/src/libgcrypt/cipher/kyber.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* kyber.c - the Kyber key encapsulation mechanism (main part) |
2 | | * Copyright (C) 2024 g10 Code GmbH |
3 | | * |
4 | | * This file was modified for use by Libgcrypt. |
5 | | * |
6 | | * This file is free software; you can redistribute it and/or modify |
7 | | * it under the terms of the GNU Lesser General Public License as |
8 | | * published by the Free Software Foundation; either version 2.1 of |
9 | | * the License, or (at your option) any later version. |
10 | | * |
11 | | * This file is distributed in the hope that it will be useful, |
12 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
13 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
14 | | * GNU Lesser General Public License for more details. |
15 | | * |
16 | | * You should have received a copy of the GNU Lesser General Public |
17 | | * License along with this program; if not, see <https://www.gnu.org/licenses/>. |
18 | | * SPDX-License-Identifier: LGPL-2.1-or-later |
19 | | * |
20 | | * You can also use this file under the same licence of original code. |
21 | | * SPDX-License-Identifier: CC0 OR Apache-2.0 |
22 | | * |
23 | | */ |
24 | | /* |
25 | | Original code from: |
26 | | |
27 | | Repository: https://github.com/pq-crystals/kyber.git |
28 | | Branch: standard |
29 | | Commit: 11d00ff1f20cfca1f72d819e5a45165c1e0a2816 |
30 | | |
31 | | Licence: |
32 | | Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/); |
33 | | or Apache 2.0 License (https://www.apache.org/licenses/LICENSE-2.0.html). |
34 | | |
35 | | Authors: |
36 | | Joppe Bos |
37 | | Léo Ducas |
38 | | Eike Kiltz |
39 | | Tancrède Lepoint |
40 | | Vadim Lyubashevsky |
41 | | John Schanck |
42 | | Peter Schwabe |
43 | | Gregor Seiler |
44 | | Damien Stehlé |
45 | | |
46 | | Kyber Home: https://www.pq-crystals.org/kyber/ |
47 | | */ |
48 | | /* |
49 | | * This implementation consists of four files: kyber.h (header), |
50 | | * kyber.c (this), kyber-common.c (common part), and kyber-kdep.c |
51 | | * (KYBER_K dependent part). |
52 | | * |
53 | | * It is for inclusion in libgcrypt library. Also, standalone use of |
54 | | * the implementation is possible. With KYBER_K defined, it can offer |
55 | | * the variant of that KYBER_K specified. Otherwise, three variants |
56 | | * are offered. |
57 | | * |
58 | | * From original code, following modification was made. |
59 | | * |
60 | | * - C++ style comments are changed to C-style. |
61 | | * |
62 | | * - No use of KYBER_NAMESPACE and FIPS202_NAMESPACE. Don't export |
63 | | * internal symbols. |
64 | | * |
65 | | * - "verify" routine is changed to return 1 on success, and now has |
66 | | * new name "verify1", so that the use of the routine won't need |
67 | | * negation (since negation might result non-constant-time code with |
68 | | * branch by some compiler). |
69 | | * |
70 | | * - For "xof" routines, definitions of xof_init and xof_close are |
