kris
/
pqcrypto
зеркало из https://github.com/henrydcase/pqc.git
1
1
Форкнуть 0
Код Задачи 1 Релизы 2 Вики Активность
Вы не можете выбрать более 25 тем Темы должны начинаться с буквы или цифры, могут содержать дефисы(-) и должны содержать не более 35 символов.
728 коммитов
9 Ветки
121 MiB
 
 
 
Дерево: aa46b5239d
Ветки Теги
${ item.name }
Создать ветку ${ searchTerm }
из 'aa46b5239d'
${ noResults }
pqcrypto/crypto_sign/dilithium3/clean/poly.c

738 строки
28 KiB
Исходник Вина История 

  1. #include "ntt.h"

  2. #include "params.h"

  3. #include "poly.h"

  4. #include "reduce.h"

  5. #include "rounding.h"

  6. #include "symmetric.h"

  7. #include <stdint.h>

  8. 

  9. 

  10. /*************************************************

  11. * Name:        PQCLEAN_DILITHIUM3_CLEAN_poly_reduce

  12. *

  13. * Description: Reduce all coefficients of input polynomial to representative

  14. *              in [0,2*Q[.

  15. *

  16. * Arguments:   - poly *a: pointer to input/output polynomial

  17. **************************************************/

  18. void PQCLEAN_DILITHIUM3_CLEAN_poly_reduce(poly *a) {

  19.     unsigned int i;

  20.     for (i = 0; i < N; ++i) {

  21.         a->coeffs[i] = PQCLEAN_DILITHIUM3_CLEAN_reduce32(a->coeffs[i]);

  22.     }

  23. }

  24. 

  25. /*************************************************

  26. * Name:        PQCLEAN_DILITHIUM3_CLEAN_poly_csubq

  27. *

  28. * Description: For all coefficients of input polynomial subtract Q if

  29. *              coefficient is bigger than Q.

  30. *

  31. * Arguments:   - poly *a: pointer to input/output polynomial

  32. **************************************************/

  33. void PQCLEAN_DILITHIUM3_CLEAN_poly_csubq(poly *a) {

  34.     unsigned int i;

  35.     for (i = 0; i < N; ++i) {

  36.         a->coeffs[i] = PQCLEAN_DILITHIUM3_CLEAN_csubq(a->coeffs[i]);

  37.     }

  38. }

  39. 

  40. /*************************************************

  41. * Name:        PQCLEAN_DILITHIUM3_CLEAN_poly_freeze

  42. *

  43. * Description: Reduce all coefficients of the polynomial to standard

  44. *              representatives.

  45. *

  46. * Arguments:   - poly *a: pointer to input/output polynomial

  47. **************************************************/

  48. void PQCLEAN_DILITHIUM3_CLEAN_poly_freeze(poly *a) {

  49.     unsigned int i;

  50.     for (i = 0; i < N; ++i) {

  51.         a->coeffs[i] = PQCLEAN_DILITHIUM3_CLEAN_freeze(a->coeffs[i]);

  52.     }

  53. }

  54. 

  55. /*************************************************

  56. * Name:        PQCLEAN_DILITHIUM3_CLEAN_poly_add

  57. *

  58. * Description: Add polynomials. No modular reduction is performed.

  59. *

  60. * Arguments:   - poly *c: pointer to output polynomial

  61. *              - const poly *a: pointer to first summand

  62. *              - const poly *b: pointer to second summand

  63. **************************************************/

  64. void PQCLEAN_DILITHIUM3_CLEAN_poly_add(poly *c, const poly *a, const poly *b)  {

  65.     unsigned int i;

  66.     for (i = 0; i < N; ++i) {

  67.         c->coeffs[i] = a->coeffs[i] + b->coeffs[i];

  68.     }

  69. }

  70. 

  71. /*************************************************

  72. * Name:        PQCLEAN_DILITHIUM3_CLEAN_poly_sub

  73. *

  74. * Description: Subtract polynomials. Assumes coefficients of second input

  75. *              polynomial to be less than 2*Q. No modular reduction is

  76. *              performed.

  77. *

  78. * Arguments:   - poly *c: pointer to output polynomial

  79. *              - const poly *a: pointer to first input polynomial

  80. *              - const poly *b: pointer to second input polynomial to be

  81. *                               subtraced from first input polynomial

  82. **************************************************/

  83. void PQCLEAN_DILITHIUM3_CLEAN_poly_sub(poly *c, const poly *a, const poly *b) {

  84.     unsigned int i;

  85.     for (i = 0; i < N; ++i) {

  86.         c->coeffs[i] = a->coeffs[i] + 2 * Q - b->coeffs[i];

  87.     }

  88. }

  89. 

  90. /*************************************************

  91. * Name:        PQCLEAN_DILITHIUM3_CLEAN_poly_shiftl

  92. *

  93. * Description: Multiply polynomial by 2^D without modular reduction. Assumes

  94. *              input coefficients to be less than 2^{32-D}.

