kris
/
pqcrypto
镜像来自 https://github.com/henrydcase/pqc.git
1
1
複製 0
程式碼 問題 1 版本發佈 2 Wiki 活動
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
568 提交
9 分支
121 MiB
 
 
 
目錄樹: 24566014fa
分支列表 標籤
${ item.name }
建立分支 ${ searchTerm }
從 '24566014fa'
${ noResults }
pqcrypto/crypto_kem/frodokem976aes/opt/matrix_aes.c

126 line
5.6 KiB
原始文件 Blame 歷史記錄 

  1. /********************************************************************************************

  2. * FrodoKEM: Learning with Errors Key Encapsulation

  3. *

  4. * Abstract: matrix arithmetic functions used by the KEM

  5. *********************************************************************************************/

  6. 

  7. #include <stdint.h>

  8. #include <string.h>

  9. 

  10. #include "aes.h"

  11. 

  12. #include "api.h"

  13. #include "common.h"

  14. #include "params.h"

  15. 

  16. int PQCLEAN_FRODOKEM976AES_OPT_mul_add_as_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A) {

  17.     // Generate-and-multiply: generate matrix A (N x N) row-wise, multiply by s on the right.

  18.     // Inputs: s, e (N x N_BAR)

  19.     // Output: out = A*s + e (N x N_BAR)

  20.     int k;

  21.     uint16_t i, j;

  22.     int16_t a_row[4 * PARAMS_N];

  23. 

  24.     for (i = 0; i < (PARAMS_N * PARAMS_NBAR); i += 2) {

  25.         *((uint32_t *)&out[i]) = *((uint32_t *)&e[i]);

  26.     }

  27. 

  28.     int16_t a_row_temp[4 * PARAMS_N] = {0};                     // Take four lines of A at once

  29.     aes128ctx ctx128;

  30. 

  31.     aes128_keyexp(&ctx128, seed_A);

  32. 

  33.     for (j = 0; j < PARAMS_N; j += PARAMS_STRIPE_STEP) {

  34.         a_row_temp[j + 1 + 0 * PARAMS_N] = PQCLEAN_FRODOKEM976AES_OPT_UINT16_TO_LE(j);     // Loading values in the little-endian order

  35.         a_row_temp[j + 1 + 1 * PARAMS_N] = PQCLEAN_FRODOKEM976AES_OPT_UINT16_TO_LE(j);

  36.         a_row_temp[j + 1 + 2 * PARAMS_N] = PQCLEAN_FRODOKEM976AES_OPT_UINT16_TO_LE(j);

  37.         a_row_temp[j + 1 + 3 * PARAMS_N] = PQCLEAN_FRODOKEM976AES_OPT_UINT16_TO_LE(j);

  38.     }

  39. 

  40.     for (i = 0; i < PARAMS_N; i += 4) {

  41.         for (j = 0; j < PARAMS_N; j += PARAMS_STRIPE_STEP) {    // Go through A, four rows at a time

  42.             a_row_temp[j + 0 * PARAMS_N] = PQCLEAN_FRODOKEM976AES_OPT_UINT16_TO_LE(i + 0); // Loading values in the little-endian order

  43.             a_row_temp[j + 1 * PARAMS_N] = PQCLEAN_FRODOKEM976AES_OPT_UINT16_TO_LE(i + 1);

  44.             a_row_temp[j + 2 * PARAMS_N] = PQCLEAN_FRODOKEM976AES_OPT_UINT16_TO_LE(i + 2);

  45.             a_row_temp[j + 3 * PARAMS_N] = PQCLEAN_FRODOKEM976AES_OPT_UINT16_TO_LE(i + 3);

  46.         }

  47.         aes128_ecb((uint8_t *)a_row, (uint8_t *)a_row_temp, 4 * PARAMS_N * sizeof(int16_t) / AES_BLOCKBYTES, &ctx128);

  48.         for (k = 0; k < 4 * PARAMS_N; k++) {

  49.             a_row[k] = PQCLEAN_FRODOKEM976AES_OPT_LE_TO_UINT16(a_row[k]);

  50.         }

  51.         for (k = 0; k < PARAMS_NBAR; k++) {

  52.             uint16_t sum[4] = {0};

  53.             for (j = 0; j < PARAMS_N; j++) {                    // Matrix-vector multiplication

  54.                 uint16_t sp = s[k * PARAMS_N + j];

  55.                 sum[0] += a_row[0 * PARAMS_N + j] * sp;         // Go through four lines with same s

  56.                 sum[1] += a_row[1 * PARAMS_N + j] * sp;

  57.                 sum[2] += a_row[2 * PARAMS_N + j] * sp;

  58.                 sum[3] += a_row[3 * PARAMS_N + j] * sp;

  59.             }

  60.             out[(i + 0)*PARAMS_NBAR + k] += sum[0];

  61.             out[(i + 2)*PARAMS_NBAR + k] += sum[2];

  62.             out[(i + 1)*PARAMS_NBAR + k] += sum[1];

  63.             out[(i + 3)*PARAMS_NBAR + k] += sum[3];

  64.         }

  65.     }

  66.     return 1;

  67. }

  68. 

