From a3dc986d45475d463e3d66eb6add1ee94cc14b5b Mon Sep 17 00:00:00 2001
From: Station <arcticshine@gmail.com>
Date: Fri, 6 Sep 2019 21:31:04 +0400
Subject: [PATCH] XKCP ready
---
CMakeLists.txt | 241 ++++++-
include/dap_crypto_common.h | 12 +-
.../lib/high/Keccak/FIPS202/SimpleFIPS202.c | 19 +
.../lib/high/Keccak/FIPS202/SimpleFIPS202.h | 11 +-
.../SIMD128/KeccakP-1600-times2-SIMD128.c | 10 +
src/dap_enc.c | 1 -
src/dap_enc_iaes.c | 10 +-
src/msrln/kex.c | 32 +-
src/msrln/msrln.h | 1 -
src/msrln/random.c | 31 +-
src/sha3/fips202.c | 587 ------------------
src/sha3/fips202.h | 3 +
src/sig_bliss/bliss_b.h | 5 +-
src/sig_bliss/bliss_b_signatures.c | 10 +-
src/sig_bliss/entropy.c | 2 +-
src/sig_dilithium/dilithium_poly.c | 51 +-
src/sig_dilithium/dilithium_sign.c | 41 +-
src/sig_tesla/poly.c | 63 +-
src/sig_tesla/sample.c | 108 ++--
src/sig_tesla/sign.c | 12 +-
20 files changed, 524 insertions(+), 726 deletions(-)
delete mode 100755 src/sha3/fips202.c
diff --git a/CMakeLists.txt b/CMakeLists.txt
index a0fb81f..32fd82a 100755
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -4,8 +4,12 @@ project (dap_crypto)
# fix implicit declaration warnings
add_definitions ("-D_GNU_SOURCE")
-set(CMAKE_C_FLAGS "-std=c11 -O2 -Wall -Wextra -fPIC -fno-pie -no-pie")
-set(CMAKE_ASM_FLAGS "-std=c11 -O2 -Wall -Wextra -fPIC -fno-pie -no-pie")
+#set(CMAKE_C_FLAGS "-std=c11 -O2 -Wall -Wextra -fPIC -fno-pie -no-pie -fno-ident ")
+#set(CMAKE_ASM_FLAGS "-std=c11 -O2 -Wall -Wextra -fPIC -fno-pie -no-pie -fno-ident ")
+#set(CMAKE_C_FLAGS "-std=c11 -O3 -Wall -Wextra -fPIC -fno-pie -no-pie -fno-ident -ffast-math -ftree-vectorize -mfpmath=sse -mmmx -msse2 -fno-asynchronous-unwind-tables -ffunction-sections -Wl,--gc-sections -Wl,--strip-all")
+#set(CMAKE_ASM_FLAGS "-std=c11 -O3 -Wall -Wextra -fPIC -fno-pie -no-pie -fno-ident -ffast-math -ftree-vectorize -mfpmath=sse -mmmx -msse2 -fno-asynchronous-unwind-tables -ffunction-sections -Wl,--gc-sections -Wl,--strip-all")
+#set(CMAKE_C_FLAGS "-static -Wall -O3 -fno-ident -ffast-math -ftree-vectorize -mfpmath=sse -mmmx -msse2 -fno-asynchronous-unwind-tables -ffunction-sections -Wl,--gc-sections -Wl,--strip-all")
+#set(CMAKE_ASM_FLAGS "-static -Wall -O3 -fno-ident -ffast-math -ftree-vectorize -mfpmath=sse -mmmx -msse2 -fno-asynchronous-unwind-tables -ffunction-sections -Wl,--gc-sections -Wl,--strip-all")
if(NOT (${SUBMODULES_NO_BUILD} MATCHES ON))
@@ -64,8 +68,9 @@ enable_language(ASM)
file( GLOB XKCP_SRCS
src/XKCP/lib/high/Keccak/FIPS202/KeccakHash.c
- src/XKCP/lib/high/Keccak/FIPS202/SimpleFIPS202.c
src/XKCP/lib/high/Keccak/KeccakSpongeWidth1600.c
+ src/XKCP/lib/high/Keccak/SP800-185/SP800-185.c
+ src/XKCP/lib/high/Keccak/FIPS202/SimpleFIPS202.c
)
if(WIN32)
@@ -89,24 +94,134 @@ add_library(${PROJECT_NAME} STATIC ${CRYPTO_SRCS} ${XKCP_SRCS} ${XKCP_SRCS2} ${C
target_include_directories(dap_crypto PRIVATE src/rand src/iaes src/oaes sha3 src/msrln src/defeo_scheme src/sig_bliss src/sig_tesla src/sig_picnic src/sig_dilithium src include)
target_include_directories(dap_crypto INTERFACE src/ src/sha3 include/)
-target_include_directories(dap_crypto INTERFACE src/XKCP/lib/common)
-target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/common)
-target_include_directories(dap_crypto INTERFACE src/XKCP/lib/high/Keccak)
-target_include_directories(dap_crypto INTERFACE src/XKCP/lib/high/Keccak/FIPS202)
-target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600/Optimized)
-target_include_directories(dap_crypto PRIVATE src/XKCP/lib/common)
-target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/common)
-target_include_directories(dap_crypto PRIVATE src/XKCP/lib/high/Keccak)
-target_include_directories(dap_crypto PRIVATE src/XKCP/lib/high/Keccak/FIPS202)
-target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600/Optimized)
+target_include_directories(dap_crypto INTERFACE
+ src/XKCP/lib/common
+ src/XKCP/lib/low/common
+ src/XKCP/lib/high/Keccak
+ src/XKCP/lib/high/common
+ src/XKCP/lib/high/Keccak/FIPS202
+ src/XKCP/lib/high/Keccak/SP800-185
+ src/XKCP/lib/low/KeccakP-1600/Optimized
+)
+
+target_include_directories(dap_crypto PRIVATE
+ src/XKCP/lib/common
+ src/XKCP/lib/low/common
+ src/XKCP/lib/high/Keccak
+ src/XKCP/lib/high/common
+ src/XKCP/lib/high/Keccak/FIPS202
+ src/XKCP/lib/high/Keccak/SP800-185
+ src/XKCP/lib/low/KeccakP-1600/Optimized
+)
if(WIN32)
if(BUILD_64)
+
target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600/OptimizedAsmX86-64/win32)
target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600/OptimizedAsmX86-64/win32)
+
+ if(__AVX2__)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times2/SIMD512)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times2/SIMD512/AVX512ufull)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times2/SIMD512)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times2/SIMD512/AVX512ufull)
+ elseif(__SSE4_1__)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times2/SIMD128)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times2/SIMD128/SSE2ufull)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times2/SIMD128)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times2/SIMD128/SSE2ufull)
+ else()
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times2/FallbackOn1)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times2/FallbackOn1)
+ endif()
+
+ if(__AVX2__)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times4/SIMD512)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times4/SIMD512/AVX512ufull)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times4/SIMD512)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times4/SIMD512/AVX512ufull)
+ elseif(__AVX__)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times4/SIMD256)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times4/SIMD512/AVX2ufull)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times4/SIMD256)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times4/SIMD512/AVX2ufull)
+ elseif(__SSE4_1__)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times4/FallbackOn2)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times4/FallbackOn2)
+ else()
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times4/FallbackOn1)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times4/FallbackOn1)
+ endif()
+
+ if(__AVX2__)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times8/SIMD512)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times8/SIMD512/AVX512ufull)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times8/SIMD512)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times8/SIMD512/AVX512ufull)
+ elseif(__AVX__)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times8/FallbackOn4)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times8/FallbackOn4)
+ elseif(__SSE4_1__)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times8/FallbackOn2)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times8/FallbackOn2)
+ else()
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times8/FallbackOn1)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times8/FallbackOn1)
+ endif()
+
else()
target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600/Inplace32BI)
target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600/Inplace32BI)
+
+ if(__AVX2__)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times2/SIMD512)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times2/SIMD512/AVX512ufull)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times2/SIMD512)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times2/SIMD512/AVX512ufull)
+ elseif(__SSE4_1__)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times2/SIMD128)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times2/SIMD128/SSE2ufull)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times2/SIMD128)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times2/SIMD128/SSE2ufull)
+ else()
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times2/FallbackOn1)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times2/FallbackOn1)
+ endif()
+
+ if(__AVX2__)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times4/SIMD512)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times4/SIMD512/AVX512ufull)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times4/SIMD512)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times4/SIMD512/AVX512ufull)
+ elseif(__AVX__)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times4/SIMD256)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times4/SIMD512/AVX2ufull)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times4/SIMD256)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times4/SIMD512/AVX2ufull)
+ elseif(__SSE4_1__)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times4/FallbackOn2)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times4/FallbackOn2)
+ else()
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times4/FallbackOn1)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times4/FallbackOn1)
+ endif()
+
+ if(__AVX2__)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times8/SIMD512)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times8/SIMD512/AVX512ufull)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times8/SIMD512)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times8/SIMD512/AVX512ufull)
+ elseif(__AVX__)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times8/FallbackOn4)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times8/FallbackOn4)
+ elseif(__SSE4_1__)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times8/FallbackOn2)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times8/FallbackOn2)
+ else()
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times8/FallbackOn1)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times8/FallbackOn1)