  95. *

  96. * Arguments:   - poly *a: pointer to input/output polynomial

  97. **************************************************/

  98. void PQCLEAN_DILITHIUM3_CLEAN_poly_shiftl(poly *a) {

  99.     unsigned int i;

  100.     for (i = 0; i < N; ++i) {

  101.         a->coeffs[i] <<= D;

  102.     }

  103. }

  104. 

  105. /*************************************************

  106. * Name:        PQCLEAN_DILITHIUM3_CLEAN_poly_ntt

  107. *

  108. * Description: Forward NTT. Output coefficients can be up to 16*Q larger than

  109. *              input coefficients.

  110. *

  111. * Arguments:   - poly *a: pointer to input/output polynomial

  112. **************************************************/

  113. void PQCLEAN_DILITHIUM3_CLEAN_poly_ntt(poly *a) {

  114.     PQCLEAN_DILITHIUM3_CLEAN_ntt(a->coeffs);

  115. }

  116. 

  117. /*************************************************

  118. * Name:        PQCLEAN_DILITHIUM3_CLEAN_poly_invntt_montgomery

  119. *

  120. * Description: Inverse NTT and multiplication with 2^{32}. Input coefficients

  121. *              need to be less than 2*Q. Output coefficients are less than 2*Q.

  122. *

  123. * Arguments:   - poly *a: pointer to input/output polynomial

  124. **************************************************/

  125. void PQCLEAN_DILITHIUM3_CLEAN_poly_invntt_montgomery(poly *a) {

  126.     PQCLEAN_DILITHIUM3_CLEAN_invntt_frominvmont(a->coeffs);

  127. }

  128. 

  129. /*************************************************

  130. * Name:        PQCLEAN_DILITHIUM3_CLEAN_poly_pointwise_invmontgomery

  131. *

  132. * Description: Pointwise multiplication of polynomials in NTT domain

  133. *              representation and multiplication of resulting polynomial

  134. *              with 2^{-32}. Output coefficients are less than 2*Q if input

  135. *              coefficient are less than 22*Q.

  136. *

  137. * Arguments:   - poly *c: pointer to output polynomial

  138. *              - const poly *a: pointer to first input polynomial

  139. *              - const poly *b: pointer to second input polynomial

  140. **************************************************/

  141. void PQCLEAN_DILITHIUM3_CLEAN_poly_pointwise_invmontgomery(poly *c, const poly *a, const poly *b) {

  142.     unsigned int i;

  143. 

  144.     for (i = 0; i < N; ++i) {

  145.         c->coeffs[i] = PQCLEAN_DILITHIUM3_CLEAN_montgomery_reduce((uint64_t)a->coeffs[i] * b->coeffs[i]);

  146.     }

  147. 

  148. }

  149. 

  150. /*************************************************

  151. * Name:        PQCLEAN_DILITHIUM3_CLEAN_poly_power2round

  152. *

  153. * Description: For all coefficients c of the input polynomial,

  154. *              compute c0, c1 such that c mod Q = c1*2^D + c0

  155. *              with -2^{D-1} < c0 <= 2^{D-1}. Assumes coefficients to be

  156. *              standard representatives.

  157. *

  158. * Arguments:   - poly *a1: pointer to output polynomial with coefficients c1

  159. *              - poly *a0: pointer to output polynomial with coefficients Q + a0

  160. *              - const poly *v: pointer to input polynomial

  161. **************************************************/

  162. void PQCLEAN_DILITHIUM3_CLEAN_poly_power2round(poly *a1, poly *a0, const poly *a) {

  163.     unsigned int i;

  164. 

  165.     for (i = 0; i < N; ++i) {

  166.         a1->coeffs[i] = PQCLEAN_DILITHIUM3_CLEAN_power2round(a->coeffs[i], &a0->coeffs[i]);

  167.     }

  168. 

  169. }

  170. 

  171. /*************************************************

  172. * Name:        PQCLEAN_DILITHIUM3_CLEAN_poly_decompose

  173. *

  174. * Description: For all coefficients c of the input polynomial,

  175. *              compute high and low bits c0, c1 such c mod Q = c1*ALPHA + c0

  176. *              with -ALPHA/2 < c0 <= ALPHA/2 except c1 = (Q-1)/ALPHA where we

  177. *              set c1 = 0 and -ALPHA/2 <= c0 = c mod Q - Q < 0.

  178. *              Assumes coefficients to be standard representatives.

  179. *

  180. * Arguments:   - poly *a1: pointer to output polynomial with coefficients c1

  181. *              - poly *a0: pointer to output polynomial with coefficients Q + a0

  182. *              - const poly *c: pointer to input polynomial

  183. **************************************************/

  184. void PQCLEAN_DILITHIUM3_CLEAN_poly_decompose(poly *a1, poly *a0, const poly *a) {

  185.     unsigned int i;

  186. 

  187.     for (i = 0; i < N; ++i) {

  188.         a1->coeffs[i] = PQCLEAN_DILITHIUM3_CLEAN_decompose(a->coeffs[i], &a0->coeffs[i]);

  189.     }

  190. 

