CMakeLists.txt

@@ -2,7 +2,7 @@ project(cellframe-sdk C)
 cmake_minimum_required(VERSION 2.8)
 
 set(CMAKE_C_STANDARD 11)
-set(CELLFRAME_SDK_NATIVE_VERSION "2.2-1")
+set(CELLFRAME_SDK_NATIVE_VERSION "2.3-1")
 add_definitions ("-DCELLFRAME_SDK_VERSION=\"${CELLFRAME_SDK_NATIVE_VERSION}\"")
 
 set(DAPSDK_MODULES "")

dap-sdk/core/libdap.pri

@@ -2,19 +2,21 @@ QMAKE_CFLAGS_DEBUG = -std=gnu11
 QMAKE_CFLAGS_RELEASE = -std=gnu11
 unix {
     include(src/unix/unix.pri)
+    DEFINES += DAP_OS_UNIX
     LIBS += -lrt
 }
 darwin {
     include(src/darwin/darwin.pri)
+    DEFINES += DAP_OS_DARWIN
     LIBS -= -lrt
 }
 
 win32 {
     include(src/win32/win32.pri)
     LIBS += -lpsapi
+    DEFINES += DAP_OS_WINDOWS
 }
 
-DEFINES += DAP_LOG_MT
 HEADERS += $$PWD/include/dap_common.h \
     $$PWD/include/dap_config.h \
     $$PWD/include/dap_math_ops.h \

dap-sdk/core/src/unix/linux/linux.pri

@@ -3,3 +3,4 @@ HEADERS += $$PWD/dap_network_monitor.h \
 SOURCES += $$PWD/dap_network_monitor.c \
 
 INCLUDEPATH += $$PWD
+DEFINES += DAP_OS_LINUX

dap-sdk/crypto/CMakeLists.txt

@@ -16,6 +16,7 @@ file( GLOB CRYPTO_SRCS
       src/sha3/*.c
       src/msrln/*.c
       src/defeo_scheme/*.c
+      src/newhope/*.c
       src/sig_bliss/*.c
       src/sig_tesla/*.c
       src/sig_picnic/*.c
@@ -35,6 +36,7 @@ file( GLOB CRYPTO_HEADERS
       src/sha3/*.h
       src/msrln/*.h
       src/defeo_scheme/*.h
+      src/newhope/*.h
       src/sig_bliss/*.h
       src/sig_tesla/*.h
       src/sig_picnic/*.h

dap-sdk/crypto/include/dap_enc_SEED.h

@@ -3,7 +3,7 @@
 
 #include <stddef.h>
 #include "dap_enc_key.h"
-#include "seed.h"
+#include "seed/seed.h"
 
 #ifdef __cplusplus
 extern "C" {

dap-sdk/crypto/include/dap_enc_newhope.h

+/*
+ * Authors:
+ * Dmitriy A. Gearasimov <naeper@demlabs.net>
+ * Demlabs Limited   https://demlabs.net
+ * Sources community https://gitlab.demlabs.net/cellframe/cellframe-sdk/dap-sdk
+ * Copyright  (c) 2017-2020
+ * All rights reserved.
+
+ This file is part of DAP SDK the open source project
+
+    DAP SDK is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    DAP is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with any DAP based project.  If not, see <http://www.gnu.org/licenses/>.
+*/
+#pragma once
+
+#include "newhope/newhope_cpakem.h"
+#include "dap_enc_key.h"
+
+
+///========================================================================
+typedef enum{
+    NEWHOPE_TOY = 0, NEWHOPE_1024
+}DAP_NEWHOPE_SIGN_SECURITY;
+
+typedef struct {
+  DAP_NEWHOPE_SIGN_SECURITY kind;                 /* the kind of ringct20       */
+  unsigned char *data;
+}newhope_public_key_t;
+
+
+typedef struct {
+  DAP_NEWHOPE_SIGN_SECURITY kind;    //  the kind of Dilithium (i.e. *this* choice of parameters)
+} newhope_param_t;
+
+///==========================================================================================
+typedef struct {
+  DAP_NEWHOPE_SIGN_SECURITY kind;                 /* the kind of ringct20       */
+  unsigned char *data;
+} newhope_private_key_t;
+
+typedef struct {
+  DAP_NEWHOPE_SIGN_SECURITY kind;                      /* the kind of ringct20       */
+  unsigned char *sig_data;
+  unsigned long long sig_len;
+} newhope_signature_t;
+
+
+void dap_enc_newhope_pke_set_type(DAP_NEWHOPE_SIGN_SECURITY type);
+
+void dap_enc_newhope_kem_key_new(struct dap_enc_key *key);
+
+void dap_enc_newhope_kem_key_new_generate(struct dap_enc_key * key, const void *kex_buf,
+                                    size_t kex_size, const void * seed, size_t seed_size,
+                                    size_t key_size);
+
+size_t dap_enc_newhope_pbk_enc(struct dap_enc_key * a_key, const void * a_pub,
+        size_t a_pub_size, void ** b_pub);
+size_t dap_enc_newhope_prk_dec(struct dap_enc_key * a_key, const void *a_priv,
+                               size_t b_pub_size, unsigned char *b_pub);
+void dap_enc_newhope_kem_key_delete(struct dap_enc_key * key);
+
+//size_t dap_enc_newhope_calc_signature_unserialized_size(void);
+
+//static inline size_t dap_enc_newhope_calc_signagture_size(newhope_signature_t* a_sign)
+//{
+//    return sizeof(size_t) + sizeof(newhope_kind_t) + a_sign->sig_len + sizeof(unsigned long long);
+//}
+
+//uint8_t* dap_enc_newhope_write_signature(newhope_signature_t* a_sign, size_t *a_sign_out);
+//newhope_signature_t* dap_enc_newhope_read_signature(uint8_t *a_buf, size_t a_buflen);
+//uint8_t* dap_enc_newhope_write_private_key(const newhope_private_key_t* a_private_key, size_t *a_buflen_out);
+//uint8_t* dap_enc_newhope_write_public_key(const newhope_public_key_t* a_public_key, size_t *a_buflen_out);
+//newhope_private_key_t* dap_enc_newhope_read_private_key(const uint8_t *a_buf, size_t a_buflen);
+//newhope_public_key_t* dap_enc_newhope_read_public_key(const uint8_t *a_buf, size_t a_buflen);
+

dap-sdk/crypto/libdap-crypto.pri

@@ -13,6 +13,7 @@ include (src/sig_tesla/sig_tesla.pri)
 include (src/sig_dilithium/sig_dilithium.pri)
 include (src/ringct20/ringct20.pri)
 include (src/seed/seed.pri)
+include (src/newhope/newhope.pri)
 