+ endif()
+
endif()
endif()
@@ -114,9 +229,109 @@ if(UNIX)
if(BUILD_64)
target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600/OptimizedAsmX86-64)
target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600/OptimizedAsmX86-64)
+
+ if(__AVX2__)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times2/SIMD512)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times2/SIMD512/AVX512ufull)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times2/SIMD512)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times2/SIMD512/AVX512ufull)
+ elseif(__SSE4_1__)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times2/SIMD128)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times2/SIMD128/SSE2ufull)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times2/SIMD128)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times2/SIMD128/SSE2ufull)
+ else()
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times2/FallbackOn1)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times2/FallbackOn1)
+ endif()
+
+ if(__AVX2__)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times4/SIMD512)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times4/SIMD512/AVX512ufull)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times4/SIMD512)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times4/SIMD512/AVX512ufull)
+ elseif(__AVX__)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times4/SIMD256)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times4/SIMD512/AVX2ufull)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times4/SIMD256)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times4/SIMD512/AVX2ufull)
+ elseif(__SSE4_1__)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times4/FallbackOn2)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times4/FallbackOn2)
+ else()
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times4/FallbackOn1)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times4/FallbackOn1)
+ endif()
+
+ if(__AVX2__)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times8/SIMD512)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times8/SIMD512/AVX512ufull)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times8/SIMD512)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times8/SIMD512/AVX512ufull)
+ elseif(__AVX__)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times8/FallbackOn4)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times8/FallbackOn4)
+ elseif(__SSE4_1__)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times8/FallbackOn2)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times8/FallbackOn2)
+ else()
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times8/FallbackOn1)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times8/FallbackOn1)
+ endif()
+
else()
target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600/Inplace32BI)
target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600/Inplace32BI)
+
+ if(__AVX2__)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times2/SIMD512)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times2/SIMD512/AVX512ufull)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times2/SIMD512)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times2/SIMD512/AVX512ufull)
+ elseif(__SSE4_1__)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times2/SIMD128)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times2/SIMD128/SSE2ufull)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times2/SIMD128)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times2/SIMD128/SSE2ufull)
+ else()
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times2/FallbackOn1)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times2/FallbackOn1)
+ endif()
+
+ if(__AVX2__)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times4/SIMD512)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times4/SIMD512/AVX512ufull)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times4/SIMD512)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times4/SIMD512/AVX512ufull)
+ elseif(__AVX__)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times4/SIMD256)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times4/SIMD512/AVX2ufull)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times4/SIMD256)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times4/SIMD512/AVX2ufull)
+ elseif(__SSE4_1__)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times4/FallbackOn2)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times4/FallbackOn2)
+ else()
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times4/FallbackOn1)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times4/FallbackOn1)
+ endif()
+
+ if(__AVX2__)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times8/SIMD512)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times8/SIMD512/AVX512ufull)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times8/SIMD512)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times8/SIMD512/AVX512ufull)
+ elseif(__AVX__)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times8/FallbackOn4)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times8/FallbackOn4)
+ elseif(__SSE4_1__)
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times8/FallbackOn2)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times8/FallbackOn2)
+ else()
+ target_include_directories(dap_crypto INTERFACE src/XKCP/lib/low/KeccakP-1600-times8/FallbackOn1)
+ target_include_directories(dap_crypto PRIVATE src/XKCP/lib/low/KeccakP-1600-times8/FallbackOn1)
+ endif()
+
endif()
endif()
diff --git a/include/dap_crypto_common.h b/include/dap_crypto_common.h
index f1d09a2..ce80839 100755
--- a/include/dap_crypto_common.h
+++ b/include/dap_crypto_common.h
@@ -7,13 +7,21 @@
extern "C" {
#endif
-
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
-#include "rand/dap_rand.h"
+
+#include "dap_common.h"
+
#include "sha3/fips202.h"
+#include "KeccakHash.h"
+#include "SimpleFIPS202.h"
+#include "SP800-185.h"
+
+#include "rand/dap_rand.h"
+
+
// Definition of operating system
#define OS_WIN 1
diff --git a/src/XKCP/lib/high/Keccak/FIPS202/SimpleFIPS202.c b/src/XKCP/lib/high/Keccak/FIPS202/SimpleFIPS202.c
index 6dc9423..3336f68 100755
--- a/src/XKCP/lib/high/Keccak/FIPS202/SimpleFIPS202.c
+++ b/src/XKCP/lib/high/Keccak/FIPS202/SimpleFIPS202.c
@@ -16,6 +16,25 @@ int SHAKE128(unsigned char *output, size_t outputByteLen, const unsigned char *i
return KeccakWidth1600_Sponge(1344, 256, input, inputByteLen, 0x1F, output, outputByteLen);
}
+void SHAKE128_InitAbsorb(Keccak_HashInstance *ks, const unsigned char *input, size_t inputByteLen)
+{
+ Keccak_HashInitialize_SHAKE128( ks );
+ Keccak_HashUpdate( &ks, input, inputByteLen * 8 );
+ Keccak_HashFinal( &ks, input );
+}
+
+void SHAKE256_InitAbsorb(Keccak_HashInstance *ks, const unsigned char *input, size_t inputByteLen)
+{
+ Keccak_HashInitialize_SHAKE256( ks );
+ Keccak_HashUpdate( &ks, input, inputByteLen * 8 );
+ Keccak_HashFinal( &ks, input );
+}
+
+void KECCAK_HashSqueeze(Keccak_HashInstance *ks, const unsigned char *out, size_t outByteLen)
+{
+ Keccak_HashSqueeze( &ks, (unsigned char *)out, outByteLen * 8 );
+}
+
int SHAKE256(unsigned char *output, size_t outputByteLen, const unsigned char *input, size_t inputByteLen)
{
return KeccakWidth1600_Sponge(1088, 512, input, inputByteLen, 0x1F, output, outputByteLen);
diff --git a/src/XKCP/lib/high/Keccak/FIPS202/SimpleFIPS202.h b/src/XKCP/lib/high/Keccak/FIPS202/SimpleFIPS202.h
index b451f3e..a2fa944 100755
--- a/src/XKCP/lib/high/Keccak/FIPS202/SimpleFIPS202.h
+++ b/src/XKCP/lib/high/Keccak/FIPS202/SimpleFIPS202.h
@@ -12,6 +12,7 @@ http://creativecommons.org/publicdomain/zero/1.0/
#ifndef _SimpleFIPS202_h_
#define _SimpleFIPS202_h_
+#include "KeccakHash.h"
#include "KeccakSpongeWidth1600.h"
#include <string.h>
@@ -60,15 +61,15 @@ http://creativecommons.org/publicdomain/zero/1.0/
*/
int SHAKE128(unsigned char *output, size_t outputByteLen, const unsigned char *input, size_t inputByteLen);
-
int SHAKE256(unsigned char *output, size_t outputByteLen, const unsigned char *input, size_t inputByteLen);
-
int SHA3_224(unsigned char *output, const unsigned char *input, size_t inputByteLen);
-
int SHA3_256(unsigned char *output, const unsigned char *input, size_t inputByteLen);
-
int SHA3_384(unsigned char *output, const unsigned char *input, size_t inputByteLen);
-
int SHA3_512(unsigned char *output, const unsigned char *input, size_t inputByteLen);
+void SHAKE128_InitAbsorb( Keccak_HashInstance *ks, const unsigned char *input, size_t inputByteLen );
+void SHAKE256_InitAbsorb( Keccak_HashInstance *ks, const unsigned char *input, size_t inputByteLen );
+void KECCAK_HashSqueeze(Keccak_HashInstance *ks, const unsigned char *out, size_t outByteLen);
+
+
#endif
diff --git a/src/XKCP/lib/low/KeccakP-1600-times2/SIMD128/KeccakP-1600-times2-SIMD128.c b/src/XKCP/lib/low/KeccakP-1600-times2/SIMD128/KeccakP-1600-times2-SIMD128.c
index 99e59c6..47d4ca5 100755
--- a/src/XKCP/lib/low/KeccakP-1600-times2/SIMD128/KeccakP-1600-times2-SIMD128.c
+++ b/src/XKCP/lib/low/KeccakP-1600-times2/SIMD128/KeccakP-1600-times2-SIMD128.c
@@ -21,6 +21,16 @@ Please refer to LowLevel.build for the exact list of other files it must be comb
#include <stdlib.h>
#include <string.h>
#include <x86intrin.h>
+// #include <x86intrin.h>
+
+//#include <smmintrin.h>
+//#include <wmmintrin.h>
+//#include <immintrin.h>
+//#include <emmintrin.h>
+
+// #include <mmintrin.h>
+// #include <emmintrin.h>
+
#include "align.h"
#include "KeccakP-1600-times2-SnP.h"
#include "SIMD128-config.h"
diff --git a/src/dap_enc.c b/src/dap_enc.c
index 93404a8..8ad781c 100755
--- a/src/dap_enc.c
+++ b/src/dap_enc.c
@@ -18,7 +18,6 @@
along with any DAP based project. If not, see <http://www.gnu.org/licenses/>.
