mirror of
https://github.com/henrydcase/pqc.git
synced 2024-11-22 23:48:58 +00:00
Fix tidy for signing
This commit is contained in:
parent
64b0c8c8de
commit
6a8a9a0bf3
4
.gitattributes
vendored
4
.gitattributes
vendored
@ -1,6 +1,6 @@
|
|||||||
* text=auto
|
* text=auto
|
||||||
*.[ch] text whitespacestrict
|
*.[ch] text whitespacestrict
|
||||||
*.yaml text whitespacestrict
|
*.yaml text whitespacestrict
|
||||||
Makefile text whitespace="tabwidth=4,-tab-in-indent"
|
Makefile text whitespace="tabwidth=4,-tab-in-indent,indent-with-non-tab"
|
||||||
|
|
||||||
[attr]whitespacestrict whitespace="trailing-space,indent-with-non-tab,space-before-tab,tabwidth=4"
|
[attr]whitespacestrict whitespace="trailing-space,tab-in-indent,space-before-tab,tabwidth=4"
|
||||||
|
30
Makefile
30
Makefile
@ -1,7 +1,7 @@
|
|||||||
# This -Wall was supported by the European Commission through the ERC Starting Grant 805031 (EPOQUE)
|
# This -Wall was supported by the European Commission through the ERC Starting Grant 805031 (EPOQUE)
|
||||||
CFLAGS=-Wall -Wextra -Wpedantic -Werror -std=c99 $(EXTRAFLAGS)
|
CFLAGS=-Wall -Wextra -Wpedantic -Werror -std=c99 $(EXTRAFLAGS)
|
||||||
|
|
||||||
functest: require_scheme $(dir $(SCHEME))test.c $(wildcard $(SCHEME)/clean/*.c) $(wildcard $(SCHEME)/clean/*.h)
|
bin/functest_$(subst /,_,$(SCHEME)): $(dir $(SCHEME))test.c $(wildcard $(SCHEME)/clean/*.c) $(wildcard $(SCHEME)/clean/*.h) | require_scheme
|
||||||
mkdir -p bin
|
mkdir -p bin
|
||||||
$(CC) $(CFLAGS) \
|
$(CC) $(CFLAGS) \
|
||||||
-iquote "./common/" \
|
-iquote "./common/" \
|
||||||
@ -11,6 +11,13 @@ functest: require_scheme $(dir $(SCHEME))test.c $(wildcard $(SCHEME)/clean/*.c)
|
|||||||
$(SCHEME)/clean/*.c \
|
$(SCHEME)/clean/*.c \
|
||||||
$<
|
$<
|
||||||
|
|
||||||
|
.PHONY: functest
|
||||||
|
functest: bin/functest_$(subst /,_,$(SCHEME))
|
||||||
|
|
||||||
|
.PHONY: run-functest
|
||||||
|
run-functest: bin/functest_$(subst /,_,$(SCHEME))
|
||||||
|
./$<
|
||||||
|
|
||||||
.PHONY: clean
|
.PHONY: clean
|
||||||
clean:
|
clean:
|
||||||
rm -rf bin
|
rm -rf bin
|
||||||
@ -23,7 +30,7 @@ format:
|
|||||||
tidy: require_scheme
|
tidy: require_scheme
|
||||||
clang-tidy \
|
clang-tidy \
|
||||||
$(SCHEME)/clean/*.c \
|
$(SCHEME)/clean/*.c \
|
||||||
crypto_kem/test.c \
|
$(SCHEME)/../test.c \
|
||||||
common/*.c \
|
common/*.c \
|
||||||
$(.TIDY_FIX) \
|
$(.TIDY_FIX) \
|
||||||
-- -iquote "common/" -iquote "$(SCHEME)/clean"
|
-- -iquote "common/" -iquote "$(SCHEME)/clean"
|
||||||
@ -46,3 +53,22 @@ require_scheme:
|
|||||||
ifndef SCHEME
|
ifndef SCHEME
|
||||||
$(error The SCHEME variable is not set. Example: SCHEME=crypto_kem/kyber768)
|
$(error The SCHEME variable is not set. Example: SCHEME=crypto_kem/kyber768)
|
||||||
endif
|
endif
|
||||||
|
|
||||||
|
.PHONY: build-functests
|
||||||
|
build-functests:
|
||||||
|
find crypto_kem/ crypto_sign/ -mindepth 1 -maxdepth 1 -type d -exec make functest SCHEME={} \;
|
||||||
|
|
||||||
|
.PHONY: run-functests
|
||||||
|
run-functests:
|
||||||
|
find crypto_kem/ crypto_sign/ -mindepth 1 -maxdepth 1 -type d -exec make run-functest SCHEME={} \;
|
||||||
|
|
||||||
|
.PHONY: test-all
|
||||||
|
test-all: run-functests
|
||||||
|
|
||||||
|
.PHONY: tidy-all
|
||||||
|
tidy-all:
|
||||||
|
find crypto_kem/ crypto_sign/ -mindepth 1 -maxdepth 1 -type d -exec make tidy SCHEME={} \;
|
||||||
|
|
||||||
|
.PHONY: applytidy-all
|
||||||
|
apply-tidy-all:
|
||||||
|
find crypto_kem/ crypto_sign/ -mindepth 1 -maxdepth 1 -type d -exec make apply-tidy SCHEME={} \;
|
||||||
|
@ -50,16 +50,15 @@ static int test_keys(void) {
|
|||||||
|
|
||||||
if (memcmp(key_a + 8, key_b + 8, CRYPTO_BYTES) != 0) {
|
if (memcmp(key_a + 8, key_b + 8, CRYPTO_BYTES) != 0) {
|
||||||
printf("ERROR KEYS\n");
|
printf("ERROR KEYS\n");
|
||||||
} else if (check_canary(key_a) ||
|
return 1;
|
||||||
check_canary(key_a + sizeof(key_a) - 8) ||
|
}
|
||||||
check_canary(key_b) ||
|
if (check_canary(key_a) || check_canary(key_a + sizeof(key_a) - 8) ||
|
||||||
check_canary(key_b + sizeof(key_b) - 8) ||
|
check_canary(key_b) || check_canary(key_b + sizeof(key_b) - 8) ||
|
||||||
check_canary(pk) || check_canary(pk + sizeof(pk) - 8) ||
|
check_canary(pk) || check_canary(pk + sizeof(pk) - 8) ||
|
||||||
check_canary(sendb) ||
|
check_canary(sendb) || check_canary(sendb + sizeof(sendb) - 8) ||
|
||||||
check_canary(sendb + sizeof(sendb) - 8) ||
|
check_canary(sk_a) || check_canary(sk_a + sizeof(sk_a) - 8)) {
|
||||||
check_canary(sk_a) ||
|
|
||||||
check_canary(sk_a + sizeof(sk_a) - 8)) {
|
|
||||||
printf("ERROR canary overwritten\n");
|
printf("ERROR canary overwritten\n");
|
||||||
|
return 1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -88,6 +87,7 @@ static int test_invalid_sk_a(void) {
|
|||||||
|
|
||||||
if (!memcmp(key_a, key_b, CRYPTO_BYTES)) {
|
if (!memcmp(key_a, key_b, CRYPTO_BYTES)) {
|
||||||
printf("ERROR invalid sk_a\n");
|
printf("ERROR invalid sk_a\n");
|
||||||
|
return 1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -119,6 +119,7 @@ static int test_invalid_ciphertext(void) {
|
|||||||
|
|
||||||
if (!memcmp(key_a, key_b, CRYPTO_BYTES)) {
|
if (!memcmp(key_a, key_b, CRYPTO_BYTES)) {
|
||||||
printf("ERROR invalid ciphertext\n");
|
printf("ERROR invalid ciphertext\n");
|
||||||
|
return 1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -126,9 +127,13 @@ static int test_invalid_ciphertext(void) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
int main(void) {
|
int main(void) {
|
||||||
test_keys();
|
int result = 0;
|
||||||
test_invalid_sk_a();
|
result += test_keys();
|
||||||
test_invalid_ciphertext();
|
result += test_invalid_sk_a();
|
||||||
|
result += test_invalid_ciphertext();
|
||||||
|
|
||||||
return 0;
|
if (result != 0) {
|
||||||
|
puts("Errors occurred");
|
||||||
|
}
|
||||||
|