  191. }

  192. 

  193. /*************************************************

  194. * Name:        PQCLEAN_DILITHIUM3_CLEAN_poly_make_hint

  195. *

  196. * Description: Compute hint polynomial. The coefficients of which indicate

  197. *              whether the low bits of the corresponding coefficient of

  198. *              the input polynomial overflow into the high bits.

  199. *

  200. * Arguments:   - poly *h: pointer to output hint polynomial

  201. *              - const poly *a0: pointer to low part of input polynomial

  202. *              - const poly *a1: pointer to high part of input polynomial

  203. *

  204. * Returns number of 1 bits.

  205. **************************************************/

  206. unsigned int PQCLEAN_DILITHIUM3_CLEAN_poly_make_hint(poly *h, const poly *a0, const poly *a1) {

  207.     unsigned int i, s = 0;

  208. 

  209.     for (i = 0; i < N; ++i) {

  210.         h->coeffs[i] = PQCLEAN_DILITHIUM3_CLEAN_make_hint(a0->coeffs[i], a1->coeffs[i]);

  211.         s += h->coeffs[i];

  212.     }

  213. 

  214.     return s;

  215. }

  216. 

  217. /*************************************************

  218. * Name:        PQCLEAN_DILITHIUM3_CLEAN_poly_use_hint

  219. *

  220. * Description: Use hint polynomial to correct the high bits of a polynomial.

  221. *

  222. * Arguments:   - poly *a: pointer to output polynomial with corrected high bits

  223. *              - const poly *b: pointer to input polynomial

  224. *              - const poly *h: pointer to input hint polynomial

  225. **************************************************/

  226. void PQCLEAN_DILITHIUM3_CLEAN_poly_use_hint(poly *a, const poly *b, const poly *h) {

  227.     unsigned int i;

  228. 

  229.     for (i = 0; i < N; ++i) {

  230.         a->coeffs[i] = PQCLEAN_DILITHIUM3_CLEAN_use_hint(b->coeffs[i], h->coeffs[i]);

  231.     }

  232. 

  233. }

  234. 

  235. /*************************************************

  236. * Name:        PQCLEAN_DILITHIUM3_CLEAN_poly_chknorm

  237. *

  238. * Description: Check infinity norm of polynomial against given bound.

  239. *              Assumes input coefficients to be standard representatives.

  240. *

  241. * Arguments:   - const poly *a: pointer to polynomial

  242. *              - uint32_t B: norm bound

  243. *

  244. * Returns 0 if norm is strictly smaller than B and 1 otherwise.

  245. **************************************************/

  246. int PQCLEAN_DILITHIUM3_CLEAN_poly_chknorm(const poly *a, uint32_t B) {

  247.     unsigned int i;

  248.     int32_t t;

  249. 

  250.     /* It is ok to leak which coefficient violates the bound since

  251.        the probability for each coefficient is independent of secret

  252.        data but we must not leak the sign of the centralized representative. */

  253.     for (i = 0; i < N; ++i) {

  254.         /* Absolute value of centralized representative */

  255.         t = (int32_t) ((Q - 1) / 2 - a->coeffs[i]);

  256.         t ^= (t >> 31);

  257.         t = (Q - 1) / 2 - t;

  258. 

  259.         if ((uint32_t)t >= B) {

  260.             return 1;

  261.         }

  262.     }

  263. 

  264.     return 0;

  265. }

  266. 

  267. /*************************************************

  268. * Name:        rej_uniform

  269. *

  270. * Description: Sample uniformly random coefficients in [0, Q-1] by

  271. *              performing rejection sampling using array of random bytes.

  272. *

  273. * Arguments:   - uint32_t *a: pointer to output array (allocated)

  274. *              - unsigned int len: number of coefficients to be sampled

  275. *              - const unsigned char *buf: array of random bytes

  276. *              - unsigned int buflen: length of array of random bytes

  277. *

  278. * Returns number of sampled coefficients. Can be smaller than len if not enough

  279. * random bytes were given.

  280. **************************************************/

  281. static unsigned int rej_uniform(uint32_t *a,

  282.                                 unsigned int len,

  283.                                 const unsigned char *buf,

  284.                                 unsigned int buflen) {

  285.     unsigned int ctr, pos;

  286.     uint32_t t;

  287. 

  288.     ctr = pos = 0;

  289.     while (ctr < len && pos + 3 <= buflen) {

  290.         t  = buf[pos++];

  291.         t |= (uint32_t)buf[pos++] << 8;

  292.         t |= (uint32_t)buf[pos++] << 16;

  293.         t &= 0x7FFFFF;

  294. 

  295.         if (t < Q) {

  296.             a[ctr++] = t;

  297.         }

  298.     }

  299. 

  300.     return ctr;

  301. }

  302. 

  303. /*************************************************

  304. * Name:        PQCLEAN_DILITHIUM3_CLEAN_poly_uniform

  305. *

  306. * Description: Sample polynomial with uniformly random coefficients

  307. *              in [0,Q-1] by performing rejection sampling using the

  308. *              output stream from SHAKE256(seed|nonce).

