kris
/
pqcrypto
mirror of https://github.com/henrydcase/pqc.git
1
1
Fork 0
Code Issues 1 Releases 2 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
834 Commits
9 Branches
76 MiB
 
 
 
Tree: cf5107b69f
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'cf5107b69f'
${ noResults }
pqcrypto/crypto_kem/ledakemlt12/leaktime/gf2x_arith.c

253 lines
8.2 KiB
Raw Blame History 

  1. #include "gf2x_arith.h"

  2. 

  3. #include <string.h>  // memset(...)

  4. 

  5. void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_add(DIGIT Res[], const DIGIT A[], const DIGIT B[], size_t n) {

  6.     for (size_t i = 0; i < n; i++) {

  7.         Res[i] = A[i] ^ B[i];

  8.     }

  9. }

  10. 

  11. /* copies len digits from a to r if b == 1 */

  12. void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_cmov(DIGIT *r, const DIGIT *a, size_t len, int c) {

  13.     DIGIT mask = (DIGIT)(-c);

  14.     for (size_t i = 0; i < len; i++) {

  15.         r[i] ^= mask & (a[i] ^ r[i]);

  16.     }

  17. }

  18. 

  19. /* PRE: MAX ALLOWED ROTATION AMOUNT : DIGIT_SIZE_b */

  20. void PQCLEAN_LEDAKEMLT12_LEAKTIME_right_bit_shift_n(size_t length, DIGIT in[], size_t amount) {

  21.     if ( amount == 0 ) {

  22.         return;

  23.     }

  24.     size_t j;

  25.     DIGIT mask;

  26.     mask = ((DIGIT)0x01 << amount) - 1;

  27.     for (j = length - 1; j > 0; j--) {

  28.         in[j] >>= amount;

  29.         in[j] |=  (in[j - 1] & mask) << (DIGIT_SIZE_b - amount);

  30.     }

  31.     in[j] >>= amount;

  32. }

  33. 

  34. /* PRE: MAX ALLOWED ROTATION AMOUNT : DIGIT_SIZE_b */

  35. void PQCLEAN_LEDAKEMLT12_LEAKTIME_left_bit_shift_n(size_t length, DIGIT in[], size_t amount) {

  36.     if ( amount == 0 ) {

  37.         return;

  38.     }

  39.     size_t j;

  40.     DIGIT mask;

  41.     mask = ~(((DIGIT)0x01 << (DIGIT_SIZE_b - amount)) - 1);

  42.     for (j = 0 ; j < length - 1; j++) {

  43.         in[j] <<= amount;

  44.         in[j] |=  (in[j + 1] & mask) >> (DIGIT_SIZE_b - amount);

  45.     }

  46.     in[j] <<= amount;

  47. }

  48. 

  49. 

  50. static void gf2x_mul1(DIGIT *R, const DIGIT A, const DIGIT B) {

  51.     DIGIT tmp;

  52. 

  53.     R[0] = 0;

  54.     R[1] = (A & 1) * B;

  55.     for (uint8_t i = 1; i < DIGIT_SIZE_b; i++) {

  56.         tmp = ((A >> i) & 1) * B;

  57.         R[1] ^= tmp << i;

  58.         R[0] ^= tmp >> (DIGIT_SIZE_b - i);

  59.     }

  60. }

  61. 

  62. static void gf2x_mul_n(DIGIT *R, const DIGIT *A, const DIGIT *B, size_t n) {

  63.     DIGIT tmp[2];

  64. 

  65.     memset(R, 0x00, 2 * n * sizeof(DIGIT));

  66.     for (size_t i = 0; i < n; i++) {

  67.         for (size_t j = 0; j < n; j++) {

  68.             gf2x_mul1(tmp, A[i], B[j]);

  69.             R[i + j] ^= tmp[0];

  70.             R[i + j + 1] ^= tmp[1];

  71.         }

  72.     }

  73. }

  74. 

  75. static void gf2x_cpy(DIGIT *R, const DIGIT *A, size_t len) {

  76.     for (size_t i = 0; i < len; i++) {

  77.         R[i] = A[i];

  78.     }

  79. }

  80. 

  81. /* Accumulate */

  82. #define gf2x_add(R, A, B, n) PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_add(R, A, B, n)

  83. #define gf2x_acc(R, B, n) PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_add(R, R, B, n)

  84. 

  85. /* allows the operands to be of different size

  86.  * first operand must be the bigger one.

