1
1
mirror of https://github.com/henrydcase/pqc.git synced 2024-11-22 23:48:58 +00:00

Some cleanup, expanded dependencies, removed two unnecessary files in kyber768

This commit is contained in:
Peter Schwabe 2019-02-14 15:30:55 +01:00
parent 3b73ea134d
commit 8e594f3c23
18 changed files with 64 additions and 187 deletions

View File

@ -5,7 +5,7 @@
--pad-oper --pad-oper
--pad-comma --pad-comma
--pad-header --pad-header
--unpad-paren #--unpad-paren
--align-pointer=name --align-pointer=name
--add-braces --add-braces
--convert-tabs --convert-tabs

View File

@ -111,7 +111,7 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size
As noted above, PQClean is **not** meant to be built as a single library: it is a collection of source code that can be easily integrated into other libraries. The PQClean repository includes various test programs which do build various files, but you should not use the resulting binaries for any purpose. As noted above, PQClean is **not** meant to be built as a single library: it is a collection of source code that can be easily integrated into other libraries. The PQClean repository includes various test programs which do build various files, but you should not use the resulting binaries for any purpose.
List of required dependencies: ``gcc or clang, make, python3, python-yaml library, valgrind``. List of required dependencies: ``gcc or clang, make, python3, python-yaml library, valgrind, astyle (>= 3.0)``.
## Using source code from PQClean in your own project ## Using source code from PQClean in your own project

View File

@ -12,10 +12,8 @@
int PQCLEAN_KYBER768_crypto_kem_keypair(unsigned char *pk, unsigned char *sk); int PQCLEAN_KYBER768_crypto_kem_keypair(unsigned char *pk, unsigned char *sk);
int PQCLEAN_KYBER768_crypto_kem_enc(unsigned char *ct, unsigned char *ss, int PQCLEAN_KYBER768_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk);
const unsigned char *pk);
int PQCLEAN_KYBER768_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, int PQCLEAN_KYBER768_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk);
const unsigned char *sk);
#endif #endif

View File

@ -43,7 +43,7 @@ void PQCLEAN_KYBER768_cbd(poly *r, const unsigned char *buf) {
d += (t >> j) & 0x249249; d += (t >> j) & 0x249249;
} }
a[0] = d & 0x7; a[0] = d & 0x7;
b[0] = (d >> 3) & 0x7; b[0] = (d >> 3) & 0x7;
a[1] = (d >> 6) & 0x7; a[1] = (d >> 6) & 0x7;
b[1] = (d >> 9) & 0x7; b[1] = (d >> 9) & 0x7;
@ -68,7 +68,7 @@ void PQCLEAN_KYBER768_cbd(poly *r, const unsigned char *buf) {
d += (t >> j) & 0x11111111; d += (t >> j) & 0x11111111;
} }
a[0] = d & 0xf; a[0] = d & 0xf;
b[0] = (d >> 4) & 0xf; b[0] = (d >> 4) & 0xf;
a[1] = (d >> 8) & 0xf; a[1] = (d >> 8) & 0xf;
b[1] = (d >> 12) & 0xf; b[1] = (d >> 12) & 0xf;
@ -93,7 +93,7 @@ void PQCLEAN_KYBER768_cbd(poly *r, const unsigned char *buf) {
d += (t >> j) & 0x0842108421UL; d += (t >> j) & 0x0842108421UL;
} }
a[0] = d & 0x1f; a[0] = d & 0x1f;
b[0] = (d >> 5) & 0x1f; b[0] = (d >> 5) & 0x1f;
a[1] = (d >> 10) & 0x1f; a[1] = (d >> 10) & 0x1f;
b[1] = (d >> 15) & 0x1f; b[1] = (d >> 15) & 0x1f;

View File

@ -17,8 +17,7 @@
*public key const poly *pk: pointer to the input public-key *public key const poly *pk: pointer to the input public-key
*polynomial const unsigned char *seed: pointer to the input public seed *polynomial const unsigned char *seed: pointer to the input public seed
**************************************************/ **************************************************/
static void pack_pk(unsigned char *r, const polyvec *pk, static void pack_pk(unsigned char *r, const polyvec *pk, const unsigned char *seed) {
const unsigned char *seed) {
int i; int i;
PQCLEAN_KYBER768_polyvec_compress(r, pk); PQCLEAN_KYBER768_polyvec_compress(r, pk);
for (i = 0; i < KYBER_SYMBYTES; i++) { for (i = 0; i < KYBER_SYMBYTES; i++) {
@ -39,8 +38,7 @@ static void pack_pk(unsigned char *r, const polyvec *pk,
* - const unsigned char *packedpk: pointer to input serialized * - const unsigned char *packedpk: pointer to input serialized
*public key *public key
**************************************************/ **************************************************/
static void unpack_pk(polyvec *pk, unsigned char *seed, static void unpack_pk(polyvec *pk, unsigned char *seed, const unsigned char *packedpk) {
const unsigned char *packedpk) {
int i; int i;
PQCLEAN_KYBER768_polyvec_decompress(pk, packedpk); PQCLEAN_KYBER768_polyvec_decompress(pk, packedpk);
@ -110,8 +108,8 @@ static void unpack_sk(polyvec *sk, const unsigned char *packedsk) {
PQCLEAN_KYBER768_polyvec_frombytes(sk, packedsk); PQCLEAN_KYBER768_polyvec_frombytes(sk, packedsk);
} }
#define gen_a(A, B) PQCLEAN_KYBER768_gen_matrix(A, B, 0) #define gen_a(A, B) gen_matrix(A, B, 0)
#define gen_at(A, B) PQCLEAN_KYBER768_gen_matrix(A, B, 1) #define gen_at(A, B) gen_matrix(A, B, 1)
/************************************************* /*************************************************
* Name: gen_matrix * Name: gen_matrix
@ -126,8 +124,7 @@ static void unpack_sk(polyvec *sk, const unsigned char *packedsk) {
* - int transposed: boolean deciding whether A or A^T * - int transposed: boolean deciding whether A or A^T
*is generated *is generated
**************************************************/ **************************************************/
void PQCLEAN_KYBER768_gen_matrix(polyvec *a, const unsigned char *seed, static void gen_matrix(polyvec *a, const unsigned char *seed, int transposed) {
int transposed) { // Not static for benchmarking
unsigned int pos = 0, ctr; unsigned int pos = 0, ctr;
uint16_t val; uint16_t val;
unsigned int nblocks; unsigned int nblocks;