  309. *

  310. * Arguments:   - poly *a: pointer to output polynomial

  311. *              - const unsigned char seed[]: byte array with seed of length

  312. *                                            SEEDBYTES

  313. *              - uint16_t nonce: 2-byte nonce

  314. **************************************************/

  315. #define POLY_UNIFORM_NBLOCKS ((769 + STREAM128_BLOCKBYTES)/STREAM128_BLOCKBYTES)

  316. #define POLY_UNIFORM_BUFLEN  (POLY_UNIFORM_NBLOCKS * STREAM128_BLOCKBYTES)

  317. void PQCLEAN_DILITHIUM3_CLEAN_poly_uniform(poly *a,

  318.         const unsigned char seed[SEEDBYTES],

  319.         uint16_t nonce) {

  320.     unsigned int i, ctr, off;

  321.     unsigned int buflen = POLY_UNIFORM_BUFLEN;

  322.     unsigned char buf[POLY_UNIFORM_BUFLEN + 2];

  323.     shake128ctx state;

  324. 

  325.     stream128_init(&state, seed, nonce);

  326.     stream128_squeezeblocks(buf, POLY_UNIFORM_NBLOCKS, &state);

  327. 

  328.     ctr = rej_uniform(a->coeffs, N, buf, buflen);

  329. 

  330.     while (ctr < N) {

  331.         off = buflen % 3;

  332.         for (i = 0; i < off; ++i) {

  333.             buf[i] = buf[buflen - off + i];

  334.         }

  335. 

  336.         buflen = STREAM128_BLOCKBYTES + off;

  337.         stream128_squeezeblocks(buf + off, 1, &state);

  338.         ctr += rej_uniform(a->coeffs + ctr, N - ctr, buf, buflen);

  339.     }

  340. }

  341. 

  342. /*************************************************

  343. * Name:        rej_eta

  344. *

  345. * Description: Sample uniformly random coefficients in [-ETA, ETA] by

  346. *              performing rejection sampling using array of random bytes.

  347. *

  348. * Arguments:   - uint32_t *a: pointer to output array (allocated)

  349. *              - unsigned int len: number of coefficients to be sampled

  350. *              - const unsigned char *buf: array of random bytes

  351. *              - unsigned int buflen: length of array of random bytes

  352. *

  353. * Returns number of sampled coefficients. Can be smaller than len if not enough

  354. * random bytes were given.

  355. **************************************************/

  356. static unsigned int rej_eta(uint32_t *a,

  357.                             unsigned int len,

  358.                             const unsigned char *buf,

  359.                             unsigned int buflen) {

  360.     unsigned int ctr, pos;

  361.     uint32_t t0, t1;

  362. 

  363.     ctr = pos = 0;

  364.     while (ctr < len && pos < buflen) {

  365.         t0 = buf[pos] & 0x0F;

  366.         t1 = buf[pos++] >> 4;

  367. 

  368.         if (t0 <= 2 * ETA) {

  369.             a[ctr++] = Q + ETA - t0;

  370.         }

  371.         if (t1 <= 2 * ETA && ctr < len) {

  372.             a[ctr++] = Q + ETA - t1;

  373.         }

  374.     }

  375. 

  376.     return ctr;

  377. }

  378. 

  379. /*************************************************

  380. * Name:        PQCLEAN_DILITHIUM3_CLEAN_poly_uniform_eta

  381. *

  382. * Description: Sample polynomial with uniformly random coefficients

  383. *              in [-ETA,ETA] by performing rejection sampling using the

  384. *              output stream from SHAKE256(seed|nonce).

  385. *

  386. * Arguments:   - poly *a: pointer to output polynomial

  387. *              - const unsigned char seed[]: byte array with seed of length

  388. *                                            SEEDBYTES

  389. *              - uint16_t nonce: 2-byte nonce

  390. **************************************************/

  391. #define POLY_UNIFORM_ETA_NBLOCKS (((N/2 * (1U << SETABITS)) / (2*ETA + 1)\

  392.                                    + STREAM128_BLOCKBYTES) / STREAM128_BLOCKBYTES)

  393. #define POLY_UNIFORM_ETA_BUFLEN (POLY_UNIFORM_ETA_NBLOCKS*STREAM128_BLOCKBYTES)

  394. void PQCLEAN_DILITHIUM3_CLEAN_poly_uniform_eta(poly *a,

  395.         const unsigned char seed[SEEDBYTES],

  396.         uint16_t nonce) {

  397.     unsigned int ctr;

  398.     unsigned char buf[POLY_UNIFORM_ETA_BUFLEN];

  399.     shake128ctx state;

  400. 

  401.     stream128_init(&state, seed, nonce);

  402.     stream128_squeezeblocks(buf, POLY_UNIFORM_ETA_NBLOCKS, &state);

  403. 

  404.     ctr = rej_eta(a->coeffs, N, buf, POLY_UNIFORM_ETA_BUFLEN);

  405. 

