diff options
Diffstat (limited to 'lib/liboqs/src/kem')
86 files changed, 0 insertions, 7459 deletions
diff --git a/lib/liboqs/src/kem/Makefile b/lib/liboqs/src/kem/Makefile deleted file mode 100644 index fe090f3ff..000000000 --- a/lib/liboqs/src/kem/Makefile +++ /dev/null @@ -1,49 +0,0 @@ -#! gmake -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -####################################################################### -# (1) Include initial platform-independent assignments (MANDATORY). # -####################################################################### - -include manifest.mn - -####################################################################### -# (2) Include "global" configuration information. (OPTIONAL) # -####################################################################### - -USE_GCOV = -include $(CORE_DEPTH)/coreconf/config.mk - -####################################################################### -# (3) Include "component" configuration information. (OPTIONAL) # -####################################################################### - - - -####################################################################### -# (4) Include "local" platform-dependent assignments (OPTIONAL). # -####################################################################### - -include config.mk - -####################################################################### -# (5) Execute "global" rules. (OPTIONAL) # -####################################################################### - -include $(CORE_DEPTH)/coreconf/rules.mk - -####################################################################### -# (6) Execute "component" rules. (OPTIONAL) # -####################################################################### - - - -####################################################################### -# (7) Execute "local" rules. (OPTIONAL). # -####################################################################### - -WARNING_CFLAGS = $(NULL) - diff --git a/lib/liboqs/src/kem/config.mk b/lib/liboqs/src/kem/config.mk deleted file mode 100644 index 3bd40a5ea..000000000 --- a/lib/liboqs/src/kem/config.mk +++ /dev/null @@ -1,12 +0,0 @@ -# DO NOT EDIT: generated from config.mk.subdirs.template -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -# add fixes for platform integration issues here. -# -# liboqs programs expect the public include files to be in oqs/xxxx, -# So we put liboqs in it's own module, oqs, and point to the dist files -INCLUDES += -I$(CORE_DEPTH)/lib/liboqs/src/common/pqclean_shims -I$(CORE_DEPTH)/lib/liboqs/src/common/sha3/xkcp_low/KeccakP-1600/plain-64bits -DEFINES += diff --git a/lib/liboqs/src/kem/kem.c b/lib/liboqs/src/kem/kem.c deleted file mode 100644 index 97a79025a..000000000 --- a/lib/liboqs/src/kem/kem.c +++ /dev/null @@ -1,457 +0,0 @@ -// SPDX-License-Identifier: MIT - -#include <assert.h> -#include <stdlib.h> -#if defined(_WIN32) -#include <string.h> -#define strcasecmp _stricmp -#else -#include <strings.h> -#endif - -#include <oqs/oqs.h> - -OQS_API const char *OQS_KEM_alg_identifier(size_t i) { - // EDIT-WHEN-ADDING-KEM - const char *a[OQS_KEM_algs_length] = { - OQS_KEM_alg_bike_l1, - OQS_KEM_alg_bike_l3, - OQS_KEM_alg_bike_l5, - ///// OQS_COPY_FROM_UPSTREAM_FRAGMENT_ALG_IDENTIFIER_START - OQS_KEM_alg_classic_mceliece_348864, - OQS_KEM_alg_classic_mceliece_348864f, - OQS_KEM_alg_classic_mceliece_460896, - OQS_KEM_alg_classic_mceliece_460896f, - OQS_KEM_alg_classic_mceliece_6688128, - OQS_KEM_alg_classic_mceliece_6688128f, - OQS_KEM_alg_classic_mceliece_6960119, - OQS_KEM_alg_classic_mceliece_6960119f, - OQS_KEM_alg_classic_mceliece_8192128, - OQS_KEM_alg_classic_mceliece_8192128f, - OQS_KEM_alg_hqc_128, - OQS_KEM_alg_hqc_192, - OQS_KEM_alg_hqc_256, - OQS_KEM_alg_kyber_512, - OQS_KEM_alg_kyber_768, - OQS_KEM_alg_kyber_1024, - OQS_KEM_alg_kyber_512_90s, - OQS_KEM_alg_kyber_768_90s, - OQS_KEM_alg_kyber_1024_90s, - ///// OQS_COPY_FROM_UPSTREAM_FRAGMENT_ALG_IDENTIFIER_END - OQS_KEM_alg_ntruprime_sntrup761, - OQS_KEM_alg_frodokem_640_aes, - OQS_KEM_alg_frodokem_640_shake, - OQS_KEM_alg_frodokem_976_aes, - OQS_KEM_alg_frodokem_976_shake, - OQS_KEM_alg_frodokem_1344_aes, - OQS_KEM_alg_frodokem_1344_shake, - }; - if (i >= OQS_KEM_algs_length) { - return NULL; - } else { - return a[i]; - } -} - -OQS_API int OQS_KEM_alg_count(void) { - return OQS_KEM_algs_length; -} - -OQS_API int OQS_KEM_alg_is_enabled(const char *method_name) { - if (method_name == NULL) { - return 0; - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_bike_l1)) { -#ifdef OQS_ENABLE_KEM_bike_l1 - return 1; -#else - return 0; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_bike_l3)) { -#ifdef OQS_ENABLE_KEM_bike_l3 - return 1; -#else - return 0; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_bike_l5)) { -#ifdef OQS_ENABLE_KEM_bike_l5 - return 1; -#else - return 0; -#endif - ///// OQS_COPY_FROM_UPSTREAM_FRAGMENT_ENABLED_CASE_START - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_classic_mceliece_348864)) { -#ifdef OQS_ENABLE_KEM_classic_mceliece_348864 - return 1; -#else - return 0; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_classic_mceliece_348864f)) { -#ifdef OQS_ENABLE_KEM_classic_mceliece_348864f - return 1; -#else - return 0; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_classic_mceliece_460896)) { -#ifdef OQS_ENABLE_KEM_classic_mceliece_460896 - return 1; -#else - return 0; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_classic_mceliece_460896f)) { -#ifdef OQS_ENABLE_KEM_classic_mceliece_460896f - return 1; -#else - return 0; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_classic_mceliece_6688128)) { -#ifdef OQS_ENABLE_KEM_classic_mceliece_6688128 - return 1; -#else - return 0; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_classic_mceliece_6688128f)) { -#ifdef OQS_ENABLE_KEM_classic_mceliece_6688128f - return 1; -#else - return 0; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_classic_mceliece_6960119)) { -#ifdef OQS_ENABLE_KEM_classic_mceliece_6960119 - return 1; -#else - return 0; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_classic_mceliece_6960119f)) { -#ifdef OQS_ENABLE_KEM_classic_mceliece_6960119f - return 1; -#else - return 0; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_classic_mceliece_8192128)) { -#ifdef OQS_ENABLE_KEM_classic_mceliece_8192128 - return 1; -#else - return 0; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_classic_mceliece_8192128f)) { -#ifdef OQS_ENABLE_KEM_classic_mceliece_8192128f - return 1; -#else - return 0; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_hqc_128)) { -#ifdef OQS_ENABLE_KEM_hqc_128 - return 1; -#else - return 0; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_hqc_192)) { -#ifdef OQS_ENABLE_KEM_hqc_192 - return 1; -#else - return 0; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_hqc_256)) { -#ifdef OQS_ENABLE_KEM_hqc_256 - return 1; -#else - return 0; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_kyber_512)) { -#ifdef OQS_ENABLE_KEM_kyber_512 - return 1; -#else - return 0; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_kyber_768)) { -#ifdef OQS_ENABLE_KEM_kyber_768 - return 1; -#else - return 0; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_kyber_1024)) { -#ifdef OQS_ENABLE_KEM_kyber_1024 - return 1; -#else - return 0; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_kyber_512_90s)) { -#ifdef OQS_ENABLE_KEM_kyber_512_90s - return 1; -#else - return 0; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_kyber_768_90s)) { -#ifdef OQS_ENABLE_KEM_kyber_768_90s - return 1; -#else - return 0; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_kyber_1024_90s)) { -#ifdef OQS_ENABLE_KEM_kyber_1024_90s - return 1; -#else - return 0; -#endif - ///// OQS_COPY_FROM_UPSTREAM_FRAGMENT_ENABLED_CASE_END - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_ntruprime_sntrup761)) { -#ifdef OQS_ENABLE_KEM_ntruprime_sntrup761 - return 1; -#else - return 0; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_frodokem_640_aes)) { -#ifdef OQS_ENABLE_KEM_frodokem_640_aes - return 1; -#else - return 0; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_frodokem_640_shake)) { -#ifdef OQS_ENABLE_KEM_frodokem_640_shake - return 1; -#else - return 0; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_frodokem_976_aes)) { -#ifdef OQS_ENABLE_KEM_frodokem_976_aes - return 1; -#else - return 0; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_frodokem_976_shake)) { -#ifdef OQS_ENABLE_KEM_frodokem_976_shake - return 1; -#else - return 0; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_frodokem_1344_aes)) { -#ifdef OQS_ENABLE_KEM_frodokem_1344_aes - return 1; -#else - return 0; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_frodokem_1344_shake)) { -#ifdef OQS_ENABLE_KEM_frodokem_1344_shake - return 1; -#else - return 0; -#endif - // EDIT-WHEN-ADDING-KEM - } else { - return 0; - } -} - -OQS_API OQS_KEM *OQS_KEM_new(const char *method_name) { - if (method_name == NULL) { - return NULL; - } - if (0 == strcasecmp(method_name, OQS_KEM_alg_bike_l1)) { -#ifdef OQS_ENABLE_KEM_bike_l1 - return OQS_KEM_bike_l1_new(); -#else - return NULL; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_bike_l3)) { -#ifdef OQS_ENABLE_KEM_bike_l3 - return OQS_KEM_bike_l3_new(); -#else - return NULL; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_bike_l5)) { -#ifdef OQS_ENABLE_KEM_bike_l5 - return OQS_KEM_bike_l5_new(); -#else - return NULL; -#endif - ///// OQS_COPY_FROM_UPSTREAM_FRAGMENT_NEW_CASE_START - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_classic_mceliece_348864)) { -#ifdef OQS_ENABLE_KEM_classic_mceliece_348864 - return OQS_KEM_classic_mceliece_348864_new(); -#else - return NULL; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_classic_mceliece_348864f)) { -#ifdef OQS_ENABLE_KEM_classic_mceliece_348864f - return OQS_KEM_classic_mceliece_348864f_new(); -#else - return NULL; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_classic_mceliece_460896)) { -#ifdef OQS_ENABLE_KEM_classic_mceliece_460896 - return OQS_KEM_classic_mceliece_460896_new(); -#else - return NULL; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_classic_mceliece_460896f)) { -#ifdef OQS_ENABLE_KEM_classic_mceliece_460896f - return OQS_KEM_classic_mceliece_460896f_new(); -#else - return NULL; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_classic_mceliece_6688128)) { -#ifdef OQS_ENABLE_KEM_classic_mceliece_6688128 - return OQS_KEM_classic_mceliece_6688128_new(); -#else - return NULL; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_classic_mceliece_6688128f)) { -#ifdef OQS_ENABLE_KEM_classic_mceliece_6688128f - return OQS_KEM_classic_mceliece_6688128f_new(); -#else - return NULL; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_classic_mceliece_6960119)) { -#ifdef OQS_ENABLE_KEM_classic_mceliece_6960119 - return OQS_KEM_classic_mceliece_6960119_new(); -#else - return NULL; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_classic_mceliece_6960119f)) { -#ifdef OQS_ENABLE_KEM_classic_mceliece_6960119f - return OQS_KEM_classic_mceliece_6960119f_new(); -#else - return NULL; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_classic_mceliece_8192128)) { -#ifdef OQS_ENABLE_KEM_classic_mceliece_8192128 - return OQS_KEM_classic_mceliece_8192128_new(); -#else - return NULL; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_classic_mceliece_8192128f)) { -#ifdef OQS_ENABLE_KEM_classic_mceliece_8192128f - return OQS_KEM_classic_mceliece_8192128f_new(); -#else - return NULL; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_hqc_128)) { -#ifdef OQS_ENABLE_KEM_hqc_128 - return OQS_KEM_hqc_128_new(); -#else - return NULL; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_hqc_192)) { -#ifdef OQS_ENABLE_KEM_hqc_192 - return OQS_KEM_hqc_192_new(); -#else - return NULL; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_hqc_256)) { -#ifdef OQS_ENABLE_KEM_hqc_256 - return OQS_KEM_hqc_256_new(); -#else - return NULL; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_kyber_512)) { -#ifdef OQS_ENABLE_KEM_kyber_512 - return OQS_KEM_kyber_512_new(); -#else - return NULL; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_kyber_768)) { -#ifdef OQS_ENABLE_KEM_kyber_768 - return OQS_KEM_kyber_768_new(); -#else - return NULL; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_kyber_1024)) { -#ifdef OQS_ENABLE_KEM_kyber_1024 - return OQS_KEM_kyber_1024_new(); -#else - return NULL; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_kyber_512_90s)) { -#ifdef OQS_ENABLE_KEM_kyber_512_90s - return OQS_KEM_kyber_512_90s_new(); -#else - return NULL; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_kyber_768_90s)) { -#ifdef OQS_ENABLE_KEM_kyber_768_90s - return OQS_KEM_kyber_768_90s_new(); -#else - return NULL; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_kyber_1024_90s)) { -#ifdef OQS_ENABLE_KEM_kyber_1024_90s - return OQS_KEM_kyber_1024_90s_new(); -#else - return NULL; -#endif - ///// OQS_COPY_FROM_UPSTREAM_FRAGMENT_NEW_CASE_END - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_ntruprime_sntrup761)) { -#ifdef OQS_ENABLE_KEM_ntruprime_sntrup761 - return OQS_KEM_ntruprime_sntrup761_new(); -#else - return NULL; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_frodokem_640_aes)) { -#ifdef OQS_ENABLE_KEM_frodokem_640_aes - return OQS_KEM_frodokem_640_aes_new(); -#else - return NULL; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_frodokem_640_shake)) { -#ifdef OQS_ENABLE_KEM_frodokem_640_shake - return OQS_KEM_frodokem_640_shake_new(); -#else - return NULL; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_frodokem_976_aes)) { -#ifdef OQS_ENABLE_KEM_frodokem_976_aes - return OQS_KEM_frodokem_976_aes_new(); -#else - return NULL; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_frodokem_976_shake)) { -#ifdef OQS_ENABLE_KEM_frodokem_976_shake - return OQS_KEM_frodokem_976_shake_new(); -#else - return NULL; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_frodokem_1344_aes)) { -#ifdef OQS_ENABLE_KEM_frodokem_1344_aes - return OQS_KEM_frodokem_1344_aes_new(); -#else - return NULL; -#endif - } else if (0 == strcasecmp(method_name, OQS_KEM_alg_frodokem_1344_shake)) { -#ifdef OQS_ENABLE_KEM_frodokem_1344_shake - return OQS_KEM_frodokem_1344_shake_new(); -#else - return NULL; -#endif - // EDIT-WHEN-ADDING-KEM - } else { - return NULL; - } -} - -OQS_API OQS_STATUS OQS_KEM_keypair(const OQS_KEM *kem, uint8_t *public_key, uint8_t *secret_key) { - if (kem == NULL) { - return OQS_ERROR; - } else { - return kem->keypair(public_key, secret_key); - } -} - -OQS_API OQS_STATUS OQS_KEM_encaps(const OQS_KEM *kem, uint8_t *ciphertext, uint8_t *shared_secret, const uint8_t *public_key) { - if (kem == NULL) { - return OQS_ERROR; - } else { - return kem->encaps(ciphertext, shared_secret, public_key); - } -} - -OQS_API OQS_STATUS OQS_KEM_decaps(const OQS_KEM *kem, uint8_t *shared_secret, const uint8_t *ciphertext, const uint8_t *secret_key) { - if (kem == NULL) { - return OQS_ERROR; - } else { - return kem->decaps(shared_secret, ciphertext, secret_key); - } -} - -OQS_API void OQS_KEM_free(OQS_KEM *kem) { - OQS_MEM_insecure_free(kem); -} diff --git a/lib/liboqs/src/kem/kem.gyp b/lib/liboqs/src/kem/kem.gyp deleted file mode 100644 index 35632618b..000000000 --- a/lib/liboqs/src/kem/kem.gyp +++ /dev/null @@ -1,32 +0,0 @@ -# DO NOT EDIT: generated from subdir.gyp.template -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. -{ - 'includes': [ - '../../../../coreconf/config.gypi' - ], - 'targets': [ - { - 'target_name': 'oqs_src_kem', - 'type': 'static_library', - 'sources': [ - 'kem.c', - ], - 'dependencies': [ - '<(DEPTH)/exports.gyp:nss_exports' - ] - } - ], - 'target_defaults': { - 'defines': [ - ], - 'include_dirs': [ - '<(DEPTH)/lib/liboqs/src/common/pqclean_shims', - '<(DEPTH)/lib/liboqs/src/common/sha3/xkcp_low/KeccakP-1600/plain-64bits', - ] - }, - 'variables': { - 'module': 'oqs' - } -} diff --git a/lib/liboqs/src/kem/kem.h b/lib/liboqs/src/kem/kem.h deleted file mode 100644 index 2b28851f9..000000000 --- a/lib/liboqs/src/kem/kem.h +++ /dev/null @@ -1,291 +0,0 @@ -/** - * \file kem.h - * \brief Key encapsulation mechanisms - * - * The file `tests/example_kem.c` contains two examples on using the OQS_KEM API. - * - * The first example uses the individual scheme's algorithms directly and uses - * no dynamic memory allocation -- all buffers are allocated on the stack, with - * sizes indicated using preprocessor macros. Since algorithms can be disabled at - * compile-time, the programmer should wrap the code in \#ifdefs. - * - * The second example uses an OQS_KEM object to use an algorithm specified at - * runtime. Therefore it uses dynamic memory allocation -- all buffers must be - * malloc'ed by the programmer, with sizes indicated using the corresponding length - * member of the OQS_KEM object in question. Since algorithms can be disabled at - * compile-time, the programmer should check that the OQS_KEM object is not `NULL`. - * - * SPDX-License-Identifier: MIT - */ - -#ifndef OQS_KEM_H -#define OQS_KEM_H - -#include <stdbool.h> -#include <stddef.h> -#include <stdint.h> - -#include <oqs/oqs.h> - -#if defined(__cplusplus) -extern "C" { -#endif - -/** Algorithm identifier for BIKE-L1 KEM (Round-4). */ -#define OQS_KEM_alg_bike_l1 "BIKE-L1" -/** Algorithm identifier for BIKE-L3 KEM (Round-4). */ -#define OQS_KEM_alg_bike_l3 "BIKE-L3" -/** Algorithm identifier for BIKE-L5 KEM (Round-4). */ -#define OQS_KEM_alg_bike_l5 "BIKE-L5" -///// OQS_COPY_FROM_UPSTREAM_FRAGMENT_ALG_IDENTIFIER_START -/** Algorithm identifier for Classic-McEliece-348864 KEM. */ -#define OQS_KEM_alg_classic_mceliece_348864 "Classic-McEliece-348864" -/** Algorithm identifier for Classic-McEliece-348864f KEM. */ -#define OQS_KEM_alg_classic_mceliece_348864f "Classic-McEliece-348864f" -/** Algorithm identifier for Classic-McEliece-460896 KEM. */ -#define OQS_KEM_alg_classic_mceliece_460896 "Classic-McEliece-460896" -/** Algorithm identifier for Classic-McEliece-460896f KEM. */ -#define OQS_KEM_alg_classic_mceliece_460896f "Classic-McEliece-460896f" -/** Algorithm identifier for Classic-McEliece-6688128 KEM. */ -#define OQS_KEM_alg_classic_mceliece_6688128 "Classic-McEliece-6688128" -/** Algorithm identifier for Classic-McEliece-6688128f KEM. */ -#define OQS_KEM_alg_classic_mceliece_6688128f "Classic-McEliece-6688128f" -/** Algorithm identifier for Classic-McEliece-6960119 KEM. */ -#define OQS_KEM_alg_classic_mceliece_6960119 "Classic-McEliece-6960119" -/** Algorithm identifier for Classic-McEliece-6960119f KEM. */ -#define OQS_KEM_alg_classic_mceliece_6960119f "Classic-McEliece-6960119f" -/** Algorithm identifier for Classic-McEliece-8192128 KEM. */ -#define OQS_KEM_alg_classic_mceliece_8192128 "Classic-McEliece-8192128" -/** Algorithm identifier for Classic-McEliece-8192128f KEM. */ -#define OQS_KEM_alg_classic_mceliece_8192128f "Classic-McEliece-8192128f" -/** Algorithm identifier for HQC-128 KEM. */ -#define OQS_KEM_alg_hqc_128 "HQC-128" -/** Algorithm identifier for HQC-192 KEM. */ -#define OQS_KEM_alg_hqc_192 "HQC-192" -/** Algorithm identifier for HQC-256 KEM. */ -#define OQS_KEM_alg_hqc_256 "HQC-256" -/** Algorithm identifier for Kyber512 KEM. */ -#define OQS_KEM_alg_kyber_512 "Kyber512" -/** Algorithm identifier for Kyber768 KEM. */ -#define OQS_KEM_alg_kyber_768 "Kyber768" -/** Algorithm identifier for Kyber1024 KEM. */ -#define OQS_KEM_alg_kyber_1024 "Kyber1024" -/** Algorithm identifier for Kyber512-90s KEM. */ -#define OQS_KEM_alg_kyber_512_90s "Kyber512-90s" -/** Algorithm identifier for Kyber768-90s KEM. */ -#define OQS_KEM_alg_kyber_768_90s "Kyber768-90s" -/** Algorithm identifier for Kyber1024-90s KEM. */ -#define OQS_KEM_alg_kyber_1024_90s "Kyber1024-90s" -///// OQS_COPY_FROM_UPSTREAM_FRAGMENT_ALG_IDENTIFIER_END -/** Algorithm identifier for sntrup761 KEM. */ -#define OQS_KEM_alg_ntruprime_sntrup761 "sntrup761" -/** Algorithm identifier for FrodoKEM-640-AES KEM. */ -#define OQS_KEM_alg_frodokem_640_aes "FrodoKEM-640-AES" -/** Algorithm identifier for FrodoKEM-640-SHAKE KEM. */ -#define OQS_KEM_alg_frodokem_640_shake "FrodoKEM-640-SHAKE" -/** Algorithm identifier for FrodoKEM-976-AES KEM. */ -#define OQS_KEM_alg_frodokem_976_aes "FrodoKEM-976-AES" -/** Algorithm identifier for FrodoKEM-976-SHAKE KEM. */ -#define OQS_KEM_alg_frodokem_976_shake "FrodoKEM-976-SHAKE" -/** Algorithm identifier for FrodoKEM-1344-AES KEM. */ -#define OQS_KEM_alg_frodokem_1344_aes "FrodoKEM-1344-AES" -/** Algorithm identifier for FrodoKEM-1344-SHAKE KEM. */ -#define OQS_KEM_alg_frodokem_1344_shake "FrodoKEM-1344-SHAKE" -// EDIT-WHEN-ADDING-KEM -///// OQS_COPY_FROM_UPSTREAM_FRAGMENT_ALGS_LENGTH_START -/** Number of algorithm identifiers above. */ -#define OQS_KEM_algs_length 29 -///// OQS_COPY_FROM_UPSTREAM_FRAGMENT_ALGS_LENGTH_END - -/** - * Returns identifiers for available key encapsulation mechanisms in liboqs. Used with OQS_KEM_new. - * - * Note that algorithm identifiers are present in this list even when the algorithm is disabled - * at compile time. - * - * @param[in] i Index of the algorithm identifier to return, 0 <= i < OQS_KEM_algs_length - * @return Algorithm identifier as a string, or NULL. - */ -OQS_API const char *OQS_KEM_alg_identifier(size_t i); - -/** - * Returns the number of key encapsulation mechanisms in liboqs. They can be enumerated with - * OQS_KEM_alg_identifier. - * - * Note that some mechanisms may be disabled at compile time. - * - * @return The number of key encapsulation mechanisms. - */ -OQS_API int OQS_KEM_alg_count(void); - -/** - * Indicates whether the specified algorithm was enabled at compile-time or not. - * - * @param[in] method_name Name of the desired algorithm; one of the names in `OQS_KEM_algs`. - * @return 1 if enabled, 0 if disabled or not found - */ -OQS_API int OQS_KEM_alg_is_enabled(const char *method_name); - -/** - * Key encapsulation mechanism object - */ -typedef struct OQS_KEM { - - /** Printable string representing the name of the key encapsulation mechanism. */ - const char *method_name; - - /** - * Printable string representing the version of the cryptographic algorithm. - * - * Implementations with the same method_name and same alg_version will be interoperable. - * See README.md for information about algorithm compatibility. - */ - const char *alg_version; - - /** The NIST security level (1, 2, 3, 4, 5) claimed in this algorithm's original NIST submission. */ - uint8_t claimed_nist_level; - - /** Whether the KEM offers IND-CCA security (TRUE) or IND-CPA security (FALSE). */ - bool ind_cca; - - /** The (maximum) length, in bytes, of public keys for this KEM. */ - size_t length_public_key; - /** The (maximum) length, in bytes, of secret keys for this KEM. */ - size_t length_secret_key; - /** The (maximum) length, in bytes, of ciphertexts for this KEM. */ - size_t length_ciphertext; - /** The (maximum) length, in bytes, of shared secrets for this KEM. */ - size_t length_shared_secret; - - /** - * Keypair generation algorithm. - * - * Caller is responsible for allocating sufficient memory for `public_key` and - * `secret_key`, based on the `length_*` members in this object or the per-scheme - * compile-time macros `OQS_KEM_*_length_*`. - * - * @param[out] public_key The public key represented as a byte string. - * @param[out] secret_key The secret key represented as a byte string. - * @return OQS_SUCCESS or OQS_ERROR - */ - OQS_STATUS (*keypair)(uint8_t *public_key, uint8_t *secret_key); - - /** - * Encapsulation algorithm. - * - * Caller is responsible for allocating sufficient memory for `ciphertext` and - * `shared_secret`, based on the `length_*` members in this object or the per-scheme - * compile-time macros `OQS_KEM_*_length_*`. - * - * @param[out] ciphertext The ciphertext (encapsulation) represented as a byte string. - * @param[out] shared_secret The shared secret represented as a byte string. - * @param[in] public_key The public key represented as a byte string. - * @return OQS_SUCCESS or OQS_ERROR - */ - OQS_STATUS (*encaps)(uint8_t *ciphertext, uint8_t *shared_secret, const uint8_t *public_key); - - /** - * Decapsulation algorithm. - * - * Caller is responsible for allocating sufficient memory for `shared_secret`, based - * on the `length_*` members in this object or the per-scheme compile-time macros - * `OQS_KEM_*_length_*`. - * - * @param[out] shared_secret The shared secret represented as a byte string. - * @param[in] ciphertext The ciphertext (encapsulation) represented as a byte string. - * @param[in] secret_key The secret key represented as a byte string. - * @return OQS_SUCCESS or OQS_ERROR - */ - OQS_STATUS (*decaps)(uint8_t *shared_secret, const uint8_t *ciphertext, const uint8_t *secret_key); - -} OQS_KEM; - -/** - * Constructs an OQS_KEM object for a particular algorithm. - * - * Callers should always check whether the return value is `NULL`, which indicates either than an - * invalid algorithm name was provided, or that the requested algorithm was disabled at compile-time. - * - * @param[in] method_name Name of the desired algorithm; one of the names in `OQS_KEM_algs`. - * @return An OQS_KEM for the particular algorithm, or `NULL` if the algorithm has been disabled at compile-time. - */ -OQS_API OQS_KEM *OQS_KEM_new(const char *method_name); - -/** - * Keypair generation algorithm. - * - * Caller is responsible for allocating sufficient memory for `public_key` and - * `secret_key`, based on the `length_*` members in this object or the per-scheme - * compile-time macros `OQS_KEM_*_length_*`. - * - * @param[in] kem The OQS_KEM object representing the KEM. - * @param[out] public_key The public key represented as a byte string. - * @param[out] secret_key The secret key represented as a byte string. - * @return OQS_SUCCESS or OQS_ERROR - */ -OQS_API OQS_STATUS OQS_KEM_keypair(const OQS_KEM *kem, uint8_t *public_key, uint8_t *secret_key); - -/** - * Encapsulation algorithm. - * - * Caller is responsible for allocating sufficient memory for `ciphertext` and - * `shared_secret`, based on the `length_*` members in this object or the per-scheme - * compile-time macros `OQS_KEM_*_length_*`. - * - * @param[in] kem The OQS_KEM object representing the KEM. - * @param[out] ciphertext The ciphertext (encapsulation) represented as a byte string. - * @param[out] shared_secret The shared secret represented as a byte string. - * @param[in] public_key The public key represented as a byte string. - * @return OQS_SUCCESS or OQS_ERROR - */ -OQS_API OQS_STATUS OQS_KEM_encaps(const OQS_KEM *kem, uint8_t *ciphertext, uint8_t *shared_secret, const uint8_t *public_key); - -/** - * Decapsulation algorithm. - * - * Caller is responsible for allocating sufficient memory for `shared_secret`, based - * on the `length_*` members in this object or the per-scheme compile-time macros - * `OQS_KEM_*_length_*`. - * - * @param[in] kem The OQS_KEM object representing the KEM. - * @param[out] shared_secret The shared secret represented as a byte string. - * @param[in] ciphertext The ciphertext (encapsulation) represented as a byte string. - * @param[in] secret_key The secret key represented as a byte string. - * @return OQS_SUCCESS or OQS_ERROR - */ -OQS_API OQS_STATUS OQS_KEM_decaps(const OQS_KEM *kem, uint8_t *shared_secret, const uint8_t *ciphertext, const uint8_t *secret_key); - -/** - * Frees an OQS_KEM object that was constructed by OQS_KEM_new. - * - * @param[in] kem The OQS_KEM object to free. - */ -OQS_API void OQS_KEM_free(OQS_KEM *kem); - -#ifdef OQS_ENABLE_KEM_BIKE -#include <oqs/kem_bike.h> -#endif /* OQS_ENABLE_KEM_BIKE */ -///// OQS_COPY_FROM_UPSTREAM_FRAGMENT_INCLUDE_START -#ifdef OQS_ENABLE_KEM_CLASSIC_MCELIECE -#include <oqs/kem_classic_mceliece.h> -#endif /* OQS_ENABLE_KEM_CLASSIC_MCELIECE */ -#ifdef OQS_ENABLE_KEM_HQC -#include <oqs/kem_hqc.h> -#endif /* OQS_ENABLE_KEM_HQC */ -#ifdef OQS_ENABLE_KEM_KYBER -#include <oqs/kem_kyber.h> -#endif /* OQS_ENABLE_KEM_KYBER */ -///// OQS_COPY_FROM_UPSTREAM_FRAGMENT_INCLUDE_END -#ifdef OQS_ENABLE_KEM_NTRUPRIME -#include <oqs/kem_ntruprime.h> -#endif /* OQS_ENABLE_KEM_NTRUPRIME */ -#ifdef OQS_ENABLE_KEM_FRODOKEM -#include <oqs/kem_frodokem.h> -#endif /* OQS_ENABLE_KEM_FRODOKEM */ -// EDIT-WHEN-ADDING-KEM - -#if defined(__cplusplus) -} // extern "C" -#endif - -#endif // OQS_KEM_H diff --git a/lib/liboqs/src/kem/kyber/Makefile b/lib/liboqs/src/kem/kyber/Makefile deleted file mode 100644 index fe090f3ff..000000000 --- a/lib/liboqs/src/kem/kyber/Makefile +++ /dev/null @@ -1,49 +0,0 @@ -#! gmake -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -####################################################################### -# (1) Include initial platform-independent assignments (MANDATORY). # -####################################################################### - -include manifest.mn - -####################################################################### -# (2) Include "global" configuration information. (OPTIONAL) # -####################################################################### - -USE_GCOV = -include $(CORE_DEPTH)/coreconf/config.mk - -####################################################################### -# (3) Include "component" configuration information. (OPTIONAL) # -####################################################################### - - - -####################################################################### -# (4) Include "local" platform-dependent assignments (OPTIONAL). # -####################################################################### - -include config.mk - -####################################################################### -# (5) Execute "global" rules. (OPTIONAL) # -####################################################################### - -include $(CORE_DEPTH)/coreconf/rules.mk - -####################################################################### -# (6) Execute "component" rules. (OPTIONAL) # -####################################################################### - - - -####################################################################### -# (7) Execute "local" rules. (OPTIONAL). # -####################################################################### - -WARNING_CFLAGS = $(NULL) - diff --git a/lib/liboqs/src/kem/kyber/config.mk b/lib/liboqs/src/kem/kyber/config.mk deleted file mode 100644 index 7d57e4410..000000000 --- a/lib/liboqs/src/kem/kyber/config.mk +++ /dev/null @@ -1,12 +0,0 @@ -# DO NOT EDIT: generated from config.mk.subdirs.template -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -# add fixes for platform integration issues here. -# -# liboqs programs expect the public include files to be in oqs/xxxx, -# So we put liboqs in it's own module, oqs, and point to the dist files -INCLUDES += -I$(CORE_DEPTH)/lib/liboqs/src/common/pqclean_shims -I$(CORE_DEPTH)/lib/liboqs/src/common/sha3/xkcp_low/KeccakP-1600/plain-64bits -DEFINES += -DKYBER_K=4 diff --git a/lib/liboqs/src/kem/kyber/kem_kyber.h b/lib/liboqs/src/kem/kyber/kem_kyber.h deleted file mode 100644 index 1fdbf95cc..000000000 --- a/lib/liboqs/src/kem/kyber/kem_kyber.h +++ /dev/null @@ -1,75 +0,0 @@ -// SPDX-License-Identifier: MIT - -#ifndef OQS_KEM_KYBER_H -#define OQS_KEM_KYBER_H - -#include <oqs/oqs.h> - -#ifdef OQS_ENABLE_KEM_kyber_512 -#define OQS_KEM_kyber_512_length_public_key 800 -#define OQS_KEM_kyber_512_length_secret_key 1632 -#define OQS_KEM_kyber_512_length_ciphertext 768 -#define OQS_KEM_kyber_512_length_shared_secret 32 -OQS_KEM *OQS_KEM_kyber_512_new(void); -OQS_API OQS_STATUS OQS_KEM_kyber_512_keypair(uint8_t *public_key, uint8_t *secret_key); -OQS_API OQS_STATUS OQS_KEM_kyber_512_encaps(uint8_t *ciphertext, uint8_t *shared_secret, const uint8_t *public_key); -OQS_API OQS_STATUS OQS_KEM_kyber_512_decaps(uint8_t *shared_secret, const uint8_t *ciphertext, const uint8_t *secret_key); -#endif - -#ifdef OQS_ENABLE_KEM_kyber_768 -#define OQS_KEM_kyber_768_length_public_key 1184 -#define OQS_KEM_kyber_768_length_secret_key 2400 -#define OQS_KEM_kyber_768_length_ciphertext 1088 -#define OQS_KEM_kyber_768_length_shared_secret 32 -OQS_KEM *OQS_KEM_kyber_768_new(void); -OQS_API OQS_STATUS OQS_KEM_kyber_768_keypair(uint8_t *public_key, uint8_t *secret_key); -OQS_API OQS_STATUS OQS_KEM_kyber_768_encaps(uint8_t *ciphertext, uint8_t *shared_secret, const uint8_t *public_key); -OQS_API OQS_STATUS OQS_KEM_kyber_768_decaps(uint8_t *shared_secret, const uint8_t *ciphertext, const uint8_t *secret_key); -#endif - -#ifdef OQS_ENABLE_KEM_kyber_1024 -#define OQS_KEM_kyber_1024_length_public_key 1568 -#define OQS_KEM_kyber_1024_length_secret_key 3168 -#define OQS_KEM_kyber_1024_length_ciphertext 1568 -#define OQS_KEM_kyber_1024_length_shared_secret 32 -OQS_KEM *OQS_KEM_kyber_1024_new(void); -OQS_API OQS_STATUS OQS_KEM_kyber_1024_keypair(uint8_t *public_key, uint8_t *secret_key); -OQS_API OQS_STATUS OQS_KEM_kyber_1024_encaps(uint8_t *ciphertext, uint8_t *shared_secret, const uint8_t *public_key); -OQS_API OQS_STATUS OQS_KEM_kyber_1024_decaps(uint8_t *shared_secret, const uint8_t *ciphertext, const uint8_t *secret_key); -#endif - -#ifdef OQS_ENABLE_KEM_kyber_512_90s -#define OQS_KEM_kyber_512_90s_length_public_key 800 -#define OQS_KEM_kyber_512_90s_length_secret_key 1632 -#define OQS_KEM_kyber_512_90s_length_ciphertext 768 -#define OQS_KEM_kyber_512_90s_length_shared_secret 32 -OQS_KEM *OQS_KEM_kyber_512_90s_new(void); -OQS_API OQS_STATUS OQS_KEM_kyber_512_90s_keypair(uint8_t *public_key, uint8_t *secret_key); -OQS_API OQS_STATUS OQS_KEM_kyber_512_90s_encaps(uint8_t *ciphertext, uint8_t *shared_secret, const uint8_t *public_key); -OQS_API OQS_STATUS OQS_KEM_kyber_512_90s_decaps(uint8_t *shared_secret, const uint8_t *ciphertext, const uint8_t *secret_key); -#endif - -#ifdef OQS_ENABLE_KEM_kyber_768_90s -#define OQS_KEM_kyber_768_90s_length_public_key 1184 -#define OQS_KEM_kyber_768_90s_length_secret_key 2400 -#define OQS_KEM_kyber_768_90s_length_ciphertext 1088 -#define OQS_KEM_kyber_768_90s_length_shared_secret 32 -OQS_KEM *OQS_KEM_kyber_768_90s_new(void); -OQS_API OQS_STATUS OQS_KEM_kyber_768_90s_keypair(uint8_t *public_key, uint8_t *secret_key); -OQS_API OQS_STATUS OQS_KEM_kyber_768_90s_encaps(uint8_t *ciphertext, uint8_t *shared_secret, const uint8_t *public_key); -OQS_API OQS_STATUS OQS_KEM_kyber_768_90s_decaps(uint8_t *shared_secret, const uint8_t *ciphertext, const uint8_t *secret_key); -#endif - -#ifdef OQS_ENABLE_KEM_kyber_1024_90s -#define OQS_KEM_kyber_1024_90s_length_public_key 1568 -#define OQS_KEM_kyber_1024_90s_length_secret_key 3168 -#define OQS_KEM_kyber_1024_90s_length_ciphertext 1568 -#define OQS_KEM_kyber_1024_90s_length_shared_secret 32 -OQS_KEM *OQS_KEM_kyber_1024_90s_new(void); -OQS_API OQS_STATUS OQS_KEM_kyber_1024_90s_keypair(uint8_t *public_key, uint8_t *secret_key); -OQS_API OQS_STATUS OQS_KEM_kyber_1024_90s_encaps(uint8_t *ciphertext, uint8_t *shared_secret, const uint8_t *public_key); -OQS_API OQS_STATUS OQS_KEM_kyber_1024_90s_decaps(uint8_t *shared_secret, const uint8_t *ciphertext, const uint8_t *secret_key); -#endif - -#endif - diff --git a/lib/liboqs/src/kem/kyber/kem_kyber_1024.c b/lib/liboqs/src/kem/kyber/kem_kyber_1024.c deleted file mode 100644 index db72b23cd..000000000 --- a/lib/liboqs/src/kem/kyber/kem_kyber_1024.c +++ /dev/null @@ -1,127 +0,0 @@ -// SPDX-License-Identifier: MIT - -#include <stdlib.h> - -#include <oqs/kem_kyber.h> - -#if defined(OQS_ENABLE_KEM_kyber_1024) - -OQS_KEM *OQS_KEM_kyber_1024_new(void) { - - OQS_KEM *kem = malloc(sizeof(OQS_KEM)); - if (kem == NULL) { - return NULL; - } - kem->method_name = OQS_KEM_alg_kyber_1024; - kem->alg_version = "https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff"; - - kem->claimed_nist_level = 5; - kem->ind_cca = true; - - kem->length_public_key = OQS_KEM_kyber_1024_length_public_key; - kem->length_secret_key = OQS_KEM_kyber_1024_length_secret_key; - kem->length_ciphertext = OQS_KEM_kyber_1024_length_ciphertext; - kem->length_shared_secret = OQS_KEM_kyber_1024_length_shared_secret; - - kem->keypair = OQS_KEM_kyber_1024_keypair; - kem->encaps = OQS_KEM_kyber_1024_encaps; - kem->decaps = OQS_KEM_kyber_1024_decaps; - - return kem; -} - -extern int pqcrystals_kyber1024_ref_keypair(uint8_t *pk, uint8_t *sk); -extern int pqcrystals_kyber1024_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); -extern int pqcrystals_kyber1024_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - -#if defined(OQS_ENABLE_KEM_kyber_1024_avx2) -extern int pqcrystals_kyber1024_avx2_keypair(uint8_t *pk, uint8_t *sk); -extern int pqcrystals_kyber1024_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); -extern int pqcrystals_kyber1024_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); -#endif - -#if defined(OQS_ENABLE_KEM_kyber_1024_aarch64) -extern int PQCLEAN_KYBER1024_AARCH64_crypto_kem_keypair(uint8_t *pk, uint8_t *sk); -extern int PQCLEAN_KYBER1024_AARCH64_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); -extern int PQCLEAN_KYBER1024_AARCH64_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); -#endif - -OQS_API OQS_STATUS OQS_KEM_kyber_1024_keypair(uint8_t *public_key, uint8_t *secret_key) { -#if defined(OQS_ENABLE_KEM_kyber_1024_avx2) -#if defined(OQS_DIST_BUILD) - if (OQS_CPU_has_extension(OQS_CPU_EXT_AVX2) && OQS_CPU_has_extension(OQS_CPU_EXT_BMI2) && OQS_CPU_has_extension(OQS_CPU_EXT_POPCNT)) { -#endif /* OQS_DIST_BUILD */ - return (OQS_STATUS) pqcrystals_kyber1024_avx2_keypair(public_key, secret_key); -#if defined(OQS_DIST_BUILD) - } else { - return (OQS_STATUS) pqcrystals_kyber1024_ref_keypair(public_key, secret_key); - } -#endif /* OQS_DIST_BUILD */ -#elif defined(OQS_ENABLE_KEM_kyber_1024_aarch64) -#if defined(OQS_DIST_BUILD) - if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) { -#endif /* OQS_DIST_BUILD */ - return (OQS_STATUS) PQCLEAN_KYBER1024_AARCH64_crypto_kem_keypair(public_key, secret_key); -#if defined(OQS_DIST_BUILD) - } else { - return (OQS_STATUS) pqcrystals_kyber1024_ref_keypair(public_key, secret_key); - } -#endif /* OQS_DIST_BUILD */ -#else - return (OQS_STATUS) pqcrystals_kyber1024_ref_keypair(public_key, secret_key); -#endif -} - -OQS_API OQS_STATUS OQS_KEM_kyber_1024_encaps(uint8_t *ciphertext, uint8_t *shared_secret, const uint8_t *public_key) { -#if defined(OQS_ENABLE_KEM_kyber_1024_avx2) -#if defined(OQS_DIST_BUILD) - if (OQS_CPU_has_extension(OQS_CPU_EXT_AVX2) && OQS_CPU_has_extension(OQS_CPU_EXT_BMI2) && OQS_CPU_has_extension(OQS_CPU_EXT_POPCNT)) { -#endif /* OQS_DIST_BUILD */ - return (OQS_STATUS) pqcrystals_kyber1024_avx2_enc(ciphertext, shared_secret, public_key); -#if defined(OQS_DIST_BUILD) - } else { - return (OQS_STATUS) pqcrystals_kyber1024_ref_enc(ciphertext, shared_secret, public_key); - } -#endif /* OQS_DIST_BUILD */ -#elif defined(OQS_ENABLE_KEM_kyber_1024_aarch64) -#if defined(OQS_DIST_BUILD) - if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) { -#endif /* OQS_DIST_BUILD */ - return (OQS_STATUS) PQCLEAN_KYBER1024_AARCH64_crypto_kem_enc(ciphertext, shared_secret, public_key); -#if defined(OQS_DIST_BUILD) - } else { - return (OQS_STATUS) pqcrystals_kyber1024_ref_enc(ciphertext, shared_secret, public_key); - } -#endif /* OQS_DIST_BUILD */ -#else - return (OQS_STATUS) pqcrystals_kyber1024_ref_enc(ciphertext, shared_secret, public_key); -#endif -} - -OQS_API OQS_STATUS OQS_KEM_kyber_1024_decaps(uint8_t *shared_secret, const uint8_t *ciphertext, const uint8_t *secret_key) { -#if defined(OQS_ENABLE_KEM_kyber_1024_avx2) -#if defined(OQS_DIST_BUILD) - if (OQS_CPU_has_extension(OQS_CPU_EXT_AVX2) && OQS_CPU_has_extension(OQS_CPU_EXT_BMI2) && OQS_CPU_has_extension(OQS_CPU_EXT_POPCNT)) { -#endif /* OQS_DIST_BUILD */ - return (OQS_STATUS) pqcrystals_kyber1024_avx2_dec(shared_secret, ciphertext, secret_key); -#if defined(OQS_DIST_BUILD) - } else { - return (OQS_STATUS) pqcrystals_kyber1024_ref_dec(shared_secret, ciphertext, secret_key); - } -#endif /* OQS_DIST_BUILD */ -#elif defined(OQS_ENABLE_KEM_kyber_1024_aarch64) -#if defined(OQS_DIST_BUILD) - if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) { -#endif /* OQS_DIST_BUILD */ - return (OQS_STATUS) PQCLEAN_KYBER1024_AARCH64_crypto_kem_dec(shared_secret, ciphertext, secret_key); -#if defined(OQS_DIST_BUILD) - } else { - return (OQS_STATUS) pqcrystals_kyber1024_ref_dec(shared_secret, ciphertext, secret_key); - } -#endif /* OQS_DIST_BUILD */ -#else - return (OQS_STATUS) pqcrystals_kyber1024_ref_dec(shared_secret, ciphertext, secret_key); -#endif -} - -#endif diff --git a/lib/liboqs/src/kem/kyber/kem_kyber_512.c b/lib/liboqs/src/kem/kyber/kem_kyber_512.c deleted file mode 100644 index a226787f6..000000000 --- a/lib/liboqs/src/kem/kyber/kem_kyber_512.c +++ /dev/null @@ -1,127 +0,0 @@ -// SPDX-License-Identifier: MIT - -#include <stdlib.h> - -#include <oqs/kem_kyber.h> - -#if defined(OQS_ENABLE_KEM_kyber_512) - -OQS_KEM *OQS_KEM_kyber_512_new(void) { - - OQS_KEM *kem = malloc(sizeof(OQS_KEM)); - if (kem == NULL) { - return NULL; - } - kem->method_name = OQS_KEM_alg_kyber_512; - kem->alg_version = "https://github.com/pq-crystals/kyber/commit/74cad307858b61e434490c75f812cb9b9ef7279b"; - - kem->claimed_nist_level = 1; - kem->ind_cca = true; - - kem->length_public_key = OQS_KEM_kyber_512_length_public_key; - kem->length_secret_key = OQS_KEM_kyber_512_length_secret_key; - kem->length_ciphertext = OQS_KEM_kyber_512_length_ciphertext; - kem->length_shared_secret = OQS_KEM_kyber_512_length_shared_secret; - - kem->keypair = OQS_KEM_kyber_512_keypair; - kem->encaps = OQS_KEM_kyber_512_encaps; - kem->decaps = OQS_KEM_kyber_512_decaps; - - return kem; -} - -extern int pqcrystals_kyber512_ref_keypair(uint8_t *pk, uint8_t *sk); -extern int pqcrystals_kyber512_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); -extern int pqcrystals_kyber512_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - -#if defined(OQS_ENABLE_KEM_kyber_512_avx2) -extern int pqcrystals_kyber512_avx2_keypair(uint8_t *pk, uint8_t *sk); -extern int pqcrystals_kyber512_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); -extern int pqcrystals_kyber512_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); -#endif - -#if defined(OQS_ENABLE_KEM_kyber_512_aarch64) -extern int PQCLEAN_KYBER512_AARCH64_crypto_kem_keypair(uint8_t *pk, uint8_t *sk); -extern int PQCLEAN_KYBER512_AARCH64_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); -extern int PQCLEAN_KYBER512_AARCH64_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); -#endif - -OQS_API OQS_STATUS OQS_KEM_kyber_512_keypair(uint8_t *public_key, uint8_t *secret_key) { -#if defined(OQS_ENABLE_KEM_kyber_512_avx2) -#if defined(OQS_DIST_BUILD) - if (OQS_CPU_has_extension(OQS_CPU_EXT_AVX2) && OQS_CPU_has_extension(OQS_CPU_EXT_BMI2) && OQS_CPU_has_extension(OQS_CPU_EXT_POPCNT)) { -#endif /* OQS_DIST_BUILD */ - return (OQS_STATUS) pqcrystals_kyber512_avx2_keypair(public_key, secret_key); -#if defined(OQS_DIST_BUILD) - } else { - return (OQS_STATUS) pqcrystals_kyber512_ref_keypair(public_key, secret_key); - } -#endif /* OQS_DIST_BUILD */ -#elif defined(OQS_ENABLE_KEM_kyber_512_aarch64) -#if defined(OQS_DIST_BUILD) - if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) { -#endif /* OQS_DIST_BUILD */ - return (OQS_STATUS) PQCLEAN_KYBER512_AARCH64_crypto_kem_keypair(public_key, secret_key); -#if defined(OQS_DIST_BUILD) - } else { - return (OQS_STATUS) pqcrystals_kyber512_ref_keypair(public_key, secret_key); - } -#endif /* OQS_DIST_BUILD */ -#else - return (OQS_STATUS) pqcrystals_kyber512_ref_keypair(public_key, secret_key); -#endif -} - -OQS_API OQS_STATUS OQS_KEM_kyber_512_encaps(uint8_t *ciphertext, uint8_t *shared_secret, const uint8_t *public_key) { -#if defined(OQS_ENABLE_KEM_kyber_512_avx2) -#if defined(OQS_DIST_BUILD) - if (OQS_CPU_has_extension(OQS_CPU_EXT_AVX2) && OQS_CPU_has_extension(OQS_CPU_EXT_BMI2) && OQS_CPU_has_extension(OQS_CPU_EXT_POPCNT)) { -#endif /* OQS_DIST_BUILD */ - return (OQS_STATUS) pqcrystals_kyber512_avx2_enc(ciphertext, shared_secret, public_key); -#if defined(OQS_DIST_BUILD) - } else { - return (OQS_STATUS) pqcrystals_kyber512_ref_enc(ciphertext, shared_secret, public_key); - } -#endif /* OQS_DIST_BUILD */ -#elif defined(OQS_ENABLE_KEM_kyber_512_aarch64) -#if defined(OQS_DIST_BUILD) - if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) { -#endif /* OQS_DIST_BUILD */ - return (OQS_STATUS) PQCLEAN_KYBER512_AARCH64_crypto_kem_enc(ciphertext, shared_secret, public_key); -#if defined(OQS_DIST_BUILD) - } else { - return (OQS_STATUS) pqcrystals_kyber512_ref_enc(ciphertext, shared_secret, public_key); - } -#endif /* OQS_DIST_BUILD */ -#else - return (OQS_STATUS) pqcrystals_kyber512_ref_enc(ciphertext, shared_secret, public_key); -#endif -} - -OQS_API OQS_STATUS OQS_KEM_kyber_512_decaps(uint8_t *shared_secret, const uint8_t *ciphertext, const uint8_t *secret_key) { -#if defined(OQS_ENABLE_KEM_kyber_512_avx2) -#if defined(OQS_DIST_BUILD) - if (OQS_CPU_has_extension(OQS_CPU_EXT_AVX2) && OQS_CPU_has_extension(OQS_CPU_EXT_BMI2) && OQS_CPU_has_extension(OQS_CPU_EXT_POPCNT)) { -#endif /* OQS_DIST_BUILD */ - return (OQS_STATUS) pqcrystals_kyber512_avx2_dec(shared_secret, ciphertext, secret_key); -#if defined(OQS_DIST_BUILD) - } else { - return (OQS_STATUS) pqcrystals_kyber512_ref_dec(shared_secret, ciphertext, secret_key); - } -#endif /* OQS_DIST_BUILD */ -#elif defined(OQS_ENABLE_KEM_kyber_512_aarch64) -#if defined(OQS_DIST_BUILD) - if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) { -#endif /* OQS_DIST_BUILD */ - return (OQS_STATUS) PQCLEAN_KYBER512_AARCH64_crypto_kem_dec(shared_secret, ciphertext, secret_key); -#if defined(OQS_DIST_BUILD) - } else { - return (OQS_STATUS) pqcrystals_kyber512_ref_dec(shared_secret, ciphertext, secret_key); - } -#endif /* OQS_DIST_BUILD */ -#else - return (OQS_STATUS) pqcrystals_kyber512_ref_dec(shared_secret, ciphertext, secret_key); -#endif -} - -#endif diff --git a/lib/liboqs/src/kem/kyber/kem_kyber_768.c b/lib/liboqs/src/kem/kyber/kem_kyber_768.c deleted file mode 100644 index bc21b0038..000000000 --- a/lib/liboqs/src/kem/kyber/kem_kyber_768.c +++ /dev/null @@ -1,127 +0,0 @@ -// SPDX-License-Identifier: MIT - -#include <stdlib.h> - -#include <oqs/kem_kyber.h> - -#if defined(OQS_ENABLE_KEM_kyber_768) - -OQS_KEM *OQS_KEM_kyber_768_new(void) { - - OQS_KEM *kem = malloc(sizeof(OQS_KEM)); - if (kem == NULL) { - return NULL; - } - kem->method_name = OQS_KEM_alg_kyber_768; - kem->alg_version = "https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff"; - - kem->claimed_nist_level = 3; - kem->ind_cca = true; - - kem->length_public_key = OQS_KEM_kyber_768_length_public_key; - kem->length_secret_key = OQS_KEM_kyber_768_length_secret_key; - kem->length_ciphertext = OQS_KEM_kyber_768_length_ciphertext; - kem->length_shared_secret = OQS_KEM_kyber_768_length_shared_secret; - - kem->keypair = OQS_KEM_kyber_768_keypair; - kem->encaps = OQS_KEM_kyber_768_encaps; - kem->decaps = OQS_KEM_kyber_768_decaps; - - return kem; -} - -extern int pqcrystals_kyber768_ref_keypair(uint8_t *pk, uint8_t *sk); -extern int pqcrystals_kyber768_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); -extern int pqcrystals_kyber768_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - -#if defined(OQS_ENABLE_KEM_kyber_768_avx2) -extern int pqcrystals_kyber768_avx2_keypair(uint8_t *pk, uint8_t *sk); -extern int pqcrystals_kyber768_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); -extern int pqcrystals_kyber768_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); -#endif - -#if defined(OQS_ENABLE_KEM_kyber_768_aarch64) -extern int PQCLEAN_KYBER768_AARCH64_crypto_kem_keypair(uint8_t *pk, uint8_t *sk); -extern int PQCLEAN_KYBER768_AARCH64_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); -extern int PQCLEAN_KYBER768_AARCH64_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); -#endif - -OQS_API OQS_STATUS OQS_KEM_kyber_768_keypair(uint8_t *public_key, uint8_t *secret_key) { -#if defined(OQS_ENABLE_KEM_kyber_768_avx2) -#if defined(OQS_DIST_BUILD) - if (OQS_CPU_has_extension(OQS_CPU_EXT_AVX2) && OQS_CPU_has_extension(OQS_CPU_EXT_BMI2) && OQS_CPU_has_extension(OQS_CPU_EXT_POPCNT)) { -#endif /* OQS_DIST_BUILD */ - return (OQS_STATUS) pqcrystals_kyber768_avx2_keypair(public_key, secret_key); -#if defined(OQS_DIST_BUILD) - } else { - return (OQS_STATUS) pqcrystals_kyber768_ref_keypair(public_key, secret_key); - } -#endif /* OQS_DIST_BUILD */ -#elif defined(OQS_ENABLE_KEM_kyber_768_aarch64) -#if defined(OQS_DIST_BUILD) - if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) { -#endif /* OQS_DIST_BUILD */ - return (OQS_STATUS) PQCLEAN_KYBER768_AARCH64_crypto_kem_keypair(public_key, secret_key); -#if defined(OQS_DIST_BUILD) - } else { - return (OQS_STATUS) pqcrystals_kyber768_ref_keypair(public_key, secret_key); - } -#endif /* OQS_DIST_BUILD */ -#else - return (OQS_STATUS) pqcrystals_kyber768_ref_keypair(public_key, secret_key); -#endif -} - -OQS_API OQS_STATUS OQS_KEM_kyber_768_encaps(uint8_t *ciphertext, uint8_t *shared_secret, const uint8_t *public_key) { -#if defined(OQS_ENABLE_KEM_kyber_768_avx2) -#if defined(OQS_DIST_BUILD) - if (OQS_CPU_has_extension(OQS_CPU_EXT_AVX2) && OQS_CPU_has_extension(OQS_CPU_EXT_BMI2) && OQS_CPU_has_extension(OQS_CPU_EXT_POPCNT)) { -#endif /* OQS_DIST_BUILD */ - return (OQS_STATUS) pqcrystals_kyber768_avx2_enc(ciphertext, shared_secret, public_key); -#if defined(OQS_DIST_BUILD) - } else { - return (OQS_STATUS) pqcrystals_kyber768_ref_enc(ciphertext, shared_secret, public_key); - } -#endif /* OQS_DIST_BUILD */ -#elif defined(OQS_ENABLE_KEM_kyber_768_aarch64) -#if defined(OQS_DIST_BUILD) - if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) { -#endif /* OQS_DIST_BUILD */ - return (OQS_STATUS) PQCLEAN_KYBER768_AARCH64_crypto_kem_enc(ciphertext, shared_secret, public_key); -#if defined(OQS_DIST_BUILD) - } else { - return (OQS_STATUS) pqcrystals_kyber768_ref_enc(ciphertext, shared_secret, public_key); - } -#endif /* OQS_DIST_BUILD */ -#else - return (OQS_STATUS) pqcrystals_kyber768_ref_enc(ciphertext, shared_secret, public_key); -#endif -} - -OQS_API OQS_STATUS OQS_KEM_kyber_768_decaps(uint8_t *shared_secret, const uint8_t *ciphertext, const uint8_t *secret_key) { -#if defined(OQS_ENABLE_KEM_kyber_768_avx2) -#if defined(OQS_DIST_BUILD) - if (OQS_CPU_has_extension(OQS_CPU_EXT_AVX2) && OQS_CPU_has_extension(OQS_CPU_EXT_BMI2) && OQS_CPU_has_extension(OQS_CPU_EXT_POPCNT)) { -#endif /* OQS_DIST_BUILD */ - return (OQS_STATUS) pqcrystals_kyber768_avx2_dec(shared_secret, ciphertext, secret_key); -#if defined(OQS_DIST_BUILD) - } else { - return (OQS_STATUS) pqcrystals_kyber768_ref_dec(shared_secret, ciphertext, secret_key); - } -#endif /* OQS_DIST_BUILD */ -#elif defined(OQS_ENABLE_KEM_kyber_768_aarch64) -#if defined(OQS_DIST_BUILD) - if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) { -#endif /* OQS_DIST_BUILD */ - return (OQS_STATUS) PQCLEAN_KYBER768_AARCH64_crypto_kem_dec(shared_secret, ciphertext, secret_key); -#if defined(OQS_DIST_BUILD) - } else { - return (OQS_STATUS) pqcrystals_kyber768_ref_dec(shared_secret, ciphertext, secret_key); - } -#endif /* OQS_DIST_BUILD */ -#else - return (OQS_STATUS) pqcrystals_kyber768_ref_dec(shared_secret, ciphertext, secret_key); -#endif -} - -#endif diff --git a/lib/liboqs/src/kem/kyber/kyber.gyp b/lib/liboqs/src/kem/kyber/kyber.gyp deleted file mode 100644 index 85cff9545..000000000 --- a/lib/liboqs/src/kem/kyber/kyber.gyp +++ /dev/null @@ -1,35 +0,0 @@ -# DO NOT EDIT: generated from subdir.gyp.template -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. -{ - 'includes': [ - '../../../../../coreconf/config.gypi' - ], - 'targets': [ - { - 'target_name': 'oqs_src_kem_kyber', - 'type': 'static_library', - 'sources': [ - 'kem_kyber_512.c', - 'kem_kyber_768.c', - 'kem_kyber_1024.c', - ], - 'dependencies': [ - '<(DEPTH)/exports.gyp:nss_exports' - ] - } - ], - 'target_defaults': { - 'defines': [ - 'KYBER_K=4', - ], - 'include_dirs': [ - '<(DEPTH)/lib/liboqs/src/common/pqclean_shims', - '<(DEPTH)/lib/liboqs/src/common/sha3/xkcp_low/KeccakP-1600/plain-64bits', - ] - }, - 'variables': { - 'module': 'oqs' - } -} diff --git a/lib/liboqs/src/kem/kyber/manifest.mn b/lib/liboqs/src/kem/kyber/manifest.mn deleted file mode 100644 index bbe293db6..000000000 --- a/lib/liboqs/src/kem/kyber/manifest.mn +++ /dev/null @@ -1,25 +0,0 @@ -# DO NOT EDIT: generated from manifest.mn.subdirs.template -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. -CORE_DEPTH = ../../../../.. - -MODULE = oqs - -LIBRARY_NAME = oqs_src_kem_kyber -SHARED_LIBRARY = $(NULL) - -CSRCS = \ - kem_kyber_512.c \ - kem_kyber_768.c \ - kem_kyber_1024.c \ - $(NULL) - -# only add module debugging in opt builds if DEBUG_PKCS11 is set -ifdef DEBUG_PKCS11 - DEFINES += -DDEBUG_MODULE -endif - -# This part of the code, including all sub-dirs, can be optimized for size -export ALLOW_OPT_CODE_SIZE = 1 diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/Makefile b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/Makefile deleted file mode 100644 index fe090f3ff..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/Makefile +++ /dev/null @@ -1,49 +0,0 @@ -#! gmake -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -####################################################################### -# (1) Include initial platform-independent assignments (MANDATORY). # -####################################################################### - -include manifest.mn - -####################################################################### -# (2) Include "global" configuration information. (OPTIONAL) # -####################################################################### - -USE_GCOV = -include $(CORE_DEPTH)/coreconf/config.mk - -####################################################################### -# (3) Include "component" configuration information. (OPTIONAL) # -####################################################################### - - - -####################################################################### -# (4) Include "local" platform-dependent assignments (OPTIONAL). # -####################################################################### - -include config.mk - -####################################################################### -# (5) Execute "global" rules. (OPTIONAL) # -####################################################################### - -include $(CORE_DEPTH)/coreconf/rules.mk - -####################################################################### -# (6) Execute "component" rules. (OPTIONAL) # -####################################################################### - - - -####################################################################### -# (7) Execute "local" rules. (OPTIONAL). # -####################################################################### - -WARNING_CFLAGS = $(NULL) - diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/api.h b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/api.h deleted file mode 100644 index b34eab970..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/api.h +++ /dev/null @@ -1,75 +0,0 @@ -#ifndef API_H -#define API_H - -#include <stdint.h> - -#define pqcrystals_kyber512_SECRETKEYBYTES 1632 -#define pqcrystals_kyber512_PUBLICKEYBYTES 800 -#define pqcrystals_kyber512_CIPHERTEXTBYTES 768 -#define pqcrystals_kyber512_BYTES 32 - -#define pqcrystals_kyber512_ref_SECRETKEYBYTES pqcrystals_kyber512_SECRETKEYBYTES -#define pqcrystals_kyber512_ref_PUBLICKEYBYTES pqcrystals_kyber512_PUBLICKEYBYTES -#define pqcrystals_kyber512_ref_CIPHERTEXTBYTES pqcrystals_kyber512_CIPHERTEXTBYTES -#define pqcrystals_kyber512_ref_BYTES pqcrystals_kyber512_BYTES - -int pqcrystals_kyber512_ref_keypair(uint8_t *pk, uint8_t *sk); -int pqcrystals_kyber512_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); -int pqcrystals_kyber512_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - -#define pqcrystals_kyber512_90s_ref_SECRETKEYBYTES pqcrystals_kyber512_SECRETKEYBYTES -#define pqcrystals_kyber512_90s_ref_PUBLICKEYBYTES pqcrystals_kyber512_PUBLICKEYBYTES -#define pqcrystals_kyber512_90s_ref_CIPHERTEXTBYTES pqcrystals_kyber512_CIPHERTEXTBYTES -#define pqcrystals_kyber512_90s_ref_BYTES pqcrystals_kyber512_BYTES - -int pqcrystals_kyber512_90s_ref_keypair(uint8_t *pk, uint8_t *sk); -int pqcrystals_kyber512_90s_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); -int pqcrystals_kyber512_90s_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - -#define pqcrystals_kyber768_SECRETKEYBYTES 2400 -#define pqcrystals_kyber768_PUBLICKEYBYTES 1184 -#define pqcrystals_kyber768_CIPHERTEXTBYTES 1088 -#define pqcrystals_kyber768_BYTES 32 - -#define pqcrystals_kyber768_ref_SECRETKEYBYTES pqcrystals_kyber768_SECRETKEYBYTES -#define pqcrystals_kyber768_ref_PUBLICKEYBYTES pqcrystals_kyber768_PUBLICKEYBYTES -#define pqcrystals_kyber768_ref_CIPHERTEXTBYTES pqcrystals_kyber768_CIPHERTEXTBYTES -#define pqcrystals_kyber768_ref_BYTES pqcrystals_kyber768_BYTES - -int pqcrystals_kyber768_ref_keypair(uint8_t *pk, uint8_t *sk); -int pqcrystals_kyber768_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); -int pqcrystals_kyber768_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - -#define pqcrystals_kyber768_90s_ref_SECRETKEYBYTES pqcrystals_kyber768_SECRETKEYBYTES -#define pqcrystals_kyber768_90s_ref_PUBLICKEYBYTES pqcrystals_kyber768_PUBLICKEYBYTES -#define pqcrystals_kyber768_90s_ref_CIPHERTEXTBYTES pqcrystals_kyber768_CIPHERTEXTBYTES -#define pqcrystals_kyber768_90s_ref_BYTES pqcrystals_kyber768_BYTES - -int pqcrystals_kyber768_90s_ref_keypair(uint8_t *pk, uint8_t *sk); -int pqcrystals_kyber768_90s_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); -int pqcrystals_kyber768_90s_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - -#define pqcrystals_kyber1024_SECRETKEYBYTES 3168 -#define pqcrystals_kyber1024_PUBLICKEYBYTES 1568 -#define pqcrystals_kyber1024_CIPHERTEXTBYTES 1568 -#define pqcrystals_kyber1024_BYTES 32 - -#define pqcrystals_kyber1024_ref_SECRETKEYBYTES pqcrystals_kyber1024_SECRETKEYBYTES -#define pqcrystals_kyber1024_ref_PUBLICKEYBYTES pqcrystals_kyber1024_PUBLICKEYBYTES -#define pqcrystals_kyber1024_ref_CIPHERTEXTBYTES pqcrystals_kyber1024_CIPHERTEXTBYTES -#define pqcrystals_kyber1024_ref_BYTES pqcrystals_kyber1024_BYTES - -int pqcrystals_kyber1024_ref_keypair(uint8_t *pk, uint8_t *sk); -int pqcrystals_kyber1024_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); -int pqcrystals_kyber1024_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - -#define pqcrystals_kyber1024_90s_ref_SECRETKEYBYTES pqcrystals_kyber1024_SECRETKEYBYTES -#define pqcrystals_kyber1024_90s_ref_PUBLICKEYBYTES pqcrystals_kyber1024_PUBLICKEYBYTES -#define pqcrystals_kyber1024_90s_ref_CIPHERTEXTBYTES pqcrystals_kyber1024_CIPHERTEXTBYTES -#define pqcrystals_kyber1024_90s_ref_BYTES pqcrystals_kyber1024_BYTES - -int pqcrystals_kyber1024_90s_ref_keypair(uint8_t *pk, uint8_t *sk); -int pqcrystals_kyber1024_90s_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); -int pqcrystals_kyber1024_90s_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - -#endif diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/cbd.c b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/cbd.c deleted file mode 100644 index 1500ffea5..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/cbd.c +++ /dev/null @@ -1,128 +0,0 @@ -#include <stdint.h> -#include "params.h" -#include "cbd.h" - -/************************************************* -* Name: load32_littleendian -* -* Description: load 4 bytes into a 32-bit integer -* in little-endian order -* -* Arguments: - const uint8_t *x: pointer to input byte array -* -* Returns 32-bit unsigned integer loaded from x -**************************************************/ -static uint32_t load32_littleendian(const uint8_t x[4]) -{ - uint32_t r; - r = (uint32_t)x[0]; - r |= (uint32_t)x[1] << 8; - r |= (uint32_t)x[2] << 16; - r |= (uint32_t)x[3] << 24; - return r; -} - -/************************************************* -* Name: load24_littleendian -* -* Description: load 3 bytes into a 32-bit integer -* in little-endian order. -* This function is only needed for Kyber-512 -* -* Arguments: - const uint8_t *x: pointer to input byte array -* -* Returns 32-bit unsigned integer loaded from x (most significant byte is zero) -**************************************************/ -#if KYBER_ETA1 == 3 -static uint32_t load24_littleendian(const uint8_t x[3]) -{ - uint32_t r; - r = (uint32_t)x[0]; - r |= (uint32_t)x[1] << 8; - r |= (uint32_t)x[2] << 16; - return r; -} -#endif - - -/************************************************* -* Name: cbd2 -* -* Description: Given an array of uniformly random bytes, compute -* polynomial with coefficients distributed according to -* a centered binomial distribution with parameter eta=2 -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *buf: pointer to input byte array -**************************************************/ -static void cbd2(poly *r, const uint8_t buf[2*KYBER_N/4]) -{ - unsigned int i,j; - uint32_t t,d; - int16_t a,b; - - for(i=0;i<KYBER_N/8;i++) { - t = load32_littleendian(buf+4*i); - d = t & 0x55555555; - d += (t>>1) & 0x55555555; - - for(j=0;j<8;j++) { - a = (d >> (4*j+0)) & 0x3; - b = (d >> (4*j+2)) & 0x3; - r->coeffs[8*i+j] = a - b; - } - } -} - -/************************************************* -* Name: cbd3 -* -* Description: Given an array of uniformly random bytes, compute -* polynomial with coefficients distributed according to -* a centered binomial distribution with parameter eta=3. -* This function is only needed for Kyber-512 -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *buf: pointer to input byte array -**************************************************/ -#if KYBER_ETA1 == 3 -static void cbd3(poly *r, const uint8_t buf[3*KYBER_N/4]) -{ - unsigned int i,j; - uint32_t t,d; - int16_t a,b; - - for(i=0;i<KYBER_N/4;i++) { - t = load24_littleendian(buf+3*i); - d = t & 0x00249249; - d += (t>>1) & 0x00249249; - d += (t>>2) & 0x00249249; - - for(j=0;j<4;j++) { - a = (d >> (6*j+0)) & 0x7; - b = (d >> (6*j+3)) & 0x7; - r->coeffs[4*i+j] = a - b; - } - } -} -#endif - -void poly_cbd_eta1(poly *r, const uint8_t buf[KYBER_ETA1*KYBER_N/4]) -{ -#if KYBER_ETA1 == 2 - cbd2(r, buf); -#elif KYBER_ETA1 == 3 - cbd3(r, buf); -#else -#error "This implementation requires eta1 in {2,3}" -#endif -} - -void poly_cbd_eta2(poly *r, const uint8_t buf[KYBER_ETA2*KYBER_N/4]) -{ -#if KYBER_ETA2 == 2 - cbd2(r, buf); -#else -#error "This implementation requires eta2 = 2" -#endif -} diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/cbd.h b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/cbd.h deleted file mode 100644 index 7b677d745..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/cbd.h +++ /dev/null @@ -1,14 +0,0 @@ -#ifndef CBD_H -#define CBD_H - -#include <stdint.h> -#include "params.h" -#include "poly.h" - -#define poly_cbd_eta1 KYBER_NAMESPACE(poly_cbd_eta1) -void poly_cbd_eta1(poly *r, const uint8_t buf[KYBER_ETA1*KYBER_N/4]); - -#define poly_cbd_eta2 KYBER_NAMESPACE(poly_cbd_eta2) -void poly_cbd_eta2(poly *r, const uint8_t buf[KYBER_ETA2*KYBER_N/4]); - -#endif diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/config.mk b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/config.mk deleted file mode 100644 index 7d57e4410..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/config.mk +++ /dev/null @@ -1,12 +0,0 @@ -# DO NOT EDIT: generated from config.mk.subdirs.template -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -# add fixes for platform integration issues here. -# -# liboqs programs expect the public include files to be in oqs/xxxx, -# So we put liboqs in it's own module, oqs, and point to the dist files -INCLUDES += -I$(CORE_DEPTH)/lib/liboqs/src/common/pqclean_shims -I$(CORE_DEPTH)/lib/liboqs/src/common/sha3/xkcp_low/KeccakP-1600/plain-64bits -DEFINES += -DKYBER_K=4 diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/indcpa.c b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/indcpa.c deleted file mode 100644 index f0129aa04..