71 | | * added, so that memory will be possible to be cleared after its |
72 | | * use. |
73 | | * |
74 | | * - Different external API for shake128, having _init and _close. |
75 | | * |
76 | | * - New implementation of kyber_shake128_absorb, with the shake128 |
77 | | * API. |
78 | | * |
79 | | * - Added an external function: shake256v with variable arguments. |
80 | | * |
81 | | * - Macro definitions of xof_squeezeblocks, prf, and rkprf are |
82 | | * modified to use the shake128 API and the shake256v function. |
83 | | * |
84 | | */ |
85 | | |
86 | | #ifdef HAVE_CONFIG_H |
87 | | #include <config.h> |
88 | | #endif |
89 | | |
90 | | #include <stddef.h> |
91 | | #include <stdint.h> |
92 | | #include <string.h> |
93 | | |
94 | | #ifdef _GCRYPT_IN_LIBGCRYPT |
95 | | #include <stdarg.h> |
96 | | #include <gpg-error.h> |
97 | | |
98 | | #include "types.h" |
99 | | #include "g10lib.h" |
100 | | #include "gcrypt-int.h" |
101 | | #include "const-time.h" |
102 | | #include "kyber.h" |
103 | | |
104 | | static int crypto_kem_keypair_derand_2(uint8_t *pk, uint8_t *sk, |
105 | | const uint8_t *coins); |
106 | | static int crypto_kem_keypair_derand_3(uint8_t *pk, uint8_t *sk, |
107 | | const uint8_t *coins); |
108 | | static int crypto_kem_keypair_derand_4(uint8_t *pk, uint8_t *sk, |
109 | | const uint8_t *coins); |
110 | | |
111 | | static int crypto_kem_keypair_2(uint8_t *pk, uint8_t *sk); |
112 | | static int crypto_kem_keypair_3(uint8_t *pk, uint8_t *sk); |
113 | | static int crypto_kem_keypair_4(uint8_t *pk, uint8_t *sk); |
114 | | |
115 | | static int crypto_kem_enc_derand_2(uint8_t *ct, uint8_t *ss, const uint8_t *pk, |
116 | | const uint8_t *coins); |
117 | | static int crypto_kem_enc_derand_3(uint8_t *ct, uint8_t *ss, const uint8_t *pk, |
118 | | const uint8_t *coins); |
119 | | static int crypto_kem_enc_derand_4(uint8_t *ct, uint8_t *ss, const uint8_t *pk, |
120 | | const uint8_t *coins); |
121 | | |
122 | | static int crypto_kem_enc_2(uint8_t *ct, uint8_t *ss, const uint8_t *pk); |
123 | | static int crypto_kem_enc_3(uint8_t *ct, uint8_t *ss, const uint8_t *pk); |
124 | | static int crypto_kem_enc_4(uint8_t *ct, uint8_t *ss, const uint8_t *pk); |
125 | | |
126 | | static int crypto_kem_dec_2(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); |
127 | | static int crypto_kem_dec_3(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); |
128 | | static int crypto_kem_dec_4(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); |
129 | | |
130 | | void |
131 | | kyber_keypair (int algo, uint8_t *pk, uint8_t *sk, const uint8_t *coins) |
132 | 0 | { |
133 | 0 | switch (algo) |
134 | 0 | { |
135 | 0 | case GCRY_KEM_MLKEM512: |
136 | 0 | if (coins) |
137 | 0 | crypto_kem_keypair_derand_2 (pk, sk, coins); |
138 | 0 | else |
139 | 0 | crypto_kem_keypair_2 (pk, sk); |
140 | 0 | break; |
141 | 0 | case GCRY_KEM_MLKEM768: |
142 | 0 | default: |
143 | 0 | if (coins) |
144 | 0 | crypto_kem_keypair_derand_3 (pk, sk, coins); |
145 | 0 | else |