return result;
|
||||||
}
|
}
|
||||||
|
@ -16,13 +16,15 @@ void pack_pk(unsigned char pk[CRYPTO_PUBLICKEYBYTES],
|
|||||||
const unsigned char rho[SEEDBYTES], const polyveck *t1) {
|
const unsigned char rho[SEEDBYTES], const polyveck *t1) {
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
|
|
||||||
for (i = 0; i < SEEDBYTES; ++i)
|
for (i = 0; i < SEEDBYTES; ++i) {
|
||||||
pk[i] = rho[i];
|
pk[i] = rho[i];
|
||||||
|
}
|
||||||
pk += SEEDBYTES;
|
pk += SEEDBYTES;
|
||||||
|
|
||||||
for (i = 0; i < K; ++i)
|
for (i = 0; i < K; ++i) {
|
||||||
polyt1_pack(pk + i * POLT1_SIZE_PACKED, t1->vec + i);
|
polyt1_pack(pk + i * POLT1_SIZE_PACKED, t1->vec + i);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
* Name: unpack_pk
|
* Name: unpack_pk
|
||||||
@ -37,13 +39,15 @@ void unpack_pk(unsigned char rho[SEEDBYTES], polyveck *t1,
|
|||||||
const unsigned char pk[CRYPTO_PUBLICKEYBYTES]) {
|
const unsigned char pk[CRYPTO_PUBLICKEYBYTES]) {
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
|
|
||||||
for (i = 0; i < SEEDBYTES; ++i)
|
for (i = 0; i < SEEDBYTES; ++i) {
|
||||||
rho[i] = pk[i];
|
rho[i] = pk[i];
|
||||||
|
}
|
||||||
pk += SEEDBYTES;
|
pk += SEEDBYTES;
|
||||||
|
|
||||||
for (i = 0; i < K; ++i)
|
for (i = 0; i < K; ++i) {
|
||||||
polyt1_unpack(t1->vec + i, pk + i * POLT1_SIZE_PACKED);
|
polyt1_unpack(t1->vec + i, pk + i * POLT1_SIZE_PACKED);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
* Name: pack_sk
|
* Name: pack_sk
|
||||||
@ -65,29 +69,35 @@ void pack_sk(unsigned char sk[CRYPTO_SECRETKEYBYTES],
|
|||||||
const polyveck *s2, const polyveck *t0) {
|
const polyveck *s2, const polyveck *t0) {
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
|
|
||||||
for (i = 0; i < SEEDBYTES; ++i)
|
for (i = 0; i < SEEDBYTES; ++i) {
|
||||||
sk[i] = rho[i];
|
sk[i] = rho[i];
|
||||||
|
}
|
||||||
sk += SEEDBYTES;
|
sk += SEEDBYTES;
|
||||||
|
|
||||||
for (i = 0; i < SEEDBYTES; ++i)
|
for (i = 0; i < SEEDBYTES; ++i) {
|
||||||
sk[i] = key[i];
|
sk[i] = key[i];
|
||||||
|
}
|
||||||
sk += SEEDBYTES;
|
sk += SEEDBYTES;
|
||||||
|
|
||||||
for (i = 0; i < CRHBYTES; ++i)
|
for (i = 0; i < CRHBYTES; ++i) {
|
||||||
sk[i] = tr[i];
|
sk[i] = tr[i];
|
||||||
|
}
|
||||||
sk += CRHBYTES;
|
sk += CRHBYTES;
|
||||||
|
|
||||||
for (i = 0; i < L; ++i)
|
for (i = 0; i < L; ++i) {
|
||||||
polyeta_pack(sk + i * POLETA_SIZE_PACKED, s1->vec + i);
|
polyeta_pack(sk + i * POLETA_SIZE_PACKED, s1->vec + i);
|
||||||
|
}
|
||||||
sk += L * POLETA_SIZE_PACKED;
|
sk += L * POLETA_SIZE_PACKED;
|
||||||
|
|
||||||
for (i = 0; i < K; ++i)
|
for (i = 0; i < K; ++i) {
|
||||||
polyeta_pack(sk + i * POLETA_SIZE_PACKED, s2->vec + i);
|
polyeta_pack(sk + i * POLETA_SIZE_PACKED, s2->vec + i);
|
||||||
|
}
|
||||||
sk += K * POLETA_SIZE_PACKED;
|
sk += K * POLETA_SIZE_PACKED;
|
||||||
|
|
||||||
for (i = 0; i < K; ++i)
|
for (i = 0; i < K; ++i) {
|
||||||
polyt0_pack(sk + i * POLT0_SIZE_PACKED, t0->vec + i);
|
polyt0_pack(sk + i * POLT0_SIZE_PACKED, t0->vec + i);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
* Name: unpack_sk
|
* Name: unpack_sk
|
||||||
@ -107,29 +117,35 @@ void unpack_sk(unsigned char rho[SEEDBYTES], unsigned char key[SEEDBYTES],
|
|||||||
polyveck *t0, const unsigned char sk[CRYPTO_SECRETKEYBYTES]) {
|
polyveck *t0, const unsigned char sk[CRYPTO_SECRETKEYBYTES]) {
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
|
|
||||||
for (i = 0; i < SEEDBYTES; ++i)
|
for (i = 0; i < SEEDBYTES; ++i) {
|
||||||
rho[i] = sk[i];
|
rho[i] = sk[i];
|
||||||
|
}
|
||||||
sk += SEEDBYTES;
|
sk += SEEDBYTES;
|
||||||
|
|
||||||
for (i = 0; i < SEEDBYTES; ++i)
|
for (i = 0; i < SEEDBYTES; ++i) {
|
||||||
key[i] = sk[i];
|
key[i] = sk[i];
|
||||||
|
}
|
||||||
sk += SEEDBYTES;
|
sk += SEEDBYTES;
|
||||||
|
|
||||||
for (i = 0; i < CRHBYTES; ++i)
|
for (i = 0; i < CRHBYTES; ++i) {
|
||||||
tr[i] = sk[i];
|
tr[i] = sk[i];
|
||||||
|
}
|
||||||
sk += CRHBYTES;
|
sk += CRHBYTES;
|
||||||
|
|
||||||
for (i = 0; i < L; ++i)
|
for (i = 0; i < L; ++i) {
|
||||||
polyeta_unpack(s1->vec + i, sk + i * POLETA_SIZE_PACKED);
|
polyeta_unpack(s1->vec + i, sk + i * POLETA_SIZE_PACKED);
|
||||||
|
}
|
||||||
sk += L * POLETA_SIZE_PACKED;
|
sk += L * POLETA_SIZE_PACKED;
|
||||||
|
|
||||||
for (i = 0; i < K; ++i)
|
for (i = 0; i < K; ++i) {
|
||||||
polyeta_unpack(s2->vec + i, sk + i * POLETA_SIZE_PACKED);
|
polyeta_unpack(s2->vec + i, sk + i * POLETA_SIZE_PACKED);
|
||||||
|
}
|
||||||
sk += K * POLETA_SIZE_PACKED;
|
sk += K * POLETA_SIZE_PACKED;
|
||||||
|
|
||||||
for (i = 0; i < K; ++i)
|
for (i = 0; i < K; ++i) {
|
||||||
polyt0_unpack(t0->vec + i, sk + i * POLT0_SIZE_PACKED);
|
polyt0_unpack(t0->vec + i, sk + i * POLT0_SIZE_PACKED);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
* Name: pack_sig
|
* Name: pack_sig
|
||||||
@ -146,21 +162,25 @@ void pack_sig(unsigned char sig[CRYPTO_BYTES], const polyvecl *z,
|
|||||||
unsigned int i, j, k;
|
unsigned int i, j, k;
|
||||||
uint64_t signs, mask;
|
uint64_t signs, mask;
|
||||||
|
|
||||||
for (i = 0; i < L; ++i)
|
for (i = 0; i < L; ++i) {
|
||||||
polyz_pack(sig + i * POLZ_SIZE_PACKED, z->vec + i);
|
polyz_pack(sig + i * POLZ_SIZE_PACKED, z->vec + i);
|
||||||
|
}
|
||||||
sig += L * POLZ_SIZE_PACKED;
|
sig += L * POLZ_SIZE_PACKED;
|
||||||
|
|
||||||
/* Encode h */
|
/* Encode h */
|
||||||
k = 0;
|
k = 0;
|
||||||
for (i = 0; i < K; ++i) {
|
for (i = 0; i < K; ++i) {
|
||||||
for (j = 0; j < N; ++j)
|
for (j = 0; j < N; ++j) {
|
||||||
if (h->vec[i].coeffs[j] != 0)
|
if (h->vec[i].coeffs[j] != 0) {
|
||||||
sig[k++] = j;
|
sig[k++] = j;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
sig[OMEGA + i] = k;
|
sig[OMEGA + i] = k;
|
||||||
}
|
}
|
||||||
while (k < OMEGA)
|
while (k < OMEGA) {
|
||||||
sig[k++] = 0;
|
sig[k++] = 0;
|
||||||
|
}
|
||||||
sig += OMEGA + K;
