From 9532164d495d2be10a432582d959f28409f6f382 Mon Sep 17 00:00:00 2001
From: "ivan.fedorov" <ivan.fedorov@demlabs.net>
Date: Sun, 19 Apr 2020 19:00:16 +0300
Subject: [PATCH] ringct
---
CMakeLists.txt | 4 +
include/dap_enc_ringct20.h | 38 +
src/dap_enc_ringct20.c | 592 +++++++
src/ringct20/aes.c | 308 ++++
src/ringct20/aes.h | 120 ++
src/ringct20/aes_c.c | 434 +++++
src/ringct20/aes_local.h | 54 +
src/ringct20/api.h | 25 +
src/ringct20/common.c | 44 +
src/ringct20/common.h | 107 ++
src/ringct20/cryptoConfig.h | 31 +
src/ringct20/fips202.h | 13 +
src/ringct20/ntt.c | 204 +++
src/ringct20/ntt.h | 18 +
src/ringct20/optimized/api.h | 0
src/ringct20/optimized/cpapke.h | 16 +
src/ringct20/optimized/fips202.h | 13 +
src/ringct20/optimized/ntt.h | 16 +
src/ringct20/optimized/params.h | 25 +
src/ringct20/optimized/poly.h | 38 +
src/ringct20/optimized/reduce.h | 8 +
src/ringct20/optimized/verify.h | 12 +
src/ringct20/oqs.h | 18 +
src/ringct20/params.h | 26 +
src/ringct20/poly.c | 476 ++++++
src/ringct20/poly.h | 50 +
src/ringct20/precomp.c | 436 +++++
src/ringct20/rand.c | 121 ++
src/ringct20/rand.h | 63 +
src/ringct20/rand_nist.c | 131 ++
src/ringct20/reduce.c | 26 +
src/ringct20/reduce.h | 8 +
src/ringct20/ring.c | 722 ++++++++
src/ringct20/ring.h | 128 ++
src/ringct20/ring_test.c | 428 +++++
src/ringct20/ring_test.h | 30 +
src/ringct20/ringct20_params.h | 111 ++
src/ringct20/sha256.c | 220 +++
src/ringct20/sha256.h | 31 +
src/ringct20/sha3.c | 2452 +++++++++++++++++++++++++++
src/ringct20/sha3.h | 300 ++++
src/ringct20/targetver.h | Bin 0 -> 370 bytes
src/ringct20/verify.c | 52 +
src/ringct20/verify.h | 12 +
test/crypto/dap_enc_ringct20_test.c | 59 +
test/crypto/dap_enc_ringct20_test.h | 5 +
test/crypto/main.c | 14 +-
47 files changed, 8034 insertions(+), 5 deletions(-)
create mode 100644 include/dap_enc_ringct20.h
create mode 100644 src/dap_enc_ringct20.c
create mode 100644 src/ringct20/aes.c
create mode 100644 src/ringct20/aes.h
create mode 100644 src/ringct20/aes_c.c
create mode 100644 src/ringct20/aes_local.h
create mode 100644 src/ringct20/api.h
create mode 100644 src/ringct20/common.c
create mode 100644 src/ringct20/common.h
create mode 100644 src/ringct20/cryptoConfig.h
create mode 100644 src/ringct20/fips202.h
create mode 100644 src/ringct20/ntt.c
create mode 100644 src/ringct20/ntt.h
create mode 100644 src/ringct20/optimized/api.h
create mode 100644 src/ringct20/optimized/cpapke.h
create mode 100644 src/ringct20/optimized/fips202.h
create mode 100644 src/ringct20/optimized/ntt.h
create mode 100644 src/ringct20/optimized/params.h
create mode 100644 src/ringct20/optimized/poly.h
create mode 100644 src/ringct20/optimized/reduce.h
create mode 100644 src/ringct20/optimized/verify.h
create mode 100644 src/ringct20/oqs.h
create mode 100644 src/ringct20/params.h
create mode 100644 src/ringct20/poly.c
create mode 100644 src/ringct20/poly.h
create mode 100644 src/ringct20/precomp.c
create mode 100644 src/ringct20/rand.c
create mode 100644 src/ringct20/rand.h
create mode 100644 src/ringct20/rand_nist.c
create mode 100644 src/ringct20/reduce.c
create mode 100644 src/ringct20/reduce.h
create mode 100644 src/ringct20/ring.c
create mode 100644 src/ringct20/ring.h
create mode 100644 src/ringct20/ring_test.c
create mode 100644 src/ringct20/ring_test.h
create mode 100644 src/ringct20/ringct20_params.h
create mode 100644 src/ringct20/sha256.c
create mode 100644 src/ringct20/sha256.h
create mode 100644 src/ringct20/sha3.c
create mode 100644 src/ringct20/sha3.h
create mode 100644 src/ringct20/targetver.h
create mode 100644 src/ringct20/verify.c
create mode 100644 src/ringct20/verify.h
create mode 100644 test/crypto/dap_enc_ringct20_test.c
create mode 100644 test/crypto/dap_enc_ringct20_test.h
diff --git a/CMakeLists.txt b/CMakeLists.txt
index c185157..9e54128 100755
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -47,6 +47,7 @@ file( GLOB CRYPTO_SRCS
src/sig_tesla/*.c
src/sig_picnic/*.c
src/sig_dilithium/*.c
+ src/ringct20/*.c
)
file( GLOB CRYPTO_HEADERS
@@ -61,6 +62,7 @@ file( GLOB CRYPTO_HEADERS
src/sig_tesla/*.h
src/sig_picnic/*.h
src/sig_dilithium/*.h
+ src/ringct20/*.h
include/*.h
)
@@ -278,6 +280,8 @@ if(UNIX)
target_link_libraries(dap_crypto dap_core m)
endif()
+set(BUILD_CRYPTO_TESTS ON)
+
if(BUILD_CRYPTO_TESTS)
enable_testing()
add_subdirectory(test)
diff --git a/include/dap_enc_ringct20.h b/include/dap_enc_ringct20.h
new file mode 100644
index 0000000..98c9d6e
--- /dev/null
+++ b/include/dap_enc_ringct20.h
@@ -0,0 +1,38 @@
+#ifndef DAP_ENC_RINGCT20_H
+#define DAP_ENC_RINGCT20_H
+
+#include "ringct20/ringct20_params.h"
+#include "dap_enc_key.h"
+
+
+enum DAP_RINGCT20_SIGN_SECURITY {
+ RINGCT20_TOY = 0, RINGCT20_MAX_SPEED, RINGCT20_MIN_SIZE, RINGCT20_MAX_SECURITY
+};
+
+void dap_enc_sig_ringct20_set_type(enum DAP_RINGCT20_SIGN_SECURITY type);
+
+void dap_enc_sig_ringct20_key_new(struct dap_enc_key *key);
+
+void dap_enc_sig_ringct20_key_new_generate(struct dap_enc_key * key, const void *kex_buf,
+ size_t kex_size, const void * seed, size_t seed_size,
+ size_t key_size);
+
+size_t dap_enc_sig_ringct20_get_sign(struct dap_enc_key * key,const void * msg,
+ const size_t msg_size, void * signature, const size_t signature_size);
+
+size_t dap_enc_sig_ringct20_verify_sign(struct dap_enc_key * key,const void * msg,
+ const size_t msg_size, void * signature, const size_t signature_size);
+
+void dap_enc_sig_ringct20_key_delete(struct dap_enc_key * key);
+
+size_t dap_enc_ringct20_calc_signature_size(void);
+
+uint8_t* dap_enc_ringct20_write_signature(ringct20_signature_t* a_sign, size_t *a_sign_out);
+ringct20_signature_t* dap_enc_ringct20_read_signature(uint8_t *a_buf, size_t a_buflen);
+uint8_t* dap_enc_ringct20_write_private_key(const ringct20_private_key_t* a_private_key, size_t *a_buflen_out);
+uint8_t* dap_enc_ringct20_write_public_key(const ringct20_public_key_t* a_public_key, size_t *a_buflen_out);
+ringct20_private_key_t* dap_enc_ringct20_read_private_key(const uint8_t *a_buf, size_t a_buflen);
+ringct20_public_key_t* dap_enc_ringct20_read_public_key(const uint8_t *a_buf, size_t a_buflen);
+
+
+#endif // DAP_ENC_RINGCT20_H
diff --git a/src/dap_enc_ringct20.c b/src/dap_enc_ringct20.c
new file mode 100644
index 0000000..9fbb1ee
--- /dev/null
+++ b/src/dap_enc_ringct20.c
@@ -0,0 +1,592 @@
+#include <assert.h>
+#include <inttypes.h>
+#include <string.h>
+
+#include "dap_enc_ringct20.h"
+#include "dap_common.h"
+#include "dap_rand.h"
+
+
+
+#define LOG_TAG "dap_enc_sig_ringct20"
+
+static enum DAP_RINGCT20_SIGN_SECURITY _ringct20_type = RINGCT20_MIN_SIZE; // by default
+poly_ringct20 Afixed[10];
+poly_ringct20 Hfixed[10];
+bool ringct20_params_init(ringct20_param_t *ringct20_p, ringct20_kind_t kind)
+{
+ static int first_init = 1;//CRUTCH
+ if(first_init)
+ {
+ LRCT_Setup(Afixed,Hfixed, 10);
+ first_init = 0;
+ }
+ if(kind != MODERINGCT20_0)
+ return false;
+ ringct20_p->M = 3;
+
+ ringct20_p->mLen = ringct20_p->M-1;
+ if(ringct20_p->mLen > 10)
+ return false;
+ ringct20_p->wLen = 3;
+ ringct20_p->kind = kind;
+ ringct20_p->POLY_RINGCT20_SIZE_PACKED = NEWHOPE_POLYBYTES;
+ ringct20_p->POLY_RINGCT20_SIZE = NEWHOPE_N*sizeof(uint16_t);
+ ringct20_p->A = malloc(ringct20_p->POLY_RINGCT20_SIZE * ringct20_p->mLen);//CRUTCH//dont forget to free
+ ringct20_p->H = malloc(ringct20_p->POLY_RINGCT20_SIZE * ringct20_p->mLen);//CRUTCH//dont forget to free
+ poly_copy(ringct20_p->A, Afixed, ringct20_p->mLen);
+ poly_copy(ringct20_p->H, Hfixed, ringct20_p->mLen);
+ ringct20_p->RINGCT20_PBK_SIZE = ringct20_p->POLY_RINGCT20_SIZE_PACKED;
+ ringct20_p->RINGCT20_PRK_SIZE = ringct20_p->mLen*ringct20_p->POLY_RINGCT20_SIZE_PACKED;
+ ringct20_p->RINGCT20_SIG_SIZE = (ringct20_p->wLen +
+ ringct20_p->M*ringct20_p->wLen + 1 +1)*ringct20_p->POLY_RINGCT20_SIZE_PACKED;
+
+
+ return true;
+}
+void ringct20_params_free(ringct20_param_t *ringct20_p)
+{
+ if(ringct20_p->A != NULL)
+ free(ringct20_p->A);
+ if(ringct20_p->H != NULL)
+ free(ringct20_p->H);
+ free(ringct20_p);
+}
+void ringct20_pack_prk(uint8_t *prk, const poly_ringct20 *S, const ringct20_param_t *rct_p)
+{
+ for(int i = 0; i < rct_p->M - 1; ++i)
+ poly_tobytes(prk + i*rct_p->POLY_RINGCT20_SIZE_PACKED, S +i);
+
+}
+void ringct20_unpack_prk(const uint8_t *prk, poly_ringct20 *S, const ringct20_param_t *rct_p)
+{
+ for(int i = 0; i < rct_p->M - 1; ++i)
+ poly_frombytes(S +i, prk + i*rct_p->POLY_RINGCT20_SIZE_PACKED);
+
+}
+
+void ringct20_pack_pbk(uint8_t *pbk, const poly_ringct20 *a, const ringct20_param_t *rct_p)
+{
+ uint32_t packed_size = 0;
+ //pack a
+ poly_tobytes(pbk + packed_size, a);
+ packed_size += rct_p->POLY_RINGCT20_SIZE_PACKED;
+
+}
+void ringct20_unpack_pbk(const uint8_t *pbk, poly_ringct20 *a, const ringct20_param_t *rct_p)
+{
+ uint32_t unpacked_size = 0;
+ //unpack a
+ poly_frombytes(a, pbk + unpacked_size);
+ unpacked_size += rct_p->POLY_RINGCT20_SIZE_PACKED;
+}
+
+void ringct20_unpack_sig(const uint8_t *sig, poly_ringct20 *a_list,
+ poly_ringct20 *c1, poly_ringct20 **t, poly_ringct20 *h, const ringct20_param_t *rct_p)
+{
+ uint32_t unpacked_size = 0;
+ //unpack a_list
+ for(int i = 0; i < rct_p->wLen; ++i)
+ {
+ poly_frombytes(a_list + i, sig + unpacked_size);
+ unpacked_size += rct_p->POLY_RINGCT20_SIZE_PACKED;
+ }
+ //unpack t[W][M]
+ for(int j = 0; j < rct_p->wLen; ++j)
+ {
+ for(int i = 0; i < rct_p->M; ++i)
+ {
+ poly_frombytes(t[j] + i, sig + unpacked_size);
+ unpacked_size += rct_p->POLY_RINGCT20_SIZE_PACKED;
+ }
+ }
+ //unpack h
+ poly_frombytes(h, sig + unpacked_size);
+ unpacked_size += rct_p->POLY_RINGCT20_SIZE_PACKED;
+ //unpack c1
+ poly_frombytes(c1, sig + unpacked_size);
+ unpacked_size += rct_p->POLY_RINGCT20_SIZE_PACKED;
+}
+
+void ringct20_pack_sig(uint8_t *sig, const poly_ringct20 *a_list,
+ const poly_ringct20 *c1, const poly_ringct20 **t, const poly_ringct20 *h, const ringct20_param_t *rct_p)
+{
+ uint32_t packed_size = 0;
+ //pack a_list
+ for(int i = 0; i < rct_p->wLen; ++i)
+ {
+ poly_tobytes(sig + packed_size, a_list + i);
+ packed_size += rct_p->POLY_RINGCT20_SIZE_PACKED;
+ }
+ //pack t[W][M]
+ for(int j = 0; j < rct_p->wLen; ++j)
+ {
+ for(int i = 0; i < rct_p->M; ++i)
+ {
+ poly_tobytes(sig + packed_size,t[j] + i);
+ packed_size += rct_p->POLY_RINGCT20_SIZE_PACKED;
+ }
+ }
+ //pack h
+ poly_tobytes(sig + packed_size, h);
+ packed_size += rct_p->POLY_RINGCT20_SIZE_PACKED;
+ //pack c1
+ poly_tobytes(sig + packed_size, c1);
+ packed_size += rct_p->POLY_RINGCT20_SIZE_PACKED;
+}
+
+int ringct20_crypto_sign( ringct20_signature_t *sig, const unsigned char *m, unsigned long long mlen, const ringct20_private_key_t *private_key)
+{
+ ringct20_param_t *p = calloc(sizeof(ringct20_param_t),1);
+ if (! ringct20_params_init( p, private_key->kind)){
+ ringct20_params_free(p);
+ return -1;
+ }
+
+ uint32_t Pi;
+ randombytes(&Pi, sizeof(Pi));
+ //Pi %= p->wLen;//
+ //CRUTCH
+ Pi = 1 + Pi%(p->wLen - 1);
+ printf("Pi = %d\n", Pi);
+ poly_ringct20 *aList = malloc(p->POLY_RINGCT20_SIZE*p->wLen);
+ poly_ringct20 *S = malloc(p->POLY_RINGCT20_SIZE*p->mLen);
+ ringct20_unpack_prk(private_key->data,S,p);
+
+ LRCT_KeyGen(aList + Pi, p->A,S,p->mLen);
+ //CRUTCH
+ //get a list of some pbk
+ {
+ poly_ringct20 *Stmp = malloc(p->POLY_RINGCT20_SIZE*p->mLen);
+ for(int i = 0; i < p->wLen; ++i)
+ {
+ if(i == Pi)
+ continue;
+ LRCT_SampleKey(Stmp, p->mLen);
+ LRCT_KeyGen(aList + i, p->A, Stmp, p->mLen);
+ }
+ free(Stmp);
+ }
+ poly_ringct20 h;
+ poly_ringct20 *u = malloc(p->POLY_RINGCT20_SIZE*p->M);
+ poly_ringct20 c1;
+ poly_ringct20** t;//[w][M]//TOCORRECT to *t;
+ t = malloc(p->wLen*sizeof(poly_ringct20*));
+ for(int i = 0; i < p->wLen; ++i)
+ t[i] = malloc(p->M*p->POLY_RINGCT20_SIZE);
+
+ unsigned char *bt = malloc(NEWHOPE_POLYBYTES);
+
+ for (int i = 0; i < p->wLen; i++)
+ {
+ for (int k = 0; k < p->M; k++)
+ {
+ poly_init(t[i] + k);
+ }
+
+ }
+
+ for (int k = 0; k < p->M; k++)
+ {
+ OQS_randombytes(bt, NEWHOPE_POLYBYTES);
+ poly_frombytes(u + k, bt);
+ poly_serial(u + k);
+ //poly_print(u+k);
+ }
+
+ free(bt);
+ LRCT_SigGen(&c1, t, &h, p->A, p->H, S, u, p->mLen, aList, p->wLen, Pi, m, mlen);
+ sig->sig_len = p->RINGCT20_SIG_SIZE;// + mlen;
+ sig->sig_data = malloc(sig->sig_len);
+// memcpy(sig->sig_data,m,mlen);//TOCORRECT
+ ringct20_pack_sig(sig->sig_data,aList,&c1, t, &h, p);
+
+
+ free(aList);
+ free(S);
+ free(u);
+
+ for(int i = 0; i < p->wLen; ++i)
+ free(t[i]);
+ free(t);
+
+ ringct20_params_free(p);
+ return 0;
+}
+void ringct20_signature_delete(ringct20_signature_t *sig){
+ assert(sig != NULL);
+
+ free(sig->sig_data);
+ sig->sig_data = NULL;
+}
+int ringct20_crypto_sign_open( const unsigned char * msg, const unsigned long long msg_size, const ringct20_signature_t * sig, const ringct20_public_key_t* public_key)
+{
+ ringct20_param_t *p = calloc(sizeof(ringct20_param_t),1);
+ if (! ringct20_params_init( p, public_key->kind)){
+ ringct20_params_free(p);
+ return -1;
+ }
+ if(sig->sig_len < p->RINGCT20_SIG_SIZE)
+ {
+ return -1;
+ }
+
+ poly_ringct20 *aList = malloc(p->POLY_RINGCT20_SIZE*p->wLen);
+
+ poly_ringct20 h;
+ poly_ringct20 c1;
+ poly_ringct20** t;//[w][M]//TOCORRECT to *t;
+ t = malloc(p->wLen*sizeof(poly_ringct20*));
+ for(int i = 0; i < p->wLen; ++i)
+ t[i] = malloc(p->M*p->POLY_RINGCT20_SIZE);
+ ringct20_unpack_sig(sig->sig_data,aList,&c1, t, &h, p);
+ //CRUTCH ADD test pbk in aList
+ int pbk_in_aList = 0;
+ poly_ringct20 a_pi;
+ ringct20_unpack_pbk(public_key->data, &a_pi, p);
+ for(int i = 0; i < p->wLen; ++i)
+ {
+ if(poly_equal(&a_pi, aList + i))
+ {
+ pbk_in_aList = 1;
+ break;
+ }
+ }
+
+ int result = 1;
+
+ if(pbk_in_aList)
+ result = 1 ^ LRCT_SigVer(&c1, t, p->A, p->H, p->mLen, &h, aList, p->wLen, msg, msg_size);
+
+
+ printf("result = %d\n", result);
+ free(aList);
+
+ for(int i = 0; i < p->wLen; ++i)
+ free(t[i]);
+ free(t);
+ ringct20_params_free(p);
+ return result;
+}
+
+
+
+int ringct20_crypto_sign_keypair(ringct20_public_key_t *pbk, ringct20_private_key_t *prk, ringct20_kind_t kind)
+{
+ ringct20_param_t *p;
+ p = calloc(sizeof (ringct20_param_t),1);
+ ringct20_params_init(p, kind);
+ if(ringct20_private_and_public_keys_init(prk,pbk,p) != 0)
+ {
+ ringct20_params_free(p);//free(p);
+ return -1;
+ }
+
+
+ poly_ringct20 *S;
+ poly_ringct20 *a;
+ S = (poly_ringct20*)malloc(sizeof(poly_ringct20)*p->mLen);
+ a = (poly_ringct20*)malloc(sizeof(poly_ringct20));
+
+ // LRCT_Setup(A,H,p->mLen);
+ LRCT_SampleKey(S, p->mLen);
+ LRCT_KeyGen(a, p->A, S, p->mLen);
+ ringct20_pack_pbk(pbk->data, a, p);
+ ringct20_pack_prk(prk->data, S, p);
+
+ free(S);
+ free(a);
+
+
+ ringct20_params_free(p);
+ return 0;
+
+}
+
+void ringct20_private_key_delete(ringct20_private_key_t *private_key)
+{
+
+ if(private_key) {
+ free(private_key->data);
+ private_key->data = NULL;
+ free(private_key);
+ }
+}
+
+void ringct20_public_key_delete(ringct20_public_key_t *public_key)
+{
+ if(public_key) {
+ free(public_key->data);
+ public_key->data = NULL;
+ free(public_key);
+ }
+}
+
+void ringct20_private_and_public_keys_delete(ringct20_private_key_t *private_key, ringct20_public_key_t *public_key){
+
+ free(private_key->data);
+ private_key->data = NULL;
+ free(public_key->data);
+ public_key->data = NULL;
+}
+int32_t ringct20_private_and_public_keys_init(ringct20_private_key_t *private_key, ringct20_public_key_t *public_key, ringct20_param_t *p){
+
+ unsigned char *f = NULL, *g = NULL;
+
+ f = calloc(p->RINGCT20_PBK_SIZE, sizeof(char));
+ if (f == NULL) {
+ free(f);
+// free(g);
+ return -1;
+ }
+ public_key->kind = p->kind;
+ public_key->data = f;
+
+ g = calloc(p->RINGCT20_PRK_SIZE, sizeof(char));
+ if (g == NULL) {
+ free(f);
+ free(g);
+ return -1;
+ }
+
+ private_key->kind = p->kind;
+ private_key->data = g;
+
+ return 0;
+}
+
+void dap_enc_sig_ringct20_set_type(enum DAP_RINGCT20_SIGN_SECURITY type)
+{
+ _ringct20_type = type;
+}
+
+void dap_enc_sig_ringct20_key_new(struct dap_enc_key *key) {
+
+ key->type = DAP_ENC_KEY_TYPE_SIG_RINGCT20;
+ key->enc = NULL;
+ key->enc_na = (dap_enc_callback_dataop_na_t) dap_enc_sig_ringct20_get_sign;
+ key->dec_na = (dap_enc_callback_dataop_na_t) dap_enc_sig_ringct20_verify_sign;
+// key->gen_bob_shared_key = (dap_enc_gen_bob_shared_key) dap_enc_sig_ringct20_get_sign;
+// key->gen_alice_shared_key = (dap_enc_gen_alice_shared_key) dap_enc_sig_ringct20_verify_sign;
+}
+
+// generation key pair for sign Alice
+// OUTPUT:
+// a_key->data --- Alice's public key
+// alice_priv --- Alice's private key
+// alice_msg_len --- Alice's private key length
+
+
+void dap_enc_sig_ringct20_key_new_generate(struct dap_enc_key * key, const void *kex_buf,
+ size_t kex_size, const void * seed, size_t seed_size,
+ size_t key_size)
+{
+// (void) kex_buf;
+// (void) kex_size;
+// (void) key_size;
+
+ int32_t retcode;
+
+ int ringct20_type = RINGCT20_TOY;//(seed && seed_size >= sizeof(uint8_t)) ? ((uint8_t*)seed)[0] % (RINGCT20_MAX_SECURITY + 1) :
+ // RINGCT20_MIN_SIZE;
+ dap_enc_sig_ringct20_set_type(ringct20_type);
+
+
+ //int32_t type = 2;
+ key->priv_key_data_size = sizeof(ringct20_private_key_t);
+ key->pub_key_data_size = sizeof(ringct20_public_key_t);
+ key->priv_key_data = malloc(key->priv_key_data_size);
+ key->pub_key_data = malloc(key->pub_key_data_size);
+
+ retcode = ringct20_crypto_sign_keypair((ringct20_public_key_t *) key->pub_key_data,
+ (ringct20_private_key_t *) key->priv_key_data, _ringct20_type);
+ if(retcode != 0) {
+ ringct20_private_and_public_keys_delete((ringct20_private_key_t *) key->pub_key_data,
+ (ringct20_public_key_t *) key->pub_key_data);
+ log_it(L_CRITICAL, "Error");
+ return;
+ }
+}
+
+size_t dap_enc_sig_ringct20_get_sign(struct dap_enc_key * key, const void * msg,
+ const size_t msg_size, void * signature, const size_t signature_size)
+{
+ if(signature_size < sizeof(ringct20_signature_t)) {
+ log_it(L_ERROR, "bad signature size");
+ return 0;
+ }
+
+ if(!ringct20_crypto_sign((ringct20_signature_t *) signature, (const unsigned char *) msg, msg_size, key->priv_key_data))
+ return signature_size;
+ else
+ return 0;
+}
+
+size_t dap_enc_sig_ringct20_verify_sign(struct dap_enc_key * key, const void * msg,
+ const size_t msg_size, void * signature, const size_t signature_size)
+{
+ if(signature_size < sizeof(ringct20_signature_t)) {
+ log_it(L_ERROR, "bad signature size");
+ return 0;
+ }
+
+ return (ringct20_crypto_sign_open( (unsigned char *) msg, msg_size, (ringct20_signature_t *) signature, key->pub_key_data));
+}
+
+void dap_enc_sig_ringct20_key_delete(struct dap_enc_key * key)
+{
+ ringct20_private_and_public_keys_delete((ringct20_private_key_t *) key->priv_key_data,
+ (ringct20_public_key_t *) key->pub_key_data);
+}
+
+size_t dap_enc_ringct20_calc_signature_size(void)
+{
+ return sizeof(ringct20_signature_t);
+}
+
+/* Serialize a signature */
+uint8_t* dap_enc_ringct20_write_signature(ringct20_signature_t* a_sign, size_t *a_sign_out)
+{
+ if(!a_sign || *a_sign_out!=sizeof(ringct20_signature_t)) {
+ return NULL ;
+ }
+ size_t l_shift_mem = 0;
+ size_t l_buflen = sizeof(size_t) + sizeof(ringct20_kind_t) + a_sign->sig_len + sizeof(unsigned long long);
+
+ uint8_t *l_buf = DAP_NEW_SIZE(uint8_t, l_buflen);
+ memcpy(l_buf, &l_buflen, sizeof(size_t));
+ l_shift_mem += sizeof(size_t);
+ memcpy(l_buf + l_shift_mem, &a_sign->kind, sizeof(ringct20_kind_t));
+ l_shift_mem += sizeof(ringct20_kind_t);
+ memcpy(l_buf + l_shift_mem, &a_sign->sig_len, sizeof(unsigned long long));
+ l_shift_mem += sizeof(unsigned long long);
+ memcpy(l_buf + l_shift_mem, a_sign->sig_data, a_sign->sig_len );
+ l_shift_mem += a_sign->sig_len ;
+
+ if(a_sign_out)
+ *a_sign_out = l_buflen;
+ return l_buf;
+}
+
+/* Deserialize a signature */
+ringct20_signature_t* dap_enc_ringct20_read_signature(uint8_t *a_buf, size_t a_buflen)
+{
+ if(!a_buf || a_buflen < (sizeof(size_t) + sizeof(ringct20_kind_t)))
+ return NULL ;
+ ringct20_kind_t kind;
+ size_t l_buflen = 0;
+ memcpy(&l_buflen, a_buf, sizeof(size_t));
+ memcpy(&kind, a_buf + sizeof(size_t), sizeof(ringct20_kind_t));
+ if(l_buflen != a_buflen)
+ return NULL ;
+ ringct20_param_t p;
+ if(!ringct20_params_init(&p, kind))
+ return NULL ;
+
+ ringct20_signature_t* l_sign = DAP_NEW(ringct20_signature_t);
+ l_sign->kind = kind;
+ size_t l_shift_mem = sizeof(size_t) + sizeof(ringct20_kind_t);
+ memcpy(&l_sign->sig_len, a_buf + l_shift_mem, sizeof(unsigned long long));
+ l_shift_mem += sizeof(unsigned long long);
+ l_sign->sig_data = DAP_NEW_SIZE(unsigned char, l_sign->sig_len);
+ memcpy(l_sign->sig_data, a_buf + l_shift_mem, l_sign->sig_len);
+ l_shift_mem += l_sign->sig_len;
+ return l_sign;
+}
+
+/* Serialize a private key. */
+uint8_t* dap_enc_ringct20_write_private_key(const ringct20_private_key_t* a_private_key, size_t *a_buflen_out)
+{
+ ringct20_param_t *p = calloc(sizeof(ringct20_param_t),1);
+ if(!ringct20_params_init(p, a_private_key->kind))
+ {
+ ringct20_params_free(p);
+
+ return NULL;
+ }
+ size_t l_buflen = sizeof(size_t) + sizeof(ringct20_kind_t) + p->RINGCT20_PRK_SIZE; //CRYPTO_PUBLICKEYBYTES;
+ uint8_t *l_buf = DAP_NEW_SIZE(uint8_t, l_buflen);
+ memcpy(l_buf, &l_buflen, sizeof(size_t));
+ memcpy(l_buf + sizeof(size_t), &a_private_key->kind, sizeof(ringct20_kind_t));
+ memcpy(l_buf + sizeof(size_t) + sizeof(ringct20_kind_t), a_private_key->data, p->RINGCT20_PRK_SIZE);
+ if(a_buflen_out)
+ *a_buflen_out = l_buflen;
+ ringct20_params_free(p);
+ return l_buf;
+}
+
+/* Serialize a public key. */
+uint8_t* dap_enc_ringct20_write_public_key(const ringct20_public_key_t* a_public_key, size_t *a_buflen_out)
+{
+ ringct20_param_t *p = calloc(sizeof(ringct20_param_t),1);
+ if(!ringct20_params_init(p, a_public_key->kind))
+ {
+ ringct20_params_free(p);
+
+ return NULL;
+ }
+
+ size_t l_buflen = sizeof(size_t) + sizeof(ringct20_kind_t) + p->RINGCT20_PBK_SIZE;//.CRYPTO_PUBLICKEYBYTES;
+ uint8_t *l_buf = DAP_NEW_SIZE(uint8_t, l_buflen);
+ memcpy(l_buf, &l_buflen, sizeof(size_t));
+ memcpy(l_buf + sizeof(size_t), &a_public_key->kind, sizeof(ringct20_kind_t));
+ memcpy(l_buf + sizeof(size_t) + sizeof(ringct20_kind_t), a_public_key->data, p->RINGCT20_PBK_SIZE);//.CRYPTO_PUBLICKEYBYTES);
+ if(a_buflen_out)
+ *a_buflen_out = l_buflen;
+ ringct20_params_free(p);
+ return l_buf;
+}
+
+/* Deserialize a private key. */
+ringct20_private_key_t* dap_enc_ringct20_read_private_key(const uint8_t *a_buf, size_t a_buflen)
+{
+ if(!a_buf || a_buflen < (sizeof(size_t) + sizeof(ringct20_kind_t)))
+ return NULL;
+ ringct20_kind_t kind;
+ size_t l_buflen = 0;
+ memcpy(&l_buflen, a_buf, sizeof(size_t));
+ memcpy(&kind, a_buf + sizeof(size_t), sizeof(ringct20_kind_t));
+ if(l_buflen != a_buflen)
+ return NULL;
+ ringct20_param_t *p = calloc(sizeof(ringct20_param_t),1);
+ if(!ringct20_params_init(p, kind))
+ {
+ ringct20_params_free(p);
+
+ return NULL;
+ }
+ ringct20_private_key_t* l_private_key = DAP_NEW(ringct20_private_key_t);
+ l_private_key->kind = kind;
+
+ l_private_key->data = DAP_NEW_SIZE(unsigned char, p->RINGCT20_PRK_SIZE);//.CRYPTO_SECRETKEYBYTES);
+ memcpy(l_private_key->data, a_buf + sizeof(size_t) + sizeof(ringct20_kind_t), p->RINGCT20_PRK_SIZE);//.CRYPTO_SECRETKEYBYTES);
+
+ ringct20_params_free(p);
+ return l_private_key;
+}
+
+/* Deserialize a public key. */
+ringct20_public_key_t* dap_enc_ringct20_read_public_key(const uint8_t *a_buf, size_t a_buflen)
+{
+ if(!a_buf || a_buflen < (sizeof(size_t) + sizeof(ringct20_kind_t)))
+ return NULL;
+ ringct20_kind_t kind;
+ size_t l_buflen = 0;
+ memcpy(&l_buflen, a_buf, sizeof(size_t));
+ memcpy(&kind, a_buf + sizeof(size_t), sizeof(ringct20_kind_t));
+ if(l_buflen != a_buflen)
+ return NULL;
+ ringct20_param_t *p = calloc(sizeof(ringct20_param_t),1);
+ if(!ringct20_params_init(p, kind))
+ {
+ ringct20_params_free(p);
+ return NULL;
+ }
+ ringct20_public_key_t* l_public_key = DAP_NEW(ringct20_public_key_t);
+ l_public_key->kind = kind;
+
+ l_public_key->data = DAP_NEW_SIZE(unsigned char, p->RINGCT20_PBK_SIZE);//.CRYPTO_PUBLICKEYBYTES);
+ memcpy(l_public_key->data, a_buf + sizeof(size_t) + sizeof(ringct20_kind_t), p->RINGCT20_PBK_SIZE);//.CRYPTO_PUBLICKEYBYTES);
+ ringct20_params_free(p);
+ return l_public_key;
+}
diff --git a/src/ringct20/aes.c b/src/ringct20/aes.c
new file mode 100644
index 0000000..bb36c51
--- /dev/null
+++ b/src/ringct20/aes.c
@@ -0,0 +1,308 @@
+#include <assert.h>
+
+#include "aes.h"
+#include "aes_local.h"
+
+void OQS_AES128_load_schedule(const uint8_t *key, void **schedule, UNUSED int for_encryption) {
+#ifdef USE_OPENSSL
+ oqs_aes128_load_schedule_ossl(key, schedule, for_encryption);
+#elif defined(AES_ENABLE_NI)
+ oqs_aes128_load_schedule_ni(key, schedule);
+#else
+ oqs_aes128_load_schedule_c(key, schedule);
+#endif
+}
+
+void OQS_AES128_free_schedule(void *schedule) {
+#ifdef USE_OPENSSL
+ oqs_aes128_free_schedule_ossl(schedule);
+#elif defined(AES_ENABLE_NI)
+ oqs_aes128_free_schedule_ni(schedule);
+#else
+ oqs_aes128_free_schedule_c(schedule);
+#endif
+}
+
+void OQS_AES128_ECB_enc(const uint8_t *plaintext, const size_t plaintext_len, const uint8_t *key, uint8_t *ciphertext) {
+#ifdef USE_OPENSSL
+ oqs_aes128_ecb_enc_ossl(plaintext, plaintext_len, key, ciphertext);
+#elif defined(AES_ENABLE_NI)
+ oqs_aes128_ecb_enc_ni(plaintext, plaintext_len, key, ciphertext);
+#else
+ oqs_aes128_ecb_enc_c(plaintext, plaintext_len, key, ciphertext);
+#endif
+}
+
+void OQS_AES128_ECB_dec(const uint8_t *ciphertext, const size_t ciphertext_len, const uint8_t *key, uint8_t *plaintext) {
+#ifdef USE_OPENSSL
+ oqs_aes128_ecb_dec_ossl(ciphertext, ciphertext_len, key, plaintext);
+#elif defined(AES_ENABLE_NI)
+ oqs_aes128_ecb_dec_ni(ciphertext, ciphertext_len, key, plaintext);
+#else
+ oqs_aes128_ecb_dec_c(ciphertext, ciphertext_len, key, plaintext);
+#endif
+}
+
+void OQS_AES128_ECB_enc_sch(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext) {
+#ifdef USE_OPENSSL
+ oqs_aes128_ecb_enc_sch_ossl(plaintext, plaintext_len, schedule, ciphertext);
+#elif defined(AES_ENABLE_NI)
+ oqs_aes128_ecb_enc_sch_ni(plaintext, plaintext_len, schedule, ciphertext);
+#else
+ oqs_aes128_ecb_enc_sch_c(plaintext, plaintext_len, schedule, ciphertext);
+#endif
+}
+
+void OQS_AES128_ECB_dec_sch(const uint8_t *ciphertext, const size_t ciphertext_len, const void *schedule, uint8_t *plaintext) {
+#ifdef USE_OPENSSL
+ oqs_aes128_ecb_dec_sch_ossl(ciphertext, ciphertext_len, schedule, plaintext);
+#elif defined(AES_ENABLE_NI)
+ oqs_aes128_ecb_dec_sch_ni(ciphertext, ciphertext_len, schedule, plaintext);
+#else
+ oqs_aes128_ecb_dec_sch_c(ciphertext, ciphertext_len, schedule, plaintext);
+#endif
+}
+
+#ifdef AES_ENABLE_NI
+void oqs_aes128_ecb_enc_ni(const uint8_t *plaintext, const size_t plaintext_len, const uint8_t *key, uint8_t *ciphertext) {
+ void *schedule = NULL;
+ oqs_aes128_load_schedule_ni(key, &schedule);
+ oqs_aes128_ecb_enc_sch_ni(plaintext, plaintext_len, schedule, ciphertext);
+ oqs_aes128_free_schedule_ni(schedule);
+}
+#endif
+
+void oqs_aes128_ecb_enc_c(const uint8_t *plaintext, const size_t plaintext_len, const uint8_t *key, uint8_t *ciphertext) {
+ void *schedule = NULL;
+ oqs_aes128_load_schedule_c(key, &schedule);
+ oqs_aes128_ecb_enc_sch_c(plaintext, plaintext_len, schedule, ciphertext);
+ oqs_aes128_free_schedule_c(schedule);
+}
+
+#ifdef AES_ENABLE_NI
+void oqs_aes128_ecb_enc_sch_ni(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext) {
+ assert(plaintext_len % 16 == 0);
+ for (size_t block = 0; block < plaintext_len / 16; block++) {
+ oqs_aes128_enc_ni(plaintext + (16 * block), schedule, ciphertext + (16 * block));
+ }
+}
+#endif
+
+void oqs_aes128_ecb_enc_sch_c(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext) {
+ assert(plaintext_len % 16 == 0);
+ for (size_t block = 0; block < plaintext_len / 16; block++) {
+ oqs_aes128_enc_c(plaintext + (16 * block), schedule, ciphertext + (16 * block));
+ }
+}
+
+#ifdef AES_ENABLE_NI
+void oqs_aes128_ecb_dec_ni(const uint8_t *ciphertext, const size_t ciphertext_len, const uint8_t *key, uint8_t *plaintext) {
+ void *schedule = NULL;
+ oqs_aes128_load_schedule_ni(key, &schedule);
+ oqs_aes128_ecb_dec_sch_ni(ciphertext, ciphertext_len, schedule, plaintext);
+ oqs_aes128_free_schedule_ni(schedule);
+}
+#endif
+
+void oqs_aes128_ecb_dec_c(const uint8_t *ciphertext, const size_t ciphertext_len, const uint8_t *key, uint8_t *plaintext) {
+ void *schedule = NULL;
+ oqs_aes128_load_schedule_c(key, &schedule);
+ oqs_aes128_ecb_dec_sch_c(ciphertext, ciphertext_len, schedule, plaintext);
+ oqs_aes128_free_schedule_c(schedule);
+}
+
+#ifdef AES_ENABLE_NI
+void oqs_aes128_ecb_dec_sch_ni(const uint8_t *ciphertext, const size_t ciphertext_len, const void *schedule, uint8_t *plaintext) {
+ assert(ciphertext_len % 16 == 0);
+ for (size_t block = 0; block < ciphertext_len / 16; block++) {
+ oqs_aes128_dec_ni(ciphertext + (16 * block), schedule, plaintext + (16 * block));
+ }
+}
+#endif
+
+void oqs_aes128_ecb_dec_sch_c(const uint8_t *ciphertext, const size_t ciphertext_len, const void *schedule, uint8_t *plaintext) {
+ assert(ciphertext_len % 16 == 0);
+ for (size_t block = 0; block < ciphertext_len / 16; block++) {
+ oqs_aes128_dec_c(ciphertext + (16 * block), schedule, plaintext + (16 * block));
+ }
+}
+
+#ifdef USE_OPENSSL
+#include <openssl/evp.h>
+
+void oqs_aes128_load_schedule_ossl(const uint8_t *key, void **schedule, int for_encryption) {
+ EVP_CIPHER_CTX *aes_ctx = EVP_CIPHER_CTX_new();
+ assert(aes_ctx != NULL);
+ if (for_encryption) {
+ assert(1 == EVP_EncryptInit_ex(aes_ctx, EVP_aes_128_ecb(), NULL, key, NULL));
+ } else {
+ assert(1 == EVP_DecryptInit_ex(aes_ctx, EVP_aes_128_ecb(), NULL, key, NULL));
+ }
+ EVP_CIPHER_CTX_set_padding(aes_ctx, 0);
+ *schedule = aes_ctx;
+}
+
+void oqs_aes128_free_schedule_ossl(void *schedule) {
+ if (schedule != NULL) {
+ EVP_CIPHER_CTX_free((EVP_CIPHER_CTX *) schedule);
+ }
+}
+
+void oqs_aes128_ecb_enc_ossl(const uint8_t *plaintext, const size_t plaintext_len, const uint8_t *key, uint8_t *ciphertext) {
+ void *schedule = NULL;
+ oqs_aes128_load_schedule_ossl(key, &schedule, 1);
+ oqs_aes128_ecb_enc_sch_ossl(plaintext, plaintext_len, schedule, ciphertext);
+ oqs_aes128_free_schedule_ossl(schedule);
+}
+
+void oqs_aes128_ecb_dec_ossl(const uint8_t *ciphertext, const size_t ciphertext_len, const uint8_t *key, uint8_t *plaintext) {
+ void *schedule = NULL;
+ oqs_aes128_load_schedule_ossl(key, &schedule, 0);
+ oqs_aes128_ecb_dec_sch_ossl(ciphertext, ciphertext_len, schedule, plaintext);
+ oqs_aes128_free_schedule_ossl(schedule);
+}
+
+void oqs_aes128_ecb_enc_sch_ossl(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext) {
+ assert(plaintext_len % 16 == 0);
+ int outlen;
+ assert(1 == EVP_EncryptUpdate((EVP_CIPHER_CTX *) schedule, ciphertext, &outlen, plaintext, plaintext_len));
+ assert((size_t) outlen == plaintext_len);
+ assert(1 == EVP_EncryptFinal_ex((EVP_CIPHER_CTX *) schedule, ciphertext, &outlen));
+}
+
+void oqs_aes128_ecb_dec_sch_ossl(const uint8_t *ciphertext, const size_t ciphertext_len, const void *schedule, uint8_t *plaintext) {
+ assert(ciphertext_len % 16 == 0);
+ int outlen;
+ assert(1 == EVP_DecryptUpdate((EVP_CIPHER_CTX *) schedule, plaintext, &outlen, ciphertext, ciphertext_len));
+ assert((size_t) outlen == ciphertext_len);
+ assert(1 == EVP_DecryptFinal_ex((EVP_CIPHER_CTX *) schedule, plaintext, &outlen));
+}
+
+#endif
+
+void OQS_AES256_load_schedule(const uint8_t *key, void **schedule, UNUSED int for_encryption) {
+#ifdef USE_OPENSSL
+ oqs_aes256_load_schedule_ossl(key, schedule, for_encryption);
+#else
+ oqs_aes256_load_schedule_c(key, schedule);
+#endif
+}
+
+void OQS_AES256_free_schedule(void *schedule) {
+#ifdef USE_OPENSSL
+ oqs_aes256_free_schedule_ossl(schedule);
+#else
+ oqs_aes256_free_schedule_c(schedule);
+#endif
+}
+
+void OQS_AES256_ECB_enc(const uint8_t *plaintext, const size_t plaintext_len, const uint8_t *key, uint8_t *ciphertext) {
+#ifdef USE_OPENSSL
+ oqs_aes256_ecb_enc_ossl(plaintext, plaintext_len, key, ciphertext);
+#else
+ oqs_aes256_ecb_enc_c(plaintext, plaintext_len, key, ciphertext);
+#endif
+}
+
+void OQS_AES256_ECB_dec(const uint8_t *ciphertext, const size_t ciphertext_len, const uint8_t *key, uint8_t *plaintext) {
+#ifdef USE_OPENSSL
+ oqs_aes256_ecb_dec_ossl(ciphertext, ciphertext_len, key, plaintext);
+#else
+ oqs_aes256_ecb_dec_c(ciphertext, ciphertext_len, key, plaintext);
+#endif
+}
+
+void OQS_AES256_ECB_enc_sch(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext) {
+#ifdef USE_OPENSSL
+ oqs_aes256_ecb_enc_sch_ossl(plaintext, plaintext_len, schedule, ciphertext);
+#else
+ oqs_aes256_ecb_enc_sch_c(plaintext, plaintext_len, schedule, ciphertext);
+#endif
+}
+
+void OQS_AES256_ECB_dec_sch(const uint8_t *ciphertext, const size_t ciphertext_len, const void *schedule, uint8_t *plaintext) {
+#ifdef USE_OPENSSL
+ oqs_aes256_ecb_dec_sch_ossl(ciphertext, ciphertext_len, schedule, plaintext);
+#else
+ oqs_aes256_ecb_dec_sch_c(ciphertext, ciphertext_len, schedule, plaintext);
+#endif
+}
+
+void oqs_aes256_ecb_enc_c(const uint8_t *plaintext, const size_t plaintext_len, const uint8_t *key, uint8_t *ciphertext) {
+ void *schedule = NULL;
+ oqs_aes256_load_schedule_c(key, &schedule);
+ oqs_aes256_ecb_enc_sch_c(plaintext, plaintext_len, schedule, ciphertext);
+ oqs_aes256_free_schedule_c(schedule);
+}
+
+void oqs_aes256_ecb_enc_sch_c(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext) {
+ assert(plaintext_len % 16 == 0);
+ for (size_t block = 0; block < plaintext_len / 16; block++) {
+ oqs_aes256_enc_c(plaintext + (16 * block), schedule, ciphertext + (16 * block));
+ }
+}
+
+void oqs_aes256_ecb_dec_c(const uint8_t *ciphertext, const size_t ciphertext_len, const uint8_t *key, uint8_t *plaintext) {
+ void *schedule = NULL;
+ oqs_aes256_load_schedule_c(key, &schedule);
+ oqs_aes256_ecb_dec_sch_c(ciphertext, ciphertext_len, schedule, plaintext);
+ oqs_aes256_free_schedule_c(schedule);
+}
+
+void oqs_aes256_ecb_dec_sch_c(const uint8_t *ciphertext, const size_t ciphertext_len, const void *schedule, uint8_t *plaintext) {
+ assert(ciphertext_len % 16 == 0);
+ for (size_t block = 0; block < ciphertext_len / 16; block++) {
+ oqs_aes256_dec_c(ciphertext + (16 * block), schedule, plaintext + (16 * block));
+ }
+}
+
+#ifdef USE_OPENSSL
+void oqs_aes256_load_schedule_ossl(const uint8_t *key, void **schedule, int for_encryption) {
+ EVP_CIPHER_CTX *aes_ctx = EVP_CIPHER_CTX_new();
+ assert(aes_ctx != NULL);
+ if (for_encryption) {
+ assert(1 == EVP_EncryptInit_ex(aes_ctx, EVP_aes_256_ecb(), NULL, key, NULL));
+ } else {
+ assert(1 == EVP_DecryptInit_ex(aes_ctx, EVP_aes_256_ecb(), NULL, key, NULL));
+ }
+ EVP_CIPHER_CTX_set_padding(aes_ctx, 0);
+ *schedule = aes_ctx;
+}
+
+void oqs_aes256_free_schedule_ossl(void *schedule) {
+ if (schedule != NULL) {
+ EVP_CIPHER_CTX_free((EVP_CIPHER_CTX *) schedule);
+ }
+}
+
+void oqs_aes256_ecb_enc_ossl(const uint8_t *plaintext, const size_t plaintext_len, const uint8_t *key, uint8_t *ciphertext) {
+ void *schedule = NULL;
+ oqs_aes256_load_schedule_ossl(key, &schedule, 1);
+ oqs_aes256_ecb_enc_sch_ossl(plaintext, plaintext_len, schedule, ciphertext);
+ oqs_aes256_free_schedule_ossl(schedule);
+}
+
+void oqs_aes256_ecb_dec_ossl(const uint8_t *ciphertext, const size_t ciphertext_len, const uint8_t *key, uint8_t *plaintext) {
+ void *schedule = NULL;
+ oqs_aes256_load_schedule_ossl(key, &schedule, 0);
+ oqs_aes256_ecb_dec_sch_ossl(ciphertext, ciphertext_len, schedule, plaintext);
+ oqs_aes256_free_schedule_ossl(schedule);
+}
+
+void oqs_aes256_ecb_enc_sch_ossl(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext) {
+ assert(plaintext_len % 16 == 0);
+ int outlen;
+ assert(1 == EVP_EncryptUpdate((EVP_CIPHER_CTX *) schedule, ciphertext, &outlen, plaintext, plaintext_len));
+ assert((size_t) outlen == plaintext_len);
+ assert(1 == EVP_EncryptFinal_ex((EVP_CIPHER_CTX *) schedule, ciphertext, &outlen));
+}
+
+void oqs_aes256_ecb_dec_sch_ossl(const uint8_t *ciphertext, const size_t ciphertext_len, const void *schedule, uint8_t *plaintext) {
+ assert(ciphertext_len % 16 == 0);
+ int outlen;
+ assert(1 == EVP_DecryptUpdate((EVP_CIPHER_CTX *) schedule, plaintext, &outlen, ciphertext, ciphertext_len));
+ assert((size_t) outlen == ciphertext_len);
+ assert(1 == EVP_DecryptFinal_ex((EVP_CIPHER_CTX *) schedule, plaintext, &outlen));
+}
+
+#endif
diff --git a/src/ringct20/aes.h b/src/ringct20/aes.h
new file mode 100644
index 0000000..8581e46
--- /dev/null
+++ b/src/ringct20/aes.h
@@ -0,0 +1,120 @@
+/**
+ * \file aes.h
+ * \brief Header defining the API for OQS AES
+ */
+
+#ifndef __OQS_AES_H
+#define __OQS_AES_H
+
+#include <stdint.h>
+#include <stdlib.h>
+
+/**
+ * Function to fill a key schedule given an initial key.
+ *
+ * @param key Initial Key.
+ * @param schedule Abstract data structure for a key schedule.
+ * @param for_encryption 1 if key schedule is for encryption, 0 if for decryption.
+ */
+void OQS_AES128_load_schedule(const uint8_t *key, void **schedule, int for_encryption);
+
+/**
+ * Function to free a key schedule.
+ *
+ * @param schedule Schedule generated with OQS_AES128_load_schedule().
+ */
+void OQS_AES128_free_schedule(void *schedule);
+
+/**
+ * Function to encrypt blocks of plaintext using ECB mode.
+ * A schedule based on the key is generated and used internally.
+ *
+ * @param plaintext Plaintext to be encrypted.
+ * @param plaintext_len Length on the plaintext in bytes. Must be a multiple of 16.
+ * @param key Key to be used for encryption.
+ * @param ciphertext Pointer to a block of memory which >= in size to the plaintext block. The result will be written here.
+ */
+void OQS_AES128_ECB_enc(const uint8_t *plaintext, const size_t plaintext_len, const uint8_t *key, uint8_t *ciphertext);
+
+/**
+ * Function to decrypt blocks of plaintext using ECB mode.
+ * A schedule based on the key is generated and used internally.
+ *
+ * @param ciphertext Ciphertext to be decrypted.
+ * @param ciphertext_len Length on the ciphertext in bytes. Must be a multiple of 16.
+ * @param key Key to be used for encryption.
+ * @param plaintext Pointer to a block of memory which >= in size to the ciphertext block. The result will be written here.
+ */
+void OQS_AES128_ECB_dec(const uint8_t *ciphertext, const size_t ciphertext_len, const uint8_t *key, uint8_t *plaintext);
+
+/**
+ * Same as OQS_AES128_ECB_enc() except a schedule generated by
+ * OQS_AES128_load_schedule() is passed rather then a key. This is faster
+ * if the same schedule is used for multiple encryptions since it does
+ * not have to be regenerated from the key.
+ */
+void OQS_AES128_ECB_enc_sch(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext);
+
+/**
+ * Same as OQS_AES128_ECB_dec() except a schedule generated by
+ * OQS_AES128_load_schedule() is passed rather then a key. This is faster
+ * if the same schedule is used for multiple encryptions since it does
+ * not have to be regenerated from the key.
+ */
+void OQS_AES128_ECB_dec_sch(const uint8_t *ciphertext, const size_t ciphertext_len, const void *schedule, uint8_t *plaintext);
+
+/**
+ * Function to fill a key schedule given an initial key.
+ *
+ * @param key Initial Key.
+ * @param schedule Abstract data structure for a key schedule.
+ * @param for_encryption 1 if key schedule is for encryption, 0 if for decryption.
+ */
+void OQS_AES256_load_schedule(const uint8_t *key, void **schedule, int for_encryption);
+
+/**
+ * Function to free a key schedule.
+ *
+ * @param schedule Schedule generated with OQS_AES256_load_schedule().
