Coverage Report

Created: 2024-11-21 07:03

/src/libgcrypt/cipher/kyber.c
Line
Count
Source (jump to first uncovered line)
1
/* kyber.c - the Kyber key encapsulation mechanism (main part)
2
 * Copyright (C) 2024 g10 Code GmbH
3
 *
4
 * This file was modified for use by Libgcrypt.
5
 *
6
 * This file is free software; you can redistribute it and/or modify
7
 * it under the terms of the GNU Lesser General Public License as
8
 * published by the Free Software Foundation; either version 2.1 of
9
 * the License, or (at your option) any later version.
10
 *
11
 * This file is distributed in the hope that it will be useful,
12
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14
 * GNU Lesser General Public License for more details.
15
 *
16
 * You should have received a copy of the GNU Lesser General Public
17
 * License along with this program; if not, see <https://www.gnu.org/licenses/>.
18
 * SPDX-License-Identifier: LGPL-2.1-or-later
19
 *
20
 * You can also use this file under the same licence of original code.
21
 * SPDX-License-Identifier: CC0 OR Apache-2.0
22
 *
23
 */
24
/*
25
  Original code from:
26
27
  Repository: https://github.com/pq-crystals/kyber.git
28
  Branch: standard
29
  Commit: 11d00ff1f20cfca1f72d819e5a45165c1e0a2816
30
31
  Licence:
32
  Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/);
33
  or Apache 2.0 License (https://www.apache.org/licenses/LICENSE-2.0.html).
34
35
  Authors:
36
        Joppe Bos
37
        Léo Ducas
38
        Eike Kiltz
39
        Tancrède Lepoint
40
        Vadim Lyubashevsky
41
        John Schanck
42
        Peter Schwabe
43
        Gregor Seiler
44
        Damien Stehlé
45
46
  Kyber Home: https://www.pq-crystals.org/kyber/
47
 */
48
/*
49
 * This implementation consists of four files: kyber.h (header),
50
 * kyber.c (this), kyber-common.c (common part), and kyber-kdep.c
51
 * (KYBER_K dependent part).
52
 *
53
 * It is for inclusion in libgcrypt library.  Also, standalone use of
54
 * the implementation is possible.  With KYBER_K defined, it can offer
55
 * the variant of that KYBER_K specified.  Otherwise, three variants
56
 * are offered.
57
 *
58
 * From original code, following modification was made.
59
 *
60
 * - C++ style comments are changed to C-style.
61
 *
62
 * - No use of KYBER_NAMESPACE and FIPS202_NAMESPACE.  Don't export
63
 *   internal symbols.
64
 *
65
 * - "verify" routine is changed to return 1 on success, and now has
66
 *   new name "verify1", so that the use of the routine won't need
67
 *   negation (since negation might result non-constant-time code with
68
 *   branch by some compiler).
69
 *
70
 * - For "xof" routines, definitions of xof_init and xof_close are
71
 *   added, so that memory will be possible to be cleared after its
72
 *   use.
73
 *
74
 * - Different external API for shake128, having _init and _close.
75
 *
76
 * - New implementation of kyber_shake128_absorb, with the shake128
77
 *   API.
78
 *
79
 * - Added an external function: shake256v with variable arguments.
80
 *
81
 * - Macro definitions of xof_squeezeblocks, prf, and rkprf are
82
 *   modified to use the shake128 API and the shake256v function.