View File

@ -1,13 +1,16 @@
#ifndef INDCPA_H #ifndef INDCPA_H
#define INDCPA_H #define INDCPA_H
void PQCLEAN_KYBER768_indcpa_keypair(unsigned char *pk, unsigned char *sk); void PQCLEAN_KYBER768_indcpa_keypair(unsigned char *pk,
unsigned char *sk);
void PQCLEAN_KYBER768_indcpa_enc(unsigned char *c, const unsigned char *m, void PQCLEAN_KYBER768_indcpa_enc(unsigned char *c,
const unsigned char *m,
const unsigned char *pk, const unsigned char *pk,
const unsigned char *coins); const unsigned char *coins);
void PQCLEAN_KYBER768_indcpa_dec(unsigned char *m, const unsigned char *c, void PQCLEAN_KYBER768_indcpa_dec(unsigned char *m,
const unsigned char *c,
const unsigned char *sk); const unsigned char *sk);
#endif #endif

View File

@ -24,11 +24,8 @@ int PQCLEAN_KYBER768_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) {
for (i = 0; i < KYBER_INDCPA_PUBLICKEYBYTES; i++) { for (i = 0; i < KYBER_INDCPA_PUBLICKEYBYTES; i++) {
sk[i + KYBER_INDCPA_SECRETKEYBYTES] = pk[i]; sk[i + KYBER_INDCPA_SECRETKEYBYTES] = pk[i];
} }
sha3_256(sk + KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES, pk, sha3_256(sk + KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
KYBER_PUBLICKEYBYTES); randombytes(sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES); /* Value z for pseudo-random output on reject */
randombytes(
sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES,
KYBER_SYMBYTES); /* Value z for pseudo-random output on reject */
return 0; return 0;
} }
@ -47,27 +44,20 @@ int PQCLEAN_KYBER768_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) {
* *
* Returns 0 (success) * Returns 0 (success)
**************************************************/ **************************************************/
int PQCLEAN_KYBER768_crypto_kem_enc(unsigned char *ct, unsigned char *ss, int PQCLEAN_KYBER768_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) {
const unsigned char *pk) {
unsigned char kr[2 * KYBER_SYMBYTES]; /* Will contain key, coins */ unsigned char kr[2 * KYBER_SYMBYTES]; /* Will contain key, coins */
unsigned char buf[2 * KYBER_SYMBYTES]; unsigned char buf[2 * KYBER_SYMBYTES];
randombytes(buf, KYBER_SYMBYTES); randombytes(buf, KYBER_SYMBYTES);
sha3_256(buf, buf, KYBER_SYMBYTES); /* Don't release system RNG output */ sha3_256(buf, buf, KYBER_SYMBYTES); /* Don't release system RNG output */
sha3_256(buf + KYBER_SYMBYTES, pk, sha3_256(buf + KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES); /* Multitarget countermeasure for coins + contributory KEM */
KYBER_PUBLICKEYBYTES); /* Multitarget countermeasure for coins +
contributory KEM */
sha3_512(kr, buf, 2 * KYBER_SYMBYTES); sha3_512(kr, buf, 2 * KYBER_SYMBYTES);
PQCLEAN_KYBER768_indcpa_enc( PQCLEAN_KYBER768_indcpa_enc(ct, buf, pk, kr + KYBER_SYMBYTES); /* coins are in kr+KYBER_SYMBYTES */
ct, buf, pk, kr + KYBER_SYMBYTES); /* coins are in kr+KYBER_SYMBYTES */
sha3_256(kr + KYBER_SYMBYTES, ct, sha3_256(kr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); /* overwrite coins in kr with H(c) */
KYBER_CIPHERTEXTBYTES); /* overwrite coins in kr with H(c) */ sha3_256(ss, kr, 2 * KYBER_SYMBYTES); /* hash concatenation of pre-k and H(c) to k */
sha3_256(
ss, kr,
2 * KYBER_SYMBYTES); /* hash concatenation of pre-k and H(c) to k */
return 0; return 0;
} }
@ -88,40 +78,31 @@ int PQCLEAN_KYBER768_crypto_kem_enc(unsigned char *ct, unsigned char *ss,
* *
* On failure, ss will contain a pseudo-random value. * On failure, ss will contain a pseudo-random value.
**************************************************/ **************************************************/
int PQCLEAN_KYBER768_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, int PQCLEAN_KYBER768_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) {
const unsigned char *sk) {
size_t i; size_t i;
int fail; int fail;
unsigned char cmp[KYBER_CIPHERTEXTBYTES]; unsigned char cmp[KYBER_CIPHERTEXTBYTES];
unsigned char buf[2 * KYBER_SYMBYTES]; unsigned char buf[2 * KYBER_SYMBYTES];
unsigned char unsigned char
kr[2 * KYBER_SYMBYTES]; /* Will contain key, coins, qrom-hash */ kr[2 * KYBER_SYMBYTES]; /* Will contain key, coins, qrom-hash */
const unsigned char *pk = sk + KYBER_INDCPA_SECRETKEYBYTES; const unsigned char *pk = sk + KYBER_INDCPA_SECRETKEYBYTES;
PQCLEAN_KYBER768_indcpa_dec(buf, ct, sk); PQCLEAN_KYBER768_indcpa_dec(buf, ct, sk);
for (i = 0; i < KYBER_SYMBYTES; for (i = 0; i < KYBER_SYMBYTES; i++) { /* Multitarget countermeasure for coins + contributory KEM */
i++) { /* Multitarget countermeasure for coins + contributory KEM */ buf[KYBER_SYMBYTES + i] = sk[KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES + i]; /* Save hash by storing H(pk) in sk */
buf[KYBER_SYMBYTES + i] = sk[KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES +
i]; /* Save hash by storing H(pk) in sk */
} }
sha3_512(kr, buf, 2 * KYBER_SYMBYTES); sha3_512(kr, buf, 2 * KYBER_SYMBYTES);
PQCLEAN_KYBER768_indcpa_enc( PQCLEAN_KYBER768_indcpa_enc(cmp, buf, pk, kr + KYBER_SYMBYTES); /* coins are in kr+KYBER_SYMBYTES */
cmp, buf, pk, kr + KYBER_SYMBYTES); /* coins are in kr+KYBER_SYMBYTES */
fail = PQCLEAN_KYBER768_verify(ct, cmp, KYBER_CIPHERTEXTBYTES); fail = PQCLEAN_KYBER768_verify(ct, cmp, KYBER_CIPHERTEXTBYTES);
sha3_256(kr + KYBER_SYMBYTES, ct, sha3_256(kr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); /* overwrite coins in kr with H(c) */
KYBER_CIPHERTEXTBYTES); /* overwrite coins in kr with H(c) */
PQCLEAN_KYBER768_cmov( PQCLEAN_KYBER768_cmov(kr, sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES, fail); /* Overwrite pre-k with z on re-encryption failure */
kr, sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES,
fail); /* Overwrite pre-k with z on re-encryption failure */
sha3_256( sha3_256(ss, kr, 2 * KYBER_SYMBYTES); /* hash concatenation of pre-k and H(c) to k */
ss, kr,
2 * KYBER_SYMBYTES); /* hash concatenation of pre-k and H(c) to k */
return 0; return 0;
} }

