From c8394987d8f1def399346c21d500e91f3543f5ad Mon Sep 17 00:00:00 2001
From: "Matthias J. Kannwischer"
Date: Fri, 23 Feb 2024 10:55:57 +0800
Subject: [PATCH 1/7] update PQClean
---
mupq | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mupq b/mupq
index 14f4e132..dbe94161 160000
--- a/mupq
+++ b/mupq
@@ -1 +1 @@
-Subproject commit 14f4e13261f792c82caeee90d9d160b4000f9502
+Subproject commit dbe9416182ce4f4d9cdb9a42da31dbf5ba5e6e4c
From 5087fd85011b9b9fa5772634e496c0820f13e938 Mon Sep 17 00:00:00 2001
From: "Matthias J. Kannwischer" Date: Fri, 23 Feb 2024 10:56:33 +0800 Subject: [PATCH 2/7] remove Kyber-90s; won't be standardized --- crypto_kem/kyber1024-90s/m4fspeed/aes256ctr.c | 1 - crypto_kem/kyber1024-90s/m4fspeed/aes256ctr.h | 1 - crypto_kem/kyber1024-90s/m4fspeed/api.h | 1 - crypto_kem/kyber1024-90s/m4fspeed/cbd.c | 1 - crypto_kem/kyber1024-90s/m4fspeed/cbd.h | 1 - .../kyber1024-90s/m4fspeed/fastaddsub.S | 1 - .../kyber1024-90s/m4fspeed/fastbasemul.S | 1 - .../kyber1024-90s/m4fspeed/fastinvntt.S | 1 - crypto_kem/kyber1024-90s/m4fspeed/fastntt.S | 1 - crypto_kem/kyber1024-90s/m4fspeed/indcpa.c | 1 - crypto_kem/kyber1024-90s/m4fspeed/indcpa.h | 1 - crypto_kem/kyber1024-90s/m4fspeed/kem.c | 1 - crypto_kem/kyber1024-90s/m4fspeed/macros.i | 1 - crypto_kem/kyber1024-90s/m4fspeed/matacc.c | 1 - crypto_kem/kyber1024-90s/m4fspeed/matacc.h | 1 - crypto_kem/kyber1024-90s/m4fspeed/matacc.i | 1 - .../kyber1024-90s/m4fspeed/matacc_asm.S | 1 - crypto_kem/kyber1024-90s/m4fspeed/ntt.c | 1 - crypto_kem/kyber1024-90s/m4fspeed/ntt.h | 1 - crypto_kem/kyber1024-90s/m4fspeed/params.h | 1 - crypto_kem/kyber1024-90s/m4fspeed/poly.c | 1 - crypto_kem/kyber1024-90s/m4fspeed/poly.h | 1 - crypto_kem/kyber1024-90s/m4fspeed/poly_asm.S | 1 - crypto_kem/kyber1024-90s/m4fspeed/polyvec.c | 1 - crypto_kem/kyber1024-90s/m4fspeed/polyvec.h | 1 - crypto_kem/kyber1024-90s/m4fspeed/reduce.S | 1 - crypto_kem/kyber1024-90s/m4fspeed/symmetric.h | 1 - crypto_kem/kyber1024-90s/m4fspeed/verify.c | 1 - crypto_kem/kyber1024-90s/m4fspeed/verify.h | 1 - crypto_kem/kyber1024-90s/m4fstack/aes256ctr.c | 1 - crypto_kem/kyber1024-90s/m4fstack/aes256ctr.h | 1 - crypto_kem/kyber1024-90s/m4fstack/api.h | 1 - crypto_kem/kyber1024-90s/m4fstack/cbd.c | 1 - crypto_kem/kyber1024-90s/m4fstack/cbd.h | 1 - .../kyber1024-90s/m4fstack/fastaddsub.S | 1 - .../kyber1024-90s/m4fstack/fastbasemul.S | 1 - .../kyber1024-90s/m4fstack/fastinvntt.S | 1 - crypto_kem/kyber1024-90s/m4fstack/fastntt.S | 1 - 
crypto_kem/kyber1024-90s/m4fstack/indcpa.c | 1 - crypto_kem/kyber1024-90s/m4fstack/indcpa.h | 1 - crypto_kem/kyber1024-90s/m4fstack/kem.c | 1 - crypto_kem/kyber1024-90s/m4fstack/macros.i | 1 - crypto_kem/kyber1024-90s/m4fstack/matacc.c | 1 - crypto_kem/kyber1024-90s/m4fstack/matacc.h | 1 - crypto_kem/kyber1024-90s/m4fstack/matacc.i | 1 - .../kyber1024-90s/m4fstack/matacc_asm.S | 1 - crypto_kem/kyber1024-90s/m4fstack/ntt.c | 1 - crypto_kem/kyber1024-90s/m4fstack/ntt.h | 1 - crypto_kem/kyber1024-90s/m4fstack/params.h | 1 - crypto_kem/kyber1024-90s/m4fstack/poly.c | 1 - crypto_kem/kyber1024-90s/m4fstack/poly.h | 1 - crypto_kem/kyber1024-90s/m4fstack/poly_asm.S | 1 - crypto_kem/kyber1024-90s/m4fstack/polyvec.c | 1 - crypto_kem/kyber1024-90s/m4fstack/polyvec.h | 1 - crypto_kem/kyber1024-90s/m4fstack/reduce.S | 1 - crypto_kem/kyber1024-90s/m4fstack/symmetric.h | 1 - crypto_kem/kyber1024-90s/m4fstack/verify.c | 1 - crypto_kem/kyber1024-90s/m4fstack/verify.h | 1 - crypto_kem/kyber512-90s/m4fspeed/aes256ctr.c | 1 - crypto_kem/kyber512-90s/m4fspeed/aes256ctr.h | 1 - crypto_kem/kyber512-90s/m4fspeed/api.h | 1 - crypto_kem/kyber512-90s/m4fspeed/cbd.c | 1 - crypto_kem/kyber512-90s/m4fspeed/cbd.h | 1 - crypto_kem/kyber512-90s/m4fspeed/fastaddsub.S | 1 - .../kyber512-90s/m4fspeed/fastbasemul.S | 1 - crypto_kem/kyber512-90s/m4fspeed/fastinvntt.S | 1 - crypto_kem/kyber512-90s/m4fspeed/fastntt.S | 1 - crypto_kem/kyber512-90s/m4fspeed/indcpa.c | 1 - crypto_kem/kyber512-90s/m4fspeed/indcpa.h | 1 - crypto_kem/kyber512-90s/m4fspeed/kem.c | 1 - crypto_kem/kyber512-90s/m4fspeed/macros.i | 1 - crypto_kem/kyber512-90s/m4fspeed/matacc.c | 1 - crypto_kem/kyber512-90s/m4fspeed/matacc.h | 1 - crypto_kem/kyber512-90s/m4fspeed/matacc.i | 1 - crypto_kem/kyber512-90s/m4fspeed/matacc_asm.S | 1 - crypto_kem/kyber512-90s/m4fspeed/ntt.c | 1 - crypto_kem/kyber512-90s/m4fspeed/ntt.h | 1 - crypto_kem/kyber512-90s/m4fspeed/params.h | 1 - crypto_kem/kyber512-90s/m4fspeed/poly.c | 1 - 
crypto_kem/kyber512-90s/m4fspeed/poly.h | 1 - crypto_kem/kyber512-90s/m4fspeed/poly_asm.S | 1 - crypto_kem/kyber512-90s/m4fspeed/polyvec.c | 1 - crypto_kem/kyber512-90s/m4fspeed/polyvec.h | 1 - crypto_kem/kyber512-90s/m4fspeed/reduce.S | 1 - crypto_kem/kyber512-90s/m4fspeed/symmetric.h | 1 - crypto_kem/kyber512-90s/m4fspeed/verify.c | 1 - crypto_kem/kyber512-90s/m4fspeed/verify.h | 1 - crypto_kem/kyber512-90s/m4fstack/aes256ctr.c | 1 - crypto_kem/kyber512-90s/m4fstack/aes256ctr.h | 1 - crypto_kem/kyber512-90s/m4fstack/api.h | 1 - crypto_kem/kyber512-90s/m4fstack/cbd.c | 1 - crypto_kem/kyber512-90s/m4fstack/cbd.h | 1 - crypto_kem/kyber512-90s/m4fstack/fastaddsub.S | 1 - .../kyber512-90s/m4fstack/fastbasemul.S | 1 - crypto_kem/kyber512-90s/m4fstack/fastinvntt.S | 1 - crypto_kem/kyber512-90s/m4fstack/fastntt.S | 1 - crypto_kem/kyber512-90s/m4fstack/indcpa.c | 1 - crypto_kem/kyber512-90s/m4fstack/indcpa.h | 1 - crypto_kem/kyber512-90s/m4fstack/kem.c | 1 - crypto_kem/kyber512-90s/m4fstack/macros.i | 1 - crypto_kem/kyber512-90s/m4fstack/matacc.c | 1 - crypto_kem/kyber512-90s/m4fstack/matacc.h | 1 - crypto_kem/kyber512-90s/m4fstack/matacc.i | 1 - crypto_kem/kyber512-90s/m4fstack/matacc_asm.S | 1 - crypto_kem/kyber512-90s/m4fstack/ntt.c | 1 - crypto_kem/kyber512-90s/m4fstack/ntt.h | 1 - crypto_kem/kyber512-90s/m4fstack/params.h | 1 - crypto_kem/kyber512-90s/m4fstack/poly.c | 1 - crypto_kem/kyber512-90s/m4fstack/poly.h | 1 - crypto_kem/kyber512-90s/m4fstack/poly_asm.S | 1 - crypto_kem/kyber512-90s/m4fstack/polyvec.c | 1 - crypto_kem/kyber512-90s/m4fstack/polyvec.h | 1 - crypto_kem/kyber512-90s/m4fstack/reduce.S | 1 - crypto_kem/kyber512-90s/m4fstack/symmetric.h | 1 - crypto_kem/kyber512-90s/m4fstack/verify.c | 1 - crypto_kem/kyber512-90s/m4fstack/verify.h | 1 - crypto_kem/kyber768-90s/m4fspeed/aes256ctr.c | 96 ----- crypto_kem/kyber768-90s/m4fspeed/aes256ctr.h | 19 - crypto_kem/kyber768-90s/m4fspeed/api.h | 1 - crypto_kem/kyber768-90s/m4fspeed/cbd.c | 1 - 
crypto_kem/kyber768-90s/m4fspeed/cbd.h | 1 - crypto_kem/kyber768-90s/m4fspeed/fastaddsub.S | 1 - .../kyber768-90s/m4fspeed/fastbasemul.S | 1 - crypto_kem/kyber768-90s/m4fspeed/fastinvntt.S | 1 - crypto_kem/kyber768-90s/m4fspeed/fastntt.S | 1 - crypto_kem/kyber768-90s/m4fspeed/indcpa.c | 1 - crypto_kem/kyber768-90s/m4fspeed/indcpa.h | 1 - crypto_kem/kyber768-90s/m4fspeed/kem.c | 1 - crypto_kem/kyber768-90s/m4fspeed/macros.i | 1 - crypto_kem/kyber768-90s/m4fspeed/matacc.c | 92 ---- crypto_kem/kyber768-90s/m4fspeed/matacc.h | 63 --- crypto_kem/kyber768-90s/m4fspeed/matacc.i | 1 - crypto_kem/kyber768-90s/m4fspeed/matacc_asm.S | 403 ------------------ crypto_kem/kyber768-90s/m4fspeed/ntt.c | 1 - crypto_kem/kyber768-90s/m4fspeed/ntt.h | 1 - crypto_kem/kyber768-90s/m4fspeed/params.h | 1 - crypto_kem/kyber768-90s/m4fspeed/poly.c | 1 - crypto_kem/kyber768-90s/m4fspeed/poly.h | 1 - crypto_kem/kyber768-90s/m4fspeed/poly_asm.S | 1 - crypto_kem/kyber768-90s/m4fspeed/polyvec.c | 1 - crypto_kem/kyber768-90s/m4fspeed/polyvec.h | 1 - crypto_kem/kyber768-90s/m4fspeed/reduce.S | 1 - crypto_kem/kyber768-90s/m4fspeed/symmetric.h | 25 -- crypto_kem/kyber768-90s/m4fspeed/verify.c | 1 - crypto_kem/kyber768-90s/m4fspeed/verify.h | 1 - crypto_kem/kyber768-90s/m4fstack/aes256ctr.c | 1 - crypto_kem/kyber768-90s/m4fstack/aes256ctr.h | 1 - crypto_kem/kyber768-90s/m4fstack/api.h | 1 - crypto_kem/kyber768-90s/m4fstack/cbd.c | 1 - crypto_kem/kyber768-90s/m4fstack/cbd.h | 1 - crypto_kem/kyber768-90s/m4fstack/fastaddsub.S | 1 - .../kyber768-90s/m4fstack/fastbasemul.S | 1 - crypto_kem/kyber768-90s/m4fstack/fastinvntt.S | 1 - crypto_kem/kyber768-90s/m4fstack/fastntt.S | 1 - crypto_kem/kyber768-90s/m4fstack/indcpa.c | 1 - crypto_kem/kyber768-90s/m4fstack/indcpa.h | 1 - crypto_kem/kyber768-90s/m4fstack/kem.c | 1 - crypto_kem/kyber768-90s/m4fstack/macros.i | 1 - crypto_kem/kyber768-90s/m4fstack/matacc.c | 45 -- crypto_kem/kyber768-90s/m4fstack/matacc.h | 26 -- crypto_kem/kyber768-90s/m4fstack/matacc.i | 
1 - crypto_kem/kyber768-90s/m4fstack/matacc_asm.S | 159 ------- crypto_kem/kyber768-90s/m4fstack/ntt.c | 1 - crypto_kem/kyber768-90s/m4fstack/ntt.h | 1 - crypto_kem/kyber768-90s/m4fstack/params.h | 1 - crypto_kem/kyber768-90s/m4fstack/poly.c | 1 - crypto_kem/kyber768-90s/m4fstack/poly.h | 1 - crypto_kem/kyber768-90s/m4fstack/poly_asm.S | 1 - crypto_kem/kyber768-90s/m4fstack/polyvec.c | 1 - crypto_kem/kyber768-90s/m4fstack/polyvec.h | 1 - crypto_kem/kyber768-90s/m4fstack/reduce.S | 1 - crypto_kem/kyber768-90s/m4fstack/symmetric.h | 1 - crypto_kem/kyber768-90s/m4fstack/verify.c | 1 - crypto_kem/kyber768-90s/m4fstack/verify.h | 1 - 174 files changed, 1093 deletions(-) delete mode 120000 crypto_kem/kyber1024-90s/m4fspeed/aes256ctr.c delete mode 120000 crypto_kem/kyber1024-90s/m4fspeed/aes256ctr.h delete mode 120000 crypto_kem/kyber1024-90s/m4fspeed/api.h delete mode 120000 crypto_kem/kyber1024-90s/m4fspeed/cbd.c delete mode 120000 crypto_kem/kyber1024-90s/m4fspeed/cbd.h delete mode 120000 crypto_kem/kyber1024-90s/m4fspeed/fastaddsub.S delete mode 120000 crypto_kem/kyber1024-90s/m4fspeed/fastbasemul.S delete mode 120000 crypto_kem/kyber1024-90s/m4fspeed/fastinvntt.S delete mode 120000 crypto_kem/kyber1024-90s/m4fspeed/fastntt.S delete mode 120000 crypto_kem/kyber1024-90s/m4fspeed/indcpa.c delete mode 120000 crypto_kem/kyber1024-90s/m4fspeed/indcpa.h delete mode 120000 crypto_kem/kyber1024-90s/m4fspeed/kem.c delete mode 120000 crypto_kem/kyber1024-90s/m4fspeed/macros.i delete mode 120000 crypto_kem/kyber1024-90s/m4fspeed/matacc.c delete mode 120000 crypto_kem/kyber1024-90s/m4fspeed/matacc.h delete mode 120000 crypto_kem/kyber1024-90s/m4fspeed/matacc.i delete mode 120000 crypto_kem/kyber1024-90s/m4fspeed/matacc_asm.S delete mode 120000 crypto_kem/kyber1024-90s/m4fspeed/ntt.c delete mode 120000 crypto_kem/kyber1024-90s/m4fspeed/ntt.h delete mode 120000 crypto_kem/kyber1024-90s/m4fspeed/params.h delete mode 120000 crypto_kem/kyber1024-90s/m4fspeed/poly.c delete mode 120000 
crypto_kem/kyber1024-90s/m4fspeed/poly.h delete mode 120000 crypto_kem/kyber1024-90s/m4fspeed/poly_asm.S delete mode 120000 crypto_kem/kyber1024-90s/m4fspeed/polyvec.c delete mode 120000 crypto_kem/kyber1024-90s/m4fspeed/polyvec.h delete mode 120000 crypto_kem/kyber1024-90s/m4fspeed/reduce.S delete mode 120000 crypto_kem/kyber1024-90s/m4fspeed/symmetric.h delete mode 120000 crypto_kem/kyber1024-90s/m4fspeed/verify.c delete mode 120000 crypto_kem/kyber1024-90s/m4fspeed/verify.h delete mode 120000 crypto_kem/kyber1024-90s/m4fstack/aes256ctr.c delete mode 120000 crypto_kem/kyber1024-90s/m4fstack/aes256ctr.h delete mode 120000 crypto_kem/kyber1024-90s/m4fstack/api.h delete mode 120000 crypto_kem/kyber1024-90s/m4fstack/cbd.c delete mode 120000 crypto_kem/kyber1024-90s/m4fstack/cbd.h delete mode 120000 crypto_kem/kyber1024-90s/m4fstack/fastaddsub.S delete mode 120000 crypto_kem/kyber1024-90s/m4fstack/fastbasemul.S delete mode 120000 crypto_kem/kyber1024-90s/m4fstack/fastinvntt.S delete mode 120000 crypto_kem/kyber1024-90s/m4fstack/fastntt.S delete mode 120000 crypto_kem/kyber1024-90s/m4fstack/indcpa.c delete mode 120000 crypto_kem/kyber1024-90s/m4fstack/indcpa.h delete mode 120000 crypto_kem/kyber1024-90s/m4fstack/kem.c delete mode 120000 crypto_kem/kyber1024-90s/m4fstack/macros.i delete mode 120000 crypto_kem/kyber1024-90s/m4fstack/matacc.c delete mode 120000 crypto_kem/kyber1024-90s/m4fstack/matacc.h delete mode 120000 crypto_kem/kyber1024-90s/m4fstack/matacc.i delete mode 120000 crypto_kem/kyber1024-90s/m4fstack/matacc_asm.S delete mode 120000 crypto_kem/kyber1024-90s/m4fstack/ntt.c delete mode 120000 crypto_kem/kyber1024-90s/m4fstack/ntt.h delete mode 120000 crypto_kem/kyber1024-90s/m4fstack/params.h delete mode 120000 crypto_kem/kyber1024-90s/m4fstack/poly.c delete mode 120000 crypto_kem/kyber1024-90s/m4fstack/poly.h delete mode 120000 crypto_kem/kyber1024-90s/m4fstack/poly_asm.S delete mode 120000 crypto_kem/kyber1024-90s/m4fstack/polyvec.c delete mode 120000 
crypto_kem/kyber1024-90s/m4fstack/polyvec.h delete mode 120000 crypto_kem/kyber1024-90s/m4fstack/reduce.S delete mode 120000 crypto_kem/kyber1024-90s/m4fstack/symmetric.h delete mode 120000 crypto_kem/kyber1024-90s/m4fstack/verify.c delete mode 120000 crypto_kem/kyber1024-90s/m4fstack/verify.h delete mode 120000 crypto_kem/kyber512-90s/m4fspeed/aes256ctr.c delete mode 120000 crypto_kem/kyber512-90s/m4fspeed/aes256ctr.h delete mode 120000 crypto_kem/kyber512-90s/m4fspeed/api.h delete mode 120000 crypto_kem/kyber512-90s/m4fspeed/cbd.c delete mode 120000 crypto_kem/kyber512-90s/m4fspeed/cbd.h delete mode 120000 crypto_kem/kyber512-90s/m4fspeed/fastaddsub.S delete mode 120000 crypto_kem/kyber512-90s/m4fspeed/fastbasemul.S delete mode 120000 crypto_kem/kyber512-90s/m4fspeed/fastinvntt.S delete mode 120000 crypto_kem/kyber512-90s/m4fspeed/fastntt.S delete mode 120000 crypto_kem/kyber512-90s/m4fspeed/indcpa.c delete mode 120000 crypto_kem/kyber512-90s/m4fspeed/indcpa.h delete mode 120000 crypto_kem/kyber512-90s/m4fspeed/kem.c delete mode 120000 crypto_kem/kyber512-90s/m4fspeed/macros.i delete mode 120000 crypto_kem/kyber512-90s/m4fspeed/matacc.c delete mode 120000 crypto_kem/kyber512-90s/m4fspeed/matacc.h delete mode 120000 crypto_kem/kyber512-90s/m4fspeed/matacc.i delete mode 120000 crypto_kem/kyber512-90s/m4fspeed/matacc_asm.S delete mode 120000 crypto_kem/kyber512-90s/m4fspeed/ntt.c delete mode 120000 crypto_kem/kyber512-90s/m4fspeed/ntt.h delete mode 120000 crypto_kem/kyber512-90s/m4fspeed/params.h delete mode 120000 crypto_kem/kyber512-90s/m4fspeed/poly.c delete mode 120000 crypto_kem/kyber512-90s/m4fspeed/poly.h delete mode 120000 crypto_kem/kyber512-90s/m4fspeed/poly_asm.S delete mode 120000 crypto_kem/kyber512-90s/m4fspeed/polyvec.c delete mode 120000 crypto_kem/kyber512-90s/m4fspeed/polyvec.h delete mode 120000 crypto_kem/kyber512-90s/m4fspeed/reduce.S delete mode 120000 crypto_kem/kyber512-90s/m4fspeed/symmetric.h delete mode 120000 
crypto_kem/kyber512-90s/m4fspeed/verify.c delete mode 120000 crypto_kem/kyber512-90s/m4fspeed/verify.h delete mode 120000 crypto_kem/kyber512-90s/m4fstack/aes256ctr.c delete mode 120000 crypto_kem/kyber512-90s/m4fstack/aes256ctr.h delete mode 120000 crypto_kem/kyber512-90s/m4fstack/api.h delete mode 120000 crypto_kem/kyber512-90s/m4fstack/cbd.c delete mode 120000 crypto_kem/kyber512-90s/m4fstack/cbd.h delete mode 120000 crypto_kem/kyber512-90s/m4fstack/fastaddsub.S delete mode 120000 crypto_kem/kyber512-90s/m4fstack/fastbasemul.S delete mode 120000 crypto_kem/kyber512-90s/m4fstack/fastinvntt.S delete mode 120000 crypto_kem/kyber512-90s/m4fstack/fastntt.S delete mode 120000 crypto_kem/kyber512-90s/m4fstack/indcpa.c delete mode 120000 crypto_kem/kyber512-90s/m4fstack/indcpa.h delete mode 120000 crypto_kem/kyber512-90s/m4fstack/kem.c delete mode 120000 crypto_kem/kyber512-90s/m4fstack/macros.i delete mode 120000 crypto_kem/kyber512-90s/m4fstack/matacc.c delete mode 120000 crypto_kem/kyber512-90s/m4fstack/matacc.h delete mode 120000 crypto_kem/kyber512-90s/m4fstack/matacc.i delete mode 120000 crypto_kem/kyber512-90s/m4fstack/matacc_asm.S delete mode 120000 crypto_kem/kyber512-90s/m4fstack/ntt.c delete mode 120000 crypto_kem/kyber512-90s/m4fstack/ntt.h delete mode 120000 crypto_kem/kyber512-90s/m4fstack/params.h delete mode 120000 crypto_kem/kyber512-90s/m4fstack/poly.c delete mode 120000 crypto_kem/kyber512-90s/m4fstack/poly.h delete mode 120000 crypto_kem/kyber512-90s/m4fstack/poly_asm.S delete mode 120000 crypto_kem/kyber512-90s/m4fstack/polyvec.c delete mode 120000 crypto_kem/kyber512-90s/m4fstack/polyvec.h delete mode 120000 crypto_kem/kyber512-90s/m4fstack/reduce.S delete mode 120000 crypto_kem/kyber512-90s/m4fstack/symmetric.h delete mode 120000 crypto_kem/kyber512-90s/m4fstack/verify.c delete mode 120000 crypto_kem/kyber512-90s/m4fstack/verify.h delete mode 100644 crypto_kem/kyber768-90s/m4fspeed/aes256ctr.c delete mode 100644 
crypto_kem/kyber768-90s/m4fspeed/aes256ctr.h delete mode 120000 crypto_kem/kyber768-90s/m4fspeed/api.h delete mode 120000 crypto_kem/kyber768-90s/m4fspeed/cbd.c delete mode 120000 crypto_kem/kyber768-90s/m4fspeed/cbd.h delete mode 120000 crypto_kem/kyber768-90s/m4fspeed/fastaddsub.S delete mode 120000 crypto_kem/kyber768-90s/m4fspeed/fastbasemul.S delete mode 120000 crypto_kem/kyber768-90s/m4fspeed/fastinvntt.S delete mode 120000 crypto_kem/kyber768-90s/m4fspeed/fastntt.S delete mode 120000 crypto_kem/kyber768-90s/m4fspeed/indcpa.c delete mode 120000 crypto_kem/kyber768-90s/m4fspeed/indcpa.h delete mode 120000 crypto_kem/kyber768-90s/m4fspeed/kem.c delete mode 120000 crypto_kem/kyber768-90s/m4fspeed/macros.i delete mode 100644 crypto_kem/kyber768-90s/m4fspeed/matacc.c delete mode 100644 crypto_kem/kyber768-90s/m4fspeed/matacc.h delete mode 120000 crypto_kem/kyber768-90s/m4fspeed/matacc.i delete mode 100644 crypto_kem/kyber768-90s/m4fspeed/matacc_asm.S delete mode 120000 crypto_kem/kyber768-90s/m4fspeed/ntt.c delete mode 120000 crypto_kem/kyber768-90s/m4fspeed/ntt.h delete mode 120000 crypto_kem/kyber768-90s/m4fspeed/params.h delete mode 120000 crypto_kem/kyber768-90s/m4fspeed/poly.c delete mode 120000 crypto_kem/kyber768-90s/m4fspeed/poly.h delete mode 120000 crypto_kem/kyber768-90s/m4fspeed/poly_asm.S delete mode 120000 crypto_kem/kyber768-90s/m4fspeed/polyvec.c delete mode 120000 crypto_kem/kyber768-90s/m4fspeed/polyvec.h delete mode 120000 crypto_kem/kyber768-90s/m4fspeed/reduce.S delete mode 100644 crypto_kem/kyber768-90s/m4fspeed/symmetric.h delete mode 120000 crypto_kem/kyber768-90s/m4fspeed/verify.c delete mode 120000 crypto_kem/kyber768-90s/m4fspeed/verify.h delete mode 120000 crypto_kem/kyber768-90s/m4fstack/aes256ctr.c delete mode 120000 crypto_kem/kyber768-90s/m4fstack/aes256ctr.h delete mode 120000 crypto_kem/kyber768-90s/m4fstack/api.h delete mode 120000 crypto_kem/kyber768-90s/m4fstack/cbd.c delete mode 120000 crypto_kem/kyber768-90s/m4fstack/cbd.h 
delete mode 120000 crypto_kem/kyber768-90s/m4fstack/fastaddsub.S
delete mode 120000 crypto_kem/kyber768-90s/m4fstack/fastbasemul.S
delete mode 120000 crypto_kem/kyber768-90s/m4fstack/fastinvntt.S
delete mode 120000 crypto_kem/kyber768-90s/m4fstack/fastntt.S
delete mode 120000 crypto_kem/kyber768-90s/m4fstack/indcpa.c
delete mode 120000 crypto_kem/kyber768-90s/m4fstack/indcpa.h
delete mode 120000 crypto_kem/kyber768-90s/m4fstack/kem.c
delete mode 120000 crypto_kem/kyber768-90s/m4fstack/macros.i
delete mode 100644 crypto_kem/kyber768-90s/m4fstack/matacc.c
delete mode 100644 crypto_kem/kyber768-90s/m4fstack/matacc.h
delete mode 120000 crypto_kem/kyber768-90s/m4fstack/matacc.i
delete mode 100644 crypto_kem/kyber768-90s/m4fstack/matacc_asm.S
delete mode 120000 crypto_kem/kyber768-90s/m4fstack/ntt.c
delete mode 120000 crypto_kem/kyber768-90s/m4fstack/ntt.h
delete mode 120000 crypto_kem/kyber768-90s/m4fstack/params.h
delete mode 120000 crypto_kem/kyber768-90s/m4fstack/poly.c
delete mode 120000 crypto_kem/kyber768-90s/m4fstack/poly.h
delete mode 120000 crypto_kem/kyber768-90s/m4fstack/poly_asm.S
delete mode 120000 crypto_kem/kyber768-90s/m4fstack/polyvec.c
delete mode 120000 crypto_kem/kyber768-90s/m4fstack/polyvec.h
delete mode 120000 crypto_kem/kyber768-90s/m4fstack/reduce.S
delete mode 120000 crypto_kem/kyber768-90s/m4fstack/symmetric.h
delete mode 120000 crypto_kem/kyber768-90s/m4fstack/verify.c
delete mode 120000 crypto_kem/kyber768-90s/m4fstack/verify.h
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/aes256ctr.c b/crypto_kem/kyber1024-90s/m4fspeed/aes256ctr.c
deleted file mode 120000
index d7413cfa..00000000
--- a/crypto_kem/kyber1024-90s/m4fspeed/aes256ctr.c
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768-90s/m4fspeed/aes256ctr.c
\ No newline at end of file
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/aes256ctr.h b/crypto_kem/kyber1024-90s/m4fspeed/aes256ctr.h
deleted file mode 120000
index 4b8193b8..00000000
--- a/crypto_kem/kyber1024-90s/m4fspeed/aes256ctr.h
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768-90s/m4fspeed/aes256ctr.h
\ No newline at end of file
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/api.h b/crypto_kem/kyber1024-90s/m4fspeed/api.h
deleted file mode 120000
index 35f9f710..00000000
--- a/crypto_kem/kyber1024-90s/m4fspeed/api.h
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber1024/m4fspeed/api.h
\ No newline at end of file
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/cbd.c b/crypto_kem/kyber1024-90s/m4fspeed/cbd.c
deleted file mode 120000
index 37d243ad..00000000
--- a/crypto_kem/kyber1024-90s/m4fspeed/cbd.c
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/cbd.c
\ No newline at end of file
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/cbd.h b/crypto_kem/kyber1024-90s/m4fspeed/cbd.h
deleted file mode 120000
index c00c0559..00000000
--- a/crypto_kem/kyber1024-90s/m4fspeed/cbd.h
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/cbd.h
\ No newline at end of file
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/fastaddsub.S b/crypto_kem/kyber1024-90s/m4fspeed/fastaddsub.S
deleted file mode 120000
index 462644bb..00000000
--- a/crypto_kem/kyber1024-90s/m4fspeed/fastaddsub.S
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/fastaddsub.S
\ No newline at end of file
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/fastbasemul.S b/crypto_kem/kyber1024-90s/m4fspeed/fastbasemul.S
deleted file mode 120000
index 7156a2a8..00000000
--- a/crypto_kem/kyber1024-90s/m4fspeed/fastbasemul.S
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/fastbasemul.S
\ No newline at end of file
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/fastinvntt.S b/crypto_kem/kyber1024-90s/m4fspeed/fastinvntt.S
deleted file mode 120000
index 38ea2e36..00000000
--- a/crypto_kem/kyber1024-90s/m4fspeed/fastinvntt.S
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/fastinvntt.S
\ No newline at end of file
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/fastntt.S b/crypto_kem/kyber1024-90s/m4fspeed/fastntt.S
deleted file mode 120000
index 6314b554..00000000
--- a/crypto_kem/kyber1024-90s/m4fspeed/fastntt.S
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/fastntt.S
\ No newline at end of file
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/indcpa.c b/crypto_kem/kyber1024-90s/m4fspeed/indcpa.c
deleted file mode 120000
index 04181f8d..00000000
--- a/crypto_kem/kyber1024-90s/m4fspeed/indcpa.c
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/indcpa.c
\ No newline at end of file
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/indcpa.h b/crypto_kem/kyber1024-90s/m4fspeed/indcpa.h
deleted file mode 120000
index 86639d83..00000000
--- a/crypto_kem/kyber1024-90s/m4fspeed/indcpa.h
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/indcpa.h
\ No newline at end of file
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/kem.c b/crypto_kem/kyber1024-90s/m4fspeed/kem.c
deleted file mode 120000
index fba83bf4..00000000
--- a/crypto_kem/kyber1024-90s/m4fspeed/kem.c
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/kem.c
\ No newline at end of file
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/macros.i b/crypto_kem/kyber1024-90s/m4fspeed/macros.i
deleted file mode 120000
index d184a0fa..00000000
--- a/crypto_kem/kyber1024-90s/m4fspeed/macros.i
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/macros.i
\ No newline at end of file
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/matacc.c b/crypto_kem/kyber1024-90s/m4fspeed/matacc.c
deleted file mode 120000
index 84bf5550..00000000
--- a/crypto_kem/kyber1024-90s/m4fspeed/matacc.c
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768-90s/m4fspeed/matacc.c
\ No newline at end of file
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/matacc.h b/crypto_kem/kyber1024-90s/m4fspeed/matacc.h
deleted file mode 120000
index 6cd6abe5..00000000
--- a/crypto_kem/kyber1024-90s/m4fspeed/matacc.h
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768-90s/m4fspeed/matacc.h
\ No newline at end of file
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/matacc.i b/crypto_kem/kyber1024-90s/m4fspeed/matacc.i
deleted file mode 120000
index e388a0ad..00000000
--- a/crypto_kem/kyber1024-90s/m4fspeed/matacc.i
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/matacc.i
\ No newline at end of file
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/matacc_asm.S b/crypto_kem/kyber1024-90s/m4fspeed/matacc_asm.S
deleted file mode 120000
index 8e6ccb39..00000000
--- a/crypto_kem/kyber1024-90s/m4fspeed/matacc_asm.S
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768-90s/m4fspeed/matacc_asm.S
\ No newline at end of file
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/ntt.c b/crypto_kem/kyber1024-90s/m4fspeed/ntt.c
deleted file mode 120000
index 21c83bdf..00000000
--- a/crypto_kem/kyber1024-90s/m4fspeed/ntt.c
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/ntt.c
\ No newline at end of file
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/ntt.h b/crypto_kem/kyber1024-90s/m4fspeed/ntt.h
deleted file mode 120000
index bd203902..00000000
--- a/crypto_kem/kyber1024-90s/m4fspeed/ntt.h
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/ntt.h
\ No newline at end of file
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/params.h b/crypto_kem/kyber1024-90s/m4fspeed/params.h
deleted file mode 120000
index 5d6db01e..00000000
--- a/crypto_kem/kyber1024-90s/m4fspeed/params.h
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber1024/m4fspeed/params.h
\ No newline at end of file
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/poly.c b/crypto_kem/kyber1024-90s/m4fspeed/poly.c
deleted file mode 120000
index ed549db6..00000000
--- a/crypto_kem/kyber1024-90s/m4fspeed/poly.c
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/poly.c
\ No newline at end of file
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/poly.h b/crypto_kem/kyber1024-90s/m4fspeed/poly.h
deleted file mode 120000
index 6f495407..00000000
--- a/crypto_kem/kyber1024-90s/m4fspeed/poly.h
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/poly.h
\ No newline at end of file
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/poly_asm.S b/crypto_kem/kyber1024-90s/m4fspeed/poly_asm.S
deleted file mode 120000
index 4424e11a..00000000
--- a/crypto_kem/kyber1024-90s/m4fspeed/poly_asm.S
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/poly_asm.S
\ No newline at end of file
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/polyvec.c b/crypto_kem/kyber1024-90s/m4fspeed/polyvec.c
deleted file mode 120000
index 0aedeeef..00000000
--- a/crypto_kem/kyber1024-90s/m4fspeed/polyvec.c
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/polyvec.c
\ No newline at end of file
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/polyvec.h b/crypto_kem/kyber1024-90s/m4fspeed/polyvec.h
deleted file mode 120000
index cee9bc6f..00000000
--- a/crypto_kem/kyber1024-90s/m4fspeed/polyvec.h
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/polyvec.h
\ No newline at end of file
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/reduce.S b/crypto_kem/kyber1024-90s/m4fspeed/reduce.S
deleted file mode 120000
index 0b00788a..00000000
--- a/crypto_kem/kyber1024-90s/m4fspeed/reduce.S
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/reduce.S
\ No newline at end of file
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/symmetric.h b/crypto_kem/kyber1024-90s/m4fspeed/symmetric.h
deleted file mode 120000
index 1c2c04a2..00000000
--- a/crypto_kem/kyber1024-90s/m4fspeed/symmetric.h
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768-90s/m4fspeed/symmetric.h
\ No newline at end of file
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/verify.c b/crypto_kem/kyber1024-90s/m4fspeed/verify.c
deleted file mode 120000
index 56596267..00000000
--- a/crypto_kem/kyber1024-90s/m4fspeed/verify.c
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/verify.c
\ No newline at end of file
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/verify.h b/crypto_kem/kyber1024-90s/m4fspeed/verify.h
deleted file mode 120000
index 72b107fb..00000000
--- a/crypto_kem/kyber1024-90s/m4fspeed/verify.h
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/verify.h
\ No newline at end of file
diff --git a/crypto_kem/kyber1024-90s/m4fstack/aes256ctr.c b/crypto_kem/kyber1024-90s/m4fstack/aes256ctr.c
deleted file mode 120000
index d7413cfa..00000000
--- a/crypto_kem/kyber1024-90s/m4fstack/aes256ctr.c
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768-90s/m4fspeed/aes256ctr.c
\ No newline at end of file
diff --git a/crypto_kem/kyber1024-90s/m4fstack/aes256ctr.h b/crypto_kem/kyber1024-90s/m4fstack/aes256ctr.h
deleted file mode 120000
index 4b8193b8..00000000
--- a/crypto_kem/kyber1024-90s/m4fstack/aes256ctr.h
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768-90s/m4fspeed/aes256ctr.h
\ No newline at end of file
diff --git a/crypto_kem/kyber1024-90s/m4fstack/api.h b/crypto_kem/kyber1024-90s/m4fstack/api.h
deleted file mode 120000
index 35f9f710..00000000
--- a/crypto_kem/kyber1024-90s/m4fstack/api.h
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber1024/m4fspeed/api.h
\ No newline at end of file
diff --git a/crypto_kem/kyber1024-90s/m4fstack/cbd.c b/crypto_kem/kyber1024-90s/m4fstack/cbd.c
deleted file mode 120000
index 37d243ad..00000000
--- a/crypto_kem/kyber1024-90s/m4fstack/cbd.c
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/cbd.c
\ No newline at end of file
diff --git a/crypto_kem/kyber1024-90s/m4fstack/cbd.h b/crypto_kem/kyber1024-90s/m4fstack/cbd.h
deleted file mode 120000
index c00c0559..00000000
--- a/crypto_kem/kyber1024-90s/m4fstack/cbd.h
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/cbd.h
\ No newline at end of file
diff --git a/crypto_kem/kyber1024-90s/m4fstack/fastaddsub.S b/crypto_kem/kyber1024-90s/m4fstack/fastaddsub.S
deleted file mode 120000
index 462644bb..00000000
--- a/crypto_kem/kyber1024-90s/m4fstack/fastaddsub.S
+++ /dev/null
@@ -1 +0,0 @@ -../../kyber768/m4fspeed/fastaddsub.S \ No newline at end of file diff --git a/crypto_kem/kyber1024-90s/m4fstack/fastbasemul.S b/crypto_kem/kyber1024-90s/m4fstack/fastbasemul.S deleted file mode 120000 index 7ba7f7e4..00000000 --- a/crypto_kem/kyber1024-90s/m4fstack/fastbasemul.S +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fstack/fastbasemul.S \ No newline at end of file diff --git a/crypto_kem/kyber1024-90s/m4fstack/fastinvntt.S b/crypto_kem/kyber1024-90s/m4fstack/fastinvntt.S deleted file mode 120000 index 8d3a7e52..00000000 --- a/crypto_kem/kyber1024-90s/m4fstack/fastinvntt.S +++ /dev/null @@ -1 +0,0 @@ -../../kyber1024/m4fstack/fastinvntt.S \ No newline at end of file diff --git a/crypto_kem/kyber1024-90s/m4fstack/fastntt.S b/crypto_kem/kyber1024-90s/m4fstack/fastntt.S deleted file mode 120000 index 6314b554..00000000 --- a/crypto_kem/kyber1024-90s/m4fstack/fastntt.S +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/fastntt.S \ No newline at end of file diff --git a/crypto_kem/kyber1024-90s/m4fstack/indcpa.c b/crypto_kem/kyber1024-90s/m4fstack/indcpa.c deleted file mode 120000 index 7d86b771..00000000 --- a/crypto_kem/kyber1024-90s/m4fstack/indcpa.c +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fstack/indcpa.c \ No newline at end of file diff --git a/crypto_kem/kyber1024-90s/m4fstack/indcpa.h b/crypto_kem/kyber1024-90s/m4fstack/indcpa.h deleted file mode 120000 index 86639d83..00000000 --- a/crypto_kem/kyber1024-90s/m4fstack/indcpa.h +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/indcpa.h \ No newline at end of file diff --git a/crypto_kem/kyber1024-90s/m4fstack/kem.c b/crypto_kem/kyber1024-90s/m4fstack/kem.c deleted file mode 120000 index fba83bf4..00000000 --- a/crypto_kem/kyber1024-90s/m4fstack/kem.c +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/kem.c \ No newline at end of file diff --git a/crypto_kem/kyber1024-90s/m4fstack/macros.i b/crypto_kem/kyber1024-90s/m4fstack/macros.i deleted file mode 120000 index 6e838919..00000000 
--- a/crypto_kem/kyber1024-90s/m4fstack/macros.i +++ /dev/null @@ -1 +0,0 @@ -../m4fspeed/macros.i \ No newline at end of file diff --git a/crypto_kem/kyber1024-90s/m4fstack/matacc.c b/crypto_kem/kyber1024-90s/m4fstack/matacc.c deleted file mode 120000 index b1cfe3c1..00000000 --- a/crypto_kem/kyber1024-90s/m4fstack/matacc.c +++ /dev/null @@ -1 +0,0 @@ -../../kyber768-90s/m4fstack/matacc.c \ No newline at end of file diff --git a/crypto_kem/kyber1024-90s/m4fstack/matacc.h b/crypto_kem/kyber1024-90s/m4fstack/matacc.h deleted file mode 120000 index f4274b16..00000000 --- a/crypto_kem/kyber1024-90s/m4fstack/matacc.h +++ /dev/null @@ -1 +0,0 @@ -../../kyber768-90s/m4fstack/matacc.h \ No newline at end of file diff --git a/crypto_kem/kyber1024-90s/m4fstack/matacc.i b/crypto_kem/kyber1024-90s/m4fstack/matacc.i deleted file mode 120000 index 3804c85d..00000000 --- a/crypto_kem/kyber1024-90s/m4fstack/matacc.i +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fstack/matacc.i \ No newline at end of file diff --git a/crypto_kem/kyber1024-90s/m4fstack/matacc_asm.S b/crypto_kem/kyber1024-90s/m4fstack/matacc_asm.S deleted file mode 120000 index c3f105c1..00000000 --- a/crypto_kem/kyber1024-90s/m4fstack/matacc_asm.S +++ /dev/null @@ -1 +0,0 @@ -../../kyber768-90s/m4fstack/matacc_asm.S \ No newline at end of file diff --git a/crypto_kem/kyber1024-90s/m4fstack/ntt.c b/crypto_kem/kyber1024-90s/m4fstack/ntt.c deleted file mode 120000 index 21c83bdf..00000000 --- a/crypto_kem/kyber1024-90s/m4fstack/ntt.c +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/ntt.c \ No newline at end of file diff --git a/crypto_kem/kyber1024-90s/m4fstack/ntt.h b/crypto_kem/kyber1024-90s/m4fstack/ntt.h deleted file mode 120000 index bd203902..00000000 --- a/crypto_kem/kyber1024-90s/m4fstack/ntt.h +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/ntt.h \ No newline at end of file 
diff --git a/crypto_kem/kyber1024-90s/m4fstack/params.h b/crypto_kem/kyber1024-90s/m4fstack/params.h deleted file mode 120000 index 5d6db01e..00000000 --- a/crypto_kem/kyber1024-90s/m4fstack/params.h +++ /dev/null @@ -1 +0,0 @@ -../../kyber1024/m4fspeed/params.h \ No newline at end of file diff --git a/crypto_kem/kyber1024-90s/m4fstack/poly.c b/crypto_kem/kyber1024-90s/m4fstack/poly.c deleted file mode 120000 index 209dba88..00000000 --- a/crypto_kem/kyber1024-90s/m4fstack/poly.c +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fstack/poly.c \ No newline at end of file diff --git a/crypto_kem/kyber1024-90s/m4fstack/poly.h b/crypto_kem/kyber1024-90s/m4fstack/poly.h deleted file mode 120000 index e02915ca..00000000 --- a/crypto_kem/kyber1024-90s/m4fstack/poly.h +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fstack/poly.h \ No newline at end of file diff --git a/crypto_kem/kyber1024-90s/m4fstack/poly_asm.S b/crypto_kem/kyber1024-90s/m4fstack/poly_asm.S deleted file mode 120000 index 9b529775..00000000 --- a/crypto_kem/kyber1024-90s/m4fstack/poly_asm.S +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fstack/poly_asm.S \ No newline at end of file diff --git a/crypto_kem/kyber1024-90s/m4fstack/polyvec.c b/crypto_kem/kyber1024-90s/m4fstack/polyvec.c deleted file mode 120000 index 0aedeeef..00000000 --- a/crypto_kem/kyber1024-90s/m4fstack/polyvec.c +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/polyvec.c \ No newline at end of file diff --git a/crypto_kem/kyber1024-90s/m4fstack/polyvec.h b/crypto_kem/kyber1024-90s/m4fstack/polyvec.h deleted file mode 120000 index cee9bc6f..00000000 --- a/crypto_kem/kyber1024-90s/m4fstack/polyvec.h +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/polyvec.h \ No newline at end of file diff --git a/crypto_kem/kyber1024-90s/m4fstack/reduce.S b/crypto_kem/kyber1024-90s/m4fstack/reduce.S deleted file mode 120000 index 0b00788a..00000000 --- a/crypto_kem/kyber1024-90s/m4fstack/reduce.S +++ /dev/null 
@@ -1 +0,0 @@ -../../kyber768/m4fspeed/reduce.S \ No newline at end of file diff --git a/crypto_kem/kyber1024-90s/m4fstack/symmetric.h b/crypto_kem/kyber1024-90s/m4fstack/symmetric.h deleted file mode 120000 index 1c2c04a2..00000000 --- a/crypto_kem/kyber1024-90s/m4fstack/symmetric.h +++ /dev/null @@ -1 +0,0 @@ -../../kyber768-90s/m4fspeed/symmetric.h \ No newline at end of file diff --git a/crypto_kem/kyber1024-90s/m4fstack/verify.c b/crypto_kem/kyber1024-90s/m4fstack/verify.c deleted file mode 120000 index 56596267..00000000 --- a/crypto_kem/kyber1024-90s/m4fstack/verify.c +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/verify.c \ No newline at end of file diff --git a/crypto_kem/kyber1024-90s/m4fstack/verify.h b/crypto_kem/kyber1024-90s/m4fstack/verify.h deleted file mode 120000 index 72b107fb..00000000 --- a/crypto_kem/kyber1024-90s/m4fstack/verify.h +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/verify.h \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fspeed/aes256ctr.c b/crypto_kem/kyber512-90s/m4fspeed/aes256ctr.c deleted file mode 120000 index d7413cfa..00000000 --- a/crypto_kem/kyber512-90s/m4fspeed/aes256ctr.c +++ /dev/null @@ -1 +0,0 @@ -../../kyber768-90s/m4fspeed/aes256ctr.c \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fspeed/aes256ctr.h b/crypto_kem/kyber512-90s/m4fspeed/aes256ctr.h deleted file mode 120000 index 4b8193b8..00000000 --- a/crypto_kem/kyber512-90s/m4fspeed/aes256ctr.h +++ /dev/null @@ -1 +0,0 @@ -../../kyber768-90s/m4fspeed/aes256ctr.h \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fspeed/api.h b/crypto_kem/kyber512-90s/m4fspeed/api.h deleted file mode 120000 index b5cb28ed..00000000 --- a/crypto_kem/kyber512-90s/m4fspeed/api.h +++ /dev/null @@ -1 +0,0 @@ -../../kyber512/m4fspeed/api.h \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fspeed/cbd.c b/crypto_kem/kyber512-90s/m4fspeed/cbd.c deleted file mode 120000 index e47a1c19..00000000 
--- a/crypto_kem/kyber512-90s/m4fspeed/cbd.c +++ /dev/null @@ -1 +0,0 @@ -../../kyber512/m4fspeed/cbd.c \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fspeed/cbd.h b/crypto_kem/kyber512-90s/m4fspeed/cbd.h deleted file mode 120000 index c817e33a..00000000 --- a/crypto_kem/kyber512-90s/m4fspeed/cbd.h +++ /dev/null @@ -1 +0,0 @@ -../../kyber512/m4fspeed/cbd.h \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fspeed/fastaddsub.S b/crypto_kem/kyber512-90s/m4fspeed/fastaddsub.S deleted file mode 120000 index 462644bb..00000000 --- a/crypto_kem/kyber512-90s/m4fspeed/fastaddsub.S +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/fastaddsub.S \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fspeed/fastbasemul.S b/crypto_kem/kyber512-90s/m4fspeed/fastbasemul.S deleted file mode 120000 index 7156a2a8..00000000 --- a/crypto_kem/kyber512-90s/m4fspeed/fastbasemul.S +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/fastbasemul.S \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fspeed/fastinvntt.S b/crypto_kem/kyber512-90s/m4fspeed/fastinvntt.S deleted file mode 120000 index 38ea2e36..00000000 --- a/crypto_kem/kyber512-90s/m4fspeed/fastinvntt.S +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/fastinvntt.S \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fspeed/fastntt.S b/crypto_kem/kyber512-90s/m4fspeed/fastntt.S deleted file mode 120000 index 6314b554..00000000 --- a/crypto_kem/kyber512-90s/m4fspeed/fastntt.S +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/fastntt.S \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fspeed/indcpa.c b/crypto_kem/kyber512-90s/m4fspeed/indcpa.c deleted file mode 120000 index 024ac9eb..00000000 --- a/crypto_kem/kyber512-90s/m4fspeed/indcpa.c +++ /dev/null @@ -1 +0,0 @@ -../../kyber512/m4fspeed/indcpa.c \ No newline at end of file 
diff --git a/crypto_kem/kyber512-90s/m4fspeed/indcpa.h b/crypto_kem/kyber512-90s/m4fspeed/indcpa.h deleted file mode 120000 index 86639d83..00000000 --- a/crypto_kem/kyber512-90s/m4fspeed/indcpa.h +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/indcpa.h \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fspeed/kem.c b/crypto_kem/kyber512-90s/m4fspeed/kem.c deleted file mode 120000 index fba83bf4..00000000 --- a/crypto_kem/kyber512-90s/m4fspeed/kem.c +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/kem.c \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fspeed/macros.i b/crypto_kem/kyber512-90s/m4fspeed/macros.i deleted file mode 120000 index d184a0fa..00000000 --- a/crypto_kem/kyber512-90s/m4fspeed/macros.i +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/macros.i \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fspeed/matacc.c b/crypto_kem/kyber512-90s/m4fspeed/matacc.c deleted file mode 120000 index 84bf5550..00000000 --- a/crypto_kem/kyber512-90s/m4fspeed/matacc.c +++ /dev/null @@ -1 +0,0 @@ -../../kyber768-90s/m4fspeed/matacc.c \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fspeed/matacc.h b/crypto_kem/kyber512-90s/m4fspeed/matacc.h deleted file mode 120000 index 6cd6abe5..00000000 --- a/crypto_kem/kyber512-90s/m4fspeed/matacc.h +++ /dev/null @@ -1 +0,0 @@ -../../kyber768-90s/m4fspeed/matacc.h \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fspeed/matacc.i b/crypto_kem/kyber512-90s/m4fspeed/matacc.i deleted file mode 120000 index e388a0ad..00000000 --- a/crypto_kem/kyber512-90s/m4fspeed/matacc.i +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/matacc.i \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fspeed/matacc_asm.S b/crypto_kem/kyber512-90s/m4fspeed/matacc_asm.S deleted file mode 120000 index 8e6ccb39..00000000 --- a/crypto_kem/kyber512-90s/m4fspeed/matacc_asm.S +++ /dev/null 
@@ -1 +0,0 @@ -../../kyber768-90s/m4fspeed/matacc_asm.S \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fspeed/ntt.c b/crypto_kem/kyber512-90s/m4fspeed/ntt.c deleted file mode 120000 index 21c83bdf..00000000 --- a/crypto_kem/kyber512-90s/m4fspeed/ntt.c +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/ntt.c \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fspeed/ntt.h b/crypto_kem/kyber512-90s/m4fspeed/ntt.h deleted file mode 120000 index bd203902..00000000 --- a/crypto_kem/kyber512-90s/m4fspeed/ntt.h +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/ntt.h \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fspeed/params.h b/crypto_kem/kyber512-90s/m4fspeed/params.h deleted file mode 120000 index fa4f5338..00000000 --- a/crypto_kem/kyber512-90s/m4fspeed/params.h +++ /dev/null @@ -1 +0,0 @@ -../../kyber512/m4fspeed/params.h \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fspeed/poly.c b/crypto_kem/kyber512-90s/m4fspeed/poly.c deleted file mode 120000 index de46a5b5..00000000 --- a/crypto_kem/kyber512-90s/m4fspeed/poly.c +++ /dev/null @@ -1 +0,0 @@ -../../kyber512/m4fspeed/poly.c \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fspeed/poly.h b/crypto_kem/kyber512-90s/m4fspeed/poly.h deleted file mode 120000 index f4a411b6..00000000 --- a/crypto_kem/kyber512-90s/m4fspeed/poly.h +++ /dev/null @@ -1 +0,0 @@ -../../kyber512/m4fspeed/poly.h \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fspeed/poly_asm.S b/crypto_kem/kyber512-90s/m4fspeed/poly_asm.S deleted file mode 120000 index e0377ff5..00000000 --- a/crypto_kem/kyber512-90s/m4fspeed/poly_asm.S +++ /dev/null @@ -1 +0,0 @@ -../../kyber768-90s/m4fspeed/poly_asm.S \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fspeed/polyvec.c b/crypto_kem/kyber512-90s/m4fspeed/polyvec.c deleted file mode 120000 index 0aedeeef..00000000 --- a/crypto_kem/kyber512-90s/m4fspeed/polyvec.c +++ /dev/null 
@@ -1 +0,0 @@ -../../kyber768/m4fspeed/polyvec.c \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fspeed/polyvec.h b/crypto_kem/kyber512-90s/m4fspeed/polyvec.h deleted file mode 120000 index cee9bc6f..00000000 --- a/crypto_kem/kyber512-90s/m4fspeed/polyvec.h +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/polyvec.h \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fspeed/reduce.S b/crypto_kem/kyber512-90s/m4fspeed/reduce.S deleted file mode 120000 index 0b00788a..00000000 --- a/crypto_kem/kyber512-90s/m4fspeed/reduce.S +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/reduce.S \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fspeed/symmetric.h b/crypto_kem/kyber512-90s/m4fspeed/symmetric.h deleted file mode 120000 index 1c2c04a2..00000000 --- a/crypto_kem/kyber512-90s/m4fspeed/symmetric.h +++ /dev/null @@ -1 +0,0 @@ -../../kyber768-90s/m4fspeed/symmetric.h \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fspeed/verify.c b/crypto_kem/kyber512-90s/m4fspeed/verify.c deleted file mode 120000 index 56596267..00000000 --- a/crypto_kem/kyber512-90s/m4fspeed/verify.c +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/verify.c \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fspeed/verify.h b/crypto_kem/kyber512-90s/m4fspeed/verify.h deleted file mode 120000 index 72b107fb..00000000 --- a/crypto_kem/kyber512-90s/m4fspeed/verify.h +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/verify.h \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fstack/aes256ctr.c b/crypto_kem/kyber512-90s/m4fstack/aes256ctr.c deleted file mode 120000 index d7413cfa..00000000 --- a/crypto_kem/kyber512-90s/m4fstack/aes256ctr.c +++ /dev/null @@ -1 +0,0 @@ -../../kyber768-90s/m4fspeed/aes256ctr.c \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fstack/aes256ctr.h b/crypto_kem/kyber512-90s/m4fstack/aes256ctr.h deleted file mode 120000 index 4b8193b8..00000000 
--- a/crypto_kem/kyber512-90s/m4fstack/aes256ctr.h +++ /dev/null @@ -1 +0,0 @@ -../../kyber768-90s/m4fspeed/aes256ctr.h \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fstack/api.h b/crypto_kem/kyber512-90s/m4fstack/api.h deleted file mode 120000 index b5cb28ed..00000000 --- a/crypto_kem/kyber512-90s/m4fstack/api.h +++ /dev/null @@ -1 +0,0 @@ -../../kyber512/m4fspeed/api.h \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fstack/cbd.c b/crypto_kem/kyber512-90s/m4fstack/cbd.c deleted file mode 120000 index e47a1c19..00000000 --- a/crypto_kem/kyber512-90s/m4fstack/cbd.c +++ /dev/null @@ -1 +0,0 @@ -../../kyber512/m4fspeed/cbd.c \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fstack/cbd.h b/crypto_kem/kyber512-90s/m4fstack/cbd.h deleted file mode 120000 index c817e33a..00000000 --- a/crypto_kem/kyber512-90s/m4fstack/cbd.h +++ /dev/null @@ -1 +0,0 @@ -../../kyber512/m4fspeed/cbd.h \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fstack/fastaddsub.S b/crypto_kem/kyber512-90s/m4fstack/fastaddsub.S deleted file mode 120000 index 462644bb..00000000 --- a/crypto_kem/kyber512-90s/m4fstack/fastaddsub.S +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/fastaddsub.S \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fstack/fastbasemul.S b/crypto_kem/kyber512-90s/m4fstack/fastbasemul.S deleted file mode 120000 index 7ba7f7e4..00000000 --- a/crypto_kem/kyber512-90s/m4fstack/fastbasemul.S +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fstack/fastbasemul.S \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fstack/fastinvntt.S b/crypto_kem/kyber512-90s/m4fstack/fastinvntt.S deleted file mode 120000 index 0ebaf18e..00000000 --- a/crypto_kem/kyber512-90s/m4fstack/fastinvntt.S +++ /dev/null @@ -1 +0,0 @@ -../../kyber512/m4fstack/fastinvntt.S \ No newline at end of file 
diff --git a/crypto_kem/kyber512-90s/m4fstack/fastntt.S b/crypto_kem/kyber512-90s/m4fstack/fastntt.S deleted file mode 120000 index 6314b554..00000000 --- a/crypto_kem/kyber512-90s/m4fstack/fastntt.S +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/fastntt.S \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fstack/indcpa.c b/crypto_kem/kyber512-90s/m4fstack/indcpa.c deleted file mode 120000 index 87420787..00000000 --- a/crypto_kem/kyber512-90s/m4fstack/indcpa.c +++ /dev/null @@ -1 +0,0 @@ -../../kyber512/m4fstack/indcpa.c \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fstack/indcpa.h b/crypto_kem/kyber512-90s/m4fstack/indcpa.h deleted file mode 120000 index 86639d83..00000000 --- a/crypto_kem/kyber512-90s/m4fstack/indcpa.h +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/indcpa.h \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fstack/kem.c b/crypto_kem/kyber512-90s/m4fstack/kem.c deleted file mode 120000 index fba83bf4..00000000 --- a/crypto_kem/kyber512-90s/m4fstack/kem.c +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/kem.c \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fstack/macros.i b/crypto_kem/kyber512-90s/m4fstack/macros.i deleted file mode 120000 index d184a0fa..00000000 --- a/crypto_kem/kyber512-90s/m4fstack/macros.i +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/macros.i \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fstack/matacc.c b/crypto_kem/kyber512-90s/m4fstack/matacc.c deleted file mode 120000 index b1cfe3c1..00000000 --- a/crypto_kem/kyber512-90s/m4fstack/matacc.c +++ /dev/null @@ -1 +0,0 @@ -../../kyber768-90s/m4fstack/matacc.c \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fstack/matacc.h b/crypto_kem/kyber512-90s/m4fstack/matacc.h deleted file mode 120000 index f4274b16..00000000 --- a/crypto_kem/kyber512-90s/m4fstack/matacc.h +++ /dev/null 
@@ -1 +0,0 @@ -../../kyber768-90s/m4fstack/matacc.h \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fstack/matacc.i b/crypto_kem/kyber512-90s/m4fstack/matacc.i deleted file mode 120000 index fb867f14..00000000 --- a/crypto_kem/kyber512-90s/m4fstack/matacc.i +++ /dev/null @@ -1 +0,0 @@ -../../kyber768-90s/m4fstack/matacc.i \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fstack/matacc_asm.S b/crypto_kem/kyber512-90s/m4fstack/matacc_asm.S deleted file mode 120000 index c3f105c1..00000000 --- a/crypto_kem/kyber512-90s/m4fstack/matacc_asm.S +++ /dev/null @@ -1 +0,0 @@ -../../kyber768-90s/m4fstack/matacc_asm.S \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fstack/ntt.c b/crypto_kem/kyber512-90s/m4fstack/ntt.c deleted file mode 120000 index 812f843b..00000000 --- a/crypto_kem/kyber512-90s/m4fstack/ntt.c +++ /dev/null @@ -1 +0,0 @@ -../../kyber768-90s/m4fspeed/ntt.c \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fstack/ntt.h b/crypto_kem/kyber512-90s/m4fstack/ntt.h deleted file mode 120000 index 67b48eb7..00000000 --- a/crypto_kem/kyber512-90s/m4fstack/ntt.h +++ /dev/null @@ -1 +0,0 @@ -../../kyber768-90s/m4fspeed/ntt.h \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fstack/params.h b/crypto_kem/kyber512-90s/m4fstack/params.h deleted file mode 120000 index fa4f5338..00000000 --- a/crypto_kem/kyber512-90s/m4fstack/params.h +++ /dev/null @@ -1 +0,0 @@ -../../kyber512/m4fspeed/params.h \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fstack/poly.c b/crypto_kem/kyber512-90s/m4fstack/poly.c deleted file mode 120000 index 645f8c91..00000000 --- a/crypto_kem/kyber512-90s/m4fstack/poly.c +++ /dev/null @@ -1 +0,0 @@ -../../kyber512/m4fstack/poly.c \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fstack/poly.h b/crypto_kem/kyber512-90s/m4fstack/poly.h deleted file mode 120000 index db24efb8..00000000 
--- a/crypto_kem/kyber512-90s/m4fstack/poly.h +++ /dev/null @@ -1 +0,0 @@ -../../kyber512/m4fstack/poly.h \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fstack/poly_asm.S b/crypto_kem/kyber512-90s/m4fstack/poly_asm.S deleted file mode 120000 index 3e764454..00000000 --- a/crypto_kem/kyber512-90s/m4fstack/poly_asm.S +++ /dev/null @@ -1 +0,0 @@ -../../kyber768-90s/m4fstack/poly_asm.S \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fstack/polyvec.c b/crypto_kem/kyber512-90s/m4fstack/polyvec.c deleted file mode 120000 index 0aedeeef..00000000 --- a/crypto_kem/kyber512-90s/m4fstack/polyvec.c +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/polyvec.c \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fstack/polyvec.h b/crypto_kem/kyber512-90s/m4fstack/polyvec.h deleted file mode 120000 index cee9bc6f..00000000 --- a/crypto_kem/kyber512-90s/m4fstack/polyvec.h +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/polyvec.h \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fstack/reduce.S b/crypto_kem/kyber512-90s/m4fstack/reduce.S deleted file mode 120000 index 0b00788a..00000000 --- a/crypto_kem/kyber512-90s/m4fstack/reduce.S +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/reduce.S \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fstack/symmetric.h b/crypto_kem/kyber512-90s/m4fstack/symmetric.h deleted file mode 120000 index 1c2c04a2..00000000 --- a/crypto_kem/kyber512-90s/m4fstack/symmetric.h +++ /dev/null @@ -1 +0,0 @@ -../../kyber768-90s/m4fspeed/symmetric.h \ No newline at end of file diff --git a/crypto_kem/kyber512-90s/m4fstack/verify.c b/crypto_kem/kyber512-90s/m4fstack/verify.c deleted file mode 120000 index 56596267..00000000 --- a/crypto_kem/kyber512-90s/m4fstack/verify.c +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/verify.c \ No newline at end of file 
diff --git a/crypto_kem/kyber512-90s/m4fstack/verify.h b/crypto_kem/kyber512-90s/m4fstack/verify.h
deleted file mode 120000
index 72b107fb..00000000
--- a/crypto_kem/kyber512-90s/m4fstack/verify.h
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/verify.h
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fspeed/aes256ctr.c b/crypto_kem/kyber768-90s/m4fspeed/aes256ctr.c
deleted file mode 100644
index 35e5be84..00000000
--- a/crypto_kem/kyber768-90s/m4fspeed/aes256ctr.c
+++ /dev/null
@@ -1,96 +0,0 @@
-#include "aes256ctr.h"
-#include "aes.h"
-#include "aes-publicinputs.h"
-#include
-#include
-#include
-
-static inline void br_enc32be(unsigned char *dst, uint32_t x) {
- dst[3] = (unsigned char)x;
- dst[2] = (unsigned char)(x >> 8);
- dst[1] = (unsigned char)(x >> 16);
- dst[0] = (unsigned char)(x >> 24);
-}
-
-static void aes256_ctr_xof(unsigned char *out, size_t outlen, const unsigned char *iv, uint32_t ctr, const aes256ctx_publicinputs *ctx) {
- uint8_t ivw[16];
- uint8_t buf[AES_BLOCKBYTES];
- size_t i;
-
- memcpy(ivw, iv, AESCTR_NONCEBYTES);
- br_enc32be(ivw + AESCTR_NONCEBYTES, ctr);
-
- while (outlen > AES_BLOCKBYTES) {
- aes256_ecb_publicinputs(out, ivw, 1, ctx);
- br_enc32be(ivw + AESCTR_NONCEBYTES, ++ctr);
- out += AES_BLOCKBYTES;
- outlen -= AES_BLOCKBYTES;
- }
- if (outlen > 0) {
- aes256_ecb_publicinputs(buf, ivw, 1, ctx);
- for (i = 0; i < outlen; i++) {
- out[i] = buf[i];
- }
- }
-}
-
-/*************************************************
-* Name: aes256_prf
-*
-* Description: AES256 stream generation in CTR mode using 32-bit counter,
-* nonce is zero-padded to 12 bytes, counter starts at zero
-*
-* Arguments: - uint8_t *output: pointer to output
-* - size_t outlen: length of requested output in bytes
-* - const uint8_t *key: pointer to 32-byte key
-* - uint8_t nonce: 1-byte nonce (will be zero-padded to 12 bytes)
-**************************************************/
-void aes256_prf(uint8_t *output, size_t outlen, const uint8_t *key, uint8_t nonce) {
- uint8_t iv[12];
- for (int i = 1; i < 12; i++) {
- iv[i] = 0;
- }
- iv[0] = nonce;
-
- aes256ctx ctx;
- aes256_ctr_keyexp(&ctx, key);
- aes256_ctr(output, outlen, iv, &ctx);
- aes256_ctx_release(&ctx);
-}
-
-/*************************************************
-* Name: aes256xof_absorb
-*
-* Description: AES256 CTR used as a replacement for a XOF; this function
-* "absorbs" a 32-byte key and two additional bytes that are zero-padded
-* to a 12-byte nonce
-*
-* Arguments: - aes256xof_ctx 
*s: pointer to state to "absorb" key and IV into
-* - const uint8_t *key: pointer to 32-byte key
-* - uint8_t x: first additional byte to "absorb"
-* - uint8_t y: second additional byte to "absorb"
-**************************************************/
-void aes256xof_absorb(aes256xof_ctx *s, const uint8_t *key, uint8_t x, uint8_t y) {
- aes256_ctr_keyexp_publicinputs(&s->sk_exp, key);
- for (int i = 2; i < 12; i++) {
- s->iv[i] = 0;
- }
- s->iv[0] = x;
- s->iv[1] = y;
- s->ctr = 0;
-}
-
-/*************************************************
-* Name: aes256xof_squeezeblocks
-*
-* Description: AES256 CTR used as a replacement for a XOF; this function
-* generates 4 blocks out AES256-CTR output
-*
-* Arguments: - uint8_t *out: pointer to output
-* - size_t nblocks: number of reqested 64-byte output blocks
-* - aes256xof_ctx *s: AES "state", i.e. expanded key and IV
-**************************************************/
-void aes256xof_squeezeblocks(uint8_t *out, size_t nblocks, aes256xof_ctx *s) {
- aes256_ctr_xof(out, nblocks * 64, s->iv, s->ctr, &s->sk_exp);
- s->ctr += 4 * nblocks;
-}
diff --git a/crypto_kem/kyber768-90s/m4fspeed/aes256ctr.h b/crypto_kem/kyber768-90s/m4fspeed/aes256ctr.h
deleted file mode 100644
index 6f596197..00000000
--- a/crypto_kem/kyber768-90s/m4fspeed/aes256ctr.h
+++ /dev/null
@@ -1,19 +0,0 @@
-#ifndef AES256CTR_H
-#define AES256CTR_H
-
-#include "aes-publicinputs.h"
-
-#include
-#include
-
-typedef struct {
- aes256ctx_publicinputs sk_exp;
- uint8_t iv[12];
- uint32_t ctr;
-} aes256xof_ctx;
-
-void aes256_prf(uint8_t *output, size_t outlen, const uint8_t *key, uint8_t nonce);
-void aes256xof_absorb(aes256xof_ctx *s, const uint8_t *key, uint8_t x, uint8_t y);
-void aes256xof_squeezeblocks(uint8_t *out, size_t nblocks, aes256xof_ctx *s);
-
-#endif
diff --git a/crypto_kem/kyber768-90s/m4fspeed/api.h b/crypto_kem/kyber768-90s/m4fspeed/api.h
deleted file mode 120000
index eb61c624..00000000
--- a/crypto_kem/kyber768-90s/m4fspeed/api.h
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/api.h
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fspeed/cbd.c b/crypto_kem/kyber768-90s/m4fspeed/cbd.c
deleted file mode 120000
index 37d243ad..00000000
--- a/crypto_kem/kyber768-90s/m4fspeed/cbd.c
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/cbd.c
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fspeed/cbd.h b/crypto_kem/kyber768-90s/m4fspeed/cbd.h
deleted file mode 120000
index c00c0559..00000000
--- a/crypto_kem/kyber768-90s/m4fspeed/cbd.h
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/cbd.h
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fspeed/fastaddsub.S b/crypto_kem/kyber768-90s/m4fspeed/fastaddsub.S
deleted file mode 120000
index 462644bb..00000000
--- a/crypto_kem/kyber768-90s/m4fspeed/fastaddsub.S
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/fastaddsub.S
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fspeed/fastbasemul.S b/crypto_kem/kyber768-90s/m4fspeed/fastbasemul.S
deleted file mode 120000
index 7156a2a8..00000000
--- a/crypto_kem/kyber768-90s/m4fspeed/fastbasemul.S
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/fastbasemul.S
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fspeed/fastinvntt.S b/crypto_kem/kyber768-90s/m4fspeed/fastinvntt.S
deleted file mode 120000
index 38ea2e36..00000000
--- a/crypto_kem/kyber768-90s/m4fspeed/fastinvntt.S
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/fastinvntt.S
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fspeed/fastntt.S b/crypto_kem/kyber768-90s/m4fspeed/fastntt.S
deleted file mode 120000
index 6314b554..00000000
--- a/crypto_kem/kyber768-90s/m4fspeed/fastntt.S
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/fastntt.S
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fspeed/indcpa.c b/crypto_kem/kyber768-90s/m4fspeed/indcpa.c
deleted file mode 120000
index 04181f8d..00000000
--- a/crypto_kem/kyber768-90s/m4fspeed/indcpa.c
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/indcpa.c
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fspeed/indcpa.h b/crypto_kem/kyber768-90s/m4fspeed/indcpa.h
deleted file mode 120000
index 86639d83..00000000
--- a/crypto_kem/kyber768-90s/m4fspeed/indcpa.h
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/indcpa.h
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fspeed/kem.c b/crypto_kem/kyber768-90s/m4fspeed/kem.c
deleted file mode 120000
index fba83bf4..00000000
--- a/crypto_kem/kyber768-90s/m4fspeed/kem.c
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/kem.c
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fspeed/macros.i b/crypto_kem/kyber768-90s/m4fspeed/macros.i
deleted file mode 120000
index d184a0fa..00000000
--- a/crypto_kem/kyber768-90s/m4fspeed/macros.i
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/macros.i
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fspeed/matacc.c b/crypto_kem/kyber768-90s/m4fspeed/matacc.c
deleted file mode 100644
index 0e265874..00000000
--- a/crypto_kem/kyber768-90s/m4fspeed/matacc.c
+++ /dev/null
@@ -1,92 +0,0 @@
-#include "ntt.h"
-#include "poly.h"
-#include "polyvec.h"
-#include "symmetric.h"
-#include "matacc.h"
-
-void matacc_cache32(poly* r, const polyvec *b, polyvec *b_prime, unsigned char i, const unsigned char *seed, int transposed) {
- unsigned char buf[XOF_BLOCKBYTES+2];
- xof_state state;
- int16_t c[4];
- int32_t r_tmp[KYBER_N]; // stores intermediate accumulated values to save reductions
- int j = 0;
- unsigned int buflen;
-
- // 16-32
- buflen = XOF_BLOCKBYTES;
- if (transposed)
- xof_absorb(&state, seed, i, j);
- else
- xof_absorb(&state, seed, j, i);
-
- xof_squeezeblocks(buf, 1, &state);
-
- matacc_asm_cache_16_32(r_tmp, b->vec[j].coeffs, c, buf, zetas, &state, b_prime->vec[j].coeffs, &buflen);
-
- // 32-32 KYBER_K - 2 times
- for(j=1;jvec[j].coeffs, c, buf, zetas, &state, b_prime->vec[j].coeffs, &buflen);
- }
-
- // 32-16
- buflen = XOF_BLOCKBYTES;
- if (transposed)
- xof_absorb(&state, seed, i, j);
- else
- xof_absorb(&state, seed, j, i);
-
- xof_squeezeblocks(buf, 1, &state);
-
- matacc_asm_cache_32_16(r->coeffs, b->vec[j].coeffs, c, buf, zetas, &state, b_prime->vec[j].coeffs, r_tmp, &buflen);
-}
-
-void matacc_opt32(poly* r, const polyvec *b, const polyvec *b_prime, unsigned char i, const unsigned char *seed, int transposed) {
- unsigned char buf[XOF_BLOCKBYTES+2];
- xof_state state;
- int16_t c[4];
- int32_t r_tmp[KYBER_N]; // stores intermediate accumulated values to save reductions
- int j = 0;
- unsigned int buflen;
- // 16-32
- buflen = XOF_BLOCKBYTES;
- if (transposed)
- xof_absorb(&state, seed, i, j);
- else
- xof_absorb(&state, seed, j, i);
-
- xof_squeezeblocks(buf, 1, &state);
-
- matacc_asm_opt_16_32(r_tmp, b->vec[j].coeffs, c, buf, &state, b_prime->vec[j].coeffs, &buflen);
-
- // 32-32 KYBER_K - 2 times
- for(j=1;jvec[j].coeffs, c, buf, &state, b_prime->vec[j].coeffs, &buflen);
- }
-
- // 32-16
- buflen = XOF_BLOCKBYTES;
- if (transposed)
- xof_absorb(&state, seed, i, j);
- else
- xof_absorb(&state, seed, j, i);
-
- xof_squeezeblocks(buf, 1, &state);
-
- matacc_asm_opt_32_16(r->coeffs, b->vec[j].coeffs, c, buf, &state, b_prime->vec[j].coeffs, r_tmp, &buflen);
-}
diff --git a/crypto_kem/kyber768-90s/m4fspeed/matacc.h b/crypto_kem/kyber768-90s/m4fspeed/matacc.h
deleted file mode 100644
index 6d7127af..00000000
--- a/crypto_kem/kyber768-90s/m4fspeed/matacc.h
+++ /dev/null
@@ -1,63 +0,0 @@
-#ifndef MATACC_H
-#define MATACC_H
-#include "poly.h"
-#include "polyvec.h"
-#include "symmetric.h"
-
-extern void matacc_asm_cache_16_32(int32_t *r_tmp, const int16_t *b, int16_t c[4], unsigned char buf[XOF_BLOCKBYTES+2], const int32_t zetas[64], xof_state *state, int16_t *aprimeptr, unsigned int *buflen);
-static inline void _matacc_asm_cache_16_32(int32_t *r_tmp, const int16_t *b, int16_t c[4], unsigned char buf[XOF_BLOCKBYTES+2], const int32_t _zetas[64], xof_state *state, int16_t *aprimeptr, unsigned int *buflen)
-{
- // floating point registers clobbered by assembly function
- asm volatile("" : : : "s16", "s17", "s18", "s19", "s20", "s21", "s22", "s23", "s26", "s27", "s28", "s29");
- matacc_asm_cache_16_32(r_tmp, b, c, buf, _zetas, state, aprimeptr, buflen);
-}
-#define matacc_asm_cache_16_32 _matacc_asm_cache_16_32
-
-extern void matacc_asm_cache_32_32(int32_t *r_tmp, const int16_t *b, int16_t c[4], unsigned char buf[XOF_BLOCKBYTES+2], const int32_t zetas[64], xof_state *state, int16_t *aprimeptr, unsigned int *buflen);
-static inline void _matacc_asm_cache_32_32(int32_t *r_tmp, const int16_t *b, int16_t c[4], unsigned char buf[XOF_BLOCKBYTES+2], const int32_t _zetas[64], xof_state *state, int16_t *aprimeptr, unsigned int *buflen)
-{
- // floating point registers clobbered by assembly function
- asm volatile("" : : : "s16", "s17", "s18", "s19", "s20", "s21", "s22", "s23", "s26", "s27", "s28", "s29");
- matacc_asm_cache_32_32(r_tmp, b, c, buf, _zetas, state, aprimeptr, buflen);
-}
-#define matacc_asm_cache_32_32 _matacc_asm_cache_32_32
-
-extern void matacc_asm_cache_32_16(int16_t *r, const int16_t *b, int16_t c[4], unsigned char buf[XOF_BLOCKBYTES+2], const int32_t zetas[64], xof_state *state, int16_t *aprimeptr, int32_t *r_tmp, unsigned int *buflen);
-static inline void _matacc_asm_cache_32_16(int16_t *r, const int16_t *b, int16_t c[4], unsigned char buf[XOF_BLOCKBYTES+2], const int32_t _zetas[64], xof_state *state, int16_t *aprimeptr, int32_t *r_tmp, unsigned int *buflen)
-{
- // floating point registers clobbered by assembly function
- asm volatile("" : : : "s16", "s17", "s18", "s19", "s20", "s21", "s22", "s23", "s26", "s27", "s28", "s29");
- matacc_asm_cache_32_16(r, b, c, buf, _zetas, state, aprimeptr, r_tmp, buflen);
-}
-#define matacc_asm_cache_32_16 _matacc_asm_cache_32_16
-
-extern void matacc_asm_opt_16_32(int32_t *r_tmp, const int16_t *b, int16_t c[4], unsigned char buf[XOF_BLOCKBYTES+2], xof_state *state, const int16_t *aprimeptr, unsigned int *buflen);
-static inline void _matacc_asm_opt_16_32(int32_t *r_tmp, const int16_t *b, int16_t c[4], unsigned char buf[XOF_BLOCKBYTES+2], xof_state *state, const int16_t *aprimeptr, unsigned int *buflen)
-{
- // floating point registers clobbered by assembly function
- asm volatile("" : : : "s16", "s17", "s18", "s19", "s20", "s21", "s22", "s23", "s26", "s27", "s28", "s29");
- matacc_asm_opt_16_32(r_tmp, b, c, buf, state, aprimeptr, buflen);
-}
-#define matacc_asm_opt_16_32 _matacc_asm_opt_16_32
-
-extern void matacc_asm_opt_32_32(int32_t *r_tmp, const int16_t *b, int16_t c[4], unsigned char buf[XOF_BLOCKBYTES+2], xof_state *state, const int16_t *aprimeptr, unsigned int *buflen);
-static inline void _matacc_asm_opt_32_32(int32_t *r_tmp, const int16_t *b, int16_t c[4], unsigned char buf[XOF_BLOCKBYTES+2], xof_state *state, const int16_t *aprimeptr, unsigned int *buflen)
-{
- // floating point registers clobbered by assembly function
- asm volatile("" : : : "s16", "s17", "s18", "s19", "s20", "s21", "s22", "s23", "s26", "s27", "s28", "s29");
- matacc_asm_opt_32_32(r_tmp, b, c, buf, state, aprimeptr, buflen);
-}
-#define matacc_asm_opt_32_32 _matacc_asm_opt_32_32
-
-extern void matacc_asm_opt_32_16(int16_t *r, const int16_t *b, int16_t c[4], unsigned char buf[XOF_BLOCKBYTES+2], xof_state *state, const int16_t *aprimeptr, int32_t *r_tmp, unsigned int *buflen);
-static inline void _matacc_asm_opt_32_16(int16_t *r, const int16_t *b, int16_t c[4], unsigned char buf[XOF_BLOCKBYTES+2], xof_state *state, const int16_t *aprimeptr, int32_t *r_tmp, unsigned int *buflen)
-{
- // floating point registers clobbered by assembly function
- asm volatile("" : : : "s16", "s17", "s18", "s19", "s20", "s21", "s22", "s23", "s26", "s27", "s28", "s29");
- matacc_asm_opt_32_16(r, b, c, buf, state, aprimeptr, r_tmp, buflen);
-}
-#define matacc_asm_opt_32_16 _matacc_asm_opt_32_16
-
-void matacc_opt32(poly* r, const polyvec *b, const polyvec *b_prime, unsigned char i, const unsigned char *seed, int transposed);
-void matacc_cache32(poly* r, const polyvec *b, polyvec *b_prime, unsigned char i, const unsigned char *seed, int transposed);
-#endif
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fspeed/matacc.i b/crypto_kem/kyber768-90s/m4fspeed/matacc.i
deleted file mode 120000
index e388a0ad..00000000
--- a/crypto_kem/kyber768-90s/m4fspeed/matacc.i
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/matacc.i
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fspeed/matacc_asm.S b/crypto_kem/kyber768-90s/m4fspeed/matacc_asm.S
deleted file mode 100644
index a4fe78d6..00000000
--- a/crypto_kem/kyber768-90s/m4fspeed/matacc_asm.S
+++ /dev/null
@@ -1,403 +0,0 @@ -#include "matacc.i" -.extern aes256xof_squeezeblocks - -.syntax unified -.cpu cortex-m4 -.thumb - -// aes256xof_squeezeblocks into buffer if (almost) all bytes have been used -.macro update_buf_loop_finish tmp, tmp2, tmp3, val0, val1, bufptr, ctr, buflenval - // if (pos + 3 > buflen - vmov s23, \tmp3 - vmov \tmp2, \buflenval // get buflen value - vmov \tmp, s17 - sub \tmp3, \bufptr, \tmp // compute pos - add \tmp3, #3 // pos + 3 - cmp.w \tmp3, \tmp2 - ble.w 3f - // && ctr < KYBER_N/4) - cmp.w \ctr, #256/4 - bge.w 3f - // tmp = buffer start - // tmp2 = buffer end - add.w \tmp2, \tmp, \tmp2 // buffer start + buf len = last address of xof output byte - - // copy remaining bytes to start of buffer - ldr.w \tmp3, [\bufptr] - str.w \tmp3, [\tmp] - sub \tmp3, \tmp2, \bufptr - add.w \tmp, \tmp, \tmp3 - - // compute buflen - vmov \val0, s17 // get buf addr - sub \val0, tmp, \val0 - add.w \val0, #64 // XOF_BLOCKBYTES=64 - vmov \buflenval, \val0 - - vmov s18, r0 - vmov s19, r1 - vmov s20, r2 - vmov s21, r12 - vmov s22, lr - - mov.w r0, \tmp // buf + off implicitly after copying loop - mov r1, #1 - vmov r2, s26 // get state ptr - bl aes256xof_squeezeblocks - - vmov r0, s18 - vmov r1, s19 - vmov r2, s20 - vmov r12, s21 - vmov lr, s22 - // pos = 0; - vmov \bufptr, s17 // reset buffer pointer to start -> only after squeezeblocks - 3: - vmov \tmp3, s23 - cmp \ctr, #256/4 - blt.w 1b -.endm - -// void matacc_asm_cache_16_32(int32_t *r_tmp, const int16_t *b, int16_t c[4], unsigned char buf[XOF_BLOCKBYTES+2], const int16_t zetas[64], xof_state *state, int16_t *aprimeptr, unsigned int *buflen) -.global matacc_asm_cache_16_32 -.type matacc_asm_cache_16_32, %function -.align 2 -matacc_asm_cache_16_32: - push {r0-r11, r14} - rptr .req r0 - bptr .req r1 - cptr .req r2 - bufptr .req r3 - zetaptr .req r4 - val0 .req r5 - val1 .req r6 - tmp .req r7 - tmp2 .req r8 - k .req r9 - q .req r10 - qa .req r11 - qinv .req r12 - ctr .req r14 - - movw qa, #26632 - movw q, #3329 - ### 
qinv=0x6ba8f301 - movw qinv, #62209 - movt qinv, #27560 - movw k, #0 - - ldr.w zetaptr, [sp, #13*4] // load zetaptr from stack - ldr.w tmp, [sp, #14*4] // load state from stack - vmov s26, tmp - - ldr.w tmp, [sp, #15*4] // load aprimeptr from stack - vmov s27, tmp - - movw tmp2, #64 // XOF_BLOCKBYTES - vmov s29, tmp2 - - // outer while loop - movw ctr, #0 - vmov s17, bufptr // save bufptr to check later - 1: - - load_vals val0, val1, bufptr, tmp - - first_if doublebasemul_asm_cache_16_32, tmp, tmp2, val0, val1, rptr, bptr, cptr, bufptr, zetaptr, k, q, qa, qinv, ctr - - second_if doublebasemul_asm_cache_16_32, tmp, tmp2, val0, val1, rptr, bptr, cptr, bufptr, zetaptr, k, q, qa, qinv, ctr - - update_buf_loop_finish tmp, tmp2, k, val0, val1, bufptr, ctr, s29 - - pop {r0-r11, pc} -.size matacc_asm_cache_16_32, . - matacc_asm_cache_16_32 - -// void matacc_asm_cache_32_32(int32_t *r_tmp, const int16_t *b, int16_t c[4], unsigned char buf[XOF_BLOCKBYTES+2], const int16_t zetas[64], xof_state *state, int16_t *aprimeptr, unsigned int *buflen) -.global matacc_asm_cache_32_32 -.type matacc_asm_cache_32_32, %function -.align 2 -matacc_asm_cache_32_32: - push {r0-r11, r14} - rptr .req r0 - bptr .req r1 - cptr .req r2 - bufptr .req r3 - zetaptr .req r4 - val0 .req r5 - val1 .req r6 - tmp .req r7 - tmp2 .req r8 - k .req r9 - q .req r10 - qa .req r11 - qinv .req r12 - ctr .req r14 - - movw qa, #26632 - movw q, #3329 - ### qinv=0x6ba8f301 - movw qinv, #62209 - movt qinv, #27560 - movw k, #0 - - ldr.w zetaptr, [sp, #13*4] // load zetaptr from stack - ldr.w tmp, [sp, #14*4] // load state from stack - vmov s26, tmp - - ldr.w tmp, [sp, #15*4] // load aprimeptr from stack - vmov s27, tmp - - movw tmp2, #64 // XOF_BLOCKBYTES - vmov s29, tmp2 - - // outer while loop - movw ctr, #0 - vmov s17, bufptr // save bufptr to check later - 1: - - load_vals val0, val1, bufptr, tmp - - first_if doublebasemul_asm_acc_cache_32_32, tmp, tmp2, val0, val1, rptr, bptr, cptr, bufptr, zetaptr, k, q, qa, qinv, 
ctr - - second_if doublebasemul_asm_acc_cache_32_32, tmp, tmp2, val0, val1, rptr, bptr, cptr, bufptr, zetaptr, k, q, qa, qinv, ctr - - update_buf_loop_finish tmp, tmp2, k, val0, val1, bufptr, ctr, s29 - - pop {r0-r11, pc} -.size matacc_asm_cache_32_32, . - matacc_asm_cache_32_32 - -// void matacc_asm_cache_32_16(int16_t *r, const int16_t *b, int16_t c[4], unsigned char buf[XOF_BLOCKBYTES+2], const int16_t zetas[64], xof_state *state, int16_t *aprimeptr, const int32_t *r_tmp, unsigned int *buflen) -.global matacc_asm_cache_32_16 -.type matacc_asm_cache_32_16, %function -.align 2 -matacc_asm_cache_32_16: - push {r0-r11, r14} - rptr .req r0 - bptr .req r1 - cptr .req r2 - bufptr .req r3 - zetaptr .req r4 - val0 .req r5 - val1 .req r6 - tmp .req r7 - tmp2 .req r8 - k .req r9 - q .req r10 - qa .req r11 - qinv .req r12 - ctr .req r14 - - movw qa, #26632 - movw q, #3329 - ### qinv=0x6ba8f301 - movw qinv, #62209 - movt qinv, #27560 - movw k, #0 - - ldr.w zetaptr, [sp, #13*4] // load zetaptr from stack - - ldr.w tmp, [sp, #14*4] // load state from stack - vmov s26, tmp - - ldr.w tmp, [sp, #15*4] // load aprimeptr from stack - vmov s27, tmp - - vmov s28, rptr // store "real" destinaton in FP - vmov s29, rptr // backup - ldr.w rptr, [sp, #16*4] - - movw tmp2, #64 // XOF_BLOCKBYTES - vmov s16, tmp2 - - // outer while loop - movw ctr, #0 - vmov s17, bufptr // save bufptr to check later - 1: - - load_vals val0, val1, bufptr, tmp - - first_if doublebasemul_asm_acc_cache_32_16, tmp, tmp2, val0, val1, rptr, bptr, cptr, bufptr, zetaptr, k, q, qa, qinv, ctr - - second_if doublebasemul_asm_acc_cache_32_16, tmp, tmp2, val0, val1, rptr, bptr, cptr, bufptr, zetaptr, k, q, qa, qinv, ctr - - update_buf_loop_finish tmp, tmp2, k, val0, val1, bufptr, ctr, s16 - - vmov rptr, s29 - - pop {r0-r11, pc} -.size matacc_asm_cache_32_16, . 
- matacc_asm_cache_32_16 - -.unreq zetaptr - -// void matacc_asm_opt_16_32(int32_t *r_tmp, const int16_t *b, int16_t c[4], unsigned char buf[XOF_BLOCKBYTES+2], xof_state *state, const int16_t *aprimeptr, unsigned int *buflen) -.global matacc_asm_opt_16_32 -.type matacc_asm_opt_16_32, %function -.align 2 -matacc_asm_opt_16_32: - push {r0-r11, r14} - rptr .req r0 - bptr .req r1 - cptr .req r2 - bufptr .req r3 - tmp3 .req r4 - val0 .req r5 - val1 .req r6 - tmp .req r7 - tmp2 .req r8 - k .req r9 - q .req r10 - qa .req r11 - qinv .req r12 - ctr .req r14 - - movw qa, #26632 - movw q, #3329 - ### qinv=0x6ba8f301 - movw qinv, #62209 - movt qinv, #27560 - movw k, #0 - - ldr.w tmp, [sp, #13*4] // load state from stack - vmov s26, tmp - - ldr.w tmp, [sp, #14*4] // load aprimeptr from stack - vmov s27, tmp - - movw tmp2, #64 // XOF_BLOCKBYTES - vmov s29, tmp2 - - // outer while loop - movw ctr, #0 - vmov s17, bufptr // save bufptr to check later - 1: - - load_vals val0, val1, bufptr, tmp - - first_if doublebasemul_asm_opt_16_32, tmp, tmp2, val0, val1, rptr, bptr, cptr, bufptr, tmp3, k, q, qa, qinv, ctr - - second_if doublebasemul_asm_opt_16_32, tmp, tmp2, val0, val1, rptr, bptr, cptr, bufptr, tmp3, k, q, qa, qinv, ctr - - update_buf_loop_finish tmp, tmp2, k, val0, val1, bufptr, ctr, s29 - - pop {r0-r11, pc} -.size matacc_asm_opt_16_32, . 
- matacc_asm_opt_16_32 - -.unreq ctr -.unreq tmp -.unreq tmp2 - -// void matacc_asm_opt_32_32(int32_t *r_tmp, const int16_t *b, int16_t c[4], unsigned char buf[XOF_BLOCKBYTES+2], xof_state *state, const int16_t *aprimeptr, unsigned int *buflen) -.global matacc_asm_opt_32_32 -.type matacc_asm_opt_32_32, %function -.align 2 -matacc_asm_opt_32_32: - push {r0-r11, r14} - rptr .req r0 - bptr .req r1 - cptr .req r2 - bufptr .req r3 - tmp3 .req r4 - val0 .req r5 - val1 .req r6 - tmp .req r7 - tmp2 .req r8 - k .req r9 - q .req r10 - qa .req r11 - qinv .req r12 - ctr .req r14 - - movw qa, #26632 - movw q, #3329 - ### qinv=0x6ba8f301 - movw qinv, #62209 - movt qinv, #27560 - movw k, #0 - - ldr.w tmp, [sp, #13*4] // load state from stack - vmov s26, tmp - - ldr.w tmp, [sp, #14*4] // load aprimeptr from stack - vmov s27, tmp - - movw tmp2, #64 // XOF_BLOCKBYTES - vmov s29, tmp2 - - // outer while loop - movw ctr, #0 - vmov s17, bufptr // save bufptr to check later - 1: - - load_vals val0, val1, bufptr, tmp - - first_if doublebasemul_asm_acc_opt_32_32, tmp, tmp2, val0, val1, rptr, bptr, cptr, bufptr, tmp3, k, q, qa, qinv, ctr - - second_if doublebasemul_asm_acc_opt_32_32, tmp, tmp2, val0, val1, rptr, bptr, cptr, bufptr, tmp3, k, q, qa, qinv, ctr - - update_buf_loop_finish tmp, tmp2, k, val0, val1, bufptr, ctr, s29 - - pop {r0-r11, pc} -.size matacc_asm_opt_32_32, . 
- matacc_asm_opt_32_32 - -.unreq ctr -.unreq tmp -.unreq tmp2 - -// void matacc_asm_opt_32_16(int16_t *r, const int16_t *b, int16_t c[4], unsigned char buf[XOF_BLOCKBYTES+2], xof_state *state, const int16_t *aprimeptr, const int32_t *r_tmp, unsigned int *buflen) -.global matacc_asm_opt_32_16 -.type matacc_asm_opt_32_16, %function -.align 2 -matacc_asm_opt_32_16: - push {r0-r11, r14} - rptr .req r0 - bptr .req r1 - cptr .req r2 - bufptr .req r3 - tmp3 .req r4 - val0 .req r5 - val1 .req r6 - tmp .req r7 - tmp2 .req r8 - k .req r9 - q .req r10 - qa .req r11 - qinv .req r12 - ctr .req r14 - - movw qa, #26632 - movw q, #3329 - ### qinv=0x6ba8f301 - movw qinv, #62209 - movt qinv, #27560 - movw k, #0 - - ldr.w tmp, [sp, #13*4] // load state from stack - vmov s26, tmp - - ldr.w tmp, [sp, #14*4] // load aprimeptr from stack - vmov s27, tmp - - vmov s28, rptr // store "real" destinaton in FP - vmov s29, rptr // backup - ldr.w rptr, [sp, #15*4] - - movw tmp2, #64 // XOF_BLOCKBYTES - vmov s16, tmp2 - - // outer while loop - movw ctr, #0 - vmov s17, bufptr // save bufptr to check later - 1: - - load_vals val0, val1, bufptr, tmp - - first_if doublebasemul_asm_acc_opt_32_16, tmp, tmp2, val0, val1, rptr, bptr, cptr, bufptr, tmp3, k, q, qa, qinv, ctr - - second_if doublebasemul_asm_acc_opt_32_16, tmp, tmp2, val0, val1, rptr, bptr, cptr, bufptr, tmp3, k, q, qa, qinv, ctr - - update_buf_loop_finish tmp, tmp2, k, val0, val1, bufptr, ctr, s16 - - vmov rptr, s29 - - pop {r0-r11, pc} -.size matacc_asm_opt_32_16, . - matacc_asm_opt_32_16 \ No newline at end of file diff --git a/crypto_kem/kyber768-90s/m4fspeed/ntt.c b/crypto_kem/kyber768-90s/m4fspeed/ntt.c deleted file mode 120000 index 21c83bdf..00000000 --- a/crypto_kem/kyber768-90s/m4fspeed/ntt.c +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/ntt.c \ No newline at end of file diff --git a/crypto_kem/kyber768-90s/m4fspeed/ntt.h b/crypto_kem/kyber768-90s/m4fspeed/ntt.h deleted file mode 120000 index bd203902..00000000 
--- a/crypto_kem/kyber768-90s/m4fspeed/ntt.h
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/ntt.h
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fspeed/params.h b/crypto_kem/kyber768-90s/m4fspeed/params.h
deleted file mode 120000
index 1b04f0d7..00000000
--- a/crypto_kem/kyber768-90s/m4fspeed/params.h
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/params.h
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fspeed/poly.c b/crypto_kem/kyber768-90s/m4fspeed/poly.c
deleted file mode 120000
index ed549db6..00000000
--- a/crypto_kem/kyber768-90s/m4fspeed/poly.c
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/poly.c
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fspeed/poly.h b/crypto_kem/kyber768-90s/m4fspeed/poly.h
deleted file mode 120000
index 6f495407..00000000
--- a/crypto_kem/kyber768-90s/m4fspeed/poly.h
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/poly.h
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fspeed/poly_asm.S b/crypto_kem/kyber768-90s/m4fspeed/poly_asm.S
deleted file mode 120000
index 4424e11a..00000000
--- a/crypto_kem/kyber768-90s/m4fspeed/poly_asm.S
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/poly_asm.S
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fspeed/polyvec.c b/crypto_kem/kyber768-90s/m4fspeed/polyvec.c
deleted file mode 120000
index 0aedeeef..00000000
--- a/crypto_kem/kyber768-90s/m4fspeed/polyvec.c
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/polyvec.c
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fspeed/polyvec.h b/crypto_kem/kyber768-90s/m4fspeed/polyvec.h
deleted file mode 120000
index cee9bc6f..00000000
--- a/crypto_kem/kyber768-90s/m4fspeed/polyvec.h
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/polyvec.h
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fspeed/reduce.S b/crypto_kem/kyber768-90s/m4fspeed/reduce.S
deleted file mode 120000
index 0b00788a..00000000
--- a/crypto_kem/kyber768-90s/m4fspeed/reduce.S
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/reduce.S
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fspeed/symmetric.h b/crypto_kem/kyber768-90s/m4fspeed/symmetric.h
deleted file mode 100644
index 76a1b448..00000000
--- a/crypto_kem/kyber768-90s/m4fspeed/symmetric.h
+++ /dev/null
@@ -1,25 +0,0 @@
-#ifndef SYMMETRIC_H
-#define SYMMETRIC_H
-
-#include "params.h"
-
-
-#include "aes256ctr.h"
-#include "sha2.h"
-
-#if (KYBER_SSBYTES != 32)
-#error "90s variant of Kyber can only generate keys of length 256 bits"
-#endif
-
-#define hash_h(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
-#define hash_g(OUT, IN, INBYTES) sha512(OUT, IN, INBYTES)
-#define xof_absorb(STATE, IN, X, Y) aes256xof_absorb(STATE, IN, X, Y)
-#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) aes256xof_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define prf(OUT, OUTBYTES, KEY, NONCE) aes256_prf(OUT, OUTBYTES, KEY, NONCE)
-#define kdf(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
-
-#define XOF_BLOCKBYTES 64
-
-typedef aes256xof_ctx xof_state;
-
-#endif /* SYMMETRIC_H */
diff --git a/crypto_kem/kyber768-90s/m4fspeed/verify.c b/crypto_kem/kyber768-90s/m4fspeed/verify.c
deleted file mode 120000
index 56596267..00000000
--- a/crypto_kem/kyber768-90s/m4fspeed/verify.c
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/verify.c
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fspeed/verify.h b/crypto_kem/kyber768-90s/m4fspeed/verify.h
deleted file mode 120000
index 72b107fb..00000000
--- a/crypto_kem/kyber768-90s/m4fspeed/verify.h
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/verify.h
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fstack/aes256ctr.c b/crypto_kem/kyber768-90s/m4fstack/aes256ctr.c
deleted file mode 120000
index 38c1834b..00000000
--- a/crypto_kem/kyber768-90s/m4fstack/aes256ctr.c
+++ /dev/null
@@ -1 +0,0 @@
-../m4fspeed/aes256ctr.c
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fstack/aes256ctr.h b/crypto_kem/kyber768-90s/m4fstack/aes256ctr.h
deleted file mode 120000
index d9d79ac8..00000000
--- a/crypto_kem/kyber768-90s/m4fstack/aes256ctr.h
+++ /dev/null
@@ -1 +0,0 @@
-../m4fspeed/aes256ctr.h
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fstack/api.h b/crypto_kem/kyber768-90s/m4fstack/api.h
deleted file mode 120000
index eb61c624..00000000
--- a/crypto_kem/kyber768-90s/m4fstack/api.h
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/api.h
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fstack/cbd.c b/crypto_kem/kyber768-90s/m4fstack/cbd.c
deleted file mode 120000
index 37d243ad..00000000
--- a/crypto_kem/kyber768-90s/m4fstack/cbd.c
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/cbd.c
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fstack/cbd.h b/crypto_kem/kyber768-90s/m4fstack/cbd.h
deleted file mode 120000
index c00c0559..00000000
--- a/crypto_kem/kyber768-90s/m4fstack/cbd.h
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/cbd.h
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fstack/fastaddsub.S b/crypto_kem/kyber768-90s/m4fstack/fastaddsub.S
deleted file mode 120000
index 462644bb..00000000
--- a/crypto_kem/kyber768-90s/m4fstack/fastaddsub.S
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/fastaddsub.S
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fstack/fastbasemul.S b/crypto_kem/kyber768-90s/m4fstack/fastbasemul.S
deleted file mode 120000
index 7ba7f7e4..00000000
--- a/crypto_kem/kyber768-90s/m4fstack/fastbasemul.S
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fstack/fastbasemul.S
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fstack/fastinvntt.S b/crypto_kem/kyber768-90s/m4fstack/fastinvntt.S
deleted file mode 120000
index 8b242d6c..00000000
--- a/crypto_kem/kyber768-90s/m4fstack/fastinvntt.S
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fstack/fastinvntt.S
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fstack/fastntt.S b/crypto_kem/kyber768-90s/m4fstack/fastntt.S
deleted file mode 120000
index 6314b554..00000000
--- a/crypto_kem/kyber768-90s/m4fstack/fastntt.S
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/fastntt.S
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fstack/indcpa.c b/crypto_kem/kyber768-90s/m4fstack/indcpa.c
deleted file mode 120000
index 7d86b771..00000000
--- a/crypto_kem/kyber768-90s/m4fstack/indcpa.c
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fstack/indcpa.c
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fstack/indcpa.h b/crypto_kem/kyber768-90s/m4fstack/indcpa.h
deleted file mode 120000
index 5893b12b..00000000
--- a/crypto_kem/kyber768-90s/m4fstack/indcpa.h
+++ /dev/null
@@ -1 +0,0 @@
-../m4fspeed/indcpa.h
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fstack/kem.c b/crypto_kem/kyber768-90s/m4fstack/kem.c
deleted file mode 120000
index fba83bf4..00000000
--- a/crypto_kem/kyber768-90s/m4fstack/kem.c
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/kem.c
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fstack/macros.i b/crypto_kem/kyber768-90s/m4fstack/macros.i
deleted file mode 120000
index d184a0fa..00000000
--- a/crypto_kem/kyber768-90s/m4fstack/macros.i
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fspeed/macros.i
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fstack/matacc.c b/crypto_kem/kyber768-90s/m4fstack/matacc.c
deleted file mode 100644
index be644379..00000000
--- a/crypto_kem/kyber768-90s/m4fstack/matacc.c
+++ /dev/null
@@ -1,45 +0,0 @@
-#include "ntt.h"
-#include "poly.h"
-#include "polyvec.h"
-#include "symmetric.h"
-#include "matacc.h"
-
-/*************************************************
-* Name: matacc
-*
-* Description: Multiplies a row of A or A^T, generated on-the-fly,
-* with a vector of polynomials and accumulates into the result.
-*
-* Arguments: - poly *r: pointer to output polynomial to accumulate in
-* - polyvec *b: pointer to input vector of polynomials to multiply with
-* - unsigned char i: byte to indicate the index < KYBER_K of the row of A or A^T
-* - const unsigned char *seed: pointer to the public seed used to generate A
-* - int transposed: boolean indicatin whether A or A^T is generated
-**************************************************/
-void matacc(poly* r, const polyvec *b, unsigned char i, const unsigned char *seed, int transposed) {
- unsigned char buf[XOF_BLOCKBYTES+2];
- xof_state state;
- int16_t c[4];
- int j = 0;
- unsigned int buflen;
-
- buflen = XOF_BLOCKBYTES;
- if (transposed)
- xof_absorb(&state, seed, i, j);
- else
- xof_absorb(&state, seed, j, i);
-
- xof_squeezeblocks(buf, 1, &state);
- matacc_asm(r->coeffs, b->vec[j].coeffs, c, buf, zetas, &state, &buflen);
- for(j=1;jcoeffs, b->vec[j].coeffs, c, buf, zetas, &state, &buflen);
- }
-}
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fstack/matacc.h b/crypto_kem/kyber768-90s/m4fstack/matacc.h
deleted file mode 100644
index bac8633e..00000000
--- a/crypto_kem/kyber768-90s/m4fstack/matacc.h
+++ /dev/null
@@ -1,26 +0,0 @@
-#ifndef MATACC_H
-#define MATACC_H
-#include "poly.h"
-#include "polyvec.h"
-#include "symmetric.h"
-
-extern void matacc_asm(int16_t *r, const int16_t *b, int16_t c[4], unsigned char buf[XOF_BLOCKBYTES + 2], const int32_t zetas[64], xof_state *state, unsigned int *buflen);
-static inline void _matacc_asm(int16_t *r, const int16_t *b, int16_t c[4], unsigned char buf[XOF_BLOCKBYTES + 2], const int32_t _zetas[64], xof_state *state, unsigned int *buflen)
-{
- // floating point registers clobbered by assembly function
- asm volatile("" : : : "s16", "s17", "s18", "s19", "s20", "s21", "s22", "s23", "s26", "s27");
- matacc_asm(r, b, c, buf, _zetas, state, buflen);
-}
-#define matacc_asm _matacc_asm
-
-extern void matacc_asm_acc(int16_t *r, const int16_t *b, int16_t c[4], unsigned char buf[XOF_BLOCKBYTES + 2], const int32_t zetas[64], xof_state *state, unsigned int *buflen);
-static inline void _matacc_asm_acc(int16_t *r, const int16_t *b, int16_t c[4], unsigned char buf[XOF_BLOCKBYTES + 2], const int32_t _zetas[64], xof_state *state, unsigned int *buflen)
-{
- // floating point registers clobbered by assembly function
- asm volatile("" : : : "s16", "s17", "s18", "s19", "s20", "s21", "s22", "s23", "s26", "s27");
- matacc_asm_acc(r, b, c, buf, _zetas, state, buflen);
-}
-#define matacc_asm_acc _matacc_asm_acc
-
-void matacc(poly *r, const polyvec *b, unsigned char i, const unsigned char *seed, int transposed);
-#endif
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fstack/matacc.i b/crypto_kem/kyber768-90s/m4fstack/matacc.i
deleted file mode 120000
index 3804c85d..00000000
--- a/crypto_kem/kyber768-90s/m4fstack/matacc.i
+++ /dev/null
@@ -1 +0,0 @@
-../../kyber768/m4fstack/matacc.i
\ No newline at end of file
diff --git a/crypto_kem/kyber768-90s/m4fstack/matacc_asm.S b/crypto_kem/kyber768-90s/m4fstack/matacc_asm.S
deleted file mode 100644
index c4baa40b..00000000
--- a/crypto_kem/kyber768-90s/m4fstack/matacc_asm.S
+++ /dev/null
@@ -1,159 +0,0 @@ -#include "matacc.i" -.extern aes256xof_squeezeblocks - -.syntax unified -.cpu cortex-m4 -.thumb - -.macro update_buf_loop_finish tmp, tmp2, tmp3, val0, val1, bufptr, ctr, buflenval - // if (pos + 3 > buflen - vmov s23, \tmp3 - vmov \tmp2, \buflenval // get buflen value - vmov \tmp, s17 - sub \tmp3, \bufptr, \tmp // compute pos - add \tmp3, #3 // pos + 3 - cmp.w \tmp3, \tmp2 - ble.w 3f - // && ctr < KYBER_N/4) { - cmp.w \ctr, #256/4 - bge.w 3f - // tmp = buffer start - // tmp2 = buffer end - add \tmp2, \tmp, \tmp2 // buffer start + buf len = last address of xof output byte - - // copy remaining bytes to start of buffer - ldr.w \tmp3, [\bufptr] - str.w \tmp3, [\tmp] - sub \tmp3, \tmp2, \bufptr - add \tmp, \tmp, \tmp3 - - // compute buflen - vmov \val0, s17 // get buf addr - sub \val0, tmp, \val0 - add.w \val0, #64 // XOF_BLOCKBYTES=64 - vmov \buflenval, \val0 - - vmov s18, r0 - vmov s19, r1 - vmov s20, r2 - vmov s21, r12 - vmov s22, lr - - mov r0, \tmp // buf + off implicitly after copying loop - mov r1, #1 - vmov r2, s26 // get state ptr - bl aes256xof_squeezeblocks - - vmov r0, s18 - vmov r1, s19 - vmov r2, s20 - vmov r12, s21 - vmov lr, s22 - // pos = 0; - vmov \bufptr, s17 // reset buffer pointer to start -> only after squeezeblocks - 3: - vmov \tmp3, s23 - cmp \ctr, #256/4 - blt.w 1b -.endm - -// void matacc_asm(int16_t *r, const int16_t *b, int16_t c[4], unsigned char buf[XOF_BLOCKBYTES+2], const int32_t zetas[64], xof_state *state) -.global matacc_asm -.type matacc_asm, %function -.align 2 -matacc_asm: - push {r0-r11, r14} - rptr .req r0 - bptr .req r1 - cptr .req r2 - bufptr .req r3 - zetaptr .req r4 - val0 .req r5 - val1 .req r6 - tmp .req r7 - tmp2 .req r8 - k .req r9 - q .req r10 - qa .req r11 - qinv .req r12 - ctr .req r14 - - ldr.w zetaptr, [sp, #13*4] // load zetaptr from stack - ldr.w tmp, [sp, #14*4] // load state from stack - vmov s26, tmp - - movw qa, #26632 - movw q, #3329 - ### qinv=0x6ba8f301 - movw qinv, #62209 - movt qinv, 
#27560 - movw k, #0 - - movw tmp2, #64 // XOF_BLOCKBYTES - vmov s27, tmp2 - - // outer while loop - movw ctr, #0 - vmov s17, bufptr // save bufptr to check later - 1: - - load_vals val0, val1, bufptr, tmp - - first_if doublebasemul_asm, tmp, tmp2, val0, val1, rptr, bptr, cptr, bufptr, zetaptr, k, q, qa, qinv, ctr - - second_if doublebasemul_asm, tmp, tmp2, val0, val1, rptr, bptr, cptr, bufptr, zetaptr, k, q, qa, qinv, ctr - - update_buf_loop_finish tmp, tmp2, k, val0, val1, bufptr, ctr, s27 - - pop {r0-r11, pc} -.size matacc_asm, . - matacc_asm - -// void matacc_asm(int16_t *r, const int16_t *b, int16_t c[4], unsigned char buf[XOF_BLOCKBYTES+2], const int32_t zetas[64], xof_state *state) -.global matacc_asm_acc -.type matacc_asm_acc, %function -.align 2 -matacc_asm_acc: - push {r0-r11, r14} - rptr .req r0 - bptr .req r1 - cptr .req r2 - bufptr .req r3 - zetaptr .req r4 - val0 .req r5 - val1 .req r6 - tmp .req r7 - tmp2 .req r8 - k .req r9 - q .req r10 - qa .req r11 - qinv .req r12 - ctr .req r14 - - ldr.w zetaptr, [sp, #13*4] // load zetaptr from stack - ldr.w tmp, [sp, #14*4] // load state from stack - vmov s26, tmp - - movw qa, #26632 - movw q, #3329 - ### qinv=0x6ba8f301 - movw qinv, #62209 - movt qinv, #27560 - movw k, #0 - - movw tmp2, #64 // XOF_BLOCKBYTES - vmov s27, tmp2 - - // outer while loop - movw ctr, #0 - vmov s17, bufptr // save bufptr to check later - 1: - - load_vals val0, val1, bufptr, tmp - - first_if doublebasemul_asm_acc, tmp, tmp2, val0, val1, rptr, bptr, cptr, bufptr, zetaptr, k, q, qa, qinv, ctr - - second_if doublebasemul_asm_acc, tmp, tmp2, val0, val1, rptr, bptr, cptr, bufptr, zetaptr, k, q, qa, qinv, ctr - - update_buf_loop_finish tmp, tmp2, k, val0, val1, bufptr, ctr, s27 - pop {r0-r11, pc} -.size matacc_asm_acc, . - matacc_asm_acc diff --git a/crypto_kem/kyber768-90s/m4fstack/ntt.c b/crypto_kem/kyber768-90s/m4fstack/ntt.c deleted file mode 120000 index 21c83bdf..00000000 --- a/crypto_kem/kyber768-90s/m4fstack/ntt.c +++ /dev/null 
@@ -1 +0,0 @@ -../../kyber768/m4fspeed/ntt.c \ No newline at end of file diff --git a/crypto_kem/kyber768-90s/m4fstack/ntt.h b/crypto_kem/kyber768-90s/m4fstack/ntt.h deleted file mode 120000 index bd203902..00000000 --- a/crypto_kem/kyber768-90s/m4fstack/ntt.h +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/ntt.h \ No newline at end of file diff --git a/crypto_kem/kyber768-90s/m4fstack/params.h b/crypto_kem/kyber768-90s/m4fstack/params.h deleted file mode 120000 index 1b04f0d7..00000000 --- a/crypto_kem/kyber768-90s/m4fstack/params.h +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/params.h \ No newline at end of file diff --git a/crypto_kem/kyber768-90s/m4fstack/poly.c b/crypto_kem/kyber768-90s/m4fstack/poly.c deleted file mode 120000 index 209dba88..00000000 --- a/crypto_kem/kyber768-90s/m4fstack/poly.c +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fstack/poly.c \ No newline at end of file diff --git a/crypto_kem/kyber768-90s/m4fstack/poly.h b/crypto_kem/kyber768-90s/m4fstack/poly.h deleted file mode 120000 index e02915ca..00000000 --- a/crypto_kem/kyber768-90s/m4fstack/poly.h +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fstack/poly.h \ No newline at end of file diff --git a/crypto_kem/kyber768-90s/m4fstack/poly_asm.S b/crypto_kem/kyber768-90s/m4fstack/poly_asm.S deleted file mode 120000 index 9b529775..00000000 --- a/crypto_kem/kyber768-90s/m4fstack/poly_asm.S +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fstack/poly_asm.S \ No newline at end of file diff --git a/crypto_kem/kyber768-90s/m4fstack/polyvec.c b/crypto_kem/kyber768-90s/m4fstack/polyvec.c deleted file mode 120000 index 0aedeeef..00000000 --- a/crypto_kem/kyber768-90s/m4fstack/polyvec.c +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/polyvec.c \ No newline at end of file diff --git a/crypto_kem/kyber768-90s/m4fstack/polyvec.h b/crypto_kem/kyber768-90s/m4fstack/polyvec.h deleted file mode 120000 index cee9bc6f..00000000 --- a/crypto_kem/kyber768-90s/m4fstack/polyvec.h +++ /dev/null 
@@ -1 +0,0 @@ -../../kyber768/m4fspeed/polyvec.h \ No newline at end of file diff --git a/crypto_kem/kyber768-90s/m4fstack/reduce.S b/crypto_kem/kyber768-90s/m4fstack/reduce.S deleted file mode 120000 index 0b00788a..00000000 --- a/crypto_kem/kyber768-90s/m4fstack/reduce.S +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/reduce.S \ No newline at end of file diff --git a/crypto_kem/kyber768-90s/m4fstack/symmetric.h b/crypto_kem/kyber768-90s/m4fstack/symmetric.h deleted file mode 120000 index 28c6facf..00000000 --- a/crypto_kem/kyber768-90s/m4fstack/symmetric.h +++ /dev/null @@ -1 +0,0 @@ -../m4fspeed/symmetric.h \ No newline at end of file diff --git a/crypto_kem/kyber768-90s/m4fstack/verify.c b/crypto_kem/kyber768-90s/m4fstack/verify.c deleted file mode 120000 index 56596267..00000000 --- a/crypto_kem/kyber768-90s/m4fstack/verify.c +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/verify.c \ No newline at end of file diff --git a/crypto_kem/kyber768-90s/m4fstack/verify.h b/crypto_kem/kyber768-90s/m4fstack/verify.h deleted file mode 120000 index 72b107fb..00000000 --- a/crypto_kem/kyber768-90s/m4fstack/verify.h +++ /dev/null @@ -1 +0,0 @@ -../../kyber768/m4fspeed/verify.h \ No newline at end of file From f418bf6b8af69f2998daccaf761c11b612e767ab Mon Sep 17 00:00:00 2001 
From: "Matthias J. Kannwischer" Date: Fri, 23 Feb 2024 10:56:55 +0800 Subject: [PATCH 3/7] update M4 Kyber to be compatible with NIST Draft --- crypto_kem/kyber512/m4fspeed/indcpa.c | 18 ++- crypto_kem/kyber512/m4fstack/indcpa.c | 7 +- crypto_kem/kyber768/m4fspeed/indcpa.c | 18 ++- crypto_kem/kyber768/m4fspeed/indcpa.h | 5 +- crypto_kem/kyber768/m4fspeed/kem.c | 129 +++++++++++++----- crypto_kem/kyber768/m4fspeed/matacc_asm.S | 6 +- .../kyber768/m4fspeed/symmetric-fips202.c | 85 ++++++------ crypto_kem/kyber768/m4fspeed/symmetric.h | 30 ++-- crypto_kem/kyber768/m4fstack/indcpa.c | 7 +- crypto_kem/kyber768/m4fstack/matacc.i | 2 +- crypto_kem/kyber768/m4fstack/matacc_asm.S | 2 +- 11 files changed, 199 insertions(+), 110 deletions(-) diff --git a/crypto_kem/kyber512/m4fspeed/indcpa.c b/crypto_kem/kyber512/m4fspeed/indcpa.c index 8f83c7e0..5e7fd5ca 100644 --- a/crypto_kem/kyber512/m4fspeed/indcpa.c +++ b/crypto_kem/kyber512/m4fspeed/indcpa.c 
@@ -9,16 +9,23 @@ #include #include + /************************************************* -* Name: indcpa_keypair +* Name: indcpa_keypair_derand * * Description: Generates public and private key for the CPA-secure * public-key encryption scheme underlying Kyber * -* Arguments: - unsigned char *pk: pointer to output public key (of length KYBER_INDCPA_PUBLICKEYBYTES bytes) -* - unsigned char *sk: pointer to output private key (of length KYBER_INDCPA_SECRETKEYBYTES bytes) +* Arguments: - uint8_t *pk: pointer to output public key +* (of length KYBER_INDCPA_PUBLICKEYBYTES bytes) +* - uint8_t *sk: pointer to output private key +* (of length KYBER_INDCPA_SECRETKEYBYTES bytes) +* - const uint8_t *coins: pointer to input randomness +* (of length KYBER_SYMBYTES bytes) **************************************************/ -void indcpa_keypair(unsigned char *pk, unsigned char *sk) { +void indcpa_keypair_derand(unsigned char *pk, + unsigned char *sk, + const unsigned char *coins){ polyvec skpv, skpv_prime; poly pkp; unsigned char buf[2 * KYBER_SYMBYTES]; @@ -27,8 +34,7 @@ void indcpa_keypair(unsigned char *pk, unsigned char *sk) { int i; unsigned char nonce = 0; - randombytes(buf, KYBER_SYMBYTES); - hash_g(buf, buf, KYBER_SYMBYTES); + hash_g(buf, coins, KYBER_SYMBYTES); for (i = 0; i < KYBER_K; i++) poly_getnoise_eta1(skpv.vec + i, noiseseed, nonce++); diff --git a/crypto_kem/kyber512/m4fstack/indcpa.c b/crypto_kem/kyber512/m4fstack/indcpa.c index 02973e7c..764d494d 100644 --- a/crypto_kem/kyber512/m4fstack/indcpa.c +++ b/crypto_kem/kyber512/m4fstack/indcpa.c 
@@ -18,7 +18,9 @@ * Arguments: - unsigned char *pk: pointer to output public key (of length KYBER_INDCPA_PUBLICKEYBYTES bytes) * - unsigned char *sk: pointer to output private key (of length KYBER_INDCPA_SECRETKEYBYTES bytes) **************************************************/ -void indcpa_keypair(unsigned char *pk, unsigned char *sk) { +void indcpa_keypair_derand(unsigned char *pk, + unsigned char *sk, + const unsigned char *coins){ polyvec skpv; poly pkp; unsigned char buf[2 * KYBER_SYMBYTES]; @@ -27,8 +29,7 @@ void indcpa_keypair(unsigned char *pk, unsigned char *sk) { int i; unsigned char nonce = 0; - randombytes(buf, KYBER_SYMBYTES); - hash_g(buf, buf, KYBER_SYMBYTES); + hash_g(buf, coins, KYBER_SYMBYTES); for (i = 0; i < KYBER_K; i++) poly_getnoise_eta1(skpv.vec + i, noiseseed, nonce++); diff --git a/crypto_kem/kyber768/m4fspeed/indcpa.c b/crypto_kem/kyber768/m4fspeed/indcpa.c index 3bf815ad..6e9d5b06 100644 --- a/crypto_kem/kyber768/m4fspeed/indcpa.c +++ b/crypto_kem/kyber768/m4fspeed/indcpa.c 
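Review bot: The documentation block above the renamed `indcpa_keypair_derand` still lists only `pk` and `sk` in its Arguments section (visible as context at the top of the first hunk), so the new `coins` parameter — now the sole input that determines the generated key — is undocumented, and the `Name:` line just above the hunk presumably still reads `indcpa_keypair`. Add `* - const unsigned char *coins: pointer to input randomness (of length KYBER_SYMBYTES bytes)` to the Arguments list and update the Name line, as the m4fspeed variant in this same commit does. The function body continues below the second hunk.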
@@ -8,17 +8,22 @@ #include #include - /************************************************* -* Name: indcpa_keypair +* Name: indcpa_keypair_derand * * Description: Generates public and private key for the CPA-secure * public-key encryption scheme underlying Kyber * -* Arguments: - unsigned char *pk: pointer to output public key (of length KYBER_INDCPA_PUBLICKEYBYTES bytes) -* - unsigned char *sk: pointer to output private key (of length KYBER_INDCPA_SECRETKEYBYTES bytes) +* Arguments: - uint8_t *pk: pointer to output public key +* (of length KYBER_INDCPA_PUBLICKEYBYTES bytes) +* - uint8_t *sk: pointer to output private key +* (of length KYBER_INDCPA_SECRETKEYBYTES bytes) +* - const uint8_t *coins: pointer to input randomness +* (of length KYBER_SYMBYTES bytes) **************************************************/ -void indcpa_keypair(unsigned char *pk, unsigned char *sk) { +void indcpa_keypair_derand(unsigned char *pk, + unsigned char *sk, + const unsigned char *coins){ polyvec skpv, skpv_prime; poly pkp; unsigned char buf[2 * KYBER_SYMBYTES]; @@ -27,8 +32,7 @@ void indcpa_keypair(unsigned char *pk, unsigned char *sk) { int i; unsigned char nonce = 0; - randombytes(buf, KYBER_SYMBYTES); - hash_g(buf, buf, KYBER_SYMBYTES); + hash_g(buf, coins, KYBER_SYMBYTES); for (i = 0; i < KYBER_K; i++) poly_getnoise(skpv.vec + i, noiseseed, nonce++); diff --git a/crypto_kem/kyber768/m4fspeed/indcpa.h b/crypto_kem/kyber768/m4fspeed/indcpa.h index fcf6aa0d..6d5588a7 100644 --- a/crypto_kem/kyber768/m4fspeed/indcpa.h +++ b/crypto_kem/kyber768/m4fspeed/indcpa.h @@ -1,8 +1,9 @@ #ifndef INDCPA_H #define INDCPA_H -void indcpa_keypair(unsigned char *pk, - unsigned char *sk); +void indcpa_keypair_derand(unsigned char *pk, + unsigned char *sk, + const unsigned char *coins); void indcpa_enc(unsigned char *c, const unsigned char *m, diff --git a/crypto_kem/kyber768/m4fspeed/kem.c b/crypto_kem/kyber768/m4fspeed/kem.c index 31f16e3f..7e6474e2 100644 --- a/crypto_kem/kyber768/m4fspeed/kem.c 
+++ b/crypto_kem/kyber768/m4fspeed/kem.c @@ -9,6 +9,35 @@ #include +#include + + +/************************************************* +* Name: crypto_kem_keypair_derand +* +* Description: Generates public and private key +* for CCA-secure Kyber key encapsulation mechanism +* +* Arguments: - uint8_t *pk: pointer to output public key +* (an already allocated array of KYBER_PUBLICKEYBYTES bytes) +* - uint8_t *sk: pointer to output private key +* (an already allocated array of KYBER_SECRETKEYBYTES bytes) +* - uint8_t *coins: pointer to input randomness +* (an already allocated array filled with 2*KYBER_SYMBYTES random bytes) +** +* Returns 0 (success) +**************************************************/ +static int crypto_kem_keypair_derand(uint8_t *pk, + uint8_t *sk, + const uint8_t *coins) { + indcpa_keypair_derand(pk, sk, coins); + memcpy(sk + KYBER_INDCPA_SECRETKEYBYTES, pk, KYBER_PUBLICKEYBYTES); + hash_h(sk + KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES); + /* Value z for pseudo-random output on reject */ + memcpy(sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, coins + KYBER_SYMBYTES, KYBER_SYMBYTES); + return 0; +} + /************************************************* * Name: crypto_kem_keypair * 
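Review bot: The Arguments comment on `crypto_kem_keypair_derand` documents the seed as `uint8_t *coins`, but the parameter is `const uint8_t *coins`; write `* - const uint8_t *coins: pointer to input randomness` so the comment states the not-modified contract the signature already promises. The helper is `static`, so deterministic key generation cannot be driven from outside kem.c (for example to check the draft's known-answer vectors); if keeping it file-local is intended, a one-line comment saying so would stop the next reader from exporting it.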
@@ -21,42 +50,72 @@ * Returns 0 (success) **************************************************/ int crypto_kem_keypair(unsigned char *pk, unsigned char *sk) { - size_t i; - indcpa_keypair(pk, sk); - for (i = 0; i < KYBER_INDCPA_PUBLICKEYBYTES; i++) { - sk[i + KYBER_INDCPA_SECRETKEYBYTES] = pk[i]; - } - hash_h(sk + KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES); - randombytes(sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES); /* Value z for pseudo-random output on reject */ + uint8_t coins[2 * KYBER_SYMBYTES]; + randombytes(coins, 2 * KYBER_SYMBYTES); + crypto_kem_keypair_derand(pk, sk, coins); return 0; } + /************************************************* -* Name: crypto_kem_enc +* Name: crypto_kem_enc_derand * * Description: Generates cipher text and shared * secret for given public key * -* Arguments: - unsigned char *ct: pointer to output cipher text (an already allocated array of CRYPTO_CIPHERTEXTBYTES bytes) -* - unsigned char *ss: pointer to output shared secret (an already allocated array of CRYPTO_BYTES bytes) -* - const unsigned char *pk: pointer to input public key (an already allocated array of CRYPTO_PUBLICKEYBYTES bytes) -* +* Arguments: - uint8_t *ct: pointer to output cipher text +* (an already allocated array of KYBER_CIPHERTEXTBYTES bytes) +* - uint8_t *ss: pointer to output shared secret +* (an already allocated array of KYBER_SSBYTES bytes) +* - const uint8_t *pk: pointer to input public key +* (an already allocated array of KYBER_PUBLICKEYBYTES bytes) +* - const uint8_t *coins: pointer to input randomness +* (an already allocated array filled with KYBER_SYMBYTES random bytes) +** * Returns 0 (success) **************************************************/ -int crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) { - unsigned char kr[2 * KYBER_SYMBYTES]; /* Will contain key, coins */ - unsigned char buf[2 * KYBER_SYMBYTES]; +static int crypto_kem_enc_derand(uint8_t *ct, + uint8_t *ss, + const 
uint8_t *pk, + const uint8_t *coins) { + uint8_t buf[2 * KYBER_SYMBYTES]; + /* Will contain key, coins */ + uint8_t kr[2 * KYBER_SYMBYTES]; - randombytes(buf, KYBER_SYMBYTES); - hash_h(buf, buf, KYBER_SYMBYTES); /* Don't release system RNG output */ + memcpy(buf, coins, KYBER_SYMBYTES); - hash_h(buf + KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES); /* Multitarget countermeasure for coins + contributory KEM */ + /* Multitarget countermeasure for coins + contributory KEM */ + hash_h(buf + KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES); hash_g(kr, buf, 2 * KYBER_SYMBYTES); - indcpa_enc(ct, buf, pk, kr + KYBER_SYMBYTES); /* coins are in kr+KYBER_SYMBYTES */ + /* coins are in kr+KYBER_SYMBYTES */ + indcpa_enc(ct, buf, pk, kr + KYBER_SYMBYTES); - hash_h(kr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); /* overwrite coins in kr with H(c) */ - kdf(ss, kr, 2 * KYBER_SYMBYTES); /* hash concatenation of pre-k and H(c) to k */ + memcpy(ss, kr, KYBER_SYMBYTES); + return 0; +} + +/************************************************* +* Name: crypto_kem_enc +* +* Description: Generates cipher text and shared +* secret for given public key +* +* Arguments: - uint8_t *ct: pointer to output cipher text +* (an already allocated array of KYBER_CIPHERTEXTBYTES bytes) +* - uint8_t *ss: pointer to output shared secret +* (an already allocated array of KYBER_SSBYTES bytes) +* - const uint8_t *pk: pointer to input public key +* (an already allocated array of KYBER_PUBLICKEYBYTES bytes) +* +* Returns 0 (success) +**************************************************/ +int crypto_kem_enc(uint8_t *ct, + uint8_t *ss, + const uint8_t *pk) { + uint8_t coins[KYBER_SYMBYTES]; + randombytes(coins, KYBER_SYMBYTES); + crypto_kem_enc_derand(ct, ss, pk, coins); return 0; } 
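Review bot: `crypto_kem_keypair` and `crypto_kem_enc` leave the raw seed material (`d||z`, and the message `m`) in their local `coins` arrays after the derand helper returns, and nothing in the hunk clears them; the previous `crypto_kem_enc` overwrote the RNG output in place with `hash_h(buf, buf, ...)` before using it. On a bare-metal M4 nothing scrubs the stack for you, so consider a volatile-memset wipe of `coins` (and of `buf`/`kr` in `crypto_kem_enc_derand`, which hold `m||H(pk)` and `K||r`) before returning, or a header-comment sentence stating that stack hygiene is deliberately left to the caller. Dropping the former `hash_h` step matches the NIST draft, but it also means `randombytes` output is now used unhashed as `m`; that is worth one sentence in the `crypto_kem_enc` header comment so nobody reintroduces the hash "for safety".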
@@ -75,25 +134,29 @@ int crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk * On failure, ss will contain a pseudo-random value. **************************************************/ int crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) { - size_t i; - unsigned char fail; - unsigned char buf[2 * KYBER_SYMBYTES]; - unsigned char kr[2 * KYBER_SYMBYTES]; /* Will contain key, coins */ - const unsigned char *pk = sk + KYBER_INDCPA_SECRETKEYBYTES; + int fail; + uint8_t buf[2 * KYBER_SYMBYTES]; + /* Will contain key, coins */ + uint8_t kr[2 * KYBER_SYMBYTES]; + uint8_t cmp[KYBER_CIPHERTEXTBYTES + KYBER_SYMBYTES]; + const uint8_t *pk = sk + KYBER_INDCPA_SECRETKEYBYTES; indcpa_dec(buf, ct, sk); - for (i = 0; i < KYBER_SYMBYTES; i++) { /* Multitarget countermeasure for coins + contributory KEM */ - buf[KYBER_SYMBYTES + i] = sk[KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES + i]; /* Save hash by storing H(pk) in sk */ - } + /* Multitarget countermeasure for coins + contributory KEM */ + memcpy(buf + KYBER_SYMBYTES, sk + KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES, KYBER_SYMBYTES); hash_g(kr, buf, 2 * KYBER_SYMBYTES); - fail = indcpa_enc_cmp(ct, buf, pk, kr + KYBER_SYMBYTES); /* coins are in kr+KYBER_SYMBYTES */ + /* coins are in kr+KYBER_SYMBYTES */ + indcpa_enc(cmp, buf, pk, kr + KYBER_SYMBYTES); + + fail = verify(ct, cmp, KYBER_CIPHERTEXTBYTES); - hash_h(kr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); /* overwrite coins in kr with H(c) */ + /* Compute rejection key */ + rkprf(ss, sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, ct); - cmov(kr, sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES, fail); /* Overwrite pre-k with z on re-encryption failure */ + /* Copy true key to return buffer if fail is false */ + cmov(ss, kr, KYBER_SYMBYTES, (uint8_t) (1 - fail)); - kdf(ss, kr, 2 * KYBER_SYMBYTES); /* hash concatenation of pre-k and H(c) to k */ return 0; } 
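Review bot: `crypto_kem_dec` now re-encrypts into a full `cmp[KYBER_CIPHERTEXTBYTES + KYBER_SYMBYTES]` stack buffer and compares with `verify`, replacing the `indcpa_enc_cmp` path that compared against `ct` on the fly; for Kyber768 that is roughly 1.1 KB of extra stack in decapsulation, in a code base whose m4fstack variant exists to bound stack use. If `indcpa_enc_cmp` still exists and returns exactly 0 or 1, `fail = indcpa_enc_cmp(ct, buf, pk, kr + KYBER_SYMBYTES);` keeps the draft semantics (the rejection key is computed unconditionally by `rkprf` either way) without the buffer; if it was removed, the commit message should say so. Separately, the trailing `KYBER_SYMBYTES` bytes of `cmp` are never referenced in the hunk, so either size it as `cmp[KYBER_CIPHERTEXTBYTES]` or comment why the slack is there. The function's header comment sits above the hunk.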
diff --git a/crypto_kem/kyber768/m4fspeed/matacc_asm.S b/crypto_kem/kyber768/m4fspeed/matacc_asm.S index c4c4e855..f77ae605 100644 --- a/crypto_kem/kyber768/m4fspeed/matacc_asm.S +++ b/crypto_kem/kyber768/m4fspeed/matacc_asm.S @@ -1,11 +1,11 @@ #include "matacc.i" -.extern kyber_shake128_squeezeblocks +.extern shake128_squeezeblocks .syntax unified .cpu cortex-m4 .thumb -// kyber_shake128_squeezeblocks into buffer if all bytes have been used +// shake128_squeezeblocks into buffer if all bytes have been used .macro third_if tmp, tmp2, rptr, bptr, cptr, bufptr, ctr // if (pos + 3 > buflen && ctr < KYBER_N/4) vmov \tmp, s17 @@ -27,7 +27,7 @@ movw \bptr, #1 vmov \cptr, s26 // load state - bl kyber_shake128_squeezeblocks + bl shake128_squeezeblocks vmov r12, s16 vmov \rptr, s18 diff --git a/crypto_kem/kyber768/m4fspeed/symmetric-fips202.c b/crypto_kem/kyber768/m4fspeed/symmetric-fips202.c index 311d33f0..4ee07233 100644 --- a/crypto_kem/kyber768/m4fspeed/symmetric-fips202.c +++ b/crypto_kem/kyber768/m4fspeed/symmetric-fips202.c 
@@ -1,64 +1,71 @@ #include "fips202.h" +#include "params.h" #include "symmetric.h" - -#include +#include +#include +#include /************************************************* * Name: kyber_shake128_absorb * * Description: Absorb step of the SHAKE128 specialized for the Kyber context. * -* Arguments: - shake128ctx *s: pointer to (uninitialized) output Keccak state -* - const unsigned char *input: pointer to KYBER_SYMBYTES input to be absorbed into s -* - unsigned char i additional byte of input -* - unsigned char j additional byte of input +* Arguments: - xof_state *state: pointer to (uninitialized) output Keccak state +* - const uint8_t *seed: pointer to KYBER_SYMBYTES input to be absorbed into state +* - uint8_t i: additional byte of input +* - uint8_t j: additional byte of input **************************************************/ -void kyber_shake128_absorb(shake128ctx *s, const unsigned char *input, unsigned char x, unsigned char y) { - unsigned char extseed[KYBER_SYMBYTES + 2]; - int i; +void kyber_shake128_absorb(xof_state *state, + const uint8_t seed[KYBER_SYMBYTES], + uint8_t x, + uint8_t y) { + uint8_t extseed[KYBER_SYMBYTES + 2]; + + memcpy(extseed, seed, KYBER_SYMBYTES); + extseed[KYBER_SYMBYTES + 0] = x; + extseed[KYBER_SYMBYTES + 1] = y; - for (i = 0; i < KYBER_SYMBYTES; i++) { - extseed[i] = input[i]; - } - extseed[i++] = x; - extseed[i] = y; - shake128_absorb(s, extseed, KYBER_SYMBYTES + 2); + shake128_absorb(state, extseed, sizeof(extseed)); } /************************************************* -* Name: kyber_shake128_squeezeblocks +* Name: kyber_shake256_prf * -* Description: Squeeze step of SHAKE128 XOF. Squeezes full blocks of SHAKE128_RATE bytes each. -* Modifies the state. Can be called multiple times to keep squeezing, -* i.e., is incremental. 
+* Description: Usage of SHAKE256 as a PRF, concatenates secret and public input +* and then generates outlen bytes of SHAKE256 output * -* Arguments: - unsigned char *output: pointer to output blocks -* - size_t nblocks: number of blocks to be squeezed (written to output) -* - shake128ctx *s: pointer to in/output Keccak state +* Arguments: - uint8_t *out: pointer to output +* - size_t outlen: number of requested output bytes +* - const uint8_t *key: pointer to the key (of length KYBER_SYMBYTES) +* - uint8_t nonce: single-byte nonce (public PRF input) **************************************************/ -void kyber_shake128_squeezeblocks(unsigned char *output, size_t nblocks, shake128ctx *s) { - shake128_squeezeblocks(output, nblocks, s); +void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYMBYTES], uint8_t nonce) { + uint8_t extkey[KYBER_SYMBYTES + 1]; + + memcpy(extkey, key, KYBER_SYMBYTES); + extkey[KYBER_SYMBYTES] = nonce; + + shake256(out, outlen, extkey, sizeof(extkey)); } /************************************************* -* Name: shake256_prf +* Name: kyber_shake256_prf * * Description: Usage of SHAKE256 as a PRF, concatenates secret and public input * and then generates outlen bytes of SHAKE256 output * -* Arguments: - unsigned char *output: pointer to output -* - size_t outlen: number of requested output bytes -* - const unsigned char * key: pointer to the key (of length KYBER_SYMBYTES) -* - const unsigned char nonce: single-byte nonce (public PRF input) +* Arguments: - uint8_t *out: pointer to output +* - size_t outlen: number of requested output bytes +* - const uint8_t *key: pointer to the key (of length KYBER_SYMBYTES) +* - uint8_t nonce: single-byte nonce (public PRF input) **************************************************/ -void shake256_prf(unsigned char *output, size_t outlen, const unsigned char *key, unsigned char nonce) { - unsigned char extkey[KYBER_SYMBYTES + 1]; - size_t i; +void kyber_shake256_rkprf(uint8_t 
out[KYBER_SSBYTES], const uint8_t key[KYBER_SYMBYTES], const uint8_t input[KYBER_CIPHERTEXTBYTES]) { + shake256incctx s; - for (i = 0; i < KYBER_SYMBYTES; i++) { - extkey[i] = key[i]; - } - extkey[i] = nonce; - - shake256(output, outlen, extkey, KYBER_SYMBYTES + 1); -} + shake256_inc_init(&s); + shake256_inc_absorb(&s, key, KYBER_SYMBYTES); + shake256_inc_absorb(&s, input, KYBER_CIPHERTEXTBYTES); + shake256_inc_finalize(&s); + shake256_inc_squeeze(out, KYBER_SSBYTES, &s); + shake256_inc_ctx_release(&s); +} \ No newline at end of file diff --git a/crypto_kem/kyber768/m4fspeed/symmetric.h b/crypto_kem/kyber768/m4fspeed/symmetric.h index d396466d..8441c837 100644 --- a/crypto_kem/kyber768/m4fspeed/symmetric.h +++ b/crypto_kem/kyber768/m4fspeed/symmetric.h 
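Review bot: The comment block directly above `kyber_shake256_rkprf` is a copy of the one for `kyber_shake256_prf`: its `Name:` line says `kyber_shake256_prf` and its Arguments list `outlen` and a `nonce` that this function does not take, so the one function the hunk actually introduces is documented wrongly. Replace it with a header that names `kyber_shake256_rkprf`, describes it as the implicit-rejection PRF over `key || input` (SHAKE256 of z followed by the ciphertext, as the absorb calls show), and lists `out` (KYBER_SSBYTES), `key` (KYBER_SYMBYTES) and `input` (KYBER_CIPHERTEXTBYTES). The incremental state `s` absorbs the secret `z`; whether `shake256_inc_ctx_release` clears it depends on the fips202 backend, which is not visible here — if it does not, a wipe of `s` before returning would be prudent. The file also now ends without a trailing newline.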
@@ -1,23 +1,29 @@ #ifndef SYMMETRIC_H #define SYMMETRIC_H - #include "fips202.h" #include "params.h" #include +#include -void kyber_shake128_absorb(shake128ctx *s, const unsigned char *input, unsigned char x, unsigned char y); -void kyber_shake128_squeezeblocks(unsigned char *output, size_t nblocks, shake128ctx *s); -void shake256_prf(unsigned char *output, size_t outlen, const unsigned char *key, unsigned char nonce); +typedef shake128ctx xof_state; -#define hash_h(OUT, IN, INBYTES) sha3_256(OUT, IN, INBYTES) -#define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES) -#define xof_absorb(STATE, IN, X, Y) kyber_shake128_absorb(STATE, IN, X, Y) -#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) kyber_shake128_squeezeblocks(OUT, OUTBLOCKS, STATE) -#define prf(OUT, OUTBYTES, KEY, NONCE) shake256_prf(OUT, OUTBYTES, KEY, NONCE) -#define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES) +void kyber_shake128_absorb(xof_state *s, + const uint8_t seed[KYBER_SYMBYTES], + uint8_t x, + uint8_t y); -#define XOF_BLOCKBYTES 168 +void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYMBYTES], uint8_t nonce); -typedef shake128ctx xof_state; +void kyber_shake256_rkprf(uint8_t out[KYBER_SSBYTES], const uint8_t key[KYBER_SYMBYTES], const uint8_t input[KYBER_CIPHERTEXTBYTES]); + +#define XOF_BLOCKBYTES SHAKE128_RATE + +#define hash_h(OUT, IN, INBYTES) sha3_256(OUT, IN, INBYTES) +#define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES) +#define xof_absorb(STATE, SEED, X, Y) kyber_shake128_absorb(STATE, SEED, X, Y) +#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define xof_ctx_release(STATE) shake128_ctx_release(STATE) +#define prf(OUT, OUTBYTES, KEY, NONCE) kyber_shake256_prf(OUT, OUTBYTES, KEY, NONCE) +#define rkprf(OUT, KEY, INPUT) kyber_shake256_rkprf(OUT, KEY, INPUT) #endif /* SYMMETRIC_H */ 
diff --git a/crypto_kem/kyber768/m4fstack/indcpa.c b/crypto_kem/kyber768/m4fstack/indcpa.c index d558df08..bb0ce408 100644 --- a/crypto_kem/kyber768/m4fstack/indcpa.c +++ b/crypto_kem/kyber768/m4fstack/indcpa.c @@ -18,7 +18,9 @@ * Arguments: - unsigned char *pk: pointer to output public key (of length KYBER_INDCPA_PUBLICKEYBYTES bytes) * - unsigned char *sk: pointer to output private key (of length KYBER_INDCPA_SECRETKEYBYTES bytes) **************************************************/ -void indcpa_keypair(unsigned char *pk, unsigned char *sk) { +void indcpa_keypair_derand(unsigned char *pk, + unsigned char *sk, + const unsigned char *coins){ polyvec skpv; poly pkp; unsigned char buf[2 * KYBER_SYMBYTES]; @@ -27,8 +29,7 @@ void indcpa_keypair(unsigned char *pk, unsigned char *sk) { int i; unsigned char nonce = 0; - randombytes(buf, KYBER_SYMBYTES); - hash_g(buf, buf, KYBER_SYMBYTES); + hash_g(buf, coins, KYBER_SYMBYTES); for (i = 0; i < KYBER_K; i++) poly_getnoise(skpv.vec + i, noiseseed, nonce++); diff --git a/crypto_kem/kyber768/m4fstack/matacc.i b/crypto_kem/kyber768/m4fstack/matacc.i index bb080277..237ee469 100644 --- a/crypto_kem/kyber768/m4fstack/matacc.i +++ b/crypto_kem/kyber768/m4fstack/matacc.i @@ -98,7 +98,7 @@ movw \bptr, #1 vmov \cptr, s26 // load state #ifndef nohash - bl kyber_shake128_squeezeblocks + bl shake128_squeezeblocks #endif vmov r12, s16 diff --git a/crypto_kem/kyber768/m4fstack/matacc_asm.S b/crypto_kem/kyber768/m4fstack/matacc_asm.S index b5610180..2a5a3074 100644 --- a/crypto_kem/kyber768/m4fstack/matacc_asm.S +++ b/crypto_kem/kyber768/m4fstack/matacc_asm.S @@ -1,5 +1,5 @@ #include "matacc.i" -.extern kyber_shake128_squeezeblocks +.extern shake128_squeezeblocks .syntax unified .cpu cortex-m4 From edcf6f6af44c680c435c6d9c258e93aa285f28f2 Mon Sep 17 00:00:00 2001 
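Review bot: In kyber768/m4fstack/indcpa.c the documentation block above the renamed `indcpa_keypair_derand` still documents only `pk` and `sk` (the `* Arguments:` context lines at the top of the hunk), so the new `coins` parameter is undocumented, and the `Name:` line above the hunk presumably still says `indcpa_keypair`. Add `* - const unsigned char *coins: pointer to input randomness (of length KYBER_SYMBYTES bytes)` and update the Name line, mirroring the m4fspeed file in this commit. The function body continues below the second hunk.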
From: "Matthias J. Kannwischer" Date: Fri, 23 Feb 2024 11:11:58 +0800 Subject: [PATCH 4/7] eliminate / KYBER_Q that may result in variable time division This applies the patches from upstream to poly_compress and polyvec_compress See https://github.com/pq-crystals/kyber/commit/272125f6acc8e8b6850fd68ceb901a660ff48196 https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/ldX0ThYJuBo/m/ovODsdY7AwAJ --- crypto_kem/kyber512/m4fspeed/poly.c | 154 ++++++++++++++++++------- crypto_kem/kyber512/m4fspeed/poly.h | 2 +- crypto_kem/kyber512/m4fstack/poly.c | 154 ++++++++++++++++++------- crypto_kem/kyber512/m4fstack/poly.h | 2 +- crypto_kem/kyber768/m4fspeed/poly.c | 150 ++++++++++++++++++------ crypto_kem/kyber768/m4fspeed/poly.h | 2 +- crypto_kem/kyber768/m4fspeed/polyvec.c | 82 +++++++------ crypto_kem/kyber768/m4fspeed/polyvec.h | 2 +- crypto_kem/kyber768/m4fstack/poly.c | 150 ++++++++++++++++++------ crypto_kem/kyber768/m4fstack/poly.h | 2 +- 10 files changed, 510 insertions(+), 190 deletions(-) diff --git a/crypto_kem/kyber512/m4fspeed/poly.c b/crypto_kem/kyber512/m4fspeed/poly.c index 1b74c0c9..f9d408b8 100644 --- a/crypto_kem/kyber512/m4fspeed/poly.c +++ b/crypto_kem/kyber512/m4fspeed/poly.c 
@@ -16,38 +16,56 @@ * Arguments: - unsigned char *r: pointer to output byte array (of length KYBER_POLYCOMPRESSEDBYTES) * - const poly *a: pointer to input polynomial to be serialized *************************************************/ -void poly_compress(unsigned char *r, poly *a) +void poly_compress(unsigned char *r, const poly *a) { + unsigned int i,j; + int16_t u; + uint32_t d0; uint8_t t[8]; - int i,j,k=0; #if (KYBER_POLYCOMPRESSEDBYTES == 128) - for(i=0;icoeffs[i+j] << 4) + KYBER_Q/2) / KYBER_Q) & 15; - - r[k] = t[0] | (t[1] << 4); - r[k+1] = t[2] | (t[3] << 4); - r[k+2] = t[4] | (t[5] << 4); - r[k+3] = t[6] | (t[7] << 4); - k += 4; + for(i=0;icoeffs[8*i+j]; + u += (u >> 15) & KYBER_Q; +/* t[j] = ((((uint16_t)u << 4) + KYBER_Q/2)/KYBER_Q) & 15; */ + d0 = u << 4; + d0 += 1665; + d0 *= 80635; + d0 >>= 28; + t[j] = d0 & 0xf; + } + + r[0] = t[0] | (t[1] << 4); + r[1] = t[2] | (t[3] << 4); + r[2] = t[4] | (t[5] << 4); + r[3] = t[6] | (t[7] << 4); + r += 4; } #elif (KYBER_POLYCOMPRESSEDBYTES == 160) - for(i=0;icoeffs[i+j] << 5) + KYBER_Q/2) / KYBER_Q) & 31; - - r[k] = t[0] | (t[1] << 5); - r[k+1] = (t[1] >> 3) | (t[2] << 2) | (t[3] << 7); - r[k+2] = (t[3] >> 1) | (t[4] << 4); - r[k+3] = (t[4] >> 4) | (t[5] << 1) | (t[6] << 6); - r[k+4] = (t[6] >> 2) | (t[7] << 3); - k += 5; + for(i=0;icoeffs[8*i+j]; + u += (u >> 15) & KYBER_Q; +/* t[j] = ((((uint32_t)u << 5) + KYBER_Q/2)/KYBER_Q) & 31; */ + d0 = u << 5; + d0 += 1664; + d0 *= 40318; + d0 >>= 27; + t[j] = d0 & 0x1f; + } + + r[0] = (t[0] >> 0) | (t[1] << 5); + r[1] = (t[1] >> 3) | (t[2] << 2) | (t[3] << 7); + r[2] = (t[3] >> 1) | (t[4] << 4); + r[3] = (t[4] >> 4) | (t[5] << 1) | (t[6] << 6); + r[4] = (t[6] >> 2) | (t[7] << 3); + r += 5; } #else -#error "KYBER_POLYCOMPRESSEDBYTES needs to be in {96, 128, 160}" +#error "KYBER_POLYCOMPRESSEDBYTES needs to be in {128, 160}" #endif } 
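Review bot: The constants `1665`, `80635`, `28` (and `1664`, `40318`, `27` in the 160-byte branch) replace the commented-out division, but nothing states how they were derived or that they are only valid once `u` has been mapped into [0, q) by the preceding line. Add a comment such as `/* multiply-and-shift replacement for division: 80635 ~= 2^28 / KYBER_Q, valid only for 0 <= u < KYBER_Q. The 32-bit product overflows for u >= 3225, but 2^32 >> 28 == 16 == 0 mod 16, so the wrap does not change the masked result. */` — by my arithmetic the largest operand is 54913 * 80635, which exceeds 2^32, so the remark deserves stating rather than being left for each reader to re-verify. The `u += (u >> 15) & KYBER_Q;` line also relies on an arithmetic right shift of a negative `int16_t`, which C11 leaves implementation-defined; that is the upstream idiom, but a one-line note would not hurt.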
@@ -107,13 +125,24 @@ void poly_decompress(poly *r, const unsigned char *a) **************************************************/ void poly_packcompress(unsigned char *r, poly *a, int i) { int j, k; + uint64_t d0; #if (KYBER_POLYVECCOMPRESSEDBYTES == (KYBER_K * 352)) uint16_t t[8]; for(j=0;jcoeffs[8*j+k] << 11) + KYBER_Q/2) / KYBER_Q) & 0x7ff; + for(k=0;k<8;k++) { + t[k] = a->coeffs[8*j+k]; + t[k] += ((int16_t)t[k] >> 15) & KYBER_Q; +/* t[k] = ((((uint32_t)t[k] << 11) + KYBER_Q/2)/KYBER_Q) & 0x7ff; */ + d0 = t[k]; + d0 <<= 11; + d0 += 1664; + d0 *= 645084; + d0 >>= 31; + t[k] = d0 & 0x7ff; + } + r[352*i+11*j+ 0] = t[0] & 0xff; r[352*i+11*j+ 1] = (t[0] >> 8) | ((t[1] & 0x1f) << 3); @@ -131,9 +160,17 @@ void poly_packcompress(unsigned char *r, poly *a, int i) { uint16_t t[4]; for (j = 0; j < KYBER_N / 4; j++) { - for (k = 0; k < 4; k++) - t[k] = ((((uint32_t)a->coeffs[4 * j + k] << 10) + KYBER_Q / 2) / KYBER_Q) & 0x3ff; - + for(k=0;k<4;k++) { + t[k] = a->coeffs[4*j+k]; + t[k] += ((int16_t)t[k] >> 15) & KYBER_Q; + /* t[k] = ((((uint32_t)t[k] << 10) + KYBER_Q/2)/ KYBER_Q) & 0x3ff; */ + d0 = t[k]; + d0 <<= 10; + d0 += 1665; + d0 *= 1290167; + d0 >>= 32; + t[k] = d0 & 0x3ff; + } r[320*i+5*j+0] = t[0] & 0xff; r[320*i+5*j+1] = (t[0] >> 8) | ((t[1] & 0x3f) << 2); r[320*i+5*j+2] = ((t[1] >> 6) | ((t[2] & 0x0f) << 4)) & 0xff; 
@@ -194,14 +231,24 @@ void poly_unpackdecompress(poly *r, const unsigned char *a, int i) { **************************************************/ int cmp_poly_compress(const unsigned char *r, poly *a) { unsigned char rc = 0; + int16_t u; + uint32_t d0; uint8_t t[8]; int i, j, k = 0; #if (KYBER_POLYCOMPRESSEDBYTES == 128) for (i = 0; i < KYBER_N; i += 8) { - for (j = 0; j < 8; j++) - t[j] = ((((uint32_t)a->coeffs[i + j] << 4) + KYBER_Q / 2) / KYBER_Q) & 15; - + for(j=0;j<8;j++) { + // map to positive standard representatives + u = a->coeffs[8*i+j]; + u += (u >> 15) & KYBER_Q; +/* t[j] = ((((uint16_t)u << 4) + KYBER_Q/2)/KYBER_Q) & 15; */ + d0 = u << 4; + d0 += 1665; + d0 *= 80635; + d0 >>= 28; + t[j] = d0 & 0xf; + } rc |= r[k] ^ (t[0] | (t[1] << 4)); rc |= r[k + 1] ^ (t[2] | (t[3] << 4)); rc |= r[k + 2] ^ (t[4] | (t[5] << 4)); @@ -211,8 +258,18 @@ int cmp_poly_compress(const unsigned char *r, poly *a) { #elif (KYBER_POLYCOMPRESSEDBYTES == 160) for(i=0;icoeffs[i+j] << 5) + KYBER_Q/2) / KYBER_Q) & 31; + for(j=0;j<8;j++) { + // map to positive standard representatives + u = a->coeffs[8*i+j]; + u += (u >> 15) & KYBER_Q; +/* t[j] = ((((uint32_t)u << 5) + KYBER_Q/2)/KYBER_Q) & 31; */ + d0 = u << 5; + d0 += 1664; + d0 *= 40318; + d0 >>= 27; + t[j] = d0 & 0x1f; + } + rc |= r[k] ^ (t[0] | (t[1] << 5)); rc |= r[k+1] ^ ((t[1] >> 3) | (t[2] << 2) | (t[3] << 7)); @@ -222,7 +279,7 @@ int cmp_poly_compress(const unsigned char *r, poly *a) { k += 5; } #else -#error "KYBER_POLYCOMPRESSEDBYTES needs to be in {96, 128, 160}" +#error "KYBER_POLYCOMPRESSEDBYTES needs to be in {128, 160}" #endif return rc; } 
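Review bot: In `cmp_poly_compress` the outer loop still runs `for (i = 0; i < KYBER_N; i += 8)` (an unchanged context line) and still advances the output index `k`, but the rewritten inner loop reads `a->coeffs[8*i+j]` — an index copied from `poly_compress`, where the outer loop was changed to count 8-coefficient blocks. Here `i` already counts coefficients, so from the second iteration the function compares against the wrong coefficients and from `i = 32` onward it reads far past the end of `coeffs[KYBER_N]`; the 160-byte branch, which keeps the same `k`-indexed output, has the same mismatch. Both branches should read `u = a->coeffs[i+j];`. If `indcpa_enc_cmp` is no longer called after the kem.c changes in this series, the known-answer tests will not catch this, which is all the more reason to fix or delete the function now.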
@@ -241,13 +298,23 @@ int cmp_poly_compress(const unsigned char *r, poly *a) { int cmp_poly_packcompress(const unsigned char *r, poly *a, int i) { unsigned char rc = 0; int j, k; + uint64_t d0; #if (KYBER_POLYVECCOMPRESSEDBYTES == (KYBER_K * 352)) uint16_t t[8]; for(j=0;jcoeffs[8*j+k] << 11) + KYBER_Q/2) / KYBER_Q) & 0x7ff; + for(k=0;k<8;k++) { + t[k] = a->coeffs[8*j+k]; + t[k] += ((int16_t)t[k] >> 15) & KYBER_Q; +/* t[k] = ((((uint32_t)t[k] << 11) + KYBER_Q/2)/KYBER_Q) & 0x7ff; */ + d0 = t[k]; + d0 <<= 11; + d0 += 1664; + d0 *= 645084; + d0 >>= 31; + t[k] = d0 & 0x7ff; + } rc |= r[352*i+11*j+ 0] ^ (t[0] & 0xff); rc |= r[352*i+11*j+ 1] ^ ((t[0] >> 8) | ((t[1] & 0x1f) << 3)); @@ -264,8 +331,17 @@ int cmp_poly_packcompress(const unsigned char *r, poly *a, int i) { #elif (KYBER_POLYVECCOMPRESSEDBYTES == (KYBER_K * 320)) uint16_t t[4]; for (j = 0; j < KYBER_N / 4; j++) { - for (k = 0; k < 4; k++) - t[k] = ((((uint32_t)a->coeffs[4 * j + k] << 10) + KYBER_Q / 2) / KYBER_Q) & 0x3ff; + for(k=0;k<4;k++) { + t[k] = a->coeffs[4*j+k]; + t[k] += ((int16_t)t[k] >> 15) & KYBER_Q; + /* t[k] = ((((uint32_t)t[k] << 10) + KYBER_Q/2)/ KYBER_Q) & 0x3ff; */ + d0 = t[k]; + d0 <<= 10; + d0 += 1665; + d0 *= 1290167; + d0 >>= 32; + t[k] = d0 & 0x3ff; + } rc |= r[320*i+5*j+0] ^ (t[0] & 0xff); rc |= r[320*i+5*j+1] ^ ((t[0] >> 8) | ((t[1] & 0x3f) << 2)); diff --git a/crypto_kem/kyber512/m4fspeed/poly.h b/crypto_kem/kyber512/m4fspeed/poly.h index d4d6b29f..4994d871 100644 --- a/crypto_kem/kyber512/m4fspeed/poly.h +++ b/crypto_kem/kyber512/m4fspeed/poly.h @@ -18,7 +18,7 @@ typedef struct { int16_t coeffs[KYBER_N]; } poly; -void poly_compress(unsigned char *r, poly *a); +void poly_compress(unsigned char *r, const poly *a); void poly_decompress(poly *r, const unsigned char *a); void poly_packcompress(unsigned char *r, poly *a, int i); diff --git a/crypto_kem/kyber512/m4fstack/poly.c b/crypto_kem/kyber512/m4fstack/poly.c index 0c449a46..f42154ff 100644 --- a/crypto_kem/kyber512/m4fstack/poly.c 
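Review bot: Const-correctness is applied only to poly_compress in the poly.h hunk: the line right after the changed prototype still declares `void poly_packcompress(unsigned char *r, poly *a, int i);` although the visible parts of the poly_packcompress hunk only read `a->coeffs`, and cmp_poly_compress / cmp_poly_packcompress likewise keep a non-const `poly *a`. Since the definitions are being rewritten anyway, declaration and definition could become `void poly_packcompress(unsigned char *r, const poly *a, int i);` (and `const poly *a` for the two cmp_ functions) so callers can pass a const polynomial uniformly. The same applies to the poly.h hunks of the other three Kyber variants in this commit and to `polyvec_tobytes(unsigned char *r, polyvec *a)` next to the changed polyvec_compress prototype in kyber768/m4fspeed/polyvec.h.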
+++ b/crypto_kem/kyber512/m4fstack/poly.c @@ -16,38 +16,56 @@ * Arguments: - unsigned char *r: pointer to output byte array (of length KYBER_POLYCOMPRESSEDBYTES) * - const poly *a: pointer to input polynomial to be serialized *************************************************/ -void poly_compress(unsigned char *r, poly *a) +void poly_compress(unsigned char *r, const poly *a) { + unsigned int i,j; + int16_t u; + uint32_t d0; uint8_t t[8]; - int i,j,k=0; #if (KYBER_POLYCOMPRESSEDBYTES == 128) - for(i=0;icoeffs[i+j] << 4) + KYBER_Q/2) / KYBER_Q) & 15; - - r[k] = t[0] | (t[1] << 4); - r[k+1] = t[2] | (t[3] << 4); - r[k+2] = t[4] | (t[5] << 4); - r[k+3] = t[6] | (t[7] << 4); - k += 4; + for(i=0;icoeffs[8*i+j]; + u += (u >> 15) & KYBER_Q; +/* t[j] = ((((uint16_t)u << 4) + KYBER_Q/2)/KYBER_Q) & 15; */ + d0 = u << 4; + d0 += 1665; + d0 *= 80635; + d0 >>= 28; + t[j] = d0 & 0xf; + } + + r[0] = t[0] | (t[1] << 4); + r[1] = t[2] | (t[3] << 4); + r[2] = t[4] | (t[5] << 4); + r[3] = t[6] | (t[7] << 4); + r += 4; } #elif (KYBER_POLYCOMPRESSEDBYTES == 160) - for(i=0;icoeffs[i+j] << 5) + KYBER_Q/2) / KYBER_Q) & 31; - - r[k] = t[0] | (t[1] << 5); - r[k+1] = (t[1] >> 3) | (t[2] << 2) | (t[3] << 7); - r[k+2] = (t[3] >> 1) | (t[4] << 4); - r[k+3] = (t[4] >> 4) | (t[5] << 1) | (t[6] << 6); - r[k+4] = (t[6] >> 2) | (t[7] << 3); - k += 5; + for(i=0;icoeffs[8*i+j]; + u += (u >> 15) & KYBER_Q; +/* t[j] = ((((uint32_t)u << 5) + KYBER_Q/2)/KYBER_Q) & 31; */ + d0 = u << 5; + d0 += 1664; + d0 *= 40318; + d0 >>= 27; + t[j] = d0 & 0x1f; + } + + r[0] = (t[0] >> 0) | (t[1] << 5); + r[1] = (t[1] >> 3) | (t[2] << 2) | (t[3] << 7); + r[2] = (t[3] >> 1) | (t[4] << 4); + r[3] = (t[4] >> 4) | (t[5] << 1) | (t[6] << 6); + r[4] = (t[6] >> 2) | (t[7] << 3); + r += 5; } #else -#error "KYBER_POLYCOMPRESSEDBYTES needs to be in {96, 128, 160}" +#error "KYBER_POLYCOMPRESSEDBYTES needs to be in {128, 160}" #endif } 
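Review bot: The new normalisation `u += (u >> 15) & KYBER_Q;` in both branches right-shifts a possibly negative int16_t, which C11 leaves implementation-defined (GCC and Clang document an arithmetic shift), and it adds KYBER_Q at most once, so it only lands in [0, KYBER_Q) when every coefficient is already in (-KYBER_Q, KYBER_Q); neither assumption is recorded, and the header comment above the hunk still describes `a` merely as the polynomial to be serialized. A comment on the first such line, e.g. `/* coefficients assumed in (-KYBER_Q, KYBER_Q); the arithmetic shift of the sign bit adds KYBER_Q to negatives only */`, would make the contract explicit for callers of poly_compress. The same lines recur in poly_compress of kyber768/m4fspeed and kyber768/m4fstack below. The function's doc comment begins above the hunk.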
@@ -107,13 +125,24 @@ void poly_decompress(poly *r, const unsigned char *a) **************************************************/ void poly_packcompress(unsigned char *r, poly *a, int i) { int j, k; + uint64_t d0; #if (KYBER_POLYVECCOMPRESSEDBYTES == (KYBER_K * 352)) uint16_t t[8]; for(j=0;jcoeffs[8*j+k] << 11) + KYBER_Q/2) / KYBER_Q) & 0x7ff; + for(k=0;k<8;k++) { + t[k] = a->coeffs[8*j+k]; + t[k] += ((int16_t)t[k] >> 15) & KYBER_Q; +/* t[k] = ((((uint32_t)t[k] << 11) + KYBER_Q/2)/KYBER_Q) & 0x7ff; */ + d0 = t[k]; + d0 <<= 11; + d0 += 1664; + d0 *= 645084; + d0 >>= 31; + t[k] = d0 & 0x7ff; + } + r[352*i+11*j+ 0] = t[0] & 0xff; r[352*i+11*j+ 1] = (t[0] >> 8) | ((t[1] & 0x1f) << 3); @@ -131,9 +160,17 @@ void poly_packcompress(unsigned char *r, poly *a, int i) { uint16_t t[4]; for (j = 0; j < KYBER_N / 4; j++) { - for (k = 0; k < 4; k++) - t[k] = ((((uint32_t)a->coeffs[4 * j + k] << 10) + KYBER_Q / 2) / KYBER_Q) & 0x3ff; - + for(k=0;k<4;k++) { + t[k] = a->coeffs[4*j+k]; + t[k] += ((int16_t)t[k] >> 15) & KYBER_Q; + /* t[k] = ((((uint32_t)t[k] << 10) + KYBER_Q/2)/ KYBER_Q) & 0x3ff; */ + d0 = t[k]; + d0 <<= 10; + d0 += 1665; + d0 *= 1290167; + d0 >>= 32; + t[k] = d0 & 0x3ff; + } r[320*i+5*j+0] = t[0] & 0xff; r[320*i+5*j+1] = (t[0] >> 8) | ((t[1] & 0x3f) << 2); r[320*i+5*j+2] = ((t[1] >> 6) | ((t[2] & 0x0f) << 4)) & 0xff; 
@@ -194,14 +231,24 @@ void poly_unpackdecompress(poly *r, const unsigned char *a, int i) { **************************************************/ int cmp_poly_compress(const unsigned char *r, poly *a) { unsigned char rc = 0; + int16_t u; + uint32_t d0; uint8_t t[8]; int i, j, k = 0; #if (KYBER_POLYCOMPRESSEDBYTES == 128) for (i = 0; i < KYBER_N; i += 8) { - for (j = 0; j < 8; j++) - t[j] = ((((uint32_t)a->coeffs[i + j] << 4) + KYBER_Q / 2) / KYBER_Q) & 15; - + for(j=0;j<8;j++) { + // map to positive standard representatives + u = a->coeffs[8*i+j]; + u += (u >> 15) & KYBER_Q; +/* t[j] = ((((uint16_t)u << 4) + KYBER_Q/2)/KYBER_Q) & 15; */ + d0 = u << 4; + d0 += 1665; + d0 *= 80635; + d0 >>= 28; + t[j] = d0 & 0xf; + } rc |= r[k] ^ (t[0] | (t[1] << 4)); rc |= r[k + 1] ^ (t[2] | (t[3] << 4)); rc |= r[k + 2] ^ (t[4] | (t[5] << 4)); @@ -211,8 +258,18 @@ int cmp_poly_compress(const unsigned char *r, poly *a) { #elif (KYBER_POLYCOMPRESSEDBYTES == 160) for(i=0;icoeffs[i+j] << 5) + KYBER_Q/2) / KYBER_Q) & 31; + for(j=0;j<8;j++) { + // map to positive standard representatives + u = a->coeffs[8*i+j]; + u += (u >> 15) & KYBER_Q; +/* t[j] = ((((uint32_t)u << 5) + KYBER_Q/2)/KYBER_Q) & 31; */ + d0 = u << 5; + d0 += 1664; + d0 *= 40318; + d0 >>= 27; + t[j] = d0 & 0x1f; + } + rc |= r[k] ^ (t[0] | (t[1] << 5)); rc |= r[k+1] ^ ((t[1] >> 3) | (t[2] << 2) | (t[3] << 7)); @@ -222,7 +279,7 @@ int cmp_poly_compress(const unsigned char *r, poly *a) { k += 5; } #else -#error "KYBER_POLYCOMPRESSEDBYTES needs to be in {96, 128, 160}" +#error "KYBER_POLYCOMPRESSEDBYTES needs to be in {128, 160}" #endif return rc; } 
@@ -241,13 +298,23 @@ int cmp_poly_compress(const unsigned char *r, poly *a) { int cmp_poly_packcompress(const unsigned char *r, poly *a, int i) { unsigned char rc = 0; int j, k; + uint64_t d0; #if (KYBER_POLYVECCOMPRESSEDBYTES == (KYBER_K * 352)) uint16_t t[8]; for(j=0;jcoeffs[8*j+k] << 11) + KYBER_Q/2) / KYBER_Q) & 0x7ff; + for(k=0;k<8;k++) { + t[k] = a->coeffs[8*j+k]; + t[k] += ((int16_t)t[k] >> 15) & KYBER_Q; +/* t[k] = ((((uint32_t)t[k] << 11) + KYBER_Q/2)/KYBER_Q) & 0x7ff; */ + d0 = t[k]; + d0 <<= 11; + d0 += 1664; + d0 *= 645084; + d0 >>= 31; + t[k] = d0 & 0x7ff; + } rc |= r[352*i+11*j+ 0] ^ (t[0] & 0xff); rc |= r[352*i+11*j+ 1] ^ ((t[0] >> 8) | ((t[1] & 0x1f) << 3)); @@ -264,8 +331,17 @@ int cmp_poly_packcompress(const unsigned char *r, poly *a, int i) { #elif (KYBER_POLYVECCOMPRESSEDBYTES == (KYBER_K * 320)) uint16_t t[4]; for (j = 0; j < KYBER_N / 4; j++) { - for (k = 0; k < 4; k++) - t[k] = ((((uint32_t)a->coeffs[4 * j + k] << 10) + KYBER_Q / 2) / KYBER_Q) & 0x3ff; + for(k=0;k<4;k++) { + t[k] = a->coeffs[4*j+k]; + t[k] += ((int16_t)t[k] >> 15) & KYBER_Q; + /* t[k] = ((((uint32_t)t[k] << 10) + KYBER_Q/2)/ KYBER_Q) & 0x3ff; */ + d0 = t[k]; + d0 <<= 10; + d0 += 1665; + d0 *= 1290167; + d0 >>= 32; + t[k] = d0 & 0x3ff; + } rc |= r[320*i+5*j+0] ^ (t[0] & 0xff); rc |= r[320*i+5*j+1] ^ ((t[0] >> 8) | ((t[1] & 0x3f) << 2)); diff --git a/crypto_kem/kyber512/m4fstack/poly.h b/crypto_kem/kyber512/m4fstack/poly.h index 2a58b678..d62e9661 100644 --- a/crypto_kem/kyber512/m4fstack/poly.h +++ b/crypto_kem/kyber512/m4fstack/poly.h @@ -18,7 +18,7 @@ typedef struct { int16_t coeffs[KYBER_N]; } poly; -void poly_compress(unsigned char *r, poly *a); +void poly_compress(unsigned char *r, const poly *a); void poly_decompress(poly *r, const unsigned char *a); void poly_packcompress(unsigned char *r, poly *a, int i); diff --git a/crypto_kem/kyber768/m4fspeed/poly.c b/crypto_kem/kyber768/m4fspeed/poly.c index d7c63bc6..9864534a 100644 --- a/crypto_kem/kyber768/m4fspeed/poly.c 
+++ b/crypto_kem/kyber768/m4fspeed/poly.c @@ -16,35 +16,53 @@ * Arguments: - unsigned char *r: pointer to output byte array (of length KYBER_POLYCOMPRESSEDBYTES) * - const poly *a: pointer to input polynomial to be serialized *************************************************/ -void poly_compress(unsigned char *r, poly *a) +void poly_compress(unsigned char *r, const poly *a) { + unsigned int i,j; + int16_t u; + uint32_t d0; uint8_t t[8]; - int i,j,k=0; #if (KYBER_POLYCOMPRESSEDBYTES == 128) - for(i=0;icoeffs[i+j] << 4) + KYBER_Q/2) / KYBER_Q) & 15; - - r[k] = t[0] | (t[1] << 4); - r[k+1] = t[2] | (t[3] << 4); - r[k+2] = t[4] | (t[5] << 4); - r[k+3] = t[6] | (t[7] << 4); - k += 4; + for(i=0;icoeffs[8*i+j]; + u += (u >> 15) & KYBER_Q; +/* t[j] = ((((uint16_t)u << 4) + KYBER_Q/2)/KYBER_Q) & 15; */ + d0 = u << 4; + d0 += 1665; + d0 *= 80635; + d0 >>= 28; + t[j] = d0 & 0xf; + } + + r[0] = t[0] | (t[1] << 4); + r[1] = t[2] | (t[3] << 4); + r[2] = t[4] | (t[5] << 4); + r[3] = t[6] | (t[7] << 4); + r += 4; } #elif (KYBER_POLYCOMPRESSEDBYTES == 160) - for(i=0;icoeffs[i+j] << 5) + KYBER_Q/2) / KYBER_Q) & 31; - - r[k] = t[0] | (t[1] << 5); - r[k+1] = (t[1] >> 3) | (t[2] << 2) | (t[3] << 7); - r[k+2] = (t[3] >> 1) | (t[4] << 4); - r[k+3] = (t[4] >> 4) | (t[5] << 1) | (t[6] << 6); - r[k+4] = (t[6] >> 2) | (t[7] << 3); - k += 5; + for(i=0;icoeffs[8*i+j]; + u += (u >> 15) & KYBER_Q; +/* t[j] = ((((uint32_t)u << 5) + KYBER_Q/2)/KYBER_Q) & 31; */ + d0 = u << 5; + d0 += 1664; + d0 *= 40318; + d0 >>= 27; + t[j] = d0 & 0x1f; + } + + r[0] = (t[0] >> 0) | (t[1] << 5); + r[1] = (t[1] >> 3) | (t[2] << 2) | (t[3] << 7); + r[2] = (t[3] >> 1) | (t[4] << 4); + r[3] = (t[4] >> 4) | (t[5] << 1) | (t[6] << 6); + r[4] = (t[6] >> 2) | (t[7] << 3); + r += 5; } #else #error "KYBER_POLYCOMPRESSEDBYTES needs to be in {128, 160}" 
@@ -107,13 +125,24 @@ void poly_decompress(poly *r, const unsigned char *a) **************************************************/ void poly_packcompress(unsigned char *r, poly *a, int i) { int j, k; + uint64_t d0; #if (KYBER_POLYVECCOMPRESSEDBYTES == (KYBER_K * 352)) uint16_t t[8]; for(j=0;jcoeffs[8*j+k] << 11) + KYBER_Q/2) / KYBER_Q) & 0x7ff; + for(k=0;k<8;k++) { + t[k] = a->coeffs[8*j+k]; + t[k] += ((int16_t)t[k] >> 15) & KYBER_Q; +/* t[k] = ((((uint32_t)t[k] << 11) + KYBER_Q/2)/KYBER_Q) & 0x7ff; */ + d0 = t[k]; + d0 <<= 11; + d0 += 1664; + d0 *= 645084; + d0 >>= 31; + t[k] = d0 & 0x7ff; + } + r[352*i+11*j+ 0] = t[0] & 0xff; r[352*i+11*j+ 1] = (t[0] >> 8) | ((t[1] & 0x1f) << 3); @@ -131,9 +160,17 @@ void poly_packcompress(unsigned char *r, poly *a, int i) { uint16_t t[4]; for (j = 0; j < KYBER_N / 4; j++) { - for (k = 0; k < 4; k++) - t[k] = ((((uint32_t)a->coeffs[4 * j + k] << 10) + KYBER_Q / 2) / KYBER_Q) & 0x3ff; - + for(k=0;k<4;k++) { + t[k] = a->coeffs[4*j+k]; + t[k] += ((int16_t)t[k] >> 15) & KYBER_Q; + /* t[k] = ((((uint32_t)t[k] << 10) + KYBER_Q/2)/ KYBER_Q) & 0x3ff; */ + d0 = t[k]; + d0 <<= 10; + d0 += 1665; + d0 *= 1290167; + d0 >>= 32; + t[k] = d0 & 0x3ff; + } r[320*i+5*j+0] = t[0] & 0xff; r[320*i+5*j+1] = (t[0] >> 8) | ((t[1] & 0x3f) << 2); r[320*i+5*j+2] = ((t[1] >> 6) | ((t[2] & 0x0f) << 4)) & 0xff; 
@@ -194,14 +231,24 @@ void poly_unpackdecompress(poly *r, const unsigned char *a, int i) { **************************************************/ int cmp_poly_compress(const unsigned char *r, poly *a) { unsigned char rc = 0; + int16_t u; + uint32_t d0; uint8_t t[8]; int i, j, k = 0; #if (KYBER_POLYCOMPRESSEDBYTES == 128) for (i = 0; i < KYBER_N; i += 8) { - for (j = 0; j < 8; j++) - t[j] = ((((uint32_t)a->coeffs[i + j] << 4) + KYBER_Q / 2) / KYBER_Q) & 15; - + for(j=0;j<8;j++) { + // map to positive standard representatives + u = a->coeffs[8*i+j]; + u += (u >> 15) & KYBER_Q; +/* t[j] = ((((uint16_t)u << 4) + KYBER_Q/2)/KYBER_Q) & 15; */ + d0 = u << 4; + d0 += 1665; + d0 *= 80635; + d0 >>= 28; + t[j] = d0 & 0xf; + } rc |= r[k] ^ (t[0] | (t[1] << 4)); rc |= r[k + 1] ^ (t[2] | (t[3] << 4)); rc |= r[k + 2] ^ (t[4] | (t[5] << 4)); @@ -211,8 +258,18 @@ int cmp_poly_compress(const unsigned char *r, poly *a) { #elif (KYBER_POLYCOMPRESSEDBYTES == 160) for(i=0;icoeffs[i+j] << 5) + KYBER_Q/2) / KYBER_Q) & 31; + for(j=0;j<8;j++) { + // map to positive standard representatives + u = a->coeffs[8*i+j]; + u += (u >> 15) & KYBER_Q; +/* t[j] = ((((uint32_t)u << 5) + KYBER_Q/2)/KYBER_Q) & 31; */ + d0 = u << 5; + d0 += 1664; + d0 *= 40318; + d0 >>= 27; + t[j] = d0 & 0x1f; + } + rc |= r[k] ^ (t[0] | (t[1] << 5)); rc |= r[k+1] ^ ((t[1] >> 3) | (t[2] << 2) | (t[3] << 7)); 
@@ -241,13 +298,23 @@ int cmp_poly_compress(const unsigned char *r, poly *a) { int cmp_poly_packcompress(const unsigned char *r, poly *a, int i) { unsigned char rc = 0; int j, k; + uint64_t d0; #if (KYBER_POLYVECCOMPRESSEDBYTES == (KYBER_K * 352)) uint16_t t[8]; for(j=0;jcoeffs[8*j+k] << 11) + KYBER_Q/2) / KYBER_Q) & 0x7ff; + for(k=0;k<8;k++) { + t[k] = a->coeffs[8*j+k]; + t[k] += ((int16_t)t[k] >> 15) & KYBER_Q; +/* t[k] = ((((uint32_t)t[k] << 11) + KYBER_Q/2)/KYBER_Q) & 0x7ff; */ + d0 = t[k]; + d0 <<= 11; + d0 += 1664; + d0 *= 645084; + d0 >>= 31; + t[k] = d0 & 0x7ff; + } rc |= r[352*i+11*j+ 0] ^ (t[0] & 0xff); rc |= r[352*i+11*j+ 1] ^ ((t[0] >> 8) | ((t[1] & 0x1f) << 3)); @@ -264,8 +331,17 @@ int cmp_poly_packcompress(const unsigned char *r, poly *a, int i) { #elif (KYBER_POLYVECCOMPRESSEDBYTES == (KYBER_K * 320)) uint16_t t[4]; for (j = 0; j < KYBER_N / 4; j++) { - for (k = 0; k < 4; k++) - t[k] = ((((uint32_t)a->coeffs[4 * j + k] << 10) + KYBER_Q / 2) / KYBER_Q) & 0x3ff; + for(k=0;k<4;k++) { + t[k] = a->coeffs[4*j+k]; + t[k] += ((int16_t)t[k] >> 15) & KYBER_Q; + /* t[k] = ((((uint32_t)t[k] << 10) + KYBER_Q/2)/ KYBER_Q) & 0x3ff; */ + d0 = t[k]; + d0 <<= 10; + d0 += 1665; + d0 *= 1290167; + d0 >>= 32; + t[k] = d0 & 0x3ff; + } rc |= r[320*i+5*j+0] ^ (t[0] & 0xff); rc |= r[320*i+5*j+1] ^ ((t[0] >> 8) | ((t[1] & 0x3f) << 2)); diff --git a/crypto_kem/kyber768/m4fspeed/poly.h b/crypto_kem/kyber768/m4fspeed/poly.h index 4c7b1e47..fc61dd51 100644 --- a/crypto_kem/kyber768/m4fspeed/poly.h +++ b/crypto_kem/kyber768/m4fspeed/poly.h @@ -16,7 +16,7 @@ typedef struct { int16_t coeffs[KYBER_N]; } poly; -void poly_compress(unsigned char *r, poly *a); +void poly_compress(unsigned char *r, const poly *a); void poly_decompress(poly *r, const unsigned char *a); void poly_packcompress(unsigned char *r, poly *a, int i); diff --git a/crypto_kem/kyber768/m4fspeed/polyvec.c b/crypto_kem/kyber768/m4fspeed/polyvec.c index b1e387a2..a405e919 100644 
--- a/crypto_kem/kyber768/m4fspeed/polyvec.c
+++ b/crypto_kem/kyber768/m4fspeed/polyvec.c
@@ -7,52 +7,68 @@ * * Description: Compress and serialize vector of polynomials * -* Arguments: - unsigned char *r: pointer to output byte array (needs space for KYBER_POLYVECCOMPRESSEDBYTES) +* Arguments: - uint8_t *r: pointer to output byte array +* (needs space for KYBER_POLYVECCOMPRESSEDBYTES) * - const polyvec *a: pointer to input vector of polynomials **************************************************/ -void polyvec_compress(unsigned char *r, polyvec *a) +void polyvec_compress(unsigned char *r, const polyvec *a) { - int i,j,k; + unsigned int i,j,k; + uint64_t d0; #if (KYBER_POLYVECCOMPRESSEDBYTES == (KYBER_K * 352)) uint16_t t[8]; - for(i=0;ivec[i].coeffs[8*j+k] << 11) + KYBER_Q/2) / KYBER_Q) & 0x7ff; + for(i=0;ivec[i].coeffs[8*j+k]; + t[k] += ((int16_t)t[k] >> 15) & KYBER_Q; +/* t[k] = ((((uint32_t)t[k] << 11) + KYBER_Q/2)/KYBER_Q) & 0x7ff; */ + d0 = t[k]; + d0 <<= 11; + d0 += 1664; + d0 *= 645084; + d0 >>= 31; + t[k] = d0 & 0x7ff; + } - r[11*j+ 0] = t[0] & 0xff; - r[11*j+ 1] = (t[0] >> 8) | ((t[1] & 0x1f) << 3); - r[11*j+ 2] = (t[1] >> 5) | ((t[2] & 0x03) << 6); - r[11*j+ 3] = (t[2] >> 2) & 0xff; - r[11*j+ 4] = (t[2] >> 10) | ((t[3] & 0x7f) << 1); - r[11*j+ 5] = (t[3] >> 7) | ((t[4] & 0x0f) << 4); - r[11*j+ 6] = (t[4] >> 4) | ((t[5] & 0x01) << 7); - r[11*j+ 7] = (t[5] >> 1) & 0xff; - r[11*j+ 8] = (t[5] >> 9) | ((t[6] & 0x3f) << 2); - r[11*j+ 9] = (t[6] >> 6) | ((t[7] & 0x07) << 5); - r[11*j+10] = (t[7] >> 3); + r[ 0] = (t[0] >> 0); + r[ 1] = (t[0] >> 8) | (t[1] << 3); + r[ 2] = (t[1] >> 5) | (t[2] << 6); + r[ 3] = (t[2] >> 2); + r[ 4] = (t[2] >> 10) | (t[3] << 1); + r[ 5] = (t[3] >> 7) | (t[4] << 4); + r[ 6] = (t[4] >> 4) | (t[5] << 7); + r[ 7] = (t[5] >> 1); + r[ 8] = (t[5] >> 9) | (t[6] << 2); + r[ 9] = (t[6] >> 6) | (t[7] << 5); + r[10] = (t[7] >> 3); + r += 11; } - r += 352; } #elif (KYBER_POLYVECCOMPRESSEDBYTES == (KYBER_K * 320)) uint16_t t[4]; - for(i=0;ivec[i].coeffs[4*j+k] << 10) + KYBER_Q/2) / KYBER_Q) & 0x3ff; + for(i=0;ivec[i].coeffs[4*j+k]; + 
t[k] += ((int16_t)t[k] >> 15) & KYBER_Q; +/* t[k] = ((((uint32_t)t[k] << 10) + KYBER_Q/2)/ KYBER_Q) & 0x3ff; */ + d0 = t[k]; + d0 <<= 10; + d0 += 1665; + d0 *= 1290167; + d0 >>= 32; + t[k] = d0 & 0x3ff; + } - r[5*j+ 0] = t[0] & 0xff; - r[5*j+ 1] = (t[0] >> 8) | ((t[1] & 0x3f) << 2); - r[5*j+ 2] = (t[1] >> 6) | ((t[2] & 0x0f) << 4); - r[5*j+ 3] = (t[2] >> 4) | ((t[3] & 0x03) << 6); - r[5*j+ 4] = (t[3] >> 2); + r[0] = (t[0] >> 0); + r[1] = (t[0] >> 8) | (t[1] << 2); + r[2] = (t[1] >> 6) | (t[2] << 4); + r[3] = (t[2] >> 4) | (t[3] << 6); + r[4] = (t[3] >> 2); + r += 5; } - r += 320; } #else #error "KYBER_POLYVECCOMPRESSEDBYTES needs to be in {320*KYBER_K, 352*KYBER_K}" diff --git a/crypto_kem/kyber768/m4fspeed/polyvec.h b/crypto_kem/kyber768/m4fspeed/polyvec.h index 22713053..0be7873f 100644 --- a/crypto_kem/kyber768/m4fspeed/polyvec.h +++ b/crypto_kem/kyber768/m4fspeed/polyvec.h @@ -8,7 +8,7 @@ typedef struct { poly vec[KYBER_K]; } polyvec; -void polyvec_compress(unsigned char *r, polyvec *a); +void polyvec_compress(unsigned char *r, const polyvec *a); void polyvec_decompress(polyvec *r, const unsigned char *a); void polyvec_tobytes(unsigned char *r, polyvec *a); diff --git a/crypto_kem/kyber768/m4fstack/poly.c b/crypto_kem/kyber768/m4fstack/poly.c index 84b1deb8..91fab840 100644 --- a/crypto_kem/kyber768/m4fstack/poly.c +++ b/crypto_kem/kyber768/m4fstack/poly.c 
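Review bot: The rewritten header comment now documents the output as `uint8_t *r` while the changed signature a few lines below keeps `unsigned char *r`, and the polyvec.h hunk further down still declares `unsigned char *r` too; one of the two should change, the smaller fix being `* Arguments: - unsigned char *r: pointer to output byte array`. The new packing lines such as `r[ 1] = (t[0] >> 8) | (t[1] << 3);` drop the explicit `& 0x1f`-style masks of the removed lines and rely on the narrowing store into unsigned char to discard the high bits, which is correct but trips -Wconversion and is worth a one-line comment (`/* narrowing store discards bits above 8 on purpose */`). The multiply-and-shift constants also appear here without the explanation suggested for poly_packcompress. The hunk spans the whole polyvec_compress body except the start of its doc header.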
@@ -16,35 +16,53 @@ * Arguments: - unsigned char *r: pointer to output byte array (of length KYBER_POLYCOMPRESSEDBYTES) * - const poly *a: pointer to input polynomial to be serialized *************************************************/ -void poly_compress(unsigned char *r, poly *a) +void poly_compress(unsigned char *r, const poly *a) { + unsigned int i,j; + int16_t u; + uint32_t d0; uint8_t t[8]; - int i,j,k=0; #if (KYBER_POLYCOMPRESSEDBYTES == 128) - for(i=0;icoeffs[i+j] << 4) + KYBER_Q/2) / KYBER_Q) & 15; - - r[k] = t[0] | (t[1] << 4); - r[k+1] = t[2] | (t[3] << 4); - r[k+2] = t[4] | (t[5] << 4); - r[k+3] = t[6] | (t[7] << 4); - k += 4; + for(i=0;icoeffs[8*i+j]; + u += (u >> 15) & KYBER_Q; +/* t[j] = ((((uint16_t)u << 4) + KYBER_Q/2)/KYBER_Q) & 15; */ + d0 = u << 4; + d0 += 1665; + d0 *= 80635; + d0 >>= 28; + t[j] = d0 & 0xf; + } + + r[0] = t[0] | (t[1] << 4); + r[1] = t[2] | (t[3] << 4); + r[2] = t[4] | (t[5] << 4); + r[3] = t[6] | (t[7] << 4); + r += 4; } #elif (KYBER_POLYCOMPRESSEDBYTES == 160) - for(i=0;icoeffs[i+j] << 5) + KYBER_Q/2) / KYBER_Q) & 31; - - r[k] = t[0] | (t[1] << 5); - r[k+1] = (t[1] >> 3) | (t[2] << 2) | (t[3] << 7); - r[k+2] = (t[3] >> 1) | (t[4] << 4); - r[k+3] = (t[4] >> 4) | (t[5] << 1) | (t[6] << 6); - r[k+4] = (t[6] >> 2) | (t[7] << 3); - k += 5; + for(i=0;icoeffs[8*i+j]; + u += (u >> 15) & KYBER_Q; +/* t[j] = ((((uint32_t)u << 5) + KYBER_Q/2)/KYBER_Q) & 31; */ + d0 = u << 5; + d0 += 1664; + d0 *= 40318; + d0 >>= 27; + t[j] = d0 & 0x1f; + } + + r[0] = (t[0] >> 0) | (t[1] << 5); + r[1] = (t[1] >> 3) | (t[2] << 2) | (t[3] << 7); + r[2] = (t[3] >> 1) | (t[4] << 4); + r[3] = (t[4] >> 4) | (t[5] << 1) | (t[6] << 6); + r[4] = (t[6] >> 2) | (t[7] << 3); + r += 5; } #else #error "KYBER_POLYCOMPRESSEDBYTES needs to be in {128, 160}" 
@@ -107,13 +125,24 @@ void poly_decompress(poly *r, const unsigned char *a) **************************************************/ void poly_packcompress(unsigned char *r, poly *a, int i) { int j, k; + uint64_t d0; #if (KYBER_POLYVECCOMPRESSEDBYTES == (KYBER_K * 352)) uint16_t t[8]; for(j=0;jcoeffs[8*j+k] << 11) + KYBER_Q/2) / KYBER_Q) & 0x7ff; + for(k=0;k<8;k++) { + t[k] = a->coeffs[8*j+k]; + t[k] += ((int16_t)t[k] >> 15) & KYBER_Q; +/* t[k] = ((((uint32_t)t[k] << 11) + KYBER_Q/2)/KYBER_Q) & 0x7ff; */ + d0 = t[k]; + d0 <<= 11; + d0 += 1664; + d0 *= 645084; + d0 >>= 31; + t[k] = d0 & 0x7ff; + } + r[352*i+11*j+ 0] = t[0] & 0xff; r[352*i+11*j+ 1] = (t[0] >> 8) | ((t[1] & 0x1f) << 3); @@ -131,9 +160,17 @@ void poly_packcompress(unsigned char *r, poly *a, int i) { uint16_t t[4]; for (j = 0; j < KYBER_N / 4; j++) { - for (k = 0; k < 4; k++) - t[k] = ((((uint32_t)a->coeffs[4 * j + k] << 10) + KYBER_Q / 2) / KYBER_Q) & 0x3ff; - + for(k=0;k<4;k++) { + t[k] = a->coeffs[4*j+k]; + t[k] += ((int16_t)t[k] >> 15) & KYBER_Q; + /* t[k] = ((((uint32_t)t[k] << 10) + KYBER_Q/2)/ KYBER_Q) & 0x3ff; */ + d0 = t[k]; + d0 <<= 10; + d0 += 1665; + d0 *= 1290167; + d0 >>= 32; + t[k] = d0 & 0x3ff; + } r[320*i+5*j+0] = t[0] & 0xff; r[320*i+5*j+1] = (t[0] >> 8) | ((t[1] & 0x3f) << 2); r[320*i+5*j+2] = ((t[1] >> 6) | ((t[2] & 0x0f) << 4)) & 0xff; 
@@ -194,14 +231,24 @@ void poly_unpackdecompress(poly *r, const unsigned char *a, int i) { **************************************************/ int cmp_poly_compress(const unsigned char *r, poly *a) { unsigned char rc = 0; + int16_t u; + uint32_t d0; uint8_t t[8]; int i, j, k = 0; #if (KYBER_POLYCOMPRESSEDBYTES == 128) for (i = 0; i < KYBER_N; i += 8) { - for (j = 0; j < 8; j++) - t[j] = ((((uint32_t)a->coeffs[i + j] << 4) + KYBER_Q / 2) / KYBER_Q) & 15; - + for(j=0;j<8;j++) { + // map to positive standard representatives + u = a->coeffs[8*i+j]; + u += (u >> 15) & KYBER_Q; +/* t[j] = ((((uint16_t)u << 4) + KYBER_Q/2)/KYBER_Q) & 15; */ + d0 = u << 4; + d0 += 1665; + d0 *= 80635; + d0 >>= 28; + t[j] = d0 & 0xf; + } rc |= r[k] ^ (t[0] | (t[1] << 4)); rc |= r[k + 1] ^ (t[2] | (t[3] << 4)); rc |= r[k + 2] ^ (t[4] | (t[5] << 4)); @@ -211,8 +258,18 @@ int cmp_poly_compress(const unsigned char *r, poly *a) { #elif (KYBER_POLYCOMPRESSEDBYTES == 160) for(i=0;icoeffs[i+j] << 5) + KYBER_Q/2) / KYBER_Q) & 31; + for(j=0;j<8;j++) { + // map to positive standard representatives + u = a->coeffs[8*i+j]; + u += (u >> 15) & KYBER_Q; +/* t[j] = ((((uint32_t)u << 5) + KYBER_Q/2)/KYBER_Q) & 31; */ + d0 = u << 5; + d0 += 1664; + d0 *= 40318; + d0 >>= 27; + t[j] = d0 & 0x1f; + } + rc |= r[k] ^ (t[0] | (t[1] << 5)); rc |= r[k+1] ^ ((t[1] >> 3) | (t[2] << 2) | (t[3] << 7)); 
@@ -241,13 +298,23 @@ int cmp_poly_compress(const unsigned char *r, poly *a) { int cmp_poly_packcompress(const unsigned char *r, poly *a, int i) { unsigned char rc = 0; int j, k; + uint64_t d0; #if (KYBER_POLYVECCOMPRESSEDBYTES == (KYBER_K * 352)) uint16_t t[8]; for(j=0;jcoeffs[8*j+k] << 11) + KYBER_Q/2) / KYBER_Q) & 0x7ff; + for(k=0;k<8;k++) { + t[k] = a->coeffs[8*j+k]; + t[k] += ((int16_t)t[k] >> 15) & KYBER_Q; +/* t[k] = ((((uint32_t)t[k] << 11) + KYBER_Q/2)/KYBER_Q) & 0x7ff; */ + d0 = t[k]; + d0 <<= 11; + d0 += 1664; + d0 *= 645084; + d0 >>= 31; + t[k] = d0 & 0x7ff; + } rc |= r[352*i+11*j+ 0] ^ (t[0] & 0xff); rc |= r[352*i+11*j+ 1] ^ ((t[0] >> 8) | ((t[1] & 0x1f) << 3)); @@ -264,8 +331,17 @@ int cmp_poly_packcompress(const unsigned char *r, poly *a, int i) { #elif (KYBER_POLYVECCOMPRESSEDBYTES == (KYBER_K * 320)) uint16_t t[4]; for (j = 0; j < KYBER_N / 4; j++) { - for (k = 0; k < 4; k++) - t[k] = ((((uint32_t)a->coeffs[4 * j + k] << 10) + KYBER_Q / 2) / KYBER_Q) & 0x3ff; + for(k=0;k<4;k++) { + t[k] = a->coeffs[4*j+k]; + t[k] += ((int16_t)t[k] >> 15) & KYBER_Q; + /* t[k] = ((((uint32_t)t[k] << 10) + KYBER_Q/2)/ KYBER_Q) & 0x3ff; */ + d0 = t[k]; + d0 <<= 10; + d0 += 1665; + d0 *= 1290167; + d0 >>= 32; + t[k] = d0 & 0x3ff; + } rc |= r[320*i+5*j+0] ^ (t[0] & 0xff); rc |= r[320*i+5*j+1] ^ ((t[0] >> 8) | ((t[1] & 0x3f) << 2)); diff --git a/crypto_kem/kyber768/m4fstack/poly.h b/crypto_kem/kyber768/m4fstack/poly.h index 3aef4c45..635abe9f 100644 --- a/crypto_kem/kyber768/m4fstack/poly.h +++ b/crypto_kem/kyber768/m4fstack/poly.h @@ -16,7 +16,7 @@ typedef struct { int16_t coeffs[KYBER_N]; } poly; -void poly_compress(unsigned char *r, poly *a); +void poly_compress(unsigned char *r, const poly *a); void poly_decompress(poly *r, const unsigned char *a); void poly_packcompress(unsigned char *r, poly *a, int i); From 0fa8f561d410d9032b9c27052840d89ffb4a33c4 Mon Sep 17 00:00:00 2001 
From: "Matthias J. Kannwischer" Date: Fri, 23 Feb 2024 13:14:13 +0800 Subject: [PATCH 5/7] Dilithium compatibility with NIST draft --- crypto_sign/dilithium2/m4f/packing.c | 39 +++++++++++++------------- crypto_sign/dilithium2/m4f/packing.h | 10 +++---- crypto_sign/dilithium2/m4f/params.h | 15 ++++++---- crypto_sign/dilithium2/m4f/poly.c | 6 ++-- crypto_sign/dilithium2/m4f/polyvec.c | 3 +- crypto_sign/dilithium2/m4f/sign.c | 41 ++++++++++++++-------------- 6 files changed, 59 insertions(+), 55 deletions(-) diff --git a/crypto_sign/dilithium2/m4f/packing.c b/crypto_sign/dilithium2/m4f/packing.c index 869822c4..8aaff2a3 100644 --- a/crypto_sign/dilithium2/m4f/packing.c +++ b/crypto_sign/dilithium2/m4f/packing.c @@ -64,7 +64,7 @@ void unpack_pk(uint8_t rho[SEEDBYTES], **************************************************/ void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES], const uint8_t rho[SEEDBYTES], - const uint8_t tr[SEEDBYTES], + const uint8_t tr[TRBYTES], const uint8_t key[SEEDBYTES], const polyveck *t0, const polyvecl *s1, @@ -80,9 +80,9 @@ void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES], sk[i] = key[i]; sk += SEEDBYTES; - for(i = 0; i < SEEDBYTES; ++i) + for(i = 0; i < TRBYTES; ++i) sk[i] = tr[i]; - sk += SEEDBYTES; + sk += TRBYTES; for(i = 0; i < L; ++i) polyeta_pack(sk + i*POLYETA_PACKEDBYTES, &s1->vec[i]); @@ -110,7 +110,7 @@ void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES], * - uint8_t sk[]: byte array containing bit-packed sk **************************************************/ void unpack_sk(uint8_t rho[SEEDBYTES], - uint8_t tr[SEEDBYTES], + uint8_t tr[TRBYTES], uint8_t key[SEEDBYTES], polyveck *t0, smallpoly s1[L], @@ -127,9 +127,9 @@ void unpack_sk(uint8_t rho[SEEDBYTES], key[i] = sk[i]; sk += SEEDBYTES; - for(i = 0; i < SEEDBYTES; ++i) + for(i = 0; i < TRBYTES; ++i) tr[i] = sk[i]; - sk += SEEDBYTES; + sk += TRBYTES; for(i=0; i < L; ++i) small_polyeta_unpack(&s1[i], sk + i*POLYETA_PACKEDBYTES); 
@@ -143,6 +143,7 @@ void unpack_sk(uint8_t rho[SEEDBYTES], polyt0_unpack(&t0->vec[i], sk + i*POLYT0_PACKEDBYTES); } + /************************************************* * Name: pack_sig * @@ -154,15 +155,15 @@ void unpack_sk(uint8_t rho[SEEDBYTES], * - const polyveck *h: pointer to hint vector h **************************************************/ void pack_sig(uint8_t sig[CRYPTO_BYTES], - const uint8_t c[SEEDBYTES], + const uint8_t c[CTILDEBYTES], const polyvecl *z, const polyveck *h) { unsigned int i, j, k; - for(i=0; i < SEEDBYTES; ++i) + for(i=0; i < CTILDEBYTES; ++i) sig[i] = c[i]; - sig += SEEDBYTES; + sig += CTILDEBYTES; for(i = 0; i < L; ++i) polyz_pack(sig + i*POLYZ_PACKEDBYTES, &z->vec[i]); @@ -183,20 +184,20 @@ void pack_sig(uint8_t sig[CRYPTO_BYTES], } void pack_sig_c(uint8_t sig[CRYPTO_BYTES], - const uint8_t c[SEEDBYTES]) + const uint8_t c[CTILDEBYTES]) { unsigned int i; - for(i=0; i < SEEDBYTES; ++i) + for(i=0; i < CTILDEBYTES; ++i) sig[i] = c[i]; - sig += SEEDBYTES; + sig += CTILDEBYTES; } void pack_sig_z(uint8_t sig[CRYPTO_BYTES], const polyvecl *z) { unsigned int i; - sig += SEEDBYTES; + sig += CTILDEBYTES; for(i = 0; i < L; ++i) polyz_pack(sig + i*POLYZ_PACKEDBYTES, &z->vec[i]); } @@ -207,7 +208,7 @@ void pack_sig_h(unsigned char sig[CRYPTO_BYTES], const unsigned int idx, unsigned int *hints_written) { - sig += SEEDBYTES; + sig += CTILDEBYTES; sig += L*POLYZ_PACKEDBYTES; // Encode h @@ -222,7 +223,7 @@ void pack_sig_h(unsigned char sig[CRYPTO_BYTES], void pack_sig_h_zero(unsigned char sig[CRYPTO_BYTES], unsigned int *hints_written) { - sig += SEEDBYTES; + sig += CTILDEBYTES; sig += L * POLYZ_PACKEDBYTES; while (*hints_written < OMEGA) { sig[*hints_written] = 0; 
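Review bot: The hint offset is now spelled out as `sig += CTILDEBYTES; sig += L*POLYZ_PACKEDBYTES;` in pack_sig_z, pack_sig_h and pack_sig_h_zero (and unpack_sig below walks the same layout), so a future change of the signature layout has to be made in four places; a single constant, for example a constructed `#define SIG_HINTS_OFFSET (CTILDEBYTES + L*POLYZ_PACKEDBYTES)` in packing.h, would keep them in step. The first hunk on this line also adds a stray blank line after unpack_sk's closing brace, which is whitespace noise unrelated to the draft-compatibility change. pack_sig_h's body continues outside its hunk.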
@@ -243,16 +244,16 @@ void pack_sig_h_zero(unsigned char sig[CRYPTO_BYTES], * * Returns 1 in case of malformed signature; otherwise 0. **************************************************/ -int unpack_sig(uint8_t c[SEEDBYTES], +int unpack_sig(uint8_t c[CTILDEBYTES], polyvecl *z, polyveck *h, const uint8_t sig[CRYPTO_BYTES]) { unsigned int i, j, k; - for(i = 0; i < SEEDBYTES; ++i) + for(i = 0; i < CTILDEBYTES; ++i) c[i] = sig[i]; - sig += SEEDBYTES; + sig += CTILDEBYTES; for(i = 0; i < L; ++i) polyz_unpack(&z->vec[i], sig + i*POLYZ_PACKEDBYTES); @@ -282,4 +283,4 @@ int unpack_sig(uint8_t c[SEEDBYTES], return 1; return 0; -} +} \ No newline at end of file diff --git a/crypto_sign/dilithium2/m4f/packing.h b/crypto_sign/dilithium2/m4f/packing.h index 030d31c5..35553545 100644 --- a/crypto_sign/dilithium2/m4f/packing.h +++ b/crypto_sign/dilithium2/m4f/packing.h @@ -12,21 +12,21 @@ void pack_pk(uint8_t pk[CRYPTO_PUBLICKEYBYTES], const uint8_t rho[SEEDBYTES], co #define pack_sk DILITHIUM_NAMESPACE(pack_sk) void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES], const uint8_t rho[SEEDBYTES], - const uint8_t tr[SEEDBYTES], + const uint8_t tr[TRBYTES], const uint8_t key[SEEDBYTES], const polyveck *t0, const polyvecl *s1, const polyveck *s2); #define pack_sig DILITHIUM_NAMESPACE(pack_sig) -void pack_sig(uint8_t sig[CRYPTO_BYTES], const uint8_t c[SEEDBYTES], const polyvecl *z, const polyveck *h); +void pack_sig(uint8_t sig[CRYPTO_BYTES], const uint8_t c[CTILDEBYTES], const polyvecl *z, const polyveck *h); #define unpack_pk DILITHIUM_NAMESPACE(unpack_pk) void unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[CRYPTO_PUBLICKEYBYTES]); #define unpack_sk DILITHIUM_NAMESPACE(unpack_sk) void unpack_sk(uint8_t rho[SEEDBYTES], - uint8_t tr[SEEDBYTES], + uint8_t tr[TRBYTES], uint8_t key[SEEDBYTES], polyveck *t0, smallpoly s1[L], 
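Review bot: The last hunk of packing.c replaces `}` with `} \ No newline at end of file`, i.e. the commit strips the trailing newline from packing.c (and likewise from params.h at its final `#endif` further down), which is unrelated to the draft changes and will likely resurface as a spurious one-line diff in later edits; keep the final newline. The CTILDEBYTES substitutions in unpack_sig and in the packing.h prototypes are otherwise consistent with pack_sig above. unpack_sig's body continues outside the hunk.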
@@ -34,10 +34,10 @@ void unpack_sk(uint8_t rho[SEEDBYTES], const uint8_t sk[CRYPTO_SECRETKEYBYTES]); #define unpack_sig DILITHIUM_NAMESPACE(unpack_sig) -int unpack_sig(uint8_t c[SEEDBYTES], polyvecl *z, polyveck *h, const uint8_t sig[CRYPTO_BYTES]); +int unpack_sig(uint8_t c[CTILDEBYTES], polyvecl *z, polyveck *h, const uint8_t sig[CRYPTO_BYTES]); #define pack_sig_c DILITHIUM_NAMESPACE(pack_sig_c) -void pack_sig_c(uint8_t sig[CRYPTO_BYTES], const uint8_t c[SEEDBYTES]); +void pack_sig_c(uint8_t sig[CRYPTO_BYTES], const uint8_t c[CTILDEBYTES]); #define pack_sig_z DILITHIUM_NAMESPACE(pack_sig_z) void pack_sig_z(uint8_t sig[CRYPTO_BYTES], const polyvecl *z); diff --git a/crypto_sign/dilithium2/m4f/params.h b/crypto_sign/dilithium2/m4f/params.h index f51f901e..507de467 100644 --- a/crypto_sign/dilithium2/m4f/params.h +++ b/crypto_sign/dilithium2/m4f/params.h @@ -8,6 +8,8 @@ #define SEEDBYTES 32 #define CRHBYTES 64 +#define TRBYTES 64 +#define RNDBYTES 32 #define N 256 #define Q 8380417 #define D 13 @@ -22,7 +24,7 @@ #define GAMMA1 (1 << 17) #define GAMMA2 ((Q-1)/88) #define OMEGA 80 -#define CRYPTO_ALGNAME "Dilithium2" +#define CTILDEBYTES 32 #elif DILITHIUM_MODE == 3 #define K 6 @@ -33,7 +35,7 @@ #define GAMMA1 (1 << 19) #define GAMMA2 ((Q-1)/32) #define OMEGA 55 -#define CRYPTO_ALGNAME "Dilithium3" +#define CTILDEBYTES 48 #elif DILITHIUM_MODE == 5 #define K 8 @@ -44,7 +46,7 @@ #define GAMMA1 (1 << 19) #define GAMMA2 ((Q-1)/32) #define OMEGA 75 -#define CRYPTO_ALGNAME "Dilithium5" +#define CTILDEBYTES 64 #endif 
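Review bot: In the params.h hunks the three `#define CRYPTO_ALGNAME "DilithiumN"` lines are replaced by the per-mode CTILDEBYTES values rather than kept alongside them, so any code or test harness that prints CRYPTO_ALGNAME will fail to compile unless the macro is defined elsewhere (api.h is not shown here); if that is intended the commit message should say so, otherwise keep both lines. The new constants `TRBYTES 64`, `RNDBYTES 32` and `CTILDEBYTES 32/48/64` also carry no comment; a short one, e.g. `#define CTILDEBYTES 32 /* length of the challenge hash c~ in this mode, per the NIST draft */`, would tie the sizes to the spec. The packing.h hunk at the start of this line is consistent with the packing.c changes above.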
@@ -71,10 +73,11 @@ #endif #define CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES) -#define CRYPTO_SECRETKEYBYTES (3*SEEDBYTES \ +#define CRYPTO_SECRETKEYBYTES (2*SEEDBYTES \ + + TRBYTES \ + L*POLYETA_PACKEDBYTES \ + K*POLYETA_PACKEDBYTES \ + K*POLYT0_PACKEDBYTES) -#define CRYPTO_BYTES (SEEDBYTES + L*POLYZ_PACKEDBYTES + POLYVECH_PACKEDBYTES) +#define CRYPTO_BYTES (CTILDEBYTES + L*POLYZ_PACKEDBYTES + POLYVECH_PACKEDBYTES) -#endif +#endif \ No newline at end of file diff --git a/crypto_sign/dilithium2/m4f/poly.c b/crypto_sign/dilithium2/m4f/poly.c index eae636e2..0d40fda3 100644 --- a/crypto_sign/dilithium2/m4f/poly.c +++ b/crypto_sign/dilithium2/m4f/poly.c @@ -323,7 +323,7 @@ int poly_chknorm(const poly *a, int32_t B) { * * Description: Sample polynomial with uniformly random coefficients * in [0,Q-1] by performing rejection sampling on the -* output stream of SHAKE256(seed|nonce) or AES256CTR(seed,nonce). +* output stream of SHAKE256(seed|nonce). * * Arguments: - poly *a: pointer to output polynomial * - const uint8_t seed[]: byte array with seed of length SEEDBYTES @@ -409,7 +409,7 @@ static unsigned int rej_eta(int32_t *a, * * Description: Sample polynomial with uniformly random coefficients * in [-ETA,ETA] by performing rejection sampling on the -* output stream from SHAKE256(seed|nonce) or AES256CTR(seed,nonce). +* output stream from SHAKE256(seed|nonce). * * Arguments: - poly *a: pointer to output polynomial * - const uint8_t seed[]: byte array with seed of length SEEDBYTES @@ -444,7 +444,7 @@ void poly_uniform_eta(poly *a, * * Description: Sample polynomial with uniformly random coefficients * in [-(GAMMA1 - 1), GAMMA1] by unpacking output stream -* of SHAKE256(seed|nonce) or AES256CTR(seed,nonce). +* of SHAKE256(seed|nonce). * * Arguments: - poly *a: pointer to output polynomial * - const uint8_t seed[]: byte array with seed of length CRHBYTES 
diff --git a/crypto_sign/dilithium2/m4f/polyvec.c b/crypto_sign/dilithium2/m4f/polyvec.c index b19d0b9a..e20749c0 100644 --- a/crypto_sign/dilithium2/m4f/polyvec.c +++ b/crypto_sign/dilithium2/m4f/polyvec.c @@ -11,8 +11,7 @@ * * Description: Implementation of ExpandA. Generates matrix A with uniformly * random coefficients a_{i,j} by performing rejection -* sampling on the output stream of SHAKE128(rho|j|i) -* or AES256CTR(rho,j|i). +* sampling on the output stream of SHAKE128(rho|j|i). * * Arguments: - polyvecl mat[K]: output matrix * - const uint8_t rho[]: byte array containing seed rho diff --git a/crypto_sign/dilithium2/m4f/sign.c b/crypto_sign/dilithium2/m4f/sign.c index 0573f5d3..04bec45c 100644 --- a/crypto_sign/dilithium2/m4f/sign.c +++ b/crypto_sign/dilithium2/m4f/sign.c @@ -22,7 +22,7 @@ **************************************************/ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { uint8_t seedbuf[2*SEEDBYTES + CRHBYTES]; - uint8_t tr[SEEDBYTES]; + uint8_t tr[TRBYTES]; const uint8_t *rho, *rhoprime, *key; polyvecl mat[K]; polyvecl s1, s1hat; @@ -58,7 +58,7 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { pack_pk(pk, rho, &t1); /* Compute H(rho, t1) and write secret key */ - shake256(tr, SEEDBYTES, pk, CRYPTO_PUBLICKEYBYTES); + shake256(tr, TRBYTES, pk, CRYPTO_PUBLICKEYBYTES); pack_sk(sk, rho, tr, key, &t0, &s1, &s2); return 0; @@ -84,9 +84,10 @@ int crypto_sign_signature(uint8_t *sig, size_t mlen, const uint8_t *sk) { - uint8_t seedbuf[3*SEEDBYTES + 2*CRHBYTES]; - uint8_t *rho, *tr, *key, *mu, *rhoprime; + uint8_t seedbuf[2 * SEEDBYTES + TRBYTES + RNDBYTES + 2 * CRHBYTES]; + uint8_t *rho, *tr, *key, *mu, *rhoprime, *rnd; uint16_t nonce = 0; + unsigned int n; polyvecl mat[K], y, z; polyveck t0, w1, w0; poly cp; 
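Review bot: The new `uint8_t seedbuf[2 * SEEDBYTES + TRBYTES + RNDBYTES + 2 * CRHBYTES];` packs six values whose order must match both the pointer arithmetic and the later `shake256(rhoprime, CRHBYTES, key, SEEDBYTES + RNDBYTES + CRHBYTES)` call, which hashes `key || rnd || mu` as one contiguous span; nothing at the declaration records that invariant. A comment on the declaration such as `/* layout: rho | tr | key | rnd | mu | rhoprime; key, rnd and mu must stay adjacent because rhoprime = H(key || rnd || mu) is taken over that span */` would make the dependency visible to whoever next reorders the buffer. The pointer setup that relies on it is in a later hunk, and the rest of crypto_sign_signature lies outside this one.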
@@ -99,23 +100,23 @@ int crypto_sign_signature(uint8_t *sig, rho = seedbuf; tr = rho + SEEDBYTES; - key = tr + SEEDBYTES; - mu = key + SEEDBYTES; + key = tr + TRBYTES; + rnd = key + SEEDBYTES; + mu = rnd + RNDBYTES; rhoprime = mu + CRHBYTES; unpack_sk(rho, tr, key, &t0, s1_prime, s2_prime, sk); - /* Compute CRH(tr, msg) */ + /* Compute mu = CRH(tr, msg) */ shake256_inc_init(&state); - shake256_inc_absorb(&state, tr, SEEDBYTES); + shake256_inc_absorb(&state, tr, TRBYTES); shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(mu, CRHBYTES, &state); -#ifdef DILITHIUM_RANDOMIZED_SIGNING - randombytes(rhoprime, CRHBYTES); -#else - shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES); -#endif + for (n = 0; n < RNDBYTES; n++) { + rnd[n] = 0; + } + shake256(rhoprime, CRHBYTES, key, SEEDBYTES + RNDBYTES + CRHBYTES); /* Expand matrix and transform vectors */ polyvec_matrix_expand(mat, rho); @@ -144,7 +145,7 @@ int crypto_sign_signature(uint8_t *sig, shake256_inc_absorb(&state, mu, CRHBYTES); shake256_inc_absorb(&state, sig, K*POLYW1_PACKEDBYTES); shake256_inc_finalize(&state); - shake256_inc_squeeze(sig, SEEDBYTES, &state); + shake256_inc_squeeze(sig, CTILDEBYTES, &state); poly_challenge(&cp, sig); poly_small_ntt_precomp(&cp_small, &cp_small_prime, &cp); @@ -248,8 +249,8 @@ int crypto_sign_verify(const uint8_t *sig, uint8_t buf[K*POLYW1_PACKEDBYTES]; uint8_t rho[SEEDBYTES]; uint8_t mu[CRHBYTES]; - uint8_t c[SEEDBYTES]; - uint8_t c2[SEEDBYTES]; + uint8_t c[CTILDEBYTES]; + uint8_t c2[CTILDEBYTES]; poly cp; polyvecl mat[K], z; polyveck t1, w1, h; 
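Review bot: The `#ifdef DILITHIUM_RANDOMIZED_SIGNING` branch is deleted rather than carried over: `rnd` is always zeroed, so this build can only produce deterministic signatures and the former opt-in hedged variant disappears without a replacement. Keeping the option is a small change at the zeroing loop: `#ifdef DILITHIUM_RANDOMIZED_SIGNING` / `randombytes(rnd, RNDBYTES);` / `#else` around the existing loop, closed with `#endif`. That matters because the random `rnd` is what gives the signing loop its hedge against fault and side-channel attacks on repeated signing of the same message, which is why FIPS 204 makes hedged signing the default, and an embedded target is where that protection is most often wanted. If dropping the option is deliberate, a comment at the loop, `/* rnd = 0: deterministic ML-DSA signing; hedged mode not supported */`, would at least document the choice.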
@@ -265,9 +266,9 @@ int crypto_sign_verify(const uint8_t *sig, return -1; /* Compute CRH(h(rho, t1), msg) */ - shake256(mu, SEEDBYTES, pk, CRYPTO_PUBLICKEYBYTES); + shake256(mu, CRHBYTES, pk, CRYPTO_PUBLICKEYBYTES); shake256_inc_init(&state); - shake256_inc_absorb(&state, mu, SEEDBYTES); + shake256_inc_absorb(&state, mu, CRHBYTES); shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(mu, CRHBYTES, &state); @@ -298,8 +299,8 @@ int crypto_sign_verify(const uint8_t *sig, shake256_inc_absorb(&state, mu, CRHBYTES); shake256_inc_absorb(&state, buf, K*POLYW1_PACKEDBYTES); shake256_inc_finalize(&state); - shake256_inc_squeeze(c2, SEEDBYTES, &state); - for(i = 0; i < SEEDBYTES; ++i) + shake256_inc_squeeze(c2, CTILDEBYTES, &state); + for(i = 0; i < CTILDEBYTES; ++i) if(c[i] != c2[i]) return -1; From 619a125887edf8c5ccae423c90ef853ad45c4f3b Mon Sep 17 00:00:00 2001 From: "Matthias J. Kannwischer" Date: Fri, 23 Feb 2024 15:51:41 +0800 Subject: [PATCH 6/7] include compat.h to allow SPHINCS+ to build --- mupq | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mupq b/mupq index dbe94161..28350a51 160000 --- a/mupq +++ b/mupq @@ -1 +1 @@ -Subproject commit dbe9416182ce4f4d9cdb9a42da31dbf5ba5e6e4c +Subproject commit 28350a519b5788741347b956a497f64b7a954fd7 From c4fd63c4349a0e8d06b51f11c5a7ec09ff77bf39 Mon Sep 17 00:00:00 2001 From: "Matthias J. Kannwischer" Date: Fri, 23 Feb 2024 15:51:58 +0800 Subject: [PATCH 7/7] fix build on stm32f4discovery --- mk/stm32f4discovery.mk | 2 ++ 1 file changed, 2 insertions(+) diff --git a/mk/stm32f4discovery.mk b/mk/stm32f4discovery.mk index 6c819423..2b10ef4b 100644 --- a/mk/stm32f4discovery.mk +++ b/mk/stm32f4discovery.mk @@ -4,6 +4,8 @@ OPENCM3_TARGET=lib/stm32/f4 EXCLUDED_SCHEMES = \ mupq/pqclean/crypto_kem/mceliece% \ mupq/crypto_sign/tuov% \ + mupq/crypto_sign/ov-Ip% \ + crypto_sign/ov-Ip% \ mupq/crypto_sign/falcon-1024-tree% include mk/opencm3.mk
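Review bot: In crypto_sign_verify the recomputation of tr into `mu` now uses `CRHBYTES`, while crypto_sign_keypair writes the same hash with `shake256(tr, TRBYTES, pk, CRYPTO_PUBLICKEYBYTES)`; the two agree only because both constants are 64 in params.h, and the verifier would silently diverge from the key if one of them is ever changed on its own. Writing `shake256(mu, TRBYTES, pk, CRYPTO_PUBLICKEYBYTES);` and `shake256_inc_absorb(&state, mu, TRBYTES);` ties the verifier to the same constant as keypair, with a `_Static_assert(TRBYTES <= CRHBYTES, "tr must fit in mu");` (C11) guarding the reuse of the mu buffer as scratch space. The challenge comparison in the last hunk operates only on public data (`c` from the signature, `c2` from pk, sig and m), so its early exit is not a timing concern.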
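Review bot: The two new `mupq/crypto_sign/ov-Ip% \` and `crypto_sign/ov-Ip% \` entries are added to EXCLUDED_SCHEMES without saying why those schemes cannot be built for this board; the commit subject only says "fix build", and the list gives no reason for any entry. A short comment above the list, `# schemes below do not fit or build on stm32f4discovery (ov-Ip: <reason>)`, would tell the next maintainer whether the exclusion is about memory, a missing dependency or something else, and when it can be lifted.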