83
 *
84
 */
85
86
#ifdef HAVE_CONFIG_H
87
#include <config.h>
88
#endif
89
90
#include <stddef.h>
91
#include <stdint.h>
92
#include <string.h>
93
94
#ifdef _GCRYPT_IN_LIBGCRYPT
95
#include <stdarg.h>
96
#include <gpg-error.h>
97
98
#include "types.h"
99
#include "g10lib.h"
100
#include "gcrypt-int.h"
101
#include "const-time.h"
102
#include "kyber.h"
103
104
static int crypto_kem_keypair_derand_2(uint8_t *pk, uint8_t *sk,
105
                                       const uint8_t *coins);
106
static int crypto_kem_keypair_derand_3(uint8_t *pk, uint8_t *sk,
107
                                       const uint8_t *coins);
108
static int crypto_kem_keypair_derand_4(uint8_t *pk, uint8_t *sk,
109
                                       const uint8_t *coins);
110
111
static int crypto_kem_keypair_2(uint8_t *pk, uint8_t *sk);
112
static int crypto_kem_keypair_3(uint8_t *pk, uint8_t *sk);
113
static int crypto_kem_keypair_4(uint8_t *pk, uint8_t *sk);
114
115
static int crypto_kem_enc_derand_2(uint8_t *ct, uint8_t *ss, const uint8_t *pk,
116
                                   const uint8_t *coins);
117
static int crypto_kem_enc_derand_3(uint8_t *ct, uint8_t *ss, const uint8_t *pk,
118
                                   const uint8_t *coins);
119
static int crypto_kem_enc_derand_4(uint8_t *ct, uint8_t *ss, const uint8_t *pk,
120
                                   const uint8_t *coins);
121
122
static int crypto_kem_enc_2(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
123
static int crypto_kem_enc_3(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
124
static int crypto_kem_enc_4(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
125
126
static int crypto_kem_dec_2(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
127
static int crypto_kem_dec_3(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
128
static int crypto_kem_dec_4(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
129
130
void
131
kyber_keypair (int algo, uint8_t *pk, uint8_t *sk, const uint8_t *coins)
132
0
{
133
0
  switch (algo)
134
0
    {
135
0
    case GCRY_KEM_MLKEM512:
136
0
      if (coins)
137
0
        crypto_kem_keypair_derand_2 (pk, sk, coins);
138
0
      else
139
0
        crypto_kem_keypair_2 (pk, sk);
140
0
      break;
141
0
    case GCRY_KEM_MLKEM768:
142
0
    default:
143
0
      if (coins)
144
0
        crypto_kem_keypair_derand_3 (pk, sk, coins);
145
0
      else
146
0
        crypto_kem_keypair_3 (pk, sk);
147
0
      break;
148
0
    case GCRY_KEM_MLKEM1024:
149
0
      if (coins)
150
0
        crypto_kem_keypair_derand_4 (pk, sk, coins);
151
0
      else
152
0
        crypto_kem_keypair_4 (pk, sk);
153
0
      break;
154
0
    }
155
0
}
156
157
void
158
kyber_encap (int algo, uint8_t *ct, uint8_t *ss, const uint8_t *pk,
159
             const uint8_t *coins)
160
0
{
161
0
  switch (algo)
162
0
    {
163
0
    case GCRY_KEM_MLKEM512:
164
0
      if (coins)
165
0
        crypto_kem_enc_derand_2 (ct, ss, pk, coins);
166
0
      else
167
0
        crypto_kem_enc_2 (ct, ss, pk);
168
0
      break;
169
0
