unsigned char *ctx) {
uint32_t round_key[4 * (NROUNDS + 1)] = {0x00};
rijndaelKeySetupEnc(round_key, key, KEYLEN_b);
rijndaelEncrypt(round_key, NROUNDS, ptx, ctx);
}

void
randombytes_init(unsigned char *entropy_input,
unsigned char *personalization_string,
int security_strength) {
unsigned char seed_material[48];

memcpy(seed_material, entropy_input, 48);
if (personalization_string)
for (int i = 0; i < 48; i++) {
seed_material[i] ^= personalization_string[i];
}
memset(DRBG_ctx.Key, 0x00, 32);
memset(DRBG_ctx.V, 0x00, 16);
AES256_CTR_DRBG_Update(seed_material, DRBG_ctx.Key, DRBG_ctx.V);
DRBG_ctx.reseed_counter = 1;
}

int
randombytes(unsigned char *x, unsigned long long xlen) {
unsigned char block[16];
int i = 0;

while ( xlen > 0 ) {
//increment V
for (int j = 15; j >= 0; j--) {
if ( DRBG_ctx.V[j] == 0xff ) {
DRBG_ctx.V[j] = 0x00;
} else {
DRBG_ctx.V[j]++;
break;
}
}
AES256_ECB(DRBG_ctx.Key, DRBG_ctx.V, block);
if ( xlen > 15 ) {
memcpy(x + i, block, 16);
i += 16;
xlen -= 16;
} else {
memcpy(x + i, block, xlen);
xlen = 0;
}
}
AES256_CTR_DRBG_Update(NULL, DRBG_ctx.Key, DRBG_ctx.V);
DRBG_ctx.reseed_counter++;

return RNG_SUCCESS;
}

void
AES256_CTR_DRBG_Update(unsigned char *provided_data,
unsigned char *Key,
unsigned char *V) {
unsigned char temp[48];

for (int i = 0; i < 3; i++) {
//increment V
for (int j = 15; j >= 0; j--) {
if ( V[j] == 0xff ) {
V[j] = 0x00;
} else {
V[j]++;
break;
}
}

AES256_ECB(Key, V, temp + 16 * i);
}
if ( provided_data != NULL )
for (int i = 0; i < 48; i++) {
temp[i] ^= provided_data[i];
}
memcpy(Key, temp, 32);
memcpy(V, temp + 32, 16);
}



void deterministic_random_byte_generator(unsigned char *const output,
const unsigned long long output_len,
const unsigned char *const seed,
const unsigned long long seed_length
) {
/* DRBG context initialization */
AES256_CTR_DRBG_struct ctx;
unsigned char seed_material[48];
memset(seed_material, 0x00, 48);
memcpy(seed_material, seed, seed_length);

memset(ctx.Key, 0x00, 32);
memset(ctx.V, 0x00, 16);
AES256_CTR_DRBG_Update(seed_material, ctx.Key, ctx.V);
ctx.reseed_counter = 1;

/* Actual DRBG computation as from the randombytes(unsigned char *x,
* unsigned long long xlen) from NIST */

unsigned char block[16];
int i = 0, length_remaining;

length_remaining = output_len;

while ( length_remaining > 0 ) {
//increment V
for (int j = 15; j >= 0; j--) {
if ( ctx.V[j] == 0xff ) {
ctx.V[j] = 0x00;
} else {
ctx.V[j]++;
break;
}
}
AES256_ECB(ctx.Key, ctx.V, block);
if ( length_remaining > 15 ) {
memcpy(output + i, block, 16);
i += 16;
length_remaining -= 16;
} else {
memcpy(output + i, block, length_remaining);
length_remaining = 0;
}
}
AES256_CTR_DRBG_Update(NULL, ctx.Key, ctx.V);
ctx.reseed_counter++;

} // end deterministic_random_byte_generator

void seedexpander_from_trng(AES_XOF_struct *ctx,
const unsigned char *trng_entropy
/* TRNG_BYTE_LENGTH wide buffer */) {

