sharpetronics/liboqs
1
0
Fork 0
mirror of https://github.com/open-quantum-safe/liboqs.git synced 2025-12-04 00:03:41 -05:00
Code Issues Projects Releases Wiki Activity

Upgraged to v2.1.1 of picnic.

Browse Source
This commit is contained in:
Christian Paquin 2019-08-29 19:56:46 -04:00
parent aeddb3ae2b
commit e3e504abd9
62 changed files with 1145 additions and 9230 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docs/algorithms/sig_picnic.md
View File

@ -31,7 +31,7 @@ Implementation
--------------
- **Source of implementation:** https://github.com/IAIK/Picnic
- **Implementation version:** https://github.com/IAIK/Picnic/tree/v2.0
- **Implementation version:** https://github.com/IAIK/Picnic/tree/v2.1.1
- **License:** MIT License
- **Language:** C
- **Constant-time:** Yes

2
src/sig/picnic/Makefile.am
View File

@ -1,7 +1,7 @@
AUTOMAKE_OPTIONS = foreign
noinst_LTLIBRARIES = libpicnic_i.la
libpicnic_i_la_SOURCES = sig_picnic.c external/aligned_alloc.c external/bitstream.c external/cpu.c external/io.c external/lowmc.c external/lowmc_pars.c external/lowmc_128_128_20.c external/lowmc_128_128_182.c external/lowmc_192_192_284.c external/lowmc_192_192_30.c external/lowmc_256_256_38.c external/lowmc_256_256_363.c external/mpc_lowmc.c external/mzd_additional.c external/picnic.c external/picnic_impl.c external/picnic2_impl.c external/picnic2_simulate.c external/picnic2_simulate_mul.c external/picnic2_tree.c external/picnic2_types.c external/sha3/KeccakHash.c external/sha3/KeccakSpongeWidth1600.c external/sha3/KeccakHashtimes4.c external/sha3/KeccakSpongeWidth1600times4.c external/sha3/opt64/KeccakP-1600-opt64.c external/sha3/opt64/KeccakP-1600-times4-on1.c
libpicnic_i_la_SOURCES = sig_picnic.c external/aligned_alloc.c external/bitstream.c external/cpu.c external/io.c external/lowmc.c external/lowmc_128_128_20.c external/lowmc_128_128_182.c external/lowmc_192_192_284.c external/lowmc_192_192_30.c external/lowmc_256_256_38.c external/lowmc_256_256_363.c external/mpc_lowmc.c external/mzd_additional.c external/picnic.c external/picnic_impl.c external/picnic2_impl.c external/picnic2_simulate.c external/picnic2_simulate_mul.c external/picnic2_tree.c external/picnic2_types.c external/sha3/KeccakHash.c external/sha3/KeccakSpongeWidth1600.c external/sha3/KeccakHashtimes4.c external/sha3/KeccakSpongeWidth1600times4.c external/sha3/opt64/KeccakP-1600-opt64.c external/sha3/opt64/KeccakP-1600-times4-on1.c
libpicnic_i_la_CFLAGS = -Iexternal -Iexternal/sha3 -Iexternal/sha3/opt64 -DPICNIC_STATIC -DOPTIMIZED_LINEAR_LAYER_EVALUATION -DREDUCED_ROUND_KEY_COMPUTATION -DWITH_LOWMC_128_128_20 -DWITH_LOWMC_192_192_30 -DWITH_LOWMC_256_256_38 -DWITH_OPT -DWITH_POPCNT

1
src/sig/picnic/external/README.md vendored
View File

@ -31,7 +31,6 @@ The cmake based build system supports the following flags:
* ``WITH_NEON``: Use NEON if available.
* ``WITH_MARCH_NATIVE``: Build with -march=native -mtune=native (if supported).
* ``WITH_LTO``: Enable link-time optimization (if supported).
* ``WITH_MUL_M4RI``: Use methods of four russians for matrix multiplication.
* ``WITH_LOWMC_OPT={OFF,ORKC,OLLE}``: Enable optimized round key computation (ORKC) or optimized linear layer evaluation (OLLE) optimizations.
* ``WITH_LOWMC_M1``: Enable LowMC instances with 1 Sbox minimizing the signature sizes.

2
src/sig/picnic/external/cpu.c vendored
View File

@ -35,7 +35,7 @@ static unsigned int init_caps(void) {
return caps;
}
#elif (defined(__x86_64__) || defined(__i386__)) && (defined(__GNUC__) || defined(_MSC_VER))
#elif (defined(__x86_64__) || defined(__i386__) || defined(_M_IX86) || defined(_M_AMD64)) && (defined(__GNUC__) || defined(_MSC_VER))
#ifdef _MSC_VER
#include <intrin.h>

58
src/sig/picnic/external/kdf_shake.h vendored
View File

@ -10,7 +10,6 @@
#ifndef KDF_SHAKE_H
#define KDF_SHAKE_H
#include <stdbool.h>
#include <stdint.h>
#if !defined(KeccakP200_excluded)
@ -27,15 +26,20 @@
#if !defined(SUPERCOP)
#include "sha3/KeccakHash.h"
#if defined(WITH_KECCAK_X4)
#include "sha3/KeccakHashtimes4.h"
#endif
#else
#include <libkeccak.a.headers/KeccakHash.h>
#if defined(WITH_KECCAK_X4)
/* Keccakx4 is not fully supported by SUPERCOP, so we need to ship it ourselves. */
#include "KeccakHashtimes4.h"
#endif
#endif
// this is not in SUPERCOP, so we ship it ourselves
#include "sha3/KeccakHashtimes4.h"
#include "picnic_impl.h"
typedef Keccak_HashInstance hash_context;
typedef Keccak_HashInstance hash_context ATTR_ALIGNED(32);
static inline void hash_init(hash_context* ctx, const picnic_instance_t* pp) {
if (pp->digest_size == 32) {
@ -63,7 +67,7 @@ static inline void hash_squeeze(hash_context* ctx, uint8_t* buffer, size_t bufle
Keccak_HashSqueeze(ctx, buffer, buflen << 3);
}
typedef Keccak_HashInstance kdf_shake_t;
typedef hash_context kdf_shake_t;
#define kdf_shake_init(ctx, pp) hash_init((ctx), (pp))
#define kdf_shake_init_prefix(ctx, pp, prefix) hash_init_prefix((ctx), (pp), (prefix))
@ -72,8 +76,45 @@ typedef Keccak_HashInstance kdf_shake_t;
#define kdf_shake_get_randomness(ctx, dst, count) hash_squeeze((ctx), (dst), (count))
#define kdf_shake_clear(ctx)
// Instances that work with 4 states in parallel
typedef Keccak_HashInstancetimes4 hash_context_x4;
#if !defined(WITH_KECCAK_X4)
/* Instances that work with 4 states in parallel using the base Keccak implementation. */
typedef struct hash_context_x4_s {
hash_context instances[4];
} hash_context_x4;
static inline void hash_init_x4(hash_context_x4* ctx, const picnic_instance_t* pp) {
for (unsigned int i = 0; i < 4; ++i) {
hash_init(&ctx->instances[i], pp);
}
}
static inline void hash_update_x4(hash_context_x4* ctx, const uint8_t** data, size_t size) {
for (unsigned int i = 0; i < 4; ++i) {
hash_update(&ctx->instances[i], data[i], size);
}
}
static inline void hash_init_prefix_x4(hash_context_x4* ctx, const picnic_instance_t* pp,
const uint8_t prefix) {
for (unsigned int i = 0; i < 4; ++i) {
hash_init_prefix(&ctx->instances[i], pp, prefix);
}
}
static inline void hash_final_x4(hash_context_x4* ctx) {
for (unsigned int i = 0; i < 4; ++i) {
hash_final(&ctx->instances[i]);
}
}
static inline void hash_squeeze_x4(hash_context_x4* ctx, uint8_t** buffer, size_t buflen) {
for (unsigned int i = 0; i < 4; ++i) {
hash_squeeze(&ctx->instances[i], buffer[i], buflen);
}
}
#else
/* Instances that work with 4 states in parallel. */
typedef Keccak_HashInstancetimes4 hash_context_x4 ATTR_ALIGNED(32);
static inline void hash_init_x4(hash_context_x4* ctx, const picnic_instance_t* pp) {
if (pp->digest_size == 32) {
@ -101,8 +142,9 @@ static inline void hash_final_x4(hash_context_x4* ctx) {
static inline void hash_squeeze_x4(hash_context_x4* ctx, uint8_t** buffer, size_t buflen) {
Keccak_HashSqueezetimes4(ctx, buffer, buflen << 3);
}
#endif
typedef Keccak_HashInstancetimes4 kdf_shake_x4_t;
typedef hash_context_x4 kdf_shake_x4_t;
#define kdf_shake_x4_init(ctx, pp) hash_init_x4((ctx), (pp))
#define kdf_shake_x4_init_prefix(ctx, pp, prefix) hash_init_prefix_x4((ctx), (pp), (prefix))

15
src/sig/picnic/external/lowmc.c vendored
View File

@ -139,7 +139,7 @@ static void sbox_layer_1_uint64(uint64_t* d) {
#define FN_ATTR ATTR_TARGET_AVX2
// L1 using AVX2
#include "lowmc_fns_s128_L1.h"
#include "lowmc_fns_s256_L1.h"
#undef LOWMC
#define LOWMC lowmc_s256_128
#include "lowmc.c.i"
@ -162,7 +162,11 @@ static void sbox_layer_1_uint64(uint64_t* d) {
#endif
lowmc_implementation_f lowmc_get_implementation(const lowmc_t* lowmc) {
#if defined(WITH_LOWMC_M1)
ASSUME(lowmc->m == 10 || lowmc->m == 1);
#else
ASSUME(lowmc->m == 10);
#endif
ASSUME(lowmc->n == 128 || lowmc->n == 192 || lowmc->n == 256);
#if defined(WITH_OPT)
@ -284,7 +288,11 @@ lowmc_implementation_f lowmc_get_implementation(const lowmc_t* lowmc) {
}
lowmc_store_implementation_f lowmc_store_get_implementation(const lowmc_t* lowmc) {
#if defined(WITH_LOWMC_M1)
ASSUME(lowmc->m == 10 || lowmc->m == 1);
#else
ASSUME(lowmc->m == 10);
#endif
ASSUME(lowmc->n == 128 || lowmc->n == 192 || lowmc->n == 256);
#if defined(WITH_OPT)
@ -406,8 +414,13 @@ lowmc_store_implementation_f lowmc_store_get_implementation(const lowmc_t* lowmc
}
lowmc_compute_aux_implementation_f lowmc_compute_aux_get_implementation(const lowmc_t* lowmc) {
#if defined(WITH_LOWMC_M1)
ASSUME(lowmc->m == 10 || lowmc->m == 1);
#else
ASSUME(lowmc->m == 10);
#endif
ASSUME(lowmc->n == 128 || lowmc->n == 192 || lowmc->n == 256);
#if defined(WITH_OPT)
#if defined(WITH_AVX2)
if (CPU_SUPPORTS_AVX2) {

2
src/sig/picnic/external/lowmc.h vendored
View File

@ -19,7 +19,7 @@ typedef struct {
// forward decleration to picnic2_types.h since we get some cyclic dependencies otherwise
typedef struct randomTape_t randomTape_t;
typedef mzd_local_t* (*lowmc_implementation_f)(lowmc_key_t const*, mzd_local_t const*);
typedef void (*lowmc_implementation_f)(lowmc_key_t const*, mzd_local_t const*, mzd_local_t*);
typedef void (*lowmc_store_implementation_f)(lowmc_key_t const*, mzd_local_t const*,
recorded_state_t* state);
typedef void (*lowmc_compute_aux_implementation_f)(lowmc_key_t const*, randomTape_t* tapes);

1470
src/sig/picnic/external/lowmc_128_128_182.c vendored
View File

File diff suppressed because it is too large Load Diff

4
src/sig/picnic/external/lowmc_128_128_182.h vendored
View File

@ -3,10 +3,6 @@
#include "lowmc_pars.h"
#if !defined(MUL_M4RI)
extern const lowmc_t lowmc_128_128_182;
#else
extern lowmc_t lowmc_128_128_182;
#endif
#endif

174
src/sig/picnic/external/lowmc_128_128_20.c vendored
View File

@ -3776,399 +3776,231 @@ static const block_t Ri_18[] = {
#endif
#if defined(MUL_M4RI)
static lowmc_round_t rounds[20] = {
#else
static const lowmc_round_t rounds[20] = {
#endif
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_1, L_0, C_0, NULL, NULL
#else
K_1, L_0, C_0
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_0, Ri_0, UINT64_C(0xffffffda40000000),
#else
#if defined(MUL_M4RI)
L_0, NULL
#else
L_0
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_2, L_1, C_1, NULL, NULL
#else
K_2, L_1, C_1
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_1, Ri_1, UINT64_C(0xffffffe700000000),
#else
#if defined(MUL_M4RI)
L_1, NULL
#else
L_1
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_3, L_2, C_2, NULL, NULL
#else
K_3, L_2, C_2
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_2, Ri_2, UINT64_C(0xfffffffa00000000),
#else
#if defined(MUL_M4RI)
L_2, NULL
#else
L_2
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_4, L_3, C_3, NULL, NULL
#else
K_4, L_3, C_3
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_3, Ri_3, UINT64_C(0xfffffff880000000),
#else
#if defined(MUL_M4RI)
L_3, NULL
#else
L_3
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_5, L_4, C_4, NULL, NULL
#else
K_5, L_4, C_4
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_4, Ri_4, UINT64_C(0xfffffffc00000000),
#else
#if defined(MUL_M4RI)
L_4, NULL
#else
L_4
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_6, L_5, C_5, NULL, NULL
#else
K_6, L_5, C_5
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_5, Ri_5, UINT64_C(0xffffffdc40000000),
#else
#if defined(MUL_M4RI)
L_5, NULL
#else
L_5
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_7, L_6, C_6, NULL, NULL
#else
K_7, L_6, C_6
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_6, Ri_6, UINT64_C(0xfffffffc00000000),
#else
#if defined(MUL_M4RI)
L_6, NULL
#else
L_6
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_8, L_7, C_7, NULL, NULL
#else
K_8, L_7, C_7
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_7, Ri_7, UINT64_C(0xfffffffa00000000),
#else
#if defined(MUL_M4RI)
L_7, NULL
#else
L_7
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_9, L_8, C_8, NULL, NULL
#else
K_9, L_8, C_8
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_8, Ri_8, UINT64_C(0xfffffffc00000000),
#else
#if defined(MUL_M4RI)
L_8, NULL
#else
L_8
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_10, L_9, C_9, NULL, NULL
#else
K_10, L_9, C_9
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_9, Ri_9, UINT64_C(0xfffffff840000000),
#else
#if defined(MUL_M4RI)
L_9, NULL
#else
L_9
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_11, L_10, C_10, NULL, NULL
#else
K_11, L_10, C_10
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_10, Ri_10, UINT64_C(0xfffffffc00000000),
#else
#if defined(MUL_M4RI)
L_10, NULL
#else
L_10
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_12, L_11, C_11, NULL, NULL
#else
K_12, L_11, C_11
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_11, Ri_11, UINT64_C(0xfffffffc00000000),
#else
#if defined(MUL_M4RI)
L_11, NULL
#else
L_11
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_13, L_12, C_12, NULL, NULL
#else
K_13, L_12, C_12
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_12, Ri_12, UINT64_C(0xfffffffa00000000),
#else
#if defined(MUL_M4RI)
L_12, NULL
#else
L_12
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_14, L_13, C_13, NULL, NULL
#else
K_14, L_13, C_13
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_13, Ri_13, UINT64_C(0xfffffffc00000000),
#else
#if defined(MUL_M4RI)
L_13, NULL
#else
L_13
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_15, L_14, C_14, NULL, NULL
#else
K_15, L_14, C_14
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_14, Ri_14, UINT64_C(0xfffffffa00000000),
#else
#if defined(MUL_M4RI)
L_14, NULL
#else
L_14
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_16, L_15, C_15, NULL, NULL
#else
K_16, L_15, C_15
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_15, Ri_15, UINT64_C(0xfffffffc00000000),
#else
#if defined(MUL_M4RI)
L_15, NULL
#else
L_15
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_17, L_16, C_16, NULL, NULL
#else
K_17, L_16, C_16
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_16, Ri_16, UINT64_C(0xfffffffa00000000),
#else
#if defined(MUL_M4RI)
L_16, NULL
#else
L_16
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_18, L_17, C_17, NULL, NULL
#else
K_18, L_17, C_17
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_17, Ri_17, UINT64_C(0xfffffffc00000000),
#else
#if defined(MUL_M4RI)
L_17, NULL
#else
L_17
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_19, L_18, C_18, NULL, NULL
#else
K_19, L_18, C_18
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_18, Ri_18, UINT64_C(0xffffffe580000000),
#else
#if defined(MUL_M4RI)
L_18, NULL
#else
L_18
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_20, L_19, C_19, NULL, NULL
#else
K_20, L_19, C_19
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
NULL, NULL, 0,
#else
#if defined(MUL_M4RI)
L_19, NULL
#else
L_19
#endif
#endif
#endif
},
};
#if defined(MUL_M4RI)
lowmc_t lowmc_128_128_20 = {
#else
const lowmc_t lowmc_128_128_20 = {
#endif
10, 128, 20, 128,
#if defined(REDUCED_ROUND_KEY_COMPUTATION)
precomputed_round_key_matrix_linear_part,
@ -4177,16 +4009,10 @@ const lowmc_t lowmc_128_128_20 = {
#endif
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Z_r,
#endif
#if defined(MUL_M4RI)
NULL,
#endif
rounds,
#if defined(REDUCED_ROUND_KEY_COMPUTATION)
precomputed_round_key_matrix_non_linear_part,
#if defined(MUL_M4RI)
NULL,
#endif
precomputed_constant_linear_part,
precomputed_constant_non_linear_part,
#endif

4
src/sig/picnic/external/lowmc_128_128_20.h vendored
View File

@ -3,10 +3,6 @@
#include "lowmc_pars.h"
#if !defined(MUL_M4RI)
extern const lowmc_t lowmc_128_128_20;
#else
extern lowmc_t lowmc_128_128_20;
#endif
#endif

2286
src/sig/picnic/external/lowmc_192_192_284.c vendored
View File

File diff suppressed because it is too large Load Diff

4
src/sig/picnic/external/lowmc_192_192_284.h vendored
View File

@ -3,10 +3,6 @@
#include "lowmc_pars.h"
#if !defined(MUL_M4RI)
extern const lowmc_t lowmc_192_192_284;
#else
extern lowmc_t lowmc_192_192_284;
#endif
#endif

254
src/sig/picnic/external/lowmc_192_192_30.c vendored
View File

@ -14504,589 +14504,341 @@ static const block_t Ri_28[] = {
#endif
#if defined(MUL_M4RI)
static lowmc_round_t rounds[30] = {
#else
static const lowmc_round_t rounds[30] = {
#endif
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_1, L_0, C_0, NULL, NULL
#else
K_1, L_0, C_0
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_0, Ri_0, UINT64_C(0xffffffde00000000),
#else
#if defined(MUL_M4RI)
L_0, NULL
#else
L_0
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_2, L_1, C_1, NULL, NULL
#else
K_2, L_1, C_1
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_1, Ri_1, UINT64_C(0xffffffde00000000),
#else
#if defined(MUL_M4RI)
L_1, NULL
#else
L_1
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_3, L_2, C_2, NULL, NULL
#else
K_3, L_2, C_2
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_2, Ri_2, UINT64_C(0xfffffffc00000000),
#else
#if defined(MUL_M4RI)
L_2, NULL
#else
L_2
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_4, L_3, C_3, NULL, NULL
#else
K_4, L_3, C_3
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_3, Ri_3, UINT64_C(0xffffffed00000000),
#else
#if defined(MUL_M4RI)
L_3, NULL
#else
L_3
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_5, L_4, C_4, NULL, NULL
#else
K_5, L_4, C_4
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_4, Ri_4, UINT64_C(0xffffffbd00000000),
#else
#if defined(MUL_M4RI)
L_4, NULL
#else
L_4
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_6, L_5, C_5, NULL, NULL
#else
K_6, L_5, C_5
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_5, Ri_5, UINT64_C(0xfffffff210000000),
#else
#if defined(MUL_M4RI)
L_5, NULL
#else
L_5
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_7, L_6, C_6, NULL, NULL
#else
K_7, L_6, C_6
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_6, Ri_6, UINT64_C(0xffffffec80000000),
#else
#if defined(MUL_M4RI)
L_6, NULL
#else
L_6
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_8, L_7, C_7, NULL, NULL
#else
K_8, L_7, C_7
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_7, Ri_7, UINT64_C(0xfffffff880000000),
#else
#if defined(MUL_M4RI)
L_7, NULL
#else
L_7
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_9, L_8, C_8, NULL, NULL
#else
K_9, L_8, C_8
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_8, Ri_8, UINT64_C(0xfffffff500000000),
#else
#if defined(MUL_M4RI)
L_8, NULL
#else
L_8
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_10, L_9, C_9, NULL, NULL
#else
K_10, L_9, C_9
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_9, Ri_9, UINT64_C(0xffffffdc20000000),
#else
#if defined(MUL_M4RI)
L_9, NULL
#else
L_9
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_11, L_10, C_10, NULL, NULL
#else
K_11, L_10, C_10
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_10, Ri_10, UINT64_C(0xfffffff900000000),
#else
#if defined(MUL_M4RI)
L_10, NULL
#else
L_10
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_12, L_11, C_11, NULL, NULL
#else
K_12, L_11, C_11
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_11, Ri_11, UINT64_C(0xffffffde00000000),
#else
#if defined(MUL_M4RI)
L_11, NULL
#else
L_11
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_13, L_12, C_12, NULL, NULL
#else
K_13, L_12, C_12
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_12, Ri_12, UINT64_C(0xfffffff900000000),
#else
#if defined(MUL_M4RI)
L_12, NULL
#else
L_12
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_14, L_13, C_13, NULL, NULL
#else
K_14, L_13, C_13
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_13, Ri_13, UINT64_C(0xfffffff500000000),
#else
#if defined(MUL_M4RI)
L_13, NULL
#else
L_13
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_15, L_14, C_14, NULL, NULL
#else
K_15, L_14, C_14
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_14, Ri_14, UINT64_C(0xfffffff900000000),
#else
#if defined(MUL_M4RI)
L_14, NULL
#else
L_14
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_16, L_15, C_15, NULL, NULL
#else
K_16, L_15, C_15
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_15, Ri_15, UINT64_C(0xfffffff808000000),
#else
#if defined(MUL_M4RI)
L_15, NULL
#else
L_15
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_17, L_16, C_16, NULL, NULL
#else
K_17, L_16, C_16
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_16, Ri_16, UINT64_C(0xffffffaf00000000),
#else
#if defined(MUL_M4RI)
L_16, NULL
#else
L_16
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_18, L_17, C_17, NULL, NULL
#else
K_18, L_17, C_17
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_17, Ri_17, UINT64_C(0xffffffee00000000),
#else
#if defined(MUL_M4RI)
L_17, NULL
#else
L_17
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_19, L_18, C_18, NULL, NULL
#else
K_19, L_18, C_18
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_18, Ri_18, UINT64_C(0xfffffffc00000000),
#else
#if defined(MUL_M4RI)
L_18, NULL
#else
L_18
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_20, L_19, C_19, NULL, NULL
#else
K_20, L_19, C_19
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_19, Ri_19, UINT64_C(0xfffffff900000000),
#else
#if defined(MUL_M4RI)
L_19, NULL
#else
L_19
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_21, L_20, C_20, NULL, NULL
#else
K_21, L_20, C_20
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_20, Ri_20, UINT64_C(0xffffff7620000000),
#else
#if defined(MUL_M4RI)
L_20, NULL
#else
L_20
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_22, L_21, C_21, NULL, NULL
#else
K_22, L_21, C_21
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_21, Ri_21, UINT64_C(0xfffffff280000000),
#else
#if defined(MUL_M4RI)
L_21, NULL
#else
L_21
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_23, L_22, C_22, NULL, NULL
#else
K_23, L_22, C_22
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_22, Ri_22, UINT64_C(0xffffffee00000000),
#else
#if defined(MUL_M4RI)
L_22, NULL
#else
L_22
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_24, L_23, C_23, NULL, NULL
#else
K_24, L_23, C_23
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_23, Ri_23, UINT64_C(0xfffffffc00000000),
#else
#if defined(MUL_M4RI)
L_23, NULL
#else
L_23
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_25, L_24, C_24, NULL, NULL
#else
K_25, L_24, C_24
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_24, Ri_24, UINT64_C(0xfffffff600000000),
#else
#if defined(MUL_M4RI)
L_24, NULL
#else
L_24
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_26, L_25, C_25, NULL, NULL
#else
K_26, L_25, C_25
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_25, Ri_25, UINT64_C(0xffffff7e00000000),
#else
#if defined(MUL_M4RI)
L_25, NULL
#else
L_25
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_27, L_26, C_26, NULL, NULL
#else
K_27, L_26, C_26
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_26, Ri_26, UINT64_C(0xfffffff500000000),
#else
#if defined(MUL_M4RI)
L_26, NULL
#else
L_26
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_28, L_27, C_27, NULL, NULL
#else
K_28, L_27, C_27
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_27, Ri_27, UINT64_C(0xfffffffa00000000),
#else
#if defined(MUL_M4RI)
L_27, NULL
#else
L_27
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_29, L_28, C_28, NULL, NULL
#else
K_29, L_28, C_28
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_28, Ri_28, UINT64_C(0xfffffff600000000),
#else
#if defined(MUL_M4RI)
L_28, NULL
#else
L_28
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_30, L_29, C_29, NULL, NULL
#else
K_30, L_29, C_29
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
NULL, NULL, 0,
#else
#if defined(MUL_M4RI)
L_29, NULL
#else
L_29
#endif
#endif
#endif
},
};
#if defined(MUL_M4RI)
lowmc_t lowmc_192_192_30 = {
#else
const lowmc_t lowmc_192_192_30 = {
#endif
10, 192, 30, 192,
#if defined(REDUCED_ROUND_KEY_COMPUTATION)
precomputed_round_key_matrix_linear_part,
@ -15095,16 +14847,10 @@ const lowmc_t lowmc_192_192_30 = {
#endif
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Z_r,
#endif
#if defined(MUL_M4RI)
NULL,
#endif
rounds,
#if defined(REDUCED_ROUND_KEY_COMPUTATION)
precomputed_round_key_matrix_non_linear_part,
#if defined(MUL_M4RI)
NULL,
#endif
precomputed_constant_linear_part,
precomputed_constant_non_linear_part,
#endif