    case GCRY_KEM_MLKEM768:
170
0
    default:
171
0
      if (coins)
172
0
        crypto_kem_enc_derand_3 (ct, ss, pk, coins);
173
0
      else
174
0
        crypto_kem_enc_3 (ct, ss, pk);
175
0
      break;
176
0
    case GCRY_KEM_MLKEM1024:
177
0
      if (coins)
178
0
        crypto_kem_enc_derand_4 (ct, ss, pk, coins);
179
0
      else
180
0
        crypto_kem_enc_4 (ct, ss, pk);
181
0
      break;
182
0
    }
183
0
}
184
185
void
186
kyber_decap (int algo, uint8_t *ss, const uint8_t *ct, const uint8_t *sk)
187
0
{
188
0
  switch (algo)
189
0
    {
190
0
    case GCRY_KEM_MLKEM512:
191
0
      crypto_kem_dec_2 (ss, ct, sk);
192
0
      break;
193
0
    case GCRY_KEM_MLKEM768:
194
0
    default:
195
0
      crypto_kem_dec_3 (ss, ct, sk);
196
0
      break;
197
0
    case GCRY_KEM_MLKEM1024:
198
0
      crypto_kem_dec_4 (ss, ct, sk);
199
0
      break;
200
0
    }
201
0
}
202
203
static void
204
randombytes (uint8_t *out, size_t outlen)
205
0
{
206
0
  _gcry_randomize (out, outlen, GCRY_VERY_STRONG_RANDOM);
207
0
}
208
209
typedef struct {
210
  gcry_md_hd_t h;
211
} keccak_state;
212
213
static void
214
shake128_init (keccak_state *state)
215
0
{
216
0
  gcry_err_code_t ec;
217
218
0
  ec = _gcry_md_open (&state->h, GCRY_MD_SHAKE128, 0);
219
0
  if (ec)
220
0
    log_fatal ("internal md_open failed: %d\n", ec);
221
0
}
222
223
static void
224
shake128_absorb (keccak_state *state, const uint8_t *in, size_t inlen)
225
0
{
226
0
  _gcry_md_write (state->h, in, inlen);
227
0
}
228
229
static void
230
shake128_finalize (keccak_state *state)
231
0
{
232
0
  (void)state;
233
0
}
234
235
static void
236
shake128_squeeze (keccak_state *state, uint8_t *out, size_t outlen)
237
0
{
238
0
  _gcry_md_extract (state->h, GCRY_MD_SHAKE128, out, outlen);
239
0
}
240
241
static void
242
shake128_close (keccak_state *state)
243
0
{
244
0
  _gcry_md_close (state->h);
245
0
}
246
247
0
#define MAX_ARGS 16
248
static void
249
shake256v (uint8_t *out, size_t outlen, ...)
250
0
{
251
0
  gcry_buffer_t iov[MAX_ARGS];
252
0
  va_list ap;
253
0
  int i;
254
0
  void *p;
255
0
  size_t len;
256
257
0
  va_start (ap, outlen);
258
0
  for (i = 0; i < MAX_ARGS; i++)
259
0
    {
260
0
      p = va_arg (ap, void *);
261
0
      len = va_arg (ap, size_t);
262
0
      if (!p)
263
0
        break;
264
265
0
      iov[i].size = 0;
266
0
      iov[i].data = p;
267
0
      iov[i].off = 0;
268
0
      iov[i].len = len;
269
0
    }
270
0
  va_end (ap);
271
272
0
  _gcry_md_hash_buffers_extract (GCRY_MD_SHAKE256, 0, out, outlen,
273
0
                                 iov, i);
274
0
}
275
276
static void
277
sha3_256 (uint8_t h[32], const uint8_t *in, size_t inlen)
278
0
{
279
0
  _gcry_md_hash_buffer (GCRY_MD_SHA3_256, h, in, inlen);
280
0
}
281
282
static void
283
sha3_512 (uint8_t h[64], const uint8_t *in, size_t inlen)
284
0
{
285
0
  _gcry_md_hash_buffer (GCRY_MD_SHA3_512, h, in, inlen);
286
0
}
287
288
0
#define verify1 ct_memequal
289
0
#define cmov    ct_memmov_cond
290
#else
291
#include "kyber.h"
292
293
void randombytes (uint8_t *out, size_t outlen);
