diff options
| author | thegeorg <thegeorg@yandex-team.com> | 2022-07-27 16:09:51 +0300 |
|---|---|---|
| committer | thegeorg <thegeorg@yandex-team.com> | 2022-07-27 16:09:51 +0300 |
| commit | 0dc775434e1179dd309778aa12d1d844bf3b98ff (patch) | |
| tree | ec70bcaa7cbd04a54ecbecd417d016b73a38d84b /contrib/restricted/aws/s2n/pq-crypto | |
| parent | 7d30339bf6ba1b5aa38c4eb03028bcd4099b2c3c (diff) | |
| download | ydb-0dc775434e1179dd309778aa12d1d844bf3b98ff.tar.gz | |
Update contrib/restricted/aws/s2n to 1.3.18
Diffstat (limited to 'contrib/restricted/aws/s2n/pq-crypto')
173 files changed, 0 insertions, 22594 deletions
diff --git a/contrib/restricted/aws/s2n/pq-crypto/README.md b/contrib/restricted/aws/s2n/pq-crypto/README.md index a7f3f68d75..f798ccc2c1 100644 --- a/contrib/restricted/aws/s2n/pq-crypto/README.md +++ b/contrib/restricted/aws/s2n/pq-crypto/README.md @@ -25,25 +25,6 @@ implements the hybrid specification from [this draft RFC](https://tools.ietf.org See also [this doc](https://docs.google.com/spreadsheets/d/12YarzaNv3XQNLnvDsWLlRKwtZFhRrDdWf36YlzwrPeg/edit#gid=0) that defines hybrid group values for interoperability. -## SIKE (Supersingular Isogeny Key Encapsulation) -The code in the pq-crypto/sike_r1 directory was taken from the [round 1 NIST submission](https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/submissions/SIKE.zip). -s2n uses the optimized portable implementation to ensure maximum comparability and ease of review. The known answer tests -are [here](https://github.com/awslabs/s2n/blob/main/tests/unit/s2n_sike_r1_kat_test.c) and use the known answer file -from the SIKEp503 round 1 submission. - -The code in the pq-crypto/sike_r2 directory was imported from [liboqs](https://github.com/open-quantum-safe/liboqs/tree/386372ba7dbef781f0b939f1cf73d33019958d6a/src/kem/sike), and -implements the [round 2 NIST submission](https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions). s2n is configured to use the optimized -assembly implementation on x86_64 processors, and the optimized portable implementation elsewhere. The known answer tests -are [here](https://github.com/awslabs/s2n/blob/main/tests/unit/s2n_sike_r2_kat_test.c) and use the known answer file from the SIKEP434 round 2 submission. - -## BIKE (Bit Flipping Key Encapsulation) -The code in the pq-crypto/bike directory was taken from the [additional implementation](https://bikesuite.org/files/round2/add-impl/Additional_Implementation.2019.03.30.zip). -s2n uses the "additional implementation" which ensures constant time primitives, does not use any external libraries -besides libcrypto, and does not depend on any specific hardware instructions to ensure maximum comparability and ease of -review. The known answer tests are [here](https://github.com/awslabs/s2n/blob/main/tests/unit/s2n_bike1_l1_r1_kat_test.c) -and use the BIKE1_L1.const.kat from the above Additional_Implementation.2019.03.30.zip. This implementation uses constant -time primitives on x86 and aarch64 platforms. - ## How to disable optimized assembly code for PQ Crypto Certain post-quantum KEM algorithms included in s2n use optimized assembly code for efficient computation. When compiling s2n on compatible toolchains, the optimized assembly code will significantly improve performance of the post-quantum cryptographic operations. s2n attempts to detect whether or not diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/LICENSE b/contrib/restricted/aws/s2n/pq-crypto/bike_r1/LICENSE deleted file mode 100755 index 7a4a3ea242..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/LICENSE +++ /dev/null @@ -1,202 +0,0 @@ - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License.
\ No newline at end of file diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/README.md b/contrib/restricted/aws/s2n/pq-crypto/bike_r1/README.md deleted file mode 100644 index 91d4b27ce4..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/README.md +++ /dev/null @@ -1,37 +0,0 @@ -BIKE-1 - Additional implementation of "BIKE: Bit Flipping Key Encapsulation". ------------------------------------------------------------------------------ - -This package is an "additional optimized" implementation of the Round-2 -variant of BIKE-1. - -BIKE is a submission to the Post-Quantum Cryptography -Standardization project http://csrc.nist.gov/projects/post-quantum-cryptography. - -The official BIKE website is: https://bikesuite.org - -This package offers a constant time implementations of Round-2 BIKE-1. -- A portable implementation that requires libcrypto.a (e.g., of OpenSSL) for AES256 and SHA384. - -The optimizations in this package are based on the papers: -[1] Nir Drucker, Shay Gueron, "A Toolbox for Software Optimization of QC-MDPC - Code-Based Cryptosystems." Journal of Cryptographic Engineering, January 2019, - 1–17 https://doi.org/10.1007/s13389-018-00200-4. - -[2] Chou, T.: QcBits: Constant-Time Small-Key Code-Based Cryptography. In: Gier-lichs, B., - Poschmann, A.Y. (eds.) Cryptographic Hardware and Embedded Systems– CHES 2016. pp. 280–300. - Springer Berlin Heidelberg, Berlin, Heidelberg (2016) - -[3] Guimarães, Antonio, Diego F Aranha, and Edson Borin. 2019. - “Optimized Implementation of QC-MDPC Code-Based Cryptography.” - Concurrency and Computation: Practice and Experience 31 (18): e5089. - https://doi.org/10.1002/cpe.5089. - -The decoder (in decoder/decoder.c) algorithm is the Black-Gray decoder included -in the early submission of CAKE (due to N. Sandrier and R. Misoczki). - -The analysis for the constant time implementation is given in: -[4] Nir Drucker, Shay Gueron, and Dusan Kostic, - "On constant-time QC-MDPC decoding with negligible failure rate", ePrint, 2019. - -The code is due to Nir Drucker, Shay Gueron (and Dusan Kostic for the Round-2 flows). - diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/aes_ctr_prf.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r1/aes_ctr_prf.c deleted file mode 100644 index 2f211010df..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/aes_ctr_prf.c +++ /dev/null @@ -1,105 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#include "aes_ctr_prf.h" -#include "utilities.h" -#include <string.h> - -ret_t -init_aes_ctr_prf_state(OUT aes_ctr_prf_state_t *s, - IN const uint32_t max_invokations, - IN const seed_t *seed) -{ - if(0 == max_invokations) - { - BIKE_ERROR(E_AES_CTR_PRF_INIT_FAIL); - } - - // Set the key schedule (from seed). - // Make sure the size matches the AES256 key size - DEFER_CLEANUP(aes256_key_t key, aes256_key_cleanup); - - bike_static_assert(sizeof(*seed) == sizeof(key.raw), seed_size_equals_ky_size); - memcpy(key.raw, seed->raw, sizeof(key.raw)); - - POSIX_GUARD(aes256_key_expansion(&s->ks_ptr, &key)); - - // Initialize buffer and counter - s->ctr.u.qw[0] = 0; - s->ctr.u.qw[1] = 0; - s->buffer.u.qw[0] = 0; - s->buffer.u.qw[1] = 0; - - s->pos = AES256_BLOCK_SIZE; - s->rem_invokations = max_invokations; - - SEDMSG(" Init aes_prf_ctr state:\n"); - SEDMSG(" s.pos = %d\n", s->pos); - SEDMSG(" s.rem_invokations = %u\n", s->rem_invokations); - SEDMSG(" s.ctr = 0x\n"); - - return SUCCESS; -} - -_INLINE_ ret_t -perform_aes(OUT uint8_t *ct, IN OUT aes_ctr_prf_state_t *s) -{ - // Ensure that the CTR is big enough - bike_static_assert( - ((sizeof(s->ctr.u.qw[0]) == 8) && (BIT(33) >= MAX_AES_INVOKATION)), - ctr_size_is_too_small); - - if(0 == s->rem_invokations) - { - BIKE_ERROR(E_AES_OVER_USED); - } - - POSIX_GUARD(aes256_enc(ct, s->ctr.u.bytes, &s->ks_ptr)); - - s->ctr.u.qw[0]++; - s->rem_invokations--; - - return SUCCESS; -} - -ret_t -aes_ctr_prf(OUT uint8_t *a, IN OUT aes_ctr_prf_state_t *s, IN const uint32_t len) -{ - // When Len is smaller than whats left in the buffer - // No need in additional AES - if((len + s->pos) <= AES256_BLOCK_SIZE) - { - memcpy(a, &s->buffer.u.bytes[s->pos], len); - s->pos += len; - - return SUCCESS; - } - - // If s.pos != AES256_BLOCK_SIZE then copy whats left in the buffer - // Else copy zero bytes - uint32_t idx = AES256_BLOCK_SIZE - s->pos; - memcpy(a, &s->buffer.u.bytes[s->pos], idx); - - // Init s.pos - s->pos = 0; - - // Copy full AES blocks - while((len - idx) >= AES256_BLOCK_SIZE) - { - POSIX_GUARD(perform_aes(&a[idx], s)); - idx += AES256_BLOCK_SIZE; - } - - POSIX_GUARD(perform_aes(s->buffer.u.bytes, s)); - - // Copy the tail - s->pos = len - idx; - memcpy(&a[idx], s->buffer.u.bytes, s->pos); - - return SUCCESS; -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/aes_ctr_prf.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r1/aes_ctr_prf.h deleted file mode 100644 index ac17d4ddd5..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/aes_ctr_prf.h +++ /dev/null @@ -1,49 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#pragma once - -#include "aes_wrap.h" - -////////////////////////////// -// Types -///////////////////////////// - -typedef struct aes_ctr_prf_state_s -{ - uint128_t ctr; - uint128_t buffer; - aes256_ks_t ks_ptr; - uint32_t rem_invokations; - uint8_t pos; -} aes_ctr_prf_state_t; - -////////////////////////////// -// Methods -///////////////////////////// - -ret_t -init_aes_ctr_prf_state(OUT aes_ctr_prf_state_t *s, - IN uint32_t max_invokations, - IN const seed_t *seed); - -ret_t -aes_ctr_prf(OUT uint8_t *a, IN OUT aes_ctr_prf_state_t *s, IN uint32_t len); - -_INLINE_ void -finalize_aes_ctr_prf(IN OUT aes_ctr_prf_state_t *s) -{ - aes256_free_ks(&s->ks_ptr); - secure_clean((uint8_t *)s, sizeof(*s)); -} - -_INLINE_ void -aes_ctr_prf_state_cleanup(IN OUT aes_ctr_prf_state_t *s) -{ - finalize_aes_ctr_prf(s); -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/aes_wrap.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r1/aes_wrap.h deleted file mode 100644 index 26f439ac5e..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/aes_wrap.h +++ /dev/null @@ -1,70 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron, and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com, dkostic@amazon.com) - */ - -#pragma once - -#include "cleanup.h" -#include <openssl/evp.h> - -#define MAX_AES_INVOKATION (MASK(32)) - -#define AES256_KEY_SIZE (32U) -#define AES256_KEY_BITS (AES256_KEY_SIZE * 8) -#define AES256_BLOCK_SIZE (16U) -#define AES256_ROUNDS (14U) - -typedef ALIGN(16) struct aes256_key_s -{ - uint8_t raw[AES256_KEY_SIZE]; -} aes256_key_t; - -_INLINE_ void -aes256_key_cleanup(aes256_key_t *o) -{ - secure_clean(o->raw, sizeof(*o)); -} - -// Using OpenSSL structures -typedef EVP_CIPHER_CTX *aes256_ks_t; - -_INLINE_ ret_t -aes256_key_expansion(OUT aes256_ks_t *ks, IN const aes256_key_t *key) -{ - *ks = EVP_CIPHER_CTX_new(); - if(*ks == NULL) - { - BIKE_ERROR(EXTERNAL_LIB_ERROR_OPENSSL); - } - if(0 == EVP_EncryptInit_ex(*ks, EVP_aes_256_ecb(), NULL, key->raw, NULL)) - { - EVP_CIPHER_CTX_free(*ks); - BIKE_ERROR(EXTERNAL_LIB_ERROR_OPENSSL); - } - - EVP_CIPHER_CTX_set_padding(*ks, 0); - - return SUCCESS; -} - -_INLINE_ ret_t -aes256_enc(OUT uint8_t *ct, IN const uint8_t *pt, IN const aes256_ks_t *ks) -{ - int outlen = 0; - if(0 == EVP_EncryptUpdate(*ks, ct, &outlen, pt, AES256_BLOCK_SIZE)) - { - BIKE_ERROR(EXTERNAL_LIB_ERROR_OPENSSL); - } - return SUCCESS; -} - -_INLINE_ void -aes256_free_ks(OUT aes256_ks_t *ks) -{ - EVP_CIPHER_CTX_free(*ks); - *ks = NULL; -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/bike_defs.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r1/bike_defs.h deleted file mode 100644 index c64740635e..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/bike_defs.h +++ /dev/null @@ -1,109 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#pragma once - -#include "defs.h" - -#define INDCPA -#define LEVEL 1 - -//////////////////////////////////////////// -// BIKE Parameters -/////////////////////////////////////////// -#define N0 2 - -#ifndef LEVEL -# define LEVEL 1 -#endif - -#if(LEVEL == 3) -# ifdef INDCPA -# define R_BITS 19853 -# else -# define R_BITS 24821 -# endif -# define DV 103 -# define T1 199 - -# define THRESHOLD_COEFF0 15.932 -# define THRESHOLD_COEFF1 0.0052936 - -// The gfm code is optimized to a block size in this case: -# define BLOCK_SIZE 32768 -#elif(LEVEL == 1) -// 64-bits of post-quantum security parameters (BIKE paper): -# ifdef INDCPA -# define R_BITS 10163 -# else -# define R_BITS 11779 -# endif -# define DV 71 -# define T1 134 - -# define THRESHOLD_COEFF0 13.530 -# define THRESHOLD_COEFF1 0.0069721 - -// The gfm code is optimized to a block size in this case: -# define BLOCK_SIZE (16384) -#else -# error "Bad level, choose one of 1/3" -#endif - -#ifdef INDCPA -# define NUM_OF_SEEDS 2 -#else -# define NUM_OF_SEEDS 3 -#endif - -// Round the size to the nearest byte. -// SIZE suffix, is the number of bytes (uint8_t). -#define N_BITS (R_BITS * N0) -#define R_SIZE DIVIDE_AND_CEIL(R_BITS, 8) -#define R_QW DIVIDE_AND_CEIL(R_BITS, 8 * QW_SIZE) -#define R_YMM DIVIDE_AND_CEIL(R_BITS, 8 * YMM_SIZE) -#define R_ZMM DIVIDE_AND_CEIL(R_BITS, 8 * ZMM_SIZE) - -#define N_SIZE DIVIDE_AND_CEIL(N_BITS, 8) - -#define R_BLOCKS DIVIDE_AND_CEIL(R_BITS, BLOCK_SIZE) -#define R_PADDED (R_BLOCKS * BLOCK_SIZE) -#define R_PADDED_SIZE (R_PADDED / 8) -#define R_PADDED_QW (R_PADDED / 64) - -#define N_BLOCKS DIVIDE_AND_CEIL(N_BITS, BLOCK_SIZE) -#define N_PADDED (N_BLOCKS * BLOCK_SIZE) -#define N_PADDED_SIZE (N_PADDED / 8) -#define N_PADDED_QW (N_PADDED / 64) - -#define R_DDQWORDS_BITS (DIVIDE_AND_CEIL(R_BITS, ALL_YMM_SIZE) * ALL_YMM_SIZE) -bike_static_assert((R_BITS % ALL_YMM_SIZE != 0), rbits_512_err); - -#define N_DDQWORDS_BITS (R_DDQWORDS_BITS + R_BITS) -bike_static_assert((N_BITS % ALL_YMM_SIZE != 0), nbits_512_err); - -#define LAST_R_QW_LEAD (R_BITS & MASK(6)) -#define LAST_R_QW_TRAIL (64 - LAST_R_QW_LEAD) -#define LAST_R_QW_MASK MASK(LAST_R_QW_LEAD) - -#define LAST_R_BYTE_LEAD (R_BITS & MASK(3)) -#define LAST_R_BYTE_TRAIL (8 - LAST_R_BYTE_LEAD) -#define LAST_R_BYTE_MASK MASK(LAST_R_BYTE_LEAD) - -// BIKE auxiliary functions parameters: -#define ELL_K_BITS 256 -#define ELL_K_SIZE (ELL_K_BITS / 8) - -//////////////////////////////// -// Parameters for the BG decoder. -//////////////////////////////// -#define BGF_DECODER -#define DELTA 3 -#define SLICES (LOG2_MSB(DV) + 1) - -#define BGF_DECODER diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/bike_r1_kem.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r1/bike_r1_kem.c deleted file mode 100644 index ba43098837..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/bike_r1_kem.c +++ /dev/null @@ -1,304 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#include <string.h> - -#include "decode.h" -#include "gf2x.h" -#include "parallel_hash.h" -#include "sampling.h" -#include "tls/s2n_kem.h" -#include "pq-crypto/s2n_pq.h" - -_INLINE_ void -split_e(OUT split_e_t *splitted_e, IN const e_t *e) -{ - // Copy lower bytes (e0) - memcpy(splitted_e->val[0].raw, e->raw, R_SIZE); - - // Now load second value - for(uint32_t i = R_SIZE; i < N_SIZE; ++i) - { - splitted_e->val[1].raw[i - R_SIZE] = - ((e->raw[i] << LAST_R_BYTE_TRAIL) | (e->raw[i - 1] >> LAST_R_BYTE_LEAD)); - } - - // Fix corner case - if(N_SIZE < (2ULL * R_SIZE)) - { - splitted_e->val[1].raw[R_SIZE - 1] = (e->raw[N_SIZE - 1] >> LAST_R_BYTE_LEAD); - } - - // Fix last value - splitted_e->val[0].raw[R_SIZE - 1] &= LAST_R_BYTE_MASK; - splitted_e->val[1].raw[R_SIZE - 1] &= LAST_R_BYTE_MASK; -} - -_INLINE_ void -merge_e(OUT e_t *e, IN const split_e_t *splitted_e) -{ - memcpy(e->raw, splitted_e->val[0].raw, R_SIZE); - - e->raw[R_SIZE - 1] = ((splitted_e->val[1].raw[0] << LAST_R_BYTE_LEAD) | - (e->raw[R_SIZE - 1] & LAST_R_BYTE_MASK)); - - // Now load second value - for(uint32_t i = 1; i < R_SIZE; ++i) - { - e->raw[R_SIZE + i - 1] = - ((splitted_e->val[1].raw[i] << LAST_R_BYTE_LEAD) | - (splitted_e->val[1].raw[i - 1] >> LAST_R_BYTE_TRAIL)); - } - - // Mask last byte - if(N_SIZE == (2ULL * R_SIZE)) - { - e->raw[N_SIZE - 1] = - (splitted_e->val[1].raw[R_SIZE - 1] >> LAST_R_BYTE_TRAIL); - } -} - -_INLINE_ ret_t -encrypt(OUT ct_t *ct, - IN const pk_t *pk, - IN const seed_t *seed, - IN const split_e_t *splitted_e) -{ - DEFER_CLEANUP(padded_r_t m = {0}, padded_r_cleanup); - DEFER_CLEANUP(dbl_pad_ct_t p_ct, dbl_pad_ct_cleanup); - - // Pad the public key - pad_pk_t p_pk = {0}; - p_pk[0].val = pk->val[0]; - p_pk[1].val = pk->val[1]; - - DMSG(" Sampling m.\n"); - POSIX_GUARD(sample_uniform_r_bits(&m.val, seed, NO_RESTRICTION)); - - DMSG(" Calculating the ciphertext.\n"); - - POSIX_GUARD(gf2x_mod_mul((uint64_t *)&p_ct[0], (uint64_t *)&m, (uint64_t *)&p_pk[0])); - POSIX_GUARD(gf2x_mod_mul((uint64_t *)&p_ct[1], (uint64_t *)&m, (uint64_t *)&p_pk[1])); - - DMSG(" Addding Error to the ciphertext.\n"); - - POSIX_GUARD( - gf2x_add(p_ct[0].val.raw, p_ct[0].val.raw, splitted_e->val[0].raw, R_SIZE)); - POSIX_GUARD( - gf2x_add(p_ct[1].val.raw, p_ct[1].val.raw, splitted_e->val[1].raw, R_SIZE)); - - // Copy the data outside - ct->val[0] = p_ct[0].val; - ct->val[1] = p_ct[1].val; - - print("m: ", (uint64_t *)m.val.raw, R_BITS); - print("c0: ", (uint64_t *)p_ct[0].val.raw, R_BITS); - print("c1: ", (uint64_t *)p_ct[1].val.raw, R_BITS); - - return SUCCESS; -} - -_INLINE_ ret_t -calc_pk(OUT pk_t *pk, IN const seed_t *g_seed, IN const pad_sk_t p_sk) -{ - // PK is dbl padded because modmul require some scratch space for the - // multiplication result - dbl_pad_pk_t p_pk = {0}; - - // Intialized padding to zero - DEFER_CLEANUP(padded_r_t g = {0}, padded_r_cleanup); - - POSIX_GUARD(sample_uniform_r_bits(&g.val, g_seed, MUST_BE_ODD)); - - // Calculate (g0, g1) = (g*h1, g*h0) - POSIX_GUARD(gf2x_mod_mul((uint64_t *)&p_pk[0], (const uint64_t *)&g, - (const uint64_t *)&p_sk[1])); - POSIX_GUARD(gf2x_mod_mul((uint64_t *)&p_pk[1], (const uint64_t *)&g, - (const uint64_t *)&p_sk[0])); - - // Copy the data to the output parameters. - pk->val[0] = p_pk[0].val; - pk->val[1] = p_pk[1].val; - - print("g: ", (uint64_t *)g.val.raw, R_BITS); - print("g0: ", (uint64_t *)&p_pk[0], R_BITS); - print("g1: ", (uint64_t *)&p_pk[1], R_BITS); - - return SUCCESS; -} - -// Generate the Shared Secret (K(e)) -_INLINE_ void -get_ss(OUT ss_t *out, IN const e_t *e) -{ - DMSG(" Enter get_ss.\n"); - - // Calculate the hash - DEFER_CLEANUP(sha_hash_t hash = {0}, sha_hash_cleanup); - parallel_hash(&hash, e->raw, sizeof(*e)); - - // Truncate the final hash into K by copying only the LSBs - memcpy(out->raw, hash.u.raw, sizeof(*out)); - - secure_clean(hash.u.raw, sizeof(hash)); - DMSG(" Exit get_ss.\n"); -} - -//////////////////////////////////////////////////////////////// -// The three APIs below (keygeneration, encapsulate, decapsulate) are defined by -// NIST: In addition there are two KAT versions of this API as defined. -//////////////////////////////////////////////////////////////// -int -BIKE1_L1_R1_crypto_kem_keypair(OUT unsigned char *pk, OUT unsigned char *sk) -{ - POSIX_ENSURE(s2n_pq_is_enabled(), S2N_ERR_PQ_DISABLED); - - // Convert to this implementation types - pk_t *l_pk = (pk_t *)pk; - - DEFER_CLEANUP(ALIGN(8) sk_t l_sk = {0}, sk_cleanup); - - // For DRBG and AES_PRF - DEFER_CLEANUP(seeds_t seeds = {0}, seeds_cleanup); - DEFER_CLEANUP(aes_ctr_prf_state_t h_prf_state = {0}, aes_ctr_prf_state_cleanup); - - // Padded for internal use only (the padded data is not released). - DEFER_CLEANUP(pad_sk_t p_sk = {0}, pad_sk_cleanup); - - // Get the entropy seeds. - get_seeds(&seeds); - - DMSG(" Enter crypto_kem_keypair.\n"); - DMSG(" Calculating the secret key.\n"); - - // h0 and h1 use the same context - POSIX_GUARD(init_aes_ctr_prf_state(&h_prf_state, MAX_AES_INVOKATION, &seeds.seed[0])); - - POSIX_GUARD(generate_sparse_rep((uint64_t *)&p_sk[0], l_sk.wlist[0].val, DV, R_BITS, - sizeof(p_sk[0]), &h_prf_state)); - // Copy data - l_sk.bin[0] = p_sk[0].val; - - POSIX_GUARD(generate_sparse_rep((uint64_t *)&p_sk[1], l_sk.wlist[1].val, DV, R_BITS, - sizeof(p_sk[1]), &h_prf_state)); - - // Copy data - l_sk.bin[1] = p_sk[1].val; - - DMSG(" Calculating the public key.\n"); - - POSIX_GUARD(calc_pk(l_pk, &seeds.seed[1], p_sk)); - - memcpy(sk, &l_sk, sizeof(l_sk)); - - print("h0: ", (uint64_t *)&l_sk.bin[0], R_BITS); - print("h1: ", (uint64_t *)&l_sk.bin[1], R_BITS); - print("h0c:", (uint64_t *)&l_sk.wlist[0], SIZEOF_BITS(compressed_idx_dv_t)); - print("h1c:", (uint64_t *)&l_sk.wlist[1], SIZEOF_BITS(compressed_idx_dv_t)); - DMSG(" Exit crypto_kem_keypair.\n"); - - return SUCCESS; -} - -// Encapsulate - pk is the public key, -// ct is a key encapsulation message (ciphertext), -// ss is the shared secret. -int -BIKE1_L1_R1_crypto_kem_enc(OUT unsigned char * ct, - OUT unsigned char * ss, - IN const unsigned char *pk) -{ - DMSG(" Enter crypto_kem_enc.\n"); - POSIX_ENSURE(s2n_pq_is_enabled(), S2N_ERR_PQ_DISABLED); - - // Convert to this implementation types - const pk_t *l_pk = (const pk_t *)pk; - ct_t * l_ct = (ct_t *)ct; - ss_t * l_ss = (ss_t *)ss; - DEFER_CLEANUP(padded_e_t e = {0}, padded_e_cleanup); - - // For NIST DRBG_CTR - DEFER_CLEANUP(seeds_t seeds = {0}, seeds_cleanup); - DEFER_CLEANUP(aes_ctr_prf_state_t e_prf_state = {0}, aes_ctr_prf_state_cleanup); - - // Get the entrophy seeds - get_seeds(&seeds); - - // Random data generator - // Using first seed - POSIX_GUARD(init_aes_ctr_prf_state(&e_prf_state, MAX_AES_INVOKATION, &seeds.seed[0])); - - DMSG(" Generating error.\n"); - ALIGN(8) compressed_idx_t_t dummy; - POSIX_GUARD(generate_sparse_rep((uint64_t *)&e, dummy.val, T1, N_BITS, sizeof(e), - &e_prf_state)); - - print("e: ", (uint64_t *)&e.val, sizeof(e) * 8); - - // Split e into e0 and e1. Initialization is done in split_e - DEFER_CLEANUP(split_e_t splitted_e, split_e_cleanup); - split_e(&splitted_e, &e.val); - - print("e0: ", (uint64_t *)splitted_e.val[0].raw, R_BITS); - print("e1: ", (uint64_t *)splitted_e.val[1].raw, R_BITS); - - // Computing ct = enc(pk, e) - // Using second seed - DMSG(" Encrypting.\n"); - POSIX_GUARD(encrypt(l_ct, l_pk, &seeds.seed[1], &splitted_e)); - - DMSG(" Generating shared secret.\n"); - get_ss(l_ss, &e.val); - - print("ss: ", (uint64_t *)l_ss->raw, SIZEOF_BITS(*l_ss)); - DMSG(" Exit crypto_kem_enc.\n"); - return SUCCESS; -} - -// Decapsulate - ct is a key encapsulation message (ciphertext), -// sk is the private key, -// ss is the shared secret -int -BIKE1_L1_R1_crypto_kem_dec(OUT unsigned char * ss, - IN const unsigned char *ct, - IN const unsigned char *sk) -{ - DMSG(" Enter crypto_kem_dec.\n"); - POSIX_ENSURE(s2n_pq_is_enabled(), S2N_ERR_PQ_DISABLED); - - // Convert to this implementation types - const ct_t *l_ct = (const ct_t *)ct; - ss_t * l_ss = (ss_t *)ss; - - DEFER_CLEANUP(ALIGN(8) sk_t l_sk, sk_cleanup); - memcpy(&l_sk, sk, sizeof(l_sk)); - - // Force zero initialization - DEFER_CLEANUP(syndrome_t syndrome = {0}, syndrome_cleanup); - DEFER_CLEANUP(split_e_t e, split_e_cleanup); - DEFER_CLEANUP(e_t merged_e = {0}, e_cleanup); - - DMSG(" Computing s.\n"); - POSIX_GUARD(compute_syndrome(&syndrome, l_ct, &l_sk)); - - DMSG(" Decoding.\n"); - POSIX_GUARD(decode(&e, &syndrome, l_ct, &l_sk)); - - // Check if the error weight equals T1 - if(T1 != r_bits_vector_weight(&e.val[0]) + r_bits_vector_weight(&e.val[1])) - { - MSG(" Error weight is not t\n"); - BIKE_ERROR(E_ERROR_WEIGHT_IS_NOT_T); - } - - merge_e(&merged_e, &e); - get_ss(l_ss, &merged_e); - - DMSG(" Exit crypto_kem_dec.\n"); - return SUCCESS; -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/cleanup.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r1/cleanup.h deleted file mode 100644 index 6bacfaa45a..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/cleanup.h +++ /dev/null @@ -1,131 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#pragma once -#include "types.h" -#include "utils/s2n_safety.h" - -_INLINE_ void -secure_clean(OUT uint8_t *p, IN const uint32_t len) -{ -#ifdef _WIN32 - SecureZeroMemory(p, len); -#else - typedef void *(*memset_t)(void *, int, size_t); - static volatile memset_t memset_func = memset; - memset_func(p, 0, len); -#endif -} - -_INLINE_ void -r_cleanup(IN OUT r_t *o) -{ - secure_clean((uint8_t *)o, sizeof(*o)); -} - -_INLINE_ void -e_cleanup(IN OUT e_t *o) -{ - secure_clean((uint8_t *)o, sizeof(*o)); -} - -_INLINE_ void -padded_r_cleanup(IN OUT padded_r_t *o) -{ - secure_clean((uint8_t *)o, sizeof(*o)); -} - -_INLINE_ void -padded_e_cleanup(IN OUT padded_e_t *o) -{ - secure_clean((uint8_t *)o, sizeof(*o)); -} - -_INLINE_ void -split_e_cleanup(IN OUT split_e_t *o) -{ - secure_clean((uint8_t *)o, sizeof(*o)); -} - -_INLINE_ void -sk_cleanup(IN OUT sk_t *o) -{ - secure_clean((uint8_t *)o, sizeof(*o)); -} - -_INLINE_ void -pad_sk_cleanup(IN OUT pad_sk_t *o) -{ - secure_clean((uint8_t *)o[0], sizeof(*o)); -} - -_INLINE_ void -pad_ct_cleanup(IN OUT pad_ct_t *o) -{ - secure_clean((uint8_t *)o[0], sizeof(*o)); -} - -_INLINE_ void -dbl_pad_ct_cleanup(IN OUT dbl_pad_ct_t *o) -{ - secure_clean((uint8_t *)o[0], sizeof(*o)); -} - -_INLINE_ void -seed_cleanup(IN OUT seed_t *o) -{ - secure_clean((uint8_t *)o, sizeof(*o)); -} - -_INLINE_ void -syndrome_cleanup(IN OUT syndrome_t *o) -{ - secure_clean((uint8_t *)o, sizeof(*o)); -} - -_INLINE_ void -dbl_pad_syndrome_cleanup(IN OUT dbl_pad_syndrome_t *o) -{ - secure_clean((uint8_t *)o[0], sizeof(*o)); -} - -_INLINE_ void -compressed_idx_t_cleanup(IN OUT compressed_idx_t_t *o) -{ - secure_clean((uint8_t *)o, sizeof(*o)); -} - -_INLINE_ void -compressed_idx_dv_ar_cleanup(IN OUT compressed_idx_dv_ar_t *o) -{ - for(int i = 0; i < N0; i++) - { - secure_clean((uint8_t *)&(*o)[i], sizeof((*o)[0])); - } -} - -_INLINE_ void -generic_param_n_cleanup(IN OUT generic_param_n_t *o) -{ - secure_clean((uint8_t *)o, sizeof(*o)); -} - -_INLINE_ void -seeds_cleanup(IN OUT seeds_t *o) -{ - for(int i = 0; i < NUM_OF_SEEDS; i++) - { - seed_cleanup(&(o->seed[i])); - } -} - -_INLINE_ void -upc_cleanup(IN OUT upc_t *o) -{ - secure_clean((uint8_t *)o, sizeof(*o)); -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/converts_portable.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r1/converts_portable.c deleted file mode 100644 index d76900b771..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/converts_portable.c +++ /dev/null @@ -1,62 +0,0 @@ -/* - * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * - * Licensed under the Apache License, Version 2.0 (the "License"). - * You may not use this file except in compliance with the License. - * A copy of the License is located at - * - * http://aws.amazon.com/apache2.0 - * - * or in the "license" file accompanying this file. This file is distributed - * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either - * express or implied. See the License for the specific language governing - * permissions and limitations under the License. - * The license is detailed in the file LICENSE.md, and applies to this file. - * - * Written by Nir Drucker and Shay Gueron - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#include "decode.h" -#include "utilities.h" - -// Convert a sequence of uint8_t elements which fully uses all 8-bits of -// an uint8_t element to a sequence of uint8_t which uses just a single -// bit per byte (either 0 or 1). -EXTERNC void -convert_to_redundant_rep(OUT uint8_t *out, - IN const uint8_t *in, - IN const uint64_t len) -{ - uint8_t tmp; - for(uint32_t i = 0; i < (len / 8); i++) - { - tmp = in[i]; - for(uint8_t j = 0; j < 8; j++) - { - out[8 * i + j] |= (tmp & 0x1); - tmp >>= 1; - } - } - - // Convert the reminder - tmp = in[len / 8]; - for(uint32_t j = 8 * (len / 8); j < len; j++) - { - out[j] |= (tmp & 0x1); - tmp >>= 1; - } -} - -EXTERNC uint64_t -count_ones(IN const uint8_t *in, IN const uint32_t len) -{ - uint64_t acc = 0; - for(uint32_t i = 0; i < len; i++) - { - acc += __builtin_popcount(in[i]); - } - - return acc; -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/decode.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r1/decode.c deleted file mode 100644 index b455cd7e82..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/decode.c +++ /dev/null @@ -1,365 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron, and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com, dkostic@amazon.com) - * - * [1] The optimizations are based on the description developed in the paper: - * Drucker, Nir, and Shay Gueron. 2019. “A Toolbox for Software Optimization - * of QC-MDPC Code-Based Cryptosystems.” Journal of Cryptographic Engineering, - * January, 1–17. https://doi.org/10.1007/s13389-018-00200-4. - * - * [2] The decoder algorithm is the Black-Gray decoder in - * the early submission of CAKE (due to N. Sandrier and R Misoczki). - * - * [3] The analysis for the constant time implementation is given in - * Drucker, Nir, Shay Gueron, and Dusan Kostic. 2019. - * “On Constant-Time QC-MDPC Decoding with Negligible Failure Rate.” - * Cryptology EPrint Archive, 2019. https://eprint.iacr.org/2019/1289. - * - * [4] it was adapted to BGF in: - * Drucker, Nir, Shay Gueron, and Dusan Kostic. 2019. - * “QC-MDPC decoders with several shades of gray.” - * Cryptology EPrint Archive, 2019. To be published. - * - * [5] Chou, T.: QcBits: Constant-Time Small-Key Code-Based Cryptography. - * In: Gier-lichs, B., Poschmann, A.Y. (eds.) Cryptographic Hardware - * and Embedded Systems– CHES 2016. pp. 280–300. Springer Berlin Heidelberg, - * Berlin, Heidelberg (2016) - * - * [6] The rotate512_small funciton is a derivative of the code described in: - * Guimarães, Antonio, Diego F Aranha, and Edson Borin. 2019. - * “Optimized Implementation of QC-MDPC Code-Based Cryptography.” - * Concurrency and Computation: Practice and Experience 31 (18): - * e5089. https://doi.org/10.1002/cpe.5089. - */ - -#include "decode.h" -#include "gf2x.h" -#include "utilities.h" -#include <string.h> - -// Decoding (bit-flipping) parameter -#ifdef BG_DECODER -# if(LEVEL == 1) -# define MAX_IT 3 -# elif(LEVEL == 3) -# define MAX_IT 4 -# elif(LEVEL == 5) -# define MAX_IT 7 -# else -# error "Level can only be 1/3/5" -# endif -#elif defined(BGF_DECODER) -# if(LEVEL == 1) -# define MAX_IT 5 -# elif(LEVEL == 3) -# define MAX_IT 6 -# elif(LEVEL == 5) -# define MAX_IT 7 -# else -# error "Level can only be 1/3/5" -# endif -#endif - -// Duplicates the first R_BITS of the syndrome three times -// |------------------------------------------| -// | Third copy | Second copy | first R_BITS | -// |------------------------------------------| -// This is required by the rotate functions. -_INLINE_ void -dup(IN OUT syndrome_t *s) -{ - s->qw[R_QW - 1] = - (s->qw[0] << LAST_R_QW_LEAD) | (s->qw[R_QW - 1] & LAST_R_QW_MASK); - - for(size_t i = 0; i < (2 * R_QW) - 1; i++) - { - s->qw[R_QW + i] = - (s->qw[i] >> LAST_R_QW_TRAIL) | (s->qw[i + 1] << LAST_R_QW_LEAD); - } -} - -ret_t -compute_syndrome(OUT syndrome_t *syndrome, IN const ct_t *ct, IN const sk_t *sk) -{ - // gf2x_mod_mul requires the values to be 64bit padded and extra (dbl) space - // for the results - DEFER_CLEANUP(dbl_pad_syndrome_t pad_s, dbl_pad_syndrome_cleanup); - DEFER_CLEANUP(pad_sk_t pad_sk = {0}, pad_sk_cleanup); - pad_sk[0].val = sk->bin[0]; - pad_sk[1].val = sk->bin[1]; - - DEFER_CLEANUP(pad_ct_t pad_ct = {0}, pad_ct_cleanup); - pad_ct[0].val = ct->val[0]; - pad_ct[1].val = ct->val[1]; - - // Compute s = c0*h0 + c1*h1: - POSIX_GUARD(gf2x_mod_mul((uint64_t *)&pad_s[0], (uint64_t *)&pad_ct[0], - (uint64_t *)&pad_sk[0])); - POSIX_GUARD(gf2x_mod_mul((uint64_t *)&pad_s[1], (uint64_t *)&pad_ct[1], - (uint64_t *)&pad_sk[1])); - - POSIX_GUARD(gf2x_add(pad_s[0].val.raw, pad_s[0].val.raw, pad_s[1].val.raw, R_SIZE)); - - memcpy((uint8_t *)syndrome->qw, pad_s[0].val.raw, R_SIZE); - dup(syndrome); - - return SUCCESS; -} - -_INLINE_ ret_t -recompute_syndrome(OUT syndrome_t *syndrome, - IN const ct_t *ct, - IN const sk_t *sk, - IN const split_e_t *splitted_e) -{ - ct_t tmp_ct = *ct; - - // Adapt the ciphertext - POSIX_GUARD(gf2x_add(tmp_ct.val[0].raw, tmp_ct.val[0].raw, splitted_e->val[0].raw, - R_SIZE)); - POSIX_GUARD(gf2x_add(tmp_ct.val[1].raw, tmp_ct.val[1].raw, splitted_e->val[1].raw, - R_SIZE)); - - // Recompute the syndrome - POSIX_GUARD(compute_syndrome(syndrome, &tmp_ct, sk)); - - return SUCCESS; -} - -_INLINE_ uint8_t -get_threshold(IN const syndrome_t *s) -{ - bike_static_assert(sizeof(*s) >= sizeof(r_t), syndrome_is_large_enough); - - const uint32_t syndrome_weight = r_bits_vector_weight((const r_t *)s->qw); - - // The equations below are defined in BIKE's specification: - // https://bikesuite.org/files/round2/spec/BIKE-Spec-Round2.2019.03.30.pdf - // Page 20 Section 2.4.2 - const uint8_t threshold = - THRESHOLD_COEFF0 + (THRESHOLD_COEFF1 * syndrome_weight); - - DMSG(" Thresold: %d\n", threshold); - return threshold; -} - -// Use half-adder as described in [5]. -_INLINE_ void -bit_sliced_adder(OUT upc_t *upc, - IN OUT syndrome_t *rotated_syndrome, - IN const size_t num_of_slices) -{ - // From cache-memory perspective this loop should be the outside loop - for(size_t j = 0; j < num_of_slices; j++) - { - for(size_t i = 0; i < R_QW; i++) - { - const uint64_t carry = (upc->slice[j].u.qw[i] & rotated_syndrome->qw[i]); - upc->slice[j].u.qw[i] ^= rotated_syndrome->qw[i]; - rotated_syndrome->qw[i] = carry; - } - } -} - -_INLINE_ void -bit_slice_full_subtract(OUT upc_t *upc, IN uint8_t val) -{ - // Borrow - uint64_t br[R_QW] = {0}; - - for(size_t j = 0; j < SLICES; j++) - { - - const uint64_t lsb_mask = 0 - (val & 0x1); - val >>= 1; - - // Perform a - b with c as the input/output carry - // br = 0 0 0 0 1 1 1 1 - // a = 0 0 1 1 0 0 1 1 - // b = 0 1 0 1 0 1 0 1 - // ------------------- - // o = 0 1 1 0 0 1 1 1 - // c = 0 1 0 0 1 1 0 1 - // - // o = a^b^c - // _ __ _ _ _ _ _ - // br = abc + abc + abc + abc = abc + ((a+b))c - - for(size_t i = 0; i < R_QW; i++) - { - const uint64_t a = upc->slice[j].u.qw[i]; - const uint64_t b = lsb_mask; - const uint64_t tmp = ((~a) & b & (~br[i])) | ((((~a) | b) & br[i])); - upc->slice[j].u.qw[i] = a ^ b ^ br[i]; - br[i] = tmp; - } - } -} - -// Calculate the Unsatisfied Parity Checks (UPCs) and update the errors -// vector (e) accordingy. In addition, update the black and gray errors vector -// with the relevant values. -_INLINE_ void -find_err1(OUT split_e_t *e, - OUT split_e_t *black_e, - OUT split_e_t *gray_e, - IN const syndrome_t * syndrome, - IN const compressed_idx_dv_ar_t wlist, - IN const uint8_t threshold) -{ - // This function uses the bit-slice-adder methodology of [5]: - DEFER_CLEANUP(syndrome_t rotated_syndrome = {0}, syndrome_cleanup); - DEFER_CLEANUP(upc_t upc, upc_cleanup); - - for(uint32_t i = 0; i < N0; i++) - { - // UPC must start from zero at every iteration - memset(&upc, 0, sizeof(upc)); - - // 1) Right-rotate the syndrome for every secret key set bit index - // Then slice-add it to the UPC array. - for(size_t j = 0; j < DV; j++) - { - rotate_right(&rotated_syndrome, syndrome, wlist[i].val[j]); - bit_sliced_adder(&upc, &rotated_syndrome, LOG2_MSB(j + 1)); - } - - // 2) Subtract the threshold from the UPC counters - bit_slice_full_subtract(&upc, threshold); - - // 3) Update the errors and the black errors vectors. - // The last slice of the UPC array holds the MSB of the accumulated values - // minus the threshold. Every zero bit indicates a potential error bit. - // The errors values are stored in the black array and xored with the - // errors Of the previous iteration. - const r_t *last_slice = &(upc.slice[SLICES - 1].u.r.val); - for(size_t j = 0; j < R_SIZE; j++) - { - const uint8_t sum_msb = (~last_slice->raw[j]); - black_e->val[i].raw[j] = sum_msb; - e->val[i].raw[j] ^= sum_msb; - } - - // Ensure that the padding bits (upper bits of the last byte) are zero so - // they will not be included in the multiplication and in the hash function. - e->val[i].raw[R_SIZE - 1] &= LAST_R_BYTE_MASK; - - // 4) Calculate the gray error array by adding "DELTA" to the UPC array. - // For that we reuse the rotated_syndrome variable setting it to all "1". - for(size_t l = 0; l < DELTA; l++) - { - memset((uint8_t *)rotated_syndrome.qw, 0xff, R_SIZE); - bit_sliced_adder(&upc, &rotated_syndrome, SLICES); - } - - // 5) Update the gray list with the relevant bits that are not - // set in the black list. - for(size_t j = 0; j < R_SIZE; j++) - { - const uint8_t sum_msb = (~last_slice->raw[j]); - gray_e->val[i].raw[j] = (~(black_e->val[i].raw[j])) & sum_msb; - } - } -} - -// Recalculate the UPCs and update the errors vector (e) according to it -// and to the black/gray vectors. -_INLINE_ void -find_err2(OUT split_e_t *e, - IN split_e_t *pos_e, - IN const syndrome_t * syndrome, - IN const compressed_idx_dv_ar_t wlist, - IN const uint8_t threshold) -{ - DEFER_CLEANUP(syndrome_t rotated_syndrome = {0}, syndrome_cleanup); - DEFER_CLEANUP(upc_t upc, upc_cleanup); - - for(uint32_t i = 0; i < N0; i++) - { - // UPC must start from zero at every iteration - memset(&upc, 0, sizeof(upc)); - - // 1) Right-rotate the syndrome for every secret key set bit index - // Then slice-add it to the UPC array. - for(size_t j = 0; j < DV; j++) - { - rotate_right(&rotated_syndrome, syndrome, wlist[i].val[j]); - bit_sliced_adder(&upc, &rotated_syndrome, LOG2_MSB(j + 1)); - } - - // 2) Subtract the threshold from the UPC counters - bit_slice_full_subtract(&upc, threshold); - - // 3) Update the errors vector. - // The last slice of the UPC array holds the MSB of the accumulated values - // minus the threshold. Every zero bit indicates a potential error bit. - const r_t *last_slice = &(upc.slice[SLICES - 1].u.r.val); - for(size_t j = 0; j < R_SIZE; j++) - { - const uint8_t sum_msb = (~last_slice->raw[j]); - e->val[i].raw[j] ^= (pos_e->val[i].raw[j] & sum_msb); - } - - // Ensure that the padding bits (upper bits of the last byte) are zero so - // they will not be included in the multiplication and in the hash function. - e->val[i].raw[R_SIZE - 1] &= LAST_R_BYTE_MASK; - } -} - -ret_t -decode(OUT split_e_t *e, - IN const syndrome_t *original_s, - IN const ct_t *ct, - IN const sk_t *sk) -{ - split_e_t black_e = {0}; - split_e_t gray_e = {0}; - syndrome_t s; - - // Reset (init) the error because it is xored in the find_err funcitons. - memset(e, 0, sizeof(*e)); - s = *original_s; - dup(&s); - - for(uint32_t iter = 0; iter < MAX_IT; iter++) - { - const uint8_t threshold = get_threshold(&s); - - DMSG(" Iteration: %d\n", iter); - DMSG(" Weight of e: %lu\n", - r_bits_vector_weight(&e->val[0]) + r_bits_vector_weight(&e->val[1])); - DMSG(" Weight of syndrome: %lu\n", r_bits_vector_weight((r_t *)s.qw)); - - find_err1(e, &black_e, &gray_e, &s, sk->wlist, threshold); - POSIX_GUARD(recompute_syndrome(&s, ct, sk, e)); -#ifdef BGF_DECODER - if(iter >= 1) - { - continue; - } -#endif - DMSG(" Weight of e: %lu\n", - r_bits_vector_weight(&e->val[0]) + r_bits_vector_weight(&e->val[1])); - DMSG(" Weight of syndrome: %lu\n", r_bits_vector_weight((r_t *)s.qw)); - - find_err2(e, &black_e, &s, sk->wlist, ((DV + 1) / 2) + 1); - POSIX_GUARD(recompute_syndrome(&s, ct, sk, e)); - - DMSG(" Weight of e: %lu\n", - r_bits_vector_weight(&e->val[0]) + r_bits_vector_weight(&e->val[1])); - DMSG(" Weight of syndrome: %lu\n", r_bits_vector_weight((r_t *)s.qw)); - - find_err2(e, &gray_e, &s, sk->wlist, ((DV + 1) / 2) + 1); - POSIX_GUARD(recompute_syndrome(&s, ct, sk, e)); - } - - if(r_bits_vector_weight((r_t *)s.qw) > 0) - { - BIKE_ERROR(E_DECODING_FAILURE); - } - - return SUCCESS; -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/decode.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r1/decode.h deleted file mode 100644 index d8809fd829..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/decode.h +++ /dev/null @@ -1,28 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#pragma once - -#include "types.h" - -ret_t -compute_syndrome(OUT syndrome_t *syndrome, IN const ct_t *ct, IN const sk_t *sk); - -// e should be zeroed before calling the decoder. -ret_t -decode(OUT split_e_t *e, - IN const syndrome_t *s, - IN const ct_t *ct, - IN const sk_t *sk); - -// Rotate right the first R_BITS of a syndrome. -// Assumption: the syndrome contains three R_BITS duplications. -// The output syndrome contains only one R_BITS rotation, the other -// (2 * R_BITS) bits are undefined. -void -rotate_right(OUT syndrome_t *out, IN const syndrome_t *in, IN uint32_t bitscount); diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/defs.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r1/defs.h deleted file mode 100644 index 1a0fa46c45..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/defs.h +++ /dev/null @@ -1,144 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#pragma once - -//////////////////////////////////////////// -// Basic defs -/////////////////////////////////////////// -#define FUNC_PREFIX BIKE1_L1_R1 -#include "functions_renaming.h" - -#ifdef __cplusplus -# define EXTERNC extern "C" -#else -# define EXTERNC -#endif - -// For code clarity. -#define IN -#define OUT - -#define ALIGN(n) __attribute__((aligned(n))) -#define BIKE_UNUSED(x) (void)(x) -#define BIKE_UNUSED_ATT __attribute__((unused)) - -#define _INLINE_ static inline - -// In asm the symbols '==' and '?' are not allowed therefore if using -// divide_and_ceil in asm files we must ensure with static_assert its validity -#if(__cplusplus >= 201103L) || defined(static_assert) -# define bike_static_assert(COND, MSG) static_assert(COND, "MSG") -#else -# define bike_static_assert(COND, MSG) \ - typedef char static_assertion_##MSG[(COND) ? 1 : -1] BIKE_UNUSED_ATT -#endif - -// Divide by the divider and round up to next integer -#define DIVIDE_AND_CEIL(x, divider) (((x) + (divider)) / (divider)) - -#define BIT(len) (1ULL << (len)) - -#define MASK(len) (BIT(len) - 1) -#define SIZEOF_BITS(b) (sizeof(b) * 8) - -#define QW_SIZE 0x8 -#define XMM_SIZE 0x10 -#define YMM_SIZE 0x20 -#define ZMM_SIZE 0x40 - -#define ALL_YMM_SIZE (16 * YMM_SIZE) -#define ALL_ZMM_SIZE (32 * ZMM_SIZE) - -// Copied from (Kaz answer) -// https://stackoverflow.com/questions/466204/rounding-up-to-next-power-of-2 -#define UPTOPOW2_0(v) ((v)-1) -#define UPTOPOW2_1(v) (UPTOPOW2_0(v) | (UPTOPOW2_0(v) >> 1)) -#define UPTOPOW2_2(v) (UPTOPOW2_1(v) | (UPTOPOW2_1(v) >> 2)) -#define UPTOPOW2_3(v) (UPTOPOW2_2(v) | (UPTOPOW2_2(v) >> 4)) -#define UPTOPOW2_4(v) (UPTOPOW2_3(v) | (UPTOPOW2_3(v) >> 8)) -#define UPTOPOW2_5(v) (UPTOPOW2_4(v) | (UPTOPOW2_4(v) >> 16)) - -#define UPTOPOW2(v) (UPTOPOW2_5(v) + 1) - -// Works only for 0 < v < 512 -#define LOG2_MSB(v) \ - ((v) == 0 \ - ? 0 \ - : ((v) < 2 \ - ? 1 \ - : ((v) < 4 \ - ? 2 \ - : ((v) < 8 \ - ? 3 \ - : ((v) < 16 \ - ? 4 \ - : ((v) < 32 \ - ? 5 \ - : ((v) < 64 ? 6 \ - : ((v) < 128 \ - ? 7 \ - : ((v) < 256 \ - ? 8 \ - : 9))))))))) - -//////////////////////////////////////////// -// Debug -/////////////////////////////////////////// - -#ifndef VERBOSE -# define VERBOSE 0 -#endif - -#include <stdio.h> - -#if(VERBOSE == 4) -# define MSG(...) \ - { \ - printf(__VA_ARGS__); \ - } -# define DMSG(...) MSG(__VA_ARGS__) -# define EDMSG(...) MSG(__VA_ARGS__) -# define SEDMSG(...) MSG(__VA_ARGS__) -#elif(VERBOSE == 3) -# define MSG(...) \ - { \ - printf(__VA_ARGS__); \ - } -# define DMSG(...) MSG(__VA_ARGS__) -# define EDMSG(...) MSG(__VA_ARGS__) -# define SEDMSG(...) -#elif(VERBOSE == 2) -# define MSG(...) \ - { \ - printf(__VA_ARGS__); \ - } -# define DMSG(...) MSG(__VA_ARGS__) -# define EDMSG(...) -# define SEDMSG(...) -#elif(VERBOSE == 1) -# define MSG(...) \ - { \ - printf(__VA_ARGS__); \ - } -# define DMSG(...) -# define EDMSG(...) -# define SEDMSG(...) -#else -# define MSG(...) -# define DMSG(...) -# define EDMSG(...) -# define SEDMSG(...) -#endif - -//////////////////////////////////////////// -// Printing -/////////////////////////////////////////// -//#define PRINT_IN_BE -//#define NO_SPACE -//#define NO_NEWLINE diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/error.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r1/error.c deleted file mode 100644 index b048fc06a2..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/error.c +++ /dev/null @@ -1,11 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#include "error.h" - -__thread _bike_err_t bike_errno; diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/error.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r1/error.h deleted file mode 100644 index eac4e2daee..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/error.h +++ /dev/null @@ -1,36 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#pragma once - -#include "defs.h" - -#define SUCCESS 0 -#define FAIL (-1) - -#define ret_t int - -enum _bike_err -{ - E_ERROR_WEIGHT_IS_NOT_T = 1, - E_DECODING_FAILURE = 2, - E_AES_CTR_PRF_INIT_FAIL = 3, - E_AES_OVER_USED = 4, - EXTERNAL_LIB_ERROR_OPENSSL = 5, - E_FAIL_TO_GET_SEED = 6 -}; - -typedef enum _bike_err _bike_err_t; - -extern __thread _bike_err_t bike_errno; -#define BIKE_ERROR(x) \ - do \ - { \ - bike_errno = (x); \ - return FAIL; \ - } while(0) diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/functions_renaming.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r1/functions_renaming.h deleted file mode 100644 index f11aa90e14..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/functions_renaming.h +++ /dev/null @@ -1,60 +0,0 @@ -/* - * Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved. - * - * Licensed under the Apache License, Version 2.0 (the "License"). - * You may not use this file except in compliance with the License. - * A copy of the License is located at - * - * http://aws.amazon.com/apache2.0 - * - * or in the "license" file accompanying this file. This file is distributed - * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either - * express or implied. See the License for the specific language governing - * permissions and limitations under the License. - * The license is detailed in the file LICENSE.md, and applies to this file. - * - * Written by Nir Drucker and Shay Gueron - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#ifndef __FUNCTIONS_RENAMING_H_INCLUDED__ -#define __FUNCTIONS_RENAMING_H_INCLUDED__ - -#define PASTER(x, y) x##_##y -#define EVALUATOR(x, y) PASTER(x, y) -#define RENAME_FUNC_NAME(fname) EVALUATOR(FUNC_PREFIX, fname) - -#define keypair RENAME_FUNC_NAME(keypair) -#define decaps RENAME_FUNC_NAME(decaps) -#define encaps RENAME_FUNC_NAME(encaps) - -#define aes_ctr_prf RENAME_FUNC_NAME(aes_ctr_prf) -#define sample_uniform_r_bits_with_fixed_prf_context \ - RENAME_FUNC_NAME(sample_uniform_r_bits_with_fixed_prf_context) -#define init_aes_ctr_prf_state RENAME_FUNC_NAME(init_aes_ctr_prf_state) -#define generate_sparse_rep RENAME_FUNC_NAME(generate_sparse_rep) -#define parallel_hash RENAME_FUNC_NAME(parallel_hash) -#define decode RENAME_FUNC_NAME(decode) -#define print_BE RENAME_FUNC_NAME(print_BE) -#define print_LE RENAME_FUNC_NAME(print_LE) -#define gf2x_mod_mul RENAME_FUNC_NAME(gf2x_mod_mul) -#define secure_set_bits RENAME_FUNC_NAME(secure_set_bits) -#define sha RENAME_FUNC_NAME(sha) -#define count_ones RENAME_FUNC_NAME(count_ones) -#define sha_mb RENAME_FUNC_NAME(sha_mb) -#define split_e RENAME_FUNC_NAME(split_e) -#define compute_syndrome RENAME_FUNC_NAME(compute_syndrome) -#define bike_errno RENAME_FUNC_NAME(bike_errno) -#define cyclic_product RENAME_FUNC_NAME(cyclic_product) -#define ossl_add RENAME_FUNC_NAME(ossl_add) -#define karatzuba_add1 RENAME_FUNC_NAME(karatzuba_add1) -#define karatzuba_add2 RENAME_FUNC_NAME(karatzuba_add2) -#define gf2x_add RENAME_FUNC_NAME(gf2x_add) -#define gf2_muladd_4x4 RENAME_FUNC_NAME(gf2_muladd_4x4) -#define red RENAME_FUNC_NAME(red) -#define gf2x_mul_1x1 RENAME_FUNC_NAME(gf2x_mul_1x1) -#define rotate_right RENAME_FUNC_NAME(rotate_right) -#define r_bits_vector_weight RENAME_FUNC_NAME(r_bits_vector_weight) - -#endif //__FUNCTIONS_RENAMING_H_INCLUDED__ diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/gf2x.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r1/gf2x.h deleted file mode 100644 index 2de0050ff6..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/gf2x.h +++ /dev/null @@ -1,55 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron, - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#pragma once - -#include "types.h" - -#ifdef USE_OPENSSL -# include "openssl_utils.h" -#endif - -#ifdef USE_OPENSSL_GF2M -// res = a*b mod (x^r - 1) -// Note: the caller must allocate twice the size of res. -_INLINE_ ret_t -gf2x_mod_mul(OUT uint64_t *res, IN const uint64_t *a, IN const uint64_t *b) -{ - return cyclic_product((uint8_t *)res, (const uint8_t *)a, (const uint8_t *)b); -} - -// A wrapper for other gf2x_add implementations. -_INLINE_ ret_t -gf2x_add(OUT uint8_t *res, - IN const uint8_t *a, - IN const uint8_t *b, - IN const uint64_t size) -{ - BIKE_UNUSED(size); - return ossl_add((uint8_t *)res, a, b); -} -#else // USE_OPENSSL_GF2M - -_INLINE_ ret_t -gf2x_add(OUT uint8_t *res, - IN const uint8_t *a, - IN const uint8_t *b, - IN const uint64_t bytelen) -{ - for(uint64_t i = 0; i < bytelen; i++) - { - res[i] = a[i] ^ b[i]; - } - return SUCCESS; -} - -// res = a*b mod (x^r - 1) -// the caller must allocate twice the size of res! -ret_t -gf2x_mod_mul(OUT uint64_t *res, IN const uint64_t *a, IN const uint64_t *b); -#endif diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/gf2x_internal.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r1/gf2x_internal.h deleted file mode 100644 index 74fc5b9932..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/gf2x_internal.h +++ /dev/null @@ -1,32 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron, - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#pragma once - -#include "types.h" - -EXTERNC void -karatzuba_add1(OUT uint64_t *res, - IN const uint64_t *a, - IN const uint64_t *b, - IN uint64_t n_half, - IN uint64_t *alah); - -EXTERNC void -karatzuba_add2(OUT uint64_t *res1, - OUT uint64_t *res2, - IN const uint64_t *res, - IN const uint64_t *tmp, - IN uint64_t n_half); - -EXTERNC void -red(uint64_t *res); - -void - -gf2x_mul_1x1(OUT uint64_t *res, IN uint64_t a, IN uint64_t b); diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/gf2x_mul.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r1/gf2x_mul.c deleted file mode 100644 index 84a79589db..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/gf2x_mul.c +++ /dev/null @@ -1,97 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron, - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#include "cleanup.h" -#include "gf2x.h" -#include "gf2x_internal.h" -#include <stdlib.h> -#include <string.h> - -#ifndef USE_OPENSSL_GF2M - -// All the temporary data (which might hold secrets) -// is stored on a secure buffer, so that it can be easily cleaned up later. -// The secure buffer required is: 3n/2 (alah|blbh|tmp) in a recursive way. -// 3n/2 + 3n/4 + 3n/8 = 3(n/2 + n/4 + n/8) < 3n -# define SECURE_BUFFER_SIZE (3 * R_PADDED_SIZE) - -// Calculate number of uint64_t values needed to store SECURE_BUFFER_SIZE bytes. Rounding up to the next whole integer. -# define SECURE_BUFFER_SIZE_64_BIT ((SECURE_BUFFER_SIZE / sizeof(uint64_t)) + ((SECURE_BUFFER_SIZE % sizeof(uint64_t)) != 0)) - -// This functions assumes that n is even. -_INLINE_ void -karatzuba(OUT uint64_t *res, - IN const uint64_t *a, - IN const uint64_t *b, - IN const uint64_t n, - uint64_t * secure_buf) -{ - if(1 == n) - { - gf2x_mul_1x1(res, a[0], b[0]); - return; - } - - const uint64_t half_n = n >> 1; - - // Define pointers for the middle of each parameter - // sepearting a=a_low and a_high (same for ba nd res) - const uint64_t *a_high = a + half_n; - const uint64_t *b_high = b + half_n; - - // Divide res into 4 parts res3|res2|res1|res in size n/2 - uint64_t *res1 = res + half_n; - uint64_t *res2 = res1 + half_n; - - // All three parameters below are allocated on the secure buffer - // All of them are in size half n - uint64_t *alah = secure_buf; - uint64_t *blbh = alah + half_n; - uint64_t *tmp = blbh + half_n; - - // Place the secure buffer ptr in the first free location, - // so the recursive function can use it. - secure_buf = tmp + half_n; - - // Calculate Z0 and store the result in res(low) - karatzuba(res, a, b, half_n, secure_buf); - - // Calculate Z2 and store the result in res(high) - karatzuba(res2, a_high, b_high, half_n, secure_buf); - - // Accomulate the results. - karatzuba_add1(res, a, b, half_n, alah); - - // (a_low + a_high)(b_low + b_high) --> res1 - karatzuba(res1, alah, blbh, half_n, secure_buf); - - karatzuba_add2(res1, res2, res, tmp, half_n); -} - -ret_t -gf2x_mod_mul(OUT uint64_t *res, IN const uint64_t *a, IN const uint64_t *b) -{ - bike_static_assert((R_PADDED_QW % 2 == 0), karatzuba_n_is_odd); - - ALIGN(sizeof(uint64_t)) uint64_t secure_buffer[SECURE_BUFFER_SIZE_64_BIT]; - - /* make sure we have the correct size allocation. */ - bike_static_assert(sizeof(secure_buffer) % sizeof(uint64_t) == 0, - secure_buffer_not_eligable_for_uint64_t); - - karatzuba(res, a, b, R_PADDED_QW, (uint64_t *)secure_buffer); - - // This function implicitly assumes that the size of res is 2*R_PADDED_QW. - red(res); - - secure_clean((uint8_t*)secure_buffer, sizeof(secure_buffer)); - - return SUCCESS; -} - -#endif // USE_OPENSSL_GF2M diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/gf2x_portable.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r1/gf2x_portable.c deleted file mode 100644 index 1816da6e77..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/gf2x_portable.c +++ /dev/null @@ -1,108 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron, - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#include "gf2x.h" -#include "utilities.h" - -#if !defined(USE_OPENSSL_GF2M) - -// The algorithm is based on the windowing method, for example as in: -// Brent, R. P., Gaudry, P., Thomé, E., & Zimmermann, P. (2008, May), "Faster -// multiplication in GF (2)[x]". In: International Algorithmic Number Theory -// Symposium (pp. 153-166). Springer, Berlin, Heidelberg. In this implementation, -// the last three bits are multiplied using a schoolbook multiplicaiton. -void -gf2x_mul_1x1(uint64_t *c, uint64_t a, uint64_t b) -{ - uint64_t h = 0, l = 0, u[8]; - const uint64_t w = 64; - const uint64_t s = 3; - // Multiplying 64 bits by 7 can results in an overflow of 3 bits. - // Therefore, these bits are masked out, and are treated in step 3. - const uint64_t b0 = b & 0x1fffffffffffffff; - - // Step 1: Calculate a multiplication table with 8 entries. - u[0] = 0; - u[1] = b0; - u[2] = u[1] << 1; - u[3] = u[2] ^ b0; - u[4] = u[2] << 1; - u[5] = u[4] ^ b0; - u[6] = u[3] << 1; - u[7] = u[6] ^ b0; - - // Step 2: Multiply two elements in parallel in poisitions i,i+s - l = u[a & 7] ^ (u[(a >> 3) & 7] << 3); - h = (u[(a >> 3) & 7] >> 61); - for(uint32_t i = (2 * s); i < w; i += (2 * s)) - { - uint64_t g1 = u[(a >> i) & 7]; - uint64_t g2 = u[(a >> (i + s)) & 7]; - - l ^= (g1 << i) ^ (g2 << (i + s)); - h ^= (g1 >> (w - i)) ^ (g2 >> (w - (i + s))); - } - - // Step 3: Multiply the last three bits. - for(uint8_t i = 61; i < 64; i++) - { - uint64_t mask = (-((b >> i) & 1)); - l ^= ((a << i) & mask); - h ^= ((a >> (w - i)) & mask); - } - - c[0] = l; - c[1] = h; -} - -void -karatzuba_add1(OUT const uint64_t *res, - IN const uint64_t *a, - IN const uint64_t *b, - IN const uint64_t n_half, - IN uint64_t *alah) -{ - for(uint32_t j = 0; j < n_half; j++) - { - alah[j + 0 * n_half] = a[j] ^ a[n_half + j]; - alah[j + 1 * n_half] = b[j] ^ b[n_half + j]; - alah[j + 2 * n_half] = res[n_half + j] ^ res[2 * n_half + j]; - } -} - -void -karatzuba_add2(OUT uint64_t *res1, - OUT uint64_t *res2, - IN const uint64_t *res, - IN const uint64_t *tmp, - IN const uint64_t n_half) -{ - for(uint32_t j = 0; j < n_half; j++) - { - res1[j] ^= res[j] ^ tmp[j]; - res2[j] ^= res2[n_half + j] ^ tmp[j]; - } -} - -void -red(uint64_t *a) -{ - for(uint32_t i = 0; i < R_QW; i++) - { - const uint64_t temp0 = a[R_QW + i - 1]; - const uint64_t temp1 = a[R_QW + i]; - a[i] ^= (temp0 >> LAST_R_QW_LEAD) | (temp1 << LAST_R_QW_TRAIL); - } - - a[R_QW - 1] &= LAST_R_QW_MASK; - - // Clean the secrets from the upper half of a. - secure_clean((uint8_t *)&a[R_QW], sizeof(uint64_t) * R_QW); -} - -#endif diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/openssl_utils.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r1/openssl_utils.c deleted file mode 100644 index c80d3365cb..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/openssl_utils.c +++ /dev/null @@ -1,187 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron, - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#include "openssl_utils.h" -#include "utilities.h" -#include <assert.h> -#include <openssl/bn.h> -#include <string.h> - -#ifdef USE_OPENSSL_GF2M - -# define MAX_OPENSSL_INV_TRIALS 1000 - -_INLINE_ void -BN_CTX_cleanup(BN_CTX *ctx) -{ - if(ctx) - { - BN_CTX_end(ctx); - BN_CTX_free(ctx); - } -} - -DEFINE_POINTER_CLEANUP_FUNC(BN_CTX *, BN_CTX_cleanup); - -// Loading (big) numbers into OpenSSL should use Big Endian representation. -// Therefore, the bytes ordering of the number should be reversed. -_INLINE_ void -reverse_endian(OUT uint8_t *res, IN const uint8_t *in, IN const uint32_t n) -{ - uint32_t i; - - for(i = 0; i < (n / 2); i++) - { - uint64_t tmp = in[i]; - res[i] = in[n - 1 - i]; - res[n - 1 - i] = tmp; - } - - // If the number of blocks is odd, swap also the middle block. - if(n % 2) - { - res[i] = in[i]; - } -} - -_INLINE_ ret_t -ossl_bn2bin(OUT uint8_t *out, IN const BIGNUM *in, IN const uint32_t size) -{ - assert(size <= N_SIZE); - uint8_t be_tmp[N_SIZE] = {0}; - - memset(out, 0, size); - - if(BN_bn2bin(in, be_tmp) == -1) - { - BIKE_ERROR(EXTERNAL_LIB_ERROR_OPENSSL); - } - reverse_endian(out, be_tmp, BN_num_bytes(in)); - - return SUCCESS; -} - -_INLINE_ ret_t -ossl_bin2bn(IN BIGNUM *out, OUT const uint8_t *in, IN const uint32_t size) -{ - assert(size <= N_SIZE); - uint8_t be_tmp[N_SIZE] = {0}; - - reverse_endian(be_tmp, in, size); - - if(BN_bin2bn(be_tmp, size, out) == 0) - { - BIKE_ERROR(EXTERNAL_LIB_ERROR_OPENSSL); - } - - return SUCCESS; -} - -ret_t -ossl_add(OUT uint8_t res_bin[R_SIZE], - IN const uint8_t a_bin[R_SIZE], - IN const uint8_t b_bin[R_SIZE]) -{ - DEFER_CLEANUP(BN_CTX *bn_ctx = BN_CTX_new(), BN_CTX_cleanup_pointer); - BIGNUM *r = NULL; - BIGNUM *a = NULL; - BIGNUM *b = NULL; - - if(NULL == bn_ctx) - { - BIKE_ERROR(EXTERNAL_LIB_ERROR_OPENSSL); - } - - BN_CTX_start(bn_ctx); - - r = BN_CTX_get(bn_ctx); - a = BN_CTX_get(bn_ctx); - b = BN_CTX_get(bn_ctx); - - if((NULL == r) || (NULL == a) || (NULL == b)) - { - BIKE_ERROR(EXTERNAL_LIB_ERROR_OPENSSL); - } - - POSIX_GUARD(ossl_bin2bn(a, a_bin, R_SIZE)); - POSIX_GUARD(ossl_bin2bn(b, b_bin, R_SIZE)); - - if(BN_GF2m_add(r, a, b) == 0) - { - BIKE_ERROR(EXTERNAL_LIB_ERROR_OPENSSL); - } - - POSIX_GUARD(ossl_bn2bin(res_bin, r, R_SIZE)); - - return SUCCESS; -} - -// Perform a cyclic product by using OpenSSL. -_INLINE_ ret_t -ossl_cyclic_product(OUT BIGNUM *r, - IN const BIGNUM *a, - IN const BIGNUM *b, - BN_CTX * bn_ctx) -{ - BIGNUM *m = BN_CTX_get(bn_ctx); - if(NULL == m) - { - BIKE_ERROR(EXTERNAL_LIB_ERROR_OPENSSL); - } - - // m = x^PARAM_R - 1 - if((BN_set_bit(m, R_BITS) == 0) || (BN_set_bit(m, 0) == 0)) - { - BIKE_ERROR(EXTERNAL_LIB_ERROR_OPENSSL); - } - - // r = a*b mod m - if(BN_GF2m_mod_mul(r, a, b, m, bn_ctx) == 0) - { - BIKE_ERROR(EXTERNAL_LIB_ERROR_OPENSSL); - } - - return SUCCESS; -} - -// Perform a cyclic product by using OpenSSL. -ret_t -cyclic_product(OUT uint8_t res_bin[R_SIZE], - IN const uint8_t a_bin[R_SIZE], - IN const uint8_t b_bin[R_SIZE]) -{ - DEFER_CLEANUP(BN_CTX *bn_ctx = BN_CTX_new(), BN_CTX_cleanup_pointer); - BIGNUM *r = NULL; - BIGNUM *a = NULL; - BIGNUM *b = NULL; - - if(NULL == bn_ctx) - { - BIKE_ERROR(EXTERNAL_LIB_ERROR_OPENSSL); - } - - BN_CTX_start(bn_ctx); - - r = BN_CTX_get(bn_ctx); - a = BN_CTX_get(bn_ctx); - b = BN_CTX_get(bn_ctx); - - if((NULL == r) || (NULL == a) || (NULL == b)) - { - BIKE_ERROR(EXTERNAL_LIB_ERROR_OPENSSL); - } - - POSIX_GUARD(ossl_bin2bn(a, a_bin, R_SIZE)); - POSIX_GUARD(ossl_bin2bn(b, b_bin, R_SIZE)); - POSIX_GUARD(ossl_cyclic_product(r, a, b, bn_ctx)); - POSIX_GUARD(ossl_bn2bin(res_bin, r, R_SIZE)); - - return SUCCESS; -} - -#endif // USE_OPENSSL_GF2M diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/openssl_utils.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r1/openssl_utils.h deleted file mode 100644 index 59438b6d70..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/openssl_utils.h +++ /dev/null @@ -1,33 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron, - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#pragma once - -#include "types.h" - -#ifdef USE_OPENSSL -# include <openssl/bn.h> -# ifndef OPENSSL_NO_EC2M -# define USE_OPENSSL_GF2M 1 -# endif -#endif - -#ifdef USE_OPENSSL_GF2M - -ret_t -ossl_add(OUT uint8_t res_bin[R_SIZE], - IN const uint8_t a_bin[R_SIZE], - IN const uint8_t b_bin[R_SIZE]); - -// Perform cyclic product by using OpenSSL -ret_t -cyclic_product(OUT uint8_t res_bin[R_SIZE], - IN const uint8_t a_bin[R_SIZE], - IN const uint8_t b_bin[R_SIZE]); - -#endif diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/parallel_hash.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r1/parallel_hash.c deleted file mode 100644 index bde3752e0b..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/parallel_hash.c +++ /dev/null @@ -1,111 +0,0 @@ -/* - * Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved. - * - * Licensed under the Apache License, Version 2.0 (the "License"). - * You may not use this file except in compliance with the License. - * A copy of the License is located at - * - * http://aws.amazon.com/apache2.0 - * - * or in the "license" file accompanying this file. This file is distributed - * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either - * express or implied. See the License for the specific language governing - * permissions and limitations under the License. - * The license is detailed in the file LICENSE.md, and applies to this file. - * - * Written by Nir Drucker and Shay Gueron - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#include "parallel_hash.h" -#include "utilities.h" -#include <assert.h> -#include <string.h> - -#define MAX_REM_LEN (MAX_MB_SLICES * HASH_BLOCK_SIZE) - -// We must ensure that the compiler does not add padding between x and y, because -// the entire structore goes into the hash function. -#pragma pack(push, 1) - -// The struct below is a concatination of eight slices and Y. -typedef struct yx_s -{ - sha_hash_t x[MAX_MB_SLICES]; - // We define MAX_REM_LEN rather than lrem, in order to be consistent with the - // standard of C. - uint8_t y[MAX_REM_LEN]; -} yx_t; - -#pragma pack(pop) - -_INLINE_ uint64_t -compute_slice_len(IN const uint64_t la) -{ - assert((la / MAX_MB_SLICES) >= SLICE_REM); - - // alpha is the number of full blocks - const uint64_t alpha = (((la / MAX_MB_SLICES) - SLICE_REM) / HASH_BLOCK_SIZE); - return ((alpha * HASH_BLOCK_SIZE) + SLICE_REM); -} - -// This function assumes that m is of N_BITS length. -void -parallel_hash(OUT sha_hash_t *out_hash, IN const uint8_t *m, IN const uint32_t la) -{ - DMSG(" Enter parallel_hash.\n"); - - // Calculating how many bytes will go to "parallel" hashing - // and how many will remind as a tail for later on - const uint32_t ls = compute_slice_len(la); - const uint32_t lrem = (uint32_t)(la - (ls * MAX_MB_SLICES)); - yx_t yx = {0}; - -#ifdef WIN32 - DMSG(" Len=%u splits into %I64u logical streams (A1..A8) of length %u " - "bytes. ", - la, MAX_MB_SLICES, ls); - DMSG("Append the logically remaining buffer (Y) of %u - %I64u*%u = %u " - "bytes\n\n", - la, MAX_MB_SLICES, ls, lrem); -#else - DMSG(" Len=%u splits into %llu logical streams (A1..A8) of length %u " - "bytes. ", - la, MAX_MB_SLICES, ls); - DMSG("Append the logically remaining buffer (Y) of %u - %llu*%u = %u " - "bytes\n\n", - la, MAX_MB_SLICES, ls, lrem); -#endif - - print(" The (original) buffer is:\n ", (const uint64_t *)m, la * 8); - DMSG("\n"); - EDMSG(" The 8 SHA digests:\n"); - - // Use optimized API for 4 blocks. - const uint64_t partial_len = (NUM_OF_BLOCKS_IN_MB * ls); - sha_mb(&yx.x[0], m, partial_len, NUM_OF_BLOCKS_IN_MB); -#if NUM_OF_BLOCKS_IN_MB != MAX_MB_SLICES - sha_mb(&yx.x[NUM_OF_BLOCKS_IN_MB], &m[partial_len], partial_len, - NUM_OF_BLOCKS_IN_MB); -#endif - - for(uint32_t i = 0; i < MAX_MB_SLICES; i++) - { - print("X[i]:", (uint64_t *)&yx.x[i], SIZEOF_BITS(yx.x[i])); - } - - // Copy the reminder (Y) - memcpy(yx.y, &m[MAX_MB_SLICES * ls], lrem); - - // Compute the final hash (on YX). We explicitly use lrem instead of - // sizeof(yx.y) because yx.y is padded with zeros. - sha(out_hash, sizeof(yx.x) + lrem, (uint8_t *)&yx); - - print("\nY: ", (uint64_t *)yx.y, lrem * 8); - - // yx might contain secrets - secure_clean((uint8_t *)&yx, sizeof(yx)); - - DMSG(" Exit parallel_hash.\n"); -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/parallel_hash.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r1/parallel_hash.h deleted file mode 100644 index 11e95cf89d..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/parallel_hash.h +++ /dev/null @@ -1,42 +0,0 @@ -/* - * Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved. - * - * Licensed under the Apache License, Version 2.0 (the "License"). - * You may not use this file except in compliance with the License. - * A copy of the License is located at - * - * http://aws.amazon.com/apache2.0 - * - * or in the "license" file accompanying this file. This file is distributed - * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either - * express or implied. See the License for the specific language governing - * permissions and limitations under the License. - * The license is detailed in the file LICENSE.md, and applies to this file. - * - * Written by Nir Drucker and Shay Gueron - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#pragma once - -#include "sha.h" - -// The parallel_hash algorithm uses the technique described in -// 1) S. Gueron, V. Krasnov. Simultaneous Hashing of Multiple Messages. -// Journal of Information Security 3:319-325 (2012). -// 2) S. Gueron. A j-Lanes Tree Hashing Mode and j-Lanes SHA-256. -// Journal of Information Security 4:7-11 (2013). -// See also: -// 3) S. Gueron. Parallelized Hashing via j-Lanes and j-Pointers Tree Modes, -// with Applications to SHA-256. -// Journal of Information Security 5:91-113 (2014). -// -// It is designed to convert the serial hashing to a parallelizeable process. -// -// This function assumes that m is of N_BITS length and that -// ((la / MAX_MB_SLICES) >= SLICE_REM) -void -parallel_hash(OUT sha_hash_t *out_hash, - IN const uint8_t *m, - IN const uint32_t la); diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/sampling.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r1/sampling.c deleted file mode 100644 index d08fa5eea7..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/sampling.c +++ /dev/null @@ -1,118 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#include "sampling.h" -#include <assert.h> -#include <string.h> - -_INLINE_ ret_t -get_rand_mod_len(OUT uint32_t * rand_pos, - IN const uint32_t len, - IN OUT aes_ctr_prf_state_t *prf_state) -{ - const uint64_t mask = MASK(bit_scan_reverse(len)); - - do - { - // Generate 128bit of random numbers - POSIX_GUARD(aes_ctr_prf((uint8_t *)rand_pos, prf_state, sizeof(*rand_pos))); - - // Mask only relevant bits - (*rand_pos) &= mask; - - // Break if a number smaller than len is found - if((*rand_pos) < len) - { - break; - } - - } while(1); - - return SUCCESS; -} - -_INLINE_ void -make_odd_weight(IN OUT r_t *r) -{ - if(((r_bits_vector_weight(r) % 2) == 1)) - { - // Already odd - return; - } - - r->raw[0] ^= 1; -} - -// IN: must_be_odd - 1 true, 0 not -ret_t -sample_uniform_r_bits_with_fixed_prf_context(OUT r_t *r, - IN OUT - aes_ctr_prf_state_t *prf_state, - IN const must_be_odd_t must_be_odd) -{ - // Generate random data - POSIX_GUARD(aes_ctr_prf(r->raw, prf_state, R_SIZE)); - - // Mask upper bits of the MSByte - r->raw[R_SIZE - 1] &= MASK(R_BITS + 8 - (R_SIZE * 8)); - - if(must_be_odd == MUST_BE_ODD) - { - make_odd_weight(r); - } - - return SUCCESS; -} - -_INLINE_ int -is_new(IN const idx_t wlist[], IN const uint32_t ctr) -{ - for(uint32_t i = 0; i < ctr; i++) - { - if(wlist[i] == wlist[ctr]) - { - return 0; - } - } - - return 1; -} - -// Assumption 1) paddded_len % 64 = 0! -// Assumption 2) a is a len bits array. It is padded to be a padded_len -// bytes array. The padded area may be modified and should -// be ignored outside the function scope. -ret_t -generate_sparse_rep(OUT uint64_t * a, - OUT idx_t wlist[], - IN const uint32_t weight, - IN const uint32_t len, - IN const uint32_t padded_len, - IN OUT aes_ctr_prf_state_t *prf_state) -{ - assert(padded_len % 64 == 0); - // Bits comparison - assert((padded_len * 8) >= len); - - uint64_t ctr = 0; - - // Generate weight rand numbers - do - { - POSIX_GUARD(get_rand_mod_len(&wlist[ctr], len, prf_state)); - ctr += is_new(wlist, ctr); - } while(ctr < weight); - - // Initialize to zero - memset(a, 0, (len + 7) >> 3); - - // Assign values to "a" - secure_set_bits(a, wlist, padded_len, weight); - - return SUCCESS; -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/sampling.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r1/sampling.h deleted file mode 100644 index 4ec60683de..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/sampling.h +++ /dev/null @@ -1,78 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#pragma once - -#include "aes_ctr_prf.h" -#include "pq-crypto/s2n_pq_random.h" -#include "utils/s2n_result.h" -#include "utilities.h" - -typedef enum -{ - NO_RESTRICTION = 0, - MUST_BE_ODD = 1 -} must_be_odd_t; - -_INLINE_ ret_t -get_seeds(OUT seeds_t *seeds) -{ - if(s2n_result_is_ok(s2n_get_random_bytes(seeds->seed[0].raw, sizeof(seeds_t)))) - { - return SUCCESS; - } - else - { - BIKE_ERROR(E_FAIL_TO_GET_SEED); - } -} - -// Return's an array of r pseudorandom bits -// No restrictions exist for the top or bottom bits - -// in case an odd number is required then set must_be_odd=1 -// Uses the provided prf context -ret_t -sample_uniform_r_bits_with_fixed_prf_context(OUT r_t *r, - IN OUT - aes_ctr_prf_state_t *prf_state, - IN must_be_odd_t must_be_odd); - -// Return's an array of r pseudorandom bits -// No restrictions exist for the top or bottom bits - -// in case an odd number is required then set must_be_odd=1 -_INLINE_ ret_t -sample_uniform_r_bits(OUT r_t *r, - IN const seed_t * seed, - IN const must_be_odd_t must_be_odd) -{ - // For the seedexpander - DEFER_CLEANUP(aes_ctr_prf_state_t prf_state = {0}, aes_ctr_prf_state_cleanup); - - POSIX_GUARD(init_aes_ctr_prf_state(&prf_state, MAX_AES_INVOKATION, seed)); - - POSIX_GUARD(sample_uniform_r_bits_with_fixed_prf_context(r, &prf_state, must_be_odd)); - - return SUCCESS; -} - -// Generate a pseudorandom r of length len with a set weight -// Using the pseudorandom ctx supplied -// Outputs also a compressed (not ordered) list of indices -ret_t -generate_sparse_rep(OUT uint64_t *a, - OUT idx_t wlist[], - IN uint32_t weight, - IN uint32_t len, - IN uint32_t padded_len, - IN OUT aes_ctr_prf_state_t *prf_state); - -EXTERNC void -secure_set_bits(IN OUT uint64_t *a, - IN const idx_t wlist[], - IN uint32_t a_len, - IN uint32_t weight); diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/sampling_portable.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r1/sampling_portable.c deleted file mode 100644 index 1ae7a6f247..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/sampling_portable.c +++ /dev/null @@ -1,48 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#include "sampling.h" -#include <assert.h> - -#define MAX_WEIGHT (T1 > DV ? T1 : DV) - -// This implementation assumes that the wlist contains fake list -void -secure_set_bits(IN OUT uint64_t * a, - IN const idx_t wlist[], - IN const uint32_t a_len_bytes, - IN const uint32_t weight) -{ - assert(a_len_bytes % 8 == 0); - - // Set arrays to the maximum possible for the stack protector - assert(weight <= MAX_WEIGHT); - uint64_t qw_pos[MAX_WEIGHT]; - uint64_t bit_pos[MAX_WEIGHT]; - - // 1. Identify the QW position of each value and the bit position inside this - // QW. - for(uint32_t j = 0; j < weight; j++) - { - qw_pos[j] = wlist[j] >> 6; - bit_pos[j] = BIT(wlist[j] & 0x3f); - } - - // 2. Fill each QW in a constant time. - for(uint32_t qw = 0; qw < (a_len_bytes / 8); qw++) - { - uint64_t tmp = 0; - for(uint32_t j = 0; j < weight; j++) - { - uint64_t mask = (-1ULL) + (!secure_cmp32(qw_pos[j], qw)); - tmp |= (bit_pos[j] & mask); - } - // Set the bit in a masked way - a[qw] |= tmp; - } -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/secure_decode_portable.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r1/secure_decode_portable.c deleted file mode 100644 index 963c3257b7..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/secure_decode_portable.c +++ /dev/null @@ -1,66 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#include "decode.h" -#include "utilities.h" - -#define R_QW_HALF_LOG2 UPTOPOW2(R_QW / 2) - -_INLINE_ void -rotr_big(OUT syndrome_t *out, IN const syndrome_t *in, IN size_t qw_num) -{ - // For preventing overflows (comparison in bytes) - bike_static_assert(sizeof(*out) > 8 * (R_QW + (2 * R_QW_HALF_LOG2)), - rotr_big_err); - - memcpy(out, in, sizeof(*in)); - - for(uint32_t idx = R_QW_HALF_LOG2; idx >= 1; idx >>= 1) - { - // Convert 32 bit mask to 64 bit mask - const uint64_t mask = ((uint32_t)secure_l32_mask(qw_num, idx) + 1U) - 1ULL; - qw_num = qw_num - (idx & mask); - - // Rotate R_QW quadwords and another idx quadwords needed by the next - // iteration - for(size_t i = 0; i < (R_QW + idx); i++) - { - out->qw[i] = (out->qw[i] & (~mask)) | (out->qw[i + idx] & mask); - } - } -} - -_INLINE_ void -rotr_small(OUT syndrome_t *out, IN const syndrome_t *in, IN const size_t bits) -{ - bike_static_assert(bits < 64, rotr_small_err); - bike_static_assert(sizeof(*out) > (8 * R_QW), rotr_small_qw_err); - - // Convert |bits| to 0/1 by using !!bits then create a mask of 0 or 0xffffffffff - // Use high_shift to avoid undefined behaviour when doing x << 64; - const uint64_t mask = (0 - (!!bits)); - const uint64_t high_shift = (64 - bits) & mask; - - for(size_t i = 0; i < R_QW; i++) - { - const uint64_t low_part = in->qw[i] >> bits; - const uint64_t high_part = (in->qw[i + 1] << high_shift) & mask; - out->qw[i] = low_part | high_part; - } -} - -void -rotate_right(OUT syndrome_t *out, - IN const syndrome_t *in, - IN const uint32_t bitscount) -{ - // Rotate (64-bit) quad-words - rotr_big(out, in, (bitscount / 64)); - // Rotate bits (less than 64) - rotr_small(out, out, (bitscount % 64)); -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/sha.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r1/sha.h deleted file mode 100644 index a1cc55e04a..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/sha.h +++ /dev/null @@ -1,61 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#pragma once - -#include "cleanup.h" -#include "types.h" -#include "utilities.h" -#include <openssl/sha.h> - -#define SHA384_HASH_SIZE 48ULL -#define SHA384_HASH_QWORDS (SHA384_HASH_SIZE / 8) - -typedef struct sha384_hash_s -{ - union { - uint8_t raw[SHA384_HASH_SIZE]; - uint64_t qw[SHA384_HASH_QWORDS]; - } u; -} sha384_hash_t; -bike_static_assert(sizeof(sha384_hash_t) == SHA384_HASH_SIZE, sha384_hash_size); - -typedef sha384_hash_t sha_hash_t; - -_INLINE_ void -sha_hash_cleanup(IN OUT sha_hash_t *o) -{ - secure_clean(o->u.raw, sizeof(*o)); -} - -#define NUM_OF_BLOCKS_IN_MB 4ULL -#define SLICE_REM 111ULL -#define MAX_MB_SLICES 8ULL -#define HASH_BLOCK_SIZE 128ULL - -_INLINE_ int -sha(OUT sha_hash_t *hash_out, IN const uint32_t byte_len, IN const uint8_t *msg) -{ - SHA384(msg, byte_len, hash_out->u.raw); - return 1; -} - -_INLINE_ void -sha_mb(OUT sha_hash_t *hash_out, - IN const uint8_t *msg, - IN const uint32_t byte_len, - IN const uint32_t num) -{ - const uint32_t ls = (byte_len / NUM_OF_BLOCKS_IN_MB); - - // Hash each block (X[i]) - for(uint32_t i = 0; i < num; i++) - { - SHA384(&msg[i * ls], ls, hash_out[i].u.raw); - } -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/types.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r1/types.h deleted file mode 100644 index 044b7ee38e..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/types.h +++ /dev/null @@ -1,139 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#pragma once - -#include "bike_defs.h" -#include "error.h" -#include <stdint.h> - -typedef struct uint128_s -{ - union { - uint8_t bytes[16]; - uint32_t dw[4]; - uint64_t qw[2]; - } u; -} uint128_t; - -// Make sure no compiler optimizations. -#pragma pack(push, 1) - -typedef struct seed_s -{ - uint8_t raw[32]; -} seed_t; - -typedef struct seeds_s -{ - seed_t seed[NUM_OF_SEEDS]; -} seeds_t; - -typedef struct r_s -{ - uint8_t raw[R_SIZE]; -} r_t; - -typedef struct e_s -{ - uint8_t raw[N_SIZE]; -} e_t; - -typedef struct generic_param_n_s -{ - r_t val[N0]; -} generic_param_n_t; - -typedef generic_param_n_t ct_t; -typedef generic_param_n_t pk_t; -typedef generic_param_n_t split_e_t; - -typedef uint32_t idx_t; - -typedef struct compressed_idx_dv_s -{ - idx_t val[DV]; -} compressed_idx_dv_t; - -typedef compressed_idx_dv_t compressed_idx_dv_ar_t[N0]; - -typedef struct compressed_idx_t_t -{ - idx_t val[T1]; -} compressed_idx_t_t; - -// The secret key holds both representation for avoiding -// the compression in the decaps stage -typedef struct sk_s -{ - compressed_idx_dv_ar_t wlist; - r_t bin[N0]; -#ifndef INDCPA - r_t sigma0; - r_t sigma1; -#endif -} sk_t; - -// Pad e to the next Block -typedef ALIGN(8) struct padded_e_s -{ - e_t val; - uint8_t pad[N_PADDED_SIZE - N_SIZE]; -} padded_e_t; - -// Pad r to the next Block -typedef ALIGN(8) struct padded_r_s -{ - r_t val; - uint8_t pad[R_PADDED_SIZE - R_SIZE]; -} padded_r_t; - -typedef padded_r_t padded_param_n_t[N0]; -typedef padded_param_n_t pad_sk_t; -typedef padded_param_n_t pad_pk_t; -typedef padded_param_n_t pad_ct_t; - -// Need to allocate twice the room for the results -typedef ALIGN(8) struct dbl_padded_r_s -{ - r_t val; - uint8_t pad[(2 * R_PADDED_SIZE) - R_SIZE]; -} dbl_padded_r_t; - -typedef dbl_padded_r_t dbl_padded_param_n_t[N0]; -typedef dbl_padded_param_n_t dbl_pad_pk_t; -typedef dbl_padded_param_n_t dbl_pad_ct_t; -typedef dbl_padded_param_n_t dbl_pad_syndrome_t; - -typedef struct ss_s -{ - uint8_t raw[ELL_K_SIZE]; -} ss_t; - -// For optimization purposes -// 1- For a faster rotate we duplicate the syndrome (dup1/2) -// 2- We extend it to fit the boundary of DDQW -typedef ALIGN(64) struct syndrome_s -{ - uint64_t qw[3 * R_QW]; -} syndrome_t; - -typedef struct upc_slice_s -{ - union { - padded_r_t r; - uint64_t qw[sizeof(padded_r_t) / 8]; - } u; -} upc_slice_t; - -typedef struct upc_s -{ - upc_slice_t slice[SLICES]; -} upc_t; - -#pragma pack(pop) diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/utilities.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r1/utilities.c deleted file mode 100644 index 4f049af86a..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/utilities.c +++ /dev/null @@ -1,160 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#include "utilities.h" -#include <inttypes.h> - -#define BITS_IN_QW 64ULL -#define BITS_IN_BYTE 8ULL - -// Print a new line only if we prints in qw blocks -_INLINE_ void -print_newline(IN const uint64_t qw_pos) -{ -#ifndef NO_NEWLINE - if((qw_pos % 4) == 3) - { - printf("\n "); - } -#endif -} - -// This function is stitched for R_BITS vector -uint64_t -r_bits_vector_weight(IN const r_t *in) -{ - uint64_t acc = 0; - for(size_t i = 0; i < (R_SIZE - 1); i++) - { - acc += __builtin_popcount(in->raw[i]); - } - - acc += __builtin_popcount(in->raw[R_SIZE - 1] & LAST_R_BYTE_MASK); - return acc; -} - -// Prints a QW in LE/BE in win/linux format -_INLINE_ void -print_uint64(IN const uint64_t val) -{ -// If printing in BE is required swap the order of bytes -#ifdef PRINT_IN_BE - uint64_t tmp = bswap_64(val); -#else - uint64_t tmp = val; -#endif - - printf("%.16" PRIx64, tmp); - -#ifndef NO_SPACE - printf(" "); -#endif -} - -// Last block requires a special handling as we should zero mask all the bits -// above the desired number endien - 0 - BE, 1 - LE Return 1 if last block was -// printed else 0 -_INLINE_ uint8_t -print_last_block(IN const uint8_t *last_bytes, - IN const uint32_t bits_num, - IN const uint32_t endien) -{ - // Floor of bits/64 the reminder is in the next QW - const uint32_t qw_num = bits_num / BITS_IN_QW; - - // How many bits to pad with zero - const uint32_t rem_bits = bits_num - (BITS_IN_QW * qw_num); - - // We read byte byte and not the whole QW to avoid reading bad memory address - const uint32_t bytes_num = ((rem_bits % 8) == 0) ? rem_bits / BITS_IN_BYTE - : 1 + rem_bits / BITS_IN_BYTE; - - // Must be signed for the LE loop - int i; - - if(0 == rem_bits) - { - return 0; - } - - // Mask unneeded bits - const uint8_t last_byte = (rem_bits % 8 == 0) - ? last_bytes[bytes_num - 1] - : last_bytes[bytes_num - 1] & MASK(rem_bits % 8); - // BE - if(0 == endien) - { - for(i = 0; (uint32_t)i < (bytes_num - 1); i++) - { - printf("%.2x", last_bytes[i]); - } - - printf("%.2x", last_byte); - - for(i++; (uint32_t)i < sizeof(uint64_t); i++) - { - printf("__"); - } - } - else - { - for(i = sizeof(uint64_t) - 1; (uint32_t)i >= bytes_num; i--) - { - printf("__"); - } - - printf("%.2x", last_byte); - - for(i--; i >= 0; i--) - { - printf("%.2x", last_bytes[i]); - } - } - -#ifndef NO_SPACE - printf(" "); -#endif - - return 1; -} - -void -print_LE(IN const uint64_t *in, IN const uint32_t bits_num) -{ - const uint32_t qw_num = bits_num / BITS_IN_QW; - - // Print the MSB QW - uint32_t qw_pos = print_last_block((const uint8_t *)&in[qw_num], bits_num, 1); - - // Print each 8 bytes separated by space (if required) - for(int i = ((int)qw_num) - 1; i >= 0; i--, qw_pos++) - { - print_uint64(in[i]); - print_newline(qw_pos); - } - - printf("\n"); -} - -void -print_BE(IN const uint64_t *in, IN const uint32_t bits_num) -{ - const uint32_t qw_num = bits_num / BITS_IN_QW; - - // Print each 16 numbers separatly - for(uint32_t i = 0; i < qw_num; ++i) - { - print_uint64(in[i]); - print_newline(i); - } - - // Print the MSB QW - print_last_block((const uint8_t *)&in[qw_num], bits_num, 0); - - printf("\n"); -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/utilities.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r1/utilities.h deleted file mode 100644 index be8f4b9b10..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r1/utilities.h +++ /dev/null @@ -1,158 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#pragma once - -#include "cleanup.h" - -#ifndef bswap_64 -# define bswap_64(x) __builtin_bswap64(x) -#endif - -// Printing values in Little Endian -void -print_LE(IN const uint64_t *in, IN uint32_t bits_num); - -// Printing values in Big Endian -void -print_BE(IN const uint64_t *in, IN uint32_t bits_num); - -// Printing number is required only in verbose level 2 or above -#if VERBOSE >= 2 -# ifdef PRINT_IN_BE -// Print in Big Endian -# define print(name, in, bits_num) \ - do \ - { \ - EDMSG(name); \ - print_BE(in, bits_num); \ - } while(0) -# else -// Print in Little Endian -# define print(name, in, bits_num) \ - do \ - { \ - EDMSG(name); \ - print_LE(in, bits_num); \ - } while(0) -# endif -#else -// No prints at all -# define print(name, in, bits_num) -#endif - -// Comparing value in a constant time manner -_INLINE_ uint32_t -secure_cmp(IN const uint8_t *a, IN const uint8_t *b, IN const uint32_t size) -{ - volatile uint8_t res = 0; - - for(uint32_t i = 0; i < size; ++i) - { - res |= (a[i] ^ b[i]); - } - - return (0 == res); -} - -uint64_t -r_bits_vector_weight(IN const r_t *in); - -// Constant time -_INLINE_ uint32_t -iszero(IN const uint8_t *s, IN const uint32_t len) -{ - volatile uint32_t res = 0; - for(uint64_t i = 0; i < len; i++) - { - res |= s[i]; - } - return (0 == res); -} - -// BSR returns ceil(log2(val)) -_INLINE_ uint8_t -bit_scan_reverse(uint64_t val) -{ - // index is always smaller than 64 - uint8_t index = 0; - - while(val != 0) - { - val >>= 1; - index++; - } - - return index; -} - -// Return 1 if equal 0 otherwise -_INLINE_ uint32_t -secure_cmp32(IN const uint32_t v1, IN const uint32_t v2) -{ -#if defined(__aarch64__) - uint32_t res; - __asm__ __volatile__("cmp %w1, %w2; \n " - "cset %w0, EQ; \n" - : "=r"(res) - : "r"(v1), "r"(v2) - :); - return res; -#elif defined(__x86_64__) || defined(__i386__) - uint32_t res; - __asm__ __volatile__("xor %%edx, %%edx; \n" - "cmp %1, %2; \n " - "sete %%dl; \n" - "mov %%edx, %0; \n" - : "=r"(res) - : "r"(v1), "r"(v2) - : "rdx"); - return res; -#else - // Insecure comparison: The main purpose of secure_cmp32 is to avoid - // branches and thus to prevent potential side channel attacks. To do that - // we normally leverage some CPU special instructions such as "sete" - // (for __x86_64__) and "cset" (for __aarch64__). When dealing with general - // CPU architectures, the interpretation of the line below is left for the - // compiler, which may lead to an insecure branch. - return (v1 == v2 ? 1 : 0); -#endif -} - -// Return 0 if v1 < v2, (-1) otherwise -_INLINE_ uint32_t -secure_l32_mask(IN const uint32_t v1, IN const uint32_t v2) -{ -#if defined(__aarch64__) - uint32_t res; - __asm__ __volatile__("cmp %w2, %w1; \n " - "cset %w0, HI; \n" - : "=r"(res) - : "r"(v1), "r"(v2) - :); - return (res - 1); -#elif defined(__x86_64__) || defined(__i386__) - uint32_t res; - __asm__ __volatile__("xor %%edx, %%edx; \n" - "cmp %1, %2; \n " - "setl %%dl; \n" - "dec %%edx; \n" - "mov %%edx, %0; \n" - - : "=r"(res) - : "r"(v2), "r"(v1) - : "rdx"); - - return res; -#else - // If v1 >= v2 then the subtraction result is 0^32||(v1-v2) - // else it will be 1^32||(v2-v1+1). Subsequently, negating the upper - // 32 bits gives 0 if v1 < v2 and otherwise (-1). - return ~((uint32_t)(((uint64_t)v1 - (uint64_t)v2) >> 32)); -#endif -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/LICENSE b/contrib/restricted/aws/s2n/pq-crypto/bike_r2/LICENSE deleted file mode 100644 index 7a4a3ea242..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/LICENSE +++ /dev/null @@ -1,202 +0,0 @@ - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License.