|
sig += OMEGA + K;
|
||||||
|
|
||||||
/* Encode c */
|
/* Encode c */
|
||||||
@ -171,16 +191,18 @@ void pack_sig(unsigned char sig[CRYPTO_BYTES], const polyvecl *z,
|
|||||||
for (j = 0; j < 8; ++j) {
|
for (j = 0; j < 8; ++j) {
|
||||||
if (c->coeffs[8 * i + j] != 0) {
|
if (c->coeffs[8 * i + j] != 0) {
|
||||||
sig[i] |= (1U << j);
|
sig[i] |= (1U << j);
|
||||||
if (c->coeffs[8 * i + j] == (Q - 1))
|
if (c->coeffs[8 * i + j] == (Q - 1)) {
|
||||||
signs |= mask;
|
signs |= mask;
|
||||||
|
}
|
||||||
mask <<= 1;
|
mask <<= 1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
sig += N / 8;
|
sig += N / 8;
|
||||||
for (i = 0; i < 8; ++i)
|
for (i = 0; i < 8; ++i) {
|
||||||
sig[i] = signs >> 8 * i;
|
sig[i] = signs >> 8 * i;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
* Name: unpack_sig
|
* Name: unpack_sig
|
||||||
@ -200,23 +222,27 @@ int unpack_sig(polyvecl *z, polyveck *h, poly *c,
|
|||||||
unsigned int i, j, k;
|
unsigned int i, j, k;
|
||||||
uint64_t signs, mask;
|
uint64_t signs, mask;
|
||||||
|
|
||||||
for (i = 0; i < L; ++i)
|
for (i = 0; i < L; ++i) {
|
||||||
polyz_unpack(z->vec + i, sig + i * POLZ_SIZE_PACKED);
|
polyz_unpack(z->vec + i, sig + i * POLZ_SIZE_PACKED);
|
||||||
|
}
|
||||||
sig += L * POLZ_SIZE_PACKED;
|
sig += L * POLZ_SIZE_PACKED;
|
||||||
|
|
||||||
/* Decode h */
|
/* Decode h */
|
||||||
k = 0;
|
k = 0;
|
||||||
for (i = 0; i < K; ++i) {
|
for (i = 0; i < K; ++i) {
|
||||||
for (j = 0; j < N; ++j)
|
for (j = 0; j < N; ++j) {
|
||||||
h->vec[i].coeffs[j] = 0;
|
h->vec[i].coeffs[j] = 0;
|
||||||
|
}
|
||||||
|
|
||||||
if (sig[OMEGA + i] < k || sig[OMEGA + i] > OMEGA)
|
if (sig[OMEGA + i] < k || sig[OMEGA + i] > OMEGA) {
|
||||||
return 1;
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
for (j = k; j < sig[OMEGA + i]; ++j) {
|
for (j = k; j < sig[OMEGA + i]; ++j) {
|
||||||
/* Coefficients are ordered for strong unforgeability */
|
/* Coefficients are ordered for strong unforgeability */
|
||||||
if (j > k && sig[j] <= sig[j - 1])
|
if (j > k && sig[j] <= sig[j - 1]) {
|
||||||
return 1;
|
return 1;
|
||||||
|
}
|
||||||
h->vec[i].coeffs[sig[j]] = 1;
|
h->vec[i].coeffs[sig[j]] = 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -224,23 +250,28 @@ int unpack_sig(polyvecl *z, polyveck *h, poly *c,
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* Extra indices are zero for strong unforgeability */
|
/* Extra indices are zero for strong unforgeability */
|
||||||
for (j = k; j < OMEGA; ++j)
|
for (j = k; j < OMEGA; ++j) {
|
||||||
if (sig[j])
|
if (sig[j]) {
|
||||||
return 1;
|
return 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
sig += OMEGA + K;
|
sig += OMEGA + K;
|
||||||
|
|
||||||
/* Decode c */
|
/* Decode c */
|
||||||
for (i = 0; i < N; ++i)
|
for (i = 0; i < N; ++i) {
|
||||||
c->coeffs[i] = 0;
|
c->coeffs[i] = 0;
|
||||||
|
}
|
||||||
|
|
||||||
signs = 0;
|
signs = 0;
|
||||||
for (i = 0; i < 8; ++i)
|
for (i = 0; i < 8; ++i) {
|
||||||
signs |= (uint64_t)sig[N / 8 + i] << 8 * i;
|
signs |= (uint64_t)sig[N / 8 + i] << 8 * i;
|
||||||
|
}
|
||||||
|
|
||||||
/* Extra sign bits are zero for strong unforgeability */
|
/* Extra sign bits are zero for strong unforgeability */
|
||||||
if (signs >> 60)
|
if (signs >> 60) {
|
||||||
return 1;
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
mask = 1;
|
mask = 1;
|
||||||
for (i = 0; i < N / 8; ++i) {
|
for (i = 0; i < N / 8; ++i) {
|
||||||
|
@ -17,9 +17,10 @@
|
|||||||
void poly_reduce(poly *a) {
|
void poly_reduce(poly *a) {
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
|
|
||||||
for (i = 0; i < N; ++i)
|
for (i = 0; i < N; ++i) {
|
||||||
a->coeffs[i] = reduce32(a->coeffs[i]);
|
a->coeffs[i] = reduce32(a->coeffs[i]);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
* Name: poly_csubq
|
* Name: poly_csubq
|
||||||
@ -32,9 +33,10 @@ void poly_reduce(poly *a) {
|
|||||||
void poly_csubq(poly *a) {
|
void poly_csubq(poly *a) {
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
|
|
||||||
for (i = 0; i < N; ++i)
|
for (i = 0; i < N; ++i) {
|
||||||
a->coeffs[i] = csubq(a->coeffs[i]);
|
a->coeffs[i] = csubq(a->coeffs[i]);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
* Name: poly_freeze
|
* Name: poly_freeze
|
||||||
@ -47,9 +49,10 @@ void poly_csubq(poly *a) {
|
|||||||
void poly_freeze(poly *a) {
|
void poly_freeze(poly *a) {
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
|
|
||||||
for (i = 0; i < N; ++i)
|
for (i = 0; i < N; ++i) {
|
||||||
a->coeffs[i] = freeze(a->coeffs[i]);
|
a->coeffs[i] = freeze(a->coeffs[i]);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
* Name: poly_add
|
* Name: poly_add
|
||||||
@ -63,9 +66,10 @@ void poly_freeze(poly *a) {
|
|||||||
void poly_add(poly *c, const poly *a, const poly *b) {
|
void poly_add(poly *c, const poly *a, const poly *b) {
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
|
|
||||||
for (i = 0; i < N; ++i)
|
for (i = 0; i < N; ++i) {
|
||||||
c->coeffs[i] = a->coeffs[i] + b->coeffs[i];
|
c->coeffs[i] = a->coeffs[i] + b->coeffs[i];
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
* Name: poly_sub
|
* Name: poly_sub
|
||||||
@ -82,9 +86,10 @@ void poly_add(poly *c, const poly *a, const poly *b) {
|
|||||||
void poly_sub(poly *c, const poly *a, const poly *b) {
|
void poly_sub(poly *c, const poly *a, const poly *b) {
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
|
|
||||||
for (i = 0; i < N; ++i)
|
for (i = 0; i < N; ++i) {
|
||||||
c->coeffs[i] = a->coeffs[i] + 2 * Q - b->coeffs[i];
|
c->coeffs[i] = a->coeffs[i] + 2 * Q - b->coeffs[i];
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
* Name: poly_neg
|
* Name: poly_neg
|
||||||
@ -97,9 +102,10 @@ void poly_sub(poly *c, const poly *a, const poly *b) {
|
|||||||
void poly_neg(poly *a) {
|
void poly_neg(poly *a) {
