kris/pqcrypto
1
1
Fork 0
mirror of https://github.com/henrydcase/pqc.git synced 2024-11-22 07:35:38 +00:00
Code Issues 1 Releases Wiki Activity

Add clang-tidy, only require SCHEME where needed

Browse Source
This commit is contained in:
Thom Wiggers 2019-01-16 08:18:33 +01:00
parent 20fb166d01
commit b22a21c08a
No known key found for this signature in database
GPG Key ID: 001BB0A7CE26E363
17 changed files with 465 additions and 91 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

295
.clang-tidy Normal file
View File

@ -0,0 +1,295 @@
---
Checks: 'clang-diagnostic-*,clang-analyzer-*,clang-diagnostic-*,clang-analyzer-*,*,-hicpp-signed-bitwise,-llvm-header-guard,-hicpp-function-*,-readability-function-size'
WarningsAsErrors: '*'
HeaderFilterRegex: '.*'
AnalyzeTemporaryDtors: false
FormatStyle: file
User: thom
CheckOptions:
- key: abseil-string-find-startswith.AbseilStringsMatchHeader
value: absl/strings/match.h
- key: abseil-string-find-startswith.IncludeStyle
value: llvm
- key: abseil-string-find-startswith.StringLikeClasses
value: '::std::basic_string'
- key: bugprone-argument-comment.StrictMode
value: '0'
- key: bugprone-assert-side-effect.AssertMacros
value: assert
- key: bugprone-assert-side-effect.CheckFunctionCalls
value: '0'
- key: bugprone-dangling-handle.HandleClasses
value: 'std::basic_string_view;std::experimental::basic_string_view'
- key: bugprone-exception-escape.FunctionsThatShouldNotThrow
value: ''
- key: bugprone-exception-escape.IgnoredExceptions
value: ''
- key: bugprone-misplaced-widening-cast.CheckImplicitCasts
value: '0'
- key: bugprone-sizeof-expression.WarnOnSizeOfCompareToConstant
value: '1'
- key: bugprone-sizeof-expression.WarnOnSizeOfConstant
value: '1'
- key: bugprone-sizeof-expression.WarnOnSizeOfIntegerExpression
value: '0'
- key: bugprone-sizeof-expression.WarnOnSizeOfThis
value: '1'
- key: bugprone-string-constructor.LargeLengthThreshold
value: '8388608'
- key: bugprone-string-constructor.WarnOnLargeLength
value: '1'
- key: bugprone-suspicious-enum-usage.StrictMode
value: '0'
- key: bugprone-suspicious-missing-comma.MaxConcatenatedTokens
value: '5'
- key: bugprone-suspicious-missing-comma.RatioThreshold
value: '0.200000'
- key: bugprone-suspicious-missing-comma.SizeThreshold
value: '5'
- key: bugprone-suspicious-string-compare.StringCompareLikeFunctions
value: ''
- key: bugprone-suspicious-string-compare.WarnOnImplicitComparison
value: '1'
- key: bugprone-suspicious-string-compare.WarnOnLogicalNotComparison
value: '0'
- key: bugprone-unused-return-value.CheckedFunctions
value: '::std::async;::std::launder;::std::remove;::std::remove_if;::std::unique;::std::unique_ptr::release;::std::basic_string::empty;::std::vector::empty'
- key: cert-dcl59-cpp.HeaderFileExtensions
value: ',h,hh,hpp,hxx'
- key: cert-err09-cpp.CheckThrowTemporaries
value: '1'
- key: cert-err61-cpp.CheckThrowTemporaries
value: '1'
- key: cert-msc32-c.DisallowedSeedTypes
value: 'time_t,std::time_t'
- key: cert-msc51-cpp.DisallowedSeedTypes
value: 'time_t,std::time_t'
- key: cert-oop11-cpp.IncludeStyle
value: llvm
- key: cppcoreguidelines-no-malloc.Allocations
value: '::malloc;::calloc'
- key: cppcoreguidelines-no-malloc.Deallocations
value: '::free'
- key: cppcoreguidelines-no-malloc.Reallocations
value: '::realloc'
- key: cppcoreguidelines-owning-memory.LegacyResourceConsumers
value: '::free;::realloc;::freopen;::fclose'
- key: cppcoreguidelines-owning-memory.LegacyResourceProducers
value: '::malloc;::aligned_alloc;::realloc;::calloc;::fopen;::freopen;::tmpfile'
- key: cppcoreguidelines-pro-bounds-constant-array-index.GslHeader
value: ''
- key: cppcoreguidelines-pro-bounds-constant-array-index.IncludeStyle
value: '0'
- key: cppcoreguidelines-pro-type-member-init.IgnoreArrays
value: '0'
- key: cppcoreguidelines-special-member-functions.AllowMissingMoveFunctions
value: '0'
- key: cppcoreguidelines-special-member-functions.AllowSoleDefaultDtor
value: '0'
- key: fuchsia-header-anon-namespaces.HeaderFileExtensions
value: ',h,hh,hpp,hxx'
- key: fuchsia-restrict-system-includes.Includes
value: '*'
- key: google-build-namespaces.HeaderFileExtensions
value: ',h,hh,hpp,hxx'
- key: google-global-names-in-headers.HeaderFileExtensions
value: ',h,hh,hpp,hxx'
- key: google-readability-braces-around-statements.ShortStatementLines
value: '1'
- key: google-readability-function-size.BranchThreshold
value: '4294967295'
- key: google-readability-function-size.LineThreshold
value: '4294967295'
- key: google-readability-function-size.NestingThreshold
value: '4294967295'
- key: google-readability-function-size.ParameterThreshold
value: '4294967295'
- key: google-readability-function-size.StatementThreshold
value: '1000'
- key: google-readability-function-size.VariableThreshold
value: '4294967295'
- key: google-readability-namespace-comments.ShortNamespaceLines
value: '10'
- key: google-readability-namespace-comments.SpacesBeforeComments
value: '2'
- key: google-runtime-int.SignedTypePrefix
value: int
- key: google-runtime-int.TypeSuffix
value: ''
- key: google-runtime-int.UnsignedTypePrefix
value: uint
- key: google-runtime-references.WhiteListTypes
value: ''
- key: hicpp-braces-around-statements.ShortStatementLines
value: '0'
- key: hicpp-member-init.IgnoreArrays
value: '0'
- key: hicpp-move-const-arg.CheckTriviallyCopyableMove
value: '1'
- key: hicpp-multiway-paths-covered.WarnOnMissingElse
value: '0'
- key: hicpp-named-parameter.IgnoreFailedSplit
value: '0'
- key: hicpp-no-malloc.Allocations
value: '::malloc;::calloc'
- key: hicpp-no-malloc.Deallocations
value: '::free'
- key: hicpp-no-malloc.Reallocations
value: '::realloc'