\ No newline at end of file diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/README.md b/contrib/restricted/aws/s2n/pq-crypto/bike_r2/README.md deleted file mode 100644 index 91d4b27ce4..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/README.md +++ /dev/null @@ -1,37 +0,0 @@ -BIKE-1 - Additional implementation of "BIKE: Bit Flipping Key Encapsulation". ------------------------------------------------------------------------------ - -This package is an "additional optimized" implementation of the Round-2 -variant of BIKE-1. - -BIKE is a submission to the Post-Quantum Cryptography -Standardization project http://csrc.nist.gov/projects/post-quantum-cryptography. - -The official BIKE website is: https://bikesuite.org - -This package offers a constant time implementations of Round-2 BIKE-1. -- A portable implementation that requires libcrypto.a (e.g., of OpenSSL) for AES256 and SHA384. - -The optimizations in this package are based on the papers: -[1] Nir Drucker, Shay Gueron, "A Toolbox for Software Optimization of QC-MDPC - Code-Based Cryptosystems." Journal of Cryptographic Engineering, January 2019, - 1–17 https://doi.org/10.1007/s13389-018-00200-4. - -[2] Chou, T.: QcBits: Constant-Time Small-Key Code-Based Cryptography. In: Gier-lichs, B., - Poschmann, A.Y. (eds.) Cryptographic Hardware and Embedded Systems– CHES 2016. pp. 280–300. - Springer Berlin Heidelberg, Berlin, Heidelberg (2016) - -[3] Guimarães, Antonio, Diego F Aranha, and Edson Borin. 2019. - “Optimized Implementation of QC-MDPC Code-Based Cryptography.” - Concurrency and Computation: Practice and Experience 31 (18): e5089. - https://doi.org/10.1002/cpe.5089. - -The decoder (in decoder/decoder.c) algorithm is the Black-Gray decoder included -in the early submission of CAKE (due to N. Sandrier and R. Misoczki). - -The analysis for the constant time implementation is given in: -[4] Nir Drucker, Shay Gueron, and Dusan Kostic, - "On constant-time QC-MDPC decoding with negligible failure rate", ePrint, 2019. - -The code is due to Nir Drucker, Shay Gueron (and Dusan Kostic for the Round-2 flows). - diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/aes_ctr_prf.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r2/aes_ctr_prf.c deleted file mode 100644 index 2f211010df..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/aes_ctr_prf.c +++ /dev/null @@ -1,105 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#include "aes_ctr_prf.h" -#include "utilities.h" -#include <string.h> - -ret_t -init_aes_ctr_prf_state(OUT aes_ctr_prf_state_t *s, - IN const uint32_t max_invokations, - IN const seed_t *seed) -{ - if(0 == max_invokations) - { - BIKE_ERROR(E_AES_CTR_PRF_INIT_FAIL); - } - - // Set the key schedule (from seed). - // Make sure the size matches the AES256 key size - DEFER_CLEANUP(aes256_key_t key, aes256_key_cleanup); - - bike_static_assert(sizeof(*seed) == sizeof(key.raw), seed_size_equals_ky_size); - memcpy(key.raw, seed->raw, sizeof(key.raw)); - - POSIX_GUARD(aes256_key_expansion(&s->ks_ptr, &key)); - - // Initialize buffer and counter - s->ctr.u.qw[0] = 0; - s->ctr.u.qw[1] = 0; - s->buffer.u.qw[0] = 0; - s->buffer.u.qw[1] = 0; - - s->pos = AES256_BLOCK_SIZE; - s->rem_invokations = max_invokations; - - SEDMSG(" Init aes_prf_ctr state:\n"); - SEDMSG(" s.pos = %d\n", s->pos); - SEDMSG(" s.rem_invokations = %u\n", s->rem_invokations); - SEDMSG(" s.ctr = 0x\n"); - - return SUCCESS; -} - -_INLINE_ ret_t -perform_aes(OUT uint8_t *ct, IN OUT aes_ctr_prf_state_t *s) -{ - // Ensure that the CTR is big enough - bike_static_assert( - ((sizeof(s->ctr.u.qw[0]) == 8) && (BIT(33) >= MAX_AES_INVOKATION)), - ctr_size_is_too_small); - - if(0 == s->rem_invokations) - { - BIKE_ERROR(E_AES_OVER_USED); - } - - POSIX_GUARD(aes256_enc(ct, s->ctr.u.bytes, &s->ks_ptr)); - - s->ctr.u.qw[0]++; - s->rem_invokations--; - - return SUCCESS; -} - -ret_t -aes_ctr_prf(OUT uint8_t *a, IN OUT aes_ctr_prf_state_t *s, IN const uint32_t len) -{ - // When Len is smaller than whats left in the buffer - // No need in additional AES - if((len + s->pos) <= AES256_BLOCK_SIZE) - { - memcpy(a, &s->buffer.u.bytes[s->pos], len); - s->pos += len; - - return SUCCESS; - } - - // If s.pos != AES256_BLOCK_SIZE then copy whats left in the buffer - // Else copy zero bytes - uint32_t idx = AES256_BLOCK_SIZE - s->pos; - memcpy(a, &s->buffer.u.bytes[s->pos], idx); - - // Init s.pos - s->pos = 0; - - // Copy full AES blocks - while((len - idx) >= AES256_BLOCK_SIZE) - { - POSIX_GUARD(perform_aes(&a[idx], s)); - idx += AES256_BLOCK_SIZE; - } - - POSIX_GUARD(perform_aes(s->buffer.u.bytes, s)); - - // Copy the tail - s->pos = len - idx; - memcpy(&a[idx], s->buffer.u.bytes, s->pos); - - return SUCCESS; -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/aes_ctr_prf.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r2/aes_ctr_prf.h deleted file mode 100644 index ac17d4ddd5..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/aes_ctr_prf.h +++ /dev/null @@ -1,49 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#pragma once - -#include "aes_wrap.h" - -////////////////////////////// -// Types -///////////////////////////// - -typedef struct aes_ctr_prf_state_s -{ - uint128_t ctr; - uint128_t buffer; - aes256_ks_t ks_ptr; - uint32_t rem_invokations; - uint8_t pos; -} aes_ctr_prf_state_t; - -////////////////////////////// -// Methods -///////////////////////////// - -ret_t -init_aes_ctr_prf_state(OUT aes_ctr_prf_state_t *s, - IN uint32_t max_invokations, - IN const seed_t *seed); - -ret_t -aes_ctr_prf(OUT uint8_t *a, IN OUT aes_ctr_prf_state_t *s, IN uint32_t len); - -_INLINE_ void -finalize_aes_ctr_prf(IN OUT aes_ctr_prf_state_t *s) -{ - aes256_free_ks(&s->ks_ptr); - secure_clean((uint8_t *)s, sizeof(*s)); -} - -_INLINE_ void -aes_ctr_prf_state_cleanup(IN OUT aes_ctr_prf_state_t *s) -{ - finalize_aes_ctr_prf(s); -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/aes_wrap.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r2/aes_wrap.h deleted file mode 100644 index f0adc0bb52..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/aes_wrap.h +++ /dev/null @@ -1,71 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron, and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com, dkostic@amazon.com) - */ - -#pragma once - -#include "cleanup.h" -#include <openssl/evp.h> - -#define MAX_AES_INVOKATION (MASK(32)) - -#define AES256_KEY_SIZE (32U) -#define AES256_KEY_BITS (AES256_KEY_SIZE * 8) -#define AES256_BLOCK_SIZE (16U) -#define AES256_ROUNDS (14U) - -typedef ALIGN(16) struct aes256_key_s -{ - uint8_t raw[AES256_KEY_SIZE]; -} aes256_key_t; - -_INLINE_ void -aes256_key_cleanup(aes256_key_t *o) -{ - secure_clean(o->raw, sizeof(*o)); -} - -// Using OpenSSL structures -typedef EVP_CIPHER_CTX *aes256_ks_t; - -_INLINE_ ret_t -aes256_key_expansion(OUT aes256_ks_t *ks, IN const aes256_key_t *key) -{ - *ks = EVP_CIPHER_CTX_new(); - if(*ks == NULL) - { - BIKE_ERROR(EXTERNAL_LIB_ERROR_OPENSSL); - } - if(0 == EVP_EncryptInit_ex(*ks, EVP_aes_256_ecb(), NULL, key->raw, NULL)) - { - EVP_CIPHER_CTX_free(*ks); - *ks = NULL; - BIKE_ERROR(EXTERNAL_LIB_ERROR_OPENSSL); - } - - EVP_CIPHER_CTX_set_padding(*ks, 0); - - return SUCCESS; -} - -_INLINE_ ret_t -aes256_enc(OUT uint8_t *ct, IN const uint8_t *pt, IN const aes256_ks_t *ks) -{ - int outlen = 0; - if(0 == EVP_EncryptUpdate(*ks, ct, &outlen, pt, AES256_BLOCK_SIZE)) - { - BIKE_ERROR(EXTERNAL_LIB_ERROR_OPENSSL); - } - return SUCCESS; -} - -_INLINE_ void -aes256_free_ks(OUT aes256_ks_t *ks) -{ - EVP_CIPHER_CTX_free(*ks); - *ks = NULL; -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/bike_defs.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r2/bike_defs.h deleted file mode 100644 index 34a221462b..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/bike_defs.h +++ /dev/null @@ -1,107 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#pragma once - -#include "defs.h" - -#define LEVEL 1 - -//////////////////////////////////////////// -// BIKE Parameters -/////////////////////////////////////////// -#define N0 2 - -#ifndef LEVEL -# define LEVEL 1 -#endif - -#if(LEVEL == 3) -# ifdef INDCPA -# define R_BITS 19853 -# else -# define R_BITS 24821 -# endif -# define DV 103 -# define T1 199 - -# define THRESHOLD_COEFF0 15.932 -# define THRESHOLD_COEFF1 0.0052936 - -// The gfm code is optimized to a block size in this case: -# define BLOCK_SIZE 32768 -#elif(LEVEL == 1) -// 64-bits of post-quantum security parameters (BIKE paper): -# ifdef INDCPA -# define R_BITS 10163 -# else -# define R_BITS 11779 -# endif -# define DV 71 -# define T1 134 - -# define THRESHOLD_COEFF0 13.530 -# define THRESHOLD_COEFF1 0.0069721 - -// The gfm code is optimized to a block size in this case: -# define BLOCK_SIZE (16384) -#else -# error "Bad level, choose one of 1/3" -#endif - -#ifdef INDCPA -# define NUM_OF_SEEDS 2 -#else -# define NUM_OF_SEEDS 3 -#endif - -// Round the size to the nearest byte. -// SIZE suffix, is the number of bytes (uint8_t). -#define N_BITS (R_BITS * N0) -#define R_SIZE DIVIDE_AND_CEIL(R_BITS, 8) -#define R_QW DIVIDE_AND_CEIL(R_BITS, 8 * QW_SIZE) -#define R_YMM DIVIDE_AND_CEIL(R_BITS, 8 * YMM_SIZE) -#define R_ZMM DIVIDE_AND_CEIL(R_BITS, 8 * ZMM_SIZE) - -#define N_SIZE DIVIDE_AND_CEIL(N_BITS, 8) - -#define R_BLOCKS DIVIDE_AND_CEIL(R_BITS, BLOCK_SIZE) -#define R_PADDED (R_BLOCKS * BLOCK_SIZE) -#define R_PADDED_SIZE (R_PADDED / 8) -#define R_PADDED_QW (R_PADDED / 64) - -#define N_BLOCKS DIVIDE_AND_CEIL(N_BITS, BLOCK_SIZE) -#define N_PADDED (N_BLOCKS * BLOCK_SIZE) -#define N_PADDED_SIZE (N_PADDED / 8) -#define N_PADDED_QW (N_PADDED / 64) - -#define R_DDQWORDS_BITS (DIVIDE_AND_CEIL(R_BITS, ALL_YMM_SIZE) * ALL_YMM_SIZE) -bike_static_assert((R_BITS % ALL_YMM_SIZE != 0), rbits_512_err); - -#define N_DDQWORDS_BITS (R_DDQWORDS_BITS + R_BITS) -bike_static_assert((N_BITS % ALL_YMM_SIZE != 0), nbits_512_err); - -#define LAST_R_QW_LEAD (R_BITS & MASK(6)) -#define LAST_R_QW_TRAIL (64 - LAST_R_QW_LEAD) -#define LAST_R_QW_MASK MASK(LAST_R_QW_LEAD) - -#define LAST_R_BYTE_LEAD (R_BITS & MASK(3)) -#define LAST_R_BYTE_TRAIL (8 - LAST_R_BYTE_LEAD) -#define LAST_R_BYTE_MASK MASK(LAST_R_BYTE_LEAD) - -// BIKE auxiliary functions parameters: -#define ELL_K_BITS 256 -#define ELL_K_SIZE (ELL_K_BITS / 8) - -//////////////////////////////// -// Parameters for the BG decoder. -//////////////////////////////// -#define DELTA 3 -#define SLICES (LOG2_MSB(DV) + 1) - -#define BGF_DECODER diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/bike_r2_kem.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r2/bike_r2_kem.c deleted file mode 100644 index e7797848a0..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/bike_r2_kem.c +++ /dev/null @@ -1,379 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron, and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com, dkostic@amazon.com) - */ - -#include "decode.h" -#include "gf2x.h" -#include "sampling.h" -#include "sha.h" -#include "tls/s2n_kem.h" -#include "pq-crypto/s2n_pq.h" - -_INLINE_ void -split_e(OUT split_e_t *splitted_e, IN const e_t *e) -{ - // Copy lower bytes (e0) - memcpy(splitted_e->val[0].raw, e->raw, R_SIZE); - - // Now load second value - for(uint32_t i = R_SIZE; i < N_SIZE; ++i) - { - splitted_e->val[1].raw[i - R_SIZE] = - ((e->raw[i] << LAST_R_BYTE_TRAIL) | (e->raw[i - 1] >> LAST_R_BYTE_LEAD)); - } - - // Fix corner case - if(N_SIZE < (2ULL * R_SIZE)) - { - splitted_e->val[1].raw[R_SIZE - 1] = (e->raw[N_SIZE - 1] >> LAST_R_BYTE_LEAD); - } - - // Fix last value - splitted_e->val[0].raw[R_SIZE - 1] &= LAST_R_BYTE_MASK; - splitted_e->val[1].raw[R_SIZE - 1] &= LAST_R_BYTE_MASK; -} - -_INLINE_ void -translate_hash_to_ss(OUT ss_t *ss, IN sha_hash_t *hash) -{ - bike_static_assert(sizeof(*hash) >= sizeof(*ss), hash_size_lt_ss_size); - memcpy(ss->raw, hash->u.raw, sizeof(*ss)); -} - -_INLINE_ void -translate_hash_to_seed(OUT seed_t *seed, IN sha_hash_t *hash) -{ - bike_static_assert(sizeof(*hash) >= sizeof(*seed), hash_size_lt_seed_size); - memcpy(seed->raw, hash->u.raw, sizeof(*seed)); -} - -_INLINE_ ret_t -calc_pk(OUT pk_t *pk, IN const seed_t *g_seed, IN const pad_sk_t p_sk) -{ - // PK is dbl padded because modmul require some scratch space for the - // multiplication result - dbl_pad_pk_t p_pk = {0}; - - // Intialized padding to zero - DEFER_CLEANUP(padded_r_t g = {0}, padded_r_cleanup); - - POSIX_GUARD(sample_uniform_r_bits(&g.val, g_seed, MUST_BE_ODD)); - - // Calculate (g0, g1) = (g*h1, g*h0) - POSIX_GUARD(gf2x_mod_mul((uint64_t *)&p_pk[0], (const uint64_t *)&g, - (const uint64_t *)&p_sk[1])); - POSIX_GUARD(gf2x_mod_mul((uint64_t *)&p_pk[1], (const uint64_t *)&g, - (const uint64_t *)&p_sk[0])); - - // Copy the data to the output parameters. - pk->val[0] = p_pk[0].val; - pk->val[1] = p_pk[1].val; - - print("g: ", (const uint64_t *)g.val.raw, R_BITS); - print("g0: ", (const uint64_t *)&p_pk[0], R_BITS); - print("g1: ", (uint64_t *)&p_pk[1], R_BITS); - - return SUCCESS; -} - -// The function H is required by BIKE-1- Round 2 variant. It uses the -// extract-then-expand paradigm, based on SHA384 and AES256-CTR PRNG, to produce -// e from (m*f0, m*f1): -_INLINE_ ret_t -function_h(OUT split_e_t *splitted_e, IN const r_t *in0, IN const r_t *in1) -{ - DEFER_CLEANUP(generic_param_n_t tmp, generic_param_n_cleanup); - DEFER_CLEANUP(sha_hash_t hash_seed = {0}, sha_hash_cleanup); - DEFER_CLEANUP(seed_t seed_for_hash, seed_cleanup); - DEFER_CLEANUP(aes_ctr_prf_state_t prf_state = {0}, finalize_aes_ctr_prf); - - tmp.val[0] = *in0; - tmp.val[1] = *in1; - - // Hash (m*f0, m*f1) to generate a seed: - sha(&hash_seed, sizeof(tmp), (uint8_t *)&tmp); - - // Format the seed as a 32-bytes input: - translate_hash_to_seed(&seed_for_hash, &hash_seed); - - // Use the seed to generate a sparse error vector e: - DMSG(" Generating random error.\n"); - POSIX_GUARD(init_aes_ctr_prf_state(&prf_state, MAX_AES_INVOKATION, &seed_for_hash)); - - DEFER_CLEANUP(padded_e_t e, padded_e_cleanup); - DEFER_CLEANUP(ALIGN(8) compressed_idx_t_t dummy, compressed_idx_t_cleanup); - - POSIX_GUARD(generate_sparse_rep((uint64_t *)&e, dummy.val, T1, N_BITS, sizeof(e), - &prf_state)); - split_e(splitted_e, &e.val); - - return SUCCESS; -} - -_INLINE_ ret_t -encrypt(OUT ct_t *ct, OUT split_e_t *mf, IN const pk_t *pk, IN const seed_t *seed) -{ - DEFER_CLEANUP(padded_r_t m = {0}, padded_r_cleanup); - - DMSG(" Sampling m.\n"); - POSIX_GUARD(sample_uniform_r_bits(&m.val, seed, NO_RESTRICTION)); - - // Pad the public key - pad_pk_t p_pk = {0}; - p_pk[0].val = pk->val[0]; - p_pk[1].val = pk->val[1]; - - // Pad the ciphertext - pad_ct_t p_ct = {0}; - p_ct[0].val = ct->val[0]; - p_ct[1].val = ct->val[1]; - - DEFER_CLEANUP(dbl_pad_ct_t mf_int = {0}, dbl_pad_ct_cleanup); - - DMSG(" Computing m*f0 and m*f1.\n"); - POSIX_GUARD( - gf2x_mod_mul((uint64_t *)&mf_int[0], (uint64_t *)&m, (uint64_t *)&p_pk[0])); - POSIX_GUARD( - gf2x_mod_mul((uint64_t *)&mf_int[1], (uint64_t *)&m, (uint64_t *)&p_pk[1])); - - DEFER_CLEANUP(split_e_t splitted_e, split_e_cleanup); - - DMSG(" Computing the hash function e <- H(m*f0, m*f1).\n"); - POSIX_GUARD(function_h(&splitted_e, &mf_int[0].val, &mf_int[1].val)); - - DMSG(" Addding Error to the ciphertext.\n"); - POSIX_GUARD(gf2x_add(p_ct[0].val.raw, mf_int[0].val.raw, splitted_e.val[0].raw, - R_SIZE)); - POSIX_GUARD(gf2x_add(p_ct[1].val.raw, mf_int[1].val.raw, splitted_e.val[1].raw, - R_SIZE)); - - // Copy the data to the output parameters. - ct->val[0] = p_ct[0].val; - ct->val[1] = p_ct[1].val; - - // Copy the internal mf to the output parameters. - mf->val[0] = mf_int[0].val; - mf->val[1] = mf_int[1].val; - - print("e0: ", (uint64_t *)splitted_e.val[0].raw, R_BITS); - print("e1: ", (uint64_t *)splitted_e.val[1].raw, R_BITS); - print("c0: ", (uint64_t *)p_ct[0].val.raw, R_BITS); - print("c1: ", (uint64_t *)p_ct[1].val.raw, R_BITS); - - return SUCCESS; -} - -_INLINE_ ret_t -reencrypt(OUT pad_ct_t ce, - OUT split_e_t *e2, - IN const split_e_t *e, - IN const ct_t *l_ct) -{ - // Compute (c0 + e0') and (c1 + e1') - POSIX_GUARD(gf2x_add(ce[0].val.raw, l_ct->val[0].raw, e->val[0].raw, R_SIZE)); - POSIX_GUARD(gf2x_add(ce[1].val.raw, l_ct->val[1].raw, e->val[1].raw, R_SIZE)); - - // (e0'', e1'') <-- H(c0 + e0', c1 + e1') - POSIX_GUARD(function_h(e2, &ce[0].val, &ce[1].val)); - - return SUCCESS; -} - -// Generate the Shared Secret K(mf0, mf1, c) by either -// K(c0+e0', c1+e1', c) or K(sigma0, sigma1, c) -_INLINE_ void -get_ss(OUT ss_t *out, IN const r_t *in0, IN const r_t *in1, IN const ct_t *ct) -{ - DMSG(" Enter get_ss.\n"); - - uint8_t tmp[4 * R_SIZE]; - memcpy(tmp, in0->raw, R_SIZE); - memcpy(tmp + R_SIZE, in1->raw, R_SIZE); - memcpy(tmp + 2 * R_SIZE, ct, sizeof(*ct)); - - // Calculate the hash digest - DEFER_CLEANUP(sha_hash_t hash = {0}, sha_hash_cleanup); - sha(&hash, sizeof(tmp), tmp); - - // Truncate the resulting digest, to produce the key K, by copying only the - // desired number of LSBs. - translate_hash_to_ss(out, &hash); - - secure_clean(tmp, sizeof(tmp)); - DMSG(" Exit get_ss.\n"); -} -//////////////////////////////////////////////////////////////////////////////// -// The three APIs below (keypair, encapsulate, decapsulate) are defined by NIST: -//////////////////////////////////////////////////////////////////////////////// -int -BIKE1_L1_R2_crypto_kem_keypair(OUT unsigned char *pk, OUT unsigned char *sk) -{ - POSIX_ENSURE(s2n_pq_is_enabled(), S2N_ERR_PQ_DISABLED); - - POSIX_ENSURE_REF(sk); - POSIX_ENSURE_REF(pk); - - // Convert to this implementation types - pk_t *l_pk = (pk_t *)pk; - DEFER_CLEANUP(ALIGN(8) sk_t l_sk = {0}, sk_cleanup); - - // For DRBG and AES_PRF - DEFER_CLEANUP(seeds_t seeds = {0}, seeds_cleanup); - DEFER_CLEANUP(aes_ctr_prf_state_t h_prf_state = {0}, aes_ctr_prf_state_cleanup); - - // For sigma0/1/2 - DEFER_CLEANUP(aes_ctr_prf_state_t s_prf_state = {0}, aes_ctr_prf_state_cleanup); - - // Padded for internal use only (the padded data is not released). - DEFER_CLEANUP(pad_sk_t p_sk = {0}, pad_sk_cleanup); - - // Get the entropy seeds. - POSIX_GUARD(get_seeds(&seeds)); - - DMSG(" Enter crypto_kem_keypair.\n"); - DMSG(" Calculating the secret key.\n"); - - // h0 and h1 use the same context - POSIX_GUARD(init_aes_ctr_prf_state(&h_prf_state, MAX_AES_INVOKATION, &seeds.seed[0])); - - // sigma0/1/2 use the same context. - POSIX_GUARD(init_aes_ctr_prf_state(&s_prf_state, MAX_AES_INVOKATION, &seeds.seed[2])); - - POSIX_GUARD(generate_sparse_rep((uint64_t *)&p_sk[0], l_sk.wlist[0].val, DV, R_BITS, - sizeof(p_sk[0]), &h_prf_state)); - - // Sample the sigmas - POSIX_GUARD(sample_uniform_r_bits_with_fixed_prf_context(&l_sk.sigma0, &s_prf_state, - NO_RESTRICTION)); - POSIX_GUARD(sample_uniform_r_bits_with_fixed_prf_context(&l_sk.sigma1, &s_prf_state, - NO_RESTRICTION)); - - POSIX_GUARD(generate_sparse_rep((uint64_t *)&p_sk[1], l_sk.wlist[1].val, DV, R_BITS, - sizeof(p_sk[1]), &h_prf_state)); - - // Copy data - l_sk.bin[0] = p_sk[0].val; - l_sk.bin[1] = p_sk[1].val; - - DMSG(" Calculating the public key.\n"); - - POSIX_GUARD(calc_pk(l_pk, &seeds.seed[1], p_sk)); - - memcpy(sk, &l_sk, sizeof(l_sk)); - - print("h0: ", (uint64_t *)&l_sk.bin[0], R_BITS); - print("h1: ", (uint64_t *)&l_sk.bin[1], R_BITS); - print("h0c:", (uint64_t *)&l_sk.wlist[0], SIZEOF_BITS(compressed_idx_dv_t)); - print("h1c:", (uint64_t *)&l_sk.wlist[1], SIZEOF_BITS(compressed_idx_dv_t)); - print("sigma0: ", (uint64_t *)l_sk.sigma0.raw, R_BITS); - print("sigma1: ", (uint64_t *)l_sk.sigma1.raw, R_BITS); - - DMSG(" Exit crypto_kem_keypair.\n"); - - return SUCCESS; -} - -// Encapsulate - pk is the public key, -// ct is a key encapsulation message (ciphertext), -// ss is the shared secret. -int -BIKE1_L1_R2_crypto_kem_enc(OUT unsigned char * ct, - OUT unsigned char * ss, - IN const unsigned char *pk) -{ - DMSG(" Enter crypto_kem_enc.\n"); - POSIX_ENSURE(s2n_pq_is_enabled(), S2N_ERR_PQ_DISABLED); - - // Convert to the types that are used by this implementation - const pk_t *l_pk = (const pk_t *)pk; - ct_t * l_ct = (ct_t *)ct; - ss_t * l_ss = (ss_t *)ss; - - POSIX_ENSURE_REF(pk); - POSIX_ENSURE_REF(ct); - POSIX_ENSURE_REF(ss); - - // For NIST DRBG_CTR - DEFER_CLEANUP(seeds_t seeds = {0}, seeds_cleanup); - - // Get the entropy seeds. - POSIX_GUARD(get_seeds(&seeds)); - - DMSG(" Encrypting.\n"); - // In fact, seed[0] should be used. - // Here, we stay consistent with BIKE's reference code - // that chooses the seconde seed. - DEFER_CLEANUP(split_e_t mf, split_e_cleanup); - POSIX_GUARD(encrypt(l_ct, &mf, l_pk, &seeds.seed[1])); - - DMSG(" Generating shared secret.\n"); - get_ss(l_ss, &mf.val[0], &mf.val[1], l_ct); - - print("ss: ", (uint64_t *)l_ss->raw, SIZEOF_BITS(*l_ss)); - DMSG(" Exit crypto_kem_enc.\n"); - return SUCCESS; -} - -// Decapsulate - ct is a key encapsulation message (ciphertext), -// sk is the private key, -// ss is the shared secret -int -BIKE1_L1_R2_crypto_kem_dec(OUT unsigned char * ss, - IN const unsigned char *ct, - IN const unsigned char *sk) -{ - DMSG(" Enter crypto_kem_dec.\n"); - POSIX_ENSURE(s2n_pq_is_enabled(), S2N_ERR_PQ_DISABLED); - - // Convert to the types used by this implementation - const ct_t *l_ct = (const ct_t *)ct; - ss_t * l_ss = (ss_t *)ss; - POSIX_ENSURE_REF(sk); - POSIX_ENSURE_REF(ct); - POSIX_ENSURE_REF(ss); - - DEFER_CLEANUP(ALIGN(8) sk_t l_sk, sk_cleanup); - memcpy(&l_sk, sk, sizeof(l_sk)); - - // Force zero initialization. - DEFER_CLEANUP(syndrome_t syndrome = {0}, syndrome_cleanup); - DEFER_CLEANUP(split_e_t e, split_e_cleanup); - - DMSG(" Computing s.\n"); - POSIX_GUARD(compute_syndrome(&syndrome, l_ct, &l_sk)); - - DMSG(" Decoding.\n"); - uint32_t dec_ret = decode(&e, &syndrome, l_ct, &l_sk) != SUCCESS ? 0 : 1; - - DEFER_CLEANUP(split_e_t e2, split_e_cleanup); - DEFER_CLEANUP(pad_ct_t ce, pad_ct_cleanup); - POSIX_GUARD(reencrypt(ce, &e2, &e, l_ct)); - - // Check if the decoding is successful. - // Check if the error weight equals T1. - // Check if (e0', e1') == (e0'', e1''). - volatile uint32_t success_cond; - success_cond = dec_ret; - success_cond &= secure_cmp32(T1, r_bits_vector_weight(&e.val[0]) + - r_bits_vector_weight(&e.val[1])); - success_cond &= secure_cmp((uint8_t *)&e, (uint8_t *)&e2, sizeof(e)); - - ss_t ss_succ = {0}; - ss_t ss_fail = {0}; - - get_ss(&ss_succ, &ce[0].val, &ce[1].val, l_ct); - get_ss(&ss_fail, &l_sk.sigma0, &l_sk.sigma1, l_ct); - - uint8_t mask = ~secure_l32_mask(0, success_cond); - for(uint32_t i = 0; i < sizeof(*l_ss); i++) - { - l_ss->raw[i] = (mask & ss_succ.raw[i]) | (~mask & ss_fail.raw[i]); - } - - DMSG(" Exit crypto_kem_dec.\n"); - return SUCCESS; -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/cleanup.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r2/cleanup.h deleted file mode 100644 index 6bacfaa45a..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/cleanup.h +++ /dev/null @@ -1,131 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#pragma once -#include "types.h" -#include "utils/s2n_safety.h" - -_INLINE_ void -secure_clean(OUT uint8_t *p, IN const uint32_t len) -{ -#ifdef _WIN32 - SecureZeroMemory(p, len); -#else - typedef void *(*memset_t)(void *, int, size_t); - static volatile memset_t memset_func = memset; - memset_func(p, 0, len); -#endif -} - -_INLINE_ void -r_cleanup(IN OUT r_t *o) -{ - secure_clean((uint8_t *)o, sizeof(*o)); -} - -_INLINE_ void -e_cleanup(IN OUT e_t *o) -{ - secure_clean((uint8_t *)o, sizeof(*o)); -} - -_INLINE_ void -padded_r_cleanup(IN OUT padded_r_t *o) -{ - secure_clean((uint8_t *)o, sizeof(*o)); -} - -_INLINE_ void -padded_e_cleanup(IN OUT padded_e_t *o) -{ - secure_clean((uint8_t *)o, sizeof(*o)); -} - -_INLINE_ void -split_e_cleanup(IN OUT split_e_t *o) -{ - secure_clean((uint8_t *)o, sizeof(*o)); -} - -_INLINE_ void -sk_cleanup(IN OUT sk_t *o) -{ - secure_clean((uint8_t *)o, sizeof(*o)); -} - -_INLINE_ void -pad_sk_cleanup(IN OUT pad_sk_t *o) -{ - secure_clean((uint8_t *)o[0], sizeof(*o)); -} - -_INLINE_ void -pad_ct_cleanup(IN OUT pad_ct_t *o) -{ - secure_clean((uint8_t *)o[0], sizeof(*o)); -} - -_INLINE_ void -dbl_pad_ct_cleanup(IN OUT dbl_pad_ct_t *o) -{ - secure_clean((uint8_t *)o[0], sizeof(*o)); -} - -_INLINE_ void -seed_cleanup(IN OUT seed_t *o) -{ - secure_clean((uint8_t *)o, sizeof(*o)); -} - -_INLINE_ void -syndrome_cleanup(IN OUT syndrome_t *o) -{ - secure_clean((uint8_t *)o, sizeof(*o)); -} - -_INLINE_ void -dbl_pad_syndrome_cleanup(IN OUT dbl_pad_syndrome_t *o) -{ - secure_clean((uint8_t *)o[0], sizeof(*o)); -} - -_INLINE_ void -compressed_idx_t_cleanup(IN OUT compressed_idx_t_t *o) -{ - secure_clean((uint8_t *)o, sizeof(*o)); -} - -_INLINE_ void -compressed_idx_dv_ar_cleanup(IN OUT compressed_idx_dv_ar_t *o) -{ - for(int i = 0; i < N0; i++) - { - secure_clean((uint8_t *)&(*o)[i], sizeof((*o)[0])); - } -} - -_INLINE_ void -generic_param_n_cleanup(IN OUT generic_param_n_t *o) -{ - secure_clean((uint8_t *)o, sizeof(*o)); -} - -_INLINE_ void -seeds_cleanup(IN OUT seeds_t *o) -{ - for(int i = 0; i < NUM_OF_SEEDS; i++) - { - seed_cleanup(&(o->seed[i])); - } -} - -_INLINE_ void -upc_cleanup(IN OUT upc_t *o) -{ - secure_clean((uint8_t *)o, sizeof(*o)); -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/decode.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r2/decode.c deleted file mode 100644 index b455cd7e82..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/decode.c +++ /dev/null @@ -1,365 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron, and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com, dkostic@amazon.com) - * - * [1] The optimizations are based on the description developed in the paper: - * Drucker, Nir, and Shay Gueron. 2019. “A Toolbox for Software Optimization - * of QC-MDPC Code-Based Cryptosystems.” Journal of Cryptographic Engineering, - * January, 1–17. https://doi.org/10.1007/s13389-018-00200-4. - * - * [2] The decoder algorithm is the Black-Gray decoder in - * the early submission of CAKE (due to N. Sandrier and R Misoczki). - * - * [3] The analysis for the constant time implementation is given in - * Drucker, Nir, Shay Gueron, and Dusan Kostic. 2019. - * “On Constant-Time QC-MDPC Decoding with Negligible Failure Rate.” - * Cryptology EPrint Archive, 2019. https://eprint.iacr.org/2019/1289. - * - * [4] it was adapted to BGF in: - * Drucker, Nir, Shay Gueron, and Dusan Kostic. 2019. - * “QC-MDPC decoders with several shades of gray.” - * Cryptology EPrint Archive, 2019. To be published. - * - * [5] Chou, T.: QcBits: Constant-Time Small-Key Code-Based Cryptography. - * In: Gier-lichs, B., Poschmann, A.Y. (eds.) Cryptographic Hardware - * and Embedded Systems– CHES 2016. pp. 280–300. Springer Berlin Heidelberg, - * Berlin, Heidelberg (2016) - * - * [6] The rotate512_small funciton is a derivative of the code described in: - * Guimarães, Antonio, Diego F Aranha, and Edson Borin. 2019. - * “Optimized Implementation of QC-MDPC Code-Based Cryptography.” - * Concurrency and Computation: Practice and Experience 31 (18): - * e5089. https://doi.org/10.1002/cpe.5089. - */ - -#include "decode.h" -#include "gf2x.h" -#include "utilities.h" -#include <string.h> - -// Decoding (bit-flipping) parameter -#ifdef BG_DECODER -# if(LEVEL == 1) -# define MAX_IT 3 -# elif(LEVEL == 3) -# define MAX_IT 4 -# elif(LEVEL == 5) -# define MAX_IT 7 -# else -# error "Level can only be 1/3/5" -# endif -#elif defined(BGF_DECODER) -# if(LEVEL == 1) -# define MAX_IT 5 -# elif(LEVEL == 3) -# define MAX_IT 6 -# elif(LEVEL == 5) -# define MAX_IT 7 -# else -# error "Level can only be 1/3/5" -# endif -#endif - -// Duplicates the first R_BITS of the syndrome three times -// |------------------------------------------| -// | Third copy | Second copy | first R_BITS | -// |------------------------------------------| -// This is required by the rotate functions. -_INLINE_ void -dup(IN OUT syndrome_t *s) -{ - s->qw[R_QW - 1] = - (s->qw[0] << LAST_R_QW_LEAD) | (s->qw[R_QW - 1] & LAST_R_QW_MASK); - - for(size_t i = 0; i < (2 * R_QW) - 1; i++) - { - s->qw[R_QW + i] = - (s->qw[i] >> LAST_R_QW_TRAIL) | (s->qw[i + 1] << LAST_R_QW_LEAD); - } -} - -ret_t -compute_syndrome(OUT syndrome_t *syndrome, IN const ct_t *ct, IN const sk_t *sk) -{ - // gf2x_mod_mul requires the values to be 64bit padded and extra (dbl) space - // for the results - DEFER_CLEANUP(dbl_pad_syndrome_t pad_s, dbl_pad_syndrome_cleanup); - DEFER_CLEANUP(pad_sk_t pad_sk = {0}, pad_sk_cleanup); - pad_sk[0].val = sk->bin[0]; - pad_sk[1].val = sk->bin[1]; - - DEFER_CLEANUP(pad_ct_t pad_ct = {0}, pad_ct_cleanup); - pad_ct[0].val = ct->val[0]; - pad_ct[1].val = ct->val[1]; - - // Compute s = c0*h0 + c1*h1: - POSIX_GUARD(gf2x_mod_mul((uint64_t *)&pad_s[0], (uint64_t *)&pad_ct[0], - (uint64_t *)&pad_sk[0])); - POSIX_GUARD(gf2x_mod_mul((uint64_t *)&pad_s[1], (uint64_t *)&pad_ct[1], - (uint64_t *)&pad_sk[1])); - - POSIX_GUARD(gf2x_add(pad_s[0].val.raw, pad_s[0].val.raw, pad_s[1].val.raw, R_SIZE)); - - memcpy((uint8_t *)syndrome->qw, pad_s[0].val.raw, R_SIZE); - dup(syndrome); - - return SUCCESS; -} - -_INLINE_ ret_t -recompute_syndrome(OUT syndrome_t *syndrome, - IN const ct_t *ct, - IN const sk_t *sk, - IN const split_e_t *splitted_e) -{ - ct_t tmp_ct = *ct; - - // Adapt the ciphertext - POSIX_GUARD(gf2x_add(tmp_ct.val[0].raw, tmp_ct.val[0].raw, splitted_e->val[0].raw, - R_SIZE)); - POSIX_GUARD(gf2x_add(tmp_ct.val[1].raw, tmp_ct.val[1].raw, splitted_e->val[1].raw, - R_SIZE)); - - // Recompute the syndrome - POSIX_GUARD(compute_syndrome(syndrome, &tmp_ct, sk)); - - return SUCCESS; -} - -_INLINE_ uint8_t -get_threshold(IN const syndrome_t *s) -{ - bike_static_assert(sizeof(*s) >= sizeof(r_t), syndrome_is_large_enough); - - const uint32_t syndrome_weight = r_bits_vector_weight((const r_t *)s->qw); - - // The equations below are defined in BIKE's specification: - // https://bikesuite.org/files/round2/spec/BIKE-Spec-Round2.2019.03.30.pdf - // Page 20 Section 2.4.2 - const uint8_t threshold = - THRESHOLD_COEFF0 + (THRESHOLD_COEFF1 * syndrome_weight); - - DMSG(" Thresold: %d\n", threshold); - return threshold; -} - -// Use half-adder as described in [5]. -_INLINE_ void -bit_sliced_adder(OUT upc_t *upc, - IN OUT syndrome_t *rotated_syndrome, - IN const size_t num_of_slices) -{ - // From cache-memory perspective this loop should be the outside loop - for(size_t j = 0; j < num_of_slices; j++) - { - for(size_t i = 0; i < R_QW; i++) - { - const uint64_t carry = (upc->slice[j].u.qw[i] & rotated_syndrome->qw[i]); - upc->slice[j].u.qw[i] ^= rotated_syndrome->qw[i]; - rotated_syndrome->qw[i] = carry; - } - } -} - -_INLINE_ void -bit_slice_full_subtract(OUT upc_t *upc, IN uint8_t val) -{ - // Borrow - uint64_t br[R_QW] = {0}; - - for(size_t j = 0; j < SLICES; j++) - { - - const uint64_t lsb_mask = 0 - (val & 0x1); - val >>= 1; - - // Perform a - b with c as the input/output carry - // br = 0 0 0 0 1 1 1 1 - // a = 0 0 1 1 0 0 1 1 - // b = 0 1 0 1 0 1 0 1 - // ------------------- - // o = 0 1 1 0 0 1 1 1 - // c = 0 1 0 0 1 1 0 1 - // - // o = a^b^c - // _ __ _ _ _ _ _ - // br = abc + abc + abc + abc = abc + ((a+b))c - - for(size_t i = 0; i < R_QW; i++) - { - const uint64_t a = upc->slice[j].u.qw[i]; - const uint64_t b = lsb_mask; - const uint64_t tmp = ((~a) & b & (~br[i])) | ((((~a) | b) & br[i])); - upc->slice[j].u.qw[i] = a ^ b ^ br[i]; - br[i] = tmp; - } - } -} - -// Calculate the Unsatisfied Parity Checks (UPCs) and update the errors -// vector (e) accordingy. In addition, update the black and gray errors vector -// with the relevant values. -_INLINE_ void -find_err1(OUT split_e_t *e, - OUT split_e_t *black_e, - OUT split_e_t *gray_e, - IN const syndrome_t * syndrome, - IN const compressed_idx_dv_ar_t wlist, - IN const uint8_t threshold) -{ - // This function uses the bit-slice-adder methodology of [5]: - DEFER_CLEANUP(syndrome_t rotated_syndrome = {0}, syndrome_cleanup); - DEFER_CLEANUP(upc_t upc, upc_cleanup); - - for(uint32_t i = 0; i < N0; i++) - { - // UPC must start from zero at every iteration - memset(&upc, 0, sizeof(upc)); - - // 1) Right-rotate the syndrome for every secret key set bit index - // Then slice-add it to the UPC array. - for(size_t j = 0; j < DV; j++) - { - rotate_right(&rotated_syndrome, syndrome, wlist[i].val[j]); - bit_sliced_adder(&upc, &rotated_syndrome, LOG2_MSB(j + 1)); - } - - // 2) Subtract the threshold from the UPC counters - bit_slice_full_subtract(&upc, threshold); - - // 3) Update the errors and the black errors vectors. - // The last slice of the UPC array holds the MSB of the accumulated values - // minus the threshold. Every zero bit indicates a potential error bit. - // The errors values are stored in the black array and xored with the - // errors Of the previous iteration. - const r_t *last_slice = &(upc.slice[SLICES - 1].u.r.val); - for(size_t j = 0; j < R_SIZE; j++) - { - const uint8_t sum_msb = (~last_slice->raw[j]); - black_e->val[i].raw[j] = sum_msb; - e->val[i].raw[j] ^= sum_msb; - } - - // Ensure that the padding bits (upper bits of the last byte) are zero so - // they will not be included in the multiplication and in the hash function. - e->val[i].raw[R_SIZE - 1] &= LAST_R_BYTE_MASK; - - // 4) Calculate the gray error array by adding "DELTA" to the UPC array. - // For that we reuse the rotated_syndrome variable setting it to all "1". - for(size_t l = 0; l < DELTA; l++) - { - memset((uint8_t *)rotated_syndrome.qw, 0xff, R_SIZE); - bit_sliced_adder(&upc, &rotated_syndrome, SLICES); - } - - // 5) Update the gray list with the relevant bits that are not - // set in the black list. - for(size_t j = 0; j < R_SIZE; j++) - { - const uint8_t sum_msb = (~last_slice->raw[j]); - gray_e->val[i].raw[j] = (~(black_e->val[i].raw[j])) & sum_msb; - } - } -} - -// Recalculate the UPCs and update the errors vector (e) according to it -// and to the black/gray vectors. -_INLINE_ void -find_err2(OUT split_e_t *e, - IN split_e_t *pos_e, - IN const syndrome_t * syndrome, - IN const compressed_idx_dv_ar_t wlist, - IN const uint8_t threshold) -{ - DEFER_CLEANUP(syndrome_t rotated_syndrome = {0}, syndrome_cleanup); - DEFER_CLEANUP(upc_t upc, upc_cleanup); - - for(uint32_t i = 0; i < N0; i++) - { - // UPC must start from zero at every iteration - memset(&upc, 0, sizeof(upc)); - - // 1) Right-rotate the syndrome for every secret key set bit index - // Then slice-add it to the UPC array. - for(size_t j = 0; j < DV; j++) - { - rotate_right(&rotated_syndrome, syndrome, wlist[i].val[j]); - bit_sliced_adder(&upc, &rotated_syndrome, LOG2_MSB(j + 1)); - } - - // 2) Subtract the threshold from the UPC counters - bit_slice_full_subtract(&upc, threshold); - - // 3) Update the errors vector. - // The last slice of the UPC array holds the MSB of the accumulated values - // minus the threshold. Every zero bit indicates a potential error bit. - const r_t *last_slice = &(upc.slice[SLICES - 1].u.r.val); - for(size_t j = 0; j < R_SIZE; j++) - { - const uint8_t sum_msb = (~last_slice->raw[j]); - e->val[i].raw[j] ^= (pos_e->val[i].raw[j] & sum_msb); - } - - // Ensure that the padding bits (upper bits of the last byte) are zero so - // they will not be included in the multiplication and in the hash function. - e->val[i].raw[R_SIZE - 1] &= LAST_R_BYTE_MASK; - } -} - -ret_t -decode(OUT split_e_t *e, - IN const syndrome_t *original_s, - IN const ct_t *ct, - IN const sk_t *sk) -{ - split_e_t black_e = {0}; - split_e_t gray_e = {0}; - syndrome_t s; - - // Reset (init) the error because it is xored in the find_err funcitons. - memset(e, 0, sizeof(*e)); - s = *original_s; - dup(&s); - - for(uint32_t iter = 0; iter < MAX_IT; iter++) - { - const uint8_t threshold = get_threshold(&s); - - DMSG(" Iteration: %d\n", iter); - DMSG(" Weight of e: %lu\n", - r_bits_vector_weight(&e->val[0]) + r_bits_vector_weight(&e->val[1])); - DMSG(" Weight of syndrome: %lu\n", r_bits_vector_weight((r_t *)s.qw)); - - find_err1(e, &black_e, &gray_e, &s, sk->wlist, threshold); - POSIX_GUARD(recompute_syndrome(&s, ct, sk, e)); -#ifdef BGF_DECODER - if(iter >= 1) - { - continue; - } -#endif - DMSG(" Weight of e: %lu\n", - r_bits_vector_weight(&e->val[0]) + r_bits_vector_weight(&e->val[1])); - DMSG(" Weight of syndrome: %lu\n", r_bits_vector_weight((r_t *)s.qw)); - - find_err2(e, &black_e, &s, sk->wlist, ((DV + 1) / 2) + 1); - POSIX_GUARD(recompute_syndrome(&s, ct, sk, e)); - - DMSG(" Weight of e: %lu\n", - r_bits_vector_weight(&e->val[0]) + r_bits_vector_weight(&e->val[1])); - DMSG(" Weight of syndrome: %lu\n", r_bits_vector_weight((r_t *)s.qw)); - - find_err2(e, &gray_e, &s, sk->wlist, ((DV + 1) / 2) + 1); - POSIX_GUARD(recompute_syndrome(&s, ct, sk, e)); - } - - if(r_bits_vector_weight((r_t *)s.qw) > 0) - { - BIKE_ERROR(E_DECODING_FAILURE); - } - - return SUCCESS; -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/decode.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r2/decode.h deleted file mode 100644 index d8809fd829..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/decode.h +++ /dev/null @@ -1,28 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#pragma once - -#include "types.h" - -ret_t -compute_syndrome(OUT syndrome_t *syndrome, IN const ct_t *ct, IN const sk_t *sk); - -// e should be zeroed before calling the decoder. -ret_t -decode(OUT split_e_t *e, - IN const syndrome_t *s, - IN const ct_t *ct, - IN const sk_t *sk); - -// Rotate right the first R_BITS of a syndrome. -// Assumption: the syndrome contains three R_BITS duplications. -// The output syndrome contains only one R_BITS rotation, the other -// (2 * R_BITS) bits are undefined. -void -rotate_right(OUT syndrome_t *out, IN const syndrome_t *in, IN uint32_t bitscount); diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/defs.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r2/defs.h deleted file mode 100644 index 0b74bb1131..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/defs.h +++ /dev/null @@ -1,144 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#pragma once - -//////////////////////////////////////////// -// Basic defs -/////////////////////////////////////////// -#define FUNC_PREFIX BIKE1_L1_R2 -#include "functions_renaming.h" - -#ifdef __cplusplus -# define EXTERNC extern "C" -#else -# define EXTERNC -#endif - -// For code clarity. -#define IN -#define OUT - -#define ALIGN(n) __attribute__((aligned(n))) -#define BIKE_UNUSED(x) (void)(x) -#define BIKE_UNUSED_ATT __attribute__((unused)) - -#define _INLINE_ static inline - -// In asm the symbols '==' and '?' are not allowed therefore if using -// divide_and_ceil in asm files we must ensure with static_assert its validity -#if(__cplusplus >= 201103L) || defined(static_assert) -# define bike_static_assert(COND, MSG) static_assert(COND, "MSG") -#else -# define bike_static_assert(COND, MSG) \ - typedef char static_assertion_##MSG[(COND) ? 1 : -1] BIKE_UNUSED_ATT -#endif - -// Divide by the divider and round up to next integer -#define DIVIDE_AND_CEIL(x, divider) (((x) + (divider)) / (divider)) - -#define BIT(len) (1ULL << (len)) - -#define MASK(len) (BIT(len) - 1) -#define SIZEOF_BITS(b) (sizeof(b) * 8) - -#define QW_SIZE 0x8 -#define XMM_SIZE 0x10 -#define YMM_SIZE 0x20 -#define ZMM_SIZE 0x40 - -#define ALL_YMM_SIZE (16 * YMM_SIZE) -#define ALL_ZMM_SIZE (32 * ZMM_SIZE) - -// Copied from (Kaz answer) -// https://stackoverflow.com/questions/466204/rounding-up-to-next-power-of-2 -#define UPTOPOW2_0(v) ((v)-1) -#define UPTOPOW2_1(v) (UPTOPOW2_0(v) | (UPTOPOW2_0(v) >> 1)) -#define UPTOPOW2_2(v) (UPTOPOW2_1(v) | (UPTOPOW2_1(v) >> 2)) -#define UPTOPOW2_3(v) (UPTOPOW2_2(v) | (UPTOPOW2_2(v) >> 4)) -#define UPTOPOW2_4(v) (UPTOPOW2_3(v) | (UPTOPOW2_3(v) >> 8)) -#define UPTOPOW2_5(v) (UPTOPOW2_4(v) | (UPTOPOW2_4(v) >> 16)) - -#define UPTOPOW2(v) (UPTOPOW2_5(v) + 1) - -// Works only for 0 < v < 512 -#define LOG2_MSB(v) \ - ((v) == 0 \ - ? 0 \ - : ((v) < 2 \ - ? 1 \ - : ((v) < 4 \ - ? 2 \ - : ((v) < 8 \ - ? 3 \ - : ((v) < 16 \ - ? 4 \ - : ((v) < 32 \ - ? 5 \ - : ((v) < 64 ? 6 \ - : ((v) < 128 \ - ? 7 \ - : ((v) < 256 \ - ? 8 \ - : 9))))))))) - -//////////////////////////////////////////// -// Debug -/////////////////////////////////////////// - -#ifndef VERBOSE -# define VERBOSE 0 -#endif - -#include <stdio.h> - -#if(VERBOSE == 4) -# define MSG(...) \ - { \ - printf(__VA_ARGS__); \ - } -# define DMSG(...) MSG(__VA_ARGS__) -# define EDMSG(...) MSG(__VA_ARGS__) -# define SEDMSG(...) MSG(__VA_ARGS__) -#elif(VERBOSE == 3) -# define MSG(...) \ - { \ - printf(__VA_ARGS__); \ - } -# define DMSG(...) MSG(__VA_ARGS__) -# define EDMSG(...) MSG(__VA_ARGS__) -# define SEDMSG(...) -#elif(VERBOSE == 2) -# define MSG(...) \ - { \ - printf(__VA_ARGS__); \ - } -# define DMSG(...) MSG(__VA_ARGS__) -# define EDMSG(...) -# define SEDMSG(...) -#elif(VERBOSE == 1) -# define MSG(...) \ - { \ - printf(__VA_ARGS__); \ - } -# define DMSG(...) -# define EDMSG(...) -# define SEDMSG(...) -#else -# define MSG(...) -# define DMSG(...) -# define EDMSG(...) -# define SEDMSG(...) -#endif - -//////////////////////////////////////////// -// Printing -/////////////////////////////////////////// -//#define PRINT_IN_BE -//#define NO_SPACE -//#define NO_NEWLINE diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/error.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r2/error.c deleted file mode 100644 index b048fc06a2..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/error.c +++ /dev/null @@ -1,11 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#include "error.h" - -__thread _bike_err_t bike_errno; diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/error.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r2/error.h deleted file mode 100644 index eac4e2daee..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/error.h +++ /dev/null @@ -1,36 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#pragma once - -#include "defs.h" - -#define SUCCESS 0 -#define FAIL (-1) - -#define ret_t int - -enum _bike_err -{ - E_ERROR_WEIGHT_IS_NOT_T = 1, - E_DECODING_FAILURE = 2, - E_AES_CTR_PRF_INIT_FAIL = 3, - E_AES_OVER_USED = 4, - EXTERNAL_LIB_ERROR_OPENSSL = 5, - E_FAIL_TO_GET_SEED = 6 -}; - -typedef enum _bike_err _bike_err_t; - -extern __thread _bike_err_t bike_errno; -#define BIKE_ERROR(x) \ - do \ - { \ - bike_errno = (x); \ - return FAIL; \ - } while(0) diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/functions_renaming.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r2/functions_renaming.h deleted file mode 100644 index f11aa90e14..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/functions_renaming.h +++ /dev/null @@ -1,60 +0,0 @@ -/* - * Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved. - * - * Licensed under the Apache License, Version 2.0 (the "License"). - * You may not use this file except in compliance with the License. - * A copy of the License is located at - * - * http://aws.amazon.com/apache2.0 - * - * or in the "license" file accompanying this file. This file is distributed - * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either - * express or implied. See the License for the specific language governing - * permissions and limitations under the License. - * The license is detailed in the file LICENSE.md, and applies to this file. - * - * Written by Nir Drucker and Shay Gueron - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#ifndef __FUNCTIONS_RENAMING_H_INCLUDED__ -#define __FUNCTIONS_RENAMING_H_INCLUDED__ - -#define PASTER(x, y) x##_##y -#define EVALUATOR(x, y) PASTER(x, y) -#define RENAME_FUNC_NAME(fname) EVALUATOR(FUNC_PREFIX, fname) - -#define keypair RENAME_FUNC_NAME(keypair) -#define decaps RENAME_FUNC_NAME(decaps) -#define encaps RENAME_FUNC_NAME(encaps) - -#define aes_ctr_prf RENAME_FUNC_NAME(aes_ctr_prf) -#define sample_uniform_r_bits_with_fixed_prf_context \ - RENAME_FUNC_NAME(sample_uniform_r_bits_with_fixed_prf_context) -#define init_aes_ctr_prf_state RENAME_FUNC_NAME(init_aes_ctr_prf_state) -#define generate_sparse_rep RENAME_FUNC_NAME(generate_sparse_rep) -#define parallel_hash RENAME_FUNC_NAME(parallel_hash) -#define decode RENAME_FUNC_NAME(decode) -#define print_BE RENAME_FUNC_NAME(print_BE) -#define print_LE RENAME_FUNC_NAME(print_LE) -#define gf2x_mod_mul RENAME_FUNC_NAME(gf2x_mod_mul) -#define secure_set_bits RENAME_FUNC_NAME(secure_set_bits) -#define sha RENAME_FUNC_NAME(sha) -#define count_ones RENAME_FUNC_NAME(count_ones) -#define sha_mb RENAME_FUNC_NAME(sha_mb) -#define split_e RENAME_FUNC_NAME(split_e) -#define compute_syndrome RENAME_FUNC_NAME(compute_syndrome) -#define bike_errno RENAME_FUNC_NAME(bike_errno) -#define cyclic_product RENAME_FUNC_NAME(cyclic_product) -#define ossl_add RENAME_FUNC_NAME(ossl_add) -#define karatzuba_add1 RENAME_FUNC_NAME(karatzuba_add1) -#define karatzuba_add2 RENAME_FUNC_NAME(karatzuba_add2) -#define gf2x_add RENAME_FUNC_NAME(gf2x_add) -#define gf2_muladd_4x4 RENAME_FUNC_NAME(gf2_muladd_4x4) -#define red RENAME_FUNC_NAME(red) -#define gf2x_mul_1x1 RENAME_FUNC_NAME(gf2x_mul_1x1) -#define rotate_right RENAME_FUNC_NAME(rotate_right) -#define r_bits_vector_weight RENAME_FUNC_NAME(r_bits_vector_weight) - -#endif //__FUNCTIONS_RENAMING_H_INCLUDED__ diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/gf2x.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r2/gf2x.h deleted file mode 100644 index 2de0050ff6..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/gf2x.h +++ /dev/null @@ -1,55 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron, - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#pragma once - -#include "types.h" - -#ifdef USE_OPENSSL -# include "openssl_utils.h" -#endif - -#ifdef USE_OPENSSL_GF2M -// res = a*b mod (x^r - 1) -// Note: the caller must allocate twice the size of res. -_INLINE_ ret_t -gf2x_mod_mul(OUT uint64_t *res, IN const uint64_t *a, IN const uint64_t *b) -{ - return cyclic_product((uint8_t *)res, (const uint8_t *)a, (const uint8_t *)b); -} - -// A wrapper for other gf2x_add implementations. -_INLINE_ ret_t -gf2x_add(OUT uint8_t *res, - IN const uint8_t *a, - IN const uint8_t *b, - IN const uint64_t size) -{ - BIKE_UNUSED(size); - return ossl_add((uint8_t *)res, a, b); -} -#else // USE_OPENSSL_GF2M - -_INLINE_ ret_t -gf2x_add(OUT uint8_t *res, - IN const uint8_t *a, - IN const uint8_t *b, - IN const uint64_t bytelen) -{ - for(uint64_t i = 0; i < bytelen; i++) - { - res[i] = a[i] ^ b[i]; - } - return SUCCESS; -} - -// res = a*b mod (x^r - 1) -// the caller must allocate twice the size of res! -ret_t -gf2x_mod_mul(OUT uint64_t *res, IN const uint64_t *a, IN const uint64_t *b); -#endif diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/gf2x_internal.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r2/gf2x_internal.h deleted file mode 100644 index 74fc5b9932..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/gf2x_internal.h +++ /dev/null @@ -1,32 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron, - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#pragma once - -#include "types.h" - -EXTERNC void -karatzuba_add1(OUT uint64_t *res, - IN const uint64_t *a, - IN const uint64_t *b, - IN uint64_t n_half, - IN uint64_t *alah); - -EXTERNC void -karatzuba_add2(OUT uint64_t *res1, - OUT uint64_t *res2, - IN const uint64_t *res, - IN const uint64_t *tmp, - IN uint64_t n_half); - -EXTERNC void -red(uint64_t *res); - -void - -gf2x_mul_1x1(OUT uint64_t *res, IN uint64_t a, IN uint64_t b); diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/gf2x_mul.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r2/gf2x_mul.c deleted file mode 100644 index 84a79589db..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/gf2x_mul.c +++ /dev/null @@ -1,97 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron, - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#include "cleanup.h" -#include "gf2x.h" -#include "gf2x_internal.h" -#include <stdlib.h> -#include <string.h> - -#ifndef USE_OPENSSL_GF2M - -// All the temporary data (which might hold secrets) -// is stored on a secure buffer, so that it can be easily cleaned up later. -// The secure buffer required is: 3n/2 (alah|blbh|tmp) in a recursive way. -// 3n/2 + 3n/4 + 3n/8 = 3(n/2 + n/4 + n/8) < 3n -# define SECURE_BUFFER_SIZE (3 * R_PADDED_SIZE) - -// Calculate number of uint64_t values needed to store SECURE_BUFFER_SIZE bytes. Rounding up to the next whole integer. -# define SECURE_BUFFER_SIZE_64_BIT ((SECURE_BUFFER_SIZE / sizeof(uint64_t)) + ((SECURE_BUFFER_SIZE % sizeof(uint64_t)) != 0)) - -// This functions assumes that n is even. -_INLINE_ void -karatzuba(OUT uint64_t *res, - IN const uint64_t *a, - IN const uint64_t *b, - IN const uint64_t n, - uint64_t * secure_buf) -{ - if(1 == n) - { - gf2x_mul_1x1(res, a[0], b[0]); - return; - } - - const uint64_t half_n = n >> 1; - - // Define pointers for the middle of each parameter - // sepearting a=a_low and a_high (same for ba nd res) - const uint64_t *a_high = a + half_n; - const uint64_t *b_high = b + half_n; - - // Divide res into 4 parts res3|res2|res1|res in size n/2 - uint64_t *res1 = res + half_n; - uint64_t *res2 = res1 + half_n; - - // All three parameters below are allocated on the secure buffer - // All of them are in size half n - uint64_t *alah = secure_buf; - uint64_t *blbh = alah + half_n; - uint64_t *tmp = blbh + half_n; - - // Place the secure buffer ptr in the first free location, - // so the recursive function can use it. - secure_buf = tmp + half_n; - - // Calculate Z0 and store the result in res(low) - karatzuba(res, a, b, half_n, secure_buf); - - // Calculate Z2 and store the result in res(high) - karatzuba(res2, a_high, b_high, half_n, secure_buf); - - // Accomulate the results. - karatzuba_add1(res, a, b, half_n, alah); - - // (a_low + a_high)(b_low + b_high) --> res1 - karatzuba(res1, alah, blbh, half_n, secure_buf); - - karatzuba_add2(res1, res2, res, tmp, half_n); -} - -ret_t -gf2x_mod_mul(OUT uint64_t *res, IN const uint64_t *a, IN const uint64_t *b) -{ - bike_static_assert((R_PADDED_QW % 2 == 0), karatzuba_n_is_odd); - - ALIGN(sizeof(uint64_t)) uint64_t secure_buffer[SECURE_BUFFER_SIZE_64_BIT]; - - /* make sure we have the correct size allocation. */ - bike_static_assert(sizeof(secure_buffer) % sizeof(uint64_t) == 0, - secure_buffer_not_eligable_for_uint64_t); - - karatzuba(res, a, b, R_PADDED_QW, (uint64_t *)secure_buffer); - - // This function implicitly assumes that the size of res is 2*R_PADDED_QW. - red(res); - - secure_clean((uint8_t*)secure_buffer, sizeof(secure_buffer)); - - return SUCCESS; -} - -#endif // USE_OPENSSL_GF2M diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/gf2x_portable.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r2/gf2x_portable.c deleted file mode 100644 index 1816da6e77..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/gf2x_portable.c +++ /dev/null @@ -1,108 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron, - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#include "gf2x.h" -#include "utilities.h" - -#if !defined(USE_OPENSSL_GF2M) - -// The algorithm is based on the windowing method, for example as in: -// Brent, R. P., Gaudry, P., Thomé, E., & Zimmermann, P. (2008, May), "Faster -// multiplication in GF (2)[x]". In: International Algorithmic Number Theory -// Symposium (pp. 153-166). Springer, Berlin, Heidelberg. In this implementation, -// the last three bits are multiplied using a schoolbook multiplicaiton. -void -gf2x_mul_1x1(uint64_t *c, uint64_t a, uint64_t b) -{ - uint64_t h = 0, l = 0, u[8]; - const uint64_t w = 64; - const uint64_t s = 3; - // Multiplying 64 bits by 7 can results in an overflow of 3 bits. - // Therefore, these bits are masked out, and are treated in step 3. - const uint64_t b0 = b & 0x1fffffffffffffff; - - // Step 1: Calculate a multiplication table with 8 entries. - u[0] = 0; - u[1] = b0; - u[2] = u[1] << 1; - u[3] = u[2] ^ b0; - u[4] = u[2] << 1; - u[5] = u[4] ^ b0; - u[6] = u[3] << 1; - u[7] = u[6] ^ b0; - - // Step 2: Multiply two elements in parallel in poisitions i,i+s - l = u[a & 7] ^ (u[(a >> 3) & 7] << 3); - h = (u[(a >> 3) & 7] >> 61); - for(uint32_t i = (2 * s); i < w; i += (2 * s)) - { - uint64_t g1 = u[(a >> i) & 7]; - uint64_t g2 = u[(a >> (i + s)) & 7]; - - l ^= (g1 << i) ^ (g2 << (i + s)); - h ^= (g1 >> (w - i)) ^ (g2 >> (w - (i + s))); - } - - // Step 3: Multiply the last three bits. - for(uint8_t i = 61; i < 64; i++) - { - uint64_t mask = (-((b >> i) & 1)); - l ^= ((a << i) & mask); - h ^= ((a >> (w - i)) & mask); - } - - c[0] = l; - c[1] = h; -} - -void -karatzuba_add1(OUT const uint64_t *res, - IN const uint64_t *a, - IN const uint64_t *b, - IN const uint64_t n_half, - IN uint64_t *alah) -{ - for(uint32_t j = 0; j < n_half; j++) - { - alah[j + 0 * n_half] = a[j] ^ a[n_half + j]; - alah[j + 1 * n_half] = b[j] ^ b[n_half + j]; - alah[j + 2 * n_half] = res[n_half + j] ^ res[2 * n_half + j]; - } -} - -void -karatzuba_add2(OUT uint64_t *res1, - OUT uint64_t *res2, - IN const uint64_t *res, - IN const uint64_t *tmp, - IN const uint64_t n_half) -{ - for(uint32_t j = 0; j < n_half; j++) - { - res1[j] ^= res[j] ^ tmp[j]; - res2[j] ^= res2[n_half + j] ^ tmp[j]; - } -} - -void -red(uint64_t *a) -{ - for(uint32_t i = 0; i < R_QW; i++) - { - const uint64_t temp0 = a[R_QW + i - 1]; - const uint64_t temp1 = a[R_QW + i]; - a[i] ^= (temp0 >> LAST_R_QW_LEAD) | (temp1 << LAST_R_QW_TRAIL); - } - - a[R_QW - 1] &= LAST_R_QW_MASK; - - // Clean the secrets from the upper half of a. - secure_clean((uint8_t *)&a[R_QW], sizeof(uint64_t) * R_QW); -} - -#endif diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/openssl_utils.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r2/openssl_utils.c deleted file mode 100644 index c80d3365cb..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/openssl_utils.c +++ /dev/null @@ -1,187 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron, - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#include "openssl_utils.h" -#include "utilities.h" -#include <assert.h> -#include <openssl/bn.h> -#include <string.h> - -#ifdef USE_OPENSSL_GF2M - -# define MAX_OPENSSL_INV_TRIALS 1000 - -_INLINE_ void -BN_CTX_cleanup(BN_CTX *ctx) -{ - if(ctx) - { - BN_CTX_end(ctx); - BN_CTX_free(ctx); - } -} - -DEFINE_POINTER_CLEANUP_FUNC(BN_CTX *, BN_CTX_cleanup); - -// Loading (big) numbers into OpenSSL should use Big Endian representation. -// Therefore, the bytes ordering of the number should be reversed. -_INLINE_ void -reverse_endian(OUT uint8_t *res, IN const uint8_t *in, IN const uint32_t n) -{ - uint32_t i; - - for(i = 0; i < (n / 2); i++) - { - uint64_t tmp = in[i]; - res[i] = in[n - 1 - i]; - res[n - 1 - i] = tmp; - } - - // If the number of blocks is odd, swap also the middle block. - if(n % 2) - { - res[i] = in[i]; - } -} - -_INLINE_ ret_t -ossl_bn2bin(OUT uint8_t *out, IN const BIGNUM *in, IN const uint32_t size) -{ - assert(size <= N_SIZE); - uint8_t be_tmp[N_SIZE] = {0}; - - memset(out, 0, size); - - if(BN_bn2bin(in, be_tmp) == -1) - { - BIKE_ERROR(EXTERNAL_LIB_ERROR_OPENSSL); - } - reverse_endian(out, be_tmp, BN_num_bytes(in)); - - return SUCCESS; -} - -_INLINE_ ret_t -ossl_bin2bn(IN BIGNUM *out, OUT const uint8_t *in, IN const uint32_t size) -{ - assert(size <= N_SIZE); - uint8_t be_tmp[N_SIZE] = {0}; - - reverse_endian(be_tmp, in, size); - - if(BN_bin2bn(be_tmp, size, out) == 0) - { - BIKE_ERROR(EXTERNAL_LIB_ERROR_OPENSSL); - } - - return SUCCESS; -} - -ret_t -ossl_add(OUT uint8_t res_bin[R_SIZE], - IN const uint8_t a_bin[R_SIZE], - IN const uint8_t b_bin[R_SIZE]) -{ - DEFER_CLEANUP(BN_CTX *bn_ctx = BN_CTX_new(), BN_CTX_cleanup_pointer); - BIGNUM *r = NULL; - BIGNUM *a = NULL; - BIGNUM *b = NULL; - - if(NULL == bn_ctx) - { - BIKE_ERROR(EXTERNAL_LIB_ERROR_OPENSSL); - } - - BN_CTX_start(bn_ctx); - - r = BN_CTX_get(bn_ctx); - a = BN_CTX_get(bn_ctx); - b = BN_CTX_get(bn_ctx); - - if((NULL == r) || (NULL == a) || (NULL == b)) - { - BIKE_ERROR(EXTERNAL_LIB_ERROR_OPENSSL); - } - - POSIX_GUARD(ossl_bin2bn(a, a_bin, R_SIZE)); - POSIX_GUARD(ossl_bin2bn(b, b_bin, R_SIZE)); - - if(BN_GF2m_add(r, a, b) == 0) - { - BIKE_ERROR(EXTERNAL_LIB_ERROR_OPENSSL); - } - - POSIX_GUARD(ossl_bn2bin(res_bin, r, R_SIZE)); - - return SUCCESS; -} - -// Perform a cyclic product by using OpenSSL. -_INLINE_ ret_t -ossl_cyclic_product(OUT BIGNUM *r, - IN const BIGNUM *a, - IN const BIGNUM *b, - BN_CTX * bn_ctx) -{ - BIGNUM *m = BN_CTX_get(bn_ctx); - if(NULL == m) - { - BIKE_ERROR(EXTERNAL_LIB_ERROR_OPENSSL); - } - - // m = x^PARAM_R - 1 - if((BN_set_bit(m, R_BITS) == 0) || (BN_set_bit(m, 0) == 0)) - { - BIKE_ERROR(EXTERNAL_LIB_ERROR_OPENSSL); - } - - // r = a*b mod m - if(BN_GF2m_mod_mul(r, a, b, m, bn_ctx) == 0) - { - BIKE_ERROR(EXTERNAL_LIB_ERROR_OPENSSL); - } - - return SUCCESS; -} - -// Perform a cyclic product by using OpenSSL. -ret_t -cyclic_product(OUT uint8_t res_bin[R_SIZE], - IN const uint8_t a_bin[R_SIZE], - IN const uint8_t b_bin[R_SIZE]) -{ - DEFER_CLEANUP(BN_CTX *bn_ctx = BN_CTX_new(), BN_CTX_cleanup_pointer); - BIGNUM *r = NULL; - BIGNUM *a = NULL; - BIGNUM *b = NULL; - - if(NULL == bn_ctx) - { - BIKE_ERROR(EXTERNAL_LIB_ERROR_OPENSSL); - } - - BN_CTX_start(bn_ctx); - - r = BN_CTX_get(bn_ctx); - a = BN_CTX_get(bn_ctx); - b = BN_CTX_get(bn_ctx); - - if((NULL == r) || (NULL == a) || (NULL == b)) - { - BIKE_ERROR(EXTERNAL_LIB_ERROR_OPENSSL); - } - - POSIX_GUARD(ossl_bin2bn(a, a_bin, R_SIZE)); - POSIX_GUARD(ossl_bin2bn(b, b_bin, R_SIZE)); - POSIX_GUARD(ossl_cyclic_product(r, a, b, bn_ctx)); - POSIX_GUARD(ossl_bn2bin(res_bin, r, R_SIZE)); - - return SUCCESS; -} - -#endif // USE_OPENSSL_GF2M diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/openssl_utils.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r2/openssl_utils.h deleted file mode 100644 index 59438b6d70..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/openssl_utils.h +++ /dev/null @@ -1,33 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron, - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#pragma once - -#include "types.h" - -#ifdef USE_OPENSSL -# include <openssl/bn.h> -# ifndef OPENSSL_NO_EC2M -# define USE_OPENSSL_GF2M 1 -# endif -#endif - -#ifdef USE_OPENSSL_GF2M - -ret_t -ossl_add(OUT uint8_t res_bin[R_SIZE], - IN const uint8_t a_bin[R_SIZE], - IN const uint8_t b_bin[R_SIZE]); - -// Perform cyclic product by using OpenSSL -ret_t -cyclic_product(OUT uint8_t res_bin[R_SIZE], - IN const uint8_t a_bin[R_SIZE], - IN const uint8_t b_bin[R_SIZE]); - -#endif diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/sampling.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r2/sampling.c deleted file mode 100644 index d08fa5eea7..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/sampling.c +++ /dev/null @@ -1,118 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#include "sampling.h" -#include <assert.h> -#include <string.h> - -_INLINE_ ret_t -get_rand_mod_len(OUT uint32_t * rand_pos, - IN const uint32_t len, - IN OUT aes_ctr_prf_state_t *prf_state) -{ - const uint64_t mask = MASK(bit_scan_reverse(len)); - - do - { - // Generate 128bit of random numbers - POSIX_GUARD(aes_ctr_prf((uint8_t *)rand_pos, prf_state, sizeof(*rand_pos))); - - // Mask only relevant bits - (*rand_pos) &= mask; - - // Break if a number smaller than len is found - if((*rand_pos) < len) - { - break; - } - - } while(1); - - return SUCCESS; -} - -_INLINE_ void -make_odd_weight(IN OUT r_t *r) -{ - if(((r_bits_vector_weight(r) % 2) == 1)) - { - // Already odd - return; - } - - r->raw[0] ^= 1; -} - -// IN: must_be_odd - 1 true, 0 not -ret_t -sample_uniform_r_bits_with_fixed_prf_context(OUT r_t *r, - IN OUT - aes_ctr_prf_state_t *prf_state, - IN const must_be_odd_t must_be_odd) -{ - // Generate random data - POSIX_GUARD(aes_ctr_prf(r->raw, prf_state, R_SIZE)); - - // Mask upper bits of the MSByte - r->raw[R_SIZE - 1] &= MASK(R_BITS + 8 - (R_SIZE * 8)); - - if(must_be_odd == MUST_BE_ODD) - { - make_odd_weight(r); - } - - return SUCCESS; -} - -_INLINE_ int -is_new(IN const idx_t wlist[], IN const uint32_t ctr) -{ - for(uint32_t i = 0; i < ctr; i++) - { - if(wlist[i] == wlist[ctr]) - { - return 0; - } - } - - return 1; -} - -// Assumption 1) paddded_len % 64 = 0! -// Assumption 2) a is a len bits array. It is padded to be a padded_len -// bytes array. The padded area may be modified and should -// be ignored outside the function scope. -ret_t -generate_sparse_rep(OUT uint64_t * a, - OUT idx_t wlist[], - IN const uint32_t weight, - IN const uint32_t len, - IN const uint32_t padded_len, - IN OUT aes_ctr_prf_state_t *prf_state) -{ - assert(padded_len % 64 == 0); - // Bits comparison - assert((padded_len * 8) >= len); - - uint64_t ctr = 0; - - // Generate weight rand numbers - do - { - POSIX_GUARD(get_rand_mod_len(&wlist[ctr], len, prf_state)); - ctr += is_new(wlist, ctr); - } while(ctr < weight); - - // Initialize to zero - memset(a, 0, (len + 7) >> 3); - - // Assign values to "a" - secure_set_bits(a, wlist, padded_len, weight); - - return SUCCESS; -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/sampling.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r2/sampling.h deleted file mode 100644 index 4ec60683de..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/sampling.h +++ /dev/null @@ -1,78 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#pragma once - -#include "aes_ctr_prf.h" -#include "pq-crypto/s2n_pq_random.h" -#include "utils/s2n_result.h" -#include "utilities.h" - -typedef enum -{ - NO_RESTRICTION = 0, - MUST_BE_ODD = 1 -} must_be_odd_t; - -_INLINE_ ret_t -get_seeds(OUT seeds_t *seeds) -{ - if(s2n_result_is_ok(s2n_get_random_bytes(seeds->seed[0].raw, sizeof(seeds_t)))) - { - return SUCCESS; - } - else - { - BIKE_ERROR(E_FAIL_TO_GET_SEED); - } -} - -// Return's an array of r pseudorandom bits -// No restrictions exist for the top or bottom bits - -// in case an odd number is required then set must_be_odd=1 -// Uses the provided prf context -ret_t -sample_uniform_r_bits_with_fixed_prf_context(OUT r_t *r, - IN OUT - aes_ctr_prf_state_t *prf_state, - IN must_be_odd_t must_be_odd); - -// Return's an array of r pseudorandom bits -// No restrictions exist for the top or bottom bits - -// in case an odd number is required then set must_be_odd=1 -_INLINE_ ret_t -sample_uniform_r_bits(OUT r_t *r, - IN const seed_t * seed, - IN const must_be_odd_t must_be_odd) -{ - // For the seedexpander - DEFER_CLEANUP(aes_ctr_prf_state_t prf_state = {0}, aes_ctr_prf_state_cleanup); - - POSIX_GUARD(init_aes_ctr_prf_state(&prf_state, MAX_AES_INVOKATION, seed)); - - POSIX_GUARD(sample_uniform_r_bits_with_fixed_prf_context(r, &prf_state, must_be_odd)); - - return SUCCESS; -} - -// Generate a pseudorandom r of length len with a set weight -// Using the pseudorandom ctx supplied -// Outputs also a compressed (not ordered) list of indices -ret_t -generate_sparse_rep(OUT uint64_t *a, - OUT idx_t wlist[], - IN uint32_t weight, - IN uint32_t len, - IN uint32_t padded_len, - IN OUT aes_ctr_prf_state_t *prf_state); - -EXTERNC void -secure_set_bits(IN OUT uint64_t *a, - IN const idx_t wlist[], - IN uint32_t a_len, - IN uint32_t weight); diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/sampling_portable.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r2/sampling_portable.c deleted file mode 100644 index 1ae7a6f247..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/sampling_portable.c +++ /dev/null @@ -1,48 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#include "sampling.h" -#include <assert.h> - -#define MAX_WEIGHT (T1 > DV ? T1 : DV) - -// This implementation assumes that the wlist contains fake list -void -secure_set_bits(IN OUT uint64_t * a, - IN const idx_t wlist[], - IN const uint32_t a_len_bytes, - IN const uint32_t weight) -{ - assert(a_len_bytes % 8 == 0); - - // Set arrays to the maximum possible for the stack protector - assert(weight <= MAX_WEIGHT); - uint64_t qw_pos[MAX_WEIGHT]; - uint64_t bit_pos[MAX_WEIGHT]; - - // 1. Identify the QW position of each value and the bit position inside this - // QW. - for(uint32_t j = 0; j < weight; j++) - { - qw_pos[j] = wlist[j] >> 6; - bit_pos[j] = BIT(wlist[j] & 0x3f); - } - - // 2. Fill each QW in a constant time. - for(uint32_t qw = 0; qw < (a_len_bytes / 8); qw++) - { - uint64_t tmp = 0; - for(uint32_t j = 0; j < weight; j++) - { - uint64_t mask = (-1ULL) + (!secure_cmp32(qw_pos[j], qw)); - tmp |= (bit_pos[j] & mask); - } - // Set the bit in a masked way - a[qw] |= tmp; - } -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/secure_decode_portable.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r2/secure_decode_portable.c deleted file mode 100644 index 963c3257b7..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/secure_decode_portable.c +++ /dev/null @@ -1,66 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#include "decode.h" -#include "utilities.h" - -#define R_QW_HALF_LOG2 UPTOPOW2(R_QW / 2) - -_INLINE_ void -rotr_big(OUT syndrome_t *out, IN const syndrome_t *in, IN size_t qw_num) -{ - // For preventing overflows (comparison in bytes) - bike_static_assert(sizeof(*out) > 8 * (R_QW + (2 * R_QW_HALF_LOG2)), - rotr_big_err); - - memcpy(out, in, sizeof(*in)); - - for(uint32_t idx = R_QW_HALF_LOG2; idx >= 1; idx >>= 1) - { - // Convert 32 bit mask to 64 bit mask - const uint64_t mask = ((uint32_t)secure_l32_mask(qw_num, idx) + 1U) - 1ULL; - qw_num = qw_num - (idx & mask); - - // Rotate R_QW quadwords and another idx quadwords needed by the next - // iteration - for(size_t i = 0; i < (R_QW + idx); i++) - { - out->qw[i] = (out->qw[i] & (~mask)) | (out->qw[i + idx] & mask); - } - } -} - -_INLINE_ void -rotr_small(OUT syndrome_t *out, IN const syndrome_t *in, IN const size_t bits) -{ - bike_static_assert(bits < 64, rotr_small_err); - bike_static_assert(sizeof(*out) > (8 * R_QW), rotr_small_qw_err); - - // Convert |bits| to 0/1 by using !!bits then create a mask of 0 or 0xffffffffff - // Use high_shift to avoid undefined behaviour when doing x << 64; - const uint64_t mask = (0 - (!!bits)); - const uint64_t high_shift = (64 - bits) & mask; - - for(size_t i = 0; i < R_QW; i++) - { - const uint64_t low_part = in->qw[i] >> bits; - const uint64_t high_part = (in->qw[i + 1] << high_shift) & mask; - out->qw[i] = low_part | high_part; - } -} - -void -rotate_right(OUT syndrome_t *out, - IN const syndrome_t *in, - IN const uint32_t bitscount) -{ - // Rotate (64-bit) quad-words - rotr_big(out, in, (bitscount / 64)); - // Rotate bits (less than 64) - rotr_small(out, out, (bitscount % 64)); -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/sha.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r2/sha.h deleted file mode 100644 index 63687055f2..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/sha.h +++ /dev/null @@ -1,41 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#pragma once - -#include "cleanup.h" -#include "types.h" -#include "utilities.h" -#include <openssl/sha.h> - -#define SHA384_HASH_SIZE 48ULL -#define SHA384_HASH_QWORDS (SHA384_HASH_SIZE / 8) - -typedef struct sha384_hash_s -{ - union { - uint8_t raw[SHA384_HASH_SIZE]; - uint64_t qw[SHA384_HASH_QWORDS]; - } u; -} sha384_hash_t; -bike_static_assert(sizeof(sha384_hash_t) == SHA384_HASH_SIZE, sha384_hash_size); - -typedef sha384_hash_t sha_hash_t; - -_INLINE_ void -sha_hash_cleanup(IN OUT sha_hash_t *o) -{ - secure_clean(o->u.raw, sizeof(*o)); -} - -_INLINE_ int -sha(OUT sha_hash_t *hash_out, IN const uint32_t byte_len, IN const uint8_t *msg) -{ - SHA384(msg, byte_len, hash_out->u.raw); - return 1; -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/types.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r2/types.h deleted file mode 100644 index 044b7ee38e..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/types.h +++ /dev/null @@ -1,139 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#pragma once - -#include "bike_defs.h" -#include "error.h" -#include <stdint.h> - -typedef struct uint128_s -{ - union { - uint8_t bytes[16]; - uint32_t dw[4]; - uint64_t qw[2]; - } u; -} uint128_t; - -// Make sure no compiler optimizations. -#pragma pack(push, 1) - -typedef struct seed_s -{ - uint8_t raw[32]; -} seed_t; - -typedef struct seeds_s -{ - seed_t seed[NUM_OF_SEEDS]; -} seeds_t; - -typedef struct r_s -{ - uint8_t raw[R_SIZE]; -} r_t; - -typedef struct e_s -{ - uint8_t raw[N_SIZE]; -} e_t; - -typedef struct generic_param_n_s -{ - r_t val[N0]; -} generic_param_n_t; - -typedef generic_param_n_t ct_t; -typedef generic_param_n_t pk_t; -typedef generic_param_n_t split_e_t; - -typedef uint32_t idx_t; - -typedef struct compressed_idx_dv_s -{ - idx_t val[DV]; -} compressed_idx_dv_t; - -typedef compressed_idx_dv_t compressed_idx_dv_ar_t[N0]; - -typedef struct compressed_idx_t_t -{ - idx_t val[T1]; -} compressed_idx_t_t; - -// The secret key holds both representation for avoiding -// the compression in the decaps stage -typedef struct sk_s -{ - compressed_idx_dv_ar_t wlist; - r_t bin[N0]; -#ifndef INDCPA - r_t sigma0; - r_t sigma1; -#endif -} sk_t; - -// Pad e to the next Block -typedef ALIGN(8) struct padded_e_s -{ - e_t val; - uint8_t pad[N_PADDED_SIZE - N_SIZE]; -} padded_e_t; - -// Pad r to the next Block -typedef ALIGN(8) struct padded_r_s -{ - r_t val; - uint8_t pad[R_PADDED_SIZE - R_SIZE]; -} padded_r_t; - -typedef padded_r_t padded_param_n_t[N0]; -typedef padded_param_n_t pad_sk_t; -typedef padded_param_n_t pad_pk_t; -typedef padded_param_n_t pad_ct_t; - -// Need to allocate twice the room for the results -typedef ALIGN(8) struct dbl_padded_r_s -{ - r_t val; - uint8_t pad[(2 * R_PADDED_SIZE) - R_SIZE]; -} dbl_padded_r_t; - -typedef dbl_padded_r_t dbl_padded_param_n_t[N0]; -typedef dbl_padded_param_n_t dbl_pad_pk_t; -typedef dbl_padded_param_n_t dbl_pad_ct_t; -typedef dbl_padded_param_n_t dbl_pad_syndrome_t; - -typedef struct ss_s -{ - uint8_t raw[ELL_K_SIZE]; -} ss_t; - -// For optimization purposes -// 1- For a faster rotate we duplicate the syndrome (dup1/2) -// 2- We extend it to fit the boundary of DDQW -typedef ALIGN(64) struct syndrome_s -{ - uint64_t qw[3 * R_QW]; -} syndrome_t; - -typedef struct upc_slice_s -{ - union { - padded_r_t r; - uint64_t qw[sizeof(padded_r_t) / 8]; - } u; -} upc_slice_t; - -typedef struct upc_s -{ - upc_slice_t slice[SLICES]; -} upc_t; - -#pragma pack(pop) diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/utilities.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r2/utilities.c deleted file mode 100644 index 4f049af86a..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/utilities.c +++ /dev/null @@ -1,160 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#include "utilities.h" -#include <inttypes.h> - -#define BITS_IN_QW 64ULL -#define BITS_IN_BYTE 8ULL - -// Print a new line only if we prints in qw blocks -_INLINE_ void -print_newline(IN const uint64_t qw_pos) -{ -#ifndef NO_NEWLINE - if((qw_pos % 4) == 3) - { - printf("\n "); - } -#endif -} - -// This function is stitched for R_BITS vector -uint64_t -r_bits_vector_weight(IN const r_t *in) -{ - uint64_t acc = 0; - for(size_t i = 0; i < (R_SIZE - 1); i++) - { - acc += __builtin_popcount(in->raw[i]); - } - - acc += __builtin_popcount(in->raw[R_SIZE - 1] & LAST_R_BYTE_MASK); - return acc; -} - -// Prints a QW in LE/BE in win/linux format -_INLINE_ void -print_uint64(IN const uint64_t val) -{ -// If printing in BE is required swap the order of bytes -#ifdef PRINT_IN_BE - uint64_t tmp = bswap_64(val); -#else - uint64_t tmp = val; -#endif - - printf("%.16" PRIx64, tmp); - -#ifndef NO_SPACE - printf(" "); -#endif -} - -// Last block requires a special handling as we should zero mask all the bits -// above the desired number endien - 0 - BE, 1 - LE Return 1 if last block was -// printed else 0 -_INLINE_ uint8_t -print_last_block(IN const uint8_t *last_bytes, - IN const uint32_t bits_num, - IN const uint32_t endien) -{ - // Floor of bits/64 the reminder is in the next QW - const uint32_t qw_num = bits_num / BITS_IN_QW; - - // How many bits to pad with zero - const uint32_t rem_bits = bits_num - (BITS_IN_QW * qw_num); - - // We read byte byte and not the whole QW to avoid reading bad memory address - const uint32_t bytes_num = ((rem_bits % 8) == 0) ? rem_bits / BITS_IN_BYTE - : 1 + rem_bits / BITS_IN_BYTE; - - // Must be signed for the LE loop - int i; - - if(0 == rem_bits) - { - return 0; - } - - // Mask unneeded bits - const uint8_t last_byte = (rem_bits % 8 == 0) - ? last_bytes[bytes_num - 1] - : last_bytes[bytes_num - 1] & MASK(rem_bits % 8); - // BE - if(0 == endien) - { - for(i = 0; (uint32_t)i < (bytes_num - 1); i++) - { - printf("%.2x", last_bytes[i]); - } - - printf("%.2x", last_byte); - - for(i++; (uint32_t)i < sizeof(uint64_t); i++) - { - printf("__"); - } - } - else - { - for(i = sizeof(uint64_t) - 1; (uint32_t)i >= bytes_num; i--) - { - printf("__"); - } - - printf("%.2x", last_byte); - - for(i--; i >= 0; i--) - { - printf("%.2x", last_bytes[i]); - } - } - -#ifndef NO_SPACE - printf(" "); -#endif - - return 1; -} - -void -print_LE(IN const uint64_t *in, IN const uint32_t bits_num) -{ - const uint32_t qw_num = bits_num / BITS_IN_QW; - - // Print the MSB QW - uint32_t qw_pos = print_last_block((const uint8_t *)&in[qw_num], bits_num, 1); - - // Print each 8 bytes separated by space (if required) - for(int i = ((int)qw_num) - 1; i >= 0; i--, qw_pos++) - { - print_uint64(in[i]); - print_newline(qw_pos); - } - - printf("\n"); -} - -void -print_BE(IN const uint64_t *in, IN const uint32_t bits_num) -{ - const uint32_t qw_num = bits_num / BITS_IN_QW; - - // Print each 16 numbers separatly - for(uint32_t i = 0; i < qw_num; ++i) - { - print_uint64(in[i]); - print_newline(i); - } - - // Print the MSB QW - print_last_block((const uint8_t *)&in[qw_num], bits_num, 0); - - printf("\n"); -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/utilities.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r2/utilities.h deleted file mode 100644 index be8f4b9b10..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r2/utilities.h +++ /dev/null @@ -1,158 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker and Shay Gueron - * AWS Cryptographic Algorithms Group. - * (ndrucker@amazon.com, gueron@amazon.com) - */ - -#pragma once - -#include "cleanup.h" - -#ifndef bswap_64 -# define bswap_64(x) __builtin_bswap64(x) -#endif - -// Printing values in Little Endian -void -print_LE(IN const uint64_t *in, IN uint32_t bits_num); - -// Printing values in Big Endian -void -print_BE(IN const uint64_t *in, IN uint32_t bits_num); - -// Printing number is required only in verbose level 2 or above -#if VERBOSE >= 2 -# ifdef PRINT_IN_BE -// Print in Big Endian -# define print(name, in, bits_num) \ - do \ - { \ - EDMSG(name); \ - print_BE(in, bits_num); \ - } while(0) -# else -// Print in Little Endian -# define print(name, in, bits_num) \ - do \ - { \ - EDMSG(name); \ - print_LE(in, bits_num); \ - } while(0) -# endif -#else -// No prints at all -# define print(name, in, bits_num) -#endif - -// Comparing value in a constant time manner -_INLINE_ uint32_t -secure_cmp(IN const uint8_t *a, IN const uint8_t *b, IN const uint32_t size) -{ - volatile uint8_t res = 0; - - for(uint32_t i = 0; i < size; ++i) - { - res |= (a[i] ^ b[i]); - } - - return (0 == res); -} - -uint64_t -r_bits_vector_weight(IN const r_t *in); - -// Constant time -_INLINE_ uint32_t -iszero(IN const uint8_t *s, IN const uint32_t len) -{ - volatile uint32_t res = 0; - for(uint64_t i = 0; i < len; i++) - { - res |= s[i]; - } - return (0 == res); -} - -// BSR returns ceil(log2(val)) -_INLINE_ uint8_t -bit_scan_reverse(uint64_t val) -{ - // index is always smaller than 64 - uint8_t index = 0; - - while(val != 0) - { - val >>= 1; - index++; - } - - return index; -} - -// Return 1 if equal 0 otherwise -_INLINE_ uint32_t -secure_cmp32(IN const uint32_t v1, IN const uint32_t v2) -{ -#if defined(__aarch64__) - uint32_t res; - __asm__ __volatile__("cmp %w1, %w2; \n " - "cset %w0, EQ; \n" - : "=r"(res) - : "r"(v1), "r"(v2) - :); - return res; -#elif defined(__x86_64__) || defined(__i386__) - uint32_t res; - __asm__ __volatile__("xor %%edx, %%edx; \n" - "cmp %1, %2; \n " - "sete %%dl; \n" - "mov %%edx, %0; \n" - : "=r"(res) - : "r"(v1), "r"(v2) - : "rdx"); - return res; -#else - // Insecure comparison: The main purpose of secure_cmp32 is to avoid - // branches and thus to prevent potential side channel attacks. To do that - // we normally leverage some CPU special instructions such as "sete" - // (for __x86_64__) and "cset" (for __aarch64__). When dealing with general - // CPU architectures, the interpretation of the line below is left for the - // compiler, which may lead to an insecure branch. - return (v1 == v2 ? 1 : 0); -#endif -} - -// Return 0 if v1 < v2, (-1) otherwise -_INLINE_ uint32_t -secure_l32_mask(IN const uint32_t v1, IN const uint32_t v2) -{ -#if defined(__aarch64__) - uint32_t res; - __asm__ __volatile__("cmp %w2, %w1; \n " - "cset %w0, HI; \n" - : "=r"(res) - : "r"(v1), "r"(v2) - :); - return (res - 1); -#elif defined(__x86_64__) || defined(__i386__) - uint32_t res; - __asm__ __volatile__("xor %%edx, %%edx; \n" - "cmp %1, %2; \n " - "setl %%dl; \n" - "dec %%edx; \n" - "mov %%edx, %0; \n" - - : "=r"(res) - : "r"(v2), "r"(v1) - : "rdx"); - - return res; -#else - // If v1 >= v2 then the subtraction result is 0^32||(v1-v2) - // else it will be 1^32||(v2-v1+1). Subsequently, negating the upper - // 32 bits gives 0 if v1 < v2 and otherwise (-1). - return ~((uint32_t)(((uint64_t)v1 - (uint64_t)v2) >> 32)); -#endif -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/LICENSE b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/LICENSE deleted file mode 100644 index 7a4a3ea242..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/LICENSE +++ /dev/null @@ -1,202 +0,0 @@ - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License.