  87.  * aligns last array elements */

  88. static inline void gf2x_add_asymm(DIGIT *R,

  89.                                   size_t na, const DIGIT *A,

  90.                                   size_t nb, const DIGIT *B) {

  91.     size_t delta = na - nb;

  92.     gf2x_cpy(R, A, delta);

  93.     gf2x_add(R + delta, A + delta, B, nb);;

  94. }

  95. 

  96. /* aligns first array elements */

  97. static inline void gf2x_add_asymm2(DIGIT *R,

  98.                                    size_t na, const DIGIT *A,

  99.                                    size_t nb, const DIGIT *B) {

  100.     size_t delta = na - nb;

  101.     gf2x_add(R, A, B, nb);

  102.     gf2x_cpy(R + nb, A + nb, delta);

  103. }

  104. 

  105. /*  Karatsuba with lowered space complexity

  106.  *  T(n) = 3 * ceil(n/2) + T(ceil(n / 2)) */

  107. static void gf2x_mul_kar(DIGIT *R,

  108.                          const DIGIT *A,

  109.                          const DIGIT *B,

  110.                          size_t n,

  111.                          DIGIT *stack) {

  112. 

  113.     if (n < MIN_KAR_DIGITS) {

  114.         gf2x_mul_n(R, A, B, n);

  115.         return;

  116.     }

  117. 

  118.     size_t l = (n + 1) / 2; // limb size = ceil(n / 2)

  119.     size_t d = n & 1;

  120. 

  121.     const DIGIT *a1 = A;            // length n - d

  122.     const DIGIT *a0 = A + l - d;    // length n

  123.     const DIGIT *b1 = B;

  124.     const DIGIT *b0 = B + l - d;

  125. 

  126.     DIGIT *aa = stack;

  127.     DIGIT *bb = aa + l;

  128.     DIGIT *cc = bb + l;

  129.     stack = cc + l; // 3l space requirement at each level

  130. 

  131.     DIGIT *c3 = R + l - 2 * d;

  132.     DIGIT *c2 = c3 + l;

  133.     DIGIT *c1 = c2 + l;

  134. 

  135.     gf2x_mul_kar(c2, a0, b0, l, stack);      // L in low part of R

  136.     gf2x_mul_kar(R, a1, b1, l - d, stack);   // H in higher part of R

  137.     gf2x_add_asymm(aa, l, a0, l - d, a1);    // AH + AL

  138.     gf2x_add_asymm(bb, l, b0, l - d, b1);    // BH + BL

  139.     gf2x_add(cc, c3, c2, l);                 // HL + LH in cc

  140.     gf2x_mul_kar(c3, aa, bb, l, stack);      // M = (AH + AL) x (BH + BL)

  141.     gf2x_add_asymm(c3, l, c3, l - 2 * d, R); // add HH

  142.     gf2x_acc(c2, c1, l);                     // add LL

  143.     gf2x_acc(c3, cc, l);                     // add HL + LH

  144.     gf2x_acc(c2, cc, l);                     // add HL + LH

  145. }

  146. 

  147. static void gf2x_div_w_plus_one(DIGIT *A, size_t n) {

  148.     size_t i;

  149.     for (i = 0; i < n - 2; i++) {

  150.         A[i + 1] ^= A[i]; // runs n - 2 times

  151.     }

  152. }

  153. 

  154. static void gf2x_shift_left_w(DIGIT *A, size_t n) {

  155.     size_t i;

  156.     for (i = 0; i < n - 1; i++) {

  157.         A[i] = A[i + 1];

  158.     }

  159.     A[i] = 0;

  160. }

  161. 

  162. /* Word-aligned Toom-Cook 3, source:

  163.  * Brent, Richard P., et al. "Faster multiplication in GF (2)[x]."

  164.  * International Algorithmic Number Theory Symposium.

  165.  * Springer, Berlin, Heidelberg, 2008. */

  166. static void gf2x_mul_tc3w(DIGIT *R,

  167.                           const DIGIT *A,

  168.                           const DIGIT *B,

  169.                           size_t n,

  170.                           DIGIT *stack) {

  171. 

  172.     if (n < MIN_TOOM_DIGITS) {

  173.         gf2x_mul_kar(R, A, B, n, stack);

  174.         return;

  175.     }

  176. 

  177.     size_t l = (n + 2) / 3;                     // size of a0, a1, b0, b1

  178.     size_t r = n - 2 * l;                       // remaining sizes (a2, b2)

  179.     size_t x = 2 * l + 4;                       // size of c1, c2, c3, c4

  180.     size_t z = r + 2 > l + 1 ? r + 2 : l + 1;   // size of c5

  181. 