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
|
|
||||||
for (i = 0; i < N; ++i)
|
for (i = 0; i < N; ++i) {
|
||||||
a->coeffs[i] = Q - a->coeffs[i];
|
a->coeffs[i] = Q - a->coeffs[i];
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
* Name: poly_shiftl
|
* Name: poly_shiftl
|
||||||
@ -113,9 +119,10 @@ void poly_neg(poly *a) {
|
|||||||
void poly_shiftl(poly *a, unsigned int k) {
|
void poly_shiftl(poly *a, unsigned int k) {
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
|
|
||||||
for (i = 0; i < N; ++i)
|
for (i = 0; i < N; ++i) {
|
||||||
a->coeffs[i] <<= k;
|
a->coeffs[i] <<= k;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
* Name: poly_ntt
|
* Name: poly_ntt
|
||||||
@ -156,9 +163,10 @@ void poly_invntt_montgomery(poly *a) {
|
|||||||
void poly_pointwise_invmontgomery(poly *c, const poly *a, const poly *b) {
|
void poly_pointwise_invmontgomery(poly *c, const poly *a, const poly *b) {
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
|
|
||||||
for (i = 0; i < N; ++i)
|
for (i = 0; i < N; ++i) {
|
||||||
c->coeffs[i] = montgomery_reduce((uint64_t)a->coeffs[i] * b->coeffs[i]);
|
c->coeffs[i] = montgomery_reduce((uint64_t)a->coeffs[i] * b->coeffs[i]);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
* Name: poly_power2round
|
* Name: poly_power2round
|
||||||
@ -176,9 +184,10 @@ void poly_pointwise_invmontgomery(poly *c, const poly *a, const poly *b) {
|
|||||||
void poly_power2round(poly *a1, poly *a0, const poly *a) {
|
void poly_power2round(poly *a1, poly *a0, const poly *a) {
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
|
|
||||||
for (i = 0; i < N; ++i)
|
for (i = 0; i < N; ++i) {
|
||||||
a1->coeffs[i] = power2round(a->coeffs[i], a0->coeffs + i);
|
a1->coeffs[i] = power2round(a->coeffs[i], a0->coeffs + i);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
* Name: poly_decompose
|
* Name: poly_decompose
|
||||||
@ -197,9 +206,10 @@ void poly_power2round(poly *a1, poly *a0, const poly *a) {
|
|||||||
void poly_decompose(poly *a1, poly *a0, const poly *a) {
|
void poly_decompose(poly *a1, poly *a0, const poly *a) {
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
|
|
||||||
for (i = 0; i < N; ++i)
|
for (i = 0; i < N; ++i) {
|
||||||
a1->coeffs[i] = decompose(a->coeffs[i], a0->coeffs + i);
|
a1->coeffs[i] = decompose(a->coeffs[i], a0->coeffs + i);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
* Name: poly_make_hint
|
* Name: poly_make_hint
|
||||||
@ -237,9 +247,10 @@ unsigned int poly_make_hint(poly *h, const poly *a, const poly *b) {
|
|||||||
void poly_use_hint(poly *a, const poly *b, const poly *h) {
|
void poly_use_hint(poly *a, const poly *b, const poly *h) {
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
|
|
||||||
for (i = 0; i < N; ++i)
|
for (i = 0; i < N; ++i) {
|
||||||
a->coeffs[i] = use_hint(b->coeffs[i], h->coeffs[i]);
|
a->coeffs[i] = use_hint(b->coeffs[i], h->coeffs[i]);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
* Name: poly_chknorm
|
* Name: poly_chknorm
|
||||||
@ -293,10 +304,11 @@ void poly_uniform(poly *a, const unsigned char *buf) {
|
|||||||
t |= (uint32_t)buf[pos++] << 16;
|
t |= (uint32_t)buf[pos++] << 16;
|
||||||
t &= 0x7FFFFF;
|
t &= 0x7FFFFF;
|
||||||
|
|
||||||
if (t < Q)
|
if (t < Q) {
|
||||||
a->coeffs[ctr++] = t;
|
a->coeffs[ctr++] = t;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
* Name: rej_eta
|
* Name: rej_eta
|
||||||
@ -330,11 +342,13 @@ static unsigned int rej_eta(uint32_t *a, unsigned int len,
|
|||||||
t1 = buf[pos++] >> 4;
|
t1 = buf[pos++] >> 4;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if (t0 <= 2 * ETA)
|
if (t0 <= 2 * ETA) {
|
||||||
a[ctr++] = Q + ETA - t0;
|
a[ctr++] = Q + ETA - t0;
|
||||||
if (t1 <= 2 * ETA && ctr < len)
|
}
|
||||||
|
if (t1 <= 2 * ETA && ctr < len) {
|
||||||
a[ctr++] = Q + ETA - t1;
|
a[ctr++] = Q + ETA - t1;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
return ctr;
|
return ctr;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -359,8 +373,9 @@ void poly_uniform_eta(poly *a, const unsigned char seed[SEEDBYTES],
|
|||||||
unsigned char outbuf[2 * SHAKE256_RATE];
|
unsigned char outbuf[2 * SHAKE256_RATE];
|
||||||
uint64_t state[25];
|
uint64_t state[25];
|
||||||
|
|
||||||
for (i = 0; i < SEEDBYTES; ++i)
|
for (i = 0; i < SEEDBYTES; ++i) {
|
||||||
inbuf[i] = seed[i];
|
inbuf[i] = seed[i];
|
||||||
|
}
|
||||||
inbuf[SEEDBYTES] = nonce;
|
inbuf[SEEDBYTES] = nonce;
|
||||||
|
|
||||||
shake256_absorb(state, inbuf, SEEDBYTES + 1);
|
shake256_absorb(state, inbuf, SEEDBYTES + 1);
|
||||||
@ -410,11 +425,13 @@ static unsigned int rej_gamma1m1(uint32_t *a, unsigned int len,
|
|||||||
|
|
||||||
pos += 5;
|
pos += 5;
|
||||||
|
|
||||||
if (t0 <= 2 * GAMMA1 - 2)
|
if (t0 <= 2 * GAMMA1 - 2) {
|
||||||
a[ctr++] = Q + GAMMA1 - 1 - t0;
|
a[ctr++] = Q + GAMMA1 - 1 - t0;
|
||||||
if (t1 <= 2 * GAMMA1 - 2 && ctr < len)
|
}
|
||||||
|
if (t1 <= 2 * GAMMA1 - 2 && ctr < len) {
|
||||||
a[ctr++] = Q + GAMMA1 - 1 - t1;
|
a[ctr++] = Q + GAMMA1 - 1 - t1;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return ctr;
|
return ctr;
|
||||||
}
|
}
|
||||||
@ -441,8 +458,9 @@ void poly_uniform_gamma1m1(poly *a,
|
|||||||
unsigned char outbuf[5 * SHAKE256_RATE];
|
unsigned char outbuf[5 * SHAKE256_RATE];
|
||||||
uint64_t state[25];
|
uint64_t state[25];
|
||||||
|
|
||||||
for (i = 0; i < SEEDBYTES + CRHBYTES; ++i)
|
for (i = 0; i < SEEDBYTES + CRHBYTES; ++i) {
|
||||||
inbuf[i] = seed[i];
|
inbuf[i] = seed[i];
|
||||||
|
}
|
||||||
inbuf[SEEDBYTES + CRHBYTES] = nonce & 0xFF;
|
inbuf[SEEDBYTES + CRHBYTES] = nonce & 0xFF;
|
||||||
inbuf[SEEDBYTES + CRHBYTES + 1] = nonce >> 8;
|
inbuf[SEEDBYTES + CRHBYTES + 1] = nonce >> 8;
|
||||||
|
|
||||||
@ -761,6 +779,7 @@ void polyz_unpack(poly *r, const unsigned char *a) {
|
|||||||
void polyw1_pack(unsigned char *r, const poly *a) {