 DEFINES += KeccakP1600timesN_excluded
 
@@ -33,6 +34,7 @@ HEADERS += $$PWD/include/dap_enc.h \
     $$PWD/include/dap_enc_ringct20.h \
     $$PWD/include/dap_enc_salsa2012.h \
     $$PWD/include/dap_enc_SEED.h \
+    $$PWD/include/dap_enc_newhope.h \
     $$PWD/include/dap_crypto_common.h \
     $$PWD/include/dap_cert.h \
     $$PWD/include/dap_cert_file.h \
@@ -70,6 +72,7 @@ SOURCES += $$PWD/src/dap_enc.c \
     $$PWD/src/dap_hash_fusion.c \
     $$PWD/src/dap_hash_keccak.c \
     $$PWD/src/dap_enc_SEED.c \
+    $$PWD/src/dap_enc_newhope.c \
     $$PWD/src/XKCP/lib/high/Keccak/FIPS202/SimpleFIPS202.c \
     $$PWD/src/XKCP/lib/high/Keccak/SP800-185/SP800-185.c \
     $$PWD/src/XKCP/lib/high/Keccak/SP800-185/SP800-185.inc

dap-sdk/crypto/src/dap_enc_key.c

@@ -36,7 +36,7 @@
 #include "dap_enc_bliss.h"
 #include "dap_enc_tesla.h"
 #include "dap_enc_dilithium.h"
-//#include "dap_enc_newhope.h"
+#include "dap_enc_newhope.h"
 
 #include "dap_enc_ringct20.h"
 
@@ -236,24 +236,24 @@ struct dap_enc_key_callbacks{
         .sign_get = NULL,
         .sign_verify = NULL
     },
-//    [DAP_ENC_KEY_TYPE_RLWE_NEWHOPE_CPA_KEM]={
-//        .name = "NEWHOPE_CPA_KEM",
-//        .enc = NULL,
-//        .dec = NULL,
-//        .enc_na = NULL,
-//        .dec_na = NULL,
-//        .gen_key_public = NULL,
-//        .gen_key_public_size = NULL,
-//        .gen_bob_shared_key = dap_enc_newhope_pbk_enc,
-//        .gen_alice_shared_key = dap_enc_newhope_prk_dec,
-//        .new_callback = dap_enc_newhope_kem_key_new,
-//        .delete_callback = dap_enc_newhope_kem_key_delete,
-//        .new_generate_callback = dap_enc_newhope_kem_key_new_generate,
-//        .enc_out_size = NULL,
-//        .dec_out_size = NULL,
-//        .sign_get = NULL,
-//        .sign_verify = NULL
-//    },
+    [DAP_ENC_KEY_TYPE_RLWE_NEWHOPE_CPA_KEM]={
+        .name = "NEWHOPE_CPA_KEM",
+        .enc = NULL,
+        .dec = NULL,
+        .enc_na = NULL,
+        .dec_na = NULL,
+        .gen_key_public = NULL,
+        .gen_key_public_size = NULL,
+        .gen_bob_shared_key = dap_enc_newhope_pbk_enc,
+        .gen_alice_shared_key = dap_enc_newhope_prk_dec,
+        .new_callback = dap_enc_newhope_kem_key_new,
+        .delete_callback = dap_enc_newhope_kem_key_delete,
+        .new_generate_callback = dap_enc_newhope_kem_key_new_generate,
+        .enc_out_size = NULL,
+        .dec_out_size = NULL,
+        .sign_get = NULL,
+        .sign_verify = NULL
+    },
     //------Signatures---------------------------
     [DAP_ENC_KEY_TYPE_SIG_PICNIC]={
         .name = "PICNIC",

