mirror of
https://github.com/henrydcase/pqc.git
synced 2024-11-22 23:48:58 +00:00
Add clang-tidy, only require SCHEME where needed
This commit is contained in:
parent
20fb166d01
commit
b22a21c08a
295
.clang-tidy
Normal file
295
.clang-tidy
Normal file
@ -0,0 +1,295 @@
|
|||||||
|
---
|
||||||
|
Checks: 'clang-diagnostic-*,clang-analyzer-*,clang-diagnostic-*,clang-analyzer-*,*,-hicpp-signed-bitwise,-llvm-header-guard,-hicpp-function-*,-readability-function-size'
|
||||||
|
WarningsAsErrors: '*'
|
||||||
|
HeaderFilterRegex: '.*'
|
||||||
|
AnalyzeTemporaryDtors: false
|
||||||
|
FormatStyle: file
|
||||||
|
User: thom
|
||||||
|
CheckOptions:
|
||||||
|
- key: abseil-string-find-startswith.AbseilStringsMatchHeader
|
||||||
|
value: absl/strings/match.h
|
||||||
|
- key: abseil-string-find-startswith.IncludeStyle
|
||||||
|
value: llvm
|
||||||
|
- key: abseil-string-find-startswith.StringLikeClasses
|
||||||
|
value: '::std::basic_string'
|
||||||
|
- key: bugprone-argument-comment.StrictMode
|
||||||
|
value: '0'
|
||||||
|
- key: bugprone-assert-side-effect.AssertMacros
|
||||||
|
value: assert
|
||||||
|
- key: bugprone-assert-side-effect.CheckFunctionCalls
|
||||||
|
value: '0'
|
||||||
|
- key: bugprone-dangling-handle.HandleClasses
|
||||||
|
value: 'std::basic_string_view;std::experimental::basic_string_view'
|
||||||
|
- key: bugprone-exception-escape.FunctionsThatShouldNotThrow
|
||||||
|
value: ''
|
||||||
|
- key: bugprone-exception-escape.IgnoredExceptions
|
||||||
|
value: ''
|
||||||
|
- key: bugprone-misplaced-widening-cast.CheckImplicitCasts
|
||||||
|
value: '0'
|
||||||
|
- key: bugprone-sizeof-expression.WarnOnSizeOfCompareToConstant
|
||||||
|
value: '1'
|
||||||
|
- key: bugprone-sizeof-expression.WarnOnSizeOfConstant
|
||||||
|
value: '1'
|
||||||
|
- key: bugprone-sizeof-expression.WarnOnSizeOfIntegerExpression
|
||||||
|
value: '0'
|
||||||
|
- key: bugprone-sizeof-expression.WarnOnSizeOfThis
|
||||||
|
value: '1'
|
||||||
|
- key: bugprone-string-constructor.LargeLengthThreshold
|
||||||
|
value: '8388608'
|
||||||
|
- key: bugprone-string-constructor.WarnOnLargeLength
|
||||||
|
value: '1'
|
||||||
|
- key: bugprone-suspicious-enum-usage.StrictMode
|
||||||
|
value: '0'
|
||||||
|
- key: bugprone-suspicious-missing-comma.MaxConcatenatedTokens
|
||||||
|
value: '5'
|
||||||
|
- key: bugprone-suspicious-missing-comma.RatioThreshold
|
||||||
|
value: '0.200000'
|
||||||
|
- key: bugprone-suspicious-missing-comma.SizeThreshold
|
||||||
|
value: '5'
|
||||||
|
- key: bugprone-suspicious-string-compare.StringCompareLikeFunctions
|
||||||
|
value: ''
|
||||||
|
- key: bugprone-suspicious-string-compare.WarnOnImplicitComparison
|
||||||
|
value: '1'
|
||||||
|
- key: bugprone-suspicious-string-compare.WarnOnLogicalNotComparison
|
||||||
|
value: '0'
|
||||||
|
- key: bugprone-unused-return-value.CheckedFunctions
|
||||||
|
value: '::std::async;::std::launder;::std::remove;::std::remove_if;::std::unique;::std::unique_ptr::release;::std::basic_string::empty;::std::vector::empty'
|
||||||
|
- key: cert-dcl59-cpp.HeaderFileExtensions
|
||||||
|
value: ',h,hh,hpp,hxx'
|
||||||
|
- key: cert-err09-cpp.CheckThrowTemporaries
|
||||||
|
value: '1'
|
||||||
|
- key: cert-err61-cpp.CheckThrowTemporaries
|
||||||
|
value: '1'
|
||||||
|
- key: cert-msc32-c.DisallowedSeedTypes
|
||||||
|
value: 'time_t,std::time_t'
|
||||||
|
- key: cert-msc51-cpp.DisallowedSeedTypes
|
||||||
|
value: 'time_t,std::time_t'
|
||||||
|
- key: cert-oop11-cpp.IncludeStyle
|
||||||
|
value: llvm
|
||||||
|
- key: cppcoreguidelines-no-malloc.Allocations
|
||||||
|
value: '::malloc;::calloc'
|
||||||
|
- key: cppcoreguidelines-no-malloc.Deallocations
|
||||||
|
value: '::free'
|
||||||
|
- key: cppcoreguidelines-no-malloc.Reallocations
|
||||||
|
value: '::realloc'
|
||||||
|
- key: cppcoreguidelines-owning-memory.LegacyResourceConsumers
|
||||||
|
value: '::free;::realloc;::freopen;::fclose'
|
||||||
|
- key: cppcoreguidelines-owning-memory.LegacyResourceProducers
|
||||||
|
value: '::malloc;::aligned_alloc;::realloc;::calloc;::fopen;::freopen;::tmpfile'
|
||||||
|
- key: cppcoreguidelines-pro-bounds-constant-array-index.GslHeader
|
||||||
|
value: ''
|
||||||
|
- key: cppcoreguidelines-pro-bounds-constant-array-index.IncludeStyle
|
||||||
|
value: '0'
|
||||||
|
- key: cppcoreguidelines-pro-type-member-init.IgnoreArrays
|
||||||
|
value: '0'
|
||||||
|
- key: cppcoreguidelines-special-member-functions.AllowMissingMoveFunctions
|
||||||
|
value: '0'
|
||||||
|
- key: cppcoreguidelines-special-member-functions.AllowSoleDefaultDtor
|
||||||
|
value: '0'
|
||||||
|
- key: fuchsia-header-anon-namespaces.HeaderFileExtensions
|
||||||
|
value: ',h,hh,hpp,hxx'
|
||||||
|
- key: fuchsia-restrict-system-includes.Includes
|
||||||
|
value: '*'
|
||||||
|
- key: google-build-namespaces.HeaderFileExtensions
|
||||||
|
value: ',h,hh,hpp,hxx'
|
||||||
|
- key: google-global-names-in-headers.HeaderFileExtensions
|
||||||
|
value: ',h,hh,hpp,hxx'
|
||||||
|
- key: google-readability-braces-around-statements.ShortStatementLines
|
||||||
|
value: '1'
|
||||||
|
- key: google-readability-function-size.BranchThreshold
|
||||||
|
value: '4294967295'
|
||||||
|
- key: google-readability-function-size.LineThreshold
|
||||||
|
value: '4294967295'
|
||||||
|
- key: google-readability-function-size.NestingThreshold
|
||||||
|
value: '4294967295'
|
||||||
|
- key: google-readability-function-size.ParameterThreshold
|
||||||
|
value: '4294967295'
|
||||||
|
- key: google-readability-function-size.StatementThreshold
|
||||||
|
value: '1000'
|
||||||
|
- key: google-readability-function-size.VariableThreshold
|
||||||
|
value: '4294967295'
|
||||||
|
- key: google-readability-namespace-comments.ShortNamespaceLines
|
||||||
|
value: '10'
|
||||||
|
- key: google-readability-namespace-comments.SpacesBeforeComments
|
||||||
|
value: '2'
|
||||||
|
- key: google-runtime-int.SignedTypePrefix
|
||||||
|
value: int
|
||||||
|
- key: google-runtime-int.TypeSuffix
|
||||||
|
value: ''
|
||||||
|
- key: google-runtime-int.UnsignedTypePrefix
|
||||||
|
value: uint
|
||||||
|
- key: google-runtime-references.WhiteListTypes
|
||||||
|
value: ''
|
||||||
|
- key: hicpp-braces-around-statements.ShortStatementLines
|
||||||
|
value: '0'
|
||||||
|
- key: hicpp-member-init.IgnoreArrays
|
||||||
|
value: '0'
|
||||||
|
- key: hicpp-move-const-arg.CheckTriviallyCopyableMove
|
||||||
|
value: '1'
|
||||||
|
- key: hicpp-multiway-paths-covered.WarnOnMissingElse
|
||||||
|
value: '0'
|
||||||
|
- key: hicpp-named-parameter.IgnoreFailedSplit
|
||||||
|
value: '0'
|
||||||
|
- key: hicpp-no-malloc.Allocations
|
||||||
|
value: '::malloc;::calloc'
|
||||||
|
- key: hicpp-no-malloc.Deallocations
|
||||||
|
value: '::free'
|
||||||
|
- key: hicpp-no-malloc.Reallocations
|
||||||
|
value: '::realloc'
|
||||||
|
- key: hicpp-special-member-functions.AllowMissingMoveFunctions
|
||||||
|
value: '0'
|
||||||
|
- key: hicpp-special-member-functions.AllowSoleDefaultDtor
|
||||||
|
value: '0'
|
||||||
|
- key: hicpp-use-auto.MinTypeNameLength