4
src/sig/picnic/external/lowmc_192_192_30.h vendored
View File

@ -3,10 +3,6 @@
#include "lowmc_pars.h"
#if !defined(MUL_M4RI)
extern const lowmc_t lowmc_192_192_30;
#else
extern lowmc_t lowmc_192_192_30;
#endif
#endif

2918
src/sig/picnic/external/lowmc_256_256_363.c vendored
View File

File diff suppressed because it is too large Load Diff

4
src/sig/picnic/external/lowmc_256_256_363.h vendored
View File

@ -3,10 +3,6 @@
#include "lowmc_pars.h"
#if !defined(MUL_M4RI)
extern const lowmc_t lowmc_256_256_363;
#else
extern lowmc_t lowmc_256_256_363;
#endif
#endif

318
src/sig/picnic/external/lowmc_256_256_38.c vendored
View File

@ -23296,741 +23296,429 @@ static const block_t Ri_36[] = {
#endif
#if defined(MUL_M4RI)
static lowmc_round_t rounds[38] = {
#else
static const lowmc_round_t rounds[38] = {
#endif
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_1, L_0, C_0, NULL, NULL
#else
K_1, L_0, C_0
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_0, Ri_0, UINT64_C(0xffffffee00000000),
#else
#if defined(MUL_M4RI)
L_0, NULL
#else
L_0
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_2, L_1, C_1, NULL, NULL
#else
K_2, L_1, C_1
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_1, Ri_1, UINT64_C(0xffffffdc40000000),
#else
#if defined(MUL_M4RI)
L_1, NULL
#else
L_1
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_3, L_2, C_2, NULL, NULL
#else
K_3, L_2, C_2
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_2, Ri_2, UINT64_C(0xfffffff880000000),
#else
#if defined(MUL_M4RI)
L_2, NULL
#else
L_2
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_4, L_3, C_3, NULL, NULL
#else
K_4, L_3, C_3
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_3, Ri_3, UINT64_C(0xffffffee00000000),
#else
#if defined(MUL_M4RI)
L_3, NULL
#else
L_3
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_5, L_4, C_4, NULL, NULL
#else
K_5, L_4, C_4
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_4, Ri_4, UINT64_C(0xfffffffc00000000),
#else
#if defined(MUL_M4RI)
L_4, NULL
#else
L_4
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_6, L_5, C_5, NULL, NULL
#else
K_6, L_5, C_5
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_5, Ri_5, UINT64_C(0xffffffe980000000),
#else
#if defined(MUL_M4RI)
L_5, NULL
#else
L_5
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_7, L_6, C_6, NULL, NULL
#else
K_7, L_6, C_6
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_6, Ri_6, UINT64_C(0xfffffffc00000000),
#else
#if defined(MUL_M4RI)
L_6, NULL
#else
L_6
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_8, L_7, C_7, NULL, NULL
#else
K_8, L_7, C_7
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_7, Ri_7, UINT64_C(0xfffffffc00000000),
#else
#if defined(MUL_M4RI)
L_7, NULL
#else
L_7
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_9, L_8, C_8, NULL, NULL
#else
K_9, L_8, C_8
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_8, Ri_8, UINT64_C(0xfffffffc00000000),
#else
#if defined(MUL_M4RI)
L_8, NULL
#else
L_8
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_10, L_9, C_9, NULL, NULL
#else
K_10, L_9, C_9
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_9, Ri_9, UINT64_C(0xfffffffa00000000),
#else
#if defined(MUL_M4RI)
L_9, NULL
#else
L_9
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_11, L_10, C_10, NULL, NULL
#else
K_11, L_10, C_10
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_10, Ri_10, UINT64_C(0xffffffb700000000),
#else
#if defined(MUL_M4RI)
L_10, NULL
#else
L_10
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_12, L_11, C_11, NULL, NULL
#else
K_12, L_11, C_11
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_11, Ri_11, UINT64_C(0xffffffd508000000),
#else
#if defined(MUL_M4RI)
L_11, NULL
#else
L_11
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_13, L_12, C_12, NULL, NULL
#else
K_13, L_12, C_12
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_12, Ri_12, UINT64_C(0xfffffff900000000),
#else
#if defined(MUL_M4RI)
L_12, NULL
#else
L_12
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_14, L_13, C_13, NULL, NULL
#else
K_14, L_13, C_13
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_13, Ri_13, UINT64_C(0xfffffffa00000000),
#else
#if defined(MUL_M4RI)
L_13, NULL
#else
L_13
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_15, L_14, C_14, NULL, NULL
#else
K_15, L_14, C_14
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_14, Ri_14, UINT64_C(0xfffffff900000000),
#else
#if defined(MUL_M4RI)
L_14, NULL
#else
L_14
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_16, L_15, C_15, NULL, NULL
#else
K_16, L_15, C_15
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_15, Ri_15, UINT64_C(0xfffffffc00000000),
#else
#if defined(MUL_M4RI)
L_15, NULL
#else
L_15
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_17, L_16, C_16, NULL, NULL
#else
K_17, L_16, C_16
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_16, Ri_16, UINT64_C(0xfffffffc00000000),
#else
#if defined(MUL_M4RI)
L_16, NULL
#else
L_16
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_18, L_17, C_17, NULL, NULL
#else
K_18, L_17, C_17
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_17, Ri_17, UINT64_C(0xffffffde00000000),
#else
#if defined(MUL_M4RI)
L_17, NULL
#else
L_17
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_19, L_18, C_18, NULL, NULL
#else
K_19, L_18, C_18
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_18, Ri_18, UINT64_C(0xfffffff900000000),
#else
#if defined(MUL_M4RI)
L_18, NULL
#else
L_18
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_20, L_19, C_19, NULL, NULL
#else
K_20, L_19, C_19
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_19, Ri_19, UINT64_C(0xfffffff300000000),
#else
#if defined(MUL_M4RI)
L_19, NULL
#else
L_19
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_21, L_20, C_20, NULL, NULL
#else
K_21, L_20, C_20
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_20, Ri_20, UINT64_C(0xffffffed00000000),
#else
#if defined(MUL_M4RI)
L_20, NULL
#else
L_20
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_22, L_21, C_21, NULL, NULL
#else
K_22, L_21, C_21
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_21, Ri_21, UINT64_C(0xfffffff300000000),
#else
#if defined(MUL_M4RI)
L_21, NULL
#else
L_21
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_23, L_22, C_22, NULL, NULL
#else
K_23, L_22, C_22
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_22, Ri_22, UINT64_C(0xfffffffa00000000),
#else
#if defined(MUL_M4RI)
L_22, NULL
#else
L_22
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_24, L_23, C_23, NULL, NULL
#else
K_24, L_23, C_23
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_23, Ri_23, UINT64_C(0xffffffec20000000),
#else
#if defined(MUL_M4RI)
L_23, NULL
#else
L_23
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_25, L_24, C_24, NULL, NULL
#else
K_25, L_24, C_24
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_24, Ri_24, UINT64_C(0xfffffff900000000),
#else
#if defined(MUL_M4RI)
L_24, NULL
#else
L_24
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_26, L_25, C_25, NULL, NULL
#else
K_26, L_25, C_25
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_25, Ri_25, UINT64_C(0xfffffff880000000),
#else
#if defined(MUL_M4RI)
L_25, NULL
#else
L_25
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_27, L_26, C_26, NULL, NULL
#else
K_27, L_26, C_26
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_26, Ri_26, UINT64_C(0xfffffff600000000),
#else
#if defined(MUL_M4RI)
L_26, NULL
#else
L_26
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_28, L_27, C_27, NULL, NULL
#else
K_28, L_27, C_27
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_27, Ri_27, UINT64_C(0xfffffffc00000000),
#else
#if defined(MUL_M4RI)
L_27, NULL
#else
L_27
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_29, L_28, C_28, NULL, NULL
#else
K_29, L_28, C_28
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_28, Ri_28, UINT64_C(0xfffffffc00000000),
#else
#if defined(MUL_M4RI)
L_28, NULL
#else
L_28
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_30, L_29, C_29, NULL, NULL
#else
K_30, L_29, C_29
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_29, Ri_29, UINT64_C(0xffffff7700000000),
#else
#if defined(MUL_M4RI)
L_29, NULL
#else
L_29
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_31, L_30, C_30, NULL, NULL
#else
K_31, L_30, C_30
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_30, Ri_30, UINT64_C(0xfffffff600000000),
#else
#if defined(MUL_M4RI)
L_30, NULL
#else
L_30
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_32, L_31, C_31, NULL, NULL
#else
K_32, L_31, C_31
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_31, Ri_31, UINT64_C(0xffffffbc40000000),
#else
#if defined(MUL_M4RI)
L_31, NULL
#else
L_31
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_33, L_32, C_32, NULL, NULL
#else
K_33, L_32, C_32
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_32, Ri_32, UINT64_C(0xfffffffa00000000),
#else
#if defined(MUL_M4RI)
L_32, NULL
#else
L_32
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_34, L_33, C_33, NULL, NULL
#else
K_34, L_33, C_33
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_33, Ri_33, UINT64_C(0xfffffffc00000000),
#else
#if defined(MUL_M4RI)
L_33, NULL
#else
L_33
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_35, L_34, C_34, NULL, NULL
#else
K_35, L_34, C_34
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_34, Ri_34, UINT64_C(0xfffffff600000000),
#else
#if defined(MUL_M4RI)
L_34, NULL
#else
L_34
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_36, L_35, C_35, NULL, NULL
#else
K_36, L_35, C_35
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_35, Ri_35, UINT64_C(0xfffffffc00000000),
#else
#if defined(MUL_M4RI)
L_35, NULL
#else
L_35
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_37, L_36, C_36, NULL, NULL
#else
K_37, L_36, C_36
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Zi_36, Ri_36, UINT64_C(0xffffffe700000000),
#else
#if defined(MUL_M4RI)
L_36, NULL
#else
L_36
#endif
#endif
#endif
},
{
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
#if defined(MUL_M4RI)
K_38, L_37, C_37, NULL, NULL
#else
K_38, L_37, C_37
#endif
#else
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
NULL, NULL, 0,
#else
#if defined(MUL_M4RI)
L_37, NULL
#else
L_37
#endif
#endif
#endif
},
};
#if defined(MUL_M4RI)
lowmc_t lowmc_256_256_38 = {
#else
const lowmc_t lowmc_256_256_38 = {
#endif
10, 256, 38, 256,
#if defined(REDUCED_ROUND_KEY_COMPUTATION)
precomputed_round_key_matrix_linear_part,
@ -24039,16 +23727,10 @@ const lowmc_t lowmc_256_256_38 = {
#endif
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
Z_r,
#endif
#if defined(MUL_M4RI)
NULL,
#endif
rounds,
#if defined(REDUCED_ROUND_KEY_COMPUTATION)
precomputed_round_key_matrix_non_linear_part,
#if defined(MUL_M4RI)
NULL,
#endif
precomputed_constant_linear_part,
precomputed_constant_non_linear_part,
#endif

4
src/sig/picnic/external/lowmc_256_256_38.h vendored
View File

@ -3,10 +3,6 @@
#include "lowmc_pars.h"
#if !defined(MUL_M4RI)
extern const lowmc_t lowmc_256_256_38;
#else
extern lowmc_t lowmc_256_256_38;
#endif
#endif

8
src/sig/picnic/external/lowmc_fns_s128_L1.h vendored
View File

@ -9,14 +9,14 @@
#include "lowmc_fns_undef.h"
#define ADDMUL SELECT_V_VL(mzd_addmul_v_s128_128, mzd_addmul_vl_s128_128)
#define MUL SELECT_V_VL(mzd_mul_v_s128_128, mzd_mul_vl_s128_128)
#define ADDMUL mzd_addmul_v_s128_128
#define MUL mzd_mul_v_s128_128
#define SHUFFLE mzd_shuffle_128
#define XOR mzd_xor_s128_128
#define COPY mzd_copy_s128_128
#define MUL_MC_1 SELECT_V_VL(mzd_mul_v_s128_128_640, mzd_mul_vl_s128_128_640)
#define MUL_MC_10 SELECT_V_VL(mzd_mul_v_s128_128_640, mzd_mul_vl_s128_128_640)
#define MUL_MC_1 mzd_mul_v_s128_128_640
#define MUL_MC_10 mzd_mul_v_s128_128_640
#define ADDMUL_R_1 mzd_addmul_v_s128_3_128
#define ADDMUL_R_10 mzd_addmul_v_s128_30_128
#define MUL_Z_1 mzd_mul_v_parity_uint64_128_3

8
src/sig/picnic/external/lowmc_fns_s128_L3.h vendored
View File

@ -9,14 +9,14 @@
#include "lowmc_fns_undef.h"
#define ADDMUL SELECT_V_VL(mzd_addmul_v_s128_192, mzd_addmul_vl_s128_192)
#define MUL SELECT_V_VL(mzd_mul_v_s128_192, mzd_mul_vl_s128_192)
#define ADDMUL mzd_addmul_v_s128_192
#define MUL mzd_mul_v_s128_192
#define SHUFFLE mzd_shuffle_192
#define XOR mzd_xor_s128_256
#define COPY mzd_copy_s128_256
#define MUL_MC_1 SELECT_V_VL(mzd_mul_v_s128_192_896, mzd_mul_vl_s128_192_896)
#define MUL_MC_10 SELECT_V_VL(mzd_mul_v_s128_192_1024, mzd_mul_vl_s128_192_1024)
#define MUL_MC_1 mzd_mul_v_s128_192_896
#define MUL_MC_10 mzd_mul_v_s128_192_1024
#define ADDMUL_R_1 mzd_addmul_v_s128_3_192
#define ADDMUL_R_10 mzd_addmul_v_s128_30_192
#define MUL_Z_1 mzd_mul_v_parity_uint64_192_3

8
src/sig/picnic/external/lowmc_fns_s128_L5.h vendored
View File

@ -9,14 +9,14 @@
#include "lowmc_fns_undef.h"
#define ADDMUL SELECT_V_VL(mzd_addmul_v_s128_256, mzd_addmul_vl_s128_256)
#define MUL SELECT_V_VL(mzd_mul_v_s128_256, mzd_mul_vl_s128_256)
#define ADDMUL mzd_addmul_v_s128_256
#define MUL mzd_mul_v_s128_256
#define SHUFFLE mzd_shuffle_256
#define XOR mzd_xor_s128_256
#define COPY mzd_copy_s128_256
#define MUL_MC_1 SELECT_V_VL(mzd_mul_v_s128_256_1152, mzd_mul_vl_s128_256_1152)
#define MUL_MC_10 SELECT_V_VL(mzd_mul_v_s128_256_1280, mzd_mul_vl_s128_256_1280)
#define MUL_MC_1 mzd_mul_v_s128_256_1152
#define MUL_MC_10 mzd_mul_v_s128_256_1280
#define ADDMUL_R_1 mzd_addmul_v_s128_3_256
#define ADDMUL_R_10 mzd_addmul_v_s128_30_256
#define MUL_Z_1 mzd_mul_v_parity_uint64_256_3

8
src/sig/picnic/external/lowmc_fns_s256_L1.h vendored
View File

@ -9,14 +9,14 @@
#include "lowmc_fns_undef.h"
#define ADDMUL SELECT_V_VL(mzd_addmul_v_s256_128, mzd_addmul_vl_s256_128)
#define MUL SELECT_V_VL(mzd_mul_v_s256_128, mzd_mul_vl_s256_128)
#define ADDMUL mzd_addmul_v_s256_128
#define MUL mzd_mul_v_s256_128
#define SHUFFLE mzd_shuffle_pext_128
#define XOR mzd_xor_s256_128
#define COPY mzd_copy_s256_128
#define MUL_MC_1 SELECT_V_VL(mzd_mul_v_s256_128_768, mzd_mul_vl_s256_128_768)
#define MUL_MC_10 SELECT_V_VL(mzd_mul_v_s256_128_768, mzd_mul_vl_s256_128_768)
#define MUL_MC_1 mzd_mul_v_s256_128_768
#define MUL_MC_10 mzd_mul_v_s256_128_768
#define ADDMUL_R_1 mzd_addmul_v_s256_3_128
#define ADDMUL_R_10 mzd_addmul_v_s256_30_128
#define MUL_Z_1 mzd_mul_v_parity_uint64_128_3

8
src/sig/picnic/external/lowmc_fns_s256_L3.h vendored
View File

@ -9,14 +9,14 @@
#include "lowmc_fns_undef.h"
#define ADDMUL SELECT_V_VL(mzd_addmul_v_s256_192, mzd_addmul_vl_s256_192)
#define MUL SELECT_V_VL(mzd_mul_v_s256_192, mzd_mul_vl_s256_192)
#define ADDMUL mzd_addmul_v_s256_192
#define MUL mzd_mul_v_s256_192
#define SHUFFLE mzd_shuffle_pext_192
#define XOR mzd_xor_s256_256
#define COPY mzd_copy_s256_256
#define MUL_MC_1 SELECT_V_VL(mzd_mul_v_s256_192_1024, mzd_mul_vl_s256_192_1024)
#define MUL_MC_10 SELECT_V_VL(mzd_mul_v_s256_192_1024, mzd_mul_vl_s256_192_1024)
#define MUL_MC_1 mzd_mul_v_s256_192_1024
#define MUL_MC_10 mzd_mul_v_s256_192_1024
#define ADDMUL_R_1 mzd_addmul_v_s256_3_192
#define ADDMUL_R_10 mzd_addmul_v_s256_30_192
#define MUL_Z_1 mzd_mul_v_parity_uint64_192_3

8
src/sig/picnic/external/lowmc_fns_s256_L5.h vendored
View File

@ -9,14 +9,14 @@
#include "lowmc_fns_undef.h"
#define ADDMUL SELECT_V_VL(mzd_addmul_v_s256_256, mzd_addmul_vl_s256_256)
#define MUL SELECT_V_VL(mzd_mul_v_s256_256, mzd_mul_vl_s256_256)
#define ADDMUL mzd_addmul_v_s256_256
#define MUL mzd_mul_v_s256_256
#define SHUFFLE mzd_shuffle_pext_256
#define XOR mzd_xor_s256_256
#define COPY mzd_copy_s256_256
#define MUL_MC_1 SELECT_V_VL(mzd_mul_v_s256_256_1280, mzd_mul_vl_s256_256_1280)
#define MUL_MC_10 SELECT_V_VL(mzd_mul_v_s256_256_1280, mzd_mul_vl_s256_256_1280)
#define MUL_MC_1 mzd_mul_v_s256_256_1280
#define MUL_MC_10 mzd_mul_v_s256_256_1280
#define ADDMUL_R_1 mzd_addmul_v_s256_3_256
#define ADDMUL_R_10 mzd_addmul_v_s256_30_256
#define MUL_Z_1 mzd_mul_v_parity_uint64_256_3

8
src/sig/picnic/external/lowmc_fns_uint64_L1.h vendored
View File

@ -9,14 +9,14 @@
#include "lowmc_fns_undef.h"
#define ADDMUL SELECT_V_VL(mzd_addmul_v_uint64_128, mzd_addmul_vl_uint64_128)
#define MUL SELECT_V_VL(mzd_mul_v_uint64_128, mzd_mul_vl_uint64_128)
#define ADDMUL mzd_addmul_v_uint64_128
#define MUL mzd_mul_v_uint64_128
#define XOR mzd_xor_uint64_128
#define SHUFFLE mzd_shuffle_128
#define COPY mzd_copy_uint64_128
#define MUL_MC_1 SELECT_V_VL(mzd_mul_v_uint64_128_576, mzd_mul_vl_uint64_128_576)
#define MUL_MC_10 SELECT_V_VL(mzd_mul_v_uint64_128_640, mzd_mul_vl_uint64_128_640)
#define MUL_MC_1 mzd_mul_v_uint64_128_576
#define MUL_MC_10 mzd_mul_v_uint64_128_640
#define ADDMUL_R_1 mzd_addmul_v_uint64_3_128
#define ADDMUL_R_10 mzd_addmul_v_uint64_30_128
#define MUL_Z_1 mzd_mul_v_parity_uint64_128_3

8
src/sig/picnic/external/lowmc_fns_uint64_L3.h vendored
View File

@ -9,14 +9,14 @@
#include "lowmc_fns_undef.h"
#define ADDMUL SELECT_V_VL(mzd_addmul_v_uint64_192, mzd_addmul_vl_uint64_192)
#define MUL SELECT_V_VL(mzd_mul_v_uint64_192, mzd_mul_vl_uint64_192)
#define ADDMUL mzd_addmul_v_uint64_192
#define MUL mzd_mul_v_uint64_192
#define SHUFFLE mzd_shuffle_192
#define XOR mzd_xor_uint64_192
#define COPY mzd_copy_uint64_192
#define MUL_MC_1 SELECT_V_VL(mzd_mul_v_uint64_192_896, mzd_mul_vl_uint64_192_896)
#define MUL_MC_10 SELECT_V_VL(mzd_mul_v_uint64_192_960, mzd_mul_vl_uint64_192_960)
#define MUL_MC_1 mzd_mul_v_uint64_192_896
#define MUL_MC_10 mzd_mul_v_uint64_192_960
#define ADDMUL_R_1 mzd_addmul_v_uint64_3_192
#define ADDMUL_R_10 mzd_addmul_v_uint64_30_192
#define MUL_Z_1 mzd_mul_v_parity_uint64_192_3

8
src/sig/picnic/external/lowmc_fns_uint64_L5.h vendored
View File

@ -9,14 +9,14 @@
#include "lowmc_fns_undef.h"
#define ADDMUL SELECT_V_VL(mzd_addmul_v_uint64_256, mzd_addmul_vl_uint64_256)
#define MUL SELECT_V_VL(mzd_mul_v_uint64_256, mzd_mul_vl_uint64_256)
#define ADDMUL mzd_addmul_v_uint64_256
#define MUL mzd_mul_v_uint64_256
#define SHUFFLE mzd_shuffle_256
#define XOR mzd_xor_uint64_256
#define COPY mzd_copy_uint64_256
#define MUL_MC_1 SELECT_V_VL(mzd_mul_v_uint64_256_1152, mzd_mul_vl_uint64_256_1152)
#define MUL_MC_10 SELECT_V_VL(mzd_mul_v_uint64_256_1216, mzd_mul_vl_uint64_256_1216)
#define MUL_MC_1 mzd_mul_v_uint64_256_1152
#define MUL_MC_10 mzd_mul_v_uint64_256_1216
#define ADDMUL_R_1 mzd_addmul_v_uint64_3_256
#define ADDMUL_R_10 mzd_addmul_v_uint64_30_256
#define MUL_Z_1 mzd_mul_v_parity_uint64_256_3