294
295
typedef struct {
296
  uint64_t s[25];
297
  unsigned int pos;
298
} keccak_state;
299
300
void shake128_init (keccak_state *state);
301
void shake128_absorb (keccak_state *state, const uint8_t *in, size_t inlen);
302
void shake128_finalize (keccak_state *state);
303
void shake128_squeeze (keccak_state *state, uint8_t *out, size_t outlen);
304
void shake128_close (keccak_state *state);
305
306
void shake256v (uint8_t *out, size_t outlen, ...);
307
void sha3_256 (uint8_t h[32], const uint8_t *in, size_t inlen);
308
void sha3_512 (uint8_t h[64], const uint8_t *in, size_t inlen);
309
310
/* Return 1 when success, 0 otherwise.  */
311
unsigned int verify1 (const uint8_t *a, const uint8_t *b, size_t len);
312
/* Conditional move.  */
313
void cmov (uint8_t *r, const uint8_t *x, size_t len, uint8_t b);
314
/* Select V0 when OP_ENABLE == 1, V1 otherwise.  */
315
int16_t ct_int16_select (int16_t v0, int16_t v1, unsigned long op_enable);
316
#endif
317
318
/*************** kyber/ref/fips202.h */
319
0
#define SHAKE128_RATE 168
320
321
/*************** kyber/ref/params.h */
322
0
#define KYBER_N 256
323
0
#define KYBER_Q 3329
324
325
0
#define KYBER_SYMBYTES 32   /* size in bytes of hashes, and seeds */
326
0
#define KYBER_SSBYTES  32   /* size in bytes of shared key */
327
328
0
#define KYBER_POLYBYTES          384
329
330
#define KYBER_ETA2 2
331
332
#define KYBER_INDCPA_MSGBYTES       (KYBER_SYMBYTES)
333
334
/* KYBER_K dependent values (part 1) */
335
#define KYBER_ETA1_2   3
336
#define KYBER_ETA1_3_4 2
337
338
#define KYBER_POLYCOMPRESSEDBYTES_2_3 128
339
#define KYBER_POLYCOMPRESSEDBYTES_4   160
340
341
/*************** kyber/ref/poly.h */
342
/*
343
 * Elements of R_q = Z_q[X]/(X^n + 1). Represents polynomial
344
 * coeffs[0] + X*coeffs[1] + X^2*coeffs[2] + ... + X^{n-1}*coeffs[n-1]
345
 */
346
typedef struct{
347
  int16_t coeffs[KYBER_N];
348
} poly;
349
350
#if !defined(KYBER_K) || KYBER_K == 2 || KYBER_K == 3
351
static void poly_compress_128(uint8_t r[KYBER_POLYCOMPRESSEDBYTES_2_3], const poly *a);
352
static void poly_decompress_128(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES_2_3]);
353
#endif
354
#if !defined(KYBER_K) || KYBER_K == 4
355
static void poly_compress_160(uint8_t r[KYBER_POLYCOMPRESSEDBYTES_4], const poly *a);
356
static void poly_decompress_160(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES_4]);
357
#endif
358
static void poly_tobytes(uint8_t r[KYBER_POLYBYTES], const poly *a);
359
static void poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]);
360
361
static void poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]);
362
static void poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], const poly *r);
363
#if !defined(KYBER_K) || KYBER_K == 2
364
static void poly_getnoise_eta1_2(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce);
365
#endif
366
#if !defined(KYBER_K) || KYBER_K == 3 || KYBER_K == 4
367
static void poly_getnoise_eta1_3_4(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce);
368
#endif
369
