kris
/
pqcrypto
дзеркало https://github.com/henrydcase/pqc.git
1
1
Форк 0
Код Проблеми 1 Релізи 2 Вікі Активність
Ви не можете вибрати більше 25 тем Теми мають розпочинатися з літери або цифри, можуть містити дефіси (-) і не повинні перевищувати 35 символів.
532 Коміти
9 Гілки
132 MiB
 
 
 
Дерево: cc551546bf
Гілки Теги
${ item.name }
Створити гілку ${ searchTerm }
з 'cc551546bf'
${ noResults }
pqcrypto/crypto_kem/ntruhps4096821/clean/poly.c

346 рядки
10 KiB
Неформатований Звинувачення Історія 

  1. #include "poly.h"

  2. #include "fips202.h"

  3. #include "verify.h"

  4. 

  5. uint16_t PQCLEAN_NTRUHPS4096821_CLEAN_mod3(uint16_t a) {

  6.     uint16_t r;

  7.     int16_t t, c;

  8. 

  9.     r = (a >> 8) + (a & 0xff); // r mod 255 == a mod 255

  10.     r = (r >> 4) + (r & 0xf); // r' mod 15 == r mod 15

  11.     r = (r >> 2) + (r & 0x3); // r' mod 3 == r mod 3

  12.     r = (r >> 2) + (r & 0x3); // r' mod 3 == r mod 3

  13. 

  14.     t = r - 3;

  15.     c = t >> 15;

  16. 

  17.     return (c & r) ^ (~c & t);

  18. }

  19. 

  20. /* Map {0, 1, 2} -> {0,1,q-1} in place */

  21. void PQCLEAN_NTRUHPS4096821_CLEAN_poly_Z3_to_Zq(poly *r) {

  22.     int i;

  23.     for (i = 0; i < NTRU_N; i++) {

  24.         r->coeffs[i] = r->coeffs[i] | ((-(r->coeffs[i] >> 1)) & (NTRU_Q - 1));

  25.     }

  26. }

  27. 

  28. /* Map {0, 1, q-1} -> {0,1,2} in place */

  29. void PQCLEAN_NTRUHPS4096821_CLEAN_poly_trinary_Zq_to_Z3(poly *r) {

  30.     int i;

  31.     for (i = 0; i < NTRU_N; i++) {

  32.         r->coeffs[i] = 3 & (r->coeffs[i] ^ (r->coeffs[i] >> (NTRU_LOGQ - 1)));

  33.     }

  34. }

  35. 

  36. void PQCLEAN_NTRUHPS4096821_CLEAN_poly_Rq_mul(poly *r, const poly *a, const poly *b) {

  37.     int k, i;

  38. 

  39.     for (k = 0; k < NTRU_N; k++) {

  40.         r->coeffs[k] = 0;

  41.         for (i = 1; i < NTRU_N - k; i++) {

  42.             r->coeffs[k] += a->coeffs[k + i] * b->coeffs[NTRU_N - i];

  43.         }

  44.         for (i = 0; i < k + 1; i++) {

  45.             r->coeffs[k] += a->coeffs[k - i] * b->coeffs[i];

  46.         }

  47.         r->coeffs[k] = MODQ(r->coeffs[k]);

  48.     }

  49. }

  50. 

  51. void PQCLEAN_NTRUHPS4096821_CLEAN_poly_Sq_mul(poly *r, const poly *a, const poly *b) {

  52.     int i;

  53.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_Rq_mul(r, a, b);

  54.     for (i = 0; i < NTRU_N; i++) {

  55.         r->coeffs[i] = MODQ(r->coeffs[i] - r->coeffs[NTRU_N - 1]);

  56.     }

  57. }

  58. 

  59. void PQCLEAN_NTRUHPS4096821_CLEAN_poly_S3_mul(poly *r, const poly *a, const poly *b) {

  60.     int k, i;

  61. 

  62.     for (k = 0; k < NTRU_N; k++) {

  63.         r->coeffs[k] = 0;

  64.         for (i = 1; i < NTRU_N - k; i++) {

  65.             r->coeffs[k] += a->coeffs[k + i] * b->coeffs[NTRU_N - i];

  66.         }

  67.         for (i = 0; i < k + 1; i++) {

  68.             r->coeffs[k] += a->coeffs[k - i] * b->coeffs[i];

  69.         }

  70.     }

  71.     for (k = 0; k < NTRU_N; k++) {

  72.         r->coeffs[k] = PQCLEAN_NTRUHPS4096821_CLEAN_mod3(r->coeffs[k] + 2 * r->coeffs[NTRU_N - 1]);

  73.     }

  74. }

  75. 