36
src/sig/picnic/external/lowmc_impl.c.i vendored
View File

@ -11,8 +11,6 @@
#error "OLLE is only implemented for 1 or 10 Sboxes"
#endif
// TODO: fix PICNIC2_AUX_COMPUTATION for OFF & ORKC
#if defined(FN_ATTR)
FN_ATTR
#endif
@ -22,7 +20,7 @@ static void N_LOWMC(lowmc_key_t const* lowmc_key, randomTape_t* tapes) {
#if defined(RECORD_STATE)
static void N_LOWMC(lowmc_key_t const* lowmc_key, mzd_local_t const* p, recorded_state_t* state) {
#else
static mzd_local_t* N_LOWMC(lowmc_key_t const* lowmc_key, mzd_local_t const* p) {
static void N_LOWMC(lowmc_key_t const* lowmc_key, mzd_local_t const* p, mzd_local_t* c) {
#endif
#endif
mzd_local_t x[((LOWMC_N) + 255) / 256];
@ -36,12 +34,12 @@ static mzd_local_t* N_LOWMC(lowmc_key_t const* lowmc_key, mzd_local_t const* p)
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION) // LOWMC_OPT=OLLE
#if defined(PICNIC2_AUX_COMPUTATION)
MUL(x, lowmc_key, CONCAT(LOWMC_INSTANCE.k0, matrix_postfix));
MUL_MC(nl_part, lowmc_key, CONCAT(LOWMC_INSTANCE.precomputed_non_linear_part, matrix_postfix));
MUL(x, lowmc_key, LOWMC_INSTANCE.k0_matrix);
MUL_MC(nl_part, lowmc_key, LOWMC_INSTANCE.precomputed_non_linear_part_matrix);
#else
XOR(x, p, LOWMC_INSTANCE.precomputed_constant_linear);
ADDMUL(x, lowmc_key, CONCAT(LOWMC_INSTANCE.k0, matrix_postfix));
MUL_MC(nl_part, lowmc_key, CONCAT(LOWMC_INSTANCE.precomputed_non_linear_part, matrix_postfix));
ADDMUL(x, lowmc_key, LOWMC_INSTANCE.k0_matrix);
MUL_MC(nl_part, lowmc_key, LOWMC_INSTANCE.precomputed_non_linear_part_matrix);
XOR_MC(nl_part, nl_part, LOWMC_INSTANCE.precomputed_constant_non_linear);
#endif
@ -99,17 +97,17 @@ static mzd_local_t* N_LOWMC(lowmc_key_t const* lowmc_key, mzd_local_t const* p)
BLOCK(x, 0)->w64[(LOWMC_N) / (sizeof(word) * 8) - 1] ^=
(nl << ((20 - (i % 21)) * 3)) & WORD_C(0xE000000000000000);
#endif
MUL(y, x, CONCAT(LOWMC_INSTANCE.zr, matrix_postfix));
MUL(y, x, LOWMC_INSTANCE.zr_matrix);
COPY(x, y);
#endif
#else // LOWMC_OPT=ORKC
#if defined(PICNIC2_AUX_COMPUTATION)
MUL(x, lowmc_key, CONCAT(LOWMC_INSTANCE.k0, matrix_postfix));
MUL_MC(nl_part, lowmc_key, CONCAT(LOWMC_INSTANCE.precomputed_non_linear_part, matrix_postfix));
MUL(x, lowmc_key, LOWMC_INSTANCE.k0_matrix);
MUL_MC(nl_part, lowmc_key, LOWMC_INSTANCE.precomputed_non_linear_part_matrix);
#else
XOR(x, p, LOWMC_INSTANCE.precomputed_constant_linear);
ADDMUL(x, lowmc_key, CONCAT(LOWMC_INSTANCE.k0, matrix_postfix));
MUL_MC(nl_part, lowmc_key, CONCAT(LOWMC_INSTANCE.precomputed_non_linear_part, matrix_postfix));
ADDMUL(x, lowmc_key, LOWMC_INSTANCE.k0_matrix);
MUL_MC(nl_part, lowmc_key, LOWMC_INSTANCE.precomputed_non_linear_part_matrix);
XOR_MC(nl_part, nl_part, LOWMC_INSTANCE.precomputed_constant_non_linear);
#endif
@ -133,16 +131,16 @@ static mzd_local_t* N_LOWMC(lowmc_key_t const* lowmc_key, mzd_local_t const* p)
BLOCK(x, 0)->w64[(LOWMC_N) / (sizeof(word) * 8) - 1] ^=
(nl << ((20 - (i % 21)) * 3)) & WORD_C(0xE000000000000000);
#endif
MUL(y, x, CONCAT(round->l, matrix_postfix));
MUL(y, x, round->l_matrix);
COPY(x, y);
}
#endif
#else // LOWMC_OPT=OFF
#if defined(PICNIC2_AUX_COMPUTATION)
MUL(x, lowmc_key, CONCAT(LOWMC_INSTANCE.k0, matrix_postfix));
MUL(x, lowmc_key, LOWMC_INSTANCE.k0_matrix);
#else
COPY(x, p);
ADDMUL(x, lowmc_key, CONCAT(LOWMC_INSTANCE.k0, matrix_postfix));
ADDMUL(x, lowmc_key, LOWMC_INSTANCE.k0_matrix);
#endif
lowmc_round_t const* round = LOWMC_INSTANCE.rounds;
@ -156,13 +154,13 @@ static mzd_local_t* N_LOWMC(lowmc_key_t const* lowmc_key, mzd_local_t const* p)
SBOX(x);
#endif
MUL(y, x, CONCAT(round->l, matrix_postfix));
MUL(y, x, round->l_matrix);
#if !defined(PICNIC2_AUX_COMPUTATION)
XOR(x, y, round->constant);
#else
COPY(x, y);
#endif
ADDMUL(x, lowmc_key, CONCAT(round->k, matrix_postfix));
ADDMUL(x, lowmc_key, round->k_matrix);
}
#endif
@ -170,9 +168,7 @@ static mzd_local_t* N_LOWMC(lowmc_key_t const* lowmc_key, mzd_local_t const* p)
#if defined(RECORD_STATE)
COPY(state->state[LOWMC_R], x);
#else
mzd_local_t* res = mzd_local_init_ex(1, LOWMC_N, false);
COPY(res, x);
return res;
COPY(c, x);
#endif
#endif
}

63
src/sig/picnic/external/lowmc_pars.c vendored
View File

@ -1,63 +0,0 @@
/*
* This file is part of the optimized implementation of the Picnic signature scheme.
* See the accompanying documentation for complete details.
*
* The code is provided under the MIT license, see LICENSE for
* more details.
* SPDX-License-Identifier: MIT
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include "lowmc_pars.h"
#include "macros.h"
#include "mzd_additional.h"
#if defined(MUL_M4RI)
bool lowmc_init(lowmc_t* lowmc) {
if (!lowmc) {
return false;
}
if (lowmc->n - 3 * lowmc->m < 2 || lowmc->n != lowmc->k) {
return false;
}
lowmc->k0_lookup = mzd_precompute_matrix_lookup(lowmc->k0_matrix, lowmc->n, lowmc->n);
#if defined(REDUCED_ROUND_KEY_COMPUTATION)
const unsigned int cols = lowmc->m == 1 ? ((lowmc->r + 20) / 21) * 64 : lowmc->r * 32;
lowmc->precomputed_non_linear_part_lookup =
mzd_precompute_matrix_lookup(lowmc->precomputed_non_linear_part_matrix, lowmc->n, cols);
#endif
for (unsigned int i = 0; i < lowmc->r; ++i) {
lowmc->rounds[i].l_lookup =
mzd_precompute_matrix_lookup(lowmc->rounds[i].l_matrix, lowmc->n, lowmc->n);
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
lowmc->rounds[i].k_lookup =
mzd_precompute_matrix_lookup(lowmc->rounds[i].k_matrix, lowmc->n, lowmc->n);
#endif
}
return true;
}
#endif
void lowmc_clear(lowmc_t* lowmc) {
for (unsigned int i = 0; i < lowmc->r; ++i) {
#if defined(MUL_M4RI)
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
mzd_local_free(lowmc->rounds[i].k_lookup);
#endif
mzd_local_free(lowmc->rounds[i].l_lookup);
#endif
}
#if defined(MUL_M4RI)
mzd_local_free(lowmc->k0_lookup);
#if defined(REDUCED_ROUND_KEY_COMPUTATION)
mzd_local_free(lowmc->precomputed_non_linear_part_lookup);
#endif
#endif
}

34
src/sig/picnic/external/lowmc_pars.h vendored
View File

@ -79,13 +79,6 @@ typedef struct {
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
const mzd_local_t* constant;
#endif
#if defined(MUL_M4RI)
#if !defined(REDUCED_ROUND_KEY_COMPUTATION)
mzd_local_t* k_lookup;
#endif
mzd_local_t* l_lookup;
#endif
} lowmc_round_t;
/**
@ -101,40 +94,13 @@ typedef struct {
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
const mzd_local_t* zr_matrix; // combined linear layers
#endif
#if defined(MUL_M4RI)
mzd_local_t* k0_lookup;
#endif
#if defined(MUL_M4RI)
lowmc_round_t* rounds;
#else
const lowmc_round_t* rounds;
#endif
#if defined(REDUCED_ROUND_KEY_COMPUTATION)
const mzd_local_t* precomputed_non_linear_part_matrix;
#if defined(MUL_M4RI)
mzd_local_t* precomputed_non_linear_part_lookup;
#endif
const mzd_local_t* precomputed_constant_linear;
const mzd_local_t* precomputed_constant_non_linear;
#endif
} lowmc_t;
#if defined(MUL_M4RI)
/**
* Initiaizes lookup tables of a LowMC instance
*
* \return parameters defining a LowMC instance
*/
bool lowmc_init(lowmc_t* lowmc);
#endif
/**
* Clears the allocated LowMC parameters
*
* \param lowmc the LowMC parameters to be cleared
*/
void lowmc_clear(lowmc_t* lowmc);
#endif

17
src/sig/picnic/external/macros.h vendored
View File

@ -89,6 +89,10 @@
#define ATTR_ALIGNED(i)
#endif
/* round size to meet alignment requirements */
#define ALIGNT(s, t) (((s) + sizeof(t) - 1) & ~(sizeof(t) - 1))
#define ALIGNU64T(s) ALIGNT(s, uint64_t)
/* unreachable builtin */
#if GNUC_CHECK(4, 5) || __has_builtin(__builtin_unreachable)
#define UNREACHABLE __builtin_unreachable()
@ -154,19 +158,6 @@
#define CONCAT2(a, b) a##_##b
#define CONCAT(a, b) CONCAT2(a, b)
/* helper macros to select matrices and multiplicatiion functions */
#if defined(MUL_M4RI)
#define matrix_postfix lookup
#else
#define matrix_postfix matrix
#endif
#if defined(MUL_M4RI)
#define SELECT_V_VL(v, vl) vl
#else
#define SELECT_V_VL(v, vl) v
#endif
/* helper macros/functions for checked integer subtraction */
#if GNUC_CHECK(5, 0) || __has_builtin(__builtin_add_overflow)
#define sub_overflow_size_t(x, y, diff) __builtin_sub_overflow(x, y, diff)

8
src/sig/picnic/external/mpc_lowmc.c vendored
View File

@ -330,7 +330,11 @@ static void mpc_sbox_layer_bitsliced_verify_uint64_1(uint64_t* in, view_t* view,
#endif
zkbpp_lowmc_implementation_f get_zkbpp_lowmc_implementation(const lowmc_t* lowmc) {
#if defined(WITH_LOWMC_M1)
ASSUME(lowmc->m == 10 || lowmc->m == 1);
#else
ASSUME(lowmc->m == 10);
#endif
ASSUME(lowmc->n == 128 || lowmc->n == 192 || lowmc->n == 256);
#if defined(WITH_OPT)
@ -452,7 +456,11 @@ zkbpp_lowmc_implementation_f get_zkbpp_lowmc_implementation(const lowmc_t* lowmc
}
zkbpp_lowmc_verify_implementation_f get_zkbpp_lowmc_verify_implementation(const lowmc_t* lowmc) {
#if defined(WITH_LOWMC_M1)
ASSUME(lowmc->m == 10 || lowmc->m == 1);
#else
ASSUME(lowmc->m == 10);
#endif
ASSUME(lowmc->n == 128 || lowmc->n == 192 || lowmc->n == 256);
#if defined(WITH_OPT)

4
src/sig/picnic/external/mpc_lowmc_impl.c.i vendored
View File

@ -47,7 +47,7 @@ static void N_SIGN(mpc_lowmc_key_t const* lowmc_key, mzd_local_t const* p, view_
mzd_local_t x[SC_PROOF][((LOWMC_N) + 255) / 256];
mzd_local_t y[SC_PROOF][((LOWMC_N) + 255) / 256];
MPC_LOOP_CONST(MUL, x, lowmc_key, CONCAT(LOWMC_INSTANCE.k0, matrix_postfix), reduced_shares);
MPC_LOOP_CONST(MUL, x, lowmc_key, LOWMC_INSTANCE.k0_matrix, reduced_shares);
MPC_LOOP_CONST_C(XOR, x, x, p, reduced_shares, ch);
#include "mpc_lowmc_loop.c.i"
@ -80,7 +80,7 @@ static void N_VERIFY(mzd_local_t const* p, view_t* views, in_out_shares_t* in_ou
mzd_local_t x[SC_VERIFY][((LOWMC_N) + 255) / 256];
mzd_local_t y[SC_VERIFY][((LOWMC_N) + 255) / 256];
MPC_LOOP_CONST(MUL, x, lowmc_key, CONCAT(LOWMC_INSTANCE.k0, matrix_postfix), SC_VERIFY);
MPC_LOOP_CONST(MUL, x, lowmc_key, LOWMC_INSTANCE.k0_matrix, SC_VERIFY);
MPC_LOOP_CONST_C(XOR, x, x, p, SC_VERIFY, ch);
#include "mpc_lowmc_loop.c.i"

16
src/sig/picnic/external/mpc_lowmc_loop.c.i vendored
View File

@ -21,7 +21,7 @@ lowmc_round_t const* round = LOWMC_INSTANCE.rounds;
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
MPC_LOOP_CONST_C(XOR, x, x, LOWMC_INSTANCE.precomputed_constant_linear, reduced_shares, ch);
MPC_LOOP_CONST(MUL_MC, nl_part, lowmc_key,
CONCAT(LOWMC_INSTANCE.precomputed_non_linear_part, matrix_postfix), reduced_shares);
LOWMC_INSTANCE.precomputed_non_linear_part_matrix, reduced_shares);
MPC_LOOP_CONST_C(XOR_MC, nl_part, nl_part, LOWMC_INSTANCE.precomputed_constant_non_linear, reduced_shares, ch);
for (unsigned i = 0; i < (LOWMC_R-1); ++i, ++views, ++round) {
RANDTAPE;
@ -39,13 +39,13 @@ lowmc_round_t const* round = LOWMC_INSTANCE.rounds;
BLOCK(y[k], 0)->w64[(LOWMC_N) / (sizeof(word) * 8) - 1] ^= (nl << ((20-(i%21))*3)) & WORD_C(0xE000000000000000);
#endif
}
MPC_LOOP_CONST(MUL_Z, x, y, CONCAT(round->z, matrix_postfix), reduced_shares);
MPC_LOOP_CONST(MUL_Z, x, y, round->z_matrix, reduced_shares);
for(unsigned int k = 0; k < reduced_shares; ++k) {
MZD_SHUFFLE(y[k], round->r_mask);
}
MPC_LOOP_CONST(ADDMUL_R, x, y, CONCAT(round->r, matrix_postfix), reduced_shares);
MPC_LOOP_CONST(ADDMUL_R, x, y, round->r_matrix, reduced_shares);
for(unsigned int k = 0; k < reduced_shares; ++k) {
#if defined(M_FIXED_10)
BLOCK(y[k], 0)->w64[(LOWMC_N) / (sizeof(word) * 8) - 1] &= WORD_C(0x00000003FFFFFFFF); //clear nl part
@ -72,11 +72,11 @@ lowmc_round_t const* round = LOWMC_INSTANCE.rounds;
BLOCK(y[k], 0)->w64[(LOWMC_N) / (sizeof(word) * 8) - 1] ^= (nl << ((20-(i%21))*3)) & WORD_C(0xE000000000000000);
#endif
}
MPC_LOOP_CONST(MUL, x, y, CONCAT(LOWMC_INSTANCE.zr, matrix_postfix), reduced_shares);
MPC_LOOP_CONST(MUL, x, y, LOWMC_INSTANCE.zr_matrix, reduced_shares);
#else
MPC_LOOP_CONST_C(XOR, x, x, LOWMC_INSTANCE.precomputed_constant_linear, reduced_shares, ch);
MPC_LOOP_CONST(MUL_MC, nl_part, lowmc_key,
CONCAT(LOWMC_INSTANCE.precomputed_non_linear_part, matrix_postfix), reduced_shares);
LOWMC_INSTANCE.precomputed_non_linear_part_matrix, reduced_shares);
MPC_LOOP_CONST_C(XOR_MC, nl_part, nl_part, LOWMC_INSTANCE.precomputed_constant_non_linear, reduced_shares, ch);
for (unsigned i = 0; i < (LOWMC_R); ++i, ++views, ++round) {
RANDTAPE;
@ -94,7 +94,7 @@ lowmc_round_t const* round = LOWMC_INSTANCE.rounds;
BLOCK(y[k], 0)->w64[(LOWMC_N) / (sizeof(word) * 8) - 1] ^= (nl << ((20-(i%21))*3)) & WORD_C(0xE000000000000000);
#endif
}
MPC_LOOP_CONST(MUL, x, y, CONCAT(round->l, matrix_postfix), reduced_shares);
MPC_LOOP_CONST(MUL, x, y, round->l_matrix, reduced_shares);
}
#endif
#else
@ -104,9 +104,9 @@ for (unsigned i = 0; i < (LOWMC_R); ++i, ++views, ++round) {
RECOVER_FROM_STATE(x, i);
#endif
SBOX(sbox, y, x, views, r, LOWMC_N, shares, reduced_shares);
MPC_LOOP_CONST(MUL, x, y, CONCAT(round->l, matrix_postfix), reduced_shares);
MPC_LOOP_CONST(MUL, x, y, round->l_matrix, reduced_shares);
MPC_LOOP_CONST_C(XOR, x, x, round->constant, reduced_shares, ch);
MPC_LOOP_CONST(ADDMUL, x, lowmc_key, CONCAT(round->k, matrix_postfix), reduced_shares);
MPC_LOOP_CONST(ADDMUL, x, lowmc_key, round->k_matrix, reduced_shares);
}
#endif
#if defined(RECOVER_FROM_STATE)

