From 7b5a4c494b053b05be52fe766dfc7c0f05f80f99 Mon Sep 17 00:00:00 2001
From: "John M. Schanck"
Date: Mon, 31 Aug 2020 10:22:31 -0400
Subject: [PATCH] NTRU Prime: Match the NIST submission's sequence of calls to randombytes
---
crypto_kem/ntrulpr653/avx2/kem.c | 18 ++++++++++++++++--
crypto_kem/ntrulpr653/clean/kem.c | 18 ++++++++++++++++--
crypto_kem/ntrulpr761/avx2/kem.c | 18 ++++++++++++++++--
crypto_kem/ntrulpr761/clean/kem.c | 18 ++++++++++++++++--
crypto_kem/ntrulpr857/avx2/kem.c | 18 ++++++++++++++++--
crypto_kem/ntrulpr857/clean/kem.c | 18 ++++++++++++++++--
crypto_kem/sntrup653/avx2/kem.c | 22 ++++++++++++++++++----
crypto_kem/sntrup653/clean/kem.c | 22 ++++++++++++++++++----
crypto_kem/sntrup761/avx2/kem.c | 22 ++++++++++++++++++----
crypto_kem/sntrup761/avx2/params.h | 2 +-
crypto_kem/sntrup761/clean/kem.c | 22 ++++++++++++++++++----
crypto_kem/sntrup761/clean/params.h | 2 +-
crypto_kem/sntrup857/avx2/kem.c | 22 ++++++++++++++++++----
crypto_kem/sntrup857/clean/kem.c | 22 ++++++++++++++++++----
14 files changed, 206 insertions(+), 38 deletions(-)
diff --git a/crypto_kem/ntrulpr653/avx2/kem.c b/crypto_kem/ntrulpr653/avx2/kem.c
index 70d6a0ce..19ae250f 100644
--- a/crypto_kem/ntrulpr653/avx2/kem.c
+++ b/crypto_kem/ntrulpr653/avx2/kem.c
@@ -107,11 +107,25 @@ static void Hash(unsigned char *out, const unsigned char *in, int inlen) {
 /* ----- higher-level randomness */
+static uint32 urandom32(void) {
+ unsigned char c[4];
+ uint32 out[4];
+
+ randombytes(c, 4);
+ out[0] = (uint32)c[0];
+ out[1] = ((uint32)c[1]) << 8;
+ out[2] = ((uint32)c[2]) << 16;
+ out[3] = ((uint32)c[3]) << 24;
+ return out[0] + out[1] + out[2] + out[3];
+}
+
 static void Short_random(small *out) {
 uint32 L[p];
+ int i;
- randombytes((unsigned char *) L, sizeof L);
- crypto_decode_pxint32(L, (unsigned char *) L);
+ for (i = 0; i < p; ++i) {
+ L[i] = urandom32();
+ }
 Short_fromlist(out, L);
 }
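Review bot: In the new urandom32 the result of randombytes(c, 4) is discarded, so if this project's randombytes can signal failure through its return value (I cannot see its declaration from here), a failed draw leaves c[] uninitialized and Short_random silently builds key material from stack garbage; the old bulk call had the same gap, but the per-word loop now repeats it p times. At minimum initialize the buffer, `unsigned char c[4] = {0};`, and consider propagating a non-zero status up to the caller rather than ignoring it. The per-word call pattern also deserves a why-comment above the function, e.g. `/* One randombytes() call per 32-bit word, mirroring the NIST reference so DRBG-driven KATs line up. */`, since a reader will otherwise assume it is an oversight.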
diff --git a/crypto_kem/ntrulpr653/clean/kem.c b/crypto_kem/ntrulpr653/clean/kem.c
index 1da750e0..6d4eaa4a 100644
--- a/crypto_kem/ntrulpr653/clean/kem.c
+++ b/crypto_kem/ntrulpr653/clean/kem.c
@@ -107,11 +107,25 @@ static void Hash(unsigned char *out, const unsigned char *in, int inlen) {
 /* ----- higher-level randomness */
+static uint32 urandom32(void) {
+ unsigned char c[4];
+ uint32 out[4];
+
+ randombytes(c, 4);
+ out[0] = (uint32)c[0];
+ out[1] = ((uint32)c[1]) << 8;
+ out[2] = ((uint32)c[2]) << 16;
+ out[3] = ((uint32)c[3]) << 24;
+ return out[0] + out[1] + out[2] + out[3];
+}
+
 static void Short_random(small *out) {
 uint32 L[p];
+ int i;
- randombytes((unsigned char *) L, sizeof L);
- crypto_decode_pxint32(L, (unsigned char *) L);
+ for (i = 0; i < p; ++i) {
+ L[i] = urandom32();
+ }
 Short_fromlist(out, L);
 }
diff --git a/crypto_kem/ntrulpr761/avx2/kem.c b/crypto_kem/ntrulpr761/avx2/kem.c
index 2c5dbbf6..e42cf7d0 100644
--- a/crypto_kem/ntrulpr761/avx2/kem.c
+++ b/crypto_kem/ntrulpr761/avx2/kem.c
@@ -107,11 +107,25 @@ static void Hash(unsigned char *out, const unsigned char *in, int inlen) {
 /* ----- higher-level randomness */
+static uint32 urandom32(void) {
+ unsigned char c[4];
+ uint32 out[4];
+
+ randombytes(c, 4);
+ out[0] = (uint32)c[0];
+ out[1] = ((uint32)c[1]) << 8;
+ out[2] = ((uint32)c[2]) << 16;
+ out[3] = ((uint32)c[3]) << 24;
+ return out[0] + out[1] + out[2] + out[3];
+}
+
 static void Short_random(small *out) {
 uint32 L[p];
+ int i;
- randombytes((unsigned char *) L, sizeof L);
- crypto_decode_pxint32(L, (unsigned char *) L);
+ for (i = 0; i < p; ++i) {
+ L[i] = urandom32();
+ }
 Short_fromlist(out, L);
 }
diff --git a/crypto_kem/ntrulpr761/clean/kem.c b/crypto_kem/ntrulpr761/clean/kem.c
index e2ecdd28..16f24b4a 100644
--- a/crypto_kem/ntrulpr761/clean/kem.c
+++ b/crypto_kem/ntrulpr761/clean/kem.c
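Review bot: The four-element `uint32 out[4]` scratch array in urandom32 exists only to be summed on the return line, which makes a reader pause over whether addition can carry between the fields; it cannot, because each byte is shifted into a disjoint 8-bit lane, but OR-ing a single expression says that directly. I would write `return (uint32)c[0] | ((uint32)c[1] << 8) | ((uint32)c[2] << 16) | ((uint32)c[3] << 24);` and drop the array. If the array form is kept on purpose to stay textually close to the NIST reference, a one-line comment saying so would stop the next reviewer from "simplifying" it.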
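Review bot: Short_random now issues p separate randombytes() calls of four bytes each where it previously made one call for the whole array, so if randombytes is backed by a system call per invocation (as it commonly is), each key generation or encapsulation now pays several hundred syscalls for this function alone. For a byte-stream RNG the word values are the same as the old little-endian decode produced; what changes is only the call granularity, which is presumably exactly what a block-oriented DRBG needs to reproduce the submission's KATs. That trade-off is worth recording next to the loop, e.g. `/* p calls of 4 bytes each, not one bulk call: the reference's DRBG call sequence is part of the KATs */`, so the cost is not "optimized away" later.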
@@ -107,11 +107,25 @@ static void Hash(unsigned char *out, const unsigned char *in, int inlen) {
 /* ----- higher-level randomness */
+static uint32 urandom32(void) {
+ unsigned char c[4];
+ uint32 out[4];
+
+ randombytes(c, 4);
+ out[0] = (uint32)c[0];
+ out[1] = ((uint32)c[1]) << 8;
+ out[2] = ((uint32)c[2]) << 16;
+ out[3] = ((uint32)c[3]) << 24;
+ return out[0] + out[1] + out[2] + out[3];
+}
+
 static void Short_random(small *out) {
 uint32 L[p];
+ int i;
- randombytes((unsigned char *) L, sizeof L);
- crypto_decode_pxint32(L, (unsigned char *) L);
+ for (i = 0; i < p; ++i) {
+ L[i] = urandom32();
+ }
 Short_fromlist(out, L);
 }
diff --git a/crypto_kem/ntrulpr857/avx2/kem.c b/crypto_kem/ntrulpr857/avx2/kem.c
index c13eebf7..4946b7a1 100644
--- a/crypto_kem/ntrulpr857/avx2/kem.c
+++ b/crypto_kem/ntrulpr857/avx2/kem.c
@@ -107,11 +107,25 @@ static void Hash(unsigned char *out, const unsigned char *in, int inlen) {
 /* ----- higher-level randomness */
+static uint32 urandom32(void) {
+ unsigned char c[4];
+ uint32 out[4];
+
+ randombytes(c, 4);
+ out[0] = (uint32)c[0];
+ out[1] = ((uint32)c[1]) << 8;
+ out[2] = ((uint32)c[2]) << 16;
+ out[3] = ((uint32)c[3]) << 24;
+ return out[0] + out[1] + out[2] + out[3];
+}
+
 static void Short_random(small *out) {
 uint32 L[p];
+ int i;
- randombytes((unsigned char *) L, sizeof L);
- crypto_decode_pxint32(L, (unsigned char *) L);
+ for (i = 0; i < p; ++i) {
+ L[i] = urandom32();
+ }
 Short_fromlist(out, L);
 }
diff --git a/crypto_kem/ntrulpr857/clean/kem.c b/crypto_kem/ntrulpr857/clean/kem.c
index 5fe4d188..3b7db820 100644
--- a/crypto_kem/ntrulpr857/clean/kem.c
+++ b/crypto_kem/ntrulpr857/clean/kem.c
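Review bot: The removed crypto_decode_pxint32 call made the byte order of the random words an explicit, named decoding step; the replacement urandom32 hard-codes little-endian assembly with shifts but says nothing about why that order matters. Since the whole point of the commit is bit-for-bit agreement with the submission's KATs, the function should state the contract it is reproducing, e.g. `/* Little-endian: byte 0 is the low octet, as crypto_decode_pxint32 did. */` above the first `out[0] =` line. Without that, a later "clean-up" to a host-order memcpy would pass every local test and still break the KATs on a big-endian target.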
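Review bot: This is the fifth identical copy of urandom32 in the patch (the six ntrulpr files and six sntrup files each carry one), and any future fix to it — a zeroed buffer, a checked return, a comment — now has to land twelve times. PQClean appears to keep each implementation directory self-contained, so a shared header may not be wanted, but if that is the policy a short note at the top of the function, `/* Keep in sync with the other NTRU Prime kem.c copies. */`, is the cheapest way to keep the twelve from drifting. If a common helper is acceptable in this tree, the function is small enough to live in one place.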
@@ -107,11 +107,25 @@ static void Hash(unsigned char *out, const unsigned char *in, int inlen) {
 /* ----- higher-level randomness */
+static uint32 urandom32(void) {
+ unsigned char c[4];
+ uint32 out[4];
+
+ randombytes(c, 4);
+ out[0] = (uint32)c[0];
+ out[1] = ((uint32)c[1]) << 8;
+ out[2] = ((uint32)c[2]) << 16;
+ out[3] = ((uint32)c[3]) << 24;
+ return out[0] + out[1] + out[2] + out[3];
+}
+
 static void Short_random(small *out) {
 uint32 L[p];
+ int i;
- randombytes((unsigned char *) L, sizeof L);
- crypto_decode_pxint32(L, (unsigned char *) L);
+ for (i = 0; i < p; ++i) {
+ L[i] = urandom32();
+ }
 Short_fromlist(out, L);
 }
diff --git a/crypto_kem/sntrup653/avx2/kem.c b/crypto_kem/sntrup653/avx2/kem.c
index b9c026c5..6c53b32e 100644
--- a/crypto_kem/sntrup653/avx2/kem.c
+++ b/crypto_kem/sntrup653/avx2/kem.c
@@ -73,12 +73,25 @@ static void Hash(unsigned char *out, const unsigned char *in, int inlen) {
 /* ----- higher-level randomness */
+static uint32 urandom32(void) {
+ unsigned char c[4];
+ uint32 out[4];
+
+ randombytes(c, 4);
+ out[0] = (uint32)c[0];
+ out[1] = ((uint32)c[1]) << 8;
+ out[2] = ((uint32)c[2]) << 16;
+ out[3] = ((uint32)c[3]) << 24;
+ return out[0] + out[1] + out[2] + out[3];
+}
+
 static void Short_random(small *out) {
 uint32 L[ppadsort];
 int i;
- randombytes((unsigned char *) L, 4 * p);
- crypto_decode_pxint32(L, (unsigned char *) L);
+ for (i = 0; i < ppadsort; ++i) {
+ L[i] = urandom32();
+ }
 for (i = 0; i < w; ++i) {
 L[i] = L[i] & (uint32) - 2;
 }
@@ -98,8 +111,9 @@ static void Small_random(small *out) {
 uint32 L[p];
 int i;
- randombytes((unsigned char *) L, sizeof L);
- crypto_decode_pxint32(L, (unsigned char *) L);
+ for (i = 0; i < p; ++i) {
+ L[i] = urandom32();
+ }
 for (i = 0; i < p; ++i) {
 out[i] = (((L[i] & 0x3fffffff) * 3) >> 30) - 1;
 }
diff --git a/crypto_kem/sntrup653/clean/kem.c b/crypto_kem/sntrup653/clean/kem.c
index 6f269166..9ade99fb 100644
--- a/crypto_kem/sntrup653/clean/kem.c
+++ b/crypto_kem/sntrup653/clean/kem.c
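Review bot: urandom32 leaves the four freshly drawn secret bytes in c[] on the stack when it returns, and the loop in Short_random calls it p times, so the last draw in particular survives in dead stack until something overwrites it. The old code had the same exposure through L itself, so this is not a regression, but since the helper is new it is the right moment to add `explicit_bzero(c, sizeof c);` (or whatever secure-wipe primitive this tree already uses, which I cannot see from here) before the return. A short comment on the function, `/* Draw one 32-bit word; one randombytes() call per word, as in the NIST reference. */`, would also help, as nothing in the hunk explains the call pattern.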
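Review bot: Short_random's loop now draws `ppadsort` words, whereas the removed randombytes call filled exactly `4 * p` bytes, so the number of randombytes() calls this function makes equals the submission's p only if `ppadsort == p` in this parameter set's params.h — and for sntrup653 that header is not part of this patch, so I am inferring it from the 761 change elsewhere in the commit. If any padding remains, the extra words would both cost RNG calls and shift the DRBG state relative to the reference KATs. A guard such as `/* ppadsort must equal p: every word drawn here is one reference randombytes() call */` next to the loop, or a compile-time check if the build allows one, would make the assumption explicit. Short_random continues past the end of the hunk (the w-loop and whatever follows are outside this view).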
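Review bot: In Small_random the return value of each urandom32 draw is trusted unconditionally, and urandom32 itself ignores whatever randombytes reports, so a failed entropy read on any of the p iterations would be folded into the `(L[i] & 0x3fffffff) * 3 >> 30` mapping without anyone noticing; whether randombytes can fail here depends on the project's randombytes implementation, which is not visible in the diff. If it can, the draw should be checked once at the helper and surfaced, rather than silently producing an element biased toward whatever was on the stack. The closing brace of Small_random is outside the hunk.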
@@ -73,12 +73,25 @@ static void Hash(unsigned char *out, const unsigned char *in, int inlen) {
 /* ----- higher-level randomness */
+static uint32 urandom32(void) {
+ unsigned char c[4];
+ uint32 out[4];
+
+ randombytes(c, 4);
+ out[0] = (uint32)c[0];
+ out[1] = ((uint32)c[1]) << 8;
+ out[2] = ((uint32)c[2]) << 16;
+ out[3] = ((uint32)c[3]) << 24;
+ return out[0] + out[1] + out[2] + out[3];
+}
+
 static void Short_random(small *out) {
 uint32 L[ppadsort];
 int i;
- randombytes((unsigned char *) L, 4 * p);
- crypto_decode_pxint32(L, (unsigned char *) L);
+ for (i = 0; i < ppadsort; ++i) {
+ L[i] = urandom32();
+ }
 for (i = 0; i < w; ++i) {
 L[i] = L[i] & (uint32) - 2;
 }
@@ -98,8 +111,9 @@ static void Small_random(small *out) {
 uint32 L[p];
 int i;
- randombytes((unsigned char *) L, sizeof L);
- crypto_decode_pxint32(L, (unsigned char *) L);
+ for (i = 0; i < p; ++i) {
+ L[i] = urandom32();
+ }
 for (i = 0; i < p; ++i) {
 out[i] = (((L[i] & 0x3fffffff) * 3) >> 30) - 1;
 }
diff --git a/crypto_kem/sntrup761/avx2/kem.c b/crypto_kem/sntrup761/avx2/kem.c
index 7d0d0152..6eeeb496 100644
--- a/crypto_kem/sntrup761/avx2/kem.c
+++ b/crypto_kem/sntrup761/avx2/kem.c
@@ -73,12 +73,25 @@ static void Hash(unsigned char *out, const unsigned char *in, int inlen) {
 /* ----- higher-level randomness */
+static uint32 urandom32(void) {
+ unsigned char c[4];
+ uint32 out[4];
+
+ randombytes(c, 4);
+ out[0] = (uint32)c[0];
+ out[1] = ((uint32)c[1]) << 8;
+ out[2] = ((uint32)c[2]) << 16;
+ out[3] = ((uint32)c[3]) << 24;
+ return out[0] + out[1] + out[2] + out[3];
+}
+
 static void Short_random(small *out) {
 uint32 L[ppadsort];
 int i;
- randombytes((unsigned char *) L, 4 * p);
- crypto_decode_pxint32(L, (unsigned char *) L);
+ for (i = 0; i < ppadsort; ++i) {
+ L[i] = urandom32();
+ }
 for (i = 0; i < w; ++i) {
 L[i] = L[i] & (uint32) - 2;
 }
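Review bot: The loop bound in Short_random changed from the old `4 * p` bytes to `ppadsort` words, which ties the number of RNG calls to a sort-padding constant rather than to the parameter p that the submission uses; the two coincide only if this parameter set's params.h defines ppadsort as 653, which the patch does not show for sntrup653. Using `p` as the loop bound, `for (i = 0; i < p; ++i)`, would express the intent directly and keep the call count correct even if ppadsort were later restored for the sorter. The rest of Short_random, including the sort that consumes L, lies beyond the end of the hunk.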
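Review bot: Small_random's new loop body reads naturally, but the helper it calls builds its result through a four-element `out[]` array and an addition, which reads as if carries were possible; a single OR expression, `return (uint32)c[0] | ((uint32)c[1] << 8) | ((uint32)c[2] << 16) | ((uint32)c[3] << 24);`, is equivalent and self-evidently carry-free. If the array form is intentional to mirror the reference text, say so in a comment so it is not rewritten. Small_random's closing brace is outside the hunk.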
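Review bot: For sntrup761 the same commit shrinks ppadsort from 768 to 761, so `uint32 L[ppadsort]` in this Short_random is now exactly p words with no padding, and the AVX2 sort that later runs over L (outside this hunk) receives a length that is no longer a multiple of 8 or 16. If that sorter handles arbitrary lengths, as djbsort-style code typically does, this is fine, but the previous 768 suggests someone once wanted the padding, so please confirm the AVX2 crypto_sort_uint32 path on 761 elements and note the decision, e.g. `/* L holds exactly p words; the sort must accept a non-multiple-of-8 length */`. Short_random continues past the hunk boundary.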
@@ -98,8 +111,9 @@ static void Small_random(small *out) {
 uint32 L[p];
 int i;
- randombytes((unsigned char *) L, sizeof L);
- crypto_decode_pxint32(L, (unsigned char *) L);
+ for (i = 0; i < p; ++i) {
+ L[i] = urandom32();
+ }
 for (i = 0; i < p; ++i) {
 out[i] = (((L[i] & 0x3fffffff) * 3) >> 30) - 1;
 }
diff --git a/crypto_kem/sntrup761/avx2/params.h b/crypto_kem/sntrup761/avx2/params.h
index 7d1c63d8..cfc95319 100644
--- a/crypto_kem/sntrup761/avx2/params.h
+++ b/crypto_kem/sntrup761/avx2/params.h
@@ -31,7 +31,7 @@
 #define q 4591
 #define w 286
-#define ppadsort 768
+#define ppadsort 761
 #define crypto_verify_clen PQCLEAN_SNTRUP761_AVX2_crypto_verify_1039
diff --git a/crypto_kem/sntrup761/clean/kem.c b/crypto_kem/sntrup761/clean/kem.c
index 7e545aa7..fd9f1f63 100644
--- a/crypto_kem/sntrup761/clean/kem.c
+++ b/crypto_kem/sntrup761/clean/kem.c
@@ -73,12 +73,25 @@ static void Hash(unsigned char *out, const unsigned char *in, int inlen) {
 /* ----- higher-level randomness */
+static uint32 urandom32(void) {
+ unsigned char c[4];
+ uint32 out[4];
+
+ randombytes(c, 4);
+ out[0] = (uint32)c[0];
+ out[1] = ((uint32)c[1]) << 8;
+ out[2] = ((uint32)c[2]) << 16;
+ out[3] = ((uint32)c[3]) << 24;
+ return out[0] + out[1] + out[2] + out[3];
+}
+
 static void Short_random(small *out) {
 uint32 L[ppadsort];
 int i;
- randombytes((unsigned char *) L, 4 * p);
- crypto_decode_pxint32(L, (unsigned char *) L);
+ for (i = 0; i < ppadsort; ++i) {
+ L[i] = urandom32();
+ }
 for (i = 0; i < w; ++i) {
 L[i] = L[i] & (uint32) - 2;
 }
@@ -98,8 +111,9 @@ static void Small_random(small *out) {
 uint32 L[p];
 int i;
- randombytes((unsigned char *) L, sizeof L);
- crypto_decode_pxint32(L, (unsigned char *) L);
+ for (i = 0; i < p; ++i) {
+ L[i] = urandom32();
+ }
 for (i = 0; i < p; ++i) {
 out[i] = (((L[i] & 0x3fffffff) * 3) >> 30) - 1;
 }
diff --git a/crypto_kem/sntrup761/clean/params.h b/crypto_kem/sntrup761/clean/params.h
index f64a7454..af77a621 100644
--- a/crypto_kem/sntrup761/clean/params.h
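Review bot: Small_random's replacement loop has no comment explaining why it draws p words one at a time instead of the single randombytes() call it replaces, and the hunk header's function name is the only hint that this is the ternary-sampling path. A one-liner above the loop, `/* One randombytes() call per word, matching the reference's DRBG call sequence for the KATs. */`, captures the reason the commit message gives and protects the loop from being re-bulked. The function's closing brace is outside the hunk.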
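Review bot: With `ppadsort` set to 761 the name no longer describes what the macro does — it is simply p, and there is no sort padding left — so a reader of params.h will look for padding that does not exist. Either add `/* equal to p: no padding; the reference draws exactly p words */` beside the define, or have kem.c loop over `p` and let ppadsort size only the array, so that the two cannot silently diverge again. If the AVX2 sorter has any length-alignment expectation, this is also the place to state that 761 has been checked against it; I cannot verify that from the diff.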
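Review bot: Short_random in the clean sntrup761 implementation now calls randombytes() 761 times per invocation (the loop bound is ppadsort, set to 761 in this commit) where one bulk call was made before; on a randombytes backed by getrandom() or a similar syscall, that is a noticeable per-keypair cost taken for KAT fidelity. The trade-off is legitimate but should be written down next to the loop, e.g. `/* per-word calls are required to reproduce the submission's RNG call sequence; do not batch */`, because it will look like an obvious optimization target. The w-loop and the later sort that consume L continue beyond the hunk.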
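Review bot: Small_random now depends on urandom32's byte order matching what crypto_decode_pxint32 produced, yet nothing in either function records that the assembly is little-endian on purpose; the shifts make it so, but only a reader who knew the old decode routine would recognize why. Add `/* little-endian assembly: same word values crypto_decode_pxint32 yielded from the bulk draw */` at the top of urandom32 so that the equivalence to the previous code is visible, and so a big-endian port does not substitute a host-order load. Small_random's closing brace lies outside the hunk.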
+++ b/crypto_kem/sntrup761/clean/params.h
@@ -28,7 +28,7 @@
 #define q 4591
 #define w 286
-#define ppadsort 768
+#define ppadsort 761
 #define crypto_verify_clen PQCLEAN_SNTRUP761_CLEAN_crypto_verify_1039
diff --git a/crypto_kem/sntrup857/avx2/kem.c b/crypto_kem/sntrup857/avx2/kem.c
index bbf3abc4..1cbfdf24 100644
--- a/crypto_kem/sntrup857/avx2/kem.c
+++ b/crypto_kem/sntrup857/avx2/kem.c
@@ -73,12 +73,25 @@ static void Hash(unsigned char *out, const unsigned char *in, int inlen) {
 /* ----- higher-level randomness */
+static uint32 urandom32(void) {
+ unsigned char c[4];
+ uint32 out[4];
+
+ randombytes(c, 4);
+ out[0] = (uint32)c[0];
+ out[1] = ((uint32)c[1]) << 8;
+ out[2] = ((uint32)c[2]) << 16;
+ out[3] = ((uint32)c[3]) << 24;
+ return out[0] + out[1] + out[2] + out[3];
+}
+
 static void Short_random(small *out) {
 uint32 L[ppadsort];
 int i;
- randombytes((unsigned char *) L, 4 * p);
- crypto_decode_pxint32(L, (unsigned char *) L);
+ for (i = 0; i < ppadsort; ++i) {
+ L[i] = urandom32();
+ }
 for (i = 0; i < w; ++i) {
 L[i] = L[i] & (uint32) - 2;
 }
@@ -98,8 +111,9 @@ static void Small_random(small *out) {
 uint32 L[p];
 int i;
- randombytes((unsigned char *) L, sizeof L);
- crypto_decode_pxint32(L, (unsigned char *) L);
+ for (i = 0; i < p; ++i) {
+ L[i] = urandom32();
+ }
 for (i = 0; i < p; ++i) {
 out[i] = (((L[i] & 0x3fffffff) * 3) >> 30) - 1;
 }
diff --git a/crypto_kem/sntrup857/clean/kem.c b/crypto_kem/sntrup857/clean/kem.c
index 74cc1acd..a555e254 100644
--- a/crypto_kem/sntrup857/clean/kem.c
+++ b/crypto_kem/sntrup857/clean/kem.c
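Review bot: Short_random for sntrup857 loops to `ppadsort`, but unlike the 761 set this commit does not touch sntrup857's params.h, so whether ppadsort equals 857 here — and therefore whether the number of randombytes() calls matches the reference's p — is an assumption the diff does not let me check. If ppadsort is padded for the AVX2 sorter in this set, the loop will consume more RNG output than the submission and the KATs will not line up. Bounding the loop with `p` instead, `for (i = 0; i < ppadsort; ++i)` → `for (i = 0; i < p; ++i)`, would make correctness independent of the padding constant; the remainder of Short_random, including the sort over L, is outside the hunk.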
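Review bot: Each of the p urandom32 calls in Small_random discards any status randombytes might return, so an entropy-source failure part-way through the loop would leave some L[i] derived from whatever urandom32's c[] held on the stack, and the ternary mapping below would turn that into a plausible-looking small element; whether randombytes can report failure depends on this tree's implementation, which the diff does not show. If it can, zero-initialize c in urandom32 and check the return once there, rather than assume success in every caller. Small_random's closing brace is beyond the hunk.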
@@ -73,12 +73,25 @@ static void Hash(unsigned char *out, const unsigned char *in, int inlen) {
 /* ----- higher-level randomness */
+static uint32 urandom32(void) {
+ unsigned char c[4];
+ uint32 out[4];
+
+ randombytes(c, 4);
+ out[0] = (uint32)c[0];
+ out[1] = ((uint32)c[1]) << 8;
+ out[2] = ((uint32)c[2]) << 16;
+ out[3] = ((uint32)c[3]) << 24;
+ return out[0] + out[1] + out[2] + out[3];
+}
+
 static void Short_random(small *out) {
 uint32 L[ppadsort];
 int i;
- randombytes((unsigned char *) L, 4 * p);
- crypto_decode_pxint32(L, (unsigned char *) L);
+ for (i = 0; i < ppadsort; ++i) {
+ L[i] = urandom32();
+ }
 for (i = 0; i < w; ++i) {
 L[i] = L[i] & (uint32) - 2;
 }
@@ -98,8 +111,9 @@ static void Small_random(small *out) {
 uint32 L[p];
 int i;
- randombytes((unsigned char *) L, sizeof L);
- crypto_decode_pxint32(L, (unsigned char *) L);
+ for (i = 0; i < p; ++i) {
+ L[i] = urandom32();
+ }
 for (i = 0; i < p; ++i) {
 out[i] = (((L[i] & 0x3fffffff) * 3) >> 30) - 1;
 }
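Review bot: The urandom32 added here is the twelfth byte-identical copy in this patch, and the `ppadsort`-bounded loop in Short_random again relies on sntrup857's params.h (not in the diff) defining ppadsort as p for the RNG call count to match the reference. A short header comment on the helper stating both facts would help the next maintainer: `/* Draw one little-endian 32-bit word with a single randombytes() call; keep identical to the copies in the other NTRU Prime kem.c files. */`. Short_random continues after the hunk ends.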
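Review bot: Small_random now takes its p words from urandom32, whose four-element `out[]` array and addition obscure that the bytes land in disjoint lanes; `return (uint32)c[0] | ((uint32)c[1] << 8) | ((uint32)c[2] << 16) | ((uint32)c[3] << 24);` is the same value with no question of carries, and it removes a 16-byte scratch array from the hottest loop in key generation. If the array form is kept to stay textually identical to the submission, a comment saying so will stop future simplification. The function's closing brace is outside the hunk.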