  76. void PQCLEAN_NTRUHPS4096821_CLEAN_poly_Rq_mul_x_minus_1(poly *r, const poly *a) {

  77.     int i;

  78.     uint16_t last_coeff = a->coeffs[NTRU_N - 1];

  79. 

  80.     for (i = NTRU_N - 1; i > 0; i--) {

  81.         r->coeffs[i] = MODQ(a->coeffs[i - 1] + (NTRU_Q - a->coeffs[i]));

  82.     }

  83.     r->coeffs[0] = MODQ(last_coeff + (NTRU_Q - a->coeffs[0]));

  84. }

  85. 

  86. void PQCLEAN_NTRUHPS4096821_CLEAN_poly_lift(poly *r, const poly *a) {

  87.     int i;

  88.     for (i = 0; i < NTRU_N; i++) {

  89.         r->coeffs[i] = a->coeffs[i];

  90.     }

  91.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_Z3_to_Zq(r);

  92. }

  93. 

  94. void PQCLEAN_NTRUHPS4096821_CLEAN_poly_Rq_to_S3(poly *r, const poly *a) {

  95.     /* NOTE: Assumes input is in [0,Q-1]^N */

  96.     /*       Produces output in {0,1,2}^N */

  97.     int i;

  98. 

  99.     /* Center coeffs around 3Q: [0, Q-1] -> [3Q - Q/2, 3Q + Q/2) */

  100.     for (i = 0; i < NTRU_N; i++) {

  101.         r->coeffs[i] = ((a->coeffs[i] >> (NTRU_LOGQ - 1)) ^ 3) << NTRU_LOGQ;

  102.         r->coeffs[i] += a->coeffs[i];

  103.     }

  104.     /* Reduce mod (3, Phi) */

  105.     r->coeffs[NTRU_N - 1] = PQCLEAN_NTRUHPS4096821_CLEAN_mod3(r->coeffs[NTRU_N - 1]);

  106.     for (i = 0; i < NTRU_N; i++) {

  107.         r->coeffs[i] = PQCLEAN_NTRUHPS4096821_CLEAN_mod3(r->coeffs[i] + 2 * r->coeffs[NTRU_N - 1]);

  108.     }

  109. }

  110. 

  111. #define POLY_R2_ADD(I,A,B,S) \

  112.     for ((I)=0; (I)<NTRU_N; (I)++) { \

  113.         (A).coeffs[(I)] ^= (B).coeffs[(I)] * (S); \

  114.     }

  115. 

  116. static void cswappoly(poly *a, poly *b, int swap) {

  117.     int i;

  118.     uint16_t t;

  119.     swap = -swap;

  120.     for (i = 0; i < NTRU_N; i++) {

  121.         t = (a->coeffs[i] ^ b->coeffs[i]) & swap;

  122.         a->coeffs[i] ^= t;

  123.         b->coeffs[i] ^= t;

  124.     }

  125. }

  126. 

  127. static inline void poly_divx(poly *a, int s) {

  128.     int i;

  129. 

  130.     for (i = 1; i < NTRU_N; i++) {

  131.         a->coeffs[i - 1] = (unsigned char) ((s * a->coeffs[i]) | (!s * a->coeffs[i - 1]));

  132.     }

  133.     a->coeffs[NTRU_N - 1] = (!s * a->coeffs[NTRU_N - 1]);

  134. }

  135. 

  136. static inline void poly_mulx(poly *a, int s) {

  137.     int i;

  138. 

  139.     for (i = 1; i < NTRU_N; i++) {

  140.         a->coeffs[NTRU_N - i] = (unsigned char) ((s * a->coeffs[NTRU_N - i - 1]) | (!s * a->coeffs[NTRU_N - i]));

  141.     }

  142.     a->coeffs[0] = (!s * a->coeffs[0]);

  143. }

  144. 

  145. static void poly_R2_inv(poly *r, const poly *a) {

  146.     /* Schroeppel--Orman--O'Malley--Spatscheck

  147.      * "Almost Inverse" algorithm as described

  148.      * by Silverman in NTRU Tech Report #14 */

  149.     // with several modifications to make it run in constant-time

  150.     int i, j;

  151.     int k = 0;

  152.     uint16_t degf = NTRU_N - 1;

  153.     uint16_t degg = NTRU_N - 1;

  154.     int sign, t, swap;

  155.     int16_t done = 0;

  156.     poly b, f, g;

  157.     poly *c = r; // save some stack space

  158.     poly *temp_r = &f;

  159. 