static void poly_getnoise_eta2(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce);
370
371
static void poly_ntt(poly *r);
372
static void poly_invntt_tomont(poly *r);
373
static void poly_basemul_montgomery(poly *r, const poly *a, const poly *b);
374
static void poly_tomont(poly *r);
375
376
static void poly_reduce(poly *r);
377
378
static void poly_add(poly *r, const poly *a, const poly *b);
379
static void poly_sub(poly *r, const poly *a, const poly *b);
380
381
/*************** kyber/ref/ntt.h */
382
static const int16_t zetas[128];
383
384
static void ntt(int16_t poly[256]);
385
386
static void invntt(int16_t poly[256]);
387
388
static void basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], int16_t zeta);
389
390
/*************** kyber/ref/reduce.h */
391
#define MONT -1044 /* 2^16 mod q */
392
0
#define QINV -3327 /* q^-1 mod 2^16 */
393
394
static int16_t montgomery_reduce(int32_t a);
395
396
static int16_t barrett_reduce(int16_t a);
397
398
/*************** kyber/ref/symmetric.h */
399
typedef keccak_state xof_state;
400
401
static void kyber_shake128_absorb (keccak_state *state,
402
                                   const uint8_t seed[KYBER_SYMBYTES],
403
                                   uint8_t x, uint8_t y)
404
0
{
405
0
  shake128_absorb (state, seed, KYBER_SYMBYTES);
406
0
  shake128_absorb (state, &x, 1);
407
0
  shake128_absorb (state, &y, 1);
408
0
  shake128_finalize (state);
409
0
}
410
411
0
#define XOF_BLOCKBYTES SHAKE128_RATE
412
413
0
#define hash_h(OUT, IN, INBYTES) sha3_256(OUT, IN, INBYTES)
414
0
#define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES)
415
0
#define xof_init(STATE) shake128_init(STATE)
416
0
#define xof_close(STATE) shake128_close(STATE)
417
0
#define xof_absorb(STATE, SEED, X, Y) kyber_shake128_absorb(STATE, SEED, X, Y)
418
0
#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeeze(STATE, OUT, SHAKE128_RATE * OUTBLOCKS)
419
#define prf(OUT, OUTBYTES, KEY, NONCE) \
420
0
  shake256v(OUT, OUTBYTES, (void *)(KEY), (size_t)KYBER_SYMBYTES, \
421
0
         (void *)&(NONCE), (size_t)1, \
422
0
         NULL, (size_t)0)
423
#define rkprf(OUT, KEY, INPUT) \
424
0
  shake256v(OUT, KYBER_SSBYTES, (void *)(KEY), (size_t)KYBER_SYMBYTES, \
425
0
        (void *)(INPUT), (size_t)KYBER_CIPHERTEXTBYTES, \
426
0
        NULL, (size_t)0)
427
428
#include "kyber-common.c"
429
430
0
#define VARIANT2(name) name ## _2
431
0
#define VARIANT3(name) name ## _3
432
0
#define VARIANT4(name) name ## _4
433
434
/* KYBER_K dependent values (part 2) */
435
0
#define KYBER_POLYVECBYTES      (KYBER_K * KYBER_POLYBYTES)
436
0
#define KYBER_INDCPA_PUBLICKEYBYTES (KYBER_POLYVECBYTES + KYBER_SYMBYTES)
437
0
#define KYBER_INDCPA_SECRETKEYBYTES (KYBER_POLYVECBYTES)
438
0
#define KYBER_INDCPA_BYTES          (KYBER_POLYVECCOMPRESSEDBYTES + KYBER_POLYCOMPRESSEDBYTES)
439
440
0
#define KYBER_PUBLICKEYBYTES  (KYBER_INDCPA_PUBLICKEYBYTES)
441
/* 32 bytes of additional space to save H(pk) */
442
0
#define KYBER_SECRETKEYBYTES  (KYBER_INDCPA_SECRETKEYBYTES + KYBER_INDCPA_PUBLICKEYBYTES + 2*KYBER_SYMBYTES)
443
0