\ No newline at end of file diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/aes.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/aes.h deleted file mode 100644 index b8b04c3655..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/aes.h +++ /dev/null @@ -1,62 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - */ - -#pragma once - -#include <openssl/evp.h> - -#include "cleanup.h" - -#define MAX_AES_INVOKATION (MASK(32)) - -#define AES256_KEY_BYTES (32U) -#define AES256_KEY_BITS (AES256_KEY_BYTES * 8) -#define AES256_BLOCK_BYTES (16U) -#define AES256_ROUNDS (14U) - -typedef ALIGN(16) struct aes256_key_s { - uint8_t raw[AES256_KEY_BYTES]; -} aes256_key_t; - -CLEANUP_FUNC(aes256_key, aes256_key_t) - -// Using OpenSSL structures -typedef EVP_CIPHER_CTX *aes256_ks_t; - -_INLINE_ ret_t aes256_key_expansion(OUT aes256_ks_t *ks, - IN const aes256_key_t *key) -{ - *ks = EVP_CIPHER_CTX_new(); - if(*ks == NULL) { - BIKE_ERROR(EXTERNAL_LIB_ERROR_OPENSSL); - } - if(0 == EVP_EncryptInit_ex(*ks, EVP_aes_256_ecb(), NULL, key->raw, NULL)) { - EVP_CIPHER_CTX_free(*ks); - BIKE_ERROR(EXTERNAL_LIB_ERROR_OPENSSL); - } - - EVP_CIPHER_CTX_set_padding(*ks, 0); - - return SUCCESS; -} - -_INLINE_ ret_t aes256_enc(OUT uint8_t *ct, - IN const uint8_t *pt, - IN const aes256_ks_t *ks) -{ - int outlen = 0; - if(0 == EVP_EncryptUpdate(*ks, ct, &outlen, pt, AES256_BLOCK_BYTES)) { - BIKE_ERROR(EXTERNAL_LIB_ERROR_OPENSSL); - } - return SUCCESS; -} - -_INLINE_ void aes256_free_ks(OUT aes256_ks_t *ks) -{ - EVP_CIPHER_CTX_free(*ks); - ks = NULL; -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/aes_ctr_prf.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/aes_ctr_prf.c deleted file mode 100644 index 9b50469ef1..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/aes_ctr_prf.c +++ /dev/null @@ -1,97 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - */ - -#include "aes_ctr_prf.h" -#include "utilities.h" - -ret_t init_aes_ctr_prf_state(OUT aes_ctr_prf_state_t *s, - IN const uint32_t max_invokations, - IN const seed_t *seed) -{ - if(0 == max_invokations) { - BIKE_ERROR(E_AES_CTR_PRF_INIT_FAIL); - } - - // Set the key schedule (from seed). - // Make sure the size matches the AES256 key size. - DEFER_CLEANUP(aes256_key_t key, aes256_key_cleanup); - - bike_static_assert(sizeof(*seed) == sizeof(key.raw), seed_size_equals_ky_size); - bike_memcpy(key.raw, seed->raw, sizeof(key.raw)); - - POSIX_GUARD(aes256_key_expansion(&s->ks, &key)); - - // Initialize buffer and counter - s->ctr.u.qw[0] = 0; - s->ctr.u.qw[1] = 0; - s->buffer.u.qw[0] = 0; - s->buffer.u.qw[1] = 0; - - s->pos = AES256_BLOCK_BYTES; - s->rem_invokations = max_invokations; - - DMSG(" Init aes_prf_ctr state:\n"); - DMSG(" s.pos = %d\n", s->pos); - DMSG(" s.rem_invokations = %u\n", s->rem_invokations); - - return SUCCESS; -} - -_INLINE_ ret_t perform_aes(OUT uint8_t *ct, IN OUT aes_ctr_prf_state_t *s) -{ - // Ensure that the CTR is large enough - bike_static_assert( - ((sizeof(s->ctr.u.qw[0]) == 8) && (BIT(33) >= MAX_AES_INVOKATION)), - ctr_size_is_too_small); - - if(0 == s->rem_invokations) { - BIKE_ERROR(E_AES_OVER_USED); - } - - POSIX_GUARD(aes256_enc(ct, s->ctr.u.bytes, &s->ks)); - - s->ctr.u.qw[0]++; - s->rem_invokations--; - - return SUCCESS; -} - -ret_t aes_ctr_prf(OUT uint8_t *a, - IN OUT aes_ctr_prf_state_t *s, - IN const uint32_t len) -{ - // When Len is smaller than use what's left in the buffer, - // there is no need for additional AES invocations. - if((len + s->pos) <= AES256_BLOCK_BYTES) { - bike_memcpy(a, &s->buffer.u.bytes[s->pos], len); - s->pos += len; - - return SUCCESS; - } - - // If s.pos != AES256_BLOCK_BYTES then copy what's left in the buffer. - // Else copy zero bytes - uint32_t idx = AES256_BLOCK_BYTES - s->pos; - bike_memcpy(a, &s->buffer.u.bytes[s->pos], idx); - - // Init s.pos - s->pos = 0; - - // Copy full AES blocks - while((len - idx) >= AES256_BLOCK_BYTES) { - POSIX_GUARD(perform_aes(&a[idx], s)); - idx += AES256_BLOCK_BYTES; - } - - POSIX_GUARD(perform_aes(s->buffer.u.bytes, s)); - - // Copy the tail - s->pos = len - idx; - bike_memcpy(&a[idx], s->buffer.u.bytes, s->pos); - - return SUCCESS; -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/aes_ctr_prf.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/aes_ctr_prf.h deleted file mode 100644 index 684a52a6fc..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/aes_ctr_prf.h +++ /dev/null @@ -1,43 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - */ - -#pragma once - -#include "aes.h" - -////////////////////////////// -// Types -///////////////////////////// - -typedef struct aes_ctr_prf_state_s { - uint128_t ctr; - uint128_t buffer; - aes256_ks_t ks; - uint32_t rem_invokations; - uint8_t pos; -} aes_ctr_prf_state_t; - -////////////////////////////// -// Methods -///////////////////////////// - -ret_t init_aes_ctr_prf_state(OUT aes_ctr_prf_state_t *s, - IN uint32_t max_invokations, - IN const seed_t *seed); - -ret_t aes_ctr_prf(OUT uint8_t *a, IN OUT aes_ctr_prf_state_t *s, IN uint32_t len); - -_INLINE_ void finalize_aes_ctr_prf(IN OUT aes_ctr_prf_state_t *s) -{ - aes256_free_ks(&s->ks); - secure_clean((uint8_t *)s, sizeof(*s)); -} - -_INLINE_ void aes_ctr_prf_state_cleanup(IN OUT aes_ctr_prf_state_t *s) -{ - finalize_aes_ctr_prf(s); -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/bike_defs.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/bike_defs.h deleted file mode 100644 index 697efd0627..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/bike_defs.h +++ /dev/null @@ -1,91 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - */ - -#pragma once - -#include "defs.h" - -//////////////////////////////////////////// -// BIKE Parameters -/////////////////////////////////////////// -#define N0 2 - -#if !defined(LEVEL) -# define LEVEL 1 -#endif - -#if(LEVEL == 3) -# define R_BITS 24659 -# define DV 103 -# define T1 199 - -# define THRESHOLD_COEFF0 15.2588 -# define THRESHOLD_COEFF1 0.005265 -# define THRESHOLD_MIN 52 - -// The gf2m code is optimized to a block in this case: -# define BLOCK_BITS 32768 -#elif(LEVEL == 1) -// 64-bits of post-quantum security parameters (BIKE paper): -# define R_BITS 12323 -# define DV 71 -# define T1 134 - -# define THRESHOLD_COEFF0 13.530 -# define THRESHOLD_COEFF1 0.0069722 -# define THRESHOLD_MIN 36 - -// The gf2x code is optimized to a block in this case: -# define BLOCK_BITS (16384) -#else -# error "Bad level, choose one of 1/3/5" -#endif - -#define NUM_OF_SEEDS 2 - -// Round the size to the nearest byte. -// SIZE suffix, is the number of bytes (uint8_t). -#define N_BITS (R_BITS * N0) -#define R_BYTES DIVIDE_AND_CEIL(R_BITS, 8) -#define R_QWORDS DIVIDE_AND_CEIL(R_BITS, 8 * BYTES_IN_QWORD) -#define R_XMM DIVIDE_AND_CEIL(R_BITS, 8 * BYTES_IN_XMM) -#define R_YMM DIVIDE_AND_CEIL(R_BITS, 8 * BYTES_IN_YMM) -#define R_ZMM DIVIDE_AND_CEIL(R_BITS, 8 * BYTES_IN_ZMM) - -#define R_BLOCKS DIVIDE_AND_CEIL(R_BITS, BLOCK_BITS) -#define R_PADDED (R_BLOCKS * BLOCK_BITS) -#define R_PADDED_BYTES (R_PADDED / 8) -#define R_PADDED_QWORDS (R_PADDED / 64) - -#define LAST_R_QWORD_LEAD (R_BITS & MASK(6)) -#define LAST_R_QWORD_TRAIL (64 - LAST_R_QWORD_LEAD) -#define LAST_R_QWORD_MASK MASK(LAST_R_QWORD_LEAD) - -#define LAST_R_BYTE_LEAD (R_BITS & MASK(3)) -#define LAST_R_BYTE_TRAIL (8 - LAST_R_BYTE_LEAD) -#define LAST_R_BYTE_MASK MASK(LAST_R_BYTE_LEAD) - -// Data alignement -#define ALIGN_BYTES (BYTES_IN_ZMM) - -#define M_BITS 256 -#define M_BYTES (M_BITS / 8) - -#define SS_BITS 256 -#define SS_BYTES (SS_BITS / 8) - -#define SEED_BYTES (256 / 8) - -////////////////////////////////// -// Parameters for the BGF decoder. -////////////////////////////////// -#define BGF_DECODER -#define DELTA 3 -#define SLICES (LOG2_MSB(DV) + 1) - -// GF2X inversion can only handle R < 32768 -bike_static_assert((R_BITS < 32768), r_too_large_for_inversion); diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/bike_r3_kem.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/bike_r3_kem.c deleted file mode 100644 index 328bb52db8..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/bike_r3_kem.c +++ /dev/null @@ -1,288 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron, and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - */ - -#include "decode.h" -#include "gf2x.h" -#include "sampling.h" -#include "sha.h" -#include "tls/s2n_kem.h" -#include "pq-crypto/s2n_pq.h" - -// m_t and seed_t have the same size and thus can be considered -// to be of the same type. However, for security reasons we distinguish -// these types, even on the costs of small extra complexity. -_INLINE_ void convert_seed_to_m_type(OUT m_t *m, IN const seed_t *seed) -{ - bike_static_assert(sizeof(*m) == sizeof(*seed), m_size_eq_seed_size); - bike_memcpy(m->raw, seed->raw, sizeof(*m)); -} - -_INLINE_ void convert_m_to_seed_type(OUT seed_t *seed, IN const m_t *m) -{ - bike_static_assert(sizeof(*m) == sizeof(*seed), m_size_eq_seed_size); - bike_memcpy(seed->raw, m->raw, sizeof(*seed)); -} - -// (e0, e1) = H(m) -_INLINE_ ret_t function_h(OUT pad_e_t *e, IN const m_t *m) -{ - DEFER_CLEANUP(seed_t seed = {0}, seed_cleanup); - - convert_m_to_seed_type(&seed, m); - return generate_error_vector(e, &seed); -} - -// out = L(e) -_INLINE_ ret_t function_l(OUT m_t *out, IN const pad_e_t *e) -{ - DEFER_CLEANUP(sha_dgst_t dgst = {0}, sha_dgst_cleanup); - DEFER_CLEANUP(e_t tmp, e_cleanup); - - // Take the padding away - tmp.val[0] = e->val[0].val; - tmp.val[1] = e->val[1].val; - - POSIX_GUARD(sha(&dgst, sizeof(tmp), (uint8_t *)&tmp)); - - // Truncate the SHA384 digest to a 256-bits m_t - bike_static_assert(sizeof(dgst) >= sizeof(*out), dgst_size_lt_m_size); - bike_memcpy(out->raw, dgst.u.raw, sizeof(*out)); - - return SUCCESS; -} - -// Generate the Shared Secret K(m, c0, c1) -_INLINE_ ret_t function_k(OUT ss_t *out, IN const m_t *m, IN const ct_t *ct) -{ - DEFER_CLEANUP(func_k_t tmp, func_k_cleanup); - DEFER_CLEANUP(sha_dgst_t dgst = {0}, sha_dgst_cleanup); - - // Copy every element, padded to the nearest byte - tmp.m = *m; - tmp.c0 = ct->c0; - tmp.c1 = ct->c1; - - POSIX_GUARD(sha(&dgst, sizeof(tmp), (uint8_t *)&tmp)); - - // Truncate the SHA384 digest to a 256-bits value - // to subsequently use it as a seed. - bike_static_assert(sizeof(dgst) >= sizeof(*out), dgst_size_lt_out_size); - bike_memcpy(out->raw, dgst.u.raw, sizeof(*out)); - - return SUCCESS; -} - -_INLINE_ ret_t encrypt(OUT ct_t *ct, - IN const pad_e_t *e, - IN const pk_t *pk, - IN const m_t *m) -{ - // Pad the public key and the ciphertext - pad_r_t p_ct = {0}; - pad_r_t p_pk = {0}; - p_pk.val = *pk; - - // Generate the ciphertext - // ct = pk * e1 + e0 - gf2x_mod_mul(&p_ct, &e->val[1], &p_pk); - gf2x_mod_add(&p_ct, &p_ct, &e->val[0]); - - ct->c0 = p_ct.val; - - // c1 = L(e0, e1) - POSIX_GUARD(function_l(&ct->c1, e)); - - // m xor L(e0, e1) - for(size_t i = 0; i < sizeof(*m); i++) { - ct->c1.raw[i] ^= m->raw[i]; - } - - return SUCCESS; -} - -_INLINE_ ret_t reencrypt(OUT m_t *m, IN const pad_e_t *e, IN const ct_t *l_ct) -{ - DEFER_CLEANUP(m_t tmp, m_cleanup); - - POSIX_GUARD(function_l(&tmp, e)); - - // m' = c1 ^ L(e') - for(size_t i = 0; i < sizeof(*m); i++) { - m->raw[i] = tmp.raw[i] ^ l_ct->c1.raw[i]; - } - - return SUCCESS; -} - -//////////////////////////////////////////////////////////////////////////////// -// The three APIs below (keypair, encapsulate, decapsulate) are defined by NIST: -//////////////////////////////////////////////////////////////////////////////// -int BIKE_L1_R3_crypto_kem_keypair(OUT unsigned char *pk, OUT unsigned char *sk) -{ - POSIX_ENSURE(s2n_pq_is_enabled(), S2N_ERR_PQ_DISABLED); - POSIX_ENSURE_REF(sk); - POSIX_ENSURE_REF(pk); - - DEFER_CLEANUP(aligned_sk_t l_sk = {0}, sk_cleanup); - - // The secret key is (h0, h1), - // and the public key h=(h0^-1 * h1). - // Padded structures are used internally, and are required by the - // decoder and the gf2x multiplication. - DEFER_CLEANUP(pad_r_t h0 = {0}, pad_r_cleanup); - DEFER_CLEANUP(pad_r_t h1 = {0}, pad_r_cleanup); - DEFER_CLEANUP(pad_r_t h0inv = {0}, pad_r_cleanup); - DEFER_CLEANUP(pad_r_t h = {0}, pad_r_cleanup); - - // The randomness of the key generation - DEFER_CLEANUP(seeds_t seeds = {0}, seeds_cleanup); - - // An AES_PRF state for the secret key - DEFER_CLEANUP(aes_ctr_prf_state_t h_prf_state = {0}, aes_ctr_prf_state_cleanup); - - POSIX_GUARD(get_seeds(&seeds)); - POSIX_GUARD(init_aes_ctr_prf_state(&h_prf_state, MAX_AES_INVOKATION, &seeds.seed[0])); - - // Generate the secret key (h0, h1) with weight w/2 - POSIX_GUARD(generate_sparse_rep(&h0, l_sk.wlist[0].val, &h_prf_state)); - POSIX_GUARD(generate_sparse_rep(&h1, l_sk.wlist[1].val, &h_prf_state)); - - // Generate sigma - convert_seed_to_m_type(&l_sk.sigma, &seeds.seed[1]); - - // Calculate the public key - gf2x_mod_inv(&h0inv, &h0); - gf2x_mod_mul(&h, &h1, &h0inv); - - // Fill the secret key data structure with contents - cancel the padding - l_sk.bin[0] = h0.val; - l_sk.bin[1] = h1.val; - l_sk.pk = h.val; - - // Copy the data to the output buffers - bike_memcpy(sk, &l_sk, sizeof(l_sk)); - bike_memcpy(pk, &l_sk.pk, sizeof(l_sk.pk)); - - return SUCCESS; -} - -// Encapsulate - pk is the public key, -// ct is a key encapsulation message (ciphertext), -// ss is the shared secret. -int BIKE_L1_R3_crypto_kem_enc(OUT unsigned char * ct, - OUT unsigned char * ss, - IN const unsigned char *pk) -{ - POSIX_ENSURE(s2n_pq_is_enabled(), S2N_ERR_PQ_DISABLED); - POSIX_ENSURE_REF(pk); - POSIX_ENSURE_REF(ct); - POSIX_ENSURE_REF(ss); - - // Public values (they do not require cleanup on exit). - pk_t l_pk; - ct_t l_ct; - - DEFER_CLEANUP(m_t m, m_cleanup); - DEFER_CLEANUP(ss_t l_ss, ss_cleanup); - DEFER_CLEANUP(seeds_t seeds = {0}, seeds_cleanup); - DEFER_CLEANUP(pad_e_t e, pad_e_cleanup); - - // Copy the data from the input buffer. This is required in order to avoid - // alignment issues on non x86_64 processors. - bike_memcpy(&l_pk, pk, sizeof(l_pk)); - - POSIX_GUARD(get_seeds(&seeds)); - - // e = H(m) = H(seed[0]) - convert_seed_to_m_type(&m, &seeds.seed[0]); - POSIX_GUARD(function_h(&e, &m)); - - // Calculate the ciphertext - POSIX_GUARD(encrypt(&l_ct, &e, &l_pk, &m)); - - // Generate the shared secret - POSIX_GUARD(function_k(&l_ss, &m, &l_ct)); - - // Copy the data to the output buffers - bike_memcpy(ct, &l_ct, sizeof(l_ct)); - bike_memcpy(ss, &l_ss, sizeof(l_ss)); - - return SUCCESS; -} - -// Decapsulate - ct is a key encapsulation message (ciphertext), -// sk is the private key, -// ss is the shared secret -int BIKE_L1_R3_crypto_kem_dec(OUT unsigned char * ss, - IN const unsigned char *ct, - IN const unsigned char *sk) -{ - POSIX_ENSURE(s2n_pq_is_enabled(), S2N_ERR_PQ_DISABLED); - POSIX_ENSURE_REF(sk); - POSIX_ENSURE_REF(ct); - POSIX_ENSURE_REF(ss); - - // Public values, does not require a cleanup on exit - ct_t l_ct; - - DEFER_CLEANUP(seeds_t seeds = {0}, seeds_cleanup); - - DEFER_CLEANUP(ss_t l_ss, ss_cleanup); - DEFER_CLEANUP(aligned_sk_t l_sk, sk_cleanup); - DEFER_CLEANUP(e_t e, e_cleanup); - DEFER_CLEANUP(m_t m_prime, m_cleanup); - DEFER_CLEANUP(pad_e_t e_tmp, pad_e_cleanup); - DEFER_CLEANUP(pad_e_t e_prime, pad_e_cleanup); - - // Copy the data from the input buffers. This is required in order to avoid - // alignment issues on non x86_64 processors. - bike_memcpy(&l_ct, ct, sizeof(l_ct)); - bike_memcpy(&l_sk, sk, sizeof(l_sk)); - - // Generate a random error vector to be used in case of decoding failure - // (Note: possibly, a "fixed" zeroed error vector could suffice too, - // and serve this generation) - POSIX_GUARD(get_seeds(&seeds)); - POSIX_GUARD(generate_error_vector(&e_prime, &seeds.seed[0])); - - // Decode and on success check if |e|=T (all in constant-time) - volatile uint32_t success_cond = (decode(&e, &l_ct, &l_sk) == SUCCESS); - success_cond &= secure_cmp32(T1, r_bits_vector_weight(&e.val[0]) + - r_bits_vector_weight(&e.val[1])); - - // Set appropriate error based on the success condition - uint8_t mask = ~secure_l32_mask(0, success_cond); - for(size_t i = 0; i < R_BYTES; i++) { - PE0_RAW(&e_prime)[i] &= u8_barrier(~mask); - PE0_RAW(&e_prime)[i] |= (u8_barrier(mask) & E0_RAW(&e)[i]); - PE1_RAW(&e_prime)[i] &= u8_barrier(~mask); - PE1_RAW(&e_prime)[i] |= (u8_barrier(mask) & E1_RAW(&e)[i]); - } - - POSIX_GUARD(reencrypt(&m_prime, &e_prime, &l_ct)); - - // Check if H(m') is equal to (e0', e1') - // (in constant-time) - POSIX_GUARD(function_h(&e_tmp, &m_prime)); - success_cond = secure_cmp(PE0_RAW(&e_prime), PE0_RAW(&e_tmp), R_BYTES); - success_cond &= secure_cmp(PE1_RAW(&e_prime), PE1_RAW(&e_tmp), R_BYTES); - - // Compute either K(m', C) or K(sigma, C) based on the success condition - mask = secure_l32_mask(0, success_cond); - for(size_t i = 0; i < M_BYTES; i++) { - m_prime.raw[i] &= u8_barrier(~mask); - m_prime.raw[i] |= (u8_barrier(mask) & l_sk.sigma.raw[i]); - } - - // Generate the shared secret - POSIX_GUARD(function_k(&l_ss, &m_prime, &l_ct)); - - // Copy the data into the output buffer - bike_memcpy(ss, &l_ss, sizeof(l_ss)); - - return SUCCESS; -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/cleanup.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/cleanup.h deleted file mode 100644 index 22e8c44250..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/cleanup.h +++ /dev/null @@ -1,63 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - */ - -#pragma once - -#include "utilities.h" - -/* Runs _thecleanup function on _thealloc once _thealloc went out of scope */ -#define DEFER_CLEANUP(_thealloc, _thecleanup) \ - __attribute__((cleanup(_thecleanup))) _thealloc - -// len is bytes length of in -_INLINE_ void secure_clean(OUT uint8_t *p, IN const uint32_t len) -{ -#if defined(_WIN32) - SecureZeroMemory(p, len); -#else - typedef void *(*memset_t)(void *, int, size_t); - static volatile memset_t memset_func = bike_memset; - memset_func(p, 0, len); -#endif -} - -#define CLEANUP_FUNC(name, type) \ - _INLINE_ void name##_cleanup(IN OUT type *o) \ - { \ - secure_clean((uint8_t *)o, sizeof(*o)); \ - } - -CLEANUP_FUNC(r, r_t) -CLEANUP_FUNC(m, m_t) -CLEANUP_FUNC(e, e_t) -CLEANUP_FUNC(sk, sk_t) -CLEANUP_FUNC(ss, ss_t) -CLEANUP_FUNC(ct, ct_t) -CLEANUP_FUNC(pad_r, pad_r_t) -CLEANUP_FUNC(pad_e, pad_e_t) -CLEANUP_FUNC(seed, seed_t) -CLEANUP_FUNC(syndrome, syndrome_t) -CLEANUP_FUNC(upc, upc_t) -CLEANUP_FUNC(func_k, func_k_t) -CLEANUP_FUNC(dbl_pad_r, dbl_pad_r_t) - -// The functions below require special handling because we deal -// with arrays and not structures. - -_INLINE_ void compressed_idx_d_ar_cleanup(IN OUT compressed_idx_d_ar_t *o) -{ - for(int i = 0; i < N0; i++) { - secure_clean((uint8_t *)&(*o)[i], sizeof((*o)[0])); - } -} - -_INLINE_ void seeds_cleanup(IN OUT seeds_t *o) -{ - for(int i = 0; i < NUM_OF_SEEDS; i++) { - seed_cleanup(&(o->seed[i])); - } -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/decode.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/decode.c deleted file mode 100644 index c280b95f03..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/decode.c +++ /dev/null @@ -1,280 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - * - * [1] The optimizations are based on the description developed in the paper: - * Drucker, Nir, and Shay Gueron. 2019. “A Toolbox for Software Optimization - * of QC-MDPC Code-Based Cryptosystems.” Journal of Cryptographic Engineering, - * January, 1–17. https://doi.org/10.1007/s13389-018-00200-4. - * - * [2] The decoder algorithm is the Black-Gray decoder in - * the early submission of CAKE (due to N. Sandrier and R Misoczki). - * - * [3] The analysis for the constant time implementation is given in - * Drucker, Nir, Shay Gueron, and Dusan Kostic. 2019. - * “On Constant-Time QC-MDPC Decoding with Negligible Failure Rate.” - * Cryptology EPrint Archive, 2019. https://eprint.iacr.org/2019/1289. - * - * [4] it was adapted to BGF in: - * Drucker, Nir, Shay Gueron, and Dusan Kostic. 2019. - * “QC-MDPC decoders with several shades of gray.” - * Cryptology EPrint Archive, 2019. To be published. - * - * [5] Chou, T.: QcBits: Constant-Time Small-Key Code-Based Cryptography. - * In: Gier-lichs, B., Poschmann, A.Y. (eds.) Cryptographic Hardware - * and Embedded Systems– CHES 2016. pp. 280–300. Springer Berlin Heidelberg, - * Berlin, Heidelberg (2016) - * - * [6] The rotate512_small funciton is a derivative of the code described in: - * Guimarães, Antonio, Diego F Aranha, and Edson Borin. 2019. - * “Optimized Implementation of QC-MDPC Code-Based Cryptography.” - * Concurrency and Computation: Practice and Experience 31 (18): - * e5089. https://doi.org/10.1002/cpe.5089. - */ - -#include "decode.h" -#include "cleanup.h" -#include "decode_internal.h" -#include "gf2x.h" -#include "utilities.h" - -// Decoding (bit-flipping) parameter -#if defined(BG_DECODER) -# if(LEVEL == 1) -# define MAX_IT 3 -# elif(LEVEL == 3) -# define MAX_IT 4 -# else -# error "Level can only be 1/3" -# endif -#elif defined(BGF_DECODER) -# if(LEVEL == 1) -# define MAX_IT 5 -# elif(LEVEL == 3) -# define MAX_IT 5 -# else -# error "Level can only be 1/3" -# endif -#endif - -ret_t compute_syndrome(OUT syndrome_t *syndrome, - IN const pad_r_t *c0, - IN const pad_r_t *h0, - IN const decode_ctx *ctx) -{ - DEFER_CLEANUP(pad_r_t pad_s, pad_r_cleanup); - - gf2x_mod_mul(&pad_s, c0, h0); - - bike_memcpy((uint8_t *)syndrome->qw, pad_s.val.raw, R_BYTES); - ctx->dup(syndrome); - - return SUCCESS; -} - -_INLINE_ ret_t recompute_syndrome(OUT syndrome_t *syndrome, - IN const pad_r_t *c0, - IN const pad_r_t *h0, - IN const pad_r_t *pk, - IN const e_t *e, - IN const decode_ctx *ctx) -{ - DEFER_CLEANUP(pad_r_t tmp_c0, pad_r_cleanup); - DEFER_CLEANUP(pad_r_t e0 = {0}, pad_r_cleanup); - DEFER_CLEANUP(pad_r_t e1 = {0}, pad_r_cleanup); - - e0.val = e->val[0]; - e1.val = e->val[1]; - - // tmp_c0 = pk * e1 + c0 + e0 - gf2x_mod_mul(&tmp_c0, &e1, pk); - gf2x_mod_add(&tmp_c0, &tmp_c0, c0); - gf2x_mod_add(&tmp_c0, &tmp_c0, &e0); - - // Recompute the syndrome using the updated ciphertext - POSIX_GUARD(compute_syndrome(syndrome, &tmp_c0, h0, ctx)); - - return SUCCESS; -} - -_INLINE_ uint8_t get_threshold(IN const syndrome_t *s) -{ - bike_static_assert(sizeof(*s) >= sizeof(r_t), syndrome_is_large_enough); - - const uint32_t syndrome_weight = r_bits_vector_weight((const r_t *)s->qw); - - // The equations below are defined in BIKE's specification p. 16, Section 5.2 - uint32_t thr = THRESHOLD_COEFF0 + (THRESHOLD_COEFF1 * syndrome_weight); - const uint32_t mask = secure_l32_mask(thr, THRESHOLD_MIN); - thr = (u32_barrier(mask) & thr) | (u32_barrier(~mask) & THRESHOLD_MIN); - - DMSG(" Threshold: %d\n", thr); - return thr; -} - -// Calculate the Unsatisfied Parity Checks (UPCs) and update the errors -// vector (e) accordingly. In addition, update the black and gray errors vector -// with the relevant values. -_INLINE_ void find_err1(OUT e_t *e, - OUT e_t *black_e, - OUT e_t *gray_e, - IN const syndrome_t * syndrome, - IN const compressed_idx_d_ar_t wlist, - IN const uint8_t threshold, - IN const decode_ctx *ctx) -{ - // This function uses the bit-slice-adder methodology of [5]: - DEFER_CLEANUP(syndrome_t rotated_syndrome = {0}, syndrome_cleanup); - DEFER_CLEANUP(upc_t upc, upc_cleanup); - - for(uint32_t i = 0; i < N0; i++) { - // UPC must start from zero at every iteration - bike_memset(&upc, 0, sizeof(upc)); - - // 1) Right-rotate the syndrome for every secret key set bit index - // Then slice-add it to the UPC array. - for(size_t j = 0; j < DV; j++) { - ctx->rotate_right(&rotated_syndrome, syndrome, wlist[i].val[j]); - ctx->bit_sliced_adder(&upc, &rotated_syndrome, LOG2_MSB(j + 1)); - } - - // 2) Subtract the threshold from the UPC counters - ctx->bit_slice_full_subtract(&upc, threshold); - - // 3) Update the errors and the black errors vectors. - // The last slice of the UPC array holds the MSB of the accumulated values - // minus the threshold. Every zero bit indicates a potential error bit. - // The errors values are stored in the black array and xored with the - // errors Of the previous iteration. - const r_t *last_slice = &(upc.slice[SLICES - 1].u.r.val); - for(size_t j = 0; j < R_BYTES; j++) { - const uint8_t sum_msb = (~last_slice->raw[j]); - black_e->val[i].raw[j] = sum_msb; - e->val[i].raw[j] ^= sum_msb; - } - - // Ensure that the padding bits (upper bits of the last byte) are zero so - // they will not be included in the multiplication and in the hash function. - e->val[i].raw[R_BYTES - 1] &= LAST_R_BYTE_MASK; - - // 4) Calculate the gray error array by adding "DELTA" to the UPC array. - // For that we reuse the rotated_syndrome variable setting it to all "1". - for(size_t l = 0; l < DELTA; l++) { - bike_memset((uint8_t *)rotated_syndrome.qw, 0xff, R_BYTES); - ctx->bit_sliced_adder(&upc, &rotated_syndrome, SLICES); - } - - // 5) Update the gray list with the relevant bits that are not - // set in the black list. - for(size_t j = 0; j < R_BYTES; j++) { - const uint8_t sum_msb = (~last_slice->raw[j]); - gray_e->val[i].raw[j] = (~(black_e->val[i].raw[j])) & sum_msb; - } - } -} - -// Recalculate the UPCs and update the errors vector (e) according to it -// and to the black/gray vectors. -_INLINE_ void find_err2(OUT e_t *e, - IN e_t * pos_e, - IN const syndrome_t * syndrome, - IN const compressed_idx_d_ar_t wlist, - IN const uint8_t threshold, - IN const decode_ctx *ctx) -{ - DEFER_CLEANUP(syndrome_t rotated_syndrome = {0}, syndrome_cleanup); - DEFER_CLEANUP(upc_t upc, upc_cleanup); - - for(uint32_t i = 0; i < N0; i++) { - // UPC must start from zero at every iteration - bike_memset(&upc, 0, sizeof(upc)); - - // 1) Right-rotate the syndrome, for every index of a set bit in the secret - // key. Then slice-add it to the UPC array. - for(size_t j = 0; j < DV; j++) { - ctx->rotate_right(&rotated_syndrome, syndrome, wlist[i].val[j]); - ctx->bit_sliced_adder(&upc, &rotated_syndrome, LOG2_MSB(j + 1)); - } - - // 2) Subtract the threshold from the UPC counters - ctx->bit_slice_full_subtract(&upc, threshold); - - // 3) Update the errors vector. - // The last slice of the UPC array holds the MSB of the accumulated values - // minus the threshold. Every zero bit indicates a potential error bit. - const r_t *last_slice = &(upc.slice[SLICES - 1].u.r.val); - for(size_t j = 0; j < R_BYTES; j++) { - const uint8_t sum_msb = (~last_slice->raw[j]); - e->val[i].raw[j] ^= (pos_e->val[i].raw[j] & sum_msb); - } - - // Ensure that the padding bits (upper bits of the last byte) are zero, so - // they are not included in the multiplication, and in the hash function. - e->val[i].raw[R_BYTES - 1] &= LAST_R_BYTE_MASK; - } -} - -ret_t decode(OUT e_t *e, IN const ct_t *ct, IN const sk_t *sk) -{ - // Initialize the decode methods struct - decode_ctx ctx; - decode_ctx_init(&ctx); - - DEFER_CLEANUP(e_t black_e = {0}, e_cleanup); - DEFER_CLEANUP(e_t gray_e = {0}, e_cleanup); - - DEFER_CLEANUP(pad_r_t c0 = {0}, pad_r_cleanup); - DEFER_CLEANUP(pad_r_t h0 = {0}, pad_r_cleanup); - pad_r_t pk = {0}; - - // Pad ciphertext (c0), secret key (h0), and public key (h) - c0.val = ct->c0; - h0.val = sk->bin[0]; - pk.val = sk->pk; - - DEFER_CLEANUP(syndrome_t s = {0}, syndrome_cleanup); - DMSG(" Computing s.\n"); - POSIX_GUARD(compute_syndrome(&s, &c0, &h0, &ctx)); - ctx.dup(&s); - - // Reset (init) the error because it is xored in the find_err functions. - bike_memset(e, 0, sizeof(*e)); - - for(uint32_t iter = 0; iter < MAX_IT; iter++) { - const uint8_t threshold = get_threshold(&s); - - DMSG(" Iteration: %d\n", iter); - DMSG(" Weight of e: %lu\n", - r_bits_vector_weight(&e->val[0]) + r_bits_vector_weight(&e->val[1])); - DMSG(" Weight of syndrome: %lu\n", r_bits_vector_weight((r_t *)s.qw)); - - find_err1(e, &black_e, &gray_e, &s, sk->wlist, threshold, &ctx); - POSIX_GUARD(recompute_syndrome(&s, &c0, &h0, &pk, e, &ctx)); -#if defined(BGF_DECODER) - if(iter >= 1) { - continue; - } -#endif - DMSG(" Weight of e: %lu\n", - r_bits_vector_weight(&e->val[0]) + r_bits_vector_weight(&e->val[1])); - DMSG(" Weight of syndrome: %lu\n", r_bits_vector_weight((r_t *)s.qw)); - - find_err2(e, &black_e, &s, sk->wlist, ((DV + 1) / 2) + 1, &ctx); - POSIX_GUARD(recompute_syndrome(&s, &c0, &h0, &pk, e, &ctx)); - - DMSG(" Weight of e: %lu\n", - r_bits_vector_weight(&e->val[0]) + r_bits_vector_weight(&e->val[1])); - DMSG(" Weight of syndrome: %lu\n", r_bits_vector_weight((r_t *)s.qw)); - - find_err2(e, &gray_e, &s, sk->wlist, ((DV + 1) / 2) + 1, &ctx); - POSIX_GUARD(recompute_syndrome(&s, &c0, &h0, &pk, e, &ctx)); - } - - if(r_bits_vector_weight((r_t *)s.qw) > 0) { - BIKE_ERROR(E_DECODING_FAILURE); - } - - return SUCCESS; -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/decode.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/decode.h deleted file mode 100644 index 8e405ea12e..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/decode.h +++ /dev/null @@ -1,12 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - */ - -#pragma once - -#include "types.h" - -ret_t decode(OUT e_t *e, IN const ct_t *ct, IN const sk_t *sk); diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/decode_avx2.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/decode_avx2.c deleted file mode 100644 index ea8b91a499..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/decode_avx2.c +++ /dev/null @@ -1,173 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - * - * The rotate functions are based on the Barrel shifter described in [1] and - * some code snippets from [2]: - * - * [1] Chou, T.: QcBits: Constant-Time Small-Key Code-Based Cryptography. - * In: Gier-lichs, B., Poschmann, A.Y. (eds.) Cryptographic Hardware - * and Embedded Systems– CHES 2016. pp. 280–300. Springer Berlin Heidelberg, - * Berlin, Heidelberg (2016) - * - * [2] Guimarães, Antonio, Diego F Aranha, and Edson Borin. 2019. - * “Optimized Implementation of QC-MDPC Code-Based Cryptography.” - * Concurrency and Computation: Practice and Experience 31 (18): - * e5089. https://doi.org/10.1002/cpe.5089. - */ - -#if defined(S2N_BIKE_R3_AVX2) - -#include "decode.h" -#include "decode_internal.h" -#include "utilities.h" - -#define AVX2_INTERNAL -#include "x86_64_intrinsic.h" - -#define R_YMM_HALF_LOG2 UPTOPOW2(R_YMM / 2) - -_INLINE_ void -rotate256_big(OUT syndrome_t *out, IN const syndrome_t *in, IN size_t ymm_num) -{ - // For preventing overflows (comparison in bytes) - bike_static_assert(sizeof(*out) > - (BYTES_IN_YMM * (R_YMM + (2 * R_YMM_HALF_LOG2))), - rotr_big_err); - - *out = *in; - - for(uint32_t idx = R_YMM_HALF_LOG2; idx >= 1; idx >>= 1) { - const uint8_t mask = secure_l32_mask(ymm_num, idx); - const __m256i blend_mask = SET1_I8(mask); - ymm_num = ymm_num - (idx & mask); - - for(size_t i = 0; i < (R_YMM + idx); i++) { - __m256i a = LOAD(&out->qw[4 * (i + idx)]); - __m256i b = LOAD(&out->qw[4 * i]); - b = BLENDV_I8(b, a, blend_mask); - STORE(&out->qw[4 * i], b); - } - } -} - -_INLINE_ void -rotate256_small(OUT syndrome_t *out, IN const syndrome_t *in, size_t count) -{ - __m256i carry_in = SET_ZERO; - const int count64 = (int)count & 0x3f; - const uint64_t count_mask = (count >> 5) & 0xe; - - __m256i idx = SET_I32(7, 6, 5, 4, 3, 2, 1, 0); - const __m256i zero_mask = SET_I64(-1, -1, -1, 0); - const __m256i count_vet = SET1_I8(count_mask); - - ALIGN(ALIGN_BYTES) - const uint8_t zero_mask2_buf[] = { - 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x86, 0x84, 0x84, 0x84, - 0x84, 0x84, 0x84, 0x84, 0x84, 0x82, 0x82, 0x82, 0x82, 0x82, 0x82, - 0x82, 0x82, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80}; - __m256i zero_mask2 = LOAD(zero_mask2_buf); - - zero_mask2 = SUB_I8(zero_mask2, count_vet); - idx = ADD_I8(idx, count_vet); - - for(int i = R_YMM; i >= 0; i--) { - // Load the next 256 bits - __m256i in256 = LOAD(&in->qw[4 * i]); - - // Rotate the current and previous 256 registers so that their quadwords - // would be in the right positions. - __m256i carry_out = PERMVAR_I32(in256, idx); - in256 = BLENDV_I8(carry_in, carry_out, zero_mask2); - - // Shift less than 64 (quadwords internal) - __m256i inner_carry = BLENDV_I8(carry_in, in256, zero_mask); - inner_carry = PERM_I64(inner_carry, 0x39); - const __m256i out256 = - SRLI_I64(in256, count64) | SLLI_I64(inner_carry, (int)64 - count64); - - // Store the rotated value - STORE(&out->qw[4 * i], out256); - carry_in = carry_out; - } -} - -void rotate_right_avx2(OUT syndrome_t *out, - IN const syndrome_t *in, - IN const uint32_t bitscount) -{ - // 1) Rotate in granularity of 256 bits blocks, using YMMs - rotate256_big(out, in, (bitscount / BITS_IN_YMM)); - // 2) Rotate in smaller granularity (less than 256 bits), using YMMs - rotate256_small(out, out, (bitscount % BITS_IN_YMM)); -} - -// Duplicates the first R_BITS of the syndrome three times -// |------------------------------------------| -// | Third copy | Second copy | first R_BITS | -// |------------------------------------------| -// This is required by the rotate functions. -void dup_avx2(IN OUT syndrome_t *s) -{ - s->qw[R_QWORDS - 1] = - (s->qw[0] << LAST_R_QWORD_LEAD) | (s->qw[R_QWORDS - 1] & LAST_R_QWORD_MASK); - - for(size_t i = 0; i < (2 * R_QWORDS) - 1; i++) { - s->qw[R_QWORDS + i] = - (s->qw[i] >> LAST_R_QWORD_TRAIL) | (s->qw[i + 1] << LAST_R_QWORD_LEAD); - } -} - -// Use half-adder as described in [1]. -void bit_sliced_adder_avx2(OUT upc_t *upc, - IN OUT syndrome_t *rotated_syndrome, - IN const size_t num_of_slices) -{ - // From cache-memory perspective this loop should be the outside loop - for(size_t j = 0; j < num_of_slices; j++) { - for(size_t i = 0; i < R_QWORDS; i++) { - const uint64_t carry = (upc->slice[j].u.qw[i] & rotated_syndrome->qw[i]); - upc->slice[j].u.qw[i] ^= rotated_syndrome->qw[i]; - rotated_syndrome->qw[i] = carry; - } - } -} - -void bit_slice_full_subtract_avx2(OUT upc_t *upc, IN uint8_t val) -{ - // Borrow - uint64_t br[R_QWORDS] = {0}; - - for(size_t j = 0; j < SLICES; j++) { - - const uint64_t lsb_mask = 0 - (val & 0x1); - val >>= 1; - - // Perform a - b with c as the input/output carry - // br = 0 0 0 0 1 1 1 1 - // a = 0 0 1 1 0 0 1 1 - // b = 0 1 0 1 0 1 0 1 - // ------------------- - // o = 0 1 1 0 0 1 1 1 - // c = 0 1 0 0 1 1 0 1 - // - // o = a^b^c - // _ __ _ _ _ _ _ - // br = abc + abc + abc + abc = abc + ((a+b))c - - for(size_t i = 0; i < R_QWORDS; i++) { - const uint64_t a = upc->slice[j].u.qw[i]; - const uint64_t b = lsb_mask; - const uint64_t tmp = ((~a) & b & (~br[i])) | ((((~a) | b) & br[i])); - upc->slice[j].u.qw[i] = a ^ b ^ br[i]; - br[i] = tmp; - } - } -} - -#endif - -typedef int dummy_typedef_to_avoid_empty_translation_unit_warning; diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/decode_avx512.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/decode_avx512.c deleted file mode 100644 index ef7f6d29d5..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/decode_avx512.c +++ /dev/null @@ -1,167 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - * - * The rotation functions are based on the Barrel shifter described in [1] - * and some modifed snippet from [2] - * [1] Chou, T.: QcBits: Constant-Time Small-Key Code-Based Cryptography. - * In: Gier-lichs, B., Poschmann, A.Y. (eds.) Cryptographic Hardware - * and Embedded Systems– CHES 2016. pp. 280–300. Springer Berlin Heidelberg, - * Berlin, Heidelberg (2016) - * - * [2] Guimarães, Antonio, Diego F Aranha, and Edson Borin. 2019. - * “Optimized Implementation of QC-MDPC Code-Based Cryptography.” - * Concurrency and Computation: Practice and Experience 31 (18): - * e5089. https://doi.org/10.1002/cpe.5089. - */ - -#if defined(S2N_BIKE_R3_AVX512) - -#include "decode.h" -#include "decode_internal.h" -#include "utilities.h" - -#define AVX512_INTERNAL -#include "x86_64_intrinsic.h" - -#define R_ZMM_HALF_LOG2 UPTOPOW2(R_ZMM / 2) - -_INLINE_ void -rotate512_big(OUT syndrome_t *out, IN const syndrome_t *in, size_t zmm_num) -{ - // For preventing overflows (comparison in bytes) - bike_static_assert(sizeof(*out) > - (BYTES_IN_ZMM * (R_ZMM + (2 * R_ZMM_HALF_LOG2))), - rotr_big_err); - *out = *in; - - for(uint32_t idx = R_ZMM_HALF_LOG2; idx >= 1; idx >>= 1) { - const uint8_t mask = secure_l32_mask(zmm_num, idx); - zmm_num = zmm_num - (idx & mask); - - for(size_t i = 0; i < (R_ZMM + idx); i++) { - const __m512i a = LOAD(&out->qw[8 * (i + idx)]); - MSTORE(&out->qw[8 * i], mask, a); - } - } -} - -// The rotate512_small function is a derivative of the code described in [1] -_INLINE_ void -rotate512_small(OUT syndrome_t *out, IN const syndrome_t *in, size_t bitscount) -{ - __m512i previous = SET_ZERO; - const int count64 = (int)bitscount & 0x3f; - const __m512i count64_512 = SET1_I64(count64); - const __m512i count64_512r = SET1_I64((int)64 - count64); - - const __m512i num_full_qw = SET1_I64(bitscount >> 6); - const __m512i one = SET1_I64(1); - __m512i a0, a1; - - __m512i idx = SET_I64(7, 6, 5, 4, 3, 2, 1, 0); - - // Positions above 7 are taken from the second register in - // _mm512_permutex2var_epi64 - idx = ADD_I64(idx, num_full_qw); - __m512i idx1 = ADD_I64(idx, one); - - for(int i = R_ZMM; i >= 0; i--) { - // Load the next 512 bits - const __m512i in512 = LOAD(&in->qw[8 * i]); - - // Rotate the current and previous 512 registers so that their quadwords - // would be in the right positions. - a0 = PERMX2VAR_I64(in512, idx, previous); - a1 = PERMX2VAR_I64(in512, idx1, previous); - - a0 = SRLV_I64(a0, count64_512); - a1 = SLLV_I64(a1, count64_512r); - - // Shift less than 64 (quadwords internal) - const __m512i out512 = a0 | a1; - - // Store the rotated value - STORE(&out->qw[8 * i], out512); - previous = in512; - } -} - -void rotate_right_avx512(OUT syndrome_t *out, - IN const syndrome_t *in, - IN const uint32_t bitscount) -{ - // 1) Rotate in granularity of 512 bits blocks, using ZMMs - rotate512_big(out, in, (bitscount / BITS_IN_ZMM)); - // 2) Rotate in smaller granularity (less than 512 bits), using ZMMs - rotate512_small(out, out, (bitscount % BITS_IN_ZMM)); -} - -// Duplicates the first R_BITS of the syndrome three times -// |------------------------------------------| -// | Third copy | Second copy | first R_BITS | -// |------------------------------------------| -// This is required by the rotate functions. -void dup_avx512(IN OUT syndrome_t *s) -{ - s->qw[R_QWORDS - 1] = - (s->qw[0] << LAST_R_QWORD_LEAD) | (s->qw[R_QWORDS - 1] & LAST_R_QWORD_MASK); - - for(size_t i = 0; i < (2 * R_QWORDS) - 1; i++) { - s->qw[R_QWORDS + i] = - (s->qw[i] >> LAST_R_QWORD_TRAIL) | (s->qw[i + 1] << LAST_R_QWORD_LEAD); - } -} - -// Use half-adder as described in [1]. -void bit_sliced_adder_avx512(OUT upc_t *upc, - IN OUT syndrome_t *rotated_syndrome, - IN const size_t num_of_slices) -{ - // From cache-memory perspective this loop should be the outside loop - for(size_t j = 0; j < num_of_slices; j++) { - for(size_t i = 0; i < R_QWORDS; i++) { - const uint64_t carry = (upc->slice[j].u.qw[i] & rotated_syndrome->qw[i]); - upc->slice[j].u.qw[i] ^= rotated_syndrome->qw[i]; - rotated_syndrome->qw[i] = carry; - } - } -} - -void bit_slice_full_subtract_avx512(OUT upc_t *upc, IN uint8_t val) -{ - // Borrow - uint64_t br[R_QWORDS] = {0}; - - for(size_t j = 0; j < SLICES; j++) { - - const uint64_t lsb_mask = 0 - (val & 0x1); - val >>= 1; - - // Perform a - b with c as the input/output carry - // br = 0 0 0 0 1 1 1 1 - // a = 0 0 1 1 0 0 1 1 - // b = 0 1 0 1 0 1 0 1 - // ------------------- - // o = 0 1 1 0 0 1 1 1 - // c = 0 1 0 0 1 1 0 1 - // - // o = a^b^c - // _ __ _ _ _ _ _ - // br = abc + abc + abc + abc = abc + ((a+b))c - - for(size_t i = 0; i < R_QWORDS; i++) { - const uint64_t a = upc->slice[j].u.qw[i]; - const uint64_t b = lsb_mask; - const uint64_t tmp = ((~a) & b & (~br[i])) | ((((~a) | b) & br[i])); - upc->slice[j].u.qw[i] = a ^ b ^ br[i]; - br[i] = tmp; - } - } -} - -#endif - -typedef int dummy_typedef_to_avoid_empty_translation_unit_warning; diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/decode_internal.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/decode_internal.h deleted file mode 100644 index 817cc4603a..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/decode_internal.h +++ /dev/null @@ -1,86 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - */ - -#pragma once - -#include "pq-crypto/s2n_pq.h" -#include "defs.h" -#include "types.h" - -// Rotate right the first R_BITS of a syndrome. -// At input, the syndrome is stored as three R_BITS triplicate. -// (this makes rotation easier to implement) -// For the output: the output syndrome has only one R_BITS rotation, the remaining -// (2 * R_BITS) bits are undefined. -void rotate_right_port(OUT syndrome_t *out, - IN const syndrome_t *in, - IN uint32_t bitscount); -void dup_port(IN OUT syndrome_t *s); -void bit_sliced_adder_port(OUT upc_t *upc, - IN OUT syndrome_t *rotated_syndrome, - IN const size_t num_of_slices); -void bit_slice_full_subtract_port(OUT upc_t *upc, IN uint8_t val); - -#if defined(S2N_BIKE_R3_AVX2) -void rotate_right_avx2(OUT syndrome_t *out, - IN const syndrome_t *in, - IN uint32_t bitscount); -void dup_avx2(IN OUT syndrome_t *s); -void bit_sliced_adder_avx2(OUT upc_t *upc, - IN OUT syndrome_t *rotated_syndrome, - IN const size_t num_of_slices); -void bit_slice_full_subtract_avx2(OUT upc_t *upc, IN uint8_t val); -#endif - -#if defined(S2N_BIKE_R3_AVX512) -void rotate_right_avx512(OUT syndrome_t *out, - IN const syndrome_t *in, - IN uint32_t bitscount); -void dup_avx512(IN OUT syndrome_t *s); -void bit_sliced_adder_avx512(OUT upc_t *upc, - IN OUT syndrome_t *rotated_syndrome, - IN const size_t num_of_slices); -void bit_slice_full_subtract_avx512(OUT upc_t *upc, IN uint8_t val); -#endif - -// Decode methods struct -typedef struct decode_ctx_st { - void (*rotate_right)(OUT syndrome_t *out, - IN const syndrome_t *in, - IN uint32_t bitscount); - void (*dup)(IN OUT syndrome_t *s); - void (*bit_sliced_adder)(OUT upc_t *upc, - IN OUT syndrome_t *rotated_syndrom, - IN const size_t num_of_slices); - void (*bit_slice_full_subtract)(OUT upc_t *upc, IN uint8_t val); -} decode_ctx; - -_INLINE_ void decode_ctx_init(decode_ctx *ctx) -{ -#if defined(S2N_BIKE_R3_AVX512) - if(s2n_bike_r3_is_avx512_enabled()) { - ctx->rotate_right = rotate_right_avx512; - ctx->dup = dup_avx512; - ctx->bit_sliced_adder = bit_sliced_adder_avx512; - ctx->bit_slice_full_subtract = bit_slice_full_subtract_avx512; - } else -#endif -#if defined(S2N_BIKE_R3_AVX2) - if(s2n_bike_r3_is_avx2_enabled()) { - ctx->rotate_right = rotate_right_avx2; - ctx->dup = dup_avx2; - ctx->bit_sliced_adder = bit_sliced_adder_avx2; - ctx->bit_slice_full_subtract = bit_slice_full_subtract_avx2; - } else -#endif - { - ctx->rotate_right = rotate_right_port; - ctx->dup = dup_port; - ctx->bit_sliced_adder = bit_sliced_adder_port; - ctx->bit_slice_full_subtract = bit_slice_full_subtract_port; - } -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/decode_portable.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/decode_portable.c deleted file mode 100644 index 846818386d..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/decode_portable.c +++ /dev/null @@ -1,126 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - */ - -#include "decode.h" -#include "decode_internal.h" -#include "utilities.h" - -#define R_QWORDS_HALF_LOG2 UPTOPOW2(R_QWORDS / 2) - -_INLINE_ void -rotr_big(OUT syndrome_t *out, IN const syndrome_t *in, IN size_t qw_num) -{ - // For preventing overflows (comparison in bytes) - bike_static_assert(sizeof(*out) > 8 * (R_QWORDS + (2 * R_QWORDS_HALF_LOG2)), - rotr_big_err); - - *out = *in; - - for(uint32_t idx = R_QWORDS_HALF_LOG2; idx >= 1; idx >>= 1) { - // Convert 32 bit mask to 64 bit mask - const uint64_t mask = ((uint32_t)secure_l32_mask(qw_num, idx) + 1U) - 1ULL; - qw_num = qw_num - (idx & u64_barrier(mask)); - - // Rotate R_QWORDS quadwords and another idx quadwords, - // as needed by the next iteration. - for(size_t i = 0; i < (R_QWORDS + idx); i++) { - out->qw[i] = (out->qw[i] & u64_barrier(~mask)) | - (out->qw[i + idx] & u64_barrier(mask)); - } - } -} - -_INLINE_ void -rotr_small(OUT syndrome_t *out, IN const syndrome_t *in, IN const size_t bits) -{ - bike_static_assert(bits < 64, rotr_small_err); - bike_static_assert(sizeof(*out) > (8 * R_QWORDS), rotr_small_qw_err); - - // Convert |bits| to 0/1 by using !!bits; then create a mask of 0 or - // 0xffffffffff Use high_shift to avoid undefined behaviour when doing x << 64; - const uint64_t mask = (0 - (!!bits)); - const uint64_t high_shift = (64 - bits) & u64_barrier(mask); - - for(size_t i = 0; i < R_QWORDS; i++) { - const uint64_t low_part = in->qw[i] >> bits; - const uint64_t high_part = (in->qw[i + 1] << high_shift) & u64_barrier(mask); - out->qw[i] = low_part | high_part; - } -} - -void rotate_right_port(OUT syndrome_t *out, - IN const syndrome_t *in, - IN const uint32_t bitscount) -{ - // Rotate (64-bit) quad-words - rotr_big(out, in, (bitscount / 64)); - // Rotate bits (less than 64) - rotr_small(out, out, (bitscount % 64)); -} - -// Duplicates the first R_BITS of the syndrome three times -// |------------------------------------------| -// | Third copy | Second copy | first R_BITS | -// |------------------------------------------| -// This is required by the rotate functions. -void dup_port(IN OUT syndrome_t *s) -{ - s->qw[R_QWORDS - 1] = - (s->qw[0] << LAST_R_QWORD_LEAD) | (s->qw[R_QWORDS - 1] & LAST_R_QWORD_MASK); - - for(size_t i = 0; i < (2 * R_QWORDS) - 1; i++) { - s->qw[R_QWORDS + i] = - (s->qw[i] >> LAST_R_QWORD_TRAIL) | (s->qw[i + 1] << LAST_R_QWORD_LEAD); - } -} - -// Use half-adder as described in [1]. -void bit_sliced_adder_port(OUT upc_t *upc, - IN OUT syndrome_t *rotated_syndrome, - IN const size_t num_of_slices) -{ - // From cache-memory perspective this loop should be the outside loop - for(size_t j = 0; j < num_of_slices; j++) { - for(size_t i = 0; i < R_QWORDS; i++) { - const uint64_t carry = (upc->slice[j].u.qw[i] & rotated_syndrome->qw[i]); - upc->slice[j].u.qw[i] ^= rotated_syndrome->qw[i]; - rotated_syndrome->qw[i] = carry; - } - } -} - -void bit_slice_full_subtract_port(OUT upc_t *upc, IN uint8_t val) -{ - // Borrow - uint64_t br[R_QWORDS] = {0}; - - for(size_t j = 0; j < SLICES; j++) { - - const uint64_t lsb_mask = 0 - (val & 0x1); - val >>= 1; - - // Perform a - b with c as the input/output carry - // br = 0 0 0 0 1 1 1 1 - // a = 0 0 1 1 0 0 1 1 - // b = 0 1 0 1 0 1 0 1 - // ------------------- - // o = 0 1 1 0 0 1 1 1 - // c = 0 1 0 0 1 1 0 1 - // - // o = a^b^c - // _ __ _ _ _ _ _ - // br = abc + abc + abc + abc = abc + ((a+b))c - - for(size_t i = 0; i < R_QWORDS; i++) { - const uint64_t a = upc->slice[j].u.qw[i]; - const uint64_t b = lsb_mask; - const uint64_t tmp = ((~a) & b & (~br[i])) | ((((~a) | b) & br[i])); - upc->slice[j].u.qw[i] = a ^ b ^ br[i]; - br[i] = tmp; - } - } -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/defs.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/defs.h deleted file mode 100644 index ab3f5c7a32..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/defs.h +++ /dev/null @@ -1,107 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - */ - -#pragma once - -//////////////////////////////////////////// -// Basic defs -/////////////////////////////////////////// - -// For code clarity. -#define IN -#define OUT - -#define ALIGN(n) __attribute__((aligned(n))) -#define BIKE_UNUSED_ATT __attribute__((unused)) - -#define _INLINE_ static inline - -// In asm the symbols '==' and '?' are not allowed. Therefore, if using -// divide_and_ceil in asm files, we must ensure with static_assert its validity. -#if(__cplusplus >= 201103L) || defined(static_assert) -# define bike_static_assert(COND, MSG) static_assert(COND, "MSG") -#else -# define bike_static_assert(COND, MSG) \ - typedef char static_assertion_##MSG[(COND) ? 1 : -1] BIKE_UNUSED_ATT -#endif - -// Divide by the divider and round up to next integer -#define DIVIDE_AND_CEIL(x, divider) (((x) + (divider) - 1) / (divider)) - -// Bit manipulations -// Linux Assemblies, except for Ubuntu, cannot understand what ULL mean. -// Therefore, in that case len must be smaller than 31. -#define BIT(len) (1ULL << (len)) -#define MASK(len) (BIT(len) - 1) -#define SIZEOF_BITS(b) (sizeof(b) * 8) - -#define BYTES_IN_QWORD 0x8 -#define BYTES_IN_XMM 0x10 -#define BYTES_IN_YMM 0x20 -#define BYTES_IN_ZMM 0x40 - -#define BITS_IN_YMM (BYTES_IN_YMM * 8) -#define BITS_IN_ZMM (BYTES_IN_ZMM * 8) - -#define WORDS_IN_YMM (BYTES_IN_YMM / sizeof(uint16_t)) -#define WORDS_IN_ZMM (BYTES_IN_ZMM / sizeof(uint16_t)) - -#define QWORDS_IN_XMM (BYTES_IN_XMM / sizeof(uint64_t)) -#define QWORDS_IN_YMM (BYTES_IN_YMM / sizeof(uint64_t)) -#define QWORDS_IN_ZMM (BYTES_IN_ZMM / sizeof(uint64_t)) - -// Copied from (Kaz answer) -// https://stackoverflow.com/questions/466204/rounding-up-to-next-power-of-2 -#define UPTOPOW2_0(v) ((v)-1) -#define UPTOPOW2_1(v) (UPTOPOW2_0(v) | (UPTOPOW2_0(v) >> 1)) -#define UPTOPOW2_2(v) (UPTOPOW2_1(v) | (UPTOPOW2_1(v) >> 2)) -#define UPTOPOW2_3(v) (UPTOPOW2_2(v) | (UPTOPOW2_2(v) >> 4)) -#define UPTOPOW2_4(v) (UPTOPOW2_3(v) | (UPTOPOW2_3(v) >> 8)) -#define UPTOPOW2_5(v) (UPTOPOW2_4(v) | (UPTOPOW2_4(v) >> 16)) - -#define UPTOPOW2(v) (UPTOPOW2_5(v) + 1) - -// Works only for 0 < v < 512 -#define LOG2_MSB(v) \ - ((v) == 0 \ - ? 0 \ - : ((v) < 2 \ - ? 1 \ - : ((v) < 4 \ - ? 2 \ - : ((v) < 8 \ - ? 3 \ - : ((v) < 16 \ - ? 4 \ - : ((v) < 32 \ - ? 5 \ - : ((v) < 64 \ - ? 6 \ - : ((v) < 128 ? 7 \ - : ((v) < 256 ? 8 : 9))))))))) - -//////////////////////////////////////////// -// Debug -/////////////////////////////////////////// - -#if defined(VERBOSE) -# include <stdio.h> - -# define DMSG(...) \ - { \ - printf(__VA_ARGS__); \ - } -#else -# define DMSG(...) -#endif - -//////////////////////////////////////////// -// Printing -/////////////////////////////////////////// -//#define PRINT_IN_BE -//#define NO_SPACE -//#define NO_NEWLINE diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/error.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/error.c deleted file mode 100644 index 9f779b7df9..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/error.c +++ /dev/null @@ -1,10 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - */ - -#include "error.h" - -__thread _bike_err_t bike_errno; diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/error.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/error.h deleted file mode 100644 index b1b9db6d5e..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/error.h +++ /dev/null @@ -1,33 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - */ - -#pragma once - -#include "utils/s2n_safety.h" - -#define SUCCESS 0 -#define FAIL (-1) - -#define ret_t int __attribute__((warn_unused_result)) - -enum _bike_err -{ - E_DECODING_FAILURE = 1, - E_AES_CTR_PRF_INIT_FAIL = 2, - E_AES_OVER_USED = 3, - EXTERNAL_LIB_ERROR_OPENSSL = 4, - E_FAIL_TO_GET_SEED = 5 -}; - -typedef enum _bike_err _bike_err_t; - -extern __thread _bike_err_t bike_errno; -#define BIKE_ERROR(x) \ - do { \ - bike_errno = (x); \ - return FAIL; \ - } while(0) diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x.h deleted file mode 100644 index f4cdb53a80..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x.h +++ /dev/null @@ -1,29 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - */ - -#pragma once - -#include "types.h" - -// c = a+b mod (x^r - 1) -_INLINE_ void -gf2x_mod_add(OUT pad_r_t *c, IN const pad_r_t *a, IN const pad_r_t *b) -{ - const uint64_t *a_qwords = (const uint64_t *)a; - const uint64_t *b_qwords = (const uint64_t *)b; - uint64_t * c_qwords = (uint64_t *)c; - - for(size_t i = 0; i < R_PADDED_QWORDS; i++) { - c_qwords[i] = a_qwords[i] ^ b_qwords[i]; - } -} - -// c = a*b mod (x^r - 1) -void gf2x_mod_mul(OUT pad_r_t *c, IN const pad_r_t *a, IN const pad_r_t *b); - -// c = a^-1 mod (x^r - 1) -void gf2x_mod_inv(OUT pad_r_t *c, IN const pad_r_t *a); diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x_internal.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x_internal.h deleted file mode 100644 index a87478aba1..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x_internal.h +++ /dev/null @@ -1,177 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - */ - -#pragma once - -// For size_t -#include <stdlib.h> - -#include "pq-crypto/s2n_pq.h" -#include "types.h" - -// The size in quadwords of the operands in the gf2x_mul_base function -// for different implementations. -#define GF2X_PORT_BASE_QWORDS (1) -#define GF2X_PCLMUL_BASE_QWORDS (8) -#define GF2X_VPCLMUL_BASE_QWORDS (16) - -// ------------------ FUNCTIONS NEEDED FOR GF2X MULTIPLICATION ------------------ -// GF2X multiplication of a and b of size GF2X_BASE_QWORDS, c = a * b -void gf2x_mul_base_port(OUT uint64_t *c, - IN const uint64_t *a, - IN const uint64_t *b); -void karatzuba_add1_port(OUT uint64_t *alah, - OUT uint64_t *blbh, - IN const uint64_t *a, - IN const uint64_t *b, - IN const size_t qwords_len); -void karatzuba_add2_port(OUT uint64_t *z, - IN const uint64_t *x, - IN const uint64_t *y, - IN const size_t qwords_len); -void karatzuba_add3_port(OUT uint64_t *c, - IN const uint64_t *mid, - IN const size_t qwords_len); - -// -------------------- FUNCTIONS NEEDED FOR GF2X INVERSION -------------------- -// c = a^2 -void gf2x_sqr_port(OUT dbl_pad_r_t *c, IN const pad_r_t *a); -// The k-squaring function computes c = a^(2^k) % (x^r - 1), -// It is required by inversion, where l_param is derived from k. -void k_sqr_port(OUT pad_r_t *c, IN const pad_r_t *a, IN size_t l_param); -// c = a mod (x^r - 1) -void gf2x_red_port(OUT pad_r_t *c, IN const dbl_pad_r_t *a); - -// AVX2 versions of the functions -#if defined(S2N_BIKE_R3_AVX2) -void karatzuba_add1_avx2(OUT uint64_t *alah, - OUT uint64_t *blbh, - IN const uint64_t *a, - IN const uint64_t *b, - IN const size_t qwords_len); -void karatzuba_add2_avx2(OUT uint64_t *z, - IN const uint64_t *x, - IN const uint64_t *y, - IN const size_t qwords_len); -void karatzuba_add3_avx2(OUT uint64_t *c, - IN const uint64_t *mid, - IN const size_t qwords_len); -void k_sqr_avx2(OUT pad_r_t *c, IN const pad_r_t *a, IN size_t l_param); -void gf2x_red_avx2(OUT pad_r_t *c, IN const dbl_pad_r_t *a); -#endif - -// AVX512 versions of the functions -#if defined(S2N_BIKE_R3_AVX512) -void karatzuba_add1_avx512(OUT uint64_t *alah, - OUT uint64_t *blbh, - IN const uint64_t *a, - IN const uint64_t *b, - IN const size_t qwords_len); -void karatzuba_add2_avx512(OUT uint64_t *z, - IN const uint64_t *x, - IN const uint64_t *y, - IN const size_t qwords_len); -void karatzuba_add3_avx512(OUT uint64_t *c, - IN const uint64_t *mid, - IN const size_t qwords_len); -void k_sqr_avx512(OUT pad_r_t *c, IN const pad_r_t *a, IN size_t l_param); -void gf2x_red_avx512(OUT pad_r_t *c, IN const dbl_pad_r_t *a); -#endif - -// PCLMUL based multiplication -#if defined(S2N_BIKE_R3_PCLMUL) -void gf2x_mul_base_pclmul(OUT uint64_t *c, - IN const uint64_t *a, - IN const uint64_t *b); -void gf2x_sqr_pclmul(OUT dbl_pad_r_t *c, IN const pad_r_t *a); -#endif - -// VPCLMUL based multiplication -#if defined(S2N_BIKE_R3_VPCLMUL) -void gf2x_mul_base_vpclmul(OUT uint64_t *c, - IN const uint64_t *a, - IN const uint64_t *b); -void gf2x_sqr_vpclmul(OUT dbl_pad_r_t *c, IN const pad_r_t *a); -#endif - -// GF2X methods struct -typedef struct gf2x_ctx_st { - size_t mul_base_qwords; - void (*mul_base)(OUT uint64_t *c, IN const uint64_t *a, IN const uint64_t *b); - void (*karatzuba_add1)(OUT uint64_t *alah, - OUT uint64_t *blbh, - IN const uint64_t *a, - IN const uint64_t *b, - IN const size_t qwords_len); - void (*karatzuba_add2)(OUT uint64_t *z, - IN const uint64_t *x, - IN const uint64_t *y, - IN const size_t qwords_len); - void (*karatzuba_add3)(OUT uint64_t *c, - IN const uint64_t *mid, - IN const size_t qwords_len); - - void (*sqr)(OUT dbl_pad_r_t *c, IN const pad_r_t *a); - void (*k_sqr)(OUT pad_r_t *c, IN const pad_r_t *a, IN size_t l_param); - - void (*red)(OUT pad_r_t *c, IN const dbl_pad_r_t *a); -} gf2x_ctx; - -// Used in gf2x_inv.c to avoid initializing the context many times. -void gf2x_mod_mul_with_ctx(OUT pad_r_t *c, - IN const pad_r_t *a, - IN const pad_r_t *b, - IN const gf2x_ctx *ctx); - -_INLINE_ void gf2x_ctx_init(gf2x_ctx *ctx) -{ -#if defined(S2N_BIKE_R3_AVX512) - if(s2n_bike_r3_is_avx512_enabled()) { - ctx->karatzuba_add1 = karatzuba_add1_avx512; - ctx->karatzuba_add2 = karatzuba_add2_avx512; - ctx->karatzuba_add3 = karatzuba_add3_avx512; - ctx->k_sqr = k_sqr_avx512; - ctx->red = gf2x_red_avx512; - } else -#endif -#if defined(S2N_BIKE_R3_AVX2) - if(s2n_bike_r3_is_avx2_enabled()) { - ctx->karatzuba_add1 = karatzuba_add1_avx2; - ctx->karatzuba_add2 = karatzuba_add2_avx2; - ctx->karatzuba_add3 = karatzuba_add3_avx2; - ctx->k_sqr = k_sqr_avx2; - ctx->red = gf2x_red_avx2; - } else -#endif - { - ctx->karatzuba_add1 = karatzuba_add1_port; - ctx->karatzuba_add2 = karatzuba_add2_port; - ctx->karatzuba_add3 = karatzuba_add3_port; - ctx->k_sqr = k_sqr_port; - ctx->red = gf2x_red_port; - } - -#if defined(S2N_BIKE_R3_VPCLMUL) - if(s2n_bike_r3_is_vpclmul_enabled()) { - ctx->mul_base_qwords = GF2X_VPCLMUL_BASE_QWORDS; - ctx->mul_base = gf2x_mul_base_vpclmul; - ctx->sqr = gf2x_sqr_vpclmul; - } else -#endif -#if defined(S2N_BIKE_R3_PCLMUL) - if(s2n_bike_r3_is_pclmul_enabled()) { - ctx->mul_base_qwords = GF2X_PCLMUL_BASE_QWORDS; - ctx->mul_base = gf2x_mul_base_pclmul; - ctx->sqr = gf2x_sqr_pclmul; - } else -#endif - { - ctx->mul_base_qwords = GF2X_PORT_BASE_QWORDS; - ctx->mul_base = gf2x_mul_base_port; - ctx->sqr = gf2x_sqr_port; - } -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x_inv.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x_inv.c deleted file mode 100644 index bea7ee84b1..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x_inv.c +++ /dev/null @@ -1,156 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - * - * The inversion algorithm in this file is based on: - * [1] Nir Drucker, Shay Gueron, and Dusan Kostic. 2020. "Fast polynomial - * inversion for post quantum QC-MDPC cryptography". Cryptology ePrint Archive, - * 2020. https://eprint.iacr.org/2020/298.pdf - */ - -#include "cleanup.h" -#include "gf2x.h" -#include "gf2x_internal.h" - -// a = a^2 mod (x^r - 1) -_INLINE_ void gf2x_mod_sqr_in_place(IN OUT pad_r_t *a, - OUT dbl_pad_r_t *secure_buffer, - IN const gf2x_ctx *ctx) -{ - ctx->sqr(secure_buffer, a); - ctx->red(a, secure_buffer); -} - -// c = a^2^2^num_sqrs -_INLINE_ void repeated_squaring(OUT pad_r_t *c, - IN pad_r_t * a, - IN const size_t num_sqrs, - OUT dbl_pad_r_t *sec_buf, - IN const gf2x_ctx *ctx) -{ - c->val = a->val; - - for(size_t i = 0; i < num_sqrs; i++) { - gf2x_mod_sqr_in_place(c, sec_buf, ctx); - } -} - -// The gf2x_mod_inv function implements inversion in F_2[x]/(x^R - 1) -// based on [1](Algorithm 2). - -// In every iteration, [1](Algorithm 2) performs two exponentiations: -// exponentiation 0 (exp0) and exponentiation 1 (exp1) of the form f^(2^k). -// These exponentiations are computed either by repeated squaring of f, k times, -// or by a single k-squaring of f. The method for a specific value of k -// is chosen based on the performance of squaring and k-squaring. -// -// Benchmarks on several platforms indicate that a good threshold -// for switching from repeated squaring to k-squaring is k = 64. -#define K_SQR_THR (64) - -// k-squaring is computed by a permutation of bits of the input polynomial, -// as defined in [1](Observation 1). The required parameter for the permutation -// is l = (2^k)^-1 % R. -// Therefore, there are two sets of parameters for every exponentiation: -// - exp0_k and exp1_k -// - exp0_l and exp1_l - -// Exponentiation 0 computes f^2^2^(i-1) for 0 < i < MAX_I. -// Exponentiation 1 computes f^2^((r-2) % 2^i) for 0 < i < MAX_I, -// only when the i-th bit of (r-2) is 1. Therefore, the value 0 in -// exp1_k[i] and exp1_l[i] means that exp1 is skipped in i-th iteration. - -// To quickly generate all the required parameters in Sage: -// r = DESIRED_R -// max_i = floor(log(r-2, 2)) + 1 -// exp0_k = [2^i for i in range(max_i)] -// exp0_l = [inverse_mod((2^k) % r, r) for k in exp0_k] -// exp1_k = [(r-2)%(2^i) if ((r-2) & (1<<i)) else 0 for i in range(max_i)] -// exp1_l = [inverse_mod((2^k) % r, r) if k != 0 else 0 for k in exp1_k] - -#if(LEVEL == 1) -// The parameters below are hard-coded for R=12323 -bike_static_assert((R_BITS == 12323), gf2x_inv_r_doesnt_match_parameters); - -// MAX_I = floor(log(r-2)) + 1 -# define MAX_I (14) -# define EXP0_K_VALS \ - 1, 2, 4, 8, 16, 32, 64, 128, 256, 512, 1024, 2048, 4096, 8192 -# define EXP0_L_VALS \ - 6162, 3081, 3851, 5632, 22, 484, 119, 1838, 1742, 3106, 10650, 1608, 10157, \ - 8816 -# define EXP1_K_VALS 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 33, 4129 -# define EXP1_L_VALS 0, 0, 0, 0, 0, 6162, 0, 0, 0, 0, 0, 0, 242, 5717 - -#else -// The parameters below are hard-coded for R=24659 -bike_static_assert((R_BITS == 24659), gf2x_inv_r_doesnt_match_parameters); - -// MAX_I = floor(log(r-2)) + 1 -# define MAX_I (15) -# define EXP0_K_VALS \ - 1, 2, 4, 8, 16, 32, 64, 128, 256, 512, 1024, 2048, 4096, 8192, 16384 -# define EXP0_L_VALS \ - 12330, 6165, 7706, 3564, 2711, 1139, 15053, 1258, 4388, 20524, 9538, 6393, \ - 10486, 1715, 6804 -# define EXP1_K_VALS 0, 0, 0, 0, 1, 0, 17, 0, 0, 0, 0, 0, 0, 81, 8273 -# define EXP1_L_VALS 0, 0, 0, 0, 12330, 0, 13685, 0, 0, 0, 0, 0, 0, 23678, 19056 - -#endif - -// Inversion in F_2[x]/(x^R - 1), [1](Algorithm 2). -// c = a^{-1} mod x^r-1 -void gf2x_mod_inv(OUT pad_r_t *c, IN const pad_r_t *a) -{ - // Initialize gf2x methods struct - gf2x_ctx ctx = {0}; - gf2x_ctx_init(&ctx); - - // Note that exp0/1_k/l are predefined constants that depend only on the value - // of R. This value is public. Therefore, branches in this function, which - // depends on R, are also "public". Code that releases these branches - // (taken/not-taken) does not leak secret information. - const size_t exp0_k[MAX_I] = {EXP0_K_VALS}; - const size_t exp0_l[MAX_I] = {EXP0_L_VALS}; - const size_t exp1_k[MAX_I] = {EXP1_K_VALS}; - const size_t exp1_l[MAX_I] = {EXP1_L_VALS}; - - DEFER_CLEANUP(pad_r_t f = {0}, pad_r_cleanup); - DEFER_CLEANUP(pad_r_t g = {0}, pad_r_cleanup); - DEFER_CLEANUP(pad_r_t t = {0}, pad_r_cleanup); - DEFER_CLEANUP(dbl_pad_r_t sec_buf = {0}, dbl_pad_r_cleanup); - - // Steps 2 and 3 in [1](Algorithm 2) - f.val = a->val; - t.val = a->val; - - for(size_t i = 1; i < MAX_I; i++) { - // Step 5 in [1](Algorithm 2), exponentiation 0: g = f^2^2^(i-1) - if(exp0_k[i - 1] <= K_SQR_THR) { - repeated_squaring(&g, &f, exp0_k[i - 1], &sec_buf, &ctx); - } else { - ctx.k_sqr(&g, &f, exp0_l[i - 1]); - } - - // Step 6, [1](Algorithm 2): f = f*g - gf2x_mod_mul_with_ctx(&f, &g, &f, &ctx); - - if(exp1_k[i] != 0) { - // Step 8, [1](Algorithm 2), exponentiation 1: g = f^2^((r-2) % 2^i) - if(exp1_k[i] <= K_SQR_THR) { - repeated_squaring(&g, &f, exp1_k[i], &sec_buf, &ctx); - } else { - ctx.k_sqr(&g, &f, exp1_l[i]); - } - - // Step 9, [1](Algorithm 2): t = t*g; - gf2x_mod_mul_with_ctx(&t, &g, &t, &ctx); - } - } - - // Step 10, [1](Algorithm 2): c = t^2 - gf2x_mod_sqr_in_place(&t, &sec_buf, &ctx); - c->val = t.val; -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x_ksqr_avx2.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x_ksqr_avx2.c deleted file mode 100644 index 91ed73d3f2..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x_ksqr_avx2.c +++ /dev/null @@ -1,188 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - * - * The k-squaring algorithm in this file is based on: - * [1] Nir Drucker, Shay Gueron, and Dusan Kostic. 2020. "Fast polynomial - * inversion for post quantum QC-MDPC cryptography". Cryptology ePrint Archive, - * 2020. https://eprint.iacr.org/2020/298.pdf - */ - -#if defined(S2N_BIKE_R3_AVX2) - -#include "cleanup.h" -#include "gf2x_internal.h" - -#define AVX2_INTERNAL -#include "x86_64_intrinsic.h" - -#define NUM_YMMS (2) -#define NUM_OF_VALS (NUM_YMMS * WORDS_IN_YMM) - -_INLINE_ void generate_map(OUT uint16_t *map, IN const uint16_t l_param) -{ - __m256i vmap[NUM_YMMS], vtmp[NUM_YMMS], vr, inc, zero; - - // The permutation map is generated in the following way: - // 1. for i = 0 to map size: - // 2. map[i] = (i * l_param) % r - // However, to avoid the expensive multiplication and modulo operations - // we modify the algorithm to: - // 1. map[0] = l_param - // 2. for i = 1 to map size: - // 3. map[i] = map[i - 1] + l_param - // 4. if map[i] >= r: - // 5. map[i] = map[i] - r - // This algorithm is parallelized with vector instructions by processing - // certain number of values (NUM_OF_VALS) in parallel. Therefore, - // in the beginning we need to initialize the first NUM_OF_VALS elements. - for(size_t i = 0; i < NUM_OF_VALS; i++) { - map[i] = (i * l_param) % R_BITS; - } - - vr = SET1_I16(R_BITS); - zero = SET_ZERO; - - // Set the increment vector such that adding it to vmap vectors - // gives the next NUM_OF_VALS elements of the map. AVX2 does not - // support comparison of vectors where vector elements are considered - // as unsigned integers. This is a problem when r > 2^14 because - // sum of two values can be greater than 2^15 which would make the it - // a negative number when considered as a signed 16-bit integer, - // and therefore, the condition in step 4 of the algorithm would be - // evaluated incorrectly. So, we use the following trick: - // we subtract R from the increment and modify the algorithm: - // 1. map[0] = l_param - // 2. for i = 1 to map size: - // 3. map[i] = map[i - 1] + (l_param - r) - // 4. if map[i] < 0: - // 5. map[i] = map[i] + r - inc = SET1_I16((l_param * NUM_OF_VALS) % R_BITS); - inc = SUB_I16(inc, vr); - - // Load the first NUM_OF_VALS elements in the vmap vectors - for(size_t i = 0; i < NUM_YMMS; i++) { - vmap[i] = LOAD(&map[i * WORDS_IN_YMM]); - } - - for(size_t i = NUM_YMMS; i < (R_PADDED / WORDS_IN_YMM); i += NUM_YMMS) { - for(size_t j = 0; j < NUM_YMMS; j++) { - vmap[j] = ADD_I16(vmap[j], inc); - vtmp[j] = CMPGT_I16(zero, vmap[j]); - vmap[j] = ADD_I16(vmap[j], vtmp[j] & vr); - - STORE(&map[(i + j) * WORDS_IN_YMM], vmap[j]); - } - } -} - -// Convert from bytes representation, where every byte holds a single bit, -// of the polynomial, to a binary representation where every byte -// holds 8 bits of the polynomial. -_INLINE_ void bytes_to_bin(OUT pad_r_t *bin_buf, IN const uint8_t *bytes_buf) -{ - uint32_t *bin32 = (uint32_t *)bin_buf; - - for(size_t i = 0; i < R_QWORDS * 2; i++) { - __m256i t = LOAD(&bytes_buf[i * BYTES_IN_YMM]); - bin32[i] = MOVEMASK(t); - } -} - -// Convert from binary representation where every byte holds 8 bits -// of the polynomial, to byte representation where -// every byte holds a single bit of the polynomial. -_INLINE_ void bin_to_bytes(OUT uint8_t *bytes_buf, IN const pad_r_t *bin_buf) -{ - // The algorithm works by taking every 32 bits of the input and converting - // them to 32 bytes where each byte holds one of the bits. The first step is - // to broadcast a 32-bit value (call it a) to all elements of vector t. - // Then t contains bytes of a in the following order: - // t = [ a3 a2 a1 a0 ... a3 a2 a1 a0 ] - // where a0 contains the first 8 bits of a, a1 the second 8 bits, etc. - // Let the output vector be [ out31 out30 ... out0 ]. We want to store - // bit 0 of a in out0 byte, bit 1 of a in out1 byte, ect. (note that - // we want to store the bit in the most significant position of a byte - // because this is required by MOVEMASK instruction used in bytes_to_bin.) - // - // Ideally, we would shuffle the bytes of t such that the byte in - // i-th position contains i-th bit of val, shift t appropriately and obtain - // the result. However, AVX2 doesn't support shift operation on bytes, only - // shifts of individual QWORDS (64 bit) and DWORDS (32 bit) are allowed. - // Consider the two least significant DWORDS of t: - // t = [ ... | a3 a2 a1 a0 | a3 a2 a1 a0 ] - // and shift them by 6 and 4 to the left, respectively, to obtain: - // t = [ ... | t7 t6 t5 t4 | t3 t2 t1 t0 ] - // where t3 = a3 << 6, t2 = a2 << 6, t1 = a1 << 6, t0 = a0 << 6, - // and t7 = a3 << 4, t6 = a2 << 4, t5 = a1 << 4, t4 = a0 << 4. - // Now we shuffle vector t to obtain vector p such that: - // p = [ ... | t12 t12 t8 t8 | t4 t4 t0 t0 ] - // Note that in every even position of the vector p we have the right byte - // of the input shifted by the required shift. The values in the odd - // positions contain the right bytes of the input but they need to be shifted - // one more time to the left by 1. By shifting each DWORD of p by 1 we get: - // q = [ ... | p7 p6 p5 p4 | p3 p2 p1 p0 ] - // where p1 = t0 << 1 = a0 << 7, p3 = t4 << 1 = 5, etc. Therefore, by - // blending p and q (taking even positions from p and odd positions from q) - // we obtain the desired result. - - __m256i t, p, q; - - const __m256i shift_mask = SET_I32(0, 2, 4, 6, 0, 2, 4, 6); - - const __m256i shuffle_mask = - SET_I8(15, 15, 11, 11, 7, 7, 3, 3, 14, 14, 10, 10, 6, 6, 2, 2, 13, 13, 9, 9, - 5, 5, 1, 1, 12, 12, 8, 8, 4, 4, 0, 0); - - const __m256i blend_mask = SET1_I16(0x00ff); - - const uint32_t *bin32 = (const uint32_t *)bin_buf; - - for(size_t i = 0; i < R_QWORDS * 2; i++) { - t = SET1_I32(bin32[i]); - t = SLLV_I32(t, shift_mask); - - p = SHUF_I8(t, shuffle_mask); - q = SLLI_I32(p, 1); - - STORE(&bytes_buf[i * 32], BLENDV_I8(p, q, blend_mask)); - } -} - -// The k-squaring function computes c = a^(2^k) % (x^r - 1). -// By [1](Observation 1), if -// a = sum_{j in supp(a)} x^j, -// then -// a^(2^k) % (x^r - 1) = sum_{j in supp(a)} x^((j * 2^k) % r). -// Therefore, k-squaring can be computed as permutation of the bits of "a": -// pi0 : j --> (j * 2^k) % r. -// For improved performance, we compute the result by inverted permutation pi1: -// pi1 : (j * 2^-k) % r --> j. -// Input argument l_param is defined as the value (2^-k) % r. -void k_sqr_avx2(OUT pad_r_t *c, IN const pad_r_t *a, IN const size_t l_param) -{ - ALIGN(ALIGN_BYTES) uint16_t map[R_PADDED]; - ALIGN(ALIGN_BYTES) uint8_t a_bytes[R_PADDED]; - ALIGN(ALIGN_BYTES) uint8_t c_bytes[R_PADDED] = {0}; - - // Generate the permutation map defined by pi1 and l_param. - generate_map(map, l_param); - - bin_to_bytes(a_bytes, a); - - // Permute "a" using the generated permutation map. - for(size_t i = 0; i < R_BITS; i++) { - c_bytes[i] = a_bytes[map[i]]; - } - - bytes_to_bin(c, c_bytes); - - secure_clean(a_bytes, sizeof(a_bytes)); - secure_clean(c_bytes, sizeof(c_bytes)); -} - -#endif - -typedef int dummy_typedef_to_avoid_empty_translation_unit_warning; diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x_ksqr_avx512.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x_ksqr_avx512.c deleted file mode 100644 index af2c5738a8..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x_ksqr_avx512.c +++ /dev/null @@ -1,135 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - * - * The k-squaring algorithm in this file is based on: - * [1] Nir Drucker, Shay Gueron, and Dusan Kostic. 2020. "Fast polynomial - * inversion for post quantum QC-MDPC cryptography". Cryptology ePrint Archive, - * 2020. https://eprint.iacr.org/2020/298.pdf - */ - -#if defined(S2N_BIKE_R3_AVX512) - -#include "cleanup.h" -#include "gf2x_internal.h" - -#define AVX512_INTERNAL -#include "x86_64_intrinsic.h" - -#define NUM_ZMMS (2) -#define NUM_OF_VALS (NUM_ZMMS * WORDS_IN_ZMM) - -// clang-3.9 doesn't recognize these two macros -#if !defined(_MM_CMPINT_EQ) -# define _MM_CMPINT_EQ (0) -#endif - -#if !defined(_MM_CMPINT_NLT) -# define _MM_CMPINT_NLT (5) -#endif - -_INLINE_ void generate_map(OUT uint16_t *map, IN const size_t l_param) -{ - __m512i vmap[NUM_ZMMS], vr, inc; - __mmask32 mask[NUM_ZMMS]; - - // The permutation map is generated in the following way: - // 1. for i = 0 to map size: - // 2. map[i] = (i * l_param) % r - // However, to avoid the expensive multiplication and modulo operations - // we modify the algorithm to: - // 1. map[0] = l_param - // 2. for i = 1 to map size: - // 3. map[i] = map[i - 1] + l_param - // 4. if map[i] >= r: - // 5. map[i] = map[i] - r - // This algorithm is parallelized with vector instructions by processing - // certain number of values (NUM_OF_VALS) in parallel. Therefore, - // in the beginning we need to initialize the first NUM_OF_VALS elements. - for(size_t i = 0; i < NUM_OF_VALS; i++) { - map[i] = (i * l_param) % R_BITS; - } - - // Set the increment vector such that by adding it to vmap vectors - // we will obtain the next NUM_OF_VALS elements of the map. - inc = SET1_I16((l_param * NUM_OF_VALS) % R_BITS); - vr = SET1_I16(R_BITS); - - // Load the first NUM_OF_VALS elements in the vmap vectors - for(size_t i = 0; i < NUM_ZMMS; i++) { - vmap[i] = LOAD(&map[i * WORDS_IN_ZMM]); - } - - for(size_t i = NUM_ZMMS; i < (R_PADDED / WORDS_IN_ZMM); i += NUM_ZMMS) { - for(size_t j = 0; j < NUM_ZMMS; j++) { - vmap[j] = ADD_I16(vmap[j], inc); - mask[j] = CMPM_U16(vmap[j], vr, _MM_CMPINT_NLT); - vmap[j] = MSUB_I16(vmap[j], mask[j], vmap[j], vr); - - STORE(&map[(i + j) * WORDS_IN_ZMM], vmap[j]); - } - } -} - -// Convert from bytes representation where each byte holds a single bit -// to binary representation where each byte holds 8 bits of the polynomial -_INLINE_ void bytes_to_bin(OUT pad_r_t *bin_buf, IN const uint8_t *bytes_buf) -{ - uint64_t *bin64 = (uint64_t *)bin_buf; - - __m512i first_bit_mask = SET1_I8(1); - for(size_t i = 0; i < R_QWORDS; i++) { - __m512i t = LOAD(&bytes_buf[i * BYTES_IN_ZMM]); - bin64[i] = CMPM_U8(t, first_bit_mask, _MM_CMPINT_EQ); - } -} - -// Convert from binary representation where each byte holds 8 bits -// to byte representation where each byte holds a single bit of the polynomial -_INLINE_ void bin_to_bytes(OUT uint8_t *bytes_buf, IN const pad_r_t *bin_buf) -{ - const uint64_t *bin64 = (const uint64_t *)bin_buf; - - for(size_t i = 0; i < R_QWORDS; i++) { - __m512i t = SET1MZ_I8(bin64[i], 1); - STORE(&bytes_buf[i * BYTES_IN_ZMM], t); - } -} - -// The k-squaring function computes c = a^(2^k) % (x^r - 1), -// By [1](Observation 1), if -// a = sum_{j in supp(a)} x^j, -// then -// a^(2^k) % (x^r - 1) = sum_{j in supp(a)} x^((j * 2^k) % r). -// Therefore, k-squaring can be computed as permutation of the bits of "a": -// pi0 : j --> (j * 2^k) % r. -// For improved performance, we compute the result by inverted permutation pi1: -// pi1 : (j * 2^-k) % r --> j. -// Input argument l_param is defined as the value (2^-k) % r. -void k_sqr_avx512(OUT pad_r_t *c, IN const pad_r_t *a, IN const size_t l_param) -{ - ALIGN(ALIGN_BYTES) uint16_t map[R_PADDED]; - ALIGN(ALIGN_BYTES) uint8_t a_bytes[R_PADDED]; - ALIGN(ALIGN_BYTES) uint8_t c_bytes[R_PADDED] = {0}; - - // Generate the permutation map defined by pi1 and l_param. - generate_map(map, l_param); - - bin_to_bytes(a_bytes, a); - - // Permute "a" using the generated permutation map. - for(size_t i = 0; i < R_BITS; i++) { - c_bytes[i] = a_bytes[map[i]]; - } - - bytes_to_bin(c, c_bytes); - - secure_clean(a_bytes, sizeof(a_bytes)); - secure_clean(c_bytes, sizeof(c_bytes)); -} - -#endif - -typedef int dummy_typedef_to_avoid_empty_translation_unit_warning; diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x_ksqr_portable.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x_ksqr_portable.c deleted file mode 100644 index c757687f58..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x_ksqr_portable.c +++ /dev/null @@ -1,48 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - * - * The k-squaring algorithm in this file is based on: - * [1] Nir Drucker, Shay Gueron, and Dusan Kostic. 