+ */
+void OQS_AES256_free_schedule(void *schedule);
+
+/**
+ * Function to encrypt blocks of plaintext using ECB mode.
+ * A schedule based on the key is generated and used internally.
+ *
+ * @param plaintext Plaintext to be encrypted.
+ * @param plaintext_len Length on the plaintext in bytes. Must be a multiple of 16.
+ * @param key Key to be used for encryption.
+ * @param ciphertext Pointer to a block of memory which >= in size to the plaintext block. The result will be written here.
+ */
+void OQS_AES256_ECB_enc(const uint8_t *plaintext, const size_t plaintext_len, const uint8_t *key, uint8_t *ciphertext);
+
+/**
+ * Function to decrypt blocks of plaintext using ECB mode.
+ * A schedule based on the key is generated and used internally.
+ *
+ * @param ciphertext Ciphertext to be decrypted.
+ * @param ciphertext_len Length on the ciphertext in bytes. Must be a multiple of 16.
+ * @param key Key to be used for encryption.
+ * @param plaintext Pointer to a block of memory which >= in size to the ciphertext block. The result will be written here.
+ */
+void OQS_AES256_ECB_dec(const uint8_t *ciphertext, const size_t ciphertext_len, const uint8_t *key, uint8_t *plaintext);
+
+/**
+ * Same as OQS_AES256_ECB_enc() except a schedule generated by
+ * OQS_AES256_load_schedule() is passed rather then a key. This is faster
+ * if the same schedule is used for multiple encryptions since it does
+ * not have to be regenerated from the key.
+ */
+void OQS_AES256_ECB_enc_sch(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext);
+
+/**
+ * Same as OQS_AES256_ECB_dec() except a schedule generated by
+ * OQS_AES256_load_schedule() is passed rather then a key. This is faster
+ * if the same schedule is used for multiple encryptions since it does
+ * not have to be regenerated from the key.
+ */
+void OQS_AES256_ECB_dec_sch(const uint8_t *ciphertext, const size_t ciphertext_len, const void *schedule, uint8_t *plaintext);
+
+#endif
diff --git a/src/ringct20/aes_c.c b/src/ringct20/aes_c.c
new file mode 100644
index 0000000..be543ca
--- /dev/null
+++ b/src/ringct20/aes_c.c
@@ -0,0 +1,434 @@
+// Simple, thoroughly commented implementation of 128-bit AES / Rijndael using C
+// Chris Hulbert - chris.hulbert@gmail.com - http://splinter.com.au/blog
+// References:
+// http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
+// http://en.wikipedia.org/wiki/Rijndael_key_schedule
+// http://en.wikipedia.org/wiki/Rijndael_mix_columns
+// http://en.wikipedia.org/wiki/Rijndael_S-box
+// This code is public domain, or any OSI-approved license, your choice. No warranty.
+
+#include <assert.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "aes.h"
+#include "common.h"
+
+typedef unsigned char byte;
+
+// Here are all the lookup tables for the row shifts, rcon, s-boxes, and galois field multiplications
+static const byte shift_rows_table[] = {0, 5, 10, 15, 4, 9, 14, 3, 8, 13, 2, 7, 12, 1, 6, 11};
+static const byte shift_rows_table_inv[] = {0, 13, 10, 7, 4, 1, 14, 11, 8, 5, 2, 15, 12, 9, 6, 3};
+static const byte lookup_rcon[] = {
+ 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a};
+static const byte lookup_sbox[] = {
+ 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
+ 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
+ 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
+ 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
+ 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
+ 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
+ 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
+ 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
+ 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
+ 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
+ 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
+ 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
+ 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
+ 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
+ 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
+ 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16};
+static const byte lookup_sbox_inv[] = {
+ 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
+ 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb,
+ 0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d, 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e,
+ 0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2, 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25,
+ 0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92,
+ 0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda, 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84,
+ 0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a, 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06,
+ 0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02, 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b,
+ 0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea, 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73,
+ 0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e,
+ 0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89, 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b,
+ 0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20, 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4,
+ 0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31, 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f,
+ 0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef,
+ 0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0, 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61,
+ 0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d};
+static const byte lookup_g2[] = {
+ 0x00, 0x02, 0x04, 0x06, 0x08, 0x0a, 0x0c, 0x0e, 0x10, 0x12, 0x14, 0x16, 0x18, 0x1a, 0x1c, 0x1e,
+ 0x20, 0x22, 0x24, 0x26, 0x28, 0x2a, 0x2c, 0x2e, 0x30, 0x32, 0x34, 0x36, 0x38, 0x3a, 0x3c, 0x3e,
+ 0x40, 0x42, 0x44, 0x46, 0x48, 0x4a, 0x4c, 0x4e, 0x50, 0x52, 0x54, 0x56, 0x58, 0x5a, 0x5c, 0x5e,
+ 0x60, 0x62, 0x64, 0x66, 0x68, 0x6a, 0x6c, 0x6e, 0x70, 0x72, 0x74, 0x76, 0x78, 0x7a, 0x7c, 0x7e,
+ 0x80, 0x82, 0x84, 0x86, 0x88, 0x8a, 0x8c, 0x8e, 0x90, 0x92, 0x94, 0x96, 0x98, 0x9a, 0x9c, 0x9e,
+ 0xa0, 0xa2, 0xa4, 0xa6, 0xa8, 0xaa, 0xac, 0xae, 0xb0, 0xb2, 0xb4, 0xb6, 0xb8, 0xba, 0xbc, 0xbe,
+ 0xc0, 0xc2, 0xc4, 0xc6, 0xc8, 0xca, 0xcc, 0xce, 0xd0, 0xd2, 0xd4, 0xd6, 0xd8, 0xda, 0xdc, 0xde,
+ 0xe0, 0xe2, 0xe4, 0xe6, 0xe8, 0xea, 0xec, 0xee, 0xf0, 0xf2, 0xf4, 0xf6, 0xf8, 0xfa, 0xfc, 0xfe,
+ 0x1b, 0x19, 0x1f, 0x1d, 0x13, 0x11, 0x17, 0x15, 0x0b, 0x09, 0x0f, 0x0d, 0x03, 0x01, 0x07, 0x05,
+ 0x3b, 0x39, 0x3f, 0x3d, 0x33, 0x31, 0x37, 0x35, 0x2b, 0x29, 0x2f, 0x2d, 0x23, 0x21, 0x27, 0x25,
+ 0x5b, 0x59, 0x5f, 0x5d, 0x53, 0x51, 0x57, 0x55, 0x4b, 0x49, 0x4f, 0x4d, 0x43, 0x41, 0x47, 0x45,
+ 0x7b, 0x79, 0x7f, 0x7d, 0x73, 0x71, 0x77, 0x75, 0x6b, 0x69, 0x6f, 0x6d, 0x63, 0x61, 0x67, 0x65,
+ 0x9b, 0x99, 0x9f, 0x9d, 0x93, 0x91, 0x97, 0x95, 0x8b, 0x89, 0x8f, 0x8d, 0x83, 0x81, 0x87, 0x85,
+ 0xbb, 0xb9, 0xbf, 0xbd, 0xb3, 0xb1, 0xb7, 0xb5, 0xab, 0xa9, 0xaf, 0xad, 0xa3, 0xa1, 0xa7, 0xa5,
+ 0xdb, 0xd9, 0xdf, 0xdd, 0xd3, 0xd1, 0xd7, 0xd5, 0xcb, 0xc9, 0xcf, 0xcd, 0xc3, 0xc1, 0xc7, 0xc5,
+ 0xfb, 0xf9, 0xff, 0xfd, 0xf3, 0xf1, 0xf7, 0xf5, 0xeb, 0xe9, 0xef, 0xed, 0xe3, 0xe1, 0xe7, 0xe5};
+static const byte lookup_g3[] = {
+ 0x00, 0x03, 0x06, 0x05, 0x0c, 0x0f, 0x0a, 0x09, 0x18, 0x1b, 0x1e, 0x1d, 0x14, 0x17, 0x12, 0x11,
+ 0x30, 0x33, 0x36, 0x35, 0x3c, 0x3f, 0x3a, 0x39, 0x28, 0x2b, 0x2e, 0x2d, 0x24, 0x27, 0x22, 0x21,
+ 0x60, 0x63, 0x66, 0x65, 0x6c, 0x6f, 0x6a, 0x69, 0x78, 0x7b, 0x7e, 0x7d, 0x74, 0x77, 0x72, 0x71,
+ 0x50, 0x53, 0x56, 0x55, 0x5c, 0x5f, 0x5a, 0x59, 0x48, 0x4b, 0x4e, 0x4d, 0x44, 0x47, 0x42, 0x41,
+ 0xc0, 0xc3, 0xc6, 0xc5, 0xcc, 0xcf, 0xca, 0xc9, 0xd8, 0xdb, 0xde, 0xdd, 0xd4, 0xd7, 0xd2, 0xd1,
+ 0xf0, 0xf3, 0xf6, 0xf5, 0xfc, 0xff, 0xfa, 0xf9, 0xe8, 0xeb, 0xee, 0xed, 0xe4, 0xe7, 0xe2, 0xe1,
+ 0xa0, 0xa3, 0xa6, 0xa5, 0xac, 0xaf, 0xaa, 0xa9, 0xb8, 0xbb, 0xbe, 0xbd, 0xb4, 0xb7, 0xb2, 0xb1,
+ 0x90, 0x93, 0x96, 0x95, 0x9c, 0x9f, 0x9a, 0x99, 0x88, 0x8b, 0x8e, 0x8d, 0x84, 0x87, 0x82, 0x81,
+ 0x9b, 0x98, 0x9d, 0x9e, 0x97, 0x94, 0x91, 0x92, 0x83, 0x80, 0x85, 0x86, 0x8f, 0x8c, 0x89, 0x8a,
+ 0xab, 0xa8, 0xad, 0xae, 0xa7, 0xa4, 0xa1, 0xa2, 0xb3, 0xb0, 0xb5, 0xb6, 0xbf, 0xbc, 0xb9, 0xba,
+ 0xfb, 0xf8, 0xfd, 0xfe, 0xf7, 0xf4, 0xf1, 0xf2, 0xe3, 0xe0, 0xe5, 0xe6, 0xef, 0xec, 0xe9, 0xea,
+ 0xcb, 0xc8, 0xcd, 0xce, 0xc7, 0xc4, 0xc1, 0xc2, 0xd3, 0xd0, 0xd5, 0xd6, 0xdf, 0xdc, 0xd9, 0xda,
+ 0x5b, 0x58, 0x5d, 0x5e, 0x57, 0x54, 0x51, 0x52, 0x43, 0x40, 0x45, 0x46, 0x4f, 0x4c, 0x49, 0x4a,
+ 0x6b, 0x68, 0x6d, 0x6e, 0x67, 0x64, 0x61, 0x62, 0x73, 0x70, 0x75, 0x76, 0x7f, 0x7c, 0x79, 0x7a,
+ 0x3b, 0x38, 0x3d, 0x3e, 0x37, 0x34, 0x31, 0x32, 0x23, 0x20, 0x25, 0x26, 0x2f, 0x2c, 0x29, 0x2a,
+ 0x0b, 0x08, 0x0d, 0x0e, 0x07, 0x04, 0x01, 0x02, 0x13, 0x10, 0x15, 0x16, 0x1f, 0x1c, 0x19, 0x1a};
+static const byte lookup_g9[] = {
+ 0x00, 0x09, 0x12, 0x1b, 0x24, 0x2d, 0x36, 0x3f, 0x48, 0x41, 0x5a, 0x53, 0x6c, 0x65, 0x7e, 0x77,
+ 0x90, 0x99, 0x82, 0x8b, 0xb4, 0xbd, 0xa6, 0xaf, 0xd8, 0xd1, 0xca, 0xc3, 0xfc, 0xf5, 0xee, 0xe7,
+ 0x3b, 0x32, 0x29, 0x20, 0x1f, 0x16, 0x0d, 0x04, 0x73, 0x7a, 0x61, 0x68, 0x57, 0x5e, 0x45, 0x4c,
+ 0xab, 0xa2, 0xb9, 0xb0, 0x8f, 0x86, 0x9d, 0x94, 0xe3, 0xea, 0xf1, 0xf8, 0xc7, 0xce, 0xd5, 0xdc,
+ 0x76, 0x7f, 0x64, 0x6d, 0x52, 0x5b, 0x40, 0x49, 0x3e, 0x37, 0x2c, 0x25, 0x1a, 0x13, 0x08, 0x01,
+ 0xe6, 0xef, 0xf4, 0xfd, 0xc2, 0xcb, 0xd0, 0xd9, 0xae, 0xa7, 0xbc, 0xb5, 0x8a, 0x83, 0x98, 0x91,
+ 0x4d, 0x44, 0x5f, 0x56, 0x69, 0x60, 0x7b, 0x72, 0x05, 0x0c, 0x17, 0x1e, 0x21, 0x28, 0x33, 0x3a,
+ 0xdd, 0xd4, 0xcf, 0xc6, 0xf9, 0xf0, 0xeb, 0xe2, 0x95, 0x9c, 0x87, 0x8e, 0xb1, 0xb8, 0xa3, 0xaa,
+ 0xec, 0xe5, 0xfe, 0xf7, 0xc8, 0xc1, 0xda, 0xd3, 0xa4, 0xad, 0xb6, 0xbf, 0x80, 0x89, 0x92, 0x9b,
+ 0x7c, 0x75, 0x6e, 0x67, 0x58, 0x51, 0x4a, 0x43, 0x34, 0x3d, 0x26, 0x2f, 0x10, 0x19, 0x02, 0x0b,
+ 0xd7, 0xde, 0xc5, 0xcc, 0xf3, 0xfa, 0xe1, 0xe8, 0x9f, 0x96, 0x8d, 0x84, 0xbb, 0xb2, 0xa9, 0xa0,
+ 0x47, 0x4e, 0x55, 0x5c, 0x63, 0x6a, 0x71, 0x78, 0x0f, 0x06, 0x1d, 0x14, 0x2b, 0x22, 0x39, 0x30,
+ 0x9a, 0x93, 0x88, 0x81, 0xbe, 0xb7, 0xac, 0xa5, 0xd2, 0xdb, 0xc0, 0xc9, 0xf6, 0xff, 0xe4, 0xed,
+ 0x0a, 0x03, 0x18, 0x11, 0x2e, 0x27, 0x3c, 0x35, 0x42, 0x4b, 0x50, 0x59, 0x66, 0x6f, 0x74, 0x7d,
+ 0xa1, 0xa8, 0xb3, 0xba, 0x85, 0x8c, 0x97, 0x9e, 0xe9, 0xe0, 0xfb, 0xf2, 0xcd, 0xc4, 0xdf, 0xd6,
+ 0x31, 0x38, 0x23, 0x2a, 0x15, 0x1c, 0x07, 0x0e, 0x79, 0x70, 0x6b, 0x62, 0x5d, 0x54, 0x4f, 0x46};
+static const byte lookup_g11[] = {
+ 0x00, 0x0b, 0x16, 0x1d, 0x2c, 0x27, 0x3a, 0x31, 0x58, 0x53, 0x4e, 0x45, 0x74, 0x7f, 0x62, 0x69,
+ 0xb0, 0xbb, 0xa6, 0xad, 0x9c, 0x97, 0x8a, 0x81, 0xe8, 0xe3, 0xfe, 0xf5, 0xc4, 0xcf, 0xd2, 0xd9,
+ 0x7b, 0x70, 0x6d, 0x66, 0x57, 0x5c, 0x41, 0x4a, 0x23, 0x28, 0x35, 0x3e, 0x0f, 0x04, 0x19, 0x12,
+ 0xcb, 0xc0, 0xdd, 0xd6, 0xe7, 0xec, 0xf1, 0xfa, 0x93, 0x98, 0x85, 0x8e, 0xbf, 0xb4, 0xa9, 0xa2,
+ 0xf6, 0xfd, 0xe0, 0xeb, 0xda, 0xd1, 0xcc, 0xc7, 0xae, 0xa5, 0xb8, 0xb3, 0x82, 0x89, 0x94, 0x9f,
+ 0x46, 0x4d, 0x50, 0x5b, 0x6a, 0x61, 0x7c, 0x77, 0x1e, 0x15, 0x08, 0x03, 0x32, 0x39, 0x24, 0x2f,
+ 0x8d, 0x86, 0x9b, 0x90, 0xa1, 0xaa, 0xb7, 0xbc, 0xd5, 0xde, 0xc3, 0xc8, 0xf9, 0xf2, 0xef, 0xe4,
+ 0x3d, 0x36, 0x2b, 0x20, 0x11, 0x1a, 0x07, 0x0c, 0x65, 0x6e, 0x73, 0x78, 0x49, 0x42, 0x5f, 0x54,
+ 0xf7, 0xfc, 0xe1, 0xea, 0xdb, 0xd0, 0xcd, 0xc6, 0xaf, 0xa4, 0xb9, 0xb2, 0x83, 0x88, 0x95, 0x9e,
+ 0x47, 0x4c, 0x51, 0x5a, 0x6b, 0x60, 0x7d, 0x76, 0x1f, 0x14, 0x09, 0x02, 0x33, 0x38, 0x25, 0x2e,
+ 0x8c, 0x87, 0x9a, 0x91, 0xa0, 0xab, 0xb6, 0xbd, 0xd4, 0xdf, 0xc2, 0xc9, 0xf8, 0xf3, 0xee, 0xe5,
+ 0x3c, 0x37, 0x2a, 0x21, 0x10, 0x1b, 0x06, 0x0d, 0x64, 0x6f, 0x72, 0x79, 0x48, 0x43, 0x5e, 0x55,
+ 0x01, 0x0a, 0x17, 0x1c, 0x2d, 0x26, 0x3b, 0x30, 0x59, 0x52, 0x4f, 0x44, 0x75, 0x7e, 0x63, 0x68,
+ 0xb1, 0xba, 0xa7, 0xac, 0x9d, 0x96, 0x8b, 0x80, 0xe9, 0xe2, 0xff, 0xf4, 0xc5, 0xce, 0xd3, 0xd8,
+ 0x7a, 0x71, 0x6c, 0x67, 0x56, 0x5d, 0x40, 0x4b, 0x22, 0x29, 0x34, 0x3f, 0x0e, 0x05, 0x18, 0x13,
+ 0xca, 0xc1, 0xdc, 0xd7, 0xe6, 0xed, 0xf0, 0xfb, 0x92, 0x99, 0x84, 0x8f, 0xbe, 0xb5, 0xa8, 0xa3};
+static const byte lookup_g13[] = {
+ 0x00, 0x0d, 0x1a, 0x17, 0x34, 0x39, 0x2e, 0x23, 0x68, 0x65, 0x72, 0x7f, 0x5c, 0x51, 0x46, 0x4b,
+ 0xd0, 0xdd, 0xca, 0xc7, 0xe4, 0xe9, 0xfe, 0xf3, 0xb8, 0xb5, 0xa2, 0xaf, 0x8c, 0x81, 0x96, 0x9b,
+ 0xbb, 0xb6, 0xa1, 0xac, 0x8f, 0x82, 0x95, 0x98, 0xd3, 0xde, 0xc9, 0xc4, 0xe7, 0xea, 0xfd, 0xf0,
+ 0x6b, 0x66, 0x71, 0x7c, 0x5f, 0x52, 0x45, 0x48, 0x03, 0x0e, 0x19, 0x14, 0x37, 0x3a, 0x2d, 0x20,
+ 0x6d, 0x60, 0x77, 0x7a, 0x59, 0x54, 0x43, 0x4e, 0x05, 0x08, 0x1f, 0x12, 0x31, 0x3c, 0x2b, 0x26,
+ 0xbd, 0xb0, 0xa7, 0xaa, 0x89, 0x84, 0x93, 0x9e, 0xd5, 0xd8, 0xcf, 0xc2, 0xe1, 0xec, 0xfb, 0xf6,
+ 0xd6, 0xdb, 0xcc, 0xc1, 0xe2, 0xef, 0xf8, 0xf5, 0xbe, 0xb3, 0xa4, 0xa9, 0x8a, 0x87, 0x90, 0x9d,
+ 0x06, 0x0b, 0x1c, 0x11, 0x32, 0x3f, 0x28, 0x25, 0x6e, 0x63, 0x74, 0x79, 0x5a, 0x57, 0x40, 0x4d,
+ 0xda, 0xd7, 0xc0, 0xcd, 0xee, 0xe3, 0xf4, 0xf9, 0xb2, 0xbf, 0xa8, 0xa5, 0x86, 0x8b, 0x9c, 0x91,
+ 0x0a, 0x07, 0x10, 0x1d, 0x3e, 0x33, 0x24, 0x29, 0x62, 0x6f, 0x78, 0x75, 0x56, 0x5b, 0x4c, 0x41,
+ 0x61, 0x6c, 0x7b, 0x76, 0x55, 0x58, 0x4f, 0x42, 0x09, 0x04, 0x13, 0x1e, 0x3d, 0x30, 0x27, 0x2a,
+ 0xb1, 0xbc, 0xab, 0xa6, 0x85, 0x88, 0x9f, 0x92, 0xd9, 0xd4, 0xc3, 0xce, 0xed, 0xe0, 0xf7, 0xfa,
+ 0xb7, 0xba, 0xad, 0xa0, 0x83, 0x8e, 0x99, 0x94, 0xdf, 0xd2, 0xc5, 0xc8, 0xeb, 0xe6, 0xf1, 0xfc,
+ 0x67, 0x6a, 0x7d, 0x70, 0x53, 0x5e, 0x49, 0x44, 0x0f, 0x02, 0x15, 0x18, 0x3b, 0x36, 0x21, 0x2c,
+ 0x0c, 0x01, 0x16, 0x1b, 0x38, 0x35, 0x22, 0x2f, 0x64, 0x69, 0x7e, 0x73, 0x50, 0x5d, 0x4a, 0x47,
+ 0xdc, 0xd1, 0xc6, 0xcb, 0xe8, 0xe5, 0xf2, 0xff, 0xb4, 0xb9, 0xae, 0xa3, 0x80, 0x8d, 0x9a, 0x97};
+static const byte lookup_g14[] = {
+ 0x00, 0x0e, 0x1c, 0x12, 0x38, 0x36, 0x24, 0x2a, 0x70, 0x7e, 0x6c, 0x62, 0x48, 0x46, 0x54, 0x5a,
+ 0xe0, 0xee, 0xfc, 0xf2, 0xd8, 0xd6, 0xc4, 0xca, 0x90, 0x9e, 0x8c, 0x82, 0xa8, 0xa6, 0xb4, 0xba,
+ 0xdb, 0xd5, 0xc7, 0xc9, 0xe3, 0xed, 0xff, 0xf1, 0xab, 0xa5, 0xb7, 0xb9, 0x93, 0x9d, 0x8f, 0x81,
+ 0x3b, 0x35, 0x27, 0x29, 0x03, 0x0d, 0x1f, 0x11, 0x4b, 0x45, 0x57, 0x59, 0x73, 0x7d, 0x6f, 0x61,
+ 0xad, 0xa3, 0xb1, 0xbf, 0x95, 0x9b, 0x89, 0x87, 0xdd, 0xd3, 0xc1, 0xcf, 0xe5, 0xeb, 0xf9, 0xf7,
+ 0x4d, 0x43, 0x51, 0x5f, 0x75, 0x7b, 0x69, 0x67, 0x3d, 0x33, 0x21, 0x2f, 0x05, 0x0b, 0x19, 0x17,
+ 0x76, 0x78, 0x6a, 0x64, 0x4e, 0x40, 0x52, 0x5c, 0x06, 0x08, 0x1a, 0x14, 0x3e, 0x30, 0x22, 0x2c,
+ 0x96, 0x98, 0x8a, 0x84, 0xae, 0xa0, 0xb2, 0xbc, 0xe6, 0xe8, 0xfa, 0xf4, 0xde, 0xd0, 0xc2, 0xcc,
+ 0x41, 0x4f, 0x5d, 0x53, 0x79, 0x77, 0x65, 0x6b, 0x31, 0x3f, 0x2d, 0x23, 0x09, 0x07, 0x15, 0x1b,
+ 0xa1, 0xaf, 0xbd, 0xb3, 0x99, 0x97, 0x85, 0x8b, 0xd1, 0xdf, 0xcd, 0xc3, 0xe9, 0xe7, 0xf5, 0xfb,
+ 0x9a, 0x94, 0x86, 0x88, 0xa2, 0xac, 0xbe, 0xb0, 0xea, 0xe4, 0xf6, 0xf8, 0xd2, 0xdc, 0xce, 0xc0,
+ 0x7a, 0x74, 0x66, 0x68, 0x42, 0x4c, 0x5e, 0x50, 0x0a, 0x04, 0x16, 0x18, 0x32, 0x3c, 0x2e, 0x20,
+ 0xec, 0xe2, 0xf0, 0xfe, 0xd4, 0xda, 0xc8, 0xc6, 0x9c, 0x92, 0x80, 0x8e, 0xa4, 0xaa, 0xb8, 0xb6,
+ 0x0c, 0x02, 0x10, 0x1e, 0x34, 0x3a, 0x28, 0x26, 0x7c, 0x72, 0x60, 0x6e, 0x44, 0x4a, 0x58, 0x56,
+ 0x37, 0x39, 0x2b, 0x25, 0x0f, 0x01, 0x13, 0x1d, 0x47, 0x49, 0x5b, 0x55, 0x7f, 0x71, 0x63, 0x6d,
+ 0xd7, 0xd9, 0xcb, 0xc5, 0xef, 0xe1, 0xf3, 0xfd, 0xa7, 0xa9, 0xbb, 0xb5, 0x9f, 0x91, 0x83, 0x8d};
+
+// Xor's all elements in a n byte array a by b
+static void xor (byte * a, const byte *b, int n) {
+ int i;
+ for (i = 0; i < n; i++) {
+ a[i] ^= b[i];
+ }
+}
+
+ // Xor the current cipher state by a specific round key
+ static void xor_round_key(byte *state, const byte *keys, int round) {
+ xor(state, keys + round * 16, 16);
+}
+
+// Apply the rijndael s-box to all elements in an array
+// http://en.wikipedia.org/wiki/Rijndael_S-box
+static void sub_bytes(byte *a, int n) {
+ int i;
+ for (i = 0; i < n; i++) {
+ a[i] = lookup_sbox[a[i]];
+ }
+}
+static void sub_bytes_inv(byte *a, int n) {
+ int i;
+ for (i = 0; i < n; i++) {
+ a[i] = lookup_sbox_inv[a[i]];
+ }
+}
+
+// Rotate the first four bytes of the input eight bits to the left
+static void rot_word(byte *a) {
+ byte temp = a[0];
+ a[0] = a[1];
+ a[1] = a[2];
+ a[2] = a[3];
+ a[3] = temp;
+}
+
+// Perform the core key schedule transform on 4 bytes, as part of the key expansion process
+// http://en.wikipedia.org/wiki/Rijndael_key_schedule#Key_schedule_core
+static void key_schedule_core(byte *a, int i) {
+ byte temp = a[0]; // Rotate the output eight bits to the left
+ a[0] = a[1];
+ a[1] = a[2];
+ a[2] = a[3];
+ a[3] = temp;
+ sub_bytes(a, 4); // Apply Rijndael's S-box on all four individual bytes in the output word
+ a[0] ^= lookup_rcon[i]; // On just the first (leftmost) byte of the output word, perform the rcon operation with i
+ // as the input, and exclusive or the rcon output with the first byte of the output word
+}
+
+// Expand the 16-byte key to 11 round keys (176 bytes)
+// http://en.wikipedia.org/wiki/Rijndael_key_schedule#The_key_schedule
+void oqs_aes128_load_schedule_c(const uint8_t *key, void **_schedule) {
+ *_schedule = malloc(16 * 11);
+ assert(*_schedule != NULL);
+ uint8_t *schedule = (uint8_t *) *_schedule;
+ int bytes = 16; // The count of how many bytes we've created so far
+ int i = 1; // The rcon iteration value i is set to 1
+ int j; // For repeating the second stage 3 times
+ byte t[4]; // Temporary working area known as 't' in the Wiki article
+ memcpy(schedule, key, 16); // The first 16 bytes of the expanded key are simply the encryption key
+
+ while (bytes < 176) { // Until we have 176 bytes of expanded key, we do the following:
+ memcpy(t, schedule + bytes - 4, 4); // We assign the value of the previous four bytes in the expanded key to t
+ key_schedule_core(t, i); // We perform the key schedule core on t, with i as the rcon iteration value
+ i++; // We increment i by 1
+ xor(t, schedule + bytes - 16, 4); // We exclusive-or t with the four-byte block 16 bytes before the new expanded key.
+ memcpy(schedule + bytes, t, 4); // This becomes the next 4 bytes in the expanded key
+ bytes += 4; // Keep track of how many expanded key bytes we've added
+
+ // We then do the following three times to create the next twelve bytes
+ for (j = 0; j < 3; j++) {
+ memcpy(t, schedule + bytes - 4, 4); // We assign the value of the previous 4 bytes in the expanded key to t
+ xor(t, schedule + bytes - 16, 4); // We exclusive-or t with the four-byte block n bytes before
+ memcpy(schedule + bytes, t, 4); // This becomes the next 4 bytes in the expanded key
+ bytes += 4; // Keep track of how many expanded key bytes we've added
+ }
+ }
+}
+
+void oqs_aes128_free_schedule_c(void *schedule) {
+ if (schedule != NULL) {
+ OQS_MEM_secure_free(schedule, 176);
+ }
+}
+
+// Expand the 16-byte key to 15 round keys (240 bytes)
+// http://en.wikipedia.org/wiki/Rijndael_key_schedule#The_key_schedule
+void oqs_aes256_load_schedule_c(const uint8_t *key, void **_schedule) {
+ *_schedule = malloc(16 * 15);
+ assert(*_schedule != NULL);
+ uint8_t *schedule = (uint8_t *) *_schedule;
+ int i = 0; // The count of how many iterations we've done
+ uint8_t t[4]; // Temporary working area
+
+ // The first 32 bytes of the expanded key are simply the encryption key
+ memcpy(schedule, key, 8 * 4);
+
+ // The remaining 240-32 bytes of the expanded key are computed in one of three ways:
+ for (i = 8; i < 4 * 15; i++) {
+ if (i % 8 == 0) {
+ memcpy(t, schedule + 4 * (i - 1), 4); // We assign the value of the previous 4 bytes in the expanded key to t
+ sub_bytes(t, 4); // We apply byte-wise substitution to t
+ rot_word(t); // We rotate t one byte left
+ t[0] ^= lookup_rcon[i / 8]; // We xor in the round constant
+ xor(t, schedule + 4 * (i - 8), 4); // We xor in the four-byte block n bytes before
+ memcpy(schedule + 4 * i, t, 4); // This becomes the next 4 bytes in the expanded key
+ } else if (i % 8 == 4) {
+ memcpy(t, schedule + 4 * (i - 1), 4); // We assign the value of the previous 4 bytes in the expanded key to t
+ sub_bytes(t, 4); // We apply byte-wise substitution to t
+ xor(t, schedule + 4 * (i - 8), 4); // We xor in the four-byte block n bytes before
+ memcpy(schedule + 4 * i, t, 4); // This becomes the next 4 bytes in the expanded key
+ } else {
+ memcpy(t, schedule + 4 * (i - 1), 4); // We assign the value of the previous 4 bytes in the expanded key to t
+ xor(t, schedule + 4 * (i - 8), 4); // We xor in the four-byte block n bytes before
+ memcpy(schedule + 4 * i, t, 4); // This becomes the next 4 bytes in the expanded key
+ }
+ }
+}
+
+void oqs_aes256_free_schedule_c(void *schedule) {
+ if (schedule != NULL) {
+ OQS_MEM_secure_free(schedule, 16 * 15);
+ }
+}
+
+// Apply the shift rows step on the 16 byte cipher state
+// http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#The_ShiftRows_step
+static void shift_rows(byte *state) {
+ int i;
+ byte temp[16];
+ memcpy(temp, state, 16);
+ for (i = 0; i < 16; i++) {
+ state[i] = temp[shift_rows_table[i]];
+ }
+}
+static void shift_rows_inv(byte *state) {
+ int i;
+ byte temp[16];
+ memcpy(temp, state, 16);
+ for (i = 0; i < 16; i++) {
+ state[i] = temp[shift_rows_table_inv[i]];
+ }
+}
+
+// Perform the mix columns matrix on one column of 4 bytes
+// http://en.wikipedia.org/wiki/Rijndael_mix_columns
+static void mix_col(byte *state) {
+ byte a0 = state[0];
+ byte a1 = state[1];
+ byte a2 = state[2];
+ byte a3 = state[3];
+ state[0] = lookup_g2[a0] ^ lookup_g3[a1] ^ a2 ^ a3;
+ state[1] = lookup_g2[a1] ^ lookup_g3[a2] ^ a3 ^ a0;
+ state[2] = lookup_g2[a2] ^ lookup_g3[a3] ^ a0 ^ a1;
+ state[3] = lookup_g2[a3] ^ lookup_g3[a0] ^ a1 ^ a2;
+}
+
+// Perform the mix columns matrix on each column of the 16 bytes
+static void mix_cols(byte *state) {
+ mix_col(state);
+ mix_col(state + 4);
+ mix_col(state + 8);
+ mix_col(state + 12);
+}
+
+// Perform the inverse mix columns matrix on one column of 4 bytes
+// http://en.wikipedia.org/wiki/Rijndael_mix_columns
+static void mix_col_inv(byte *state) {
+ byte a0 = state[0];
+ byte a1 = state[1];
+ byte a2 = state[2];
+ byte a3 = state[3];
+ state[0] = lookup_g14[a0] ^ lookup_g9[a3] ^ lookup_g13[a2] ^ lookup_g11[a1];
+ state[1] = lookup_g14[a1] ^ lookup_g9[a0] ^ lookup_g13[a3] ^ lookup_g11[a2];
+ state[2] = lookup_g14[a2] ^ lookup_g9[a1] ^ lookup_g13[a0] ^ lookup_g11[a3];
+ state[3] = lookup_g14[a3] ^ lookup_g9[a2] ^ lookup_g13[a1] ^ lookup_g11[a0];
+}
+
+// Perform the inverse mix columns matrix on each column of the 16 bytes
+static void mix_cols_inv(byte *state) {
+ mix_col_inv(state);
+ mix_col_inv(state + 4);
+ mix_col_inv(state + 8);
+ mix_col_inv(state + 12);
+}
+
+void oqs_aes128_enc_c(const uint8_t *plaintext, const void *_schedule, uint8_t *ciphertext) {
+ const uint8_t *schedule = (const uint8_t *) _schedule;
+ int i; // To count the rounds
+
+ // First Round
+ memcpy(ciphertext, plaintext, 16);
+ xor_round_key(ciphertext, schedule, 0);
+
+ // Middle rounds
+ for (i = 0; i < 9; i++) {
+ sub_bytes(ciphertext, 16);
+ shift_rows(ciphertext);
+ mix_cols(ciphertext);
+ xor_round_key(ciphertext, schedule, i + 1);
+ }
+
+ // Final Round
+ sub_bytes(ciphertext, 16);
+ shift_rows(ciphertext);
+ xor_round_key(ciphertext, schedule, 10);
+}
+
+void oqs_aes128_dec_c(const uint8_t *ciphertext, const void *_schedule, uint8_t *plaintext) {
+ const uint8_t *schedule = (const uint8_t *) _schedule;
+ int i; // To count the rounds
+
+ // Reverse the final Round
+ memcpy(plaintext, ciphertext, 16);
+ xor_round_key(plaintext, schedule, 10);
+ shift_rows_inv(plaintext);
+ sub_bytes_inv(plaintext, 16);
+
+ // Reverse the middle rounds
+ for (i = 0; i < 9; i++) {
+ xor_round_key(plaintext, schedule, 9 - i);
+ mix_cols_inv(plaintext);
+ shift_rows_inv(plaintext);
+ sub_bytes_inv(plaintext, 16);
+ }
+
+ // Reverse the first Round
+ xor_round_key(plaintext, schedule, 0);
+}
+
+void oqs_aes256_enc_c(const uint8_t *plaintext, const void *_schedule, uint8_t *ciphertext) {
+ const uint8_t *schedule = (const uint8_t *) _schedule;
+ int i; // To count the rounds
+
+ // First Round
+ memcpy(ciphertext, plaintext, 16);
+ xor_round_key(ciphertext, schedule, 0);
+
+ // Middle rounds
+ for (i = 0; i < 13; i++) {
+ sub_bytes(ciphertext, 16);
+ shift_rows(ciphertext);
+ mix_cols(ciphertext);
+ xor_round_key(ciphertext, schedule, i + 1);
+ }
+
+ // Final Round
+ sub_bytes(ciphertext, 16);
+ shift_rows(ciphertext);
+ xor_round_key(ciphertext, schedule, 14);
+}
+
+void oqs_aes256_dec_c(const uint8_t *ciphertext, const void *_schedule, uint8_t *plaintext) {
+ const uint8_t *schedule = (const uint8_t *) _schedule;
+ int i; // To count the rounds
+
+ // Reverse the final Round
+ memcpy(plaintext, ciphertext, 16);
+ xor_round_key(plaintext, schedule, 14);
+ shift_rows_inv(plaintext);
+ sub_bytes_inv(plaintext, 16);
+
+ // Reverse the middle rounds
+ for (i = 0; i < 13; i++) {
+ xor_round_key(plaintext, schedule, 13 - i);
+ mix_cols_inv(plaintext);
+ shift_rows_inv(plaintext);
+ sub_bytes_inv(plaintext, 16);
+ }
+
+ // Reverse the first Round
+ xor_round_key(plaintext, schedule, 0);
+}
diff --git a/src/ringct20/aes_local.h b/src/ringct20/aes_local.h
new file mode 100644
index 0000000..b5b5438
--- /dev/null
+++ b/src/ringct20/aes_local.h
@@ -0,0 +1,54 @@
+/**
+ * \file aes_local.h
+ * \brief Header defining additional internal functions for OQS AES
+ */
+
+#ifndef __OQS_AES_LOCAL_H
+#define __OQS_AES_LOCAL_H
+
+#include <stdint.h>
+#include <stdlib.h>
+#include "common.h"
+
+void oqs_aes128_ecb_enc_ni(const uint8_t *plaintext, const size_t plaintext_len, const uint8_t *key, uint8_t *ciphertext);
+void oqs_aes128_ecb_dec_ni(const uint8_t *ciphertext, const size_t ciphertext_len, const uint8_t *key, uint8_t *plaintext);
+void oqs_aes128_ecb_enc_sch_ni(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext);
+void oqs_aes128_ecb_dec_sch_ni(const uint8_t *ciphertext, const size_t ciphertext_len, const void *schedule, uint8_t *plaintext);
+
+void oqs_aes128_load_schedule_c(const uint8_t *key, void **schedule);
+void oqs_aes128_free_schedule_c(void *schedule);
+void oqs_aes128_enc_c(const uint8_t *plaintext, const void *schedule, uint8_t *ciphertext);
+void oqs_aes128_dec_c(const uint8_t *ciphertext, const void *schedule, uint8_t *plaintext);
+void oqs_aes128_ecb_enc_c(const uint8_t *plaintext, const size_t plaintext_len, const uint8_t *key, uint8_t *ciphertext);
+void oqs_aes128_ecb_dec_c(const uint8_t *ciphertext, const size_t ciphertext_len, const uint8_t *key, uint8_t *plaintext);
+void oqs_aes128_ecb_enc_sch_c(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext);
+void oqs_aes128_ecb_dec_sch_c(const uint8_t *ciphertext, const size_t ciphertext_len, const void *schedule, uint8_t *plaintext);
+
+#ifdef USE_OPENSSL
+void oqs_aes128_load_schedule_ossl(const uint8_t *key, void **schedule, int for_encryption);
+void oqs_aes128_free_schedule_ossl(void *schedule);
+void oqs_aes128_ecb_enc_ossl(const uint8_t *plaintext, const size_t plaintext_len, const uint8_t *key, uint8_t *ciphertext);
+void oqs_aes128_ecb_dec_ossl(const uint8_t *ciphertext, const size_t ciphertext_len, const uint8_t *key, uint8_t *plaintext);
+void oqs_aes128_ecb_enc_sch_ossl(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext);
+void oqs_aes128_ecb_dec_sch_ossl(const uint8_t *ciphertext, const size_t ciphertext_len, const void *schedule, uint8_t *plaintext);
+#endif
+
+void oqs_aes256_load_schedule_c(const uint8_t *key, void **schedule);
+void oqs_aes256_free_schedule_c(void *schedule);
+void oqs_aes256_enc_c(const uint8_t *plaintext, const void *schedule, uint8_t *ciphertext);
+void oqs_aes256_dec_c(const uint8_t *ciphertext, const void *schedule, uint8_t *plaintext);
+void oqs_aes256_ecb_enc_c(const uint8_t *plaintext, const size_t plaintext_len, const uint8_t *key, uint8_t *ciphertext);
+void oqs_aes256_ecb_dec_c(const uint8_t *ciphertext, const size_t ciphertext_len, const uint8_t *key, uint8_t *plaintext);
+void oqs_aes256_ecb_enc_sch_c(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext);
+void oqs_aes256_ecb_dec_sch_c(const uint8_t *ciphertext, const size_t ciphertext_len, const void *schedule, uint8_t *plaintext);
+
+#ifdef USE_OPENSSL
+void oqs_aes256_load_schedule_ossl(const uint8_t *key, void **schedule, int for_encryption);
+void oqs_aes256_free_schedule_ossl(void *schedule);
+void oqs_aes256_ecb_enc_ossl(const uint8_t *plaintext, const size_t plaintext_len, const uint8_t *key, uint8_t *ciphertext);
+void oqs_aes256_ecb_dec_ossl(const uint8_t *ciphertext, const size_t ciphertext_len, const uint8_t *key, uint8_t *plaintext);
+void oqs_aes256_ecb_enc_sch_ossl(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext);
+void oqs_aes256_ecb_dec_sch_ossl(const uint8_t *ciphertext, const size_t ciphertext_len, const void *schedule, uint8_t *plaintext);
+#endif
+
+#endif
diff --git a/src/ringct20/api.h b/src/ringct20/api.h
new file mode 100644
index 0000000..252c450
--- /dev/null
+++ b/src/ringct20/api.h
@@ -0,0 +1,25 @@
+#ifndef API_H
+#define API_H
+
+#include "params.h"
+
+#define CRYPTO_SECRETKEYBYTES NEWHOPE_CCAKEM_SECRETKEYBYTES
+#define CRYPTO_PUBLICKEYBYTES NEWHOPE_CCAKEM_PUBLICKEYBYTES
+#define CRYPTO_CIPHERTEXTBYTES NEWHOPE_CCAKEM_CIPHERTEXTBYTES
+#define CRYPTO_BYTES NEWHOPE_SYMBYTES
+
+#if (NEWHOPE_N == 512)
+#define CRYPTO_ALGNAME "NewHope-512-CCA-KEM"
+#elif (NEWHOPE_N == 1024)
+#define CRYPTO_ALGNAME "NewHope-1024-CCA-KEM"
+#else
+#error "NEWHOPE_N must be either 512 or 1024"
+#endif
+
+int crypto_kem_keypair(unsigned char *pk, unsigned char *sk);
+
+int crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk);
+
+int crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk);
+
+#endif
diff --git a/src/ringct20/common.c b/src/ringct20/common.c
new file mode 100644
index 0000000..0175384
--- /dev/null
+++ b/src/ringct20/common.c
@@ -0,0 +1,44 @@
+#include "common.h"
+
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+
+#if defined(_WIN32)
+#include <windows.h>
+#endif
+
+OQS_API void OQS_MEM_cleanse(void *ptr, size_t len) {
+#if defined(_WIN32)
+ SecureZeroMemory(ptr, len);
+#elif defined(HAVE_MEMSET_S)
+ if (0U < len && memset_s(ptr, (rsize_t) len, 0, (rsize_t) len) != 0) {
+ abort();
+ }
+#else
+ typedef void *(*memset_t)(void *, int, size_t);
+ static volatile memset_t memset_func = memset;
+ memset_func(ptr, 0, len);
+#endif
+}
+
+OQS_API void OQS_MEM_secure_free(void *ptr, size_t len) {
+ if (ptr != NULL) {
+ OQS_MEM_cleanse(ptr, len);
+ free(ptr); // IGNORE free-check
+ }
+}
+
+OQS_API void OQS_MEM_insecure_free(void *ptr) {
+ free(ptr); // IGNORE free-check
+}
+
+void BytePrint(unsigned char *bBuff, size_t len)
+{
+ size_t i = 0;
+ for (i = 0; i < len; i++)
+ {
+ printf("%02X", bBuff[i]);
+ }
+ printf("\n");
+}
diff --git a/src/ringct20/common.h b/src/ringct20/common.h
new file mode 100644
index 0000000..de3174e
--- /dev/null
+++ b/src/ringct20/common.h
@@ -0,0 +1,107 @@
+/**
+ * \file common.h
+ * \brief Utility functions for use in liboqs.
+ */
+
+#ifndef __OQS_COMMON_H
+#define __OQS_COMMON_H
+
+#include <stdint.h>
+#include <stdlib.h>
+
+
+
+/**
+ * Defines which functions should be exposed outside the LibOQS library
+ *
+ * By default the visibility of all the symbols is defined to "hidden"
+ * Only the library API should be marked as default
+ *
+ * Example: OQS_API return_value function_name(void);
+ */
+#if defined(_WIN32)
+#define OQS_API
+#else
+#define OQS_API __attribute__((visibility("default")))
+#endif
+
+/**
+ * Represents return values from functions.
+ *
+ * Callers should compare with the symbol rather than the individual value.
+ * For example,
+ *
+ * ret = OQS_KEM_encaps(...);
+ * if (ret == OQS_SUCCESS) { ... }
+ *
+ * rather than
+ *
+ * if (!OQS_KEM_encaps(...) { ... }
+ *
+ */
+typedef enum {
+ /** Used to indicate that some undefined error occurred. */
+ OQS_ERROR = -1,
+ /** Used to indicate successful return from function. */
+ OQS_SUCCESS = 0,
+ /** Used to indicate failures in external libraries (e.g., OpenSSL). */
+ OQS_EXTERNAL_LIB_ERROR_OPENSSL = 50,
+} OQS_STATUS;
+
+/**
+ * Zeros out `len` bytes of memory starting at `ptr`.
+ *
+ * Designed to be protected against optimizing compilers which try to remove "unnecessary"
+ * operations. Should be used for all buffers containing secret data.
+ *
+ * @param[in] ptr The start of the memory to zero out.
+ * @param[in] len The number of bytes to zero out.
+ */
+OQS_API void OQS_MEM_cleanse(void *ptr, size_t len);
+
+/**
+ * Zeros out `len` bytes of memory starting at `ptr`, then frees `ptr`.
+ *
+ * Can be called with `ptr = NULL`, in which case no operation is performed.
+ *
+ * Designed to be protected against optimizing compilers which try to remove "unnecessary"
+ * operations. Should be used for all buffers containing secret data.
+ *
+ * @param[in] ptr The start of the memory to zero out and free.
+ * @param[in] len The number of bytes to zero out.
+ */
+OQS_API void OQS_MEM_secure_free(void *ptr, size_t len);
+
+/**
+ * Frees `ptr`.
+ *
+ * Can be called with `ptr = NULL`, in which case no operation is performed.
+ *
+ * Should only be used on non-secret data.
+ *
+ * @param[in] ptr The start of the memory to free.
+ */
+OQS_API void OQS_MEM_insecure_free(void *ptr);
+
+/**
+*function: print bBuff array
+*@param[in] bBuff The array will be printed
+*@param[in] len the number of bytes
+*/
+void BytePrint(unsigned char *bBuff, size_t len);
+
+
+
+/**
+ * Macros that indicates a function argument may be unused. Used to comply with
+ * an API specification but when an implementation doesn't actually use the argument
+ * and we'd get a compiler warning otherwise.
