1
1
mirror of https://github.com/henrydcase/pqc.git synced 2024-12-02 12:21:23 +00:00
pqcrypto/crypto_sign/qtesla-p-I/clean/gauss.c
Sebastian 56a0fcb135 qTESLA (#239)
* Copied qTESLA-p-I round2 (2019-08-19) code

* Code compiles, NIST-KAT works

* Included detached signature API

* Generated testvectors

* Fixed name in api.h

* code style

* Fixed error in Makefile

* Passing pytest

* Fixing types (uint8_t bytes and size_t indices)

* Replaced SHAKE with SHAKE128 where necessary

* Fixed bug: (signed) integer overflow

* Added qTESLA-p-III

* Code is now independent of machine endianness

* repaired Microsoft makefile
2019-10-21 14:26:27 +02:00

45 lines
1.8 KiB
C

/*************************************************************************************
* qTESLA: an efficient post-quantum signature scheme based on the R-LWE problem
*
* Abstract: portable, constant-time Gaussian sampler
**************************************************************************************/
#include "api.h"
#include "CDT32.h"
#include "gauss.h"
#include "sp800-185.h"
#include <string.h>
void PQCLEAN_QTESLAPI_CLEAN_sample_gauss_poly(poly z, const uint8_t *seed, uint16_t nonce) {
uint16_t dmsp = (uint16_t)(nonce << 8);
int32_t samp[CHUNK_SIZE * CDT_COLS], c[CDT_COLS], borrow, sign;
const int32_t mask = (int32_t)((uint32_t)(-1) >> 1);
uint8_t buf[CHUNK_SIZE * CDT_COLS * sizeof(int32_t)];
for (size_t chunk = 0; chunk < PARAM_N; chunk += CHUNK_SIZE) {
uint8_t dmsp_bytes[2];
dmsp_bytes[0] = (uint8_t)(dmsp & 0xff);
dmsp_bytes[1] = (uint8_t)(dmsp >> 8);
cSHAKE(buf, CHUNK_SIZE * CDT_COLS * sizeof(int32_t), (uint8_t *)NULL, 0, dmsp_bytes, 2, seed, CRYPTO_RANDOMBYTES);
++dmsp;
for (size_t i = 0, j = 0; i < CHUNK_SIZE * CDT_COLS; i += 1, j += 4) {
samp[i] = (int32_t)(buf[j] | (buf[j + 1] << 8) | (buf[j + 2] << 16) | (buf[j + 3] << 24));
}
for (size_t i = 0; i < CHUNK_SIZE; i++) {
z[chunk + i] = 0;
for (size_t j = 1; j < CDT_ROWS; j++) {
borrow = 0;
for (size_t k = CDT_COLS; k > 0; ) {
k--;
c[k] = (samp[i * CDT_COLS + k] & mask) - (cdt_v[j * CDT_COLS + k] + borrow);
borrow = c[k] >> (RADIX32 - 1);
}
z[chunk + i] += ~borrow & 1;
}
sign = samp[i * CDT_COLS] >> (RADIX32 - 1);
z[chunk + i] = (sign & -z[chunk + i]) | (~sign & z[chunk + i]);
}
}
}