*/
-
#ifndef _WIN32
#include <arpa/inet.h>
#endif
diff --git a/src/dap_enc_iaes.c b/src/dap_enc_iaes.c
index 5decb17..bdd4a25 100755
--- a/src/dap_enc_iaes.c
+++ b/src/dap_enc_iaes.c
@@ -3,7 +3,11 @@
#include <string.h>
#include "dap_enc_key.h"
#include "dap_enc_iaes.h"
-#include "sha3/fips202.h"
+//#include "sha3/fips202.h"
+
+#include "KeccakHash.h"
+#include "SimpleFIPS202.h"
+
#include "dap_common.h"
@@ -52,8 +56,8 @@ void dap_enc_aes_key_generate(struct dap_enc_key * a_key, const void *kex_buf,
memcpy(id_concat_kex,seed, seed_size);
memcpy(id_concat_kex + seed_size, kex_buf, kex_size);
- shake256(a_key->priv_key_data, IAES_KEYSIZE, id_concat_kex, (kex_size + seed_size));
- shake128(DAP_ENC_AES_KEY(a_key)->ivec, IAES_BLOCK_SIZE, seed, seed_size);
+ SHAKE256(a_key->priv_key_data, IAES_KEYSIZE, id_concat_kex, (kex_size + seed_size));
+ SHAKE128(DAP_ENC_AES_KEY(a_key)->ivec, IAES_BLOCK_SIZE, seed, seed_size);
free(id_concat_kex);
}
diff --git a/src/msrln/kex.c b/src/msrln/kex.c
index 558f3cb..942c5ae 100755
--- a/src/msrln/kex.c
+++ b/src/msrln/kex.c
@@ -5,6 +5,9 @@
#include <malloc.h>
#endif
+#include "KeccakHash.h"
+#include "SimpleFIPS202.h"
+
// N^-1 * prime_scale^-8
const int32_t MSRLN_Ninv8_ntt1024_12289 = 8350;
@@ -383,12 +386,12 @@ static __inline uint32_t LDDecode(int32_t* t)
uint32_t mask1, mask2, value;
int32_t cneg = -8*PARAMETER_Q;
- for (i = 0; i < 4; i++) {
+ for (i = 0; i < 4; i++) {
mask1 = t[i] >> 31; // If t[i] < 0 then mask2 = 0xff...ff, else mask2 = 0
mask2 = (4*PARAMETER_Q - (int32_t)Abs(t[i])) >> 31; // If 4*PARAMETER_Q > Abs(t[i]) then mask2 = 0, else mask2 = 0xff...ff
value = ((mask1 & (8*PARAMETER_Q ^ cneg)) ^ cneg);
- norm += Abs(t[i] + (mask2 & value));
+ norm += Abs(t[i] + (mask2 & value));
}
return ((8*PARAMETER_Q - norm) >> 31) ^ 1; // If norm < PARAMETER_Q then return 1, else return 0
@@ -464,9 +467,21 @@ CRYPTO_MSRLN_STATUS generate_a(uint32_t* a, const unsigned char* seed, Extendabl
uint16_t val;
unsigned int nblocks = 16;
uint8_t buf[SHAKE128_RATE * 16]; // was * nblocks, but VS doesn't like this buf init
- uint64_t state[SHA3_STATESIZE] = {0};
- shake128_absorb(state, seed, SEED_BYTES);
- shake128_squeezeblocks((unsigned char *) buf, nblocks, state);
+ Keccak_HashInstance ks;
+
+// uint64_t state[SHA3_STATESIZE] = {0};
+// shake128_absorb(state, seed, SEED_BYTES);
+// shake128_squeezeblocks((unsigned char *) buf, nblocks, state);
+
+ #ifdef _WIN32
+ SHAKE128_InitAbsorb( &ks, seed, SEED_BYTES );
+ KECCAK_HashSqueeze( &ks, (unsigned char *) buf, nblocks * 8 );
+ #else
+ Keccak_HashInitialize_SHAKE128(&ks);
+ Keccak_HashUpdate( &ks, seed, SEED_BYTES * 8 );
+ Keccak_HashFinal( &ks, seed );
+ Keccak_HashSqueeze( &ks, (unsigned char *) buf, nblocks * 8 * 8 );
+ #endif
while (ctr < PARAMETER_N) {
val = (buf[pos] | ((uint16_t) buf[pos + 1] << 8)) & 0x3fff;
@@ -476,7 +491,12 @@ CRYPTO_MSRLN_STATUS generate_a(uint32_t* a, const unsigned char* seed, Extendabl
pos += 2;
if (pos > SHAKE128_RATE * nblocks - 2) {
nblocks = 1;
- shake128_squeezeblocks((unsigned char *) buf, nblocks, state);
+// shake128_squeezeblocks((unsigned char *) buf, nblocks, state);
+ #ifdef _WIN32
+ KECCAK_HashSqueeze( &ks, (unsigned char *) buf, nblocks * 8 );
+ #else
+ Keccak_HashSqueeze( &ks, (unsigned char *) buf, nblocks * 8 * 8 );
+ #endif
pos = 0;
}
}
diff --git a/src/msrln/msrln.h b/src/msrln/msrln.h
index ab41100..5b54822 100755
--- a/src/msrln/msrln.h
+++ b/src/msrln/msrln.h
@@ -7,7 +7,6 @@
extern "C" {
#endif
-
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
diff --git a/src/msrln/random.c b/src/msrln/random.c
index 4ab40d8..e5a760c 100755
--- a/src/msrln/random.c
+++ b/src/msrln/random.c
@@ -1,5 +1,10 @@
#include "msrln_priv.h"
+//#include "KeccakHash.h"
+//#include "SimpleFIPS202.h"
+
+#define LOG_TAG "RANDOM"
+
CRYPTO_MSRLN_STATUS MSRLN_generate_a(const unsigned char* seed, unsigned int seed_nbytes, unsigned int array_ndigits, uint32_t* a)
{
// Generation of parameter a
@@ -7,9 +12,21 @@ CRYPTO_MSRLN_STATUS MSRLN_generate_a(const unsigned char* seed, unsigned int see
uint16_t val;
unsigned int nblocks = 16;
uint8_t buf[SHAKE128_RATE * 16]; // was * nblocks, but VS doesn't like this buf init
- uint64_t state[SHA3_STATESIZE];
- shake128_absorb(state, seed, seed_nbytes);
- shake128_squeezeblocks((unsigned char *) buf, nblocks, state);
+ Keccak_HashInstance ks;
+
+// uint64_t state[SHA3_STATESIZE];
+// shake128_absorb(state, seed, seed_nbytes);
+// shake128_squeezeblocks((unsigned char *) buf, nblocks, state);
+
+ #ifdef _WIN32
+ SHAKE128_InitAbsorb( &ks, seed, seed_nbytes );
+ KECCAK_HashSqueeze( &ks, (unsigned char *) buf, nblocks * 8 );
+ #else
+ Keccak_HashInitialize_SHAKE128(&ks);
+ Keccak_HashUpdate( &ks, seed, seed_nbytes * 8 );
+ Keccak_HashFinal( &ks, seed );
+ Keccak_HashSqueeze( &ks, (unsigned char *) buf, nblocks * 8 * 8 );
+ #endif
while (ctr < array_ndigits) {
val = (buf[pos] | ((uint16_t) buf[pos + 1] << 8)) & 0x3fff;
@@ -19,10 +36,16 @@ CRYPTO_MSRLN_STATUS MSRLN_generate_a(const unsigned char* seed, unsigned int see
pos += 2;
if (pos > SHAKE128_RATE * nblocks - 2) {
nblocks = 1;
- shake128_squeezeblocks((unsigned char *) buf, nblocks, state);
+// shake128_squeezeblocks((unsigned char *) buf, nblocks, state);
+ #ifdef _WIN32
+ KECCAK_HashSqueeze( &ks, (unsigned char *) buf, nblocks * 8 );
+ #else
+ Keccak_HashSqueeze( &ks, (unsigned char *) buf, nblocks * 8 * 8 );
+ #endif
pos = 0;
}
}
+
return CRYPTO_MSRLN_SUCCESS;
}
diff --git a/src/sha3/fips202.c b/src/sha3/fips202.c
deleted file mode 100755
index 022be71..0000000
--- a/src/sha3/fips202.c
+++ /dev/null
@@ -1,587 +0,0 @@
-/********************************************************************************************
-* SHA3-derived functions: SHAKE and cSHAKE
-*
-* Based on the public domain implementation in crypto_hash/keccakc512/simple/
-* from http://bench.cr.yp.to/supercop.html by Ronny Van Keer
-* and the public domain "TweetFips202" implementation from https://twitter.com/tweetfips202
-* by Gilles Van Assche, Daniel J. Bernstein, and Peter Schwabe
-*
-* See NIST Special Publication 800-185 for more information:
-* http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-185.pdf
-*
-*********************************************************************************************/
-
-#include <stdint.h>
-#include <assert.h>
-#include "fips202.h"
-
-#define NROUNDS 24
-#define ROL(a, offset) ((a << offset) ^ (a >> (64-offset)))
-
-
-static uint64_t load64(const unsigned char *x)
-{
- unsigned long long r = 0, i;
-
- for (i = 0; i < 8; ++i) {
- r |= (unsigned long long)x[i] << 8 * i;
- }
- return r;
-}
-
-
-static void store64(uint8_t *x, uint64_t u)
-{
- unsigned int i;
-
- for (i = 0; i < 8; ++i) {
- x[i] = (uint8_t)u;
- u >>= 8;
- }
-}
-
-
-static const uint64_t KeccakF_RoundConstants[NROUNDS] =
-{
- (uint64_t)0x0000000000000001ULL,
- (uint64_t)0x0000000000008082ULL,
- (uint64_t)0x800000000000808aULL,