  406.     while (ctr < N) {

  407.         stream128_squeezeblocks(buf, 1, &state);

  408.         ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM128_BLOCKBYTES);

  409.     }

  410. }

  411. 

  412. /*************************************************

  413. * Name:        rej_gamma1m1

  414. *

  415. * Description: Sample uniformly random coefficients

  416. *              in [-(GAMMA1 - 1), GAMMA1 - 1] by performing rejection sampling

  417. *              using array of random bytes.

  418. *

  419. * Arguments:   - uint32_t *a: pointer to output array (allocated)

  420. *              - unsigned int len: number of coefficients to be sampled

  421. *              - const unsigned char *buf: array of random bytes

  422. *              - unsigned int buflen: length of array of random bytes

  423. *

  424. * Returns number of sampled coefficients. Can be smaller than len if not enough

  425. * random bytes were given.

  426. **************************************************/

  427. static unsigned int rej_gamma1m1(uint32_t *a,

  428.                                  unsigned int len,

  429.                                  const unsigned char *buf,

  430.                                  unsigned int buflen) {

  431.     unsigned int ctr, pos;

  432.     uint32_t t0, t1;

  433. 

  434.     ctr = pos = 0;

  435.     while (ctr < len && pos + 5 <= buflen) {

  436.         t0  = buf[pos];

  437.         t0 |= (uint32_t)buf[pos + 1] << 8;

  438.         t0 |= (uint32_t)buf[pos + 2] << 16;

  439.         t0 &= 0xFFFFF;

  440. 

  441.         t1  = buf[pos + 2] >> 4;

  442.         t1 |= (uint32_t)buf[pos + 3] << 4;

  443.         t1 |= (uint32_t)buf[pos + 4] << 12;

  444. 

  445.         pos += 5;

  446. 

  447.         if (t0 <= 2 * GAMMA1 - 2) {

  448.             a[ctr++] = Q + GAMMA1 - 1 - t0;

  449.         }

  450.         if (t1 <= 2 * GAMMA1 - 2 && ctr < len) {

  451.             a[ctr++] = Q + GAMMA1 - 1 - t1;

  452.         }

  453.     }

  454. 

  455.     return ctr;

  456. }

  457. 

  458. /*************************************************

  459. * Name:        PQCLEAN_DILITHIUM3_CLEAN_poly_uniform_gamma1m1

  460. *

  461. * Description: Sample polynomial with uniformly random coefficients

  462. *              in [-(GAMMA1 - 1), GAMMA1 - 1] by performing rejection

  463. *              sampling on output stream of SHAKE256(seed|nonce).

  464. *

  465. * Arguments:   - poly *a: pointer to output polynomial

  466. *              - const unsigned char seed[]: byte array with seed of length

  467. *                                            CRHBYTES

  468. *              - uint16_t nonce: 16-bit nonce

  469. **************************************************/

  470. #define POLY_UNIFORM_GAMMA1M1_NBLOCKS ((641 + STREAM256_BLOCKBYTES) / STREAM256_BLOCKBYTES)

  471. #define POLY_UNIFORM_GAMMA1M1_BUFLEN (POLY_UNIFORM_GAMMA1M1_NBLOCKS * STREAM256_BLOCKBYTES)

  472. void PQCLEAN_DILITHIUM3_CLEAN_poly_uniform_gamma1m1(poly *a,

  473.         const unsigned char seed[CRHBYTES],

  474.         uint16_t nonce) {

  475.     unsigned int i, ctr, off;

  476.     unsigned int buflen = POLY_UNIFORM_GAMMA1M1_BUFLEN;

  477.     unsigned char buf[POLY_UNIFORM_GAMMA1M1_BUFLEN + 4];

  478.     shake256ctx state;

  479. 

  480.     stream256_init(&state, seed, nonce);

  481.     stream256_squeezeblocks(buf, POLY_UNIFORM_GAMMA1M1_NBLOCKS, &state);

  482. 

  483.     ctr = rej_gamma1m1(a->coeffs, N, buf, buflen);

  484. 

  485.     while (ctr < N) {

  486.         off = buflen % 5;

  487.         for (i = 0; i < off; ++i) {

  488.             buf[i] = buf[buflen - off + i];

  489.         }

  490. 

  491.         buflen = STREAM256_BLOCKBYTES + off;

  492.         stream256_squeezeblocks(buf + off, 1, &state);

  493.         ctr += rej_gamma1m1(a->coeffs + ctr, N - ctr, buf, buflen);

  494.     }

  495. }

  496. 

  497. /*************************************************

  498. * Name:        PQCLEAN_DILITHIUM3_CLEAN_polyeta_pack

  499. *

  500. * Description: Bit-pack polynomial with coefficients in [-ETA,ETA].

  501. *              Input coefficients are assumed to lie in [Q-ETA,Q+ETA].