146 | 0 | crypto_kem_keypair_3 (pk, sk); |
147 | 0 | break; |
148 | 0 | case GCRY_KEM_MLKEM1024: |
149 | 0 | if (coins) |
150 | 0 | crypto_kem_keypair_derand_4 (pk, sk, coins); |
151 | 0 | else |
152 | 0 | crypto_kem_keypair_4 (pk, sk); |
153 | 0 | break; |
154 | 0 | } |
155 | 0 | } |
156 | | |
157 | | void |
158 | | kyber_encap (int algo, uint8_t *ct, uint8_t *ss, const uint8_t *pk, |
159 | | const uint8_t *coins) |
160 | 0 | { |
161 | 0 | switch (algo) |
162 | 0 | { |
163 | 0 | case GCRY_KEM_MLKEM512: |
164 | 0 | if (coins) |
165 | 0 | crypto_kem_enc_derand_2 (ct, ss, pk, coins); |
166 | 0 | else |
167 | 0 | crypto_kem_enc_2 (ct, ss, pk); |
168 | 0 | break; |
169 | 0 | case GCRY_KEM_MLKEM768: |
170 | 0 | default: |
171 | 0 | if (coins) |
172 | 0 | crypto_kem_enc_derand_3 (ct, ss, pk, coins); |
173 | 0 | else |
174 | 0 | crypto_kem_enc_3 (ct, ss, pk); |
175 | 0 | break; |
176 | 0 | case GCRY_KEM_MLKEM1024: |
177 | 0 | if (coins) |
178 | 0 | crypto_kem_enc_derand_4 (ct, ss, pk, coins); |
179 | 0 | else |
180 | 0 | crypto_kem_enc_4 (ct, ss, pk); |
181 | 0 | break; |
182 | 0 | } |
183 | 0 | } |
184 | | |
185 | | void |
186 | | kyber_decap (int algo, uint8_t *ss, const uint8_t *ct, const uint8_t *sk) |
187 | 0 | { |
188 | 0 | switch (algo) |
189 | 0 | { |
190 | 0 | case GCRY_KEM_MLKEM512: |
191 | 0 | crypto_kem_dec_2 (ss, ct, sk); |
192 | 0 | break; |
193 | 0 | case GCRY_KEM_MLKEM768: |
194 | 0 | default: |
195 | 0 | crypto_kem_dec_3 (ss, ct, sk); |
196 | 0 | break; |
197 | 0 | case GCRY_KEM_MLKEM1024: |
198 | 0 | crypto_kem_dec_4 (ss, ct, sk); |
199 | 0 | break; |
200 | 0 | } |
201 | 0 | } |
202 | | |
203 | | static void |
204 | | randombytes (uint8_t *out, size_t outlen) |
205 | 0 | { |
206 | 0 | _gcry_randomize (out, outlen, GCRY_VERY_STRONG_RANDOM); |
207 | 0 | } |
208 | | |
209 | | typedef struct { |
210 | | gcry_md_hd_t h; |
211 | | } keccak_state; |
212 | | |
213 | | static void |
214 | | shake128_init (keccak_state *state) |
215 | 0 | { |
216 | 0 | gcry_err_code_t ec; |
217 | |
|
218 | 0 | ec = _gcry_md_open (&state->h, GCRY_MD_SHAKE128, 0); |
219 | 0 | if (ec) |
220 | 0 | log_fatal ("internal md_open failed: %d\n", ec); |
221 | 0 | } |
222 | | |
223 | | static void |
224 | | shake128_absorb (keccak_state *state, const uint8_t *in, size_t inlen) |
225 | 0 | { |
226 | 0 | _gcry_md_write (state->h, in, inlen); |
227 | 0 | } |
228 | | |
229 | | static void |
230 | | shake128_finalize (keccak_state *state) |
231 | 0 | { |
232 | 0 | (void)state; |
233 | 0 | } |
234 | | |
235 | | static void |
236 | | shake128_squeeze (keccak_state *state, uint8_t *out, size_t outlen) |
237 | 0 | { |
238 | 0 | _gcry_md_extract (state->h, GCRY_MD_SHAKE128, out, outlen); |
239 | 0 | } |
240 | | |
241 | | static void |
242 | | shake128_close (keccak_state *state) |
243 | 0 | { |
244 | 0 | _gcry_md_close (state->h); |
245 | 0 | } |
246 | | |
247 | 0 | #define MAX_ARGS 16 |
248 | | static void |
249 | | shake256v (uint8_t *out, size_t outlen, ...) |
250 | 0 | { |