View File

@ -1,58 +0,0 @@
#include "kex.h"
#include "fips202.h"
#include "verify.h"
void PQCLEAN_KYBER768_kyber_uake_initA(u8 *send, u8 *tk, u8 *sk,
const u8 *pkb) {
PQCLEAN_KYBER768_crypto_kem_keypair(send, sk);
PQCLEAN_KYBER768_crypto_kem_enc(send + KYBER_PUBLICKEYBYTES, tk, pkb);
}
void PQCLEAN_KYBER768_kyber_uake_sharedB(u8 *send, u8 *k, const u8 *recv,
const u8 *skb) {
unsigned char buf[2 * KYBER_SYMBYTES];
PQCLEAN_KYBER768_crypto_kem_enc(send, buf, recv);
PQCLEAN_KYBER768_crypto_kem_dec(buf + KYBER_SYMBYTES,
recv + KYBER_PUBLICKEYBYTES, skb);
shake256(k, KYBER_SYMBYTES, buf, 2 * KYBER_SYMBYTES);
}
void PQCLEAN_KYBER768_kyber_uake_sharedA(u8 *k, const u8 *recv, const u8 *tk,
const u8 *sk) {
unsigned char buf[2 * KYBER_SYMBYTES];
int i;
PQCLEAN_KYBER768_crypto_kem_dec(buf, recv, sk);
for (i = 0; i < KYBER_SYMBYTES; i++) {
buf[i + KYBER_SYMBYTES] = tk[i];
}
shake256(k, KYBER_SYMBYTES, buf, 2 * KYBER_SYMBYTES);
}
void PQCLEAN_KYBER768_kyber_ake_initA(u8 *send, u8 *tk, u8 *sk, const u8 *pkb) {
PQCLEAN_KYBER768_crypto_kem_keypair(send, sk);
PQCLEAN_KYBER768_crypto_kem_enc(send + KYBER_PUBLICKEYBYTES, tk, pkb);
}
void PQCLEAN_KYBER768_kyber_ake_sharedB(u8 *send, u8 *k, const u8 *recv,
const u8 *skb, const u8 *pka) {
unsigned char buf[3 * KYBER_SYMBYTES];
PQCLEAN_KYBER768_crypto_kem_enc(send, buf, recv);
PQCLEAN_KYBER768_crypto_kem_enc(send + KYBER_CIPHERTEXTBYTES,
buf + KYBER_SYMBYTES, pka);
PQCLEAN_KYBER768_crypto_kem_dec(buf + 2 * KYBER_SYMBYTES,
recv + KYBER_PUBLICKEYBYTES, skb);
shake256(k, KYBER_SYMBYTES, buf, 3 * KYBER_SYMBYTES);
}
void PQCLEAN_KYBER768_kyber_ake_sharedA(u8 *k, const u8 *recv, const u8 *tk,
const u8 *sk, const u8 *ska) {
unsigned char buf[3 * KYBER_SYMBYTES];
int i;
PQCLEAN_KYBER768_crypto_kem_dec(buf, recv, sk);
PQCLEAN_KYBER768_crypto_kem_dec(buf + KYBER_SYMBYTES,
recv + KYBER_CIPHERTEXTBYTES, ska);
for (i = 0; i < KYBER_SYMBYTES; i++) {
buf[i + 2 * KYBER_SYMBYTES] = tk[i];
}
shake256(k, KYBER_SYMBYTES, buf, 3 * KYBER_SYMBYTES);
}