  69. 

  70. 

  71. 

  72. int PQCLEAN_FRODOKEM976AES_OPT_mul_add_sa_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A) {

  73.     // Generate-and-multiply: generate matrix A (N x N) column-wise, multiply by s' on the left.

  74.     // Inputs: s', e' (N_BAR x N)

  75.     // Output: out = s'*A + e' (N_BAR x N)

  76.     int j;

  77.     uint16_t i, kk;

  78.     for (i = 0; i < (PARAMS_N * PARAMS_NBAR); i += 2) {

  79.         *((uint32_t *)&out[i]) = *((uint32_t *)&e[i]);

  80.     }

  81. 

  82.     int k;

  83.     uint16_t a_cols[PARAMS_N * PARAMS_STRIPE_STEP] = {0};

  84.     uint16_t a_cols_t[PARAMS_N * PARAMS_STRIPE_STEP];

  85.     uint16_t a_cols_temp[PARAMS_N * PARAMS_STRIPE_STEP] = {0};

  86.     aes128ctx ctx128;

  87. 

  88.     aes128_keyexp(&ctx128, seed_A);

  89. 

  90.     for (i = 0, j = 0; i < PARAMS_N; i++, j += PARAMS_STRIPE_STEP) {

  91.         a_cols_temp[j] = PQCLEAN_FRODOKEM976AES_OPT_UINT16_TO_LE(i);                       // Loading values in the little-endian order

  92.     }

  93. 

  94.     for (kk = 0; kk < PARAMS_N; kk += PARAMS_STRIPE_STEP) {     // Go through A's columns, 8 (== PARAMS_STRIPE_STEP) columns at a time.

  95.         for (i = 0; i < (PARAMS_N * PARAMS_STRIPE_STEP); i += PARAMS_STRIPE_STEP) {

  96.             a_cols_temp[i + 1] = PQCLEAN_FRODOKEM976AES_OPT_UINT16_TO_LE(kk);              // Loading values in the little-endian order

  97.         }

  98. 

  99.         aes128_ecb((uint8_t *)a_cols, (uint8_t *)a_cols_temp, PARAMS_N * PARAMS_STRIPE_STEP * sizeof(int16_t) / AES_BLOCKBYTES, &ctx128);

  100. 

  101.         for (i = 0; i < PARAMS_N; i++) {                        // Transpose a_cols to have access to it in the column-major order.

  102.             for (k = 0; k < PARAMS_STRIPE_STEP; k++) {

  103.                 a_cols_t[k * PARAMS_N + i] = PQCLEAN_FRODOKEM976AES_OPT_LE_TO_UINT16(a_cols[i * PARAMS_STRIPE_STEP + k]);

  104.             }

  105.         }

  106. 

  107.         for (i = 0; i < PARAMS_NBAR; i++) {

  108.             for (k = 0; k < PARAMS_STRIPE_STEP; k += PARAMS_PARALLEL) {

  109.                 uint16_t sum[PARAMS_PARALLEL] = {0};

  110.                 for (j = 0; j < PARAMS_N; j++) {                // Matrix-vector multiplication

  111.                     uint16_t sp = s[i * PARAMS_N + j];

  112.                     sum[0] += sp * a_cols_t[(k + 0) * PARAMS_N + j];

  113.                     sum[1] += sp * a_cols_t[(k + 1) * PARAMS_N + j];

  114.                     sum[2] += sp * a_cols_t[(k + 2) * PARAMS_N + j];

  115.                     sum[3] += sp * a_cols_t[(k + 3) * PARAMS_N + j];

  116.                 }

  117.                 out[i * PARAMS_N + kk + k + 0] += sum[0];

  118.                 out[i * PARAMS_N + kk + k + 2] += sum[2];

  119.                 out[i * PARAMS_N + kk + k + 1] += sum[1];

  120.                 out[i * PARAMS_N + kk + k + 3] += sum[3];

  121.             }

  122.         }

  123.     }

  124.     return 1;

  125. }