2020. "Fast polynomial - * inversion for post quantum QC-MDPC cryptography". Cryptology ePrint Archive, - * 2020. https://eprint.iacr.org/2020/298.pdf - */ - -#include "gf2x_internal.h" -#include "utilities.h" - -#define BITS_IN_BYTE (8) - -// The k-squaring function computes c = a^(2^k) % (x^r - 1), -// By [1](Observation 1), if -// a = sum_{j in supp(a)} x^j, -// then -// a^(2^k) % (x^r - 1) = sum_{j in supp(a)} x^((j * 2^k) % r). -// Therefore, k-squaring can be computed as permutation of the bits of "a": -// pi0 : j --> (j * 2^k) % r. -// For improved performance, we compute the result by inverted permutation pi1: -// pi1 : (j * 2^-k) % r --> j. -// Input argument l_param is defined as the value (2^-k) % r. -void k_sqr_port(OUT pad_r_t *c, IN const pad_r_t *a, IN const size_t l_param) -{ - bike_memset(c->val.raw, 0, sizeof(c->val)); - - // Compute the result byte by byte - size_t idx = 0; - for(size_t i = 0; i < R_BYTES; i++) { - for(size_t j = 0; j < BITS_IN_BYTE; j++, idx++) { - // Bit of "c" at position idx is set to the value of - // the bit of "a" at position pi1(idx) = (l_param * idx) % R_BITS. - size_t pos = (l_param * idx) % R_BITS; - - size_t pos_byte = pos >> 3; - size_t pos_bit = pos & 7; - uint8_t bit = (a->val.raw[pos_byte] >> pos_bit) & 1; - - c->val.raw[i] |= (bit << j); - } - } - c->val.raw[R_BYTES - 1] &= LAST_R_BYTE_MASK; -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x_mul.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x_mul.c deleted file mode 100644 index ae1d7a510a..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x_mul.c +++ /dev/null @@ -1,113 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - */ - -#include <assert.h> - -#include "cleanup.h" -#include "gf2x.h" -#include "gf2x_internal.h" - -// The secure buffer size required for Karatsuba is computed by: -// size(n) = 3*n/2 + size(n/2) = 3*sum_{i}{n/2^i} < 3n -#define SECURE_BUFFER_QWORDS (3 * R_PADDED_QWORDS) - -// Karatsuba multiplication algorithm. -// Input arguments a and b are padded with zeros, here: -// - n: real number of digits in a and b (R_QWORDS) -// - n_padded: padded number of digits of a and b (assumed to be power of 2) -// A buffer sec_buf is used for storing temporary data between recursion calls. -// It might contain secrets, and therefore should be securely cleaned after -// completion. -_INLINE_ void karatzuba(OUT uint64_t *c, - IN const uint64_t *a, - IN const uint64_t *b, - IN const size_t qwords_len, - IN const size_t qwords_len_pad, - uint64_t * sec_buf, - IN const gf2x_ctx *ctx) -{ - if(qwords_len <= ctx->mul_base_qwords) { - ctx->mul_base(c, a, b); - return; - } - - const size_t half_qw_len = qwords_len_pad >> 1; - - // Split a and b into low and high parts of size n_padded/2 - const uint64_t *a_lo = a; - const uint64_t *b_lo = b; - const uint64_t *a_hi = &a[half_qw_len]; - const uint64_t *b_hi = &b[half_qw_len]; - - // Split c into 4 parts of size n_padded/2 (the last ptr is not needed) - uint64_t *c0 = c; - uint64_t *c1 = &c[half_qw_len]; - uint64_t *c2 = &c[half_qw_len * 2]; - - // Allocate 3 ptrs of size n_padded/2 on sec_buf - uint64_t *alah = sec_buf; - uint64_t *blbh = &sec_buf[half_qw_len]; - uint64_t *tmp = &sec_buf[half_qw_len * 2]; - - // Move sec_buf ptr to the first free location for the next recursion call - sec_buf = &sec_buf[half_qw_len * 3]; - - // Compute a_lo*b_lo and store the result in (c1|c0) - karatzuba(c0, a_lo, b_lo, half_qw_len, half_qw_len, sec_buf, ctx); - - // If the real number of digits n is less or equal to n_padded/2 then: - // a_hi = 0 and b_hi = 0 - // and - // (a_hi|a_lo)*(b_hi|b_lo) = a_lo*b_lo - // so we can skip the remaining two multiplications - if(qwords_len > half_qw_len) { - // Compute a_hi*b_hi and store the result in (c3|c2) - karatzuba(c2, a_hi, b_hi, qwords_len - half_qw_len, half_qw_len, sec_buf, - ctx); - - // Compute alah = (a_lo + a_hi) and blbh = (b_lo + b_hi) - ctx->karatzuba_add1(alah, blbh, a, b, half_qw_len); - - // Compute (c1 + c2) and store the result in tmp - ctx->karatzuba_add2(tmp, c1, c2, half_qw_len); - - // Compute alah*blbh and store the result in (c2|c1) - karatzuba(c1, alah, blbh, half_qw_len, half_qw_len, sec_buf, ctx); - - // Add (tmp|tmp) and (c3|c0) to (c2|c1) - ctx->karatzuba_add3(c0, tmp, half_qw_len); - } -} - -void gf2x_mod_mul_with_ctx(OUT pad_r_t *c, - IN const pad_r_t *a, - IN const pad_r_t *b, - IN const gf2x_ctx *ctx) -{ - bike_static_assert((R_PADDED_BYTES % 2 == 0), karatzuba_n_is_odd); - - DEFER_CLEANUP(dbl_pad_r_t t = {0}, dbl_pad_r_cleanup); - ALIGN(ALIGN_BYTES) uint64_t secure_buffer[SECURE_BUFFER_QWORDS]; - - karatzuba((uint64_t *)&t, (const uint64_t *)a, (const uint64_t *)b, R_QWORDS, - R_PADDED_QWORDS, secure_buffer, ctx); - - ctx->red(c, &t); - - secure_clean((uint8_t *)secure_buffer, sizeof(secure_buffer)); -} - -void gf2x_mod_mul(OUT pad_r_t *c, IN const pad_r_t *a, IN const pad_r_t *b) -{ - bike_static_assert((R_PADDED_BYTES % 2 == 0), karatzuba_n_is_odd); - - // Initialize gf2x methods struct - gf2x_ctx ctx = {0}; - gf2x_ctx_init(&ctx); - - gf2x_mod_mul_with_ctx(c, a, b, &ctx); -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x_mul_avx2.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x_mul_avx2.c deleted file mode 100644 index 8f9c17dc09..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x_mul_avx2.c +++ /dev/null @@ -1,109 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - */ - -#if defined(S2N_BIKE_R3_AVX2) - -#include <assert.h> - -#include "cleanup.h" -#include "gf2x_internal.h" - -#define AVX2_INTERNAL -#include "x86_64_intrinsic.h" - -void karatzuba_add1_avx2(OUT uint64_t *alah, - OUT uint64_t *blbh, - IN const uint64_t *a, - IN const uint64_t *b, - IN const size_t qwords_len) -{ - assert(qwords_len % REG_QWORDS == 0); - - REG_T va0, va1, vb0, vb1; - - for(size_t i = 0; i < qwords_len; i += REG_QWORDS) { - va0 = LOAD(&a[i]); - va1 = LOAD(&a[i + qwords_len]); - vb0 = LOAD(&b[i]); - vb1 = LOAD(&b[i + qwords_len]); - - STORE(&alah[i], va0 ^ va1); - STORE(&blbh[i], vb0 ^ vb1); - } -} - -void karatzuba_add2_avx2(OUT uint64_t *z, - IN const uint64_t *x, - IN const uint64_t *y, - IN const size_t qwords_len) -{ - assert(qwords_len % REG_QWORDS == 0); - - REG_T vx, vy; - - for(size_t i = 0; i < qwords_len; i += REG_QWORDS) { - vx = LOAD(&x[i]); - vy = LOAD(&y[i]); - - STORE(&z[i], vx ^ vy); - } -} - -void karatzuba_add3_avx2(OUT uint64_t *c, - IN const uint64_t *mid, - IN const size_t qwords_len) -{ - assert(qwords_len % REG_QWORDS == 0); - - REG_T vr0, vr1, vr2, vr3, vt; - - uint64_t *c0 = c; - uint64_t *c1 = &c[qwords_len]; - uint64_t *c2 = &c[2 * qwords_len]; - uint64_t *c3 = &c[3 * qwords_len]; - - for(size_t i = 0; i < qwords_len; i += REG_QWORDS) { - vr0 = LOAD(&c0[i]); - vr1 = LOAD(&c1[i]); - vr2 = LOAD(&c2[i]); - vr3 = LOAD(&c3[i]); - vt = LOAD(&mid[i]); - - STORE(&c1[i], vt ^ vr0 ^ vr1); - STORE(&c2[i], vt ^ vr2 ^ vr3); - } -} - -// c = a mod (x^r - 1) -void gf2x_red_avx2(OUT pad_r_t *c, IN const dbl_pad_r_t *a) -{ - const uint64_t *a64 = (const uint64_t *)a; - uint64_t * c64 = (uint64_t *)c; - - for(size_t i = 0; i < R_QWORDS; i += REG_QWORDS) { - REG_T vt0 = LOAD(&a64[i]); - REG_T vt1 = LOAD(&a64[i + R_QWORDS]); - REG_T vt2 = LOAD(&a64[i + R_QWORDS - 1]); - - vt1 = SLLI_I64(vt1, LAST_R_QWORD_TRAIL); - vt2 = SRLI_I64(vt2, LAST_R_QWORD_LEAD); - - vt0 ^= (vt1 | vt2); - - STORE(&c64[i], vt0); - } - - c64[R_QWORDS - 1] &= LAST_R_QWORD_MASK; - - // Clean the secrets from the upper part of c - secure_clean((uint8_t *)&c64[R_QWORDS], - (R_PADDED_QWORDS - R_QWORDS) * sizeof(uint64_t)); -} - -#endif - -typedef int dummy_typedef_to_avoid_empty_translation_unit_warning; diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x_mul_avx512.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x_mul_avx512.c deleted file mode 100644 index 78ce9683ad..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x_mul_avx512.c +++ /dev/null @@ -1,109 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - */ - -#if defined(S2N_BIKE_R3_AVX512) - -#include <assert.h> - -#include "cleanup.h" -#include "gf2x_internal.h" - -#define AVX512_INTERNAL -#include "x86_64_intrinsic.h" - -void karatzuba_add1_avx512(OUT uint64_t *alah, - OUT uint64_t *blbh, - IN const uint64_t *a, - IN const uint64_t *b, - IN const size_t qwords_len) -{ - assert(qwords_len % REG_QWORDS == 0); - - REG_T va0, va1, vb0, vb1; - - for(size_t i = 0; i < qwords_len; i += REG_QWORDS) { - va0 = LOAD(&a[i]); - va1 = LOAD(&a[i + qwords_len]); - vb0 = LOAD(&b[i]); - vb1 = LOAD(&b[i + qwords_len]); - - STORE(&alah[i], va0 ^ va1); - STORE(&blbh[i], vb0 ^ vb1); - } -} - -void karatzuba_add2_avx512(OUT uint64_t *z, - IN const uint64_t *x, - IN const uint64_t *y, - IN const size_t qwords_len) -{ - assert(qwords_len % REG_QWORDS == 0); - - REG_T vx, vy; - - for(size_t i = 0; i < qwords_len; i += REG_QWORDS) { - vx = LOAD(&x[i]); - vy = LOAD(&y[i]); - - STORE(&z[i], vx ^ vy); - } -} - -void karatzuba_add3_avx512(OUT uint64_t *c, - IN const uint64_t *mid, - IN const size_t qwords_len) -{ - assert(qwords_len % REG_QWORDS == 0); - - REG_T vr0, vr1, vr2, vr3, vt; - - uint64_t *c0 = c; - uint64_t *c1 = &c[qwords_len]; - uint64_t *c2 = &c[2 * qwords_len]; - uint64_t *c3 = &c[3 * qwords_len]; - - for(size_t i = 0; i < qwords_len; i += REG_QWORDS) { - vr0 = LOAD(&c0[i]); - vr1 = LOAD(&c1[i]); - vr2 = LOAD(&c2[i]); - vr3 = LOAD(&c3[i]); - vt = LOAD(&mid[i]); - - STORE(&c1[i], vt ^ vr0 ^ vr1); - STORE(&c2[i], vt ^ vr2 ^ vr3); - } -} - -// c = a mod (x^r - 1) -void gf2x_red_avx512(OUT pad_r_t *c, IN const dbl_pad_r_t *a) -{ - const uint64_t *a64 = (const uint64_t *)a; - uint64_t * c64 = (uint64_t *)c; - - for(size_t i = 0; i < R_QWORDS; i += REG_QWORDS) { - REG_T vt0 = LOAD(&a64[i]); - REG_T vt1 = LOAD(&a64[i + R_QWORDS]); - REG_T vt2 = LOAD(&a64[i + R_QWORDS - 1]); - - vt1 = SLLI_I64(vt1, LAST_R_QWORD_TRAIL); - vt2 = SRLI_I64(vt2, LAST_R_QWORD_LEAD); - - vt0 ^= (vt1 | vt2); - - STORE(&c64[i], vt0); - } - - c64[R_QWORDS - 1] &= LAST_R_QWORD_MASK; - - // Clean the secrets from the upper part of c - secure_clean((uint8_t *)&c64[R_QWORDS], - (R_PADDED_QWORDS - R_QWORDS) * sizeof(uint64_t)); -} - -#endif - -typedef int dummy_typedef_to_avoid_empty_translation_unit_warning; diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x_mul_base_pclmul.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x_mul_base_pclmul.c deleted file mode 100644 index 1d4553997c..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x_mul_base_pclmul.c +++ /dev/null @@ -1,155 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - */ - -#if defined(S2N_BIKE_R3_PCLMUL) - -#include <immintrin.h> - -#include "gf2x_internal.h" - -#define LOAD128(mem) _mm_loadu_si128((const void *)(mem)) -#define STORE128(mem, reg) _mm_storeu_si128((void *)(mem), (reg)) -#define UNPACKLO(x, y) _mm_unpacklo_epi64((x), (y)) -#define UNPACKHI(x, y) _mm_unpackhi_epi64((x), (y)) -#define CLMUL(x, y, imm) _mm_clmulepi64_si128((x), (y), (imm)) -#define BSRLI(x, imm) _mm_srli_si128((x), (imm)) -#define BSLLI(x, imm) _mm_slli_si128((x), (imm)) - -// 4x4 Karatsuba multiplication -_INLINE_ void gf2x_mul4_int(OUT __m128i c[4], - IN const __m128i a_lo, - IN const __m128i a_hi, - IN const __m128i b_lo, - IN const __m128i b_hi) -{ - // a_lo = [a1 | a0]; a_hi = [a3 | a2]; - // b_lo = [b1 | b0]; b_hi = [b3 | b2]; - // 4x4 Karatsuba requires three 2x2 multiplications: - // (1) a_lo * b_lo - // (2) a_hi * b_hi - // (3) aa * bb = (a_lo + a_hi) * (b_lo + b_hi) - // Each of the three 2x2 multiplications requires three 1x1 multiplications: - // (1) is computed by a0*b0, a1*b1, (a0+a1)*(b0+b1) - // (2) is computed by a2*b2, a3*b3, (a2+a3)*(b2+b3) - // (3) is computed by aa0*bb0, aa1*bb1, (aa0+aa1)*(bb0+bb1) - // All the required additions are performed in the end. - - __m128i aa, bb; - __m128i xx, yy, uu, vv, m; - __m128i lo[2], hi[2], mi[2]; - __m128i t[9]; - - aa = a_lo ^ a_hi; - bb = b_lo ^ b_hi; - - // xx <-- [(a2+a3) | (a0+a1)] - // yy <-- [(b2+b3) | (b0+b1)] - xx = UNPACKLO(a_lo, a_hi); - yy = UNPACKLO(b_lo, b_hi); - xx = xx ^ UNPACKHI(a_lo, a_hi); - yy = yy ^ UNPACKHI(b_lo, b_hi); - - // uu <-- [ 0 | (aa0+aa1)] - // vv <-- [ 0 | (bb0+bb1)] - uu = aa ^ BSRLI(aa, 8); - vv = bb ^ BSRLI(bb, 8); - - // 9 multiplications - t[0] = CLMUL(a_lo, b_lo, 0x00); - t[1] = CLMUL(a_lo, b_lo, 0x11); - t[2] = CLMUL(a_hi, b_hi, 0x00); - t[3] = CLMUL(a_hi, b_hi, 0x11); - t[4] = CLMUL(xx, yy, 0x00); - t[5] = CLMUL(xx, yy, 0x11); - t[6] = CLMUL(aa, bb, 0x00); - t[7] = CLMUL(aa, bb, 0x11); - t[8] = CLMUL(uu, vv, 0x00); - - t[4] ^= (t[0] ^ t[1]); - t[5] ^= (t[2] ^ t[3]); - t[8] ^= (t[6] ^ t[7]); - - lo[0] = t[0] ^ BSLLI(t[4], 8); - lo[1] = t[1] ^ BSRLI(t[4], 8); - hi[0] = t[2] ^ BSLLI(t[5], 8); - hi[1] = t[3] ^ BSRLI(t[5], 8); - mi[0] = t[6] ^ BSLLI(t[8], 8); - mi[1] = t[7] ^ BSRLI(t[8], 8); - - m = lo[1] ^ hi[0]; - - c[0] = lo[0]; - c[1] = lo[0] ^ mi[0] ^ m; - c[2] = hi[1] ^ mi[1] ^ m; - c[3] = hi[1]; -} - -// 512x512bit multiplication performed by Karatsuba algorithm -// where a and b are considered as having 8 digits of size 64 bits. -void gf2x_mul_base_pclmul(OUT uint64_t *c, - IN const uint64_t *a, - IN const uint64_t *b) -{ - __m128i va[4], vb[4]; - __m128i aa[2], bb[2]; - __m128i lo[4], hi[4], mi[4], m[2]; - - for(size_t i = 0; i < 4; i++) { - va[i] = LOAD128(&a[QWORDS_IN_XMM * i]); - vb[i] = LOAD128(&b[QWORDS_IN_XMM * i]); - } - - // Multiply the low and the high halves of a and b - // lo <-- a_lo * b_lo - // hi <-- a_hi * b_hi - gf2x_mul4_int(lo, va[0], va[1], vb[0], vb[1]); - gf2x_mul4_int(hi, va[2], va[3], vb[2], vb[3]); - - // Compute the middle multiplication - // aa <-- a_lo + a_hi - // bb <-- b_lo + b_hi - // mi <-- aa * bb - aa[0] = va[0] ^ va[2]; - aa[1] = va[1] ^ va[3]; - bb[0] = vb[0] ^ vb[2]; - bb[1] = vb[1] ^ vb[3]; - gf2x_mul4_int(mi, aa[0], aa[1], bb[0], bb[1]); - - m[0] = lo[2] ^ hi[0]; - m[1] = lo[3] ^ hi[1]; - - STORE128(&c[0 * QWORDS_IN_XMM], lo[0]); - STORE128(&c[1 * QWORDS_IN_XMM], lo[1]); - STORE128(&c[2 * QWORDS_IN_XMM], mi[0] ^ lo[0] ^ m[0]); - STORE128(&c[3 * QWORDS_IN_XMM], mi[1] ^ lo[1] ^ m[1]); - STORE128(&c[4 * QWORDS_IN_XMM], mi[2] ^ hi[2] ^ m[0]); - STORE128(&c[5 * QWORDS_IN_XMM], mi[3] ^ hi[3] ^ m[1]); - STORE128(&c[6 * QWORDS_IN_XMM], hi[2]); - STORE128(&c[7 * QWORDS_IN_XMM], hi[3]); -} - -void gf2x_sqr_pclmul(OUT dbl_pad_r_t *c, IN const pad_r_t *a) -{ - __m128i va, vr0, vr1; - - const uint64_t *a64 = (const uint64_t *)a; - uint64_t * c64 = (uint64_t *)c; - - for(size_t i = 0; i < (R_XMM * QWORDS_IN_XMM); i += QWORDS_IN_XMM) { - va = LOAD128(&a64[i]); - - vr0 = CLMUL(va, va, 0x00); - vr1 = CLMUL(va, va, 0x11); - - STORE128(&c64[i * 2], vr0); - STORE128(&c64[i * 2 + QWORDS_IN_XMM], vr1); - } -} - -#endif - -typedef int dummy_typedef_to_avoid_empty_translation_unit_warning; diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x_mul_base_portable.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x_mul_base_portable.c deleted file mode 100644 index 86c21a1e28..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x_mul_base_portable.c +++ /dev/null @@ -1,77 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - */ - -#include "gf2x_internal.h" -#include "utilities.h" - -#define LSB3(x) ((x)&7) - -// 64x64 bit multiplication -// The algorithm is based on the windowing method, for example as in: -// Brent, R. P., Gaudry, P., Thomé, E., & Zimmermann, P. (2008, May), "Faster -// multiplication in GF (2)[x]". In: International Algorithmic Number Theory -// Symposium (pp. 153-166). Springer, Berlin, Heidelberg. In this implementation, -// the last three bits are multiplied using a schoolbook multiplication. -void gf2x_mul_base_port(OUT uint64_t *c, - IN const uint64_t *a, - IN const uint64_t *b) -{ - uint64_t h = 0, l = 0, g1, g2, u[8]; - const uint64_t w = 64; - const uint64_t s = 3; - const uint64_t a0 = a[0]; - const uint64_t b0 = b[0]; - - // Multiplying 64 bits by 7 can results in an overflow of 3 bits. - // Therefore, these bits are masked out, and are treated in step 3. - const uint64_t b0m = b0 & MASK(61); - - // Step 1: Calculate a multiplication table with 8 entries. - u[0] = 0; - u[1] = b0m; - u[2] = u[1] << 1; - u[3] = u[2] ^ b0m; - u[4] = u[2] << 1; - u[5] = u[4] ^ b0m; - u[6] = u[3] << 1; - u[7] = u[6] ^ b0m; - - // Step 2: Multiply two elements in parallel in positions i, i+s - l = u[LSB3(a0)] ^ (u[LSB3(a0 >> 3)] << 3); - h = (u[LSB3(a0 >> 3)] >> 61); - - for(size_t i = (2 * s); i < w; i += (2 * s)) { - const size_t i2 = (i + s); - - g1 = u[LSB3(a0 >> i)]; - g2 = u[LSB3(a0 >> i2)]; - - l ^= (g1 << i) ^ (g2 << i2); - h ^= (g1 >> (w - i)) ^ (g2 >> (w - i2)); - } - - // Step 3: Multiply the last three bits. - for(size_t i = 61; i < 64; i++) { - uint64_t mask = (-((b0 >> i) & 1)); - l ^= ((a0 << i) & mask); - h ^= ((a0 >> (w - i)) & mask); - } - - c[0] = l; - c[1] = h; -} - -// c = a^2 -void gf2x_sqr_port(OUT dbl_pad_r_t *c, IN const pad_r_t *a) -{ - const uint64_t *a64 = (const uint64_t *)a; - uint64_t * c64 = (uint64_t *)c; - - for(size_t i = 0; i < R_QWORDS; i++) { - gf2x_mul_base_port(&c64[2 * i], &a64[i], &a64[i]); - } -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x_mul_base_vpclmul.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x_mul_base_vpclmul.c deleted file mode 100644 index c321bf355f..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x_mul_base_vpclmul.c +++ /dev/null @@ -1,135 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - */ - -#if defined(S2N_BIKE_R3_VPCLMUL) - -#include "gf2x_internal.h" - -#define AVX512_INTERNAL -#include "x86_64_intrinsic.h" - -#define CLMUL(x, y, imm) _mm512_clmulepi64_epi128((x), (y), (imm)) - -_INLINE_ void -mul2_512(OUT __m512i *h, OUT __m512i *l, IN const __m512i a, IN const __m512i b) -{ - const __m512i mask_abq = SET_I64(6, 7, 4, 5, 2, 3, 0, 1); - const __m512i s1 = a ^ PERMX_I64(a, _MM_SHUFFLE(2, 3, 0, 1)); - const __m512i s2 = b ^ PERMX_I64(b, _MM_SHUFFLE(2, 3, 0, 1)); - - __m512i lq = CLMUL(a, b, 0x00); - __m512i hq = CLMUL(a, b, 0x11); - __m512i abq = lq ^ hq ^ CLMUL(s1, s2, 0x00); - abq = PERMXVAR_I64(mask_abq, abq); - *l = MXOR_I64(lq, 0xaa, lq, abq); - *h = MXOR_I64(hq, 0x55, hq, abq); -} - -// 8x8 Karatsuba multiplication -_INLINE_ void gf2x_mul8_512_int(OUT __m512i *zh, - OUT __m512i * zl, - IN const __m512i a, - IN const __m512i b) -{ - const __m512i mask0 = SET_I64(13, 12, 5, 4, 9, 8, 1, 0); - const __m512i mask1 = SET_I64(15, 14, 7, 6, 11, 10, 3, 2); - const __m512i mask2 = SET_I64(3, 2, 1, 0, 7, 6, 5, 4); - const __m512i mask3 = SET_I64(11, 10, 9, 8, 3, 2, 1, 0); - const __m512i mask4 = SET_I64(15, 14, 13, 12, 7, 6, 5, 4); - const __m512i mask_s1 = SET_I64(7, 6, 5, 4, 1, 0, 3, 2); - const __m512i mask_s2 = SET_I64(3, 2, 7, 6, 5, 4, 1, 0); - - __m512i xl, xh, xabl, xabh, xab, xab1, xab2; - __m512i yl, yh, yabl, yabh, yab; - __m512i t[4]; - - // Calculate: - // AX1^AX3|| AX2^AX3 || AX0^AX2 || AX0^AX1 - // BX1^BX3|| BX2^BX3 || BX0^BX2 || BX0^BX1 - // Where (AX1^AX3 || AX0^AX2) stands for (AX1 || AX0)^(AX3 || AX2) = AY0^AY1 - t[0] = PERMXVAR_I64(mask_s1, a) ^ PERMXVAR_I64(mask_s2, a); - t[1] = PERMXVAR_I64(mask_s1, b) ^ PERMXVAR_I64(mask_s2, b); - - // Calculate: - // Don't care || AX1^AX3^AX0^AX2 - // Don't care || BX1^BX3^BX0^BX2 - t[2] = t[0] ^ VALIGN(t[0], t[0], 4); - t[3] = t[1] ^ VALIGN(t[1], t[1], 4); - - mul2_512(&xh, &xl, a, b); - mul2_512(&xabh, &xabl, t[0], t[1]); - mul2_512(&yabh, &yabl, t[2], t[3]); - - xab = xl ^ xh ^ PERMX2VAR_I64(xabl, mask0, xabh); - yl = PERMX2VAR_I64(xl, mask3, xh); - yh = PERMX2VAR_I64(xl, mask4, xh); - xab1 = VALIGN(xab, xab, 6); - xab2 = VALIGN(xab, xab, 2); - yl = MXOR_I64(yl, 0x3c, yl, xab1); - yh = MXOR_I64(yh, 0x3c, yh, xab2); - - __m512i oxh = PERMX2VAR_I64(xabl, mask1, xabh); - __m512i oxl = VALIGN(oxh, oxh, 4); - yab = oxl ^ oxh ^ PERMX2VAR_I64(yabl, mask0, yabh); - yab = MXOR_I64(oxh, 0x3c, oxh, VALIGN(yab, yab, 2)); - yab ^= yl ^ yh; - - // Z0 (yl) + Z1 (yab) + Z2 (yh) - yab = PERMXVAR_I64(mask2, yab); - *zl = MXOR_I64(yl, 0xf0, yl, yab); - *zh = MXOR_I64(yh, 0x0f, yh, yab); -} - -// 1024x1024 bit multiplication performed by Karatsuba algorithm. -// Here, a and b are considered as having 16 digits of size 64 bits. -void gf2x_mul_base_vpclmul(OUT uint64_t *c, - IN const uint64_t *a, - IN const uint64_t *b) -{ - const __m512i a0 = LOAD(a); - const __m512i a1 = LOAD(&a[QWORDS_IN_ZMM]); - const __m512i b0 = LOAD(b); - const __m512i b1 = LOAD(&b[QWORDS_IN_ZMM]); - - __m512i hi[2], lo[2], mi[2]; - - gf2x_mul8_512_int(&lo[1], &lo[0], a0, b0); - gf2x_mul8_512_int(&hi[1], &hi[0], a1, b1); - gf2x_mul8_512_int(&mi[1], &mi[0], a0 ^ a1, b0 ^ b1); - - __m512i m = lo[1] ^ hi[0]; - - STORE(&c[0 * QWORDS_IN_ZMM], lo[0]); - STORE(&c[1 * QWORDS_IN_ZMM], mi[0] ^ lo[0] ^ m); - STORE(&c[2 * QWORDS_IN_ZMM], mi[1] ^ hi[1] ^ m); - STORE(&c[3 * QWORDS_IN_ZMM], hi[1]); -} - -void gf2x_sqr_vpclmul(OUT dbl_pad_r_t *c, IN const pad_r_t *a) -{ - __m512i va, vm, vr0, vr1; - - const uint64_t *a64 = (const uint64_t *)a; - uint64_t * c64 = (uint64_t *)c; - - vm = SET_I64(7, 3, 6, 2, 5, 1, 4, 0); - - for(size_t i = 0; i < (R_ZMM * QWORDS_IN_ZMM); i += QWORDS_IN_ZMM) { - va = LOAD(&a64[i]); - va = PERMXVAR_I64(vm, va); - - vr0 = CLMUL(va, va, 0x00); - vr1 = CLMUL(va, va, 0x11); - - STORE(&c64[i * 2], vr0); - STORE(&c64[i * 2 + QWORDS_IN_ZMM], vr1); - } -} - -#endif - -typedef int dummy_typedef_to_avoid_empty_translation_unit_warning; diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x_mul_portable.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x_mul_portable.c deleted file mode 100644 index 187042d44c..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/gf2x_mul_portable.c +++ /dev/null @@ -1,103 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - */ - -#include <assert.h> - -#include "cleanup.h" -#include "gf2x_internal.h" - -#define PORTABLE_INTERNAL -#include "x86_64_intrinsic.h" - -void karatzuba_add1_port(OUT uint64_t *alah, - OUT uint64_t *blbh, - IN const uint64_t *a, - IN const uint64_t *b, - IN const size_t qwords_len) -{ - assert(qwords_len % REG_QWORDS == 0); - - REG_T va0, va1, vb0, vb1; - - for(size_t i = 0; i < qwords_len; i += REG_QWORDS) { - va0 = LOAD(&a[i]); - va1 = LOAD(&a[i + qwords_len]); - vb0 = LOAD(&b[i]); - vb1 = LOAD(&b[i + qwords_len]); - - STORE(&alah[i], va0 ^ va1); - STORE(&blbh[i], vb0 ^ vb1); - } -} - -void karatzuba_add2_port(OUT uint64_t *z, - IN const uint64_t *x, - IN const uint64_t *y, - IN const size_t qwords_len) -{ - assert(qwords_len % REG_QWORDS == 0); - - REG_T vx, vy; - - for(size_t i = 0; i < qwords_len; i += REG_QWORDS) { - vx = LOAD(&x[i]); - vy = LOAD(&y[i]); - - STORE(&z[i], vx ^ vy); - } -} - -void karatzuba_add3_port(OUT uint64_t *c, - IN const uint64_t *mid, - IN const size_t qwords_len) -{ - assert(qwords_len % REG_QWORDS == 0); - - REG_T vr0, vr1, vr2, vr3, vt; - - uint64_t *c0 = c; - uint64_t *c1 = &c[qwords_len]; - uint64_t *c2 = &c[2 * qwords_len]; - uint64_t *c3 = &c[3 * qwords_len]; - - for(size_t i = 0; i < qwords_len; i += REG_QWORDS) { - vr0 = LOAD(&c0[i]); - vr1 = LOAD(&c1[i]); - vr2 = LOAD(&c2[i]); - vr3 = LOAD(&c3[i]); - vt = LOAD(&mid[i]); - - STORE(&c1[i], vt ^ vr0 ^ vr1); - STORE(&c2[i], vt ^ vr2 ^ vr3); - } -} - -// c = a mod (x^r - 1) -void gf2x_red_port(OUT pad_r_t *c, IN const dbl_pad_r_t *a) -{ - const uint64_t *a64 = (const uint64_t *)a; - uint64_t * c64 = (uint64_t *)c; - - for(size_t i = 0; i < R_QWORDS; i += REG_QWORDS) { - REG_T vt0 = LOAD(&a64[i]); - REG_T vt1 = LOAD(&a64[i + R_QWORDS]); - REG_T vt2 = LOAD(&a64[i + R_QWORDS - 1]); - - vt1 = SLLI_I64(vt1, LAST_R_QWORD_TRAIL); - vt2 = SRLI_I64(vt2, LAST_R_QWORD_LEAD); - - vt0 ^= (vt1 | vt2); - - STORE(&c64[i], vt0); - } - - c64[R_QWORDS - 1] &= LAST_R_QWORD_MASK; - - // Clean the secrets from the upper part of c - secure_clean((uint8_t *)&c64[R_QWORDS], - (R_PADDED_QWORDS - R_QWORDS) * sizeof(uint64_t)); -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/sampling.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/sampling.c deleted file mode 100644 index a76a31ef87..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/sampling.c +++ /dev/null @@ -1,170 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - */ - -#include <assert.h> - -#include "sampling.h" -#include "sampling_internal.h" - -// SIMD implementation of is_new function requires the size of wlist -// to be a multiple of the number of DWORDS in a SIMD register (REG_DWORDS). -// The function is used both for generating DV and T1 random numbers so we define -// two separate macros. -#define AVX512_REG_DWORDS (16) -#define WLIST_SIZE_ADJUSTED_D \ - (AVX512_REG_DWORDS * DIVIDE_AND_CEIL(DV, AVX512_REG_DWORDS)) -#define WLIST_SIZE_ADJUSTED_T \ - (AVX512_REG_DWORDS * DIVIDE_AND_CEIL(T1, AVX512_REG_DWORDS)) - -// BSR returns ceil(log2(val)) -_INLINE_ uint8_t bit_scan_reverse_vartime(IN uint64_t val) -{ - // index is always smaller than 64 - uint8_t index = 0; - - while(val != 0) { - val >>= 1; - index++; - } - - return index; -} - -_INLINE_ ret_t get_rand_mod_len(OUT uint32_t * rand_pos, - IN const uint32_t len, - IN OUT aes_ctr_prf_state_t *prf_state) -{ - const uint64_t mask = MASK(bit_scan_reverse_vartime(len)); - - do { - // Generate a 32 bits (pseudo) random value. - // This can be optimized to take only 16 bits. - POSIX_GUARD(aes_ctr_prf((uint8_t *)rand_pos, prf_state, sizeof(*rand_pos))); - - // Mask relevant bits only - (*rand_pos) &= mask; - - // Break if a number that is smaller than len is found - if((*rand_pos) < len) { - break; - } - - } while(1 == 1); - - return SUCCESS; -} - -_INLINE_ void make_odd_weight(IN OUT r_t *r) -{ - if(((r_bits_vector_weight(r) % 2) == 1)) { - // Already odd - return; - } - - r->raw[0] ^= 1; -} - -// Returns an array of r pseudorandom bits. -// No restrictions exist for the top or bottom bits. -// If the generation requires an odd number, then set must_be_odd=1. -// The function uses the provided prf context. -ret_t sample_uniform_r_bits_with_fixed_prf_context( - OUT r_t *r, - IN OUT aes_ctr_prf_state_t *prf_state, - IN const must_be_odd_t must_be_odd) -{ - // Generate random data - POSIX_GUARD(aes_ctr_prf(r->raw, prf_state, R_BYTES)); - - // Mask upper bits of the MSByte - r->raw[R_BYTES - 1] &= MASK(R_BITS + 8 - (R_BYTES * 8)); - - if(must_be_odd == MUST_BE_ODD) { - make_odd_weight(r); - } - - return SUCCESS; -} - -ret_t generate_indices_mod_z(OUT idx_t * out, - IN const size_t num_indices, - IN const size_t z, - IN OUT aes_ctr_prf_state_t *prf_state, - IN const sampling_ctx *ctx) -{ - size_t ctr = 0; - - // Generate num_indices unique (pseudo) random numbers modulo z - do { - POSIX_GUARD(get_rand_mod_len(&out[ctr], z, prf_state)); - ctr += ctx->is_new(out, ctr); - } while(ctr < num_indices); - - return SUCCESS; -} - -// Returns an array of r pseudorandom bits. -// No restrictions exist for the top or bottom bits. -// If the generation requires an odd number, then set must_be_odd = MUST_BE_ODD -ret_t sample_uniform_r_bits(OUT r_t *r, - IN const seed_t * seed, - IN const must_be_odd_t must_be_odd) -{ - // For the seedexpander - DEFER_CLEANUP(aes_ctr_prf_state_t prf_state = {0}, aes_ctr_prf_state_cleanup); - - POSIX_GUARD(init_aes_ctr_prf_state(&prf_state, MAX_AES_INVOKATION, seed)); - - POSIX_GUARD(sample_uniform_r_bits_with_fixed_prf_context(r, &prf_state, must_be_odd)); - - return SUCCESS; -} - -ret_t generate_sparse_rep(OUT pad_r_t *r, - OUT idx_t *wlist, - IN OUT aes_ctr_prf_state_t *prf_state) -{ - - // Initialize the sampling context - sampling_ctx ctx; - sampling_ctx_init(&ctx); - - idx_t wlist_temp[WLIST_SIZE_ADJUSTED_D] = {0}; - - POSIX_GUARD(generate_indices_mod_z(wlist_temp, DV, R_BITS, prf_state, &ctx)); - - bike_memcpy(wlist, wlist_temp, DV * sizeof(idx_t)); - ctx.secure_set_bits(r, 0, wlist, DV); - - return SUCCESS; -} - -ret_t generate_error_vector(OUT pad_e_t *e, IN const seed_t *seed) -{ - DEFER_CLEANUP(aes_ctr_prf_state_t prf_state = {0}, aes_ctr_prf_state_cleanup); - - POSIX_GUARD(init_aes_ctr_prf_state(&prf_state, MAX_AES_INVOKATION, seed)); - - // Initialize the sampling context - sampling_ctx ctx; - sampling_ctx_init(&ctx); - - idx_t wlist[WLIST_SIZE_ADJUSTED_T] = {0}; - POSIX_GUARD(generate_indices_mod_z(wlist, T1, N_BITS, &prf_state, &ctx)); - - // (e0, e1) hold bits 0..R_BITS-1 and R_BITS..2*R_BITS-1 of the error, resp. - ctx.secure_set_bits(&e->val[0], 0, wlist, T1); - ctx.secure_set_bits(&e->val[1], R_BITS, wlist, T1); - - // Clean the padding of the elements - PE0_RAW(e)[R_BYTES - 1] &= LAST_R_BYTE_MASK; - PE1_RAW(e)[R_BYTES - 1] &= LAST_R_BYTE_MASK; - bike_memset(&PE0_RAW(e)[R_BYTES], 0, R_PADDED_BYTES - R_BYTES); - bike_memset(&PE1_RAW(e)[R_BYTES], 0, R_PADDED_BYTES - R_BYTES); - - return SUCCESS; -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/sampling.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/sampling.h deleted file mode 100644 index a9d50c9bc2..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/sampling.h +++ /dev/null @@ -1,40 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - */ - -#pragma once - -#include <stdlib.h> -#include "aes_ctr_prf.h" -#include "pq-crypto/s2n_pq_random.h" -#include "utils/s2n_result.h" -#include "utilities.h" - -typedef enum -{ - NO_RESTRICTION = 0, - MUST_BE_ODD = 1 -} must_be_odd_t; - -_INLINE_ ret_t get_seeds(OUT seeds_t *seeds) { - if(s2n_result_is_ok(s2n_get_random_bytes(seeds->seed[0].raw, sizeof(seeds_t)))) { - return SUCCESS; - } else { - BIKE_ERROR(E_FAIL_TO_GET_SEED); - } -} - -// Returns an array of r pseudorandom bits. If an odd -// weight of r is required, set must_be_odd to MUST_BE_ODD. -ret_t sample_uniform_r_bits(OUT r_t *r, - IN const seed_t *seed, - IN must_be_odd_t must_be_odd); - -ret_t generate_sparse_rep(OUT pad_r_t *r, - OUT idx_t *wlist, - IN OUT aes_ctr_prf_state_t *prf_state); - -ret_t generate_error_vector(OUT pad_e_t *e, IN const seed_t *seed); diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/sampling_avx2.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/sampling_avx2.c deleted file mode 100644 index c23be2e86e..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/sampling_avx2.c +++ /dev/null @@ -1,123 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - */ - -#if defined(S2N_BIKE_R3_AVX2) - -#include <assert.h> - -#include "sampling_internal.h" - -#define AVX2_INTERNAL -#include "x86_64_intrinsic.h" - -// For improved performance, we process NUM_YMMS amount of data in parallel. -#define NUM_YMMS (4) -#define YMMS_QWORDS (QWORDS_IN_YMM * NUM_YMMS) - -void secure_set_bits_avx2(OUT pad_r_t * r, - IN const size_t first_pos, - IN const idx_t *wlist, - IN const size_t w_size) -{ - // The function assumes that the size of r is a multiple - // of the cumulative size of used YMM registers. - assert((sizeof(*r) / sizeof(uint64_t)) % YMMS_QWORDS == 0); - - // va vectors hold the bits of the output array "r" - // va_pos_qw vectors hold the qw position indices of "r" - // The algorithm works as follows: - // 1. Initialize va_pos_qw with starting positions of qw's of "r" - // va_pos_qw = (3, 2, 1, 0); - // 2. While the size of "r" is not exceeded: - // 3. For each w in wlist: - // 4. Compare the pos_qw of w with positions in va_pos_qw - // and for the position which is equal set the appropriate - // bit in va vector. - // 5. Set va_pos_qw to the next qw positions of "r" - __m256i va[NUM_YMMS], va_pos_qw[NUM_YMMS], va_mask; - __m256i w_pos_qw, w_pos_bit; - __m256i one, inc; - - uint64_t *r64 = (uint64_t *)r; - - one = SET1_I64(1); - inc = SET1_I64(QWORDS_IN_YMM); - - // 1. Initialize - va_pos_qw[0] = SET_I64(3, 2, 1, 0); - for(size_t i = 1; i < NUM_YMMS; i++) { - va_pos_qw[i] = ADD_I64(va_pos_qw[i - 1], inc); - } - - // va_pos_qw vectors hold qw positions 0 .. (NUM_YMMS * QWORDS_IN_YMM - 1) - // Therefore, we set the increment vector inc such that by adding it to - // va_pos_qw vectors, they hold the next YMM_QWORDS qw positions. - inc = SET1_I64(YMMS_QWORDS); - - for(size_t i = 0; i < (sizeof(*r) / sizeof(uint64_t)); i += YMMS_QWORDS) { - for(size_t va_iter = 0; va_iter < NUM_YMMS; va_iter++) { - va[va_iter] = SET_ZERO; - } - - for(size_t w_iter = 0; w_iter < w_size; w_iter++) { - int32_t w = wlist[w_iter] - first_pos; - w_pos_qw = SET1_I64(w >> 6); - w_pos_bit = SLLI_I64(one, w & MASK(6)); - - // 4. Compare the positions in va_pos_qw with w_pos_qw - // and set the appropriate bit in va - for(size_t va_iter = 0; va_iter < NUM_YMMS; va_iter++) { - va_mask = CMPEQ_I64(va_pos_qw[va_iter], w_pos_qw); - va[va_iter] |= (va_mask & w_pos_bit); - } - } - - // 5. Set the va_pos_qw to the next qw positions of r - // and store the previously computed data in r - for(size_t va_iter = 0; va_iter < NUM_YMMS; va_iter++) { - STORE(&r64[i + (va_iter * QWORDS_IN_YMM)], va[va_iter]); - va_pos_qw[va_iter] = ADD_I64(va_pos_qw[va_iter], inc); - } - } -} - -int is_new_avx2(IN const idx_t *wlist, IN const size_t ctr) -{ - bike_static_assert((sizeof(idx_t) == sizeof(uint32_t)), idx_t_is_not_uint32_t); - - REG_T idx_ctr = SET1_I32(wlist[ctr]); - - for(size_t i = 0; i < ctr; i += REG_DWORDS) { - // Comparisons are done with SIMD instructions with each SIMD register - // containing REG_DWORDS elements. We compare registers element-wise: - // idx_ctr = {8 repetitions of wlist[ctr]}, with - // idx_cur = {8 consecutive elements from wlist}. - // In the last iteration we consider wlist elements only up to ctr. - - REG_T idx_cur = LOAD(&wlist[i]); - REG_T cmp_res = CMPEQ_I32(idx_ctr, idx_cur); - uint32_t check = MOVEMASK(cmp_res); - - // Handle the last iteration by appropriate masking. - if(ctr < (i + REG_DWORDS)) { - // MOVEMASK instruction in AVX2 compares corresponding bytes from - // two given vector registers and produces a 32-bit mask. On the other hand, - // we compare idx_t elements, not bytes, so we multiply by sizeof(idx_t). - check &= MASK((ctr - i) * sizeof(idx_t)); - } - - if(check != 0) { - return 0; - } - } - - return 1; -} - -#endif - -typedef int dummy_typedef_to_avoid_empty_translation_unit_warning; diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/sampling_avx512.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/sampling_avx512.c deleted file mode 100644 index 6cab4cffea..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/sampling_avx512.c +++ /dev/null @@ -1,123 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - */ - -#if defined(S2N_BIKE_R3_AVX512) - -#include <assert.h> - -#include "sampling_internal.h" - -#define AVX512_INTERNAL -#include "x86_64_intrinsic.h" - -// For improved performance, we process NUM_ZMMS amount of data in parallel. -#define NUM_ZMMS (8) -#define ZMMS_QWORDS (QWORDS_IN_ZMM * NUM_ZMMS) - -void secure_set_bits_avx512(OUT pad_r_t * r, - IN const size_t first_pos, - IN const idx_t *wlist, - IN const size_t w_size) -{ - // The function assumes that the size of r is a multiple - // of the cumulative size of used ZMM registers. - assert((sizeof(*r) / sizeof(uint64_t)) % ZMMS_QWORDS == 0); - - // va vectors hold the bits of the output array "r" - // va_pos_qw vectors hold the qw position indices of "r" - // The algorithm works as follows: - // 1. Initialize va_pos_qw with starting positions of qw's of "r" - // va_pos_qw = (7, 6, 5, 4, 3, 2, 1, 0); - // 2. While the size of "r" is not exceeded: - // 3. For each w in wlist: - // 4. Compare the pos_qw of w with positions in va_pos_qw - // and for the position which is equal set the appropriate - // bit in va vector. - // 5. Set va_pos_qw to the next qw positions of "r" - __m512i va[NUM_ZMMS], va_pos_qw[NUM_ZMMS]; - __m512i w_pos_qw, w_pos_bit, one, inc; - __mmask8 va_mask; - - uint64_t *r64 = (uint64_t *)r; - - one = SET1_I64(1); - inc = SET1_I64(QWORDS_IN_ZMM); - - // 1. Initialize - va_pos_qw[0] = SET_I64(7, 6, 5, 4, 3, 2, 1, 0); - for(size_t i = 1; i < NUM_ZMMS; i++) { - va_pos_qw[i] = ADD_I64(va_pos_qw[i - 1], inc); - } - - // va_pos_qw vectors hold qw positions 0 .. (NUM_ZMMS * QWORDS_IN_ZMM - 1) - // Therefore, we set the increment vector inc such that by adding it to - // va_pos_qw vectors they hold the next ZMMS_QWORDS qw positions. - inc = SET1_I64(ZMMS_QWORDS); - - for(size_t i = 0; i < (sizeof(*r) / sizeof(uint64_t)); i += ZMMS_QWORDS) { - for(size_t va_iter = 0; va_iter < NUM_ZMMS; va_iter++) { - va[va_iter] = SET_ZERO; - } - - for(size_t w_iter = 0; w_iter < w_size; w_iter++) { - int32_t w = wlist[w_iter] - first_pos; - w_pos_qw = SET1_I64(w >> 6); -#if (defined(__GNUC__) && ((__GNUC__ == 6) || (__GNUC__ == 5)) && !defined(__clang__)) || (defined(__clang__) && __clang_major__ == 3 && __clang_minor__ == 9) - // Workaround for gcc-6, gcc-5, and clang < 3.9, which do not allowing the second - // argument of SLLI to be non-immediate value. - __m512i temp = SET1_I64(w & MASK(6)); - w_pos_bit = SLLV_I64(one, temp); -#else - w_pos_bit = SLLI_I64(one, w & MASK(6)); -#endif - - // 4. Compare the positions in va_pos_qw with w_pos_qw - // and set the appropriate bit in va - for(size_t va_iter = 0; va_iter < NUM_ZMMS; va_iter++) { - va_mask = CMPMEQ_I64(va_pos_qw[va_iter], w_pos_qw); - va[va_iter] = MOR_I64(va[va_iter], va_mask, va[va_iter], w_pos_bit); - } - } - - // 5. Set the va_pos_qw to the next qw positions of r - // and store the previously computed data in r - for(size_t va_iter = 0; va_iter < NUM_ZMMS; va_iter++) { - STORE(&r64[i + (va_iter * QWORDS_IN_ZMM)], va[va_iter]); - va_pos_qw[va_iter] = ADD_I64(va_pos_qw[va_iter], inc); - } - } -} - -int is_new_avx512(IN const idx_t *wlist, IN const size_t ctr) -{ - bike_static_assert((sizeof(idx_t) == sizeof(uint32_t)), idx_t_is_not_uint32_t); - - REG_T idx_ctr = SET1_I32(wlist[ctr]); - - for(size_t i = 0; i < ctr; i += REG_DWORDS) { - // Comparisons are done with SIMD instructions with each SIMD register - // containing REG_DWORDS elements. We compare registers element-wise: - // idx_ctr = {8 repetitions of wlist[ctr]}, with - // idx_cur = {8 consecutive elements from wlist}. - // In the last iteration we consider wlist elements only up to ctr. - - REG_T idx_cur = LOAD(&wlist[i]); - - uint16_t mask = (ctr < (i + REG_DWORDS)) ? MASK(ctr - i) : 0xffff; - uint16_t check = MCMPMEQ_I32(mask, idx_ctr, idx_cur); - - if(check != 0) { - return 0; - } - } - - return 1; -} - -#endif - -typedef int dummy_typedef_to_avoid_empty_translation_unit_warning; diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/sampling_internal.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/sampling_internal.h deleted file mode 100644 index 3fd68354f2..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/sampling_internal.h +++ /dev/null @@ -1,66 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - */ - -#pragma once - -#include "pq-crypto/s2n_pq.h" -#include "defs.h" -#include "types.h" - -void secure_set_bits_port(OUT pad_r_t *r, - IN size_t first_pos, - IN const idx_t *wlist, - IN size_t w_size); - -// Compares wlist[ctr] to w[i] for all i < ctr. -// Returns 0 if wlist[ctr] is contained in wlist, returns 1 otherwise. -int is_new_port(IN const idx_t *wlist, IN const size_t ctr); - -#if defined(S2N_BIKE_R3_AVX2) -void secure_set_bits_avx2(OUT pad_r_t *r, - IN size_t first_pos, - IN const idx_t *wlist, - IN size_t w_size); - -int is_new_avx2(IN const idx_t *wlist, IN const size_t ctr); -#endif - -#if defined(S2N_BIKE_R3_AVX512) -void secure_set_bits_avx512(OUT pad_r_t *r, - IN size_t first_pos, - IN const idx_t *wlist, - IN size_t w_size); -int is_new_avx512(IN const idx_t *wlist, IN const size_t ctr); -#endif - -typedef struct sampling_ctx_st { - void (*secure_set_bits)(OUT pad_r_t *r, - IN size_t first_pos, - IN const idx_t *wlist, - IN size_t w_size); - int (*is_new)(IN const idx_t *wlist, IN const size_t ctr); -} sampling_ctx; - -_INLINE_ void sampling_ctx_init(sampling_ctx *ctx) -{ -#if defined(S2N_BIKE_R3_AVX512) - if(s2n_bike_r3_is_avx512_enabled()) { - ctx->secure_set_bits = secure_set_bits_avx512; - ctx->is_new = is_new_avx512; - } else -#endif -#if defined(S2N_BIKE_R3_AVX2) - if(s2n_bike_r3_is_avx2_enabled()) { - ctx->secure_set_bits = secure_set_bits_avx2; - ctx->is_new = is_new_avx2; - } else -#endif - { - ctx->secure_set_bits = secure_set_bits_port; - ctx->is_new = is_new_port; - } -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/sampling_portable.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/sampling_portable.c deleted file mode 100644 index b670730f0a..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/sampling_portable.c +++ /dev/null @@ -1,60 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - */ - -#include <assert.h> - -#include "sampling_internal.h" -#include "utilities.h" - -#define MAX_WLIST_SIZE (T1 > DV ? T1 : DV) - -void secure_set_bits_port(OUT pad_r_t * r, - IN const size_t first_pos, - IN const idx_t *wlist, - IN const size_t w_size) -{ - assert(w_size <= MAX_WLIST_SIZE); - - // Ideally we would like to cast r.val but it is not guaranteed to be aligned - // as the entire pad_r_t structure. Thus, we assert that the position of val - // is at the beginning of r. - bike_static_assert(offsetof(pad_r_t, val) == 0, val_wrong_pos_in_pad_r_t); - uint64_t *a64 = (uint64_t *)r; - uint64_t val, mask; - - // The size of wlist can be either DV or T. So, we set it to max(D, T) - size_t pos_qw[MAX_WLIST_SIZE]; - size_t pos_bit[MAX_WLIST_SIZE]; - - // Identify the QW position of every value, and the bit position inside this QW. - for(size_t i = 0; i < w_size; i++) { - int32_t w = wlist[i] - first_pos; - pos_qw[i] = w >> 6; - pos_bit[i] = BIT(w & MASK(6)); - } - - // Fill each QW in constant time - for(size_t i = 0; i < (sizeof(*r) / sizeof(uint64_t)); i++) { - val = 0; - for(size_t j = 0; j < w_size; j++) { - mask = (-1ULL) + (!secure_cmp32(pos_qw[j], i)); - val |= (pos_bit[j] & mask); - } - a64[i] = val; - } -} - -int is_new_port(IN const idx_t *wlist, IN const size_t ctr) -{ - for(size_t i = 0; i < ctr; i++) { - if(wlist[i] == wlist[ctr]) { - return 0; - } - } - - return 1; -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/sha.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/sha.h deleted file mode 100644 index 1857d6e638..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/sha.h +++ /dev/null @@ -1,43 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - */ - -#pragma once - -#include "cleanup.h" -#include "error.h" -#include "types.h" -#include "utilities.h" - -#include <openssl/sha.h> - -#define SHA384_DGST_BYTES 48ULL -#define SHA384_DGST_QWORDS (SHA384_DGST_BYTES / 8) - -#define SHA512_DGST_BYTES 64ULL -#define SHA512_DGST_QWORDS (SHA512_DGST_BYTES / 8) - -typedef struct sha384_dgst_s { - union { - uint8_t raw[SHA384_DGST_BYTES]; - uint64_t qw[SHA384_DGST_QWORDS]; - } u; -} sha384_dgst_t; -bike_static_assert(sizeof(sha384_dgst_t) == SHA384_DGST_BYTES, sha384_dgst_size); - -typedef sha384_dgst_t sha_dgst_t; -CLEANUP_FUNC(sha_dgst, sha_dgst_t) - -_INLINE_ ret_t sha(OUT sha_dgst_t * dgst, - IN const uint32_t byte_len, - IN const uint8_t *msg) -{ - if(SHA384(msg, byte_len, dgst->u.raw) != NULL) { - return SUCCESS; - } - - return FAIL; -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/types.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/types.h deleted file mode 100644 index 436a584f3e..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/types.h +++ /dev/null @@ -1,120 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - */ - -#pragma once - -#include <stddef.h> -#include <stdint.h> - -#include "bike_defs.h" -#include "error.h" - -typedef struct uint128_s { - union { - uint8_t bytes[16]; // NOLINT - uint32_t dw[4]; // NOLINT - uint64_t qw[2]; // NOLINT - } u; -} uint128_t; - -// Make sure no compiler optimizations. -#pragma pack(push, 1) - -typedef struct seed_s { - uint8_t raw[SEED_BYTES]; -} seed_t; - -typedef struct seeds_s { - seed_t seed[NUM_OF_SEEDS]; -} seeds_t; - -typedef struct r_s { - uint8_t raw[R_BYTES]; -} r_t; - -typedef struct m_s { - uint8_t raw[M_BYTES]; -} m_t; - -typedef struct e_s { - r_t val[N0]; -} e_t; - -#define E0_RAW(e) ((e)->val[0].raw) -#define E1_RAW(e) ((e)->val[1].raw) - -typedef struct ct_s { - r_t c0; - m_t c1; -} ct_t; - -typedef r_t pk_t; - -typedef struct ss_st { - uint8_t raw[SS_BYTES]; -} ss_t; - -typedef uint32_t idx_t; - -typedef struct compressed_idx_d_s { - idx_t val[DV]; -} compressed_idx_d_t; - -typedef compressed_idx_d_t compressed_idx_d_ar_t[N0]; - -// The secret key holds both representations, to avoid -// the compression in Decaps. -typedef struct sk_s { - compressed_idx_d_ar_t wlist; - r_t bin[N0]; - pk_t pk; - m_t sigma; -} sk_t; - -typedef ALIGN(sizeof(idx_t)) sk_t aligned_sk_t; - -// Pad r to the next Block -typedef struct pad_r_s { - r_t val; - uint8_t pad[R_PADDED_BYTES - sizeof(r_t)]; -} ALIGN(ALIGN_BYTES) pad_r_t; - -// Double padded r, required for multiplication and squaring -typedef struct dbl_pad_r_s { - uint8_t raw[2 * R_PADDED_BYTES]; -} ALIGN(ALIGN_BYTES) dbl_pad_r_t; - -typedef struct pad_e_s { - pad_r_t val[N0]; -} ALIGN(ALIGN_BYTES) pad_e_t; - -#define PE0_RAW(e) ((e)->val[0].val.raw) -#define PE1_RAW(e) ((e)->val[1].val.raw) - -typedef struct func_k_s { - m_t m; - r_t c0; - m_t c1; -} func_k_t; - -// For a faster rotate we triplicate the syndrome (into 3 copies) -typedef struct syndrome_s { - uint64_t qw[3 * R_QWORDS]; -} ALIGN(ALIGN_BYTES) syndrome_t; - -typedef struct upc_slice_s { - union { - pad_r_t r; - uint64_t qw[sizeof(pad_r_t) / sizeof(uint64_t)]; - } ALIGN(ALIGN_BYTES) u; -} ALIGN(ALIGN_BYTES) upc_slice_t; - -typedef struct upc_s { - upc_slice_t slice[SLICES]; -} upc_t; - -#pragma pack(pop) diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/utilities.c b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/utilities.c deleted file mode 100644 index 0c6ad3ea0f..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/utilities.c +++ /dev/null @@ -1,24 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - */ - -#include <inttypes.h> - -#include "utilities.h" - -#define BITS_IN_QWORD 64ULL -#define BITS_IN_BYTE 8ULL - -uint64_t r_bits_vector_weight(IN const r_t *in) -{ - uint64_t acc = 0; - for(size_t i = 0; i < (R_BYTES - 1); i++) { - acc += __builtin_popcount(in->raw[i]); - } - - acc += __builtin_popcount(in->raw[R_BYTES - 1] & LAST_R_BYTE_MASK); - return acc; -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/utilities.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/utilities.h deleted file mode 100644 index f544990a1a..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/utilities.h +++ /dev/null @@ -1,139 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - */ - -#pragma once - -// For memset -#include <string.h> - -#include "types.h" - -uint64_t r_bits_vector_weight(IN const r_t *in); - -// "VALUE_BARRIER returns |a|, but prevents GCC and Clang from reasoning about -// the returned value. This is used to mitigate compilers undoing constant-time -// code, until we can express our requirements directly in the language. -// Note the compiler is aware that |VALUE_BARRIER| has no side effects and -// always has the same output for a given input. This allows it to eliminate -// dead code, move computations across loops, and vectorize." -// See: -// https://github.com/google/boringssl/commit/92b7c89e6e8ba82924b57153bea68241cc45f658 -#if(defined(__GNUC__) || defined(__clang__)) -# define VALUE_BARRIER(name, type) \ - _INLINE_ type name##_barrier(type a) \ - { \ - __asm__("" : "+r"(a) : /* no inputs */); \ - return a; \ - } -#else -# define VALUE_BARRIER(name, type) \ - _INLINE_ type name##_barrier(type a) { return a; } -#endif - -VALUE_BARRIER(u8, uint8_t) -VALUE_BARRIER(u32, uint32_t) -VALUE_BARRIER(u64, uint64_t) - -// Comparing value in a constant time manner -_INLINE_ uint32_t secure_cmp(IN const uint8_t *a, - IN const uint8_t *b, - IN const uint32_t size) -{ - volatile uint8_t res = 0; - - for(uint32_t i = 0; i < size; ++i) { - res |= (a[i] ^ b[i]); - } - - return (0 == res); -} - -// Return 1 if the arguments are equal to each other. Return 0 otherwise. -_INLINE_ uint32_t secure_cmp32(IN const uint32_t v1, IN const uint32_t v2) -{ -#if defined(__aarch64__) - uint32_t res; - __asm__ __volatile__("cmp %w[V1], %w[V2]; \n " - "cset %w[RES], EQ; \n" - : [RES] "=r"(res) - : [V1] "r"(v1), [V2] "r"(v2) - : "cc" /*The condition code flag*/); - return res; -#elif defined(__x86_64__) || defined(__i386__) - uint32_t res; - __asm__ __volatile__("xor %%edx, %%edx; \n" - "cmp %1, %2; \n " - "sete %%dl; \n" - "mov %%edx, %0; \n" - : "=r"(res) - : "r"(v1), "r"(v2) - : "rdx"); - return res; -#else - // Insecure comparison: The main purpose of secure_cmp32 is to avoid - // branches to prevent potential side channel leaks. To do that, - // we normally leverage some special CPU instructions such as "sete" - // (for __x86_64__) and "cset" (for __aarch64__). When dealing with general - // CPU architectures, the interpretation of the line below is left for the - // compiler. It could lead to an "insecure" branch. This case needs to be - // checked individually on such platforms - // (e.g., by checking the compiler-generated assembly). - return (v1 == v2 ? 1 : 0); -#endif -} - -// Return 0 if v1 < v2, (-1) otherwise -_INLINE_ uint32_t secure_l32_mask(IN const uint32_t v1, IN const uint32_t v2) -{ -#if defined(__aarch64__) - uint32_t res; - __asm__ __volatile__("cmp %w[V2], %w[V1]; \n " - "cset %w[RES], HI; \n" - : [RES] "=r"(res) - : [V1] "r"(v1), [V2] "r"(v2) - : "cc" /*The condition code flag*/); - return (res - 1); -#elif defined(__x86_64__) || defined(__i386__) - uint32_t res; - __asm__ __volatile__("xor %%edx, %%edx; \n" - "cmp %1, %2; \n " - "setl %%dl; \n" - "dec %%edx; \n" - "mov %%edx, %0; \n" - - : "=r"(res) - : "r"(v2), "r"(v1) - : "rdx"); - - return res; -#else - // If v1 >= v2 then the subtraction result is 0^32||(v1-v2). - // else it is 1^32||(v2-v1+1). Subsequently, negating the upper - // 32 bits gives 0 if v1 < v2 and otherwise (-1). - return ~((uint32_t)(((uint64_t)v1 - (uint64_t)v2) >> 32)); -#endif -} - -// bike_memcpy avoids the undefined behaviour of memcpy when byte_len=0 -_INLINE_ void *bike_memcpy(void *dst, const void *src, size_t byte_len) -{ - if(byte_len == 0) { - return dst; - } - - return memcpy(dst, src, byte_len); -} - -// bike_memset avoids the undefined behaviour of memset when byte_len=0 -_INLINE_ void *bike_memset(void *dst, const int ch, size_t byte_len) -{ - if(byte_len == 0) { - return dst; - } - - return memset(dst, ch, byte_len); -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/x86_64_intrinsic.h b/contrib/restricted/aws/s2n/pq-crypto/bike_r3/x86_64_intrinsic.h deleted file mode 100644 index b5c1e989bd..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/bike_r3/x86_64_intrinsic.h +++ /dev/null @@ -1,132 +0,0 @@ -/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0" - * - * Written by Nir Drucker, Shay Gueron and Dusan Kostic, - * AWS Cryptographic Algorithms Group. - */ - -// This file contains definitions of macros for SIMD intrinsic functions, used -// throughout the code package. Where necessary, we add a suffix to a macro, -// and denote the type of the elements (operateds). For example, -// - I16 denotes 16-bit wide integers, -// - U64 denotes 64-bit wide unsigned integers. - -#pragma once - -#if defined(S2N_BIKE_R3_AVX2) || defined(S2N_BIKE_R3_AVX512) -# include <immintrin.h> -#endif - -// clang 3.9 doesn't recognize this macro -#if !defined(_MM_CMPINT_EQ) -# define _MM_CMPINT_EQ (0) -#endif - -// For functions in gf2x_mul.c we use exactly the same code for -// PORTABLE, AVX2, AVX512 implementations. Based on the implementation, -// we define macros for the different data types (uint64_t, __m256i, __m512i), -// and all the required operations (LOAD, STORE, >>, <<) on these types. -#if defined(AVX2_INTERNAL) - -# define REG_T __m256i - -# define LOAD(mem) _mm256_loadu_si256((const void *)(mem)) -# define STORE(mem, reg) _mm256_storeu_si256((void *)(mem), (reg)) - -# define SLLI_I64(a, imm) _mm256_slli_epi64(a, imm) -# define SRLI_I64(a, imm) _mm256_srli_epi64(a, imm) - -#elif defined(AVX512_INTERNAL) - -# define REG_T __m512i - -# define LOAD(mem) _mm512_loadu_si512((mem)) -# define STORE(mem, reg) _mm512_storeu_si512((mem), (reg)) - -# define SLLI_I64(a, imm) _mm512_slli_epi64(a, imm) -# define SRLI_I64(a, imm) _mm512_srli_epi64(a, imm) - -#elif defined(PORTABLE_INTERNAL) - -# define REG_T uint64_t - -# define LOAD(mem) (mem)[0] -# define STORE(mem, val) (mem)[0] = val - -# define SLLI_I64(a, imm) ((a) << (imm)) -# define SRLI_I64(a, imm) ((a) >> (imm)) - -#endif - -// NOLINT is used to avoid the sizeof(T)/sizeof(T) warning when REG_T is defined -// to be uint64_t -#define REG_QWORDS (sizeof(REG_T) / sizeof(uint64_t)) // NOLINT -#define REG_DWORDS (sizeof(REG_T) / sizeof(uint32_t)) // NOLINT - -// The rest of the SIMD macros that are -// required for AVX2 and AVX512 implementation. -#if defined(AVX2_INTERNAL) - -# define SET_I8(...) _mm256_set_epi8(__VA_ARGS__) -# define SET_I32(...) _mm256_set_epi32(__VA_ARGS__) -# define SET_I64(...) _mm256_set_epi64x(__VA_ARGS__) -# define SET1_I8(a) _mm256_set1_epi8(a) -# define SET1_I16(a) _mm256_set1_epi16(a) -# define SET1_I32(a) _mm256_set1_epi32(a) -# define SET1_I64(a) _mm256_set1_epi64x(a) -# define SET_ZERO _mm256_setzero_si256() - -# define ADD_I8(a, b) _mm256_add_epi8(a, b) -# define SUB_I8(a, b) _mm256_sub_epi8(a, b) -# define ADD_I16(a, b) _mm256_add_epi16(a, b) -# define SUB_I16(a, b) _mm256_sub_epi16(a, b) -# define ADD_I64(a, b) _mm256_add_epi64(a, b) -# define SRLI_I16(a, imm) _mm256_srli_epi16(a, imm) -# define SLLI_I32(a, imm) _mm256_slli_epi32(a, imm) -# define SLLV_I32(a, b) _mm256_sllv_epi32(a, b) - -# define CMPGT_I16(a, b) _mm256_cmpgt_epi16(a, b) -# define CMPEQ_I16(a, b) _mm256_cmpeq_epi16(a, b) -# define CMPEQ_I32(a, b) _mm256_cmpeq_epi32(a, b) -# define CMPEQ_I64(a, b) _mm256_cmpeq_epi64(a, b) - -# define SHUF_I8(a, b) _mm256_shuffle_epi8(a, b) -# define BLENDV_I8(a, b, mask) _mm256_blendv_epi8(a, b, mask) -# define PERMVAR_I32(a, idx) _mm256_permutevar8x32_epi32(a, idx) -# define PERM_I64(a, imm) _mm256_permute4x64_epi64(a, imm) - -# define MOVEMASK(a) _mm256_movemask_epi8(a) - -#elif defined(AVX512_INTERNAL) - -# define MSTORE(mem, mask, reg) _mm512_mask_store_epi64((mem), (mask), (reg)) - -# define SET1_I8(a) _mm512_set1_epi8(a) -# define SET1_I32(a) _mm512_set1_epi32(a) -# define SET1_I64(a) _mm512_set1_epi64(a) -# define SET1MZ_I8(mask, a) _mm512_maskz_set1_epi8(mask, a) -# define SET1_I16(a) _mm512_set1_epi16(a) -# define SET_I64(...) _mm512_set_epi64(__VA_ARGS__) -# define SET_ZERO _mm512_setzero_si512() - -# define ADD_I16(a, b) _mm512_add_epi16(a, b) -# define ADD_I64(a, b) _mm512_add_epi64(a, b) -# define MSUB_I16(src, k, a, b) _mm512_mask_sub_epi16(src, k, a, b) -# define SRLI_I16(a, imm) _mm512_srli_epi16(a, imm) -# define SRLV_I64(a, cnt) _mm512_srlv_epi64(a, cnt) -# define SLLV_I64(a, cnt) _mm512_sllv_epi64(a, cnt) -# define MOR_I64(src, mask, a, b) _mm512_mask_or_epi64(src, mask, a, b) -# define MXOR_I64(src, mask, a, b) _mm512_mask_xor_epi64(src, mask, a, b) -# define VALIGN(a, b, count) _mm512_alignr_epi64(a, b, count) - -# define CMPM_U8(a, b, cmp_op) _mm512_cmp_epu8_mask(a, b, cmp_op) -# define CMPM_U16(a, b, cmp_op) _mm512_cmp_epu16_mask(a, b, cmp_op) -# define CMPMEQ_I64(a, b) _mm512_cmp_epi64_mask(a, b, _MM_CMPINT_EQ) -# define MCMPMEQ_I32(mask, a, b) \ - _mm512_mask_cmp_epi32_mask(mask, a, b, _MM_CMPINT_EQ) - -# define PERMX_I64(a, imm) _mm512_permutex_epi64(a, imm) -# define PERMX2VAR_I64(a, idx, b) _mm512_permutex2var_epi64(a, idx, b) -# define PERMXVAR_I64(idx, a) _mm512_permutexvar_epi64(idx, a) - -#endif diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/aes.h b/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/aes.h deleted file mode 100644 index a14d946b5d..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/aes.h +++ /dev/null @@ -1,201 +0,0 @@ -/** - * \file aes.h - * \brief Header defining the API for OQS AES - * - * SPDX-License-Identifier: MIT - */ - -#ifndef OQS_AES_H -#define OQS_AES_H - -#include <stdint.h> -#include <stdlib.h> - -#define AES256_KEYBYTES 32 -#define AESCTR_NONCEBYTES 12 -#define AES_BLOCKBYTES 16 - -typedef void *aes256ctx; - -#define aes256_ecb_keyexp(r, key) OQS_AES256_ECB_load_schedule((key), (r), 1); -#define aes256_ecb(out, in, nblocks, ctx) OQS_AES256_ECB_enc_sch((in), (nblocks) * AES_BLOCKBYTES, *(ctx), (out)); -#define aes256_ctr_keyexp(r, key) OQS_AES256_CTR_load_schedule((key), (r)); -#define aes256_ctr(out, outlen, iv, ctx) OQS_AES256_CTR_sch((iv), AESCTR_NONCEBYTES, *(ctx), (out), (outlen)) -#define aes256_ctx_release(ctx) OQS_AES256_free_schedule(*(ctx)); - - -/** copied from common.h **/ - -#define OQS_EXIT_IF_NULLPTR(x) \ - do { \ - if ( (x) == (void*)0 ) \ - exit(EXIT_FAILURE); \ - } while (0) - -/** copied from common.c **/ - -/** - * Zeros out `len` bytes of memory starting at `ptr`. - * - * Designed to be protected against optimizing compilers which try to remove - * "unnecessary" operations. Should be used for all buffers containing secret - * data. - * - * @param[in] ptr The start of the memory to zero out. - * @param[in] len The number of bytes to zero out. - */ -void OQS_MEM_cleanse(void *ptr, size_t len); - -/** - * Zeros out `len` bytes of memory starting at `ptr`, then frees `ptr`. - * - * Can be called with `ptr = NULL`, in which case no operation is performed. - * - * Designed to be protected against optimizing compilers which try to remove - * "unnecessary" operations. Should be used for all buffers containing secret - * data. - * - * @param[in] ptr The start of the memory to zero out and free. - * @param[in] len The number of bytes to zero out. - */ -void OQS_MEM_secure_free(void *ptr, size_t len); - - - -/** - * Function to fill a key schedule given an initial key for use in ECB mode. - * - * @param key Initial Key. - * @param schedule Abstract data structure for a key schedule. - * @param for_encryption 1 if key schedule is for encryption, 0 if for decryption. - */ -void OQS_AES128_ECB_load_schedule(const uint8_t *key, void **schedule, int for_encryption); - -/** - * Function to free a key schedule. - * - * @param schedule Schedule generated with OQS_AES128_ECB_load_schedule(). - */ -void OQS_AES128_free_schedule(void *schedule); - -/** - * Function to encrypt blocks of plaintext using ECB mode. - * A schedule based on the key is generated and used internally. - * - * @param plaintext Plaintext to be encrypted. - * @param plaintext_len Length on the plaintext in bytes. Must be a multiple of 16. - * @param key Key to be used for encryption. - * @param ciphertext Pointer to a block of memory which >= in size to the plaintext block. The result will be written here. - */ -void OQS_AES128_ECB_enc(const uint8_t *plaintext, const size_t plaintext_len, const uint8_t *key, uint8_t *ciphertext); - -/** - * Function to decrypt blocks of plaintext using ECB mode. - * A schedule based on the key is generated and used internally. - * - * @param ciphertext Ciphertext to be decrypted. - * @param ciphertext_len Length on the ciphertext in bytes. Must be a multiple of 16. - * @param key Key to be used for encryption. - * @param plaintext Pointer to a block of memory which >= in size to the ciphertext block. The result will be written here. - */ -void OQS_AES128_ECB_dec(const uint8_t *ciphertext, const size_t ciphertext_len, const uint8_t *key, uint8_t *plaintext); - -/** - * Same as OQS_AES128_ECB_enc() except a schedule generated by - * OQS_AES128_ECB_load_schedule() is passed rather then a key. This is faster - * if the same schedule is used for multiple encryptions since it does - * not have to be regenerated from the key. - */ -void OQS_AES128_ECB_enc_sch(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext); - -/** - * Same as OQS_AES128_ECB_dec() except a schedule generated by - * OQS_AES128_ECB_load_schedule() is passed rather then a key. This is faster - * if the same schedule is used for multiple encryptions since it does - * not have to be regenerated from the key. - */ -void OQS_AES128_ECB_dec_sch(const uint8_t *ciphertext, const size_t ciphertext_len, const void *schedule, uint8_t *plaintext); - -/** - * Function to fill a key schedule given an initial key for use in ECB mode. - * - * @param key Initial Key. - * @param schedule Abstract data structure for a key schedule. - * @param for_encryption 1 if key schedule is for encryption, 0 if for decryption. - */ -void OQS_AES256_ECB_load_schedule(const uint8_t *key, void **schedule, int for_encryption); - -/** - * Function to fill a key schedule given an initial key for use in CTR mode. - * - * @param key Initial Key. - * @param schedule Abstract data structure for a key schedule. - */ -void OQS_AES256_CTR_load_schedule(const uint8_t *key, void **schedule); - -/** - * Function to free a key schedule. - * - * @param schedule Schedule generated with OQS_AES256_ECB_load_schedule - * or OQS_AES256_CTR_load_schedule. - */ -void OQS_AES256_free_schedule(void *schedule); - -/** - * Function to encrypt blocks of plaintext using ECB mode. - * A schedule based on the key is generated and used internally. - * - * @param plaintext Plaintext to be encrypted. - * @param plaintext_len Length on the plaintext in bytes. Must be a multiple of 16. - * @param key Key to be used for encryption. - * @param ciphertext Pointer to a block of memory which >= in size to the plaintext block. The result will be written here. - */ -void OQS_AES256_ECB_enc(const uint8_t *plaintext, const size_t plaintext_len, const uint8_t *key, uint8_t *ciphertext); - -/** - * Function to decrypt blocks of plaintext using ECB mode. - * A schedule based on the key is generated and used internally. - * - * @param ciphertext Ciphertext to be decrypted. - * @param ciphertext_len Length on the ciphertext in bytes. Must be a multiple of 16. - * @param key Key to be used for encryption. - * @param plaintext Pointer to a block of memory which >= in size to the ciphertext block. The result will be written here. - */ -void OQS_AES256_ECB_dec(const uint8_t *ciphertext, const size_t ciphertext_len, const uint8_t *key, uint8_t *plaintext); - -/** - * Same as OQS_AES256_ECB_enc() except a schedule generated by - * OQS_AES256_ECB_load_schedule() is passed rather then a key. This is faster - * if the same schedule is used for multiple encryptions since it does - * not have to be regenerated from the key. - */ -void OQS_AES256_ECB_enc_sch(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext); - -/** - * Same as OQS_AES256_ECB_dec() except a schedule generated by - * OQS_AES256_ECB_load_schedule() is passed rather then a key. This is faster - * if the same schedule is used for multiple encryptions since it does - * not have to be regenerated from the key. - */ -void OQS_AES256_ECB_dec_sch(const uint8_t *ciphertext, const size_t ciphertext_len, const void *schedule, uint8_t *plaintext); - -/** - * AES counter mode keystream generator. A scheduled generated by - * OQS_AES256_CTR_load_schedule() is passed rather then a key. - * - * Handles a 12- or 16-byte IV. If a 12-byte IV is given, then 4 counter - * bytes are initialized to all zeros. - * - * @param iv 12- or 16-byte initialization vector. - * @param iv_len Lengh of IV in bytes. - * @param schedule Abstract data structure for a key schedule. - * @param out Pointer to a block of memory which is big enough to contain out_len bytes; the result will be written here. - * @param out_len Length of output bytes to generate. - */ -void OQS_AES256_CTR_sch(const uint8_t *iv, size_t iv_len, const void *schedule, uint8_t *out, size_t out_len); - -#if defined(__cplusplus) -} // extern "C" -#endif - -#endif // OQS_AES_H diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/aes256ctr.c b/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/aes256ctr.c deleted file mode 100644 index 0feaed6bcf..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/aes256ctr.c +++ /dev/null @@ -1,99 +0,0 @@ -#include "aes256ctr.h" -#include "aes.h" -#include <stddef.h> -#include <stdint.h> -#include <string.h> - -static inline void br_enc32be(unsigned char *dst, uint32_t x) { - dst[3] = (unsigned char)x; - dst[2] = (unsigned char)(x >> 8); - dst[1] = (unsigned char)(x >> 16); - dst[0] = (unsigned char)(x >> 24); -} - -static void aes256_ctr_xof(unsigned char *out, size_t outlen, const unsigned char *iv, uint32_t ctr, const aes256ctx *ctx) { - uint8_t ivw[16]; - uint8_t buf[AES_BLOCKBYTES]; - - memcpy(ivw, iv, AESCTR_NONCEBYTES); - br_enc32be(ivw + AESCTR_NONCEBYTES, ctr); - - while (outlen > AES_BLOCKBYTES) { - aes256_ecb(out, ivw, 1, ctx); - br_enc32be(ivw + AESCTR_NONCEBYTES, ++ctr); - out += AES_BLOCKBYTES; - outlen -= AES_BLOCKBYTES; - } - if (outlen > 0) { - aes256_ecb(buf, ivw, 1, ctx); - for (size_t i = 0; i < outlen; i++) { - out[i] = buf[i]; - } - } -} - -/************************************************* -* Name: aes256_prf -* -* Description: AES256 stream generation in CTR mode using 32-bit counter, -* nonce is zero-padded to 12 bytes, counter starts at zero -* -* Arguments: - uint8_t *output: pointer to output -* - size_t outlen: length of requested output in bytes -* - const uint8_t *key: pointer to 32-byte key -* - uint8_t nonce: 1-byte nonce (will be zero-padded to 12 bytes) -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_aes256_prf(uint8_t *output, size_t outlen, const uint8_t *key, uint8_t nonce) { - uint8_t iv[12]; - for (int i = 1; i < 12; i++) { - iv[i] = 0; - } - iv[0] = nonce; - - aes256ctx ctx; - aes256_ctr_keyexp(&ctx, key); - aes256_ctr(output, outlen, iv, &ctx); - aes256_ctx_release(&ctx); -} - -/************************************************* -* Name: aes256xof_absorb -* -* Description: AES256 CTR used as a replacement for a XOF; this function -* "absorbs" a 32-byte key and two additional bytes that are zero-padded -* to a 12-byte nonce -* -* Arguments: - aes256xof_ctx *s: pointer to state to "absorb" key and IV into -* - const uint8_t *key: pointer to 32-byte key -* - uint8_t x: first additional byte to "absorb" -* - uint8_t y: second additional byte to "absorb" -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_aes256xof_absorb(aes256xof_ctx *s, const uint8_t *key, uint8_t x, uint8_t y) { - aes256_ecb_keyexp(&s->sk_exp, key); - for (int i = 2; i < 12; i++) { - s->iv[i] = 0; - } - s->iv[0] = x; - s->iv[1] = y; - s->ctr = 0; -} - -/************************************************* -* Name: aes256xof_squeezeblocks -* -* Description: AES256 CTR used as a replacement for a XOF; this function -* generates 4 blocks out AES256-CTR output -* -* Arguments: - uint8_t *out: pointer to output -* - size_t nblocks: number of reqested 64-byte output blocks -* - aes256xof_ctx *s: AES "state", i.e. expanded key and IV -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_aes256xof_squeezeblocks(uint8_t *out, size_t nblocks, aes256xof_ctx *s) { - aes256_ctr_xof(out, nblocks * 64, s->iv, s->ctr, &s->sk_exp); - s->ctr += (uint32_t) (4 * nblocks); -} - -/** Free the AES ctx **/ -void PQCLEAN_KYBER51290S_CLEAN_aes256xof_ctx_release(aes256xof_ctx *s) { - aes256_ctx_release(&s->sk_exp); -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/aes256ctr.h b/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/aes256ctr.h deleted file mode 100644 index 3efa256731..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/aes256ctr.h +++ /dev/null @@ -1,20 +0,0 @@ -#ifndef AES256CTR_H -#define AES256CTR_H - -#include "aes.h" - -#include <stddef.h> -#include <stdint.h> - -typedef struct { - aes256ctx sk_exp; - uint8_t iv[12]; - uint32_t ctr; -} aes256xof_ctx; - -void PQCLEAN_KYBER51290S_CLEAN_aes256_prf(uint8_t *output, size_t outlen, const uint8_t *key, uint8_t nonce); -void PQCLEAN_KYBER51290S_CLEAN_aes256xof_absorb(aes256xof_ctx *s, const uint8_t *key, uint8_t x, uint8_t y); -void PQCLEAN_KYBER51290S_CLEAN_aes256xof_squeezeblocks(uint8_t *out, size_t nblocks, aes256xof_ctx *s); -void PQCLEAN_KYBER51290S_CLEAN_aes256xof_ctx_release(aes256xof_ctx *s); - -#endif diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/aes_c.c b/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/aes_c.c deleted file mode 100644 index 009054155d..