dap-sdk/crypto/src/dap_enc_newhope.c

+/*
+ * Authors:
+ * Dmitriy A. Gearasimov <naeper@demlabs.net>
+ * Demlabs Limited   https://demlabs.net
+ * Sources community https://gitlab.demlabs.net/cellframe/cellframe-sdk/dap-sdk
+ * Copyright  (c) 2017-2020
+ * All rights reserved.
+
+ This file is part of DAP SDK the open source project
+
+    DAP SDK is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    DAP is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with any DAP based project.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <stdio.h>
+#include <string.h>
+#include <assert.h>
+#include <inttypes.h>
+
+#include "dap_enc_newhope.h"
+#include "dap_common.h"
+#include "rand/dap_rand.h"
+#include "newhope/newhope_cpapke.h"
+#include "newhope/newhope_params.h"
+
+
+#define LOG_TAG "dap_enc_newhope_pke"
+
+DAP_NEWHOPE_SIGN_SECURITY _newhope_type = NEWHOPE_1024; // by default
+
+
+void dap_enc_newhope_pke_set_type(DAP_NEWHOPE_SIGN_SECURITY type)
+{
+    _newhope_type = type;
+}
+
+void dap_enc_newhope_kem_key_new(struct dap_enc_key *key) {
+
+    key->type = DAP_ENC_KEY_TYPE_RLWE_NEWHOPE_CPA_KEM;
+    key->enc = NULL;
+    key->enc_na = NULL;
+    key->dec_na = NULL;
+    key->gen_bob_shared_key= dap_enc_newhope_pbk_enc;
+    key->gen_alice_shared_key = dap_enc_newhope_prk_dec;
+    key->priv_key_data  = NULL;
+    key->pub_key_data   = NULL;
+
+}
+
+void dap_enc_newhope_kem_key_new_generate(struct dap_enc_key * a_key, const void *kex_buf,
+        size_t kex_size, const void * seed, size_t seed_size,
+        size_t key_size)
+{
+    UNUSED(kex_buf);
+    UNUSED(key_size);
+    UNUSED(seed);
+    DAP_NEWHOPE_SIGN_SECURITY newhope_type = NEWHOPE_1024;
+    dap_enc_newhope_pke_set_type(newhope_type);
+
+
+    a_key->priv_key_data_size = sizeof(newhope_private_key_t);
+    a_key->pub_key_data_size = sizeof(newhope_public_key_t);
+    a_key->priv_key_data = DAP_NEW_SIZE(uint8_t, a_key->priv_key_data_size);
+    a_key->pub_key_data = DAP_NEW_SIZE(uint8_t, a_key->pub_key_data_size);
+    newhope_private_key_t *sk = (newhope_private_key_t *)a_key->priv_key_data;
+    newhope_public_key_t  *pk = (newhope_public_key_t  *)a_key->pub_key_data;
+    sk->kind = newhope_type;
+    sk->data = DAP_NEW_SIZE(uint8_t, NEWHOPE_CPAPKE_SECRETKEYBYTES);
+    pk->kind = newhope_type;
+    pk->data = DAP_NEW_SIZE(uint8_t, NEWHOPE_CPAPKE_PUBLICKEYBYTES);
+    cpapke_keypair(pk->data, sk->data);
+    return;
+}
+
+size_t dap_enc_newhope_pbk_enc(struct dap_enc_key * a_key, const void * a_pub,
+        size_t a_pub_size, void ** a_sendb)
+{
+    if(a_pub_size != sizeof (newhope_public_key_t))
+    {
+        log_it(L_ERROR, "newhope wrong a_pub_size");
+        return 0;
+    }
+    newhope_public_key_t *pk = (newhope_public_key_t*)a_pub;
+
+    *a_sendb = DAP_NEW_SIZE(uint8_t, NEWHOPE_CPAKEM_CIPHERTEXTBYTES);
+            //Bob derives a secret key and creates a response
+    uint8_t key_b[NEWHOPE_SYMBYTES];
+    crypto_kem_enc(*a_sendb, key_b, pk->data);
+    //Save Bob shared key
+    a_key->priv_key_data_size = NEWHOPE_SYMBYTES;
+    a_key->priv_key_data = DAP_NEW_SIZE(uint8_t, a_key->priv_key_data_size);
+    a_key->pub_key_data_size = sizeof(newhope_public_key_t);
+    a_key->pub_key_data = DAP_NEW_SIZE(uint8_t, a_key->pub_key_data_size);
+    newhope_public_key_t *cur_pk = (newhope_public_key_t*)a_key->pub_key_data;
+    cur_pk->data = NULL;
+    cur_pk->kind = pk->kind;
+
+    memcpy(a_key->priv_key_data, key_b, a_key->priv_key_data_size);
+    return NEWHOPE_CPAKEM_CIPHERTEXTBYTES;
+}
+
+size_t dap_enc_newhope_prk_dec(struct dap_enc_key * a_key, const void *a_priv,
+                               size_t a_sendb_size, unsigned char *a_sendb)
+{
+    if(a_sendb_size != NEWHOPE_CPAKEM_CIPHERTEXTBYTES)
+    {
+        log_it(L_ERROR, "newhope wrong size of ciphertext (Bob send");
+        return 0;
+    }
+    newhope_private_key_t *sk = a_key->priv_key_data;
+
+    uint8_t key_a[NEWHOPE_SYMBYTES];
+    uint8_t sendb[NEWHOPE_CPAKEM_CIPHERTEXTBYTES];
+    memcpy(sendb, a_sendb, NEWHOPE_CPAKEM_CIPHERTEXTBYTES);
+    crypto_kem_dec(key_a, sendb, sk->data);
+    DAP_DEL_Z(sk->data);
+    a_key->priv_key_data_size = NEWHOPE_SYMBYTES;
+    a_key->priv_key_data = DAP_NEW_SIZE(uint8_t,a_key->priv_key_data_size);
+    memcpy(a_key->priv_key_data, key_a, a_key->priv_key_data_size);
+
+    return NEWHOPE_SYMBYTES;//return (newhope_crypto_sign_open( (unsigned char *) msg, msg_size, (newhope_signature_t *) signature, a_key->pub_key_data));
+}
+
+void dap_enc_newhope_kem_key_delete(struct dap_enc_key * a_key)
+{
+
+    newhope_private_key_t *sk = (newhope_private_key_t *)a_key->priv_key_data;
+    newhope_public_key_t  *pk = (newhope_public_key_t  *)a_key->pub_key_data;
+    if(sk != NULL && a_key->priv_key_data_size != NEWHOPE_SYMBYTES)
+        DAP_DEL_Z(sk->data);
+    if(pk != NULL)
+        DAP_DEL_Z(pk->data);
+}
+

dap-sdk/crypto/src/defeo_scheme/defeo_config.h

@@ -32,10 +32,12 @@
 #define NBYTES_TO_NWORDS(nbytes)    (((nbytes)+sizeof(digit_t)-1)/sizeof(digit_t))           // Conversion macro from number of bytes to number of computer words
 
 // Macro to avoid compiler warnings when detecting unreferenced parameters
+#ifndef UNREFERENCED_PARAMETER
 #define UNREFERENCED_PARAMETER(PAR) ((void)(PAR))
+#endif
 
-#define PASSED    0
-#define FAILED    1
+#define PASSED_DEFEO    0
+#define FAILED_DEFEO  1
 
 /********************** Constant-time unsigned comparisons ***********************/
 

dap-sdk/crypto/src/msrln/msrln_priv.h

@@ -28,7 +28,9 @@ extern "C" {
 #define NBYTES_TO_NWORDS(nbytes)    (((nbytes)+sizeof(digit_t)-1)/sizeof(digit_t))           // Conversion macro from number of bytes to number of computer words
 