  182.     const DIGIT *a0 = A;

  183.     const DIGIT *a1 = A + l;

  184.     const DIGIT *a2 = A + 2 * l;

  185.     const DIGIT *b0 = B;

  186.     const DIGIT *b1 = B + l;

  187.     const DIGIT *b2 = B + 2 * l;

  188. 

  189.     DIGIT *c0 = R;                              // c0 and c4 in the result

  190.     DIGIT *c4 = R + 4 * l;

  191.     DIGIT *c1 = stack;                          // the rest in the stack

  192.     DIGIT *c2 = c1 + x;

  193.     DIGIT *c3 = c2 + x;

  194.     DIGIT *c5 = c3 + x;

  195.     stack = c5 + z;                             // Worst-case 7l + 14

  196. 

  197.     // Evaluation

  198.     c0[0] = 0;                                  // c0[z] = a1*W + a2*W^2

  199.     c0[l + 1] = 0;

  200.     gf2x_cpy(c0 + 1, a1, l);

  201.     gf2x_acc(c0 + 2, a2, r);

  202. 

  203.     c4[0] = 0;                                  // c4[z] = b1*W + b2*W^2

  204.     c4[l + 1] = 0;

  205.     gf2x_cpy(c4 + 1, b1, l);

  206.     gf2x_acc(c4 + 2, b2, r);

  207. 

  208.     gf2x_cpy(c5, a0, l);                        // c5[l] = a0 + a1 + a2

  209.     gf2x_acc(c5, a1, l);

  210.     gf2x_acc(c5, a2, r);

  211. 

  212.     gf2x_cpy(c2, b0, l);                        // c2[l] = b0 + b1 + b2

  213.     gf2x_acc(c2, b1, l);

  214.     gf2x_acc(c2, b2, r);

  215. 

  216.     gf2x_mul_tc3w(c1, c2, c5, l, stack);        // c1[2l] = c2 * c5

  217.     gf2x_add_asymm2(c5, z, c0, l, c5);          // c5[z] += c0, z >= l

  218.     gf2x_add_asymm2(c2, z, c4, l, c2);          // c2[z] += c4, idem

  219.     gf2x_acc(c0, a0, l);                        // c0[l] += a0

  220.     gf2x_acc(c4, b0, l);                        // c4[l] += b0

  221.     gf2x_mul_tc3w(c3, c2, c5, z, stack);        // c3[2z] = c2 * c5

  222.     gf2x_mul_tc3w(c2, c0, c4, z, stack);        // c2[2z] = c0 * c4

  223.     gf2x_mul_tc3w(c0, a0, b0, l, stack);        // c0[2l] = a0 * b0

  224.     gf2x_mul_tc3w(c4, a2, b2, r, stack);        // c4[2r] = a2 * b2

  225. 

  226.     // Interpolation

  227.     gf2x_acc(c3, c2, 2 * z);                    // c3[2z] += c2

  228.     gf2x_acc(c2, c0, 2 * l);                    // c2[2z] += c0

  229.     gf2x_shift_left_w(c2, 2 * z);               // c2[2z] = c2/y + c3

  230.     gf2x_acc(c2, c3, 2 * z);

  231.     gf2x_acc(c2, c4, 2 * r);                    // c2[2z] += c4 + c4**3

  232.     gf2x_acc(c2 + 3, c4, 2 * r);

  233.     gf2x_div_w_plus_one(c2, 2 * z);             // c2[2z-1] = c2/(W+1)

  234.     gf2x_acc(c1, c0, 2 * l);                    // c1[2l] += c0

  235.     gf2x_acc(c3, c1, 2 * l);                    // c3[2z] += c1

  236.     gf2x_shift_left_w(c3, 2 * z);               // c3[2z-2] = c3/(W^2 + W)

  237.     gf2x_div_w_plus_one(c3, 2 * z - 1);

  238.     gf2x_add_asymm2(c1, 2 * z, c2, 2 * l, c1);  // c1[2z-1] += c2 + c4

  239.     gf2x_acc(c1, c4, 2 * r);                    // size c2 >= c1 >= c4

  240.     gf2x_acc(c2, c3, 2 * z - 1);                // c2[2z-1] += c3

  241. 

  242.     // Recombination

  243.     gf2x_cpy(R + 2 * l, c2, 2 * l);

  244.     gf2x_acc(R + l, c1, 2 * z - 1);

  245.     gf2x_acc(R + 3 * l, c3, 2 * z - 1);

  246. }

  247. 

  248. void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mul(DIGIT *R, const DIGIT *A, const DIGIT *B, size_t n) {

  249.     DIGIT stack[STACK_WORDS];

  250.     gf2x_mul_tc3w(R, A, B, n, stack);

  251. }