View File

@ -1,31 +0,0 @@
#ifndef KEX_H
#define KEX_H
#include "api.h"
#include "params.h"
#define KYBER_UAKE_SENDABYTES (KYBER_PUBLICKEYBYTES + KYBER_CIPHERTEXTBYTES)
#define KYBER_UAKE_SENDBBYTES (KYBER_CIPHERTEXTBYTES)
#define KYBER_AKE_SENDABYTES (KYBER_PUBLICKEYBYTES + KYBER_CIPHERTEXTBYTES)
#define KYBER_AKE_SENDBBYTES (2 * KYBER_CIPHERTEXTBYTES)
typedef unsigned char u8;
void PQCLEAN_KYBER768_kyber_uake_initA(u8 *send, u8 *tk, u8 *sk, const u8 *pkb);
void PQCLEAN_KYBER768_kyber_uake_sharedB(u8 *send, u8 *k, const u8 *recv,
const u8 *skb);
void PQCLEAN_KYBER768_kyber_uake_sharedA(u8 *k, const u8 *recv, const u8 *tk,
const u8 *sk);
void PQCLEAN_KYBER768_kyber_ake_initA(u8 *send, u8 *tk, u8 *sk, const u8 *pkb);
void PQCLEAN_KYBER768_kyber_ake_sharedB(u8 *send, u8 *k, const u8 *recv,
const u8 *skb, const u8 *pka);
void PQCLEAN_KYBER768_kyber_ake_sharedA(u8 *k, const u8 *recv, const u8 *tk,
const u8 *sk, const u8 *ska);
#endif

View File

@ -62,8 +62,7 @@ void PQCLEAN_KYBER768_invntt(uint16_t *a) {
temp = a[j]; temp = a[j];
if (level & 1) { /* odd level */ if (level & 1) { /* odd level */
a[j] = PQCLEAN_KYBER768_barrett_reduce( a[j] = PQCLEAN_KYBER768_barrett_reduce((temp + a[j + (1 << level)]));
(temp + a[j + (1 << level)]));
} else { } else {
a[j] = (temp + a[j + (1 << level)]); /* Omit reduction (be lazy) */ a[j] = (temp + a[j + (1 << level)]); /* Omit reduction (be lazy) */
} }
@ -76,7 +75,6 @@ void PQCLEAN_KYBER768_invntt(uint16_t *a) {
} }
for (j = 0; j < KYBER_N; j++) { for (j = 0; j < KYBER_N; j++) {
a[j] = PQCLEAN_KYBER768_montgomery_reduce( a[j] = PQCLEAN_KYBER768_montgomery_reduce((a[j] * PQCLEAN_KYBER768_psis_inv_montgomery[j]));
(a[j] * PQCLEAN_KYBER768_psis_inv_montgomery[j]));
} }
} }

View File

@ -21,7 +21,7 @@
#define KYBER_INDCPA_BYTES (KYBER_POLYVECCOMPRESSEDBYTES + KYBER_POLYCOMPRESSEDBYTES) #define KYBER_INDCPA_BYTES (KYBER_POLYVECCOMPRESSEDBYTES + KYBER_POLYCOMPRESSEDBYTES)
#define KYBER_PUBLICKEYBYTES (KYBER_INDCPA_PUBLICKEYBYTES) #define KYBER_PUBLICKEYBYTES (KYBER_INDCPA_PUBLICKEYBYTES)
#define KYBER_SECRETKEYBYTES (KYBER_INDCPA_SECRETKEYBYTES + KYBER_INDCPA_PUBLICKEYBYTES + 2*KYBER_SYMBYTES) /* 32 bytes of additional space to save H(pk) */ #define KYBER_SECRETKEYBYTES (KYBER_INDCPA_SECRETKEYBYTES + KYBER_INDCPA_PUBLICKEYBYTES + 2 * KYBER_SYMBYTES) /* 32 bytes of additional space to save H(pk) */
#define KYBER_CIPHERTEXTBYTES KYBER_INDCPA_BYTES #define KYBER_CIPHERTEXTBYTES KYBER_INDCPA_BYTES
#endif #endif