  502. *

  503. * Arguments:   - unsigned char *r: pointer to output byte array with at least

  504. *                                  POLETA_SIZE_PACKED bytes

  505. *              - const poly *a: pointer to input polynomial

  506. **************************************************/

  507. void PQCLEAN_DILITHIUM3_CLEAN_polyeta_pack(unsigned char *r, const poly *a) {

  508.     unsigned int i;

  509.     unsigned char t[8];

  510. 

  511.     for (i = 0; i < N / 2; ++i) {

  512.         t[0] = (uint8_t) (Q + ETA - a->coeffs[2 * i + 0]);

  513.         t[1] = (uint8_t) (Q + ETA - a->coeffs[2 * i + 1]);

  514.         r[i] = (uint8_t) (t[0] | (t[1] << 4));

  515.     }

  516. }

  517. 

  518. /*************************************************

  519. * Name:        PQCLEAN_DILITHIUM3_CLEAN_polyeta_unpack

  520. *

  521. * Description: Unpack polynomial with coefficients in [-ETA,ETA].

  522. *              Output coefficients lie in [Q-ETA,Q+ETA].

  523. *

  524. * Arguments:   - poly *r: pointer to output polynomial

  525. *              - const unsigned char *a: byte array with bit-packed polynomial

  526. **************************************************/

  527. void PQCLEAN_DILITHIUM3_CLEAN_polyeta_unpack(poly *r, const unsigned char *a) {

  528.     unsigned int i;

  529.     for (i = 0; i < N / 2; ++i) {

  530.         r->coeffs[2 * i + 0] = a[i] & 0x0F;

  531.         r->coeffs[2 * i + 1] = a[i] >> 4;

  532.         r->coeffs[2 * i + 0] = Q + ETA - r->coeffs[2 * i + 0];

  533.         r->coeffs[2 * i + 1] = Q + ETA - r->coeffs[2 * i + 1];

  534.     }

  535. }

  536. 

  537. /*************************************************

  538. * Name:        polyt1_pack

  539. *

  540. * Description: Bit-pack polynomial t1 with coefficients fitting in 9 bits.

  541. *              Input coefficients are assumed to be standard representatives.

  542. *

  543. * Arguments:   - unsigned char *r: pointer to output byte array with at least

  544. *                                  POLT1_SIZE_PACKED bytes

  545. *              - const poly *a: pointer to input polynomial

  546. **************************************************/

  547. void PQCLEAN_DILITHIUM3_CLEAN_polyt1_pack(unsigned char *r, const poly *a) {

  548.     unsigned int i;

  549. 

  550.     for (i = 0; i < N / 8; ++i) {

  551.         r[9 * i + 0]  = (uint8_t) ((a->coeffs[8 * i + 0] >> 0));

  552.         r[9 * i + 1]  = (uint8_t) ((a->coeffs[8 * i + 0] >> 8) | (a->coeffs[8 * i + 1] << 1));

  553.         r[9 * i + 2]  = (uint8_t) ((a->coeffs[8 * i + 1] >> 7) | (a->coeffs[8 * i + 2] << 2));

  554.         r[9 * i + 3]  = (uint8_t) ((a->coeffs[8 * i + 2] >> 6) | (a->coeffs[8 * i + 3] << 3));

  555.         r[9 * i + 4]  = (uint8_t) ((a->coeffs[8 * i + 3] >> 5) | (a->coeffs[8 * i + 4] << 4));

  556.         r[9 * i + 5]  = (uint8_t) ((a->coeffs[8 * i + 4] >> 4) | (a->coeffs[8 * i + 5] << 5));

  557.         r[9 * i + 6]  = (uint8_t) ((a->coeffs[8 * i + 5] >> 3) | (a->coeffs[8 * i + 6] << 6));

  558.         r[9 * i + 7]  = (uint8_t) ((a->coeffs[8 * i + 6] >> 2) | (a->coeffs[8 * i + 7] << 7));

  559.         r[9 * i + 8]  = (uint8_t) ((a->coeffs[8 * i + 7] >> 1));

  560.     }

  561. 

  562. }

  563. 

  564. /*************************************************

  565. * Name:        polyt1_unpack

  566. *

  567. * Description: Unpack polynomial t1 with 9-bit coefficients.

  568. *              Output coefficients are standard representatives.

  569. *

  570. * Arguments:   - poly *r: pointer to output polynomial

  571. *              - const unsigned char *a: byte array with bit-packed polynomial

  572. **************************************************/

  573. void PQCLEAN_DILITHIUM3_CLEAN_polyt1_unpack(poly *r, const unsigned char *a) {

  574.     unsigned int i;

  575. 