- key: hicpp-special-member-functions.AllowMissingMoveFunctions
value: '0'
- key: hicpp-special-member-functions.AllowSoleDefaultDtor
value: '0'
- key: hicpp-use-auto.MinTypeNameLength
value: '5'
- key: hicpp-use-auto.RemoveStars
value: '0'
- key: hicpp-use-emplace.ContainersWithPushBack
value: '::std::vector;::std::list;::std::deque'
- key: hicpp-use-emplace.SmartPointers
value: '::std::shared_ptr;::std::unique_ptr;::std::auto_ptr;::std::weak_ptr'
- key: hicpp-use-emplace.TupleMakeFunctions
value: '::std::make_pair;::std::make_tuple'
- key: hicpp-use-emplace.TupleTypes
value: '::std::pair;::std::tuple'
- key: hicpp-use-equals-default.IgnoreMacros
value: '1'
- key: hicpp-use-noexcept.ReplacementString
value: ''
- key: hicpp-use-noexcept.UseNoexceptFalse
value: '1'
- key: hicpp-use-nullptr.NullMacros
value: ''
- key: llvm-namespace-comment.ShortNamespaceLines
value: '1'
- key: llvm-namespace-comment.SpacesBeforeComments
value: '1'
- key: misc-definitions-in-headers.HeaderFileExtensions
value: ',h,hh,hpp,hxx'
- key: misc-definitions-in-headers.UseHeaderFileExtension
value: '1'
- key: misc-throw-by-value-catch-by-reference.CheckThrowTemporaries
value: '1'
- key: misc-unused-parameters.StrictMode
value: '0'
- key: modernize-loop-convert.MaxCopySize
value: '16'
- key: modernize-loop-convert.MinConfidence
value: reasonable
- key: modernize-loop-convert.NamingStyle
value: CamelCase
- key: modernize-make-shared.IgnoreMacros
value: '1'
- key: modernize-make-shared.IncludeStyle
value: '0'
- key: modernize-make-shared.MakeSmartPtrFunction
value: 'std::make_shared'
- key: modernize-make-shared.MakeSmartPtrFunctionHeader
value: memory
- key: modernize-make-unique.IgnoreMacros
value: '1'
- key: modernize-make-unique.IncludeStyle
value: '0'
- key: modernize-make-unique.MakeSmartPtrFunction
value: 'std::make_unique'
- key: modernize-make-unique.MakeSmartPtrFunctionHeader
value: memory
- key: modernize-pass-by-value.IncludeStyle
value: llvm
- key: modernize-pass-by-value.ValuesOnly
value: '0'
- key: modernize-raw-string-literal.ReplaceShorterLiterals
value: '0'
- key: modernize-replace-auto-ptr.IncludeStyle
value: llvm
- key: modernize-replace-random-shuffle.IncludeStyle
value: llvm
- key: modernize-use-auto.MinTypeNameLength
value: '5'
- key: modernize-use-auto.RemoveStars
value: '0'
- key: modernize-use-default-member-init.IgnoreMacros
value: '1'
- key: modernize-use-default-member-init.UseAssignment
value: '0'
- key: modernize-use-emplace.ContainersWithPushBack
value: '::std::vector;::std::list;::std::deque'
- key: modernize-use-emplace.SmartPointers
value: '::std::shared_ptr;::std::unique_ptr;::std::auto_ptr;::std::weak_ptr'
- key: modernize-use-emplace.TupleMakeFunctions
value: '::std::make_pair;::std::make_tuple'
- key: modernize-use-emplace.TupleTypes
value: '::std::pair;::std::tuple'
- key: modernize-use-equals-default.IgnoreMacros
value: '1'
- key: modernize-use-noexcept.ReplacementString
value: ''
- key: modernize-use-noexcept.UseNoexceptFalse
value: '1'
- key: modernize-use-nullptr.NullMacros
value: 'NULL'
- key: modernize-use-transparent-functors.SafeMode
value: '0'
- key: modernize-use-using.IgnoreMacros
value: '1'
- key: objc-forbidden-subclassing.ForbiddenSuperClassNames
value: 'ABNewPersonViewController;ABPeoplePickerNavigationController;ABPersonViewController;ABUnknownPersonViewController;NSHashTable;NSMapTable;NSPointerArray;NSPointerFunctions;NSTimer;UIActionSheet;UIAlertView;UIImagePickerController;UITextInputMode;UIWebView'
- key: objc-property-declaration.Acronyms
value: ''
- key: objc-property-declaration.IncludeDefaultAcronyms
value: '1'
- key: performance-faster-string-find.StringLikeClasses
value: 'std::basic_string'
- key: performance-for-range-copy.WarnOnAllAutoCopies
value: '0'
- key: performance-inefficient-string-concatenation.StrictMode
value: '0'
- key: performance-inefficient-vector-operation.VectorLikeClasses
value: '::std::vector'
- key: performance-move-const-arg.CheckTriviallyCopyableMove
value: '1'
- key: performance-move-constructor-init.IncludeStyle
value: llvm
- key: performance-type-promotion-in-math-fn.IncludeStyle
value: llvm
- key: performance-unnecessary-value-param.IncludeStyle
value: llvm
- key: portability-simd-intrinsics.Std
value: ''
- key: portability-simd-intrinsics.Suggest
value: '0'
- key: readability-braces-around-statements.ShortStatementLines
value: '0'
- key: readability-function-size.BranchThreshold
value: '4294967295'
- key: readability-function-size.LineThreshold
value: '4294967295'
- key: readability-function-size.NestingThreshold
value: '4294967295'
- key: readability-function-size.ParameterThreshold
value: '4294967295'
- key: readability-function-size.StatementThreshold
value: '800'
- key: readability-function-size.VariableThreshold
value: '4294967295'
- key: readability-identifier-naming.IgnoreFailedSplit
value: '0'
- key: readability-implicit-bool-conversion.AllowIntegerConditions
value: '0'
- key: readability-implicit-bool-conversion.AllowPointerConditions
value: '0'
- key: readability-inconsistent-declaration-parameter-name.IgnoreMacros
value: '1'
- key: readability-inconsistent-declaration-parameter-name.Strict
value: '0'
- key: readability-simplify-boolean-expr.ChainedConditionalAssignment
value: '0'
- key: readability-simplify-boolean-expr.ChainedConditionalReturn
value: '0'
- key: readability-simplify-subscript-expr.Types
value: '::std::basic_string;::std::basic_string_view;::std::vector;::std::array'
- key: readability-static-accessed-through-instance.NameSpecifierNestingThreshold
value: '3'
- key: zircon-temporary-objects.Names
value: ''
...