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/indcpa.c +++ /dev/null @@ -1,331 +0,0 @@ -#include <stddef.h> -#include <stdint.h> -#include "params.h" -#include "indcpa.h" -#include "polyvec.h" -#include "poly.h" -#include "ntt.h" -#include "symmetric.h" -#include "randombytes.h" - -/************************************************* -* Name: pack_pk -* -* Description: Serialize the public key as concatenation of the -* serialized vector of polynomials pk -* and the public seed used to generate the matrix A. -* -* Arguments: uint8_t *r: pointer to the output serialized public key -* polyvec *pk: pointer to the input public-key polyvec -* const uint8_t *seed: pointer to the input public seed -**************************************************/ -static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES], - polyvec *pk, - const uint8_t seed[KYBER_SYMBYTES]) -{ - size_t i; - polyvec_tobytes(r, pk); - for(i=0;i<KYBER_SYMBYTES;i++) - r[i+KYBER_POLYVECBYTES] = seed[i]; -} - -/************************************************* -* Name: unpack_pk -* -* Description: De-serialize public key from a byte array; -* approximate inverse of pack_pk -* -* Arguments: - polyvec *pk: pointer to output public-key polynomial vector -* - uint8_t *seed: pointer to output seed to generate matrix A -* - const uint8_t *packedpk: pointer to input serialized public key -**************************************************/ -static void unpack_pk(polyvec *pk, - uint8_t seed[KYBER_SYMBYTES], - const uint8_t packedpk[KYBER_INDCPA_PUBLICKEYBYTES]) -{ - size_t i; - polyvec_frombytes(pk, packedpk); - for(i=0;i<KYBER_SYMBYTES;i++) - seed[i] = packedpk[i+KYBER_POLYVECBYTES]; -} - -/************************************************* -* Name: pack_sk -* -* Description: Serialize the secret key -* -* Arguments: - uint8_t *r: pointer to output serialized secret key -* - polyvec *sk: pointer to input vector of polynomials (secret key) -**************************************************/ -static void pack_sk(uint8_t r[KYBER_INDCPA_SECRETKEYBYTES], polyvec *sk) -{ - polyvec_tobytes(r, sk); -} - -/************************************************* -* Name: unpack_sk -* -* Description: De-serialize the secret key; inverse of pack_sk -* -* Arguments: - polyvec *sk: pointer to output vector of polynomials (secret key) -* - const uint8_t *packedsk: pointer to input serialized secret key -**************************************************/ -static void unpack_sk(polyvec *sk, const uint8_t packedsk[KYBER_INDCPA_SECRETKEYBYTES]) -{ - polyvec_frombytes(sk, packedsk); -} - -/************************************************* -* Name: pack_ciphertext -* -* Description: Serialize the ciphertext as concatenation of the -* compressed and serialized vector of polynomials b -* and the compressed and serialized polynomial v -* -* Arguments: uint8_t *r: pointer to the output serialized ciphertext -* poly *pk: pointer to the input vector of polynomials b -* poly *v: pointer to the input polynomial v -**************************************************/ -static void pack_ciphertext(uint8_t r[KYBER_INDCPA_BYTES], polyvec *b, poly *v) -{ - polyvec_compress(r, b); - poly_compress(r+KYBER_POLYVECCOMPRESSEDBYTES, v); -} - -/************************************************* -* Name: unpack_ciphertext -* -* Description: De-serialize and decompress ciphertext from a byte array; -* approximate inverse of pack_ciphertext -* -* Arguments: - polyvec *b: pointer to the output vector of polynomials b -* - poly *v: pointer to the output polynomial v -* - const uint8_t *c: pointer to the input serialized ciphertext -**************************************************/ -static void unpack_ciphertext(polyvec *b, poly *v, const uint8_t c[KYBER_INDCPA_BYTES]) -{ - polyvec_decompress(b, c); - poly_decompress(v, c+KYBER_POLYVECCOMPRESSEDBYTES); -} - -/************************************************* -* Name: rej_uniform -* -* Description: Run rejection sampling on uniform random bytes to generate -* uniform random integers mod q -* -* Arguments: - int16_t *r: pointer to output buffer -* - unsigned int len: requested number of 16-bit integers (uniform mod q) -* - const uint8_t *buf: pointer to input buffer (assumed to be uniformly random bytes) -* - unsigned int buflen: length of input buffer in bytes -* -* Returns number of sampled 16-bit integers (at most len) -**************************************************/ -static unsigned int rej_uniform(int16_t *r, - unsigned int len, - const uint8_t *buf, - unsigned int buflen) -{ - unsigned int ctr, pos; - uint16_t val0, val1; - - ctr = pos = 0; - while(ctr < len && pos + 3 <= buflen) { - val0 = ((buf[pos+0] >> 0) | ((uint16_t)buf[pos+1] << 8)) & 0xFFF; - val1 = ((buf[pos+1] >> 4) | ((uint16_t)buf[pos+2] << 4)) & 0xFFF; - pos += 3; - - if(val0 < KYBER_Q) - r[ctr++] = val0; - if(ctr < len && val1 < KYBER_Q) - r[ctr++] = val1; - } - - return ctr; -} - -#define gen_a(A,B) gen_matrix(A,B,0) -#define gen_at(A,B) gen_matrix(A,B,1) - -/************************************************* -* Name: gen_matrix -* -* Description: Deterministically generate matrix A (or the transpose of A) -* from a seed. Entries of the matrix are polynomials that look -* uniformly random. Performs rejection sampling on output of -* a XOF -* -* Arguments: - polyvec *a: pointer to ouptput matrix A -* - const uint8_t *seed: pointer to input seed -* - int transposed: boolean deciding whether A or A^T is generated -**************************************************/ -#define GEN_MATRIX_NBLOCKS ((12*KYBER_N/8*(1 << 12)/KYBER_Q + XOF_BLOCKBYTES)/XOF_BLOCKBYTES) -// Not static for benchmarking -void gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed) -{ - unsigned int ctr, i, j, k; - unsigned int buflen, off; - uint8_t buf[GEN_MATRIX_NBLOCKS*XOF_BLOCKBYTES+2]; - xof_state state; - xof_init(&state, seed); - - for(i=0;i<KYBER_K;i++) { - for(j=0;j<KYBER_K;j++) { - if(transposed) - xof_absorb(&state, seed, i, j); - else - xof_absorb(&state, seed, j, i); - - xof_squeezeblocks(buf, GEN_MATRIX_NBLOCKS, &state); - buflen = GEN_MATRIX_NBLOCKS*XOF_BLOCKBYTES; - ctr = rej_uniform(a[i].vec[j].coeffs, KYBER_N, buf, buflen); - - while(ctr < KYBER_N) { - off = buflen % 3; - for(k = 0; k < off; k++) - buf[k] = buf[buflen - off + k]; - xof_squeezeblocks(buf + off, 1, &state); - buflen = off + XOF_BLOCKBYTES; - ctr += rej_uniform(a[i].vec[j].coeffs + ctr, KYBER_N - ctr, buf, buflen); - } - } - } - xof_release(&state); -} - -/************************************************* -* Name: indcpa_keypair -* -* Description: Generates public and private key for the CPA-secure -* public-key encryption scheme underlying Kyber -* -* Arguments: - uint8_t *pk: pointer to output public key -* (of length KYBER_INDCPA_PUBLICKEYBYTES bytes) -* - uint8_t *sk: pointer to output private key - (of length KYBER_INDCPA_SECRETKEYBYTES bytes) -**************************************************/ -void indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], - uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]) -{ - unsigned int i; - uint8_t buf[2*KYBER_SYMBYTES]; - const uint8_t *publicseed = buf; - const uint8_t *noiseseed = buf+KYBER_SYMBYTES; - uint8_t nonce = 0; - polyvec a[KYBER_K], e, pkpv, skpv; - - randombytes(buf, KYBER_SYMBYTES); - hash_g(buf, buf, KYBER_SYMBYTES); - - gen_a(a, publicseed); - - for(i=0;i<KYBER_K;i++) - poly_getnoise_eta1(&skpv.vec[i], noiseseed, nonce++); - for(i=0;i<KYBER_K;i++) - poly_getnoise_eta1(&e.vec[i], noiseseed, nonce++); - - polyvec_ntt(&skpv); - polyvec_ntt(&e); - - // matrix-vector multiplication - for(i=0;i<KYBER_K;i++) { - polyvec_basemul_acc_montgomery(&pkpv.vec[i], &a[i], &skpv); - poly_tomont(&pkpv.vec[i]); - } - - polyvec_add(&pkpv, &pkpv, &e); - polyvec_reduce(&pkpv); - - pack_sk(sk, &skpv); - pack_pk(pk, &pkpv, publicseed); -} - -/************************************************* -* Name: indcpa_enc -* -* Description: Encryption function of the CPA-secure -* public-key encryption scheme underlying Kyber. -* -* Arguments: - uint8_t *c: pointer to output ciphertext -* (of length KYBER_INDCPA_BYTES bytes) -* - const uint8_t *m: pointer to input message -* (of length KYBER_INDCPA_MSGBYTES bytes) -* - const uint8_t *pk: pointer to input public key -* (of length KYBER_INDCPA_PUBLICKEYBYTES) -* - const uint8_t *coins: pointer to input random coins used as seed -* (of length KYBER_SYMBYTES) to deterministically -* generate all randomness -**************************************************/ -void indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], - const uint8_t m[KYBER_INDCPA_MSGBYTES], - const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], - const uint8_t coins[KYBER_SYMBYTES]) -{ - unsigned int i; - uint8_t seed[KYBER_SYMBYTES]; - uint8_t nonce = 0; - polyvec sp, pkpv, ep, at[KYBER_K], b; - poly v, k, epp; - - unpack_pk(&pkpv, seed, pk); - poly_frommsg(&k, m); - gen_at(at, seed); - - for(i=0;i<KYBER_K;i++) - poly_getnoise_eta1(sp.vec+i, coins, nonce++); - for(i=0;i<KYBER_K;i++) - poly_getnoise_eta2(ep.vec+i, coins, nonce++); - poly_getnoise_eta2(&epp, coins, nonce++); - - polyvec_ntt(&sp); - - // matrix-vector multiplication - for(i=0;i<KYBER_K;i++) - polyvec_basemul_acc_montgomery(&b.vec[i], &at[i], &sp); - - polyvec_basemul_acc_montgomery(&v, &pkpv, &sp); - - polyvec_invntt_tomont(&b); - poly_invntt_tomont(&v); - - polyvec_add(&b, &b, &ep); - poly_add(&v, &v, &epp); - poly_add(&v, &v, &k); - polyvec_reduce(&b); - poly_reduce(&v); - - pack_ciphertext(c, &b, &v); -} - -/************************************************* -* Name: indcpa_dec -* -* Description: Decryption function of the CPA-secure -* public-key encryption scheme underlying Kyber. -* -* Arguments: - uint8_t *m: pointer to output decrypted message -* (of length KYBER_INDCPA_MSGBYTES) -* - const uint8_t *c: pointer to input ciphertext -* (of length KYBER_INDCPA_BYTES) -* - const uint8_t *sk: pointer to input secret key -* (of length KYBER_INDCPA_SECRETKEYBYTES) -**************************************************/ -void indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES], - const uint8_t c[KYBER_INDCPA_BYTES], - const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]) -{ - polyvec b, skpv; - poly v, mp; - - unpack_ciphertext(&b, &v, c); - unpack_sk(&skpv, sk); - - polyvec_ntt(&b); - polyvec_basemul_acc_montgomery(&mp, &skpv, &b); - poly_invntt_tomont(&mp); - - poly_sub(&mp, &v, &mp); - poly_reduce(&mp); - - poly_tomsg(m, &mp); -} diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/indcpa.h b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/indcpa.h deleted file mode 100644 index 57bd5ead3..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/indcpa.h +++ /dev/null @@ -1,25 +0,0 @@ -#ifndef INDCPA_H -#define INDCPA_H - -#include <stdint.h> -#include "params.h" -#include "polyvec.h" - -#define gen_matrix KYBER_NAMESPACE(gen_matrix) -void gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed); -#define indcpa_keypair KYBER_NAMESPACE(indcpa_keypair) -void indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], - uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); - -#define indcpa_enc KYBER_NAMESPACE(indcpa_enc) -void indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], - const uint8_t m[KYBER_INDCPA_MSGBYTES], - const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], - const uint8_t coins[KYBER_SYMBYTES]); - -#define indcpa_dec KYBER_NAMESPACE(indcpa_dec) -void indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES], - const uint8_t c[KYBER_INDCPA_BYTES], - const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); - -#endif diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/kem.c b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/kem.c deleted file mode 100644 index f376bd236..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/kem.c +++ /dev/null @@ -1,127 +0,0 @@ -#include <stddef.h> -#include <stdint.h> -#include "params.h" -#include "kem.h" -#include "indcpa.h" -#include "verify.h" -#include "symmetric.h" -#include "randombytes.h" - -/************************************************* -* Name: crypto_kem_keypair -* -* Description: Generates public and private key -* for CCA-secure Kyber key encapsulation mechanism -* -* Arguments: - uint8_t *pk: pointer to output public key -* (an already allocated array of KYBER_PUBLICKEYBYTES bytes) -* - uint8_t *sk: pointer to output private key -* (an already allocated array of KYBER_SECRETKEYBYTES bytes) -* -* Returns 0 (success) -**************************************************/ -int crypto_kem_keypair(uint8_t *pk, - uint8_t *sk) -{ - size_t i; - indcpa_keypair(pk, sk); - for(i=0;i<KYBER_INDCPA_PUBLICKEYBYTES;i++) - sk[i+KYBER_INDCPA_SECRETKEYBYTES] = pk[i]; - hash_h(sk+KYBER_SECRETKEYBYTES-2*KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES); - /* Value z for pseudo-random output on reject */ - randombytes(sk+KYBER_SECRETKEYBYTES-KYBER_SYMBYTES, KYBER_SYMBYTES); - return 0; -} - -/************************************************* -* Name: crypto_kem_enc -* -* Description: Generates cipher text and shared -* secret for given public key -* -* Arguments: - uint8_t *ct: pointer to output cipher text -* (an already allocated array of KYBER_CIPHERTEXTBYTES bytes) -* - uint8_t *ss: pointer to output shared secret -* (an already allocated array of KYBER_SSBYTES bytes) -* - const uint8_t *pk: pointer to input public key -* (an already allocated array of KYBER_PUBLICKEYBYTES bytes) -* -* Returns 0 (success) -**************************************************/ -int crypto_kem_enc(uint8_t *ct, - uint8_t *ss, - const uint8_t *pk) -{ - uint8_t buf[2*KYBER_SYMBYTES]; - /* Will contain key, coins */ - uint8_t kr[2*KYBER_SYMBYTES]; - - randombytes(buf, KYBER_SYMBYTES); - /* Don't release system RNG output */ - hash_h(buf, buf, KYBER_SYMBYTES); - - /* Multitarget countermeasure for coins + contributory KEM */ - hash_h(buf+KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES); - hash_g(kr, buf, 2*KYBER_SYMBYTES); - - /* coins are in kr+KYBER_SYMBYTES */ - indcpa_enc(ct, buf, pk, kr+KYBER_SYMBYTES); - - /* overwrite coins in kr with H(c) */ - hash_h(kr+KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); - /* hash concatenation of pre-k and H(c) to k */ - kdf(ss, kr, 2*KYBER_SYMBYTES); - return 0; -} - -/************************************************* -* Name: crypto_kem_dec -* -* Description: Generates shared secret for given -* cipher text and private key -* -* Arguments: - uint8_t *ss: pointer to output shared secret -* (an already allocated array of KYBER_SSBYTES bytes) -* - const uint8_t *ct: pointer to input cipher text -* (an already allocated array of KYBER_CIPHERTEXTBYTES bytes) -* - const uint8_t *sk: pointer to input private key -* (an already allocated array of KYBER_SECRETKEYBYTES bytes) -* -* Returns 0. -* -* On failure, ss will contain a pseudo-random value. -**************************************************/ -int crypto_kem_dec(uint8_t *ss, - const uint8_t *ct, - const uint8_t *sk) -{ - size_t i; - int fail; - uint8_t buf[2*KYBER_SYMBYTES]; - /* Will contain key, coins */ - uint8_t kr[2*KYBER_SYMBYTES]; - uint8_t cmp[KYBER_CIPHERTEXTBYTES]; - const uint8_t *pk = sk+KYBER_INDCPA_SECRETKEYBYTES; - - indcpa_dec(buf, ct, sk); - - /* Multitarget countermeasure for coins + contributory KEM */ - for(i=0;i<KYBER_SYMBYTES;i++) - buf[KYBER_SYMBYTES+i] = sk[KYBER_SECRETKEYBYTES-2*KYBER_SYMBYTES+i]; - hash_g(kr, buf, 2*KYBER_SYMBYTES); - - /* coins are in kr+KYBER_SYMBYTES */ - indcpa_enc(cmp, buf, pk, kr+KYBER_SYMBYTES); - - fail = verify(ct, cmp, KYBER_CIPHERTEXTBYTES); - - /* overwrite coins in kr with H(c) */ - hash_h(kr+KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); - - /* Overwrite pre-k with z on re-encryption failure */ - cmov(kr, sk+KYBER_SECRETKEYBYTES-KYBER_SYMBYTES, KYBER_SYMBYTES, fail); - - /* hash concatenation of pre-k and H(c) to k */ - kdf(ss, kr, 2*KYBER_SYMBYTES); - return 0; -} diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/kem.h b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/kem.h deleted file mode 100644 index 3f3eff697..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/kem.h +++ /dev/null @@ -1,41 +0,0 @@ -#ifndef KEM_H -#define KEM_H - -#include <stdint.h> -#include "params.h" - -#define CRYPTO_SECRETKEYBYTES KYBER_SECRETKEYBYTES -#define CRYPTO_PUBLICKEYBYTES KYBER_PUBLICKEYBYTES -#define CRYPTO_CIPHERTEXTBYTES KYBER_CIPHERTEXTBYTES -#define CRYPTO_BYTES KYBER_SSBYTES - -#if (KYBER_K == 2) -#ifdef KYBER_90S -#define CRYPTO_ALGNAME "Kyber512-90s" -#else -#define CRYPTO_ALGNAME "Kyber512" -#endif -#elif (KYBER_K == 3) -#ifdef KYBER_90S -#define CRYPTO_ALGNAME "Kyber768-90s" -#else -#define CRYPTO_ALGNAME "Kyber768" -#endif -#elif (KYBER_K == 4) -#ifdef KYBER_90S -#define CRYPTO_ALGNAME "Kyber1024-90s" -#else -#define CRYPTO_ALGNAME "Kyber1024" -#endif -#endif - -#define crypto_kem_keypair KYBER_NAMESPACE(keypair) -int crypto_kem_keypair(uint8_t *pk, uint8_t *sk); - -#define crypto_kem_enc KYBER_NAMESPACE(enc) -int crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); - -#define crypto_kem_dec KYBER_NAMESPACE(dec) -int crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - -#endif diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/manifest.mn b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/manifest.mn deleted file mode 100644 index 84aed832f..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/manifest.mn +++ /dev/null @@ -1,31 +0,0 @@ -# DO NOT EDIT: generated from manifest.mn.subdirs.template -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. -CORE_DEPTH = ../../../../../.. - -MODULE = oqs - -LIBRARY_NAME = oqs_src_kem_kyber_pqcrystals-kyber_kyber1024_ref -SHARED_LIBRARY = $(NULL) - -CSRCS = \ - cbd.c \ - indcpa.c \ - kem.c \ - ntt.c \ - poly.c \ - polyvec.c \ - reduce.c \ - symmetric-shake.c \ - verify.c \ - $(NULL) - -# only add module debugging in opt builds if DEBUG_PKCS11 is set -ifdef DEBUG_PKCS11 - DEFINES += -DDEBUG_MODULE -endif - -# This part of the code, including all sub-dirs, can be optimized for size -export ALLOW_OPT_CODE_SIZE = 1 diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/ntt.c b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/ntt.c deleted file mode 100644 index 2f2eb10b2..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/ntt.c +++ /dev/null @@ -1,146 +0,0 @@ -#include <stdint.h> -#include "params.h" -#include "ntt.h" -#include "reduce.h" - -/* Code to generate zetas and zetas_inv used in the number-theoretic transform: - -#define KYBER_ROOT_OF_UNITY 17 - -static const uint8_t tree[128] = { - 0, 64, 32, 96, 16, 80, 48, 112, 8, 72, 40, 104, 24, 88, 56, 120, - 4, 68, 36, 100, 20, 84, 52, 116, 12, 76, 44, 108, 28, 92, 60, 124, - 2, 66, 34, 98, 18, 82, 50, 114, 10, 74, 42, 106, 26, 90, 58, 122, - 6, 70, 38, 102, 22, 86, 54, 118, 14, 78, 46, 110, 30, 94, 62, 126, - 1, 65, 33, 97, 17, 81, 49, 113, 9, 73, 41, 105, 25, 89, 57, 121, - 5, 69, 37, 101, 21, 85, 53, 117, 13, 77, 45, 109, 29, 93, 61, 125, - 3, 67, 35, 99, 19, 83, 51, 115, 11, 75, 43, 107, 27, 91, 59, 123, - 7, 71, 39, 103, 23, 87, 55, 119, 15, 79, 47, 111, 31, 95, 63, 127 -}; - -void init_ntt() { - unsigned int i; - int16_t tmp[128]; - - tmp[0] = MONT; - for(i=1;i<128;i++) - tmp[i] = fqmul(tmp[i-1],MONT*KYBER_ROOT_OF_UNITY % KYBER_Q); - - for(i=0;i<128;i++) { - zetas[i] = tmp[tree[i]]; - if(zetas[i] > KYBER_Q/2) - zetas[i] -= KYBER_Q; - if(zetas[i] < -KYBER_Q/2) - zetas[i] += KYBER_Q; - } -} -*/ - -const int16_t zetas[128] = { - -1044, -758, -359, -1517, 1493, 1422, 287, 202, - -171, 622, 1577, 182, 962, -1202, -1474, 1468, - 573, -1325, 264, 383, -829, 1458, -1602, -130, - -681, 1017, 732, 608, -1542, 411, -205, -1571, - 1223, 652, -552, 1015, -1293, 1491, -282, -1544, - 516, -8, -320, -666, -1618, -1162, 126, 1469, - -853, -90, -271, 830, 107, -1421, -247, -951, - -398, 961, -1508, -725, 448, -1065, 677, -1275, - -1103, 430, 555, 843, -1251, 871, 1550, 105, - 422, 587, 177, -235, -291, -460, 1574, 1653, - -246, 778, 1159, -147, -777, 1483, -602, 1119, - -1590, 644, -872, 349, 418, 329, -156, -75, - 817, 1097, 603, 610, 1322, -1285, -1465, 384, - -1215, -136, 1218, -1335, -874, 220, -1187, -1659, - -1185, -1530, -1278, 794, -1510, -854, -870, 478, - -108, -308, 996, 991, 958, -1460, 1522, 1628 -}; - -/************************************************* -* Name: fqmul -* -* Description: Multiplication followed by Montgomery reduction -* -* Arguments: - int16_t a: first factor -* - int16_t b: second factor -* -* Returns 16-bit integer congruent to a*b*R^{-1} mod q -**************************************************/ -static int16_t fqmul(int16_t a, int16_t b) { - return montgomery_reduce((int32_t)a*b); -} - -/************************************************* -* Name: ntt -* -* Description: Inplace number-theoretic transform (NTT) in Rq. -* input is in standard order, output is in bitreversed order -* -* Arguments: - int16_t r[256]: pointer to input/output vector of elements of Zq -**************************************************/ -void ntt(int16_t r[256]) { - unsigned int len, start, j, k; - int16_t t, zeta; - - k = 1; - for(len = 128; len >= 2; len >>= 1) { - for(start = 0; start < 256; start = j + len) { - zeta = zetas[k++]; - for(j = start; j < start + len; j++) { - t = fqmul(zeta, r[j + len]); - r[j + len] = r[j] - t; - r[j] = r[j] + t; - } - } - } -} - -/************************************************* -* Name: invntt_tomont -* -* Description: Inplace inverse number-theoretic transform in Rq and -* multiplication by Montgomery factor 2^16. -* Input is in bitreversed order, output is in standard order -* -* Arguments: - int16_t r[256]: pointer to input/output vector of elements of Zq -**************************************************/ -void invntt(int16_t r[256]) { - unsigned int start, len, j, k; - int16_t t, zeta; - const int16_t f = 1441; // mont^2/128 - - k = 127; - for(len = 2; len <= 128; len <<= 1) { - for(start = 0; start < 256; start = j + len) { - zeta = zetas[k--]; - for(j = start; j < start + len; j++) { - t = r[j]; - r[j] = barrett_reduce(t + r[j + len]); - r[j + len] = r[j + len] - t; - r[j + len] = fqmul(zeta, r[j + len]); - } - } - } - - for(j = 0; j < 256; j++) - r[j] = fqmul(r[j], f); -} - -/************************************************* -* Name: basemul -* -* Description: Multiplication of polynomials in Zq[X]/(X^2-zeta) -* used for multiplication of elements in Rq in NTT domain -* -* Arguments: - int16_t r[2]: pointer to the output polynomial -* - const int16_t a[2]: pointer to the first factor -* - const int16_t b[2]: pointer to the second factor -* - int16_t zeta: integer defining the reduction polynomial -**************************************************/ -void basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], int16_t zeta) -{ - r[0] = fqmul(a[1], b[1]); - r[0] = fqmul(r[0], zeta); - r[0] += fqmul(a[0], b[0]); - r[1] = fqmul(a[0], b[1]); - r[1] += fqmul(a[1], b[0]); -} diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/ntt.h b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/ntt.h deleted file mode 100644 index 227ea74f0..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/ntt.h +++ /dev/null @@ -1,19 +0,0 @@ -#ifndef NTT_H -#define NTT_H - -#include <stdint.h> -#include "params.h" - -#define zetas KYBER_NAMESPACE(zetas) -extern const int16_t zetas[128]; - -#define ntt KYBER_NAMESPACE(ntt) -void ntt(int16_t poly[256]); - -#define invntt KYBER_NAMESPACE(invntt) -void invntt(int16_t poly[256]); - -#define basemul KYBER_NAMESPACE(basemul) -void basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], int16_t zeta); - -#endif diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/params.h b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/params.h deleted file mode 100644 index 3d02a0f9e..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/params.h +++ /dev/null @@ -1,68 +0,0 @@ -#ifndef PARAMS_H -#define PARAMS_H - -#ifndef KYBER_K -#define KYBER_K 3 /* Change this for different security strengths */ -#endif - -//#define KYBER_90S /* Uncomment this if you want the 90S variant */ - -/* Don't change parameters below this line */ -#if (KYBER_K == 2) -#ifdef KYBER_90S -#define KYBER_NAMESPACE(s) pqcrystals_kyber512_90s_ref_##s -#else -#define KYBER_NAMESPACE(s) pqcrystals_kyber512_ref_##s -#endif -#elif (KYBER_K == 3) -#ifdef KYBER_90S -#define KYBER_NAMESPACE(s) pqcrystals_kyber768_90s_ref_##s -#else -#define KYBER_NAMESPACE(s) pqcrystals_kyber768_ref_##s -#endif -#elif (KYBER_K == 4) -#ifdef KYBER_90S -#define KYBER_NAMESPACE(s) pqcrystals_kyber1024_90s_ref_##s -#else -#define KYBER_NAMESPACE(s) pqcrystals_kyber1024_ref_##s -#endif -#else -#error "KYBER_K must be in {2,3,4}" -#endif - -#define KYBER_N 256 -#define KYBER_Q 3329 - -#define KYBER_SYMBYTES 32 /* size in bytes of hashes, and seeds */ -#define KYBER_SSBYTES 32 /* size in bytes of shared key */ - -#define KYBER_POLYBYTES 384 -#define KYBER_POLYVECBYTES (KYBER_K * KYBER_POLYBYTES) - -#if KYBER_K == 2 -#define KYBER_ETA1 3 -#define KYBER_POLYCOMPRESSEDBYTES 128 -#define KYBER_POLYVECCOMPRESSEDBYTES (KYBER_K * 320) -#elif KYBER_K == 3 -#define KYBER_ETA1 2 -#define KYBER_POLYCOMPRESSEDBYTES 128 -#define KYBER_POLYVECCOMPRESSEDBYTES (KYBER_K * 320) -#elif KYBER_K == 4 -#define KYBER_ETA1 2 -#define KYBER_POLYCOMPRESSEDBYTES 160 -#define KYBER_POLYVECCOMPRESSEDBYTES (KYBER_K * 352) -#endif - -#define KYBER_ETA2 2 - -#define KYBER_INDCPA_MSGBYTES (KYBER_SYMBYTES) -#define KYBER_INDCPA_PUBLICKEYBYTES (KYBER_POLYVECBYTES + KYBER_SYMBYTES) -#define KYBER_INDCPA_SECRETKEYBYTES (KYBER_POLYVECBYTES) -#define KYBER_INDCPA_BYTES (KYBER_POLYVECCOMPRESSEDBYTES + KYBER_POLYCOMPRESSEDBYTES) - -#define KYBER_PUBLICKEYBYTES (KYBER_INDCPA_PUBLICKEYBYTES) -/* 32 bytes of additional space to save H(pk) */ -#define KYBER_SECRETKEYBYTES (KYBER_INDCPA_SECRETKEYBYTES + KYBER_INDCPA_PUBLICKEYBYTES + 2*KYBER_SYMBYTES) -#define KYBER_CIPHERTEXTBYTES (KYBER_INDCPA_BYTES) - -#endif diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/poly.c b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/poly.c deleted file mode 100644 index 9556ee517..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/poly.c +++ /dev/null @@ -1,343 +0,0 @@ -#include <stdint.h> -#include "params.h" -#include "poly.h" -#include "ntt.h" -#include "reduce.h" -#include "cbd.h" -#include "symmetric.h" - -/************************************************* -* Name: poly_compress -* -* Description: Compression and subsequent serialization of a polynomial -* -* Arguments: - uint8_t *r: pointer to output byte array -* (of length KYBER_POLYCOMPRESSEDBYTES) -* - const poly *a: pointer to input polynomial -**************************************************/ -void poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], const poly *a) -{ - unsigned int i,j; - int16_t u; - uint8_t t[8]; - -#if (KYBER_POLYCOMPRESSEDBYTES == 128) - for(i=0;i<KYBER_N/8;i++) { - for(j=0;j<8;j++) { - // map to positive standard representatives - u = a->coeffs[8*i+j]; - u += (u >> 15) & KYBER_Q; - t[j] = ((((uint16_t)u << 4) + KYBER_Q/2)/KYBER_Q) & 15; - } - - r[0] = t[0] | (t[1] << 4); - r[1] = t[2] | (t[3] << 4); - r[2] = t[4] | (t[5] << 4); - r[3] = t[6] | (t[7] << 4); - r += 4; - } -#elif (KYBER_POLYCOMPRESSEDBYTES == 160) - for(i=0;i<KYBER_N/8;i++) { - for(j=0;j<8;j++) { - // map to positive standard representatives - u = a->coeffs[8*i+j]; - u += (u >> 15) & KYBER_Q; - t[j] = ((((uint32_t)u << 5) + KYBER_Q/2)/KYBER_Q) & 31; - } - - r[0] = (t[0] >> 0) | (t[1] << 5); - r[1] = (t[1] >> 3) | (t[2] << 2) | (t[3] << 7); - r[2] = (t[3] >> 1) | (t[4] << 4); - r[3] = (t[4] >> 4) | (t[5] << 1) | (t[6] << 6); - r[4] = (t[6] >> 2) | (t[7] << 3); - r += 5; - } -#else -#error "KYBER_POLYCOMPRESSEDBYTES needs to be in {128, 160}" -#endif -} - -/************************************************* -* Name: poly_decompress -* -* Description: De-serialization and subsequent decompression of a polynomial; -* approximate inverse of poly_compress -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *a: pointer to input byte array -* (of length KYBER_POLYCOMPRESSEDBYTES bytes) -**************************************************/ -void poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]) -{ - unsigned int i; - -#if (KYBER_POLYCOMPRESSEDBYTES == 128) - for(i=0;i<KYBER_N/2;i++) { - r->coeffs[2*i+0] = (((uint16_t)(a[0] & 15)*KYBER_Q) + 8) >> 4; - r->coeffs[2*i+1] = (((uint16_t)(a[0] >> 4)*KYBER_Q) + 8) >> 4; - a += 1; - } -#elif (KYBER_POLYCOMPRESSEDBYTES == 160) - unsigned int j; - uint8_t t[8]; - for(i=0;i<KYBER_N/8;i++) { - t[0] = (a[0] >> 0); - t[1] = (a[0] >> 5) | (a[1] << 3); - t[2] = (a[1] >> 2); - t[3] = (a[1] >> 7) | (a[2] << 1); - t[4] = (a[2] >> 4) | (a[3] << 4); - t[5] = (a[3] >> 1); - t[6] = (a[3] >> 6) | (a[4] << 2); - t[7] = (a[4] >> 3); - a += 5; - - for(j=0;j<8;j++) - r->coeffs[8*i+j] = ((uint32_t)(t[j] & 31)*KYBER_Q + 16) >> 5; - } -#else -#error "KYBER_POLYCOMPRESSEDBYTES needs to be in {128, 160}" -#endif -} - -/************************************************* -* Name: poly_tobytes -* -* Description: Serialization of a polynomial -* -* Arguments: - uint8_t *r: pointer to output byte array -* (needs space for KYBER_POLYBYTES bytes) -* - const poly *a: pointer to input polynomial -**************************************************/ -void poly_tobytes(uint8_t r[KYBER_POLYBYTES], const poly *a) -{ - unsigned int i; - uint16_t t0, t1; - - for(i=0;i<KYBER_N/2;i++) { - // map to positive standard representatives - t0 = a->coeffs[2*i]; - t0 += ((int16_t)t0 >> 15) & KYBER_Q; - t1 = a->coeffs[2*i+1]; - t1 += ((int16_t)t1 >> 15) & KYBER_Q; - r[3*i+0] = (t0 >> 0); - r[3*i+1] = (t0 >> 8) | (t1 << 4); - r[3*i+2] = (t1 >> 4); - } -} - -/************************************************* -* Name: poly_frombytes -* -* Description: De-serialization of a polynomial; -* inverse of poly_tobytes -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *a: pointer to input byte array -* (of KYBER_POLYBYTES bytes) -**************************************************/ -void poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]) -{ - unsigned int i; - for(i=0;i<KYBER_N/2;i++) { - r->coeffs[2*i] = ((a[3*i+0] >> 0) | ((uint16_t)a[3*i+1] << 8)) & 0xFFF; - r->coeffs[2*i+1] = ((a[3*i+1] >> 4) | ((uint16_t)a[3*i+2] << 4)) & 0xFFF; - } -} - -/************************************************* -* Name: poly_frommsg -* -* Description: Convert 32-byte message to polynomial -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *msg: pointer to input message -**************************************************/ -void poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]) -{ - unsigned int i,j; - int16_t mask; - -#if (KYBER_INDCPA_MSGBYTES != KYBER_N/8) -#error "KYBER_INDCPA_MSGBYTES must be equal to KYBER_N/8 bytes!" -#endif - - for(i=0;i<KYBER_N/8;i++) { - for(j=0;j<8;j++) { - mask = -(int16_t)((msg[i] >> j)&1); - r->coeffs[8*i+j] = mask & ((KYBER_Q+1)/2); - } - } -} - -/************************************************* -* Name: poly_tomsg -* -* Description: Convert polynomial to 32-byte message -* -* Arguments: - uint8_t *msg: pointer to output message -* - const poly *a: pointer to input polynomial -**************************************************/ -void poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], const poly *a) -{ - unsigned int i,j; - uint16_t t; - - for(i=0;i<KYBER_N/8;i++) { - msg[i] = 0; - for(j=0;j<8;j++) { - t = a->coeffs[8*i+j]; - t += ((int16_t)t >> 15) & KYBER_Q; - t = (((t << 1) + KYBER_Q/2)/KYBER_Q) & 1; - msg[i] |= t << j; - } - } -} - -/************************************************* -* Name: poly_getnoise_eta1 -* -* Description: Sample a polynomial deterministically from a seed and a nonce, -* with output polynomial close to centered binomial distribution -* with parameter KYBER_ETA1 -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *seed: pointer to input seed -* (of length KYBER_SYMBYTES bytes) -* - uint8_t nonce: one-byte input nonce -**************************************************/ -void poly_getnoise_eta1(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce) -{ - uint8_t buf[KYBER_ETA1*KYBER_N/4]; - prf(buf, sizeof(buf), seed, nonce); - poly_cbd_eta1(r, buf); -} - -/************************************************* -* Name: poly_getnoise_eta2 -* -* Description: Sample a polynomial deterministically from a seed and a nonce, -* with output polynomial close to centered binomial distribution -* with parameter KYBER_ETA2 -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *seed: pointer to input seed -* (of length KYBER_SYMBYTES bytes) -* - uint8_t nonce: one-byte input nonce -**************************************************/ -void poly_getnoise_eta2(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce) -{ - uint8_t buf[KYBER_ETA2*KYBER_N/4]; - prf(buf, sizeof(buf), seed, nonce); - poly_cbd_eta2(r, buf); -} - - -/************************************************* -* Name: poly_ntt -* -* Description: Computes negacyclic number-theoretic transform (NTT) of -* a polynomial in place; -* inputs assumed to be in normal order, output in bitreversed order -* -* Arguments: - uint16_t *r: pointer to in/output polynomial -**************************************************/ -void poly_ntt(poly *r) -{ - ntt(r->coeffs); - poly_reduce(r); -} - -/************************************************* -* Name: poly_invntt_tomont -* -* Description: Computes inverse of negacyclic number-theoretic transform (NTT) -* of a polynomial in place; -* inputs assumed to be in bitreversed order, output in normal order -* -* Arguments: - uint16_t *a: pointer to in/output polynomial -**************************************************/ -void poly_invntt_tomont(poly *r) -{ - invntt(r->coeffs); -} - -/************************************************* -* Name: poly_basemul_montgomery -* -* Description: Multiplication of two polynomials in NTT domain -* -* Arguments: - poly *r: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void poly_basemul_montgomery(poly *r, const poly *a, const poly *b) -{ - unsigned int i; - for(i=0;i<KYBER_N/4;i++) { - basemul(&r->coeffs[4*i], &a->coeffs[4*i], &b->coeffs[4*i], zetas[64+i]); - basemul(&r->coeffs[4*i+2], &a->coeffs[4*i+2], &b->coeffs[4*i+2], -zetas[64+i]); - } -} - -/************************************************* -* Name: poly_tomont -* -* Description: Inplace conversion of all coefficients of a polynomial -* from normal domain to Montgomery domain -* -* Arguments: - poly *r: pointer to input/output polynomial -**************************************************/ -void poly_tomont(poly *r) -{ - unsigned int i; - const int16_t f = (1ULL << 32) % KYBER_Q; - for(i=0;i<KYBER_N;i++) - r->coeffs[i] = montgomery_reduce((int32_t)r->coeffs[i]*f); -} - -/************************************************* -* Name: poly_reduce -* -* Description: Applies Barrett reduction to all coefficients of a polynomial -* for details of the Barrett reduction see comments in reduce.c -* -* Arguments: - poly *r: pointer to input/output polynomial -**************************************************/ -void poly_reduce(poly *r) -{ - unsigned int i; - for(i=0;i<KYBER_N;i++) - r->coeffs[i] = barrett_reduce(r->coeffs[i]); -} - -/************************************************* -* Name: poly_add -* -* Description: Add two polynomials; no modular reduction is performed -* -* Arguments: - poly *r: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void poly_add(poly *r, const poly *a, const poly *b) -{ - unsigned int i; - for(i=0;i<KYBER_N;i++) - r->coeffs[i] = a->coeffs[i] + b->coeffs[i]; -} - -/************************************************* -* Name: poly_sub -* -* Description: Subtract two polynomials; no modular reduction is performed -* -* Arguments: - poly *r: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void poly_sub(poly *r, const poly *a, const poly *b) -{ - unsigned int i; - for(i=0;i<KYBER_N;i++) - r->coeffs[i] = a->coeffs[i] - b->coeffs[i]; -} diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/poly.h b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/poly.h deleted file mode 100644 index 9a99c7cda..