  576.     for (i = 0; i < N / 8; ++i) {

  577.         r->coeffs[8 * i + 0] = ((a[9 * i + 0]     ) | ((uint32_t)a[9 * i + 1] << 8)) & 0x1FF;

  578.         r->coeffs[8 * i + 1] = ((a[9 * i + 1] >> 1) | ((uint32_t)a[9 * i + 2] << 7)) & 0x1FF;

  579.         r->coeffs[8 * i + 2] = ((a[9 * i + 2] >> 2) | ((uint32_t)a[9 * i + 3] << 6)) & 0x1FF;

  580.         r->coeffs[8 * i + 3] = ((a[9 * i + 3] >> 3) | ((uint32_t)a[9 * i + 4] << 5)) & 0x1FF;

  581.         r->coeffs[8 * i + 4] = ((a[9 * i + 4] >> 4) | ((uint32_t)a[9 * i + 5] << 4)) & 0x1FF;

  582.         r->coeffs[8 * i + 5] = ((a[9 * i + 5] >> 5) | ((uint32_t)a[9 * i + 6] << 3)) & 0x1FF;

  583.         r->coeffs[8 * i + 6] = ((a[9 * i + 6] >> 6) | ((uint32_t)a[9 * i + 7] << 2)) & 0x1FF;

  584.         r->coeffs[8 * i + 7] = ((a[9 * i + 7] >> 7) | ((uint32_t)a[9 * i + 8] << 1)) & 0x1FF;

  585.     }

  586. 

  587. }

  588. 

  589. /*************************************************

  590. * Name:        PQCLEAN_DILITHIUM3_CLEAN_polyt0_pack

  591. *

  592. * Description: Bit-pack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}].

  593. *              Input coefficients are assumed to lie in ]Q-2^{D-1}, Q+2^{D-1}].

  594. *

  595. * Arguments:   - unsigned char *r: pointer to output byte array with at least

  596. *                                  POLT0_SIZE_PACKED bytes

  597. *              - const poly *a: pointer to input polynomial

  598. **************************************************/

  599. void PQCLEAN_DILITHIUM3_CLEAN_polyt0_pack(unsigned char *r, const poly *a) {

  600.     unsigned int i;

  601.     uint32_t t[4];

  602. 

  603.     for (i = 0; i < N / 4; ++i) {

  604.         t[0] = Q + (1U << (D - 1)) - a->coeffs[4 * i + 0];

  605.         t[1] = Q + (1U << (D - 1)) - a->coeffs[4 * i + 1];

  606.         t[2] = Q + (1U << (D - 1)) - a->coeffs[4 * i + 2];

  607.         t[3] = Q + (1U << (D - 1)) - a->coeffs[4 * i + 3];

  608. 

  609.         r[7 * i + 0]  = (uint8_t) (t[0]);

  610.         r[7 * i + 1]  = (uint8_t) (t[0] >> 8);

  611.         r[7 * i + 1] |= (uint8_t) (t[1] << 6);

  612.         r[7 * i + 2]  = (uint8_t) (t[1] >> 2);

  613.         r[7 * i + 3]  = (uint8_t) (t[1] >> 10);

  614.         r[7 * i + 3] |= (uint8_t) (t[2] << 4);

  615.         r[7 * i + 4]  = (uint8_t) (t[2] >> 4);

  616.         r[7 * i + 5]  = (uint8_t) (t[2] >> 12);

  617.         r[7 * i + 5] |= (uint8_t) (t[3] << 2);

  618.         r[7 * i + 6]  = (uint8_t) (t[3] >> 6);

  619.     }

  620. 

  621. }

  622. 

  623. /*************************************************

  624. * Name:        PQCLEAN_DILITHIUM3_CLEAN_polyt0_unpack

  625. *

  626. * Description: Unpack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}].

  627. *              Output coefficients lie in ]Q-2^{D-1},Q+2^{D-1}].

  628. *

  629. * Arguments:   - poly *r: pointer to output polynomial

  630. *              - const unsigned char *a: byte array with bit-packed polynomial

  631. **************************************************/

  632. void PQCLEAN_DILITHIUM3_CLEAN_polyt0_unpack(poly *r, const unsigned char *a) {

  633.     unsigned int i;

  634. 

  635.     for (i = 0; i < N / 4; ++i) {

  636.         r->coeffs[4 * i + 0]  = a[7 * i + 0];

  637.         r->coeffs[4 * i + 0] |= (uint32_t)(a[7 * i + 1] & 0x3F) << 8;

  638. 

  639.         r->coeffs[4 * i + 1]  = a[7 * i + 1] >> 6;

  640.         r->coeffs[4 * i + 1] |= (uint32_t)a[7 * i + 2] << 2;

  641.         r->coeffs[4 * i + 1] |= (uint32_t)(a[7 * i + 3] & 0x0F) << 10;

  642. 

  643.         r->coeffs[4 * i + 2]  = a[7 * i + 3] >> 4;

  644.         r->coeffs[4 * i + 2] |= (uint32_t)a[7 * i + 4] << 4;

  645.         r->coeffs[4 * i + 2] |= (uint32_t)(a[7 * i + 5] & 0x03) << 12;

  646. 

  647.         r->coeffs[4 * i + 3]  = a[7 * i + 5] >> 2;

  648.         r->coeffs[4 * i + 3] |= (uint32_t)a[7 * i + 6] << 6;

  649. 