|
void polyw1_pack(unsigned char *r, const poly *a) {
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
|
|
||||||
for (i = 0; i < N / 2; ++i)
|
for (i = 0; i < N / 2; ++i) {
|
||||||
r[i] = a->coeffs[2 * i + 0] | (a->coeffs[2 * i + 1] << 4);
|
r[i] = a->coeffs[2 * i + 0] | (a->coeffs[2 * i + 1] << 4);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
@ -18,9 +18,10 @@
|
|||||||
void polyvecl_freeze(polyvecl *v) {
|
void polyvecl_freeze(polyvecl *v) {
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
|
|
||||||
for (i = 0; i < L; ++i)
|
for (i = 0; i < L; ++i) {
|
||||||
poly_freeze(v->vec + i);
|
poly_freeze(v->vec + i);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
* Name: polyvecl_add
|
* Name: polyvecl_add
|
||||||
@ -35,9 +36,10 @@ void polyvecl_freeze(polyvecl *v) {
|
|||||||
void polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v) {
|
void polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v) {
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
|
|
||||||
for (i = 0; i < L; ++i)
|
for (i = 0; i < L; ++i) {
|
||||||
poly_add(w->vec + i, u->vec + i, v->vec + i);
|
poly_add(w->vec + i, u->vec + i, v->vec + i);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
* Name: polyvecl_ntt
|
* Name: polyvecl_ntt
|
||||||
@ -50,9 +52,10 @@ void polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v) {
|
|||||||
void polyvecl_ntt(polyvecl *v) {
|
void polyvecl_ntt(polyvecl *v) {
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
|
|
||||||
for (i = 0; i < L; ++i)
|
for (i = 0; i < L; ++i) {
|
||||||
poly_ntt(v->vec + i);
|
poly_ntt(v->vec + i);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
* Name: polyvecl_pointwise_acc_invmontgomery
|
* Name: polyvecl_pointwise_acc_invmontgomery
|
||||||
@ -96,8 +99,9 @@ int polyvecl_chknorm(const polyvecl *v, uint32_t bound) {
|
|||||||
unsigned int i;
|
unsigned int i;
|
||||||
int ret = 0;
|
int ret = 0;
|
||||||
|
|
||||||
for (i = 0; i < L; ++i)
|
for (i = 0; i < L; ++i) {
|
||||||
ret |= poly_chknorm(v->vec + i, bound);
|
ret |= poly_chknorm(v->vec + i, bound);
|
||||||
|
}
|
||||||
|
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
@ -117,9 +121,10 @@ int polyvecl_chknorm(const polyvecl *v, uint32_t bound) {
|
|||||||
void polyveck_reduce(polyveck *v) {
|
void polyveck_reduce(polyveck *v) {
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
|
|
||||||
for (i = 0; i < K; ++i)
|
for (i = 0; i < K; ++i) {
|
||||||
poly_reduce(v->vec + i);
|
poly_reduce(v->vec + i);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
* Name: polyveck_csubq
|
* Name: polyveck_csubq
|
||||||
@ -132,9 +137,10 @@ void polyveck_reduce(polyveck *v) {
|
|||||||
void polyveck_csubq(polyveck *v) {
|
void polyveck_csubq(polyveck *v) {
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
|
|
||||||
for (i = 0; i < K; ++i)
|
for (i = 0; i < K; ++i) {
|
||||||
poly_csubq(v->vec + i);
|
poly_csubq(v->vec + i);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
* Name: polyveck_freeze
|
* Name: polyveck_freeze
|
||||||
@ -147,9 +153,10 @@ void polyveck_csubq(polyveck *v) {
|
|||||||
void polyveck_freeze(polyveck *v) {
|
void polyveck_freeze(polyveck *v) {
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
|
|
||||||
for (i = 0; i < K; ++i)
|
for (i = 0; i < K; ++i) {
|
||||||
poly_freeze(v->vec + i);
|
poly_freeze(v->vec + i);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
* Name: polyveck_add
|
* Name: polyveck_add
|
||||||
@ -164,9 +171,10 @@ void polyveck_freeze(polyveck *v) {
|
|||||||
void polyveck_add(polyveck *w, const polyveck *u, const polyveck *v) {
|
void polyveck_add(polyveck *w, const polyveck *u, const polyveck *v) {
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
|
|
||||||
for (i = 0; i < K; ++i)
|
for (i = 0; i < K; ++i) {
|
||||||
poly_add(w->vec + i, u->vec + i, v->vec + i);
|
poly_add(w->vec + i, u->vec + i, v->vec + i);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
* Name: polyveck_sub
|
* Name: polyveck_sub
|
||||||
@ -183,9 +191,10 @@ void polyveck_add(polyveck *w, const polyveck *u, const polyveck *v) {
|
|||||||
void polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v) {
|
void polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v) {
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
|
|
||||||
for (i = 0; i < K; ++i)
|
for (i = 0; i < K; ++i) {
|
||||||
poly_sub(w->vec + i, u->vec + i, v->vec + i);
|
poly_sub(w->vec + i, u->vec + i, v->vec + i);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
* Name: polyveck_shiftl
|
* Name: polyveck_shiftl
|
||||||
@ -199,9 +208,10 @@ void polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v) {
|
|||||||
void polyveck_shiftl(polyveck *v, unsigned int k) {
|
void polyveck_shiftl(polyveck *v, unsigned int k) {
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
|
|
||||||
for (i = 0; i < K; ++i)
|
for (i = 0; i < K; ++i) {
|
||||||
poly_shiftl(v->vec + i, k);
|
poly_shiftl(v->vec + i, k);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
* Name: polyveck_ntt
|
* Name: polyveck_ntt
|
||||||
@ -214,9 +224,10 @@ void polyveck_shiftl(polyveck *v, unsigned int k) {
|
|||||||
void polyveck_ntt(polyveck *v) {
|
void polyveck_ntt(polyveck *v) {
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
|
|
||||||
for (i = 0; i < K; ++i)
|
for (i = 0; i < K; ++i) {
|
||||||
poly_ntt(v->vec + i);
|
poly_ntt(v->vec + i);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
* Name: polyveck_invntt_montgomery
|
* Name: polyveck_invntt_montgomery
|
||||||
@ -230,9 +241,10 @@ void polyveck_ntt(polyveck *v) {
|
|||||||
void polyveck_invntt_montgomery(polyveck *v) {
|
void polyveck_invntt_montgomery(polyveck *v) {
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
|
|
||||||
for (i = 0; i < K; ++i)
|
for (i = 0; i < K; ++i) {
|
||||||
poly_invntt_montgomery(v->vec + i);