 // Macro to avoid compiler warnings when detecting unreferenced parameters
+#ifndef UNREFERENCED_PARAMETER
 #define UNREFERENCED_PARAMETER(PAR) ((void)PAR)
+#endif
 
 
 /******************** Function prototypes *******************/

dap-sdk/crypto/src/newhope/newhope.pri

+INCLUDEPATH += $$PW
+HEADERS += $$PWD/newhope_api.h  $$PWD/newhope_cpakem.h  $$PWD/newhope_cpapke.h  $$PWD/newhope_ntt.h  $$PWD/newhope_params.h  $$PWD/newhope_poly.h  $$PWD/newhope_reduce.h
+SOURCES += $$PWD/newhope_cpakem.c  $$PWD/newhope_cpapke.c  $$PWD/newhope_ntt.c  $$PWD/newhope_poly.c  $$PWD/newhope_precomp.c  $$PWD/newhope_reduce.c

dap-sdk/crypto/src/newhope/newhope_api.h

+#pragma once
+#include "newhope_cpakem.h"
+

dap-sdk/crypto/src/newhope/newhope_cpakem.c

+#include <string.h>
+#include "newhope_api.h"
+#include "newhope_cpapke.h"
+#include "newhope_params.h"
+#include "rand/dap_rand.h"
+#include "sha3/fips202.h"
+
+/*************************************************
+* Name:        crypto_kem_keypair
+*
+* Description: Generates public and private key
+*              for CCA secure NewHope key encapsulation
+*              mechanism
+*
+* Arguments:   - unsigned char *pk: pointer to output public key (an already allocated array of CRYPTO_PUBLICKEYBYTES bytes)
+*              - unsigned char *sk: pointer to output private key (an already allocated array of CRYPTO_SECRETKEYBYTES bytes)
+*
+* Returns 0 (success)
+**************************************************/
+int crypto_kem_keypair(unsigned char *pk, unsigned char *sk)
+{
+  cpapke_keypair(pk, sk);                                                        /* First put the actual secret key into sk */
+
+  return 0;
+}
+
+/*************************************************
+* Name:        crypto_kem_enc
+*
+* Description: Generates cipher text and shared
+*              secret for given public key
+*
+* Arguments:   - unsigned char *ct:       pointer to output cipher text (an already allocated array of CRYPTO_CIPHERTEXTBYTES bytes)
+*              - unsigned char *ss:       pointer to output shared secret (an already allocated array of CRYPTO_BYTES bytes)
+*              - const unsigned char *pk: pointer to input public key (an already allocated array of CRYPTO_PUBLICKEYBYTES bytes)
+*
+* Returns 0 (success)
+**************************************************/
+int crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk)
+{
+  unsigned char buf[2*NEWHOPE_SYMBYTES];
+
+  buf[0] = 0x02;
+  randombytes(buf+1,NEWHOPE_SYMBYTES);
+
+  shake256(buf,2*NEWHOPE_SYMBYTES,buf,NEWHOPE_SYMBYTES + 1);                     /* Don't release system RNG output */
+
+  cpapke_enc(ct, buf, pk, buf+NEWHOPE_SYMBYTES);                                 /* coins are in buf+NEWHOPE_SYMBYTES */
+
+  shake256(ss, NEWHOPE_SYMBYTES, buf, NEWHOPE_SYMBYTES);                         /* hash pre-k to ss */
+  return 0;
+}
+
+
+/*************************************************
+* Name:        crypto_kem_dec
+*
+* Description: Generates shared secret for given
+*              cipher text and private key
+*
+* Arguments:   - unsigned char *ss:       pointer to output shared secret (an already allocated array of CRYPTO_BYTES bytes)
+*              - const unsigned char *ct: pointer to input cipher text (an already allocated array of CRYPTO_CIPHERTEXTBYTES bytes)
+*              - const unsigned char *sk: pointer to input private key (an already allocated array of CRYPTO_SECRETKEYBYTES bytes)
+*
+* Returns 0 (success)
+**************************************************/
+int crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk)
+{
+  cpapke_dec(ss, ct, sk);
+
+  shake256(ss, NEWHOPE_SYMBYTES, ss, NEWHOPE_SYMBYTES);                          /* hash pre-k to ss */
+
+  return 0;
+}

dap-sdk/crypto/src/newhope/newhope_cpakem.h

+#pragma once
+#include "newhope_params.h"
+
+#define CRYPTO_SECRETKEYBYTES  NEWHOPE_CPAKEM_SECRETKEYBYTES
+#define CRYPTO_PUBLICKEYBYTES  NEWHOPE_CPAKEM_PUBLICKEYBYTES
+#define CRYPTO_CIPHERTEXTBYTES NEWHOPE_CPAKEM_CIPHERTEXTBYTES
+#define CRYPTO_BYTES           NEWHOPE_SYMBYTES
+
+#if   (NEWHOPE_N == 512)
+#define CRYPTO_ALGNAME "NewHope512-CPAKEM"
+#elif (NEWHOPE_N == 1024)
+#define CRYPTO_ALGNAME "NewHope1024-CPAKEM"
+#else
+#error "NEWHOPE_N must be either 512 or 1024"
+#endif
+
+int crypto_kem_keypair(unsigned char *pk, unsigned char *sk);
+
+int crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk);
+
+int crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk);
+