View File

@ -23,7 +23,7 @@ void PQCLEAN_KYBER768_poly_compress(unsigned char *r, const poly *a) {
t[j] = (((PQCLEAN_KYBER768_freeze(a->coeffs[i + j]) << 3) + KYBER_Q / 2) / KYBER_Q) & 7; t[j] = (((PQCLEAN_KYBER768_freeze(a->coeffs[i + j]) << 3) + KYBER_Q / 2) / KYBER_Q) & 7;
} }
r[k] = t[0] | (t[1] << 3) | (t[2] << 6); r[k] = t[0] | (t[1] << 3) | (t[2] << 6);
r[k + 1] = (t[2] >> 2) | (t[3] << 1) | (t[4] << 4) | (t[5] << 7); r[k + 1] = (t[2] >> 2) | (t[3] << 1) | (t[4] << 4) | (t[5] << 7);
r[k + 2] = (t[5] >> 1) | (t[6] << 2) | (t[7] << 5); r[k + 2] = (t[5] >> 1) | (t[6] << 2) | (t[7] << 5);
k += 3; k += 3;
@ -42,7 +42,7 @@ void PQCLEAN_KYBER768_poly_compress(unsigned char *r, const poly *a) {
void PQCLEAN_KYBER768_poly_decompress(poly *r, const unsigned char *a) { void PQCLEAN_KYBER768_poly_decompress(poly *r, const unsigned char *a) {
unsigned int i; unsigned int i;
for (i = 0; i < KYBER_N; i += 8) { for (i = 0; i < KYBER_N; i += 8) {
r->coeffs[i + 0] = (((a[0] & 7) * KYBER_Q) + 4) >> 3; r->coeffs[i + 0] = (((a[0] & 7) * KYBER_Q) + 4) >> 3;
r->coeffs[i + 1] = ((((a[0] >> 3) & 7) * KYBER_Q) + 4) >> 3; r->coeffs[i + 1] = ((((a[0] >> 3) & 7) * KYBER_Q) + 4) >> 3;
r->coeffs[i + 2] = ((((a[0] >> 6) | ((a[1] << 2) & 4)) * KYBER_Q) + 4) >> 3; r->coeffs[i + 2] = ((((a[0] >> 6) | ((a[1] << 2) & 4)) * KYBER_Q) + 4) >> 3;
r->coeffs[i + 3] = ((((a[1] >> 1) & 7) * KYBER_Q) + 4) >> 3; r->coeffs[i + 3] = ((((a[1] >> 1) & 7) * KYBER_Q) + 4) >> 3;
@ -71,7 +71,7 @@ void PQCLEAN_KYBER768_poly_tobytes(unsigned char *r, const poly *a) {
t[j] = PQCLEAN_KYBER768_freeze(a->coeffs[8 * i + j]); t[j] = PQCLEAN_KYBER768_freeze(a->coeffs[8 * i + j]);
} }
r[13 * i + 0] = t[0] & 0xff; r[13 * i + 0] = t[0] & 0xff;
r[13 * i + 1] = (t[0] >> 8) | ((t[1] & 0x07) << 5); r[13 * i + 1] = (t[0] >> 8) | ((t[1] & 0x07) << 5);
r[13 * i + 2] = (t[1] >> 3) & 0xff; r[13 * i + 2] = (t[1] >> 3) & 0xff;
r[13 * i + 3] = (t[1] >> 11) | ((t[2] & 0x3f) << 2); r[13 * i + 3] = (t[1] >> 11) | ((t[2] & 0x3f) << 2);
@ -99,7 +99,7 @@ void PQCLEAN_KYBER768_poly_tobytes(unsigned char *r, const poly *a) {
void PQCLEAN_KYBER768_poly_frombytes(poly *r, const unsigned char *a) { void PQCLEAN_KYBER768_poly_frombytes(poly *r, const unsigned char *a) {
int i; int i;
for (i = 0; i < KYBER_N / 8; i++) { for (i = 0; i < KYBER_N / 8; i++) {
r->coeffs[8 * i + 0] = a[13 * i + 0] | (((uint16_t)a[13 * i + 1] & 0x1f) << 8); r->coeffs[8 * i + 0] = a[13 * i + 0] | (((uint16_t)a[13 * i + 1] & 0x1f) << 8);
r->coeffs[8 * i + 1] = (a[13 * i + 1] >> 5) | (((uint16_t)a[13 * i + 2]) << 3) | (((uint16_t)a[13 * i + 3] & 0x03) << 11); r->coeffs[8 * i + 1] = (a[13 * i + 1] >> 5) | (((uint16_t)a[13 * i + 2]) << 3) | (((uint16_t)a[13 * i + 3] & 0x03) << 11);
r->coeffs[8 * i + 2] = (a[13 * i + 3] >> 2) | (((uint16_t)a[13 * i + 4] & 0x7f) << 6); r->coeffs[8 * i + 2] = (a[13 * i + 3] >> 2) | (((uint16_t)a[13 * i + 4] & 0x7f) << 6);
r->coeffs[8 * i + 3] = (a[13 * i + 4] >> 7) | (((uint16_t)a[13 * i + 5]) << 1) | (((uint16_t)a[13 * i + 6] & 0x0f) << 9); r->coeffs[8 * i + 3] = (a[13 * i + 4] >> 7) | (((uint16_t)a[13 * i + 5]) << 1) | (((uint16_t)a[13 * i + 6] & 0x0f) << 9);
@ -121,8 +121,7 @@ void PQCLEAN_KYBER768_poly_frombytes(poly *r, const unsigned char *a) {
* - const unsigned char *seed: pointer to input seed * - const unsigned char *seed: pointer to input seed
* - unsigned char nonce: one-byte input nonce * - unsigned char nonce: one-byte input nonce
**************************************************/ **************************************************/
void PQCLEAN_KYBER768_poly_getnoise(poly *r, const unsigned char *seed, void PQCLEAN_KYBER768_poly_getnoise(poly *r, const unsigned char *seed, unsigned char nonce) {
unsigned char nonce) {
unsigned char buf[KYBER_ETA * KYBER_N / 4]; unsigned char buf[KYBER_ETA * KYBER_N / 4];
unsigned char extseed[KYBER_SYMBYTES + 1]; unsigned char extseed[KYBER_SYMBYTES + 1];
int i; int i;
@ -204,8 +203,7 @@ void PQCLEAN_KYBER768_poly_sub(poly *r, const poly *a, const poly *b) {
* Arguments: - poly *r: pointer to output polynomial * Arguments: - poly *r: pointer to output polynomial
* - const unsigned char *msg: pointer to input message * - const unsigned char *msg: pointer to input message
**************************************************/ **************************************************/
void PQCLEAN_KYBER768_poly_frommsg(poly *r, void PQCLEAN_KYBER768_poly_frommsg(poly *r, const unsigned char msg[KYBER_SYMBYTES]) {
const unsigned char msg[KYBER_SYMBYTES]) {
uint16_t i, j, mask; uint16_t i, j, mask;
for (i = 0; i < KYBER_SYMBYTES; i++) { for (i = 0; i < KYBER_SYMBYTES; i++) {
@ -224,8 +222,7 @@ void PQCLEAN_KYBER768_poly_frommsg(poly *r,
* Arguments: - unsigned char *msg: pointer to output message * Arguments: - unsigned char *msg: pointer to output message
* - const poly *a: pointer to input polynomial * - const poly *a: pointer to input polynomial
**************************************************/ **************************************************/
void PQCLEAN_KYBER768_poly_tomsg(unsigned char msg[KYBER_SYMBYTES], void PQCLEAN_KYBER768_poly_tomsg(unsigned char msg[KYBER_SYMBYTES], const poly *a) {
const poly *a) {
uint16_t t; uint16_t t;
int i, j; int i, j;