|
||||||
|
value: '5'
|
||||||
|
- key: hicpp-use-auto.RemoveStars
|
||||||
|
value: '0'
|
||||||
|
- key: hicpp-use-emplace.ContainersWithPushBack
|
||||||
|
value: '::std::vector;::std::list;::std::deque'
|
||||||
|
- key: hicpp-use-emplace.SmartPointers
|
||||||
|
value: '::std::shared_ptr;::std::unique_ptr;::std::auto_ptr;::std::weak_ptr'
|
||||||
|
- key: hicpp-use-emplace.TupleMakeFunctions
|
||||||
|
value: '::std::make_pair;::std::make_tuple'
|
||||||
|
- key: hicpp-use-emplace.TupleTypes
|
||||||
|
value: '::std::pair;::std::tuple'
|
||||||
|
- key: hicpp-use-equals-default.IgnoreMacros
|
||||||
|
value: '1'
|
||||||
|
- key: hicpp-use-noexcept.ReplacementString
|
||||||
|
value: ''
|
||||||
|
- key: hicpp-use-noexcept.UseNoexceptFalse
|
||||||
|
value: '1'
|
||||||
|
- key: hicpp-use-nullptr.NullMacros
|
||||||
|
value: ''
|
||||||
|
- key: llvm-namespace-comment.ShortNamespaceLines
|
||||||
|
value: '1'
|
||||||
|
- key: llvm-namespace-comment.SpacesBeforeComments
|
||||||
|
value: '1'
|
||||||
|
- key: misc-definitions-in-headers.HeaderFileExtensions
|
||||||
|
value: ',h,hh,hpp,hxx'
|
||||||
|
- key: misc-definitions-in-headers.UseHeaderFileExtension
|
||||||
|
value: '1'
|
||||||
|
- key: misc-throw-by-value-catch-by-reference.CheckThrowTemporaries
|
||||||
|
value: '1'
|
||||||
|
- key: misc-unused-parameters.StrictMode
|
||||||
|
value: '0'
|
||||||
|
- key: modernize-loop-convert.MaxCopySize
|
||||||
|
value: '16'
|
||||||
|
- key: modernize-loop-convert.MinConfidence
|
||||||
|
value: reasonable
|
||||||
|
- key: modernize-loop-convert.NamingStyle
|
||||||
|
value: CamelCase
|
||||||
|
- key: modernize-make-shared.IgnoreMacros
|
||||||
|
value: '1'
|
||||||
|
- key: modernize-make-shared.IncludeStyle
|
||||||
|
value: '0'
|
||||||
|
- key: modernize-make-shared.MakeSmartPtrFunction
|
||||||
|
value: 'std::make_shared'
|
||||||
|
- key: modernize-make-shared.MakeSmartPtrFunctionHeader
|
||||||
|
value: memory
|
||||||
|
- key: modernize-make-unique.IgnoreMacros
|
||||||
|
value: '1'
|
||||||
|
- key: modernize-make-unique.IncludeStyle
|
||||||
|
value: '0'
|
||||||
|
- key: modernize-make-unique.MakeSmartPtrFunction
|
||||||
|
value: 'std::make_unique'
|
||||||
|
- key: modernize-make-unique.MakeSmartPtrFunctionHeader
|
||||||
|
value: memory
|
||||||
|
- key: modernize-pass-by-value.IncludeStyle
|
||||||
|
value: llvm
|
||||||
|
- key: modernize-pass-by-value.ValuesOnly
|
||||||
|
value: '0'
|
||||||
|
- key: modernize-raw-string-literal.ReplaceShorterLiterals
|
||||||
|
value: '0'
|
||||||
|
- key: modernize-replace-auto-ptr.IncludeStyle
|
||||||
|
value: llvm
|
||||||
|
- key: modernize-replace-random-shuffle.IncludeStyle
|
||||||
|
value: llvm
|
||||||
|
- key: modernize-use-auto.MinTypeNameLength
|
||||||
|
value: '5'
|
||||||
|
- key: modernize-use-auto.RemoveStars
|
||||||
|
value: '0'
|
||||||
|
- key: modernize-use-default-member-init.IgnoreMacros
|
||||||
|
value: '1'
|
||||||
|
- key: modernize-use-default-member-init.UseAssignment
|
||||||
|
value: '0'
|
||||||
|
- key: modernize-use-emplace.ContainersWithPushBack
|
||||||
|
value: '::std::vector;::std::list;::std::deque'
|
||||||
|
- key: modernize-use-emplace.SmartPointers
|
||||||
|
value: '::std::shared_ptr;::std::unique_ptr;::std::auto_ptr;::std::weak_ptr'
|
||||||
|
- key: modernize-use-emplace.TupleMakeFunctions
|
||||||
|
value: '::std::make_pair;::std::make_tuple'
|
||||||
|
- key: modernize-use-emplace.TupleTypes
|
||||||
|
value: '::std::pair;::std::tuple'
|
||||||
|
- key: modernize-use-equals-default.IgnoreMacros
|
||||||
|
value: '1'
|
||||||
|
- key: modernize-use-noexcept.ReplacementString
|
||||||
|
value: ''
|
||||||
|
- key: modernize-use-noexcept.UseNoexceptFalse
|
||||||
|
value: '1'
|
||||||
|
- key: modernize-use-nullptr.NullMacros
|
||||||
|
value: 'NULL'
|
||||||
|
- key: modernize-use-transparent-functors.SafeMode
|
||||||
|
value: '0'
|
||||||
|
- key: modernize-use-using.IgnoreMacros
|
||||||
|
value: '1'
|
||||||
|
- key: objc-forbidden-subclassing.ForbiddenSuperClassNames
|
||||||
|
value: 'ABNewPersonViewController;ABPeoplePickerNavigationController;ABPersonViewController;ABUnknownPersonViewController;NSHashTable;NSMapTable;NSPointerArray;NSPointerFunctions;NSTimer;UIActionSheet;UIAlertView;UIImagePickerController;UITextInputMode;UIWebView'
|
||||||
|
- key: objc-property-declaration.Acronyms
|
||||||
|
value: ''
|
||||||
|
- key: objc-property-declaration.IncludeDefaultAcronyms
|
||||||
|
value: '1'
|
||||||
|
- key: performance-faster-string-find.StringLikeClasses
|
||||||
|
value: 'std::basic_string'
|
||||||
|
- key: performance-for-range-copy.WarnOnAllAutoCopies
|
||||||
|
value: '0'
|
||||||
|
- key: performance-inefficient-string-concatenation.StrictMode
|
||||||
|
value: '0'
|
||||||
|
- key: performance-inefficient-vector-operation.VectorLikeClasses
|
||||||
|
value: '::std::vector'
|
||||||
|
- key: performance-move-const-arg.CheckTriviallyCopyableMove
|
||||||
|
value: '1'
|
||||||
|
- key: performance-move-constructor-init.IncludeStyle
|
||||||
|
value: llvm
|
||||||
|
- key: performance-type-promotion-in-math-fn.IncludeStyle
|
||||||
|
value: llvm
|
||||||
|
- key: performance-unnecessary-value-param.IncludeStyle
|
||||||
|
value: llvm
|
||||||
|
- key: portability-simd-intrinsics.Std
|
||||||
|
value: ''
|
||||||
|
- key: portability-simd-intrinsics.Suggest
|
||||||
|
value: '0'
|
||||||
|
- key: readability-braces-around-statements.ShortStatementLines
|
||||||
|
value: '0'
|
||||||
|
- key: readability-function-size.BranchThreshold
|
||||||
|
value: '4294967295'
|
||||||
|
- key: readability-function-size.LineThreshold
|
||||||
|
value: '4294967295'
|
||||||
|
- key: readability-function-size.NestingThreshold
|
||||||
|
value: '4294967295'
|
||||||
|
- key: readability-function-size.ParameterThreshold
|
||||||
|
value: '4294967295'
|
||||||
|
- key: readability-function-size.StatementThreshold
|
||||||
|
value: '800'
|
||||||
|
- key: readability-function-size.VariableThreshold
|
||||||
|
value: '4294967295'
|
||||||
|
- key: readability-identifier-naming.IgnoreFailedSplit
|
||||||
|
value: '0'
|
||||||
|
- key: readability-implicit-bool-conversion.AllowIntegerConditions
|
||||||
|
value: '0'
|
||||||
|
- key: readability-implicit-bool-conversion.AllowPointerConditions
|
||||||
|
value: '0'
|
||||||
|
- key: readability-inconsistent-declaration-parameter-name.IgnoreMacros
|
||||||
|
value: '1'
|
||||||
|
- key: readability-inconsistent-declaration-parameter-name.Strict
|
||||||
|
value: '0'
|
||||||
|
- key: readability-simplify-boolean-expr.ChainedConditionalAssignment
|
||||||
|
value: '0'
|
||||||
|
- key: readability-simplify-boolean-expr.ChainedConditionalReturn
|
||||||
|
value: '0'
|
||||||
|
- key: readability-simplify-subscript-expr.Types
|
||||||
|
value: '::std::basic_string;::std::basic_string_view;::std::vector;::std::array'
|
||||||
|
- key: readability-static-accessed-through-instance.NameSpecifierNestingThreshold
|
||||||
|
value: '3'
|
||||||
|
- key: zircon-temporary-objects.Names
|
||||||
|
value: ''
|
||||||
|
...