dap-sdk/crypto/src/newhope/newhope_cpapke.c

+#include <stdio.h>
+#include "newhope_api.h"
+#include "newhope_poly.h"
+#include "rand/dap_rand.h"
+#include "sha3/fips202.h"
+
+/*************************************************
+* Name:        encode_pk
+* 
+* Description: Serialize the public key as concatenation of the
+*              serialization of the polynomial pk and the public seed
+*              used to generete the polynomial a.
+*
+* Arguments:   unsigned char *r:          pointer to the output serialized public key
+*              const poly_newhope *pk:            pointer to the input public-key polynomial
+*              const unsigned char *seed: pointer to the input public seed
+**************************************************/
+static void encode_pk(unsigned char *r, const poly_newhope *pk, const unsigned char *seed)
+{
+  int i;
+  poly_newhope_tobytes(r, pk);
+  for(i=0;i<NEWHOPE_SYMBYTES;i++)
+    r[NEWHOPE_POLYBYTES+i] = seed[i];
+}
+
+/*************************************************
+* Name:        decode_pk
+* 
+* Description: De-serialize the public key; inverse of encode_pk
+*
+* Arguments:   poly_newhope *pk:               pointer to output public-key polynomial
+*              unsigned char *seed:    pointer to output public seed
+*              const unsigned char *r: pointer to input byte array
+**************************************************/
+static void decode_pk(poly_newhope *pk, unsigned char *seed, const unsigned char *r)
+{
+  int i;
+  poly_newhope_frombytes(pk, r);
+  for(i=0;i<NEWHOPE_SYMBYTES;i++)
+    seed[i] = r[NEWHOPE_POLYBYTES+i];
+}
+
+/*************************************************
+* Name:        encode_c
+* 
+* Description: Serialize the ciphertext as concatenation of the
+*              serialization of the polynomial b and serialization
+*              of the compressed polynomial v
+*
+* Arguments:   - unsigned char *r: pointer to the output serialized ciphertext
+*              - const poly_newhope *b:    pointer to the input polynomial b
+*              - const poly_newhope *v:    pointer to the input polynomial v
+**************************************************/
+static void encode_c(unsigned char *r, const poly_newhope *b, const poly_newhope *v)
+{
+  poly_newhope_tobytes(r,b);
+  poly_newhope_compress(r+NEWHOPE_POLYBYTES,v);
+}
+
+/*************************************************
+* Name:        decode_c
+* 
+* Description: de-serialize the ciphertext; inverse of encode_c
+*
+* Arguments:   - poly_newhope *b:                pointer to output polynomial b
+*              - poly_newhope *v:                pointer to output polynomial v
+*              - const unsigned char *r: pointer to input byte array
+**************************************************/
+static void decode_c(poly_newhope *b, poly_newhope *v, const unsigned char *r)
+{
+  poly_newhope_frombytes(b, r);
+  poly_newhope_decompress(v, r+NEWHOPE_POLYBYTES);
+}
+
+/*************************************************
+* Name:        gen_a
+* 
+* Description: Deterministically generate public polynomial a from seed
+*
+* Arguments:   - poly_newhope *a:                   pointer to output polynomial a
+*              - const unsigned char *seed: pointer to input seed
+**************************************************/
+static void gen_a(poly_newhope *a, const unsigned char *seed)
+{
+  poly_newhope_uniform(a,seed);
+}
+
+
+/*************************************************
+* Name:        cpapke_keypair
+* 
+* Description: Generates public and private key 
+*              for the CPA public-key encryption scheme underlying
+*              the NewHope KEMs
+*
+* Arguments:   - unsigned char *pk: pointer to output public key
+*              - unsigned char *sk: pointer to output private key
+**************************************************/
+void cpapke_keypair(unsigned char *pk,
+                    unsigned char *sk)
+{
+  poly_newhope ahat, ehat, ahat_shat, bhat, shat;
+  unsigned char z[2*NEWHOPE_SYMBYTES];
+  unsigned char *publicseed = z;
+  unsigned char *noiseseed = z+NEWHOPE_SYMBYTES;
+
+  z[0] = 0x01;
+  randombytes(z+1, NEWHOPE_SYMBYTES);
+  shake256(z, 2*NEWHOPE_SYMBYTES, z, NEWHOPE_SYMBYTES + 1);
+
+  gen_a(&ahat, publicseed);
+
+  poly_newhope_sample(&shat, noiseseed, 0);
+  poly_newhope_ntt_newhope(&shat);
+
+  poly_newhope_sample(&ehat, noiseseed, 1);
+  poly_newhope_ntt_newhope(&ehat);
+
+  poly_newhope_mul_pointwise(&ahat_shat, &shat, &ahat);
+  poly_newhope_add(&bhat, &ehat, &ahat_shat);
+
+  poly_newhope_tobytes(sk, &shat);
+  encode_pk(pk, &bhat, publicseed);
+}
+
+/*************************************************
+* Name:        cpapke_enc
+* 
+* Description: Encryption function of
+*              the CPA public-key encryption scheme underlying
+*              the NewHope KEMs
+*
+* Arguments:   - unsigned char *c:          pointer to output ciphertext
+*              - const unsigned char *m:    pointer to input message (of length NEWHOPE_SYMBYTES bytes)
+*              - const unsigned char *pk:   pointer to input public key
+*              - const unsigned char *coin: pointer to input random coins used as seed
+*                                           to deterministically generate all randomness
+**************************************************/
+void cpapke_enc(unsigned char *c,
+                const unsigned char *m,
+                const unsigned char *pk,
+                const unsigned char *coin)
+{
+  poly_newhope sprime, eprime, vprime, ahat, bhat, eprimeprime, uhat, v;
+  unsigned char publicseed[NEWHOPE_SYMBYTES];
+
+  poly_newhope_frommsg(&v, m);
+
+  decode_pk(&bhat, publicseed, pk);
+  gen_a(&ahat, publicseed);
+
+  poly_newhope_sample(&sprime, coin, 0);
+  poly_newhope_sample(&eprime, coin, 1);
+  poly_newhope_sample(&eprimeprime, coin, 2);
+
+  poly_newhope_ntt_newhope(&sprime);
+  poly_newhope_ntt_newhope(&eprime);
+
+  poly_newhope_mul_pointwise(&uhat, &ahat, &sprime);
+  poly_newhope_add(&uhat, &uhat, &eprime);
+
+  poly_newhope_mul_pointwise(&vprime, &bhat, &sprime);
+  poly_newhope_invntt_newhope(&vprime);
+
+  poly_newhope_add(&vprime, &vprime, &eprimeprime);
+  poly_newhope_add(&vprime, &vprime, &v); // add message
+
+  encode_c(c, &uhat, &vprime);
+}
+
+
+/*************************************************
+* Name:        cpapke_dec
+* 
+* Description: Decryption function of
+*              the CPA public-key encryption scheme underlying
+*              the NewHope KEMs
+*
+* Arguments:   - unsigned char *m:        pointer to output decrypted message
+*              - const unsigned char *c:  pointer to input ciphertext
+*              - const unsigned char *sk: pointer to input secret key
+**************************************************/
+void cpapke_dec(unsigned char *m,
+                const unsigned char *c,
+                const unsigned char *sk)
+{
+  poly_newhope vprime, uhat, tmp, shat;
+
+  poly_newhope_frombytes(&shat, sk);
+
+  decode_c(&uhat, &vprime, c);
+  poly_newhope_mul_pointwise(&tmp, &shat, &uhat);
+  poly_newhope_invntt_newhope(&tmp);
+
+  poly_newhope_sub(&tmp, &tmp, &vprime);
+
+  poly_newhope_tomsg(m, &tmp);
+}