|
poly_invntt_montgomery(v->vec + i);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
* Name: polyveck_chknorm
|
* Name: polyveck_chknorm
|
||||||
@ -250,8 +262,9 @@ int polyveck_chknorm(const polyveck *v, uint32_t bound) {
|
|||||||
unsigned int i;
|
unsigned int i;
|
||||||
int ret = 0;
|
int ret = 0;
|
||||||
|
|
||||||
for (i = 0; i < K; ++i)
|
for (i = 0; i < K; ++i) {
|
||||||
ret |= poly_chknorm(v->vec + i, bound);
|
ret |= poly_chknorm(v->vec + i, bound);
|
||||||
|
}
|
||||||
|
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
@ -273,9 +286,10 @@ int polyveck_chknorm(const polyveck *v, uint32_t bound) {
|
|||||||
void polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v) {
|
void polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v) {
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
|
|
||||||
for (i = 0; i < K; ++i)
|
for (i = 0; i < K; ++i) {
|
||||||
poly_power2round(v1->vec + i, v0->vec + i, v->vec + i);
|
poly_power2round(v1->vec + i, v0->vec + i, v->vec + i);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
* Name: polyveck_decompose
|
* Name: polyveck_decompose
|
||||||
@ -295,9 +309,10 @@ void polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v) {
|
|||||||
void polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v) {
|
void polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v) {
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
|
|
||||||
for (i = 0; i < K; ++i)
|
for (i = 0; i < K; ++i) {
|
||||||
poly_decompose(v1->vec + i, v0->vec + i, v->vec + i);
|
poly_decompose(v1->vec + i, v0->vec + i, v->vec + i);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
* Name: polyveck_make_hint
|
* Name: polyveck_make_hint
|
||||||
@ -314,8 +329,9 @@ unsigned int polyveck_make_hint(polyveck *h, const polyveck *u,
|
|||||||
const polyveck *v) {
|
const polyveck *v) {
|
||||||
unsigned int i, s = 0;
|
unsigned int i, s = 0;
|
||||||
|
|
||||||
for (i = 0; i < K; ++i)
|
for (i = 0; i < K; ++i) {
|
||||||
s += poly_make_hint(h->vec + i, u->vec + i, v->vec + i);
|
s += poly_make_hint(h->vec + i, u->vec + i, v->vec + i);
|
||||||
|
}
|
||||||
|
|
||||||
return s;
|
return s;
|
||||||
}
|
}
|
||||||
@ -333,6 +349,7 @@ unsigned int polyveck_make_hint(polyveck *h, const polyveck *u,
|
|||||||
void polyveck_use_hint(polyveck *w, const polyveck *u, const polyveck *h) {
|
void polyveck_use_hint(polyveck *w, const polyveck *u, const polyveck *h) {
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
|
|
||||||
for (i = 0; i < K; ++i)
|
for (i = 0; i < K; ++i) {
|
||||||
poly_use_hint(w->vec + i, u->vec + i, h->vec + i);
|
poly_use_hint(w->vec + i, u->vec + i, h->vec + i);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
@ -42,6 +42,6 @@ void polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v);
|
|||||||
void polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v);
|
void polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v);
|
||||||
unsigned int polyveck_make_hint(polyveck *h, const polyveck *u,
|
unsigned int polyveck_make_hint(polyveck *h, const polyveck *u,
|
||||||
const polyveck *v);
|
const polyveck *v);
|
||||||
void polyveck_use_hint(polyveck *w, const polyveck *v, const polyveck *h);
|
void polyveck_use_hint(polyveck *w, const polyveck *u, const polyveck *h);
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
@ -97,12 +97,14 @@ uint32_t use_hint(const uint32_t a, const unsigned int hint) {
|
|||||||
uint32_t a0, a1;
|
uint32_t a0, a1;
|
||||||
|
|
||||||
a1 = decompose(a, &a0);
|
a1 = decompose(a, &a0);
|
||||||
if (hint == 0)
|
if (hint == 0) {
|
||||||
return a1;
|
return a1;
|
||||||
else if (a0 > Q)
|
}
|
||||||
|
if (a0 > Q) {
|
||||||
return (a1 + 1) & 0xF;
|
return (a1 + 1) & 0xF;
|
||||||
else
|
} else {
|
||||||
return (a1 - 1) & 0xF;
|
return (a1 - 1) & 0xF;
|
||||||
|
}
|
||||||
|
|
||||||
/* If decompose does not divide out ALPHA:
|
/* If decompose does not divide out ALPHA:
|
||||||
if(hint == 0)
|
if(hint == 0)
|
||||||
|
@ -3,9 +3,9 @@
|
|||||||
|
|
||||||
#include <stdint.h>
|
#include <stdint.h>
|
||||||
|
|
||||||
uint32_t power2round(const uint32_t a, uint32_t *a0);
|
uint32_t power2round(uint32_t a, uint32_t *a0);
|
||||||
uint32_t decompose(uint32_t a, uint32_t *a0);
|
uint32_t decompose(uint32_t a, uint32_t *a0);
|
||||||
unsigned int make_hint(const uint32_t a, const uint32_t b);
|
unsigned int make_hint(uint32_t a, uint32_t b);
|
||||||
uint32_t use_hint(const uint32_t a, const unsigned int hint);
|
uint32_t use_hint(uint32_t a, unsigned int hint);
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
@ -26,8 +26,9 @@ void expand_mat(polyvecl mat[K], const unsigned char rho[SEEDBYTES]) {
|
|||||||
* Probability that we need more than 6 blocks: < 2^{-546}. */
|
* Probability that we need more than 6 blocks: < 2^{-546}. */
|
||||||
unsigned char outbuf[5 * SHAKE128_RATE];
|
unsigned char outbuf[5 * SHAKE128_RATE];
|
||||||
|
|
||||||
for (i = 0; i < SEEDBYTES; ++i)
|
for (i = 0; i < SEEDBYTES; ++i) {
|
||||||
inbuf[i] = rho[i];
|
inbuf[i] = rho[i];
|
||||||
|
}
|
||||||
|
|
||||||
for (i = 0; i < K; ++i) {
|
for (i = 0; i < K; ++i) {
|
||||||
for (j = 0; j < L; ++j) {
|
for (j = 0; j < L; ++j) {
|
||||||
@ -55,23 +56,27 @@ void challenge(poly *c, const unsigned char mu[CRHBYTES], const polyveck *w1) {
|
|||||||
unsigned char outbuf[SHAKE256_RATE];
|
unsigned char outbuf[SHAKE256_RATE];
|
||||||
uint64_t state[25], signs, mask;
|
uint64_t state[25], signs, mask;
|
||||||
|
|
||||||
for (i = 0; i < CRHBYTES; ++i)
|
for (i = 0; i < CRHBYTES; ++i) {
|
||||||
inbuf[i] = mu[i];
|
inbuf[i] = mu[i];
|
||||||
for (i = 0; i < K; ++i)
|
}
|
||||||
|
for (i = 0; i < K; ++i) {
|
||||||
polyw1_pack(inbuf + CRHBYTES + i * POLW1_SIZE_PACKED, w1->vec + i);
|
polyw1_pack(inbuf + CRHBYTES + i * POLW1_SIZE_PACKED, w1->vec + i);
