Remove manually added Kyber
parent
75cd636110
commit
2cbbc8bca9
@ -44,9 +44,6 @@ endif
|
||||
if ENABLE_KEM_NEWHOPE
|
||||
liboqs_la_LIBADD += src/kem/newhopenist/libkemnewhopenist.la
|
||||
endif
|
||||
if ENABLE_KEM_KYBER
|
||||
liboqs_la_LIBADD += src/kem/kyber/libkemkyber.la
|
||||
endif
|
||||
|
||||
oqsconfigh:
|
||||
grep OQS_ config.h > src/oqsconfig.h
|
||||
@ -64,7 +61,6 @@ installheader_HEADERS= src/oqs.h \
|
||||
src/kem/frodokem/kem_frodokem.h \
|
||||
src/kem/ntru/kem_ntru.h \
|
||||
src/kem/newhopenist/kem_newhopenist.h \
|
||||
src/kem/kyber/kem_kyber.h \
|
||||
src/kem/sike/kem_sike.h \
|
||||
src/sig/sig.h \
|
||||
src/sig/picnic/sig_picnic.h \
|
||||
@ -102,7 +98,6 @@ links: oqsconfigh
|
||||
##### OQS_COPY_FROM_PQCLEAN_FRAGMENT_LINKS_END
|
||||
cp -f src/kem/sike/kem_sike.h include/oqs
|
||||
cp -f src/kem/newhopenist/kem_newhopenist.h include/oqs
|
||||
cp -f src/kem/kyber/kem_kyber.h include/oqs
|
||||
cp -f src/sig/sig.h include/oqs
|
||||
cp -f src/sig/picnic/sig_picnic.h include/oqs
|
||||
cp -f src/sig/qtesla/sig_qtesla.h include/oqs
|
||||
|
||||
@ -13,15 +13,6 @@ EXPORTS
|
||||
OQS_KEM_frodokem_640_shake_decaps
|
||||
OQS_KEM_frodokem_640_shake_encaps
|
||||
OQS_KEM_frodokem_640_shake_keypair
|
||||
OQS_KEM_kyber_512_cca_kem_keypair
|
||||
OQS_KEM_kyber_512_cca_kem_encaps
|
||||
OQS_KEM_kyber_512_cca_kem_decaps
|
||||
OQS_KEM_kyber_768_cca_kem_keypair
|
||||
OQS_KEM_kyber_768_cca_kem_encaps
|
||||
OQS_KEM_kyber_768_cca_kem_decaps
|
||||
OQS_KEM_kyber_1024_cca_kem_keypair
|
||||
OQS_KEM_kyber_1024_cca_kem_encaps
|
||||
OQS_KEM_kyber_1024_cca_kem_decaps
|
||||
OQS_KEM_newhope_1024_cca_kem_decaps
|
||||
OQS_KEM_newhope_1024_cca_kem_encaps
|
||||
OQS_KEM_newhope_1024_cca_kem_keypair
|
||||
|
||||
@ -35,7 +35,6 @@
|
||||
</ProjectConfiguration>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="..\..\src\kem\kyber\kem_kyber.h" />
|
||||
<ClInclude Include="..\..\src\kem\newhopenist\kem_newhopenist.h" />
|
||||
<ClInclude Include="..\..\src\kem\kem.h" />
|
||||
<ClInclude Include="..\..\src\kem\sike\kem_sike.h" />
|
||||
@ -113,10 +112,6 @@
|
||||
<ClCompile Include="..\..\src\kem\frodokem\pqclean_frodokem1344shake_clean\matrix_shake.c" />
|
||||
<ClCompile Include="..\..\src\kem\frodokem\pqclean_frodokem1344shake_clean\noise.c" />
|
||||
<ClCompile Include="..\..\src\kem\frodokem\pqclean_frodokem1344shake_clean\util.c" />
|
||||
<ClCompile Include="..\..\src\kem\kyber\kem_kyber.c" />
|
||||
<ClCompile Include="..\..\src\kem\kyber\win_kyber1024.c" />
|
||||
<ClCompile Include="..\..\src\kem\kyber\win_kyber512.c" />
|
||||
<ClCompile Include="..\..\src\kem\kyber\win_kyber768.c" />
|
||||
<ClCompile Include="..\..\src\kem\newhopenist\kem_newhopenist.c" />
|
||||
<ClCompile Include="..\..\src\kem\kem.c" />
|
||||
<ClCompile Include="..\..\src\kem\newhopenist\win_newhope1024cca.c" />
|
||||
@ -293,7 +288,6 @@ copy "$(SolutionDir)..\src\crypto\sha3\sha3.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\kem.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\bike\kem_bike.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\frodokem\kem_frodokem.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\kyber\kem_kyber.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\newhopenist\kem_newhopenist.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\sike\kem_sike.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\sig\sig.h" "$(SolutionDir)include\oqs\"
|
||||
@ -329,7 +323,6 @@ copy "$(SolutionDir)..\src\crypto\sha3\sha3.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\kem.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\bike\kem_bike.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\frodokem\kem_frodokem.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\kyber\kem_kyber.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\newhopenist\kem_newhopenist.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\sike\kem_sike.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\sig\sig.h" "$(SolutionDir)include\oqs\"
|
||||
@ -365,7 +358,6 @@ copy "$(SolutionDir)..\src\crypto\sha3\sha3.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\kem.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\bike\kem_bike.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\frodokem\kem_frodokem.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\kyber\kem_kyber.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\newhopenist\kem_newhopenist.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\sike\kem_sike.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\sig\sig.h" "$(SolutionDir)include\oqs\"
|
||||
@ -408,7 +400,6 @@ copy "$(SolutionDir)..\src\crypto\sha3\sha3.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\kem.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\bike\kem_bike.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\frodokem\kem_frodokem.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\kyber\kem_kyber.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\newhopenist\kem_newhopenist.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\sike\kem_sike.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\sig\sig.h" "$(SolutionDir)include\oqs\"
|
||||
@ -450,7 +441,6 @@ copy "$(SolutionDir)..\src\crypto\sha3\sha3.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\kem.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\bike\kem_bike.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\frodokem\kem_frodokem.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\kyber\kem_kyber.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\newhopenist\kem_newhopenist.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\sike\kem_sike.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\sig\sig.h" "$(SolutionDir)include\oqs\"
|
||||
@ -490,7 +480,6 @@ copy "$(SolutionDir)..\src\crypto\sha3\sha3.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\kem.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\bike\kem_bike.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\frodokem\kem_frodokem.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\kyber\kem_kyber.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\newhopenist\kem_newhopenist.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\sike\kem_sike.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\sig\sig.h" "$(SolutionDir)include\oqs\"
|
||||
@ -530,7 +519,6 @@ copy "$(SolutionDir)..\src\crypto\sha3\sha3.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\kem.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\bike\kem_bike.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\frodokem\kem_frodokem.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\kyber\kem_kyber.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\newhopenist\kem_newhopenist.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\sike\kem_sike.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\sig\sig.h" "$(SolutionDir)include\oqs\"
|
||||
@ -577,7 +565,6 @@ copy "$(SolutionDir)..\src\crypto\sha3\sha3.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\kem.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\bike\kem_bike.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\frodokem\kem_frodokem.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\kyber\kem_kyber.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\newhopenist\kem_newhopenist.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\kem\sike\kem_sike.h" "$(SolutionDir)include\oqs\"
|
||||
copy "$(SolutionDir)..\src\sig\sig.h" "$(SolutionDir)include\oqs\"
|
||||
|
||||
@ -136,18 +136,6 @@
|
||||
<ClCompile Include="..\..\src\kem\newhopenist\win_newhope1024cca.c">
|
||||
<Filter>newhopenist</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="..\..\src\kem\kyber\kem_kyber.c">
|
||||
<Filter>kyber</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="..\..\src\kem\kyber\win_kyber512.c">
|
||||
<Filter>kyber</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="..\..\src\kem\kyber\win_kyber768.c">
|
||||
<Filter>kyber</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="..\..\src\kem\kyber\win_kyber1024.c">
|
||||
<Filter>kyber</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="..\..\src\sig\picnic\sig_picnic.c">
|
||||
<Filter>picnic</Filter>
|
||||
</ClCompile>
|
||||
@ -251,9 +239,6 @@
|
||||
<ClInclude Include="..\..\src\kem\newhopenist\kem_newhopenist.h">
|
||||
<Filter>newhopenist</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="..\..\src\kem\kyber\kem_kyber.h">
|
||||
<Filter>kyber</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="..\..\src\sig\picnic\sig_picnic.h">
|
||||
<Filter>picnic</Filter>
|
||||
</ClInclude>
|
||||
@ -349,9 +334,6 @@
|
||||
<Filter Include="newhopenist">
|
||||
<UniqueIdentifier>{cb72ff2d-77c6-4e60-a04e-6aad5fc6c328}</UniqueIdentifier>
|
||||
</Filter>
|
||||
<Filter Include="kyber">
|
||||
<UniqueIdentifier>{17171b11-2a2c-4084-a710-c555295e2484}</UniqueIdentifier>
|
||||
</Filter>
|
||||
<Filter Include="frodo\640aes">
|
||||
<UniqueIdentifier>{453e77f7-95b8-4adc-adc8-033fe561c018}</UniqueIdentifier>
|
||||
</Filter>
|
||||
|
||||
@ -4,13 +4,10 @@
|
||||
/* Enable schemes supported on Windows */
|
||||
#define OQS_ENABLE_KEM_frodokem_640_aes
|
||||
#define OQS_ENABLE_KEM_frodokem_640_shake
|
||||
/* #define OQS_ENABLE_KEM_frodokem_976_aes */
|
||||
/* #define OQS_ENABLE_KEM_frodokem_976_shake */
|
||||
/* #define OQS_ENABLE_KEM_frodokem_1344_aes */
|
||||
/* #define OQS_ENABLE_KEM_frodokem_1344_shake */
|
||||
#define OQS_ENABLE_KEM_kyber_512_cca_kem
|
||||
#define OQS_ENABLE_KEM_kyber_768_cca_kem
|
||||
#define OQS_ENABLE_KEM_kyber_1024_cca_kem
|
||||
#define OQS_ENABLE_KEM_frodokem_976_aes
|
||||
#define OQS_ENABLE_KEM_frodokem_976_shake
|
||||
#define OQS_ENABLE_KEM_frodokem_1344_aes
|
||||
#define OQS_ENABLE_KEM_frodokem_1344_shake
|
||||
#define OQS_ENABLE_KEM_newhope_1024_cca_kem
|
||||
#define OQS_ENABLE_KEM_newhope_512_cca_kem
|
||||
#define OQS_ENABLE_KEM_sike_p503
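Review bot: Besides dropping the three `OQS_ENABLE_KEM_kyber_*` defines, this hunk appears (from the 13 → 10 line counts and the FrodoKEM names appearing both commented and live) to replace the four commented-out `/* #define OQS_ENABLE_KEM_frodokem_976_* / _1344_* */` lines with live `#define`s, which widens the Windows build to four FrodoKEM variants the commit title does not mention. If that is intended it deserves a sentence in the commit message, and the matching `.def` exports and vcxproj sources should be confirmed for the 976 variants (the vcxproj hunk only shows `pqclean_frodokem1344shake_clean` sources). If it is not intended, keep those four lines commented out here and enable them in a separate commit so the Kyber removal stays reviewable on its own.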
|
||||
|
||||
@ -49,7 +49,6 @@ AC_DEFUN([CONFIG_FEATURE_FLAGS],
|
||||
##### OQS_COPY_FROM_PQCLEAN_FRAGMENT_ARG_DISBL_SET_WRAP_END
|
||||
ARG_DISBL_SET_WRAP([kem-sike], [kem_sike], [ENABLE_KEM_SIKE], [src/kem/sike])
|
||||
ARG_DISBL_SET_WRAP([kem-newhope], [kem_newhope], [ENABLE_KEM_NEWHOPE], [src/kem/newhopenist])
|
||||
ARG_DISBL_SET_WRAP([kem-kyber], [kem_kyber], [ENABLE_KEM_KYBER], [src/kem/kyber])
|
||||
|
||||
ARG_DISBL_SET_WRAP([sig-picnic], [sig_picnic],
|
||||
[ENABLE_SIG_PICNIC], [src/sig/picnic])
|
||||
@ -125,11 +124,5 @@ AC_DEFUN([CONFIG_FEATURES],
|
||||
AC_DEFINE(OQS_ENABLE_KEM_newhope_512_cca_kem, 1, "Define to 1 when NewHope-512-CCA-KEM enabled")
|
||||
AC_DEFINE(OQS_ENABLE_KEM_newhope_1024_cca_kem, 1, "Define to 1 when NewHope-1024-CCA-KEM enabled")
|
||||
])
|
||||
|
||||
AM_COND_IF([ENABLE_KEM_KYBER], [
|
||||
AC_DEFINE(OQS_ENABLE_KEM_kyber_512_cca_kem, 1, "Define to 1 when Kyber-512-CCA-KEM enabled")
|
||||
AC_DEFINE(OQS_ENABLE_KEM_kyber_768_cca_kem, 1, "Define to 1 when Kyber-512-CCA-KEM enabled")
|
||||
AC_DEFINE(OQS_ENABLE_KEM_kyber_1024_cca_kem, 1, "Define to 1 when Kyber-1024-CCA-KEM enabled")
|
||||
])
|
||||
]
|
||||
)
|
||||
|
||||
@ -76,7 +76,6 @@ AC_CONFIG_FILES([Makefile
|
||||
src/kem/ntru/Makefile
|
||||
src/kem/sike/Makefile
|
||||
src/kem/newhopenist/Makefile
|
||||
src/kem/kyber/Makefile
|
||||
tests/Makefile
|
||||
])
|
||||
##### OQS_COPY_FROM_PQCLEAN_FRAGMENT_AC_CONFIG_FILES_END
|
||||
|
||||
@ -10,7 +10,6 @@ installheader_HEADERS= src/oqs.h \
|
||||
{%- for family in families %}
|
||||
src/kem/{{ family['name'] }}/kem_{{ family['name'] }}.h \{% endfor %}
|
||||
src/kem/newhopenist/kem_newhopenist.h \
|
||||
src/kem/kyber/kem_kyber.h \
|
||||
src/kem/sike/kem_sike.h \
|
||||
src/sig/sig.h \
|
||||
src/sig/picnic/sig_picnic.h \
|
||||
|
||||
@ -12,7 +12,6 @@ AC_CONFIG_FILES([Makefile
|
||||
src/kem/{{ family['name'] }}/Makefile{% endfor %}
|
||||
src/kem/sike/Makefile
|
||||
src/kem/newhopenist/Makefile
|
||||
src/kem/kyber/Makefile
|
||||
tests/Makefile
|
||||
])
|
||||
|
||||
|
||||
@ -18,7 +18,6 @@ OQS_API const char *OQS_KEM_alg_identifier(size_t i) {
|
||||
OQS_KEM_alg_ntru_hps2048509, OQS_KEM_alg_ntru_hps2048677, OQS_KEM_alg_ntru_hps4096821, OQS_KEM_alg_ntru_hrss701,
|
||||
///// OQS_COPY_FROM_PQCLEAN_FRAGMENT_ALG_IDENTIFIER_END
|
||||
OQS_KEM_alg_newhope_512_cca_kem, OQS_KEM_alg_newhope_1024_cca_kem,
|
||||
OQS_KEM_alg_kyber_512_cca_kem, OQS_KEM_alg_kyber_768_cca_kem, OQS_KEM_alg_kyber_1024_cca_kem,
|
||||
OQS_KEM_alg_sidh_p503, OQS_KEM_alg_sidh_p751,
|
||||
OQS_KEM_alg_sike_p503, OQS_KEM_alg_sike_p751};
|
||||
if (i >= OQS_KEM_algs_length) {
|
||||
@ -165,24 +164,6 @@ OQS_API OQS_KEM *OQS_KEM_new(const char *method_name) {
|
||||
return OQS_KEM_newhope_1024_cca_kem_new();
|
||||
#else
|
||||
return NULL;
|
||||
#endif
|
||||
} else if (0 == strcasecmp(method_name, OQS_KEM_alg_kyber_512_cca_kem)) {
|
||||
#ifdef OQS_ENABLE_KEM_kyber_512_cca_kem
|
||||
return OQS_KEM_kyber_512_cca_kem_new();
|
||||
#else
|
||||
return NULL;
|
||||
#endif
|
||||
} else if (0 == strcasecmp(method_name, OQS_KEM_alg_kyber_768_cca_kem)) {
|
||||
#ifdef OQS_ENABLE_KEM_kyber_768_cca_kem
|
||||
return OQS_KEM_kyber_768_cca_kem_new();
|
||||
#else
|
||||
return NULL;
|
||||
#endif
|
||||
} else if (0 == strcasecmp(method_name, OQS_KEM_alg_kyber_1024_cca_kem)) {
|
||||
#ifdef OQS_ENABLE_KEM_kyber_1024_cca_kem
|
||||
return OQS_KEM_kyber_1024_cca_kem_new();
|
||||
#else
|
||||
return NULL;
|
||||
#endif
|
||||
} else if (0 == strcasecmp(method_name, OQS_KEM_alg_sidh_p503)) {
|
||||
#ifdef OQS_ENABLE_KEM_sidh_p503
|
||||
|
||||
@ -71,12 +71,6 @@
|
||||
#define OQS_KEM_alg_newhope_512_cca_kem "NewHope-512-CCA-KEM"
|
||||
/** Algorithm identifier for NewHope-1024-CCA-KEM KEM. */
|
||||
#define OQS_KEM_alg_newhope_1024_cca_kem "NewHope-1024-CCA-KEM"
|
||||
/** Algorithm identifier for Kyber-512-CCA-KEM KEM. */
|
||||
#define OQS_KEM_alg_kyber_512_cca_kem "Kyber-512-CCA-KEM"
|
||||
/** Algorithm identifier for Kyber-768-CCA-KEM KEM. */
|
||||
#define OQS_KEM_alg_kyber_768_cca_kem "Kyber-768-CCA-KEM"
|
||||
/** Algorithm identifier for Kyber-1024-CCA-KEM KEM. */
|
||||
#define OQS_KEM_alg_kyber_1024_cca_kem "Kyber-1024-CCA-KEM"
|
||||
/** Algorithm identifier for Sidh p503 KEM. */
|
||||
#define OQS_KEM_alg_sidh_p503 "Sidh-p503"
|
||||
/** Algorithm identifier for Sidh p751 KEM. */
|
||||
@ -87,7 +81,7 @@
|
||||
#define OQS_KEM_alg_sike_p751 "Sike-p751"
|
||||
// EDIT-WHEN-ADDING-KEM
|
||||
/** Number of algorithm identifiers above. */
|
||||
#define OQS_KEM_algs_length 29
|
||||
#define OQS_KEM_algs_length 26
|
||||
/** The default KEM. */
|
||||
#define OQS_KEM_DEFAULT OQS_KEM_alg_sike_p503
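Review bot: `OQS_KEM_algs_length` stays a hand-maintained count (29 → 26) that must match the identifier array initialised in `OQS_KEM_alg_identifier` in kem.c, where `if (i >= OQS_KEM_algs_length)` is the only bounds check before that array is indexed; the two are tied together only by the `EDIT-WHEN-ADDING-KEM` comment. If the count is ever left larger than the array (this commit removes three entries and subtracts three, but nothing verifies that), the check silently becomes an out-of-bounds read on a public lookup API. Next to the array in kem.c, a compile-time check such as `_Static_assert(sizeof(IDS) / sizeof(IDS[0]) == OQS_KEM_algs_length, "OQS_KEM_algs_length out of sync");` (IDS being the local array, whose name is outside the visible hunk; `_Static_assert` needs C11, otherwise a test-suite assertion on the same equality) would make the constant self-checking. Whether 26 is the right value cannot be confirmed from the hunks shown here.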
|
||||
|
||||
@ -257,7 +251,6 @@ OQS_API void OQS_KEM_free(OQS_KEM *kem);
|
||||
#include <oqs/kem_ntru.h>
|
||||
///// OQS_COPY_FROM_PQCLEAN_FRAGMENT_INCLUDE_END
|
||||
#include <oqs/kem_newhopenist.h>
|
||||
#include <oqs/kem_kyber.h>
|
||||
#include <oqs/kem_sike.h>
|
||||
// EDIT-WHEN-ADDING-KEM
|
||||
|
||||
|
||||
@ -1,6 +0,0 @@
|
||||
count = 0
|
||||
seed = 061550234D158C5EC95595FE04EF7A25767F2E24CC2BC479D09D86DC9ABCFDE7056A8C266F9EF97ED08541DBD2E1FFA1
|
||||
pk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
|
||||
sk = 4CF6FA5CBF88C855724FE47955D1EF716FC069301C198EE2B52EF92F7FCFC13922C7FCAD4B87D2933C92E0ACEE35329833501470C862973856D2F719338B928E42EE886393AACA0A9852B917887C371AB6149837B810F8D45DA527892601283EA3D9B054F170D1158D192BFA25BB16CCD8B4D0F59ED2508A0859011C3A17817F9EC9897265B33037F52785641AC73969545B49218D203242FB279AD4015545708447A6DE5438DC1A4A14F4A3926CCF349525920CBA8E64A39D0D1FBB6919306062585E176A5CC08F4E71A540D8DD01B0A580FF7297FA07017DF6B838D7CA6E1027B5BBD994C6B10E2555F4BDA2304BA70E39CFC4744676DED32CDD4215E2F5F6EADE448BE9EBBEF884FD286B6FF6C3690F09340039AFC463B0D13161046008526958A2D1FA93C10B77D87E8014A259B1189A9790A3B47536693BF7A0C43CD0F230302FBC1D02F233611D895A5DF5CE762538D2006DBE39BDDCC9455ABBB00EE696050B625E898970C6201C0FD995942689E48927778C3AA37CCF2F14161E64B3B950D4FA9C69C82F28BB7121707DA213FCF81D83AEAFEC322E77CB3644B05DE81BEE5B5022EF517A78B5F98C6A1EF0A7ADF1C60C14B9A3EBDAD7A9BAA3D5A67DE007CA07EDEE24EE1C0988D373948E8E1474095B93C32CF5ED41EE10D01A70ADAFC710805B73BF025368235E3A044EA71976926F561E78711700E33263A53D242532F99A40C36BEF8B25912FEC6717EC3A19BB128F7127985B77C42D0C80F5A9CAA37F06A8C20A32575133656A5256E7D16FBBA234A15A179697C05D4271BED268DEFA8D9E634C08E2E4EB33DF290F77530A71C3534E761CA466C9710BBCC4717E0D19993B678722818EA51100F0F220286B46C9144DBAA47F02A0BE76BC2A61BBF5670EAD60D71EDFAC5626A2309B79B3273728316B472D85D33DC56209F0B88063BC0D098ABEEBE02DDC7421634742659385DE949B6B34443CDED8C1EA9ECD7AD6B41AB58C275852CD48BEA3775B69F876C3FA83D612A71BB1269069CCE520A3DCE6C161C79A9E6D3C029733668BB46E08F327AB5B82EB4C1B659B4C4D71470AAB755660DADFC4BBB99440E6EAC5E68CD5C11C7F5E0300EB43F02E581C87152C872E0A879B86DB522CEFDB18E05ADB80165295A81328CD2B682AB8CA5E7676987D35BDD2846A9E5FE6243E9A2F6FBD4BD42087CDB4665ED9E498C37632D94705DF0AD006377BCC29E982A19328A5B53050AF9CB1FE9FCF08FFF0C676352924DC1B673708D6E27D471A314507D6E8B378D2F794B3603B6BEB3C90A4FB2695617939E183CEB322B6043359BA27F3A70FCDFB0CE9467FEAC73575BDCF4A6331F07D58F0A2A91400596DDEED0412FD770136A07A578880EBA736B6F7E770E8808D1C47D247348
865E22727E35B574FCBE5ED5431B049C3784CDA15690A58227CAB93098A9A6B2AD0B3E25E639123BBC5A33D783AFF436A4BA993B3ED673159CD8AF43CEE9C13CA4CBA2DDE3B950DA5316F63EE4A4D0A8A49664097AF7DF4E409921387D7268C6C8FD31B91FC30FB5141E8B902539D51B6966EEC5B9D6ECAE738BB37993ED444568B9C95E1C3875EC43555F8CC8AEF299C9A554ACB6AED428130769D4A22EEF37E139A5514379D49389F0A9CDBB1F0A2999A42A38F1585CA194F14BDCB492F9783557E92C829E8C99D9E70577E493C712DAA096164D6AD2C293BEF7210E2076C0D18E1F31F46FE44848E3357D3E9E9CEC02770D4180F4754C92B6A1E6754DC57293E410748AA177AA810BBD4EBF64F844E11C205B1104D1F402AE5A7A16330335C22A35CE9739D86602AB73CD74BD458B36AD40EFE18DB80EC3EBA338A0956E8F3CEE313132501EE2BE0A0DD8542C9483AC6275528D845F766F4E5FE84E91612B570DA00C7883EDA3094486B4EBFBAE7121ED630B0DB8DFC1ECE98ADB3ABF52B5FF72D24BE068354D1B770C231C58A69C98C7F0E51484322464F9293C17B883B8B98DD03AA5B8B486FE4F348BF0A49C339D6C1E78266CAFAF144C71A506E91DCD4CFC3F46F29A813114635B2E30A83EC4F36AB54741B881D1EEAB30346D7ED265D2455A474F0B1725A8FA2E9E23162498A919D4ABBD5EBCAB9EC3AB51A87E3D10A9DDA0AA1D21654C2BC6EDE02E7C45EC56F4A17CECBBC2D8262A465EAFD465FC64A0C5F8F3F9003489415899D59A543D8208C54A3166529B53922CBA7FA224A9A5A50F501B47D4BEE76DCD83B933D1D0EF27E94FE7410CDD046E18626ED79D451140800E03B59B956F8210E556067407D13DC90FA9E8B872BFB8F
|
||||
ct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
|
||||
ss = 83DD730859721F8D3C8D30CFA724C682675542752035A7B85DDC4842A5AA8282
|
||||
@ -1,6 +0,0 @@
|
||||
count = 0
|
||||
seed = 061550234D158C5EC95595FE04EF7A25767F2E24CC2BC479D09D86DC9ABCFDE7056A8C266F9EF97ED08541DBD2E1FFA1
|
||||
pk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
|
||||
sk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
|
||||
ct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
|
||||
ss = B135B098C8EBEA0A3EC550857DF434493721DDC544D3DEA9CD3E6A5846F282EF
|
||||
@ -1,24 +0,0 @@
|
||||
AUTOMAKE_OPTIONS = foreign
|
||||
noinst_LTLIBRARIES = libkemkyber.la
|
||||
noinst_LTLIBRARIES += libkemkyber_512_cca.la libkemkyber_768_cca.la libkemkyber_1024_cca.la
|
||||
|
||||
libkemkyber_la_LIBADD = libkemkyber_512_cca.la libkemkyber_768_cca.la libkemkyber_1024_cca.la
|
||||
libkemkyber_la_SOURCES = kem_kyber.c
|
||||
|
||||
COMMON_FLAGS = $(AM_CFLAGS) -include functions_renaming.h
|
||||
libkemkyber_la_CFLAGS = $(COMMON_FLAGS)
|
||||
|
||||
KYBER_SRC_DIR = ref
|
||||
|
||||
KYBER_CSRCS = $(KYBER_SRC_DIR)/cbd.c $(KYBER_SRC_DIR)/indcpa.c $(KYBER_SRC_DIR)/kem.c
|
||||
KYBER_CSRCS += $(KYBER_SRC_DIR)/ntt.c $(KYBER_SRC_DIR)/poly.c $(KYBER_SRC_DIR)/polyvec.c
|
||||
KYBER_CSRCS += $(KYBER_SRC_DIR)/precomp.c $(KYBER_SRC_DIR)/reduce.c $(KYBER_SRC_DIR)/verify.c
|
||||
|
||||
libkemkyber_512_cca_la_SOURCES = $(KYBER_CSRCS)
|
||||
libkemkyber_1024_cca_la_SOURCES = $(KYBER_CSRCS)
|
||||
|
||||
libkemkyber_512_cca_la_CFLAGS = $(COMMON_FLAGS) -DKYBER_K=2 -DFUNC_PREFIX=OQS_KEM_kyber_512_cca_kem
|
||||
libkemkyber_1024_cca_la_CFLAGS = $(COMMON_FLAGS) -DKYBER_K=4 -DFUNC_PREFIX=OQS_KEM_kyber_1024_cca_kem
|
||||
|
||||
libkemkyber_768_cca_la_SOURCES = pqclean_kyber768_clean/cbd.c pqclean_kyber768_clean/indcpa.c pqclean_kyber768_clean/kem.c pqclean_kyber768_clean/ntt.c pqclean_kyber768_clean/poly.c pqclean_kyber768_clean/polyvec.c pqclean_kyber768_clean/precomp.c pqclean_kyber768_clean/reduce.c pqclean_kyber768_clean/verify.c
|
||||
libkemkyber_768_cca_la_CFLAGS = $(COMMON_FLAGS) -I../../common/pqclean_shims
|
||||
@ -1,53 +0,0 @@
|
||||
#ifndef __FUNCTIONS_RENAMING_H_INCLUDED__
|
||||
#define __FUNCTIONS_RENAMING_H_INCLUDED__
|
||||
|
||||
#define PASTER(x, y) x##_##y
|
||||
#define EVALUATOR(x, y) PASTER(x, y)
|
||||
#define RENAME_FUNC_NAME(fname) EVALUATOR(FUNC_PREFIX, fname)
|
||||
|
||||
#define crypto_kem_keypair RENAME_FUNC_NAME(keypair)
|
||||
#define crypto_kem_enc RENAME_FUNC_NAME(encaps)
|
||||
#define crypto_kem_dec RENAME_FUNC_NAME(decaps)
|
||||
|
||||
#define cbd RENAME_FUNC_NAME(cbd)
|
||||
|
||||
#define indcpa_keypair RENAME_FUNC_NAME(indcpa_keypair)
|
||||
#define indcpa_enc RENAME_FUNC_NAME(indcpa_enc)
|
||||
#define indcpa_dec RENAME_FUNC_NAME(indcpa_dec)
|
||||
|
||||
#define ntt RENAME_FUNC_NAME(ntt)
|
||||
#define invntt RENAME_FUNC_NAME(invntt)
|
||||
|
||||
#define poly_compress RENAME_FUNC_NAME(poly_compress)
|
||||
#define poly_decompress RENAME_FUNC_NAME(poly_decompress)
|
||||
#define poly_tobytes RENAME_FUNC_NAME(poly_tobytes)
|
||||
#define poly_frombytes RENAME_FUNC_NAME(poly_frombytes)
|
||||
#define poly_frommsg RENAME_FUNC_NAME(poly_frommsg)
|
||||
#define poly_tomsg RENAME_FUNC_NAME(poly_tomsg)
|
||||
#define poly_getnoise RENAME_FUNC_NAME(poly_getnoise)
|
||||
#define poly_ntt RENAME_FUNC_NAME(poly_ntt)
|
||||
#define poly_invntt RENAME_FUNC_NAME(poly_invntt)
|
||||
#define poly_add RENAME_FUNC_NAME(poly_add)
|
||||
#define poly_sub RENAME_FUNC_NAME(poly_sub)
|
||||
|
||||
#define polyvec_compress RENAME_FUNC_NAME(polyvec_compress)
|
||||
#define polyvec_decompress RENAME_FUNC_NAME(polyvec_decompress)
|
||||
#define polyvec_tobytes RENAME_FUNC_NAME(polyvec_tobytes)
|
||||
#define polyvec_frombytes RENAME_FUNC_NAME(polyvec_frombytes)
|
||||
#define polyvec_ntt RENAME_FUNC_NAME(polyvec_ntt)
|
||||
#define polyvec_invntt RENAME_FUNC_NAME(polyvec_invntt)
|
||||
#define polyvec_pointwise_acc RENAME_FUNC_NAME(polyvec_pointwise_acc)
|
||||
#define polyvec_add RENAME_FUNC_NAME(polyvec_add)
|
||||
|
||||
#define freeze RENAME_FUNC_NAME(freeze)
|
||||
#define montgomery_reduce RENAME_FUNC_NAME(montgomery_reduce)
|
||||
#define barrett_reduce RENAME_FUNC_NAME(barrett_reduce)
|
||||
|
||||
#define verify RENAME_FUNC_NAME(verify)
|
||||
#define cmov RENAME_FUNC_NAME(cmov)
|
||||
|
||||
#define omegas_inv_bitrev_montgomery RENAME_FUNC_NAME(omegas_inv_bitrev_montgomery)
|
||||
#define psis_inv_montgomery RENAME_FUNC_NAME(psis_inv_montgomery)
|
||||
#define zetas RENAME_FUNC_NAME(zetas)
|
||||
|
||||
#endif
|
||||
@ -1,107 +0,0 @@
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
#include <oqs/kem_kyber.h>
|
||||
|
||||
#ifdef OQS_ENABLE_KEM_kyber_512_cca_kem
|
||||
|
||||
OQS_KEM *OQS_KEM_kyber_512_cca_kem_new() {
|
||||
|
||||
OQS_KEM *kem = malloc(sizeof(OQS_KEM));
|
||||
if (kem == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
kem->method_name = OQS_KEM_alg_kyber_512_cca_kem;
|
||||
kem->alg_version = "https://github.com/pq-crystals/kyber/commit/ab996e7460e5356b0e23aa034e7c2fe6922e60e6";
|
||||
|
||||
kem->claimed_nist_level = 1;
|
||||
kem->ind_cca = true;
|
||||
|
||||
kem->length_public_key = OQS_KEM_kyber_512_cca_kem_length_public_key;
|
||||
kem->length_secret_key = OQS_KEM_kyber_512_cca_kem_length_secret_key;
|
||||
kem->length_ciphertext = OQS_KEM_kyber_512_cca_kem_length_ciphertext;
|
||||
kem->length_shared_secret = OQS_KEM_kyber_512_cca_kem_length_shared_secret;
|
||||
|
||||
kem->keypair = OQS_KEM_kyber_512_cca_kem_keypair;
|
||||
kem->encaps = OQS_KEM_kyber_512_cca_kem_encaps;
|
||||
kem->decaps = OQS_KEM_kyber_512_cca_kem_decaps;
|
||||
|
||||
return kem;
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
#ifdef OQS_ENABLE_KEM_kyber_768_cca_kem
|
||||
|
||||
OQS_KEM *OQS_KEM_kyber_768_cca_kem_new() {
|
||||
|
||||
OQS_KEM *kem = malloc(sizeof(OQS_KEM));
|
||||
if (kem == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
kem->method_name = OQS_KEM_alg_kyber_768_cca_kem;
|
||||
kem->alg_version = "https://github.com/pq-crystals/kyber/commit/ab996e7460e5356b0e23aa034e7c2fe6922e60e6";
|
||||
|
||||
kem->claimed_nist_level = 3;
|
||||
kem->ind_cca = true;
|
||||
|
||||
kem->length_public_key = OQS_KEM_kyber_768_cca_kem_length_public_key;
|
||||
kem->length_secret_key = OQS_KEM_kyber_768_cca_kem_length_secret_key;
|
||||
kem->length_ciphertext = OQS_KEM_kyber_768_cca_kem_length_ciphertext;
|
||||
kem->length_shared_secret = OQS_KEM_kyber_768_cca_kem_length_shared_secret;
|
||||
|
||||
kem->keypair = OQS_KEM_kyber_768_cca_kem_keypair;
|
||||
kem->encaps = OQS_KEM_kyber_768_cca_kem_encaps;
|
||||
kem->decaps = OQS_KEM_kyber_768_cca_kem_decaps;
|
||||
|
||||
return kem;
|
||||
}
|
||||
|
||||
int PQCLEAN_KYBER768_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk);
|
||||
int PQCLEAN_KYBER768_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk);
|
||||
int PQCLEAN_KYBER768_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk);
|
||||
|
||||
OQS_API OQS_STATUS OQS_KEM_kyber_768_cca_kem_keypair(uint8_t *public_key,
|
||||
uint8_t *secret_key) {
|
||||
return (OQS_STATUS) PQCLEAN_KYBER768_CLEAN_crypto_kem_keypair(public_key, secret_key);
|
||||
}
|
||||
OQS_API OQS_STATUS OQS_KEM_kyber_768_cca_kem_encaps(uint8_t *ciphertext,
|
||||
uint8_t *shared_secret,
|
||||
const uint8_t *public_key) {
|
||||
return (OQS_STATUS) PQCLEAN_KYBER768_CLEAN_crypto_kem_enc(ciphertext, shared_secret, public_key);
|
||||
}
|
||||
OQS_API OQS_STATUS OQS_KEM_kyber_768_cca_kem_decaps(uint8_t *shared_secret,
|
||||
const unsigned char *ciphertext,
|
||||
const uint8_t *secret_key) {
|
||||
return (OQS_STATUS) PQCLEAN_KYBER768_CLEAN_crypto_kem_dec(shared_secret, ciphertext, secret_key);
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
#ifdef OQS_ENABLE_KEM_kyber_1024_cca_kem
|
||||
|
||||
OQS_KEM *OQS_KEM_kyber_1024_cca_kem_new() {
|
||||
|
||||
OQS_KEM *kem = malloc(sizeof(OQS_KEM));
|
||||
if (kem == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
kem->method_name = OQS_KEM_alg_kyber_1024_cca_kem;
|
||||
kem->alg_version = "https://github.com/pq-crystals/kyber/commit/ab996e7460e5356b0e23aa034e7c2fe6922e60e6";
|
||||
|
||||
kem->claimed_nist_level = 5;
|
||||
kem->ind_cca = true;
|
||||
|
||||
kem->length_public_key = OQS_KEM_kyber_1024_cca_kem_length_public_key;
|
||||
kem->length_secret_key = OQS_KEM_kyber_1024_cca_kem_length_secret_key;
|
||||
kem->length_ciphertext = OQS_KEM_kyber_1024_cca_kem_length_ciphertext;
|
||||
kem->length_shared_secret = OQS_KEM_kyber_1024_cca_kem_length_shared_secret;
|
||||
|
||||
kem->keypair = OQS_KEM_kyber_1024_cca_kem_keypair;
|
||||
kem->encaps = OQS_KEM_kyber_1024_cca_kem_encaps;
|
||||
kem->decaps = OQS_KEM_kyber_1024_cca_kem_decaps;
|
||||
|
||||
return kem;
|
||||
}
|
||||
|
||||
#endif
|
||||
@ -1,63 +0,0 @@
|
||||
#ifndef __OQS_KEM_KYBER_H
|
||||
#define __OQS_KEM_KYBER_H
|
||||
|
||||
#include <oqs/oqs.h>
|
||||
|
||||
#ifdef OQS_ENABLE_KEM_kyber_512_cca_kem
|
||||
|
||||
#define OQS_KEM_kyber_512_cca_kem_length_secret_key 1632
|
||||
#define OQS_KEM_kyber_512_cca_kem_length_public_key 736
|
||||
#define OQS_KEM_kyber_512_cca_kem_length_ciphertext 800
|
||||
#define OQS_KEM_kyber_512_cca_kem_length_shared_secret 32
|
||||
|
||||
OQS_KEM *OQS_KEM_kyber_512_cca_kem_new();
|
||||
|
||||
OQS_API OQS_STATUS OQS_KEM_kyber_512_cca_kem_keypair(uint8_t *public_key,
|
||||
uint8_t *secret_key);
|
||||
OQS_API OQS_STATUS OQS_KEM_kyber_512_cca_kem_encaps(uint8_t *ciphertext,
|
||||
uint8_t *shared_secret,
|
||||
const uint8_t *public_key);
|
||||
OQS_API OQS_STATUS OQS_KEM_kyber_512_cca_kem_decaps(uint8_t *shared_secret,
|
||||
const unsigned char *ciphertext,
|
||||
const uint8_t *secret_key);
|
||||
#endif
|
||||
|
||||
#ifdef OQS_ENABLE_KEM_kyber_768_cca_kem
|
||||
|
||||
#define OQS_KEM_kyber_768_cca_kem_length_secret_key 2400
|
||||
#define OQS_KEM_kyber_768_cca_kem_length_public_key 1088
|
||||
#define OQS_KEM_kyber_768_cca_kem_length_ciphertext 1152
|
||||
#define OQS_KEM_kyber_768_cca_kem_length_shared_secret 32
|
||||
|
||||
OQS_KEM *OQS_KEM_kyber_768_cca_kem_new();
|
||||
|
||||
OQS_API OQS_STATUS OQS_KEM_kyber_768_cca_kem_keypair(uint8_t *public_key,
|
||||
uint8_t *secret_key);
|
||||
OQS_API OQS_STATUS OQS_KEM_kyber_768_cca_kem_encaps(uint8_t *ciphertext,
|
||||
uint8_t *shared_secret,
|
||||
const uint8_t *public_key);
|
||||
OQS_API OQS_STATUS OQS_KEM_kyber_768_cca_kem_decaps(uint8_t *shared_secret,
|
||||
const unsigned char *ciphertext,
|
||||
const uint8_t *secret_key);
|
||||
#endif
|
||||
|
||||
#ifdef OQS_ENABLE_KEM_kyber_1024_cca_kem
|
||||
|
||||
#define OQS_KEM_kyber_1024_cca_kem_length_secret_key 3168
|
||||
#define OQS_KEM_kyber_1024_cca_kem_length_public_key 1440
|
||||
#define OQS_KEM_kyber_1024_cca_kem_length_ciphertext 1504
|
||||
#define OQS_KEM_kyber_1024_cca_kem_length_shared_secret 32
|
||||
|
||||
OQS_KEM *OQS_KEM_kyber_1024_cca_kem_new();
|
||||
|
||||
OQS_API OQS_STATUS OQS_KEM_kyber_1024_cca_kem_keypair(uint8_t *public_key,
|
||||
uint8_t *secret_key);
|
||||
OQS_API OQS_STATUS OQS_KEM_kyber_1024_cca_kem_encaps(uint8_t *ciphertext,
|
||||
uint8_t *shared_secret,
|
||||
const uint8_t *public_key);
|
||||
OQS_API OQS_STATUS OQS_KEM_kyber_1024_cca_kem_decaps(uint8_t *shared_secret,
|
||||
const unsigned char *ciphertext,
|
||||
const uint8_t *secret_key);
|
||||
#endif
|
||||
|
||||
#endif
|
||||
@ -1,15 +0,0 @@
|
||||
Public Domain
|
||||
Authors: Joppe Bos,
|
||||
Léo Ducas,
|
||||
Eike Kiltz ,
|
||||
Tancrède Lepoint,
|
||||
Vadim Lyubashevsky,
|
||||
John Schanck,
|
||||
Peter Schwabe,
|
||||
Gregor Seiler,
|
||||
Damien Stehlé
|
||||
|
||||
For Keccak and AES we are using public-domain
|
||||
code from sources and by authors listed in
|
||||
comments on top of the respective files.
|
||||
|
||||
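--- a/PATH_NOT_ON_PAGE/api.h
+++ /dev/null
@@ -1,19 +0,0 @@
-#ifndef API_H
-#define API_H
-
-#include "params.h"
-
-#define CRYPTO_SECRETKEYBYTES KYBER_SECRETKEYBYTES
-#define CRYPTO_PUBLICKEYBYTES KYBER_PUBLICKEYBYTES
-#define CRYPTO_CIPHERTEXTBYTES KYBER_CIPHERTEXTBYTES
-#define CRYPTO_BYTES KYBER_SYMBYTES
-
-#define CRYPTO_ALGNAME "Kyber768"
-
-int PQCLEAN_KYBER768_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk);
-
-int PQCLEAN_KYBER768_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk);
-
-int PQCLEAN_KYBER768_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk);
-
-#endif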
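--- a/PATH_NOT_ON_PAGE/cbd.c
+++ /dev/null
@@ -1,113 +0,0 @@
-#include "cbd.h"
-
-/*************************************************
-* Name: load_littleendian
-*
-* Description: load bytes into a 64-bit integer
-* in little-endian order
-*
-* Arguments: - const unsigned char *x: pointer to input byte array
-* - bytes: number of bytes to load, has to be <=
-*8
-*
-* Returns 64-bit unsigned integer loaded from x
-**************************************************/
-static uint64_t load_littleendian(const unsigned char *x, int bytes) {
-int i;
-uint64_t r = x[0];
-for (i = 1; i < bytes; i++) {
-r |= (uint64_t)x[i] << (8 * i);
-}
-return r;
-}
-
-/*************************************************
-* Name: cbd
-*
-* Description: Given an array of uniformly random bytes, compute
-* polynomial with coefficients distributed according to
-* a centered binomial distribution with parameter KYBER_ETA
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const unsigned char *buf: pointer to input byte array
-**************************************************/
-void PQCLEAN_KYBER768_CLEAN_cbd(poly *r, const unsigned char *buf) {
-#if KYBER_ETA == 3
-uint32_t t, d, a[4], b[4];
-int i, j;
-
-for (i = 0; i < KYBER_N / 4; i++) {
-t = (uint32_t)load_littleendian(buf + 3 * i, 3);
-d = 0;
-for (j = 0; j < 3; j++) {
-d += (t >> j) & 0x249249;
-}
-
-a[0] = d & 0x7;
-b[0] = (d >> 3) & 0x7;
-a[1] = (d >> 6) & 0x7;
-b[1] = (d >> 9) & 0x7;
-a[2] = (d >> 12) & 0x7;
-b[2] = (d >> 15) & 0x7;
-a[3] = (d >> 18) & 0x7;
-b[3] = (d >> 21);
-
-r->coeffs[4 * i + 0] = (uint16_t)(a[0] + KYBER_Q - b[0]);
-r->coeffs[4 * i + 1] = (uint16_t)(a[1] + KYBER_Q - b[1]);
-r->coeffs[4 * i + 2] = (uint16_t)(a[2] + KYBER_Q - b[2]);
-r->coeffs[4 * i + 3] = (uint16_t)(a[3] + KYBER_Q - b[3]);
-}
-#elif KYBER_ETA == 4
-uint32_t t, d, a[4], b[4];
-int i, j;
-
-for (i = 0; i < KYBER_N / 4; i++) {
-t = (uint32_t)load_littleendian(buf + 4 * i, 4);
-d = 0;
-for (j = 0; j < 4; j++) {
-d += (t >> j) & 0x11111111;
-}
-
-a[0] = d & 0xf;
-b[0] = (d >> 4) & 0xf;
-a[1] = (d >> 8) & 0xf;
-b[1] = (d >> 12) & 0xf;
-a[2] = (d >> 16) & 0xf;
-b[2] = (d >> 20) & 0xf;
-a[3] = (d >> 24) & 0xf;
-b[3] = (d >> 28);
-
-r->coeffs[4 * i + 0] = (uint16_t)(a[0] + KYBER_Q - b[0]);
-r->coeffs[4 * i + 1] = (uint16_t)(a[1] + KYBER_Q - b[1]);
-r->coeffs[4 * i + 2] = (uint16_t)(a[2] + KYBER_Q - b[2]);
-r->coeffs[4 * i + 3] = (uint16_t)(a[3] + KYBER_Q - b[3]);
-}
-#elif KYBER_ETA == 5
-uint64_t t, d, a[4], b[4];
-int i, j;
-
-for (i = 0; i < KYBER_N / 4; i++) {
-t = load_littleendian(buf + 5 * i, 5);
-d = 0;
-for (j = 0; j < 5; j++) {
-d += (t >> j) & 0x0842108421UL;
-}
-
-a[0] = d & 0x1f;
-b[0] = (d >> 5) & 0x1f;
-a[1] = (d >> 10) & 0x1f;
-b[1] = (d >> 15) & 0x1f;
-a[2] = (d >> 20) & 0x1f;
-b[2] = (d >> 25) & 0x1f;
-a[3] = (d >> 30) & 0x1f;
-b[3] = (d >> 35);
-
-r->coeffs[4 * i + 0] = (uint16_t)(a[0] + KYBER_Q - b[0]);
-r->coeffs[4 * i + 1] = (uint16_t)(a[1] + KYBER_Q - b[1]);
-r->coeffs[4 * i + 2] = (uint16_t)(a[2] + KYBER_Q - b[2]);
-r->coeffs[4 * i + 3] = (uint16_t)(a[3] + KYBER_Q - b[3]);
-}
-#else
-#error "poly_getnoise in poly.c only supports eta in {3,4,5}"
-#endif
-}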
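--- a/PATH_NOT_ON_PAGE/cbd.h
+++ /dev/null
@@ -1,9 +0,0 @@
-#ifndef CBD_H
-#define CBD_H
-
-#include "poly.h"
-#include <stdint.h>
-
-void PQCLEAN_KYBER768_CLEAN_cbd(poly *r, const unsigned char *buf);
-
-#endif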
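--- a/PATH_NOT_ON_PAGE/indcpa.c
+++ /dev/null
@@ -1,310 +0,0 @@
-#include "indcpa.h"
-#include "fips202.h"
-#include "ntt.h"
-#include "poly.h"
-#include "polyvec.h"
-#include "randombytes.h"
-#include <string.h>
-
-/*************************************************
-* Name: pack_pk
-*
-* Description: Serialize the public key as concatenation of the
-* compressed and serialized vector of polynomials pk
-* and the public seed used to generate the matrix A.
-*
-* Arguments: unsigned char *r: pointer to the output serialized
-*public key const poly *pk: pointer to the input public-key
-*polynomial const unsigned char *seed: pointer to the input public seed
-**************************************************/
-static void pack_pk(unsigned char *r, const polyvec *pk, const unsigned char *seed) {
-int i;
-PQCLEAN_KYBER768_CLEAN_polyvec_compress(r, pk);
-for (i = 0; i < KYBER_SYMBYTES; i++) {
-r[i + KYBER_POLYVECCOMPRESSEDBYTES] = seed[i];
-}
-}
-
-/*************************************************
-* Name: unpack_pk
-*
-* Description: De-serialize and decompress public key from a byte array;
-* approximate inverse of pack_pk
-*
-* Arguments: - polyvec *pk: pointer to output public-key
-*vector of polynomials
-* - unsigned char *seed: pointer to output seed to
-*generate matrix A
-* - const unsigned char *packedpk: pointer to input serialized
-*public key
-**************************************************/
-static void unpack_pk(polyvec *pk, unsigned char *seed, const unsigned char *packedpk) {
-int i;
-PQCLEAN_KYBER768_CLEAN_polyvec_decompress(pk, packedpk);
-
-for (i = 0; i < KYBER_SYMBYTES; i++) {
-seed[i] = packedpk[i + KYBER_POLYVECCOMPRESSEDBYTES];
-}
-}
-
-/*************************************************
-* Name: pack_ciphertext
-*
-* Description: Serialize the ciphertext as concatenation of the
-* compressed and serialized vector of polynomials b
-* and the compressed and serialized polynomial v
-*
-* Arguments: unsigned char *r: pointer to the output serialized
-*ciphertext const poly *pk: pointer to the input vector of
-*polynomials b const unsigned char *seed: pointer to the input polynomial v
-**************************************************/
-static void pack_ciphertext(unsigned char *r, const polyvec *b, const poly *v) {
-PQCLEAN_KYBER768_CLEAN_polyvec_compress(r, b);
-PQCLEAN_KYBER768_CLEAN_poly_compress(r + KYBER_POLYVECCOMPRESSEDBYTES, v);
-}
-
-/*************************************************
-* Name: unpack_ciphertext
-*
-* Description: De-serialize and decompress ciphertext from a byte array;
-* approximate inverse of pack_ciphertext
-*
-* Arguments: - polyvec *b: pointer to the output vector of
-*polynomials b
-* - poly *v: pointer to the output polynomial v
-* - const unsigned char *c: pointer to the input serialized
-*ciphertext
-**************************************************/
-static void unpack_ciphertext(polyvec *b, poly *v, const unsigned char *c) {
-PQCLEAN_KYBER768_CLEAN_polyvec_decompress(b, c);
-PQCLEAN_KYBER768_CLEAN_poly_decompress(v, c + KYBER_POLYVECCOMPRESSEDBYTES);
-}
-
-/*************************************************
-* Name: pack_sk
-*
-* Description: Serialize the secret key
-*
-* Arguments: - unsigned char *r: pointer to output serialized secret key
-* - const polyvec *sk: pointer to input vector of polynomials
-*(secret key)
-**************************************************/
-static void pack_sk(unsigned char *r, const polyvec *sk) {
-PQCLEAN_KYBER768_CLEAN_polyvec_tobytes(r, sk);
-}
-
-/*************************************************
-* Name: unpack_sk
-*
-* Description: De-serialize the secret key;
-* inverse of pack_sk
-*
-* Arguments: - polyvec *sk: pointer to output vector of
-*polynomials (secret key)
-* - const unsigned char *packedsk: pointer to input serialized
-*secret key
-**************************************************/
-static void unpack_sk(polyvec *sk, const unsigned char *packedsk) {
-PQCLEAN_KYBER768_CLEAN_polyvec_frombytes(sk, packedsk);
-}
-
-#define gen_a(A, B) gen_matrix(A, B, 0)
-#define gen_at(A, B) gen_matrix(A, B, 1)
-
-/*************************************************
-* Name: gen_matrix
-*
-* Description: Deterministically generate matrix A (or the transpose of A)
-* from a seed. Entries of the matrix are polynomials that look
-* uniformly random. Performs rejection sampling on output of
-* SHAKE-128
-*
-* Arguments: - polyvec *a: pointer to ouptput matrix A
-* - const unsigned char *seed: pointer to input seed
-* - int transposed: boolean deciding whether A or A^T
-*is generated
-**************************************************/
-static void gen_matrix(polyvec *a, const unsigned char *seed, int transposed) {
-unsigned int pos = 0, ctr;
-uint16_t val;
-unsigned int nblocks;
-const unsigned int maxnblocks = 4;
-uint8_t buf[SHAKE128_RATE * /* maxnblocks = */ 4];
-int i, j;
-uint64_t state[25]; // SHAKE state
-unsigned char extseed[KYBER_SYMBYTES + 2];
-
-for (i = 0; i < KYBER_SYMBYTES; i++) {
-extseed[i] = seed[i];
-}
-
-for (i = 0; i < KYBER_K; i++) {
-for (j = 0; j < KYBER_K; j++) {
-ctr = pos = 0;
-nblocks = maxnblocks;
-if (transposed) {
-extseed[KYBER_SYMBYTES] = (unsigned char)i;
-extseed[KYBER_SYMBYTES + 1] = (unsigned char)j;
-} else {
-extseed[KYBER_SYMBYTES] = (unsigned char)j;
-extseed[KYBER_SYMBYTES + 1] = (unsigned char)i;
-}
-
-shake128_absorb(state, extseed, KYBER_SYMBYTES + 2);
-shake128_squeezeblocks(buf, nblocks, state);
-
-while (ctr < KYBER_N) {
-val = (buf[pos] | ((uint16_t)buf[pos + 1] << 8)) & 0x1fff;
-if (val < KYBER_Q) {
-a[i].vec[j].coeffs[ctr++] = val;
-}
-pos += 2;
-
-if (pos > SHAKE128_RATE * nblocks - 2) {
-nblocks = 1;
-shake128_squeezeblocks(buf, nblocks, state);
-pos = 0;
-}
-}
-}
-}
-}
-
-/*************************************************
-* Name: indcpa_keypair
-*
-* Description: Generates public and private key for the CPA-secure
-* public-key encryption scheme underlying Kyber
-*
-* Arguments: - unsigned char *pk: pointer to output public key (of length
-*KYBER_INDCPA_PUBLICKEYBYTES bytes)
-* - unsigned char *sk: pointer to output private key (of length
-*KYBER_INDCPA_SECRETKEYBYTES bytes)
-**************************************************/
-void PQCLEAN_KYBER768_CLEAN_indcpa_keypair(unsigned char *pk, unsigned char *sk) {
-polyvec a[KYBER_K], e, pkpv, skpv;
-unsigned char buf[KYBER_SYMBYTES + KYBER_SYMBYTES];
-unsigned char *publicseed = buf;
-unsigned char *noiseseed = buf + KYBER_SYMBYTES;
-int i;
-unsigned char nonce = 0;
-
-randombytes(buf, KYBER_SYMBYTES);
-sha3_512(buf, buf, KYBER_SYMBYTES);
-
-gen_a(a, publicseed);
-
-for (i = 0; i < KYBER_K; i++) {
-PQCLEAN_KYBER768_CLEAN_poly_getnoise(skpv.vec + i, noiseseed, nonce++);
-}
-
-PQCLEAN_KYBER768_CLEAN_polyvec_ntt(&skpv);
-
-for (i = 0; i < KYBER_K; i++) {
-PQCLEAN_KYBER768_CLEAN_poly_getnoise(e.vec + i, noiseseed, nonce++);
-}
-
-// matrix-vector multiplication
-for (i = 0; i < KYBER_K; i++) {
-PQCLEAN_KYBER768_CLEAN_polyvec_pointwise_acc(&pkpv.vec[i], &skpv, a + i);
-}
-
-PQCLEAN_KYBER768_CLEAN_polyvec_invntt(&pkpv);
-PQCLEAN_KYBER768_CLEAN_polyvec_add(&pkpv, &pkpv, &e);
-
-pack_sk(sk, &skpv);
-pack_pk(pk, &pkpv, publicseed);
-}
-
-/*************************************************
-* Name: indcpa_enc
-*
-* Description: Encryption function of the CPA-secure
-* public-key encryption scheme underlying Kyber.
-*
-* Arguments: - unsigned char *c: pointer to output ciphertext (of
-*length KYBER_INDCPA_BYTES bytes)
-* - const unsigned char *m: pointer to input message (of length
-*KYBER_INDCPA_MSGBYTES bytes)
-* - const unsigned char *pk: pointer to input public key (of
-*length KYBER_INDCPA_PUBLICKEYBYTES bytes)
-* - const unsigned char *coin: pointer to input random coins used
-*as seed (of length KYBER_SYMBYTES bytes) to deterministically generate all
-*randomness
-**************************************************/
-void PQCLEAN_KYBER768_CLEAN_indcpa_enc(unsigned char *c, const unsigned char *m,
-const unsigned char *pk,
-const unsigned char *coins) {
-polyvec sp, pkpv, ep, at[KYBER_K], bp;
-poly v, k, epp;
-unsigned char seed[KYBER_SYMBYTES];
-int i;
-unsigned char nonce = 0;
-
-unpack_pk(&pkpv, seed, pk);
-
-PQCLEAN_KYBER768_CLEAN_poly_frommsg(&k, m);
-
-PQCLEAN_KYBER768_CLEAN_polyvec_ntt(&pkpv);
-
-gen_at(at, seed);
-
-for (i = 0; i < KYBER_K; i++) {
-PQCLEAN_KYBER768_CLEAN_poly_getnoise(sp.vec + i, coins, nonce++);
-}
-
-PQCLEAN_KYBER768_CLEAN_polyvec_ntt(&sp);
-
-for (i = 0; i < KYBER_K; i++) {
-PQCLEAN_KYBER768_CLEAN_poly_getnoise(ep.vec + i, coins, nonce++);
-}
-
-// matrix-vector multiplication
-for (i = 0; i < KYBER_K; i++) {
-PQCLEAN_KYBER768_CLEAN_polyvec_pointwise_acc(&bp.vec[i], &sp, at + i);
-}
-
-PQCLEAN_KYBER768_CLEAN_polyvec_invntt(&bp);
-PQCLEAN_KYBER768_CLEAN_polyvec_add(&bp, &bp, &ep);
-
-PQCLEAN_KYBER768_CLEAN_polyvec_pointwise_acc(&v, &pkpv, &sp);
-PQCLEAN_KYBER768_CLEAN_poly_invntt(&v);
-
-PQCLEAN_KYBER768_CLEAN_poly_getnoise(&epp, coins, nonce++);
-
-PQCLEAN_KYBER768_CLEAN_poly_add(&v, &v, &epp);
-PQCLEAN_KYBER768_CLEAN_poly_add(&v, &v, &k);
-
-pack_ciphertext(c, &bp, &v);
-}
-
-/*************************************************
-* Name: indcpa_dec
-*
-* Description: Decryption function of the CPA-secure
-* public-key encryption scheme underlying Kyber.
-*
-* Arguments: - unsigned char *m: pointer to output decrypted message
-*(of length KYBER_INDCPA_MSGBYTES)
-* - const unsigned char *c: pointer to input ciphertext (of
-*length KYBER_INDCPA_BYTES)
-* - const unsigned char *sk: pointer to input secret key (of
-*length KYBER_INDCPA_SECRETKEYBYTES)
-**************************************************/
-void PQCLEAN_KYBER768_CLEAN_indcpa_dec(unsigned char *m, const unsigned char *c,
-const unsigned char *sk) {
-polyvec bp, skpv;
-poly v, mp;
-
-unpack_ciphertext(&bp, &v, c);
-unpack_sk(&skpv, sk);
-
-PQCLEAN_KYBER768_CLEAN_polyvec_ntt(&bp);
-
-PQCLEAN_KYBER768_CLEAN_polyvec_pointwise_acc(&mp, &skpv, &bp);
-PQCLEAN_KYBER768_CLEAN_poly_invntt(&mp);
-
-PQCLEAN_KYBER768_CLEAN_poly_sub(&mp, &mp, &v);
-
-PQCLEAN_KYBER768_CLEAN_poly_tomsg(m, &mp);
-}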
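--- a/PATH_NOT_ON_PAGE/indcpa.h
+++ /dev/null
@@ -1,16 +0,0 @@
-#ifndef INDCPA_H
-#define INDCPA_H
-
-void PQCLEAN_KYBER768_CLEAN_indcpa_keypair(unsigned char *pk,
-unsigned char *sk);
-
-void PQCLEAN_KYBER768_CLEAN_indcpa_enc(unsigned char *c,
-const unsigned char *m,
-const unsigned char *pk,
-const unsigned char *coins);
-
-void PQCLEAN_KYBER768_CLEAN_indcpa_dec(unsigned char *m,
-const unsigned char *c,
-const unsigned char *sk);
-
-#endif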
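--- a/PATH_NOT_ON_PAGE/kem.c
+++ /dev/null
@@ -1,108 +0,0 @@
-#include "api.h"
-#include "fips202.h"
-#include "indcpa.h"
-#include "params.h"
-#include "randombytes.h"
-#include "verify.h"
-
-/*************************************************
-* Name: crypto_kem_keypair
-*
-* Description: Generates public and private key
-* for CCA-secure Kyber key encapsulation mechanism
-*
-* Arguments: - unsigned char *pk: pointer to output public key (an already
-*allocated array of CRYPTO_PUBLICKEYBYTES bytes)
-* - unsigned char *sk: pointer to output private key (an already
-*allocated array of CRYPTO_SECRETKEYBYTES bytes)
-*
-* Returns 0 (success)
-**************************************************/
-int PQCLEAN_KYBER768_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) {
-size_t i;
-PQCLEAN_KYBER768_CLEAN_indcpa_keypair(pk, sk);
-for (i = 0; i < KYBER_INDCPA_PUBLICKEYBYTES; i++) {
-sk[i + KYBER_INDCPA_SECRETKEYBYTES] = pk[i];
-}
-sha3_256(sk + KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
-randombytes(sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES); /* Value z for pseudo-random output on reject */
-return 0;
-}
-
-/*************************************************
-* Name: crypto_kem_enc
-*
-* Description: Generates cipher text and shared
-* secret for given public key
-*
-* Arguments: - unsigned char *ct: pointer to output cipher text (an
-*already allocated array of CRYPTO_CIPHERTEXTBYTES bytes)
-* - unsigned char *ss: pointer to output shared secret (an
-*already allocated array of CRYPTO_BYTES bytes)
-* - const unsigned char *pk: pointer to input public key (an
-*already allocated array of CRYPTO_PUBLICKEYBYTES bytes)
-*
-* Returns 0 (success)
-**************************************************/
-int PQCLEAN_KYBER768_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) {
-unsigned char kr[2 * KYBER_SYMBYTES]; /* Will contain key, coins */
-unsigned char buf[2 * KYBER_SYMBYTES];
-
-randombytes(buf, KYBER_SYMBYTES);
-sha3_256(buf, buf, KYBER_SYMBYTES); /* Don't release system RNG output */
-
-sha3_256(buf + KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES); /* Multitarget countermeasure for coins + contributory KEM */
-sha3_512(kr, buf, 2 * KYBER_SYMBYTES);
-
-PQCLEAN_KYBER768_CLEAN_indcpa_enc(ct, buf, pk, kr + KYBER_SYMBYTES); /* coins are in kr+KYBER_SYMBYTES */
-
-sha3_256(kr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); /* overwrite coins in kr with H(c) */
-sha3_256(ss, kr, 2 * KYBER_SYMBYTES); /* hash concatenation of pre-k and H(c) to k */
-return 0;
-}
-
-/*************************************************
-* Name: crypto_kem_dec
-*
-* Description: Generates shared secret for given
-* cipher text and private key
-*
-* Arguments: - unsigned char *ss: pointer to output shared secret (an
-*already allocated array of CRYPTO_BYTES bytes)
-* - const unsigned char *ct: pointer to input cipher text (an
-*already allocated array of CRYPTO_CIPHERTEXTBYTES bytes)
-* - const unsigned char *sk: pointer to input private key (an
-*already allocated array of CRYPTO_SECRETKEYBYTES bytes)
-*
-* Returns 0.
-*
-* On failure, ss will contain a pseudo-random value.
-**************************************************/
-int PQCLEAN_KYBER768_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) {
-size_t i;
-int fail;
-unsigned char cmp[KYBER_CIPHERTEXTBYTES];
-unsigned char buf[2 * KYBER_SYMBYTES];
-unsigned char
-kr[2 * KYBER_SYMBYTES]; /* Will contain key, coins, qrom-hash */
-const unsigned char *pk = sk + KYBER_INDCPA_SECRETKEYBYTES;
-
-PQCLEAN_KYBER768_CLEAN_indcpa_dec(buf, ct, sk);
-
-for (i = 0; i < KYBER_SYMBYTES; i++) { /* Multitarget countermeasure for coins + contributory KEM */
-buf[KYBER_SYMBYTES + i] = sk[KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES + i]; /* Save hash by storing H(pk) in sk */
-}
-sha3_512(kr, buf, 2 * KYBER_SYMBYTES);
-
-PQCLEAN_KYBER768_CLEAN_indcpa_enc(cmp, buf, pk, kr + KYBER_SYMBYTES); /* coins are in kr+KYBER_SYMBYTES */
-
-fail = PQCLEAN_KYBER768_CLEAN_verify(ct, cmp, KYBER_CIPHERTEXTBYTES);
-
-sha3_256(kr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); /* overwrite coins in kr with H(c) */
-
-PQCLEAN_KYBER768_CLEAN_cmov(kr, sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES, (unsigned char)fail); /* Overwrite pre-k with z on re-encryption failure */
-
-sha3_256(ss, kr, 2 * KYBER_SYMBYTES); /* hash concatenation of pre-k and H(c) to k */
-
-return 0;
-}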
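--- a/PATH_NOT_ON_PAGE/ntt.c
+++ /dev/null
@@ -1,80 +0,0 @@
-#include "ntt.h"
-#include "inttypes.h"
-#include "params.h"
-#include "reduce.h"
-
-extern const uint16_t PQCLEAN_KYBER768_CLEAN_omegas_inv_bitrev_montgomery[];
-extern const uint16_t PQCLEAN_KYBER768_CLEAN_psis_inv_montgomery[];
-extern const uint16_t PQCLEAN_KYBER768_CLEAN_zetas[];
-
-/*************************************************
-* Name: ntt
-*
-* Description: Computes negacyclic number-theoretic transform (NTT) of
-* a polynomial (vector of 256 coefficients) in place;
-* inputs assumed to be in normal order, output in bitreversed
-*order
-*
-* Arguments: - uint16_t *p: pointer to in/output polynomial
-**************************************************/
-void PQCLEAN_KYBER768_CLEAN_ntt(uint16_t *p) {
-int level, start, j, k;
-uint16_t zeta, t;
-
-k = 1;
-for (level = 7; level >= 0; level--) {
-for (start = 0; start < KYBER_N; start = j + (1 << level)) {
-zeta = PQCLEAN_KYBER768_CLEAN_zetas[k++];
-for (j = start; j < start + (1 << level); ++j) {
-t = PQCLEAN_KYBER768_CLEAN_montgomery_reduce((uint32_t)zeta * p[j + (1 << level)]);
-
-p[j + (1 << level)] = PQCLEAN_KYBER768_CLEAN_barrett_reduce(p[j] + 4 * KYBER_Q - t);
-
-if (level & 1) { /* odd level */
-p[j] = p[j] + t; /* Omit reduction (be lazy) */
-} else {
-p[j] = PQCLEAN_KYBER768_CLEAN_barrett_reduce(p[j] + t);
-}
-}
-}
-}
-}
-
-/*************************************************
-* Name: invntt
-*
-* Description: Computes inverse of negacyclic number-theoretic transform (NTT)
-*of a polynomial (vector of 256 coefficients) in place; inputs assumed to be in
-*bitreversed order, output in normal order
-*
-* Arguments: - uint16_t *a: pointer to in/output polynomial
-**************************************************/
-void PQCLEAN_KYBER768_CLEAN_invntt(uint16_t *a) {
-int start, j, jTwiddle, level;
-uint16_t temp, W;
-uint32_t t;
-
-for (level = 0; level < 8; level++) {
-for (start = 0; start < (1 << level); start++) {
-jTwiddle = 0;
-for (j = start; j < KYBER_N - 1; j += 2 * (1 << level)) {
-W = PQCLEAN_KYBER768_CLEAN_omegas_inv_bitrev_montgomery[jTwiddle++];
-temp = a[j];
-
-if (level & 1) { /* odd level */
-a[j] = PQCLEAN_KYBER768_CLEAN_barrett_reduce((temp + a[j + (1 << level)]));
-} else {
-a[j] = (temp + a[j + (1 << level)]); /* Omit reduction (be lazy) */
-}
-
-t = (W * ((uint32_t)temp + 4 * KYBER_Q - a[j + (1 << level)]));
-
-a[j + (1 << level)] = PQCLEAN_KYBER768_CLEAN_montgomery_reduce(t);
-}
-}
-}
-
-for (j = 0; j < KYBER_N; j++) {
-a[j] = PQCLEAN_KYBER768_CLEAN_montgomery_reduce((a[j] * PQCLEAN_KYBER768_CLEAN_psis_inv_montgomery[j]));
-}
-}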
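--- a/PATH_NOT_ON_PAGE/ntt.h
+++ /dev/null
@@ -1,9 +0,0 @@
-#ifndef NTT_H
-#define NTT_H
-
-#include <stdint.h>
-
-void PQCLEAN_KYBER768_CLEAN_ntt(uint16_t *p);
-void PQCLEAN_KYBER768_CLEAN_invntt(uint16_t *a);
-
-#endif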
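--- a/PATH_NOT_ON_PAGE/params.h
+++ /dev/null
@@ -1,27 +0,0 @@
-#ifndef PARAMS_H
-#define PARAMS_H
-
-#define KYBER_K 3
-
-#define KYBER_N 256
-#define KYBER_Q 7681
-
-#define KYBER_ETA 4
-
-#define KYBER_SYMBYTES 32 /* size in bytes of shared key, hashes, and seeds */
-
-#define KYBER_POLYBYTES 416
-#define KYBER_POLYCOMPRESSEDBYTES 96
-#define KYBER_POLYVECBYTES (KYBER_K * KYBER_POLYBYTES)
-#define KYBER_POLYVECCOMPRESSEDBYTES (KYBER_K * 352)
-
-#define KYBER_INDCPA_MSGBYTES KYBER_SYMBYTES
-#define KYBER_INDCPA_PUBLICKEYBYTES (KYBER_POLYVECCOMPRESSEDBYTES + KYBER_SYMBYTES)
-#define KYBER_INDCPA_SECRETKEYBYTES (KYBER_POLYVECBYTES)
-#define KYBER_INDCPA_BYTES (KYBER_POLYVECCOMPRESSEDBYTES + KYBER_POLYCOMPRESSEDBYTES)
-
-#define KYBER_PUBLICKEYBYTES (KYBER_INDCPA_PUBLICKEYBYTES)
-#define KYBER_SECRETKEYBYTES (KYBER_INDCPA_SECRETKEYBYTES + KYBER_INDCPA_PUBLICKEYBYTES + 2 * KYBER_SYMBYTES) /* 32 bytes of additional space to save H(pk) */
-#define KYBER_CIPHERTEXTBYTES KYBER_INDCPA_BYTES
-
-#endif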
@ -1,236 +0,0 @@
|
||||
#include "poly.h"
|
||||
#include "cbd.h"
|
||||
#include "fips202.h"
|
||||
#include "ntt.h"
|
||||
#include "polyvec.h"
|
||||
#include "reduce.h"
|
||||
#include <stdio.h>
|
||||
|
||||
/*************************************************
|
||||
* Name: poly_compress
|
||||
*
|
||||
* Description: Compression and subsequent serialization of a polynomial
|
||||
*
|
||||
* Arguments: - unsigned char *r: pointer to output byte array
|
||||
* - const poly *a: pointer to input polynomial
|
||||
**************************************************/
|
||||
void PQCLEAN_KYBER768_CLEAN_poly_compress(unsigned char *r, const poly *a) {
|
||||
uint32_t t[8];
|
||||
unsigned int i, j, k = 0;
|
||||
|
||||
for (i = 0; i < KYBER_N; i += 8) {
|
||||
for (j = 0; j < 8; j++) {
|
||||
t[j] = (((PQCLEAN_KYBER768_CLEAN_freeze(a->coeffs[i + j]) << 3) + KYBER_Q / 2) / KYBER_Q) & 7;
|
||||
}
|
||||
|
||||
r[k] = (unsigned char)( t[0] | (t[1] << 3) | (t[2] << 6));
|
||||
r[k + 1] = (unsigned char)((t[2] >> 2) | (t[3] << 1) | (t[4] << 4) | (t[5] << 7));
|
||||
r[k + 2] = (unsigned char)((t[5] >> 1) | (t[6] << 2) | (t[7] << 5));
|
||||
k += 3;
|
||||
}
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: poly_decompress
|
||||
*
|
||||
* Description: De-serialization and subsequent decompression of a polynomial;
|
||||
* approximate inverse of poly_compress
|
||||
*
|
||||
* Arguments: - poly *r: pointer to output polynomial
|
||||
* - const unsigned char *a: pointer to input byte array
|
||||
**************************************************/
|
||||
void PQCLEAN_KYBER768_CLEAN_poly_decompress(poly *r, const unsigned char *a) {
|
||||
unsigned int i;
|
||||
for (i = 0; i < KYBER_N; i += 8) {
|
||||
r->coeffs[i + 0] = (((a[0] & 7) * KYBER_Q) + 4) >> 3;
|
||||
r->coeffs[i + 1] = ((((a[0] >> 3) & 7) * KYBER_Q) + 4) >> 3;
|
||||
r->coeffs[i + 2] = ((((a[0] >> 6) | ((a[1] << 2) & 4)) * KYBER_Q) + 4) >> 3;
|
||||
r->coeffs[i + 3] = ((((a[1] >> 1) & 7) * KYBER_Q) + 4) >> 3;
|
||||
r->coeffs[i + 4] = ((((a[1] >> 4) & 7) * KYBER_Q) + 4) >> 3;
|
||||
r->coeffs[i + 5] = ((((a[1] >> 7) | ((a[2] << 1) & 6)) * KYBER_Q) + 4) >> 3;
|
||||
r->coeffs[i + 6] = ((((a[2] >> 2) & 7) * KYBER_Q) + 4) >> 3;
|
||||
r->coeffs[i + 7] = ((((a[2] >> 5)) * KYBER_Q) + 4) >> 3;
|
||||
a += 3;
|
||||
}
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: poly_tobytes
|
||||
*
|
||||
* Description: Serialization of a polynomial
|
||||
*
|
||||
* Arguments: - unsigned char *r: pointer to output byte array
|
||||
* - const poly *a: pointer to input polynomial
|
||||
**************************************************/
|
||||
void PQCLEAN_KYBER768_CLEAN_poly_tobytes(unsigned char *r, const poly *a) {
|
||||
int i, j;
|
||||
uint16_t t[8];
|
||||
|
||||
for (i = 0; i < KYBER_N / 8; i++) {
|
||||
for (j = 0; j < 8; j++) {
|
||||
t[j] = PQCLEAN_KYBER768_CLEAN_freeze(a->coeffs[8 * i + j]);
|
||||
}
|
||||
|
||||
r[13 * i + 0] = (unsigned char)( t[0] & 0xff);
|
||||
r[13 * i + 1] = (unsigned char)((t[0] >> 8) | ((t[1] & 0x07) << 5));
|
||||
r[13 * i + 2] = (unsigned char)((t[1] >> 3) & 0xff);
|
||||
r[13 * i + 3] = (unsigned char)((t[1] >> 11) | ((t[2] & 0x3f) << 2));
|
||||
r[13 * i + 4] = (unsigned char)((t[2] >> 6) | ((t[3] & 0x01) << 7));
|
||||
r[13 * i + 5] = (unsigned char)((t[3] >> 1) & 0xff);
|
||||
r[13 * i + 6] = (unsigned char)((t[3] >> 9) | ((t[4] & 0x0f) << 4));
|
||||
r[13 * i + 7] = (unsigned char)((t[4] >> 4) & 0xff);
|
||||
r[13 * i + 8] = (unsigned char)((t[4] >> 12) | ((t[5] & 0x7f) << 1));
|
||||
r[13 * i + 9] = (unsigned char)((t[5] >> 7) | ((t[6] & 0x03) << 6));
|
||||
r[13 * i + 10] = (unsigned char)((t[6] >> 2) & 0xff);
|
||||
r[13 * i + 11] = (unsigned char)((t[6] >> 10) | ((t[7] & 0x1f) << 3));
|
||||
r[13 * i + 12] = (unsigned char)((t[7] >> 5));
|
||||
}
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: poly_frombytes
|
||||
*
|
||||
* Description: De-serialization of a polynomial;
|
||||
* inverse of poly_tobytes
|
||||
*
|
||||
* Arguments: - poly *r: pointer to output polynomial
|
||||
* - const unsigned char *a: pointer to input byte array
|
||||
**************************************************/
|
||||
void PQCLEAN_KYBER768_CLEAN_poly_frombytes(poly *r, const unsigned char *a) {
|
||||
int i;
|
||||
for (i = 0; i < KYBER_N / 8; i++) {
|
||||
r->coeffs[8 * i + 0] = a[13 * i + 0] | (((uint16_t)a[13 * i + 1] & 0x1f) << 8);
|
||||
r->coeffs[8 * i + 1] = (a[13 * i + 1] >> 5) | (((uint16_t)a[13 * i + 2]) << 3) | (((uint16_t)a[13 * i + 3] & 0x03) << 11);
|
||||
r->coeffs[8 * i + 2] = (a[13 * i + 3] >> 2) | (((uint16_t)a[13 * i + 4] & 0x7f) << 6);
|
||||
r->coeffs[8 * i + 3] = (a[13 * i + 4] >> 7) | (((uint16_t)a[13 * i + 5]) << 1) | (((uint16_t)a[13 * i + 6] & 0x0f) << 9);
|
||||
r->coeffs[8 * i + 4] = (a[13 * i + 6] >> 4) | (((uint16_t)a[13 * i + 7]) << 4) | (((uint16_t)a[13 * i + 8] & 0x01) << 12);
|
||||
r->coeffs[8 * i + 5] = (a[13 * i + 8] >> 1) | (((uint16_t)a[13 * i + 9] & 0x3f) << 7);
|
||||
r->coeffs[8 * i + 6] = (a[13 * i + 9] >> 6) | (((uint16_t)a[13 * i + 10]) << 2) | (((uint16_t)a[13 * i + 11] & 0x07) << 10);
|
||||
r->coeffs[8 * i + 7] = (a[13 * i + 11] >> 3) | (((uint16_t)a[13 * i + 12]) << 5);
|
||||
}
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: poly_getnoise
|
||||
*
|
||||
* Description: Sample a polynomial deterministically from a seed and a nonce,
|
||||
* with output polynomial close to centered binomial distribution
|
||||
* with parameter KYBER_ETA
|
||||
*
|
||||
* Arguments: - poly *r: pointer to output polynomial
|
||||
* - const unsigned char *seed: pointer to input seed
|
||||
* - unsigned char nonce: one-byte input nonce
|
||||
**************************************************/
|
||||
void PQCLEAN_KYBER768_CLEAN_poly_getnoise(poly *r, const unsigned char *seed, unsigned char nonce) {
|
||||
unsigned char buf[KYBER_ETA * KYBER_N / 4];
|
||||
unsigned char extseed[KYBER_SYMBYTES + 1];
|
||||
int i;
|
||||
|
||||
for (i = 0; i < KYBER_SYMBYTES; i++) {
|
||||
extseed[i] = seed[i];
|
||||
}
|
||||
extseed[KYBER_SYMBYTES] = nonce;
|
||||
|
||||
shake256(buf, KYBER_ETA * KYBER_N / 4, extseed, KYBER_SYMBYTES + 1);
|
||||
|
||||
PQCLEAN_KYBER768_CLEAN_cbd(r, buf);
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: poly_ntt
|
||||
*
|
||||
* Description: Computes negacyclic number-theoretic transform (NTT) of
|
||||
* a polynomial in place;
|
||||
* inputs assumed to be in normal order, output in bitreversed
|
||||
*order
|
||||
*
|
||||
* Arguments: - uint16_t *r: pointer to in/output polynomial
|
||||
**************************************************/
|
||||
void PQCLEAN_KYBER768_CLEAN_poly_ntt(poly *r) {
|
||||
PQCLEAN_KYBER768_CLEAN_ntt(r->coeffs);
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: poly_invntt
|
||||
*
|
||||
* Description: Computes inverse of negacyclic number-theoretic transform (NTT)
|
||||
*of a polynomial in place; inputs assumed to be in bitreversed order, output in
|
||||
*normal order
|
||||
*
|
||||
* Arguments: - uint16_t *a: pointer to in/output polynomial
|
||||
**************************************************/
|
||||
void PQCLEAN_KYBER768_CLEAN_poly_invntt(poly *r) {
|
||||
PQCLEAN_KYBER768_CLEAN_invntt(r->coeffs);
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: poly_add
|
||||
*
|
||||
* Description: Add two polynomials
|
||||
*
|
||||
* Arguments: - poly *r: pointer to output polynomial
|
||||
* - const poly *a: pointer to first input polynomial
|
||||
* - const poly *b: pointer to second input polynomial
|
||||
**************************************************/
|
||||
void PQCLEAN_KYBER768_CLEAN_poly_add(poly *r, const poly *a, const poly *b) {
|
||||
int i;
|
||||
for (i = 0; i < KYBER_N; i++) {
|
||||
r->coeffs[i] = PQCLEAN_KYBER768_CLEAN_barrett_reduce(a->coeffs[i] + b->coeffs[i]);
|
||||
}
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: poly_sub
|
||||
*
|
||||
* Description: Subtract two polynomials
|
||||
*
|
||||
* Arguments: - poly *r: pointer to output polynomial
|
||||
* - const poly *a: pointer to first input polynomial
|
||||
* - const poly *b: pointer to second input polynomial
|
||||
**************************************************/
|
||||
void PQCLEAN_KYBER768_CLEAN_poly_sub(poly *r, const poly *a, const poly *b) {
|
||||
int i;
|
||||
for (i = 0; i < KYBER_N; i++) {
|
||||
r->coeffs[i] = PQCLEAN_KYBER768_CLEAN_barrett_reduce(a->coeffs[i] + 3 * KYBER_Q - b->coeffs[i]);
|
||||
}
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: poly_frommsg
|
||||
*
|
||||
* Description: Convert 32-byte message to polynomial
|
||||
*
|
||||
* Arguments: - poly *r: pointer to output polynomial
|
||||
* - const unsigned char *msg: pointer to input message
|
||||
**************************************************/
|
||||
void PQCLEAN_KYBER768_CLEAN_poly_frommsg(poly *r, const unsigned char msg[KYBER_SYMBYTES]) {
|
||||
uint16_t i, j, mask;
|
||||
|
||||
for (i = 0; i < KYBER_SYMBYTES; i++) {
|
||||
for (j = 0; j < 8; j++) {
|
||||
mask = -((msg[i] >> j) & 1);
|
||||
r->coeffs[8 * i + j] = mask & ((KYBER_Q + 1) / 2);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: poly_tomsg
|
||||
*
|
||||
* Description: Convert polynomial to 32-byte message
|
||||
*
|
||||
* Arguments: - unsigned char *msg: pointer to output message
|
||||
* - const poly *a: pointer to input polynomial
|
||||
**************************************************/
|
||||
void PQCLEAN_KYBER768_CLEAN_poly_tomsg(unsigned char msg[KYBER_SYMBYTES], const poly *a) {
|
||||
uint16_t t;
|
||||
int i, j;
|
||||
|
||||
for (i = 0; i < KYBER_SYMBYTES; i++) {
|
||||
msg[i] = 0;
|
||||
for (j = 0; j < 8; j++) {
|
||||
t = (((PQCLEAN_KYBER768_CLEAN_freeze(a->coeffs[8 * i + j]) << 1) + KYBER_Q / 2) / KYBER_Q) & 1;
|
||||
msg[i] |= t << j;
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -1,32 +0,0 @@
|
||||
#ifndef POLY_H
|
||||
#define POLY_H
|
||||
|
||||
#include "params.h"
|
||||
#include <stdint.h>
|
||||
|
||||
/*
|
||||
* Elements of R_q = Z_q[X]/(X^n + 1). Represents polynomial
|
||||
* coeffs[0] + X*coeffs[1] + X^2*xoeffs[2] + ... + X^{n-1}*coeffs[n-1]
|
||||
*/
|
||||
typedef struct {
|
||||
uint16_t coeffs[KYBER_N];
|
||||
} poly;
|
||||
|
||||
void PQCLEAN_KYBER768_CLEAN_poly_compress(unsigned char *r, const poly *a);
|
||||
void PQCLEAN_KYBER768_CLEAN_poly_decompress(poly *r, const unsigned char *a);
|
||||
|
||||
void PQCLEAN_KYBER768_CLEAN_poly_tobytes(unsigned char *r, const poly *a);
|
||||
void PQCLEAN_KYBER768_CLEAN_poly_frombytes(poly *r, const unsigned char *a);
|
||||
|
||||
void PQCLEAN_KYBER768_CLEAN_poly_frommsg(poly *r, const unsigned char msg[KYBER_SYMBYTES]);
|
||||
void PQCLEAN_KYBER768_CLEAN_poly_tomsg(unsigned char msg[KYBER_SYMBYTES], const poly *a);
|
||||
|
||||
void PQCLEAN_KYBER768_CLEAN_poly_getnoise(poly *r, const unsigned char *seed, unsigned char nonce);
|
||||
|
||||
void PQCLEAN_KYBER768_CLEAN_poly_ntt(poly *r);
|
||||
void PQCLEAN_KYBER768_CLEAN_poly_invntt(poly *r);
|
||||
|
||||
void PQCLEAN_KYBER768_CLEAN_poly_add(poly *r, const poly *a, const poly *b);
|
||||
void PQCLEAN_KYBER768_CLEAN_poly_sub(poly *r, const poly *a, const poly *b);
|
||||
|
||||
#endif
|
||||
@ -1,162 +0,0 @@
|
||||
#include "polyvec.h"
|
||||
#include "cbd.h"
|
||||
#include "fips202.h"
|
||||
#include "reduce.h"
|
||||
#include <stdio.h>
|
||||
|
||||
/*************************************************
|
||||
* Name: polyvec_compress
|
||||
*
|
||||
* Description: Compress and serialize vector of polynomials
|
||||
*
|
||||
* Arguments: - unsigned char *r: pointer to output byte array
|
||||
* - const polyvec *a: pointer to input vector of polynomials
|
||||
**************************************************/
|
||||
void PQCLEAN_KYBER768_CLEAN_polyvec_compress(unsigned char *r, const polyvec *a) {
|
||||
int i, j, k;
|
||||
uint16_t t[8];
|
||||
for (i = 0; i < KYBER_K; i++) {
|
||||
for (j = 0; j < KYBER_N / 8; j++) {
|
||||
for (k = 0; k < 8; k++) {
|
||||
t[k] = ((((uint32_t)PQCLEAN_KYBER768_CLEAN_freeze(a->vec[i].coeffs[8 * j + k]) << 11) + KYBER_Q / 2) / KYBER_Q) & 0x7ff;
|
||||
}
|
||||
|
||||
r[11 * j + 0] = (unsigned char)( t[0] & 0xff);
|
||||
r[11 * j + 1] = (unsigned char)((t[0] >> 8) | ((t[1] & 0x1f) << 3));
|
||||
r[11 * j + 2] = (unsigned char)((t[1] >> 5) | ((t[2] & 0x03) << 6));
|
||||
r[11 * j + 3] = (unsigned char)((t[2] >> 2) & 0xff);
|
||||
r[11 * j + 4] = (unsigned char)((t[2] >> 10) | ((t[3] & 0x7f) << 1));
|
||||
r[11 * j + 5] = (unsigned char)((t[3] >> 7) | ((t[4] & 0x0f) << 4));
|
||||
r[11 * j + 6] = (unsigned char)((t[4] >> 4) | ((t[5] & 0x01) << 7));
|
||||
r[11 * j + 7] = (unsigned char)((t[5] >> 1) & 0xff);
|
||||
r[11 * j + 8] = (unsigned char)((t[5] >> 9) | ((t[6] & 0x3f) << 2));
|
||||
r[11 * j + 9] = (unsigned char)((t[6] >> 6) | ((t[7] & 0x07) << 5));
|
||||
r[11 * j + 10] = (unsigned char)((t[7] >> 3));
|
||||
}
|
||||
r += 352;
|
||||
}
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: polyvec_decompress
|
||||
*
|
||||
* Description: De-serialize and decompress vector of polynomials;
|
||||
* approximate inverse of polyvec_compress
|
||||
*
|
||||
* Arguments: - polyvec *r: pointer to output vector of polynomials
|
||||
* - unsigned char *a: pointer to input byte array
|
||||
**************************************************/
|
||||
void PQCLEAN_KYBER768_CLEAN_polyvec_decompress(polyvec *r, const unsigned char *a) {
|
||||
int i, j;
|
||||
for (i = 0; i < KYBER_K; i++) {
|
||||
for (j = 0; j < KYBER_N / 8; j++) {
|
||||
r->vec[i].coeffs[8 * j + 0] = (((a[11 * j + 0] | (((uint32_t)a[11 * j + 1] & 0x07) << 8)) * KYBER_Q) + 1024) >> 11;
|
||||
r->vec[i].coeffs[8 * j + 1] = ((((a[11 * j + 1] >> 3) | (((uint32_t)a[11 * j + 2] & 0x3f) << 5)) * KYBER_Q) + 1024) >> 11;
|
||||
r->vec[i].coeffs[8 * j + 2] = ((((a[11 * j + 2] >> 6) | (((uint32_t)a[11 * j + 3] & 0xff) << 2) | (((uint32_t)a[11 * j + 4] & 0x01) << 10)) * KYBER_Q) + 1024) >> 11;
|
||||
r->vec[i].coeffs[8 * j + 3] = ((((a[11 * j + 4] >> 1) | (((uint32_t)a[11 * j + 5] & 0x0f) << 7)) * KYBER_Q) + 1024) >> 11;
|
||||
r->vec[i].coeffs[8 * j + 4] = ((((a[11 * j + 5] >> 4) | (((uint32_t)a[11 * j + 6] & 0x7f) << 4)) * KYBER_Q) + 1024) >> 11;
|
||||
r->vec[i].coeffs[8 * j + 5] = ((((a[11 * j + 6] >> 7) | (((uint32_t)a[11 * j + 7] & 0xff) << 1) | (((uint32_t)a[11 * j + 8] & 0x03) << 9)) * KYBER_Q) + 1024) >> 11;
|
||||
r->vec[i].coeffs[8 * j + 6] = ((((a[11 * j + 8] >> 2) | (((uint32_t)a[11 * j + 9] & 0x1f) << 6)) * KYBER_Q) + 1024) >> 11;
|
||||
r->vec[i].coeffs[8 * j + 7] = ((((a[11 * j + 9] >> 5) | (((uint32_t)a[11 * j + 10] & 0xff) << 3)) * KYBER_Q) + 1024) >> 11;
|
||||
}
|
||||
a += 352;
|
||||
}
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: polyvec_tobytes
|
||||
*
|
||||
* Description: Serialize vector of polynomials
|
||||
*
|
||||
* Arguments: - unsigned char *r: pointer to output byte array
|
||||
* - const polyvec *a: pointer to input vector of polynomials
|
||||
**************************************************/
|
||||
void PQCLEAN_KYBER768_CLEAN_polyvec_tobytes(unsigned char *r, const polyvec *a) {
|
||||
int i;
|
||||
for (i = 0; i < KYBER_K; i++) {
|
||||
PQCLEAN_KYBER768_CLEAN_poly_tobytes(r + i * KYBER_POLYBYTES, &a->vec[i]);
|
||||
}
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: polyvec_frombytes
|
||||
*
|
||||
* Description: De-serialize vector of polynomials;
|
||||
* inverse of polyvec_tobytes
|
||||
*
|
||||
* Arguments: - unsigned char *r: pointer to output byte array
|
||||
* - const polyvec *a: pointer to input vector of polynomials
|
||||
**************************************************/
|
||||
void PQCLEAN_KYBER768_CLEAN_polyvec_frombytes(polyvec *r, const unsigned char *a) {
|
||||
int i;
|
||||
for (i = 0; i < KYBER_K; i++) {
|
||||
PQCLEAN_KYBER768_CLEAN_poly_frombytes(&r->vec[i], a + i * KYBER_POLYBYTES);
|
||||
}
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: polyvec_ntt
|
||||
*
|
||||
* Description: Apply forward NTT to all elements of a vector of polynomials
|
||||
*
|
||||
* Arguments: - polyvec *r: pointer to in/output vector of polynomials
|
||||
**************************************************/
|
||||
void PQCLEAN_KYBER768_CLEAN_polyvec_ntt(polyvec *r) {
|
||||
int i;
|
||||
for (i = 0; i < KYBER_K; i++) {
|
||||
PQCLEAN_KYBER768_CLEAN_poly_ntt(&r->vec[i]);
|
||||
}
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: polyvec_invntt
|
||||
*
|
||||
* Description: Apply inverse NTT to all elements of a vector of polynomials
|
||||
*
|
||||
* Arguments: - polyvec *r: pointer to in/output vector of polynomials
|
||||
**************************************************/
|
||||
void PQCLEAN_KYBER768_CLEAN_polyvec_invntt(polyvec *r) {
|
||||
int i;
|
||||
for (i = 0; i < KYBER_K; i++) {
|
||||
PQCLEAN_KYBER768_CLEAN_poly_invntt(&r->vec[i]);
|
||||
}
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: polyvec_pointwise_acc
|
||||
*
|
||||
* Description: Pointwise multiply elements of a and b and accumulate into r
|
||||
*
|
||||
* Arguments: - poly *r: pointer to output polynomial
|
||||
* - const polyvec *a: pointer to first input vector of polynomials
|
||||
* - const polyvec *b: pointer to second input vector of polynomials
|
||||
**************************************************/
|
||||
void PQCLEAN_KYBER768_CLEAN_polyvec_pointwise_acc(poly *r, const polyvec *a, const polyvec *b) {
|
||||
int i, j;
|
||||
uint16_t t;
|
||||
for (j = 0; j < KYBER_N; j++) {
|
||||
t = PQCLEAN_KYBER768_CLEAN_montgomery_reduce(4613 * (uint32_t)b->vec[0].coeffs[j]); // 4613 = 2^{2*18} % q
|
||||
r->coeffs[j] = PQCLEAN_KYBER768_CLEAN_montgomery_reduce(a->vec[0].coeffs[j] * t);
|
||||
for (i = 1; i < KYBER_K; i++) {
|
||||
t = PQCLEAN_KYBER768_CLEAN_montgomery_reduce(4613 * (uint32_t)b->vec[i].coeffs[j]);
|
||||
r->coeffs[j] += PQCLEAN_KYBER768_CLEAN_montgomery_reduce(a->vec[i].coeffs[j] * t);
|
||||
}
|
||||
r->coeffs[j] = PQCLEAN_KYBER768_CLEAN_barrett_reduce(r->coeffs[j]);
|
||||
}
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: polyvec_add
|
||||
*
|
||||
* Description: Add vectors of polynomials
|
||||
*
|
||||
* Arguments: - polyvec *r: pointer to output vector of polynomials
|
||||
* - const polyvec *a: pointer to first input vector of polynomials
|
||||
* - const polyvec *b: pointer to second input vector of polynomials
|
||||
**************************************************/
|
||||
void PQCLEAN_KYBER768_CLEAN_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b) {
|
||||
int i;
|
||||
for (i = 0; i < KYBER_K; i++) {
|
||||
PQCLEAN_KYBER768_CLEAN_poly_add(&r->vec[i], &a->vec[i], &b->vec[i]);
|
||||
}
|
||||
}
|
||||
@ -1,24 +0,0 @@
|
||||
#ifndef POLYVEC_H
|
||||
#define POLYVEC_H
|
||||
|
||||
#include "params.h"
|
||||
#include "poly.h"
|
||||
|
||||
typedef struct {
|
||||
poly vec[KYBER_K];
|
||||
} polyvec;
|
||||
|
||||
void PQCLEAN_KYBER768_CLEAN_polyvec_compress(unsigned char *r, const polyvec *a);
|
||||
void PQCLEAN_KYBER768_CLEAN_polyvec_decompress(polyvec *r, const unsigned char *a);
|
||||
|
||||
void PQCLEAN_KYBER768_CLEAN_polyvec_tobytes(unsigned char *r, const polyvec *a);
|
||||
void PQCLEAN_KYBER768_CLEAN_polyvec_frombytes(polyvec *r, const unsigned char *a);
|
||||
|
||||
void PQCLEAN_KYBER768_CLEAN_polyvec_ntt(polyvec *r);
|
||||
void PQCLEAN_KYBER768_CLEAN_polyvec_invntt(polyvec *r);
|
||||
|
||||
void PQCLEAN_KYBER768_CLEAN_polyvec_pointwise_acc(poly *r, const polyvec *a, const polyvec *b);
|
||||
|
||||
void PQCLEAN_KYBER768_CLEAN_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b);
|
||||
|
||||
#endif
|
||||
@ -1,100 +0,0 @@
|
||||
#include "inttypes.h"
|
||||
#include "ntt.h"
|
||||
#include "params.h"
|
||||
|
||||
/* Precomputed constants for the forward NTT and inverse NTT.
|
||||
* Computed using Pari/GP as follows:
|
||||
*
|
||||
brv=[0,128,64,192,32,160,96,224,16,144,80,208,48,176,112,240, \
|
||||
8,136,72,200,40,168,104,232,24,152,88,216,56,184,120,248, \
|
||||
4,132,68,196,36,164,100,228,20,148,84,212,52,180,116,244, \
|
||||
12,140,76,204,44,172,108,236,28,156,92,220,60,188,124,252, \
|
||||
2,130,66,194,34,162,98,226,18,146,82,210,50,178,114,242, \
|
||||
10,138,74,202,42,170,106,234,26,154,90,218,58,186,122,250, \
|
||||
6,134,70,198,38,166,102,230,22,150,86,214,54,182,118,246, \
|
||||
14,142,78,206,46,174,110,238,30,158,94,222,62,190,126,254, \
|
||||
1,129,65,193,33,161,97,225,17,145,81,209,49,177,113,241, \
|
||||
9,137,73,201,41,169,105,233,25,153,89,217,57,185,121,249, \
|
||||
5,133,69,197,37,165,101,229,21,149,85,213,53,181,117,245, \
|
||||
13,141,77,205,45,173,109,237,29,157,93,221,61,189,125,253, \
|
||||
3,131,67,195,35,163,99,227,19,147,83,211,51,179,115,243, \
|
||||
11,139,75,203,43,171,107,235,27,155,91,219,59,187,123,251, \
|
||||
7,135,71,199,39,167,103,231,23,151,87,215,55,183,119,247, \
|
||||
15,143,79,207,47,175,111,239,31,159,95,223,63,191,127,255];
|
||||
|
||||
q = 7681;
|
||||
n = 256;
|
||||
mont = Mod(2^18,q);
|
||||
|
||||
g=0; for(i=2,q-1,if(znorder(Mod(i,q)) == 2*n, g=Mod(i,q); break))
|
||||
|
||||
zetas = lift(vector(n, i, g^(brv[i])*mont))
|
||||
omegas_inv_bitrev_montgomery = lift(vector(n/2, i,
|
||||
(g^2)^(-brv[2*(i-1)+1])*mont)) psis_inv_montgomery = lift(vector(n, i,
|
||||
g^(-(i-1))/n*mont))
|
||||
|
||||
*/
|
||||
|
||||
const uint16_t PQCLEAN_KYBER768_CLEAN_zetas[KYBER_N] = {
|
||||
990, 7427, 2634, 6819, 578, 3281, 2143, 1095, 484, 6362, 3336, 5382,
|
||||
6086, 3823, 877, 5656, 3583, 7010, 6414, 263, 1285, 291, 7143, 7338,
|
||||
1581, 5134, 5184, 5932, 4042, 5775, 2468, 3, 606, 729, 5383, 962,
|
||||
3240, 7548, 5129, 7653, 5929, 4965, 2461, 641, 1584, 2666, 1142, 157,
|
||||
7407, 5222, 5602, 5142, 6140, 5485, 4931, 1559, 2085, 5284, 2056, 3538,
|
||||
7269, 3535, 7190, 1957, 3465, 6792, 1538, 4664, 2023, 7643, 3660, 7673,
|
||||
1694, 6905, 3995, 3475, 5939, 1859, 6910, 4434, 1019, 1492, 7087, 4761,
|
||||
657, 4859, 5798, 2640, 1693, 2607, 2782, 5400, 6466, 1010, 957, 3851,
|
||||
2121, 6392, 7319, 3367, 3659, 3375, 6430, 7583, 1549, 5856, 4773, 6084,
|
||||
5544, 1650, 3997, 4390, 6722, 2915, 4245, 2635, 6128, 7676, 5737, 1616,
|
||||
3457, 3132, 7196, 4702, 6239, 851, 2122, 3009, 7613, 7295, 2007, 323,
|
||||
5112, 3716, 2289, 6442, 6965, 2713, 7126, 3401, 963, 6596, 607, 5027,
|
||||
7078, 4484, 5937, 944, 2860, 2680, 5049, 1777, 5850, 3387, 6487, 6777,
|
||||
4812, 4724, 7077, 186, 6848, 6793, 3463, 5877, 1174, 7116, 3077, 5945,
|
||||
6591, 590, 6643, 1337, 6036, 3991, 1675, 2053, 6055, 1162, 1679, 3883,
|
||||
4311, 2106, 6163, 4486, 6374, 5006, 4576, 4288, 5180, 4102, 282, 6119,
|
||||
7443, 6330, 3184, 4971, 2530, 5325, 4171, 7185, 5175, 5655, 1898, 382,
|
||||
7211, 43, 5965, 6073, 1730, 332, 1577, 3304, 2329, 1699, 6150, 2379,
|
||||
5113, 333, 3502, 4517, 1480, 1172, 5567, 651, 925, 4573, 599, 1367,
|
||||
4109, 1863, 6929, 1605, 3866, 2065, 4048, 839, 5764, 2447, 2022, 3345,
|
||||
1990, 4067, 2036, 2069, 3567, 7371, 2368, 339, 6947, 2159, 654, 7327,
|
||||
2768, 6676, 987, 2214
|
||||
};
|
||||
|
||||
const uint16_t PQCLEAN_KYBER768_CLEAN_omegas_inv_bitrev_montgomery[KYBER_N / 2] = {
|
||||
990, 254, 862, 5047, 6586, 5538, 4400, 7103, 2025, 6804, 3858, 1595,
|
||||
2299, 4345, 1319, 7197, 7678, 5213, 1906, 3639, 1749, 2497, 2547, 6100,
|
||||
343, 538, 7390, 6396, 7418, 1267, 671, 4098, 5724, 491, 4146, 412,
|
||||
4143, 5625, 2397, 5596, 6122, 2750, 2196, 1541, 2539, 2079, 2459, 274,
|
||||
7524, 6539, 5015, 6097, 7040, 5220, 2716, 1752, 28, 2552, 133, 4441,
|
||||
6719, 2298, 6952, 7075, 4672, 5559, 6830, 1442, 2979, 485, 4549, 4224,
|
||||
6065, 1944, 5, 1553, 5046, 3436, 4766, 959, 3291, 3684, 6031, 2137,
|
||||
1597, 2908, 1825, 6132, 98, 1251, 4306, 4022, 4314, 362, 1289, 5560,
|
||||
3830, 6724, 6671, 1215, 2281, 4899, 5074, 5988, 5041, 1883, 2822, 7024,
|
||||
2920, 594, 6189, 6662, 3247, 771, 5822, 1742, 4206, 3686, 776, 5987,
|
||||
8, 4021, 38, 5658, 3017, 6143, 889, 4216
|
||||
};
|
||||
|
||||
const uint16_t PQCLEAN_KYBER768_CLEAN_psis_inv_montgomery[KYBER_N] = {
|
||||
1024, 4972, 5779, 6907, 4943, 4168, 315, 5580, 90, 497, 1123, 142,
|
||||
4710, 5527, 2443, 4871, 698, 2489, 2394, 4003, 684, 2241, 2390, 7224,
|
||||
5072, 2064, 4741, 1687, 6841, 482, 7441, 1235, 2126, 4742, 2802, 5744,
|
||||
6287, 4933, 699, 3604, 1297, 2127, 5857, 1705, 3868, 3779, 4397, 2177,
|
||||
159, 622, 2240, 1275, 640, 6948, 4572, 5277, 209, 2605, 1157, 7328,
|
||||
5817, 3191, 1662, 2009, 4864, 574, 2487, 164, 6197, 4436, 7257, 3462,
|
||||
4268, 4281, 3414, 4515, 3170, 1290, 2003, 5855, 7156, 6062, 7531, 1732,
|
||||
3249, 4884, 7512, 3590, 1049, 2123, 1397, 6093, 3691, 6130, 6541, 3946,
|
||||
6258, 3322, 1788, 4241, 4900, 2309, 1400, 1757, 400, 502, 6698, 2338,
|
||||
3011, 668, 7444, 4580, 6516, 6795, 2959, 4136, 3040, 2279, 6355, 3943,
|
||||
2913, 6613, 7416, 4084, 6508, 5556, 4054, 3782, 61, 6567, 2212, 779,
|
||||
632, 5709, 5667, 4923, 4911, 6893, 4695, 4164, 3536, 2287, 7594, 2848,
|
||||
3267, 1911, 3128, 546, 1991, 156, 4958, 5531, 6903, 483, 875, 138,
|
||||
250, 2234, 2266, 7222, 2842, 4258, 812, 6703, 232, 5207, 6650, 2585,
|
||||
1900, 6225, 4932, 7265, 4701, 3173, 4635, 6393, 227, 7313, 4454, 4284,
|
||||
6759, 1224, 5223, 1447, 395, 2608, 4502, 4037, 189, 3348, 54, 6443,
|
||||
2210, 6230, 2826, 1780, 3002, 5995, 1955, 6102, 6045, 3938, 5019, 4417,
|
||||
1434, 1262, 1507, 5847, 5917, 7157, 7177, 6434, 7537, 741, 4348, 1309,
|
||||
145, 374, 2236, 4496, 5028, 6771, 6923, 7421, 1978, 1023, 3857, 6876,
|
||||
1102, 7451, 4704, 6518, 1344, 765, 384, 5705, 1207, 1630, 4734, 1563,
|
||||
6839, 5933, 1954, 4987, 7142, 5814, 7527, 4953, 7637, 4707, 2182, 5734,
|
||||
2818, 541, 4097, 5641
|
||||
};
|
||||
@ -1,70 +0,0 @@
|
||||
#include "reduce.h"
|
||||
#include "params.h"
|
||||
|
||||
static const uint32_t qinv = 7679; // -inverse_mod(q,2^18)
|
||||
static const uint32_t rlog = 18;
|
||||
|
||||
/*************************************************
|
||||
* Name: montgomery_reduce
|
||||
*
|
||||
* Description: Montgomery reduction; given a 32-bit integer a, computes
|
||||
* 16-bit integer congruent to a * R^-1 mod q,
|
||||
* where R=2^18 (see value of rlog)
|
||||
*
|
||||
* Arguments: - uint32_t a: input unsigned integer to be reduced; has to be in
|
||||
*{0,...,2281446912}
|
||||
*
|
||||
* Returns: unsigned integer in {0,...,2^13-1} congruent to a * R^-1 modulo
|
||||
*q.
|
||||
**************************************************/
|
||||
uint16_t PQCLEAN_KYBER768_CLEAN_montgomery_reduce(uint32_t a) {
|
||||
uint32_t u;
|
||||
|
||||
u = (a * qinv);
|
||||
u &= ((1 << rlog) - 1);
|
||||
u *= KYBER_Q;
|
||||
a = a + u;
|
||||
return (uint16_t)(a >> rlog);
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: barrett_reduce
|
||||
*
|
||||
* Description: Barrett reduction; given a 16-bit integer a, computes
|
||||
* 16-bit integer congruent to a mod q in {0,...,11768}
|
||||
*
|
||||
* Arguments: - uint16_t a: input unsigned integer to be reduced
|
||||
*
|
||||
* Returns: unsigned integer in {0,...,11768} congruent to a modulo q.
|
||||
**************************************************/
|
||||
uint16_t PQCLEAN_KYBER768_CLEAN_barrett_reduce(uint16_t a) {
|
||||
uint16_t u;
|
||||
|
||||
u = a >> 13; //((uint32_t) a * sinv) >> 16;
|
||||
u *= KYBER_Q;
|
||||
a -= u;
|
||||
return a;
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: freeze
|
||||
*
|
||||
* Description: Full reduction; given a 16-bit integer a, computes
|
||||
* unsigned integer a mod q.
|
||||
*
|
||||
* Arguments: - uint16_t x: input unsigned integer to be reduced
|
||||
*
|
||||
* Returns: unsigned integer in {0,...,q-1} congruent to a modulo q.
|
||||
**************************************************/
|
||||
uint16_t PQCLEAN_KYBER768_CLEAN_freeze(uint16_t x) {
|
||||
uint16_t m, r;
|
||||
int16_t c;
|
||||
r = PQCLEAN_KYBER768_CLEAN_barrett_reduce(x);
|
||||
|
||||
m = r - KYBER_Q;
|
||||
c = m;
|
||||
c >>= 15;
|
||||
r = m ^ ((r ^ m) & c);
|
||||
|
||||
return r;
|
||||
}
|
||||
@ -1,12 +0,0 @@
|
||||
#ifndef REDUCE_H
|
||||
#define REDUCE_H
|
||||
|
||||
#include <stdint.h>
|
||||
|
||||
uint16_t PQCLEAN_KYBER768_CLEAN_freeze(uint16_t x);
|
||||
|
||||
uint16_t PQCLEAN_KYBER768_CLEAN_montgomery_reduce(uint32_t a);
|
||||
|
||||
uint16_t PQCLEAN_KYBER768_CLEAN_barrett_reduce(uint16_t a);
|
||||
|
||||
#endif
|
||||
@ -1,48 +0,0 @@
|
||||
#include <stdint.h>
|
||||
#include <string.h>
|
||||
|
||||
/*************************************************
|
||||
* Name: verify
|
||||
*
|
||||
* Description: Compare two arrays for equality in constant time.
|
||||
*
|
||||
* Arguments: const unsigned char *a: pointer to first byte array
|
||||
* const unsigned char *b: pointer to second byte array
|
||||
* size_t len: length of the byte arrays
|
||||
*
|
||||
* Returns 0 if the byte arrays are equal, 1 otherwise
|
||||
**************************************************/
|
||||
int PQCLEAN_KYBER768_CLEAN_verify(const unsigned char *a, const unsigned char *b, size_t len) {
|
||||
uint64_t r;
|
||||
size_t i;
|
||||
r = 0;
|
||||
|
||||
for (i = 0; i < len; i++) {
|
||||
r |= a[i] ^ b[i];
|
||||
}
|
||||
|
||||
r = (-(int64_t)r) >> 63;
|
||||
return (int)r;
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: cmov
|
||||
*
|
||||
* Description: Copy len bytes from x to r if b is 1;
|
||||
* don't modify x if b is 0. Requires b to be in {0,1};
|
||||
* assumes two's complement representation of negative integers.
|
||||
* Runs in constant time.
|
||||
*
|
||||
* Arguments: unsigned char *r: pointer to output byte array
|
||||
* const unsigned char *x: pointer to input byte array
|
||||
* size_t len: Amount of bytes to be copied
|
||||
* unsigned char b: Condition bit; has to be in {0,1}
|
||||
**************************************************/
|
||||
void PQCLEAN_KYBER768_CLEAN_cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b) {
|
||||
size_t i;
|
||||
|
||||
b = -b;
|
||||
for (i = 0; i < len; i++) {
|
||||
r[i] ^= b & (x[i] ^ r[i]);
|
||||
}
|
||||
}
|
||||
@ -1,10 +0,0 @@
|
||||
#ifndef VERIFY_H
|
||||
#define VERIFY_H
|
||||
|
||||
#include <stdio.h>
|
||||
|
||||
int PQCLEAN_KYBER768_CLEAN_verify(const unsigned char *a, const unsigned char *b, size_t len);
|
||||
|
||||
void PQCLEAN_KYBER768_CLEAN_cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b);
|
||||
|
||||
#endif
|
||||
@ -1,27 +0,0 @@
|
||||
#ifndef API_H
|
||||
#define API_H
|
||||
|
||||
#include "params.h"
|
||||
|
||||
#define CRYPTO_SECRETKEYBYTES KYBER_SECRETKEYBYTES
|
||||
#define CRYPTO_PUBLICKEYBYTES KYBER_PUBLICKEYBYTES
|
||||
#define CRYPTO_CIPHERTEXTBYTES KYBER_CIPHERTEXTBYTES
|
||||
#define CRYPTO_BYTES KYBER_SYMBYTES
|
||||
|
||||
#if (KYBER_K == 2)
|
||||
#define CRYPTO_ALGNAME "Kyber512"
|
||||
#elif (KYBER_K == 3)
|
||||
#define CRYPTO_ALGNAME "Kyber768"
|
||||
#elif (KYBER_K == 4)
|
||||
#define CRYPTO_ALGNAME "Kyber1024"
|
||||
#else
|
||||
#error "KYBER_K must be in {2,3,4}"
|
||||
#endif
|
||||
|
||||
int crypto_kem_keypair(unsigned char *pk, unsigned char *sk);
|
||||
|
||||
int crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk);
|
||||
|
||||
int crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk);
|
||||
|
||||
#endif
|
||||
@ -1,108 +0,0 @@
|
||||
#include "cbd.h"
|
||||
|
||||
/*************************************************
|
||||
* Name: load_littleendian
|
||||
*
|
||||
* Description: load bytes into a 64-bit integer
|
||||
* in little-endian order
|
||||
*
|
||||
* Arguments: - const unsigned char *x: pointer to input byte array
|
||||
* - bytes: number of bytes to load, has to be <= 8
|
||||
*
|
||||
* Returns 64-bit unsigned integer loaded from x
|
||||
**************************************************/
|
||||
static uint64_t load_littleendian(const unsigned char *x, int bytes) {
|
||||
int i;
|
||||
uint64_t r = x[0];
|
||||
for (i = 1; i < bytes; i++)
|
||||
r |= (uint64_t) x[i] << (8 * i);
|
||||
return r;
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: cbd
|
||||
*
|
||||
* Description: Given an array of uniformly random bytes, compute
|
||||
* polynomial with coefficients distributed according to
|
||||
* a centered binomial distribution with parameter KYBER_ETA
|
||||
*
|
||||
* Arguments: - poly *r: pointer to output polynomial
|
||||
* - const unsigned char *buf: pointer to input byte array
|
||||
**************************************************/
|
||||
void cbd(poly *r, const unsigned char *buf) {
|
||||
#if KYBER_ETA == 3
|
||||
uint32_t t, d, a[4], b[4];
|
||||
int i, j;
|
||||
|
||||
for (i = 0; i < KYBER_N / 4; i++) {
|
||||
t = load_littleendian(buf + 3 * i, 3);
|
||||
d = 0;
|
||||
for (j = 0; j < 3; j++)
|
||||
d += (t >> j) & 0x249249;
|
||||
|
||||
a[0] = d & 0x7;
|
||||
b[0] = (d >> 3) & 0x7;
|
||||
a[1] = (d >> 6) & 0x7;
|
||||
b[1] = (d >> 9) & 0x7;
|
||||
a[2] = (d >> 12) & 0x7;
|
||||
b[2] = (d >> 15) & 0x7;
|
||||
a[3] = (d >> 18) & 0x7;
|
||||
b[3] = (d >> 21);
|
||||
|
||||
r->coeffs[4 * i + 0] = a[0] + KYBER_Q - b[0];
|
||||
r->coeffs[4 * i + 1] = a[1] + KYBER_Q - b[1];
|
||||
r->coeffs[4 * i + 2] = a[2] + KYBER_Q - b[2];
|
||||
r->coeffs[4 * i + 3] = a[3] + KYBER_Q - b[3];
|
||||
}
|
||||
#elif KYBER_ETA == 4
|
||||
uint32_t t, d, a[4], b[4];
|
||||
int i, j;
|
||||
|
||||
for (i = 0; i < KYBER_N / 4; i++) {
|
||||
t = load_littleendian(buf + 4 * i, 4);
|
||||
d = 0;
|
||||
for (j = 0; j < 4; j++)
|
||||
d += (t >> j) & 0x11111111;
|
||||
|
||||
a[0] = d & 0xf;
|
||||
b[0] = (d >> 4) & 0xf;
|
||||
a[1] = (d >> 8) & 0xf;
|
||||
b[1] = (d >> 12) & 0xf;
|
||||
a[2] = (d >> 16) & 0xf;
|
||||
b[2] = (d >> 20) & 0xf;
|
||||
a[3] = (d >> 24) & 0xf;
|
||||
b[3] = (d >> 28);
|
||||
|
||||
r->coeffs[4 * i + 0] = a[0] + KYBER_Q - b[0];
|
||||
r->coeffs[4 * i + 1] = a[1] + KYBER_Q - b[1];
|
||||
r->coeffs[4 * i + 2] = a[2] + KYBER_Q - b[2];
|
||||
r->coeffs[4 * i + 3] = a[3] + KYBER_Q - b[3];
|
||||
}
|
||||
#elif KYBER_ETA == 5
|
||||
uint64_t t, d, a[4], b[4];
|
||||
int i, j;
|
||||
|
||||
for (i = 0; i < KYBER_N / 4; i++) {
|
||||
t = load_littleendian(buf + 5 * i, 5);
|
||||
d = 0;
|
||||
for (j = 0; j < 5; j++)
|
||||
d += (t >> j) & 0x0842108421UL;
|
||||
|
||||
a[0] = d & 0x1f;
|
||||
b[0] = (d >> 5) & 0x1f;
|
||||
a[1] = (d >> 10) & 0x1f;
|
||||
b[1] = (d >> 15) & 0x1f;
|
||||
a[2] = (d >> 20) & 0x1f;
|
||||
b[2] = (d >> 25) & 0x1f;
|
||||
a[3] = (d >> 30) & 0x1f;
|
||||
b[3] = (d >> 35);
|
||||
|
||||
r->coeffs[4 * i + 0] = a[0] + KYBER_Q - b[0];
|
||||
r->coeffs[4 * i + 1] = a[1] + KYBER_Q - b[1];
|
||||
r->coeffs[4 * i + 2] = a[2] + KYBER_Q - b[2];
|
||||
r->coeffs[4 * i + 3] = a[3] + KYBER_Q - b[3];
|
||||
}
|
||||
#else
|
||||
#error "poly_getnoise in poly.c only supports eta in {3,4,5}"
|
||||
#endif
|
||||
}
|
||||
@ -1,9 +0,0 @@
|
||||
#ifndef CBD_H
|
||||
#define CBD_H
|
||||
|
||||
#include <stdint.h>
|
||||
#include "poly.h"
|
||||
|
||||
void cbd(poly *r, const unsigned char *buf);
|
||||
|
||||
#endif
|
||||
@ -1,305 +0,0 @@
|
||||
#include "indcpa.h"
|
||||
#include "poly.h"
|
||||
#include "polyvec.h"
|
||||
#include "ntt.h"
|
||||
|
||||
#include "oqs/rand.h"
|
||||
#include "oqs/sha3.h"
|
||||
|
||||
/*************************************************
|
||||
* Name: pack_pk
|
||||
*
|
||||
* Description: Serialize the public key as concatenation of the
|
||||
* compressed and serialized vector of polynomials pk
|
||||
* and the public seed used to generate the matrix A.
|
||||
*
|
||||
* Arguments: unsigned char *r: pointer to the output serialized public key
|
||||
* const poly *pk: pointer to the input public-key polynomial
|
||||
* const unsigned char *seed: pointer to the input public seed
|
||||
**************************************************/
|
||||
static void pack_pk(unsigned char *r, const polyvec *pk, const unsigned char *seed) {
|
||||
int i;
|
||||
polyvec_compress(r, pk);
|
||||
for (i = 0; i < KYBER_SYMBYTES; i++)
|
||||
r[i + KYBER_POLYVECCOMPRESSEDBYTES] = seed[i];
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: unpack_pk
|
||||
*
|
||||
* Description: De-serialize and decompress public key from a byte array;
|
||||
* approximate inverse of pack_pk
|
||||
*
|
||||
* Arguments: - polyvec *pk: pointer to output public-key vector of polynomials
|
||||
* - unsigned char *seed: pointer to output seed to generate matrix A
|
||||
* - const unsigned char *packedpk: pointer to input serialized public key
|
||||
**************************************************/
|
||||
static void unpack_pk(polyvec *pk, unsigned char *seed, const unsigned char *packedpk) {
|
||||
int i;
|
||||
polyvec_decompress(pk, packedpk);
|
||||
|
||||
for (i = 0; i < KYBER_SYMBYTES; i++)
|
||||
seed[i] = packedpk[i + KYBER_POLYVECCOMPRESSEDBYTES];
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: pack_ciphertext
|
||||
*
|
||||
* Description: Serialize the ciphertext as concatenation of the
|
||||
* compressed and serialized vector of polynomials b
|
||||
* and the compressed and serialized polynomial v
|
||||
*
|
||||
* Arguments: unsigned char *r: pointer to the output serialized ciphertext
|
||||
* const poly *pk: pointer to the input vector of polynomials b
|
||||
* const unsigned char *seed: pointer to the input polynomial v
|
||||
**************************************************/
|
||||
static void pack_ciphertext(unsigned char *r, const polyvec *b, const poly *v) {
|
||||
polyvec_compress(r, b);
|
||||
poly_compress(r + KYBER_POLYVECCOMPRESSEDBYTES, v);
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: unpack_ciphertext
|
||||
*
|
||||
* Description: De-serialize and decompress ciphertext from a byte array;
|
||||
* approximate inverse of pack_ciphertext
|
||||
*
|
||||
* Arguments: - polyvec *b: pointer to the output vector of polynomials b
|
||||
* - poly *v: pointer to the output polynomial v
|
||||
* - const unsigned char *c: pointer to the input serialized ciphertext
|
||||
**************************************************/
|
||||
static void unpack_ciphertext(polyvec *b, poly *v, const unsigned char *c) {
|
||||
polyvec_decompress(b, c);
|
||||
poly_decompress(v, c + KYBER_POLYVECCOMPRESSEDBYTES);
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: pack_sk
|
||||
*
|
||||
* Description: Serialize the secret key
|
||||
*
|
||||
* Arguments: - unsigned char *r: pointer to output serialized secret key
|
||||
* - const polyvec *sk: pointer to input vector of polynomials (secret key)
|
||||
**************************************************/
|
||||
static void pack_sk(unsigned char *r, const polyvec *sk) {
|
||||
polyvec_tobytes(r, sk);
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: unpack_sk
|
||||
*
|
||||
* Description: De-serialize the secret key;
|
||||
* inverse of pack_sk
|
||||
*
|
||||
* Arguments: - polyvec *sk: pointer to output vector of polynomials (secret key)
|
||||
* - const unsigned char *packedsk: pointer to input serialized secret key
|
||||
**************************************************/
|
||||
static void unpack_sk(polyvec *sk, const unsigned char *packedsk) {
|
||||
polyvec_frombytes(sk, packedsk);
|
||||
}
|
||||
|
||||
#define gen_a(A, B) gen_matrix(A, B, 0)
|
||||
#define gen_at(A, B) gen_matrix(A, B, 1)
|
||||
|
||||
/*************************************************
|
||||
* Name: gen_matrix
|
||||
*
|
||||
* Description: Deterministically generate matrix A (or the transpose of A)
|
||||
* from a seed. Entries of the matrix are polynomials that look
|
||||
* uniformly random. Performs rejection sampling on output of
|
||||
* SHAKE-128
|
||||
*
|
||||
* Arguments: - polyvec *a: pointer to ouptput matrix A
|
||||
* - const unsigned char *seed: pointer to input seed
|
||||
* - int transposed: boolean deciding whether A or A^T is generated
|
||||
**************************************************/
|
||||
static void gen_matrix(polyvec *a, const unsigned char *seed, int transposed) // Not static for benchmarking
|
||||
{
|
||||
unsigned int pos = 0, ctr;
|
||||
uint16_t val;
|
||||
unsigned int nblocks;
|
||||
const unsigned int maxnblocks = 4;
|
||||
uint8_t buf[OQS_SHA3_SHAKE128_RATE * 4]; /* was '* maxnblocks' but this is not a contant expr on WIN32 */
|
||||
int i, j, k;
|
||||
uint64_t state[25]; // SHAKE state
|
||||
unsigned char extseed[KYBER_SYMBYTES + 2];
|
||||
|
||||
for (i = 0; i < KYBER_SYMBYTES; i++)
|
||||
extseed[i] = seed[i];
|
||||
|
||||
for (i = 0; i < KYBER_K; i++) {
|
||||
for (j = 0; j < KYBER_K; j++) {
|
||||
ctr = pos = 0;
|
||||
nblocks = maxnblocks;
|
||||
if (transposed) {
|
||||
extseed[KYBER_SYMBYTES] = i;
|
||||
extseed[KYBER_SYMBYTES + 1] = j;
|
||||
} else {
|
||||
extseed[KYBER_SYMBYTES] = j;
|
||||
extseed[KYBER_SYMBYTES + 1] = i;
|
||||
}
|
||||
|
||||
for (k = 0; k < 25; k++)
|
||||
state[k] = 0;
|
||||
|
||||
OQS_SHA3_shake128_absorb(state, extseed, KYBER_SYMBYTES + 2);
|
||||
OQS_SHA3_shake128_squeezeblocks(buf, nblocks, state);
|
||||
|
||||
while (ctr < KYBER_N) {
|
||||
val = (buf[pos] | ((uint16_t) buf[pos + 1] << 8)) & 0x1fff;
|
||||
if (val < KYBER_Q) {
|
||||
a[i].vec[j].coeffs[ctr++] = val;
|
||||
}
|
||||
pos += 2;
|
||||
|
||||
if (pos > OQS_SHA3_SHAKE128_RATE * nblocks - 2) {
|
||||
nblocks = 1;
|
||||
OQS_SHA3_shake128_squeezeblocks(buf, nblocks, state);
|
||||
pos = 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: indcpa_keypair
|
||||
*
|
||||
* Description: Generates public and private key for the CPA-secure
|
||||
* public-key encryption scheme underlying Kyber
|
||||
*
|
||||
* Arguments: - unsigned char *pk: pointer to output public key (of length KYBER_INDCPA_PUBLICKEYBYTES bytes)
|
||||
* - unsigned char *sk: pointer to output private key (of length KYBER_INDCPA_SECRETKEYBYTES bytes)
|
||||
**************************************************/
|
||||
void indcpa_keypair(unsigned char *pk,
|
||||
unsigned char *sk) {
|
||||
polyvec a[KYBER_K], e, pkpv, skpv;
|
||||
unsigned char buf[2 * KYBER_SYMBYTES];
|
||||
unsigned char *publicseed = buf;
|
||||
unsigned char *noiseseed = buf + KYBER_SYMBYTES;
|
||||
int i;
|
||||
unsigned char nonce = 0;
|
||||
|
||||
OQS_randombytes(buf, KYBER_SYMBYTES);
|
||||
OQS_SHA3_sha3512(buf, buf, KYBER_SYMBYTES);
|
||||
|
||||
gen_a(a, publicseed);
|
||||
|
||||
for (i = 0; i < KYBER_K; i++)
|
||||
poly_getnoise(skpv.vec + i, noiseseed, nonce++);
|
||||
|
||||
polyvec_ntt(&skpv);
|
||||
|
||||
for (i = 0; i < KYBER_K; i++)
|
||||
poly_getnoise(e.vec + i, noiseseed, nonce++);
|
||||
|
||||
// matrix-vector multiplication
|
||||
for (i = 0; i < KYBER_K; i++)
|
||||
polyvec_pointwise_acc(&pkpv.vec[i], &skpv, a + i);
|
||||
|
||||
polyvec_invntt(&pkpv);
|
||||
polyvec_add(&pkpv, &pkpv, &e);
|
||||
|
||||
pack_sk(sk, &skpv);
|
||||
pack_pk(pk, &pkpv, publicseed);
|
||||
|
||||
OQS_MEM_cleanse((void *) &e, sizeof(polyvec));
|
||||
OQS_MEM_cleanse((void *) &skpv, sizeof(polyvec));
|
||||
OQS_MEM_cleanse((void *) buf, 2 * KYBER_SYMBYTES);
|
||||
OQS_MEM_cleanse((void *) &pkpv, sizeof(polyvec)); /* Is this required? Coefficients of pkpv aren't frozen */
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: indcpa_enc
|
||||
*
|
||||
* Description: Encryption function of the CPA-secure
|
||||
* public-key encryption scheme underlying Kyber.
|
||||
*
|
||||
* Arguments: - unsigned char *c: pointer to output ciphertext (of length KYBER_INDCPA_BYTES bytes)
|
||||
* - const unsigned char *m: pointer to input message (of length KYBER_INDCPA_MSGBYTES bytes)
|
||||
* - const unsigned char *pk: pointer to input public key (of length KYBER_INDCPA_PUBLICKEYBYTES bytes)
|
||||
* - const unsigned char *coin: pointer to input random coins used as seed (of length KYBER_SYMBYTES bytes)
|
||||
* to deterministically generate all randomness
|
||||
**************************************************/
|
||||
void indcpa_enc(unsigned char *c,
|
||||
const unsigned char *m,
|
||||
const unsigned char *pk,
|
||||
const unsigned char *coins) {
|
||||
polyvec sp, pkpv, ep, at[KYBER_K], bp;
|
||||
poly v, k, epp;
|
||||
unsigned char seed[KYBER_SYMBYTES];
|
||||
int i;
|
||||
unsigned char nonce = 0;
|
||||
|
||||
unpack_pk(&pkpv, seed, pk);
|
||||
|
||||
poly_frommsg(&k, m);
|
||||
|
||||
polyvec_ntt(&pkpv);
|
||||
|
||||
gen_at(at, seed);
|
||||
|
||||
for (i = 0; i < KYBER_K; i++)
|
||||
poly_getnoise(sp.vec + i, coins, nonce++);
|
||||
|
||||
polyvec_ntt(&sp);
|
||||
|
||||
for (i = 0; i < KYBER_K; i++)
|
||||
poly_getnoise(ep.vec + i, coins, nonce++);
|
||||
|
||||
// matrix-vector multiplication
|
||||
for (i = 0; i < KYBER_K; i++)
|
||||
polyvec_pointwise_acc(&bp.vec[i], &sp, at + i);
|
||||
|
||||
polyvec_invntt(&bp);
|
||||
polyvec_add(&bp, &bp, &ep);
|
||||
|
||||
polyvec_pointwise_acc(&v, &pkpv, &sp);
|
||||
poly_invntt(&v);
|
||||
|
||||
poly_getnoise(&epp, coins, nonce++);
|
||||
|
||||
poly_add(&v, &v, &epp);
|
||||
poly_add(&v, &v, &k);
|
||||
|
||||
pack_ciphertext(c, &bp, &v);
|
||||
|
||||
OQS_MEM_cleanse((void *) &sp, sizeof(polyvec));
|
||||
OQS_MEM_cleanse((void *) &ep, sizeof(polyvec));
|
||||
OQS_MEM_cleanse((void *) &k, sizeof(poly));
|
||||
OQS_MEM_cleanse((void *) &epp, sizeof(poly));
|
||||
OQS_MEM_cleanse((void *) &bp, sizeof(polyvec)); /* Is this required? Coefficients of bp aren't frozen */
|
||||
OQS_MEM_cleanse((void *) &v, sizeof(poly)); /* Is this required? Coefficients of v aren't frozen */
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: indcpa_dec
|
||||
*
|
||||
* Description: Decryption function of the CPA-secure
|
||||
* public-key encryption scheme underlying Kyber.
|
||||
*
|
||||
* Arguments: - unsigned char *m: pointer to output decrypted message (of length KYBER_INDCPA_MSGBYTES)
|
||||
* - const unsigned char *c: pointer to input ciphertext (of length KYBER_INDCPA_BYTES)
|
||||
* - const unsigned char *sk: pointer to input secret key (of length KYBER_INDCPA_SECRETKEYBYTES)
|
||||
**************************************************/
|
||||
void indcpa_dec(unsigned char *m,
|
||||
const unsigned char *c,
|
||||
const unsigned char *sk) {
|
||||
polyvec bp, skpv;
|
||||
poly v, mp;
|
||||
|
||||
unpack_ciphertext(&bp, &v, c);
|
||||
unpack_sk(&skpv, sk);
|
||||
|
||||
polyvec_ntt(&bp);
|
||||
|
||||
polyvec_pointwise_acc(&mp, &skpv, &bp);
|
||||
poly_invntt(&mp);
|
||||
|
||||
poly_sub(&mp, &mp, &v);
|
||||
|
||||
poly_tomsg(m, &mp);
|
||||
|
||||
OQS_MEM_cleanse((void *) &skpv, sizeof(polyvec));
|
||||
OQS_MEM_cleanse((void *) &mp, sizeof(poly));
|
||||
}
|
||||
@ -1,16 +0,0 @@
|
||||
#ifndef INDCPA_H
|
||||
#define INDCPA_H
|
||||
|
||||
void indcpa_keypair(unsigned char *pk,
|
||||
unsigned char *sk);
|
||||
|
||||
void indcpa_enc(unsigned char *c,
|
||||
const unsigned char *m,
|
||||
const unsigned char *pk,
|
||||
const unsigned char *coins);
|
||||
|
||||
void indcpa_dec(unsigned char *m,
|
||||
const unsigned char *c,
|
||||
const unsigned char *sk);
|
||||
|
||||
#endif
|
||||
@ -1,107 +0,0 @@
|
||||
#include "api.h"
|
||||
#include "params.h"
|
||||
#include "verify.h"
|
||||
#include "indcpa.h"
|
||||
|
||||
#include "oqs/rand.h"
|
||||
#include "oqs/sha3.h"
|
||||
|
||||
/*************************************************
|
||||
* Name: crypto_kem_keypair
|
||||
*
|
||||
* Description: Generates public and private key
|
||||
* for CCA-secure Kyber key encapsulation mechanism
|
||||
*
|
||||
* Arguments: - unsigned char *pk: pointer to output public key (an already allocated array of CRYPTO_PUBLICKEYBYTES bytes)
|
||||
* - unsigned char *sk: pointer to output private key (an already allocated array of CRYPTO_SECRETKEYBYTES bytes)
|
||||
*
|
||||
* Returns 0 (success)
|
||||
**************************************************/
|
||||
OQS_API OQS_STATUS crypto_kem_keypair(unsigned char *pk, unsigned char *sk) {
|
||||
size_t i;
|
||||
indcpa_keypair(pk, sk);
|
||||
for (i = 0; i < KYBER_INDCPA_PUBLICKEYBYTES; i++)
|
||||
sk[i + KYBER_INDCPA_SECRETKEYBYTES] = pk[i];
|
||||
OQS_SHA3_sha3256(sk + KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
|
||||
OQS_randombytes(sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES); /* Value z for pseudo-random output on reject */
|
||||
|
||||
return OQS_SUCCESS;
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: crypto_kem_enc
|
||||
*
|
||||
* Description: Generates cipher text and shared
|
||||
* secret for given public key
|
||||
*
|
||||
* Arguments: - unsigned char *ct: pointer to output cipher text (an already allocated array of CRYPTO_CIPHERTEXTBYTES bytes)
|
||||
* - unsigned char *ss: pointer to output shared secret (an already allocated array of CRYPTO_BYTES bytes)
|
||||
* - const unsigned char *pk: pointer to input public key (an already allocated array of CRYPTO_PUBLICKEYBYTES bytes)
|
||||
*
|
||||
* Returns 0 (success)
|
||||
**************************************************/
|
||||
OQS_API OQS_STATUS crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) {
|
||||
unsigned char kr[2 * KYBER_SYMBYTES]; /* Will contain key, coins */
|
||||
unsigned char buf[2 * KYBER_SYMBYTES];
|
||||
|
||||
OQS_randombytes(buf, KYBER_SYMBYTES);
|
||||
OQS_SHA3_sha3256(buf, buf, KYBER_SYMBYTES); /* Don't release system RNG output */
|
||||
|
||||
OQS_SHA3_sha3256(buf + KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES); /* Multitarget countermeasure for coins + contributory KEM */
|
||||
OQS_SHA3_sha3512(kr, buf, 2 * KYBER_SYMBYTES);
|
||||
|
||||
indcpa_enc(ct, buf, pk, kr + KYBER_SYMBYTES); /* coins are in kr+KYBER_SYMBYTES */
|
||||
|
||||
OQS_SHA3_sha3256(kr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); /* overwrite coins in kr with H(c) */
|
||||
OQS_SHA3_sha3256(ss, kr, 2 * KYBER_SYMBYTES); /* hash concatenation of pre-k and H(c) to k */
|
||||
|
||||
OQS_MEM_cleanse((void *) kr, 2 * KYBER_SYMBYTES);
|
||||
OQS_MEM_cleanse((void *) buf, 2 * KYBER_SYMBYTES);
|
||||
|
||||
return OQS_SUCCESS;
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: crypto_kem_dec
|
||||
*
|
||||
* Description: Generates shared secret for given
|
||||
* cipher text and private key
|
||||
*
|
||||
* Arguments: - unsigned char *ss: pointer to output shared secret (an already allocated array of CRYPTO_BYTES bytes)
|
||||
* - const unsigned char *ct: pointer to input cipher text (an already allocated array of CRYPTO_CIPHERTEXTBYTES bytes)
|
||||
* - const unsigned char *sk: pointer to input private key (an already allocated array of CRYPTO_SECRETKEYBYTES bytes)
|
||||
*
|
||||
* Returns 0.
|
||||
*
|
||||
* On failure, ss will contain a pseudo-random value.
|
||||
**************************************************/
|
||||
OQS_API OQS_STATUS crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) {
|
||||
size_t i;
|
||||
int fail;
|
||||
unsigned char cmp[KYBER_CIPHERTEXTBYTES];
|
||||
unsigned char buf[2 * KYBER_SYMBYTES];
|
||||
unsigned char kr[2 * KYBER_SYMBYTES]; /* Will contain key and coins */
|
||||
const unsigned char *pk = sk + KYBER_INDCPA_SECRETKEYBYTES;
|
||||
|
||||
indcpa_dec(buf, ct, sk);
|
||||
|
||||
for (i = 0; i < KYBER_SYMBYTES; i++) /* Multitarget countermeasure for coins + contributory KEM */
|
||||
buf[KYBER_SYMBYTES + i] = sk[KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES + i]; /* Save hash by storing H(pk) in sk */
|
||||
OQS_SHA3_sha3512(kr, buf, 2 * KYBER_SYMBYTES);
|
||||
|
||||
indcpa_enc(cmp, buf, pk, kr + KYBER_SYMBYTES); /* coins are in kr+KYBER_SYMBYTES */
|
||||
|
||||
fail = verify(ct, cmp, KYBER_CIPHERTEXTBYTES);
|
||||
|
||||
OQS_SHA3_sha3256(kr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); /* overwrite coins in kr with H(c) */
|
||||
|
||||
cmov(kr, sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES, fail); /* Overwrite pre-k with z on re-encryption failure */
|
||||
|
||||
OQS_SHA3_sha3256(ss, kr, 2 * KYBER_SYMBYTES); /* hash concatenation of pre-k and H(c) to k */
|
||||
|
||||
OQS_MEM_cleanse((void *) buf, 2 * KYBER_SYMBYTES);
|
||||
OQS_MEM_cleanse((void *) kr, 2 * KYBER_SYMBYTES);
|
||||
OQS_MEM_cleanse((void *) &fail, sizeof(int));
|
||||
|
||||
return OQS_SUCCESS;
|
||||
}
|
||||
@ -1,76 +0,0 @@
|
||||
#include "inttypes.h"
|
||||
#include "ntt.h"
|
||||
#include "params.h"
|
||||
#include "reduce.h"
|
||||
|
||||
extern const uint16_t omegas_inv_bitrev_montgomery[];
|
||||
extern const uint16_t psis_inv_montgomery[];
|
||||
extern const uint16_t zetas[];
|
||||
|
||||
/*************************************************
|
||||
* Name: ntt
|
||||
*
|
||||
* Description: Computes negacyclic number-theoretic transform (NTT) of
|
||||
* a polynomial (vector of 256 coefficients) in place;
|
||||
* inputs assumed to be in normal order, output in bitreversed order
|
||||
*
|
||||
* Arguments: - uint16_t *p: pointer to in/output polynomial
|
||||
**************************************************/
|
||||
void ntt(uint16_t *p) {
|
||||
int level, start, j, k;
|
||||
uint16_t zeta, t;
|
||||
|
||||
k = 1;
|
||||
for (level = 7; level >= 0; level--) {
|
||||
for (start = 0; start < KYBER_N; start = j + (1 << level)) {
|
||||
zeta = zetas[k++];
|
||||
for (j = start; j < start + (1 << level); ++j) {
|
||||
t = montgomery_reduce((uint32_t) zeta * p[j + (1 << level)]);
|
||||
|
||||
p[j + (1 << level)] = barrett_reduce(p[j] + 4 * KYBER_Q - t);
|
||||
|
||||
if (level & 1) /* odd level */
|
||||
p[j] = p[j] + t; /* Omit reduction (be lazy) */
|
||||
else
|
||||
p[j] = barrett_reduce(p[j] + t);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: invntt
|
||||
*
|
||||
* Description: Computes inverse of negacyclic number-theoretic transform (NTT) of
|
||||
* a polynomial (vector of 256 coefficients) in place;
|
||||
* inputs assumed to be in bitreversed order, output in normal order
|
||||
*
|
||||
* Arguments: - uint16_t *a: pointer to in/output polynomial
|
||||
**************************************************/
|
||||
void invntt(uint16_t *a) {
|
||||
int start, j, jTwiddle, level;
|
||||
uint16_t temp, W;
|
||||
uint32_t t;
|
||||
|
||||
for (level = 0; level < 8; level++) {
|
||||
for (start = 0; start < (1 << level); start++) {
|
||||
jTwiddle = 0;
|
||||
for (j = start; j < KYBER_N - 1; j += 2 * (1 << level)) {
|
||||
W = omegas_inv_bitrev_montgomery[jTwiddle++];
|
||||
temp = a[j];
|
||||
|
||||
if (level & 1) /* odd level */
|
||||
a[j] = barrett_reduce((temp + a[j + (1 << level)]));
|
||||
else
|
||||
a[j] = (temp + a[j + (1 << level)]); /* Omit reduction (be lazy) */
|
||||
|
||||
t = (W * ((uint32_t) temp + 4 * KYBER_Q - a[j + (1 << level)]));
|
||||
|
||||
a[j + (1 << level)] = montgomery_reduce(t);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
for (j = 0; j < KYBER_N; j++)
|
||||
a[j] = montgomery_reduce((a[j] * psis_inv_montgomery[j]));
|
||||
}
|
||||
@ -1,9 +0,0 @@
|
||||
#ifndef NTT_H
|
||||
#define NTT_H
|
||||
|
||||
#include <stdint.h>
|
||||
|
||||
void ntt(uint16_t *poly);
|
||||
void invntt(uint16_t *poly);
|
||||
|
||||
#endif
|
||||
@ -1,39 +0,0 @@
|
||||
#ifndef PARAMS_H
|
||||
#define PARAMS_H
|
||||
|
||||
#ifndef KYBER_K
|
||||
#define KYBER_K 3 /* Change this for different security strengths */
|
||||
#endif
|
||||
|
||||
/* Don't change parameters below this line */
|
||||
|
||||
#define KYBER_N 256
|
||||
#define KYBER_Q 7681
|
||||
|
||||
#if (KYBER_K == 2) /* Kyber512 */
|
||||
#define KYBER_ETA 5
|
||||
#elif (KYBER_K == 3) /* Kyber768 */
|
||||
#define KYBER_ETA 4
|
||||
#elif (KYBER_K == 4) /*KYBER1024 */
|
||||
#define KYBER_ETA 3
|
||||
#else
|
||||
#error "KYBER_K must be in {2,3,4}"
|
||||
#endif
|
||||
|
||||
#define KYBER_SYMBYTES 32 /* size in bytes of shared key, hashes, and seeds */
|
||||
|
||||
#define KYBER_POLYBYTES 416
|
||||
#define KYBER_POLYCOMPRESSEDBYTES 96
|
||||
#define KYBER_POLYVECBYTES (KYBER_K * KYBER_POLYBYTES)
|
||||
#define KYBER_POLYVECCOMPRESSEDBYTES (KYBER_K * 352)
|
||||
|
||||
#define KYBER_INDCPA_MSGBYTES KYBER_SYMBYTES
|
||||
#define KYBER_INDCPA_PUBLICKEYBYTES (KYBER_POLYVECCOMPRESSEDBYTES + KYBER_SYMBYTES)
|
||||
#define KYBER_INDCPA_SECRETKEYBYTES (KYBER_POLYVECBYTES)
|
||||
#define KYBER_INDCPA_BYTES (KYBER_POLYVECCOMPRESSEDBYTES + KYBER_POLYCOMPRESSEDBYTES)
|
||||
|
||||
#define KYBER_PUBLICKEYBYTES (KYBER_INDCPA_PUBLICKEYBYTES)
|
||||
#define KYBER_SECRETKEYBYTES (KYBER_INDCPA_SECRETKEYBYTES + KYBER_INDCPA_PUBLICKEYBYTES + 2 * KYBER_SYMBYTES) /* 32 bytes of additional space to save H(pk) */
|
||||
#define KYBER_CIPHERTEXTBYTES KYBER_INDCPA_BYTES
|
||||
|
||||
#endif
|
||||
@ -1,240 +0,0 @@
|
||||
#include "poly.h"
|
||||
#include "ntt.h"
|
||||
#include "polyvec.h"
|
||||
#include "reduce.h"
|
||||
#include "cbd.h"
|
||||
|
||||
#include "oqs/rand.h"
|
||||
#include "oqs/sha3.h"
|
||||
|
||||
/*************************************************
|
||||
* Name: poly_compress
|
||||
*
|
||||
* Description: Compression and subsequent serialization of a polynomial
|
||||
*
|
||||
* Arguments: - unsigned char *r: pointer to output byte array
|
||||
* - const poly *a: pointer to input polynomial
|
||||
**************************************************/
|
||||
void poly_compress(unsigned char *r, const poly *a) {
|
||||
uint32_t t[8];
|
||||
unsigned int i, j, k = 0;
|
||||
|
||||
for (i = 0; i < KYBER_N; i += 8) {
|
||||
for (j = 0; j < 8; j++)
|
||||
t[j] = (((freeze(a->coeffs[i + j]) << 3) + KYBER_Q / 2) / KYBER_Q) & 7;
|
||||
|
||||
r[k] = t[0] | (t[1] << 3) | (t[2] << 6);
|
||||
r[k + 1] = (t[2] >> 2) | (t[3] << 1) | (t[4] << 4) | (t[5] << 7);
|
||||
r[k + 2] = (t[5] >> 1) | (t[6] << 2) | (t[7] << 5);
|
||||
k += 3;
|
||||
}
|
||||
|
||||
OQS_MEM_cleanse((void *) t, 8);
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: poly_decompress
|
||||
*
|
||||
* Description: De-serialization and subsequent decompression of a polynomial;
|
||||
* approximate inverse of poly_compress
|
||||
*
|
||||
* Arguments: - poly *r: pointer to output polynomial
|
||||
* - const unsigned char *a: pointer to input byte array
|
||||
**************************************************/
|
||||
void poly_decompress(poly *r, const unsigned char *a) {
|
||||
unsigned int i;
|
||||
for (i = 0; i < KYBER_N; i += 8) {
|
||||
r->coeffs[i + 0] = (((a[0] & 7) * KYBER_Q) + 4) >> 3;
|
||||
r->coeffs[i + 1] = ((((a[0] >> 3) & 7) * KYBER_Q) + 4) >> 3;
|
||||
r->coeffs[i + 2] = ((((a[0] >> 6) | ((a[1] << 2) & 4)) * KYBER_Q) + 4) >> 3;
|
||||
r->coeffs[i + 3] = ((((a[1] >> 1) & 7) * KYBER_Q) + 4) >> 3;
|
||||
r->coeffs[i + 4] = ((((a[1] >> 4) & 7) * KYBER_Q) + 4) >> 3;
|
||||
r->coeffs[i + 5] = ((((a[1] >> 7) | ((a[2] << 1) & 6)) * KYBER_Q) + 4) >> 3;
|
||||
r->coeffs[i + 6] = ((((a[2] >> 2) & 7) * KYBER_Q) + 4) >> 3;
|
||||
r->coeffs[i + 7] = ((((a[2] >> 5)) * KYBER_Q) + 4) >> 3;
|
||||
a += 3;
|
||||
}
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: poly_tobytes
|
||||
*
|
||||
* Description: Serialization of a polynomial
|
||||
*
|
||||
* Arguments: - unsigned char *r: pointer to output byte array
|
||||
* - const poly *a: pointer to input polynomial
|
||||
**************************************************/
|
||||
void poly_tobytes(unsigned char *r, const poly *a) {
|
||||
int i, j;
|
||||
uint16_t t[8];
|
||||
|
||||
for (i = 0; i < KYBER_N / 8; i++) {
|
||||
for (j = 0; j < 8; j++)
|
||||
t[j] = freeze(a->coeffs[8 * i + j]);
|
||||
|
||||
r[13 * i + 0] = t[0] & 0xff;
|
||||
r[13 * i + 1] = (t[0] >> 8) | ((t[1] & 0x07) << 5);
|
||||
r[13 * i + 2] = (t[1] >> 3) & 0xff;
|
||||
r[13 * i + 3] = (t[1] >> 11) | ((t[2] & 0x3f) << 2);
|
||||
r[13 * i + 4] = (t[2] >> 6) | ((t[3] & 0x01) << 7);
|
||||
r[13 * i + 5] = (t[3] >> 1) & 0xff;
|
||||
r[13 * i + 6] = (t[3] >> 9) | ((t[4] & 0x0f) << 4);
|
||||
r[13 * i + 7] = (t[4] >> 4) & 0xff;
|
||||
r[13 * i + 8] = (t[4] >> 12) | ((t[5] & 0x7f) << 1);
|
||||
r[13 * i + 9] = (t[5] >> 7) | ((t[6] & 0x03) << 6);
|
||||
r[13 * i + 10] = (t[6] >> 2) & 0xff;
|
||||
r[13 * i + 11] = (t[6] >> 10) | ((t[7] & 0x1f) << 3);
|
||||
r[13 * i + 12] = (t[7] >> 5);
|
||||
}
|
||||
|
||||
OQS_MEM_cleanse((void *) t, 8);
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: poly_frombytes
|
||||
*
|
||||
* Description: De-serialization of a polynomial;
|
||||
* inverse of poly_tobytes
|
||||
*
|
||||
* Arguments: - poly *r: pointer to output polynomial
|
||||
* - const unsigned char *a: pointer to input byte array
|
||||
**************************************************/
|
||||
void poly_frombytes(poly *r, const unsigned char *a) {
|
||||
int i;
|
||||
for (i = 0; i < KYBER_N / 8; i++) {
|
||||
r->coeffs[8 * i + 0] = a[13 * i + 0] | (((uint16_t) a[13 * i + 1] & 0x1f) << 8);
|
||||
r->coeffs[8 * i + 1] = (a[13 * i + 1] >> 5) | (((uint16_t) a[13 * i + 2]) << 3) | (((uint16_t) a[13 * i + 3] & 0x03) << 11);
|
||||
r->coeffs[8 * i + 2] = (a[13 * i + 3] >> 2) | (((uint16_t) a[13 * i + 4] & 0x7f) << 6);
|
||||
r->coeffs[8 * i + 3] = (a[13 * i + 4] >> 7) | (((uint16_t) a[13 * i + 5]) << 1) | (((uint16_t) a[13 * i + 6] & 0x0f) << 9);
|
||||
r->coeffs[8 * i + 4] = (a[13 * i + 6] >> 4) | (((uint16_t) a[13 * i + 7]) << 4) | (((uint16_t) a[13 * i + 8] & 0x01) << 12);
|
||||
r->coeffs[8 * i + 5] = (a[13 * i + 8] >> 1) | (((uint16_t) a[13 * i + 9] & 0x3f) << 7);
|
||||
r->coeffs[8 * i + 6] = (a[13 * i + 9] >> 6) | (((uint16_t) a[13 * i + 10]) << 2) | (((uint16_t) a[13 * i + 11] & 0x07) << 10);
|
||||
r->coeffs[8 * i + 7] = (a[13 * i + 11] >> 3) | (((uint16_t) a[13 * i + 12]) << 5);
|
||||
}
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: poly_getnoise
|
||||
*
|
||||
* Description: Sample a polynomial deterministically from a seed and a nonce,
|
||||
* with output polynomial close to centered binomial distribution
|
||||
* with parameter KYBER_ETA
|
||||
*
|
||||
* Arguments: - poly *r: pointer to output polynomial
|
||||
* - const unsigned char *seed: pointer to input seed
|
||||
* - unsigned char nonce: one-byte input nonce
|
||||
**************************************************/
|
||||
void poly_getnoise(poly *r, const unsigned char *seed, unsigned char nonce) {
|
||||
unsigned char buf[KYBER_ETA * KYBER_N / 4];
|
||||
unsigned char extseed[KYBER_SYMBYTES + 1];
|
||||
int i;
|
||||
|
||||
for (i = 0; i < KYBER_SYMBYTES; i++)
|
||||
extseed[i] = seed[i];
|
||||
extseed[KYBER_SYMBYTES] = nonce;
|
||||
|
||||
OQS_SHA3_shake256(buf, KYBER_ETA * KYBER_N / 4, extseed, KYBER_SYMBYTES + 1);
|
||||
|
||||
cbd(r, buf);
|
||||
|
||||
OQS_MEM_cleanse((void *) buf, KYBER_ETA * KYBER_N / 4);
|
||||
OQS_MEM_cleanse((void *) extseed, KYBER_SYMBYTES + 1);
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: poly_ntt
|
||||
*
|
||||
* Description: Computes negacyclic number-theoretic transform (NTT) of
|
||||
* a polynomial in place;
|
||||
* inputs assumed to be in normal order, output in bitreversed order
|
||||
*
|
||||
* Arguments: - uint16_t *r: pointer to in/output polynomial
|
||||
**************************************************/
|
||||
void poly_ntt(poly *r) {
|
||||
ntt(r->coeffs);
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: poly_invntt
|
||||
*
|
||||
* Description: Computes inverse of negacyclic number-theoretic transform (NTT) of
|
||||
* a polynomial in place;
|
||||
* inputs assumed to be in bitreversed order, output in normal order
|
||||
*
|
||||
* Arguments: - uint16_t *a: pointer to in/output polynomial
|
||||
**************************************************/
|
||||
void poly_invntt(poly *r) {
|
||||
invntt(r->coeffs);
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: poly_add
|
||||
*
|
||||
* Description: Add two polynomials
|
||||
*
|
||||
* Arguments: - poly *r: pointer to output polynomial
|
||||
* - const poly *a: pointer to first input polynomial
|
||||
* - const poly *b: pointer to second input polynomial
|
||||
**************************************************/
|
||||
void poly_add(poly *r, const poly *a, const poly *b) {
|
||||
int i;
|
||||
for (i = 0; i < KYBER_N; i++)
|
||||
r->coeffs[i] = barrett_reduce(a->coeffs[i] + b->coeffs[i]);
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: poly_sub
|
||||
*
|
||||
* Description: Subtract two polynomials
|
||||
*
|
||||
* Arguments: - poly *r: pointer to output polynomial
|
||||
* - const poly *a: pointer to first input polynomial
|
||||
* - const poly *b: pointer to second input polynomial
|
||||
**************************************************/
|
||||
void poly_sub(poly *r, const poly *a, const poly *b) {
|
||||
int i;
|
||||
for (i = 0; i < KYBER_N; i++)
|
||||
r->coeffs[i] = barrett_reduce(a->coeffs[i] + 3 * KYBER_Q - b->coeffs[i]);
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: poly_frommsg
|
||||
*
|
||||
* Description: Convert 32-byte message to polynomial
|
||||
*
|
||||
* Arguments: - poly *r: pointer to output polynomial
|
||||
* - const unsigned char *msg: pointer to input message
|
||||
**************************************************/
|
||||
void poly_frommsg(poly *r, const unsigned char msg[KYBER_SYMBYTES]) {
|
||||
uint16_t i, j, mask;
|
||||
|
||||
for (i = 0; i < KYBER_SYMBYTES; i++) {
|
||||
for (j = 0; j < 8; j++) {
|
||||
mask = -((msg[i] >> j) & 1);
|
||||
r->coeffs[8 * i + j] = mask & ((KYBER_Q + 1) / 2);
|
||||
}
|
||||
}
|
||||
|
||||
OQS_MEM_cleanse((void *) &mask, sizeof(uint16_t));
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: poly_tomsg
|
||||
*
|
||||
* Description: Convert polynomial to 32-byte message
|
||||
*
|
||||
* Arguments: - unsigned char *msg: pointer to output message
|
||||
* - const poly *a: pointer to input polynomial
|
||||
**************************************************/
|
||||
void poly_tomsg(unsigned char msg[KYBER_SYMBYTES], const poly *a) {
|
||||
uint16_t t;
|
||||
int i, j;
|
||||
|
||||
for (i = 0; i < KYBER_SYMBYTES; i++) {
|
||||
msg[i] = 0;
|
||||
for (j = 0; j < 8; j++) {
|
||||
t = (((freeze(a->coeffs[8 * i + j]) << 1) + KYBER_Q / 2) / KYBER_Q) & 1;
|
||||
msg[i] |= t << j;
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -1,32 +0,0 @@
|
||||
#ifndef POLY_H
|
||||
#define POLY_H
|
||||
|
||||
#include <stdint.h>
|
||||
#include "params.h"
|
||||
|
||||
/*
|
||||
* Elements of R_q = Z_q[X]/(X^n + 1). Represents polynomial
|
||||
* coeffs[0] + X*coeffs[1] + X^2*xoeffs[2] + ... + X^{n-1}*coeffs[n-1]
|
||||
*/
|
||||
typedef struct {
|
||||
uint16_t coeffs[KYBER_N];
|
||||
} poly;
|
||||
|
||||
void poly_compress(unsigned char *r, const poly *a);
|
||||
void poly_decompress(poly *r, const unsigned char *a);
|
||||
|
||||
void poly_tobytes(unsigned char *r, const poly *a);
|
||||
void poly_frombytes(poly *r, const unsigned char *a);
|
||||
|
||||
void poly_frommsg(poly *r, const unsigned char msg[KYBER_SYMBYTES]);
|
||||
void poly_tomsg(unsigned char msg[KYBER_SYMBYTES], const poly *r);
|
||||
|
||||
void poly_getnoise(poly *r, const unsigned char *seed, unsigned char nonce);
|
||||
|
||||
void poly_ntt(poly *r);
|
||||
void poly_invntt(poly *r);
|
||||
|
||||
void poly_add(poly *r, const poly *a, const poly *b);
|
||||
void poly_sub(poly *r, const poly *a, const poly *b);
|
||||
|
||||
#endif
|
||||
@ -1,167 +0,0 @@
|
||||
#include "polyvec.h"
|
||||
#include "cbd.h"
|
||||
#include "reduce.h"
|
||||
|
||||
#include "oqs/rand.h"
|
||||
#include "oqs/sha3.h"
|
||||
|
||||
#if (KYBER_POLYVECCOMPRESSEDBYTES == (KYBER_K * 352))
|
||||
|
||||
/*************************************************
|
||||
* Name: polyvec_compress
|
||||
*
|
||||
* Description: Compress and serialize vector of polynomials
|
||||
*
|
||||
* Arguments: - unsigned char *r: pointer to output byte array
|
||||
* - const polyvec *a: pointer to input vector of polynomials
|
||||
**************************************************/
|
||||
void polyvec_compress(unsigned char *r, const polyvec *a) {
|
||||
int i, j, k;
|
||||
uint16_t t[8];
|
||||
for (i = 0; i < KYBER_K; i++) {
|
||||
for (j = 0; j < KYBER_N / 8; j++) {
|
||||
for (k = 0; k < 8; k++)
|
||||
t[k] = ((((uint32_t) freeze(a->vec[i].coeffs[8 * j + k]) << 11) + KYBER_Q / 2) / KYBER_Q) & 0x7ff;
|
||||
|
||||
r[11 * j + 0] = t[0] & 0xff;
|
||||
r[11 * j + 1] = (t[0] >> 8) | ((t[1] & 0x1f) << 3);
|
||||
r[11 * j + 2] = (t[1] >> 5) | ((t[2] & 0x03) << 6);
|
||||
r[11 * j + 3] = (t[2] >> 2) & 0xff;
|
||||
r[11 * j + 4] = (t[2] >> 10) | ((t[3] & 0x7f) << 1);
|
||||
r[11 * j + 5] = (t[3] >> 7) | ((t[4] & 0x0f) << 4);
|
||||
r[11 * j + 6] = (t[4] >> 4) | ((t[5] & 0x01) << 7);
|
||||
r[11 * j + 7] = (t[5] >> 1) & 0xff;
|
||||
r[11 * j + 8] = (t[5] >> 9) | ((t[6] & 0x3f) << 2);
|
||||
r[11 * j + 9] = (t[6] >> 6) | ((t[7] & 0x07) << 5);
|
||||
r[11 * j + 10] = (t[7] >> 3);
|
||||
}
|
||||
r += 352;
|
||||
}
|
||||
|
||||
OQS_MEM_cleanse((void *) t, 8);
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: polyvec_decompress
|
||||
*
|
||||
* Description: De-serialize and decompress vector of polynomials;
|
||||
* approximate inverse of polyvec_compress
|
||||
*
|
||||
* Arguments: - polyvec *r: pointer to output vector of polynomials
|
||||
* - unsigned char *a: pointer to input byte array
|
||||
**************************************************/
|
||||
void polyvec_decompress(polyvec *r, const unsigned char *a) {
|
||||
int i, j;
|
||||
for (i = 0; i < KYBER_K; i++) {
|
||||
for (j = 0; j < KYBER_N / 8; j++) {
|
||||
r->vec[i].coeffs[8 * j + 0] = (((a[11 * j + 0] | (((uint32_t) a[11 * j + 1] & 0x07) << 8)) * KYBER_Q) + 1024) >> 11;
|
||||
r->vec[i].coeffs[8 * j + 1] = ((((a[11 * j + 1] >> 3) | (((uint32_t) a[11 * j + 2] & 0x3f) << 5)) * KYBER_Q) + 1024) >> 11;
|
||||
r->vec[i].coeffs[8 * j + 2] = ((((a[11 * j + 2] >> 6) | (((uint32_t) a[11 * j + 3] & 0xff) << 2) | (((uint32_t) a[11 * j + 4] & 0x01) << 10)) * KYBER_Q) + 1024) >> 11;
|
||||
r->vec[i].coeffs[8 * j + 3] = ((((a[11 * j + 4] >> 1) | (((uint32_t) a[11 * j + 5] & 0x0f) << 7)) * KYBER_Q) + 1024) >> 11;
|
||||
r->vec[i].coeffs[8 * j + 4] = ((((a[11 * j + 5] >> 4) | (((uint32_t) a[11 * j + 6] & 0x7f) << 4)) * KYBER_Q) + 1024) >> 11;
|
||||
r->vec[i].coeffs[8 * j + 5] = ((((a[11 * j + 6] >> 7) | (((uint32_t) a[11 * j + 7] & 0xff) << 1) | (((uint32_t) a[11 * j + 8] & 0x03) << 9)) * KYBER_Q) + 1024) >> 11;
|
||||
r->vec[i].coeffs[8 * j + 6] = ((((a[11 * j + 8] >> 2) | (((uint32_t) a[11 * j + 9] & 0x1f) << 6)) * KYBER_Q) + 1024) >> 11;
|
||||
r->vec[i].coeffs[8 * j + 7] = ((((a[11 * j + 9] >> 5) | (((uint32_t) a[11 * j + 10] & 0xff) << 3)) * KYBER_Q) + 1024) >> 11;
|
||||
}
|
||||
a += 352;
|
||||
}
|
||||
}
|
||||
|
||||
#else
|
||||
#error "Unsupported compression of polyvec"
|
||||
#endif
|
||||
|
||||
/*************************************************
|
||||
* Name: polyvec_tobytes
|
||||
*
|
||||
* Description: Serialize vector of polynomials
|
||||
*
|
||||
* Arguments: - unsigned char *r: pointer to output byte array
|
||||
* - const polyvec *a: pointer to input vector of polynomials
|
||||
**************************************************/
|
||||
void polyvec_tobytes(unsigned char *r, const polyvec *a) {
|
||||
int i;
|
||||
for (i = 0; i < KYBER_K; i++)
|
||||
poly_tobytes(r + i * KYBER_POLYBYTES, &a->vec[i]);
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: polyvec_frombytes
|
||||
*
|
||||
* Description: De-serialize vector of polynomials;
|
||||
* inverse of polyvec_tobytes
|
||||
*
|
||||
* Arguments: - unsigned char *r: pointer to output byte array
|
||||
* - const polyvec *a: pointer to input vector of polynomials
|
||||
**************************************************/
|
||||
void polyvec_frombytes(polyvec *r, const unsigned char *a) {
|
||||
int i;
|
||||
for (i = 0; i < KYBER_K; i++)
|
||||
poly_frombytes(&r->vec[i], a + i * KYBER_POLYBYTES);
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: polyvec_ntt
|
||||
*
|
||||
* Description: Apply forward NTT to all elements of a vector of polynomials
|
||||
*
|
||||
* Arguments: - polyvec *r: pointer to in/output vector of polynomials
|
||||
**************************************************/
|
||||
void polyvec_ntt(polyvec *r) {
|
||||
int i;
|
||||
for (i = 0; i < KYBER_K; i++)
|
||||
poly_ntt(&r->vec[i]);
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: polyvec_invntt
|
||||
*
|
||||
* Description: Apply inverse NTT to all elements of a vector of polynomials
|
||||
*
|
||||
* Arguments: - polyvec *r: pointer to in/output vector of polynomials
|
||||
**************************************************/
|
||||
void polyvec_invntt(polyvec *r) {
|
||||
int i;
|
||||
for (i = 0; i < KYBER_K; i++)
|
||||
poly_invntt(&r->vec[i]);
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: polyvec_pointwise_acc
|
||||
*
|
||||
* Description: Pointwise multiply elements of a and b and accumulate into r
|
||||
*
|
||||
* Arguments: - poly *r: pointer to output polynomial
|
||||
* - const polyvec *a: pointer to first input vector of polynomials
|
||||
* - const polyvec *b: pointer to second input vector of polynomials
|
||||
**************************************************/
|
||||
void polyvec_pointwise_acc(poly *r, const polyvec *a, const polyvec *b) {
|
||||
int i, j;
|
||||
uint16_t t;
|
||||
for (j = 0; j < KYBER_N; j++) {
|
||||
t = montgomery_reduce(4613 * (uint32_t) b->vec[0].coeffs[j]); // 4613 = 2^{2*18} % q
|
||||
r->coeffs[j] = montgomery_reduce(a->vec[0].coeffs[j] * t);
|
||||
for (i = 1; i < KYBER_K; i++) {
|
||||
t = montgomery_reduce(4613 * (uint32_t) b->vec[i].coeffs[j]);
|
||||
r->coeffs[j] += montgomery_reduce(a->vec[i].coeffs[j] * t);
|
||||
}
|
||||
r->coeffs[j] = barrett_reduce(r->coeffs[j]);
|
||||
}
|
||||
|
||||
OQS_MEM_cleanse((void *) &t, sizeof(uint16_t));
|
||||
}
|
||||
|
||||
/*************************************************
|
||||
* Name: polyvec_add
|
||||
*
|
||||
* Description: Add vectors of polynomials
|
||||
*
|
||||
* Arguments: - polyvec *r: pointer to output vector of polynomials
|
||||
* - const polyvec *a: pointer to first input vector of polynomials
|
||||
* - const polyvec *b: pointer to second input vector of polynomials
|
||||
**************************************************/
|
||||
void polyvec_add(polyvec *r, const polyvec *a, const polyvec *b) {
|
||||
int i;
|
||||
for (i = 0; i < KYBER_K; i++)
|
||||
poly_add(&r->vec[i], &a->vec[i], &b->vec[i]);
|
||||
}
|
||||
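--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,24 +0,0 @@
-#ifndef POLYVEC_H
-#define POLYVEC_H
-
-#include "params.h"
-#include "poly.h"
-
-typedef struct {
-poly vec[KYBER_K];
-} polyvec;
-
-void polyvec_compress(unsigned char *r, const polyvec *a);
-void polyvec_decompress(polyvec *r, const unsigned char *a);
-
-void polyvec_tobytes(unsigned char *r, const polyvec *a);
-void polyvec_frombytes(polyvec *r, const unsigned char *a);
-
-void polyvec_ntt(polyvec *r);
-void polyvec_invntt(polyvec *r);
-
-void polyvec_pointwise_acc(poly *r, const polyvec *a, const polyvec *b);
-
-void polyvec_add(polyvec *r, const polyvec *a, const polyvec *b);
-
-#endif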
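--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,81 +0,0 @@
-#include "inttypes.h"
-#include "ntt.h"
-#include "params.h"
-
-/* Precomputed constants for the forward NTT and inverse NTT.
-* Computed using Pari/GP as follows:
-*
-brv=[0,128,64,192,32,160,96,224,16,144,80,208,48,176,112,240, \
-8,136,72,200,40,168,104,232,24,152,88,216,56,184,120,248, \
-4,132,68,196,36,164,100,228,20,148,84,212,52,180,116,244, \
-12,140,76,204,44,172,108,236,28,156,92,220,60,188,124,252, \
-2,130,66,194,34,162,98,226,18,146,82,210,50,178,114,242, \
-10,138,74,202,42,170,106,234,26,154,90,218,58,186,122,250, \
-6,134,70,198,38,166,102,230,22,150,86,214,54,182,118,246, \
-14,142,78,206,46,174,110,238,30,158,94,222,62,190,126,254, \
-1,129,65,193,33,161,97,225,17,145,81,209,49,177,113,241, \
-9,137,73,201,41,169,105,233,25,153,89,217,57,185,121,249, \
-5,133,69,197,37,165,101,229,21,149,85,213,53,181,117,245, \
-13,141,77,205,45,173,109,237,29,157,93,221,61,189,125,253, \
-3,131,67,195,35,163,99,227,19,147,83,211,51,179,115,243, \
-11,139,75,203,43,171,107,235,27,155,91,219,59,187,123,251, \
-7,135,71,199,39,167,103,231,23,151,87,215,55,183,119,247, \
-15,143,79,207,47,175,111,239,31,159,95,223,63,191,127,255];
-
-q = 7681;
-n = 256;
-mont = Mod(2^18,q);
-
-g=0; for(i=2,q-1,if(znorder(Mod(i,q)) == 2*n, g=Mod(i,q); break))
-
-zetas = lift(vector(n, i, g^(brv[i])*mont))
-omegas_inv_bitrev_montgomery = lift(vector(n/2, i, (g^2)^(-brv[2*(i-1)+1])*mont))
-psis_inv_montgomery = lift(vector(n, i, g^(-(i-1))/n*mont))
-
-*/
-
-const uint16_t zetas[KYBER_N] = {
-990, 7427, 2634, 6819, 578, 3281, 2143, 1095, 484, 6362, 3336, 5382, 6086, 3823, 877, 5656,
-3583, 7010, 6414, 263, 1285, 291, 7143, 7338, 1581, 5134, 5184, 5932, 4042, 5775, 2468, 3,
-606, 729, 5383, 962, 3240, 7548, 5129, 7653, 5929, 4965, 2461, 641, 1584, 2666, 1142, 157,
-7407, 5222, 5602, 5142, 6140, 5485, 4931, 1559, 2085, 5284, 2056, 3538, 7269, 3535, 7190, 1957,
-3465, 6792, 1538, 4664, 2023, 7643, 3660, 7673, 1694, 6905, 3995, 3475, 5939, 1859, 6910, 4434,
-1019, 1492, 7087, 4761, 657, 4859, 5798, 2640, 1693, 2607, 2782, 5400, 6466, 1010, 957, 3851,
-2121, 6392, 7319, 3367, 3659, 3375, 6430, 7583, 1549, 5856, 4773, 6084, 5544, 1650, 3997, 4390,
-6722, 2915, 4245, 2635, 6128, 7676, 5737, 1616, 3457, 3132, 7196, 4702, 6239, 851, 2122, 3009,
-7613, 7295, 2007, 323, 5112, 3716, 2289, 6442, 6965, 2713, 7126, 3401, 963, 6596, 607, 5027,
-7078, 4484, 5937, 944, 2860, 2680, 5049, 1777, 5850, 3387, 6487, 6777, 4812, 4724, 7077, 186,
-6848, 6793, 3463, 5877, 1174, 7116, 3077, 5945, 6591, 590, 6643, 1337, 6036, 3991, 1675, 2053,
-6055, 1162, 1679, 3883, 4311, 2106, 6163, 4486, 6374, 5006, 4576, 4288, 5180, 4102, 282, 6119,
-7443, 6330, 3184, 4971, 2530, 5325, 4171, 7185, 5175, 5655, 1898, 382, 7211, 43, 5965, 6073,
-1730, 332, 1577, 3304, 2329, 1699, 6150, 2379, 5113, 333, 3502, 4517, 1480, 1172, 5567, 651,
-925, 4573, 599, 1367, 4109, 1863, 6929, 1605, 3866, 2065, 4048, 839, 5764, 2447, 2022, 3345,
-1990, 4067, 2036, 2069, 3567, 7371, 2368, 339, 6947, 2159, 654, 7327, 2768, 6676, 987, 2214};
-
-const uint16_t omegas_inv_bitrev_montgomery[KYBER_N / 2] = {
-990, 254, 862, 5047, 6586, 5538, 4400, 7103, 2025, 6804, 3858, 1595, 2299, 4345, 1319, 7197,
-7678, 5213, 1906, 3639, 1749, 2497, 2547, 6100, 343, 538, 7390, 6396, 7418, 1267, 671, 4098,
-5724, 491, 4146, 412, 4143, 5625, 2397, 5596, 6122, 2750, 2196, 1541, 2539, 2079, 2459, 274,
-7524, 6539, 5015, 6097, 7040, 5220, 2716, 1752, 28, 2552, 133, 4441, 6719, 2298, 6952, 7075,
-4672, 5559, 6830, 1442, 2979, 485, 4549, 4224, 6065, 1944, 5, 1553, 5046, 3436, 4766, 959,
-3291, 3684, 6031, 2137, 1597, 2908, 1825, 6132, 98, 1251, 4306, 4022, 4314, 362, 1289, 5560,
-3830, 6724, 6671, 1215, 2281, 4899, 5074, 5988, 5041, 1883, 2822, 7024, 2920, 594, 6189, 6662,
-3247, 771, 5822, 1742, 4206, 3686, 776, 5987, 8, 4021, 38, 5658, 3017, 6143, 889, 4216};
-
-const uint16_t psis_inv_montgomery[KYBER_N] = {
-1024, 4972, 5779, 6907, 4943, 4168, 315, 5580, 90, 497, 1123, 142, 4710, 5527, 2443, 4871,
-698, 2489, 2394, 4003, 684, 2241, 2390, 7224, 5072, 2064, 4741, 1687, 6841, 482, 7441, 1235,
-2126, 4742, 2802, 5744, 6287, 4933, 699, 3604, 1297, 2127, 5857, 1705, 3868, 3779, 4397, 2177,
-159, 622, 2240, 1275, 640, 6948, 4572, 5277, 209, 2605, 1157, 7328, 5817, 3191, 1662, 2009,
-4864, 574, 2487, 164, 6197, 4436, 7257, 3462, 4268, 4281, 3414, 4515, 3170, 1290, 2003, 5855,
-7156, 6062, 7531, 1732, 3249, 4884, 7512, 3590, 1049, 2123, 1397, 6093, 3691, 6130, 6541, 3946,
-6258, 3322, 1788, 4241, 4900, 2309, 1400, 1757, 400, 502, 6698, 2338, 3011, 668, 7444, 4580,
-6516, 6795, 2959, 4136, 3040, 2279, 6355, 3943, 2913, 6613, 7416, 4084, 6508, 5556, 4054, 3782,
-61, 6567, 2212, 779, 632, 5709, 5667, 4923, 4911, 6893, 4695, 4164, 3536, 2287, 7594, 2848,
-3267, 1911, 3128, 546, 1991, 156, 4958, 5531, 6903, 483, 875, 138, 250, 2234, 2266, 7222,
-2842, 4258, 812, 6703, 232, 5207, 6650, 2585, 1900, 6225, 4932, 7265, 4701, 3173, 4635, 6393,
-227, 7313, 4454, 4284, 6759, 1224, 5223, 1447, 395, 2608, 4502, 4037, 189, 3348, 54, 6443,
-2210, 6230, 2826, 1780, 3002, 5995, 1955, 6102, 6045, 3938, 5019, 4417, 1434, 1262, 1507, 5847,
-5917, 7157, 7177, 6434, 7537, 741, 4348, 1309, 145, 374, 2236, 4496, 5028, 6771, 6923, 7421,
-1978, 1023, 3857, 6876, 1102, 7451, 4704, 6518, 1344, 765, 384, 5705, 1207, 1630, 4734, 1563,
-6839, 5933, 1954, 4987, 7142, 5814, 7527, 4953, 7637, 4707, 2182, 5734, 2818, 541, 4097, 5641};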
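--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,68 +0,0 @@
-#include "reduce.h"
-#include "params.h"
-
-static const uint32_t qinv = 7679; // -inverse_mod(q,2^18)
-static const uint32_t rlog = 18;
-
-/*************************************************
-* Name: montgomery_reduce
-*
-* Description: Montgomery reduction; given a 32-bit integer a, computes
-* 16-bit integer congruent to a * R^-1 mod q,
-* where R=2^18 (see value of rlog)
-*
-* Arguments: - uint32_t a: input unsigned integer to be reduced; has to be in {0,...,2281446912}
-*
-* Returns: unsigned integer in {0,...,2^13-1} congruent to a * R^-1 modulo q.
-**************************************************/
-uint16_t montgomery_reduce(uint32_t a) {
-uint32_t u;
-
-u = (a * qinv);
-u &= ((1 << rlog) - 1);
-u *= KYBER_Q;
-a = a + u;
-return a >> rlog;
-}
-
-/*************************************************
-* Name: barrett_reduce
-*
-* Description: Barrett reduction; given a 16-bit integer a, computes
-* 16-bit integer congruent to a mod q in {0,...,11768}
-*
-* Arguments: - uint16_t a: input unsigned integer to be reduced
-*
-* Returns: unsigned integer in {0,...,11768} congruent to a modulo q.
-**************************************************/
-uint16_t barrett_reduce(uint16_t a) {
-uint32_t u;
-
-u = a >> 13; //((uint32_t) a * sinv) >> 16;
-u *= KYBER_Q;
-a -= u;
-return a;
-}
-
-/*************************************************
-* Name: freeze
-*
-* Description: Full reduction; given a 16-bit integer a, computes
-* unsigned integer a mod q.
-*
-* Arguments: - uint16_t x: input unsigned integer to be reduced
-*
-* Returns: unsigned integer in {0,...,q-1} congruent to a modulo q.
-**************************************************/
-uint16_t freeze(uint16_t x) {
-uint16_t m, r;
-int16_t c;
-r = barrett_reduce(x);
-
-m = r - KYBER_Q;
-c = m;
-c >>= 15;
-r = m ^ ((r ^ m) & c);
-
-return r;
-}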
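--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,12 +0,0 @@
-#ifndef REDUCE_H
-#define REDUCE_H
-
-#include <stdint.h>
-
-uint16_t freeze(uint16_t x);
-
-uint16_t montgomery_reduce(uint32_t a);
-
-uint16_t barrett_reduce(uint16_t a);
-
-#endif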
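--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,46 +0,0 @@
-#include <string.h>
-#include <stdint.h>
-
-/*************************************************
-* Name: verify
-*
-* Description: Compare two arrays for equality in constant time.
-*
-* Arguments: const unsigned char *a: pointer to first byte array
-* const unsigned char *b: pointer to second byte array
-* size_t len: length of the byte arrays
-*
-* Returns 0 if the byte arrays are equal, 1 otherwise
-**************************************************/
-int verify(const unsigned char *a, const unsigned char *b, size_t len) {
-uint64_t r;
-size_t i;
-r = 0;
-
-for (i = 0; i < len; i++)
-r |= a[i] ^ b[i];
-
-r = (-r) >> 63;
-return r;
-}
-
-/*************************************************
-* Name: cmov
-*
-* Description: Copy len bytes from x to r if b is 1;
-* don't modify x if b is 0. Requires b to be in {0,1};
-* assumes two's complement representation of negative integers.
-* Runs in constant time.
-*
-* Arguments: unsigned char *r: pointer to output byte array
-* const unsigned char *x: pointer to input byte array
-* size_t len: Amount of bytes to be copied
-* unsigned char b: Condition bit; has to be in {0,1}
-**************************************************/
-void cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b) {
-size_t i;
-
-b = -b;
-for (i = 0; i < len; i++)
-r[i] ^= b & (x[i] ^ r[i]);
-}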
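--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef VERIFY_H
-#define VERIFY_H
-
-#include <stdio.h>
-
-int verify(const unsigned char *a, const unsigned char *b, size_t len);
-
-void cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b);
-
-#endif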
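--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,15 +0,0 @@
-/* Kyber1024 compilation file for Windows */
-
-#define KYBER_K 4
-#define FUNC_PREFIX OQS_KEM_kyber_1024_cca_kem
-
-#include "functions_renaming.h"
-#include "ref/cbd.c"
-#include "ref/indcpa.c"
-#include "ref/kem.c"
-#include "ref/ntt.c"
-#include "ref/poly.c"
-#include "ref/polyvec.c"
-#include "ref/precomp.c"
-#include "ref/reduce.c"
-#include "ref/verify.c"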
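--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,15 +0,0 @@
-/* Kyber512 compilation file for Windows */
-
-#define KYBER_K 2
-#define FUNC_PREFIX OQS_KEM_kyber_512_cca_kem
-
-#include "functions_renaming.h"
-#include "ref/cbd.c"
-#include "ref/indcpa.c"
-#include "ref/kem.c"
-#include "ref/ntt.c"
-#include "ref/poly.c"
-#include "ref/polyvec.c"
-#include "ref/precomp.c"
-#include "ref/reduce.c"
-#include "ref/verify.c"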
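--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,11 +0,0 @@
-/* Kyber768 compilation file for Windows */
-
-#include "pqclean_kyber768_clean/cbd.c"
-#include "pqclean_kyber768_clean/indcpa.c"
-#include "pqclean_kyber768_clean/kem.c"
-#include "pqclean_kyber768_clean/ntt.c"
-#include "pqclean_kyber768_clean/poly.c"
-#include "pqclean_kyber768_clean/polyvec.c"
-#include "pqclean_kyber768_clean/precomp.c"
-#include "pqclean_kyber768_clean/reduce.c"
-#include "pqclean_kyber768_clean/verify.c"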