+ */
+#if defined(_WIN32)
+#define UNUSED
+// __attribute__ not supported in VS
+#else
+#define UNUSED __attribute__((unused))
+#endif
+
+#endif // __OQS_COMMON_H
diff --git a/src/ringct20/cryptoConfig.h b/src/ringct20/cryptoConfig.h
new file mode 100644
index 0000000..d4157e6
--- /dev/null
+++ b/src/ringct20/cryptoConfig.h
@@ -0,0 +1,31 @@
+#ifndef _CRYPTOCONFIG_H
+#define _CRYPTOCONFIG_H
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+/******************************************************************************/
+typedef unsigned __int64 uint64;
+typedef unsigned long uint32;
+typedef unsigned char uint8;
+
+//rotate left(circular left shift) operation
+#define ROTL(value, bits) (((value) << (bits)) | ((value) >> (32-bits)))
+//rotate right(circular right shift) operation
+#define ROTR(value, bits) (((value) >> (bits)) | ((value) << (32-bits)))
+//right left operation
+#define SHL(value, bits) ((value) << (bits))
+//right shift operation
+#define SHR(value, bits) ((value) >> (bits))
+
+#define MAX(a, b) ((a) > (b)) ? (a) : (b)
+#define MIN(a, b) ((a) < (b)) ? (a) : (b)
+
+/******************************************************************************/
+
+
+#define USE_SHA256
+
+
+#endif/* _CRYPTOCONFIG_H */
\ No newline at end of file
diff --git a/src/ringct20/fips202.h b/src/ringct20/fips202.h
new file mode 100644
index 0000000..19f1fc1
--- /dev/null
+++ b/src/ringct20/fips202.h
@@ -0,0 +1,13 @@
+#ifndef FIPS202_H
+#define FIPS202_H
+
+#include <stdint.h>
+
+#define SHAKE128_RATE 168
+#define SHAKE256_RATE 136
+
+void shake128_absorb(uint64_t *s, const unsigned char *input, unsigned long long inputByteLen);
+void shake128_squeezeblocks(unsigned char *output, unsigned long long nblocks, uint64_t *s);
+void shake256(unsigned char *output, unsigned long long outputByteLen, const unsigned char *input, unsigned long long inputByteLen);
+
+#endif
diff --git a/src/ringct20/ntt.c b/src/ringct20/ntt.c
new file mode 100644
index 0000000..c96eb15
--- /dev/null
+++ b/src/ringct20/ntt.c
@@ -0,0 +1,204 @@
+#include "inttypes.h"
+#include "ntt.h"
+#include "params.h"
+#include "reduce.h"
+
+#if (NEWHOPE_N == 512)
+/************************************************************
+* Name: bitrev_table
+*
+* Description: Contains bit-reversed 9-bit indices to be used to re-order
+* polynomials before number theoratic transform
+************************************************************/
+static uint16_t bitrev_table[512] = {
+ 0, 256, 128, 384, 64, 320, 192, 448, 32, 288, 160, 416, 96, 352, 224, 480, 16, 272, 144, 400, 80, 336, 208, 464, 48, 304, 176, 432, 112, 368, 240, 496, 8,
+ 264, 136, 392, 72, 328, 200, 456, 40, 296, 168, 424, 104, 360, 232, 488, 24, 280, 152, 408, 88, 344, 216, 472, 56, 312, 184, 440, 120, 376, 248, 504, 4,
+ 260, 132, 388, 68, 324, 196, 452, 36, 292, 164, 420, 100, 356, 228, 484, 20, 276, 148, 404, 84, 340, 212, 468, 52, 308, 180, 436, 116, 372, 244, 500, 12,
+ 268, 140, 396, 76, 332, 204, 460, 44, 300, 172, 428, 108, 364, 236, 492, 28, 284, 156, 412, 92, 348, 220, 476, 60, 316, 188, 444, 124, 380, 252, 508, 2,
+ 258, 130, 386, 66, 322, 194, 450, 34, 290, 162, 418, 98, 354, 226, 482, 18, 274, 146, 402, 82, 338, 210, 466, 50, 306, 178, 434, 114, 370, 242, 498, 10,
+ 266, 138, 394, 74, 330, 202, 458, 42, 298, 170, 426, 106, 362, 234, 490, 26, 282, 154, 410, 90, 346, 218, 474, 58, 314, 186, 442, 122, 378, 250, 506, 6,
+ 262, 134, 390, 70, 326, 198, 454, 38, 294, 166, 422, 102, 358, 230, 486, 22, 278, 150, 406, 86, 342, 214, 470, 54, 310, 182, 438, 118, 374, 246, 502, 14,
+ 270, 142, 398, 78, 334, 206, 462, 46, 302, 174, 430, 110, 366, 238, 494, 30, 286, 158, 414, 94, 350, 222, 478, 62, 318, 190, 446, 126, 382, 254, 510, 1,
+ 257, 129, 385, 65, 321, 193, 449, 33, 289, 161, 417, 97, 353, 225, 481, 17, 273, 145, 401, 81, 337, 209, 465, 49, 305, 177, 433, 113, 369, 241, 497, 9,
+ 265, 137, 393, 73, 329, 201, 457, 41, 297, 169, 425, 105, 361, 233, 489, 25, 281, 153, 409, 89, 345, 217, 473, 57, 313, 185, 441, 121, 377, 249, 505, 5,
+ 261, 133, 389, 69, 325, 197, 453, 37, 293, 165, 421, 101, 357, 229, 485, 21, 277, 149, 405, 85, 341, 213, 469, 53, 309, 181, 437, 117, 373, 245, 501, 13,
+ 269, 141, 397, 77, 333, 205, 461, 45, 301, 173, 429, 109, 365, 237, 493, 29, 285, 157, 413, 93, 349, 221, 477, 61, 317, 189, 445, 125, 381, 253, 509, 3,
+ 259, 131, 387, 67, 323, 195, 451, 35, 291, 163, 419, 99, 355, 227, 483, 19, 275, 147, 403, 83, 339, 211, 467, 51, 307, 179, 435, 115, 371, 243, 499, 11,
+ 267, 139, 395, 75, 331, 203, 459, 43, 299, 171, 427, 107, 363, 235, 491, 27, 283, 155, 411, 91, 347, 219, 475, 59, 315, 187, 443, 123, 379, 251, 507, 7,
+ 263, 135, 391, 71, 327, 199, 455, 39, 295, 167, 423, 103, 359, 231, 487, 23, 279, 151, 407, 87, 343, 215, 471, 55, 311, 183, 439, 119, 375, 247, 503, 15,
+ 271, 143, 399, 79, 335, 207, 463, 47, 303, 175, 431, 111, 367, 239, 495, 31, 287, 159, 415, 95, 351, 223, 479, 63, 319, 191, 447, 127, 383, 255, 511};
+
+#elif (NEWHOPE_N == 1024)
+/************************************************************
+* Name: bitrev_table
+*
+* Description: Contains bit-reversed 10-bit indices to be used to re-order
+* polynomials before number theoratic transform
+************************************************************/
+static uint16_t bitrev_table[NEWHOPE_N] = {
+ 0, 512, 256, 768, 128, 640, 384, 896, 64, 576, 320, 832, 192, 704, 448, 960, 32, 544, 288, 800, 160, 672, 416, 928, 96, 608, 352, 864, 224, 736, 480, 992,
+ 16, 528, 272, 784, 144, 656, 400, 912, 80, 592, 336, 848, 208, 720, 464, 976, 48, 560, 304, 816, 176, 688, 432, 944, 112, 624, 368, 880, 240, 752, 496, 1008,
+ 8, 520, 264, 776, 136, 648, 392, 904, 72, 584, 328, 840, 200, 712, 456, 968, 40, 552, 296, 808, 168, 680, 424, 936, 104, 616, 360, 872, 232, 744, 488, 1000,
+ 24, 536, 280, 792, 152, 664, 408, 920, 88, 600, 344, 856, 216, 728, 472, 984, 56, 568, 312, 824, 184, 696, 440, 952, 120, 632, 376, 888, 248, 760, 504, 1016,
+ 4, 516, 260, 772, 132, 644, 388, 900, 68, 580, 324, 836, 196, 708, 452, 964, 36, 548, 292, 804, 164, 676, 420, 932, 100, 612, 356, 868, 228, 740, 484, 996,
+ 20, 532, 276, 788, 148, 660, 404, 916, 84, 596, 340, 852, 212, 724, 468, 980, 52, 564, 308, 820, 180, 692, 436, 948, 116, 628, 372, 884, 244, 756, 500, 1012,
+ 12, 524, 268, 780, 140, 652, 396, 908, 76, 588, 332, 844, 204, 716, 460, 972, 44, 556, 300, 812, 172, 684, 428, 940, 108, 620, 364, 876, 236, 748, 492, 1004,
+ 28, 540, 284, 796, 156, 668, 412, 924, 92, 604, 348, 860, 220, 732, 476, 988, 60, 572, 316, 828, 188, 700, 444, 956, 124, 636, 380, 892, 252, 764, 508, 1020,
+ 2, 514, 258, 770, 130, 642, 386, 898, 66, 578, 322, 834, 194, 706, 450, 962, 34, 546, 290, 802, 162, 674, 418, 930, 98, 610, 354, 866, 226, 738, 482, 994,
+ 18, 530, 274, 786, 146, 658, 402, 914, 82, 594, 338, 850, 210, 722, 466, 978, 50, 562, 306, 818, 178, 690, 434, 946, 114, 626, 370, 882, 242, 754, 498, 1010,
+ 10, 522, 266, 778, 138, 650, 394, 906, 74, 586, 330, 842, 202, 714, 458, 970, 42, 554, 298, 810, 170, 682, 426, 938, 106, 618, 362, 874, 234, 746, 490, 1002,
+ 26, 538, 282, 794, 154, 666, 410, 922, 90, 602, 346, 858, 218, 730, 474, 986, 58, 570, 314, 826, 186, 698, 442, 954, 122, 634, 378, 890, 250, 762, 506, 1018,
+ 6, 518, 262, 774, 134, 646, 390, 902, 70, 582, 326, 838, 198, 710, 454, 966, 38, 550, 294, 806, 166, 678, 422, 934, 102, 614, 358, 870, 230, 742, 486, 998,
+ 22, 534, 278, 790, 150, 662, 406, 918, 86, 598, 342, 854, 214, 726, 470, 982, 54, 566, 310, 822, 182, 694, 438, 950, 118, 630, 374, 886, 246, 758, 502, 1014,
+ 14, 526, 270, 782, 142, 654, 398, 910, 78, 590, 334, 846, 206, 718, 462, 974, 46, 558, 302, 814, 174, 686, 430, 942, 110, 622, 366, 878, 238, 750, 494, 1006,
+ 30, 542, 286, 798, 158, 670, 414, 926, 94, 606, 350, 862, 222, 734, 478, 990, 62, 574, 318, 830, 190, 702, 446, 958, 126, 638, 382, 894, 254, 766, 510, 1022,
+ 1, 513, 257, 769, 129, 641, 385, 897, 65, 577, 321, 833, 193, 705, 449, 961, 33, 545, 289, 801, 161, 673, 417, 929, 97, 609, 353, 865, 225, 737, 481, 993,
+ 17, 529, 273, 785, 145, 657, 401, 913, 81, 593, 337, 849, 209, 721, 465, 977, 49, 561, 305, 817, 177, 689, 433, 945, 113, 625, 369, 881, 241, 753, 497, 1009,
+ 9, 521, 265, 777, 137, 649, 393, 905, 73, 585, 329, 841, 201, 713, 457, 969, 41, 553, 297, 809, 169, 681, 425, 937, 105, 617, 361, 873, 233, 745, 489, 1001,
+ 25, 537, 281, 793, 153, 665, 409, 921, 89, 601, 345, 857, 217, 729, 473, 985, 57, 569, 313, 825, 185, 697, 441, 953, 121, 633, 377, 889, 249, 761, 505, 1017,
+ 5, 517, 261, 773, 133, 645, 389, 901, 69, 581, 325, 837, 197, 709, 453, 965, 37, 549, 293, 805, 165, 677, 421, 933, 101, 613, 357, 869, 229, 741, 485, 997,
+ 21, 533, 277, 789, 149, 661, 405, 917, 85, 597, 341, 853, 213, 725, 469, 981, 53, 565, 309, 821, 181, 693, 437, 949, 117, 629, 373, 885, 245, 757, 501, 1013,
+ 13, 525, 269, 781, 141, 653, 397, 909, 77, 589, 333, 845, 205, 717, 461, 973, 45, 557, 301, 813, 173, 685, 429, 941, 109, 621, 365, 877, 237, 749, 493, 1005,
+ 29, 541, 285, 797, 157, 669, 413, 925, 93, 605, 349, 861, 221, 733, 477, 989, 61, 573, 317, 829, 189, 701, 445, 957, 125, 637, 381, 893, 253, 765, 509, 1021,
+ 3, 515, 259, 771, 131, 643, 387, 899, 67, 579, 323, 835, 195, 707, 451, 963, 35, 547, 291, 803, 163, 675, 419, 931, 99, 611, 355, 867, 227, 739, 483, 995,
+ 19, 531, 275, 787, 147, 659, 403, 915, 83, 595, 339, 851, 211, 723, 467, 979, 51, 563, 307, 819, 179, 691, 435, 947, 115, 627, 371, 883, 243, 755, 499, 1011,
+ 11, 523, 267, 779, 139, 651, 395, 907, 75, 587, 331, 843, 203, 715, 459, 971, 43, 555, 299, 811, 171, 683, 427, 939, 107, 619, 363, 875, 235, 747, 491, 1003,
+ 27, 539, 283, 795, 155, 667, 411, 923, 91, 603, 347, 859, 219, 731, 475, 987, 59, 571, 315, 827, 187, 699, 443, 955, 123, 635, 379, 891, 251, 763, 507, 1019,
+ 7, 519, 263, 775, 135, 647, 391, 903, 71, 583, 327, 839, 199, 711, 455, 967, 39, 551, 295, 807, 167, 679, 423, 935, 103, 615, 359, 871, 231, 743, 487, 999,
+ 23, 535, 279, 791, 151, 663, 407, 919, 87, 599, 343, 855, 215, 727, 471, 983, 55, 567, 311, 823, 183, 695, 439, 951, 119, 631, 375, 887, 247, 759, 503, 1015,
+ 15, 527, 271, 783, 143, 655, 399, 911, 79, 591, 335, 847, 207, 719, 463, 975, 47, 559, 303, 815, 175, 687, 431, 943, 111, 623, 367, 879, 239, 751, 495, 1007,
+ 31, 543, 287, 799, 159, 671, 415, 927, 95, 607, 351, 863, 223, 735, 479, 991, 63, 575, 319, 831, 191, 703, 447, 959, 127, 639, 383, 895, 255, 767, 511, 1023};
+
+#else
+#error "NEWHOPE_N must be either 512 or 1024"
+#endif
+
+/*************************************************
+* Name: bitrev_vector
+*
+* Description: Permutes coefficients of a polynomial into bitreversed order
+*
+* Arguments: - uint16_t* poly_ringct20: pointer to in/output polynomial
+**************************************************/
+void bitrev_vector(uint16_t *poly_ringct20) {
+ unsigned int i, r;
+ uint16_t tmp;
+
+ for (i = 0; i < NEWHOPE_N; i++) {
+ r = bitrev_table[i];
+ if (i < r) {
+ tmp = poly_ringct20[i];
+ poly_ringct20[i] = poly_ringct20[r];
+ poly_ringct20[r] = tmp;
+ }
+ }
+}
+
+/*************************************************
+* Name: mul_coefficients
+*
+* Description: Performs pointwise (coefficient-wise) multiplication
+* of two polynomials
+* Arguments: - uint16_t* poly_ringct20: pointer to in/output polynomial
+* - const uint16_t* factors: pointer to input polynomial, coefficients
+* are assumed to be in Montgomery representation
+**************************************************/
+void mul_coefficients(uint16_t *poly_ringct20, const uint16_t *factors) {
+ unsigned int i;
+
+ for (i = 0; i < NEWHOPE_N; i++)
+ poly_ringct20[i] = montgomery_reduce_32_16((poly_ringct20[i] * factors[i]));
+}
+
+#if (NEWHOPE_N == 512)
+
+/*************************************************
+* Name: ntt_ringct20
+*
+* Description: Computes number-theoretic transform (ntt_ringct20) of
+* a polynomial in place; inputs assumed to be in
+* bitreversed order, output in normal order
+*
+* Arguments: - uint16_t * a: pointer to in/output polynomial
+* - const uint16_t* omega: pointer to input powers of root of unity omega;
+* assumed to be in Montgomery domain
+**************************************************/
+void ntt_ringct20(uint16_t *a, const uint16_t *omega) {
+ int i, start, j, jTwiddle, distance;
+ uint16_t temp, W;
+
+ for (i = 0; i < 9; i += 2) {
+ // Even level
+ distance = (1 << i);
+ for (start = 0; start < distance; start++) {
+ jTwiddle = 0;
+ for (j = start; j < NEWHOPE_N - 1; j += 2 * distance) {
+ W = omega[jTwiddle++];
+ temp = a[j];
+ a[j] = (temp + a[j + distance]); // Omit reduction (be lazy)
+ a[j + distance] = montgomery_reduce_32_16((W * ((uint32_t) temp + 3 * NEWHOPE_Q - a[j + distance])));
+ }
+ }
+ if (i + 1 < 9) {
+ // Odd level
+ distance <<= 1;
+ for (start = 0; start < distance; start++) {
+ jTwiddle = 0;
+ for (j = start; j < NEWHOPE_N - 1; j += 2 * distance) {
+ W = omega[jTwiddle++];
+ temp = a[j];
+ a[j] = (temp + a[j + distance]) % NEWHOPE_Q;
+ a[j + distance] = montgomery_reduce_32_16((W * ((uint32_t) temp + 3 * NEWHOPE_Q - a[j + distance])));
+ }
+ }
+ }
+ }
+}
+
+#elif (NEWHOPE_N == 1024)
+
+void /*************************************************
+* Name: ntt_ringct20
+*
+* Description: Computes number-theoretic transform (ntt_ringct20) of
+* a polynomial in place; inputs assumed to be in
+* bitreversed order, output in normal order
+*
+* Arguments: - uint16_t * a: pointer to in/output polynomial
+* - const uint16_t* omega: pointer to input powers of root of unity omega;
+* assumed to be in Montgomery domain
+**************************************************/
+ ntt_ringct20(uint16_t *a, const uint16_t *omega) {
+ int i, start, j, jTwiddle, distance;
+ uint16_t temp, W;
+
+ for (i = 0; i < 10; i += 2) {
+ // Even level
+ distance = (1 << i);
+ for (start = 0; start < distance; start++) {
+ jTwiddle = 0;
+ for (j = start; j < NEWHOPE_N - 1; j += 2 * distance) {
+ W = omega[jTwiddle++];
+ temp = a[j];
+ a[j] = (temp + a[j + distance]); // Omit reduction (be lazy)
+ a[j + distance] = montgomery_reduce_32_16((W * ((uint32_t) temp + 3 * NEWHOPE_Q - a[j + distance])));
+ }
+ }
+
+ // Odd level
+ distance <<= 1;
+ for (start = 0; start < distance; start++) {
+ jTwiddle = 0;
+ for (j = start; j < NEWHOPE_N - 1; j += 2 * distance) {
+ W = omega[jTwiddle++];
+ temp = a[j];
+ a[j] = (temp + a[j + distance]) % NEWHOPE_Q;
+ a[j + distance] = montgomery_reduce_32_16((W * ((uint32_t) temp + 3 * NEWHOPE_Q - a[j + distance])));
+ }
+ }
+ }
+}
+
+#else
+#error "NEWHOPE_N must be either 512 or 1024"
+#endif
diff --git a/src/ringct20/ntt.h b/src/ringct20/ntt.h
new file mode 100644
index 0000000..4054b2f
--- /dev/null
+++ b/src/ringct20/ntt.h
@@ -0,0 +1,18 @@
+#ifndef NTT_H
+#define NTT_H
+
+#include "inttypes.h"
+
+extern uint16_t omegas_bitrev_montgomery[];
+extern uint16_t omegas_inv_bitrev_montgomery[];
+
+extern uint16_t psis_bitrev_montgomery[];
+extern uint16_t psis_inv_montgomery[];
+
+void bitrev_vector(uint16_t *poly_ringct20);
+void mul_coefficients(uint16_t *poly_ringct20, const uint16_t *factors);
+void ntt_ringct20(uint16_t *poly_ringct20, const uint16_t *omegas);
+
+
+
+#endif
diff --git a/src/ringct20/optimized/api.h b/src/ringct20/optimized/api.h
new file mode 100644
index 0000000..e69de29
diff --git a/src/ringct20/optimized/cpapke.h b/src/ringct20/optimized/cpapke.h
new file mode 100644
index 0000000..f039be6
--- /dev/null
+++ b/src/ringct20/optimized/cpapke.h
@@ -0,0 +1,16 @@
+#ifndef INDCPA_H
+#define INDCPA_H
+
+void cpapke_keypair(unsigned char *pk,
+ unsigned char *sk);
+
+void cpapke_enc(unsigned char *c,
+ const unsigned char *m,
+ const unsigned char *pk,
+ const unsigned char *coins);
+
+void cpapke_dec(unsigned char *m,
+ const unsigned char *c,
+ const unsigned char *sk);
+
+#endif
diff --git a/src/ringct20/optimized/fips202.h b/src/ringct20/optimized/fips202.h
new file mode 100644
index 0000000..19f1fc1
--- /dev/null
+++ b/src/ringct20/optimized/fips202.h
@@ -0,0 +1,13 @@
+#ifndef FIPS202_H
+#define FIPS202_H
+
+#include <stdint.h>
+
+#define SHAKE128_RATE 168
+#define SHAKE256_RATE 136
+
+void shake128_absorb(uint64_t *s, const unsigned char *input, unsigned long long inputByteLen);
+void shake128_squeezeblocks(unsigned char *output, unsigned long long nblocks, uint64_t *s);
+void shake256(unsigned char *output, unsigned long long outputByteLen, const unsigned char *input, unsigned long long inputByteLen);
+
+#endif
diff --git a/src/ringct20/optimized/ntt.h b/src/ringct20/optimized/ntt.h
new file mode 100644
index 0000000..8e61004
--- /dev/null
+++ b/src/ringct20/optimized/ntt.h
@@ -0,0 +1,16 @@
+#ifndef NTT_H
+#define NTT_H
+
+#include "inttypes.h"
+
+extern uint16_t omegas_bitrev_montgomery[];
+extern uint16_t omegas_inv_bitrev_montgomery[];
+
+extern uint16_t psis_bitrev_montgomery[];
+extern uint16_t psis_inv_montgomery[];
+
+void bitrev_vector(uint16_t *poly_ringct20);
+void mul_coefficients(uint16_t *poly_ringct20, const uint16_t *factors);
+void ntt_ringct20(uint16_t *poly_ringct20, const uint16_t *omegas);
+
+#endif
diff --git a/src/ringct20/optimized/params.h b/src/ringct20/optimized/params.h
new file mode 100644
index 0000000..e83b249
--- /dev/null
+++ b/src/ringct20/optimized/params.h
@@ -0,0 +1,25 @@
+#ifndef PARAMS_H
+#define PARAMS_H
+
+#define NEWHOPE_Q 12289
+#define NEWHOPE_K 8 /* used in noise sampling */
+#define NEWHOPE_N 512/**/
+
+#define NEWHOPE_SYMBYTES 32 /* size of shared key, seeds/coins, and hashes */
+
+#define NEWHOPE_POLYBYTES ((14 * NEWHOPE_N) / 8)
+#define NEWHOPE_POLYCOMPRESSEDBYTES ((3 * NEWHOPE_N) / 8)
+
+#define NEWHOPE_CPAPKE_PUBLICKEYBYTES (NEWHOPE_POLYBYTES + NEWHOPE_SYMBYTES)
+#define NEWHOPE_CPAPKE_SECRETKEYBYTES (NEWHOPE_POLYBYTES)
+#define NEWHOPE_CPAPKE_CIPHERTEXTBYTES (NEWHOPE_POLYBYTES + NEWHOPE_POLYCOMPRESSEDBYTES)
+
+#define NEWHOPE_CPAKEM_PUBLICKEYBYTES NEWHOPE_CPAPKE_PUBLICKEYBYTES
+#define NEWHOPE_CPAKEM_SECRETKEYBYTES NEWHOPE_CPAPKE_SECRETKEYBYTES
+#define NEWHOPE_CPAKEM_CIPHERTEXTBYTES NEWHOPE_CPAPKE_CIPHERTEXTBYTES
+
+#define NEWHOPE_CCAKEM_PUBLICKEYBYTES NEWHOPE_CPAPKE_PUBLICKEYBYTES
+#define NEWHOPE_CCAKEM_SECRETKEYBYTES (NEWHOPE_CPAPKE_SECRETKEYBYTES + NEWHOPE_CPAPKE_PUBLICKEYBYTES + 2 * NEWHOPE_SYMBYTES)
+#define NEWHOPE_CCAKEM_CIPHERTEXTBYTES (NEWHOPE_CPAPKE_CIPHERTEXTBYTES + NEWHOPE_SYMBYTES) /* Second part is for Targhi-Unruh */
+
+#endif
diff --git a/src/ringct20/optimized/poly.h b/src/ringct20/optimized/poly.h
new file mode 100644
index 0000000..68298e7
--- /dev/null
+++ b/src/ringct20/optimized/poly.h
@@ -0,0 +1,38 @@
+#ifndef POLY_H
+#define POLY_H
+
+#include <stdint.h>
+#include "params.h"
+
+/*
+ * Elements of R_q = Z_q[X]/(X^n + 1). Represents polynomial
+ * coeffs[0] + X*coeffs[1] + X^2*xoeffs[2] + ... + X^{n-1}*coeffs[n-1]
+ */
+typedef struct {
+ uint16_t coeffs[NEWHOPE_N];
+} poly_ringct20
+
+#if !defined(_WIN32)
+ __attribute__((aligned(32)));
+#else
+ ;
+#endif
+
+void poly_uniform_ringct20(poly_ringct20 *a, const unsigned char *seed);
+void poly_sample(poly_ringct20 *r, const unsigned char *seed, unsigned char nonce);
+void poly_add_ringct20(poly_ringct20 *r, const poly_ringct20 *a, const poly_ringct20 *b);
+
+void poly_ntt_ringct20(poly_ringct20 *r);
+void poly_invntt(poly_ringct20 *r);
+void poly_mul_pointwise(poly_ringct20 *r, const poly_ringct20 *a, const poly_ringct20 *b);
+
+void poly_frombytes(poly_ringct20 *r, const unsigned char *a);
+void poly_tobytes(unsigned char *r, const poly_ringct20 *p);
+void poly_compress(unsigned char *r, const poly_ringct20 *p);
+void poly_decompress(poly_ringct20 *r, const unsigned char *a);
+
+void poly_frommsg(poly_ringct20 *r, const unsigned char *msg);
+void poly_tomsg(unsigned char *msg, const poly_ringct20 *x);
+void poly_sub_ringct20(poly_ringct20 *r, const poly_ringct20 *a, const poly_ringct20 *b);
+
+#endif
diff --git a/src/ringct20/optimized/reduce.h b/src/ringct20/optimized/reduce.h
new file mode 100644
index 0000000..6f716e3
--- /dev/null
+++ b/src/ringct20/optimized/reduce.h
@@ -0,0 +1,8 @@
+#ifndef REDUCE_H
+#define REDUCE_H
+
+#include <stdint.h>
+
+uint16_t montgomery_reduce_32_16(uint32_t a);
+
+#endif
diff --git a/src/ringct20/optimized/verify.h b/src/ringct20/optimized/verify.h
new file mode 100644
index 0000000..007eaa3
--- /dev/null
+++ b/src/ringct20/optimized/verify.h
@@ -0,0 +1,12 @@
+#ifndef VERIFY_H
+#define VERIFY_H
+
+#include <stdio.h>
+
+/* returns 0 for equal strings, 1 for non-equal strings */
+int verify_ringct20(const unsigned char *a, const unsigned char *b, size_t len);
+
+/* b = 1 means mov, b = 0 means don't mov*/
+void cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b);
+
+#endif
diff --git a/src/ringct20/oqs.h b/src/ringct20/oqs.h
new file mode 100644
index 0000000..fc0a3dc
--- /dev/null
+++ b/src/ringct20/oqs.h
@@ -0,0 +1,18 @@
+/**
+ * \file oqs.h
+ * \brief Overall header file for liboqs.
+ *
+ * C programs using liboqs can include just this one file, and it will include all
+ * other necessary headers from liboqs.
+ */
+
+#ifndef __OQS_H
+#define __OQS_H
+
+#include "common.h"
+#include "aes.h"
+#include "sha3.h"
+#include "rand.h"
+
+
+#endif // __OQS_H
diff --git a/src/ringct20/params.h b/src/ringct20/params.h
new file mode 100644
index 0000000..d3be8c6
--- /dev/null
+++ b/src/ringct20/params.h
@@ -0,0 +1,26 @@
+#ifndef PARAMS_H
+#define PARAMS_H
+
+#define NEWHOPE_Q 12289
+#define NEWHOPE_2Q 24578
+#define NEWHOPE_K 8 /* used in noise sampling */
+#define NEWHOPE_N 512
+
+#define NEWHOPE_SYMBYTES 32 /* size of shared key, seeds/coins, and hashes */
+
+#define NEWHOPE_POLYBYTES ((14 * NEWHOPE_N) / 8)
+#define NEWHOPE_POLYCOMPRESSEDBYTES ((3 * NEWHOPE_N) / 8)
+
+#define NEWHOPE_CPAPKE_PUBLICKEYBYTES (NEWHOPE_POLYBYTES + NEWHOPE_SYMBYTES)
+#define NEWHOPE_CPAPKE_SECRETKEYBYTES (NEWHOPE_POLYBYTES)
+#define NEWHOPE_CPAPKE_CIPHERTEXTBYTES (NEWHOPE_POLYBYTES + NEWHOPE_POLYCOMPRESSEDBYTES)
+
+#define NEWHOPE_CPAKEM_PUBLICKEYBYTES NEWHOPE_CPAPKE_PUBLICKEYBYTES
+#define NEWHOPE_CPAKEM_SECRETKEYBYTES NEWHOPE_CPAPKE_SECRETKEYBYTES
+#define NEWHOPE_CPAKEM_CIPHERTEXTBYTES NEWHOPE_CPAPKE_CIPHERTEXTBYTES
+
+#define NEWHOPE_CCAKEM_PUBLICKEYBYTES NEWHOPE_CPAPKE_PUBLICKEYBYTES
+#define NEWHOPE_CCAKEM_SECRETKEYBYTES (NEWHOPE_CPAPKE_SECRETKEYBYTES + NEWHOPE_CPAPKE_PUBLICKEYBYTES + 2 * NEWHOPE_SYMBYTES)
+#define NEWHOPE_CCAKEM_CIPHERTEXTBYTES (NEWHOPE_CPAPKE_CIPHERTEXTBYTES + NEWHOPE_SYMBYTES) /* Second part is for Targhi-Unruh */
+
+#endif
diff --git a/src/ringct20/poly.c b/src/ringct20/poly.c
new file mode 100644
index 0000000..d954590
--- /dev/null
+++ b/src/ringct20/poly.c
@@ -0,0 +1,476 @@
+#include "poly.h"
+#include "ntt.h"
+#include "reduce.h"
+
+#include "sha3.h"
+
+
+void poly_init(poly_ringct20 *r)
+{
+ size_t i;
+ for ( i = 0; i < NEWHOPE_N; i++)
+ {
+ r->coeffs[i] = 0;
+ }
+}
+void poly_setValue(poly_ringct20 *r, uint16_t v)
+{
+ size_t i;
+ for (i = 0; i < NEWHOPE_N; i++)
+ {
+ r->coeffs[i] = v;
+ }
+}
+/*************************************************
+* Name: coeff_freeze
+*
+* Description: Fully reduces an integer modulo q in constant time
+*
+* Arguments: uint16_t x: input integer to be reduced
+*
+* Returns integer in {0,...,q-1} congruent to x modulo q
+**************************************************/
+ uint16_t coeff_freeze(uint16_t x) {
+ uint16_t m, r;
+ int16_t c;
+ r = x % NEWHOPE_Q;
+
+ m = r - NEWHOPE_Q;
+ c = m;
+ c >>= 15;
+ r = m ^ ((r ^ m) & c);
+
+ return r;
+}
+ uint16_t coeff_freeze2Q(uint16_t x)
+ {
+ uint16_t m, r;
+ int16_t c;
+ r = x % NEWHOPE_2Q;
+
+ m = r - NEWHOPE_2Q;
+ c = m;
+ c >>= 15;
+ r = m ^ ((r ^ m) & c);
+
+ return r;
+ }
+
+/*************************************************
+* Name: flipabs
+*
+* Description: Computes |(x mod q) - Q/2|
+*
+* Arguments: uint16_t x: input coefficient
+*
+* Returns |(x mod q) - Q/2|
+**************************************************/
+static uint16_t flipabs(uint16_t x) {
+ int16_t r, m;
+ r = coeff_freeze(x);
+
+ r = r - NEWHOPE_Q / 2;
+ m = r >> 15;
+ return (r + m) ^ m;
+}
+
+/*************************************************
+* Name: poly_frombytes
+*
+* Description: De-serialization of a polynomial
+*
+* Arguments: - poly_ringct20 *r: pointer to output polynomial
+* - const unsigned char *a: pointer to input byte array
+**************************************************/
+void poly_frombytes(poly_ringct20 *r, const unsigned char *a) {
+ int i;
+ for (i = 0; i < NEWHOPE_N / 4; i++) {
+ r->coeffs[4 * i + 0] = a[7 * i + 0] | (((uint16_t) a[7 * i + 1] & 0x3f) << 8);
+ r->coeffs[4 * i + 1] = (a[7 * i + 1] >> 6) | (((uint16_t) a[7 * i + 2]) << 2) | (((uint16_t) a[7 * i + 3] & 0x0f) << 10);
+ r->coeffs[4 * i + 2] = (a[7 * i + 3] >> 4) | (((uint16_t) a[7 * i + 4]) << 4) | (((uint16_t) a[7 * i + 5] & 0x03) << 12);
+ r->coeffs[4 * i + 3] = (a[7 * i + 5] >> 2) | (((uint16_t) a[7 * i + 6]) << 6);
+ }
+}
+
+/*************************************************
+* Name: poly_tobytes
+*
+* Description: Serialization of a polynomial
+*
+* Arguments: - unsigned char *r: pointer to output byte array
+* - const poly_ringct20 *p: pointer to input polynomial
+**************************************************/
+void poly_tobytes(unsigned char *r, const poly_ringct20 *p) {
+ int i;
+ uint16_t t0, t1, t2, t3;
+ for (i = 0; i < NEWHOPE_N / 4; i++) {
+ t0 = coeff_freeze(p->coeffs[4 * i + 0]);
+ t1 = coeff_freeze(p->coeffs[4 * i + 1]);
+ t2 = coeff_freeze(p->coeffs[4 * i + 2]);
+ t3 = coeff_freeze(p->coeffs[4 * i + 3]);
+
+ r[7 * i + 0] = t0 & 0xff;
+ r[7 * i + 1] = (t0 >> 8) | (t1 << 6);
+ r[7 * i + 2] = (t1 >> 2);
+ r[7 * i + 3] = (t1 >> 10) | (t2 << 4);
+ r[7 * i + 4] = (t2 >> 4);
+ r[7 * i + 5] = (t2 >> 12) | (t3 << 2);
+ r[7 * i + 6] = (t3 >> 6);
+ }
+}
+
+/*************************************************
+* Name: poly_compress
+*
+* Description: Compression and subsequent serialization of a polynomial
+*
+* Arguments: - unsigned char *r: pointer to output byte array
+* - const poly_ringct20 *p: pointer to input polynomial
+**************************************************/
+void poly_compress(unsigned char *r, const poly_ringct20 *p) {
+ unsigned int i, j, k = 0;
+
+ uint32_t t[8];
+
+ for (i = 0; i < NEWHOPE_N; i += 8) {
+ for (j = 0; j < 8; j++) {
+ t[j] = coeff_freeze(p->coeffs[i + j]);
+ t[j] = (((t[j] << 3) + NEWHOPE_Q / 2) / NEWHOPE_Q) & 0x7;
+ }
+
+ r[k] = t[0] | (t[1] << 3) | (t[2] << 6);
+ r[k + 1] = (t[2] >> 2) | (t[3] << 1) | (t[4] << 4) | (t[5] << 7);
+ r[k + 2] = (t[5] >> 1) | (t[6] << 2) | (t[7] << 5);
+ k += 3;
+ }
+}
+
+/*************************************************
+* Name: poly_decompress
+*
+* Description: De-serialization and subsequent decompression of a polynomial;
+* approximate inverse of poly_compress
+*
+* Arguments: - poly_ringct20 *r: pointer to output polynomial
+* - const unsigned char *a: pointer to input byte array
+**************************************************/
+void poly_decompress(poly_ringct20 *r, const unsigned char *a) {
+ unsigned int i, j;
+ for (i = 0; i < NEWHOPE_N; i += 8) {
+ r->coeffs[i + 0] = a[0] & 7;
+ r->coeffs[i + 1] = (a[0] >> 3) & 7;
+ r->coeffs[i + 2] = (a[0] >> 6) | ((a[1] << 2) & 4);
+ r->coeffs[i + 3] = (a[1] >> 1) & 7;
+ r->coeffs[i + 4] = (a[1] >> 4) & 7;
+ r->coeffs[i + 5] = (a[1] >> 7) | ((a[2] << 1) & 6);
+ r->coeffs[i + 6] = (a[2] >> 2) & 7;
+ r->coeffs[i + 7] = (a[2] >> 5);
+ a += 3;
+ for (j = 0; j < 8; j++)
+ r->coeffs[i + j] = ((uint32_t) r->coeffs[i + j] * NEWHOPE_Q + 4) >> 3;
+ }
+}
+
+/*************************************************
+* Name: poly_frommsg
+*
+* Description: Convert 32-byte message to polynomial
+*
+* Arguments: - poly_ringct20 *r: pointer to output polynomial
+* - const unsigned char *msg: pointer to input message
+**************************************************/
+void poly_frommsg(poly_ringct20 *r, const unsigned char *msg) {
+ unsigned int i, j, mask;
+ for (i = 0; i < 32; i++) // XXX: MACRO for 32
+ {
+ for (j = 0; j < 8; j++) {
+ mask = -((msg[i] >> j) & 1);
+ r->coeffs[8 * i + j + 0] = mask & (NEWHOPE_Q / 2);
+ r->coeffs[8 * i + j + 256] = mask & (NEWHOPE_Q / 2);
+#if (NEWHOPE_N == 1024)
+ r->coeffs[8 * i + j + 512] = mask & (NEWHOPE_Q / 2);
+ r->coeffs[8 * i + j + 768] = mask & (NEWHOPE_Q / 2);
+#endif
+ }
+ }
+}
+
+/*************************************************
+* Name: poly_tomsg
+*
+* Description: Convert polynomial to 32-byte message
+*
+* Arguments: - unsigned char *msg: pointer to output message
+* - const poly_ringct20 *x: pointer to input polynomial
+**************************************************/
+void poly_tomsg(unsigned char *msg, const poly_ringct20 *x) {
+ unsigned int i;
+ uint16_t t;
+
+ for (i = 0; i < 32; i++)
+ msg[i] = 0;
+
+ for (i = 0; i < 256; i++) {
+ t = flipabs(x->coeffs[i + 0]);
+ t += flipabs(x->coeffs[i + 256]);
+#if (NEWHOPE_N == 1024)
+ t += flipabs(x->coeffs[i + 512]);
+ t += flipabs(x->coeffs[i + 768]);
+ t = ((t - NEWHOPE_Q));
+#else
+ t = ((t - NEWHOPE_Q / 2));
+#endif
+
+ t >>= 15;
+ msg[i >> 3] |= t << (i & 7);
+ }
+}
+
+/*************************************************
+* Name: poly_uniform_ringct20
+*
+* Description: Sample a polynomial deterministically from a seed,
+* with output polynomial looking uniformly random
+*
+* Arguments: - poly_ringct20 *a: pointer to output polynomial
+* - const unsigned char *seed: pointer to input seed
+**************************************************/
+void poly_uniform_ringct20(poly_ringct20 *a, const unsigned char *seed) {
+ unsigned int ctr = 0;
+ uint16_t val;
+ uint64_t state[OQS_SHA3_STATESIZE];
+ uint8_t buf[OQS_SHA3_CSHAKE128_RATE];
+ uint8_t extseed[NEWHOPE_SYMBYTES + 1];
+ int i, j, k;
+
+ for (i = 0; i < NEWHOPE_SYMBYTES; i++)
+ extseed[i] = seed[i];
+
+ for (i = 0; i < OQS_SHA3_STATESIZE; ++i)
+ state[i] = 0;
+
+ for (i = 0; i < NEWHOPE_N / 64; i++) /* generate a in blocks of 64 coefficients */
+ {
+ ctr = 0;
+ extseed[NEWHOPE_SYMBYTES] = i; /* domain-separate the 16 independent calls */
+ for (k = 0; k < OQS_SHA3_STATESIZE; ++k)
+ state[k] = 0;
+ OQS_SHA3_shake128_absorb(state, extseed, NEWHOPE_SYMBYTES + 1);
+ while (ctr < 64) /* Very unlikely to run more than once */
+ {
+ OQS_SHA3_shake128_squeezeblocks(buf, 1, state);
+ for (j = 0; j < OQS_SHA3_CSHAKE128_RATE && ctr < 64; j += 2) {
+ val = (buf[j] | ((uint16_t) buf[j + 1] << 8));
+ if (val < 5 * NEWHOPE_Q) {
+ a->coeffs[i * 64 + ctr] = val;
+ ctr++;
+ }
+ }
+ }
+ }
+}
+
+/*************************************************
+* Name: hw
+*
+* Description: Compute the Hamming weight of a byte
+*
+* Arguments: - unsigned char a: input byte
+**************************************************/
+static unsigned char hw(unsigned char a) {
+ unsigned char i, r = 0;
+ for (i = 0; i < 8; i++)
+ r += (a >> i) & 1;
+ return r;
+}
+
+/*************************************************
+* Name: poly_sample
+*
+* Description: Sample a polynomial deterministically from a seed and a nonce,
+* with output polynomial close to centered binomial distribution
+* with parameter k=8
+*
+* Arguments: - poly_ringct20 *r: pointer to output polynomial
+* - const unsigned char *seed: pointer to input seed
+* - unsigned char nonce: one-byte input nonce
+**************************************************/
+void poly_sample(poly_ringct20 *r, const unsigned char *seed, unsigned char nonce) {
+#if NEWHOPE_K != 8
+#error "poly_sample in poly_ringct20.c only supports k=8"
+#endif
+ unsigned char buf[128], a, b;
+ // uint32_t t, d, a, b, c;
+ int i, j;
+
+ unsigned char extseed[NEWHOPE_SYMBYTES + 2];
+
+ for (i = 0; i < NEWHOPE_SYMBYTES; i++)
+ extseed[i] = seed[i];
+ extseed[NEWHOPE_SYMBYTES] = nonce;
+
+ for (i = 0; i < NEWHOPE_N / 64; i++) /* Generate noise in blocks of 64 coefficients */
+ {
+ extseed[NEWHOPE_SYMBYTES + 1] = i;
+ OQS_SHA3_shake256(buf, 128, extseed, NEWHOPE_SYMBYTES + 2);
+ for (j = 0; j < 64; j++) {
+ a = buf[2 * j];
+ b = buf[2 * j + 1];
+ r->coeffs[64 * i + j] = hw(a) + NEWHOPE_Q - hw(b);
+ }
+ }
+}
+
+/*************************************************
+* Name: poly_pointwise
+*
+* Description: Multiply two polynomials pointwise (i.e., coefficient-wise).