53
Makefile
View File

@ -1,27 +1,48 @@
# assumes a SCHEME variable; e.g. make functest_kem SCHEME=crypto_kem/kyber768
ifndef SCHEME
# TODO make this more granular, i.e. make clean should not require SCHEME
$(error SCHEME variable is not set)
endif
# This -Wall was supported by the European Commission through the ERC Starting Grant 805031 (EPOQUE)
CFLAGS=-Wall -Wextra -Wpedantic -Werror -std=c99
CFLAGS=-Wall -Wextra -Wpedantic -Werror -std=c99 $(EXTRAFLAGS)
functest: $(dir $(SCHEME))test.c $(wildcard $(SCHEME)/clean/*.c) $(wildcard $(SCHEME)/clean/*.h)
functest: require_scheme $(dir $(SCHEME))test.c $(wildcard $(SCHEME)/clean/*.c) $(wildcard $(SCHEME)/clean/*.h)
mkdir -p bin
$(CC) $(CFLAGS)\
-I"./common/"\
-I"$(SCHEME)/clean/"\
-o bin/functest_$(subst /,_,$(SCHEME))\
common/*.c\
$(SCHEME)/clean/*.c\
$(CC) $(CFLAGS) \
-iquote "./common/" \
-iquote "$(SCHEME)/clean/" \
-o bin/functest_$(subst /,_,$(SCHEME)) \
common/*.c \
$(SCHEME)/clean/*.c \
$<
.PHONY: clean
clean:
rm -rf bin
.PHONY: format
format:
find . -iname *.h -o -iname *.c | xargs clang-format -i -style=file
.PHONY: tidy
tidy: require_scheme
clang-tidy \
$(SCHEME)/clean/*.c \
crypto_kem/test.c \
common/*.c \
$(.TIDY_FIX) \
-- -iquote "common/" -iquote "$(SCHEME)/clean"
.PHONY: fix-tidy
apply-tidy: | $(eval .TIDY_FIX = -fix) tidy
.PHONY: help
help:
@echo make functest SCHEME=scheme run functional tests for SCHEME
@echo make clean clean up the bin/ folder
@echo make format Automatically formats all the source code
@echo make tidy SCHEME=scheme Runs the clang-tidy linter against SCHEME
@echo make fix-tidy SCHEME=scheme Tries to automatically fix the issues found by clang-tidy in SCHEME
@echo make help Displays this message
.PHONY: require_scheme
require_scheme:
# assumes a SCHEME variable; e.g. make functest_kem SCHEME=crypto_kem/kyber768
ifndef SCHEME
$(error The SCHEME variable is not set. Example: SCHEME=crypto_kem/kyber768)
endif