|
53
Makefile
53
Makefile
@ -1,27 +1,48 @@
|
|||||||
|
|
||||||
# assumes a SCHEME variable; e.g. make functest_kem SCHEME=crypto_kem/kyber768
|
|
||||||
ifndef SCHEME
|
|
||||||
# TODO make this more granular, i.e. make clean should not require SCHEME
|
|
||||||
$(error SCHEME variable is not set)
|
|
||||||
endif
|
|
||||||
|
|
||||||
# This -Wall was supported by the European Commission through the ERC Starting Grant 805031 (EPOQUE)
|
# This -Wall was supported by the European Commission through the ERC Starting Grant 805031 (EPOQUE)
|
||||||
CFLAGS=-Wall -Wextra -Wpedantic -Werror -std=c99
|
CFLAGS=-Wall -Wextra -Wpedantic -Werror -std=c99 $(EXTRAFLAGS)
|
||||||
|
|
||||||
functest: $(dir $(SCHEME))test.c $(wildcard $(SCHEME)/clean/*.c) $(wildcard $(SCHEME)/clean/*.h)
|
functest: require_scheme $(dir $(SCHEME))test.c $(wildcard $(SCHEME)/clean/*.c) $(wildcard $(SCHEME)/clean/*.h)
|
||||||
mkdir -p bin
|
mkdir -p bin
|
||||||
$(CC) $(CFLAGS)\
|
$(CC) $(CFLAGS) \
|
||||||
-I"./common/"\
|
-iquote "./common/" \
|
||||||
-I"$(SCHEME)/clean/"\
|
-iquote "$(SCHEME)/clean/" \
|
||||||
-o bin/functest_$(subst /,_,$(SCHEME))\
|
-o bin/functest_$(subst /,_,$(SCHEME)) \
|
||||||
common/*.c\
|
common/*.c \
|
||||||
$(SCHEME)/clean/*.c\
|
$(SCHEME)/clean/*.c \
|
||||||
$<
|
$<
|
||||||
|
|
||||||
.PHONY: clean
|
.PHONY: clean
|
||||||
|
|
||||||
clean:
|
clean:
|
||||||
rm -rf bin
|
rm -rf bin
|
||||||
|
|
||||||
|
.PHONY: format
|
||||||
format:
|
format:
|
||||||
find . -iname *.h -o -iname *.c | xargs clang-format -i -style=file
|
find . -iname *.h -o -iname *.c | xargs clang-format -i -style=file
|
||||||
|
|
||||||
|
.PHONY: tidy
|
||||||
|
tidy: require_scheme
|
||||||
|
clang-tidy \
|
||||||
|
$(SCHEME)/clean/*.c \
|
||||||
|
crypto_kem/test.c \
|
||||||
|
common/*.c \
|
||||||
|
$(.TIDY_FIX) \
|
||||||
|
-- -iquote "common/" -iquote "$(SCHEME)/clean"
|
||||||
|
|
||||||
|
.PHONY: fix-tidy
|
||||||
|
apply-tidy: | $(eval .TIDY_FIX = -fix) tidy
|
||||||
|
|
||||||
|
.PHONY: help
|
||||||
|
help:
|
||||||
|
@echo make functest SCHEME=scheme run functional tests for SCHEME
|
||||||
|
@echo make clean clean up the bin/ folder
|
||||||
|
@echo make format Automatically formats all the source code
|
||||||
|
@echo make tidy SCHEME=scheme Runs the clang-tidy linter against SCHEME
|
||||||
|
@echo make fix-tidy SCHEME=scheme Tries to automatically fix the issues found by clang-tidy in SCHEME
|
||||||
|
@echo make help Displays this message
|
||||||
|
|
||||||
|
.PHONY: require_scheme
|
||||||
|
require_scheme:
|
||||||
|
# assumes a SCHEME variable; e.g. make functest_kem SCHEME=crypto_kem/kyber768
|
||||||
|
ifndef SCHEME
|
||||||
|
$(error The SCHEME variable is not set. Example: SCHEME=crypto_kem/kyber768)
|
||||||
|
endif
|
||||||
|
@ -10,7 +10,7 @@
|
|||||||
#include <stdint.h>
|
#include <stdint.h>
|
||||||
|
|
||||||
#define NROUNDS 24
|
#define NROUNDS 24
|
||||||
#define ROL(a, offset) ((a << offset) ^ (a >> (64 - offset)))
|
#define ROL(a, offset) (((a) << (offset)) ^ ((a) >> (64 - (offset))))
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
* Name: load64
|
* Name: load64
|
||||||
@ -25,8 +25,9 @@ static uint64_t load64(const unsigned char *x) {
|
|||||||
unsigned int i;
|
unsigned int i;
|
||||||
uint64_t r = 0;
|
uint64_t r = 0;
|
||||||
|
|
||||||
for (i = 0; i < 8; ++i)
|
for (i = 0; i < 8; ++i) {
|
||||||
r |= (uint64_t)x[i] << 8 * i;
|
r |= (uint64_t)x[i] << 8 * i;
|
||||||
|
}
|
||||||
|
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
@ -42,8 +43,9 @@ static uint64_t load64(const unsigned char *x) {
|
|||||||
static void store64(uint8_t *x, uint64_t u) {
|
static void store64(uint8_t *x, uint64_t u) {
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
|
|
||||||
for (i = 0; i < 8; ++i)
|
for (i = 0; i < 8; ++i) {
|
||||||
x[i] = u >> 8 * i;
|
x[i] = u >> 8 * i;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Keccak round constants */
|
/* Keccak round constants */
|
||||||
@ -137,7 +139,7 @@ static void KeccakF1600_StatePermute(uint64_t *state) {
|
|||||||
Asu ^= Du;
|
Asu ^= Du;
|
||||||
BCu = ROL(Asu, 14);
|
BCu = ROL(Asu, 14);
|
||||||
Eba = BCa ^ ((~BCe) & BCi);
|
Eba = BCa ^ ((~BCe) & BCi);
|
||||||
Eba ^= (uint64_t)KeccakF_RoundConstants[round];
|
Eba ^= KeccakF_RoundConstants[round];
|
||||||
Ebe = BCe ^ ((~BCi) & BCo);
|
Ebe = BCe ^ ((~BCi) & BCo);
|
||||||
Ebi = BCi ^ ((~BCo) & BCu);
|
Ebi = BCi ^ ((~BCo) & BCu);
|
||||||
Ebo = BCo ^ ((~BCu) & BCa);
|
Ebo = BCo ^ ((~BCu) & BCa);
|
||||||
@ -232,7 +234,7 @@ static void KeccakF1600_StatePermute(uint64_t *state) {
|
|||||||
Esu ^= Du;
|
Esu ^= Du;
|
||||||
BCu = ROL(Esu, 14);
|
BCu = ROL(Esu, 14);
|
||||||
Aba = BCa ^ ((~BCe) & BCi);
|
Aba = BCa ^ ((~BCe) & BCi);
|
||||||
Aba ^= (uint64_t)KeccakF_RoundConstants[round + 1];
|
Aba ^= KeccakF_RoundConstants[round + 1];
|
||||||
Abe = BCe ^ ((~BCi) & BCo);
|
Abe = BCe ^ ((~BCi) & BCo);
|
||||||
Abi = BCi ^ ((~BCo) & BCu);
|
Abi = BCi ^ ((~BCo) & BCu);
|
||||||
Abo = BCo ^ ((~BCu) & BCa);
|
Abo = BCo ^ ((~BCu) & BCa);
|
||||||
@ -350,26 +352,31 @@ static void keccak_absorb(uint64_t *s, unsigned int r, const unsigned char *m,
|
|||||||
unsigned char t[200];
|
unsigned char t[200];
|
||||||
|
|
||||||
/* Zero state */
|
/* Zero state */
|
||||||
for (i = 0; i < 25; ++i)
|
for (i = 0; i < 25; ++i) {
|
||||||
s[i] = 0;
|
s[i] = 0;
|
||||||
|
}
|
||||||
|
|
||||||
while (mlen >= r) {
|
while (mlen >= r) {
|
||||||
for (i = 0; i < r / 8; ++i)
|
for (i = 0; i < r / 8; ++i) {
|
||||||
s[i] ^= load64(m + 8 * i);
|
s[i] ^= load64(m + 8 * i);
|
||||||
|
}
|
||||||
|
|
||||||
KeccakF1600_StatePermute(s);
|
KeccakF1600_StatePermute(s);
|
||||||
mlen -= r;
|
mlen -= r;
|
||||||
m += r;
|
m += r;
|