251 | 0 | gcry_buffer_t iov[MAX_ARGS]; |
252 | 0 | va_list ap; |
253 | 0 | int i; |
254 | 0 | void *p; |
255 | 0 | size_t len; |
256 | |
|
257 | 0 | va_start (ap, outlen); |
258 | 0 | for (i = 0; i < MAX_ARGS; i++) |
259 | 0 | { |
260 | 0 | p = va_arg (ap, void *); |
261 | 0 | len = va_arg (ap, size_t); |
262 | 0 | if (!p) |
263 | 0 | break; |
264 | | |
265 | 0 | iov[i].size = 0; |
266 | 0 | iov[i].data = p; |
267 | 0 | iov[i].off = 0; |
268 | 0 | iov[i].len = len; |
269 | 0 | } |
270 | 0 | va_end (ap); |
271 | |
|
272 | 0 | _gcry_md_hash_buffers_extract (GCRY_MD_SHAKE256, 0, out, outlen, |
273 | 0 | iov, i); |
274 | 0 | } |
275 | | |
276 | | static void |
277 | | sha3_256 (uint8_t h[32], const uint8_t *in, size_t inlen) |
278 | 0 | { |
279 | 0 | _gcry_md_hash_buffer (GCRY_MD_SHA3_256, h, in, inlen); |
280 | 0 | } |
281 | | |
282 | | static void |
283 | | sha3_512 (uint8_t h[64], const uint8_t *in, size_t inlen) |
284 | 0 | { |
285 | 0 | _gcry_md_hash_buffer (GCRY_MD_SHA3_512, h, in, inlen); |
286 | 0 | } |
287 | | |
288 | 0 | #define verify1 ct_memequal |
289 | 0 | #define cmov ct_memmov_cond |
290 | | #else |
291 | | #include "kyber.h" |
292 | | |
293 | | void randombytes (uint8_t *out, size_t outlen); |
294 | | |
295 | | typedef struct { |
296 | | uint64_t s[25]; |
297 | | unsigned int pos; |
298 | | } keccak_state; |
299 | | |
300 | | void shake128_init (keccak_state *state); |
301 | | void shake128_absorb (keccak_state *state, const uint8_t *in, size_t inlen); |
302 | | void shake128_finalize (keccak_state *state); |
303 | | void shake128_squeeze (keccak_state *state, uint8_t *out, size_t outlen); |
304 | | void shake128_close (keccak_state *state); |
305 | | |
306 | | void shake256v (uint8_t *out, size_t outlen, ...); |
307 | | void sha3_256 (uint8_t h[32], const uint8_t *in, size_t inlen); |
308 | | void sha3_512 (uint8_t h[64], const uint8_t *in, size_t inlen); |
309 | | |
310 | | /* Return 1 when success, 0 otherwise. */ |
311 | | unsigned int verify1 (const uint8_t *a, const uint8_t *b, size_t len); |
312 | | /* Conditional move. */ |
313 | | void cmov (uint8_t *r, const uint8_t *x, size_t len, uint8_t b); |
314 | | /* Select V0 when OP_ENABLE == 1, V1 otherwise. */ |
315 | | int16_t ct_int16_select (int16_t v0, int16_t v1, unsigned long op_enable); |
316 | | #endif |
317 | | |
318 | | /*************** kyber/ref/fips202.h */ |
319 | 0 | #define SHAKE128_RATE 168 |
320 | | |
321 | | /*************** kyber/ref/params.h */ |
322 | 0 | #define KYBER_N 256 |
323 | 0 | #define KYBER_Q 3329 |
324 | | |
325 | 0 | #define KYBER_SYMBYTES 32 /* size in bytes of hashes, and seeds */ |
326 | 0 | #define KYBER_SSBYTES 32 /* size in bytes of shared key */ |
327 | | |
328 | 0 | #define KYBER_POLYBYTES 384 |
329 | | |
330 | | #define KYBER_ETA2 2 |
331 | | |
332 | | #define KYBER_INDCPA_MSGBYTES (KYBER_SYMBYTES) |
333 | | |
334 | | /* KYBER_K dependent values (part 1) */ |
335 | | #define KYBER_ETA1_2 3 |
336 | | #define KYBER_ETA1_3_4 2 |