/*the NIST seedexpander will however access 32B from this buffer */
unsigned int prng_buffer_size = TRNG_BYTE_LENGTH < 32 ? 32 : TRNG_BYTE_LENGTH;
unsigned char prng_buffer[TRNG_BYTE_LENGTH < 32 ? 32 : TRNG_BYTE_LENGTH] = { 0x00 };
memcpy(prng_buffer,
trng_entropy,
TRNG_BYTE_LENGTH < prng_buffer_size ? TRNG_BYTE_LENGTH : prng_buffer_size);
/* if extra entropy is provided, add it to the diversifier */
#if TRNG_BYTE_LENGTH == 40
unsigned char *diversifier = ((unsigned char *)trng_entropy) + 32;
#else
unsigned char diversifier[8] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
#endif
/* the required seed expansion will be quite small, set the max number of
* bytes conservatively to 10 MiB*/
seedexpander_init(ctx, prng_buffer, diversifier, 10 * 1024 * 1024);
}

+ 96
- 0
crypto_kem/ledakemlt12/clean/rng.h View File

@@ -0,0 +1,96 @@
/**
*
* <rng.h>
*
* @version 2.0 (March 2019)
*
* Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
*
* In alphabetical order:
*
* @author Marco Baldi <m.baldi@univpm.it>
* @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
* @author Franco Chiaraluce <f.chiaraluce@univpm.it>
* @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
* @author Paolo Santini <p.santini@pm.univpm.it>
*
* This code is hereby placed in the public domain.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
* OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
* EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
**/

#pragma once

/****** From this point on, the code was supplied by NIST ****************/
// Created by Bassham, Lawrence E (Fed) on 8/29/17.
// Copyright © 2017 Bassham, Lawrence E (Fed). All rights reserved.
//
/****** from NIST ****************/

#include <stdio.h>

#define RNG_SUCCESS 0
#define RNG_BAD_MAXLEN -1
#define RNG_BAD_OUTBUF -2
#define RNG_BAD_REQ_LEN -3

typedef struct {
unsigned char buffer[16];
int buffer_pos;
unsigned long length_remaining;
unsigned char key[32];
unsigned char ctr[16];
} AES_XOF_struct;

typedef struct {
unsigned char Key[32];
unsigned char V[16];
int reseed_counter;
} AES256_CTR_DRBG_struct;


void
AES256_CTR_DRBG_Update(unsigned char *provided_data,
unsigned char *Key,
unsigned char *V);

int
seedexpander_init(AES_XOF_struct *ctx,
unsigned char *seed,
unsigned char *diversifier,
unsigned long maxlen);

int
seedexpander(AES_XOF_struct *ctx, unsigned char *x, unsigned long xlen);

void
randombytes_init(unsigned char *entropy_input,
unsigned char *personalization_string,
int security_strength);

int
randombytes(unsigned char *x, unsigned long long xlen);

/****** End of NIST supplied code ****************/

void initialize_pseudo_random_generator_seed(int ac, char *av[]);

void deterministic_random_byte_generator(unsigned char *const output,
const unsigned long long output_len,
const unsigned char *const seed,
const unsigned long long seed_length);

void seedexpander_from_trng(AES_XOF_struct *ctx,
const unsigned char *trng_entropy
/* TRNG_BYTE_LENGTH wide buffer */);

+ 43
- 0
crypto_kem/ledakemlt12/clean/sha3.h View File

@@ -0,0 +1,43 @@
#pragma once

#define LITTLE_ENDIAN
#include <libkeccak.a.headers/KeccakHash.h>

static inline
void sha3_256(const unsigned char *input,
unsigned int inputByteLen,
unsigned char *output) {
Keccak_HashInstance state;
Keccak_HashInitialize(&state, 1088, 512, 256, 0x06);
Keccak_HashUpdate(&state, input, inputByteLen * 8);
Keccak_HashFinal(&state, output);
}

/**
* Function to compute SHA3-384 on the input message.
* The output length is fixed to 48 bytes.
*/
static inline
void sha3_384(const unsigned char *input,
unsigned int inputByteLen,
unsigned char *output) {
Keccak_HashInstance state;
Keccak_HashInitialize(&state, 832, 768, 384, 0x06);
Keccak_HashUpdate(&state, input, inputByteLen * 8);
Keccak_HashFinal(&state, output);
}

/**
* Function to compute SHA3-512 on the input message.
* The output length is fixed to 64 bytes.
*/
static inline
void sha3_512(const unsigned char *input,
unsigned int inputByteLen,
unsigned char *output) {
Keccak_HashInstance state;
Keccak_HashInitialize(&state, 576, 1024, 512, 0x06);
Keccak_HashUpdate(&state, input, inputByteLen * 8);
Keccak_HashFinal(&state, output);
}


Write Preview
Loading…
Cancel
Save