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/aes_c.c +++ /dev/null @@ -1,576 +0,0 @@ -// Simple, thoroughly commented implementation of 128-bit AES / Rijndael using C -// Chris Hulbert - chris.hulbert@gmail.com - http://splinter.com.au/blog -// References: -// http://en.wikipedia.org/wiki/Advanced_Encryption_Standard -// http://en.wikipedia.org/wiki/Rijndael_key_schedule -// http://en.wikipedia.org/wiki/Rijndael_mix_columns -// http://en.wikipedia.org/wiki/Rijndael_S-box -// This code is public domain, or any OSI-approved license, your choice. No warranty. -// SPDX-License-Identifier: MIT - -#include <assert.h> -#include <stdio.h> -#include <string.h> - -#include "aes.h" - -typedef unsigned char byte; - -// Here are all the lookup tables for the row shifts, rcon, s-boxes, and galois field multiplications -static const byte shift_rows_table[] = {0, 5, 10, 15, 4, 9, 14, 3, 8, 13, 2, 7, 12, 1, 6, 11}; -static const byte shift_rows_table_inv[] = {0, 13, 10, 7, 4, 1, 14, 11, 8, 5, 2, 15, 12, 9, 6, 3}; -static const byte lookup_rcon[] = { - 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a -}; -static const byte lookup_sbox[] = { - 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76, - 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0, - 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15, - 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75, - 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84, - 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf, - 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8, - 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2, - 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73, - 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb, - 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79, - 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08, - 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a, - 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e, - 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf, - 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 -}; -static const byte lookup_sbox_inv[] = { - 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb, - 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb, - 0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d, 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e, - 0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2, 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25, - 0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92, - 0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda, 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84, - 0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a, 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06, - 0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02, 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b, - 0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea, 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73, - 0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e, - 0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89, 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b, - 0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20, 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4, - 0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31, 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f, - 0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef, - 0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0, 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61, - 0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d -}; -static const byte lookup_g2[] = { - 0x00, 0x02, 0x04, 0x06, 0x08, 0x0a, 0x0c, 0x0e, 0x10, 0x12, 0x14, 0x16, 0x18, 0x1a, 0x1c, 0x1e, - 0x20, 0x22, 0x24, 0x26, 0x28, 0x2a, 0x2c, 0x2e, 0x30, 0x32, 0x34, 0x36, 0x38, 0x3a, 0x3c, 0x3e, - 0x40, 0x42, 0x44, 0x46, 0x48, 0x4a, 0x4c, 0x4e, 0x50, 0x52, 0x54, 0x56, 0x58, 0x5a, 0x5c, 0x5e, - 0x60, 0x62, 0x64, 0x66, 0x68, 0x6a, 0x6c, 0x6e, 0x70, 0x72, 0x74, 0x76, 0x78, 0x7a, 0x7c, 0x7e, - 0x80, 0x82, 0x84, 0x86, 0x88, 0x8a, 0x8c, 0x8e, 0x90, 0x92, 0x94, 0x96, 0x98, 0x9a, 0x9c, 0x9e, - 0xa0, 0xa2, 0xa4, 0xa6, 0xa8, 0xaa, 0xac, 0xae, 0xb0, 0xb2, 0xb4, 0xb6, 0xb8, 0xba, 0xbc, 0xbe, - 0xc0, 0xc2, 0xc4, 0xc6, 0xc8, 0xca, 0xcc, 0xce, 0xd0, 0xd2, 0xd4, 0xd6, 0xd8, 0xda, 0xdc, 0xde, - 0xe0, 0xe2, 0xe4, 0xe6, 0xe8, 0xea, 0xec, 0xee, 0xf0, 0xf2, 0xf4, 0xf6, 0xf8, 0xfa, 0xfc, 0xfe, - 0x1b, 0x19, 0x1f, 0x1d, 0x13, 0x11, 0x17, 0x15, 0x0b, 0x09, 0x0f, 0x0d, 0x03, 0x01, 0x07, 0x05, - 0x3b, 0x39, 0x3f, 0x3d, 0x33, 0x31, 0x37, 0x35, 0x2b, 0x29, 0x2f, 0x2d, 0x23, 0x21, 0x27, 0x25, - 0x5b, 0x59, 0x5f, 0x5d, 0x53, 0x51, 0x57, 0x55, 0x4b, 0x49, 0x4f, 0x4d, 0x43, 0x41, 0x47, 0x45, - 0x7b, 0x79, 0x7f, 0x7d, 0x73, 0x71, 0x77, 0x75, 0x6b, 0x69, 0x6f, 0x6d, 0x63, 0x61, 0x67, 0x65, - 0x9b, 0x99, 0x9f, 0x9d, 0x93, 0x91, 0x97, 0x95, 0x8b, 0x89, 0x8f, 0x8d, 0x83, 0x81, 0x87, 0x85, - 0xbb, 0xb9, 0xbf, 0xbd, 0xb3, 0xb1, 0xb7, 0xb5, 0xab, 0xa9, 0xaf, 0xad, 0xa3, 0xa1, 0xa7, 0xa5, - 0xdb, 0xd9, 0xdf, 0xdd, 0xd3, 0xd1, 0xd7, 0xd5, 0xcb, 0xc9, 0xcf, 0xcd, 0xc3, 0xc1, 0xc7, 0xc5, - 0xfb, 0xf9, 0xff, 0xfd, 0xf3, 0xf1, 0xf7, 0xf5, 0xeb, 0xe9, 0xef, 0xed, 0xe3, 0xe1, 0xe7, 0xe5 -}; -static const byte lookup_g3[] = { - 0x00, 0x03, 0x06, 0x05, 0x0c, 0x0f, 0x0a, 0x09, 0x18, 0x1b, 0x1e, 0x1d, 0x14, 0x17, 0x12, 0x11, - 0x30, 0x33, 0x36, 0x35, 0x3c, 0x3f, 0x3a, 0x39, 0x28, 0x2b, 0x2e, 0x2d, 0x24, 0x27, 0x22, 0x21, - 0x60, 0x63, 0x66, 0x65, 0x6c, 0x6f, 0x6a, 0x69, 0x78, 0x7b, 0x7e, 0x7d, 0x74, 0x77, 0x72, 0x71, - 0x50, 0x53, 0x56, 0x55, 0x5c, 0x5f, 0x5a, 0x59, 0x48, 0x4b, 0x4e, 0x4d, 0x44, 0x47, 0x42, 0x41, - 0xc0, 0xc3, 0xc6, 0xc5, 0xcc, 0xcf, 0xca, 0xc9, 0xd8, 0xdb, 0xde, 0xdd, 0xd4, 0xd7, 0xd2, 0xd1, - 0xf0, 0xf3, 0xf6, 0xf5, 0xfc, 0xff, 0xfa, 0xf9, 0xe8, 0xeb, 0xee, 0xed, 0xe4, 0xe7, 0xe2, 0xe1, - 0xa0, 0xa3, 0xa6, 0xa5, 0xac, 0xaf, 0xaa, 0xa9, 0xb8, 0xbb, 0xbe, 0xbd, 0xb4, 0xb7, 0xb2, 0xb1, - 0x90, 0x93, 0x96, 0x95, 0x9c, 0x9f, 0x9a, 0x99, 0x88, 0x8b, 0x8e, 0x8d, 0x84, 0x87, 0x82, 0x81, - 0x9b, 0x98, 0x9d, 0x9e, 0x97, 0x94, 0x91, 0x92, 0x83, 0x80, 0x85, 0x86, 0x8f, 0x8c, 0x89, 0x8a, - 0xab, 0xa8, 0xad, 0xae, 0xa7, 0xa4, 0xa1, 0xa2, 0xb3, 0xb0, 0xb5, 0xb6, 0xbf, 0xbc, 0xb9, 0xba, - 0xfb, 0xf8, 0xfd, 0xfe, 0xf7, 0xf4, 0xf1, 0xf2, 0xe3, 0xe0, 0xe5, 0xe6, 0xef, 0xec, 0xe9, 0xea, - 0xcb, 0xc8, 0xcd, 0xce, 0xc7, 0xc4, 0xc1, 0xc2, 0xd3, 0xd0, 0xd5, 0xd6, 0xdf, 0xdc, 0xd9, 0xda, - 0x5b, 0x58, 0x5d, 0x5e, 0x57, 0x54, 0x51, 0x52, 0x43, 0x40, 0x45, 0x46, 0x4f, 0x4c, 0x49, 0x4a, - 0x6b, 0x68, 0x6d, 0x6e, 0x67, 0x64, 0x61, 0x62, 0x73, 0x70, 0x75, 0x76, 0x7f, 0x7c, 0x79, 0x7a, - 0x3b, 0x38, 0x3d, 0x3e, 0x37, 0x34, 0x31, 0x32, 0x23, 0x20, 0x25, 0x26, 0x2f, 0x2c, 0x29, 0x2a, - 0x0b, 0x08, 0x0d, 0x0e, 0x07, 0x04, 0x01, 0x02, 0x13, 0x10, 0x15, 0x16, 0x1f, 0x1c, 0x19, 0x1a -}; -static const byte lookup_g9[] = { - 0x00, 0x09, 0x12, 0x1b, 0x24, 0x2d, 0x36, 0x3f, 0x48, 0x41, 0x5a, 0x53, 0x6c, 0x65, 0x7e, 0x77, - 0x90, 0x99, 0x82, 0x8b, 0xb4, 0xbd, 0xa6, 0xaf, 0xd8, 0xd1, 0xca, 0xc3, 0xfc, 0xf5, 0xee, 0xe7, - 0x3b, 0x32, 0x29, 0x20, 0x1f, 0x16, 0x0d, 0x04, 0x73, 0x7a, 0x61, 0x68, 0x57, 0x5e, 0x45, 0x4c, - 0xab, 0xa2, 0xb9, 0xb0, 0x8f, 0x86, 0x9d, 0x94, 0xe3, 0xea, 0xf1, 0xf8, 0xc7, 0xce, 0xd5, 0xdc, - 0x76, 0x7f, 0x64, 0x6d, 0x52, 0x5b, 0x40, 0x49, 0x3e, 0x37, 0x2c, 0x25, 0x1a, 0x13, 0x08, 0x01, - 0xe6, 0xef, 0xf4, 0xfd, 0xc2, 0xcb, 0xd0, 0xd9, 0xae, 0xa7, 0xbc, 0xb5, 0x8a, 0x83, 0x98, 0x91, - 0x4d, 0x44, 0x5f, 0x56, 0x69, 0x60, 0x7b, 0x72, 0x05, 0x0c, 0x17, 0x1e, 0x21, 0x28, 0x33, 0x3a, - 0xdd, 0xd4, 0xcf, 0xc6, 0xf9, 0xf0, 0xeb, 0xe2, 0x95, 0x9c, 0x87, 0x8e, 0xb1, 0xb8, 0xa3, 0xaa, - 0xec, 0xe5, 0xfe, 0xf7, 0xc8, 0xc1, 0xda, 0xd3, 0xa4, 0xad, 0xb6, 0xbf, 0x80, 0x89, 0x92, 0x9b, - 0x7c, 0x75, 0x6e, 0x67, 0x58, 0x51, 0x4a, 0x43, 0x34, 0x3d, 0x26, 0x2f, 0x10, 0x19, 0x02, 0x0b, - 0xd7, 0xde, 0xc5, 0xcc, 0xf3, 0xfa, 0xe1, 0xe8, 0x9f, 0x96, 0x8d, 0x84, 0xbb, 0xb2, 0xa9, 0xa0, - 0x47, 0x4e, 0x55, 0x5c, 0x63, 0x6a, 0x71, 0x78, 0x0f, 0x06, 0x1d, 0x14, 0x2b, 0x22, 0x39, 0x30, - 0x9a, 0x93, 0x88, 0x81, 0xbe, 0xb7, 0xac, 0xa5, 0xd2, 0xdb, 0xc0, 0xc9, 0xf6, 0xff, 0xe4, 0xed, - 0x0a, 0x03, 0x18, 0x11, 0x2e, 0x27, 0x3c, 0x35, 0x42, 0x4b, 0x50, 0x59, 0x66, 0x6f, 0x74, 0x7d, - 0xa1, 0xa8, 0xb3, 0xba, 0x85, 0x8c, 0x97, 0x9e, 0xe9, 0xe0, 0xfb, 0xf2, 0xcd, 0xc4, 0xdf, 0xd6, - 0x31, 0x38, 0x23, 0x2a, 0x15, 0x1c, 0x07, 0x0e, 0x79, 0x70, 0x6b, 0x62, 0x5d, 0x54, 0x4f, 0x46 -}; -static const byte lookup_g11[] = { - 0x00, 0x0b, 0x16, 0x1d, 0x2c, 0x27, 0x3a, 0x31, 0x58, 0x53, 0x4e, 0x45, 0x74, 0x7f, 0x62, 0x69, - 0xb0, 0xbb, 0xa6, 0xad, 0x9c, 0x97, 0x8a, 0x81, 0xe8, 0xe3, 0xfe, 0xf5, 0xc4, 0xcf, 0xd2, 0xd9, - 0x7b, 0x70, 0x6d, 0x66, 0x57, 0x5c, 0x41, 0x4a, 0x23, 0x28, 0x35, 0x3e, 0x0f, 0x04, 0x19, 0x12, - 0xcb, 0xc0, 0xdd, 0xd6, 0xe7, 0xec, 0xf1, 0xfa, 0x93, 0x98, 0x85, 0x8e, 0xbf, 0xb4, 0xa9, 0xa2, - 0xf6, 0xfd, 0xe0, 0xeb, 0xda, 0xd1, 0xcc, 0xc7, 0xae, 0xa5, 0xb8, 0xb3, 0x82, 0x89, 0x94, 0x9f, - 0x46, 0x4d, 0x50, 0x5b, 0x6a, 0x61, 0x7c, 0x77, 0x1e, 0x15, 0x08, 0x03, 0x32, 0x39, 0x24, 0x2f, - 0x8d, 0x86, 0x9b, 0x90, 0xa1, 0xaa, 0xb7, 0xbc, 0xd5, 0xde, 0xc3, 0xc8, 0xf9, 0xf2, 0xef, 0xe4, - 0x3d, 0x36, 0x2b, 0x20, 0x11, 0x1a, 0x07, 0x0c, 0x65, 0x6e, 0x73, 0x78, 0x49, 0x42, 0x5f, 0x54, - 0xf7, 0xfc, 0xe1, 0xea, 0xdb, 0xd0, 0xcd, 0xc6, 0xaf, 0xa4, 0xb9, 0xb2, 0x83, 0x88, 0x95, 0x9e, - 0x47, 0x4c, 0x51, 0x5a, 0x6b, 0x60, 0x7d, 0x76, 0x1f, 0x14, 0x09, 0x02, 0x33, 0x38, 0x25, 0x2e, - 0x8c, 0x87, 0x9a, 0x91, 0xa0, 0xab, 0xb6, 0xbd, 0xd4, 0xdf, 0xc2, 0xc9, 0xf8, 0xf3, 0xee, 0xe5, - 0x3c, 0x37, 0x2a, 0x21, 0x10, 0x1b, 0x06, 0x0d, 0x64, 0x6f, 0x72, 0x79, 0x48, 0x43, 0x5e, 0x55, - 0x01, 0x0a, 0x17, 0x1c, 0x2d, 0x26, 0x3b, 0x30, 0x59, 0x52, 0x4f, 0x44, 0x75, 0x7e, 0x63, 0x68, - 0xb1, 0xba, 0xa7, 0xac, 0x9d, 0x96, 0x8b, 0x80, 0xe9, 0xe2, 0xff, 0xf4, 0xc5, 0xce, 0xd3, 0xd8, - 0x7a, 0x71, 0x6c, 0x67, 0x56, 0x5d, 0x40, 0x4b, 0x22, 0x29, 0x34, 0x3f, 0x0e, 0x05, 0x18, 0x13, - 0xca, 0xc1, 0xdc, 0xd7, 0xe6, 0xed, 0xf0, 0xfb, 0x92, 0x99, 0x84, 0x8f, 0xbe, 0xb5, 0xa8, 0xa3 -}; -static const byte lookup_g13[] = { - 0x00, 0x0d, 0x1a, 0x17, 0x34, 0x39, 0x2e, 0x23, 0x68, 0x65, 0x72, 0x7f, 0x5c, 0x51, 0x46, 0x4b, - 0xd0, 0xdd, 0xca, 0xc7, 0xe4, 0xe9, 0xfe, 0xf3, 0xb8, 0xb5, 0xa2, 0xaf, 0x8c, 0x81, 0x96, 0x9b, - 0xbb, 0xb6, 0xa1, 0xac, 0x8f, 0x82, 0x95, 0x98, 0xd3, 0xde, 0xc9, 0xc4, 0xe7, 0xea, 0xfd, 0xf0, - 0x6b, 0x66, 0x71, 0x7c, 0x5f, 0x52, 0x45, 0x48, 0x03, 0x0e, 0x19, 0x14, 0x37, 0x3a, 0x2d, 0x20, - 0x6d, 0x60, 0x77, 0x7a, 0x59, 0x54, 0x43, 0x4e, 0x05, 0x08, 0x1f, 0x12, 0x31, 0x3c, 0x2b, 0x26, - 0xbd, 0xb0, 0xa7, 0xaa, 0x89, 0x84, 0x93, 0x9e, 0xd5, 0xd8, 0xcf, 0xc2, 0xe1, 0xec, 0xfb, 0xf6, - 0xd6, 0xdb, 0xcc, 0xc1, 0xe2, 0xef, 0xf8, 0xf5, 0xbe, 0xb3, 0xa4, 0xa9, 0x8a, 0x87, 0x90, 0x9d, - 0x06, 0x0b, 0x1c, 0x11, 0x32, 0x3f, 0x28, 0x25, 0x6e, 0x63, 0x74, 0x79, 0x5a, 0x57, 0x40, 0x4d, - 0xda, 0xd7, 0xc0, 0xcd, 0xee, 0xe3, 0xf4, 0xf9, 0xb2, 0xbf, 0xa8, 0xa5, 0x86, 0x8b, 0x9c, 0x91, - 0x0a, 0x07, 0x10, 0x1d, 0x3e, 0x33, 0x24, 0x29, 0x62, 0x6f, 0x78, 0x75, 0x56, 0x5b, 0x4c, 0x41, - 0x61, 0x6c, 0x7b, 0x76, 0x55, 0x58, 0x4f, 0x42, 0x09, 0x04, 0x13, 0x1e, 0x3d, 0x30, 0x27, 0x2a, - 0xb1, 0xbc, 0xab, 0xa6, 0x85, 0x88, 0x9f, 0x92, 0xd9, 0xd4, 0xc3, 0xce, 0xed, 0xe0, 0xf7, 0xfa, - 0xb7, 0xba, 0xad, 0xa0, 0x83, 0x8e, 0x99, 0x94, 0xdf, 0xd2, 0xc5, 0xc8, 0xeb, 0xe6, 0xf1, 0xfc, - 0x67, 0x6a, 0x7d, 0x70, 0x53, 0x5e, 0x49, 0x44, 0x0f, 0x02, 0x15, 0x18, 0x3b, 0x36, 0x21, 0x2c, - 0x0c, 0x01, 0x16, 0x1b, 0x38, 0x35, 0x22, 0x2f, 0x64, 0x69, 0x7e, 0x73, 0x50, 0x5d, 0x4a, 0x47, - 0xdc, 0xd1, 0xc6, 0xcb, 0xe8, 0xe5, 0xf2, 0xff, 0xb4, 0xb9, 0xae, 0xa3, 0x80, 0x8d, 0x9a, 0x97 -}; -static const byte lookup_g14[] = { - 0x00, 0x0e, 0x1c, 0x12, 0x38, 0x36, 0x24, 0x2a, 0x70, 0x7e, 0x6c, 0x62, 0x48, 0x46, 0x54, 0x5a, - 0xe0, 0xee, 0xfc, 0xf2, 0xd8, 0xd6, 0xc4, 0xca, 0x90, 0x9e, 0x8c, 0x82, 0xa8, 0xa6, 0xb4, 0xba, - 0xdb, 0xd5, 0xc7, 0xc9, 0xe3, 0xed, 0xff, 0xf1, 0xab, 0xa5, 0xb7, 0xb9, 0x93, 0x9d, 0x8f, 0x81, - 0x3b, 0x35, 0x27, 0x29, 0x03, 0x0d, 0x1f, 0x11, 0x4b, 0x45, 0x57, 0x59, 0x73, 0x7d, 0x6f, 0x61, - 0xad, 0xa3, 0xb1, 0xbf, 0x95, 0x9b, 0x89, 0x87, 0xdd, 0xd3, 0xc1, 0xcf, 0xe5, 0xeb, 0xf9, 0xf7, - 0x4d, 0x43, 0x51, 0x5f, 0x75, 0x7b, 0x69, 0x67, 0x3d, 0x33, 0x21, 0x2f, 0x05, 0x0b, 0x19, 0x17, - 0x76, 0x78, 0x6a, 0x64, 0x4e, 0x40, 0x52, 0x5c, 0x06, 0x08, 0x1a, 0x14, 0x3e, 0x30, 0x22, 0x2c, - 0x96, 0x98, 0x8a, 0x84, 0xae, 0xa0, 0xb2, 0xbc, 0xe6, 0xe8, 0xfa, 0xf4, 0xde, 0xd0, 0xc2, 0xcc, - 0x41, 0x4f, 0x5d, 0x53, 0x79, 0x77, 0x65, 0x6b, 0x31, 0x3f, 0x2d, 0x23, 0x09, 0x07, 0x15, 0x1b, - 0xa1, 0xaf, 0xbd, 0xb3, 0x99, 0x97, 0x85, 0x8b, 0xd1, 0xdf, 0xcd, 0xc3, 0xe9, 0xe7, 0xf5, 0xfb, - 0x9a, 0x94, 0x86, 0x88, 0xa2, 0xac, 0xbe, 0xb0, 0xea, 0xe4, 0xf6, 0xf8, 0xd2, 0xdc, 0xce, 0xc0, - 0x7a, 0x74, 0x66, 0x68, 0x42, 0x4c, 0x5e, 0x50, 0x0a, 0x04, 0x16, 0x18, 0x32, 0x3c, 0x2e, 0x20, - 0xec, 0xe2, 0xf0, 0xfe, 0xd4, 0xda, 0xc8, 0xc6, 0x9c, 0x92, 0x80, 0x8e, 0xa4, 0xaa, 0xb8, 0xb6, - 0x0c, 0x02, 0x10, 0x1e, 0x34, 0x3a, 0x28, 0x26, 0x7c, 0x72, 0x60, 0x6e, 0x44, 0x4a, 0x58, 0x56, - 0x37, 0x39, 0x2b, 0x25, 0x0f, 0x01, 0x13, 0x1d, 0x47, 0x49, 0x5b, 0x55, 0x7f, 0x71, 0x63, 0x6d, - 0xd7, 0xd9, 0xcb, 0xc5, 0xef, 0xe1, 0xf3, 0xfd, 0xa7, 0xa9, 0xbb, 0xb5, 0x9f, 0x91, 0x83, 0x8d -}; - -// Xor's all elements in a n byte array a by b -static void xor (byte *a, const byte *b, int n) { - int i; - for (i = 0; i < n; i++) { - a[i] ^= b[i]; - } -} - -// Xor the current cipher state by a specific round key -static void xor_round_key(byte *state, const byte *keys, int round) { - xor(state, keys + round * 16, 16); -} - -// Apply the rijndael s-box to all elements in an array -// http://en.wikipedia.org/wiki/Rijndael_S-box -static void sub_bytes(byte *a, int n) { - int i; - for (i = 0; i < n; i++) { - a[i] = lookup_sbox[a[i]]; - } -} -static void sub_bytes_inv(byte *a, int n) { - int i; - for (i = 0; i < n; i++) { - a[i] = lookup_sbox_inv[a[i]]; - } -} - -// Rotate the first four bytes of the input eight bits to the left -static inline void rot_word(byte *a) { - byte temp = a[0]; - a[0] = a[1]; - a[1] = a[2]; - a[2] = a[3]; - a[3] = temp; -} - -// Perform the core key schedule transform on 4 bytes, as part of the key expansion process -// http://en.wikipedia.org/wiki/Rijndael_key_schedule#Key_schedule_core -static void key_schedule_core(byte *a, int i) { - byte temp = a[0]; // Rotate the output eight bits to the left - a[0] = a[1]; - a[1] = a[2]; - a[2] = a[3]; - a[3] = temp; - sub_bytes(a, 4); // Apply Rijndael's S-box on all four individual bytes in the output word - a[0] ^= lookup_rcon[i]; // On just the first (leftmost) byte of the output word, perform the rcon operation with i - // as the input, and exclusive or the rcon output with the first byte of the output word -} - -// Expand the 16-byte key to 11 round keys (176 bytes) -// http://en.wikipedia.org/wiki/Rijndael_key_schedule#The_key_schedule -void OQS_AES128_ECB_load_schedule(const uint8_t *key, void **_schedule, int for_encryption) { - *_schedule = malloc(16 * 11); - OQS_EXIT_IF_NULLPTR(*_schedule); - uint8_t *schedule = (uint8_t *) *_schedule; - int bytes = 16; // The count of how many bytes we've created so far - int i = 1; // The rcon iteration value i is set to 1 - int j; // For repeating the second stage 3 times - byte t[4]; // Temporary working area known as 't' in the Wiki article - memcpy(schedule, key, 16); // The first 16 bytes of the expanded key are simply the encryption key - - while (bytes < 176) { // Until we have 176 bytes of expanded key, we do the following: - memcpy(t, schedule + bytes - 4, 4); // We assign the value of the previous four bytes in the expanded key to t - key_schedule_core(t, i); // We perform the key schedule core on t, with i as the rcon iteration value - i++; // We increment i by 1 - xor(t, schedule + bytes - 16, 4); // We exclusive-or t with the four-byte block 16 bytes before the new expanded key. - memcpy(schedule + bytes, t, 4); // This becomes the next 4 bytes in the expanded key - bytes += 4; // Keep track of how many expanded key bytes we've added - - // We then do the following three times to create the next twelve bytes - for (j = 0; j < 3; j++) { - memcpy(t, schedule + bytes - 4, 4); // We assign the value of the previous 4 bytes in the expanded key to t - xor(t, schedule + bytes - 16, 4); // We exclusive-or t with the four-byte block n bytes before - memcpy(schedule + bytes, t, 4); // This becomes the next 4 bytes in the expanded key - bytes += 4; // Keep track of how many expanded key bytes we've added - } - } -} - -void OQS_AES128_free_schedule(void *schedule) { - if (schedule != NULL) { - OQS_MEM_secure_free(schedule, 176); - } -} - -// Expand the 16-byte key to 15 round keys (240 bytes) -// http://en.wikipedia.org/wiki/Rijndael_key_schedule#The_key_schedule -void OQS_AES256_ECB_load_schedule(const uint8_t *key, void **_schedule, int for_encryption) { - *_schedule = malloc(16 * 15); - OQS_EXIT_IF_NULLPTR(*_schedule); - uint8_t *schedule = (uint8_t *) *_schedule; - int i = 0; // The count of how many iterations we've done - uint8_t t[4]; // Temporary working area - - // The first 32 bytes of the expanded key are simply the encryption key - memcpy(schedule, key, 8 * 4); - - // The remaining 240-32 bytes of the expanded key are computed in one of three ways: - for (i = 8; i < 4 * 15; i++) { - if (i % 8 == 0) { - memcpy(t, schedule + 4 * (i - 1), 4); // We assign the value of the previous 4 bytes in the expanded key to t - sub_bytes(t, 4); // We apply byte-wise substitution to t - rot_word(t); // We rotate t one byte left - t[0] ^= lookup_rcon[i / 8]; // We xor in the round constant - xor(t, schedule + 4 * (i - 8), 4); // We xor in the four-byte block n bytes before - memcpy(schedule + 4 * i, t, 4); // This becomes the next 4 bytes in the expanded key - } else if (i % 8 == 4) { - memcpy(t, schedule + 4 * (i - 1), 4); // We assign the value of the previous 4 bytes in the expanded key to t - sub_bytes(t, 4); // We apply byte-wise substitution to t - xor(t, schedule + 4 * (i - 8), 4); // We xor in the four-byte block n bytes before - memcpy(schedule + 4 * i, t, 4); // This becomes the next 4 bytes in the expanded key - } else { - memcpy(t, schedule + 4 * (i - 1), 4); // We assign the value of the previous 4 bytes in the expanded key to t - xor(t, schedule + 4 * (i - 8), 4); // We xor in the four-byte block n bytes before - memcpy(schedule + 4 * i, t, 4); // This becomes the next 4 bytes in the expanded key - } - } -} - -void OQS_AES256_CTR_load_schedule(const uint8_t *key, void **_schedule) { - OQS_AES256_ECB_load_schedule(key, _schedule, 1); -} - -/** copied from common.c **/ - -void OQS_MEM_cleanse(void *ptr, size_t len) { -#if defined(_WIN32) - SecureZeroMemory(ptr, len); -#elif defined(HAVE_MEMSET_S) - if (0U < len && memset_s(ptr, (rsize_t)len, 0, (rsize_t)len) != 0) { - abort(); - } -#else - typedef void *(*memset_t)(void *, int, size_t); - static volatile memset_t memset_func = memset; - memset_func(ptr, 0, len); -#endif -} - -void OQS_MEM_secure_free(void *ptr, size_t len) { - if (ptr != NULL) { - OQS_MEM_cleanse(ptr, len); - free(ptr); // IGNORE free-check - } -} - -void OQS_AES256_free_schedule(void *schedule) { - if (schedule != NULL) { - OQS_MEM_secure_free(schedule, 16 * 15); - } -} - -// Apply the shift rows step on the 16 byte cipher state -// http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#The_ShiftRows_step -static void shift_rows(byte *state) { - int i; - byte temp[16]; - memcpy(temp, state, 16); - for (i = 0; i < 16; i++) { - state[i] = temp[shift_rows_table[i]]; - } -} -static void shift_rows_inv(byte *state) { - int i; - byte temp[16]; - memcpy(temp, state, 16); - for (i = 0; i < 16; i++) { - state[i] = temp[shift_rows_table_inv[i]]; - } -} - -// Perform the mix columns matrix on one column of 4 bytes -// http://en.wikipedia.org/wiki/Rijndael_mix_columns -static void mix_col(byte *state) { - byte a0 = state[0]; - byte a1 = state[1]; - byte a2 = state[2]; - byte a3 = state[3]; - state[0] = lookup_g2[a0] ^ lookup_g3[a1] ^ a2 ^ a3; - state[1] = lookup_g2[a1] ^ lookup_g3[a2] ^ a3 ^ a0; - state[2] = lookup_g2[a2] ^ lookup_g3[a3] ^ a0 ^ a1; - state[3] = lookup_g2[a3] ^ lookup_g3[a0] ^ a1 ^ a2; -} - -// Perform the mix columns matrix on each column of the 16 bytes -static void mix_cols(byte *state) { - mix_col(state); - mix_col(state + 4); - mix_col(state + 8); - mix_col(state + 12); -} - -// Perform the inverse mix columns matrix on one column of 4 bytes -// http://en.wikipedia.org/wiki/Rijndael_mix_columns -static void mix_col_inv(byte *state) { - byte a0 = state[0]; - byte a1 = state[1]; - byte a2 = state[2]; - byte a3 = state[3]; - state[0] = lookup_g14[a0] ^ lookup_g9[a3] ^ lookup_g13[a2] ^ lookup_g11[a1]; - state[1] = lookup_g14[a1] ^ lookup_g9[a0] ^ lookup_g13[a3] ^ lookup_g11[a2]; - state[2] = lookup_g14[a2] ^ lookup_g9[a1] ^ lookup_g13[a0] ^ lookup_g11[a3]; - state[3] = lookup_g14[a3] ^ lookup_g9[a2] ^ lookup_g13[a1] ^ lookup_g11[a0]; -} - -// Perform the inverse mix columns matrix on each column of the 16 bytes -static void mix_cols_inv(byte *state) { - mix_col_inv(state); - mix_col_inv(state + 4); - mix_col_inv(state + 8); - mix_col_inv(state + 12); -} - -void oqs_aes128_enc_sch_block_c(const uint8_t *plaintext, const void *_schedule, uint8_t *ciphertext) { - const uint8_t *schedule = (const uint8_t *) _schedule; - int i; // To count the rounds - - // First Round - memcpy(ciphertext, plaintext, 16); - xor_round_key(ciphertext, schedule, 0); - - // Middle rounds - for (i = 0; i < 9; i++) { - sub_bytes(ciphertext, 16); - shift_rows(ciphertext); - mix_cols(ciphertext); - xor_round_key(ciphertext, schedule, i + 1); - } - - // Final Round - sub_bytes(ciphertext, 16); - shift_rows(ciphertext); - xor_round_key(ciphertext, schedule, 10); -} - -void oqs_aes128_dec_sch_block_c(const uint8_t *ciphertext, const void *_schedule, uint8_t *plaintext) { - const uint8_t *schedule = (const uint8_t *) _schedule; - int i; // To count the rounds - - // Reverse the final Round - memcpy(plaintext, ciphertext, 16); - xor_round_key(plaintext, schedule, 10); - shift_rows_inv(plaintext); - sub_bytes_inv(plaintext, 16); - - // Reverse the middle rounds - for (i = 0; i < 9; i++) { - xor_round_key(plaintext, schedule, 9 - i); - mix_cols_inv(plaintext); - shift_rows_inv(plaintext); - sub_bytes_inv(plaintext, 16); - } - - // Reverse the first Round - xor_round_key(plaintext, schedule, 0); -} - -void oqs_aes256_enc_sch_block_c(const uint8_t *plaintext, const void *_schedule, uint8_t *ciphertext) { - const uint8_t *schedule = (const uint8_t *) _schedule; - int i; // To count the rounds - - // First Round - memcpy(ciphertext, plaintext, 16); - xor_round_key(ciphertext, schedule, 0); - - // Middle rounds - for (i = 0; i < 13; i++) { - sub_bytes(ciphertext, 16); - shift_rows(ciphertext); - mix_cols(ciphertext); - xor_round_key(ciphertext, schedule, i + 1); - } - - // Final Round - sub_bytes(ciphertext, 16); - shift_rows(ciphertext); - xor_round_key(ciphertext, schedule, 14); -} - -void oqs_aes256_dec_sch_block_c(const uint8_t *ciphertext, const void *_schedule, uint8_t *plaintext) { - const uint8_t *schedule = (const uint8_t *) _schedule; - int i; // To count the rounds - - // Reverse the final Round - memcpy(plaintext, ciphertext, 16); - xor_round_key(plaintext, schedule, 14); - shift_rows_inv(plaintext); - sub_bytes_inv(plaintext, 16); - - // Reverse the middle rounds - for (i = 0; i < 13; i++) { - xor_round_key(plaintext, schedule, 13 - i); - mix_cols_inv(plaintext); - shift_rows_inv(plaintext); - sub_bytes_inv(plaintext, 16); - } - - // Reverse the first Round - xor_round_key(plaintext, schedule, 0); -} - -void OQS_AES128_ECB_enc(const uint8_t *plaintext, const size_t plaintext_len, const uint8_t *key, uint8_t *ciphertext) { - void *schedule = NULL; - OQS_AES128_ECB_load_schedule(key, &schedule, 1); - OQS_AES128_ECB_enc_sch(plaintext, plaintext_len, schedule, ciphertext); - OQS_AES128_free_schedule(schedule); -} - -void OQS_AES128_ECB_enc_sch(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext) { - assert(plaintext_len % 16 == 0); - for (size_t block = 0; block < plaintext_len / 16; block++) { - oqs_aes128_enc_sch_block_c(plaintext + (16 * block), schedule, ciphertext + (16 * block)); - } -} - -void OQS_AES128_ECB_dec(const uint8_t *ciphertext, const size_t ciphertext_len, const uint8_t *key, uint8_t *plaintext) { - void *schedule = NULL; - OQS_AES128_ECB_load_schedule(key, &schedule, 0); - OQS_AES128_ECB_dec_sch(ciphertext, ciphertext_len, schedule, plaintext); - OQS_AES128_free_schedule(schedule); -} - -void OQS_AES128_ECB_dec_sch(const uint8_t *ciphertext, const size_t ciphertext_len, const void *schedule, uint8_t *plaintext) { - assert(ciphertext_len % 16 == 0); - for (size_t block = 0; block < ciphertext_len / 16; block++) { - oqs_aes128_dec_sch_block_c(ciphertext + (16 * block), schedule, plaintext + (16 * block)); - } -} - -void OQS_AES256_ECB_enc(const uint8_t *plaintext, const size_t plaintext_len, const uint8_t *key, uint8_t *ciphertext) { - void *schedule = NULL; - OQS_AES256_ECB_load_schedule(key, &schedule, 1); - OQS_AES256_ECB_enc_sch(plaintext, plaintext_len, schedule, ciphertext); - OQS_AES256_free_schedule(schedule); -} - -void OQS_AES256_ECB_enc_sch(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext) { - assert(plaintext_len % 16 == 0); - for (size_t block = 0; block < plaintext_len / 16; block++) { - oqs_aes256_enc_sch_block_c(plaintext + (16 * block), schedule, ciphertext + (16 * block)); - } -} - -void OQS_AES256_ECB_dec(const uint8_t *ciphertext, const size_t ciphertext_len, const uint8_t *key, uint8_t *plaintext) { - void *schedule = NULL; - OQS_AES256_ECB_load_schedule(key, &schedule, 0); - OQS_AES256_ECB_dec_sch(ciphertext, ciphertext_len, schedule, plaintext); - OQS_AES256_free_schedule(schedule); -} - -void OQS_AES256_ECB_dec_sch(const uint8_t *ciphertext, const size_t ciphertext_len, const void *schedule, uint8_t *plaintext) { - assert(ciphertext_len % 16 == 0); - for (size_t block = 0; block < ciphertext_len / 16; block++) { - oqs_aes256_dec_sch_block_c(ciphertext + (16 * block), schedule, plaintext + (16 * block)); - } -} - -static inline uint32_t UINT32_TO_BE(const uint32_t x) { - union { - uint32_t val; - uint8_t bytes[4]; - } y; - - /* As part of the union, these bytes get read when y.val is read */ - y.bytes[0] = (x >> 24) & 0xFF; - y.bytes[1] = (x >> 16) & 0xFF; - y.bytes[2] = (x >> 8) & 0xFF; - /* cppcheck-suppress unreadVariable */ - y.bytes[3] = x & 0xFF; - - return y.val; -} -#define BE_TO_UINT32(n) (uint32_t)((((uint8_t *) &(n))[0] << 24) | (((uint8_t *) &(n))[1] << 16) | (((uint8_t *) &(n))[2] << 8) | (((uint8_t *) &(n))[3] << 0)) - -void OQS_AES256_CTR_sch(const uint8_t *iv, size_t iv_len, const void *schedule, uint8_t *out, size_t out_len) { - uint8_t block[16]; - uint32_t ctr; - uint32_t ctr_be; - memcpy(block, iv, 12); - if (iv_len == 12) { - ctr = 0; - } else if (iv_len == 16) { - memcpy(&ctr_be, &iv[12], 4); - - /* ctr_be gets cast to a uint8_t* before being accessed; the non-zero indices are valid */ - /* cppcheck-suppress objectIndex */ - ctr = BE_TO_UINT32(ctr_be); - } else { - exit(EXIT_FAILURE); - } - while (out_len >= 16) { - ctr_be = UINT32_TO_BE(ctr); - memcpy(&block[12], (uint8_t *) &ctr_be, 4); - oqs_aes256_enc_sch_block_c(block, schedule, out); - out += 16; - out_len -= 16; - ctr++; - } - if (out_len > 0) { - uint8_t tmp[16]; - ctr_be = UINT32_TO_BE(ctr); - memcpy(&block[12], (uint8_t *) &ctr_be, 4); - oqs_aes256_enc_sch_block_c(block, schedule, tmp); - memcpy(out, tmp, out_len); - } -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/cbd.c b/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/cbd.c deleted file mode 100644 index 89c62b933a..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/cbd.c +++ /dev/null @@ -1,51 +0,0 @@ -#include "cbd.h" -#include "params.h" - -#include <stddef.h> -#include <stdint.h> - -/************************************************* -* Name: load32_littleendian -* -* Description: load bytes into a 32-bit integer -* in little-endian order -* -* Arguments: - const uint8_t *x: pointer to input byte array -* -* Returns 32-bit unsigned integer loaded from x -**************************************************/ -static uint32_t load32_littleendian(const uint8_t *x) { - uint32_t r; - r = (uint32_t)x[0]; - r |= (uint32_t)x[1] << 8; - r |= (uint32_t)x[2] << 16; - r |= (uint32_t)x[3] << 24; - return r; -} - -/************************************************* -* Name: cbd -* -* Description: Given an array of uniformly random bytes, compute -* polynomial with coefficients distributed according to -* a centered binomial distribution with parameter KYBER_ETA -* specialized for KYBER_ETA=2 -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *buf: pointer to input byte array -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_cbd(poly *r, const uint8_t *buf) { - int16_t a, b; - - for (size_t i = 0; i < KYBER_N / 8; i++) { - uint32_t t = load32_littleendian(buf + 4 * i); - uint32_t d = t & 0x55555555; - d += (t >> 1) & 0x55555555; - - for (size_t j = 0; j < 8; j++) { - a = (d >> 4 * j) & 0x3; - b = (d >> (4 * j + 2)) & 0x3; - r->coeffs[8 * i + j] = a - b; - } - } -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/cbd.h b/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/cbd.h deleted file mode 100644 index a3f4c21d28..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/cbd.h +++ /dev/null @@ -1,8 +0,0 @@ -#ifndef CBD_H -#define CBD_H - -#include "poly.h" - -void PQCLEAN_KYBER51290S_CLEAN_cbd(poly *r, const uint8_t *buf); - -#endif diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/indcpa.c b/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/indcpa.c deleted file mode 100644 index 4c520b693f..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/indcpa.c +++ /dev/null @@ -1,301 +0,0 @@ -#include "indcpa.h" -#include "ntt.h" -#include "params.h" -#include "poly.h" -#include "polyvec.h" -#include "../s2n_pq_random.h" -#include "utils/s2n_safety.h" -#include "symmetric.h" - -#include <stdint.h> - -/************************************************* -* Name: pack_pk -* -* Description: Serialize the public key as concatenation of the -* serialized vector of polynomials pk -* and the public seed used to generate the matrix A. -* -* Arguments: uint8_t *r: pointer to the output serialized public key -* const poly *pk: pointer to the input public-key polynomial -* const uint8_t *seed: pointer to the input public seed -**************************************************/ -static void pack_pk(uint8_t *r, polyvec *pk, const uint8_t *seed) { - PQCLEAN_KYBER51290S_CLEAN_polyvec_tobytes(r, pk); - for (size_t i = 0; i < KYBER_SYMBYTES; i++) { - r[i + KYBER_POLYVECBYTES] = seed[i]; - } -} - -/************************************************* -* Name: unpack_pk -* -* Description: De-serialize public key from a byte array; -* approximate inverse of pack_pk -* -* Arguments: - polyvec *pk: pointer to output public-key vector of polynomials -* - uint8_t *seed: pointer to output seed to generate matrix A -* - const uint8_t *packedpk: pointer to input serialized public key -**************************************************/ -static void unpack_pk(polyvec *pk, uint8_t *seed, const uint8_t *packedpk) { - PQCLEAN_KYBER51290S_CLEAN_polyvec_frombytes(pk, packedpk); - for (size_t i = 0; i < KYBER_SYMBYTES; i++) { - seed[i] = packedpk[i + KYBER_POLYVECBYTES]; - } -} - -/************************************************* -* Name: pack_sk -* -* Description: Serialize the secret key -* -* Arguments: - uint8_t *r: pointer to output serialized secret key -* - const polyvec *sk: pointer to input vector of polynomials (secret key) -**************************************************/ -static void pack_sk(uint8_t *r, polyvec *sk) { - PQCLEAN_KYBER51290S_CLEAN_polyvec_tobytes(r, sk); -} - -/************************************************* -* Name: unpack_sk -* -* Description: De-serialize the secret key; -* inverse of pack_sk -* -* Arguments: - polyvec *sk: pointer to output vector of polynomials (secret key) -* - const uint8_t *packedsk: pointer to input serialized secret key -**************************************************/ -static void unpack_sk(polyvec *sk, const uint8_t *packedsk) { - PQCLEAN_KYBER51290S_CLEAN_polyvec_frombytes(sk, packedsk); -} - -/************************************************* -* Name: pack_ciphertext -* -* Description: Serialize the ciphertext as concatenation of the -* compressed and serialized vector of polynomials b -* and the compressed and serialized polynomial v -* -* Arguments: uint8_t *r: pointer to the output serialized ciphertext -* const poly *pk: pointer to the input vector of polynomials b -* const uint8_t *seed: pointer to the input polynomial v -**************************************************/ -static void pack_ciphertext(uint8_t *r, polyvec *b, poly *v) { - PQCLEAN_KYBER51290S_CLEAN_polyvec_compress(r, b); - PQCLEAN_KYBER51290S_CLEAN_poly_compress(r + KYBER_POLYVECCOMPRESSEDBYTES, v); -} - -/************************************************* -* Name: unpack_ciphertext -* -* Description: De-serialize and decompress ciphertext from a byte array; -* approximate inverse of pack_ciphertext -* -* Arguments: - polyvec *b: pointer to the output vector of polynomials b -* - poly *v: pointer to the output polynomial v -* - const uint8_t *c: pointer to the input serialized ciphertext -**************************************************/ -static void unpack_ciphertext(polyvec *b, poly *v, const uint8_t *c) { - PQCLEAN_KYBER51290S_CLEAN_polyvec_decompress(b, c); - PQCLEAN_KYBER51290S_CLEAN_poly_decompress(v, c + KYBER_POLYVECCOMPRESSEDBYTES); -} - -/************************************************* -* Name: rej_uniform -* -* Description: Run rejection sampling on uniform random bytes to generate -* uniform random integers mod q -* -* Arguments: - int16_t *r: pointer to output buffer -* - size_t len: requested number of 16-bit integers (uniform mod q) -* - const uint8_t *buf: pointer to input buffer (assumed to be uniform random bytes) -* - size_t buflen: length of input buffer in bytes -* -* Returns number of sampled 16-bit integers (at most len) -**************************************************/ -static size_t rej_uniform(int16_t *r, size_t len, const uint8_t *buf, size_t buflen) { - size_t ctr, pos; - - ctr = pos = 0; - while (ctr < len && pos + 2 <= buflen) { - uint16_t val = (uint16_t)(buf[pos] | ((uint16_t)buf[pos + 1] << 8)); - pos += 2; - - if (val < 19 * KYBER_Q) { - val -= (uint16_t)((val >> 12) * KYBER_Q); // Barrett reduction - r[ctr++] = (int16_t)val; - } - } - - return ctr; -} - -#define gen_a(A,B) gen_matrix(A,B,0) -#define gen_at(A,B) gen_matrix(A,B,1) - -/************************************************* -* Name: gen_matrix -* -* Description: Deterministically generate matrix A (or the transpose of A) -* from a seed. Entries of the matrix are polynomials that look -* uniformly random. Performs rejection sampling on output of -* a XOF -* -* Arguments: - polyvec *a: pointer to ouptput matrix A -* - const uint8_t *seed: pointer to input seed -* - int transposed: boolean deciding whether A or A^T is generated -**************************************************/ -#define MAXNBLOCKS ((530+XOF_BLOCKBYTES)/XOF_BLOCKBYTES) /* 530 is expected number of required bytes */ -static void gen_matrix(polyvec *a, const uint8_t *seed, int transposed) { - size_t ctr; - uint8_t i, j; - uint8_t buf[XOF_BLOCKBYTES * MAXNBLOCKS + 1]; - xof_state state; - - for (i = 0; i < KYBER_K; i++) { - for (j = 0; j < KYBER_K; j++) { - if (transposed) { - xof_absorb(&state, seed, i, j); - } else { - xof_absorb(&state, seed, j, i); - } - - xof_squeezeblocks(buf, MAXNBLOCKS, &state); - ctr = rej_uniform(a[i].vec[j].coeffs, KYBER_N, buf, MAXNBLOCKS * XOF_BLOCKBYTES); - - while (ctr < KYBER_N) { - xof_squeezeblocks(buf, 1, &state); - ctr += rej_uniform(a[i].vec[j].coeffs + ctr, KYBER_N - ctr, buf, XOF_BLOCKBYTES); - } - xof_ctx_release(&state); - } - } -} - -/************************************************* -* Name: indcpa_keypair -* -* Description: Generates public and private key for the CPA-secure -* public-key encryption scheme underlying Kyber -* -* Arguments: - uint8_t *pk: pointer to output public key (of length KYBER_INDCPA_PUBLICKEYBYTES bytes) -* - uint8_t *sk: pointer to output private key (of length KYBER_INDCPA_SECRETKEYBYTES bytes) -**************************************************/ -int PQCLEAN_KYBER51290S_CLEAN_indcpa_keypair(uint8_t *pk, uint8_t *sk) { - polyvec a[KYBER_K], e, pkpv, skpv; - uint8_t buf[2 * KYBER_SYMBYTES]; - uint8_t *publicseed = buf; - uint8_t *noiseseed = buf + KYBER_SYMBYTES; - uint8_t nonce = 0; - - POSIX_GUARD_RESULT(s2n_get_random_bytes(buf, KYBER_SYMBYTES)); - hash_g(buf, buf, KYBER_SYMBYTES); - - gen_a(a, publicseed); - - for (size_t i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_CLEAN_poly_getnoise(skpv.vec + i, noiseseed, nonce++); - } - for (size_t i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_CLEAN_poly_getnoise(e.vec + i, noiseseed, nonce++); - } - - PQCLEAN_KYBER51290S_CLEAN_polyvec_ntt(&skpv); - PQCLEAN_KYBER51290S_CLEAN_polyvec_ntt(&e); - - // matrix-vector multiplication - for (size_t i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_CLEAN_polyvec_pointwise_acc(&pkpv.vec[i], &a[i], &skpv); - PQCLEAN_KYBER51290S_CLEAN_poly_frommont(&pkpv.vec[i]); - } - - PQCLEAN_KYBER51290S_CLEAN_polyvec_add(&pkpv, &pkpv, &e); - PQCLEAN_KYBER51290S_CLEAN_polyvec_reduce(&pkpv); - - pack_sk(sk, &skpv); - pack_pk(pk, &pkpv, publicseed); - return 0; -} - -/************************************************* -* Name: indcpa_enc -* -* Description: Encryption function of the CPA-secure -* public-key encryption scheme underlying Kyber. -* -* Arguments: - uint8_t *c: pointer to output ciphertext (of length KYBER_INDCPA_BYTES bytes) -* - const uint8_t *m: pointer to input message (of length KYBER_INDCPA_MSGBYTES bytes) -* - const uint8_t *pk: pointer to input public key (of length KYBER_INDCPA_PUBLICKEYBYTES bytes) -* - const uint8_t *coin: pointer to input random coins used as seed (of length KYBER_SYMBYTES bytes) -* to deterministically generate all randomness -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_indcpa_enc(uint8_t *c, - const uint8_t *m, - const uint8_t *pk, - const uint8_t *coins) { - polyvec sp, pkpv, ep, at[KYBER_K], bp; - poly v, k, epp; - uint8_t seed[KYBER_SYMBYTES]; - uint8_t nonce = 0; - - unpack_pk(&pkpv, seed, pk); - PQCLEAN_KYBER51290S_CLEAN_poly_frommsg(&k, m); - gen_at(at, seed); - - for (size_t i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_CLEAN_poly_getnoise(sp.vec + i, coins, nonce++); - } - for (size_t i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_CLEAN_poly_getnoise(ep.vec + i, coins, nonce++); - } - PQCLEAN_KYBER51290S_CLEAN_poly_getnoise(&epp, coins, nonce++); - - PQCLEAN_KYBER51290S_CLEAN_polyvec_ntt(&sp); - - // matrix-vector multiplication - for (size_t i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_CLEAN_polyvec_pointwise_acc(&bp.vec[i], &at[i], &sp); - } - - PQCLEAN_KYBER51290S_CLEAN_polyvec_pointwise_acc(&v, &pkpv, &sp); - - PQCLEAN_KYBER51290S_CLEAN_polyvec_invntt(&bp); - PQCLEAN_KYBER51290S_CLEAN_poly_invntt(&v); - - PQCLEAN_KYBER51290S_CLEAN_polyvec_add(&bp, &bp, &ep); - PQCLEAN_KYBER51290S_CLEAN_poly_add(&v, &v, &epp); - PQCLEAN_KYBER51290S_CLEAN_poly_add(&v, &v, &k); - PQCLEAN_KYBER51290S_CLEAN_polyvec_reduce(&bp); - PQCLEAN_KYBER51290S_CLEAN_poly_reduce(&v); - - pack_ciphertext(c, &bp, &v); -} - -/************************************************* -* Name: indcpa_dec -* -* Description: Decryption function of the CPA-secure -* public-key encryption scheme underlying Kyber. -* -* Arguments: - uint8_t *m: pointer to output decrypted message (of length KYBER_INDCPA_MSGBYTES) -* - const uint8_t *c: pointer to input ciphertext (of length KYBER_INDCPA_BYTES) -* - const uint8_t *sk: pointer to input secret key (of length KYBER_INDCPA_SECRETKEYBYTES) -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_indcpa_dec(uint8_t *m, - const uint8_t *c, - const uint8_t *sk) { - polyvec bp, skpv; - poly v, mp; - - unpack_ciphertext(&bp, &v, c); - unpack_sk(&skpv, sk); - - PQCLEAN_KYBER51290S_CLEAN_polyvec_ntt(&bp); - PQCLEAN_KYBER51290S_CLEAN_polyvec_pointwise_acc(&mp, &skpv, &bp); - PQCLEAN_KYBER51290S_CLEAN_poly_invntt(&mp); - - PQCLEAN_KYBER51290S_CLEAN_poly_sub(&mp, &v, &mp); - PQCLEAN_KYBER51290S_CLEAN_poly_reduce(&mp); - - PQCLEAN_KYBER51290S_CLEAN_poly_tomsg(m, &mp); -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/indcpa.h b/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/indcpa.h deleted file mode 100644 index 802e72f9e2..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/indcpa.h +++ /dev/null @@ -1,21 +0,0 @@ -#ifndef INDCPA_H -#define INDCPA_H - -#include <stdint.h> - -int PQCLEAN_KYBER51290S_CLEAN_indcpa_keypair( - uint8_t *pk, - uint8_t *sk); - -void PQCLEAN_KYBER51290S_CLEAN_indcpa_enc( - uint8_t *c, - const uint8_t *m, - const uint8_t *pk, - const uint8_t *coins); - -void PQCLEAN_KYBER51290S_CLEAN_indcpa_dec( - uint8_t *m, - const uint8_t *c, - const uint8_t *sk); - -#endif diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/kyber_90s_r2_kem.c b/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/kyber_90s_r2_kem.c deleted file mode 100644 index 5b4c088b11..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/kyber_90s_r2_kem.c +++ /dev/null @@ -1,106 +0,0 @@ -#include "indcpa.h" -#include "params.h" -#include "symmetric.h" -#include "verify.h" - -#include "../s2n_pq_random.h" -#include "utils/s2n_safety.h" -#include "tls/s2n_kem.h" -#include "pq-crypto/s2n_pq.h" - -#include <stdlib.h> - -/************************************************* -* Name: crypto_kem_keypair -* -* Description: Generates public and private key -* for CCA-secure Kyber key encapsulation mechanism -* -* Arguments: - uint8_t *pk: pointer to output public key (an already allocated array of CRYPTO_PUBLICKEYBYTES bytes) -* - uint8_t *sk: pointer to output private key (an already allocated array of CRYPTO_SECRETKEYBYTES bytes) -* -* Returns 0 (success) -**************************************************/ -int kyber_512_90s_r2_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) { - POSIX_ENSURE(s2n_pq_is_enabled(), S2N_ERR_PQ_DISABLED); - size_t i; - PQCLEAN_KYBER51290S_CLEAN_indcpa_keypair(pk, sk); - for (i = 0; i < KYBER_INDCPA_PUBLICKEYBYTES; i++) { - sk[i + KYBER_INDCPA_SECRETKEYBYTES] = pk[i]; - } - hash_h(sk + KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES); - POSIX_GUARD_RESULT(s2n_get_random_bytes(sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES)); /* Value z for pseudo-random output on reject */ - return 0; -} - -/************************************************* -* Name: crypto_kem_enc -* -* Description: Generates cipher text and shared -* secret for given public key -* -* Arguments: - uint8_t *ct: pointer to output cipher text (an already allocated array of CRYPTO_CIPHERTEXTBYTES bytes) -* - uint8_t *ss: pointer to output shared secret (an already allocated array of CRYPTO_BYTES bytes) -* - const uint8_t *pk: pointer to input public key (an already allocated array of CRYPTO_PUBLICKEYBYTES bytes) -* -* Returns 0 (success) -**************************************************/ -int kyber_512_90s_r2_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk) { - POSIX_ENSURE(s2n_pq_is_enabled(), S2N_ERR_PQ_DISABLED); - uint8_t kr[2 * KYBER_SYMBYTES]; /* Will contain key, coins */ - uint8_t buf[2 * KYBER_SYMBYTES]; - - POSIX_GUARD_RESULT(s2n_get_random_bytes(buf, KYBER_SYMBYTES)); - hash_h(buf, buf, KYBER_SYMBYTES); /* Don't release system RNG output */ - - hash_h(buf + KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES); /* Multitarget countermeasure for coins + contributory KEM */ - hash_g(kr, buf, 2 * KYBER_SYMBYTES); - - PQCLEAN_KYBER51290S_CLEAN_indcpa_enc(ct, buf, pk, kr + KYBER_SYMBYTES); /* coins are in kr+KYBER_SYMBYTES */ - - hash_h(kr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); /* overwrite coins in kr with H(c) */ - kdf(ss, kr, 2 * KYBER_SYMBYTES); /* hash concatenation of pre-k and H(c) to k */ - return 0; -} - -/************************************************* -* Name: crypto_kem_dec -* -* Description: Generates shared secret for given -* cipher text and private key -* -* Arguments: - uint8_t *ss: pointer to output shared secret (an already allocated array of CRYPTO_BYTES bytes) -* - const uint8_t *ct: pointer to input cipher text (an already allocated array of CRYPTO_CIPHERTEXTBYTES bytes) -* - const uint8_t *sk: pointer to input private key (an already allocated array of CRYPTO_SECRETKEYBYTES bytes) -* -* Returns 0. -* -* On failure, ss will contain a pseudo-random value. -**************************************************/ -int kyber_512_90s_r2_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk) { - POSIX_ENSURE(s2n_pq_is_enabled(), S2N_ERR_PQ_DISABLED); - size_t i; - uint8_t fail; - uint8_t cmp[KYBER_CIPHERTEXTBYTES]; - uint8_t buf[2 * KYBER_SYMBYTES]; - uint8_t kr[2 * KYBER_SYMBYTES]; /* Will contain key, coins */ - const uint8_t *pk = sk + KYBER_INDCPA_SECRETKEYBYTES; - - PQCLEAN_KYBER51290S_CLEAN_indcpa_dec(buf, ct, sk); - - for (i = 0; i < KYBER_SYMBYTES; i++) { /* Multitarget countermeasure for coins + contributory KEM */ - buf[KYBER_SYMBYTES + i] = sk[KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES + i]; /* Save hash by storing H(pk) in sk */ - } - hash_g(kr, buf, 2 * KYBER_SYMBYTES); - - PQCLEAN_KYBER51290S_CLEAN_indcpa_enc(cmp, buf, pk, kr + KYBER_SYMBYTES); /* coins are in kr+KYBER_SYMBYTES */ - - fail = PQCLEAN_KYBER51290S_CLEAN_verify(ct, cmp, KYBER_CIPHERTEXTBYTES); - - hash_h(kr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); /* overwrite coins in kr with H(c) */ - - PQCLEAN_KYBER51290S_CLEAN_cmov(kr, sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES, fail); /* Overwrite pre-k with z on re-encryption failure */ - - kdf(ss, kr, 2 * KYBER_SYMBYTES); /* hash concatenation of pre-k and H(c) to k */ - return 0; -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/ntt.c b/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/ntt.c deleted file mode 100644 index 28ee4c9562..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/ntt.c +++ /dev/null @@ -1,155 +0,0 @@ -#include "ntt.h" -#include "params.h" -#include "reduce.h" - -#include <stddef.h> -#include <stdint.h> - -/* Code to generate zetas and zetas_inv used in the number-theoretic transform: - -#define KYBER_ROOT_OF_UNITY 17 - -static const uint16_t tree[128] = { - 0, 64, 32, 96, 16, 80, 48, 112, 8, 72, 40, 104, 24, 88, 56, 120, - 4, 68, 36, 100, 20, 84, 52, 116, 12, 76, 44, 108, 28, 92, 60, 124, - 2, 66, 34, 98, 18, 82, 50, 114, 10, 74, 42, 106, 26, 90, 58, 122, - 6, 70, 38, 102, 22, 86, 54, 118, 14, 78, 46, 110, 30, 94, 62, 126, - 1, 65, 33, 97, 17, 81, 49, 113, 9, 73, 41, 105, 25, 89, 57, 121, - 5, 69, 37, 101, 21, 85, 53, 117, 13, 77, 45, 109, 29, 93, 61, 125, - 3, 67, 35, 99, 19, 83, 51, 115, 11, 75, 43, 107, 27, 91, 59, 123, - 7, 71, 39, 103, 23, 87, 55, 119, 15, 79, 47, 111, 31, 95, 63, 127}; - - -static int16_t fqmul(int16_t a, int16_t b) { - return montgomery_reduce((int32_t)a*b); -} - -void init_ntt() { - unsigned int i, j, k; - int16_t tmp[128]; - - tmp[0] = MONT; - for(i = 1; i < 128; ++i) - tmp[i] = fqmul(tmp[i-1], KYBER_ROOT_OF_UNITY*MONT % KYBER_Q); - - for(i = 0; i < 128; ++i) - zetas[i] = tmp[tree[i]]; - - k = 0; - for(i = 64; i >= 1; i >>= 1) - for(j = i; j < 2*i; ++j) - zetas_inv[k++] = -tmp[128 - tree[j]]; - - zetas_inv[127] = MONT * (MONT * (KYBER_Q - 1) * ((KYBER_Q - 1)/128) % KYBER_Q) % KYBER_Q; -} - -*/ -const int16_t PQCLEAN_KYBER51290S_CLEAN_zetas[128] = { - 2285, 2571, 2970, 1812, 1493, 1422, 287, 202, 3158, 622, 1577, 182, 962, 2127, 1855, 1468, - 573, 2004, 264, 383, 2500, 1458, 1727, 3199, 2648, 1017, 732, 608, 1787, 411, 3124, 1758, - 1223, 652, 2777, 1015, 2036, 1491, 3047, 1785, 516, 3321, 3009, 2663, 1711, 2167, 126, 1469, - 2476, 3239, 3058, 830, 107, 1908, 3082, 2378, 2931, 961, 1821, 2604, 448, 2264, 677, 2054, - 2226, 430, 555, 843, 2078, 871, 1550, 105, 422, 587, 177, 3094, 3038, 2869, 1574, 1653, - 3083, 778, 1159, 3182, 2552, 1483, 2727, 1119, 1739, 644, 2457, 349, 418, 329, 3173, 3254, - 817, 1097, 603, 610, 1322, 2044, 1864, 384, 2114, 3193, 1218, 1994, 2455, 220, 2142, 1670, - 2144, 1799, 2051, 794, 1819, 2475, 2459, 478, 3221, 3021, 996, 991, 958, 1869, 1522, 1628 -}; - -const int16_t PQCLEAN_KYBER51290S_CLEAN_zetas_inv[128] = { - 1701, 1807, 1460, 2371, 2338, 2333, 308, 108, 2851, 870, 854, 1510, 2535, 1278, 1530, 1185, - 1659, 1187, 3109, 874, 1335, 2111, 136, 1215, 2945, 1465, 1285, 2007, 2719, 2726, 2232, 2512, - 75, 156, 3000, 2911, 2980, 872, 2685, 1590, 2210, 602, 1846, 777, 147, 2170, 2551, 246, - 1676, 1755, 460, 291, 235, 3152, 2742, 2907, 3224, 1779, 2458, 1251, 2486, 2774, 2899, 1103, - 1275, 2652, 1065, 2881, 725, 1508, 2368, 398, 951, 247, 1421, 3222, 2499, 271, 90, 853, - 1860, 3203, 1162, 1618, 666, 320, 8, 2813, 1544, 282, 1838, 1293, 2314, 552, 2677, 2106, - 1571, 205, 2918, 1542, 2721, 2597, 2312, 681, 130, 1602, 1871, 829, 2946, 3065, 1325, 2756, - 1861, 1474, 1202, 2367, 3147, 1752, 2707, 171, 3127, 3042, 1907, 1836, 1517, 359, 758, 1441 -}; - - -/************************************************* -* Name: fqmul -* -* Description: Multiplication followed by Montgomery reduction -* -* Arguments: - int16_t a: first factor -* - int16_t b: second factor -* -* Returns 16-bit integer congruent to a*b*R^{-1} mod q -**************************************************/ -static int16_t fqmul(int16_t a, int16_t b) { - return PQCLEAN_KYBER51290S_CLEAN_montgomery_reduce((int32_t)a * b); -} - -/************************************************* -* Name: ntt -* -* Description: Inplace number-theoretic transform (NTT) in Rq -* input is in standard order, output is in bitreversed order -* -* Arguments: - int16_t poly[256]: pointer to input/output vector of elements of Zq -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_ntt(int16_t poly[256]) { - size_t j, k = 1; - int16_t t, zeta; - - for (size_t len = 128; len >= 2; len >>= 1) { - for (size_t start = 0; start < 256; start = j + len) { - zeta = PQCLEAN_KYBER51290S_CLEAN_zetas[k++]; - for (j = start; j < start + len; ++j) { - t = fqmul(zeta, poly[j + len]); - poly[j + len] = poly[j] - t; - poly[j] = poly[j] + t; - } - } - } -} - -/************************************************* -* Name: invntt -* -* Description: Inplace inverse number-theoretic transform in Rq -* input is in bitreversed order, output is in standard order -* -* Arguments: - int16_t poly[256]: pointer to input/output vector of elements of Zq -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_invntt(int16_t poly[256]) { - size_t j, k = 0; - int16_t t, zeta; - - for (size_t len = 2; len <= 128; len <<= 1) { - for (size_t start = 0; start < 256; start = j + len) { - zeta = PQCLEAN_KYBER51290S_CLEAN_zetas_inv[k++]; - for (j = start; j < start + len; ++j) { - t = poly[j]; - poly[j] = PQCLEAN_KYBER51290S_CLEAN_barrett_reduce(t + poly[j + len]); - poly[j + len] = t - poly[j + len]; - poly[j + len] = fqmul(zeta, poly[j + len]); - } - } - } - - for (j = 0; j < 256; ++j) { - poly[j] = fqmul(poly[j], PQCLEAN_KYBER51290S_CLEAN_zetas_inv[127]); - } -} - -/************************************************* -* Name: basemul -* -* Description: Multiplication of polynomials in Zq[X]/((X^2-zeta)) -* used for multiplication of elements in Rq in NTT domain -* -* Arguments: - int16_t r[2]: pointer to the output polynomial -* - const int16_t a[2]: pointer to the first factor -* - const int16_t b[2]: pointer to the second factor -* - int16_t zeta: integer defining the reduction polynomial -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], int16_t zeta) { - r[0] = fqmul(a[1], b[1]); - r[0] = fqmul(r[0], zeta); - r[0] += fqmul(a[0], b[0]); - - r[1] = fqmul(a[0], b[1]); - r[1] += fqmul(a[1], b[0]); -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/ntt.h b/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/ntt.h deleted file mode 100644 index 66fc5a9484..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/ntt.h +++ /dev/null @@ -1,13 +0,0 @@ -#ifndef NTT_H -#define NTT_H - -#include <stdint.h> - -extern const int16_t PQCLEAN_KYBER51290S_CLEAN_zetas[128]; -extern const int16_t PQCLEAN_KYBER51290S_CLEAN_zetasinv[128]; - -void PQCLEAN_KYBER51290S_CLEAN_ntt(int16_t poly[256]); -void PQCLEAN_KYBER51290S_CLEAN_invntt(int16_t poly[256]); -void PQCLEAN_KYBER51290S_CLEAN_basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], int16_t zeta); - -#endif diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/params.h b/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/params.h deleted file mode 100644 index d086d4c694..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/params.h +++ /dev/null @@ -1,32 +0,0 @@ -#ifndef PARAMS_H -#define PARAMS_H - - -/* Don't change parameters below this line */ - -#define KYBER_N 256 -#define KYBER_Q 3329 - -#define KYBER_ETA 2 - -#define KYBER_SYMBYTES 32 /* size in bytes of hashes, and seeds */ -#define KYBER_SSBYTES 32 /* size in bytes of shared key */ - -#define KYBER_POLYBYTES 384 -#define KYBER_POLYVECBYTES (KYBER_K * KYBER_POLYBYTES) - - -#define KYBER_K 2 -#define KYBER_POLYCOMPRESSEDBYTES 96 -#define KYBER_POLYVECCOMPRESSEDBYTES (KYBER_K * 320) - -#define KYBER_INDCPA_MSGBYTES KYBER_SYMBYTES -#define KYBER_INDCPA_PUBLICKEYBYTES (KYBER_POLYVECBYTES + KYBER_SYMBYTES) -#define KYBER_INDCPA_SECRETKEYBYTES (KYBER_POLYVECBYTES) -#define KYBER_INDCPA_BYTES (KYBER_POLYVECCOMPRESSEDBYTES + KYBER_POLYCOMPRESSEDBYTES) - -#define KYBER_PUBLICKEYBYTES (KYBER_INDCPA_PUBLICKEYBYTES) -#define KYBER_SECRETKEYBYTES (KYBER_INDCPA_SECRETKEYBYTES + KYBER_INDCPA_PUBLICKEYBYTES + 2*KYBER_SYMBYTES) /* 32 bytes of additional space to save H(pk) */ -#define KYBER_CIPHERTEXTBYTES KYBER_INDCPA_BYTES - -#endif diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/poly.c b/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/poly.c deleted file mode 100644 index f7e8ef87e8..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/poly.c +++ /dev/null @@ -1,277 +0,0 @@ -#include "cbd.h" -#include "ntt.h" -#include "params.h" -#include "poly.h" -#include "reduce.h" -#include "symmetric.h" - -#include <stdint.h> -/************************************************* -* Name: poly_compress -* -* Description: Compression and subsequent serialization of a polynomial -* -* Arguments: - uint8_t *r: pointer to output byte array (needs space for KYBER_POLYCOMPRESSEDBYTES bytes) -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_poly_compress(uint8_t *r, poly *a) { - uint8_t t[8]; - size_t k = 0; - - PQCLEAN_KYBER51290S_CLEAN_poly_csubq(a); - - for (size_t i = 0; i < KYBER_N; i += 8) { - for (size_t j = 0; j < 8; j++) { - t[j] = ((((uint32_t)a->coeffs[i + j] << 3) + KYBER_Q / 2) / KYBER_Q) & 7; - } - - r[k] = (uint8_t)( t[0] | (t[1] << 3) | (t[2] << 6)); - r[k + 1] = (uint8_t)((t[2] >> 2) | (t[3] << 1) | (t[4] << 4) | (t[5] << 7)); - r[k + 2] = (uint8_t)((t[5] >> 1) | (t[6] << 2) | (t[7] << 5)); - k += 3; - } -} - -/************************************************* -* Name: poly_decompress -* -* Description: De-serialization and subsequent decompression of a polynomial; -* approximate inverse of poly_compress -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *a: pointer to input byte array (of length KYBER_POLYCOMPRESSEDBYTES bytes) -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_poly_decompress(poly *r, const uint8_t *a) { - for (size_t i = 0; i < KYBER_N; i += 8) { - r->coeffs[i + 0] = (int16_t)( (((a[0] & 7) * KYBER_Q) + 4) >> 3); - r->coeffs[i + 1] = (int16_t)(((((a[0] >> 3) & 7) * KYBER_Q) + 4) >> 3); - r->coeffs[i + 2] = (int16_t)(((((a[0] >> 6) | ((a[1] << 2) & 4)) * KYBER_Q) + 4) >> 3); - r->coeffs[i + 3] = (int16_t)(((((a[1] >> 1) & 7) * KYBER_Q) + 4) >> 3); - r->coeffs[i + 4] = (int16_t)(((((a[1] >> 4) & 7) * KYBER_Q) + 4) >> 3); - r->coeffs[i + 5] = (int16_t)(((((a[1] >> 7) | ((a[2] << 1) & 6)) * KYBER_Q) + 4) >> 3); - r->coeffs[i + 6] = (int16_t)(((((a[2] >> 2) & 7) * KYBER_Q) + 4) >> 3); - r->coeffs[i + 7] = (int16_t)(((((a[2] >> 5)) * KYBER_Q) + 4) >> 3); - a += 3; - } -} - -/************************************************* -* Name: poly_tobytes -* -* Description: Serialization of a polynomial -* -* Arguments: - uint8_t *r: pointer to output byte array (needs space for KYBER_POLYBYTES bytes) -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_poly_tobytes(uint8_t *r, poly *a) { - PQCLEAN_KYBER51290S_CLEAN_poly_csubq(a); - - for (size_t i = 0; i < KYBER_N / 2; i++) { - int16_t t0 = a->coeffs[2 * i]; - int16_t t1 = a->coeffs[2 * i + 1]; - r[3 * i] = t0 & 0xff; - r[3 * i + 1] = (uint8_t)((t0 >> 8) | ((t1 & 0xf) << 4)); - r[3 * i + 2] = (uint8_t)(t1 >> 4); - } -} - -/************************************************* -* Name: poly_frombytes -* -* Description: De-serialization of a polynomial; -* inverse of poly_tobytes -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *a: pointer to input byte array (of KYBER_POLYBYTES bytes) -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_poly_frombytes(poly *r, const uint8_t *a) { - for (size_t i = 0; i < KYBER_N / 2; i++) { - r->coeffs[2 * i] = (int16_t)(a[3 * i] | ((uint16_t)a[3 * i + 1] & 0x0f) << 8); - r->coeffs[2 * i + 1] = (int16_t)(a[3 * i + 1] >> 4 | ((uint16_t)a[3 * i + 2] & 0xff) << 4); - } -} - -/************************************************* -* Name: poly_getnoise -* -* Description: Sample a polynomial deterministically from a seed and a nonce, -* with output polynomial close to centered binomial distribution -* with parameter KYBER_ETA -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *seed: pointer to input seed (pointing to array of length KYBER_SYMBYTES bytes) -* - uint8_t nonce: one-byte input nonce -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_poly_getnoise(poly *r, const uint8_t *seed, uint8_t nonce) { - uint8_t buf[KYBER_ETA * KYBER_N / 4]; - - prf(buf, KYBER_ETA * KYBER_N / 4, seed, nonce); - PQCLEAN_KYBER51290S_CLEAN_cbd(r, buf); -} - -/************************************************* -* Name: poly_ntt -* -* Description: Computes negacyclic number-theoretic transform (NTT) of -* a polynomial in place; -* inputs assumed to be in normal order, output in bitreversed order -* -* Arguments: - uint16_t *r: pointer to in/output polynomial -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_poly_ntt(poly *r) { - PQCLEAN_KYBER51290S_CLEAN_ntt(r->coeffs); - PQCLEAN_KYBER51290S_CLEAN_poly_reduce(r); -} - -/************************************************* -* Name: poly_invntt -* -* Description: Computes inverse of negacyclic number-theoretic transform (NTT) of -* a polynomial in place; -* inputs assumed to be in bitreversed order, output in normal order -* -* Arguments: - uint16_t *a: pointer to in/output polynomial -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_poly_invntt(poly *r) { - PQCLEAN_KYBER51290S_CLEAN_invntt(r->coeffs); -} - -/************************************************* -* Name: poly_basemul -* -* Description: Multiplication of two polynomials in NTT domain -* -* Arguments: - poly *r: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_poly_basemul(poly *r, const poly *a, const poly *b) { - for (size_t i = 0; i < KYBER_N / 4; ++i) { - PQCLEAN_KYBER51290S_CLEAN_basemul( - r->coeffs + 4 * i, - a->coeffs + 4 * i, - b->coeffs + 4 * i, - PQCLEAN_KYBER51290S_CLEAN_zetas[64 + i]); - PQCLEAN_KYBER51290S_CLEAN_basemul( - r->coeffs + 4 * i + 2, - a->coeffs + 4 * i + 2, - b->coeffs + 4 * i + 2, - -PQCLEAN_KYBER51290S_CLEAN_zetas[64 + i]); - } -} - -/************************************************* -* Name: poly_frommont -* -* Description: Inplace conversion of all coefficients of a polynomial -* from Montgomery domain to normal domain -* -* Arguments: - poly *r: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_poly_frommont(poly *r) { - const int16_t f = (1ULL << 32) % KYBER_Q; - - for (size_t i = 0; i < KYBER_N; i++) { - r->coeffs[i] = PQCLEAN_KYBER51290S_CLEAN_montgomery_reduce( - (int32_t)r->coeffs[i] * f); - } -} - -/************************************************* -* Name: poly_reduce -* -* Description: Applies Barrett reduction to all coefficients of a polynomial -* for details of the Barrett reduction see comments in reduce.c -* -* Arguments: - poly *r: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_poly_reduce(poly *r) { - for (size_t i = 0; i < KYBER_N; i++) { - r->coeffs[i] = PQCLEAN_KYBER51290S_CLEAN_barrett_reduce(r->coeffs[i]); - } -} - -/************************************************* -* Name: poly_csubq -* -* Description: Applies conditional subtraction of q to each coefficient of a polynomial -* for details of conditional subtraction of q see comments in reduce.c -* -* Arguments: - poly *r: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_poly_csubq(poly *r) { - for (size_t i = 0; i < KYBER_N; i++) { - r->coeffs[i] = PQCLEAN_KYBER51290S_CLEAN_csubq(r->coeffs[i]); - } -} - -/************************************************* -* Name: poly_add -* -* Description: Add two polynomials -* -* Arguments: - poly *r: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_poly_add(poly *r, const poly *a, const poly *b) { - for (size_t i = 0; i < KYBER_N; i++) { - r->coeffs[i] = a->coeffs[i] + b->coeffs[i]; - } -} - -/************************************************* -* Name: poly_sub -* -* Description: Subtract two polynomials -* -* Arguments: - poly *r: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_poly_sub(poly *r, const poly *a, const poly *b) { - for (size_t i = 0; i < KYBER_N; i++) { - r->coeffs[i] = a->coeffs[i] - b->coeffs[i]; - } -} - -/************************************************* -* Name: poly_frommsg -* -* Description: Convert 32-byte message to polynomial -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *msg: pointer to input message -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_poly_frommsg(poly *r, const uint8_t msg[KYBER_SYMBYTES]) { - uint16_t mask; - - for (size_t i = 0; i < KYBER_SYMBYTES; i++) { - for (size_t j = 0; j < 8; j++) { - mask = -((msg[i] >> j) & 1); - r->coeffs[8 * i + j] = mask & ((KYBER_Q + 1) / 2); - } - } -} - -/************************************************* -* Name: poly_tomsg -* -* Description: Convert polynomial to 32-byte message -* -* Arguments: - uint8_t *msg: pointer to output message -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_poly_tomsg(uint8_t msg[KYBER_SYMBYTES], poly *a) { - uint16_t t; - - PQCLEAN_KYBER51290S_CLEAN_poly_csubq(a); - - for (size_t i = 0; i < KYBER_SYMBYTES; i++) { - msg[i] = 0; - for (size_t j = 0; j < 8; j++) { - t = (((a->coeffs[8 * i + j] << 1) + KYBER_Q / 2) / KYBER_Q) & 1; - msg[i] |= t << j; - } - } -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/poly.h b/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/poly.h deleted file mode 100644 index fbab1da702..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/poly.h +++ /dev/null @@ -1,37 +0,0 @@ -#ifndef POLY_H -#define POLY_H - -#include "params.h" - -#include <stdint.h> -/* - * Elements of R_q = Z_q[X]/(X^n + 1). Represents polynomial - * coeffs[0] + X*coeffs[1] + X^2*xoeffs[2] + ... + X^{n-1}*coeffs[n-1] - */ -typedef struct { - int16_t coeffs[KYBER_N]; -} poly; - -void PQCLEAN_KYBER51290S_CLEAN_poly_compress(uint8_t *r, poly *a); -void PQCLEAN_KYBER51290S_CLEAN_poly_decompress(poly *r, const uint8_t *a); - -void PQCLEAN_KYBER51290S_CLEAN_poly_tobytes(uint8_t *r, poly *a); -void PQCLEAN_KYBER51290S_CLEAN_poly_frombytes(poly *r, const uint8_t *a); - -void PQCLEAN_KYBER51290S_CLEAN_poly_frommsg(poly *r, const uint8_t msg[KYBER_SYMBYTES]); -void PQCLEAN_KYBER51290S_CLEAN_poly_tomsg(uint8_t msg[KYBER_SYMBYTES], poly *a); - -void PQCLEAN_KYBER51290S_CLEAN_poly_getnoise(poly *r, const uint8_t *seed, uint8_t nonce); - -void PQCLEAN_KYBER51290S_CLEAN_poly_ntt(poly *r); -void PQCLEAN_KYBER51290S_CLEAN_poly_invntt(poly *r); -void PQCLEAN_KYBER51290S_CLEAN_poly_basemul(poly *r, const poly *a, const poly *b); -void PQCLEAN_KYBER51290S_CLEAN_poly_frommont(poly *r); - -void PQCLEAN_KYBER51290S_CLEAN_poly_reduce(poly *r); -void PQCLEAN_KYBER51290S_CLEAN_poly_csubq(poly *r); - -void PQCLEAN_KYBER51290S_CLEAN_poly_add(poly *r, const poly *a, const poly *b); -void PQCLEAN_KYBER51290S_CLEAN_poly_sub(poly *r, const poly *a, const poly *b); - -#endif diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/polyvec.c b/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/polyvec.c deleted file mode 100644 index 8d90e7e0c7..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/polyvec.c +++ /dev/null @@ -1,175 +0,0 @@ -#include "polyvec.h" - -#include "poly.h" - -#include <stddef.h> -#include <stdint.h> -/************************************************* -* Name: polyvec_compress -* -* Description: Compress and serialize vector of polynomials -* -* Arguments: - uint8_t *r: pointer to output byte array (needs space for KYBER_POLYVECCOMPRESSEDBYTES) -* - const polyvec *a: pointer to input vector of polynomials -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_polyvec_compress(uint8_t *r, polyvec *a) { - PQCLEAN_KYBER51290S_CLEAN_polyvec_csubq(a); - - uint16_t t[4]; - for (size_t i = 0; i < KYBER_K; i++) { - for (size_t j = 0; j < KYBER_N / 4; j++) { - for (size_t k = 0; k < 4; k++) { - t[k] = ((((uint32_t)a->vec[i].coeffs[4 * j + k] << 10) + KYBER_Q / 2) / KYBER_Q) & 0x3ff; - } - - r[5 * j + 0] = (uint8_t)t[0]; - r[5 * j + 1] = (uint8_t)((t[0] >> 8) | ((t[1] & 0x3f) << 2)); - r[5 * j + 2] = (uint8_t)((t[1] >> 6) | ((t[2] & 0x0f) << 4)); - r[5 * j + 3] = (uint8_t)((t[2] >> 4) | ((t[3] & 0x03) << 6)); - r[5 * j + 4] = (uint8_t)((t[3] >> 2)); - } - r += 320; - } -} - -/************************************************* -* Name: polyvec_decompress -* -* Description: De-serialize and decompress vector of polynomials; -* approximate inverse of polyvec_compress -* -* Arguments: - polyvec *r: pointer to output vector of polynomials -* - uint8_t *a: pointer to input byte array (of length KYBER_POLYVECCOMPRESSEDBYTES) -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_polyvec_decompress(polyvec *r, const uint8_t *a) { - for (size_t i = 0; i < KYBER_K; i++) { - for (size_t j = 0; j < KYBER_N / 4; j++) { - r->vec[i].coeffs[4 * j + 0] = (int16_t)( (((a[5 * j + 0] | (((uint32_t)a[5 * j + 1] & 0x03) << 8)) * KYBER_Q) + 512) >> 10); - r->vec[i].coeffs[4 * j + 1] = (int16_t)(((((a[5 * j + 1] >> 2) | (((uint32_t)a[5 * j + 2] & 0x0f) << 6)) * KYBER_Q) + 512) >> 10); - r->vec[i].coeffs[4 * j + 2] = (int16_t)(((((a[5 * j + 2] >> 4) | (((uint32_t)a[5 * j + 3] & 0x3f) << 4)) * KYBER_Q) + 512) >> 10); - r->vec[i].coeffs[4 * j + 3] = (int16_t)(((((a[5 * j + 3] >> 6) | (((uint32_t)a[5 * j + 4] & 0xff) << 2)) * KYBER_Q) + 512) >> 10); - } - a += 320; - } -} - -/************************************************* -* Name: polyvec_tobytes -* -* Description: Serialize vector of polynomials -* -* Arguments: - uint8_t *r: pointer to output byte array (needs space for KYBER_POLYVECBYTES) -* - const polyvec *a: pointer to input vector of polynomials -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_polyvec_tobytes(uint8_t *r, polyvec *a) { - for (size_t i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_CLEAN_poly_tobytes(r + i * KYBER_POLYBYTES, &a->vec[i]); - } -} - -/************************************************* -* Name: polyvec_frombytes -* -* Description: De-serialize vector of polynomials; -* inverse of polyvec_tobytes -* -* Arguments: - uint8_t *r: pointer to output byte array -* - const polyvec *a: pointer to input vector of polynomials (of length KYBER_POLYVECBYTES) -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_polyvec_frombytes(polyvec *r, const uint8_t *a) { - for (size_t i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_CLEAN_poly_frombytes(&r->vec[i], a + i * KYBER_POLYBYTES); - } -} - -/************************************************* -* Name: polyvec_ntt -* -* Description: Apply forward NTT to all elements of a vector of polynomials -* -* Arguments: - polyvec *r: pointer to in/output vector of polynomials -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_polyvec_ntt(polyvec *r) { - for (size_t i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_CLEAN_poly_ntt(&r->vec[i]); - } -} - -/************************************************* -* Name: polyvec_invntt -* -* Description: Apply inverse NTT to all elements of a vector of polynomials -* -* Arguments: - polyvec *r: pointer to in/output vector of polynomials -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_polyvec_invntt(polyvec *r) { - for (size_t i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_CLEAN_poly_invntt(&r->vec[i]); - } -} - -/************************************************* -* Name: polyvec_pointwise_acc -* -* Description: Pointwise multiply elements of a and b and accumulate into r -* -* Arguments: - poly *r: pointer to output polynomial -* - const polyvec *a: pointer to first input vector of polynomials -* - const polyvec *b: pointer to second input vector of polynomials -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_polyvec_pointwise_acc(poly *r, const polyvec *a, const polyvec *b) { - poly t; - - PQCLEAN_KYBER51290S_CLEAN_poly_basemul(r, &a->vec[0], &b->vec[0]); - for (size_t i = 1; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_CLEAN_poly_basemul(&t, &a->vec[i], &b->vec[i]); - PQCLEAN_KYBER51290S_CLEAN_poly_add(r, r, &t); - } - - PQCLEAN_KYBER51290S_CLEAN_poly_reduce(r); -} - -/************************************************* -* Name: polyvec_reduce -* -* Description: Applies Barrett reduction to each coefficient -* of each element of a vector of polynomials -* for details of the Barrett reduction see comments in reduce.c -* -* Arguments: - poly *r: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_polyvec_reduce(polyvec *r) { - for (size_t i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_CLEAN_poly_reduce(&r->vec[i]); - } -} - -/************************************************* -* Name: polyvec_csubq -* -* Description: Applies conditional subtraction of q to each coefficient -* of each element of a vector of polynomials -* for details of conditional subtraction of q see comments in reduce.c -* -* Arguments: - poly *r: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_polyvec_csubq(polyvec *r) { - for (size_t i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_CLEAN_poly_csubq(&r->vec[i]); - } -} - -/************************************************* -* Name: polyvec_add -* -* Description: Add vectors of polynomials -* -* Arguments: - polyvec *r: pointer to output vector of polynomials -* - const polyvec *a: pointer to first input vector of polynomials -* - const polyvec *b: pointer to second input vector of polynomials -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b) { - for (size_t i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_CLEAN_poly_add(&r->vec[i], &a->vec[i], &b->vec[i]); - } -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/polyvec.h b/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/polyvec.h deleted file mode 100644 index abf3fb9bfc..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/polyvec.h +++ /dev/null @@ -1,29 +0,0 @@ -#ifndef POLYVEC_H -#define POLYVEC_H - -#include "params.h" -#include "poly.h" - -#include <stdint.h> - -typedef struct { - poly vec[KYBER_K]; -} polyvec; - -void PQCLEAN_KYBER51290S_CLEAN_polyvec_compress(uint8_t *r, polyvec *a); -void PQCLEAN_KYBER51290S_CLEAN_polyvec_decompress(polyvec *r, const uint8_t *a); - -void PQCLEAN_KYBER51290S_CLEAN_polyvec_tobytes(uint8_t *r, polyvec *a); -void PQCLEAN_KYBER51290S_CLEAN_polyvec_frombytes(polyvec *r, const uint8_t *a); - -void PQCLEAN_KYBER51290S_CLEAN_polyvec_ntt(polyvec *r); -void PQCLEAN_KYBER51290S_CLEAN_polyvec_invntt(polyvec *r); - -void PQCLEAN_KYBER51290S_CLEAN_polyvec_pointwise_acc(poly *r, const polyvec *a, const polyvec *b); - -void PQCLEAN_KYBER51290S_CLEAN_polyvec_reduce(polyvec *r); -void PQCLEAN_KYBER51290S_CLEAN_polyvec_csubq(polyvec *r); - -void PQCLEAN_KYBER51290S_CLEAN_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b); - -#endif diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/reduce.c b/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/reduce.c deleted file mode 100644 index 2447fef117..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/reduce.c +++ /dev/null @@ -1,61 +0,0 @@ -#include "reduce.h" - -#include "params.h" - -#include <stdint.h> -/************************************************* -* Name: montgomery_reduce -* -* Description: Montgomery reduction; given a 32-bit integer a, computes -* 16-bit integer congruent to a * R^-1 mod q, -* where R=2^16 -* -* Arguments: - int32_t a: input integer to be reduced; has to be in {-q2^15,...,q2^15-1} -* -* Returns: integer in {-q+1,...,q-1} congruent to a * R^-1 modulo q. -**************************************************/ -int16_t PQCLEAN_KYBER51290S_CLEAN_montgomery_reduce(int32_t a) { - int32_t t; - int16_t u; - - u = (int16_t)(a * (int64_t)QINV); - t = (int32_t)u * KYBER_Q; - t = a - t; - t >>= 16; - return (int16_t)t; -} - -/************************************************* -* Name: barrett_reduce -* -* Description: Barrett reduction; given a 16-bit integer a, computes -* 16-bit integer congruent to a mod q in {0,...,q} -* -* Arguments: - int16_t a: input integer to be reduced -* -* Returns: integer in {0,...,q} congruent to a modulo q. -**************************************************/ -int16_t PQCLEAN_KYBER51290S_CLEAN_barrett_reduce(int16_t a) { - int32_t t; - const int32_t v = (1U << 26) / KYBER_Q + 1; - - t = v * a; - t >>= 26; - t *= KYBER_Q; - return a - (int16_t)t; -} - -/************************************************* -* Name: csubq -* -* Description: Conditionallly subtract q -* -* Arguments: - int16_t a: input integer -* -* Returns: a - q if a >= q, else a -**************************************************/ -int16_t PQCLEAN_KYBER51290S_CLEAN_csubq(int16_t a) { - a -= KYBER_Q; - a += (a >> 15) & KYBER_Q; - return a; -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/reduce.h b/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/reduce.h deleted file mode 100644 index f9a9b76213..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/reduce.h +++ /dev/null @@ -1,15 +0,0 @@ -#ifndef REDUCE_H -#define REDUCE_H - -#include <stdint.h> - -#define MONT 2285 // 2^16 % Q -#define QINV 62209 // q^(-1) mod 2^16 - -int16_t PQCLEAN_KYBER51290S_CLEAN_montgomery_reduce(int32_t a); - -int16_t PQCLEAN_KYBER51290S_CLEAN_barrett_reduce(int16_t a); - -int16_t PQCLEAN_KYBER51290S_CLEAN_csubq(int16_t a); - -#endif diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/sha2.h b/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/sha2.h deleted file mode 100644 index 05d16074d4..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/sha2.h +++ /dev/null @@ -1,254 +0,0 @@ -// SPDX-License-Identifier: MIT - -#ifndef SHA2_H -#define SHA2_H - -#include <stddef.h> -#include <stdint.h> - -#define PQC_SHA256CTX_BYTES 40 -#define PQC_SHA512CTX_BYTES 72 - -typedef struct { - uint8_t *ctx; -} sha256ctx; -#define sha256_inc_init oqs_sha2_sha256_inc_init -#define sha256_inc_ctx_clone oqs_sha2_sha256_inc_ctx_clone -#define sha256_inc_ctx_release oqs_sha2_sha256_inc_ctx_release -#define sha256_inc_blocks oqs_sha2_sha256_inc_blocks -#define sha256_inc_finalize oqs_sha2_sha256_inc_finalize -#define sha256 OQS_SHA2_sha256 - -typedef struct { - uint8_t *ctx; -} sha512ctx; -#define sha512_inc_init oqs_sha2_sha512_inc_init -#define sha512_inc_ctx_clone oqs_sha2_sha512_inc_ctx_clone -#define sha512_inc_ctx_release oqs_sha2_sha512_inc_ctx_release -#define sha512_inc_blocks oqs_sha2_sha512_inc_blocks -#define sha512_inc_finalize oqs_sha2_sha512_inc_finalize -#define sha512 OQS_SHA2_sha512 - -/** - * \brief Process a message with SHA-256 and return the hash code in the output byte array. - * - * \warning The output array must be at least 32 bytes in length. - * - * \param output The output byte array - * \param input The message input byte array - * \param inplen The number of message bytes to process - */ -void OQS_SHA2_sha256(uint8_t *output, const uint8_t *input, size_t inplen); - -/** Data structure for the state of the SHA-256 incremental hashing API. */ -typedef struct { - /** Internal state */ - void *ctx; -} OQS_SHA2_sha256_ctx; - -/** - * \brief Allocate and initialize the state for the SHA-256 incremental hashing API. - * - * \warning The state must be released by OQS_SHA2_sha256_inc_finalize - * or OQS_SHA2_sha256_inc_ctx_release. - * - * \param state Pointer to the state - */ -void OQS_SHA2_sha256_inc_init(OQS_SHA2_sha256_ctx *state); - -/** - * \brief Duplicate state for the SHA-256 incremental hashing API. - * - * \warning dest must be allocated by the caller. Caller is responsible - * for releasing dest by calling either OQS_SHA3_sha3_256_inc_finalize or - * OQS_SHA3_sha3_256_inc_ctx_release. - * - * \param dest The function state to copy into; must be initialized - * \param src The function state to copy; must be initialized - */ -void OQS_SHA2_sha256_inc_ctx_clone(OQS_SHA2_sha256_ctx *dest, const OQS_SHA2_sha256_ctx *src); - -/** - * \brief Process blocks with SHA-256 and update the state. - * - * \warning The state must be initialized by OQS_SHA2_sha256_inc_init or OQS_SHA2_sha256_inc_ctx_clone. - * - * \param state The state to update - * \param in Message input byte array - * \param inblocks The number of blocks of message bytes to process - */ -void OQS_SHA2_sha256_inc_blocks(OQS_SHA2_sha256_ctx *state, const uint8_t *in, size_t inblocks); - -/** - * \brief Process more message bytes with SHA-256 and return the hash code in the output byte array. - * - * \warning The output array must be at least 32 bytes in length. The state is - * deallocated by this function and can not be used again after calling - * this function without calling OQS_SHA2_sha256_inc_init again. - * - * \param out The output byte array - * \param state The state - * \param in Additional message input byte array - * \param inlen The number of additional message bytes to process - */ -void OQS_SHA2_sha256_inc_finalize(uint8_t *out, OQS_SHA2_sha256_ctx *state, const uint8_t *in, size_t inlen); - -/** - * \brief Destroy state. - * - * \warning The state is deallocated by this function and can not be used again after calling - * this function without calling OQS_SHA2_sha256_inc_init again. - * - * \param state The state - */ -void OQS_SHA2_sha256_inc_ctx_release(OQS_SHA2_sha256_ctx *state); - -/** - * \brief Process a message with SHA-384 and return the hash code in the output byte array. - * - * \warning The output array must be at least 48 bytes in length. - * - * \param output The output byte array - * \param input The message input byte array - * \param inplen The number of message bytes to process - */ -void OQS_SHA2_sha384(uint8_t *output, const uint8_t *input, size_t inplen); - -/** Data structure for the state of the SHA-384 incremental hashing API. */ -typedef struct { - /** Internal state. */ - void *ctx; -} OQS_SHA2_sha384_ctx; - -/** - * \brief Allocate and initialize the state for the SHA-384 incremental hashing API. - * - * \warning The state must be released by OQS_SHA2_sha384_inc_finalize - * or OQS_SHA2_sha384_inc_ctx_release. - * - * \param state Pointer to the state - */ -void OQS_SHA2_sha384_inc_init(OQS_SHA2_sha384_ctx *state); - -/** - * \brief Duplicate state for the SHA-384 incremental hashing API. - * - * \warning dest must be allocated by the caller. Caller is responsible - * for releasing dest by calling either OQS_SHA3_sha3_384_inc_finalize or - * OQS_SHA3_sha3_384_inc_ctx_release. - * - * \param dest The function state to copy into; must be initialized - * \param src The function state to copy; must be initialized - */ -void OQS_SHA2_sha384_inc_ctx_clone(OQS_SHA2_sha384_ctx *dest, const OQS_SHA2_sha384_ctx *src); - -/** - * \brief Process blocks with SHA-384 and update the state. - * - * \warning The state must be initialized by OQS_SHA2_sha384_inc_init or OQS_SHA2_sha384_inc_ctx_clone. - * - * \param state The state to update - * \param in Message input byte array - * \param inblocks The number of blocks of message bytes to process - */ -void OQS_SHA2_sha384_inc_blocks(OQS_SHA2_sha384_ctx *state, const uint8_t *in, size_t inblocks); - -/** - * \brief Process more message bytes with SHA-384 and return the hash code in the output byte array. - * - * \warning The output array must be at least 48 bytes in length. The state is - * deallocated by this function and can not be used again after calling - * this function without calling OQS_SHA2_sha384_inc_init again. - * - * \param out The output byte array - * \param state The state - * \param in Additional message input byte array - * \param inlen The number of additional message bytes to process - */ -void OQS_SHA2_sha384_inc_finalize(uint8_t *out, OQS_SHA2_sha384_ctx *state, const uint8_t *in, size_t inlen); - -/** - * \brief Destroy state. - * - * \warning The state is deallocated by this function and can not be used again after calling - * this function without calling OQS_SHA2_sha384_inc_init again. - * - * \param state The state - */ -void OQS_SHA2_sha384_inc_ctx_release(OQS_SHA2_sha384_ctx *state); - -/** - * \brief Process a message with SHA-512 and return the hash code in the output byte array. - * - * \warning The output array must be at least 64 bytes in length. - * - * \param output The output byte array - * \param input The message input byte array - * \param inplen The number of message bytes to process - */ -void OQS_SHA2_sha512(uint8_t *output, const uint8_t *input, size_t inplen); - -/** Data structure for the state of the SHA-512 incremental hashing API. */ -typedef struct { - /** Internal state. */ - void *ctx; -} OQS_SHA2_sha512_ctx; - -/** - * \brief Allocate and initialize the state for the SHA-512 incremental hashing API. - * - * \warning The state must be released by OQS_SHA2_sha512_inc_finalize - * or OQS_SHA2_sha512_inc_ctx_release. - * - * \param state Pointer to the state - */ -void OQS_SHA2_sha512_inc_init(OQS_SHA2_sha512_ctx *state); - -/** - * \brief Duplicate state for the SHA-512 incremental hashing API. - * - * \warning dest must be allocated by the caller. Caller is responsible - * for releasing dest by calling either OQS_SHA3_sha3_512_inc_finalize or - * OQS_SHA3_sha3_512_inc_ctx_release. - * - * \param dest The function state to copy into; must be initialized - * \param src The function state to copy; must be initialized - */ -void OQS_SHA2_sha512_inc_ctx_clone(OQS_SHA2_sha512_ctx *dest, const OQS_SHA2_sha512_ctx *src); - -/** - * \brief Process blocks with SHA-512 and update the state. - * - * \warning The state must be initialized by OQS_SHA2_sha512_inc_init or OQS_SHA2_sha512_inc_ctx_clone. - * - * \param state The state to update - * \param in Message input byte array - * \param inblocks The number of blocks of message bytes to process - */ -void OQS_SHA2_sha512_inc_blocks(OQS_SHA2_sha512_ctx *state, const uint8_t *in, size_t inblocks); - -/** - * \brief Process more message bytes with SHA-512 and return the hash code in the output byte array. - * - * \warning The output array must be at least 64 bytes in length. The state is - * deallocated by this function and can not be used again after calling - * this function without calling OQS_SHA2_sha512_inc_init again. - * - * \param out The output byte array - * \param state The state - * \param in Additional message input byte array - * \param inlen The number of additional message bytes to process - */ -void OQS_SHA2_sha512_inc_finalize(uint8_t *out, OQS_SHA2_sha512_ctx *state, const uint8_t *in, size_t inlen); - -/** - * \brief Destroy state. - * - * \warning The state is deallocated by this function and can not be used again after calling - * this function without calling OQS_SHA2_sha512_inc_init again. - * - * \param state The state - */ -void OQS_SHA2_sha512_inc_ctx_release(OQS_SHA2_sha512_ctx *state); - -#endif diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/sha2_c.c b/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/sha2_c.c deleted file mode 100644 index 557ebcb861..