||||||
}
|
}
|
||||||
|
|
||||||
for (i = 0; i < r; ++i)
|
for (i = 0; i < r; ++i) {
|
||||||
t[i] = 0;
|
t[i] = 0;
|
||||||
for (i = 0; i < mlen; ++i)
|
}
|
||||||
|
for (i = 0; i < mlen; ++i) {
|
||||||
t[i] = m[i];
|
t[i] = m[i];
|
||||||
|
}
|
||||||
t[i] = p;
|
t[i] = p;
|
||||||
t[r - 1] |= 128;
|
t[r - 1] |= 128;
|
||||||
for (i = 0; i < r / 8; ++i)
|
for (i = 0; i < r / 8; ++i) {
|
||||||
s[i] ^= load64(t + 8 * i);
|
s[i] ^= load64(t + 8 * i);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
@ -490,9 +497,10 @@ void shake128(unsigned char *output, unsigned long long outlen,
|
|||||||
|
|
||||||
if (outlen) {
|
if (outlen) {
|
||||||
shake128_squeezeblocks(t, 1, s);
|
shake128_squeezeblocks(t, 1, s);
|
||||||
for (i = 0; i < outlen; ++i)
|
for (i = 0; i < outlen; ++i) {
|
||||||
output[i] = t[i];
|
output[i] = t[i];
|
||||||
}
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
@ -520,9 +528,10 @@ void shake256(unsigned char *output, unsigned long long outlen,
|
|||||||
|
|
||||||
if (outlen) {
|
if (outlen) {
|
||||||
shake256_squeezeblocks(t, 1, s);
|
shake256_squeezeblocks(t, 1, s);
|
||||||
for (i = 0; i < outlen; ++i)
|
for (i = 0; i < outlen; ++i) {
|
||||||
output[i] = t[i];
|
output[i] = t[i];
|
||||||
}
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
@ -546,8 +555,9 @@ void sha3_256(unsigned char *output, const unsigned char *input,
|
|||||||
/* Squeeze output */
|
/* Squeeze output */
|
||||||
keccak_squeezeblocks(t, 1, s, SHA3_256_RATE);
|
keccak_squeezeblocks(t, 1, s, SHA3_256_RATE);
|
||||||
|
|
||||||
for (i = 0; i < 32; i++)
|
for (i = 0; i < 32; i++) {
|
||||||
output[i] = t[i];
|
output[i] = t[i];
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
@ -571,6 +581,7 @@ void sha3_512(unsigned char *output, const unsigned char *input,
|
|||||||
/* Squeeze output */
|
/* Squeeze output */
|
||||||
keccak_squeezeblocks(t, 1, s, SHA3_512_RATE);
|
keccak_squeezeblocks(t, 1, s, SHA3_512_RATE);
|
||||||
|
|
||||||
for (i = 0; i < 64; i++)
|
for (i = 0; i < 64; i++) {
|
||||||
output[i] = t[i];
|
output[i] = t[i];
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
@ -27,10 +27,12 @@ static void surf(void) {
|
|||||||
int32_t i;
|
int32_t i;
|
||||||
int32_t loop;
|
int32_t loop;
|
||||||
|
|
||||||
for (i = 0; i < 12; ++i)
|
for (i = 0; i < 12; ++i) {
|
||||||
t[i] = in[i] ^ seed[12 + i];
|
t[i] = in[i] ^ seed[12 + i];
|
||||||
for (i = 0; i < 8; ++i)
|
}
|
||||||
|
for (i = 0; i < 8; ++i) {
|
||||||
out[i] = seed[24 + i];
|
out[i] = seed[24 + i];
|
||||||
|
}
|
||||||
x = t[11];
|
x = t[11];
|
||||||
for (loop = 0; loop < 2; ++loop) {
|
for (loop = 0; loop < 2; ++loop) {
|
||||||
for (r = 0; r < 16; ++r) {
|
for (r = 0; r < 16; ++r) {
|
||||||
@ -48,18 +50,22 @@ static void surf(void) {
|
|||||||
MUSH(10, 9)
|
MUSH(10, 9)
|
||||||
MUSH(11, 13)
|
MUSH(11, 13)
|
||||||
}
|
}
|
||||||
for (i = 0; i < 8; ++i)
|
for (i = 0; i < 8; ++i) {
|
||||||
out[i] ^= t[i + 4];
|
out[i] ^= t[i + 4];
|
||||||
}
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
void randombytes(uint8_t *x, uint64_t xlen) {
|
void randombytes(uint8_t *x, uint64_t xlen) {
|
||||||
while (xlen > 0) {
|
while (xlen > 0) {
|
||||||
if (!outleft) {
|
if (!outleft) {
|
||||||
if (!++in[0])
|
if (!++in[0]) {
|
||||||
if (!++in[1])
|
if (!++in[1]) {
|
||||||
if (!++in[2])
|
if (!++in[2]) {
|
||||||
++in[3];
|
++in[3];
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
surf();
|
surf();
|
||||||
outleft = 8;
|
outleft = 8;
|
||||||
}
|
}
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
#include <stdint.h>
|
|
||||||
#ifndef RANDOMBYTES_H
|
#ifndef RANDOMBYTES_H
|
||||||
#define RANDOMBYTES_H
|
#define RANDOMBYTES_H
|
||||||
|
#include <stdint.h>
|
||||||
|
|
||||||
void randombytes(uint8_t *x, uint64_t xlen);
|
void randombytes(uint8_t *x, uint64_t xlen);
|
||||||
|
|
||||||
|
@ -34,14 +34,14 @@ static void store_bigendian(unsigned char *x, uint64 u) {
|
|||||||
#define SHR(x, c) ((x) >> (c))
|
#define SHR(x, c) ((x) >> (c))
|
||||||
#define ROTR(x, c) (((x) >> (c)) | ((x) << (64 - (c))))
|
#define ROTR(x, c) (((x) >> (c)) | ((x) << (64 - (c))))
|
||||||
|
|
||||||
#define Ch(x, y, z) ((x & y) ^ (~x & z))
|
#define Ch(x, y, z) (((x) & (y)) ^ (~(x) & (z)))
|
||||||
#define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
|
#define Maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
|
||||||
#define Sigma0(x) (ROTR(x, 28) ^ ROTR(x, 34) ^ ROTR(x, 39))
|
#define Sigma0(x) (ROTR(x, 28) ^ ROTR(x, 34) ^ ROTR(x, 39))
|
||||||
#define Sigma1(x) (ROTR(x, 14) ^ ROTR(x, 18) ^ ROTR(x, 41))
|
#define Sigma1(x) (ROTR(x, 14) ^ ROTR(x, 18) ^ ROTR(x, 41))
|
||||||
#define sigma0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x, 7))
|
#define sigma0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x, 7))
|
||||||
#define sigma1(x) (ROTR(x, 19) ^ ROTR(x, 61) ^ SHR(x, 6))
|
#define sigma1(x) (ROTR(x, 19) ^ ROTR(x, 61) ^ SHR(x, 6))
|
||||||
|
|
||||||
#define M(w0, w14, w9, w1) w0 = sigma1(w14) + w9 + sigma0(w1) + w0;
|
#define M(w0, w14, w9, w1) w0 = sigma1(w14) + (w9) + sigma0(w1) + (w0);
|
||||||
|
|
||||||
#define EXPAND \
|
#define EXPAND \
|
||||||
M(w0, w14, w9, w1) \
|
M(w0, w14, w9, w1) \
|
||||||
@ -62,7 +62,7 @@ static void store_bigendian(unsigned char *x, uint64 u) {
|
|||||||
M(w15, w13, w8, w0)
|
M(w15, w13, w8, w0)
|
||||||
|
|
||||||
#define F(w, k) \
|
#define F(w, k) \
|
||||||
T1 = h + Sigma1(e) + Ch(e, f, g) + k + w; \
|
T1 = h + Sigma1(e) + Ch(e, f, g) + (k) + (w); \
|
||||||
T2 = Sigma0(a) + Maj(a, b, c); \
|
T2 = Sigma0(a) + Maj(a, b, c); \
|
||||||
h = g; \
|
h = g; \
|
||||||
g = f; \
|
g = f; \
|
||||||
@ -275,21 +275,24 @@ int sha384(unsigned char *out, const unsigned char *in,
|
|||||||
unsigned int i;