337 | | |
338 | | #define KYBER_POLYCOMPRESSEDBYTES_2_3 128 |
339 | | #define KYBER_POLYCOMPRESSEDBYTES_4 160 |
340 | | |
341 | | /*************** kyber/ref/poly.h */ |
342 | | /* |
343 | | * Elements of R_q = Z_q[X]/(X^n + 1). Represents polynomial |
344 | | * coeffs[0] + X*coeffs[1] + X^2*coeffs[2] + ... + X^{n-1}*coeffs[n-1] |
345 | | */ |
346 | | typedef struct{ |
347 | | int16_t coeffs[KYBER_N]; |
348 | | } poly; |
349 | | |
350 | | #if !defined(KYBER_K) || KYBER_K == 2 || KYBER_K == 3 |
351 | | static void poly_compress_128(uint8_t r[KYBER_POLYCOMPRESSEDBYTES_2_3], const poly *a); |
352 | | static void poly_decompress_128(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES_2_3]); |
353 | | #endif |
354 | | #if !defined(KYBER_K) || KYBER_K == 4 |
355 | | static void poly_compress_160(uint8_t r[KYBER_POLYCOMPRESSEDBYTES_4], const poly *a); |
356 | | static void poly_decompress_160(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES_4]); |
357 | | #endif |
358 | | static void poly_tobytes(uint8_t r[KYBER_POLYBYTES], const poly *a); |
359 | | static void poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]); |
360 | | |
361 | | static void poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]); |
362 | | static void poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], const poly *r); |
363 | | #if !defined(KYBER_K) || KYBER_K == 2 |
364 | | static void poly_getnoise_eta1_2(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce); |
365 | | #endif |
366 | | #if !defined(KYBER_K) || KYBER_K == 3 || KYBER_K == 4 |
367 | | static void poly_getnoise_eta1_3_4(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce); |
368 | | #endif |
369 | | static void poly_getnoise_eta2(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce); |
370 | | |
371 | | static void poly_ntt(poly *r); |
372 | | static void poly_invntt_tomont(poly *r); |
373 | | static void poly_basemul_montgomery(poly *r, const poly *a, const poly *b); |
374 | | static void poly_tomont(poly *r); |
375 | | |
376 | | static void poly_reduce(poly *r); |
377 | | |
378 | | static void poly_add(poly *r, const poly *a, const poly *b); |
379 | | static void poly_sub(poly *r, const poly *a, const poly *b); |
380 | | |
381 | | /*************** kyber/ref/ntt.h */ |
382 | | static const int16_t zetas[128]; |
383 | | |
384 | | static void ntt(int16_t poly[256]); |
385 | | |
386 | | static void invntt(int16_t poly[256]); |
387 | | |
388 | | static void basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], int16_t zeta); |
389 | | |
390 | | /*************** kyber/ref/reduce.h */ |
391 | | #define MONT -1044 /* 2^16 mod q */ |
392 | 0 | #define QINV -3327 /* q^-1 mod 2^16 */ |
393 | | |
394 | | static int16_t montgomery_reduce(int32_t a); |
395 | | |
396 | | static int16_t barrett_reduce(int16_t a); |
397 | | |
398 | | /*************** kyber/ref/symmetric.h */ |
399 | | typedef keccak_state xof_state; |
400 | | |
401 | | static void kyber_shake128_absorb (keccak_state *state, |