39
common/fips202.c
View File

@ -10,7 +10,7 @@
#include <stdint.h>
#define NROUNDS 24
#define ROL(a, offset) ((a << offset) ^ (a >> (64 - offset)))
#define ROL(a, offset) (((a) << (offset)) ^ ((a) >> (64 - (offset))))
/*************************************************
* Name: load64
@ -25,8 +25,9 @@ static uint64_t load64(const unsigned char *x) {
unsigned int i;
uint64_t r = 0;
for (i = 0; i < 8; ++i)
for (i = 0; i < 8; ++i) {
r |= (uint64_t)x[i] << 8 * i;
}
return r;
}
@ -42,8 +43,9 @@ static uint64_t load64(const unsigned char *x) {
static void store64(uint8_t *x, uint64_t u) {
unsigned int i;
for (i = 0; i < 8; ++i)
for (i = 0; i < 8; ++i) {
x[i] = u >> 8 * i;
}
}
/* Keccak round constants */
@ -137,7 +139,7 @@ static void KeccakF1600_StatePermute(uint64_t *state) {
Asu ^= Du;
BCu = ROL(Asu, 14);
Eba = BCa ^ ((~BCe) & BCi);
Eba ^= (uint64_t)KeccakF_RoundConstants[round];
Eba ^= KeccakF_RoundConstants[round];
Ebe = BCe ^ ((~BCi) & BCo);
Ebi = BCi ^ ((~BCo) & BCu);
Ebo = BCo ^ ((~BCu) & BCa);
@ -232,7 +234,7 @@ static void KeccakF1600_StatePermute(uint64_t *state) {
Esu ^= Du;
BCu = ROL(Esu, 14);
Aba = BCa ^ ((~BCe) & BCi);
Aba ^= (uint64_t)KeccakF_RoundConstants[round + 1];
Aba ^= KeccakF_RoundConstants[round + 1];
Abe = BCe ^ ((~BCi) & BCo);
Abi = BCi ^ ((~BCo) & BCu);
Abo = BCo ^ ((~BCu) & BCa);
@ -350,26 +352,31 @@ static void keccak_absorb(uint64_t *s, unsigned int r, const unsigned char *m,
unsigned char t[200];
/* Zero state */
for (i = 0; i < 25; ++i)
for (i = 0; i < 25; ++i) {
s[i] = 0;
}
while (mlen >= r) {
for (i = 0; i < r / 8; ++i)
for (i = 0; i < r / 8; ++i) {
s[i] ^= load64(m + 8 * i);
}
KeccakF1600_StatePermute(s);
mlen -= r;
m += r;
}
for (i = 0; i < r; ++i)
for (i = 0; i < r; ++i) {
t[i] = 0;
for (i = 0; i < mlen; ++i)
}
for (i = 0; i < mlen; ++i) {
t[i] = m[i];
}
t[i] = p;
t[r - 1] |= 128;
for (i = 0; i < r / 8; ++i)
for (i = 0; i < r / 8; ++i) {
s[i] ^= load64(t + 8 * i);
}
}
/*************************************************
@ -490,8 +497,9 @@ void shake128(unsigned char *output, unsigned long long outlen,
if (outlen) {
shake128_squeezeblocks(t, 1, s);
for (i = 0; i < outlen; ++i)
for (i = 0; i < outlen; ++i) {
output[i] = t[i];
}
}
}
@ -520,8 +528,9 @@ void shake256(unsigned char *output, unsigned long long outlen,
if (outlen) {
shake256_squeezeblocks(t, 1, s);
for (i = 0; i < outlen; ++i)
for (i = 0; i < outlen; ++i) {
output[i] = t[i];
}
}
}
@ -546,8 +555,9 @@ void sha3_256(unsigned char *output, const unsigned char *input,
/* Squeeze output */
keccak_squeezeblocks(t, 1, s, SHA3_256_RATE);
for (i = 0; i < 32; i++)
for (i = 0; i < 32; i++) {
output[i] = t[i];
}
}
/*************************************************
@ -571,6 +581,7 @@ void sha3_512(unsigned char *output, const unsigned char *input,
/* Squeeze output */
keccak_squeezeblocks(t, 1, s, SHA3_512_RATE);
for (i = 0; i < 64; i++)
for (i = 0; i < 64; i++) {
output[i] = t[i];
}
}