718
src/sig/picnic/external/mzd_additional.c vendored
View File

@ -1105,724 +1105,6 @@ void mzd_mul_v_uint64_256_1216(mzd_local_t* c, mzd_local_t const* v, mzd_local_t
}
}
#if defined(MUL_M4RI)
#include <stdio.h>
static void xor_comb(const unsigned int len, const unsigned int rowstride, block_t* Bblock,
mzd_local_t const* A, unsigned int r_offset, unsigned comb) {
for (; comb; comb >>= 1, ++r_offset) {
if (comb & 0x1) {
const block_t* Ablock = CONST_BLOCK(A, r_offset * rowstride / 4);
unsigned int i = 0;
unsigned int j = len;
for (; i < len / 4; ++i, j -= 4) {
mzd_xor_uint64_block(&Bblock[i], &Bblock[i], &Ablock[i], 4);
}
mzd_xor_uint64_block(&Bblock[i], &Bblock[i], &Ablock[i], j);
}
}
}
static void xor_comb_128(block_t* Bblock, const unsigned int boffset, mzd_local_t const* A,
unsigned int r_offset, unsigned comb) {
for (; comb; comb >>= 1, ++r_offset) {
if (comb & 0x1) {
const block_t* Ablock = CONST_BLOCK(A, r_offset / 2);
const unsigned int aoffset = (r_offset & 0x1) << 1;
Bblock->w64[boffset] ^= Ablock->w64[aoffset];
Bblock->w64[boffset + 1] ^= Ablock->w64[aoffset + 1];
}
}
}
/**
* Pre-compute matrices for faster mzd_addmul_v computions.
*/
mzd_local_t* mzd_precompute_matrix_lookup(mzd_local_t const* A, unsigned int rows,
unsigned int cols) {
mzd_local_t* B = mzd_local_init_ex(32 * rows, cols, true);
const unsigned int len = calculate_width(cols);
const unsigned int rowstride = calculate_rowstride(len);
for (unsigned int r = 0; r < 32 * rows; ++r) {
const unsigned int comb = r & 0xff;
const unsigned int r_offset = (r >> 8) << 3;
if (!comb) {
continue;
}
if (len == 2) {
/* 128 columns are special. they have two rows per block */
xor_comb_128(BLOCK(B, r / 2), (r & 0x1) << 1, A, r_offset, comb);
} else {
xor_comb(len, rowstride, BLOCK(B, r * rowstride / 4), A, r_offset, comb);
}
}
return B;
}
#if defined(WITH_OPT)
#if defined(WITH_SSE2) || defined(WITH_NEON)
ATTR_TARGET_S128
void mzd_addmul_vl_s128_128(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) {
static const unsigned int moff2 = 128;
block_t* cblock = BLOCK(c, 0);
const block_t* Ablock = CONST_BLOCK(A, 0);
word const* vptr = CONST_BLOCK(v, 0)->w64;
word128 cval[2] ATTR_ALIGNED(alignof(word128)) = {cblock->w128[0], mm128_zero};
for (unsigned int w = 2; w; --w, ++vptr) {
word idx = *vptr;
for (unsigned int s = sizeof(word); s; s -= 2, idx >>= 16) {
cval[0] = mm128_xor(cval[0], Ablock[(idx >> 1) & 0x7f].w128[idx & 0x1]);
Ablock += moff2;
cval[1] = mm128_xor(cval[1], Ablock[(idx >> 9) & 0x7f].w128[(idx >> 8) & 0x1]);
Ablock += moff2;
}
}
cblock->w128[0] = mm128_xor(cval[0], cval[1]);
}
ATTR_TARGET_S128
void mzd_mul_vl_s128_128(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) {
static const unsigned int moff2 = 128;
block_t* cblock = BLOCK(c, 0);
const block_t* Ablock = CONST_BLOCK(A, 0);
word const* vptr = CONST_BLOCK(v, 0)->w64;
word128 cval[2] ATTR_ALIGNED(alignof(word128)) = {mm128_zero, mm128_zero};
for (unsigned int w = 2; w; --w, ++vptr) {
word idx = *vptr;
for (unsigned int s = sizeof(word); s; s -= 2, idx >>= 16) {
cval[0] = mm128_xor(cval[0], Ablock[(idx >> 1) & 0x7f].w128[idx & 0x1]);
Ablock += moff2;
cval[1] = mm128_xor(cval[1], Ablock[(idx >> 9) & 0x7f].w128[(idx >> 8) & 0x1]);
Ablock += moff2;
}
}
cblock->w128[0] = mm128_xor(cval[0], cval[1]);
}
ATTR_TARGET_S128
void mzd_addmul_vl_s128_192(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) {
static const unsigned int moff2 = 256;
block_t* cblock = BLOCK(c, 0);
const block_t* Ablock = CONST_BLOCK(A, 0);
word const* vptr = CONST_BLOCK(v, 0)->w64;
word128 cval[4] ATTR_ALIGNED(alignof(word128)) = {cblock->w128[0], cblock->w128[1], mm128_zero,
mm128_zero};
for (unsigned int w = 3; w; --w, ++vptr) {
word idx = *vptr;
for (unsigned int s = sizeof(word); s; s -= 2, idx >>= 16) {
mm128_xor_region(&cval[0], Ablock[(idx >> 0) & 0xff].w128, 2);
Ablock += moff2;
mm128_xor_region(&cval[2], Ablock[(idx >> 8) & 0xff].w128, 2);
Ablock += moff2;
}
}
cblock->w128[0] = mm128_xor(cval[0], cval[2]);
cblock->w128[1] = mm128_xor(cval[1], cval[3]);
}
ATTR_TARGET_S128
void mzd_mul_vl_s128_192(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) {
static const unsigned int moff2 = 256;
block_t* cblock = BLOCK(c, 0);
const block_t* Ablock = CONST_BLOCK(A, 0);
word const* vptr = CONST_BLOCK(v, 0)->w64;
word128 cval[4] ATTR_ALIGNED(alignof(word128)) = {mm128_zero, mm128_zero, mm128_zero, mm128_zero};
for (unsigned int w = 3; w; --w, ++vptr) {
word idx = *vptr;
for (unsigned int s = sizeof(word); s; s -= 2, idx >>= 16) {
mm128_xor_region(&cval[0], Ablock[(idx >> 0) & 0xff].w128, 2);
Ablock += moff2;
mm128_xor_region(&cval[2], Ablock[(idx >> 8) & 0xff].w128, 2);
Ablock += moff2;
}
}
cblock->w128[0] = mm128_xor(cval[0], cval[2]);
cblock->w128[1] = mm128_xor(cval[1], cval[3]);
}
ATTR_TARGET_S128
void mzd_addmul_vl_s128_256(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) {
static const unsigned int moff2 = 256;
block_t* cblock = BLOCK(c, 0);
const block_t* Ablock = CONST_BLOCK(A, 0);
word const* vptr = CONST_BLOCK(v, 0)->w64;
word128 cval[4] ATTR_ALIGNED(alignof(word128)) = {cblock->w128[0], cblock->w128[1], mm128_zero,
mm128_zero};
for (unsigned int w = 4; w; --w, ++vptr) {
word idx = *vptr;
for (unsigned int s = sizeof(word); s; s -= 2, idx >>= 16) {
mm128_xor_region(&cval[0], Ablock[(idx >> 0) & 0xff].w128, 2);
Ablock += moff2;
mm128_xor_region(&cval[2], Ablock[(idx >> 8) & 0xff].w128, 2);
Ablock += moff2;
}
}
cblock->w128[0] = mm128_xor(cval[0], cval[2]);
cblock->w128[1] = mm128_xor(cval[1], cval[3]);
}
ATTR_TARGET_S128
void mzd_mul_vl_s128_256(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) {
static const unsigned int moff2 = 256;
block_t* cblock = BLOCK(c, 0);
const block_t* Ablock = CONST_BLOCK(A, 0);
word const* vptr = CONST_BLOCK(v, 0)->w64;
word128 cval[4] ATTR_ALIGNED(alignof(word128)) = {mm128_zero, mm128_zero, mm128_zero, mm128_zero};
for (unsigned int w = 4; w; --w, ++vptr) {
word idx = *vptr;
for (unsigned int s = sizeof(word); s; s -= 2, idx >>= 16) {
mm128_xor_region(&cval[0], Ablock[(idx >> 0) & 0xff].w128, 2);
Ablock += moff2;
mm128_xor_region(&cval[2], Ablock[(idx >> 8) & 0xff].w128, 2);
Ablock += moff2;
}
}
cblock->w128[0] = mm128_xor(cval[0], cval[2]);
cblock->w128[1] = mm128_xor(cval[1], cval[3]);
}
ATTR_TARGET_S128
void mzd_mul_vl_s128_128_640(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) {
static const unsigned int moff2 = 256 * 3;
block_t* cblock = BLOCK(c, 0);
const block_t* Ablock = CONST_BLOCK(A, 0);
word const* vptr = CONST_BLOCK(v, 0)->w64;
for (unsigned int j = 0; j < 2; ++j) {
BLOCK(c, j)->w128[0] = BLOCK(c, j)->w128[1] = mm128_zero;
}
BLOCK(c, 2)->w128[0] = mm128_zero;
for (unsigned int w = 2; w; --w, ++vptr) {
word idx = *vptr;
for (unsigned int s = sizeof(word); s; s -= 2, idx >>= 16) {
const block_t* Ablock1 = &Ablock[((idx >> 0) & 0xff) * 3];
mzd_xor_s128_blocks(cblock, cblock, Ablock1, 2);
cblock[2].w128[0] = mm128_xor(cblock[2].w128[0], Ablock1[2].w128[0]);
Ablock += moff2;
const block_t* Ablock2 = &Ablock[((idx >> 8) & 0xff) * 3];
mzd_xor_s128_blocks(cblock, cblock, Ablock2, 2);
cblock[2].w128[0] = mm128_xor(cblock[2].w128[0], Ablock2[2].w128[0]);
Ablock += moff2;
}
}
}
ATTR_TARGET_S128
void mzd_mul_vl_s128_192_896(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) {
static const unsigned int moff2 = 256 * 4;
block_t* cblock = BLOCK(c, 0);
const block_t* Ablock = CONST_BLOCK(A, 0);
word const* vptr = CONST_BLOCK(v, 0)->w64;
for (unsigned int j = 0; j < 3; ++j) {
BLOCK(c, j)->w128[0] = BLOCK(c, j)->w128[1] = mm128_zero;
}
BLOCK(c, 3)->w128[0] = mm128_zero;
for (unsigned int w = 3; w; --w, ++vptr) {
word idx = *vptr;
for (unsigned int s = sizeof(word); s; s -= 2, idx >>= 16) {
const block_t* Ablock1 = &Ablock[((idx >> 0) & 0xff) * 4];
mzd_xor_s128_blocks(cblock, cblock, Ablock1, 3);
cblock[3].w128[0] = mm128_xor(cblock[3].w128[0], Ablock1[3].w128[0]);
Ablock += moff2;
const block_t* Ablock2 = &Ablock[((idx >> 8) & 0xff) * 4];
mzd_xor_s128_blocks(cblock, cblock, Ablock2, 3);
cblock[3].w128[0] = mm128_xor(cblock[3].w128[0], Ablock2[3].w128[0]);
Ablock += moff2;
}
}
}
ATTR_TARGET_S128
void mzd_mul_vl_s128_192_1024(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) {
static const unsigned int moff2 = 256 * 4;
block_t* cblock = BLOCK(c, 0);
const block_t* Ablock = CONST_BLOCK(A, 0);
word const* vptr = CONST_BLOCK(v, 0)->w64;
for (unsigned int j = 0; j < 4; ++j) {
BLOCK(c, j)->w128[0] = BLOCK(c, j)->w128[1] = mm128_zero;
}
for (unsigned int w = 3; w; --w, ++vptr) {
word idx = *vptr;
for (unsigned int s = sizeof(word); s; s -= 2, idx >>= 16) {
const block_t* Ablock1 = &Ablock[((idx >> 0) & 0xff) * 4];
mzd_xor_s128_blocks(cblock, cblock, Ablock1, 4);
Ablock += moff2;
const block_t* Ablock2 = &Ablock[((idx >> 8) & 0xff) * 4];
mzd_xor_s128_blocks(cblock, cblock, Ablock2, 4);
Ablock += moff2;
}
}
}
ATTR_TARGET_S128
void mzd_mul_vl_s128_256_1152(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) {
static const unsigned int moff2 = 256 * 5;
block_t* cblock = BLOCK(c, 0);
const block_t* Ablock = CONST_BLOCK(A, 0);
word const* vptr = CONST_BLOCK(v, 0)->w64;
for (unsigned int j = 0; j < 4; ++j) {
BLOCK(c, j)->w128[0] = BLOCK(c, j)->w128[1] = mm128_zero;
}
BLOCK(c, 4)->w128[0] = mm128_zero;
for (unsigned int w = 4; w; --w, ++vptr) {
word idx = *vptr;
for (unsigned int s = sizeof(word); s; s -= 2, idx >>= 16) {
const block_t* Ablock1 = &Ablock[((idx >> 0) & 0xff) * 5];
mzd_xor_s128_blocks(cblock, cblock, Ablock1, 4);
cblock[4].w128[0] = mm128_xor(cblock[4].w128[0], Ablock1[4].w128[0]);
Ablock += moff2;
const block_t* Ablock2 = &Ablock[((idx >> 8) & 0xff) * 5];
mzd_xor_s128_blocks(cblock, cblock, Ablock2, 4);
cblock[4].w128[0] = mm128_xor(cblock[4].w128[0], Ablock2[4].w128[0]);
Ablock += moff2;
}
}
}
ATTR_TARGET_S128
void mzd_mul_vl_s128_256_1280(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) {
static const unsigned int moff2 = 256 * 5;
block_t* cblock = BLOCK(c, 0);
const block_t* Ablock = CONST_BLOCK(A, 0);
word const* vptr = CONST_BLOCK(v, 0)->w64;
for (unsigned int j = 0; j < 5; ++j) {
BLOCK(c, j)->w128[0] = BLOCK(c, j)->w128[1] = mm128_zero;
}
for (unsigned int w = 4; w; --w, ++vptr) {
word idx = *vptr;
for (unsigned int s = sizeof(word); s; s -= 2, idx >>= 16) {
const block_t* Ablock1 = &Ablock[((idx >> 0) & 0xff) * 5];
mzd_xor_s128_blocks(cblock, cblock, Ablock1, 5);
Ablock += moff2;
const block_t* Ablock2 = &Ablock[((idx >> 8) & 0xff) * 5];
mzd_xor_s128_blocks(cblock, cblock, Ablock2, 5);
Ablock += moff2;
}
}
}
#endif
#if defined(WITH_AVX2)
ATTR_TARGET_AVX2
void mzd_mul_vl_s256_256(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) {
static const unsigned int moff2 = 256;
block_t* cblock = BLOCK(c, 0);
const block_t* Ablock = CONST_BLOCK(A, 0);
word const* vptr = CONST_BLOCK(v, 0)->w64;
word256 cval[2] ATTR_ALIGNED(alignof(word256)) = {mm256_zero, mm256_zero};
for (unsigned int w = 4; w; --w, ++vptr) {
word idx = *vptr;
for (unsigned int s = sizeof(word); s; s -= 2, idx >>= 16) {
cval[0] = mm256_xor(cval[0], Ablock[(idx >> 0) & 0xff].w256);
Ablock += moff2;
cval[1] = mm256_xor(cval[1], Ablock[(idx >> 8) & 0xff].w256);
Ablock += moff2;
}
}
cblock->w256 = _mm256_xor_si256(cval[0], cval[1]);
}
ATTR_TARGET_AVX2
void mzd_addmul_vl_s256_256(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) {
static const unsigned int moff2 = 256;
block_t* cblock = BLOCK(c, 0);
const block_t* Ablock = CONST_BLOCK(A, 0);
word const* vptr = CONST_BLOCK(v, 0)->w64;
word256 cval[2] ATTR_ALIGNED(alignof(word256)) = {cblock->w256, mm256_zero};
for (unsigned int w = 4; w; --w, ++vptr) {
word idx = *vptr;
for (unsigned int s = sizeof(word); s; s -= 2, idx >>= 16) {
cval[0] = mm256_xor(cval[0], Ablock[(idx >> 0) & 0xff].w256);
Ablock += moff2;
cval[1] = mm256_xor(cval[1], Ablock[(idx >> 8) & 0xff].w256);
Ablock += moff2;
}
}
cblock->w256 = _mm256_xor_si256(cval[0], cval[1]);
}
ATTR_TARGET_AVX2
void mzd_mul_vl_s256_192(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) {
static const unsigned int moff2 = 256;
block_t* cblock = BLOCK(c, 0);
const block_t* Ablock = CONST_BLOCK(A, 0);
word const* vptr = CONST_BLOCK(v, 0)->w64;
word256 cval[2] ATTR_ALIGNED(alignof(word256)) = {mm256_zero, mm256_zero};
for (unsigned int w = 3; w; --w, ++vptr) {
word idx = *vptr;
for (unsigned int s = sizeof(word); s; s -= 2, idx >>= 16) {
cval[0] = mm256_xor(cval[0], Ablock[(idx >> 0) & 0xff].w256);
Ablock += moff2;
cval[1] = mm256_xor(cval[1], Ablock[(idx >> 8) & 0xff].w256);
Ablock += moff2;
}
}
cblock->w256 = _mm256_xor_si256(cval[0], cval[1]);
}
ATTR_TARGET_AVX2
void mzd_addmul_vl_s256_192(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) {
static const unsigned int moff2 = 256;
block_t* cblock = BLOCK(c, 0);
const block_t* Ablock = CONST_BLOCK(A, 0);
word const* vptr = CONST_BLOCK(v, 0)->w64;
word256 cval[2] ATTR_ALIGNED(alignof(word256)) = {cblock->w256, mm256_zero};
for (unsigned int w = 3; w; --w, ++vptr) {
word idx = *vptr;
for (unsigned int s = sizeof(word); s; s -= 2, idx >>= 16) {
cval[0] = mm256_xor(cval[0], Ablock[(idx >> 0) & 0xff].w256);
Ablock += moff2;
cval[1] = mm256_xor(cval[1], Ablock[(idx >> 8) & 0xff].w256);
Ablock += moff2;
}
}
cblock->w256 = _mm256_xor_si256(cval[0], cval[1]);
}
ATTR_TARGET_AVX2
void mzd_mul_vl_s256_128(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) {
static const unsigned int moff2 = 128;
block_t* cblock = BLOCK(c, 0);
const block_t* Ablock = CONST_BLOCK(A, 0);
word const* vptr = CONST_BLOCK(v, 0)->w64;
word256 cval[2] ATTR_ALIGNED(alignof(word256)) = {mm256_zero, mm256_zero};
for (unsigned int w = 2; w; --w, ++vptr) {
word idx = *vptr;
for (unsigned int s = sizeof(word); s; s -= 4, idx >>= 32) {
const word256 t1 =
_mm256_set_m128i(Ablock[(idx >> 1) & 0x7f].w128[idx & 0x1],
Ablock[((idx >> 9) & 0x7f) + moff2].w128[(idx >> 8) & 0x1]);
cval[0] = mm256_xor(cval[0], t1);
Ablock += 2 * moff2;
const word256 t2 =
_mm256_set_m128i(Ablock[(idx >> 17) & 0x7f].w128[(idx >> 16) & 0x1],
Ablock[((idx >> 25) & 0x7f) + moff2].w128[(idx >> 24) & 0x1]);
cval[1] = mm256_xor(cval[1], t2);
Ablock += 2 * moff2;
}
}
cval[0] = mm256_xor(cval[0], cval[1]);
cblock->w128[0] =
mm128_xor(_mm256_extractf128_si256(cval[0], 0), _mm256_extractf128_si256(cval[0], 1));
}
ATTR_TARGET_AVX2
void mzd_addmul_vl_s256_128(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) {
static const unsigned int moff2 = 128;
block_t* cblock = BLOCK(c, 0);
const block_t* Ablock = CONST_BLOCK(A, 0);
word const* vptr = CONST_BLOCK(v, 0)->w64;
word256 cval[2] ATTR_ALIGNED(alignof(word256)) = {_mm256_castsi128_si256(cblock->w128[0]),
mm256_zero};
for (unsigned int w = 2; w; --w, ++vptr) {
word idx = *vptr;
for (unsigned int s = sizeof(word); s; s -= 4, idx >>= 32) {
const word256 t1 =
_mm256_set_m128i(Ablock[(idx >> 1) & 0x7f].w128[idx & 0x1],
Ablock[((idx >> 9) & 0x7f) + moff2].w128[(idx >> 8) & 0x1]);
cval[0] = mm256_xor(cval[0], t1);
Ablock += 2 * moff2;
const word256 t2 =
_mm256_set_m128i(Ablock[(idx >> 17) & 0x7f].w128[(idx >> 16) & 0x1],
Ablock[((idx >> 25) & 0x7f) + moff2].w128[(idx >> 24) & 0x1]);
cval[1] = mm256_xor(cval[1], t2);
Ablock += 2 * moff2;
}
}
cval[0] = mm256_xor(cval[0], cval[1]);
cblock->w128[0] =
mm128_xor(_mm256_extractf128_si256(cval[0], 0), _mm256_extractf128_si256(cval[0], 1));
}
ATTR_TARGET_AVX2
void mzd_mul_vl_s256_128_768(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) {
static const unsigned int moff2 = 256 * 3;
const block_t* Ablock = CONST_BLOCK(A, 0);
word const* vptr = CONST_BLOCK(v, 0)->w64;
for (unsigned int j = 0; j < 3; ++j) {
BLOCK(c, j)->w256 = mm256_zero;
}
for (unsigned int w = 2; w; --w, ++vptr) {
word idx = *vptr;
for (unsigned int s = sizeof(word); s; s -= 2, idx >>= 16) {
mzd_xor_s256_blocks(BLOCK(c, 0), CONST_BLOCK(c, 0), &Ablock[((idx >> 0) & 0xff) * 3], 3);
Ablock += moff2;
mzd_xor_s256_blocks(BLOCK(c, 0), CONST_BLOCK(c, 0), &Ablock[((idx >> 8) & 0xff) * 3], 3);
Ablock += moff2;
}
}
}
ATTR_TARGET_AVX2
void mzd_mul_vl_s256_192_1024(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) {
static const unsigned int moff2 = 256 * 4;
const block_t* Ablock = CONST_BLOCK(A, 0);
word const* vptr = CONST_BLOCK(v, 0)->w64;
for (unsigned int j = 0; j < 4; ++j) {
BLOCK(c, j)->w256 = mm256_zero;
}
for (unsigned int w = 3; w; --w, ++vptr) {
word idx = *vptr;
for (unsigned int s = sizeof(word); s; s -= 2, idx >>= 16) {
mzd_xor_s256_blocks(BLOCK(c, 0), CONST_BLOCK(c, 0), &Ablock[((idx >> 0) & 0xff) * 4], 4);
Ablock += moff2;
mzd_xor_s256_blocks(BLOCK(c, 0), CONST_BLOCK(c, 0), &Ablock[((idx >> 8) & 0xff) * 4], 4);
Ablock += moff2;
}
}
}
ATTR_TARGET_AVX2
void mzd_mul_vl_s256_256_1280(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) {
static const unsigned int moff2 = 256 * 5;
const block_t* Ablock = CONST_BLOCK(A, 0);
word const* vptr = CONST_BLOCK(v, 0)->w64;
for (unsigned int j = 0; j < 5; ++j) {
BLOCK(c, j)->w256 = mm256_zero;
}
for (unsigned int w = 4; w; --w, ++vptr) {
word idx = *vptr;
for (unsigned int s = sizeof(word); s; s -= 2, idx >>= 16) {
mzd_xor_s256_blocks(BLOCK(c, 0), CONST_BLOCK(c, 0), &Ablock[((idx >> 0) & 0xff) * 5], 5);
Ablock += moff2;
mzd_xor_s256_blocks(BLOCK(c, 0), CONST_BLOCK(c, 0), &Ablock[((idx >> 8) & 0xff) * 5], 5);
Ablock += moff2;
}
}
}
#endif
#endif
void mzd_addmul_vl_uint64_128(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) {
block_t* cblock = BLOCK(c, 0);
word const* vptr = CONST_BLOCK(v, 0)->w64;
for (unsigned int w = 0; w < 2; ++w, ++vptr) {
unsigned int add = 0;
for (word idx = *vptr; idx; idx >>= 8, add += 128) {
const word comb = idx & 0xff;
const unsigned int aoffset = (comb & 0x1) << 1;
const block_t* Ablock = CONST_BLOCK(A, w * sizeof(word) * 8 * 16 + add + (comb >> 1));
cblock->w64[0] ^= Ablock->w64[aoffset];
cblock->w64[1] ^= Ablock->w64[aoffset + 1];
}
}
}
void mzd_mul_vl_uint64_128(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) {
clear_uint64_block(BLOCK(c, 0), 2);
mzd_addmul_vl_uint64_128(c, v, A);
}
static void mzd_addmul_vl_uint64_256_len(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A,
const unsigned int len) {
block_t* cblock = BLOCK(c, 0);
word const* vptr = CONST_BLOCK(v, 0)->w64;
for (unsigned int w = 0; w < len; ++w, ++vptr) {
unsigned int add = 0;
for (word idx = *vptr; idx; idx >>= 8, add += 256) {
const word comb = idx & 0xff;
mzd_xor_uint64_block(cblock, cblock, CONST_BLOCK(A, w * sizeof(word) * 8 * 32 + add + comb),
len);
}
}
}
void mzd_addmul_vl_uint64_192(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) {
mzd_addmul_vl_uint64_256_len(c, v, A, 3);
}
void mzd_mul_vl_uint64_192(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) {
clear_uint64_block(BLOCK(c, 0), 3);
mzd_addmul_vl_uint64_192(c, v, A);
}
void mzd_addmul_vl_uint64_256(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) {
mzd_addmul_vl_uint64_256_len(c, v, A, 4);
}
void mzd_mul_vl_uint64_256(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) {
clear_uint64_block(BLOCK(c, 0), 4);
mzd_addmul_vl_uint64_256(c, v, A);
}
void mzd_mul_vl_uint64_128_576(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) {
block_t* cblock = BLOCK(c, 0);
word const* vptr = CONST_BLOCK(v, 0)->w64;
clear_uint64_blocks(cblock, 2);
clear_uint64_block(&cblock[2], 1);
for (unsigned int w = 0; w < 2; ++w, ++vptr) {
unsigned int add = 0;
for (word idx = *vptr; idx; idx >>= 8, add += 256) {
const word comb = idx & 0xff;
const block_t* Ablock = CONST_BLOCK(A, (w * sizeof(word) * 8 * 32 + add + comb) * 3);
mzd_xor_uint64_blocks(cblock, cblock, Ablock, 2);
mzd_xor_uint64_block(&cblock[2], &cblock[2], &Ablock[2], 1);
}
}
}
void mzd_mul_vl_uint64_128_640(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) {
block_t* cblock = BLOCK(c, 0);
word const* vptr = CONST_BLOCK(v, 0)->w64;
clear_uint64_blocks(cblock, 2);
clear_uint64_block(&cblock[2], 2);
for (unsigned int w = 0; w < 2; ++w, ++vptr) {
unsigned int add = 0;
for (word idx = *vptr; idx; idx >>= 8, add += 256) {
const word comb = idx & 0xff;
const block_t* Ablock = CONST_BLOCK(A, (w * sizeof(word) * 8 * 32 + add + comb) * 3);
mzd_xor_uint64_blocks(cblock, cblock, Ablock, 2);
mzd_xor_uint64_block(&cblock[2], &cblock[2], &Ablock[2], 2);
}
}
}
void mzd_mul_vl_uint64_192_896(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) {
block_t* cblock = BLOCK(c, 0);
word const* vptr = CONST_BLOCK(v, 0)->w64;
clear_uint64_blocks(cblock, 3);
clear_uint64_block(&cblock[3], 2);
for (unsigned int w = 0; w < 3; ++w, ++vptr) {
unsigned int add = 0;
for (word idx = *vptr; idx; idx >>= 8, add += 256) {
const word comb = idx & 0xff;
const block_t* Ablock = CONST_BLOCK(A, (w * sizeof(word) * 8 * 32 + add + comb) * 4);
mzd_xor_uint64_blocks(cblock, cblock, Ablock, 3);
mzd_xor_uint64_block(&cblock[3], &cblock[3], &Ablock[3], 2);
}
}
}
void mzd_mul_vl_uint64_192_960(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) {
block_t* cblock = BLOCK(c, 0);
word const* vptr = CONST_BLOCK(v, 0)->w64;
clear_uint64_blocks(cblock, 3);
clear_uint64_block(&cblock[3], 3);
for (unsigned int w = 0; w < 3; ++w, ++vptr) {
unsigned int add = 0;
for (word idx = *vptr; idx; idx >>= 8, add += 256) {
const word comb = idx & 0xff;
const block_t* Ablock = CONST_BLOCK(A, (w * sizeof(word) * 8 * 32 + add + comb) * 4);
mzd_xor_uint64_blocks(cblock, cblock, Ablock, 3);
mzd_xor_uint64_block(&cblock[3], &cblock[3], &Ablock[3], 3);
}
}
}
void mzd_mul_vl_uint64_256_1152(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) {
block_t* cblock = BLOCK(c, 0);
word const* vptr = CONST_BLOCK(v, 0)->w64;
clear_uint64_blocks(cblock, 4);
clear_uint64_block(&cblock[4], 2);
for (unsigned int w = 0; w < 4; ++w, ++vptr) {
unsigned int add = 0;
for (word idx = *vptr; idx; idx >>= 8, add += 256) {
const word comb = idx & 0xff;
const block_t* Ablock = CONST_BLOCK(A, (w * sizeof(word) * 8 * 32 + add + comb) * 5);
mzd_xor_uint64_blocks(cblock, cblock, Ablock, 4);
mzd_xor_uint64_block(&cblock[4], &cblock[4], &Ablock[4], 2);
}
}
}
void mzd_mul_vl_uint64_256_1216(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) {
block_t* cblock = BLOCK(c, 0);
word const* vptr = CONST_BLOCK(v, 0)->w64;
clear_uint64_blocks(cblock, 4);
clear_uint64_block(&cblock[4], 3);
for (unsigned int w = 0; w < 4; ++w, ++vptr) {
unsigned int add = 0;
for (word idx = *vptr; idx; idx >>= 8, add += 256) {
const word comb = idx & 0xff;
const block_t* Ablock = CONST_BLOCK(A, (w * sizeof(word) * 8 * 32 + add + comb) * 5);
mzd_xor_uint64_blocks(cblock, cblock, Ablock, 4);
mzd_xor_uint64_block(&cblock[4], &cblock[4], &Ablock[4], 3);
}
}
}
#endif
// specific instances
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
// bit extract, non-constant time for mask, but mask is public in our calls

70
src/sig/picnic/external/mzd_additional.h vendored
View File

@ -236,76 +236,6 @@ void mzd_addmul_v_s256_128(mzd_local_t* c, mzd_local_t const* v, mzd_local_t con
void mzd_addmul_v_s256_192(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) ATTR_NONNULL;
void mzd_addmul_v_s256_256(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) ATTR_NONNULL;
#if defined(MUL_M4RI)
/**
* Compute v * A optimized for v being a vector.
*/
void mzd_mul_vl_uint64_128(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) ATTR_NONNULL;
void mzd_mul_vl_uint64_128_576(mzd_local_t* c, mzd_local_t const* v,
mzd_local_t const* A) ATTR_NONNULL;
void mzd_mul_vl_uint64_128_640(mzd_local_t* c, mzd_local_t const* v,
mzd_local_t const* A) ATTR_NONNULL;
void mzd_mul_vl_uint64_192(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) ATTR_NONNULL;
void mzd_mul_vl_uint64_192_896(mzd_local_t* c, mzd_local_t const* v,
mzd_local_t const* A) ATTR_NONNULL;
void mzd_mul_vl_uint64_192_960(mzd_local_t* c, mzd_local_t const* v,
mzd_local_t const* A) ATTR_NONNULL;
void mzd_mul_vl_uint64_256(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) ATTR_NONNULL;
void mzd_mul_vl_uint64_256_1152(mzd_local_t* c, mzd_local_t const* v,
mzd_local_t const* A) ATTR_NONNULL;
void mzd_mul_vl_uint64_256_1216(mzd_local_t* c, mzd_local_t const* v,
mzd_local_t const* A) ATTR_NONNULL;
void mzd_mul_vl_s128_128(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) ATTR_NONNULL;
void mzd_mul_vl_s128_128_640(mzd_local_t* c, mzd_local_t const* v,
mzd_local_t const* A) ATTR_NONNULL;
void mzd_mul_vl_s128_192(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) ATTR_NONNULL;
void mzd_mul_vl_s128_192_896(mzd_local_t* c, mzd_local_t const* v,
mzd_local_t const* A) ATTR_NONNULL;
void mzd_mul_vl_s128_192_1024(mzd_local_t* c, mzd_local_t const* v,
mzd_local_t const* A) ATTR_NONNULL;
void mzd_mul_vl_s128_256(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) ATTR_NONNULL;
void mzd_mul_vl_s128_256_1152(mzd_local_t* c, mzd_local_t const* v,
mzd_local_t const* A) ATTR_NONNULL;
void mzd_mul_vl_s128_256_1280(mzd_local_t* c, mzd_local_t const* v,
mzd_local_t const* A) ATTR_NONNULL;
void mzd_mul_vl_s256_128(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) ATTR_NONNULL;
void mzd_mul_vl_s256_128_768(mzd_local_t* c, mzd_local_t const* v,
mzd_local_t const* A) ATTR_NONNULL;
void mzd_mul_vl_s256_192(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) ATTR_NONNULL;
void mzd_mul_vl_s256_192_1024(mzd_local_t* c, mzd_local_t const* v,
mzd_local_t const* A) ATTR_NONNULL;
void mzd_mul_vl_s256_256(mzd_local_t* c, mzd_local_t const* v, mzd_local_t const* A) ATTR_NONNULL;
void mzd_mul_vl_s256_256_1280(mzd_local_t* c, mzd_local_t const* v,
mzd_local_t const* A) ATTR_NONNULL;
/**
* Compute c + v * A optimized for c and v being vectors.
*/
void mzd_addmul_vl_uint64_128(mzd_local_t* c, mzd_local_t const* v,
mzd_local_t const* A) ATTR_NONNULL;
void mzd_addmul_vl_uint64_192(mzd_local_t* c, mzd_local_t const* v,
mzd_local_t const* A) ATTR_NONNULL;
void mzd_addmul_vl_uint64_256(mzd_local_t* c, mzd_local_t const* v,
mzd_local_t const* A) ATTR_NONNULL;
void mzd_addmul_vl_s128_128(mzd_local_t* c, mzd_local_t const* v,
mzd_local_t const* A) ATTR_NONNULL;
void mzd_addmul_vl_s128_192(mzd_local_t* c, mzd_local_t const* v,
mzd_local_t const* A) ATTR_NONNULL;
void mzd_addmul_vl_s128_256(mzd_local_t* c, mzd_local_t const* v,
mzd_local_t const* A) ATTR_NONNULL;
void mzd_addmul_vl_s256_128(mzd_local_t* c, mzd_local_t const* v,
mzd_local_t const* A) ATTR_NONNULL;
void mzd_addmul_vl_s256_192(mzd_local_t* c, mzd_local_t const* v,
mzd_local_t const* A) ATTR_NONNULL;
void mzd_addmul_vl_s256_256(mzd_local_t* c, mzd_local_t const* v,
mzd_local_t const* A) ATTR_NONNULL;
/**
* Pre-compute matrices for mzd_{add,}mul_vl computions.
*/
mzd_local_t* mzd_precompute_matrix_lookup(mzd_local_t const* A, unsigned int r,
unsigned int c) ATTR_NONNULL;
#endif
/**
* Shuffle vector x according to info in mask. Needed for OLLE optimiztaions.
*/