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/poly.h +++ /dev/null @@ -1,53 +0,0 @@ -#ifndef POLY_H -#define POLY_H - -#include <stdint.h> -#include "params.h" - -/* - * Elements of R_q = Z_q[X]/(X^n + 1). Represents polynomial - * coeffs[0] + X*coeffs[1] + X^2*coeffs[2] + ... + X^{n-1}*coeffs[n-1] - */ -typedef struct{ - int16_t coeffs[KYBER_N]; -} poly; - -#define poly_compress KYBER_NAMESPACE(poly_compress) -void poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], const poly *a); -#define poly_decompress KYBER_NAMESPACE(poly_decompress) -void poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]); - -#define poly_tobytes KYBER_NAMESPACE(poly_tobytes) -void poly_tobytes(uint8_t r[KYBER_POLYBYTES], const poly *a); -#define poly_frombytes KYBER_NAMESPACE(poly_frombytes) -void poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]); - -#define poly_frommsg KYBER_NAMESPACE(poly_frommsg) -void poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]); -#define poly_tomsg KYBER_NAMESPACE(poly_tomsg) -void poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], const poly *r); - -#define poly_getnoise_eta1 KYBER_NAMESPACE(poly_getnoise_eta1) -void poly_getnoise_eta1(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce); - -#define poly_getnoise_eta2 KYBER_NAMESPACE(poly_getnoise_eta2) -void poly_getnoise_eta2(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce); - -#define poly_ntt KYBER_NAMESPACE(poly_ntt) -void poly_ntt(poly *r); -#define poly_invntt_tomont KYBER_NAMESPACE(poly_invntt_tomont) -void poly_invntt_tomont(poly *r); -#define poly_basemul_montgomery KYBER_NAMESPACE(poly_basemul_montgomery) -void poly_basemul_montgomery(poly *r, const poly *a, const poly *b); -#define poly_tomont KYBER_NAMESPACE(poly_tomont) -void poly_tomont(poly *r); - -#define poly_reduce KYBER_NAMESPACE(poly_reduce) -void poly_reduce(poly *r); - -#define poly_add KYBER_NAMESPACE(poly_add) -void poly_add(poly *r, const poly *a, const poly *b); -#define poly_sub KYBER_NAMESPACE(poly_sub) -void poly_sub(poly *r, const poly *a, const poly *b); - -#endif diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/polyvec.c b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/polyvec.c deleted file mode 100644 index 8420d069c..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/polyvec.c +++ /dev/null @@ -1,233 +0,0 @@ -#include <stdint.h> -#include "params.h" -#include "poly.h" -#include "polyvec.h" - -/************************************************* -* Name: polyvec_compress -* -* Description: Compress and serialize vector of polynomials -* -* Arguments: - uint8_t *r: pointer to output byte array -* (needs space for KYBER_POLYVECCOMPRESSEDBYTES) -* - const polyvec *a: pointer to input vector of polynomials -**************************************************/ -void polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], const polyvec *a) -{ - unsigned int i,j,k; - -#if (KYBER_POLYVECCOMPRESSEDBYTES == (KYBER_K * 352)) - uint16_t t[8]; - for(i=0;i<KYBER_K;i++) { - for(j=0;j<KYBER_N/8;j++) { - for(k=0;k<8;k++) { - t[k] = a->vec[i].coeffs[8*j+k]; - t[k] += ((int16_t)t[k] >> 15) & KYBER_Q; - t[k] = ((((uint32_t)t[k] << 11) + KYBER_Q/2)/KYBER_Q) & 0x7ff; - } - - r[ 0] = (t[0] >> 0); - r[ 1] = (t[0] >> 8) | (t[1] << 3); - r[ 2] = (t[1] >> 5) | (t[2] << 6); - r[ 3] = (t[2] >> 2); - r[ 4] = (t[2] >> 10) | (t[3] << 1); - r[ 5] = (t[3] >> 7) | (t[4] << 4); - r[ 6] = (t[4] >> 4) | (t[5] << 7); - r[ 7] = (t[5] >> 1); - r[ 8] = (t[5] >> 9) | (t[6] << 2); - r[ 9] = (t[6] >> 6) | (t[7] << 5); - r[10] = (t[7] >> 3); - r += 11; - } - } -#elif (KYBER_POLYVECCOMPRESSEDBYTES == (KYBER_K * 320)) - uint16_t t[4]; - for(i=0;i<KYBER_K;i++) { - for(j=0;j<KYBER_N/4;j++) { - for(k=0;k<4;k++) { - t[k] = a->vec[i].coeffs[4*j+k]; - t[k] += ((int16_t)t[k] >> 15) & KYBER_Q; - t[k] = ((((uint32_t)t[k] << 10) + KYBER_Q/2)/ KYBER_Q) & 0x3ff; - } - - r[0] = (t[0] >> 0); - r[1] = (t[0] >> 8) | (t[1] << 2); - r[2] = (t[1] >> 6) | (t[2] << 4); - r[3] = (t[2] >> 4) | (t[3] << 6); - r[4] = (t[3] >> 2); - r += 5; - } - } -#else -#error "KYBER_POLYVECCOMPRESSEDBYTES needs to be in {320*KYBER_K, 352*KYBER_K}" -#endif -} - -/************************************************* -* Name: polyvec_decompress -* -* Description: De-serialize and decompress vector of polynomials; -* approximate inverse of polyvec_compress -* -* Arguments: - polyvec *r: pointer to output vector of polynomials -* - const uint8_t *a: pointer to input byte array -* (of length KYBER_POLYVECCOMPRESSEDBYTES) -**************************************************/ -void polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]) -{ - unsigned int i,j,k; - -#if (KYBER_POLYVECCOMPRESSEDBYTES == (KYBER_K * 352)) - uint16_t t[8]; - for(i=0;i<KYBER_K;i++) { - for(j=0;j<KYBER_N/8;j++) { - t[0] = (a[0] >> 0) | ((uint16_t)a[ 1] << 8); - t[1] = (a[1] >> 3) | ((uint16_t)a[ 2] << 5); - t[2] = (a[2] >> 6) | ((uint16_t)a[ 3] << 2) | ((uint16_t)a[4] << 10); - t[3] = (a[4] >> 1) | ((uint16_t)a[ 5] << 7); - t[4] = (a[5] >> 4) | ((uint16_t)a[ 6] << 4); - t[5] = (a[6] >> 7) | ((uint16_t)a[ 7] << 1) | ((uint16_t)a[8] << 9); - t[6] = (a[8] >> 2) | ((uint16_t)a[ 9] << 6); - t[7] = (a[9] >> 5) | ((uint16_t)a[10] << 3); - a += 11; - - for(k=0;k<8;k++) - r->vec[i].coeffs[8*j+k] = ((uint32_t)(t[k] & 0x7FF)*KYBER_Q + 1024) >> 11; - } - } -#elif (KYBER_POLYVECCOMPRESSEDBYTES == (KYBER_K * 320)) - uint16_t t[4]; - for(i=0;i<KYBER_K;i++) { - for(j=0;j<KYBER_N/4;j++) { - t[0] = (a[0] >> 0) | ((uint16_t)a[1] << 8); - t[1] = (a[1] >> 2) | ((uint16_t)a[2] << 6); - t[2] = (a[2] >> 4) | ((uint16_t)a[3] << 4); - t[3] = (a[3] >> 6) | ((uint16_t)a[4] << 2); - a += 5; - - for(k=0;k<4;k++) - r->vec[i].coeffs[4*j+k] = ((uint32_t)(t[k] & 0x3FF)*KYBER_Q + 512) >> 10; - } - } -#else -#error "KYBER_POLYVECCOMPRESSEDBYTES needs to be in {320*KYBER_K, 352*KYBER_K}" -#endif -} - -/************************************************* -* Name: polyvec_tobytes -* -* Description: Serialize vector of polynomials -* -* Arguments: - uint8_t *r: pointer to output byte array -* (needs space for KYBER_POLYVECBYTES) -* - const polyvec *a: pointer to input vector of polynomials -**************************************************/ -void polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], const polyvec *a) -{ - unsigned int i; - for(i=0;i<KYBER_K;i++) - poly_tobytes(r+i*KYBER_POLYBYTES, &a->vec[i]); -} - -/************************************************* -* Name: polyvec_frombytes -* -* Description: De-serialize vector of polynomials; -* inverse of polyvec_tobytes -* -* Arguments: - uint8_t *r: pointer to output byte array -* - const polyvec *a: pointer to input vector of polynomials -* (of length KYBER_POLYVECBYTES) -**************************************************/ -void polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]) -{ - unsigned int i; - for(i=0;i<KYBER_K;i++) - poly_frombytes(&r->vec[i], a+i*KYBER_POLYBYTES); -} - -/************************************************* -* Name: polyvec_ntt -* -* Description: Apply forward NTT to all elements of a vector of polynomials -* -* Arguments: - polyvec *r: pointer to in/output vector of polynomials -**************************************************/ -void polyvec_ntt(polyvec *r) -{ - unsigned int i; - for(i=0;i<KYBER_K;i++) - poly_ntt(&r->vec[i]); -} - -/************************************************* -* Name: polyvec_invntt_tomont -* -* Description: Apply inverse NTT to all elements of a vector of polynomials -* and multiply by Montgomery factor 2^16 -* -* Arguments: - polyvec *r: pointer to in/output vector of polynomials -**************************************************/ -void polyvec_invntt_tomont(polyvec *r) -{ - unsigned int i; - for(i=0;i<KYBER_K;i++) - poly_invntt_tomont(&r->vec[i]); -} - -/************************************************* -* Name: polyvec_basemul_acc_montgomery -* -* Description: Multiply elements of a and b in NTT domain, accumulate into r, -* and multiply by 2^-16. -* -* Arguments: - poly *r: pointer to output polynomial -* - const polyvec *a: pointer to first input vector of polynomials -* - const polyvec *b: pointer to second input vector of polynomials -**************************************************/ -void polyvec_basemul_acc_montgomery(poly *r, const polyvec *a, const polyvec *b) -{ - unsigned int i; - poly t; - - poly_basemul_montgomery(r, &a->vec[0], &b->vec[0]); - for(i=1;i<KYBER_K;i++) { - poly_basemul_montgomery(&t, &a->vec[i], &b->vec[i]); - poly_add(r, r, &t); - } - - poly_reduce(r); -} - -/************************************************* -* Name: polyvec_reduce -* -* Description: Applies Barrett reduction to each coefficient -* of each element of a vector of polynomials; -* for details of the Barrett reduction see comments in reduce.c -* -* Arguments: - polyvec *r: pointer to input/output polynomial -**************************************************/ -void polyvec_reduce(polyvec *r) -{ - unsigned int i; - for(i=0;i<KYBER_K;i++) - poly_reduce(&r->vec[i]); -} - -/************************************************* -* Name: polyvec_add -* -* Description: Add vectors of polynomials -* -* Arguments: - polyvec *r: pointer to output vector of polynomials -* - const polyvec *a: pointer to first input vector of polynomials -* - const polyvec *b: pointer to second input vector of polynomials -**************************************************/ -void polyvec_add(polyvec *r, const polyvec *a, const polyvec *b) -{ - unsigned int i; - for(i=0;i<KYBER_K;i++) - poly_add(&r->vec[i], &a->vec[i], &b->vec[i]); -} diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/polyvec.h b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/polyvec.h deleted file mode 100644 index 57b605494..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/polyvec.h +++ /dev/null @@ -1,36 +0,0 @@ -#ifndef POLYVEC_H -#define POLYVEC_H - -#include <stdint.h> -#include "params.h" -#include "poly.h" - -typedef struct{ - poly vec[KYBER_K]; -} polyvec; - -#define polyvec_compress KYBER_NAMESPACE(polyvec_compress) -void polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], const polyvec *a); -#define polyvec_decompress KYBER_NAMESPACE(polyvec_decompress) -void polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]); - -#define polyvec_tobytes KYBER_NAMESPACE(polyvec_tobytes) -void polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], const polyvec *a); -#define polyvec_frombytes KYBER_NAMESPACE(polyvec_frombytes) -void polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]); - -#define polyvec_ntt KYBER_NAMESPACE(polyvec_ntt) -void polyvec_ntt(polyvec *r); -#define polyvec_invntt_tomont KYBER_NAMESPACE(polyvec_invntt_tomont) -void polyvec_invntt_tomont(polyvec *r); - -#define polyvec_basemul_acc_montgomery KYBER_NAMESPACE(polyvec_basemul_acc_montgomery) -void polyvec_basemul_acc_montgomery(poly *r, const polyvec *a, const polyvec *b); - -#define polyvec_reduce KYBER_NAMESPACE(polyvec_reduce) -void polyvec_reduce(polyvec *r); - -#define polyvec_add KYBER_NAMESPACE(polyvec_add) -void polyvec_add(polyvec *r, const polyvec *a, const polyvec *b); - -#endif diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/pqcrystals-kyber_kyber1024_ref.gyp b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/pqcrystals-kyber_kyber1024_ref.gyp deleted file mode 100644 index 917954f69..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/pqcrystals-kyber_kyber1024_ref.gyp +++ /dev/null @@ -1,41 +0,0 @@ -# DO NOT EDIT: generated from subdir.gyp.template -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. -{ - 'includes': [ - '../../../../../../coreconf/config.gypi' - ], - 'targets': [ - { - 'target_name': 'oqs_src_kem_kyber_pqcrystals-kyber_kyber1024_ref', - 'type': 'static_library', - 'sources': [ - 'cbd.c', - 'indcpa.c', - 'kem.c', - 'ntt.c', - 'poly.c', - 'polyvec.c', - 'reduce.c', - 'symmetric-shake.c', - 'verify.c', - ], - 'dependencies': [ - '<(DEPTH)/exports.gyp:nss_exports' - ] - } - ], - 'target_defaults': { - 'defines': [ - 'KYBER_K=4', - ], - 'include_dirs': [ - '<(DEPTH)/lib/liboqs/src/common/pqclean_shims', - '<(DEPTH)/lib/liboqs/src/common/sha3/xkcp_low/KeccakP-1600/plain-64bits', - ] - }, - 'variables': { - 'module': 'oqs' - } -} diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/reduce.c b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/reduce.c deleted file mode 100644 index 9d8e7edf8..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/reduce.c +++ /dev/null @@ -1,42 +0,0 @@ -#include <stdint.h> -#include "params.h" -#include "reduce.h" - -/************************************************* -* Name: montgomery_reduce -* -* Description: Montgomery reduction; given a 32-bit integer a, computes -* 16-bit integer congruent to a * R^-1 mod q, where R=2^16 -* -* Arguments: - int32_t a: input integer to be reduced; -* has to be in {-q2^15,...,q2^15-1} -* -* Returns: integer in {-q+1,...,q-1} congruent to a * R^-1 modulo q. -**************************************************/ -int16_t montgomery_reduce(int32_t a) -{ - int16_t t; - - t = (int16_t)a*QINV; - t = (a - (int32_t)t*KYBER_Q) >> 16; - return t; -} - -/************************************************* -* Name: barrett_reduce -* -* Description: Barrett reduction; given a 16-bit integer a, computes -* centered representative congruent to a mod q in {-(q-1)/2,...,(q-1)/2} -* -* Arguments: - int16_t a: input integer to be reduced -* -* Returns: integer in {-(q-1)/2,...,(q-1)/2} congruent to a modulo q. -**************************************************/ -int16_t barrett_reduce(int16_t a) { - int16_t t; - const int16_t v = ((1<<26) + KYBER_Q/2)/KYBER_Q; - - t = ((int32_t)v*a + (1<<25)) >> 26; - t *= KYBER_Q; - return a - t; -} diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/reduce.h b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/reduce.h deleted file mode 100644 index c1bc1e4c7..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/reduce.h +++ /dev/null @@ -1,16 +0,0 @@ -#ifndef REDUCE_H -#define REDUCE_H - -#include <stdint.h> -#include "params.h" - -#define MONT -1044 // 2^16 mod q -#define QINV -3327 // q^-1 mod 2^16 - -#define montgomery_reduce KYBER_NAMESPACE(montgomery_reduce) -int16_t montgomery_reduce(int32_t a); - -#define barrett_reduce KYBER_NAMESPACE(barrett_reduce) -int16_t barrett_reduce(int16_t a); - -#endif diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/symmetric-shake.c b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/symmetric-shake.c deleted file mode 100644 index 2317c0627..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/symmetric-shake.c +++ /dev/null @@ -1,51 +0,0 @@ -#include <stddef.h> -#include <stdint.h> -#include <string.h> -#include "params.h" -#include "symmetric.h" -#include "fips202.h" - -/************************************************* -* Name: kyber_shake128_absorb -* -* Description: Absorb step of the SHAKE128 specialized for the Kyber context. -* -* Arguments: - keccak_state *state: pointer to (uninitialized) output Keccak state -* - const uint8_t *seed: pointer to KYBER_SYMBYTES input to be absorbed into state -* - uint8_t i: additional byte of input -* - uint8_t j: additional byte of input -**************************************************/ -void kyber_shake128_absorb(shake128incctx *state, - const uint8_t seed[KYBER_SYMBYTES], - uint8_t x, - uint8_t y) -{ - uint8_t extseed[KYBER_SYMBYTES+2]; - - memcpy(extseed, seed, KYBER_SYMBYTES); - extseed[KYBER_SYMBYTES+0] = x; - extseed[KYBER_SYMBYTES+1] = y; - - shake128_absorb_once(state, extseed, sizeof(extseed)); -} - -/************************************************* -* Name: kyber_shake256_prf -* -* Description: Usage of SHAKE256 as a PRF, concatenates secret and public input -* and then generates outlen bytes of SHAKE256 output -* -* Arguments: - uint8_t *out: pointer to output -* - size_t outlen: number of requested output bytes -* - const uint8_t *key: pointer to the key (of length KYBER_SYMBYTES) -* - uint8_t nonce: single-byte nonce (public PRF input) -**************************************************/ -void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYMBYTES], uint8_t nonce) -{ - uint8_t extkey[KYBER_SYMBYTES+1]; - - memcpy(extkey, key, KYBER_SYMBYTES); - extkey[KYBER_SYMBYTES] = nonce; - - shake256(out, outlen, extkey, sizeof(extkey)); -} diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/symmetric.h b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/symmetric.h deleted file mode 100644 index 2f2fb6364..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/symmetric.h +++ /dev/null @@ -1,64 +0,0 @@ -#ifndef SYMMETRIC_H -#define SYMMETRIC_H - -#include <stddef.h> -#include <stdint.h> -#include "params.h" - -#ifdef KYBER_90S - -#include "aes256ctr.h" -#include "sha2.h" - -#if (KYBER_SSBYTES != 32) -#error "90s variant of Kyber can only generate keys of length 256 bits" -#endif - -typedef aes256ctr_ctx xof_state; - -#define kyber_aes256xof_absorb KYBER_NAMESPACE(kyber_aes256xof_absorb) -void kyber_aes256xof_absorb(aes256ctr_ctx *state, const uint8_t seed[32], uint8_t x, uint8_t y); - -#define kyber_aes256ctr_prf KYBER_NAMESPACE(kyber_aes256ctr_prf) -void kyber_aes256ctr_prf(uint8_t *out, size_t outlen, const uint8_t key[32], uint8_t nonce); - -#define XOF_BLOCKBYTES AES256CTR_BLOCKBYTES - -#define hash_h(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES) -#define hash_g(OUT, IN, INBYTES) sha512(OUT, IN, INBYTES) -#define xof_init(STATE, SEED) aes256ctr_init_key(STATE, SEED) -#define xof_absorb(STATE, SEED, X, Y) kyber_aes256xof_absorb(STATE, SEED, X, Y) -#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE) -#define xof_release(STATE) aes256_ctx_release(STATE) -#define prf(OUT, OUTBYTES, KEY, NONCE) kyber_aes256ctr_prf(OUT, OUTBYTES, KEY, NONCE) -#define kdf(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES) - -#else - -#include "fips202.h" - -typedef shake128incctx xof_state; - -#define kyber_shake128_absorb KYBER_NAMESPACE(kyber_shake128_absorb) -void kyber_shake128_absorb(shake128incctx *s, - const uint8_t seed[KYBER_SYMBYTES], - uint8_t x, - uint8_t y); - -#define kyber_shake256_prf KYBER_NAMESPACE(kyber_shake256_prf) -void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYMBYTES], uint8_t nonce); - -#define XOF_BLOCKBYTES SHAKE128_RATE - -#define hash_h(OUT, IN, INBYTES) sha3_256(OUT, IN, INBYTES) -#define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES) -#define xof_init(STATE, SEED) shake128_inc_init(STATE) -#define xof_absorb(STATE, SEED, X, Y) kyber_shake128_absorb(STATE, SEED, X, Y) -#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE) -#define xof_release(STATE) shake128_inc_ctx_release(STATE) -#define prf(OUT, OUTBYTES, KEY, NONCE) kyber_shake256_prf(OUT, OUTBYTES, KEY, NONCE) -#define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES) - -#endif /* KYBER_90S */ - -#endif /* SYMMETRIC_H */ diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/verify.c b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/verify.c deleted file mode 100644 index ed4a6541f..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/verify.c +++ /dev/null @@ -1,47 +0,0 @@ -#include <stddef.h> -#include <stdint.h> -#include "verify.h" - -/************************************************* -* Name: verify -* -* Description: Compare two arrays for equality in constant time. -* -* Arguments: const uint8_t *a: pointer to first byte array -* const uint8_t *b: pointer to second byte array -* size_t len: length of the byte arrays -* -* Returns 0 if the byte arrays are equal, 1 otherwise -**************************************************/ -int verify(const uint8_t *a, const uint8_t *b, size_t len) -{ - size_t i; - uint8_t r = 0; - - for(i=0;i<len;i++) - r |= a[i] ^ b[i]; - - return (-(uint64_t)r) >> 63; -} - -/************************************************* -* Name: cmov -* -* Description: Copy len bytes from x to r if b is 1; -* don't modify x if b is 0. Requires b to be in {0,1}; -* assumes two's complement representation of negative integers. -* Runs in constant time. -* -* Arguments: uint8_t *r: pointer to output byte array -* const uint8_t *x: pointer to input byte array -* size_t len: Amount of bytes to be copied -* uint8_t b: Condition bit; has to be in {0,1} -**************************************************/ -void cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b) -{ - size_t i; - - b = -b; - for(i=0;i<len;i++) - r[i] ^= b & (r[i] ^ x[i]); -} diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/verify.h b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/verify.h deleted file mode 100644 index f95ac1b84..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/verify.h +++ /dev/null @@ -1,14 +0,0 @@ -#ifndef VERIFY_H -#define VERIFY_H - -#include <stddef.h> -#include <stdint.h> -#include "params.h" - -#define verify KYBER_NAMESPACE(verify) -int verify(const uint8_t *a, const uint8_t *b, size_t len); - -#define cmov KYBER_NAMESPACE(cmov) -void cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b); - -#endif diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/Makefile b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/Makefile deleted file mode 100644 index fe090f3ff..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/Makefile +++ /dev/null @@ -1,49 +0,0 @@ -#! gmake -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -####################################################################### -# (1) Include initial platform-independent assignments (MANDATORY). # -####################################################################### - -include manifest.mn - -####################################################################### -# (2) Include "global" configuration information. (OPTIONAL) # -####################################################################### - -USE_GCOV = -include $(CORE_DEPTH)/coreconf/config.mk - -####################################################################### -# (3) Include "component" configuration information. (OPTIONAL) # -####################################################################### - - - -####################################################################### -# (4) Include "local" platform-dependent assignments (OPTIONAL). # -####################################################################### - -include config.mk - -####################################################################### -# (5) Execute "global" rules. (OPTIONAL) # -####################################################################### - -include $(CORE_DEPTH)/coreconf/rules.mk - -####################################################################### -# (6) Execute "component" rules. (OPTIONAL) # -####################################################################### - - - -####################################################################### -# (7) Execute "local" rules. (OPTIONAL). # -####################################################################### - -WARNING_CFLAGS = $(NULL) - diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/api.h b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/api.h deleted file mode 100644 index b34eab970..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/api.h +++ /dev/null @@ -1,75 +0,0 @@ -#ifndef API_H -#define API_H - -#include <stdint.h> - -#define pqcrystals_kyber512_SECRETKEYBYTES 1632 -#define pqcrystals_kyber512_PUBLICKEYBYTES 800 -#define pqcrystals_kyber512_CIPHERTEXTBYTES 768 -#define pqcrystals_kyber512_BYTES 32 - -#define pqcrystals_kyber512_ref_SECRETKEYBYTES pqcrystals_kyber512_SECRETKEYBYTES -#define pqcrystals_kyber512_ref_PUBLICKEYBYTES pqcrystals_kyber512_PUBLICKEYBYTES -#define pqcrystals_kyber512_ref_CIPHERTEXTBYTES pqcrystals_kyber512_CIPHERTEXTBYTES -#define pqcrystals_kyber512_ref_BYTES pqcrystals_kyber512_BYTES - -int pqcrystals_kyber512_ref_keypair(uint8_t *pk, uint8_t *sk); -int pqcrystals_kyber512_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); -int pqcrystals_kyber512_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - -#define pqcrystals_kyber512_90s_ref_SECRETKEYBYTES pqcrystals_kyber512_SECRETKEYBYTES -#define pqcrystals_kyber512_90s_ref_PUBLICKEYBYTES pqcrystals_kyber512_PUBLICKEYBYTES -#define pqcrystals_kyber512_90s_ref_CIPHERTEXTBYTES pqcrystals_kyber512_CIPHERTEXTBYTES -#define pqcrystals_kyber512_90s_ref_BYTES pqcrystals_kyber512_BYTES - -int pqcrystals_kyber512_90s_ref_keypair(uint8_t *pk, uint8_t *sk); -int pqcrystals_kyber512_90s_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); -int pqcrystals_kyber512_90s_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - -#define pqcrystals_kyber768_SECRETKEYBYTES 2400 -#define pqcrystals_kyber768_PUBLICKEYBYTES 1184 -#define pqcrystals_kyber768_CIPHERTEXTBYTES 1088 -#define pqcrystals_kyber768_BYTES 32 - -#define pqcrystals_kyber768_ref_SECRETKEYBYTES pqcrystals_kyber768_SECRETKEYBYTES -#define pqcrystals_kyber768_ref_PUBLICKEYBYTES pqcrystals_kyber768_PUBLICKEYBYTES -#define pqcrystals_kyber768_ref_CIPHERTEXTBYTES pqcrystals_kyber768_CIPHERTEXTBYTES -#define pqcrystals_kyber768_ref_BYTES pqcrystals_kyber768_BYTES - -int pqcrystals_kyber768_ref_keypair(uint8_t *pk, uint8_t *sk); -int pqcrystals_kyber768_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); -int pqcrystals_kyber768_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - -#define pqcrystals_kyber768_90s_ref_SECRETKEYBYTES pqcrystals_kyber768_SECRETKEYBYTES -#define pqcrystals_kyber768_90s_ref_PUBLICKEYBYTES pqcrystals_kyber768_PUBLICKEYBYTES -#define pqcrystals_kyber768_90s_ref_CIPHERTEXTBYTES pqcrystals_kyber768_CIPHERTEXTBYTES -#define pqcrystals_kyber768_90s_ref_BYTES pqcrystals_kyber768_BYTES - -int pqcrystals_kyber768_90s_ref_keypair(uint8_t *pk, uint8_t *sk); -int pqcrystals_kyber768_90s_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); -int pqcrystals_kyber768_90s_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - -#define pqcrystals_kyber1024_SECRETKEYBYTES 3168 -#define pqcrystals_kyber1024_PUBLICKEYBYTES 1568 -#define pqcrystals_kyber1024_CIPHERTEXTBYTES 1568 -#define pqcrystals_kyber1024_BYTES 32 - -#define pqcrystals_kyber1024_ref_SECRETKEYBYTES pqcrystals_kyber1024_SECRETKEYBYTES -#define pqcrystals_kyber1024_ref_PUBLICKEYBYTES pqcrystals_kyber1024_PUBLICKEYBYTES -#define pqcrystals_kyber1024_ref_CIPHERTEXTBYTES pqcrystals_kyber1024_CIPHERTEXTBYTES -#define pqcrystals_kyber1024_ref_BYTES pqcrystals_kyber1024_BYTES - -int pqcrystals_kyber1024_ref_keypair(uint8_t *pk, uint8_t *sk); -int pqcrystals_kyber1024_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); -int pqcrystals_kyber1024_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - -#define pqcrystals_kyber1024_90s_ref_SECRETKEYBYTES pqcrystals_kyber1024_SECRETKEYBYTES -#define pqcrystals_kyber1024_90s_ref_PUBLICKEYBYTES pqcrystals_kyber1024_PUBLICKEYBYTES -#define pqcrystals_kyber1024_90s_ref_CIPHERTEXTBYTES pqcrystals_kyber1024_CIPHERTEXTBYTES -#define pqcrystals_kyber1024_90s_ref_BYTES pqcrystals_kyber1024_BYTES - -int pqcrystals_kyber1024_90s_ref_keypair(uint8_t *pk, uint8_t *sk); -int pqcrystals_kyber1024_90s_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); -int pqcrystals_kyber1024_90s_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - -#endif diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/cbd.c b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/cbd.c deleted file mode 100644 index 1500ffea5..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/cbd.c +++ /dev/null @@ -1,128 +0,0 @@ -#include <stdint.h> -#include "params.h" -#include "cbd.h" - -/************************************************* -* Name: load32_littleendian -* -* Description: load 4 bytes into a 32-bit integer -* in little-endian order -* -* Arguments: - const uint8_t *x: pointer to input byte array -* -* Returns 32-bit unsigned integer loaded from x -**************************************************/ -static uint32_t load32_littleendian(const uint8_t x[4]) -{ - uint32_t r; - r = (uint32_t)x[0]; - r |= (uint32_t)x[1] << 8; - r |= (uint32_t)x[2] << 16; - r |= (uint32_t)x[3] << 24; - return r; -} - -/************************************************* -* Name: load24_littleendian -* -* Description: load 3 bytes into a 32-bit integer -* in little-endian order. -* This function is only needed for Kyber-512 -* -* Arguments: - const uint8_t *x: pointer to input byte array -* -* Returns 32-bit unsigned integer loaded from x (most significant byte is zero) -**************************************************/ -#if KYBER_ETA1 == 3 -static uint32_t load24_littleendian(const uint8_t x[3]) -{ - uint32_t r; - r = (uint32_t)x[0]; - r |= (uint32_t)x[1] << 8; - r |= (uint32_t)x[2] << 16; - return r; -} -#endif - - -/************************************************* -* Name: cbd2 -* -* Description: Given an array of uniformly random bytes, compute -* polynomial with coefficients distributed according to -* a centered binomial distribution with parameter eta=2 -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *buf: pointer to input byte array -**************************************************/ -static void cbd2(poly *r, const uint8_t buf[2*KYBER_N/4]) -{ - unsigned int i,j; - uint32_t t,d; - int16_t a,b; - - for(i=0;i<KYBER_N/8;i++) { - t = load32_littleendian(buf+4*i); - d = t & 0x55555555; - d += (t>>1) & 0x55555555; - - for(j=0;j<8;j++) { - a = (d >> (4*j+0)) & 0x3; - b = (d >> (4*j+2)) & 0x3; - r->coeffs[8*i+j] = a - b; - } - } -} - -/************************************************* -* Name: cbd3 -* -* Description: Given an array of uniformly random bytes, compute -* polynomial with coefficients distributed according to -* a centered binomial distribution with parameter eta=3. -* This function is only needed for Kyber-512 -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *buf: pointer to input byte array -**************************************************/ -#if KYBER_ETA1 == 3 -static void cbd3(poly *r, const uint8_t buf[3*KYBER_N/4]) -{ - unsigned int i,j; - uint32_t t,d; - int16_t a,b; - - for(i=0;i<KYBER_N/4;i++) { - t = load24_littleendian(buf+3*i); - d = t & 0x00249249; - d += (t>>1) & 0x00249249; - d += (t>>2) & 0x00249249; - - for(j=0;j<4;j++) { - a = (d >> (6*j+0)) & 0x7; - b = (d >> (6*j+3)) & 0x7; - r->coeffs[4*i+j] = a - b; - } - } -} -#endif - -void poly_cbd_eta1(poly *r, const uint8_t buf[KYBER_ETA1*KYBER_N/4]) -{ -#if KYBER_ETA1 == 2 - cbd2(r, buf); -#elif KYBER_ETA1 == 3 - cbd3(r, buf); -#else -#error "This implementation requires eta1 in {2,3}" -#endif -} - -void poly_cbd_eta2(poly *r, const uint8_t buf[KYBER_ETA2*KYBER_N/4]) -{ -#if KYBER_ETA2 == 2 - cbd2(r, buf); -#else -#error "This implementation requires eta2 = 2" -#endif -} diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/cbd.h b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/cbd.h deleted file mode 100644 index 7b677d745..