18
common/notrandombytes.c
View File

@ -27,10 +27,12 @@ static void surf(void) {
int32_t i;
int32_t loop;
for (i = 0; i < 12; ++i)
for (i = 0; i < 12; ++i) {
t[i] = in[i] ^ seed[12 + i];
for (i = 0; i < 8; ++i)
}
for (i = 0; i < 8; ++i) {
out[i] = seed[24 + i];
}
x = t[11];
for (loop = 0; loop < 2; ++loop) {
for (r = 0; r < 16; ++r) {
@ -48,18 +50,22 @@ static void surf(void) {
MUSH(10, 9)
MUSH(11, 13)
}
for (i = 0; i < 8; ++i)
for (i = 0; i < 8; ++i) {
out[i] ^= t[i + 4];
}
}
}
void randombytes(uint8_t *x, uint64_t xlen) {
while (xlen > 0) {
if (!outleft) {
if (!++in[0])
if (!++in[1])
if (!++in[2])
if (!++in[0]) {
if (!++in[1]) {
if (!++in[2]) {
++in[3];
}
}
}
surf();
outleft = 8;
}

2
common/randombytes.h
View File

@ -1,6 +1,6 @@
#include <stdint.h>
#ifndef RANDOMBYTES_H
#define RANDOMBYTES_H
#include <stdint.h>
void randombytes(uint8_t *x, uint64_t xlen);

38
common/sha2.c
View File

@ -34,14 +34,14 @@ static void store_bigendian(unsigned char *x, uint64 u) {
#define SHR(x, c) ((x) >> (c))
#define ROTR(x, c) (((x) >> (c)) | ((x) << (64 - (c))))
#define Ch(x, y, z) ((x & y) ^ (~x & z))
#define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
#define Ch(x, y, z) (((x) & (y)) ^ (~(x) & (z)))
#define Maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
#define Sigma0(x) (ROTR(x, 28) ^ ROTR(x, 34) ^ ROTR(x, 39))
#define Sigma1(x) (ROTR(x, 14) ^ ROTR(x, 18) ^ ROTR(x, 41))
#define sigma0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x, 7))
#define sigma1(x) (ROTR(x, 19) ^ ROTR(x, 61) ^ SHR(x, 6))
#define M(w0, w14, w9, w1) w0 = sigma1(w14) + w9 + sigma0(w1) + w0;
#define M(w0, w14, w9, w1) w0 = sigma1(w14) + (w9) + sigma0(w1) + (w0);
#define EXPAND \
M(w0, w14, w9, w1) \
@ -62,7 +62,7 @@ static void store_bigendian(unsigned char *x, uint64 u) {
M(w15, w13, w8, w0)
#define F(w, k) \
T1 = h + Sigma1(e) + Ch(e, f, g) + k + w; \
T1 = h + Sigma1(e) + Ch(e, f, g) + (k) + (w); \
T2 = Sigma0(a) + Maj(a, b, c); \
h = g; \
g = f; \
@ -275,21 +275,24 @@ int sha384(unsigned char *out, const unsigned char *in,
unsigned int i;
unsigned long long bytes = inlen;
for (i = 0; i < 64; ++i)
for (i = 0; i < 64; ++i) {
h[i] = iv_384[i];
}
blocks(h, in, inlen);
in += inlen;
inlen &= 127;
in -= inlen;
for (i = 0; i < inlen; ++i)
for (i = 0; i < inlen; ++i) {
padded[i] = in[i];
}
padded[inlen] = 0x80;
if (inlen < 112) {
for (i = inlen + 1; i < 119; ++i)
for (i = inlen + 1; i < 119; ++i) {
padded[i] = 0;
}
padded[119] = bytes >> 61;
padded[120] = bytes >> 53;
padded[121] = bytes >> 45;
@ -301,8 +304,9 @@ int sha384(unsigned char *out, const unsigned char *in,
padded[127] = bytes << 3;
blocks(h, padded, 128);
} else {
for (i = inlen + 1; i < 247; ++i)
for (i = inlen + 1; i < 247; ++i) {
padded[i] = 0;
}
padded[247] = bytes >> 61;
padded[248] = bytes >> 53;
padded[249] = bytes >> 45;
@ -315,8 +319,9 @@ int sha384(unsigned char *out, const unsigned char *in,
blocks(h, padded, 256);
}
for (i = 0; i < 48; ++i)
for (i = 0; i < 48; ++i) {
out[i] = h[i];
}
return 0;
}
@ -328,21 +333,24 @@ int sha512(unsigned char *out, const unsigned char *in,
unsigned int i;
unsigned long long bytes = inlen;
for (i = 0; i < 64; ++i)
for (i = 0; i < 64; ++i) {
h[i] = iv_512[i];
}
blocks(h, in, inlen);
in += inlen;
inlen &= 127;
in -= inlen;
for (i = 0; i < inlen; ++i)
for (i = 0; i < inlen; ++i) {
padded[i] = in[i];
}
padded[inlen] = 0x80;
if (inlen < 112) {
for (i = inlen + 1; i < 119; ++i)
for (i = inlen + 1; i < 119; ++i) {
padded[i] = 0;
}
padded[119] = bytes >> 61;
padded[120] = bytes >> 53;
padded[121] = bytes >> 45;
@ -354,8 +362,9 @@ int sha512(unsigned char *out, const unsigned char *in,
padded[127] = bytes << 3;
blocks(h, padded, 128);
} else {
for (i = inlen + 1; i < 247; ++i)
for (i = inlen + 1; i < 247; ++i) {
padded[i] = 0;
}
padded[247] = bytes >> 61;
padded[248] = bytes >> 53;
padded[249] = bytes >> 45;
@ -368,8 +377,9 @@ int sha512(unsigned char *out, const unsigned char *in,
blocks(h, padded, 256);
}
for (i = 0; i < 64; ++i)
for (i = 0; i < 64; ++i) {
out[i] = h[i];
}
return 0;
}