|
unsigned int i;
|
||||||
unsigned long long bytes = inlen;
|
unsigned long long bytes = inlen;
|
||||||
|
|
||||||
for (i = 0; i < 64; ++i)
|
for (i = 0; i < 64; ++i) {
|
||||||
h[i] = iv_384[i];
|
h[i] = iv_384[i];
|
||||||
|
}
|
||||||
|
|
||||||
blocks(h, in, inlen);
|
blocks(h, in, inlen);
|
||||||
in += inlen;
|
in += inlen;
|
||||||
inlen &= 127;
|
inlen &= 127;
|
||||||
in -= inlen;
|
in -= inlen;
|
||||||
|
|
||||||
for (i = 0; i < inlen; ++i)
|
for (i = 0; i < inlen; ++i) {
|
||||||
padded[i] = in[i];
|
padded[i] = in[i];
|
||||||
|
}
|
||||||
padded[inlen] = 0x80;
|
padded[inlen] = 0x80;
|
||||||
|
|
||||||
if (inlen < 112) {
|
if (inlen < 112) {
|
||||||
for (i = inlen + 1; i < 119; ++i)
|
for (i = inlen + 1; i < 119; ++i) {
|
||||||
padded[i] = 0;
|
padded[i] = 0;
|
||||||
|
}
|
||||||
padded[119] = bytes >> 61;
|
padded[119] = bytes >> 61;
|
||||||
padded[120] = bytes >> 53;
|
padded[120] = bytes >> 53;
|
||||||
padded[121] = bytes >> 45;
|
padded[121] = bytes >> 45;
|
||||||
@ -301,8 +304,9 @@ int sha384(unsigned char *out, const unsigned char *in,
|
|||||||
padded[127] = bytes << 3;
|
padded[127] = bytes << 3;
|
||||||
blocks(h, padded, 128);
|
blocks(h, padded, 128);
|
||||||
} else {
|
} else {
|
||||||
for (i = inlen + 1; i < 247; ++i)
|
for (i = inlen + 1; i < 247; ++i) {
|
||||||
padded[i] = 0;
|
padded[i] = 0;
|
||||||
|
}
|
||||||
padded[247] = bytes >> 61;
|
padded[247] = bytes >> 61;
|
||||||
padded[248] = bytes >> 53;
|
padded[248] = bytes >> 53;
|
||||||
padded[249] = bytes >> 45;
|
padded[249] = bytes >> 45;
|
||||||
@ -315,8 +319,9 @@ int sha384(unsigned char *out, const unsigned char *in,
|
|||||||
blocks(h, padded, 256);
|
blocks(h, padded, 256);
|
||||||
}
|
}
|
||||||
|
|
||||||
for (i = 0; i < 48; ++i)
|
for (i = 0; i < 48; ++i) {
|
||||||
out[i] = h[i];
|
out[i] = h[i];
|
||||||
|
}
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@ -328,21 +333,24 @@ int sha512(unsigned char *out, const unsigned char *in,
|
|||||||
unsigned int i;
|
unsigned int i;
|
||||||
unsigned long long bytes = inlen;
|
unsigned long long bytes = inlen;
|
||||||
|
|
||||||
for (i = 0; i < 64; ++i)
|
for (i = 0; i < 64; ++i) {
|
||||||
h[i] = iv_512[i];
|
h[i] = iv_512[i];
|
||||||
|
}
|
||||||
|
|
||||||
blocks(h, in, inlen);
|
blocks(h, in, inlen);
|
||||||
in += inlen;
|
in += inlen;
|
||||||
inlen &= 127;
|
inlen &= 127;
|
||||||
in -= inlen;
|
in -= inlen;
|
||||||
|
|
||||||
for (i = 0; i < inlen; ++i)
|
for (i = 0; i < inlen; ++i) {
|
||||||
padded[i] = in[i];
|
padded[i] = in[i];
|
||||||
|
}
|
||||||
padded[inlen] = 0x80;
|
padded[inlen] = 0x80;
|
||||||
|
|
||||||
if (inlen < 112) {
|
if (inlen < 112) {
|
||||||
for (i = inlen + 1; i < 119; ++i)
|
for (i = inlen + 1; i < 119; ++i) {
|
||||||
padded[i] = 0;
|
padded[i] = 0;
|
||||||
|
}
|
||||||
padded[119] = bytes >> 61;
|
padded[119] = bytes >> 61;
|
||||||
padded[120] = bytes >> 53;
|
padded[120] = bytes >> 53;
|
||||||
padded[121] = bytes >> 45;
|
padded[121] = bytes >> 45;
|
||||||
@ -354,8 +362,9 @@ int sha512(unsigned char *out, const unsigned char *in,
|
|||||||
padded[127] = bytes << 3;
|
padded[127] = bytes << 3;
|
||||||
blocks(h, padded, 128);
|
blocks(h, padded, 128);
|
||||||
} else {
|
} else {
|
||||||
for (i = inlen + 1; i < 247; ++i)
|
for (i = inlen + 1; i < 247; ++i) {
|
||||||
padded[i] = 0;
|
padded[i] = 0;
|
||||||
|
}
|
||||||
padded[247] = bytes >> 61;
|
padded[247] = bytes >> 61;
|
||||||
padded[248] = bytes >> 53;
|
padded[248] = bytes >> 53;
|
||||||
padded[249] = bytes >> 45;
|
padded[249] = bytes >> 45;
|
||||||
@ -368,8 +377,9 @@ int sha512(unsigned char *out, const unsigned char *in,
|
|||||||
blocks(h, padded, 256);
|
blocks(h, padded, 256);
|
||||||
}
|
}
|
||||||
|
|
||||||
for (i = 0; i < 64; ++i)
|
for (i = 0; i < 64; ++i) {
|
||||||
out[i] = h[i];
|
out[i] = h[i];
|
||||||
|
}
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
@ -15,8 +15,9 @@
|
|||||||
static uint64_t load_littleendian(const unsigned char *x, int bytes) {
|
static uint64_t load_littleendian(const unsigned char *x, int bytes) {
|
||||||
int i;
|
int i;
|
||||||
uint64_t r = x[0];
|
uint64_t r = x[0];
|
||||||
for (i = 1; i < bytes; i++)
|
for (i = 1; i < bytes; i++) {
|
||||||
r |= (uint64_t)x[i] << (8 * i);
|
r |= (uint64_t)x[i] << (8 * i);
|
||||||
|
}
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -62,8 +63,9 @@ void cbd(poly *r, const unsigned char *buf) {
|
|||||||
for (i = 0; i < KYBER_N / 4; i++) {
|
for (i = 0; i < KYBER_N / 4; i++) {
|
||||||
t = load_littleendian(buf + 4 * i, 4);
|
t = load_littleendian(buf + 4 * i, 4);
|
||||||
d = 0;
|
d = 0;
|
||||||
for (j = 0; j < 4; j++)
|
for (j = 0; j < 4; j++) {
|
||||||
d += (t >> j) & 0x11111111;
|
d += (t >> j) & 0x11111111;
|
||||||
|
}
|
||||||
|
|
||||||
a[0] = d & 0xf;
|
a[0] = d & 0xf;
|
||||||
b[0] = (d >> 4) & 0xf;
|
b[0] = (d >> 4) & 0xf;
|
||||||
|
@ -21,8 +21,9 @@ static void pack_pk(unsigned char *r, const polyvec *pk,
|
|||||||
const unsigned char *seed) {
|
const unsigned char *seed) {
|
||||||
int i;
|
int i;
|
||||||
polyvec_compress(r, pk);
|
polyvec_compress(r, pk);
|
||||||
for (i = 0; i < KYBER_SYMBYTES; i++)
|
for (i = 0; i < KYBER_SYMBYTES; i++) {
|
||||||
r[i + KYBER_POLYVECCOMPRESSEDBYTES] = seed[i];
|
r[i + KYBER_POLYVECCOMPRESSEDBYTES] = seed[i];
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
@ -43,8 +44,9 @@ static void unpack_pk(polyvec *pk, unsigned char *seed,
|
|||||||
int i;
|
int i;
|
||||||
polyvec_decompress(pk, packedpk);
|
polyvec_decompress(pk, packedpk);
|
||||||
|
|
||||||
for (i = 0; i < KYBER_SYMBYTES; i++)
|
for (i = 0; i < KYBER_SYMBYTES; i++) {
|
||||||
seed[i] = packedpk[i + KYBER_POLYVECCOMPRESSEDBYTES];
|