- (uint64_t)0x8000000080008000ULL,
- (uint64_t)0x000000000000808bULL,
- (uint64_t)0x0000000080000001ULL,
- (uint64_t)0x8000000080008081ULL,
- (uint64_t)0x8000000000008009ULL,
- (uint64_t)0x000000000000008aULL,
- (uint64_t)0x0000000000000088ULL,
- (uint64_t)0x0000000080008009ULL,
- (uint64_t)0x000000008000000aULL,
- (uint64_t)0x000000008000808bULL,
- (uint64_t)0x800000000000008bULL,
- (uint64_t)0x8000000000008089ULL,
- (uint64_t)0x8000000000008003ULL,
- (uint64_t)0x8000000000008002ULL,
- (uint64_t)0x8000000000000080ULL,
- (uint64_t)0x000000000000800aULL,
- (uint64_t)0x800000008000000aULL,
- (uint64_t)0x8000000080008081ULL,
- (uint64_t)0x8000000000008080ULL,
- (uint64_t)0x0000000080000001ULL,
- (uint64_t)0x8000000080008008ULL
-};
-
-
-void KeccakF1600_StatePermute(uint64_t * state)
-{
- int round;
-
- uint64_t Aba, Abe, Abi, Abo, Abu;
- uint64_t Aga, Age, Agi, Ago, Agu;
- uint64_t Aka, Ake, Aki, Ako, Aku;
- uint64_t Ama, Ame, Ami, Amo, Amu;
- uint64_t Asa, Ase, Asi, Aso, Asu;
- uint64_t BCa, BCe, BCi, BCo, BCu;
- uint64_t Da, De, Di, Do, Du;
- uint64_t Eba, Ebe, Ebi, Ebo, Ebu;
- uint64_t Ega, Ege, Egi, Ego, Egu;
- uint64_t Eka, Eke, Eki, Eko, Eku;
- uint64_t Ema, Eme, Emi, Emo, Emu;
- uint64_t Esa, Ese, Esi, Eso, Esu;
-
- //copyFromState(A, state)
- Aba = state[ 0];
- Abe = state[ 1];
- Abi = state[ 2];
- Abo = state[ 3];
- Abu = state[ 4];
- Aga = state[ 5];
- Age = state[ 6];
- Agi = state[ 7];
- Ago = state[ 8];
- Agu = state[ 9];
- Aka = state[10];
- Ake = state[11];
- Aki = state[12];
- Ako = state[13];
- Aku = state[14];
- Ama = state[15];
- Ame = state[16];
- Ami = state[17];
- Amo = state[18];
- Amu = state[19];
- Asa = state[20];
- Ase = state[21];
- Asi = state[22];
- Aso = state[23];
- Asu = state[24];
-
- for( round = 0; round < NROUNDS; round += 2 )
- {
- // prepareTheta
- BCa = Aba^Aga^Aka^Ama^Asa;
- BCe = Abe^Age^Ake^Ame^Ase;
- BCi = Abi^Agi^Aki^Ami^Asi;
- BCo = Abo^Ago^Ako^Amo^Aso;
- BCu = Abu^Agu^Aku^Amu^Asu;
-
- //thetaRhoPiChiIotaPrepareTheta(round , A, E)
- Da = BCu^ROL(BCe, 1);
- De = BCa^ROL(BCi, 1);
- Di = BCe^ROL(BCo, 1);
- Do = BCi^ROL(BCu, 1);
- Du = BCo^ROL(BCa, 1);
-
- Aba ^= Da;
- BCa = Aba;
- Age ^= De;
- BCe = ROL(Age, 44);
- Aki ^= Di;
- BCi = ROL(Aki, 43);
- Amo ^= Do;
- BCo = ROL(Amo, 21);
- Asu ^= Du;
- BCu = ROL(Asu, 14);
- Eba = BCa ^((~BCe)& BCi );
- Eba ^= (uint64_t)KeccakF_RoundConstants[round];
- Ebe = BCe ^((~BCi)& BCo );
- Ebi = BCi ^((~BCo)& BCu );
- Ebo = BCo ^((~BCu)& BCa );
- Ebu = BCu ^((~BCa)& BCe );
-
- Abo ^= Do;
- BCa = ROL(Abo, 28);
- Agu ^= Du;
- BCe = ROL(Agu, 20);
- Aka ^= Da;
- BCi = ROL(Aka, 3);
- Ame ^= De;
- BCo = ROL(Ame, 45);
- Asi ^= Di;
- BCu = ROL(Asi, 61);
- Ega = BCa ^((~BCe)& BCi );
- Ege = BCe ^((~BCi)& BCo );
- Egi = BCi ^((~BCo)& BCu );
- Ego = BCo ^((~BCu)& BCa );
- Egu = BCu ^((~BCa)& BCe );
-
- Abe ^= De;
- BCa = ROL(Abe, 1);
- Agi ^= Di;
- BCe = ROL(Agi, 6);
- Ako ^= Do;
- BCi = ROL(Ako, 25);
- Amu ^= Du;
- BCo = ROL(Amu, 8);
- Asa ^= Da;
- BCu = ROL(Asa, 18);
- Eka = BCa ^((~BCe)& BCi );
- Eke = BCe ^((~BCi)& BCo );
- Eki = BCi ^((~BCo)& BCu );
- Eko = BCo ^((~BCu)& BCa );
- Eku = BCu ^((~BCa)& BCe );
-
- Abu ^= Du;
- BCa = ROL(Abu, 27);
- Aga ^= Da;
- BCe = ROL(Aga, 36);
- Ake ^= De;
- BCi = ROL(Ake, 10);
- Ami ^= Di;
- BCo = ROL(Ami, 15);
- Aso ^= Do;
- BCu = ROL(Aso, 56);
- Ema = BCa ^((~BCe)& BCi );
- Eme = BCe ^((~BCi)& BCo );
- Emi = BCi ^((~BCo)& BCu );
- Emo = BCo ^((~BCu)& BCa );
- Emu = BCu ^((~BCa)& BCe );
-
- Abi ^= Di;
- BCa = ROL(Abi, 62);
- Ago ^= Do;
- BCe = ROL(Ago, 55);
- Aku ^= Du;
- BCi = ROL(Aku, 39);
- Ama ^= Da;
- BCo = ROL(Ama, 41);
- Ase ^= De;
- BCu = ROL(Ase, 2);
- Esa = BCa ^((~BCe)& BCi );
- Ese = BCe ^((~BCi)& BCo );
- Esi = BCi ^((~BCo)& BCu );
- Eso = BCo ^((~BCu)& BCa );
- Esu = BCu ^((~BCa)& BCe );
-
- // prepareTheta
- BCa = Eba^Ega^Eka^Ema^Esa;
- BCe = Ebe^Ege^Eke^Eme^Ese;
- BCi = Ebi^Egi^Eki^Emi^Esi;
- BCo = Ebo^Ego^Eko^Emo^Eso;
- BCu = Ebu^Egu^Eku^Emu^Esu;
-
- //thetaRhoPiChiIotaPrepareTheta(round+1, E, A)
- Da = BCu^ROL(BCe, 1);
- De = BCa^ROL(BCi, 1);
- Di = BCe^ROL(BCo, 1);
- Do = BCi^ROL(BCu, 1);
- Du = BCo^ROL(BCa, 1);
-
- Eba ^= Da;
- BCa = Eba;
- Ege ^= De;
- BCe = ROL(Ege, 44);
- Eki ^= Di;
- BCi = ROL(Eki, 43);
- Emo ^= Do;
- BCo = ROL(Emo, 21);
- Esu ^= Du;
- BCu = ROL(Esu, 14);
- Aba = BCa ^((~BCe)& BCi );
- Aba ^= (uint64_t)KeccakF_RoundConstants[round+1];
- Abe = BCe ^((~BCi)& BCo );
- Abi = BCi ^((~BCo)& BCu );
- Abo = BCo ^((~BCu)& BCa );
- Abu = BCu ^((~BCa)& BCe );
-
- Ebo ^= Do;
- BCa = ROL(Ebo, 28);
- Egu ^= Du;
- BCe = ROL(Egu, 20);
- Eka ^= Da;
- BCi = ROL(Eka, 3);
- Eme ^= De;
- BCo = ROL(Eme, 45);
- Esi ^= Di;
- BCu = ROL(Esi, 61);
- Aga = BCa ^((~BCe)& BCi );
- Age = BCe ^((~BCi)& BCo );
- Agi = BCi ^((~BCo)& BCu );
- Ago = BCo ^((~BCu)& BCa );
- Agu = BCu ^((~BCa)& BCe );
-
- Ebe ^= De;
- BCa = ROL(Ebe, 1);
- Egi ^= Di;
- BCe = ROL(Egi, 6);
- Eko ^= Do;
- BCi = ROL(Eko, 25);
- Emu ^= Du;
- BCo = ROL(Emu, 8);
- Esa ^= Da;
- BCu = ROL(Esa, 18);
- Aka = BCa ^((~BCe)& BCi );
- Ake = BCe ^((~BCi)& BCo );
- Aki = BCi ^((~BCo)& BCu );
- Ako = BCo ^((~BCu)& BCa );
- Aku = BCu ^((~BCa)& BCe );
-
- Ebu ^= Du;
- BCa = ROL(Ebu, 27);
- Ega ^= Da;
- BCe = ROL(Ega, 36);
- Eke ^= De;
- BCi = ROL(Eke, 10);
- Emi ^= Di;
- BCo = ROL(Emi, 15);
- Eso ^= Do;
- BCu = ROL(Eso, 56);
- Ama = BCa ^((~BCe)& BCi );
- Ame = BCe ^((~BCi)& BCo );
- Ami = BCi ^((~BCo)& BCu );
- Amo = BCo ^((~BCu)& BCa );
- Amu = BCu ^((~BCa)& BCe );
-
- Ebi ^= Di;
- BCa = ROL(Ebi, 62);
- Ego ^= Do;
- BCe = ROL(Ego, 55);
- Eku ^= Du;
- BCi = ROL(Eku, 39);
- Ema ^= Da;
- BCo = ROL(Ema, 41);
- Ese ^= De;
- BCu = ROL(Ese, 2);
- Asa = BCa ^((~BCe)& BCi );
- Ase = BCe ^((~BCi)& BCo );
- Asi = BCi ^((~BCo)& BCu );
- Aso = BCo ^((~BCu)& BCa );
- Asu = BCu ^((~BCa)& BCe );
- }
-
- //copyToState(state, A)
- state[ 0] = Aba;
- state[ 1] = Abe;
- state[ 2] = Abi;
- state[ 3] = Abo;
- state[ 4] = Abu;
- state[ 5] = Aga;
- state[ 6] = Age;
- state[ 7] = Agi;
- state[ 8] = Ago;
- state[ 9] = Agu;
- state[10] = Aka;
- state[11] = Ake;
- state[12] = Aki;
- state[13] = Ako;
- state[14] = Aku;
- state[15] = Ama;
- state[16] = Ame;
- state[17] = Ami;
- state[18] = Amo;
- state[19] = Amu;
- state[20] = Asa;
- state[21] = Ase;
- state[22] = Asi;
- state[23] = Aso;
- state[24] = Asu;
-
- #undef round
-}
-
-#include <string.h>
-#define MIN(a, b) ((a) < (b) ? (a) : (b))
-
-
-static void keccak_absorb(uint64_t *s, unsigned int r, const unsigned char *m, unsigned long long int mlen, unsigned char p)
-{
- unsigned long long i;
- unsigned char t[200];
-
- while (mlen >= r)
- {
- for (i = 0; i < r / 8; ++i)
- s[i] ^= load64(m + 8 * i);
-
- KeccakF1600_StatePermute(s);
- mlen -= r;
- m += r;
- }
-
- for (i = 0; i < r; ++i)
- t[i] = 0;
- for (i = 0; i < mlen; ++i)
- t[i] = m[i];
- t[i] = p;
- t[r - 1] |= 128;
- for (i = 0; i < r / 8; ++i)
- s[i] ^= load64(t + 8 * i);
-}
-
-
-static void keccak_squeezeblocks(unsigned char *h, unsigned long long int nblocks, uint64_t *s, unsigned int r)