+*
+* Arguments: - poly_ringct20 *r: pointer to output polynomial
+* - const poly_ringct20 *a: pointer to first input polynomial
+* - const poly_ringct20 *b: pointer to second input polynomial
+**************************************************/
+void poly_mul_pointwise(poly_ringct20 *r, const poly_ringct20 *a, const poly_ringct20 *b) {
+ int i;
+ uint16_t t;
+
+ for (i = 0; i < NEWHOPE_N; i++) {
+ t = montgomery_reduce_32_16(3186 * b->coeffs[i]); /* t is now in Montgomery domain */
+ r->coeffs[i] = montgomery_reduce_32_16(a->coeffs[i] * t); /* r->coeffs[i] is back in normal domain */
+ }
+
+}
+
+/*************************************************
+* Name: poly_add_ringct20
+*
+* Description: Add two polynomials
+*
+* Arguments: - poly_ringct20 *r: pointer to output polynomial
+* - const poly_ringct20 *a: pointer to first input polynomial
+* - const poly_ringct20 *b: pointer to second input polynomial
+**************************************************/
+void poly_add_ringct20(poly_ringct20 *r, const poly_ringct20 *a, const poly_ringct20 *b) {
+ int i;
+ for (i = 0; i < NEWHOPE_N; i++)
+ r->coeffs[i] = (a->coeffs[i] + b->coeffs[i]) % NEWHOPE_Q;
+}
+
+/*************************************************
+* Name: poly_sub_ringct20
+*
+* Description: Subtract two polynomials
+*
+* Arguments: - poly_ringct20 *r: pointer to output polynomial
+* - const poly_ringct20 *a: pointer to first input polynomial
+* - const poly_ringct20 *b: pointer to second input polynomial
+**************************************************/
+void poly_sub_ringct20(poly_ringct20 *r, const poly_ringct20 *a, const poly_ringct20 *b) {
+ int i;
+ for (i = 0; i < NEWHOPE_N; i++)
+ r->coeffs[i] = (a->coeffs[i] + 3 * NEWHOPE_Q - b->coeffs[i]) % NEWHOPE_Q;
+}
+
+/*************************************************
+* Name: poly_ntt_ringct20
+*
+* Description: Forward ntt_ringct20 transform of a polynomial in place
+* Input is assumed to have coefficients in bitreversed order
+* Output has coefficients in normal order
+*
+* Arguments: - poly_ringct20 *r: pointer to in/output polynomial
+**************************************************/
+void poly_ntt_ringct20(poly_ringct20 *r) {
+ bitrev_vector(r->coeffs);//////
+ mul_coefficients(r->coeffs, psis_bitrev_montgomery);
+ //bitrev_vector(r->coeffs);//////
+ ntt_ringct20((uint16_t *) r->coeffs, omegas_bitrev_montgomery);
+}
+
+/*************************************************
+* Name: poly_invntt
+*
+* Description: Inverse ntt_ringct20 transform of a polynomial in place
+* Input is assumed to have coefficients in normal order
+* Output has coefficients in normal order
+*
+* Arguments: - poly_ringct20 *r: pointer to in/output polynomial
+**************************************************/
+void poly_invntt(poly_ringct20 *r) {
+ bitrev_vector(r->coeffs);
+ ntt_ringct20((uint16_t *) r->coeffs, omegas_inv_bitrev_montgomery);
+ mul_coefficients(r->coeffs, psis_inv_montgomery);
+}
+
+/**
+* Name:
+* Description: print poly_ringct20
+
+*/
+void poly_print(const poly_ringct20 *r)
+{
+ size_t i = 0;
+ for ( i = 0; i < NEWHOPE_N; i++)
+ {
+ printf("%04X", r->coeffs[i]);
+ }
+ printf("\n");
+}
+
+void poly_serial(poly_ringct20 *r)
+{
+ size_t i;
+ for ( i = 0; i < NEWHOPE_N; i++)
+ {
+ r->coeffs[i] = coeff_freeze(r->coeffs[i]);
+ }
+}
+void poly_cofcopy(poly_ringct20 *des, poly_ringct20 *sour)
+{
+ size_t i;
+ for ( i = 0; i < NEWHOPE_N; i++)
+ {
+ des->coeffs[i] = sour->coeffs[i];
+ }
+}
+
+void poly_copy(poly_ringct20 *des, poly_ringct20 *sou, size_t mLen)
+{
+ size_t i;
+ for ( i = 0; i < mLen; i++)
+ {
+ poly_cofcopy(des + i, sou + i);
+ }
+}
+int poly_equal(const poly_ringct20 *a, const poly_ringct20 *b)
+{
+ size_t i;
+ for ( i = 0; i < NEWHOPE_N; i++)
+ {
+ if (a->coeffs[i] != b->coeffs[i])
+ {
+ return 0;
+ }
+ }
+ return 1;
+}
+
+void poly_constmul(poly_ringct20 *r, const poly_ringct20 *a, uint16_t cof)
+{
+ size_t i;
+ uint32_t tmp = 0;
+ for (i = 0; i < NEWHOPE_N; i++)
+ {
+ tmp = cof * a->coeffs[i];
+ r->coeffs[i] = tmp%NEWHOPE_2Q;
+ }
+}
+//shift
+void poly_shift(poly_ringct20 *des, const poly_ringct20 *r, int iNumber)
+{
+ poly_ringct20 tmp;
+ poly_init(&tmp);
+ tmp.coeffs[iNumber] = 1;
+ poly_ntt_ringct20(&tmp);
+ poly_mul_pointwise(des, r, &tmp);
+}
diff --git a/src/ringct20/poly.h b/src/ringct20/poly.h
new file mode 100644
index 0000000..0073b29
--- /dev/null
+++ b/src/ringct20/poly.h
@@ -0,0 +1,50 @@
+#ifndef POLY_H
+#define POLY_H
+
+#include <stdint.h>
+#include "params.h"
+
+/*
+ * Elements of R_q = Z_q[X]/(X^n + 1). Represents polynomial
+ * coeffs[0] + X*coeffs[1] + X^2*xoeffs[2] + ... + X^{n-1}*coeffs[n-1]
+ */
+typedef struct {
+ uint16_t coeffs[NEWHOPE_N];
+} poly_ringct20
+
+#if !defined(_WIN32)
+ __attribute__((aligned(32)));
+#else
+ ;
+#endif
+
+uint16_t coeff_freeze(uint16_t x);
+uint16_t coeff_freeze2Q(uint16_t x);
+void poly_init(poly_ringct20 *r);
+void poly_setValue(poly_ringct20 *r, uint16_t v);
+void poly_uniform_ringct20(poly_ringct20 *a, const unsigned char *seed);
+void poly_sample(poly_ringct20 *r, const unsigned char *seed, unsigned char nonce);
+void poly_add_ringct20(poly_ringct20 *r, const poly_ringct20 *a, const poly_ringct20 *b);
+
+void poly_ntt_ringct20(poly_ringct20 *r);
+void poly_invntt(poly_ringct20 *r);
+void poly_mul_pointwise(poly_ringct20 *r, const poly_ringct20 *a, const poly_ringct20 *b);
+
+void poly_frombytes(poly_ringct20 *r, const unsigned char *a);
+void poly_tobytes(unsigned char *r, const poly_ringct20 *p);
+void poly_compress(unsigned char *r, const poly_ringct20 *p);
+void poly_decompress(poly_ringct20 *r, const unsigned char *a);
+
+void poly_frommsg(poly_ringct20 *r, const unsigned char *msg);
+void poly_tomsg(unsigned char *msg, const poly_ringct20 *x);
+void poly_sub_ringct20(poly_ringct20 *r, const poly_ringct20 *a, const poly_ringct20 *b);
+
+void poly_print(const poly_ringct20 *r);
+int poly_equal(const poly_ringct20 *a, const poly_ringct20 *b);
+//
+void poly_constmul(poly_ringct20 *r, const poly_ringct20 *a, uint16_t cof);
+void poly_serial(poly_ringct20 *r);
+void poly_cofcopy(poly_ringct20 *des, poly_ringct20 *sour);
+void poly_copy(poly_ringct20 *des, poly_ringct20 *sour, size_t mLen);
+void poly_shift(poly_ringct20 *des, const poly_ringct20 *r, int iNumber);
+#endif
diff --git a/src/ringct20/precomp.c b/src/ringct20/precomp.c
new file mode 100644
index 0000000..d571ba3
--- /dev/null
+++ b/src/ringct20/precomp.c
@@ -0,0 +1,436 @@
+#include "inttypes.h"
+#include "ntt.h"
+#include "params.h"
+
+/* Precomputed ntt_ringct20 contants generated by Pari/GP script as follows:
+ *
+ * For n = 512:
+ *
+ * brv = [0,256,128,384,64,320,192,448,32,288,160,416,96,352,224,480,16,272,144,400,80,336,208,464,48,304,176,432,112,368,240,496,8,
+ * 264,136,392,72,328,200,456,40,296,168,424,104,360,232,488,24,280,152,408,88,344,216,472,56,312,184,440,120,376,248,504,4,
+ * 260,132,388,68,324,196,452,36,292,164,420,100,356,228,484,20,276,148,404,84,340,212,468,52,308,180,436,116,372,244,500,12,
+ * 268,140,396,76,332,204,460,44,300,172,428,108,364,236,492,28,284,156,412,92,348,220,476,60,316,188,444,124,380,252,508,2,
+ * 258,130,386,66,322,194,450,34,290,162,418,98,354,226,482,18,274,146,402,82,338,210,466,50,306,178,434,114,370,242,498,10,
+ * 266,138,394,74,330,202,458,42,298,170,426,106,362,234,490,26,282,154,410,90,346,218,474,58,314,186,442,122,378,250,506,6,
+ * 262,134,390,70,326,198,454,38,294,166,422,102,358,230,486,22,278,150,406,86,342,214,470,54,310,182,438,118,374,246,502,14,
+ * 270,142,398,78,334,206,462,46,302,174,430,110,366,238,494,30,286,158,414,94,350,222,478,62,318,190,446,126,382,254,510,1,
+ * 257,129,385,65,321,193,449,33,289,161,417,97,353,225,481,17,273,145,401,81,337,209,465,49,305,177,433,113,369,241,497,9,
+ * 265,137,393,73,329,201,457,41,297,169,425,105,361,233,489,25,281,153,409,89,345,217,473,57,313,185,441,121,377,249,505,5,
+ * 261,133,389,69,325,197,453,37,293,165,421,101,357,229,485,21,277,149,405,85,341,213,469,53,309,181,437,117,373,245,501,13,
+ * 269,141,397,77,333,205,461,45,301,173,429,109,365,237,493,29,285,157,413,93,349,221,477,61,317,189,445,125,381,253,509,3,
+ * 259,131,387,67,323,195,451,35,291,163,419,99,355,227,483,19,275,147,403,83,339,211,467,51,307,179,435,115,371,243,499,11,
+ * 267,139,395,75,331,203,459,43,299,171,427,107,363,235,491,27,283,155,411,91,347,219,475,59,315,187,443,123,379,251,507,7,
+ * 263,135,391,71,327,199,455,39,295,167,423,103,359,231,487,23,279,151,407,87,343,215,471,55,311,183,439,119,375,247,503,15,
+ * 271,143,399,79,335,207,463,47,303,175,431,111,367,239,495,31,287,159,415,95,351,223,479,63,319,191,447,127,383,255,511
+ * n = 1024; q = 12289; mont=2^18
+ * g=0; for(i=2,q-1,if(znorder(Mod(i,q)) == 2*n, g=Mod(i,q); break))
+ * omegas_bitrev_montgomery = lift(vector(n/2, i, g^(brv[i])*mont))
+ * omegas_inv_bitrev_montgomery = lift(vector(n/2, i, (g^2)^(-brv[2*(i-1)+1])*mont))
+ * psis_bitrev_montgomery = lift(vector(n, i, g^(brv[i])*mont))
+ * psis_inv_montgomery = lift(vector(n, i, g^(-(i-1))/n*mont))
+ *
+ *
+ * For n = 1024:
+ *
+ * brv = [0,512,256,768,128,640,384,896,64,576,320,832,192,704,448,960,32,544,288,800,160,672,416,928,96,608,352,864,224,736,480,992, \
+ * 16,528,272,784,144,656,400,912,80,592,336,848,208,720,464,976,48,560,304,816,176,688,432,944,112,624,368,880,240,752,496,1008, \
+ * 8,520,264,776,136,648,392,904,72,584,328,840,200,712,456,968,40,552,296,808,168,680,424,936,104,616,360,872,232,744,488,1000, \
+ * 24,536,280,792,152,664,408,920,88,600,344,856,216,728,472,984,56,568,312,824,184,696,440,952,120,632,376,888,248,760,504,1016, \
+ * 4,516,260,772,132,644,388,900,68,580,324,836,196,708,452,964,36,548,292,804,164,676,420,932,100,612,356,868,228,740,484,996, \
+ * 20,532,276,788,148,660,404,916,84,596,340,852,212,724,468,980,52,564,308,820,180,692,436,948,116,628,372,884,244,756,500,1012, \
+ * 12,524,268,780,140,652,396,908,76,588,332,844,204,716,460,972,44,556,300,812,172,684,428,940,108,620,364,876,236,748,492,1004, \
+ * 28,540,284,796,156,668,412,924,92,604,348,860,220,732,476,988,60,572,316,828,188,700,444,956,124,636,380,892,252,764,508,1020, \
+ * 2,514,258,770,130,642,386,898,66,578,322,834,194,706,450,962,34,546,290,802,162,674,418,930,98,610,354,866,226,738,482,994, \
+ * 18,530,274,786,146,658,402,914,82,594,338,850,210,722,466,978,50,562,306,818,178,690,434,946,114,626,370,882,242,754,498,1010, \
+ * 10,522,266,778,138,650,394,906,74,586,330,842,202,714,458,970,42,554,298,810,170,682,426,938,106,618,362,874,234,746,490,1002, \
+ * 26,538,282,794,154,666,410,922,90,602,346,858,218,730,474,986,58,570,314,826,186,698,442,954,122,634,378,890,250,762,506,1018, \
+ * 6,518,262,774,134,646,390,902,70,582,326,838,198,710,454,966,38,550,294,806,166,678,422,934,102,614,358,870,230,742,486,998, \
+ * 22,534,278,790,150,662,406,918,86,598,342,854,214,726,470,982,54,566,310,822,182,694,438,950,118,630,374,886,246,758,502,1014, \
+ * 14,526,270,782,142,654,398,910,78,590,334,846,206,718,462,974,46,558,302,814,174,686,430,942,110,622,366,878,238,750,494,1006, \
+ * 30,542,286,798,158,670,414,926,94,606,350,862,222,734,478,990,62,574,318,830,190,702,446,958,126,638,382,894,254,766,510,1022, \
+ * 1,513,257,769,129,641,385,897,65,577,321,833,193,705,449,961,33,545,289,801,161,673,417,929,97,609,353,865,225,737,481,993, \
+ * 17,529,273,785,145,657,401,913,81,593,337,849,209,721,465,977,49,561,305,817,177,689,433,945,113,625,369,881,241,753,497,1009, \
+ * 9,521,265,777,137,649,393,905,73,585,329,841,201,713,457,969,41,553,297,809,169,681,425,937,105,617,361,873,233,745,489,1001, \
+ * 25,537,281,793,153,665,409,921,89,601,345,857,217,729,473,985,57,569,313,825,185,697,441,953,121,633,377,889,249,761,505,1017, \
+ * 5,517,261,773,133,645,389,901,69,581,325,837,197,709,453,965,37,549,293,805,165,677,421,933,101,613,357,869,229,741,485,997, \
+ * 21,533,277,789,149,661,405,917,85,597,341,853,213,725,469,981,53,565,309,821,181,693,437,949,117,629,373,885,245,757,501,1013, \
+ * 13,525,269,781,141,653,397,909,77,589,333,845,205,717,461,973,45,557,301,813,173,685,429,941,109,621,365,877,237,749,493,1005, \
+ * 29,541,285,797,157,669,413,925,93,605,349,861,221,733,477,989,61,573,317,829,189,701,445,957,125,637,381,893,253,765,509,1021, \
+ * 3,515,259,771,131,643,387,899,67,579,323,835,195,707,451,963,35,547,291,803,163,675,419,931,99,611,355,867,227,739,483,995, \
+ * 19,531,275,787,147,659,403,915,83,595,339,851,211,723,467,979,51,563,307,819,179,691,435,947,115,627,371,883,243,755,499,1011, \
+ * 11,523,267,779,139,651,395,907,75,587,331,843,203,715,459,971,43,555,299,811,171,683,427,939,107,619,363,875,235,747,491,1003, \
+ * 27,539,283,795,155,667,411,923,91,603,347,859,219,731,475,987,59,571,315,827,187,699,443,955,123,635,379,891,251,763,507,1019, \
+ * 7,519,263,775,135,647,391,903,71,583,327,839,199,711,455,967,39,551,295,807,167,679,423,935,103,615,359,871,231,743,487,999, \
+ * 23,535,279,791,151,663,407,919,87,599,343,855,215,727,471,983,55,567,311,823,183,695,439,951,119,631,375,887,247,759,503,1015, \
+ * 15,527,271,783,143,655,399,911,79,591,335,847,207,719,463,975,47,559,303,815,175,687,431,943,111,623,367,879,239,751,495,1007, \
+ * 31,543,287,799,159,671,415,927,95,607,351,863,223,735,479,991,63,575,319,831,191,703,447,959,127,639,383,895,255,767,511,1023]
+ *
+ * n = 1024; q = 12289; mont=2^18
+ * g=0; for(i=2,q-1,if(znorder(Mod(i,q)) == 2*n, g=Mod(i,q); break))
+ * omegas_bitrev_montgomery = lift(vector(n/2, i, g^(brv[i])*mont))
+ * omegas_inv_bitrev_montgomery = lift(vector(n/2, i, (g^2)^(-brv[2*(i-1)+1])*mont))
+ * psis_bitrev_montgomery = lift(vector(n, i, g^(brv[i])*mont))
+ * psis_inv_montgomery = lift(vector(n, i, g^(-(i-1))/n*mont))
+*/
+
+#if (NEWHOPE_N == 512)
+/************************************************************
+* Name: omegas_bitrev_montgomery
+*
+* Description: Contains powers of nth root of unity in Montgomery
+* domain with R=2^18 in bit-reversed order
+************************************************************/
+uint16_t omegas_bitrev_montgomery[NEWHOPE_N / 2] = {
+ 4075, 5315, 7965, 7373, 522, 10120, 9027, 5079, 2344, 1278, 1973, 5574, 1018, 6364, 11248, 8775,
+ 7500, 7822, 5537, 4749, 8500, 12142, 5456, 7840, 5445, 3860, 4536, 11239, 6171, 8471, 2683, 11099,
+ 10561, 400, 6137, 7341, 5415, 8646, 6136, 5862, 5529, 5206, 56, 9090, 8724, 11635, 1702, 10302,
+ 5339, 6843, 6093, 3710, 316, 382, 11821, 8301, 10930, 5435, 11035, 973, 8291, 10256, 8410, 1922,
+ 12097, 10968, 10240, 4912, 4698, 5057, 7509, 8844, 8807, 11502, 5468, 1010, 9162, 8120, 2920, 5241,
+ 6055, 8953, 677, 5874, 2766, 10966, 12237, 9115, 12138, 10162, 3957, 2839, 6383, 2505, 11858, 1579,
+ 9026, 3600, 6077, 4624, 11868, 4080, 6068, 3602, 605, 9987, 504, 8076, 4782, 6403, 3029, 6695,
+ 11184, 142, 5681, 8812, 2844, 3438, 8077, 975, 58, 12048, 1003, 8757, 885, 6281, 1956, 5009,
+ 12225, 3656, 11606, 9830, 1566, 5782, 2503, 2948, 7032, 3834, 5919, 4433, 3054, 6803, 9166, 1747,
+ 10211, 11177, 4322, 1958, 922, 11848, 4079, 11231, 4046, 11580, 1319, 9139, 6224, 835, 8049, 8719,
+ 7105, 1200, 6122, 9734, 3956, 1360, 6119, 5297, 4298, 3329, 168, 2692, 1594, 10327, 5106, 6328,
+ 3728, 8240, 5990, 11130, 948, 1146, 10885, 325, 8212, 4016, 8527, 2919, 295, 6190, 652, 5766,
+ 11713, 8326, 6142, 2447, 1805, 2882, 10238, 1954, 1843, 9928, 4115, 3030, 2908, 12071, 8760, 3434,
+ 5876, 2281, 2031, 5333, 8298, 8320, 12133, 2767, 11836, 5908, 11871, 8517, 6860, 7515, 10996, 4737,
+ 2500, 10800, 5942, 1583, 11026, 12240, 5915, 10806, 1815, 5383, 1512, 11939, 2057, 6920, 9087, 7796,
+ 8974, 426, 4754, 1858, 8532, 10314, 11942, 2925, 174, 11566, 3009, 1693, 2655, 6554, 5868, 2738,
+};
+
+/************************************************************
+* Name: omegas_inv_bitrev_montgomery
+*
+* Description: Contains inverses of powers of nth root of unity
+* in Montgomery domain with R=2^18 in bit-reversed order
+************************************************************/
+uint16_t omegas_inv_bitrev_montgomery[NEWHOPE_N / 2] = {
+ 4075, 6974, 4916, 4324, 7210, 3262, 2169, 11767, 3514, 1041, 5925, 11271, 6715, 10316, 11011, 9945,
+ 1190, 9606, 3818, 6118, 1050, 7753, 8429, 6844, 4449, 6833, 147, 3789, 7540, 6752, 4467, 4789,
+ 10367, 3879, 2033, 3998, 11316, 1254, 6854, 1359, 3988, 468, 11907, 11973, 8579, 6196, 5446, 6950,
+ 1987, 10587, 654, 3565, 3199, 12233, 7083, 6760, 6427, 6153, 3643, 6874, 4948, 6152, 11889, 1728,
+ 7280, 10333, 6008, 11404, 3532, 11286, 241, 12231, 11314, 4212, 8851, 9445, 3477, 6608, 12147, 1105,
+ 5594, 9260, 5886, 7507, 4213, 11785, 2302, 11684, 8687, 6221, 8209, 421, 7665, 6212, 8689, 3263,
+ 10710, 431, 9784, 5906, 9450, 8332, 2127, 151, 3174, 52, 1323, 9523, 6415, 11612, 3336, 6234,
+ 7048, 9369, 4169, 3127, 11279, 6821, 787, 3482, 3445, 4780, 7232, 7591, 7377, 2049, 1321, 192,
+ 9551, 6421, 5735, 9634, 10596, 9280, 723, 12115, 9364, 347, 1975, 3757, 10431, 7535, 11863, 3315,
+ 4493, 3202, 5369, 10232, 350, 10777, 6906, 10474, 1483, 6374, 49, 1263, 10706, 6347, 1489, 9789,
+ 7552, 1293, 4774, 5429, 3772, 418, 6381, 453, 9522, 156, 3969, 3991, 6956, 10258, 10008, 6413,
+ 8855, 3529, 218, 9381, 9259, 8174, 2361, 10446, 10335, 2051, 9407, 10484, 9842, 6147, 3963, 576,
+ 6523, 11637, 6099, 11994, 9370, 3762, 8273, 4077, 11964, 1404, 11143, 11341, 1159, 6299, 4049, 8561,
+ 5961, 7183, 1962, 10695, 9597, 12121, 8960, 7991, 6992, 6170, 10929, 8333, 2555, 6167, 11089, 5184,
+ 3570, 4240, 11454, 6065, 3150, 10970, 709, 8243, 1058, 8210, 441, 11367, 10331, 7967, 1112, 2078,
+ 10542, 3123, 5486, 9235, 7856, 6370, 8455, 5257, 9341, 9786, 6507, 10723, 2459, 683, 8633, 64,
+};
+
+/************************************************************
+* Name: psis_bitrev_montgomery
+*
+* Description: Contains powers of nth root of -1 in Montgomery
+* domain with R=2^18 in bit-reversed order
+************************************************************/
+uint16_t psis_bitrev_montgomery[NEWHOPE_N] = {
+ 4075, 5315, 7965, 7373, 522, 10120, 9027, 5079, 2344, 1278, 1973, 5574, 1018, 6364, 11248, 8775,
+ 7500, 7822, 5537, 4749, 8500, 12142, 5456, 7840, 5445, 3860, 4536, 11239, 6171, 8471, 2683, 11099,
+ 10561, 400, 6137, 7341, 5415, 8646, 6136, 5862, 5529, 5206, 56, 9090, 8724, 11635, 1702, 10302,
+ 5339, 6843, 6093, 3710, 316, 382, 11821, 8301, 10930, 5435, 11035, 973, 8291, 10256, 8410, 1922,
+ 12097, 10968, 10240, 4912, 4698, 5057, 7509, 8844, 8807, 11502, 5468, 1010, 9162, 8120, 2920, 5241,
+ 6055, 8953, 677, 5874, 2766, 10966, 12237, 9115, 12138, 10162, 3957, 2839, 6383, 2505, 11858, 1579,
+ 9026, 3600, 6077, 4624, 11868, 4080, 6068, 3602, 605, 9987, 504, 8076, 4782, 6403, 3029, 6695,
+ 11184, 142, 5681, 8812, 2844, 3438, 8077, 975, 58, 12048, 1003, 8757, 885, 6281, 1956, 5009,
+ 12225, 3656, 11606, 9830, 1566, 5782, 2503, 2948, 7032, 3834, 5919, 4433, 3054, 6803, 9166, 1747,
+ 10211, 11177, 4322, 1958, 922, 11848, 4079, 11231, 4046, 11580, 1319, 9139, 6224, 835, 8049, 8719,
+ 7105, 1200, 6122, 9734, 3956, 1360, 6119, 5297, 4298, 3329, 168, 2692, 1594, 10327, 5106, 6328,
+ 3728, 8240, 5990, 11130, 948, 1146, 10885, 325, 8212, 4016, 8527, 2919, 295, 6190, 652, 5766,
+ 11713, 8326, 6142, 2447, 1805, 2882, 10238, 1954, 1843, 9928, 4115, 3030, 2908, 12071, 8760, 3434,
+ 5876, 2281, 2031, 5333, 8298, 8320, 12133, 2767, 11836, 5908, 11871, 8517, 6860, 7515, 10996, 4737,
+ 2500, 10800, 5942, 1583, 11026, 12240, 5915, 10806, 1815, 5383, 1512, 11939, 2057, 6920, 9087, 7796,
+ 8974, 426, 4754, 1858, 8532, 10314, 11942, 2925, 174, 11566, 3009, 1693, 2655, 6554, 5868, 2738,
+ 11796, 8193, 9908, 5444, 10911, 1912, 7952, 435, 404, 7644, 11224, 10146, 7012, 11121, 11082, 9041,
+ 9723, 2187, 9867, 6250, 3646, 9852, 6267, 2987, 8509, 875, 4976, 10682, 8005, 5088, 7278, 11287,
+ 9223, 27, 3763, 10849, 11272, 7404, 5084, 10657, 8146, 4714, 12047, 10752, 2678, 3704, 545, 7270,
+ 1067, 5101, 442, 2401, 390, 11516, 3778, 8456, 1045, 9430, 9808, 5012, 9377, 6591, 11935, 4861,
+ 7852, 3, 3149, 12129, 12176, 4919, 10123, 3915, 3636, 7351, 2704, 5291, 1663, 1777, 1426, 7635,
+ 1484, 7394, 2780, 7094, 8236, 2645, 7247, 2305, 2847, 7875, 7917, 10115, 10600, 8925, 4057, 3271,
+ 9273, 243, 9289, 11618, 3136, 5191, 8889, 9890, 11869, 5559, 10111, 10745, 11813, 8758, 4905, 3985,
+ 9603, 9042, 3978, 9320, 3510, 5332, 9424, 2370, 9405, 11136, 2249, 8241, 10659, 10163, 9103, 6882,
+ 10810, 1, 5146, 4043, 8155, 5736, 11567, 1305, 1212, 10643, 9094, 5860, 8747, 8785, 8668, 2545,
+ 4591, 6561, 5023, 6461, 10938, 4978, 6512, 8961, 949, 2625, 2639, 7468, 11726, 2975, 9545, 9283,
+ 3091, 81, 11289, 7969, 9238, 9923, 2963, 7393, 12149, 1853, 11563, 7678, 8034, 11112, 1635, 9521,
+ 3201, 3014, 1326, 7203, 1170, 9970, 11334, 790, 3135, 3712, 4846, 2747, 3553, 7484, 11227, 2294,
+ 11267, 9, 9447, 11809, 11950, 2468, 5791, 11745, 10908, 9764, 8112, 3584, 4989, 5331, 4278, 10616,
+ 4452, 9893, 8340, 8993, 130, 7935, 9452, 6915, 8541, 11336, 11462, 5767, 7222, 2197, 12171, 9813,
+ 3241, 729, 3289, 10276, 9408, 3284, 2089, 5092, 11029, 4388, 5755, 7657, 10861, 1696, 2426, 11955,
+ 4231, 2548, 11934, 3382, 10530, 3707, 3694, 7110, 3637, 8830, 6747, 145, 7399, 5911, 2731, 8357,
+};
+
+/************************************************************
+* Name: psis_inv_montgomery
+*
+* Description: Contains inverses of powers of nth root of -1
+* divided by n in Montgomery domain with R=2^18
+************************************************************/
+uint16_t psis_inv_montgomery[NEWHOPE_N] = {
+ 512, 3944, 4267, 5411, 9615, 5900, 3205, 6063, 9261, 2021, 3087, 4770, 1029, 1590, 343, 530,
+ 8307, 4273, 2769, 9617, 923, 7302, 4404, 2434, 1468, 9004, 8682, 11194, 2894, 11924, 5061, 8071,
+ 1687, 10883, 8755, 7724, 11111, 6671, 7800, 6320, 2600, 6203, 4963, 6164, 9847, 6151, 11475, 10243,
+ 3825, 11607, 1275, 3869, 425, 5386, 4238, 9988, 5509, 11522, 10029, 7937, 3343, 6742, 9307, 10440,
+ 11295, 3480, 3765, 1160, 1255, 4483, 8611, 9687, 11063, 3229, 7784, 9269, 6691, 7186, 10423, 10588,
+ 11667, 11722, 3889, 12100, 9489, 12226, 3163, 12268, 9247, 12282, 11275, 4094, 11951, 5461, 8080, 10013,
+ 10886, 7434, 7725, 2478, 2575, 826, 9051, 8468, 3017, 6919, 5102, 10499, 5797, 7596, 10125, 2532,
+ 3375, 844, 1125, 8474, 375, 6921, 125, 2307, 4138, 769, 9572, 8449, 7287, 11009, 2429, 7766,
+ 4906, 6685, 9828, 10421, 3276, 7570, 1092, 10716, 364, 3572, 8314, 5287, 10964, 9955, 7751, 11511,
+ 6680, 3837, 6323, 1279, 6204, 8619, 2068, 2873, 8882, 5054, 7057, 5781, 10545, 1927, 3515, 8835,
+ 5268, 2945, 1756, 5078, 8778, 5789, 2926, 6026, 9168, 6105, 3056, 2035, 5115, 8871, 1705, 2957,
+ 8761, 5082, 11113, 1694, 11897, 4661, 8062, 5650, 10880, 10076, 7723, 7455, 10767, 2485, 3589, 9021,
+ 9389, 3007, 7226, 9195, 6505, 3065, 10361, 5118, 7550, 1706, 6613, 4665, 10397, 1555, 7562, 8711,
+ 6617, 7000, 6302, 10526, 6197, 7605, 6162, 2535, 2054, 845, 4781, 4378, 5690, 9652, 5993, 11410,
+ 6094, 11996, 10224, 8095, 3408, 10891, 1136, 11823, 4475, 3941, 5588, 5410, 5959, 9996, 10179, 3332,
+ 3393, 5207, 1131, 5832, 377, 1944, 4222, 648, 9600, 216, 3200, 72, 5163, 24, 1721, 8,
+ 4670, 4099, 5653, 9559, 10077, 11379, 3359, 3793, 5216, 9457, 5835, 11345, 1945, 7878, 8841, 2626,
+ 2947, 9068, 9175, 7119, 11251, 2373, 11943, 791, 3981, 4360, 1327, 9646, 8635, 11408, 11071, 7899,
+ 11883, 2633, 3961, 4974, 9513, 1658, 3171, 4649, 1057, 5646, 8545, 1882, 11041, 8820, 11873, 2940,
+ 8054, 980, 6781, 4423, 10453, 9667, 11677, 11415, 12085, 3805, 12221, 9461, 8170, 7250, 10916, 6513,
+ 7735, 2171, 10771, 4820, 11783, 5703, 8024, 1901, 6771, 4730, 2257, 5673, 8945, 1891, 7078, 8823,
+ 10552, 2941, 11710, 9173, 12096, 7154, 4032, 6481, 1344, 10353, 448, 3451, 8342, 9343, 6877, 11307,
+ 10485, 3769, 3495, 9449, 1165, 7246, 8581, 10608, 11053, 3536, 11877, 5275, 3959, 9951, 5416, 3317,
+ 9998, 5202, 7429, 1734, 10669, 578, 11749, 4289, 12109, 5526, 12229, 1842, 12269, 614, 8186, 4301,
+ 6825, 5530, 2275, 10036, 8951, 11538, 7080, 3846, 2360, 1282, 4883, 8620, 5724, 11066, 1908, 7785,
+ 636, 2595, 212, 865, 4167, 8481, 1389, 2827, 463, 9135, 8347, 3045, 10975, 1015, 11851, 8531,
+ 12143, 6940, 8144, 10506, 6811, 3502, 10463, 9360, 7584, 3120, 2528, 1040, 4939, 4443, 9839, 1481,
+ 7376, 4590, 6555, 1530, 2185, 510, 8921, 170, 7070, 4153, 6453, 9577, 2151, 11385, 717, 3795,
+ 239, 1265, 4176, 4518, 1392, 1506, 464, 502, 4251, 8360, 1417, 6883, 8665, 10487, 11081, 7592,
+ 7790, 6627, 6693, 2209, 2231, 8929, 4840, 11169, 9806, 3723, 7365, 1241, 2455, 4510, 9011, 9696,
+ 7100, 3232, 6463, 9270, 10347, 3090, 3449, 1030, 5246, 8536, 5845, 11038, 10141, 11872, 11573, 12150,
+ 7954, 4050, 10844, 1350, 7711, 450, 10763, 150, 7684, 50, 10754, 4113, 7681, 1371, 10753, 457,
+};
+
+#elif (NEWHOPE_N == 1024)
+/************************************************************
+* Name: omegas_bitrev_montgomery
+*
+* Description: Contains powers of nth root of unity in Montgomery
+* domain with R=2^18 in bit-reversed order
+************************************************************/
+uint16_t omegas_bitrev_montgomery[NEWHOPE_N / 2] = {
+ 4075, 6974, 7373, 7965, 3262, 5079, 522, 2169, 6364, 1018, 1041, 8775, 2344, 11011, 5574, 1973,
+ 4536, 1050, 6844, 3860, 3818, 6118, 2683, 1190, 4789, 7822, 7540, 6752, 5456, 4449, 3789, 12142,
+ 11973, 382, 3988, 468, 6843, 5339, 6196, 3710, 11316, 1254, 5435, 10930, 3998, 10256, 10367, 3879,
+ 11889, 1728, 6137, 4948, 5862, 6136, 3643, 6874, 8724, 654, 10302, 1702, 7083, 6760, 56, 3199,
+ 9987, 605, 11785, 8076, 5594, 9260, 6403, 4782, 6212, 4624, 9026, 8689, 4080, 11868, 6221, 3602,
+ 975, 8077, 8851, 9445, 5681, 3477, 1105, 142, 241, 12231, 1003, 3532, 5009, 1956, 6008, 11404,
+ 7377, 2049, 10968, 12097, 7591, 5057, 3445, 4780, 2920, 7048, 3127, 8120, 11279, 6821, 11502, 8807,
+ 12138, 2127, 2839, 3957, 431, 1579, 6383, 9784, 5874, 677, 3336, 6234, 2766, 1323, 9115, 12237,
+ 2031, 6956, 6413, 2281, 3969, 3991, 12133, 9522, 4737, 10996, 4774, 5429, 11871, 3772, 453, 5908,
+ 2882, 1805, 2051, 1954, 11713, 3963, 2447, 6142, 8174, 3030, 1843, 2361, 12071, 2908, 3529, 3434,
+ 3202, 7796, 2057, 5369, 11939, 1512, 6906, 10474, 11026, 49, 10806, 5915, 1489, 9789, 5942, 10706,
+ 10431, 7535, 426, 8974, 3757, 10314, 9364, 347, 5868, 9551, 9634, 6554, 10596, 9280, 11566, 174,
+ 2948, 2503, 6507, 10723, 11606, 2459, 64, 3656, 8455, 5257, 5919, 7856, 1747, 9166, 5486, 9235,
+ 6065, 835, 3570, 4240, 11580, 4046, 10970, 9139, 1058, 8210, 11848, 922, 7967, 1958, 10211, 1112,
+ 3728, 4049, 11130, 5990, 1404, 325, 948, 11143, 6190, 295, 11637, 5766, 8212, 8273, 2919, 8527,
+ 6119, 6992, 8333, 1360, 2555, 6167, 1200, 7105, 7991, 3329, 9597, 12121, 5106, 5961, 10695, 10327,
+ 3051, 9923, 4896, 9326, 81, 3091, 1000, 7969, 4611, 726, 1853, 12149, 4255, 11112, 2768, 10654,
+ 1062, 2294, 3553, 4805, 2747, 4846, 8577, 9154, 1170, 2319, 790, 11334, 9275, 9088, 1326, 5086,
+ 9094, 6429, 11077, 10643, 3504, 3542, 8668, 9744, 1479, 1, 8246, 7143, 11567, 10984, 4134, 5736,
+ 4978, 10938, 5777, 8961, 4591, 5728, 6461, 5023, 9650, 7468, 949, 9664, 2975, 11726, 2744, 9283,
+ 10092, 5067, 12171, 2476, 3748, 11336, 6522, 827, 9452, 5374, 12159, 7935, 3296, 3949, 9893, 4452,
+ 10908, 2525, 3584, 8112, 8011, 10616, 4989, 6958, 11809, 9447, 12280, 1022, 11950, 9821, 11745, 5791,
+ 5092, 2089, 9005, 2881, 3289, 2013, 9048, 729, 7901, 1260, 5755, 4632, 11955, 2426, 10593, 1428,
+ 4890, 5911, 3932, 9558, 8830, 3637, 5542, 145, 5179, 8595, 3707, 10530, 355, 3382, 4231, 9741,
+ 1207, 9041, 7012, 1168, 10146, 11224, 4645, 11885, 10911, 10377, 435, 7952, 4096, 493, 9908, 6845,
+ 6039, 2422, 2187, 9723, 8643, 9852, 9302, 6022, 7278, 1002, 4284, 5088, 1607, 7313, 875, 8509,
+ 9430, 1045, 2481, 5012, 7428, 354, 6591, 9377, 11847, 2401, 1067, 7188, 11516, 390, 8511, 8456,
+ 7270, 545, 8585, 9611, 12047, 1537, 4143, 4714, 4885, 1017, 5084, 1632, 3066, 27, 1440, 8526,
+ 9273, 12046, 11618, 9289, 3400, 9890, 3136, 7098, 8758, 11813, 7384, 3985, 11869, 6730, 10745, 10111,
+ 2249, 4048, 2884, 11136, 2126, 1630, 9103, 5407, 2686, 9042, 2969, 8311, 9424, 9919, 8779, 5332,
+ 10626, 1777, 4654, 10863, 7351, 3636, 9585, 5291, 8374, 2166, 4919, 12176, 9140, 12129, 7852, 12286,
+ 4895, 10805, 2780, 5195, 2305, 7247, 9644, 4053, 10600, 3364, 3271, 4057, 4414, 9442, 7917, 2174};
+
+/************************************************************
+* Name: omegas_inv_bitrev_montgomery
+*
+* Description: Contains inverses of powers of nth root of unity
+* in Montgomery domain with R=2^18 in bit-reversed order
+************************************************************/
+uint16_t omegas_inv_bitrev_montgomery[NEWHOPE_N / 2] = {
+ 4075, 5315, 4324, 4916, 10120, 11767, 7210, 9027, 10316, 6715, 1278, 9945, 3514, 11248, 11271, 5925,
+ 147, 8500, 7840, 6833, 5537, 4749, 4467, 7500, 11099, 9606, 6171, 8471, 8429, 5445, 11239, 7753,
+ 9090, 12233, 5529, 5206, 10587, 1987, 11635, 3565, 5415, 8646, 6153, 6427, 7341, 6152, 10561, 400,
+ 8410, 1922, 2033, 8291, 1359, 6854, 11035, 973, 8579, 6093, 6950, 5446, 11821, 8301, 11907, 316,
+ 52, 3174, 10966, 9523, 6055, 8953, 11612, 6415, 2505, 5906, 10710, 11858, 8332, 9450, 10162, 151,
+ 3482, 787, 5468, 1010, 4169, 9162, 5241, 9369, 7509, 8844, 7232, 4698, 192, 1321, 10240, 4912,
+ 885, 6281, 10333, 7280, 8757, 11286, 58, 12048, 12147, 11184, 8812, 6608, 2844, 3438, 4212, 11314,
+ 8687, 6068, 421, 8209, 3600, 3263, 7665, 6077, 7507, 5886, 3029, 6695, 4213, 504, 11684, 2302,
+ 1962, 1594, 6328, 7183, 168, 2692, 8960, 4298, 5184, 11089, 6122, 9734, 10929, 3956, 5297, 6170,
+ 3762, 9370, 4016, 4077, 6523, 652, 11994, 6099, 1146, 11341, 11964, 10885, 6299, 1159, 8240, 8561,
+ 11177, 2078, 10331, 4322, 11367, 441, 4079, 11231, 3150, 1319, 8243, 709, 8049, 8719, 11454, 6224,
+ 3054, 6803, 3123, 10542, 4433, 6370, 7032, 3834, 8633, 12225, 9830, 683, 1566, 5782, 9786, 9341,
+ 12115, 723, 3009, 1693, 5735, 2655, 2738, 6421, 11942, 2925, 1975, 8532, 3315, 11863, 4754, 1858,
+ 1583, 6347, 2500, 10800, 6374, 1483, 12240, 1263, 1815, 5383, 10777, 350, 6920, 10232, 4493, 9087,
+ 8855, 8760, 9381, 218, 9928, 10446, 9259, 4115, 6147, 9842, 8326, 576, 10335, 10238, 10484, 9407,
+ 6381, 11836, 8517, 418, 6860, 7515, 1293, 7552, 2767, 156, 8298, 8320, 10008, 5876, 5333, 10258,
+ 10115, 4372, 2847, 7875, 8232, 9018, 8925, 1689, 8236, 2645, 5042, 9984, 7094, 9509, 1484, 7394,
+ 3, 4437, 160, 3149, 113, 7370, 10123, 3915, 6998, 2704, 8653, 4938, 1426, 7635, 10512, 1663,
+ 6957, 3510, 2370, 2865, 3978, 9320, 3247, 9603, 6882, 3186, 10659, 10163, 1153, 9405, 8241, 10040,
+ 2178, 1544, 5559, 420, 8304, 4905, 476, 3531, 5191, 9153, 2399, 8889, 3000, 671, 243, 3016,
+ 3763, 10849, 12262, 9223, 10657, 7205, 11272, 7404, 7575, 8146, 10752, 242, 2678, 3704, 11744, 5019,
+ 3833, 3778, 11899, 773, 5101, 11222, 9888, 442, 2912, 5698, 11935, 4861, 7277, 9808, 11244, 2859,
+ 3780, 11414, 4976, 10682, 7201, 8005, 11287, 5011, 6267, 2987, 2437, 3646, 2566, 10102, 9867, 6250,
+ 5444, 2381, 11796, 8193, 4337, 11854, 1912, 1378, 404, 7644, 1065, 2143, 11121, 5277, 3248, 11082,
+ 2548, 8058, 8907, 11934, 1759, 8582, 3694, 7110, 12144, 6747, 8652, 3459, 2731, 8357, 6378, 7399,
+ 10861, 1696, 9863, 334, 7657, 6534, 11029, 4388, 11560, 3241, 10276, 9000, 9408, 3284, 10200, 7197,
+ 6498, 544, 2468, 339, 11267, 9, 2842, 480, 5331, 7300, 1673, 4278, 4177, 8705, 9764, 1381,
+ 7837, 2396, 8340, 8993, 4354, 130, 6915, 2837, 11462, 5767, 953, 8541, 9813, 118, 7222, 2197,
+ 3006, 9545, 563, 9314, 2625, 11340, 4821, 2639, 7266, 5828, 6561, 7698, 3328, 6512, 1351, 7311,
+ 6553, 8155, 1305, 722, 5146, 4043, 12288, 10810, 2545, 3621, 8747, 8785, 1646, 1212, 5860, 3195,
+ 7203, 10963, 3201, 3014, 955, 11499, 9970, 11119, 3135, 3712, 7443, 9542, 7484, 8736, 9995, 11227,
+ 1635, 9521, 1177, 8034, 140, 10436, 11563, 7678, 4320, 11289, 9198, 12208, 2963, 7393, 2366, 9238};
+
+/************************************************************
+* Name: psis_bitrev_montgomery
+*
+* Description: Contains powers of nth root of -1 in Montgomery
+* domain with R=2^18 in bit-reversed order
+************************************************************/
+uint16_t psis_bitrev_montgomery[NEWHOPE_N] = {
+ 4075, 6974, 7373, 7965, 3262, 5079, 522, 2169, 6364, 1018, 1041, 8775, 2344, 11011, 5574, 1973,
+ 4536, 1050, 6844, 3860, 3818, 6118, 2683, 1190, 4789, 7822, 7540, 6752, 5456, 4449, 3789, 12142,
+ 11973, 382, 3988, 468, 6843, 5339, 6196, 3710, 11316, 1254, 5435, 10930, 3998, 10256, 10367, 3879,
+ 11889, 1728, 6137, 4948, 5862, 6136, 3643, 6874, 8724, 654, 10302, 1702, 7083, 6760, 56, 3199,
+ 9987, 605, 11785, 8076, 5594, 9260, 6403, 4782, 6212, 4624, 9026, 8689, 4080, 11868, 6221, 3602,
+ 975, 8077, 8851, 9445, 5681, 3477, 1105, 142, 241, 12231, 1003, 3532, 5009, 1956, 6008, 11404,
+ 7377, 2049, 10968, 12097, 7591, 5057, 3445, 4780, 2920, 7048, 3127, 8120, 11279, 6821, 11502, 8807,
+ 12138, 2127, 2839, 3957, 431, 1579, 6383, 9784, 5874, 677, 3336, 6234, 2766, 1323, 9115, 12237,
+ 2031, 6956, 6413, 2281, 3969, 3991, 12133, 9522, 4737, 10996, 4774, 5429, 11871, 3772, 453, 5908,
+ 2882, 1805, 2051, 1954, 11713, 3963, 2447, 6142, 8174, 3030, 1843, 2361, 12071, 2908, 3529, 3434,
+ 3202, 7796, 2057, 5369, 11939, 1512, 6906, 10474, 11026, 49, 10806, 5915, 1489, 9789, 5942, 10706,
+ 10431, 7535, 426, 8974, 3757, 10314, 9364, 347, 5868, 9551, 9634, 6554, 10596, 9280, 11566, 174,
+ 2948, 2503, 6507, 10723, 11606, 2459, 64, 3656, 8455, 5257, 5919, 7856, 1747, 9166, 5486, 9235,
+ 6065, 835, 3570, 4240, 11580, 4046, 10970, 9139, 1058, 8210, 11848, 922, 7967, 1958, 10211, 1112,
+ 3728, 4049, 11130, 5990, 1404, 325, 948, 11143, 6190, 295, 11637, 5766, 8212, 8273, 2919, 8527,
+ 6119, 6992, 8333, 1360, 2555, 6167, 1200, 7105, 7991, 3329, 9597, 12121, 5106, 5961, 10695, 10327,
+ 3051, 9923, 4896, 9326, 81, 3091, 1000, 7969, 4611, 726, 1853, 12149, 4255, 11112, 2768, 10654,
+ 1062, 2294, 3553, 4805, 2747, 4846, 8577, 9154, 1170, 2319, 790, 11334, 9275, 9088, 1326, 5086,
+ 9094, 6429, 11077, 10643, 3504, 3542, 8668, 9744, 1479, 1, 8246, 7143, 11567, 10984, 4134, 5736,
+ 4978, 10938, 5777, 8961, 4591, 5728, 6461, 5023, 9650, 7468, 949, 9664, 2975, 11726, 2744, 9283,
+ 10092, 5067, 12171, 2476, 3748, 11336, 6522, 827, 9452, 5374, 12159, 7935, 3296, 3949, 9893, 4452,
+ 10908, 2525, 3584, 8112, 8011, 10616, 4989, 6958, 11809, 9447, 12280, 1022, 11950, 9821, 11745, 5791,
+ 5092, 2089, 9005, 2881, 3289, 2013, 9048, 729, 7901, 1260, 5755, 4632, 11955, 2426, 10593, 1428,
+ 4890, 5911, 3932, 9558, 8830, 3637, 5542, 145, 5179, 8595, 3707, 10530, 355, 3382, 4231, 9741,
+ 1207, 9041, 7012, 1168, 10146, 11224, 4645, 11885, 10911, 10377, 435, 7952, 4096, 493, 9908, 6845,
+ 6039, 2422, 2187, 9723, 8643, 9852, 9302, 6022, 7278, 1002, 4284, 5088, 1607, 7313, 875, 8509,
+ 9430, 1045, 2481, 5012, 7428, 354, 6591, 9377, 11847, 2401, 1067, 7188, 11516, 390, 8511, 8456,
+ 7270, 545, 8585, 9611, 12047, 1537, 4143, 4714, 4885, 1017, 5084, 1632, 3066, 27, 1440, 8526,
+ 9273, 12046, 11618, 9289, 3400, 9890, 3136, 7098, 8758, 11813, 7384, 3985, 11869, 6730, 10745, 10111,
+ 2249, 4048, 2884, 11136, 2126, 1630, 9103, 5407, 2686, 9042, 2969, 8311, 9424, 9919, 8779, 5332,
+ 10626, 1777, 4654, 10863, 7351, 3636, 9585, 5291, 8374, 2166, 4919, 12176, 9140, 12129, 7852, 12286,
+ 4895, 10805, 2780, 5195, 2305, 7247, 9644, 4053, 10600, 3364, 3271, 4057, 4414, 9442, 7917, 2174,
+ 3947, 11951, 2455, 6599, 10545, 10975, 3654, 2894, 7681, 7126, 7287, 12269, 4119, 3343, 2151, 1522,
+ 7174, 7350, 11041, 2442, 2148, 5959, 6492, 8330, 8945, 5598, 3624, 10397, 1325, 6565, 1945, 11260,
+ 10077, 2674, 3338, 3276, 11034, 506, 6505, 1392, 5478, 8778, 1178, 2776, 3408, 10347, 11124, 2575,
+ 9489, 12096, 6092, 10058, 4167, 6085, 923, 11251, 11912, 4578, 10669, 11914, 425, 10453, 392, 10104,
+ 8464, 4235, 8761, 7376, 2291, 3375, 7954, 8896, 6617, 7790, 1737, 11667, 3982, 9342, 6680, 636,
+ 6825, 7383, 512, 4670, 2900, 12050, 7735, 994, 1687, 11883, 7021, 146, 10485, 1403, 5189, 6094,
+ 2483, 2054, 3042, 10945, 3981, 10821, 11826, 8882, 8151, 180, 9600, 7684, 5219, 10880, 6780, 204,
+ 11232, 2600, 7584, 3121, 3017, 11053, 7814, 7043, 4251, 4739, 11063, 6771, 7073, 9261, 2360, 11925,
+ 1928, 11825, 8024, 3678, 3205, 3359, 11197, 5209, 8581, 3238, 8840, 1136, 9363, 1826, 3171, 4489,
+ 7885, 346, 2068, 1389, 8257, 3163, 4840, 6127, 8062, 8921, 612, 4238, 10763, 8067, 125, 11749,
+ 10125, 5416, 2110, 716, 9839, 10584, 11475, 11873, 3448, 343, 1908, 4538, 10423, 7078, 4727, 1208,
+ 11572, 3589, 2982, 1373, 1721, 10753, 4103, 2429, 4209, 5412, 5993, 9011, 438, 3515, 7228, 1218,
+ 8347, 5232, 8682, 1327, 7508, 4924, 448, 1014, 10029, 12221, 4566, 5836, 12229, 2717, 1535, 3200,
+ 5588, 5845, 412, 5102, 7326, 3744, 3056, 2528, 7406, 8314, 9202, 6454, 6613, 1417, 10032, 7784,
+ 1518, 3765, 4176, 5063, 9828, 2275, 6636, 4267, 6463, 2065, 7725, 3495, 8328, 8755, 8144, 10533,
+ 5966, 12077, 9175, 9520, 5596, 6302, 8400, 579, 6781, 11014, 5734, 11113, 11164, 4860, 1131, 10844,
+ 9068, 8016, 9694, 3837, 567, 9348, 7000, 6627, 7699, 5082, 682, 11309, 5207, 4050, 7087, 844,
+ 7434, 3769, 293, 9057, 6940, 9344, 10883, 2633, 8190, 3944, 5530, 5604, 3480, 2171, 9282, 11024,
+ 2213, 8136, 3805, 767, 12239, 216, 11520, 6763, 10353, 7, 8566, 845, 7235, 3154, 4360, 3285,
+ 10268, 2832, 3572, 1282, 7559, 3229, 8360, 10583, 6105, 3120, 6643, 6203, 8536, 8348, 6919, 3536,
+ 9199, 10891, 11463, 5043, 1658, 5618, 8787, 5789, 4719, 751, 11379, 6389, 10783, 3065, 7806, 6586,
+ 2622, 5386, 510, 7628, 6921, 578, 10345, 11839, 8929, 4684, 12226, 7154, 9916, 7302, 8481, 3670,
+ 11066, 2334, 1590, 7878, 10734, 1802, 1891, 5103, 6151, 8820, 3418, 7846, 9951, 4693, 417, 9996,
+ 9652, 4510, 2946, 5461, 365, 881, 1927, 1015, 11675, 11009, 1371, 12265, 2485, 11385, 5039, 6742,
+ 8449, 1842, 12217, 8176, 9577, 4834, 7937, 9461, 2643, 11194, 3045, 6508, 4094, 3451, 7911, 11048,
+ 5406, 4665, 3020, 6616, 11345, 7519, 3669, 5287, 1790, 7014, 5410, 11038, 11249, 2035, 6125, 10407,
+ 4565, 7315, 5078, 10506, 2840, 2478, 9270, 4194, 9195, 4518, 7469, 1160, 6878, 2730, 10421, 10036,
+ 1734, 3815, 10939, 5832, 10595, 10759, 4423, 8420, 9617, 7119, 11010, 11424, 9173, 189, 10080, 10526,
+ 3466, 10588, 7592, 3578, 11511, 7785, 9663, 530, 12150, 8957, 2532, 3317, 9349, 10243, 1481, 9332,
+ 3454, 3758, 7899, 4218, 2593, 11410, 2276, 982, 6513, 1849, 8494, 9021, 4523, 7988, 8, 457,
+ 648, 150, 8000, 2307, 2301, 874, 5650, 170, 9462, 2873, 9855, 11498, 2535, 11169, 5808, 12268,
+ 9687, 1901, 7171, 11787, 3846, 1573, 6063, 3793, 466, 11259, 10608, 3821, 6320, 4649, 6263, 2929};
+
+/************************************************************
+* Name: psis_inv_montgomery
+*
+* Description: Contains inverses of powers of nth root of -1
+* divided by n in Montgomery domain with R=2^18
+************************************************************/
+uint16_t psis_inv_montgomery[NEWHOPE_N] = {
+ 256, 10570, 1510, 7238, 1034, 7170, 6291, 7921, 11665, 3422, 4000, 2327, 2088, 5565, 795, 10647,
+ 1521, 5484, 2539, 7385, 1055, 7173, 8047, 11683, 1669, 1994, 3796, 5809, 4341, 9398, 11876, 12230,
+ 10525, 12037, 12253, 3506, 4012, 9351, 4847, 2448, 7372, 9831, 3160, 2207, 5582, 2553, 7387, 6322,
+ 9681, 1383, 10731, 1533, 219, 5298, 4268, 7632, 6357, 9686, 8406, 4712, 9451, 10128, 4958, 5975,
+ 11387, 8649, 11769, 6948, 11526, 12180, 1740, 10782, 6807, 2728, 7412, 4570, 4164, 4106, 11120, 12122,
+ 8754, 11784, 3439, 5758, 11356, 6889, 9762, 11928, 1704, 1999, 10819, 12079, 12259, 7018, 11536, 1648,
+ 1991, 2040, 2047, 2048, 10826, 12080, 8748, 8272, 8204, 1172, 1923, 7297, 2798, 7422, 6327, 4415,
+ 7653, 6360, 11442, 12168, 7005, 8023, 9924, 8440, 8228, 2931, 7441, 1063, 3663, 5790, 9605, 10150,
+ 1450, 8985, 11817, 10466, 10273, 12001, 3470, 7518, 1074, 1909, 7295, 9820, 4914, 702, 5367, 7789,
+ 8135, 9940, 1420, 3714, 11064, 12114, 12264, 1752, 5517, 9566, 11900, 1700, 3754, 5803, 829, 1874,
+ 7290, 2797, 10933, 5073, 7747, 8129, 6428, 6185, 11417, 1631, 233, 5300, 9535, 10140, 11982, 8734,
+ 8270, 2937, 10953, 8587, 8249, 2934, 9197, 4825, 5956, 4362, 9401, 1343, 3703, 529, 10609, 12049,
+ 6988, 6265, 895, 3639, 4031, 4087, 4095, 585, 10617, 8539, 4731, 4187, 9376, 3095, 9220, 10095,
+ 10220, 1460, 10742, 12068, 1724, 5513, 11321, 6884, 2739, 5658, 6075, 4379, 11159, 10372, 8504, 4726,
+ 9453, 3106, 7466, 11600, 10435, 8513, 9994, 8450, 9985, 3182, 10988, 8592, 2983, 9204, 4826, 2445,
+ 5616, 6069, 867, 3635, 5786, 11360, 5134, 2489, 10889, 12089, 1727, 7269, 2794, 9177, 1311, 5454,
+ 9557, 6632, 2703, 9164, 10087, 1441, 3717, 531, 3587, 2268, 324, 5313, 759, 1864, 5533, 2546,
+ 7386, 9833, 8427, 4715, 11207, 1601, 7251, 4547, 11183, 12131, 1733, 10781, 10318, 1474, 10744, 5046,
+ 4232, 11138, 10369, 6748, 964, 7160, 4534, 7670, 8118, 8182, 4680, 11202, 6867, 981, 8918, 1274,
+ 182, 26, 7026, 8026, 11680, 12202, 10521, 1503, 7237, 4545, 5916, 9623, 8397, 11733, 10454, 3249,
+ 9242, 6587, 941, 1890, 270, 10572, 6777, 9746, 6659, 6218, 6155, 6146, 878, 1881, 7291, 11575,
+ 12187, 1741, 7271, 8061, 11685, 6936, 4502, 9421, 4857, 4205, 7623, 1089, 10689, 1527, 8996, 10063,
+ 11971, 10488, 6765, 2722, 3900, 9335, 11867, 6962, 11528, 5158, 4248, 4118, 5855, 2592, 5637, 6072,
+ 2623, 7397, 8079, 9932, 4930, 5971, 853, 3633, 519, 8852, 11798, 3441, 11025, 1575, 225, 8810,
+ 11792, 12218, 3501, 9278, 3081, 9218, 4828, 7712, 8124, 11694, 12204, 3499, 4011, 573, 3593, 5780,
+ 7848, 9899, 10192, 1456, 208, 7052, 2763, 7417, 11593, 10434, 12024, 8740, 11782, 10461, 3250, 5731,
+ 7841, 9898, 1414, 202, 3540, 7528, 2831, 2160, 10842, 5060, 4234, 4116, 588, 84, 12, 7024,
+ 2759, 9172, 6577, 11473, 1639, 9012, 3043, 7457, 6332, 11438, 1634, 1989, 9062, 11828, 8712, 11778,
+ 12216, 10523, 6770, 9745, 10170, 4964, 9487, 6622, 946, 8913, 6540, 6201, 4397, 9406, 8366, 9973,
+ 8447, 8229, 11709, 8695, 10020, 3187, 5722, 2573, 10901, 6824, 4486, 4152, 9371, 8361, 2950, 2177,
+ 311, 1800, 9035, 8313, 11721, 3430, 490, 70, 10, 1757, 251, 3547, 7529, 11609, 3414, 7510,
+ 4584, 4166, 9373, 1339, 5458, 7802, 11648, 1664, 7260, 9815, 10180, 6721, 9738, 10169, 8475, 8233,
+ 9954, 1422, 8981, 1283, 5450, 11312, 1616, 3742, 11068, 10359, 4991, 713, 3613, 9294, 8350, 4704,
+ 672, 96, 7036, 9783, 11931, 3460, 5761, 823, 10651, 12055, 10500, 1500, 5481, 783, 3623, 11051,
+ 8601, 8251, 8201, 11705, 10450, 5004, 4226, 7626, 2845, 2162, 3820, 7568, 9859, 3164, 452, 10598,
+ 1514, 5483, 6050, 6131, 4387, 7649, 8115, 6426, 918, 8909, 8295, 1185, 5436, 11310, 8638, 1234,
+ 5443, 11311, 5127, 2488, 2111, 10835, 5059, 7745, 2862, 3920, 560, 80, 1767, 2008, 3798, 11076,
+ 6849, 2734, 10924, 12094, 8750, 1250, 10712, 6797, 971, 7161, 1023, 8924, 4786, 7706, 4612, 4170,
+ 7618, 6355, 4419, 5898, 11376, 10403, 10264, 6733, 4473, 639, 5358, 2521, 9138, 3061, 5704, 4326,
+ 618, 5355, 765, 5376, 768, 7132, 4530, 9425, 3102, 9221, 6584, 11474, 10417, 10266, 12000, 6981,
+ 6264, 4406, 2385, 7363, 4563, 4163, 7617, 9866, 3165, 9230, 11852, 10471, 5007, 5982, 11388, 5138,
+ 734, 3616, 11050, 12112, 6997, 11533, 12181, 10518, 12036, 3475, 2252, 7344, 9827, 4915, 9480, 6621,
+ 4457, 7659, 9872, 6677, 4465, 4149, 7615, 4599, 657, 3605, 515, 10607, 6782, 4480, 640, 1847,
+ 3775, 5806, 2585, 5636, 9583, 1369, 10729, 8555, 10000, 11962, 5220, 7768, 8132, 8184, 9947, 1421,
+ 203, 29, 8782, 11788, 1684, 10774, 10317, 4985, 9490, 8378, 4708, 11206, 5112, 5997, 7879, 11659,
+ 12199, 8765, 10030, 4944, 5973, 6120, 6141, 6144, 7900, 11662, 1666, 238, 34, 3516, 5769, 9602,
+ 8394, 9977, 6692, 956, 10670, 6791, 9748, 11926, 8726, 11780, 5194, 742, 106, 8793, 10034, 3189,
+ 10989, 5081, 4237, 5872, 4350, 2377, 10873, 6820, 6241, 11425, 10410, 10265, 3222, 5727, 9596, 4882,
+ 2453, 2106, 3812, 11078, 12116, 5242, 4260, 11142, 8614, 11764, 12214, 5256, 4262, 4120, 11122, 5100,
+ 11262, 5120, 2487, 5622, 9581, 8391, 8221, 2930, 10952, 12098, 6995, 6266, 9673, 4893, 699, 3611,
+ 4027, 5842, 11368, 1624, 232, 8811, 8281, 1183, 169, 8802, 3013, 2186, 5579, 797, 3625, 4029,
+ 11109, 1587, 7249, 11569, 8675, 6506, 2685, 10917, 12093, 12261, 12285, 1755, 7273, 1039, 1904, 272,
+ 3550, 9285, 3082, 5707, 6082, 4380, 7648, 11626, 5172, 4250, 9385, 8363, 8217, 4685, 5936, 848,
+ 8899, 6538, 934, 1889, 3781, 9318, 10109, 10222, 6727, 961, 5404, 772, 5377, 9546, 8386, 1198,
+ 8949, 3034, 2189, 7335, 4559, 5918, 2601, 10905, 5069, 9502, 3113, 7467, 8089, 11689, 5181, 9518,
+ 8382, 2953, 3933, 4073, 4093, 7607, 8109, 2914, 5683, 4323, 11151, 1593, 10761, 6804, 972, 3650,
+ 2277, 5592, 4310, 7638, 9869, 4921, 703, 1856, 9043, 4803, 9464, 1352, 8971, 11815, 5199, 7765,
+ 6376, 4422, 7654, 2849, 407, 8836, 6529, 7955, 2892, 9191, 1313, 10721, 12065, 12257, 1751, 9028,
+ 8312, 2943, 2176, 3822, 546, 78, 8789, 11789, 10462, 12028, 6985, 4509, 9422, 1346, 5459, 4291,
+ 613, 10621, 6784, 9747, 3148, 7472, 2823, 5670, 810, 7138, 8042, 4660, 7688, 6365, 6176, 6149,
+ 2634, 5643, 9584, 10147, 11983, 5223, 9524, 11894, 10477, 8519, 1217, 3685, 2282, 326, 10580, 3267,
+ 7489, 4581, 2410, 5611, 11335, 6886, 8006, 8166, 11700, 3427, 11023, 8597, 10006, 3185, 455, 65,
+ 5276, 7776, 4622, 5927, 7869, 9902, 11948, 5218, 2501, 5624, 2559, 10899, 1557, 1978, 10816, 10323,
+ 8497, 4725, 675, 1852, 10798, 12076, 10503, 3256, 9243, 3076, 2195, 10847, 12083, 10504, 12034, 10497};
+
+#else
+#error "NEWHOPE_N must be either 512 or 1024"
+#endif
diff --git a/src/ringct20/rand.c b/src/ringct20/rand.c
new file mode 100644
index 0000000..3b65786
--- /dev/null
+++ b/src/ringct20/rand.c
@@ -0,0 +1,121 @@
+#include <stdio.h>
+#if defined(_WIN32)
+#include <windows.h>
+#include <Wincrypt.h>
+#include <assert.h>
+#define strcasecmp _stricmp
+#else
+#include <stdlib.h>
+#include <unistd.h>
+#include <strings.h>
+#if defined(__APPLE__)
+#include <sys/random.h>
+#else
+#include <unistd.h>
+#endif
+#endif
+#include <fcntl.h>
+
+#include "oqs.h"
+
+void OQS_randombytes_system(uint8_t *random_array, size_t bytes_to_read);
+void OQS_randombytes_nist_kat(uint8_t *random_array, size_t bytes_to_read);
+#ifdef USE_OPENSSL
+void OQS_randombytes_openssl(uint8_t *random_array, size_t bytes_to_read);
+#endif
+
+#ifdef USE_OPENSSL
+#include <openssl/rand.h>
+// Use OpenSSL's RAND_bytes as the default PRNG
+static void (*oqs_randombytes_algorithm)(uint8_t *, size_t) = &OQS_randombytes_openssl;
+#else
+static void (*oqs_randombytes_algorithm)(uint8_t *, size_t) = &OQS_randombytes_system;
+#endif
+
+OQS_API OQS_STATUS OQS_randombytes_switch_algorithm(const char *algorithm) {
+ if (0 == strcasecmp(OQS_RAND_alg_system, algorithm)) {
+ oqs_randombytes_algorithm = &OQS_randombytes_system;
+ return OQS_SUCCESS;
+// } else if (0 == strcasecmp(OQS_RAND_alg_nist_kat, algorithm)) {
+// oqs_randombytes_algorithm = &OQS_randombytes_nist_kat;
+// return OQS_SUCCESS;
+ } else if (0 == strcasecmp(OQS_RAND_alg_openssl, algorithm)) {
+#ifdef USE_OPENSSL
+ oqs_randombytes_algorithm = &OQS_randombytes_openssl;
+ return OQS_SUCCESS;
+#else
+ return OQS_ERROR;
+#endif
+ } else {
+ return OQS_ERROR;
+ }
+}
+
+OQS_API void OQS_randombytes_custom_algorithm(void (*algorithm_ptr)(uint8_t *, size_t)) {
+ oqs_randombytes_algorithm = algorithm_ptr;
+}
+
+OQS_API void OQS_randombytes(uint8_t *random_array, size_t bytes_to_read) {
+ oqs_randombytes_algorithm(random_array, bytes_to_read);
+}
+
+#if !defined(_WIN32)
+#if defined(HAVE_GETENTROPY)
+void OQS_randombytes_system(uint8_t *random_array, size_t bytes_to_read) {
+
+ int rc;
+ do {
+ rc = getentropy(random_array, bytes_to_read);
+ } while (rc != 0);
+}
+#else
+static __inline void delay(unsigned int count) {
+ while (count--) {
+ }
+}
+
+void OQS_randombytes_system(uint8_t *random_array, size_t bytes_to_read) {
+
+ FILE *handle;
+ do {
+ handle = fopen("/dev/urandom", "rb");
+ if (handle == NULL) {
+ delay(0xFFFFF);
+ }
+ } while (handle == NULL);
+
+ int bytes_last_read, bytes_total_read, bytes_left_to_read;
+ bytes_total_read = 0;
+ bytes_left_to_read = bytes_to_read;
+ while (bytes_left_to_read > 0) {
+ do {
+ bytes_last_read = fread(random_array + bytes_total_read, 1, bytes_left_to_read, handle);
+ if (bytes_last_read <= 0) {
+ delay(0xFFFF);
+ }
+ } while (bytes_last_read <= 0);
+ bytes_total_read += bytes_last_read;
+ bytes_left_to_read -= bytes_last_read;
+ }
+ fclose(handle);
+}
+#endif
+#else
+void OQS_randombytes_system(uint8_t *random_array, size_t bytes_to_read) {
+ HCRYPTPROV hCryptProv;
+ if (!CryptAcquireContext(&hCryptProv, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT) ||
+ !CryptGenRandom(hCryptProv, (DWORD) bytes_to_read, random_array)) {
+ assert(0); // no other way to return an error; better fail than return bad random data
+ }
+ CryptReleaseContext(hCryptProv, 0);
+}
+#endif
+
+#ifdef USE_OPENSSL
+void OQS_randombytes_openssl(uint8_t *random_array, size_t bytes_to_read) {
+ int rc;
+ do {
+ rc = RAND_bytes(random_array, bytes_to_read);
+ } while (rc != 1);
+}
+#endif
diff --git a/src/ringct20/rand.h b/src/ringct20/rand.h
new file mode 100644
index 0000000..662f7f2
--- /dev/null
+++ b/src/ringct20/rand.h
@@ -0,0 +1,63 @@
+/**
+ * \file rand.h
+ * \brief Random number generator.