View File

@ -18,13 +18,10 @@ void PQCLEAN_KYBER768_poly_decompress(poly *r, const unsigned char *a);
void PQCLEAN_KYBER768_poly_tobytes(unsigned char *r, const poly *a); void PQCLEAN_KYBER768_poly_tobytes(unsigned char *r, const poly *a);
void PQCLEAN_KYBER768_poly_frombytes(poly *r, const unsigned char *a); void PQCLEAN_KYBER768_poly_frombytes(poly *r, const unsigned char *a);
void PQCLEAN_KYBER768_poly_frommsg(poly *r, void PQCLEAN_KYBER768_poly_frommsg(poly *r, const unsigned char msg[KYBER_SYMBYTES]);
const unsigned char msg[KYBER_SYMBYTES]); void PQCLEAN_KYBER768_poly_tomsg(unsigned char msg[KYBER_SYMBYTES], const poly *a);
void PQCLEAN_KYBER768_poly_tomsg(unsigned char msg[KYBER_SYMBYTES],
const poly *a);
void PQCLEAN_KYBER768_poly_getnoise(poly *r, const unsigned char *seed, void PQCLEAN_KYBER768_poly_getnoise(poly *r, const unsigned char *seed, unsigned char nonce);
unsigned char nonce);
void PQCLEAN_KYBER768_poly_ntt(poly *r); void PQCLEAN_KYBER768_poly_ntt(poly *r);
void PQCLEAN_KYBER768_poly_invntt(poly *r); void PQCLEAN_KYBER768_poly_invntt(poly *r);