seed[i] = packedpk[i + KYBER_POLYVECCOMPRESSEDBYTES];
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
@ -136,8 +138,9 @@ void gen_matrix(polyvec *a, const unsigned char *seed,
|
|||||||
uint64_t state[25]; // SHAKE state
|
uint64_t state[25]; // SHAKE state
|
||||||
unsigned char extseed[KYBER_SYMBYTES + 2];
|
unsigned char extseed[KYBER_SYMBYTES + 2];
|
||||||
|
|
||||||
for (i = 0; i < KYBER_SYMBYTES; i++)
|
for (i = 0; i < KYBER_SYMBYTES; i++) {
|
||||||
extseed[i] = seed[i];
|
extseed[i] = seed[i];
|
||||||
|
}
|
||||||
|
|
||||||
for (i = 0; i < KYBER_K; i++) {
|
for (i = 0; i < KYBER_K; i++) {
|
||||||
for (j = 0; j < KYBER_K; j++) {
|
for (j = 0; j < KYBER_K; j++) {
|
||||||
@ -195,17 +198,20 @@ void indcpa_keypair(unsigned char *pk, unsigned char *sk) {
|
|||||||
|
|
||||||
gen_a(a, publicseed);
|
gen_a(a, publicseed);
|
||||||
|
|
||||||
for (i = 0; i < KYBER_K; i++)
|
for (i = 0; i < KYBER_K; i++) {
|
||||||
poly_getnoise(skpv.vec + i, noiseseed, nonce++);
|
poly_getnoise(skpv.vec + i, noiseseed, nonce++);
|
||||||
|
}
|
||||||
|
|
||||||
polyvec_ntt(&skpv);
|
polyvec_ntt(&skpv);
|
||||||
|
|
||||||
for (i = 0; i < KYBER_K; i++)
|
for (i = 0; i < KYBER_K; i++) {
|
||||||
poly_getnoise(e.vec + i, noiseseed, nonce++);
|
poly_getnoise(e.vec + i, noiseseed, nonce++);
|
||||||
|
}
|
||||||
|
|
||||||
// matrix-vector multiplication
|
// matrix-vector multiplication
|
||||||
for (i = 0; i < KYBER_K; i++)
|
for (i = 0; i < KYBER_K; i++) {
|
||||||
polyvec_pointwise_acc(&pkpv.vec[i], &skpv, a + i);
|
polyvec_pointwise_acc(&pkpv.vec[i], &skpv, a + i);
|
||||||
|
}
|
||||||
|
|
||||||
polyvec_invntt(&pkpv);
|
polyvec_invntt(&pkpv);
|
||||||
polyvec_add(&pkpv, &pkpv, &e);
|
polyvec_add(&pkpv, &pkpv, &e);
|
||||||
@ -246,17 +252,20 @@ void indcpa_enc(unsigned char *c, const unsigned char *m,
|
|||||||
|
|
||||||
gen_at(at, seed);
|
gen_at(at, seed);
|
||||||
|
|
||||||
for (i = 0; i < KYBER_K; i++)
|
for (i = 0; i < KYBER_K; i++) {
|
||||||
poly_getnoise(sp.vec + i, coins, nonce++);
|
poly_getnoise(sp.vec + i, coins, nonce++);
|
||||||
|
}
|
||||||
|
|
||||||
polyvec_ntt(&sp);
|
polyvec_ntt(&sp);
|
||||||
|
|
||||||
for (i = 0; i < KYBER_K; i++)
|
for (i = 0; i < KYBER_K; i++) {
|
||||||
poly_getnoise(ep.vec + i, coins, nonce++);
|
poly_getnoise(ep.vec + i, coins, nonce++);
|
||||||
|
}
|
||||||
|
|
||||||
// matrix-vector multiplication
|
// matrix-vector multiplication
|
||||||
for (i = 0; i < KYBER_K; i++)
|
for (i = 0; i < KYBER_K; i++) {
|
||||||
polyvec_pointwise_acc(&bp.vec[i], &sp, at + i);
|
polyvec_pointwise_acc(&bp.vec[i], &sp, at + i);
|
||||||
|
}
|
||||||
|
|
||||||
polyvec_invntt(&bp);
|
polyvec_invntt(&bp);
|
||||||
polyvec_add(&bp, &bp, &ep);
|
polyvec_add(&bp, &bp, &ep);
|
||||||
|
@ -21,8 +21,9 @@
|
|||||||
int crypto_kem_keypair(unsigned char *pk, unsigned char *sk) {
|
int crypto_kem_keypair(unsigned char *pk, unsigned char *sk) {
|
||||||
size_t i;
|
size_t i;
|
||||||
indcpa_keypair(pk, sk);
|
indcpa_keypair(pk, sk);
|
||||||
for (i = 0; i < KYBER_INDCPA_PUBLICKEYBYTES; i++)
|
for (i = 0; i < KYBER_INDCPA_PUBLICKEYBYTES; i++) {
|
||||||
sk[i + KYBER_INDCPA_SECRETKEYBYTES] = pk[i];
|
sk[i + KYBER_INDCPA_SECRETKEYBYTES] = pk[i];
|
||||||
|
}
|
||||||
sha3_256(sk + KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES, pk,
|
sha3_256(sk + KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES, pk,
|
||||||
KYBER_PUBLICKEYBYTES);
|
KYBER_PUBLICKEYBYTES);
|
||||||
randombytes(sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES,
|
randombytes(sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES,
|
||||||
@ -97,9 +98,10 @@ int crypto_kem_dec(unsigned char *ss, const unsigned char *ct,
|
|||||||
indcpa_dec(buf, ct, sk);
|
indcpa_dec(buf, ct, sk);
|
||||||
|
|
||||||
for (i = 0; i < KYBER_SYMBYTES;
|
for (i = 0; i < KYBER_SYMBYTES;
|
||||||
i++) /* Multitarget countermeasure for coins + contributory KEM */
|
i++) { /* Multitarget countermeasure for coins + contributory KEM */
|
||||||
buf[KYBER_SYMBYTES + i] = sk[KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES +
|
buf[KYBER_SYMBYTES + i] = sk[KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES +
|
||||||
i]; /* Save hash by storing H(pk) in sk */
|
i]; /* Save hash by storing H(pk) in sk */
|
||||||
|
}
|
||||||
sha3_512(kr, buf, 2 * KYBER_SYMBYTES);
|
sha3_512(kr, buf, 2 * KYBER_SYMBYTES);
|
||||||
|
|
||||||
indcpa_enc(cmp, buf, pk,
|
indcpa_enc(cmp, buf, pk,
|
||||||
|
@ -18,8 +18,9 @@ void kyber_uake_sharedA(u8 *k, const u8 *recv, const u8 *tk, const u8 *sk) {
|
|||||||
unsigned char buf[2 * KYBER_SYMBYTES];
|
unsigned char buf[2 * KYBER_SYMBYTES];
|
||||||
int i;
|
int i;
|
||||||
crypto_kem_dec(buf, recv, sk);
|
crypto_kem_dec(buf, recv, sk);
|
||||||
for (i = 0; i < KYBER_SYMBYTES; i++)
|
for (i = 0; i < KYBER_SYMBYTES; i++) {
|
||||||
buf[i + KYBER_SYMBYTES] = tk[i];
|
buf[i + KYBER_SYMBYTES] = tk[i];
|
||||||
|
}
|
||||||
shake256(k, KYBER_SYMBYTES, buf, 2 * KYBER_SYMBYTES);
|
shake256(k, KYBER_SYMBYTES, buf, 2 * KYBER_SYMBYTES);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -43,7 +44,8 @@ void kyber_ake_sharedA(u8 *k, const u8 *recv, const u8 *tk, const u8 *sk,
|
|||||||
int i;
|
int i;
|
||||||
crypto_kem_dec(buf, recv, sk);
|
crypto_kem_dec(buf, recv, sk);
|
||||||
crypto_kem_dec(buf + KYBER_SYMBYTES, recv + KYBER_CIPHERTEXTBYTES, ska);
|
crypto_kem_dec(buf + KYBER_SYMBYTES, recv + KYBER_CIPHERTEXTBYTES, ska);
|
||||||
for (i = 0; i < KYBER_SYMBYTES; i++)
|
for (i = 0; i < KYBER_SYMBYTES; i++) {
|
||||||
buf[i + 2 * KYBER_SYMBYTES] = tk[i];
|
buf[i + 2 * KYBER_SYMBYTES] = tk[i];
|
||||||
|
}
|
||||||
shake256(k, KYBER_SYMBYTES, buf, 3 * KYBER_SYMBYTES);
|
shake256(k, KYBER_SYMBYTES, buf, 3 * KYBER_SYMBYTES);
|