6
crypto_kem/kyber768/clean/cbd.c
View File

@ -15,8 +15,9 @@
static uint64_t load_littleendian(const unsigned char *x, int bytes) {
int i;
uint64_t r = x[0];
for (i = 1; i < bytes; i++)
for (i = 1; i < bytes; i++) {
r |= (uint64_t)x[i] << (8 * i);
}
return r;
}
@ -62,8 +63,9 @@ void cbd(poly *r, const unsigned char *buf) {
for (i = 0; i < KYBER_N / 4; i++) {
t = load_littleendian(buf + 4 * i, 4);
d = 0;
for (j = 0; j < 4; j++)
for (j = 0; j < 4; j++) {
d += (t >> j) & 0x11111111;
}
a[0] = d & 0xf;
b[0] = (d >> 4) & 0xf;

27
crypto_kem/kyber768/clean/indcpa.c
View File

@ -21,8 +21,9 @@ static void pack_pk(unsigned char *r, const polyvec *pk,
const unsigned char *seed) {
int i;
polyvec_compress(r, pk);
for (i = 0; i < KYBER_SYMBYTES; i++)
for (i = 0; i < KYBER_SYMBYTES; i++) {
r[i + KYBER_POLYVECCOMPRESSEDBYTES] = seed[i];
}
}
/*************************************************
@ -43,8 +44,9 @@ static void unpack_pk(polyvec *pk, unsigned char *seed,
int i;
polyvec_decompress(pk, packedpk);
for (i = 0; i < KYBER_SYMBYTES; i++)
for (i = 0; i < KYBER_SYMBYTES; i++) {
seed[i] = packedpk[i + KYBER_POLYVECCOMPRESSEDBYTES];
}
}
/*************************************************
@ -136,8 +138,9 @@ void gen_matrix(polyvec *a, const unsigned char *seed,
uint64_t state[25]; // SHAKE state
unsigned char extseed[KYBER_SYMBYTES + 2];
for (i = 0; i < KYBER_SYMBYTES; i++)
for (i = 0; i < KYBER_SYMBYTES; i++) {
extseed[i] = seed[i];
}
for (i = 0; i < KYBER_K; i++) {
for (j = 0; j < KYBER_K; j++) {
@ -195,17 +198,20 @@ void indcpa_keypair(unsigned char *pk, unsigned char *sk) {
gen_a(a, publicseed);
for (i = 0; i < KYBER_K; i++)
for (i = 0; i < KYBER_K; i++) {
poly_getnoise(skpv.vec + i, noiseseed, nonce++);
}
polyvec_ntt(&skpv);
for (i = 0; i < KYBER_K; i++)
for (i = 0; i < KYBER_K; i++) {
poly_getnoise(e.vec + i, noiseseed, nonce++);
}
// matrix-vector multiplication
for (i = 0; i < KYBER_K; i++)
for (i = 0; i < KYBER_K; i++) {
polyvec_pointwise_acc(&pkpv.vec[i], &skpv, a + i);
}
polyvec_invntt(&pkpv);
polyvec_add(&pkpv, &pkpv, &e);
@ -246,17 +252,20 @@ void indcpa_enc(unsigned char *c, const unsigned char *m,
gen_at(at, seed);
for (i = 0; i < KYBER_K; i++)
for (i = 0; i < KYBER_K; i++) {
poly_getnoise(sp.vec + i, coins, nonce++);
}
polyvec_ntt(&sp);
for (i = 0; i < KYBER_K; i++)
for (i = 0; i < KYBER_K; i++) {
poly_getnoise(ep.vec + i, coins, nonce++);
}
// matrix-vector multiplication
for (i = 0; i < KYBER_K; i++)
for (i = 0; i < KYBER_K; i++) {
polyvec_pointwise_acc(&bp.vec[i], &sp, at + i);
}
polyvec_invntt(&bp);
polyvec_add(&bp, &bp, &ep);

6
crypto_kem/kyber768/clean/kem.c
View File

@ -21,8 +21,9 @@
int crypto_kem_keypair(unsigned char *pk, unsigned char *sk) {
size_t i;
indcpa_keypair(pk, sk);
for (i = 0; i < KYBER_INDCPA_PUBLICKEYBYTES; i++)
for (i = 0; i < KYBER_INDCPA_PUBLICKEYBYTES; i++) {
sk[i + KYBER_INDCPA_SECRETKEYBYTES] = pk[i];
}
sha3_256(sk + KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES, pk,
KYBER_PUBLICKEYBYTES);
randombytes(sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES,
@ -97,9 +98,10 @@ int crypto_kem_dec(unsigned char *ss, const unsigned char *ct,
indcpa_dec(buf, ct, sk);
for (i = 0; i < KYBER_SYMBYTES;
i++) /* Multitarget countermeasure for coins + contributory KEM */
i++) { /* Multitarget countermeasure for coins + contributory KEM */
buf[KYBER_SYMBYTES + i] = sk[KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES +
i]; /* Save hash by storing H(pk) in sk */
}
sha3_512(kr, buf, 2 * KYBER_SYMBYTES);
indcpa_enc(cmp, buf, pk,