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/cbd.h +++ /dev/null @@ -1,14 +0,0 @@ -#ifndef CBD_H -#define CBD_H - -#include <stdint.h> -#include "params.h" -#include "poly.h" - -#define poly_cbd_eta1 KYBER_NAMESPACE(poly_cbd_eta1) -void poly_cbd_eta1(poly *r, const uint8_t buf[KYBER_ETA1*KYBER_N/4]); - -#define poly_cbd_eta2 KYBER_NAMESPACE(poly_cbd_eta2) -void poly_cbd_eta2(poly *r, const uint8_t buf[KYBER_ETA2*KYBER_N/4]); - -#endif diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/config.mk b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/config.mk deleted file mode 100644 index 5d0f71e3e..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/config.mk +++ /dev/null @@ -1,12 +0,0 @@ -# DO NOT EDIT: generated from config.mk.subdirs.template -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -# add fixes for platform integration issues here. -# -# liboqs programs expect the public include files to be in oqs/xxxx, -# So we put liboqs in it's own module, oqs, and point to the dist files -INCLUDES += -I$(CORE_DEPTH)/lib/liboqs/src/common/pqclean_shims -I$(CORE_DEPTH)/lib/liboqs/src/common/sha3/xkcp_low/KeccakP-1600/plain-64bits -DEFINES += -DKYBER_K=2 diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/indcpa.c b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/indcpa.c deleted file mode 100644 index f0129aa04..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/indcpa.c +++ /dev/null @@ -1,331 +0,0 @@ -#include <stddef.h> -#include <stdint.h> -#include "params.h" -#include "indcpa.h" -#include "polyvec.h" -#include "poly.h" -#include "ntt.h" -#include "symmetric.h" -#include "randombytes.h" - -/************************************************* -* Name: pack_pk -* -* Description: Serialize the public key as concatenation of the -* serialized vector of polynomials pk -* and the public seed used to generate the matrix A. -* -* Arguments: uint8_t *r: pointer to the output serialized public key -* polyvec *pk: pointer to the input public-key polyvec -* const uint8_t *seed: pointer to the input public seed -**************************************************/ -static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES], - polyvec *pk, - const uint8_t seed[KYBER_SYMBYTES]) -{ - size_t i; - polyvec_tobytes(r, pk); - for(i=0;i<KYBER_SYMBYTES;i++) - r[i+KYBER_POLYVECBYTES] = seed[i]; -} - -/************************************************* -* Name: unpack_pk -* -* Description: De-serialize public key from a byte array; -* approximate inverse of pack_pk -* -* Arguments: - polyvec *pk: pointer to output public-key polynomial vector -* - uint8_t *seed: pointer to output seed to generate matrix A -* - const uint8_t *packedpk: pointer to input serialized public key -**************************************************/ -static void unpack_pk(polyvec *pk, - uint8_t seed[KYBER_SYMBYTES], - const uint8_t packedpk[KYBER_INDCPA_PUBLICKEYBYTES]) -{ - size_t i; - polyvec_frombytes(pk, packedpk); - for(i=0;i<KYBER_SYMBYTES;i++) - seed[i] = packedpk[i+KYBER_POLYVECBYTES]; -} - -/************************************************* -* Name: pack_sk -* -* Description: Serialize the secret key -* -* Arguments: - uint8_t *r: pointer to output serialized secret key -* - polyvec *sk: pointer to input vector of polynomials (secret key) -**************************************************/ -static void pack_sk(uint8_t r[KYBER_INDCPA_SECRETKEYBYTES], polyvec *sk) -{ - polyvec_tobytes(r, sk); -} - -/************************************************* -* Name: unpack_sk -* -* Description: De-serialize the secret key; inverse of pack_sk -* -* Arguments: - polyvec *sk: pointer to output vector of polynomials (secret key) -* - const uint8_t *packedsk: pointer to input serialized secret key -**************************************************/ -static void unpack_sk(polyvec *sk, const uint8_t packedsk[KYBER_INDCPA_SECRETKEYBYTES]) -{ - polyvec_frombytes(sk, packedsk); -} - -/************************************************* -* Name: pack_ciphertext -* -* Description: Serialize the ciphertext as concatenation of the -* compressed and serialized vector of polynomials b -* and the compressed and serialized polynomial v -* -* Arguments: uint8_t *r: pointer to the output serialized ciphertext -* poly *pk: pointer to the input vector of polynomials b -* poly *v: pointer to the input polynomial v -**************************************************/ -static void pack_ciphertext(uint8_t r[KYBER_INDCPA_BYTES], polyvec *b, poly *v) -{ - polyvec_compress(r, b); - poly_compress(r+KYBER_POLYVECCOMPRESSEDBYTES, v); -} - -/************************************************* -* Name: unpack_ciphertext -* -* Description: De-serialize and decompress ciphertext from a byte array; -* approximate inverse of pack_ciphertext -* -* Arguments: - polyvec *b: pointer to the output vector of polynomials b -* - poly *v: pointer to the output polynomial v -* - const uint8_t *c: pointer to the input serialized ciphertext -**************************************************/ -static void unpack_ciphertext(polyvec *b, poly *v, const uint8_t c[KYBER_INDCPA_BYTES]) -{ - polyvec_decompress(b, c); - poly_decompress(v, c+KYBER_POLYVECCOMPRESSEDBYTES); -} - -/************************************************* -* Name: rej_uniform -* -* Description: Run rejection sampling on uniform random bytes to generate -* uniform random integers mod q -* -* Arguments: - int16_t *r: pointer to output buffer -* - unsigned int len: requested number of 16-bit integers (uniform mod q) -* - const uint8_t *buf: pointer to input buffer (assumed to be uniformly random bytes) -* - unsigned int buflen: length of input buffer in bytes -* -* Returns number of sampled 16-bit integers (at most len) -**************************************************/ -static unsigned int rej_uniform(int16_t *r, - unsigned int len, - const uint8_t *buf, - unsigned int buflen) -{ - unsigned int ctr, pos; - uint16_t val0, val1; - - ctr = pos = 0; - while(ctr < len && pos + 3 <= buflen) { - val0 = ((buf[pos+0] >> 0) | ((uint16_t)buf[pos+1] << 8)) & 0xFFF; - val1 = ((buf[pos+1] >> 4) | ((uint16_t)buf[pos+2] << 4)) & 0xFFF; - pos += 3; - - if(val0 < KYBER_Q) - r[ctr++] = val0; - if(ctr < len && val1 < KYBER_Q) - r[ctr++] = val1; - } - - return ctr; -} - -#define gen_a(A,B) gen_matrix(A,B,0) -#define gen_at(A,B) gen_matrix(A,B,1) - -/************************************************* -* Name: gen_matrix -* -* Description: Deterministically generate matrix A (or the transpose of A) -* from a seed. Entries of the matrix are polynomials that look -* uniformly random. Performs rejection sampling on output of -* a XOF -* -* Arguments: - polyvec *a: pointer to ouptput matrix A -* - const uint8_t *seed: pointer to input seed -* - int transposed: boolean deciding whether A or A^T is generated -**************************************************/ -#define GEN_MATRIX_NBLOCKS ((12*KYBER_N/8*(1 << 12)/KYBER_Q + XOF_BLOCKBYTES)/XOF_BLOCKBYTES) -// Not static for benchmarking -void gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed) -{ - unsigned int ctr, i, j, k; - unsigned int buflen, off; - uint8_t buf[GEN_MATRIX_NBLOCKS*XOF_BLOCKBYTES+2]; - xof_state state; - xof_init(&state, seed); - - for(i=0;i<KYBER_K;i++) { - for(j=0;j<KYBER_K;j++) { - if(transposed) - xof_absorb(&state, seed, i, j); - else - xof_absorb(&state, seed, j, i); - - xof_squeezeblocks(buf, GEN_MATRIX_NBLOCKS, &state); - buflen = GEN_MATRIX_NBLOCKS*XOF_BLOCKBYTES; - ctr = rej_uniform(a[i].vec[j].coeffs, KYBER_N, buf, buflen); - - while(ctr < KYBER_N) { - off = buflen % 3; - for(k = 0; k < off; k++) - buf[k] = buf[buflen - off + k]; - xof_squeezeblocks(buf + off, 1, &state); - buflen = off + XOF_BLOCKBYTES; - ctr += rej_uniform(a[i].vec[j].coeffs + ctr, KYBER_N - ctr, buf, buflen); - } - } - } - xof_release(&state); -} - -/************************************************* -* Name: indcpa_keypair -* -* Description: Generates public and private key for the CPA-secure -* public-key encryption scheme underlying Kyber -* -* Arguments: - uint8_t *pk: pointer to output public key -* (of length KYBER_INDCPA_PUBLICKEYBYTES bytes) -* - uint8_t *sk: pointer to output private key - (of length KYBER_INDCPA_SECRETKEYBYTES bytes) -**************************************************/ -void indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], - uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]) -{ - unsigned int i; - uint8_t buf[2*KYBER_SYMBYTES]; - const uint8_t *publicseed = buf; - const uint8_t *noiseseed = buf+KYBER_SYMBYTES; - uint8_t nonce = 0; - polyvec a[KYBER_K], e, pkpv, skpv; - - randombytes(buf, KYBER_SYMBYTES); - hash_g(buf, buf, KYBER_SYMBYTES); - - gen_a(a, publicseed); - - for(i=0;i<KYBER_K;i++) - poly_getnoise_eta1(&skpv.vec[i], noiseseed, nonce++); - for(i=0;i<KYBER_K;i++) - poly_getnoise_eta1(&e.vec[i], noiseseed, nonce++); - - polyvec_ntt(&skpv); - polyvec_ntt(&e); - - // matrix-vector multiplication - for(i=0;i<KYBER_K;i++) { - polyvec_basemul_acc_montgomery(&pkpv.vec[i], &a[i], &skpv); - poly_tomont(&pkpv.vec[i]); - } - - polyvec_add(&pkpv, &pkpv, &e); - polyvec_reduce(&pkpv); - - pack_sk(sk, &skpv); - pack_pk(pk, &pkpv, publicseed); -} - -/************************************************* -* Name: indcpa_enc -* -* Description: Encryption function of the CPA-secure -* public-key encryption scheme underlying Kyber. -* -* Arguments: - uint8_t *c: pointer to output ciphertext -* (of length KYBER_INDCPA_BYTES bytes) -* - const uint8_t *m: pointer to input message -* (of length KYBER_INDCPA_MSGBYTES bytes) -* - const uint8_t *pk: pointer to input public key -* (of length KYBER_INDCPA_PUBLICKEYBYTES) -* - const uint8_t *coins: pointer to input random coins used as seed -* (of length KYBER_SYMBYTES) to deterministically -* generate all randomness -**************************************************/ -void indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], - const uint8_t m[KYBER_INDCPA_MSGBYTES], - const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], - const uint8_t coins[KYBER_SYMBYTES]) -{ - unsigned int i; - uint8_t seed[KYBER_SYMBYTES]; - uint8_t nonce = 0; - polyvec sp, pkpv, ep, at[KYBER_K], b; - poly v, k, epp; - - unpack_pk(&pkpv, seed, pk); - poly_frommsg(&k, m); - gen_at(at, seed); - - for(i=0;i<KYBER_K;i++) - poly_getnoise_eta1(sp.vec+i, coins, nonce++); - for(i=0;i<KYBER_K;i++) - poly_getnoise_eta2(ep.vec+i, coins, nonce++); - poly_getnoise_eta2(&epp, coins, nonce++); - - polyvec_ntt(&sp); - - // matrix-vector multiplication - for(i=0;i<KYBER_K;i++) - polyvec_basemul_acc_montgomery(&b.vec[i], &at[i], &sp); - - polyvec_basemul_acc_montgomery(&v, &pkpv, &sp); - - polyvec_invntt_tomont(&b); - poly_invntt_tomont(&v); - - polyvec_add(&b, &b, &ep); - poly_add(&v, &v, &epp); - poly_add(&v, &v, &k); - polyvec_reduce(&b); - poly_reduce(&v); - - pack_ciphertext(c, &b, &v); -} - -/************************************************* -* Name: indcpa_dec -* -* Description: Decryption function of the CPA-secure -* public-key encryption scheme underlying Kyber. -* -* Arguments: - uint8_t *m: pointer to output decrypted message -* (of length KYBER_INDCPA_MSGBYTES) -* - const uint8_t *c: pointer to input ciphertext -* (of length KYBER_INDCPA_BYTES) -* - const uint8_t *sk: pointer to input secret key -* (of length KYBER_INDCPA_SECRETKEYBYTES) -**************************************************/ -void indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES], - const uint8_t c[KYBER_INDCPA_BYTES], - const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]) -{ - polyvec b, skpv; - poly v, mp; - - unpack_ciphertext(&b, &v, c); - unpack_sk(&skpv, sk); - - polyvec_ntt(&b); - polyvec_basemul_acc_montgomery(&mp, &skpv, &b); - poly_invntt_tomont(&mp); - - poly_sub(&mp, &v, &mp); - poly_reduce(&mp); - - poly_tomsg(m, &mp); -} diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/indcpa.h b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/indcpa.h deleted file mode 100644 index 57bd5ead3..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/indcpa.h +++ /dev/null @@ -1,25 +0,0 @@ -#ifndef INDCPA_H -#define INDCPA_H - -#include <stdint.h> -#include "params.h" -#include "polyvec.h" - -#define gen_matrix KYBER_NAMESPACE(gen_matrix) -void gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed); -#define indcpa_keypair KYBER_NAMESPACE(indcpa_keypair) -void indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], - uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); - -#define indcpa_enc KYBER_NAMESPACE(indcpa_enc) -void indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], - const uint8_t m[KYBER_INDCPA_MSGBYTES], - const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], - const uint8_t coins[KYBER_SYMBYTES]); - -#define indcpa_dec KYBER_NAMESPACE(indcpa_dec) -void indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES], - const uint8_t c[KYBER_INDCPA_BYTES], - const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); - -#endif diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/kem.c b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/kem.c deleted file mode 100644 index f376bd236..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/kem.c +++ /dev/null @@ -1,127 +0,0 @@ -#include <stddef.h> -#include <stdint.h> -#include "params.h" -#include "kem.h" -#include "indcpa.h" -#include "verify.h" -#include "symmetric.h" -#include "randombytes.h" - -/************************************************* -* Name: crypto_kem_keypair -* -* Description: Generates public and private key -* for CCA-secure Kyber key encapsulation mechanism -* -* Arguments: - uint8_t *pk: pointer to output public key -* (an already allocated array of KYBER_PUBLICKEYBYTES bytes) -* - uint8_t *sk: pointer to output private key -* (an already allocated array of KYBER_SECRETKEYBYTES bytes) -* -* Returns 0 (success) -**************************************************/ -int crypto_kem_keypair(uint8_t *pk, - uint8_t *sk) -{ - size_t i; - indcpa_keypair(pk, sk); - for(i=0;i<KYBER_INDCPA_PUBLICKEYBYTES;i++) - sk[i+KYBER_INDCPA_SECRETKEYBYTES] = pk[i]; - hash_h(sk+KYBER_SECRETKEYBYTES-2*KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES); - /* Value z for pseudo-random output on reject */ - randombytes(sk+KYBER_SECRETKEYBYTES-KYBER_SYMBYTES, KYBER_SYMBYTES); - return 0; -} - -/************************************************* -* Name: crypto_kem_enc -* -* Description: Generates cipher text and shared -* secret for given public key -* -* Arguments: - uint8_t *ct: pointer to output cipher text -* (an already allocated array of KYBER_CIPHERTEXTBYTES bytes) -* - uint8_t *ss: pointer to output shared secret -* (an already allocated array of KYBER_SSBYTES bytes) -* - const uint8_t *pk: pointer to input public key -* (an already allocated array of KYBER_PUBLICKEYBYTES bytes) -* -* Returns 0 (success) -**************************************************/ -int crypto_kem_enc(uint8_t *ct, - uint8_t *ss, - const uint8_t *pk) -{ - uint8_t buf[2*KYBER_SYMBYTES]; - /* Will contain key, coins */ - uint8_t kr[2*KYBER_SYMBYTES]; - - randombytes(buf, KYBER_SYMBYTES); - /* Don't release system RNG output */ - hash_h(buf, buf, KYBER_SYMBYTES); - - /* Multitarget countermeasure for coins + contributory KEM */ - hash_h(buf+KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES); - hash_g(kr, buf, 2*KYBER_SYMBYTES); - - /* coins are in kr+KYBER_SYMBYTES */ - indcpa_enc(ct, buf, pk, kr+KYBER_SYMBYTES); - - /* overwrite coins in kr with H(c) */ - hash_h(kr+KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); - /* hash concatenation of pre-k and H(c) to k */ - kdf(ss, kr, 2*KYBER_SYMBYTES); - return 0; -} - -/************************************************* -* Name: crypto_kem_dec -* -* Description: Generates shared secret for given -* cipher text and private key -* -* Arguments: - uint8_t *ss: pointer to output shared secret -* (an already allocated array of KYBER_SSBYTES bytes) -* - const uint8_t *ct: pointer to input cipher text -* (an already allocated array of KYBER_CIPHERTEXTBYTES bytes) -* - const uint8_t *sk: pointer to input private key -* (an already allocated array of KYBER_SECRETKEYBYTES bytes) -* -* Returns 0. -* -* On failure, ss will contain a pseudo-random value. -**************************************************/ -int crypto_kem_dec(uint8_t *ss, - const uint8_t *ct, - const uint8_t *sk) -{ - size_t i; - int fail; - uint8_t buf[2*KYBER_SYMBYTES]; - /* Will contain key, coins */ - uint8_t kr[2*KYBER_SYMBYTES]; - uint8_t cmp[KYBER_CIPHERTEXTBYTES]; - const uint8_t *pk = sk+KYBER_INDCPA_SECRETKEYBYTES; - - indcpa_dec(buf, ct, sk); - - /* Multitarget countermeasure for coins + contributory KEM */ - for(i=0;i<KYBER_SYMBYTES;i++) - buf[KYBER_SYMBYTES+i] = sk[KYBER_SECRETKEYBYTES-2*KYBER_SYMBYTES+i]; - hash_g(kr, buf, 2*KYBER_SYMBYTES); - - /* coins are in kr+KYBER_SYMBYTES */ - indcpa_enc(cmp, buf, pk, kr+KYBER_SYMBYTES); - - fail = verify(ct, cmp, KYBER_CIPHERTEXTBYTES); - - /* overwrite coins in kr with H(c) */ - hash_h(kr+KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); - - /* Overwrite pre-k with z on re-encryption failure */ - cmov(kr, sk+KYBER_SECRETKEYBYTES-KYBER_SYMBYTES, KYBER_SYMBYTES, fail); - - /* hash concatenation of pre-k and H(c) to k */ - kdf(ss, kr, 2*KYBER_SYMBYTES); - return 0; -} diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/kem.h b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/kem.h deleted file mode 100644 index 3f3eff697..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/kem.h +++ /dev/null @@ -1,41 +0,0 @@ -#ifndef KEM_H -#define KEM_H - -#include <stdint.h> -#include "params.h" - -#define CRYPTO_SECRETKEYBYTES KYBER_SECRETKEYBYTES -#define CRYPTO_PUBLICKEYBYTES KYBER_PUBLICKEYBYTES -#define CRYPTO_CIPHERTEXTBYTES KYBER_CIPHERTEXTBYTES -#define CRYPTO_BYTES KYBER_SSBYTES - -#if (KYBER_K == 2) -#ifdef KYBER_90S -#define CRYPTO_ALGNAME "Kyber512-90s" -#else -#define CRYPTO_ALGNAME "Kyber512" -#endif -#elif (KYBER_K == 3) -#ifdef KYBER_90S -#define CRYPTO_ALGNAME "Kyber768-90s" -#else -#define CRYPTO_ALGNAME "Kyber768" -#endif -#elif (KYBER_K == 4) -#ifdef KYBER_90S -#define CRYPTO_ALGNAME "Kyber1024-90s" -#else -#define CRYPTO_ALGNAME "Kyber1024" -#endif -#endif - -#define crypto_kem_keypair KYBER_NAMESPACE(keypair) -int crypto_kem_keypair(uint8_t *pk, uint8_t *sk); - -#define crypto_kem_enc KYBER_NAMESPACE(enc) -int crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); - -#define crypto_kem_dec KYBER_NAMESPACE(dec) -int crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - -#endif diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/manifest.mn b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/manifest.mn deleted file mode 100644 index bdd42c01b..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/manifest.mn +++ /dev/null @@ -1,31 +0,0 @@ -# DO NOT EDIT: generated from manifest.mn.subdirs.template -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. -CORE_DEPTH = ../../../../../.. - -MODULE = oqs - -LIBRARY_NAME = oqs_src_kem_kyber_pqcrystals-kyber_kyber512_ref -SHARED_LIBRARY = $(NULL) - -CSRCS = \ - cbd.c \ - indcpa.c \ - kem.c \ - ntt.c \ - poly.c \ - polyvec.c \ - reduce.c \ - symmetric-shake.c \ - verify.c \ - $(NULL) - -# only add module debugging in opt builds if DEBUG_PKCS11 is set -ifdef DEBUG_PKCS11 - DEFINES += -DDEBUG_MODULE -endif - -# This part of the code, including all sub-dirs, can be optimized for size -export ALLOW_OPT_CODE_SIZE = 1 diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/ntt.c b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/ntt.c deleted file mode 100644 index 2f2eb10b2..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/ntt.c +++ /dev/null @@ -1,146 +0,0 @@ -#include <stdint.h> -#include "params.h" -#include "ntt.h" -#include "reduce.h" - -/* Code to generate zetas and zetas_inv used in the number-theoretic transform: - -#define KYBER_ROOT_OF_UNITY 17 - -static const uint8_t tree[128] = { - 0, 64, 32, 96, 16, 80, 48, 112, 8, 72, 40, 104, 24, 88, 56, 120, - 4, 68, 36, 100, 20, 84, 52, 116, 12, 76, 44, 108, 28, 92, 60, 124, - 2, 66, 34, 98, 18, 82, 50, 114, 10, 74, 42, 106, 26, 90, 58, 122, - 6, 70, 38, 102, 22, 86, 54, 118, 14, 78, 46, 110, 30, 94, 62, 126, - 1, 65, 33, 97, 17, 81, 49, 113, 9, 73, 41, 105, 25, 89, 57, 121, - 5, 69, 37, 101, 21, 85, 53, 117, 13, 77, 45, 109, 29, 93, 61, 125, - 3, 67, 35, 99, 19, 83, 51, 115, 11, 75, 43, 107, 27, 91, 59, 123, - 7, 71, 39, 103, 23, 87, 55, 119, 15, 79, 47, 111, 31, 95, 63, 127 -}; - -void init_ntt() { - unsigned int i; - int16_t tmp[128]; - - tmp[0] = MONT; - for(i=1;i<128;i++) - tmp[i] = fqmul(tmp[i-1],MONT*KYBER_ROOT_OF_UNITY % KYBER_Q); - - for(i=0;i<128;i++) { - zetas[i] = tmp[tree[i]]; - if(zetas[i] > KYBER_Q/2) - zetas[i] -= KYBER_Q; - if(zetas[i] < -KYBER_Q/2) - zetas[i] += KYBER_Q; - } -} -*/ - -const int16_t zetas[128] = { - -1044, -758, -359, -1517, 1493, 1422, 287, 202, - -171, 622, 1577, 182, 962, -1202, -1474, 1468, - 573, -1325, 264, 383, -829, 1458, -1602, -130, - -681, 1017, 732, 608, -1542, 411, -205, -1571, - 1223, 652, -552, 1015, -1293, 1491, -282, -1544, - 516, -8, -320, -666, -1618, -1162, 126, 1469, - -853, -90, -271, 830, 107, -1421, -247, -951, - -398, 961, -1508, -725, 448, -1065, 677, -1275, - -1103, 430, 555, 843, -1251, 871, 1550, 105, - 422, 587, 177, -235, -291, -460, 1574, 1653, - -246, 778, 1159, -147, -777, 1483, -602, 1119, - -1590, 644, -872, 349, 418, 329, -156, -75, - 817, 1097, 603, 610, 1322, -1285, -1465, 384, - -1215, -136, 1218, -1335, -874, 220, -1187, -1659, - -1185, -1530, -1278, 794, -1510, -854, -870, 478, - -108, -308, 996, 991, 958, -1460, 1522, 1628 -}; - -/************************************************* -* Name: fqmul -* -* Description: Multiplication followed by Montgomery reduction -* -* Arguments: - int16_t a: first factor -* - int16_t b: second factor -* -* Returns 16-bit integer congruent to a*b*R^{-1} mod q -**************************************************/ -static int16_t fqmul(int16_t a, int16_t b) { - return montgomery_reduce((int32_t)a*b); -} - -/************************************************* -* Name: ntt -* -* Description: Inplace number-theoretic transform (NTT) in Rq. -* input is in standard order, output is in bitreversed order -* -* Arguments: - int16_t r[256]: pointer to input/output vector of elements of Zq -**************************************************/ -void ntt(int16_t r[256]) { - unsigned int len, start, j, k; - int16_t t, zeta; - - k = 1; - for(len = 128; len >= 2; len >>= 1) { - for(start = 0; start < 256; start = j + len) { - zeta = zetas[k++]; - for(j = start; j < start + len; j++) { - t = fqmul(zeta, r[j + len]); - r[j + len] = r[j] - t; - r[j] = r[j] + t; - } - } - } -} - -/************************************************* -* Name: invntt_tomont -* -* Description: Inplace inverse number-theoretic transform in Rq and -* multiplication by Montgomery factor 2^16. -* Input is in bitreversed order, output is in standard order -* -* Arguments: - int16_t r[256]: pointer to input/output vector of elements of Zq -**************************************************/ -void invntt(int16_t r[256]) { - unsigned int start, len, j, k; - int16_t t, zeta; - const int16_t f = 1441; // mont^2/128 - - k = 127; - for(len = 2; len <= 128; len <<= 1) { - for(start = 0; start < 256; start = j + len) { - zeta = zetas[k--]; - for(j = start; j < start + len; j++) { - t = r[j]; - r[j] = barrett_reduce(t + r[j + len]); - r[j + len] = r[j + len] - t; - r[j + len] = fqmul(zeta, r[j + len]); - } - } - } - - for(j = 0; j < 256; j++) - r[j] = fqmul(r[j], f); -} - -/************************************************* -* Name: basemul -* -* Description: Multiplication of polynomials in Zq[X]/(X^2-zeta) -* used for multiplication of elements in Rq in NTT domain -* -* Arguments: - int16_t r[2]: pointer to the output polynomial -* - const int16_t a[2]: pointer to the first factor -* - const int16_t b[2]: pointer to the second factor -* - int16_t zeta: integer defining the reduction polynomial -**************************************************/ -void basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], int16_t zeta) -{ - r[0] = fqmul(a[1], b[1]); - r[0] = fqmul(r[0], zeta); - r[0] += fqmul(a[0], b[0]); - r[1] = fqmul(a[0], b[1]); - r[1] += fqmul(a[1], b[0]); -} diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/ntt.h b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/ntt.h deleted file mode 100644 index 227ea74f0..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/ntt.h +++ /dev/null @@ -1,19 +0,0 @@ -#ifndef NTT_H -#define NTT_H - -#include <stdint.h> -#include "params.h" - -#define zetas KYBER_NAMESPACE(zetas) -extern const int16_t zetas[128]; - -#define ntt KYBER_NAMESPACE(ntt) -void ntt(int16_t poly[256]); - -#define invntt KYBER_NAMESPACE(invntt) -void invntt(int16_t poly[256]); - -#define basemul KYBER_NAMESPACE(basemul) -void basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], int16_t zeta); - -#endif diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/params.h b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/params.h deleted file mode 100644 index 3d02a0f9e..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/params.h +++ /dev/null @@ -1,68 +0,0 @@ -#ifndef PARAMS_H -#define PARAMS_H - -#ifndef KYBER_K -#define KYBER_K 3 /* Change this for different security strengths */ -#endif - -//#define KYBER_90S /* Uncomment this if you want the 90S variant */ - -/* Don't change parameters below this line */ -#if (KYBER_K == 2) -#ifdef KYBER_90S -#define KYBER_NAMESPACE(s) pqcrystals_kyber512_90s_ref_##s -#else -#define KYBER_NAMESPACE(s) pqcrystals_kyber512_ref_##s -#endif -#elif (KYBER_K == 3) -#ifdef KYBER_90S -#define KYBER_NAMESPACE(s) pqcrystals_kyber768_90s_ref_##s -#else -#define KYBER_NAMESPACE(s) pqcrystals_kyber768_ref_##s -#endif -#elif (KYBER_K == 4) -#ifdef KYBER_90S -#define KYBER_NAMESPACE(s) pqcrystals_kyber1024_90s_ref_##s -#else -#define KYBER_NAMESPACE(s) pqcrystals_kyber1024_ref_##s -#endif -#else -#error "KYBER_K must be in {2,3,4}" -#endif - -#define KYBER_N 256 -#define KYBER_Q 3329 - -#define KYBER_SYMBYTES 32 /* size in bytes of hashes, and seeds */ -#define KYBER_SSBYTES 32 /* size in bytes of shared key */ - -#define KYBER_POLYBYTES 384 -#define KYBER_POLYVECBYTES (KYBER_K * KYBER_POLYBYTES) - -#if KYBER_K == 2 -#define KYBER_ETA1 3 -#define KYBER_POLYCOMPRESSEDBYTES 128 -#define KYBER_POLYVECCOMPRESSEDBYTES (KYBER_K * 320) -#elif KYBER_K == 3 -#define KYBER_ETA1 2 -#define KYBER_POLYCOMPRESSEDBYTES 128 -#define KYBER_POLYVECCOMPRESSEDBYTES (KYBER_K * 320) -#elif KYBER_K == 4 -#define KYBER_ETA1 2 -#define KYBER_POLYCOMPRESSEDBYTES 160 -#define KYBER_POLYVECCOMPRESSEDBYTES (KYBER_K * 352) -#endif - -#define KYBER_ETA2 2 - -#define KYBER_INDCPA_MSGBYTES (KYBER_SYMBYTES) -#define KYBER_INDCPA_PUBLICKEYBYTES (KYBER_POLYVECBYTES + KYBER_SYMBYTES) -#define KYBER_INDCPA_SECRETKEYBYTES (KYBER_POLYVECBYTES) -#define KYBER_INDCPA_BYTES (KYBER_POLYVECCOMPRESSEDBYTES + KYBER_POLYCOMPRESSEDBYTES) - -#define KYBER_PUBLICKEYBYTES (KYBER_INDCPA_PUBLICKEYBYTES) -/* 32 bytes of additional space to save H(pk) */ -#define KYBER_SECRETKEYBYTES (KYBER_INDCPA_SECRETKEYBYTES + KYBER_INDCPA_PUBLICKEYBYTES + 2*KYBER_SYMBYTES) -#define KYBER_CIPHERTEXTBYTES (KYBER_INDCPA_BYTES) - -#endif diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/poly.c b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/poly.c deleted file mode 100644 index 9556ee517..