View File

@ -21,7 +21,7 @@ void PQCLEAN_KYBER768_polyvec_compress(unsigned char *r, const polyvec *a) {
t[k] = ((((uint32_t)PQCLEAN_KYBER768_freeze(a->vec[i].coeffs[8 * j + k]) << 11) + KYBER_Q / 2) / KYBER_Q) & 0x7ff; t[k] = ((((uint32_t)PQCLEAN_KYBER768_freeze(a->vec[i].coeffs[8 * j + k]) << 11) + KYBER_Q / 2) / KYBER_Q) & 0x7ff;
} }
r[11 * j + 0] = t[0] & 0xff; r[11 * j + 0] = t[0] & 0xff;
r[11 * j + 1] = (t[0] >> 8) | ((t[1] & 0x1f) << 3); r[11 * j + 1] = (t[0] >> 8) | ((t[1] & 0x1f) << 3);
r[11 * j + 2] = (t[1] >> 5) | ((t[2] & 0x03) << 6); r[11 * j + 2] = (t[1] >> 5) | ((t[2] & 0x03) << 6);
r[11 * j + 3] = (t[2] >> 2) & 0xff; r[11 * j + 3] = (t[2] >> 2) & 0xff;
@ -50,12 +50,12 @@ void PQCLEAN_KYBER768_polyvec_decompress(polyvec *r, const unsigned char *a) {
int i, j; int i, j;
for (i = 0; i < KYBER_K; i++) { for (i = 0; i < KYBER_K; i++) {
for (j = 0; j < KYBER_N / 8; j++) { for (j = 0; j < KYBER_N / 8; j++) {
r->vec[i].coeffs[8 * j + 0] = (((a[11 * j + 0] | (((uint32_t)a[11 * j + 1] & 0x07) << 8)) * KYBER_Q) + 1024) >> 11; r->vec[i].coeffs[8 * j + 0] = (((a[11 * j + 0] | (((uint32_t)a[11 * j + 1] & 0x07) << 8)) * KYBER_Q) + 1024) >> 11;
r->vec[i].coeffs[8 * j + 1] = ((((a[11 * j + 1] >> 3) | (((uint32_t)a[11 * j + 2] & 0x3f) << 5)) * KYBER_Q) + 1024) >> 11; r->vec[i].coeffs[8 * j + 1] = ((((a[11 * j + 1] >> 3) | (((uint32_t)a[11 * j + 2] & 0x3f) << 5)) * KYBER_Q) + 1024) >> 11;
r->vec[i].coeffs[8 * j + 2] = ((((a[11 * j + 2] >> 6) | (((uint32_t)a[11 * j + 3] & 0xff) << 2) | (((uint32_t)a[11 * j + 4] & 0x01) << 10)) * KYBER_Q) + 1024) >> 11; r->vec[i].coeffs[8 * j + 2] = ((((a[11 * j + 2] >> 6) | (((uint32_t)a[11 * j + 3] & 0xff) << 2) | (((uint32_t)a[11 * j + 4] & 0x01) << 10)) * KYBER_Q) + 1024) >> 11;
r->vec[i].coeffs[8 * j + 3] = ((((a[11 * j + 4] >> 1) | (((uint32_t)a[11 * j + 5] & 0x0f) << 7)) * KYBER_Q) + 1024) >> 11; r->vec[i].coeffs[8 * j + 3] = ((((a[11 * j + 4] >> 1) | (((uint32_t)a[11 * j + 5] & 0x0f) << 7)) * KYBER_Q) + 1024) >> 11;
r->vec[i].coeffs[8 * j + 4] = ((((a[11 * j + 5] >> 4) | (((uint32_t)a[11 * j + 6] & 0x7f) << 4)) * KYBER_Q) + 1024) >> 11; r->vec[i].coeffs[8 * j + 4] = ((((a[11 * j + 5] >> 4) | (((uint32_t)a[11 * j + 6] & 0x7f) << 4)) * KYBER_Q) + 1024) >> 11;
r->vec[i].coeffs[8 * j + 5] = ((((a[11 * j + 6] >> 7) | (((uint32_t)a[11 * j + 7] & 0xff) << 1) | (((uint32_t)a[11 * j + 8] & 0x03) << 9)) * KYBER_Q) + 1024) >> 11; r->vec[i].coeffs[8 * j + 5] = ((((a[11 * j + 6] >> 7) | (((uint32_t)a[11 * j + 7] & 0xff) << 1) | (((uint32_t)a[11 * j + 8] & 0x03) << 9)) * KYBER_Q) + 1024) >> 11;
r->vec[i].coeffs[8 * j + 6] = ((((a[11 * j + 8] >> 2) | (((uint32_t)a[11 * j + 9] & 0x1f) << 6)) * KYBER_Q) + 1024) >> 11; r->vec[i].coeffs[8 * j + 6] = ((((a[11 * j + 8] >> 2) | (((uint32_t)a[11 * j + 9] & 0x1f) << 6)) * KYBER_Q) + 1024) >> 11;
r->vec[i].coeffs[8 * j + 7] = ((((a[11 * j + 9] >> 5) | (((uint32_t)a[11 * j + 10] & 0xff) << 3)) * KYBER_Q) + 1024) >> 11; r->vec[i].coeffs[8 * j + 7] = ((((a[11 * j + 9] >> 5) | (((uint32_t)a[11 * j + 10] & 0xff) << 3)) * KYBER_Q) + 1024) >> 11;
} }
@ -131,8 +131,7 @@ void PQCLEAN_KYBER768_polyvec_invntt(polyvec *r) {
* - const polyvec *a: pointer to first input vector of polynomials * - const polyvec *a: pointer to first input vector of polynomials
* - const polyvec *b: pointer to second input vector of polynomials * - const polyvec *b: pointer to second input vector of polynomials
**************************************************/ **************************************************/
void PQCLEAN_KYBER768_polyvec_pointwise_acc(poly *r, const polyvec *a, void PQCLEAN_KYBER768_polyvec_pointwise_acc(poly *r, const polyvec *a, const polyvec *b) {
const polyvec *b) {
int i, j; int i, j;
uint16_t t; uint16_t t;
for (j = 0; j < KYBER_N; j++) { for (j = 0; j < KYBER_N; j++) {
@ -155,8 +154,7 @@ void PQCLEAN_KYBER768_polyvec_pointwise_acc(poly *r, const polyvec *a,
* - const polyvec *a: pointer to first input vector of polynomials * - const polyvec *a: pointer to first input vector of polynomials
* - const polyvec *b: pointer to second input vector of polynomials * - const polyvec *b: pointer to second input vector of polynomials
**************************************************/ **************************************************/
void PQCLEAN_KYBER768_polyvec_add(polyvec *r, const polyvec *a, void PQCLEAN_KYBER768_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b) {
const polyvec *b) {
int i; int i;
for (i = 0; i < KYBER_K; i++) { for (i = 0; i < KYBER_K; i++) {
PQCLEAN_KYBER768_poly_add(&r->vec[i], &a->vec[i], &b->vec[i]); PQCLEAN_KYBER768_poly_add(&r->vec[i], &a->vec[i], &b->vec[i]);

View File

@ -17,10 +17,8 @@ void PQCLEAN_KYBER768_polyvec_frombytes(polyvec *r, const unsigned char *a);
void PQCLEAN_KYBER768_polyvec_ntt(polyvec *r); void PQCLEAN_KYBER768_polyvec_ntt(polyvec *r);
void PQCLEAN_KYBER768_polyvec_invntt(polyvec *r); void PQCLEAN_KYBER768_polyvec_invntt(polyvec *r);
void PQCLEAN_KYBER768_polyvec_pointwise_acc(poly *r, const polyvec *a, void PQCLEAN_KYBER768_polyvec_pointwise_acc(poly *r, const polyvec *a, const polyvec *b);
const polyvec *b);
void PQCLEAN_KYBER768_polyvec_add(polyvec *r, const polyvec *a, void PQCLEAN_KYBER768_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b);
const polyvec *b);
#endif #endif