-{
- unsigned int i;
-
- while(nblocks > 0)
- {
- KeccakF1600_StatePermute(s);
- for (i = 0; i < (r>>3); i++)
- {
- store64(h+8*i, s[i]);
- }
- h += r;
- nblocks--;
- }
-}
-
-
-/********** SHAKE128 ***********/
-
-void shake128_absorb(uint64_t *s, const unsigned char *input, unsigned int inputByteLen)
-{
- keccak_absorb(s, SHAKE128_RATE, input, inputByteLen, 0x1F);
-}
-
-
-void shake128_squeezeblocks(unsigned char *output, unsigned long long nblocks, uint64_t *s)
-{
- keccak_squeezeblocks(output, nblocks, s, SHAKE128_RATE);
-}
-
-
-void shake128(unsigned char *output, unsigned long long outlen, const unsigned char *input, unsigned long long inlen)
-{
- uint64_t s[25] = {0};
- unsigned char t[SHAKE128_RATE];
- unsigned long long nblocks = outlen/SHAKE128_RATE;
- size_t i;
-
- /* Absorb input */
- keccak_absorb(s, SHAKE128_RATE, input, inlen, 0x1F);
-
- /* Squeeze output */
- keccak_squeezeblocks(output, nblocks, s, SHAKE128_RATE);
-
- output += nblocks*SHAKE128_RATE;
- outlen -= nblocks*SHAKE128_RATE;
-
- if (outlen)
- {
- keccak_squeezeblocks(t, 1, s, SHAKE128_RATE);
- for (i = 0; i < outlen; i++)
- output[i] = t[i];
- }
-}
-
-
-/********** cSHAKE128 ***********/
-
-void cshake128_simple_absorb(uint64_t s[25], uint16_t cstm, const unsigned char *in, unsigned long long inlen)
-{
- unsigned char *sep = (unsigned char*)s;
-
- /* Absorb customization (domain-separation) string */
- sep[0] = 0x01;
- sep[1] = 0xa8;
- sep[2] = 0x01;
- sep[3] = 0x00;
- sep[4] = 0x01;
- sep[5] = 16; // fixed bitlen of cstm
- sep[6] = cstm & 0xff;
- sep[7] = cstm >> 8;
-
- KeccakF1600_StatePermute(s);
-
- /* Absorb input */
- keccak_absorb(s, SHAKE128_RATE, in, inlen, 0x04);
-}
-
-
-void cshake128_simple_squeezeblocks(unsigned char *output, unsigned long long nblocks, uint64_t *s)
-{
- keccak_squeezeblocks(output, nblocks, s, SHAKE128_RATE);
-}
-
-
-void cshake128_simple(unsigned char *output, unsigned long long outlen, uint16_t cstm, const unsigned char *in, unsigned long long inlen)
-{
- uint64_t s[25] = {0};
- unsigned char t[SHAKE128_RATE];
- unsigned int i;
-
- cshake128_simple_absorb(s, cstm, in, inlen);
-
- /* Squeeze output */
- keccak_squeezeblocks(output, outlen/SHAKE128_RATE, s, SHAKE128_RATE);
- output += (outlen/SHAKE128_RATE)*SHAKE128_RATE;
-
- if (outlen%SHAKE128_RATE)
- {
- keccak_squeezeblocks(t, 1, s, SHAKE128_RATE);
- for (i = 0; i < outlen%SHAKE128_RATE; i++)
- output[i] = t[i];
- }
-}
-
-
-/********** SHAKE256 ***********/
-
-void shake256_absorb(uint64_t *s, const unsigned char *input, unsigned int inputByteLen)
-{
- keccak_absorb(s, SHAKE256_RATE, input, inputByteLen, 0x1F);
-}
-
-
-void shake256_squeezeblocks(unsigned char *output, unsigned long long nblocks, uint64_t *s)
-{
- keccak_squeezeblocks(output, nblocks, s, SHAKE256_RATE);
-}
-
-
-void shake256(unsigned char *output, unsigned long long outlen, const unsigned char *input, unsigned long long inlen)
-{
- uint64_t s[25] = {0};
- unsigned char t[SHAKE256_RATE];
- unsigned long long nblocks = outlen/SHAKE256_RATE;
- size_t i;
-
- /* Absorb input */
- keccak_absorb(s, SHAKE256_RATE, input, inlen, 0x1F);
-
- /* Squeeze output */
- keccak_squeezeblocks(output, nblocks, s, SHAKE256_RATE);
-
- output += nblocks*SHAKE256_RATE;
- outlen -= nblocks*SHAKE256_RATE;
-
- if (outlen)
- {
- keccak_squeezeblocks(t, 1, s, SHAKE256_RATE);
- for (i = 0; i < outlen; i++)
- output[i] = t[i];
- }
-}
-
-
-/********** cSHAKE256 ***********/
-
-void cshake256_simple_absorb(uint64_t s[25], uint16_t cstm, const unsigned char *in, unsigned long long inlen)
-{
- unsigned char *sep = (unsigned char*)s;
-
- /* Absorb customization (domain-separation) string */
- sep[0] = 0x01;
- sep[1] = 0x88;
- sep[2] = 0x01;
- sep[3] = 0x00;
- sep[4] = 0x01;
- sep[5] = 16; // fixed bitlen of cstm
- sep[6] = cstm & 0xff;
- sep[7] = cstm >> 8;
-
- KeccakF1600_StatePermute(s);
-
- /* Absorb input */
- keccak_absorb(s, SHAKE256_RATE, in, inlen, 0x04);
-}
-
-
-void cshake256_simple_squeezeblocks(unsigned char *output, unsigned long long nblocks, uint64_t *s)
-{
- keccak_squeezeblocks(output, nblocks, s, SHAKE256_RATE);
-}
-
-
-void cshake256_simple(unsigned char *output, unsigned long long outlen, uint16_t cstm, const unsigned char *in, unsigned long long inlen)
-{
- uint64_t s[25] = {0};
- unsigned char t[SHAKE256_RATE];
- unsigned int i;
-
- cshake256_simple_absorb(s, cstm, in, inlen);
-
- /* Squeeze output */
- keccak_squeezeblocks(output, outlen/SHAKE256_RATE, s, SHAKE256_RATE);
- output += (outlen/SHAKE256_RATE)*SHAKE256_RATE;
-
- if(outlen%SHAKE256_RATE)
- {
- keccak_squeezeblocks(t, 1, s, SHAKE256_RATE);
- for (i = 0; i < outlen%SHAKE256_RATE; i++)
- output[i] = t[i];
- }
-}
-
-void sha3_256(unsigned char *output, const unsigned char *input, unsigned int inputByteLen)
-{
- uint64_t s[25] = {0};
- unsigned char t[SHA3_256_RATE];
- int i;
-
- keccak_absorb(s, SHA3_256_RATE, input, inputByteLen, 0x06);
- keccak_squeezeblocks(t, 1, s, SHA3_256_RATE);
- for(i=0;i<32;i++)
- output[i] = t[i];
-}
-
-void sha3_512(unsigned char *output, const unsigned char *input, unsigned int inputByteLen)
-{
- uint64_t s[25] = {0};
- unsigned char t[SHA3_512_RATE];
- uint32_t i;
-
- keccak_absorb(s, SHA3_512_RATE, input, inputByteLen, 0x06);
- keccak_squeezeblocks(t, 1, s, SHA3_512_RATE);
- for(i=0;i<64;i++)
- output[i] = t[i];
-}
-
diff --git a/src/sha3/fips202.h b/src/sha3/fips202.h
index e38de9b..40b3fa7 100755
--- a/src/sha3/fips202.h
+++ b/src/sha3/fips202.h
@@ -12,6 +12,7 @@
#define SHA3_256_RATE 136
+#if 0
void shake128_absorb(uint64_t *s, const unsigned char *input, unsigned int inputByteLen);
void shake128_squeezeblocks(unsigned char *output, unsigned long long nblocks, uint64_t *s);
void shake128(unsigned char *output, unsigned long long outlen, const unsigned char *input, unsigned long long inlen);
@@ -30,5 +31,7 @@ void cshake256_simple(unsigned char *output, unsigned long long outlen, uint16_t
void sha3_256(unsigned char *output, const unsigned char *input, unsigned int inputByteLen);
void sha3_512(unsigned char *output, const unsigned char *input, unsigned int inputByteLen);
+#endif
+
#endif
diff --git a/src/sig_bliss/bliss_b.h b/src/sig_bliss/bliss_b.h
index f31f6a3..c60800b 100755
--- a/src/sig_bliss/bliss_b.h
+++ b/src/sig_bliss/bliss_b.h
@@ -5,7 +5,10 @@
#include <stddef.h>
#include <stdlib.h>
#include <assert.h>
-#include "../sha3/fips202.h"
+//#include "../sha3/fips202.h"
+
+#include "KeccakHash.h"
+#include "SimpleFIPS202.h"
#define BLISS_B_CRYPTO_SECRETKEYBYTES 256
#define BLISS_B_CRYPTO_PUBLICKEYBYTES 85
diff --git a/src/sig_bliss/bliss_b_signatures.c b/src/sig_bliss/bliss_b_signatures.c
index 712fa78..4feee4e 100755
--- a/src/sig_bliss/bliss_b_signatures.c
+++ b/src/sig_bliss/bliss_b_signatures.c
@@ -134,7 +134,7 @@ static void generateC(uint32_t *indices, uint32_t kappa, const int32_t *n_vector
* (so that n_vector[n-1] is taken into account).