28
src/sig/picnic/external/picnic.c vendored
View File

@ -120,30 +120,26 @@ int PICNIC_CALLING_CONVENTION picnic_sk_to_pk(const picnic_privatekey_t* sk,
const size_t input_size = instance->input_size;
const size_t output_size = instance->output_size;
const lowmc_t* lowmc = instance->lowmc;
const uint8_t* sk_sk = SK_SK(sk);
uint8_t* pk_c = PK_C(pk);
uint8_t* pk_pt = PK_PT(pk);
const uint8_t* sk_pt = SK_PT(sk);
mzd_local_t* plaintext = mzd_local_init_ex(1, lowmc->n, false);
mzd_local_t* privkey = mzd_local_init_ex(1, lowmc->k, false);
mzd_local_t plaintext[(MAX_LOWMC_BLOCK_SIZE_BITS + 255) / 256];
mzd_local_t privkey[(MAX_LOWMC_BLOCK_SIZE_BITS + 255) / 256];
mzd_local_t ciphertext[(MAX_LOWMC_BLOCK_SIZE_BITS + 255) / 256];
mzd_from_char_array(plaintext, sk_pt, output_size);
mzd_from_char_array(privkey, sk_sk, input_size);
// compute public key
mzd_local_t* ciphertext = instance->impls.lowmc(privkey, plaintext);
instance->impls.lowmc(privkey, plaintext, ciphertext);
pk->data[0] = param;
memcpy(pk_pt, sk_pt, output_size);
mzd_to_char_array(pk_c, ciphertext, output_size);
mzd_local_free(ciphertext);
mzd_local_free(privkey);
mzd_local_free(plaintext);
return 0;
}
@ -161,7 +157,6 @@ int PICNIC_CALLING_CONVENTION picnic_validate_keypair(const picnic_privatekey_t*
const size_t input_size = instance->input_size;
const size_t output_size = instance->output_size;
const lowmc_t* lowmc = instance->lowmc;
const uint8_t* sk_sk = SK_SK(sk);
const uint8_t* sk_pt = SK_PT(sk);
const uint8_t* sk_c = SK_C(sk);
@ -174,22 +169,19 @@ int PICNIC_CALLING_CONVENTION picnic_validate_keypair(const picnic_privatekey_t*
return -1;
}
mzd_local_t* plaintext = mzd_local_init_ex(1, lowmc->n, false);
mzd_local_t* privkey = mzd_local_init_ex(1, lowmc->k, false);
mzd_local_t plaintext[(MAX_LOWMC_BLOCK_SIZE_BITS + 255) / 256];
mzd_local_t privkey[(MAX_LOWMC_BLOCK_SIZE_BITS + 255) / 256];
mzd_local_t ciphertext[(MAX_LOWMC_BLOCK_SIZE_BITS + 255) / 256];
mzd_from_char_array(plaintext, sk_pt, instance->output_size);
mzd_from_char_array(privkey, sk_sk, instance->input_size);
// compute public key
mzd_local_t* ciphertext = instance->impls.lowmc(privkey, plaintext);
instance->impls.lowmc(privkey, plaintext, ciphertext);
uint8_t buffer[MAX_LOWMC_BLOCK_SIZE];
mzd_to_char_array(buffer, ciphertext, output_size);
mzd_local_free(ciphertext);
mzd_local_free(privkey);
mzd_local_free(plaintext);
return memcmp(buffer, pk_c, output_size);
}
@ -215,7 +207,7 @@ int PICNIC_CALLING_CONVENTION picnic_sign(const picnic_privatekey_t* sk, const u
if (param == Picnic2_L1_FS || param == Picnic2_L3_FS || param == Picnic2_L5_FS)
return impl_sign_picnic2(instance, sk_pt, sk_sk, sk_c, message, message_len, signature,
signature_len);
signature_len);
else
return impl_sign(instance, sk_pt, sk_sk, sk_c, message, message_len, signature, signature_len);
}
@ -240,7 +232,7 @@ int PICNIC_CALLING_CONVENTION picnic_verify(const picnic_publickey_t* pk, const
if (param == Picnic2_L1_FS || param == Picnic2_L3_FS || param == Picnic2_L5_FS)
return impl_verify_picnic2(instance, pk_pt, pk_c, message, message_len, signature,
signature_len);
signature_len);
else
return impl_verify(instance, pk_pt, pk_c, message, message_len, signature, signature_len);
}

1
src/sig/picnic/external/picnic2_L1_FS/api.h vendored
View File

@ -5,6 +5,7 @@
#define CRYPTO_PUBLICKEYBYTES (1 + 2 * 16)
#define CRYPTO_BYTES (4 + 13802)
#define CRYPTO_ALGNAME "picnic2l1fs"
#define CRYPTO_DETERMINISTIC 1
int crypto_sign_keypair(unsigned char* pk, unsigned char* sk);
int crypto_sign(unsigned char* sm, unsigned long long* smlen, const unsigned char* m,

1
src/sig/picnic/external/picnic2_L3_FS/api.h vendored
View File

@ -5,6 +5,7 @@
#define CRYPTO_PUBLICKEYBYTES (1 + 2 * 24)
#define CRYPTO_BYTES (4 + 29750)
#define CRYPTO_ALGNAME "picnic2l3fs"
#define CRYPTO_DETERMINISTIC 1
int crypto_sign_keypair(unsigned char* pk, unsigned char* sk);
int crypto_sign(unsigned char* sm, unsigned long long* smlen, const unsigned char* m,

1
src/sig/picnic/external/picnic2_L5_FS/api.h vendored
View File

@ -5,6 +5,7 @@
#define CRYPTO_PUBLICKEYBYTES (1 + 2 * 32)
#define CRYPTO_BYTES (4 + 54732)
#define CRYPTO_ALGNAME "picnic2l5fs"
#define CRYPTO_DETERMINISTIC 1
int crypto_sign_keypair(unsigned char* pk, unsigned char* sk);
int crypto_sign(unsigned char* sm, unsigned long long* smlen, const unsigned char* m,

375
src/sig/picnic/external/picnic2_impl.c vendored
View File

@ -10,22 +10,22 @@
* SPDX-License-Identifier: MIT
*/
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <assert.h>
#include "io.h"
#include "kdf_shake.h"
#include "macros.h"
#include "picnic_impl.h"
#include "picnic2_impl.h"
#include "picnic.h"
#include "picnic2_types.h"
#include "picnic2_tree.h"
#include "picnic2_impl.h"
#include "picnic2_simulate_mul.h"
#include "io.h"
#include "picnic2_tree.h"
#include "picnic2_types.h"
#include "picnic_impl.h"
#define LOWMC_MAX_KEY_BITS 256
#define LOWMC_MAX_AND_GATES (3 * 38 * 10 + 4) /* Rounded to nearest byte */
@ -40,7 +40,7 @@ static uint32_t numBytes(uint32_t numBits) {
static void createRandomTapes(randomTape_t* tapes, uint8_t** seeds, uint8_t* salt, size_t t,
const picnic_instance_t* params) {
Keccak_HashInstancetimes4 ctx;
hash_context_x4 ctx;
size_t tapeSizeBytes = 2 * params->view_size + params->input_size;
@ -54,14 +54,15 @@ static void createRandomTapes(randomTape_t* tapes, uint8_t** seeds, uint8_t* sal
const uint8_t* salt_ptr[4] = {salt, salt, salt, salt};
hash_update_x4(&ctx, salt_ptr, SALT_SIZE);
uint16_t tLE = htole16((uint16_t)t);
const uint8_t* tLE_ptr[4] = {(const uint8_t*)&tLE, (const uint8_t*)&tLE, (const uint8_t*)&tLE, (const uint8_t*)&tLE};
const uint8_t* tLE_ptr[4] = {(const uint8_t*)&tLE, (const uint8_t*)&tLE, (const uint8_t*)&tLE,
(const uint8_t*)&tLE};
hash_update_x4(&ctx, tLE_ptr, sizeof(uint16_t));
uint16_t iLE0 = htole16((uint16_t)(i + 0));
uint16_t iLE1 = htole16((uint16_t)(i + 1));
uint16_t iLE2 = htole16((uint16_t)(i + 2));
uint16_t iLE3 = htole16((uint16_t)(i + 3));
const uint8_t* iLE_ptr[4] = {(const uint8_t*)&iLE0, (const uint8_t*)&iLE1, (const uint8_t*)&iLE2,
(const uint8_t*)&iLE3};
const uint8_t* iLE_ptr[4] = {(const uint8_t*)&iLE0, (const uint8_t*)&iLE1,
(const uint8_t*)&iLE2, (const uint8_t*)&iLE3};
hash_update_x4(&ctx, iLE_ptr, sizeof(uint16_t));
hash_final_x4(&ctx);
@ -82,47 +83,62 @@ static void tapesToWords(shares_t* shares, randomTape_t* tapes) {
}
}
static uint64_t aux_mpc_AND(uint64_t mask_a, uint64_t mask_b, randomTape_t* tapes) {
// uint64_t mask_a = parity64_uint64(a); //inputs are already parity
// uint64_t mask_b = parity64_uint64(b); //inputs are already parity
uint64_t fresh_output_mask = tapesToWord(tapes);
static void aux_mpc_AND_bitsliced(uint64_t mask_a, uint64_t mask_b, uint64_t mask_c, uint64_t* ab,
uint64_t* bc, uint64_t* ca, randomTape_t* tapes) {
uint64_t and_helper = tapesToWord(tapes);
for (int i = 0; i < 10; i++) {
uint64_t fresh_output_maks_ab = tapesToParityOfWord(tapes, 0);
uint64_t and_helper_ab = tapesToParityOfWord(tapes, 1);
uint64_t fresh_output_maks_bc = tapesToParityOfWord(tapes, 0);
uint64_t and_helper_bc = tapesToParityOfWord(tapes, 1);
uint64_t fresh_output_maks_ca = tapesToParityOfWord(tapes, 0);
uint64_t and_helper_ca = tapesToParityOfWord(tapes, 1);
/* Zero the last party's share of the helper value, compute it based on the
* input masks; then update the tape. */
setBit((uint8_t*)&and_helper, 63, 0);
uint64_t aux_bit = (mask_a & mask_b) ^ parity64_uint64(and_helper);
size_t lastParty = tapes->nTapes - 1;
setBit(tapes->tape[lastParty], tapes->pos - 1, (uint8_t)aux_bit);
uint64_t aux_bit_ab = (((mask_a & mask_b) >> (63 - 3 * i)) & 1) ^ and_helper_ab;
uint64_t aux_bit_bc = (((mask_b & mask_c) >> (63 - 3 * i)) & 1) ^ and_helper_bc;
uint64_t aux_bit_ca = (((mask_c & mask_a) >> (63 - 3 * i)) & 1) ^ and_helper_ca;
return fresh_output_mask;
setBit(tapes->tape[63], tapes->pos - 5, (uint8_t)aux_bit_ab);
setBit(tapes->tape[63], tapes->pos - 3, (uint8_t)aux_bit_bc);
setBit(tapes->tape[63], tapes->pos - 1, (uint8_t)aux_bit_ca);
setBit(tapes->aux_bits, tapes->aux_pos++, (uint8_t)aux_bit_ab);
setBit(tapes->aux_bits, tapes->aux_pos++, (uint8_t)aux_bit_bc);
setBit(tapes->aux_bits, tapes->aux_pos++, (uint8_t)aux_bit_ca);
*ab <<= 3;
*ab |= fresh_output_maks_ab;
*bc <<= 3;
*bc |= fresh_output_maks_bc;
*ca <<= 3;
*ca |= fresh_output_maks_ca;
}
*ab <<= 36;
*bc <<= 36;
*ca <<= 36;
}
/**
* S-box for m = 10, for Picnic2 aux computation
* S-box for m = 10, for Picnic2 aux computation, as bitsliced as possible
*/
void sbox_layer_10_uint64_aux(uint64_t* d, randomTape_t* tapes) {
uint64_t dBE = htobe64(*d);
uint8_t state[sizeof(dBE)];
memcpy(state, &dBE, sizeof(dBE));
uint64_t in = *d;
for (uint32_t i = 0; i < 30; i += 3) {
const uint8_t a = getBit(state, i + 2);
const uint8_t b = getBit(state, i + 1);
const uint8_t c = getBit(state, i + 0);
// a, b, c
const uint64_t x0s = (in & MASK_X0I) << 2;
const uint64_t x1s = (in & MASK_X1I) << 1;
const uint64_t x2m = in & MASK_X2I;
const uint8_t ab = parity64_uint64(aux_mpc_AND(a, b, tapes));
const uint8_t bc = parity64_uint64(aux_mpc_AND(b, c, tapes));
const uint8_t ca = parity64_uint64(aux_mpc_AND(c, a, tapes));
uint64_t ab = 0, bc = 0, ca = 0;
aux_mpc_AND_bitsliced(x0s, x1s, x2m, &ab, &bc, &ca, tapes);
setBit(state, i + 2, a ^ bc);
setBit(state, i + 1, a ^ b ^ ca);
setBit(state, i + 0, a ^ b ^ c ^ ab);
}
// (b & c) ^ a
const uint64_t t0 = (bc) ^ x0s;
// (c & a) ^ a ^ b
const uint64_t t1 = (ca) ^ x0s ^ x1s;
// (a & b) ^ a ^ b ^c
const uint64_t t2 = (ab) ^ x0s ^ x1s ^ x2m;
memcpy(&dBE, state, sizeof(dBE));
*d = be64toh(dBE);
*d = (in & MASK_MASK) ^ (t0 >> 2) ^ (t1 >> 1) ^ t2;
}
/* Input is the tapes for one parallel repitition; i.e., tapes[t]
@ -131,37 +147,36 @@ void sbox_layer_10_uint64_aux(uint64_t* d, randomTape_t* tapes) {
* holds on the mask values.
*/
static void computeAuxTape(randomTape_t* tapes, const picnic_instance_t* params) {
shares_t* key = allocateShares(params->lowmc->n);
mzd_local_t* lowmc_key = mzd_local_init_ex(params->lowmc->n, 1, true);
tapesToWords(key, tapes);
uint8_t temp[32] = {
0,
};
// combine into key shares and calculate lowmc evaluation in plain
for (uint32_t i = 0; i < params->lowmc->n; i++) {
uint8_t key_bit = parity64_uint64(key->shares[i]);
setBit(temp, i, key_bit);
for (size_t i = 0; i < params->num_MPC_parties; i++) {
for (size_t j = 0; j < params->input_size; j++) {
temp[j] ^= tapes->tape[i][j];
}
}
mzd_from_char_array(lowmc_key, temp, params->lowmc->n / 8);
tapes->pos = params->lowmc->n;
lowmc_compute_aux_implementation_f lowmc_aux_impl = params->impls.lowmc_aux;
// Perform LowMC evaluation and record state before AND gates
// Perform LowMC evaluation and fix AND masks for all AND gates
lowmc_aux_impl(lowmc_key, tapes);
// Reset the random tape counter so that the online execution uses the
// same random bits as when computing the aux shares
tapes->pos = 0;
freeShares(key);
mzd_local_free(lowmc_key);
}
static void commit(uint8_t* digest, const uint8_t* seed, const uint8_t* aux, const uint8_t* salt,
size_t t, size_t j, const picnic_instance_t* params) {
/* Compute C[t][j]; as digest = H(seed||[aux]) aux is optional */
Keccak_HashInstance ctx;
hash_context ctx;
hash_init(&ctx, params);
hash_update(&ctx, seed, params->seed_size);
@ -178,10 +193,10 @@ static void commit(uint8_t* digest, const uint8_t* seed, const uint8_t* aux, con
hash_squeeze(&ctx, digest, params->digest_size);
}
static void commit_x4(uint8_t** digest, const uint8_t** seed, const uint8_t* salt, size_t t, size_t j,
const picnic_instance_t* params) {
static void commit_x4(uint8_t** digest, const uint8_t** seed, const uint8_t* salt, size_t t,
size_t j, const picnic_instance_t* params) {
/* Compute C[t][j]; as digest = H(seed||[aux]) aux is optional */
Keccak_HashInstancetimes4 ctx;
hash_context_x4 ctx;
hash_init_x4(&ctx, params);
hash_update_x4(&ctx, seed, params->seed_size);
@ -203,20 +218,37 @@ static void commit_x4(uint8_t** digest, const uint8_t** seed, const uint8_t* sal
}
static void commit_h(uint8_t* digest, const commitments_t* C, const picnic_instance_t* params) {
Keccak_HashInstance ctx;
hash_context ctx;
hash_init(&ctx, params);
for (size_t i = 0; i < params->num_MPC_parties; i++) {
hash_update(&ctx, C->hashes[i], params->seed_size);
hash_update(&ctx, C->hashes[i], params->digest_size);
}
hash_final(&ctx);
hash_squeeze(&ctx, digest, params->digest_size);
}
static void commit_h_x4(uint8_t** digest, const commitments_t* C, const picnic_instance_t* params) {
hash_context_x4 ctx;
hash_init_x4(&ctx, params);
for (size_t i = 0; i < params->num_MPC_parties; i++) {
const uint8_t* data[4] = {
C[0].hashes[i],
C[1].hashes[i],
C[2].hashes[i],
C[3].hashes[i],
};
hash_update_x4(&ctx, data, params->digest_size);
}
hash_final_x4(&ctx);
hash_squeeze_x4(&ctx, digest, params->digest_size);
}
// Commit to the views for one parallel rep
static void commit_v(uint8_t* digest, const uint8_t* input, const msgs_t* msgs,
const picnic_instance_t* params) {
Keccak_HashInstance ctx;
hash_context ctx;
hash_init(&ctx, params);
hash_update(&ctx, input, params->input_size);
@ -227,6 +259,26 @@ static void commit_v(uint8_t* digest, const uint8_t* input, const msgs_t* msgs,
hash_squeeze(&ctx, digest, params->digest_size);
}
static void commit_v_x4(uint8_t** digest, const uint8_t** input, const msgs_t* msgs,
const picnic_instance_t* params) {
hash_context_x4 ctx;
hash_init_x4(&ctx, params);
hash_update_x4(&ctx, input, params->input_size);
for (size_t i = 0; i < params->num_MPC_parties; i++) {
assert(msgs[0].pos == msgs[1].pos && msgs[2].pos == msgs[3].pos && msgs[0].pos == msgs[2].pos);
const uint8_t* data[4] = {
msgs[0].msgs[i],
msgs[1].msgs[i],
msgs[2].msgs[i],
msgs[3].msgs[i],
};
hash_update_x4(&ctx, data, numBytes(msgs->pos));
}
hash_final_x4(&ctx);
hash_squeeze_x4(&ctx, digest, params->digest_size);
}
static int contains(const uint16_t* list, size_t len, uint16_t value) {
for (size_t i = 0; i < len; i++) {
if (list[i] == value) {
@ -246,20 +298,6 @@ static int indexOf(const uint16_t* list, size_t len, uint16_t value) {
return -1;
}
static void getAuxBits(uint8_t* output, randomTape_t* tapes, const picnic_instance_t* params) {
size_t firstAuxIndex = params->lowmc->n + 1;
size_t last = params->num_MPC_parties - 1;
size_t pos = 0;
memset(output, 0, params->view_size);
size_t andSizeBits = 3 * params->lowmc->r * params->lowmc->m;
for (size_t i = 0; i < andSizeBits * 2; i += 2) {
uint8_t auxBit = getBit(tapes->tape[last], firstAuxIndex + i);
setBit(output, pos, auxBit);
pos++;
}
}
static void setAuxBits(randomTape_t* tapes, uint8_t* input, const picnic_instance_t* params) {
size_t firstAuxIndex = params->lowmc->n + 1;
size_t last = params->num_MPC_parties - 1;
@ -310,7 +348,7 @@ static size_t appendUnique(uint16_t* list, uint16_t value, size_t position) {
static void HCP(uint16_t* challengeC, uint16_t* challengeP, commitments_t* Ch, uint8_t* hCv,
uint8_t* salt, const uint32_t* pubKey, const uint32_t* plaintext,
const uint8_t* message, size_t messageByteLength, const picnic_instance_t* params) {
Keccak_HashInstance ctx;
hash_context ctx;
uint8_t h[MAX_DIGEST_SIZE] = {0};
assert(params->num_opened_rounds < params->num_rounds);
@ -331,7 +369,7 @@ static void HCP(uint16_t* challengeC, uint16_t* challengeP, commitments_t* Ch, u
// Populate C
uint32_t bitsPerChunkC = ceil_log2(params->num_rounds);
uint32_t bitsPerChunkP = ceil_log2(params->num_MPC_parties);
uint16_t* chunks = calloc(params->digest_size * 8 / bitsPerChunkP, sizeof(uint16_t));
uint16_t* chunks = calloc(params->digest_size * 8 / MIN(bitsPerChunkP,bitsPerChunkC), sizeof(uint16_t));
size_t countC = 0;
while (countC < params->num_opened_rounds) {
@ -393,10 +431,12 @@ static uint16_t* getMissingLeavesList(uint16_t* challengeC, const picnic_instanc
int verify_picnic2(signature2_t* sig, const uint32_t* pubKey, const uint32_t* plaintext,
const uint8_t* message, size_t messageByteLength,
const picnic_instance_t* params) {
commitments_t* C = allocateCommitments(params, 0);
commitments_t Ch = {0};
commitments_t Cv = {0};
msgs_t* msgs = allocateMsgs(params);
commitments_t C[4] = {0,};
allocateCommitments2(&C[0], params, params->num_MPC_parties);
allocateCommitments2(&C[1], params, params->num_MPC_parties);
allocateCommitments2(&C[2], params, params->num_MPC_parties);
allocateCommitments2(&C[3], params, params->num_MPC_parties);
msgs_t* msgs = allocateMsgsVerify(params);
tree_t* treeCv = createTree(params->num_rounds, params->digest_size);
size_t challengeSizeBytes = params->num_opened_rounds * sizeof(uint16_t);
uint16_t* challengeC = malloc(challengeSizeBytes);
@ -406,8 +446,18 @@ int verify_picnic2(signature2_t* sig, const uint32_t* pubKey, const uint32_t* pl
tree_t* iSeedsTree = createTree(params->num_rounds, params->seed_size);
int ret = reconstructSeeds(iSeedsTree, sig->challengeC, params->num_opened_rounds, sig->iSeedInfo,
sig->iSeedInfoLen, sig->salt, 0, params);
const size_t last = params->num_MPC_parties - 1;
lowmc_simulate_online_f simulateOnline = params->impls.lowmc_simulate_online;
commitments_t Ch = {0};
allocateCommitments2(&Ch, params, params->num_rounds);
commitments_t Cv = {0};
allocateCommitments2(&Cv, params, params->num_rounds);
shares_t* mask_shares = allocateShares(params->lowmc->n);
mzd_local_t* m_plaintext = mzd_local_init_ex(1, params->lowmc->n, false);
mzd_local_t* m_maskedKey = mzd_local_init_ex(1, params->lowmc->k, false);
mzd_from_char_array(m_plaintext, (const uint8_t*)plaintext, params->output_size);
if (ret != 0) {
ret = -1;
goto Exit;
@ -436,17 +486,14 @@ int verify_picnic2(signature2_t* sig, const uint32_t* pubKey, const uint32_t* pl
goto Exit;
}
}
}
/* Commit */
/* Commit */
size_t last = params->num_MPC_parties - 1;
uint8_t auxBits[MAX_AUX_BYTES];
for (size_t t = 0; t < params->num_rounds; t++) {
/* Compute random tapes for all parties. One party for each repitition
* challengeC will have a bogus seed; but we won't use that party's
* random tape. */
createRandomTapes(&tapes[t], getLeaves(seeds[t]), sig->salt, t, params);
if (!contains(sig->challengeC, params->num_opened_rounds, t)) {
/* We're given iSeed, have expanded the seeds, compute aux from scratch so we can comnpte
* Com[t] */
@ -454,10 +501,12 @@ int verify_picnic2(signature2_t* sig, const uint32_t* pubKey, const uint32_t* pl
for (size_t j = 0; j < params->num_MPC_parties; j += 4) {
const uint8_t* seed_ptr[4] = {getLeaf(seeds[t], j + 0), getLeaf(seeds[t], j + 1),
getLeaf(seeds[t], j + 2), getLeaf(seeds[t], j + 3)};
commit_x4(C[t].hashes + j, seed_ptr, sig->salt, t, j, params);
commit_x4(C[t%4].hashes + j, seed_ptr, sig->salt, t, j, params);
}
getAuxBits(auxBits, &tapes[t], params);
commit(C[t].hashes[last], getLeaf(seeds[t], last), auxBits, sig->salt, t, last, params);
commit(C[t%4].hashes[last], getLeaf(seeds[t], last), tapes[t].aux_bits, sig->salt, t, last,
params);
/* after we have checked the tape, we do not need it anymore for this opened iteration */
freeRandomTape(&tapes[t]);
} else {
/* We're given all seeds and aux bits, execpt for the unopened
* party, we get their commitment */
@ -465,27 +514,25 @@ int verify_picnic2(signature2_t* sig, const uint32_t* pubKey, const uint32_t* pl
for (size_t j = 0; j < params->num_MPC_parties; j += 4) {
const uint8_t* seed_ptr[4] = {getLeaf(seeds[t], j + 0), getLeaf(seeds[t], j + 1),
getLeaf(seeds[t], j + 2), getLeaf(seeds[t], j + 3)};
commit_x4(C[t].hashes + j, seed_ptr, sig->salt, t, j, params);
commit_x4(C[t%4].hashes + j, seed_ptr, sig->salt, t, j, params);
}
if (last != unopened) {
commit(C[t].hashes[last], getLeaf(seeds[t], last), sig->proofs[t].aux, sig->salt, t, last,
commit(C[t%4].hashes[last], getLeaf(seeds[t], last), sig->proofs[t].aux, sig->salt, t, last,
params);
}
memcpy(C[t].hashes[unopened], sig->proofs[t].C, params->digest_size);
memcpy(C[t%4].hashes[unopened], sig->proofs[t].C, params->digest_size);
}
}
/* hash commitments every four iterations if possible, for the last few do single commitments */
if(t >= params->num_rounds / 4 * 4) {
commit_h(Ch.hashes[t], &C[t%4], params);
} else if ((t + 1) % 4 == 0) {
size_t t4 = t / 4 * 4;
commit_h_x4(&Ch.hashes[t4], &C[0], params);
}
freeTree(seeds[t]);
/* Commit to the commitments */
allocateCommitments2(&Ch, params, params->num_rounds);
for (size_t t = 0; t < params->num_rounds; t++) {
commit_h(Ch.hashes[t], &C[t], params);
}
/* Commit to the views */
allocateCommitments2(&Cv, params, params->num_rounds);
shares_t* mask_shares = allocateShares(params->lowmc->n);
for (size_t t = 0; t < params->num_rounds; t++) {
/* Commit to the views */
if (contains(sig->challengeC, params->num_opened_rounds, t)) {
/* 2. When t is in C, we have everything we need to re-compute the view, as an honest signer
* would.
@ -495,26 +542,28 @@ int verify_picnic2(signature2_t* sig, const uint32_t* pubKey, const uint32_t* pl
size_t tapeLengthBytes = 2 * params->view_size + params->input_size;
setAuxBits(&tapes[t], sig->proofs[t].aux, params);
memset(tapes[t].tape[unopened], 0, tapeLengthBytes);
memcpy(msgs[t].msgs[unopened], sig->proofs[t].msgs, params->view_size + params->input_size);
msgs[t].unopened = unopened;
memcpy(msgs->msgs[unopened], sig->proofs[t].msgs, params->view_size + params->input_size);
msgs->pos = 0;
msgs->unopened = unopened;
tapesToWords(mask_shares, &tapes[t]);
ret = simulateOnline((uint32_t*)sig->proofs[t].input, mask_shares, &tapes[t], &msgs[t],
plaintext, pubKey, params);
mzd_from_char_array(m_maskedKey, sig->proofs[t].input, params->input_size);
ret = simulateOnline(m_maskedKey, mask_shares, &tapes[t], msgs,
m_plaintext, pubKey, params);
freeRandomTape(&tapes[t]);
if (ret != 0) {
#if !defined(NDEBUG)
printf("MPC simulation failed for round %lu, signature invalid\n", t);
#endif
ret = -1;
freeShares(mask_shares);
goto Exit;
}
commit_v(Cv.hashes[t], sig->proofs[t].input, &msgs[t], params);
commit_v(Cv.hashes[t], sig->proofs[t].input, msgs, params);
} else {
Cv.hashes[t] = NULL;
}
}
freeShares(mask_shares);
size_t missingLeavesSize = params->num_rounds - params->num_opened_rounds;
uint16_t* missingLeaves = getMissingLeavesList(sig->challengeC, params);
@ -549,18 +598,20 @@ int verify_picnic2(signature2_t* sig, const uint32_t* pubKey, const uint32_t* pl
Exit:
mzd_local_free(m_plaintext);
mzd_local_free(m_maskedKey);
freeShares(mask_shares);
free(challengeC);
free(challengeP);
freeCommitments(C);
freeCommitments2(&C[0]);
freeCommitments2(&C[1]);
freeCommitments2(&C[2]);
freeCommitments2(&C[3]);
freeCommitments2(&Cv);
freeCommitments2(&Ch);
freeMsgs(msgs);
freeTree(treeCv);
freeTree(iSeedsTree);
for (size_t t = 0; t < params->num_rounds; t++) {
freeRandomTape(&tapes[t]);
freeTree(seeds[t]);
}
free(seeds);
free(tapes);
@ -571,7 +622,7 @@ static void computeSaltAndRootSeed(uint8_t* saltAndRoot, size_t saltAndRootLengt
uint32_t* privateKey, uint32_t* pubKey, uint32_t* plaintext,
const uint8_t* message, size_t messageByteLength,
const picnic_instance_t* params) {
Keccak_HashInstance ctx;
hash_context ctx;
hash_init(&ctx, params);
hash_update(&ctx, (const uint8_t*)privateKey, params->input_size);
@ -600,63 +651,78 @@ int sign_picnic2(uint32_t* privateKey, uint32_t* pubKey, uint32_t* plaintext,
randomTape_t* tapes = malloc(params->num_rounds * sizeof(randomTape_t));
tree_t** seeds = malloc(params->num_rounds * sizeof(tree_t*));
for (size_t t = 0; t < params->num_rounds; t++) {
seeds[t] = generateSeeds(params->num_MPC_parties, iSeeds[t], sig->salt, t, params);
createRandomTapes(&tapes[t], getLeaves(seeds[t]), sig->salt, t, params);
}
commitments_t C[4];
allocateCommitments2(&C[0], params, params->num_MPC_parties);
allocateCommitments2(&C[1], params, params->num_MPC_parties);
allocateCommitments2(&C[2], params, params->num_MPC_parties);
allocateCommitments2(&C[3], params, params->num_MPC_parties);
/* Preprocessing; compute aux tape for the N-th player, for each parallel rep */
uint8_t auxBits[MAX_AUX_BYTES];
for (size_t t = 0; t < params->num_rounds; t++) {
computeAuxTape(&tapes[t], params);
}
/* Commit to seeds and aux bits */
commitments_t* C = allocateCommitments(params, 0);
for (size_t t = 0; t < params->num_rounds; t++) {
assert(params->num_MPC_parties % 4 == 0);
for (size_t j = 0; j < params->num_MPC_parties; j += 4) {
const uint8_t* seed_ptr[4] = {getLeaf(seeds[t], j + 0), getLeaf(seeds[t], j + 1),
getLeaf(seeds[t], j + 2), getLeaf(seeds[t], j + 3)};
commit_x4(C[t].hashes + j, seed_ptr, sig->salt, t, j, params);
}
size_t last = params->num_MPC_parties - 1;
getAuxBits(auxBits, &tapes[t], params);
commit(C[t].hashes[last], getLeaf(seeds[t], last), auxBits, sig->salt, t, last, params);
}
/* Simulate the online phase of the MPC */
lowmc_simulate_online_f simulateOnline = params->impls.lowmc_simulate_online;
inputs_t inputs = allocateInputs(params);
msgs_t* msgs = allocateMsgs(params);
shares_t* mask_shares = allocateShares(params->lowmc->n);
/* Commitments to the commitments and views */
commitments_t Ch;
allocateCommitments2(&Ch, params, params->num_rounds);
commitments_t Cv;
allocateCommitments2(&Cv, params, params->num_rounds);
mzd_local_t* m_plaintext = mzd_local_init_ex(1, params->lowmc->n, false);
mzd_local_t* m_maskedKey = mzd_local_init_ex(1, params->lowmc->k, false);
mzd_from_char_array(m_plaintext, (const uint8_t*)plaintext, params->output_size);
for (size_t t = 0; t < params->num_rounds; t++) {
seeds[t] = generateSeeds(params->num_MPC_parties, iSeeds[t], sig->salt, t, params);
createRandomTapes(&tapes[t], getLeaves(seeds[t]), sig->salt, t, params);
/* Preprocessing; compute aux tape for the N-th player, for each parallel rep */
computeAuxTape(&tapes[t], params);
/* Commit to seeds and aux bits */
assert(params->num_MPC_parties % 4 == 0);
for (size_t j = 0; j < params->num_MPC_parties; j += 4) {
const uint8_t* seed_ptr[4] = {getLeaf(seeds[t], j + 0), getLeaf(seeds[t], j + 1),
getLeaf(seeds[t], j + 2), getLeaf(seeds[t], j + 3)};
commit_x4(C[t%4].hashes + j, seed_ptr, sig->salt, t, j, params);
}
const size_t last = params->num_MPC_parties - 1;
commit(C[t%4].hashes[last], getLeaf(seeds[t], last), tapes[t].aux_bits, sig->salt, t, last,
params);
/* Simulate the online phase of the MPC */
uint32_t* maskedKey = (uint32_t*)inputs[t];
tapesToWords(mask_shares, &tapes[t]);
reconstructShares(maskedKey, mask_shares); // maskedKey = masks
xor_word_array(maskedKey, maskedKey, privateKey,
(params->input_size / 4)); // maskedKey += privateKey
mzd_from_char_array(m_maskedKey, (const uint8_t*)maskedKey, params->input_size);
int rv = simulateOnline(maskedKey, mask_shares, &tapes[t], &msgs[t], plaintext, pubKey, params);
int rv = simulateOnline(m_maskedKey, mask_shares, &tapes[t], &msgs[t], m_plaintext, pubKey, params);
if (rv != 0) {
#if !defined(NDEBUG)
printf("MPC simulation failed, aborting signature\n");
#endif
ret = -1;
}
/* free the expanded random tape and associated buffers to reduce memory usage,
however, we are keeping the calculated aux bits for later (hence partial) */
partialFreeRandomTape(&tapes[t]);
/* hash commitments every four iterations if possible, for the last few do single commitments */
if(t >= params->num_rounds / 4 * 4) {
commit_h(Ch.hashes[t], &C[t%4], params);
commit_v(Cv.hashes[t], inputs[t], &msgs[t], params);
} else if ((t + 1) % 4 == 0) {
size_t t4 = t / 4 * 4;
commit_h_x4(&Ch.hashes[t4], &C[0], params);
commit_v_x4(&Cv.hashes[t4], (const uint8_t**)&inputs[t4], &msgs[t4], params);
}
}
freeShares(mask_shares);
/* Commit to the commitments and views */
commitments_t Ch;
allocateCommitments2(&Ch, params, params->num_rounds);
commitments_t Cv;
allocateCommitments2(&Cv, params, params->num_rounds);
for (size_t t = 0; t < params->num_rounds; t++) {
commit_h(Ch.hashes[t], &C[t], params);
commit_v(Cv.hashes[t], inputs[t], &msgs[t], params);
}
mzd_local_free(m_maskedKey);
mzd_local_free(m_plaintext);
/* Create a Merkle tree with Cv as the leaves */
tree_t* treeCv = createTree(params->num_rounds, params->digest_size);
@ -701,20 +767,28 @@ int sign_picnic2(uint32_t* privateKey, uint32_t* pubKey, uint32_t* plaintext,
size_t last = params->num_MPC_parties - 1;
if (challengeP[P_index] != last) {
getAuxBits(proofs[t].aux, &tapes[t], params);
memcpy(proofs[t].aux, tapes[t].aux_bits, params->view_size);
}
memcpy(proofs[t].input, inputs[t], params->input_size);
memcpy(proofs[t].msgs, msgs[t].msgs[challengeP[P_index]],
params->view_size + params->input_size);
memcpy(proofs[t].C, C[t].hashes[proofs[t].unOpenedIndex], params->digest_size);
/* recompute commitment of unopened party since we did not store it for memory optimization */
if (proofs[t].unOpenedIndex == params->num_MPC_parties - 1) {
commit(proofs[t].C, getLeaf(seeds[t], proofs[t].unOpenedIndex),
tapes[t].aux_bits, sig->salt, t, proofs[t].unOpenedIndex, params);
} else {
commit(proofs[t].C, getLeaf(seeds[t], proofs[t].unOpenedIndex),
NULL, sig->salt, t, proofs[t].unOpenedIndex, params);
}
}
}
sig->proofs = proofs;
for (size_t t = 0; t < params->num_rounds; t++) {
freeRandomTape(&tapes[t]);
finalFreeRandomTape(&tapes[t]);
freeTree(seeds[t]);
}
free(tapes);
@ -722,9 +796,12 @@ int sign_picnic2(uint32_t* privateKey, uint32_t* pubKey, uint32_t* plaintext,
freeTree(iSeedsTree);
freeTree(treeCv);
freeCommitments(C);
freeCommitments2(&Ch);
freeCommitments2(&Cv);
freeCommitments2(&C[0]);
freeCommitments2(&C[1]);
freeCommitments2(&C[2]);
freeCommitments2(&C[3]);
freeInputs(inputs);
freeMsgs(msgs);