#define KYBER_CIPHERTEXTBYTES (KYBER_INDCPA_BYTES)
444
445
#ifdef KYBER_K
446
# if KYBER_K == 2
447
#  define KYBER_POLYCOMPRESSEDBYTES    128
448
#  define KYBER_POLYVECCOMPRESSEDBYTES (KYBER_K * 320)
449
#  define poly_compress poly_compress_128
450
#  define poly_decompress poly_decompress_128
451
#  define poly_getnoise_eta1 poly_getnoise_eta1_2
452
# elif KYBER_K == 3
453
#  define KYBER_POLYCOMPRESSEDBYTES    128
454
#  define KYBER_POLYVECCOMPRESSEDBYTES (KYBER_K * 320)
455
#  define poly_compress poly_compress_128
456
#  define poly_decompress poly_decompress_128
457
#  define poly_getnoise_eta1 poly_getnoise_eta1_3_4
458
# elif KYBER_K == 4
459
#  define KYBER_POLYCOMPRESSEDBYTES    160
460
#  define KYBER_POLYVECCOMPRESSEDBYTES (KYBER_K * 352)
461
#  define poly_compress poly_compress_160
462
#  define poly_decompress poly_decompress_160
463
#  define poly_getnoise_eta1 poly_getnoise_eta1_3_4
464
# endif
465
# include "kyber-kdep.c"
466
# else
467
0
# define KYBER_K 2
468
0
# define KYBER_POLYCOMPRESSEDBYTES    128
469
0
# define KYBER_POLYVECCOMPRESSEDBYTES (KYBER_K * 320)
470
0
# define poly_compress poly_compress_128
471
0
# define poly_decompress poly_decompress_128
472
0
# define poly_getnoise_eta1 poly_getnoise_eta1_2
473
0
# define crypto_kem_keypair_derand VARIANT2(crypto_kem_keypair_derand)
474
0
# define crypto_kem_enc_derand VARIANT2(crypto_kem_enc_derand)
475
# define crypto_kem_keypair VARIANT2(crypto_kem_keypair)
476
# define crypto_kem_enc VARIANT2(crypto_kem_enc)
477
# define crypto_kem_dec VARIANT2(crypto_kem_dec)
478
0
# define polyvec VARIANT2(polyvec)
479
0
# define polyvec_compress VARIANT2(polyvec_compress)
480
0
# define polyvec_decompress VARIANT2(polyvec_decompress)
481
0
# define polyvec_tobytes VARIANT2(polyvec_tobytes)
482
0
# define polyvec_frombytes VARIANT2(polyvec_frombytes)
483
0
# define polyvec_ntt VARIANT2(polyvec_ntt)
484
0
# define polyvec_invntt_tomont VARIANT2(polyvec_invntt_tomont)
485
0
# define polyvec_basemul_acc_montgomery VARIANT2(polyvec_basemul_acc_montgomery)
486
0
# define polyvec_reduce VARIANT2(polyvec_reduce)
487
0
# define polyvec_add VARIANT2(polyvec_add)
488
0
# define pack_pk VARIANT2(pack_pk)
489
0
# define unpack_pk VARIANT2(unpack_pk)
490
0
# define pack_sk VARIANT2(pack_sk)
491
0
# define unpack_sk VARIANT2(unpack_sk)
492
0
# define pack_ciphertext VARIANT2(pack_ciphertext)
493
0
# define unpack_ciphertext VARIANT2(unpack_ciphertext)
494
0
# define gen_matrix VARIANT2(gen_matrix)
495
0
# define indcpa_keypair_derand VARIANT2(indcpa_keypair_derand)
496
0
# define indcpa_enc VARIANT2(indcpa_enc)
497
0
# define indcpa_dec VARIANT2(indcpa_dec)
498
# include "kyber-kdep.c"
499
500
0
# define KYBER_K 3
501
0
# define KYBER_POLYCOMPRESSEDBYTES    128
502
0
# define KYBER_POLYVECCOMPRESSEDBYTES (KYBER_K * 320)
503
0
# define poly_compress poly_compress_128
504
0
# define poly_decompress poly_decompress_128
505
0
# define poly_getnoise_eta1 poly_getnoise_eta1_3_4
506
0
# define crypto_kem_keypair_derand VARIANT3(crypto_kem_keypair_derand)
507
0