6
crypto_kem/kyber768/clean/kex.c
View File

@ -18,8 +18,9 @@ void kyber_uake_sharedA(u8 *k, const u8 *recv, const u8 *tk, const u8 *sk) {
unsigned char buf[2 * KYBER_SYMBYTES];
int i;
crypto_kem_dec(buf, recv, sk);
for (i = 0; i < KYBER_SYMBYTES; i++)
for (i = 0; i < KYBER_SYMBYTES; i++) {
buf[i + KYBER_SYMBYTES] = tk[i];
}
shake256(k, KYBER_SYMBYTES, buf, 2 * KYBER_SYMBYTES);
}
@ -43,7 +44,8 @@ void kyber_ake_sharedA(u8 *k, const u8 *recv, const u8 *tk, const u8 *sk,
int i;
crypto_kem_dec(buf, recv, sk);
crypto_kem_dec(buf + KYBER_SYMBYTES, recv + KYBER_CIPHERTEXTBYTES, ska);
for (i = 0; i < KYBER_SYMBYTES; i++)
for (i = 0; i < KYBER_SYMBYTES; i++) {
buf[i + 2 * KYBER_SYMBYTES] = tk[i];
}
shake256(k, KYBER_SYMBYTES, buf, 3 * KYBER_SYMBYTES);
}

13
crypto_kem/kyber768/clean/ntt.c
View File

@ -30,10 +30,11 @@ void ntt(uint16_t *p) {
p[j + (1 << level)] = barrett_reduce(p[j] + 4 * KYBER_Q - t);
if (level & 1) /* odd level */
if (level & 1) { /* odd level */
p[j] = p[j] + t; /* Omit reduction (be lazy) */
else
} else {
p[j] = barrett_reduce(p[j] + t);
}
}
}
}
@ -60,10 +61,11 @@ void invntt(uint16_t *a) {
W = omegas_inv_bitrev_montgomery[jTwiddle++];
temp = a[j];
if (level & 1) /* odd level */
if (level & 1) { /* odd level */
a[j] = barrett_reduce((temp + a[j + (1 << level)]));
else
} else {
a[j] = (temp + a[j + (1 << level)]); /* Omit reduction (be lazy) */
}
t = (W * ((uint32_t)temp + 4 * KYBER_Q - a[j + (1 << level)]));
@ -72,6 +74,7 @@ void invntt(uint16_t *a) {
}
}
for (j = 0; j < KYBER_N; j++)
for (j = 0; j < KYBER_N; j++) {
a[j] = montgomery_reduce((a[j] * psis_inv_montgomery[j]));
}
}

2
crypto_kem/kyber768/clean/ntt.h
View File

@ -4,6 +4,6 @@
#include <stdint.h>
void ntt(uint16_t *poly);
void invntt(uint16_t *poly);
void invntt(uint16_t *a);
#endif

15
crypto_kem/kyber768/clean/poly.c
View File

@ -19,8 +19,9 @@ void poly_compress(unsigned char *r, const poly *a) {
unsigned int i, j, k = 0;
for (i = 0; i < KYBER_N; i += 8) {
for (j = 0; j < 8; j++)
for (j = 0; j < 8; j++) {
t[j] = (((freeze(a->coeffs[i + j]) << 3) + KYBER_Q / 2) / KYBER_Q) & 7;
}
r[k] = t[0] | (t[1] << 3) | (t[2] << 6);
r[k + 1] = (t[2] >> 2) | (t[3] << 1) | (t[4] << 4) | (t[5] << 7);
@ -66,8 +67,9 @@ void poly_tobytes(unsigned char *r, const poly *a) {
uint16_t t[8];
for (i = 0; i < KYBER_N / 8; i++) {
for (j = 0; j < 8; j++)
for (j = 0; j < 8; j++) {
t[j] = freeze(a->coeffs[8 * i + j]);
}
r[13 * i + 0] = t[0] & 0xff;
r[13 * i + 1] = (t[0] >> 8) | ((t[1] & 0x07) << 5);
@ -136,8 +138,9 @@ void poly_getnoise(poly *r, const unsigned char *seed, unsigned char nonce) {
unsigned char extseed[KYBER_SYMBYTES + 1];
int i;
for (i = 0; i < KYBER_SYMBYTES; i++)
for (i = 0; i < KYBER_SYMBYTES; i++) {
extseed[i] = seed[i];
}
extseed[KYBER_SYMBYTES] = nonce;
shake256(buf, KYBER_ETA * KYBER_N / 4, extseed, KYBER_SYMBYTES + 1);
@ -183,8 +186,9 @@ void poly_invntt(poly *r) {
**************************************************/
void poly_add(poly *r, const poly *a, const poly *b) {
int i;
for (i = 0; i < KYBER_N; i++)
for (i = 0; i < KYBER_N; i++) {
r->coeffs[i] = barrett_reduce(a->coeffs[i] + b->coeffs[i]);
}
}
/*************************************************
@ -198,8 +202,9 @@ void poly_add(poly *r, const poly *a, const poly *b) {
**************************************************/
void poly_sub(poly *r, const poly *a, const poly *b) {
int i;
for (i = 0; i < KYBER_N; i++)
for (i = 0; i < KYBER_N; i++) {
r->coeffs[i] = barrett_reduce(a->coeffs[i] + 3 * KYBER_Q - b->coeffs[i]);
}
}
/*************************************************