View File

@ -57,7 +57,8 @@ const uint16_t PQCLEAN_KYBER768_zetas[KYBER_N] = {
5113, 333, 3502, 4517, 1480, 1172, 5567, 651, 925, 4573, 599, 1367, 5113, 333, 3502, 4517, 1480, 1172, 5567, 651, 925, 4573, 599, 1367,
4109, 1863, 6929, 1605, 3866, 2065, 4048, 839, 5764, 2447, 2022, 3345, 4109, 1863, 6929, 1605, 3866, 2065, 4048, 839, 5764, 2447, 2022, 3345,
1990, 4067, 2036, 2069, 3567, 7371, 2368, 339, 6947, 2159, 654, 7327, 1990, 4067, 2036, 2069, 3567, 7371, 2368, 339, 6947, 2159, 654, 7327,
2768, 6676, 987, 2214}; 2768, 6676, 987, 2214
};
const uint16_t PQCLEAN_KYBER768_omegas_inv_bitrev_montgomery[KYBER_N / 2] = { const uint16_t PQCLEAN_KYBER768_omegas_inv_bitrev_montgomery[KYBER_N / 2] = {
990, 254, 862, 5047, 6586, 5538, 4400, 7103, 2025, 6804, 3858, 1595, 990, 254, 862, 5047, 6586, 5538, 4400, 7103, 2025, 6804, 3858, 1595,
@ -70,7 +71,8 @@ const uint16_t PQCLEAN_KYBER768_omegas_inv_bitrev_montgomery[KYBER_N / 2] = {
1597, 2908, 1825, 6132, 98, 1251, 4306, 4022, 4314, 362, 1289, 5560, 1597, 2908, 1825, 6132, 98, 1251, 4306, 4022, 4314, 362, 1289, 5560,
3830, 6724, 6671, 1215, 2281, 4899, 5074, 5988, 5041, 1883, 2822, 7024, 3830, 6724, 6671, 1215, 2281, 4899, 5074, 5988, 5041, 1883, 2822, 7024,
2920, 594, 6189, 6662, 3247, 771, 5822, 1742, 4206, 3686, 776, 5987, 2920, 594, 6189, 6662, 3247, 771, 5822, 1742, 4206, 3686, 776, 5987,
8, 4021, 38, 5658, 3017, 6143, 889, 4216}; 8, 4021, 38, 5658, 3017, 6143, 889, 4216
};
const uint16_t PQCLEAN_KYBER768_psis_inv_montgomery[KYBER_N] = { const uint16_t PQCLEAN_KYBER768_psis_inv_montgomery[KYBER_N] = {
1024, 4972, 5779, 6907, 4943, 4168, 315, 5580, 90, 497, 1123, 142, 1024, 4972, 5779, 6907, 4943, 4168, 315, 5580, 90, 497, 1123, 142,
@ -94,4 +96,5 @@ const uint16_t PQCLEAN_KYBER768_psis_inv_montgomery[KYBER_N] = {
145, 374, 2236, 4496, 5028, 6771, 6923, 7421, 1978, 1023, 3857, 6876, 145, 374, 2236, 4496, 5028, 6771, 6923, 7421, 1978, 1023, 3857, 6876,
1102, 7451, 4704, 6518, 1344, 765, 384, 5705, 1207, 1630, 4734, 1563, 1102, 7451, 4704, 6518, 1344, 765, 384, 5705, 1207, 1630, 4734, 1563,
6839, 5933, 1954, 4987, 7142, 5814, 7527, 4953, 7637, 4707, 2182, 5734, 6839, 5933, 1954, 4987, 7142, 5814, 7527, 4953, 7637, 4707, 2182, 5734,
2818, 541, 4097, 5641}; 2818, 541, 4097, 5641
};

View File

@ -12,8 +12,7 @@
* *
* Returns 0 if the byte arrays are equal, 1 otherwise * Returns 0 if the byte arrays are equal, 1 otherwise
**************************************************/ **************************************************/
int PQCLEAN_KYBER768_verify(const unsigned char *a, const unsigned char *b, int PQCLEAN_KYBER768_verify(const unsigned char *a, const unsigned char *b, size_t len) {
size_t len) {
uint64_t r; uint64_t r;
size_t i; size_t i;
r = 0; r = 0;
@ -39,8 +38,7 @@ int PQCLEAN_KYBER768_verify(const unsigned char *a, const unsigned char *b,
* size_t len: Amount of bytes to be copied * size_t len: Amount of bytes to be copied
* unsigned char b: Condition bit; has to be in {0,1} * unsigned char b: Condition bit; has to be in {0,1}
**************************************************/ **************************************************/
void PQCLEAN_KYBER768_cmov(unsigned char *r, const unsigned char *x, size_t len, void PQCLEAN_KYBER768_cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b) {
unsigned char b) {
size_t i; size_t i;
b = -b; b = -b;

View File

@ -3,10 +3,8 @@
#include <stdio.h> #include <stdio.h>
int PQCLEAN_KYBER768_verify(const unsigned char *a, const unsigned char *b, int PQCLEAN_KYBER768_verify(const unsigned char *a, const unsigned char *b, size_t len);
size_t len);
void PQCLEAN_KYBER768_cmov(unsigned char *r, const unsigned char *x, size_t len, void PQCLEAN_KYBER768_cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b);
unsigned char b);
#endif #endif