84
src/sig/picnic/external/picnic2_simulate.c vendored
View File

@ -20,6 +20,7 @@
#include "io.h"
#include "picnic2_simulate.h"
#include "picnic2_simulate_mul.h"
#include "compat.h"
static void wordToMsgsNoTranspose(uint64_t w, msgs_t* msgs) {
((uint64_t*)msgs->msgs[msgs->pos % 64])[msgs->pos / 64] = w;
@ -27,26 +28,26 @@ static void wordToMsgsNoTranspose(uint64_t w, msgs_t* msgs) {
}
static void msgsTranspose(msgs_t* msgs) {
uint64_t buffer_in[64];
uint64_t buffer_out[64];
uint64_t* buffer = aligned_alloc(32, 64 * sizeof(uint64_t));
size_t pos;
for (pos = 0; pos < msgs->pos / 64; pos++) {
for (size_t i = 0; i < 64; i++) {
buffer_in[i / 8 * 8 + 7 - i % 8] = ((uint64_t*)msgs->msgs[i])[pos];
buffer[i] = ((uint64_t*)msgs->msgs[i])[pos];
}
transpose_64_64(buffer_in, buffer_out);
transpose_64_64(buffer, buffer);
for (size_t i = 0; i < 64; i++) {
((uint64_t*)msgs->msgs[i])[pos] = buffer_out[(i) / 8 * 8 + 7 - (i) % 8];
((uint64_t*)msgs->msgs[i])[pos] = buffer[i];
}
}
memset(&buffer_in, 0, 64 * sizeof(uint64_t));
memset(buffer, 0, 64 * sizeof(uint64_t));
for (size_t i = 0; i < msgs->pos % 64; i++) {
buffer_in[i / 8 * 8 + 7 - i % 8] = ((uint64_t*)msgs->msgs[i])[pos];
buffer[i] = ((uint64_t*)msgs->msgs[i])[pos];
}
transpose_64_64(buffer_in, buffer_out);
transpose_64_64(buffer, buffer);
for (size_t i = 0; i < 64; i++) {
((uint64_t*)msgs->msgs[i])[pos] = buffer_out[(i) / 8 * 8 + 7 - (i) % 8];
((uint64_t*)msgs->msgs[i])[pos] = buffer[i];
}
aligned_free(buffer);
}
/* For each word in shares; write player i's share to their stream of msgs */
@ -56,6 +57,12 @@ static void broadcast(shares_t* shares, msgs_t* msgs) {
}
}
/* For an input bit b = 0 or 1, return the word of all b bits, i.e.,
* extend(1) = 0xFFFFFFFFFFFFFFFF
* extend(0) = 0x0000000000000000
* Assumes inputs are always 0 or 1. If this doesn't hold, add "& 1" to the
* input.
*/
static inline uint64_t extend(uint64_t bit) {
return ~(bit - 1);
}
@ -80,8 +87,10 @@ static uint8_t mpc_AND(uint8_t a, uint8_t b, uint64_t mask_a, uint64_t mask_b, r
return (uint8_t)(parity64_uint64(s_shares) ^ (a & b));
}
static void mpc_sbox(uint32_t* state, shares_t* state_masks, randomTape_t* tapes, msgs_t* msgs,
static void mpc_sbox(mzd_local_t* statein, shares_t* state_masks, randomTape_t* tapes, msgs_t* msgs,
uint8_t* unopenened_msg, const picnic_instance_t* params) {
uint8_t state[32];
mzd_to_char_array(state, statein, params->lowmc->n / 8);
for (size_t i = 0; i < params->lowmc->m * 3; i += 3) {
uint8_t a = getBit((uint8_t*)state, i + 2);
uint64_t mask_a = state_masks->shares[i + 2];
@ -105,6 +114,7 @@ static void mpc_sbox(uint32_t* state, shares_t* state_masks, randomTape_t* tapes
setBit((uint8_t*)state, i, a ^ b ^ c ^ ab);
state_masks->shares[i] = mask_a ^ mask_b ^ mask_c ^ ab_mask;
}
mzd_from_char_array(statein, state, params->lowmc->n / 8);
}
#if defined(REDUCED_ROUND_KEY_COMPUTATION)
@ -114,18 +124,21 @@ static void mpc_xor_masks_nl(shares_t* out, const shares_t* a, const shares_t* b
out->shares[i] = a->shares[i] ^ b->shares[index + num - 1 - i];
}
}
static void mpc_xor2_nl(uint32_t* output, shares_t* output_masks, const uint32_t* x,
const shares_t* x_masks, const uint32_t* y, const shares_t* y_masks,
size_t index, size_t num) {
xor_array_RC((uint8_t*)output, (uint8_t*)x, (uint8_t*)&y[index / 32], 4);
// xor masks
mpc_xor_masks_nl(output_masks, x_masks, y_masks, index, num);
}
#endif
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
static void mpc_shuffle(uint8_t* state, shares_t* mask_shares, uint64_t r_mask) {
static void mpc_shuffle(mzd_local_t* state, shares_t* mask_shares, uint64_t r_mask) {
if (mask_shares->numWords == 128) {
mzd_shuffle_128_30(state, r_mask);
}
else if (mask_shares->numWords == 192) {
mzd_shuffle_192_30(state, r_mask);
}
else if (mask_shares->numWords == 256) {
mzd_shuffle_256_30(state, r_mask);
} else {
assert(false && "invalid state size");
}
for (int i = 63; i >= 0 && r_mask != UINT64_C(0xFFFFFFFC00000000); i--) {
if (!((r_mask >> i) & 1)) { // bit is not set
// find next 1 and swap all entries until then
@ -135,10 +148,6 @@ static void mpc_shuffle(uint8_t* state, shares_t* mask_shares, uint64_t r_mask)
uint64_t t = mask_shares->shares[63 - k];
mask_shares->shares[63 - k] = mask_shares->shares[63 - k - 1];
mask_shares->shares[63 - k - 1] = t;
uint8_t bit = getBit(state, 63 - k);
setBit(state, 63 - k, getBit(state, 63 - k - 1));
setBit(state, 63 - k - 1, bit);
}
r_mask |= (UINT64_C(1) << i); // set bit i
r_mask &= ~(UINT64_C(1) << j); // clear bit j
@ -158,16 +167,10 @@ static void mpc_xor_masks(shares_t* out, const shares_t* a, const shares_t* b) {
out->shares[i] = a->shares[i] ^ b->shares[i];
}
}
static void mpc_xor2(uint32_t* output, shares_t* output_masks, const uint32_t* x,
const shares_t* x_masks, const uint32_t* y, const shares_t* y_masks,
const picnic_instance_t* params) {
xor_word_array(output, x, y, (params->input_size / 4));
mpc_xor_masks(output_masks, x_masks, y_masks);
}
#endif
/* PICNIC2_L1_FS */
#define XOR mzd_xor_uint64_128
#define MPC_MUL mpc_matrix_mul_uint64_128
#define MPC_MUL_MC mpc_matrix_mul_nl_part_uint64_128
#define MPC_ADDMUL_R mpc_matrix_addmul_r_uint64_128
@ -181,6 +184,7 @@ static void mpc_xor2(uint32_t* output, shares_t* output_masks, const uint32_t* x
#define SIM_ONLINE lowmc_simulate_online_uint64_128_10
#include "picnic2_simulate.c.i"
#endif
#undef XOR
#undef MPC_MUL
#undef MPC_MUL_MC
#undef MPC_ADDMUL_R
@ -191,6 +195,7 @@ static void mpc_xor2(uint32_t* output, shares_t* output_masks, const uint32_t* x
#undef SIM_ONLINE
/* PICNIC2_L3_FS */
#define XOR mzd_xor_uint64_192
#define MPC_MUL mpc_matrix_mul_uint64_192
#define MPC_MUL_MC mpc_matrix_mul_nl_part_uint64_192
#define MPC_ADDMUL_R mpc_matrix_addmul_r_uint64_192
@ -204,6 +209,7 @@ static void mpc_xor2(uint32_t* output, shares_t* output_masks, const uint32_t* x
#define SIM_ONLINE lowmc_simulate_online_uint64_192_10
#include "picnic2_simulate.c.i"
#endif
#undef XOR
#undef MPC_MUL
#undef MPC_MUL_MC
#undef MPC_ADDMUL_R
@ -214,6 +220,7 @@ static void mpc_xor2(uint32_t* output, shares_t* output_masks, const uint32_t* x
#undef SIM_ONLINE
/* PICNIC2_L5_FS */
#define XOR mzd_xor_uint64_256
#define MPC_MUL mpc_matrix_mul_uint64_256
#define MPC_MUL_MC mpc_matrix_mul_nl_part_uint64_256
#define MPC_ADDMUL_R mpc_matrix_addmul_r_uint64_256
@ -227,6 +234,7 @@ static void mpc_xor2(uint32_t* output, shares_t* output_masks, const uint32_t* x
#define SIM_ONLINE lowmc_simulate_online_uint64_256_10
#include "picnic2_simulate.c.i"
#endif
#undef XOR
#undef MPC_MUL
#undef MPC_MUL_MC
#undef MPC_ADDMUL_R
@ -242,6 +250,7 @@ static void mpc_xor2(uint32_t* output, shares_t* output_masks, const uint32_t* x
#define FN_ATTR ATTR_TARGET_SSE2
#endif
/* PICNIC2_L1_FS */
#define XOR mzd_xor_s128_128
#define MPC_MUL mpc_matrix_mul_s128_128
#define MPC_MUL_MC mpc_matrix_mul_nl_part_s128_128
#define MPC_ADDMUL_R mpc_matrix_addmul_r_s128_128
@ -255,6 +264,7 @@ static void mpc_xor2(uint32_t* output, shares_t* output_masks, const uint32_t* x
#define SIM_ONLINE lowmc_simulate_online_s128_128_10
#include "picnic2_simulate.c.i"
#endif
#undef XOR
#undef MPC_MUL
#undef MPC_MUL_MC
#undef MPC_ADDMUL_R
@ -265,6 +275,7 @@ static void mpc_xor2(uint32_t* output, shares_t* output_masks, const uint32_t* x
#undef SIM_ONLINE
/* PICNIC2_L3_FS */
#define XOR mzd_xor_s128_256
#define MPC_MUL mpc_matrix_mul_s128_192
#define MPC_MUL_MC mpc_matrix_mul_nl_part_s128_192
#define MPC_ADDMUL_R mpc_matrix_addmul_r_s128_192
@ -278,6 +289,7 @@ static void mpc_xor2(uint32_t* output, shares_t* output_masks, const uint32_t* x
#define SIM_ONLINE lowmc_simulate_online_s128_192_10
#include "picnic2_simulate.c.i"
#endif
#undef XOR
#undef MPC_MUL
#undef MPC_MUL_MC
#undef MPC_ADDMUL_R
@ -288,6 +300,7 @@ static void mpc_xor2(uint32_t* output, shares_t* output_masks, const uint32_t* x
#undef SIM_ONLINE
/* PICNIC2_L5_FS */
#define XOR mzd_xor_s128_256
#define MPC_MUL mpc_matrix_mul_s128_256
#define MPC_MUL_MC mpc_matrix_mul_nl_part_s128_256
#define MPC_ADDMUL_R mpc_matrix_addmul_r_s128_256
@ -301,6 +314,7 @@ static void mpc_xor2(uint32_t* output, shares_t* output_masks, const uint32_t* x
#define SIM_ONLINE lowmc_simulate_online_s128_256_10
#include "picnic2_simulate.c.i"
#endif
#undef XOR
#undef MPC_MUL
#undef MPC_MUL_MC
#undef MPC_ADDMUL_R
@ -316,6 +330,7 @@ static void mpc_xor2(uint32_t* output, shares_t* output_masks, const uint32_t* x
#if defined(WITH_AVX2)
#define FN_ATTR ATTR_TARGET_AVX2
/* PICNIC2_L1_FS */
#define XOR mzd_xor_s256_128
#define MPC_MUL mpc_matrix_mul_s256_128
#define MPC_MUL_MC mpc_matrix_mul_nl_part_s256_128
#define MPC_ADDMUL_R mpc_matrix_addmul_r_s256_128
@ -329,6 +344,7 @@ static void mpc_xor2(uint32_t* output, shares_t* output_masks, const uint32_t* x
#define SIM_ONLINE lowmc_simulate_online_s256_128_10
#include "picnic2_simulate.c.i"
#endif
#undef XOR
#undef MPC_MUL
#undef MPC_MUL_MC
#undef MPC_ADDMUL_R
@ -339,6 +355,7 @@ static void mpc_xor2(uint32_t* output, shares_t* output_masks, const uint32_t* x
#undef SIM_ONLINE
/* PICNIC2_L3_FS */
#define XOR mzd_xor_s256_256
#define MPC_MUL mpc_matrix_mul_s256_192
#define MPC_MUL_MC mpc_matrix_mul_nl_part_s256_192
#define MPC_ADDMUL_R mpc_matrix_addmul_r_s256_192
@ -352,6 +369,7 @@ static void mpc_xor2(uint32_t* output, shares_t* output_masks, const uint32_t* x
#define SIM_ONLINE lowmc_simulate_online_s256_192_10
#include "picnic2_simulate.c.i"
#endif
#undef XOR
#undef MPC_MUL
#undef MPC_MUL_MC
#undef MPC_ADDMUL_R
@ -362,6 +380,7 @@ static void mpc_xor2(uint32_t* output, shares_t* output_masks, const uint32_t* x
#undef SIM_ONLINE
/* PICNIC2_L5_FS */
#define XOR mzd_xor_s256_256
#define MPC_MUL mpc_matrix_mul_s256_256
#define MPC_MUL_MC mpc_matrix_mul_nl_part_s256_256
#define MPC_ADDMUL_R mpc_matrix_addmul_r_s256_256
@ -375,6 +394,7 @@ static void mpc_xor2(uint32_t* output, shares_t* output_masks, const uint32_t* x
#define SIM_ONLINE lowmc_simulate_online_s256_256_10
#include "picnic2_simulate.c.i"
#endif
#undef XOR
#undef MPC_MUL
#undef MPC_MUL_MC
#undef MPC_ADDMUL_R
@ -389,7 +409,11 @@ static void mpc_xor2(uint32_t* output, shares_t* output_masks, const uint32_t* x
#endif // WITH_OPT
lowmc_simulate_online_f lowmc_simulate_online_get_implementation(const lowmc_t* lowmc) {
#if defined(WITH_LOWMC_M1)
ASSUME(lowmc->m == 10 || lowmc->m == 1);
#else
ASSUME(lowmc->m == 10);
#endif
ASSUME(lowmc->n == 128 || lowmc->n == 192 || lowmc->n == 256);
#if defined(WITH_OPT)