402 | | const uint8_t seed[KYBER_SYMBYTES], |
403 | | uint8_t x, uint8_t y) |
404 | 0 | { |
405 | 0 | shake128_absorb (state, seed, KYBER_SYMBYTES); |
406 | 0 | shake128_absorb (state, &x, 1); |
407 | 0 | shake128_absorb (state, &y, 1); |
408 | 0 | shake128_finalize (state); |
409 | 0 | } |
410 | | |
411 | 0 | #define XOF_BLOCKBYTES SHAKE128_RATE |
412 | | |
413 | 0 | #define hash_h(OUT, IN, INBYTES) sha3_256(OUT, IN, INBYTES) |
414 | 0 | #define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES) |
415 | 0 | #define xof_init(STATE) shake128_init(STATE) |
416 | 0 | #define xof_close(STATE) shake128_close(STATE) |
417 | 0 | #define xof_absorb(STATE, SEED, X, Y) kyber_shake128_absorb(STATE, SEED, X, Y) |
418 | 0 | #define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeeze(STATE, OUT, SHAKE128_RATE * OUTBLOCKS) |
419 | | #define prf(OUT, OUTBYTES, KEY, NONCE) \ |
420 | 0 | shake256v(OUT, OUTBYTES, (void *)(KEY), (size_t)KYBER_SYMBYTES, \ |
421 | 0 | (void *)&(NONCE), (size_t)1, \ |
422 | 0 | NULL, (size_t)0) |
423 | | #define rkprf(OUT, KEY, INPUT) \ |
424 | 0 | shake256v(OUT, KYBER_SSBYTES, (void *)(KEY), (size_t)KYBER_SYMBYTES, \ |
425 | 0 | (void *)(INPUT), (size_t)KYBER_CIPHERTEXTBYTES, \ |
426 | 0 | NULL, (size_t)0) |
427 | | |
428 | | #include "kyber-common.c" |
429 | | |
430 | 0 | #define VARIANT2(name) name ## _2 |
431 | 0 | #define VARIANT3(name) name ## _3 |
432 | 0 | #define VARIANT4(name) name ## _4 |
433 | | |
434 | | /* KYBER_K dependent values (part 2) */ |
435 | 0 | #define KYBER_POLYVECBYTES (KYBER_K * KYBER_POLYBYTES) |
436 | 0 | #define KYBER_INDCPA_PUBLICKEYBYTES (KYBER_POLYVECBYTES + KYBER_SYMBYTES) |
437 | 0 | #define KYBER_INDCPA_SECRETKEYBYTES (KYBER_POLYVECBYTES) |
438 | 0 | #define KYBER_INDCPA_BYTES (KYBER_POLYVECCOMPRESSEDBYTES + KYBER_POLYCOMPRESSEDBYTES) |
439 | | |
440 | 0 | #define KYBER_PUBLICKEYBYTES (KYBER_INDCPA_PUBLICKEYBYTES) |
441 | | /* 32 bytes of additional space to save H(pk) */ |
442 | 0 | #define KYBER_SECRETKEYBYTES (KYBER_INDCPA_SECRETKEYBYTES + KYBER_INDCPA_PUBLICKEYBYTES + 2*KYBER_SYMBYTES) |
443 | 0 | #define KYBER_CIPHERTEXTBYTES (KYBER_INDCPA_BYTES) |
444 | | |
445 | | #ifdef KYBER_K |
446 | | # if KYBER_K == 2 |
447 | | # define KYBER_POLYCOMPRESSEDBYTES 128 |
448 | | # define KYBER_POLYVECCOMPRESSEDBYTES (KYBER_K * 320) |
449 | | # define poly_compress poly_compress_128 |
450 | | # define poly_decompress poly_decompress_128 |
451 | | # define poly_getnoise_eta1 poly_getnoise_eta1_2 |
452 | | # elif KYBER_K == 3 |
453 | | # define KYBER_POLYCOMPRESSEDBYTES 128 |
454 | | # define KYBER_POLYVECCOMPRESSEDBYTES (KYBER_K * 320) |
455 | | # define poly_compress poly_compress_128 |
456 | | # define poly_decompress poly_decompress_128 |
457 | | # define poly_getnoise_eta1 poly_getnoise_eta1_3_4 |
458 | | # elif KYBER_K == 4 |
459 | | # define KYBER_POLYCOMPRESSEDBYTES 160 |
460 | | # define KYBER_POLYVECCOMPRESSEDBYTES (KYBER_K * 352) |
461 | | # define poly_compress poly_compress_160 |