||||||
}
|
}
|
||||||
|
@ -30,13 +30,14 @@ void ntt(uint16_t *p) {
|
|||||||
|
|
||||||
p[j + (1 << level)] = barrett_reduce(p[j] + 4 * KYBER_Q - t);
|
p[j + (1 << level)] = barrett_reduce(p[j] + 4 * KYBER_Q - t);
|
||||||
|
|
||||||
if (level & 1) /* odd level */
|
if (level & 1) { /* odd level */
|
||||||
p[j] = p[j] + t; /* Omit reduction (be lazy) */
|
p[j] = p[j] + t; /* Omit reduction (be lazy) */
|
||||||
else
|
} else {
|
||||||
p[j] = barrett_reduce(p[j] + t);
|
p[j] = barrett_reduce(p[j] + t);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
@ -60,10 +61,11 @@ void invntt(uint16_t *a) {
|
|||||||
W = omegas_inv_bitrev_montgomery[jTwiddle++];
|
W = omegas_inv_bitrev_montgomery[jTwiddle++];
|
||||||
temp = a[j];
|
temp = a[j];
|
||||||
|
|
||||||
if (level & 1) /* odd level */
|
if (level & 1) { /* odd level */
|
||||||
a[j] = barrett_reduce((temp + a[j + (1 << level)]));
|
a[j] = barrett_reduce((temp + a[j + (1 << level)]));
|
||||||
else
|
} else {
|
||||||
a[j] = (temp + a[j + (1 << level)]); /* Omit reduction (be lazy) */
|
a[j] = (temp + a[j + (1 << level)]); /* Omit reduction (be lazy) */
|
||||||
|
}
|
||||||
|
|
||||||
t = (W * ((uint32_t)temp + 4 * KYBER_Q - a[j + (1 << level)]));
|
t = (W * ((uint32_t)temp + 4 * KYBER_Q - a[j + (1 << level)]));
|
||||||
|
|
||||||
@ -72,6 +74,7 @@ void invntt(uint16_t *a) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
for (j = 0; j < KYBER_N; j++)
|
for (j = 0; j < KYBER_N; j++) {
|
||||||
a[j] = montgomery_reduce((a[j] * psis_inv_montgomery[j]));
|
a[j] = montgomery_reduce((a[j] * psis_inv_montgomery[j]));
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
@ -4,6 +4,6 @@
|
|||||||
#include <stdint.h>
|
#include <stdint.h>
|
||||||
|
|
||||||
void ntt(uint16_t *poly);
|
void ntt(uint16_t *poly);
|
||||||
void invntt(uint16_t *poly);
|
void invntt(uint16_t *a);
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
@ -19,8 +19,9 @@ void poly_compress(unsigned char *r, const poly *a) {
|
|||||||
unsigned int i, j, k = 0;
|
unsigned int i, j, k = 0;
|
||||||
|
|
||||||
for (i = 0; i < KYBER_N; i += 8) {
|
for (i = 0; i < KYBER_N; i += 8) {
|
||||||
for (j = 0; j < 8; j++)
|
for (j = 0; j < 8; j++) {
|
||||||
t[j] = (((freeze(a->coeffs[i + j]) << 3) + KYBER_Q / 2) / KYBER_Q) & 7;
|
t[j] = (((freeze(a->coeffs[i + j]) << 3) + KYBER_Q / 2) / KYBER_Q) & 7;
|
||||||
|
}
|
||||||
|
|
||||||
r[k] = t[0] | (t[1] << 3) | (t[2] << 6);
|
r[k] = t[0] | (t[1] << 3) | (t[2] << 6);
|
||||||
r[k + 1] = (t[2] >> 2) | (t[3] << 1) | (t[4] << 4) | (t[5] << 7);
|
r[k + 1] = (t[2] >> 2) | (t[3] << 1) | (t[4] << 4) | (t[5] << 7);
|
||||||
@ -66,8 +67,9 @@ void poly_tobytes(unsigned char *r, const poly *a) {
|
|||||||
uint16_t t[8];
|
uint16_t t[8];
|
||||||
|
|
||||||
for (i = 0; i < KYBER_N / 8; i++) {
|
for (i = 0; i < KYBER_N / 8; i++) {
|
||||||
for (j = 0; j < 8; j++)
|
for (j = 0; j < 8; j++) {
|
||||||
t[j] = freeze(a->coeffs[8 * i + j]);
|
t[j] = freeze(a->coeffs[8 * i + j]);
|
||||||
|
}
|
||||||
|
|
||||||
r[13 * i + 0] = t[0] & 0xff;
|
r[13 * i + 0] = t[0] & 0xff;
|
||||||
r[13 * i + 1] = (t[0] >> 8) | ((t[1] & 0x07) << 5);
|
r[13 * i + 1] = (t[0] >> 8) | ((t[1] & 0x07) << 5);
|
||||||
@ -136,8 +138,9 @@ void poly_getnoise(poly *r, const unsigned char *seed, unsigned char nonce) {
|
|||||||
unsigned char extseed[KYBER_SYMBYTES + 1];
|
unsigned char extseed[KYBER_SYMBYTES + 1];
|
||||||
int i;
|
int i;
|
||||||
|
|
||||||
for (i = 0; i < KYBER_SYMBYTES; i++)
|
for (i = 0; i < KYBER_SYMBYTES; i++) {
|
||||||
extseed[i] = seed[i];
|
extseed[i] = seed[i];
|
||||||
|
}
|
||||||
extseed[KYBER_SYMBYTES] = nonce;
|
extseed[KYBER_SYMBYTES] = nonce;
|
||||||
|
|
||||||
shake256(buf, KYBER_ETA * KYBER_N / 4, extseed, KYBER_SYMBYTES + 1);
|
shake256(buf, KYBER_ETA * KYBER_N / 4, extseed, KYBER_SYMBYTES + 1);
|
||||||
@ -183,8 +186,9 @@ void poly_invntt(poly *r) {
|
|||||||
**************************************************/
|
**************************************************/
|
||||||
void poly_add(poly *r, const poly *a, const poly *b) {
|
void poly_add(poly *r, const poly *a, const poly *b) {
|
||||||
int i;
|
int i;
|
||||||
for (i = 0; i < KYBER_N; i++)
|
for (i = 0; i < KYBER_N; i++) {
|
||||||
r->coeffs[i] = barrett_reduce(a->coeffs[i] + b->coeffs[i]);
|
r->coeffs[i] = barrett_reduce(a->coeffs[i] + b->coeffs[i]);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
@ -198,8 +202,9 @@ void poly_add(poly *r, const poly *a, const poly *b) {
|
|||||||
**************************************************/
|
**************************************************/
|
||||||
void poly_sub(poly *r, const poly *a, const poly *b) {
|
void poly_sub(poly *r, const poly *a, const poly *b) {
|
||||||
int i;
|
int i;
|
||||||
for (i = 0; i < KYBER_N; i++)
|
for (i = 0; i < KYBER_N; i++) {
|
||||||
r->coeffs[i] = barrett_reduce(a->coeffs[i] + 3 * KYBER_Q - b->coeffs[i]);
|
r->coeffs[i] = barrett_reduce(a->coeffs[i] + 3 * KYBER_Q - b->coeffs[i]);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
|
@ -19,7 +19,7 @@ void poly_tobytes(unsigned char *r, const poly *a);
|
|||||||
void poly_frombytes(poly *r, const unsigned char *a);
|
void poly_frombytes(poly *r, const unsigned char *a);
|
||||||
|
|
||||||
void poly_frommsg(poly *r, const unsigned char msg[KYBER_SYMBYTES]);
|
void poly_frommsg(poly *r, const unsigned char msg[KYBER_SYMBYTES]);
|
||||||
void poly_tomsg(unsigned char msg[KYBER_SYMBYTES], const poly *r);
|
void poly_tomsg(unsigned char msg[KYBER_SYMBYTES], const poly *a);
|
||||||
|
|
||||||
void poly_getnoise(poly *r, const unsigned char *seed, unsigned char nonce);
|
void poly_getnoise(poly *r, const unsigned char *seed, unsigned char nonce);
|
||||||
|
|
||||||
|