|
||||||
|
}
|
||||||
|
|
||||||
shake256_absorb(state, inbuf, sizeof(inbuf));
|
shake256_absorb(state, inbuf, sizeof(inbuf));
|
||||||
shake256_squeezeblocks(outbuf, 1, state);
|
shake256_squeezeblocks(outbuf, 1, state);
|
||||||
|
|
||||||
signs = 0;
|
signs = 0;
|
||||||
for (i = 0; i < 8; ++i)
|
for (i = 0; i < 8; ++i) {
|
||||||
signs |= (uint64_t)outbuf[i] << 8 * i;
|
signs |= (uint64_t)outbuf[i] << 8 * i;
|
||||||
|
}
|
||||||
|
|
||||||
pos = 8;
|
pos = 8;
|
||||||
mask = 1;
|
mask = 1;
|
||||||
|
|
||||||
for (i = 0; i < N; ++i)
|
for (i = 0; i < N; ++i) {
|
||||||
c->coeffs[i] = 0;
|
c->coeffs[i] = 0;
|
||||||
|
}
|
||||||
|
|
||||||
for (i = 196; i < 256; ++i) {
|
for (i = 196; i < 256; ++i) {
|
||||||
do {
|
do {
|
||||||
@ -122,10 +127,12 @@ int crypto_sign_keypair(unsigned char *pk, unsigned char *sk) {
|
|||||||
expand_mat(mat, rho);
|
expand_mat(mat, rho);
|
||||||
|
|
||||||
/* Sample short vectors s1 and s2 */
|
/* Sample short vectors s1 and s2 */
|
||||||
for (i = 0; i < L; ++i)
|
for (i = 0; i < L; ++i) {
|
||||||
poly_uniform_eta(s1.vec + i, rhoprime, nonce++);
|
poly_uniform_eta(s1.vec + i, rhoprime, nonce++);
|
||||||
for (i = 0; i < K; ++i)
|
}
|
||||||
|
for (i = 0; i < K; ++i) {
|
||||||
poly_uniform_eta(s2.vec + i, rhoprime, nonce++);
|
poly_uniform_eta(s2.vec + i, rhoprime, nonce++);
|
||||||
|
}
|
||||||
|
|
||||||
/* Matrix-vector multiplication */
|
/* Matrix-vector multiplication */
|
||||||
s1hat = s1;
|
s1hat = s1;
|
||||||
@ -173,7 +180,7 @@ int crypto_sign(unsigned char *sm, unsigned long long *smlen,
|
|||||||
unsigned long long i, j;
|
unsigned long long i, j;
|
||||||
unsigned int n;
|
unsigned int n;
|
||||||
unsigned char
|
unsigned char
|
||||||
seedbuf[2 * SEEDBYTES + CRHBYTES]; // TODO: nonce in seedbuf (2x)
|
seedbuf[2 * SEEDBYTES + CRHBYTES]; // TODO(thom): nonce in seedbuf (2x)
|
||||||
unsigned char tr[CRHBYTES];
|
unsigned char tr[CRHBYTES];
|
||||||
unsigned char *rho, *key, *mu;
|
unsigned char *rho, *key, *mu;
|
||||||
uint16_t nonce = 0;
|
uint16_t nonce = 0;
|
||||||
@ -189,10 +196,12 @@ int crypto_sign(unsigned char *sm, unsigned long long *smlen,
|
|||||||
|
|
||||||
/* Copy tr and message into the sm buffer,
|
/* Copy tr and message into the sm buffer,
|
||||||
* backwards since m and sm can be equal in SUPERCOP API */
|
* backwards since m and sm can be equal in SUPERCOP API */
|
||||||
for (i = 1; i <= mlen; ++i)
|
for (i = 1; i <= mlen; ++i) {
|
||||||
sm[CRYPTO_BYTES + mlen - i] = m[mlen - i];
|
sm[CRYPTO_BYTES + mlen - i] = m[mlen - i];
|
||||||
for (i = 0; i < CRHBYTES; ++i)
|
}
|
||||||
|
for (i = 0; i < CRHBYTES; ++i) {
|
||||||
sm[CRYPTO_BYTES - CRHBYTES + i] = tr[i];
|
sm[CRYPTO_BYTES - CRHBYTES + i] = tr[i];
|
||||||
|
}
|
||||||
|
|
||||||
/* Compute CRH(tr, msg) */
|
/* Compute CRH(tr, msg) */
|
||||||
shake256(mu, CRHBYTES, sm + CRYPTO_BYTES - CRHBYTES, CRHBYTES + mlen);
|
shake256(mu, CRHBYTES, sm + CRYPTO_BYTES - CRHBYTES, CRHBYTES + mlen);
|
||||||
@ -205,8 +214,9 @@ int crypto_sign(unsigned char *sm, unsigned long long *smlen,
|
|||||||
|
|
||||||
rej:
|
rej:
|
||||||
/* Sample intermediate vector y */
|
/* Sample intermediate vector y */
|
||||||
for (i = 0; i < L; ++i)
|
for (i = 0; i < L; ++i) {
|
||||||
poly_uniform_gamma1m1(y.vec + i, key, nonce++);
|
poly_uniform_gamma1m1(y.vec + i, key, nonce++);
|
||||||
|
}
|
||||||
|
|
||||||
/* Matrix-vector multiplication */
|
/* Matrix-vector multiplication */
|
||||||
yhat = y;
|
yhat = y;
|
||||||
@ -231,8 +241,9 @@ rej:
|
|||||||
}
|
}
|
||||||
polyvecl_add(&z, &z, &y);
|
polyvecl_add(&z, &z, &y);
|
||||||
polyvecl_freeze(&z);
|
polyvecl_freeze(&z);
|
||||||
if (polyvecl_chknorm(&z, GAMMA1 - BETA))
|
if (polyvecl_chknorm(&z, GAMMA1 - BETA)) {
|
||||||
goto rej;
|
goto rej;
|
||||||
|
}
|
||||||
|
|
||||||
/* Compute w - cs2, reject if w1 can not be computed from it */
|
/* Compute w - cs2, reject if w1 can not be computed from it */
|
||||||
for (i = 0; i < K; ++i) {
|
for (i = 0; i < K; ++i) {
|
||||||
@ -243,13 +254,17 @@ rej:
|
|||||||
polyveck_freeze(&wcs2);
|
polyveck_freeze(&wcs2);
|
||||||
polyveck_decompose(&tmp, &wcs20, &wcs2);
|
polyveck_decompose(&tmp, &wcs20, &wcs2);
|
||||||
polyveck_csubq(&wcs20);
|
polyveck_csubq(&wcs20);
|
||||||
if (polyveck_chknorm(&wcs20, GAMMA2 - BETA))
|
if (polyveck_chknorm(&wcs20, GAMMA2 - BETA)) {
|
||||||
goto rej;
|
goto rej;
|
||||||
|
}
|
||||||
|
|
||||||
for (i = 0; i < K; ++i)
|
for (i = 0; i < K; ++i) {
|
||||||
for (j = 0; j < N; ++j)
|
for (j = 0; j < N; ++j) {
|
||||||
if (tmp.vec[i].coeffs[j] != w1.vec[i].coeffs[j])
|
if (tmp.vec[i].coeffs[j] != w1.vec[i].coeffs[j]) {
|
||||||
goto rej;
|
goto rej;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/* Compute hints for w1 */
|
/* Compute hints for w1 */
|
||||||
for (i = 0; i < K; ++i) {
|
for (i = 0; i < K; ++i) {
|
||||||
@ -258,14 +273,16 @@ rej:
|
|||||||
}
|
}
|
||||||
|
|
||||||
polyveck_csubq(&ct0);
|
polyveck_csubq(&ct0);
|
||||||
if (polyveck_chknorm(&ct0, GAMMA2))
|
if (polyveck_chknorm(&ct0, GAMMA2)) {
|
||||||
goto rej;
|
goto rej;
|
||||||
|
}
|
||||||
|
|
||||||
polyveck_add(&tmp, &wcs2, &ct0);
|
polyveck_add(&tmp, &wcs2, &ct0);
|
||||||
polyveck_csubq(&tmp);
|
polyveck_csubq(&tmp);
|
||||||
n = polyveck_make_hint(&h, &wcs2, &tmp);
|
n = polyveck_make_hint(&h, &wcs2, &tmp);
|
||||||
if (n > OMEGA)
|
if (n > OMEGA) {
|
||||||
goto rej;
|
goto rej;
|
||||||
|
}
|
||||||
|
|
||||||
/* Write signature */
|
/* Write signature */
|
||||||
pack_sig(sm, &z, &h, &c);
|
pack_sig(sm, &z, &h, &c);
|
||||||
@ -298,21 +315,26 @@ int crypto_sign_open(unsigned char *m, unsigned long long *mlen,
|
|||||||
polyvecl mat[K], z;
|
polyvecl mat[K], z;
|
||||||
polyveck t1, w1, h, tmp1, tmp2;
|
polyveck t1, w1, h, tmp1, tmp2;
|
||||||
|
|
||||||
if (smlen < CRYPTO_BYTES)
|
if (smlen < CRYPTO_BYTES) {