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/sha2_c.c +++ /dev/null @@ -1,706 +0,0 @@ -// SPDX-License-Identifier: Public domain - -#include "sha2.h" -#include <stdio.h> - -/* Based on the public domain implementation in - * crypto_hash/sha512/ref/ from http://bench.cr.yp.to/supercop.html - * by D. J. Bernstein */ - -#include <stddef.h> -#include <stdint.h> -#include <stdlib.h> -#include <string.h> - -static uint32_t load_bigendian_32(const uint8_t *x) { - return (uint32_t)(x[3]) | (((uint32_t)(x[2])) << 8) | - (((uint32_t)(x[1])) << 16) | (((uint32_t)(x[0])) << 24); -} - -static uint64_t load_bigendian_64(const uint8_t *x) { - return (uint64_t)(x[7]) | (((uint64_t)(x[6])) << 8) | - (((uint64_t)(x[5])) << 16) | (((uint64_t)(x[4])) << 24) | - (((uint64_t)(x[3])) << 32) | (((uint64_t)(x[2])) << 40) | - (((uint64_t)(x[1])) << 48) | (((uint64_t)(x[0])) << 56); -} - -static void store_bigendian_32(uint8_t *x, uint64_t u) { - x[3] = (uint8_t) u; - u >>= 8; - x[2] = (uint8_t) u; - u >>= 8; - x[1] = (uint8_t) u; - u >>= 8; - x[0] = (uint8_t) u; -} - -static void store_bigendian_64(uint8_t *x, uint64_t u) { - x[7] = (uint8_t) u; - u >>= 8; - x[6] = (uint8_t) u; - u >>= 8; - x[5] = (uint8_t) u; - u >>= 8; - x[4] = (uint8_t) u; - u >>= 8; - x[3] = (uint8_t) u; - u >>= 8; - x[2] = (uint8_t) u; - u >>= 8; - x[1] = (uint8_t) u; - u >>= 8; - x[0] = (uint8_t) u; -} - -#define SHR(x, c) ((x) >> (c)) -#define ROTR_32(x, c) (((x) >> (c)) | ((x) << (32 - (c)))) -#define ROTR_64(x, c) (((x) >> (c)) | ((x) << (64 - (c)))) - -#define Ch(x, y, z) (((x) & (y)) ^ (~(x) & (z))) -#define Maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) - -#define Sigma0_32(x) (ROTR_32(x, 2) ^ ROTR_32(x,13) ^ ROTR_32(x,22)) -#define Sigma1_32(x) (ROTR_32(x, 6) ^ ROTR_32(x,11) ^ ROTR_32(x,25)) -#define sigma0_32(x) (ROTR_32(x, 7) ^ ROTR_32(x,18) ^ SHR(x, 3)) -#define sigma1_32(x) (ROTR_32(x,17) ^ ROTR_32(x,19) ^ SHR(x,10)) - -#define Sigma0_64(x) (ROTR_64(x, 28) ^ ROTR_64(x, 34) ^ ROTR_64(x, 39)) -#define Sigma1_64(x) (ROTR_64(x, 14) ^ ROTR_64(x, 18) ^ ROTR_64(x, 41)) -#define sigma0_64(x) (ROTR_64(x, 1) ^ ROTR_64(x, 8) ^ SHR(x, 7)) -#define sigma1_64(x) (ROTR_64(x, 19) ^ ROTR_64(x, 61) ^ SHR(x, 6)) - -#define M_32(w0, w14, w9, w1) w0 = sigma1_32(w14) + (w9) + sigma0_32(w1) + (w0); -#define M_64(w0, w14, w9, w1) w0 = sigma1_64(w14) + (w9) + sigma0_64(w1) + (w0); - -#define EXPAND_32 \ - M_32(w0, w14, w9, w1) \ - M_32(w1, w15, w10, w2) \ - M_32(w2, w0, w11, w3) \ - M_32(w3, w1, w12, w4) \ - M_32(w4, w2, w13, w5) \ - M_32(w5, w3, w14, w6) \ - M_32(w6, w4, w15, w7) \ - M_32(w7, w5, w0, w8) \ - M_32(w8, w6, w1, w9) \ - M_32(w9, w7, w2, w10) \ - M_32(w10, w8, w3, w11) \ - M_32(w11, w9, w4, w12) \ - M_32(w12, w10, w5, w13) \ - M_32(w13, w11, w6, w14) \ - M_32(w14, w12, w7, w15) \ - M_32(w15, w13, w8, w0) - -#define EXPAND_64 \ - M_64(w0, w14, w9, w1) \ - M_64(w1, w15, w10, w2) \ - M_64(w2, w0, w11, w3) \ - M_64(w3, w1, w12, w4) \ - M_64(w4, w2, w13, w5) \ - M_64(w5, w3, w14, w6) \ - M_64(w6, w4, w15, w7) \ - M_64(w7, w5, w0, w8) \ - M_64(w8, w6, w1, w9) \ - M_64(w9, w7, w2, w10) \ - M_64(w10, w8, w3, w11) \ - M_64(w11, w9, w4, w12) \ - M_64(w12, w10, w5, w13) \ - M_64(w13, w11, w6, w14) \ - M_64(w14, w12, w7, w15) \ - M_64(w15, w13, w8, w0) - -#define F_32(w, k) \ - T1 = h + Sigma1_32(e) + Ch(e, f, g) + (k) + (w); \ - T2 = Sigma0_32(a) + Maj(a, b, c); \ - h = g; \ - g = f; \ - f = e; \ - e = d + T1; \ - d = c; \ - c = b; \ - b = a; \ - a = T1 + T2; - -#define F_64(w, k) \ - T1 = h + Sigma1_64(e) + Ch(e, f, g) + (k) + (w); \ - T2 = Sigma0_64(a) + Maj(a, b, c); \ - h = g; \ - g = f; \ - f = e; \ - e = d + T1; \ - d = c; \ - c = b; \ - b = a; \ - a = T1 + T2; - -static size_t crypto_hashblocks_sha256(uint8_t *statebytes, - const uint8_t *in, size_t inlen) { - uint32_t state[8]; - uint32_t a; - uint32_t b; - uint32_t c; - uint32_t d; - uint32_t e; - uint32_t f; - uint32_t g; - uint32_t h; - - a = load_bigendian_32(statebytes + 0); - state[0] = a; - b = load_bigendian_32(statebytes + 4); - state[1] = b; - c = load_bigendian_32(statebytes + 8); - state[2] = c; - d = load_bigendian_32(statebytes + 12); - state[3] = d; - e = load_bigendian_32(statebytes + 16); - state[4] = e; - f = load_bigendian_32(statebytes + 20); - state[5] = f; - g = load_bigendian_32(statebytes + 24); - state[6] = g; - h = load_bigendian_32(statebytes + 28); - state[7] = h; - - while (inlen >= 64) { - uint32_t w0 = load_bigendian_32(in + 0); - uint32_t w1 = load_bigendian_32(in + 4); - uint32_t w2 = load_bigendian_32(in + 8); - uint32_t w3 = load_bigendian_32(in + 12); - uint32_t w4 = load_bigendian_32(in + 16); - uint32_t w5 = load_bigendian_32(in + 20); - uint32_t w6 = load_bigendian_32(in + 24); - uint32_t w7 = load_bigendian_32(in + 28); - uint32_t w8 = load_bigendian_32(in + 32); - uint32_t w9 = load_bigendian_32(in + 36); - uint32_t w10 = load_bigendian_32(in + 40); - uint32_t w11 = load_bigendian_32(in + 44); - uint32_t w12 = load_bigendian_32(in + 48); - uint32_t w13 = load_bigendian_32(in + 52); - uint32_t w14 = load_bigendian_32(in + 56); - uint32_t w15 = load_bigendian_32(in + 60); - - uint32_t T1; - uint32_t T2; - - F_32(w0, 0x428a2f98) - F_32(w1, 0x71374491) - F_32(w2, 0xb5c0fbcf) - F_32(w3, 0xe9b5dba5) - F_32(w4, 0x3956c25b) - F_32(w5, 0x59f111f1) - F_32(w6, 0x923f82a4) - F_32(w7, 0xab1c5ed5) - F_32(w8, 0xd807aa98) - F_32(w9, 0x12835b01) - F_32(w10, 0x243185be) - F_32(w11, 0x550c7dc3) - F_32(w12, 0x72be5d74) - F_32(w13, 0x80deb1fe) - F_32(w14, 0x9bdc06a7) - F_32(w15, 0xc19bf174) - - EXPAND_32 - - F_32(w0, 0xe49b69c1) - F_32(w1, 0xefbe4786) - F_32(w2, 0x0fc19dc6) - F_32(w3, 0x240ca1cc) - F_32(w4, 0x2de92c6f) - F_32(w5, 0x4a7484aa) - F_32(w6, 0x5cb0a9dc) - F_32(w7, 0x76f988da) - F_32(w8, 0x983e5152) - F_32(w9, 0xa831c66d) - F_32(w10, 0xb00327c8) - F_32(w11, 0xbf597fc7) - F_32(w12, 0xc6e00bf3) - F_32(w13, 0xd5a79147) - F_32(w14, 0x06ca6351) - F_32(w15, 0x14292967) - - EXPAND_32 - - F_32(w0, 0x27b70a85) - F_32(w1, 0x2e1b2138) - F_32(w2, 0x4d2c6dfc) - F_32(w3, 0x53380d13) - F_32(w4, 0x650a7354) - F_32(w5, 0x766a0abb) - F_32(w6, 0x81c2c92e) - F_32(w7, 0x92722c85) - F_32(w8, 0xa2bfe8a1) - F_32(w9, 0xa81a664b) - F_32(w10, 0xc24b8b70) - F_32(w11, 0xc76c51a3) - F_32(w12, 0xd192e819) - F_32(w13, 0xd6990624) - F_32(w14, 0xf40e3585) - F_32(w15, 0x106aa070) - - EXPAND_32 - - F_32(w0, 0x19a4c116) - F_32(w1, 0x1e376c08) - F_32(w2, 0x2748774c) - F_32(w3, 0x34b0bcb5) - F_32(w4, 0x391c0cb3) - F_32(w5, 0x4ed8aa4a) - F_32(w6, 0x5b9cca4f) - F_32(w7, 0x682e6ff3) - F_32(w8, 0x748f82ee) - F_32(w9, 0x78a5636f) - F_32(w10, 0x84c87814) - F_32(w11, 0x8cc70208) - F_32(w12, 0x90befffa) - F_32(w13, 0xa4506ceb) - F_32(w14, 0xbef9a3f7) - F_32(w15, 0xc67178f2) - - a += state[0]; - b += state[1]; - c += state[2]; - d += state[3]; - e += state[4]; - f += state[5]; - g += state[6]; - h += state[7]; - - state[0] = a; - state[1] = b; - state[2] = c; - state[3] = d; - state[4] = e; - state[5] = f; - state[6] = g; - state[7] = h; - - in += 64; - inlen -= 64; - } - - store_bigendian_32(statebytes + 0, state[0]); - store_bigendian_32(statebytes + 4, state[1]); - store_bigendian_32(statebytes + 8, state[2]); - store_bigendian_32(statebytes + 12, state[3]); - store_bigendian_32(statebytes + 16, state[4]); - store_bigendian_32(statebytes + 20, state[5]); - store_bigendian_32(statebytes + 24, state[6]); - store_bigendian_32(statebytes + 28, state[7]); - - return inlen; -} - -static size_t crypto_hashblocks_sha512(uint8_t *statebytes, - const uint8_t *in, size_t inlen) { - uint64_t state[8]; - uint64_t a; - uint64_t b; - uint64_t c; - uint64_t d; - uint64_t e; - uint64_t f; - uint64_t g; - uint64_t h; - - a = load_bigendian_64(statebytes + 0); - state[0] = a; - b = load_bigendian_64(statebytes + 8); - state[1] = b; - c = load_bigendian_64(statebytes + 16); - state[2] = c; - d = load_bigendian_64(statebytes + 24); - state[3] = d; - e = load_bigendian_64(statebytes + 32); - state[4] = e; - f = load_bigendian_64(statebytes + 40); - state[5] = f; - g = load_bigendian_64(statebytes + 48); - state[6] = g; - h = load_bigendian_64(statebytes + 56); - state[7] = h; - - while (inlen >= 128) { - uint64_t w0 = load_bigendian_64(in + 0); - uint64_t w1 = load_bigendian_64(in + 8); - uint64_t w2 = load_bigendian_64(in + 16); - uint64_t w3 = load_bigendian_64(in + 24); - uint64_t w4 = load_bigendian_64(in + 32); - uint64_t w5 = load_bigendian_64(in + 40); - uint64_t w6 = load_bigendian_64(in + 48); - uint64_t w7 = load_bigendian_64(in + 56); - uint64_t w8 = load_bigendian_64(in + 64); - uint64_t w9 = load_bigendian_64(in + 72); - uint64_t w10 = load_bigendian_64(in + 80); - uint64_t w11 = load_bigendian_64(in + 88); - uint64_t w12 = load_bigendian_64(in + 96); - uint64_t w13 = load_bigendian_64(in + 104); - uint64_t w14 = load_bigendian_64(in + 112); - uint64_t w15 = load_bigendian_64(in + 120); - - uint64_t T1; - uint64_t T2; - - F_64(w0, 0x428a2f98d728ae22ULL) - F_64(w1, 0x7137449123ef65cdULL) - F_64(w2, 0xb5c0fbcfec4d3b2fULL) - F_64(w3, 0xe9b5dba58189dbbcULL) - F_64(w4, 0x3956c25bf348b538ULL) - F_64(w5, 0x59f111f1b605d019ULL) - F_64(w6, 0x923f82a4af194f9bULL) - F_64(w7, 0xab1c5ed5da6d8118ULL) - F_64(w8, 0xd807aa98a3030242ULL) - F_64(w9, 0x12835b0145706fbeULL) - F_64(w10, 0x243185be4ee4b28cULL) - F_64(w11, 0x550c7dc3d5ffb4e2ULL) - F_64(w12, 0x72be5d74f27b896fULL) - F_64(w13, 0x80deb1fe3b1696b1ULL) - F_64(w14, 0x9bdc06a725c71235ULL) - F_64(w15, 0xc19bf174cf692694ULL) - - EXPAND_64 - - F_64(w0, 0xe49b69c19ef14ad2ULL) - F_64(w1, 0xefbe4786384f25e3ULL) - F_64(w2, 0x0fc19dc68b8cd5b5ULL) - F_64(w3, 0x240ca1cc77ac9c65ULL) - F_64(w4, 0x2de92c6f592b0275ULL) - F_64(w5, 0x4a7484aa6ea6e483ULL) - F_64(w6, 0x5cb0a9dcbd41fbd4ULL) - F_64(w7, 0x76f988da831153b5ULL) - F_64(w8, 0x983e5152ee66dfabULL) - F_64(w9, 0xa831c66d2db43210ULL) - F_64(w10, 0xb00327c898fb213fULL) - F_64(w11, 0xbf597fc7beef0ee4ULL) - F_64(w12, 0xc6e00bf33da88fc2ULL) - F_64(w13, 0xd5a79147930aa725ULL) - F_64(w14, 0x06ca6351e003826fULL) - F_64(w15, 0x142929670a0e6e70ULL) - - EXPAND_64 - - F_64(w0, 0x27b70a8546d22ffcULL) - F_64(w1, 0x2e1b21385c26c926ULL) - F_64(w2, 0x4d2c6dfc5ac42aedULL) - F_64(w3, 0x53380d139d95b3dfULL) - F_64(w4, 0x650a73548baf63deULL) - F_64(w5, 0x766a0abb3c77b2a8ULL) - F_64(w6, 0x81c2c92e47edaee6ULL) - F_64(w7, 0x92722c851482353bULL) - F_64(w8, 0xa2bfe8a14cf10364ULL) - F_64(w9, 0xa81a664bbc423001ULL) - F_64(w10, 0xc24b8b70d0f89791ULL) - F_64(w11, 0xc76c51a30654be30ULL) - F_64(w12, 0xd192e819d6ef5218ULL) - F_64(w13, 0xd69906245565a910ULL) - F_64(w14, 0xf40e35855771202aULL) - F_64(w15, 0x106aa07032bbd1b8ULL) - - EXPAND_64 - - F_64(w0, 0x19a4c116b8d2d0c8ULL) - F_64(w1, 0x1e376c085141ab53ULL) - F_64(w2, 0x2748774cdf8eeb99ULL) - F_64(w3, 0x34b0bcb5e19b48a8ULL) - F_64(w4, 0x391c0cb3c5c95a63ULL) - F_64(w5, 0x4ed8aa4ae3418acbULL) - F_64(w6, 0x5b9cca4f7763e373ULL) - F_64(w7, 0x682e6ff3d6b2b8a3ULL) - F_64(w8, 0x748f82ee5defb2fcULL) - F_64(w9, 0x78a5636f43172f60ULL) - F_64(w10, 0x84c87814a1f0ab72ULL) - F_64(w11, 0x8cc702081a6439ecULL) - F_64(w12, 0x90befffa23631e28ULL) - F_64(w13, 0xa4506cebde82bde9ULL) - F_64(w14, 0xbef9a3f7b2c67915ULL) - F_64(w15, 0xc67178f2e372532bULL) - - EXPAND_64 - - F_64(w0, 0xca273eceea26619cULL) - F_64(w1, 0xd186b8c721c0c207ULL) - F_64(w2, 0xeada7dd6cde0eb1eULL) - F_64(w3, 0xf57d4f7fee6ed178ULL) - F_64(w4, 0x06f067aa72176fbaULL) - F_64(w5, 0x0a637dc5a2c898a6ULL) - F_64(w6, 0x113f9804bef90daeULL) - F_64(w7, 0x1b710b35131c471bULL) - F_64(w8, 0x28db77f523047d84ULL) - F_64(w9, 0x32caab7b40c72493ULL) - F_64(w10, 0x3c9ebe0a15c9bebcULL) - F_64(w11, 0x431d67c49c100d4cULL) - F_64(w12, 0x4cc5d4becb3e42b6ULL) - F_64(w13, 0x597f299cfc657e2aULL) - F_64(w14, 0x5fcb6fab3ad6faecULL) - F_64(w15, 0x6c44198c4a475817ULL) - - a += state[0]; - b += state[1]; - c += state[2]; - d += state[3]; - e += state[4]; - f += state[5]; - g += state[6]; - h += state[7]; - - state[0] = a; - state[1] = b; - state[2] = c; - state[3] = d; - state[4] = e; - state[5] = f; - state[6] = g; - state[7] = h; - - in += 128; - inlen -= 128; - } - - store_bigendian_64(statebytes + 0, state[0]); - store_bigendian_64(statebytes + 8, state[1]); - store_bigendian_64(statebytes + 16, state[2]); - store_bigendian_64(statebytes + 24, state[3]); - store_bigendian_64(statebytes + 32, state[4]); - store_bigendian_64(statebytes + 40, state[5]); - store_bigendian_64(statebytes + 48, state[6]); - store_bigendian_64(statebytes + 56, state[7]); - - return inlen; -} - -static const uint8_t iv_256[32] = { - 0x6a, 0x09, 0xe6, 0x67, 0xbb, 0x67, 0xae, 0x85, - 0x3c, 0x6e, 0xf3, 0x72, 0xa5, 0x4f, 0xf5, 0x3a, - 0x51, 0x0e, 0x52, 0x7f, 0x9b, 0x05, 0x68, 0x8c, - 0x1f, 0x83, 0xd9, 0xab, 0x5b, 0xe0, 0xcd, 0x19 -}; - -static const uint8_t iv_512[64] = { - 0x6a, 0x09, 0xe6, 0x67, 0xf3, 0xbc, 0xc9, 0x08, 0xbb, 0x67, 0xae, - 0x85, 0x84, 0xca, 0xa7, 0x3b, 0x3c, 0x6e, 0xf3, 0x72, 0xfe, 0x94, - 0xf8, 0x2b, 0xa5, 0x4f, 0xf5, 0x3a, 0x5f, 0x1d, 0x36, 0xf1, 0x51, - 0x0e, 0x52, 0x7f, 0xad, 0xe6, 0x82, 0xd1, 0x9b, 0x05, 0x68, 0x8c, - 0x2b, 0x3e, 0x6c, 0x1f, 0x1f, 0x83, 0xd9, 0xab, 0xfb, 0x41, 0xbd, - 0x6b, 0x5b, 0xe0, 0xcd, 0x19, 0x13, 0x7e, 0x21, 0x79 -}; - -void sha256_inc_init(sha256ctx *state) { - state->ctx = malloc(PQC_SHA256CTX_BYTES); - if (state->ctx == NULL) { - exit(111); - } - for (size_t i = 0; i < 32; ++i) { - state->ctx[i] = iv_256[i]; - } - for (size_t i = 32; i < 40; ++i) { - state->ctx[i] = 0; - } -} - -void sha512_inc_init(sha512ctx *state) { - state->ctx = malloc(PQC_SHA512CTX_BYTES); - if (state->ctx == NULL) { - exit(111); - } - for (size_t i = 0; i < 64; ++i) { - state->ctx[i] = iv_512[i]; - } - for (size_t i = 64; i < 72; ++i) { - state->ctx[i] = 0; - } -} - -void sha256_inc_ctx_clone(sha256ctx *stateout, const sha256ctx *statein) { - stateout->ctx = malloc(PQC_SHA256CTX_BYTES); - if (stateout->ctx == NULL) { - exit(111); - } - memcpy(stateout->ctx, statein->ctx, PQC_SHA256CTX_BYTES); -} - -void sha512_inc_ctx_clone(sha512ctx *stateout, const sha512ctx *statein) { - stateout->ctx = malloc(PQC_SHA512CTX_BYTES); - if (stateout->ctx == NULL) { - exit(111); - } - memcpy(stateout->ctx, statein->ctx, PQC_SHA512CTX_BYTES); -} - -/* Destroy the hash state. */ -void sha256_inc_ctx_release(sha256ctx *state) { - free(state->ctx); // IGNORE free-check -} - -/* Destroy the hash state. */ -void sha512_inc_ctx_release(sha512ctx *state) { - free(state->ctx); // IGNORE free-check -} - -void sha256_inc_blocks(sha256ctx *state, const uint8_t *in, size_t inblocks) { - uint64_t bytes = load_bigendian_64(state->ctx + 32); - - crypto_hashblocks_sha256(state->ctx, in, 64 * inblocks); - bytes += 64 * inblocks; - - store_bigendian_64(state->ctx + 32, bytes); -} - -void sha512_inc_blocks(sha512ctx *state, const uint8_t *in, size_t inblocks) { - uint64_t bytes = load_bigendian_64(state->ctx + 64); - - crypto_hashblocks_sha512(state->ctx, in, 128 * inblocks); - bytes += 128 * inblocks; - - store_bigendian_64(state->ctx + 64, bytes); -} - -void sha256_inc_finalize(uint8_t *out, sha256ctx *state, const uint8_t *in, size_t inlen) { - uint8_t padded[128]; - uint64_t bytes = load_bigendian_64(state->ctx + 32) + inlen; - - crypto_hashblocks_sha256(state->ctx, in, inlen); - in += inlen; - inlen &= 63; - in -= inlen; - - for (size_t i = 0; i < inlen; ++i) { - padded[i] = in[i]; - } - padded[inlen] = 0x80; - - if (inlen < 56) { - for (size_t i = inlen + 1; i < 56; ++i) { - padded[i] = 0; - } - padded[56] = (uint8_t) (bytes >> 53); - padded[57] = (uint8_t) (bytes >> 45); - padded[58] = (uint8_t) (bytes >> 37); - padded[59] = (uint8_t) (bytes >> 29); - padded[60] = (uint8_t) (bytes >> 21); - padded[61] = (uint8_t) (bytes >> 13); - padded[62] = (uint8_t) (bytes >> 5); - padded[63] = (uint8_t) (bytes << 3); - crypto_hashblocks_sha256(state->ctx, padded, 64); - } else { - for (size_t i = inlen + 1; i < 120; ++i) { - padded[i] = 0; - } - padded[120] = (uint8_t) (bytes >> 53); - padded[121] = (uint8_t) (bytes >> 45); - padded[122] = (uint8_t) (bytes >> 37); - padded[123] = (uint8_t) (bytes >> 29); - padded[124] = (uint8_t) (bytes >> 21); - padded[125] = (uint8_t) (bytes >> 13); - padded[126] = (uint8_t) (bytes >> 5); - padded[127] = (uint8_t) (bytes << 3); - crypto_hashblocks_sha256(state->ctx, padded, 128); - } - - for (size_t i = 0; i < 32; ++i) { - out[i] = state->ctx[i]; - } - sha256_inc_ctx_release(state); -} - -void sha512_inc_finalize(uint8_t *out, sha512ctx *state, const uint8_t *in, size_t inlen) { - uint8_t padded[256]; - uint64_t bytes = load_bigendian_64(state->ctx + 64) + inlen; - - crypto_hashblocks_sha512(state->ctx, in, inlen); - in += inlen; - inlen &= 127; - in -= inlen; - - for (size_t i = 0; i < inlen; ++i) { - padded[i] = in[i]; - } - padded[inlen] = 0x80; - - if (inlen < 112) { - for (size_t i = inlen + 1; i < 119; ++i) { - padded[i] = 0; - } - padded[119] = (uint8_t) (bytes >> 61); - padded[120] = (uint8_t) (bytes >> 53); - padded[121] = (uint8_t) (bytes >> 45); - padded[122] = (uint8_t) (bytes >> 37); - padded[123] = (uint8_t) (bytes >> 29); - padded[124] = (uint8_t) (bytes >> 21); - padded[125] = (uint8_t) (bytes >> 13); - padded[126] = (uint8_t) (bytes >> 5); - padded[127] = (uint8_t) (bytes << 3); - crypto_hashblocks_sha512(state->ctx, padded, 128); - } else { - for (size_t i = inlen + 1; i < 247; ++i) { - padded[i] = 0; - } - padded[247] = (uint8_t) (bytes >> 61); - padded[248] = (uint8_t) (bytes >> 53); - padded[249] = (uint8_t) (bytes >> 45); - padded[250] = (uint8_t) (bytes >> 37); - padded[251] = (uint8_t) (bytes >> 29); - padded[252] = (uint8_t) (bytes >> 21); - padded[253] = (uint8_t) (bytes >> 13); - padded[254] = (uint8_t) (bytes >> 5); - padded[255] = (uint8_t) (bytes << 3); - crypto_hashblocks_sha512(state->ctx, padded, 256); - } - - for (size_t i = 0; i < 64; ++i) { - out[i] = state->ctx[i]; - } - sha512_inc_ctx_release(state); -} - -void sha256(uint8_t *out, const uint8_t *in, size_t inlen) { - sha256ctx state; - - sha256_inc_init(&state); - sha256_inc_finalize(out, &state, in, inlen); -} - -void sha512(uint8_t *out, const uint8_t *in, size_t inlen) { - sha512ctx state; - - sha512_inc_init(&state); - sha512_inc_finalize(out, &state, in, inlen); -} - -void OQS_SHA2_sha256_inc_init(OQS_SHA2_sha256_ctx *state) { - oqs_sha2_sha256_inc_init((sha256ctx *) state); -} - -void OQS_SHA2_sha256_inc_ctx_clone(OQS_SHA2_sha256_ctx *dest, const OQS_SHA2_sha256_ctx *src) { - oqs_sha2_sha256_inc_ctx_clone((sha256ctx *) dest, (const sha256ctx *) src); -} - -void OQS_SHA2_sha256_inc_ctx_release(OQS_SHA2_sha256_ctx *state) { - oqs_sha2_sha256_inc_ctx_release((sha256ctx *) state); -} - -void OQS_SHA2_sha256_inc_blocks(OQS_SHA2_sha256_ctx *state, const uint8_t *in, size_t inblocks) { - oqs_sha2_sha256_inc_blocks((sha256ctx *) state, in, inblocks); -} - -void OQS_SHA2_sha256_inc_finalize(uint8_t *out, OQS_SHA2_sha256_ctx *state, const uint8_t *in, size_t inlen) { - oqs_sha2_sha256_inc_finalize(out, (sha256ctx *) state, in, inlen); -} - -void OQS_SHA2_sha512_inc_init(OQS_SHA2_sha512_ctx *state) { - oqs_sha2_sha512_inc_init((sha512ctx *) state); -} - -void OQS_SHA2_sha512_inc_ctx_clone(OQS_SHA2_sha512_ctx *dest, const OQS_SHA2_sha512_ctx *src) { - oqs_sha2_sha512_inc_ctx_clone((sha512ctx *) dest, (const sha512ctx *) src); -} - -void OQS_SHA2_sha512_inc_ctx_release(OQS_SHA2_sha512_ctx *state) { - oqs_sha2_sha512_inc_ctx_release((sha512ctx *) state); -} - -void OQS_SHA2_sha512_inc_blocks(OQS_SHA2_sha512_ctx *state, const uint8_t *in, size_t inblocks) { - oqs_sha2_sha512_inc_blocks((sha512ctx *) state, in, inblocks); -} - -void OQS_SHA2_sha512_inc_finalize(uint8_t *out, OQS_SHA2_sha512_ctx *state, const uint8_t *in, size_t inlen) { - oqs_sha2_sha512_inc_finalize(out, (sha512ctx *) state, in, inlen); -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/symmetric.h b/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/symmetric.h deleted file mode 100644 index e1bc27433a..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/symmetric.h +++ /dev/null @@ -1,23 +0,0 @@ -#ifndef SYMMETRIC_H -#define SYMMETRIC_H - -#include "params.h" - - -#include "aes256ctr.h" -#include "sha2.h" - -#define hash_h(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES) -#define hash_g(OUT, IN, INBYTES) sha512(OUT, IN, INBYTES) -#define xof_absorb(STATE, IN, X, Y) PQCLEAN_KYBER51290S_CLEAN_aes256xof_absorb(STATE, IN, X, Y) -#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_KYBER51290S_CLEAN_aes256xof_squeezeblocks(OUT, OUTBLOCKS, STATE) -#define xof_ctx_release(STATE) PQCLEAN_KYBER51290S_CLEAN_aes256xof_ctx_release(STATE) -#define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER51290S_CLEAN_aes256_prf(OUT, OUTBYTES, KEY, NONCE) -#define kdf(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES) - -#define XOF_BLOCKBYTES 64 - -typedef aes256xof_ctx xof_state; - - -#endif /* SYMMETRIC_H */ diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/verify.c b/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/verify.c deleted file mode 100644 index 35867a9920..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/verify.c +++ /dev/null @@ -1,50 +0,0 @@ -#include "verify.h" - -#include <stddef.h> -#include <stdint.h> - -/************************************************* -* Name: verify -* -* Description: Compare two arrays for equality in constant time. -* -* Arguments: const uint8_t *a: pointer to first byte array -* const uint8_t *b: pointer to second byte array -* size_t len: length of the byte arrays -* -* Returns 0 if the byte arrays are equal, 1 otherwise -**************************************************/ -uint8_t PQCLEAN_KYBER51290S_CLEAN_verify(const uint8_t *a, const uint8_t *b, size_t len) { - uint64_t r; - size_t i; - r = 0; - - for (i = 0; i < len; i++) { - r |= a[i] ^ b[i]; - } - - r = (-r) >> 63; - return (uint8_t)r; -} - -/************************************************* -* Name: cmov -* -* Description: Copy len bytes from x to r if b is 1; -* don't modify x if b is 0. Requires b to be in {0,1}; -* assumes two's complement representation of negative integers. -* Runs in constant time. -* -* Arguments: uint8_t *r: pointer to output byte array -* const uint8_t *x: pointer to input byte array -* size_t len: Amount of bytes to be copied -* uint8_t b: Condition bit; has to be in {0,1} -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b) { - size_t i; - - b = -b; - for (i = 0; i < len; i++) { - r[i] ^= b & (x[i] ^ r[i]); - } -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/verify.h b/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/verify.h deleted file mode 100644 index 7ece5735a8..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_90s_r2/verify.h +++ /dev/null @@ -1,11 +0,0 @@ -#ifndef VERIFY_H -#define VERIFY_H - -#include <stddef.h> -#include <stdint.h> - -uint8_t PQCLEAN_KYBER51290S_CLEAN_verify(const uint8_t *a, const uint8_t *b, size_t len); - -void PQCLEAN_KYBER51290S_CLEAN_cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b); - -#endif diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/cbd.c b/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/cbd.c deleted file mode 100644 index b4fc010ca9..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/cbd.c +++ /dev/null @@ -1,51 +0,0 @@ -#include "cbd.h" -#include "params.h" - -#include <stddef.h> -#include <stdint.h> - -/************************************************* -* Name: load32_littleendian -* -* Description: load bytes into a 32-bit integer -* in little-endian order -* -* Arguments: - const uint8_t *x: pointer to input byte array -* -* Returns 32-bit unsigned integer loaded from x -**************************************************/ -static uint32_t load32_littleendian(const uint8_t *x) { - uint32_t r; - r = (uint32_t)x[0]; - r |= (uint32_t)x[1] << 8; - r |= (uint32_t)x[2] << 16; - r |= (uint32_t)x[3] << 24; - return r; -} - -/************************************************* -* Name: cbd -* -* Description: Given an array of uniformly random bytes, compute -* polynomial with coefficients distributed according to -* a centered binomial distribution with parameter KYBER_ETA -* specialized for KYBER_ETA=2 -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *buf: pointer to input byte array -**************************************************/ -void PQCLEAN_KYBER512_CLEAN_cbd(poly *r, const uint8_t *buf) { - int16_t a, b; - - for (size_t i = 0; i < KYBER_N / 8; i++) { - uint32_t t = load32_littleendian(buf + 4 * i); - uint32_t d = t & 0x55555555; - d += (t >> 1) & 0x55555555; - - for (size_t j = 0; j < 8; j++) { - a = (d >> 4 * j) & 0x3; - b = (d >> (4 * j + 2)) & 0x3; - r->coeffs[8 * i + j] = a - b; - } - } -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/cbd.h b/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/cbd.h deleted file mode 100644 index 2eb5dc89cc..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/cbd.h +++ /dev/null @@ -1,8 +0,0 @@ -#ifndef CBD_H -#define CBD_H - -#include "poly.h" - -void PQCLEAN_KYBER512_CLEAN_cbd(poly *r, const uint8_t *buf); - -#endif diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/fips202_kyber_r2.c b/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/fips202_kyber_r2.c deleted file mode 100644 index 2ba848f951..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/fips202_kyber_r2.c +++ /dev/null @@ -1,619 +0,0 @@ -/* Based on the public domain implementation in - * crypto_hash/keccakc512/simple/ from http://bench.cr.yp.to/supercop.html - * by Ronny Van Keer - * and the public domain "TweetFips202" implementation - * from https://twitter.com/tweetfips202 - * by Gilles Van Assche, Daniel J. Bernstein, and Peter Schwabe - * SPDX-License-Identifier: Public domain - */ - -#include "fips202_kyber_r2.h" -#include "symmetric.h" - -#include <stddef.h> -#include <stdint.h> -#include <stdlib.h> -#include <string.h> - -#define PQC_SHAKEINCCTX_BYTES (sizeof(uint64_t)*26) -#define PQC_SHAKECTX_BYTES (sizeof(uint64_t)*25) - -#define NROUNDS 24 -#define ROL(a, offset) (((a) << (offset)) ^ ((a) >> (64 - (offset)))) - -/************************************************* - * Name: load64 - * - * Description: Load 8 bytes into uint64_t in little-endian order - * - * Arguments: - const uint8_t *x: pointer to input byte array - * - * Returns the loaded 64-bit unsigned integer - **************************************************/ -static uint64_t load64(const uint8_t *x) { - uint64_t r = 0; - for (size_t i = 0; i < 8; ++i) { - r |= (uint64_t)x[i] << 8 * i; - } - - return r; -} - -/************************************************* - * Name: store64 - * - * Description: Store a 64-bit integer to a byte array in little-endian order - * - * Arguments: - uint8_t *x: pointer to the output byte array - * - uint64_t u: input 64-bit unsigned integer - **************************************************/ -static void store64(uint8_t *x, uint64_t u) { - for (size_t i = 0; i < 8; ++i) { - x[i] = (uint8_t) (u >> 8 * i); - } -} - -/* Keccak round constants */ -static const uint64_t KeccakF_RoundConstants[NROUNDS] = { - 0x0000000000000001ULL, 0x0000000000008082ULL, - 0x800000000000808aULL, 0x8000000080008000ULL, - 0x000000000000808bULL, 0x0000000080000001ULL, - 0x8000000080008081ULL, 0x8000000000008009ULL, - 0x000000000000008aULL, 0x0000000000000088ULL, - 0x0000000080008009ULL, 0x000000008000000aULL, - 0x000000008000808bULL, 0x800000000000008bULL, - 0x8000000000008089ULL, 0x8000000000008003ULL, - 0x8000000000008002ULL, 0x8000000000000080ULL, - 0x000000000000800aULL, 0x800000008000000aULL, - 0x8000000080008081ULL, 0x8000000000008080ULL, - 0x0000000080000001ULL, 0x8000000080008008ULL -}; - -/************************************************* - * Name: KeccakF1600_StatePermute - * - * Description: The Keccak F1600 Permutation - * - * Arguments: - uint64_t *state: pointer to input/output Keccak state - **************************************************/ -static void KeccakF1600_StatePermute(uint64_t *state) { - int round; - - uint64_t Aba, Abe, Abi, Abo, Abu; - uint64_t Aga, Age, Agi, Ago, Agu; - uint64_t Aka, Ake, Aki, Ako, Aku; - uint64_t Ama, Ame, Ami, Amo, Amu; - uint64_t Asa, Ase, Asi, Aso, Asu; - uint64_t BCa, BCe, BCi, BCo, BCu; - - // copyFromState(A, state) - Aba = state[0]; - Abe = state[1]; - Abi = state[2]; - Abo = state[3]; - Abu = state[4]; - Aga = state[5]; - Age = state[6]; - Agi = state[7]; - Ago = state[8]; - Agu = state[9]; - Aka = state[10]; - Ake = state[11]; - Aki = state[12]; - Ako = state[13]; - Aku = state[14]; - Ama = state[15]; - Ame = state[16]; - Ami = state[17]; - Amo = state[18]; - Amu = state[19]; - Asa = state[20]; - Ase = state[21]; - Asi = state[22]; - Aso = state[23]; - Asu = state[24]; - - for (round = 0; round < NROUNDS; round += 2) { - uint64_t Da, De, Di, Do, Du; - uint64_t Eba, Ebe, Ebi, Ebo, Ebu; - uint64_t Ega, Ege, Egi, Ego, Egu; - uint64_t Eka, Eke, Eki, Eko, Eku; - uint64_t Ema, Eme, Emi, Emo, Emu; - uint64_t Esa, Ese, Esi, Eso, Esu; - - // prepareTheta - BCa = Aba ^ Aga ^ Aka ^ Ama ^ Asa; - BCe = Abe ^ Age ^ Ake ^ Ame ^ Ase; - BCi = Abi ^ Agi ^ Aki ^ Ami ^ Asi; - BCo = Abo ^ Ago ^ Ako ^ Amo ^ Aso; - BCu = Abu ^ Agu ^ Aku ^ Amu ^ Asu; - - // thetaRhoPiChiIotaPrepareTheta(round , A, E) - Da = BCu ^ ROL(BCe, 1); - De = BCa ^ ROL(BCi, 1); - Di = BCe ^ ROL(BCo, 1); - Do = BCi ^ ROL(BCu, 1); - Du = BCo ^ ROL(BCa, 1); - - Aba ^= Da; - BCa = Aba; - Age ^= De; - BCe = ROL(Age, 44); - Aki ^= Di; - BCi = ROL(Aki, 43); - Amo ^= Do; - BCo = ROL(Amo, 21); - Asu ^= Du; - BCu = ROL(Asu, 14); - Eba = BCa ^ ((~BCe) & BCi); - Eba ^= KeccakF_RoundConstants[round]; - Ebe = BCe ^ ((~BCi) & BCo); - Ebi = BCi ^ ((~BCo) & BCu); - Ebo = BCo ^ ((~BCu) & BCa); - Ebu = BCu ^ ((~BCa) & BCe); - - Abo ^= Do; - BCa = ROL(Abo, 28); - Agu ^= Du; - BCe = ROL(Agu, 20); - Aka ^= Da; - BCi = ROL(Aka, 3); - Ame ^= De; - BCo = ROL(Ame, 45); - Asi ^= Di; - BCu = ROL(Asi, 61); - Ega = BCa ^ ((~BCe) & BCi); - Ege = BCe ^ ((~BCi) & BCo); - Egi = BCi ^ ((~BCo) & BCu); - Ego = BCo ^ ((~BCu) & BCa); - Egu = BCu ^ ((~BCa) & BCe); - - Abe ^= De; - BCa = ROL(Abe, 1); - Agi ^= Di; - BCe = ROL(Agi, 6); - Ako ^= Do; - BCi = ROL(Ako, 25); - Amu ^= Du; - BCo = ROL(Amu, 8); - Asa ^= Da; - BCu = ROL(Asa, 18); - Eka = BCa ^ ((~BCe) & BCi); - Eke = BCe ^ ((~BCi) & BCo); - Eki = BCi ^ ((~BCo) & BCu); - Eko = BCo ^ ((~BCu) & BCa); - Eku = BCu ^ ((~BCa) & BCe); - - Abu ^= Du; - BCa = ROL(Abu, 27); - Aga ^= Da; - BCe = ROL(Aga, 36); - Ake ^= De; - BCi = ROL(Ake, 10); - Ami ^= Di; - BCo = ROL(Ami, 15); - Aso ^= Do; - BCu = ROL(Aso, 56); - Ema = BCa ^ ((~BCe) & BCi); - Eme = BCe ^ ((~BCi) & BCo); - Emi = BCi ^ ((~BCo) & BCu); - Emo = BCo ^ ((~BCu) & BCa); - Emu = BCu ^ ((~BCa) & BCe); - - Abi ^= Di; - BCa = ROL(Abi, 62); - Ago ^= Do; - BCe = ROL(Ago, 55); - Aku ^= Du; - BCi = ROL(Aku, 39); - Ama ^= Da; - BCo = ROL(Ama, 41); - Ase ^= De; - BCu = ROL(Ase, 2); - Esa = BCa ^ ((~BCe) & BCi); - Ese = BCe ^ ((~BCi) & BCo); - Esi = BCi ^ ((~BCo) & BCu); - Eso = BCo ^ ((~BCu) & BCa); - Esu = BCu ^ ((~BCa) & BCe); - - // prepareTheta - BCa = Eba ^ Ega ^ Eka ^ Ema ^ Esa; - BCe = Ebe ^ Ege ^ Eke ^ Eme ^ Ese; - BCi = Ebi ^ Egi ^ Eki ^ Emi ^ Esi; - BCo = Ebo ^ Ego ^ Eko ^ Emo ^ Eso; - BCu = Ebu ^ Egu ^ Eku ^ Emu ^ Esu; - - // thetaRhoPiChiIotaPrepareTheta(round+1, E, A) - Da = BCu ^ ROL(BCe, 1); - De = BCa ^ ROL(BCi, 1); - Di = BCe ^ ROL(BCo, 1); - Do = BCi ^ ROL(BCu, 1); - Du = BCo ^ ROL(BCa, 1); - - Eba ^= Da; - BCa = Eba; - Ege ^= De; - BCe = ROL(Ege, 44); - Eki ^= Di; - BCi = ROL(Eki, 43); - Emo ^= Do; - BCo = ROL(Emo, 21); - Esu ^= Du; - BCu = ROL(Esu, 14); - Aba = BCa ^ ((~BCe) & BCi); - Aba ^= KeccakF_RoundConstants[round + 1]; - Abe = BCe ^ ((~BCi) & BCo); - Abi = BCi ^ ((~BCo) & BCu); - Abo = BCo ^ ((~BCu) & BCa); - Abu = BCu ^ ((~BCa) & BCe); - - Ebo ^= Do; - BCa = ROL(Ebo, 28); - Egu ^= Du; - BCe = ROL(Egu, 20); - Eka ^= Da; - BCi = ROL(Eka, 3); - Eme ^= De; - BCo = ROL(Eme, 45); - Esi ^= Di; - BCu = ROL(Esi, 61); - Aga = BCa ^ ((~BCe) & BCi); - Age = BCe ^ ((~BCi) & BCo); - Agi = BCi ^ ((~BCo) & BCu); - Ago = BCo ^ ((~BCu) & BCa); - Agu = BCu ^ ((~BCa) & BCe); - - Ebe ^= De; - BCa = ROL(Ebe, 1); - Egi ^= Di; - BCe = ROL(Egi, 6); - Eko ^= Do; - BCi = ROL(Eko, 25); - Emu ^= Du; - BCo = ROL(Emu, 8); - Esa ^= Da; - BCu = ROL(Esa, 18); - Aka = BCa ^ ((~BCe) & BCi); - Ake = BCe ^ ((~BCi) & BCo); - Aki = BCi ^ ((~BCo) & BCu); - Ako = BCo ^ ((~BCu) & BCa); - Aku = BCu ^ ((~BCa) & BCe); - - Ebu ^= Du; - BCa = ROL(Ebu, 27); - Ega ^= Da; - BCe = ROL(Ega, 36); - Eke ^= De; - BCi = ROL(Eke, 10); - Emi ^= Di; - BCo = ROL(Emi, 15); - Eso ^= Do; - BCu = ROL(Eso, 56); - Ama = BCa ^ ((~BCe) & BCi); - Ame = BCe ^ ((~BCi) & BCo); - Ami = BCi ^ ((~BCo) & BCu); - Amo = BCo ^ ((~BCu) & BCa); - Amu = BCu ^ ((~BCa) & BCe); - - Ebi ^= Di; - BCa = ROL(Ebi, 62); - Ego ^= Do; - BCe = ROL(Ego, 55); - Eku ^= Du; - BCi = ROL(Eku, 39); - Ema ^= Da; - BCo = ROL(Ema, 41); - Ese ^= De; - BCu = ROL(Ese, 2); - Asa = BCa ^ ((~BCe) & BCi); - Ase = BCe ^ ((~BCi) & BCo); - Asi = BCi ^ ((~BCo) & BCu); - Aso = BCo ^ ((~BCu) & BCa); - Asu = BCu ^ ((~BCa) & BCe); - } - - // copyToState(state, A) - state[0] = Aba; - state[1] = Abe; - state[2] = Abi; - state[3] = Abo; - state[4] = Abu; - state[5] = Aga; - state[6] = Age; - state[7] = Agi; - state[8] = Ago; - state[9] = Agu; - state[10] = Aka; - state[11] = Ake; - state[12] = Aki; - state[13] = Ako; - state[14] = Aku; - state[15] = Ama; - state[16] = Ame; - state[17] = Ami; - state[18] = Amo; - state[19] = Amu; - state[20] = Asa; - state[21] = Ase; - state[22] = Asi; - state[23] = Aso; - state[24] = Asu; -} - -/************************************************* - * Name: keccak_absorb - * - * Description: Absorb step of Keccak; - * non-incremental, starts by zeroeing the state. - * - * Arguments: - uint64_t *s: pointer to (uninitialized) output Keccak state - * - uint32_t r: rate in bytes (e.g., 168 for SHAKE128) - * - const uint8_t *m: pointer to input to be absorbed into s - * - size_t mlen: length of input in bytes - * - uint8_t p: domain-separation byte for different - * Keccak-derived functions - **************************************************/ -static void keccak_absorb(uint64_t *s, uint32_t r, const uint8_t *m, - size_t mlen, uint8_t p) { - size_t i; - uint8_t t[200]; - - /* Zero state */ - for (i = 0; i < 25; ++i) { - s[i] = 0; - } - - while (mlen >= r) { - for (i = 0; i < r / 8; ++i) { - s[i] ^= load64(m + 8 * i); - } - - KeccakF1600_StatePermute(s); - mlen -= r; - m += r; - } - - for (i = 0; i < r; ++i) { - t[i] = 0; - } - for (i = 0; i < mlen; ++i) { - t[i] = m[i]; - } - t[i] = p; - t[r - 1] |= 128; - for (i = 0; i < r / 8; ++i) { - s[i] ^= load64(t + 8 * i); - } -} - -/************************************************* - * Name: keccak_squeezeblocks - * - * Description: Squeeze step of Keccak. Squeezes full blocks of r bytes each. - * Modifies the state. Can be called multiple times to keep - * squeezing, i.e., is incremental. - * - * Arguments: - uint8_t *h: pointer to output blocks - * - size_t nblocks: number of blocks to be - * squeezed (written to h) - * - uint64_t *s: pointer to input/output Keccak state - * - uint32_t r: rate in bytes (e.g., 168 for SHAKE128) - **************************************************/ -static void keccak_squeezeblocks(uint8_t *h, size_t nblocks, - uint64_t *s, uint32_t r) { - while (nblocks > 0) { - KeccakF1600_StatePermute(s); - for (size_t i = 0; i < (r >> 3); i++) { - store64(h + 8 * i, s[i]); - } - h += r; - nblocks--; - } -} - -/************************************************* - * Name: shake128_absorb - * - * Description: Absorb step of the SHAKE128 XOF. - * non-incremental, starts by zeroeing the state. - * - * Arguments: - uint64_t *s: pointer to (uninitialized) output Keccak state - * - const uint8_t *input: pointer to input to be absorbed - * into s - * - size_t inlen: length of input in bytes - **************************************************/ -void shake128_absorb(shake128ctx *state, const uint8_t *input, size_t inlen) { - state->ctx = malloc(PQC_SHAKECTX_BYTES); - if (state->ctx == NULL) { - exit(111); - } - keccak_absorb(state->ctx, SHAKE128_RATE, input, inlen, 0x1F); -} - -/************************************************* - * Name: shake128_squeezeblocks - * - * Description: Squeeze step of SHAKE128 XOF. Squeezes full blocks of - * SHAKE128_RATE bytes each. Modifies the state. Can be called - * multiple times to keep squeezing, i.e., is incremental. - * - * Arguments: - uint8_t *output: pointer to output blocks - * - size_t nblocks: number of blocks to be squeezed - * (written to output) - * - shake128ctx *state: pointer to input/output Keccak state - **************************************************/ -void shake128_squeezeblocks(uint8_t *output, size_t nblocks, shake128ctx *state) { - keccak_squeezeblocks(output, nblocks, state->ctx, SHAKE128_RATE); -} - -void shake128_ctx_clone(shake128ctx *dest, const shake128ctx *src) { - dest->ctx = malloc(PQC_SHAKECTX_BYTES); - if (dest->ctx == NULL) { - exit(111); - } - memcpy(dest->ctx, src->ctx, PQC_SHAKECTX_BYTES); -} - -/** Release the allocated state. Call only once. */ -void shake128_ctx_release(shake128ctx *state) { - free(state->ctx); // IGNORE free-check -} - -/************************************************* - * Name: shake256_absorb - * - * Description: Absorb step of the SHAKE256 XOF. - * non-incremental, starts by zeroeing the state. - * - * Arguments: - shake256ctx *state: pointer to (uninitialized) output Keccak state - * - const uint8_t *input: pointer to input to be absorbed - * into s - * - size_t inlen: length of input in bytes - **************************************************/ -void shake256_absorb(shake256ctx *state, const uint8_t *input, size_t inlen) { - state->ctx = malloc(PQC_SHAKECTX_BYTES); - if (state->ctx == NULL) { - exit(111); - } - keccak_absorb(state->ctx, SHAKE256_RATE, input, inlen, 0x1F); -} - -/************************************************* - * Name: shake256_squeezeblocks - * - * Description: Squeeze step of SHAKE256 XOF. Squeezes full blocks of - * SHAKE256_RATE bytes each. Modifies the state. Can be called - * multiple times to keep squeezing, i.e., is incremental. - * - * Arguments: - uint8_t *output: pointer to output blocks - * - size_t nblocks: number of blocks to be squeezed - * (written to output) - * - shake256ctx *state: pointer to input/output Keccak state - **************************************************/ -void shake256_squeezeblocks(uint8_t *output, size_t nblocks, shake256ctx *state) { - keccak_squeezeblocks(output, nblocks, state->ctx, SHAKE256_RATE); -} - -void shake256_ctx_clone(shake256ctx *dest, const shake256ctx *src) { - dest->ctx = malloc(PQC_SHAKECTX_BYTES); - if (dest->ctx == NULL) { - exit(111); - } - memcpy(dest->ctx, src->ctx, PQC_SHAKECTX_BYTES); -} - -/** Release the allocated state. Call only once. */ -void shake256_ctx_release(shake256ctx *state) { - free(state->ctx); // IGNORE free-check -} - -/************************************************* - * Name: shake128 - * - * Description: SHAKE128 XOF with non-incremental API - * - * Arguments: - uint8_t *output: pointer to output - * - size_t outlen: requested output length in bytes - * - const uint8_t *input: pointer to input - * - size_t inlen: length of input in bytes - **************************************************/ -void shake128(uint8_t *output, size_t outlen, - const uint8_t *input, size_t inlen) { - size_t nblocks = outlen / SHAKE128_RATE; - uint8_t t[SHAKE128_RATE]; - shake128ctx s; - - shake128_absorb(&s, input, inlen); - shake128_squeezeblocks(output, nblocks, &s); - - output += nblocks * SHAKE128_RATE; - outlen -= nblocks * SHAKE128_RATE; - - if (outlen) { - shake128_squeezeblocks(t, 1, &s); - for (size_t i = 0; i < outlen; ++i) { - output[i] = t[i]; - } - } - shake128_ctx_release(&s); -} - -/************************************************* - * Name: shake256 - * - * Description: SHAKE256 XOF with non-incremental API - * - * Arguments: - uint8_t *output: pointer to output - * - size_t outlen: requested output length in bytes - * - const uint8_t *input: pointer to input - * - size_t inlen: length of input in bytes - **************************************************/ -void shake256_kyber(uint8_t *output, size_t outlen, - const uint8_t *input, size_t inlen) { - size_t nblocks = outlen / SHAKE256_RATE; - uint8_t t[SHAKE256_RATE]; - shake256ctx s; - - shake256_absorb(&s, input, inlen); - shake256_squeezeblocks(output, nblocks, &s); - - output += nblocks * SHAKE256_RATE; - outlen -= nblocks * SHAKE256_RATE; - - if (outlen) { - shake256_squeezeblocks(t, 1, &s); - for (size_t i = 0; i < outlen; ++i) { - output[i] = t[i]; - } - } - shake256_ctx_release(&s); -} - -/************************************************* - * Name: sha3_256 - * - * Description: SHA3-256 with non-incremental API - * - * Arguments: - uint8_t *output: pointer to output - * - const uint8_t *input: pointer to input - * - size_t inlen: length of input in bytes - **************************************************/ -void sha3_256(uint8_t *output, const uint8_t *input, size_t inlen) { - uint64_t s[25]; - uint8_t t[SHA3_256_RATE]; - - /* Absorb input */ - keccak_absorb(s, SHA3_256_RATE, input, inlen, 0x06); - - /* Squeeze output */ - keccak_squeezeblocks(t, 1, s, SHA3_256_RATE); - - for (size_t i = 0; i < 32; i++) { - output[i] = t[i]; - } -} - - -/************************************************* - * Name: sha3_512 - * - * Description: SHA3-512 with non-incremental API - * - * Arguments: - uint8_t *output: pointer to output - * - const uint8_t *input: pointer to input - * - size_t inlen: length of input in bytes - **************************************************/ -void sha3_512(uint8_t *output, const uint8_t *input, size_t inlen) { - uint64_t s[25]; - uint8_t t[SHA3_512_RATE]; - - /* Absorb input */ - keccak_absorb(s, SHA3_512_RATE, input, inlen, 0x06); - - /* Squeeze output */ - keccak_squeezeblocks(t, 1, s, SHA3_512_RATE); - - for (size_t i = 0; i < 64; i++) { - output[i] = t[i]; - } -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/fips202_kyber_r2.h b/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/fips202_kyber_r2.h deleted file mode 100644 index d9a39e2ec1..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/fips202_kyber_r2.h +++ /dev/null @@ -1,36 +0,0 @@ -// SPDX-License-Identifier: MIT - -#ifndef FIPS202_KYBER_R2_H -#define FIPS202_KYBER_R2_H - -#include <stdint.h> -#include <stddef.h> - -/** Data structure for the state of the SHAKE128 non-incremental hashing API. */ -typedef struct { - /** Internal state. */ - void *ctx; -} shake128ctx; - -/** Data structure for the state of the SHAKE256 non-incremental hashing API. */ -typedef struct { - /** Internal state. */ - void *ctx; -} shake256ctx; - -typedef shake128ctx keccak_state; - - -#define SHAKE128_RATE 168 -#define SHAKE256_RATE 136 -#define SHA3_256_RATE 136 -#define SHA3_512_RATE 72 - -void shake128_absorb(shake128ctx *state, const uint8_t *input, size_t inlen); -void shake128_squeezeblocks(uint8_t *output, size_t nblocks, shake128ctx *state); -void shake256_kyber(uint8_t *output, size_t outlen, const uint8_t *input, size_t inlen); -void sha3_256(uint8_t *output, const uint8_t *input, size_t inlen); -void sha3_512(uint8_t *output, const uint8_t *input, size_t inlen); -void shake128_ctx_release(shake128ctx *state); - -#endif // FIPS202_KYBER_R2_H diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/indcpa.c b/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/indcpa.c deleted file mode 100644 index 1b76bb9b0c..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/indcpa.c +++ /dev/null @@ -1,301 +0,0 @@ -#include "indcpa.h" -#include "ntt.h" -#include "params.h" -#include "poly.h" -#include "polyvec.h" -#include "../s2n_pq_random.h" -#include "utils/s2n_safety.h" -#include "symmetric.h" - -#include <stdint.h> - -/************************************************* -* Name: pack_pk -* -* Description: Serialize the public key as concatenation of the -* serialized vector of polynomials pk -* and the public seed used to generate the matrix A. -* -* Arguments: uint8_t *r: pointer to the output serialized public key -* const poly *pk: pointer to the input public-key polynomial -* const uint8_t *seed: pointer to the input public seed -**************************************************/ -static void pack_pk(uint8_t *r, polyvec *pk, const uint8_t *seed) { - PQCLEAN_KYBER512_CLEAN_polyvec_tobytes(r, pk); - for (size_t i = 0; i < KYBER_SYMBYTES; i++) { - r[i + KYBER_POLYVECBYTES] = seed[i]; - } -} - -/************************************************* -* Name: unpack_pk -* -* Description: De-serialize public key from a byte array; -* approximate inverse of pack_pk -* -* Arguments: - polyvec *pk: pointer to output public-key vector of polynomials -* - uint8_t *seed: pointer to output seed to generate matrix A -* - const uint8_t *packedpk: pointer to input serialized public key -**************************************************/ -static void unpack_pk(polyvec *pk, uint8_t *seed, const uint8_t *packedpk) { - PQCLEAN_KYBER512_CLEAN_polyvec_frombytes(pk, packedpk); - for (size_t i = 0; i < KYBER_SYMBYTES; i++) { - seed[i] = packedpk[i + KYBER_POLYVECBYTES]; - } -} - -/************************************************* -* Name: pack_sk -* -* Description: Serialize the secret key -* -* Arguments: - uint8_t *r: pointer to output serialized secret key -* - const polyvec *sk: pointer to input vector of polynomials (secret key) -**************************************************/ -static void pack_sk(uint8_t *r, polyvec *sk) { - PQCLEAN_KYBER512_CLEAN_polyvec_tobytes(r, sk); -} - -/************************************************* -* Name: unpack_sk -* -* Description: De-serialize the secret key; -* inverse of pack_sk -* -* Arguments: - polyvec *sk: pointer to output vector of polynomials (secret key) -* - const uint8_t *packedsk: pointer to input serialized secret key -**************************************************/ -static void unpack_sk(polyvec *sk, const uint8_t *packedsk) { - PQCLEAN_KYBER512_CLEAN_polyvec_frombytes(sk, packedsk); -} - -/************************************************* -* Name: pack_ciphertext -* -* Description: Serialize the ciphertext as concatenation of the -* compressed and serialized vector of polynomials b -* and the compressed and serialized polynomial v -* -* Arguments: uint8_t *r: pointer to the output serialized ciphertext -* const poly *pk: pointer to the input vector of polynomials b -* const uint8_t *seed: pointer to the input polynomial v -**************************************************/ -static void pack_ciphertext(uint8_t *r, polyvec *b, poly *v) { - PQCLEAN_KYBER512_CLEAN_polyvec_compress(r, b); - PQCLEAN_KYBER512_CLEAN_poly_compress(r + KYBER_POLYVECCOMPRESSEDBYTES, v); -} - -/************************************************* -* Name: unpack_ciphertext -* -* Description: De-serialize and decompress ciphertext from a byte array; -* approximate inverse of pack_ciphertext -* -* Arguments: - polyvec *b: pointer to the output vector of polynomials b -* - poly *v: pointer to the output polynomial v -* - const uint8_t *c: pointer to the input serialized ciphertext -**************************************************/ -static void unpack_ciphertext(polyvec *b, poly *v, const uint8_t *c) { - PQCLEAN_KYBER512_CLEAN_polyvec_decompress(b, c); - PQCLEAN_KYBER512_CLEAN_poly_decompress(v, c + KYBER_POLYVECCOMPRESSEDBYTES); -} - -/************************************************* -* Name: rej_uniform -* -* Description: Run rejection sampling on uniform random bytes to generate -* uniform random integers mod q -* -* Arguments: - int16_t *r: pointer to output buffer -* - size_t len: requested number of 16-bit integers (uniform mod q) -* - const uint8_t *buf: pointer to input buffer (assumed to be uniform random bytes) -* - size_t buflen: length of input buffer in bytes -* -* Returns number of sampled 16-bit integers (at most len) -**************************************************/ -static size_t rej_uniform(int16_t *r, size_t len, const uint8_t *buf, size_t buflen) { - size_t ctr, pos; - - ctr = pos = 0; - while (ctr < len && pos + 2 <= buflen) { - uint16_t val = (uint16_t)(buf[pos] | ((uint16_t)buf[pos + 1] << 8)); - pos += 2; - - if (val < 19 * KYBER_Q) { - val -= (uint16_t)((val >> 12) * KYBER_Q); // Barrett reduction - r[ctr++] = (int16_t)val; - } - } - - return ctr; -} - -#define gen_a(A,B) gen_matrix(A,B,0) -#define gen_at(A,B) gen_matrix(A,B,1) - -/************************************************* -* Name: gen_matrix -* -* Description: Deterministically generate matrix A (or the transpose of A) -* from a seed. Entries of the matrix are polynomials that look -* uniformly random. Performs rejection sampling on output of -* a XOF -* -* Arguments: - polyvec *a: pointer to ouptput matrix A -* - const uint8_t *seed: pointer to input seed -* - int transposed: boolean deciding whether A or A^T is generated -**************************************************/ -#define MAXNBLOCKS ((530+XOF_BLOCKBYTES)/XOF_BLOCKBYTES) /* 530 is expected number of required bytes */ -static void gen_matrix(polyvec *a, const uint8_t *seed, int transposed) { - size_t ctr; - uint8_t i, j; - uint8_t buf[XOF_BLOCKBYTES * MAXNBLOCKS + 1]; - xof_state state; - - for (i = 0; i < KYBER_K; i++) { - for (j = 0; j < KYBER_K; j++) { - if (transposed) { - xof_absorb(&state, seed, i, j); - } else { - xof_absorb(&state, seed, j, i); - } - - xof_squeezeblocks(buf, MAXNBLOCKS, &state); - ctr = rej_uniform(a[i].vec[j].coeffs, KYBER_N, buf, MAXNBLOCKS * XOF_BLOCKBYTES); - - while (ctr < KYBER_N) { - xof_squeezeblocks(buf, 1, &state); - ctr += rej_uniform(a[i].vec[j].coeffs + ctr, KYBER_N - ctr, buf, XOF_BLOCKBYTES); - } - xof_ctx_release(&state); - } - } -} - -/************************************************* -* Name: indcpa_keypair -* -* Description: Generates public and private key for the CPA-secure -* public-key encryption scheme underlying Kyber -* -* Arguments: - uint8_t *pk: pointer to output public key (of length KYBER_INDCPA_PUBLICKEYBYTES bytes) -* - uint8_t *sk: pointer to output private key (of length KYBER_INDCPA_SECRETKEYBYTES bytes) -**************************************************/ -int PQCLEAN_KYBER512_CLEAN_indcpa_keypair(uint8_t *pk, uint8_t *sk) { - polyvec a[KYBER_K], e, pkpv, skpv; - uint8_t buf[2 * KYBER_SYMBYTES]; - uint8_t *publicseed = buf; - uint8_t *noiseseed = buf + KYBER_SYMBYTES; - uint8_t nonce = 0; - - POSIX_GUARD_RESULT(s2n_get_random_bytes(buf, KYBER_SYMBYTES)); - hash_g(buf, buf, KYBER_SYMBYTES); - - gen_a(a, publicseed); - - for (size_t i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER512_CLEAN_poly_getnoise(skpv.vec + i, noiseseed, nonce++); - } - for (size_t i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER512_CLEAN_poly_getnoise(e.vec + i, noiseseed, nonce++); - } - - PQCLEAN_KYBER512_CLEAN_polyvec_ntt(&skpv); - PQCLEAN_KYBER512_CLEAN_polyvec_ntt(&e); - - // matrix-vector multiplication - for (size_t i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER512_CLEAN_polyvec_pointwise_acc(&pkpv.vec[i], &a[i], &skpv); - PQCLEAN_KYBER512_CLEAN_poly_frommont(&pkpv.vec[i]); - } - - PQCLEAN_KYBER512_CLEAN_polyvec_add(&pkpv, &pkpv, &e); - PQCLEAN_KYBER512_CLEAN_polyvec_reduce(&pkpv); - - pack_sk(sk, &skpv); - pack_pk(pk, &pkpv, publicseed); - return 0; -} - -/************************************************* -* Name: indcpa_enc -* -* Description: Encryption function of the CPA-secure -* public-key encryption scheme underlying Kyber. -* -* Arguments: - uint8_t *c: pointer to output ciphertext (of length KYBER_INDCPA_BYTES bytes) -* - const uint8_t *m: pointer to input message (of length KYBER_INDCPA_MSGBYTES bytes) -* - const uint8_t *pk: pointer to input public key (of length KYBER_INDCPA_PUBLICKEYBYTES bytes) -* - const uint8_t *coin: pointer to input random coins used as seed (of length KYBER_SYMBYTES bytes) -* to deterministically generate all randomness -**************************************************/ -void PQCLEAN_KYBER512_CLEAN_indcpa_enc(uint8_t *c, - const uint8_t *m, - const uint8_t *pk, - const uint8_t *coins) { - polyvec sp, pkpv, ep, at[KYBER_K], bp; - poly v, k, epp; - uint8_t seed[KYBER_SYMBYTES]; - uint8_t nonce = 0; - - unpack_pk(&pkpv, seed, pk); - PQCLEAN_KYBER512_CLEAN_poly_frommsg(&k, m); - gen_at(at, seed); - - for (size_t i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER512_CLEAN_poly_getnoise(sp.vec + i, coins, nonce++); - } - for (size_t i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER512_CLEAN_poly_getnoise(ep.vec + i, coins, nonce++); - } - PQCLEAN_KYBER512_CLEAN_poly_getnoise(&epp, coins, nonce++); - - PQCLEAN_KYBER512_CLEAN_polyvec_ntt(&sp); - - // matrix-vector multiplication - for (size_t i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER512_CLEAN_polyvec_pointwise_acc(&bp.vec[i], &at[i], &sp); - } - - PQCLEAN_KYBER512_CLEAN_polyvec_pointwise_acc(&v, &pkpv, &sp); - - PQCLEAN_KYBER512_CLEAN_polyvec_invntt(&bp); - PQCLEAN_KYBER512_CLEAN_poly_invntt(&v); - - PQCLEAN_KYBER512_CLEAN_polyvec_add(&bp, &bp, &ep); - PQCLEAN_KYBER512_CLEAN_poly_add(&v, &v, &epp); - PQCLEAN_KYBER512_CLEAN_poly_add(&v, &v, &k); - PQCLEAN_KYBER512_CLEAN_polyvec_reduce(&bp); - PQCLEAN_KYBER512_CLEAN_poly_reduce(&v); - - pack_ciphertext(c, &bp, &v); -} - -/************************************************* -* Name: indcpa_dec -* -* Description: Decryption function of the CPA-secure -* public-key encryption scheme underlying Kyber. -* -* Arguments: - uint8_t *m: pointer to output decrypted message (of length KYBER_INDCPA_MSGBYTES) -* - const uint8_t *c: pointer to input ciphertext (of length KYBER_INDCPA_BYTES) -* - const uint8_t *sk: pointer to input secret key (of length KYBER_INDCPA_SECRETKEYBYTES) -**************************************************/ -void PQCLEAN_KYBER512_CLEAN_indcpa_dec(uint8_t *m, - const uint8_t *c, - const uint8_t *sk) { - polyvec bp, skpv; - poly v, mp; - - unpack_ciphertext(&bp, &v, c); - unpack_sk(&skpv, sk); - - PQCLEAN_KYBER512_CLEAN_polyvec_ntt(&bp); - PQCLEAN_KYBER512_CLEAN_polyvec_pointwise_acc(&mp, &skpv, &bp); - PQCLEAN_KYBER512_CLEAN_poly_invntt(&mp); - - PQCLEAN_KYBER512_CLEAN_poly_sub(&mp, &v, &mp); - PQCLEAN_KYBER512_CLEAN_poly_reduce(&mp); - - PQCLEAN_KYBER512_CLEAN_poly_tomsg(m, &mp); -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/indcpa.h b/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/indcpa.h deleted file mode 100644 index 23328f0970..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/indcpa.h +++ /dev/null @@ -1,21 +0,0 @@ -#ifndef INDCPA_H -#define INDCPA_H - -#include <stdint.h> - -int PQCLEAN_KYBER512_CLEAN_indcpa_keypair( - uint8_t *pk, - uint8_t *sk); - -void PQCLEAN_KYBER512_CLEAN_indcpa_enc( - uint8_t *c, - const uint8_t *m, - const uint8_t *pk, - const uint8_t *coins); - -void PQCLEAN_KYBER512_CLEAN_indcpa_dec( - uint8_t *m, - const uint8_t *c, - const uint8_t *sk); - -#endif diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/kyber_r2_kem.c b/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/kyber_r2_kem.c deleted file mode 100644 index 140ec352d4..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/kyber_r2_kem.c +++ /dev/null @@ -1,106 +0,0 @@ -#include "indcpa.h" -#include "params.h" -#include "symmetric.h" -#include "verify.h" - -#include "../s2n_pq_random.h" -#include "utils/s2n_safety.h" -#include "tls/s2n_kem.h" -#include "pq-crypto/s2n_pq.h" - -#include <stdlib.h> - -/************************************************* -* Name: crypto_kem_keypair -* -* Description: Generates public and private key -* for CCA-secure Kyber key encapsulation mechanism -* -* Arguments: - uint8_t *pk: pointer to output public key (an already allocated array of CRYPTO_PUBLICKEYBYTES bytes) -* - uint8_t *sk: pointer to output private key (an already allocated array of CRYPTO_SECRETKEYBYTES bytes) -* -* Returns 0 (success) -**************************************************/ -int kyber_512_r2_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) { - POSIX_ENSURE(s2n_pq_is_enabled(), S2N_ERR_PQ_DISABLED); - size_t i; - PQCLEAN_KYBER512_CLEAN_indcpa_keypair(pk, sk); - for (i = 0; i < KYBER_INDCPA_PUBLICKEYBYTES; i++) { - sk[i + KYBER_INDCPA_SECRETKEYBYTES] = pk[i]; - } - hash_h(sk + KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES); - POSIX_GUARD_RESULT(s2n_get_random_bytes(sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES)); /* Value z for pseudo-random output on reject */ - return 0; -} - -/************************************************* -* Name: crypto_kem_enc -* -* Description: Generates cipher text and shared -* secret for given public key -* -* Arguments: - uint8_t *ct: pointer to output cipher text (an already allocated array of CRYPTO_CIPHERTEXTBYTES bytes) -* - uint8_t *ss: pointer to output shared secret (an already allocated array of CRYPTO_BYTES bytes) -* - const uint8_t *pk: pointer to input public key (an already allocated array of CRYPTO_PUBLICKEYBYTES bytes) -* -* Returns 0 (success) -**************************************************/ -int kyber_512_r2_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk) { - POSIX_ENSURE(s2n_pq_is_enabled(), S2N_ERR_PQ_DISABLED); - uint8_t kr[2 * KYBER_SYMBYTES]; /* Will contain key, coins */ - uint8_t buf[2 * KYBER_SYMBYTES]; - - POSIX_GUARD_RESULT(s2n_get_random_bytes(buf, KYBER_SYMBYTES)); - hash_h(buf, buf, KYBER_SYMBYTES); /* Don't release system RNG output */ - - hash_h(buf + KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES); /* Multitarget countermeasure for coins + contributory KEM */ - hash_g(kr, buf, 2 * KYBER_SYMBYTES); - - PQCLEAN_KYBER512_CLEAN_indcpa_enc(ct, buf, pk, kr + KYBER_SYMBYTES); /* coins are in kr+KYBER_SYMBYTES */ - - hash_h(kr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); /* overwrite coins in kr with H(c) */ - kdf(ss, kr, 2 * KYBER_SYMBYTES); /* hash concatenation of pre-k and H(c) to k */ - return 0; -} - -/************************************************* -* Name: crypto_kem_dec -* -* Description: Generates shared secret for given -* cipher text and private key -* -* Arguments: - uint8_t *ss: pointer to output shared secret (an already allocated array of CRYPTO_BYTES bytes) -* - const uint8_t *ct: pointer to input cipher text (an already allocated array of CRYPTO_CIPHERTEXTBYTES bytes) -* - const uint8_t *sk: pointer to input private key (an already allocated array of CRYPTO_SECRETKEYBYTES bytes) -* -* Returns 0. -* -* On failure, ss will contain a pseudo-random value. -**************************************************/ -int kyber_512_r2_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk) { - POSIX_ENSURE(s2n_pq_is_enabled(), S2N_ERR_PQ_DISABLED); - size_t i; - uint8_t fail; - uint8_t cmp[KYBER_CIPHERTEXTBYTES]; - uint8_t buf[2 * KYBER_SYMBYTES]; - uint8_t kr[2 * KYBER_SYMBYTES]; /* Will contain key, coins */ - const uint8_t *pk = sk + KYBER_INDCPA_SECRETKEYBYTES; - - PQCLEAN_KYBER512_CLEAN_indcpa_dec(buf, ct, sk); - - for (i = 0; i < KYBER_SYMBYTES; i++) { /* Multitarget countermeasure for coins + contributory KEM */ - buf[KYBER_SYMBYTES + i] = sk[KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES + i]; /* Save hash by storing H(pk) in sk */ - } - hash_g(kr, buf, 2 * KYBER_SYMBYTES); - - PQCLEAN_KYBER512_CLEAN_indcpa_enc(cmp, buf, pk, kr + KYBER_SYMBYTES); /* coins are in kr+KYBER_SYMBYTES */ - - fail = PQCLEAN_KYBER512_CLEAN_verify(ct, cmp, KYBER_CIPHERTEXTBYTES); - - hash_h(kr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); /* overwrite coins in kr with H(c) */ - - PQCLEAN_KYBER512_CLEAN_cmov(kr, sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES, fail); /* Overwrite pre-k with z on re-encryption failure */ - - kdf(ss, kr, 2 * KYBER_SYMBYTES); /* hash concatenation of pre-k and H(c) to k */ - return 0; -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/ntt.c b/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/ntt.c deleted file mode 100644 index 444664b3e2..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/ntt.c +++ /dev/null @@ -1,155 +0,0 @@ -#include "ntt.h" -#include "params.h" -#include "reduce.h" - -#include <stddef.h> -#include <stdint.h> - -/* Code to generate zetas and zetas_inv used in the number-theoretic transform: - -#define KYBER_ROOT_OF_UNITY 17 - -static const uint16_t tree[128] = { - 0, 64, 32, 96, 16, 80, 48, 112, 8, 72, 40, 104, 24, 88, 56, 120, - 4, 68, 36, 100, 20, 84, 52, 116, 12, 76, 44, 108, 28, 92, 60, 124, - 2, 66, 34, 98, 18, 82, 50, 114, 10, 74, 42, 106, 26, 90, 58, 122, - 6, 70, 38, 102, 22, 86, 54, 118, 14, 78, 46, 110, 30, 94, 62, 126, - 1, 65, 33, 97, 17, 81, 49, 113, 9, 73, 41, 105, 25, 89, 57, 121, - 5, 69, 37, 101, 21, 85, 53, 117, 13, 77, 45, 109, 29, 93, 61, 125, - 3, 67, 35, 99, 19, 83, 51, 115, 11, 75, 43, 107, 27, 91, 59, 123, - 7, 71, 39, 103, 23, 87, 55, 119, 15, 79, 47, 111, 31, 95, 63, 127}; - - -static int16_t fqmul(int16_t a, int16_t b) { - return montgomery_reduce((int32_t)a*b); -} - -void init_ntt() { - unsigned int i, j, k; - int16_t tmp[128]; - - tmp[0] = MONT; - for(i = 1; i < 128; ++i) - tmp[i] = fqmul(tmp[i-1], KYBER_ROOT_OF_UNITY*MONT % KYBER_Q); - - for(i = 0; i < 128; ++i) - zetas[i] = tmp[tree[i]]; - - k = 0; - for(i = 64; i >= 1; i >>= 1) - for(j = i; j < 2*i; ++j) - zetas_inv[k++] = -tmp[128 - tree[j]]; - - zetas_inv[127] = MONT * (MONT * (KYBER_Q - 1) * ((KYBER_Q - 1)/128) % KYBER_Q) % KYBER_Q; -} - -*/ -const int16_t PQCLEAN_KYBER512_CLEAN_zetas[128] = { - 2285, 2571, 2970, 1812, 1493, 1422, 287, 202, 3158, 622, 1577, 182, 962, 2127, 1855, 1468, - 573, 2004, 264, 383, 2500, 1458, 1727, 3199, 2648, 1017, 732, 608, 1787, 411, 3124, 1758, - 1223, 652, 2777, 1015, 2036, 1491, 3047, 1785, 516, 3321, 3009, 2663, 1711, 2167, 126, 1469, - 2476, 3239, 3058, 830, 107, 1908, 3082, 2378, 2931, 961, 1821, 2604, 448, 2264, 677, 2054, - 2226, 430, 555, 843, 2078, 871, 1550, 105, 422, 587, 177, 3094, 3038, 2869, 1574, 1653, - 3083, 778, 1159, 3182, 2552, 1483, 2727, 1119, 1739, 644, 2457, 349, 418, 329, 3173, 3254, - 817, 1097, 603, 610, 1322, 2044, 1864, 384, 2114, 3193, 1218, 1994, 2455, 220, 2142, 1670, - 2144, 1799, 2051, 794, 1819, 2475, 2459, 478, 3221, 3021, 996, 991, 958, 1869, 1522, 1628 -}; - -const int16_t PQCLEAN_KYBER512_CLEAN_zetas_inv[128] = { - 1701, 1807, 1460, 2371, 2338, 2333, 308, 108, 2851, 870, 854, 1510, 2535, 1278, 1530, 1185, - 1659, 1187, 3109, 874, 1335, 2111, 136, 1215, 2945, 1465, 1285, 2007, 2719, 2726, 2232, 2512, - 75, 156, 3000, 2911, 2980, 872, 2685, 1590, 2210, 602, 1846, 777, 147, 2170, 2551, 246, - 1676, 1755, 460, 291, 235, 3152, 2742, 2907, 3224, 1779, 2458, 1251, 2486, 2774, 2899, 1103, - 1275, 2652, 1065, 2881, 725, 1508, 2368, 398, 951, 247, 1421, 3222, 2499, 271, 90, 853, - 1860, 3203, 1162, 1618, 666, 320, 8, 2813, 1544, 282, 1838, 1293, 2314, 552, 2677, 2106, - 1571, 205, 2918, 1542, 2721, 2597, 2312, 681, 130, 1602, 1871, 829, 2946, 3065, 1325, 2756, - 1861, 1474, 1202, 2367, 3147, 1752, 2707, 171, 3127, 3042, 1907, 1836, 1517, 359, 758, 1441 -}; - - -/************************************************* -* Name: fqmul -* -* Description: Multiplication followed by Montgomery reduction -* -* Arguments: - int16_t a: first factor -* - int16_t b: second factor -* -* Returns 16-bit integer congruent to a*b*R^{-1} mod q -**************************************************/ -static int16_t fqmul(int16_t a, int16_t b) { - return PQCLEAN_KYBER512_CLEAN_montgomery_reduce((int32_t)a * b); -} - -/************************************************* -* Name: ntt -* -* Description: Inplace number-theoretic transform (NTT) in Rq -* input is in standard order, output is in bitreversed order -* -* Arguments: - int16_t poly[256]: pointer to input/output vector of elements of Zq -**************************************************/ -void PQCLEAN_KYBER512_CLEAN_ntt(int16_t poly[256]) { - size_t j, k = 1; - int16_t t, zeta; - - for (size_t len = 128; len >= 2; len >>= 1) { - for (size_t start = 0; start < 256; start = j + len) { - zeta = PQCLEAN_KYBER512_CLEAN_zetas[k++]; - for (j = start; j < start + len; ++j) { - t = fqmul(zeta, poly[j + len]); - poly[j + len] = poly[j] - t; - poly[j] = poly[j] + t; - } - } - } -} - -/************************************************* -* Name: invntt -* -* Description: Inplace inverse number-theoretic transform in Rq -* input is in bitreversed order, output is in standard order -* -* Arguments: - int16_t poly[256]: pointer to input/output vector of elements of Zq -**************************************************/ -void PQCLEAN_KYBER512_CLEAN_invntt(int16_t poly[256]) { - size_t j, k = 0; - int16_t t, zeta; - - for (size_t len = 2; len <= 128; len <<= 1) { - for (size_t start = 0; start < 256; start = j + len) { - zeta = PQCLEAN_KYBER512_CLEAN_zetas_inv[k++]; - for (j = start; j < start + len; ++j) { - t = poly[j]; - poly[j] = PQCLEAN_KYBER512_CLEAN_barrett_reduce(t + poly[j + len]); - poly[j + len] = t - poly[j + len]; - poly[j + len] = fqmul(zeta, poly[j + len]); - } - } - } - - for (j = 0; j < 256; ++j) { - poly[j] = fqmul(poly[j], PQCLEAN_KYBER512_CLEAN_zetas_inv[127]); - } -} - -/************************************************* -* Name: basemul -* -* Description: Multiplication of polynomials in Zq[X]/((X^2-zeta)) -* used for multiplication of elements in Rq in NTT domain -* -* Arguments: - int16_t r[2]: pointer to the output polynomial -* - const int16_t a[2]: pointer to the first factor -* - const int16_t b[2]: pointer to the second factor -* - int16_t zeta: integer defining the reduction polynomial -**************************************************/ -void PQCLEAN_KYBER512_CLEAN_basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], int16_t zeta) { - r[0] = fqmul(a[1], b[1]); - r[0] = fqmul(r[0], zeta); - r[0] += fqmul(a[0], b[0]); - - r[1] = fqmul(a[0], b[1]); - r[1] += fqmul(a[1], b[0]); -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/ntt.h b/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/ntt.h deleted file mode 100644 index 7885e7cdc6..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/ntt.h +++ /dev/null @@ -1,13 +0,0 @@ -#ifndef NTT_H -#define NTT_H - -#include <stdint.h> - -extern const int16_t PQCLEAN_KYBER512_CLEAN_zetas[128]; -extern const int16_t PQCLEAN_KYBER512_CLEAN_zetasinv[128]; - -void PQCLEAN_KYBER512_CLEAN_ntt(int16_t poly[256]); -void PQCLEAN_KYBER512_CLEAN_invntt(int16_t poly[256]); -void PQCLEAN_KYBER512_CLEAN_basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], int16_t zeta); - -#endif diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/params.h b/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/params.h deleted file mode 100644 index d086d4c694..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/params.h +++ /dev/null @@ -1,32 +0,0 @@ -#ifndef PARAMS_H -#define PARAMS_H - - -/* Don't change parameters below this line */ - -#define KYBER_N 256 -#define KYBER_Q 3329 - -#define KYBER_ETA 2 - -#define KYBER_SYMBYTES 32 /* size in bytes of hashes, and seeds */ -#define KYBER_SSBYTES 32 /* size in bytes of shared key */ - -#define KYBER_POLYBYTES 384 -#define KYBER_POLYVECBYTES (KYBER_K * KYBER_POLYBYTES) - - -#define KYBER_K 2 -#define KYBER_POLYCOMPRESSEDBYTES 96 -#define KYBER_POLYVECCOMPRESSEDBYTES (KYBER_K * 320) - -#define KYBER_INDCPA_MSGBYTES KYBER_SYMBYTES -#define KYBER_INDCPA_PUBLICKEYBYTES (KYBER_POLYVECBYTES + KYBER_SYMBYTES) -#define KYBER_INDCPA_SECRETKEYBYTES (KYBER_POLYVECBYTES) -#define KYBER_INDCPA_BYTES (KYBER_POLYVECCOMPRESSEDBYTES + KYBER_POLYCOMPRESSEDBYTES) - -#define KYBER_PUBLICKEYBYTES (KYBER_INDCPA_PUBLICKEYBYTES) -#define KYBER_SECRETKEYBYTES (KYBER_INDCPA_SECRETKEYBYTES + KYBER_INDCPA_PUBLICKEYBYTES + 2*KYBER_SYMBYTES) /* 32 bytes of additional space to save H(pk) */ -#define KYBER_CIPHERTEXTBYTES KYBER_INDCPA_BYTES - -#endif diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/poly.c b/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/poly.c deleted file mode 100644 index 694b4e9942..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/poly.c +++ /dev/null @@ -1,277 +0,0 @@ -#include "cbd.h" -#include "ntt.h" -#include "params.h" -#include "poly.h" -#include "reduce.h" -#include "symmetric.h" - -#include <stdint.h> -/************************************************* -* Name: poly_compress -* -* Description: Compression and subsequent serialization of a polynomial -* -* Arguments: - uint8_t *r: pointer to output byte array (needs space for KYBER_POLYCOMPRESSEDBYTES bytes) -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_KYBER512_CLEAN_poly_compress(uint8_t *r, poly *a) { - uint8_t t[8]; - size_t k = 0; - - PQCLEAN_KYBER512_CLEAN_poly_csubq(a); - - for (size_t i = 0; i < KYBER_N; i += 8) { - for (size_t j = 0; j < 8; j++) { - t[j] = ((((uint32_t)a->coeffs[i + j] << 3) + KYBER_Q / 2) / KYBER_Q) & 7; - } - - r[k] = (uint8_t)( t[0] | (t[1] << 3) | (t[2] << 6)); - r[k + 1] = (uint8_t)((t[2] >> 2) | (t[3] << 1) | (t[4] << 4) | (t[5] << 7)); - r[k + 2] = (uint8_t)((t[5] >> 1) | (t[6] << 2) | (t[7] << 5)); - k += 3; - } -} - -/************************************************* -* Name: poly_decompress -* -* Description: De-serialization and subsequent decompression of a polynomial; -* approximate inverse of poly_compress -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *a: pointer to input byte array (of length KYBER_POLYCOMPRESSEDBYTES bytes) -**************************************************/ -void PQCLEAN_KYBER512_CLEAN_poly_decompress(poly *r, const uint8_t *a) { - for (size_t i = 0; i < KYBER_N; i += 8) { - r->coeffs[i + 0] = (int16_t)( (((a[0] & 7) * KYBER_Q) + 4) >> 3); - r->coeffs[i + 1] = (int16_t)(((((a[0] >> 3) & 7) * KYBER_Q) + 4) >> 3); - r->coeffs[i + 2] = (int16_t)(((((a[0] >> 6) | ((a[1] << 2) & 4)) * KYBER_Q) + 4) >> 3); - r->coeffs[i + 3] = (int16_t)(((((a[1] >> 1) & 7) * KYBER_Q) + 4) >> 3); - r->coeffs[i + 4] = (int16_t)(((((a[1] >> 4) & 7) * KYBER_Q) + 4) >> 3); - r->coeffs[i + 5] = (int16_t)(((((a[1] >> 7) | ((a[2] << 1) & 6)) * KYBER_Q) + 4) >> 3); - r->coeffs[i + 6] = (int16_t)(((((a[2] >> 2) & 7) * KYBER_Q) + 4) >> 3); - r->coeffs[i + 7] = (int16_t)(((((a[2] >> 5)) * KYBER_Q) + 4) >> 3); - a += 3; - } -} - -/************************************************* -* Name: poly_tobytes -* -* Description: Serialization of a polynomial -* -* Arguments: - uint8_t *r: pointer to output byte array (needs space for KYBER_POLYBYTES bytes) -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_KYBER512_CLEAN_poly_tobytes(uint8_t *r, poly *a) { - PQCLEAN_KYBER512_CLEAN_poly_csubq(a); - - for (size_t i = 0; i < KYBER_N / 2; i++) { - int16_t t0 = a->coeffs[2 * i]; - int16_t t1 = a->coeffs[2 * i + 1]; - r[3 * i] = t0 & 0xff; - r[3 * i + 1] = (uint8_t)((t0 >> 8) | ((t1 & 0xf) << 4)); - r[3 * i + 2] = (uint8_t)(t1 >> 4); - } -} - -/************************************************* -* Name: poly_frombytes -* -* Description: De-serialization of a polynomial; -* inverse of poly_tobytes -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *a: pointer to input byte array (of KYBER_POLYBYTES bytes) -**************************************************/ -void PQCLEAN_KYBER512_CLEAN_poly_frombytes(poly *r, const uint8_t *a) { - for (size_t i = 0; i < KYBER_N / 2; i++) { - r->coeffs[2 * i] = (int16_t)(a[3 * i] | ((uint16_t)a[3 * i + 1] & 0x0f) << 8); - r->coeffs[2 * i + 1] = (int16_t)(a[3 * i + 1] >> 4 | ((uint16_t)a[3 * i + 2] & 0xff) << 4); - } -} - -/************************************************* -* Name: poly_getnoise -* -* Description: Sample a polynomial deterministically from a seed and a nonce, -* with output polynomial close to centered binomial distribution -* with parameter KYBER_ETA -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *seed: pointer to input seed (pointing to array of length KYBER_SYMBYTES bytes) -* - uint8_t nonce: one-byte input nonce -**************************************************/ -void PQCLEAN_KYBER512_CLEAN_poly_getnoise(poly *r, const uint8_t *seed, uint8_t nonce) { - uint8_t buf[KYBER_ETA * KYBER_N / 4]; - - prf(buf, KYBER_ETA * KYBER_N / 4, seed, nonce); - PQCLEAN_KYBER512_CLEAN_cbd(r, buf); -} - -/************************************************* -* Name: poly_ntt -* -* Description: Computes negacyclic number-theoretic transform (NTT) of -* a polynomial in place; -* inputs assumed to be in normal order, output in bitreversed order -* -* Arguments: - uint16_t *r: pointer to in/output polynomial -**************************************************/ -void PQCLEAN_KYBER512_CLEAN_poly_ntt(poly *r) { - PQCLEAN_KYBER512_CLEAN_ntt(r->coeffs); - PQCLEAN_KYBER512_CLEAN_poly_reduce(r); -} - -/************************************************* -* Name: poly_invntt -* -* Description: Computes inverse of negacyclic number-theoretic transform (NTT) of -* a polynomial in place; -* inputs assumed to be in bitreversed order, output in normal order -* -* Arguments: - uint16_t *a: pointer to in/output polynomial -**************************************************/ -void PQCLEAN_KYBER512_CLEAN_poly_invntt(poly *r) { - PQCLEAN_KYBER512_CLEAN_invntt(r->coeffs); -} - -/************************************************* -* Name: poly_basemul -* -* Description: Multiplication of two polynomials in NTT domain -* -* Arguments: - poly *r: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void PQCLEAN_KYBER512_CLEAN_poly_basemul(poly *r, const poly *a, const poly *b) { - for (size_t i = 0; i < KYBER_N / 4; ++i) { - PQCLEAN_KYBER512_CLEAN_basemul( - r->coeffs + 4 * i, - a->coeffs + 4 * i, - b->coeffs + 4 * i, - PQCLEAN_KYBER512_CLEAN_zetas[64 + i]); - PQCLEAN_KYBER512_CLEAN_basemul( - r->coeffs + 4 * i + 2, - a->coeffs + 4 * i + 2, - b->coeffs + 4 * i + 2, - -PQCLEAN_KYBER512_CLEAN_zetas[64 + i]); - } -} - -/************************************************* -* Name: poly_frommont -* -* Description: Inplace conversion of all coefficients of a polynomial -* from Montgomery domain to normal domain -* -* Arguments: - poly *r: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_KYBER512_CLEAN_poly_frommont(poly *r) { - const int16_t f = (1ULL << 32) % KYBER_Q; - - for (size_t i = 0; i < KYBER_N; i++) { - r->coeffs[i] = PQCLEAN_KYBER512_CLEAN_montgomery_reduce( - (int32_t)r->coeffs[i] * f); - } -} - -/************************************************* -* Name: poly_reduce -* -* Description: Applies Barrett reduction to all coefficients of a polynomial -* for details of the Barrett reduction see comments in reduce.c -* -* Arguments: - poly *r: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_KYBER512_CLEAN_poly_reduce(poly *r) { - for (size_t i = 0; i < KYBER_N; i++) { - r->coeffs[i] = PQCLEAN_KYBER512_CLEAN_barrett_reduce(r->coeffs[i]); - } -} - -/************************************************* -* Name: poly_csubq -* -* Description: Applies conditional subtraction of q to each coefficient of a polynomial -* for details of conditional subtraction of q see comments in reduce.c -* -* Arguments: - poly *r: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_KYBER512_CLEAN_poly_csubq(poly *r) { - for (size_t i = 0; i < KYBER_N; i++) { - r->coeffs[i] = PQCLEAN_KYBER512_CLEAN_csubq(r->coeffs[i]); - } -} - -/************************************************* -* Name: poly_add -* -* Description: Add two polynomials -* -* Arguments: - poly *r: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void PQCLEAN_KYBER512_CLEAN_poly_add(poly *r, const poly *a, const poly *b) { - for (size_t i = 0; i < KYBER_N; i++) { - r->coeffs[i] = a->coeffs[i] + b->coeffs[i]; - } -} - -/************************************************* -* Name: poly_sub -* -* Description: Subtract two polynomials -* -* Arguments: - poly *r: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void PQCLEAN_KYBER512_CLEAN_poly_sub(poly *r, const poly *a, const poly *b) { - for (size_t i = 0; i < KYBER_N; i++) { - r->coeffs[i] = a->coeffs[i] - b->coeffs[i]; - } -} - -/************************************************* -* Name: poly_frommsg -* -* Description: Convert 32-byte message to polynomial -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *msg: pointer to input message -**************************************************/ -void PQCLEAN_KYBER512_CLEAN_poly_frommsg(poly *r, const uint8_t msg[KYBER_SYMBYTES]) { - uint16_t mask; - - for (size_t i = 0; i < KYBER_SYMBYTES; i++) { - for (size_t j = 0; j < 8; j++) { - mask = -((msg[i] >> j) & 1); - r->coeffs[8 * i + j] = mask & ((KYBER_Q + 1) / 2); - } - } -} - -/************************************************* -* Name: poly_tomsg -* -* Description: Convert polynomial to 32-byte message -* -* Arguments: - uint8_t *msg: pointer to output message -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_KYBER512_CLEAN_poly_tomsg(uint8_t msg[KYBER_SYMBYTES], poly *a) { - uint16_t t; - - PQCLEAN_KYBER512_CLEAN_poly_csubq(a); - - for (size_t i = 0; i < KYBER_SYMBYTES; i++) { - msg[i] = 0; - for (size_t j = 0; j < 8; j++) { - t = (((a->coeffs[8 * i + j] << 1) + KYBER_Q / 2) / KYBER_Q) & 1; - msg[i] |= t << j; - } - } -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/poly.h b/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/poly.h deleted file mode 100644 index ecdc7c2951..