96
src/sig/picnic/external/picnic2_simulate.c.i vendored
View File

@ -16,6 +16,9 @@
#include <stdlib.h>
#include <string.h>
#include <assert.h>
#if !defined(_MSC_VER)
#include <stdalign.h>
#endif
#include "kdf_shake.h"
#include "macros.h"
@ -26,18 +29,17 @@
#include "picnic2_tree.h"
#include "io.h"
#if defined(FN_ATTR)
FN_ATTR
#endif
static int SIM_ONLINE(uint32_t* maskedKey, shares_t* mask_shares, randomTape_t* tapes, msgs_t* msgs,
const uint32_t* plaintext, const uint32_t* pubKey,
static int SIM_ONLINE(mzd_local_t* maskedKey, shares_t* mask_shares, randomTape_t* tapes, msgs_t* msgs,
const mzd_local_t* plaintext, const uint32_t* pubKey,
const picnic_instance_t* params) {
int ret = 0;
uint32_t* roundKey = malloc(LOWMC_N / 8);
uint32_t* state = malloc(LOWMC_N / 8);
uint32_t* state2 = malloc(LOWMC_N / 8);
uint32_t* nl_part = malloc(LOWMC_R * sizeof(uint32_t));
mzd_local_t* state = mzd_local_init_ex(1, LOWMC_N, false);
mzd_local_t* state2 = mzd_local_init_ex(1, LOWMC_N, false);
mzd_local_t* roundKey = mzd_local_init_ex(1, LOWMC_N, false);
mzd_local_t* nl_part = mzd_local_init_ex(1, (LOWMC_R * 32), false);
shares_t* nl_part_masks = allocateShares(LOWMC_R * 32);
shares_t* key_masks = allocateShares(LOWMC_N); // Make a copy to use when computing each round key
shares_t* mask2_shares = allocateShares(LOWMC_N);
@ -51,60 +53,66 @@ static int SIM_ONLINE(uint32_t* maskedKey, shares_t* mask_shares, randomTape_t*
copyShares(key_masks, mask_shares);
#if defined(REDUCED_ROUND_KEY_COMPUTATION)
MPC_MUL(state, maskedKey, LOWMC_INSTANCE.k0_matrix->w64,
MPC_MUL(state, maskedKey, LOWMC_INSTANCE.k0_matrix,
mask_shares); // roundKey = maskedKey * KMatrix[0]
xor_word_array(state, state, plaintext, (LOWMC_N / 32)); // state = plaintext + roundKey
xor_array_RC((uint8_t*)state, (uint8_t*)state,
(uint8_t*)LOWMC_INSTANCE.precomputed_constant_linear,
LOWMC_N / 8); // state = state + precomp_const
MPC_MUL_MC(nl_part, maskedKey, LOWMC_INSTANCE.precomputed_non_linear_part_matrix->w64,
LOWMC_INSTANCE.precomputed_constant_non_linear->w64, nl_part_masks, key_masks);
XOR(state, state, plaintext);
XOR(state, state, LOWMC_INSTANCE.precomputed_constant_linear);
MPC_MUL_MC(nl_part, maskedKey, LOWMC_INSTANCE.precomputed_non_linear_part_matrix,
LOWMC_INSTANCE.precomputed_constant_non_linear, nl_part_masks, key_masks);
#if defined(OPTIMIZED_LINEAR_LAYER_EVALUATION)
for (uint32_t r = 0; r < LOWMC_R - 1; r++) {
mpc_sbox(state, mask_shares, tapes, msgs, unopened_msgs, params);
mpc_xor2_nl(state, mask_shares, state, mask_shares, nl_part, nl_part_masks, r * 32 + 2,
30); // state += roundKey
MPC_MUL_Z(state2, state, mask2_shares, mask_shares, LOWMC_INSTANCE.rounds[r].z_matrix->w64);
mpc_shuffle((uint8_t*)state, mask_shares, LOWMC_INSTANCE.rounds[r].r_mask);
MPC_ADDMUL_R(state2, state, mask2_shares, mask_shares, LOWMC_INSTANCE.rounds[r].r_matrix->w64);
mpc_xor_masks_nl(mask_shares, mask_shares, nl_part_masks, r*32 + 2, 30);
const word nl = CONST_BLOCK(nl_part, r >> 3)->w64[(r & 0x7) >> 1];
BLOCK(state, 0)->w64[(LOWMC_N) / (sizeof(word) * 8) - 1] ^=
(nl << (1 - (r & 1)) * 32) & WORD_C(0xFFFFFFFF00000000);
MPC_MUL_Z(state2, state, mask2_shares, mask_shares, LOWMC_INSTANCE.rounds[r].z_matrix);
mpc_shuffle(state, mask_shares, LOWMC_INSTANCE.rounds[r].r_mask);
MPC_ADDMUL_R(state2, state, mask2_shares, mask_shares, LOWMC_INSTANCE.rounds[r].r_matrix);
for (uint32_t i = 0; i < 30; i++) {
mask_shares->shares[i] = 0;
setBit((uint8_t*)state, i, 0);
}
mpc_xor2(state, mask_shares, state, mask_shares, state2, mask2_shares, params);
BLOCK(state, 0)->w64[(LOWMC_N) / (sizeof(word) * 8) - 1] &=
WORD_C(0x00000003FFFFFFFF); // clear nl part
XOR(state, state, state2);
mpc_xor_masks(mask_shares, mask_shares, mask2_shares);
}
mpc_sbox(state, mask_shares, tapes, msgs, unopened_msgs, params);
mpc_xor2_nl(state, mask_shares, state, mask_shares, nl_part, nl_part_masks,
(LOWMC_R - 1) * 32 + 2, 30); // state += roundKey
MPC_MUL(state, state, LOWMC_INSTANCE.zr_matrix->w64,
mpc_xor_masks_nl(mask_shares, mask_shares, nl_part_masks, (LOWMC_R-1)*32 + 2, 30);
const word nl = CONST_BLOCK(nl_part, (LOWMC_R-1) >> 3)->w64[((LOWMC_R-1) & 0x7) >> 1];
BLOCK(state, 0)->w64[(LOWMC_N) / (sizeof(word) * 8) - 1] ^=
(nl << (1 - ((LOWMC_R-1) & 1)) * 32) & WORD_C(0xFFFFFFFF00000000);
MPC_MUL(state, state, LOWMC_INSTANCE.zr_matrix,
mask_shares); // state = state * LMatrix (r-1)
#else
for (uint32_t r = 0; r < LOWMC_R; r++) {
mpc_sbox(state, mask_shares, tapes, msgs, unopened_msgs, params);
mpc_xor2_nl(state, mask_shares, state, mask_shares, nl_part, nl_part_masks, r * 32 + 2,
30); // state += roundKey
MPC_MUL(state, state, LOWMC_INSTANCE.rounds[r].l_matrix->w64,
mpc_xor_masks_nl(mask_shares, mask_shares, nl_part_masks, r*32 + 2, 30);
const word nl = CONST_BLOCK(nl_part, r >> 3)->w64[(r & 0x7) >> 1];
BLOCK(state, 0)->w64[(LOWMC_N) / (sizeof(word) * 8) - 1] ^=
(nl << (1 - (r & 1)) * 32) & WORD_C(0xFFFFFFFF00000000);
MPC_MUL(state, state, LOWMC_INSTANCE.rounds[r].l_matrix,
mask_shares); // state = state * LMatrix (r-1)
}
#endif
#else
MPC_MUL(roundKey, maskedKey, LOWMC_INSTANCE.k0_matrix->w64,
MPC_MUL(roundKey, maskedKey, LOWMC_INSTANCE.k0_matrix,
mask_shares); // roundKey = maskedKey * KMatrix[0]
xor_word_array(state, roundKey, plaintext, (LOWMC_N / 32)); // state = plaintext + roundKey
XOR(state, roundKey, plaintext);
shares_t* round_key_masks = allocateShares(mask_shares->numWords);
for (uint32_t r = 0; r < LOWMC_R; r++) {
copyShares(round_key_masks, key_masks);
MPC_MUL(roundKey, maskedKey, LOWMC_INSTANCE.rounds[r].k_matrix->w64, round_key_masks);
MPC_MUL(roundKey, maskedKey, LOWMC_INSTANCE.rounds[r].k_matrix, round_key_masks);
mpc_sbox(state, mask_shares, tapes, msgs, unopened_msgs, params);
MPC_MUL(state, state, LOWMC_INSTANCE.rounds[r].l_matrix->w64,
MPC_MUL(state, state, LOWMC_INSTANCE.rounds[r].l_matrix,
mask_shares); // state = state * LMatrix (r-1)
xor_array_RC((uint8_t*)state, (uint8_t*)state,
(const uint8_t*)(LOWMC_INSTANCE.rounds[r].constant->w64),
LOWMC_N / 8); // state += RConstant
mpc_xor2(state, mask_shares, roundKey, round_key_masks, state, mask_shares,
params); // state += roundKey
XOR(state, state, LOWMC_INSTANCE.rounds[r].constant);
XOR(state, state, roundKey);
mpc_xor_masks(mask_shares, mask_shares, round_key_masks);
}
freeShares(round_key_masks);
#endif
@ -118,19 +126,19 @@ static int SIM_ONLINE(uint32_t* maskedKey, shares_t* mask_shares, randomTape_t*
setBit((uint8_t*)&mask_shares->shares[i], msgs->unopened, share);
}
}
uint32_t output[LOWMC_N / 8];
uint32_t output[LOWMC_N / 32];
uint32_t outstate[LOWMC_N / 32];
mzd_to_char_array((uint8_t*)outstate, state, LOWMC_N/8);
reconstructShares(output, mask_shares);
xor_word_array(output, output, state, (LOWMC_N / 32));
xor_word_array(output, output, outstate, (LOWMC_N / 32));
if (memcmp(output, pubKey, LOWMC_N / 8) != 0) {
#if !defined(NDEBUG)
printf("%s: output does not match pubKey\n", __func__);
/*
printf("pubKey: ");
print_hex(stdout, (uint8_t*)pubKey, LOWMC_N / 8);
printf("\noutput: ");
print_hex(stdout, (uint8_t*)output, LOWMC_N / 8);
*/
printf("\n");
#endif
ret = -1;
@ -141,10 +149,10 @@ static int SIM_ONLINE(uint32_t* maskedKey, shares_t* mask_shares, randomTape_t*
msgsTranspose(msgs);
free(unopened_msgs);
free(state);
free(state2);
free(roundKey);
free(nl_part);
mzd_local_free(state);
mzd_local_free(state2);
mzd_local_free(roundKey);
mzd_local_free(nl_part);
freeShares(key_masks);
freeShares(mask2_shares);
freeShares(nl_part_masks);

4
src/sig/picnic/external/picnic2_simulate.h vendored
View File

@ -17,8 +17,8 @@ typedef struct shares_t shares_t;
typedef struct msgs_t msgs_t;
typedef struct picnic_instance_t picnic_instance_t;
typedef int (*lowmc_simulate_online_f)(uint32_t* maskedKey, shares_t* mask_shares,
randomTape_t* tapes, msgs_t* msgs, const uint32_t* plaintext,
typedef int (*lowmc_simulate_online_f)(mzd_local_t* maskedKey, shares_t* mask_shares,
randomTape_t* tapes, msgs_t* msgs, const mzd_local_t* plaintext,
const uint32_t* pubKey, const picnic_instance_t* params);
lowmc_simulate_online_f lowmc_simulate_online_get_implementation(const lowmc_t* lowmc);

776
src/sig/picnic/external/picnic2_simulate_mul.c vendored
View File

File diff suppressed because it is too large Load Diff

146
src/sig/picnic/external/picnic2_simulate_mul.h vendored
View File

@ -12,98 +12,98 @@
#include "picnic2_types.h"
void mpc_matrix_mul_uint64_128(uint32_t* output, const uint32_t* vec, const uint64_t* matrix,
void mpc_matrix_mul_uint64_128(mzd_local_t* output, const mzd_local_t* vec, const mzd_local_t* matrix,
shares_t* mask_shares);
void mpc_matrix_mul_uint64_192(uint32_t* output, const uint32_t* vec, const uint64_t* matrix,
void mpc_matrix_mul_uint64_192(mzd_local_t* output, const mzd_local_t* vec, const mzd_local_t* matrix,
shares_t* mask_shares);
void mpc_matrix_mul_uint64_256(uint32_t* output, const uint32_t* vec, const uint64_t* matrix,
void mpc_matrix_mul_uint64_256(mzd_local_t* output, const mzd_local_t* vec, const mzd_local_t* matrix,
shares_t* mask_shares);
void mpc_matrix_mul_s128_128(uint32_t* output, const uint32_t* vec, const uint64_t* matrix,
void mpc_matrix_mul_s128_128(mzd_local_t* output, const mzd_local_t* vec, const mzd_local_t* matrix,
shares_t* mask_shares);
void mpc_matrix_mul_s128_192(uint32_t* output, const uint32_t* vec, const uint64_t* matrix,
void mpc_matrix_mul_s128_192(mzd_local_t* output, const mzd_local_t* vec, const mzd_local_t* matrix,
shares_t* mask_shares);
void mpc_matrix_mul_s128_256(uint32_t* output, const uint32_t* vec, const uint64_t* matrix,
void mpc_matrix_mul_s128_256(mzd_local_t* output, const mzd_local_t* vec, const mzd_local_t* matrix,
shares_t* mask_shares);
void mpc_matrix_mul_s256_128(uint32_t* output, const uint32_t* vec, const uint64_t* matrix,
void mpc_matrix_mul_s256_128(mzd_local_t* output, const mzd_local_t* vec, const mzd_local_t* matrix,
shares_t* mask_shares);
void mpc_matrix_mul_s256_192(uint32_t* output, const uint32_t* vec, const uint64_t* matrix,
void mpc_matrix_mul_s256_192(mzd_local_t* output, const mzd_local_t* vec, const mzd_local_t* matrix,
shares_t* mask_shares);
void mpc_matrix_mul_s256_256(uint32_t* output, const uint32_t* vec, const uint64_t* matrix,
void mpc_matrix_mul_s256_256(mzd_local_t* output, const mzd_local_t* vec, const mzd_local_t* matrix,
shares_t* mask_shares);
void mpc_matrix_mul_z_uint64_128(uint32_t* state2, const uint32_t* state, shares_t* mask2_shares,
const shares_t* mask_shares, const uint64_t* matrix);
void mpc_matrix_mul_z_uint64_192(uint32_t* state2, const uint32_t* state, shares_t* mask2_shares,
const shares_t* mask_shares, const uint64_t* matrix);
void mpc_matrix_mul_z_uint64_256(uint32_t* state2, const uint32_t* state, shares_t* mask2_shares,
const shares_t* mask_shares, const uint64_t* matrix);
void mpc_matrix_mul_z_s128_128(uint32_t* state2, const uint32_t* state, shares_t* mask2_shares,
const shares_t* mask_shares, const uint64_t* matrix);
void mpc_matrix_mul_z_s128_192(uint32_t* state2, const uint32_t* state, shares_t* mask2_shares,
const shares_t* mask_shares, const uint64_t* matrix);
void mpc_matrix_mul_z_s128_256(uint32_t* state2, const uint32_t* state, shares_t* mask2_shares,
const shares_t* mask_shares, const uint64_t* matrix);
void mpc_matrix_mul_z_s256_128(uint32_t* state2, const uint32_t* state, shares_t* mask2_shares,
const shares_t* mask_shares, const uint64_t* matrix);
void mpc_matrix_mul_z_s256_192(uint32_t* state2, const uint32_t* state, shares_t* mask2_shares,
const shares_t* mask_shares, const uint64_t* matrix);
void mpc_matrix_mul_z_s256_256(uint32_t* state2, const uint32_t* state, shares_t* mask2_shares,
const shares_t* mask_shares, const uint64_t* matrix);
void mpc_matrix_mul_z_uint64_128(mzd_local_t* state2, const mzd_local_t* state, shares_t* mask2_shares,
const shares_t* mask_shares, const mzd_local_t* matrix);
void mpc_matrix_mul_z_uint64_192(mzd_local_t* state2, const mzd_local_t* state, shares_t* mask2_shares,
const shares_t* mask_shares, const mzd_local_t* matrix);
void mpc_matrix_mul_z_uint64_256(mzd_local_t* state2, const mzd_local_t* state, shares_t* mask2_shares,
const shares_t* mask_shares, const mzd_local_t* matrix);
void mpc_matrix_mul_z_s128_128(mzd_local_t* state2, const mzd_local_t* state, shares_t* mask2_shares,
const shares_t* mask_shares, const mzd_local_t* matrix);
void mpc_matrix_mul_z_s128_192(mzd_local_t* state2, const mzd_local_t* state, shares_t* mask2_shares,
const shares_t* mask_shares, const mzd_local_t* matrix);
void mpc_matrix_mul_z_s128_256(mzd_local_t* state2, const mzd_local_t* state, shares_t* mask2_shares,
const shares_t* mask_shares, const mzd_local_t* matrix);
void mpc_matrix_mul_z_s256_128(mzd_local_t* state2, const mzd_local_t* state, shares_t* mask2_shares,
const shares_t* mask_shares, const mzd_local_t* matrix);
void mpc_matrix_mul_z_s256_192(mzd_local_t* state2, const mzd_local_t* state, shares_t* mask2_shares,
const shares_t* mask_shares, const mzd_local_t* matrix);
void mpc_matrix_mul_z_s256_256(mzd_local_t* state2, const mzd_local_t* state, shares_t* mask2_shares,
const shares_t* mask_shares, const mzd_local_t* matrix);
void mpc_matrix_addmul_r_uint64_128(uint32_t* state2, const uint32_t* state, shares_t* mask2_shares,
shares_t* mask_shares, const uint64_t* matrix);
void mpc_matrix_addmul_r_uint64_192(uint32_t* state2, const uint32_t* state, shares_t* mask2_shares,
shares_t* mask_shares, const uint64_t* matrix);
void mpc_matrix_addmul_r_uint64_256(uint32_t* state2, const uint32_t* state, shares_t* mask2_shares,
shares_t* mask_shares, const uint64_t* matrix);
void mpc_matrix_addmul_r_s128_128(uint32_t* state2, const uint32_t* state, shares_t* mask2_shares,
shares_t* mask_shares, const uint64_t* matrix);
void mpc_matrix_addmul_r_s128_192(uint32_t* state2, const uint32_t* state, shares_t* mask2_shares,
shares_t* mask_shares, const uint64_t* matrix);
void mpc_matrix_addmul_r_s128_256(uint32_t* state2, const uint32_t* state, shares_t* mask2_shares,
shares_t* mask_shares, const uint64_t* matrix);
void mpc_matrix_addmul_r_s256_128(uint32_t* state2, const uint32_t* state, shares_t* mask2_shares,
shares_t* mask_shares, const uint64_t* matrix);
void mpc_matrix_addmul_r_s256_192(uint32_t* state2, const uint32_t* state, shares_t* mask2_shares,
shares_t* mask_shares, const uint64_t* matrix);
void mpc_matrix_addmul_r_s256_256(uint32_t* state2, const uint32_t* state, shares_t* mask2_shares,
shares_t* mask_shares, const uint64_t* matrix);
void mpc_matrix_addmul_r_uint64_128(mzd_local_t* state2, const mzd_local_t* state, shares_t* mask2_shares,
shares_t* mask_shares, const mzd_local_t* matrix);
void mpc_matrix_addmul_r_uint64_192(mzd_local_t* state2, const mzd_local_t* state, shares_t* mask2_shares,
shares_t* mask_shares, const mzd_local_t* matrix);
void mpc_matrix_addmul_r_uint64_256(mzd_local_t* state2, const mzd_local_t* state, shares_t* mask2_shares,
shares_t* mask_shares, const mzd_local_t* matrix);
void mpc_matrix_addmul_r_s128_128(mzd_local_t* state2, const mzd_local_t* state, shares_t* mask2_shares,
shares_t* mask_shares, const mzd_local_t* matrix);
void mpc_matrix_addmul_r_s128_192(mzd_local_t* state2, const mzd_local_t* state, shares_t* mask2_shares,
shares_t* mask_shares, const mzd_local_t* matrix);
void mpc_matrix_addmul_r_s128_256(mzd_local_t* state2, const mzd_local_t* state, shares_t* mask2_shares,
shares_t* mask_shares, const mzd_local_t* matrix);
void mpc_matrix_addmul_r_s256_128(mzd_local_t* state2, const mzd_local_t* state, shares_t* mask2_shares,
shares_t* mask_shares, const mzd_local_t* matrix);
void mpc_matrix_addmul_r_s256_192(mzd_local_t* state2, const mzd_local_t* state, shares_t* mask2_shares,
shares_t* mask_shares, const mzd_local_t* matrix);
void mpc_matrix_addmul_r_s256_256(mzd_local_t* state2, const mzd_local_t* state, shares_t* mask2_shares,
shares_t* mask_shares, const mzd_local_t* matrix);
void mpc_matrix_mul_nl_part_uint64_128(uint32_t* nl_part, const uint32_t* key,
const uint64_t* precomputed_nl_matrix,
const uint64_t* precomputed_constant_nl,
void mpc_matrix_mul_nl_part_uint64_128(mzd_local_t* nl_part, const mzd_local_t* key,
const mzd_local_t* precomputed_nl_matrix,
const mzd_local_t* precomputed_constant_nl,
shares_t* nl_part_masks, const shares_t* key_masks);
void mpc_matrix_mul_nl_part_uint64_192(uint32_t* nl_part, const uint32_t* key,
const uint64_t* precomputed_nl_matrix,
const uint64_t* precomputed_constant_nl,
void mpc_matrix_mul_nl_part_uint64_192(mzd_local_t* nl_part, const mzd_local_t* key,
const mzd_local_t* precomputed_nl_matrix,
const mzd_local_t* precomputed_constant_nl,
shares_t* nl_part_masks, const shares_t* key_masks);
void mpc_matrix_mul_nl_part_uint64_256(uint32_t* nl_part, const uint32_t* key,
const uint64_t* precomputed_nl_matrix,
const uint64_t* precomputed_constant_nl,
void mpc_matrix_mul_nl_part_uint64_256(mzd_local_t* nl_part, const mzd_local_t* key,
const mzd_local_t* precomputed_nl_matrix,
const mzd_local_t* precomputed_constant_nl,
shares_t* nl_part_masks, const shares_t* key_masks);
void mpc_matrix_mul_nl_part_s128_128(uint32_t* nl_part, const uint32_t* key,
const uint64_t* precomputed_nl_matrix,
const uint64_t* precomputed_constant_nl,
void mpc_matrix_mul_nl_part_s128_128(mzd_local_t* nl_part, const mzd_local_t* key,
const mzd_local_t* precomputed_nl_matrix,
const mzd_local_t* precomputed_constant_nl,
shares_t* nl_part_masks, const shares_t* key_masks);
void mpc_matrix_mul_nl_part_s128_192(uint32_t* nl_part, const uint32_t* key,
const uint64_t* precomputed_nl_matrix,
const uint64_t* precomputed_constant_nl,
void mpc_matrix_mul_nl_part_s128_192(mzd_local_t* nl_part, const mzd_local_t* key,
const mzd_local_t* precomputed_nl_matrix,
const mzd_local_t* precomputed_constant_nl,
shares_t* nl_part_masks, const shares_t* key_masks);
void mpc_matrix_mul_nl_part_s128_256(uint32_t* nl_part, const uint32_t* key,
const uint64_t* precomputed_nl_matrix,
const uint64_t* precomputed_constant_nl,
void mpc_matrix_mul_nl_part_s128_256(mzd_local_t* nl_part, const mzd_local_t* key,
const mzd_local_t* precomputed_nl_matrix,
const mzd_local_t* precomputed_constant_nl,
shares_t* nl_part_masks, const shares_t* key_masks);
void mpc_matrix_mul_nl_part_s256_128(uint32_t* nl_part, const uint32_t* key,
const uint64_t* precomputed_nl_matrix,
const uint64_t* precomputed_constant_nl,
void mpc_matrix_mul_nl_part_s256_128(mzd_local_t* nl_part, const mzd_local_t* key,
const mzd_local_t* precomputed_nl_matrix,
const mzd_local_t* precomputed_constant_nl,
shares_t* nl_part_masks, const shares_t* key_masks);
void mpc_matrix_mul_nl_part_s256_192(uint32_t* nl_part, const uint32_t* key,
const uint64_t* precomputed_nl_matrix,
const uint64_t* precomputed_constant_nl,
void mpc_matrix_mul_nl_part_s256_192(mzd_local_t* nl_part, const mzd_local_t* key,
const mzd_local_t* precomputed_nl_matrix,
const mzd_local_t* precomputed_constant_nl,
shares_t* nl_part_masks, const shares_t* key_masks);
void mpc_matrix_mul_nl_part_s256_256(uint32_t* nl_part, const uint32_t* key,
const uint64_t* precomputed_nl_matrix,
const uint64_t* precomputed_constant_nl,
void mpc_matrix_mul_nl_part_s256_256(mzd_local_t* nl_part, const mzd_local_t* key,
const mzd_local_t* precomputed_nl_matrix,
const mzd_local_t* precomputed_constant_nl,
shares_t* nl_part_masks, const shares_t* key_masks);
/* helper functions */
@ -113,7 +113,9 @@ void setBit(uint8_t* bytes, uint32_t bitNumber, uint8_t val);
void xor_word_array(uint32_t* out, const uint32_t* in1, const uint32_t* in2, uint32_t length);
void xor_array_RC(uint8_t* out, const uint8_t* in1, const uint8_t* in2, uint32_t length);
uint64_t tapesToWord(randomTape_t* tapes);
uint64_t tapesToParityOfWord(randomTape_t* tapes, uint8_t without_last);
void reconstructShares(uint32_t* output, shares_t* shares);
void transpose_64_64_lsb(const uint64_t* in, uint64_t* out);
void transpose_64_64(const uint64_t* in, uint64_t* out);
#endif