|
||||||
goto badsig;
|
goto badsig;
|
||||||
|
}
|
||||||
|
|
||||||
*mlen = smlen - CRYPTO_BYTES;
|
*mlen = smlen - CRYPTO_BYTES;
|
||||||
|
|
||||||
unpack_pk(rho, &t1, pk);
|
unpack_pk(rho, &t1, pk);
|
||||||
if (unpack_sig(&z, &h, &c, sm))
|
if (unpack_sig(&z, &h, &c, sm)) {
|
||||||
goto badsig;
|
goto badsig;
|
||||||
if (polyvecl_chknorm(&z, GAMMA1 - BETA))
|
}
|
||||||
|
if (polyvecl_chknorm(&z, GAMMA1 - BETA)) {
|
||||||
goto badsig;
|
goto badsig;
|
||||||
|
}
|
||||||
|
|
||||||
/* Compute CRH(CRH(rho, t1), msg) using m as "playground" buffer */
|
/* Compute CRH(CRH(rho, t1), msg) using m as "playground" buffer */
|
||||||
if (sm != m)
|
if (sm != m) {
|
||||||
for (i = 0; i < *mlen; ++i)
|
for (i = 0; i < *mlen; ++i) {
|
||||||
m[CRYPTO_BYTES + i] = sm[CRYPTO_BYTES + i];
|
m[CRYPTO_BYTES + i] = sm[CRYPTO_BYTES + i];
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
shake256(m + CRYPTO_BYTES - CRHBYTES, CRHBYTES, pk, CRYPTO_PUBLICKEYBYTES);
|
shake256(m + CRYPTO_BYTES - CRHBYTES, CRHBYTES, pk, CRYPTO_PUBLICKEYBYTES);
|
||||||
shake256(mu, CRHBYTES, m + CRYPTO_BYTES - CRHBYTES, CRHBYTES + *mlen);
|
shake256(mu, CRHBYTES, m + CRYPTO_BYTES - CRHBYTES, CRHBYTES + *mlen);
|
||||||
@ -320,15 +342,17 @@ int crypto_sign_open(unsigned char *m, unsigned long long *mlen,
|
|||||||
/* Matrix-vector multiplication; compute Az - c2^dt1 */
|
/* Matrix-vector multiplication; compute Az - c2^dt1 */
|
||||||
expand_mat(mat, rho);
|
expand_mat(mat, rho);
|
||||||
polyvecl_ntt(&z);
|
polyvecl_ntt(&z);
|
||||||
for (i = 0; i < K; ++i)
|
for (i = 0; i < K; ++i) {
|
||||||
polyvecl_pointwise_acc_invmontgomery(tmp1.vec + i, mat + i, &z);
|
polyvecl_pointwise_acc_invmontgomery(tmp1.vec + i, mat + i, &z);
|
||||||
|
}
|
||||||
|
|
||||||
chat = c;
|
chat = c;
|
||||||
poly_ntt(&chat);
|
poly_ntt(&chat);
|
||||||
polyveck_shiftl(&t1, D);
|
polyveck_shiftl(&t1, D);
|
||||||
polyveck_ntt(&t1);
|
polyveck_ntt(&t1);
|
||||||
for (i = 0; i < K; ++i)
|
for (i = 0; i < K; ++i) {
|
||||||
poly_pointwise_invmontgomery(tmp2.vec + i, &chat, t1.vec + i);
|
poly_pointwise_invmontgomery(tmp2.vec + i, &chat, t1.vec + i);
|
||||||
|
}
|
||||||
|
|
||||||
polyveck_sub(&tmp1, &tmp1, &tmp2);
|
polyveck_sub(&tmp1, &tmp1, &tmp2);
|
||||||
polyveck_reduce(&tmp1);
|
polyveck_reduce(&tmp1);
|
||||||
@ -340,21 +364,25 @@ int crypto_sign_open(unsigned char *m, unsigned long long *mlen,
|
|||||||
|
|
||||||
/* Call random oracle and verify challenge */
|
/* Call random oracle and verify challenge */
|
||||||
challenge(&cp, mu, &w1);
|
challenge(&cp, mu, &w1);
|
||||||
for (i = 0; i < N; ++i)
|
for (i = 0; i < N; ++i) {
|
||||||
if (c.coeffs[i] != cp.coeffs[i])
|
if (c.coeffs[i] != cp.coeffs[i]) {
|
||||||
goto badsig;
|
goto badsig;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/* All good, copy msg, return 0 */
|
/* All good, copy msg, return 0 */
|
||||||
for (i = 0; i < *mlen; ++i)
|
for (i = 0; i < *mlen; ++i) {
|
||||||
m[i] = sm[CRYPTO_BYTES + i];
|
m[i] = sm[CRYPTO_BYTES + i];
|
||||||
|
}
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
/* Signature verification failed */
|
/* Signature verification failed */
|
||||||
badsig:
|
badsig:
|
||||||
*mlen = (unsigned long long)-1;
|
*mlen = (unsigned long long)-1;
|
||||||
for (i = 0; i < smlen; ++i)
|
for (i = 0; i < smlen; ++i) {
|
||||||
m[i] = 0;
|
m[i] = 0;
|
||||||
|
}
|
||||||
|
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
@ -13,10 +13,10 @@ static void write_canary(unsigned char *d) {
|
|||||||
*((uint64_t *)d) = 0x0123456789ABCDEF;
|
*((uint64_t *)d) = 0x0123456789ABCDEF;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int check_canary(unsigned char *d) {
|
static int check_canary(const unsigned char *d) {
|
||||||
if (*(uint64_t *)d != 0x0123456789ABCDEF)
|
if (*(uint64_t *)d != 0x0123456789ABCDEF) {
|
||||||
return -1;
|
return -1;
|
||||||
else
|
}
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
static int test_sign(void) {
|
static int test_sign(void) {
|
||||||
@ -48,11 +48,14 @@ static int test_sign(void) {
|
|||||||
// twice
|
// twice
|
||||||
if (crypto_sign_open(sm + 8, &mlen, sm + 8, smlen, pk + 8)) {
|
if (crypto_sign_open(sm + 8, &mlen, sm + 8, smlen, pk + 8)) {
|
||||||
printf("ERROR Signature did not verify correctly!\n");
|
printf("ERROR Signature did not verify correctly!\n");
|
||||||
} else if (check_canary(pk) || check_canary(pk + sizeof(pk) - 8) ||
|
return 1;
|
||||||
|
}
|
||||||
|
if (check_canary(pk) || check_canary(pk + sizeof(pk) - 8) ||
|
||||||
check_canary(sk) || check_canary(sk + sizeof(sk) - 8) ||
|
check_canary(sk) || check_canary(sk + sizeof(sk) - 8) ||
|
||||||
check_canary(sm) || check_canary(sm + sizeof(sm) - 8) ||
|
check_canary(sm) || check_canary(sm + sizeof(sm) - 8) ||
|
||||||
check_canary(m) || check_canary(m + sizeof(m) - 8)) {
|
check_canary(m) || check_canary(m + sizeof(m) - 8)) {
|
||||||
printf("ERROR canary overwritten\n");
|
printf("ERROR canary overwritten\n");
|
||||||
|
return 1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -84,6 +87,7 @@ static int test_wrong_pk(void) {
|
|||||||
if (!crypto_sign_open(sm, &mlen, sm, smlen, pk2)) {
|
if (!crypto_sign_open(sm, &mlen, sm, smlen, pk2)) {
|
||||||
printf("ERROR Signature did verify correctly under wrong public "
|
printf("ERROR Signature did verify correctly under wrong public "
|
||||||
"key!\n");
|
"key!\n");
|
||||||
|
return 1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -91,8 +95,9 @@ static int test_wrong_pk(void) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
int main(void) {
|
int main(void) {
|
||||||
test_sign();
|
int result = 0;
|
||||||
test_wrong_pk();
|
result += test_sign();
|
||||||
|
result += test_wrong_pk();
|
||||||
|
|
||||||
return 0;
|
return result;
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user