*/
hash[hash_sz - 1]++;
- sha3_512(whash, hash, hash_sz);
+ SHA3_512(whash, hash, hash_sz);
memset(array, 0, n);
@@ -234,7 +234,7 @@ static void submul_c(int32_t *z, uint32_t n, const int32_t *s, const uint32_t *c
* (2 * zeta * a * z1 + zeta * q * c + z2) == v mod 2q
*/
static void check_before_drop(const bliss_private_key_t *key, uint8_t *hash, uint32_t hash_sz,
- const int32_t *v, const int32_t *y1, const int32_t *y2, bliss_param_t *p, ntt_state_t state) {
+ const int32_t *v, const int32_t *y1, const int32_t *y2, bliss_param_t *p, ntt_state_t state) {
int32_t z1[512], z2[512], aux[512];
uint32_t c[40];
int32_t q;
@@ -473,7 +473,8 @@ int32_t bliss_b_sign(bliss_signature_t *signature, const bliss_private_key_t *p
}
/* 0: compute the hash of the msg */
- sha3_512(hash, msg, msg_sz);
+
+ SHA3_512(hash, msg, msg_sz);
// for debugging
if (false) {
@@ -828,7 +829,8 @@ int32_t bliss_b_verify(const bliss_signature_t *signature, const bliss_public_k
}
/* hash the message into the first SHA3_512_DIGEST_LENGTH bytes of the hash */
- sha3_512(hash, msg, msg_sz);
+
+ SHA3_512(hash, msg, msg_sz);
if (false) {
printf("verify hash\n");
diff --git a/src/sig_bliss/entropy.c b/src/sig_bliss/entropy.c
index 74d26e7..e7fbf3d 100755
--- a/src/sig_bliss/entropy.c
+++ b/src/sig_bliss/entropy.c
@@ -23,7 +23,7 @@ static void refresh(entropy_t *entropy, uint8_t *hash, uint32_t n) {
assert(n > 0);
while (n > 0) {
- sha3_512(hash, entropy->seed, SHA3_512_DIGEST_LENGTH);
+ SHA3_512(hash, entropy->seed, SHA3_512_DIGEST_LENGTH);
increment_seed(entropy);
hash += SHA3_512_DIGEST_LENGTH;
n --;
diff --git a/src/sig_dilithium/dilithium_poly.c b/src/sig_dilithium/dilithium_poly.c
index 4199f35..d9392df 100755
--- a/src/sig_dilithium/dilithium_poly.c
+++ b/src/sig_dilithium/dilithium_poly.c
@@ -1,6 +1,9 @@
#include <stdint.h>
#include "dilithium_poly.h"
+#include "KeccakHash.h"
+#include "SimpleFIPS202.h"
+
/*************************************************/
void poly_reduce(poly *a) {
unsigned int i;
@@ -181,18 +184,34 @@ void poly_uniform_eta(poly *a, const unsigned char seed[SEEDBYTES], unsigned cha
unsigned char inbuf[SEEDBYTES + 1];
unsigned char outbuf[2*SHAKE256_RATE];
- uint64_t state[25] = {0};
+// uint64_t state[25] = {0};
+ Keccak_HashInstance ks;
for(i= 0; i < SEEDBYTES; ++i)
inbuf[i] = seed[i];
inbuf[SEEDBYTES] = nonce;
- shake256_absorb(state, inbuf, SEEDBYTES + 1);
- shake256_squeezeblocks(outbuf, 2, state);
+// shake256_absorb(state, inbuf, SEEDBYTES + 1);
+// shake256_squeezeblocks(outbuf, 2, state);
+
+ #ifdef _WIN32
+ SHAKE256_InitAbsorb( &ks, inbuf, SEEDBYTES + 1 );
+ KECCAK_HashSqueeze( &ks, outbuf, 2 * 8 );
+ #else
+ Keccak_HashInitialize_SHAKE256( &ks );
+ Keccak_HashUpdate( &ks, inbuf, (SEEDBYTES + 1) * 8 );
+ Keccak_HashFinal( &ks, inbuf );
+ Keccak_HashSqueeze( &ks, outbuf, 2 * 8 * 8 );
+ #endif
ctr = rej_eta(a->coeffs, NN, outbuf, 2*SHAKE256_RATE, p);
if(ctr < NN) {
- shake256_squeezeblocks(outbuf, 1, state);
+// shake256_squeezeblocks(outbuf, 1, state);
+ #ifdef _WIN32
+ KECCAK_HashSqueeze( &ks, outbuf, 1 * 8 );
+ #else
+ Keccak_HashSqueeze( &ks, outbuf, 1 * 8 * 8 );
+ #endif
rej_eta(a->coeffs + ctr, NN - ctr, outbuf, SHAKE256_RATE, p);
}
}
@@ -234,20 +253,36 @@ void poly_uniform_gamma1m1(poly *a, const unsigned char seed[SEEDBYTES + CRHBYTE
unsigned char inbuf[SEEDBYTES + CRHBYTES + 2];
unsigned char outbuf[5*SHAKE256_RATE];
- uint64_t state[25] = {0};
+// uint64_t state[25] = {0};
+ Keccak_HashInstance ks;
for(i = 0; i < SEEDBYTES + CRHBYTES; ++i)
inbuf[i] = seed[i];
inbuf[SEEDBYTES + CRHBYTES] = nonce & 0xFF;
inbuf[SEEDBYTES + CRHBYTES + 1] = nonce >> 8;
- shake256_absorb(state, inbuf, SEEDBYTES + CRHBYTES + 2);
- shake256_squeezeblocks(outbuf, 5, state);
+// shake256_absorb(state, inbuf, SEEDBYTES + CRHBYTES + 2);
+// shake256_squeezeblocks(outbuf, 5, state);
+
+ #ifdef _WIN32
+ SHAKE256_InitAbsorb( &ks, inbuf, SEEDBYTES + CRHBYTES + 2 );
+ KECCAK_HashSqueeze( &ks, outbuf, 5 * 8 );
+ #else
+ Keccak_HashInitialize_SHAKE128( &ks );
+ Keccak_HashUpdate( &ks, inbuf, (SEEDBYTES + CRHBYTES + 2) * 8 );
+ Keccak_HashFinal( &ks, inbuf );
+ Keccak_HashSqueeze( &ks, outbuf, 5 * 8 * 8 );
+ #endif
ctr = rej_gamma1m1(a->coeffs, NN, outbuf, 5*SHAKE256_RATE);
if(ctr < NN) {
- shake256_squeezeblocks(outbuf, 1, state);
+// shake256_squeezeblocks(outbuf, 1, state);
+ #ifdef _WIN32
+ KECCAK_HashSqueeze( &ks, outbuf, 1 * 8 );
+ #else
+ Keccak_HashSqueeze( &ks, outbuf, 1 * 8 * 8 );
+ #endif
rej_gamma1m1(a->coeffs + ctr, NN - ctr, outbuf, SHAKE256_RATE);
}
}
diff --git a/src/sig_dilithium/dilithium_sign.c b/src/sig_dilithium/dilithium_sign.c
index d5a4543..ae0c52a 100755
--- a/src/sig_dilithium/dilithium_sign.c
+++ b/src/sig_dilithium/dilithium_sign.c
@@ -1,6 +1,9 @@
#include <stdint.h>
#include "dilithium_sign.h"
+#include "KeccakHash.h"
+#include "SimpleFIPS202.h"
+
/********************************************************************************************/
void expand_mat(polyvecl mat[], const unsigned char rho[SEEDBYTES], dilithium_param_t *p)
{
@@ -15,7 +18,7 @@ void expand_mat(polyvecl mat[], const unsigned char rho[SEEDBYTES], dilithium_pa
for(i = 0; i < p->PARAM_K; ++i) {
for(j = 0; j < p->PARAM_L; ++j) {
inbuf[SEEDBYTES] = i + (j << 4);
- shake128(outbuf, sizeof(outbuf), inbuf, SEEDBYTES + 1);
+ SHAKE128(outbuf, sizeof(outbuf), inbuf, SEEDBYTES + 1);
dilithium_poly_uniform(mat[i].vec + j, outbuf);
}
}
@@ -27,15 +30,27 @@ void challenge(poly *c, const unsigned char mu[CRHBYTES], const polyveck *w1, di
unsigned int i, b, pos;
unsigned char inbuf[CRHBYTES + p->PARAM_K * p->PARAM_POLW1_SIZE_PACKED];
unsigned char outbuf[SHAKE256_RATE];
- uint64_t state[25] = {0}, signs, mask;
+// uint64_t state[25] = {0}, signs, mask;
+ uint64_t signs, mask;
+ Keccak_HashInstance ks;
for(i = 0; i < CRHBYTES; ++i)
inbuf[i] = mu[i];
for(i = 0; i < p->PARAM_K; ++i)
polyw1_pack(inbuf + CRHBYTES + i * p->PARAM_POLW1_SIZE_PACKED, w1->vec + i);
- shake256_absorb(state, inbuf, sizeof(inbuf));
- shake256_squeezeblocks(outbuf, 1, state);
+// shake256_absorb(state, inbuf, sizeof(inbuf));
+// shake256_squeezeblocks(outbuf, 1, state);
+
+ #ifdef _WIN32
+ SHAKE256_InitAbsorb( &ks, inbuf, sizeof(inbuf) );
+ KECCAK_HashSqueeze( &ks, outbuf, 1 * 8 );
+ #else
+ Keccak_HashInitialize_SHAKE256( &ks );
+ Keccak_HashUpdate( &ks, inbuf, sizeof(inbuf) * 8 );
+ Keccak_HashFinal( &ks, inbuf );
+ Keccak_HashSqueeze( &ks, outbuf, 1 * 8 * 8 );
+ #endif
signs = 0;
for(i = 0; i < 8; ++i)
@@ -50,7 +65,13 @@ void challenge(poly *c, const unsigned char mu[CRHBYTES], const polyveck *w1, di
for(i = 196; i < 256; ++i) {
do {
if(pos >= SHAKE256_RATE) {
- shake256_squeezeblocks(outbuf, 1, state);
+// shake256_squeezeblocks(outbuf, 1, state);
+ #ifdef _WIN32
+ KECCAK_HashSqueeze( &ks, outbuf, 1 * 8 );
+ #else
+ Keccak_HashSqueeze( &ks, outbuf, 1 * 8 * 8 );
+ #endif
+
pos = 0;
}
@@ -143,7 +164,7 @@ int dilithium_crypto_sign_keypair(dilithium_public_key_t *public_key, dilithium_
randombytes(seedbuf, SEEDBYTES);
- shake256(seedbuf, 3*SEEDBYTES, seedbuf, SEEDBYTES);
+ SHAKE256(seedbuf, 3*SEEDBYTES, seedbuf, SEEDBYTES);
rho = seedbuf;
rhoprime = rho + SEEDBYTES;
key = rho + 2*SEEDBYTES;
@@ -169,7 +190,7 @@ int dilithium_crypto_sign_keypair(dilithium_public_key_t *public_key, dilithium_
polyveck_power2round(&t1, &t0, &t, p);
dilithium_pack_pk(public_key->data, rho, &t1, p);