+ */
+
+#ifndef __OQS_RANDOM_H
+#define __OQS_RANDOM_H
+
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdint.h>
+
+#include "common.h"
+
+/** Algorithm identifier for system PRNG. */
+#define OQS_RAND_alg_system "system"
+/** Algorithm identifier for NIST deterministic RNG for KATs. */
+#define OQS_RAND_alg_nist_kat "NIST-KAT"
+/** Algorithm identifier for using OpenSSL's PRNG. */
+#define OQS_RAND_alg_openssl "OpenSSL"
+
+/**
+ * Switches OQS_randombytes to use the specified algorithm.
+ *
+ * @param[in] algorithm The name of the algorithm to use.
+ * @return OQS_SUCCESS if `algorithm` is a supported algorithm name, OQS_ERROR otherwise.
+ */
+OQS_API OQS_STATUS OQS_randombytes_switch_algorithm(const char *algorithm);
+
+/**
+ * Switches OQS_randombytes to use the given function.
+ *
+ * This allows additional custom RNGs besides the provided ones. The provided RNG
+ * function must have the same signature as `OQS_randombytes`.
+ *
+ * @param[in] algorithm_ptr Pointer to the RNG function to use.
+ */
+OQS_API void OQS_randombytes_custom_algorithm(void (*algorithm_ptr)(uint8_t *, size_t));
+
+/**
+ * Fills the given memory with the requested number of (pseudo)random bytes.
+ *
+ * This implementation uses whichever algorithm has been selected by
+ * OQS_randombytes_switch_algorithm. The default is OQS_randombytes_system, which
+ * reads bytes directly from `/dev/urandom`.
+ *
+ * The caller is responsible for providing a buffer allocated with sufficient room.
+ *
+ * @param[out] random_array Pointer to the memory to fill with (pseudo)random bytes
+ * @param[in] bytes_to_read The number of random bytes to read into memory
+ */
+OQS_API void OQS_randombytes(uint8_t *random_array, size_t bytes_to_read);
+
+/**
+ * Initializes the NIST DRBG with a given seed.
+ *
+ * @param[in] entropy_input The seed; must be exactly 48 bytes
+ * @param[in] personalization_string An optional personalization string; may be NULL
+ * @param[in] security_strength The required security strength; must be 256
+ */
+OQS_API void OQS_randombytes_nist_kat_init(const uint8_t *entropy_input, const uint8_t *personalization_string, int security_strength);
+
+#endif // __OQS_RANDOM_H
diff --git a/src/ringct20/rand_nist.c b/src/ringct20/rand_nist.c
new file mode 100644
index 0000000..be4f91c
--- /dev/null
+++ b/src/ringct20/rand_nist.c
@@ -0,0 +1,131 @@
+//
+// rng.c
+//
+// Created by Bassham, Lawrence E (Fed) on 8/29/17.
+// Copyright © 2017 Bassham, Lawrence E (Fed). All rights reserved.
+// Modified for liboqs by Douglas Stebila
+//
+
+#include <assert.h>
+#include <string.h>
+
+#include "common.h"
+
+#if USE_OPENSSL
+#include <openssl/conf.h>
+#include <openssl/evp.h>
+#include <openssl/err.h>
+#else
+#include "aes.h"
+#endif
+
+typedef struct {
+ unsigned char Key[32];
+ unsigned char V[16];
+ int reseed_counter;
+} AES256_CTR_DRBG_struct;
+
+static AES256_CTR_DRBG_struct DRBG_ctx;
+static void AES256_CTR_DRBG_Update(unsigned char *provided_data, unsigned char *Key, unsigned char *V);
+
+#ifdef USE_OPENSSL
+static void handleErrors(void) {
+ ERR_print_errors_fp(stderr);
+ abort();
+}
+#endif
+
+// Use whatever AES implementation you have. This uses AES from openSSL library
+// key - 256-bit AES key
+// ctr - a 128-bit plaintext value
+// buffer - a 128-bit ciphertext value
+static void AES256_ECB(unsigned char *key, unsigned char *ctr, unsigned char *buffer) {
+#ifdef USE_OPENSSL
+ EVP_CIPHER_CTX *ctx;
+
+ int len;
+
+ /* Create and initialise the context */
+ if (!(ctx = EVP_CIPHER_CTX_new()))
+ handleErrors();
+
+ if (1 != EVP_EncryptInit_ex(ctx, EVP_aes_256_ecb(), NULL, key, NULL))
+ handleErrors();
+
+ if (1 != EVP_EncryptUpdate(ctx, buffer, &len, ctr, 16))
+ handleErrors();
+
+ /* Clean up */
+ EVP_CIPHER_CTX_free(ctx);
+#else
+ void *schedule = NULL;
+ OQS_AES256_load_schedule(key, &schedule, 1);
+ OQS_AES256_ECB_enc(ctr, 16, key, buffer);
+ OQS_AES256_free_schedule(schedule);
+#endif
+}
+
+OQS_API void OQS_randombytes_nist_kat_init(unsigned char *entropy_input, unsigned char *personalization_string, int security_strength) {
+ unsigned char seed_material[48];
+
+ assert(security_strength == 256);
+ memcpy(seed_material, entropy_input, 48);
+ if (personalization_string)
+ for (int i = 0; i < 48; i++)
+ seed_material[i] ^= personalization_string[i];
+ memset(DRBG_ctx.Key, 0x00, 32);
+ memset(DRBG_ctx.V, 0x00, 16);
+ AES256_CTR_DRBG_Update(seed_material, DRBG_ctx.Key, DRBG_ctx.V);
+ DRBG_ctx.reseed_counter = 1;
+}
+
+void OQS_randombytes_nist_kat(unsigned char *x, unsigned long long xlen) {
+ unsigned char block[16];
+ int i = 0;
+
+ while (xlen > 0) {
+ //increment V
+ for (int j = 15; j >= 0; j--) {
+ if (DRBG_ctx.V[j] == 0xff)
+ DRBG_ctx.V[j] = 0x00;
+ else {
+ DRBG_ctx.V[j]++;
+ break;
+ }
+ }
+ AES256_ECB(DRBG_ctx.Key, DRBG_ctx.V, block);
+ if (xlen > 15) {
+ memcpy(x + i, block, 16);
+ i += 16;
+ xlen -= 16;
+ } else {
+ memcpy(x + i, block, xlen);
+ xlen = 0;
+ }
+ }
+ AES256_CTR_DRBG_Update(NULL, DRBG_ctx.Key, DRBG_ctx.V);
+ DRBG_ctx.reseed_counter++;
+}
+
+static void AES256_CTR_DRBG_Update(unsigned char *provided_data, unsigned char *Key, unsigned char *V) {
+ unsigned char temp[48];
+
+ for (int i = 0; i < 3; i++) {
+ //increment V
+ for (int j = 15; j >= 0; j--) {
+ if (V[j] == 0xff)
+ V[j] = 0x00;
+ else {
+ V[j]++;
+ break;
+ }
+ }
+
+ AES256_ECB(Key, V, temp + 16 * i);
+ }
+ if (provided_data != NULL)
+ for (int i = 0; i < 48; i++)
+ temp[i] ^= provided_data[i];
+ memcpy(Key, temp, 32);
+ memcpy(V, temp + 32, 16);
+}
diff --git a/src/ringct20/reduce.c b/src/ringct20/reduce.c
new file mode 100644
index 0000000..410a04d
--- /dev/null
+++ b/src/ringct20/reduce.c
@@ -0,0 +1,26 @@
+#include "reduce.h"
+#include "params.h"
+
+static const uint32_t qinv = 12287; // -inverse_mod(p,2^18)
+static const uint32_t rlog = 18;
+
+/*************************************************
+* Name: verify_ringct20
+*
+* Description: Montgomery reduction; given a 32-bit integer a, computes
+* 16-bit integer congruent to a * R^-1 mod q,
+* where R=2^18 (see value of rlog)
+*
+* Arguments: - uint32_t a: input unsigned integer to be reduced; has to be in {0,...,1073491968}
+*
+* Returns: unsigned integer in {0,...,2^14-1} congruent to a * R^-1 modulo q.
+**************************************************/
+uint16_t montgomery_reduce_32_16(uint32_t a) {
+ uint32_t u;
+
+ u = (a * qinv);
+ u &= ((1 << rlog) - 1);
+ u *= NEWHOPE_Q;
+ a = a + u;
+ return a >> 18;
+}
diff --git a/src/ringct20/reduce.h b/src/ringct20/reduce.h
new file mode 100644
index 0000000..6f716e3
--- /dev/null
+++ b/src/ringct20/reduce.h
@@ -0,0 +1,8 @@
+#ifndef REDUCE_H
+#define REDUCE_H
+
+#include <stdint.h>
+
+uint16_t montgomery_reduce_32_16(uint32_t a);
+
+#endif
diff --git a/src/ringct20/ring.c b/src/ringct20/ring.c
new file mode 100644
index 0000000..fc81178
--- /dev/null
+++ b/src/ringct20/ring.c
@@ -0,0 +1,722 @@
+#include <stdio.h>
+#include "ring.h"
+#include "rand.h"
+#include "common.h"
+#include "sha256.h"
+
+
+void LRCT_SampleKey(poly_ringct20 *r, size_t mLen)
+{
+ uint8_t seed[NEWHOPE_SYMBYTES] = { 0 };
+ size_t i;
+ for ( i = 0; i < mLen; i++)
+ {
+ OQS_randombytes(seed, NEWHOPE_SYMBYTES);
+ for (size_t j = 0; j < NEWHOPE_SYMBYTES; j++)
+ {
+
+ r[i].coeffs[j * 8 + 0] = (seed[j] & 0x01);
+ r[i].coeffs[j * 8 + 1] = (seed[j] & 0x02)>>1;
+ r[i].coeffs[j * 8 + 2] = (seed[j] & 0x04)>>2;
+ r[i].coeffs[j * 8 + 3] = (seed[j] & 0x08)>>3;
+ r[i].coeffs[j * 8 + 4] = (seed[j] & 0x10)>>4;
+ r[i].coeffs[j * 8 + 5] = (seed[j] & 0x20)>>5;
+ r[i].coeffs[j * 8 + 6] = (seed[j] & 0x40)>>6;
+ r[i].coeffs[j * 8 + 7] = (seed[j] & 0x80)>>7;
+ }
+ OQS_randombytes(seed, NEWHOPE_SYMBYTES);
+ for (size_t j = 0; j < NEWHOPE_SYMBYTES; j++)
+ {
+
+ r[i].coeffs[NEWHOPE_SYMBYTES * 8 + j * 8 + 0] = (seed[j] & 0x01);
+ r[i].coeffs[NEWHOPE_SYMBYTES * 8 + j * 8 + 1] = (seed[j] & 0x02)>>1;
+ r[i].coeffs[NEWHOPE_SYMBYTES * 8 + j * 8 + 2] = (seed[j] & 0x04)>>2;
+ r[i].coeffs[NEWHOPE_SYMBYTES * 8 + j * 8 + 3] = (seed[j] & 0x08)>>3;
+ r[i].coeffs[NEWHOPE_SYMBYTES * 8 + j * 8 + 4] = (seed[j] & 0x10)>>4;
+ r[i].coeffs[NEWHOPE_SYMBYTES * 8 + j * 8 + 5] = (seed[j] & 0x20)>>5;
+ r[i].coeffs[NEWHOPE_SYMBYTES * 8 + j * 8 + 6] = (seed[j] & 0x40)>>6;
+ r[i].coeffs[NEWHOPE_SYMBYTES * 8 + j * 8 + 7] = (seed[j] & 0x80)>>7;
+ }
+
+ }
+
+}
+void LRCT_Setup(poly_ringct20 *A, poly_ringct20 *H, size_t mLen)
+{
+
+ uint8_t seed[NEWHOPE_SYMBYTES] = { 0 };
+ size_t i = 0;
+
+ for ( i = 0; i < mLen; i++)
+ {
+ OQS_randombytes(seed, NEWHOPE_SYMBYTES);
+ poly_uniform_ringct20(A + i, seed);
+ poly_serial(A + i);
+ OQS_randombytes(seed, NEWHOPE_SYMBYTES);
+ poly_uniform_ringct20(H + i, seed);
+ poly_serial(H + i);
+ }
+}
+
+void LRCT_KeyGen(poly_ringct20 *a, poly_ringct20 *A, poly_ringct20 *S, size_t mLen)
+{
+ LRCT_MatrixMulPoly(a, A, S, mLen);
+ poly_serial(a);
+}
+
+void LRCT_SigGen(poly_ringct20 *c1, poly_ringct20 **t, poly_ringct20 *h, poly_ringct20 *A, poly_ringct20 *H, poly_ringct20 *S, poly_ringct20 *u, size_t mLen, poly_ringct20 *L, uint8_t w, uint8_t pai, unsigned char *msg, int msgLen)
+{
+ //H2q
+ size_t i, j, k;
+ poly_ringct20 *H2q = (poly_ringct20 *)malloc((mLen + 1) * sizeof(poly_ringct20));
+ poly_ringct20 *S2q = (poly_ringct20 *)malloc((mLen + 1) * sizeof(poly_ringct20));
+ poly_ringct20 *A2qp = (poly_ringct20 *)malloc((mLen + 1) * sizeof(poly_ringct20));
+ poly_ringct20 *tmp2q = (poly_ringct20 *)malloc((mLen + 1) * sizeof(poly_ringct20));
+ poly_ringct20 tmp, tmp1;
+ poly_ringct20 c, cpai;
+ SHA256_CTX ctx;
+ unsigned char bHash[32] = { 0 };
+ unsigned char bpoly[NEWHOPE_POLYBYTES] = { 0 };
+ unsigned char bt[NEWHOPE_POLYBYTES] = { 0 };
+ uint8_t coin = 0;
+ for ( i = 0; i < (mLen+1); i++)
+ {
+ poly_init(H2q + i);
+ poly_init(S2q + i);
+ poly_init(A2qp + i);
+ poly_init(tmp2q + i);
+ }
+ ///////////1.
+ LRCT_MatrixMulPoly(h, H, S, mLen);//h = HS_{pai}
+ LRCT_Lift(H2q, H, h, mLen);//H_{2q}
+ poly_copy(S2q, S, mLen);
+ poly_setValue(S2q + mLen, 1);//S_{2q}
+ ///////////2.
+ LRCT_Lift(A2qp, A, L + pai, mLen);
+ SHA256_Init(&ctx);
+ for (i = 0; i < w; i++)
+ {
+ poly_tobytes(bpoly, L + i);
+ SHA256_Update(&ctx, bpoly, NEWHOPE_POLYBYTES);
+ }
+ for ( i = 0; i < mLen+1; i++)
+ {
+ poly_tobytes(bpoly, H2q + i);
+ SHA256_Update(&ctx, bpoly, NEWHOPE_POLYBYTES);
+ }
+ SHA256_Update(&ctx, msg, msgLen);//msg
+
+ LRCT_MatrixMulPoly(&tmp, A2qp, u, mLen + 1);
+ poly_tobytes(bpoly, &tmp);
+ SHA256_Update(&ctx, bpoly, NEWHOPE_POLYBYTES);//A2qb*U
+
+ LRCT_MatrixMulPoly(&tmp, H2q, u, mLen + 1);
+ poly_tobytes(bpoly, &tmp);
+ SHA256_Update(&ctx, bpoly, NEWHOPE_POLYBYTES);//H2q*U
+ SHA256_Final(bHash, &ctx);//C_(pai+1)
+ SHA256_KDF(bHash, 32, NEWHOPE_POLYBYTES, bt);
+ poly_frombytes(&c, bt);
+ poly_serial(&c);
+ //poly_print(&c);
+ /////////////////////////////////////
+ for ( i = 0; i < (w-1); i++)
+ {
+ j = (pai + i+1) % w;
+ if (j == 0)
+ {
+ poly_cofcopy(c1, &c);
+ }
+ LRCT_Lift(tmp2q, A, L + j, mLen);
+ SHA256_Init(&ctx);
+ for (k = 0; k < w; k++)
+ {
+ poly_tobytes(bpoly, L + k);
+ SHA256_Update(&ctx, bpoly, NEWHOPE_POLYBYTES);
+ }
+ for (k = 0; k < mLen+1; k++)
+ {
+ poly_tobytes(bpoly, H2q + k);
+ SHA256_Update(&ctx, bpoly, NEWHOPE_POLYBYTES);
+ }
+ SHA256_Update(&ctx, msg, msgLen);//msg
+
+ for ( k = 0; k < mLen+1; k++)
+ {
+ OQS_randombytes(bt, NEWHOPE_POLYBYTES);
+ poly_frombytes(t[j] + k, bt);
+ poly_serial(t[j] + k);
+ }
+ LRCT_MatrixMulPoly(&tmp, tmp2q, t[j], mLen + 1);
+ poly_constmul(&tmp1, &c, NEWHOPE_Q);
+ poly_add_ringct20(&tmp, &tmp, &tmp1);//(+ qC_i)% Q
+ poly_tobytes(bpoly, &tmp);
+ SHA256_Update(&ctx, bpoly, NEWHOPE_POLYBYTES);//
+
+ LRCT_MatrixMulPoly(&tmp, H2q, t[j], mLen + 1);
+ poly_add_ringct20(&tmp, &tmp, &tmp1);//(+ qC_i)% Q
+ poly_tobytes(bpoly, &tmp);
+ SHA256_Update(&ctx, bpoly, NEWHOPE_POLYBYTES);//H2q*U
+ SHA256_Final(bHash, &ctx);//C_(pai+1)
+ printf("sign bHash======================%d:\n", j);
+ BytePrint(bHash, 32);
+
+ SHA256_KDF(bHash, 32, NEWHOPE_POLYBYTES, bt);
+ poly_frombytes(&c, bt);
+ poly_serial(&c);//C_{j+1}
+ if (j == (pai-1))
+ {
+ poly_cofcopy(&cpai, &c);
+ break;
+ }
+
+ }
+ OQS_randombytes(&coin, 1);
+ LRCT_PolyMultMatrix(tmp2q, &cpai, S2q, mLen + 1);//S2qpai *c_pai
+ if (coin&0x01)//b =1
+ {
+ LRCT_MatrixSubMatrix(t[pai], u, tmp2q, mLen + 1);
+ }
+ else {
+ LRCT_MatrixAddMatrix(t[pai], u, tmp2q, mLen + 1);
+ }
+
+ free(H2q);
+ free(S2q);
+ free(A2qp);
+ free(tmp2q);
+}
+int LRCT_SigVer(const poly_ringct20 *c1, poly_ringct20 **t, poly_ringct20 *A, poly_ringct20 *H, size_t mLen, poly_ringct20 *h, poly_ringct20 *L,
+ uint8_t w, unsigned char *msg, int msgLen)
+{
+ size_t i,k;
+ poly_ringct20 *H2q = (poly_ringct20 *)malloc((mLen + 1) * sizeof(poly_ringct20));
+ poly_ringct20 *A2qp = (poly_ringct20 *)malloc((mLen + 1) * sizeof(poly_ringct20));
+ poly_ringct20 c, tmp, tmp1;
+ SHA256_CTX ctx;
+ unsigned char bHash[32] = { 0 };
+ unsigned char bpoly[NEWHOPE_POLYBYTES] = { 0 };
+ for (i = 0; i < (mLen + 1); i++)
+ {
+ poly_init(H2q + i);
+ //poly_init(S2q + i);
+ poly_init(A2qp + i);
+ }
+ LRCT_Lift(H2q, H, h, mLen);
+ poly_cofcopy(&c, c1);
+ for ( i = 0; i < w; i++)
+ {
+ LRCT_Lift(A2qp, A, L+i, mLen);
+ SHA256_Init(&ctx);
+ for (k = 0; k < w; k++)
+ {
+ poly_tobytes(bpoly, L + k);
+ SHA256_Update(&ctx, bpoly, NEWHOPE_POLYBYTES);
+ }
+ for (k = 0; k < mLen+1; k++)
+ {
+ poly_tobytes(bpoly, H2q + k);
+ SHA256_Update(&ctx, bpoly, NEWHOPE_POLYBYTES);
+ }
+ SHA256_Update(&ctx, msg, msgLen);//msg
+
+ poly_constmul(&tmp1, &c, NEWHOPE_Q);
+
+ LRCT_MatrixMulPoly(&tmp, A2qp, t[i], mLen + 1);
+ poly_add_ringct20(&tmp, &tmp, &tmp1);//(+ qC_i)% Q
+ poly_tobytes(bpoly, &tmp);
+ SHA256_Update(&ctx, bpoly, NEWHOPE_POLYBYTES);//A2qb*U
+
+ LRCT_MatrixMulPoly(&tmp, H2q, t[i], mLen + 1);
+ poly_add_ringct20(&tmp, &tmp, &tmp1);//(+ qC_i)% Q
+ poly_serial(&tmp);
+ poly_tobytes(bpoly, &tmp);
+ SHA256_Update(&ctx, bpoly, NEWHOPE_POLYBYTES);//H2q*U
+ SHA256_Final(bHash, &ctx);//C_(pai+1)
+ printf("bHash======================%d:\n", i);
+ BytePrint(bHash, 32);
+ SHA256_KDF(bHash, 32, NEWHOPE_POLYBYTES, bpoly);
+ poly_frombytes(&c, bpoly);
+ poly_serial(&c);
+ }
+ free(H2q);
+ free(A2qp);
+ if (poly_equal(&c, c1) ==1)
+ {
+ return 1;
+ }
+ return 0;
+}
+
+void LRCT_Mint(IW *iw, poly_ringct20 *ck, poly_ringct20 *a, poly_ringct20 *A, size_t mLen, unsigned char* bMessage, size_t msglen)
+{
+ LRCT_SampleKey(ck, mLen);
+ LRCT_nttCom(&(iw->cn), A, ck, mLen, bMessage, msglen);
+ poly_cofcopy(&(iw->a), a);
+}
+void LRCT_Spend(IW *iwOA, poly_ringct20 *ckOA, poly_ringct20 *c1, poly_ringct20 **t, poly_ringct20 *h, poly_ringct20 *L, unsigned char* bSignMess, size_t sigMsgLen, IW *iws, size_t iwsLen,
+ int PaiInd, poly_ringct20 *skPai, poly_ringct20 *ckPai, unsigned char* bVal, size_t bvalLen, poly_ringct20 *OA, poly_ringct20 *A, poly_ringct20 *H, size_t mLen)
+{
+
+ poly_ringct20 *u = (poly_ringct20 *)malloc((mLen+1)*sizeof(poly_ringct20));
+ poly_ringct20 *S = (poly_ringct20 *)malloc((mLen) * sizeof(poly_ringct20));
+ size_t i;
+ poly_ringct20 tmp;
+ LRCT_Mint(iwOA, ckOA, OA, A, mLen, bVal, bvalLen);
+
+ for ( i = 0; i < iwsLen; i++)
+ {
+ poly_add_ringct20(&tmp, &iws[i].a, &iws[i].cn);
+ poly_sub_ringct20(L + i, &tmp, &(iwOA->cn));
+ }
+ LRCT_SampleKey(u, mLen + 1);
+ LRCT_MatrixAddMatrix(S, skPai, ckPai, mLen);
+ LRCT_MatrixSubMatrix(S, S, ckOA, mLen);
+ LRCT_SigGen(c1, t, h, A, H, S, u, mLen, L, iwsLen, PaiInd, bSignMess, sigMsgLen);
+
+ free(u);
+ free(S);
+}
+int LRCT_Verify(poly_ringct20 *c1, poly_ringct20 **t, poly_ringct20 *h, poly_ringct20* A, poly_ringct20 *H, size_t mLen,
+ unsigned char* bSignMess, size_t sigMsgLen, poly_ringct20 *L, size_t iwsLen)
+{
+ int result = 0;
+ result = LRCT_SigVer(c1, t, A, H, mLen, h, L, iwsLen, bSignMess, sigMsgLen);
+ return result;
+}
+/////multiple
+void MIMO_LRCT_Setup(poly_ringct20 *A, poly_ringct20 *H, size_t mLen)
+{
+ uint8_t seed[NEWHOPE_SYMBYTES] = { 0 };
+ size_t i = 0;
+
+ for (i = 0; i < mLen; i++)
+ {
+ OQS_randombytes(seed, NEWHOPE_SYMBYTES);
+ poly_uniform_ringct20(A + i, seed);
+ poly_serial(A + i);
+ OQS_randombytes(seed, NEWHOPE_SYMBYTES);
+ poly_uniform_ringct20(H + i, seed);
+ poly_serial(H + i);
+ }
+}
+void MIMO_LRCT_KeyGen(poly_ringct20 *a, poly_ringct20 *A, poly_ringct20 *S, size_t mLen)
+{
+ LRCT_MatrixMulPoly(a, A, S, mLen);
+ poly_serial(a);
+}
+void MIMO_LRCT_Mint(IW *iw, poly_ringct20 *ck, poly_ringct20 *a, poly_ringct20 *A, size_t mLen, unsigned char* bMessage, size_t msglen)
+{
+ LRCT_SampleKey(ck, mLen);
+ LRCT_nttCom(&(iw->cn), A, ck, mLen, bMessage, msglen);
+ poly_cofcopy(&(iw->a), a);
+}
+void MIMO_LRCT_Hash(int *pTable, poly_ringct20 *cn, poly_ringct20 *a, poly_ringct20 *ia, int beta)
+{
+ SHA256_CTX ctx;
+ unsigned char bHash[32] = { 0 };
+ unsigned char bpoly[NEWHOPE_POLYBYTES] = { 0 };
+ unsigned char bt[576] = { 0 };
+ int i;
+ int tmpTable[NEWHOPE_N] = { 0 };
+ for ( i = 0; i < NEWHOPE_N; i++)
+ {
+ tmpTable[i] = i;
+ }
+ SHA256_Init(&ctx);
+ ////H(L)
+ for (i = 0; i < beta; i++)
+ {
+ poly_tobytes(bpoly, cn + i);
+ SHA256_Update(&ctx, bpoly, NEWHOPE_POLYBYTES);
+ poly_tobytes(bpoly, a + i);
+ SHA256_Update(&ctx, bpoly, NEWHOPE_POLYBYTES);
+ poly_tobytes(bpoly, ia + i);
+ SHA256_Update(&ctx, bpoly, NEWHOPE_POLYBYTES);
+ }///H_1(L||)
+ SHA256_Final(bHash, &ctx);//C_(pai)
+ SHA256_KDF(bHash, 32, 576, bt);
+
+
+}
+////
+
+void ZKP_OR(poly_ringct20 *ck, int bit, int betaLen)
+{}
+//////
+void MIMO_LRCT_SigGen(poly_ringct20 *c1, poly_ringct20 *tList, poly_ringct20 *hList, poly_ringct20 *SList, int NLen,
+ poly_ringct20 *A, poly_ringct20 *H, int mLen, poly_ringct20 *LList, int wLen, uint8_t pai, unsigned char *msg, int msgLen)
+{
+ poly_ringct20 *H2q = (poly_ringct20 *)malloc(NLen*(mLen + 1) * sizeof(poly_ringct20));
+ poly_ringct20 *A2qp = (poly_ringct20 *)malloc((mLen + 1) * sizeof(poly_ringct20));
+ poly_ringct20 *tmp2q = (poly_ringct20 *)malloc((mLen + 1) * sizeof(poly_ringct20));
+ poly_ringct20 *u = (poly_ringct20 *)malloc(NLen*(mLen + 1) * sizeof(poly_ringct20));
+ poly_ringct20 *S2q = (poly_ringct20 *)malloc((mLen + 1) * sizeof(poly_ringct20));
+ /////
+ SHA256_CTX ctx;
+ poly_ringct20 tmp, tmp1, ctmp;
+ poly_ringct20 c, cpai;
+ unsigned char bHash[32] = { 0 };
+ unsigned char bpoly[NEWHOPE_POLYBYTES] = { 0 };
+ unsigned char bt[NEWHOPE_POLYBYTES] = { 0 };
+ uint8_t coin = 0;
+ int i = 0;
+ int k = 0;
+ int j = 0;
+ int index = 0;
+ //init dynamic variables
+ for (i = 0; i < (mLen + 1); i++)
+ {
+ poly_init(A2qp + i);
+ poly_init(S2q + i);
+ poly_init(tmp2q + i);
+ }
+ for ( i = 0; i < NLen*(mLen+1); i++)
+ {
+ poly_init(H2q + i);
+ poly_init(u+i);
+ }
+ /////
+ SHA256_Init(&ctx);
+ ////H(L)
+ for ( i = 0; i < wLen*NLen; i++)
+ {
+ poly_tobytes(bpoly, LList + i);
+ SHA256_Update(&ctx, bpoly, NEWHOPE_POLYBYTES);
+ }///H_1(L||)
+ ///H(L||H2q..)
+ for (i = 0; i < NLen; i++)
+ {
+ LRCT_MatrixMulPoly(hList + i, H, SList + i * mLen, mLen);
+ LRCT_Lift(H2q + i * (mLen + 1), A, hList + i, mLen);
+ for (k = 0; k < mLen + 1; k++)
+ {
+ poly_tobytes(bpoly, H2q + i * (mLen + 1) + k);
+ SHA256_Update(&ctx, bpoly, NEWHOPE_POLYBYTES);
+ }
+ }
+ ////H(L||...||mu)
+ SHA256_Update(&ctx, msg, msgLen);
+ /////u
+ for ( i = 0; i < NLen; i++)
+ {
+ for (k = 0; k < mLen + 1; k++)
+ {
+ OQS_randombytes(bt, NEWHOPE_POLYBYTES);
+ poly_frombytes(u + i * (mLen + 1) + k, bt);
+ poly_serial(u + i * (mLen + 1) + k);
+ }
+ }
+ //////H(L||...||mu||(A2qp*U ,H2q*U)...||)
+ for (i = 0; i < NLen; i++)
+ {
+ LRCT_Lift(A2qp, A, LList + i*wLen + (pai - 1), mLen);
+ LRCT_MatrixMulPoly(&tmp, A2qp, u + i * (mLen + 1), mLen + 1);
+
+ LRCT_MatrixMulPoly(&tmp1, H2q + i * (mLen + 1), u+ i * (mLen + 1), mLen + 1);
+ poly_tobytes(bpoly, &tmp);
+ SHA256_Update(&ctx, bpoly, NEWHOPE_POLYBYTES);
+ poly_tobytes(bpoly, &tmp1);
+ SHA256_Update(&ctx, bpoly, NEWHOPE_POLYBYTES);
+ }
+ SHA256_Final(bHash, &ctx);//C_(pai)
+ SHA256_KDF(bHash, 32, NEWHOPE_POLYBYTES, bt);
+ poly_frombytes(&c, bt);
+ poly_serial(&c);
+ //////////////////////
+ poly_cofcopy(&ctmp, &c);
+ for (i = 0; i < (wLen-1) ; i++)
+ {
+ index = (pai + i ) % (wLen);
+ if (index == 0)
+ {
+ poly_cofcopy(c1, &ctmp);
+ }
+
+ SHA256_Init(&ctx);
+ ////H_1(L||)
+ for (j = 0; j < wLen*NLen; j++)
+ {
+ poly_tobytes(bpoly, LList + j);
+ SHA256_Update(&ctx, bpoly, NEWHOPE_POLYBYTES);
+ }
+ for (j = 0; j < NLen; j++)
+ {
+ for (k = 0; k < mLen + 1; k++)
+ {
+ poly_tobytes(bpoly, H2q + j * (mLen + 1) + k);
+ SHA256_Update(&ctx, bpoly, NEWHOPE_POLYBYTES);
+ }
+ }//H_1(L||H2q)
+ SHA256_Update(&ctx, msg, msgLen);//H(L||...||mu)
+
+ poly_constmul(&tmp1, &ctmp, NEWHOPE_Q);//qC_i
+ for (j = 0; j < NLen; j++)
+ {
+ LRCT_Lift(tmp2q, A, LList + j * wLen + index, mLen);
+ for (k = 0; k < mLen + 1; k++)
+ {
+ OQS_randombytes(bt, NEWHOPE_POLYBYTES);
+ poly_frombytes(tList + j * wLen*(mLen + 1) + index * (mLen + 1) + k, bt);
+ poly_serial(tList + j * wLen*(mLen + 1) + index * (mLen+1)+ k);
+ }
+ LRCT_MatrixMulPoly(&tmp, tmp2q, tList + j * wLen*(mLen + 1) + index * (mLen + 1), mLen + 1);
+
+ poly_add_ringct20(&tmp, &tmp, &tmp1);//(+ qC_i)% Q
+ poly_tobytes(bpoly, &tmp);
+ SHA256_Update(&ctx, bpoly, NEWHOPE_POLYBYTES);//
+ ////////
+ LRCT_MatrixMulPoly(&tmp, H2q + j * (mLen + 1), tList + j * wLen*(mLen + 1) + index * (mLen + 1), mLen + 1);
+ poly_add_ringct20(&tmp, &tmp, &tmp1);//(+ qC_i)% Q
+ poly_tobytes(bpoly, &tmp);
+ SHA256_Update(&ctx, bpoly, NEWHOPE_POLYBYTES);//H2q*U
+ }
+ SHA256_Final(bHash, &ctx);//
+ SHA256_KDF(bHash, 32, NEWHOPE_POLYBYTES, bt);
+ poly_frombytes(&ctmp, bt);
+ poly_serial(&ctmp);//C_{index+1}
+ if (index == (pai - 2))
+ {
+ poly_cofcopy(&cpai, &ctmp);
+ break;
+ }
+ }
+ for ( i = 0; i < NLen; i++)
+ {
+ poly_copy(S2q, SList+i*mLen, mLen);
+ poly_setValue(S2q + mLen, 1);//S_{2q}
+ //////
+ OQS_randombytes(&coin, 1);
+ LRCT_PolyMultMatrix(tmp2q, &cpai, S2q, mLen + 1);//S2qpai *c_pai
+ if (coin & 0x01)//b =1
+ {
+ LRCT_MatrixSubMatrix(tList + i * wLen*(mLen + 1) + (pai-1) * (mLen + 1), u + i * (mLen + 1), tmp2q, mLen + 1);
+ }
+ else {
+ LRCT_MatrixAddMatrix(tList + i * wLen*(mLen + 1) + (pai - 1) * (mLen + 1), u+ i * (mLen + 1), tmp2q, mLen + 1);
+ }
+ }
+ /////
+ //free variables
+ free(A2qp);
+ free(S2q);
+ free(tmp2q);
+ free(H2q );
+ free(u);
+
+
+}
+int MIMO_LRCT_SigVer(poly_ringct20 *c1, poly_ringct20 *tList, poly_ringct20 *hList, int NLen, poly_ringct20 *A, poly_ringct20 *H,
+ size_t mLen, poly_ringct20 *LList, int wLen, unsigned char *msg, int msgLen)
+{
+ size_t i,j, k;
+ poly_ringct20 *H2q = (poly_ringct20 *)malloc(NLen*(mLen + 1) * sizeof(poly_ringct20));
+ poly_ringct20 *A2qp = (poly_ringct20 *)malloc((mLen + 1) * sizeof(poly_ringct20));
+ poly_ringct20 ctmp,tmp, tmp1;
+ SHA256_CTX ctx;
+ unsigned char bHash[32] = { 0 };
+ unsigned char bpoly[NEWHOPE_POLYBYTES] = { 0 };
+ /////////
+ poly_cofcopy(&ctmp, c1);
+ for (i = 0; i < NLen; i++)
+ {
+ LRCT_Lift(H2q + i * (mLen + 1), A, hList + i, mLen);
+ }
+ //////
+ for (i = 0; i < wLen; i++)
+ {
+ SHA256_Init(&ctx);
+ for (k = 0; k < wLen*NLen; k++)
+ {
+ poly_tobytes(bpoly, LList + k);
+ SHA256_Update(&ctx, bpoly, NEWHOPE_POLYBYTES);
+ }///H_1(L||)
+ for (j = 0; j< NLen; j++)
+ {
+ for (k = 0; k < (mLen + 1); k++)
+ {
+ poly_tobytes(bpoly, H2q + j * (mLen + 1) + k);
+ SHA256_Update(&ctx, bpoly, NEWHOPE_POLYBYTES);
+ }
+ }
+ SHA256_Update(&ctx, msg, msgLen);//H(L||...||mu)
+
+ poly_constmul(&tmp1, &ctmp, NEWHOPE_Q);//qC_i
+ for ( j = 0; j < NLen; j++)
+ {
+ LRCT_Lift(A2qp, A, LList + j * wLen + i , mLen);
+ LRCT_MatrixMulPoly(&tmp, A2qp, tList + j * wLen*(mLen + 1) + i * (mLen + 1), mLen + 1);
+ poly_add_ringct20(&tmp, &tmp, &tmp1);//(+ qC_i)% Q
+ poly_tobytes(bpoly, &tmp);
+ SHA256_Update(&ctx, bpoly, NEWHOPE_POLYBYTES);
+
+ LRCT_MatrixMulPoly(&tmp, H2q + j * (mLen + 1), tList + j * wLen*(mLen + 1) + i* (mLen + 1), mLen + 1);
+ poly_add_ringct20(&tmp, &tmp, &tmp1);//(+ qC_i)% Q
+ poly_tobytes(bpoly, &tmp);
+ SHA256_Update(&ctx, bpoly, NEWHOPE_POLYBYTES);//H2q*U
+ }
+ SHA256_Final(bHash, &ctx);//
+ SHA256_KDF(bHash, 32, NEWHOPE_POLYBYTES, bpoly);
+ poly_frombytes(&ctmp, bpoly);
+ poly_serial(&ctmp);//
+ }
+ if (poly_equal(&ctmp, c1) == 1)
+ {
+ return 1;
+ }
+ return 0;
+}
+
+
+
+
+
+void LRCT_Lift(poly_ringct20 *LA, poly_ringct20 *A, poly_ringct20 *a, size_t mLen)
+{
+ size_t i = 0;
+ size_t j = 0;
+ int16_t tmp = 0;
+ for ( i = 0; i < mLen; i++)
+ {
+ for ( j = 0; j < NEWHOPE_N; j++)
+ {
+ LA[i].coeffs[j] = 2 * A[i].coeffs[j];
+ }
+ }
+ for ( j = 0; j < NEWHOPE_N; j++)
+ {
+ LA[mLen].coeffs[j] = coeff_freeze2Q(NEWHOPE_2Q+ NEWHOPE_Q - a->coeffs[j] * 2);
+ }
+}
+
+void LRCT_Com(poly_ringct20 *r, poly_ringct20 *A, poly_ringct20 *sk, size_t mLen, unsigned char *bMessage, size_t msglen)
+{
+ poly_ringct20 tmp;
+ size_t j;
+
+ LRCT_MatrixMulPoly(&tmp, A, sk, mLen);
+ poly_cofcopy(r, &tmp);
+ for (j = 0; j < msglen; j++)
+ {
+
+ r->coeffs[j * 8 + 0] = (tmp.coeffs[j * 8 + 0] + (bMessage[j]&0x01))%NEWHOPE_Q;
+ r->coeffs[j * 8 + 1] = (tmp.coeffs[j * 8 + 1] + ((bMessage[j] & 0x02) >> 1)) % NEWHOPE_Q;
+ r->coeffs[j * 8 + 2] = (tmp.coeffs[j * 8 + 2] + ((bMessage[j] & 0x04) >> 2)) % NEWHOPE_Q;
+ r->coeffs[j * 8 + 3] = (tmp.coeffs[j * 8 + 3] + ((bMessage[j] & 0x08) >> 3)) % NEWHOPE_Q;
+ r->coeffs[j * 8 + 4] = (tmp.coeffs[j * 8 + 4] + ((bMessage[j] & 0x10) >> 4)) % NEWHOPE_Q;
+ r->coeffs[j * 8 + 5] = (tmp.coeffs[j * 8 + 5] + ((bMessage[j] & 0x20) >> 5)) % NEWHOPE_Q;
+ r->coeffs[j * 8 + 6] = (tmp.coeffs[j * 8 + 6] + ((bMessage[j] & 0x40) >> 6)) % NEWHOPE_Q;
+ r->coeffs[j * 8 + 7] = (tmp.coeffs[j * 8 + 7] + ((bMessage[j] & 0x80) >> 7)) % NEWHOPE_Q;
+ }
+
+}
+void LRCT_nttCom(poly_ringct20 *r, poly_ringct20 *A, poly_ringct20 *sk, size_t mLen, unsigned char *bMessage, size_t msglen)
+{
+ poly_ringct20 tmp, pMess;
+ size_t j;
+ poly_init(&pMess);
+ LRCT_MatrixMulPoly(&tmp, A, sk, mLen);
+ //poly_cofcopy(r, &tmp);
+ for (j = 0; j < msglen; j++)
+ {
+
+ pMess.coeffs[j * 8 + 0] = (bMessage[j] & 0x01) % NEWHOPE_Q;
+ pMess.coeffs[j * 8 + 1] = (((bMessage[j] & 0x02) >> 1)) % NEWHOPE_Q;
+ pMess.coeffs[j * 8 + 2] = (((bMessage[j] & 0x04) >> 2)) % NEWHOPE_Q;
+ pMess.coeffs[j * 8 + 3] = ( ((bMessage[j] & 0x08) >> 3)) % NEWHOPE_Q;
+ pMess.coeffs[j * 8 + 4] = ( ((bMessage[j] & 0x10) >> 4)) % NEWHOPE_Q;
+ pMess.coeffs[j * 8 + 5] = ( ((bMessage[j] & 0x20) >> 5)) % NEWHOPE_Q;
+ pMess.coeffs[j * 8 + 6] = (((bMessage[j] & 0x40) >> 6)) % NEWHOPE_Q;
+ pMess.coeffs[j * 8 + 7] = ( ((bMessage[j] & 0x80) >> 7)) % NEWHOPE_Q;
+ }
+ poly_ntt_ringct20(&pMess);
+ poly_add_ringct20(r, &tmp, &pMess);
+}
+
+
+
+//N*M mul M*1
+void LRCT_MatrixMulPoly(poly_ringct20 *r, poly_ringct20 *A, poly_ringct20 *s, size_t mLen)
+{
+ size_t i;
+ poly_ringct20 tmp, tmpA, tmps;
+ poly_init(r);
+ for ( i = 0; i < mLen; i++)
+ {
+ poly_cofcopy(&tmpA, A + i);
+ poly_cofcopy(&tmps, s + i);
+ // poly_ntt_ringct20(&tmpA);
+ //poly_ntt_ringct20(&tmps);
+ poly_mul_pointwise(&tmp, &tmpA, &tmps);
+ poly_add_ringct20(r, r, &tmp);
+ }
+ //poly_invntt(r);
+}
+//M*N mul N*1
+void LRCT_PolyMultMatrix(poly_ringct20 *r, poly_ringct20 *p, poly_ringct20 *A, size_t mLen)
+{
+ size_t i;
+ for ( i = 0; i < mLen; i++)
+ {
+ poly_mul_pointwise(r+i, A+i, p);
+ }
+}
+
+void LRCT_MatrixAddMatrix(poly_ringct20 *R, poly_ringct20 *A, poly_ringct20 *B, size_t mLen)
+{
+ size_t i;
+ for ( i = 0; i < mLen; i++)
+ {
+ poly_add_ringct20(R + i, A + i, B + i);
+ }
+}
+void LRCT_MatrixSubMatrix(poly_ringct20 *R, poly_ringct20 *A, poly_ringct20 *B, size_t mLen)
+{
+ size_t i;
+ for (i = 0; i < mLen; i++)
+ {
+ poly_sub_ringct20(R + i, A + i, B + i);
+ }
+}
+
+void LRCT_ConstMulMatrix(poly_ringct20 *r, const poly_ringct20 *A, uint16_t cof, size_t mLen)
+{
+ size_t i, j;
+ for (i = 0; i < mLen; i++)
+ {
+ for ( j = 0; j < NEWHOPE_N; j++)
+ {
+ r[i].coeffs[j] = cof * A[i].coeffs[j];
+ }
+
+ }
+}
+///
+void LRCT_MatrixShift(poly_ringct20 *desCK, poly_ringct20* rCK, size_t mLen, int iNumber)
+{
+ size_t i;
+ for ( i = 0; i < mLen; i++)
+ {
+ poly_shift(desCK + i, rCK + i, iNumber);
+ }
+}
+
+void LRCT_GetCK0(poly_ringct20 *CK0, poly_ringct20 * CK, size_t mLen, poly_ringct20* CKi, int messBitLen)
+{
+ size_t i;
+ poly_ringct20 *tmp = (poly_ringct20 *)malloc((mLen) * sizeof(poly_ringct20));
+ poly_ringct20 *desCK = (poly_ringct20 *)malloc((mLen) * sizeof(poly_ringct20));
+ for (i = 0; i < (mLen); i++)
+ {
+ poly_init(tmp + i);
+ poly_init(desCK + i);
+ }
+
+ for ( i = 0; i < messBitLen; i++)
+ {
+ LRCT_MatrixShift(desCK, CKi + i * mLen, mLen, i + 1);
+ LRCT_MatrixAddMatrix(tmp, tmp, desCK, mLen);
+ }
+ LRCT_MatrixSubMatrix(CK0, CK, tmp, mLen);
+ free(tmp);
+ free(desCK);
+}
diff --git a/src/ringct20/ring.h b/src/ringct20/ring.h
new file mode 100644
index 0000000..e2c480b
--- /dev/null
+++ b/src/ringct20/ring.h
@@ -0,0 +1,128 @@
+#ifndef RING_H
+#define RING_H
+
+
+#include "params.h"
+#include "poly.h"
+
+/**
+*function: setup
+
+*/
+
+typedef struct {
+ poly_ringct20 a;
+ poly_ringct20 cn;
+} IW;
+
+void LRCT_Setup(poly_ringct20 *A, poly_ringct20 *H, size_t mLen);
+void LRCT_KeyGen(poly_ringct20 *a, poly_ringct20 *A, poly_ringct20 *S, size_t mLen);
+void LRCT_SigGen(poly_ringct20 *c1, poly_ringct20 **t, poly_ringct20 *h, poly_ringct20 *A, poly_ringct20 *H,
+ poly_ringct20 *S, poly_ringct20 *u, size_t mLen, poly_ringct20 *L, uint8_t w,
+ uint8_t pai, unsigned char *msg, int msgLen);
+int LRCT_SigVer(const poly_ringct20 *c1, poly_ringct20 **t, poly_ringct20 *A, poly_ringct20 *H, size_t mLen, poly_ringct20 *h, poly_ringct20 *L,
+ uint8_t w, unsigned char *msg, int msgLen);
+/////Single output trading scheme
+/*
+plan description:
+*/
+void LRCT_Mint(IW *iw, poly_ringct20 *ck, poly_ringct20 *a, poly_ringct20 *A, size_t mLen, unsigned char* bMessage, size_t msglen);
+void LRCT_Spend(IW *iwOA, poly_ringct20 *ckOA, poly_ringct20 *c1, poly_ringct20 **t, poly_ringct20 *h, poly_ringct20 *L, unsigned char* bSignMess, size_t sigMsgLen, IW *iws, size_t iwsLen,
+ int PaiInd, poly_ringct20 *skPai, poly_ringct20 *ckPai, unsigned char* bVal, size_t bvalLen, poly_ringct20 *OA, poly_ringct20 *A, poly_ringct20 *H, size_t mLen);
+int LRCT_Verify(poly_ringct20 *c1, poly_ringct20 **t, poly_ringct20 *h, poly_ringct20* A, poly_ringct20 *H, size_t mLen,
+ unsigned char* bSignMess, size_t sigMsgLen, poly_ringct20 *L, size_t iwsLen);
+
+//
+/*
+MIMO SCheme
+*/
+
+/*
+Function declaration: system initialization, generating public parameters
+Output: public matrix A, H, row number mLen
+*/
+void MIMO_LRCT_Setup(poly_ringct20 *A, poly_ringct20 *H, size_t mLen);
+/*
+Function declaration: key generation.
+Input: matrix A, private key S, matrix row number mLen
+Output: user public key
+*/
+void MIMO_LRCT_KeyGen(poly_ringct20 *a, poly_ringct20 *A, poly_ringct20 *S, size_t mLen);
+/*
+Function declaration: signature generation
+Input: private key list SList, length NLen, public parameters A, H, matrix width mLen, public key list LList, length wLen, trader position pai, signature message msg, message length msgLen
+Output: polynomial c1, t-list tList, h-list hList.
