diff --git a/crypto_kem/kyber1024-90s/META.yml b/crypto_kem/kyber1024-90s/META.yml index 6b52fe0b..cf157c78 100644 --- a/crypto_kem/kyber1024-90s/META.yml +++ b/crypto_kem/kyber1024-90s/META.yml @@ -21,14 +21,14 @@ auxiliary-submitters: - Damien Stehlé implementations: - name: clean - version: https://github.com/pq-crystals/kyber/commit/46e283ab575ec92dfe82fb12229ae2d9d6246682 + version: https://github.com/pq-crystals/kyber/commit/844057468e69527bd15b17fbe03f4b61f9a22065 via https://github.com/jschanck/package-pqclean/tree/b45068b8/kyber - name: avx2 - version: https://github.com/pq-crystals/kyber/commit/46e283ab575ec92dfe82fb12229ae2d9d6246682 + version: https://github.com/pq-crystals/kyber/commit/844057468e69527bd15b17fbe03f4b61f9a22065 via https://github.com/jschanck/package-pqclean/tree/b45068b8/kyber supported_platforms: - architecture: x86_64 operating_systems: - - Linux - - Darwin + - Linux + - Darwin required_flags: - aes - avx2 diff --git a/crypto_kem/kyber1024-90s/avx2/Makefile b/crypto_kem/kyber1024-90s/avx2/Makefile index 25635c4b..f146772e 100644 --- a/crypto_kem/kyber1024-90s/avx2/Makefile +++ b/crypto_kem/kyber1024-90s/avx2/Makefile 
@@ -1,44 +1,11 @@
 # This Makefile can be used with GNU Make or BSD Make
 LIB=libkyber1024-90s_avx2.a
-HEADERS= \
- aes256ctr.h \
- align.h \
- api.h \
- cbd.h \
- cdecl.inc \
- consts.h \
- fq.inc \
- indcpa.h \
- kem.h \
- ntt.h \
- params.h \
- poly.h \
- polyvec.h \
- reduce.h \
- rejsample.h \
- shuffle.inc \
- symmetric.h \
- verify.h
-OBJECTS= \
- aes256ctr.o \
- basemul.o \
- cbd.o \
- consts.o \
- fq.o \
- indcpa.o \
- invntt.o \
- kem.o \
- ntt.o \
- poly.o \
- polyvec.o \
- rejsample.o \
- shuffle.o \
- verify.o
-
+HEADERS=aes256ctr.h align.h api.h cbd.h cdecl.h consts.h indcpa.h kem.h ntt.h params.h poly.h polyvec.h reduce.h rejsample.h symmetric.h verify.h fq.inc shuffle.inc
+OBJECTS=aes256ctr.o cbd.o consts.o indcpa.o kem.o poly.o polyvec.o rejsample.o verify.o basemul.o fq.o invntt.o ntt.o shuffle.o
 CFLAGS=-mavx2 -maes -mbmi2 -mpopcnt -O3 -Wall -Wextra -Wpedantic -Werror \
- -Wmissing-prototypes -Wredundant-decls -std=c99 \
- -I../../../common $(EXTRAFLAGS)
+ -Wmissing-prototypes -Wredundant-decls -std=c99 \
+ -I../../../common $(EXTRAFLAGS)
 all: $(LIB)
diff --git a/crypto_kem/kyber1024-90s/avx2/aes256ctr.c b/crypto_kem/kyber1024-90s/avx2/aes256ctr.c
index 404794a0..e2ae81cc 100644
--- a/crypto_kem/kyber1024-90s/avx2/aes256ctr.c
+++ b/crypto_kem/kyber1024-90s/avx2/aes256ctr.c
@@ -1,3 +1,7 @@
+#include "aes256ctr.h"
+#include
+#include
+#include
 /* Based heavily on public-domain code by Romain Dolbeau
 Different handling of nonce+counter than original version
@@ -5,10 +9,6 @@
 Public Domain
 */
-#include "aes256ctr.h"
-#include
-#include
-#include
 static inline void aesni_encrypt4(uint8_t out[64],
 __m128i *n,
@@ -114,7 +114,7 @@ void PQCLEAN_KYBER102490S_AVX2_aes256ctr_init(aes256ctr_ctx *state, const uint8_
 void PQCLEAN_KYBER102490S_AVX2_aes256ctr_squeezeblocks(uint8_t *out,
 size_t nblocks,
 aes256ctr_ctx *state) {
- size_t i = 0;
+ size_t i;
 for (i = 0; i < nblocks; i++) {
 aesni_encrypt4(out, &state->n, state->rkeys);
 out += 64;
@@ -123,13 +123,13 @@ void PQCLEAN_KYBER102490S_AVX2_aes256ctr_squeezeblocks(uint8_t *out,
 void PQCLEAN_KYBER102490S_AVX2_aes256ctr_prf(uint8_t *out,
 size_t outlen,
- const uint8_t seed[32],
+ const uint8_t key[32],
 uint64_t nonce) {
- unsigned int i = 0;
+ unsigned int i;
 uint8_t buf[64];
 aes256ctr_ctx state;
- PQCLEAN_KYBER102490S_AVX2_aes256ctr_init(&state, seed, nonce);
+ PQCLEAN_KYBER102490S_AVX2_aes256ctr_init(&state, key, nonce);
 while (outlen >= 64) {
 aesni_encrypt4(out, &state.n, state.rkeys);
diff --git a/crypto_kem/kyber1024-90s/avx2/aes256ctr.h b/crypto_kem/kyber1024-90s/avx2/aes256ctr.h
index d40f1463..3f3c08e1 100644
--- a/crypto_kem/kyber1024-90s/avx2/aes256ctr.h
+++ b/crypto_kem/kyber1024-90s/avx2/aes256ctr.h
@@ -1,11 +1,10 @@
-#ifndef AES256CTR_H
-#define AES256CTR_H
+#ifndef PQCLEAN_KYBER102490S_AVX2_AES256CTR_H
+#define PQCLEAN_KYBER102490S_AVX2_AES256CTR_H
 #include
 #include
 #include
-#define AES256CTR_NAMESPACE(s) pqcrystals_aes256ctr_avx2##s
 #define AES256CTR_BLOCKBYTES 64
@@ -14,8 +13,17 @@ typedef struct {
 __m128i n;
 } aes256ctr_ctx;
-void PQCLEAN_KYBER102490S_AVX2_aes256ctr_init(aes256ctr_ctx *state, const uint8_t key[32], uint64_t nonce);
-void PQCLEAN_KYBER102490S_AVX2_aes256ctr_squeezeblocks(uint8_t *out, size_t nblocks, aes256ctr_ctx *state);
-void PQCLEAN_KYBER102490S_AVX2_aes256ctr_prf(uint8_t *out, size_t outlen, const uint8_t seed[32], uint64_t nonce);
+void PQCLEAN_KYBER102490S_AVX2_aes256ctr_init(aes256ctr_ctx *state,
+ const uint8_t key[32],
+ uint64_t nonce);
+
+void PQCLEAN_KYBER102490S_AVX2_aes256ctr_squeezeblocks(uint8_t *out,
+ size_t nblocks,
+ aes256ctr_ctx *state);
+
+void PQCLEAN_KYBER102490S_AVX2_aes256ctr_prf(uint8_t *out,
+ size_t outlen,
+ const uint8_t key[32],
+ uint64_t nonce);
 #endif
diff --git a/crypto_kem/kyber1024-90s/avx2/align.h b/crypto_kem/kyber1024-90s/avx2/align.h
index 7227b8f0..8d3aa971 100644
--- a/crypto_kem/kyber1024-90s/avx2/align.h
+++ b/crypto_kem/kyber1024-90s/avx2/align.h
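Review bot: `PQCLEAN_KYBER102490S_AVX2_aes256ctr_prf` expands the caller's key into `state` (the AES-256 round keys) and stages keystream in `buf[64]`, both on the stack, and nothing in the hunk clears either before the function returns; the rest of the body is outside the hunk, so this is to be confirmed there. If the remainder does not wipe them, the expanded noise-PRF key outlives the call on the stack, and the function should end with an explicit zeroization of `state` and `buf` (a plain `memset` before return may be dropped by the optimizer, so use a volatile-pointer wipe or a compiler barrier). The `seed` to `key` rename is correct and now matches the prototype in aes256ctr.h.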
@@ -1,5 +1,6 @@
 #ifndef PQCLEAN_KYBER102490S_AVX2_ALIGN_H
 #define PQCLEAN_KYBER102490S_AVX2_ALIGN_H
+
 #include
 #define ALIGN16_TYPE(t) \
diff --git a/crypto_kem/kyber1024-90s/avx2/api.h b/crypto_kem/kyber1024-90s/avx2/api.h
index e07cbd01..f1fab310 100644
--- a/crypto_kem/kyber1024-90s/avx2/api.h
+++ b/crypto_kem/kyber1024-90s/avx2/api.h
@@ -15,5 +15,4 @@ int PQCLEAN_KYBER102490S_AVX2_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uin
 int PQCLEAN_KYBER102490S_AVX2_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
 #endif
diff --git a/crypto_kem/kyber1024-90s/avx2/basemul.S b/crypto_kem/kyber1024-90s/avx2/basemul.S
index abd3eda5..a7b98edd 100644
--- a/crypto_kem/kyber1024-90s/avx2/basemul.S
+++ b/crypto_kem/kyber1024-90s/avx2/basemul.S
@@ -1,5 +1,5 @@
+#include "cdecl.h"
 #include "params.h"
-#include "cdecl.inc"
 .macro schoolbook off,sign
 #load
@@ -165,7 +165,9 @@ vmovdqa %ymm5,96(%rdi)
 ret
 .global cdecl(PQCLEAN_KYBER102490S_AVX2_basemul_acc_avx)
+.global _cdecl(PQCLEAN_KYBER102490S_AVX2_basemul_acc_avx)
 cdecl(PQCLEAN_KYBER102490S_AVX2_basemul_acc_avx):
+_cdecl(PQCLEAN_KYBER102490S_AVX2_basemul_acc_avx):
 #consts
 vmovdqa _16XQ*2(%rcx),%ymm0
 vmovdqa _16XQINV*2(%rcx),%ymm1
@@ -215,7 +217,9 @@ vmovdqa %ymm12,96(%rdi)
 ret
 .global cdecl(PQCLEAN_KYBER102490S_AVX2_basemul_avx)
+.global _cdecl(PQCLEAN_KYBER102490S_AVX2_basemul_avx)
 cdecl(PQCLEAN_KYBER102490S_AVX2_basemul_avx):
+_cdecl(PQCLEAN_KYBER102490S_AVX2_basemul_avx):
 #consts
 vmovdqa _16XQ*2(%rcx),%ymm0
 vmovdqa _16XQINV*2(%rcx),%ymm1
diff --git a/crypto_kem/kyber1024-90s/avx2/cbd.c b/crypto_kem/kyber1024-90s/avx2/cbd.c
index 6007d47a..26a75d52 100644
--- a/crypto_kem/kyber1024-90s/avx2/cbd.c
+++ b/crypto_kem/kyber1024-90s/avx2/cbd.c
@@ -1,5 +1,5 @@
-#include "params.h"
 #include "cbd.h"
+#include "params.h"
 #include
 #include
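Review bot: Emitting both `cdecl(sym)` and `_cdecl(sym)` as `.global` labels for `basemul_acc_avx` and `basemul_avx` defines two exported symbols per routine on every target, where the old `cdecl.inc` selected one spelling per platform; on ELF the extra `_PQCLEAN_…` symbol is never referenced and only widens the exported surface, and if the repository's symbol-namespace check does not strip a leading underscore it may be flagged (the check itself is not visible here). The same pattern is applied in fq.S, invntt.S, ntt.S and shuffle.S in this diff. Whichever way that is resolved, the intent is not obvious from the assembly alone, so a comment above each pair such as `# both spellings are exported: plain for ELF, underscore-prefixed for Mach-O/Win32 (see cdecl.h)` would stop the next reader from deleting one label as a duplicate.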
@@ -14,7 +14,7 @@
 * - const unsigned char *buf: pointer to input byte array
 **************************************************/
 void PQCLEAN_KYBER102490S_AVX2_cbd(poly *restrict r, const uint8_t *restrict buf) {
- unsigned int i = 0;
+ unsigned int i;
 __m256i vec0, vec1, vec2, vec3, tmp;
 const __m256i mask55 = _mm256_set1_epi32(0x55555555);
 const __m256i mask33 = _mm256_set1_epi32(0x33333333);
diff --git a/crypto_kem/kyber1024-90s/avx2/cbd.h b/crypto_kem/kyber1024-90s/avx2/cbd.h
index 72190f5d..5f4e435a 100644
--- a/crypto_kem/kyber1024-90s/avx2/cbd.h
+++ b/crypto_kem/kyber1024-90s/avx2/cbd.h
@@ -1,11 +1,9 @@
 #ifndef PQCLEAN_KYBER102490S_AVX2_CBD_H
 #define PQCLEAN_KYBER102490S_AVX2_CBD_H
-
 #include "params.h"
 #include "poly.h"
 #include
-
 void PQCLEAN_KYBER102490S_AVX2_cbd(poly *r, const uint8_t buf[KYBER_ETA * KYBER_N / 4]);
 #endif
diff --git a/crypto_kem/kyber1024-90s/avx2/cdecl.inc b/crypto_kem/kyber1024-90s/avx2/cdecl.h
similarity index 78%
rename from crypto_kem/kyber1024-90s/avx2/cdecl.inc
rename to crypto_kem/kyber1024-90s/avx2/cdecl.h
index 8ded53b1..34bdf281 100644
--- a/crypto_kem/kyber1024-90s/avx2/cdecl.inc
+++ b/crypto_kem/kyber1024-90s/avx2/cdecl.h
@@ -1,5 +1,5 @@
-#ifndef PQCLEAN_DILITHIUM2_AVX2_CDECL
-#define PQCLEAN_DILITHIUM2_AVX2_CDECL
+#ifndef PQCLEAN_KYBER102490S_AVX2_CDECL_H
+#define PQCLEAN_KYBER102490S_AVX2_CDECL_H
 #define _16XQ 0
 #define _16XQINV 16
@@ -21,10 +21,6 @@
 * This define helps us get around this
 */
-#if defined(__WIN32__) || defined(__APPLE__)
-#define cdecl(s) _##s
-#else
+#define _cdecl(s) _##s
 #define cdecl(s) s
 #endif
-
-#endif
diff --git a/crypto_kem/kyber1024-90s/avx2/consts.c b/crypto_kem/kyber1024-90s/avx2/consts.c
index 0a2dd000..0afd7b5f 100644
--- a/crypto_kem/kyber1024-90s/avx2/consts.c
+++ b/crypto_kem/kyber1024-90s/avx2/consts.c
@@ -1,5 +1,5 @@
-#include "params.h"
 #include "consts.h"
+#include "params.h"
 #include
 #define Q KYBER_Q
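Review bot: The new macro name `_cdecl` sits in the underscore-prefixed namespace that the C standard reserves for the implementation at file scope, and `_cdecl` is also the spelling MSVC accepts as a synonym for its `__cdecl` calling-convention keyword; since consts.h now pulls cdecl.h into C translation units, a function-like macro of that name is a collision risk if this header is ever seen by that compiler, and a spelling outside the reserved space (for example `cdecl_uscore(s)`) avoids it. The comment block directly above, ending `* This define helps us get around this`, still describes the removed `#if defined(__WIN32__) || defined(__APPLE__)` selection; it should now say that both spellings are defined unconditionally and that every assembly entry point is emitted under `cdecl()` and `_cdecl()` so one object links on ELF and on Mach-O/Win32. The guard fix from `PQCLEAN_DILITHIUM2_AVX2_CDECL` is correct.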
diff --git a/crypto_kem/kyber1024-90s/avx2/consts.h b/crypto_kem/kyber1024-90s/avx2/consts.h
index 968cbe07..f5755661 100644
--- a/crypto_kem/kyber1024-90s/avx2/consts.h
+++ b/crypto_kem/kyber1024-90s/avx2/consts.h
@@ -1,12 +1,11 @@
 #ifndef PQCLEAN_KYBER102490S_AVX2_CONSTS_H
 #define PQCLEAN_KYBER102490S_AVX2_CONSTS_H
-
-#include "cdecl.inc"
-
+#include "cdecl.h"
 #include "params.h"
 #include
 #include
+
 #define ALIGNED_UINT16_T(N) \
 union { \
 __m256i as_vec; \
diff --git a/crypto_kem/kyber1024-90s/avx2/fq.S b/crypto_kem/kyber1024-90s/avx2/fq.S
index 23ddb9fe..c436df31 100644
--- a/crypto_kem/kyber1024-90s/avx2/fq.S
+++ b/crypto_kem/kyber1024-90s/avx2/fq.S
@@ -1,4 +1,4 @@
-#include "cdecl.inc"
+#include "cdecl.h"
 .include "fq.inc"
 .text
@@ -35,7 +35,9 @@ vmovdqa %ymm9,224(%rdi)
 ret
 .global cdecl(PQCLEAN_KYBER102490S_AVX2_reduce_avx)
+.global _cdecl(PQCLEAN_KYBER102490S_AVX2_reduce_avx)
 cdecl(PQCLEAN_KYBER102490S_AVX2_reduce_avx):
+_cdecl(PQCLEAN_KYBER102490S_AVX2_reduce_avx):
 #consts
 vmovdqa _16XQ*2(%rsi),%ymm0
 vmovdqa _16XV*2(%rsi),%ymm1
@@ -77,7 +79,9 @@ vmovdqa %ymm8,224(%rdi)
 ret
 .global cdecl(PQCLEAN_KYBER102490S_AVX2_csubq_avx)
+.global _cdecl(PQCLEAN_KYBER102490S_AVX2_csubq_avx)
 cdecl(PQCLEAN_KYBER102490S_AVX2_csubq_avx):
+_cdecl(PQCLEAN_KYBER102490S_AVX2_csubq_avx):
 #consts
 vmovdqa _16XQ*2(%rsi),%ymm0
 call csubq128_avx
@@ -118,7 +122,9 @@ vmovdqa %ymm10,224(%rdi)
 ret
 .global cdecl(PQCLEAN_KYBER102490S_AVX2_tomont_avx)
+.global _cdecl(PQCLEAN_KYBER102490S_AVX2_tomont_avx)
 cdecl(PQCLEAN_KYBER102490S_AVX2_tomont_avx):
+_cdecl(PQCLEAN_KYBER102490S_AVX2_tomont_avx):
 #consts
 vmovdqa _16XQ*2(%rsi),%ymm0
 vmovdqa _16XMONTSQLO*2(%rsi),%ymm1
diff --git a/crypto_kem/kyber1024-90s/avx2/indcpa.c b/crypto_kem/kyber1024-90s/avx2/indcpa.c
index 35343d57..ae5e7ed2 100644
--- a/crypto_kem/kyber1024-90s/avx2/indcpa.c
+++ b/crypto_kem/kyber1024-90s/avx2/indcpa.c
@@ -25,7 +25,7 @@ static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES],
 polyvec *pk,
 const uint8_t seed[KYBER_SYMBYTES]) {
- size_t i = 0;
+ size_t i;
 PQCLEAN_KYBER102490S_AVX2_polyvec_tobytes(r, pk);
 for (i = 0; i < KYBER_SYMBYTES; i++) {
 r[i + KYBER_POLYVECBYTES] = seed[i];
@@ -45,7 +45,7 @@ static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES],
 static void unpack_pk(polyvec *pk,
 uint8_t seed[KYBER_SYMBYTES],
 const uint8_t packedpk[KYBER_INDCPA_PUBLICKEYBYTES]) {
- size_t i = 0;
+ size_t i;
 PQCLEAN_KYBER102490S_AVX2_polyvec_frombytes(pk, packedpk);
 for (i = 0; i < KYBER_SYMBYTES; i++) {
 seed[i] = packedpk[i + KYBER_POLYVECBYTES];
@@ -133,8 +133,8 @@ static unsigned int rej_uniform(int16_t *r,
 unsigned int len,
 const uint8_t *buf,
 unsigned int buflen) {
- unsigned int ctr = 0, pos = 0;
- uint16_t val = 0;
+ unsigned int ctr, pos;
+ uint16_t val;
 ctr = pos = 0;
 while (ctr < len && pos + 2 <= buflen) {
@@ -168,7 +168,7 @@ static unsigned int rej_uniform(int16_t *r,
 #define GEN_MATRIX_NBLOCKS ((2*KYBER_N*(1U << 16)/(19*KYBER_Q) \
 + XOF_BLOCKBYTES)/XOF_BLOCKBYTES)
 void PQCLEAN_KYBER102490S_AVX2_gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed) {
- unsigned int ctr = 0, i = 0, j = 0;
+ unsigned int ctr, i, j;
 ALIGN16_TYPE(uint64_t) nonce = {.orig = 0};
 ALIGN32_ARRAY(uint8_t, GEN_MATRIX_NBLOCKS * XOF_BLOCKBYTES) buf;
 aes256ctr_ctx state;
@@ -211,7 +211,7 @@ void PQCLEAN_KYBER102490S_AVX2_gen_matrix(polyvec *a, const uint8_t seed[KYBER_S
 **************************************************/
 void PQCLEAN_KYBER102490S_AVX2_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
 uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]) {
- unsigned int i = 0;
+ unsigned int i;
 ALIGN32_ARRAY(uint8_t, 2 * KYBER_SYMBYTES) buf;
 const uint8_t *publicseed = buf.arr;
 const uint8_t *noiseseed = buf.arr + KYBER_SYMBYTES;
@@ -276,7 +276,7 @@ void PQCLEAN_KYBER102490S_AVX2_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES],
 const uint8_t m[KYBER_INDCPA_MSGBYTES],
 const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
 const uint8_t coins[KYBER_SYMBYTES]) {
- unsigned int i = 0;
+ unsigned int i;
 ALIGN32_ARRAY(uint8_t, KYBER_SYMBYTES) seed;
 polyvec sp, pkpv, ep, at[KYBER_K], bp;
 poly v, k, epp;
diff --git a/crypto_kem/kyber1024-90s/avx2/indcpa.h b/crypto_kem/kyber1024-90s/avx2/indcpa.h
index 3813ad08..dfdfd5ab 100644
--- a/crypto_kem/kyber1024-90s/avx2/indcpa.h
+++ b/crypto_kem/kyber1024-90s/avx2/indcpa.h
@@ -1,16 +1,20 @@
 #ifndef PQCLEAN_KYBER102490S_AVX2_INDCPA_H
 #define PQCLEAN_KYBER102490S_AVX2_INDCPA_H
-
 #include "params.h"
 #include "polyvec.h"
 #include
 void PQCLEAN_KYBER102490S_AVX2_gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed);
+void PQCLEAN_KYBER102490S_AVX2_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
+ uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]);
-void PQCLEAN_KYBER102490S_AVX2_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]);
+void PQCLEAN_KYBER102490S_AVX2_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES],
+ const uint8_t m[KYBER_INDCPA_MSGBYTES],
+ const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
+ const uint8_t coins[KYBER_SYMBYTES]);
-void PQCLEAN_KYBER102490S_AVX2_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], const uint8_t m[KYBER_INDCPA_MSGBYTES], const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], const uint8_t coins[KYBER_SYMBYTES]);
-
-void PQCLEAN_KYBER102490S_AVX2_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES], const uint8_t c[KYBER_INDCPA_BYTES], const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]);
+void PQCLEAN_KYBER102490S_AVX2_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES],
+ const uint8_t c[KYBER_INDCPA_BYTES],
+ const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]);
 #endif
diff --git a/crypto_kem/kyber1024-90s/avx2/invntt.S b/crypto_kem/kyber1024-90s/avx2/invntt.S
index 84d19a7e..959d4987 100644
--- a/crypto_kem/kyber1024-90s/avx2/invntt.S
+++ b/crypto_kem/kyber1024-90s/avx2/invntt.S
@@ -1,4 +1,4 @@
-#include "cdecl.inc"
+#include "cdecl.h"
 .include "shuffle.inc"
 .include "fq.inc"
@@ -210,7 +210,9 @@ vmovdqa %ymm7,224(%rdi)
 ret
 .global cdecl(PQCLEAN_KYBER102490S_AVX2_invntt_avx)
+.global _cdecl(PQCLEAN_KYBER102490S_AVX2_invntt_avx)
 cdecl(PQCLEAN_KYBER102490S_AVX2_invntt_avx):
+_cdecl(PQCLEAN_KYBER102490S_AVX2_invntt_avx):
 #consts
 vmovdqa _16XQ*2(%rsi),%ymm0
 mov %rsi,%rdx
diff --git a/crypto_kem/kyber1024-90s/avx2/kem.c b/crypto_kem/kyber1024-90s/avx2/kem.c
index f2a11073..4b6ee88f 100644
--- a/crypto_kem/kyber1024-90s/avx2/kem.c
+++ b/crypto_kem/kyber1024-90s/avx2/kem.c
@@ -8,7 +8,6 @@
 #include
 #include
-
 /*************************************************
 * Name: PQCLEAN_KYBER102490S_AVX2_crypto_kem_keypair
 *
@@ -23,7 +22,7 @@
 * Returns 0 (success)
 **************************************************/
 int PQCLEAN_KYBER102490S_AVX2_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) {
- size_t i = 0;
+ size_t i;
 PQCLEAN_KYBER102490S_AVX2_indcpa_keypair(pk, sk);
 for (i = 0; i < KYBER_INDCPA_PUBLICKEYBYTES; i++) {
 sk[i + KYBER_INDCPA_SECRETKEYBYTES] = pk[i];
@@ -94,8 +93,8 @@ int PQCLEAN_KYBER102490S_AVX2_crypto_kem_enc(unsigned char *ct,
 int PQCLEAN_KYBER102490S_AVX2_crypto_kem_dec(unsigned char *ss,
 const unsigned char *ct,
 const unsigned char *sk) {
- size_t i = 0;
- int fail = 0;
+ size_t i;
+ int fail;
 ALIGN32_ARRAY(uint8_t, 2 * KYBER_SYMBYTES) buf;
 /* Will contain key, coins */
 ALIGN32_ARRAY(uint8_t, 2 * KYBER_SYMBYTES) kr;
@@ -119,7 +118,7 @@ int PQCLEAN_KYBER102490S_AVX2_crypto_kem_dec(unsigned char *ss,
 hash_h(kr.arr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES);
 /* Overwrite pre-k with z on re-encryption failure */
- PQCLEAN_KYBER102490S_AVX2_cmov(kr.arr, sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES, fail);
+ PQCLEAN_KYBER102490S_AVX2_cmov(kr.arr, sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES, (uint8_t)fail);
 /* hash concatenation of pre-k and H(c) to k */
 kdf(ss, kr.arr, 2 * KYBER_SYMBYTES);
diff --git a/crypto_kem/kyber1024-90s/avx2/kem.h b/crypto_kem/kyber1024-90s/avx2/kem.h
index 6953252c..89d200c5 100644
--- a/crypto_kem/kyber1024-90s/avx2/kem.h
+++ b/crypto_kem/kyber1024-90s/avx2/kem.h
@@ -1,17 +1,14 @@
 #ifndef PQCLEAN_KYBER102490S_AVX2_KEM_H
 #define PQCLEAN_KYBER102490S_AVX2_KEM_H
-
 #include "params.h"
 int PQCLEAN_KYBER102490S_AVX2_crypto_kem_keypair(unsigned char *pk, unsigned char *sk);
-
 int PQCLEAN_KYBER102490S_AVX2_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk);
-
 int PQCLEAN_KYBER102490S_AVX2_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk);
diff --git a/crypto_kem/kyber1024-90s/avx2/ntt.S b/crypto_kem/kyber1024-90s/avx2/ntt.S
index 5625d5ee..841aa9f4 100644
--- a/crypto_kem/kyber1024-90s/avx2/ntt.S
+++ b/crypto_kem/kyber1024-90s/avx2/ntt.S
@@ -1,4 +1,4 @@
-#include "cdecl.inc"
+#include "cdecl.h"
 .include "shuffle.inc"
 .include "fq.inc"
@@ -203,7 +203,9 @@ vmovdqa %ymm11,224(%rdi)
 ret
 .global cdecl(PQCLEAN_KYBER102490S_AVX2_ntt_avx)
+.global _cdecl(PQCLEAN_KYBER102490S_AVX2_ntt_avx)
 cdecl(PQCLEAN_KYBER102490S_AVX2_ntt_avx):
+_cdecl(PQCLEAN_KYBER102490S_AVX2_ntt_avx):
 #consts
 vmovdqa _16XQ*2(%rsi),%ymm0
 mov %rsi,%rdx
diff --git a/crypto_kem/kyber1024-90s/avx2/ntt.h b/crypto_kem/kyber1024-90s/avx2/ntt.h
index 9df5c48c..db21cece 100644
--- a/crypto_kem/kyber1024-90s/avx2/ntt.h
+++ b/crypto_kem/kyber1024-90s/avx2/ntt.h
@@ -1,28 +1,24 @@
-#ifndef NTT_H
-#define NTT_H
-
+#ifndef PQCLEAN_KYBER102490S_AVX2_NTT_H
+#define PQCLEAN_KYBER102490S_AVX2_NTT_H
 #include "consts.h"
-#include "params.h"
 #include
-
 void PQCLEAN_KYBER102490S_AVX2_ntt_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER102490S_AVX2_qdata);
-
 void PQCLEAN_KYBER102490S_AVX2_invntt_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER102490S_AVX2_qdata);
-
-void nttpack_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER102490S_AVX2_qdata);
-
+void PQCLEAN_KYBER102490S_AVX2_nttpack_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER102490S_AVX2_qdata);
 void PQCLEAN_KYBER102490S_AVX2_nttunpack_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER102490S_AVX2_qdata);
-
-void PQCLEAN_KYBER102490S_AVX2_basemul_avx(int16_t *r, const int16_t *a, const int16_t *b, const qdata_t *PQCLEAN_KYBER102490S_AVX2_qdata);
-
-void PQCLEAN_KYBER102490S_AVX2_basemul_acc_avx(int16_t *r, const int16_t *a, const int16_t *b, const qdata_t *PQCLEAN_KYBER102490S_AVX2_qdata);
-
+void PQCLEAN_KYBER102490S_AVX2_basemul_avx(int16_t *r,
+ const int16_t *a,
+ const int16_t *b,
+ const qdata_t *PQCLEAN_KYBER102490S_AVX2_qdata);
+void PQCLEAN_KYBER102490S_AVX2_basemul_acc_avx(int16_t *r,
+ const int16_t *a,
+ const int16_t *b,
+ const qdata_t *PQCLEAN_KYBER102490S_AVX2_qdata);
 void PQCLEAN_KYBER102490S_AVX2_ntttobytes_avx(uint8_t *r, const int16_t *a, const qdata_t *PQCLEAN_KYBER102490S_AVX2_qdata);
-
 void PQCLEAN_KYBER102490S_AVX2_nttfrombytes_avx(int16_t *r, const uint8_t *a, const qdata_t *PQCLEAN_KYBER102490S_AVX2_qdata);
 #endif
diff --git a/crypto_kem/kyber1024-90s/avx2/params.h b/crypto_kem/kyber1024-90s/avx2/params.h
index cbf12dca..a1ba0077 100644
--- a/crypto_kem/kyber1024-90s/avx2/params.h
+++ b/crypto_kem/kyber1024-90s/avx2/params.h
@@ -1,6 +1,9 @@
 #ifndef PQCLEAN_KYBER102490S_AVX2_PARAMS_H
 #define PQCLEAN_KYBER102490S_AVX2_PARAMS_H
+
+
+
 #define KYBER_N 256
 #define KYBER_Q 3329
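Review bot: The renamed prototype `void PQCLEAN_KYBER102490S_AVX2_nttpack_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER102490S_AVX2_qdata);` has no definition anywhere in this diff: the shuffle.S hunks add the `_cdecl` alias only for `nttunpack_avx`, `ntttobytes_avx` and `nttfrombytes_avx`, and no other .S hunk touches a `nttpack_avx` label. If the routine is not defined in shuffle.S outside the shown hunks, the declaration is dead and should be dropped rather than namespaced; if it is defined there, it is the one entry point that did not receive the underscore-prefixed alias, and any caller would fail to link on Mach-O. A short comment at the top of the declarations, e.g. `/* all functions below are implemented in ntt.S, invntt.S, basemul.S and shuffle.S */`, would make such a mismatch visible at review time.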
diff --git a/crypto_kem/kyber1024-90s/avx2/poly.c b/crypto_kem/kyber1024-90s/avx2/poly.c
index af88a7a2..a614ed25 100644
--- a/crypto_kem/kyber1024-90s/avx2/poly.c
+++ b/crypto_kem/kyber1024-90s/avx2/poly.c
@@ -19,7 +19,7 @@
 * - poly *a: pointer to input polynomial
 **************************************************/
 void PQCLEAN_KYBER102490S_AVX2_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], poly *restrict a) {
- unsigned int i = 0, j = 0;
+ unsigned int i, j;
 uint8_t t[8];
 PQCLEAN_KYBER102490S_AVX2_poly_csubq(a);
@@ -50,9 +50,9 @@ void PQCLEAN_KYBER102490S_AVX2_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES
 **************************************************/
 void PQCLEAN_KYBER102490S_AVX2_poly_decompress(poly *restrict r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]) {
- unsigned int i = 0;
+ unsigned int i;
- unsigned int j = 0;
+ unsigned int j;
 uint8_t t[8];
 for (i = 0; i < KYBER_N / 8; i++) {
 t[0] = (a[0] >> 0);
@@ -114,7 +114,7 @@ void PQCLEAN_KYBER102490S_AVX2_poly_frommsg(poly *restrict r,
 const __m256i hqs = _mm256_set1_epi16((KYBER_Q + 1) / 2);
 #define FROMMSG64(i) \
- g3 = _mm256_shuffle_epi32(f,0x55*(i)); \
+ g3 = _mm256_shuffle_epi32(f,0x55*(i)); \
 g3 = _mm256_sllv_epi32(g3,shift); \
 g3 = _mm256_shuffle_epi8(g3,idx); \
 g0 = _mm256_slli_epi16(g3,12); \
@@ -136,9 +136,9 @@ void PQCLEAN_KYBER102490S_AVX2_poly_frommsg(poly *restrict r,
 g2 = _mm256_permute2x128_si256(h0,h1,0x31); \
 g1 = _mm256_permute2x128_si256(h2,h3,0x20); \
 g3 = _mm256_permute2x128_si256(h2,h3,0x31); \
- _mm256_store_si256((__m256i *)&r->coeffs[ 0+32*(i)+ 0],g0); \
- _mm256_store_si256((__m256i *)&r->coeffs[ 0+32*(i)+16],g1); \
- _mm256_store_si256((__m256i *)&r->coeffs[128+32*(i)+ 0],g2); \
+ _mm256_store_si256((__m256i *)&r->coeffs[ 0+32*(i)+ 0],g0); \
+ _mm256_store_si256((__m256i *)&r->coeffs[ 0+32*(i)+16],g1); \
+ _mm256_store_si256((__m256i *)&r->coeffs[128+32*(i)+ 0],g2); \
 _mm256_store_si256((__m256i *)&r->coeffs[128+32*(i)+16],g3)
 f = _mm256_load_si256((__m256i *)msg);
@@ -157,8 +157,8 @@ void PQCLEAN_KYBER102490S_AVX2_poly_frommsg(poly *restrict r,
 * - poly *a: pointer to input polynomial
 **************************************************/
 void PQCLEAN_KYBER102490S_AVX2_poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], poly *restrict a) {
- unsigned int i = 0;
- uint32_t small = 0;
+ unsigned int i;
+ uint32_t small;
 __m256i f0, f1, g0, g1;
 const __m256i hqs = _mm256_set1_epi16((KYBER_Q - 1) / 2);
 const __m256i hhqs = _mm256_set1_epi16((KYBER_Q - 5) / 4);
@@ -293,7 +293,7 @@ void PQCLEAN_KYBER102490S_AVX2_poly_csubq(poly *r) {
 * - const poly *b: pointer to second input polynomial
 **************************************************/
 void PQCLEAN_KYBER102490S_AVX2_poly_add(poly *r, const poly *a, const poly *b) {
- unsigned int i = 0;
+ unsigned int i;
 __m256i f0, f1;
 for (i = 0; i < KYBER_N; i += 16) {
@@ -314,7 +314,7 @@ void PQCLEAN_KYBER102490S_AVX2_poly_add(poly *r, const poly *a, const poly *b) {
 * - const poly *b: pointer to second input polynomial
 **************************************************/
 void PQCLEAN_KYBER102490S_AVX2_poly_sub(poly *r, const poly *a, const poly *b) {
- unsigned int i = 0;
+ unsigned int i;
 __m256i f0, f1;
 for (i = 0; i < KYBER_N; i += 16) {
diff --git a/crypto_kem/kyber1024-90s/avx2/poly.h b/crypto_kem/kyber1024-90s/avx2/poly.h
index 63bf3f01..5b7a29cc 100644
--- a/crypto_kem/kyber1024-90s/avx2/poly.h
+++ b/crypto_kem/kyber1024-90s/avx2/poly.h
@@ -1,6 +1,5 @@
 #ifndef PQCLEAN_KYBER102490S_AVX2_POLY_H
 #define PQCLEAN_KYBER102490S_AVX2_POLY_H
-
 #include "params.h"
 #include
 #include
@@ -14,43 +13,27 @@ typedef union {
 int16_t coeffs[KYBER_N];
 } poly;
-
 void PQCLEAN_KYBER102490S_AVX2_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], poly *a);
-
 void PQCLEAN_KYBER102490S_AVX2_poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]);
-
 void PQCLEAN_KYBER102490S_AVX2_poly_tobytes(uint8_t r[KYBER_POLYBYTES], poly *a);
-
 void PQCLEAN_KYBER102490S_AVX2_poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]);
-
 void PQCLEAN_KYBER102490S_AVX2_poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]);
-
 void PQCLEAN_KYBER102490S_AVX2_poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], poly *a);
-
 void PQCLEAN_KYBER102490S_AVX2_poly_getnoise(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce);
-
 void PQCLEAN_KYBER102490S_AVX2_poly_ntt(poly *r);
-
 void PQCLEAN_KYBER102490S_AVX2_poly_invntt_tomont(poly *r);
-
 void PQCLEAN_KYBER102490S_AVX2_poly_nttunpack(poly *r);
-
 void PQCLEAN_KYBER102490S_AVX2_poly_basemul_montgomery(poly *r, const poly *a, const poly *b);
-
 void PQCLEAN_KYBER102490S_AVX2_poly_tomont(poly *r);
-
 void PQCLEAN_KYBER102490S_AVX2_poly_reduce(poly *r);
-
 void PQCLEAN_KYBER102490S_AVX2_poly_csubq(poly *r);
-
 void PQCLEAN_KYBER102490S_AVX2_poly_add(poly *r, const poly *a, const poly *b);
-
 void PQCLEAN_KYBER102490S_AVX2_poly_sub(poly *r, const poly *a, const poly *b);
 #endif
diff --git a/crypto_kem/kyber1024-90s/avx2/polyvec.c b/crypto_kem/kyber1024-90s/avx2/polyvec.c
index c51c6f78..960e320d 100644
--- a/crypto_kem/kyber1024-90s/avx2/polyvec.c
+++ b/crypto_kem/kyber1024-90s/avx2/polyvec.c
@@ -1,6 +1,6 @@
-#include "params.h"
 #include "consts.h"
 #include "ntt.h"
+#include "params.h"
 #include "poly.h"
 #include "polyvec.h"
 #include
@@ -16,7 +16,7 @@
 **************************************************/
 void PQCLEAN_KYBER102490S_AVX2_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], polyvec *restrict a) {
- unsigned int i = 0, j = 0, k = 0;
+ size_t i, j, k;
 PQCLEAN_KYBER102490S_AVX2_polyvec_csubq(a);
@@ -24,10 +24,8 @@ void PQCLEAN_KYBER102490S_AVX2_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSE
 for (i = 0; i < KYBER_K; i++) {
 for (j = 0; j < KYBER_N / 8; j++) {
 for (k = 0; k < 8; k++) {
- {
- t[k] = ((((uint32_t)a->vec[i].coeffs[8 * j + k] << 11) + KYBER_Q / 2)
- / KYBER_Q) & 0x7ff;
- }
+ t[k] = ((((uint32_t)a->vec[i].coeffs[8 * j + k] << 11) + KYBER_Q / 2)
+ / KYBER_Q) & 0x7ff;
 }
 r[ 0] = (t[0] >> 0);
@@ -58,7 +56,7 @@ void PQCLEAN_KYBER102490S_AVX2_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSE
 **************************************************/
 void PQCLEAN_KYBER102490S_AVX2_polyvec_decompress(polyvec *restrict r,
 const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]) {
- unsigned int i = 0, j = 0, k = 0;
+ size_t i, j, k;
 uint16_t t[8];
 for (i = 0; i < KYBER_K; i++) {
@@ -90,7 +88,7 @@ void PQCLEAN_KYBER102490S_AVX2_polyvec_decompress(polyvec *restrict r,
 * - polyvec *a: pointer to input vector of polynomials
 **************************************************/
 void PQCLEAN_KYBER102490S_AVX2_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], polyvec *a) {
- unsigned int i = 0;
+ size_t i;
 for (i = 0; i < KYBER_K; i++) {
 PQCLEAN_KYBER102490S_AVX2_poly_tobytes(r + i * KYBER_POLYBYTES, &a->vec[i]);
 }
@@ -107,7 +105,7 @@ void PQCLEAN_KYBER102490S_AVX2_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], po
 * (of length KYBER_POLYVECBYTES)
 **************************************************/
 void PQCLEAN_KYBER102490S_AVX2_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]) {
- unsigned int i = 0;
+ size_t i;
 for (i = 0; i < KYBER_K; i++) {
 PQCLEAN_KYBER102490S_AVX2_poly_frombytes(&r->vec[i], a + i * KYBER_POLYBYTES);
 }
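Review bot: The retained statement `t[k] = ((((uint32_t)a->vec[i].coeffs[8 * j + k] << 11) + KYBER_Q / 2) / KYBER_Q) & 0x7ff;` still divides a coefficient by `KYBER_Q`; a compiler usually lowers division by a constant to a multiply-and-shift, but nothing guarantees it, and where a real `div` instruction is emitted its latency depends on the dividend. polyvec_compress is also run during decapsulation's re-encryption on values derived from the decrypted message (the call sites are outside this diff, so treat that as to be confirmed), in which case an operand-dependent division here is a timing side channel on secret data. The established fix for this construction replaces `/ KYBER_Q` with a multiply by a precomputed reciprocal followed by a shift, checked exhaustively against the division for every dividend the expression can produce; the commit only removes the redundant braces around the statement and leaves the division in place. Worth checking whether `poly_compress` in poly.c, touched by the same commit but with its body outside the shown hunk, uses the same division.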
@@ -121,7 +119,7 @@ void PQCLEAN_KYBER102490S_AVX2_polyvec_frombytes(polyvec *r, const uint8_t a[KYB
 * Arguments: - polyvec *r: pointer to in/output vector of polynomials
 **************************************************/
 void PQCLEAN_KYBER102490S_AVX2_polyvec_ntt(polyvec *r) {
- unsigned int i = 0;
+ size_t i;
 for (i = 0; i < KYBER_K; i++) {
 PQCLEAN_KYBER102490S_AVX2_poly_ntt(&r->vec[i]);
 }
@@ -136,7 +134,7 @@ void PQCLEAN_KYBER102490S_AVX2_polyvec_ntt(polyvec *r) {
 * Arguments: - polyvec *r: pointer to in/output vector of polynomials
 **************************************************/
 void PQCLEAN_KYBER102490S_AVX2_polyvec_invntt_tomont(polyvec *r) {
- unsigned int i = 0;
+ size_t i;
 for (i = 0; i < KYBER_K; i++) {
 PQCLEAN_KYBER102490S_AVX2_poly_invntt_tomont(&r->vec[i]);
 }
@@ -155,7 +153,7 @@ void PQCLEAN_KYBER102490S_AVX2_polyvec_invntt_tomont(polyvec *r) {
 void PQCLEAN_KYBER102490S_AVX2_polyvec_pointwise_acc_montgomery(poly *r,
 const polyvec *a,
 const polyvec *b) {
- PQCLEAN_KYBER102490S_AVX2_basemul_acc_avx(r->coeffs, a->vec->coeffs, b->vec->coeffs, &PQCLEAN_KYBER102490S_AVX2_qdata);
+ PQCLEAN_KYBER102490S_AVX2_basemul_acc_avx(r->coeffs, a->vec->coeffs, b->vec->coeffs, & PQCLEAN_KYBER102490S_AVX2_qdata);
 }
 /*************************************************
@@ -168,7 +166,7 @@ void PQCLEAN_KYBER102490S_AVX2_polyvec_pointwise_acc_montgomery(poly *r,
 * Arguments: - poly *r: pointer to input/output polynomial
 **************************************************/
 void PQCLEAN_KYBER102490S_AVX2_polyvec_reduce(polyvec *r) {
- unsigned int i = 0;
+ size_t i;
 for (i = 0; i < KYBER_K; i++) {
 PQCLEAN_KYBER102490S_AVX2_poly_reduce(&r->vec[i]);
 }
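Review bot: The rewritten call in `polyvec_pointwise_acc_montgomery` puts a space between the address-of operator and its operand, `& PQCLEAN_KYBER102490S_AVX2_qdata`, which reads as a binary AND at a glance and is inconsistent with `&r->vec[i]` and `&a->vec[i]` in the neighbouring functions of this file; it looks like a formatter artefact on a line it could not parse rather than an intended change. Restore `&PQCLEAN_KYBER102490S_AVX2_qdata`, or if the formatter insists, hoist `const qdata_t *qd = &PQCLEAN_KYBER102490S_AVX2_qdata;` onto its own line and pass `qd`. Separately, this file switches its loop counters to `size_t` while poly.c in the same commit keeps `unsigned int i`; one convention for the two files would be preferable.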
@@ -185,7 +183,7 @@ void PQCLEAN_KYBER102490S_AVX2_polyvec_reduce(polyvec *r) {
 * Arguments: - poly *r: pointer to input/output polynomial
 **************************************************/
 void PQCLEAN_KYBER102490S_AVX2_polyvec_csubq(polyvec *r) {
- unsigned int i = 0;
+ size_t i;
 for (i = 0; i < KYBER_K; i++) {
 PQCLEAN_KYBER102490S_AVX2_poly_csubq(&r->vec[i]);
 }
@@ -201,7 +199,7 @@ void PQCLEAN_KYBER102490S_AVX2_polyvec_csubq(polyvec *r) {
 * - const polyvec *b: pointer to second input vector of polynomials
 **************************************************/
 void PQCLEAN_KYBER102490S_AVX2_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b) {
- unsigned int i = 0;
+ size_t i;
 for (i = 0; i < KYBER_K; i++) {
 PQCLEAN_KYBER102490S_AVX2_poly_add(&r->vec[i], &a->vec[i], &b->vec[i]);
 }
diff --git a/crypto_kem/kyber1024-90s/avx2/polyvec.h b/crypto_kem/kyber1024-90s/avx2/polyvec.h
index 511cd5d3..e8bcb731 100644
--- a/crypto_kem/kyber1024-90s/avx2/polyvec.h
+++ b/crypto_kem/kyber1024-90s/avx2/polyvec.h
@@ -1,6 +1,5 @@
 #ifndef PQCLEAN_KYBER102490S_AVX2_POLYVEC_H
 #define PQCLEAN_KYBER102490S_AVX2_POLYVEC_H
-
 #include "params.h"
 #include "poly.h"
 #include
@@ -9,33 +8,23 @@ typedef struct {
 poly vec[KYBER_K];
 } polyvec;
-
 void PQCLEAN_KYBER102490S_AVX2_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], polyvec *a);
-
 void PQCLEAN_KYBER102490S_AVX2_polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]);
-
 void PQCLEAN_KYBER102490S_AVX2_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], polyvec *a);
-
 void PQCLEAN_KYBER102490S_AVX2_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]);
-
 void PQCLEAN_KYBER102490S_AVX2_polyvec_ntt(polyvec *r);
-
 void PQCLEAN_KYBER102490S_AVX2_polyvec_invntt_tomont(polyvec *r);
-
 void PQCLEAN_KYBER102490S_AVX2_polyvec_pointwise_acc_montgomery(poly *r, const polyvec *a, const polyvec *b);
-
 void PQCLEAN_KYBER102490S_AVX2_polyvec_reduce(polyvec *r);
-
 void PQCLEAN_KYBER102490S_AVX2_polyvec_csubq(polyvec *r);
-
 void PQCLEAN_KYBER102490S_AVX2_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b);
 #endif
diff --git a/crypto_kem/kyber1024-90s/avx2/reduce.h b/crypto_kem/kyber1024-90s/avx2/reduce.h
index 8c7b116b..8ac905e7 100644
--- a/crypto_kem/kyber1024-90s/avx2/reduce.h
+++ b/crypto_kem/kyber1024-90s/avx2/reduce.h
@@ -1,16 +1,10 @@
-#ifndef REDUCE_H
-#define REDUCE_H
-
+#ifndef PQCLEAN_KYBER102490S_AVX2_REDUCE_H
+#define PQCLEAN_KYBER102490S_AVX2_REDUCE_H
+#include "consts.h"
 #include
-#include "consts.h"
-#include "params.h"
-
-
 int16_t PQCLEAN_KYBER102490S_AVX2_reduce_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER102490S_AVX2_qdata);
-
 int16_t PQCLEAN_KYBER102490S_AVX2_csubq_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER102490S_AVX2_qdata);
-
 int16_t PQCLEAN_KYBER102490S_AVX2_tomont_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER102490S_AVX2_qdata);
 #endif
diff --git a/crypto_kem/kyber1024-90s/avx2/rejsample.c b/crypto_kem/kyber1024-90s/avx2/rejsample.c
index a75068f1..a8a8fbd5 100644
--- a/crypto_kem/kyber1024-90s/avx2/rejsample.c
+++ b/crypto_kem/kyber1024-90s/avx2/rejsample.c
@@ -2,6 +2,7 @@
 #include "consts.h"
 #include "params.h"
 #include "rejsample.h"
+#include
 #include
 static const ALIGN32_ARRAY_2D(uint8_t, 256, 8) idx = {.arr = {
@@ -270,9 +271,9 @@ static const ALIGN32_ARRAY_2D(uint8_t, 256, 8) idx = {.arr = {
 #define REJ_UNIFORM_BUFLEN 576
 unsigned int PQCLEAN_KYBER102490S_AVX2_rej_uniform_avx(int16_t *restrict r,
 const uint8_t *restrict buf) {
- unsigned int ctr = 0, pos = 0;
- uint16_t val = 0;
- uint32_t good = 0;
+ unsigned int ctr, pos;
+ uint16_t val;
+ uint32_t good;
 const __m256i bound = _mm256_set1_epi16((int16_t)(19 * KYBER_Q - 1));
 const __m256i ones = _mm256_set1_epi8(1);
 const __m256i kyberq = _mm256_load_si256((__m256i *)&PQCLEAN_KYBER102490S_AVX2_qdata.as_arr[_16XQ]);
@@ -297,7 +298,7 @@ unsigned int PQCLEAN_KYBER102490S_AVX2_rej_uniform_avx(int16_t *restrict r,
 g1 = _mm256_inserti128_si256(g1, _mm_loadl_epi64((__m128i *)&idx.arr[(good >> 24) & 0xFF]), 1);
 //g0 = _mm256_cvtepu8_epi64(_mm_loadl_epi64((__m128i *)&good));
- //g1 = _mm256_i64gather_epi64((long long *)idx, g0, 8);
+ //g1 = _mm256_i64gather_epi64((long long *)idx.arr, g0, 8);
 /* Barrett reduction of (still unsigned) values */
 g2 = _mm256_mulhi_epu16(f0, v);
diff --git a/crypto_kem/kyber1024-90s/avx2/rejsample.h b/crypto_kem/kyber1024-90s/avx2/rejsample.h
index 03f04912..bbf8f8a7 100644
--- a/crypto_kem/kyber1024-90s/avx2/rejsample.h
+++ b/crypto_kem/kyber1024-90s/avx2/rejsample.h
@@ -1,10 +1,8 @@
-#ifndef REJSAMPLE_H
-#define REJSAMPLE_H
-
+#ifndef PQCLEAN_KYBER102490S_AVX2_REJSAMPLE_H
+#define PQCLEAN_KYBER102490S_AVX2_REJSAMPLE_H
 #include "params.h"
 #include
-
 unsigned int PQCLEAN_KYBER102490S_AVX2_rej_uniform_avx(int16_t *r, const unsigned char *buf);
diff --git a/crypto_kem/kyber1024-90s/avx2/shuffle.S b/crypto_kem/kyber1024-90s/avx2/shuffle.S
index e60befbe..d994de45 100644
--- a/crypto_kem/kyber1024-90s/avx2/shuffle.S
+++ b/crypto_kem/kyber1024-90s/avx2/shuffle.S
@@ -1,4 +1,4 @@ -#include "cdecl.inc" +#include "cdecl.h" .include "fq.inc" .include "shuffle.inc" @@ -92,7 +92,9 @@ vmovdqa %ymm11,224(%rdi) ret .global cdecl(PQCLEAN_KYBER102490S_AVX2_nttunpack_avx) +.global _cdecl(PQCLEAN_KYBER102490S_AVX2_nttunpack_avx) cdecl(PQCLEAN_KYBER102490S_AVX2_nttunpack_avx): +_cdecl(PQCLEAN_KYBER102490S_AVX2_nttunpack_avx): call nttunpack128_avx add $256,%rdi call nttunpack128_avx @@ -169,7 +171,9 @@ vmovdqu %ymm9,160(%rdi) ret .global cdecl(PQCLEAN_KYBER102490S_AVX2_ntttobytes_avx) +.global _cdecl(PQCLEAN_KYBER102490S_AVX2_ntttobytes_avx) cdecl(PQCLEAN_KYBER102490S_AVX2_ntttobytes_avx): +_cdecl(PQCLEAN_KYBER102490S_AVX2_ntttobytes_avx): #consts vmovdqa _16XQ*2(%rdx),%ymm0 call ntttobytes128_avx @@ -245,7 +249,9 @@ vmovdqa %ymm1,224(%rdi) ret .global cdecl(PQCLEAN_KYBER102490S_AVX2_nttfrombytes_avx) +.global _cdecl(PQCLEAN_KYBER102490S_AVX2_nttfrombytes_avx) cdecl(PQCLEAN_KYBER102490S_AVX2_nttfrombytes_avx): +_cdecl(PQCLEAN_KYBER102490S_AVX2_nttfrombytes_avx): #consts vmovdqa _16XMASK*2(%rdx),%ymm0 call nttfrombytes128_avx diff --git a/crypto_kem/kyber1024-90s/avx2/symmetric.h b/crypto_kem/kyber1024-90s/avx2/symmetric.h index 47579fd8..00a7d655 100644 --- a/crypto_kem/kyber1024-90s/avx2/symmetric.h +++ b/crypto_kem/kyber1024-90s/avx2/symmetric.h @@ -1,13 +1,12 @@ -#ifndef SYMMETRIC_H -#define SYMMETRIC_H - +#ifndef PQCLEAN_KYBER102490S_AVX2_SYMMETRIC_H +#define PQCLEAN_KYBER102490S_AVX2_SYMMETRIC_H +#include "aes256ctr.h" #include "params.h" +#include "sha2.h" #include #include -#include "aes256ctr.h" -#include "sha2.h" typedef aes256ctr_ctx xof_state; diff --git a/crypto_kem/kyber1024-90s/avx2/verify.c b/crypto_kem/kyber1024-90s/avx2/verify.c index 0390d14d..9d4f4feb 100644 --- a/crypto_kem/kyber1024-90s/avx2/verify.c +++ b/crypto_kem/kyber1024-90s/avx2/verify.c 
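Review bot: Each entry point in `shuffle.S` now carries two global labels, `cdecl(...)` and `_cdecl(...)`, with no comment explaining the duplication; both macros come from the newly included `cdecl.h`, and the second presumably provides the leading-underscore symbol that the Darwin/Mach-O toolchain expects (this commit's META.yml lists Darwin as supported), but a reader of the assembly alone cannot tell. Add a one-line comment above the first pair, e.g. `# each routine is exported twice: cdecl() for ELF, _cdecl() for Mach-O's '_'-prefixed symbols — see cdecl.h`, or better, fold the pair into a single macro in `cdecl.h` so the three routines touched here (and any others in the file outside these hunks) cannot drift out of sync.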
@@ -15,8 +15,8 @@ * Returns 0 if the byte arrays are equal, 1 otherwise **************************************************/ int PQCLEAN_KYBER102490S_AVX2_verify(const uint8_t *a, const uint8_t *b, size_t len) { - size_t pos = 0; - uint64_t r = 0; + size_t pos; + uint64_t r; __m256i avec, bvec, cvec; cvec = _mm256_setzero_si256(); @@ -53,7 +53,7 @@ int PQCLEAN_KYBER102490S_AVX2_verify(const uint8_t *a, const uint8_t *b, size_t * unsigned char b: Condition bit; has to be in {0,1} **************************************************/ void PQCLEAN_KYBER102490S_AVX2_cmov(uint8_t *restrict r, const uint8_t *restrict x, size_t len, uint8_t b) { - size_t pos = 0; + size_t pos; __m256i xvec, rvec, bvec; b = -b; diff --git a/crypto_kem/kyber1024-90s/avx2/verify.h b/crypto_kem/kyber1024-90s/avx2/verify.h index ff8dfe4d..70720cbc 100644 --- a/crypto_kem/kyber1024-90s/avx2/verify.h +++ b/crypto_kem/kyber1024-90s/avx2/verify.h @@ -1,14 +1,11 @@ #ifndef PQCLEAN_KYBER102490S_AVX2_VERIFY_H #define PQCLEAN_KYBER102490S_AVX2_VERIFY_H - #include "params.h" #include #include - int PQCLEAN_KYBER102490S_AVX2_verify(const uint8_t *a, const uint8_t *b, size_t len); - void PQCLEAN_KYBER102490S_AVX2_cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b); #endif diff --git a/crypto_kem/kyber1024-90s/clean/Makefile b/crypto_kem/kyber1024-90s/clean/Makefile index 21c159e1..2574c694 100644 --- a/crypto_kem/kyber1024-90s/clean/Makefile +++ b/crypto_kem/kyber1024-90s/clean/Makefile 
@@ -1,29 +1,8 @@ # This Makefile can be used with GNU Make or BSD Make LIB=libkyber1024-90s_clean.a -HEADERS= \ - api.h \ - cbd.h \ - indcpa.h \ - kem.h \ - ntt.h \ - params.h \ - poly.h \ - polyvec.h \ - reduce.h \ - symmetric-aes.h \ - symmetric.h \ - verify.h -OBJECTS= \ - cbd.o \ - indcpa.o \ - kem.o \ - ntt.o \ - poly.o \ - polyvec.o \ - reduce.o \ - verify.o \ - symmetric-aes.o +HEADERS=api.h cbd.h indcpa.h kem.h ntt.h params.h poly.h polyvec.h reduce.h symmetric-aes.h symmetric.h verify.h +OBJECTS=cbd.o indcpa.o kem.o ntt.o poly.o polyvec.o reduce.o symmetric-aes.o verify.o CFLAGS=-O3 -Wall -Wextra -Wpedantic -Werror -Wmissing-prototypes -Wredundant-decls -std=c99 -I../../../common $(EXTRAFLAGS) diff --git a/crypto_kem/kyber1024-90s/clean/Makefile.Microsoft_nmake b/crypto_kem/kyber1024-90s/clean/Makefile.Microsoft_nmake index 15cfe253..24fc3849 100644 --- a/crypto_kem/kyber1024-90s/clean/Makefile.Microsoft_nmake +++ b/crypto_kem/kyber1024-90s/clean/Makefile.Microsoft_nmake @@ -2,7 +2,7 @@ # nmake /f Makefile.Microsoft_nmake LIBRARY=libkyber1024-90s_clean.lib -OBJECTS=cbd.obj indcpa.obj kem.obj ntt.obj poly.obj polyvec.obj reduce.obj verify.obj symmetric-aes.obj +OBJECTS=cbd.obj indcpa.obj kem.obj ntt.obj poly.obj polyvec.obj reduce.obj symmetric-aes.obj verify.obj # Warning C4146 is raised when a unary minus operator is applied to an # unsigned type; this has nonetheless been standard and portable for as diff --git a/crypto_kem/kyber1024-90s/clean/api.h b/crypto_kem/kyber1024-90s/clean/api.h index 69d338fc..99545db9 100644 --- a/crypto_kem/kyber1024-90s/clean/api.h +++ b/crypto_kem/kyber1024-90s/clean/api.h @@ -15,5 +15,4 @@ int PQCLEAN_KYBER102490S_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const ui int PQCLEAN_KYBER102490S_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - #endif diff --git a/crypto_kem/kyber1024-90s/clean/cbd.c b/crypto_kem/kyber1024-90s/clean/cbd.c index 92fb85a6..dde70cd7 100644 
--- a/crypto_kem/kyber1024-90s/clean/cbd.c +++ b/crypto_kem/kyber1024-90s/clean/cbd.c @@ -1,5 +1,5 @@ -#include "params.h" #include "cbd.h" +#include "params.h" #include /************************************************* @@ -13,7 +13,7 @@ * Returns 32-bit unsigned integer loaded from x **************************************************/ static uint32_t load32_littleendian(const uint8_t x[4]) { - uint32_t r = 0; + uint32_t r; r = (uint32_t)x[0]; r |= (uint32_t)x[1] << 8; r |= (uint32_t)x[2] << 16; @@ -32,9 +32,9 @@ static uint32_t load32_littleendian(const uint8_t x[4]) { * - const uint8_t *buf: pointer to input byte array **************************************************/ void PQCLEAN_KYBER102490S_CLEAN_cbd(poly *r, const uint8_t buf[KYBER_ETA * KYBER_N / 4]) { - unsigned int i = 0, j = 0; - uint32_t t = 0, d = 0; - int16_t a = 0, b = 0; + unsigned int i, j; + uint32_t t, d; + int16_t a, b; for (i = 0; i < KYBER_N / 8; i++) { t = load32_littleendian(buf + 4 * i); diff --git a/crypto_kem/kyber1024-90s/clean/cbd.h b/crypto_kem/kyber1024-90s/clean/cbd.h index 7e9c635e..12f16252 100644 --- a/crypto_kem/kyber1024-90s/clean/cbd.h +++ b/crypto_kem/kyber1024-90s/clean/cbd.h @@ -1,11 +1,9 @@ #ifndef PQCLEAN_KYBER102490S_CLEAN_CBD_H #define PQCLEAN_KYBER102490S_CLEAN_CBD_H - #include "params.h" #include "poly.h" #include - void PQCLEAN_KYBER102490S_CLEAN_cbd(poly *r, const uint8_t buf[KYBER_ETA * KYBER_N / 4]); #endif diff --git a/crypto_kem/kyber1024-90s/clean/indcpa.c b/crypto_kem/kyber1024-90s/clean/indcpa.c index 49821e55..abc10b3c 100644 --- a/crypto_kem/kyber1024-90s/clean/indcpa.c +++ b/crypto_kem/kyber1024-90s/clean/indcpa.c @@ -22,7 +22,7 @@ static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES], polyvec *pk, const uint8_t seed[KYBER_SYMBYTES]) { - size_t i = 0; + size_t i; PQCLEAN_KYBER102490S_CLEAN_polyvec_tobytes(r, pk); for (i = 0; i < KYBER_SYMBYTES; i++) { r[i + KYBER_POLYVECBYTES] = seed[i]; 
@@ -44,7 +44,7 @@ static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES], static void unpack_pk(polyvec *pk, uint8_t seed[KYBER_SYMBYTES], const uint8_t packedpk[KYBER_INDCPA_PUBLICKEYBYTES]) { - size_t i = 0; + size_t i; PQCLEAN_KYBER102490S_CLEAN_polyvec_frombytes(pk, packedpk); for (i = 0; i < KYBER_SYMBYTES; i++) { seed[i] = packedpk[i + KYBER_POLYVECBYTES]; @@ -132,8 +132,8 @@ static unsigned int rej_uniform(int16_t *r, unsigned int len, const uint8_t *buf, unsigned int buflen) { - unsigned int ctr = 0, pos = 0; - uint16_t val = 0; + unsigned int ctr, pos; + uint16_t val; ctr = pos = 0; while (ctr < len && pos + 2 <= buflen) { @@ -169,8 +169,7 @@ static unsigned int rej_uniform(int16_t *r, + XOF_BLOCKBYTES)/XOF_BLOCKBYTES) // Not static for benchmarking void PQCLEAN_KYBER102490S_CLEAN_gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed) { - unsigned int ctr = 0; - uint8_t i = 0, j = 0; + unsigned int ctr, i, j; uint8_t buf[GEN_MATRIX_NBLOCKS * XOF_BLOCKBYTES]; xof_state state; @@ -208,7 +207,7 @@ void PQCLEAN_KYBER102490S_CLEAN_gen_matrix(polyvec *a, const uint8_t seed[KYBER_ **************************************************/ void PQCLEAN_KYBER102490S_CLEAN_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]) { - unsigned int i = 0; + unsigned int i; uint8_t buf[2 * KYBER_SYMBYTES]; const uint8_t *publicseed = buf; const uint8_t *noiseseed = buf + KYBER_SYMBYTES; @@ -264,7 +263,7 @@ void PQCLEAN_KYBER102490S_CLEAN_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], const uint8_t m[KYBER_INDCPA_MSGBYTES], const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], const uint8_t coins[KYBER_SYMBYTES]) { - unsigned int i = 0; + unsigned int i; uint8_t seed[KYBER_SYMBYTES]; uint8_t nonce = 0; polyvec sp, pkpv, ep, at[KYBER_K], bp; diff --git a/crypto_kem/kyber1024-90s/clean/indcpa.h b/crypto_kem/kyber1024-90s/clean/indcpa.h index b8d62e3b..1ecd5131 100644 --- a/crypto_kem/kyber1024-90s/clean/indcpa.h 
+++ b/crypto_kem/kyber1024-90s/clean/indcpa.h @@ -1,16 +1,20 @@ #ifndef PQCLEAN_KYBER102490S_CLEAN_INDCPA_H #define PQCLEAN_KYBER102490S_CLEAN_INDCPA_H - #include "params.h" #include "polyvec.h" #include void PQCLEAN_KYBER102490S_CLEAN_gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed); +void PQCLEAN_KYBER102490S_CLEAN_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], + uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); -void PQCLEAN_KYBER102490S_CLEAN_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); +void PQCLEAN_KYBER102490S_CLEAN_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], + const uint8_t m[KYBER_INDCPA_MSGBYTES], + const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], + const uint8_t coins[KYBER_SYMBYTES]); -void PQCLEAN_KYBER102490S_CLEAN_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], const uint8_t m[KYBER_INDCPA_MSGBYTES], const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], const uint8_t coins[KYBER_SYMBYTES]); - -void PQCLEAN_KYBER102490S_CLEAN_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES], const uint8_t c[KYBER_INDCPA_BYTES], const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); +void PQCLEAN_KYBER102490S_CLEAN_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES], + const uint8_t c[KYBER_INDCPA_BYTES], + const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); #endif diff --git a/crypto_kem/kyber1024-90s/clean/kem.c b/crypto_kem/kyber1024-90s/clean/kem.c index 6ea89031..24b221f2 100644 --- a/crypto_kem/kyber1024-90s/clean/kem.c +++ b/crypto_kem/kyber1024-90s/clean/kem.c @@ -21,7 +21,7 @@ * Returns 0 (success) **************************************************/ int PQCLEAN_KYBER102490S_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) { - size_t i = 0; + size_t i; PQCLEAN_KYBER102490S_CLEAN_indcpa_keypair(pk, sk); for (i = 0; i < KYBER_INDCPA_PUBLICKEYBYTES; i++) { sk[i + KYBER_INDCPA_SECRETKEYBYTES] = pk[i]; 
@@ -92,8 +92,8 @@ int PQCLEAN_KYBER102490S_CLEAN_crypto_kem_enc(unsigned char *ct, int PQCLEAN_KYBER102490S_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) { - size_t i = 0; - int fail = 0; + size_t i; + int fail; uint8_t buf[2 * KYBER_SYMBYTES]; /* Will contain key, coins */ uint8_t kr[2 * KYBER_SYMBYTES]; diff --git a/crypto_kem/kyber1024-90s/clean/kem.h b/crypto_kem/kyber1024-90s/clean/kem.h index 84951187..6e554661 100644 --- a/crypto_kem/kyber1024-90s/clean/kem.h +++ b/crypto_kem/kyber1024-90s/clean/kem.h @@ -1,17 +1,14 @@ #ifndef PQCLEAN_KYBER102490S_CLEAN_KEM_H #define PQCLEAN_KYBER102490S_CLEAN_KEM_H - #include "params.h" int PQCLEAN_KYBER102490S_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk); - int PQCLEAN_KYBER102490S_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk); - int PQCLEAN_KYBER102490S_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk); diff --git a/crypto_kem/kyber1024-90s/clean/ntt.c b/crypto_kem/kyber1024-90s/clean/ntt.c index 8537f819..9cbd5523 100644 --- a/crypto_kem/kyber1024-90s/clean/ntt.c +++ b/crypto_kem/kyber1024-90s/clean/ntt.c @@ -1,5 +1,5 @@ -#include "params.h" #include "ntt.h" +#include "params.h" #include "reduce.h" #include @@ -89,8 +89,8 @@ static int16_t fqmul(int16_t a, int16_t b) { * of Zq **************************************************/ void PQCLEAN_KYBER102490S_CLEAN_ntt(int16_t r[256]) { - unsigned int len = 0, start = 0, j = 0, k = 0; - int16_t t = 0, zeta = 0; + unsigned int len, start, j, k; + int16_t t, zeta; k = 1; for (len = 128; len >= 2; len >>= 1) { 
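Review bot: `buf` and `kr` declared in this hunk hold the recovered message/coins and the derived key material (the comment on `buf` says as much), and nothing visible wipes them; the body of `crypto_kem_dec` continues outside the hunk, so I cannot confirm whether they are cleared before return. If they are not, consider zeroizing both with a non-elidable memset before returning (a plain `memset` immediately before `return` can be optimized away), or document the choice explicitly if leaving stack copies of secret intermediates is deliberate, e.g. `/* secret intermediates in buf/kr are not wiped here; callers needing that must zeroize the stack themselves */`. The initializer removals (`size_t i; int fail;`) are harmless provided `fail` is written by the verify call before it is read, which this hunk does not show.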
@@ -116,8 +116,8 @@ void PQCLEAN_KYBER102490S_CLEAN_ntt(int16_t r[256]) { * of Zq **************************************************/ void PQCLEAN_KYBER102490S_CLEAN_invntt(int16_t r[256]) { - unsigned int start = 0, len = 0, j = 0, k = 0; - int16_t t = 0, zeta = 0; + unsigned int start, len, j, k; + int16_t t, zeta; k = 0; for (len = 2; len <= 128; len <<= 1) { @@ -148,7 +148,10 @@ void PQCLEAN_KYBER102490S_CLEAN_invntt(int16_t r[256]) { * - const int16_t b[2]: pointer to the second factor * - int16_t zeta: integer defining the reduction polynomial **************************************************/ -void PQCLEAN_KYBER102490S_CLEAN_basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], int16_t zeta) { +void PQCLEAN_KYBER102490S_CLEAN_basemul(int16_t r[2], + const int16_t a[2], + const int16_t b[2], + int16_t zeta) { r[0] = fqmul(a[1], b[1]); r[0] = fqmul(r[0], zeta); r[0] += fqmul(a[0], b[0]); diff --git a/crypto_kem/kyber1024-90s/clean/ntt.h b/crypto_kem/kyber1024-90s/clean/ntt.h index a64fd0a7..c9b8eb31 100644 --- a/crypto_kem/kyber1024-90s/clean/ntt.h +++ b/crypto_kem/kyber1024-90s/clean/ntt.h @@ -1,22 +1,19 @@ #ifndef PQCLEAN_KYBER102490S_CLEAN_NTT_H #define PQCLEAN_KYBER102490S_CLEAN_NTT_H - #include "params.h" #include - extern const int16_t PQCLEAN_KYBER102490S_CLEAN_zetas[128]; - extern const int16_t PQCLEAN_KYBER102490S_CLEAN_zetas_inv[128]; - void PQCLEAN_KYBER102490S_CLEAN_ntt(int16_t r[256]); - void PQCLEAN_KYBER102490S_CLEAN_invntt(int16_t r[256]); - -void PQCLEAN_KYBER102490S_CLEAN_basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], int16_t zeta); +void PQCLEAN_KYBER102490S_CLEAN_basemul(int16_t r[2], + const int16_t a[2], + const int16_t b[2], + int16_t zeta); #endif diff --git a/crypto_kem/kyber1024-90s/clean/params.h b/crypto_kem/kyber1024-90s/clean/params.h index 97aa969f..e12e9666 100644 --- a/crypto_kem/kyber1024-90s/clean/params.h +++ b/crypto_kem/kyber1024-90s/clean/params.h 
@@ -1,6 +1,9 @@ #ifndef PQCLEAN_KYBER102490S_CLEAN_PARAMS_H #define PQCLEAN_KYBER102490S_CLEAN_PARAMS_H + + + #define KYBER_N 256 #define KYBER_Q 3329 diff --git a/crypto_kem/kyber1024-90s/clean/poly.c b/crypto_kem/kyber1024-90s/clean/poly.c index abecfc70..0f1eb852 100644 --- a/crypto_kem/kyber1024-90s/clean/poly.c +++ b/crypto_kem/kyber1024-90s/clean/poly.c @@ -1,6 +1,6 @@ -#include "params.h" #include "cbd.h" #include "ntt.h" +#include "params.h" #include "poly.h" #include "reduce.h" #include "symmetric.h" @@ -16,7 +16,7 @@ * - poly *a: pointer to input polynomial **************************************************/ void PQCLEAN_KYBER102490S_CLEAN_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], poly *a) { - unsigned int i = 0, j = 0; + size_t i, j; uint8_t t[8]; PQCLEAN_KYBER102490S_CLEAN_poly_csubq(a); @@ -46,9 +46,9 @@ void PQCLEAN_KYBER102490S_CLEAN_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTE * (of length KYBER_POLYCOMPRESSEDBYTES bytes) **************************************************/ void PQCLEAN_KYBER102490S_CLEAN_poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]) { - unsigned int i = 0; + size_t i; - unsigned int j = 0; + size_t j; uint8_t t[8]; for (i = 0; i < KYBER_N / 8; i++) { t[0] = (a[0] >> 0); @@ -77,8 +77,8 @@ void PQCLEAN_KYBER102490S_CLEAN_poly_decompress(poly *r, const uint8_t a[KYBER_P * - poly *a: pointer to input polynomial **************************************************/ void PQCLEAN_KYBER102490S_CLEAN_poly_tobytes(uint8_t r[KYBER_POLYBYTES], poly *a) { - unsigned int i = 0; - uint16_t t0 = 0, t1 = 0; + size_t i; + uint16_t t0, t1; PQCLEAN_KYBER102490S_CLEAN_poly_csubq(a); 
@@ -102,7 +102,7 @@ void PQCLEAN_KYBER102490S_CLEAN_poly_tobytes(uint8_t r[KYBER_POLYBYTES], poly *a * (of KYBER_POLYBYTES bytes) **************************************************/ void PQCLEAN_KYBER102490S_CLEAN_poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_N / 2; i++) { r->coeffs[2 * i] = ((a[3 * i + 0] >> 0) | ((uint16_t)a[3 * i + 1] << 8)) & 0xFFF; r->coeffs[2 * i + 1] = ((a[3 * i + 1] >> 4) | ((uint16_t)a[3 * i + 2] << 4)) & 0xFFF; @@ -118,8 +118,8 @@ void PQCLEAN_KYBER102490S_CLEAN_poly_frombytes(poly *r, const uint8_t a[KYBER_PO * - const uint8_t *msg: pointer to input message **************************************************/ void PQCLEAN_KYBER102490S_CLEAN_poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]) { - unsigned int i = 0, j = 0; - int16_t mask = 0; + size_t i, j; + int16_t mask; for (i = 0; i < KYBER_N / 8; i++) { for (j = 0; j < 8; j++) { @@ -138,8 +138,8 @@ void PQCLEAN_KYBER102490S_CLEAN_poly_frommsg(poly *r, const uint8_t msg[KYBER_IN * - poly *a: pointer to input polynomial **************************************************/ void PQCLEAN_KYBER102490S_CLEAN_poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], poly *a) { - unsigned int i = 0, j = 0; - uint16_t t = 0; + size_t i, j; + uint16_t t; PQCLEAN_KYBER102490S_CLEAN_poly_csubq(a); @@ -207,7 +207,7 @@ void PQCLEAN_KYBER102490S_CLEAN_poly_invntt_tomont(poly *r) { * - const poly *b: pointer to second input polynomial **************************************************/ void PQCLEAN_KYBER102490S_CLEAN_poly_basemul_montgomery(poly *r, const poly *a, const poly *b) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_N / 4; i++) { PQCLEAN_KYBER102490S_CLEAN_basemul(&r->coeffs[4 * i], &a->coeffs[4 * i], &b->coeffs[4 * i], PQCLEAN_KYBER102490S_CLEAN_zetas[64 + i]); PQCLEAN_KYBER102490S_CLEAN_basemul(&r->coeffs[4 * i + 2], &a->coeffs[4 * i + 2], &b->coeffs[4 * i + 2], 
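Review bot: `poly_tomsg` converts the decrypted polynomial, which is secret, into the message, and its loop body (outside this hunk) presumably performs the usual `(... + KYBER_Q / 2) / KYBER_Q` rounding before masking to one bit; a division by `KYBER_Q` on that data is compiled to a variable-time divide instruction on some targets and would leak message bits through timing. If that is what the body does, rewrite the division as a multiply-and-shift by a precomputed reciprocal, check it against the plain division for every input 0..KYBER_Q-1, and add `/* must stay constant-time: the input is the decrypted message polynomial */` above the loop. The hunk shown only changes the declarations (`size_t i, j; uint16_t t;`), which is fine; the rest of the function is outside it.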
@@ -224,7 +224,7 @@ void PQCLEAN_KYBER102490S_CLEAN_poly_basemul_montgomery(poly *r, const poly *a,
 * Arguments: - poly *r: pointer to input/output polynomial
 **************************************************/
 void PQCLEAN_KYBER102490S_CLEAN_poly_tomont(poly *r) {
- unsigned int i = 0;
+ size_t i;
 const int16_t f = (1ULL << 32) % KYBER_Q;
 for (i = 0; i < KYBER_N; i++) {
 r->coeffs[i] = PQCLEAN_KYBER102490S_CLEAN_montgomery_reduce((int32_t)r->coeffs[i] * f);
@@ -240,7 +240,7 @@ void PQCLEAN_KYBER102490S_CLEAN_poly_tomont(poly *r) {
 * Arguments: - poly *r: pointer to input/output polynomial
 **************************************************/
 void PQCLEAN_KYBER102490S_CLEAN_poly_reduce(poly *r) {
- unsigned int i = 0;
+ size_t i;
 for (i = 0; i < KYBER_N; i++) {
 r->coeffs[i] = PQCLEAN_KYBER102490S_CLEAN_barrett_reduce(r->coeffs[i]);
 }
@@ -256,7 +256,7 @@ void PQCLEAN_KYBER102490S_CLEAN_poly_reduce(poly *r) {
 * Arguments: - poly *r: pointer to input/output polynomial
 **************************************************/
 void PQCLEAN_KYBER102490S_CLEAN_poly_csubq(poly *r) {
- unsigned int i = 0;
+ size_t i;
 for (i = 0; i < KYBER_N; i++) {
 r->coeffs[i] = PQCLEAN_KYBER102490S_CLEAN_csubq(r->coeffs[i]);
 }
@@ -272,7 +272,7 @@ void PQCLEAN_KYBER102490S_CLEAN_poly_csubq(poly *r) {
 * - const poly *b: pointer to second input polynomial
 **************************************************/
 void PQCLEAN_KYBER102490S_CLEAN_poly_add(poly *r, const poly *a, const poly *b) {
- unsigned int i = 0;
+ size_t i;
 for (i = 0; i < KYBER_N; i++) {
 r->coeffs[i] = a->coeffs[i] + b->coeffs[i];
 }
@@ -288,7 +288,7 @@ void PQCLEAN_KYBER102490S_CLEAN_poly_add(poly *r, const poly *a, const poly *b)
 * - const poly *b: pointer to second input polynomial
 **************************************************/
 void PQCLEAN_KYBER102490S_CLEAN_poly_sub(poly *r, const poly *a, const poly *b) {
- unsigned int i = 0;
+ size_t i;
 for (i = 0; i < KYBER_N; i++) {
 r->coeffs[i] = a->coeffs[i] - b->coeffs[i];
 }
diff --git a/crypto_kem/kyber1024-90s/clean/poly.h b/crypto_kem/kyber1024-90s/clean/poly.h index 1c01914d..607687dd 100644 --- a/crypto_kem/kyber1024-90s/clean/poly.h +++ b/crypto_kem/kyber1024-90s/clean/poly.h @@ -1,6 +1,5 @@ #ifndef PQCLEAN_KYBER102490S_CLEAN_POLY_H #define PQCLEAN_KYBER102490S_CLEAN_POLY_H - #include "params.h" #include @@ -12,41 +11,26 @@ typedef struct { int16_t coeffs[KYBER_N]; } poly; - void PQCLEAN_KYBER102490S_CLEAN_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], poly *a); - void PQCLEAN_KYBER102490S_CLEAN_poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]); - void PQCLEAN_KYBER102490S_CLEAN_poly_tobytes(uint8_t r[KYBER_POLYBYTES], poly *a); - void PQCLEAN_KYBER102490S_CLEAN_poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]); - void PQCLEAN_KYBER102490S_CLEAN_poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]); - void PQCLEAN_KYBER102490S_CLEAN_poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], poly *a); - void PQCLEAN_KYBER102490S_CLEAN_poly_getnoise(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce); - void PQCLEAN_KYBER102490S_CLEAN_poly_ntt(poly *r); - void PQCLEAN_KYBER102490S_CLEAN_poly_invntt_tomont(poly *r); - void PQCLEAN_KYBER102490S_CLEAN_poly_basemul_montgomery(poly *r, const poly *a, const poly *b); - void PQCLEAN_KYBER102490S_CLEAN_poly_tomont(poly *r); - void PQCLEAN_KYBER102490S_CLEAN_poly_reduce(poly *r); - void PQCLEAN_KYBER102490S_CLEAN_poly_csubq(poly *r); - void PQCLEAN_KYBER102490S_CLEAN_poly_add(poly *r, const poly *a, const poly *b); - void PQCLEAN_KYBER102490S_CLEAN_poly_sub(poly *r, const poly *a, const poly *b); #endif diff --git a/crypto_kem/kyber1024-90s/clean/polyvec.c b/crypto_kem/kyber1024-90s/clean/polyvec.c index a0cc8d12..ac7b5ab1 100644 --- a/crypto_kem/kyber1024-90s/clean/polyvec.c +++ b/crypto_kem/kyber1024-90s/clean/polyvec.c 
@@ -13,7 +13,7 @@ * - polyvec *a: pointer to input vector of polynomials **************************************************/ void PQCLEAN_KYBER102490S_CLEAN_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], polyvec *a) { - unsigned int i = 0, j = 0, k = 0; + unsigned int i, j, k; PQCLEAN_KYBER102490S_CLEAN_polyvec_csubq(a); @@ -21,10 +21,8 @@ void PQCLEAN_KYBER102490S_CLEAN_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESS for (i = 0; i < KYBER_K; i++) { for (j = 0; j < KYBER_N / 8; j++) { for (k = 0; k < 8; k++) { - { - t[k] = ((((uint32_t)a->vec[i].coeffs[8 * j + k] << 11) + KYBER_Q / 2) - / KYBER_Q) & 0x7ff; - } + t[k] = ((((uint32_t)a->vec[i].coeffs[8 * j + k] << 11) + KYBER_Q / 2) + / KYBER_Q) & 0x7ff; } r[ 0] = (uint8_t)(t[0] >> 0); @@ -55,7 +53,7 @@ void PQCLEAN_KYBER102490S_CLEAN_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESS **************************************************/ void PQCLEAN_KYBER102490S_CLEAN_polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]) { - unsigned int i = 0, j = 0, k = 0; + unsigned int i, j, k; uint16_t t[8]; for (i = 0; i < KYBER_K; i++) { @@ -87,7 +85,7 @@ void PQCLEAN_KYBER102490S_CLEAN_polyvec_decompress(polyvec *r, * - polyvec *a: pointer to input vector of polynomials **************************************************/ void PQCLEAN_KYBER102490S_CLEAN_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], polyvec *a) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER102490S_CLEAN_poly_tobytes(r + i * KYBER_POLYBYTES, &a->vec[i]); } @@ -104,7 +102,7 @@ void PQCLEAN_KYBER102490S_CLEAN_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], p * (of length KYBER_POLYVECBYTES) **************************************************/ void PQCLEAN_KYBER102490S_CLEAN_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER102490S_CLEAN_poly_frombytes(&r->vec[i], a + i * KYBER_POLYBYTES); } 
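Review bot: `t[k] = ((((uint32_t)a->vec[i].coeffs[8 * j + k] << 11) + KYBER_Q / 2) / KYBER_Q) & 0x7ff;` divides a coefficient by `KYBER_Q`, and the vector being compressed is derived from the encryption randomness, which during decapsulation's re-encryption is secret; on targets where the compiler emits a real division instruction instead of a multiply-by-reciprocal this is a secret-dependent-time operation. Replace the `/ KYBER_Q` with an explicit multiply-and-shift by a precomputed reciprocal and verify it against the division for every coefficient value 0..KYBER_Q-1 (a cheap exhaustive test), with a comment such as `/* constant-time round(x * 2^11 / q): no '/' on secret-dependent data */`. The same pattern likely exists in the other compress routines of this file and in poly.c, which are outside this hunk; the brace cleanup itself is fine.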
@@ -118,7 +116,7 @@ void PQCLEAN_KYBER102490S_CLEAN_polyvec_frombytes(polyvec *r, const uint8_t a[KY * Arguments: - polyvec *r: pointer to in/output vector of polynomials **************************************************/ void PQCLEAN_KYBER102490S_CLEAN_polyvec_ntt(polyvec *r) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER102490S_CLEAN_poly_ntt(&r->vec[i]); } @@ -133,7 +131,7 @@ void PQCLEAN_KYBER102490S_CLEAN_polyvec_ntt(polyvec *r) { * Arguments: - polyvec *r: pointer to in/output vector of polynomials **************************************************/ void PQCLEAN_KYBER102490S_CLEAN_polyvec_invntt_tomont(polyvec *r) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER102490S_CLEAN_poly_invntt_tomont(&r->vec[i]); } @@ -152,7 +150,7 @@ void PQCLEAN_KYBER102490S_CLEAN_polyvec_invntt_tomont(polyvec *r) { void PQCLEAN_KYBER102490S_CLEAN_polyvec_pointwise_acc_montgomery(poly *r, const polyvec *a, const polyvec *b) { - unsigned int i = 0; + unsigned int i; poly t; PQCLEAN_KYBER102490S_CLEAN_poly_basemul_montgomery(r, &a->vec[0], &b->vec[0]); @@ -174,7 +172,7 @@ void PQCLEAN_KYBER102490S_CLEAN_polyvec_pointwise_acc_montgomery(poly *r, * Arguments: - poly *r: pointer to input/output polynomial **************************************************/ void PQCLEAN_KYBER102490S_CLEAN_polyvec_reduce(polyvec *r) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER102490S_CLEAN_poly_reduce(&r->vec[i]); } @@ -191,7 +189,7 @@ void PQCLEAN_KYBER102490S_CLEAN_polyvec_reduce(polyvec *r) { * Arguments: - poly *r: pointer to input/output polynomial **************************************************/ void PQCLEAN_KYBER102490S_CLEAN_polyvec_csubq(polyvec *r) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER102490S_CLEAN_poly_csubq(&r->vec[i]); } 
@@ -207,7 +205,7 @@ void PQCLEAN_KYBER102490S_CLEAN_polyvec_csubq(polyvec *r) { * - const polyvec *b: pointer to second input vector of polynomials **************************************************/ void PQCLEAN_KYBER102490S_CLEAN_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER102490S_CLEAN_poly_add(&r->vec[i], &a->vec[i], &b->vec[i]); } diff --git a/crypto_kem/kyber1024-90s/clean/polyvec.h b/crypto_kem/kyber1024-90s/clean/polyvec.h index 00d41ea2..44e18924 100644 --- a/crypto_kem/kyber1024-90s/clean/polyvec.h +++ b/crypto_kem/kyber1024-90s/clean/polyvec.h @@ -1,6 +1,5 @@ #ifndef PQCLEAN_KYBER102490S_CLEAN_POLYVEC_H #define PQCLEAN_KYBER102490S_CLEAN_POLYVEC_H - #include "params.h" #include "poly.h" #include @@ -9,33 +8,23 @@ typedef struct { poly vec[KYBER_K]; } polyvec; - void PQCLEAN_KYBER102490S_CLEAN_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], polyvec *a); - void PQCLEAN_KYBER102490S_CLEAN_polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]); - void PQCLEAN_KYBER102490S_CLEAN_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], polyvec *a); - void PQCLEAN_KYBER102490S_CLEAN_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]); - void PQCLEAN_KYBER102490S_CLEAN_polyvec_ntt(polyvec *r); - void PQCLEAN_KYBER102490S_CLEAN_polyvec_invntt_tomont(polyvec *r); - void PQCLEAN_KYBER102490S_CLEAN_polyvec_pointwise_acc_montgomery(poly *r, const polyvec *a, const polyvec *b); - void PQCLEAN_KYBER102490S_CLEAN_polyvec_reduce(polyvec *r); - void PQCLEAN_KYBER102490S_CLEAN_polyvec_csubq(polyvec *r); - void PQCLEAN_KYBER102490S_CLEAN_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b); #endif diff --git a/crypto_kem/kyber1024-90s/clean/reduce.c b/crypto_kem/kyber1024-90s/clean/reduce.c index 638cf7eb..f42859ed 100644 --- a/crypto_kem/kyber1024-90s/clean/reduce.c +++ b/crypto_kem/kyber1024-90s/clean/reduce.c 
@@ -15,8 +15,8 @@ * Returns: integer in {-q+1,...,q-1} congruent to a * R^-1 modulo q. **************************************************/ int16_t PQCLEAN_KYBER102490S_CLEAN_montgomery_reduce(int32_t a) { - int32_t t = 0; - int16_t u = 0; + int32_t t; + int16_t u; u = (int16_t)(a * (int64_t)QINV); t = (int32_t)u * KYBER_Q; @@ -36,7 +36,7 @@ int16_t PQCLEAN_KYBER102490S_CLEAN_montgomery_reduce(int32_t a) { * Returns: integer in {0,...,q} congruent to a modulo q. **************************************************/ int16_t PQCLEAN_KYBER102490S_CLEAN_barrett_reduce(int16_t a) { - int16_t t = 0; + int16_t t; const int16_t v = ((1U << 26) + KYBER_Q / 2) / KYBER_Q; t = (int32_t)v * a >> 26; diff --git a/crypto_kem/kyber1024-90s/clean/reduce.h b/crypto_kem/kyber1024-90s/clean/reduce.h index d53bafdc..1c23db2f 100644 --- a/crypto_kem/kyber1024-90s/clean/reduce.h +++ b/crypto_kem/kyber1024-90s/clean/reduce.h @@ -1,19 +1,15 @@ #ifndef PQCLEAN_KYBER102490S_CLEAN_REDUCE_H #define PQCLEAN_KYBER102490S_CLEAN_REDUCE_H - #include "params.h" #include #define MONT 2285 // 2^16 mod q #define QINV 62209 // q^-1 mod 2^16 - int16_t PQCLEAN_KYBER102490S_CLEAN_montgomery_reduce(int32_t a); - int16_t PQCLEAN_KYBER102490S_CLEAN_barrett_reduce(int16_t a); - int16_t PQCLEAN_KYBER102490S_CLEAN_csubq(int16_t a); #endif diff --git a/crypto_kem/kyber1024-90s/clean/symmetric-aes.c b/crypto_kem/kyber1024-90s/clean/symmetric-aes.c index 1728f02e..7a4433d8 100644 --- a/crypto_kem/kyber1024-90s/clean/symmetric-aes.c +++ b/crypto_kem/kyber1024-90s/clean/symmetric-aes.c @@ -1,5 +1,6 @@ -#include "symmetric-aes.h" #include "aes.h" +#include "params.h" +#include "symmetric.h" #include #include #include 
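Review bot: In the `symmetric-aes.c` include hunk the file stops including its own header, `symmetric-aes.h`, directly and instead relies on `symmetric.h` to pull it in transitively; the convention of including a translation unit's own header first exists precisely so that the header is proven self-contained and the definitions here are checked against their declarations without depending on what another header happens to include. Keep `#include "symmetric-aes.h"` as the first line, before `aes.h`, and add the new `params.h`/`symmetric.h` includes after it. The doc-comment name corrections in the following hunks are correct.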
@@ -34,7 +35,7 @@ static void aes256_ctr_xof(unsigned char *out, size_t outlen, const unsigned cha } /************************************************* -* Name: aes256_prf +* Name: PQCLEAN_KYBER102490S_CLEAN_aes256_prf * * Description: AES256 stream generation in CTR mode using 32-bit counter, * nonce is zero-padded to 12 bytes, counter starts at zero @@ -58,7 +59,7 @@ void PQCLEAN_KYBER102490S_CLEAN_aes256_prf(uint8_t *output, size_t outlen, const } /************************************************* -* Name: aes256xof_absorb +* Name: PQCLEAN_KYBER102490S_CLEAN_aes256xof_absorb * * Description: AES256 CTR used as a replacement for a XOF; this function * "absorbs" a 32-byte key and two additional bytes that are zero-padded @@ -80,7 +81,7 @@ void PQCLEAN_KYBER102490S_CLEAN_aes256xof_absorb(aes256xof_ctx *s, const uint8_t } /************************************************* -* Name: aes256xof_squeezeblocks +* Name: PQCLEAN_KYBER102490S_CLEAN_aes256xof_squeezeblocks * * Description: AES256 CTR used as a replacement for a XOF; this function * generates 4 blocks out AES256-CTR output diff --git a/crypto_kem/kyber1024-90s/clean/symmetric-aes.h b/crypto_kem/kyber1024-90s/clean/symmetric-aes.h index bc2d7483..3fff518b 100644 --- a/crypto_kem/kyber1024-90s/clean/symmetric-aes.h +++ b/crypto_kem/kyber1024-90s/clean/symmetric-aes.h @@ -1,11 +1,10 @@ -#ifndef AES256CTR_H -#define AES256CTR_H - +#ifndef PQCLEAN_KYBER102490S_CLEAN_SYMMETRIC_AES_H +#define PQCLEAN_KYBER102490S_CLEAN_SYMMETRIC_AES_H #include "aes.h" - #include #include + typedef struct { aes256ctx sk_exp; uint8_t iv[12]; diff --git a/crypto_kem/kyber1024-90s/clean/symmetric.h b/crypto_kem/kyber1024-90s/clean/symmetric.h index d5adb1fb..6ceb075d 100644 --- a/crypto_kem/kyber1024-90s/clean/symmetric.h +++ b/crypto_kem/kyber1024-90s/clean/symmetric.h 
@@ -1,13 +1,12 @@ -#ifndef SYMMETRIC_H -#define SYMMETRIC_H - +#ifndef PQCLEAN_KYBER102490S_CLEAN_SYMMETRIC_H +#define PQCLEAN_KYBER102490S_CLEAN_SYMMETRIC_H #include "params.h" +#include "sha2.h" +#include "symmetric-aes.h" #include #include -#include "sha2.h" -#include "symmetric-aes.h" typedef aes256xof_ctx xof_state; diff --git a/crypto_kem/kyber1024-90s/clean/verify.c b/crypto_kem/kyber1024-90s/clean/verify.c index 2b03b703..23911d39 100644 --- a/crypto_kem/kyber1024-90s/clean/verify.c +++ b/crypto_kem/kyber1024-90s/clean/verify.c @@ -14,7 +14,7 @@ * Returns 0 if the byte arrays are equal, 1 otherwise **************************************************/ int PQCLEAN_KYBER102490S_CLEAN_verify(const uint8_t *a, const uint8_t *b, size_t len) { - size_t i = 0; + size_t i; uint8_t r = 0; for (i = 0; i < len; i++) { @@ -38,7 +38,7 @@ int PQCLEAN_KYBER102490S_CLEAN_verify(const uint8_t *a, const uint8_t *b, size_t * uint8_t b: Condition bit; has to be in {0,1} **************************************************/ void PQCLEAN_KYBER102490S_CLEAN_cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b) { - size_t i = 0; + size_t i; b = -b; for (i = 0; i < len; i++) { diff --git a/crypto_kem/kyber1024-90s/clean/verify.h b/crypto_kem/kyber1024-90s/clean/verify.h index 2446d798..1d48a111 100644 --- a/crypto_kem/kyber1024-90s/clean/verify.h +++ b/crypto_kem/kyber1024-90s/clean/verify.h @@ -1,14 +1,11 @@ #ifndef PQCLEAN_KYBER102490S_CLEAN_VERIFY_H #define PQCLEAN_KYBER102490S_CLEAN_VERIFY_H - #include "params.h" #include #include - int PQCLEAN_KYBER102490S_CLEAN_verify(const uint8_t *a, const uint8_t *b, size_t len); - void PQCLEAN_KYBER102490S_CLEAN_cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b); #endif diff --git a/crypto_kem/kyber1024/META.yml b/crypto_kem/kyber1024/META.yml index 9e75d2ef..68fad5a9 100644 --- a/crypto_kem/kyber1024/META.yml +++ b/crypto_kem/kyber1024/META.yml 
@@ -21,15 +21,16 @@ auxiliary-submitters: - Damien Stehlé implementations: - name: clean - version: https://github.com/pq-crystals/kyber/commit/46e283ab575ec92dfe82fb12229ae2d9d6246682 + version: https://github.com/pq-crystals/kyber/commit/844057468e69527bd15b17fbe03f4b61f9a22065 via https://github.com/jschanck/package-pqclean/tree/b45068b8/kyber - name: avx2 - version: https://github.com/pq-crystals/kyber/commit/46e283ab575ec92dfe82fb12229ae2d9d6246682 + version: https://github.com/pq-crystals/kyber/commit/844057468e69527bd15b17fbe03f4b61f9a22065 via https://github.com/jschanck/package-pqclean/tree/b45068b8/kyber supported_platforms: - architecture: x86_64 operating_systems: - - Linux - - Darwin + - Linux + - Darwin required_flags: + - aes - avx2 - bmi2 - popcnt diff --git a/crypto_kem/kyber1024/avx2/Makefile b/crypto_kem/kyber1024/avx2/Makefile index d8addf47..83f3ca9e 100644 --- a/crypto_kem/kyber1024/avx2/Makefile +++ b/crypto_kem/kyber1024/avx2/Makefile 
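Review bot: The `- aes` entry added to `required_flags` for the non-90s kyber1024 avx2 implementation looks spurious: that implementation's Makefile (the next hunk) compiles with `-mavx2 -mbmi2 -mpopcnt` only, links `fips202x4.o`/`symmetric-shake.o` and has no `aes256ctr.o`, so nothing visible here executes AES-NI. Declaring the flag will make platform-gating consumers skip this implementation on CPUs or VMs that lack AES-NI even though it would run fine there, and it blurs the distinction from the `-90s` variant where the flag is genuinely needed. Unless some file outside this diff uses AES-NI in this directory, drop the line and keep `required_flags` as `- avx2`, `- bmi2`, `- popcnt`.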
@@ -1,50 +1,16 @@ # This Makefile can be used with GNU Make or BSD Make LIB=libkyber1024_avx2.a -HEADERS= \ - align.h \ - api.h \ - cbd.h \ - cdecl.inc \ - consts.h \ - fips202x4.h \ - fq.inc \ - indcpa.h \ - kem.h \ - ntt.h \ - params.h \ - poly.h \ - polyvec.h \ - reduce.h \ - rejsample.h \ - shuffle.inc \ - symmetric.h \ - verify.h -OBJECTS= \ - basemul.o \ - cbd.o \ - consts.o \ - fips202x4.o \ - fq.o \ - indcpa.o \ - invntt.o \ - kem.o \ - ntt.o \ - poly.o \ - polyvec.o \ - rejsample.o \ - shuffle.o \ - symmetric-shake.o \ - verify.o - +HEADERS=align.h api.h cbd.h cdecl.h consts.h fips202x4.h indcpa.h kem.h ntt.h params.h poly.h polyvec.h reduce.h rejsample.h symmetric.h verify.h fq.inc shuffle.inc +OBJECTS=cbd.o consts.o fips202x4.o indcpa.o kem.o poly.o polyvec.o rejsample.o symmetric-shake.o verify.o basemul.o fq.o invntt.o ntt.o shuffle.o KECCAK4XDIR=../../../common/keccak4x KECCAK4XOBJ=KeccakP-1600-times4-SIMD256.o KECCAK4X=$(KECCAK4XDIR)/$(KECCAK4XOBJ) CFLAGS=-mavx2 -mbmi2 -mpopcnt -O3 -Wall -Wextra -Wpedantic -Werror \ - -Wmissing-prototypes -Wredundant-decls \ - -Wpointer-arith -Wshadow \ - -std=c99 -I../../../common $(EXTRAFLAGS) + -Wmissing-prototypes -Wredundant-decls \ + -Wpointer-arith -Wshadow \ + -std=c99 -I../../../common $(EXTRAFLAGS) all: $(LIB) diff --git a/crypto_kem/kyber1024/avx2/align.h b/crypto_kem/kyber1024/avx2/align.h index bd9c2be5..89a1f23b 100644 --- a/crypto_kem/kyber1024/avx2/align.h +++ b/crypto_kem/kyber1024/avx2/align.h @@ -1,5 +1,6 @@ #ifndef PQCLEAN_KYBER1024_AVX2_ALIGN_H #define PQCLEAN_KYBER1024_AVX2_ALIGN_H + #include #define ALIGN16_TYPE(t) \ diff --git a/crypto_kem/kyber1024/avx2/api.h b/crypto_kem/kyber1024/avx2/api.h index ebcbb41f..49b55a7f 100644 --- a/crypto_kem/kyber1024/avx2/api.h +++ b/crypto_kem/kyber1024/avx2/api.h 
@@ -15,5 +15,4 @@ int PQCLEAN_KYBER1024_AVX2_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_ int PQCLEAN_KYBER1024_AVX2_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - #endif diff --git a/crypto_kem/kyber1024/avx2/basemul.S b/crypto_kem/kyber1024/avx2/basemul.S index c2ee0bdb..80a4c4cc 100644 --- a/crypto_kem/kyber1024/avx2/basemul.S +++ b/crypto_kem/kyber1024/avx2/basemul.S @@ -1,5 +1,5 @@ +#include "cdecl.h" #include "params.h" -#include "cdecl.inc" .macro schoolbook off,sign #load @@ -165,7 +165,9 @@ vmovdqa %ymm5,96(%rdi) ret .global cdecl(PQCLEAN_KYBER1024_AVX2_basemul_acc_avx) +.global _cdecl(PQCLEAN_KYBER1024_AVX2_basemul_acc_avx) cdecl(PQCLEAN_KYBER1024_AVX2_basemul_acc_avx): +_cdecl(PQCLEAN_KYBER1024_AVX2_basemul_acc_avx): #consts vmovdqa _16XQ*2(%rcx),%ymm0 vmovdqa _16XQINV*2(%rcx),%ymm1 @@ -215,7 +217,9 @@ vmovdqa %ymm12,96(%rdi) ret .global cdecl(PQCLEAN_KYBER1024_AVX2_basemul_avx) +.global _cdecl(PQCLEAN_KYBER1024_AVX2_basemul_avx) cdecl(PQCLEAN_KYBER1024_AVX2_basemul_avx): +_cdecl(PQCLEAN_KYBER1024_AVX2_basemul_avx): #consts vmovdqa _16XQ*2(%rcx),%ymm0 vmovdqa _16XQINV*2(%rcx),%ymm1 diff --git a/crypto_kem/kyber1024/avx2/cbd.c b/crypto_kem/kyber1024/avx2/cbd.c index 6377f9dc..93ff7fa9 100644 --- a/crypto_kem/kyber1024/avx2/cbd.c +++ b/crypto_kem/kyber1024/avx2/cbd.c @@ -1,5 +1,5 @@ -#include "params.h" #include "cbd.h" +#include "params.h" #include #include @@ -14,7 +14,7 @@ * - const unsigned char *buf: pointer to input byte array **************************************************/ void PQCLEAN_KYBER1024_AVX2_cbd(poly *restrict r, const uint8_t *restrict buf) { - unsigned int i = 0; + unsigned int i; __m256i vec0, vec1, vec2, vec3, tmp; const __m256i mask55 = _mm256_set1_epi32(0x55555555); const __m256i mask33 = _mm256_set1_epi32(0x33333333); diff --git a/crypto_kem/kyber1024/avx2/cbd.h b/crypto_kem/kyber1024/avx2/cbd.h index 7603f2e7..53ae890e 100644 --- a/crypto_kem/kyber1024/avx2/cbd.h 
+++ b/crypto_kem/kyber1024/avx2/cbd.h @@ -1,11 +1,9 @@ #ifndef PQCLEAN_KYBER1024_AVX2_CBD_H #define PQCLEAN_KYBER1024_AVX2_CBD_H - #include "params.h" #include "poly.h" #include - void PQCLEAN_KYBER1024_AVX2_cbd(poly *r, const uint8_t buf[KYBER_ETA * KYBER_N / 4]); #endif diff --git a/crypto_kem/kyber1024/avx2/cdecl.inc b/crypto_kem/kyber1024/avx2/cdecl.h similarity index 78% rename from crypto_kem/kyber1024/avx2/cdecl.inc rename to crypto_kem/kyber1024/avx2/cdecl.h index 8ded53b1..effdcdf8 100644 --- a/crypto_kem/kyber1024/avx2/cdecl.inc +++ b/crypto_kem/kyber1024/avx2/cdecl.h @@ -1,5 +1,5 @@ -#ifndef PQCLEAN_DILITHIUM2_AVX2_CDECL -#define PQCLEAN_DILITHIUM2_AVX2_CDECL +#ifndef PQCLEAN_KYBER1024_AVX2_CDECL_H +#define PQCLEAN_KYBER1024_AVX2_CDECL_H #define _16XQ 0 #define _16XQINV 16 @@ -21,10 +21,6 @@ * This define helps us get around this */ -#if defined(__WIN32__) || defined(__APPLE__) -#define cdecl(s) _##s -#else +#define _cdecl(s) _##s #define cdecl(s) s #endif - -#endif diff --git a/crypto_kem/kyber1024/avx2/consts.c b/crypto_kem/kyber1024/avx2/consts.c index dfa52c12..1beb39f6 100644 --- a/crypto_kem/kyber1024/avx2/consts.c +++ b/crypto_kem/kyber1024/avx2/consts.c @@ -1,5 +1,5 @@ -#include "params.h" #include "consts.h" +#include "params.h" #include #define Q KYBER_Q diff --git a/crypto_kem/kyber1024/avx2/consts.h b/crypto_kem/kyber1024/avx2/consts.h index ea1376c1..0d9bf87c 100644 --- a/crypto_kem/kyber1024/avx2/consts.h +++ b/crypto_kem/kyber1024/avx2/consts.h @@ -1,12 +1,11 @@ #ifndef PQCLEAN_KYBER1024_AVX2_CONSTS_H #define PQCLEAN_KYBER1024_AVX2_CONSTS_H - -#include "cdecl.inc" - +#include "cdecl.h" #include "params.h" #include #include + #define ALIGNED_UINT16_T(N) \ union { \ __m256i as_vec; \ diff --git a/crypto_kem/kyber1024/avx2/fips202x4.c b/crypto_kem/kyber1024/avx2/fips202x4.c index 82c2e4c9..66232b87 100644 --- a/crypto_kem/kyber1024/avx2/fips202x4.c +++ b/crypto_kem/kyber1024/avx2/fips202x4.c 
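Review bot: Replacing the platform-conditional `cdecl()` with the unconditional pair `#define _cdecl(s) _##s` / `#define cdecl(s) s`, combined with the `.global _cdecl(...)` labels added to every .S file in this commit, means each assembly routine is now exported under two global names on every platform (the underscore-prefixed one is dead weight on ELF, the bare one on Mach-O), which widens the library's exported symbol surface without any functional gain. The name `_cdecl` is also a reserved identifier in C and a calling-convention keyword on MSVC, and because consts.h now includes cdecl.h the macro reaches ordinary C translation units, so a build with that toolchain would trip over the definition. A non-reserved name such as `#define CDECL_US(s) _##s` avoids the keyword clash; if the dual export is intentional for mixed toolchains, say so in the comment above the defines, and consider emitting the second name as a local alias (`.set`) rather than a second `.global`. The `_16XQ`-style offsets are fine (underscore followed by a digit is not reserved).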
@@ -10,7 +10,7 @@ extern void KeccakF1600_StatePermute4x(__m256i *s); static inline void store64(uint8_t x[8], uint64_t u) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < 8; i++) { x[i] = u >> 8 * i; @@ -25,7 +25,7 @@ static void keccakx4_absorb(__m256i s[25], const uint8_t *in3, size_t inlen, uint8_t p) { - size_t i = 0, pos = 0; + size_t i, pos = 0; __m256i t, idx; for (i = 0; i < 25; ++i) { @@ -74,8 +74,8 @@ static void keccakx4_squeezeblocks(uint8_t *out0, size_t nblocks, unsigned int r, __m256i s[25]) { - unsigned int i = 0; - uint64_t f0 = 0, f1 = 0, f2 = 0, f3 = 0; + unsigned int i; + uint64_t f0, f1, f2, f3; while (nblocks > 0) { KeccakF1600_StatePermute4x(s); @@ -137,8 +137,17 @@ void PQCLEAN_KYBER1024_AVX2_shake256x4_squeezeblocks(uint8_t *out0, state->s); } -void PQCLEAN_KYBER1024_AVX2_shake128x4(uint8_t *out0, uint8_t *out1, uint8_t *out2, uint8_t *out3, size_t outlen, const uint8_t *in0, const uint8_t *in1, const uint8_t *in2, const uint8_t *in3, size_t inlen) { - unsigned int i = 0; +void PQCLEAN_KYBER1024_AVX2_shake128x4(uint8_t *out0, + uint8_t *out1, + uint8_t *out2, + uint8_t *out3, + size_t outlen, + const uint8_t *in0, + const uint8_t *in1, + const uint8_t *in2, + const uint8_t *in3, + size_t inlen) { + unsigned int i; size_t nblocks = outlen / SHAKE128_RATE; uint8_t t[4][SHAKE128_RATE]; keccakx4_state state; 
@@ -163,8 +172,17 @@ void PQCLEAN_KYBER1024_AVX2_shake128x4(uint8_t *out0, uint8_t *out1, uint8_t *ou } } -void PQCLEAN_KYBER1024_AVX2_shake256x4(uint8_t *out0, uint8_t *out1, uint8_t *out2, uint8_t *out3, size_t outlen, const uint8_t *in0, const uint8_t *in1, const uint8_t *in2, const uint8_t *in3, size_t inlen) { - unsigned int i = 0; +void PQCLEAN_KYBER1024_AVX2_shake256x4(uint8_t *out0, + uint8_t *out1, + uint8_t *out2, + uint8_t *out3, + size_t outlen, + const uint8_t *in0, + const uint8_t *in1, + const uint8_t *in2, + const uint8_t *in3, + size_t inlen) { + unsigned int i; size_t nblocks = outlen / SHAKE256_RATE; uint8_t t[4][SHAKE256_RATE]; keccakx4_state state; diff --git a/crypto_kem/kyber1024/avx2/fips202x4.h b/crypto_kem/kyber1024/avx2/fips202x4.h index a2d7802c..47f3176c 100644 --- a/crypto_kem/kyber1024/avx2/fips202x4.h +++ b/crypto_kem/kyber1024/avx2/fips202x4.h @@ -1,5 +1,5 @@ -#ifndef FIPS202X4_H -#define FIPS202X4_H +#ifndef PQCLEAN_KYBER1024_AVX2_FIPS202X4_H +#define PQCLEAN_KYBER1024_AVX2_FIPS202X4_H #include #include 
@@ -9,17 +9,54 @@ typedef struct { __m256i s[25]; } keccakx4_state; -void PQCLEAN_KYBER1024_AVX2_shake128x4_absorb(keccakx4_state *state, const uint8_t *in0, const uint8_t *in1, const uint8_t *in2, const uint8_t *in3, size_t inlen); +void PQCLEAN_KYBER1024_AVX2_shake128x4_absorb(keccakx4_state *state, + const uint8_t *in0, + const uint8_t *in1, + const uint8_t *in2, + const uint8_t *in3, + size_t inlen); -void PQCLEAN_KYBER1024_AVX2_shake128x4_squeezeblocks(uint8_t *out0, uint8_t *out1, uint8_t *out2, uint8_t *out3, size_t nblocks, keccakx4_state *state); - -void PQCLEAN_KYBER1024_AVX2_shake256x4_absorb(keccakx4_state *state, const uint8_t *in0, const uint8_t *in1, const uint8_t *in2, const uint8_t *in3, size_t inlen); - -void PQCLEAN_KYBER1024_AVX2_shake256x4_squeezeblocks(uint8_t *out0, uint8_t *out1, uint8_t *out2, uint8_t *out3, size_t nblocks, +void PQCLEAN_KYBER1024_AVX2_shake128x4_squeezeblocks(uint8_t *out0, + uint8_t *out1, + uint8_t *out2, + uint8_t *out3, + size_t nblocks, keccakx4_state *state); -void PQCLEAN_KYBER1024_AVX2_shake128x4(uint8_t *out0, uint8_t *out1, uint8_t *out2, uint8_t *out3, size_t outlen, const uint8_t *in0, const uint8_t *in1, const uint8_t *in2, const uint8_t *in3, size_t inlen); +void PQCLEAN_KYBER1024_AVX2_shake256x4_absorb(keccakx4_state *state, + const uint8_t *in0, + const uint8_t *in1, + const uint8_t *in2, + const uint8_t *in3, + size_t inlen); -void PQCLEAN_KYBER1024_AVX2_shake256x4(uint8_t *out0, uint8_t *out1, uint8_t *out2, uint8_t *out3, size_t outlen, const uint8_t *in0, const uint8_t *in1, const uint8_t *in2, const uint8_t *in3, size_t inlen); +void PQCLEAN_KYBER1024_AVX2_shake256x4_squeezeblocks(uint8_t *out0, + uint8_t *out1, + uint8_t *out2, + uint8_t *out3, + size_t nblocks, + keccakx4_state *state); + +void PQCLEAN_KYBER1024_AVX2_shake128x4(uint8_t *out0, + uint8_t *out1, + uint8_t *out2, + uint8_t *out3, + size_t outlen, + const uint8_t *in0, + const uint8_t *in1, + const uint8_t *in2, + const uint8_t *in3, + 
size_t inlen); + +void PQCLEAN_KYBER1024_AVX2_shake256x4(uint8_t *out0, + uint8_t *out1, + uint8_t *out2, + uint8_t *out3, + size_t outlen, + const uint8_t *in0, + const uint8_t *in1, + const uint8_t *in2, + const uint8_t *in3, + size_t inlen); #endif diff --git a/crypto_kem/kyber1024/avx2/fq.S b/crypto_kem/kyber1024/avx2/fq.S index 1fba2bcd..3a039784 100644 --- a/crypto_kem/kyber1024/avx2/fq.S +++ b/crypto_kem/kyber1024/avx2/fq.S @@ -1,4 +1,4 @@ -#include "cdecl.inc" +#include "cdecl.h" .include "fq.inc" .text @@ -35,7 +35,9 @@ vmovdqa %ymm9,224(%rdi) ret .global cdecl(PQCLEAN_KYBER1024_AVX2_reduce_avx) +.global _cdecl(PQCLEAN_KYBER1024_AVX2_reduce_avx) cdecl(PQCLEAN_KYBER1024_AVX2_reduce_avx): +_cdecl(PQCLEAN_KYBER1024_AVX2_reduce_avx): #consts vmovdqa _16XQ*2(%rsi),%ymm0 vmovdqa _16XV*2(%rsi),%ymm1 @@ -77,7 +79,9 @@ vmovdqa %ymm8,224(%rdi) ret .global cdecl(PQCLEAN_KYBER1024_AVX2_csubq_avx) +.global _cdecl(PQCLEAN_KYBER1024_AVX2_csubq_avx) cdecl(PQCLEAN_KYBER1024_AVX2_csubq_avx): +_cdecl(PQCLEAN_KYBER1024_AVX2_csubq_avx): #consts vmovdqa _16XQ*2(%rsi),%ymm0 call csubq128_avx @@ -118,7 +122,9 @@ vmovdqa %ymm10,224(%rdi) ret .global cdecl(PQCLEAN_KYBER1024_AVX2_tomont_avx) +.global _cdecl(PQCLEAN_KYBER1024_AVX2_tomont_avx) cdecl(PQCLEAN_KYBER1024_AVX2_tomont_avx): +_cdecl(PQCLEAN_KYBER1024_AVX2_tomont_avx): #consts vmovdqa _16XQ*2(%rsi),%ymm0 vmovdqa _16XMONTSQLO*2(%rsi),%ymm1 diff --git a/crypto_kem/kyber1024/avx2/indcpa.c b/crypto_kem/kyber1024/avx2/indcpa.c index 0ec35809..4b49bdaf 100644 --- a/crypto_kem/kyber1024/avx2/indcpa.c +++ b/crypto_kem/kyber1024/avx2/indcpa.c @@ -25,7 +25,7 @@ static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES], polyvec *pk, const uint8_t seed[KYBER_SYMBYTES]) { - size_t i = 0; + size_t i; PQCLEAN_KYBER1024_AVX2_polyvec_tobytes(r, pk); for (i = 0; i < KYBER_SYMBYTES; i++) { r[i + KYBER_POLYVECBYTES] = seed[i]; 
@@ -45,7 +45,7 @@ static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES], static void unpack_pk(polyvec *pk, uint8_t seed[KYBER_SYMBYTES], const uint8_t packedpk[KYBER_INDCPA_PUBLICKEYBYTES]) { - size_t i = 0; + size_t i; PQCLEAN_KYBER1024_AVX2_polyvec_frombytes(pk, packedpk); for (i = 0; i < KYBER_SYMBYTES; i++) { seed[i] = packedpk[i + KYBER_POLYVECBYTES]; @@ -133,8 +133,8 @@ static unsigned int rej_uniform(int16_t *r, unsigned int len, const uint8_t *buf, unsigned int buflen) { - unsigned int ctr = 0, pos = 0; - uint16_t val = 0; + unsigned int ctr, pos; + uint16_t val; ctr = pos = 0; while (ctr < len && pos + 2 <= buflen) { @@ -168,7 +168,7 @@ static unsigned int rej_uniform(int16_t *r, #define GEN_MATRIX_NBLOCKS ((2*KYBER_N*(1U << 16)/(19*KYBER_Q) \ + XOF_BLOCKBYTES)/XOF_BLOCKBYTES) void PQCLEAN_KYBER1024_AVX2_gen_matrix(polyvec *a, const uint8_t seed[32], int transposed) { - unsigned int i = 0, ctr0 = 0, ctr1 = 0, ctr2 = 0, ctr3 = 0; + unsigned int i, ctr0, ctr1, ctr2, ctr3; ALIGN32_ARRAY_2D(uint8_t, 4, (GEN_MATRIX_NBLOCKS * XOF_BLOCKBYTES + 31) / 32 * 32) buf; __m256i f; keccakx4_state state; @@ -242,7 +242,7 @@ void PQCLEAN_KYBER1024_AVX2_gen_matrix(polyvec *a, const uint8_t seed[32], int t **************************************************/ void PQCLEAN_KYBER1024_AVX2_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]) { - unsigned int i = 0; + unsigned int i; ALIGN32_ARRAY(uint8_t, 2 * KYBER_SYMBYTES) buf; const uint8_t *publicseed = buf.arr; const uint8_t *noiseseed = buf.arr + KYBER_SYMBYTES; @@ -295,7 +295,7 @@ void PQCLEAN_KYBER1024_AVX2_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], const uint8_t m[KYBER_INDCPA_MSGBYTES], const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], const uint8_t coins[KYBER_SYMBYTES]) { - unsigned int i = 0; + unsigned int i; ALIGN32_ARRAY(uint8_t, KYBER_SYMBYTES) seed; polyvec sp, pkpv, ep, at[KYBER_K], bp; poly v, k, epp; 
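Review bot: In gen_matrix the per-row size of `buf` is `(GEN_MATRIX_NBLOCKS * XOF_BLOCKBYTES + 31) / 32 * 32`, while `PQCLEAN_KYBER1024_AVX2_rej_uniform_avx` (rejsample.c) reads a fixed 672 bytes (`REJ_UNIFORM_BUFLEN`) from each row; assuming XOF_BLOCKBYTES is SHAKE128's 168-byte rate the formula evaluates to 4 blocks = 672, so the two agree only by arithmetic and nothing in the code ties them together — a change to the parameter formula or the XOF would turn the sampler into an out-of-bounds read of a stack buffer. A compile-time guard next to the macro would make the coupling explicit, e.g. `#if GEN_MATRIX_NBLOCKS * XOF_BLOCKBYTES < 672` / `#error "gen_matrix buffer smaller than rej_uniform_avx input"` / `#endif` (ideally with `REJ_UNIFORM_BUFLEN` exported from rejsample.h instead of the literal). The initialisers dropped from `ctr0..ctr3` are presumably replaced by assignments from the sampler, but those lie outside the hunk, so every-path initialisation cannot be confirmed from here. gen_matrix, indcpa_keypair and indcpa_enc all start or end outside the hunk.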
diff --git a/crypto_kem/kyber1024/avx2/indcpa.h b/crypto_kem/kyber1024/avx2/indcpa.h index 1f9b9604..89105584 100644 --- a/crypto_kem/kyber1024/avx2/indcpa.h +++ b/crypto_kem/kyber1024/avx2/indcpa.h @@ -1,16 +1,20 @@ #ifndef PQCLEAN_KYBER1024_AVX2_INDCPA_H #define PQCLEAN_KYBER1024_AVX2_INDCPA_H - #include "params.h" #include "polyvec.h" #include void PQCLEAN_KYBER1024_AVX2_gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed); +void PQCLEAN_KYBER1024_AVX2_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], + uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); -void PQCLEAN_KYBER1024_AVX2_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); +void PQCLEAN_KYBER1024_AVX2_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], + const uint8_t m[KYBER_INDCPA_MSGBYTES], + const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], + const uint8_t coins[KYBER_SYMBYTES]); -void PQCLEAN_KYBER1024_AVX2_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], const uint8_t m[KYBER_INDCPA_MSGBYTES], const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], const uint8_t coins[KYBER_SYMBYTES]); - -void PQCLEAN_KYBER1024_AVX2_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES], const uint8_t c[KYBER_INDCPA_BYTES], const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); +void PQCLEAN_KYBER1024_AVX2_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES], + const uint8_t c[KYBER_INDCPA_BYTES], + const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); #endif diff --git a/crypto_kem/kyber1024/avx2/invntt.S b/crypto_kem/kyber1024/avx2/invntt.S index 0715e88c..d6fe8915 100644 --- a/crypto_kem/kyber1024/avx2/invntt.S +++ b/crypto_kem/kyber1024/avx2/invntt.S @@ -1,4 +1,4 @@ -#include "cdecl.inc" +#include "cdecl.h" .include "shuffle.inc" .include "fq.inc" 
@@ -210,7 +210,9 @@ vmovdqa %ymm7,224(%rdi) ret .global cdecl(PQCLEAN_KYBER1024_AVX2_invntt_avx) +.global _cdecl(PQCLEAN_KYBER1024_AVX2_invntt_avx) cdecl(PQCLEAN_KYBER1024_AVX2_invntt_avx): +_cdecl(PQCLEAN_KYBER1024_AVX2_invntt_avx): #consts vmovdqa _16XQ*2(%rsi),%ymm0 mov %rsi,%rdx diff --git a/crypto_kem/kyber1024/avx2/kem.c b/crypto_kem/kyber1024/avx2/kem.c index cca559b5..7b603b02 100644 --- a/crypto_kem/kyber1024/avx2/kem.c +++ b/crypto_kem/kyber1024/avx2/kem.c @@ -8,7 +8,6 @@ #include #include - /************************************************* * Name: PQCLEAN_KYBER1024_AVX2_crypto_kem_keypair * @@ -23,7 +22,7 @@ * Returns 0 (success) **************************************************/ int PQCLEAN_KYBER1024_AVX2_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) { - size_t i = 0; + size_t i; PQCLEAN_KYBER1024_AVX2_indcpa_keypair(pk, sk); for (i = 0; i < KYBER_INDCPA_PUBLICKEYBYTES; i++) { sk[i + KYBER_INDCPA_SECRETKEYBYTES] = pk[i]; @@ -94,8 +93,8 @@ int PQCLEAN_KYBER1024_AVX2_crypto_kem_enc(unsigned char *ct, int PQCLEAN_KYBER1024_AVX2_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) { - size_t i = 0; - int fail = 0; + size_t i; + int fail; ALIGN32_ARRAY(uint8_t, 2 * KYBER_SYMBYTES) buf; /* Will contain key, coins */ ALIGN32_ARRAY(uint8_t, 2 * KYBER_SYMBYTES) kr; @@ -119,7 +118,7 @@ int PQCLEAN_KYBER1024_AVX2_crypto_kem_dec(unsigned char *ss, hash_h(kr.arr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); /* Overwrite pre-k with z on re-encryption failure */ - PQCLEAN_KYBER1024_AVX2_cmov(kr.arr, sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES, fail); + PQCLEAN_KYBER1024_AVX2_cmov(kr.arr, sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES, (uint8_t)fail); /* hash concatenation of pre-k and H(c) to k */ kdf(ss, kr.arr, 2 * KYBER_SYMBYTES); diff --git a/crypto_kem/kyber1024/avx2/kem.h b/crypto_kem/kyber1024/avx2/kem.h index 35a3c39c..f45343af 100644 --- a/crypto_kem/kyber1024/avx2/kem.h 
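Review bot: The new `(uint8_t)fail` cast in crypto_kem_dec silently truncates, while cmov's contract (the sibling clean verify.c documents `b` as "has to be in {0,1}") needs exactly 0 or 1 — any other value makes `b = -b` a mask that is neither all-zeros nor all-ones, and the shared secret would become a byte-wise mix of `z` and the pre-key. Today `fail` is assigned from verify(), which returns 0 or 1, so this is a robustness point rather than a live bug: either normalise at the call, `PQCLEAN_KYBER1024_AVX2_cmov(kr.arr, sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES, (uint8_t)(fail != 0));`, or add `/* fail is exactly 0 or 1 from verify(); cmov requires that */` above it. The `int fail;` declaration also lost its initialiser and the assignment from verify() is outside this hunk, so the hunk alone cannot show it is set on every path. Note that `buf` (coins) and `kr` (pre-key) are not scrubbed before return; that matches the rest of the library but deserves a comment for anyone hardening this build. crypto_kem_dec starts before and ends after the hunk.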
+++ b/crypto_kem/kyber1024/avx2/kem.h @@ -1,17 +1,14 @@ #ifndef PQCLEAN_KYBER1024_AVX2_KEM_H #define PQCLEAN_KYBER1024_AVX2_KEM_H - #include "params.h" int PQCLEAN_KYBER1024_AVX2_crypto_kem_keypair(unsigned char *pk, unsigned char *sk); - int PQCLEAN_KYBER1024_AVX2_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk); - int PQCLEAN_KYBER1024_AVX2_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk); diff --git a/crypto_kem/kyber1024/avx2/ntt.S b/crypto_kem/kyber1024/avx2/ntt.S index 9cc14c03..79259edb 100644 --- a/crypto_kem/kyber1024/avx2/ntt.S +++ b/crypto_kem/kyber1024/avx2/ntt.S @@ -1,4 +1,4 @@ -#include "cdecl.inc" +#include "cdecl.h" .include "shuffle.inc" .include "fq.inc" @@ -203,7 +203,9 @@ vmovdqa %ymm11,224(%rdi) ret .global cdecl(PQCLEAN_KYBER1024_AVX2_ntt_avx) +.global _cdecl(PQCLEAN_KYBER1024_AVX2_ntt_avx) cdecl(PQCLEAN_KYBER1024_AVX2_ntt_avx): +_cdecl(PQCLEAN_KYBER1024_AVX2_ntt_avx): #consts vmovdqa _16XQ*2(%rsi),%ymm0 mov %rsi,%rdx diff --git a/crypto_kem/kyber1024/avx2/ntt.h b/crypto_kem/kyber1024/avx2/ntt.h index fb7505e6..4c36d007 100644 --- a/crypto_kem/kyber1024/avx2/ntt.h +++ b/crypto_kem/kyber1024/avx2/ntt.h 
@@ -1,28 +1,24 @@ -#ifndef NTT_H -#define NTT_H - +#ifndef PQCLEAN_KYBER1024_AVX2_NTT_H +#define PQCLEAN_KYBER1024_AVX2_NTT_H #include "consts.h" -#include "params.h" #include - void PQCLEAN_KYBER1024_AVX2_ntt_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER1024_AVX2_qdata); - void PQCLEAN_KYBER1024_AVX2_invntt_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER1024_AVX2_qdata); - -void nttpack_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER1024_AVX2_qdata); - +void PQCLEAN_KYBER1024_AVX2_nttpack_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER1024_AVX2_qdata); void PQCLEAN_KYBER1024_AVX2_nttunpack_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER1024_AVX2_qdata); - -void PQCLEAN_KYBER1024_AVX2_basemul_avx(int16_t *r, const int16_t *a, const int16_t *b, const qdata_t *PQCLEAN_KYBER1024_AVX2_qdata); - -void PQCLEAN_KYBER1024_AVX2_basemul_acc_avx(int16_t *r, const int16_t *a, const int16_t *b, const qdata_t *PQCLEAN_KYBER1024_AVX2_qdata); - +void PQCLEAN_KYBER1024_AVX2_basemul_avx(int16_t *r, + const int16_t *a, + const int16_t *b, + const qdata_t *PQCLEAN_KYBER1024_AVX2_qdata); +void PQCLEAN_KYBER1024_AVX2_basemul_acc_avx(int16_t *r, + const int16_t *a, + const int16_t *b, + const qdata_t *PQCLEAN_KYBER1024_AVX2_qdata); void PQCLEAN_KYBER1024_AVX2_ntttobytes_avx(uint8_t *r, const int16_t *a, const qdata_t *PQCLEAN_KYBER1024_AVX2_qdata); - void PQCLEAN_KYBER1024_AVX2_nttfrombytes_avx(int16_t *r, const uint8_t *a, const qdata_t *PQCLEAN_KYBER1024_AVX2_qdata); #endif diff --git a/crypto_kem/kyber1024/avx2/params.h b/crypto_kem/kyber1024/avx2/params.h index bfaecb40..3484cabd 100644 --- a/crypto_kem/kyber1024/avx2/params.h +++ b/crypto_kem/kyber1024/avx2/params.h @@ -1,6 +1,9 @@ #ifndef PQCLEAN_KYBER1024_AVX2_PARAMS_H #define PQCLEAN_KYBER1024_AVX2_PARAMS_H + + + #define KYBER_N 256 #define KYBER_Q 3329 diff --git a/crypto_kem/kyber1024/avx2/poly.c b/crypto_kem/kyber1024/avx2/poly.c index 028f303d..b50d0482 100644 --- a/crypto_kem/kyber1024/avx2/poly.c +++ b/crypto_kem/kyber1024/avx2/poly.c 
@@ -19,7 +19,7 @@ * - poly *a: pointer to input polynomial **************************************************/ void PQCLEAN_KYBER1024_AVX2_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], poly *restrict a) { - unsigned int i = 0, j = 0; + unsigned int i, j; uint8_t t[8]; PQCLEAN_KYBER1024_AVX2_poly_csubq(a); @@ -50,9 +50,9 @@ void PQCLEAN_KYBER1024_AVX2_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], **************************************************/ void PQCLEAN_KYBER1024_AVX2_poly_decompress(poly *restrict r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]) { - unsigned int i = 0; + unsigned int i; - unsigned int j = 0; + unsigned int j; uint8_t t[8]; for (i = 0; i < KYBER_N / 8; i++) { t[0] = (a[0] >> 0); @@ -114,7 +114,7 @@ void PQCLEAN_KYBER1024_AVX2_poly_frommsg(poly *restrict r, const __m256i hqs = _mm256_set1_epi16((KYBER_Q + 1) / 2); #define FROMMSG64(i) \ - g3 = _mm256_shuffle_epi32(f,0x55*(i)); \ + g3 = _mm256_shuffle_epi32(f,0x55*(i)); \ g3 = _mm256_sllv_epi32(g3,shift); \ g3 = _mm256_shuffle_epi8(g3,idx); \ g0 = _mm256_slli_epi16(g3,12); \ @@ -136,9 +136,9 @@ void PQCLEAN_KYBER1024_AVX2_poly_frommsg(poly *restrict r, g2 = _mm256_permute2x128_si256(h0,h1,0x31); \ g1 = _mm256_permute2x128_si256(h2,h3,0x20); \ g3 = _mm256_permute2x128_si256(h2,h3,0x31); \ - _mm256_store_si256((__m256i *)&r->coeffs[ 0+32*(i)+ 0],g0); \ - _mm256_store_si256((__m256i *)&r->coeffs[ 0+32*(i)+16],g1); \ - _mm256_store_si256((__m256i *)&r->coeffs[128+32*(i)+ 0],g2); \ + _mm256_store_si256((__m256i *)&r->coeffs[ 0+32*(i)+ 0],g0); \ + _mm256_store_si256((__m256i *)&r->coeffs[ 0+32*(i)+16],g1); \ + _mm256_store_si256((__m256i *)&r->coeffs[128+32*(i)+ 0],g2); \ _mm256_store_si256((__m256i *)&r->coeffs[128+32*(i)+16],g3) f = _mm256_load_si256((__m256i *)msg); 
@@ -157,8 +157,8 @@ void PQCLEAN_KYBER1024_AVX2_poly_frommsg(poly *restrict r, * - poly *a: pointer to input polynomial **************************************************/ void PQCLEAN_KYBER1024_AVX2_poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], poly *restrict a) { - unsigned int i = 0; - uint32_t small = 0; + unsigned int i; + uint32_t small; __m256i f0, f1, g0, g1; const __m256i hqs = _mm256_set1_epi16((KYBER_Q - 1) / 2); const __m256i hhqs = _mm256_set1_epi16((KYBER_Q - 5) / 4); @@ -325,7 +325,7 @@ void PQCLEAN_KYBER1024_AVX2_poly_csubq(poly *r) { * - const poly *b: pointer to second input polynomial **************************************************/ void PQCLEAN_KYBER1024_AVX2_poly_add(poly *r, const poly *a, const poly *b) { - unsigned int i = 0; + unsigned int i; __m256i f0, f1; for (i = 0; i < KYBER_N; i += 16) { @@ -346,7 +346,7 @@ void PQCLEAN_KYBER1024_AVX2_poly_add(poly *r, const poly *a, const poly *b) { * - const poly *b: pointer to second input polynomial **************************************************/ void PQCLEAN_KYBER1024_AVX2_poly_sub(poly *r, const poly *a, const poly *b) { - unsigned int i = 0; + unsigned int i; __m256i f0, f1; for (i = 0; i < KYBER_N; i += 16) { diff --git a/crypto_kem/kyber1024/avx2/poly.h b/crypto_kem/kyber1024/avx2/poly.h index b2c7000d..e6cd4c65 100644 --- a/crypto_kem/kyber1024/avx2/poly.h +++ b/crypto_kem/kyber1024/avx2/poly.h @@ -1,6 +1,5 @@ #ifndef PQCLEAN_KYBER1024_AVX2_POLY_H #define PQCLEAN_KYBER1024_AVX2_POLY_H - #include "params.h" #include #include 
@@ -14,24 +13,16 @@ typedef union { int16_t coeffs[KYBER_N]; } poly; - void PQCLEAN_KYBER1024_AVX2_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], poly *a); - void PQCLEAN_KYBER1024_AVX2_poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]); - void PQCLEAN_KYBER1024_AVX2_poly_tobytes(uint8_t r[KYBER_POLYBYTES], poly *a); - void PQCLEAN_KYBER1024_AVX2_poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]); - void PQCLEAN_KYBER1024_AVX2_poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]); - void PQCLEAN_KYBER1024_AVX2_poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], poly *a); - void PQCLEAN_KYBER1024_AVX2_poly_getnoise(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce); - void PQCLEAN_KYBER1024_AVX2_poly_getnoise4x(poly *r0, poly *r1, poly *r2, @@ -42,25 +33,16 @@ void PQCLEAN_KYBER1024_AVX2_poly_getnoise4x(poly *r0, uint8_t nonce2, uint8_t nonce3); - void PQCLEAN_KYBER1024_AVX2_poly_ntt(poly *r); - void PQCLEAN_KYBER1024_AVX2_poly_invntt_tomont(poly *r); - void PQCLEAN_KYBER1024_AVX2_poly_nttunpack(poly *r); - void PQCLEAN_KYBER1024_AVX2_poly_basemul_montgomery(poly *r, const poly *a, const poly *b); - void PQCLEAN_KYBER1024_AVX2_poly_tomont(poly *r); - void PQCLEAN_KYBER1024_AVX2_poly_reduce(poly *r); - void PQCLEAN_KYBER1024_AVX2_poly_csubq(poly *r); - void PQCLEAN_KYBER1024_AVX2_poly_add(poly *r, const poly *a, const poly *b); - void PQCLEAN_KYBER1024_AVX2_poly_sub(poly *r, const poly *a, const poly *b); #endif diff --git a/crypto_kem/kyber1024/avx2/polyvec.c b/crypto_kem/kyber1024/avx2/polyvec.c index 8710f90b..83dc277c 100644 --- a/crypto_kem/kyber1024/avx2/polyvec.c +++ b/crypto_kem/kyber1024/avx2/polyvec.c @@ -1,6 +1,6 @@ -#include "params.h" #include "consts.h" #include "ntt.h" +#include "params.h" #include "poly.h" #include "polyvec.h" #include 
@@ -16,7 +16,7 @@ **************************************************/ void PQCLEAN_KYBER1024_AVX2_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], polyvec *restrict a) { - unsigned int i = 0, j = 0, k = 0; + size_t i, j, k; PQCLEAN_KYBER1024_AVX2_polyvec_csubq(a); @@ -24,10 +24,8 @@ void PQCLEAN_KYBER1024_AVX2_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBY for (i = 0; i < KYBER_K; i++) { for (j = 0; j < KYBER_N / 8; j++) { for (k = 0; k < 8; k++) { - { - t[k] = ((((uint32_t)a->vec[i].coeffs[8 * j + k] << 11) + KYBER_Q / 2) - / KYBER_Q) & 0x7ff; - } + t[k] = ((((uint32_t)a->vec[i].coeffs[8 * j + k] << 11) + KYBER_Q / 2) + / KYBER_Q) & 0x7ff; } r[ 0] = (t[0] >> 0); @@ -58,7 +56,7 @@ void PQCLEAN_KYBER1024_AVX2_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBY **************************************************/ void PQCLEAN_KYBER1024_AVX2_polyvec_decompress(polyvec *restrict r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]) { - unsigned int i = 0, j = 0, k = 0; + size_t i, j, k; uint16_t t[8]; for (i = 0; i < KYBER_K; i++) { @@ -90,7 +88,7 @@ void PQCLEAN_KYBER1024_AVX2_polyvec_decompress(polyvec *restrict r, * - polyvec *a: pointer to input vector of polynomials **************************************************/ void PQCLEAN_KYBER1024_AVX2_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], polyvec *a) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER1024_AVX2_poly_tobytes(r + i * KYBER_POLYBYTES, &a->vec[i]); } @@ -107,7 +105,7 @@ void PQCLEAN_KYBER1024_AVX2_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], polyv * (of length KYBER_POLYVECBYTES) **************************************************/ void PQCLEAN_KYBER1024_AVX2_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER1024_AVX2_poly_frombytes(&r->vec[i], a + i * KYBER_POLYBYTES); } 
@@ -121,7 +119,7 @@ void PQCLEAN_KYBER1024_AVX2_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_ * Arguments: - polyvec *r: pointer to in/output vector of polynomials **************************************************/ void PQCLEAN_KYBER1024_AVX2_polyvec_ntt(polyvec *r) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER1024_AVX2_poly_ntt(&r->vec[i]); } @@ -136,7 +134,7 @@ void PQCLEAN_KYBER1024_AVX2_polyvec_ntt(polyvec *r) { * Arguments: - polyvec *r: pointer to in/output vector of polynomials **************************************************/ void PQCLEAN_KYBER1024_AVX2_polyvec_invntt_tomont(polyvec *r) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER1024_AVX2_poly_invntt_tomont(&r->vec[i]); } @@ -155,7 +153,7 @@ void PQCLEAN_KYBER1024_AVX2_polyvec_invntt_tomont(polyvec *r) { void PQCLEAN_KYBER1024_AVX2_polyvec_pointwise_acc_montgomery(poly *r, const polyvec *a, const polyvec *b) { - PQCLEAN_KYBER1024_AVX2_basemul_acc_avx(r->coeffs, a->vec->coeffs, b->vec->coeffs, &PQCLEAN_KYBER1024_AVX2_qdata); + PQCLEAN_KYBER1024_AVX2_basemul_acc_avx(r->coeffs, a->vec->coeffs, b->vec->coeffs, & PQCLEAN_KYBER1024_AVX2_qdata); } /************************************************* @@ -168,7 +166,7 @@ void PQCLEAN_KYBER1024_AVX2_polyvec_pointwise_acc_montgomery(poly *r, * Arguments: - poly *r: pointer to input/output polynomial **************************************************/ void PQCLEAN_KYBER1024_AVX2_polyvec_reduce(polyvec *r) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER1024_AVX2_poly_reduce(&r->vec[i]); } @@ -185,7 +183,7 @@ void PQCLEAN_KYBER1024_AVX2_polyvec_reduce(polyvec *r) { * Arguments: - poly *r: pointer to input/output polynomial **************************************************/ void PQCLEAN_KYBER1024_AVX2_polyvec_csubq(polyvec *r) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER1024_AVX2_poly_csubq(&r->vec[i]); } 
@@ -201,7 +199,7 @@ void PQCLEAN_KYBER1024_AVX2_polyvec_csubq(polyvec *r) { * - const polyvec *b: pointer to second input vector of polynomials **************************************************/ void PQCLEAN_KYBER1024_AVX2_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER1024_AVX2_poly_add(&r->vec[i], &a->vec[i], &b->vec[i]); } diff --git a/crypto_kem/kyber1024/avx2/polyvec.h b/crypto_kem/kyber1024/avx2/polyvec.h index 981b8a7e..189226aa 100644 --- a/crypto_kem/kyber1024/avx2/polyvec.h +++ b/crypto_kem/kyber1024/avx2/polyvec.h @@ -1,6 +1,5 @@ #ifndef PQCLEAN_KYBER1024_AVX2_POLYVEC_H #define PQCLEAN_KYBER1024_AVX2_POLYVEC_H - #include "params.h" #include "poly.h" #include @@ -9,33 +8,23 @@ typedef struct { poly vec[KYBER_K]; } polyvec; - void PQCLEAN_KYBER1024_AVX2_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], polyvec *a); - void PQCLEAN_KYBER1024_AVX2_polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]); - void PQCLEAN_KYBER1024_AVX2_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], polyvec *a); - void PQCLEAN_KYBER1024_AVX2_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]); - void PQCLEAN_KYBER1024_AVX2_polyvec_ntt(polyvec *r); - void PQCLEAN_KYBER1024_AVX2_polyvec_invntt_tomont(polyvec *r); - void PQCLEAN_KYBER1024_AVX2_polyvec_pointwise_acc_montgomery(poly *r, const polyvec *a, const polyvec *b); - void PQCLEAN_KYBER1024_AVX2_polyvec_reduce(polyvec *r); - void PQCLEAN_KYBER1024_AVX2_polyvec_csubq(polyvec *r); - void PQCLEAN_KYBER1024_AVX2_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b); #endif diff --git a/crypto_kem/kyber1024/avx2/reduce.h b/crypto_kem/kyber1024/avx2/reduce.h index 9daf9b7a..03a47704 100644 --- a/crypto_kem/kyber1024/avx2/reduce.h +++ b/crypto_kem/kyber1024/avx2/reduce.h 
@@ -1,16 +1,10 @@ -#ifndef REDUCE_H -#define REDUCE_H - +#ifndef PQCLEAN_KYBER1024_AVX2_REDUCE_H +#define PQCLEAN_KYBER1024_AVX2_REDUCE_H +#include "consts.h" #include -#include "consts.h" -#include "params.h" - - int16_t PQCLEAN_KYBER1024_AVX2_reduce_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER1024_AVX2_qdata); - int16_t PQCLEAN_KYBER1024_AVX2_csubq_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER1024_AVX2_qdata); - int16_t PQCLEAN_KYBER1024_AVX2_tomont_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER1024_AVX2_qdata); #endif diff --git a/crypto_kem/kyber1024/avx2/rejsample.c b/crypto_kem/kyber1024/avx2/rejsample.c index b091901a..4938b245 100644 --- a/crypto_kem/kyber1024/avx2/rejsample.c +++ b/crypto_kem/kyber1024/avx2/rejsample.c @@ -2,6 +2,7 @@ #include "consts.h" #include "params.h" #include "rejsample.h" +#include #include static const ALIGN32_ARRAY_2D(uint8_t, 256, 8) idx = {.arr = { @@ -270,9 +271,9 @@ static const ALIGN32_ARRAY_2D(uint8_t, 256, 8) idx = {.arr = { #define REJ_UNIFORM_BUFLEN 672 unsigned int PQCLEAN_KYBER1024_AVX2_rej_uniform_avx(int16_t *restrict r, const uint8_t *restrict buf) { - unsigned int ctr = 0, pos = 0; - uint16_t val = 0; - uint32_t good = 0; + unsigned int ctr, pos; + uint16_t val; + uint32_t good; const __m256i bound = _mm256_set1_epi16((int16_t)(19 * KYBER_Q - 1)); const __m256i ones = _mm256_set1_epi8(1); const __m256i kyberq = _mm256_load_si256((__m256i *)&PQCLEAN_KYBER1024_AVX2_qdata.as_arr[_16XQ]); @@ -297,7 +298,7 @@ unsigned int PQCLEAN_KYBER1024_AVX2_rej_uniform_avx(int16_t *restrict r, g1 = _mm256_inserti128_si256(g1, _mm_loadl_epi64((__m128i *)&idx.arr[(good >> 24) & 0xFF]), 1); //g0 = _mm256_cvtepu8_epi64(_mm_loadl_epi64((__m128i *)&good)); - //g1 = _mm256_i64gather_epi64((long long *)idx, g0, 8); + //g1 = _mm256_i64gather_epi64((long long *)idx.arr, g0, 8); /* Barrett reduction of (still unsigned) values */ g2 = _mm256_mulhi_epu16(f0, v); 
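Review bot: The commented-out gather variant in PQCLEAN_KYBER1024_AVX2_rej_uniform_avx is now being maintained alongside the live code (the `//g1 = _mm256_i64gather_epi64(...)` line is updated from `idx` to `idx.arr`), which is the usual sign that it should be deleted: dead code that must track the real implementation is a maintenance hazard in a sampler whose control flow is meant to be data-independent. Remove the two `//g0`/`//g1` lines, or if the gather form is kept as a reference, say why in one comment above them, e.g. `/* gather-based alternative, kept for reference; not used */`. The same hunk drops the initializers of `ctr` and `pos`; the assignment that replaces them is outside the hunk, so I assume a `ctr = pos = 0;` follows as in the clean rej_uniform.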
diff --git a/crypto_kem/kyber1024/avx2/rejsample.h b/crypto_kem/kyber1024/avx2/rejsample.h index b4cf4d74..3c3f3aeb 100644 --- a/crypto_kem/kyber1024/avx2/rejsample.h +++ b/crypto_kem/kyber1024/avx2/rejsample.h @@ -1,10 +1,8 @@ -#ifndef REJSAMPLE_H -#define REJSAMPLE_H - +#ifndef PQCLEAN_KYBER1024_AVX2_REJSAMPLE_H +#define PQCLEAN_KYBER1024_AVX2_REJSAMPLE_H #include "params.h" #include - unsigned int PQCLEAN_KYBER1024_AVX2_rej_uniform_avx(int16_t *r, const unsigned char *buf); diff --git a/crypto_kem/kyber1024/avx2/shuffle.S b/crypto_kem/kyber1024/avx2/shuffle.S index 4224fd85..d706ccc1 100644 --- a/crypto_kem/kyber1024/avx2/shuffle.S +++ b/crypto_kem/kyber1024/avx2/shuffle.S @@ -1,4 +1,4 @@ -#include "cdecl.inc" +#include "cdecl.h" .include "fq.inc" .include "shuffle.inc" @@ -92,7 +92,9 @@ vmovdqa %ymm11,224(%rdi) ret .global cdecl(PQCLEAN_KYBER1024_AVX2_nttunpack_avx) +.global _cdecl(PQCLEAN_KYBER1024_AVX2_nttunpack_avx) cdecl(PQCLEAN_KYBER1024_AVX2_nttunpack_avx): +_cdecl(PQCLEAN_KYBER1024_AVX2_nttunpack_avx): call nttunpack128_avx add $256,%rdi call nttunpack128_avx @@ -169,7 +171,9 @@ vmovdqu %ymm9,160(%rdi) ret .global cdecl(PQCLEAN_KYBER1024_AVX2_ntttobytes_avx) +.global _cdecl(PQCLEAN_KYBER1024_AVX2_ntttobytes_avx) cdecl(PQCLEAN_KYBER1024_AVX2_ntttobytes_avx): +_cdecl(PQCLEAN_KYBER1024_AVX2_ntttobytes_avx): #consts vmovdqa _16XQ*2(%rdx),%ymm0 call ntttobytes128_avx @@ -245,7 +249,9 @@ vmovdqa %ymm1,224(%rdi) ret .global cdecl(PQCLEAN_KYBER1024_AVX2_nttfrombytes_avx) +.global _cdecl(PQCLEAN_KYBER1024_AVX2_nttfrombytes_avx) cdecl(PQCLEAN_KYBER1024_AVX2_nttfrombytes_avx): +_cdecl(PQCLEAN_KYBER1024_AVX2_nttfrombytes_avx): #consts vmovdqa _16XMASK*2(%rdx),%ymm0 call nttfrombytes128_avx diff --git a/crypto_kem/kyber1024/avx2/symmetric-shake.c b/crypto_kem/kyber1024/avx2/symmetric-shake.c index 0a7ae70a..c7c4cd5a 100644 --- a/crypto_kem/kyber1024/avx2/symmetric-shake.c +++ b/crypto_kem/kyber1024/avx2/symmetric-shake.c 
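Review bot: The new `.global _cdecl(...)` directives and `_cdecl(...):` labels are emitted unconditionally next to the existing `cdecl(...)` ones, so every routine in shuffle.S now exports two symbols on every platform; presumably `cdecl.h` (not in this diff) maps one spelling to the underscore-prefixed Darwin name and the other to the plain ELF name, leaving the unused spelling as a spurious global on the other platform. That is harmless for linking but clutters the symbol table and can trip a symbol-namespace check. Either wrap the `_cdecl` pair in `#ifdef __APPLE__`, or add a comment at the top of the file, `/* both cdecl() and _cdecl() labels are emitted so the same source links on ELF and Mach-O */`, so the duplication is visibly intentional. The pattern repeats for nttunpack_avx, ntttobytes_avx and nttfrombytes_avx.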
@@ -9,8 +9,8 @@ * * Description: Absorb step of the SHAKE128 specialized for the Kyber context. * -* Arguments: - keccak_state *state: pointer to (uninitialized) output -* Keccak state +* Arguments: - xof_state *state: pointer to (uninitialized) output +* Keccak state * - const uint8_t *seed: pointer to KYBER_SYMBYTES input * to be absorbed into state * - uint8_t i additional byte of input @@ -20,7 +20,7 @@ void PQCLEAN_KYBER1024_AVX2_kyber_shake128_absorb(xof_state *state, const uint8_t seed[KYBER_SYMBYTES], uint8_t x, uint8_t y) { - unsigned int i = 0; + unsigned int i; uint8_t extseed[KYBER_SYMBYTES + 2]; for (i = 0; i < KYBER_SYMBYTES; i++) { @@ -48,7 +48,7 @@ void PQCLEAN_KYBER1024_AVX2_kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYMBYTES], uint8_t nonce) { - unsigned int i = 0; + unsigned int i; uint8_t extkey[KYBER_SYMBYTES + 1]; for (i = 0; i < KYBER_SYMBYTES; i++) { diff --git a/crypto_kem/kyber1024/avx2/symmetric.h b/crypto_kem/kyber1024/avx2/symmetric.h index 31fb92c7..c7b1c5de 100644 --- a/crypto_kem/kyber1024/avx2/symmetric.h +++ b/crypto_kem/kyber1024/avx2/symmetric.h @@ -1,17 +1,16 @@ -#ifndef SYMMETRIC_H -#define SYMMETRIC_H - +#ifndef PQCLEAN_KYBER1024_AVX2_SYMMETRIC_H +#define PQCLEAN_KYBER1024_AVX2_SYMMETRIC_H +#include "fips202.h" +#include "fips202x4.h" #include "params.h" #include #include -#include "fips202.h" -#include "fips202x4.h" typedef shake128ctx xof_state; -void PQCLEAN_KYBER1024_AVX2_kyber_shake128_absorb(shake128ctx *s, +void PQCLEAN_KYBER1024_AVX2_kyber_shake128_absorb(xof_state *s, const uint8_t seed[KYBER_SYMBYTES], uint8_t x, uint8_t y); diff --git a/crypto_kem/kyber1024/avx2/verify.c b/crypto_kem/kyber1024/avx2/verify.c index 50569a32..5ec705f0 100644 --- a/crypto_kem/kyber1024/avx2/verify.c +++ b/crypto_kem/kyber1024/avx2/verify.c 
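Review bot: The argument list in the header comment of PQCLEAN_KYBER1024_AVX2_kyber_shake128_absorb is still wrong after this touch-up: it documents `uint8_t i additional byte of input` while the function takes `uint8_t x, uint8_t y`, two bytes, and sizes its buffer as `extseed[KYBER_SYMBYTES + 2]`. Since the hunk already rewrites this comment (keccak_state to xof_state), finish the job: `* - uint8_t x: first extra byte appended to the seed` and `* - uint8_t y: second extra byte appended to the seed`. The stores of x and y into extseed are outside the hunk, so the "appended" wording is inferred from the buffer size.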
@@ -15,8 +15,8 @@ * Returns 0 if the byte arrays are equal, 1 otherwise **************************************************/ int PQCLEAN_KYBER1024_AVX2_verify(const uint8_t *a, const uint8_t *b, size_t len) { - size_t pos = 0; - uint64_t r = 0; + size_t pos; + uint64_t r; __m256i avec, bvec, cvec; cvec = _mm256_setzero_si256(); @@ -53,7 +53,7 @@ int PQCLEAN_KYBER1024_AVX2_verify(const uint8_t *a, const uint8_t *b, size_t len * unsigned char b: Condition bit; has to be in {0,1} **************************************************/ void PQCLEAN_KYBER1024_AVX2_cmov(uint8_t *restrict r, const uint8_t *restrict x, size_t len, uint8_t b) { - size_t pos = 0; + size_t pos; __m256i xvec, rvec, bvec; b = -b; diff --git a/crypto_kem/kyber1024/avx2/verify.h b/crypto_kem/kyber1024/avx2/verify.h index 237328bf..001680be 100644 --- a/crypto_kem/kyber1024/avx2/verify.h +++ b/crypto_kem/kyber1024/avx2/verify.h @@ -1,14 +1,11 @@ #ifndef PQCLEAN_KYBER1024_AVX2_VERIFY_H #define PQCLEAN_KYBER1024_AVX2_VERIFY_H - #include "params.h" #include #include - int PQCLEAN_KYBER1024_AVX2_verify(const uint8_t *a, const uint8_t *b, size_t len); - void PQCLEAN_KYBER1024_AVX2_cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b); #endif diff --git a/crypto_kem/kyber1024/clean/Makefile b/crypto_kem/kyber1024/clean/Makefile index 7a5c508a..8aa87199 100644 --- a/crypto_kem/kyber1024/clean/Makefile +++ b/crypto_kem/kyber1024/clean/Makefile 
@@ -1,8 +1,8 @@ # This Makefile can be used with GNU Make or BSD Make LIB=libkyber1024_clean.a -HEADERS=api.h cbd.h indcpa.h kem.h ntt.h params.h poly.h polyvec.h reduce.h verify.h symmetric.h -OBJECTS=cbd.o indcpa.o kem.o ntt.o poly.o polyvec.o reduce.o verify.o symmetric-shake.o +HEADERS=api.h cbd.h indcpa.h kem.h ntt.h params.h poly.h polyvec.h reduce.h symmetric.h verify.h +OBJECTS=cbd.o indcpa.o kem.o ntt.o poly.o polyvec.o reduce.o symmetric-shake.o verify.o CFLAGS=-O3 -Wall -Wextra -Wpedantic -Werror -Wmissing-prototypes -Wredundant-decls -std=c99 -I../../../common $(EXTRAFLAGS) diff --git a/crypto_kem/kyber1024/clean/Makefile.Microsoft_nmake b/crypto_kem/kyber1024/clean/Makefile.Microsoft_nmake index b23e1b61..92feb67b 100644 --- a/crypto_kem/kyber1024/clean/Makefile.Microsoft_nmake +++ b/crypto_kem/kyber1024/clean/Makefile.Microsoft_nmake @@ -2,7 +2,7 @@ # nmake /f Makefile.Microsoft_nmake LIBRARY=libkyber1024_clean.lib -OBJECTS=cbd.obj indcpa.obj kem.obj ntt.obj poly.obj polyvec.obj reduce.obj verify.obj symmetric-shake.obj +OBJECTS=cbd.obj indcpa.obj kem.obj ntt.obj poly.obj polyvec.obj reduce.obj symmetric-shake.obj verify.obj # Warning C4146 is raised when a unary minus operator is applied to an # unsigned type; this has nonetheless been standard and portable for as diff --git a/crypto_kem/kyber1024/clean/api.h b/crypto_kem/kyber1024/clean/api.h index 31341e18..25c01382 100644 --- a/crypto_kem/kyber1024/clean/api.h +++ b/crypto_kem/kyber1024/clean/api.h @@ -15,5 +15,4 @@ int PQCLEAN_KYBER1024_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8 int PQCLEAN_KYBER1024_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - #endif diff --git a/crypto_kem/kyber1024/clean/cbd.c b/crypto_kem/kyber1024/clean/cbd.c index 61e0115e..51a040a4 100644 --- a/crypto_kem/kyber1024/clean/cbd.c +++ b/crypto_kem/kyber1024/clean/cbd.c 
@@ -1,5 +1,5 @@ -#include "params.h" #include "cbd.h" +#include "params.h" #include /************************************************* @@ -13,7 +13,7 @@ * Returns 32-bit unsigned integer loaded from x **************************************************/ static uint32_t load32_littleendian(const uint8_t x[4]) { - uint32_t r = 0; + uint32_t r; r = (uint32_t)x[0]; r |= (uint32_t)x[1] << 8; r |= (uint32_t)x[2] << 16; @@ -32,9 +32,9 @@ static uint32_t load32_littleendian(const uint8_t x[4]) { * - const uint8_t *buf: pointer to input byte array **************************************************/ void PQCLEAN_KYBER1024_CLEAN_cbd(poly *r, const uint8_t buf[KYBER_ETA * KYBER_N / 4]) { - unsigned int i = 0, j = 0; - uint32_t t = 0, d = 0; - int16_t a = 0, b = 0; + unsigned int i, j; + uint32_t t, d; + int16_t a, b; for (i = 0; i < KYBER_N / 8; i++) { t = load32_littleendian(buf + 4 * i); diff --git a/crypto_kem/kyber1024/clean/cbd.h b/crypto_kem/kyber1024/clean/cbd.h index 9826089e..dcc44012 100644 --- a/crypto_kem/kyber1024/clean/cbd.h +++ b/crypto_kem/kyber1024/clean/cbd.h @@ -1,11 +1,9 @@ #ifndef PQCLEAN_KYBER1024_CLEAN_CBD_H #define PQCLEAN_KYBER1024_CLEAN_CBD_H - #include "params.h" #include "poly.h" #include - void PQCLEAN_KYBER1024_CLEAN_cbd(poly *r, const uint8_t buf[KYBER_ETA * KYBER_N / 4]); #endif diff --git a/crypto_kem/kyber1024/clean/indcpa.c b/crypto_kem/kyber1024/clean/indcpa.c index d2e3758a..1d86f8d8 100644 --- a/crypto_kem/kyber1024/clean/indcpa.c +++ b/crypto_kem/kyber1024/clean/indcpa.c @@ -22,7 +22,7 @@ static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES], polyvec *pk, const uint8_t seed[KYBER_SYMBYTES]) { - size_t i = 0; + size_t i; PQCLEAN_KYBER1024_CLEAN_polyvec_tobytes(r, pk); for (i = 0; i < KYBER_SYMBYTES; i++) { r[i + KYBER_POLYVECBYTES] = seed[i]; 
@@ -44,7 +44,7 @@ static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES], static void unpack_pk(polyvec *pk, uint8_t seed[KYBER_SYMBYTES], const uint8_t packedpk[KYBER_INDCPA_PUBLICKEYBYTES]) { - size_t i = 0; + size_t i; PQCLEAN_KYBER1024_CLEAN_polyvec_frombytes(pk, packedpk); for (i = 0; i < KYBER_SYMBYTES; i++) { seed[i] = packedpk[i + KYBER_POLYVECBYTES]; @@ -132,8 +132,8 @@ static unsigned int rej_uniform(int16_t *r, unsigned int len, const uint8_t *buf, unsigned int buflen) { - unsigned int ctr = 0, pos = 0; - uint16_t val = 0; + unsigned int ctr, pos; + uint16_t val; ctr = pos = 0; while (ctr < len && pos + 2 <= buflen) { @@ -169,8 +169,7 @@ static unsigned int rej_uniform(int16_t *r, + XOF_BLOCKBYTES)/XOF_BLOCKBYTES) // Not static for benchmarking void PQCLEAN_KYBER1024_CLEAN_gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed) { - unsigned int ctr = 0; - uint8_t i = 0, j = 0; + unsigned int ctr, i, j; uint8_t buf[GEN_MATRIX_NBLOCKS * XOF_BLOCKBYTES]; xof_state state; @@ -208,7 +207,7 @@ void PQCLEAN_KYBER1024_CLEAN_gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYM **************************************************/ void PQCLEAN_KYBER1024_CLEAN_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]) { - unsigned int i = 0; + unsigned int i; uint8_t buf[2 * KYBER_SYMBYTES]; const uint8_t *publicseed = buf; const uint8_t *noiseseed = buf + KYBER_SYMBYTES; @@ -264,7 +263,7 @@ void PQCLEAN_KYBER1024_CLEAN_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], const uint8_t m[KYBER_INDCPA_MSGBYTES], const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], const uint8_t coins[KYBER_SYMBYTES]) { - unsigned int i = 0; + unsigned int i; uint8_t seed[KYBER_SYMBYTES]; uint8_t nonce = 0; polyvec sp, pkpv, ep, at[KYBER_K], bp; diff --git a/crypto_kem/kyber1024/clean/indcpa.h b/crypto_kem/kyber1024/clean/indcpa.h index c67d62dc..e4b4cff8 100644 --- a/crypto_kem/kyber1024/clean/indcpa.h 
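Review bot: gen_matrix's loop counters change type from `uint8_t` to `unsigned int` in this hunk, but they are the values handed to the XOF absorb as its `x`/`y` bytes (the absorb prototype elsewhere in this diff takes `uint8_t x, uint8_t y`), so each call now narrows implicitly; that is safe because i, j < KYBER_K, but `-Wconversion` builds will warn and a reader has to re-derive the bound. Either keep `uint8_t i, j;` for the two counters, or cast at the call site, `(uint8_t)i, (uint8_t)j`, with a comment that KYBER_K <= 4 keeps them in range. The absorb call itself is outside the hunk, so this is inferred from the matching prototype.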
+++ b/crypto_kem/kyber1024/clean/indcpa.h @@ -1,16 +1,20 @@ #ifndef PQCLEAN_KYBER1024_CLEAN_INDCPA_H #define PQCLEAN_KYBER1024_CLEAN_INDCPA_H - #include "params.h" #include "polyvec.h" #include void PQCLEAN_KYBER1024_CLEAN_gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed); +void PQCLEAN_KYBER1024_CLEAN_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], + uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); -void PQCLEAN_KYBER1024_CLEAN_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); +void PQCLEAN_KYBER1024_CLEAN_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], + const uint8_t m[KYBER_INDCPA_MSGBYTES], + const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], + const uint8_t coins[KYBER_SYMBYTES]); -void PQCLEAN_KYBER1024_CLEAN_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], const uint8_t m[KYBER_INDCPA_MSGBYTES], const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], const uint8_t coins[KYBER_SYMBYTES]); - -void PQCLEAN_KYBER1024_CLEAN_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES], const uint8_t c[KYBER_INDCPA_BYTES], const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); +void PQCLEAN_KYBER1024_CLEAN_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES], + const uint8_t c[KYBER_INDCPA_BYTES], + const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); #endif diff --git a/crypto_kem/kyber1024/clean/kem.c b/crypto_kem/kyber1024/clean/kem.c index 954ed0f3..436161df 100644 --- a/crypto_kem/kyber1024/clean/kem.c +++ b/crypto_kem/kyber1024/clean/kem.c @@ -21,7 +21,7 @@ * Returns 0 (success) **************************************************/ int PQCLEAN_KYBER1024_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) { - size_t i = 0; + size_t i; PQCLEAN_KYBER1024_CLEAN_indcpa_keypair(pk, sk); for (i = 0; i < KYBER_INDCPA_PUBLICKEYBYTES; i++) { sk[i + KYBER_INDCPA_SECRETKEYBYTES] = pk[i]; 
@@ -92,8 +92,8 @@ int PQCLEAN_KYBER1024_CLEAN_crypto_kem_enc(unsigned char *ct, int PQCLEAN_KYBER1024_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) { - size_t i = 0; - int fail = 0; + size_t i; + int fail; uint8_t buf[2 * KYBER_SYMBYTES]; /* Will contain key, coins */ uint8_t kr[2 * KYBER_SYMBYTES]; diff --git a/crypto_kem/kyber1024/clean/kem.h b/crypto_kem/kyber1024/clean/kem.h index 9160cf9d..6d5384d6 100644 --- a/crypto_kem/kyber1024/clean/kem.h +++ b/crypto_kem/kyber1024/clean/kem.h @@ -1,17 +1,14 @@ #ifndef PQCLEAN_KYBER1024_CLEAN_KEM_H #define PQCLEAN_KYBER1024_CLEAN_KEM_H - #include "params.h" int PQCLEAN_KYBER1024_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk); - int PQCLEAN_KYBER1024_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk); - int PQCLEAN_KYBER1024_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk); diff --git a/crypto_kem/kyber1024/clean/ntt.c b/crypto_kem/kyber1024/clean/ntt.c index e6d200dc..1e612a55 100644 --- a/crypto_kem/kyber1024/clean/ntt.c +++ b/crypto_kem/kyber1024/clean/ntt.c @@ -1,5 +1,5 @@ -#include "params.h" #include "ntt.h" +#include "params.h" #include "reduce.h" #include @@ -89,8 +89,8 @@ static int16_t fqmul(int16_t a, int16_t b) { * of Zq **************************************************/ void PQCLEAN_KYBER1024_CLEAN_ntt(int16_t r[256]) { - unsigned int len = 0, start = 0, j = 0, k = 0; - int16_t t = 0, zeta = 0; + unsigned int len, start, j, k; + int16_t t, zeta; k = 1; for (len = 128; len >= 2; len >>= 1) { @@ -116,8 +116,8 @@ void PQCLEAN_KYBER1024_CLEAN_ntt(int16_t r[256]) { * of Zq **************************************************/ void PQCLEAN_KYBER1024_CLEAN_invntt(int16_t r[256]) { - unsigned int start = 0, len = 0, j = 0, k = 0; - int16_t t = 0, zeta = 0; + unsigned int start, len, j, k; + int16_t t, zeta; k = 0; for (len = 2; len <= 128; len <<= 1) { 
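Review bot: `fail` in PQCLEAN_KYBER1024_CLEAN_crypto_kem_dec is now declared without an initializer, and it is the value that selects between the real shared secret and the rejection secret, so it must be assigned on every path before use. The body continues outside the hunk, where presumably `fail = PQCLEAN_KYBER1024_CLEAN_verify(...)` follows; if so this is fine, and the Makefile's `-Wall -Werror` will catch a missed assignment. A one-line comment at the declaration would make the contract explicit: `int fail; /* 0 iff re-encryption matches ct; drives the cmov of ss */`.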
@@ -148,7 +148,10 @@ void PQCLEAN_KYBER1024_CLEAN_invntt(int16_t r[256]) { * - const int16_t b[2]: pointer to the second factor * - int16_t zeta: integer defining the reduction polynomial **************************************************/ -void PQCLEAN_KYBER1024_CLEAN_basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], int16_t zeta) { +void PQCLEAN_KYBER1024_CLEAN_basemul(int16_t r[2], + const int16_t a[2], + const int16_t b[2], + int16_t zeta) { r[0] = fqmul(a[1], b[1]); r[0] = fqmul(r[0], zeta); r[0] += fqmul(a[0], b[0]); diff --git a/crypto_kem/kyber1024/clean/ntt.h b/crypto_kem/kyber1024/clean/ntt.h index 69517a1a..d8eaee82 100644 --- a/crypto_kem/kyber1024/clean/ntt.h +++ b/crypto_kem/kyber1024/clean/ntt.h @@ -1,22 +1,19 @@ #ifndef PQCLEAN_KYBER1024_CLEAN_NTT_H #define PQCLEAN_KYBER1024_CLEAN_NTT_H - #include "params.h" #include - extern const int16_t PQCLEAN_KYBER1024_CLEAN_zetas[128]; - extern const int16_t PQCLEAN_KYBER1024_CLEAN_zetas_inv[128]; - void PQCLEAN_KYBER1024_CLEAN_ntt(int16_t r[256]); - void PQCLEAN_KYBER1024_CLEAN_invntt(int16_t r[256]); - -void PQCLEAN_KYBER1024_CLEAN_basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], int16_t zeta); +void PQCLEAN_KYBER1024_CLEAN_basemul(int16_t r[2], + const int16_t a[2], + const int16_t b[2], + int16_t zeta); #endif diff --git a/crypto_kem/kyber1024/clean/params.h b/crypto_kem/kyber1024/clean/params.h index ad5b5a2e..b604d6d8 100644 --- a/crypto_kem/kyber1024/clean/params.h +++ b/crypto_kem/kyber1024/clean/params.h @@ -1,6 +1,9 @@ #ifndef PQCLEAN_KYBER1024_CLEAN_PARAMS_H #define PQCLEAN_KYBER1024_CLEAN_PARAMS_H + + + #define KYBER_N 256 #define KYBER_Q 3329 diff --git a/crypto_kem/kyber1024/clean/poly.c b/crypto_kem/kyber1024/clean/poly.c index 2fd6f281..e9a7b1a3 100644 --- a/crypto_kem/kyber1024/clean/poly.c +++ b/crypto_kem/kyber1024/clean/poly.c 
@@ -1,6 +1,6 @@ -#include "params.h" #include "cbd.h" #include "ntt.h" +#include "params.h" #include "poly.h" #include "reduce.h" #include "symmetric.h" @@ -16,7 +16,7 @@ * - poly *a: pointer to input polynomial **************************************************/ void PQCLEAN_KYBER1024_CLEAN_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], poly *a) { - unsigned int i = 0, j = 0; + size_t i, j; uint8_t t[8]; PQCLEAN_KYBER1024_CLEAN_poly_csubq(a); @@ -46,9 +46,9 @@ void PQCLEAN_KYBER1024_CLEAN_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], * (of length KYBER_POLYCOMPRESSEDBYTES bytes) **************************************************/ void PQCLEAN_KYBER1024_CLEAN_poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]) { - unsigned int i = 0; + size_t i; - unsigned int j = 0; + size_t j; uint8_t t[8]; for (i = 0; i < KYBER_N / 8; i++) { t[0] = (a[0] >> 0); @@ -77,8 +77,8 @@ void PQCLEAN_KYBER1024_CLEAN_poly_decompress(poly *r, const uint8_t a[KYBER_POLY * - poly *a: pointer to input polynomial **************************************************/ void PQCLEAN_KYBER1024_CLEAN_poly_tobytes(uint8_t r[KYBER_POLYBYTES], poly *a) { - unsigned int i = 0; - uint16_t t0 = 0, t1 = 0; + size_t i; + uint16_t t0, t1; PQCLEAN_KYBER1024_CLEAN_poly_csubq(a); @@ -102,7 +102,7 @@ void PQCLEAN_KYBER1024_CLEAN_poly_tobytes(uint8_t r[KYBER_POLYBYTES], poly *a) { * (of KYBER_POLYBYTES bytes) **************************************************/ void PQCLEAN_KYBER1024_CLEAN_poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_N / 2; i++) { r->coeffs[2 * i] = ((a[3 * i + 0] >> 0) | ((uint16_t)a[3 * i + 1] << 8)) & 0xFFF; r->coeffs[2 * i + 1] = ((a[3 * i + 1] >> 4) | ((uint16_t)a[3 * i + 2] << 4)) & 0xFFF; 
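Review bot: In PQCLEAN_KYBER1024_CLEAN_poly_decompress the two loop counters are declared on separate lines with a blank line between them (`size_t i;` ... `size_t j;`), unlike every other function in this hunk, which uses a single `size_t i, j;`; merge them. This file also switches its counters to `size_t` while the clean polyvec.c in the same diff keeps `unsigned int` for identical `for (i = 0; i < KYBER_K; i++)` loops; pick one type for the clean implementation so the two files stay consistent.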
@@ -118,8 +118,8 @@ void PQCLEAN_KYBER1024_CLEAN_poly_frombytes(poly *r, const uint8_t a[KYBER_POLYB * - const uint8_t *msg: pointer to input message **************************************************/ void PQCLEAN_KYBER1024_CLEAN_poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]) { - unsigned int i = 0, j = 0; - int16_t mask = 0; + size_t i, j; + int16_t mask; for (i = 0; i < KYBER_N / 8; i++) { for (j = 0; j < 8; j++) { @@ -138,8 +138,8 @@ void PQCLEAN_KYBER1024_CLEAN_poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCP * - poly *a: pointer to input polynomial **************************************************/ void PQCLEAN_KYBER1024_CLEAN_poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], poly *a) { - unsigned int i = 0, j = 0; - uint16_t t = 0; + size_t i, j; + uint16_t t; PQCLEAN_KYBER1024_CLEAN_poly_csubq(a); @@ -207,7 +207,7 @@ void PQCLEAN_KYBER1024_CLEAN_poly_invntt_tomont(poly *r) { * - const poly *b: pointer to second input polynomial **************************************************/ void PQCLEAN_KYBER1024_CLEAN_poly_basemul_montgomery(poly *r, const poly *a, const poly *b) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_N / 4; i++) { PQCLEAN_KYBER1024_CLEAN_basemul(&r->coeffs[4 * i], &a->coeffs[4 * i], &b->coeffs[4 * i], PQCLEAN_KYBER1024_CLEAN_zetas[64 + i]); PQCLEAN_KYBER1024_CLEAN_basemul(&r->coeffs[4 * i + 2], &a->coeffs[4 * i + 2], &b->coeffs[4 * i + 2], @@ -224,7 +224,7 @@ void PQCLEAN_KYBER1024_CLEAN_poly_basemul_montgomery(poly *r, const poly *a, con * Arguments: - poly *r: pointer to input/output polynomial **************************************************/ void PQCLEAN_KYBER1024_CLEAN_poly_tomont(poly *r) { - unsigned int i = 0; + size_t i; const int16_t f = (1ULL << 32) % KYBER_Q; for (i = 0; i < KYBER_N; i++) { r->coeffs[i] = PQCLEAN_KYBER1024_CLEAN_montgomery_reduce((int32_t)r->coeffs[i] * f); 
@@ -240,7 +240,7 @@ void PQCLEAN_KYBER1024_CLEAN_poly_tomont(poly *r) { * Arguments: - poly *r: pointer to input/output polynomial **************************************************/ void PQCLEAN_KYBER1024_CLEAN_poly_reduce(poly *r) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_N; i++) { r->coeffs[i] = PQCLEAN_KYBER1024_CLEAN_barrett_reduce(r->coeffs[i]); } @@ -256,7 +256,7 @@ void PQCLEAN_KYBER1024_CLEAN_poly_reduce(poly *r) { * Arguments: - poly *r: pointer to input/output polynomial **************************************************/ void PQCLEAN_KYBER1024_CLEAN_poly_csubq(poly *r) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_N; i++) { r->coeffs[i] = PQCLEAN_KYBER1024_CLEAN_csubq(r->coeffs[i]); } @@ -272,7 +272,7 @@ void PQCLEAN_KYBER1024_CLEAN_poly_csubq(poly *r) { * - const poly *b: pointer to second input polynomial **************************************************/ void PQCLEAN_KYBER1024_CLEAN_poly_add(poly *r, const poly *a, const poly *b) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_N; i++) { r->coeffs[i] = a->coeffs[i] + b->coeffs[i]; } @@ -288,7 +288,7 @@ void PQCLEAN_KYBER1024_CLEAN_poly_add(poly *r, const poly *a, const poly *b) { * - const poly *b: pointer to second input polynomial **************************************************/ void PQCLEAN_KYBER1024_CLEAN_poly_sub(poly *r, const poly *a, const poly *b) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_N; i++) { r->coeffs[i] = a->coeffs[i] - b->coeffs[i]; } diff --git a/crypto_kem/kyber1024/clean/poly.h b/crypto_kem/kyber1024/clean/poly.h index 6a896e22..52d7e7e3 100644 --- a/crypto_kem/kyber1024/clean/poly.h +++ b/crypto_kem/kyber1024/clean/poly.h @@ -1,6 +1,5 @@ #ifndef PQCLEAN_KYBER1024_CLEAN_POLY_H #define PQCLEAN_KYBER1024_CLEAN_POLY_H - #include "params.h" #include 
@@ -12,41 +11,26 @@ typedef struct { int16_t coeffs[KYBER_N]; } poly; - void PQCLEAN_KYBER1024_CLEAN_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], poly *a); - void PQCLEAN_KYBER1024_CLEAN_poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]); - void PQCLEAN_KYBER1024_CLEAN_poly_tobytes(uint8_t r[KYBER_POLYBYTES], poly *a); - void PQCLEAN_KYBER1024_CLEAN_poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]); - void PQCLEAN_KYBER1024_CLEAN_poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]); - void PQCLEAN_KYBER1024_CLEAN_poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], poly *a); - void PQCLEAN_KYBER1024_CLEAN_poly_getnoise(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce); - void PQCLEAN_KYBER1024_CLEAN_poly_ntt(poly *r); - void PQCLEAN_KYBER1024_CLEAN_poly_invntt_tomont(poly *r); - void PQCLEAN_KYBER1024_CLEAN_poly_basemul_montgomery(poly *r, const poly *a, const poly *b); - void PQCLEAN_KYBER1024_CLEAN_poly_tomont(poly *r); - void PQCLEAN_KYBER1024_CLEAN_poly_reduce(poly *r); - void PQCLEAN_KYBER1024_CLEAN_poly_csubq(poly *r); - void PQCLEAN_KYBER1024_CLEAN_poly_add(poly *r, const poly *a, const poly *b); - void PQCLEAN_KYBER1024_CLEAN_poly_sub(poly *r, const poly *a, const poly *b); #endif diff --git a/crypto_kem/kyber1024/clean/polyvec.c b/crypto_kem/kyber1024/clean/polyvec.c index 3a67207b..dac115b7 100644 --- a/crypto_kem/kyber1024/clean/polyvec.c +++ b/crypto_kem/kyber1024/clean/polyvec.c @@ -13,7 +13,7 @@ * - polyvec *a: pointer to input vector of polynomials **************************************************/ void PQCLEAN_KYBER1024_CLEAN_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], polyvec *a) { - unsigned int i = 0, j = 0, k = 0; + unsigned int i, j, k; PQCLEAN_KYBER1024_CLEAN_polyvec_csubq(a); 
@@ -21,10 +21,8 @@ void PQCLEAN_KYBER1024_CLEAN_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDB for (i = 0; i < KYBER_K; i++) { for (j = 0; j < KYBER_N / 8; j++) { for (k = 0; k < 8; k++) { - { - t[k] = ((((uint32_t)a->vec[i].coeffs[8 * j + k] << 11) + KYBER_Q / 2) - / KYBER_Q) & 0x7ff; - } + t[k] = ((((uint32_t)a->vec[i].coeffs[8 * j + k] << 11) + KYBER_Q / 2) + / KYBER_Q) & 0x7ff; } r[ 0] = (uint8_t)(t[0] >> 0); @@ -55,7 +53,7 @@ void PQCLEAN_KYBER1024_CLEAN_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDB **************************************************/ void PQCLEAN_KYBER1024_CLEAN_polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]) { - unsigned int i = 0, j = 0, k = 0; + unsigned int i, j, k; uint16_t t[8]; for (i = 0; i < KYBER_K; i++) { @@ -87,7 +85,7 @@ void PQCLEAN_KYBER1024_CLEAN_polyvec_decompress(polyvec *r, * - polyvec *a: pointer to input vector of polynomials **************************************************/ void PQCLEAN_KYBER1024_CLEAN_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], polyvec *a) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER1024_CLEAN_poly_tobytes(r + i * KYBER_POLYBYTES, &a->vec[i]); } @@ -104,7 +102,7 @@ void PQCLEAN_KYBER1024_CLEAN_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], poly * (of length KYBER_POLYVECBYTES) **************************************************/ void PQCLEAN_KYBER1024_CLEAN_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER1024_CLEAN_poly_frombytes(&r->vec[i], a + i * KYBER_POLYBYTES); } 
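Review bot: The line re-indented in PQCLEAN_KYBER1024_CLEAN_polyvec_compress still divides coefficient data by the modulus, `(... + KYBER_Q / 2) / KYBER_Q`; the dividend is a function of the polynomial being compressed, which during decapsulation's re-encryption is derived from the decrypted message, and on targets where the compiler emits a hardware divide the latency of that instruction depends on the operand. The commit only removes a redundant brace pair here, so it is a good moment to replace the division with a multiply-and-shift by a precomputed constant, the same technique this tree already uses for Barrett reduction in reduce.c. For 11-bit compression the constant 645084 with a right shift of 31 (ceil(2^31 / q)) reproduces floor((x<<11 + q/2) / q) exactly for every x in [0, q), which holds because the coefficients were just normalised by the `polyvec_csubq` call above; an exhaustive check over 0..q-1 against the division should accompany the change. The enclosing loops over i and j start outside the hunk.
```c
/* … unchanged: for (i …) for (j …) for (k …) headers … */
uint64_t d0 = (uint64_t)a->vec[i].coeffs[8 * j + k] << 11;
d0 += KYBER_Q / 2;
d0 *= 645084;   /* ceil(2^31 / KYBER_Q); exact for 0 <= coeff < KYBER_Q */
d0 >>= 31;
t[k] = (uint16_t)(d0 & 0x7ff);
/* … unchanged: packing of t[0..7] into r … */
```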
@@ -118,7 +116,7 @@ void PQCLEAN_KYBER1024_CLEAN_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER * Arguments: - polyvec *r: pointer to in/output vector of polynomials **************************************************/ void PQCLEAN_KYBER1024_CLEAN_polyvec_ntt(polyvec *r) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER1024_CLEAN_poly_ntt(&r->vec[i]); } @@ -133,7 +131,7 @@ void PQCLEAN_KYBER1024_CLEAN_polyvec_ntt(polyvec *r) { * Arguments: - polyvec *r: pointer to in/output vector of polynomials **************************************************/ void PQCLEAN_KYBER1024_CLEAN_polyvec_invntt_tomont(polyvec *r) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER1024_CLEAN_poly_invntt_tomont(&r->vec[i]); } @@ -152,7 +150,7 @@ void PQCLEAN_KYBER1024_CLEAN_polyvec_invntt_tomont(polyvec *r) { void PQCLEAN_KYBER1024_CLEAN_polyvec_pointwise_acc_montgomery(poly *r, const polyvec *a, const polyvec *b) { - unsigned int i = 0; + unsigned int i; poly t; PQCLEAN_KYBER1024_CLEAN_poly_basemul_montgomery(r, &a->vec[0], &b->vec[0]); @@ -174,7 +172,7 @@ void PQCLEAN_KYBER1024_CLEAN_polyvec_pointwise_acc_montgomery(poly *r, * Arguments: - poly *r: pointer to input/output polynomial **************************************************/ void PQCLEAN_KYBER1024_CLEAN_polyvec_reduce(polyvec *r) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER1024_CLEAN_poly_reduce(&r->vec[i]); } @@ -191,7 +189,7 @@ void PQCLEAN_KYBER1024_CLEAN_polyvec_reduce(polyvec *r) { * Arguments: - poly *r: pointer to input/output polynomial **************************************************/ void PQCLEAN_KYBER1024_CLEAN_polyvec_csubq(polyvec *r) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER1024_CLEAN_poly_csubq(&r->vec[i]); } 
@@ -207,7 +205,7 @@ void PQCLEAN_KYBER1024_CLEAN_polyvec_csubq(polyvec *r) { * - const polyvec *b: pointer to second input vector of polynomials **************************************************/ void PQCLEAN_KYBER1024_CLEAN_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER1024_CLEAN_poly_add(&r->vec[i], &a->vec[i], &b->vec[i]); } diff --git a/crypto_kem/kyber1024/clean/polyvec.h b/crypto_kem/kyber1024/clean/polyvec.h index b1281275..fc6477c5 100644 --- a/crypto_kem/kyber1024/clean/polyvec.h +++ b/crypto_kem/kyber1024/clean/polyvec.h @@ -1,6 +1,5 @@ #ifndef PQCLEAN_KYBER1024_CLEAN_POLYVEC_H #define PQCLEAN_KYBER1024_CLEAN_POLYVEC_H - #include "params.h" #include "poly.h" #include @@ -9,33 +8,23 @@ typedef struct { poly vec[KYBER_K]; } polyvec; - void PQCLEAN_KYBER1024_CLEAN_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], polyvec *a); - void PQCLEAN_KYBER1024_CLEAN_polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]); - void PQCLEAN_KYBER1024_CLEAN_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], polyvec *a); - void PQCLEAN_KYBER1024_CLEAN_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]); - void PQCLEAN_KYBER1024_CLEAN_polyvec_ntt(polyvec *r); - void PQCLEAN_KYBER1024_CLEAN_polyvec_invntt_tomont(polyvec *r); - void PQCLEAN_KYBER1024_CLEAN_polyvec_pointwise_acc_montgomery(poly *r, const polyvec *a, const polyvec *b); - void PQCLEAN_KYBER1024_CLEAN_polyvec_reduce(polyvec *r); - void PQCLEAN_KYBER1024_CLEAN_polyvec_csubq(polyvec *r); - void PQCLEAN_KYBER1024_CLEAN_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b); #endif diff --git a/crypto_kem/kyber1024/clean/reduce.c b/crypto_kem/kyber1024/clean/reduce.c index fedeab74..35dadb26 100644 --- a/crypto_kem/kyber1024/clean/reduce.c +++ b/crypto_kem/kyber1024/clean/reduce.c 
@@ -15,8 +15,8 @@ * Returns: integer in {-q+1,...,q-1} congruent to a * R^-1 modulo q. **************************************************/ int16_t PQCLEAN_KYBER1024_CLEAN_montgomery_reduce(int32_t a) { - int32_t t = 0; - int16_t u = 0; + int32_t t; + int16_t u; u = (int16_t)(a * (int64_t)QINV); t = (int32_t)u * KYBER_Q; @@ -36,7 +36,7 @@ int16_t PQCLEAN_KYBER1024_CLEAN_montgomery_reduce(int32_t a) { * Returns: integer in {0,...,q} congruent to a modulo q. **************************************************/ int16_t PQCLEAN_KYBER1024_CLEAN_barrett_reduce(int16_t a) { - int16_t t = 0; + int16_t t; const int16_t v = ((1U << 26) + KYBER_Q / 2) / KYBER_Q; t = (int32_t)v * a >> 26; diff --git a/crypto_kem/kyber1024/clean/reduce.h b/crypto_kem/kyber1024/clean/reduce.h index 3148e692..7bfc2c30 100644 --- a/crypto_kem/kyber1024/clean/reduce.h +++ b/crypto_kem/kyber1024/clean/reduce.h @@ -1,19 +1,15 @@ #ifndef PQCLEAN_KYBER1024_CLEAN_REDUCE_H #define PQCLEAN_KYBER1024_CLEAN_REDUCE_H - #include "params.h" #include #define MONT 2285 // 2^16 mod q #define QINV 62209 // q^-1 mod 2^16 - int16_t PQCLEAN_KYBER1024_CLEAN_montgomery_reduce(int32_t a); - int16_t PQCLEAN_KYBER1024_CLEAN_barrett_reduce(int16_t a); - int16_t PQCLEAN_KYBER1024_CLEAN_csubq(int16_t a); #endif diff --git a/crypto_kem/kyber1024/clean/symmetric-shake.c b/crypto_kem/kyber1024/clean/symmetric-shake.c index ee5622e9..ff85bdd0 100644 --- a/crypto_kem/kyber1024/clean/symmetric-shake.c +++ b/crypto_kem/kyber1024/clean/symmetric-shake.c @@ -9,8 +9,8 @@ * * Description: Absorb step of the SHAKE128 specialized for the Kyber context. * -* Arguments: - keccak_state *state: pointer to (uninitialized) output -* Keccak state +* Arguments: - xof_state *state: pointer to (uninitialized) output +* Keccak state * - const uint8_t *seed: pointer to KYBER_SYMBYTES input * to be absorbed into state * - uint8_t i additional byte of input 
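Review bot: The header comment of PQCLEAN_KYBER1024_CLEAN_kyber_shake128_absorb is only half-corrected by this hunk: the state line now says `xof_state`, but the list still ends with `uint8_t i additional byte of input`, whereas the function takes two bytes, `uint8_t x, uint8_t y`, and sizes its buffer as `extseed[KYBER_SYMBYTES + 2]`. Replace that line with `* - uint8_t x: first extra byte appended to the seed` and `* - uint8_t y: second extra byte appended to the seed`. The assignments of x and y into extseed are outside the hunk, so the ordering is inferred from the buffer size.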
@@ -20,7 +20,7 @@ void PQCLEAN_KYBER1024_CLEAN_kyber_shake128_absorb(xof_state *state, const uint8_t seed[KYBER_SYMBYTES], uint8_t x, uint8_t y) { - unsigned int i = 0; + unsigned int i; uint8_t extseed[KYBER_SYMBYTES + 2]; for (i = 0; i < KYBER_SYMBYTES; i++) { @@ -48,7 +48,7 @@ void PQCLEAN_KYBER1024_CLEAN_kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYMBYTES], uint8_t nonce) { - unsigned int i = 0; + unsigned int i; uint8_t extkey[KYBER_SYMBYTES + 1]; for (i = 0; i < KYBER_SYMBYTES; i++) { diff --git a/crypto_kem/kyber1024/clean/symmetric.h b/crypto_kem/kyber1024/clean/symmetric.h index 263574ad..650ce3f0 100644 --- a/crypto_kem/kyber1024/clean/symmetric.h +++ b/crypto_kem/kyber1024/clean/symmetric.h @@ -1,12 +1,11 @@ -#ifndef SYMMETRIC_H -#define SYMMETRIC_H - +#ifndef PQCLEAN_KYBER1024_CLEAN_SYMMETRIC_H +#define PQCLEAN_KYBER1024_CLEAN_SYMMETRIC_H +#include "fips202.h" #include "params.h" #include #include -#include "fips202.h" typedef shake128ctx xof_state; diff --git a/crypto_kem/kyber1024/clean/verify.c b/crypto_kem/kyber1024/clean/verify.c index bd1dc887..1c99d185 100644 --- a/crypto_kem/kyber1024/clean/verify.c +++ b/crypto_kem/kyber1024/clean/verify.c @@ -14,7 +14,7 @@ * Returns 0 if the byte arrays are equal, 1 otherwise **************************************************/ int PQCLEAN_KYBER1024_CLEAN_verify(const uint8_t *a, const uint8_t *b, size_t len) { - size_t i = 0; + size_t i; uint8_t r = 0; for (i = 0; i < len; i++) { @@ -38,7 +38,7 @@ int PQCLEAN_KYBER1024_CLEAN_verify(const uint8_t *a, const uint8_t *b, size_t le * uint8_t b: Condition bit; has to be in {0,1} **************************************************/ void PQCLEAN_KYBER1024_CLEAN_cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b) { - size_t i = 0; + size_t i; b = -b; for (i = 0; i < len; i++) { diff --git a/crypto_kem/kyber1024/clean/verify.h b/crypto_kem/kyber1024/clean/verify.h index d24f4fe0..c8b24b08 100644 --- a/crypto_kem/kyber1024/clean/verify.h 
+++ b/crypto_kem/kyber1024/clean/verify.h @@ -1,14 +1,11 @@ #ifndef PQCLEAN_KYBER1024_CLEAN_VERIFY_H #define PQCLEAN_KYBER1024_CLEAN_VERIFY_H - #include "params.h" #include #include - int PQCLEAN_KYBER1024_CLEAN_verify(const uint8_t *a, const uint8_t *b, size_t len); - void PQCLEAN_KYBER1024_CLEAN_cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b); #endif diff --git a/crypto_kem/kyber512-90s/META.yml b/crypto_kem/kyber512-90s/META.yml index 5902a9c4..e58eac45 100644 --- a/crypto_kem/kyber512-90s/META.yml +++ b/crypto_kem/kyber512-90s/META.yml @@ -21,16 +21,16 @@ auxiliary-submitters: - Damien Stehlé implementations: - name: clean - version: https://github.com/pq-crystals/kyber/commit/46e283ab575ec92dfe82fb12229ae2d9d6246682 + version: https://github.com/pq-crystals/kyber/commit/844057468e69527bd15b17fbe03f4b61f9a22065 via https://github.com/jschanck/package-pqclean/tree/b45068b8/kyber - name: avx2 - version: https://github.com/pq-crystals/kyber/commit/46e283ab575ec92dfe82fb12229ae2d9d6246682 + version: https://github.com/pq-crystals/kyber/commit/844057468e69527bd15b17fbe03f4b61f9a22065 via https://github.com/jschanck/package-pqclean/tree/b45068b8/kyber supported_platforms: - architecture: x86_64 operating_systems: - - Linux - - Darwin + - Linux + - Darwin required_flags: - - aes - - avx2 - - bmi2 - - popcnt + - aes + - avx2 + - bmi2 + - popcnt diff --git a/crypto_kem/kyber512-90s/avx2/Makefile b/crypto_kem/kyber512-90s/avx2/Makefile index d8906ce5..accd0759 100644 --- a/crypto_kem/kyber512-90s/avx2/Makefile +++ b/crypto_kem/kyber512-90s/avx2/Makefile 
@@ -1,44 +1,11 @@ # This Makefile can be used with GNU Make or BSD Make LIB=libkyber512-90s_avx2.a -HEADERS= \ - aes256ctr.h \ - align.h \ - api.h \ - cbd.h \ - cdecl.inc \ - consts.h \ - fq.inc \ - indcpa.h \ - kem.h \ - ntt.h \ - params.h \ - poly.h \ - polyvec.h \ - reduce.h \ - rejsample.h \ - shuffle.inc \ - symmetric.h \ - verify.h -OBJECTS= \ - aes256ctr.o \ - basemul.o \ - cbd.o \ - consts.o \ - fq.o \ - indcpa.o \ - invntt.o \ - kem.o \ - ntt.o \ - poly.o \ - polyvec.o \ - rejsample.o \ - shuffle.o \ - verify.o - +HEADERS=aes256ctr.h align.h api.h cbd.h cdecl.h consts.h indcpa.h kem.h ntt.h params.h poly.h polyvec.h reduce.h rejsample.h symmetric.h verify.h fq.inc shuffle.inc +OBJECTS=aes256ctr.o cbd.o consts.o indcpa.o kem.o poly.o polyvec.o rejsample.o verify.o basemul.o fq.o invntt.o ntt.o shuffle.o CFLAGS=-mavx2 -maes -mbmi2 -mpopcnt -O3 -Wall -Wextra -Wpedantic -Werror \ - -Wmissing-prototypes -Wredundant-decls -std=c99 \ - -I../../../common $(EXTRAFLAGS) + -Wmissing-prototypes -Wredundant-decls -std=c99 \ + -I../../../common $(EXTRAFLAGS) all: $(LIB) diff --git a/crypto_kem/kyber512-90s/avx2/aes256ctr.c b/crypto_kem/kyber512-90s/avx2/aes256ctr.c index e1428f2b..51c625ab 100644 --- a/crypto_kem/kyber512-90s/avx2/aes256ctr.c +++ b/crypto_kem/kyber512-90s/avx2/aes256ctr.c @@ -1,3 +1,7 @@ +#include "aes256ctr.h" +#include +#include +#include /* Based heavily on public-domain code by Romain Dolbeau Different handling of nonce+counter than original version @@ -5,10 +9,6 @@ Public Domain */ -#include "aes256ctr.h" -#include -#include -#include static inline void aesni_encrypt4(uint8_t out[64], __m128i *n, @@ -114,7 +114,7 @@ void PQCLEAN_KYBER51290S_AVX2_aes256ctr_init(aes256ctr_ctx *state, const uint8_t void PQCLEAN_KYBER51290S_AVX2_aes256ctr_squeezeblocks(uint8_t *out, size_t nblocks, aes256ctr_ctx *state) { - size_t i = 0; + size_t i; for (i = 0; i < nblocks; i++) { aesni_encrypt4(out, &state->n, state->rkeys); out += 64; 
@@ -123,13 +123,13 @@ void PQCLEAN_KYBER51290S_AVX2_aes256ctr_squeezeblocks(uint8_t *out, void PQCLEAN_KYBER51290S_AVX2_aes256ctr_prf(uint8_t *out, size_t outlen, - const uint8_t seed[32], + const uint8_t key[32], uint64_t nonce) { - unsigned int i = 0; + unsigned int i; uint8_t buf[64]; aes256ctr_ctx state; - PQCLEAN_KYBER51290S_AVX2_aes256ctr_init(&state, seed, nonce); + PQCLEAN_KYBER51290S_AVX2_aes256ctr_init(&state, key, nonce); while (outlen >= 64) { aesni_encrypt4(out, &state.n, state.rkeys); diff --git a/crypto_kem/kyber512-90s/avx2/aes256ctr.h b/crypto_kem/kyber512-90s/avx2/aes256ctr.h index c6a58d87..8e5b1b6c 100644 --- a/crypto_kem/kyber512-90s/avx2/aes256ctr.h +++ b/crypto_kem/kyber512-90s/avx2/aes256ctr.h @@ -1,11 +1,10 @@ -#ifndef AES256CTR_H -#define AES256CTR_H +#ifndef PQCLEAN_KYBER51290S_AVX2_AES256CTR_H +#define PQCLEAN_KYBER51290S_AVX2_AES256CTR_H #include #include #include -#define AES256CTR_NAMESPACE(s) pqcrystals_aes256ctr_avx2##s #define AES256CTR_BLOCKBYTES 64 @@ -14,8 +13,17 @@ typedef struct { __m128i n; } aes256ctr_ctx; -void PQCLEAN_KYBER51290S_AVX2_aes256ctr_init(aes256ctr_ctx *state, const uint8_t key[32], uint64_t nonce); -void PQCLEAN_KYBER51290S_AVX2_aes256ctr_squeezeblocks(uint8_t *out, size_t nblocks, aes256ctr_ctx *state); -void PQCLEAN_KYBER51290S_AVX2_aes256ctr_prf(uint8_t *out, size_t outlen, const uint8_t seed[32], uint64_t nonce); +void PQCLEAN_KYBER51290S_AVX2_aes256ctr_init(aes256ctr_ctx *state, + const uint8_t key[32], + uint64_t nonce); + +void PQCLEAN_KYBER51290S_AVX2_aes256ctr_squeezeblocks(uint8_t *out, + size_t nblocks, + aes256ctr_ctx *state); + +void PQCLEAN_KYBER51290S_AVX2_aes256ctr_prf(uint8_t *out, + size_t outlen, + const uint8_t key[32], + uint64_t nonce); #endif diff --git a/crypto_kem/kyber512-90s/avx2/align.h b/crypto_kem/kyber512-90s/avx2/align.h index 1581af7a..c6e88d68 100644 --- a/crypto_kem/kyber512-90s/avx2/align.h +++ b/crypto_kem/kyber512-90s/avx2/align.h 
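Review bot: `aes256ctr_ctx state` and `uint8_t buf[64]` in aes256ctr_prf hold the expanded round keys of the secret `key` and raw keystream bytes, and nothing in the hunk clears them; the end of the function is outside the hunk, so if it does not scrub them before returning, the key schedule is left on the stack after the PRF returns. A best-effort wipe of `state` and `buf` at exit (a volatile-pointer memset, or `explicit_bzero` where the platform provides it) would close that. The `seed`→`key` rename should also be carried into the function's doc block if it still names the parameter `seed` (not visible here).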
@@ -1,5 +1,6 @@ #ifndef PQCLEAN_KYBER51290S_AVX2_ALIGN_H #define PQCLEAN_KYBER51290S_AVX2_ALIGN_H + #include #define ALIGN16_TYPE(t) \ diff --git a/crypto_kem/kyber512-90s/avx2/api.h b/crypto_kem/kyber512-90s/avx2/api.h index 934664a3..9fe45e18 100644 --- a/crypto_kem/kyber512-90s/avx2/api.h +++ b/crypto_kem/kyber512-90s/avx2/api.h @@ -15,5 +15,4 @@ int PQCLEAN_KYBER51290S_AVX2_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint int PQCLEAN_KYBER51290S_AVX2_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - #endif diff --git a/crypto_kem/kyber512-90s/avx2/basemul.S b/crypto_kem/kyber512-90s/avx2/basemul.S index 0c17514f..a3f2ec5e 100644 --- a/crypto_kem/kyber512-90s/avx2/basemul.S +++ b/crypto_kem/kyber512-90s/avx2/basemul.S @@ -1,5 +1,5 @@ +#include "cdecl.h" #include "params.h" -#include "cdecl.inc" .macro schoolbook off,sign #load @@ -133,7 +133,9 @@ vmovdqa %ymm5,96(%rdi) ret .global cdecl(PQCLEAN_KYBER51290S_AVX2_basemul_acc_avx) +.global _cdecl(PQCLEAN_KYBER51290S_AVX2_basemul_acc_avx) cdecl(PQCLEAN_KYBER51290S_AVX2_basemul_acc_avx): +_cdecl(PQCLEAN_KYBER51290S_AVX2_basemul_acc_avx): #consts vmovdqa _16XQ*2(%rcx),%ymm0 vmovdqa _16XQINV*2(%rcx),%ymm1 @@ -183,7 +185,9 @@ vmovdqa %ymm12,96(%rdi) ret .global cdecl(PQCLEAN_KYBER51290S_AVX2_basemul_avx) +.global _cdecl(PQCLEAN_KYBER51290S_AVX2_basemul_avx) cdecl(PQCLEAN_KYBER51290S_AVX2_basemul_avx): +_cdecl(PQCLEAN_KYBER51290S_AVX2_basemul_avx): #consts vmovdqa _16XQ*2(%rcx),%ymm0 vmovdqa _16XQINV*2(%rcx),%ymm1 diff --git a/crypto_kem/kyber512-90s/avx2/cbd.c b/crypto_kem/kyber512-90s/avx2/cbd.c index b23f5263..33a14f63 100644 --- a/crypto_kem/kyber512-90s/avx2/cbd.c +++ b/crypto_kem/kyber512-90s/avx2/cbd.c @@ -1,5 +1,5 @@ -#include "params.h" #include "cbd.h" +#include "params.h" #include #include 
@@ -14,7 +14,7 @@ * - const unsigned char *buf: pointer to input byte array **************************************************/ void PQCLEAN_KYBER51290S_AVX2_cbd(poly *restrict r, const uint8_t *restrict buf) { - unsigned int i = 0; + unsigned int i; __m256i vec0, vec1, vec2, vec3, tmp; const __m256i mask55 = _mm256_set1_epi32(0x55555555); const __m256i mask33 = _mm256_set1_epi32(0x33333333); diff --git a/crypto_kem/kyber512-90s/avx2/cbd.h b/crypto_kem/kyber512-90s/avx2/cbd.h index 040a26a6..2415f5fd 100644 --- a/crypto_kem/kyber512-90s/avx2/cbd.h +++ b/crypto_kem/kyber512-90s/avx2/cbd.h @@ -1,11 +1,9 @@ #ifndef PQCLEAN_KYBER51290S_AVX2_CBD_H #define PQCLEAN_KYBER51290S_AVX2_CBD_H - #include "params.h" #include "poly.h" #include - void PQCLEAN_KYBER51290S_AVX2_cbd(poly *r, const uint8_t buf[KYBER_ETA * KYBER_N / 4]); #endif diff --git a/crypto_kem/kyber512-90s/avx2/cdecl.inc b/crypto_kem/kyber512-90s/avx2/cdecl.h similarity index 78% rename from crypto_kem/kyber512-90s/avx2/cdecl.inc rename to crypto_kem/kyber512-90s/avx2/cdecl.h index 8ded53b1..79fd29ba 100644 --- a/crypto_kem/kyber512-90s/avx2/cdecl.inc +++ b/crypto_kem/kyber512-90s/avx2/cdecl.h @@ -1,5 +1,5 @@ -#ifndef PQCLEAN_DILITHIUM2_AVX2_CDECL -#define PQCLEAN_DILITHIUM2_AVX2_CDECL +#ifndef PQCLEAN_KYBER51290S_AVX2_CDECL_H +#define PQCLEAN_KYBER51290S_AVX2_CDECL_H #define _16XQ 0 #define _16XQINV 16 @@ -21,10 +21,6 @@ * This define helps us get around this */ -#if defined(__WIN32__) || defined(__APPLE__) -#define cdecl(s) _##s -#else +#define _cdecl(s) _##s #define cdecl(s) s #endif - -#endif diff --git a/crypto_kem/kyber512-90s/avx2/consts.c b/crypto_kem/kyber512-90s/avx2/consts.c index 30d81bef..05e4122d 100644 --- a/crypto_kem/kyber512-90s/avx2/consts.c +++ b/crypto_kem/kyber512-90s/avx2/consts.c @@ -1,5 +1,5 @@ -#include "params.h" #include "consts.h" +#include "params.h" #include #define Q KYBER_Q 
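Review bot: The doc block above PQCLEAN_KYBER51290S_AVX2_cbd still lists `const unsigned char *buf` while the definition takes `const uint8_t *restrict buf` and cbd.h in this diff declares it as `const uint8_t buf[KYBER_ETA * KYBER_N / 4]`; the three spellings should agree so a reader can see the required input length at the definition. I'd change the comment line to `* - const uint8_t *buf: pointer to input byte array (KYBER_ETA*KYBER_N/4 bytes)` and give the definition the same array-typed parameter as the header. The function body continues outside the hunk.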
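Review bot: The comment ending `* This define helps us get around this */` directly above the new `#define _cdecl(s) _##s` describes the removed `#if defined(__WIN32__) || defined(__APPLE__)` selection and is now stale: every assembly symbol in this diff (basemul.S, fq.S, invntt.S, ntt.S) is exported under both `cdecl(...)` and `_cdecl(...)` unconditionally. I'd rewrite it to say that both the plain and the underscore-prefixed label are always emitted so one object links on ELF and on Mach-O/Win32 without a platform check, and that the two labels alias the same address. Separately, `_cdecl` is a Microsoft-specific keyword spelling and names beginning with an underscore are reserved for the implementation at file scope; the header is only consumed by the assembler's preprocessor so it works today, but a name like `cdecl_us(s)` would avoid the collision.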
diff --git a/crypto_kem/kyber512-90s/avx2/consts.h b/crypto_kem/kyber512-90s/avx2/consts.h index c00f2983..49272952 100644 --- a/crypto_kem/kyber512-90s/avx2/consts.h +++ b/crypto_kem/kyber512-90s/avx2/consts.h @@ -1,12 +1,11 @@ #ifndef PQCLEAN_KYBER51290S_AVX2_CONSTS_H #define PQCLEAN_KYBER51290S_AVX2_CONSTS_H - -#include "cdecl.inc" - +#include "cdecl.h" #include "params.h" #include #include + #define ALIGNED_UINT16_T(N) \ union { \ __m256i as_vec; \ diff --git a/crypto_kem/kyber512-90s/avx2/fq.S b/crypto_kem/kyber512-90s/avx2/fq.S index 78670c10..2655380c 100644 --- a/crypto_kem/kyber512-90s/avx2/fq.S +++ b/crypto_kem/kyber512-90s/avx2/fq.S @@ -1,4 +1,4 @@ -#include "cdecl.inc" +#include "cdecl.h" .include "fq.inc" .text @@ -35,7 +35,9 @@ vmovdqa %ymm9,224(%rdi) ret .global cdecl(PQCLEAN_KYBER51290S_AVX2_reduce_avx) +.global _cdecl(PQCLEAN_KYBER51290S_AVX2_reduce_avx) cdecl(PQCLEAN_KYBER51290S_AVX2_reduce_avx): +_cdecl(PQCLEAN_KYBER51290S_AVX2_reduce_avx): #consts vmovdqa _16XQ*2(%rsi),%ymm0 vmovdqa _16XV*2(%rsi),%ymm1 @@ -77,7 +79,9 @@ vmovdqa %ymm8,224(%rdi) ret .global cdecl(PQCLEAN_KYBER51290S_AVX2_csubq_avx) +.global _cdecl(PQCLEAN_KYBER51290S_AVX2_csubq_avx) cdecl(PQCLEAN_KYBER51290S_AVX2_csubq_avx): +_cdecl(PQCLEAN_KYBER51290S_AVX2_csubq_avx): #consts vmovdqa _16XQ*2(%rsi),%ymm0 call csubq128_avx @@ -118,7 +122,9 @@ vmovdqa %ymm10,224(%rdi) ret .global cdecl(PQCLEAN_KYBER51290S_AVX2_tomont_avx) +.global _cdecl(PQCLEAN_KYBER51290S_AVX2_tomont_avx) cdecl(PQCLEAN_KYBER51290S_AVX2_tomont_avx): +_cdecl(PQCLEAN_KYBER51290S_AVX2_tomont_avx): #consts vmovdqa _16XQ*2(%rsi),%ymm0 vmovdqa _16XMONTSQLO*2(%rsi),%ymm1 diff --git a/crypto_kem/kyber512-90s/avx2/indcpa.c b/crypto_kem/kyber512-90s/avx2/indcpa.c index 944969e5..a0756386 100644 --- a/crypto_kem/kyber512-90s/avx2/indcpa.c +++ b/crypto_kem/kyber512-90s/avx2/indcpa.c 
@@ -25,7 +25,7 @@ static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES], polyvec *pk, const uint8_t seed[KYBER_SYMBYTES]) { - size_t i = 0; + size_t i; PQCLEAN_KYBER51290S_AVX2_polyvec_tobytes(r, pk); for (i = 0; i < KYBER_SYMBYTES; i++) { r[i + KYBER_POLYVECBYTES] = seed[i]; @@ -45,7 +45,7 @@ static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES], static void unpack_pk(polyvec *pk, uint8_t seed[KYBER_SYMBYTES], const uint8_t packedpk[KYBER_INDCPA_PUBLICKEYBYTES]) { - size_t i = 0; + size_t i; PQCLEAN_KYBER51290S_AVX2_polyvec_frombytes(pk, packedpk); for (i = 0; i < KYBER_SYMBYTES; i++) { seed[i] = packedpk[i + KYBER_POLYVECBYTES]; @@ -133,8 +133,8 @@ static unsigned int rej_uniform(int16_t *r, unsigned int len, const uint8_t *buf, unsigned int buflen) { - unsigned int ctr = 0, pos = 0; - uint16_t val = 0; + unsigned int ctr, pos; + uint16_t val; ctr = pos = 0; while (ctr < len && pos + 2 <= buflen) { @@ -168,7 +168,7 @@ static unsigned int rej_uniform(int16_t *r, #define GEN_MATRIX_NBLOCKS ((2*KYBER_N*(1U << 16)/(19*KYBER_Q) \ + XOF_BLOCKBYTES)/XOF_BLOCKBYTES) void PQCLEAN_KYBER51290S_AVX2_gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed) { - unsigned int ctr = 0, i = 0, j = 0; + unsigned int ctr, i, j; ALIGN16_TYPE(uint64_t) nonce = {.orig = 0}; ALIGN32_ARRAY(uint8_t, GEN_MATRIX_NBLOCKS * XOF_BLOCKBYTES) buf; aes256ctr_ctx state; @@ -211,7 +211,7 @@ void PQCLEAN_KYBER51290S_AVX2_gen_matrix(polyvec *a, const uint8_t seed[KYBER_SY **************************************************/ void PQCLEAN_KYBER51290S_AVX2_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]) { - unsigned int i = 0; + unsigned int i; ALIGN32_ARRAY(uint8_t, 2 * KYBER_SYMBYTES) buf; const uint8_t *publicseed = buf.arr; const uint8_t *noiseseed = buf.arr + KYBER_SYMBYTES; 
@@ -276,7 +276,7 @@ void PQCLEAN_KYBER51290S_AVX2_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], const uint8_t m[KYBER_INDCPA_MSGBYTES], const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], const uint8_t coins[KYBER_SYMBYTES]) { - unsigned int i = 0; + unsigned int i; ALIGN32_ARRAY(uint8_t, KYBER_SYMBYTES) seed; polyvec sp, pkpv, ep, at[KYBER_K], bp; poly v, k, epp; diff --git a/crypto_kem/kyber512-90s/avx2/indcpa.h b/crypto_kem/kyber512-90s/avx2/indcpa.h index 34aa1ffc..f2b8709b 100644 --- a/crypto_kem/kyber512-90s/avx2/indcpa.h +++ b/crypto_kem/kyber512-90s/avx2/indcpa.h @@ -1,16 +1,20 @@ #ifndef PQCLEAN_KYBER51290S_AVX2_INDCPA_H #define PQCLEAN_KYBER51290S_AVX2_INDCPA_H - #include "params.h" #include "polyvec.h" #include void PQCLEAN_KYBER51290S_AVX2_gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed); +void PQCLEAN_KYBER51290S_AVX2_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], + uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); -void PQCLEAN_KYBER51290S_AVX2_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); +void PQCLEAN_KYBER51290S_AVX2_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], + const uint8_t m[KYBER_INDCPA_MSGBYTES], + const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], + const uint8_t coins[KYBER_SYMBYTES]); -void PQCLEAN_KYBER51290S_AVX2_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], const uint8_t m[KYBER_INDCPA_MSGBYTES], const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], const uint8_t coins[KYBER_SYMBYTES]); - -void PQCLEAN_KYBER51290S_AVX2_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES], const uint8_t c[KYBER_INDCPA_BYTES], const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); +void PQCLEAN_KYBER51290S_AVX2_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES], + const uint8_t c[KYBER_INDCPA_BYTES], + const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); #endif diff --git a/crypto_kem/kyber512-90s/avx2/invntt.S b/crypto_kem/kyber512-90s/avx2/invntt.S index 48974cf8..0a1f28e1 100644 --- a/crypto_kem/kyber512-90s/avx2/invntt.S 
+++ b/crypto_kem/kyber512-90s/avx2/invntt.S @@ -1,4 +1,4 @@ -#include "cdecl.inc" +#include "cdecl.h" .include "shuffle.inc" .include "fq.inc" @@ -210,7 +210,9 @@ vmovdqa %ymm7,224(%rdi) ret .global cdecl(PQCLEAN_KYBER51290S_AVX2_invntt_avx) +.global _cdecl(PQCLEAN_KYBER51290S_AVX2_invntt_avx) cdecl(PQCLEAN_KYBER51290S_AVX2_invntt_avx): +_cdecl(PQCLEAN_KYBER51290S_AVX2_invntt_avx): #consts vmovdqa _16XQ*2(%rsi),%ymm0 mov %rsi,%rdx diff --git a/crypto_kem/kyber512-90s/avx2/kem.c b/crypto_kem/kyber512-90s/avx2/kem.c index 169224ac..890a6206 100644 --- a/crypto_kem/kyber512-90s/avx2/kem.c +++ b/crypto_kem/kyber512-90s/avx2/kem.c @@ -8,7 +8,6 @@ #include #include - /************************************************* * Name: PQCLEAN_KYBER51290S_AVX2_crypto_kem_keypair * @@ -23,7 +22,7 @@ * Returns 0 (success) **************************************************/ int PQCLEAN_KYBER51290S_AVX2_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) { - size_t i = 0; + size_t i; PQCLEAN_KYBER51290S_AVX2_indcpa_keypair(pk, sk); for (i = 0; i < KYBER_INDCPA_PUBLICKEYBYTES; i++) { sk[i + KYBER_INDCPA_SECRETKEYBYTES] = pk[i]; @@ -94,8 +93,8 @@ int PQCLEAN_KYBER51290S_AVX2_crypto_kem_enc(unsigned char *ct, int PQCLEAN_KYBER51290S_AVX2_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) { - size_t i = 0; - int fail = 0; + size_t i; + int fail; ALIGN32_ARRAY(uint8_t, 2 * KYBER_SYMBYTES) buf; /* Will contain key, coins */ ALIGN32_ARRAY(uint8_t, 2 * KYBER_SYMBYTES) kr; 
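Review bot: `int fail;` in crypto_kem_dec is now indeterminate until the assignment from the re-encryption check, which lies outside the hunk; this flag later selects between the real pre-key and the rejection value via cmov (`(uint8_t)fail` in the @@ -119 hunk of the same file), so I'd either keep a definite initial value or document the dependency, e.g. `int fail; /* set by verify(): 0 if re-encryption matches, 1 otherwise */`. The cast to uint8_t is safe only because verify is documented to return exactly 0 or 1 (verify.c: "Returns 0 if the byte arrays are equal, 1 otherwise"), which is the range cmov requires; that is worth a one-line comment at the cmov call. `buf` and `kr` hold the decrypted pre-key and coins and are not cleared in the hunk; the function's tail is outside it.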
@@ -119,7 +118,7 @@ int PQCLEAN_KYBER51290S_AVX2_crypto_kem_dec(unsigned char *ss, hash_h(kr.arr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); /* Overwrite pre-k with z on re-encryption failure */ - PQCLEAN_KYBER51290S_AVX2_cmov(kr.arr, sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES, fail); + PQCLEAN_KYBER51290S_AVX2_cmov(kr.arr, sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES, (uint8_t)fail); /* hash concatenation of pre-k and H(c) to k */ kdf(ss, kr.arr, 2 * KYBER_SYMBYTES); diff --git a/crypto_kem/kyber512-90s/avx2/kem.h b/crypto_kem/kyber512-90s/avx2/kem.h index ecbd1259..deae78e7 100644 --- a/crypto_kem/kyber512-90s/avx2/kem.h +++ b/crypto_kem/kyber512-90s/avx2/kem.h @@ -1,17 +1,14 @@ #ifndef PQCLEAN_KYBER51290S_AVX2_KEM_H #define PQCLEAN_KYBER51290S_AVX2_KEM_H - #include "params.h" int PQCLEAN_KYBER51290S_AVX2_crypto_kem_keypair(unsigned char *pk, unsigned char *sk); - int PQCLEAN_KYBER51290S_AVX2_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk); - int PQCLEAN_KYBER51290S_AVX2_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk); diff --git a/crypto_kem/kyber512-90s/avx2/ntt.S b/crypto_kem/kyber512-90s/avx2/ntt.S index 477143a1..51510563 100644 --- a/crypto_kem/kyber512-90s/avx2/ntt.S +++ b/crypto_kem/kyber512-90s/avx2/ntt.S @@ -1,4 +1,4 @@ -#include "cdecl.inc" +#include "cdecl.h" .include "shuffle.inc" .include "fq.inc" @@ -203,7 +203,9 @@ vmovdqa %ymm11,224(%rdi) ret .global cdecl(PQCLEAN_KYBER51290S_AVX2_ntt_avx) +.global _cdecl(PQCLEAN_KYBER51290S_AVX2_ntt_avx) cdecl(PQCLEAN_KYBER51290S_AVX2_ntt_avx): +_cdecl(PQCLEAN_KYBER51290S_AVX2_ntt_avx): #consts vmovdqa _16XQ*2(%rsi),%ymm0 mov %rsi,%rdx diff --git a/crypto_kem/kyber512-90s/avx2/ntt.h b/crypto_kem/kyber512-90s/avx2/ntt.h index b3f560ab..9b8698a4 100644 --- a/crypto_kem/kyber512-90s/avx2/ntt.h +++ b/crypto_kem/kyber512-90s/avx2/ntt.h 
@@ -1,28 +1,24 @@ -#ifndef NTT_H -#define NTT_H - +#ifndef PQCLEAN_KYBER51290S_AVX2_NTT_H +#define PQCLEAN_KYBER51290S_AVX2_NTT_H #include "consts.h" -#include "params.h" #include - void PQCLEAN_KYBER51290S_AVX2_ntt_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER51290S_AVX2_qdata); - void PQCLEAN_KYBER51290S_AVX2_invntt_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER51290S_AVX2_qdata); - -void nttpack_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER51290S_AVX2_qdata); - +void PQCLEAN_KYBER51290S_AVX2_nttpack_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER51290S_AVX2_qdata); void PQCLEAN_KYBER51290S_AVX2_nttunpack_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER51290S_AVX2_qdata); - -void PQCLEAN_KYBER51290S_AVX2_basemul_avx(int16_t *r, const int16_t *a, const int16_t *b, const qdata_t *PQCLEAN_KYBER51290S_AVX2_qdata); - -void PQCLEAN_KYBER51290S_AVX2_basemul_acc_avx(int16_t *r, const int16_t *a, const int16_t *b, const qdata_t *PQCLEAN_KYBER51290S_AVX2_qdata); - +void PQCLEAN_KYBER51290S_AVX2_basemul_avx(int16_t *r, + const int16_t *a, + const int16_t *b, + const qdata_t *PQCLEAN_KYBER51290S_AVX2_qdata); +void PQCLEAN_KYBER51290S_AVX2_basemul_acc_avx(int16_t *r, + const int16_t *a, + const int16_t *b, + const qdata_t *PQCLEAN_KYBER51290S_AVX2_qdata); void PQCLEAN_KYBER51290S_AVX2_ntttobytes_avx(uint8_t *r, const int16_t *a, const qdata_t *PQCLEAN_KYBER51290S_AVX2_qdata); - void PQCLEAN_KYBER51290S_AVX2_nttfrombytes_avx(int16_t *r, const uint8_t *a, const qdata_t *PQCLEAN_KYBER51290S_AVX2_qdata); #endif diff --git a/crypto_kem/kyber512-90s/avx2/params.h b/crypto_kem/kyber512-90s/avx2/params.h index ef580d09..58767b6c 100644 --- a/crypto_kem/kyber512-90s/avx2/params.h +++ b/crypto_kem/kyber512-90s/avx2/params.h @@ -1,6 +1,9 @@ #ifndef PQCLEAN_KYBER51290S_AVX2_PARAMS_H #define PQCLEAN_KYBER51290S_AVX2_PARAMS_H + + + #define KYBER_N 256 #define KYBER_Q 3329 diff --git a/crypto_kem/kyber512-90s/avx2/poly.c b/crypto_kem/kyber512-90s/avx2/poly.c index 1aa0f7b1..93bfdfeb 100644 
--- a/crypto_kem/kyber512-90s/avx2/poly.c +++ b/crypto_kem/kyber512-90s/avx2/poly.c @@ -19,7 +19,7 @@ * - poly *a: pointer to input polynomial **************************************************/ void PQCLEAN_KYBER51290S_AVX2_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], poly *restrict a) { - unsigned int i = 0, j = 0; + unsigned int i, j; uint8_t t[8]; PQCLEAN_KYBER51290S_AVX2_poly_csubq(a); @@ -48,9 +48,9 @@ void PQCLEAN_KYBER51290S_AVX2_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES] **************************************************/ void PQCLEAN_KYBER51290S_AVX2_poly_decompress(poly *restrict r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]) { - unsigned int i = 0; + unsigned int i; - unsigned int j = 0; + unsigned int j; uint8_t t[8]; for (i = 0; i < KYBER_N / 8; i++) { t[0] = (a[0] >> 0); @@ -112,7 +112,7 @@ void PQCLEAN_KYBER51290S_AVX2_poly_frommsg(poly *restrict r, const __m256i hqs = _mm256_set1_epi16((KYBER_Q + 1) / 2); #define FROMMSG64(i) \ - g3 = _mm256_shuffle_epi32(f,0x55*(i)); \ + g3 = _mm256_shuffle_epi32(f,0x55*(i)); \ g3 = _mm256_sllv_epi32(g3,shift); \ g3 = _mm256_shuffle_epi8(g3,idx); \ g0 = _mm256_slli_epi16(g3,12); \ @@ -134,9 +134,9 @@ void PQCLEAN_KYBER51290S_AVX2_poly_frommsg(poly *restrict r, g2 = _mm256_permute2x128_si256(h0,h1,0x31); \ g1 = _mm256_permute2x128_si256(h2,h3,0x20); \ g3 = _mm256_permute2x128_si256(h2,h3,0x31); \ - _mm256_store_si256((__m256i *)&r->coeffs[ 0+32*(i)+ 0],g0); \ - _mm256_store_si256((__m256i *)&r->coeffs[ 0+32*(i)+16],g1); \ - _mm256_store_si256((__m256i *)&r->coeffs[128+32*(i)+ 0],g2); \ + _mm256_store_si256((__m256i *)&r->coeffs[ 0+32*(i)+ 0],g0); \ + _mm256_store_si256((__m256i *)&r->coeffs[ 0+32*(i)+16],g1); \ + _mm256_store_si256((__m256i *)&r->coeffs[128+32*(i)+ 0],g2); \ _mm256_store_si256((__m256i *)&r->coeffs[128+32*(i)+16],g3) f = _mm256_load_si256((__m256i *)msg); 
@@ -155,8 +155,8 @@ void PQCLEAN_KYBER51290S_AVX2_poly_frommsg(poly *restrict r, * - poly *a: pointer to input polynomial **************************************************/ void PQCLEAN_KYBER51290S_AVX2_poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], poly *restrict a) { - unsigned int i = 0; - uint32_t small = 0; + unsigned int i; + uint32_t small; __m256i f0, f1, g0, g1; const __m256i hqs = _mm256_set1_epi16((KYBER_Q - 1) / 2); const __m256i hhqs = _mm256_set1_epi16((KYBER_Q - 5) / 4); @@ -291,7 +291,7 @@ void PQCLEAN_KYBER51290S_AVX2_poly_csubq(poly *r) { * - const poly *b: pointer to second input polynomial **************************************************/ void PQCLEAN_KYBER51290S_AVX2_poly_add(poly *r, const poly *a, const poly *b) { - unsigned int i = 0; + unsigned int i; __m256i f0, f1; for (i = 0; i < KYBER_N; i += 16) { @@ -312,7 +312,7 @@ void PQCLEAN_KYBER51290S_AVX2_poly_add(poly *r, const poly *a, const poly *b) { * - const poly *b: pointer to second input polynomial **************************************************/ void PQCLEAN_KYBER51290S_AVX2_poly_sub(poly *r, const poly *a, const poly *b) { - unsigned int i = 0; + unsigned int i; __m256i f0, f1; for (i = 0; i < KYBER_N; i += 16) { diff --git a/crypto_kem/kyber512-90s/avx2/poly.h b/crypto_kem/kyber512-90s/avx2/poly.h index 6e4e5a16..0638a97c 100644 --- a/crypto_kem/kyber512-90s/avx2/poly.h +++ b/crypto_kem/kyber512-90s/avx2/poly.h @@ -1,6 +1,5 @@ #ifndef PQCLEAN_KYBER51290S_AVX2_POLY_H #define PQCLEAN_KYBER51290S_AVX2_POLY_H - #include "params.h" #include #include 
@@ -14,43 +13,27 @@ typedef union { int16_t coeffs[KYBER_N]; } poly; - void PQCLEAN_KYBER51290S_AVX2_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], poly *a); - void PQCLEAN_KYBER51290S_AVX2_poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]); - void PQCLEAN_KYBER51290S_AVX2_poly_tobytes(uint8_t r[KYBER_POLYBYTES], poly *a); - void PQCLEAN_KYBER51290S_AVX2_poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]); - void PQCLEAN_KYBER51290S_AVX2_poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]); - void PQCLEAN_KYBER51290S_AVX2_poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], poly *a); - void PQCLEAN_KYBER51290S_AVX2_poly_getnoise(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce); - void PQCLEAN_KYBER51290S_AVX2_poly_ntt(poly *r); - void PQCLEAN_KYBER51290S_AVX2_poly_invntt_tomont(poly *r); - void PQCLEAN_KYBER51290S_AVX2_poly_nttunpack(poly *r); - void PQCLEAN_KYBER51290S_AVX2_poly_basemul_montgomery(poly *r, const poly *a, const poly *b); - void PQCLEAN_KYBER51290S_AVX2_poly_tomont(poly *r); - void PQCLEAN_KYBER51290S_AVX2_poly_reduce(poly *r); - void PQCLEAN_KYBER51290S_AVX2_poly_csubq(poly *r); - void PQCLEAN_KYBER51290S_AVX2_poly_add(poly *r, const poly *a, const poly *b); - void PQCLEAN_KYBER51290S_AVX2_poly_sub(poly *r, const poly *a, const poly *b); #endif diff --git a/crypto_kem/kyber512-90s/avx2/polyvec.c b/crypto_kem/kyber512-90s/avx2/polyvec.c index bbc8289c..698b8803 100644 --- a/crypto_kem/kyber512-90s/avx2/polyvec.c +++ b/crypto_kem/kyber512-90s/avx2/polyvec.c @@ -1,6 +1,6 @@ -#include "params.h" #include "consts.h" #include "ntt.h" +#include "params.h" #include "poly.h" #include "polyvec.h" #include @@ -16,7 +16,7 @@ **************************************************/ void PQCLEAN_KYBER51290S_AVX2_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], polyvec *restrict a) { - unsigned int i = 0, j = 0, k = 0; + size_t i, j, k; PQCLEAN_KYBER51290S_AVX2_polyvec_csubq(a); 
@@ -24,10 +24,8 @@ void PQCLEAN_KYBER51290S_AVX2_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSED for (i = 0; i < KYBER_K; i++) { for (j = 0; j < KYBER_N / 4; j++) { for (k = 0; k < 4; k++) { - { - t[k] = ((((uint32_t)a->vec[i].coeffs[4 * j + k] << 10) + KYBER_Q / 2) - / KYBER_Q) & 0x3ff; - } + t[k] = ((((uint32_t)a->vec[i].coeffs[4 * j + k] << 10) + KYBER_Q / 2) + / KYBER_Q) & 0x3ff; } r[0] = (t[0] >> 0); @@ -52,7 +50,7 @@ void PQCLEAN_KYBER51290S_AVX2_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSED **************************************************/ void PQCLEAN_KYBER51290S_AVX2_polyvec_decompress(polyvec *restrict r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]) { - unsigned int i = 0, j = 0, k = 0; + size_t i, j, k; uint16_t t[4]; for (i = 0; i < KYBER_K; i++) { @@ -80,7 +78,7 @@ void PQCLEAN_KYBER51290S_AVX2_polyvec_decompress(polyvec *restrict r, * - polyvec *a: pointer to input vector of polynomials **************************************************/ void PQCLEAN_KYBER51290S_AVX2_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], polyvec *a) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER51290S_AVX2_poly_tobytes(r + i * KYBER_POLYBYTES, &a->vec[i]); } @@ -97,7 +95,7 @@ void PQCLEAN_KYBER51290S_AVX2_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], pol * (of length KYBER_POLYVECBYTES) **************************************************/ void PQCLEAN_KYBER51290S_AVX2_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER51290S_AVX2_poly_frombytes(&r->vec[i], a + i * KYBER_POLYBYTES); } 
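Review bot: `/ KYBER_Q` in the now-unbraced loop body of polyvec_compress divides coefficients that, on the encryption path, derive from the secret coins, so the emitted division must not be data-dependent in time; with a constant divisor most optimizing compilers strength-reduce it to a multiply-and-shift, but that is not guaranteed at every optimization level or target, and a hardware divide on secret data is a timing side channel. A defensive rewrite replaces the division with an explicit multiply by a precomputed reciprocal and a shift (with the rounding term kept), so the constant-time property no longer depends on the optimizer; the same pattern presumably exists in poly_compress, whose compression loop is not visible in this diff. polyvec_compress continues past the hunk.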
@@ -111,7 +109,7 @@ void PQCLEAN_KYBER51290S_AVX2_polyvec_frombytes(polyvec *r, const uint8_t a[KYBE * Arguments: - polyvec *r: pointer to in/output vector of polynomials **************************************************/ void PQCLEAN_KYBER51290S_AVX2_polyvec_ntt(polyvec *r) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER51290S_AVX2_poly_ntt(&r->vec[i]); } @@ -126,7 +124,7 @@ void PQCLEAN_KYBER51290S_AVX2_polyvec_ntt(polyvec *r) { * Arguments: - polyvec *r: pointer to in/output vector of polynomials **************************************************/ void PQCLEAN_KYBER51290S_AVX2_polyvec_invntt_tomont(polyvec *r) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER51290S_AVX2_poly_invntt_tomont(&r->vec[i]); } @@ -145,7 +143,7 @@ void PQCLEAN_KYBER51290S_AVX2_polyvec_invntt_tomont(polyvec *r) { void PQCLEAN_KYBER51290S_AVX2_polyvec_pointwise_acc_montgomery(poly *r, const polyvec *a, const polyvec *b) { - PQCLEAN_KYBER51290S_AVX2_basemul_acc_avx(r->coeffs, a->vec->coeffs, b->vec->coeffs, &PQCLEAN_KYBER51290S_AVX2_qdata); + PQCLEAN_KYBER51290S_AVX2_basemul_acc_avx(r->coeffs, a->vec->coeffs, b->vec->coeffs, & PQCLEAN_KYBER51290S_AVX2_qdata); } /************************************************* @@ -158,7 +156,7 @@ void PQCLEAN_KYBER51290S_AVX2_polyvec_pointwise_acc_montgomery(poly *r, * Arguments: - poly *r: pointer to input/output polynomial **************************************************/ void PQCLEAN_KYBER51290S_AVX2_polyvec_reduce(polyvec *r) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER51290S_AVX2_poly_reduce(&r->vec[i]); } 
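Review bot: `& PQCLEAN_KYBER51290S_AVX2_qdata` in polyvec_pointwise_acc_montgomery now has a space between the address-of operator and its operand, which reads like a binary `&` and is inconsistent with `&r->vec[i]` elsewhere in the same file; this looks like a formatter artifact rather than an intended change. I'd restore `&PQCLEAN_KYBER51290S_AVX2_qdata`. That call is the whole function body, so nothing else is affected.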
@@ -175,7 +173,7 @@ void PQCLEAN_KYBER51290S_AVX2_polyvec_reduce(polyvec *r) { * Arguments: - poly *r: pointer to input/output polynomial **************************************************/ void PQCLEAN_KYBER51290S_AVX2_polyvec_csubq(polyvec *r) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER51290S_AVX2_poly_csubq(&r->vec[i]); } @@ -191,7 +189,7 @@ void PQCLEAN_KYBER51290S_AVX2_polyvec_csubq(polyvec *r) { * - const polyvec *b: pointer to second input vector of polynomials **************************************************/ void PQCLEAN_KYBER51290S_AVX2_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER51290S_AVX2_poly_add(&r->vec[i], &a->vec[i], &b->vec[i]); } diff --git a/crypto_kem/kyber512-90s/avx2/polyvec.h b/crypto_kem/kyber512-90s/avx2/polyvec.h index 2e18524f..ab3004e5 100644 --- a/crypto_kem/kyber512-90s/avx2/polyvec.h +++ b/crypto_kem/kyber512-90s/avx2/polyvec.h @@ -1,6 +1,5 @@ #ifndef PQCLEAN_KYBER51290S_AVX2_POLYVEC_H #define PQCLEAN_KYBER51290S_AVX2_POLYVEC_H - #include "params.h" #include "poly.h" #include 
@@ -9,33 +8,23 @@ typedef struct { poly vec[KYBER_K]; } polyvec; - void PQCLEAN_KYBER51290S_AVX2_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], polyvec *a); - void PQCLEAN_KYBER51290S_AVX2_polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]); - void PQCLEAN_KYBER51290S_AVX2_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], polyvec *a); - void PQCLEAN_KYBER51290S_AVX2_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]); - void PQCLEAN_KYBER51290S_AVX2_polyvec_ntt(polyvec *r); - void PQCLEAN_KYBER51290S_AVX2_polyvec_invntt_tomont(polyvec *r); - void PQCLEAN_KYBER51290S_AVX2_polyvec_pointwise_acc_montgomery(poly *r, const polyvec *a, const polyvec *b); - void PQCLEAN_KYBER51290S_AVX2_polyvec_reduce(polyvec *r); - void PQCLEAN_KYBER51290S_AVX2_polyvec_csubq(polyvec *r); - void PQCLEAN_KYBER51290S_AVX2_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b); #endif diff --git a/crypto_kem/kyber512-90s/avx2/reduce.h b/crypto_kem/kyber512-90s/avx2/reduce.h index ea30af38..d91d158b 100644 --- a/crypto_kem/kyber512-90s/avx2/reduce.h +++ b/crypto_kem/kyber512-90s/avx2/reduce.h @@ -1,16 +1,10 @@ -#ifndef REDUCE_H -#define REDUCE_H - +#ifndef PQCLEAN_KYBER51290S_AVX2_REDUCE_H +#define PQCLEAN_KYBER51290S_AVX2_REDUCE_H +#include "consts.h" #include -#include "consts.h" -#include "params.h" - - int16_t PQCLEAN_KYBER51290S_AVX2_reduce_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER51290S_AVX2_qdata); - int16_t PQCLEAN_KYBER51290S_AVX2_csubq_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER51290S_AVX2_qdata); - int16_t PQCLEAN_KYBER51290S_AVX2_tomont_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER51290S_AVX2_qdata); #endif diff --git a/crypto_kem/kyber512-90s/avx2/rejsample.c b/crypto_kem/kyber512-90s/avx2/rejsample.c index b676af83..8735b944 100644 --- a/crypto_kem/kyber512-90s/avx2/rejsample.c +++ b/crypto_kem/kyber512-90s/avx2/rejsample.c 
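Review bot: The prototypes kept in reduce.h name their pointer parameter `PQCLEAN_KYBER51290S_AVX2_qdata`, the same identifier as the global object whose address polyvec.c passes in as `&PQCLEAN_KYBER51290S_AVX2_qdata`; prototype-scope names cannot clash, but a reader will take the parameter for the global. Those lines are unchanged context, yet since the header is being reworked anyway, `const qdata_t *qdata` in all three declarations would remove the ambiguity. The hunk also drops `#include "params.h"`; the remaining declarations only need int16_t and qdata_t, so this is fine provided consts.h is self-contained, which cannot be checked from this diff.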
@@ -2,6 +2,7 @@ #include "consts.h" #include "params.h" #include "rejsample.h" +#include #include static const ALIGN32_ARRAY_2D(uint8_t, 256, 8) idx = {.arr = { @@ -270,9 +271,9 @@ static const ALIGN32_ARRAY_2D(uint8_t, 256, 8) idx = {.arr = { #define REJ_UNIFORM_BUFLEN 576 unsigned int PQCLEAN_KYBER51290S_AVX2_rej_uniform_avx(int16_t *restrict r, const uint8_t *restrict buf) { - unsigned int ctr = 0, pos = 0; - uint16_t val = 0; - uint32_t good = 0; + unsigned int ctr, pos; + uint16_t val; + uint32_t good; const __m256i bound = _mm256_set1_epi16((int16_t)(19 * KYBER_Q - 1)); const __m256i ones = _mm256_set1_epi8(1); const __m256i kyberq = _mm256_load_si256((__m256i *)&PQCLEAN_KYBER51290S_AVX2_qdata.as_arr[_16XQ]); @@ -297,7 +298,7 @@ unsigned int PQCLEAN_KYBER51290S_AVX2_rej_uniform_avx(int16_t *restrict r, g1 = _mm256_inserti128_si256(g1, _mm_loadl_epi64((__m128i *)&idx.arr[(good >> 24) & 0xFF]), 1); //g0 = _mm256_cvtepu8_epi64(_mm_loadl_epi64((__m128i *)&good)); - //g1 = _mm256_i64gather_epi64((long long *)idx, g0, 8); + //g1 = _mm256_i64gather_epi64((long long *)idx.arr, g0, 8); /* Barrett reduction of (still unsigned) values */ g2 = _mm256_mulhi_epu16(f0, v); diff --git a/crypto_kem/kyber512-90s/avx2/rejsample.h b/crypto_kem/kyber512-90s/avx2/rejsample.h index eddd5096..5c981845 100644 --- a/crypto_kem/kyber512-90s/avx2/rejsample.h +++ b/crypto_kem/kyber512-90s/avx2/rejsample.h @@ -1,10 +1,8 @@ -#ifndef REJSAMPLE_H -#define REJSAMPLE_H - +#ifndef PQCLEAN_KYBER51290S_AVX2_REJSAMPLE_H +#define PQCLEAN_KYBER51290S_AVX2_REJSAMPLE_H #include "params.h" #include - unsigned int PQCLEAN_KYBER51290S_AVX2_rej_uniform_avx(int16_t *r, const unsigned char *buf); diff --git a/crypto_kem/kyber512-90s/avx2/shuffle.S b/crypto_kem/kyber512-90s/avx2/shuffle.S index ff87dd54..01eeea32 100644 --- a/crypto_kem/kyber512-90s/avx2/shuffle.S +++ b/crypto_kem/kyber512-90s/avx2/shuffle.S @@ -1,4 +1,4 @@ -#include "cdecl.inc" +#include "cdecl.h" .include "fq.inc" .include "shuffle.inc" 
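Review bot: The second rejsample.c hunk edits a commented-out statement, `//g1 = _mm256_i64gather_epi64((long long *)idx.arr, g0, 8);`, to keep dead code in step with the idx rename; commented-out code that has to be maintained should either be deleted together with the `//g0 = ...` line above it or be replaced by a short comment saying why the gather variant is not used. The first hunk also drops the initializers of ctr, pos, val and good in rej_uniform_avx; the body continues outside the hunk, so whether each is assigned before its first read cannot be confirmed here, unlike the clean rej_uniform in indcpa.c, which has an explicit `ctr = pos = 0;`.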
@@ -92,7 +92,9 @@ vmovdqa %ymm11,224(%rdi) ret .global cdecl(PQCLEAN_KYBER51290S_AVX2_nttunpack_avx) +.global _cdecl(PQCLEAN_KYBER51290S_AVX2_nttunpack_avx) cdecl(PQCLEAN_KYBER51290S_AVX2_nttunpack_avx): +_cdecl(PQCLEAN_KYBER51290S_AVX2_nttunpack_avx): call nttunpack128_avx add $256,%rdi call nttunpack128_avx @@ -169,7 +171,9 @@ vmovdqu %ymm9,160(%rdi) ret .global cdecl(PQCLEAN_KYBER51290S_AVX2_ntttobytes_avx) +.global _cdecl(PQCLEAN_KYBER51290S_AVX2_ntttobytes_avx) cdecl(PQCLEAN_KYBER51290S_AVX2_ntttobytes_avx): +_cdecl(PQCLEAN_KYBER51290S_AVX2_ntttobytes_avx): #consts vmovdqa _16XQ*2(%rdx),%ymm0 call ntttobytes128_avx @@ -245,7 +249,9 @@ vmovdqa %ymm1,224(%rdi) ret .global cdecl(PQCLEAN_KYBER51290S_AVX2_nttfrombytes_avx) +.global _cdecl(PQCLEAN_KYBER51290S_AVX2_nttfrombytes_avx) cdecl(PQCLEAN_KYBER51290S_AVX2_nttfrombytes_avx): +_cdecl(PQCLEAN_KYBER51290S_AVX2_nttfrombytes_avx): #consts vmovdqa _16XMASK*2(%rdx),%ymm0 call nttfrombytes128_avx diff --git a/crypto_kem/kyber512-90s/avx2/symmetric.h b/crypto_kem/kyber512-90s/avx2/symmetric.h index b6a1109c..93af0198 100644 --- a/crypto_kem/kyber512-90s/avx2/symmetric.h +++ b/crypto_kem/kyber512-90s/avx2/symmetric.h @@ -1,13 +1,12 @@ -#ifndef SYMMETRIC_H -#define SYMMETRIC_H - +#ifndef PQCLEAN_KYBER51290S_AVX2_SYMMETRIC_H +#define PQCLEAN_KYBER51290S_AVX2_SYMMETRIC_H +#include "aes256ctr.h" #include "params.h" +#include "sha2.h" #include #include -#include "aes256ctr.h" -#include "sha2.h" typedef aes256ctr_ctx xof_state; diff --git a/crypto_kem/kyber512-90s/avx2/verify.c b/crypto_kem/kyber512-90s/avx2/verify.c index 92e0f317..bec349b4 100644 --- a/crypto_kem/kyber512-90s/avx2/verify.c +++ b/crypto_kem/kyber512-90s/avx2/verify.c 
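Review bot: Each exported routine in shuffle.S now carries two labels, `cdecl(NAME)` and `_cdecl(NAME)`, and both are marked `.global`; what the two macros expand to lives in cdecl.h, which is not part of this diff, so a one-line comment at the first pair (before nttunpack_avx) saying that the second label supplies the underscore-prefixed symbol some platforms expect would save the next reader a lookup. If the two expansions ever coincide on a platform the assembler will reject the duplicate label, and where they differ the object exports an extra symbol; it is worth confirming that cdecl.h rules out the first case. The same pattern repeats for ntttobytes_avx and nttfrombytes_avx in the following hunks.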
@@ -15,8 +15,8 @@ * Returns 0 if the byte arrays are equal, 1 otherwise **************************************************/ int PQCLEAN_KYBER51290S_AVX2_verify(const uint8_t *a, const uint8_t *b, size_t len) { - size_t pos = 0; - uint64_t r = 0; + size_t pos; + uint64_t r; __m256i avec, bvec, cvec; cvec = _mm256_setzero_si256(); @@ -53,7 +53,7 @@ int PQCLEAN_KYBER51290S_AVX2_verify(const uint8_t *a, const uint8_t *b, size_t l * unsigned char b: Condition bit; has to be in {0,1} **************************************************/ void PQCLEAN_KYBER51290S_AVX2_cmov(uint8_t *restrict r, const uint8_t *restrict x, size_t len, uint8_t b) { - size_t pos = 0; + size_t pos; __m256i xvec, rvec, bvec; b = -b; diff --git a/crypto_kem/kyber512-90s/avx2/verify.h b/crypto_kem/kyber512-90s/avx2/verify.h index 300077db..493c5b50 100644 --- a/crypto_kem/kyber512-90s/avx2/verify.h +++ b/crypto_kem/kyber512-90s/avx2/verify.h @@ -1,14 +1,11 @@ #ifndef PQCLEAN_KYBER51290S_AVX2_VERIFY_H #define PQCLEAN_KYBER51290S_AVX2_VERIFY_H - #include "params.h" #include #include - int PQCLEAN_KYBER51290S_AVX2_verify(const uint8_t *a, const uint8_t *b, size_t len); - void PQCLEAN_KYBER51290S_AVX2_cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b); #endif diff --git a/crypto_kem/kyber512-90s/clean/Makefile b/crypto_kem/kyber512-90s/clean/Makefile index 7f676006..192b7758 100644 --- a/crypto_kem/kyber512-90s/clean/Makefile +++ b/crypto_kem/kyber512-90s/clean/Makefile 
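Review bot: `uint64_t r;` loses its zero initializer in PQCLEAN_KYBER51290S_AVX2_verify while the rest of the function is outside the hunk, so it cannot be seen here whether r is first written by a plain assignment or OR-ed into; the clean verify in this same commit keeps `uint8_t r = 0;`, which suggests an accumulator there. If r is set from the compare/movemask result before being read the change is fine, otherwise it reintroduces an uninitialized read into a constant-time comparison. The same pattern appears in crypto_kem_dec (`int fail;`) in kem.c and in rej_uniform_avx in rejsample.c; one build of each with -Wmaybe-uninitialized or a sanitizer would settle all three.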
@@ -1,29 +1,8 @@ # This Makefile can be used with GNU Make or BSD Make LIB=libkyber512-90s_clean.a -HEADERS= \ - api.h \ - cbd.h \ - indcpa.h \ - kem.h \ - ntt.h \ - params.h \ - poly.h \ - polyvec.h \ - reduce.h \ - symmetric-aes.h \ - symmetric.h \ - verify.h -OBJECTS= \ - cbd.o \ - indcpa.o \ - kem.o \ - ntt.o \ - poly.o \ - polyvec.o \ - reduce.o \ - verify.o \ - symmetric-aes.o +HEADERS=api.h cbd.h indcpa.h kem.h ntt.h params.h poly.h polyvec.h reduce.h symmetric-aes.h symmetric.h verify.h +OBJECTS=cbd.o indcpa.o kem.o ntt.o poly.o polyvec.o reduce.o symmetric-aes.o verify.o CFLAGS=-O3 -Wall -Wextra -Wpedantic -Werror -Wmissing-prototypes -Wredundant-decls -std=c99 -I../../../common $(EXTRAFLAGS) diff --git a/crypto_kem/kyber512-90s/clean/Makefile.Microsoft_nmake b/crypto_kem/kyber512-90s/clean/Makefile.Microsoft_nmake index 481a831d..c2ecfa3f 100644 --- a/crypto_kem/kyber512-90s/clean/Makefile.Microsoft_nmake +++ b/crypto_kem/kyber512-90s/clean/Makefile.Microsoft_nmake @@ -2,7 +2,7 @@ # nmake /f Makefile.Microsoft_nmake LIBRARY=libkyber512-90s_clean.lib -OBJECTS=cbd.obj indcpa.obj kem.obj ntt.obj poly.obj polyvec.obj reduce.obj verify.obj symmetric-aes.obj +OBJECTS=cbd.obj indcpa.obj kem.obj ntt.obj poly.obj polyvec.obj reduce.obj symmetric-aes.obj verify.obj # Warning C4146 is raised when a unary minus operator is applied to an # unsigned type; this has nonetheless been standard and portable for as diff --git a/crypto_kem/kyber512-90s/clean/api.h b/crypto_kem/kyber512-90s/clean/api.h index 37dd682b..757a5bc6 100644 --- a/crypto_kem/kyber512-90s/clean/api.h +++ b/crypto_kem/kyber512-90s/clean/api.h @@ -15,5 +15,4 @@ int PQCLEAN_KYBER51290S_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uin int PQCLEAN_KYBER51290S_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - #endif diff --git a/crypto_kem/kyber512-90s/clean/cbd.c b/crypto_kem/kyber512-90s/clean/cbd.c index bf8f5bef..8dd938fe 100644 --- a/crypto_kem/kyber512-90s/clean/cbd.c 
+++ b/crypto_kem/kyber512-90s/clean/cbd.c @@ -1,5 +1,5 @@ -#include "params.h" #include "cbd.h" +#include "params.h" #include /************************************************* @@ -13,7 +13,7 @@ * Returns 32-bit unsigned integer loaded from x **************************************************/ static uint32_t load32_littleendian(const uint8_t x[4]) { - uint32_t r = 0; + uint32_t r; r = (uint32_t)x[0]; r |= (uint32_t)x[1] << 8; r |= (uint32_t)x[2] << 16; @@ -32,9 +32,9 @@ static uint32_t load32_littleendian(const uint8_t x[4]) { * - const uint8_t *buf: pointer to input byte array **************************************************/ void PQCLEAN_KYBER51290S_CLEAN_cbd(poly *r, const uint8_t buf[KYBER_ETA * KYBER_N / 4]) { - unsigned int i = 0, j = 0; - uint32_t t = 0, d = 0; - int16_t a = 0, b = 0; + unsigned int i, j; + uint32_t t, d; + int16_t a, b; for (i = 0; i < KYBER_N / 8; i++) { t = load32_littleendian(buf + 4 * i); diff --git a/crypto_kem/kyber512-90s/clean/cbd.h b/crypto_kem/kyber512-90s/clean/cbd.h index 676cddcc..7601ab56 100644 --- a/crypto_kem/kyber512-90s/clean/cbd.h +++ b/crypto_kem/kyber512-90s/clean/cbd.h @@ -1,11 +1,9 @@ #ifndef PQCLEAN_KYBER51290S_CLEAN_CBD_H #define PQCLEAN_KYBER51290S_CLEAN_CBD_H - #include "params.h" #include "poly.h" #include - void PQCLEAN_KYBER51290S_CLEAN_cbd(poly *r, const uint8_t buf[KYBER_ETA * KYBER_N / 4]); #endif diff --git a/crypto_kem/kyber512-90s/clean/indcpa.c b/crypto_kem/kyber512-90s/clean/indcpa.c index 6edbfe36..bb5712ef 100644 --- a/crypto_kem/kyber512-90s/clean/indcpa.c +++ b/crypto_kem/kyber512-90s/clean/indcpa.c @@ -22,7 +22,7 @@ static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES], polyvec *pk, const uint8_t seed[KYBER_SYMBYTES]) { - size_t i = 0; + size_t i; PQCLEAN_KYBER51290S_CLEAN_polyvec_tobytes(r, pk); for (i = 0; i < KYBER_SYMBYTES; i++) { r[i + KYBER_POLYVECBYTES] = seed[i]; 
@@ -44,7 +44,7 @@ static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES], static void unpack_pk(polyvec *pk, uint8_t seed[KYBER_SYMBYTES], const uint8_t packedpk[KYBER_INDCPA_PUBLICKEYBYTES]) { - size_t i = 0; + size_t i; PQCLEAN_KYBER51290S_CLEAN_polyvec_frombytes(pk, packedpk); for (i = 0; i < KYBER_SYMBYTES; i++) { seed[i] = packedpk[i + KYBER_POLYVECBYTES]; @@ -132,8 +132,8 @@ static unsigned int rej_uniform(int16_t *r, unsigned int len, const uint8_t *buf, unsigned int buflen) { - unsigned int ctr = 0, pos = 0; - uint16_t val = 0; + unsigned int ctr, pos; + uint16_t val; ctr = pos = 0; while (ctr < len && pos + 2 <= buflen) { @@ -169,8 +169,7 @@ static unsigned int rej_uniform(int16_t *r, + XOF_BLOCKBYTES)/XOF_BLOCKBYTES) // Not static for benchmarking void PQCLEAN_KYBER51290S_CLEAN_gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed) { - unsigned int ctr = 0; - uint8_t i = 0, j = 0; + unsigned int ctr, i, j; uint8_t buf[GEN_MATRIX_NBLOCKS * XOF_BLOCKBYTES]; xof_state state; @@ -208,7 +207,7 @@ void PQCLEAN_KYBER51290S_CLEAN_gen_matrix(polyvec *a, const uint8_t seed[KYBER_S **************************************************/ void PQCLEAN_KYBER51290S_CLEAN_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]) { - unsigned int i = 0; + unsigned int i; uint8_t buf[2 * KYBER_SYMBYTES]; const uint8_t *publicseed = buf; const uint8_t *noiseseed = buf + KYBER_SYMBYTES; @@ -264,7 +263,7 @@ void PQCLEAN_KYBER51290S_CLEAN_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], const uint8_t m[KYBER_INDCPA_MSGBYTES], const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], const uint8_t coins[KYBER_SYMBYTES]) { - unsigned int i = 0; + unsigned int i; uint8_t seed[KYBER_SYMBYTES]; uint8_t nonce = 0; polyvec sp, pkpv, ep, at[KYBER_K], bp; diff --git a/crypto_kem/kyber512-90s/clean/indcpa.h b/crypto_kem/kyber512-90s/clean/indcpa.h index 8d3571b4..9f56d841 100644 --- a/crypto_kem/kyber512-90s/clean/indcpa.h 
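Review bot: gen_matrix changes i and j from `uint8_t` to `unsigned int` in the combined declaration `unsigned int ctr, i, j;`; if these still flow into the XOF absorb call as the two nonce bytes, as the previous uint8_t typing suggests, the narrowing now happens implicitly at the call site, which is outside the hunk. With KYBER_K at most 4 no value is lost, but an explicit `(uint8_t)i, (uint8_t)j` at the call, or a comment next to the declaration, would document that the nonce is a single byte by construction. The remainder of the function is not visible here.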
+++ b/crypto_kem/kyber512-90s/clean/indcpa.h @@ -1,16 +1,20 @@ #ifndef PQCLEAN_KYBER51290S_CLEAN_INDCPA_H #define PQCLEAN_KYBER51290S_CLEAN_INDCPA_H - #include "params.h" #include "polyvec.h" #include void PQCLEAN_KYBER51290S_CLEAN_gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed); +void PQCLEAN_KYBER51290S_CLEAN_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], + uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); -void PQCLEAN_KYBER51290S_CLEAN_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); +void PQCLEAN_KYBER51290S_CLEAN_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], + const uint8_t m[KYBER_INDCPA_MSGBYTES], + const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], + const uint8_t coins[KYBER_SYMBYTES]); -void PQCLEAN_KYBER51290S_CLEAN_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], const uint8_t m[KYBER_INDCPA_MSGBYTES], const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], const uint8_t coins[KYBER_SYMBYTES]); - -void PQCLEAN_KYBER51290S_CLEAN_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES], const uint8_t c[KYBER_INDCPA_BYTES], const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); +void PQCLEAN_KYBER51290S_CLEAN_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES], + const uint8_t c[KYBER_INDCPA_BYTES], + const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); #endif diff --git a/crypto_kem/kyber512-90s/clean/kem.c b/crypto_kem/kyber512-90s/clean/kem.c index b58a00df..9e27c337 100644 --- a/crypto_kem/kyber512-90s/clean/kem.c +++ b/crypto_kem/kyber512-90s/clean/kem.c @@ -21,7 +21,7 @@ * Returns 0 (success) **************************************************/ int PQCLEAN_KYBER51290S_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) { - size_t i = 0; + size_t i; PQCLEAN_KYBER51290S_CLEAN_indcpa_keypair(pk, sk); for (i = 0; i < KYBER_INDCPA_PUBLICKEYBYTES; i++) { sk[i + KYBER_INDCPA_SECRETKEYBYTES] = pk[i]; 
@@ -92,8 +92,8 @@ int PQCLEAN_KYBER51290S_CLEAN_crypto_kem_enc(unsigned char *ct, int PQCLEAN_KYBER51290S_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) { - size_t i = 0; - int fail = 0; + size_t i; + int fail; uint8_t buf[2 * KYBER_SYMBYTES]; /* Will contain key, coins */ uint8_t kr[2 * KYBER_SYMBYTES]; diff --git a/crypto_kem/kyber512-90s/clean/kem.h b/crypto_kem/kyber512-90s/clean/kem.h index 9373b40d..e2ce0069 100644 --- a/crypto_kem/kyber512-90s/clean/kem.h +++ b/crypto_kem/kyber512-90s/clean/kem.h @@ -1,17 +1,14 @@ #ifndef PQCLEAN_KYBER51290S_CLEAN_KEM_H #define PQCLEAN_KYBER51290S_CLEAN_KEM_H - #include "params.h" int PQCLEAN_KYBER51290S_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk); - int PQCLEAN_KYBER51290S_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk); - int PQCLEAN_KYBER51290S_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk); diff --git a/crypto_kem/kyber512-90s/clean/ntt.c b/crypto_kem/kyber512-90s/clean/ntt.c index f2a7ecf1..dcdf4d1e 100644 --- a/crypto_kem/kyber512-90s/clean/ntt.c +++ b/crypto_kem/kyber512-90s/clean/ntt.c @@ -1,5 +1,5 @@ -#include "params.h" #include "ntt.h" +#include "params.h" #include "reduce.h" #include @@ -89,8 +89,8 @@ static int16_t fqmul(int16_t a, int16_t b) { * of Zq **************************************************/ void PQCLEAN_KYBER51290S_CLEAN_ntt(int16_t r[256]) { - unsigned int len = 0, start = 0, j = 0, k = 0; - int16_t t = 0, zeta = 0; + unsigned int len, start, j, k; + int16_t t, zeta; k = 1; for (len = 128; len >= 2; len >>= 1) { 
@@ -116,8 +116,8 @@ void PQCLEAN_KYBER51290S_CLEAN_ntt(int16_t r[256]) { * of Zq **************************************************/ void PQCLEAN_KYBER51290S_CLEAN_invntt(int16_t r[256]) { - unsigned int start = 0, len = 0, j = 0, k = 0; - int16_t t = 0, zeta = 0; + unsigned int start, len, j, k; + int16_t t, zeta; k = 0; for (len = 2; len <= 128; len <<= 1) { @@ -148,7 +148,10 @@ void PQCLEAN_KYBER51290S_CLEAN_invntt(int16_t r[256]) { * - const int16_t b[2]: pointer to the second factor * - int16_t zeta: integer defining the reduction polynomial **************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], int16_t zeta) { +void PQCLEAN_KYBER51290S_CLEAN_basemul(int16_t r[2], + const int16_t a[2], + const int16_t b[2], + int16_t zeta) { r[0] = fqmul(a[1], b[1]); r[0] = fqmul(r[0], zeta); r[0] += fqmul(a[0], b[0]); diff --git a/crypto_kem/kyber512-90s/clean/ntt.h b/crypto_kem/kyber512-90s/clean/ntt.h index 8a96c3d4..bcb98594 100644 --- a/crypto_kem/kyber512-90s/clean/ntt.h +++ b/crypto_kem/kyber512-90s/clean/ntt.h @@ -1,22 +1,19 @@ #ifndef PQCLEAN_KYBER51290S_CLEAN_NTT_H #define PQCLEAN_KYBER51290S_CLEAN_NTT_H - #include "params.h" #include - extern const int16_t PQCLEAN_KYBER51290S_CLEAN_zetas[128]; - extern const int16_t PQCLEAN_KYBER51290S_CLEAN_zetas_inv[128]; - void PQCLEAN_KYBER51290S_CLEAN_ntt(int16_t r[256]); - void PQCLEAN_KYBER51290S_CLEAN_invntt(int16_t r[256]); - -void PQCLEAN_KYBER51290S_CLEAN_basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], int16_t zeta); +void PQCLEAN_KYBER51290S_CLEAN_basemul(int16_t r[2], + const int16_t a[2], + const int16_t b[2], + int16_t zeta); #endif diff --git a/crypto_kem/kyber512-90s/clean/params.h b/crypto_kem/kyber512-90s/clean/params.h index 16775a59..ea083a4a 100644 --- a/crypto_kem/kyber512-90s/clean/params.h +++ b/crypto_kem/kyber512-90s/clean/params.h 
@@ -1,6 +1,9 @@ #ifndef PQCLEAN_KYBER51290S_CLEAN_PARAMS_H #define PQCLEAN_KYBER51290S_CLEAN_PARAMS_H + + + #define KYBER_N 256 #define KYBER_Q 3329 diff --git a/crypto_kem/kyber512-90s/clean/poly.c b/crypto_kem/kyber512-90s/clean/poly.c index c2c64b4f..41f54df9 100644 --- a/crypto_kem/kyber512-90s/clean/poly.c +++ b/crypto_kem/kyber512-90s/clean/poly.c @@ -1,6 +1,6 @@ -#include "params.h" #include "cbd.h" #include "ntt.h" +#include "params.h" #include "poly.h" #include "reduce.h" #include "symmetric.h" @@ -16,7 +16,7 @@ * - poly *a: pointer to input polynomial **************************************************/ void PQCLEAN_KYBER51290S_CLEAN_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], poly *a) { - unsigned int i = 0, j = 0; + size_t i, j; uint8_t t[8]; PQCLEAN_KYBER51290S_CLEAN_poly_csubq(a); @@ -44,9 +44,9 @@ void PQCLEAN_KYBER51290S_CLEAN_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES * (of length KYBER_POLYCOMPRESSEDBYTES bytes) **************************************************/ void PQCLEAN_KYBER51290S_CLEAN_poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]) { - unsigned int i = 0; + size_t i; - unsigned int j = 0; + size_t j; uint8_t t[8]; for (i = 0; i < KYBER_N / 8; i++) { t[0] = (a[0] >> 0); @@ -75,8 +75,8 @@ void PQCLEAN_KYBER51290S_CLEAN_poly_decompress(poly *r, const uint8_t a[KYBER_PO * - poly *a: pointer to input polynomial **************************************************/ void PQCLEAN_KYBER51290S_CLEAN_poly_tobytes(uint8_t r[KYBER_POLYBYTES], poly *a) { - unsigned int i = 0; - uint16_t t0 = 0, t1 = 0; + size_t i; + uint16_t t0, t1; PQCLEAN_KYBER51290S_CLEAN_poly_csubq(a); 
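Review bot: The params.h hunk inserts three consecutive blank lines between the include guard and `#define KYBER_N 256`, which looks like residue of a generator that stripped something rather than intended formatting; one blank line is enough. In poly_decompress, the new `size_t i;` and `size_t j;` stay separated by the empty line inherited from the old version, which reads as two unrelated declarations; `size_t i, j;` on one line would match poly_compress directly above.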
@@ -100,7 +100,7 @@ void PQCLEAN_KYBER51290S_CLEAN_poly_tobytes(uint8_t r[KYBER_POLYBYTES], poly *a) * (of KYBER_POLYBYTES bytes) **************************************************/ void PQCLEAN_KYBER51290S_CLEAN_poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_N / 2; i++) { r->coeffs[2 * i] = ((a[3 * i + 0] >> 0) | ((uint16_t)a[3 * i + 1] << 8)) & 0xFFF; r->coeffs[2 * i + 1] = ((a[3 * i + 1] >> 4) | ((uint16_t)a[3 * i + 2] << 4)) & 0xFFF; @@ -116,8 +116,8 @@ void PQCLEAN_KYBER51290S_CLEAN_poly_frombytes(poly *r, const uint8_t a[KYBER_POL * - const uint8_t *msg: pointer to input message **************************************************/ void PQCLEAN_KYBER51290S_CLEAN_poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]) { - unsigned int i = 0, j = 0; - int16_t mask = 0; + size_t i, j; + int16_t mask; for (i = 0; i < KYBER_N / 8; i++) { for (j = 0; j < 8; j++) { @@ -136,8 +136,8 @@ void PQCLEAN_KYBER51290S_CLEAN_poly_frommsg(poly *r, const uint8_t msg[KYBER_IND * - poly *a: pointer to input polynomial **************************************************/ void PQCLEAN_KYBER51290S_CLEAN_poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], poly *a) { - unsigned int i = 0, j = 0; - uint16_t t = 0; + size_t i, j; + uint16_t t; PQCLEAN_KYBER51290S_CLEAN_poly_csubq(a); @@ -205,7 +205,7 @@ void PQCLEAN_KYBER51290S_CLEAN_poly_invntt_tomont(poly *r) { * - const poly *b: pointer to second input polynomial **************************************************/ void PQCLEAN_KYBER51290S_CLEAN_poly_basemul_montgomery(poly *r, const poly *a, const poly *b) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_N / 4; i++) { PQCLEAN_KYBER51290S_CLEAN_basemul(&r->coeffs[4 * i], &a->coeffs[4 * i], &b->coeffs[4 * i], PQCLEAN_KYBER51290S_CLEAN_zetas[64 + i]); PQCLEAN_KYBER51290S_CLEAN_basemul(&r->coeffs[4 * i + 2], &a->coeffs[4 * i + 2], &b->coeffs[4 * i + 2], 
@@ -222,7 +222,7 @@ void PQCLEAN_KYBER51290S_CLEAN_poly_basemul_montgomery(poly *r, const poly *a, c * Arguments: - poly *r: pointer to input/output polynomial **************************************************/ void PQCLEAN_KYBER51290S_CLEAN_poly_tomont(poly *r) { - unsigned int i = 0; + size_t i; const int16_t f = (1ULL << 32) % KYBER_Q; for (i = 0; i < KYBER_N; i++) { r->coeffs[i] = PQCLEAN_KYBER51290S_CLEAN_montgomery_reduce((int32_t)r->coeffs[i] * f); @@ -238,7 +238,7 @@ void PQCLEAN_KYBER51290S_CLEAN_poly_tomont(poly *r) { * Arguments: - poly *r: pointer to input/output polynomial **************************************************/ void PQCLEAN_KYBER51290S_CLEAN_poly_reduce(poly *r) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_N; i++) { r->coeffs[i] = PQCLEAN_KYBER51290S_CLEAN_barrett_reduce(r->coeffs[i]); } @@ -254,7 +254,7 @@ void PQCLEAN_KYBER51290S_CLEAN_poly_reduce(poly *r) { * Arguments: - poly *r: pointer to input/output polynomial **************************************************/ void PQCLEAN_KYBER51290S_CLEAN_poly_csubq(poly *r) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_N; i++) { r->coeffs[i] = PQCLEAN_KYBER51290S_CLEAN_csubq(r->coeffs[i]); } @@ -270,7 +270,7 @@ void PQCLEAN_KYBER51290S_CLEAN_poly_csubq(poly *r) { * - const poly *b: pointer to second input polynomial **************************************************/ void PQCLEAN_KYBER51290S_CLEAN_poly_add(poly *r, const poly *a, const poly *b) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_N; i++) { r->coeffs[i] = a->coeffs[i] + b->coeffs[i]; } @@ -286,7 +286,7 @@ void PQCLEAN_KYBER51290S_CLEAN_poly_add(poly *r, const poly *a, const poly *b) { * - const poly *b: pointer to second input polynomial **************************************************/ void PQCLEAN_KYBER51290S_CLEAN_poly_sub(poly *r, const poly *a, const poly *b) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_N; i++) { r->coeffs[i] = a->coeffs[i] - b->coeffs[i]; } 
diff --git a/crypto_kem/kyber512-90s/clean/poly.h b/crypto_kem/kyber512-90s/clean/poly.h index dc968ea7..4f9a0aef 100644 --- a/crypto_kem/kyber512-90s/clean/poly.h +++ b/crypto_kem/kyber512-90s/clean/poly.h @@ -1,6 +1,5 @@ #ifndef PQCLEAN_KYBER51290S_CLEAN_POLY_H #define PQCLEAN_KYBER51290S_CLEAN_POLY_H - #include "params.h" #include @@ -12,41 +11,26 @@ typedef struct { int16_t coeffs[KYBER_N]; } poly; - void PQCLEAN_KYBER51290S_CLEAN_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], poly *a); - void PQCLEAN_KYBER51290S_CLEAN_poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]); - void PQCLEAN_KYBER51290S_CLEAN_poly_tobytes(uint8_t r[KYBER_POLYBYTES], poly *a); - void PQCLEAN_KYBER51290S_CLEAN_poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]); - void PQCLEAN_KYBER51290S_CLEAN_poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]); - void PQCLEAN_KYBER51290S_CLEAN_poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], poly *a); - void PQCLEAN_KYBER51290S_CLEAN_poly_getnoise(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce); - void PQCLEAN_KYBER51290S_CLEAN_poly_ntt(poly *r); - void PQCLEAN_KYBER51290S_CLEAN_poly_invntt_tomont(poly *r); - void PQCLEAN_KYBER51290S_CLEAN_poly_basemul_montgomery(poly *r, const poly *a, const poly *b); - void PQCLEAN_KYBER51290S_CLEAN_poly_tomont(poly *r); - void PQCLEAN_KYBER51290S_CLEAN_poly_reduce(poly *r); - void PQCLEAN_KYBER51290S_CLEAN_poly_csubq(poly *r); - void PQCLEAN_KYBER51290S_CLEAN_poly_add(poly *r, const poly *a, const poly *b); - void PQCLEAN_KYBER51290S_CLEAN_poly_sub(poly *r, const poly *a, const poly *b); #endif diff --git a/crypto_kem/kyber512-90s/clean/polyvec.c b/crypto_kem/kyber512-90s/clean/polyvec.c index 0a4dfc29..b6414f7a 100644 --- a/crypto_kem/kyber512-90s/clean/polyvec.c +++ b/crypto_kem/kyber512-90s/clean/polyvec.c 
@@ -13,7 +13,7 @@ * - polyvec *a: pointer to input vector of polynomials **************************************************/ void PQCLEAN_KYBER51290S_CLEAN_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], polyvec *a) { - unsigned int i = 0, j = 0, k = 0; + unsigned int i, j, k; PQCLEAN_KYBER51290S_CLEAN_polyvec_csubq(a); @@ -21,10 +21,8 @@ void PQCLEAN_KYBER51290S_CLEAN_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSE for (i = 0; i < KYBER_K; i++) { for (j = 0; j < KYBER_N / 4; j++) { for (k = 0; k < 4; k++) { - { - t[k] = ((((uint32_t)a->vec[i].coeffs[4 * j + k] << 10) + KYBER_Q / 2) - / KYBER_Q) & 0x3ff; - } + t[k] = ((((uint32_t)a->vec[i].coeffs[4 * j + k] << 10) + KYBER_Q / 2) + / KYBER_Q) & 0x3ff; } r[0] = (uint8_t)(t[0] >> 0); @@ -49,7 +47,7 @@ void PQCLEAN_KYBER51290S_CLEAN_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSE **************************************************/ void PQCLEAN_KYBER51290S_CLEAN_polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]) { - unsigned int i = 0, j = 0, k = 0; + unsigned int i, j, k; uint16_t t[4]; for (i = 0; i < KYBER_K; i++) { @@ -77,7 +75,7 @@ void PQCLEAN_KYBER51290S_CLEAN_polyvec_decompress(polyvec *r, * - polyvec *a: pointer to input vector of polynomials **************************************************/ void PQCLEAN_KYBER51290S_CLEAN_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], polyvec *a) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER51290S_CLEAN_poly_tobytes(r + i * KYBER_POLYBYTES, &a->vec[i]); } @@ -94,7 +92,7 @@ void PQCLEAN_KYBER51290S_CLEAN_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], po * (of length KYBER_POLYVECBYTES) **************************************************/ void PQCLEAN_KYBER51290S_CLEAN_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER51290S_CLEAN_poly_frombytes(&r->vec[i], a + i * KYBER_POLYBYTES); } 
@@ -108,7 +106,7 @@ void PQCLEAN_KYBER51290S_CLEAN_polyvec_frombytes(polyvec *r, const uint8_t a[KYB * Arguments: - polyvec *r: pointer to in/output vector of polynomials **************************************************/ void PQCLEAN_KYBER51290S_CLEAN_polyvec_ntt(polyvec *r) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER51290S_CLEAN_poly_ntt(&r->vec[i]); } @@ -123,7 +121,7 @@ void PQCLEAN_KYBER51290S_CLEAN_polyvec_ntt(polyvec *r) { * Arguments: - polyvec *r: pointer to in/output vector of polynomials **************************************************/ void PQCLEAN_KYBER51290S_CLEAN_polyvec_invntt_tomont(polyvec *r) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER51290S_CLEAN_poly_invntt_tomont(&r->vec[i]); } @@ -142,7 +140,7 @@ void PQCLEAN_KYBER51290S_CLEAN_polyvec_invntt_tomont(polyvec *r) { void PQCLEAN_KYBER51290S_CLEAN_polyvec_pointwise_acc_montgomery(poly *r, const polyvec *a, const polyvec *b) { - unsigned int i = 0; + unsigned int i; poly t; PQCLEAN_KYBER51290S_CLEAN_poly_basemul_montgomery(r, &a->vec[0], &b->vec[0]); @@ -164,7 +162,7 @@ void PQCLEAN_KYBER51290S_CLEAN_polyvec_pointwise_acc_montgomery(poly *r, * Arguments: - poly *r: pointer to input/output polynomial **************************************************/ void PQCLEAN_KYBER51290S_CLEAN_polyvec_reduce(polyvec *r) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER51290S_CLEAN_poly_reduce(&r->vec[i]); } @@ -181,7 +179,7 @@ void PQCLEAN_KYBER51290S_CLEAN_polyvec_reduce(polyvec *r) { * Arguments: - poly *r: pointer to input/output polynomial **************************************************/ void PQCLEAN_KYBER51290S_CLEAN_polyvec_csubq(polyvec *r) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER51290S_CLEAN_poly_csubq(&r->vec[i]); } 
@@ -197,7 +195,7 @@ void PQCLEAN_KYBER51290S_CLEAN_polyvec_csubq(polyvec *r) { * - const polyvec *b: pointer to second input vector of polynomials **************************************************/ void PQCLEAN_KYBER51290S_CLEAN_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER51290S_CLEAN_poly_add(&r->vec[i], &a->vec[i], &b->vec[i]); } diff --git a/crypto_kem/kyber512-90s/clean/polyvec.h b/crypto_kem/kyber512-90s/clean/polyvec.h index 57ce4507..dd78deb7 100644 --- a/crypto_kem/kyber512-90s/clean/polyvec.h +++ b/crypto_kem/kyber512-90s/clean/polyvec.h @@ -1,6 +1,5 @@ #ifndef PQCLEAN_KYBER51290S_CLEAN_POLYVEC_H #define PQCLEAN_KYBER51290S_CLEAN_POLYVEC_H - #include "params.h" #include "poly.h" #include @@ -9,33 +8,23 @@ typedef struct { poly vec[KYBER_K]; } polyvec; - void PQCLEAN_KYBER51290S_CLEAN_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], polyvec *a); - void PQCLEAN_KYBER51290S_CLEAN_polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]); - void PQCLEAN_KYBER51290S_CLEAN_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], polyvec *a); - void PQCLEAN_KYBER51290S_CLEAN_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]); - void PQCLEAN_KYBER51290S_CLEAN_polyvec_ntt(polyvec *r); - void PQCLEAN_KYBER51290S_CLEAN_polyvec_invntt_tomont(polyvec *r); - void PQCLEAN_KYBER51290S_CLEAN_polyvec_pointwise_acc_montgomery(poly *r, const polyvec *a, const polyvec *b); - void PQCLEAN_KYBER51290S_CLEAN_polyvec_reduce(polyvec *r); - void PQCLEAN_KYBER51290S_CLEAN_polyvec_csubq(polyvec *r); - void PQCLEAN_KYBER51290S_CLEAN_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b); #endif diff --git a/crypto_kem/kyber512-90s/clean/reduce.c b/crypto_kem/kyber512-90s/clean/reduce.c index deb735cd..cbd9d790 100644 --- a/crypto_kem/kyber512-90s/clean/reduce.c +++ b/crypto_kem/kyber512-90s/clean/reduce.c 
@@ -15,8 +15,8 @@ * Returns: integer in {-q+1,...,q-1} congruent to a * R^-1 modulo q. **************************************************/ int16_t PQCLEAN_KYBER51290S_CLEAN_montgomery_reduce(int32_t a) { - int32_t t = 0; - int16_t u = 0; + int32_t t; + int16_t u; u = (int16_t)(a * (int64_t)QINV); t = (int32_t)u * KYBER_Q; @@ -36,7 +36,7 @@ int16_t PQCLEAN_KYBER51290S_CLEAN_montgomery_reduce(int32_t a) { * Returns: integer in {0,...,q} congruent to a modulo q. **************************************************/ int16_t PQCLEAN_KYBER51290S_CLEAN_barrett_reduce(int16_t a) { - int16_t t = 0; + int16_t t; const int16_t v = ((1U << 26) + KYBER_Q / 2) / KYBER_Q; t = (int32_t)v * a >> 26; diff --git a/crypto_kem/kyber512-90s/clean/reduce.h b/crypto_kem/kyber512-90s/clean/reduce.h index d79f51f3..bf1b009f 100644 --- a/crypto_kem/kyber512-90s/clean/reduce.h +++ b/crypto_kem/kyber512-90s/clean/reduce.h @@ -1,19 +1,15 @@ #ifndef PQCLEAN_KYBER51290S_CLEAN_REDUCE_H #define PQCLEAN_KYBER51290S_CLEAN_REDUCE_H - #include "params.h" #include #define MONT 2285 // 2^16 mod q #define QINV 62209 // q^-1 mod 2^16 - int16_t PQCLEAN_KYBER51290S_CLEAN_montgomery_reduce(int32_t a); - int16_t PQCLEAN_KYBER51290S_CLEAN_barrett_reduce(int16_t a); - int16_t PQCLEAN_KYBER51290S_CLEAN_csubq(int16_t a); #endif diff --git a/crypto_kem/kyber512-90s/clean/symmetric-aes.c b/crypto_kem/kyber512-90s/clean/symmetric-aes.c index a492b66d..a62e233e 100644 --- a/crypto_kem/kyber512-90s/clean/symmetric-aes.c +++ b/crypto_kem/kyber512-90s/clean/symmetric-aes.c @@ -1,5 +1,6 @@ -#include "symmetric-aes.h" #include "aes.h" +#include "params.h" +#include "symmetric.h" #include #include #include 
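Review bot: symmetric-aes.c no longer includes its own header: `#include "symmetric-aes.h"` is replaced by `#include "symmetric.h"`, so the declarations of the functions defined here and the aes256xof_ctx type now arrive only transitively through symmetric.h's include of symmetric-aes.h, visible in the symmetric.h hunk later in this diff. That still compiles and keeps -Wmissing-prototypes satisfied, but the translation unit no longer proves its own header is self-contained; keeping `#include "symmetric-aes.h"` as the first include alongside the new ones is cheap and the guards make the double inclusion harmless. The reduce.c hunks in this group are fine as written, since t and u are assigned before use in the visible lines.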
@@ -34,7 +35,7 @@ static void aes256_ctr_xof(unsigned char *out, size_t outlen, const unsigned cha } /************************************************* -* Name: aes256_prf +* Name: PQCLEAN_KYBER51290S_CLEAN_aes256_prf * * Description: AES256 stream generation in CTR mode using 32-bit counter, * nonce is zero-padded to 12 bytes, counter starts at zero @@ -58,7 +59,7 @@ void PQCLEAN_KYBER51290S_CLEAN_aes256_prf(uint8_t *output, size_t outlen, const } /************************************************* -* Name: aes256xof_absorb +* Name: PQCLEAN_KYBER51290S_CLEAN_aes256xof_absorb * * Description: AES256 CTR used as a replacement for a XOF; this function * "absorbs" a 32-byte key and two additional bytes that are zero-padded @@ -80,7 +81,7 @@ void PQCLEAN_KYBER51290S_CLEAN_aes256xof_absorb(aes256xof_ctx *s, const uint8_t } /************************************************* -* Name: aes256xof_squeezeblocks +* Name: PQCLEAN_KYBER51290S_CLEAN_aes256xof_squeezeblocks * * Description: AES256 CTR used as a replacement for a XOF; this function * generates 4 blocks out AES256-CTR output diff --git a/crypto_kem/kyber512-90s/clean/symmetric-aes.h b/crypto_kem/kyber512-90s/clean/symmetric-aes.h index 3efa2567..57550e19 100644 --- a/crypto_kem/kyber512-90s/clean/symmetric-aes.h +++ b/crypto_kem/kyber512-90s/clean/symmetric-aes.h @@ -1,11 +1,10 @@ -#ifndef AES256CTR_H -#define AES256CTR_H - +#ifndef PQCLEAN_KYBER51290S_CLEAN_SYMMETRIC_AES_H +#define PQCLEAN_KYBER51290S_CLEAN_SYMMETRIC_AES_H #include "aes.h" - #include #include + typedef struct { aes256ctx sk_exp; uint8_t iv[12]; diff --git a/crypto_kem/kyber512-90s/clean/symmetric.h b/crypto_kem/kyber512-90s/clean/symmetric.h index e16c8145..5e189c16 100644 --- a/crypto_kem/kyber512-90s/clean/symmetric.h +++ b/crypto_kem/kyber512-90s/clean/symmetric.h 
@@ -1,13 +1,12 @@
-#ifndef SYMMETRIC_H
-#define SYMMETRIC_H
-
+#ifndef PQCLEAN_KYBER51290S_CLEAN_SYMMETRIC_H
+#define PQCLEAN_KYBER51290S_CLEAN_SYMMETRIC_H
 #include "params.h"
+#include "sha2.h"
+#include "symmetric-aes.h"
 #include 
 #include 
-#include "sha2.h"
-#include "symmetric-aes.h"
 typedef aes256xof_ctx xof_state;
diff --git a/crypto_kem/kyber512-90s/clean/verify.c b/crypto_kem/kyber512-90s/clean/verify.c
index 18186fa9..837325e2 100644
--- a/crypto_kem/kyber512-90s/clean/verify.c
+++ b/crypto_kem/kyber512-90s/clean/verify.c
@@ -14,7 +14,7 @@
 * Returns 0 if the byte arrays are equal, 1 otherwise
 **************************************************/
 int PQCLEAN_KYBER51290S_CLEAN_verify(const uint8_t *a, const uint8_t *b, size_t len) {
- size_t i = 0;
+ size_t i;
 uint8_t r = 0;
 for (i = 0; i < len; i++) {
@@ -38,7 +38,7 @@ int PQCLEAN_KYBER51290S_CLEAN_verify(const uint8_t *a, const uint8_t *b, size_t
 * uint8_t b: Condition bit; has to be in {0,1}
 **************************************************/
 void PQCLEAN_KYBER51290S_CLEAN_cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b) {
- size_t i = 0;
+ size_t i;
 b = -b;
 for (i = 0; i < len; i++) {
diff --git a/crypto_kem/kyber512-90s/clean/verify.h b/crypto_kem/kyber512-90s/clean/verify.h
index c911c51c..02c90dfd 100644
--- a/crypto_kem/kyber512-90s/clean/verify.h
+++ b/crypto_kem/kyber512-90s/clean/verify.h
@@ -1,14 +1,11 @@
 #ifndef PQCLEAN_KYBER51290S_CLEAN_VERIFY_H
 #define PQCLEAN_KYBER51290S_CLEAN_VERIFY_H
-
 #include "params.h"
 #include 
 #include 
-
 int PQCLEAN_KYBER51290S_CLEAN_verify(const uint8_t *a, const uint8_t *b, size_t len);
-
 void PQCLEAN_KYBER51290S_CLEAN_cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b);
 #endif
diff --git a/crypto_kem/kyber512/META.yml b/crypto_kem/kyber512/META.yml
index 9de99b60..b40fcd66 100644
--- a/crypto_kem/kyber512/META.yml
+++ b/crypto_kem/kyber512/META.yml
@@ -20,15 +20,17 @@ auxiliary-submitters: - Gregor Seiler - Damien Stehlé implementations: - - name: clean - version: https://github.com/pq-crystals/kyber/commit/46e283ab575ec92dfe82fb12229ae2d9d6246682 - - name: avx2 - version: https://github.com/pq-crystals/kyber/commit/46e283ab575ec92dfe82fb12229ae2d9d6246682 - supported_platforms: - - architecture: x86_64 - operating_systems: - - Linux - - Darwin - required_flags: - - avx2 - - bmi2 + - name: clean + version: https://github.com/pq-crystals/kyber/commit/844057468e69527bd15b17fbe03f4b61f9a22065 via https://github.com/jschanck/package-pqclean/tree/b45068b8/kyber + - name: avx2 + version: https://github.com/pq-crystals/kyber/commit/844057468e69527bd15b17fbe03f4b61f9a22065 via https://github.com/jschanck/package-pqclean/tree/b45068b8/kyber + supported_platforms: + - architecture: x86_64 + operating_systems: + - Linux + - Darwin + required_flags: + - aes + - avx2 + - bmi2 + - popcnt diff --git a/crypto_kem/kyber512/avx2/Makefile b/crypto_kem/kyber512/avx2/Makefile index b619b1c2..22136ca3 100644 --- a/crypto_kem/kyber512/avx2/Makefile +++ b/crypto_kem/kyber512/avx2/Makefile 
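Review bot: `- aes` is added to required_flags (which, as far as the flattened indentation lets me tell, belongs to the avx2 entry), but the kyber512 avx2 Makefile in this same commit builds with `CFLAGS=-mavx2 -mbmi2 -mpopcnt ...` and no `-maes`, and its OBJECTS are the SHAKE-based `fips202x4.o` and `symmetric-shake.o`. Either the metadata over-declares and will exclude hosts without AES-NI from an implementation that does not appear to use it, or the Makefile is missing `-maes`; the two should agree. The added `- popcnt` does match the existing `-mpopcnt` in CFLAGS.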
@@ -1,50 +1,16 @@ # This Makefile can be used with GNU Make or BSD Make LIB=libkyber512_avx2.a -HEADERS= \ - align.h \ - api.h \ - cbd.h \ - cdecl.inc \ - consts.h \ - fips202x4.h \ - fq.inc \ - indcpa.h \ - kem.h \ - ntt.h \ - params.h \ - poly.h \ - polyvec.h \ - reduce.h \ - rejsample.h \ - shuffle.inc \ - symmetric.h \ - verify.h -OBJECTS= \ - basemul.o \ - cbd.o \ - consts.o \ - fips202x4.o \ - fq.o \ - indcpa.o \ - invntt.o \ - kem.o \ - ntt.o \ - poly.o \ - polyvec.o \ - rejsample.o \ - shuffle.o \ - symmetric-shake.o \ - verify.o - +HEADERS=align.h api.h cbd.h cdecl.h consts.h fips202x4.h indcpa.h kem.h ntt.h params.h poly.h polyvec.h reduce.h rejsample.h symmetric.h verify.h fq.inc shuffle.inc +OBJECTS=cbd.o consts.o fips202x4.o indcpa.o kem.o poly.o polyvec.o rejsample.o symmetric-shake.o verify.o basemul.o fq.o invntt.o ntt.o shuffle.o KECCAK4XDIR=../../../common/keccak4x KECCAK4XOBJ=KeccakP-1600-times4-SIMD256.o KECCAK4X=$(KECCAK4XDIR)/$(KECCAK4XOBJ) CFLAGS=-mavx2 -mbmi2 -mpopcnt -O3 -Wall -Wextra -Wpedantic -Werror \ - -Wmissing-prototypes -Wredundant-decls \ - -Wpointer-arith -Wshadow \ - -std=c99 -I../../../common $(EXTRAFLAGS) + -Wmissing-prototypes -Wredundant-decls \ + -Wpointer-arith -Wshadow \ + -std=c99 -I../../../common $(EXTRAFLAGS) all: $(LIB) diff --git a/crypto_kem/kyber512/avx2/align.h b/crypto_kem/kyber512/avx2/align.h index 88623df4..fb553ac5 100644 --- a/crypto_kem/kyber512/avx2/align.h +++ b/crypto_kem/kyber512/avx2/align.h @@ -1,5 +1,6 @@ #ifndef PQCLEAN_KYBER512_AVX2_ALIGN_H #define PQCLEAN_KYBER512_AVX2_ALIGN_H + #include #define ALIGN16_TYPE(t) \ diff --git a/crypto_kem/kyber512/avx2/api.h b/crypto_kem/kyber512/avx2/api.h index d6b3c622..07cc6289 100644 --- a/crypto_kem/kyber512/avx2/api.h +++ b/crypto_kem/kyber512/avx2/api.h @@ -15,5 +15,4 @@ int PQCLEAN_KYBER512_AVX2_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t int PQCLEAN_KYBER512_AVX2_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - #endif 
diff --git a/crypto_kem/kyber512/avx2/basemul.S b/crypto_kem/kyber512/avx2/basemul.S index fd513a51..c8c86d0a 100644 --- a/crypto_kem/kyber512/avx2/basemul.S +++ b/crypto_kem/kyber512/avx2/basemul.S @@ -1,5 +1,5 @@ +#include "cdecl.h" #include "params.h" -#include "cdecl.inc" .macro schoolbook off,sign #load @@ -133,7 +133,9 @@ vmovdqa %ymm5,96(%rdi) ret .global cdecl(PQCLEAN_KYBER512_AVX2_basemul_acc_avx) +.global _cdecl(PQCLEAN_KYBER512_AVX2_basemul_acc_avx) cdecl(PQCLEAN_KYBER512_AVX2_basemul_acc_avx): +_cdecl(PQCLEAN_KYBER512_AVX2_basemul_acc_avx): #consts vmovdqa _16XQ*2(%rcx),%ymm0 vmovdqa _16XQINV*2(%rcx),%ymm1 @@ -183,7 +185,9 @@ vmovdqa %ymm12,96(%rdi) ret .global cdecl(PQCLEAN_KYBER512_AVX2_basemul_avx) +.global _cdecl(PQCLEAN_KYBER512_AVX2_basemul_avx) cdecl(PQCLEAN_KYBER512_AVX2_basemul_avx): +_cdecl(PQCLEAN_KYBER512_AVX2_basemul_avx): #consts vmovdqa _16XQ*2(%rcx),%ymm0 vmovdqa _16XQINV*2(%rcx),%ymm1 diff --git a/crypto_kem/kyber512/avx2/cbd.c b/crypto_kem/kyber512/avx2/cbd.c index be5771f0..a9d7ae86 100644 --- a/crypto_kem/kyber512/avx2/cbd.c +++ b/crypto_kem/kyber512/avx2/cbd.c @@ -1,5 +1,5 @@ -#include "params.h" #include "cbd.h" +#include "params.h" #include #include @@ -14,7 +14,7 @@ * - const unsigned char *buf: pointer to input byte array **************************************************/ void PQCLEAN_KYBER512_AVX2_cbd(poly *restrict r, const uint8_t *restrict buf) { - unsigned int i = 0; + unsigned int i; __m256i vec0, vec1, vec2, vec3, tmp; const __m256i mask55 = _mm256_set1_epi32(0x55555555); const __m256i mask33 = _mm256_set1_epi32(0x33333333); diff --git a/crypto_kem/kyber512/avx2/cbd.h b/crypto_kem/kyber512/avx2/cbd.h index 70a3a134..af290f88 100644 --- a/crypto_kem/kyber512/avx2/cbd.h +++ b/crypto_kem/kyber512/avx2/cbd.h 
@@ -1,11 +1,9 @@
 #ifndef PQCLEAN_KYBER512_AVX2_CBD_H
 #define PQCLEAN_KYBER512_AVX2_CBD_H
-
 #include "params.h"
 #include "poly.h"
 #include 
-
 void PQCLEAN_KYBER512_AVX2_cbd(poly *r, const uint8_t buf[KYBER_ETA * KYBER_N / 4]);
 #endif
diff --git a/crypto_kem/kyber512/avx2/cdecl.inc b/crypto_kem/kyber512/avx2/cdecl.h
similarity index 78%
rename from crypto_kem/kyber512/avx2/cdecl.inc
rename to crypto_kem/kyber512/avx2/cdecl.h
index 8ded53b1..34f4ab57 100644
--- a/crypto_kem/kyber512/avx2/cdecl.inc
+++ b/crypto_kem/kyber512/avx2/cdecl.h
@@ -1,5 +1,5 @@
-#ifndef PQCLEAN_DILITHIUM2_AVX2_CDECL
-#define PQCLEAN_DILITHIUM2_AVX2_CDECL
+#ifndef PQCLEAN_KYBER512_AVX2_CDECL_H
+#define PQCLEAN_KYBER512_AVX2_CDECL_H
 #define _16XQ 0
 #define _16XQINV 16
@@ -21,10 +21,6 @@
 * This define helps us get around this
 */
-#if defined(__WIN32__) || defined(__APPLE__)
-#define cdecl(s) _##s
-#else
+#define _cdecl(s) _##s
 #define cdecl(s) s
 #endif
-
-#endif
diff --git a/crypto_kem/kyber512/avx2/consts.c b/crypto_kem/kyber512/avx2/consts.c
index 74edb379..85731362 100644
--- a/crypto_kem/kyber512/avx2/consts.c
+++ b/crypto_kem/kyber512/avx2/consts.c
@@ -1,5 +1,5 @@
-#include "params.h"
 #include "consts.h"
+#include "params.h"
 #include 
 #define Q KYBER_Q
diff --git a/crypto_kem/kyber512/avx2/consts.h b/crypto_kem/kyber512/avx2/consts.h
index 050400ee..cd45b1b3 100644
--- a/crypto_kem/kyber512/avx2/consts.h
+++ b/crypto_kem/kyber512/avx2/consts.h
@@ -1,12 +1,11 @@
 #ifndef PQCLEAN_KYBER512_AVX2_CONSTS_H
 #define PQCLEAN_KYBER512_AVX2_CONSTS_H
-
-#include "cdecl.inc"
-
+#include "cdecl.h"
 #include "params.h"
 #include 
 #include 
+
 #define ALIGNED_UINT16_T(N) \
 union { \
 __m256i as_vec; \
diff --git a/crypto_kem/kyber512/avx2/fips202x4.c b/crypto_kem/kyber512/avx2/fips202x4.c
index 73c4b416..2a3b5686 100644
--- a/crypto_kem/kyber512/avx2/fips202x4.c
+++ b/crypto_kem/kyber512/avx2/fips202x4.c
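Review bot: The new macro name in `+#define _cdecl(s) _##s` is a reserved identifier (C11 7.1.3 reserves every file-scope identifier beginning with an underscore for the implementation), and MSVC additionally recognises `_cdecl` as a calling-convention keyword, so the header would misbehave if it were ever preprocessed by that toolchain even though today it is only consumed by basemul.S, fq.S, invntt.S and ntt.S. A name outside the reserved space, for example `cdecl_us(s)`, avoids this at the cost of touching the eight `.global`/label pairs those four files add. The comment ending in `* This define helps us get around this` explained the deleted `#if defined(__WIN32__) || defined(__APPLE__)` selection; with both `name` and `_name` now emitted as global symbols unconditionally, it appears stale, though its opening lines are outside the hunk. A one-line comment stating that both symbols are exported on every platform on purpose would also save the next reader from reading the doubled labels as a merge mistake.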
@@ -10,7 +10,7 @@ extern void KeccakF1600_StatePermute4x(__m256i *s); static inline void store64(uint8_t x[8], uint64_t u) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < 8; i++) { x[i] = u >> 8 * i; @@ -25,7 +25,7 @@ static void keccakx4_absorb(__m256i s[25], const uint8_t *in3, size_t inlen, uint8_t p) { - size_t i = 0, pos = 0; + size_t i, pos = 0; __m256i t, idx; for (i = 0; i < 25; ++i) { @@ -74,8 +74,8 @@ static void keccakx4_squeezeblocks(uint8_t *out0, size_t nblocks, unsigned int r, __m256i s[25]) { - unsigned int i = 0; - uint64_t f0 = 0, f1 = 0, f2 = 0, f3 = 0; + unsigned int i; + uint64_t f0, f1, f2, f3; while (nblocks > 0) { KeccakF1600_StatePermute4x(s); @@ -137,8 +137,17 @@ void PQCLEAN_KYBER512_AVX2_shake256x4_squeezeblocks(uint8_t *out0, state->s); } -void PQCLEAN_KYBER512_AVX2_shake128x4(uint8_t *out0, uint8_t *out1, uint8_t *out2, uint8_t *out3, size_t outlen, const uint8_t *in0, const uint8_t *in1, const uint8_t *in2, const uint8_t *in3, size_t inlen) { - unsigned int i = 0; +void PQCLEAN_KYBER512_AVX2_shake128x4(uint8_t *out0, + uint8_t *out1, + uint8_t *out2, + uint8_t *out3, + size_t outlen, + const uint8_t *in0, + const uint8_t *in1, + const uint8_t *in2, + const uint8_t *in3, + size_t inlen) { + unsigned int i; size_t nblocks = outlen / SHAKE128_RATE; uint8_t t[4][SHAKE128_RATE]; keccakx4_state state; 
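Review bot: `uint64_t f0, f1, f2, f3;` in keccakx4_squeezeblocks loses its zero initializers while the first write to those variables lies outside the hunk (the function body continues past it), so the hunk alone cannot show that every read is preceded by a write. The same initializer removal is applied to `val` in rej_uniform and `ctr0, ctr1, ctr2, ctr3` in gen_matrix (indcpa.c), `fail` in crypto_kem_dec (kem.c) and `small` in poly_tomsg (poly.c). The build's `-Wall -Werror` catches a definite use-before-set on straight-line code but not one reachable only through a data-dependent branch, and `fail` in particular is the value passed to `cmov` to decide whether the pre-key is replaced on re-encryption failure, where an uninitialized read would be a silent key-selection error rather than a crash. Please confirm each of these has a write on every path before its first read, and restore the initializer for any that does not.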
@@ -163,8 +172,17 @@ void PQCLEAN_KYBER512_AVX2_shake128x4(uint8_t *out0, uint8_t *out1, uint8_t *out } } -void PQCLEAN_KYBER512_AVX2_shake256x4(uint8_t *out0, uint8_t *out1, uint8_t *out2, uint8_t *out3, size_t outlen, const uint8_t *in0, const uint8_t *in1, const uint8_t *in2, const uint8_t *in3, size_t inlen) { - unsigned int i = 0; +void PQCLEAN_KYBER512_AVX2_shake256x4(uint8_t *out0, + uint8_t *out1, + uint8_t *out2, + uint8_t *out3, + size_t outlen, + const uint8_t *in0, + const uint8_t *in1, + const uint8_t *in2, + const uint8_t *in3, + size_t inlen) { + unsigned int i; size_t nblocks = outlen / SHAKE256_RATE; uint8_t t[4][SHAKE256_RATE]; keccakx4_state state; diff --git a/crypto_kem/kyber512/avx2/fips202x4.h b/crypto_kem/kyber512/avx2/fips202x4.h index 4f1bd110..237e2903 100644 --- a/crypto_kem/kyber512/avx2/fips202x4.h +++ b/crypto_kem/kyber512/avx2/fips202x4.h @@ -1,5 +1,5 @@ -#ifndef FIPS202X4_H -#define FIPS202X4_H +#ifndef PQCLEAN_KYBER512_AVX2_FIPS202X4_H +#define PQCLEAN_KYBER512_AVX2_FIPS202X4_H #include #include 
@@ -9,17 +9,54 @@ typedef struct { __m256i s[25]; } keccakx4_state; -void PQCLEAN_KYBER512_AVX2_shake128x4_absorb(keccakx4_state *state, const uint8_t *in0, const uint8_t *in1, const uint8_t *in2, const uint8_t *in3, size_t inlen); +void PQCLEAN_KYBER512_AVX2_shake128x4_absorb(keccakx4_state *state, + const uint8_t *in0, + const uint8_t *in1, + const uint8_t *in2, + const uint8_t *in3, + size_t inlen); -void PQCLEAN_KYBER512_AVX2_shake128x4_squeezeblocks(uint8_t *out0, uint8_t *out1, uint8_t *out2, uint8_t *out3, size_t nblocks, keccakx4_state *state); - -void PQCLEAN_KYBER512_AVX2_shake256x4_absorb(keccakx4_state *state, const uint8_t *in0, const uint8_t *in1, const uint8_t *in2, const uint8_t *in3, size_t inlen); - -void PQCLEAN_KYBER512_AVX2_shake256x4_squeezeblocks(uint8_t *out0, uint8_t *out1, uint8_t *out2, uint8_t *out3, size_t nblocks, +void PQCLEAN_KYBER512_AVX2_shake128x4_squeezeblocks(uint8_t *out0, + uint8_t *out1, + uint8_t *out2, + uint8_t *out3, + size_t nblocks, keccakx4_state *state); -void PQCLEAN_KYBER512_AVX2_shake128x4(uint8_t *out0, uint8_t *out1, uint8_t *out2, uint8_t *out3, size_t outlen, const uint8_t *in0, const uint8_t *in1, const uint8_t *in2, const uint8_t *in3, size_t inlen); +void PQCLEAN_KYBER512_AVX2_shake256x4_absorb(keccakx4_state *state, + const uint8_t *in0, + const uint8_t *in1, + const uint8_t *in2, + const uint8_t *in3, + size_t inlen); -void PQCLEAN_KYBER512_AVX2_shake256x4(uint8_t *out0, uint8_t *out1, uint8_t *out2, uint8_t *out3, size_t outlen, const uint8_t *in0, const uint8_t *in1, const uint8_t *in2, const uint8_t *in3, size_t inlen); +void PQCLEAN_KYBER512_AVX2_shake256x4_squeezeblocks(uint8_t *out0, + uint8_t *out1, + uint8_t *out2, + uint8_t *out3, + size_t nblocks, + keccakx4_state *state); + +void PQCLEAN_KYBER512_AVX2_shake128x4(uint8_t *out0, + uint8_t *out1, + uint8_t *out2, + uint8_t *out3, + size_t outlen, + const uint8_t *in0, + const uint8_t *in1, + const uint8_t *in2, + const uint8_t *in3, + size_t 
inlen); + +void PQCLEAN_KYBER512_AVX2_shake256x4(uint8_t *out0, + uint8_t *out1, + uint8_t *out2, + uint8_t *out3, + size_t outlen, + const uint8_t *in0, + const uint8_t *in1, + const uint8_t *in2, + const uint8_t *in3, + size_t inlen); #endif diff --git a/crypto_kem/kyber512/avx2/fq.S b/crypto_kem/kyber512/avx2/fq.S index 00a3a599..4bb716db 100644 --- a/crypto_kem/kyber512/avx2/fq.S +++ b/crypto_kem/kyber512/avx2/fq.S @@ -1,4 +1,4 @@ -#include "cdecl.inc" +#include "cdecl.h" .include "fq.inc" .text @@ -35,7 +35,9 @@ vmovdqa %ymm9,224(%rdi) ret .global cdecl(PQCLEAN_KYBER512_AVX2_reduce_avx) +.global _cdecl(PQCLEAN_KYBER512_AVX2_reduce_avx) cdecl(PQCLEAN_KYBER512_AVX2_reduce_avx): +_cdecl(PQCLEAN_KYBER512_AVX2_reduce_avx): #consts vmovdqa _16XQ*2(%rsi),%ymm0 vmovdqa _16XV*2(%rsi),%ymm1 @@ -77,7 +79,9 @@ vmovdqa %ymm8,224(%rdi) ret .global cdecl(PQCLEAN_KYBER512_AVX2_csubq_avx) +.global _cdecl(PQCLEAN_KYBER512_AVX2_csubq_avx) cdecl(PQCLEAN_KYBER512_AVX2_csubq_avx): +_cdecl(PQCLEAN_KYBER512_AVX2_csubq_avx): #consts vmovdqa _16XQ*2(%rsi),%ymm0 call csubq128_avx @@ -118,7 +122,9 @@ vmovdqa %ymm10,224(%rdi) ret .global cdecl(PQCLEAN_KYBER512_AVX2_tomont_avx) +.global _cdecl(PQCLEAN_KYBER512_AVX2_tomont_avx) cdecl(PQCLEAN_KYBER512_AVX2_tomont_avx): +_cdecl(PQCLEAN_KYBER512_AVX2_tomont_avx): #consts vmovdqa _16XQ*2(%rsi),%ymm0 vmovdqa _16XMONTSQLO*2(%rsi),%ymm1 diff --git a/crypto_kem/kyber512/avx2/indcpa.c b/crypto_kem/kyber512/avx2/indcpa.c index f0e04088..7a5d74ae 100644 --- a/crypto_kem/kyber512/avx2/indcpa.c +++ b/crypto_kem/kyber512/avx2/indcpa.c @@ -25,7 +25,7 @@ static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES], polyvec *pk, const uint8_t seed[KYBER_SYMBYTES]) { - size_t i = 0; + size_t i; PQCLEAN_KYBER512_AVX2_polyvec_tobytes(r, pk); for (i = 0; i < KYBER_SYMBYTES; i++) { r[i + KYBER_POLYVECBYTES] = seed[i]; 
@@ -45,7 +45,7 @@ static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES], static void unpack_pk(polyvec *pk, uint8_t seed[KYBER_SYMBYTES], const uint8_t packedpk[KYBER_INDCPA_PUBLICKEYBYTES]) { - size_t i = 0; + size_t i; PQCLEAN_KYBER512_AVX2_polyvec_frombytes(pk, packedpk); for (i = 0; i < KYBER_SYMBYTES; i++) { seed[i] = packedpk[i + KYBER_POLYVECBYTES]; @@ -133,8 +133,8 @@ static unsigned int rej_uniform(int16_t *r, unsigned int len, const uint8_t *buf, unsigned int buflen) { - unsigned int ctr = 0, pos = 0; - uint16_t val = 0; + unsigned int ctr, pos; + uint16_t val; ctr = pos = 0; while (ctr < len && pos + 2 <= buflen) { @@ -168,7 +168,7 @@ static unsigned int rej_uniform(int16_t *r, #define GEN_MATRIX_NBLOCKS ((2*KYBER_N*(1U << 16)/(19*KYBER_Q) \ + XOF_BLOCKBYTES)/XOF_BLOCKBYTES) void PQCLEAN_KYBER512_AVX2_gen_matrix(polyvec *a, const uint8_t seed[32], int transposed) { - unsigned int ctr0 = 0, ctr1 = 0, ctr2 = 0, ctr3 = 0; + unsigned int ctr0, ctr1, ctr2, ctr3; ALIGN32_ARRAY_2D(uint8_t, 4, (GEN_MATRIX_NBLOCKS * XOF_BLOCKBYTES + 31) / 32 * 32) buf; __m256i f; keccakx4_state state; @@ -240,7 +240,7 @@ void PQCLEAN_KYBER512_AVX2_gen_matrix(polyvec *a, const uint8_t seed[32], int tr **************************************************/ void PQCLEAN_KYBER512_AVX2_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]) { - unsigned int i = 0; + unsigned int i; ALIGN32_ARRAY(uint8_t, 2 * KYBER_SYMBYTES) buf; const uint8_t *publicseed = buf.arr; const uint8_t *noiseseed = buf.arr + KYBER_SYMBYTES; @@ -291,7 +291,7 @@ void PQCLEAN_KYBER512_AVX2_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], const uint8_t m[KYBER_INDCPA_MSGBYTES], const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], const uint8_t coins[KYBER_SYMBYTES]) { - unsigned int i = 0; + unsigned int i; ALIGN32_ARRAY(uint8_t, KYBER_SYMBYTES) seed; polyvec sp, pkpv, ep, at[KYBER_K], bp; poly v, k, epp; 
diff --git a/crypto_kem/kyber512/avx2/indcpa.h b/crypto_kem/kyber512/avx2/indcpa.h index d0933b2f..cb66c869 100644 --- a/crypto_kem/kyber512/avx2/indcpa.h +++ b/crypto_kem/kyber512/avx2/indcpa.h @@ -1,16 +1,20 @@ #ifndef PQCLEAN_KYBER512_AVX2_INDCPA_H #define PQCLEAN_KYBER512_AVX2_INDCPA_H - #include "params.h" #include "polyvec.h" #include void PQCLEAN_KYBER512_AVX2_gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed); +void PQCLEAN_KYBER512_AVX2_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], + uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); -void PQCLEAN_KYBER512_AVX2_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); +void PQCLEAN_KYBER512_AVX2_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], + const uint8_t m[KYBER_INDCPA_MSGBYTES], + const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], + const uint8_t coins[KYBER_SYMBYTES]); -void PQCLEAN_KYBER512_AVX2_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], const uint8_t m[KYBER_INDCPA_MSGBYTES], const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], const uint8_t coins[KYBER_SYMBYTES]); - -void PQCLEAN_KYBER512_AVX2_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES], const uint8_t c[KYBER_INDCPA_BYTES], const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); +void PQCLEAN_KYBER512_AVX2_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES], + const uint8_t c[KYBER_INDCPA_BYTES], + const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); #endif diff --git a/crypto_kem/kyber512/avx2/invntt.S b/crypto_kem/kyber512/avx2/invntt.S index fa4707a4..a191797e 100644 --- a/crypto_kem/kyber512/avx2/invntt.S +++ b/crypto_kem/kyber512/avx2/invntt.S @@ -1,4 +1,4 @@ -#include "cdecl.inc" +#include "cdecl.h" .include "shuffle.inc" .include "fq.inc" @@ -210,7 +210,9 @@ vmovdqa %ymm7,224(%rdi) ret .global cdecl(PQCLEAN_KYBER512_AVX2_invntt_avx) +.global _cdecl(PQCLEAN_KYBER512_AVX2_invntt_avx) cdecl(PQCLEAN_KYBER512_AVX2_invntt_avx): +_cdecl(PQCLEAN_KYBER512_AVX2_invntt_avx): #consts vmovdqa _16XQ*2(%rsi),%ymm0 mov %rsi,%rdx 
diff --git a/crypto_kem/kyber512/avx2/kem.c b/crypto_kem/kyber512/avx2/kem.c
index 4e723c98..a52e286f 100644
--- a/crypto_kem/kyber512/avx2/kem.c
+++ b/crypto_kem/kyber512/avx2/kem.c
@@ -8,7 +8,6 @@
 #include 
 #include 
-
 /*************************************************
 * Name: PQCLEAN_KYBER512_AVX2_crypto_kem_keypair
 *
@@ -23,7 +22,7 @@
 * Returns 0 (success)
 **************************************************/
 int PQCLEAN_KYBER512_AVX2_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) {
- size_t i = 0;
+ size_t i;
 PQCLEAN_KYBER512_AVX2_indcpa_keypair(pk, sk);
 for (i = 0; i < KYBER_INDCPA_PUBLICKEYBYTES; i++) {
 sk[i + KYBER_INDCPA_SECRETKEYBYTES] = pk[i];
@@ -94,8 +93,8 @@ int PQCLEAN_KYBER512_AVX2_crypto_kem_enc(unsigned char *ct,
 int PQCLEAN_KYBER512_AVX2_crypto_kem_dec(unsigned char *ss,
 const unsigned char *ct,
 const unsigned char *sk) {
- size_t i = 0;
- int fail = 0;
+ size_t i;
+ int fail;
 ALIGN32_ARRAY(uint8_t, 2 * KYBER_SYMBYTES) buf;
 /* Will contain key, coins */
 ALIGN32_ARRAY(uint8_t, 2 * KYBER_SYMBYTES) kr;
@@ -119,7 +118,7 @@ int PQCLEAN_KYBER512_AVX2_crypto_kem_dec(unsigned char *ss,
 hash_h(kr.arr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES);
 /* Overwrite pre-k with z on re-encryption failure */
- PQCLEAN_KYBER512_AVX2_cmov(kr.arr, sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES, fail);
+ PQCLEAN_KYBER512_AVX2_cmov(kr.arr, sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES, (uint8_t)fail);
 /* hash concatenation of pre-k and H(c) to k */
 kdf(ss, kr.arr, 2 * KYBER_SYMBYTES);
diff --git a/crypto_kem/kyber512/avx2/kem.h b/crypto_kem/kyber512/avx2/kem.h
index e85d945c..f72f5d06 100644
--- a/crypto_kem/kyber512/avx2/kem.h
+++ b/crypto_kem/kyber512/avx2/kem.h
@@ -1,17 +1,14 @@ #ifndef PQCLEAN_KYBER512_AVX2_KEM_H #define PQCLEAN_KYBER512_AVX2_KEM_H - #include "params.h" int PQCLEAN_KYBER512_AVX2_crypto_kem_keypair(unsigned char *pk, unsigned char *sk); - int PQCLEAN_KYBER512_AVX2_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk); - int PQCLEAN_KYBER512_AVX2_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk); diff --git a/crypto_kem/kyber512/avx2/ntt.S b/crypto_kem/kyber512/avx2/ntt.S index 35a933b3..02107bc4 100644 --- a/crypto_kem/kyber512/avx2/ntt.S +++ b/crypto_kem/kyber512/avx2/ntt.S @@ -1,4 +1,4 @@ -#include "cdecl.inc" +#include "cdecl.h" .include "shuffle.inc" .include "fq.inc" @@ -203,7 +203,9 @@ vmovdqa %ymm11,224(%rdi) ret .global cdecl(PQCLEAN_KYBER512_AVX2_ntt_avx) +.global _cdecl(PQCLEAN_KYBER512_AVX2_ntt_avx) cdecl(PQCLEAN_KYBER512_AVX2_ntt_avx): +_cdecl(PQCLEAN_KYBER512_AVX2_ntt_avx): #consts vmovdqa _16XQ*2(%rsi),%ymm0 mov %rsi,%rdx diff --git a/crypto_kem/kyber512/avx2/ntt.h b/crypto_kem/kyber512/avx2/ntt.h index a559287c..142e282c 100644 --- a/crypto_kem/kyber512/avx2/ntt.h +++ b/crypto_kem/kyber512/avx2/ntt.h 
@@ -1,28 +1,24 @@
-#ifndef NTT_H
-#define NTT_H
-
+#ifndef PQCLEAN_KYBER512_AVX2_NTT_H
+#define PQCLEAN_KYBER512_AVX2_NTT_H
 #include "consts.h"
-#include "params.h"
 #include 
-
 void PQCLEAN_KYBER512_AVX2_ntt_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER512_AVX2_qdata);
-
 void PQCLEAN_KYBER512_AVX2_invntt_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER512_AVX2_qdata);
-
-void nttpack_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER512_AVX2_qdata);
-
+void PQCLEAN_KYBER512_AVX2_nttpack_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER512_AVX2_qdata);
 void PQCLEAN_KYBER512_AVX2_nttunpack_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER512_AVX2_qdata);
-
-void PQCLEAN_KYBER512_AVX2_basemul_avx(int16_t *r, const int16_t *a, const int16_t *b, const qdata_t *PQCLEAN_KYBER512_AVX2_qdata);
-
-void PQCLEAN_KYBER512_AVX2_basemul_acc_avx(int16_t *r, const int16_t *a, const int16_t *b, const qdata_t *PQCLEAN_KYBER512_AVX2_qdata);
-
+void PQCLEAN_KYBER512_AVX2_basemul_avx(int16_t *r,
+ const int16_t *a,
+ const int16_t *b,
+ const qdata_t *PQCLEAN_KYBER512_AVX2_qdata);
+void PQCLEAN_KYBER512_AVX2_basemul_acc_avx(int16_t *r,
+ const int16_t *a,
+ const int16_t *b,
+ const qdata_t *PQCLEAN_KYBER512_AVX2_qdata);
 void PQCLEAN_KYBER512_AVX2_ntttobytes_avx(uint8_t *r, const int16_t *a, const qdata_t *PQCLEAN_KYBER512_AVX2_qdata);
-
 void PQCLEAN_KYBER512_AVX2_nttfrombytes_avx(int16_t *r, const uint8_t *a, const qdata_t *PQCLEAN_KYBER512_AVX2_qdata);
 #endif
diff --git a/crypto_kem/kyber512/avx2/params.h b/crypto_kem/kyber512/avx2/params.h
index 034b9cdd..5d0b9aae 100644
--- a/crypto_kem/kyber512/avx2/params.h
+++ b/crypto_kem/kyber512/avx2/params.h
@@ -1,6 +1,9 @@
 #ifndef PQCLEAN_KYBER512_AVX2_PARAMS_H
 #define PQCLEAN_KYBER512_AVX2_PARAMS_H
+
+
+
 #define KYBER_N 256
 #define KYBER_Q 3329
diff --git a/crypto_kem/kyber512/avx2/poly.c b/crypto_kem/kyber512/avx2/poly.c
index 7fad1476..c651e73a 100644
--- a/crypto_kem/kyber512/avx2/poly.c
+++ b/crypto_kem/kyber512/avx2/poly.c
@@ -19,7 +19,7 @@ * - poly *a: pointer to input polynomial **************************************************/ void PQCLEAN_KYBER512_AVX2_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], poly *restrict a) { - unsigned int i = 0, j = 0; + unsigned int i, j; uint8_t t[8]; PQCLEAN_KYBER512_AVX2_poly_csubq(a); @@ -48,9 +48,9 @@ void PQCLEAN_KYBER512_AVX2_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], p **************************************************/ void PQCLEAN_KYBER512_AVX2_poly_decompress(poly *restrict r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]) { - unsigned int i = 0; + unsigned int i; - unsigned int j = 0; + unsigned int j; uint8_t t[8]; for (i = 0; i < KYBER_N / 8; i++) { t[0] = (a[0] >> 0); @@ -112,7 +112,7 @@ void PQCLEAN_KYBER512_AVX2_poly_frommsg(poly *restrict r, const __m256i hqs = _mm256_set1_epi16((KYBER_Q + 1) / 2); #define FROMMSG64(i) \ - g3 = _mm256_shuffle_epi32(f,0x55*(i)); \ + g3 = _mm256_shuffle_epi32(f,0x55*(i)); \ g3 = _mm256_sllv_epi32(g3,shift); \ g3 = _mm256_shuffle_epi8(g3,idx); \ g0 = _mm256_slli_epi16(g3,12); \ @@ -134,9 +134,9 @@ void PQCLEAN_KYBER512_AVX2_poly_frommsg(poly *restrict r, g2 = _mm256_permute2x128_si256(h0,h1,0x31); \ g1 = _mm256_permute2x128_si256(h2,h3,0x20); \ g3 = _mm256_permute2x128_si256(h2,h3,0x31); \ - _mm256_store_si256((__m256i *)&r->coeffs[ 0+32*(i)+ 0],g0); \ - _mm256_store_si256((__m256i *)&r->coeffs[ 0+32*(i)+16],g1); \ - _mm256_store_si256((__m256i *)&r->coeffs[128+32*(i)+ 0],g2); \ + _mm256_store_si256((__m256i *)&r->coeffs[ 0+32*(i)+ 0],g0); \ + _mm256_store_si256((__m256i *)&r->coeffs[ 0+32*(i)+16],g1); \ + _mm256_store_si256((__m256i *)&r->coeffs[128+32*(i)+ 0],g2); \ _mm256_store_si256((__m256i *)&r->coeffs[128+32*(i)+16],g3) f = _mm256_load_si256((__m256i *)msg); 
@@ -155,8 +155,8 @@ void PQCLEAN_KYBER512_AVX2_poly_frommsg(poly *restrict r, * - poly *a: pointer to input polynomial **************************************************/ void PQCLEAN_KYBER512_AVX2_poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], poly *restrict a) { - unsigned int i = 0; - uint32_t small = 0; + unsigned int i; + uint32_t small; __m256i f0, f1, g0, g1; const __m256i hqs = _mm256_set1_epi16((KYBER_Q - 1) / 2); const __m256i hhqs = _mm256_set1_epi16((KYBER_Q - 5) / 4); @@ -323,7 +323,7 @@ void PQCLEAN_KYBER512_AVX2_poly_csubq(poly *r) { * - const poly *b: pointer to second input polynomial **************************************************/ void PQCLEAN_KYBER512_AVX2_poly_add(poly *r, const poly *a, const poly *b) { - unsigned int i = 0; + unsigned int i; __m256i f0, f1; for (i = 0; i < KYBER_N; i += 16) { @@ -344,7 +344,7 @@ void PQCLEAN_KYBER512_AVX2_poly_add(poly *r, const poly *a, const poly *b) { * - const poly *b: pointer to second input polynomial **************************************************/ void PQCLEAN_KYBER512_AVX2_poly_sub(poly *r, const poly *a, const poly *b) { - unsigned int i = 0; + unsigned int i; __m256i f0, f1; for (i = 0; i < KYBER_N; i += 16) { diff --git a/crypto_kem/kyber512/avx2/poly.h b/crypto_kem/kyber512/avx2/poly.h index e5c603f8..046bd83f 100644 --- a/crypto_kem/kyber512/avx2/poly.h +++ b/crypto_kem/kyber512/avx2/poly.h @@ -1,6 +1,5 @@ #ifndef PQCLEAN_KYBER512_AVX2_POLY_H #define PQCLEAN_KYBER512_AVX2_POLY_H - #include "params.h" #include #include 
@@ -14,24 +13,16 @@ typedef union { int16_t coeffs[KYBER_N]; } poly; - void PQCLEAN_KYBER512_AVX2_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], poly *a); - void PQCLEAN_KYBER512_AVX2_poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]); - void PQCLEAN_KYBER512_AVX2_poly_tobytes(uint8_t r[KYBER_POLYBYTES], poly *a); - void PQCLEAN_KYBER512_AVX2_poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]); - void PQCLEAN_KYBER512_AVX2_poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]); - void PQCLEAN_KYBER512_AVX2_poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], poly *a); - void PQCLEAN_KYBER512_AVX2_poly_getnoise(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce); - void PQCLEAN_KYBER512_AVX2_poly_getnoise4x(poly *r0, poly *r1, poly *r2, @@ -42,25 +33,16 @@ void PQCLEAN_KYBER512_AVX2_poly_getnoise4x(poly *r0, uint8_t nonce2, uint8_t nonce3); - void PQCLEAN_KYBER512_AVX2_poly_ntt(poly *r); - void PQCLEAN_KYBER512_AVX2_poly_invntt_tomont(poly *r); - void PQCLEAN_KYBER512_AVX2_poly_nttunpack(poly *r); - void PQCLEAN_KYBER512_AVX2_poly_basemul_montgomery(poly *r, const poly *a, const poly *b); - void PQCLEAN_KYBER512_AVX2_poly_tomont(poly *r); - void PQCLEAN_KYBER512_AVX2_poly_reduce(poly *r); - void PQCLEAN_KYBER512_AVX2_poly_csubq(poly *r); - void PQCLEAN_KYBER512_AVX2_poly_add(poly *r, const poly *a, const poly *b); - void PQCLEAN_KYBER512_AVX2_poly_sub(poly *r, const poly *a, const poly *b); #endif diff --git a/crypto_kem/kyber512/avx2/polyvec.c b/crypto_kem/kyber512/avx2/polyvec.c index 19a85a0e..4cc60aa6 100644 --- a/crypto_kem/kyber512/avx2/polyvec.c +++ b/crypto_kem/kyber512/avx2/polyvec.c @@ -1,6 +1,6 @@ -#include "params.h" #include "consts.h" #include "ntt.h" +#include "params.h" #include "poly.h" #include "polyvec.h" #include 
@@ -16,7 +16,7 @@ **************************************************/ void PQCLEAN_KYBER512_AVX2_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], polyvec *restrict a) { - unsigned int i = 0, j = 0, k = 0; + size_t i, j, k; PQCLEAN_KYBER512_AVX2_polyvec_csubq(a); @@ -24,10 +24,8 @@ void PQCLEAN_KYBER512_AVX2_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYT for (i = 0; i < KYBER_K; i++) { for (j = 0; j < KYBER_N / 4; j++) { for (k = 0; k < 4; k++) { - { - t[k] = ((((uint32_t)a->vec[i].coeffs[4 * j + k] << 10) + KYBER_Q / 2) - / KYBER_Q) & 0x3ff; - } + t[k] = ((((uint32_t)a->vec[i].coeffs[4 * j + k] << 10) + KYBER_Q / 2) + / KYBER_Q) & 0x3ff; } r[0] = (t[0] >> 0); @@ -52,7 +50,7 @@ void PQCLEAN_KYBER512_AVX2_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYT **************************************************/ void PQCLEAN_KYBER512_AVX2_polyvec_decompress(polyvec *restrict r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]) { - unsigned int i = 0, j = 0, k = 0; + size_t i, j, k; uint16_t t[4]; for (i = 0; i < KYBER_K; i++) { @@ -80,7 +78,7 @@ void PQCLEAN_KYBER512_AVX2_polyvec_decompress(polyvec *restrict r, * - polyvec *a: pointer to input vector of polynomials **************************************************/ void PQCLEAN_KYBER512_AVX2_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], polyvec *a) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER512_AVX2_poly_tobytes(r + i * KYBER_POLYBYTES, &a->vec[i]); } @@ -97,7 +95,7 @@ void PQCLEAN_KYBER512_AVX2_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], polyve * (of length KYBER_POLYVECBYTES) **************************************************/ void PQCLEAN_KYBER512_AVX2_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER512_AVX2_poly_frombytes(&r->vec[i], a + i * KYBER_POLYBYTES); } 
@@ -111,7 +109,7 @@ void PQCLEAN_KYBER512_AVX2_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_P * Arguments: - polyvec *r: pointer to in/output vector of polynomials **************************************************/ void PQCLEAN_KYBER512_AVX2_polyvec_ntt(polyvec *r) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER512_AVX2_poly_ntt(&r->vec[i]); } @@ -126,7 +124,7 @@ void PQCLEAN_KYBER512_AVX2_polyvec_ntt(polyvec *r) { * Arguments: - polyvec *r: pointer to in/output vector of polynomials **************************************************/ void PQCLEAN_KYBER512_AVX2_polyvec_invntt_tomont(polyvec *r) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER512_AVX2_poly_invntt_tomont(&r->vec[i]); } @@ -145,7 +143,7 @@ void PQCLEAN_KYBER512_AVX2_polyvec_invntt_tomont(polyvec *r) { void PQCLEAN_KYBER512_AVX2_polyvec_pointwise_acc_montgomery(poly *r, const polyvec *a, const polyvec *b) { - PQCLEAN_KYBER512_AVX2_basemul_acc_avx(r->coeffs, a->vec->coeffs, b->vec->coeffs, &PQCLEAN_KYBER512_AVX2_qdata); + PQCLEAN_KYBER512_AVX2_basemul_acc_avx(r->coeffs, a->vec->coeffs, b->vec->coeffs, & PQCLEAN_KYBER512_AVX2_qdata); } /************************************************* @@ -158,7 +156,7 @@ void PQCLEAN_KYBER512_AVX2_polyvec_pointwise_acc_montgomery(poly *r, * Arguments: - poly *r: pointer to input/output polynomial **************************************************/ void PQCLEAN_KYBER512_AVX2_polyvec_reduce(polyvec *r) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER512_AVX2_poly_reduce(&r->vec[i]); } @@ -175,7 +173,7 @@ void PQCLEAN_KYBER512_AVX2_polyvec_reduce(polyvec *r) { * Arguments: - poly *r: pointer to input/output polynomial **************************************************/ void PQCLEAN_KYBER512_AVX2_polyvec_csubq(polyvec *r) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER512_AVX2_poly_csubq(&r->vec[i]); } 
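Review bot: The only change to the polyvec_pointwise_acc_montgomery line is the space inserted after the address-of operator, `& PQCLEAN_KYBER512_AVX2_qdata`, which reads like a formatter artifact and should go back to `&PQCLEAN_KYBER512_AVX2_qdata`. While touching this line, a comment would help: `a->vec->coeffs` is `a->vec[0].coeffs`, so the AVX routine presumably walks all KYBER_K polynomials as one contiguous int16_t run, which relies on `polyvec` being a plain `poly vec[KYBER_K]` array with no padding between elements — worth stating next to the call rather than leaving it to be inferred.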
@@ -191,7 +189,7 @@ void PQCLEAN_KYBER512_AVX2_polyvec_csubq(polyvec *r) { * - const polyvec *b: pointer to second input vector of polynomials **************************************************/ void PQCLEAN_KYBER512_AVX2_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER512_AVX2_poly_add(&r->vec[i], &a->vec[i], &b->vec[i]); } diff --git a/crypto_kem/kyber512/avx2/polyvec.h b/crypto_kem/kyber512/avx2/polyvec.h index ccdf2172..12928a76 100644 --- a/crypto_kem/kyber512/avx2/polyvec.h +++ b/crypto_kem/kyber512/avx2/polyvec.h @@ -1,6 +1,5 @@ #ifndef PQCLEAN_KYBER512_AVX2_POLYVEC_H #define PQCLEAN_KYBER512_AVX2_POLYVEC_H - #include "params.h" #include "poly.h" #include @@ -9,33 +8,23 @@ typedef struct { poly vec[KYBER_K]; } polyvec; - void PQCLEAN_KYBER512_AVX2_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], polyvec *a); - void PQCLEAN_KYBER512_AVX2_polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]); - void PQCLEAN_KYBER512_AVX2_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], polyvec *a); - void PQCLEAN_KYBER512_AVX2_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]); - void PQCLEAN_KYBER512_AVX2_polyvec_ntt(polyvec *r); - void PQCLEAN_KYBER512_AVX2_polyvec_invntt_tomont(polyvec *r); - void PQCLEAN_KYBER512_AVX2_polyvec_pointwise_acc_montgomery(poly *r, const polyvec *a, const polyvec *b); - void PQCLEAN_KYBER512_AVX2_polyvec_reduce(polyvec *r); - void PQCLEAN_KYBER512_AVX2_polyvec_csubq(polyvec *r); - void PQCLEAN_KYBER512_AVX2_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b); #endif diff --git a/crypto_kem/kyber512/avx2/reduce.h b/crypto_kem/kyber512/avx2/reduce.h index 55bc800d..fad9114d 100644 --- a/crypto_kem/kyber512/avx2/reduce.h +++ b/crypto_kem/kyber512/avx2/reduce.h 
@@ -1,16 +1,10 @@ -#ifndef REDUCE_H -#define REDUCE_H - +#ifndef PQCLEAN_KYBER512_AVX2_REDUCE_H +#define PQCLEAN_KYBER512_AVX2_REDUCE_H +#include "consts.h" #include -#include "consts.h" -#include "params.h" - - int16_t PQCLEAN_KYBER512_AVX2_reduce_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER512_AVX2_qdata); - int16_t PQCLEAN_KYBER512_AVX2_csubq_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER512_AVX2_qdata); - int16_t PQCLEAN_KYBER512_AVX2_tomont_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER512_AVX2_qdata); #endif diff --git a/crypto_kem/kyber512/avx2/rejsample.c b/crypto_kem/kyber512/avx2/rejsample.c index ea4b16bc..52f2c691 100644 --- a/crypto_kem/kyber512/avx2/rejsample.c +++ b/crypto_kem/kyber512/avx2/rejsample.c @@ -2,6 +2,7 @@ #include "consts.h" #include "params.h" #include "rejsample.h" +#include #include static const ALIGN32_ARRAY_2D(uint8_t, 256, 8) idx = {.arr = { @@ -270,9 +271,9 @@ static const ALIGN32_ARRAY_2D(uint8_t, 256, 8) idx = {.arr = { #define REJ_UNIFORM_BUFLEN 672 unsigned int PQCLEAN_KYBER512_AVX2_rej_uniform_avx(int16_t *restrict r, const uint8_t *restrict buf) { - unsigned int ctr = 0, pos = 0; - uint16_t val = 0; - uint32_t good = 0; + unsigned int ctr, pos; + uint16_t val; + uint32_t good; const __m256i bound = _mm256_set1_epi16((int16_t)(19 * KYBER_Q - 1)); const __m256i ones = _mm256_set1_epi8(1); const __m256i kyberq = _mm256_load_si256((__m256i *)&PQCLEAN_KYBER512_AVX2_qdata.as_arr[_16XQ]); @@ -297,7 +298,7 @@ unsigned int PQCLEAN_KYBER512_AVX2_rej_uniform_avx(int16_t *restrict r, g1 = _mm256_inserti128_si256(g1, _mm_loadl_epi64((__m128i *)&idx.arr[(good >> 24) & 0xFF]), 1); //g0 = _mm256_cvtepu8_epi64(_mm_loadl_epi64((__m128i *)&good)); - //g1 = _mm256_i64gather_epi64((long long *)idx, g0, 8); + //g1 = _mm256_i64gather_epi64((long long *)idx.arr, g0, 8); /* Barrett reduction of (still unsigned) values */ g2 = _mm256_mulhi_epu16(f0, v); 
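Review bot: In rej_uniform_avx the initializers are dropped from `ctr`, `pos`, `val` and `good`, but the assignments that give them their first values lie outside this hunk, so the hunk alone does not show that no path reads them uninitialized; the same applies to `r` in PQCLEAN_KYBER512_AVX2_verify and to `fail` in PQCLEAN_KYBER512_CLEAN_crypto_kem_dec further down this diff, whose first assignments are likewise beyond their hunks. If the removals are deliberate (letting -Wmaybe-uninitialized surface a missing assignment instead of masking it), a short note saying so would help, since every local in these files was previously initialised at declaration. Separately, the `//g0 = ...` / `//g1 = ...` lines are commented-out code that is now being maintained rather than removed; either delete them or keep them under `#if 0` with a one-line note explaining what the gather variant was for.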
diff --git a/crypto_kem/kyber512/avx2/rejsample.h b/crypto_kem/kyber512/avx2/rejsample.h index a832f82d..dba49d6d 100644 --- a/crypto_kem/kyber512/avx2/rejsample.h +++ b/crypto_kem/kyber512/avx2/rejsample.h @@ -1,10 +1,8 @@ -#ifndef REJSAMPLE_H -#define REJSAMPLE_H - +#ifndef PQCLEAN_KYBER512_AVX2_REJSAMPLE_H +#define PQCLEAN_KYBER512_AVX2_REJSAMPLE_H #include "params.h" #include - unsigned int PQCLEAN_KYBER512_AVX2_rej_uniform_avx(int16_t *r, const unsigned char *buf); diff --git a/crypto_kem/kyber512/avx2/shuffle.S b/crypto_kem/kyber512/avx2/shuffle.S index e6c8e413..997d4bb5 100644 --- a/crypto_kem/kyber512/avx2/shuffle.S +++ b/crypto_kem/kyber512/avx2/shuffle.S @@ -1,4 +1,4 @@ -#include "cdecl.inc" +#include "cdecl.h" .include "fq.inc" .include "shuffle.inc" @@ -92,7 +92,9 @@ vmovdqa %ymm11,224(%rdi) ret .global cdecl(PQCLEAN_KYBER512_AVX2_nttunpack_avx) +.global _cdecl(PQCLEAN_KYBER512_AVX2_nttunpack_avx) cdecl(PQCLEAN_KYBER512_AVX2_nttunpack_avx): +_cdecl(PQCLEAN_KYBER512_AVX2_nttunpack_avx): call nttunpack128_avx add $256,%rdi call nttunpack128_avx @@ -169,7 +171,9 @@ vmovdqu %ymm9,160(%rdi) ret .global cdecl(PQCLEAN_KYBER512_AVX2_ntttobytes_avx) +.global _cdecl(PQCLEAN_KYBER512_AVX2_ntttobytes_avx) cdecl(PQCLEAN_KYBER512_AVX2_ntttobytes_avx): +_cdecl(PQCLEAN_KYBER512_AVX2_ntttobytes_avx): #consts vmovdqa _16XQ*2(%rdx),%ymm0 call ntttobytes128_avx @@ -245,7 +249,9 @@ vmovdqa %ymm1,224(%rdi) ret .global cdecl(PQCLEAN_KYBER512_AVX2_nttfrombytes_avx) +.global _cdecl(PQCLEAN_KYBER512_AVX2_nttfrombytes_avx) cdecl(PQCLEAN_KYBER512_AVX2_nttfrombytes_avx): +_cdecl(PQCLEAN_KYBER512_AVX2_nttfrombytes_avx): #consts vmovdqa _16XMASK*2(%rdx),%ymm0 call nttfrombytes128_avx diff --git a/crypto_kem/kyber512/avx2/symmetric-shake.c b/crypto_kem/kyber512/avx2/symmetric-shake.c index e18e8c5b..99b7921b 100644 --- a/crypto_kem/kyber512/avx2/symmetric-shake.c +++ b/crypto_kem/kyber512/avx2/symmetric-shake.c 
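Review bot: The new `.global _cdecl(...)` / `_cdecl(...):` pairs in shuffle.S duplicate each exported label under a second name with no comment explaining the intent; the include changes from `cdecl.inc` to `cdecl.h`, but neither macro's definition is visible here. Presumably one of the two expands to the underscore-prefixed spelling so the same object satisfies both ELF and Mach-O symbol naming; a comment at the first pair such as `# export both the plain and the leading-underscore symbol name; see cdecl.h` would save the next reader a trip to the header. It is also worth checking in cdecl.h that the `_cdecl` name is safe, since identifiers beginning with an underscore are reserved at file scope in C and `_cdecl` is additionally a calling-convention keyword spelling in MSVC (not a problem for a GAS-only source, but it deserves a line of explanation).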
@@ -9,8 +9,8 @@ * * Description: Absorb step of the SHAKE128 specialized for the Kyber context. * -* Arguments: - keccak_state *state: pointer to (uninitialized) output -* Keccak state +* Arguments: - xof_state *state: pointer to (uninitialized) output +* Keccak state * - const uint8_t *seed: pointer to KYBER_SYMBYTES input * to be absorbed into state * - uint8_t i additional byte of input @@ -20,7 +20,7 @@ void PQCLEAN_KYBER512_AVX2_kyber_shake128_absorb(xof_state *state, const uint8_t seed[KYBER_SYMBYTES], uint8_t x, uint8_t y) { - unsigned int i = 0; + unsigned int i; uint8_t extseed[KYBER_SYMBYTES + 2]; for (i = 0; i < KYBER_SYMBYTES; i++) { @@ -48,7 +48,7 @@ void PQCLEAN_KYBER512_AVX2_kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYMBYTES], uint8_t nonce) { - unsigned int i = 0; + unsigned int i; uint8_t extkey[KYBER_SYMBYTES + 1]; for (i = 0; i < KYBER_SYMBYTES; i++) { diff --git a/crypto_kem/kyber512/avx2/symmetric.h b/crypto_kem/kyber512/avx2/symmetric.h index 4b80e85c..bc2e5a4c 100644 --- a/crypto_kem/kyber512/avx2/symmetric.h +++ b/crypto_kem/kyber512/avx2/symmetric.h @@ -1,17 +1,16 @@ -#ifndef SYMMETRIC_H -#define SYMMETRIC_H - +#ifndef PQCLEAN_KYBER512_AVX2_SYMMETRIC_H +#define PQCLEAN_KYBER512_AVX2_SYMMETRIC_H +#include "fips202.h" +#include "fips202x4.h" #include "params.h" #include #include -#include "fips202.h" -#include "fips202x4.h" typedef shake128ctx xof_state; -void PQCLEAN_KYBER512_AVX2_kyber_shake128_absorb(shake128ctx *s, +void PQCLEAN_KYBER512_AVX2_kyber_shake128_absorb(xof_state *s, const uint8_t seed[KYBER_SYMBYTES], uint8_t x, uint8_t y); diff --git a/crypto_kem/kyber512/avx2/verify.c b/crypto_kem/kyber512/avx2/verify.c index f1658093..1ce71b35 100644 --- a/crypto_kem/kyber512/avx2/verify.c +++ b/crypto_kem/kyber512/avx2/verify.c 
@@ -15,8 +15,8 @@ * Returns 0 if the byte arrays are equal, 1 otherwise **************************************************/ int PQCLEAN_KYBER512_AVX2_verify(const uint8_t *a, const uint8_t *b, size_t len) { - size_t pos = 0; - uint64_t r = 0; + size_t pos; + uint64_t r; __m256i avec, bvec, cvec; cvec = _mm256_setzero_si256(); @@ -53,7 +53,7 @@ int PQCLEAN_KYBER512_AVX2_verify(const uint8_t *a, const uint8_t *b, size_t len) * unsigned char b: Condition bit; has to be in {0,1} **************************************************/ void PQCLEAN_KYBER512_AVX2_cmov(uint8_t *restrict r, const uint8_t *restrict x, size_t len, uint8_t b) { - size_t pos = 0; + size_t pos; __m256i xvec, rvec, bvec; b = -b; diff --git a/crypto_kem/kyber512/avx2/verify.h b/crypto_kem/kyber512/avx2/verify.h index 38c02db6..cadb6989 100644 --- a/crypto_kem/kyber512/avx2/verify.h +++ b/crypto_kem/kyber512/avx2/verify.h @@ -1,14 +1,11 @@ #ifndef PQCLEAN_KYBER512_AVX2_VERIFY_H #define PQCLEAN_KYBER512_AVX2_VERIFY_H - #include "params.h" #include #include - int PQCLEAN_KYBER512_AVX2_verify(const uint8_t *a, const uint8_t *b, size_t len); - void PQCLEAN_KYBER512_AVX2_cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b); #endif diff --git a/crypto_kem/kyber512/clean/Makefile b/crypto_kem/kyber512/clean/Makefile index 1f187f0d..18712bde 100644 --- a/crypto_kem/kyber512/clean/Makefile +++ b/crypto_kem/kyber512/clean/Makefile 
@@ -1,8 +1,8 @@ # This Makefile can be used with GNU Make or BSD Make LIB=libkyber512_clean.a -HEADERS=api.h cbd.h indcpa.h kem.h ntt.h params.h poly.h polyvec.h reduce.h verify.h symmetric.h -OBJECTS=cbd.o indcpa.o kem.o ntt.o poly.o polyvec.o reduce.o verify.o symmetric-shake.o +HEADERS=api.h cbd.h indcpa.h kem.h ntt.h params.h poly.h polyvec.h reduce.h symmetric.h verify.h +OBJECTS=cbd.o indcpa.o kem.o ntt.o poly.o polyvec.o reduce.o symmetric-shake.o verify.o CFLAGS=-O3 -Wall -Wextra -Wpedantic -Werror -Wmissing-prototypes -Wredundant-decls -std=c99 -I../../../common $(EXTRAFLAGS) diff --git a/crypto_kem/kyber512/clean/Makefile.Microsoft_nmake b/crypto_kem/kyber512/clean/Makefile.Microsoft_nmake index 2f8c6221..61d98361 100644 --- a/crypto_kem/kyber512/clean/Makefile.Microsoft_nmake +++ b/crypto_kem/kyber512/clean/Makefile.Microsoft_nmake @@ -2,7 +2,7 @@ # nmake /f Makefile.Microsoft_nmake LIBRARY=libkyber512_clean.lib -OBJECTS=cbd.obj indcpa.obj kem.obj ntt.obj poly.obj polyvec.obj reduce.obj verify.obj symmetric-shake.obj +OBJECTS=cbd.obj indcpa.obj kem.obj ntt.obj poly.obj polyvec.obj reduce.obj symmetric-shake.obj verify.obj # Warning C4146 is raised when a unary minus operator is applied to an # unsigned type; this has nonetheless been standard and portable for as diff --git a/crypto_kem/kyber512/clean/api.h b/crypto_kem/kyber512/clean/api.h index 7ab7799d..e14c7d96 100644 --- a/crypto_kem/kyber512/clean/api.h +++ b/crypto_kem/kyber512/clean/api.h @@ -15,5 +15,4 @@ int PQCLEAN_KYBER512_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_ int PQCLEAN_KYBER512_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - #endif diff --git a/crypto_kem/kyber512/clean/cbd.c b/crypto_kem/kyber512/clean/cbd.c index 3bed346f..cd88cf05 100644 --- a/crypto_kem/kyber512/clean/cbd.c +++ b/crypto_kem/kyber512/clean/cbd.c 
@@ -1,5 +1,5 @@ -#include "params.h" #include "cbd.h" +#include "params.h" #include /************************************************* @@ -13,7 +13,7 @@ * Returns 32-bit unsigned integer loaded from x **************************************************/ static uint32_t load32_littleendian(const uint8_t x[4]) { - uint32_t r = 0; + uint32_t r; r = (uint32_t)x[0]; r |= (uint32_t)x[1] << 8; r |= (uint32_t)x[2] << 16; @@ -32,9 +32,9 @@ static uint32_t load32_littleendian(const uint8_t x[4]) { * - const uint8_t *buf: pointer to input byte array **************************************************/ void PQCLEAN_KYBER512_CLEAN_cbd(poly *r, const uint8_t buf[KYBER_ETA * KYBER_N / 4]) { - unsigned int i = 0, j = 0; - uint32_t t = 0, d = 0; - int16_t a = 0, b = 0; + unsigned int i, j; + uint32_t t, d; + int16_t a, b; for (i = 0; i < KYBER_N / 8; i++) { t = load32_littleendian(buf + 4 * i); diff --git a/crypto_kem/kyber512/clean/cbd.h b/crypto_kem/kyber512/clean/cbd.h index 1a4f3ef4..b3d184ba 100644 --- a/crypto_kem/kyber512/clean/cbd.h +++ b/crypto_kem/kyber512/clean/cbd.h @@ -1,11 +1,9 @@ #ifndef PQCLEAN_KYBER512_CLEAN_CBD_H #define PQCLEAN_KYBER512_CLEAN_CBD_H - #include "params.h" #include "poly.h" #include - void PQCLEAN_KYBER512_CLEAN_cbd(poly *r, const uint8_t buf[KYBER_ETA * KYBER_N / 4]); #endif diff --git a/crypto_kem/kyber512/clean/indcpa.c b/crypto_kem/kyber512/clean/indcpa.c index bb49e76d..8da03b43 100644 --- a/crypto_kem/kyber512/clean/indcpa.c +++ b/crypto_kem/kyber512/clean/indcpa.c @@ -22,7 +22,7 @@ static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES], polyvec *pk, const uint8_t seed[KYBER_SYMBYTES]) { - size_t i = 0; + size_t i; PQCLEAN_KYBER512_CLEAN_polyvec_tobytes(r, pk); for (i = 0; i < KYBER_SYMBYTES; i++) { r[i + KYBER_POLYVECBYTES] = seed[i]; 
@@ -44,7 +44,7 @@ static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES], static void unpack_pk(polyvec *pk, uint8_t seed[KYBER_SYMBYTES], const uint8_t packedpk[KYBER_INDCPA_PUBLICKEYBYTES]) { - size_t i = 0; + size_t i; PQCLEAN_KYBER512_CLEAN_polyvec_frombytes(pk, packedpk); for (i = 0; i < KYBER_SYMBYTES; i++) { seed[i] = packedpk[i + KYBER_POLYVECBYTES]; @@ -132,8 +132,8 @@ static unsigned int rej_uniform(int16_t *r, unsigned int len, const uint8_t *buf, unsigned int buflen) { - unsigned int ctr = 0, pos = 0; - uint16_t val = 0; + unsigned int ctr, pos; + uint16_t val; ctr = pos = 0; while (ctr < len && pos + 2 <= buflen) { @@ -169,8 +169,7 @@ static unsigned int rej_uniform(int16_t *r, + XOF_BLOCKBYTES)/XOF_BLOCKBYTES) // Not static for benchmarking void PQCLEAN_KYBER512_CLEAN_gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed) { - unsigned int ctr = 0; - uint8_t i = 0, j = 0; + unsigned int ctr, i, j; uint8_t buf[GEN_MATRIX_NBLOCKS * XOF_BLOCKBYTES]; xof_state state; @@ -208,7 +207,7 @@ void PQCLEAN_KYBER512_CLEAN_gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMB **************************************************/ void PQCLEAN_KYBER512_CLEAN_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]) { - unsigned int i = 0; + unsigned int i; uint8_t buf[2 * KYBER_SYMBYTES]; const uint8_t *publicseed = buf; const uint8_t *noiseseed = buf + KYBER_SYMBYTES; @@ -264,7 +263,7 @@ void PQCLEAN_KYBER512_CLEAN_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], const uint8_t m[KYBER_INDCPA_MSGBYTES], const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], const uint8_t coins[KYBER_SYMBYTES]) { - unsigned int i = 0; + unsigned int i; uint8_t seed[KYBER_SYMBYTES]; uint8_t nonce = 0; polyvec sp, pkpv, ep, at[KYBER_K], bp; diff --git a/crypto_kem/kyber512/clean/indcpa.h b/crypto_kem/kyber512/clean/indcpa.h index cb865942..84464a93 100644 --- a/crypto_kem/kyber512/clean/indcpa.h +++ b/crypto_kem/kyber512/clean/indcpa.h 
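Review bot: gen_matrix widens `i` and `j` from `uint8_t` to `unsigned int` to match `ctr`, but they are the values handed to the XOF absorb call later in the function (outside this hunk); if that function takes `uint8_t` x/y parameters, as the avx2 `kyber_shake128_absorb` prototype earlier in this diff does, the call now performs an implicit narrowing. It is harmless because both indices stay below KYBER_K, but the clean build's warning set (`-Wall -Wextra -Wpedantic`, no `-Wconversion`) will not flag it, so a cast or a one-line comment at the call site would make the intent explicit.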
@@ -1,16 +1,20 @@ #ifndef PQCLEAN_KYBER512_CLEAN_INDCPA_H #define PQCLEAN_KYBER512_CLEAN_INDCPA_H - #include "params.h" #include "polyvec.h" #include void PQCLEAN_KYBER512_CLEAN_gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed); +void PQCLEAN_KYBER512_CLEAN_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], + uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); -void PQCLEAN_KYBER512_CLEAN_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); +void PQCLEAN_KYBER512_CLEAN_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], + const uint8_t m[KYBER_INDCPA_MSGBYTES], + const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], + const uint8_t coins[KYBER_SYMBYTES]); -void PQCLEAN_KYBER512_CLEAN_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], const uint8_t m[KYBER_INDCPA_MSGBYTES], const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], const uint8_t coins[KYBER_SYMBYTES]); - -void PQCLEAN_KYBER512_CLEAN_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES], const uint8_t c[KYBER_INDCPA_BYTES], const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); +void PQCLEAN_KYBER512_CLEAN_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES], + const uint8_t c[KYBER_INDCPA_BYTES], + const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); #endif diff --git a/crypto_kem/kyber512/clean/kem.c b/crypto_kem/kyber512/clean/kem.c index 7d01cc45..db097438 100644 --- a/crypto_kem/kyber512/clean/kem.c +++ b/crypto_kem/kyber512/clean/kem.c @@ -21,7 +21,7 @@ * Returns 0 (success) **************************************************/ int PQCLEAN_KYBER512_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) { - size_t i = 0; + size_t i; PQCLEAN_KYBER512_CLEAN_indcpa_keypair(pk, sk); for (i = 0; i < KYBER_INDCPA_PUBLICKEYBYTES; i++) { sk[i + KYBER_INDCPA_SECRETKEYBYTES] = pk[i]; 
@@ -92,8 +92,8 @@ int PQCLEAN_KYBER512_CLEAN_crypto_kem_enc(unsigned char *ct, int PQCLEAN_KYBER512_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) { - size_t i = 0; - int fail = 0; + size_t i; + int fail; uint8_t buf[2 * KYBER_SYMBYTES]; /* Will contain key, coins */ uint8_t kr[2 * KYBER_SYMBYTES]; diff --git a/crypto_kem/kyber512/clean/kem.h b/crypto_kem/kyber512/clean/kem.h index c3a98378..a73c9698 100644 --- a/crypto_kem/kyber512/clean/kem.h +++ b/crypto_kem/kyber512/clean/kem.h @@ -1,17 +1,14 @@ #ifndef PQCLEAN_KYBER512_CLEAN_KEM_H #define PQCLEAN_KYBER512_CLEAN_KEM_H - #include "params.h" int PQCLEAN_KYBER512_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk); - int PQCLEAN_KYBER512_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk); - int PQCLEAN_KYBER512_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk); diff --git a/crypto_kem/kyber512/clean/ntt.c b/crypto_kem/kyber512/clean/ntt.c index 99f1257f..44e94b9a 100644 --- a/crypto_kem/kyber512/clean/ntt.c +++ b/crypto_kem/kyber512/clean/ntt.c @@ -1,5 +1,5 @@ -#include "params.h" #include "ntt.h" +#include "params.h" #include "reduce.h" #include @@ -89,8 +89,8 @@ static int16_t fqmul(int16_t a, int16_t b) { * of Zq **************************************************/ void PQCLEAN_KYBER512_CLEAN_ntt(int16_t r[256]) { - unsigned int len = 0, start = 0, j = 0, k = 0; - int16_t t = 0, zeta = 0; + unsigned int len, start, j, k; + int16_t t, zeta; k = 1; for (len = 128; len >= 2; len >>= 1) { @@ -116,8 +116,8 @@ void PQCLEAN_KYBER512_CLEAN_ntt(int16_t r[256]) { * of Zq **************************************************/ void PQCLEAN_KYBER512_CLEAN_invntt(int16_t r[256]) { - unsigned int start = 0, len = 0, j = 0, k = 0; - int16_t t = 0, zeta = 0; + unsigned int start, len, j, k; + int16_t t, zeta; k = 0; for (len = 2; len <= 128; len <<= 1) { 
@@ -148,7 +148,10 @@ void PQCLEAN_KYBER512_CLEAN_invntt(int16_t r[256]) { * - const int16_t b[2]: pointer to the second factor * - int16_t zeta: integer defining the reduction polynomial **************************************************/ -void PQCLEAN_KYBER512_CLEAN_basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], int16_t zeta) { +void PQCLEAN_KYBER512_CLEAN_basemul(int16_t r[2], + const int16_t a[2], + const int16_t b[2], + int16_t zeta) { r[0] = fqmul(a[1], b[1]); r[0] = fqmul(r[0], zeta); r[0] += fqmul(a[0], b[0]); diff --git a/crypto_kem/kyber512/clean/ntt.h b/crypto_kem/kyber512/clean/ntt.h index 5f22c401..34c43c17 100644 --- a/crypto_kem/kyber512/clean/ntt.h +++ b/crypto_kem/kyber512/clean/ntt.h @@ -1,22 +1,19 @@ #ifndef PQCLEAN_KYBER512_CLEAN_NTT_H #define PQCLEAN_KYBER512_CLEAN_NTT_H - #include "params.h" #include - extern const int16_t PQCLEAN_KYBER512_CLEAN_zetas[128]; - extern const int16_t PQCLEAN_KYBER512_CLEAN_zetas_inv[128]; - void PQCLEAN_KYBER512_CLEAN_ntt(int16_t r[256]); - void PQCLEAN_KYBER512_CLEAN_invntt(int16_t r[256]); - -void PQCLEAN_KYBER512_CLEAN_basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], int16_t zeta); +void PQCLEAN_KYBER512_CLEAN_basemul(int16_t r[2], + const int16_t a[2], + const int16_t b[2], + int16_t zeta); #endif diff --git a/crypto_kem/kyber512/clean/params.h b/crypto_kem/kyber512/clean/params.h index d189bf85..c774d397 100644 --- a/crypto_kem/kyber512/clean/params.h +++ b/crypto_kem/kyber512/clean/params.h @@ -1,6 +1,9 @@ #ifndef PQCLEAN_KYBER512_CLEAN_PARAMS_H #define PQCLEAN_KYBER512_CLEAN_PARAMS_H + + + #define KYBER_N 256 #define KYBER_Q 3329 diff --git a/crypto_kem/kyber512/clean/poly.c b/crypto_kem/kyber512/clean/poly.c index 08c72d84..0bc99a97 100644 --- a/crypto_kem/kyber512/clean/poly.c +++ b/crypto_kem/kyber512/clean/poly.c @@ -1,6 +1,6 @@ -#include "params.h" #include "cbd.h" #include "ntt.h" +#include "params.h" #include "poly.h" #include "reduce.h" #include "symmetric.h" 
@@ -16,7 +16,7 @@ * - poly *a: pointer to input polynomial **************************************************/ void PQCLEAN_KYBER512_CLEAN_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], poly *a) { - unsigned int i = 0, j = 0; + size_t i, j; uint8_t t[8]; PQCLEAN_KYBER512_CLEAN_poly_csubq(a); @@ -44,9 +44,9 @@ void PQCLEAN_KYBER512_CLEAN_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], * (of length KYBER_POLYCOMPRESSEDBYTES bytes) **************************************************/ void PQCLEAN_KYBER512_CLEAN_poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]) { - unsigned int i = 0; + size_t i; - unsigned int j = 0; + size_t j; uint8_t t[8]; for (i = 0; i < KYBER_N / 8; i++) { t[0] = (a[0] >> 0); @@ -75,8 +75,8 @@ void PQCLEAN_KYBER512_CLEAN_poly_decompress(poly *r, const uint8_t a[KYBER_POLYC * - poly *a: pointer to input polynomial **************************************************/ void PQCLEAN_KYBER512_CLEAN_poly_tobytes(uint8_t r[KYBER_POLYBYTES], poly *a) { - unsigned int i = 0; - uint16_t t0 = 0, t1 = 0; + size_t i; + uint16_t t0, t1; PQCLEAN_KYBER512_CLEAN_poly_csubq(a); @@ -100,7 +100,7 @@ void PQCLEAN_KYBER512_CLEAN_poly_tobytes(uint8_t r[KYBER_POLYBYTES], poly *a) { * (of KYBER_POLYBYTES bytes) **************************************************/ void PQCLEAN_KYBER512_CLEAN_poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_N / 2; i++) { r->coeffs[2 * i] = ((a[3 * i + 0] >> 0) | ((uint16_t)a[3 * i + 1] << 8)) & 0xFFF; r->coeffs[2 * i + 1] = ((a[3 * i + 1] >> 4) | ((uint16_t)a[3 * i + 2] << 4)) & 0xFFF; 
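Review bot: poly_decompress now declares its two loop counters on separate lines, `size_t i;` followed by `size_t j;`, where every sibling in this file (poly_compress just above, poly_frommsg and poly_tomsg below) writes `size_t i, j;`; this looks like a leftover from a removed conditional block rather than a deliberate choice. Collapsing it to `size_t i, j;` keeps the file uniform.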
@@ -116,8 +116,8 @@ void PQCLEAN_KYBER512_CLEAN_poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBY * - const uint8_t *msg: pointer to input message **************************************************/ void PQCLEAN_KYBER512_CLEAN_poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]) { - unsigned int i = 0, j = 0; - int16_t mask = 0; + size_t i, j; + int16_t mask; for (i = 0; i < KYBER_N / 8; i++) { for (j = 0; j < 8; j++) { @@ -136,8 +136,8 @@ void PQCLEAN_KYBER512_CLEAN_poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA * - poly *a: pointer to input polynomial **************************************************/ void PQCLEAN_KYBER512_CLEAN_poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], poly *a) { - unsigned int i = 0, j = 0; - uint16_t t = 0; + size_t i, j; + uint16_t t; PQCLEAN_KYBER512_CLEAN_poly_csubq(a); @@ -205,7 +205,7 @@ void PQCLEAN_KYBER512_CLEAN_poly_invntt_tomont(poly *r) { * - const poly *b: pointer to second input polynomial **************************************************/ void PQCLEAN_KYBER512_CLEAN_poly_basemul_montgomery(poly *r, const poly *a, const poly *b) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_N / 4; i++) { PQCLEAN_KYBER512_CLEAN_basemul(&r->coeffs[4 * i], &a->coeffs[4 * i], &b->coeffs[4 * i], PQCLEAN_KYBER512_CLEAN_zetas[64 + i]); PQCLEAN_KYBER512_CLEAN_basemul(&r->coeffs[4 * i + 2], &a->coeffs[4 * i + 2], &b->coeffs[4 * i + 2], @@ -222,7 +222,7 @@ void PQCLEAN_KYBER512_CLEAN_poly_basemul_montgomery(poly *r, const poly *a, cons * Arguments: - poly *r: pointer to input/output polynomial **************************************************/ void PQCLEAN_KYBER512_CLEAN_poly_tomont(poly *r) { - unsigned int i = 0; + size_t i; const int16_t f = (1ULL << 32) % KYBER_Q; for (i = 0; i < KYBER_N; i++) { r->coeffs[i] = PQCLEAN_KYBER512_CLEAN_montgomery_reduce((int32_t)r->coeffs[i] * f); 
@@ -238,7 +238,7 @@ void PQCLEAN_KYBER512_CLEAN_poly_tomont(poly *r) { * Arguments: - poly *r: pointer to input/output polynomial **************************************************/ void PQCLEAN_KYBER512_CLEAN_poly_reduce(poly *r) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_N; i++) { r->coeffs[i] = PQCLEAN_KYBER512_CLEAN_barrett_reduce(r->coeffs[i]); } @@ -254,7 +254,7 @@ void PQCLEAN_KYBER512_CLEAN_poly_reduce(poly *r) { * Arguments: - poly *r: pointer to input/output polynomial **************************************************/ void PQCLEAN_KYBER512_CLEAN_poly_csubq(poly *r) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_N; i++) { r->coeffs[i] = PQCLEAN_KYBER512_CLEAN_csubq(r->coeffs[i]); } @@ -270,7 +270,7 @@ void PQCLEAN_KYBER512_CLEAN_poly_csubq(poly *r) { * - const poly *b: pointer to second input polynomial **************************************************/ void PQCLEAN_KYBER512_CLEAN_poly_add(poly *r, const poly *a, const poly *b) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_N; i++) { r->coeffs[i] = a->coeffs[i] + b->coeffs[i]; } @@ -286,7 +286,7 @@ void PQCLEAN_KYBER512_CLEAN_poly_add(poly *r, const poly *a, const poly *b) { * - const poly *b: pointer to second input polynomial **************************************************/ void PQCLEAN_KYBER512_CLEAN_poly_sub(poly *r, const poly *a, const poly *b) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_N; i++) { r->coeffs[i] = a->coeffs[i] - b->coeffs[i]; } diff --git a/crypto_kem/kyber512/clean/poly.h b/crypto_kem/kyber512/clean/poly.h index 1cd9d235..1446d212 100644 --- a/crypto_kem/kyber512/clean/poly.h +++ b/crypto_kem/kyber512/clean/poly.h @@ -1,6 +1,5 @@ #ifndef PQCLEAN_KYBER512_CLEAN_POLY_H #define PQCLEAN_KYBER512_CLEAN_POLY_H - #include "params.h" #include 
@@ -12,41 +11,26 @@ typedef struct { int16_t coeffs[KYBER_N]; } poly; - void PQCLEAN_KYBER512_CLEAN_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], poly *a); - void PQCLEAN_KYBER512_CLEAN_poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]); - void PQCLEAN_KYBER512_CLEAN_poly_tobytes(uint8_t r[KYBER_POLYBYTES], poly *a); - void PQCLEAN_KYBER512_CLEAN_poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]); - void PQCLEAN_KYBER512_CLEAN_poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]); - void PQCLEAN_KYBER512_CLEAN_poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], poly *a); - void PQCLEAN_KYBER512_CLEAN_poly_getnoise(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce); - void PQCLEAN_KYBER512_CLEAN_poly_ntt(poly *r); - void PQCLEAN_KYBER512_CLEAN_poly_invntt_tomont(poly *r); - void PQCLEAN_KYBER512_CLEAN_poly_basemul_montgomery(poly *r, const poly *a, const poly *b); - void PQCLEAN_KYBER512_CLEAN_poly_tomont(poly *r); - void PQCLEAN_KYBER512_CLEAN_poly_reduce(poly *r); - void PQCLEAN_KYBER512_CLEAN_poly_csubq(poly *r); - void PQCLEAN_KYBER512_CLEAN_poly_add(poly *r, const poly *a, const poly *b); - void PQCLEAN_KYBER512_CLEAN_poly_sub(poly *r, const poly *a, const poly *b); #endif diff --git a/crypto_kem/kyber512/clean/polyvec.c b/crypto_kem/kyber512/clean/polyvec.c index 68224c7e..29eee439 100644 --- a/crypto_kem/kyber512/clean/polyvec.c +++ b/crypto_kem/kyber512/clean/polyvec.c @@ -13,7 +13,7 @@ * - polyvec *a: pointer to input vector of polynomials **************************************************/ void PQCLEAN_KYBER512_CLEAN_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], polyvec *a) { - unsigned int i = 0, j = 0, k = 0; + unsigned int i, j, k; PQCLEAN_KYBER512_CLEAN_polyvec_csubq(a); 
@@ -21,10 +21,8 @@ void PQCLEAN_KYBER512_CLEAN_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBY for (i = 0; i < KYBER_K; i++) { for (j = 0; j < KYBER_N / 4; j++) { for (k = 0; k < 4; k++) { - { - t[k] = ((((uint32_t)a->vec[i].coeffs[4 * j + k] << 10) + KYBER_Q / 2) - / KYBER_Q) & 0x3ff; - } + t[k] = ((((uint32_t)a->vec[i].coeffs[4 * j + k] << 10) + KYBER_Q / 2) + / KYBER_Q) & 0x3ff; } r[0] = (uint8_t)(t[0] >> 0); @@ -49,7 +47,7 @@ void PQCLEAN_KYBER512_CLEAN_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBY **************************************************/ void PQCLEAN_KYBER512_CLEAN_polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]) { - unsigned int i = 0, j = 0, k = 0; + unsigned int i, j, k; uint16_t t[4]; for (i = 0; i < KYBER_K; i++) { @@ -77,7 +75,7 @@ void PQCLEAN_KYBER512_CLEAN_polyvec_decompress(polyvec *r, * - polyvec *a: pointer to input vector of polynomials **************************************************/ void PQCLEAN_KYBER512_CLEAN_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], polyvec *a) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER512_CLEAN_poly_tobytes(r + i * KYBER_POLYBYTES, &a->vec[i]); } @@ -94,7 +92,7 @@ void PQCLEAN_KYBER512_CLEAN_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], polyv * (of length KYBER_POLYVECBYTES) **************************************************/ void PQCLEAN_KYBER512_CLEAN_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER512_CLEAN_poly_frombytes(&r->vec[i], a + i * KYBER_POLYBYTES); } 
@@ -108,7 +106,7 @@ void PQCLEAN_KYBER512_CLEAN_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_ * Arguments: - polyvec *r: pointer to in/output vector of polynomials **************************************************/ void PQCLEAN_KYBER512_CLEAN_polyvec_ntt(polyvec *r) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER512_CLEAN_poly_ntt(&r->vec[i]); } @@ -123,7 +121,7 @@ void PQCLEAN_KYBER512_CLEAN_polyvec_ntt(polyvec *r) { * Arguments: - polyvec *r: pointer to in/output vector of polynomials **************************************************/ void PQCLEAN_KYBER512_CLEAN_polyvec_invntt_tomont(polyvec *r) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER512_CLEAN_poly_invntt_tomont(&r->vec[i]); } @@ -142,7 +140,7 @@ void PQCLEAN_KYBER512_CLEAN_polyvec_invntt_tomont(polyvec *r) { void PQCLEAN_KYBER512_CLEAN_polyvec_pointwise_acc_montgomery(poly *r, const polyvec *a, const polyvec *b) { - unsigned int i = 0; + unsigned int i; poly t; PQCLEAN_KYBER512_CLEAN_poly_basemul_montgomery(r, &a->vec[0], &b->vec[0]); @@ -164,7 +162,7 @@ void PQCLEAN_KYBER512_CLEAN_polyvec_pointwise_acc_montgomery(poly *r, * Arguments: - poly *r: pointer to input/output polynomial **************************************************/ void PQCLEAN_KYBER512_CLEAN_polyvec_reduce(polyvec *r) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER512_CLEAN_poly_reduce(&r->vec[i]); } @@ -181,7 +179,7 @@ void PQCLEAN_KYBER512_CLEAN_polyvec_reduce(polyvec *r) { * Arguments: - poly *r: pointer to input/output polynomial **************************************************/ void PQCLEAN_KYBER512_CLEAN_polyvec_csubq(polyvec *r) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER512_CLEAN_poly_csubq(&r->vec[i]); } 
@@ -197,7 +195,7 @@ void PQCLEAN_KYBER512_CLEAN_polyvec_csubq(polyvec *r) { * - const polyvec *b: pointer to second input vector of polynomials **************************************************/ void PQCLEAN_KYBER512_CLEAN_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER512_CLEAN_poly_add(&r->vec[i], &a->vec[i], &b->vec[i]); } diff --git a/crypto_kem/kyber512/clean/polyvec.h b/crypto_kem/kyber512/clean/polyvec.h index 33b27cb8..f26e149c 100644 --- a/crypto_kem/kyber512/clean/polyvec.h +++ b/crypto_kem/kyber512/clean/polyvec.h @@ -1,6 +1,5 @@ #ifndef PQCLEAN_KYBER512_CLEAN_POLYVEC_H #define PQCLEAN_KYBER512_CLEAN_POLYVEC_H - #include "params.h" #include "poly.h" #include @@ -9,33 +8,23 @@ typedef struct { poly vec[KYBER_K]; } polyvec; - void PQCLEAN_KYBER512_CLEAN_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], polyvec *a); - void PQCLEAN_KYBER512_CLEAN_polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]); - void PQCLEAN_KYBER512_CLEAN_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], polyvec *a); - void PQCLEAN_KYBER512_CLEAN_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]); - void PQCLEAN_KYBER512_CLEAN_polyvec_ntt(polyvec *r); - void PQCLEAN_KYBER512_CLEAN_polyvec_invntt_tomont(polyvec *r); - void PQCLEAN_KYBER512_CLEAN_polyvec_pointwise_acc_montgomery(poly *r, const polyvec *a, const polyvec *b); - void PQCLEAN_KYBER512_CLEAN_polyvec_reduce(polyvec *r); - void PQCLEAN_KYBER512_CLEAN_polyvec_csubq(polyvec *r); - void PQCLEAN_KYBER512_CLEAN_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b); #endif diff --git a/crypto_kem/kyber512/clean/reduce.c b/crypto_kem/kyber512/clean/reduce.c index a979a2ad..c9afbdd0 100644 --- a/crypto_kem/kyber512/clean/reduce.c +++ b/crypto_kem/kyber512/clean/reduce.c 
@@ -15,8 +15,8 @@ * Returns: integer in {-q+1,...,q-1} congruent to a * R^-1 modulo q. **************************************************/ int16_t PQCLEAN_KYBER512_CLEAN_montgomery_reduce(int32_t a) { - int32_t t = 0; - int16_t u = 0; + int32_t t; + int16_t u; u = (int16_t)(a * (int64_t)QINV); t = (int32_t)u * KYBER_Q; @@ -36,7 +36,7 @@ int16_t PQCLEAN_KYBER512_CLEAN_montgomery_reduce(int32_t a) { * Returns: integer in {0,...,q} congruent to a modulo q. **************************************************/ int16_t PQCLEAN_KYBER512_CLEAN_barrett_reduce(int16_t a) { - int16_t t = 0; + int16_t t; const int16_t v = ((1U << 26) + KYBER_Q / 2) / KYBER_Q; t = (int32_t)v * a >> 26; diff --git a/crypto_kem/kyber512/clean/reduce.h b/crypto_kem/kyber512/clean/reduce.h index c7db6ba5..27f68b34 100644 --- a/crypto_kem/kyber512/clean/reduce.h +++ b/crypto_kem/kyber512/clean/reduce.h @@ -1,19 +1,15 @@ #ifndef PQCLEAN_KYBER512_CLEAN_REDUCE_H #define PQCLEAN_KYBER512_CLEAN_REDUCE_H - #include "params.h" #include #define MONT 2285 // 2^16 mod q #define QINV 62209 // q^-1 mod 2^16 - int16_t PQCLEAN_KYBER512_CLEAN_montgomery_reduce(int32_t a); - int16_t PQCLEAN_KYBER512_CLEAN_barrett_reduce(int16_t a); - int16_t PQCLEAN_KYBER512_CLEAN_csubq(int16_t a); #endif diff --git a/crypto_kem/kyber512/clean/symmetric-shake.c b/crypto_kem/kyber512/clean/symmetric-shake.c index 9e6f203f..363b24b5 100644 --- a/crypto_kem/kyber512/clean/symmetric-shake.c +++ b/crypto_kem/kyber512/clean/symmetric-shake.c @@ -9,8 +9,8 @@ * * Description: Absorb step of the SHAKE128 specialized for the Kyber context. * -* Arguments: - keccak_state *state: pointer to (uninitialized) output -* Keccak state +* Arguments: - xof_state *state: pointer to (uninitialized) output +* Keccak state * - const uint8_t *seed: pointer to KYBER_SYMBYTES input * to be absorbed into state * - uint8_t i additional byte of input 
@@ -20,7 +20,7 @@ void PQCLEAN_KYBER512_CLEAN_kyber_shake128_absorb(xof_state *state, const uint8_t seed[KYBER_SYMBYTES], uint8_t x, uint8_t y) { - unsigned int i = 0; + unsigned int i; uint8_t extseed[KYBER_SYMBYTES + 2]; for (i = 0; i < KYBER_SYMBYTES; i++) { @@ -48,7 +48,7 @@ void PQCLEAN_KYBER512_CLEAN_kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYMBYTES], uint8_t nonce) { - unsigned int i = 0; + unsigned int i; uint8_t extkey[KYBER_SYMBYTES + 1]; for (i = 0; i < KYBER_SYMBYTES; i++) { diff --git a/crypto_kem/kyber512/clean/symmetric.h b/crypto_kem/kyber512/clean/symmetric.h index 1d787d82..d011c556 100644 --- a/crypto_kem/kyber512/clean/symmetric.h +++ b/crypto_kem/kyber512/clean/symmetric.h @@ -1,12 +1,11 @@ -#ifndef SYMMETRIC_H -#define SYMMETRIC_H - +#ifndef PQCLEAN_KYBER512_CLEAN_SYMMETRIC_H +#define PQCLEAN_KYBER512_CLEAN_SYMMETRIC_H +#include "fips202.h" #include "params.h" #include #include -#include "fips202.h" typedef shake128ctx xof_state; diff --git a/crypto_kem/kyber512/clean/verify.c b/crypto_kem/kyber512/clean/verify.c index 619f1a2b..772293f0 100644 --- a/crypto_kem/kyber512/clean/verify.c +++ b/crypto_kem/kyber512/clean/verify.c @@ -14,7 +14,7 @@ * Returns 0 if the byte arrays are equal, 1 otherwise **************************************************/ int PQCLEAN_KYBER512_CLEAN_verify(const uint8_t *a, const uint8_t *b, size_t len) { - size_t i = 0; + size_t i; uint8_t r = 0; for (i = 0; i < len; i++) { @@ -38,7 +38,7 @@ int PQCLEAN_KYBER512_CLEAN_verify(const uint8_t *a, const uint8_t *b, size_t len * uint8_t b: Condition bit; has to be in {0,1} **************************************************/ void PQCLEAN_KYBER512_CLEAN_cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b) { - size_t i = 0; + size_t i; b = -b; for (i = 0; i < len; i++) { diff --git a/crypto_kem/kyber512/clean/verify.h b/crypto_kem/kyber512/clean/verify.h index 0664f357..47c5579a 100644 --- a/crypto_kem/kyber512/clean/verify.h 
+++ b/crypto_kem/kyber512/clean/verify.h @@ -1,14 +1,11 @@ #ifndef PQCLEAN_KYBER512_CLEAN_VERIFY_H #define PQCLEAN_KYBER512_CLEAN_VERIFY_H - #include "params.h" #include #include - int PQCLEAN_KYBER512_CLEAN_verify(const uint8_t *a, const uint8_t *b, size_t len); - void PQCLEAN_KYBER512_CLEAN_cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b); #endif diff --git a/crypto_kem/kyber768-90s/META.yml b/crypto_kem/kyber768-90s/META.yml index eda3e3f1..2c1b4b5d 100644 --- a/crypto_kem/kyber768-90s/META.yml +++ b/crypto_kem/kyber768-90s/META.yml @@ -20,17 +20,17 @@ auxiliary-submitters: - Gregor Seiler - Damien Stehlé implementations: - - name: clean - version: https://github.com/pq-crystals/kyber/commit/46e283ab575ec92dfe82fb12229ae2d9d6246682 - - name: avx2 - version: https://github.com/pq-crystals/kyber/commit/46e283ab575ec92dfe82fb12229ae2d9d6246682 - supported_platforms: - - architecture: x86_64 - operating_systems: - - Linux - - Darwin - required_flags: - - aes - - avx2 - - bmi2 - - popcnt + - name: clean + version: https://github.com/pq-crystals/kyber/commit/844057468e69527bd15b17fbe03f4b61f9a22065 via https://github.com/jschanck/package-pqclean/tree/b45068b8/kyber + - name: avx2 + version: https://github.com/pq-crystals/kyber/commit/844057468e69527bd15b17fbe03f4b61f9a22065 via https://github.com/jschanck/package-pqclean/tree/b45068b8/kyber + supported_platforms: + - architecture: x86_64 + operating_systems: + - Linux + - Darwin + required_flags: + - aes + - avx2 + - bmi2 + - popcnt diff --git a/crypto_kem/kyber768-90s/avx2/Makefile b/crypto_kem/kyber768-90s/avx2/Makefile index 4689bf26..60e5d9d9 100644 --- a/crypto_kem/kyber768-90s/avx2/Makefile +++ b/crypto_kem/kyber768-90s/avx2/Makefile 
@@ -1,44 +1,11 @@ # This Makefile can be used with GNU Make or BSD Make LIB=libkyber768-90s_avx2.a -HEADERS= \ - aes256ctr.h \ - align.h \ - api.h \ - cbd.h \ - cdecl.inc \ - consts.h \ - fq.inc \ - indcpa.h \ - kem.h \ - ntt.h \ - params.h \ - poly.h \ - polyvec.h \ - reduce.h \ - rejsample.h \ - shuffle.inc \ - symmetric.h \ - verify.h -OBJECTS= \ - aes256ctr.o \ - basemul.o \ - cbd.o \ - consts.o \ - fq.o \ - indcpa.o \ - invntt.o \ - kem.o \ - ntt.o \ - poly.o \ - polyvec.o \ - rejsample.o \ - shuffle.o \ - verify.o - +HEADERS=aes256ctr.h align.h api.h cbd.h cdecl.h consts.h indcpa.h kem.h ntt.h params.h poly.h polyvec.h reduce.h rejsample.h symmetric.h verify.h fq.inc shuffle.inc +OBJECTS=aes256ctr.o cbd.o consts.o indcpa.o kem.o poly.o polyvec.o rejsample.o verify.o basemul.o fq.o invntt.o ntt.o shuffle.o CFLAGS=-mavx2 -maes -mbmi2 -mpopcnt -O3 -Wall -Wextra -Wpedantic -Werror \ - -Wmissing-prototypes -Wredundant-decls -std=c99 \ - -I../../../common $(EXTRAFLAGS) + -Wmissing-prototypes -Wredundant-decls -std=c99 \ + -I../../../common $(EXTRAFLAGS) all: $(LIB) diff --git a/crypto_kem/kyber768-90s/avx2/aes256ctr.c b/crypto_kem/kyber768-90s/avx2/aes256ctr.c index 4b5522a2..a8c70e91 100644 --- a/crypto_kem/kyber768-90s/avx2/aes256ctr.c +++ b/crypto_kem/kyber768-90s/avx2/aes256ctr.c @@ -1,3 +1,7 @@ +#include "aes256ctr.h" +#include +#include +#include /* Based heavily on public-domain code by Romain Dolbeau Different handling of nonce+counter than original version @@ -5,10 +9,6 @@ Public Domain */ -#include "aes256ctr.h" -#include -#include -#include static inline void aesni_encrypt4(uint8_t out[64], __m128i *n, @@ -114,7 +114,7 @@ void PQCLEAN_KYBER76890S_AVX2_aes256ctr_init(aes256ctr_ctx *state, const uint8_t void PQCLEAN_KYBER76890S_AVX2_aes256ctr_squeezeblocks(uint8_t *out, size_t nblocks, aes256ctr_ctx *state) { - size_t i = 0; + size_t i; for (i = 0; i < nblocks; i++) { aesni_encrypt4(out, &state->n, state->rkeys); out += 64; 
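Review bot: The four `#include` lines moved by the `@@ -1,3 +1,7 @@` hunk of `crypto_kem/kyber768-90s/avx2/aes256ctr.c` now sit above the attribution block (`Based heavily on public-domain code by Romain Dolbeau ... Public Domain`), which by convention is the first thing in the file so that licence and provenance are visible at the top; the `@@ -5,10 +9,6 @@` hunk is the other half of the same move. Putting the file's own header first among the includes is good, but the includes should go directly below the attribution comment rather than above it.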
@@ -123,13 +123,13 @@ void PQCLEAN_KYBER76890S_AVX2_aes256ctr_squeezeblocks(uint8_t *out, void PQCLEAN_KYBER76890S_AVX2_aes256ctr_prf(uint8_t *out, size_t outlen, - const uint8_t seed[32], + const uint8_t key[32], uint64_t nonce) { - unsigned int i = 0; + unsigned int i; uint8_t buf[64]; aes256ctr_ctx state; - PQCLEAN_KYBER76890S_AVX2_aes256ctr_init(&state, seed, nonce); + PQCLEAN_KYBER76890S_AVX2_aes256ctr_init(&state, key, nonce); while (outlen >= 64) { aesni_encrypt4(out, &state.n, state.rkeys); diff --git a/crypto_kem/kyber768-90s/avx2/aes256ctr.h b/crypto_kem/kyber768-90s/avx2/aes256ctr.h index 5725b5a6..74d928d6 100644 --- a/crypto_kem/kyber768-90s/avx2/aes256ctr.h +++ b/crypto_kem/kyber768-90s/avx2/aes256ctr.h @@ -1,11 +1,10 @@ -#ifndef AES256CTR_H -#define AES256CTR_H +#ifndef PQCLEAN_KYBER76890S_AVX2_AES256CTR_H +#define PQCLEAN_KYBER76890S_AVX2_AES256CTR_H #include #include #include -#define AES256CTR_NAMESPACE(s) pqcrystals_aes256ctr_avx2##s #define AES256CTR_BLOCKBYTES 64 @@ -14,8 +13,17 @@ typedef struct { __m128i n; } aes256ctr_ctx; -void PQCLEAN_KYBER76890S_AVX2_aes256ctr_init(aes256ctr_ctx *state, const uint8_t key[32], uint64_t nonce); -void PQCLEAN_KYBER76890S_AVX2_aes256ctr_squeezeblocks(uint8_t *out, size_t nblocks, aes256ctr_ctx *state); -void PQCLEAN_KYBER76890S_AVX2_aes256ctr_prf(uint8_t *out, size_t outlen, const uint8_t seed[32], uint64_t nonce); +void PQCLEAN_KYBER76890S_AVX2_aes256ctr_init(aes256ctr_ctx *state, + const uint8_t key[32], + uint64_t nonce); + +void PQCLEAN_KYBER76890S_AVX2_aes256ctr_squeezeblocks(uint8_t *out, + size_t nblocks, + aes256ctr_ctx *state); + +void PQCLEAN_KYBER76890S_AVX2_aes256ctr_prf(uint8_t *out, + size_t outlen, + const uint8_t key[32], + uint64_t nonce); #endif diff --git a/crypto_kem/kyber768-90s/avx2/align.h b/crypto_kem/kyber768-90s/avx2/align.h index 898b1183..50e576f7 100644 --- a/crypto_kem/kyber768-90s/avx2/align.h +++ b/crypto_kem/kyber768-90s/avx2/align.h 
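Review bot: `aes256ctr_ctx state` in `PQCLEAN_KYBER76890S_AVX2_aes256ctr_prf` holds the round keys expanded from `key` (the `rkeys` member used by `squeezeblocks`) and `buf` holds keystream, and nothing in the hunk clears either before the function returns; if the PRF key is the noise seed, as it presumably is in Kyber-90s, the expanded key survives in stack memory that later frames reuse. A best-effort wipe of `state` and `buf` on the return path is cheap — a volatile-pointer store loop or an `explicit_bzero`-style helper rather than plain `memset`, which the `-O3` build may drop on a dead object. The function body continues outside the hunk, so the return path itself is not visible here; the `ALIGN32_ARRAY(uint8_t, 2 * KYBER_SYMBYTES) buf` that carries `noiseseed` in the `indcpa_keypair` hunk of `crypto_kem/kyber768-90s/avx2/indcpa.c` has the same consideration.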
@@ -1,5 +1,6 @@ #ifndef PQCLEAN_KYBER76890S_AVX2_ALIGN_H #define PQCLEAN_KYBER76890S_AVX2_ALIGN_H + #include #define ALIGN16_TYPE(t) \ diff --git a/crypto_kem/kyber768-90s/avx2/api.h b/crypto_kem/kyber768-90s/avx2/api.h index 5594f5bf..5966b442 100644 --- a/crypto_kem/kyber768-90s/avx2/api.h +++ b/crypto_kem/kyber768-90s/avx2/api.h @@ -15,5 +15,4 @@ int PQCLEAN_KYBER76890S_AVX2_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint int PQCLEAN_KYBER76890S_AVX2_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - #endif diff --git a/crypto_kem/kyber768-90s/avx2/basemul.S b/crypto_kem/kyber768-90s/avx2/basemul.S index cf11d6c5..99296569 100644 --- a/crypto_kem/kyber768-90s/avx2/basemul.S +++ b/crypto_kem/kyber768-90s/avx2/basemul.S @@ -1,5 +1,5 @@ +#include "cdecl.h" #include "params.h" -#include "cdecl.inc" .macro schoolbook off,sign #load @@ -149,7 +149,9 @@ vmovdqa %ymm5,96(%rdi) ret .global cdecl(PQCLEAN_KYBER76890S_AVX2_basemul_acc_avx) +.global _cdecl(PQCLEAN_KYBER76890S_AVX2_basemul_acc_avx) cdecl(PQCLEAN_KYBER76890S_AVX2_basemul_acc_avx): +_cdecl(PQCLEAN_KYBER76890S_AVX2_basemul_acc_avx): #consts vmovdqa _16XQ*2(%rcx),%ymm0 vmovdqa _16XQINV*2(%rcx),%ymm1 @@ -199,7 +201,9 @@ vmovdqa %ymm12,96(%rdi) ret .global cdecl(PQCLEAN_KYBER76890S_AVX2_basemul_avx) +.global _cdecl(PQCLEAN_KYBER76890S_AVX2_basemul_avx) cdecl(PQCLEAN_KYBER76890S_AVX2_basemul_avx): +_cdecl(PQCLEAN_KYBER76890S_AVX2_basemul_avx): #consts vmovdqa _16XQ*2(%rcx),%ymm0 vmovdqa _16XQINV*2(%rcx),%ymm1 diff --git a/crypto_kem/kyber768-90s/avx2/cbd.c b/crypto_kem/kyber768-90s/avx2/cbd.c index 65716707..a69a2eda 100644 --- a/crypto_kem/kyber768-90s/avx2/cbd.c +++ b/crypto_kem/kyber768-90s/avx2/cbd.c @@ -1,5 +1,5 @@ -#include "params.h" #include "cbd.h" +#include "params.h" #include #include 
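Review bot: The added `.global _cdecl(...)` / `_cdecl(...):` pair in the `@@ -149,7 +149,9 @@` hunk of `basemul.S` exports a second symbol at the same address as `cdecl(...)` with no comment saying why, and the reason (one object that links on both ELF, where the C symbol is the plain name, and Mach-O, where it is underscore-prefixed) lives only in `cdecl.h`. A comment in the file's own style at the first pair, `#dual labels: ELF links the plain name, Mach-O the underscore-prefixed one`, would keep a reader from treating the duplicate as a stray. The same pattern is added in the `fq.S`, `invntt.S` and `ntt.S` hunks of this diff.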
@@ -14,7 +14,7 @@ * - const unsigned char *buf: pointer to input byte array **************************************************/ void PQCLEAN_KYBER76890S_AVX2_cbd(poly *restrict r, const uint8_t *restrict buf) { - unsigned int i = 0; + unsigned int i; __m256i vec0, vec1, vec2, vec3, tmp; const __m256i mask55 = _mm256_set1_epi32(0x55555555); const __m256i mask33 = _mm256_set1_epi32(0x33333333); diff --git a/crypto_kem/kyber768-90s/avx2/cbd.h b/crypto_kem/kyber768-90s/avx2/cbd.h index 2a88f4cc..6a300bf7 100644 --- a/crypto_kem/kyber768-90s/avx2/cbd.h +++ b/crypto_kem/kyber768-90s/avx2/cbd.h @@ -1,11 +1,9 @@ #ifndef PQCLEAN_KYBER76890S_AVX2_CBD_H #define PQCLEAN_KYBER76890S_AVX2_CBD_H - #include "params.h" #include "poly.h" #include - void PQCLEAN_KYBER76890S_AVX2_cbd(poly *r, const uint8_t buf[KYBER_ETA * KYBER_N / 4]); #endif diff --git a/crypto_kem/kyber768-90s/avx2/cdecl.h b/crypto_kem/kyber768-90s/avx2/cdecl.h new file mode 100644 index 00000000..40500f53 --- /dev/null +++ b/crypto_kem/kyber768-90s/avx2/cdecl.h @@ -0,0 +1,26 @@ +#ifndef PQCLEAN_KYBER76890S_AVX2_CDECL_H +#define PQCLEAN_KYBER76890S_AVX2_CDECL_H + +#define _16XQ 0 +#define _16XQINV 16 +#define _16XV 32 +#define _16XFLO 48 +#define _16XFHI 64 +#define _16XMONTSQLO 80 +#define _16XMONTSQHI 96 +#define _16XMASK 112 +#define _ZETAS_EXP 128 +#define _ZETAS_INV_EXP 528 + + +/* The C ABI on MacOS exports all symbols with a leading + * underscore. This means that any symbols we refer to from + * C files (functions) can't be found, and all symbols we + * refer to from ASM also can't be found (nttconsts.c). + * + * This define helps us get around this + */ + +#define _cdecl(s) _##s +#define cdecl(s) s +#endif diff --git a/crypto_kem/kyber768-90s/avx2/cdecl.inc b/crypto_kem/kyber768-90s/avx2/cdecl.inc deleted file mode 100644 index 8ded53b1..00000000 --- a/crypto_kem/kyber768-90s/avx2/cdecl.inc +++ /dev/null 
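Review bot: The comment in the new `cdecl.h` still refers to `nttconsts.c`, which does not exist in this directory (the constants live in `consts.c`), and its closing line, `This define helps us get around this`, describes the old single conditional `cdecl()` macro rather than the new scheme of two unconditional macros with every assembler entry point labelled under both names. Suggested replacement for that closing line: `The .S files define each entry point under both cdecl() and _cdecl(), so one object links on ELF (plain name) and Mach-O (underscore-prefixed) without a platform #if.` Separately, `_cdecl` is a reserved identifier in C (leading underscore at file scope) and is also recognised by MSVC as a calling-convention keyword, and this header is now pulled into C translation units via `consts.h`; a name without the leading underscore, such as `cdecl_u(s)`, avoids both, though `META.yml` listing only Linux and Darwin suggests MSVC is out of scope.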
@@ -1,30 +0,0 @@ -#ifndef PQCLEAN_DILITHIUM2_AVX2_CDECL -#define PQCLEAN_DILITHIUM2_AVX2_CDECL - -#define _16XQ 0 -#define _16XQINV 16 -#define _16XV 32 -#define _16XFLO 48 -#define _16XFHI 64 -#define _16XMONTSQLO 80 -#define _16XMONTSQHI 96 -#define _16XMASK 112 -#define _ZETAS_EXP 128 -#define _ZETAS_INV_EXP 528 - - -/* The C ABI on MacOS exports all symbols with a leading - * underscore. This means that any symbols we refer to from - * C files (functions) can't be found, and all symbols we - * refer to from ASM also can't be found (nttconsts.c). - * - * This define helps us get around this - */ - -#if defined(__WIN32__) || defined(__APPLE__) -#define cdecl(s) _##s -#else -#define cdecl(s) s -#endif - -#endif diff --git a/crypto_kem/kyber768-90s/avx2/consts.c b/crypto_kem/kyber768-90s/avx2/consts.c index 9e28d64d..7a8e798b 100644 --- a/crypto_kem/kyber768-90s/avx2/consts.c +++ b/crypto_kem/kyber768-90s/avx2/consts.c @@ -1,5 +1,5 @@ -#include "params.h" #include "consts.h" +#include "params.h" #include #define Q KYBER_Q diff --git a/crypto_kem/kyber768-90s/avx2/consts.h b/crypto_kem/kyber768-90s/avx2/consts.h index 739cd184..3bcce40b 100644 --- a/crypto_kem/kyber768-90s/avx2/consts.h +++ b/crypto_kem/kyber768-90s/avx2/consts.h @@ -1,12 +1,11 @@ #ifndef PQCLEAN_KYBER76890S_AVX2_CONSTS_H #define PQCLEAN_KYBER76890S_AVX2_CONSTS_H - -#include "cdecl.inc" - +#include "cdecl.h" #include "params.h" #include #include + #define ALIGNED_UINT16_T(N) \ union { \ __m256i as_vec; \ diff --git a/crypto_kem/kyber768-90s/avx2/fq.S b/crypto_kem/kyber768-90s/avx2/fq.S index ec603823..ccada6de 100644 --- a/crypto_kem/kyber768-90s/avx2/fq.S +++ b/crypto_kem/kyber768-90s/avx2/fq.S @@ -1,4 +1,4 @@ -#include "cdecl.inc" +#include "cdecl.h" .include "fq.inc" .text 
@@ -35,7 +35,9 @@ vmovdqa %ymm9,224(%rdi) ret .global cdecl(PQCLEAN_KYBER76890S_AVX2_reduce_avx) +.global _cdecl(PQCLEAN_KYBER76890S_AVX2_reduce_avx) cdecl(PQCLEAN_KYBER76890S_AVX2_reduce_avx): +_cdecl(PQCLEAN_KYBER76890S_AVX2_reduce_avx): #consts vmovdqa _16XQ*2(%rsi),%ymm0 vmovdqa _16XV*2(%rsi),%ymm1 @@ -77,7 +79,9 @@ vmovdqa %ymm8,224(%rdi) ret .global cdecl(PQCLEAN_KYBER76890S_AVX2_csubq_avx) +.global _cdecl(PQCLEAN_KYBER76890S_AVX2_csubq_avx) cdecl(PQCLEAN_KYBER76890S_AVX2_csubq_avx): +_cdecl(PQCLEAN_KYBER76890S_AVX2_csubq_avx): #consts vmovdqa _16XQ*2(%rsi),%ymm0 call csubq128_avx @@ -118,7 +122,9 @@ vmovdqa %ymm10,224(%rdi) ret .global cdecl(PQCLEAN_KYBER76890S_AVX2_tomont_avx) +.global _cdecl(PQCLEAN_KYBER76890S_AVX2_tomont_avx) cdecl(PQCLEAN_KYBER76890S_AVX2_tomont_avx): +_cdecl(PQCLEAN_KYBER76890S_AVX2_tomont_avx): #consts vmovdqa _16XQ*2(%rsi),%ymm0 vmovdqa _16XMONTSQLO*2(%rsi),%ymm1 diff --git a/crypto_kem/kyber768-90s/avx2/indcpa.c b/crypto_kem/kyber768-90s/avx2/indcpa.c index 90dca8ac..d189d841 100644 --- a/crypto_kem/kyber768-90s/avx2/indcpa.c +++ b/crypto_kem/kyber768-90s/avx2/indcpa.c @@ -25,7 +25,7 @@ static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES], polyvec *pk, const uint8_t seed[KYBER_SYMBYTES]) { - size_t i = 0; + size_t i; PQCLEAN_KYBER76890S_AVX2_polyvec_tobytes(r, pk); for (i = 0; i < KYBER_SYMBYTES; i++) { r[i + KYBER_POLYVECBYTES] = seed[i]; @@ -45,7 +45,7 @@ static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES], static void unpack_pk(polyvec *pk, uint8_t seed[KYBER_SYMBYTES], const uint8_t packedpk[KYBER_INDCPA_PUBLICKEYBYTES]) { - size_t i = 0; + size_t i; PQCLEAN_KYBER76890S_AVX2_polyvec_frombytes(pk, packedpk); for (i = 0; i < KYBER_SYMBYTES; i++) { seed[i] = packedpk[i + KYBER_POLYVECBYTES]; 
@@ -133,8 +133,8 @@ static unsigned int rej_uniform(int16_t *r, unsigned int len, const uint8_t *buf, unsigned int buflen) { - unsigned int ctr = 0, pos = 0; - uint16_t val = 0; + unsigned int ctr, pos; + uint16_t val; ctr = pos = 0; while (ctr < len && pos + 2 <= buflen) { @@ -168,7 +168,7 @@ static unsigned int rej_uniform(int16_t *r, #define GEN_MATRIX_NBLOCKS ((2*KYBER_N*(1U << 16)/(19*KYBER_Q) \ + XOF_BLOCKBYTES)/XOF_BLOCKBYTES) void PQCLEAN_KYBER76890S_AVX2_gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed) { - unsigned int ctr = 0, i = 0, j = 0; + unsigned int ctr, i, j; ALIGN16_TYPE(uint64_t) nonce = {.orig = 0}; ALIGN32_ARRAY(uint8_t, GEN_MATRIX_NBLOCKS * XOF_BLOCKBYTES) buf; aes256ctr_ctx state; @@ -211,7 +211,7 @@ void PQCLEAN_KYBER76890S_AVX2_gen_matrix(polyvec *a, const uint8_t seed[KYBER_SY **************************************************/ void PQCLEAN_KYBER76890S_AVX2_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]) { - unsigned int i = 0; + unsigned int i; ALIGN32_ARRAY(uint8_t, 2 * KYBER_SYMBYTES) buf; const uint8_t *publicseed = buf.arr; const uint8_t *noiseseed = buf.arr + KYBER_SYMBYTES; @@ -276,7 +276,7 @@ void PQCLEAN_KYBER76890S_AVX2_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], const uint8_t m[KYBER_INDCPA_MSGBYTES], const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], const uint8_t coins[KYBER_SYMBYTES]) { - unsigned int i = 0; + unsigned int i; ALIGN32_ARRAY(uint8_t, KYBER_SYMBYTES) seed; polyvec sp, pkpv, ep, at[KYBER_K], bp; poly v, k, epp; diff --git a/crypto_kem/kyber768-90s/avx2/indcpa.h b/crypto_kem/kyber768-90s/avx2/indcpa.h index 27686743..5f37f2ed 100644 --- a/crypto_kem/kyber768-90s/avx2/indcpa.h +++ b/crypto_kem/kyber768-90s/avx2/indcpa.h 
@@ -1,16 +1,20 @@ #ifndef PQCLEAN_KYBER76890S_AVX2_INDCPA_H #define PQCLEAN_KYBER76890S_AVX2_INDCPA_H - #include "params.h" #include "polyvec.h" #include void PQCLEAN_KYBER76890S_AVX2_gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed); +void PQCLEAN_KYBER76890S_AVX2_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], + uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); -void PQCLEAN_KYBER76890S_AVX2_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); +void PQCLEAN_KYBER76890S_AVX2_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], + const uint8_t m[KYBER_INDCPA_MSGBYTES], + const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], + const uint8_t coins[KYBER_SYMBYTES]); -void PQCLEAN_KYBER76890S_AVX2_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], const uint8_t m[KYBER_INDCPA_MSGBYTES], const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], const uint8_t coins[KYBER_SYMBYTES]); - -void PQCLEAN_KYBER76890S_AVX2_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES], const uint8_t c[KYBER_INDCPA_BYTES], const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); +void PQCLEAN_KYBER76890S_AVX2_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES], + const uint8_t c[KYBER_INDCPA_BYTES], + const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); #endif diff --git a/crypto_kem/kyber768-90s/avx2/invntt.S b/crypto_kem/kyber768-90s/avx2/invntt.S index b7c786e6..42e82545 100644 --- a/crypto_kem/kyber768-90s/avx2/invntt.S +++ b/crypto_kem/kyber768-90s/avx2/invntt.S @@ -1,4 +1,4 @@ -#include "cdecl.inc" +#include "cdecl.h" .include "shuffle.inc" .include "fq.inc" @@ -210,7 +210,9 @@ vmovdqa %ymm7,224(%rdi) ret .global cdecl(PQCLEAN_KYBER76890S_AVX2_invntt_avx) +.global _cdecl(PQCLEAN_KYBER76890S_AVX2_invntt_avx) cdecl(PQCLEAN_KYBER76890S_AVX2_invntt_avx): +_cdecl(PQCLEAN_KYBER76890S_AVX2_invntt_avx): #consts vmovdqa _16XQ*2(%rsi),%ymm0 mov %rsi,%rdx diff --git a/crypto_kem/kyber768-90s/avx2/kem.c b/crypto_kem/kyber768-90s/avx2/kem.c index cabbbdbe..04a3b412 100644 
--- a/crypto_kem/kyber768-90s/avx2/kem.c +++ b/crypto_kem/kyber768-90s/avx2/kem.c @@ -8,7 +8,6 @@ #include #include - /************************************************* * Name: PQCLEAN_KYBER76890S_AVX2_crypto_kem_keypair * @@ -23,7 +22,7 @@ * Returns 0 (success) **************************************************/ int PQCLEAN_KYBER76890S_AVX2_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) { - size_t i = 0; + size_t i; PQCLEAN_KYBER76890S_AVX2_indcpa_keypair(pk, sk); for (i = 0; i < KYBER_INDCPA_PUBLICKEYBYTES; i++) { sk[i + KYBER_INDCPA_SECRETKEYBYTES] = pk[i]; @@ -94,8 +93,8 @@ int PQCLEAN_KYBER76890S_AVX2_crypto_kem_enc(unsigned char *ct, int PQCLEAN_KYBER76890S_AVX2_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) { - size_t i = 0; - int fail = 0; + size_t i; + int fail; ALIGN32_ARRAY(uint8_t, 2 * KYBER_SYMBYTES) buf; /* Will contain key, coins */ ALIGN32_ARRAY(uint8_t, 2 * KYBER_SYMBYTES) kr; @@ -119,7 +118,7 @@ int PQCLEAN_KYBER76890S_AVX2_crypto_kem_dec(unsigned char *ss, hash_h(kr.arr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); /* Overwrite pre-k with z on re-encryption failure */ - PQCLEAN_KYBER76890S_AVX2_cmov(kr.arr, sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES, fail); + PQCLEAN_KYBER76890S_AVX2_cmov(kr.arr, sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES, (uint8_t)fail); /* hash concatenation of pre-k and H(c) to k */ kdf(ss, kr.arr, 2 * KYBER_SYMBYTES); diff --git a/crypto_kem/kyber768-90s/avx2/kem.h b/crypto_kem/kyber768-90s/avx2/kem.h index f34e549e..0bc9cf68 100644 --- a/crypto_kem/kyber768-90s/avx2/kem.h +++ b/crypto_kem/kyber768-90s/avx2/kem.h 
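Review bot: The narrowing cast in `PQCLEAN_KYBER76890S_AVX2_cmov(kr.arr, sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES, (uint8_t)fail);` is only sound because `fail` is exactly 0 or 1: if the AVX2 `cmov` builds its mask the way the clean `verify.c` hunk does (`b = -b`), any other value would yield a partial mask that mixes the two candidate keys bit by bit, and nothing at the call site records that dependency. A comment on the call, `/* fail is 0 or 1 from verify(); cmov's mask accepts no other value */`, would document the contract the cast relies on. `fail` is assigned outside the hunk, in the part of `crypto_kem_dec` that is not shown.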
@@ -1,17 +1,14 @@ #ifndef PQCLEAN_KYBER76890S_AVX2_KEM_H #define PQCLEAN_KYBER76890S_AVX2_KEM_H - #include "params.h" int PQCLEAN_KYBER76890S_AVX2_crypto_kem_keypair(unsigned char *pk, unsigned char *sk); - int PQCLEAN_KYBER76890S_AVX2_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk); - int PQCLEAN_KYBER76890S_AVX2_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk); diff --git a/crypto_kem/kyber768-90s/avx2/ntt.S b/crypto_kem/kyber768-90s/avx2/ntt.S index 45b8a6a5..1f62b2a6 100644 --- a/crypto_kem/kyber768-90s/avx2/ntt.S +++ b/crypto_kem/kyber768-90s/avx2/ntt.S @@ -1,4 +1,4 @@ -#include "cdecl.inc" +#include "cdecl.h" .include "shuffle.inc" .include "fq.inc" @@ -203,7 +203,9 @@ vmovdqa %ymm11,224(%rdi) ret .global cdecl(PQCLEAN_KYBER76890S_AVX2_ntt_avx) +.global _cdecl(PQCLEAN_KYBER76890S_AVX2_ntt_avx) cdecl(PQCLEAN_KYBER76890S_AVX2_ntt_avx): +_cdecl(PQCLEAN_KYBER76890S_AVX2_ntt_avx): #consts vmovdqa _16XQ*2(%rsi),%ymm0 mov %rsi,%rdx diff --git a/crypto_kem/kyber768-90s/avx2/ntt.h b/crypto_kem/kyber768-90s/avx2/ntt.h index 2184fa6f..2148419b 100644 --- a/crypto_kem/kyber768-90s/avx2/ntt.h +++ b/crypto_kem/kyber768-90s/avx2/ntt.h 
@@ -1,28 +1,24 @@ -#ifndef NTT_H -#define NTT_H - +#ifndef PQCLEAN_KYBER76890S_AVX2_NTT_H +#define PQCLEAN_KYBER76890S_AVX2_NTT_H #include "consts.h" -#include "params.h" #include - void PQCLEAN_KYBER76890S_AVX2_ntt_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER76890S_AVX2_qdata); - void PQCLEAN_KYBER76890S_AVX2_invntt_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER76890S_AVX2_qdata); - -void nttpack_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER76890S_AVX2_qdata); - +void PQCLEAN_KYBER76890S_AVX2_nttpack_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER76890S_AVX2_qdata); void PQCLEAN_KYBER76890S_AVX2_nttunpack_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER76890S_AVX2_qdata); - -void PQCLEAN_KYBER76890S_AVX2_basemul_avx(int16_t *r, const int16_t *a, const int16_t *b, const qdata_t *PQCLEAN_KYBER76890S_AVX2_qdata); - -void PQCLEAN_KYBER76890S_AVX2_basemul_acc_avx(int16_t *r, const int16_t *a, const int16_t *b, const qdata_t *PQCLEAN_KYBER76890S_AVX2_qdata); - +void PQCLEAN_KYBER76890S_AVX2_basemul_avx(int16_t *r, + const int16_t *a, + const int16_t *b, + const qdata_t *PQCLEAN_KYBER76890S_AVX2_qdata); +void PQCLEAN_KYBER76890S_AVX2_basemul_acc_avx(int16_t *r, + const int16_t *a, + const int16_t *b, + const qdata_t *PQCLEAN_KYBER76890S_AVX2_qdata); void PQCLEAN_KYBER76890S_AVX2_ntttobytes_avx(uint8_t *r, const int16_t *a, const qdata_t *PQCLEAN_KYBER76890S_AVX2_qdata); - void PQCLEAN_KYBER76890S_AVX2_nttfrombytes_avx(int16_t *r, const uint8_t *a, const qdata_t *PQCLEAN_KYBER76890S_AVX2_qdata); #endif diff --git a/crypto_kem/kyber768-90s/avx2/params.h b/crypto_kem/kyber768-90s/avx2/params.h index 20acde49..72a2e0fe 100644 --- a/crypto_kem/kyber768-90s/avx2/params.h +++ b/crypto_kem/kyber768-90s/avx2/params.h @@ -1,6 +1,9 @@ #ifndef PQCLEAN_KYBER76890S_AVX2_PARAMS_H #define PQCLEAN_KYBER76890S_AVX2_PARAMS_H + + + #define KYBER_N 256 #define KYBER_Q 3329 diff --git a/crypto_kem/kyber768-90s/avx2/poly.c b/crypto_kem/kyber768-90s/avx2/poly.c index 6653818b..db0b0ff2 100644 
--- a/crypto_kem/kyber768-90s/avx2/poly.c +++ b/crypto_kem/kyber768-90s/avx2/poly.c @@ -19,7 +19,7 @@ * - poly *a: pointer to input polynomial **************************************************/ void PQCLEAN_KYBER76890S_AVX2_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], poly *restrict a) { - unsigned int i = 0, j = 0; + unsigned int i, j; uint8_t t[8]; PQCLEAN_KYBER76890S_AVX2_poly_csubq(a); @@ -49,7 +49,7 @@ void PQCLEAN_KYBER76890S_AVX2_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES] **************************************************/ void PQCLEAN_KYBER76890S_AVX2_poly_decompress(poly *restrict r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_N / 2; i++) { r->coeffs[2 * i + 0] = (((uint16_t)(a[0] & 15) * KYBER_Q) + 8) >> 4; @@ -101,7 +101,7 @@ void PQCLEAN_KYBER76890S_AVX2_poly_frommsg(poly *restrict r, const __m256i hqs = _mm256_set1_epi16((KYBER_Q + 1) / 2); #define FROMMSG64(i) \ - g3 = _mm256_shuffle_epi32(f,0x55*(i)); \ + g3 = _mm256_shuffle_epi32(f,0x55*(i)); \ g3 = _mm256_sllv_epi32(g3,shift); \ g3 = _mm256_shuffle_epi8(g3,idx); \ g0 = _mm256_slli_epi16(g3,12); \ @@ -123,9 +123,9 @@ void PQCLEAN_KYBER76890S_AVX2_poly_frommsg(poly *restrict r, g2 = _mm256_permute2x128_si256(h0,h1,0x31); \ g1 = _mm256_permute2x128_si256(h2,h3,0x20); \ g3 = _mm256_permute2x128_si256(h2,h3,0x31); \ - _mm256_store_si256((__m256i *)&r->coeffs[ 0+32*(i)+ 0],g0); \ - _mm256_store_si256((__m256i *)&r->coeffs[ 0+32*(i)+16],g1); \ - _mm256_store_si256((__m256i *)&r->coeffs[128+32*(i)+ 0],g2); \ + _mm256_store_si256((__m256i *)&r->coeffs[ 0+32*(i)+ 0],g0); \ + _mm256_store_si256((__m256i *)&r->coeffs[ 0+32*(i)+16],g1); \ + _mm256_store_si256((__m256i *)&r->coeffs[128+32*(i)+ 0],g2); \ _mm256_store_si256((__m256i *)&r->coeffs[128+32*(i)+16],g3) f = _mm256_load_si256((__m256i *)msg); 
@@ -144,8 +144,8 @@ void PQCLEAN_KYBER76890S_AVX2_poly_frommsg(poly *restrict r, * - poly *a: pointer to input polynomial **************************************************/ void PQCLEAN_KYBER76890S_AVX2_poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], poly *restrict a) { - unsigned int i = 0; - uint32_t small = 0; + unsigned int i; + uint32_t small; __m256i f0, f1, g0, g1; const __m256i hqs = _mm256_set1_epi16((KYBER_Q - 1) / 2); const __m256i hhqs = _mm256_set1_epi16((KYBER_Q - 5) / 4); @@ -280,7 +280,7 @@ void PQCLEAN_KYBER76890S_AVX2_poly_csubq(poly *r) { * - const poly *b: pointer to second input polynomial **************************************************/ void PQCLEAN_KYBER76890S_AVX2_poly_add(poly *r, const poly *a, const poly *b) { - unsigned int i = 0; + unsigned int i; __m256i f0, f1; for (i = 0; i < KYBER_N; i += 16) { @@ -301,7 +301,7 @@ void PQCLEAN_KYBER76890S_AVX2_poly_add(poly *r, const poly *a, const poly *b) { * - const poly *b: pointer to second input polynomial **************************************************/ void PQCLEAN_KYBER76890S_AVX2_poly_sub(poly *r, const poly *a, const poly *b) { - unsigned int i = 0; + unsigned int i; __m256i f0, f1; for (i = 0; i < KYBER_N; i += 16) { diff --git a/crypto_kem/kyber768-90s/avx2/poly.h b/crypto_kem/kyber768-90s/avx2/poly.h index fb2e94ef..03d799be 100644 --- a/crypto_kem/kyber768-90s/avx2/poly.h +++ b/crypto_kem/kyber768-90s/avx2/poly.h @@ -1,6 +1,5 @@ #ifndef PQCLEAN_KYBER76890S_AVX2_POLY_H #define PQCLEAN_KYBER76890S_AVX2_POLY_H - #include "params.h" #include #include 
@@ -14,43 +13,27 @@ typedef union { int16_t coeffs[KYBER_N]; } poly; - void PQCLEAN_KYBER76890S_AVX2_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], poly *a); - void PQCLEAN_KYBER76890S_AVX2_poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]); - void PQCLEAN_KYBER76890S_AVX2_poly_tobytes(uint8_t r[KYBER_POLYBYTES], poly *a); - void PQCLEAN_KYBER76890S_AVX2_poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]); - void PQCLEAN_KYBER76890S_AVX2_poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]); - void PQCLEAN_KYBER76890S_AVX2_poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], poly *a); - void PQCLEAN_KYBER76890S_AVX2_poly_getnoise(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce); - void PQCLEAN_KYBER76890S_AVX2_poly_ntt(poly *r); - void PQCLEAN_KYBER76890S_AVX2_poly_invntt_tomont(poly *r); - void PQCLEAN_KYBER76890S_AVX2_poly_nttunpack(poly *r); - void PQCLEAN_KYBER76890S_AVX2_poly_basemul_montgomery(poly *r, const poly *a, const poly *b); - void PQCLEAN_KYBER76890S_AVX2_poly_tomont(poly *r); - void PQCLEAN_KYBER76890S_AVX2_poly_reduce(poly *r); - void PQCLEAN_KYBER76890S_AVX2_poly_csubq(poly *r); - void PQCLEAN_KYBER76890S_AVX2_poly_add(poly *r, const poly *a, const poly *b); - void PQCLEAN_KYBER76890S_AVX2_poly_sub(poly *r, const poly *a, const poly *b); #endif diff --git a/crypto_kem/kyber768-90s/avx2/polyvec.c b/crypto_kem/kyber768-90s/avx2/polyvec.c index f61832b8..86af2e57 100644 --- a/crypto_kem/kyber768-90s/avx2/polyvec.c +++ b/crypto_kem/kyber768-90s/avx2/polyvec.c @@ -1,6 +1,6 @@ -#include "params.h" #include "consts.h" #include "ntt.h" +#include "params.h" #include "poly.h" #include "polyvec.h" #include @@ -16,7 +16,7 @@ **************************************************/ void PQCLEAN_KYBER76890S_AVX2_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], polyvec *restrict a) { - unsigned int i = 0, j = 0, k = 0; + size_t i, j, k; PQCLEAN_KYBER76890S_AVX2_polyvec_csubq(a); 
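Review bot: The `@@ -16,7 +16,7 @@` hunk switches `polyvec_compress`'s loop indices to `size_t i, j, k;`, while the same commit keeps `unsigned int` for the identical loops in the clean `polyvec.c` and in this directory's `poly.c` (`unsigned int i, j;` in `poly_compress`); the clean and avx2 implementations are routinely diffed against each other, so the type divergence is noise rather than a fix. Either type works on its own, but it should be the same across the poly/polyvec files of both implementations. The remaining `polyvec.c` hunks below carry the same change.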
@@ -24,10 +24,8 @@ void PQCLEAN_KYBER76890S_AVX2_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSED for (i = 0; i < KYBER_K; i++) { for (j = 0; j < KYBER_N / 4; j++) { for (k = 0; k < 4; k++) { - { - t[k] = ((((uint32_t)a->vec[i].coeffs[4 * j + k] << 10) + KYBER_Q / 2) - / KYBER_Q) & 0x3ff; - } + t[k] = ((((uint32_t)a->vec[i].coeffs[4 * j + k] << 10) + KYBER_Q / 2) + / KYBER_Q) & 0x3ff; } r[0] = (t[0] >> 0); @@ -52,7 +50,7 @@ void PQCLEAN_KYBER76890S_AVX2_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSED **************************************************/ void PQCLEAN_KYBER76890S_AVX2_polyvec_decompress(polyvec *restrict r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]) { - unsigned int i = 0, j = 0, k = 0; + size_t i, j, k; uint16_t t[4]; for (i = 0; i < KYBER_K; i++) { @@ -80,7 +78,7 @@ void PQCLEAN_KYBER76890S_AVX2_polyvec_decompress(polyvec *restrict r, * - polyvec *a: pointer to input vector of polynomials **************************************************/ void PQCLEAN_KYBER76890S_AVX2_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], polyvec *a) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER76890S_AVX2_poly_tobytes(r + i * KYBER_POLYBYTES, &a->vec[i]); } @@ -97,7 +95,7 @@ void PQCLEAN_KYBER76890S_AVX2_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], pol * (of length KYBER_POLYVECBYTES) **************************************************/ void PQCLEAN_KYBER76890S_AVX2_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER76890S_AVX2_poly_frombytes(&r->vec[i], a + i * KYBER_POLYBYTES); } 
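Review bot: The re-indented rounding line `t[k] = ((((uint32_t)a->vec[i].coeffs[4 * j + k] << 10) + KYBER_Q / 2) / KYBER_Q) & 0x3ff;` still divides a secret-dependent numerator by KYBER_Q; the commit only drops the redundant braces around it. Division by a compile-time constant is normally strength-reduced to a multiply, but that is a compiler choice rather than a guarantee, and polyvec_compress is on the re-encryption path of decapsulation, so a data-dependent divide here would leak timing keyed to the decrypted coins. Because the csubq call at the top of the function has already brought every coefficient into [0, KYBER_Q), the quotient can be computed exactly with a 64-bit multiply-and-shift that has no divide and no branch; an exhaustive comparison against the original expression over the 3329 possible inputs is cheap and worth keeping as a test. polyvec_compress's body continues past the hunk (the packing of t[] into r is not shown).
```c
/* … unchanged: csubq call, loop headers over i and j … */
            for (k = 0; k < 4; k++) {
                /* floor(((c << 10) + q/2) / q) for c in [0, q), without a divide:
                 * 1290167 / 2^32 approximates 1/3329 closely enough (together with
                 * the +1665 rounding term) to be exact on this input range. */
                uint64_t d0 = (uint64_t)a->vec[i].coeffs[4 * j + k];
                d0 <<= 10;
                d0 += 1665;
                d0 *= 1290167;
                d0 >>= 32;
                t[k] = (uint16_t)(d0 & 0x3ff);
            }
/* … unchanged: packing of t[0..3] into r … */
```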
@@ -111,7 +109,7 @@ void PQCLEAN_KYBER76890S_AVX2_polyvec_frombytes(polyvec *r, const uint8_t a[KYBE * Arguments: - polyvec *r: pointer to in/output vector of polynomials **************************************************/ void PQCLEAN_KYBER76890S_AVX2_polyvec_ntt(polyvec *r) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER76890S_AVX2_poly_ntt(&r->vec[i]); } @@ -126,7 +124,7 @@ void PQCLEAN_KYBER76890S_AVX2_polyvec_ntt(polyvec *r) { * Arguments: - polyvec *r: pointer to in/output vector of polynomials **************************************************/ void PQCLEAN_KYBER76890S_AVX2_polyvec_invntt_tomont(polyvec *r) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER76890S_AVX2_poly_invntt_tomont(&r->vec[i]); } @@ -145,7 +143,7 @@ void PQCLEAN_KYBER76890S_AVX2_polyvec_invntt_tomont(polyvec *r) { void PQCLEAN_KYBER76890S_AVX2_polyvec_pointwise_acc_montgomery(poly *r, const polyvec *a, const polyvec *b) { - PQCLEAN_KYBER76890S_AVX2_basemul_acc_avx(r->coeffs, a->vec->coeffs, b->vec->coeffs, &PQCLEAN_KYBER76890S_AVX2_qdata); + PQCLEAN_KYBER76890S_AVX2_basemul_acc_avx(r->coeffs, a->vec->coeffs, b->vec->coeffs, & PQCLEAN_KYBER76890S_AVX2_qdata); } /************************************************* @@ -158,7 +156,7 @@ void PQCLEAN_KYBER76890S_AVX2_polyvec_pointwise_acc_montgomery(poly *r, * Arguments: - poly *r: pointer to input/output polynomial **************************************************/ void PQCLEAN_KYBER76890S_AVX2_polyvec_reduce(polyvec *r) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER76890S_AVX2_poly_reduce(&r->vec[i]); } 
@@ -175,7 +173,7 @@ void PQCLEAN_KYBER76890S_AVX2_polyvec_reduce(polyvec *r) { * Arguments: - poly *r: pointer to input/output polynomial **************************************************/ void PQCLEAN_KYBER76890S_AVX2_polyvec_csubq(polyvec *r) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER76890S_AVX2_poly_csubq(&r->vec[i]); } @@ -191,7 +189,7 @@ void PQCLEAN_KYBER76890S_AVX2_polyvec_csubq(polyvec *r) { * - const polyvec *b: pointer to second input vector of polynomials **************************************************/ void PQCLEAN_KYBER76890S_AVX2_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER76890S_AVX2_poly_add(&r->vec[i], &a->vec[i], &b->vec[i]); } diff --git a/crypto_kem/kyber768-90s/avx2/polyvec.h b/crypto_kem/kyber768-90s/avx2/polyvec.h index 386db8c1..0984febd 100644 --- a/crypto_kem/kyber768-90s/avx2/polyvec.h +++ b/crypto_kem/kyber768-90s/avx2/polyvec.h @@ -1,6 +1,5 @@ #ifndef PQCLEAN_KYBER76890S_AVX2_POLYVEC_H #define PQCLEAN_KYBER76890S_AVX2_POLYVEC_H - #include "params.h" #include "poly.h" #include 
@@ -9,33 +8,23 @@ typedef struct { poly vec[KYBER_K]; } polyvec; - void PQCLEAN_KYBER76890S_AVX2_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], polyvec *a); - void PQCLEAN_KYBER76890S_AVX2_polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]); - void PQCLEAN_KYBER76890S_AVX2_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], polyvec *a); - void PQCLEAN_KYBER76890S_AVX2_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]); - void PQCLEAN_KYBER76890S_AVX2_polyvec_ntt(polyvec *r); - void PQCLEAN_KYBER76890S_AVX2_polyvec_invntt_tomont(polyvec *r); - void PQCLEAN_KYBER76890S_AVX2_polyvec_pointwise_acc_montgomery(poly *r, const polyvec *a, const polyvec *b); - void PQCLEAN_KYBER76890S_AVX2_polyvec_reduce(polyvec *r); - void PQCLEAN_KYBER76890S_AVX2_polyvec_csubq(polyvec *r); - void PQCLEAN_KYBER76890S_AVX2_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b); #endif diff --git a/crypto_kem/kyber768-90s/avx2/reduce.h b/crypto_kem/kyber768-90s/avx2/reduce.h index db8eb984..334b851f 100644 --- a/crypto_kem/kyber768-90s/avx2/reduce.h +++ b/crypto_kem/kyber768-90s/avx2/reduce.h @@ -1,16 +1,10 @@ -#ifndef REDUCE_H -#define REDUCE_H - +#ifndef PQCLEAN_KYBER76890S_AVX2_REDUCE_H +#define PQCLEAN_KYBER76890S_AVX2_REDUCE_H +#include "consts.h" #include -#include "consts.h" -#include "params.h" - - int16_t PQCLEAN_KYBER76890S_AVX2_reduce_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER76890S_AVX2_qdata); - int16_t PQCLEAN_KYBER76890S_AVX2_csubq_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER76890S_AVX2_qdata); - int16_t PQCLEAN_KYBER76890S_AVX2_tomont_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER76890S_AVX2_qdata); #endif diff --git a/crypto_kem/kyber768-90s/avx2/rejsample.c b/crypto_kem/kyber768-90s/avx2/rejsample.c index c85eff40..bb78eaae 100644 --- a/crypto_kem/kyber768-90s/avx2/rejsample.c +++ b/crypto_kem/kyber768-90s/avx2/rejsample.c 
@@ -2,6 +2,7 @@ #include "consts.h" #include "params.h" #include "rejsample.h" +#include #include static const ALIGN32_ARRAY_2D(uint8_t, 256, 8) idx = {.arr = { @@ -270,9 +271,9 @@ static const ALIGN32_ARRAY_2D(uint8_t, 256, 8) idx = {.arr = { #define REJ_UNIFORM_BUFLEN 576 unsigned int PQCLEAN_KYBER76890S_AVX2_rej_uniform_avx(int16_t *restrict r, const uint8_t *restrict buf) { - unsigned int ctr = 0, pos = 0; - uint16_t val = 0; - uint32_t good = 0; + unsigned int ctr, pos; + uint16_t val; + uint32_t good; const __m256i bound = _mm256_set1_epi16((int16_t)(19 * KYBER_Q - 1)); const __m256i ones = _mm256_set1_epi8(1); const __m256i kyberq = _mm256_load_si256((__m256i *)&PQCLEAN_KYBER76890S_AVX2_qdata.as_arr[_16XQ]); @@ -297,7 +298,7 @@ unsigned int PQCLEAN_KYBER76890S_AVX2_rej_uniform_avx(int16_t *restrict r, g1 = _mm256_inserti128_si256(g1, _mm_loadl_epi64((__m128i *)&idx.arr[(good >> 24) & 0xFF]), 1); //g0 = _mm256_cvtepu8_epi64(_mm_loadl_epi64((__m128i *)&good)); - //g1 = _mm256_i64gather_epi64((long long *)idx, g0, 8); + //g1 = _mm256_i64gather_epi64((long long *)idx.arr, g0, 8); /* Barrett reduction of (still unsigned) values */ g2 = _mm256_mulhi_epu16(f0, v); diff --git a/crypto_kem/kyber768-90s/avx2/rejsample.h b/crypto_kem/kyber768-90s/avx2/rejsample.h index 3fe092a9..49f47d57 100644 --- a/crypto_kem/kyber768-90s/avx2/rejsample.h +++ b/crypto_kem/kyber768-90s/avx2/rejsample.h @@ -1,10 +1,8 @@ -#ifndef REJSAMPLE_H -#define REJSAMPLE_H - +#ifndef PQCLEAN_KYBER76890S_AVX2_REJSAMPLE_H +#define PQCLEAN_KYBER76890S_AVX2_REJSAMPLE_H #include "params.h" #include - unsigned int PQCLEAN_KYBER76890S_AVX2_rej_uniform_avx(int16_t *r, const unsigned char *buf); diff --git a/crypto_kem/kyber768-90s/avx2/shuffle.S b/crypto_kem/kyber768-90s/avx2/shuffle.S index d4b097c9..31e7c7c2 100644 --- a/crypto_kem/kyber768-90s/avx2/shuffle.S +++ b/crypto_kem/kyber768-90s/avx2/shuffle.S @@ -1,4 +1,4 @@ -#include "cdecl.inc" +#include "cdecl.h" .include "fq.inc" .include "shuffle.inc" 
@@ -92,7 +92,9 @@ vmovdqa %ymm11,224(%rdi) ret .global cdecl(PQCLEAN_KYBER76890S_AVX2_nttunpack_avx) +.global _cdecl(PQCLEAN_KYBER76890S_AVX2_nttunpack_avx) cdecl(PQCLEAN_KYBER76890S_AVX2_nttunpack_avx): +_cdecl(PQCLEAN_KYBER76890S_AVX2_nttunpack_avx): call nttunpack128_avx add $256,%rdi call nttunpack128_avx @@ -169,7 +171,9 @@ vmovdqu %ymm9,160(%rdi) ret .global cdecl(PQCLEAN_KYBER76890S_AVX2_ntttobytes_avx) +.global _cdecl(PQCLEAN_KYBER76890S_AVX2_ntttobytes_avx) cdecl(PQCLEAN_KYBER76890S_AVX2_ntttobytes_avx): +_cdecl(PQCLEAN_KYBER76890S_AVX2_ntttobytes_avx): #consts vmovdqa _16XQ*2(%rdx),%ymm0 call ntttobytes128_avx @@ -245,7 +249,9 @@ vmovdqa %ymm1,224(%rdi) ret .global cdecl(PQCLEAN_KYBER76890S_AVX2_nttfrombytes_avx) +.global _cdecl(PQCLEAN_KYBER76890S_AVX2_nttfrombytes_avx) cdecl(PQCLEAN_KYBER76890S_AVX2_nttfrombytes_avx): +_cdecl(PQCLEAN_KYBER76890S_AVX2_nttfrombytes_avx): #consts vmovdqa _16XMASK*2(%rdx),%ymm0 call nttfrombytes128_avx diff --git a/crypto_kem/kyber768-90s/avx2/symmetric.h b/crypto_kem/kyber768-90s/avx2/symmetric.h index de4cbb63..cd0f7687 100644 --- a/crypto_kem/kyber768-90s/avx2/symmetric.h +++ b/crypto_kem/kyber768-90s/avx2/symmetric.h @@ -1,13 +1,12 @@ -#ifndef SYMMETRIC_H -#define SYMMETRIC_H - +#ifndef PQCLEAN_KYBER76890S_AVX2_SYMMETRIC_H +#define PQCLEAN_KYBER76890S_AVX2_SYMMETRIC_H +#include "aes256ctr.h" #include "params.h" +#include "sha2.h" #include #include -#include "aes256ctr.h" -#include "sha2.h" typedef aes256ctr_ctx xof_state; diff --git a/crypto_kem/kyber768-90s/avx2/verify.c b/crypto_kem/kyber768-90s/avx2/verify.c index 41469aed..2117bea7 100644 --- a/crypto_kem/kyber768-90s/avx2/verify.c +++ b/crypto_kem/kyber768-90s/avx2/verify.c 
@@ -15,8 +15,8 @@ * Returns 0 if the byte arrays are equal, 1 otherwise **************************************************/ int PQCLEAN_KYBER76890S_AVX2_verify(const uint8_t *a, const uint8_t *b, size_t len) { - size_t pos = 0; - uint64_t r = 0; + size_t pos; + uint64_t r; __m256i avec, bvec, cvec; cvec = _mm256_setzero_si256(); @@ -53,7 +53,7 @@ int PQCLEAN_KYBER76890S_AVX2_verify(const uint8_t *a, const uint8_t *b, size_t l * unsigned char b: Condition bit; has to be in {0,1} **************************************************/ void PQCLEAN_KYBER76890S_AVX2_cmov(uint8_t *restrict r, const uint8_t *restrict x, size_t len, uint8_t b) { - size_t pos = 0; + size_t pos; __m256i xvec, rvec, bvec; b = -b; diff --git a/crypto_kem/kyber768-90s/avx2/verify.h b/crypto_kem/kyber768-90s/avx2/verify.h index 40e0da15..2b556e54 100644 --- a/crypto_kem/kyber768-90s/avx2/verify.h +++ b/crypto_kem/kyber768-90s/avx2/verify.h @@ -1,14 +1,11 @@ #ifndef PQCLEAN_KYBER76890S_AVX2_VERIFY_H #define PQCLEAN_KYBER76890S_AVX2_VERIFY_H - #include "params.h" #include #include - int PQCLEAN_KYBER76890S_AVX2_verify(const uint8_t *a, const uint8_t *b, size_t len); - void PQCLEAN_KYBER76890S_AVX2_cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b); #endif diff --git a/crypto_kem/kyber768-90s/clean/Makefile b/crypto_kem/kyber768-90s/clean/Makefile index ce63bd78..8b223086 100644 --- a/crypto_kem/kyber768-90s/clean/Makefile +++ b/crypto_kem/kyber768-90s/clean/Makefile 
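Review bot: `b = -b;` in cmov only produces an all-ones or all-zeros mask when b is exactly 0 or 1, which the header comment requires but nothing in the function checks; any other value (e.g. 2 becomes 0xFE) gives a partial mask that copies some bits of x and keeps others of r, silently blending the two key candidates. The hunk itself only drops the `= 0` initializer on pos, so this is pre-existing, but while the declarations are being touched `b = (uint8_t)(-(b & 1));` gives the same mask for 0 and 1 and never a partial one, at no cost in constant-time behaviour. In verify, `uint64_t r;` is now uninitialized and must be assigned from the accumulated compare mask before the return; that assignment is outside the hunk and worth confirming. Both function bodies continue past the hunk.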
@@ -1,29 +1,8 @@ # This Makefile can be used with GNU Make or BSD Make LIB=libkyber768-90s_clean.a -HEADERS= \ - api.h \ - cbd.h \ - indcpa.h \ - kem.h \ - ntt.h \ - params.h \ - poly.h \ - polyvec.h \ - reduce.h \ - symmetric-aes.h \ - symmetric.h \ - verify.h -OBJECTS= \ - cbd.o \ - indcpa.o \ - kem.o \ - ntt.o \ - poly.o \ - polyvec.o \ - reduce.o \ - verify.o \ - symmetric-aes.o +HEADERS=api.h cbd.h indcpa.h kem.h ntt.h params.h poly.h polyvec.h reduce.h symmetric-aes.h symmetric.h verify.h +OBJECTS=cbd.o indcpa.o kem.o ntt.o poly.o polyvec.o reduce.o symmetric-aes.o verify.o CFLAGS=-O3 -Wall -Wextra -Wpedantic -Werror -Wmissing-prototypes -Wredundant-decls -std=c99 -I../../../common $(EXTRAFLAGS) diff --git a/crypto_kem/kyber768-90s/clean/Makefile.Microsoft_nmake b/crypto_kem/kyber768-90s/clean/Makefile.Microsoft_nmake index 56fe18a7..381f983f 100644 --- a/crypto_kem/kyber768-90s/clean/Makefile.Microsoft_nmake +++ b/crypto_kem/kyber768-90s/clean/Makefile.Microsoft_nmake @@ -2,7 +2,7 @@ # nmake /f Makefile.Microsoft_nmake LIBRARY=libkyber768-90s_clean.lib -OBJECTS=cbd.obj indcpa.obj kem.obj ntt.obj poly.obj polyvec.obj reduce.obj verify.obj symmetric-aes.obj +OBJECTS=cbd.obj indcpa.obj kem.obj ntt.obj poly.obj polyvec.obj reduce.obj symmetric-aes.obj verify.obj # Warning C4146 is raised when a unary minus operator is applied to an # unsigned type; this has nonetheless been standard and portable for as diff --git a/crypto_kem/kyber768-90s/clean/api.h b/crypto_kem/kyber768-90s/clean/api.h index 079f1641..d45b646b 100644 --- a/crypto_kem/kyber768-90s/clean/api.h +++ b/crypto_kem/kyber768-90s/clean/api.h @@ -15,5 +15,4 @@ int PQCLEAN_KYBER76890S_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uin int PQCLEAN_KYBER76890S_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - #endif diff --git a/crypto_kem/kyber768-90s/clean/cbd.c b/crypto_kem/kyber768-90s/clean/cbd.c index 993e8fa6..7d527ffb 100644 --- a/crypto_kem/kyber768-90s/clean/cbd.c 
+++ b/crypto_kem/kyber768-90s/clean/cbd.c @@ -1,5 +1,5 @@ -#include "params.h" #include "cbd.h" +#include "params.h" #include /************************************************* @@ -13,7 +13,7 @@ * Returns 32-bit unsigned integer loaded from x **************************************************/ static uint32_t load32_littleendian(const uint8_t x[4]) { - uint32_t r = 0; + uint32_t r; r = (uint32_t)x[0]; r |= (uint32_t)x[1] << 8; r |= (uint32_t)x[2] << 16; @@ -32,9 +32,9 @@ static uint32_t load32_littleendian(const uint8_t x[4]) { * - const uint8_t *buf: pointer to input byte array **************************************************/ void PQCLEAN_KYBER76890S_CLEAN_cbd(poly *r, const uint8_t buf[KYBER_ETA * KYBER_N / 4]) { - unsigned int i = 0, j = 0; - uint32_t t = 0, d = 0; - int16_t a = 0, b = 0; + unsigned int i, j; + uint32_t t, d; + int16_t a, b; for (i = 0; i < KYBER_N / 8; i++) { t = load32_littleendian(buf + 4 * i); diff --git a/crypto_kem/kyber768-90s/clean/cbd.h b/crypto_kem/kyber768-90s/clean/cbd.h index bb651eb0..41007b06 100644 --- a/crypto_kem/kyber768-90s/clean/cbd.h +++ b/crypto_kem/kyber768-90s/clean/cbd.h @@ -1,11 +1,9 @@ #ifndef PQCLEAN_KYBER76890S_CLEAN_CBD_H #define PQCLEAN_KYBER76890S_CLEAN_CBD_H - #include "params.h" #include "poly.h" #include - void PQCLEAN_KYBER76890S_CLEAN_cbd(poly *r, const uint8_t buf[KYBER_ETA * KYBER_N / 4]); #endif diff --git a/crypto_kem/kyber768-90s/clean/indcpa.c b/crypto_kem/kyber768-90s/clean/indcpa.c index a83f91da..57abc00f 100644 --- a/crypto_kem/kyber768-90s/clean/indcpa.c +++ b/crypto_kem/kyber768-90s/clean/indcpa.c @@ -22,7 +22,7 @@ static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES], polyvec *pk, const uint8_t seed[KYBER_SYMBYTES]) { - size_t i = 0; + size_t i; PQCLEAN_KYBER76890S_CLEAN_polyvec_tobytes(r, pk); for (i = 0; i < KYBER_SYMBYTES; i++) { r[i + KYBER_POLYVECBYTES] = seed[i]; 
@@ -44,7 +44,7 @@ static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES], static void unpack_pk(polyvec *pk, uint8_t seed[KYBER_SYMBYTES], const uint8_t packedpk[KYBER_INDCPA_PUBLICKEYBYTES]) { - size_t i = 0; + size_t i; PQCLEAN_KYBER76890S_CLEAN_polyvec_frombytes(pk, packedpk); for (i = 0; i < KYBER_SYMBYTES; i++) { seed[i] = packedpk[i + KYBER_POLYVECBYTES]; @@ -132,8 +132,8 @@ static unsigned int rej_uniform(int16_t *r, unsigned int len, const uint8_t *buf, unsigned int buflen) { - unsigned int ctr = 0, pos = 0; - uint16_t val = 0; + unsigned int ctr, pos; + uint16_t val; ctr = pos = 0; while (ctr < len && pos + 2 <= buflen) { @@ -169,8 +169,7 @@ static unsigned int rej_uniform(int16_t *r, + XOF_BLOCKBYTES)/XOF_BLOCKBYTES) // Not static for benchmarking void PQCLEAN_KYBER76890S_CLEAN_gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed) { - unsigned int ctr = 0; - uint8_t i = 0, j = 0; + unsigned int ctr, i, j; uint8_t buf[GEN_MATRIX_NBLOCKS * XOF_BLOCKBYTES]; xof_state state; @@ -208,7 +207,7 @@ void PQCLEAN_KYBER76890S_CLEAN_gen_matrix(polyvec *a, const uint8_t seed[KYBER_S **************************************************/ void PQCLEAN_KYBER76890S_CLEAN_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]) { - unsigned int i = 0; + unsigned int i; uint8_t buf[2 * KYBER_SYMBYTES]; const uint8_t *publicseed = buf; const uint8_t *noiseseed = buf + KYBER_SYMBYTES; @@ -264,7 +263,7 @@ void PQCLEAN_KYBER76890S_CLEAN_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], const uint8_t m[KYBER_INDCPA_MSGBYTES], const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], const uint8_t coins[KYBER_SYMBYTES]) { - unsigned int i = 0; + unsigned int i; uint8_t seed[KYBER_SYMBYTES]; uint8_t nonce = 0; polyvec sp, pkpv, ep, at[KYBER_K], bp; diff --git a/crypto_kem/kyber768-90s/clean/indcpa.h b/crypto_kem/kyber768-90s/clean/indcpa.h index 85782d60..ac4d8c4a 100644 --- a/crypto_kem/kyber768-90s/clean/indcpa.h 
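Review bot: gen_matrix's `unsigned int ctr, i, j;` replaces `uint8_t i, j;`, and i and j are the row/column indices that, beyond this hunk, are passed to the XOF as one-byte domain-separation nonces, so that call site now narrows implicitly. With KYBER_K at most 4 nothing is lost, but the declaration no longer shows that these values are byte-sized protocol inputs; a cast at the absorb call or a one-line comment such as `/* i, j double as the 8-bit XOF nonces; KYBER_K < 256 keeps the narrowing lossless */` keeps that visible. The XOF call is inferred from the function's role rather than shown here; the rest of gen_matrix lies past the hunk.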
+++ b/crypto_kem/kyber768-90s/clean/indcpa.h @@ -1,16 +1,20 @@ #ifndef PQCLEAN_KYBER76890S_CLEAN_INDCPA_H #define PQCLEAN_KYBER76890S_CLEAN_INDCPA_H - #include "params.h" #include "polyvec.h" #include void PQCLEAN_KYBER76890S_CLEAN_gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed); +void PQCLEAN_KYBER76890S_CLEAN_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], + uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); -void PQCLEAN_KYBER76890S_CLEAN_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); +void PQCLEAN_KYBER76890S_CLEAN_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], + const uint8_t m[KYBER_INDCPA_MSGBYTES], + const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], + const uint8_t coins[KYBER_SYMBYTES]); -void PQCLEAN_KYBER76890S_CLEAN_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], const uint8_t m[KYBER_INDCPA_MSGBYTES], const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], const uint8_t coins[KYBER_SYMBYTES]); - -void PQCLEAN_KYBER76890S_CLEAN_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES], const uint8_t c[KYBER_INDCPA_BYTES], const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); +void PQCLEAN_KYBER76890S_CLEAN_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES], + const uint8_t c[KYBER_INDCPA_BYTES], + const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); #endif diff --git a/crypto_kem/kyber768-90s/clean/kem.c b/crypto_kem/kyber768-90s/clean/kem.c index 09710069..528d5080 100644 --- a/crypto_kem/kyber768-90s/clean/kem.c +++ b/crypto_kem/kyber768-90s/clean/kem.c @@ -21,7 +21,7 @@ * Returns 0 (success) **************************************************/ int PQCLEAN_KYBER76890S_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) { - size_t i = 0; + size_t i; PQCLEAN_KYBER76890S_CLEAN_indcpa_keypair(pk, sk); for (i = 0; i < KYBER_INDCPA_PUBLICKEYBYTES; i++) { sk[i + KYBER_INDCPA_SECRETKEYBYTES] = pk[i]; 
@@ -92,8 +92,8 @@ int PQCLEAN_KYBER76890S_CLEAN_crypto_kem_enc(unsigned char *ct, int PQCLEAN_KYBER76890S_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) { - size_t i = 0; - int fail = 0; + size_t i; + int fail; uint8_t buf[2 * KYBER_SYMBYTES]; /* Will contain key, coins */ uint8_t kr[2 * KYBER_SYMBYTES]; diff --git a/crypto_kem/kyber768-90s/clean/kem.h b/crypto_kem/kyber768-90s/clean/kem.h index 6548f8ec..bfe7609a 100644 --- a/crypto_kem/kyber768-90s/clean/kem.h +++ b/crypto_kem/kyber768-90s/clean/kem.h @@ -1,17 +1,14 @@ #ifndef PQCLEAN_KYBER76890S_CLEAN_KEM_H #define PQCLEAN_KYBER76890S_CLEAN_KEM_H - #include "params.h" int PQCLEAN_KYBER76890S_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk); - int PQCLEAN_KYBER76890S_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk); - int PQCLEAN_KYBER76890S_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk); diff --git a/crypto_kem/kyber768-90s/clean/ntt.c b/crypto_kem/kyber768-90s/clean/ntt.c index 1d65a104..a51fd5b5 100644 --- a/crypto_kem/kyber768-90s/clean/ntt.c +++ b/crypto_kem/kyber768-90s/clean/ntt.c @@ -1,5 +1,5 @@ -#include "params.h" #include "ntt.h" +#include "params.h" #include "reduce.h" #include @@ -89,8 +89,8 @@ static int16_t fqmul(int16_t a, int16_t b) { * of Zq **************************************************/ void PQCLEAN_KYBER76890S_CLEAN_ntt(int16_t r[256]) { - unsigned int len = 0, start = 0, j = 0, k = 0; - int16_t t = 0, zeta = 0; + unsigned int len, start, j, k; + int16_t t, zeta; k = 1; for (len = 128; len >= 2; len >>= 1) { 
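Review bot: `int fail;` now leaves the decapsulation-failure flag unset until verify() assigns it, and the only consumer of that flag is the cmov that swaps the implicit-rejection key into kr, so any path that reached cmov without the assignment would hand out the key for a forged ciphertext. The assignment is not in this hunk (crypto_kem_dec continues past it), so this is a hardening note rather than a visible bug; a fail-closed default `int fail = 1; /* implicit rejection unless verify() clears it */` costs nothing and makes the safe outcome the default. Separately, `buf` and `kr` hold the decrypted coins and the pre-KDF shared secret, and nothing visible here wipes them before return; callers with a scrubbing requirement should not assume it happens inside this function.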
@@ -116,8 +116,8 @@ void PQCLEAN_KYBER76890S_CLEAN_ntt(int16_t r[256]) { * of Zq **************************************************/ void PQCLEAN_KYBER76890S_CLEAN_invntt(int16_t r[256]) { - unsigned int start = 0, len = 0, j = 0, k = 0; - int16_t t = 0, zeta = 0; + unsigned int start, len, j, k; + int16_t t, zeta; k = 0; for (len = 2; len <= 128; len <<= 1) { @@ -148,7 +148,10 @@ void PQCLEAN_KYBER76890S_CLEAN_invntt(int16_t r[256]) { * - const int16_t b[2]: pointer to the second factor * - int16_t zeta: integer defining the reduction polynomial **************************************************/ -void PQCLEAN_KYBER76890S_CLEAN_basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], int16_t zeta) { +void PQCLEAN_KYBER76890S_CLEAN_basemul(int16_t r[2], + const int16_t a[2], + const int16_t b[2], + int16_t zeta) { r[0] = fqmul(a[1], b[1]); r[0] = fqmul(r[0], zeta); r[0] += fqmul(a[0], b[0]); diff --git a/crypto_kem/kyber768-90s/clean/ntt.h b/crypto_kem/kyber768-90s/clean/ntt.h index cd5c868e..8a744408 100644 --- a/crypto_kem/kyber768-90s/clean/ntt.h +++ b/crypto_kem/kyber768-90s/clean/ntt.h @@ -1,22 +1,19 @@ #ifndef PQCLEAN_KYBER76890S_CLEAN_NTT_H #define PQCLEAN_KYBER76890S_CLEAN_NTT_H - #include "params.h" #include - extern const int16_t PQCLEAN_KYBER76890S_CLEAN_zetas[128]; - extern const int16_t PQCLEAN_KYBER76890S_CLEAN_zetas_inv[128]; - void PQCLEAN_KYBER76890S_CLEAN_ntt(int16_t r[256]); - void PQCLEAN_KYBER76890S_CLEAN_invntt(int16_t r[256]); - -void PQCLEAN_KYBER76890S_CLEAN_basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], int16_t zeta); +void PQCLEAN_KYBER76890S_CLEAN_basemul(int16_t r[2], + const int16_t a[2], + const int16_t b[2], + int16_t zeta); #endif diff --git a/crypto_kem/kyber768-90s/clean/params.h b/crypto_kem/kyber768-90s/clean/params.h index f33f77f4..678358d8 100644 --- a/crypto_kem/kyber768-90s/clean/params.h +++ b/crypto_kem/kyber768-90s/clean/params.h 
@@ -1,6 +1,9 @@ #ifndef PQCLEAN_KYBER76890S_CLEAN_PARAMS_H #define PQCLEAN_KYBER76890S_CLEAN_PARAMS_H + + + #define KYBER_N 256 #define KYBER_Q 3329 diff --git a/crypto_kem/kyber768-90s/clean/poly.c b/crypto_kem/kyber768-90s/clean/poly.c index c0d8b67b..324de5d5 100644 --- a/crypto_kem/kyber768-90s/clean/poly.c +++ b/crypto_kem/kyber768-90s/clean/poly.c @@ -1,6 +1,6 @@ -#include "params.h" #include "cbd.h" #include "ntt.h" +#include "params.h" #include "poly.h" #include "reduce.h" #include "symmetric.h" @@ -16,7 +16,7 @@ * - poly *a: pointer to input polynomial **************************************************/ void PQCLEAN_KYBER76890S_CLEAN_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], poly *a) { - unsigned int i = 0, j = 0; + size_t i, j; uint8_t t[8]; PQCLEAN_KYBER76890S_CLEAN_poly_csubq(a); @@ -45,7 +45,7 @@ void PQCLEAN_KYBER76890S_CLEAN_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES * (of length KYBER_POLYCOMPRESSEDBYTES bytes) **************************************************/ void PQCLEAN_KYBER76890S_CLEAN_poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_N / 2; i++) { r->coeffs[2 * i + 0] = (((uint16_t)(a[0] & 15) * KYBER_Q) + 8) >> 4; @@ -64,8 +64,8 @@ void PQCLEAN_KYBER76890S_CLEAN_poly_decompress(poly *r, const uint8_t a[KYBER_PO * - poly *a: pointer to input polynomial **************************************************/ void PQCLEAN_KYBER76890S_CLEAN_poly_tobytes(uint8_t r[KYBER_POLYBYTES], poly *a) { - unsigned int i = 0; - uint16_t t0 = 0, t1 = 0; + size_t i; + uint16_t t0, t1; PQCLEAN_KYBER76890S_CLEAN_poly_csubq(a); 
@@ -89,7 +89,7 @@ void PQCLEAN_KYBER76890S_CLEAN_poly_tobytes(uint8_t r[KYBER_POLYBYTES], poly *a) * (of KYBER_POLYBYTES bytes) **************************************************/ void PQCLEAN_KYBER76890S_CLEAN_poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_N / 2; i++) { r->coeffs[2 * i] = ((a[3 * i + 0] >> 0) | ((uint16_t)a[3 * i + 1] << 8)) & 0xFFF; r->coeffs[2 * i + 1] = ((a[3 * i + 1] >> 4) | ((uint16_t)a[3 * i + 2] << 4)) & 0xFFF; @@ -105,8 +105,8 @@ void PQCLEAN_KYBER76890S_CLEAN_poly_frombytes(poly *r, const uint8_t a[KYBER_POL * - const uint8_t *msg: pointer to input message **************************************************/ void PQCLEAN_KYBER76890S_CLEAN_poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]) { - unsigned int i = 0, j = 0; - int16_t mask = 0; + size_t i, j; + int16_t mask; for (i = 0; i < KYBER_N / 8; i++) { for (j = 0; j < 8; j++) { @@ -125,8 +125,8 @@ void PQCLEAN_KYBER76890S_CLEAN_poly_frommsg(poly *r, const uint8_t msg[KYBER_IND * - poly *a: pointer to input polynomial **************************************************/ void PQCLEAN_KYBER76890S_CLEAN_poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], poly *a) { - unsigned int i = 0, j = 0; - uint16_t t = 0; + size_t i, j; + uint16_t t; PQCLEAN_KYBER76890S_CLEAN_poly_csubq(a); @@ -194,7 +194,7 @@ void PQCLEAN_KYBER76890S_CLEAN_poly_invntt_tomont(poly *r) { * - const poly *b: pointer to second input polynomial **************************************************/ void PQCLEAN_KYBER76890S_CLEAN_poly_basemul_montgomery(poly *r, const poly *a, const poly *b) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_N / 4; i++) { PQCLEAN_KYBER76890S_CLEAN_basemul(&r->coeffs[4 * i], &a->coeffs[4 * i], &b->coeffs[4 * i], PQCLEAN_KYBER76890S_CLEAN_zetas[64 + i]); PQCLEAN_KYBER76890S_CLEAN_basemul(&r->coeffs[4 * i + 2], &a->coeffs[4 * i + 2], &b->coeffs[4 * i + 2], 
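Review bot: poly_tomsg's `uint16_t t;` loses only its initializer here, but the body that turns each coefficient into a message bit is outside the hunk; if it rounds with the usual `((t << 1) + KYBER_Q / 2) / KYBER_Q` form, the numerator of that division is the decrypted plaintext coefficient, the most sensitive value in decapsulation. Division by a constant is normally compiled to a multiply, but not on every target, so the constant-time form `((((uint32_t)t << 1) + 1665) * 80635 >> 28) & 1` (valid for inputs in [0, KYBER_Q), which the csubq call shown guarantees) is the safer choice and needs t widened to uint32_t. Check it against an exhaustive comparison over the 3329 inputs before switching. The function continues past the hunk.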
@@ -211,7 +211,7 @@ void PQCLEAN_KYBER76890S_CLEAN_poly_basemul_montgomery(poly *r, const poly *a, c * Arguments: - poly *r: pointer to input/output polynomial **************************************************/ void PQCLEAN_KYBER76890S_CLEAN_poly_tomont(poly *r) { - unsigned int i = 0; + size_t i; const int16_t f = (1ULL << 32) % KYBER_Q; for (i = 0; i < KYBER_N; i++) { r->coeffs[i] = PQCLEAN_KYBER76890S_CLEAN_montgomery_reduce((int32_t)r->coeffs[i] * f); @@ -227,7 +227,7 @@ void PQCLEAN_KYBER76890S_CLEAN_poly_tomont(poly *r) { * Arguments: - poly *r: pointer to input/output polynomial **************************************************/ void PQCLEAN_KYBER76890S_CLEAN_poly_reduce(poly *r) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_N; i++) { r->coeffs[i] = PQCLEAN_KYBER76890S_CLEAN_barrett_reduce(r->coeffs[i]); } @@ -243,7 +243,7 @@ void PQCLEAN_KYBER76890S_CLEAN_poly_reduce(poly *r) { * Arguments: - poly *r: pointer to input/output polynomial **************************************************/ void PQCLEAN_KYBER76890S_CLEAN_poly_csubq(poly *r) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_N; i++) { r->coeffs[i] = PQCLEAN_KYBER76890S_CLEAN_csubq(r->coeffs[i]); } @@ -259,7 +259,7 @@ void PQCLEAN_KYBER76890S_CLEAN_poly_csubq(poly *r) { * - const poly *b: pointer to second input polynomial **************************************************/ void PQCLEAN_KYBER76890S_CLEAN_poly_add(poly *r, const poly *a, const poly *b) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_N; i++) { r->coeffs[i] = a->coeffs[i] + b->coeffs[i]; } @@ -275,7 +275,7 @@ void PQCLEAN_KYBER76890S_CLEAN_poly_add(poly *r, const poly *a, const poly *b) { * - const poly *b: pointer to second input polynomial **************************************************/ void PQCLEAN_KYBER76890S_CLEAN_poly_sub(poly *r, const poly *a, const poly *b) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_N; i++) { r->coeffs[i] = a->coeffs[i] - b->coeffs[i]; } 
diff --git a/crypto_kem/kyber768-90s/clean/poly.h b/crypto_kem/kyber768-90s/clean/poly.h index 54398da3..39e0e042 100644 --- a/crypto_kem/kyber768-90s/clean/poly.h +++ b/crypto_kem/kyber768-90s/clean/poly.h @@ -1,6 +1,5 @@ #ifndef PQCLEAN_KYBER76890S_CLEAN_POLY_H #define PQCLEAN_KYBER76890S_CLEAN_POLY_H - #include "params.h" #include @@ -12,41 +11,26 @@ typedef struct { int16_t coeffs[KYBER_N]; } poly; - void PQCLEAN_KYBER76890S_CLEAN_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], poly *a); - void PQCLEAN_KYBER76890S_CLEAN_poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]); - void PQCLEAN_KYBER76890S_CLEAN_poly_tobytes(uint8_t r[KYBER_POLYBYTES], poly *a); - void PQCLEAN_KYBER76890S_CLEAN_poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]); - void PQCLEAN_KYBER76890S_CLEAN_poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]); - void PQCLEAN_KYBER76890S_CLEAN_poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], poly *a); - void PQCLEAN_KYBER76890S_CLEAN_poly_getnoise(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce); - void PQCLEAN_KYBER76890S_CLEAN_poly_ntt(poly *r); - void PQCLEAN_KYBER76890S_CLEAN_poly_invntt_tomont(poly *r); - void PQCLEAN_KYBER76890S_CLEAN_poly_basemul_montgomery(poly *r, const poly *a, const poly *b); - void PQCLEAN_KYBER76890S_CLEAN_poly_tomont(poly *r); - void PQCLEAN_KYBER76890S_CLEAN_poly_reduce(poly *r); - void PQCLEAN_KYBER76890S_CLEAN_poly_csubq(poly *r); - void PQCLEAN_KYBER76890S_CLEAN_poly_add(poly *r, const poly *a, const poly *b); - void PQCLEAN_KYBER76890S_CLEAN_poly_sub(poly *r, const poly *a, const poly *b); #endif diff --git a/crypto_kem/kyber768-90s/clean/polyvec.c b/crypto_kem/kyber768-90s/clean/polyvec.c index 79de7d77..5f647b81 100644 --- a/crypto_kem/kyber768-90s/clean/polyvec.c +++ b/crypto_kem/kyber768-90s/clean/polyvec.c 
@@ -13,7 +13,7 @@ * - polyvec *a: pointer to input vector of polynomials **************************************************/ void PQCLEAN_KYBER76890S_CLEAN_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], polyvec *a) { - unsigned int i = 0, j = 0, k = 0; + unsigned int i, j, k; PQCLEAN_KYBER76890S_CLEAN_polyvec_csubq(a); @@ -21,10 +21,8 @@ void PQCLEAN_KYBER76890S_CLEAN_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSE for (i = 0; i < KYBER_K; i++) { for (j = 0; j < KYBER_N / 4; j++) { for (k = 0; k < 4; k++) { - { - t[k] = ((((uint32_t)a->vec[i].coeffs[4 * j + k] << 10) + KYBER_Q / 2) - / KYBER_Q) & 0x3ff; - } + t[k] = ((((uint32_t)a->vec[i].coeffs[4 * j + k] << 10) + KYBER_Q / 2) + / KYBER_Q) & 0x3ff; } r[0] = (uint8_t)(t[0] >> 0); @@ -49,7 +47,7 @@ void PQCLEAN_KYBER76890S_CLEAN_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSE **************************************************/ void PQCLEAN_KYBER76890S_CLEAN_polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]) { - unsigned int i = 0, j = 0, k = 0; + unsigned int i, j, k; uint16_t t[4]; for (i = 0; i < KYBER_K; i++) { @@ -77,7 +75,7 @@ void PQCLEAN_KYBER76890S_CLEAN_polyvec_decompress(polyvec *r, * - polyvec *a: pointer to input vector of polynomials **************************************************/ void PQCLEAN_KYBER76890S_CLEAN_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], polyvec *a) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER76890S_CLEAN_poly_tobytes(r + i * KYBER_POLYBYTES, &a->vec[i]); } @@ -94,7 +92,7 @@ void PQCLEAN_KYBER76890S_CLEAN_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], po * (of length KYBER_POLYVECBYTES) **************************************************/ void PQCLEAN_KYBER76890S_CLEAN_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER76890S_CLEAN_poly_frombytes(&r->vec[i], a + i * KYBER_POLYBYTES); } 
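Review bot: The rounding line `t[k] = ((((uint32_t)a->vec[i].coeffs[4 * j + k] << 10) + KYBER_Q / 2) / KYBER_Q) & 0x3ff;` divides a secret-dependent numerator by KYBER_Q, and the commit only removes the extra braces around it. A divide by a compile-time constant is usually turned into a multiply, but that is not guaranteed across compilers and targets, and polyvec_compress runs on the re-encryption path of decapsulation, so a variable-latency divide here would be a timing leak keyed to the decrypted message. Since the csubq call at the top of the function has already put the coefficients in [0, KYBER_Q), the quotient can be obtained exactly with a 64-bit multiply-and-shift that is branch- and division-free; an exhaustive check over the 3329 inputs against the original expression is cheap and should accompany the change. The enclosing function continues past the hunk (the packing of t[] into r is not shown).
```c
/* … unchanged: csubq call, loop headers over i and j … */
            for (k = 0; k < 4; k++) {
                /* floor(((c << 10) + q/2) / q) for c in [0, q), without a divide:
                 * 1290167 / 2^32 approximates 1/3329 closely enough (together with
                 * the +1665 rounding term) to be exact on this input range. */
                uint64_t d0 = (uint64_t)a->vec[i].coeffs[4 * j + k];
                d0 <<= 10;
                d0 += 1665;
                d0 *= 1290167;
                d0 >>= 32;
                t[k] = (uint16_t)(d0 & 0x3ff);
            }
/* … unchanged: packing of t[0..3] into r … */
```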
@@ -108,7 +106,7 @@ void PQCLEAN_KYBER76890S_CLEAN_polyvec_frombytes(polyvec *r, const uint8_t a[KYB * Arguments: - polyvec *r: pointer to in/output vector of polynomials **************************************************/ void PQCLEAN_KYBER76890S_CLEAN_polyvec_ntt(polyvec *r) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER76890S_CLEAN_poly_ntt(&r->vec[i]); } @@ -123,7 +121,7 @@ void PQCLEAN_KYBER76890S_CLEAN_polyvec_ntt(polyvec *r) { * Arguments: - polyvec *r: pointer to in/output vector of polynomials **************************************************/ void PQCLEAN_KYBER76890S_CLEAN_polyvec_invntt_tomont(polyvec *r) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER76890S_CLEAN_poly_invntt_tomont(&r->vec[i]); } @@ -142,7 +140,7 @@ void PQCLEAN_KYBER76890S_CLEAN_polyvec_invntt_tomont(polyvec *r) { void PQCLEAN_KYBER76890S_CLEAN_polyvec_pointwise_acc_montgomery(poly *r, const polyvec *a, const polyvec *b) { - unsigned int i = 0; + unsigned int i; poly t; PQCLEAN_KYBER76890S_CLEAN_poly_basemul_montgomery(r, &a->vec[0], &b->vec[0]); @@ -164,7 +162,7 @@ void PQCLEAN_KYBER76890S_CLEAN_polyvec_pointwise_acc_montgomery(poly *r, * Arguments: - poly *r: pointer to input/output polynomial **************************************************/ void PQCLEAN_KYBER76890S_CLEAN_polyvec_reduce(polyvec *r) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER76890S_CLEAN_poly_reduce(&r->vec[i]); } @@ -181,7 +179,7 @@ void PQCLEAN_KYBER76890S_CLEAN_polyvec_reduce(polyvec *r) { * Arguments: - poly *r: pointer to input/output polynomial **************************************************/ void PQCLEAN_KYBER76890S_CLEAN_polyvec_csubq(polyvec *r) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER76890S_CLEAN_poly_csubq(&r->vec[i]); } 
@@ -197,7 +195,7 @@ void PQCLEAN_KYBER76890S_CLEAN_polyvec_csubq(polyvec *r) { * - const polyvec *b: pointer to second input vector of polynomials **************************************************/ void PQCLEAN_KYBER76890S_CLEAN_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER76890S_CLEAN_poly_add(&r->vec[i], &a->vec[i], &b->vec[i]); } diff --git a/crypto_kem/kyber768-90s/clean/polyvec.h b/crypto_kem/kyber768-90s/clean/polyvec.h index 2ade476f..e59174d3 100644 --- a/crypto_kem/kyber768-90s/clean/polyvec.h +++ b/crypto_kem/kyber768-90s/clean/polyvec.h @@ -1,6 +1,5 @@ #ifndef PQCLEAN_KYBER76890S_CLEAN_POLYVEC_H #define PQCLEAN_KYBER76890S_CLEAN_POLYVEC_H - #include "params.h" #include "poly.h" #include @@ -9,33 +8,23 @@ typedef struct { poly vec[KYBER_K]; } polyvec; - void PQCLEAN_KYBER76890S_CLEAN_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], polyvec *a); - void PQCLEAN_KYBER76890S_CLEAN_polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]); - void PQCLEAN_KYBER76890S_CLEAN_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], polyvec *a); - void PQCLEAN_KYBER76890S_CLEAN_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]); - void PQCLEAN_KYBER76890S_CLEAN_polyvec_ntt(polyvec *r); - void PQCLEAN_KYBER76890S_CLEAN_polyvec_invntt_tomont(polyvec *r); - void PQCLEAN_KYBER76890S_CLEAN_polyvec_pointwise_acc_montgomery(poly *r, const polyvec *a, const polyvec *b); - void PQCLEAN_KYBER76890S_CLEAN_polyvec_reduce(polyvec *r); - void PQCLEAN_KYBER76890S_CLEAN_polyvec_csubq(polyvec *r); - void PQCLEAN_KYBER76890S_CLEAN_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b); #endif diff --git a/crypto_kem/kyber768-90s/clean/reduce.c b/crypto_kem/kyber768-90s/clean/reduce.c index 3967a765..47854ad7 100644 --- a/crypto_kem/kyber768-90s/clean/reduce.c +++ b/crypto_kem/kyber768-90s/clean/reduce.c 
@@ -15,8 +15,8 @@ * Returns: integer in {-q+1,...,q-1} congruent to a * R^-1 modulo q. **************************************************/ int16_t PQCLEAN_KYBER76890S_CLEAN_montgomery_reduce(int32_t a) { - int32_t t = 0; - int16_t u = 0; + int32_t t; + int16_t u; u = (int16_t)(a * (int64_t)QINV); t = (int32_t)u * KYBER_Q; @@ -36,7 +36,7 @@ int16_t PQCLEAN_KYBER76890S_CLEAN_montgomery_reduce(int32_t a) { * Returns: integer in {0,...,q} congruent to a modulo q. **************************************************/ int16_t PQCLEAN_KYBER76890S_CLEAN_barrett_reduce(int16_t a) { - int16_t t = 0; + int16_t t; const int16_t v = ((1U << 26) + KYBER_Q / 2) / KYBER_Q; t = (int32_t)v * a >> 26; diff --git a/crypto_kem/kyber768-90s/clean/reduce.h b/crypto_kem/kyber768-90s/clean/reduce.h index f08b032c..cd282cc7 100644 --- a/crypto_kem/kyber768-90s/clean/reduce.h +++ b/crypto_kem/kyber768-90s/clean/reduce.h @@ -1,19 +1,15 @@ #ifndef PQCLEAN_KYBER76890S_CLEAN_REDUCE_H #define PQCLEAN_KYBER76890S_CLEAN_REDUCE_H - #include "params.h" #include #define MONT 2285 // 2^16 mod q #define QINV 62209 // q^-1 mod 2^16 - int16_t PQCLEAN_KYBER76890S_CLEAN_montgomery_reduce(int32_t a); - int16_t PQCLEAN_KYBER76890S_CLEAN_barrett_reduce(int16_t a); - int16_t PQCLEAN_KYBER76890S_CLEAN_csubq(int16_t a); #endif diff --git a/crypto_kem/kyber768-90s/clean/symmetric-aes.c b/crypto_kem/kyber768-90s/clean/symmetric-aes.c index e1ef178c..281d33d0 100644 --- a/crypto_kem/kyber768-90s/clean/symmetric-aes.c +++ b/crypto_kem/kyber768-90s/clean/symmetric-aes.c @@ -1,5 +1,6 @@ -#include "symmetric-aes.h" #include "aes.h" +#include "params.h" +#include "symmetric.h" #include #include #include 
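Review bot: `t = (int32_t)v * a >> 26;` in barrett_reduce right-shifts a value that is negative whenever `a` is, and the result of `>>` on a negative signed integer is implementation-defined in C; the reduction is correct only under an arithmetic (sign-extending) shift, which mainstream compilers provide but the code does not state. Suggest `/* relies on arithmetic right shift of negative int32_t (implementation-defined, universal on two's-complement targets) */` above that line. The same caveat applies to `u = (int16_t)(a * (int64_t)QINV);` in montgomery_reduce, where the narrowing of an out-of-range value is implementation-defined rather than guaranteed truncation modulo 2^16. Dropping the `= 0` initializers is fine on the visible lines because `t` and `u` are assigned before any read; barrett_reduce's body continues past the hunk.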
@@ -34,7 +35,7 @@ static void aes256_ctr_xof(unsigned char *out, size_t outlen, const unsigned cha } /************************************************* -* Name: aes256_prf +* Name: PQCLEAN_KYBER76890S_CLEAN_aes256_prf * * Description: AES256 stream generation in CTR mode using 32-bit counter, * nonce is zero-padded to 12 bytes, counter starts at zero @@ -58,7 +59,7 @@ void PQCLEAN_KYBER76890S_CLEAN_aes256_prf(uint8_t *output, size_t outlen, const } /************************************************* -* Name: aes256xof_absorb +* Name: PQCLEAN_KYBER76890S_CLEAN_aes256xof_absorb * * Description: AES256 CTR used as a replacement for a XOF; this function * "absorbs" a 32-byte key and two additional bytes that are zero-padded @@ -80,7 +81,7 @@ void PQCLEAN_KYBER76890S_CLEAN_aes256xof_absorb(aes256xof_ctx *s, const uint8_t } /************************************************* -* Name: aes256xof_squeezeblocks +* Name: PQCLEAN_KYBER76890S_CLEAN_aes256xof_squeezeblocks * * Description: AES256 CTR used as a replacement for a XOF; this function * generates 4 blocks out AES256-CTR output diff --git a/crypto_kem/kyber768-90s/clean/symmetric-aes.h b/crypto_kem/kyber768-90s/clean/symmetric-aes.h index 35facbeb..c2aa588b 100644 --- a/crypto_kem/kyber768-90s/clean/symmetric-aes.h +++ b/crypto_kem/kyber768-90s/clean/symmetric-aes.h @@ -1,11 +1,10 @@ -#ifndef AES256CTR_H -#define AES256CTR_H - +#ifndef PQCLEAN_KYBER76890S_CLEAN_SYMMETRIC_AES_H +#define PQCLEAN_KYBER76890S_CLEAN_SYMMETRIC_AES_H #include "aes.h" - #include #include + typedef struct { aes256ctx sk_exp; uint8_t iv[12]; diff --git a/crypto_kem/kyber768-90s/clean/symmetric.h b/crypto_kem/kyber768-90s/clean/symmetric.h index 9e46b337..8965c639 100644 --- a/crypto_kem/kyber768-90s/clean/symmetric.h +++ b/crypto_kem/kyber768-90s/clean/symmetric.h 
@@ -1,13 +1,12 @@ -#ifndef SYMMETRIC_H -#define SYMMETRIC_H - +#ifndef PQCLEAN_KYBER76890S_CLEAN_SYMMETRIC_H +#define PQCLEAN_KYBER76890S_CLEAN_SYMMETRIC_H #include "params.h" +#include "sha2.h" +#include "symmetric-aes.h" #include #include -#include "sha2.h" -#include "symmetric-aes.h" typedef aes256xof_ctx xof_state; diff --git a/crypto_kem/kyber768-90s/clean/verify.c b/crypto_kem/kyber768-90s/clean/verify.c index ec472fe3..05d4d5d5 100644 --- a/crypto_kem/kyber768-90s/clean/verify.c +++ b/crypto_kem/kyber768-90s/clean/verify.c @@ -14,7 +14,7 @@ * Returns 0 if the byte arrays are equal, 1 otherwise **************************************************/ int PQCLEAN_KYBER76890S_CLEAN_verify(const uint8_t *a, const uint8_t *b, size_t len) { - size_t i = 0; + size_t i; uint8_t r = 0; for (i = 0; i < len; i++) { @@ -38,7 +38,7 @@ int PQCLEAN_KYBER76890S_CLEAN_verify(const uint8_t *a, const uint8_t *b, size_t * uint8_t b: Condition bit; has to be in {0,1} **************************************************/ void PQCLEAN_KYBER76890S_CLEAN_cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b) { - size_t i = 0; + size_t i; b = -b; for (i = 0; i < len; i++) { diff --git a/crypto_kem/kyber768-90s/clean/verify.h b/crypto_kem/kyber768-90s/clean/verify.h index 216f2792..783aa44e 100644 --- a/crypto_kem/kyber768-90s/clean/verify.h +++ b/crypto_kem/kyber768-90s/clean/verify.h @@ -1,14 +1,11 @@ #ifndef PQCLEAN_KYBER76890S_CLEAN_VERIFY_H #define PQCLEAN_KYBER76890S_CLEAN_VERIFY_H - #include "params.h" #include #include - int PQCLEAN_KYBER76890S_CLEAN_verify(const uint8_t *a, const uint8_t *b, size_t len); - void PQCLEAN_KYBER76890S_CLEAN_cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b); #endif diff --git a/crypto_kem/kyber768/META.yml b/crypto_kem/kyber768/META.yml index 34af9744..a4b60867 100644 --- a/crypto_kem/kyber768/META.yml +++ b/crypto_kem/kyber768/META.yml 
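Review bot: `b = -b;` in cmov is the heart of the constant-time select but reads like a typo without a comment; the header above it says `b` must be in {0,1}, and negating a uint8_t turns that into the byte mask 0x00 or 0xff that the loop (which continues past the hunk) presumably applies to `r`. Suggest `b = -b; /* 0 -> 0x00, 1 -> 0xff: branch-free byte mask */`. It is worth noting in the same comment that any other value of `b` produces a partial mask and a mixed output, so callers must pass a genuine 0/1 bit rather than a general "non-zero means true" flag.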
@@ -20,16 +20,17 @@ auxiliary-submitters: - Gregor Seiler - Damien Stehlé implementations: - - name: clean - version: https://github.com/pq-crystals/kyber/commit/46e283ab575ec92dfe82fb12229ae2d9d6246682 - - name: avx2 - version: https://github.com/pq-crystals/kyber/commit/46e283ab575ec92dfe82fb12229ae2d9d6246682 - supported_platforms: - - architecture: x86_64 - operating_systems: - - Linux - - Darwin - required_flags: - - avx2 - - bmi2 - - popcnt + - name: clean + version: https://github.com/pq-crystals/kyber/commit/844057468e69527bd15b17fbe03f4b61f9a22065 via https://github.com/jschanck/package-pqclean/tree/b45068b8/kyber + - name: avx2 + version: https://github.com/pq-crystals/kyber/commit/844057468e69527bd15b17fbe03f4b61f9a22065 via https://github.com/jschanck/package-pqclean/tree/b45068b8/kyber + supported_platforms: + - architecture: x86_64 + operating_systems: + - Linux + - Darwin + required_flags: + - aes + - avx2 + - bmi2 + - popcnt diff --git a/crypto_kem/kyber768/avx2/Makefile b/crypto_kem/kyber768/avx2/Makefile index 2008206d..24c28b8f 100644 --- a/crypto_kem/kyber768/avx2/Makefile +++ b/crypto_kem/kyber768/avx2/Makefile 
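Review bot: The rewritten `required_flags` list for the kyber768 avx2 implementation gains `- aes`, but this is the non-90s variant built on SHAKE/Keccak, and its Makefile in the same commit compiles with `-mavx2 -mbmi2 -mpopcnt` and no `-maes`, with no AES object in OBJECTS. Declaring AES-NI as required looks like a copy from the 90s variants' metadata and would wrongly stop CPUs without AES-NI from selecting this implementation, or, if the asm really does use AES somewhere not visible here, it would mean the Makefile is missing `-maes`. Either way the two files disagree; unless an AES dependency exists that is not visible in this diff, drop the `- aes` line.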
@@ -1,50 +1,16 @@ # This Makefile can be used with GNU Make or BSD Make LIB=libkyber768_avx2.a -HEADERS= \ - align.h \ - api.h \ - cbd.h \ - cdecl.inc \ - consts.h \ - fips202x4.h \ - fq.inc \ - indcpa.h \ - kem.h \ - ntt.h \ - params.h \ - poly.h \ - polyvec.h \ - reduce.h \ - rejsample.h \ - shuffle.inc \ - symmetric.h \ - verify.h -OBJECTS= \ - basemul.o \ - cbd.o \ - consts.o \ - fips202x4.o \ - fq.o \ - indcpa.o \ - invntt.o \ - kem.o \ - ntt.o \ - poly.o \ - polyvec.o \ - rejsample.o \ - shuffle.o \ - symmetric-shake.o \ - verify.o - +HEADERS=align.h api.h cbd.h cdecl.h consts.h fips202x4.h indcpa.h kem.h ntt.h params.h poly.h polyvec.h reduce.h rejsample.h symmetric.h verify.h fq.inc shuffle.inc +OBJECTS=cbd.o consts.o fips202x4.o indcpa.o kem.o poly.o polyvec.o rejsample.o symmetric-shake.o verify.o basemul.o fq.o invntt.o ntt.o shuffle.o KECCAK4XDIR=../../../common/keccak4x KECCAK4XOBJ=KeccakP-1600-times4-SIMD256.o KECCAK4X=$(KECCAK4XDIR)/$(KECCAK4XOBJ) CFLAGS=-mavx2 -mbmi2 -mpopcnt -O3 -Wall -Wextra -Wpedantic -Werror \ - -Wmissing-prototypes -Wredundant-decls \ - -Wpointer-arith -Wshadow \ - -std=c99 -I../../../common $(EXTRAFLAGS) + -Wmissing-prototypes -Wredundant-decls \ + -Wpointer-arith -Wshadow \ + -std=c99 -I../../../common $(EXTRAFLAGS) all: $(LIB) diff --git a/crypto_kem/kyber768/avx2/align.h b/crypto_kem/kyber768/avx2/align.h index 517fb939..7194d2b3 100644 --- a/crypto_kem/kyber768/avx2/align.h +++ b/crypto_kem/kyber768/avx2/align.h @@ -1,5 +1,6 @@ #ifndef PQCLEAN_KYBER768_AVX2_ALIGN_H #define PQCLEAN_KYBER768_AVX2_ALIGN_H + #include #define ALIGN16_TYPE(t) \ diff --git a/crypto_kem/kyber768/avx2/api.h b/crypto_kem/kyber768/avx2/api.h index f1cd7343..4c956203 100644 --- a/crypto_kem/kyber768/avx2/api.h +++ b/crypto_kem/kyber768/avx2/api.h @@ -15,5 +15,4 @@ int PQCLEAN_KYBER768_AVX2_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t int PQCLEAN_KYBER768_AVX2_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - #endif 
diff --git a/crypto_kem/kyber768/avx2/basemul.S b/crypto_kem/kyber768/avx2/basemul.S index 487f3fd6..5b630782 100644 --- a/crypto_kem/kyber768/avx2/basemul.S +++ b/crypto_kem/kyber768/avx2/basemul.S @@ -1,5 +1,5 @@ +#include "cdecl.h" #include "params.h" -#include "cdecl.inc" .macro schoolbook off,sign #load @@ -149,7 +149,9 @@ vmovdqa %ymm5,96(%rdi) ret .global cdecl(PQCLEAN_KYBER768_AVX2_basemul_acc_avx) +.global _cdecl(PQCLEAN_KYBER768_AVX2_basemul_acc_avx) cdecl(PQCLEAN_KYBER768_AVX2_basemul_acc_avx): +_cdecl(PQCLEAN_KYBER768_AVX2_basemul_acc_avx): #consts vmovdqa _16XQ*2(%rcx),%ymm0 vmovdqa _16XQINV*2(%rcx),%ymm1 @@ -199,7 +201,9 @@ vmovdqa %ymm12,96(%rdi) ret .global cdecl(PQCLEAN_KYBER768_AVX2_basemul_avx) +.global _cdecl(PQCLEAN_KYBER768_AVX2_basemul_avx) cdecl(PQCLEAN_KYBER768_AVX2_basemul_avx): +_cdecl(PQCLEAN_KYBER768_AVX2_basemul_avx): #consts vmovdqa _16XQ*2(%rcx),%ymm0 vmovdqa _16XQINV*2(%rcx),%ymm1 diff --git a/crypto_kem/kyber768/avx2/cbd.c b/crypto_kem/kyber768/avx2/cbd.c index 7d4a3b30..ea2d1926 100644 --- a/crypto_kem/kyber768/avx2/cbd.c +++ b/crypto_kem/kyber768/avx2/cbd.c @@ -1,5 +1,5 @@ -#include "params.h" #include "cbd.h" +#include "params.h" #include #include @@ -14,7 +14,7 @@ * - const unsigned char *buf: pointer to input byte array **************************************************/ void PQCLEAN_KYBER768_AVX2_cbd(poly *restrict r, const uint8_t *restrict buf) { - unsigned int i = 0; + unsigned int i; __m256i vec0, vec1, vec2, vec3, tmp; const __m256i mask55 = _mm256_set1_epi32(0x55555555); const __m256i mask33 = _mm256_set1_epi32(0x33333333); diff --git a/crypto_kem/kyber768/avx2/cbd.h b/crypto_kem/kyber768/avx2/cbd.h index 4bbb86e8..2d254413 100644 --- a/crypto_kem/kyber768/avx2/cbd.h +++ b/crypto_kem/kyber768/avx2/cbd.h 
@@ -1,11 +1,9 @@ #ifndef PQCLEAN_KYBER768_AVX2_CBD_H #define PQCLEAN_KYBER768_AVX2_CBD_H - #include "params.h" #include "poly.h" #include - void PQCLEAN_KYBER768_AVX2_cbd(poly *r, const uint8_t buf[KYBER_ETA * KYBER_N / 4]); #endif diff --git a/crypto_kem/kyber768/avx2/cdecl.h b/crypto_kem/kyber768/avx2/cdecl.h new file mode 100644 index 00000000..3a6004a8 --- /dev/null +++ b/crypto_kem/kyber768/avx2/cdecl.h @@ -0,0 +1,26 @@ +#ifndef PQCLEAN_KYBER768_AVX2_CDECL_H +#define PQCLEAN_KYBER768_AVX2_CDECL_H + +#define _16XQ 0 +#define _16XQINV 16 +#define _16XV 32 +#define _16XFLO 48 +#define _16XFHI 64 +#define _16XMONTSQLO 80 +#define _16XMONTSQHI 96 +#define _16XMASK 112 +#define _ZETAS_EXP 128 +#define _ZETAS_INV_EXP 528 + + +/* The C ABI on MacOS exports all symbols with a leading + * underscore. This means that any symbols we refer to from + * C files (functions) can't be found, and all symbols we + * refer to from ASM also can't be found (nttconsts.c). + * + * This define helps us get around this + */ + +#define _cdecl(s) _##s +#define cdecl(s) s +#endif diff --git a/crypto_kem/kyber768/avx2/cdecl.inc b/crypto_kem/kyber768/avx2/cdecl.inc deleted file mode 100644 index 8ded53b1..00000000 --- a/crypto_kem/kyber768/avx2/cdecl.inc +++ /dev/null @@ -1,30 +0,0 @@ -#ifndef PQCLEAN_DILITHIUM2_AVX2_CDECL -#define PQCLEAN_DILITHIUM2_AVX2_CDECL - -#define _16XQ 0 -#define _16XQINV 16 -#define _16XV 32 -#define _16XFLO 48 -#define _16XFHI 64 -#define _16XMONTSQLO 80 -#define _16XMONTSQHI 96 -#define _16XMASK 112 -#define _ZETAS_EXP 128 -#define _ZETAS_INV_EXP 528 - - -/* The C ABI on MacOS exports all symbols with a leading - * underscore. This means that any symbols we refer to from - * C files (functions) can't be found, and all symbols we - * refer to from ASM also can't be found (nttconsts.c). - * - * This define helps us get around this - */ - -#if defined(__WIN32__) || defined(__APPLE__) -#define cdecl(s) _##s -#else -#define cdecl(s) s -#endif - -#endif 
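Review bot: The comment block in the new cdecl.h still ends with "This define helps us get around this", describing the `#if defined(__WIN32__) || defined(__APPLE__)` switch that the deleted cdecl.inc had, while the new header defines both `cdecl(s)` and `_cdecl(s)` unconditionally and the .S files in this commit emit every entry point twice, once under each spelling. A reader will look for a platform switch that no longer exists; replace that sentence with `/* The .S files label each entry point with both cdecl() and _cdecl(), so one object resolves on ELF (no prefix) and Mach-O (leading underscore) without a platform switch. */`. Separately, `_cdecl` and the `_16XQ`-style offsets are file-scope identifiers beginning with an underscore, which C reserves for the implementation, and some compilers (MSVC, to my knowledge) know `_cdecl` as a calling-convention keyword; a name such as `cdecl_us` sidesteps that, though only GNU-style toolchains assemble this code today.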
diff --git a/crypto_kem/kyber768/avx2/consts.c b/crypto_kem/kyber768/avx2/consts.c index f0652610..39201de5 100644 --- a/crypto_kem/kyber768/avx2/consts.c +++ b/crypto_kem/kyber768/avx2/consts.c @@ -1,5 +1,5 @@ -#include "params.h" #include "consts.h" +#include "params.h" #include #define Q KYBER_Q diff --git a/crypto_kem/kyber768/avx2/consts.h b/crypto_kem/kyber768/avx2/consts.h index f7bcfb7c..c0d5093f 100644 --- a/crypto_kem/kyber768/avx2/consts.h +++ b/crypto_kem/kyber768/avx2/consts.h @@ -1,12 +1,11 @@ #ifndef PQCLEAN_KYBER768_AVX2_CONSTS_H #define PQCLEAN_KYBER768_AVX2_CONSTS_H - -#include "cdecl.inc" - +#include "cdecl.h" #include "params.h" #include #include + #define ALIGNED_UINT16_T(N) \ union { \ __m256i as_vec; \ diff --git a/crypto_kem/kyber768/avx2/fips202x4.c b/crypto_kem/kyber768/avx2/fips202x4.c index 80f89aa7..7e7631e3 100644 --- a/crypto_kem/kyber768/avx2/fips202x4.c +++ b/crypto_kem/kyber768/avx2/fips202x4.c @@ -10,7 +10,7 @@ extern void KeccakF1600_StatePermute4x(__m256i *s); static inline void store64(uint8_t x[8], uint64_t u) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < 8; i++) { x[i] = u >> 8 * i; @@ -25,7 +25,7 @@ static void keccakx4_absorb(__m256i s[25], const uint8_t *in3, size_t inlen, uint8_t p) { - size_t i = 0, pos = 0; + size_t i, pos = 0; __m256i t, idx; for (i = 0; i < 25; ++i) { @@ -74,8 +74,8 @@ static void keccakx4_squeezeblocks(uint8_t *out0, size_t nblocks, unsigned int r, __m256i s[25]) { - unsigned int i = 0; - uint64_t f0 = 0, f1 = 0, f2 = 0, f3 = 0; + unsigned int i; + uint64_t f0, f1, f2, f3; while (nblocks > 0) { KeccakF1600_StatePermute4x(s); 
@@ -137,8 +137,17 @@ void PQCLEAN_KYBER768_AVX2_shake256x4_squeezeblocks(uint8_t *out0, state->s); } -void PQCLEAN_KYBER768_AVX2_shake128x4(uint8_t *out0, uint8_t *out1, uint8_t *out2, uint8_t *out3, size_t outlen, const uint8_t *in0, const uint8_t *in1, const uint8_t *in2, const uint8_t *in3, size_t inlen) { - unsigned int i = 0; +void PQCLEAN_KYBER768_AVX2_shake128x4(uint8_t *out0, + uint8_t *out1, + uint8_t *out2, + uint8_t *out3, + size_t outlen, + const uint8_t *in0, + const uint8_t *in1, + const uint8_t *in2, + const uint8_t *in3, + size_t inlen) { + unsigned int i; size_t nblocks = outlen / SHAKE128_RATE; uint8_t t[4][SHAKE128_RATE]; keccakx4_state state; @@ -163,8 +172,17 @@ void PQCLEAN_KYBER768_AVX2_shake128x4(uint8_t *out0, uint8_t *out1, uint8_t *out } } -void PQCLEAN_KYBER768_AVX2_shake256x4(uint8_t *out0, uint8_t *out1, uint8_t *out2, uint8_t *out3, size_t outlen, const uint8_t *in0, const uint8_t *in1, const uint8_t *in2, const uint8_t *in3, size_t inlen) { - unsigned int i = 0; +void PQCLEAN_KYBER768_AVX2_shake256x4(uint8_t *out0, + uint8_t *out1, + uint8_t *out2, + uint8_t *out3, + size_t outlen, + const uint8_t *in0, + const uint8_t *in1, + const uint8_t *in2, + const uint8_t *in3, + size_t inlen) { + unsigned int i; size_t nblocks = outlen / SHAKE256_RATE; uint8_t t[4][SHAKE256_RATE]; keccakx4_state state; diff --git a/crypto_kem/kyber768/avx2/fips202x4.h b/crypto_kem/kyber768/avx2/fips202x4.h index 2f525dc8..e65e7540 100644 --- a/crypto_kem/kyber768/avx2/fips202x4.h +++ b/crypto_kem/kyber768/avx2/fips202x4.h @@ -1,5 +1,5 @@ -#ifndef FIPS202X4_H -#define FIPS202X4_H +#ifndef PQCLEAN_KYBER768_AVX2_FIPS202X4_H +#define PQCLEAN_KYBER768_AVX2_FIPS202X4_H #include #include 
@@ -9,17 +9,54 @@ typedef struct { __m256i s[25]; } keccakx4_state; -void PQCLEAN_KYBER768_AVX2_shake128x4_absorb(keccakx4_state *state, const uint8_t *in0, const uint8_t *in1, const uint8_t *in2, const uint8_t *in3, size_t inlen); +void PQCLEAN_KYBER768_AVX2_shake128x4_absorb(keccakx4_state *state, + const uint8_t *in0, + const uint8_t *in1, + const uint8_t *in2, + const uint8_t *in3, + size_t inlen); -void PQCLEAN_KYBER768_AVX2_shake128x4_squeezeblocks(uint8_t *out0, uint8_t *out1, uint8_t *out2, uint8_t *out3, size_t nblocks, keccakx4_state *state); - -void PQCLEAN_KYBER768_AVX2_shake256x4_absorb(keccakx4_state *state, const uint8_t *in0, const uint8_t *in1, const uint8_t *in2, const uint8_t *in3, size_t inlen); - -void PQCLEAN_KYBER768_AVX2_shake256x4_squeezeblocks(uint8_t *out0, uint8_t *out1, uint8_t *out2, uint8_t *out3, size_t nblocks, +void PQCLEAN_KYBER768_AVX2_shake128x4_squeezeblocks(uint8_t *out0, + uint8_t *out1, + uint8_t *out2, + uint8_t *out3, + size_t nblocks, keccakx4_state *state); -void PQCLEAN_KYBER768_AVX2_shake128x4(uint8_t *out0, uint8_t *out1, uint8_t *out2, uint8_t *out3, size_t outlen, const uint8_t *in0, const uint8_t *in1, const uint8_t *in2, const uint8_t *in3, size_t inlen); +void PQCLEAN_KYBER768_AVX2_shake256x4_absorb(keccakx4_state *state, + const uint8_t *in0, + const uint8_t *in1, + const uint8_t *in2, + const uint8_t *in3, + size_t inlen); -void PQCLEAN_KYBER768_AVX2_shake256x4(uint8_t *out0, uint8_t *out1, uint8_t *out2, uint8_t *out3, size_t outlen, const uint8_t *in0, const uint8_t *in1, const uint8_t *in2, const uint8_t *in3, size_t inlen); +void PQCLEAN_KYBER768_AVX2_shake256x4_squeezeblocks(uint8_t *out0, + uint8_t *out1, + uint8_t *out2, + uint8_t *out3, + size_t nblocks, + keccakx4_state *state); + +void PQCLEAN_KYBER768_AVX2_shake128x4(uint8_t *out0, + uint8_t *out1, + uint8_t *out2, + uint8_t *out3, + size_t outlen, + const uint8_t *in0, + const uint8_t *in1, + const uint8_t *in2, + const uint8_t *in3, + size_t 
inlen); + +void PQCLEAN_KYBER768_AVX2_shake256x4(uint8_t *out0, + uint8_t *out1, + uint8_t *out2, + uint8_t *out3, + size_t outlen, + const uint8_t *in0, + const uint8_t *in1, + const uint8_t *in2, + const uint8_t *in3, + size_t inlen); #endif diff --git a/crypto_kem/kyber768/avx2/fq.S b/crypto_kem/kyber768/avx2/fq.S index fc038a73..1f50c56b 100644 --- a/crypto_kem/kyber768/avx2/fq.S +++ b/crypto_kem/kyber768/avx2/fq.S @@ -1,4 +1,4 @@ -#include "cdecl.inc" +#include "cdecl.h" .include "fq.inc" .text @@ -35,7 +35,9 @@ vmovdqa %ymm9,224(%rdi) ret .global cdecl(PQCLEAN_KYBER768_AVX2_reduce_avx) +.global _cdecl(PQCLEAN_KYBER768_AVX2_reduce_avx) cdecl(PQCLEAN_KYBER768_AVX2_reduce_avx): +_cdecl(PQCLEAN_KYBER768_AVX2_reduce_avx): #consts vmovdqa _16XQ*2(%rsi),%ymm0 vmovdqa _16XV*2(%rsi),%ymm1 @@ -77,7 +79,9 @@ vmovdqa %ymm8,224(%rdi) ret .global cdecl(PQCLEAN_KYBER768_AVX2_csubq_avx) +.global _cdecl(PQCLEAN_KYBER768_AVX2_csubq_avx) cdecl(PQCLEAN_KYBER768_AVX2_csubq_avx): +_cdecl(PQCLEAN_KYBER768_AVX2_csubq_avx): #consts vmovdqa _16XQ*2(%rsi),%ymm0 call csubq128_avx @@ -118,7 +122,9 @@ vmovdqa %ymm10,224(%rdi) ret .global cdecl(PQCLEAN_KYBER768_AVX2_tomont_avx) +.global _cdecl(PQCLEAN_KYBER768_AVX2_tomont_avx) cdecl(PQCLEAN_KYBER768_AVX2_tomont_avx): +_cdecl(PQCLEAN_KYBER768_AVX2_tomont_avx): #consts vmovdqa _16XQ*2(%rsi),%ymm0 vmovdqa _16XMONTSQLO*2(%rsi),%ymm1 diff --git a/crypto_kem/kyber768/avx2/indcpa.c b/crypto_kem/kyber768/avx2/indcpa.c index cbc8a6f8..9ac7dd64 100644 --- a/crypto_kem/kyber768/avx2/indcpa.c +++ b/crypto_kem/kyber768/avx2/indcpa.c @@ -25,7 +25,7 @@ static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES], polyvec *pk, const uint8_t seed[KYBER_SYMBYTES]) { - size_t i = 0; + size_t i; PQCLEAN_KYBER768_AVX2_polyvec_tobytes(r, pk); for (i = 0; i < KYBER_SYMBYTES; i++) { r[i + KYBER_POLYVECBYTES] = seed[i]; 
@@ -45,7 +45,7 @@ static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES], static void unpack_pk(polyvec *pk, uint8_t seed[KYBER_SYMBYTES], const uint8_t packedpk[KYBER_INDCPA_PUBLICKEYBYTES]) { - size_t i = 0; + size_t i; PQCLEAN_KYBER768_AVX2_polyvec_frombytes(pk, packedpk); for (i = 0; i < KYBER_SYMBYTES; i++) { seed[i] = packedpk[i + KYBER_POLYVECBYTES]; @@ -133,8 +133,8 @@ static unsigned int rej_uniform(int16_t *r, unsigned int len, const uint8_t *buf, unsigned int buflen) { - unsigned int ctr = 0, pos = 0; - uint16_t val = 0; + unsigned int ctr, pos; + uint16_t val; ctr = pos = 0; while (ctr < len && pos + 2 <= buflen) { @@ -168,7 +168,7 @@ static unsigned int rej_uniform(int16_t *r, #define GEN_MATRIX_NBLOCKS ((2*KYBER_N*(1U << 16)/(19*KYBER_Q) \ + XOF_BLOCKBYTES)/XOF_BLOCKBYTES) void PQCLEAN_KYBER768_AVX2_gen_matrix(polyvec *a, const uint8_t seed[32], int transposed) { - unsigned int ctr0 = 0, ctr1 = 0, ctr2 = 0, ctr3 = 0; + unsigned int ctr0, ctr1, ctr2, ctr3; ALIGN32_ARRAY_2D(uint8_t, 4, (GEN_MATRIX_NBLOCKS * XOF_BLOCKBYTES + 31) / 32 * 32) buf; __m256i f; keccakx4_state state; @@ -310,7 +310,7 @@ void PQCLEAN_KYBER768_AVX2_gen_matrix(polyvec *a, const uint8_t seed[32], int tr **************************************************/ void PQCLEAN_KYBER768_AVX2_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]) { - unsigned int i = 0; + unsigned int i; ALIGN32_ARRAY(uint8_t, 2 * KYBER_SYMBYTES) buf; const uint8_t *publicseed = buf.arr; const uint8_t *noiseseed = buf.arr + KYBER_SYMBYTES; @@ -363,7 +363,7 @@ void PQCLEAN_KYBER768_AVX2_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], const uint8_t m[KYBER_INDCPA_MSGBYTES], const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], const uint8_t coins[KYBER_SYMBYTES]) { - unsigned int i = 0; + unsigned int i; ALIGN32_ARRAY(uint8_t, KYBER_SYMBYTES) seed; polyvec sp, pkpv, ep, at[KYBER_K], bp; poly v, k, epp; 
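Review bot: In indcpa_keypair, `noiseseed` points into the same stack array as `publicseed`, so `buf` holds the secret noise seed next to the published one for the rest of the function, and nothing in the hunk marks it as sensitive; whether `buf` is cleared before return is outside the visible lines. Suggest a comment on the declaration, `/* buf: first KYBER_SYMBYTES are published in pk, the second KYBER_SYMBYTES are secret key material */`, and if the body does not already wipe `buf` and the noise polynomials derived from it, clearing them before return limits what a later stack disclosure can recover. The same consideration applies to `sp`, `ep` and `epp` in indcpa_enc, which presumably carry the encryption randomness. Both function bodies continue past the hunk.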
diff --git a/crypto_kem/kyber768/avx2/indcpa.h b/crypto_kem/kyber768/avx2/indcpa.h index 144c999b..345fc4cc 100644 --- a/crypto_kem/kyber768/avx2/indcpa.h +++ b/crypto_kem/kyber768/avx2/indcpa.h @@ -1,16 +1,20 @@ #ifndef PQCLEAN_KYBER768_AVX2_INDCPA_H #define PQCLEAN_KYBER768_AVX2_INDCPA_H - #include "params.h" #include "polyvec.h" #include void PQCLEAN_KYBER768_AVX2_gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed); +void PQCLEAN_KYBER768_AVX2_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], + uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); -void PQCLEAN_KYBER768_AVX2_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); +void PQCLEAN_KYBER768_AVX2_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], + const uint8_t m[KYBER_INDCPA_MSGBYTES], + const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], + const uint8_t coins[KYBER_SYMBYTES]); -void PQCLEAN_KYBER768_AVX2_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], const uint8_t m[KYBER_INDCPA_MSGBYTES], const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], const uint8_t coins[KYBER_SYMBYTES]); - -void PQCLEAN_KYBER768_AVX2_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES], const uint8_t c[KYBER_INDCPA_BYTES], const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); +void PQCLEAN_KYBER768_AVX2_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES], + const uint8_t c[KYBER_INDCPA_BYTES], + const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); #endif diff --git a/crypto_kem/kyber768/avx2/invntt.S b/crypto_kem/kyber768/avx2/invntt.S index e7344b38..ea0260f1 100644 --- a/crypto_kem/kyber768/avx2/invntt.S +++ b/crypto_kem/kyber768/avx2/invntt.S @@ -1,4 +1,4 @@ -#include "cdecl.inc" +#include "cdecl.h" .include "shuffle.inc" .include "fq.inc" @@ -210,7 +210,9 @@ vmovdqa %ymm7,224(%rdi) ret .global cdecl(PQCLEAN_KYBER768_AVX2_invntt_avx) +.global _cdecl(PQCLEAN_KYBER768_AVX2_invntt_avx) cdecl(PQCLEAN_KYBER768_AVX2_invntt_avx): +_cdecl(PQCLEAN_KYBER768_AVX2_invntt_avx): #consts vmovdqa _16XQ*2(%rsi),%ymm0 mov %rsi,%rdx 
diff --git a/crypto_kem/kyber768/avx2/kem.c b/crypto_kem/kyber768/avx2/kem.c index 10b3a615..cc8d6b6b 100644 --- a/crypto_kem/kyber768/avx2/kem.c +++ b/crypto_kem/kyber768/avx2/kem.c @@ -8,7 +8,6 @@ #include #include - /************************************************* * Name: PQCLEAN_KYBER768_AVX2_crypto_kem_keypair * @@ -23,7 +22,7 @@ * Returns 0 (success) **************************************************/ int PQCLEAN_KYBER768_AVX2_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) { - size_t i = 0; + size_t i; PQCLEAN_KYBER768_AVX2_indcpa_keypair(pk, sk); for (i = 0; i < KYBER_INDCPA_PUBLICKEYBYTES; i++) { sk[i + KYBER_INDCPA_SECRETKEYBYTES] = pk[i]; @@ -94,8 +93,8 @@ int PQCLEAN_KYBER768_AVX2_crypto_kem_enc(unsigned char *ct, int PQCLEAN_KYBER768_AVX2_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) { - size_t i = 0; - int fail = 0; + size_t i; + int fail; ALIGN32_ARRAY(uint8_t, 2 * KYBER_SYMBYTES) buf; /* Will contain key, coins */ ALIGN32_ARRAY(uint8_t, 2 * KYBER_SYMBYTES) kr; @@ -119,7 +118,7 @@ int PQCLEAN_KYBER768_AVX2_crypto_kem_dec(unsigned char *ss, hash_h(kr.arr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); /* Overwrite pre-k with z on re-encryption failure */ - PQCLEAN_KYBER768_AVX2_cmov(kr.arr, sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES, fail); + PQCLEAN_KYBER768_AVX2_cmov(kr.arr, sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES, (uint8_t)fail); /* hash concatenation of pre-k and H(c) to k */ kdf(ss, kr.arr, 2 * KYBER_SYMBYTES); diff --git a/crypto_kem/kyber768/avx2/kem.h b/crypto_kem/kyber768/avx2/kem.h index 2ba9873a..c1b69686 100644 --- a/crypto_kem/kyber768/avx2/kem.h +++ b/crypto_kem/kyber768/avx2/kem.h 
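Review bot: The new `(uint8_t)fail` cast in crypto_kem_dec silences a conversion warning, but the call is correct only because cmov requires its last argument to be exactly 0 or 1 and verify (per the header shown for the clean variant in this commit) returns exactly that; the cast would hide a future change that makes `fail` some other non-zero value, which cmov's `b = -b` turns into a partial mask and hence a mixed, attacker-distinguishable key. Pin the contract at the call site: `/* fail is exactly 0 or 1 from verify(); cmov expands it to a full byte mask, any other value is a bug */`. `fail` is now declared without an initializer, which is fine as long as the verify assignment (outside the hunk) remains unconditional.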
@@ -1,17 +1,14 @@ #ifndef PQCLEAN_KYBER768_AVX2_KEM_H #define PQCLEAN_KYBER768_AVX2_KEM_H - #include "params.h" int PQCLEAN_KYBER768_AVX2_crypto_kem_keypair(unsigned char *pk, unsigned char *sk); - int PQCLEAN_KYBER768_AVX2_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk); - int PQCLEAN_KYBER768_AVX2_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk); diff --git a/crypto_kem/kyber768/avx2/ntt.S b/crypto_kem/kyber768/avx2/ntt.S index eaf9355e..2665ab59 100644 --- a/crypto_kem/kyber768/avx2/ntt.S +++ b/crypto_kem/kyber768/avx2/ntt.S @@ -1,4 +1,4 @@ -#include "cdecl.inc" +#include "cdecl.h" .include "shuffle.inc" .include "fq.inc" @@ -203,7 +203,9 @@ vmovdqa %ymm11,224(%rdi) ret .global cdecl(PQCLEAN_KYBER768_AVX2_ntt_avx) +.global _cdecl(PQCLEAN_KYBER768_AVX2_ntt_avx) cdecl(PQCLEAN_KYBER768_AVX2_ntt_avx): +_cdecl(PQCLEAN_KYBER768_AVX2_ntt_avx): #consts vmovdqa _16XQ*2(%rsi),%ymm0 mov %rsi,%rdx diff --git a/crypto_kem/kyber768/avx2/ntt.h b/crypto_kem/kyber768/avx2/ntt.h index 206f3a4e..c0bfaa8f 100644 --- a/crypto_kem/kyber768/avx2/ntt.h +++ b/crypto_kem/kyber768/avx2/ntt.h 
@@ -1,28 +1,24 @@ -#ifndef NTT_H -#define NTT_H - +#ifndef PQCLEAN_KYBER768_AVX2_NTT_H +#define PQCLEAN_KYBER768_AVX2_NTT_H #include "consts.h" -#include "params.h" #include - void PQCLEAN_KYBER768_AVX2_ntt_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER768_AVX2_qdata); - void PQCLEAN_KYBER768_AVX2_invntt_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER768_AVX2_qdata); - -void nttpack_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER768_AVX2_qdata); - +void PQCLEAN_KYBER768_AVX2_nttpack_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER768_AVX2_qdata); void PQCLEAN_KYBER768_AVX2_nttunpack_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER768_AVX2_qdata); - -void PQCLEAN_KYBER768_AVX2_basemul_avx(int16_t *r, const int16_t *a, const int16_t *b, const qdata_t *PQCLEAN_KYBER768_AVX2_qdata); - -void PQCLEAN_KYBER768_AVX2_basemul_acc_avx(int16_t *r, const int16_t *a, const int16_t *b, const qdata_t *PQCLEAN_KYBER768_AVX2_qdata); - +void PQCLEAN_KYBER768_AVX2_basemul_avx(int16_t *r, + const int16_t *a, + const int16_t *b, + const qdata_t *PQCLEAN_KYBER768_AVX2_qdata); +void PQCLEAN_KYBER768_AVX2_basemul_acc_avx(int16_t *r, + const int16_t *a, + const int16_t *b, + const qdata_t *PQCLEAN_KYBER768_AVX2_qdata); void PQCLEAN_KYBER768_AVX2_ntttobytes_avx(uint8_t *r, const int16_t *a, const qdata_t *PQCLEAN_KYBER768_AVX2_qdata); - void PQCLEAN_KYBER768_AVX2_nttfrombytes_avx(int16_t *r, const uint8_t *a, const qdata_t *PQCLEAN_KYBER768_AVX2_qdata); #endif diff --git a/crypto_kem/kyber768/avx2/params.h b/crypto_kem/kyber768/avx2/params.h index 1eb4c5f9..b0ff9ab9 100644 --- a/crypto_kem/kyber768/avx2/params.h +++ b/crypto_kem/kyber768/avx2/params.h @@ -1,6 +1,9 @@ #ifndef PQCLEAN_KYBER768_AVX2_PARAMS_H #define PQCLEAN_KYBER768_AVX2_PARAMS_H + + + #define KYBER_N 256 #define KYBER_Q 3329 diff --git a/crypto_kem/kyber768/avx2/poly.c b/crypto_kem/kyber768/avx2/poly.c index eca0cf27..06cb40d0 100644 --- a/crypto_kem/kyber768/avx2/poly.c +++ b/crypto_kem/kyber768/avx2/poly.c 
@@ -19,7 +19,7 @@ * - poly *a: pointer to input polynomial **************************************************/ void PQCLEAN_KYBER768_AVX2_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], poly *restrict a) { - unsigned int i = 0, j = 0; + unsigned int i, j; uint8_t t[8]; PQCLEAN_KYBER768_AVX2_poly_csubq(a); @@ -49,7 +49,7 @@ void PQCLEAN_KYBER768_AVX2_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], p **************************************************/ void PQCLEAN_KYBER768_AVX2_poly_decompress(poly *restrict r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_N / 2; i++) { r->coeffs[2 * i + 0] = (((uint16_t)(a[0] & 15) * KYBER_Q) + 8) >> 4; @@ -101,7 +101,7 @@ void PQCLEAN_KYBER768_AVX2_poly_frommsg(poly *restrict r, const __m256i hqs = _mm256_set1_epi16((KYBER_Q + 1) / 2); #define FROMMSG64(i) \ - g3 = _mm256_shuffle_epi32(f,0x55*(i)); \ + g3 = _mm256_shuffle_epi32(f,0x55*(i)); \ g3 = _mm256_sllv_epi32(g3,shift); \ g3 = _mm256_shuffle_epi8(g3,idx); \ g0 = _mm256_slli_epi16(g3,12); \ @@ -123,9 +123,9 @@ void PQCLEAN_KYBER768_AVX2_poly_frommsg(poly *restrict r, g2 = _mm256_permute2x128_si256(h0,h1,0x31); \ g1 = _mm256_permute2x128_si256(h2,h3,0x20); \ g3 = _mm256_permute2x128_si256(h2,h3,0x31); \ - _mm256_store_si256((__m256i *)&r->coeffs[ 0+32*(i)+ 0],g0); \ - _mm256_store_si256((__m256i *)&r->coeffs[ 0+32*(i)+16],g1); \ - _mm256_store_si256((__m256i *)&r->coeffs[128+32*(i)+ 0],g2); \ + _mm256_store_si256((__m256i *)&r->coeffs[ 0+32*(i)+ 0],g0); \ + _mm256_store_si256((__m256i *)&r->coeffs[ 0+32*(i)+16],g1); \ + _mm256_store_si256((__m256i *)&r->coeffs[128+32*(i)+ 0],g2); \ _mm256_store_si256((__m256i *)&r->coeffs[128+32*(i)+16],g3) f = _mm256_load_si256((__m256i *)msg); 
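Review bot: The header comment above `PQCLEAN_KYBER768_AVX2_poly_compress` still describes `a` as `pointer to input polynomial`, but the first statement of the body, `PQCLEAN_KYBER768_AVX2_poly_csubq(a);`, rewrites the coefficients in place, which is also why the parameter is not `const`. The line should read `- poly *a: pointer to input polynomial (modified in place: reduced by poly_csubq)` so callers know the argument is not left untouched. The same mismatch is visible in the clean poly_compress, poly_tobytes and poly_tomsg hunks later in this diff, and in the avx2 and clean polyvec_compress hunks, which call polyvec_csubq on `a`.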
@@ -144,8 +144,8 @@ void PQCLEAN_KYBER768_AVX2_poly_frommsg(poly *restrict r, * - poly *a: pointer to input polynomial **************************************************/ void PQCLEAN_KYBER768_AVX2_poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], poly *restrict a) { - unsigned int i = 0; - uint32_t small = 0; + unsigned int i; + uint32_t small; __m256i f0, f1, g0, g1; const __m256i hqs = _mm256_set1_epi16((KYBER_Q - 1) / 2); const __m256i hhqs = _mm256_set1_epi16((KYBER_Q - 5) / 4); @@ -312,7 +312,7 @@ void PQCLEAN_KYBER768_AVX2_poly_csubq(poly *r) { * - const poly *b: pointer to second input polynomial **************************************************/ void PQCLEAN_KYBER768_AVX2_poly_add(poly *r, const poly *a, const poly *b) { - unsigned int i = 0; + unsigned int i; __m256i f0, f1; for (i = 0; i < KYBER_N; i += 16) { @@ -333,7 +333,7 @@ void PQCLEAN_KYBER768_AVX2_poly_add(poly *r, const poly *a, const poly *b) { * - const poly *b: pointer to second input polynomial **************************************************/ void PQCLEAN_KYBER768_AVX2_poly_sub(poly *r, const poly *a, const poly *b) { - unsigned int i = 0; + unsigned int i; __m256i f0, f1; for (i = 0; i < KYBER_N; i += 16) { diff --git a/crypto_kem/kyber768/avx2/poly.h b/crypto_kem/kyber768/avx2/poly.h index 6cce5615..8ab56448 100644 --- a/crypto_kem/kyber768/avx2/poly.h +++ b/crypto_kem/kyber768/avx2/poly.h @@ -1,6 +1,5 @@ #ifndef PQCLEAN_KYBER768_AVX2_POLY_H #define PQCLEAN_KYBER768_AVX2_POLY_H - #include "params.h" #include #include 
@@ -14,24 +13,16 @@ typedef union { int16_t coeffs[KYBER_N]; } poly; - void PQCLEAN_KYBER768_AVX2_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], poly *a); - void PQCLEAN_KYBER768_AVX2_poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]); - void PQCLEAN_KYBER768_AVX2_poly_tobytes(uint8_t r[KYBER_POLYBYTES], poly *a); - void PQCLEAN_KYBER768_AVX2_poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]); - void PQCLEAN_KYBER768_AVX2_poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]); - void PQCLEAN_KYBER768_AVX2_poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], poly *a); - void PQCLEAN_KYBER768_AVX2_poly_getnoise(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce); - void PQCLEAN_KYBER768_AVX2_poly_getnoise4x(poly *r0, poly *r1, poly *r2, @@ -42,25 +33,16 @@ void PQCLEAN_KYBER768_AVX2_poly_getnoise4x(poly *r0, uint8_t nonce2, uint8_t nonce3); - void PQCLEAN_KYBER768_AVX2_poly_ntt(poly *r); - void PQCLEAN_KYBER768_AVX2_poly_invntt_tomont(poly *r); - void PQCLEAN_KYBER768_AVX2_poly_nttunpack(poly *r); - void PQCLEAN_KYBER768_AVX2_poly_basemul_montgomery(poly *r, const poly *a, const poly *b); - void PQCLEAN_KYBER768_AVX2_poly_tomont(poly *r); - void PQCLEAN_KYBER768_AVX2_poly_reduce(poly *r); - void PQCLEAN_KYBER768_AVX2_poly_csubq(poly *r); - void PQCLEAN_KYBER768_AVX2_poly_add(poly *r, const poly *a, const poly *b); - void PQCLEAN_KYBER768_AVX2_poly_sub(poly *r, const poly *a, const poly *b); #endif diff --git a/crypto_kem/kyber768/avx2/polyvec.c b/crypto_kem/kyber768/avx2/polyvec.c index 6b83eba7..b63ca47a 100644 --- a/crypto_kem/kyber768/avx2/polyvec.c +++ b/crypto_kem/kyber768/avx2/polyvec.c @@ -1,6 +1,6 @@ -#include "params.h" #include "consts.h" #include "ntt.h" +#include "params.h" #include "poly.h" #include "polyvec.h" #include 
@@ -16,7 +16,7 @@ **************************************************/ void PQCLEAN_KYBER768_AVX2_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], polyvec *restrict a) { - unsigned int i = 0, j = 0, k = 0; + size_t i, j, k; PQCLEAN_KYBER768_AVX2_polyvec_csubq(a); @@ -24,10 +24,8 @@ void PQCLEAN_KYBER768_AVX2_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYT for (i = 0; i < KYBER_K; i++) { for (j = 0; j < KYBER_N / 4; j++) { for (k = 0; k < 4; k++) { - { - t[k] = ((((uint32_t)a->vec[i].coeffs[4 * j + k] << 10) + KYBER_Q / 2) - / KYBER_Q) & 0x3ff; - } + t[k] = ((((uint32_t)a->vec[i].coeffs[4 * j + k] << 10) + KYBER_Q / 2) + / KYBER_Q) & 0x3ff; } r[0] = (t[0] >> 0); @@ -52,7 +50,7 @@ void PQCLEAN_KYBER768_AVX2_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYT **************************************************/ void PQCLEAN_KYBER768_AVX2_polyvec_decompress(polyvec *restrict r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]) { - unsigned int i = 0, j = 0, k = 0; + size_t i, j, k; uint16_t t[4]; for (i = 0; i < KYBER_K; i++) { @@ -80,7 +78,7 @@ void PQCLEAN_KYBER768_AVX2_polyvec_decompress(polyvec *restrict r, * - polyvec *a: pointer to input vector of polynomials **************************************************/ void PQCLEAN_KYBER768_AVX2_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], polyvec *a) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER768_AVX2_poly_tobytes(r + i * KYBER_POLYBYTES, &a->vec[i]); } @@ -97,7 +95,7 @@ void PQCLEAN_KYBER768_AVX2_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], polyve * (of length KYBER_POLYVECBYTES) **************************************************/ void PQCLEAN_KYBER768_AVX2_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER768_AVX2_poly_frombytes(&r->vec[i], a + i * KYBER_POLYBYTES); } 
@@ -111,7 +109,7 @@ void PQCLEAN_KYBER768_AVX2_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_P * Arguments: - polyvec *r: pointer to in/output vector of polynomials **************************************************/ void PQCLEAN_KYBER768_AVX2_polyvec_ntt(polyvec *r) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER768_AVX2_poly_ntt(&r->vec[i]); } @@ -126,7 +124,7 @@ void PQCLEAN_KYBER768_AVX2_polyvec_ntt(polyvec *r) { * Arguments: - polyvec *r: pointer to in/output vector of polynomials **************************************************/ void PQCLEAN_KYBER768_AVX2_polyvec_invntt_tomont(polyvec *r) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER768_AVX2_poly_invntt_tomont(&r->vec[i]); } @@ -145,7 +143,7 @@ void PQCLEAN_KYBER768_AVX2_polyvec_invntt_tomont(polyvec *r) { void PQCLEAN_KYBER768_AVX2_polyvec_pointwise_acc_montgomery(poly *r, const polyvec *a, const polyvec *b) { - PQCLEAN_KYBER768_AVX2_basemul_acc_avx(r->coeffs, a->vec->coeffs, b->vec->coeffs, &PQCLEAN_KYBER768_AVX2_qdata); + PQCLEAN_KYBER768_AVX2_basemul_acc_avx(r->coeffs, a->vec->coeffs, b->vec->coeffs, & PQCLEAN_KYBER768_AVX2_qdata); } /************************************************* @@ -158,7 +156,7 @@ void PQCLEAN_KYBER768_AVX2_polyvec_pointwise_acc_montgomery(poly *r, * Arguments: - poly *r: pointer to input/output polynomial **************************************************/ void PQCLEAN_KYBER768_AVX2_polyvec_reduce(polyvec *r) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER768_AVX2_poly_reduce(&r->vec[i]); } @@ -175,7 +173,7 @@ void PQCLEAN_KYBER768_AVX2_polyvec_reduce(polyvec *r) { * Arguments: - poly *r: pointer to input/output polynomial **************************************************/ void PQCLEAN_KYBER768_AVX2_polyvec_csubq(polyvec *r) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER768_AVX2_poly_csubq(&r->vec[i]); } 
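Review bot: The reformatted call in `PQCLEAN_KYBER768_AVX2_polyvec_pointwise_acc_montgomery` now reads `& PQCLEAN_KYBER768_AVX2_qdata`, with a space between the address-of operator and its operand, which reads as a binary `&` at a glance; this looks like the formatter misclassifying the upper-case identifier as the right-hand side of a binary expression. Restore `&PQCLEAN_KYBER768_AVX2_qdata`, or exclude the line from the formatter if it insists. The call also passes `a->vec->coeffs` and `b->vec->coeffs`, i.e. the first polynomial of each vector, which presumably relies on `vec` being a contiguous array walked by `basemul_acc_avx`; a comment such as `/* vec[0].coeffs: basemul_acc_avx consumes all KYBER_K polys contiguously */` would make that layout dependency explicit — confirm against the assembly.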
@@ -191,7 +189,7 @@ void PQCLEAN_KYBER768_AVX2_polyvec_csubq(polyvec *r) { * - const polyvec *b: pointer to second input vector of polynomials **************************************************/ void PQCLEAN_KYBER768_AVX2_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER768_AVX2_poly_add(&r->vec[i], &a->vec[i], &b->vec[i]); } diff --git a/crypto_kem/kyber768/avx2/polyvec.h b/crypto_kem/kyber768/avx2/polyvec.h index 15b983d7..8bd8ef7f 100644 --- a/crypto_kem/kyber768/avx2/polyvec.h +++ b/crypto_kem/kyber768/avx2/polyvec.h @@ -1,6 +1,5 @@ #ifndef PQCLEAN_KYBER768_AVX2_POLYVEC_H #define PQCLEAN_KYBER768_AVX2_POLYVEC_H - #include "params.h" #include "poly.h" #include @@ -9,33 +8,23 @@ typedef struct { poly vec[KYBER_K]; } polyvec; - void PQCLEAN_KYBER768_AVX2_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], polyvec *a); - void PQCLEAN_KYBER768_AVX2_polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]); - void PQCLEAN_KYBER768_AVX2_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], polyvec *a); - void PQCLEAN_KYBER768_AVX2_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]); - void PQCLEAN_KYBER768_AVX2_polyvec_ntt(polyvec *r); - void PQCLEAN_KYBER768_AVX2_polyvec_invntt_tomont(polyvec *r); - void PQCLEAN_KYBER768_AVX2_polyvec_pointwise_acc_montgomery(poly *r, const polyvec *a, const polyvec *b); - void PQCLEAN_KYBER768_AVX2_polyvec_reduce(polyvec *r); - void PQCLEAN_KYBER768_AVX2_polyvec_csubq(polyvec *r); - void PQCLEAN_KYBER768_AVX2_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b); #endif diff --git a/crypto_kem/kyber768/avx2/reduce.h b/crypto_kem/kyber768/avx2/reduce.h index 1b9a96d9..1630ec28 100644 --- a/crypto_kem/kyber768/avx2/reduce.h +++ b/crypto_kem/kyber768/avx2/reduce.h 
@@ -1,16 +1,10 @@ -#ifndef REDUCE_H -#define REDUCE_H - +#ifndef PQCLEAN_KYBER768_AVX2_REDUCE_H +#define PQCLEAN_KYBER768_AVX2_REDUCE_H +#include "consts.h" #include -#include "consts.h" -#include "params.h" - - int16_t PQCLEAN_KYBER768_AVX2_reduce_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER768_AVX2_qdata); - int16_t PQCLEAN_KYBER768_AVX2_csubq_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER768_AVX2_qdata); - int16_t PQCLEAN_KYBER768_AVX2_tomont_avx(int16_t *r, const qdata_t *PQCLEAN_KYBER768_AVX2_qdata); #endif diff --git a/crypto_kem/kyber768/avx2/rejsample.c b/crypto_kem/kyber768/avx2/rejsample.c index dc112183..1475428a 100644 --- a/crypto_kem/kyber768/avx2/rejsample.c +++ b/crypto_kem/kyber768/avx2/rejsample.c @@ -2,6 +2,7 @@ #include "consts.h" #include "params.h" #include "rejsample.h" +#include #include static const ALIGN32_ARRAY_2D(uint8_t, 256, 8) idx = {.arr = { @@ -270,9 +271,9 @@ static const ALIGN32_ARRAY_2D(uint8_t, 256, 8) idx = {.arr = { #define REJ_UNIFORM_BUFLEN 672 unsigned int PQCLEAN_KYBER768_AVX2_rej_uniform_avx(int16_t *restrict r, const uint8_t *restrict buf) { - unsigned int ctr = 0, pos = 0; - uint16_t val = 0; - uint32_t good = 0; + unsigned int ctr, pos; + uint16_t val; + uint32_t good; const __m256i bound = _mm256_set1_epi16((int16_t)(19 * KYBER_Q - 1)); const __m256i ones = _mm256_set1_epi8(1); const __m256i kyberq = _mm256_load_si256((__m256i *)&PQCLEAN_KYBER768_AVX2_qdata.as_arr[_16XQ]); @@ -297,7 +298,7 @@ unsigned int PQCLEAN_KYBER768_AVX2_rej_uniform_avx(int16_t *restrict r, g1 = _mm256_inserti128_si256(g1, _mm_loadl_epi64((__m128i *)&idx.arr[(good >> 24) & 0xFF]), 1); //g0 = _mm256_cvtepu8_epi64(_mm_loadl_epi64((__m128i *)&good)); - //g1 = _mm256_i64gather_epi64((long long *)idx, g0, 8); + //g1 = _mm256_i64gather_epi64((long long *)idx.arr, g0, 8); /* Barrett reduction of (still unsigned) values */ g2 = _mm256_mulhi_epu16(f0, v); 
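Review bot: The rejsample.c hunk edits a commented-out statement, `//g1 = _mm256_i64gather_epi64((long long *)idx.arr, g0, 8);`, so dead code is now being maintained next to the live `_mm256_inserti128_si256` path; either delete both commented-out lines (the `//g0 = ...` one too) or turn them into an explanatory comment, `/* alternative gather-based index load, kept for reference only */`, rather than executable-looking code. Separately, `ctr`, `pos`, `val` and `good` lose their `= 0` initializers in `PQCLEAN_KYBER768_AVX2_rej_uniform_avx` while the assignments that replace them are not in this hunk; the body continues past it, so the first use of each needs to be checked to be a write.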
diff --git a/crypto_kem/kyber768/avx2/rejsample.h b/crypto_kem/kyber768/avx2/rejsample.h index b92b5035..bb11cb83 100644 --- a/crypto_kem/kyber768/avx2/rejsample.h +++ b/crypto_kem/kyber768/avx2/rejsample.h @@ -1,10 +1,8 @@ -#ifndef REJSAMPLE_H -#define REJSAMPLE_H - +#ifndef PQCLEAN_KYBER768_AVX2_REJSAMPLE_H +#define PQCLEAN_KYBER768_AVX2_REJSAMPLE_H #include "params.h" #include - unsigned int PQCLEAN_KYBER768_AVX2_rej_uniform_avx(int16_t *r, const unsigned char *buf); diff --git a/crypto_kem/kyber768/avx2/shuffle.S b/crypto_kem/kyber768/avx2/shuffle.S index 34d3b980..f06a8c6a 100644 --- a/crypto_kem/kyber768/avx2/shuffle.S +++ b/crypto_kem/kyber768/avx2/shuffle.S @@ -1,4 +1,4 @@ -#include "cdecl.inc" +#include "cdecl.h" .include "fq.inc" .include "shuffle.inc" @@ -92,7 +92,9 @@ vmovdqa %ymm11,224(%rdi) ret .global cdecl(PQCLEAN_KYBER768_AVX2_nttunpack_avx) +.global _cdecl(PQCLEAN_KYBER768_AVX2_nttunpack_avx) cdecl(PQCLEAN_KYBER768_AVX2_nttunpack_avx): +_cdecl(PQCLEAN_KYBER768_AVX2_nttunpack_avx): call nttunpack128_avx add $256,%rdi call nttunpack128_avx @@ -169,7 +171,9 @@ vmovdqu %ymm9,160(%rdi) ret .global cdecl(PQCLEAN_KYBER768_AVX2_ntttobytes_avx) +.global _cdecl(PQCLEAN_KYBER768_AVX2_ntttobytes_avx) cdecl(PQCLEAN_KYBER768_AVX2_ntttobytes_avx): +_cdecl(PQCLEAN_KYBER768_AVX2_ntttobytes_avx): #consts vmovdqa _16XQ*2(%rdx),%ymm0 call ntttobytes128_avx @@ -245,7 +249,9 @@ vmovdqa %ymm1,224(%rdi) ret .global cdecl(PQCLEAN_KYBER768_AVX2_nttfrombytes_avx) +.global _cdecl(PQCLEAN_KYBER768_AVX2_nttfrombytes_avx) cdecl(PQCLEAN_KYBER768_AVX2_nttfrombytes_avx): +_cdecl(PQCLEAN_KYBER768_AVX2_nttfrombytes_avx): #consts vmovdqa _16XMASK*2(%rdx),%ymm0 call nttfrombytes128_avx diff --git a/crypto_kem/kyber768/avx2/symmetric-shake.c b/crypto_kem/kyber768/avx2/symmetric-shake.c index bc980363..a953b40b 100644 --- a/crypto_kem/kyber768/avx2/symmetric-shake.c +++ b/crypto_kem/kyber768/avx2/symmetric-shake.c 
@@ -9,8 +9,8 @@ * * Description: Absorb step of the SHAKE128 specialized for the Kyber context. * -* Arguments: - keccak_state *state: pointer to (uninitialized) output -* Keccak state +* Arguments: - xof_state *state: pointer to (uninitialized) output +* Keccak state * - const uint8_t *seed: pointer to KYBER_SYMBYTES input * to be absorbed into state * - uint8_t i additional byte of input @@ -20,7 +20,7 @@ void PQCLEAN_KYBER768_AVX2_kyber_shake128_absorb(xof_state *state, const uint8_t seed[KYBER_SYMBYTES], uint8_t x, uint8_t y) { - unsigned int i = 0; + unsigned int i; uint8_t extseed[KYBER_SYMBYTES + 2]; for (i = 0; i < KYBER_SYMBYTES; i++) { @@ -48,7 +48,7 @@ void PQCLEAN_KYBER768_AVX2_kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYMBYTES], uint8_t nonce) { - unsigned int i = 0; + unsigned int i; uint8_t extkey[KYBER_SYMBYTES + 1]; for (i = 0; i < KYBER_SYMBYTES; i++) { diff --git a/crypto_kem/kyber768/avx2/symmetric.h b/crypto_kem/kyber768/avx2/symmetric.h index 6b4816dd..bd4a6e36 100644 --- a/crypto_kem/kyber768/avx2/symmetric.h +++ b/crypto_kem/kyber768/avx2/symmetric.h @@ -1,17 +1,16 @@ -#ifndef SYMMETRIC_H -#define SYMMETRIC_H - +#ifndef PQCLEAN_KYBER768_AVX2_SYMMETRIC_H +#define PQCLEAN_KYBER768_AVX2_SYMMETRIC_H +#include "fips202.h" +#include "fips202x4.h" #include "params.h" #include #include -#include "fips202.h" -#include "fips202x4.h" typedef shake128ctx xof_state; -void PQCLEAN_KYBER768_AVX2_kyber_shake128_absorb(shake128ctx *s, +void PQCLEAN_KYBER768_AVX2_kyber_shake128_absorb(xof_state *s, const uint8_t seed[KYBER_SYMBYTES], uint8_t x, uint8_t y); diff --git a/crypto_kem/kyber768/avx2/verify.c b/crypto_kem/kyber768/avx2/verify.c index de7be324..ab36495a 100644 --- a/crypto_kem/kyber768/avx2/verify.c +++ b/crypto_kem/kyber768/avx2/verify.c 
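Review bot: The argument list in the header comment of `PQCLEAN_KYBER768_AVX2_kyber_shake128_absorb` is updated for `xof_state` but still documents `- uint8_t i additional byte of input`, while the signature takes `uint8_t x, uint8_t y`; the comment should list both, e.g. `- uint8_t x: first extra byte appended to the seed` and `- uint8_t y: second extra byte appended to the seed`. The visible loop copies the seed into `extseed[KYBER_SYMBYTES + 2]`, which is presumably where x and y are placed before absorbing; that part of the body is outside the hunk. The same `i` wording should be checked in the clean symmetric-shake.c, which is not in this chunk.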
@@ -15,8 +15,8 @@ * Returns 0 if the byte arrays are equal, 1 otherwise **************************************************/ int PQCLEAN_KYBER768_AVX2_verify(const uint8_t *a, const uint8_t *b, size_t len) { - size_t pos = 0; - uint64_t r = 0; + size_t pos; + uint64_t r; __m256i avec, bvec, cvec; cvec = _mm256_setzero_si256(); @@ -53,7 +53,7 @@ int PQCLEAN_KYBER768_AVX2_verify(const uint8_t *a, const uint8_t *b, size_t len) * unsigned char b: Condition bit; has to be in {0,1} **************************************************/ void PQCLEAN_KYBER768_AVX2_cmov(uint8_t *restrict r, const uint8_t *restrict x, size_t len, uint8_t b) { - size_t pos = 0; + size_t pos; __m256i xvec, rvec, bvec; b = -b; diff --git a/crypto_kem/kyber768/avx2/verify.h b/crypto_kem/kyber768/avx2/verify.h index 54c986d1..82626691 100644 --- a/crypto_kem/kyber768/avx2/verify.h +++ b/crypto_kem/kyber768/avx2/verify.h @@ -1,14 +1,11 @@ #ifndef PQCLEAN_KYBER768_AVX2_VERIFY_H #define PQCLEAN_KYBER768_AVX2_VERIFY_H - #include "params.h" #include #include - int PQCLEAN_KYBER768_AVX2_verify(const uint8_t *a, const uint8_t *b, size_t len); - void PQCLEAN_KYBER768_AVX2_cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b); #endif diff --git a/crypto_kem/kyber768/clean/Makefile b/crypto_kem/kyber768/clean/Makefile index f8c1c5db..ee39a943 100644 --- a/crypto_kem/kyber768/clean/Makefile +++ b/crypto_kem/kyber768/clean/Makefile 
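Review bot: Dropping the initializer on `r` in `PQCLEAN_KYBER768_AVX2_verify` is only safe if every path assigns `r` before the final return; the rest of the function is outside this hunk, so confirm the tail handling does not leave `r` unassigned when `len` is a multiple of 32 or when `len == 0`. A read of an uninitialized `r` would be undefined behaviour in the constant-time comparison that decides whether decapsulation succeeded, which is exactly where silent miscompilation would hurt. The same class of change is made to `int fail;` in the clean `crypto_kem_dec` hunk further down, whose later use is likewise outside the hunk.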
@@ -1,8 +1,8 @@ # This Makefile can be used with GNU Make or BSD Make LIB=libkyber768_clean.a -HEADERS=api.h cbd.h indcpa.h kem.h ntt.h params.h poly.h polyvec.h reduce.h verify.h symmetric.h -OBJECTS=cbd.o indcpa.o kem.o ntt.o poly.o polyvec.o reduce.o verify.o symmetric-shake.o +HEADERS=api.h cbd.h indcpa.h kem.h ntt.h params.h poly.h polyvec.h reduce.h symmetric.h verify.h +OBJECTS=cbd.o indcpa.o kem.o ntt.o poly.o polyvec.o reduce.o symmetric-shake.o verify.o CFLAGS=-O3 -Wall -Wextra -Wpedantic -Werror -Wmissing-prototypes -Wredundant-decls -std=c99 -I../../../common $(EXTRAFLAGS) diff --git a/crypto_kem/kyber768/clean/Makefile.Microsoft_nmake b/crypto_kem/kyber768/clean/Makefile.Microsoft_nmake index 394bc4cf..a3c7523e 100644 --- a/crypto_kem/kyber768/clean/Makefile.Microsoft_nmake +++ b/crypto_kem/kyber768/clean/Makefile.Microsoft_nmake @@ -2,7 +2,7 @@ # nmake /f Makefile.Microsoft_nmake LIBRARY=libkyber768_clean.lib -OBJECTS=cbd.obj indcpa.obj kem.obj ntt.obj poly.obj polyvec.obj reduce.obj verify.obj symmetric-shake.obj +OBJECTS=cbd.obj indcpa.obj kem.obj ntt.obj poly.obj polyvec.obj reduce.obj symmetric-shake.obj verify.obj # Warning C4146 is raised when a unary minus operator is applied to an # unsigned type; this has nonetheless been standard and portable for as diff --git a/crypto_kem/kyber768/clean/api.h b/crypto_kem/kyber768/clean/api.h index 84a7e08e..b393607e 100644 --- a/crypto_kem/kyber768/clean/api.h +++ b/crypto_kem/kyber768/clean/api.h @@ -15,5 +15,4 @@ int PQCLEAN_KYBER768_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_ int PQCLEAN_KYBER768_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - #endif diff --git a/crypto_kem/kyber768/clean/cbd.c b/crypto_kem/kyber768/clean/cbd.c index 90e20195..22100fa0 100644 --- a/crypto_kem/kyber768/clean/cbd.c +++ b/crypto_kem/kyber768/clean/cbd.c 
@@ -1,5 +1,5 @@ -#include "params.h" #include "cbd.h" +#include "params.h" #include /************************************************* @@ -13,7 +13,7 @@ * Returns 32-bit unsigned integer loaded from x **************************************************/ static uint32_t load32_littleendian(const uint8_t x[4]) { - uint32_t r = 0; + uint32_t r; r = (uint32_t)x[0]; r |= (uint32_t)x[1] << 8; r |= (uint32_t)x[2] << 16; @@ -32,9 +32,9 @@ static uint32_t load32_littleendian(const uint8_t x[4]) { * - const uint8_t *buf: pointer to input byte array **************************************************/ void PQCLEAN_KYBER768_CLEAN_cbd(poly *r, const uint8_t buf[KYBER_ETA * KYBER_N / 4]) { - unsigned int i = 0, j = 0; - uint32_t t = 0, d = 0; - int16_t a = 0, b = 0; + unsigned int i, j; + uint32_t t, d; + int16_t a, b; for (i = 0; i < KYBER_N / 8; i++) { t = load32_littleendian(buf + 4 * i); diff --git a/crypto_kem/kyber768/clean/cbd.h b/crypto_kem/kyber768/clean/cbd.h index 26818803..7e59c9c8 100644 --- a/crypto_kem/kyber768/clean/cbd.h +++ b/crypto_kem/kyber768/clean/cbd.h @@ -1,11 +1,9 @@ #ifndef PQCLEAN_KYBER768_CLEAN_CBD_H #define PQCLEAN_KYBER768_CLEAN_CBD_H - #include "params.h" #include "poly.h" #include - void PQCLEAN_KYBER768_CLEAN_cbd(poly *r, const uint8_t buf[KYBER_ETA * KYBER_N / 4]); #endif diff --git a/crypto_kem/kyber768/clean/indcpa.c b/crypto_kem/kyber768/clean/indcpa.c index bd6e0d8b..f111358f 100644 --- a/crypto_kem/kyber768/clean/indcpa.c +++ b/crypto_kem/kyber768/clean/indcpa.c @@ -22,7 +22,7 @@ static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES], polyvec *pk, const uint8_t seed[KYBER_SYMBYTES]) { - size_t i = 0; + size_t i; PQCLEAN_KYBER768_CLEAN_polyvec_tobytes(r, pk); for (i = 0; i < KYBER_SYMBYTES; i++) { r[i + KYBER_POLYVECBYTES] = seed[i]; 
@@ -44,7 +44,7 @@ static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES], static void unpack_pk(polyvec *pk, uint8_t seed[KYBER_SYMBYTES], const uint8_t packedpk[KYBER_INDCPA_PUBLICKEYBYTES]) { - size_t i = 0; + size_t i; PQCLEAN_KYBER768_CLEAN_polyvec_frombytes(pk, packedpk); for (i = 0; i < KYBER_SYMBYTES; i++) { seed[i] = packedpk[i + KYBER_POLYVECBYTES]; @@ -132,8 +132,8 @@ static unsigned int rej_uniform(int16_t *r, unsigned int len, const uint8_t *buf, unsigned int buflen) { - unsigned int ctr = 0, pos = 0; - uint16_t val = 0; + unsigned int ctr, pos; + uint16_t val; ctr = pos = 0; while (ctr < len && pos + 2 <= buflen) { @@ -169,8 +169,7 @@ static unsigned int rej_uniform(int16_t *r, + XOF_BLOCKBYTES)/XOF_BLOCKBYTES) // Not static for benchmarking void PQCLEAN_KYBER768_CLEAN_gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed) { - unsigned int ctr = 0; - uint8_t i = 0, j = 0; + unsigned int ctr, i, j; uint8_t buf[GEN_MATRIX_NBLOCKS * XOF_BLOCKBYTES]; xof_state state; @@ -208,7 +207,7 @@ void PQCLEAN_KYBER768_CLEAN_gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMB **************************************************/ void PQCLEAN_KYBER768_CLEAN_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]) { - unsigned int i = 0; + unsigned int i; uint8_t buf[2 * KYBER_SYMBYTES]; const uint8_t *publicseed = buf; const uint8_t *noiseseed = buf + KYBER_SYMBYTES; @@ -264,7 +263,7 @@ void PQCLEAN_KYBER768_CLEAN_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], const uint8_t m[KYBER_INDCPA_MSGBYTES], const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], const uint8_t coins[KYBER_SYMBYTES]) { - unsigned int i = 0; + unsigned int i; uint8_t seed[KYBER_SYMBYTES]; uint8_t nonce = 0; polyvec sp, pkpv, ep, at[KYBER_K], bp; diff --git a/crypto_kem/kyber768/clean/indcpa.h b/crypto_kem/kyber768/clean/indcpa.h index e07ba93f..c1d7aa16 100644 --- a/crypto_kem/kyber768/clean/indcpa.h +++ b/crypto_kem/kyber768/clean/indcpa.h 
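Review bot: In `PQCLEAN_KYBER768_CLEAN_gen_matrix` the loop indices `i` and `j` change from `uint8_t` to `unsigned int`, so the places where they are passed as the two `uint8_t` nonce bytes to the XOF absorb call (outside this hunk; the absorb prototype in symmetric.h takes `uint8_t x, uint8_t y`) now rely on an implicit narrowing conversion. It is harmless for KYBER_K-bounded values but hides the intent and would trip a `-Wconversion` build; an explicit `(uint8_t)i, (uint8_t)j` at the call site, or keeping `i` and `j` as `uint8_t`, documents that the bytes are deliberately one octet each. The body of gen_matrix continues past this hunk.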
@@ -1,16 +1,20 @@ #ifndef PQCLEAN_KYBER768_CLEAN_INDCPA_H #define PQCLEAN_KYBER768_CLEAN_INDCPA_H - #include "params.h" #include "polyvec.h" #include void PQCLEAN_KYBER768_CLEAN_gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed); +void PQCLEAN_KYBER768_CLEAN_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], + uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); -void PQCLEAN_KYBER768_CLEAN_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); +void PQCLEAN_KYBER768_CLEAN_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], + const uint8_t m[KYBER_INDCPA_MSGBYTES], + const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], + const uint8_t coins[KYBER_SYMBYTES]); -void PQCLEAN_KYBER768_CLEAN_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], const uint8_t m[KYBER_INDCPA_MSGBYTES], const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], const uint8_t coins[KYBER_SYMBYTES]); - -void PQCLEAN_KYBER768_CLEAN_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES], const uint8_t c[KYBER_INDCPA_BYTES], const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); +void PQCLEAN_KYBER768_CLEAN_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES], + const uint8_t c[KYBER_INDCPA_BYTES], + const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); #endif diff --git a/crypto_kem/kyber768/clean/kem.c b/crypto_kem/kyber768/clean/kem.c index 3cd08c61..eb652689 100644 --- a/crypto_kem/kyber768/clean/kem.c +++ b/crypto_kem/kyber768/clean/kem.c @@ -21,7 +21,7 @@ * Returns 0 (success) **************************************************/ int PQCLEAN_KYBER768_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) { - size_t i = 0; + size_t i; PQCLEAN_KYBER768_CLEAN_indcpa_keypair(pk, sk); for (i = 0; i < KYBER_INDCPA_PUBLICKEYBYTES; i++) { sk[i + KYBER_INDCPA_SECRETKEYBYTES] = pk[i]; 
@@ -92,8 +92,8 @@ int PQCLEAN_KYBER768_CLEAN_crypto_kem_enc(unsigned char *ct, int PQCLEAN_KYBER768_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) { - size_t i = 0; - int fail = 0; + size_t i; + int fail; uint8_t buf[2 * KYBER_SYMBYTES]; /* Will contain key, coins */ uint8_t kr[2 * KYBER_SYMBYTES]; diff --git a/crypto_kem/kyber768/clean/kem.h b/crypto_kem/kyber768/clean/kem.h index 75c79892..42a8f97e 100644 --- a/crypto_kem/kyber768/clean/kem.h +++ b/crypto_kem/kyber768/clean/kem.h @@ -1,17 +1,14 @@ #ifndef PQCLEAN_KYBER768_CLEAN_KEM_H #define PQCLEAN_KYBER768_CLEAN_KEM_H - #include "params.h" int PQCLEAN_KYBER768_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk); - int PQCLEAN_KYBER768_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk); - int PQCLEAN_KYBER768_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk); diff --git a/crypto_kem/kyber768/clean/ntt.c b/crypto_kem/kyber768/clean/ntt.c index f9b44a29..06862578 100644 --- a/crypto_kem/kyber768/clean/ntt.c +++ b/crypto_kem/kyber768/clean/ntt.c @@ -1,5 +1,5 @@ -#include "params.h" #include "ntt.h" +#include "params.h" #include "reduce.h" #include @@ -89,8 +89,8 @@ static int16_t fqmul(int16_t a, int16_t b) { * of Zq **************************************************/ void PQCLEAN_KYBER768_CLEAN_ntt(int16_t r[256]) { - unsigned int len = 0, start = 0, j = 0, k = 0; - int16_t t = 0, zeta = 0; + unsigned int len, start, j, k; + int16_t t, zeta; k = 1; for (len = 128; len >= 2; len >>= 1) { @@ -116,8 +116,8 @@ void PQCLEAN_KYBER768_CLEAN_ntt(int16_t r[256]) { * of Zq **************************************************/ void PQCLEAN_KYBER768_CLEAN_invntt(int16_t r[256]) { - unsigned int start = 0, len = 0, j = 0, k = 0; - int16_t t = 0, zeta = 0; + unsigned int start, len, j, k; + int16_t t, zeta; k = 0; for (len = 2; len <= 128; len <<= 1) { 
@@ -148,7 +148,10 @@ void PQCLEAN_KYBER768_CLEAN_invntt(int16_t r[256]) { * - const int16_t b[2]: pointer to the second factor * - int16_t zeta: integer defining the reduction polynomial **************************************************/ -void PQCLEAN_KYBER768_CLEAN_basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], int16_t zeta) { +void PQCLEAN_KYBER768_CLEAN_basemul(int16_t r[2], + const int16_t a[2], + const int16_t b[2], + int16_t zeta) { r[0] = fqmul(a[1], b[1]); r[0] = fqmul(r[0], zeta); r[0] += fqmul(a[0], b[0]); diff --git a/crypto_kem/kyber768/clean/ntt.h b/crypto_kem/kyber768/clean/ntt.h index d3ca297c..4097a791 100644 --- a/crypto_kem/kyber768/clean/ntt.h +++ b/crypto_kem/kyber768/clean/ntt.h @@ -1,22 +1,19 @@ #ifndef PQCLEAN_KYBER768_CLEAN_NTT_H #define PQCLEAN_KYBER768_CLEAN_NTT_H - #include "params.h" #include - extern const int16_t PQCLEAN_KYBER768_CLEAN_zetas[128]; - extern const int16_t PQCLEAN_KYBER768_CLEAN_zetas_inv[128]; - void PQCLEAN_KYBER768_CLEAN_ntt(int16_t r[256]); - void PQCLEAN_KYBER768_CLEAN_invntt(int16_t r[256]); - -void PQCLEAN_KYBER768_CLEAN_basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], int16_t zeta); +void PQCLEAN_KYBER768_CLEAN_basemul(int16_t r[2], + const int16_t a[2], + const int16_t b[2], + int16_t zeta); #endif diff --git a/crypto_kem/kyber768/clean/params.h b/crypto_kem/kyber768/clean/params.h index 81873d6e..c711c62d 100644 --- a/crypto_kem/kyber768/clean/params.h +++ b/crypto_kem/kyber768/clean/params.h @@ -1,6 +1,9 @@ #ifndef PQCLEAN_KYBER768_CLEAN_PARAMS_H #define PQCLEAN_KYBER768_CLEAN_PARAMS_H + + + #define KYBER_N 256 #define KYBER_Q 3329 diff --git a/crypto_kem/kyber768/clean/poly.c b/crypto_kem/kyber768/clean/poly.c index 68d1c305..3fe4f680 100644 --- a/crypto_kem/kyber768/clean/poly.c +++ b/crypto_kem/kyber768/clean/poly.c @@ -1,6 +1,6 @@ -#include "params.h" #include "cbd.h" #include "ntt.h" +#include "params.h" #include "poly.h" #include "reduce.h" #include "symmetric.h" 
@@ -16,7 +16,7 @@ * - poly *a: pointer to input polynomial **************************************************/ void PQCLEAN_KYBER768_CLEAN_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], poly *a) { - unsigned int i = 0, j = 0; + size_t i, j; uint8_t t[8]; PQCLEAN_KYBER768_CLEAN_poly_csubq(a); @@ -45,7 +45,7 @@ void PQCLEAN_KYBER768_CLEAN_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], * (of length KYBER_POLYCOMPRESSEDBYTES bytes) **************************************************/ void PQCLEAN_KYBER768_CLEAN_poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_N / 2; i++) { r->coeffs[2 * i + 0] = (((uint16_t)(a[0] & 15) * KYBER_Q) + 8) >> 4; @@ -64,8 +64,8 @@ void PQCLEAN_KYBER768_CLEAN_poly_decompress(poly *r, const uint8_t a[KYBER_POLYC * - poly *a: pointer to input polynomial **************************************************/ void PQCLEAN_KYBER768_CLEAN_poly_tobytes(uint8_t r[KYBER_POLYBYTES], poly *a) { - unsigned int i = 0; - uint16_t t0 = 0, t1 = 0; + size_t i; + uint16_t t0, t1; PQCLEAN_KYBER768_CLEAN_poly_csubq(a); @@ -89,7 +89,7 @@ void PQCLEAN_KYBER768_CLEAN_poly_tobytes(uint8_t r[KYBER_POLYBYTES], poly *a) { * (of KYBER_POLYBYTES bytes) **************************************************/ void PQCLEAN_KYBER768_CLEAN_poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_N / 2; i++) { r->coeffs[2 * i] = ((a[3 * i + 0] >> 0) | ((uint16_t)a[3 * i + 1] << 8)) & 0xFFF; r->coeffs[2 * i + 1] = ((a[3 * i + 1] >> 4) | ((uint16_t)a[3 * i + 2] << 4)) & 0xFFF; 
@@ -105,8 +105,8 @@ void PQCLEAN_KYBER768_CLEAN_poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBY * - const uint8_t *msg: pointer to input message **************************************************/ void PQCLEAN_KYBER768_CLEAN_poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]) { - unsigned int i = 0, j = 0; - int16_t mask = 0; + size_t i, j; + int16_t mask; for (i = 0; i < KYBER_N / 8; i++) { for (j = 0; j < 8; j++) { @@ -125,8 +125,8 @@ void PQCLEAN_KYBER768_CLEAN_poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA * - poly *a: pointer to input polynomial **************************************************/ void PQCLEAN_KYBER768_CLEAN_poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], poly *a) { - unsigned int i = 0, j = 0; - uint16_t t = 0; + size_t i, j; + uint16_t t; PQCLEAN_KYBER768_CLEAN_poly_csubq(a); @@ -194,7 +194,7 @@ void PQCLEAN_KYBER768_CLEAN_poly_invntt_tomont(poly *r) { * - const poly *b: pointer to second input polynomial **************************************************/ void PQCLEAN_KYBER768_CLEAN_poly_basemul_montgomery(poly *r, const poly *a, const poly *b) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_N / 4; i++) { PQCLEAN_KYBER768_CLEAN_basemul(&r->coeffs[4 * i], &a->coeffs[4 * i], &b->coeffs[4 * i], PQCLEAN_KYBER768_CLEAN_zetas[64 + i]); PQCLEAN_KYBER768_CLEAN_basemul(&r->coeffs[4 * i + 2], &a->coeffs[4 * i + 2], &b->coeffs[4 * i + 2], @@ -211,7 +211,7 @@ void PQCLEAN_KYBER768_CLEAN_poly_basemul_montgomery(poly *r, const poly *a, cons * Arguments: - poly *r: pointer to input/output polynomial **************************************************/ void PQCLEAN_KYBER768_CLEAN_poly_tomont(poly *r) { - unsigned int i = 0; + size_t i; const int16_t f = (1ULL << 32) % KYBER_Q; for (i = 0; i < KYBER_N; i++) { r->coeffs[i] = PQCLEAN_KYBER768_CLEAN_montgomery_reduce((int32_t)r->coeffs[i] * f); 
@@ -227,7 +227,7 @@ void PQCLEAN_KYBER768_CLEAN_poly_tomont(poly *r) { * Arguments: - poly *r: pointer to input/output polynomial **************************************************/ void PQCLEAN_KYBER768_CLEAN_poly_reduce(poly *r) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_N; i++) { r->coeffs[i] = PQCLEAN_KYBER768_CLEAN_barrett_reduce(r->coeffs[i]); } @@ -243,7 +243,7 @@ void PQCLEAN_KYBER768_CLEAN_poly_reduce(poly *r) { * Arguments: - poly *r: pointer to input/output polynomial **************************************************/ void PQCLEAN_KYBER768_CLEAN_poly_csubq(poly *r) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_N; i++) { r->coeffs[i] = PQCLEAN_KYBER768_CLEAN_csubq(r->coeffs[i]); } @@ -259,7 +259,7 @@ void PQCLEAN_KYBER768_CLEAN_poly_csubq(poly *r) { * - const poly *b: pointer to second input polynomial **************************************************/ void PQCLEAN_KYBER768_CLEAN_poly_add(poly *r, const poly *a, const poly *b) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_N; i++) { r->coeffs[i] = a->coeffs[i] + b->coeffs[i]; } @@ -275,7 +275,7 @@ void PQCLEAN_KYBER768_CLEAN_poly_add(poly *r, const poly *a, const poly *b) { * - const poly *b: pointer to second input polynomial **************************************************/ void PQCLEAN_KYBER768_CLEAN_poly_sub(poly *r, const poly *a, const poly *b) { - unsigned int i = 0; + size_t i; for (i = 0; i < KYBER_N; i++) { r->coeffs[i] = a->coeffs[i] - b->coeffs[i]; } diff --git a/crypto_kem/kyber768/clean/poly.h b/crypto_kem/kyber768/clean/poly.h index 350bc8de..a592a742 100644 --- a/crypto_kem/kyber768/clean/poly.h +++ b/crypto_kem/kyber768/clean/poly.h @@ -1,6 +1,5 @@ #ifndef PQCLEAN_KYBER768_CLEAN_POLY_H #define PQCLEAN_KYBER768_CLEAN_POLY_H - #include "params.h" #include 
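Review bot: poly_add computes `r->coeffs[i] = a->coeffs[i] + b->coeffs[i];` with no reduction, so the `int16_t` store silently truncates (implementation-defined) whenever the inputs are not small enough for their sum to fit; the contract that callers keep operands reduced lives only in their heads. A comment on the function makes that precondition visible: `/* No reduction: caller must ensure a + b fits in int16_t (e.g. both Barrett-reduced). */`. The same applies verbatim to poly_sub just below it.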
@@ -12,41 +11,26 @@ typedef struct { int16_t coeffs[KYBER_N]; } poly; - void PQCLEAN_KYBER768_CLEAN_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], poly *a); - void PQCLEAN_KYBER768_CLEAN_poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]); - void PQCLEAN_KYBER768_CLEAN_poly_tobytes(uint8_t r[KYBER_POLYBYTES], poly *a); - void PQCLEAN_KYBER768_CLEAN_poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]); - void PQCLEAN_KYBER768_CLEAN_poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]); - void PQCLEAN_KYBER768_CLEAN_poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], poly *a); - void PQCLEAN_KYBER768_CLEAN_poly_getnoise(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce); - void PQCLEAN_KYBER768_CLEAN_poly_ntt(poly *r); - void PQCLEAN_KYBER768_CLEAN_poly_invntt_tomont(poly *r); - void PQCLEAN_KYBER768_CLEAN_poly_basemul_montgomery(poly *r, const poly *a, const poly *b); - void PQCLEAN_KYBER768_CLEAN_poly_tomont(poly *r); - void PQCLEAN_KYBER768_CLEAN_poly_reduce(poly *r); - void PQCLEAN_KYBER768_CLEAN_poly_csubq(poly *r); - void PQCLEAN_KYBER768_CLEAN_poly_add(poly *r, const poly *a, const poly *b); - void PQCLEAN_KYBER768_CLEAN_poly_sub(poly *r, const poly *a, const poly *b); #endif diff --git a/crypto_kem/kyber768/clean/polyvec.c b/crypto_kem/kyber768/clean/polyvec.c index b754eb95..ff167608 100644 --- a/crypto_kem/kyber768/clean/polyvec.c +++ b/crypto_kem/kyber768/clean/polyvec.c @@ -13,7 +13,7 @@ * - polyvec *a: pointer to input vector of polynomials **************************************************/ void PQCLEAN_KYBER768_CLEAN_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], polyvec *a) { - unsigned int i = 0, j = 0, k = 0; + unsigned int i, j, k; PQCLEAN_KYBER768_CLEAN_polyvec_csubq(a); 
@@ -21,10 +21,8 @@ void PQCLEAN_KYBER768_CLEAN_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBY for (i = 0; i < KYBER_K; i++) { for (j = 0; j < KYBER_N / 4; j++) { for (k = 0; k < 4; k++) { - { - t[k] = ((((uint32_t)a->vec[i].coeffs[4 * j + k] << 10) + KYBER_Q / 2) - / KYBER_Q) & 0x3ff; - } + t[k] = ((((uint32_t)a->vec[i].coeffs[4 * j + k] << 10) + KYBER_Q / 2) + / KYBER_Q) & 0x3ff; } r[0] = (uint8_t)(t[0] >> 0); @@ -49,7 +47,7 @@ void PQCLEAN_KYBER768_CLEAN_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBY **************************************************/ void PQCLEAN_KYBER768_CLEAN_polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]) { - unsigned int i = 0, j = 0, k = 0; + unsigned int i, j, k; uint16_t t[4]; for (i = 0; i < KYBER_K; i++) { @@ -77,7 +75,7 @@ void PQCLEAN_KYBER768_CLEAN_polyvec_decompress(polyvec *r, * - polyvec *a: pointer to input vector of polynomials **************************************************/ void PQCLEAN_KYBER768_CLEAN_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], polyvec *a) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER768_CLEAN_poly_tobytes(r + i * KYBER_POLYBYTES, &a->vec[i]); } @@ -94,7 +92,7 @@ void PQCLEAN_KYBER768_CLEAN_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], polyv * (of length KYBER_POLYVECBYTES) **************************************************/ void PQCLEAN_KYBER768_CLEAN_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER768_CLEAN_poly_frombytes(&r->vec[i], a + i * KYBER_POLYBYTES); } 
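Review bot: The retained `t[k] = ((((uint32_t)a->vec[i].coeffs[4 * j + k] << 10) + KYBER_Q / 2) / KYBER_Q) & 0x3ff;` divides a secret-dependent ciphertext coefficient by `KYBER_Q`, and on targets whose integer divide is not constant-time (or where the compiler lowers it to a software routine) that leaks timing about the coefficient; this is the pattern later reported as KyberSlash against the reference code. Because `KYBER_Q` is a compile-time constant the division can be replaced by a multiply-by-reciprocal and shift, but any such constant must be checked exhaustively over 0..KYBER_Q-1 to round identically to the original expression before it is trusted. Separately, this file keeps `unsigned int i, j, k;` while the poly.c hunks in this same diff switch the loop indices to `size_t`, so the index type is now inconsistent within the scheme.
```c
/* … unchanged: loops over i, j, k … */
uint32_t d0 = (uint32_t)a->vec[i].coeffs[4 * j + k];
d0 = (d0 << 10) + 1665;                              /* rounding term; verify exhaustively */
d0 = (uint32_t)(((uint64_t)d0 * 1290167) >> 32);     /* ~2^32 / KYBER_Q, no divide */
t[k] = d0 & 0x3ff;
/* … unchanged: packing of t[0..3] into r … */
```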
@@ -108,7 +106,7 @@ void PQCLEAN_KYBER768_CLEAN_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_ * Arguments: - polyvec *r: pointer to in/output vector of polynomials **************************************************/ void PQCLEAN_KYBER768_CLEAN_polyvec_ntt(polyvec *r) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER768_CLEAN_poly_ntt(&r->vec[i]); } @@ -123,7 +121,7 @@ void PQCLEAN_KYBER768_CLEAN_polyvec_ntt(polyvec *r) { * Arguments: - polyvec *r: pointer to in/output vector of polynomials **************************************************/ void PQCLEAN_KYBER768_CLEAN_polyvec_invntt_tomont(polyvec *r) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER768_CLEAN_poly_invntt_tomont(&r->vec[i]); } @@ -142,7 +140,7 @@ void PQCLEAN_KYBER768_CLEAN_polyvec_invntt_tomont(polyvec *r) { void PQCLEAN_KYBER768_CLEAN_polyvec_pointwise_acc_montgomery(poly *r, const polyvec *a, const polyvec *b) { - unsigned int i = 0; + unsigned int i; poly t; PQCLEAN_KYBER768_CLEAN_poly_basemul_montgomery(r, &a->vec[0], &b->vec[0]); @@ -164,7 +162,7 @@ void PQCLEAN_KYBER768_CLEAN_polyvec_pointwise_acc_montgomery(poly *r, * Arguments: - poly *r: pointer to input/output polynomial **************************************************/ void PQCLEAN_KYBER768_CLEAN_polyvec_reduce(polyvec *r) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER768_CLEAN_poly_reduce(&r->vec[i]); } @@ -181,7 +179,7 @@ void PQCLEAN_KYBER768_CLEAN_polyvec_reduce(polyvec *r) { * Arguments: - poly *r: pointer to input/output polynomial **************************************************/ void PQCLEAN_KYBER768_CLEAN_polyvec_csubq(polyvec *r) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER768_CLEAN_poly_csubq(&r->vec[i]); } 
@@ -197,7 +195,7 @@ void PQCLEAN_KYBER768_CLEAN_polyvec_csubq(polyvec *r) { * - const polyvec *b: pointer to second input vector of polynomials **************************************************/ void PQCLEAN_KYBER768_CLEAN_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b) { - unsigned int i = 0; + unsigned int i; for (i = 0; i < KYBER_K; i++) { PQCLEAN_KYBER768_CLEAN_poly_add(&r->vec[i], &a->vec[i], &b->vec[i]); } diff --git a/crypto_kem/kyber768/clean/polyvec.h b/crypto_kem/kyber768/clean/polyvec.h index 70d4b0fe..c879ad76 100644 --- a/crypto_kem/kyber768/clean/polyvec.h +++ b/crypto_kem/kyber768/clean/polyvec.h @@ -1,6 +1,5 @@ #ifndef PQCLEAN_KYBER768_CLEAN_POLYVEC_H #define PQCLEAN_KYBER768_CLEAN_POLYVEC_H - #include "params.h" #include "poly.h" #include @@ -9,33 +8,23 @@ typedef struct { poly vec[KYBER_K]; } polyvec; - void PQCLEAN_KYBER768_CLEAN_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], polyvec *a); - void PQCLEAN_KYBER768_CLEAN_polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]); - void PQCLEAN_KYBER768_CLEAN_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], polyvec *a); - void PQCLEAN_KYBER768_CLEAN_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]); - void PQCLEAN_KYBER768_CLEAN_polyvec_ntt(polyvec *r); - void PQCLEAN_KYBER768_CLEAN_polyvec_invntt_tomont(polyvec *r); - void PQCLEAN_KYBER768_CLEAN_polyvec_pointwise_acc_montgomery(poly *r, const polyvec *a, const polyvec *b); - void PQCLEAN_KYBER768_CLEAN_polyvec_reduce(polyvec *r); - void PQCLEAN_KYBER768_CLEAN_polyvec_csubq(polyvec *r); - void PQCLEAN_KYBER768_CLEAN_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b); #endif diff --git a/crypto_kem/kyber768/clean/reduce.c b/crypto_kem/kyber768/clean/reduce.c index 72babc2c..245fe36b 100644 --- a/crypto_kem/kyber768/clean/reduce.c +++ b/crypto_kem/kyber768/clean/reduce.c 
@@ -15,8 +15,8 @@ * Returns: integer in {-q+1,...,q-1} congruent to a * R^-1 modulo q. **************************************************/ int16_t PQCLEAN_KYBER768_CLEAN_montgomery_reduce(int32_t a) { - int32_t t = 0; - int16_t u = 0; + int32_t t; + int16_t u; u = (int16_t)(a * (int64_t)QINV); t = (int32_t)u * KYBER_Q; @@ -36,7 +36,7 @@ int16_t PQCLEAN_KYBER768_CLEAN_montgomery_reduce(int32_t a) { * Returns: integer in {0,...,q} congruent to a modulo q. **************************************************/ int16_t PQCLEAN_KYBER768_CLEAN_barrett_reduce(int16_t a) { - int16_t t = 0; + int16_t t; const int16_t v = ((1U << 26) + KYBER_Q / 2) / KYBER_Q; t = (int32_t)v * a >> 26; diff --git a/crypto_kem/kyber768/clean/reduce.h b/crypto_kem/kyber768/clean/reduce.h index 120002d7..4a865ea5 100644 --- a/crypto_kem/kyber768/clean/reduce.h +++ b/crypto_kem/kyber768/clean/reduce.h @@ -1,19 +1,15 @@ #ifndef PQCLEAN_KYBER768_CLEAN_REDUCE_H #define PQCLEAN_KYBER768_CLEAN_REDUCE_H - #include "params.h" #include #define MONT 2285 // 2^16 mod q #define QINV 62209 // q^-1 mod 2^16 - int16_t PQCLEAN_KYBER768_CLEAN_montgomery_reduce(int32_t a); - int16_t PQCLEAN_KYBER768_CLEAN_barrett_reduce(int16_t a); - int16_t PQCLEAN_KYBER768_CLEAN_csubq(int16_t a); #endif diff --git a/crypto_kem/kyber768/clean/symmetric-shake.c b/crypto_kem/kyber768/clean/symmetric-shake.c index 3dc60426..dacd6fa5 100644 --- a/crypto_kem/kyber768/clean/symmetric-shake.c +++ b/crypto_kem/kyber768/clean/symmetric-shake.c @@ -9,8 +9,8 @@ * * Description: Absorb step of the SHAKE128 specialized for the Kyber context. * -* Arguments: - keccak_state *state: pointer to (uninitialized) output -* Keccak state +* Arguments: - xof_state *state: pointer to (uninitialized) output +* Keccak state * - const uint8_t *seed: pointer to KYBER_SYMBYTES input * to be absorbed into state * - uint8_t i additional byte of input 
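Review bot: `u = (int16_t)(a * (int64_t)QINV);` relies on the narrowing conversion of an out-of-range 64-bit value to `int16_t` wrapping modulo 2^16, which C11 (6.3.1.3p3) leaves implementation-defined; GCC and Clang define it as two's-complement truncation, which is exactly the `a * q^-1 mod 2^16` step the algorithm needs, but the assumption is silent in the code. A comment would make it explicit: `/* low 16 bits of a*QINV: relies on implementation-defined two's-complement truncation (GCC/Clang) */`. The function body continues outside the hunk.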
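Review bot: `t = (int32_t)v * a >> 26;` in barrett_reduce right-shifts a product that is negative whenever `a` is negative (presumably allowed, since `a` is a signed `int16_t`), and `>>` on a negative signed value is implementation-defined in C11 (6.5.7p5); the code needs an arithmetic shift, which GCC/Clang provide. Parenthesizing and stating the assumption, `t = ((int32_t)v * a) >> 26; /* arithmetic shift assumed for negative a */`, makes both the precedence and the portability requirement visible. The function continues outside the hunk.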
@@ -20,7 +20,7 @@ void PQCLEAN_KYBER768_CLEAN_kyber_shake128_absorb(xof_state *state, const uint8_t seed[KYBER_SYMBYTES], uint8_t x, uint8_t y) { - unsigned int i = 0; + unsigned int i; uint8_t extseed[KYBER_SYMBYTES + 2]; for (i = 0; i < KYBER_SYMBYTES; i++) { @@ -48,7 +48,7 @@ void PQCLEAN_KYBER768_CLEAN_kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYMBYTES], uint8_t nonce) { - unsigned int i = 0; + unsigned int i; uint8_t extkey[KYBER_SYMBYTES + 1]; for (i = 0; i < KYBER_SYMBYTES; i++) { diff --git a/crypto_kem/kyber768/clean/symmetric.h b/crypto_kem/kyber768/clean/symmetric.h index b446aebe..3ee19aef 100644 --- a/crypto_kem/kyber768/clean/symmetric.h +++ b/crypto_kem/kyber768/clean/symmetric.h @@ -1,12 +1,11 @@ -#ifndef SYMMETRIC_H -#define SYMMETRIC_H - +#ifndef PQCLEAN_KYBER768_CLEAN_SYMMETRIC_H +#define PQCLEAN_KYBER768_CLEAN_SYMMETRIC_H +#include "fips202.h" #include "params.h" #include #include -#include "fips202.h" typedef shake128ctx xof_state; diff --git a/crypto_kem/kyber768/clean/verify.c b/crypto_kem/kyber768/clean/verify.c index 03e3573e..426c3fae 100644 --- a/crypto_kem/kyber768/clean/verify.c +++ b/crypto_kem/kyber768/clean/verify.c @@ -14,7 +14,7 @@ * Returns 0 if the byte arrays are equal, 1 otherwise **************************************************/ int PQCLEAN_KYBER768_CLEAN_verify(const uint8_t *a, const uint8_t *b, size_t len) { - size_t i = 0; + size_t i; uint8_t r = 0; for (i = 0; i < len; i++) { @@ -38,7 +38,7 @@ int PQCLEAN_KYBER768_CLEAN_verify(const uint8_t *a, const uint8_t *b, size_t len * uint8_t b: Condition bit; has to be in {0,1} **************************************************/ void PQCLEAN_KYBER768_CLEAN_cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b) { - size_t i = 0; + size_t i; b = -b; for (i = 0; i < len; i++) { diff --git a/crypto_kem/kyber768/clean/verify.h b/crypto_kem/kyber768/clean/verify.h index 430ca7b3..6361d8e4 100644 --- a/crypto_kem/kyber768/clean/verify.h 
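Review bot: `extkey` in kyber_shake256_prf is a stack copy of the secret PRF key with the nonce appended, and nothing in the hunk clears it; the function continues outside the hunk, so whether it is wiped after the SHAKE256 call is not visible here. If the project's policy is to scrub transient key material, a zeroization the optimizer cannot elide belongs after the absorb; if the copy is deliberately left for the compiler to reuse, a comment saying so would document the decision. Stylistically the byte loop is a `memcpy(extkey, key, KYBER_SYMBYTES);`, which would also remove the need for the index `i` altogether.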
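Review bot: `b = -b;` in cmov depends on `uint8_t` negation promoting to `int` and converting back modulo 256, giving `0xFF` for `b == 1` and `0x00` for `b == 0`; that conversion is well-defined for unsigned targets (C11 6.3.1.3p2) but the intent is not obvious from the line. Suggested comment: `b = -b; /* b in {0,1} -> byte mask 0x00 / 0xFF; unsigned conversion is modular, so this is well-defined */`. The header comment already says `b` must be in {0,1}; any other value yields a partial mask and a wrong result, which is worth repeating next to the negation since the precondition is not checked. The loop body is outside the hunk.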
+++ b/crypto_kem/kyber768/clean/verify.h @@ -1,14 +1,11 @@ #ifndef PQCLEAN_KYBER768_CLEAN_VERIFY_H #define PQCLEAN_KYBER768_CLEAN_VERIFY_H - #include "params.h" #include #include - int PQCLEAN_KYBER768_CLEAN_verify(const uint8_t *a, const uint8_t *b, size_t len); - void PQCLEAN_KYBER768_CLEAN_cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b); #endif diff --git a/test/duplicate_consistency/kyber1024-90s_avx2.yml b/test/duplicate_consistency/kyber1024-90s_avx2.yml index 9fa0aae7..cde8ef37 100644 --- a/test/duplicate_consistency/kyber1024-90s_avx2.yml +++ b/test/duplicate_consistency/kyber1024-90s_avx2.yml 
@@ -1,67 +1,167 @@ consistency_checks: -- source: - scheme: kyber1024 - implementation: clean - files: - - LICENSE - - cbd.h - - indcpa.h - - params.h - - polyvec.h - - verify.h -- source: - scheme: kyber768 - implementation: avx2 - files: - - cbd.c - - cbd.h - - consts.c - - consts.h - - fq.inc - - fq.S - - indcpa.h - - invntt.S - - ntt.h - - ntt.S - - polyvec.h - - reduce.h - - rejsample.h - - shuffle.inc - - shuffle.S - - verify.c - - verify.h -- source: - scheme: kyber1024-90s - implementation: clean - files: - - LICENSE - - cbd.h - - indcpa.h - - params.h - - polyvec.h - - verify.h -- source: - scheme: kyber768-90s - implementation: avx2 - files: - - aes256ctr.c - - aes256ctr.h - - cbd.c - - cbd.h - - consts.c - - consts.h - - fq.inc - - fq.S - - indcpa.h - - invntt.S - - ntt.h - - ntt.S - - poly.h - - polyvec.h - - reduce.h - - rejsample.h - - shuffle.inc - - shuffle.S - - symmetric.h - - verify.c - - verify.h + - source: + scheme: kyber512 + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - source: + scheme: kyber512 + implementation: avx2 + files: + - align.h + - cbd.h + - cdecl.h + - consts.h + - indcpa.h + - kem.h + - ntt.h + - polyvec.h + - reduce.h + - rejsample.h + - verify.h + - cbd.c + - consts.c + - kem.c + - verify.c + - source: + scheme: kyber512-90s + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - source: + scheme: kyber512-90s + implementation: avx2 + files: + - aes256ctr.h + - align.h + - cbd.h + - cdecl.h + - consts.h + - indcpa.h + - kem.h + - ntt.h + - poly.h + - polyvec.h + - reduce.h + - rejsample.h + - symmetric.h + - verify.h + - aes256ctr.c + - cbd.c + - consts.c + - indcpa.c + - kem.c + - rejsample.c + - verify.c + - source: + scheme: kyber768 + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - source: + scheme: kyber768 + implementation: avx2 + files: + - align.h + - cbd.h + - cdecl.h + - consts.h + 
- indcpa.h + - kem.h + - ntt.h + - polyvec.h + - reduce.h + - rejsample.h + - verify.h + - cbd.c + - consts.c + - kem.c + - verify.c + - source: + scheme: kyber768-90s + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - source: + scheme: kyber768-90s + implementation: avx2 + files: + - aes256ctr.h + - align.h + - cbd.h + - cdecl.h + - consts.h + - indcpa.h + - kem.h + - ntt.h + - poly.h + - polyvec.h + - reduce.h + - rejsample.h + - symmetric.h + - verify.h + - aes256ctr.c + - cbd.c + - consts.c + - indcpa.c + - kem.c + - rejsample.c + - verify.c + - source: + scheme: kyber1024 + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - params.h + - polyvec.h + - verify.h + - source: + scheme: kyber1024 + implementation: avx2 + files: + - align.h + - cbd.h + - cdecl.h + - consts.h + - indcpa.h + - kem.h + - ntt.h + - params.h + - polyvec.h + - reduce.h + - rejsample.h + - verify.h + - cbd.c + - consts.c + - kem.c + - polyvec.c + - verify.c + - source: + scheme: kyber1024-90s + implementation: clean + files: + - api.h + - cbd.h + - indcpa.h + - kem.h + - params.h + - polyvec.h + - verify.h diff --git a/test/duplicate_consistency/kyber1024-90s_clean.yml b/test/duplicate_consistency/kyber1024-90s_clean.yml new file mode 100644 index 00000000..7442010a --- /dev/null +++ b/test/duplicate_consistency/kyber1024-90s_clean.yml 
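Review bot: The regenerated list drops `LICENSE` and every assembly source (`fq.S`, `ntt.S`, `invntt.S`, `shuffle.S`) that the old kyber768/avx2 entry checked against, so divergence in those files between parameter sets is no longer caught by the duplicate-consistency test. If they are still expected to be byte-identical across the kyber512/768/1024 avx2 implementations they should be re-added to the corresponding `files:` lists; if the updated upstream assembly legitimately differs per parameter set, a sentence to that effect in the commit message would save the next reader the same question.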
@@ -0,0 +1,157 @@ +consistency_checks: + - source: + scheme: kyber512 + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - ntt.h + - poly.h + - polyvec.h + - reduce.h + - verify.h + - cbd.c + - indcpa.c + - kem.c + - ntt.c + - reduce.c + - verify.c + - source: + scheme: kyber512 + implementation: avx2 + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - source: + scheme: kyber512-90s + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - ntt.h + - poly.h + - polyvec.h + - reduce.h + - symmetric-aes.h + - symmetric.h + - verify.h + - cbd.c + - indcpa.c + - kem.c + - ntt.c + - reduce.c + - symmetric-aes.c + - verify.c + - source: + scheme: kyber512-90s + implementation: avx2 + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - source: + scheme: kyber768 + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - ntt.h + - poly.h + - polyvec.h + - reduce.h + - verify.h + - cbd.c + - indcpa.c + - kem.c + - ntt.c + - reduce.c + - verify.c + - source: + scheme: kyber768 + implementation: avx2 + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - source: + scheme: kyber768-90s + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - ntt.h + - poly.h + - polyvec.h + - reduce.h + - symmetric-aes.h + - symmetric.h + - verify.h + - cbd.c + - indcpa.c + - kem.c + - ntt.c + - reduce.c + - symmetric-aes.c + - verify.c + - source: + scheme: kyber768-90s + implementation: avx2 + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - source: + scheme: kyber1024 + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - ntt.h + - params.h + - poly.h + - polyvec.h + - reduce.h + - verify.h + - cbd.c + - indcpa.c + - kem.c + - ntt.c + - poly.c + - polyvec.c + - reduce.c + - verify.c + - source: + scheme: kyber1024 + implementation: avx2 + files: + - cbd.h + - indcpa.h + - kem.h + - params.h + - polyvec.h + - verify.h + - source: + scheme: 
kyber1024-90s + implementation: avx2 + files: + - api.h + - cbd.h + - indcpa.h + - kem.h + - params.h + - polyvec.h + - verify.h diff --git a/test/duplicate_consistency/kyber1024_avx2.yml b/test/duplicate_consistency/kyber1024_avx2.yml index 6e45bb97..5f9cc86b 100644 --- a/test/duplicate_consistency/kyber1024_avx2.yml +++ b/test/duplicate_consistency/kyber1024_avx2.yml 
@@ -1,39 +1,170 @@ consistency_checks: -- source: - scheme: kyber1024 - implementation: clean - files: - - LICENSE - - cbd.h - - indcpa.h - - params.h - - polyvec.h - - symmetric-shake.c - - verify.h -- source: - scheme: kyber768 - implementation: avx2 - files: - - cbd.c - - cbd.h - - consts.c - - consts.h - - fips202x4.c - - fips202x4.h - - fq.inc - - fq.S - - indcpa.h - - invntt.S - - ntt.h - - ntt.S - - poly.h - - polyvec.h - - reduce.h - - rejsample.c - - rejsample.h - - shuffle.inc - - shuffle.S - - symmetric-shake.c - - symmetric.h - - verify.c - - verify.h + - source: + scheme: kyber512 + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - symmetric-shake.c + - source: + scheme: kyber512 + implementation: avx2 + files: + - align.h + - cbd.h + - cdecl.h + - consts.h + - fips202x4.h + - indcpa.h + - kem.h + - ntt.h + - poly.h + - polyvec.h + - reduce.h + - rejsample.h + - symmetric.h + - verify.h + - cbd.c + - consts.c + - fips202x4.c + - kem.c + - rejsample.c + - symmetric-shake.c + - verify.c + - source: + scheme: kyber512-90s + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - source: + scheme: kyber512-90s + implementation: avx2 + files: + - align.h + - cbd.h + - cdecl.h + - consts.h + - indcpa.h + - kem.h + - ntt.h + - polyvec.h + - reduce.h + - rejsample.h + - verify.h + - cbd.c + - consts.c + - kem.c + - verify.c + - source: + scheme: kyber768 + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - symmetric-shake.c + - source: + scheme: kyber768 + implementation: avx2 + files: + - align.h + - cbd.h + - cdecl.h + - consts.h + - fips202x4.h + - indcpa.h + - kem.h + - ntt.h + - poly.h + - polyvec.h + - reduce.h + - rejsample.h + - symmetric.h + - verify.h + - cbd.c + - consts.c + - fips202x4.c + - kem.c + - rejsample.c + - symmetric-shake.c + - verify.c + - source: + scheme: kyber768-90s + implementation: clean + files: + - 
cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - source: + scheme: kyber768-90s + implementation: avx2 + files: + - align.h + - cbd.h + - cdecl.h + - consts.h + - indcpa.h + - kem.h + - ntt.h + - polyvec.h + - reduce.h + - rejsample.h + - verify.h + - cbd.c + - consts.c + - kem.c + - verify.c + - source: + scheme: kyber1024 + implementation: clean + files: + - api.h + - cbd.h + - indcpa.h + - kem.h + - params.h + - polyvec.h + - verify.h + - symmetric-shake.c + - source: + scheme: kyber1024-90s + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - params.h + - polyvec.h + - verify.h + - source: + scheme: kyber1024-90s + implementation: avx2 + files: + - align.h + - cbd.h + - cdecl.h + - consts.h + - indcpa.h + - kem.h + - ntt.h + - params.h + - polyvec.h + - reduce.h + - rejsample.h + - verify.h + - cbd.c + - consts.c + - kem.c + - polyvec.c + - verify.c diff --git a/test/duplicate_consistency/kyber1024_clean.yml b/test/duplicate_consistency/kyber1024_clean.yml index 2bf1c2dc..39afa358 100644 --- a/test/duplicate_consistency/kyber1024_clean.yml +++ b/test/duplicate_consistency/kyber1024_clean.yml 
@@ -1,20 +1,158 @@ consistency_checks: -- source: - scheme: kyber768 - implementation: clean - files: - - LICENSE - - cbd.c - - cbd.h - - indcpa.h - - kem.c - - ntt.c - - ntt.h - - poly.h - - polyvec.h - - reduce.c - - reduce.h - - symmetric-shake.c - - symmetric.h - - verify.c - - verify.h + - source: + scheme: kyber512 + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - ntt.h + - poly.h + - polyvec.h + - reduce.h + - symmetric.h + - verify.h + - cbd.c + - indcpa.c + - kem.c + - ntt.c + - reduce.c + - symmetric-shake.c + - verify.c + - source: + scheme: kyber512 + implementation: avx2 + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - symmetric-shake.c + - source: + scheme: kyber512-90s + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - ntt.h + - poly.h + - polyvec.h + - reduce.h + - verify.h + - cbd.c + - indcpa.c + - kem.c + - ntt.c + - reduce.c + - verify.c + - source: + scheme: kyber512-90s + implementation: avx2 + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - source: + scheme: kyber768 + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - ntt.h + - poly.h + - polyvec.h + - reduce.h + - symmetric.h + - verify.h + - cbd.c + - indcpa.c + - kem.c + - ntt.c + - reduce.c + - symmetric-shake.c + - verify.c + - source: + scheme: kyber768 + implementation: avx2 + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - symmetric-shake.c + - source: + scheme: kyber768-90s + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - ntt.h + - poly.h + - polyvec.h + - reduce.h + - verify.h + - cbd.c + - indcpa.c + - kem.c + - ntt.c + - reduce.c + - verify.c + - source: + scheme: kyber768-90s + implementation: avx2 + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - source: + scheme: kyber1024 + implementation: avx2 + files: + - api.h + - cbd.h + - indcpa.h + - kem.h + - params.h + - polyvec.h + - verify.h + - symmetric-shake.c + 
- source: + scheme: kyber1024-90s + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - ntt.h + - params.h + - poly.h + - polyvec.h + - reduce.h + - verify.h + - cbd.c + - indcpa.c + - kem.c + - ntt.c + - poly.c + - polyvec.c + - reduce.c + - verify.c + - source: + scheme: kyber1024-90s + implementation: avx2 + files: + - cbd.h + - indcpa.h + - kem.h + - params.h + - polyvec.h + - verify.h diff --git a/test/duplicate_consistency/kyber512-90s_avx2.yml b/test/duplicate_consistency/kyber512-90s_avx2.yml index 8c2a8ffd..05728ea6 100644 --- a/test/duplicate_consistency/kyber512-90s_avx2.yml +++ b/test/duplicate_consistency/kyber512-90s_avx2.yml 
@@ -1,68 +1,169 @@ consistency_checks: -- source: - scheme: kyber512 - implementation: avx2 - files: - - LICENSE - - cbd.h - - indcpa.h - - params.h - - polyvec.h - - verify.h -- source: - scheme: kyber768 - implementation: avx2 - files: - - cbd.c - - cbd.h - - consts.c - - consts.h - - fq.inc - - fq.S - - indcpa.h - - invntt.S - - ntt.h - - ntt.S - - polyvec.h - - reduce.h - - rejsample.h - - shuffle.inc - - shuffle.S - - verify.c - - verify.h -- source: - scheme: kyber512-90s - implementation: clean - files: - - LICENSE - - cbd.h - - indcpa.h - - params.h - - polyvec.h - - verify.h -- source: - scheme: kyber768-90s - implementation: avx2 - files: - - aes256ctr.c - - aes256ctr.h - - cbd.c - - cbd.h - - consts.c - - consts.h - - fq.inc - - fq.S - - indcpa.h - - invntt.S - - ntt.h - - ntt.S - - poly.h - - polyvec.h - - reduce.h - - rejsample.c - - rejsample.h - - shuffle.inc - - shuffle.S - - symmetric.h - - verify.c - - verify.h + - source: + scheme: kyber512 + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - params.h + - polyvec.h + - verify.h + - source: + scheme: kyber512 + implementation: avx2 + files: + - align.h + - cbd.h + - cdecl.h + - consts.h + - indcpa.h + - kem.h + - ntt.h + - params.h + - polyvec.h + - reduce.h + - rejsample.h + - verify.h + - cbd.c + - consts.c + - kem.c + - polyvec.c + - verify.c + - source: + scheme: kyber512-90s + implementation: clean + files: + - api.h + - cbd.h + - indcpa.h + - kem.h + - params.h + - polyvec.h + - verify.h + - source: + scheme: kyber768 + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - source: + scheme: kyber768 + implementation: avx2 + files: + - align.h + - cbd.h + - cdecl.h + - consts.h + - indcpa.h + - kem.h + - ntt.h + - polyvec.h + - reduce.h + - rejsample.h + - verify.h + - cbd.c + - consts.c + - kem.c + - polyvec.c + - verify.c + - source: + scheme: kyber768-90s + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - 
polyvec.h + - verify.h + - source: + scheme: kyber768-90s + implementation: avx2 + files: + - aes256ctr.h + - align.h + - cbd.h + - cdecl.h + - consts.h + - indcpa.h + - kem.h + - ntt.h + - poly.h + - polyvec.h + - reduce.h + - rejsample.h + - symmetric.h + - verify.h + - aes256ctr.c + - cbd.c + - consts.c + - indcpa.c + - kem.c + - polyvec.c + - rejsample.c + - verify.c + - source: + scheme: kyber1024 + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - source: + scheme: kyber1024 + implementation: avx2 + files: + - align.h + - cbd.h + - cdecl.h + - consts.h + - indcpa.h + - kem.h + - ntt.h + - polyvec.h + - reduce.h + - rejsample.h + - verify.h + - cbd.c + - consts.c + - kem.c + - verify.c + - source: + scheme: kyber1024-90s + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - source: + scheme: kyber1024-90s + implementation: avx2 + files: + - aes256ctr.h + - align.h + - cbd.h + - cdecl.h + - consts.h + - indcpa.h + - kem.h + - ntt.h + - poly.h + - polyvec.h + - reduce.h + - rejsample.h + - symmetric.h + - verify.h + - aes256ctr.c + - cbd.c + - consts.c + - indcpa.c + - kem.c + - rejsample.c + - verify.c diff --git a/test/duplicate_consistency/kyber512-90s_clean.yml b/test/duplicate_consistency/kyber512-90s_clean.yml new file mode 100644 index 00000000..1455269e --- /dev/null +++ b/test/duplicate_consistency/kyber512-90s_clean.yml 
@@ -0,0 +1,159 @@ +consistency_checks: + - source: + scheme: kyber512 + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - ntt.h + - params.h + - poly.h + - polyvec.h + - reduce.h + - verify.h + - cbd.c + - indcpa.c + - kem.c + - ntt.c + - poly.c + - polyvec.c + - reduce.c + - verify.c + - source: + scheme: kyber512 + implementation: avx2 + files: + - cbd.h + - indcpa.h + - kem.h + - params.h + - polyvec.h + - verify.h + - source: + scheme: kyber512-90s + implementation: avx2 + files: + - api.h + - cbd.h + - indcpa.h + - kem.h + - params.h + - polyvec.h + - verify.h + - source: + scheme: kyber768 + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - ntt.h + - poly.h + - polyvec.h + - reduce.h + - verify.h + - cbd.c + - indcpa.c + - kem.c + - ntt.c + - polyvec.c + - reduce.c + - verify.c + - source: + scheme: kyber768 + implementation: avx2 + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - source: + scheme: kyber768-90s + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - ntt.h + - poly.h + - polyvec.h + - reduce.h + - symmetric-aes.h + - symmetric.h + - verify.h + - cbd.c + - indcpa.c + - kem.c + - ntt.c + - polyvec.c + - reduce.c + - symmetric-aes.c + - verify.c + - source: + scheme: kyber768-90s + implementation: avx2 + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - source: + scheme: kyber1024 + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - ntt.h + - poly.h + - polyvec.h + - reduce.h + - verify.h + - cbd.c + - indcpa.c + - kem.c + - ntt.c + - reduce.c + - verify.c + - source: + scheme: kyber1024 + implementation: avx2 + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - source: + scheme: kyber1024-90s + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - ntt.h + - poly.h + - polyvec.h + - reduce.h + - symmetric-aes.h + - symmetric.h + - verify.h + - cbd.c + - indcpa.c + - kem.c + - ntt.c + - reduce.c + - 
symmetric-aes.c + - verify.c + - source: + scheme: kyber1024-90s + implementation: avx2 + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h diff --git a/test/duplicate_consistency/kyber512_avx2.yml b/test/duplicate_consistency/kyber512_avx2.yml index a154ac68..0520bfd5 100644 --- a/test/duplicate_consistency/kyber512_avx2.yml +++ b/test/duplicate_consistency/kyber512_avx2.yml 
@@ -1,39 +1,172 @@ consistency_checks: -- source: - scheme: kyber512 - implementation: clean - files: - - LICENSE - - cbd.h - - indcpa.h - - params.h - - polyvec.h - - symmetric-shake.c - - verify.h -- source: - scheme: kyber768 - implementation: avx2 - files: - - cbd.c - - cbd.h - - consts.c - - consts.h - - fips202x4.c - - fips202x4.h - - fq.inc - - fq.S - - indcpa.h - - invntt.S - - ntt.h - - ntt.S - - poly.h - - polyvec.h - - reduce.h - - rejsample.c - - rejsample.h - - shuffle.inc - - shuffle.S - - symmetric-shake.c - - symmetric.h - - verify.c - - verify.h + - source: + scheme: kyber512 + implementation: clean + files: + - api.h + - cbd.h + - indcpa.h + - kem.h + - params.h + - polyvec.h + - verify.h + - symmetric-shake.c + - source: + scheme: kyber512-90s + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - params.h + - polyvec.h + - verify.h + - source: + scheme: kyber512-90s + implementation: avx2 + files: + - align.h + - cbd.h + - cdecl.h + - consts.h + - indcpa.h + - kem.h + - ntt.h + - params.h + - polyvec.h + - reduce.h + - rejsample.h + - verify.h + - cbd.c + - consts.c + - kem.c + - polyvec.c + - verify.c + - source: + scheme: kyber768 + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - symmetric-shake.c + - source: + scheme: kyber768 + implementation: avx2 + files: + - align.h + - cbd.h + - cdecl.h + - consts.h + - fips202x4.h + - indcpa.h + - kem.h + - ntt.h + - poly.h + - polyvec.h + - reduce.h + - rejsample.h + - symmetric.h + - verify.h + - cbd.c + - consts.c + - fips202x4.c + - kem.c + - polyvec.c + - rejsample.c + - symmetric-shake.c + - verify.c + - source: + scheme: kyber768-90s + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - source: + scheme: kyber768-90s + implementation: avx2 + files: + - align.h + - cbd.h + - cdecl.h + - consts.h + - indcpa.h + - kem.h + - ntt.h + - polyvec.h + - reduce.h + - rejsample.h + - verify.h + - cbd.c + 
- consts.c + - kem.c + - polyvec.c + - verify.c + - source: + scheme: kyber1024 + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - symmetric-shake.c + - source: + scheme: kyber1024 + implementation: avx2 + files: + - align.h + - cbd.h + - cdecl.h + - consts.h + - fips202x4.h + - indcpa.h + - kem.h + - ntt.h + - poly.h + - polyvec.h + - reduce.h + - rejsample.h + - symmetric.h + - verify.h + - cbd.c + - consts.c + - fips202x4.c + - kem.c + - rejsample.c + - symmetric-shake.c + - verify.c + - source: + scheme: kyber1024-90s + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - source: + scheme: kyber1024-90s + implementation: avx2 + files: + - align.h + - cbd.h + - cdecl.h + - consts.h + - indcpa.h + - kem.h + - ntt.h + - polyvec.h + - reduce.h + - rejsample.h + - verify.h + - cbd.c + - consts.c + - kem.c + - verify.c diff --git a/test/duplicate_consistency/kyber512_clean.yml b/test/duplicate_consistency/kyber512_clean.yml index 2bf1c2dc..c543f9a9 100644 --- a/test/duplicate_consistency/kyber512_clean.yml +++ b/test/duplicate_consistency/kyber512_clean.yml 
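Review bot: The rewritten file list for the kyber512/clean source no longer includes `LICENSE`, which the old list did check, so the license text can now diverge between the kyber512 implementations without this test noticing; the same drop happens in the kyber512_clean.yml, kyber768-90s_avx2.yml, kyber768_avx2.yml and kyber768_clean.yml hunks below. If license consistency is meant to be covered elsewhere that is fine, but otherwise each `files:` list that previously had it should keep `      - LICENSE`. These lists look generated via package-pqclean, so the omission is probably best corrected in the generator rather than by hand-editing the YAML.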
@@ -1,20 +1,160 @@ consistency_checks: -- source: - scheme: kyber768 - implementation: clean - files: - - LICENSE - - cbd.c - - cbd.h - - indcpa.h - - kem.c - - ntt.c - - ntt.h - - poly.h - - polyvec.h - - reduce.c - - reduce.h - - symmetric-shake.c - - symmetric.h - - verify.c - - verify.h + - source: + scheme: kyber512 + implementation: avx2 + files: + - api.h + - cbd.h + - indcpa.h + - kem.h + - params.h + - polyvec.h + - verify.h + - symmetric-shake.c + - source: + scheme: kyber512-90s + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - ntt.h + - params.h + - poly.h + - polyvec.h + - reduce.h + - verify.h + - cbd.c + - indcpa.c + - kem.c + - ntt.c + - poly.c + - polyvec.c + - reduce.c + - verify.c + - source: + scheme: kyber512-90s + implementation: avx2 + files: + - cbd.h + - indcpa.h + - kem.h + - params.h + - polyvec.h + - verify.h + - source: + scheme: kyber768 + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - ntt.h + - poly.h + - polyvec.h + - reduce.h + - symmetric.h + - verify.h + - cbd.c + - indcpa.c + - kem.c + - ntt.c + - polyvec.c + - reduce.c + - symmetric-shake.c + - verify.c + - source: + scheme: kyber768 + implementation: avx2 + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - symmetric-shake.c + - source: + scheme: kyber768-90s + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - ntt.h + - poly.h + - polyvec.h + - reduce.h + - verify.h + - cbd.c + - indcpa.c + - kem.c + - ntt.c + - polyvec.c + - reduce.c + - verify.c + - source: + scheme: kyber768-90s + implementation: avx2 + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - source: + scheme: kyber1024 + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - ntt.h + - poly.h + - polyvec.h + - reduce.h + - symmetric.h + - verify.h + - cbd.c + - indcpa.c + - kem.c + - ntt.c + - reduce.c + - symmetric-shake.c + - verify.c + - source: + scheme: kyber1024 + implementation: avx2 + files: + - 
cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - symmetric-shake.c + - source: + scheme: kyber1024-90s + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - ntt.h + - poly.h + - polyvec.h + - reduce.h + - verify.h + - cbd.c + - indcpa.c + - kem.c + - ntt.c + - reduce.c + - verify.c + - source: + scheme: kyber1024-90s + implementation: avx2 + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h diff --git a/test/duplicate_consistency/kyber768-90s_avx2.yml b/test/duplicate_consistency/kyber768-90s_avx2.yml index fe370670..4f5f1e08 100644 --- a/test/duplicate_consistency/kyber768-90s_avx2.yml +++ b/test/duplicate_consistency/kyber768-90s_avx2.yml 
@@ -1,69 +1,169 @@ consistency_checks: -- source: - scheme: kyber768 - implementation: clean - files: - - LICENSE - - cbd.h - - indcpa.h - - params.h - - polyvec.h - - verify.h -- source: - scheme: kyber512 - implementation: avx2 - files: - - cbd.c - - cbd.h - - consts.c - - consts.h - - fq.inc - - fq.S - - indcpa.h - - invntt.S - - ntt.h - - ntt.S - - polyvec.h - - reduce.h - - rejsample.c - - rejsample.h - - shuffle.inc - - shuffle.S - - verify.c - - verify.h -consistency_checks: -- source: - scheme: kyber768-90s - implementation: clean - files: - - LICENSE - - cbd.h - - indcpa.h - - params.h - - polyvec.h - - verify.h -- source: - scheme: kyber512-90s - implementation: avx2 - files: - - aes256ctr.c - - aes256ctr.h - - cbd.c - - cbd.h - - consts.c - - consts.h - - fq.inc - - fq.S - - indcpa.h - - invntt.S - - ntt.h - - ntt.S - - poly.h - - polyvec.h - - reduce.h - - rejsample.h - - shuffle.inc - - shuffle.S - - symmetric.h - - verify.c - - verify.h + - source: + scheme: kyber512 + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - source: + scheme: kyber512 + implementation: avx2 + files: + - align.h + - cbd.h + - cdecl.h + - consts.h + - indcpa.h + - kem.h + - ntt.h + - polyvec.h + - reduce.h + - rejsample.h + - verify.h + - cbd.c + - consts.c + - kem.c + - polyvec.c + - verify.c + - source: + scheme: kyber512-90s + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - source: + scheme: kyber512-90s + implementation: avx2 + files: + - aes256ctr.h + - align.h + - cbd.h + - cdecl.h + - consts.h + - indcpa.h + - kem.h + - ntt.h + - poly.h + - polyvec.h + - reduce.h + - rejsample.h + - symmetric.h + - verify.h + - aes256ctr.c + - cbd.c + - consts.c + - indcpa.c + - kem.c + - polyvec.c + - rejsample.c + - verify.c + - source: + scheme: kyber768 + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - params.h + - polyvec.h + - verify.h + - source: + scheme: kyber768 + 
implementation: avx2 + files: + - align.h + - cbd.h + - cdecl.h + - consts.h + - indcpa.h + - kem.h + - ntt.h + - params.h + - polyvec.h + - reduce.h + - rejsample.h + - verify.h + - cbd.c + - consts.c + - kem.c + - polyvec.c + - verify.c + - source: + scheme: kyber768-90s + implementation: clean + files: + - api.h + - cbd.h + - indcpa.h + - kem.h + - params.h + - polyvec.h + - verify.h + - source: + scheme: kyber1024 + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - source: + scheme: kyber1024 + implementation: avx2 + files: + - align.h + - cbd.h + - cdecl.h + - consts.h + - indcpa.h + - kem.h + - ntt.h + - polyvec.h + - reduce.h + - rejsample.h + - verify.h + - cbd.c + - consts.c + - kem.c + - verify.c + - source: + scheme: kyber1024-90s + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - source: + scheme: kyber1024-90s + implementation: avx2 + files: + - aes256ctr.h + - align.h + - cbd.h + - cdecl.h + - consts.h + - indcpa.h + - kem.h + - ntt.h + - poly.h + - polyvec.h + - reduce.h + - rejsample.h + - symmetric.h + - verify.h + - aes256ctr.c + - cbd.c + - consts.c + - indcpa.c + - kem.c + - rejsample.c + - verify.c diff --git a/test/duplicate_consistency/kyber768-90s_clean.yml b/test/duplicate_consistency/kyber768-90s_clean.yml new file mode 100644 index 00000000..7334f01f --- /dev/null +++ b/test/duplicate_consistency/kyber768-90s_clean.yml 
@@ -0,0 +1,159 @@ +consistency_checks: + - source: + scheme: kyber512 + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - ntt.h + - poly.h + - polyvec.h + - reduce.h + - verify.h + - cbd.c + - indcpa.c + - kem.c + - ntt.c + - polyvec.c + - reduce.c + - verify.c + - source: + scheme: kyber512 + implementation: avx2 + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - source: + scheme: kyber512-90s + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - ntt.h + - poly.h + - polyvec.h + - reduce.h + - symmetric-aes.h + - symmetric.h + - verify.h + - cbd.c + - indcpa.c + - kem.c + - ntt.c + - polyvec.c + - reduce.c + - symmetric-aes.c + - verify.c + - source: + scheme: kyber512-90s + implementation: avx2 + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - source: + scheme: kyber768 + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - ntt.h + - params.h + - poly.h + - polyvec.h + - reduce.h + - verify.h + - cbd.c + - indcpa.c + - kem.c + - ntt.c + - poly.c + - polyvec.c + - reduce.c + - verify.c + - source: + scheme: kyber768 + implementation: avx2 + files: + - cbd.h + - indcpa.h + - kem.h + - params.h + - polyvec.h + - verify.h + - source: + scheme: kyber768-90s + implementation: avx2 + files: + - api.h + - cbd.h + - indcpa.h + - kem.h + - params.h + - polyvec.h + - verify.h + - source: + scheme: kyber1024 + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - ntt.h + - poly.h + - polyvec.h + - reduce.h + - verify.h + - cbd.c + - indcpa.c + - kem.c + - ntt.c + - reduce.c + - verify.c + - source: + scheme: kyber1024 + implementation: avx2 + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - source: + scheme: kyber1024-90s + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - ntt.h + - poly.h + - polyvec.h + - reduce.h + - symmetric-aes.h + - symmetric.h + - verify.h + - cbd.c + - indcpa.c + - kem.c + - ntt.c + - reduce.c + - 
symmetric-aes.c + - verify.c + - source: + scheme: kyber1024-90s + implementation: avx2 + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h diff --git a/test/duplicate_consistency/kyber768_avx2.yml b/test/duplicate_consistency/kyber768_avx2.yml index e1c67def..e6ef217a 100644 --- a/test/duplicate_consistency/kyber768_avx2.yml +++ b/test/duplicate_consistency/kyber768_avx2.yml 
@@ -1,39 +1,172 @@ consistency_checks: -- source: - scheme: kyber768 - implementation: clean - files: - - LICENSE - - cbd.h - - indcpa.h - - params.h - - polyvec.h - - symmetric-shake.c - - verify.h -- source: - scheme: kyber512 - implementation: avx2 - files: - - cbd.c - - cbd.h - - consts.c - - consts.h - - fips202x4.c - - fips202x4.h - - fq.inc - - fq.S - - indcpa.h - - invntt.S - - ntt.h - - ntt.S - - poly.h - - polyvec.h - - reduce.h - - rejsample.c - - rejsample.h - - shuffle.inc - - shuffle.S - - symmetric-shake.c - - symmetric.h - - verify.c - - verify.h + - source: + scheme: kyber512 + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - symmetric-shake.c + - source: + scheme: kyber512 + implementation: avx2 + files: + - align.h + - cbd.h + - cdecl.h + - consts.h + - fips202x4.h + - indcpa.h + - kem.h + - ntt.h + - poly.h + - polyvec.h + - reduce.h + - rejsample.h + - symmetric.h + - verify.h + - cbd.c + - consts.c + - fips202x4.c + - kem.c + - polyvec.c + - rejsample.c + - symmetric-shake.c + - verify.c + - source: + scheme: kyber512-90s + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - source: + scheme: kyber512-90s + implementation: avx2 + files: + - align.h + - cbd.h + - cdecl.h + - consts.h + - indcpa.h + - kem.h + - ntt.h + - polyvec.h + - reduce.h + - rejsample.h + - verify.h + - cbd.c + - consts.c + - kem.c + - polyvec.c + - verify.c + - source: + scheme: kyber768 + implementation: clean + files: + - api.h + - cbd.h + - indcpa.h + - kem.h + - params.h + - polyvec.h + - verify.h + - symmetric-shake.c + - source: + scheme: kyber768-90s + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - params.h + - polyvec.h + - verify.h + - source: + scheme: kyber768-90s + implementation: avx2 + files: + - align.h + - cbd.h + - cdecl.h + - consts.h + - indcpa.h + - kem.h + - ntt.h + - params.h + - polyvec.h + - reduce.h + - rejsample.h + - verify.h + - cbd.c + 
- consts.c + - kem.c + - polyvec.c + - verify.c + - source: + scheme: kyber1024 + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - symmetric-shake.c + - source: + scheme: kyber1024 + implementation: avx2 + files: + - align.h + - cbd.h + - cdecl.h + - consts.h + - fips202x4.h + - indcpa.h + - kem.h + - ntt.h + - poly.h + - polyvec.h + - reduce.h + - rejsample.h + - symmetric.h + - verify.h + - cbd.c + - consts.c + - fips202x4.c + - kem.c + - rejsample.c + - symmetric-shake.c + - verify.c + - source: + scheme: kyber1024-90s + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - source: + scheme: kyber1024-90s + implementation: avx2 + files: + - align.h + - cbd.h + - cdecl.h + - consts.h + - indcpa.h + - kem.h + - ntt.h + - polyvec.h + - reduce.h + - rejsample.h + - verify.h + - cbd.c + - consts.c + - kem.c + - verify.c diff --git a/test/duplicate_consistency/kyber768_clean.yml b/test/duplicate_consistency/kyber768_clean.yml index f4c7518a..7eb8e985 100644 --- a/test/duplicate_consistency/kyber768_clean.yml +++ b/test/duplicate_consistency/kyber768_clean.yml 
@@ -1,20 +1,160 @@ consistency_checks: -- source: - scheme: kyber1024 - implementation: clean - files: - - LICENSE - - cbd.c - - cbd.h - - indcpa.h - - kem.c - - ntt.c - - ntt.h - - poly.h - - polyvec.h - - reduce.c - - reduce.h - - symmetric-shake.c - - symmetric.h - - verify.c - - verify.h + - source: + scheme: kyber512 + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - ntt.h + - poly.h + - polyvec.h + - reduce.h + - symmetric.h + - verify.h + - cbd.c + - indcpa.c + - kem.c + - ntt.c + - polyvec.c + - reduce.c + - symmetric-shake.c + - verify.c + - source: + scheme: kyber512 + implementation: avx2 + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - symmetric-shake.c + - source: + scheme: kyber512-90s + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - ntt.h + - poly.h + - polyvec.h + - reduce.h + - verify.h + - cbd.c + - indcpa.c + - kem.c + - ntt.c + - polyvec.c + - reduce.c + - verify.c + - source: + scheme: kyber512-90s + implementation: avx2 + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - source: + scheme: kyber768 + implementation: avx2 + files: + - api.h + - cbd.h + - indcpa.h + - kem.h + - params.h + - polyvec.h + - verify.h + - symmetric-shake.c + - source: + scheme: kyber768-90s + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - ntt.h + - params.h + - poly.h + - polyvec.h + - reduce.h + - verify.h + - cbd.c + - indcpa.c + - kem.c + - ntt.c + - poly.c + - polyvec.c + - reduce.c + - verify.c + - source: + scheme: kyber768-90s + implementation: avx2 + files: + - cbd.h + - indcpa.h + - kem.h + - params.h + - polyvec.h + - verify.h + - source: + scheme: kyber1024 + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - ntt.h + - poly.h + - polyvec.h + - reduce.h + - symmetric.h + - verify.h + - cbd.c + - indcpa.c + - kem.c + - ntt.c + - reduce.c + - symmetric-shake.c + - verify.c + - source: + scheme: kyber1024 + implementation: avx2 + files: + - 
cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h + - symmetric-shake.c + - source: + scheme: kyber1024-90s + implementation: clean + files: + - cbd.h + - indcpa.h + - kem.h + - ntt.h + - poly.h + - polyvec.h + - reduce.h + - verify.h + - cbd.c + - indcpa.c + - kem.c + - ntt.c + - reduce.c + - verify.c + - source: + scheme: kyber1024-90s + implementation: avx2 + files: + - cbd.h + - indcpa.h + - kem.h + - polyvec.h + - verify.h