dap-sdk/crypto/src/newhope/newhope_cpapke.h

+#pragma once
+
+void cpapke_keypair(unsigned char *pk, 
+                    unsigned char *sk);
+
+void cpapke_enc(unsigned char *c,
+               const unsigned char *m,
+               const unsigned char *pk,
+               const unsigned char *coins);
+
+void cpapke_dec(unsigned char *m,
+               const unsigned char *c,
+               const unsigned char *sk);
+

dap-sdk/crypto/src/newhope/newhope_ntt.c

+#include "inttypes.h"
+#include "newhope_ntt.h"
+#include "newhope_params.h"
+#include "newhope_reduce.h"
+
+#if (NEWHOPE_N == 512)
+/************************************************************
+* Name:        bitrev_table
+*
+* Description: Contains bit-reversed 9-bit indices to be used to re-order 
+*              polynomials before number theoratic transform
+************************************************************/
+static uint16_t bitrev_table [512] = {
+  0,256,128,384,64,320,192,448,32,288,160,416,96,352,224,480,16,272,144,400,80,336,208,464,48,304,176,432,112,368,240,496,8,
+  264,136,392,72,328,200,456,40,296,168,424,104,360,232,488,24,280,152,408,88,344,216,472,56,312,184,440,120,376,248,504,4,
+  260,132,388,68,324,196,452,36,292,164,420,100,356,228,484,20,276,148,404,84,340,212,468,52,308,180,436,116,372,244,500,12,
+  268,140,396,76,332,204,460,44,300,172,428,108,364,236,492,28,284,156,412,92,348,220,476,60,316,188,444,124,380,252,508,2,
+  258,130,386,66,322,194,450,34,290,162,418,98,354,226,482,18,274,146,402,82,338,210,466,50,306,178,434,114,370,242,498,10,
+  266,138,394,74,330,202,458,42,298,170,426,106,362,234,490,26,282,154,410,90,346,218,474,58,314,186,442,122,378,250,506,6,
+  262,134,390,70,326,198,454,38,294,166,422,102,358,230,486,22,278,150,406,86,342,214,470,54,310,182,438,118,374,246,502,14,
+  270,142,398,78,334,206,462,46,302,174,430,110,366,238,494,30,286,158,414,94,350,222,478,62,318,190,446,126,382,254,510,1,
+  257,129,385,65,321,193,449,33,289,161,417,97,353,225,481,17,273,145,401,81,337,209,465,49,305,177,433,113,369,241,497,9,
+  265,137,393,73,329,201,457,41,297,169,425,105,361,233,489,25,281,153,409,89,345,217,473,57,313,185,441,121,377,249,505,5,
+  261,133,389,69,325,197,453,37,293,165,421,101,357,229,485,21,277,149,405,85,341,213,469,53,309,181,437,117,373,245,501,13,
+  269,141,397,77,333,205,461,45,301,173,429,109,365,237,493,29,285,157,413,93,349,221,477,61,317,189,445,125,381,253,509,3,
+  259,131,387,67,323,195,451,35,291,163,419,99,355,227,483,19,275,147,403,83,339,211,467,51,307,179,435,115,371,243,499,11,
+  267,139,395,75,331,203,459,43,299,171,427,107,363,235,491,27,283,155,411,91,347,219,475,59,315,187,443,123,379,251,507,7,
+  263,135,391,71,327,199,455,39,295,167,423,103,359,231,487,23,279,151,407,87,343,215,471,55,311,183,439,119,375,247,503,15,
+  271,143,399,79,335,207,463,47,303,175,431,111,367,239,495,31,287,159,415,95,351,223,479,63,319,191,447,127,383,255,511
+};
+
+#elif (NEWHOPE_N == 1024)
+/************************************************************
+* Name:        bitrev_table
+*
+* Description: Contains bit-reversed 10-bit indices to be used to re-order 
+*              polynomials before number theoratic transform
+************************************************************/
+static uint16_t bitrev_table[NEWHOPE_N] = {
+  0,512,256,768,128,640,384,896,64,576,320,832,192,704,448,960,32,544,288,800,160,672,416,928,96,608,352,864,224,736,480,992,
+  16,528,272,784,144,656,400,912,80,592,336,848,208,720,464,976,48,560,304,816,176,688,432,944,112,624,368,880,240,752,496,1008,
+  8,520,264,776,136,648,392,904,72,584,328,840,200,712,456,968,40,552,296,808,168,680,424,936,104,616,360,872,232,744,488,1000,
+  24,536,280,792,152,664,408,920,88,600,344,856,216,728,472,984,56,568,312,824,184,696,440,952,120,632,376,888,248,760,504,1016,
+  4,516,260,772,132,644,388,900,68,580,324,836,196,708,452,964,36,548,292,804,164,676,420,932,100,612,356,868,228,740,484,996,
+  20,532,276,788,148,660,404,916,84,596,340,852,212,724,468,980,52,564,308,820,180,692,436,948,116,628,372,884,244,756,500,1012,
+  12,524,268,780,140,652,396,908,76,588,332,844,204,716,460,972,44,556,300,812,172,684,428,940,108,620,364,876,236,748,492,1004,
+  28,540,284,796,156,668,412,924,92,604,348,860,220,732,476,988,60,572,316,828,188,700,444,956,124,636,380,892,252,764,508,1020,
+  2,514,258,770,130,642,386,898,66,578,322,834,194,706,450,962,34,546,290,802,162,674,418,930,98,610,354,866,226,738,482,994,
+  18,530,274,786,146,658,402,914,82,594,338,850,210,722,466,978,50,562,306,818,178,690,434,946,114,626,370,882,242,754,498,1010,
+  10,522,266,778,138,650,394,906,74,586,330,842,202,714,458,970,42,554,298,810,170,682,426,938,106,618,362,874,234,746,490,1002,
+  26,538,282,794,154,666,410,922,90,602,346,858,218,730,474,986,58,570,314,826,186,698,442,954,122,634,378,890,250,762,506,1018,
+  6,518,262,774,134,646,390,902,70,582,326,838,198,710,454,966,38,550,294,806,166,678,422,934,102,614,358,870,230,742,486,998,
+  22,534,278,790,150,662,406,918,86,598,342,854,214,726,470,982,54,566,310,822,182,694,438,950,118,630,374,886,246,758,502,1014,
+  14,526,270,782,142,654,398,910,78,590,334,846,206,718,462,974,46,558,302,814,174,686,430,942,110,622,366,878,238,750,494,1006,
+  30,542,286,798,158,670,414,926,94,606,350,862,222,734,478,990,62,574,318,830,190,702,446,958,126,638,382,894,254,766,510,1022,
+  1,513,257,769,129,641,385,897,65,577,321,833,193,705,449,961,33,545,289,801,161,673,417,929,97,609,353,865,225,737,481,993,
+  17,529,273,785,145,657,401,913,81,593,337,849,209,721,465,977,49,561,305,817,177,689,433,945,113,625,369,881,241,753,497,1009,
+  9,521,265,777,137,649,393,905,73,585,329,841,201,713,457,969,41,553,297,809,169,681,425,937,105,617,361,873,233,745,489,1001,
+  25,537,281,793,153,665,409,921,89,601,345,857,217,729,473,985,57,569,313,825,185,697,441,953,121,633,377,889,249,761,505,1017,
+  5,517,261,773,133,645,389,901,69,581,325,837,197,709,453,965,37,549,293,805,165,677,421,933,101,613,357,869,229,741,485,997,