+*/
+void MIMO_LRCT_SigGen(poly_ringct20 *c1, poly_ringct20 *tList, poly_ringct20 *hList, poly_ringct20 *SList, int NLen,
+ poly_ringct20 *A, poly_ringct20 *H, int mLen, poly_ringct20 *LList, int wLen, uint8_t pai, unsigned char *msg, int msgLen);
+/*
+Function declaration: signature verification
+Input: signature (c1, t-list tList, h-list: hList, number of transactions, public parameters A, H, matrix width mLen, public key list LList, list length wLen, signature message, message length)
+*/
+int MIMO_LRCT_SigVer(poly_ringct20 *c1, poly_ringct20 *tList, poly_ringct20 *hList, int NLen, poly_ringct20 *A, poly_ringct20 *H,
+ size_t mLen, poly_ringct20 *LList, int wLen, unsigned char *msg, int msgLen);
+/*
+
+*/
+void MIMO_LRCT_Mint(IW *iw, poly_ringct20 *ck, poly_ringct20 *a, poly_ringct20 *A, size_t mLen, unsigned char* bMessage, size_t msglen);
+///
+void MIMO_LRCT_Hash(int *pTable, poly_ringct20 *cn, poly_ringct20 *a, poly_ringct20 *ia, int beta);
+
+//////
+void ZKP_OR(poly_ringct20 *ck , int bit, int betaLen);
+////////////
+
+void LRCT_Lift(poly_ringct20 *LA, poly_ringct20 *A, poly_ringct20 *a, size_t mLen);
+/*
+Function declaration: promise message m, r = A * sk + m
+Input: public matrix A, private key sk, matrix row number mLen, acknowledge message m, message length bMessage
+Output: Commitment r (polynomial N * 1)
+*/
+void LRCT_Com(poly_ringct20 *r, poly_ringct20 *A, poly_ringct20 *sk, size_t mLen, unsigned char *bMessage, size_t msglen);
+void LRCT_nttCom(poly_ringct20 *r, poly_ringct20 *A, poly_ringct20 *sk, size_t mLen, unsigned char *bMessage, size_t msglen);
+
+/*
+Function declaration: matrix A (N * M) * matrix s (M * 1)
+Input: matrix A, matrix s, matrix rows mLen
+Output: matrix r = A * s (N * 1)
+*/
+void LRCT_MatrixMulPoly(poly_ringct20 *r, poly_ringct20 *A, poly_ringct20 *s, size_t mLen);
+/*
+Function declaration: constant * matrix
+Input: constant cof, matrix A, number of matrix rows (mLen)
+Output: matrix r
+*/
+void LRCT_ConstMulMatrix(poly_ringct20 *r, const poly_ringct20 *A, uint16_t cof, size_t mLen);
+/*
+Function declaration: matrix A (M rows and N columns) * polynomial p (N rows and 1 column)
+Input: polynomial p, matrix A, matrix rows mLen
+Output: polynomial r (M rows and 1 column)
+*/
+void LRCT_PolyMultMatrix(poly_ringct20 *r, poly_ringct20 *p, poly_ringct20 *A, size_t mLen);
+/*
+Function declaration: matrix addition (A + B)
+Input: matrix A, matrix B, matrix size mLen
+Output: Matrix R = (A + B)
+*/
+void LRCT_MatrixAddMatrix(poly_ringct20 *R, poly_ringct20 *A, poly_ringct20 *B, size_t mLen);
+/*
+Function declaration: Matrix subtraction (A-B)
+Input: matrix A, matrix B, matrix size mLen
+Output: Matrix R = (A-B)
+*/
+void LRCT_MatrixSubMatrix(poly_ringct20 *R, poly_ringct20 *A, poly_ringct20 *B, size_t mLen);
+
+///////////////////*
+/*
+Function declaration: key extraction function
+Input: Key length mLen
+Output: polynomial matrix r (n * mLen)
+*/
+/////////////////
+void LRCT_SampleKey(poly_ringct20 *r, size_t mLen);
+
+void LRCT_MatrixShift(poly_ringct20 *desCK, poly_ringct20* rCK, size_t mLen, int iNumber);
+
+void LRCT_GetCK0(poly_ringct20 *CK0, poly_ringct20 * CK, size_t mLen, poly_ringct20* CKi, int messBitLen);
+#endif
+
diff --git a/src/ringct20/ring_test.c b/src/ringct20/ring_test.c
new file mode 100644
index 0000000..30cedf1
--- /dev/null
+++ b/src/ringct20/ring_test.c
@@ -0,0 +1,428 @@
+#include "ring.h"
+#include "rand.h"
+#include "common.h"
+
+#define MSIZE 2
+#define WSIZE 3
+#define NSIZE 3
+
+void LRCT_Byte_Test()
+{
+ poly_ringct20 a, ra;
+ uint8_t seed[NEWHOPE_SYMBYTES] = { 0 };
+ unsigned char bCof[NEWHOPE_POLYBYTES] = { 0 };
+ OQS_randombytes(seed, NEWHOPE_SYMBYTES);
+ poly_uniform_ringct20(&a, seed);
+ printf("begin:\n");
+ poly_print(&a);
+ printf("serial:\n");
+ poly_serial(&a);
+ poly_print(&a);
+ poly_tobytes(bCof, &a);
+ printf("ra:\n");
+ poly_frombytes(&ra, bCof);
+ poly_print(&ra);
+
+
+}
+
+
+void LRCT_Setup_Test()
+{
+ poly_ringct20 A[2], H[2];
+ poly_ringct20 S[2];
+ poly_ringct20 L[2];
+ poly_ringct20 h;
+ poly_ringct20 u[3];
+ poly_ringct20 c1;
+ poly_ringct20* t[2];
+ unsigned char msg[2] = { 0x01, 0x02 };
+ int msgLen = 2;
+ unsigned char bt[NEWHOPE_POLYBYTES] = { 0 };
+ size_t mLen = 2;
+ size_t i = 0;
+ size_t k = 0;
+ int result = 0;
+ int w = 2;
+ int pai = 1;
+
+ t[0] = (poly_ringct20 *)malloc((3) * sizeof(poly_ringct20));
+ t[1] = (poly_ringct20 *)malloc((3) * sizeof(poly_ringct20));
+
+ for (i = 0; i < 2; i++)
+ {
+ for (k = 0; k < 3; k++)
+ {
+ poly_init(t[i] + k);
+ }
+
+ }
+ LRCT_Setup(A, H, 2);
+ LRCT_SampleKey(S, 2);
+ LRCT_KeyGen(L, A, S, 2);
+ LRCT_SampleKey(S, 2);
+ LRCT_KeyGen(L+1, A, S, 2);
+
+ for (k = 0; k < 3; k++)
+ {
+ OQS_randombytes(bt, NEWHOPE_POLYBYTES);
+ poly_frombytes(u + k, bt);
+ poly_serial(u + k);
+ ///poly_print(u+k);
+ }
+ //printf("====================================\n");
+ LRCT_SigGen(&c1, t, &h, A, H,S, u, mLen, L, w,pai, msg, msgLen);
+ // printf("c1\n");
+ // poly_print(&c1);
+ //printf("=================\n");
+ result = LRCT_SigVer(&c1, t, A, H, mLen, &h, L,w, msg, msgLen);
+ if (result ==1)
+ {
+ printf("Successful!\n");
+ }
+ else
+ {
+ printf("fail\n");
+ }
+ free(t[0]);
+ free(t[1]);
+
+}
+
+void MIMO_LRCT_Setup_Test()
+{
+ poly_ringct20 A[MSIZE], H[MSIZE];
+ poly_ringct20 SList[MSIZE*NSIZE];
+ poly_ringct20 S[MSIZE];
+ poly_ringct20 LList[NSIZE*WSIZE];
+ poly_ringct20 hList[NSIZE];
+ poly_ringct20 c1;
+ poly_ringct20 tList[NSIZE*WSIZE*(MSIZE+1)];
+ int i, j, k;
+ int pai = 2;
+ unsigned char msg[2] = { 0x01, 0x02 };
+ int msgLen = 2;
+ int result = 0;
+ MIMO_LRCT_Setup(A, H, MSIZE);
+ for ( i = 0; i < NSIZE; i++)
+ {
+ LRCT_SampleKey(SList + i*MSIZE, MSIZE);
+ MIMO_LRCT_KeyGen(LList + i*WSIZE + (pai-1) , A, SList + i * MSIZE, MSIZE);
+ }
+ for ( i = 0; i < WSIZE; i++)
+ {
+ if (i != pai-1)
+ {
+ for (j = 0; j < NSIZE; j++)
+ {
+ LRCT_SampleKey(S, MSIZE);
+ MIMO_LRCT_KeyGen(LList + j* WSIZE + i, A, S, MSIZE);
+ }
+ }
+
+ }
+ MIMO_LRCT_SigGen(&c1, tList, hList, SList, NSIZE, A, H, MSIZE, LList, WSIZE, pai, msg, msgLen);
+ result = MIMO_LRCT_SigVer(&c1, tList, hList, NSIZE, A, H, MSIZE, LList, WSIZE, msg, msgLen);
+ if (result == 1)
+ {
+ printf("Successful!\n");
+ }
+ else
+ {
+ printf("fail\n");
+ }
+
+}
+///spent coins
+void LRCT_Spent_Test()
+{
+ poly_ringct20 A[MSIZE], H[MSIZE];
+ poly_ringct20 skPai[MSIZE], pkPai;
+ poly_ringct20 ckPai[MSIZE];
+ poly_ringct20* t[WSIZE];
+ unsigned char bMessage[4] = { 0x01, 0x02, 0x03, 0x4 };
+ size_t msglen = 4;
+ IW iw;
+ //////////////////
+ poly_ringct20 skOA[MSIZE];
+ poly_ringct20 pkOA;
+ IW iwOA;
+ poly_ringct20 ckOA[MSIZE];
+ ////////////////////
+ IW iwList[WSIZE];
+ poly_ringct20 skTmp[MSIZE];
+ poly_ringct20 pkList[WSIZE];
+ poly_ringct20 ckList[WSIZE][MSIZE];
+ unsigned char bListMessage[2] = { 0x01, 0x02};
+ size_t msgListlen = 2;
+ int i = 0;
+ ///////////////////
+ poly_ringct20 L[WSIZE];
+ int paiIndex = 1;
+ poly_ringct20 c1, h;
+ unsigned char bSignMessage[3] = { 0x01, 0x02, 0x03 };
+ size_t msgSignlen = 3;
+ int result =0;
+ size_t k = 0;
+ /////////////////
+ for ( i = 0; i < WSIZE; i++)
+ {
+ t[i] = (poly_ringct20 *)malloc((MSIZE+1) * sizeof(poly_ringct20));
+ for (k = 0; k < MSIZE+1; k++)
+ {
+ poly_init(t[i] + k);
+ }
+ }
+ ///////////////////
+ LRCT_Setup(A, H, MSIZE);
+ LRCT_SampleKey(skPai, MSIZE);
+ LRCT_KeyGen(&pkPai, A, skPai, MSIZE);//A*S+0
+ LRCT_Mint(&iw, ckPai, &pkPai, A, MSIZE, bMessage, msglen);//A*ck + $
+ ///
+ LRCT_SampleKey(skOA, MSIZE);
+ LRCT_KeyGen(&pkOA, A, skOA, MSIZE);//
+ //LRCT_Mint(&iwOA, ckOA, &pkOA, A, MSIZE, bMessage, msglen);
+ //////
+ for( i = 0; i < WSIZE; i++)
+ {
+ if (i == paiIndex)
+ {
+ poly_cofcopy(&iwList[i].a, &iw.a);
+ poly_cofcopy(&iwList[i].cn, &iw.cn);
+ }
+ else
+ {
+ LRCT_SampleKey(skTmp, MSIZE);
+ LRCT_KeyGen(pkList + i, A, skTmp, MSIZE);//A*S+0
+ LRCT_Mint(iwList + i, ckList[i], pkList + i, A, MSIZE, bListMessage, msgListlen);
+ }
+
+ }
+ LRCT_Spend(&iwOA, ckOA, &c1, t, &h, L, bSignMessage, msgSignlen, iwList, WSIZE, paiIndex, skPai, ckPai, bMessage, msglen, &pkOA, A, H, MSIZE);
+ result = LRCT_Verify(&c1, t, &h, A, H, MSIZE, bSignMessage, msgSignlen, L, WSIZE);
+ if (result == 1)
+ {
+ printf("Successful!\n");
+ }
+ else
+ {
+ printf("fail\n");
+ }
+ for (i = 0; i < WSIZE; i++)
+ {
+ free(t[i]);
+ }
+}
+
+
+void LRCT_Mul_Test()
+{
+ poly_ringct20 A[2], H[2], H2[2];
+ poly_ringct20 h,h1,r;
+ poly_ringct20 S[2];
+ LRCT_Setup(A, H, 2);
+ LRCT_SampleKey(S, 2);
+
+ LRCT_MatrixMulPoly(&h, H, S, 2);
+
+
+ for (size_t i = 0; i < NEWHOPE_N; i++)
+ {
+ h.coeffs[i] = coeff_freeze2Q(NEWHOPE_2Q + NEWHOPE_Q - h.coeffs[i] * 2);
+ }
+ LRCT_ConstMulMatrix(H2, H, 2, 2);
+ LRCT_MatrixMulPoly(&h1, H2, S, 2);
+ poly_add_ringct20(&r, &h1, &h);
+ poly_print(&r);
+
+
+}
+void LRCT_MatrixMulVect_Test()
+{
+ poly_ringct20 A[2], H[2];
+ LRCT_Setup(A, H, 2);
+ uint8_t bt[2] = { 0 };
+ bt[0] = 1;
+ bt[1] = 2;
+
+
+}
+void LRCT_Lift_Test()
+{
+ poly_ringct20 A[2], H[2], LA[3], H2[3];
+ poly_ringct20 h;
+ poly_ringct20 S[2];
+ LRCT_SampleKey(S, 2);
+ LRCT_Setup(A, H, 2);
+ LRCT_MatrixMulPoly(&h, H, S, 2);
+ LRCT_Lift(LA, H, &h, 2);
+ ////////////////////////////////////
+ LRCT_ConstMulMatrix(H2, H, 2, 2);
+ for (size_t i = 0; i < NEWHOPE_N; i++)
+ {
+ H2[2].coeffs[i] = coeff_freeze2Q(NEWHOPE_2Q + NEWHOPE_Q - h.coeffs[i] * 2);
+ }
+ for (size_t i = 0; i < 3; i++)
+ {
+ if (poly_equal(LA + i, H2 + i) != 1)
+ {
+ printf("Lift error_%d!\n", i);
+ }
+ }
+}
+void LRCT_KDF_Test()
+{
+
+}
+
+void LRCT_Com_Test()
+{
+ IW iw;
+ poly_ringct20 ck[2];
+ size_t mLen = 2;
+ poly_ringct20 A[2], H[2], sk[2];
+ unsigned char bMessage[4] = { 0x01, 0x02, 0x03, 0x4 };
+ size_t msglen = 4;
+ poly_ringct20 a;
+ LRCT_Setup(A, H, mLen);
+ LRCT_SampleKey(sk, mLen);
+ LRCT_KeyGen(&a, A, sk, mLen);
+ printf("public key:");
+ poly_print(&a);
+ LRCT_Mint(&iw, ck, &a, A, mLen, bMessage, msglen);
+ printf("a:\n");
+ poly_print(&(iw.a));
+ printf("cn:\n");
+ poly_print(&(iw.cn));
+}
+//ntt_ringct20 transformation test
+void LRCT_Fun_Test()
+{
+ uint8_t seed[NEWHOPE_SYMBYTES] = { 0 };
+ poly_ringct20 a;
+ OQS_randombytes(seed, NEWHOPE_SYMBYTES);
+ poly_uniform_ringct20(&a, seed);
+ poly_serial(&a);
+ ////////////
+ printf("begin:\n");
+ poly_print(&a);
+ //////
+ poly_ntt_ringct20(&a);
+ printf("after:\n");
+ poly_print(&a);
+ ////
+ poly_invntt(&a);
+ printf("recover:\n");
+ poly_print(&a);
+
+}
+//Shift test
+void LRCT_Shift_Test()
+{
+ poly_ringct20 r, a;
+ poly_init(&r);
+ poly_init(&a);
+ r.coeffs[NEWHOPE_N - 1] = 1;
+ r.coeffs[0] = 1;
+
+ poly_ntt_ringct20(&r);
+ poly_shift(&a, &r, 1);
+ poly_invntt(&a);
+
+ poly_serial(&a);
+ poly_print(&a);
+}
+void LRCT_ComHom_Test()
+{
+ unsigned char message[2] = { 0xF0, 0x0F };
+ int messLen = 2;
+ int messBitLen = messLen*8;
+ int i = 0;
+ unsigned char bitTmp = 0;
+ poly_ringct20 *CKi = (poly_ringct20 *)malloc((MSIZE*(messBitLen)) * sizeof(poly_ringct20));
+ poly_ringct20 *comList = (poly_ringct20 *)malloc(((messBitLen)) * sizeof(poly_ringct20));
+ poly_ringct20 A[MSIZE], H[MSIZE], sk[MSIZE], ck0[MSIZE], tmpM[MSIZE];
+ poly_ringct20 a, r, tmp;
+
+ poly_init(&a);
+ poly_init(&tmp);
+ poly_init(&r);
+ for ( i = 0; i < MSIZE; i++)
+ {
+ poly_init(ck0 + i);
+ }
+ LRCT_Setup(A, H, MSIZE);
+ LRCT_SampleKey(sk, MSIZE);
+ //left
+ LRCT_nttCom(&r, A, sk, MSIZE, message, messLen);
+ //right
+ for (i = 1; i < messBitLen; i++)
+ {
+ LRCT_SampleKey(CKi + i*MSIZE, MSIZE);
+ }
+
+ LRCT_GetCK0(CKi, sk, MSIZE, CKi+MSIZE, messBitLen-1);
+
+ for ( i = 0; i < messBitLen; i++)
+ {
+ LRCT_MatrixShift(tmpM, CKi+i*MSIZE, MSIZE, i);
+ LRCT_MatrixAddMatrix(ck0, ck0, tmpM, MSIZE);
+ }
+ for ( i = 0; i < MSIZE; i++)
+ {
+ if (poly_equal(ck0 + i, sk + i) != 1)
+ {
+ printf("error\n");
+ break;
+ }
+ }
+
+ for ( i = 0; i < messLen; i++)
+ {
+ bitTmp = (message[i] & 0x01);
+ LRCT_nttCom(comList + i * 8, A, CKi + (i * 8) * MSIZE, MSIZE, &bitTmp, 1);
+ //////////////////////////////
+ bitTmp = (message[i] & 0x02)>>1;
+ LRCT_nttCom(comList + i * 8 + 1, A, CKi + (i * 8 + 1) * MSIZE, MSIZE, &bitTmp, 1);
+ ////////////
+ bitTmp = (message[i] & 0x04)>>2;
+ LRCT_nttCom(comList + i * 8 + 2, A, CKi + (i * 8 + 2) * MSIZE, MSIZE, &bitTmp, 1);
+ ////////////
+ bitTmp = (message[i] & 0x08)>>3;
+ LRCT_nttCom(comList + i * 8 + 3, A, CKi + (i * 8 + 3) * MSIZE, MSIZE, &bitTmp, 1);
+
+ ////////////
+ bitTmp = (message[i] & 0x10)>>4;
+ LRCT_nttCom(comList + i * 8 + 4, A, CKi + (i * 8 + 4) * MSIZE, MSIZE, &bitTmp, 1);
+
+ ////////////
+ bitTmp = (message[i] & 0x20)>>5;
+ LRCT_nttCom(comList + i * 8 + 5, A, CKi + (i * 8 + 5) * MSIZE, MSIZE, &bitTmp, 1);
+
+ ////////////
+ bitTmp = (message[i] & 0x40)>>6;
+ LRCT_nttCom(comList + i * 8 + 6, A, CKi + (i * 8 + 6) * MSIZE, MSIZE, &bitTmp, 1);
+
+ ////////////
+ bitTmp = (message[i] & 0x80)>>7;
+ LRCT_nttCom(comList + i * 8 + 7, A, CKi + (i * 8 + 7) * MSIZE, MSIZE, &bitTmp, 1);
+ }
+ //poly_cofcopy(&a, comList);
+ for ( i = 0; i < messBitLen; i++)
+ {
+ poly_shift(&tmp, comList + i, i);
+ poly_add_ringct20(&a, &a, &tmp);
+ }
+ printf("a:\n");
+ poly_print(&a);
+ printf("r:\n");
+ poly_print(&r);
+ if (poly_equal(&a, &r) == 1)
+ {
+ printf("successfull\n");
+ }
+ else
+ printf("\nfail\n");
+ free(CKi);
+ free(comList);
+}
diff --git a/src/ringct20/ring_test.h b/src/ringct20/ring_test.h
new file mode 100644
index 0000000..263ac05
--- /dev/null
+++ b/src/ringct20/ring_test.h
@@ -0,0 +1,30 @@
+#ifndef RING_TEST_H
+#define RING_TEST_H
+
+#include "ring.h"
+
+
+/**/
+void LRCT_Byte_Test();
+/***function: setup test*/
+void LRCT_Setup_Test();
+void LRCT_Spent_Test();
+void MIMO_LRCT_Setup_Test();
+/***/
+void LRCT_Com_Test();
+//
+void LRCT_Mul_Test();
+void LRCT_MatrixMulVect_Test();
+//
+void LRCT_Lift_Test();
+//
+void LRCT_KDF_Test();
+//
+void LRCT_Fun_Test();
+void LRCT_Shift_Test();
+void LRCT_ComHom_Test();
+
+
+
+#endif
+#pragma once
diff --git a/src/ringct20/ringct20_params.h b/src/ringct20/ringct20_params.h
new file mode 100644
index 0000000..4adad49
--- /dev/null
+++ b/src/ringct20/ringct20_params.h
@@ -0,0 +1,111 @@
+#ifndef __RINGCT20_PARAMS__
+#define __RINGCT20_PARAMS__
+
+#include <assert.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <stdio.h>
+#include "dap_crypto_common.h"
+#include "poly.h"
+#include "ring.h"
+
+
+/*
+#define SEEDBYTES 32U
+#define CRHBYTES 48U
+
+//#ifdef N
+//#error N defined
+//#endif
+
+#define NN 256U
+
+#define Q 8380417U
+#define QBITS 23U
+#define ROOT_OF_UNITY 1753U
+#define D 14U
+#define GAMMA1 ((Q - 1U)/16U)
+#define GAMMA2 (GAMMA1/2U)
+#define ALPHA (2U*GAMMA2)
+
+*/
+
+
+
+///========================================================================
+/* Names for the four varieties of Ring CT2.0 */
+typedef enum { MODERINGCT20_0, MODERINGCT20_1, MODERINGCT20_2, MODERINGCT20_3 } ringct20_kind_t;
+
+typedef struct {
+ ringct20_kind_t kind; // the kind of Dilithium (i.e. *this* choice of parameters)
+ uint32_t M;
+ uint32_t mLen;
+ uint32_t wLen;//number of public key
+ uint32_t Pi;//number of our key//known prk
+ poly_ringct20 *A;//fixed PubParams
+ poly_ringct20 *H;//fixed PubParams
+
+ uint32_t POLY_RINGCT20_SIZE_PACKED;
+ uint32_t POLY_RINGCT20_SIZE;
+ uint32_t RINGCT20_PBK_SIZE;
+ uint32_t RINGCT20_PRK_SIZE;
+ uint32_t RINGCT20_SIG_SIZE;
+
+/* uint32_t PARAM_K;
+ uint32_t PARAM_L;
+ uint32_t PARAM_ETA;
+ uint32_t PARAM_SETABITS;
+ uint32_t PARAM_BETA;
+ uint32_t PARAM_OMEGA;
+
+ uint32_t PARAM_POL_SIZE_PACKED;
+ uint32_t PARAM_POLT1_SIZE_PACKED;
+ uint32_t PARAM_POLT0_SIZE_PACKED;
+ uint32_t PARAM_POLETA_SIZE_PACKED;
+ uint32_t PARAM_POLZ_SIZE_PACKED;
+ uint32_t PARAM_POLW1_SIZE_PACKED;
+ uint32_t PARAM_POLVECK_SIZE_PACKED;
+ uint32_t PARAM_POLVECL_SIZE_PACKED;
+
+ uint32_t CRYPTO_BYTES;
+*/
+} ringct20_param_t;
+
+///==========================================================================================
+typedef struct {
+ ringct20_kind_t kind; /* the kind of ringct20 */
+ unsigned char *data;
+} ringct20_private_key_t;
+
+typedef struct {
+ ringct20_kind_t kind; /* the kind of ringct20 */
+ unsigned char *data;
+} ringct20_public_key_t;
+
+typedef struct {
+ ringct20_kind_t kind; /* the kind of ringct20 */
+ unsigned char *sig_data;
+ unsigned long long sig_len;
+} ringct20_signature_t;
+
+
+///==========================================================================================
+bool ringct20_params_init(ringct20_param_t *, ringct20_kind_t );
+
+int ringct20_crypto_sign_keypair(ringct20_public_key_t *, ringct20_private_key_t *, ringct20_kind_t );
+
+int ringct20_crypto_sign(ringct20_signature_t *, const unsigned char *, unsigned long long, const ringct20_private_key_t *);
+
+int ringct20_crypto_sign_open(const unsigned char *, const unsigned long long,const ringct20_signature_t *, const ringct20_public_key_t *);
+
+void ringct20_private_key_delete(ringct20_private_key_t *private_key);
+void ringct20_public_key_delete(ringct20_public_key_t *public_key);
+void ringct20_private_and_public_keys_delete(ringct20_private_key_t *private_key, ringct20_public_key_t *public_key);
+
+void ringct20_signature_delete(ringct20_signature_t *sig);
+
+///==========================================================================================
+
+#endif
+
+
diff --git a/src/ringct20/sha256.c b/src/ringct20/sha256.c
new file mode 100644
index 0000000..75e8874
--- /dev/null
+++ b/src/ringct20/sha256.c
@@ -0,0 +1,220 @@
+#include "sha256.h"
+
+#ifdef USE_SHA256
+
+static void uint32_to_uint8(uint8 *output, const uint32 *input, const size_t len)
+{
+ for(size_t i = 0, j = 0; j < len; i++, j += 4)
+ for (int k = 0; k < 4; k++)
+ output[j + k] = (uint8)(input[i] >> (24 - 8 * k) & 0xFF);
+}
+
+static void uint8_to_uint32(uint32 *output, const uint8 *input, const size_t len)
+{
+ for(size_t i = 0, j = 0; j < len; i++, j += 4)
+ {
+ output[i] = 0;
+ for (int k = 0; k < 4; k++)
+ output[i] |= ((uint64)input[j + k]) << (24 - 8 * k);
+ }
+}
+
+#define CH(x, y, z) (((x) & (y)) ^ (~(x) & (z)))
+#define MAJ(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
+#define F0(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
+#define F1(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
+#define G0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
+#define G1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
+
+static const uint32 K[64] = {
+ 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
+ 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
+ 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
+ 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
+ 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
+ 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
+ 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
+ 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
+};
+
+static void SHA256_compress(SHA256_CTX *ctx)
+{
+ uint32 W[64], M[16], a, b, c, d, e, f, g, h, T1, T2;
+ //printf("==============================================================\nBlock Contents:\n");
+
+ a = ctx->state[0];
+ b = ctx->state[1];
+ c = ctx->state[2];
+ d = ctx->state[3];
+ e = ctx->state[4];
+ f = ctx->state[5];
+ g = ctx->state[6];
+ h = ctx->state[7];
+ uint8_to_uint32(M, ctx->buf, 64);
+
+ for (int i = 0; i < 64; i++)
+ {
+ if (i < 16)
+ {
+ W[i] = M[i];
+ //printf("M[%d] = %08X\n", i, W[i]);
+ }
+ else
+ W[i] = G1(W[i-2]) + W[i-7] + G0(W[i-15]) + W[i-16];
+ T1 = h + F1(e) + CH(e, f, g) + K[i] + W[i];
+ T2 = F0(a) + MAJ(a, b, c);
+ h = g;
+ g = f;
+ f = e;
+ e = d + T1;
+ d = c;
+ c = b;
+ b = a;
+ a = T1 + T2;
+ }
+
+ ctx->state[0] += a;
+ ctx->state[1] += b;
+ ctx->state[2] += c;
+ ctx->state[3] += d;
+ ctx->state[4] += e;
+ ctx->state[5] += f;
+ ctx->state[6] += g;
+ ctx->state[7] += h;
+ ctx->curlen = 0;
+
+ return ;
+}
+
+int SHA256_Init(SHA256_CTX *ctx)
+{
+ ctx->state[0] = 0x6a09e667;
+ ctx->state[1] = 0xbb67ae85;
+ ctx->state[2] = 0x3c6ef372;
+ ctx->state[3] = 0xa54ff53a;
+ ctx->state[4] = 0x510e527f;
+ ctx->state[5] = 0x9b05688c;
+ ctx->state[6] = 0x1f83d9ab;
+ ctx->state[7] = 0x5be0cd19;
+ ctx->length[0] = 0;
+ ctx->length[1] = 0;
+ ctx->curlen = 0;
+ memset(ctx->buf, 0, 64);
+ /*
+ printf("==============================================================\nInitial hash value:\n");
+ for (int i = 0; i < 8; i++)
+ printf("H[%d] = %08X\n", i, ctx->state[i]);
+ */
+ return 1;
+}
+
+int SHA256_Update(SHA256_CTX *ctx, const unsigned char *data, size_t len)
+{
+ size_t n;
+ ctx->length[0] += len >> 29;
+ ctx->length[1] += len << 3;
+ if (ctx->length[1] < (len << 3))
+ ctx->length[0]++;
+
+ while (len > 0)
+ {
+ n = MIN(len, (64 - ctx->curlen));
+ memcpy(ctx->buf + ctx->curlen, data, n);
+ ctx->curlen += n;
+ data += n;
+ len -= n;
+
+ if (ctx->curlen == 64)
+ SHA256_compress(ctx);
+ }
+ return 1;
+}
+
+int SHA256_Final(unsigned char *md, SHA256_CTX *ctx)
+{
+ uint8 length[8];
+ const uint8 PAD[64] = { 0x80 };
+
+ uint32_to_uint8(length, ctx->length, 8);
+ memcpy(ctx->buf + ctx->curlen, PAD, 64 - ctx->curlen);
+ if (ctx->curlen >= 56)
+ {
+ SHA256_compress(ctx);
+ memset(ctx->buf, 0, 56);
+ }
+ memcpy(ctx->buf + 56, length, 8);
+ SHA256_compress(ctx);
+ uint32_to_uint8(md, ctx->state, SHA256_DIGEST_SIZE);
+
+ return 1;
+}
+
+unsigned char *SHA256(unsigned char *md, const unsigned char *data, size_t len)
+{
+ SHA256_CTX ctx;
+ if (!SHA256_Init(&ctx))
+ return NULL;
+ if (!SHA256_Update(&ctx, data, len))
+ return NULL;
+ if (!SHA256_Final(md, &ctx))
+ return NULL;
+ return md;
+}
+
+void SHA256_KDF(unsigned char *Z, unsigned short zlen, unsigned short klen, unsigned char *K)
+{
+ unsigned short i, j, t;
+ unsigned int bitklen;
+ SHA256_CTX md;
+ unsigned char Ha[SHA256_len / 8];
+ unsigned char ct[4] = { 0,0,0,1 };
+ bitklen = klen * 8;
+ //set number of output blocks
+ if (bitklen%SHA256_len)
+ t = bitklen / SHA256_len + 1;
+ else
+ t = bitklen / SHA256_len;
+ //s4: K=Ha1||Ha2||...
+ for (i = 1; i<t; i++)
+ {
+ //s2: Hai=Hv(Z||ct)
+ SHA256_Init(&md);
+ SHA256_Update(&md, Z, zlen);
+ SHA256_Update(&md, ct, 4);
+ SHA256_Final(Ha, &md);
+ memcpy((K + (SHA256_len / 8)*(i - 1)), Ha, SHA256_len / 8);
+ if (ct[3] == 0xff)
+ {
+ ct[3] = 0;
+ if (ct[2] == 0xff)
+ {
+ ct[2] = 0;
+ if (ct[1] == 0xff)
+ {
+ ct[1] = 0;
+ ct[0]++;
+ }
+ else ct[1]++;
+ }
+ else ct[2]++;
+ }
+ else ct[3]++;
+ }
+ //s3: klen/v proccessing part block?
+ SHA256_Init(&md);
+ SHA256_Update(&md, Z, zlen);
+ SHA256_Update(&md, ct, 4);
+ SHA256_Final(Ha, &md);
+ if (bitklen%SHA256_len)
+ {
+ i = (SHA256_len - bitklen + SHA256_len * (bitklen / SHA256_len)) / 8;
+ j = (bitklen - SHA256_len * (bitklen / SHA256_len)) / 8;
+ memcpy((K + (SHA256_len / 8)*(t - 1)), Ha, j);
+ }
+ else
+ {
+ memcpy((K + (SHA256_len / 8)*(t - 1)), Ha, SHA256_len / 8);
+ }
+}
+
+#endif/* USE_SHA256 */
diff --git a/src/ringct20/sha256.h b/src/ringct20/sha256.h
new file mode 100644
index 0000000..80967da
--- /dev/null
+++ b/src/ringct20/sha256.h
@@ -0,0 +1,31 @@
+#ifndef _DIGEST_H
+#define _DIGEST_H
+
+#include "cryptoConfig.h"
+
+
+/******************************************************************************/
+
+#ifdef USE_SHA256
+
+#define SHA256_DIGEST_SIZE 32
+#define SHA256_len 256
+typedef struct SHA256_state_st
+{
+ uint32 length[2];
+ uint32 state[8];
+ size_t curlen;
+ unsigned char buf[64];
+} SHA256_CTX;
+
+int SHA256_Init(SHA256_CTX *ctx);
+int SHA256_Update(SHA256_CTX *ctx, const unsigned char *data, size_t len);
+int SHA256_Final(unsigned char *md, SHA256_CTX *ctx);
+unsigned char *SHA256(unsigned char *md, const unsigned char *data, size_t len);
+
+void SHA256_KDF(unsigned char *Z, unsigned short zlen, unsigned short klen, unsigned char *K);
+
+#endif/* USE_SHA256 */
+/******************************************************************************/
+
+#endif/* _DIGEST_H */
\ No newline at end of file
diff --git a/src/ringct20/sha3.c b/src/ringct20/sha3.c
new file mode 100644
index 0000000..9529497
--- /dev/null
+++ b/src/ringct20/sha3.c
@@ -0,0 +1,2452 @@
+/********************************************************************************************
+* SHA3-derived functions: SHA3-256, SHA3-512, SHAKE, and cSHAKE
+*
+* Based on the public domain implementation in crypto_hash/keccakc512/simple/
+* from http://bench.cr.yp.to/supercop.html by Ronny Van Keer
+* and the public domain "TweetFips202" implementation from https://twitter.com/tweetfips202
+* by Gilles Van Assche, Daniel J. Bernstein, and Peter Schwabe
+*
+* See NIST Special Publication 800-185 for more information:
+* http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-185.pdf
+*
+* Updated by John Underhill, December 24, 2017
+*********************************************************************************************/
+
+#include "sha3.h"
+
+#define SHA3_CSHAKE_DOMAIN 0x04
+#define SHA3_CSHAKE128_RATE 168
+#define SHA3_CSHAKE256_RATE 136
+#define SHA3_SHA3_DOMAIN 0x06
+#define SHA3_SHA3_256_RATE 136
+#define SHA3_SHA3_512_RATE 72
+#define SHA3_SHAKE_DOMAIN 0x1F
+#define SHA3_SHAKE128_RATE 168
+#define SHA3_SHAKE256_RATE 136
+#define SHA3_STATESIZE 25
+
+/* Internal */
+
+static uint64_t load64(const uint8_t *a) {
+ uint64_t r = 0;
+ size_t i;
+
+ for (i = 0; i < 8; ++i) {
+ r |= (uint64_t) a[i] << 8 * i;
+ }
+
+ return r;
+}
+
+static uint64_t rotl64(const uint64_t x, uint32_t shift) {
+ return (x << shift) | (x >> (64 - shift));
+}
+
+static void store64(uint8_t *a, uint64_t x) {
+ size_t i;
+
+ for (i = 0; i < 8; ++i) {
+ a[i] = x & 0xFF;
+ x >>= 8;
+ }
+}
+
+/* SHA3 */
+
+void OQS_SHA3_keccak_permute(uint64_t *state) {
+ uint64_t Aba = state[0];
+ uint64_t Abe = state[1];
+ uint64_t Abi = state[2];
+ uint64_t Abo = state[3];
+ uint64_t Abu = state[4];
+ uint64_t Aga = state[5];
+ uint64_t Age = state[6];
+ uint64_t Agi = state[7];
+ uint64_t Ago = state[8];
+ uint64_t Agu = state[9];
+ uint64_t Aka = state[10];
+ uint64_t Ake = state[11];
+ uint64_t Aki = state[12];
+ uint64_t Ako = state[13];
+ uint64_t Aku = state[14];
+ uint64_t Ama = state[15];
+ uint64_t Ame = state[16];
+ uint64_t Ami = state[17];
+ uint64_t Amo = state[18];
+ uint64_t Amu = state[19];
+ uint64_t Asa = state[20];
+ uint64_t Ase = state[21];
+ uint64_t Asi = state[22];
+ uint64_t Aso = state[23];
+ uint64_t Asu = state[24];
+
+ /* round 1 */
+ uint64_t Ca = Aba ^ Aga ^ Aka ^ Ama ^ Asa;
+ uint64_t Ce = Abe ^ Age ^ Ake ^ Ame ^ Ase;
+ uint64_t Ci = Abi ^ Agi ^ Aki ^ Ami ^ Asi;
+ uint64_t Co = Abo ^ Ago ^ Ako ^ Amo ^ Aso;
+ uint64_t Cu = Abu ^ Agu ^ Aku ^ Amu ^ Asu;
+ uint64_t Da = Cu ^ rotl64(Ce, 1);
+ uint64_t De = Ca ^ rotl64(Ci, 1);
+ uint64_t Di = Ce ^ rotl64(Co, 1);
+ uint64_t Do = Ci ^ rotl64(Cu, 1);
+ uint64_t Du = Co ^ rotl64(Ca, 1);
+ Aba ^= Da;
+ Ca = Aba;
+ Age ^= De;
+ Ce = rotl64(Age, 44);
+ Aki ^= Di;
+ Ci = rotl64(Aki, 43);
+ Amo ^= Do;
+ Co = rotl64(Amo, 21);
+ Asu ^= Du;
+ Cu = rotl64(Asu, 14);
+ uint64_t Eba = Ca ^ ((~Ce) & Ci);
+ Eba ^= 0x0000000000000001ULL;
+ uint64_t Ebe = Ce ^ ((~Ci) & Co);
+ uint64_t Ebi = Ci ^ ((~Co) & Cu);
+ uint64_t Ebo = Co ^ ((~Cu) & Ca);
+ uint64_t Ebu = Cu ^ ((~Ca) & Ce);
+ Abo ^= Do;
+ Ca = rotl64(Abo, 28);
+ Agu ^= Du;
+ Ce = rotl64(Agu, 20);
+ Aka ^= Da;
+ Ci = rotl64(Aka, 3);
+ Ame ^= De;
+ Co = rotl64(Ame, 45);
+ Asi ^= Di;
+ Cu = rotl64(Asi, 61);
+ uint64_t Ega = Ca ^ ((~Ce) & Ci);
+ uint64_t Ege = Ce ^ ((~Ci) & Co);
+ uint64_t Egi = Ci ^ ((~Co) & Cu);
+ uint64_t Ego = Co ^ ((~Cu) & Ca);
+ uint64_t Egu = Cu ^ ((~Ca) & Ce);
+ Abe ^= De;
+ Ca = rotl64(Abe, 1);
+ Agi ^= Di;
+ Ce = rotl64(Agi, 6);
+ Ako ^= Do;
+ Ci = rotl64(Ako, 25);
+ Amu ^= Du;
+ Co = rotl64(Amu, 8);
+ Asa ^= Da;
+ Cu = rotl64(Asa, 18);
+ uint64_t Eka = Ca ^ ((~Ce) & Ci);
+ uint64_t Eke = Ce ^ ((~Ci) & Co);
+ uint64_t Eki = Ci ^ ((~Co) & Cu);
+ uint64_t Eko = Co ^ ((~Cu) & Ca);
+ uint64_t Eku = Cu ^ ((~Ca) & Ce);
+ Abu ^= Du;
+ Ca = rotl64(Abu, 27);
+ Aga ^= Da;
+ Ce = rotl64(Aga, 36);
+ Ake ^= De;
+ Ci = rotl64(Ake, 10);
+ Ami ^= Di;
+ Co = rotl64(Ami, 15);
+ Aso ^= Do;
+ Cu = rotl64(Aso, 56);
+ uint64_t Ema = Ca ^ ((~Ce) & Ci);
+ uint64_t Eme = Ce ^ ((~Ci) & Co);
+ uint64_t Emi = Ci ^ ((~Co) & Cu);
+ uint64_t Emo = Co ^ ((~Cu) & Ca);
+ uint64_t Emu = Cu ^ ((~Ca) & Ce);
+ Abi ^= Di;
+ Ca = rotl64(Abi, 62);
+ Ago ^= Do;
+ Ce = rotl64(Ago, 55);
+ Aku ^= Du;
+ Ci = rotl64(Aku, 39);
+ Ama ^= Da;
+ Co = rotl64(Ama, 41);
+ Ase ^= De;
+ Cu = rotl64(Ase, 2);
+ uint64_t Esa = Ca ^ ((~Ce) & Ci);
+ uint64_t Ese = Ce ^ ((~Ci) & Co);
+ uint64_t Esi = Ci ^ ((~Co) & Cu);
+ uint64_t Eso = Co ^ ((~Cu) & Ca);
+ uint64_t Esu = Cu ^ ((~Ca) & Ce);
+ /* round 2 */
+ Ca = Eba ^ Ega ^ Eka ^ Ema ^ Esa;
+ Ce = Ebe ^ Ege ^ Eke ^ Eme ^ Ese;
+ Ci = Ebi ^ Egi ^ Eki ^ Emi ^ Esi;
+ Co = Ebo ^ Ego ^ Eko ^ Emo ^ Eso;
+ Cu = Ebu ^ Egu ^ Eku ^ Emu ^ Esu;
+ Da = Cu ^ rotl64(Ce, 1);
+ De = Ca ^ rotl64(Ci, 1);
+ Di = Ce ^ rotl64(Co, 1);
+ Do = Ci ^ rotl64(Cu, 1);
+ Du = Co ^ rotl64(Ca, 1);
+ Eba ^= Da;
+ Ca = Eba;
+ Ege ^= De;
+ Ce = rotl64(Ege, 44);
+ Eki ^= Di;
+ Ci = rotl64(Eki, 43);
+ Emo ^= Do;
+ Co = rotl64(Emo, 21);
+ Esu ^= Du;
+ Cu = rotl64(Esu, 14);
+ Aba = Ca ^ ((~Ce) & Ci);
+ Aba ^= 0x0000000000008082ULL;
+ Abe = Ce ^ ((~Ci) & Co);
+ Abi = Ci ^ ((~Co) & Cu);
+ Abo = Co ^ ((~Cu) & Ca);
+ Abu = Cu ^ ((~Ca) & Ce);
+ Ebo ^= Do;
+ Ca = rotl64(Ebo, 28);
+ Egu ^= Du;
+ Ce = rotl64(Egu, 20);
+ Eka ^= Da;
+ Ci = rotl64(Eka, 3);
+ Eme ^= De;
+ Co = rotl64(Eme, 45);
+ Esi ^= Di;
+ Cu = rotl64(Esi, 61);
+ Aga = Ca ^ ((~Ce) & Ci);
+ Age = Ce ^ ((~Ci) & Co);
+ Agi = Ci ^ ((~Co) & Cu);
+ Ago = Co ^ ((~Cu) & Ca);
+ Agu = Cu ^ ((~Ca) & Ce);
+ Ebe ^= De;
+ Ca = rotl64(Ebe, 1);
+ Egi ^= Di;
+ Ce = rotl64(Egi, 6);
+ Eko ^= Do;
+ Ci = rotl64(Eko, 25);
+ Emu ^= Du;
+ Co = rotl64(Emu, 8);
+ Esa ^= Da;
+ Cu = rotl64(Esa, 18);
+ Aka = Ca ^ ((~Ce) & Ci);
+ Ake = Ce ^ ((~Ci) & Co);
+ Aki = Ci ^ ((~Co) & Cu);
+ Ako = Co ^ ((~Cu) & Ca);
+ Aku = Cu ^ ((~Ca) & Ce);
+ Ebu ^= Du;
+ Ca = rotl64(Ebu, 27);
+ Ega ^= Da;
+ Ce = rotl64(Ega, 36);
+ Eke ^= De;
+ Ci = rotl64(Eke, 10);
+ Emi ^= Di;
+ Co = rotl64(Emi, 15);
+ Eso ^= Do;
+ Cu = rotl64(Eso, 56);
+ Ama = Ca ^ ((~Ce) & Ci);
+ Ame = Ce ^ ((~Ci) & Co);
+ Ami = Ci ^ ((~Co) & Cu);
+ Amo = Co ^ ((~Cu) & Ca);
+ Amu = Cu ^ ((~Ca) & Ce);
+ Ebi ^= Di;
+ Ca = rotl64(Ebi, 62);
+ Ego ^= Do;
+ Ce = rotl64(Ego, 55);
+ Eku ^= Du;
+ Ci = rotl64(Eku, 39);
+ Ema ^= Da;
+ Co = rotl64(Ema, 41);
+ Ese ^= De;
+ Cu = rotl64(Ese, 2);
+ Asa = Ca ^ ((~Ce) & Ci);
+ Ase = Ce ^ ((~Ci) & Co);
+ Asi = Ci ^ ((~Co) & Cu);
+ Aso = Co ^ ((~Cu) & Ca);
+ Asu = Cu ^ ((~Ca) & Ce);
+ /* round 3 */
+ Ca = Aba ^ Aga ^ Aka ^ Ama ^ Asa;
+ Ce = Abe ^ Age ^ Ake ^ Ame ^ Ase;
+ Ci = Abi ^ Agi ^ Aki ^ Ami ^ Asi;
+ Co = Abo ^ Ago ^ Ako ^ Amo ^ Aso;
+ Cu = Abu ^ Agu ^ Aku ^ Amu ^ Asu;
+ Da = Cu ^ rotl64(Ce, 1);
+ De = Ca ^ rotl64(Ci, 1);
+ Di = Ce ^ rotl64(Co, 1);
+ Do = Ci ^ rotl64(Cu, 1);
+ Du = Co ^ rotl64(Ca, 1);
+ Aba ^= Da;
+ Ca = Aba;
+ Age ^= De;
+ Ce = rotl64(Age, 44);
+ Aki ^= Di;
+ Ci = rotl64(Aki, 43);
+ Amo ^= Do;
+ Co = rotl64(Amo, 21);
+ Asu ^= Du;
+ Cu = rotl64(Asu, 14);
+ Eba = Ca ^ ((~Ce) & Ci);
+ Eba ^= 0x800000000000808AULL;
+ Ebe = Ce ^ ((~Ci) & Co);
+ Ebi = Ci ^ ((~Co) & Cu);
+ Ebo = Co ^ ((~Cu) & Ca);
+ Ebu = Cu ^ ((~Ca) & Ce);
+ Abo ^= Do;
+ Ca = rotl64(Abo, 28);
+ Agu ^= Du;
+ Ce = rotl64(Agu, 20);
+ Aka ^= Da;
+ Ci = rotl64(Aka, 3);
+ Ame ^= De;
+ Co = rotl64(Ame, 45);
+ Asi ^= Di;
+ Cu = rotl64(Asi, 61);
+ Ega = Ca ^ ((~Ce) & Ci);
+ Ege = Ce ^ ((~Ci) & Co);
+ Egi = Ci ^ ((~Co) & Cu);
+ Ego = Co ^ ((~Cu) & Ca);
+ Egu = Cu ^ ((~Ca) & Ce);
+ Abe ^= De;
+ Ca = rotl64(Abe, 1);
+ Agi ^= Di;
+ Ce = rotl64(Agi, 6);
+ Ako ^= Do;
+ Ci = rotl64(Ako, 25);
+ Amu ^= Du;
+ Co = rotl64(Amu, 8);
+ Asa ^= Da;
+ Cu = rotl64(Asa, 18);
+ Eka = Ca ^ ((~Ce) & Ci);
+ Eke = Ce ^ ((~Ci) & Co);
+ Eki = Ci ^ ((~Co) & Cu);
+ Eko = Co ^ ((~Cu) & Ca);
+ Eku = Cu ^ ((~Ca) & Ce);
+ Abu ^= Du;
+ Ca = rotl64(Abu, 27);
+ Aga ^= Da;
+ Ce = rotl64(Aga, 36);
+ Ake ^= De;
+ Ci = rotl64(Ake, 10);
+ Ami ^= Di;
+ Co = rotl64(Ami, 15);
+ Aso ^= Do;
+ Cu = rotl64(Aso, 56);
+ Ema = Ca ^ ((~Ce) & Ci);
+ Eme = Ce ^ ((~Ci) & Co);
+ Emi = Ci ^ ((~Co) & Cu);
+ Emo = Co ^ ((~Cu) & Ca);
+ Emu = Cu ^ ((~Ca) & Ce);
+ Abi ^= Di;
+ Ca = rotl64(Abi, 62);
+ Ago ^= Do;
+ Ce = rotl64(Ago, 55);
+ Aku ^= Du;
+ Ci = rotl64(Aku, 39);
+ Ama ^= Da;
+ Co = rotl64(Ama, 41);
+ Ase ^= De;
+ Cu = rotl64(Ase, 2);
+ Esa = Ca ^ ((~Ce) & Ci);
+ Ese = Ce ^ ((~Ci) & Co);
+ Esi = Ci ^ ((~Co) & Cu);
+ Eso = Co ^ ((~Cu) & Ca);