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/poly.c +++ /dev/null @@ -1,343 +0,0 @@ -#include <stdint.h> -#include "params.h" -#include "poly.h" -#include "ntt.h" -#include "reduce.h" -#include "cbd.h" -#include "symmetric.h" - -/************************************************* -* Name: poly_compress -* -* Description: Compression and subsequent serialization of a polynomial -* -* Arguments: - uint8_t *r: pointer to output byte array -* (of length KYBER_POLYCOMPRESSEDBYTES) -* - const poly *a: pointer to input polynomial -**************************************************/ -void poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], const poly *a) -{ - unsigned int i,j; - int16_t u; - uint8_t t[8]; - -#if (KYBER_POLYCOMPRESSEDBYTES == 128) - for(i=0;i<KYBER_N/8;i++) { - for(j=0;j<8;j++) { - // map to positive standard representatives - u = a->coeffs[8*i+j]; - u += (u >> 15) & KYBER_Q; - t[j] = ((((uint16_t)u << 4) + KYBER_Q/2)/KYBER_Q) & 15; - } - - r[0] = t[0] | (t[1] << 4); - r[1] = t[2] | (t[3] << 4); - r[2] = t[4] | (t[5] << 4); - r[3] = t[6] | (t[7] << 4); - r += 4; - } -#elif (KYBER_POLYCOMPRESSEDBYTES == 160) - for(i=0;i<KYBER_N/8;i++) { - for(j=0;j<8;j++) { - // map to positive standard representatives - u = a->coeffs[8*i+j]; - u += (u >> 15) & KYBER_Q; - t[j] = ((((uint32_t)u << 5) + KYBER_Q/2)/KYBER_Q) & 31; - } - - r[0] = (t[0] >> 0) | (t[1] << 5); - r[1] = (t[1] >> 3) | (t[2] << 2) | (t[3] << 7); - r[2] = (t[3] >> 1) | (t[4] << 4); - r[3] = (t[4] >> 4) | (t[5] << 1) | (t[6] << 6); - r[4] = (t[6] >> 2) | (t[7] << 3); - r += 5; - } -#else -#error "KYBER_POLYCOMPRESSEDBYTES needs to be in {128, 160}" -#endif -} - -/************************************************* -* Name: poly_decompress -* -* Description: De-serialization and subsequent decompression of a polynomial; -* approximate inverse of poly_compress -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *a: pointer to input byte array -* (of length KYBER_POLYCOMPRESSEDBYTES bytes) -**************************************************/ -void poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]) -{ - unsigned int i; - -#if (KYBER_POLYCOMPRESSEDBYTES == 128) - for(i=0;i<KYBER_N/2;i++) { - r->coeffs[2*i+0] = (((uint16_t)(a[0] & 15)*KYBER_Q) + 8) >> 4; - r->coeffs[2*i+1] = (((uint16_t)(a[0] >> 4)*KYBER_Q) + 8) >> 4; - a += 1; - } -#elif (KYBER_POLYCOMPRESSEDBYTES == 160) - unsigned int j; - uint8_t t[8]; - for(i=0;i<KYBER_N/8;i++) { - t[0] = (a[0] >> 0); - t[1] = (a[0] >> 5) | (a[1] << 3); - t[2] = (a[1] >> 2); - t[3] = (a[1] >> 7) | (a[2] << 1); - t[4] = (a[2] >> 4) | (a[3] << 4); - t[5] = (a[3] >> 1); - t[6] = (a[3] >> 6) | (a[4] << 2); - t[7] = (a[4] >> 3); - a += 5; - - for(j=0;j<8;j++) - r->coeffs[8*i+j] = ((uint32_t)(t[j] & 31)*KYBER_Q + 16) >> 5; - } -#else -#error "KYBER_POLYCOMPRESSEDBYTES needs to be in {128, 160}" -#endif -} - -/************************************************* -* Name: poly_tobytes -* -* Description: Serialization of a polynomial -* -* Arguments: - uint8_t *r: pointer to output byte array -* (needs space for KYBER_POLYBYTES bytes) -* - const poly *a: pointer to input polynomial -**************************************************/ -void poly_tobytes(uint8_t r[KYBER_POLYBYTES], const poly *a) -{ - unsigned int i; - uint16_t t0, t1; - - for(i=0;i<KYBER_N/2;i++) { - // map to positive standard representatives - t0 = a->coeffs[2*i]; - t0 += ((int16_t)t0 >> 15) & KYBER_Q; - t1 = a->coeffs[2*i+1]; - t1 += ((int16_t)t1 >> 15) & KYBER_Q; - r[3*i+0] = (t0 >> 0); - r[3*i+1] = (t0 >> 8) | (t1 << 4); - r[3*i+2] = (t1 >> 4); - } -} - -/************************************************* -* Name: poly_frombytes -* -* Description: De-serialization of a polynomial; -* inverse of poly_tobytes -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *a: pointer to input byte array -* (of KYBER_POLYBYTES bytes) -**************************************************/ -void poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]) -{ - unsigned int i; - for(i=0;i<KYBER_N/2;i++) { - r->coeffs[2*i] = ((a[3*i+0] >> 0) | ((uint16_t)a[3*i+1] << 8)) & 0xFFF; - r->coeffs[2*i+1] = ((a[3*i+1] >> 4) | ((uint16_t)a[3*i+2] << 4)) & 0xFFF; - } -} - -/************************************************* -* Name: poly_frommsg -* -* Description: Convert 32-byte message to polynomial -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *msg: pointer to input message -**************************************************/ -void poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]) -{ - unsigned int i,j; - int16_t mask; - -#if (KYBER_INDCPA_MSGBYTES != KYBER_N/8) -#error "KYBER_INDCPA_MSGBYTES must be equal to KYBER_N/8 bytes!" -#endif - - for(i=0;i<KYBER_N/8;i++) { - for(j=0;j<8;j++) { - mask = -(int16_t)((msg[i] >> j)&1); - r->coeffs[8*i+j] = mask & ((KYBER_Q+1)/2); - } - } -} - -/************************************************* -* Name: poly_tomsg -* -* Description: Convert polynomial to 32-byte message -* -* Arguments: - uint8_t *msg: pointer to output message -* - const poly *a: pointer to input polynomial -**************************************************/ -void poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], const poly *a) -{ - unsigned int i,j; - uint16_t t; - - for(i=0;i<KYBER_N/8;i++) { - msg[i] = 0; - for(j=0;j<8;j++) { - t = a->coeffs[8*i+j]; - t += ((int16_t)t >> 15) & KYBER_Q; - t = (((t << 1) + KYBER_Q/2)/KYBER_Q) & 1; - msg[i] |= t << j; - } - } -} - -/************************************************* -* Name: poly_getnoise_eta1 -* -* Description: Sample a polynomial deterministically from a seed and a nonce, -* with output polynomial close to centered binomial distribution -* with parameter KYBER_ETA1 -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *seed: pointer to input seed -* (of length KYBER_SYMBYTES bytes) -* - uint8_t nonce: one-byte input nonce -**************************************************/ -void poly_getnoise_eta1(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce) -{ - uint8_t buf[KYBER_ETA1*KYBER_N/4]; - prf(buf, sizeof(buf), seed, nonce); - poly_cbd_eta1(r, buf); -} - -/************************************************* -* Name: poly_getnoise_eta2 -* -* Description: Sample a polynomial deterministically from a seed and a nonce, -* with output polynomial close to centered binomial distribution -* with parameter KYBER_ETA2 -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *seed: pointer to input seed -* (of length KYBER_SYMBYTES bytes) -* - uint8_t nonce: one-byte input nonce -**************************************************/ -void poly_getnoise_eta2(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce) -{ - uint8_t buf[KYBER_ETA2*KYBER_N/4]; - prf(buf, sizeof(buf), seed, nonce); - poly_cbd_eta2(r, buf); -} - - -/************************************************* -* Name: poly_ntt -* -* Description: Computes negacyclic number-theoretic transform (NTT) of -* a polynomial in place; -* inputs assumed to be in normal order, output in bitreversed order -* -* Arguments: - uint16_t *r: pointer to in/output polynomial -**************************************************/ -void poly_ntt(poly *r) -{ - ntt(r->coeffs); - poly_reduce(r); -} - -/************************************************* -* Name: poly_invntt_tomont -* -* Description: Computes inverse of negacyclic number-theoretic transform (NTT) -* of a polynomial in place; -* inputs assumed to be in bitreversed order, output in normal order -* -* Arguments: - uint16_t *a: pointer to in/output polynomial -**************************************************/ -void poly_invntt_tomont(poly *r) -{ - invntt(r->coeffs); -} - -/************************************************* -* Name: poly_basemul_montgomery -* -* Description: Multiplication of two polynomials in NTT domain -* -* Arguments: - poly *r: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void poly_basemul_montgomery(poly *r, const poly *a, const poly *b) -{ - unsigned int i; - for(i=0;i<KYBER_N/4;i++) { - basemul(&r->coeffs[4*i], &a->coeffs[4*i], &b->coeffs[4*i], zetas[64+i]); - basemul(&r->coeffs[4*i+2], &a->coeffs[4*i+2], &b->coeffs[4*i+2], -zetas[64+i]); - } -} - -/************************************************* -* Name: poly_tomont -* -* Description: Inplace conversion of all coefficients of a polynomial -* from normal domain to Montgomery domain -* -* Arguments: - poly *r: pointer to input/output polynomial -**************************************************/ -void poly_tomont(poly *r) -{ - unsigned int i; - const int16_t f = (1ULL << 32) % KYBER_Q; - for(i=0;i<KYBER_N;i++) - r->coeffs[i] = montgomery_reduce((int32_t)r->coeffs[i]*f); -} - -/************************************************* -* Name: poly_reduce -* -* Description: Applies Barrett reduction to all coefficients of a polynomial -* for details of the Barrett reduction see comments in reduce.c -* -* Arguments: - poly *r: pointer to input/output polynomial -**************************************************/ -void poly_reduce(poly *r) -{ - unsigned int i; - for(i=0;i<KYBER_N;i++) - r->coeffs[i] = barrett_reduce(r->coeffs[i]); -} - -/************************************************* -* Name: poly_add -* -* Description: Add two polynomials; no modular reduction is performed -* -* Arguments: - poly *r: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void poly_add(poly *r, const poly *a, const poly *b) -{ - unsigned int i; - for(i=0;i<KYBER_N;i++) - r->coeffs[i] = a->coeffs[i] + b->coeffs[i]; -} - -/************************************************* -* Name: poly_sub -* -* Description: Subtract two polynomials; no modular reduction is performed -* -* Arguments: - poly *r: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void poly_sub(poly *r, const poly *a, const poly *b) -{ - unsigned int i; - for(i=0;i<KYBER_N;i++) - r->coeffs[i] = a->coeffs[i] - b->coeffs[i]; -} diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/poly.h b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/poly.h deleted file mode 100644 index 9a99c7cda..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/poly.h +++ /dev/null @@ -1,53 +0,0 @@ -#ifndef POLY_H -#define POLY_H - -#include <stdint.h> -#include "params.h" - -/* - * Elements of R_q = Z_q[X]/(X^n + 1). Represents polynomial - * coeffs[0] + X*coeffs[1] + X^2*coeffs[2] + ... + X^{n-1}*coeffs[n-1] - */ -typedef struct{ - int16_t coeffs[KYBER_N]; -} poly; - -#define poly_compress KYBER_NAMESPACE(poly_compress) -void poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], const poly *a); -#define poly_decompress KYBER_NAMESPACE(poly_decompress) -void poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]); - -#define poly_tobytes KYBER_NAMESPACE(poly_tobytes) -void poly_tobytes(uint8_t r[KYBER_POLYBYTES], const poly *a); -#define poly_frombytes KYBER_NAMESPACE(poly_frombytes) -void poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]); - -#define poly_frommsg KYBER_NAMESPACE(poly_frommsg) -void poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]); -#define poly_tomsg KYBER_NAMESPACE(poly_tomsg) -void poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], const poly *r); - -#define poly_getnoise_eta1 KYBER_NAMESPACE(poly_getnoise_eta1) -void poly_getnoise_eta1(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce); - -#define poly_getnoise_eta2 KYBER_NAMESPACE(poly_getnoise_eta2) -void poly_getnoise_eta2(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce); - -#define poly_ntt KYBER_NAMESPACE(poly_ntt) -void poly_ntt(poly *r); -#define poly_invntt_tomont KYBER_NAMESPACE(poly_invntt_tomont) -void poly_invntt_tomont(poly *r); -#define poly_basemul_montgomery KYBER_NAMESPACE(poly_basemul_montgomery) -void poly_basemul_montgomery(poly *r, const poly *a, const poly *b); -#define poly_tomont KYBER_NAMESPACE(poly_tomont) -void poly_tomont(poly *r); - -#define poly_reduce KYBER_NAMESPACE(poly_reduce) -void poly_reduce(poly *r); - -#define poly_add KYBER_NAMESPACE(poly_add) -void poly_add(poly *r, const poly *a, const poly *b); -#define poly_sub KYBER_NAMESPACE(poly_sub) -void poly_sub(poly *r, const poly *a, const poly *b); - -#endif diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/polyvec.c b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/polyvec.c deleted file mode 100644 index 8420d069c..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/polyvec.c +++ /dev/null @@ -1,233 +0,0 @@ -#include <stdint.h> -#include "params.h" -#include "poly.h" -#include "polyvec.h" - -/************************************************* -* Name: polyvec_compress -* -* Description: Compress and serialize vector of polynomials -* -* Arguments: - uint8_t *r: pointer to output byte array -* (needs space for KYBER_POLYVECCOMPRESSEDBYTES) -* - const polyvec *a: pointer to input vector of polynomials -**************************************************/ -void polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], const polyvec *a) -{ - unsigned int i,j,k; - -#if (KYBER_POLYVECCOMPRESSEDBYTES == (KYBER_K * 352)) - uint16_t t[8]; - for(i=0;i<KYBER_K;i++) { - for(j=0;j<KYBER_N/8;j++) { - for(k=0;k<8;k++) { - t[k] = a->vec[i].coeffs[8*j+k]; - t[k] += ((int16_t)t[k] >> 15) & KYBER_Q; - t[k] = ((((uint32_t)t[k] << 11) + KYBER_Q/2)/KYBER_Q) & 0x7ff; - } - - r[ 0] = (t[0] >> 0); - r[ 1] = (t[0] >> 8) | (t[1] << 3); - r[ 2] = (t[1] >> 5) | (t[2] << 6); - r[ 3] = (t[2] >> 2); - r[ 4] = (t[2] >> 10) | (t[3] << 1); - r[ 5] = (t[3] >> 7) | (t[4] << 4); - r[ 6] = (t[4] >> 4) | (t[5] << 7); - r[ 7] = (t[5] >> 1); - r[ 8] = (t[5] >> 9) | (t[6] << 2); - r[ 9] = (t[6] >> 6) | (t[7] << 5); - r[10] = (t[7] >> 3); - r += 11; - } - } -#elif (KYBER_POLYVECCOMPRESSEDBYTES == (KYBER_K * 320)) - uint16_t t[4]; - for(i=0;i<KYBER_K;i++) { - for(j=0;j<KYBER_N/4;j++) { - for(k=0;k<4;k++) { - t[k] = a->vec[i].coeffs[4*j+k]; - t[k] += ((int16_t)t[k] >> 15) & KYBER_Q; - t[k] = ((((uint32_t)t[k] << 10) + KYBER_Q/2)/ KYBER_Q) & 0x3ff; - } - - r[0] = (t[0] >> 0); - r[1] = (t[0] >> 8) | (t[1] << 2); - r[2] = (t[1] >> 6) | (t[2] << 4); - r[3] = (t[2] >> 4) | (t[3] << 6); - r[4] = (t[3] >> 2); - r += 5; - } - } -#else -#error "KYBER_POLYVECCOMPRESSEDBYTES needs to be in {320*KYBER_K, 352*KYBER_K}" -#endif -} - -/************************************************* -* Name: polyvec_decompress -* -* Description: De-serialize and decompress vector of polynomials; -* approximate inverse of polyvec_compress -* -* Arguments: - polyvec *r: pointer to output vector of polynomials -* - const uint8_t *a: pointer to input byte array -* (of length KYBER_POLYVECCOMPRESSEDBYTES) -**************************************************/ -void polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]) -{ - unsigned int i,j,k; - -#if (KYBER_POLYVECCOMPRESSEDBYTES == (KYBER_K * 352)) - uint16_t t[8]; - for(i=0;i<KYBER_K;i++) { - for(j=0;j<KYBER_N/8;j++) { - t[0] = (a[0] >> 0) | ((uint16_t)a[ 1] << 8); - t[1] = (a[1] >> 3) | ((uint16_t)a[ 2] << 5); - t[2] = (a[2] >> 6) | ((uint16_t)a[ 3] << 2) | ((uint16_t)a[4] << 10); - t[3] = (a[4] >> 1) | ((uint16_t)a[ 5] << 7); - t[4] = (a[5] >> 4) | ((uint16_t)a[ 6] << 4); - t[5] = (a[6] >> 7) | ((uint16_t)a[ 7] << 1) | ((uint16_t)a[8] << 9); - t[6] = (a[8] >> 2) | ((uint16_t)a[ 9] << 6); - t[7] = (a[9] >> 5) | ((uint16_t)a[10] << 3); - a += 11; - - for(k=0;k<8;k++) - r->vec[i].coeffs[8*j+k] = ((uint32_t)(t[k] & 0x7FF)*KYBER_Q + 1024) >> 11; - } - } -#elif (KYBER_POLYVECCOMPRESSEDBYTES == (KYBER_K * 320)) - uint16_t t[4]; - for(i=0;i<KYBER_K;i++) { - for(j=0;j<KYBER_N/4;j++) { - t[0] = (a[0] >> 0) | ((uint16_t)a[1] << 8); - t[1] = (a[1] >> 2) | ((uint16_t)a[2] << 6); - t[2] = (a[2] >> 4) | ((uint16_t)a[3] << 4); - t[3] = (a[3] >> 6) | ((uint16_t)a[4] << 2); - a += 5; - - for(k=0;k<4;k++) - r->vec[i].coeffs[4*j+k] = ((uint32_t)(t[k] & 0x3FF)*KYBER_Q + 512) >> 10; - } - } -#else -#error "KYBER_POLYVECCOMPRESSEDBYTES needs to be in {320*KYBER_K, 352*KYBER_K}" -#endif -} - -/************************************************* -* Name: polyvec_tobytes -* -* Description: Serialize vector of polynomials -* -* Arguments: - uint8_t *r: pointer to output byte array -* (needs space for KYBER_POLYVECBYTES) -* - const polyvec *a: pointer to input vector of polynomials -**************************************************/ -void polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], const polyvec *a) -{ - unsigned int i; - for(i=0;i<KYBER_K;i++) - poly_tobytes(r+i*KYBER_POLYBYTES, &a->vec[i]); -} - -/************************************************* -* Name: polyvec_frombytes -* -* Description: De-serialize vector of polynomials; -* inverse of polyvec_tobytes -* -* Arguments: - uint8_t *r: pointer to output byte array -* - const polyvec *a: pointer to input vector of polynomials -* (of length KYBER_POLYVECBYTES) -**************************************************/ -void polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]) -{ - unsigned int i; - for(i=0;i<KYBER_K;i++) - poly_frombytes(&r->vec[i], a+i*KYBER_POLYBYTES); -} - -/************************************************* -* Name: polyvec_ntt -* -* Description: Apply forward NTT to all elements of a vector of polynomials -* -* Arguments: - polyvec *r: pointer to in/output vector of polynomials -**************************************************/ -void polyvec_ntt(polyvec *r) -{ - unsigned int i; - for(i=0;i<KYBER_K;i++) - poly_ntt(&r->vec[i]); -} - -/************************************************* -* Name: polyvec_invntt_tomont -* -* Description: Apply inverse NTT to all elements of a vector of polynomials -* and multiply by Montgomery factor 2^16 -* -* Arguments: - polyvec *r: pointer to in/output vector of polynomials -**************************************************/ -void polyvec_invntt_tomont(polyvec *r) -{ - unsigned int i; - for(i=0;i<KYBER_K;i++) - poly_invntt_tomont(&r->vec[i]); -} - -/************************************************* -* Name: polyvec_basemul_acc_montgomery -* -* Description: Multiply elements of a and b in NTT domain, accumulate into r, -* and multiply by 2^-16. -* -* Arguments: - poly *r: pointer to output polynomial -* - const polyvec *a: pointer to first input vector of polynomials -* - const polyvec *b: pointer to second input vector of polynomials -**************************************************/ -void polyvec_basemul_acc_montgomery(poly *r, const polyvec *a, const polyvec *b) -{ - unsigned int i; - poly t; - - poly_basemul_montgomery(r, &a->vec[0], &b->vec[0]); - for(i=1;i<KYBER_K;i++) { - poly_basemul_montgomery(&t, &a->vec[i], &b->vec[i]); - poly_add(r, r, &t); - } - - poly_reduce(r); -} - -/************************************************* -* Name: polyvec_reduce -* -* Description: Applies Barrett reduction to each coefficient -* of each element of a vector of polynomials; -* for details of the Barrett reduction see comments in reduce.c -* -* Arguments: - polyvec *r: pointer to input/output polynomial -**************************************************/ -void polyvec_reduce(polyvec *r) -{ - unsigned int i; - for(i=0;i<KYBER_K;i++) - poly_reduce(&r->vec[i]); -} - -/************************************************* -* Name: polyvec_add -* -* Description: Add vectors of polynomials -* -* Arguments: - polyvec *r: pointer to output vector of polynomials -* - const polyvec *a: pointer to first input vector of polynomials -* - const polyvec *b: pointer to second input vector of polynomials -**************************************************/ -void polyvec_add(polyvec *r, const polyvec *a, const polyvec *b) -{ - unsigned int i; - for(i=0;i<KYBER_K;i++) - poly_add(&r->vec[i], &a->vec[i], &b->vec[i]); -} diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/polyvec.h b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/polyvec.h deleted file mode 100644 index 57b605494..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/polyvec.h +++ /dev/null @@ -1,36 +0,0 @@ -#ifndef POLYVEC_H -#define POLYVEC_H - -#include <stdint.h> -#include "params.h" -#include "poly.h" - -typedef struct{ - poly vec[KYBER_K]; -} polyvec; - -#define polyvec_compress KYBER_NAMESPACE(polyvec_compress) -void polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], const polyvec *a); -#define polyvec_decompress KYBER_NAMESPACE(polyvec_decompress) -void polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]); - -#define polyvec_tobytes KYBER_NAMESPACE(polyvec_tobytes) -void polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], const polyvec *a); -#define polyvec_frombytes KYBER_NAMESPACE(polyvec_frombytes) -void polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]); - -#define polyvec_ntt KYBER_NAMESPACE(polyvec_ntt) -void polyvec_ntt(polyvec *r); -#define polyvec_invntt_tomont KYBER_NAMESPACE(polyvec_invntt_tomont) -void polyvec_invntt_tomont(polyvec *r); - -#define polyvec_basemul_acc_montgomery KYBER_NAMESPACE(polyvec_basemul_acc_montgomery) -void polyvec_basemul_acc_montgomery(poly *r, const polyvec *a, const polyvec *b); - -#define polyvec_reduce KYBER_NAMESPACE(polyvec_reduce) -void polyvec_reduce(polyvec *r); - -#define polyvec_add KYBER_NAMESPACE(polyvec_add) -void polyvec_add(polyvec *r, const polyvec *a, const polyvec *b); - -#endif diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/pqcrystals-kyber_kyber512_ref.gyp b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/pqcrystals-kyber_kyber512_ref.gyp deleted file mode 100644 index dafac1337..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/pqcrystals-kyber_kyber512_ref.gyp +++ /dev/null @@ -1,41 +0,0 @@ -# DO NOT EDIT: generated from subdir.gyp.template -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. -{ - 'includes': [ - '../../../../../../coreconf/config.gypi' - ], - 'targets': [ - { - 'target_name': 'oqs_src_kem_kyber_pqcrystals-kyber_kyber512_ref', - 'type': 'static_library', - 'sources': [ - 'cbd.c', - 'indcpa.c', - 'kem.c', - 'ntt.c', - 'poly.c', - 'polyvec.c', - 'reduce.c', - 'symmetric-shake.c', - 'verify.c', - ], - 'dependencies': [ - '<(DEPTH)/exports.gyp:nss_exports' - ] - } - ], - 'target_defaults': { - 'defines': [ - 'KYBER_K=2', - ], - 'include_dirs': [ - '<(DEPTH)/lib/liboqs/src/common/pqclean_shims', - '<(DEPTH)/lib/liboqs/src/common/sha3/xkcp_low/KeccakP-1600/plain-64bits', - ] - }, - 'variables': { - 'module': 'oqs' - } -} diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/reduce.c b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/reduce.c deleted file mode 100644 index 9d8e7edf8..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/reduce.c +++ /dev/null @@ -1,42 +0,0 @@ -#include <stdint.h> -#include "params.h" -#include "reduce.h" - -/************************************************* -* Name: montgomery_reduce -* -* Description: Montgomery reduction; given a 32-bit integer a, computes -* 16-bit integer congruent to a * R^-1 mod q, where R=2^16 -* -* Arguments: - int32_t a: input integer to be reduced; -* has to be in {-q2^15,...,q2^15-1} -* -* Returns: integer in {-q+1,...,q-1} congruent to a * R^-1 modulo q. -**************************************************/ -int16_t montgomery_reduce(int32_t a) -{ - int16_t t; - - t = (int16_t)a*QINV; - t = (a - (int32_t)t*KYBER_Q) >> 16; - return t; -} - -/************************************************* -* Name: barrett_reduce -* -* Description: Barrett reduction; given a 16-bit integer a, computes -* centered representative congruent to a mod q in {-(q-1)/2,...,(q-1)/2} -* -* Arguments: - int16_t a: input integer to be reduced -* -* Returns: integer in {-(q-1)/2,...,(q-1)/2} congruent to a modulo q. -**************************************************/ -int16_t barrett_reduce(int16_t a) { - int16_t t; - const int16_t v = ((1<<26) + KYBER_Q/2)/KYBER_Q; - - t = ((int32_t)v*a + (1<<25)) >> 26; - t *= KYBER_Q; - return a - t; -} diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/reduce.h b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/reduce.h deleted file mode 100644 index c1bc1e4c7..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/reduce.h +++ /dev/null @@ -1,16 +0,0 @@ -#ifndef REDUCE_H -#define REDUCE_H - -#include <stdint.h> -#include "params.h" - -#define MONT -1044 // 2^16 mod q -#define QINV -3327 // q^-1 mod 2^16 - -#define montgomery_reduce KYBER_NAMESPACE(montgomery_reduce) -int16_t montgomery_reduce(int32_t a); - -#define barrett_reduce KYBER_NAMESPACE(barrett_reduce) -int16_t barrett_reduce(int16_t a); - -#endif diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/symmetric-shake.c b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/symmetric-shake.c deleted file mode 100644 index 2317c0627..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/symmetric-shake.c +++ /dev/null @@ -1,51 +0,0 @@ -#include <stddef.h> -#include <stdint.h> -#include <string.h> -#include "params.h" -#include "symmetric.h" -#include "fips202.h" - -/************************************************* -* Name: kyber_shake128_absorb -* -* Description: Absorb step of the SHAKE128 specialized for the Kyber context. -* -* Arguments: - keccak_state *state: pointer to (uninitialized) output Keccak state -* - const uint8_t *seed: pointer to KYBER_SYMBYTES input to be absorbed into state -* - uint8_t i: additional byte of input -* - uint8_t j: additional byte of input -**************************************************/ -void kyber_shake128_absorb(shake128incctx *state, - const uint8_t seed[KYBER_SYMBYTES], - uint8_t x, - uint8_t y) -{ - uint8_t extseed[KYBER_SYMBYTES+2]; - - memcpy(extseed, seed, KYBER_SYMBYTES); - extseed[KYBER_SYMBYTES+0] = x; - extseed[KYBER_SYMBYTES+1] = y; - - shake128_absorb_once(state, extseed, sizeof(extseed)); -} - -/************************************************* -* Name: kyber_shake256_prf -* -* Description: Usage of SHAKE256 as a PRF, concatenates secret and public input -* and then generates outlen bytes of SHAKE256 output -* -* Arguments: - uint8_t *out: pointer to output -* - size_t outlen: number of requested output bytes -* - const uint8_t *key: pointer to the key (of length KYBER_SYMBYTES) -* - uint8_t nonce: single-byte nonce (public PRF input) -**************************************************/ -void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYMBYTES], uint8_t nonce) -{ - uint8_t extkey[KYBER_SYMBYTES+1]; - - memcpy(extkey, key, KYBER_SYMBYTES); - extkey[KYBER_SYMBYTES] = nonce; - - shake256(out, outlen, extkey, sizeof(extkey)); -} diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/symmetric.h b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/symmetric.h deleted file mode 100644 index 2f2fb6364..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/symmetric.h +++ /dev/null @@ -1,64 +0,0 @@ -#ifndef SYMMETRIC_H -#define SYMMETRIC_H - -#include <stddef.h> -#include <stdint.h> -#include "params.h" - -#ifdef KYBER_90S - -#include "aes256ctr.h" -#include "sha2.h" - -#if (KYBER_SSBYTES != 32) -#error "90s variant of Kyber can only generate keys of length 256 bits" -#endif - -typedef aes256ctr_ctx xof_state; - -#define kyber_aes256xof_absorb KYBER_NAMESPACE(kyber_aes256xof_absorb) -void kyber_aes256xof_absorb(aes256ctr_ctx *state, const uint8_t seed[32], uint8_t x, uint8_t y); - -#define kyber_aes256ctr_prf KYBER_NAMESPACE(kyber_aes256ctr_prf) -void kyber_aes256ctr_prf(uint8_t *out, size_t outlen, const uint8_t key[32], uint8_t nonce); - -#define XOF_BLOCKBYTES AES256CTR_BLOCKBYTES - -#define hash_h(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES) -#define hash_g(OUT, IN, INBYTES) sha512(OUT, IN, INBYTES) -#define xof_init(STATE, SEED) aes256ctr_init_key(STATE, SEED) -#define xof_absorb(STATE, SEED, X, Y) kyber_aes256xof_absorb(STATE, SEED, X, Y) -#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE) -#define xof_release(STATE) aes256_ctx_release(STATE) -#define prf(OUT, OUTBYTES, KEY, NONCE) kyber_aes256ctr_prf(OUT, OUTBYTES, KEY, NONCE) -#define kdf(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES) - -#else - -#include "fips202.h" - -typedef shake128incctx xof_state; - -#define kyber_shake128_absorb KYBER_NAMESPACE(kyber_shake128_absorb) -void kyber_shake128_absorb(shake128incctx *s, - const uint8_t seed[KYBER_SYMBYTES], - uint8_t x, - uint8_t y); - -#define kyber_shake256_prf KYBER_NAMESPACE(kyber_shake256_prf) -void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYMBYTES], uint8_t nonce); - -#define XOF_BLOCKBYTES SHAKE128_RATE - -#define hash_h(OUT, IN, INBYTES) sha3_256(OUT, IN, INBYTES) -#define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES) -#define xof_init(STATE, SEED) shake128_inc_init(STATE) -#define xof_absorb(STATE, SEED, X, Y) kyber_shake128_absorb(STATE, SEED, X, Y) -#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE) -#define xof_release(STATE) shake128_inc_ctx_release(STATE) -#define prf(OUT, OUTBYTES, KEY, NONCE) kyber_shake256_prf(OUT, OUTBYTES, KEY, NONCE) -#define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES) - -#endif /* KYBER_90S */ - -#endif /* SYMMETRIC_H */ diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/verify.c b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/verify.c deleted file mode 100644 index ed4a6541f..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/verify.c +++ /dev/null @@ -1,47 +0,0 @@ -#include <stddef.h> -#include <stdint.h> -#include "verify.h" - -/************************************************* -* Name: verify -* -* Description: Compare two arrays for equality in constant time. -* -* Arguments: const uint8_t *a: pointer to first byte array -* const uint8_t *b: pointer to second byte array -* size_t len: length of the byte arrays -* -* Returns 0 if the byte arrays are equal, 1 otherwise -**************************************************/ -int verify(const uint8_t *a, const uint8_t *b, size_t len) -{ - size_t i; - uint8_t r = 0; - - for(i=0;i<len;i++) - r |= a[i] ^ b[i]; - - return (-(uint64_t)r) >> 63; -} - -/************************************************* -* Name: cmov -* -* Description: Copy len bytes from x to r if b is 1; -* don't modify x if b is 0. Requires b to be in {0,1}; -* assumes two's complement representation of negative integers. -* Runs in constant time. -* -* Arguments: uint8_t *r: pointer to output byte array -* const uint8_t *x: pointer to input byte array -* size_t len: Amount of bytes to be copied -* uint8_t b: Condition bit; has to be in {0,1} -**************************************************/ -void cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b) -{ - size_t i; - - b = -b; - for(i=0;i<len;i++) - r[i] ^= b & (r[i] ^ x[i]); -} diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/verify.h b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/verify.h deleted file mode 100644 index f95ac1b84..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber512_ref/verify.h +++ /dev/null @@ -1,14 +0,0 @@ -#ifndef VERIFY_H -#define VERIFY_H - -#include <stddef.h> -#include <stdint.h> -#include "params.h" - -#define verify KYBER_NAMESPACE(verify) -int verify(const uint8_t *a, const uint8_t *b, size_t len); - -#define cmov KYBER_NAMESPACE(cmov) -void cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b); - -#endif diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/Makefile b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/Makefile deleted file mode 100644 index fe090f3ff..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/Makefile +++ /dev/null @@ -1,49 +0,0 @@ -#! gmake -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -####################################################################### -# (1) Include initial platform-independent assignments (MANDATORY). # -####################################################################### - -include manifest.mn - -####################################################################### -# (2) Include "global" configuration information. (OPTIONAL) # -####################################################################### - -USE_GCOV = -include $(CORE_DEPTH)/coreconf/config.mk - -####################################################################### -# (3) Include "component" configuration information. (OPTIONAL) # -####################################################################### - - - -####################################################################### -# (4) Include "local" platform-dependent assignments (OPTIONAL). # -####################################################################### - -include config.mk - -####################################################################### -# (5) Execute "global" rules. (OPTIONAL) # -####################################################################### - -include $(CORE_DEPTH)/coreconf/rules.mk - -####################################################################### -# (6) Execute "component" rules. (OPTIONAL) # -####################################################################### - - - -####################################################################### -# (7) Execute "local" rules. (OPTIONAL). # -####################################################################### - -WARNING_CFLAGS = $(NULL) - diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/api.h b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/api.h deleted file mode 100644 index b34eab970..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/api.h +++ /dev/null @@ -1,75 +0,0 @@ -#ifndef API_H -#define API_H - -#include <stdint.h> - -#define pqcrystals_kyber512_SECRETKEYBYTES 1632 -#define pqcrystals_kyber512_PUBLICKEYBYTES 800 -#define pqcrystals_kyber512_CIPHERTEXTBYTES 768 -#define pqcrystals_kyber512_BYTES 32 - -#define pqcrystals_kyber512_ref_SECRETKEYBYTES pqcrystals_kyber512_SECRETKEYBYTES -#define pqcrystals_kyber512_ref_PUBLICKEYBYTES pqcrystals_kyber512_PUBLICKEYBYTES -#define pqcrystals_kyber512_ref_CIPHERTEXTBYTES pqcrystals_kyber512_CIPHERTEXTBYTES -#define pqcrystals_kyber512_ref_BYTES pqcrystals_kyber512_BYTES - -int pqcrystals_kyber512_ref_keypair(uint8_t *pk, uint8_t *sk); -int pqcrystals_kyber512_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); -int pqcrystals_kyber512_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - -#define pqcrystals_kyber512_90s_ref_SECRETKEYBYTES pqcrystals_kyber512_SECRETKEYBYTES -#define pqcrystals_kyber512_90s_ref_PUBLICKEYBYTES pqcrystals_kyber512_PUBLICKEYBYTES -#define pqcrystals_kyber512_90s_ref_CIPHERTEXTBYTES pqcrystals_kyber512_CIPHERTEXTBYTES -#define pqcrystals_kyber512_90s_ref_BYTES pqcrystals_kyber512_BYTES - -int pqcrystals_kyber512_90s_ref_keypair(uint8_t *pk, uint8_t *sk); -int pqcrystals_kyber512_90s_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); -int pqcrystals_kyber512_90s_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - -#define pqcrystals_kyber768_SECRETKEYBYTES 2400 -#define pqcrystals_kyber768_PUBLICKEYBYTES 1184 -#define pqcrystals_kyber768_CIPHERTEXTBYTES 1088 -#define pqcrystals_kyber768_BYTES 32 - -#define pqcrystals_kyber768_ref_SECRETKEYBYTES pqcrystals_kyber768_SECRETKEYBYTES -#define pqcrystals_kyber768_ref_PUBLICKEYBYTES pqcrystals_kyber768_PUBLICKEYBYTES -#define pqcrystals_kyber768_ref_CIPHERTEXTBYTES pqcrystals_kyber768_CIPHERTEXTBYTES -#define pqcrystals_kyber768_ref_BYTES pqcrystals_kyber768_BYTES - -int pqcrystals_kyber768_ref_keypair(uint8_t *pk, uint8_t *sk); -int pqcrystals_kyber768_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); -int pqcrystals_kyber768_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - -#define pqcrystals_kyber768_90s_ref_SECRETKEYBYTES pqcrystals_kyber768_SECRETKEYBYTES -#define pqcrystals_kyber768_90s_ref_PUBLICKEYBYTES pqcrystals_kyber768_PUBLICKEYBYTES -#define pqcrystals_kyber768_90s_ref_CIPHERTEXTBYTES pqcrystals_kyber768_CIPHERTEXTBYTES -#define pqcrystals_kyber768_90s_ref_BYTES pqcrystals_kyber768_BYTES - -int pqcrystals_kyber768_90s_ref_keypair(uint8_t *pk, uint8_t *sk); -int pqcrystals_kyber768_90s_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); -int pqcrystals_kyber768_90s_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - -#define pqcrystals_kyber1024_SECRETKEYBYTES 3168 -#define pqcrystals_kyber1024_PUBLICKEYBYTES 1568 -#define pqcrystals_kyber1024_CIPHERTEXTBYTES 1568 -#define pqcrystals_kyber1024_BYTES 32 - -#define pqcrystals_kyber1024_ref_SECRETKEYBYTES pqcrystals_kyber1024_SECRETKEYBYTES -#define pqcrystals_kyber1024_ref_PUBLICKEYBYTES pqcrystals_kyber1024_PUBLICKEYBYTES -#define pqcrystals_kyber1024_ref_CIPHERTEXTBYTES pqcrystals_kyber1024_CIPHERTEXTBYTES -#define pqcrystals_kyber1024_ref_BYTES pqcrystals_kyber1024_BYTES - -int pqcrystals_kyber1024_ref_keypair(uint8_t *pk, uint8_t *sk); -int pqcrystals_kyber1024_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); -int pqcrystals_kyber1024_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - -#define pqcrystals_kyber1024_90s_ref_SECRETKEYBYTES pqcrystals_kyber1024_SECRETKEYBYTES -#define pqcrystals_kyber1024_90s_ref_PUBLICKEYBYTES pqcrystals_kyber1024_PUBLICKEYBYTES -#define pqcrystals_kyber1024_90s_ref_CIPHERTEXTBYTES pqcrystals_kyber1024_CIPHERTEXTBYTES -#define pqcrystals_kyber1024_90s_ref_BYTES pqcrystals_kyber1024_BYTES - -int pqcrystals_kyber1024_90s_ref_keypair(uint8_t *pk, uint8_t *sk); -int pqcrystals_kyber1024_90s_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); -int pqcrystals_kyber1024_90s_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - -#endif diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/cbd.c b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/cbd.c deleted file mode 100644 index 1500ffea5..