93
src/sig/picnic/external/picnic2_tree.c vendored
View File

@ -11,15 +11,15 @@
*/
#include <assert.h>
#include <stdlib.h>
#include <limits.h>
#include <stdlib.h>
#include "endian_compat.h"
#include "kdf_shake.h"
#include "picnic.h"
#include "picnic_impl.h"
#include "picnic2_tree.h"
#include "picnic2_types.h"
#include "picnic_impl.h"
static int contains(size_t* list, size_t len, size_t value) {
for (size_t i = 0; i < len; i++) {
@ -94,12 +94,13 @@ static int hasRightChild(tree_t* tree, size_t node) {
static size_t getParent(size_t node) {
assert(node != 0);
return ((node + 1) >> 1) - 1;
if (isLeftChild(node)) {
/* (node - 1) / 2, but since node % 2 == 1, that's the same as node / 2 */
return node >> 1;
}
return (node - 2) / 2;
//if (isLeftChild(node)) {
// /* (node - 1) / 2, but since node % 2 == 1, that's the same as node / 2 */
// return node >> 1;
//}
//return (node - 2) / 2;
}
uint8_t** getLeaves(tree_t* tree) {
@ -114,7 +115,7 @@ uint8_t* getLeaf(tree_t* tree, size_t leafIndex) {
static void hashSeed(uint8_t* digest, const uint8_t* inputSeed, uint8_t* salt, uint8_t hashPrefix,
size_t repIndex, size_t nodeIndex, const picnic_instance_t* params) {
Keccak_HashInstance ctx;
hash_context ctx;
hash_init_prefix(&ctx, params, hashPrefix);
hash_update(&ctx, inputSeed, params->seed_size);
@ -127,15 +128,85 @@ static void hashSeed(uint8_t* digest, const uint8_t* inputSeed, uint8_t* salt, u
hash_squeeze(&ctx, digest, 2 * params->seed_size);
}
static void hashSeed_x4(uint8_t** digest, const uint8_t** inputSeed, uint8_t* salt,
uint8_t hashPrefix, size_t repIndex, size_t nodeIndex,
const picnic_instance_t* params) {
hash_context_x4 ctx;
hash_init_prefix_x4(&ctx, params, hashPrefix);
hash_update_x4(&ctx, inputSeed, params->seed_size);
const uint8_t* salts[4] = {salt, salt, salt, salt};
hash_update_x4(&ctx, salts, SALT_SIZE);
uint16_t repIndexLE = htole16((uint16_t)repIndex);
const uint8_t* reps[4] = {(uint8_t*)&repIndexLE, (uint8_t*)&repIndexLE, (uint8_t*)&repIndexLE,
(uint8_t*)&repIndexLE};
hash_update_x4(&ctx, reps, sizeof(uint16_t));
uint16_t nodeIndexLE[4] = {htole16((uint16_t)nodeIndex), htole16((uint16_t)nodeIndex + 1),
htole16((uint16_t)nodeIndex + 2), htole16((uint16_t)nodeIndex + 3)};
const uint8_t* nodes[4] = {(uint8_t*)&nodeIndexLE[0], (uint8_t*)&nodeIndexLE[1],
(uint8_t*)&nodeIndexLE[2], (uint8_t*)&nodeIndexLE[3]};
hash_update_x4(&ctx, nodes, sizeof(uint16_t));
hash_final_x4(&ctx);
hash_squeeze_x4(&ctx, digest, 2 * params->seed_size);
}
static void expandSeeds(tree_t* tree, uint8_t* salt, size_t repIndex,
const picnic_instance_t* params) {
uint8_t tmp[2 * MAX_SEED_SIZE_BYTES];
uint8_t tmp[4 * 2 * MAX_SEED_SIZE_BYTES];
uint8_t* tmp_ptr[4] = {&tmp[0], &tmp[2 * MAX_SEED_SIZE_BYTES], &tmp[2 * 2 * MAX_SEED_SIZE_BYTES],
&tmp[3 * 2 * MAX_SEED_SIZE_BYTES]};
/* Walk the tree, expanding seeds where possible. Compute children of
* non-leaf nodes. */
size_t lastNonLeaf = getParent(tree->numNodes - 1);
size_t i = 0;
/* expand the first 4 seeds*/
for (; i <= 2; i++) {
if (!tree->haveNode[i]) {
continue;
}
for (size_t i = 0; i <= lastNonLeaf; i++) {
hashSeed(tmp, tree->nodes[i], salt, HASH_PREFIX_1, repIndex, i, params);
if (!tree->haveNode[2 * i + 1]) {
/* left child = H_left(seed_i || salt || t || i) */
memcpy(tree->nodes[2 * i + 1], tmp, params->seed_size);
tree->haveNode[2 * i + 1] = 1;
}
/* The last non-leaf node will only have a left child when there are an odd number of leaves */
if (exists(tree, 2 * i + 2) && !tree->haveNode[2 * i + 2]) {
/* right child = H_right(seed_i || salt || t || i) */
memcpy(tree->nodes[2 * i + 2], tmp + params->seed_size, params->seed_size);
tree->haveNode[2 * i + 2] = 1;
}
}
/* now hash in groups of 4 for faster hashing */
for (; i <= lastNonLeaf / 4 * 4; i += 4) {
hashSeed_x4(tmp_ptr, (const uint8_t**) &tree->nodes[i], salt, HASH_PREFIX_1, repIndex, i, params);
for (size_t j = i; j < i + 4; j++) {
if (!tree->haveNode[j]) {
continue;
}
if (!tree->haveNode[2 * j + 1]) {
/* left child = H_left(seed_i || salt || t || j) */
memcpy(tree->nodes[2 * j + 1], tmp_ptr[j-i], params->seed_size);
tree->haveNode[2 * j + 1] = 1;
}
/* The last non-leaf node will only have a left child when there are an odd number of leaves
*/
if (exists(tree, 2 * j + 2) && !tree->haveNode[2 * j + 2]) {
/* right child = H_right(seed_i || salt || t || j) */
memcpy(tree->nodes[2 * j + 2], tmp_ptr[j-i] + params->seed_size, params->seed_size);
tree->haveNode[2 * j + 2] = 1;
}
}
}
/* handle last few, which are not a multiple of 4 */
for (; i <= lastNonLeaf; i++) {
if (!tree->haveNode[i]) {
continue;
}
@ -350,7 +421,7 @@ static void computeParentHash(tree_t* tree, size_t child, uint8_t* salt,
}
/* Compute parent data = H(left child data || [right child data] || salt || parent idx) */
Keccak_HashInstance ctx;
hash_context ctx;
hash_init_prefix(&ctx, params, HASH_PREFIX_3);
hash_update(&ctx, tree->nodes[2 * parent + 1], params->digest_size);

51
src/sig/picnic/external/picnic2_types.c vendored
View File

@ -12,10 +12,10 @@
#include "picnic2_types.h"
#include "compat.h"
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
shares_t* allocateShares(size_t count) {
shares_t* shares = malloc(sizeof(shares_t));
@ -33,20 +33,39 @@ void freeShares(shares_t* shares) {
void allocateRandomTape(randomTape_t* tape, const picnic_instance_t* params) {
tape->nTapes = params->num_MPC_parties;
tape->tape = malloc(tape->nTapes * sizeof(uint8_t*));
tape->aux_bits = calloc(1, params->view_size);
tape->buffer = aligned_alloc(32, tape->nTapes * sizeof(uint64_t));
size_t tapeSizeBytes = 2 * params->view_size + params->input_size;
tapeSizeBytes = ((tapeSizeBytes + 7) / 8) * 8;
uint8_t* slab = calloc(1, tape->nTapes * tapeSizeBytes);
tapeSizeBytes = ((tapeSizeBytes + 7) / 8) * 8; // round up to multiple of 64 bit for transpose
uint8_t* slab = calloc(1, tape->nTapes * tapeSizeBytes);
for (uint8_t i = 0; i < tape->nTapes; i++) {
tape->tape[i] = slab;
slab += tapeSizeBytes;
}
tape->pos = 0;
tape->pos = 0;
tape->aux_pos = 0;
}
void freeRandomTape(randomTape_t* tape) {
if (tape != NULL) {
free(tape->tape[0]);
free(tape->tape);
aligned_free(tape->buffer);
free(tape->aux_bits);
}
}
void partialFreeRandomTape(randomTape_t* tape) {
if (tape != NULL) {
free(tape->tape[0]);
free(tape->tape);
aligned_free(tape->buffer);
}
}
void finalFreeRandomTape(randomTape_t* tape) {
if (tape != NULL) {
free(tape->aux_bits);
}
}
@ -181,6 +200,26 @@ msgs_t* allocateMsgs(const picnic_instance_t* params) {
return msgs;
}
msgs_t* allocateMsgsVerify(const picnic_instance_t* params) {
msgs_t* msgs = malloc(sizeof(msgs_t));
uint8_t* slab =
calloc(1, (params->num_MPC_parties * ((params->view_size + params->input_size + 7) / 8 * 8) +
params->num_MPC_parties * sizeof(uint8_t*)));
msgs->pos = 0;
msgs->unopened = -1;
msgs->msgs = (uint8_t**)slab;
slab += params->num_MPC_parties * sizeof(uint8_t*);
for (uint32_t j = 0; j < params->num_MPC_parties; j++) {
msgs->msgs[j] = slab;
slab += (params->view_size + params->input_size + 7) / 8 * 8;
}
return msgs;
}
void freeMsgs(msgs_t* msgs) {
free(msgs[0].msgs);
free(msgs);

7
src/sig/picnic/external/picnic2_types.h vendored
View File

@ -18,9 +18,11 @@
/* Type definitions */
typedef struct randomTape_t {
uint8_t** tape;
uint8_t* aux_bits;
uint32_t pos;
uint32_t aux_pos;
size_t nTapes;
uint64_t buffer[64];
uint64_t* buffer;
} randomTape_t;
typedef struct commitments_t {
@ -45,6 +47,8 @@ typedef struct shares_t {
void allocateRandomTape(randomTape_t* tape, const picnic_instance_t* params);
void freeRandomTape(randomTape_t* tape);
void partialFreeRandomTape(randomTape_t* tape);
void finalFreeRandomTape(randomTape_t* tape);
void allocateProof2(proof2_t* proof, const picnic_instance_t* params);
void freeProof2(proof2_t* proof);
@ -60,6 +64,7 @@ inputs_t allocateInputs(const picnic_instance_t* params);
void freeInputs(inputs_t inputs);
msgs_t* allocateMsgs(const picnic_instance_t* params);
msgs_t* allocateMsgsVerify(const picnic_instance_t* params);
void freeMsgs(msgs_t* msgs);
shares_t* allocateShares(size_t count);

1
src/sig/picnic/external/picnic_L1_FS/api.h vendored
View File

@ -5,6 +5,7 @@
#define CRYPTO_PUBLICKEYBYTES (1 + 2 * 16)
#define CRYPTO_BYTES (4 + 34032)
#define CRYPTO_ALGNAME "picnicl1fs"
#define CRYPTO_DETERMINISTIC 1
int crypto_sign_keypair(unsigned char* pk, unsigned char* sk);
int crypto_sign(unsigned char* sm, unsigned long long* smlen, const unsigned char* m,

1
src/sig/picnic/external/picnic_L1_UR/api.h vendored
View File

@ -5,6 +5,7 @@
#define CRYPTO_PUBLICKEYBYTES (1 + 2 * 16)
#define CRYPTO_BYTES (4 + 53961)
#define CRYPTO_ALGNAME "picnicl1ur"
#define CRYPTO_DETERMINISTIC 1
int crypto_sign_keypair(unsigned char* pk, unsigned char* sk);
int crypto_sign(unsigned char* sm, unsigned long long* smlen, const unsigned char* m,

1
src/sig/picnic/external/picnic_L3_FS/api.h vendored
View File

@ -5,6 +5,7 @@
#define CRYPTO_PUBLICKEYBYTES (1 + 2 * 24)
#define CRYPTO_BYTES (4 + 76772)
#define CRYPTO_ALGNAME "picnicl3fs"
#define CRYPTO_DETERMINISTIC 1
int crypto_sign_keypair(unsigned char* pk, unsigned char* sk);
int crypto_sign(unsigned char* sm, unsigned long long* smlen, const unsigned char* m,

1
src/sig/picnic/external/picnic_L3_UR/api.h vendored
View File

@ -5,6 +5,7 @@
#define CRYPTO_PUBLICKEYBYTES (1 + 2 * 24)
#define CRYPTO_BYTES (4 + 121845)
#define CRYPTO_ALGNAME "picnicl3ur"
#define CRYPTO_DETERMINISTIC 1
int crypto_sign_keypair(unsigned char* pk, unsigned char* sk);
int crypto_sign(unsigned char* sm, unsigned long long* smlen, const unsigned char* m,

1
src/sig/picnic/external/picnic_L5_FS/api.h vendored
View File

@ -5,6 +5,7 @@
#define CRYPTO_PUBLICKEYBYTES (1 + 2 * 32)
#define CRYPTO_BYTES (4 + 132856)
#define CRYPTO_ALGNAME "picnicl5fs"
#define CRYPTO_DETERMINISTIC 1
int crypto_sign_keypair(unsigned char* pk, unsigned char* sk);
int crypto_sign(unsigned char* sm, unsigned long long* smlen, const unsigned char* m,

1
src/sig/picnic/external/picnic_L5_UR/api.h vendored
View File

@ -5,6 +5,7 @@
#define CRYPTO_PUBLICKEYBYTES (1 + 2 * 32)
#define CRYPTO_BYTES (4 + 209506)
#define CRYPTO_ALGNAME "picnicl5ur"
#define CRYPTO_DETERMINISTIC 1
int crypto_sign_keypair(unsigned char* pk, unsigned char* sk);
int crypto_sign(unsigned char* sm, unsigned long long* smlen, const unsigned char* m,

105
src/sig/picnic/external/picnic_impl.c vendored
View File

@ -53,8 +53,6 @@ const uint8_t HASH_PREFIX_3 = 3;
const uint8_t HASH_PREFIX_4 = 4;
const uint8_t HASH_PREFIX_5 = 5;
#define LOWMC_UNSPECFIED_ARG UINT32_MAX
/**
* Collapse challenge from one char per challenge to bit array.
*/
@ -96,9 +94,6 @@ static bool expand_challenge(uint8_t* challenge, const picnic_instance_t* pp,
return true;
}
#define ALIGNT(s, t) (((s) + sizeof(t) - 1) & ~(sizeof(t) - 1))
#define ALIGNU64T(s) ALIGNT(s, uint64_t)
static sig_proof_t* proof_new(const picnic_instance_t* pp) {
const size_t digest_size = pp->digest_size;
const size_t seed_size = pp->seed_size;
@ -468,7 +463,7 @@ static void hash_commitment_x4(const picnic_instance_t* pp, proof_round_t* prf_r
/**
* Compute commitment to 4 views, for verification
*/
static void hash_commitment_x4_verify(const picnic_instance_t* pp, sorting_helper_t* helper,
static void hash_commitment_x4_verify(const picnic_instance_t* pp, const sorting_helper_t* helper,
const unsigned int vidx) {
const size_t hashlen = pp->digest_size;
@ -767,7 +762,7 @@ static void unruh_G_x4(const picnic_instance_t* pp, proof_round_t* prf_round, un
/*
* 4x G permutation for Unruh transform, for verification
*/
static void unruh_G_x4_verify(const picnic_instance_t* pp, sorting_helper_t* helper,
static void unruh_G_x4_verify(const picnic_instance_t* pp, const sorting_helper_t* helper,
unsigned int vidx, bool include_is) {
hash_context_x4 ctx;
@ -999,7 +994,7 @@ static void generate_seeds(const picnic_instance_t* pp, const uint8_t* private_k
#if defined(WITH_EXTRA_RANDOMNESS)
// Add extra randomn bytes for fault attack mitigation
unsigned char buffer[2 * MAX_DIGEST_SIZE];
rand_bytes(buffer, 2 * seed_size);
OQS_randombytes(buffer, 2 * seed_size);
kdf_shake_update_key(&ctx, buffer, 2 * seed_size);
#endif
kdf_shake_finalize_key(&ctx);
@ -1055,7 +1050,7 @@ static int sign_impl(const picnic_instance_t* pp, const uint8_t* private_key,
proof_round_t* round = prf->round;
// use 4 parallel instances of keccak for speedup
uint8_t* tape_bytes_x4[SC_PROOF][4];
for (unsigned k = 0; k < SC_PROOF; k++) { /* OQS note: changed i to k to avoid shadowing i */
for (unsigned k = 0; k < SC_PROOF; k++) {
for (unsigned j = 0; j < 4; j++) {
tape_bytes_x4[k][j] = malloc(view_size);
}
@ -1163,8 +1158,8 @@ static int sign_impl(const picnic_instance_t* pp, const uint8_t* private_key,
const int ret = sig_proof_to_char_array(pp, prf, sig, siglen);
// clean up
for (unsigned k = 0; k < SC_PROOF; k++) {
for (unsigned j = 0; j < 4; j++) {
for (unsigned int k = 0; k < SC_PROOF; ++k) {
for (unsigned int j = 0; j < 4; ++j) {
free(tape_bytes_x4[k][j]);
}
}
@ -1229,8 +1224,8 @@ static int verify_impl(const picnic_instance_t* pp, const uint8_t* plaintext, mz
num_current_rounds++;
}
}
unsigned int i = 0;
sorting_helper_t* helper = sorted_rounds;
unsigned int i = 0;
const sorting_helper_t* helper = sorted_rounds;
for (; i < (num_current_rounds / 4) * 4; i += 4, helper += 4) {
const unsigned int a_i = current_chal;
const unsigned int b_i = (a_i + 1) % 3;
@ -1457,15 +1452,6 @@ int impl_verify(const picnic_instance_t* pp, const uint8_t* plaintext, const uin
#define LOWMC_L5_1_OR_NULL NULL
#endif
#if defined(MUL_M4RI)
static bool lowmc_instances_initialized[6];
static lowmc_t* const lowmc_instances[6] = {
#else
static const lowmc_t* const lowmc_instances[6] = {
#endif
LOWMC_L1_OR_NULL, LOWMC_L3_OR_NULL, LOWMC_L5_OR_NULL,
LOWMC_L1_1_OR_NULL, LOWMC_L3_1_OR_NULL, LOWMC_L5_1_OR_NULL};
#define NULL_FNS \
{ NULL, NULL, NULL, NULL, NULL, NULL, NULL }
@ -1505,70 +1491,8 @@ static picnic_instance_t instances[PARAMETER_SET_MAX_INDEX] = {
PICNIC_SIGNATURE_SIZE_Picnic_L5_1_UR, Picnic_L5_1_UR, TRANSFORM_UR, NULL_FNS}};
static bool instance_initialized[PARAMETER_SET_MAX_INDEX];
static const lowmc_t* lowmc_get_instance(unsigned int idx) {
#if defined(MUL_M4RI)
if (!lowmc_instances_initialized[idx]) {
if (lowmc_init(lowmc_instances[idx])) {
lowmc_instances_initialized[idx] = true;
return lowmc_instances[idx];
}
return NULL;
}
#endif
return lowmc_instances[idx];
}
#if defined(MUL_M4RI)
static void clear_lowmc_instance(unsigned int idx) {
if (lowmc_instances_initialized[idx]) {
lowmc_clear(lowmc_instances[idx]);
lowmc_instances_initialized[idx] = false;
}
}
#endif
static bool create_instance(picnic_instance_t* pp, picnic_params_t param) {
const lowmc_t* lowmc_instance = NULL;
switch (param) {
case Picnic_L1_FS:
case Picnic_L1_UR:
case Picnic2_L1_FS:
lowmc_instance = lowmc_get_instance(0);
break;
case Picnic_L3_FS:
case Picnic_L3_UR:
case Picnic2_L3_FS:
lowmc_instance = lowmc_get_instance(1);
break;
case Picnic_L5_FS:
case Picnic_L5_UR:
case Picnic2_L5_FS:
lowmc_instance = lowmc_get_instance(2);
break;
case Picnic_L1_1_FS:
case Picnic_L1_1_UR:
lowmc_instance = lowmc_get_instance(3);
break;
case Picnic_L3_1_FS:
case Picnic_L3_1_UR:
lowmc_instance = lowmc_get_instance(4);
break;
case Picnic_L5_1_FS:
case Picnic_L5_1_UR:
lowmc_instance = lowmc_get_instance(5);
break;
default:
return false;
}
if (!lowmc_instance) {
static bool create_instance(picnic_instance_t* pp) {
if (!pp->lowmc) {
return false;
}
@ -1589,7 +1513,7 @@ const picnic_instance_t* picnic_instance_get(picnic_params_t param) {
}
if (!instance_initialized[param]) {
if (!create_instance(&instances[param], param)) {
if (!create_instance(&instances[param])) {
return NULL;
}
instance_initialized[param] = true;
@ -1604,11 +1528,4 @@ ATTR_DTOR static void clear_instances(void) {
instance_initialized[p] = false;
}
}
#if defined(MUL_M4RI)
for (unsigned int i = 0;
i < sizeof(lowmc_instances_initialized) / sizeof(lowmc_instances_initialized[0]); ++i) {
clear_lowmc_instance(i);
}
#endif
}

1
src/sig/picnic/external/picnic_impl.h vendored
View File

@ -17,6 +17,7 @@
#define MAX_DIGEST_SIZE 64
#define MAX_NUM_ROUNDS 438
#define MAX_LOWMC_BLOCK_SIZE_BITS (MAX_LOWMC_BLOCK_SIZE * 8)
typedef enum { TRANSFORM_FS, TRANSFORM_UR } transform_t;

18
src/sig/picnic/sig_picnic.c
View File

@ -113,7 +113,7 @@ OQS_SIG *OQS_SIG_picnic_L1_FS_new() {
return NULL;
}
sig->method_name = OQS_SIG_alg_picnic_L1_FS;
sig->alg_version = "https://github.com/IAIK/Picnic/tree/v2.0";
sig->alg_version = "https://github.com/IAIK/Picnic/tree/v2.1.1";
sig->claimed_nist_level = 1;
sig->euf_cma = true;
@ -152,7 +152,7 @@ OQS_SIG *OQS_SIG_picnic_L1_UR_new() {
return NULL;
}
sig->method_name = OQS_SIG_alg_picnic_L1_UR;
sig->alg_version = "https://github.com/IAIK/Picnic/tree/v2.0";
sig->alg_version = "https://github.com/IAIK/Picnic/tree/v2.1.1";
sig->claimed_nist_level = 1;
sig->euf_cma = true;
@ -191,7 +191,7 @@ OQS_SIG *OQS_SIG_picnic_L3_FS_new() {
return NULL;
}
sig->method_name = OQS_SIG_alg_picnic_L3_FS;
sig->alg_version = "https://github.com/IAIK/Picnic/tree/v2.0";
sig->alg_version = "https://github.com/IAIK/Picnic/tree/v2.1.1";
sig->claimed_nist_level = 3;
sig->euf_cma = true;
@ -230,7 +230,7 @@ OQS_SIG *OQS_SIG_picnic_L3_UR_new() {
return NULL;
}
sig->method_name = OQS_SIG_alg_picnic_L3_UR;
sig->alg_version = "https://github.com/IAIK/Picnic/tree/v2.0";
sig->alg_version = "https://github.com/IAIK/Picnic/tree/v2.1.1";
sig->claimed_nist_level = 3;
sig->euf_cma = true;
@ -269,7 +269,7 @@ OQS_SIG *OQS_SIG_picnic_L5_FS_new() {
return NULL;
}
sig->method_name = OQS_SIG_alg_picnic_L5_FS;
sig->alg_version = "https://github.com/IAIK/Picnic/tree/v2.0";
sig->alg_version = "https://github.com/IAIK/Picnic/tree/v2.1.1";
sig->claimed_nist_level = 5;
sig->euf_cma = true;
@ -309,7 +309,7 @@ OQS_SIG *OQS_SIG_picnic_L5_UR_new() {
}
sig->method_name = OQS_SIG_alg_picnic_L5_UR;
sig->alg_version = "https://github.com/IAIK/Picnic/tree/v2.0";
sig->alg_version = "https://github.com/IAIK/Picnic/tree/v2.1.1";
sig->claimed_nist_level = 5;
sig->euf_cma = true;
@ -346,7 +346,7 @@ OQS_SIG *OQS_SIG_picnic2_L1_FS_new() {
return NULL;
}
sig->method_name = OQS_SIG_alg_picnic2_L1_FS;
sig->alg_version = "https://github.com/IAIK/Picnic/tree/v2.0";
sig->alg_version = "https://github.com/IAIK/Picnic/tree/v2.1.1";
sig->claimed_nist_level = 1;
sig->euf_cma = true;
@ -384,7 +384,7 @@ OQS_SIG *OQS_SIG_picnic2_L3_FS_new() {
return NULL;
}
sig->method_name = OQS_SIG_alg_picnic2_L3_FS;
sig->alg_version = "https://github.com/IAIK/Picnic/tree/v2.0";
sig->alg_version = "https://github.com/IAIK/Picnic/tree/v2.1.1";
sig->claimed_nist_level = 3;
sig->euf_cma = true;
@ -422,7 +422,7 @@ OQS_SIG *OQS_SIG_picnic2_L5_FS_new() {
return NULL;
}
sig->method_name = OQS_SIG_alg_picnic2_L5_FS;
sig->alg_version = "https://github.com/IAIK/Picnic/tree/v2.0";
sig->alg_version = "https://github.com/IAIK/Picnic/tree/v2.1.1";
sig->claimed_nist_level = 5;
sig->euf_cma = true;

6
tests/KATs/sig/picnic2_L1_FS.kat
View File

File diff suppressed because one or more lines are too long

6
tests/KATs/sig/picnic2_L3_FS.kat
View File

File diff suppressed because one or more lines are too long

6
tests/KATs/sig/picnic2_L5_FS.kat
View File

File diff suppressed because one or more lines are too long