- shake256(tr, CRHBYTES, public_key->data, p->CRYPTO_PUBLICKEYBYTES);
+ SHAKE256(tr, CRHBYTES, public_key->data, p->CRYPTO_PUBLICKEYBYTES);
dilithium_pack_sk(private_key->data, rho, key, tr, &s1, &s2, &t0, p);
free(p);
@@ -211,7 +232,7 @@ int dilithium_crypto_sign( dilithium_signature_t *sig, const unsigned char *m, u
for(i = 0; i < CRHBYTES; ++i)
sig->sig_data[p->CRYPTO_BYTES - CRHBYTES + i] = tr[i];
- shake256(mu, CRHBYTES, sig->sig_data + p->CRYPTO_BYTES - CRHBYTES, CRHBYTES + mlen);
+ SHAKE256(mu, CRHBYTES, sig->sig_data + p->CRYPTO_BYTES - CRHBYTES, CRHBYTES + mlen);
expand_mat(mat, rho, p);
polyvecl_ntt(&s1, p);
@@ -336,8 +357,8 @@ int dilithium_crypto_sign_open( unsigned char *m, unsigned long long mlen, dilit
for(i = 0; i < mlen; ++i)
tmp_m[CRHBYTES + i] = m[i];
- shake256(tmp_m, CRHBYTES, public_key->data, p->CRYPTO_PUBLICKEYBYTES);
- shake256(mu, CRHBYTES, tmp_m, CRHBYTES + mlen);
+ SHAKE256(tmp_m, CRHBYTES, public_key->data, p->CRYPTO_PUBLICKEYBYTES);
+ SHAKE256(mu, CRHBYTES, tmp_m, CRHBYTES + mlen);
free(tmp_m);
expand_mat(mat, rho, p);
diff --git a/src/sig_tesla/poly.c b/src/sig_tesla/poly.c
index 42aaa1c..996e88a 100755
--- a/src/sig_tesla/poly.c
+++ b/src/sig_tesla/poly.c
@@ -12,14 +12,14 @@ int64_t reduce(int64_t a, tesla_param_t *p) { // Montgomery reduction
u = (a * (int64_t)(p->PARAM_QINV)) & 0xFFFFFFFF;
u *= (int64_t)(p->PARAM_Q);
- a += u;
- return a >> 32;
+ a += u;
+ return a >> 32;
}
int64_t barr_reduce(int64_t a, tesla_param_t *p) { // Barrett reduction
int64_t u = ((a * (int64_t)(p->PARAM_BARR_MULT)) >> (int64_t)(p->PARAM_BARR_DIV)) * (int64_t)(p->PARAM_Q);
- return a - u;
+ return a - u;
}
void ntt(poly *a, const poly *w, tesla_param_t *p) { // Forward NTT transform
@@ -27,11 +27,11 @@ void ntt(poly *a, const poly *w, tesla_param_t *p) { // Forward NTT transform
int Par_Q = (int)(p->PARAM_Q);
int NumoProblems = p->PARAM_N >> 1, jTwiddle = 0;
- for (; NumoProblems > 0; NumoProblems >>= 1) {
- uint32_t jFirst, j = 0;
+ for (; NumoProblems > 0; NumoProblems >>= 1) {
+ uint32_t jFirst, j = 0;
for (jFirst = 0; jFirst < p->PARAM_N; jFirst = j + NumoProblems) {
- int W = w[jTwiddle++];
- for (j = jFirst; j < jFirst + NumoProblems; j++) {
+ int W = w[jTwiddle++];
+ for (j = jFirst; j < jFirst + NumoProblems; j++) {
if(p->kind <= 3) {
int temp = reduce(W * a[j + NumoProblems], p);
a[j + NumoProblems] = a[j] + (Par_Q - temp);
@@ -42,8 +42,8 @@ void ntt(poly *a, const poly *w, tesla_param_t *p) { // Forward NTT transform
a[j + NumoProblems] = barr_reduce(a[j] + (2LL * Par_Q - temp), p);
a[j] = barr_reduce(temp + a[j], p);
}
- }
- }
+ }
+ }
}
}
@@ -93,7 +93,7 @@ void nttinv(poly *a, const poly *w, tesla_param_t *p) { // Inverse NTT transform
}
}
}
- }
+ }
}
void poly_pointwise(poly *result, const poly *x, const poly *y, tesla_param_t *p) { // Pointwise polynomial multiplication result = x.y
@@ -113,7 +113,7 @@ void poly_ntt(poly *x_ntt, const poly *x, tesla_param_t *p) { // Call to NTT fun
init_mass_poly( zeta, zetainv, p);
for (i = 0; i < p->PARAM_N; i++)
- x_ntt[i] = x[i];
+ x_ntt[i] = x[i];
ntt(x_ntt, zeta, p);
free(zeta);
@@ -123,7 +123,7 @@ void poly_ntt(poly *x_ntt, const poly *x, tesla_param_t *p) { // Call to NTT fun
}
void poly_mul(poly *result, const poly *x, const poly *y, tesla_param_t *p) { // Polynomial multiplication result = x*y, with in place reduction for (X^N+1)
- // The inputs x and y are assumed to be in NTT form
+ // The inputs x and y are assumed to be in NTT form
poly *zeta = malloc(p->PARAM_N * sizeof(int64_t));
poly *zetainv = malloc(p->PARAM_N * sizeof(int64_t));
@@ -158,7 +158,7 @@ void poly_add(poly *result, const poly *x, const poly *y, tesla_param_t *p) { //
unsigned int i;
for (i = 0; i < p->PARAM_N; i++)
- result[i] = x[i] + y[i];
+ result[i] = x[i] + y[i];
}
void poly_sub(poly *result, const poly *x, const poly *y, tesla_param_t *p) { // Polynomial subtraction result = x-y
@@ -180,24 +180,27 @@ void poly_uniform(poly_k *a, const unsigned char *seed, tesla_param_t *p) {
unsigned int nblocks = p->PARAM_GEN_A;
uint32_t val1, val2, val3, val4, mask = (uint32_t)(1 << p->PARAM_Q_LOG) - 1;
unsigned char *buf = malloc(SHAKE128_RATE * nblocks * sizeof(char));
- uint16_t dmsp = 0;
-
- cshake128_simple( buf, SHAKE128_RATE * nblocks, dmsp++, seed, CRYPTO_RANDOMBYTES);
+ uint16_t dmsp = 0;
+// cshake128_simple( buf, SHAKE128_RATE * nblocks, dmsp++, seed, CRYPTO_RANDOMBYTES);
+ cSHAKE128( seed, CRYPTO_RANDOMBYTES * 8, buf, SHAKE128_RATE * nblocks * 8, NULL, 0, &dmsp, 16 );
+ ++ dmsp;
while (i < p->PARAM_K * p->PARAM_N) {
- if (pos > SHAKE128_RATE * nblocks - 4 * nbytes) {
- nblocks = 1;
- cshake128_simple(buf, SHAKE128_RATE * nblocks, dmsp++, seed, CRYPTO_RANDOMBYTES);
- pos = 0;
- }
- val1 = (*(uint32_t *) (buf + pos)) & mask;
- pos += nbytes;
- val2 = (*(uint32_t *) (buf + pos)) & mask;
- pos += nbytes;
- val3 = (*(uint32_t *) (buf + pos)) & mask;
- pos += nbytes;
- val4 = (*(uint32_t *) (buf + pos)) & mask;
- pos += nbytes;
+ if (pos > SHAKE128_RATE * nblocks - 4 * nbytes) {
+ nblocks = 1;
+// cshake128_simple(buf, SHAKE128_RATE * nblocks, dmsp++, seed, CRYPTO_RANDOMBYTES);
+ cSHAKE128( seed, CRYPTO_RANDOMBYTES * 8, buf, SHAKE128_RATE * nblocks * 8, NULL, 0, &dmsp, 16 );
+ ++ dmsp;
+ pos = 0;
+ }
+ val1 = (*(uint32_t *) (buf + pos)) & mask;
+ pos += nbytes;
+ val2 = (*(uint32_t *) (buf + pos)) & mask;
+ pos += nbytes;
+ val3 = (*(uint32_t *) (buf + pos)) & mask;
+ pos += nbytes;
+ val4 = (*(uint32_t *) (buf + pos)) & mask;
+ pos += nbytes;
if (val1 < p->PARAM_Q && i < p->PARAM_K * p->PARAM_N)
a[i++] = reduce((int64_t) val1 * p->PARAM_R2_INVN, p);
if (val2 < p->PARAM_Q && i < p->PARAM_K * p->PARAM_N)
@@ -206,7 +209,7 @@ void poly_uniform(poly_k *a, const unsigned char *seed, tesla_param_t *p) {
a[i++] = reduce((int64_t) val3 * p->PARAM_R2_INVN, p);
if (val4 < p->PARAM_Q && i < p->PARAM_K * p->PARAM_N)
a[i++] = reduce((int64_t) val4 * p->PARAM_R2_INVN, p);
- }
+ }
free(buf);
buf = NULL;
}
diff --git a/src/sig_tesla/sample.c b/src/sig_tesla/sample.c
index 9bba56a..a72fb90 100755
--- a/src/sig_tesla/sample.c
+++ b/src/sig_tesla/sample.c
@@ -13,54 +13,62 @@ void sample_y(int64_t *y, const unsigned char *seed, int nonce, tesla_param_t *p
unsigned int i = 0, pos = 0, nblocks = p->PARAM_N;
unsigned int nbytes = ((p->PARAM_B_BITS + 1) + 7) / 8;
unsigned char *buf = malloc(p->PARAM_N * nbytes * sizeof(char) + 1);
- int16_t dmsp = (int16_t)(nonce << 8);
+ int16_t dmsp = (int16_t)(nonce << 8);
uint32_t NBLOCKS_SHAKE = 0;
if(p->kind == 0 || p->kind == 3) {
- cshake128_simple((uint8_t *) buf, p->PARAM_N * nbytes, dmsp++, seed, CRYPTO_RANDOMBYTES);
+// cshake128_simple((uint8_t *) buf, p->PARAM_N * nbytes, dmsp++, seed, CRYPTO_RANDOMBYTES);
+ cSHAKE128( seed, CRYPTO_RANDOMBYTES * 8, (uint8_t *) buf, p->PARAM_N * nbytes * 8, NULL, 0, &dmsp, 16 );
+ ++dmsp;
NBLOCKS_SHAKE = SHAKE128_RATE / (((p->PARAM_B_BITS + 1) + 7) / 8);
}
else {
- cshake256_simple((uint8_t *) buf, p->PARAM_N * nbytes, dmsp++, seed, CRYPTO_RANDOMBYTES);
+// cshake256_simple((uint8_t *) buf, p->PARAM_N * nbytes, dmsp++, seed, CRYPTO_RANDOMBYTES);
+ cSHAKE256( seed, CRYPTO_RANDOMBYTES * 8, (uint8_t *) buf, p->PARAM_N * nbytes * 8, NULL, 0, &dmsp, 16 );
+ ++dmsp;
NBLOCKS_SHAKE = SHAKE256_RATE / (((p->PARAM_B_BITS + 1) + 7) / 8);
}
while (i < p->PARAM_N) {
- if (pos >= nblocks * nbytes) {
+ if (pos >= nblocks * nbytes) {
if(p->kind == 0 || p->kind == 3) {