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/cbd.c +++ /dev/null @@ -1,128 +0,0 @@ -#include <stdint.h> -#include "params.h" -#include "cbd.h" - -/************************************************* -* Name: load32_littleendian -* -* Description: load 4 bytes into a 32-bit integer -* in little-endian order -* -* Arguments: - const uint8_t *x: pointer to input byte array -* -* Returns 32-bit unsigned integer loaded from x -**************************************************/ -static uint32_t load32_littleendian(const uint8_t x[4]) -{ - uint32_t r; - r = (uint32_t)x[0]; - r |= (uint32_t)x[1] << 8; - r |= (uint32_t)x[2] << 16; - r |= (uint32_t)x[3] << 24; - return r; -} - -/************************************************* -* Name: load24_littleendian -* -* Description: load 3 bytes into a 32-bit integer -* in little-endian order. -* This function is only needed for Kyber-512 -* -* Arguments: - const uint8_t *x: pointer to input byte array -* -* Returns 32-bit unsigned integer loaded from x (most significant byte is zero) -**************************************************/ -#if KYBER_ETA1 == 3 -static uint32_t load24_littleendian(const uint8_t x[3]) -{ - uint32_t r; - r = (uint32_t)x[0]; - r |= (uint32_t)x[1] << 8; - r |= (uint32_t)x[2] << 16; - return r; -} -#endif - - -/************************************************* -* Name: cbd2 -* -* Description: Given an array of uniformly random bytes, compute -* polynomial with coefficients distributed according to -* a centered binomial distribution with parameter eta=2 -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *buf: pointer to input byte array -**************************************************/ -static void cbd2(poly *r, const uint8_t buf[2*KYBER_N/4]) -{ - unsigned int i,j; - uint32_t t,d; - int16_t a,b; - - for(i=0;i<KYBER_N/8;i++) { - t = load32_littleendian(buf+4*i); - d = t & 0x55555555; - d += (t>>1) & 0x55555555; - - for(j=0;j<8;j++) { - a = (d >> (4*j+0)) & 0x3; - b = (d >> (4*j+2)) & 0x3; - r->coeffs[8*i+j] = a - b; - } - } -} - -/************************************************* -* Name: cbd3 -* -* Description: Given an array of uniformly random bytes, compute -* polynomial with coefficients distributed according to -* a centered binomial distribution with parameter eta=3. -* This function is only needed for Kyber-512 -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *buf: pointer to input byte array -**************************************************/ -#if KYBER_ETA1 == 3 -static void cbd3(poly *r, const uint8_t buf[3*KYBER_N/4]) -{ - unsigned int i,j; - uint32_t t,d; - int16_t a,b; - - for(i=0;i<KYBER_N/4;i++) { - t = load24_littleendian(buf+3*i); - d = t & 0x00249249; - d += (t>>1) & 0x00249249; - d += (t>>2) & 0x00249249; - - for(j=0;j<4;j++) { - a = (d >> (6*j+0)) & 0x7; - b = (d >> (6*j+3)) & 0x7; - r->coeffs[4*i+j] = a - b; - } - } -} -#endif - -void poly_cbd_eta1(poly *r, const uint8_t buf[KYBER_ETA1*KYBER_N/4]) -{ -#if KYBER_ETA1 == 2 - cbd2(r, buf); -#elif KYBER_ETA1 == 3 - cbd3(r, buf); -#else -#error "This implementation requires eta1 in {2,3}" -#endif -} - -void poly_cbd_eta2(poly *r, const uint8_t buf[KYBER_ETA2*KYBER_N/4]) -{ -#if KYBER_ETA2 == 2 - cbd2(r, buf); -#else -#error "This implementation requires eta2 = 2" -#endif -} diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/cbd.h b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/cbd.h deleted file mode 100644 index 7b677d745..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/cbd.h +++ /dev/null @@ -1,14 +0,0 @@ -#ifndef CBD_H -#define CBD_H - -#include <stdint.h> -#include "params.h" -#include "poly.h" - -#define poly_cbd_eta1 KYBER_NAMESPACE(poly_cbd_eta1) -void poly_cbd_eta1(poly *r, const uint8_t buf[KYBER_ETA1*KYBER_N/4]); - -#define poly_cbd_eta2 KYBER_NAMESPACE(poly_cbd_eta2) -void poly_cbd_eta2(poly *r, const uint8_t buf[KYBER_ETA2*KYBER_N/4]); - -#endif diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/config.mk b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/config.mk deleted file mode 100644 index 9bfd9680f..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/config.mk +++ /dev/null @@ -1,12 +0,0 @@ -# DO NOT EDIT: generated from config.mk.subdirs.template -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -# add fixes for platform integration issues here. -# -# liboqs programs expect the public include files to be in oqs/xxxx, -# So we put liboqs in it's own module, oqs, and point to the dist files -INCLUDES += -I$(CORE_DEPTH)/lib/liboqs/src/common/pqclean_shims -I$(CORE_DEPTH)/lib/liboqs/src/common/sha3/xkcp_low/KeccakP-1600/plain-64bits -DEFINES += -DKYBER_K=3 diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/indcpa.c b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/indcpa.c deleted file mode 100644 index f0129aa04..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/indcpa.c +++ /dev/null @@ -1,331 +0,0 @@ -#include <stddef.h> -#include <stdint.h> -#include "params.h" -#include "indcpa.h" -#include "polyvec.h" -#include "poly.h" -#include "ntt.h" -#include "symmetric.h" -#include "randombytes.h" - -/************************************************* -* Name: pack_pk -* -* Description: Serialize the public key as concatenation of the -* serialized vector of polynomials pk -* and the public seed used to generate the matrix A. -* -* Arguments: uint8_t *r: pointer to the output serialized public key -* polyvec *pk: pointer to the input public-key polyvec -* const uint8_t *seed: pointer to the input public seed -**************************************************/ -static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES], - polyvec *pk, - const uint8_t seed[KYBER_SYMBYTES]) -{ - size_t i; - polyvec_tobytes(r, pk); - for(i=0;i<KYBER_SYMBYTES;i++) - r[i+KYBER_POLYVECBYTES] = seed[i]; -} - -/************************************************* -* Name: unpack_pk -* -* Description: De-serialize public key from a byte array; -* approximate inverse of pack_pk -* -* Arguments: - polyvec *pk: pointer to output public-key polynomial vector -* - uint8_t *seed: pointer to output seed to generate matrix A -* - const uint8_t *packedpk: pointer to input serialized public key -**************************************************/ -static void unpack_pk(polyvec *pk, - uint8_t seed[KYBER_SYMBYTES], - const uint8_t packedpk[KYBER_INDCPA_PUBLICKEYBYTES]) -{ - size_t i; - polyvec_frombytes(pk, packedpk); - for(i=0;i<KYBER_SYMBYTES;i++) - seed[i] = packedpk[i+KYBER_POLYVECBYTES]; -} - -/************************************************* -* Name: pack_sk -* -* Description: Serialize the secret key -* -* Arguments: - uint8_t *r: pointer to output serialized secret key -* - polyvec *sk: pointer to input vector of polynomials (secret key) -**************************************************/ -static void pack_sk(uint8_t r[KYBER_INDCPA_SECRETKEYBYTES], polyvec *sk) -{ - polyvec_tobytes(r, sk); -} - -/************************************************* -* Name: unpack_sk -* -* Description: De-serialize the secret key; inverse of pack_sk -* -* Arguments: - polyvec *sk: pointer to output vector of polynomials (secret key) -* - const uint8_t *packedsk: pointer to input serialized secret key -**************************************************/ -static void unpack_sk(polyvec *sk, const uint8_t packedsk[KYBER_INDCPA_SECRETKEYBYTES]) -{ - polyvec_frombytes(sk, packedsk); -} - -/************************************************* -* Name: pack_ciphertext -* -* Description: Serialize the ciphertext as concatenation of the -* compressed and serialized vector of polynomials b -* and the compressed and serialized polynomial v -* -* Arguments: uint8_t *r: pointer to the output serialized ciphertext -* poly *pk: pointer to the input vector of polynomials b -* poly *v: pointer to the input polynomial v -**************************************************/ -static void pack_ciphertext(uint8_t r[KYBER_INDCPA_BYTES], polyvec *b, poly *v) -{ - polyvec_compress(r, b); - poly_compress(r+KYBER_POLYVECCOMPRESSEDBYTES, v); -} - -/************************************************* -* Name: unpack_ciphertext -* -* Description: De-serialize and decompress ciphertext from a byte array; -* approximate inverse of pack_ciphertext -* -* Arguments: - polyvec *b: pointer to the output vector of polynomials b -* - poly *v: pointer to the output polynomial v -* - const uint8_t *c: pointer to the input serialized ciphertext -**************************************************/ -static void unpack_ciphertext(polyvec *b, poly *v, const uint8_t c[KYBER_INDCPA_BYTES]) -{ - polyvec_decompress(b, c); - poly_decompress(v, c+KYBER_POLYVECCOMPRESSEDBYTES); -} - -/************************************************* -* Name: rej_uniform -* -* Description: Run rejection sampling on uniform random bytes to generate -* uniform random integers mod q -* -* Arguments: - int16_t *r: pointer to output buffer -* - unsigned int len: requested number of 16-bit integers (uniform mod q) -* - const uint8_t *buf: pointer to input buffer (assumed to be uniformly random bytes) -* - unsigned int buflen: length of input buffer in bytes -* -* Returns number of sampled 16-bit integers (at most len) -**************************************************/ -static unsigned int rej_uniform(int16_t *r, - unsigned int len, - const uint8_t *buf, - unsigned int buflen) -{ - unsigned int ctr, pos; - uint16_t val0, val1; - - ctr = pos = 0; - while(ctr < len && pos + 3 <= buflen) { - val0 = ((buf[pos+0] >> 0) | ((uint16_t)buf[pos+1] << 8)) & 0xFFF; - val1 = ((buf[pos+1] >> 4) | ((uint16_t)buf[pos+2] << 4)) & 0xFFF; - pos += 3; - - if(val0 < KYBER_Q) - r[ctr++] = val0; - if(ctr < len && val1 < KYBER_Q) - r[ctr++] = val1; - } - - return ctr; -} - -#define gen_a(A,B) gen_matrix(A,B,0) -#define gen_at(A,B) gen_matrix(A,B,1) - -/************************************************* -* Name: gen_matrix -* -* Description: Deterministically generate matrix A (or the transpose of A) -* from a seed. Entries of the matrix are polynomials that look -* uniformly random. Performs rejection sampling on output of -* a XOF -* -* Arguments: - polyvec *a: pointer to ouptput matrix A -* - const uint8_t *seed: pointer to input seed -* - int transposed: boolean deciding whether A or A^T is generated -**************************************************/ -#define GEN_MATRIX_NBLOCKS ((12*KYBER_N/8*(1 << 12)/KYBER_Q + XOF_BLOCKBYTES)/XOF_BLOCKBYTES) -// Not static for benchmarking -void gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed) -{ - unsigned int ctr, i, j, k; - unsigned int buflen, off; - uint8_t buf[GEN_MATRIX_NBLOCKS*XOF_BLOCKBYTES+2]; - xof_state state; - xof_init(&state, seed); - - for(i=0;i<KYBER_K;i++) { - for(j=0;j<KYBER_K;j++) { - if(transposed) - xof_absorb(&state, seed, i, j); - else - xof_absorb(&state, seed, j, i); - - xof_squeezeblocks(buf, GEN_MATRIX_NBLOCKS, &state); - buflen = GEN_MATRIX_NBLOCKS*XOF_BLOCKBYTES; - ctr = rej_uniform(a[i].vec[j].coeffs, KYBER_N, buf, buflen); - - while(ctr < KYBER_N) { - off = buflen % 3; - for(k = 0; k < off; k++) - buf[k] = buf[buflen - off + k]; - xof_squeezeblocks(buf + off, 1, &state); - buflen = off + XOF_BLOCKBYTES; - ctr += rej_uniform(a[i].vec[j].coeffs + ctr, KYBER_N - ctr, buf, buflen); - } - } - } - xof_release(&state); -} - -/************************************************* -* Name: indcpa_keypair -* -* Description: Generates public and private key for the CPA-secure -* public-key encryption scheme underlying Kyber -* -* Arguments: - uint8_t *pk: pointer to output public key -* (of length KYBER_INDCPA_PUBLICKEYBYTES bytes) -* - uint8_t *sk: pointer to output private key - (of length KYBER_INDCPA_SECRETKEYBYTES bytes) -**************************************************/ -void indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], - uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]) -{ - unsigned int i; - uint8_t buf[2*KYBER_SYMBYTES]; - const uint8_t *publicseed = buf; - const uint8_t *noiseseed = buf+KYBER_SYMBYTES; - uint8_t nonce = 0; - polyvec a[KYBER_K], e, pkpv, skpv; - - randombytes(buf, KYBER_SYMBYTES); - hash_g(buf, buf, KYBER_SYMBYTES); - - gen_a(a, publicseed); - - for(i=0;i<KYBER_K;i++) - poly_getnoise_eta1(&skpv.vec[i], noiseseed, nonce++); - for(i=0;i<KYBER_K;i++) - poly_getnoise_eta1(&e.vec[i], noiseseed, nonce++); - - polyvec_ntt(&skpv); - polyvec_ntt(&e); - - // matrix-vector multiplication - for(i=0;i<KYBER_K;i++) { - polyvec_basemul_acc_montgomery(&pkpv.vec[i], &a[i], &skpv); - poly_tomont(&pkpv.vec[i]); - } - - polyvec_add(&pkpv, &pkpv, &e); - polyvec_reduce(&pkpv); - - pack_sk(sk, &skpv); - pack_pk(pk, &pkpv, publicseed); -} - -/************************************************* -* Name: indcpa_enc -* -* Description: Encryption function of the CPA-secure -* public-key encryption scheme underlying Kyber. -* -* Arguments: - uint8_t *c: pointer to output ciphertext -* (of length KYBER_INDCPA_BYTES bytes) -* - const uint8_t *m: pointer to input message -* (of length KYBER_INDCPA_MSGBYTES bytes) -* - const uint8_t *pk: pointer to input public key -* (of length KYBER_INDCPA_PUBLICKEYBYTES) -* - const uint8_t *coins: pointer to input random coins used as seed -* (of length KYBER_SYMBYTES) to deterministically -* generate all randomness -**************************************************/ -void indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], - const uint8_t m[KYBER_INDCPA_MSGBYTES], - const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], - const uint8_t coins[KYBER_SYMBYTES]) -{ - unsigned int i; - uint8_t seed[KYBER_SYMBYTES]; - uint8_t nonce = 0; - polyvec sp, pkpv, ep, at[KYBER_K], b; - poly v, k, epp; - - unpack_pk(&pkpv, seed, pk); - poly_frommsg(&k, m); - gen_at(at, seed); - - for(i=0;i<KYBER_K;i++) - poly_getnoise_eta1(sp.vec+i, coins, nonce++); - for(i=0;i<KYBER_K;i++) - poly_getnoise_eta2(ep.vec+i, coins, nonce++); - poly_getnoise_eta2(&epp, coins, nonce++); - - polyvec_ntt(&sp); - - // matrix-vector multiplication - for(i=0;i<KYBER_K;i++) - polyvec_basemul_acc_montgomery(&b.vec[i], &at[i], &sp); - - polyvec_basemul_acc_montgomery(&v, &pkpv, &sp); - - polyvec_invntt_tomont(&b); - poly_invntt_tomont(&v); - - polyvec_add(&b, &b, &ep); - poly_add(&v, &v, &epp); - poly_add(&v, &v, &k); - polyvec_reduce(&b); - poly_reduce(&v); - - pack_ciphertext(c, &b, &v); -} - -/************************************************* -* Name: indcpa_dec -* -* Description: Decryption function of the CPA-secure -* public-key encryption scheme underlying Kyber. -* -* Arguments: - uint8_t *m: pointer to output decrypted message -* (of length KYBER_INDCPA_MSGBYTES) -* - const uint8_t *c: pointer to input ciphertext -* (of length KYBER_INDCPA_BYTES) -* - const uint8_t *sk: pointer to input secret key -* (of length KYBER_INDCPA_SECRETKEYBYTES) -**************************************************/ -void indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES], - const uint8_t c[KYBER_INDCPA_BYTES], - const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]) -{ - polyvec b, skpv; - poly v, mp; - - unpack_ciphertext(&b, &v, c); - unpack_sk(&skpv, sk); - - polyvec_ntt(&b); - polyvec_basemul_acc_montgomery(&mp, &skpv, &b); - poly_invntt_tomont(&mp); - - poly_sub(&mp, &v, &mp); - poly_reduce(&mp); - - poly_tomsg(m, &mp); -} diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/indcpa.h b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/indcpa.h deleted file mode 100644 index 57bd5ead3..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/indcpa.h +++ /dev/null @@ -1,25 +0,0 @@ -#ifndef INDCPA_H -#define INDCPA_H - -#include <stdint.h> -#include "params.h" -#include "polyvec.h" - -#define gen_matrix KYBER_NAMESPACE(gen_matrix) -void gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed); -#define indcpa_keypair KYBER_NAMESPACE(indcpa_keypair) -void indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], - uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); - -#define indcpa_enc KYBER_NAMESPACE(indcpa_enc) -void indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], - const uint8_t m[KYBER_INDCPA_MSGBYTES], - const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], - const uint8_t coins[KYBER_SYMBYTES]); - -#define indcpa_dec KYBER_NAMESPACE(indcpa_dec) -void indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES], - const uint8_t c[KYBER_INDCPA_BYTES], - const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); - -#endif diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/kem.c b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/kem.c deleted file mode 100644 index f376bd236..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/kem.c +++ /dev/null @@ -1,127 +0,0 @@ -#include <stddef.h> -#include <stdint.h> -#include "params.h" -#include "kem.h" -#include "indcpa.h" -#include "verify.h" -#include "symmetric.h" -#include "randombytes.h" - -/************************************************* -* Name: crypto_kem_keypair -* -* Description: Generates public and private key -* for CCA-secure Kyber key encapsulation mechanism -* -* Arguments: - uint8_t *pk: pointer to output public key -* (an already allocated array of KYBER_PUBLICKEYBYTES bytes) -* - uint8_t *sk: pointer to output private key -* (an already allocated array of KYBER_SECRETKEYBYTES bytes) -* -* Returns 0 (success) -**************************************************/ -int crypto_kem_keypair(uint8_t *pk, - uint8_t *sk) -{ - size_t i; - indcpa_keypair(pk, sk); - for(i=0;i<KYBER_INDCPA_PUBLICKEYBYTES;i++) - sk[i+KYBER_INDCPA_SECRETKEYBYTES] = pk[i]; - hash_h(sk+KYBER_SECRETKEYBYTES-2*KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES); - /* Value z for pseudo-random output on reject */ - randombytes(sk+KYBER_SECRETKEYBYTES-KYBER_SYMBYTES, KYBER_SYMBYTES); - return 0; -} - -/************************************************* -* Name: crypto_kem_enc -* -* Description: Generates cipher text and shared -* secret for given public key -* -* Arguments: - uint8_t *ct: pointer to output cipher text -* (an already allocated array of KYBER_CIPHERTEXTBYTES bytes) -* - uint8_t *ss: pointer to output shared secret -* (an already allocated array of KYBER_SSBYTES bytes) -* - const uint8_t *pk: pointer to input public key -* (an already allocated array of KYBER_PUBLICKEYBYTES bytes) -* -* Returns 0 (success) -**************************************************/ -int crypto_kem_enc(uint8_t *ct, - uint8_t *ss, - const uint8_t *pk) -{ - uint8_t buf[2*KYBER_SYMBYTES]; - /* Will contain key, coins */ - uint8_t kr[2*KYBER_SYMBYTES]; - - randombytes(buf, KYBER_SYMBYTES); - /* Don't release system RNG output */ - hash_h(buf, buf, KYBER_SYMBYTES); - - /* Multitarget countermeasure for coins + contributory KEM */ - hash_h(buf+KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES); - hash_g(kr, buf, 2*KYBER_SYMBYTES); - - /* coins are in kr+KYBER_SYMBYTES */ - indcpa_enc(ct, buf, pk, kr+KYBER_SYMBYTES); - - /* overwrite coins in kr with H(c) */ - hash_h(kr+KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); - /* hash concatenation of pre-k and H(c) to k */ - kdf(ss, kr, 2*KYBER_SYMBYTES); - return 0; -} - -/************************************************* -* Name: crypto_kem_dec -* -* Description: Generates shared secret for given -* cipher text and private key -* -* Arguments: - uint8_t *ss: pointer to output shared secret -* (an already allocated array of KYBER_SSBYTES bytes) -* - const uint8_t *ct: pointer to input cipher text -* (an already allocated array of KYBER_CIPHERTEXTBYTES bytes) -* - const uint8_t *sk: pointer to input private key -* (an already allocated array of KYBER_SECRETKEYBYTES bytes) -* -* Returns 0. -* -* On failure, ss will contain a pseudo-random value. -**************************************************/ -int crypto_kem_dec(uint8_t *ss, - const uint8_t *ct, - const uint8_t *sk) -{ - size_t i; - int fail; - uint8_t buf[2*KYBER_SYMBYTES]; - /* Will contain key, coins */ - uint8_t kr[2*KYBER_SYMBYTES]; - uint8_t cmp[KYBER_CIPHERTEXTBYTES]; - const uint8_t *pk = sk+KYBER_INDCPA_SECRETKEYBYTES; - - indcpa_dec(buf, ct, sk); - - /* Multitarget countermeasure for coins + contributory KEM */ - for(i=0;i<KYBER_SYMBYTES;i++) - buf[KYBER_SYMBYTES+i] = sk[KYBER_SECRETKEYBYTES-2*KYBER_SYMBYTES+i]; - hash_g(kr, buf, 2*KYBER_SYMBYTES); - - /* coins are in kr+KYBER_SYMBYTES */ - indcpa_enc(cmp, buf, pk, kr+KYBER_SYMBYTES); - - fail = verify(ct, cmp, KYBER_CIPHERTEXTBYTES); - - /* overwrite coins in kr with H(c) */ - hash_h(kr+KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); - - /* Overwrite pre-k with z on re-encryption failure */ - cmov(kr, sk+KYBER_SECRETKEYBYTES-KYBER_SYMBYTES, KYBER_SYMBYTES, fail); - - /* hash concatenation of pre-k and H(c) to k */ - kdf(ss, kr, 2*KYBER_SYMBYTES); - return 0; -} diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/kem.h b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/kem.h deleted file mode 100644 index 3f3eff697..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/kem.h +++ /dev/null @@ -1,41 +0,0 @@ -#ifndef KEM_H -#define KEM_H - -#include <stdint.h> -#include "params.h" - -#define CRYPTO_SECRETKEYBYTES KYBER_SECRETKEYBYTES -#define CRYPTO_PUBLICKEYBYTES KYBER_PUBLICKEYBYTES -#define CRYPTO_CIPHERTEXTBYTES KYBER_CIPHERTEXTBYTES -#define CRYPTO_BYTES KYBER_SSBYTES - -#if (KYBER_K == 2) -#ifdef KYBER_90S -#define CRYPTO_ALGNAME "Kyber512-90s" -#else -#define CRYPTO_ALGNAME "Kyber512" -#endif -#elif (KYBER_K == 3) -#ifdef KYBER_90S -#define CRYPTO_ALGNAME "Kyber768-90s" -#else -#define CRYPTO_ALGNAME "Kyber768" -#endif -#elif (KYBER_K == 4) -#ifdef KYBER_90S -#define CRYPTO_ALGNAME "Kyber1024-90s" -#else -#define CRYPTO_ALGNAME "Kyber1024" -#endif -#endif - -#define crypto_kem_keypair KYBER_NAMESPACE(keypair) -int crypto_kem_keypair(uint8_t *pk, uint8_t *sk); - -#define crypto_kem_enc KYBER_NAMESPACE(enc) -int crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); - -#define crypto_kem_dec KYBER_NAMESPACE(dec) -int crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - -#endif diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/manifest.mn b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/manifest.mn deleted file mode 100644 index 5e26028be..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/manifest.mn +++ /dev/null @@ -1,31 +0,0 @@ -# DO NOT EDIT: generated from manifest.mn.subdirs.template -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. -CORE_DEPTH = ../../../../../.. - -MODULE = oqs - -LIBRARY_NAME = oqs_src_kem_kyber_pqcrystals-kyber_kyber768_ref -SHARED_LIBRARY = $(NULL) - -CSRCS = \ - cbd.c \ - indcpa.c \ - kem.c \ - ntt.c \ - poly.c \ - polyvec.c \ - reduce.c \ - symmetric-shake.c \ - verify.c \ - $(NULL) - -# only add module debugging in opt builds if DEBUG_PKCS11 is set -ifdef DEBUG_PKCS11 - DEFINES += -DDEBUG_MODULE -endif - -# This part of the code, including all sub-dirs, can be optimized for size -export ALLOW_OPT_CODE_SIZE = 1 diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/ntt.c b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/ntt.c deleted file mode 100644 index 2f2eb10b2..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/ntt.c +++ /dev/null @@ -1,146 +0,0 @@ -#include <stdint.h> -#include "params.h" -#include "ntt.h" -#include "reduce.h" - -/* Code to generate zetas and zetas_inv used in the number-theoretic transform: - -#define KYBER_ROOT_OF_UNITY 17 - -static const uint8_t tree[128] = { - 0, 64, 32, 96, 16, 80, 48, 112, 8, 72, 40, 104, 24, 88, 56, 120, - 4, 68, 36, 100, 20, 84, 52, 116, 12, 76, 44, 108, 28, 92, 60, 124, - 2, 66, 34, 98, 18, 82, 50, 114, 10, 74, 42, 106, 26, 90, 58, 122, - 6, 70, 38, 102, 22, 86, 54, 118, 14, 78, 46, 110, 30, 94, 62, 126, - 1, 65, 33, 97, 17, 81, 49, 113, 9, 73, 41, 105, 25, 89, 57, 121, - 5, 69, 37, 101, 21, 85, 53, 117, 13, 77, 45, 109, 29, 93, 61, 125, - 3, 67, 35, 99, 19, 83, 51, 115, 11, 75, 43, 107, 27, 91, 59, 123, - 7, 71, 39, 103, 23, 87, 55, 119, 15, 79, 47, 111, 31, 95, 63, 127 -}; - -void init_ntt() { - unsigned int i; - int16_t tmp[128]; - - tmp[0] = MONT; - for(i=1;i<128;i++) - tmp[i] = fqmul(tmp[i-1],MONT*KYBER_ROOT_OF_UNITY % KYBER_Q); - - for(i=0;i<128;i++) { - zetas[i] = tmp[tree[i]]; - if(zetas[i] > KYBER_Q/2) - zetas[i] -= KYBER_Q; - if(zetas[i] < -KYBER_Q/2) - zetas[i] += KYBER_Q; - } -} -*/ - -const int16_t zetas[128] = { - -1044, -758, -359, -1517, 1493, 1422, 287, 202, - -171, 622, 1577, 182, 962, -1202, -1474, 1468, - 573, -1325, 264, 383, -829, 1458, -1602, -130, - -681, 1017, 732, 608, -1542, 411, -205, -1571, - 1223, 652, -552, 1015, -1293, 1491, -282, -1544, - 516, -8, -320, -666, -1618, -1162, 126, 1469, - -853, -90, -271, 830, 107, -1421, -247, -951, - -398, 961, -1508, -725, 448, -1065, 677, -1275, - -1103, 430, 555, 843, -1251, 871, 1550, 105, - 422, 587, 177, -235, -291, -460, 1574, 1653, - -246, 778, 1159, -147, -777, 1483, -602, 1119, - -1590, 644, -872, 349, 418, 329, -156, -75, - 817, 1097, 603, 610, 1322, -1285, -1465, 384, - -1215, -136, 1218, -1335, -874, 220, -1187, -1659, - -1185, -1530, -1278, 794, -1510, -854, -870, 478, - -108, -308, 996, 991, 958, -1460, 1522, 1628 -}; - -/************************************************* -* Name: fqmul -* -* Description: Multiplication followed by Montgomery reduction -* -* Arguments: - int16_t a: first factor -* - int16_t b: second factor -* -* Returns 16-bit integer congruent to a*b*R^{-1} mod q -**************************************************/ -static int16_t fqmul(int16_t a, int16_t b) { - return montgomery_reduce((int32_t)a*b); -} - -/************************************************* -* Name: ntt -* -* Description: Inplace number-theoretic transform (NTT) in Rq. -* input is in standard order, output is in bitreversed order -* -* Arguments: - int16_t r[256]: pointer to input/output vector of elements of Zq -**************************************************/ -void ntt(int16_t r[256]) { - unsigned int len, start, j, k; - int16_t t, zeta; - - k = 1; - for(len = 128; len >= 2; len >>= 1) { - for(start = 0; start < 256; start = j + len) { - zeta = zetas[k++]; - for(j = start; j < start + len; j++) { - t = fqmul(zeta, r[j + len]); - r[j + len] = r[j] - t; - r[j] = r[j] + t; - } - } - } -} - -/************************************************* -* Name: invntt_tomont -* -* Description: Inplace inverse number-theoretic transform in Rq and -* multiplication by Montgomery factor 2^16. -* Input is in bitreversed order, output is in standard order -* -* Arguments: - int16_t r[256]: pointer to input/output vector of elements of Zq -**************************************************/ -void invntt(int16_t r[256]) { - unsigned int start, len, j, k; - int16_t t, zeta; - const int16_t f = 1441; // mont^2/128 - - k = 127; - for(len = 2; len <= 128; len <<= 1) { - for(start = 0; start < 256; start = j + len) { - zeta = zetas[k--]; - for(j = start; j < start + len; j++) { - t = r[j]; - r[j] = barrett_reduce(t + r[j + len]); - r[j + len] = r[j + len] - t; - r[j + len] = fqmul(zeta, r[j + len]); - } - } - } - - for(j = 0; j < 256; j++) - r[j] = fqmul(r[j], f); -} - -/************************************************* -* Name: basemul -* -* Description: Multiplication of polynomials in Zq[X]/(X^2-zeta) -* used for multiplication of elements in Rq in NTT domain -* -* Arguments: - int16_t r[2]: pointer to the output polynomial -* - const int16_t a[2]: pointer to the first factor -* - const int16_t b[2]: pointer to the second factor -* - int16_t zeta: integer defining the reduction polynomial -**************************************************/ -void basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], int16_t zeta) -{ - r[0] = fqmul(a[1], b[1]); - r[0] = fqmul(r[0], zeta); - r[0] += fqmul(a[0], b[0]); - r[1] = fqmul(a[0], b[1]); - r[1] += fqmul(a[1], b[0]); -} diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/ntt.h b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/ntt.h deleted file mode 100644 index 227ea74f0..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/ntt.h +++ /dev/null @@ -1,19 +0,0 @@ -#ifndef NTT_H -#define NTT_H - -#include <stdint.h> -#include "params.h" - -#define zetas KYBER_NAMESPACE(zetas) -extern const int16_t zetas[128]; - -#define ntt KYBER_NAMESPACE(ntt) -void ntt(int16_t poly[256]); - -#define invntt KYBER_NAMESPACE(invntt) -void invntt(int16_t poly[256]); - -#define basemul KYBER_NAMESPACE(basemul) -void basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], int16_t zeta); - -#endif diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/params.h b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/params.h deleted file mode 100644 index 3d02a0f9e..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/params.h +++ /dev/null @@ -1,68 +0,0 @@ -#ifndef PARAMS_H -#define PARAMS_H - -#ifndef KYBER_K -#define KYBER_K 3 /* Change this for different security strengths */ -#endif - -//#define KYBER_90S /* Uncomment this if you want the 90S variant */ - -/* Don't change parameters below this line */ -#if (KYBER_K == 2) -#ifdef KYBER_90S -#define KYBER_NAMESPACE(s) pqcrystals_kyber512_90s_ref_##s -#else -#define KYBER_NAMESPACE(s) pqcrystals_kyber512_ref_##s -#endif -#elif (KYBER_K == 3) -#ifdef KYBER_90S -#define KYBER_NAMESPACE(s) pqcrystals_kyber768_90s_ref_##s -#else -#define KYBER_NAMESPACE(s) pqcrystals_kyber768_ref_##s -#endif -#elif (KYBER_K == 4) -#ifdef KYBER_90S -#define KYBER_NAMESPACE(s) pqcrystals_kyber1024_90s_ref_##s -#else -#define KYBER_NAMESPACE(s) pqcrystals_kyber1024_ref_##s -#endif -#else -#error "KYBER_K must be in {2,3,4}" -#endif - -#define KYBER_N 256 -#define KYBER_Q 3329 - -#define KYBER_SYMBYTES 32 /* size in bytes of hashes, and seeds */ -#define KYBER_SSBYTES 32 /* size in bytes of shared key */ - -#define KYBER_POLYBYTES 384 -#define KYBER_POLYVECBYTES (KYBER_K * KYBER_POLYBYTES) - -#if KYBER_K == 2 -#define KYBER_ETA1 3 -#define KYBER_POLYCOMPRESSEDBYTES 128 -#define KYBER_POLYVECCOMPRESSEDBYTES (KYBER_K * 320) -#elif KYBER_K == 3 -#define KYBER_ETA1 2 -#define KYBER_POLYCOMPRESSEDBYTES 128 -#define KYBER_POLYVECCOMPRESSEDBYTES (KYBER_K * 320) -#elif KYBER_K == 4 -#define KYBER_ETA1 2 -#define KYBER_POLYCOMPRESSEDBYTES 160 -#define KYBER_POLYVECCOMPRESSEDBYTES (KYBER_K * 352) -#endif - -#define KYBER_ETA2 2 - -#define KYBER_INDCPA_MSGBYTES (KYBER_SYMBYTES) -#define KYBER_INDCPA_PUBLICKEYBYTES (KYBER_POLYVECBYTES + KYBER_SYMBYTES) -#define KYBER_INDCPA_SECRETKEYBYTES (KYBER_POLYVECBYTES) -#define KYBER_INDCPA_BYTES (KYBER_POLYVECCOMPRESSEDBYTES + KYBER_POLYCOMPRESSEDBYTES) - -#define KYBER_PUBLICKEYBYTES (KYBER_INDCPA_PUBLICKEYBYTES) -/* 32 bytes of additional space to save H(pk) */ -#define KYBER_SECRETKEYBYTES (KYBER_INDCPA_SECRETKEYBYTES + KYBER_INDCPA_PUBLICKEYBYTES + 2*KYBER_SYMBYTES) -#define KYBER_CIPHERTEXTBYTES (KYBER_INDCPA_BYTES) - -#endif diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/poly.c b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/poly.c deleted file mode 100644 index 9556ee517..