@ -17,11 +17,12 @@ void polyvec_compress(unsigned char *r, const polyvec *a) {
|
|||||||
uint16_t t[8];
|
uint16_t t[8];
|
||||||
for (i = 0; i < KYBER_K; i++) {
|
for (i = 0; i < KYBER_K; i++) {
|
||||||
for (j = 0; j < KYBER_N / 8; j++) {
|
for (j = 0; j < KYBER_N / 8; j++) {
|
||||||
for (k = 0; k < 8; k++)
|
for (k = 0; k < 8; k++) {
|
||||||
t[k] = ((((uint32_t)freeze(a->vec[i].coeffs[8 * j + k]) << 11) +
|
t[k] = ((((uint32_t)freeze(a->vec[i].coeffs[8 * j + k]) << 11) +
|
||||||
KYBER_Q / 2) /
|
KYBER_Q / 2) /
|
||||||
KYBER_Q) &
|
KYBER_Q) &
|
||||||
0x7ff;
|
0x7ff;
|
||||||
|
}
|
||||||
|
|
||||||
r[11 * j + 0] = t[0] & 0xff;
|
r[11 * j + 0] = t[0] & 0xff;
|
||||||
r[11 * j + 1] = (t[0] >> 8) | ((t[1] & 0x1f) << 3);
|
r[11 * j + 1] = (t[0] >> 8) | ((t[1] & 0x1f) << 3);
|
||||||
@ -109,8 +110,9 @@ void polyvec_decompress(polyvec *r, const unsigned char *a) {
|
|||||||
**************************************************/
|
**************************************************/
|
||||||
void polyvec_tobytes(unsigned char *r, const polyvec *a) {
|
void polyvec_tobytes(unsigned char *r, const polyvec *a) {
|
||||||
int i;
|
int i;
|
||||||
for (i = 0; i < KYBER_K; i++)
|
for (i = 0; i < KYBER_K; i++) {
|
||||||
poly_tobytes(r + i * KYBER_POLYBYTES, &a->vec[i]);
|
poly_tobytes(r + i * KYBER_POLYBYTES, &a->vec[i]);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
@ -124,8 +126,9 @@ void polyvec_tobytes(unsigned char *r, const polyvec *a) {
|
|||||||
**************************************************/
|
**************************************************/
|
||||||
void polyvec_frombytes(polyvec *r, const unsigned char *a) {
|
void polyvec_frombytes(polyvec *r, const unsigned char *a) {
|
||||||
int i;
|
int i;
|
||||||
for (i = 0; i < KYBER_K; i++)
|
for (i = 0; i < KYBER_K; i++) {
|
||||||
poly_frombytes(&r->vec[i], a + i * KYBER_POLYBYTES);
|
poly_frombytes(&r->vec[i], a + i * KYBER_POLYBYTES);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
@ -137,8 +140,9 @@ void polyvec_frombytes(polyvec *r, const unsigned char *a) {
|
|||||||
**************************************************/
|
**************************************************/
|
||||||
void polyvec_ntt(polyvec *r) {
|
void polyvec_ntt(polyvec *r) {
|
||||||
int i;
|
int i;
|
||||||
for (i = 0; i < KYBER_K; i++)
|
for (i = 0; i < KYBER_K; i++) {
|
||||||
poly_ntt(&r->vec[i]);
|
poly_ntt(&r->vec[i]);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
@ -150,8 +154,9 @@ void polyvec_ntt(polyvec *r) {
|
|||||||
**************************************************/
|
**************************************************/
|
||||||
void polyvec_invntt(polyvec *r) {
|
void polyvec_invntt(polyvec *r) {
|
||||||
int i;
|
int i;
|
||||||
for (i = 0; i < KYBER_K; i++)
|
for (i = 0; i < KYBER_K; i++) {
|
||||||
poly_invntt(&r->vec[i]);
|
poly_invntt(&r->vec[i]);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/*************************************************
|
/*************************************************
|
||||||
@ -189,6 +194,7 @@ void polyvec_pointwise_acc(poly *r, const polyvec *a, const polyvec *b) {
|
|||||||
**************************************************/
|
**************************************************/
|
||||||
void polyvec_add(polyvec *r, const polyvec *a, const polyvec *b) {
|
void polyvec_add(polyvec *r, const polyvec *a, const polyvec *b) {
|
||||||
int i;
|
int i;
|
||||||
for (i = 0; i < KYBER_K; i++)
|
for (i = 0; i < KYBER_K; i++) {
|
||||||
poly_add(&r->vec[i], &a->vec[i], &b->vec[i]);
|
poly_add(&r->vec[i], &a->vec[i], &b->vec[i]);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
@ -17,8 +17,9 @@ int verify(const unsigned char *a, const unsigned char *b, size_t len) {
|
|||||||
size_t i;
|
size_t i;
|
||||||
r = 0;
|
r = 0;
|
||||||
|
|
||||||
for (i = 0; i < len; i++)
|
for (i = 0; i < len; i++) {
|
||||||
r |= a[i] ^ b[i];
|
r |= a[i] ^ b[i];
|
||||||
|
}
|
||||||
|
|
||||||
r = (-r) >> 63;
|
r = (-r) >> 63;
|
||||||
return r;
|
return r;
|
||||||
@ -42,6 +43,7 @@ void cmov(unsigned char *r, const unsigned char *x, size_t len,
|
|||||||
size_t i;
|
size_t i;
|
||||||
|
|
||||||
b = -b;
|
b = -b;
|
||||||
for (i = 0; i < len; i++)
|
for (i = 0; i < len; i++) {
|
||||||
r[i] ^= b & (x[i] ^ r[i]);
|
r[i] ^= b & (x[i] ^ r[i]);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
@ -12,11 +12,11 @@ static void write_canary(unsigned char *d) {
|
|||||||
*((uint64_t *)d) = 0x0123456789ABCDEF;
|
*((uint64_t *)d) = 0x0123456789ABCDEF;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int check_canary(unsigned char *d) {
|
static int check_canary(const unsigned char *d) {
|
||||||
if (*(uint64_t *)d != 0x0123456789ABCDEF)
|
if (*(uint64_t *)d != 0x0123456789ABCDEF) {
|
||||||
return -1;
|
return -1;
|
||||||
else
|
}
|
||||||
return 0;
|
{ return 0; }
|
||||||
}
|
}
|
||||||
|
|
||||||
static int test_keys(void) {
|
static int test_keys(void) {
|
||||||
@ -48,7 +48,7 @@ static int test_keys(void) {
|
|||||||
// Alice uses Bobs response to get her secret key
|
// Alice uses Bobs response to get her secret key
|
||||||
crypto_kem_dec(key_a + 8, sendb + 8, sk_a + 8);
|
crypto_kem_dec(key_a + 8, sendb + 8, sk_a + 8);
|
||||||
|
|
||||||
if (memcmp(key_a + 8, key_b + 8, CRYPTO_BYTES)) {
|
if (memcmp(key_a + 8, key_b + 8, CRYPTO_BYTES) != 0) {
|
||||||
printf("ERROR KEYS\n");
|
printf("ERROR KEYS\n");
|
||||||
} else if (check_canary(key_a) || check_canary(key_a + sizeof(key_a) - 8) ||
|
} else if (check_canary(key_a) || check_canary(key_a + sizeof(key_a) - 8) ||
|
||||||
check_canary(key_b) || check_canary(key_b + sizeof(key_b) - 8) ||
|
check_canary(key_b) || check_canary(key_b + sizeof(key_b) - 8) ||
|
||||||
|
Loading…
Reference in New Issue
Block a user