462 | | # define poly_decompress poly_decompress_160 |
463 | | # define poly_getnoise_eta1 poly_getnoise_eta1_3_4 |
464 | | # endif |
465 | | # include "kyber-kdep.c" |
466 | | # else |
467 | 0 | # define KYBER_K 2 |
468 | 0 | # define KYBER_POLYCOMPRESSEDBYTES 128 |
469 | 0 | # define KYBER_POLYVECCOMPRESSEDBYTES (KYBER_K * 320) |
470 | 0 | # define poly_compress poly_compress_128 |
471 | 0 | # define poly_decompress poly_decompress_128 |
472 | 0 | # define poly_getnoise_eta1 poly_getnoise_eta1_2 |
473 | 0 | # define crypto_kem_keypair_derand VARIANT2(crypto_kem_keypair_derand) |
474 | 0 | # define crypto_kem_enc_derand VARIANT2(crypto_kem_enc_derand) |
475 | | # define crypto_kem_keypair VARIANT2(crypto_kem_keypair) |
476 | | # define crypto_kem_enc VARIANT2(crypto_kem_enc) |
477 | | # define crypto_kem_dec VARIANT2(crypto_kem_dec) |
478 | 0 | # define polyvec VARIANT2(polyvec) |
479 | 0 | # define polyvec_compress VARIANT2(polyvec_compress) |
480 | 0 | # define polyvec_decompress VARIANT2(polyvec_decompress) |
481 | 0 | # define polyvec_tobytes VARIANT2(polyvec_tobytes) |
482 | 0 | # define polyvec_frombytes VARIANT2(polyvec_frombytes) |
483 | 0 | # define polyvec_ntt VARIANT2(polyvec_ntt) |
484 | 0 | # define polyvec_invntt_tomont VARIANT2(polyvec_invntt_tomont) |
485 | 0 | # define polyvec_basemul_acc_montgomery VARIANT2(polyvec_basemul_acc_montgomery) |
486 | 0 | # define polyvec_reduce VARIANT2(polyvec_reduce) |
487 | 0 | # define polyvec_add VARIANT2(polyvec_add) |
488 | 0 | # define pack_pk VARIANT2(pack_pk) |
489 | 0 | # define unpack_pk VARIANT2(unpack_pk) |
490 | 0 | # define pack_sk VARIANT2(pack_sk) |
491 | 0 | # define unpack_sk VARIANT2(unpack_sk) |
492 | 0 | # define pack_ciphertext VARIANT2(pack_ciphertext) |
493 | 0 | # define unpack_ciphertext VARIANT2(unpack_ciphertext) |
494 | 0 | # define gen_matrix VARIANT2(gen_matrix) |
495 | 0 | # define indcpa_keypair_derand VARIANT2(indcpa_keypair_derand) |
496 | 0 | # define indcpa_enc VARIANT2(indcpa_enc) |
497 | 0 | # define indcpa_dec VARIANT2(indcpa_dec) |
498 | | # include "kyber-kdep.c" |
499 | | |
500 | 0 | # define KYBER_K 3 |
501 | 0 | # define KYBER_POLYCOMPRESSEDBYTES 128 |
502 | 0 | # define KYBER_POLYVECCOMPRESSEDBYTES (KYBER_K * 320) |
503 | 0 | # define poly_compress poly_compress_128 |
504 | 0 | # define poly_decompress poly_decompress_128 |
505 | 0 | # define poly_getnoise_eta1 poly_getnoise_eta1_3_4 |
506 | 0 | # define crypto_kem_keypair_derand VARIANT3(crypto_kem_keypair_derand) |
507 | 0 | # define crypto_kem_enc_derand VARIANT3(crypto_kem_enc_derand) |
508 | | # define crypto_kem_keypair VARIANT3(crypto_kem_keypair) |
509 | | # define crypto_kem_enc VARIANT3(crypto_kem_enc) |
510 | | # define crypto_kem_dec VARIANT3(crypto_kem_dec) |
511 | 0 | # define polyvec VARIANT3(polyvec) |
512 | 0 | # define polyvec_compress VARIANT3(polyvec_compress) |
513 | 0 | # define polyvec_decompress VARIANT3(polyvec_decompress) |