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/poly.h +++ /dev/null @@ -1,37 +0,0 @@ -#ifndef POLY_H -#define POLY_H - -#include "params.h" - -#include <stdint.h> -/* - * Elements of R_q = Z_q[X]/(X^n + 1). Represents polynomial - * coeffs[0] + X*coeffs[1] + X^2*xoeffs[2] + ... + X^{n-1}*coeffs[n-1] - */ -typedef struct { - int16_t coeffs[KYBER_N]; -} poly; - -void PQCLEAN_KYBER512_CLEAN_poly_compress(uint8_t *r, poly *a); -void PQCLEAN_KYBER512_CLEAN_poly_decompress(poly *r, const uint8_t *a); - -void PQCLEAN_KYBER512_CLEAN_poly_tobytes(uint8_t *r, poly *a); -void PQCLEAN_KYBER512_CLEAN_poly_frombytes(poly *r, const uint8_t *a); - -void PQCLEAN_KYBER512_CLEAN_poly_frommsg(poly *r, const uint8_t msg[KYBER_SYMBYTES]); -void PQCLEAN_KYBER512_CLEAN_poly_tomsg(uint8_t msg[KYBER_SYMBYTES], poly *a); - -void PQCLEAN_KYBER512_CLEAN_poly_getnoise(poly *r, const uint8_t *seed, uint8_t nonce); - -void PQCLEAN_KYBER512_CLEAN_poly_ntt(poly *r); -void PQCLEAN_KYBER512_CLEAN_poly_invntt(poly *r); -void PQCLEAN_KYBER512_CLEAN_poly_basemul(poly *r, const poly *a, const poly *b); -void PQCLEAN_KYBER512_CLEAN_poly_frommont(poly *r); - -void PQCLEAN_KYBER512_CLEAN_poly_reduce(poly *r); -void PQCLEAN_KYBER512_CLEAN_poly_csubq(poly *r); - -void PQCLEAN_KYBER512_CLEAN_poly_add(poly *r, const poly *a, const poly *b); -void PQCLEAN_KYBER512_CLEAN_poly_sub(poly *r, const poly *a, const poly *b); - -#endif diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/polyvec.c b/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/polyvec.c deleted file mode 100644 index ab4a352a73..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/polyvec.c +++ /dev/null @@ -1,175 +0,0 @@ -#include "polyvec.h" - -#include "poly.h" - -#include <stddef.h> -#include <stdint.h> -/************************************************* -* Name: polyvec_compress -* -* Description: Compress and serialize vector of polynomials -* -* Arguments: - uint8_t *r: pointer to output byte array (needs space for KYBER_POLYVECCOMPRESSEDBYTES) -* - const polyvec *a: pointer to input vector of polynomials -**************************************************/ -void PQCLEAN_KYBER512_CLEAN_polyvec_compress(uint8_t *r, polyvec *a) { - PQCLEAN_KYBER512_CLEAN_polyvec_csubq(a); - - uint16_t t[4]; - for (size_t i = 0; i < KYBER_K; i++) { - for (size_t j = 0; j < KYBER_N / 4; j++) { - for (size_t k = 0; k < 4; k++) { - t[k] = ((((uint32_t)a->vec[i].coeffs[4 * j + k] << 10) + KYBER_Q / 2) / KYBER_Q) & 0x3ff; - } - - r[5 * j + 0] = (uint8_t)t[0]; - r[5 * j + 1] = (uint8_t)((t[0] >> 8) | ((t[1] & 0x3f) << 2)); - r[5 * j + 2] = (uint8_t)((t[1] >> 6) | ((t[2] & 0x0f) << 4)); - r[5 * j + 3] = (uint8_t)((t[2] >> 4) | ((t[3] & 0x03) << 6)); - r[5 * j + 4] = (uint8_t)((t[3] >> 2)); - } - r += 320; - } -} - -/************************************************* -* Name: polyvec_decompress -* -* Description: De-serialize and decompress vector of polynomials; -* approximate inverse of polyvec_compress -* -* Arguments: - polyvec *r: pointer to output vector of polynomials -* - uint8_t *a: pointer to input byte array (of length KYBER_POLYVECCOMPRESSEDBYTES) -**************************************************/ -void PQCLEAN_KYBER512_CLEAN_polyvec_decompress(polyvec *r, const uint8_t *a) { - for (size_t i = 0; i < KYBER_K; i++) { - for (size_t j = 0; j < KYBER_N / 4; j++) { - r->vec[i].coeffs[4 * j + 0] = (int16_t)( (((a[5 * j + 0] | (((uint32_t)a[5 * j + 1] & 0x03) << 8)) * KYBER_Q) + 512) >> 10); - r->vec[i].coeffs[4 * j + 1] = (int16_t)(((((a[5 * j + 1] >> 2) | (((uint32_t)a[5 * j + 2] & 0x0f) << 6)) * KYBER_Q) + 512) >> 10); - r->vec[i].coeffs[4 * j + 2] = (int16_t)(((((a[5 * j + 2] >> 4) | (((uint32_t)a[5 * j + 3] & 0x3f) << 4)) * KYBER_Q) + 512) >> 10); - r->vec[i].coeffs[4 * j + 3] = (int16_t)(((((a[5 * j + 3] >> 6) | (((uint32_t)a[5 * j + 4] & 0xff) << 2)) * KYBER_Q) + 512) >> 10); - } - a += 320; - } -} - -/************************************************* -* Name: polyvec_tobytes -* -* Description: Serialize vector of polynomials -* -* Arguments: - uint8_t *r: pointer to output byte array (needs space for KYBER_POLYVECBYTES) -* - const polyvec *a: pointer to input vector of polynomials -**************************************************/ -void PQCLEAN_KYBER512_CLEAN_polyvec_tobytes(uint8_t *r, polyvec *a) { - for (size_t i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER512_CLEAN_poly_tobytes(r + i * KYBER_POLYBYTES, &a->vec[i]); - } -} - -/************************************************* -* Name: polyvec_frombytes -* -* Description: De-serialize vector of polynomials; -* inverse of polyvec_tobytes -* -* Arguments: - uint8_t *r: pointer to output byte array -* - const polyvec *a: pointer to input vector of polynomials (of length KYBER_POLYVECBYTES) -**************************************************/ -void PQCLEAN_KYBER512_CLEAN_polyvec_frombytes(polyvec *r, const uint8_t *a) { - for (size_t i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER512_CLEAN_poly_frombytes(&r->vec[i], a + i * KYBER_POLYBYTES); - } -} - -/************************************************* -* Name: polyvec_ntt -* -* Description: Apply forward NTT to all elements of a vector of polynomials -* -* Arguments: - polyvec *r: pointer to in/output vector of polynomials -**************************************************/ -void PQCLEAN_KYBER512_CLEAN_polyvec_ntt(polyvec *r) { - for (size_t i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER512_CLEAN_poly_ntt(&r->vec[i]); - } -} - -/************************************************* -* Name: polyvec_invntt -* -* Description: Apply inverse NTT to all elements of a vector of polynomials -* -* Arguments: - polyvec *r: pointer to in/output vector of polynomials -**************************************************/ -void PQCLEAN_KYBER512_CLEAN_polyvec_invntt(polyvec *r) { - for (size_t i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER512_CLEAN_poly_invntt(&r->vec[i]); - } -} - -/************************************************* -* Name: polyvec_pointwise_acc -* -* Description: Pointwise multiply elements of a and b and accumulate into r -* -* Arguments: - poly *r: pointer to output polynomial -* - const polyvec *a: pointer to first input vector of polynomials -* - const polyvec *b: pointer to second input vector of polynomials -**************************************************/ -void PQCLEAN_KYBER512_CLEAN_polyvec_pointwise_acc(poly *r, const polyvec *a, const polyvec *b) { - poly t; - - PQCLEAN_KYBER512_CLEAN_poly_basemul(r, &a->vec[0], &b->vec[0]); - for (size_t i = 1; i < KYBER_K; i++) { - PQCLEAN_KYBER512_CLEAN_poly_basemul(&t, &a->vec[i], &b->vec[i]); - PQCLEAN_KYBER512_CLEAN_poly_add(r, r, &t); - } - - PQCLEAN_KYBER512_CLEAN_poly_reduce(r); -} - -/************************************************* -* Name: polyvec_reduce -* -* Description: Applies Barrett reduction to each coefficient -* of each element of a vector of polynomials -* for details of the Barrett reduction see comments in reduce.c -* -* Arguments: - poly *r: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_KYBER512_CLEAN_polyvec_reduce(polyvec *r) { - for (size_t i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER512_CLEAN_poly_reduce(&r->vec[i]); - } -} - -/************************************************* -* Name: polyvec_csubq -* -* Description: Applies conditional subtraction of q to each coefficient -* of each element of a vector of polynomials -* for details of conditional subtraction of q see comments in reduce.c -* -* Arguments: - poly *r: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_KYBER512_CLEAN_polyvec_csubq(polyvec *r) { - for (size_t i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER512_CLEAN_poly_csubq(&r->vec[i]); - } -} - -/************************************************* -* Name: polyvec_add -* -* Description: Add vectors of polynomials -* -* Arguments: - polyvec *r: pointer to output vector of polynomials -* - const polyvec *a: pointer to first input vector of polynomials -* - const polyvec *b: pointer to second input vector of polynomials -**************************************************/ -void PQCLEAN_KYBER512_CLEAN_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b) { - for (size_t i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER512_CLEAN_poly_add(&r->vec[i], &a->vec[i], &b->vec[i]); - } -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/polyvec.h b/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/polyvec.h deleted file mode 100644 index 159d1bd29d..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/polyvec.h +++ /dev/null @@ -1,29 +0,0 @@ -#ifndef POLYVEC_H -#define POLYVEC_H - -#include "params.h" -#include "poly.h" - -#include <stdint.h> - -typedef struct { - poly vec[KYBER_K]; -} polyvec; - -void PQCLEAN_KYBER512_CLEAN_polyvec_compress(uint8_t *r, polyvec *a); -void PQCLEAN_KYBER512_CLEAN_polyvec_decompress(polyvec *r, const uint8_t *a); - -void PQCLEAN_KYBER512_CLEAN_polyvec_tobytes(uint8_t *r, polyvec *a); -void PQCLEAN_KYBER512_CLEAN_polyvec_frombytes(polyvec *r, const uint8_t *a); - -void PQCLEAN_KYBER512_CLEAN_polyvec_ntt(polyvec *r); -void PQCLEAN_KYBER512_CLEAN_polyvec_invntt(polyvec *r); - -void PQCLEAN_KYBER512_CLEAN_polyvec_pointwise_acc(poly *r, const polyvec *a, const polyvec *b); - -void PQCLEAN_KYBER512_CLEAN_polyvec_reduce(polyvec *r); -void PQCLEAN_KYBER512_CLEAN_polyvec_csubq(polyvec *r); - -void PQCLEAN_KYBER512_CLEAN_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b); - -#endif diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/reduce.c b/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/reduce.c deleted file mode 100644 index 60415deefe..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/reduce.c +++ /dev/null @@ -1,61 +0,0 @@ -#include "reduce.h" - -#include "params.h" - -#include <stdint.h> -/************************************************* -* Name: montgomery_reduce -* -* Description: Montgomery reduction; given a 32-bit integer a, computes -* 16-bit integer congruent to a * R^-1 mod q, -* where R=2^16 -* -* Arguments: - int32_t a: input integer to be reduced; has to be in {-q2^15,...,q2^15-1} -* -* Returns: integer in {-q+1,...,q-1} congruent to a * R^-1 modulo q. -**************************************************/ -int16_t PQCLEAN_KYBER512_CLEAN_montgomery_reduce(int32_t a) { - int32_t t; - int16_t u; - - u = (int16_t)(a * (int64_t)QINV); - t = (int32_t)u * KYBER_Q; - t = a - t; - t >>= 16; - return (int16_t)t; -} - -/************************************************* -* Name: barrett_reduce -* -* Description: Barrett reduction; given a 16-bit integer a, computes -* 16-bit integer congruent to a mod q in {0,...,q} -* -* Arguments: - int16_t a: input integer to be reduced -* -* Returns: integer in {0,...,q} congruent to a modulo q. -**************************************************/ -int16_t PQCLEAN_KYBER512_CLEAN_barrett_reduce(int16_t a) { - int32_t t; - const int32_t v = (1U << 26) / KYBER_Q + 1; - - t = v * a; - t >>= 26; - t *= KYBER_Q; - return a - (int16_t)t; -} - -/************************************************* -* Name: csubq -* -* Description: Conditionallly subtract q -* -* Arguments: - int16_t a: input integer -* -* Returns: a - q if a >= q, else a -**************************************************/ -int16_t PQCLEAN_KYBER512_CLEAN_csubq(int16_t a) { - a -= KYBER_Q; - a += (a >> 15) & KYBER_Q; - return a; -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/reduce.h b/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/reduce.h deleted file mode 100644 index 68a7f570ca..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/reduce.h +++ /dev/null @@ -1,15 +0,0 @@ -#ifndef REDUCE_H -#define REDUCE_H - -#include <stdint.h> - -#define MONT 2285 // 2^16 % Q -#define QINV 62209 // q^(-1) mod 2^16 - -int16_t PQCLEAN_KYBER512_CLEAN_montgomery_reduce(int32_t a); - -int16_t PQCLEAN_KYBER512_CLEAN_barrett_reduce(int16_t a); - -int16_t PQCLEAN_KYBER512_CLEAN_csubq(int16_t a); - -#endif diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/symmetric-fips202.c b/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/symmetric-fips202.c deleted file mode 100644 index d482a66682..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/symmetric-fips202.c +++ /dev/null @@ -1,63 +0,0 @@ -#include "fips202_kyber_r2.h" -#include "symmetric.h" - -#include <stdlib.h> -/************************************************* -* Name: kyber_shake128_absorb -* -* Description: Absorb step of the SHAKE128 specialized for the Kyber context. - -* Arguments: - keccak_state *s: pointer to (uninitialized) output Keccak state -* - const uint8_t *input: pointer to KYBER_SYMBYTES input to be absorbed into s -* - uint8_t i additional byte of input -* - uint8_t j additional byte of input -**************************************************/ -void PQCLEAN_KYBER512_CLEAN_kyber_shake128_absorb(keccak_state *s, const uint8_t *input, uint8_t x, uint8_t y) { - size_t i; - uint8_t extseed[KYBER_SYMBYTES + 2]; - - for (i = 0; i < KYBER_SYMBYTES; i++) { - extseed[i] = input[i]; - } - extseed[i++] = x; - extseed[i] = y; - shake128_absorb(s, extseed, KYBER_SYMBYTES + 2); -} - -/************************************************* -* Name: kyber_shake128_squeezeblocks -* -* Description: Squeeze step of SHAKE128 XOF. Squeezes full blocks of SHAKE128_RATE bytes each. -* Modifies the state. Can be called multiple times to keep squeezing, -* i.e., is incremental. -* -* Arguments: - uint8_t *output: pointer to output blocks -* - unsigned long long nblocks: number of blocks to be squeezed (written to output) -* - keccak_state *s: pointer to in/output Keccak state -**************************************************/ -void PQCLEAN_KYBER512_CLEAN_kyber_shake128_squeezeblocks(uint8_t *output, size_t nblocks, keccak_state *s) { - shake128_squeezeblocks(output, nblocks, s); -} - -/************************************************* -* Name: shake256_prf -* -* Description: Usage of SHAKE256 as a PRF, concatenates secret and public input -* and then generates outlen bytes of SHAKE256 output -* -* Arguments: - uint8_t *output: pointer to output -* - size_t outlen: number of requested output bytes -* - const uint8_t * key: pointer to the key (of length KYBER_SYMBYTES) -* - const uint8_t nonce: single-byte nonce (public PRF input) -**************************************************/ -void PQCLEAN_KYBER512_CLEAN_shake256_prf(uint8_t *output, size_t outlen, const uint8_t *key, uint8_t nonce) { - uint8_t extkey[KYBER_SYMBYTES + 1]; - size_t i; - - for (i = 0; i < KYBER_SYMBYTES; i++) { - extkey[i] = key[i]; - } - extkey[i] = nonce; - - shake256_kyber(output, outlen, extkey, KYBER_SYMBYTES + 1); -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/symmetric.h b/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/symmetric.h deleted file mode 100644 index 26128e2431..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/symmetric.h +++ /dev/null @@ -1,30 +0,0 @@ -#ifndef SYMMETRIC_H -#define SYMMETRIC_H - -#include "params.h" - - -#include "fips202_kyber_r2.h" - -#include <stdint.h> -#include <stddef.h> - - -void PQCLEAN_KYBER512_CLEAN_kyber_shake128_absorb(keccak_state *s, const uint8_t *input, uint8_t x, uint8_t y); -void PQCLEAN_KYBER512_CLEAN_kyber_shake128_squeezeblocks(uint8_t *output, size_t nblocks, keccak_state *s); -void PQCLEAN_KYBER512_CLEAN_shake256_prf(uint8_t *output, size_t outlen, const uint8_t *key, uint8_t nonce); - -#define hash_h(OUT, IN, INBYTES) sha3_256(OUT, IN, INBYTES) -#define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES) -#define xof_absorb(STATE, IN, X, Y) PQCLEAN_KYBER512_CLEAN_kyber_shake128_absorb(STATE, IN, X, Y) -#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_KYBER512_CLEAN_kyber_shake128_squeezeblocks(OUT, OUTBLOCKS, STATE) -#define xof_ctx_release(STATE) shake128_ctx_release(STATE) -#define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER512_CLEAN_shake256_prf(OUT, OUTBYTES, KEY, NONCE) -#define kdf(OUT, IN, INBYTES) shake256_kyber(OUT, KYBER_SSBYTES, IN, INBYTES) - -#define XOF_BLOCKBYTES 168 - -typedef keccak_state xof_state; - - -#endif /* SYMMETRIC_H */ diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/verify.c b/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/verify.c deleted file mode 100644 index 149e52d7b0..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/verify.c +++ /dev/null @@ -1,50 +0,0 @@ -#include "verify.h" - -#include <stddef.h> -#include <stdint.h> - -/************************************************* -* Name: verify -* -* Description: Compare two arrays for equality in constant time. -* -* Arguments: const uint8_t *a: pointer to first byte array -* const uint8_t *b: pointer to second byte array -* size_t len: length of the byte arrays -* -* Returns 0 if the byte arrays are equal, 1 otherwise -**************************************************/ -uint8_t PQCLEAN_KYBER512_CLEAN_verify(const uint8_t *a, const uint8_t *b, size_t len) { - uint64_t r; - size_t i; - r = 0; - - for (i = 0; i < len; i++) { - r |= a[i] ^ b[i]; - } - - r = (-r) >> 63; - return (uint8_t)r; -} - -/************************************************* -* Name: cmov -* -* Description: Copy len bytes from x to r if b is 1; -* don't modify x if b is 0. Requires b to be in {0,1}; -* assumes two's complement representation of negative integers. -* Runs in constant time. -* -* Arguments: uint8_t *r: pointer to output byte array -* const uint8_t *x: pointer to input byte array -* size_t len: Amount of bytes to be copied -* uint8_t b: Condition bit; has to be in {0,1} -**************************************************/ -void PQCLEAN_KYBER512_CLEAN_cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b) { - size_t i; - - b = -b; - for (i = 0; i < len; i++) { - r[i] ^= b & (x[i] ^ r[i]); - } -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/verify.h b/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/verify.h deleted file mode 100644 index d95be219df..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/kyber_r2/verify.h +++ /dev/null @@ -1,11 +0,0 @@ -#ifndef VERIFY_H -#define VERIFY_H - -#include <stddef.h> -#include <stdint.h> - -uint8_t PQCLEAN_KYBER512_CLEAN_verify(const uint8_t *a, const uint8_t *b, size_t len); - -void PQCLEAN_KYBER512_CLEAN_cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b); - -#endif diff --git a/contrib/restricted/aws/s2n/pq-crypto/s2n_pq.c b/contrib/restricted/aws/s2n/pq-crypto/s2n_pq.c index 8eda65be59..e684aed377 100644 --- a/contrib/restricted/aws/s2n/pq-crypto/s2n_pq.c +++ b/contrib/restricted/aws/s2n/pq-crypto/s2n_pq.c @@ -16,14 +16,6 @@ #include "s2n_pq.h" #include "crypto/s2n_openssl.h" -static bool sikep434r3_asm_enabled = false; - -/* BIKE Round-3 code supports several levels of optimization */ -static bool bike_r3_avx2_enabled = false; -static bool bike_r3_avx512_enabled = false; -static bool bike_r3_pclmul_enabled = false; -static bool bike_r3_vpclmul_enabled = false; - static bool kyber512r3_avx2_bmi2_enabled = false; #if defined(S2N_CPUID_AVAILABLE) @@ -37,19 +29,11 @@ static bool kyber512r3_avx2_bmi2_enabled = false; /* The cpuid.h header included with older versions of gcc and * clang doesn't include definitions for bit_ADX, bit_BMI2, or * __get_cpuid_count(). */ -#if !defined(bit_ADX) - #define bit_ADX (1 << 19) -#endif - #if !defined(bit_BMI2) #define bit_BMI2 (1 << 8) #endif -/* BIKE related CPU features */ #define EBX_BIT_AVX2 (1 << 5) -#define EBX_BIT_AVX512 (1 << 16) -#define ECX_BIT_VPCLMUL (1 << 10) -#define ECX_BIT_PCLMUL (1 << 1) bool s2n_get_cpuid_count(uint32_t leaf, uint32_t sub_leaf, uint32_t *eax, uint32_t *ebx, uint32_t *ecx, uint32_t *edx) { /* 0x80000000 probes for extended cpuid info */ @@ -73,16 +57,6 @@ bool s2n_cpu_supports_bmi2() { return (ebx & bit_BMI2); } -/* https://en.wikipedia.org/wiki/Intel_ADX */ -bool s2n_cpu_supports_adx() { - uint32_t eax, ebx, ecx, edx; - if (!s2n_get_cpuid_count(EXTENDED_FEATURES_LEAF, EXTENDED_FEATURES_SUBLEAF_ZERO, &eax, &ebx, &ecx, &edx)) { - return false; - } - - return (ebx & bit_ADX); -} - bool s2n_cpu_supports_avx2() { uint32_t eax, ebx, ecx, edx; if (!s2n_get_cpuid_count(EXTENDED_FEATURES_LEAF, EXTENDED_FEATURES_SUBLEAF_ZERO, &eax, &ebx, &ecx, &edx)) { @@ -92,69 +66,6 @@ bool s2n_cpu_supports_avx2() { return (ebx & EBX_BIT_AVX2); } -bool s2n_cpu_supports_sikep434r3_asm() { -#if defined(S2N_SIKE_P434_R3_ASM) - /* The sikep434r3 assembly code always requires BMI2. If the assembly - * was compiled with support for ADX, we also require ADX at runtime. */ -#if defined(S2N_ADX) - return s2n_cpu_supports_bmi2() && s2n_cpu_supports_adx(); -#else - return s2n_cpu_supports_bmi2(); -#endif -#else - /* sikep434r3 assembly was not supported at compile time */ - return false; -#endif /* defined(S2N_SIKE_P434_R3_ASM) */ -} - -bool s2n_cpu_supports_bike_r3_avx2() { -#if defined(S2N_BIKE_R3_AVX2) - uint32_t eax, ebx, ecx, edx; - if (!s2n_get_cpuid_count(EXTENDED_FEATURES_LEAF, EXTENDED_FEATURES_SUBLEAF_ZERO, &eax, &ebx, &ecx, &edx)) { - return false; - } - return ((ebx & EBX_BIT_AVX2) != 0); -#else - return false; -#endif -} - -bool s2n_cpu_supports_bike_r3_avx512() { -#if defined(S2N_BIKE_R3_AVX512) - uint32_t eax, ebx, ecx, edx; - if (!s2n_get_cpuid_count(EXTENDED_FEATURES_LEAF, EXTENDED_FEATURES_SUBLEAF_ZERO, &eax, &ebx, &ecx, &edx)) { - return false; - } - return ((ebx & EBX_BIT_AVX512) != 0); -#else - return false; -#endif -} - -bool s2n_cpu_supports_bike_r3_pclmul() { -#if defined(S2N_BIKE_R3_PCLMUL) - uint32_t eax, ebx, ecx, edx; - if (!s2n_get_cpuid_count(PROCESSOR_INFO_AND_FEATURES, EXTENDED_FEATURES_SUBLEAF_ZERO, &eax, &ebx, &ecx, &edx)) { - return false; - } - return ((ecx & ECX_BIT_PCLMUL) != 0); -#else - return false; -#endif -} - -bool s2n_cpu_supports_bike_r3_vpclmul() { -#if defined(S2N_BIKE_R3_AVX512) - uint32_t eax, ebx, ecx, edx; - if (!s2n_get_cpuid_count(EXTENDED_FEATURES_LEAF, EXTENDED_FEATURES_SUBLEAF_ZERO, &eax, &ebx, &ecx, &edx)) { - return false; - } - return ((ecx & ECX_BIT_VPCLMUL) != 0); -#else - return false; -#endif -} - bool s2n_cpu_supports_kyber512r3_avx2_bmi2() { #if defined(S2N_KYBER512R3_AVX2_BMI2) return s2n_cpu_supports_bmi2() && s2n_cpu_supports_avx2(); @@ -166,51 +77,12 @@ bool s2n_cpu_supports_kyber512r3_avx2_bmi2() { #else /* defined(S2N_CPUID_AVAILABLE) */ /* If CPUID is not available, we cannot perform necessary run-time checks. */ -bool s2n_cpu_supports_sikep434r3_asm() { - return false; -} - -bool s2n_cpu_supports_bike_r3_avx2() { - return false; -} - -bool s2n_cpu_supports_bike_r3_avx512() { - return false; -} - -bool s2n_cpu_supports_bike_r3_pclmul() { - return false; -} - -bool s2n_cpu_supports_bike_r3_vpclmul() { - return false; -} - bool s2n_cpu_supports_kyber512r3_avx2_bmi2() { return false; } #endif /* defined(S2N_CPUID_AVAILABLE) */ -bool s2n_sikep434r3_asm_is_enabled() { - return sikep434r3_asm_enabled; -} - -bool s2n_bike_r3_is_avx2_enabled() { - return bike_r3_avx2_enabled; -} - -bool s2n_bike_r3_is_avx512_enabled() { - return bike_r3_avx512_enabled; -} - -bool s2n_bike_r3_is_pclmul_enabled() { - return bike_r3_pclmul_enabled; -} - -bool s2n_bike_r3_is_vpclmul_enabled() { - return bike_r3_vpclmul_enabled; -} bool s2n_kyber512r3_is_avx2_bmi2_enabled() { return kyber512r3_avx2_bmi2_enabled; @@ -225,66 +97,12 @@ bool s2n_pq_is_enabled() { #endif } -S2N_RESULT s2n_disable_sikep434r3_asm() { - sikep434r3_asm_enabled = false; - return S2N_RESULT_OK; -} - -S2N_RESULT s2n_disable_bike_r3_opt_all() { - bike_r3_avx2_enabled = false; - bike_r3_avx512_enabled = false; - bike_r3_pclmul_enabled = false; - bike_r3_vpclmul_enabled = false; - return S2N_RESULT_OK; -} S2N_RESULT s2n_disable_kyber512r3_opt_avx2_bmi2() { kyber512r3_avx2_bmi2_enabled = false; return S2N_RESULT_OK; } -S2N_RESULT s2n_try_enable_bike_r3_opt_pclmul() { - if (s2n_pq_is_enabled() && s2n_cpu_supports_bike_r3_pclmul()) { - bike_r3_pclmul_enabled = true; - } - return S2N_RESULT_OK; -} - -S2N_RESULT s2n_try_enable_bike_r3_opt_avx2() { - /* When AVX2 is available, PCLMUL is too by default. */ - RESULT_ENSURE_OK(s2n_try_enable_bike_r3_opt_pclmul(), S2N_ERR_SAFETY); - if (s2n_pq_is_enabled() && s2n_cpu_supports_bike_r3_avx2()) { - bike_r3_avx2_enabled = true; - } - return S2N_RESULT_OK; -} - -S2N_RESULT s2n_try_enable_bike_r3_opt_avx512() { - /* When AVX512 is available, AVX2 is too by default. */ - RESULT_ENSURE_OK(s2n_try_enable_bike_r3_opt_avx2(), S2N_ERR_SAFETY); - if (s2n_pq_is_enabled() && s2n_cpu_supports_bike_r3_avx512()) { - bike_r3_avx512_enabled = true; - } - return S2N_RESULT_OK; -} - -S2N_RESULT s2n_try_enable_bike_r3_opt_vpclmul() { - RESULT_ENSURE_OK(s2n_try_enable_bike_r3_opt_avx512(), S2N_ERR_SAFETY); - /* Only Enable VPCLMUL if AVX512 is also supported. This is to because the BIKE R3 VPCLMUL requires 512-bit version - * of VPCLMUL, and not the 256-bit version that is available on AMD Zen 3 processors. */ - if (s2n_pq_is_enabled() && s2n_cpu_supports_bike_r3_vpclmul() && s2n_bike_r3_is_avx512_enabled()) { - bike_r3_vpclmul_enabled = true; - } - return S2N_RESULT_OK; -} - -S2N_RESULT s2n_try_enable_sikep434r3_asm() { - if (s2n_pq_is_enabled() && s2n_cpu_supports_sikep434r3_asm()) { - sikep434r3_asm_enabled = true; - } - return S2N_RESULT_OK; -} - S2N_RESULT s2n_try_enable_kyber512r3_opt_avx2_bmi2() { if (s2n_pq_is_enabled() && s2n_cpu_supports_kyber512r3_avx2_bmi2()) { kyber512r3_avx2_bmi2_enabled = true; @@ -292,18 +110,7 @@ S2N_RESULT s2n_try_enable_kyber512r3_opt_avx2_bmi2() { return S2N_RESULT_OK; } -S2N_RESULT s2n_bike_r3_x86_64_opt_init() -{ - /* try_enable_vpclmul function recursively tries to enable - * all the optimizations (avx2, avx512, pclmul, vpclmul), - * so it's sufficient to call only this function. */ - RESULT_ENSURE_OK(s2n_try_enable_bike_r3_opt_vpclmul(), S2N_ERR_SAFETY); - return S2N_RESULT_OK; -} - S2N_RESULT s2n_pq_init() { - RESULT_ENSURE_OK(s2n_try_enable_sikep434r3_asm(), S2N_ERR_SAFETY); - RESULT_ENSURE_OK(s2n_bike_r3_x86_64_opt_init(), S2N_ERR_SAFETY); RESULT_ENSURE_OK(s2n_try_enable_kyber512r3_opt_avx2_bmi2(), S2N_ERR_SAFETY); return S2N_RESULT_OK; diff --git a/contrib/restricted/aws/s2n/pq-crypto/s2n_pq.h b/contrib/restricted/aws/s2n/pq-crypto/s2n_pq.h index 2af5c4c940..6a4ed533f2 100644 --- a/contrib/restricted/aws/s2n/pq-crypto/s2n_pq.h +++ b/contrib/restricted/aws/s2n/pq-crypto/s2n_pq.h @@ -20,20 +20,6 @@ #include "utils/s2n_safety.h" #include "crypto/s2n_fips.h" -bool s2n_sikep434r3_asm_is_enabled(void); -S2N_RESULT s2n_disable_sikep434r3_asm(void); -S2N_RESULT s2n_try_enable_sikep434r3_asm(void); - -bool s2n_bike_r3_is_avx2_enabled(void); -bool s2n_bike_r3_is_avx512_enabled(void); -bool s2n_bike_r3_is_pclmul_enabled(void); -bool s2n_bike_r3_is_vpclmul_enabled(void); -S2N_RESULT s2n_disable_bike_r3_opt_all(void); -S2N_RESULT s2n_try_enable_bike_r3_opt_pclmul(void); -S2N_RESULT s2n_try_enable_bike_r3_opt_avx2(void); -S2N_RESULT s2n_try_enable_bike_r3_opt_avx512(void); -S2N_RESULT s2n_try_enable_bike_r3_opt_vpclmul(void); - bool s2n_kyber512r3_is_avx2_bmi2_enabled(void); S2N_RESULT s2n_try_enable_kyber512r3_opt_avx2_bmi2(void); S2N_RESULT s2n_disable_kyber512r3_opt_avx2_bmi2(void); diff --git a/contrib/restricted/aws/s2n/pq-crypto/sike_r1/LICENSE.txt b/contrib/restricted/aws/s2n/pq-crypto/sike_r1/LICENSE.txt deleted file mode 100644 index 8045e6b0e7..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/sike_r1/LICENSE.txt +++ /dev/null @@ -1,28 +0,0 @@ -Supersingular Isogeny Key Encapsulation (SIKE) - -Copyright (c) 2016-2017 Microsoft Corporation -Copyright (c) 2017 InfoSec Global, Reza Azarderakhsh, Matthew - Campagna, Luca De Feo, Amir Jalali, David Jao, - Brian Koziel, Joost Renes, and David Urbanik -All rights reserved. - -MIT License - -Permission is hereby granted, free of charge, to any person obtaining a -copy of this software and associated documentation files (the -""Software""), to deal in the Software without restriction, including -without limitation the rights to use, copy, modify, merge, publish, -distribute, sublicense, and/or sell copies of the Software, and to -permit persons to whom the Software is furnished to do so, subject to -the following conditions: - -The above copyright notice and this permission notice shall be included -in all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED *AS IS*, WITHOUT WARRANTY OF ANY KIND, EXPRESS -OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. -IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY -CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, -TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE -SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
\ No newline at end of file diff --git a/contrib/restricted/aws/s2n/pq-crypto/sike_r1/P503_internal_r1.h b/contrib/restricted/aws/s2n/pq-crypto/sike_r1/P503_internal_r1.h deleted file mode 100644 index 64465f19ed..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/sike_r1/P503_internal_r1.h +++ /dev/null @@ -1,261 +0,0 @@ -/******************************************************************************************** -* Supersingular Isogeny Key Encapsulation Library -* -* Abstract: internal header file for P503 -*********************************************************************************************/ - -#ifndef __P503_INTERNAL_H__ -#define __P503_INTERNAL_H__ - -#include "sike_r1_namespace.h" -#include "api_r1.h" - -#if (TARGET == TARGET_AMD64) - #define NWORDS_FIELD 8 // Number of words of a 503-bit field element - #define p503_ZERO_WORDS 3 // Number of "0" digits in the least significant part of p503 + 1 -#elif (TARGET == TARGET_x86) - #define NWORDS_FIELD 16 - #define p503_ZERO_WORDS 7 -#elif (TARGET == TARGET_ARM) - #define NWORDS_FIELD 16 - #define p503_ZERO_WORDS 7 -#elif (TARGET == TARGET_ARM64) - #define NWORDS_FIELD 8 - #define p503_ZERO_WORDS 3 -#endif - -// Basic constants - -#define NBITS_FIELD 503 -#define MAXBITS_FIELD 512 -#define MAXWORDS_FIELD ((MAXBITS_FIELD+RADIX-1)/RADIX) // Max. number of words to represent field elements -#define NWORDS64_FIELD ((NBITS_FIELD+63)/64) // Number of 64-bit words of a 503-bit field element -#define NBITS_ORDER 256 -#define NWORDS_ORDER ((NBITS_ORDER+RADIX-1)/RADIX) // Number of words of oA and oB, where oA and oB are the subgroup orders of Alice and Bob, resp. -#define NWORDS64_ORDER ((NBITS_ORDER+63)/64) // Number of 64-bit words of a 256-bit element -#define MAXBITS_ORDER NBITS_ORDER -#define MAXWORDS_ORDER ((MAXBITS_ORDER+RADIX-1)/RADIX) // Max. number of words to represent elements in [1, oA-1] or [1, oB]. -#define ALICE 0 -#define BOB 1 -#define OALICE_BITS 250 -#define OBOB_BITS 253 -#define OBOB_EXPON 159 -#define MASK_ALICE 0x03 -#define MASK_BOB 0x0F -#define PRIME p503 -#define PARAM_A 0 -#define PARAM_C 1 -// Fixed parameters for isogeny tree computation -#define MAX_INT_POINTS_ALICE 7 -#define MAX_INT_POINTS_BOB 8 -#define MAX_Alice 125 -#define MAX_Bob 159 -#define MSG_BYTES 24 -#define SECRETKEY_A_BYTES (OALICE_BITS + 7) / 8 -#define SECRETKEY_B_BYTES (OBOB_BITS + 7) / 8 -#define FP2_ENCODED_BYTES 2*((NBITS_FIELD + 7) / 8) - - -// SIDH's basic element definitions and point representations - -typedef digit_t felm_t[NWORDS_FIELD]; // Datatype for representing 503-bit field elements (512-bit max.) -typedef digit_t dfelm_t[2*NWORDS_FIELD]; // Datatype for representing double-precision 2x503-bit field elements (512-bit max.) -typedef struct felm_s -{ - felm_t e[2]; -} f2elm_t; // Datatype for representing quadratic extension field elements GF(p503^2) -typedef f2elm_t publickey_t[3]; // Datatype for representing public keys equivalent to three GF(p503^2) elements - -typedef struct { f2elm_t X; f2elm_t Z; } point_proj; // Point representation in projective XZ Montgomery coordinates. -typedef point_proj point_proj_t[1]; - - - -/**************** Function prototypes ****************/ -/************* Multiprecision functions **************/ - -// Copy wordsize digits, c = a, where lng(a) = nwords -void copy_words(const digit_t* a, digit_t* c, const unsigned int nwords); - -// Multiprecision addition, c = a+b, where lng(a) = lng(b) = nwords. Returns the carry bit -unsigned int mp_add(const digit_t* a, const digit_t* b, digit_t* c, const unsigned int nwords); - -// 503-bit multiprecision addition, c = a+b -void mp_add503(const digit_t* a, const digit_t* b, digit_t* c); -void mp_add503_asm(const digit_t* a, const digit_t* b, digit_t* c); -//void mp_addmask503_asm(const digit_t* a, const digit_t mask, digit_t* c); - -// 2x503-bit multiprecision addition, c = a+b -void mp_add503x2(const digit_t* a, const digit_t* b, digit_t* c); -void mp_add503x2_asm(const digit_t* a, const digit_t* b, digit_t* c); - -// Multiprecision subtraction, c = a-b, where lng(a) = lng(b) = nwords. Returns the borrow bit -unsigned int mp_sub(const digit_t* a, const digit_t* b, digit_t* c, const unsigned int nwords); -digit_t mp_sub503x2_asm(const digit_t* a, const digit_t* b, digit_t* c); - -// Multiprecision right shift by one -void mp_shiftr1(digit_t* x, const unsigned int nwords); - -// Digit multiplication, digit * digit -> 2-digit result -void digit_x_digit(const digit_t a, const digit_t b, digit_t* c); - -// Multiprecision comba multiply, c = a*b, where lng(a) = lng(b) = nwords. -void mp_mul(const digit_t* a, const digit_t* b, digit_t* c, const unsigned int nwords); - -void multiply(const digit_t* a, const digit_t* b, digit_t* c, const unsigned int nwords); - -// Montgomery multiplication modulo the group order, mc = ma*mb*r' mod order, where ma,mb,mc in [0, order-1] -void Montgomery_multiply_mod_order(const digit_t* ma, const digit_t* mb, digit_t* mc, const digit_t* order, const digit_t* Montgomery_rprime); - -// (Non-constant time) Montgomery inversion modulo the curve order using a^(-1) = a^(order-2) mod order -//void Montgomery_inversion_mod_order(const digit_t* ma, digit_t* mc, const digit_t* order, const digit_t* Montgomery_rprime); - -void Montgomery_inversion_mod_order_bingcd(const digit_t* a, digit_t* c, const digit_t* order, const digit_t* Montgomery_rprime, const digit_t* Montgomery_R2); - -// Conversion of elements in Z_r to Montgomery representation, where the order r is up to 384 bits. -void to_Montgomery_mod_order(const digit_t* a, digit_t* mc, const digit_t* order, const digit_t* Montgomery_rprime, const digit_t* Montgomery_Rprime); - -// Conversion of elements in Z_r from Montgomery to standard representation, where the order is up to 384 bits. -void from_Montgomery_mod_order(const digit_t* ma, digit_t* c, const digit_t* order, const digit_t* Montgomery_rprime); - -// Inversion modulo Alice's order 2^372. -void inv_mod_orderA(const digit_t* a, digit_t* c); - -/************ Field arithmetic functions *************/ - -// Copy of a field element, c = a -void fpcopy503(const felm_t a, felm_t c); - -// Zeroing a field element, a = 0 -void fpzero503(felm_t a); - -// Non constant-time comparison of two field elements. If a = b return TRUE, otherwise, return FALSE -bool fpequal503_non_constant_time(const felm_t a, const felm_t b); - -// Modular addition, c = a+b mod p503 -extern void fpadd503(const digit_t* a, const digit_t* b, digit_t* c); -extern void fpadd503_asm(const digit_t* a, const digit_t* b, digit_t* c); - -// Modular subtraction, c = a-b mod p503 -extern void fpsub503(const digit_t* a, const digit_t* b, digit_t* c); -extern void fpsub503_asm(const digit_t* a, const digit_t* b, digit_t* c); - -// Modular negation, a = -a mod p503 -extern void fpneg503(digit_t* a); - -// Modular division by two, c = a/2 mod p503. -void fpdiv2_503(const digit_t* a, digit_t* c); - -// Modular correction to reduce field element a in [0, 2*p503-1] to [0, p503-1]. -void fpcorrection503(digit_t* a); - -// 503-bit Montgomery reduction, c = a mod p -void rdc_mont(const dfelm_t ma, felm_t mc); - -// Field multiplication using Montgomery arithmetic, c = a*b*R^-1 mod p503, where R=2^768 -void fpmul503_mont(const felm_t a, const felm_t b, felm_t c); -void mul503_asm(const felm_t a, const felm_t b, dfelm_t c); -void rdc503_asm(const dfelm_t ma, dfelm_t mc); - -// Field squaring using Montgomery arithmetic, c = a*b*R^-1 mod p503, where R=2^768 -void fpsqr503_mont(const felm_t ma, felm_t mc); - -// Conversion to Montgomery representation -void to_mont(const felm_t a, felm_t mc); - -// Conversion from Montgomery representation to standard representation -void from_mont(const felm_t ma, felm_t c); - -// Field inversion, a = a^-1 in GF(p503) -void fpinv503_mont(felm_t a); - -// Field inversion, a = a^-1 in GF(p503) using the binary GCD -void fpinv503_mont_bingcd(felm_t a); - -// Chain to compute (p503-3)/4 using Montgomery arithmetic -void fpinv503_chain_mont(felm_t a); - -/************ GF(p^2) arithmetic functions *************/ - -// Copy of a GF(p503^2) element, c = a -void fp2copy503(const f2elm_t *a, f2elm_t *c); - -// GF(p503^2) negation, a = -a in GF(p503^2) -void fp2neg503(f2elm_t *a); - -// GF(p503^2) addition, c = a+b in GF(p503^2) -extern void fp2add503(const f2elm_t *a, const f2elm_t *b, f2elm_t *c); - -// GF(p503^2) subtraction, c = a-b in GF(p503^2) -extern void fp2sub503(const f2elm_t *a, const f2elm_t *b, f2elm_t *c); - -// GF(p503^2) division by two, c = a/2 in GF(p503^2) -void fp2div2_503(const f2elm_t *a, f2elm_t *c); - -// Modular correction, a = a in GF(p503^2) -void fp2correction503(f2elm_t *a); - -// GF(p503^2) squaring using Montgomery arithmetic, c = a^2 in GF(p503^2) -void fp2sqr503_mont(const f2elm_t *a, f2elm_t *c); - -// GF(p503^2) multiplication using Montgomery arithmetic, c = a*b in GF(p503^2) -void fp2mul503_mont(const f2elm_t *a, const f2elm_t *b, f2elm_t *c); - -// Conversion of a GF(p503^2) element to Montgomery representation -void to_fp2mont(const f2elm_t *a, f2elm_t *mc); - -// Conversion of a GF(p503^2) element from Montgomery representation to standard representation -void from_fp2mont(const f2elm_t *ma, f2elm_t *c); - -// GF(p503^2) inversion using Montgomery arithmetic, a = (a0-i*a1)/(a0^2+a1^2) -void fp2inv503_mont(f2elm_t *a); - -// GF(p503^2) inversion, a = (a0-i*a1)/(a0^2+a1^2), GF(p503) inversion done using the binary GCD -void fp2inv503_mont_bingcd(f2elm_t *a); - -// n-way Montgomery inversion -void mont_n_way_inv(const f2elm_t* vec, const int n, f2elm_t* out); - -/************ Elliptic curve and isogeny functions *************/ - -// Computes the j-invariant of a Montgomery curve with projective constant. -void j_inv(const f2elm_t *A, const f2elm_t *C, f2elm_t *jinv); - -// Simultaneous doubling and differential addition. -void xDBLADD(point_proj_t P, point_proj_t Q, const f2elm_t *xPQ, const f2elm_t *A24); - -// Doubling of a Montgomery point in projective coordinates (X:Z). -void xDBL(const point_proj_t P, point_proj_t Q, const f2elm_t *A24plus, const f2elm_t *C24); - -// Computes [2^e](X:Z) on Montgomery curve with projective constant via e repeated doublings. -void xDBLe(const point_proj_t P, point_proj_t Q, const f2elm_t *A24plus, const f2elm_t *C24, const int e); - -// Differential addition. -void xADD(point_proj_t P, const point_proj_t Q, const f2elm_t *xPQ); - -// Computes the corresponding 4-isogeny of a projective Montgomery point (X4:Z4) of order 4. -void get_4_isog(const point_proj_t P, f2elm_t *A24plus, f2elm_t *C24, f2elm_t* coeff); - -// Evaluates the isogeny at the point (X:Z) in the domain of the isogeny. -void eval_4_isog(point_proj_t P, f2elm_t* coeff); - -// Tripling of a Montgomery point in projective coordinates (X:Z). -void xTPL(const point_proj_t P, point_proj_t Q, const f2elm_t *A24minus, const f2elm_t *A24plus); - -// Computes [3^e](X:Z) on Montgomery curve with projective constant via e repeated triplings. -void xTPLe(const point_proj_t P, point_proj_t Q, const f2elm_t *A24minus, const f2elm_t *A24plus, const int e); - -// Computes the corresponding 3-isogeny of a projective Montgomery point (X3:Z3) of order 3. -void get_3_isog(const point_proj_t P, f2elm_t *A24minus, f2elm_t *A24plus, f2elm_t* coeff); - -// Computes the 3-isogeny R=phi(X:Z), given projective point (X3:Z3) of order 3 on a Montgomery curve and a point P with coefficients given in coeff. -void eval_3_isog(point_proj_t Q, const f2elm_t* coeff); - -// 3-way simultaneous inversion -void inv_3_way(f2elm_t *z1, f2elm_t *z2, f2elm_t *z3); - -// Given the x-coordinates of P, Q, and R, returns the value A corresponding to the Montgomery curve E_A: y^2=x^3+A*x^2+x such that R=Q-P on E_A. -void get_A(const f2elm_t *xP, const f2elm_t *xQ, const f2elm_t *xR, f2elm_t *A); - - -#endif diff --git a/contrib/restricted/aws/s2n/pq-crypto/sike_r1/P503_r1.c b/contrib/restricted/aws/s2n/pq-crypto/sike_r1/P503_r1.c deleted file mode 100644 index 3d4a2045ab..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/sike_r1/P503_r1.c +++ /dev/null @@ -1,114 +0,0 @@ -/******************************************************************************************** -* Supersingular Isogeny Key Encapsulation Library -* -* Abstract: supersingular isogeny parameters and generation of functions for P503 -*********************************************************************************************/ - -#include "sike_r1_namespace.h" -#include "P503_internal_r1.h" - -// Encoding of field elements, elements over Z_order, elements over GF(p^2) and elliptic curve points: -// -------------------------------------------------------------------------------------------------- -// Elements over GF(p) and Z_order are encoded with the least significant octet (and digit) located at the leftmost position (i.e., little endian format). -// Elements (a+b*i) over GF(p^2), where a and b are defined over GF(p), are encoded as {a, b}, with a in the least significant position. -// Elliptic curve points P = (x,y) are encoded as {x, y}, with x in the least significant position. -// Internally, the number of digits used to represent all these elements is obtained by approximating the number of bits to the immediately greater multiple of 32. -// For example, a 503-bit field element is represented with Ceil(503 / 64) = 8 64-bit digits or Ceil(503 / 32) = 16 32-bit digits. - -// -// Curve isogeny system "SIDHp503". Base curve: Montgomery curve By^2 = Cx^3 + Ax^2 + Cx defined over GF(p503^2), where A=0, B=1, C=1 and p503 = 2^250*3^159-1 -// - -const uint64_t p503[NWORDS64_FIELD] = { 0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF, 0xABFFFFFFFFFFFFFF, - 0x13085BDA2211E7A0, 0x1B9BF6C87B7E7DAF, 0x6045C6BDDA77A4D0, 0x004066F541811E1E }; -const uint64_t p503p1[NWORDS64_FIELD] = { 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0xAC00000000000000, - 0x13085BDA2211E7A0, 0x1B9BF6C87B7E7DAF, 0x6045C6BDDA77A4D0, 0x004066F541811E1E }; -const uint64_t p503x2[NWORDS64_FIELD] = { 0xFFFFFFFFFFFFFFFE, 0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF, 0x57FFFFFFFFFFFFFF, - 0x2610B7B44423CF41, 0x3737ED90F6FCFB5E, 0xC08B8D7BB4EF49A0, 0x0080CDEA83023C3C }; -// Order of Alice's subgroup -const uint64_t Alice_order[NWORDS64_ORDER] = { 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0400000000000000 }; -// Order of Bob's subgroup -const uint64_t Bob_order[NWORDS64_ORDER] = { 0xC216F6888479E82B, 0xE6FDB21EDF9F6BC4, 0x1171AF769DE93406, 0x1019BD5060478798 }; -// Alice's generator values {XPA0 + XPA1*i, XQA0, XRA0 + XRA1*i} in GF(p503^2), expressed in Montgomery representation -const uint64_t A_gen[5*NWORDS64_FIELD] = { 0xE7EF4AA786D855AF, 0xED5758F03EB34D3B, 0x09AE172535A86AA9, 0x237B9CC07D622723, - 0xE3A284CBA4E7932D, 0x27481D9176C5E63F, 0x6A323FF55C6E71BF, 0x002ECC31A6FB8773, // XPA0 - 0x64D02E4E90A620B8, 0xDAB8128537D4B9F1, 0x4BADF77B8A228F98, 0x0F5DBDF9D1FB7D1B, - 0xBEC4DB288E1A0DCC, 0xE76A8665E80675DB, 0x6D6F252E12929463, 0x003188BD1463FACC, // XPA1 - 0xB79D41025DE85D56, 0x0B867DA9DF169686, 0x740E5368021C827D, 0x20615D72157BF25C, - 0xFF1590013C9B9F5B, 0xC884DCADE8C16CEA, 0xEBD05E53BF724E01, 0x0032FEF8FDA5748C, // XQA0 - 0x12E2E849AA0A8006, 0x41CF47008635A1E8, 0x9CD720A70798AED7, 0x42A820B42FCF04CF, - 0x7BF9BAD32AAE88B1, 0xF619127A54090BBE, 0x1CB10D8F56408EAA, 0x001D6B54C3C0EDEB, // XRA0 - 0x34DB54931CBAAC36, 0x420A18CB8DD5F0C4, 0x32008C1A48C0F44D, 0x3B3BA772B1CFD44D, - 0xA74B058FDAF13515, 0x095FC9CA7EEC17B4, 0x448E829D28F120F8, 0x00261EC3ED16A489 }; // XRA1 -// Bob's generator values {XPB0 + XPB1*i, XQB0, XRB0 + XRB1*i} in GF(p503^2), expressed in Montgomery representation -const uint64_t B_gen[5*NWORDS64_FIELD] = { 0x7EDE37F4FA0BC727, 0xF7F8EC5C8598941C, 0xD15519B516B5F5C8, 0xF6D5AC9B87A36282, - 0x7B19F105B30E952E, 0x13BD8B2025B4EBEE, 0x7B96D27F4EC579A2, 0x00140850CAB7E5DE, // XPB0 - 0x7764909DAE7B7B2D, 0x578ABB16284911AB, 0x76E2BFD146A6BF4D, 0x4824044B23AA02F0, - 0x1105048912A321F3, 0xB8A2E482CF0F10C1, 0x42FF7D0BE2152085, 0x0018E599C5223352, // XPB1 - 0x4256C520FB388820, 0x744FD7C3BAAF0A13, 0x4B6A2DDDB12CBCB8, 0xE46826E27F427DF8, - 0xFE4A663CD505A61B, 0xD6B3A1BAF025C695, 0x7C3BB62B8FCC00BD, 0x003AFDDE4A35746C, // XQB0 - 0x75601CD1E6C0DFCB, 0x1A9007239B58F93E, 0xC1F1BE80C62107AC, 0x7F513B898F29FF08, - 0xEA0BEDFF43E1F7B2, 0x2C6D94018CBAE6D0, 0x3A430D31BCD84672, 0x000D26892ECCFE83, // XRB0 - 0x1119D62AEA3007A1, 0xE3702AA4E04BAE1B, 0x9AB96F7D59F990E7, 0xF58440E8B43319C0, - 0xAF8134BEE1489775, 0xE7F7774E905192AA, 0xF54AE09308E98039, 0x001EF7A041A86112 }; // XRB1 -// Montgomery constant Montgomery_R2 = (2^512)^2 mod p503 -const uint64_t Montgomery_R2[NWORDS64_FIELD] = { 0x5289A0CF641D011F, 0x9B88257189FED2B9, 0xA3B365D58DC8F17A, 0x5BC57AB6EFF168EC, - 0x9E51998BD84D4423, 0xBF8999CBAC3B5695, 0x46E9127BCE14CDB6, 0x003F6CFCE8B81771 }; -// Value one in Montgomery representation -const uint64_t Montgomery_one[NWORDS64_FIELD] = { 0x00000000000003F9, 0x0000000000000000, 0x0000000000000000, 0xB400000000000000, - 0x63CB1A6EA6DED2B4, 0x51689D8D667EB37D, 0x8ACD77C71AB24142, 0x0026FBAEC60F5953 }; -// Value (2^256)^2 mod 3^159 -const uint64_t Montgomery_Rprime[NWORDS64_ORDER] = { 0x0C2615CA3C5BAA99, 0x5A4FF3072AB6AA6A, 0xA6AFD4B039AD6AA2, 0x010DA06A26DD05CB }; -// Value -(3^159)^-1 mod 2^256 -const uint64_t Montgomery_rprime[NWORDS64_ORDER] = { 0x49C8A87190C0697D, 0x2EB7968EA0F0A558, 0x944257B696777FA2, 0xBAA4DDCD6139D2B3 }; -// Value order_Bob/3 mod p503 -const uint64_t Border_div3[NWORDS_ORDER] = { 0xEB5CFCD82C28A2B9, 0x4CFF3B5F9FDFCE96, 0xB07B3A7CDF4DBC02, 0x055DE9C5756D2D32 }; - - -// Fixed parameters for isogeny tree computation -const unsigned int strat_Alice[MAX_Alice-1] = { -61, 32, 16, 8, 4, 2, 1, 1, 2, 1, 1, 4, 2, 1, 1, 2, 1, 1, 8, 4, 2, 1, 1, 2, 1, 1, -4, 2, 1, 1, 2, 1, 1, 16, 8, 4, 2, 1, 1, 2, 1, 1, 4, 2, 1, 1, 2, 1, 1, 8, 4, 2, 1, -1, 2, 1, 1, 4, 2, 1, 1, 2, 1, 1, 29, 16, 8, 4, 2, 1, 1, 2, 1, 1, 4, 2, 1, 1, 2, 1, -1, 8, 4, 2, 1, 1, 2, 1, 1, 4, 2, 1, 1, 2, 1, 1, 13, 8, 4, 2, 1, 1, 2, 1, 1, 4, 2, -1, 1, 2, 1, 1, 5, 4, 2, 1, 1, 2, 1, 1, 2, 1, 1, 1 }; - -const unsigned int strat_Bob[MAX_Bob-1] = { -71, 38, 21, 13, 8, 4, 2, 1, 1, 2, 1, 1, 4, 2, 1, 1, 2, 1, 1, 5, 4, 2, 1, 1, 2, 1, -1, 2, 1, 1, 1, 9, 5, 3, 2, 1, 1, 1, 1, 2, 1, 1, 1, 4, 2, 1, 1, 1, 2, 1, 1, 17, 9, -5, 3, 2, 1, 1, 1, 1, 2, 1, 1, 1, 4, 2, 1, 1, 1, 2, 1, 1, 8, 4, 2, 1, 1, 1, 2, 1, -1, 4, 2, 1, 1, 2, 1, 1, 33, 17, 9, 5, 3, 2, 1, 1, 1, 1, 2, 1, 1, 1, 4, 2, 1, 1, 1, -2, 1, 1, 8, 4, 2, 1, 1, 1, 2, 1, 1, 4, 2, 1, 1, 2, 1, 1, 16, 8, 4, 2, 1, 1, 1, 2, -1, 1, 4, 2, 1, 1, 2, 1, 1, 8, 4, 2, 1, 1, 2, 1, 1, 4, 2, 1, 1, 2, 1, 1 }; - -// Setting up macro defines and including GF(p), GF(p^2), curve, isogeny and kex functions -#define fpcopy fpcopy503 -#define fpzero fpzero503 -#define fpadd fpadd503 -#define fpsub fpsub503 -#define fpneg fpneg503 -#define fpdiv2 fpdiv2_503 -#define fpcorrection fpcorrection503 -#define fpmul_mont fpmul503_mont -#define fpsqr_mont fpsqr503_mont -#define fpinv_mont fpinv503_mont -#define fpinv_chain_mont fpinv503_chain_mont -#define fpinv_mont_bingcd fpinv503_mont_bingcd -#define fp2copy fp2copy503 -#define fp2add fp2add503 -#define fp2sub fp2sub503 -#define fp2neg fp2neg503 -#define fp2div2 fp2div2_503 -#define fp2correction fp2correction503 -#define fp2mul_mont fp2mul503_mont -#define fp2sqr_mont fp2sqr503_mont -#define fp2inv_mont fp2inv503_mont -#define fp2inv_mont_bingcd fp2inv503_mont_bingcd -#define fpequal_non_constant_time fpequal503_non_constant_time -#define mp_add_asm mp_add503_asm -#define mp_addx2_asm mp_add503x2_asm -#define mp_subx2_asm mp_sub503x2_asm - -#include "fpx_r1.c" -#include "ec_isogeny_r1.c" -#include "sidh_r1.c" diff --git a/contrib/restricted/aws/s2n/pq-crypto/sike_r1/api_r1.h b/contrib/restricted/aws/s2n/pq-crypto/sike_r1/api_r1.h deleted file mode 100644 index 210a90e000..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/sike_r1/api_r1.h +++ /dev/null @@ -1,76 +0,0 @@ -/******************************************************************************************** -* Supersingular Isogeny Key Encapsulation Library -* -* Abstract: API header file for P503 -*********************************************************************************************/ - -#ifndef __P503_API_H__ -#define __P503_API_H__ - -#include "sike_r1_namespace.h" -#include "config_r1.h" - -// Encoding of keys for KEM-based isogeny system "SIKEp503" (wire format): -// ---------------------------------------------------------------------- -// Elements over GF(p503) are encoded in 63 octets in little endian format (i.e., the least significant octet is located in the lowest memory address). -// Elements (a+b*i) over GF(p503^2), where a and b are defined over GF(p503), are encoded as {a, b}, with a in the lowest memory portion. -// -// Private keys sk consist of the concatenation of a 24-byte random value, a value in the range [0, 2^252-1] and the public key pk. In the SIKE API, -// private keys are encoded in 434 octets in little endian format. -// Public keys pk consist of 3 elements in GF(p503^2). In the SIKE API, pk is encoded in 378 octets. -// Ciphertexts ct consist of the concatenation of a public key value and a 24-byte value. In the SIKE API, ct is encoded in 378 + 24 = 402 octets. -// Shared keys ss consist of a value of 16 octets. - - -/*********************** Ephemeral key exchange API ***********************/ - -#define SIDH_SECRETKEYBYTES 32 -#define SIDH_PUBLICKEYBYTES 378 -#define SIDH_BYTES 126 - -// SECURITY NOTE: SIDH supports ephemeral Diffie-Hellman key exchange. It is NOT secure to use it with static keys. -// See "On the Security of Supersingular Isogeny Cryptosystems", S.D. Galbraith, C. Petit, B. Shani and Y.B. Ti, in ASIACRYPT 2016, 2016. -// Extended version available at: http://eprint.iacr.org/2016/859 - -// Generation of Bob's secret key -// Outputs random value in [0, 2^Floor(Log(2,3^159)) - 1] to be used as Bob's private key -int random_mod_order_B(unsigned char* random_digits); - -// Alice's ephemeral public key generation -// Input: a private key PrivateKeyA in the range [0, 2^250 - 1], stored in 32 bytes. -// Output: the public key PublicKeyA consisting of 3 GF(p503^2) elements encoded in 378 bytes. -int EphemeralKeyGeneration_A(const digit_t* PrivateKeyA, unsigned char* PublicKeyA); - -// Bob's ephemeral key-pair generation -// It produces a private key PrivateKeyB and computes the public key PublicKeyB. -// The private key is an integer in the range [0, 2^Floor(Log(2,3^159)) - 1], stored in 32 bytes. -// The public key consists of 3 GF(p503^2) elements encoded in 378 bytes. -int EphemeralKeyGeneration_B(const digit_t* PrivateKeyB, unsigned char* PublicKeyB); - -// Alice's ephemeral shared secret computation -// It produces a shared secret key SharedSecretA using her secret key PrivateKeyA and Bob's public key PublicKeyB -// Inputs: Alice's PrivateKeyA is an integer in the range [0, 2^250 - 1], stored in 32 bytes. -// Bob's PublicKeyB consists of 3 GF(p503^2) elements encoded in 378 bytes. -// Output: a shared secret SharedSecretA that consists of one element in GF(p503^2) encoded in 126 bytes. -int EphemeralSecretAgreement_A(const digit_t* PrivateKeyA, const unsigned char* PublicKeyB, unsigned char* SharedSecretA); - -// Bob's ephemeral shared secret computation -// It produces a shared secret key SharedSecretB using his secret key PrivateKeyB and Alice's public key PublicKeyA -// Inputs: Bob's PrivateKeyB is an integer in the range [0, 2^Floor(Log(2,3^159)) - 1], stored in 32 bytes. -// Alice's PublicKeyA consists of 3 GF(p503^2) elements encoded in 378 bytes. -// Output: a shared secret SharedSecretB that consists of one element in GF(p503^2) encoded in 126 bytes. -int EphemeralSecretAgreement_B(const digit_t* PrivateKeyB, const unsigned char* PublicKeyA, unsigned char* SharedSecretB); - - -// Encoding of keys for KEX-based isogeny system "SIDHp503" (wire format): -// ---------------------------------------------------------------------- -// Elements over GF(p503) are encoded in 63 octets in little endian format (i.e., the least significant octet is located in the lowest memory address). -// Elements (a+b*i) over GF(p503^2), where a and b are defined over GF(p503), are encoded as {a, b}, with a in the lowest memory portion. -// -// Private keys PrivateKeyA and PrivateKeyB can have values in the range [0, 2^250-1] and [0, 2^252-1], resp. In the SIDH API, private keys are encoded -// in 32 octets in little endian format. -// Public keys PublicKeyA and PublicKeyB consist of 3 elements in GF(p503^2). In the SIDH API, they are encoded in 378 octets. -// Shared keys SharedSecretA and SharedSecretB consist of one element in GF(p503^2). In the SIDH API, they are encoded in 126 octets. - - -#endif diff --git a/contrib/restricted/aws/s2n/pq-crypto/sike_r1/config_r1.h b/contrib/restricted/aws/s2n/pq-crypto/sike_r1/config_r1.h deleted file mode 100644 index f9bc5d36d0..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/sike_r1/config_r1.h +++ /dev/null @@ -1,146 +0,0 @@ -/******************************************************************************************** -* Supersingular Isogeny Key Encapsulation Library -* -* Abstract: configuration file and platform-dependent macros -*********************************************************************************************/ - -#ifndef __CONFIG_H__ -#define __CONFIG_H__ - -#include "sike_r1_namespace.h" -#include <stdint.h> -#include <stdbool.h> -#include <stddef.h> - -// Definition of compiler - -#define COMPILER_GCC 1 -#define COMPILER_CLANG 2 - -#if defined(__GNUC__) // GNU GCC compiler - #define COMPILER COMPILER_GCC -#elif defined(__clang__) // Clang compiler - #define COMPILER COMPILER_CLANG -#else - #error -- "Unsupported COMPILER" -#endif - -#define _AMD64_ - -// Definition of the targeted architecture and basic data types - -#define TARGET_AMD64 1 -#define TARGET_x86 2 -#define TARGET_ARM 3 -#define TARGET_ARM64 4 - -#if defined(_AMD64_) - #define TARGET TARGET_AMD64 - #define RADIX 64 - #define LOG2RADIX 6 - typedef uint64_t digit_t; // Unsigned 64-bit digit -#elif defined(_X86_) - #define TARGET TARGET_x86 - #define RADIX 32 - #define LOG2RADIX 5 - typedef uint32_t digit_t; // Unsigned 32-bit digit -#elif defined(_ARM_) - #define TARGET TARGET_ARM - #define RADIX 32 - #define LOG2RADIX 5 - typedef uint32_t digit_t; // Unsigned 32-bit digit -#elif defined(_ARM64_) - #define TARGET TARGET_ARM64 - #define RADIX 64 - #define LOG2RADIX 6 - typedef uint64_t digit_t; // Unsigned 64-bit digit -#else - #error -- "Unsupported ARCHITECTURE" -#endif - -#define RADIX64 64 - - -// Selection of implementation: optimized_generic - -#if defined(_OPTIMIZED_GENERIC_) - #define OPTIMIZED_GENERIC_IMPLEMENTATION -#endif - - -// Extended datatype support - -typedef uint64_t uint128_t[2]; - - -// Macro definitions - -#define NBITS_TO_NBYTES(nbits) (((nbits)+7)/8) // Conversion macro from number of bits to number of bytes -#define NBITS_TO_NWORDS(nbits) (((nbits)+(sizeof(digit_t)*8)-1)/(sizeof(digit_t)*8)) // Conversion macro from number of bits to number of computer words -#define NBYTES_TO_NWORDS(nbytes) (((nbytes)+sizeof(digit_t)-1)/sizeof(digit_t)) // Conversion macro from number of bytes to number of computer words - -// Macro to avoid compiler warnings when detecting unreferenced parameters -#define UNREFERENCED_PARAMETER(PAR) ((void)(PAR)) - - -/********************** Constant-time unsigned comparisons ***********************/ - -// The following functions return 1 (TRUE) if condition is true, 0 (FALSE) otherwise - -static __inline unsigned int is_digit_nonzero_ct(digit_t x) -{ // Is x != 0? - return (unsigned int)((x | (0-x)) >> (RADIX-1)); -} - -static __inline unsigned int is_digit_zero_ct(digit_t x) -{ // Is x = 0? - return (unsigned int)(1 ^ is_digit_nonzero_ct(x)); -} - -static __inline unsigned int is_digit_lessthan_ct(digit_t x, digit_t y) -{ // Is x < y? - return (unsigned int)((x ^ ((x ^ y) | ((x - y) ^ y))) >> (RADIX-1)); -} - - -/********************** Macros for platform-dependent operations **********************/ - -// Digit multiplication -#define MUL(multiplier, multiplicand, hi, lo) \ - digit_x_digit((multiplier), (multiplicand), &(lo)); - -// Digit addition with carry -#define ADDC(carryIn, addend1, addend2, carryOut, sumOut) \ - { digit_t tempReg = (addend1) + (digit_t)(carryIn); \ - (sumOut) = (addend2) + tempReg; \ - (carryOut) = (is_digit_lessthan_ct(tempReg, (digit_t)(carryIn)) | is_digit_lessthan_ct((sumOut), tempReg)); } - -// Digit subtraction with borrow -#define SUBC(borrowIn, minuend, subtrahend, borrowOut, differenceOut) \ - { digit_t tempReg = (minuend) - (subtrahend); \ - unsigned int borrowReg = (is_digit_lessthan_ct((minuend), (subtrahend)) | ((borrowIn) & is_digit_zero_ct(tempReg))); \ - (differenceOut) = tempReg - (digit_t)(borrowIn); \ - (borrowOut) = borrowReg; } - -// Shift right with flexible datatype -#define SHIFTR(highIn, lowIn, shift, shiftOut, DigitSize) \ - (shiftOut) = ((lowIn) >> (shift)) ^ ((highIn) << (DigitSize - (shift))); - -// Shift left with flexible datatype -#define SHIFTL(highIn, lowIn, shift, shiftOut, DigitSize) \ - (shiftOut) = ((highIn) << (shift)) ^ ((lowIn) >> (DigitSize - (shift))); - -// 64x64-bit multiplication -#define MUL128(multiplier, multiplicand, product) \ - mp_mul((digit_t*)&(multiplier), (digit_t*)&(multiplicand), (digit_t*)&(product), NWORDS_FIELD/2); - -// 128-bit addition, inputs < 2^127 -#define ADD128(addend1, addend2, addition) \ - mp_add((digit_t*)(addend1), (digit_t*)(addend2), (digit_t*)(addition), NWORDS_FIELD); - -// 128-bit addition with output carry -#define ADC128(addend1, addend2, carry, addition) \ - (carry) = mp_add((digit_t*)(addend1), (digit_t*)(addend2), (digit_t*)(addition), NWORDS_FIELD); - - -#endif diff --git a/contrib/restricted/aws/s2n/pq-crypto/sike_r1/ec_isogeny_r1.c b/contrib/restricted/aws/s2n/pq-crypto/sike_r1/ec_isogeny_r1.c deleted file mode 100644 index 50dfd68373..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/sike_r1/ec_isogeny_r1.c +++ /dev/null @@ -1,388 +0,0 @@ -/******************************************************************************************** -* Supersingular Isogeny Key Encapsulation Library -* -* Abstract: elliptic curve and isogeny functions -*********************************************************************************************/ - -#include "sike_r1_namespace.h" -#include "P503_internal_r1.h" - -void xDBL(const point_proj_t P, point_proj_t Q, const f2elm_t *A24plus, const f2elm_t *C24) -{ // Doubling of a Montgomery point in projective coordinates (X:Z). - // Input: projective Montgomery x-coordinates P = (X1:Z1), where x1=X1/Z1 and Montgomery curve constants A+2C and 4C. - // Output: projective Montgomery x-coordinates Q = 2*P = (X2:Z2). - f2elm_t _t0, _t1; - f2elm_t *t0=&_t0, *t1=&_t1; - - fp2sub(&P->X, &P->Z, t0); // t0 = X1-Z1 - fp2add(&P->X, &P->Z, t1); // t1 = X1+Z1 - fp2sqr_mont(t0, t0); // t0 = (X1-Z1)^2 - fp2sqr_mont(t1, t1); // t1 = (X1+Z1)^2 - fp2mul_mont(C24, t0, &Q->Z); // Z2 = C24*(X1-Z1)^2 - fp2mul_mont(t1, &Q->Z, &Q->X); // X2 = C24*(X1-Z1)^2*(X1+Z1)^2 - fp2sub(t1, t0, t1); // t1 = (X1+Z1)^2-(X1-Z1)^2 - fp2mul_mont(A24plus, t1, t0); // t0 = A24plus*[(X1+Z1)^2-(X1-Z1)^2] - fp2add(&Q->Z, t0, &Q->Z); // Z2 = A24plus*[(X1+Z1)^2-(X1-Z1)^2] + C24*(X1-Z1)^2 - fp2mul_mont(&Q->Z, t1, &Q->Z); // Z2 = [A24plus*[(X1+Z1)^2-(X1-Z1)^2] + C24*(X1-Z1)^2]*[(X1+Z1)^2-(X1-Z1)^2] -} - - -void xDBLe(const point_proj_t P, point_proj_t Q, const f2elm_t *A24plus, const f2elm_t *C24, const int e) -{ // Computes [2^e](X:Z) on Montgomery curve with projective constant via e repeated doublings. - // Input: projective Montgomery x-coordinates P = (XP:ZP), such that xP=XP/ZP and Montgomery curve constants A+2C and 4C. - // Output: projective Montgomery x-coordinates Q <- (2^e)*P. - - copy_words((const digit_t*)P, (digit_t*)Q, 2*2*NWORDS_FIELD); - - for (int i = 0; i < e; i++) { - xDBL(Q, Q, A24plus, C24); - } -} - - -void get_4_isog(const point_proj_t P, f2elm_t *A24plus, f2elm_t *C24, f2elm_t* coeff) -{ // Computes the corresponding 4-isogeny of a projective Montgomery point (X4:Z4) of order 4. - // Input: projective point of order four P = (X4:Z4). - // Output: the 4-isogenous Montgomery curve with projective coefficients A+2C/4C and the 3 coefficients - // that are used to evaluate the isogeny at a point in eval_4_isog(). - - fp2sub(&P->X, &P->Z, &coeff[1]); // coeff[1] = X4-Z4 - fp2add(&P->X, &P->Z, &coeff[2]); // coeff[2] = X4+Z4 - fp2sqr_mont(&P->Z, &coeff[0]); // coeff[0] = Z4^2 - fp2add(&coeff[0], &coeff[0], &coeff[0]); // coeff[0] = 2*Z4^2 - fp2sqr_mont(&coeff[0], C24); // C24 = 4*Z4^4 - fp2add(&coeff[0], &coeff[0], &coeff[0]); // coeff[0] = 4*Z4^2 - fp2sqr_mont(&P->X, A24plus); // A24plus = X4^2 - fp2add(A24plus, A24plus, A24plus); // A24plus = 2*X4^2 - fp2sqr_mont(A24plus, A24plus); // A24plus = 4*X4^4 -} - - -void eval_4_isog(point_proj_t P, f2elm_t* coeff) -{ // Evaluates the isogeny at the point (X:Z) in the domain of the isogeny, given a 4-isogeny phi defined - // by the 3 coefficients in coeff (computed in the function get_4_isog()). - // Inputs: the coefficients defining the isogeny, and the projective point P = (X:Z). - // Output: the projective point P = phi(P) = (X:Z) in the codomain. - f2elm_t _t0, _t1; - f2elm_t *t0=&_t0, *t1=&_t1; - - fp2add(&P->X, &P->Z, t0); // t0 = X+Z - fp2sub(&P->X, &P->Z, t1); // t1 = X-Z - fp2mul_mont(t0, &coeff[1], &P->X); // X = (X+Z)*coeff[1] - fp2mul_mont(t1, &coeff[2], &P->Z); // Z = (X-Z)*coeff[2] - fp2mul_mont(t0, t1, t0); // t0 = (X+Z)*(X-Z) - fp2mul_mont(t0, &coeff[0], t0); // t0 = coeff[0]*(X+Z)*(X-Z) - fp2add(&P->X, &P->Z, t1); // t1 = (X-Z)*coeff[2] + (X+Z)*coeff[1] - fp2sub(&P->X, &P->Z, &P->Z); // Z = (X-Z)*coeff[2] - (X+Z)*coeff[1] - fp2sqr_mont(t1, t1); // t1 = [(X-Z)*coeff[2] + (X+Z)*coeff[1]]^2 - fp2sqr_mont(&P->Z, &P->Z); // Z = [(X-Z)*coeff[2] - (X+Z)*coeff[1]]^2 - fp2add(t1, t0, &P->X); // X = coeff[0]*(X+Z)*(X-Z) + [(X-Z)*coeff[2] + (X+Z)*coeff[1]]^2 - fp2sub(&P->Z, t0, t0); // t0 = [(X-Z)*coeff[2] - (X+Z)*coeff[1]]^2 - coeff[0]*(X+Z)*(X-Z) - fp2mul_mont(&P->X, t1, &P->X); // Xfinal - fp2mul_mont(&P->Z, t0, &P->Z); // Zfinal -} - - -void xTPL(const point_proj_t P, point_proj_t Q, const f2elm_t *A24minus, const f2elm_t *A24plus) -{ // Tripling of a Montgomery point in projective coordinates (X:Z). - // Input: projective Montgomery x-coordinates P = (X:Z), where x=X/Z and Montgomery curve constants A24plus = A+2C and A24minus = A-2C. - // Output: projective Montgomery x-coordinates Q = 3*P = (X3:Z3). - f2elm_t _t0, _t1, _t2, _t3, _t4, _t5, _t6; - f2elm_t *t0=&_t0, *t1=&_t1, *t2=&_t2 ; - f2elm_t *t3=&_t3, *t4=&_t4, *t5=&_t5, *t6=&_t6; - - fp2sub(&P->X, &P->Z, t0); // t0 = X-Z - fp2sqr_mont(t0, t2); // t2 = (X-Z)^2 - fp2add(&P->X, &P->Z, t1); // t1 = X+Z - fp2sqr_mont(t1, t3); // t3 = (X+Z)^2 - fp2add(t0, t1, t4); // t4 = 2*X - fp2sub(t1, t0, t0); // t0 = 2*Z - fp2sqr_mont(t4, t1); // t1 = 4*X^2 - fp2sub(t1, t3, t1); // t1 = 4*X^2 - (X+Z)^2 - fp2sub(t1, t2, t1); // t1 = 4*X^2 - (X+Z)^2 - (X-Z)^2 - fp2mul_mont(t3, A24plus, t5); // t5 = A24plus*(X+Z)^2 - fp2mul_mont(t3, t5, t3); // t3 = A24plus*(X+Z)^3 - fp2mul_mont(A24minus, t2, t6); // t6 = A24minus*(X-Z)^2 - fp2mul_mont(t2, t6, t2); // t2 = A24minus*(X-Z)^3 - fp2sub(t2, t3, t3); // t3 = A24minus*(X-Z)^3 - coeff*(X+Z)^3 - fp2sub(t5, t6, t2); // t2 = A24plus*(X+Z)^2 - A24minus*(X-Z)^2 - fp2mul_mont(t1, t2, t1); // t1 = [4*X^2 - (X+Z)^2 - (X-Z)^2]*[A24plus*(X+Z)^2 - A24minus*(X-Z)^2] - fp2add(t3, t1, t2); // t2 = [4*X^2 - (X+Z)^2 - (X-Z)^2]*[A24plus*(X+Z)^2 - A24minus*(X-Z)^2] + A24minus*(X-Z)^3 - coeff*(X+Z)^3 - fp2sqr_mont(t2, t2); // t2 = t2^2 - fp2mul_mont(t4, t2, &Q->X); // X3 = 2*X*t2 - fp2sub(t3, t1, t1); // t1 = A24minus*(X-Z)^3 - A24plus*(X+Z)^3 - [4*X^2 - (X+Z)^2 - (X-Z)^2]*[A24plus*(X+Z)^2 - A24minus*(X-Z)^2] - fp2sqr_mont(t1, t1); // t1 = t1^2 - fp2mul_mont(t0, t1, &Q->Z); // Z3 = 2*Z*t1 -} - - -void xTPLe(const point_proj_t P, point_proj_t Q, const f2elm_t *A24minus, const f2elm_t *A24plus, const int e) -{ // Computes [3^e](X:Z) on Montgomery curve with projective constant via e repeated triplings. - // Input: projective Montgomery x-coordinates P = (XP:ZP), such that xP=XP/ZP and Montgomery curve constants A24plus = A+2C and A24minus = A-2C. - // Output: projective Montgomery x-coordinates Q <- (3^e)*P. - - copy_words((const digit_t*)P, (digit_t*)Q, 2*2*NWORDS_FIELD); - - for (int i = 0; i < e; i++) { - xTPL(Q, Q, A24minus, A24plus); - } -} - - -void get_3_isog(const point_proj_t P, f2elm_t *A24minus, f2elm_t *A24plus, f2elm_t* coeff) -{ // Computes the corresponding 3-isogeny of a projective Montgomery point (X3:Z3) of order 3. - // Input: projective point of order three P = (X3:Z3). - // Output: the 3-isogenous Montgomery curve with projective coefficient A/C. - f2elm_t _t0, _t1, _t2, _t3, _t4; - f2elm_t *t0=&_t0, *t1=&_t1, *t2=&_t2 ; - f2elm_t *t3=&_t3, *t4=&_t4 ; - - fp2sub(&P->X, &P->Z, &coeff[0]); // coeff0 = X-Z - fp2sqr_mont(&coeff[0], t0); // t0 = (X-Z)^2 - fp2add(&P->X, &P->Z, &coeff[1]); // coeff1 = X+Z - fp2sqr_mont(&coeff[1], t1); // t1 = (X+Z)^2 - fp2add(t0, t1, t2); // t2 = (X+Z)^2 + (X-Z)^2 - fp2add(&coeff[0], &coeff[1], t3); // t3 = 2*X - fp2sqr_mont(t3, t3); // t3 = 4*X^2 - fp2sub(t3, t2, t3); // t3 = 4*X^2 - (X+Z)^2 - (X-Z)^2 - fp2add(t1, t3, t2); // t2 = 4*X^2 - (X-Z)^2 - fp2add(t3, t0, t3); // t3 = 4*X^2 - (X+Z)^2 - fp2add(t0, t3, t4); // t4 = 4*X^2 - (X+Z)^2 + (X-Z)^2 - fp2add(t4, t4, t4); // t4 = 2(4*X^2 - (X+Z)^2 + (X-Z)^2) - fp2add(t1, t4, t4); // t4 = 8*X^2 - (X+Z)^2 + 2*(X-Z)^2 - fp2mul_mont(t2, t4, A24minus); // A24minus = [4*X^2 - (X-Z)^2]*[8*X^2 - (X+Z)^2 + 2*(X-Z)^2] - fp2add(t1, t2, t4); // t4 = 4*X^2 + (X+Z)^2 - (X-Z)^2 - fp2add(t4, t4, t4); // t4 = 2(4*X^2 + (X+Z)^2 - (X-Z)^2) - fp2add(t0, t4, t4); // t4 = 8*X^2 + 2*(X+Z)^2 - (X-Z)^2 - fp2mul_mont(t3, t4, t4); // t4 = [4*X^2 - (X+Z)^2]*[8*X^2 + 2*(X+Z)^2 - (X-Z)^2] - fp2sub(t4, A24minus, t0); // t0 = [4*X^2 - (X+Z)^2]*[8*X^2 + 2*(X+Z)^2 - (X-Z)^2] - [4*X^2 - (X-Z)^2]*[8*X^2 - (X+Z)^2 + 2*(X-Z)^2] - fp2add(A24minus, t0, A24plus); // A24plus = 8*X^2 - (X+Z)^2 + 2*(X-Z)^2 -} - - -void eval_3_isog(point_proj_t Q, const f2elm_t* coeff) -{ // Computes the 3-isogeny R=phi(X:Z), given projective point (X3:Z3) of order 3 on a Montgomery curve and - // a point P with 2 coefficients in coeff (computed in the function get_3_isog()). - // Inputs: projective points P = (X3:Z3) and Q = (X:Z). - // Output: the projective point Q <- phi(Q) = (X3:Z3). - f2elm_t _t0, _t1, _t2; - f2elm_t *t0=&_t0, *t1=&_t1, *t2=&_t2 ; - - fp2add(&Q->X, &Q->Z, t0); // t0 = X+Z - fp2sub(&Q->X, &Q->Z, t1); // t1 = X-Z - fp2mul_mont(t0, &coeff[0], t0); // t0 = coeff0*(X+Z) - fp2mul_mont(t1, &coeff[1], t1); // t1 = coeff1*(X-Z) - fp2add(t0, t1, t2); // t2 = coeff0*(X-Z) + coeff1*(X+Z) - fp2sub(t1, t0, t0); // t0 = coeff0*(X-Z) - coeff1*(X+Z) - fp2sqr_mont(t2, t2); // t2 = [coeff0*(X-Z) + coeff1*(X+Z)]^2 - fp2sqr_mont(t0, t0); // t1 = [coeff0*(X-Z) - coeff1*(X+Z)]^2 - fp2mul_mont(&Q->X, t2, &Q->X); // X3final = X*[coeff0*(X-Z) + coeff1*(X+Z)]^2 - fp2mul_mont(&Q->Z, t0, &Q->Z); // Z3final = Z*[coeff0*(X-Z) - coeff1*(X+Z)]^2 -} - - -void inv_3_way(f2elm_t *z1, f2elm_t *z2, f2elm_t *z3) -{ // 3-way simultaneous inversion - // Input: z1,z2,z3 - // Output: 1/z1,1/z2,1/z3 (override inputs). - f2elm_t _t0, _t1, _t2, _t3; - f2elm_t *t0=&_t0, *t1=&_t1; - f2elm_t *t2=&_t2, *t3=&_t3; - - fp2mul_mont(z1, z2, t0); // t0 = z1*z2 - fp2mul_mont(z3, t0, t1); // t1 = z1*z2*z3 - fp2inv_mont(t1); // t1 = 1/(z1*z2*z3) - fp2mul_mont(z3, t1, t2); // t2 = 1/(z1*z2) - fp2mul_mont(t2, z2, t3); // t3 = 1/z1 - fp2mul_mont(t2, z1, z2); // z2 = 1/z2 - fp2mul_mont(t0, t1, z3); // z3 = 1/z3 - fp2copy(t3, z1); // z1 = 1/z1 -} - - -void get_A(const f2elm_t *xP, const f2elm_t *xQ, const f2elm_t *xR, f2elm_t *A) -{ // Given the x-coordinates of P, Q, and R, returns the value A corresponding to the Montgomery curve E_A: y^2=x^3+A*x^2+x such that R=Q-P on E_A. - // Input: the x-coordinates xP, xQ, and xR of the points P, Q and R. - // Output: the coefficient A corresponding to the curve E_A: y^2=x^3+A*x^2+x. - f2elm_t _t0, _t1, one = {0}; - f2elm_t *t0=&_t0, *t1=&_t1; - - fpcopy((const digit_t*)&Montgomery_one, one.e[0]); - fp2add(xP, xQ, t1); // t1 = xP+xQ - fp2mul_mont(xP, xQ, t0); // t0 = xP*xQ - fp2mul_mont(xR, t1, A); // A = xR*t1 - fp2add(t0, A, A); // A = A+t0 - fp2mul_mont(t0, xR, t0); // t0 = t0*xR - fp2sub(A, &one, A); // A = A-1 - fp2add(t0, t0, t0); // t0 = t0+t0 - fp2add(t1, xR, t1); // t1 = t1+xR - fp2add(t0, t0, t0); // t0 = t0+t0 - fp2sqr_mont(A, A); // A = A^2 - fp2inv_mont(t0); // t0 = 1/t0 - fp2mul_mont(A, t0, A); // A = A*t0 - fp2sub(A, t1, A); // Afinal = A-t1 -} - - -void j_inv(const f2elm_t *A, const f2elm_t *C, f2elm_t *jinv) -{ // Computes the j-invariant of a Montgomery curve with projective constant. - // Input: A,C in GF(p^2). - // Output: j=256*(A^2-3*C^2)^3/(C^4*(A^2-4*C^2)), which is the j-invariant of the Montgomery curve B*y^2=x^3+(A/C)*x^2+x or (equivalently) j-invariant of B'*y^2=C*x^3+A*x^2+C*x. - f2elm_t _t0, _t1; - f2elm_t *t0=&_t0, *t1=&_t1; - - fp2sqr_mont(A, jinv); // jinv = A^2 - fp2sqr_mont(C, t1); // t1 = C^2 - fp2add(t1, t1, t0); // t0 = t1+t1 - fp2sub(jinv, t0, t0); // t0 = jinv-t0 - fp2sub(t0, t1, t0); // t0 = t0-t1 - fp2sub(t0, t1, jinv); // jinv = t0-t1 - fp2sqr_mont(t1, t1); // t1 = t1^2 - fp2mul_mont(jinv, t1, jinv); // jinv = jinv*t1 - fp2add(t0, t0, t0); // t0 = t0+t0 - fp2add(t0, t0, t0); // t0 = t0+t0 - fp2sqr_mont(t0, t1); // t1 = t0^2 - fp2mul_mont(t0, t1, t0); // t0 = t0*t1 - fp2add(t0, t0, t0); // t0 = t0+t0 - fp2add(t0, t0, t0); // t0 = t0+t0 - fp2inv_mont(jinv); // jinv = 1/jinv - fp2mul_mont(jinv, t0, jinv); // jinv = t0*jinv -} - - -void xDBLADD(point_proj_t P, point_proj_t Q, const f2elm_t *xPQ, const f2elm_t *A24) -{ // Simultaneous doubling and differential addition. - // Input: projective Montgomery points P=(XP:ZP) and Q=(XQ:ZQ) such that xP=XP/ZP and xQ=XQ/ZQ, affine difference xPQ=x(P-Q) and Montgomery curve constant A24=(A+2)/4. - // Output: projective Montgomery points P <- 2*P = (X2P:Z2P) such that x(2P)=X2P/Z2P, and Q <- P+Q = (XQP:ZQP) such that = x(Q+P)=XQP/ZQP. - f2elm_t _t0, _t1, _t2; - f2elm_t *t0=&_t0, *t1=&_t1, *t2=&_t2; - - fp2add(&P->X, &P->Z, t0); // t0 = XP+ZP - fp2sub(&P->X, &P->Z, t1); // t1 = XP-ZP - fp2sqr_mont(t0, &P->X); // XP = (XP+ZP)^2 - fp2sub(&Q->X, &Q->Z, t2); // t2 = XQ-ZQ - fp2correction(t2); - fp2add(&Q->X,&Q->Z, &Q->X); // XQ = XQ+ZQ - fp2mul_mont(t0, t2, t0); // t0 = (XP+ZP)*(XQ-ZQ) - fp2sqr_mont(t1, &P->Z); // ZP = (XP-ZP)^2 - fp2mul_mont(t1, &Q->X, t1); // t1 = (XP-ZP)*(XQ+ZQ) - fp2sub(&P->X, &P->Z, t2); // t2 = (XP+ZP)^2-(XP-ZP)^2 - fp2mul_mont(&P->X, &P->Z, &P->X); // XP = (XP+ZP)^2*(XP-ZP)^2 - fp2mul_mont(t2, A24, &Q->X); // XQ = A24*[(XP+ZP)^2-(XP-ZP)^2] - fp2sub(t0, t1, &Q->Z); // ZQ = (XP+ZP)*(XQ-ZQ)-(XP-ZP)*(XQ+ZQ) - fp2add(&Q->X, &P->Z, &P->Z); // ZP = A24*[(XP+ZP)^2-(XP-ZP)^2]+(XP-ZP)^2 - fp2add(t0, t1, &Q->X); // XQ = (XP+ZP)*(XQ-ZQ)+(XP-ZP)*(XQ+ZQ) - fp2mul_mont(&P->Z, t2, &P->Z); // ZP = [A24*[(XP+ZP)^2-(XP-ZP)^2]+(XP-ZP)^2]*[(XP+ZP)^2-(XP-ZP)^2] - fp2sqr_mont(&Q->Z, &Q->Z); // ZQ = [(XP+ZP)*(XQ-ZQ)-(XP-ZP)*(XQ+ZQ)]^2 - fp2sqr_mont(&Q->X, &Q->X); // XQ = [(XP+ZP)*(XQ-ZQ)+(XP-ZP)*(XQ+ZQ)]^2 - fp2mul_mont(&Q->Z, xPQ, &Q->Z); // ZQ = xPQ*[(XP+ZP)*(XQ-ZQ)-(XP-ZP)*(XQ+ZQ)]^2 -} - - -static void swap_points(point_proj_t P, point_proj_t Q, const digit_t option) -{ // Swap points. - // If option = 0 then P <- P and Q <- Q, else if option = 0xFF...FF then P <- Q and Q <- P - unsigned int i; - - for (i = 0; i < NWORDS_FIELD; i++) { - digit_t temp = option & (P->X.e[0][i] ^ Q->X.e[0][i]); - P->X.e[0][i] = temp ^ P->X.e[0][i]; - Q->X.e[0][i] = temp ^ Q->X.e[0][i]; - temp = option & (P->Z.e[0][i] ^ Q->Z.e[0][i]); - P->Z.e[0][i] = temp ^ P->Z.e[0][i]; - Q->Z.e[0][i] = temp ^ Q->Z.e[0][i]; - temp = option & (P->X.e[1][i] ^ Q->X.e[1][i]); - P->X.e[1][i] = temp ^ P->X.e[1][i]; - Q->X.e[1][i] = temp ^ Q->X.e[1][i]; - temp = option & (P->Z.e[1][i] ^ Q->Z.e[1][i]); - P->Z.e[1][i] = temp ^ P->Z.e[1][i]; - Q->Z.e[1][i] = temp ^ Q->Z.e[1][i]; - } -} - - -static void LADDER3PT(const f2elm_t *xP, const f2elm_t *xQ, const f2elm_t *xPQ, const digit_t* m, const unsigned int AliceOrBob, point_proj_t R, const f2elm_t *A) -{ - point_proj_t R0 = {0}, R2 = {0}; - f2elm_t _A24 = {0}; - f2elm_t *A24=&_A24; - int i, nbits, prevbit = 0; - - if (AliceOrBob == ALICE) { - nbits = OALICE_BITS; - } else { - nbits = OBOB_BITS; - } - - // Initializing constant - fpcopy((const digit_t*)&Montgomery_one, A24->e[0]); - fp2add(A24, A24, A24); - fp2add(A, A24, A24); - fp2div2(A24, A24); - fp2div2(A24, A24); // A24 = (A+2)/4 - - // Initializing points - fp2copy(xQ, &R0->X); - fpcopy((const digit_t*)&Montgomery_one, (digit_t*)R0->Z.e); - fp2copy(xPQ, &R2->X); - fpcopy((const digit_t*)&Montgomery_one, (digit_t*)R2->Z.e); - fp2copy(xP, &R->X); - fpcopy((const digit_t*)&Montgomery_one, (digit_t*)R->Z.e); - fpzero((digit_t*)(R->Z.e)[1]); - - // Main loop - for (i = 0; i < nbits; i++) { - int bit = (m[i >> LOG2RADIX] >> (i & (RADIX-1))) & 1; - int swap = bit ^ prevbit; - prevbit = bit; - digit_t mask = 0 - (digit_t)swap; - - swap_points(R, R2, mask); - xDBLADD(R0, R2, &R->X, A24); - fp2mul_mont(&R2->X, &R->Z, &R2->X); - } -} - -void xTPL_fast(const point_proj_t P, point_proj_t Q, const f2elm_t *A2) -{ // Montgomery curve (E: y^2 = x^3 + A*x^2 + x) x-only tripling at a cost of 5M + 6S + 11A. - // Input : projective Montgomery x-coordinates P = (X:Z), where x=X/Z and Montgomery curve constant A/2. - // Output: projective Montgomery x-coordinates Q = 3*P = (X3:Z3). - f2elm_t _t1, _t2, _t3, _t4; - f2elm_t *t1=&_t1, *t2=&_t2, *t3=&_t3, *t4=&_t4; - - fp2sqr_mont(&P->X, t1); // t1 = x^2 - fp2sqr_mont(&P->Z, t2); // t2 = z^2 - fp2add(t1, t2, t3); // t3 = t1 + t2 - fp2add(&P->X, &P->Z, t4); // t4 = x + z - fp2sqr_mont(t4, t4); // t4 = t4^2 - fp2sub(t4, t3, t4); // t4 = t4 - t3 - fp2mul_mont(A2, t4, t4); // t4 = t4*A2 - fp2add(t3, t4, t4); // t4 = t4 + t3 - fp2sub(t1, t2, t3); // t3 = t1 - t2 - fp2sqr_mont(t3, t3); // t3 = t3^2 - fp2mul_mont(t1, t4, t1); // t1 = t1*t4 - fp2add(t1, t1, t1); // t1 = 2*t1 - fp2add(t1, t1, t1); // t1 = 4*t1 - fp2sub(t1, t3, t1); // t1 = t1 - t3 - fp2sqr_mont(t1, t1); // t1 = t1^2 - fp2mul_mont(t2, t4, t2); // t2 = t2*t4 - fp2add(t2, t2, t2); // t2 = 2*t2 - fp2add(t2, t2, t2); // t2 = 4*t2 - fp2sub(t2, t3, t2); // t2 = t2 - t3 - fp2sqr_mont(t2, t2); // t2 = t2^2 - fp2mul_mont(&P->X, t2, &Q->X); // x = x*t2 - fp2mul_mont(&P->Z, t1, &Q->Z); // z = z*t1 -} - - -void xTPLe_fast(point_proj_t P, point_proj_t Q, const f2elm_t *A2, int e) -{ // Computes [3^e](X:Z) on Montgomery curve with projective constant via e repeated triplings. e triplings in E costs e*(5M + 6S + 11A) - // Input: projective Montgomery x-coordinates P = (X:Z), where x=X/Z, Montgomery curve constant A2 = A/2 and the number of triplings e. - // Output: projective Montgomery x-coordinates Q <- [3^e]P. - - copy_words((digit_t*)P, (digit_t*)Q, 2 * 2 * NWORDS_FIELD); - - for (int i = 0; i < e; i++) { - xTPL_fast(Q, Q, A2); - } -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/sike_r1/fips202_r1.c b/contrib/restricted/aws/s2n/pq-crypto/sike_r1/fips202_r1.c deleted file mode 100644 index 2a5ee4494e..