+  21,533,277,789,149,661,405,917,85,597,341,853,213,725,469,981,53,565,309,821,181,693,437,949,117,629,373,885,245,757,501,1013,
+  13,525,269,781,141,653,397,909,77,589,333,845,205,717,461,973,45,557,301,813,173,685,429,941,109,621,365,877,237,749,493,1005,
+  29,541,285,797,157,669,413,925,93,605,349,861,221,733,477,989,61,573,317,829,189,701,445,957,125,637,381,893,253,765,509,1021,
+  3,515,259,771,131,643,387,899,67,579,323,835,195,707,451,963,35,547,291,803,163,675,419,931,99,611,355,867,227,739,483,995,
+  19,531,275,787,147,659,403,915,83,595,339,851,211,723,467,979,51,563,307,819,179,691,435,947,115,627,371,883,243,755,499,1011,
+  11,523,267,779,139,651,395,907,75,587,331,843,203,715,459,971,43,555,299,811,171,683,427,939,107,619,363,875,235,747,491,1003,
+  27,539,283,795,155,667,411,923,91,603,347,859,219,731,475,987,59,571,315,827,187,699,443,955,123,635,379,891,251,763,507,1019,
+  7,519,263,775,135,647,391,903,71,583,327,839,199,711,455,967,39,551,295,807,167,679,423,935,103,615,359,871,231,743,487,999,
+  23,535,279,791,151,663,407,919,87,599,343,855,215,727,471,983,55,567,311,823,183,695,439,951,119,631,375,887,247,759,503,1015,
+  15,527,271,783,143,655,399,911,79,591,335,847,207,719,463,975,47,559,303,815,175,687,431,943,111,623,367,879,239,751,495,1007,
+  31,543,287,799,159,671,415,927,95,607,351,863,223,735,479,991,63,575,319,831,191,703,447,959,127,639,383,895,255,767,511,1023
+};
+
+#else
+#error "NEWHOPE_N must be either 512 or 1024"
+#endif
+
+/*************************************************
+* Name:        bitrev_vector_newhope
+* 
+* Description: Permutes coefficients of a polynomial into bitreversed order
+*
+* Arguments:   - uint16_t* poly_newhope: pointer to in/output polynomial
+**************************************************/
+void bitrev_vector_newhope(uint16_t* poly_newhope)
+{
+    unsigned int i,r;
+    uint16_t tmp;
+
+    for(i = 0; i < NEWHOPE_N; i++)
+    {
+        r = bitrev_table[i];
+        if (i < r)
+        {
+          tmp = poly_newhope[i];
+          poly_newhope[i] = poly_newhope[r];
+          poly_newhope[r] = tmp;
+        }
+    }
+}
+
+/*************************************************
+* Name:        mul_coefficients_newhope
+* 
+* Description: Performs pointwise (coefficient-wise) multiplication
+*              of two polynomials
+* Arguments:   - uint16_t* poly_newhope:          pointer to in/output polynomial
+*              - const uint16_t* factors: pointer to input polynomial, coefficients
+*                                         are assumed to be in Montgomery representation
+**************************************************/
+void mul_coefficients_newhope(uint16_t* poly_newhope, const uint16_t* factors)
+{
+    unsigned int i;
+
+    for(i = 0; i < NEWHOPE_N; i++)
+      poly_newhope[i] = montgomery_reduce_newhope((poly_newhope[i] * factors[i]));
+}
+
+#if (NEWHOPE_N == 512)
+
+/*************************************************
+* Name:        ntt
+* 
+* Description: Computes number-theoretic transform (NTT) of
+*              a polynomial in place; inputs assumed to be in
+*              bitreversed order, output in normal order
+*
+* Arguments:   - uint16_t * a:          pointer to in/output polynomial
+*              - const uint16_t* omega: pointer to input powers of root of unity omega;
+*                                       assumed to be in Montgomery domain
+**************************************************/
+void ntt(uint16_t * a, const uint16_t* omega)
+{
+  int i, start, j, jTwiddle, distance;
+  uint16_t temp, W;
+
+
+  for(i=0;i<9;i+=2)
+  {
+    // Even level
+    distance = (1<<i);
+    for(start = 0; start < distance;start++)
+    {
+      jTwiddle = 0;
+      for(j=start;j<NEWHOPE_N-1;j+=2*distance)
+      {
+        W = omega[jTwiddle++];
+        temp = a[j];
+        a[j] = (temp + a[j + distance]); // Omit reduction (be lazy)
+        a[j + distance] = montgomery_reduce_newhope((W * ((uint32_t)temp + 3*NEWHOPE_Q - a[j + distance])));
+      }
+    }
+    if(i+1<9){
+      // Odd level
+      distance <<= 1;
+      for(start = 0; start < distance;start++)
+      {
+        jTwiddle = 0;
+        for(j=start;j<NEWHOPE_N-1;j+=2*distance)
+        {
+          W = omega[jTwiddle++];
+          temp = a[j];
+          a[j] = (temp + a[j + distance]) % NEWHOPE_Q;
+          a[j + distance] = montgomery_reduce_newhope((W * ((uint32_t)temp + 3*NEWHOPE_Q - a[j + distance])));
+        }
+      }
+    }
+  }
+}
+
+#elif (NEWHOPE_N == 1024)
+
+void /*************************************************
+* Name:        ntt
+* 
+* Description: Computes number-theoretic transform (NTT) of
+*              a polynomial in place; inputs assumed to be in
+*              bitreversed order, output in normal order
+*
+* Arguments:   - uint16_t * a:          pointer to in/output polynomial
+*              - const uint16_t* omega: pointer to input powers of root of unity omega;
+*                                       assumed to be in Montgomery domain
+**************************************************/
+ntt_newhope(uint16_t * a, const uint16_t* omega)
+{
+  int i, start, j, jTwiddle, distance;
+  uint16_t temp, W;
+
+
+  for(i=0;i<10;i+=2)
+  {
+    // Even level
+    distance = (1<<i);
+    for(start = 0; start < distance;start++)
+    {
+      jTwiddle = 0;
+      for(j=start;j<NEWHOPE_N-1;j+=2*distance)
+      {
+        W = omega[jTwiddle++];
+        temp = a[j];
+        a[j] = (temp + a[j + distance]); // Omit reduction (be lazy)
+        a[j + distance] = montgomery_reduce_newhope((W * ((uint32_t)temp + 3*NEWHOPE_Q - a[j + distance])));
+      }
+    }
+
+    // Odd level
+    distance <<= 1;
+    for(start = 0; start < distance;start++)
+    {
+      jTwiddle = 0;
+      for(j=start;j<NEWHOPE_N-1;j+=2*distance)
+      {
+        W = omega[jTwiddle++];
+        temp = a[j];
+        a[j] = (temp + a[j + distance]) % NEWHOPE_Q;
+        a[j + distance] = montgomery_reduce_newhope((W * ((uint32_t)temp + 3*NEWHOPE_Q - a[j + distance])));
+      }
+    }
+  }
+}
+
+#else
+#error "NEWHOPE_N must be either 512 or 1024"
+#endif