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/poly.c +++ /dev/null @@ -1,343 +0,0 @@ -#include <stdint.h> -#include "params.h" -#include "poly.h" -#include "ntt.h" -#include "reduce.h" -#include "cbd.h" -#include "symmetric.h" - -/************************************************* -* Name: poly_compress -* -* Description: Compression and subsequent serialization of a polynomial -* -* Arguments: - uint8_t *r: pointer to output byte array -* (of length KYBER_POLYCOMPRESSEDBYTES) -* - const poly *a: pointer to input polynomial -**************************************************/ -void poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], const poly *a) -{ - unsigned int i,j; - int16_t u; - uint8_t t[8]; - -#if (KYBER_POLYCOMPRESSEDBYTES == 128) - for(i=0;i<KYBER_N/8;i++) { - for(j=0;j<8;j++) { - // map to positive standard representatives - u = a->coeffs[8*i+j]; - u += (u >> 15) & KYBER_Q; - t[j] = ((((uint16_t)u << 4) + KYBER_Q/2)/KYBER_Q) & 15; - } - - r[0] = t[0] | (t[1] << 4); - r[1] = t[2] | (t[3] << 4); - r[2] = t[4] | (t[5] << 4); - r[3] = t[6] | (t[7] << 4); - r += 4; - } -#elif (KYBER_POLYCOMPRESSEDBYTES == 160) - for(i=0;i<KYBER_N/8;i++) { - for(j=0;j<8;j++) { - // map to positive standard representatives - u = a->coeffs[8*i+j]; - u += (u >> 15) & KYBER_Q; - t[j] = ((((uint32_t)u << 5) + KYBER_Q/2)/KYBER_Q) & 31; - } - - r[0] = (t[0] >> 0) | (t[1] << 5); - r[1] = (t[1] >> 3) | (t[2] << 2) | (t[3] << 7); - r[2] = (t[3] >> 1) | (t[4] << 4); - r[3] = (t[4] >> 4) | (t[5] << 1) | (t[6] << 6); - r[4] = (t[6] >> 2) | (t[7] << 3); - r += 5; - } -#else -#error "KYBER_POLYCOMPRESSEDBYTES needs to be in {128, 160}" -#endif -} - -/************************************************* -* Name: poly_decompress -* -* Description: De-serialization and subsequent decompression of a polynomial; -* approximate inverse of poly_compress -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *a: pointer to input byte array -* (of length KYBER_POLYCOMPRESSEDBYTES bytes) -**************************************************/ -void poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]) -{ - unsigned int i; - -#if (KYBER_POLYCOMPRESSEDBYTES == 128) - for(i=0;i<KYBER_N/2;i++) { - r->coeffs[2*i+0] = (((uint16_t)(a[0] & 15)*KYBER_Q) + 8) >> 4; - r->coeffs[2*i+1] = (((uint16_t)(a[0] >> 4)*KYBER_Q) + 8) >> 4; - a += 1; - } -#elif (KYBER_POLYCOMPRESSEDBYTES == 160) - unsigned int j; - uint8_t t[8]; - for(i=0;i<KYBER_N/8;i++) { - t[0] = (a[0] >> 0); - t[1] = (a[0] >> 5) | (a[1] << 3); - t[2] = (a[1] >> 2); - t[3] = (a[1] >> 7) | (a[2] << 1); - t[4] = (a[2] >> 4) | (a[3] << 4); - t[5] = (a[3] >> 1); - t[6] = (a[3] >> 6) | (a[4] << 2); - t[7] = (a[4] >> 3); - a += 5; - - for(j=0;j<8;j++) - r->coeffs[8*i+j] = ((uint32_t)(t[j] & 31)*KYBER_Q + 16) >> 5; - } -#else -#error "KYBER_POLYCOMPRESSEDBYTES needs to be in {128, 160}" -#endif -} - -/************************************************* -* Name: poly_tobytes -* -* Description: Serialization of a polynomial -* -* Arguments: - uint8_t *r: pointer to output byte array -* (needs space for KYBER_POLYBYTES bytes) -* - const poly *a: pointer to input polynomial -**************************************************/ -void poly_tobytes(uint8_t r[KYBER_POLYBYTES], const poly *a) -{ - unsigned int i; - uint16_t t0, t1; - - for(i=0;i<KYBER_N/2;i++) { - // map to positive standard representatives - t0 = a->coeffs[2*i]; - t0 += ((int16_t)t0 >> 15) & KYBER_Q; - t1 = a->coeffs[2*i+1]; - t1 += ((int16_t)t1 >> 15) & KYBER_Q; - r[3*i+0] = (t0 >> 0); - r[3*i+1] = (t0 >> 8) | (t1 << 4); - r[3*i+2] = (t1 >> 4); - } -} - -/************************************************* -* Name: poly_frombytes -* -* Description: De-serialization of a polynomial; -* inverse of poly_tobytes -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *a: pointer to input byte array -* (of KYBER_POLYBYTES bytes) -**************************************************/ -void poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]) -{ - unsigned int i; - for(i=0;i<KYBER_N/2;i++) { - r->coeffs[2*i] = ((a[3*i+0] >> 0) | ((uint16_t)a[3*i+1] << 8)) & 0xFFF; - r->coeffs[2*i+1] = ((a[3*i+1] >> 4) | ((uint16_t)a[3*i+2] << 4)) & 0xFFF; - } -} - -/************************************************* -* Name: poly_frommsg -* -* Description: Convert 32-byte message to polynomial -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *msg: pointer to input message -**************************************************/ -void poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]) -{ - unsigned int i,j; - int16_t mask; - -#if (KYBER_INDCPA_MSGBYTES != KYBER_N/8) -#error "KYBER_INDCPA_MSGBYTES must be equal to KYBER_N/8 bytes!" -#endif - - for(i=0;i<KYBER_N/8;i++) { - for(j=0;j<8;j++) { - mask = -(int16_t)((msg[i] >> j)&1); - r->coeffs[8*i+j] = mask & ((KYBER_Q+1)/2); - } - } -} - -/************************************************* -* Name: poly_tomsg -* -* Description: Convert polynomial to 32-byte message -* -* Arguments: - uint8_t *msg: pointer to output message -* - const poly *a: pointer to input polynomial -**************************************************/ -void poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], const poly *a) -{ - unsigned int i,j; - uint16_t t; - - for(i=0;i<KYBER_N/8;i++) { - msg[i] = 0; - for(j=0;j<8;j++) { - t = a->coeffs[8*i+j]; - t += ((int16_t)t >> 15) & KYBER_Q; - t = (((t << 1) + KYBER_Q/2)/KYBER_Q) & 1; - msg[i] |= t << j; - } - } -} - -/************************************************* -* Name: poly_getnoise_eta1 -* -* Description: Sample a polynomial deterministically from a seed and a nonce, -* with output polynomial close to centered binomial distribution -* with parameter KYBER_ETA1 -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *seed: pointer to input seed -* (of length KYBER_SYMBYTES bytes) -* - uint8_t nonce: one-byte input nonce -**************************************************/ -void poly_getnoise_eta1(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce) -{ - uint8_t buf[KYBER_ETA1*KYBER_N/4]; - prf(buf, sizeof(buf), seed, nonce); - poly_cbd_eta1(r, buf); -} - -/************************************************* -* Name: poly_getnoise_eta2 -* -* Description: Sample a polynomial deterministically from a seed and a nonce, -* with output polynomial close to centered binomial distribution -* with parameter KYBER_ETA2 -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *seed: pointer to input seed -* (of length KYBER_SYMBYTES bytes) -* - uint8_t nonce: one-byte input nonce -**************************************************/ -void poly_getnoise_eta2(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce) -{ - uint8_t buf[KYBER_ETA2*KYBER_N/4]; - prf(buf, sizeof(buf), seed, nonce); - poly_cbd_eta2(r, buf); -} - - -/************************************************* -* Name: poly_ntt -* -* Description: Computes negacyclic number-theoretic transform (NTT) of -* a polynomial in place; -* inputs assumed to be in normal order, output in bitreversed order -* -* Arguments: - uint16_t *r: pointer to in/output polynomial -**************************************************/ -void poly_ntt(poly *r) -{ - ntt(r->coeffs); - poly_reduce(r); -} - -/************************************************* -* Name: poly_invntt_tomont -* -* Description: Computes inverse of negacyclic number-theoretic transform (NTT) -* of a polynomial in place; -* inputs assumed to be in bitreversed order, output in normal order -* -* Arguments: - uint16_t *a: pointer to in/output polynomial -**************************************************/ -void poly_invntt_tomont(poly *r) -{ - invntt(r->coeffs); -} - -/************************************************* -* Name: poly_basemul_montgomery -* -* Description: Multiplication of two polynomials in NTT domain -* -* Arguments: - poly *r: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void poly_basemul_montgomery(poly *r, const poly *a, const poly *b) -{ - unsigned int i; - for(i=0;i<KYBER_N/4;i++) { - basemul(&r->coeffs[4*i], &a->coeffs[4*i], &b->coeffs[4*i], zetas[64+i]); - basemul(&r->coeffs[4*i+2], &a->coeffs[4*i+2], &b->coeffs[4*i+2], -zetas[64+i]); - } -} - -/************************************************* -* Name: poly_tomont -* -* Description: Inplace conversion of all coefficients of a polynomial -* from normal domain to Montgomery domain -* -* Arguments: - poly *r: pointer to input/output polynomial -**************************************************/ -void poly_tomont(poly *r) -{ - unsigned int i; - const int16_t f = (1ULL << 32) % KYBER_Q; - for(i=0;i<KYBER_N;i++) - r->coeffs[i] = montgomery_reduce((int32_t)r->coeffs[i]*f); -} - -/************************************************* -* Name: poly_reduce -* -* Description: Applies Barrett reduction to all coefficients of a polynomial -* for details of the Barrett reduction see comments in reduce.c -* -* Arguments: - poly *r: pointer to input/output polynomial -**************************************************/ -void poly_reduce(poly *r) -{ - unsigned int i; - for(i=0;i<KYBER_N;i++) - r->coeffs[i] = barrett_reduce(r->coeffs[i]); -} - -/************************************************* -* Name: poly_add -* -* Description: Add two polynomials; no modular reduction is performed -* -* Arguments: - poly *r: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void poly_add(poly *r, const poly *a, const poly *b) -{ - unsigned int i; - for(i=0;i<KYBER_N;i++) - r->coeffs[i] = a->coeffs[i] + b->coeffs[i]; -} - -/************************************************* -* Name: poly_sub -* -* Description: Subtract two polynomials; no modular reduction is performed -* -* Arguments: - poly *r: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void poly_sub(poly *r, const poly *a, const poly *b) -{ - unsigned int i; - for(i=0;i<KYBER_N;i++) - r->coeffs[i] = a->coeffs[i] - b->coeffs[i]; -} diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/poly.h b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/poly.h deleted file mode 100644 index 9a99c7cda..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/poly.h +++ /dev/null @@ -1,53 +0,0 @@ -#ifndef POLY_H -#define POLY_H - -#include <stdint.h> -#include "params.h" - -/* - * Elements of R_q = Z_q[X]/(X^n + 1). Represents polynomial - * coeffs[0] + X*coeffs[1] + X^2*coeffs[2] + ... + X^{n-1}*coeffs[n-1] - */ -typedef struct{ - int16_t coeffs[KYBER_N]; -} poly; - -#define poly_compress KYBER_NAMESPACE(poly_compress) -void poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], const poly *a); -#define poly_decompress KYBER_NAMESPACE(poly_decompress) -void poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]); - -#define poly_tobytes KYBER_NAMESPACE(poly_tobytes) -void poly_tobytes(uint8_t r[KYBER_POLYBYTES], const poly *a); -#define poly_frombytes KYBER_NAMESPACE(poly_frombytes) -void poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]); - -#define poly_frommsg KYBER_NAMESPACE(poly_frommsg) -void poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]); -#define poly_tomsg KYBER_NAMESPACE(poly_tomsg) -void poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], const poly *r); - -#define poly_getnoise_eta1 KYBER_NAMESPACE(poly_getnoise_eta1) -void poly_getnoise_eta1(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce); - -#define poly_getnoise_eta2 KYBER_NAMESPACE(poly_getnoise_eta2) -void poly_getnoise_eta2(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce); - -#define poly_ntt KYBER_NAMESPACE(poly_ntt) -void poly_ntt(poly *r); -#define poly_invntt_tomont KYBER_NAMESPACE(poly_invntt_tomont) -void poly_invntt_tomont(poly *r); -#define poly_basemul_montgomery KYBER_NAMESPACE(poly_basemul_montgomery) -void poly_basemul_montgomery(poly *r, const poly *a, const poly *b); -#define poly_tomont KYBER_NAMESPACE(poly_tomont) -void poly_tomont(poly *r); - -#define poly_reduce KYBER_NAMESPACE(poly_reduce) -void poly_reduce(poly *r); - -#define poly_add KYBER_NAMESPACE(poly_add) -void poly_add(poly *r, const poly *a, const poly *b); -#define poly_sub KYBER_NAMESPACE(poly_sub) -void poly_sub(poly *r, const poly *a, const poly *b); - -#endif diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/polyvec.c b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/polyvec.c deleted file mode 100644 index 8420d069c..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/polyvec.c +++ /dev/null @@ -1,233 +0,0 @@ -#include <stdint.h> -#include "params.h" -#include "poly.h" -#include "polyvec.h" - -/************************************************* -* Name: polyvec_compress -* -* Description: Compress and serialize vector of polynomials -* -* Arguments: - uint8_t *r: pointer to output byte array -* (needs space for KYBER_POLYVECCOMPRESSEDBYTES) -* - const polyvec *a: pointer to input vector of polynomials -**************************************************/ -void polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], const polyvec *a) -{ - unsigned int i,j,k; - -#if (KYBER_POLYVECCOMPRESSEDBYTES == (KYBER_K * 352)) - uint16_t t[8]; - for(i=0;i<KYBER_K;i++) { - for(j=0;j<KYBER_N/8;j++) { - for(k=0;k<8;k++) { - t[k] = a->vec[i].coeffs[8*j+k]; - t[k] += ((int16_t)t[k] >> 15) & KYBER_Q; - t[k] = ((((uint32_t)t[k] << 11) + KYBER_Q/2)/KYBER_Q) & 0x7ff; - } - - r[ 0] = (t[0] >> 0); - r[ 1] = (t[0] >> 8) | (t[1] << 3); - r[ 2] = (t[1] >> 5) | (t[2] << 6); - r[ 3] = (t[2] >> 2); - r[ 4] = (t[2] >> 10) | (t[3] << 1); - r[ 5] = (t[3] >> 7) | (t[4] << 4); - r[ 6] = (t[4] >> 4) | (t[5] << 7); - r[ 7] = (t[5] >> 1); - r[ 8] = (t[5] >> 9) | (t[6] << 2); - r[ 9] = (t[6] >> 6) | (t[7] << 5); - r[10] = (t[7] >> 3); - r += 11; - } - } -#elif (KYBER_POLYVECCOMPRESSEDBYTES == (KYBER_K * 320)) - uint16_t t[4]; - for(i=0;i<KYBER_K;i++) { - for(j=0;j<KYBER_N/4;j++) { - for(k=0;k<4;k++) { - t[k] = a->vec[i].coeffs[4*j+k]; - t[k] += ((int16_t)t[k] >> 15) & KYBER_Q; - t[k] = ((((uint32_t)t[k] << 10) + KYBER_Q/2)/ KYBER_Q) & 0x3ff; - } - - r[0] = (t[0] >> 0); - r[1] = (t[0] >> 8) | (t[1] << 2); - r[2] = (t[1] >> 6) | (t[2] << 4); - r[3] = (t[2] >> 4) | (t[3] << 6); - r[4] = (t[3] >> 2); - r += 5; - } - } -#else -#error "KYBER_POLYVECCOMPRESSEDBYTES needs to be in {320*KYBER_K, 352*KYBER_K}" -#endif -} - -/************************************************* -* Name: polyvec_decompress -* -* Description: De-serialize and decompress vector of polynomials; -* approximate inverse of polyvec_compress -* -* Arguments: - polyvec *r: pointer to output vector of polynomials -* - const uint8_t *a: pointer to input byte array -* (of length KYBER_POLYVECCOMPRESSEDBYTES) -**************************************************/ -void polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]) -{ - unsigned int i,j,k; - -#if (KYBER_POLYVECCOMPRESSEDBYTES == (KYBER_K * 352)) - uint16_t t[8]; - for(i=0;i<KYBER_K;i++) { - for(j=0;j<KYBER_N/8;j++) { - t[0] = (a[0] >> 0) | ((uint16_t)a[ 1] << 8); - t[1] = (a[1] >> 3) | ((uint16_t)a[ 2] << 5); - t[2] = (a[2] >> 6) | ((uint16_t)a[ 3] << 2) | ((uint16_t)a[4] << 10); - t[3] = (a[4] >> 1) | ((uint16_t)a[ 5] << 7); - t[4] = (a[5] >> 4) | ((uint16_t)a[ 6] << 4); - t[5] = (a[6] >> 7) | ((uint16_t)a[ 7] << 1) | ((uint16_t)a[8] << 9); - t[6] = (a[8] >> 2) | ((uint16_t)a[ 9] << 6); - t[7] = (a[9] >> 5) | ((uint16_t)a[10] << 3); - a += 11; - - for(k=0;k<8;k++) - r->vec[i].coeffs[8*j+k] = ((uint32_t)(t[k] & 0x7FF)*KYBER_Q + 1024) >> 11; - } - } -#elif (KYBER_POLYVECCOMPRESSEDBYTES == (KYBER_K * 320)) - uint16_t t[4]; - for(i=0;i<KYBER_K;i++) { - for(j=0;j<KYBER_N/4;j++) { - t[0] = (a[0] >> 0) | ((uint16_t)a[1] << 8); - t[1] = (a[1] >> 2) | ((uint16_t)a[2] << 6); - t[2] = (a[2] >> 4) | ((uint16_t)a[3] << 4); - t[3] = (a[3] >> 6) | ((uint16_t)a[4] << 2); - a += 5; - - for(k=0;k<4;k++) - r->vec[i].coeffs[4*j+k] = ((uint32_t)(t[k] & 0x3FF)*KYBER_Q + 512) >> 10; - } - } -#else -#error "KYBER_POLYVECCOMPRESSEDBYTES needs to be in {320*KYBER_K, 352*KYBER_K}" -#endif -} - -/************************************************* -* Name: polyvec_tobytes -* -* Description: Serialize vector of polynomials -* -* Arguments: - uint8_t *r: pointer to output byte array -* (needs space for KYBER_POLYVECBYTES) -* - const polyvec *a: pointer to input vector of polynomials -**************************************************/ -void polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], const polyvec *a) -{ - unsigned int i; - for(i=0;i<KYBER_K;i++) - poly_tobytes(r+i*KYBER_POLYBYTES, &a->vec[i]); -} - -/************************************************* -* Name: polyvec_frombytes -* -* Description: De-serialize vector of polynomials; -* inverse of polyvec_tobytes -* -* Arguments: - uint8_t *r: pointer to output byte array -* - const polyvec *a: pointer to input vector of polynomials -* (of length KYBER_POLYVECBYTES) -**************************************************/ -void polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]) -{ - unsigned int i; - for(i=0;i<KYBER_K;i++) - poly_frombytes(&r->vec[i], a+i*KYBER_POLYBYTES); -} - -/************************************************* -* Name: polyvec_ntt -* -* Description: Apply forward NTT to all elements of a vector of polynomials -* -* Arguments: - polyvec *r: pointer to in/output vector of polynomials -**************************************************/ -void polyvec_ntt(polyvec *r) -{ - unsigned int i; - for(i=0;i<KYBER_K;i++) - poly_ntt(&r->vec[i]); -} - -/************************************************* -* Name: polyvec_invntt_tomont -* -* Description: Apply inverse NTT to all elements of a vector of polynomials -* and multiply by Montgomery factor 2^16 -* -* Arguments: - polyvec *r: pointer to in/output vector of polynomials -**************************************************/ -void polyvec_invntt_tomont(polyvec *r) -{ - unsigned int i; - for(i=0;i<KYBER_K;i++) - poly_invntt_tomont(&r->vec[i]); -} - -/************************************************* -* Name: polyvec_basemul_acc_montgomery -* -* Description: Multiply elements of a and b in NTT domain, accumulate into r, -* and multiply by 2^-16. -* -* Arguments: - poly *r: pointer to output polynomial -* - const polyvec *a: pointer to first input vector of polynomials -* - const polyvec *b: pointer to second input vector of polynomials -**************************************************/ -void polyvec_basemul_acc_montgomery(poly *r, const polyvec *a, const polyvec *b) -{ - unsigned int i; - poly t; - - poly_basemul_montgomery(r, &a->vec[0], &b->vec[0]); - for(i=1;i<KYBER_K;i++) { - poly_basemul_montgomery(&t, &a->vec[i], &b->vec[i]); - poly_add(r, r, &t); - } - - poly_reduce(r); -} - -/************************************************* -* Name: polyvec_reduce -* -* Description: Applies Barrett reduction to each coefficient -* of each element of a vector of polynomials; -* for details of the Barrett reduction see comments in reduce.c -* -* Arguments: - polyvec *r: pointer to input/output polynomial -**************************************************/ -void polyvec_reduce(polyvec *r) -{ - unsigned int i; - for(i=0;i<KYBER_K;i++) - poly_reduce(&r->vec[i]); -} - -/************************************************* -* Name: polyvec_add -* -* Description: Add vectors of polynomials -* -* Arguments: - polyvec *r: pointer to output vector of polynomials -* - const polyvec *a: pointer to first input vector of polynomials -* - const polyvec *b: pointer to second input vector of polynomials -**************************************************/ -void polyvec_add(polyvec *r, const polyvec *a, const polyvec *b) -{ - unsigned int i; - for(i=0;i<KYBER_K;i++) - poly_add(&r->vec[i], &a->vec[i], &b->vec[i]); -} diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/polyvec.h b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/polyvec.h deleted file mode 100644 index 57b605494..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/polyvec.h +++ /dev/null @@ -1,36 +0,0 @@ -#ifndef POLYVEC_H -#define POLYVEC_H - -#include <stdint.h> -#include "params.h" -#include "poly.h" - -typedef struct{ - poly vec[KYBER_K]; -} polyvec; - -#define polyvec_compress KYBER_NAMESPACE(polyvec_compress) -void polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], const polyvec *a); -#define polyvec_decompress KYBER_NAMESPACE(polyvec_decompress) -void polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]); - -#define polyvec_tobytes KYBER_NAMESPACE(polyvec_tobytes) -void polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], const polyvec *a); -#define polyvec_frombytes KYBER_NAMESPACE(polyvec_frombytes) -void polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]); - -#define polyvec_ntt KYBER_NAMESPACE(polyvec_ntt) -void polyvec_ntt(polyvec *r); -#define polyvec_invntt_tomont KYBER_NAMESPACE(polyvec_invntt_tomont) -void polyvec_invntt_tomont(polyvec *r); - -#define polyvec_basemul_acc_montgomery KYBER_NAMESPACE(polyvec_basemul_acc_montgomery) -void polyvec_basemul_acc_montgomery(poly *r, const polyvec *a, const polyvec *b); - -#define polyvec_reduce KYBER_NAMESPACE(polyvec_reduce) -void polyvec_reduce(polyvec *r); - -#define polyvec_add KYBER_NAMESPACE(polyvec_add) -void polyvec_add(polyvec *r, const polyvec *a, const polyvec *b); - -#endif diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/pqcrystals-kyber_kyber768_ref.gyp b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/pqcrystals-kyber_kyber768_ref.gyp deleted file mode 100644 index c6893d729..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/pqcrystals-kyber_kyber768_ref.gyp +++ /dev/null @@ -1,41 +0,0 @@ -# DO NOT EDIT: generated from subdir.gyp.template -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. -{ - 'includes': [ - '../../../../../../coreconf/config.gypi' - ], - 'targets': [ - { - 'target_name': 'oqs_src_kem_kyber_pqcrystals-kyber_kyber768_ref', - 'type': 'static_library', - 'sources': [ - 'cbd.c', - 'indcpa.c', - 'kem.c', - 'ntt.c', - 'poly.c', - 'polyvec.c', - 'reduce.c', - 'symmetric-shake.c', - 'verify.c', - ], - 'dependencies': [ - '<(DEPTH)/exports.gyp:nss_exports' - ] - } - ], - 'target_defaults': { - 'defines': [ - 'KYBER_K=3', - ], - 'include_dirs': [ - '<(DEPTH)/lib/liboqs/src/common/pqclean_shims', - '<(DEPTH)/lib/liboqs/src/common/sha3/xkcp_low/KeccakP-1600/plain-64bits', - ] - }, - 'variables': { - 'module': 'oqs' - } -} diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/reduce.c b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/reduce.c deleted file mode 100644 index 9d8e7edf8..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/reduce.c +++ /dev/null @@ -1,42 +0,0 @@ -#include <stdint.h> -#include "params.h" -#include "reduce.h" - -/************************************************* -* Name: montgomery_reduce -* -* Description: Montgomery reduction; given a 32-bit integer a, computes -* 16-bit integer congruent to a * R^-1 mod q, where R=2^16 -* -* Arguments: - int32_t a: input integer to be reduced; -* has to be in {-q2^15,...,q2^15-1} -* -* Returns: integer in {-q+1,...,q-1} congruent to a * R^-1 modulo q. -**************************************************/ -int16_t montgomery_reduce(int32_t a) -{ - int16_t t; - - t = (int16_t)a*QINV; - t = (a - (int32_t)t*KYBER_Q) >> 16; - return t; -} - -/************************************************* -* Name: barrett_reduce -* -* Description: Barrett reduction; given a 16-bit integer a, computes -* centered representative congruent to a mod q in {-(q-1)/2,...,(q-1)/2} -* -* Arguments: - int16_t a: input integer to be reduced -* -* Returns: integer in {-(q-1)/2,...,(q-1)/2} congruent to a modulo q. -**************************************************/ -int16_t barrett_reduce(int16_t a) { - int16_t t; - const int16_t v = ((1<<26) + KYBER_Q/2)/KYBER_Q; - - t = ((int32_t)v*a + (1<<25)) >> 26; - t *= KYBER_Q; - return a - t; -} diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/reduce.h b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/reduce.h deleted file mode 100644 index c1bc1e4c7..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/reduce.h +++ /dev/null @@ -1,16 +0,0 @@ -#ifndef REDUCE_H -#define REDUCE_H - -#include <stdint.h> -#include "params.h" - -#define MONT -1044 // 2^16 mod q -#define QINV -3327 // q^-1 mod 2^16 - -#define montgomery_reduce KYBER_NAMESPACE(montgomery_reduce) -int16_t montgomery_reduce(int32_t a); - -#define barrett_reduce KYBER_NAMESPACE(barrett_reduce) -int16_t barrett_reduce(int16_t a); - -#endif diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/symmetric-shake.c b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/symmetric-shake.c deleted file mode 100644 index 2317c0627..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/symmetric-shake.c +++ /dev/null @@ -1,51 +0,0 @@ -#include <stddef.h> -#include <stdint.h> -#include <string.h> -#include "params.h" -#include "symmetric.h" -#include "fips202.h" - -/************************************************* -* Name: kyber_shake128_absorb -* -* Description: Absorb step of the SHAKE128 specialized for the Kyber context. -* -* Arguments: - keccak_state *state: pointer to (uninitialized) output Keccak state -* - const uint8_t *seed: pointer to KYBER_SYMBYTES input to be absorbed into state -* - uint8_t i: additional byte of input -* - uint8_t j: additional byte of input -**************************************************/ -void kyber_shake128_absorb(shake128incctx *state, - const uint8_t seed[KYBER_SYMBYTES], - uint8_t x, - uint8_t y) -{ - uint8_t extseed[KYBER_SYMBYTES+2]; - - memcpy(extseed, seed, KYBER_SYMBYTES); - extseed[KYBER_SYMBYTES+0] = x; - extseed[KYBER_SYMBYTES+1] = y; - - shake128_absorb_once(state, extseed, sizeof(extseed)); -} - -/************************************************* -* Name: kyber_shake256_prf -* -* Description: Usage of SHAKE256 as a PRF, concatenates secret and public input -* and then generates outlen bytes of SHAKE256 output -* -* Arguments: - uint8_t *out: pointer to output -* - size_t outlen: number of requested output bytes -* - const uint8_t *key: pointer to the key (of length KYBER_SYMBYTES) -* - uint8_t nonce: single-byte nonce (public PRF input) -**************************************************/ -void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYMBYTES], uint8_t nonce) -{ - uint8_t extkey[KYBER_SYMBYTES+1]; - - memcpy(extkey, key, KYBER_SYMBYTES); - extkey[KYBER_SYMBYTES] = nonce; - - shake256(out, outlen, extkey, sizeof(extkey)); -} diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/symmetric.h b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/symmetric.h deleted file mode 100644 index 2f2fb6364..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/symmetric.h +++ /dev/null @@ -1,64 +0,0 @@ -#ifndef SYMMETRIC_H -#define SYMMETRIC_H - -#include <stddef.h> -#include <stdint.h> -#include "params.h" - -#ifdef KYBER_90S - -#include "aes256ctr.h" -#include "sha2.h" - -#if (KYBER_SSBYTES != 32) -#error "90s variant of Kyber can only generate keys of length 256 bits" -#endif - -typedef aes256ctr_ctx xof_state; - -#define kyber_aes256xof_absorb KYBER_NAMESPACE(kyber_aes256xof_absorb) -void kyber_aes256xof_absorb(aes256ctr_ctx *state, const uint8_t seed[32], uint8_t x, uint8_t y); - -#define kyber_aes256ctr_prf KYBER_NAMESPACE(kyber_aes256ctr_prf) -void kyber_aes256ctr_prf(uint8_t *out, size_t outlen, const uint8_t key[32], uint8_t nonce); - -#define XOF_BLOCKBYTES AES256CTR_BLOCKBYTES - -#define hash_h(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES) -#define hash_g(OUT, IN, INBYTES) sha512(OUT, IN, INBYTES) -#define xof_init(STATE, SEED) aes256ctr_init_key(STATE, SEED) -#define xof_absorb(STATE, SEED, X, Y) kyber_aes256xof_absorb(STATE, SEED, X, Y) -#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE) -#define xof_release(STATE) aes256_ctx_release(STATE) -#define prf(OUT, OUTBYTES, KEY, NONCE) kyber_aes256ctr_prf(OUT, OUTBYTES, KEY, NONCE) -#define kdf(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES) - -#else - -#include "fips202.h" - -typedef shake128incctx xof_state; - -#define kyber_shake128_absorb KYBER_NAMESPACE(kyber_shake128_absorb) -void kyber_shake128_absorb(shake128incctx *s, - const uint8_t seed[KYBER_SYMBYTES], - uint8_t x, - uint8_t y); - -#define kyber_shake256_prf KYBER_NAMESPACE(kyber_shake256_prf) -void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYMBYTES], uint8_t nonce); - -#define XOF_BLOCKBYTES SHAKE128_RATE - -#define hash_h(OUT, IN, INBYTES) sha3_256(OUT, IN, INBYTES) -#define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES) -#define xof_init(STATE, SEED) shake128_inc_init(STATE) -#define xof_absorb(STATE, SEED, X, Y) kyber_shake128_absorb(STATE, SEED, X, Y) -#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE) -#define xof_release(STATE) shake128_inc_ctx_release(STATE) -#define prf(OUT, OUTBYTES, KEY, NONCE) kyber_shake256_prf(OUT, OUTBYTES, KEY, NONCE) -#define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES) - -#endif /* KYBER_90S */ - -#endif /* SYMMETRIC_H */ diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/verify.c b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/verify.c deleted file mode 100644 index ed4a6541f..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/verify.c +++ /dev/null @@ -1,47 +0,0 @@ -#include <stddef.h> -#include <stdint.h> -#include "verify.h" - -/************************************************* -* Name: verify -* -* Description: Compare two arrays for equality in constant time. -* -* Arguments: const uint8_t *a: pointer to first byte array -* const uint8_t *b: pointer to second byte array -* size_t len: length of the byte arrays -* -* Returns 0 if the byte arrays are equal, 1 otherwise -**************************************************/ -int verify(const uint8_t *a, const uint8_t *b, size_t len) -{ - size_t i; - uint8_t r = 0; - - for(i=0;i<len;i++) - r |= a[i] ^ b[i]; - - return (-(uint64_t)r) >> 63; -} - -/************************************************* -* Name: cmov -* -* Description: Copy len bytes from x to r if b is 1; -* don't modify x if b is 0. Requires b to be in {0,1}; -* assumes two's complement representation of negative integers. -* Runs in constant time. -* -* Arguments: uint8_t *r: pointer to output byte array -* const uint8_t *x: pointer to input byte array -* size_t len: Amount of bytes to be copied -* uint8_t b: Condition bit; has to be in {0,1} -**************************************************/ -void cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b) -{ - size_t i; - - b = -b; - for(i=0;i<len;i++) - r[i] ^= b & (r[i] ^ x[i]); -} diff --git a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/verify.h b/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/verify.h deleted file mode 100644 index f95ac1b84..000000000 --- a/lib/liboqs/src/kem/kyber/pqcrystals-kyber_kyber768_ref/verify.h +++ /dev/null @@ -1,14 +0,0 @@ -#ifndef VERIFY_H -#define VERIFY_H - -#include <stddef.h> -#include <stdint.h> -#include "params.h" - -#define verify KYBER_NAMESPACE(verify) -int verify(const uint8_t *a, const uint8_t *b, size_t len); - -#define cmov KYBER_NAMESPACE(cmov) -void cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b); - -#endif diff --git a/lib/liboqs/src/kem/manifest.mn b/lib/liboqs/src/kem/manifest.mn deleted file mode 100644 index 3d8679e1c..000000000 --- a/lib/liboqs/src/kem/manifest.mn +++ /dev/null @@ -1,23 +0,0 @@ -# DO NOT EDIT: generated from manifest.mn.subdirs.template -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. -CORE_DEPTH = ../../../.. - -MODULE = oqs - -LIBRARY_NAME = oqs_src_kem -SHARED_LIBRARY = $(NULL) - -CSRCS = \ - kem.c \ - $(NULL) - -# only add module debugging in opt builds if DEBUG_PKCS11 is set -ifdef DEBUG_PKCS11 - DEFINES += -DDEBUG_MODULE -endif - -# This part of the code, including all sub-dirs, can be optimized for size -export ALLOW_OPT_CODE_SIZE = 1 |