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/sike_r1/fips202_r1.c +++ /dev/null @@ -1,429 +0,0 @@ -/******************************************************************************************** -* SHA3-derived functions: SHAKE and cSHAKE -* -* Based on the public domain implementation in crypto_hash/keccakc512/simple/ -* from http://bench.cr.yp.to/supercop.html by Ronny Van Keer -* and the public domain "TweetFips202" implementation from https://twitter.com/tweetfips202 -* by Gilles Van Assche, Daniel J. Bernstein, and Peter Schwabe -* -* See NIST Special Publication 800-185 for more information: -* http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-185.pdf -* -*********************************************************************************************/ - -#include <stdint.h> -#include <assert.h> -#include "fips202_r1.h" - -#define NROUNDS 24 -#define ROL(a, offset) ((a << offset) ^ (a >> (64-offset))) - - -static uint64_t load64(const unsigned char *x) -{ - unsigned long long r = 0, i; - - for (i = 0; i < 8; ++i) { - r |= (unsigned long long)x[i] << 8 * i; - } - return r; -} - - -static void store64(uint8_t *x, uint64_t u) -{ - unsigned int i; - - for (i = 0; i < 8; ++i) { - x[i] = u; - u >>= 8; - } -} - - -static const uint64_t KeccakF_RoundConstants[NROUNDS] = -{ - (uint64_t)0x0000000000000001ULL, - (uint64_t)0x0000000000008082ULL, - (uint64_t)0x800000000000808aULL, - (uint64_t)0x8000000080008000ULL, - (uint64_t)0x000000000000808bULL, - (uint64_t)0x0000000080000001ULL, - (uint64_t)0x8000000080008081ULL, - (uint64_t)0x8000000000008009ULL, - (uint64_t)0x000000000000008aULL, - (uint64_t)0x0000000000000088ULL, - (uint64_t)0x0000000080008009ULL, - (uint64_t)0x000000008000000aULL, - (uint64_t)0x000000008000808bULL, - (uint64_t)0x800000000000008bULL, - (uint64_t)0x8000000000008089ULL, - (uint64_t)0x8000000000008003ULL, - (uint64_t)0x8000000000008002ULL, - (uint64_t)0x8000000000000080ULL, - (uint64_t)0x000000000000800aULL, - (uint64_t)0x800000008000000aULL, - (uint64_t)0x8000000080008081ULL, - (uint64_t)0x8000000000008080ULL, - (uint64_t)0x0000000080000001ULL, - (uint64_t)0x8000000080008008ULL -}; - - -void KeccakF1600_StatePermute(uint64_t * state) -{ - int round; - - uint64_t Aba, Abe, Abi, Abo, Abu; - uint64_t Aga, Age, Agi, Ago, Agu; - uint64_t Aka, Ake, Aki, Ako, Aku; - uint64_t Ama, Ame, Ami, Amo, Amu; - uint64_t Asa, Ase, Asi, Aso, Asu; - uint64_t BCa, BCe, BCi, BCo, BCu; - - //copyFromState(A, state) - Aba = state[ 0]; - Abe = state[ 1]; - Abi = state[ 2]; - Abo = state[ 3]; - Abu = state[ 4]; - Aga = state[ 5]; - Age = state[ 6]; - Agi = state[ 7]; - Ago = state[ 8]; - Agu = state[ 9]; - Aka = state[10]; - Ake = state[11]; - Aki = state[12]; - Ako = state[13]; - Aku = state[14]; - Ama = state[15]; - Ame = state[16]; - Ami = state[17]; - Amo = state[18]; - Amu = state[19]; - Asa = state[20]; - Ase = state[21]; - Asi = state[22]; - Aso = state[23]; - Asu = state[24]; - - for( round = 0; round < NROUNDS; round += 2 ) { - uint64_t Da, De, Di, Do, Du; - uint64_t Eba, Ebe, Ebi, Ebo, Ebu; - uint64_t Ega, Ege, Egi, Ego, Egu; - uint64_t Eka, Eke, Eki, Eko, Eku; - uint64_t Ema, Eme, Emi, Emo, Emu; - uint64_t Esa, Ese, Esi, Eso, Esu; - - // prepareTheta - BCa = Aba^Aga^Aka^Ama^Asa; - BCe = Abe^Age^Ake^Ame^Ase; - BCi = Abi^Agi^Aki^Ami^Asi; - BCo = Abo^Ago^Ako^Amo^Aso; - BCu = Abu^Agu^Aku^Amu^Asu; - - //thetaRhoPiChiIotaPrepareTheta(round , A, E) - Da = BCu^ROL(BCe, 1); - De = BCa^ROL(BCi, 1); - Di = BCe^ROL(BCo, 1); - Do = BCi^ROL(BCu, 1); - Du = BCo^ROL(BCa, 1); - - Aba ^= Da; - BCa = Aba; - Age ^= De; - BCe = ROL(Age, 44); - Aki ^= Di; - BCi = ROL(Aki, 43); - Amo ^= Do; - BCo = ROL(Amo, 21); - Asu ^= Du; - BCu = ROL(Asu, 14); - Eba = BCa ^((~BCe)& BCi ); - Eba ^= (uint64_t)KeccakF_RoundConstants[round]; - Ebe = BCe ^((~BCi)& BCo ); - Ebi = BCi ^((~BCo)& BCu ); - Ebo = BCo ^((~BCu)& BCa ); - Ebu = BCu ^((~BCa)& BCe ); - - Abo ^= Do; - BCa = ROL(Abo, 28); - Agu ^= Du; - BCe = ROL(Agu, 20); - Aka ^= Da; - BCi = ROL(Aka, 3); - Ame ^= De; - BCo = ROL(Ame, 45); - Asi ^= Di; - BCu = ROL(Asi, 61); - Ega = BCa ^((~BCe)& BCi ); - Ege = BCe ^((~BCi)& BCo ); - Egi = BCi ^((~BCo)& BCu ); - Ego = BCo ^((~BCu)& BCa ); - Egu = BCu ^((~BCa)& BCe ); - - Abe ^= De; - BCa = ROL(Abe, 1); - Agi ^= Di; - BCe = ROL(Agi, 6); - Ako ^= Do; - BCi = ROL(Ako, 25); - Amu ^= Du; - BCo = ROL(Amu, 8); - Asa ^= Da; - BCu = ROL(Asa, 18); - Eka = BCa ^((~BCe)& BCi ); - Eke = BCe ^((~BCi)& BCo ); - Eki = BCi ^((~BCo)& BCu ); - Eko = BCo ^((~BCu)& BCa ); - Eku = BCu ^((~BCa)& BCe ); - - Abu ^= Du; - BCa = ROL(Abu, 27); - Aga ^= Da; - BCe = ROL(Aga, 36); - Ake ^= De; - BCi = ROL(Ake, 10); - Ami ^= Di; - BCo = ROL(Ami, 15); - Aso ^= Do; - BCu = ROL(Aso, 56); - Ema = BCa ^((~BCe)& BCi ); - Eme = BCe ^((~BCi)& BCo ); - Emi = BCi ^((~BCo)& BCu ); - Emo = BCo ^((~BCu)& BCa ); - Emu = BCu ^((~BCa)& BCe ); - - Abi ^= Di; - BCa = ROL(Abi, 62); - Ago ^= Do; - BCe = ROL(Ago, 55); - Aku ^= Du; - BCi = ROL(Aku, 39); - Ama ^= Da; - BCo = ROL(Ama, 41); - Ase ^= De; - BCu = ROL(Ase, 2); - Esa = BCa ^((~BCe)& BCi ); - Ese = BCe ^((~BCi)& BCo ); - Esi = BCi ^((~BCo)& BCu ); - Eso = BCo ^((~BCu)& BCa ); - Esu = BCu ^((~BCa)& BCe ); - - // prepareTheta - BCa = Eba^Ega^Eka^Ema^Esa; - BCe = Ebe^Ege^Eke^Eme^Ese; - BCi = Ebi^Egi^Eki^Emi^Esi; - BCo = Ebo^Ego^Eko^Emo^Eso; - BCu = Ebu^Egu^Eku^Emu^Esu; - - //thetaRhoPiChiIotaPrepareTheta(round+1, E, A) - Da = BCu^ROL(BCe, 1); - De = BCa^ROL(BCi, 1); - Di = BCe^ROL(BCo, 1); - Do = BCi^ROL(BCu, 1); - Du = BCo^ROL(BCa, 1); - - Eba ^= Da; - BCa = Eba; - Ege ^= De; - BCe = ROL(Ege, 44); - Eki ^= Di; - BCi = ROL(Eki, 43); - Emo ^= Do; - BCo = ROL(Emo, 21); - Esu ^= Du; - BCu = ROL(Esu, 14); - Aba = BCa ^((~BCe)& BCi ); - Aba ^= (uint64_t)KeccakF_RoundConstants[round+1]; - Abe = BCe ^((~BCi)& BCo ); - Abi = BCi ^((~BCo)& BCu ); - Abo = BCo ^((~BCu)& BCa ); - Abu = BCu ^((~BCa)& BCe ); - - Ebo ^= Do; - BCa = ROL(Ebo, 28); - Egu ^= Du; - BCe = ROL(Egu, 20); - Eka ^= Da; - BCi = ROL(Eka, 3); - Eme ^= De; - BCo = ROL(Eme, 45); - Esi ^= Di; - BCu = ROL(Esi, 61); - Aga = BCa ^((~BCe)& BCi ); - Age = BCe ^((~BCi)& BCo ); - Agi = BCi ^((~BCo)& BCu ); - Ago = BCo ^((~BCu)& BCa ); - Agu = BCu ^((~BCa)& BCe ); - - Ebe ^= De; - BCa = ROL(Ebe, 1); - Egi ^= Di; - BCe = ROL(Egi, 6); - Eko ^= Do; - BCi = ROL(Eko, 25); - Emu ^= Du; - BCo = ROL(Emu, 8); - Esa ^= Da; - BCu = ROL(Esa, 18); - Aka = BCa ^((~BCe)& BCi ); - Ake = BCe ^((~BCi)& BCo ); - Aki = BCi ^((~BCo)& BCu ); - Ako = BCo ^((~BCu)& BCa ); - Aku = BCu ^((~BCa)& BCe ); - - Ebu ^= Du; - BCa = ROL(Ebu, 27); - Ega ^= Da; - BCe = ROL(Ega, 36); - Eke ^= De; - BCi = ROL(Eke, 10); - Emi ^= Di; - BCo = ROL(Emi, 15); - Eso ^= Do; - BCu = ROL(Eso, 56); - Ama = BCa ^((~BCe)& BCi ); - Ame = BCe ^((~BCi)& BCo ); - Ami = BCi ^((~BCo)& BCu ); - Amo = BCo ^((~BCu)& BCa ); - Amu = BCu ^((~BCa)& BCe ); - - Ebi ^= Di; - BCa = ROL(Ebi, 62); - Ego ^= Do; - BCe = ROL(Ego, 55); - Eku ^= Du; - BCi = ROL(Eku, 39); - Ema ^= Da; - BCo = ROL(Ema, 41); - Ese ^= De; - BCu = ROL(Ese, 2); - Asa = BCa ^((~BCe)& BCi ); - Ase = BCe ^((~BCi)& BCo ); - Asi = BCi ^((~BCo)& BCu ); - Aso = BCo ^((~BCu)& BCa ); - Asu = BCu ^((~BCa)& BCe ); - } - - //copyToState(state, A) - state[ 0] = Aba; - state[ 1] = Abe; - state[ 2] = Abi; - state[ 3] = Abo; - state[ 4] = Abu; - state[ 5] = Aga; - state[ 6] = Age; - state[ 7] = Agi; - state[ 8] = Ago; - state[ 9] = Agu; - state[10] = Aka; - state[11] = Ake; - state[12] = Aki; - state[13] = Ako; - state[14] = Aku; - state[15] = Ama; - state[16] = Ame; - state[17] = Ami; - state[18] = Amo; - state[19] = Amu; - state[20] = Asa; - state[21] = Ase; - state[22] = Asi; - state[23] = Aso; - state[24] = Asu; - - #undef round -} - -#include <string.h> -#define MIN(a, b) ((a) < (b) ? (a) : (b)) - - -static void keccak_absorb(uint64_t *s, unsigned int r, const unsigned char *m, unsigned long long int mlen, unsigned char p) -{ - unsigned long long i; - unsigned char t[200]; - - while (mlen >= r) - { - for (i = 0; i < r / 8; ++i) - s[i] ^= load64(m + 8 * i); - - KeccakF1600_StatePermute(s); - mlen -= r; - m += r; - } - - for (i = 0; i < r; ++i) - t[i] = 0; - for (i = 0; i < mlen; ++i) - t[i] = m[i]; - t[i] = p; - t[r - 1] |= 128; - for (i = 0; i < r / 8; ++i) - s[i] ^= load64(t + 8 * i); -} - - -static void keccak_squeezeblocks(unsigned char *h, unsigned long long int nblocks, uint64_t *s, unsigned int r) -{ - unsigned int i; - - while(nblocks > 0) - { - KeccakF1600_StatePermute(s); - for (i = 0; i < (r>>3); i++) - { - store64(h+8*i, s[i]); - } - h += r; - nblocks--; - } -} - -/********** cSHAKE256 ***********/ - -void cshake256_simple_absorb(uint64_t s[25], uint16_t cstm, const unsigned char *in, unsigned long long inlen) -{ - unsigned char *sep = (unsigned char*)s; - unsigned int i; - - for (i = 0; i < 25; i++) - s[i] = 0; - - /* Absorb customization (domain-separation) string */ - sep[0] = 0x01; - sep[1] = 0x88; - sep[2] = 0x01; - sep[3] = 0x00; - sep[4] = 0x01; - sep[5] = 16; // fixed bitlen of cstm - sep[6] = cstm & 0xff; - sep[7] = cstm >> 8; - - KeccakF1600_StatePermute(s); - - /* Absorb input */ - keccak_absorb(s, SHAKE256_RATE, in, inlen, 0x04); -} - -void cshake256_simple(unsigned char *output, unsigned long long outlen, uint16_t cstm, const unsigned char *in, unsigned long long inlen) -{ - uint64_t s[25]; - unsigned char t[SHAKE256_RATE]; - - cshake256_simple_absorb(s, cstm, in, inlen); - - /* Squeeze output */ - keccak_squeezeblocks(output, outlen/SHAKE256_RATE, s, SHAKE256_RATE); - output += (outlen/SHAKE256_RATE)*SHAKE256_RATE; - - if(outlen%SHAKE256_RATE) - { - keccak_squeezeblocks(t, 1, s, SHAKE256_RATE); - for (unsigned int i = 0; i < outlen%SHAKE256_RATE; i++) - output[i] = t[i]; - } -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/sike_r1/fips202_r1.h b/contrib/restricted/aws/s2n/pq-crypto/sike_r1/fips202_r1.h deleted file mode 100644 index 983537c2ca..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/sike_r1/fips202_r1.h +++ /dev/null @@ -1,13 +0,0 @@ -#ifndef FIPS202_R1_H -#define FIPS202_R1_H - -#include "sike_r1_namespace.h" -#include <stdint.h> - -#define SHAKE128_RATE 168 -#define SHAKE256_RATE 136 - -void cshake256_simple_absorb(uint64_t s[25], uint16_t cstm, const unsigned char *in, unsigned long long inlen); -void cshake256_simple(unsigned char *output, unsigned long long outlen, uint16_t cstm, const unsigned char *in, unsigned long long inlen); - -#endif // FIPS202_R1_H diff --git a/contrib/restricted/aws/s2n/pq-crypto/sike_r1/fp_generic_r1.c b/contrib/restricted/aws/s2n/pq-crypto/sike_r1/fp_generic_r1.c deleted file mode 100644 index 4a35a81f7f..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/sike_r1/fp_generic_r1.c +++ /dev/null @@ -1,225 +0,0 @@ -/******************************************************************************************** -* Supersingular Isogeny Key Encapsulation Library -* -* Abstract: portable modular arithmetic for P503 -*********************************************************************************************/ - -#include "sike_r1_namespace.h" -#include "P503_internal_r1.h" - -// Global constants -extern const uint64_t p503[NWORDS_FIELD]; -extern const uint64_t p503p1[NWORDS_FIELD]; -extern const uint64_t p503x2[NWORDS_FIELD]; - -void fpadd503(const digit_t* a, const digit_t* b, digit_t* c) -{ // Modular addition, c = a+b mod p503. - // Inputs: a, b in [0, 2*p503-1] - // Output: c in [0, 2*p503-1] - unsigned int i, carry = 0; - digit_t mask; - - for (i = 0; i < NWORDS_FIELD; i++) { - ADDC(carry, a[i], b[i], carry, c[i]); - } - - carry = 0; - for (i = 0; i < NWORDS_FIELD; i++) { - SUBC(carry, c[i], ((const digit_t*)p503x2)[i], carry, c[i]); - } - mask = 0 - (digit_t)carry; - - carry = 0; - for (i = 0; i < NWORDS_FIELD; i++) { - ADDC(carry, c[i], ((const digit_t*)p503x2)[i] & mask, carry, c[i]); - } -} - - -void fpsub503(const digit_t* a, const digit_t* b, digit_t* c) -{ // Modular subtraction, c = a-b mod p503. - // Inputs: a, b in [0, 2*p503-1] - // Output: c in [0, 2*p503-1] - unsigned int i, borrow = 0; - digit_t mask; - - for (i = 0; i < NWORDS_FIELD; i++) { - SUBC(borrow, a[i], b[i], borrow, c[i]); - } - mask = 0 - (digit_t)borrow; - - borrow = 0; - for (i = 0; i < NWORDS_FIELD; i++) { - ADDC(borrow, c[i], ((const digit_t*)p503x2)[i] & mask, borrow, c[i]); - } -} - - -void fpneg503(digit_t* a) -{ // Modular negation, a = -a mod p503. - // Input/output: a in [0, 2*p503-1] - unsigned int i, borrow = 0; - - for (i = 0; i < NWORDS_FIELD; i++) { - SUBC(borrow, ((const digit_t*)p503x2)[i], a[i], borrow, a[i]); - } -} - - -void fpdiv2_503(const digit_t* a, digit_t* c) -{ // Modular division by two, c = a/2 mod p503. - // Input : a in [0, 2*p503-1] - // Output: c in [0, 2*p503-1] - unsigned int i, carry = 0; - digit_t mask; - - mask = 0 - (digit_t)(a[0] & 1); // If a is odd compute a+p503 - for (i = 0; i < NWORDS_FIELD; i++) { - ADDC(carry, a[i], ((const digit_t*)p503)[i] & mask, carry, c[i]); - } - - mp_shiftr1(c, NWORDS_FIELD); -} - - -void fpcorrection503(digit_t* a) -{ // Modular correction to reduce field element a in [0, 2*p503-1] to [0, p503-1]. - unsigned int i, borrow = 0; - digit_t mask; - - for (i = 0; i < NWORDS_FIELD; i++) { - SUBC(borrow, a[i], ((const digit_t*)p503)[i], borrow, a[i]); - } - mask = 0 - (digit_t)borrow; - - borrow = 0; - for (i = 0; i < NWORDS_FIELD; i++) { - ADDC(borrow, a[i], ((const digit_t*)p503)[i] & mask, borrow, a[i]); - } -} - - -void digit_x_digit(const digit_t a, const digit_t b, digit_t* c) -{ // Digit multiplication, digit * digit -> 2-digit result - register digit_t al, ah, bl, bh, temp; - digit_t albl, albh, ahbl, ahbh, res1, res2, res3, carry; - digit_t mask_low = (digit_t)(-1) >> (sizeof(digit_t)*4), mask_high = (digit_t)(-1) << (sizeof(digit_t)*4); - - al = a & mask_low; // Low part - ah = a >> (sizeof(digit_t) * 4); // High part - bl = b & mask_low; - bh = b >> (sizeof(digit_t) * 4); - - albl = al*bl; - albh = al*bh; - ahbl = ah*bl; - ahbh = ah*bh; - c[0] = albl & mask_low; // C00 - - res1 = albl >> (sizeof(digit_t) * 4); - res2 = ahbl & mask_low; - res3 = albh & mask_low; - temp = res1 + res2 + res3; - carry = temp >> (sizeof(digit_t) * 4); - c[0] ^= temp << (sizeof(digit_t) * 4); // C01 - - res1 = ahbl >> (sizeof(digit_t) * 4); - res2 = albh >> (sizeof(digit_t) * 4); - res3 = ahbh & mask_low; - temp = res1 + res2 + res3 + carry; - c[1] = temp & mask_low; // C10 - carry = temp & mask_high; - c[1] ^= (ahbh & mask_high) + carry; // C11 -} - - -void mp_mul(const digit_t* a, const digit_t* b, digit_t* c, const unsigned int nwords) -{ // Multiprecision comba multiply, c = a*b, where lng(a) = lng(b) = nwords. - unsigned int i, j, carry; - digit_t t = 0, u = 0, v = 0, UV[2]; - - for (i = 0; i < nwords; i++) { - for (j = 0; j <= i; j++) { - MUL(a[j], b[i-j], UV+1, UV[0]); - ADDC(0, UV[0], v, carry, v); - ADDC(carry, UV[1], u, carry, u); - t += carry; - } - c[i] = v; - v = u; - u = t; - t = 0; - } - - for (i = nwords; i < 2*nwords-1; i++) { - for (j = i-nwords+1; j < nwords; j++) { - MUL(a[j], b[i-j], UV+1, UV[0]); - ADDC(0, UV[0], v, carry, v); - ADDC(carry, UV[1], u, carry, u); - t += carry; - } - c[i] = v; - v = u; - u = t; - t = 0; - } - c[2*nwords-1] = v; -} - - -void rdc_mont(const dfelm_t ma, felm_t mc) -{ // Efficient Montgomery reduction using comba and exploiting the special form of the prime p503. - // mc = ma*R^-1 mod p503x2, where R = 2^512. - // If ma < 2^512*p503, the output mc is in the range [0, 2*p503-1]. - // ma is assumed to be in Montgomery representation. - unsigned int i, j, carry, count = p503_ZERO_WORDS; - digit_t UV[2], t = 0, u = 0, v = 0; - - for (i = 0; i < NWORDS_FIELD; i++) { - mc[i] = 0; - } - - for (i = 0; i < NWORDS_FIELD; i++) { - for (j = 0; j < i; j++) { - if (j < (i-p503_ZERO_WORDS+1)) { - MUL(mc[j], ((const digit_t*)p503p1)[i-j], UV+1, UV[0]); - ADDC(0, UV[0], v, carry, v); - ADDC(carry, UV[1], u, carry, u); - t += carry; - } - } - ADDC(0, v, ma[i], carry, v); - ADDC(carry, u, 0, carry, u); - t += carry; - mc[i] = v; - v = u; - u = t; - t = 0; - } - - for (i = NWORDS_FIELD; i < 2*NWORDS_FIELD-1; i++) { - if (count > 0) { - count -= 1; - } - for (j = i-NWORDS_FIELD+1; j < NWORDS_FIELD; j++) { - if (j < (NWORDS_FIELD-count)) { - MUL(mc[j], ((const digit_t*)p503p1)[i-j], UV+1, UV[0]); - ADDC(0, UV[0], v, carry, v); - ADDC(carry, UV[1], u, carry, u); - t += carry; - } - } - ADDC(0, v, ma[i], carry, v); - ADDC(carry, u, 0, carry, u); - t += carry; - mc[i-NWORDS_FIELD] = v; - v = u; - u = t; - t = 0; - } - - /* `carry` isn't read after this, but it's still a necessary argument to the macro */ - /* cppcheck-suppress unreadVariable */ - ADDC(0, v, ma[2*NWORDS_FIELD-1], carry, v); - mc[NWORDS_FIELD-1] = v; -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/sike_r1/fpx_r1.c b/contrib/restricted/aws/s2n/pq-crypto/sike_r1/fpx_r1.c deleted file mode 100644 index 82ae6cfceb..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/sike_r1/fpx_r1.c +++ /dev/null @@ -1,367 +0,0 @@ -/******************************************************************************************** -* Supersingular Isogeny Key Encapsulation Library -* -* Abstract: core functions over GF(p) and GF(p^2) -*********************************************************************************************/ - -#include "sike_r1_namespace.h" -#include "P503_internal_r1.h" - -__inline void fpcopy(const felm_t a, felm_t c) -{ // Copy a field element, c = a. - unsigned int i; - - for (i = 0; i < NWORDS_FIELD; i++) - c[i] = a[i]; -} - - -__inline void fpzero(felm_t a) -{ // Zero a field element, a = 0. - unsigned int i; - - for (i = 0; i < NWORDS_FIELD; i++) - a[i] = 0; -} - - -void to_mont(const felm_t a, felm_t mc) -{ // Conversion to Montgomery representation, - // mc = a*R^2*R^(-1) mod p = a*R mod p, where a in [0, p-1]. - // The Montgomery constant R^2 mod p is the global value "Montgomery_R2". - - fpmul_mont(a, (const digit_t*)&Montgomery_R2, mc); -} - - -void from_mont(const felm_t ma, felm_t c) -{ // Conversion from Montgomery representation to standard representation, - // c = ma*R^(-1) mod p = a mod p, where ma in [0, p-1]. - digit_t one[NWORDS_FIELD] = {0}; - - one[0] = 1; - fpmul_mont(ma, one, c); - fpcorrection(c); -} - - -void copy_words(const digit_t* a, digit_t* c, const unsigned int nwords) -{ // Copy wordsize digits, c = a, where lng(a) = nwords. - unsigned int i; - - for (i = 0; i < nwords; i++) { - c[i] = a[i]; - } -} - - -void fpmul_mont(const felm_t ma, const felm_t mb, felm_t mc) -{ // Multiprecision multiplication, c = a*b mod p. - dfelm_t temp = {0}; - - mp_mul(ma, mb, temp, NWORDS_FIELD); - rdc_mont(temp, mc); -} - - -void fpsqr_mont(const felm_t ma, felm_t mc) -{ // Multiprecision squaring, c = a^2 mod p. - dfelm_t temp = {0}; - - mp_mul(ma, ma, temp, NWORDS_FIELD); - rdc_mont(temp, mc); -} - - -void fpinv_mont(felm_t a) -{ // Field inversion using Montgomery arithmetic, a = a^(-1)*R mod p. - felm_t tt; - - fpcopy(a, tt); - fpinv_chain_mont(tt); - fpsqr_mont(tt, tt); - fpsqr_mont(tt, tt); - fpmul_mont(a, tt, a); -} - - -void fp2copy(const f2elm_t *a, f2elm_t *c) -{ // Copy a GF(p^2) element, c = a. - fpcopy(a->e[0], c->e[0]); - fpcopy(a->e[1], c->e[1]); -} - -void fp2neg(f2elm_t *a) -{ // GF(p^2) negation, a = -a in GF(p^2). - fpneg(a->e[0]); - fpneg(a->e[1]); -} - - -__inline void fp2add(const f2elm_t *a, const f2elm_t *b, f2elm_t *c) -{ // GF(p^2) addition, c = a+b in GF(p^2). - fpadd(a->e[0], b->e[0], c->e[0]); - fpadd(a->e[1], b->e[1], c->e[1]); -} - - -__inline void fp2sub(const f2elm_t *a, const f2elm_t *b, f2elm_t *c) -{ // GF(p^2) subtraction, c = a-b in GF(p^2). - fpsub(a->e[0], b->e[0], c->e[0]); - fpsub(a->e[1], b->e[1], c->e[1]); -} - - -void fp2div2(const f2elm_t *a, f2elm_t *c) -{ // GF(p^2) division by two, c = a/2 in GF(p^2). - fpdiv2(a->e[0], c->e[0]); - fpdiv2(a->e[1], c->e[1]); -} - - -void fp2correction(f2elm_t *a) -{ // Modular correction, a = a in GF(p^2). - fpcorrection(a->e[0]); - fpcorrection(a->e[1]); -} - - -__inline static void mp_addfast(const digit_t* a, const digit_t* b, digit_t* c) -{ // Multiprecision addition, c = a+b. - - mp_add(a, b, c, NWORDS_FIELD); -} - - -__inline static void mp_addfastx2(const digit_t* a, const digit_t* b, digit_t* c) -{ // Double-length multiprecision addition, c = a+b. - - mp_add(a, b, c, 2*NWORDS_FIELD); -} - - -void fp2sqr_mont(const f2elm_t *a, f2elm_t *c) -{ // GF(p^2) squaring using Montgomery arithmetic, c = a^2 in GF(p^2). - // Inputs: a = a0+a1*i, where a0, a1 are in [0, 2*p-1] - // Output: c = c0+c1*i, where c0, c1 are in [0, 2*p-1] - felm_t t1, t2, t3; - - mp_addfast(a->e[0], a->e[1], t1); // t1 = a0+a1 - fpsub(a->e[0], a->e[1], t2); // t2 = a0-a1 - mp_addfast(a->e[0], a->e[0], t3); // t3 = 2a0 - fpmul_mont(t1, t2, c->e[0]); // c0 = (a0+a1)(a0-a1) - fpmul_mont(t3, a->e[1], c->e[1]); // c1 = 2a0*a1 -} - - -unsigned int mp_sub(const digit_t* a, const digit_t* b, digit_t* c, const unsigned int nwords) -{ // Multiprecision subtraction, c = a-b, where lng(a) = lng(b) = nwords. Returns the borrow bit. - unsigned int i, borrow = 0; - - for (i = 0; i < nwords; i++) { - SUBC(borrow, a[i], b[i], borrow, c[i]); - } - - return borrow; -} - - -__inline static digit_t mp_subfast(const digit_t* a, const digit_t* b, digit_t* c) -{ // Multiprecision subtraction, c = a-b, where lng(a) = lng(b) = 2*NWORDS_FIELD. - // If c < 0 then returns mask = 0xFF..F, else mask = 0x00..0 - - return (0 - (digit_t)mp_sub(a, b, c, 2*NWORDS_FIELD)); -} - - -void fp2mul_mont(const f2elm_t *a, const f2elm_t *b, f2elm_t *c) -{ // GF(p^2) multiplication using Montgomery arithmetic, c = a*b in GF(p^2). - // Inputs: a = a0+a1*i and b = b0+b1*i, where a0, a1, b0, b1 are in [0, 2*p-1] - // Output: c = c0+c1*i, where c0, c1 are in [0, 2*p-1] - felm_t t1, t2; - dfelm_t tt1, tt2, tt3; - digit_t mask; - unsigned int i, borrow = 0; - - mp_mul(a->e[0], b->e[0], tt1, NWORDS_FIELD); // tt1 = a0*b0 - mp_mul(a->e[1], b->e[1], tt2, NWORDS_FIELD); // tt2 = a1*b1 - mp_addfast(a->e[0], a->e[1], t1); // t1 = a0+a1 - mp_addfast(b->e[0], b->e[1], t2); // t2 = b0+b1 - mask = mp_subfast(tt1, tt2, tt3); // tt3 = a0*b0 - a1*b1. If tt3 < 0 then mask = 0xFF..F, else if tt3 >= 0 then mask = 0x00..0 - for (i = 0; i < NWORDS_FIELD; i++) { - ADDC(borrow, tt3[NWORDS_FIELD+i], ((const digit_t*)PRIME)[i] & mask, borrow, tt3[NWORDS_FIELD+i]); - } - rdc_mont(tt3, c->e[0]); // c[0] = a0*b0 - a1*b1 - mp_addfastx2(tt1, tt2, tt1); // tt1 = a0*b0 + a1*b1 - mp_mul(t1, t2, tt2, NWORDS_FIELD); // tt2 = (a0+a1)*(b0+b1) - mp_subfast(tt2, tt1, tt2); // tt2 = (a0+a1)*(b0+b1) - a0*b0 - a1*b1 - rdc_mont(tt2, c->e[1]); // c[1] = (a0+a1)*(b0+b1) - a0*b0 - a1*b1 -} - - -void fpinv_chain_mont(felm_t a) -{ // Chain to compute a^(p-3)/4 using Montgomery arithmetic. - unsigned int i, j; - felm_t t[15], tt; - - // Precomputed table - fpsqr_mont(a, tt); - fpmul_mont(a, tt, t[0]); - for (i = 0; i <= 13; i++) fpmul_mont(t[i], tt, t[i+1]); - - fpcopy(a, tt); - for (i = 0; i < 8; i++) fpsqr_mont(tt, tt); - fpmul_mont(a, tt, tt); - for (i = 0; i < 5; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[8], tt, tt); - for (i = 0; i < 5; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[6], tt, tt); - for (i = 0; i < 6; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[9], tt, tt); - for (i = 0; i < 7; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[0], tt, tt); - for (i = 0; i < 7; i++) fpsqr_mont(tt, tt); - fpmul_mont(a, tt, tt); - for (i = 0; i < 7; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[6], tt, tt); - for (i = 0; i < 7; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[2], tt, tt); - for (i = 0; i < 5; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[8], tt, tt); - for (i = 0; i < 7; i++) fpsqr_mont(tt, tt); - fpmul_mont(a, tt, tt); - for (i = 0; i < 8; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[10], tt, tt); - for (i = 0; i < 5; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[0], tt, tt); - for (i = 0; i < 6; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[10], tt, tt); - for (i = 0; i < 5; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[10], tt, tt); - for (i = 0; i < 5; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[5], tt, tt); - for (i = 0; i < 5; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[2], tt, tt); - for (i = 0; i < 5; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[6], tt, tt); - for (i = 0; i < 5; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[3], tt, tt); - for (i = 0; i < 6; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[5], tt, tt); - for (i = 0; i < 12; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[12], tt, tt); - for (i = 0; i < 5; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[8], tt, tt); - for (i = 0; i < 5; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[6], tt, tt); - for (i = 0; i < 5; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[12], tt, tt); - for (i = 0; i < 6; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[11], tt, tt); - for (i = 0; i < 8; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[6], tt, tt); - for (i = 0; i < 5; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[5], tt, tt); - for (i = 0; i < 5; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[14], tt, tt); - for (i = 0; i < 7; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[14], tt, tt); - for (i = 0; i < 5; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[5], tt, tt); - for (i = 0; i < 5; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[6], tt, tt); - for (i = 0; i < 8; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[8], tt, tt); - for (i = 0; i < 5; i++) fpsqr_mont(tt, tt); - fpmul_mont(a, tt, tt); - for (i = 0; i < 8; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[4], tt, tt); - for (i = 0; i < 5; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[6], tt, tt); - for (i = 0; i < 5; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[5], tt, tt); - for (i = 0; i < 8; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[7], tt, tt); - for (i = 0; i < 5; i++) fpsqr_mont(tt, tt); - fpmul_mont(a, tt, tt); - for (i = 0; i < 5; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[0], tt, tt); - for (i = 0; i < 5; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[11], tt, tt); - for (i = 0; i < 5; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[13], tt, tt); - for (i = 0; i < 8; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[1], tt, tt); - for (i = 0; i < 6; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[10], tt, tt); - for (j = 0; j < 49; j++) { - for (i = 0; i < 5; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[14], tt, tt); - } - fpcopy(tt, a); -} - - -void fp2inv_mont(f2elm_t *a) -{// GF(p^2) inversion using Montgomery arithmetic, a = (a0-i*a1)/(a0^2+a1^2). - f2elm_t t1; - - fpsqr_mont(a->e[0], t1.e[0]); // t10 = a0^2 - fpsqr_mont(a->e[1], t1.e[1]); // t11 = a1^2 - fpadd(t1.e[0], t1.e[1], t1.e[0]); // t10 = a0^2+a1^2 - fpinv_mont(t1.e[0]); // t10 = (a0^2+a1^2)^-1 - fpneg(a->e[1]); // a = a0-i*a1 - fpmul_mont(a->e[0], t1.e[0], a->e[0]); - fpmul_mont(a->e[1], t1.e[0], a->e[1]); // a = (a0-i*a1)*(a0^2+a1^2)^-1 -} - - -void to_fp2mont(const f2elm_t *a, f2elm_t *mc) -{ // Conversion of a GF(p^2) element to Montgomery representation, - // mc_i = a_i*R^2*R^(-1) = a_i*R in GF(p^2). - - to_mont(a->e[0], mc->e[0]); - to_mont(a->e[1], mc->e[1]); -} - - -void from_fp2mont(const f2elm_t *ma, f2elm_t *c) -{ // Conversion of a GF(p^2) element from Montgomery representation to standard representation, - // c_i = ma_i*R^(-1) = a_i in GF(p^2). - - from_mont(ma->e[0], c->e[0]); - from_mont(ma->e[1], c->e[1]); -} - -unsigned int is_felm_zero(const felm_t x) -{ // Is x = 0? return 1 (TRUE) if condition is true, 0 (FALSE) otherwise. - // SECURITY NOTE: This function does not run in constant-time. - - for (unsigned int i = 0; i < NWORDS_FIELD; i++) { - if (x[i] != 0) { - return 0; - } - } - return 1; -} - -unsigned int mp_add(const digit_t* a, const digit_t* b, digit_t* c, const unsigned int nwords) -{ // Multiprecision addition, c = a+b, where lng(a) = lng(b) = nwords. Returns the carry bit. - unsigned int i, carry = 0; - - for (i = 0; i < nwords; i++) { - ADDC(carry, a[i], b[i], carry, c[i]); - } - - return carry; -} - -void mp_shiftr1(digit_t* x, const unsigned int nwords) -{ // Multiprecision right shift by one. - unsigned int i; - - for (i = 0; i < nwords-1; i++) { - SHIFTR(x[i+1], x[i], 1, x[i], RADIX); - } - x[nwords-1] >>= 1; -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/sike_r1/sidh_r1.c b/contrib/restricted/aws/s2n/pq-crypto/sike_r1/sidh_r1.c deleted file mode 100644 index 3f49fa1461..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/sike_r1/sidh_r1.c +++ /dev/null @@ -1,377 +0,0 @@ -/******************************************************************************************** -* Supersingular Isogeny Key Encapsulation Library -* -* Abstract: ephemeral supersingular isogeny Diffie-Hellman key exchange (SIDH) -*********************************************************************************************/ - -#include "sike_r1_namespace.h" -#include "P503_internal_r1.h" -#include "pq-crypto/s2n_pq_random.h" -#include "utils/s2n_safety.h" - -static void clear_words(void* mem, digit_t nwords) -{ // Clear digits from memory. "nwords" indicates the number of digits to be zeroed. - // This function uses the volatile type qualifier to inform the compiler not to optimize out the memory clearing. - unsigned int i; - volatile digit_t *v = mem; - - for (i = 0; i < nwords; i++) { - v[i] = 0; - } -} - -static void init_basis(const digit_t *gen, f2elm_t *XP, f2elm_t *XQ, f2elm_t *XR) -{ // Initialization of basis points - - fpcopy(gen, XP->e[0]); - fpcopy(gen + NWORDS_FIELD, XP->e[1]); - fpcopy(gen + 2*NWORDS_FIELD, XQ->e[0]); - fpzero(XQ->e[1]); - fpcopy(gen + 3*NWORDS_FIELD, XR->e[0]); - fpcopy(gen + 4*NWORDS_FIELD, XR->e[1]); -} - - -static void fp2_encode(const f2elm_t *x, unsigned char *enc) -{ // Conversion of GF(p^2) element from Montgomery to standard representation, and encoding by removing leading 0 bytes - unsigned int i; - f2elm_t t; - - from_fp2mont(x, &t); - for (i = 0; i < FP2_ENCODED_BYTES / 2; i++) { - enc[i] = ((unsigned char*)t.e)[i]; - enc[i + FP2_ENCODED_BYTES / 2] = ((unsigned char*)t.e)[i + MAXBITS_FIELD / 8]; - } -} - - -static void fp2_decode(const unsigned char *enc, f2elm_t *x) -{ // Parse byte sequence back into GF(p^2) element, and conversion to Montgomery representation - unsigned int i; - - for (i = 0; i < 2*(MAXBITS_FIELD / 8); i++) ((unsigned char *)x->e)[i] = 0; - for (i = 0; i < FP2_ENCODED_BYTES / 2; i++) { - ((unsigned char*)x->e)[i] = enc[i]; - ((unsigned char*)x->e)[i + MAXBITS_FIELD / 8] = enc[i + FP2_ENCODED_BYTES / 2]; - } - to_fp2mont(x, x); -} - -int random_mod_order_B(unsigned char* random_digits) -{ // Generation of Bob's secret key - // Outputs random value in [0, 2^Floor(Log(2, oB)) - 1] - unsigned long long nbytes = NBITS_TO_NBYTES(OBOB_BITS-1); - - clear_words((void*)random_digits, MAXWORDS_ORDER); - POSIX_GUARD_RESULT(s2n_get_random_bytes(random_digits, nbytes)); - random_digits[nbytes-1] &= MASK_BOB; // Masking last byte - - return S2N_SUCCESS; -} - - -int EphemeralKeyGeneration_A(const digit_t* PrivateKeyA, unsigned char* PublicKeyA) -{ // Alice's ephemeral public key generation - // Input: a private key PrivateKeyA in the range [0, 2^eA - 1]. - // Output: the public key PublicKeyA consisting of 3 elements in GF(p^2) which are encoded by removing leading 0 bytes. - point_proj_t R, phiP = {0}, phiQ = {0}, phiR = {0}, pts[MAX_INT_POINTS_ALICE]; - f2elm_t _XPA, _XQA, _XRA, coeff[3], _A24plus = {0}, _C24 = {0}, _A = {0}; - f2elm_t *XPA=&_XPA, *XQA=&_XQA, *XRA=&_XRA, *A24plus=&_A24plus, *C24=&_C24, *A=&_A; - unsigned int i, row, m, index = 0, pts_index[MAX_INT_POINTS_ALICE], npts = 0, ii = 0; - - - // Initialize basis points - init_basis((const digit_t*)A_gen, XPA, XQA, XRA); - init_basis((const digit_t*)B_gen, &phiP->X, &phiQ->X, &phiR->X); - fpcopy((const digit_t*)&Montgomery_one, (phiP->Z.e)[0]); - fpcopy((const digit_t*)&Montgomery_one, (phiQ->Z.e)[0]); - fpcopy((const digit_t*)&Montgomery_one, (phiR->Z.e)[0]); - - // Initialize constants - fpcopy((const digit_t*)&Montgomery_one, A24plus->e[0]); - fp2add(A24plus, A24plus, C24); - - // Retrieve kernel point - LADDER3PT(XPA, XQA, XRA, PrivateKeyA, ALICE, R, A); - - // Traverse tree - index = 0; - for (row = 1; row < MAX_Alice; row++) { - while (index < MAX_Alice-row) { - fp2copy(&R->X, &pts[npts]->X); - fp2copy(&R->Z, &pts[npts]->Z); - pts_index[npts++] = index; - m = strat_Alice[ii++]; - xDBLe(R, R, A24plus, C24, (int)(2*m)); - index += m; - } - get_4_isog(R, A24plus, C24, coeff); - - for (i = 0; i < npts; i++) { - eval_4_isog(pts[i], coeff); - } - eval_4_isog(phiP, coeff); - eval_4_isog(phiQ, coeff); - eval_4_isog(phiR, coeff); - - fp2copy(&pts[npts-1]->X, &R->X); - fp2copy(&pts[npts-1]->Z, &R->Z); - index = pts_index[npts-1]; - npts -= 1; - } - - get_4_isog(R, A24plus, C24, coeff); - eval_4_isog(phiP, coeff); - eval_4_isog(phiQ, coeff); - eval_4_isog(phiR, coeff); - - inv_3_way(&phiP->Z, &phiQ->Z, &phiR->Z); - fp2mul_mont(&phiP->X, &phiP->Z, &phiP->X); - fp2mul_mont(&phiQ->X, &phiQ->Z, &phiQ->X); - fp2mul_mont(&phiR->X, &phiR->Z, &phiR->X); - - // Format public key - fp2_encode(&phiP->X, PublicKeyA); - fp2_encode(&phiQ->X, PublicKeyA + FP2_ENCODED_BYTES); - fp2_encode(&phiR->X, PublicKeyA + 2*FP2_ENCODED_BYTES); - - return S2N_SUCCESS; -} - - -int EphemeralKeyGeneration_B(const digit_t* PrivateKeyB, unsigned char* PublicKeyB) -{ // Bob's ephemeral public key generation - // Input: a private key PrivateKeyB in the range [0, 2^Floor(Log(2,oB)) - 1]. - // Output: the public key PublicKeyB consisting of 3 elements in GF(p^2) which are encoded by removing leading 0 bytes. - point_proj_t R, phiP = {0}, phiQ = {0}, phiR = {0}, pts[MAX_INT_POINTS_BOB]; - f2elm_t _XPB, _XQB, _XRB, coeff[3], _A24plus = {0}, _A24minus = {0}, _A = {0}; - f2elm_t *XPB=&_XPB, *XQB=&_XQB, *XRB=&_XRB, *A24plus=&_A24plus, *A24minus=&_A24minus, *A=&_A; - unsigned int i, row, m, index = 0, pts_index[MAX_INT_POINTS_BOB], npts = 0, ii = 0; - - // Initialize basis points - init_basis((const digit_t*)B_gen, XPB, XQB, XRB); - init_basis((const digit_t*)A_gen, &phiP->X, &phiQ->X, &phiR->X); - fpcopy((const digit_t*)&Montgomery_one, (phiP->Z.e)[0]); - fpcopy((const digit_t*)&Montgomery_one, (phiQ->Z.e)[0]); - fpcopy((const digit_t*)&Montgomery_one, (phiR->Z.e)[0]); - - // Initialize constants - fpcopy((const digit_t*)&Montgomery_one, A24plus->e[0]); - fp2add(A24plus, A24plus, A24plus); - fp2copy(A24plus, A24minus); - fp2neg(A24minus); - - // Retrieve kernel point - LADDER3PT(XPB, XQB, XRB, PrivateKeyB, BOB, R, A); - - // Traverse tree - index = 0; - for (row = 1; row < MAX_Bob; row++) { - while (index < MAX_Bob-row) { - fp2copy(&R->X, &pts[npts]->X); - fp2copy(&R->Z, &pts[npts]->Z); - pts_index[npts++] = index; - m = strat_Bob[ii++]; - xTPLe(R, R, A24minus, A24plus, (int)m); - index += m; - } - get_3_isog(R, A24minus, A24plus, coeff); - - for (i = 0; i < npts; i++) { - eval_3_isog(pts[i], coeff); - } - eval_3_isog(phiP, coeff); - eval_3_isog(phiQ, coeff); - eval_3_isog(phiR, coeff); - - fp2copy(&pts[npts-1]->X, &R->X); - fp2copy(&pts[npts-1]->Z, &R->Z); - index = pts_index[npts-1]; - npts -= 1; - } - - get_3_isog(R, A24minus, A24plus, coeff); - eval_3_isog(phiP, coeff); - eval_3_isog(phiQ, coeff); - eval_3_isog(phiR, coeff); - - inv_3_way(&phiP->Z, &phiQ->Z, &phiR->Z); - fp2mul_mont(&phiP->X, &phiP->Z, &phiP->X); - fp2mul_mont(&phiQ->X, &phiQ->Z, &phiQ->X); - fp2mul_mont(&phiR->X, &phiR->Z, &phiR->X); - - // Format public key - fp2_encode(&phiP->X, PublicKeyB); - fp2_encode(&phiQ->X, PublicKeyB + FP2_ENCODED_BYTES); - fp2_encode(&phiR->X, PublicKeyB + 2*FP2_ENCODED_BYTES); - - return S2N_SUCCESS; -} - - -int EphemeralSecretAgreement_A(const digit_t* PrivateKeyA, const unsigned char* PublicKeyB, unsigned char* SharedSecretA) -{ // Alice's ephemeral shared secret computation - // It produces a shared secret key SharedSecretA using her secret key PrivateKeyA and Bob's public key PublicKeyB - // Inputs: Alice's PrivateKeyA is an integer in the range [0, oA-1]. - // Bob's PublicKeyB consists of 3 elements in GF(p^2) encoded by removing leading 0 bytes. - // Output: a shared secret SharedSecretA that consists of one element in GF(p^2) encoded by removing leading 0 bytes. - point_proj_t R, pts[MAX_INT_POINTS_ALICE]; - f2elm_t coeff[3], PKB[3], _jinv; - f2elm_t _A24plus = {0}, _C24 = {0}, _A = {0}; - f2elm_t *jinv=&_jinv, *A24plus=&_A24plus, *C24=&_C24, *A=&_A; - unsigned int i, row, m, index = 0, pts_index[MAX_INT_POINTS_ALICE], npts = 0, ii = 0; - - // Initialize images of Bob's basis - fp2_decode(PublicKeyB, &PKB[0]); - fp2_decode(PublicKeyB + FP2_ENCODED_BYTES, &PKB[1]); - fp2_decode(PublicKeyB + 2*FP2_ENCODED_BYTES, &PKB[2]); - - // Initialize constants - get_A(&PKB[0], &PKB[1], &PKB[2], A); // TODO: Can return projective A? - fpadd((const digit_t*)&Montgomery_one, (const digit_t*)&Montgomery_one, C24->e[0]); - fp2add(A, C24, A24plus); - fpadd(C24->e[0], C24->e[0], C24->e[0]); - - // Retrieve kernel point - LADDER3PT(&PKB[0], &PKB[1], &PKB[2], PrivateKeyA, ALICE, R, A); - - // Traverse tree - index = 0; - for (row = 1; row < MAX_Alice; row++) { - while (index < MAX_Alice-row) { - fp2copy(&R->X, &pts[npts]->X); - fp2copy(&R->Z, &pts[npts]->Z); - pts_index[npts++] = index; - m = strat_Alice[ii++]; - xDBLe(R, R, A24plus, C24, (int)(2*m)); - index += m; - } - get_4_isog(R, A24plus, C24, coeff); - - for (i = 0; i < npts; i++) { - eval_4_isog(pts[i], coeff); - } - - fp2copy(&pts[npts-1]->X, &R->X); - fp2copy(&pts[npts-1]->Z, &R->Z); - index = pts_index[npts-1]; - npts -= 1; - } - - get_4_isog(R, A24plus, C24, coeff); - fp2div2(C24, C24); - fp2sub(A24plus, C24, A24plus); - fp2div2(C24, C24); - j_inv(A24plus, C24, jinv); - fp2_encode(jinv, SharedSecretA); // Format shared secret - - return S2N_SUCCESS; -} - -int sike_p503_r1_publickey_validation(const f2elm_t *PKB, const f2elm_t *A) -{ // Public key validation - point_proj_t P = { 0 }, Q = { 0 }; - f2elm_t _A2={0}, _tmp1={0}, _tmp2={0}; - f2elm_t *A2=&_A2, *tmp1=&_tmp1, *tmp2=&_tmp2; - - // Verify that P and Q generate E_A[3^e_3] by checking that [3^(e_3-1)]P != [+-3^(e_3-1)]Q - fp2div2(A, A2); - fp2copy(&PKB[0], &P->X); - fpcopy((const digit_t*)&Montgomery_one, (digit_t*)&P->Z); - fp2copy(&PKB[1], &Q->X); - fpcopy((const digit_t*)&Montgomery_one, (digit_t*)&Q->Z); - - xTPLe_fast(P, P, A2, MAX_Bob - 1); - xTPLe_fast(Q, Q, A2, MAX_Bob - 1); - fp2correction(&P->Z); - fp2correction(&Q->Z); - - if ((is_felm_zero((P->Z.e)[0]) && is_felm_zero((P->Z.e)[1])) || (is_felm_zero((Q->Z.e)[0]) && is_felm_zero((Q->Z.e)[1]))) { - return 1; - } - - fp2mul_mont(&P->X, &Q->Z, tmp1); - fp2mul_mont(&P->Z, &Q->X, tmp2); - fp2correction(tmp1); - fp2correction(tmp2); - - if (memcmp((uint8_t*)tmp1, (uint8_t*)tmp2, FP2_ENCODED_BYTES) == 0) { - return 1; - } - - // Check that Ord(P) = Ord(Q) = 3^(e_3) - xTPL_fast(P, P, A2); - xTPL_fast(Q, Q, A2); - fp2correction(&P->Z); - fp2correction(&Q->Z); - - if (!is_felm_zero((P->Z.e)[0]) || !is_felm_zero((P->Z.e)[1]) || !is_felm_zero((Q->Z.e)[0]) || !is_felm_zero((Q->Z.e)[1])) { - return 1; - } - - return 0; -} - -int EphemeralSecretAgreement_B(const digit_t* PrivateKeyB, const unsigned char* PublicKeyA, unsigned char* SharedSecretB) -{ // Bob's ephemeral shared secret computation - // It produces a shared secret key SharedSecretB using his secret key PrivateKeyB and Alice's public key PublicKeyA - // Inputs: Bob's PrivateKeyB is an integer in the range [0, 2^Floor(Log(2,oB)) - 1]. - // Alice's PublicKeyA consists of 3 elements in GF(p^2) encoded by removing leading 0 bytes. - // Output: a shared secret SharedSecretB that consists of one element in GF(p^2) encoded by removing leading 0 bytes. - point_proj_t R, pts[MAX_INT_POINTS_BOB]; - f2elm_t coeff[3], PKB[3], _jinv; - f2elm_t _A24plus = {0}, _A24minus = {0}, _A = {0}; - f2elm_t *jinv=&_jinv, *A24plus=&_A24plus, *A24minus=&_A24minus, *A=&_A; - unsigned int i, row, m, index = 0, pts_index[MAX_INT_POINTS_BOB], npts = 0, ii = 0; - - // Initialize images of Alice's basis - fp2_decode(PublicKeyA, &PKB[0]); - fp2_decode(PublicKeyA + FP2_ENCODED_BYTES, &PKB[1]); - fp2_decode(PublicKeyA + 2*FP2_ENCODED_BYTES, &PKB[2]); - - // Initialize constants - get_A(&PKB[0], &PKB[1], &PKB[2], A); // TODO: Can return projective A? - fpadd((const digit_t*)&Montgomery_one, (const digit_t*)&Montgomery_one, A24minus->e[0]); - fp2add(A, A24minus, A24plus); - fp2sub(A, A24minus, A24minus); - - // Always perform public key validation before using peer's public key - if (sike_p503_r1_publickey_validation(PKB, A) == 1) { - return 1; - } - - // Retrieve kernel point - LADDER3PT(&PKB[0], &PKB[1], &PKB[2], PrivateKeyB, BOB, R, A); - - // Traverse tree - index = 0; - for (row = 1; row < MAX_Bob; row++) { - while (index < MAX_Bob-row) { - fp2copy(&R->X, &pts[npts]->X); - fp2copy(&R->Z, &pts[npts]->Z); - pts_index[npts++] = index; - m = strat_Bob[ii++]; - xTPLe(R, R, A24minus, A24plus, (int)m); - index += m; - } - get_3_isog(R, A24minus, A24plus, coeff); - - for (i = 0; i < npts; i++) { - eval_3_isog(pts[i], coeff); - } - - fp2copy(&pts[npts-1]->X, &R->X); - fp2copy(&pts[npts-1]->Z, &R->Z); - index = pts_index[npts-1]; - npts -= 1; - } - - get_3_isog(R, A24minus, A24plus, coeff); - fp2add(A24plus, A24minus, A); - fp2add(A, A, A); - fp2sub(A24plus, A24minus, A24plus); - j_inv(A, A24plus, jinv); - fp2_encode(jinv, SharedSecretB); // Format shared secret - - return S2N_SUCCESS; -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/sike_r1/sike_r1_kem.c b/contrib/restricted/aws/s2n/pq-crypto/sike_r1/sike_r1_kem.c deleted file mode 100644 index 973640e156..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/sike_r1/sike_r1_kem.c +++ /dev/null @@ -1,135 +0,0 @@ -/******************************************************************************************** -* Supersingular Isogeny Key Encapsulation Library -* -* Abstract: supersingular isogeny key encapsulation (SIKE) protocol -*********************************************************************************************/ - -#include <string.h> -#include "P503_internal_r1.h" -#include "fips202_r1.h" -#include "pq-crypto/s2n_pq_random.h" -#include "utils/s2n_safety.h" -#include "tls/s2n_kem.h" -#include "pq-crypto/s2n_pq.h" - -int SIKE_P503_r1_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) -{ // SIKE's key generation - // Outputs: secret key sk (SIKE_P503_R1_SECRET_KEY_BYTES = MSG_BYTES + SECRETKEY_B_BYTES + SIKE_P503_R1_PUBLIC_KEY_BYTES bytes) - // public key pk (SIKE_P503_R1_PUBLIC_KEY_BYTES bytes) - POSIX_ENSURE(s2n_pq_is_enabled(), S2N_ERR_PQ_DISABLED); - - digit_t _sk[SECRETKEY_B_BYTES/sizeof(digit_t)]; - - // Generate lower portion of secret key sk <- s||SK - POSIX_GUARD_RESULT(s2n_get_random_bytes(sk, MSG_BYTES)); - POSIX_GUARD(random_mod_order_B((unsigned char*)_sk)); - - // Generate public key pk - EphemeralKeyGeneration_B(_sk, pk); - - memcpy(sk + MSG_BYTES, _sk, SECRETKEY_B_BYTES); - // Append public key pk to secret key sk - memcpy(&sk[MSG_BYTES + SECRETKEY_B_BYTES], pk, SIKE_P503_R1_PUBLIC_KEY_BYTES); - - return 0; -} - - -int SIKE_P503_r1_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) -{ // SIKE's encapsulation - // Input: public key pk (SIKE_P503_R1_PUBLIC_KEY_BYTES bytes) - // Outputs: shared secret ss (SIKE_P503_R1_SHARED_SECRET_BYTES bytes) - // ciphertext message ct (SIKE_P503_R1_CIPHERTEXT_BYTES = SIKE_P503_R1_PUBLIC_KEY_BYTES + MSG_BYTES bytes) - POSIX_ENSURE(s2n_pq_is_enabled(), S2N_ERR_PQ_DISABLED); - - const uint16_t G = 0; - const uint16_t H = 1; - const uint16_t P = 2; - union { - unsigned char b[SECRETKEY_A_BYTES]; - digit_t d[SECRETKEY_A_BYTES/sizeof(digit_t)]; - } ephemeralsk; - unsigned char jinvariant[FP2_ENCODED_BYTES]; - unsigned char h[MSG_BYTES]; - unsigned char temp[SIKE_P503_R1_CIPHERTEXT_BYTES+MSG_BYTES]; - unsigned int i; - - // Generate ephemeralsk <- G(m||pk) mod oA - POSIX_GUARD_RESULT(s2n_get_random_bytes(temp, MSG_BYTES)); - memcpy(&temp[MSG_BYTES], pk, SIKE_P503_R1_PUBLIC_KEY_BYTES); - cshake256_simple(ephemeralsk.b, SECRETKEY_A_BYTES, G, temp, SIKE_P503_R1_PUBLIC_KEY_BYTES+MSG_BYTES); - - /* ephemeralsk is a union; the memory set here through .b will get accessed through the .d member later */ - /* cppcheck-suppress unreadVariable */ - ephemeralsk.b[SECRETKEY_A_BYTES - 1] &= MASK_ALICE; - - // Encrypt - EphemeralKeyGeneration_A(ephemeralsk.d, ct); - EphemeralSecretAgreement_A(ephemeralsk.d, pk, jinvariant); - cshake256_simple(h, MSG_BYTES, P, jinvariant, FP2_ENCODED_BYTES); - for (i = 0; i < MSG_BYTES; i++) ct[i + SIKE_P503_R1_PUBLIC_KEY_BYTES] = temp[i] ^ h[i]; - - // Generate shared secret ss <- H(m||ct) - memcpy(&temp[MSG_BYTES], ct, SIKE_P503_R1_CIPHERTEXT_BYTES); - cshake256_simple(ss, SIKE_P503_R1_SHARED_SECRET_BYTES, H, temp, SIKE_P503_R1_CIPHERTEXT_BYTES+MSG_BYTES); - - return 0; -} - - -int SIKE_P503_r1_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) -{ // SIKE's decapsulation - // Input: secret key sk (SIKE_P503_R1_SECRET_KEY_BYTES = MSG_BYTES + SECRETKEY_B_BYTES + SIKE_P503_R1_PUBLIC_KEY_BYTES bytes) - // ciphertext message ct (SIKE_P503_R1_CIPHERTEXT_BYTES = SIKE_P503_R1_PUBLIC_KEY_BYTES + MSG_BYTES bytes) - // Outputs: shared secret ss (SIKE_P503_R1_SHARED_SECRET_BYTES bytes) - POSIX_ENSURE(s2n_pq_is_enabled(), S2N_ERR_PQ_DISABLED); - - const uint16_t G = 0; - const uint16_t H = 1; - const uint16_t P = 2; - union { - unsigned char b[SECRETKEY_A_BYTES]; - digit_t d[SECRETKEY_A_BYTES/sizeof(digit_t)]; - } ephemeralsk_; - unsigned char jinvariant_[FP2_ENCODED_BYTES]; - unsigned char h_[MSG_BYTES]; - unsigned char c0_[SIKE_P503_R1_PUBLIC_KEY_BYTES]; - unsigned char temp[SIKE_P503_R1_CIPHERTEXT_BYTES+MSG_BYTES]; - unsigned int i; - bool dont_copy = 1; - - digit_t _sk[SECRETKEY_B_BYTES/sizeof(digit_t)]; - - memcpy(_sk, sk + MSG_BYTES, SECRETKEY_B_BYTES); - - // Decrypt - if (!(EphemeralSecretAgreement_B(_sk, ct, jinvariant_) == 0)) { - goto S2N_SIKE_P503_R1_HASHING; - } - cshake256_simple(h_, MSG_BYTES, P, jinvariant_, FP2_ENCODED_BYTES); - for (i = 0; i < MSG_BYTES; i++) temp[i] = ct[i + SIKE_P503_R1_PUBLIC_KEY_BYTES] ^ h_[i]; - - // Generate ephemeralsk_ <- G(m||pk) mod oA - memcpy(&temp[MSG_BYTES], &sk[MSG_BYTES + SECRETKEY_B_BYTES], SIKE_P503_R1_PUBLIC_KEY_BYTES); - cshake256_simple(ephemeralsk_.b, SECRETKEY_A_BYTES, G, temp, SIKE_P503_R1_PUBLIC_KEY_BYTES+MSG_BYTES); - - /* ephemeralsk_ is a union; the memory set here through .b will get accessed through the .d member later */ - /* cppcheck-suppress unreadVariable */ - /* cppcheck-suppress uninitvar */ - ephemeralsk_.b[SECRETKEY_A_BYTES - 1] &= MASK_ALICE; - - // Generate shared secret ss <- H(m||ct) or output ss <- H(s||ct) - EphemeralKeyGeneration_A(ephemeralsk_.d, c0_); - - // Note: This step deviates from the NIST supplied code by using constant time operations. - // We only want to copy the data if c0_ and ct are different - dont_copy = s2n_constant_time_equals(c0_, ct, SIKE_P503_R1_PUBLIC_KEY_BYTES); -S2N_SIKE_P503_R1_HASHING: - // The last argument to s2n_constant_time_copy_or_dont is dont and thus prevents the copy when non-zero/true - s2n_constant_time_copy_or_dont(temp, sk, MSG_BYTES, dont_copy); - - memcpy(&temp[MSG_BYTES], ct, SIKE_P503_R1_CIPHERTEXT_BYTES); - cshake256_simple(ss, SIKE_P503_R1_SHARED_SECRET_BYTES, H, temp, SIKE_P503_R1_CIPHERTEXT_BYTES+MSG_BYTES); - - return 0; -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/sike_r1/sike_r1_namespace.h b/contrib/restricted/aws/s2n/pq-crypto/sike_r1/sike_r1_namespace.h deleted file mode 100644 index b3e37982fa..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/sike_r1/sike_r1_namespace.h +++ /dev/null @@ -1,63 +0,0 @@ -#ifndef SIKE_R1_NAMESPACE_H -#define SIKE_R1_NAMESPACE_H - -#define random_mod_order_B random_mod_order_B_r1 -#define EphemeralKeyGeneration_A EphemeralKeyGeneration_A_r1 -#define EphemeralKeyGeneration_B EphemeralKeyGeneration_B_r1 -#define EphemeralSecretAgreement_A EphemeralSecretAgreement_A_r1 -#define EphemeralSecretAgreement_B EphemeralSecretAgreement_B_r1 -#define xDBL xDBL_r1 -#define xDBLe xDBLe_r1 -#define get_4_isog get_4_isog_r1 -#define eval_4_isog eval_4_isog_r1 -#define xTPL xTPL_r1 -#define xTPLe xTPLe_r1 -#define get_3_isog get_3_isog_r1 -#define eval_3_isog eval_3_isog_r1 -#define inv_3_way inv_3_way_r1 -#define get_A get_A_r1 -#define j_inv j_inv_r1 -#define xDBLADD xDBLADD_r1 -#define swap_points swap_points_r1 -#define LADDER3PT LADDER3PT_r1 -#define xTPL_fast xTPL_fast_r1 -#define xTPLe_fast xTPLe_fast_r1 -#define load64 load64_r1 -#define store64 store64_r1 -#define KeccakF1600_StatePermute KeccakF1600_StatePermute_r1 -#define keccak_absorb keccak_absorb_r1 -#define keccak_squeezeblocks keccak_squeezeblocks_r1 -#define cshake256_simple_absorb cshake256_simple_absorb_r1 -#define cshake256_simple cshake256_simple_r1 -#define digit_x_digit digit_x_digit_r1 -#define mp_mul mp_mul_r1 -#define rdc_mont rdc_mont_r1 -#define to_mont to_mont_r1 -#define from_mont from_mont_r1 -#define copy_words copy_words_r1 -#define mp_addfast mp_addfast_r1 -#define mp_addfastx2 mp_addfastx2_r1 -#define mp_sub mp_sub_r1 -#define mp_subfast mp_subfast_r1 -#define to_fp2mont to_fp2mont_r1 -#define from_fp2mont from_fp2mont_r1 -#define is_felm_zero is_felm_zero_r1 -#define mp_add mp_add_r1 -#define mp_shiftr1 mp_shiftr1_r1 -#define Alice_order Alice_order_r1 -#define Bob_order Bob_order_r1 -#define A_gen A_gen_r1 -#define B_gen B_gen_r1 -#define Montgomery_R2 Montgomery_R2_r1 -#define Montgomery_one Montgomery_one_r1 -#define Montgomery_Rprime Montgomery_Rprime_r1 -#define Montgomery_rprime Montgomery_rprime_r1 -#define Border_div3 Border_div3_r1 -#define strat_Alice strat_Alice_r1 -#define strat_Bob strat_Bob_r1 -#define clear_words clear_words_r1 -#define init_basis init_basis_r1 -#define fp2_encode fp2_encode_r1 -#define fp2_decode fp2_decode_r1 - -#endif // SIKE_R1_NAMESPACE_H diff --git a/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3.c b/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3.c deleted file mode 100644 index 7ce71ae3d3..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3.c +++ /dev/null @@ -1,146 +0,0 @@ -/******************************************************************************************** -* Supersingular Isogeny Key Encapsulation Library -* -* Abstract: supersingular isogeny parameters and generation of functions for P434 -*********************************************************************************************/ - -#include "sikep434r3.h" - -/* Encoding of field elements, elements over Z_order, elements over GF(p^2) and elliptic curve points: - * - * Elements over GF(p) and Z_order are encoded with the least significant octet (and digit) located at - * the leftmost position (i.e., little endian format). Elements (a+b*i) over GF(p^2), where a and b are - * defined over GF(p), are encoded as {a, b}, with a in the least significant position. Elliptic curve - * points P = (x,y) are encoded as {x, y}, with x in the least significant position. Internally, the - * number of digits used to represent all these elements is obtained by approximating the number of bits - * to the immediately greater multiple of 32. For example, a 434-bit field element is represented with - * Ceil(434 / 64) = 7 64-bit digits or Ceil(434 / 32) = 14 32-bit digits. - * - * Curve isogeny system "SIDHp434". Base curve: Montgomery curve By^2 = Cx^3 + Ax^2 + Cx defined over - * GF(p434^2), where A=6, B=1, C=1 and p434 = 2^216*3^137-1 */ - -const uint64_t p434[S2N_SIKE_P434_R3_NWORDS64_FIELD] = { - 0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF, - 0xFDC1767AE2FFFFFF, 0x7BC65C783158AEA3, 0x6CFC5FD681C52056, - 0x0002341F27177344 -}; - -const uint64_t p434x2[S2N_SIKE_P434_R3_NWORDS64_FIELD] = { - 0xFFFFFFFFFFFFFFFE, 0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF, - 0xFB82ECF5C5FFFFFF, 0xF78CB8F062B15D47, 0xD9F8BFAD038A40AC, - 0x0004683E4E2EE688 -}; - -const uint64_t p434x4[S2N_SIKE_P434_R3_NWORDS64_FIELD] = { - 0xFFFFFFFFFFFFFFFC, 0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF, - 0xF705D9EB8BFFFFFF, 0xEF1971E0C562BA8F, 0xB3F17F5A07148159, - 0x0008D07C9C5DCD11 -}; - -const uint64_t p434p1[S2N_SIKE_P434_R3_NWORDS64_FIELD] = { - 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, - 0xFDC1767AE3000000, 0x7BC65C783158AEA3, 0x6CFC5FD681C52056, - 0x0002341F27177344 -}; - -/* Alice's generator values {XPA0 + XPA1*i, XQA0 + xQA1*i, XRA0 + XRA1*i} in GF(p434^2), - * expressed in Montgomery representation */ -const uint64_t A_gen[6*S2N_SIKE_P434_R3_NWORDS64_FIELD] = { - 0x05ADF455C5C345BF, 0x91935C5CC767AC2B, 0xAFE4E879951F0257, - 0x70E792DC89FA27B1, 0xF797F526BB48C8CD, 0x2181DB6131AF621F, - 0x00000A1C08B1ECC4, /* XPA0 */ - - 0x74840EB87CDA7788, 0x2971AA0ECF9F9D0B, 0xCB5732BDF41715D5, - 0x8CD8E51F7AACFFAA, 0xA7F424730D7E419F, 0xD671EB919A179E8C, - 0x0000FFA26C5A924A, /* XPA1 */ - - 0xFEC6E64588B7273B, 0xD2A626D74CBBF1C6, 0xF8F58F07A78098C7, - 0xE23941F470841B03, 0x1B63EDA2045538DD, 0x735CFEB0FFD49215, - 0x0001C4CB77542876, /* XQA0 */ - - 0xADB0F733C17FFDD6, 0x6AFFBD037DA0A050, 0x680EC43DB144E02F, - 0x1E2E5D5FF524E374, 0xE2DDA115260E2995, 0xA6E4B552E2EDE508, - 0x00018ECCDDF4B53E, /* XQA1 */ - - 0x01BA4DB518CD6C7D, 0x2CB0251FE3CC0611, 0x259B0C6949A9121B, - 0x60E17AC16D2F82AD, 0x3AA41F1CE175D92D, 0x413FBE6A9B9BC4F3, - 0x00022A81D8D55643, /* XRA0 */ - - 0xB8ADBC70FC82E54A, 0xEF9CDDB0D5FADDED, 0x5820C734C80096A0, - 0x7799994BAA96E0E4, 0x044961599E379AF8, 0xDB2B94FBF09F27E2, - 0x0000B87FC716C0C6 /* XRA1 */ -}; - -/* Bob's generator values {XPB0, XQB0, XRB0 + XRB1*i} in GF(p434^2), expressed in Montgomery representation */ -const uint64_t B_gen[6*S2N_SIKE_P434_R3_NWORDS64_FIELD] = { - 0x6E5497556EDD48A3, 0x2A61B501546F1C05, 0xEB919446D049887D, - 0x5864A4A69D450C4F, 0xB883F276A6490D2B, 0x22CC287022D5F5B9, - 0x0001BED4772E551F, /* XPB0 */ - - 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, - 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, - 0x0000000000000000, /* XPB1 */ - - 0xFAE2A3F93D8B6B8E, 0x494871F51700FE1C, 0xEF1A94228413C27C, - 0x498FF4A4AF60BD62, 0xB00AD2A708267E8A, 0xF4328294E017837F, - 0x000034080181D8AE, /* XQB0 */ - - 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, - 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, - 0x0000000000000000, /* XQB1 */ - - 0x283B34FAFEFDC8E4, 0x9208F44977C3E647, 0x7DEAE962816F4E9A, - 0x68A2BA8AA262EC9D, 0x8176F112EA43F45B, 0x02106D022634F504, - 0x00007E8A50F02E37, /* XRB0 */ - - 0xB378B7C1DA22CCB1, 0x6D089C99AD1D9230, 0xEBE15711813E2369, - 0x2B35A68239D48A53, 0x445F6FD138407C93, 0xBEF93B29A3F6B54B, - 0x000173FA910377D3 /* XRB1 */ -}; - -/* Montgomery constant Montgomery_R2 = (2^448)^2 mod p434 */ -const uint64_t Montgomery_R2[S2N_SIKE_P434_R3_NWORDS64_FIELD] = { - 0x28E55B65DCD69B30, 0xACEC7367768798C2, 0xAB27973F8311688D, - 0x175CC6AF8D6C7C0B, 0xABCD92BF2DDE347E, 0x69E16A61C7686D9A, - 0x000025A89BCDD12A -}; - -/* Value one in Montgomery representation */ -const uint64_t Montgomery_one[S2N_SIKE_P434_R3_NWORDS64_FIELD] = { - 0x000000000000742C, 0x0000000000000000, 0x0000000000000000, - 0xB90FF404FC000000, 0xD801A4FB559FACD4, 0xE93254545F77410C, - 0x0000ECEEA7BD2EDA -}; - -/* Fixed parameters for isogeny tree computation */ -const unsigned int strat_Alice[S2N_SIKE_P434_R3_MAX_ALICE-1] = { - 48, 28, 16, 8, 4, 2, 1, 1, 2, 1, 1, 4, 2, 1, 1, 2, 1, 1, 8, 4, 2, 1, 1, 2, 1, 1, 4, 2, 1, 1, 2, 1, 1, 13, 7, 4, - 2, 1, 1, 2, 1, 1, 3, 2, 1, 1, 1, 1, 5, 4, 2, 1, 1, 2, 1, 1, 2, 1, 1, 1, 21, 12, 7, 4, 2, 1, 1, 2, 1, 1, 3, 2, - 1, 1, 1, 1, 5, 3, 2, 1, 1, 1, 1, 2, 1, 1, 1, 9, 5, 3, 2, 1, 1, 1, 1, 2, 1, 1, 1, 4, 2, 1, 1, 1, 2, 1, 1 -}; - -const unsigned int strat_Bob[S2N_SIKE_P434_R3_MAX_BOB-1] = { - 66, 33, 17, 9, 5, 3, 2, 1, 1, 1, 1, 2, 1, 1, 1, 4, 2, 1, 1, 1, 2, 1, 1, 8, 4, 2, 1, 1, 1, 2, 1, 1, 4, 2, 1, 1, - 2, 1, 1, 16, 8, 4, 2, 1, 1, 1, 2, 1, 1, 4, 2, 1, 1, 2, 1, 1, 8, 4, 2, 1, 1, 2, 1, 1, 4, 2, 1, 1, 2, 1, 1, 32, - 16, 8, 4, 3, 1, 1, 1, 1, 2, 1, 1, 4, 2, 1, 1, 2, 1, 1, 8, 4, 2, 1, 1, 2, 1, 1, 4, 2, 1, 1, 2, 1, 1, 16, 8, 4, - 2, 1, 1, 2, 1, 1, 4, 2, 1, 1, 2, 1, 1, 8, 4, 2, 1, 1, 2, 1, 1, 4, 2, 1, 1, 2, 1, 1 -}; - -/* Returns true if the machine is big endian */ -bool is_big_endian() -{ - uint16_t i = 1; - uint8_t *ptr = (uint8_t *)&i; - return !(*ptr); -} - -uint32_t bswap32(uint32_t x) -{ - uint32_t i = (x >> 16) | (x << 16); - return ((i & UINT32_C(0xff00ff00)) >> 8) | ((i & UINT32_C(0x00ff00ff)) << 8); -} - -uint64_t bswap64(uint64_t x) -{ - return bswap32(x >> 32) | (((uint64_t)bswap32(x)) << 32); -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3.h b/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3.h deleted file mode 100644 index 5b797b1d7f..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3.h +++ /dev/null @@ -1,181 +0,0 @@ -/******************************************************************************************** -* Supersingular Isogeny Key Encapsulation Library -* -* Abstract: supersingular isogeny parameters, generation of functions for P434; -* configuration and platform-dependent macros -*********************************************************************************************/ - -#pragma once - -#include <stdint.h> -#include <stdbool.h> -#include <stddef.h> - -/* All sikep434r3 functions and global variables in the pq-crypto/sike_r3 directory - * should be defined using this namespace macro to avoid symbol collisions. For example, - * in foo.h, declare a function as follows: - * - * #define foo_function S2N_SIKE_P434_R3_NAMESPACE(foo_function) - * int foo_function(int foo_argument); */ -#define S2N_SIKE_P434_R3_NAMESPACE(s) s2n_sike_p434_r3_##s - -/* Endian-related functionality */ -/* Returns true if the machine is big endian */ -#define is_big_endian S2N_SIKE_P434_R3_NAMESPACE(is_big_endian) -bool is_big_endian(void); - -#define bswap32 S2N_SIKE_P434_R3_NAMESPACE(bswap32) -uint32_t bswap32(uint32_t x); - -#define bswap64 S2N_SIKE_P434_R3_NAMESPACE(bswap64) -uint64_t bswap64(uint64_t x); - -/* Arch specific definitions */ -#define digit_t S2N_SIKE_P434_R3_NAMESPACE(digit_t) -#define hdigit_t S2N_SIKE_P434_R3_NAMESPACE(hdigit_t) -#if defined(_AMD64_) || defined(__x86_64) || defined(__x86_64__) || defined(__aarch64__) || defined(_S390X_) || defined(_ARM64_) || defined(__powerpc64__) || (defined(__riscv) && (__riscv_xlen == 64)) - #define S2N_SIKE_P434_R3_NWORDS_FIELD 7 /* Number of words of a 434-bit field element */ - #define S2N_SIKE_P434_R3_ZERO_WORDS 3 /* Number of "0" digits in the least significant part of p434 + 1 */ - #define S2N_SIKE_P434_R3_RADIX 64 - #define S2N_SIKE_P434_R3_LOG2RADIX 6 - #define S2N_SIKE_P434_R3_BSWAP_DIGIT(i) bswap64((i)) - typedef uint64_t digit_t; - typedef uint32_t hdigit_t; -#elif defined(_X86_) || defined(_ARM_) || defined(__arm__) || defined(__i386__) - #define S2N_SIKE_P434_R3_NWORDS_FIELD 14 /* Number of words of a 434-bit field element */ - #define S2N_SIKE_P434_R3_ZERO_WORDS 6 /* Number of "0" digits in the least significant part of p434 + 1 */ - #define S2N_SIKE_P434_R3_RADIX 32 - #define S2N_SIKE_P434_R3_LOG2RADIX 5 - #define S2N_SIKE_P434_R3_BSWAP_DIGIT(i) bswap32((i)) - typedef uint32_t digit_t; - typedef uint16_t hdigit_t; -#else - #error -- "Unsupported ARCHITECTURE" -#endif - -/* Basic constants */ -#define S2N_SIKE_P434_R3_NBITS_FIELD 434 -#define S2N_SIKE_P434_R3_MAXBITS_FIELD 448 -/* Number of 64-bit words of a 434-bit field element */ -#define S2N_SIKE_P434_R3_NWORDS64_FIELD ((S2N_SIKE_P434_R3_NBITS_FIELD+63)/64) -#define S2N_SIKE_P434_R3_NBITS_ORDER 256 -/* Number of words of oA and oB, where oA and oB are the subgroup orders of Alice and Bob, resp. */ -#define S2N_SIKE_P434_R3_NWORDS_ORDER ((S2N_SIKE_P434_R3_NBITS_ORDER+S2N_SIKE_P434_R3_RADIX-1)/S2N_SIKE_P434_R3_RADIX) -#define S2N_SIKE_P434_R3_ALICE 0 -#define S2N_SIKE_P434_R3_BOB 1 -#define S2N_SIKE_P434_R3_OALICE_BITS 216 -#define S2N_SIKE_P434_R3_OBOB_BITS 218 -#define S2N_SIKE_P434_R3_MASK_ALICE 0xFF -#define S2N_SIKE_P434_R3_MASK_BOB 0x01 - -/* Fixed parameters for isogeny tree computation */ -#define S2N_SIKE_P434_R3_MAX_INT_POINTS_ALICE 7 -#define S2N_SIKE_P434_R3_MAX_INT_POINTS_BOB 8 -#define S2N_SIKE_P434_R3_MAX_ALICE 108 -#define S2N_SIKE_P434_R3_MAX_BOB 137 -#define S2N_SIKE_P434_R3_MSG_BYTES 16 -#define S2N_SIKE_P434_R3_SECRETKEY_A_BYTES ((S2N_SIKE_P434_R3_OALICE_BITS + 7) / 8) -#define S2N_SIKE_P434_R3_SECRETKEY_B_BYTES ((S2N_SIKE_P434_R3_OBOB_BITS - 1 + 7) / 8) -#define S2N_SIKE_P434_R3_FP2_ENCODED_BYTES (2 * ((S2N_SIKE_P434_R3_NBITS_FIELD + 7) / 8)) - -/* SIDH's basic element definitions and point representations */ -/* Datatype for representing 434-bit field elements (448-bit max.) */ -#define felm_t S2N_SIKE_P434_R3_NAMESPACE(felm_t) -typedef digit_t felm_t[S2N_SIKE_P434_R3_NWORDS_FIELD]; - -/* Datatype for representing double-precision 2x434-bit field elements (2x448-bit max.) */ -#define dfelm_t S2N_SIKE_P434_R3_NAMESPACE(dfelm_t) -typedef digit_t dfelm_t[2*S2N_SIKE_P434_R3_NWORDS_FIELD]; - -/* Datatype for representing quadratic extension field elements GF(p434^2) */ -#define f2elm_t S2N_SIKE_P434_R3_NAMESPACE(f2elm_t) -#define felm_s S2N_SIKE_P434_R3_NAMESPACE(felm_s) -typedef struct felm_s { - felm_t e[2]; -} f2elm_t; - -/* Point representation in projective XZ Montgomery coordinates. */ -#define point_proj S2N_SIKE_P434_R3_NAMESPACE(point_proj) -typedef struct { f2elm_t X; f2elm_t Z; } point_proj; -#define point_proj_t S2N_SIKE_P434_R3_NAMESPACE(point_proj_t) -typedef point_proj point_proj_t[1]; - -/* Macro to avoid compiler warnings when detecting unreferenced parameters */ -#define S2N_SIKE_P434_R3_UNREFERENCED_PARAMETER(PAR) ((void)(PAR)) - -/********************** Constant-time unsigned comparisons ***********************/ -/* The following functions return 1 (TRUE) if condition is true, 0 (FALSE) otherwise */ - -/* Is x != 0? */ -static __inline unsigned int is_digit_nonzero_ct(const digit_t x) -{ - return (unsigned int)((x | (0-x)) >> (S2N_SIKE_P434_R3_RADIX-1)); -} - -/* Is x = 0? */ -static __inline unsigned int is_digit_zero_ct(const digit_t x) -{ - return (unsigned int)(1 ^ is_digit_nonzero_ct(x)); -} - -/* Is x < y? */ -static __inline unsigned int is_digit_lessthan_ct(const digit_t x, const digit_t y) -{ - return (unsigned int)((x ^ ((x ^ y) | ((x - y) ^ y))) >> (S2N_SIKE_P434_R3_RADIX-1)); -} - -/* Definitions for generic C implementation */ - -typedef uint64_t uint128_t[2]; - -/* Digit multiplication */ -#define S2N_SIKE_P434_R3_MUL(multiplier, multiplicand, hi, lo) \ - digit_x_digit((multiplier), (multiplicand), &(lo)); - -/* Digit addition with carry */ -#define S2N_SIKE_P434_R3_ADDC(carryIn, addend1, addend2, carryOut, sumOut) \ - { digit_t tempReg = (addend1) + (digit_t)(carryIn); \ - (sumOut) = (addend2) + tempReg; \ - (carryOut) = (is_digit_lessthan_ct(tempReg, (digit_t)(carryIn)) | is_digit_lessthan_ct((sumOut), tempReg)); } - -/* Digit subtraction with borrow */ -#define S2N_SIKE_P434_R3_SUBC(borrowIn, minuend, subtrahend, borrowOut, differenceOut) \ - { digit_t tempReg = (minuend) - (subtrahend); \ - unsigned int borrowReg = (is_digit_lessthan_ct((minuend), (subtrahend)) | ((borrowIn) & is_digit_zero_ct(tempReg))); \ - (differenceOut) = tempReg - (digit_t)(borrowIn); \ - (borrowOut) = borrowReg; } - -/* Shift right with flexible datatype */ -#define S2N_SIKE_P434_R3_SHIFTR(highIn, lowIn, shift, shiftOut, DigitSize) \ - (shiftOut) = ((lowIn) >> (shift)) ^ ((highIn) << ((DigitSize) - (shift))); - -/* Fixed parameters for computation */ -#define p434 S2N_SIKE_P434_R3_NAMESPACE(p434) -extern const uint64_t p434[S2N_SIKE_P434_R3_NWORDS64_FIELD]; - -#define p434x2 S2N_SIKE_P434_R3_NAMESPACE(p434x2) -extern const uint64_t p434x2[S2N_SIKE_P434_R3_NWORDS64_FIELD]; - -#define p434x4 S2N_SIKE_P434_R3_NAMESPACE(p434x4) -extern const uint64_t p434x4[S2N_SIKE_P434_R3_NWORDS64_FIELD]; - -#define p434p1 S2N_SIKE_P434_R3_NAMESPACE(p434p1) -extern const uint64_t p434p1[S2N_SIKE_P434_R3_NWORDS64_FIELD]; - -#define A_gen S2N_SIKE_P434_R3_NAMESPACE(A_gen) -extern const uint64_t A_gen[6*S2N_SIKE_P434_R3_NWORDS64_FIELD]; - -#define B_gen S2N_SIKE_P434_R3_NAMESPACE(B_gen) -extern const uint64_t B_gen[6*S2N_SIKE_P434_R3_NWORDS64_FIELD]; - -#define Montgomery_R2 S2N_SIKE_P434_R3_NAMESPACE(Montgomery_R2) -extern const uint64_t Montgomery_R2[S2N_SIKE_P434_R3_NWORDS64_FIELD]; - -#define Montgomery_one S2N_SIKE_P434_R3_NAMESPACE(Montgomery_one) -extern const uint64_t Montgomery_one[S2N_SIKE_P434_R3_NWORDS64_FIELD]; - -#define strat_Alice S2N_SIKE_P434_R3_NAMESPACE(strat_Alice) -extern const unsigned int strat_Alice[S2N_SIKE_P434_R3_MAX_ALICE-1]; - -#define strat_Bob S2N_SIKE_P434_R3_NAMESPACE(strat_Bob) -extern const unsigned int strat_Bob[S2N_SIKE_P434_R3_MAX_BOB-1]; diff --git a/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_api.h b/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_api.h deleted file mode 100644 index cf3c4feb85..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_api.h +++ /dev/null @@ -1,78 +0,0 @@ -/******************************************************************************************** -* Supersingular Isogeny Key Encapsulation Library -* -* Abstract: API header file for P434 -*********************************************************************************************/ - -#pragma once - -#include "sikep434r3.h" - -/*********************** Key encapsulation mechanism API ***********************/ -/* Encoding of keys for KEM-based isogeny system "SIKEp434" (wire format): - * - * Elements over GF(p434) are encoded in 55 octets in little endian format (i.e., the least - * significant octet is located in the lowest memory address). Elements (a+b*i) over GF(p434^2), - * where a and b are defined over GF(p434), are encoded as {a, b}, with a in the lowest memory portion. - * - * Private keys sk consist of the concatenation of a 16-byte random value, a value in the range - * [0, 2^217-1] and the public key pk. In the SIKE API, private keys are encoded in 374 octets in - * little endian format. Public keys pk consist of 3 elements in GF(p434^2). In the SIKE API, pk - * is encoded in 330 octets. Ciphertexts ct consist of the concatenation of a public key value - * and a 16-byte value. In the SIKE API, ct is encoded in 330 + 16 = 346 octets. Shared keys ss - * consist of a value of 16 octets. */ - -/*********************** Ephemeral key exchange API ***********************/ - -/* SECURITY NOTE: SIDH supports ephemeral Diffie-Hellman key exchange. It is NOT secure to use - * it with static keys. See "On the Security of Supersingular Isogeny Cryptosystems", S.D. Galbraith, - * C. Petit, B. Shani and Y.B. Ti, in ASIACRYPT 2016, 2016. Extended version available at: - * http://eprint.iacr.org/2016/859 */ - -/* Generation of Bob's secret key - * Outputs random value in [0, 2^Floor(Log(2,3^137)) - 1] to be used as Bob's private key */ -#define random_mod_order_B S2N_SIKE_P434_R3_NAMESPACE(random_mod_order_B) -int random_mod_order_B(unsigned char* random_digits); - -/* Alice's ephemeral public key generation - * Input: a private key PrivateKeyA in the range [0, 2^216 - 1], stored in 27 bytes. - * Output: the public key PublicKeyA consisting of 3 GF(p434^2) elements encoded in 330 bytes. */ -#define EphemeralKeyGeneration_A S2N_SIKE_P434_R3_NAMESPACE(EphemeralKeyGeneration_A) -int EphemeralKeyGeneration_A(const unsigned char* PrivateKeyA, unsigned char* PublicKeyA); - -/* Bob's ephemeral key-pair generation - * It produces a private key PrivateKeyB and computes the public key PublicKeyB. - * The private key is an integer in the range [0, 2^Floor(Log(2,3^137)) - 1], stored in 28 bytes. - * The public key consists of 3 GF(p434^2) elements encoded in 330 bytes. */ -#define EphemeralKeyGeneration_B S2N_SIKE_P434_R3_NAMESPACE(EphemeralKeyGeneration_B) -int EphemeralKeyGeneration_B(const unsigned char* PrivateKeyB, unsigned char* PublicKeyB); - -/* Alice's ephemeral shared secret computation - * It produces a shared secret key SharedSecretA using her secret key PrivateKeyA and Bob's public key PublicKeyB - * Inputs: Alice's PrivateKeyA is an integer in the range [0, 2^216 - 1], stored in 27 bytes. - * Bob's PublicKeyB consists of 3 GF(p434^2) elements encoded in 330 bytes. - * Output: a shared secret SharedSecretA that consists of one element in GF(p434^2) encoded in 110 bytes. */ -#define EphemeralSecretAgreement_A S2N_SIKE_P434_R3_NAMESPACE(EphemeralSecretAgreement_A) -int EphemeralSecretAgreement_A(const unsigned char* PrivateKeyA, const unsigned char* PublicKeyB, unsigned char* SharedSecretA); - -/* Bob's ephemeral shared secret computation - * It produces a shared secret key SharedSecretB using his secret key PrivateKeyB and Alice's public key PublicKeyA - * Inputs: Bob's PrivateKeyB is an integer in the range [0, 2^Floor(Log(2,3^137)) - 1], stored in 28 bytes. - * Alice's PublicKeyA consists of 3 GF(p434^2) elements encoded in 330 bytes. - * Output: a shared secret SharedSecretB that consists of one element in GF(p434^2) encoded in 110 bytes. */ -#define EphemeralSecretAgreement_B S2N_SIKE_P434_R3_NAMESPACE(EphemeralSecretAgreement_B) -int EphemeralSecretAgreement_B(const unsigned char* PrivateKeyB, const unsigned char* PublicKeyA, unsigned char* SharedSecretB); - -/* Encoding of keys for KEX-based isogeny system "SIDHp434" (wire format): - * - * Elements over GF(p434) are encoded in 55 octets in little endian format (i.e., the - * least significant octet is located in the lowest memory address). Elements (a+b*i) - * over GF(p434^2), where a and b are defined over GF(p434), are encoded as {a, b}, with - * a in the lowest memory portion. - * - * Private keys PrivateKeyA and PrivateKeyB can have values in the range [0, 2^216-1] and - * [0, 2^Floor(Log(2,3^137)) - 1], resp. In the SIDH API, Alice's and Bob's private keys - * are encoded in 27 and 28 octets, resp., in little endian format. Public keys PublicKeyA - * and PublicKeyB consist of 3 elements in GF(p434^2). In the SIDH API, they are encoded in - * 330 octets. Shared keys SharedSecretA and SharedSecretB consist of one element in GF(p434^2). - * In the SIDH API, they are encoded in 110 octets. */ diff --git a/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_ec_isogeny.c b/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_ec_isogeny.c deleted file mode 100644 index a2e3dd969b..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_ec_isogeny.c +++ /dev/null @@ -1,388 +0,0 @@ -/******************************************************************************************** -* Supersingular Isogeny Key Encapsulation Library -* -* Abstract: elliptic curve and isogeny functions -*********************************************************************************************/ - -#include "sikep434r3.h" -#include "sikep434r3_fpx.h" -#include "sikep434r3_ec_isogeny.h" - -/* Doubling of a Montgomery point in projective coordinates (X:Z). - * Input: projective Montgomery x-coordinates P = (X1:Z1), where x1=X1/Z1 and Montgomery curve constants A+2C and 4C. - * Output: projective Montgomery x-coordinates Q = 2*P = (X2:Z2). */ -void xDBL(const point_proj_t P, point_proj_t Q, const f2elm_t *A24plus, const f2elm_t *C24) -{ - f2elm_t _t0, _t1; - f2elm_t *t0=&_t0, *t1=&_t1; - - mp2_sub_p2(&P->X, &P->Z, t0); /* t0 = X1-Z1 */ - mp2_add(&P->X, &P->Z, t1); /* t1 = X1+Z1 */ - fp2sqr_mont(t0, t0); /* t0 = (X1-Z1)^2 */ - fp2sqr_mont(t1, t1); /* t1 = (X1+Z1)^2 */ - fp2mul_mont(C24, t0, &Q->Z); /* Z2 = C24*(X1-Z1)^2 */ - fp2mul_mont(t1, &Q->Z, &Q->X); /* X2 = C24*(X1-Z1)^2*(X1+Z1)^2 */ - mp2_sub_p2(t1, t0, t1); /* t1 = (X1+Z1)^2-(X1-Z1)^2 */ - fp2mul_mont(A24plus, t1, t0); /* t0 = A24plus*[(X1+Z1)^2-(X1-Z1)^2] */ - mp2_add(&Q->Z, t0, &Q->Z); /* Z2 = A24plus*[(X1+Z1)^2-(X1-Z1)^2] + C24*(X1-Z1)^2 */ - fp2mul_mont(&Q->Z, t1, &Q->Z); /* Z2 = [A24plus*[(X1+Z1)^2-(X1-Z1)^2] + C24*(X1-Z1)^2]*[(X1+Z1)^2-(X1-Z1)^2] */ -} - -/* Computes [2^e](X:Z) on Montgomery curve with projective constant via e repeated doublings. - * Input: projective Montgomery x-coordinates P = (XP:ZP), such that xP=XP/ZP and Montgomery curve constants A+2C and 4C. - * Output: projective Montgomery x-coordinates Q <- (2^e)*P. */ -void xDBLe(const point_proj_t P, point_proj_t Q, const f2elm_t *A24plus, const f2elm_t *C24, const int e) -{ - copy_words((const digit_t*)P, (digit_t*)Q, 2*2*S2N_SIKE_P434_R3_NWORDS_FIELD); - - for (int i = 0; i < e; i++) { - xDBL(Q, Q, A24plus, C24); - } -} - -/* Computes the corresponding 4-isogeny of a projective Montgomery point (X4:Z4) of order 4. - * Input: projective point of order four P = (X4:Z4). - * Output: the 4-isogenous Montgomery curve with projective coefficients A+2C/4C and the 3 coefficients - * that are used to evaluate the isogeny at a point in eval_4_isog(). */ -void get_4_isog(const point_proj_t P, f2elm_t *A24plus, f2elm_t *C24, f2elm_t *coeff) -{ - mp2_sub_p2(&P->X, &P->Z, &coeff[1]); /* coeff[1] = X4-Z4 */ - mp2_add(&P->X, &P->Z, &coeff[2]); /* coeff[2] = X4+Z4 */ - fp2sqr_mont(&P->Z, &coeff[0]); /* coeff[0] = Z4^2 */ - mp2_add(&coeff[0], &coeff[0], &coeff[0]); /* coeff[0] = 2*Z4^2 */ - fp2sqr_mont(&coeff[0], C24); /* C24 = 4*Z4^4 */ - mp2_add(&coeff[0], &coeff[0], &coeff[0]); /* coeff[0] = 4*Z4^2 */ - fp2sqr_mont(&P->X, A24plus); /* A24plus = X4^2 */ - mp2_add(A24plus, A24plus, A24plus); /* A24plus = 2*X4^2 */ - fp2sqr_mont(A24plus, A24plus); /* A24plus = 4*X4^4 */ -} - -/* Evaluates the isogeny at the point (X:Z) in the domain of the isogeny, given a 4-isogeny phi defined - * by the 3 coefficients in coeff (computed in the function get_4_isog()). - * Inputs: the coefficients defining the isogeny, and the projective point P = (X:Z). - * Output: the projective point P = phi(P) = (X:