nblocks = NBLOCKS_SHAKE;
- cshake128_simple((uint8_t *) buf, SHAKE128_RATE, dmsp++, seed, CRYPTO_RANDOMBYTES);
+// cshake128_simple((uint8_t *) buf, SHAKE128_RATE, dmsp++, seed, CRYPTO_RANDOMBYTES);
+ cSHAKE128( seed, CRYPTO_RANDOMBYTES * 8, (uint8_t *) buf, SHAKE128_RATE * 8, NULL, 0, &dmsp, 16 );
+ ++dmsp;
}
else {
nblocks = NBLOCKS_SHAKE;
- cshake256_simple((uint8_t *) buf, SHAKE256_RATE, dmsp++, seed, CRYPTO_RANDOMBYTES);
+// cshake256_simple((uint8_t *) buf, SHAKE256_RATE, dmsp++, seed, CRYPTO_RANDOMBYTES);
+ cSHAKE256( seed, CRYPTO_RANDOMBYTES * 8, (uint8_t *) buf, SHAKE256_RATE * 8, NULL, 0, &dmsp, 16 );
+ ++dmsp;
}
- pos = 0;
- }
+ pos = 0;
+ }
y[i] = (*(uint32_t *) (buf + pos)) & ((1 << (p->PARAM_B_BITS + 1)) - 1);
y[i] -= (int64_t)(p->PARAM_B);
if (y[i] != (1 << p->PARAM_B_BITS))
- i++;
- pos += nbytes;
- }
+ i++;
+ pos += nbytes;
+ }
free(buf);
buf = NULL;
}
static int64_t mod7(int64_t k) { // Compute k modulo 7
- int64_t i = k;
+ int64_t i = k;
int j;
for ( j = 0; j < 2; j++) {
- i = (i & 7) + (i >> 3);
- }
- // i <= 7 at this point. If (i == 7) return 0, else return i
- return ((i - 7) >> 3) & i;
+ i = (i & 7) + (i >> 3);
+ }
+ // i <= 7 at this point. If (i == 7) return 0, else return i
+ return ((i - 7) >> 3) & i;
}
static uint32_t Bernoulli(int64_t r, int64_t t, tesla_param_t *p) { // Sample a bit from Bernoulli
- // Restriction: 20-bit exponent
+ // Restriction: 20-bit exponent
if(p->kind == 0) {
static const double exp[3][32] = {
{
@@ -669,11 +677,15 @@ void sample_gauss_poly(int64_t *x, const unsigned char *seed, int nonce, tesla_p
{0x0321020100200100LL, 0x0200010000200001LL},
};
- cshake128_simple(seed_ex, (p->PARAM_N) * 8, dmsp++, seed, CRYPTO_RANDOMBYTES);
+// cshake128_simple(seed_ex, (p->PARAM_N) * 8, dmsp++, seed, CRYPTO_RANDOMBYTES);
+ cSHAKE128( seed, CRYPTO_RANDOMBYTES * 8, seed_ex, (p->PARAM_N) * 8 * 8, NULL, 0, &dmsp, 16 );
+ ++dmsp;
for (x_ind = 0; x_ind < (int64_t)(p->PARAM_N); x_ind++) {
if ((j + 46) > (int64_t)(p->PARAM_N)) {
- cshake128_simple((uint8_t *) buf, (p->PARAM_N) * 8, dmsp++, seed, CRYPTO_RANDOMBYTES);
+// cshake128_simple((uint8_t *) buf, (p->PARAM_N) * 8, dmsp++, seed, CRYPTO_RANDOMBYTES);
+ cSHAKE128( seed, CRYPTO_RANDOMBYTES * 8, (uint8_t *) buf, (p->PARAM_N) * 8 * 8, NULL, 0, &dmsp, 16 );
+ ++dmsp;
j = 0;
}
do {
@@ -760,11 +772,15 @@ void sample_gauss_poly(int64_t *x, const unsigned char *seed, int nonce, tesla_p
{0x0000032102010020LL, 0x0100020001000020LL, 0x0001000002000001LL},
};
- cshake256_simple(seed_ex, (p->PARAM_N) * 8, dmsp++, seed, CRYPTO_RANDOMBYTES);
+// cshake256_simple(seed_ex, (p->PARAM_N) * 8, dmsp++, seed, CRYPTO_RANDOMBYTES);
+ cSHAKE256( seed, CRYPTO_RANDOMBYTES * 8, seed_ex, (p->PARAM_N) * 8 * 8, NULL, 0, &dmsp, 16 );
+ ++dmsp;
for (x_ind = 0; x_ind < (int64_t)(p->PARAM_N); x_ind++) {
if ((j + 46) > (int64_t)(p->PARAM_N)) {
- cshake256_simple((uint8_t *) buf, (p->PARAM_N) * 8, dmsp++, seed, CRYPTO_RANDOMBYTES);
+// cshake256_simple((uint8_t *) buf, (p->PARAM_N) * 8, dmsp++, seed, CRYPTO_RANDOMBYTES);
+ cSHAKE256( seed, CRYPTO_RANDOMBYTES * 8, (uint8_t *) buf, (p->PARAM_N) * 8 * 8, NULL, 0, &dmsp, 16 );
+ ++dmsp;
j = 0;
}
@@ -846,38 +862,42 @@ void sample_gauss_poly(int64_t *x, const unsigned char *seed, int nonce, tesla_p
void encode_c(uint32_t *pos_list, int16_t *sign_list, unsigned char *c_bin, tesla_param_t *p) { // Encoding of c' by mapping the output of the hash function H to an N-element vector with entries {-1,0,1}
uint32_t i;
- int pos, cnt = 0;
+ int pos, cnt = 0;
int16_t *c = malloc(p->PARAM_N * sizeof(int16_t));
- const int RLENGTH = SHAKE128_RATE;
+ const int RLENGTH = SHAKE128_RATE;
unsigned char *r = malloc(RLENGTH * sizeof(char));
- uint16_t dmsp = 0;
+ uint16_t dmsp = 0;
- // Use the hash value as key to generate some randomness
- cshake128_simple(r, RLENGTH, dmsp++, c_bin, CRYPTO_RANDOMBYTES);
+ // Use the hash value as key to generate some randomness
+// cshake128_simple(r, RLENGTH, dmsp++, c_bin, CRYPTO_RANDOMBYTES);
+ cSHAKE128( c_bin, CRYPTO_RANDOMBYTES * 8, r, RLENGTH * 8, NULL, 0, &dmsp, 16 );
+ ++dmsp;
- // Use rejection sampling to determine positions to be set in the new vector
+ // Use rejection sampling to determine positions to be set in the new vector
for (i = 0; i < p->PARAM_N; i++)
- c[i] = 0;
+ c[i] = 0;
for (i = 0; i < p->PARAM_W;) { // Sample a unique position k times. Use two bytes
- if (cnt > (RLENGTH - 3)) {
- cshake128_simple(r, RLENGTH, dmsp++, c_bin, CRYPTO_RANDOMBYTES);
- cnt = 0;
- }
- pos = (r[cnt] << 8) | (r[cnt + 1]);
+ if (cnt > (RLENGTH - 3)) {
+// cshake128_simple(r, RLENGTH, dmsp++, c_bin, CRYPTO_RANDOMBYTES);
+ cSHAKE128( c_bin, CRYPTO_RANDOMBYTES * 8, r, RLENGTH * 8, NULL, 0, &dmsp, 16 );
+ ++dmsp;
+ cnt = 0;
+ }
+ pos = (r[cnt] << 8) | (r[cnt + 1]);
pos = pos & ((p->PARAM_N) - 1); // Position is in the range [0,N-1]
- if (c[pos] == 0) { // Position has not been set yet. Determine sign
- if ((r[cnt + 2] & 1) == 1)
- c[pos] = -1;
- else
- c[pos] = 1;
- pos_list[i] = pos;
- sign_list[i] = c[pos];
- i++;
- }
- cnt += 3;
- }
+ if (c[pos] == 0) { // Position has not been set yet. Determine sign
+ if ((r[cnt + 2] & 1) == 1)
+ c[pos] = -1;
+ else
+ c[pos] = 1;
+ pos_list[i] = pos;
+ sign_list[i] = c[pos];
+ i++;
+ }
+ cnt += 3;
+ }
free(c);
free(r);
c = NULL;
diff --git a/src/sig_tesla/sign.c b/src/sig_tesla/sign.c
index 059c799..2575b1c 100755
--- a/src/sig_tesla/sign.c
+++ b/src/sig_tesla/sign.c
@@ -389,9 +389,9 @@ void hash_vm(unsigned char *c_bin, poly_k *v, const unsigned char *m, unsigned l
memcpy(&t[p->PARAM_K * p->PARAM_N], m, mlen);
if(p->kind == 0 || p->kind == 3)
- shake128(c_bin, CRYPTO_C_BYTES, t, p->PARAM_K * p->PARAM_N + mlen);
+ SHAKE128(c_bin, CRYPTO_C_BYTES, t, p->PARAM_K * p->PARAM_N + mlen);
else
- shake256(c_bin, CRYPTO_C_BYTES, t, p->PARAM_K * p->PARAM_N + mlen);
+ SHAKE256(c_bin, CRYPTO_C_BYTES, t, p->PARAM_K * p->PARAM_N + mlen);
free(t);
t = NULL;
@@ -667,9 +667,9 @@ int tesla_crypto_sign_keypair(tesla_public_key_t *public_key, tesla_private_key_
randombytes(randomness, CRYPTO_RANDOMBYTES);
if(p->kind == 0 || p->kind == 3)
- shake128(randomness_extended, ((p->PARAM_K) + 3) * CRYPTO_SEEDBYTES, randomness, CRYPTO_RANDOMBYTES);
+ SHAKE128(randomness_extended, ((p->PARAM_K) + 3) * CRYPTO_SEEDBYTES, randomness, CRYPTO_RANDOMBYTES);
else
- shake256(randomness_extended, ((p->PARAM_K) + 3) * CRYPTO_SEEDBYTES, randomness, CRYPTO_RANDOMBYTES);
+ SHAKE256(randomness_extended, ((p->PARAM_K) + 3) * CRYPTO_SEEDBYTES, randomness, CRYPTO_RANDOMBYTES);
poly *s = malloc(p->PARAM_N * sizeof(int64_t));
poly *s_ntt = malloc(p->PARAM_N * sizeof(int64_t));
@@ -769,9 +769,9 @@ int tesla_crypto_sign( tesla_signature_t *sig, const unsigned char *m, unsigned
memcpy(randomness_input + CRYPTO_RANDOMBYTES + CRYPTO_SEEDBYTES, m, mlen);
if(p->kind == 0 || p->kind == 3)
- shake128(randomness, CRYPTO_SEEDBYTES, randomness_input, CRYPTO_RANDOMBYTES + CRYPTO_SEEDBYTES + mlen);
+ SHAKE128(randomness, CRYPTO_SEEDBYTES, randomness_input, CRYPTO_RANDOMBYTES + CRYPTO_SEEDBYTES + mlen);
else
- shake256(randomness, CRYPTO_SEEDBYTES, randomness_input, CRYPTO_RANDOMBYTES + CRYPTO_SEEDBYTES + mlen);
+ SHAKE256(randomness, CRYPTO_SEEDBYTES, randomness_input, CRYPTO_RANDOMBYTES + CRYPTO_SEEDBYTES + mlen);
uint32_t *pos_list = malloc(p->PARAM_W * sizeof(uint32_t));
int16_t *sign_list = malloc(p->PARAM_W * sizeof(uint16_t));
--
GitLab