dap-sdk/crypto/src/newhope/newhope_ntt.h

+#pragma once
+
+#include "inttypes.h"
+
+extern uint16_t omegas_inv_bitrev_montgomery_newhope[];
+extern uint16_t gammas_bitrev_montgomery[];
+extern uint16_t gammas_inv_montgomery[];
+
+void bitrev_vector_newhope(uint16_t* poly_newhope);
+void mul_coefficients_newhope(uint16_t* poly_newhope, const uint16_t* factors);
+void ntt_newhope(uint16_t* poly_newhope, const uint16_t* omegas);
+

dap-sdk/crypto/src/newhope/newhope_params.h

+#pragma once
+
+#ifndef NEWHOPE_N
+#define NEWHOPE_N 1024
+#endif
+
+#define NEWHOPE_Q 12289 
+#define NEWHOPE_K 8           /* used in noise sampling */
+
+#define NEWHOPE_SYMBYTES 32   /* size of shared key, seeds/coins, and hashes */
+
+#define NEWHOPE_POLYBYTES            ((14*NEWHOPE_N)/8)
+#define NEWHOPE_POLYCOMPRESSEDBYTES  (( 3*NEWHOPE_N)/8)
+
+#define NEWHOPE_CPAPKE_PUBLICKEYBYTES  (NEWHOPE_POLYBYTES + NEWHOPE_SYMBYTES)
+#define NEWHOPE_CPAPKE_SECRETKEYBYTES  (NEWHOPE_POLYBYTES)
+#define NEWHOPE_CPAPKE_CIPHERTEXTBYTES (NEWHOPE_POLYBYTES + NEWHOPE_POLYCOMPRESSEDBYTES)
+
+#define NEWHOPE_CPAKEM_PUBLICKEYBYTES NEWHOPE_CPAPKE_PUBLICKEYBYTES
+#define NEWHOPE_CPAKEM_SECRETKEYBYTES NEWHOPE_CPAPKE_SECRETKEYBYTES
+#define NEWHOPE_CPAKEM_CIPHERTEXTBYTES NEWHOPE_CPAPKE_CIPHERTEXTBYTES
+
+#define NEWHOPE_CCAKEM_PUBLICKEYBYTES NEWHOPE_CPAPKE_PUBLICKEYBYTES
+#define NEWHOPE_CCAKEM_SECRETKEYBYTES (NEWHOPE_CPAPKE_SECRETKEYBYTES + NEWHOPE_CPAPKE_PUBLICKEYBYTES + 2*NEWHOPE_SYMBYTES)
+#define NEWHOPE_CCAKEM_CIPHERTEXTBYTES (NEWHOPE_CPAPKE_CIPHERTEXTBYTES + NEWHOPE_SYMBYTES)  /* Second part is for Targhi-Unruh */