  160.     /* b(X) := 1 */

  161.     for (i = 1; i < NTRU_N; i++) {

  162.         b.coeffs[i] = 0;

  163.     }

  164.     b.coeffs[0] = 1;

  165. 

  166.     /* c(X) := 0 */

  167.     for (i = 0; i < NTRU_N; i++) {

  168.         c->coeffs[i] = 0;

  169.     }

  170. 

  171.     /* f(X) := a(X) */

  172.     for (i = 0; i < NTRU_N; i++) {

  173.         f.coeffs[i] = a->coeffs[i] & 1;

  174.     }

  175. 

  176.     /* g(X) := 1 + X + X^2 + ... + X^{N-1} */

  177.     for (i = 0; i < NTRU_N; i++) {

  178.         g.coeffs[i] = 1;

  179.     }

  180. 

  181.     for (j = 0; j < 2 * (NTRU_N - 1) - 1; j++) {

  182.         sign = f.coeffs[0];

  183.         swap = sign & !done & ((degf - degg) >> 15);

  184. 

  185.         cswappoly(&f, &g, swap);

  186.         cswappoly(&b, c, swap);

  187.         t = (degf ^ degg) & (-swap);

  188.         degf ^= t;

  189.         degg ^= t;

  190. 

  191.         POLY_R2_ADD(i, f, g, sign * (!done));

  192.         POLY_R2_ADD(i, b, (*c), sign * (!done));

  193. 

  194.         poly_divx(&f, !done);

  195.         poly_mulx(c, !done);

  196.         degf -= !done;

  197.         k += !done;

  198. 

  199.         done = 1 - (((uint16_t) - degf) >> 15);

  200.     }

  201. 

  202.     k = k - NTRU_N * ((uint16_t)(NTRU_N - k - 1) >> 15);

  203. 

  204.     /* Return X^{N-k} * b(X) */

  205.     /* This is a k-coefficient rotation. We do this by looking at the binary

  206.        representation of k, rotating for every power of 2, and performing a cmov

  207.        if the respective bit is set. */

  208.     for (i = 0; i < NTRU_N; i++) {

  209.         r->coeffs[i] = b.coeffs[i];

  210.     }

  211. 

  212.     for (i = 0; i < 10; i++) {

  213.         for (j = 0; j < NTRU_N; j++) {

  214.             temp_r->coeffs[j] = r->coeffs[(j + (1 << i)) % NTRU_N];

  215.         }

  216.         PQCLEAN_NTRUHPS4096821_CLEAN_cmov((unsigned char *) & (r->coeffs),

  217.                                           (unsigned char *) & (temp_r->coeffs), sizeof(uint16_t) * NTRU_N, k & 1);

  218.         k >>= 1;

  219.     }

  220. }

  221. 

  222. static void poly_R2_inv_to_Rq_inv(poly *r, const poly *ai, const poly *a) {

  223. 

  224.     int i;

  225.     poly b, c;

  226.     poly s;

  227. 

  228.     // for 0..4

  229.     //    ai = ai * (2 - a*ai)  mod q

  230.     for (i = 0; i < NTRU_N; i++) {

  231.         b.coeffs[i] = MODQ(NTRU_Q - a->coeffs[i]); // b = -a

  232.     }

  233. 

  234.     for (i = 0; i < NTRU_N; i++) {

  235.         r->coeffs[i] = ai->coeffs[i];

  236.     }

  237. 

  238.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_Rq_mul(&c, r, &b);

  239.     c.coeffs[0] += 2; // c = 2 - a*ai

  240.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_Rq_mul(&s, &c, r); // s = ai*c

  241. 

  242.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_Rq_mul(&c, &s, &b);

  243.     c.coeffs[0] += 2; // c = 2 - a*s

  244.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_Rq_mul(r, &c, &s); // r = s*c

  245. 

  246.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_Rq_mul(&c, r, &b);

  247.     c.coeffs[0] += 2; // c = 2 - a*r

  248.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_Rq_mul(&s, &c, r); // s = r*c

  249. 

  250.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_Rq_mul(&c, &s, &b);

  251.     c.coeffs[0] += 2; // c = 2 - a*s

  252.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_Rq_mul(r, &c, &s); // r = s*c

  253. }

  254. 

  255. void PQCLEAN_NTRUHPS4096821_CLEAN_poly_Rq_inv(poly *r, const poly *a) {

  256.     poly ai2;

  257.     poly_R2_inv(&ai2, a);

  258.     poly_R2_inv_to_Rq_inv(r, &ai2, a);

  259. }

  260. 