# define crypto_kem_enc_derand VARIANT3(crypto_kem_enc_derand)
508
# define crypto_kem_keypair VARIANT3(crypto_kem_keypair)
509
# define crypto_kem_enc VARIANT3(crypto_kem_enc)
510
# define crypto_kem_dec VARIANT3(crypto_kem_dec)
511
0
# define polyvec VARIANT3(polyvec)
512
0
# define polyvec_compress VARIANT3(polyvec_compress)
513
0
# define polyvec_decompress VARIANT3(polyvec_decompress)
514
0
# define polyvec_tobytes VARIANT3(polyvec_tobytes)
515
0
# define polyvec_frombytes VARIANT3(polyvec_frombytes)
516
0
# define polyvec_ntt VARIANT3(polyvec_ntt)
517
0
# define polyvec_invntt_tomont VARIANT3(polyvec_invntt_tomont)
518
0
# define polyvec_basemul_acc_montgomery VARIANT3(polyvec_basemul_acc_montgomery)
519
0
# define polyvec_reduce VARIANT3(polyvec_reduce)
520
0
# define polyvec_add VARIANT3(polyvec_add)
521
0
# define pack_pk VARIANT3(pack_pk)
522
0
# define unpack_pk VARIANT3(unpack_pk)
523
0
# define pack_sk VARIANT3(pack_sk)
524
0
# define unpack_sk VARIANT3(unpack_sk)
525
0
# define pack_ciphertext VARIANT3(pack_ciphertext)
526
0
# define unpack_ciphertext VARIANT3(unpack_ciphertext)
527
0
# define gen_matrix VARIANT3(gen_matrix)
528
0
# define indcpa_keypair_derand VARIANT3(indcpa_keypair_derand)
529
0
# define indcpa_enc VARIANT3(indcpa_enc)
530
0
# define indcpa_dec VARIANT3(indcpa_dec)
531
# include "kyber-kdep.c"
532
533
0
# define KYBER_K 4
534
0
# define KYBER_POLYCOMPRESSEDBYTES    160
535
0
# define KYBER_POLYVECCOMPRESSEDBYTES (KYBER_K * 352)
536
0
# define poly_compress poly_compress_160
537
0
# define poly_decompress poly_decompress_160
538
0
# define poly_getnoise_eta1 poly_getnoise_eta1_3_4
539
0
# define crypto_kem_keypair_derand VARIANT4(crypto_kem_keypair_derand)
540
0
# define crypto_kem_enc_derand VARIANT4(crypto_kem_enc_derand)
541
# define crypto_kem_keypair VARIANT4(crypto_kem_keypair)
542
# define crypto_kem_enc VARIANT4(crypto_kem_enc)
543
# define crypto_kem_dec VARIANT4(crypto_kem_dec)
544
0
# define polyvec VARIANT4(polyvec)
545
0
# define polyvec_compress VARIANT4(polyvec_compress)
546
0
# define polyvec_decompress VARIANT4(polyvec_decompress)
547
0
# define polyvec_tobytes VARIANT4(polyvec_tobytes)
548
0
# define polyvec_frombytes VARIANT4(polyvec_frombytes)
549
0
# define polyvec_ntt VARIANT4(polyvec_ntt)
550
0
# define polyvec_invntt_tomont VARIANT4(polyvec_invntt_tomont)
551
0
# define polyvec_basemul_acc_montgomery VARIANT4(polyvec_basemul_acc_montgomery)
552
0
# define polyvec_reduce VARIANT4(polyvec_reduce)
553
0
# define polyvec_add VARIANT4(polyvec_add)
554
0
# define pack_pk VARIANT4(pack_pk)
555
0
# define unpack_pk VARIANT4(unpack_pk)
556
0
# define pack_sk VARIANT4(pack_sk)
557
0
# define unpack_sk VARIANT4(unpack_sk)
558
0
# define pack_ciphertext VARIANT4(pack_ciphertext)
559
0
# define unpack_ciphertext VARIANT4(unpack_ciphertext)
560
0
# define gen_matrix VARIANT4(gen_matrix)
561
0
# define indcpa_keypair_derand VARIANT4(indcpa_keypair_derand)
562
0
# define indcpa_enc VARIANT4(indcpa_enc)
563
0
# define indcpa_dec VARIANT4(indcpa_dec)
564
# include "kyber-kdep.c"
565
#endif