514 | 0 | # define polyvec_tobytes VARIANT3(polyvec_tobytes) |
515 | 0 | # define polyvec_frombytes VARIANT3(polyvec_frombytes) |
516 | 0 | # define polyvec_ntt VARIANT3(polyvec_ntt) |
517 | 0 | # define polyvec_invntt_tomont VARIANT3(polyvec_invntt_tomont) |
518 | 0 | # define polyvec_basemul_acc_montgomery VARIANT3(polyvec_basemul_acc_montgomery) |
519 | 0 | # define polyvec_reduce VARIANT3(polyvec_reduce) |
520 | 0 | # define polyvec_add VARIANT3(polyvec_add) |
521 | 0 | # define pack_pk VARIANT3(pack_pk) |
522 | 0 | # define unpack_pk VARIANT3(unpack_pk) |
523 | 0 | # define pack_sk VARIANT3(pack_sk) |
524 | 0 | # define unpack_sk VARIANT3(unpack_sk) |
525 | 0 | # define pack_ciphertext VARIANT3(pack_ciphertext) |
526 | 0 | # define unpack_ciphertext VARIANT3(unpack_ciphertext) |
527 | 0 | # define gen_matrix VARIANT3(gen_matrix) |
528 | 0 | # define indcpa_keypair_derand VARIANT3(indcpa_keypair_derand) |
529 | 0 | # define indcpa_enc VARIANT3(indcpa_enc) |
530 | 0 | # define indcpa_dec VARIANT3(indcpa_dec) |
531 | | # include "kyber-kdep.c" |
532 | | |
533 | 0 | # define KYBER_K 4 |
534 | 0 | # define KYBER_POLYCOMPRESSEDBYTES 160 |
535 | 0 | # define KYBER_POLYVECCOMPRESSEDBYTES (KYBER_K * 352) |
536 | 0 | # define poly_compress poly_compress_160 |
537 | 0 | # define poly_decompress poly_decompress_160 |
538 | 0 | # define poly_getnoise_eta1 poly_getnoise_eta1_3_4 |
539 | 0 | # define crypto_kem_keypair_derand VARIANT4(crypto_kem_keypair_derand) |
540 | 0 | # define crypto_kem_enc_derand VARIANT4(crypto_kem_enc_derand) |
541 | | # define crypto_kem_keypair VARIANT4(crypto_kem_keypair) |
542 | | # define crypto_kem_enc VARIANT4(crypto_kem_enc) |
543 | | # define crypto_kem_dec VARIANT4(crypto_kem_dec) |
544 | 0 | # define polyvec VARIANT4(polyvec) |
545 | 0 | # define polyvec_compress VARIANT4(polyvec_compress) |
546 | 0 | # define polyvec_decompress VARIANT4(polyvec_decompress) |
547 | 0 | # define polyvec_tobytes VARIANT4(polyvec_tobytes) |
548 | 0 | # define polyvec_frombytes VARIANT4(polyvec_frombytes) |
549 | 0 | # define polyvec_ntt VARIANT4(polyvec_ntt) |
550 | 0 | # define polyvec_invntt_tomont VARIANT4(polyvec_invntt_tomont) |
551 | 0 | # define polyvec_basemul_acc_montgomery VARIANT4(polyvec_basemul_acc_montgomery) |
552 | 0 | # define polyvec_reduce VARIANT4(polyvec_reduce) |
553 | 0 | # define polyvec_add VARIANT4(polyvec_add) |
554 | 0 | # define pack_pk VARIANT4(pack_pk) |
555 | 0 | # define unpack_pk VARIANT4(unpack_pk) |
556 | 0 | # define pack_sk VARIANT4(pack_sk) |
557 | 0 | # define unpack_sk VARIANT4(unpack_sk) |
558 | 0 | # define pack_ciphertext VARIANT4(pack_ciphertext) |
559 | 0 | # define unpack_ciphertext VARIANT4(unpack_ciphertext) |
560 | 0 | # define gen_matrix VARIANT4(gen_matrix) |
561 | 0 | # define indcpa_keypair_derand VARIANT4(indcpa_keypair_derand) |
562 | 0 | # define indcpa_enc VARIANT4(indcpa_enc) |
563 | 0 | # define indcpa_dec VARIANT4(indcpa_dec) |
564 | | # include "kyber-kdep.c" |
565 | | #endif |