  650.         r->coeffs[4 * i + 0] = Q + (1U << (D - 1)) - r->coeffs[4 * i + 0];

  651.         r->coeffs[4 * i + 1] = Q + (1U << (D - 1)) - r->coeffs[4 * i + 1];

  652.         r->coeffs[4 * i + 2] = Q + (1U << (D - 1)) - r->coeffs[4 * i + 2];

  653.         r->coeffs[4 * i + 3] = Q + (1U << (D - 1)) - r->coeffs[4 * i + 3];

  654.     }

  655. 

  656. }

  657. 

  658. /*************************************************

  659. * Name:        PQCLEAN_DILITHIUM3_CLEAN_polyz_pack

  660. *

  661. * Description: Bit-pack polynomial z with coefficients

  662. *              in [-(GAMMA1 - 1), GAMMA1 - 1].

  663. *              Input coefficients are assumed to be standard representatives.

  664. *

  665. * Arguments:   - unsigned char *r: pointer to output byte array with at least

  666. *                                  POLZ_SIZE_PACKED bytes

  667. *              - const poly *a: pointer to input polynomial

  668. **************************************************/

  669. void PQCLEAN_DILITHIUM3_CLEAN_polyz_pack(unsigned char *r, const poly *a) {

  670.     unsigned int i;

  671.     uint32_t t[2];

  672. 

  673.     for (i = 0; i < N / 2; ++i) {

  674.         /* Map to {0,...,2*GAMMA1 - 2} */

  675.         t[0] = GAMMA1 - 1 - a->coeffs[2 * i + 0];

  676.         t[0] += ((int32_t)t[0] >> 31) & Q;

  677.         t[1] = GAMMA1 - 1 - a->coeffs[2 * i + 1];

  678.         t[1] += ((int32_t)t[1] >> 31) & Q;

  679. 

  680.         r[5 * i + 0]  = (uint8_t) (t[0]);

  681.         r[5 * i + 1]  = (uint8_t) (t[0] >> 8);

  682.         r[5 * i + 2]  = (uint8_t) (t[0] >> 16);

  683.         r[5 * i + 2] |= (uint8_t) (t[1] << 4);

  684.         r[5 * i + 3]  = (uint8_t) (t[1] >> 4);

  685.         r[5 * i + 4]  = (uint8_t) (t[1] >> 12);

  686.     }

  687. 

  688. }

  689. 

  690. /*************************************************

  691. * Name:        PQCLEAN_DILITHIUM3_CLEAN_polyz_unpack

  692. *

  693. * Description: Unpack polynomial z with coefficients

  694. *              in [-(GAMMA1 - 1), GAMMA1 - 1].

  695. *              Output coefficients are standard representatives.

  696. *

  697. * Arguments:   - poly *r: pointer to output polynomial

  698. *              - const unsigned char *a: byte array with bit-packed polynomial

  699. **************************************************/

  700. void PQCLEAN_DILITHIUM3_CLEAN_polyz_unpack(poly *r, const unsigned char *a) {

  701.     unsigned int i;

  702. 

  703.     for (i = 0; i < N / 2; ++i) {

  704.         r->coeffs[2 * i + 0]  = a[5 * i + 0];

  705.         r->coeffs[2 * i + 0] |= (uint32_t)a[5 * i + 1] << 8;

  706.         r->coeffs[2 * i + 0] |= (uint32_t)(a[5 * i + 2] & 0x0F) << 16;

  707. 

  708.         r->coeffs[2 * i + 1]  = a[5 * i + 2] >> 4;

  709.         r->coeffs[2 * i + 1] |= (uint32_t)a[5 * i + 3] << 4;

  710.         r->coeffs[2 * i + 1] |= (uint32_t)a[5 * i + 4] << 12;

  711. 

  712.         r->coeffs[2 * i + 0] = GAMMA1 - 1 - r->coeffs[2 * i + 0];

  713.         r->coeffs[2 * i + 0] += ((int32_t)r->coeffs[2 * i + 0] >> 31) & Q;

  714.         r->coeffs[2 * i + 1] = GAMMA1 - 1 - r->coeffs[2 * i + 1];

  715.         r->coeffs[2 * i + 1] += ((int32_t)r->coeffs[2 * i + 1] >> 31) & Q;

  716.     }

  717. 

  718. }

  719. 

  720. /*************************************************

  721. * Name:        PQCLEAN_DILITHIUM3_CLEAN_polyw1_pack

  722. *

  723. * Description: Bit-pack polynomial w1 with coefficients in [0, 15].

  724. *              Input coefficients are assumed to be standard representatives.

  725. *

  726. * Arguments:   - unsigned char *r: pointer to output byte array with at least

  727. *                                  POLW1_SIZE_PACKED bytes

  728. *              - const poly *a: pointer to input polynomial

  729. **************************************************/

  730. void PQCLEAN_DILITHIUM3_CLEAN_polyw1_pack(unsigned char *r, const poly *a) {

  731.     unsigned int i;

  732. 

  733.     for (i = 0; i < N / 2; ++i) {

  734.         r[i] = (uint8_t) (a->coeffs[2 * i + 0] | (a->coeffs[2 * i + 1] << 4));

  735.     }

  736. 

  737. }