+ Esu = Cu ^ ((~Ca) & Ce);
+ /* round 4 */
+ Ca = Eba ^ Ega ^ Eka ^ Ema ^ Esa;
+ Ce = Ebe ^ Ege ^ Eke ^ Eme ^ Ese;
+ Ci = Ebi ^ Egi ^ Eki ^ Emi ^ Esi;
+ Co = Ebo ^ Ego ^ Eko ^ Emo ^ Eso;
+ Cu = Ebu ^ Egu ^ Eku ^ Emu ^ Esu;
+ Da = Cu ^ rotl64(Ce, 1);
+ De = Ca ^ rotl64(Ci, 1);
+ Di = Ce ^ rotl64(Co, 1);
+ Do = Ci ^ rotl64(Cu, 1);
+ Du = Co ^ rotl64(Ca, 1);
+ Eba ^= Da;
+ Ca = Eba;
+ Ege ^= De;
+ Ce = rotl64(Ege, 44);
+ Eki ^= Di;
+ Ci = rotl64(Eki, 43);
+ Emo ^= Do;
+ Co = rotl64(Emo, 21);
+ Esu ^= Du;
+ Cu = rotl64(Esu, 14);
+ Aba = Ca ^ ((~Ce) & Ci);
+ Aba ^= 0x8000000080008000ULL;
+ Abe = Ce ^ ((~Ci) & Co);
+ Abi = Ci ^ ((~Co) & Cu);
+ Abo = Co ^ ((~Cu) & Ca);
+ Abu = Cu ^ ((~Ca) & Ce);
+ Ebo ^= Do;
+ Ca = rotl64(Ebo, 28);
+ Egu ^= Du;
+ Ce = rotl64(Egu, 20);
+ Eka ^= Da;
+ Ci = rotl64(Eka, 3);
+ Eme ^= De;
+ Co = rotl64(Eme, 45);
+ Esi ^= Di;
+ Cu = rotl64(Esi, 61);
+ Aga = Ca ^ ((~Ce) & Ci);
+ Age = Ce ^ ((~Ci) & Co);
+ Agi = Ci ^ ((~Co) & Cu);
+ Ago = Co ^ ((~Cu) & Ca);
+ Agu = Cu ^ ((~Ca) & Ce);
+ Ebe ^= De;
+ Ca = rotl64(Ebe, 1);
+ Egi ^= Di;
+ Ce = rotl64(Egi, 6);
+ Eko ^= Do;
+ Ci = rotl64(Eko, 25);
+ Emu ^= Du;
+ Co = rotl64(Emu, 8);
+ Esa ^= Da;
+ Cu = rotl64(Esa, 18);
+ Aka = Ca ^ ((~Ce) & Ci);
+ Ake = Ce ^ ((~Ci) & Co);
+ Aki = Ci ^ ((~Co) & Cu);
+ Ako = Co ^ ((~Cu) & Ca);
+ Aku = Cu ^ ((~Ca) & Ce);
+ Ebu ^= Du;
+ Ca = rotl64(Ebu, 27);
+ Ega ^= Da;
+ Ce = rotl64(Ega, 36);
+ Eke ^= De;
+ Ci = rotl64(Eke, 10);
+ Emi ^= Di;
+ Co = rotl64(Emi, 15);
+ Eso ^= Do;
+ Cu = rotl64(Eso, 56);
+ Ama = Ca ^ ((~Ce) & Ci);
+ Ame = Ce ^ ((~Ci) & Co);
+ Ami = Ci ^ ((~Co) & Cu);
+ Amo = Co ^ ((~Cu) & Ca);
+ Amu = Cu ^ ((~Ca) & Ce);
+ Ebi ^= Di;
+ Ca = rotl64(Ebi, 62);
+ Ego ^= Do;
+ Ce = rotl64(Ego, 55);
+ Eku ^= Du;
+ Ci = rotl64(Eku, 39);
+ Ema ^= Da;
+ Co = rotl64(Ema, 41);
+ Ese ^= De;
+ Cu = rotl64(Ese, 2);
+ Asa = Ca ^ ((~Ce) & Ci);
+ Ase = Ce ^ ((~Ci) & Co);
+ Asi = Ci ^ ((~Co) & Cu);
+ Aso = Co ^ ((~Cu) & Ca);
+ Asu = Cu ^ ((~Ca) & Ce);
+ /* round 5 */
+ Ca = Aba ^ Aga ^ Aka ^ Ama ^ Asa;
+ Ce = Abe ^ Age ^ Ake ^ Ame ^ Ase;
+ Ci = Abi ^ Agi ^ Aki ^ Ami ^ Asi;
+ Co = Abo ^ Ago ^ Ako ^ Amo ^ Aso;
+ Cu = Abu ^ Agu ^ Aku ^ Amu ^ Asu;
+ Da = Cu ^ rotl64(Ce, 1);
+ De = Ca ^ rotl64(Ci, 1);
+ Di = Ce ^ rotl64(Co, 1);
+ Do = Ci ^ rotl64(Cu, 1);
+ Du = Co ^ rotl64(Ca, 1);
+ Aba ^= Da;
+ Ca = Aba;
+ Age ^= De;
+ Ce = rotl64(Age, 44);
+ Aki ^= Di;
+ Ci = rotl64(Aki, 43);
+ Amo ^= Do;
+ Co = rotl64(Amo, 21);
+ Asu ^= Du;
+ Cu = rotl64(Asu, 14);
+ Eba = Ca ^ ((~Ce) & Ci);
+ Eba ^= 0x000000000000808BULL;
+ Ebe = Ce ^ ((~Ci) & Co);
+ Ebi = Ci ^ ((~Co) & Cu);
+ Ebo = Co ^ ((~Cu) & Ca);
+ Ebu = Cu ^ ((~Ca) & Ce);
+ Abo ^= Do;
+ Ca = rotl64(Abo, 28);
+ Agu ^= Du;
+ Ce = rotl64(Agu, 20);
+ Aka ^= Da;
+ Ci = rotl64(Aka, 3);
+ Ame ^= De;
+ Co = rotl64(Ame, 45);
+ Asi ^= Di;
+ Cu = rotl64(Asi, 61);
+ Ega = Ca ^ ((~Ce) & Ci);
+ Ege = Ce ^ ((~Ci) & Co);
+ Egi = Ci ^ ((~Co) & Cu);
+ Ego = Co ^ ((~Cu) & Ca);
+ Egu = Cu ^ ((~Ca) & Ce);
+ Abe ^= De;
+ Ca = rotl64(Abe, 1);
+ Agi ^= Di;
+ Ce = rotl64(Agi, 6);
+ Ako ^= Do;
+ Ci = rotl64(Ako, 25);
+ Amu ^= Du;
+ Co = rotl64(Amu, 8);
+ Asa ^= Da;
+ Cu = rotl64(Asa, 18);
+ Eka = Ca ^ ((~Ce) & Ci);
+ Eke = Ce ^ ((~Ci) & Co);
+ Eki = Ci ^ ((~Co) & Cu);
+ Eko = Co ^ ((~Cu) & Ca);
+ Eku = Cu ^ ((~Ca) & Ce);
+ Abu ^= Du;
+ Ca = rotl64(Abu, 27);
+ Aga ^= Da;
+ Ce = rotl64(Aga, 36);
+ Ake ^= De;
+ Ci = rotl64(Ake, 10);
+ Ami ^= Di;
+ Co = rotl64(Ami, 15);
+ Aso ^= Do;
+ Cu = rotl64(Aso, 56);
+ Ema = Ca ^ ((~Ce) & Ci);
+ Eme = Ce ^ ((~Ci) & Co);
+ Emi = Ci ^ ((~Co) & Cu);
+ Emo = Co ^ ((~Cu) & Ca);
+ Emu = Cu ^ ((~Ca) & Ce);
+ Abi ^= Di;
+ Ca = rotl64(Abi, 62);
+ Ago ^= Do;
+ Ce = rotl64(Ago, 55);
+ Aku ^= Du;
+ Ci = rotl64(Aku, 39);
+ Ama ^= Da;
+ Co = rotl64(Ama, 41);
+ Ase ^= De;
+ Cu = rotl64(Ase, 2);
+ Esa = Ca ^ ((~Ce) & Ci);
+ Ese = Ce ^ ((~Ci) & Co);
+ Esi = Ci ^ ((~Co) & Cu);
+ Eso = Co ^ ((~Cu) & Ca);
+ Esu = Cu ^ ((~Ca) & Ce);
+ /* round 6 */
+ Ca = Eba ^ Ega ^ Eka ^ Ema ^ Esa;
+ Ce = Ebe ^ Ege ^ Eke ^ Eme ^ Ese;
+ Ci = Ebi ^ Egi ^ Eki ^ Emi ^ Esi;
+ Co = Ebo ^ Ego ^ Eko ^ Emo ^ Eso;
+ Cu = Ebu ^ Egu ^ Eku ^ Emu ^ Esu;
+ Da = Cu ^ rotl64(Ce, 1);
+ De = Ca ^ rotl64(Ci, 1);
+ Di = Ce ^ rotl64(Co, 1);
+ Do = Ci ^ rotl64(Cu, 1);
+ Du = Co ^ rotl64(Ca, 1);
+ Eba ^= Da;
+ Ca = Eba;
+ Ege ^= De;
+ Ce = rotl64(Ege, 44);
+ Eki ^= Di;
+ Ci = rotl64(Eki, 43);
+ Emo ^= Do;
+ Co = rotl64(Emo, 21);
+ Esu ^= Du;
+ Cu = rotl64(Esu, 14);
+ Aba = Ca ^ ((~Ce) & Ci);
+ Aba ^= 0x0000000080000001ULL;
+ Abe = Ce ^ ((~Ci) & Co);
+ Abi = Ci ^ ((~Co) & Cu);
+ Abo = Co ^ ((~Cu) & Ca);
+ Abu = Cu ^ ((~Ca) & Ce);
+ Ebo ^= Do;
+ Ca = rotl64(Ebo, 28);
+ Egu ^= Du;
+ Ce = rotl64(Egu, 20);
+ Eka ^= Da;
+ Ci = rotl64(Eka, 3);
+ Eme ^= De;
+ Co = rotl64(Eme, 45);
+ Esi ^= Di;
+ Cu = rotl64(Esi, 61);
+ Aga = Ca ^ ((~Ce) & Ci);
+ Age = Ce ^ ((~Ci) & Co);
+ Agi = Ci ^ ((~Co) & Cu);
+ Ago = Co ^ ((~Cu) & Ca);
+ Agu = Cu ^ ((~Ca) & Ce);
+ Ebe ^= De;
+ Ca = rotl64(Ebe, 1);
+ Egi ^= Di;
+ Ce = rotl64(Egi, 6);
+ Eko ^= Do;
+ Ci = rotl64(Eko, 25);
+ Emu ^= Du;
+ Co = rotl64(Emu, 8);
+ Esa ^= Da;
+ Cu = rotl64(Esa, 18);
+ Aka = Ca ^ ((~Ce) & Ci);
+ Ake = Ce ^ ((~Ci) & Co);
+ Aki = Ci ^ ((~Co) & Cu);
+ Ako = Co ^ ((~Cu) & Ca);
+ Aku = Cu ^ ((~Ca) & Ce);
+ Ebu ^= Du;
+ Ca = rotl64(Ebu, 27);
+ Ega ^= Da;
+ Ce = rotl64(Ega, 36);
+ Eke ^= De;
+ Ci = rotl64(Eke, 10);
+ Emi ^= Di;
+ Co = rotl64(Emi, 15);
+ Eso ^= Do;
+ Cu = rotl64(Eso, 56);
+ Ama = Ca ^ ((~Ce) & Ci);
+ Ame = Ce ^ ((~Ci) & Co);
+ Ami = Ci ^ ((~Co) & Cu);
+ Amo = Co ^ ((~Cu) & Ca);
+ Amu = Cu ^ ((~Ca) & Ce);
+ Ebi ^= Di;
+ Ca = rotl64(Ebi, 62);
+ Ego ^= Do;
+ Ce = rotl64(Ego, 55);
+ Eku ^= Du;
+ Ci = rotl64(Eku, 39);
+ Ema ^= Da;
+ Co = rotl64(Ema, 41);
+ Ese ^= De;
+ Cu = rotl64(Ese, 2);
+ Asa = Ca ^ ((~Ce) & Ci);
+ Ase = Ce ^ ((~Ci) & Co);
+ Asi = Ci ^ ((~Co) & Cu);
+ Aso = Co ^ ((~Cu) & Ca);
+ Asu = Cu ^ ((~Ca) & Ce);
+ /* round 7 */
+ Ca = Aba ^ Aga ^ Aka ^ Ama ^ Asa;
+ Ce = Abe ^ Age ^ Ake ^ Ame ^ Ase;
+ Ci = Abi ^ Agi ^ Aki ^ Ami ^ Asi;
+ Co = Abo ^ Ago ^ Ako ^ Amo ^ Aso;
+ Cu = Abu ^ Agu ^ Aku ^ Amu ^ Asu;
+ Da = Cu ^ rotl64(Ce, 1);
+ De = Ca ^ rotl64(Ci, 1);
+ Di = Ce ^ rotl64(Co, 1);
+ Do = Ci ^ rotl64(Cu, 1);
+ Du = Co ^ rotl64(Ca, 1);
+ Aba ^= Da;
+ Ca = Aba;
+ Age ^= De;
+ Ce = rotl64(Age, 44);
+ Aki ^= Di;
+ Ci = rotl64(Aki, 43);
+ Amo ^= Do;
+ Co = rotl64(Amo, 21);
+ Asu ^= Du;
+ Cu = rotl64(Asu, 14);
+ Eba = Ca ^ ((~Ce) & Ci);
+ Eba ^= 0x8000000080008081ULL;
+ Ebe = Ce ^ ((~Ci) & Co);
+ Ebi = Ci ^ ((~Co) & Cu);
+ Ebo = Co ^ ((~Cu) & Ca);
+ Ebu = Cu ^ ((~Ca) & Ce);
+ Abo ^= Do;
+ Ca = rotl64(Abo, 28);
+ Agu ^= Du;
+ Ce = rotl64(Agu, 20);
+ Aka ^= Da;
+ Ci = rotl64(Aka, 3);
+ Ame ^= De;
+ Co = rotl64(Ame, 45);
+ Asi ^= Di;
+ Cu = rotl64(Asi, 61);
+ Ega = Ca ^ ((~Ce) & Ci);
+ Ege = Ce ^ ((~Ci) & Co);
+ Egi = Ci ^ ((~Co) & Cu);
+ Ego = Co ^ ((~Cu) & Ca);
+ Egu = Cu ^ ((~Ca) & Ce);
+ Abe ^= De;
+ Ca = rotl64(Abe, 1);
+ Agi ^= Di;
+ Ce = rotl64(Agi, 6);
+ Ako ^= Do;
+ Ci = rotl64(Ako, 25);
+ Amu ^= Du;
+ Co = rotl64(Amu, 8);
+ Asa ^= Da;
+ Cu = rotl64(Asa, 18);
+ Eka = Ca ^ ((~Ce) & Ci);
+ Eke = Ce ^ ((~Ci) & Co);
+ Eki = Ci ^ ((~Co) & Cu);
+ Eko = Co ^ ((~Cu) & Ca);
+ Eku = Cu ^ ((~Ca) & Ce);
+ Abu ^= Du;
+ Ca = rotl64(Abu, 27);
+ Aga ^= Da;
+ Ce = rotl64(Aga, 36);
+ Ake ^= De;
+ Ci = rotl64(Ake, 10);
+ Ami ^= Di;
+ Co = rotl64(Ami, 15);
+ Aso ^= Do;
+ Cu = rotl64(Aso, 56);
+ Ema = Ca ^ ((~Ce) & Ci);
+ Eme = Ce ^ ((~Ci) & Co);
+ Emi = Ci ^ ((~Co) & Cu);
+ Emo = Co ^ ((~Cu) & Ca);
+ Emu = Cu ^ ((~Ca) & Ce);
+ Abi ^= Di;
+ Ca = rotl64(Abi, 62);
+ Ago ^= Do;
+ Ce = rotl64(Ago, 55);
+ Aku ^= Du;
+ Ci = rotl64(Aku, 39);
+ Ama ^= Da;
+ Co = rotl64(Ama, 41);
+ Ase ^= De;
+ Cu = rotl64(Ase, 2);
+ Esa = Ca ^ ((~Ce) & Ci);
+ Ese = Ce ^ ((~Ci) & Co);
+ Esi = Ci ^ ((~Co) & Cu);
+ Eso = Co ^ ((~Cu) & Ca);
+ Esu = Cu ^ ((~Ca) & Ce);
+ /* round 8 */
+ Ca = Eba ^ Ega ^ Eka ^ Ema ^ Esa;
+ Ce = Ebe ^ Ege ^ Eke ^ Eme ^ Ese;
+ Ci = Ebi ^ Egi ^ Eki ^ Emi ^ Esi;
+ Co = Ebo ^ Ego ^ Eko ^ Emo ^ Eso;
+ Cu = Ebu ^ Egu ^ Eku ^ Emu ^ Esu;
+ Da = Cu ^ rotl64(Ce, 1);
+ De = Ca ^ rotl64(Ci, 1);
+ Di = Ce ^ rotl64(Co, 1);
+ Do = Ci ^ rotl64(Cu, 1);
+ Du = Co ^ rotl64(Ca, 1);
+ Eba ^= Da;
+ Ca = Eba;
+ Ege ^= De;
+ Ce = rotl64(Ege, 44);
+ Eki ^= Di;
+ Ci = rotl64(Eki, 43);
+ Emo ^= Do;
+ Co = rotl64(Emo, 21);
+ Esu ^= Du;
+ Cu = rotl64(Esu, 14);
+ Aba = Ca ^ ((~Ce) & Ci);
+ Aba ^= 0x8000000000008009ULL;
+ Abe = Ce ^ ((~Ci) & Co);
+ Abi = Ci ^ ((~Co) & Cu);
+ Abo = Co ^ ((~Cu) & Ca);
+ Abu = Cu ^ ((~Ca) & Ce);
+ Ebo ^= Do;
+ Ca = rotl64(Ebo, 28);
+ Egu ^= Du;
+ Ce = rotl64(Egu, 20);
+ Eka ^= Da;
+ Ci = rotl64(Eka, 3);
+ Eme ^= De;
+ Co = rotl64(Eme, 45);
+ Esi ^= Di;
+ Cu = rotl64(Esi, 61);
+ Aga = Ca ^ ((~Ce) & Ci);
+ Age = Ce ^ ((~Ci) & Co);
+ Agi = Ci ^ ((~Co) & Cu);
+ Ago = Co ^ ((~Cu) & Ca);
+ Agu = Cu ^ ((~Ca) & Ce);
+ Ebe ^= De;
+ Ca = rotl64(Ebe, 1);
+ Egi ^= Di;
+ Ce = rotl64(Egi, 6);
+ Eko ^= Do;
+ Ci = rotl64(Eko, 25);
+ Emu ^= Du;
+ Co = rotl64(Emu, 8);
+ Esa ^= Da;
+ Cu = rotl64(Esa, 18);
+ Aka = Ca ^ ((~Ce) & Ci);
+ Ake = Ce ^ ((~Ci) & Co);
+ Aki = Ci ^ ((~Co) & Cu);
+ Ako = Co ^ ((~Cu) & Ca);
+ Aku = Cu ^ ((~Ca) & Ce);
+ Ebu ^= Du;
+ Ca = rotl64(Ebu, 27);
+ Ega ^= Da;
+ Ce = rotl64(Ega, 36);
+ Eke ^= De;
+ Ci = rotl64(Eke, 10);
+ Emi ^= Di;
+ Co = rotl64(Emi, 15);
+ Eso ^= Do;
+ Cu = rotl64(Eso, 56);
+ Ama = Ca ^ ((~Ce) & Ci);
+ Ame = Ce ^ ((~Ci) & Co);
+ Ami = Ci ^ ((~Co) & Cu);
+ Amo = Co ^ ((~Cu) & Ca);
+ Amu = Cu ^ ((~Ca) & Ce);
+ Ebi ^= Di;
+ Ca = rotl64(Ebi, 62);
+ Ego ^= Do;
+ Ce = rotl64(Ego, 55);
+ Eku ^= Du;
+ Ci = rotl64(Eku, 39);
+ Ema ^= Da;
+ Co = rotl64(Ema, 41);
+ Ese ^= De;
+ Cu = rotl64(Ese, 2);
+ Asa = Ca ^ ((~Ce) & Ci);
+ Ase = Ce ^ ((~Ci) & Co);
+ Asi = Ci ^ ((~Co) & Cu);
+ Aso = Co ^ ((~Cu) & Ca);
+ Asu = Cu ^ ((~Ca) & Ce);
+ /* round 9 */
+ Ca = Aba ^ Aga ^ Aka ^ Ama ^ Asa;
+ Ce = Abe ^ Age ^ Ake ^ Ame ^ Ase;
+ Ci = Abi ^ Agi ^ Aki ^ Ami ^ Asi;
+ Co = Abo ^ Ago ^ Ako ^ Amo ^ Aso;
+ Cu = Abu ^ Agu ^ Aku ^ Amu ^ Asu;
+ Da = Cu ^ rotl64(Ce, 1);
+ De = Ca ^ rotl64(Ci, 1);
+ Di = Ce ^ rotl64(Co, 1);
+ Do = Ci ^ rotl64(Cu, 1);
+ Du = Co ^ rotl64(Ca, 1);
+ Aba ^= Da;
+ Ca = Aba;
+ Age ^= De;
+ Ce = rotl64(Age, 44);
+ Aki ^= Di;
+ Ci = rotl64(Aki, 43);
+ Amo ^= Do;
+ Co = rotl64(Amo, 21);
+ Asu ^= Du;
+ Cu = rotl64(Asu, 14);
+ Eba = Ca ^ ((~Ce) & Ci);
+ Eba ^= 0x000000000000008AULL;
+ Ebe = Ce ^ ((~Ci) & Co);
+ Ebi = Ci ^ ((~Co) & Cu);
+ Ebo = Co ^ ((~Cu) & Ca);
+ Ebu = Cu ^ ((~Ca) & Ce);
+ Abo ^= Do;
+ Ca = rotl64(Abo, 28);
+ Agu ^= Du;
+ Ce = rotl64(Agu, 20);
+ Aka ^= Da;
+ Ci = rotl64(Aka, 3);
+ Ame ^= De;
+ Co = rotl64(Ame, 45);
+ Asi ^= Di;
+ Cu = rotl64(Asi, 61);
+ Ega = Ca ^ ((~Ce) & Ci);
+ Ege = Ce ^ ((~Ci) & Co);
+ Egi = Ci ^ ((~Co) & Cu);
+ Ego = Co ^ ((~Cu) & Ca);
+ Egu = Cu ^ ((~Ca) & Ce);
+ Abe ^= De;
+ Ca = rotl64(Abe, 1);
+ Agi ^= Di;
+ Ce = rotl64(Agi, 6);
+ Ako ^= Do;
+ Ci = rotl64(Ako, 25);
+ Amu ^= Du;
+ Co = rotl64(Amu, 8);
+ Asa ^= Da;
+ Cu = rotl64(Asa, 18);
+ Eka = Ca ^ ((~Ce) & Ci);
+ Eke = Ce ^ ((~Ci) & Co);
+ Eki = Ci ^ ((~Co) & Cu);
+ Eko = Co ^ ((~Cu) & Ca);
+ Eku = Cu ^ ((~Ca) & Ce);
+ Abu ^= Du;
+ Ca = rotl64(Abu, 27);
+ Aga ^= Da;
+ Ce = rotl64(Aga, 36);
+ Ake ^= De;
+ Ci = rotl64(Ake, 10);
+ Ami ^= Di;
+ Co = rotl64(Ami, 15);
+ Aso ^= Do;
+ Cu = rotl64(Aso, 56);
+ Ema = Ca ^ ((~Ce) & Ci);
+ Eme = Ce ^ ((~Ci) & Co);
+ Emi = Ci ^ ((~Co) & Cu);
+ Emo = Co ^ ((~Cu) & Ca);
+ Emu = Cu ^ ((~Ca) & Ce);
+ Abi ^= Di;
+ Ca = rotl64(Abi, 62);
+ Ago ^= Do;
+ Ce = rotl64(Ago, 55);
+ Aku ^= Du;
+ Ci = rotl64(Aku, 39);
+ Ama ^= Da;
+ Co = rotl64(Ama, 41);
+ Ase ^= De;
+ Cu = rotl64(Ase, 2);
+ Esa = Ca ^ ((~Ce) & Ci);
+ Ese = Ce ^ ((~Ci) & Co);
+ Esi = Ci ^ ((~Co) & Cu);
+ Eso = Co ^ ((~Cu) & Ca);
+ Esu = Cu ^ ((~Ca) & Ce);
+ /* round 10 */
+ Ca = Eba ^ Ega ^ Eka ^ Ema ^ Esa;
+ Ce = Ebe ^ Ege ^ Eke ^ Eme ^ Ese;
+ Ci = Ebi ^ Egi ^ Eki ^ Emi ^ Esi;
+ Co = Ebo ^ Ego ^ Eko ^ Emo ^ Eso;
+ Cu = Ebu ^ Egu ^ Eku ^ Emu ^ Esu;
+ Da = Cu ^ rotl64(Ce, 1);
+ De = Ca ^ rotl64(Ci, 1);
+ Di = Ce ^ rotl64(Co, 1);
+ Do = Ci ^ rotl64(Cu, 1);
+ Du = Co ^ rotl64(Ca, 1);
+ Eba ^= Da;
+ Ca = Eba;
+ Ege ^= De;
+ Ce = rotl64(Ege, 44);
+ Eki ^= Di;
+ Ci = rotl64(Eki, 43);
+ Emo ^= Do;
+ Co = rotl64(Emo, 21);
+ Esu ^= Du;
+ Cu = rotl64(Esu, 14);
+ Aba = Ca ^ ((~Ce) & Ci);
+ Aba ^= 0x0000000000000088ULL;
+ Abe = Ce ^ ((~Ci) & Co);
+ Abi = Ci ^ ((~Co) & Cu);
+ Abo = Co ^ ((~Cu) & Ca);
+ Abu = Cu ^ ((~Ca) & Ce);
+ Ebo ^= Do;
+ Ca = rotl64(Ebo, 28);
+ Egu ^= Du;
+ Ce = rotl64(Egu, 20);
+ Eka ^= Da;
+ Ci = rotl64(Eka, 3);
+ Eme ^= De;
+ Co = rotl64(Eme, 45);
+ Esi ^= Di;
+ Cu = rotl64(Esi, 61);
+ Aga = Ca ^ ((~Ce) & Ci);
+ Age = Ce ^ ((~Ci) & Co);
+ Agi = Ci ^ ((~Co) & Cu);
+ Ago = Co ^ ((~Cu) & Ca);
+ Agu = Cu ^ ((~Ca) & Ce);
+ Ebe ^= De;
+ Ca = rotl64(Ebe, 1);
+ Egi ^= Di;
+ Ce = rotl64(Egi, 6);
+ Eko ^= Do;
+ Ci = rotl64(Eko, 25);
+ Emu ^= Du;
+ Co = rotl64(Emu, 8);
+ Esa ^= Da;
+ Cu = rotl64(Esa, 18);
+ Aka = Ca ^ ((~Ce) & Ci);
+ Ake = Ce ^ ((~Ci) & Co);
+ Aki = Ci ^ ((~Co) & Cu);
+ Ako = Co ^ ((~Cu) & Ca);
+ Aku = Cu ^ ((~Ca) & Ce);
+ Ebu ^= Du;
+ Ca = rotl64(Ebu, 27);
+ Ega ^= Da;
+ Ce = rotl64(Ega, 36);
+ Eke ^= De;
+ Ci = rotl64(Eke, 10);
+ Emi ^= Di;
+ Co = rotl64(Emi, 15);
+ Eso ^= Do;
+ Cu = rotl64(Eso, 56);
+ Ama = Ca ^ ((~Ce) & Ci);
+ Ame = Ce ^ ((~Ci) & Co);
+ Ami = Ci ^ ((~Co) & Cu);
+ Amo = Co ^ ((~Cu) & Ca);
+ Amu = Cu ^ ((~Ca) & Ce);
+ Ebi ^= Di;
+ Ca = rotl64(Ebi, 62);
+ Ego ^= Do;
+ Ce = rotl64(Ego, 55);
+ Eku ^= Du;
+ Ci = rotl64(Eku, 39);
+ Ema ^= Da;
+ Co = rotl64(Ema, 41);
+ Ese ^= De;
+ Cu = rotl64(Ese, 2);
+ Asa = Ca ^ ((~Ce) & Ci);
+ Ase = Ce ^ ((~Ci) & Co);
+ Asi = Ci ^ ((~Co) & Cu);
+ Aso = Co ^ ((~Cu) & Ca);
+ Asu = Cu ^ ((~Ca) & Ce);
+ /* round 11 */
+ Ca = Aba ^ Aga ^ Aka ^ Ama ^ Asa;
+ Ce = Abe ^ Age ^ Ake ^ Ame ^ Ase;
+ Ci = Abi ^ Agi ^ Aki ^ Ami ^ Asi;
+ Co = Abo ^ Ago ^ Ako ^ Amo ^ Aso;
+ Cu = Abu ^ Agu ^ Aku ^ Amu ^ Asu;
+ Da = Cu ^ rotl64(Ce, 1);
+ De = Ca ^ rotl64(Ci, 1);
+ Di = Ce ^ rotl64(Co, 1);
+ Do = Ci ^ rotl64(Cu, 1);
+ Du = Co ^ rotl64(Ca, 1);
+ Aba ^= Da;
+ Ca = Aba;
+ Age ^= De;
+ Ce = rotl64(Age, 44);
+ Aki ^= Di;
+ Ci = rotl64(Aki, 43);
+ Amo ^= Do;
+ Co = rotl64(Amo, 21);
+ Asu ^= Du;
+ Cu = rotl64(Asu, 14);
+ Eba = Ca ^ ((~Ce) & Ci);
+ Eba ^= 0x0000000080008009ULL;
+ Ebe = Ce ^ ((~Ci) & Co);
+ Ebi = Ci ^ ((~Co) & Cu);
+ Ebo = Co ^ ((~Cu) & Ca);
+ Ebu = Cu ^ ((~Ca) & Ce);
+ Abo ^= Do;
+ Ca = rotl64(Abo, 28);
+ Agu ^= Du;
+ Ce = rotl64(Agu, 20);
+ Aka ^= Da;
+ Ci = rotl64(Aka, 3);
+ Ame ^= De;
+ Co = rotl64(Ame, 45);
+ Asi ^= Di;
+ Cu = rotl64(Asi, 61);
+ Ega = Ca ^ ((~Ce) & Ci);
+ Ege = Ce ^ ((~Ci) & Co);
+ Egi = Ci ^ ((~Co) & Cu);
+ Ego = Co ^ ((~Cu) & Ca);
+ Egu = Cu ^ ((~Ca) & Ce);
+ Abe ^= De;
+ Ca = rotl64(Abe, 1);
+ Agi ^= Di;
+ Ce = rotl64(Agi, 6);
+ Ako ^= Do;
+ Ci = rotl64(Ako, 25);
+ Amu ^= Du;
+ Co = rotl64(Amu, 8);
+ Asa ^= Da;
+ Cu = rotl64(Asa, 18);
+ Eka = Ca ^ ((~Ce) & Ci);
+ Eke = Ce ^ ((~Ci) & Co);
+ Eki = Ci ^ ((~Co) & Cu);
+ Eko = Co ^ ((~Cu) & Ca);
+ Eku = Cu ^ ((~Ca) & Ce);
+ Abu ^= Du;
+ Ca = rotl64(Abu, 27);
+ Aga ^= Da;
+ Ce = rotl64(Aga, 36);
+ Ake ^= De;
+ Ci = rotl64(Ake, 10);
+ Ami ^= Di;
+ Co = rotl64(Ami, 15);
+ Aso ^= Do;
+ Cu = rotl64(Aso, 56);
+ Ema = Ca ^ ((~Ce) & Ci);
+ Eme = Ce ^ ((~Ci) & Co);
+ Emi = Ci ^ ((~Co) & Cu);
+ Emo = Co ^ ((~Cu) & Ca);
+ Emu = Cu ^ ((~Ca) & Ce);
+ Abi ^= Di;
+ Ca = rotl64(Abi, 62);
+ Ago ^= Do;
+ Ce = rotl64(Ago, 55);
+ Aku ^= Du;
+ Ci = rotl64(Aku, 39);
+ Ama ^= Da;
+ Co = rotl64(Ama, 41);
+ Ase ^= De;
+ Cu = rotl64(Ase, 2);
+ Esa = Ca ^ ((~Ce) & Ci);
+ Ese = Ce ^ ((~Ci) & Co);
+ Esi = Ci ^ ((~Co) & Cu);
+ Eso = Co ^ ((~Cu) & Ca);
+ Esu = Cu ^ ((~Ca) & Ce);
+ /* round 12 */
+ Ca = Eba ^ Ega ^ Eka ^ Ema ^ Esa;
+ Ce = Ebe ^ Ege ^ Eke ^ Eme ^ Ese;
+ Ci = Ebi ^ Egi ^ Eki ^ Emi ^ Esi;
+ Co = Ebo ^ Ego ^ Eko ^ Emo ^ Eso;
+ Cu = Ebu ^ Egu ^ Eku ^ Emu ^ Esu;
+ Da = Cu ^ rotl64(Ce, 1);
+ De = Ca ^ rotl64(Ci, 1);
+ Di = Ce ^ rotl64(Co, 1);
+ Do = Ci ^ rotl64(Cu, 1);
+ Du = Co ^ rotl64(Ca, 1);
+ Eba ^= Da;
+ Ca = Eba;
+ Ege ^= De;
+ Ce = rotl64(Ege, 44);
+ Eki ^= Di;
+ Ci = rotl64(Eki, 43);
+ Emo ^= Do;
+ Co = rotl64(Emo, 21);
+ Esu ^= Du;
+ Cu = rotl64(Esu, 14);
+ Aba = Ca ^ ((~Ce) & Ci);
+ Aba ^= 0x000000008000000AULL;
+ Abe = Ce ^ ((~Ci) & Co);
+ Abi = Ci ^ ((~Co) & Cu);
+ Abo = Co ^ ((~Cu) & Ca);
+ Abu = Cu ^ ((~Ca) & Ce);
+ Ebo ^= Do;
+ Ca = rotl64(Ebo, 28);
+ Egu ^= Du;
+ Ce = rotl64(Egu, 20);
+ Eka ^= Da;
+ Ci = rotl64(Eka, 3);
+ Eme ^= De;
+ Co = rotl64(Eme, 45);
+ Esi ^= Di;
+ Cu = rotl64(Esi, 61);
+ Aga = Ca ^ ((~Ce) & Ci);
+ Age = Ce ^ ((~Ci) & Co);
+ Agi = Ci ^ ((~Co) & Cu);
+ Ago = Co ^ ((~Cu) & Ca);
+ Agu = Cu ^ ((~Ca) & Ce);
+ Ebe ^= De;
+ Ca = rotl64(Ebe, 1);
+ Egi ^= Di;
+ Ce = rotl64(Egi, 6);
+ Eko ^= Do;
+ Ci = rotl64(Eko, 25);
+ Emu ^= Du;
+ Co = rotl64(Emu, 8);
+ Esa ^= Da;
+ Cu = rotl64(Esa, 18);
+ Aka = Ca ^ ((~Ce) & Ci);
+ Ake = Ce ^ ((~Ci) & Co);
+ Aki = Ci ^ ((~Co) & Cu);
+ Ako = Co ^ ((~Cu) & Ca);
+ Aku = Cu ^ ((~Ca) & Ce);
+ Ebu ^= Du;
+ Ca = rotl64(Ebu, 27);
+ Ega ^= Da;
+ Ce = rotl64(Ega, 36);
+ Eke ^= De;
+ Ci = rotl64(Eke, 10);
+ Emi ^= Di;
+ Co = rotl64(Emi, 15);
+ Eso ^= Do;
+ Cu = rotl64(Eso, 56);
+ Ama = Ca ^ ((~Ce) & Ci);
+ Ame = Ce ^ ((~Ci) & Co);
+ Ami = Ci ^ ((~Co) & Cu);
+ Amo = Co ^ ((~Cu) & Ca);
+ Amu = Cu ^ ((~Ca) & Ce);
+ Ebi ^= Di;
+ Ca = rotl64(Ebi, 62);
+ Ego ^= Do;
+ Ce = rotl64(Ego, 55);
+ Eku ^= Du;
+ Ci = rotl64(Eku, 39);
+ Ema ^= Da;
+ Co = rotl64(Ema, 41);
+ Ese ^= De;
+ Cu = rotl64(Ese, 2);
+ Asa = Ca ^ ((~Ce) & Ci);
+ Ase = Ce ^ ((~Ci) & Co);
+ Asi = Ci ^ ((~Co) & Cu);
+ Aso = Co ^ ((~Cu) & Ca);
+ Asu = Cu ^ ((~Ca) & Ce);
+ /* round 13 */
+ Ca = Aba ^ Aga ^ Aka ^ Ama ^ Asa;
+ Ce = Abe ^ Age ^ Ake ^ Ame ^ Ase;
+ Ci = Abi ^ Agi ^ Aki ^ Ami ^ Asi;
+ Co = Abo ^ Ago ^ Ako ^ Amo ^ Aso;
+ Cu = Abu ^ Agu ^ Aku ^ Amu ^ Asu;
+ Da = Cu ^ rotl64(Ce, 1);
+ De = Ca ^ rotl64(Ci, 1);
+ Di = Ce ^ rotl64(Co, 1);
+ Do = Ci ^ rotl64(Cu, 1);
+ Du = Co ^ rotl64(Ca, 1);
+ Aba ^= Da;
+ Ca = Aba;
+ Age ^= De;
+ Ce = rotl64(Age, 44);
+ Aki ^= Di;
+ Ci = rotl64(Aki, 43);
+ Amo ^= Do;
+ Co = rotl64(Amo, 21);
+ Asu ^= Du;
+ Cu = rotl64(Asu, 14);
+ Eba = Ca ^ ((~Ce) & Ci);
+ Eba ^= 0x000000008000808BULL;
+ Ebe = Ce ^ ((~Ci) & Co);
+ Ebi = Ci ^ ((~Co) & Cu);
+ Ebo = Co ^ ((~Cu) & Ca);
+ Ebu = Cu ^ ((~Ca) & Ce);
+ Abo ^= Do;
+ Ca = rotl64(Abo, 28);
+ Agu ^= Du;
+ Ce = rotl64(Agu, 20);
+ Aka ^= Da;
+ Ci = rotl64(Aka, 3);
+ Ame ^= De;
+ Co = rotl64(Ame, 45);
+ Asi ^= Di;
+ Cu = rotl64(Asi, 61);
+ Ega = Ca ^ ((~Ce) & Ci);
+ Ege = Ce ^ ((~Ci) & Co);
+ Egi = Ci ^ ((~Co) & Cu);
+ Ego = Co ^ ((~Cu) & Ca);
+ Egu = Cu ^ ((~Ca) & Ce);
+ Abe ^= De;
+ Ca = rotl64(Abe, 1);
+ Agi ^= Di;
+ Ce = rotl64(Agi, 6);
+ Ako ^= Do;
+ Ci = rotl64(Ako, 25);
+ Amu ^= Du;
+ Co = rotl64(Amu, 8);
+ Asa ^= Da;
+ Cu = rotl64(Asa, 18);
+ Eka = Ca ^ ((~Ce) & Ci);
+ Eke = Ce ^ ((~Ci) & Co);
+ Eki = Ci ^ ((~Co) & Cu);
+ Eko = Co ^ ((~Cu) & Ca);
+ Eku = Cu ^ ((~Ca) & Ce);
+ Abu ^= Du;
+ Ca = rotl64(Abu, 27);
+ Aga ^= Da;
+ Ce = rotl64(Aga, 36);
+ Ake ^= De;
+ Ci = rotl64(Ake, 10);
+ Ami ^= Di;
+ Co = rotl64(Ami, 15);
+ Aso ^= Do;
+ Cu = rotl64(Aso, 56);
+ Ema = Ca ^ ((~Ce) & Ci);
+ Eme = Ce ^ ((~Ci) & Co);
+ Emi = Ci ^ ((~Co) & Cu);
+ Emo = Co ^ ((~Cu) & Ca);
+ Emu = Cu ^ ((~Ca) & Ce);
+ Abi ^= Di;
+ Ca = rotl64(Abi, 62);
+ Ago ^= Do;
+ Ce = rotl64(Ago, 55);
+ Aku ^= Du;
+ Ci = rotl64(Aku, 39);
+ Ama ^= Da;
+ Co = rotl64(Ama, 41);
+ Ase ^= De;
+ Cu = rotl64(Ase, 2);
+ Esa = Ca ^ ((~Ce) & Ci);
+ Ese = Ce ^ ((~Ci) & Co);
+ Esi = Ci ^ ((~Co) & Cu);
+ Eso = Co ^ ((~Cu) & Ca);
+ Esu = Cu ^ ((~Ca) & Ce);
+ /* round 14 */
+ Ca = Eba ^ Ega ^ Eka ^ Ema ^ Esa;
+ Ce = Ebe ^ Ege ^ Eke ^ Eme ^ Ese;
+ Ci = Ebi ^ Egi ^ Eki ^ Emi ^ Esi;
+ Co = Ebo ^ Ego ^ Eko ^ Emo ^ Eso;
+ Cu = Ebu ^ Egu ^ Eku ^ Emu ^ Esu;
+ Da = Cu ^ rotl64(Ce, 1);
+ De = Ca ^ rotl64(Ci, 1);
+ Di = Ce ^ rotl64(Co, 1);
+ Do = Ci ^ rotl64(Cu, 1);
+ Du = Co ^ rotl64(Ca, 1);
+ Eba ^= Da;
+ Ca = Eba;
+ Ege ^= De;
+ Ce = rotl64(Ege, 44);
+ Eki ^= Di;
+ Ci = rotl64(Eki, 43);
+ Emo ^= Do;
+ Co = rotl64(Emo, 21);
+ Esu ^= Du;
+ Cu = rotl64(Esu, 14);
+ Aba = Ca ^ ((~Ce) & Ci);
+ Aba ^= 0x800000000000008BULL;
+ Abe = Ce ^ ((~Ci) & Co);
+ Abi = Ci ^ ((~Co) & Cu);
+ Abo = Co ^ ((~Cu) & Ca);
+ Abu = Cu ^ ((~Ca) & Ce);
+ Ebo ^= Do;
+ Ca = rotl64(Ebo, 28);
+ Egu ^= Du;
+ Ce = rotl64(Egu, 20);
+ Eka ^= Da;
+ Ci = rotl64(Eka, 3);
+ Eme ^= De;
+ Co = rotl64(Eme, 45);
+ Esi ^= Di;
+ Cu = rotl64(Esi, 61);
+ Aga = Ca ^ ((~Ce) & Ci);
+ Age = Ce ^ ((~Ci) & Co);
+ Agi = Ci ^ ((~Co) & Cu);
+ Ago = Co ^ ((~Cu) & Ca);
+ Agu = Cu ^ ((~Ca) & Ce);
+ Ebe ^= De;
+ Ca = rotl64(Ebe, 1);
+ Egi ^= Di;
+ Ce = rotl64(Egi, 6);
+ Eko ^= Do;
+ Ci = rotl64(Eko, 25);
+ Emu ^= Du;
+ Co = rotl64(Emu, 8);
+ Esa ^= Da;
+ Cu = rotl64(Esa, 18);
+ Aka = Ca ^ ((~Ce) & Ci);
+ Ake = Ce ^ ((~Ci) & Co);
+ Aki = Ci ^ ((~Co) & Cu);
+ Ako = Co ^ ((~Cu) & Ca);
+ Aku = Cu ^ ((~Ca) & Ce);
+ Ebu ^= Du;
+ Ca = rotl64(Ebu, 27);
+ Ega ^= Da;
+ Ce = rotl64(Ega, 36);
+ Eke ^= De;
+ Ci = rotl64(Eke, 10);
+ Emi ^= Di;
+ Co = rotl64(Emi, 15);
+ Eso ^= Do;
+ Cu = rotl64(Eso, 56);
+ Ama = Ca ^ ((~Ce) & Ci);
+ Ame = Ce ^ ((~Ci) & Co);
+ Ami = Ci ^ ((~Co) & Cu);
+ Amo = Co ^ ((~Cu) & Ca);
+ Amu = Cu ^ ((~Ca) & Ce);
+ Ebi ^= Di;
+ Ca = rotl64(Ebi, 62);
+ Ego ^= Do;
+ Ce = rotl64(Ego, 55);
+ Eku ^= Du;
+ Ci = rotl64(Eku, 39);
+ Ema ^= Da;
+ Co = rotl64(Ema, 41);
+ Ese ^= De;
+ Cu = rotl64(Ese, 2);
+ Asa = Ca ^ ((~Ce) & Ci);
+ Ase = Ce ^ ((~Ci) & Co);
+ Asi = Ci ^ ((~Co) & Cu);
+ Aso = Co ^ ((~Cu) & Ca);
+ Asu = Cu ^ ((~Ca) & Ce);
+ /* round 15 */
+ Ca = Aba ^ Aga ^ Aka ^ Ama ^ Asa;
+ Ce = Abe ^ Age ^ Ake ^ Ame ^ Ase;
+ Ci = Abi ^ Agi ^ Aki ^ Ami ^ Asi;
+ Co = Abo ^ Ago ^ Ako ^ Amo ^ Aso;
+ Cu = Abu ^ Agu ^ Aku ^ Amu ^ Asu;
+ Da = Cu ^ rotl64(Ce, 1);
+ De = Ca ^ rotl64(Ci, 1);
+ Di = Ce ^ rotl64(Co, 1);
+ Do = Ci ^ rotl64(Cu, 1);
+ Du = Co ^ rotl64(Ca, 1);
+ Aba ^= Da;
+ Ca = Aba;
+ Age ^= De;
+ Ce = rotl64(Age, 44);
+ Aki ^= Di;
+ Ci = rotl64(Aki, 43);
+ Amo ^= Do;
+ Co = rotl64(Amo, 21);
+ Asu ^= Du;
+ Cu = rotl64(Asu, 14);
+ Eba = Ca ^ ((~Ce) & Ci);
+ Eba ^= 0x8000000000008089ULL;
+ Ebe = Ce ^ ((~Ci) & Co);
+ Ebi = Ci ^ ((~Co) & Cu);
+ Ebo = Co ^ ((~Cu) & Ca);
+ Ebu = Cu ^ ((~Ca) & Ce);
+ Abo ^= Do;
+ Ca = rotl64(Abo, 28);
+ Agu ^= Du;
+ Ce = rotl64(Agu, 20);
+ Aka ^= Da;
+ Ci = rotl64(Aka, 3);
+ Ame ^= De;
+ Co = rotl64(Ame, 45);
+ Asi ^= Di;
+ Cu = rotl64(Asi, 61);
+ Ega = Ca ^ ((~Ce) & Ci);
+ Ege = Ce ^ ((~Ci) & Co);
+ Egi = Ci ^ ((~Co) & Cu);
+ Ego = Co ^ ((~Cu) & Ca);
+ Egu = Cu ^ ((~Ca) & Ce);
+ Abe ^= De;
+ Ca = rotl64(Abe, 1);
+ Agi ^= Di;
+ Ce = rotl64(Agi, 6);
+ Ako ^= Do;
+ Ci = rotl64(Ako, 25);
+ Amu ^= Du;
+ Co = rotl64(Amu, 8);
+ Asa ^= Da;
+ Cu = rotl64(Asa, 18);
+ Eka = Ca ^ ((~Ce) & Ci);
+ Eke = Ce ^ ((~Ci) & Co);
+ Eki = Ci ^ ((~Co) & Cu);
+ Eko = Co ^ ((~Cu) & Ca);
+ Eku = Cu ^ ((~Ca) & Ce);
+ Abu ^= Du;
+ Ca = rotl64(Abu, 27);
+ Aga ^= Da;
+ Ce = rotl64(Aga, 36);
+ Ake ^= De;
+ Ci = rotl64(Ake, 10);
+ Ami ^= Di;
+ Co = rotl64(Ami, 15);
+ Aso ^= Do;
+ Cu = rotl64(Aso, 56);
+ Ema = Ca ^ ((~Ce) & Ci);
+ Eme = Ce ^ ((~Ci) & Co);
+ Emi = Ci ^ ((~Co) & Cu);
+ Emo = Co ^ ((~Cu) & Ca);
+ Emu = Cu ^ ((~Ca) & Ce);
+ Abi ^= Di;
+ Ca = rotl64(Abi, 62);
+ Ago ^= Do;
+ Ce = rotl64(Ago, 55);
+ Aku ^= Du;
+ Ci = rotl64(Aku, 39);
+ Ama ^= Da;
+ Co = rotl64(Ama, 41);
+ Ase ^= De;
+ Cu = rotl64(Ase, 2);
+ Esa = Ca ^ ((~Ce) & Ci);
+ Ese = Ce ^ ((~Ci) & Co);
+ Esi = Ci ^ ((~Co) & Cu);
+ Eso = Co ^ ((~Cu) & Ca);
+ Esu = Cu ^ ((~Ca) & Ce);
+ /* round 16 */
+ Ca = Eba ^ Ega ^ Eka ^ Ema ^ Esa;
+ Ce = Ebe ^ Ege ^ Eke ^ Eme ^ Ese;
+ Ci = Ebi ^ Egi ^ Eki ^ Emi ^ Esi;
+ Co = Ebo ^ Ego ^ Eko ^ Emo ^ Eso;
+ Cu = Ebu ^ Egu ^ Eku ^ Emu ^ Esu;
+ Da = Cu ^ rotl64(Ce, 1);
+ De = Ca ^ rotl64(Ci, 1);
+ Di = Ce ^ rotl64(Co, 1);
+ Do = Ci ^ rotl64(Cu, 1);
+ Du = Co ^ rotl64(Ca, 1);
+ Eba ^= Da;
+ Ca = Eba;
+ Ege ^= De;
+ Ce = rotl64(Ege, 44);
+ Eki ^= Di;
+ Ci = rotl64(Eki, 43);
+ Emo ^= Do;
+ Co = rotl64(Emo, 21);
+ Esu ^= Du;
+ Cu = rotl64(Esu, 14);
+ Aba = Ca ^ ((~Ce) & Ci);
+ Aba ^= 0x8000000000008003ULL;
+ Abe = Ce ^ ((~Ci) & Co);
+ Abi = Ci ^ ((~Co) & Cu);
+ Abo = Co ^ ((~Cu) & Ca);
+ Abu = Cu ^ ((~Ca) & Ce);
+ Ebo ^= Do;
+ Ca = rotl64(Ebo, 28);
+ Egu ^= Du;
+ Ce = rotl64(Egu, 20);
+ Eka ^= Da;
+ Ci = rotl64(Eka, 3);
+ Eme ^= De;
+ Co = rotl64(Eme, 45);
+ Esi ^= Di;
+ Cu = rotl64(Esi, 61);
+ Aga = Ca ^ ((~Ce) & Ci);
+ Age = Ce ^ ((~Ci) & Co);
+ Agi = Ci ^ ((~Co) & Cu);
+ Ago = Co ^ ((~Cu) & Ca);
+ Agu = Cu ^ ((~Ca) & Ce);
+ Ebe ^= De;
+ Ca = rotl64(Ebe, 1);
+ Egi ^= Di;
+ Ce = rotl64(Egi, 6);
+ Eko ^= Do;
+ Ci = rotl64(Eko, 25);
+ Emu ^= Du;
+ Co = rotl64(Emu, 8);
+ Esa ^= Da;
+ Cu = rotl64(Esa, 18);
+ Aka = Ca ^ ((~Ce) & Ci);
+ Ake = Ce ^ ((~Ci) & Co);
+ Aki = Ci ^ ((~Co) & Cu);
+ Ako = Co ^ ((~Cu) & Ca);
+ Aku = Cu ^ ((~Ca) & Ce);
+ Ebu ^= Du;
+ Ca = rotl64(Ebu, 27);
+ Ega ^= Da;
+ Ce = rotl64(Ega, 36);
+ Eke ^= De;
+ Ci = rotl64(Eke, 10);
+ Emi ^= Di;
+ Co = rotl64(Emi, 15);
+ Eso ^= Do;
+ Cu = rotl64(Eso, 56);
+ Ama = Ca ^ ((~Ce) & Ci);
+ Ame = Ce ^ ((~Ci) & Co);
+ Ami = Ci ^ ((~Co) & Cu);
+ Amo = Co ^ ((~Cu) & Ca);
+ Amu = Cu ^ ((~Ca) & Ce);
+ Ebi ^= Di;
+ Ca = rotl64(Ebi, 62);
+ Ego ^= Do;
+ Ce = rotl64(Ego, 55);
+ Eku ^= Du;
+ Ci = rotl64(Eku, 39);
+ Ema ^= Da;
+ Co = rotl64(Ema, 41);
+ Ese ^= De;
+ Cu = rotl64(Ese, 2);
+ Asa = Ca ^ ((~Ce) & Ci);
+ Ase = Ce ^ ((~Ci) & Co);
+ Asi = Ci ^ ((~Co) & Cu);
+ Aso = Co ^ ((~Cu) & Ca);
+ Asu = Cu ^ ((~Ca) & Ce);
+ /* round 17 */
+ Ca = Aba ^ Aga ^ Aka ^ Ama ^ Asa;
+ Ce = Abe ^ Age ^ Ake ^ Ame ^ Ase;
+ Ci = Abi ^ Agi ^ Aki ^ Ami ^ Asi;
+ Co = Abo ^ Ago ^ Ako ^ Amo ^ Aso;
+ Cu = Abu ^ Agu ^ Aku ^ Amu ^ Asu;
+ Da = Cu ^ rotl64(Ce, 1);
+ De = Ca ^ rotl64(Ci, 1);
+ Di = Ce ^ rotl64(Co, 1);
+ Do = Ci ^ rotl64(Cu, 1);
+ Du = Co ^ rotl64(Ca, 1);
+ Aba ^= Da;
+ Ca = Aba;
+ Age ^= De;
+ Ce = rotl64(Age, 44);
+ Aki ^= Di;
+ Ci = rotl64(Aki, 43);
+ Amo ^= Do;
+ Co = rotl64(Amo, 21);
+ Asu ^= Du;
+ Cu = rotl64(Asu, 14);
+ Eba = Ca ^ ((~Ce) & Ci);
+ Eba ^= 0x8000000000008002ULL;
+ Ebe = Ce ^ ((~Ci) & Co);
+ Ebi = Ci ^ ((~Co) & Cu);
+ Ebo = Co ^ ((~Cu) & Ca);
+ Ebu = Cu ^ ((~Ca) & Ce);
+ Abo ^= Do;
+ Ca = rotl64(Abo, 28);
+ Agu ^= Du;
+ Ce = rotl64(Agu, 20);
+ Aka ^= Da;
+ Ci = rotl64(Aka, 3);
+ Ame ^= De;
+ Co = rotl64(Ame, 45);
+ Asi ^= Di;
+ Cu = rotl64(Asi, 61);
+ Ega = Ca ^ ((~Ce) & Ci);
+ Ege = Ce ^ ((~Ci) & Co);
+ Egi = Ci ^ ((~Co) & Cu);
+ Ego = Co ^ ((~Cu) & Ca);
+ Egu = Cu ^ ((~Ca) & Ce);
+ Abe ^= De;
+ Ca = rotl64(Abe, 1);
+ Agi ^= Di;
+ Ce = rotl64(Agi, 6);
+ Ako ^= Do;
+ Ci = rotl64(Ako, 25);
+ Amu ^= Du;
+ Co = rotl64(Amu, 8);
+ Asa ^= Da;
+ Cu = rotl64(Asa, 18);
+ Eka = Ca ^ ((~Ce) & Ci);
+ Eke = Ce ^ ((~Ci) & Co);
+ Eki = Ci ^ ((~Co) & Cu);
+ Eko = Co ^ ((~Cu) & Ca);
+ Eku = Cu ^ ((~Ca) & Ce);
+ Abu ^= Du;
+ Ca = rotl64(Abu, 27);
+ Aga ^= Da;
+ Ce = rotl64(Aga, 36);
+ Ake ^= De;
+ Ci = rotl64(Ake, 10);
+ Ami ^= Di;
+ Co = rotl64(Ami, 15);
+ Aso ^= Do;
+ Cu = rotl64(Aso, 56);
+ Ema = Ca ^ ((~Ce) & Ci);
+ Eme = Ce ^ ((~Ci) & Co);
+ Emi = Ci ^ ((~Co) & Cu);
+ Emo = Co ^ ((~Cu) & Ca);
+ Emu = Cu ^ ((~Ca) & Ce);
+ Abi ^= Di;
+ Ca = rotl64(Abi, 62);
+ Ago ^= Do;
+ Ce = rotl64(Ago, 55);
+ Aku ^= Du;
+ Ci = rotl64(Aku, 39);
+ Ama ^= Da;
+ Co = rotl64(Ama, 41);
+ Ase ^= De;
+ Cu = rotl64(Ase, 2);
+ Esa = Ca ^ ((~Ce) & Ci);
+ Ese = Ce ^ ((~Ci) & Co);
+ Esi = Ci ^ ((~Co) & Cu);
+ Eso = Co ^ ((~Cu) & Ca);
+ Esu = Cu ^ ((~Ca) & Ce);
+ /* round 18 */
+ Ca = Eba ^ Ega ^ Eka ^ Ema ^ Esa;
+ Ce = Ebe ^ Ege ^ Eke ^ Eme ^ Ese;
+ Ci = Ebi ^ Egi ^ Eki ^ Emi ^ Esi;
+ Co = Ebo ^ Ego ^ Eko ^ Emo ^ Eso;
+ Cu = Ebu ^ Egu ^ Eku ^ Emu ^ Esu;
+ Da = Cu ^ rotl64(Ce, 1);
+ De = Ca ^ rotl64(Ci, 1);
+ Di = Ce ^ rotl64(Co, 1);
+ Do = Ci ^ rotl64(Cu, 1);
+ Du = Co ^ rotl64(Ca, 1);
+ Eba ^= Da;
+ Ca = Eba;
+ Ege ^= De;
+ Ce = rotl64(Ege, 44);
+ Eki ^= Di;
+ Ci = rotl64(Eki, 43);
+ Emo ^= Do;
+ Co = rotl64(Emo, 21);
+ Esu ^= Du;
+ Cu = rotl64(Esu, 14);
+ Aba = Ca ^ ((~Ce) & Ci);
+ Aba ^= 0x8000000000000080ULL;
+ Abe = Ce ^ ((~Ci) & Co);
+ Abi = Ci ^ ((~Co) & Cu);
+ Abo = Co ^ ((~Cu) & Ca);
+ Abu = Cu ^ ((~Ca) & Ce);
+ Ebo ^= Do;
+ Ca = rotl64(Ebo, 28);
+ Egu ^= Du;
+ Ce = rotl64(Egu, 20);
+ Eka ^= Da;
+ Ci = rotl64(Eka, 3);
+ Eme ^= De;
+ Co = rotl64(Eme, 45);
+ Esi ^= Di;
+ Cu = rotl64(Esi, 61);
+ Aga = Ca ^ ((~Ce) & Ci);
+ Age = Ce ^ ((~Ci) & Co);
+ Agi = Ci ^ ((~Co) & Cu);
+ Ago = Co ^ ((~Cu) & Ca);
+ Agu = Cu ^ ((~Ca) & Ce);
+ Ebe ^= De;
+ Ca = rotl64(Ebe, 1);
+ Egi ^= Di;
+ Ce = rotl64(Egi, 6);
+ Eko ^= Do;
+ Ci = rotl64(Eko, 25);
+ Emu ^= Du;
+ Co = rotl64(Emu, 8);
+ Esa ^= Da;
+ Cu = rotl64(Esa, 18);
+ Aka = Ca ^ ((~Ce) & Ci);
+ Ake = Ce ^ ((~Ci) & Co);
+ Aki = Ci ^ ((~Co) & Cu);
+ Ako = Co ^ ((~Cu) & Ca);
+ Aku = Cu ^ ((~Ca) & Ce);
+ Ebu ^= Du;
+ Ca = rotl64(Ebu, 27);
+ Ega ^= Da;
+ Ce = rotl64(Ega, 36);
+ Eke ^= De;
+ Ci = rotl64(Eke, 10);
+ Emi ^= Di;
+ Co = rotl64(Emi, 15);
+ Eso ^= Do;
+ Cu = rotl64(Eso, 56);
+ Ama = Ca ^ ((~Ce) & Ci);
+ Ame = Ce ^ ((~Ci) & Co);
+ Ami = Ci ^ ((~Co) & Cu);
+ Amo = Co ^ ((~Cu) & Ca);
+ Amu = Cu ^ ((~Ca) & Ce);
+ Ebi ^= Di;
+ Ca = rotl64(Ebi, 62);
+ Ego ^= Do;
+ Ce = rotl64(Ego, 55);
+ Eku ^= Du;
+ Ci = rotl64(Eku, 39);
+ Ema ^= Da;
+ Co = rotl64(Ema, 41);
+ Ese ^= De;
+ Cu = rotl64(Ese, 2);
+ Asa = Ca ^ ((~Ce) & Ci);
+ Ase = Ce ^ ((~Ci) & Co);
+ Asi = Ci ^ ((~Co) & Cu);
+ Aso = Co ^ ((~Cu) & Ca);
+ Asu = Cu ^ ((~Ca) & Ce);
+ /* round 19 */
+ Ca = Aba ^ Aga ^ Aka ^ Ama ^ Asa;
+ Ce = Abe ^ Age ^ Ake ^ Ame ^ Ase;
+ Ci = Abi ^ Agi ^ Aki ^ Ami ^ Asi;
+ Co = Abo ^ Ago ^ Ako ^ Amo ^ Aso;
+ Cu = Abu ^ Agu ^ Aku ^ Amu ^ Asu;
+ Da = Cu ^ rotl64(Ce, 1);
+ De = Ca ^ rotl64(Ci, 1);
+ Di = Ce ^ rotl64(Co, 1);
+ Do = Ci ^ rotl64(Cu, 1);
+ Du = Co ^ rotl64(Ca, 1);
+ Aba ^= Da;
+ Ca = Aba;
+ Age ^= De;
+ Ce = rotl64(Age, 44);
+ Aki ^= Di;
+ Ci = rotl64(Aki, 43);
+ Amo ^= Do;
+ Co = rotl64(Amo, 21);
+ Asu ^= Du;
+ Cu = rotl64(Asu, 14);
+ Eba = Ca ^ ((~Ce) & Ci);
+ Eba ^= 0x000000000000800AULL;
+ Ebe = Ce ^ ((~Ci) & Co);
+ Ebi = Ci ^ ((~Co) & Cu);
+ Ebo = Co ^ ((~Cu) & Ca);
+ Ebu = Cu ^ ((~Ca) & Ce);
+ Abo ^= Do;
+ Ca = rotl64(Abo, 28);
+ Agu ^= Du;
+ Ce = rotl64(Agu, 20);
+ Aka ^= Da;
+ Ci = rotl64(Aka, 3);
+ Ame ^= De;
+ Co = rotl64(Ame, 45);
+ Asi ^= Di;
+ Cu = rotl64(Asi, 61);
+ Ega = Ca ^ ((~Ce) & Ci);
+ Ege = Ce ^ ((~Ci) & Co);
+ Egi = Ci ^ ((~Co) & Cu);
+ Ego = Co ^ ((~Cu) & Ca);
+ Egu = Cu ^ ((~Ca) & Ce);
+ Abe ^= De;
+ Ca = rotl64(Abe, 1);
+ Agi ^= Di;
+ Ce = rotl64(Agi, 6);
+ Ako ^= Do;
+ Ci = rotl64(Ako, 25);
+ Amu ^= Du;
+ Co = rotl64(Amu, 8);
+ Asa ^= Da;
+ Cu = rotl64(Asa, 18);
+ Eka = Ca ^ ((~Ce) & Ci);
+ Eke = Ce ^ ((~Ci) & Co);
+ Eki = Ci ^ ((~Co) & Cu);
+ Eko = Co ^ ((~Cu) & Ca);
+ Eku = Cu ^ ((~Ca) & Ce);
+ Abu ^= Du;
+ Ca = rotl64(Abu, 27);
+ Aga ^= Da;
+ Ce = rotl64(Aga, 36);
+ Ake ^= De;
+ Ci = rotl64(Ake, 10);
+ Ami ^= Di;
+ Co = rotl64(Ami, 15);
+ Aso ^= Do;
+ Cu = rotl64(Aso, 56);
+ Ema = Ca ^ ((~Ce) & Ci);
+ Eme = Ce ^ ((~Ci) & Co);
+ Emi = Ci ^ ((~Co) & Cu);
+ Emo = Co ^ ((~Cu) & Ca);
+ Emu = Cu ^ ((~Ca) & Ce);
+ Abi ^= Di;
+ Ca = rotl64(Abi, 62);
+ Ago ^= Do;
+ Ce = rotl64(Ago, 55);
+ Aku ^= Du;
+ Ci = rotl64(Aku, 39);
+ Ama ^= Da;
+ Co = rotl64(Ama, 41);
+ Ase ^= De;
+ Cu = rotl64(Ase, 2);
+ Esa = Ca ^ ((~Ce) & Ci);
+ Ese = Ce ^ ((~Ci) & Co);
+ Esi = Ci ^ ((~Co) & Cu);
+ Eso = Co ^ ((~Cu) & Ca);
+ Esu = Cu ^ ((~Ca) & Ce);
+ /* round 20 */
+ Ca = Eba ^ Ega ^ Eka ^ Ema ^ Esa;
+ Ce = Ebe ^ Ege ^ Eke ^ Eme ^ Ese;
+ Ci = Ebi ^ Egi ^ Eki ^ Emi ^ Esi;
+ Co = Ebo ^ Ego ^ Eko ^ Emo ^ Eso;
+ Cu = Ebu ^ Egu ^ Eku ^ Emu ^ Esu;
+ Da = Cu ^ rotl64(Ce, 1);
+ De = Ca ^ rotl64(Ci, 1);
+ Di = Ce ^ rotl64(Co, 1);
+ Do = Ci ^ rotl64(Cu, 1);
+ Du = Co ^ rotl64(Ca, 1);
+ Eba ^= Da;
+ Ca = Eba;
+ Ege ^= De;
+ Ce = rotl64(Ege, 44);
+ Eki ^= Di;
+ Ci = rotl64(Eki, 43);
+ Emo ^= Do;
+ Co = rotl64(Emo, 21);
+ Esu ^= Du;
+ Cu = rotl64(Esu, 14);
+ Aba = Ca ^ ((~Ce) & Ci);
+ Aba ^= 0x800000008000000AULL;
+ Abe = Ce ^ ((~Ci) & Co);
+ Abi = Ci ^ ((~Co) & Cu);
+ Abo = Co ^ ((~Cu) & Ca);
+ Abu = Cu ^ ((~Ca) & Ce);
+ Ebo ^= Do;
+ Ca = rotl64(Ebo, 28);
+ Egu ^= Du;
+ Ce = rotl64(Egu, 20);
+ Eka ^= Da;
+ Ci = rotl64(Eka, 3);
+ Eme ^= De;
+ Co = rotl64(Eme, 45);
+ Esi ^= Di;
+ Cu = rotl64(Esi, 61);
+ Aga = Ca ^ ((~Ce) & Ci);
+ Age = Ce ^ ((~Ci) & Co);
+ Agi = Ci ^ ((~Co) & Cu);
+ Ago = Co ^ ((~Cu) & Ca);
+ Agu = Cu ^ ((~Ca) & Ce);
+ Ebe ^= De;