2
crypto_kem/kyber768/clean/poly.h
View File

@ -19,7 +19,7 @@ void poly_tobytes(unsigned char *r, const poly *a);
void poly_frombytes(poly *r, const unsigned char *a);
void poly_frommsg(poly *r, const unsigned char msg[KYBER_SYMBYTES]);
void poly_tomsg(unsigned char msg[KYBER_SYMBYTES], const poly *r);
void poly_tomsg(unsigned char msg[KYBER_SYMBYTES], const poly *a);
void poly_getnoise(poly *r, const unsigned char *seed, unsigned char nonce);

18
crypto_kem/kyber768/clean/polyvec.c
View File

@ -17,11 +17,12 @@ void polyvec_compress(unsigned char *r, const polyvec *a) {
uint16_t t[8];
for (i = 0; i < KYBER_K; i++) {
for (j = 0; j < KYBER_N / 8; j++) {
for (k = 0; k < 8; k++)
for (k = 0; k < 8; k++) {
t[k] = ((((uint32_t)freeze(a->vec[i].coeffs[8 * j + k]) << 11) +
KYBER_Q / 2) /
KYBER_Q) &
0x7ff;
}
r[11 * j + 0] = t[0] & 0xff;
r[11 * j + 1] = (t[0] >> 8) | ((t[1] & 0x1f) << 3);
@ -109,8 +110,9 @@ void polyvec_decompress(polyvec *r, const unsigned char *a) {
**************************************************/
void polyvec_tobytes(unsigned char *r, const polyvec *a) {
int i;
for (i = 0; i < KYBER_K; i++)
for (i = 0; i < KYBER_K; i++) {
poly_tobytes(r + i * KYBER_POLYBYTES, &a->vec[i]);
}
}
/*************************************************
@ -124,8 +126,9 @@ void polyvec_tobytes(unsigned char *r, const polyvec *a) {
**************************************************/
void polyvec_frombytes(polyvec *r, const unsigned char *a) {
int i;
for (i = 0; i < KYBER_K; i++)
for (i = 0; i < KYBER_K; i++) {
poly_frombytes(&r->vec[i], a + i * KYBER_POLYBYTES);
}
}
/*************************************************
@ -137,8 +140,9 @@ void polyvec_frombytes(polyvec *r, const unsigned char *a) {
**************************************************/
void polyvec_ntt(polyvec *r) {
int i;
for (i = 0; i < KYBER_K; i++)
for (i = 0; i < KYBER_K; i++) {
poly_ntt(&r->vec[i]);
}
}
/*************************************************
@ -150,8 +154,9 @@ void polyvec_ntt(polyvec *r) {
**************************************************/
void polyvec_invntt(polyvec *r) {
int i;
for (i = 0; i < KYBER_K; i++)
for (i = 0; i < KYBER_K; i++) {
poly_invntt(&r->vec[i]);
}
}
/*************************************************
@ -189,6 +194,7 @@ void polyvec_pointwise_acc(poly *r, const polyvec *a, const polyvec *b) {
**************************************************/
void polyvec_add(polyvec *r, const polyvec *a, const polyvec *b) {
int i;
for (i = 0; i < KYBER_K; i++)
for (i = 0; i < KYBER_K; i++) {
poly_add(&r->vec[i], &a->vec[i], &b->vec[i]);
}
}

6
crypto_kem/kyber768/clean/verify.c
View File

@ -17,8 +17,9 @@ int verify(const unsigned char *a, const unsigned char *b, size_t len) {
size_t i;
r = 0;
for (i = 0; i < len; i++)
for (i = 0; i < len; i++) {
r |= a[i] ^ b[i];
}
r = (-r) >> 63;
return r;
@ -42,6 +43,7 @@ void cmov(unsigned char *r, const unsigned char *x, size_t len,
size_t i;
b = -b;
for (i = 0; i < len; i++)
for (i = 0; i < len; i++) {
r[i] ^= b & (x[i] ^ r[i]);
}
}

10
crypto_kem/test.c
View File

@ -12,11 +12,11 @@ static void write_canary(unsigned char *d) {
*((uint64_t *)d) = 0x0123456789ABCDEF;
}
static int check_canary(unsigned char *d) {
if (*(uint64_t *)d != 0x0123456789ABCDEF)
static int check_canary(const unsigned char *d) {
if (*(uint64_t *)d != 0x0123456789ABCDEF) {
return -1;
else
return 0;
}
{ return 0; }
}
static int test_keys(void) {
@ -48,7 +48,7 @@ static int test_keys(void) {
// Alice uses Bobs response to get her secret key
crypto_kem_dec(key_a + 8, sendb + 8, sk_a + 8);
if (memcmp(key_a + 8, key_b + 8, CRYPTO_BYTES)) {
if (memcmp(key_a + 8, key_b + 8, CRYPTO_BYTES) != 0) {
printf("ERROR KEYS\n");
} else if (check_canary(key_a) || check_canary(key_a + sizeof(key_a) - 8) ||
check_canary(key_b) || check_canary(key_b + sizeof(key_b) - 8) ||