  261. void PQCLEAN_NTRUHPS4096821_CLEAN_poly_S3_inv(poly *r, const poly *a) {

  262.     /* Schroeppel--Orman--O'Malley--Spatscheck

  263.      * "Almost Inverse" algorithm as described

  264.      * by Silverman in NTRU Tech Report #14 */

  265.     // with several modifications to make it run in constant-time

  266.     int i, j;

  267.     uint16_t k = 0;

  268.     uint16_t degf = NTRU_N - 1;

  269.     uint16_t degg = NTRU_N - 1;

  270.     int sign, fsign = 0, t, swap;

  271.     int16_t done = 0;

  272.     poly b, c, f, g;

  273.     poly *temp_r = &f;

  274. 

  275.     /* b(X) := 1 */

  276.     for (i = 1; i < NTRU_N; i++) {

  277.         b.coeffs[i] = 0;

  278.     }

  279.     b.coeffs[0] = 1;

  280. 

  281.     /* c(X) := 0 */

  282.     for (i = 0; i < NTRU_N; i++) {

  283.         c.coeffs[i] = 0;

  284.     }

  285. 

  286.     /* f(X) := a(X) */

  287.     for (i = 0; i < NTRU_N; i++) {

  288.         f.coeffs[i] = a->coeffs[i];

  289.     }

  290. 

  291.     /* g(X) := 1 + X + X^2 + ... + X^{N-1} */

  292.     for (i = 0; i < NTRU_N; i++) {

  293.         g.coeffs[i] = 1;

  294.     }

  295. 

  296.     for (j = 0; j < 2 * (NTRU_N - 1) - 1; j++) {

  297.         sign = PQCLEAN_NTRUHPS4096821_CLEAN_mod3(2 * g.coeffs[0] * f.coeffs[0]);

  298.         swap = (((sign & 2) >> 1) | sign) & !done & ((degf - degg) >> 15);

  299. 

  300.         cswappoly(&f, &g, swap);

  301.         cswappoly(&b, &c, swap);

  302.         t = (degf ^ degg) & (-swap);

  303.         degf ^= t;

  304.         degg ^= t;

  305. 

  306.         for (i = 0; i < NTRU_N; i++) {

  307.             f.coeffs[i] = PQCLEAN_NTRUHPS4096821_CLEAN_mod3(f.coeffs[i] + ((uint16_t) (sign * (!done))) * g.coeffs[i]);

  308.         }

  309.         for (i = 0; i < NTRU_N; i++) {

  310.             b.coeffs[i] = PQCLEAN_NTRUHPS4096821_CLEAN_mod3(b.coeffs[i] + ((uint16_t) (sign * (!done))) * c.coeffs[i]);

  311.         }

  312. 

  313.         poly_divx(&f, !done);

  314.         poly_mulx(&c, !done);

  315.         degf -= !done;

  316.         k += !done;

  317. 

  318.         done = 1 - (((uint16_t) - degf) >> 15);

  319.     }

  320. 

  321.     fsign = f.coeffs[0];

  322.     k = k - NTRU_N * ((uint16_t)(NTRU_N - k - 1) >> 15);

  323. 

  324.     /* Return X^{N-k} * b(X) */

  325.     /* This is a k-coefficient rotation. We do this by looking at the binary

  326.        representation of k, rotating for every power of 2, and performing a cmov

  327.        if the respective bit is set. */

  328.     for (i = 0; i < NTRU_N; i++) {

  329.         r->coeffs[i] = PQCLEAN_NTRUHPS4096821_CLEAN_mod3((uint16_t) fsign * b.coeffs[i]);

  330.     }

  331. 

  332.     for (i = 0; i < 10; i++) {

  333.         for (j = 0; j < NTRU_N; j++) {

  334.             temp_r->coeffs[j] = r->coeffs[(j + (1 << i)) % NTRU_N];

  335.         }

  336.         PQCLEAN_NTRUHPS4096821_CLEAN_cmov((unsigned char *) & (r->coeffs),

  337.                                           (unsigned char *) & (temp_r->coeffs), sizeof(uint16_t) * NTRU_N, k & 1);

  338.         k >>= 1;

  339.     }

  340. 

  341.     /* Reduce modulo Phi_n */

  342.     for (i = 0; i < NTRU_N; i++) {

  343.         r->coeffs[i] = PQCLEAN_NTRUHPS4096821_CLEAN_mod3(r->coeffs[i] + 2 * r->coeffs[NTRU_N - 1]);

  344.     }

  345. }