+ Ca = rotl64(Ebe, 1);
+ Egi ^= Di;
+ Ce = rotl64(Egi, 6);
+ Eko ^= Do;
+ Ci = rotl64(Eko, 25);
+ Emu ^= Du;
+ Co = rotl64(Emu, 8);
+ Esa ^= Da;
+ Cu = rotl64(Esa, 18);
+ Aka = Ca ^ ((~Ce) & Ci);
+ Ake = Ce ^ ((~Ci) & Co);
+ Aki = Ci ^ ((~Co) & Cu);
+ Ako = Co ^ ((~Cu) & Ca);
+ Aku = Cu ^ ((~Ca) & Ce);
+ Ebu ^= Du;
+ Ca = rotl64(Ebu, 27);
+ Ega ^= Da;
+ Ce = rotl64(Ega, 36);
+ Eke ^= De;
+ Ci = rotl64(Eke, 10);
+ Emi ^= Di;
+ Co = rotl64(Emi, 15);
+ Eso ^= Do;
+ Cu = rotl64(Eso, 56);
+ Ama = Ca ^ ((~Ce) & Ci);
+ Ame = Ce ^ ((~Ci) & Co);
+ Ami = Ci ^ ((~Co) & Cu);
+ Amo = Co ^ ((~Cu) & Ca);
+ Amu = Cu ^ ((~Ca) & Ce);
+ Ebi ^= Di;
+ Ca = rotl64(Ebi, 62);
+ Ego ^= Do;
+ Ce = rotl64(Ego, 55);
+ Eku ^= Du;
+ Ci = rotl64(Eku, 39);
+ Ema ^= Da;
+ Co = rotl64(Ema, 41);
+ Ese ^= De;
+ Cu = rotl64(Ese, 2);
+ Asa = Ca ^ ((~Ce) & Ci);
+ Ase = Ce ^ ((~Ci) & Co);
+ Asi = Ci ^ ((~Co) & Cu);
+ Aso = Co ^ ((~Cu) & Ca);
+ Asu = Cu ^ ((~Ca) & Ce);
+ /* round 21 */
+ Ca = Aba ^ Aga ^ Aka ^ Ama ^ Asa;
+ Ce = Abe ^ Age ^ Ake ^ Ame ^ Ase;
+ Ci = Abi ^ Agi ^ Aki ^ Ami ^ Asi;
+ Co = Abo ^ Ago ^ Ako ^ Amo ^ Aso;
+ Cu = Abu ^ Agu ^ Aku ^ Amu ^ Asu;
+ Da = Cu ^ rotl64(Ce, 1);
+ De = Ca ^ rotl64(Ci, 1);
+ Di = Ce ^ rotl64(Co, 1);
+ Do = Ci ^ rotl64(Cu, 1);
+ Du = Co ^ rotl64(Ca, 1);
+ Aba ^= Da;
+ Ca = Aba;
+ Age ^= De;
+ Ce = rotl64(Age, 44);
+ Aki ^= Di;
+ Ci = rotl64(Aki, 43);
+ Amo ^= Do;
+ Co = rotl64(Amo, 21);
+ Asu ^= Du;
+ Cu = rotl64(Asu, 14);
+ Eba = Ca ^ ((~Ce) & Ci);
+ Eba ^= 0x8000000080008081ULL;
+ Ebe = Ce ^ ((~Ci) & Co);
+ Ebi = Ci ^ ((~Co) & Cu);
+ Ebo = Co ^ ((~Cu) & Ca);
+ Ebu = Cu ^ ((~Ca) & Ce);
+ Abo ^= Do;
+ Ca = rotl64(Abo, 28);
+ Agu ^= Du;
+ Ce = rotl64(Agu, 20);
+ Aka ^= Da;
+ Ci = rotl64(Aka, 3);
+ Ame ^= De;
+ Co = rotl64(Ame, 45);
+ Asi ^= Di;
+ Cu = rotl64(Asi, 61);
+ Ega = Ca ^ ((~Ce) & Ci);
+ Ege = Ce ^ ((~Ci) & Co);
+ Egi = Ci ^ ((~Co) & Cu);
+ Ego = Co ^ ((~Cu) & Ca);
+ Egu = Cu ^ ((~Ca) & Ce);
+ Abe ^= De;
+ Ca = rotl64(Abe, 1);
+ Agi ^= Di;
+ Ce = rotl64(Agi, 6);
+ Ako ^= Do;
+ Ci = rotl64(Ako, 25);
+ Amu ^= Du;
+ Co = rotl64(Amu, 8);
+ Asa ^= Da;
+ Cu = rotl64(Asa, 18);
+ Eka = Ca ^ ((~Ce) & Ci);
+ Eke = Ce ^ ((~Ci) & Co);
+ Eki = Ci ^ ((~Co) & Cu);
+ Eko = Co ^ ((~Cu) & Ca);
+ Eku = Cu ^ ((~Ca) & Ce);
+ Abu ^= Du;
+ Ca = rotl64(Abu, 27);
+ Aga ^= Da;
+ Ce = rotl64(Aga, 36);
+ Ake ^= De;
+ Ci = rotl64(Ake, 10);
+ Ami ^= Di;
+ Co = rotl64(Ami, 15);
+ Aso ^= Do;
+ Cu = rotl64(Aso, 56);
+ Ema = Ca ^ ((~Ce) & Ci);
+ Eme = Ce ^ ((~Ci) & Co);
+ Emi = Ci ^ ((~Co) & Cu);
+ Emo = Co ^ ((~Cu) & Ca);
+ Emu = Cu ^ ((~Ca) & Ce);
+ Abi ^= Di;
+ Ca = rotl64(Abi, 62);
+ Ago ^= Do;
+ Ce = rotl64(Ago, 55);
+ Aku ^= Du;
+ Ci = rotl64(Aku, 39);
+ Ama ^= Da;
+ Co = rotl64(Ama, 41);
+ Ase ^= De;
+ Cu = rotl64(Ase, 2);
+ Esa = Ca ^ ((~Ce) & Ci);
+ Ese = Ce ^ ((~Ci) & Co);
+ Esi = Ci ^ ((~Co) & Cu);
+ Eso = Co ^ ((~Cu) & Ca);
+ Esu = Cu ^ ((~Ca) & Ce);
+ /* round 22 */
+ Ca = Eba ^ Ega ^ Eka ^ Ema ^ Esa;
+ Ce = Ebe ^ Ege ^ Eke ^ Eme ^ Ese;
+ Ci = Ebi ^ Egi ^ Eki ^ Emi ^ Esi;
+ Co = Ebo ^ Ego ^ Eko ^ Emo ^ Eso;
+ Cu = Ebu ^ Egu ^ Eku ^ Emu ^ Esu;
+ Da = Cu ^ rotl64(Ce, 1);
+ De = Ca ^ rotl64(Ci, 1);
+ Di = Ce ^ rotl64(Co, 1);
+ Do = Ci ^ rotl64(Cu, 1);
+ Du = Co ^ rotl64(Ca, 1);
+ Eba ^= Da;
+ Ca = Eba;
+ Ege ^= De;
+ Ce = rotl64(Ege, 44);
+ Eki ^= Di;
+ Ci = rotl64(Eki, 43);
+ Emo ^= Do;
+ Co = rotl64(Emo, 21);
+ Esu ^= Du;
+ Cu = rotl64(Esu, 14);
+ Aba = Ca ^ ((~Ce) & Ci);
+ Aba ^= 0x8000000000008080ULL;
+ Abe = Ce ^ ((~Ci) & Co);
+ Abi = Ci ^ ((~Co) & Cu);
+ Abo = Co ^ ((~Cu) & Ca);
+ Abu = Cu ^ ((~Ca) & Ce);
+ Ebo ^= Do;
+ Ca = rotl64(Ebo, 28);
+ Egu ^= Du;
+ Ce = rotl64(Egu, 20);
+ Eka ^= Da;
+ Ci = rotl64(Eka, 3);
+ Eme ^= De;
+ Co = rotl64(Eme, 45);
+ Esi ^= Di;
+ Cu = rotl64(Esi, 61);
+ Aga = Ca ^ ((~Ce) & Ci);
+ Age = Ce ^ ((~Ci) & Co);
+ Agi = Ci ^ ((~Co) & Cu);
+ Ago = Co ^ ((~Cu) & Ca);
+ Agu = Cu ^ ((~Ca) & Ce);
+ Ebe ^= De;
+ Ca = rotl64(Ebe, 1);
+ Egi ^= Di;
+ Ce = rotl64(Egi, 6);
+ Eko ^= Do;
+ Ci = rotl64(Eko, 25);
+ Emu ^= Du;
+ Co = rotl64(Emu, 8);
+ Esa ^= Da;
+ Cu = rotl64(Esa, 18);
+ Aka = Ca ^ ((~Ce) & Ci);
+ Ake = Ce ^ ((~Ci) & Co);
+ Aki = Ci ^ ((~Co) & Cu);
+ Ako = Co ^ ((~Cu) & Ca);
+ Aku = Cu ^ ((~Ca) & Ce);
+ Ebu ^= Du;
+ Ca = rotl64(Ebu, 27);
+ Ega ^= Da;
+ Ce = rotl64(Ega, 36);
+ Eke ^= De;
+ Ci = rotl64(Eke, 10);
+ Emi ^= Di;
+ Co = rotl64(Emi, 15);
+ Eso ^= Do;
+ Cu = rotl64(Eso, 56);
+ Ama = Ca ^ ((~Ce) & Ci);
+ Ame = Ce ^ ((~Ci) & Co);
+ Ami = Ci ^ ((~Co) & Cu);
+ Amo = Co ^ ((~Cu) & Ca);
+ Amu = Cu ^ ((~Ca) & Ce);
+ Ebi ^= Di;
+ Ca = rotl64(Ebi, 62);
+ Ego ^= Do;
+ Ce = rotl64(Ego, 55);
+ Eku ^= Du;
+ Ci = rotl64(Eku, 39);
+ Ema ^= Da;
+ Co = rotl64(Ema, 41);
+ Ese ^= De;
+ Cu = rotl64(Ese, 2);
+ Asa = Ca ^ ((~Ce) & Ci);
+ Ase = Ce ^ ((~Ci) & Co);
+ Asi = Ci ^ ((~Co) & Cu);
+ Aso = Co ^ ((~Cu) & Ca);
+ Asu = Cu ^ ((~Ca) & Ce);
+ /* round 23 */
+ Ca = Aba ^ Aga ^ Aka ^ Ama ^ Asa;
+ Ce = Abe ^ Age ^ Ake ^ Ame ^ Ase;
+ Ci = Abi ^ Agi ^ Aki ^ Ami ^ Asi;
+ Co = Abo ^ Ago ^ Ako ^ Amo ^ Aso;
+ Cu = Abu ^ Agu ^ Aku ^ Amu ^ Asu;
+ Da = Cu ^ rotl64(Ce, 1);
+ De = Ca ^ rotl64(Ci, 1);
+ Di = Ce ^ rotl64(Co, 1);
+ Do = Ci ^ rotl64(Cu, 1);
+ Du = Co ^ rotl64(Ca, 1);
+ Aba ^= Da;
+ Ca = Aba;
+ Age ^= De;
+ Ce = rotl64(Age, 44);
+ Aki ^= Di;
+ Ci = rotl64(Aki, 43);
+ Amo ^= Do;
+ Co = rotl64(Amo, 21);
+ Asu ^= Du;
+ Cu = rotl64(Asu, 14);
+ Eba = Ca ^ ((~Ce) & Ci);
+ Eba ^= 0x0000000080000001ULL;
+ Ebe = Ce ^ ((~Ci) & Co);
+ Ebi = Ci ^ ((~Co) & Cu);
+ Ebo = Co ^ ((~Cu) & Ca);
+ Ebu = Cu ^ ((~Ca) & Ce);
+ Abo ^= Do;
+ Ca = rotl64(Abo, 28);
+ Agu ^= Du;
+ Ce = rotl64(Agu, 20);
+ Aka ^= Da;
+ Ci = rotl64(Aka, 3);
+ Ame ^= De;
+ Co = rotl64(Ame, 45);
+ Asi ^= Di;
+ Cu = rotl64(Asi, 61);
+ Ega = Ca ^ ((~Ce) & Ci);
+ Ege = Ce ^ ((~Ci) & Co);
+ Egi = Ci ^ ((~Co) & Cu);
+ Ego = Co ^ ((~Cu) & Ca);
+ Egu = Cu ^ ((~Ca) & Ce);
+ Abe ^= De;
+ Ca = rotl64(Abe, 1);
+ Agi ^= Di;
+ Ce = rotl64(Agi, 6);
+ Ako ^= Do;
+ Ci = rotl64(Ako, 25);
+ Amu ^= Du;
+ Co = rotl64(Amu, 8);
+ Asa ^= Da;
+ Cu = rotl64(Asa, 18);
+ Eka = Ca ^ ((~Ce) & Ci);
+ Eke = Ce ^ ((~Ci) & Co);
+ Eki = Ci ^ ((~Co) & Cu);
+ Eko = Co ^ ((~Cu) & Ca);
+ Eku = Cu ^ ((~Ca) & Ce);
+ Abu ^= Du;
+ Ca = rotl64(Abu, 27);
+ Aga ^= Da;
+ Ce = rotl64(Aga, 36);
+ Ake ^= De;
+ Ci = rotl64(Ake, 10);
+ Ami ^= Di;
+ Co = rotl64(Ami, 15);
+ Aso ^= Do;
+ Cu = rotl64(Aso, 56);
+ Ema = Ca ^ ((~Ce) & Ci);
+ Eme = Ce ^ ((~Ci) & Co);
+ Emi = Ci ^ ((~Co) & Cu);
+ Emo = Co ^ ((~Cu) & Ca);
+ Emu = Cu ^ ((~Ca) & Ce);
+ Abi ^= Di;
+ Ca = rotl64(Abi, 62);
+ Ago ^= Do;
+ Ce = rotl64(Ago, 55);
+ Aku ^= Du;
+ Ci = rotl64(Aku, 39);
+ Ama ^= Da;
+ Co = rotl64(Ama, 41);
+ Ase ^= De;
+ Cu = rotl64(Ase, 2);
+ Esa = Ca ^ ((~Ce) & Ci);
+ Ese = Ce ^ ((~Ci) & Co);
+ Esi = Ci ^ ((~Co) & Cu);
+ Eso = Co ^ ((~Cu) & Ca);
+ Esu = Cu ^ ((~Ca) & Ce);
+ /* round 24 */
+ Ca = Eba ^ Ega ^ Eka ^ Ema ^ Esa;
+ Ce = Ebe ^ Ege ^ Eke ^ Eme ^ Ese;
+ Ci = Ebi ^ Egi ^ Eki ^ Emi ^ Esi;
+ Co = Ebo ^ Ego ^ Eko ^ Emo ^ Eso;
+ Cu = Ebu ^ Egu ^ Eku ^ Emu ^ Esu;
+ Da = Cu ^ rotl64(Ce, 1);
+ De = Ca ^ rotl64(Ci, 1);
+ Di = Ce ^ rotl64(Co, 1);
+ Do = Ci ^ rotl64(Cu, 1);
+ Du = Co ^ rotl64(Ca, 1);
+ Eba ^= Da;
+ Ca = Eba;
+ Ege ^= De;
+ Ce = rotl64(Ege, 44);
+ Eki ^= Di;
+ Ci = rotl64(Eki, 43);
+ Emo ^= Do;
+ Co = rotl64(Emo, 21);
+ Esu ^= Du;
+ Cu = rotl64(Esu, 14);
+ Aba = Ca ^ ((~Ce) & Ci);
+ Aba ^= 0x8000000080008008ULL;
+ Abe = Ce ^ ((~Ci) & Co);
+ Abi = Ci ^ ((~Co) & Cu);
+ Abo = Co ^ ((~Cu) & Ca);
+ Abu = Cu ^ ((~Ca) & Ce);
+ Ebo ^= Do;
+ Ca = rotl64(Ebo, 28);
+ Egu ^= Du;
+ Ce = rotl64(Egu, 20);
+ Eka ^= Da;
+ Ci = rotl64(Eka, 3);
+ Eme ^= De;
+ Co = rotl64(Eme, 45);
+ Esi ^= Di;
+ Cu = rotl64(Esi, 61);
+ Aga = Ca ^ ((~Ce) & Ci);
+ Age = Ce ^ ((~Ci) & Co);
+ Agi = Ci ^ ((~Co) & Cu);
+ Ago = Co ^ ((~Cu) & Ca);
+ Agu = Cu ^ ((~Ca) & Ce);
+ Ebe ^= De;
+ Ca = rotl64(Ebe, 1);
+ Egi ^= Di;
+ Ce = rotl64(Egi, 6);
+ Eko ^= Do;
+ Ci = rotl64(Eko, 25);
+ Emu ^= Du;
+ Co = rotl64(Emu, 8);
+ Esa ^= Da;
+ Cu = rotl64(Esa, 18);
+ Aka = Ca ^ ((~Ce) & Ci);
+ Ake = Ce ^ ((~Ci) & Co);
+ Aki = Ci ^ ((~Co) & Cu);
+ Ako = Co ^ ((~Cu) & Ca);
+ Aku = Cu ^ ((~Ca) & Ce);
+ Ebu ^= Du;
+ Ca = rotl64(Ebu, 27);
+ Ega ^= Da;
+ Ce = rotl64(Ega, 36);
+ Eke ^= De;
+ Ci = rotl64(Eke, 10);
+ Emi ^= Di;
+ Co = rotl64(Emi, 15);
+ Eso ^= Do;
+ Cu = rotl64(Eso, 56);
+ Ama = Ca ^ ((~Ce) & Ci);
+ Ame = Ce ^ ((~Ci) & Co);
+ Ami = Ci ^ ((~Co) & Cu);
+ Amo = Co ^ ((~Cu) & Ca);
+ Amu = Cu ^ ((~Ca) & Ce);
+ Ebi ^= Di;
+ Ca = rotl64(Ebi, 62);
+ Ego ^= Do;
+ Ce = rotl64(Ego, 55);
+ Eku ^= Du;
+ Ci = rotl64(Eku, 39);
+ Ema ^= Da;
+ Co = rotl64(Ema, 41);
+ Ese ^= De;
+ Cu = rotl64(Ese, 2);
+ Asa = Ca ^ ((~Ce) & Ci);
+ Ase = Ce ^ ((~Ci) & Co);
+ Asi = Ci ^ ((~Co) & Cu);
+ Aso = Co ^ ((~Cu) & Ca);
+ Asu = Cu ^ ((~Ca) & Ce);
+
+ state[0] = Aba;
+ state[1] = Abe;
+ state[2] = Abi;
+ state[3] = Abo;
+ state[4] = Abu;
+ state[5] = Aga;
+ state[6] = Age;
+ state[7] = Agi;
+ state[8] = Ago;
+ state[9] = Agu;
+ state[10] = Aka;
+ state[11] = Ake;
+ state[12] = Aki;
+ state[13] = Ako;
+ state[14] = Aku;
+ state[15] = Ama;
+ state[16] = Ame;
+ state[17] = Ami;
+ state[18] = Amo;
+ state[19] = Amu;
+ state[20] = Asa;
+ state[21] = Ase;
+ state[22] = Asi;
+ state[23] = Aso;
+ state[24] = Asu;
+}
+
+void OQS_SHA3_keccak_absorb(uint64_t *state, size_t rate, const uint8_t *input, size_t inplen, uint8_t domain) {
+ uint8_t msg[200];
+ size_t i;
+
+ while (inplen >= rate) {
+ for (i = 0; i < rate / 8; ++i) {
+ state[i] ^= load64(input + (8 * i));
+ }
+
+ OQS_SHA3_keccak_permute(state);
+
+ inplen -= rate;
+ input += rate;
+ }
+
+ for (i = 0; i < inplen; ++i) {
+ msg[i] = input[i];
+ }
+
+ msg[inplen] = domain;
+
+ for (i = inplen + 1; i < rate; ++i) {
+ msg[i] = 0;
+ }
+
+ msg[rate - 1] |= 128;
+
+ for (i = 0; i < rate / 8; ++i) {
+ state[i] ^= load64(msg + (8 * i));
+ }
+}
+
+void OQS_SHA3_sha3256(uint8_t *output, const uint8_t *input, size_t inplen) {
+ uint64_t state[SHA3_STATESIZE];
+ uint8_t hash[SHA3_SHA3_256_RATE];
+ size_t i;
+
+ for (i = 0; i < SHA3_STATESIZE; ++i) {
+ state[i] = 0;
+ }
+
+ OQS_SHA3_keccak_absorb(state, SHA3_SHA3_256_RATE, input, inplen, SHA3_SHA3_DOMAIN);
+ OQS_SHA3_keccak_squeezeblocks(hash, 1, state, SHA3_SHA3_256_RATE);
+
+ for (i = 0; i < 32; i++) {
+ output[i] = hash[i];
+ }
+}
+
+void OQS_SHA3_sha3512(uint8_t *output, const uint8_t *input, size_t inplen) {
+ uint64_t state[SHA3_STATESIZE];
+ uint8_t hash[SHA3_SHA3_512_RATE];
+ size_t i;
+
+ for (i = 0; i < SHA3_STATESIZE; ++i) {
+ state[i] = 0;
+ }
+
+ OQS_SHA3_keccak_absorb(state, SHA3_SHA3_512_RATE, input, inplen, SHA3_SHA3_DOMAIN);
+ OQS_SHA3_keccak_squeezeblocks(hash, 1, state, SHA3_SHA3_512_RATE);
+
+ for (i = 0; i < 64; i++) {
+ output[i] = hash[i];
+ }
+}
+
+void OQS_SHA3_keccak_squeezeblocks(uint8_t *output, size_t nblocks, uint64_t *state, size_t rate) {
+ size_t i;
+
+ while (nblocks > 0) {
+ OQS_SHA3_keccak_permute(state);
+
+ for (i = 0; i < (rate >> 3); i++) {
+ store64(output + 8 * i, state[i]);
+ }
+
+ output += rate;
+ nblocks--;
+ }
+}
+
+/* SHAKE */
+
+void OQS_SHA3_shake128(uint8_t *output, size_t outlen, const uint8_t *input, size_t inplen) {
+ size_t nblocks = outlen / SHA3_SHAKE128_RATE;
+ uint64_t state[SHA3_STATESIZE];
+ uint8_t hash[SHA3_SHAKE128_RATE];
+ size_t i;
+
+ for (i = 0; i < SHA3_STATESIZE; ++i) {
+ state[i] = 0;
+ }
+
+ OQS_SHA3_keccak_absorb(state, SHA3_SHAKE128_RATE, input, inplen, SHA3_SHAKE_DOMAIN);
+ OQS_SHA3_keccak_squeezeblocks(output, nblocks, state, SHA3_SHAKE128_RATE);
+
+ output += (nblocks * SHA3_SHAKE128_RATE);
+ outlen -= (nblocks * SHA3_SHAKE128_RATE);
+
+ if (outlen != 0) {
+ OQS_SHA3_keccak_squeezeblocks(hash, 1, state, SHA3_SHAKE128_RATE);
+
+ for (i = 0; i < outlen; i++) {
+ output[i] = hash[i];
+ }
+ }
+}
+
+void OQS_SHA3_shake128_absorb(uint64_t *state, const uint8_t *input, size_t inplen) {
+ OQS_SHA3_keccak_absorb(state, SHA3_SHAKE128_RATE, input, inplen, SHA3_SHAKE_DOMAIN);
+}
+
+void OQS_SHA3_shake128_squeezeblocks(uint8_t *output, size_t nblocks, uint64_t *state) {
+ OQS_SHA3_keccak_squeezeblocks(output, nblocks, state, SHA3_SHAKE128_RATE);
+}
+
+void OQS_SHA3_shake256(uint8_t *output, size_t outlen, const uint8_t *input, size_t inplen) {
+ size_t nblocks = outlen / SHA3_SHAKE256_RATE;
+ uint64_t state[SHA3_STATESIZE];
+ uint8_t hash[SHA3_SHAKE256_RATE];
+ size_t i;
+
+ for (i = 0; i < SHA3_STATESIZE; ++i) {
+ state[i] = 0;
+ }
+
+ OQS_SHA3_keccak_absorb(state, SHA3_SHAKE256_RATE, input, inplen, SHA3_SHAKE_DOMAIN);
+ OQS_SHA3_keccak_squeezeblocks(output, nblocks, state, SHA3_SHAKE256_RATE);
+
+ output += (nblocks * SHA3_SHAKE256_RATE);
+ outlen -= (nblocks * SHA3_SHAKE256_RATE);
+
+ if (outlen != 0) {
+ OQS_SHA3_keccak_squeezeblocks(hash, 1, state, SHA3_SHAKE256_RATE);
+
+ for (i = 0; i < outlen; i++) {
+ output[i] = hash[i];
+ }
+ }
+}
+
+void OQS_SHA3_shake256_absorb(uint64_t *state, const uint8_t *input, size_t inplen) {
+ OQS_SHA3_keccak_absorb(state, SHA3_SHAKE256_RATE, input, inplen, SHA3_SHAKE_DOMAIN);
+}
+
+void OQS_SHA3_shake256_squeezeblocks(uint8_t *output, size_t nblocks, uint64_t *state) {
+ OQS_SHA3_keccak_squeezeblocks(output, nblocks, state, SHA3_SHAKE256_RATE);
+}
+
+/* cSHAKE */
+
+void OQS_SHA3_cshake128_simple(uint8_t *output, size_t outlen, uint16_t cstm, const uint8_t *input, size_t inplen) {
+ size_t nblocks = outlen / SHA3_CSHAKE128_RATE;
+ uint64_t state[SHA3_STATESIZE];
+ uint8_t hash[SHA3_CSHAKE128_RATE];
+ size_t i;
+
+ for (i = 0; i < SHA3_STATESIZE; ++i) {
+ state[i] = 0;
+ }
+
+ OQS_SHA3_cshake128_simple_absorb(state, cstm, input, inplen);
+ OQS_SHA3_keccak_squeezeblocks(output, nblocks, state, SHA3_CSHAKE128_RATE);
+
+ output += (nblocks * SHA3_CSHAKE128_RATE);
+ outlen -= (nblocks * SHA3_CSHAKE128_RATE);
+
+ if (outlen != 0) {
+ OQS_SHA3_keccak_squeezeblocks(hash, 1, state, SHA3_CSHAKE128_RATE);
+
+ for (i = 0; i < outlen; i++) {
+ output[i] = hash[i];
+ }
+ }
+}
+
+void OQS_SHA3_cshake128_simple_absorb(uint64_t *state, uint16_t cstm, const uint8_t *input, size_t inplen) {
+ /* Note: This function doesn't align exactly to cSHAKE (SP800-185 3.2), which should produce
+ SHAKE output if S and N = zero (sort of a customized custom-SHAKE function).
+ Padding is hard-coded as the first 32 bits, plus 16 bits of fixed S,
+ and 16 bits of counter, equivalant to S=cstm, N=0.
+ The short integer optimizes this function for a digest counter configuration */
+
+ uint8_t sep[8];
+ sep[0] = 0x01; /* bytepad */
+ sep[1] = 0xA8;
+ sep[2] = 0x01;
+ sep[3] = 0x00;
+ sep[4] = 0x01;
+ sep[5] = 0x10; /* bitlen of cstm */
+ sep[6] = cstm & 0xFF;
+ sep[7] = cstm >> 8;
+
+ state[0] = load64(sep);
+
+ /* transform the domain string */
+ OQS_SHA3_keccak_permute(state);
+
+ /* absorb the state */
+ OQS_SHA3_keccak_absorb(state, SHA3_CSHAKE128_RATE, input, inplen, SHA3_CSHAKE_DOMAIN);
+}
+
+void OQS_SHA3_cshake128_simple_squeezeblocks(uint8_t *output, size_t nblocks, uint64_t *state) {
+ OQS_SHA3_keccak_squeezeblocks(output, nblocks, state, SHA3_CSHAKE128_RATE);
+}
+
+void OQS_SHA3_cshake256_simple(uint8_t *output, size_t outlen, uint16_t cstm, const uint8_t *input, size_t inplen) {
+ size_t nblocks = outlen / SHA3_CSHAKE256_RATE;
+ uint64_t state[SHA3_STATESIZE];
+ uint8_t hash[SHA3_CSHAKE256_RATE];
+ size_t i;
+
+ for (i = 0; i < SHA3_STATESIZE; ++i) {
+ state[i] = 0;
+ }
+
+ OQS_SHA3_cshake256_simple_absorb(state, cstm, input, inplen);
+ OQS_SHA3_keccak_squeezeblocks(output, nblocks, state, SHA3_CSHAKE256_RATE);
+
+ output += (nblocks * SHA3_CSHAKE256_RATE);
+ outlen -= (nblocks * SHA3_CSHAKE256_RATE);
+
+ if (outlen != 0) {
+ OQS_SHA3_keccak_squeezeblocks(hash, 1, state, SHA3_CSHAKE256_RATE);
+
+ for (i = 0; i < outlen; i++) {
+ output[i] = hash[i];
+ }
+ }
+}
+
+void OQS_SHA3_cshake256_simple_absorb(uint64_t *state, uint16_t cstm, const uint8_t *input, size_t inplen) {
+ uint8_t sep[8];
+ sep[0] = 0x01; /* bytepad */
+ sep[1] = 0x88;
+ sep[2] = 0x01;
+ sep[3] = 0x00;
+ sep[4] = 0x01;
+ sep[5] = 0x10; /* bitlen of cstm */
+ sep[6] = cstm & 0xFF;
+ sep[7] = cstm >> 8;
+
+ state[0] = load64(sep);
+
+ /* transform the domain string */
+ OQS_SHA3_keccak_permute(state);
+
+ /* absorb the state */
+ OQS_SHA3_keccak_absorb(state, SHA3_CSHAKE256_RATE, input, inplen, SHA3_CSHAKE_DOMAIN);
+}
+
+void OQS_SHA3_cshake256_simple_squeezeblocks(uint8_t *output, size_t nblocks, uint64_t *state) {
+ OQS_SHA3_keccak_squeezeblocks(output, nblocks, state, SHA3_CSHAKE256_RATE);
+}
diff --git a/src/ringct20/sha3.h b/src/ringct20/sha3.h
new file mode 100644
index 0000000..0cd139d
--- /dev/null
+++ b/src/ringct20/sha3.h
@@ -0,0 +1,300 @@
+/**
+* \file sha3.h
+* \brief <b>SHA3 header definition</b> \n
+* Contains the public api and documentation for SHA3 digest and SHAKE implementations.
+*
+* \author John Underhill
+* \date December 29, 2017
+* \remarks For usage examples, see sha3_test.h
+*/
+
+#ifndef OQS_SHA3_H
+#define OQS_SHA3_H
+
+#include <stddef.h>
+#include <stdint.h>
+
+/*!
+\def OQS_SHA3_CSHAKE_DOMAIN
+* The cSHAKE function domain code
+*/
+#define OQS_SHA3_CSHAKE_DOMAIN 0x04
+
+/*!
+\def OQS_SHA3_CSHAKE128_RATE
+* The cSHAKE-128 byte absorption rate
+*/
+#define OQS_SHA3_CSHAKE128_RATE 168
+
+/*!
+\def OQS_SHA3_CSHAKE256_RATE
+* The cSHAKE-256 byte absorption rate
+*/
+#define OQS_SHA3_CSHAKE256_RATE 136
+
+/*!
+\def OQS_SHA3_SHA3_DOMAIN
+* The SHA3 function domain code
+*/
+#define OQS_SHA3_SHA3_DOMAIN 0x06
+
+/*!
+\def OQS_SHA3_SHA3_256_RATE
+* The SHA-256 byte absorption rate
+*/
+#define OQS_SHA3_SHA3_256_RATE 136
+
+/*!
+\def OQS_SHA3_SHA3_512_RATE
+* The SHA-512 byte absorption rate
+*/
+#define OQS_SHA3_SHA3_512_RATE 72
+
+/*!
+\def OQS_SHA3_SHAKE_DOMAIN
+* The function domain code
+*/
+#define OQS_SHA3_SHAKE_DOMAIN 0x1F
+
+/*!
+\def OQS_SHA3_SHAKE128_RATE
+* The SHAKE-128 byte absorption rate
+*/
+#define OQS_SHA3_SHAKE128_RATE 168
+
+/*!
+\def OQS_SHA3_SHAKE256_RATE
+* The SHAKE-256 byte absorption rate
+*/
+#define OQS_SHA3_SHAKE256_RATE 136
+
+/*!
+\def OQS_SHA3_STATESIZE
+* The Keccak SHA3 state array size
+*/
+#define OQS_SHA3_STATESIZE 25
+
+/* SHA3 */
+
+/**
+* \brief Process a message with SHA3-256 and return the hash code in the output byte array.
+*
+* \warning The output array must be at least 32 bytes in length.
+*
+* \param output The output byte array
+* \param input The message input byte array
+* \param inplen The number of message bytes to process
+*/
+void OQS_SHA3_sha3256(uint8_t *output, const uint8_t *input, size_t inplen);
+
+/**
+* \brief Process a message with SHA3-512 and return the hash code in the output byte array.
+*
+* \warning The output array must be at least 64 bytes in length.
+*
+* \param output The output byte array
+* \param input The message input byte array
+* \param inplen The number of message bytes to process
+*/
+void OQS_SHA3_sha3512(uint8_t *output, const uint8_t *input, size_t inplen);
+
+/**
+* \brief The Keccak absorb function.
+* Absorb an input message array directly into the state.
+*
+* \warning Finalizes the message state, can not be used in consecutive calls. \n
+* State must be initialized (and zeroed) by the caller.
+*
+* \param state The function state; must be initialized
+* \param rate The rate of absorption, in bytes
+* \param input The input message byte array
+* \param inplen The number of message bytes to process
+* \param domain The domain seperation code (SHA3=0x06, SHAKE=0x1F, cSHAKE=0x04)
+*/
+void OQS_SHA3_keccak_absorb(uint64_t *state, size_t rate, const uint8_t *input, size_t inplen, uint8_t domain);
+
+/**
+* \brief The Keccak permute function.
+* Permutes the state array, can be used in conjunction with the keccak_absorb function.
+*
+* \param state The function state; must be initialized
+*/
+void OQS_SHA3_keccak_permute(uint64_t *state);
+
+/**
+* \brief The Keccak squeeze function.
+* Permutes and extracts the state to an output byte array.
+*
+* \warning Output array must be initialized to a multiple of the byte rate.
+*
+* \param output The output byte array
+* \param nblocks The number of blocks to extract
+* \param state The function state; must be pre-initialized
+* \param rate The rate of absorption, in bytes
+*/
+void OQS_SHA3_keccak_squeezeblocks(uint8_t *output, size_t nblocks, uint64_t *state, size_t rate);
+
+/* SHAKE */
+
+/**
+* \brief Seed a SHAKE-128 instance, and generate an array of pseudo-random bytes.
+*
+* \warning The output array length must not be zero.
+*
+* \param output The output byte array
+* \param outlen The number of output bytes to generate
+* \param input The input seed byte array
+* \param inplen The number of seed bytes to process
+*/
+void OQS_SHA3_shake128(uint8_t *output, size_t outlen, const uint8_t *input, size_t inplen);
+
+/**
+* \brief The SHAKE-128 absorb function.
+* Absorb and finalize an input seed byte array.
+* Should be used in conjunction with the shake128_squeezeblocks function.
+*
+* \warning Finalizes the seed state, should not be used in consecutive calls. \n
+* State must be initialized (and zeroed) by the caller.
+*
+* \param state The function state; must be pre-initialized
+* \param input The input seed byte array
+* \param inplen The number of seed bytes to process
+*/
+void OQS_SHA3_shake128_absorb(uint64_t *state, const uint8_t *input, size_t inplen);
+
+/**
+* \brief The SHAKE-128 squeeze function.
+* Permutes and extracts the state to an output byte array.
+* Should be used in conjunction with the shake128_absorb function.
+*
+* \warning Output array must be initialized to a multiple of the byte rate.
+*
+* \param output The output byte array
+* \param nblocks The number of blocks to extract
+* \param state The function state; must be pre-initialized
+*/
+void OQS_SHA3_shake128_squeezeblocks(uint8_t *output, size_t nblocks, uint64_t *state);
+
+/**
+* \brief Seed a SHAKE-256 instance, and generate an array of pseudo-random bytes.
+*
+* \warning The output array length must not be zero.
+*
+* \param output The output byte array
+* \param outlen The number of output bytes to generate
+* \param input The input seed byte array
+* \param inplen The number of seed bytes to process
+*/
+void OQS_SHA3_shake256(uint8_t *output, size_t outlen, const uint8_t *input, size_t inplen);
+
+/**
+* \brief The SHAKE-256 absorb function.
+* Absorb and finalize an input seed byte array.
+* Should be used in conjunction with the shake256_squeezeblocks function.
+*
+* \warning Finalizes the seed state, should not be used in consecutive calls. \n
+* State must be initialized (and zeroed) by the caller.
+*
+* \param state The function state; must be pre-initialized
+* \param input The input seed byte array
+* \param inplen The number of seed bytes to process
+*/
+void OQS_SHA3_shake256_absorb(uint64_t *state, const uint8_t *input, size_t inplen);
+
+/**
+* \brief The SHAKE-256 squeeze function.
+* Permutes and extracts the state to an output byte array.
+*
+* \warning Output array must be initialized to a multiple of the byte rate.
+*
+* \param output The output byte array
+* \param nblocks The number of blocks to extract
+* \param state The function state; must be pre-initialized
+*/
+void OQS_SHA3_shake256_squeezeblocks(uint8_t *output, size_t nblocks, uint64_t *state);
+
+/* cSHAKE */
+
+/**
+* \brief Seed a cSHAKE-128 instance and generate pseudo-random output.
+* Permutes and extracts the state to an output byte array.
+*
+* \warning This function has a counter period of 2^16.
+*
+* \param output The output byte array
+* \param outlen The number of output bytes to generate
+* \param cstm The 16bit customization integer
+* \param input The input seed byte array
+* \param inplen The number of seed bytes to process
+*/
+void OQS_SHA3_cshake128_simple(uint8_t *output, size_t outlen, uint16_t cstm, const uint8_t *input, size_t inplen);
+
+/**
+* \brief The cSHAKE-128 simple absorb function.
+* Absorb and finalize an input seed directly into the state.
+* Should be used in conjunction with the cshake128_simple_squeezeblocks function.
+*
+* \warning Finalizes the seed state, should not be used in consecutive calls. \n
+* State must be initialized (and zeroed) by the caller.
+*
+* \param state The function state; must be pre-initialized
+* \param cstm The 16bit customization integer
+* \param input The input seed byte array
+* \param inplen The number of seed bytes to process
+*/
+void OQS_SHA3_cshake128_simple_absorb(uint64_t *state, uint16_t cstm, const uint8_t *input, size_t inplen);
+
+/**
+* \brief The cSHAKE-128 simple squeeze function.
+* Permutes and extracts blocks of state to an output byte array.
+*
+* \warning Output array must be initialized to a multiple of the byte rate.
+*
+* \param output The output byte array
+* \param nblocks The number of blocks to extract
+* \param state The function state; must be pre-initialized
+*/
+void OQS_SHA3_cshake128_simple_squeezeblocks(uint8_t *output, size_t nblocks, uint64_t *state);
+
+/**
+* \brief Seed a cSHAKE-256 instance and generate pseudo-random output.
+* Permutes and extracts the state to an output byte array.
+*
+* \warning This function has a counter period of 2^16.
+*
+* \param output The output byte array
+* \param outlen The number of output bytes to generate
+* \param cstm The 16bit customization integer
+* \param input The input seed byte array
+* \param inplen The number of seed bytes to process
+*/
+void OQS_SHA3_cshake256_simple(uint8_t *output, size_t outlen, uint16_t cstm, const uint8_t *input, size_t inplen);
+
+/**
+* \brief The cSHAKE-256 simple absorb function.
+* Absorb and finalize an input seed directly into the state.
+* Should be used in conjunction with the cshake256_simple_squeezeblocks function.
+*
+* \warning Finalizes the seed state, should not be used in consecutive calls. \n
+* State must be initialized (and zeroed) by the caller.
+*
+* \param state The function state; must be pre-initialized
+* \param cstm The 16bit customization integer
+* \param input The input seed byte array
+* \param inplen The number of seed bytes to process
+*/
+void OQS_SHA3_cshake256_simple_absorb(uint64_t *state, uint16_t cstm, const uint8_t *input, size_t inplen);
+
+/**
+* \brief The cSHAKE-256 simple squeeze function.
+* Permutes and extracts blocks of state to an output byte array.
+*
+* \warning Output array must be initialized to a multiple of the byte rate.
+*
+* \param output The output byte array
+* \param nblocks The number of blocks to extract
+* \param state The function state; must be pre-initialized
+*/
+void OQS_SHA3_cshake256_simple_squeezeblocks(uint8_t *output, size_t nblocks, uint64_t *state);
+
+#endif
diff --git a/src/ringct20/targetver.h b/src/ringct20/targetver.h
new file mode 100644
index 0000000000000000000000000000000000000000..e2da66c055b4ed740ac1cdda9493502afe5573b6
GIT binary patch
literal 370
zcmezWPnn^Bp@<=oA)O%?NGdSoGvqNOGo&)`GH`*hK7&3`lr{KGk^)08gA0Q<5QE4t
zpqe5EJ%$XREL+U1XivZQ!5XD4Wen*zW_c9pq_>nQFoZK?0!>Q+npw_J3{+Pf_aT_c
z0M+EC$T{haomPHN{d|LP>5(rLNSYF-QOaG_AIJ0mdpE>25Yr)ULb!(Ke_0$`49E_M
z%h_TS7~+90@nrC0FlI1<v;7!CfG+Bf-q)R1Z{^q6sh`T2+)@T|A<uuaLcWmRKzx2i
b_(B=%$7F^ahEkwUQ-NmM;0Px>aCia$sR&Y~
literal 0
HcmV?d00001
diff --git a/src/ringct20/verify.c b/src/ringct20/verify.c
new file mode 100644
index 0000000..f87691a
--- /dev/null
+++ b/src/ringct20/verify.c
@@ -0,0 +1,52 @@
+#include <string.h>
+#include <stdint.h>
+
+/*************************************************
+* Name: verify_ringct20
+*
+* Description: Compare two arrays for equality in constant time.
+*
+* Arguments: const unsigned char *a: pointer to first byte array
+* const unsigned char *b: pointer to second byte array
+* size_t len: length of the byte arrays
+*
+* Returns 0 if the byte arrays are equal, 1 otherwise
+**************************************************/
+int verify_ringct20(const unsigned char *a, const unsigned char *b, size_t len) {
+ uint64_t r;
+ size_t i;
+ r = 0;
+ i = 0;
+ while (i < len)
+ {
+ if (a[i] != b[i])
+ {
+ r = 1;
+ break;
+ }
+ i++;
+ }
+
+ return r;
+}
+
+/*************************************************
+* Name: cmov
+*
+* Description: Copy len bytes from x to r if b is 1;
+* don't modify x if b is 0. Requires b to be in {0,1};
+* assumes two's complement representation of negative integers.
+* Runs in constant time.
+*
+* Arguments: unsigned char *r: pointer to output byte array
+* const unsigned char *x: pointer to input byte array
+* size_t len: Amount of bytes to be copied
+* unsigned char b: Condition bit; has to be in {0,1}
+**************************************************/
+void cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b) {
+ size_t i;
+
+ b = -b;
+ for (i = 0; i < len; i++)
+ r[i] ^= b & (x[i] ^ r[i]);
+}
diff --git a/src/ringct20/verify.h b/src/ringct20/verify.h
new file mode 100644
index 0000000..007eaa3
--- /dev/null
+++ b/src/ringct20/verify.h
@@ -0,0 +1,12 @@
+#ifndef VERIFY_H
+#define VERIFY_H
+
+#include <stdio.h>
+
+/* returns 0 for equal strings, 1 for non-equal strings */
+int verify_ringct20(const unsigned char *a, const unsigned char *b, size_t len);
+
+/* b = 1 means mov, b = 0 means don't mov*/
+void cmov(unsigned char *r, const unsigned char *x, size_t len, unsigned char b);
+
+#endif
diff --git a/test/crypto/dap_enc_ringct20_test.c b/test/crypto/dap_enc_ringct20_test.c
new file mode 100644
index 0000000..60e13fe
--- /dev/null
+++ b/test/crypto/dap_enc_ringct20_test.c
@@ -0,0 +1,59 @@
+#include "dap_test_generator.h"
+#include "dap_enc_ringct20_test.h"
+#include "dap_enc_ringct20.h"
+#include "ringct20/ringct20_params.h"
+
+static void test_signing_verifying(void)
+{
+ static size_t source_size = 0;
+ size_t seed_size = sizeof(uint8_t);
+ uint8_t seed[seed_size];
+
+ generate_random_byte_array(seed, seed_size);
+
+ dap_enc_key_t* key = dap_enc_key_new_generate(DAP_ENC_KEY_TYPE_SIG_RINGCT20, NULL, 0, seed, seed_size, 0);
+
+ size_t max_signature_size = dap_enc_ringct20_calc_signature_size();
+ uint8_t* sig = calloc(max_signature_size, 1);
+
+ int step = 1 + (rand() % 20);
+ source_size += (size_t) step;
+
+ uint8_t source[source_size];
+ generate_random_byte_array(source, source_size);
+
+ size_t siglen = key->enc_na(key, source, source_size, sig, max_signature_size);
+ dap_assert_PIF(siglen > 0, "Signing message");
+
+ size_t verify = key->dec_na(key, source, source_size, sig, siglen);
+
+ dap_assert_PIF(!verify, "Verifying signature");
+
+ ringct20_signature_delete((ringct20_signature_t*)sig);
+ free(sig);
+ dap_enc_key_delete(key);
+}
+
+static void init_test_case()
+{
+ srand((uint32_t) time(NULL));
+ dap_enc_key_init();
+}
+
+static void cleanup_test_case()
+{
+ dap_enc_key_deinit();
+}
+
+void dap_enc_ringct20_tests_run(const int times)
+{
+ dap_print_module_name("dap_enc_ringct20");
+ init_test_case();
+ char print_buf[512];
+ sprintf_s(print_buf, 512, "Signing and verifying message %d time", times);
+
+ benchmark_mgs_time(print_buf, benchmark_test_time(test_signing_verifying, times));
+
+ cleanup_test_case();
+}
+
diff --git a/test/crypto/dap_enc_ringct20_test.h b/test/crypto/dap_enc_ringct20_test.h
new file mode 100644
index 0000000..0650af3
--- /dev/null
+++ b/test/crypto/dap_enc_ringct20_test.h
@@ -0,0 +1,5 @@
+#pragma once
+#include "dap_enc_key.h"
+#include "dap_test.h"
+
+void dap_enc_ringct20_tests_run(const int);
diff --git a/test/crypto/main.c b/test/crypto/main.c
index 8088a5e..a9e705a 100755
--- a/test/crypto/main.c
+++ b/test/crypto/main.c
@@ -9,25 +9,29 @@
#include "dap_enc_picnic_test.h"
#include "dap_enc_tesla_test.h"
#include "dap_enc_dilithium_test.h"
+#include "dap_enc_ringct20_test.h"
#include "dap_enc_sign_multi_test.h"
#include "rand/dap_rand.h"
#include "dap_common.h"
-
+#include"ringct20/ring_test.h"
int main(void)
{
// switch off debug info from library
dap_log_level_set(L_CRITICAL);
- dap_enc_aes_tests_run();
+ //LRCT_Setup_Test();
+ dap_enc_ringct20_tests_run(100);
+ //dap_enc_picnic_tests_run();
+ //dap_enc_sig_bliss_tests_run(10);
+ //dap_enc_dilithium_tests_run(10);
+/* dap_enc_aes_tests_run();
dap_enc_oaes_tests_run();
dap_enc_base64_tests_run();
dap_enc_base58_tests_run();
dap_enc_msrln_tests_run();
dap_enc_tests_run();
- dap_enc_sig_bliss_tests_run();
dap_enc_defeo_tests_run();
dap_enc_tesla_tests_run();
- dap_enc_picnic_tests_run();
- dap_enc_dilithium_tests_run();
dap_enc_multi_sign_tests_run();
+*/
}
--
GitLab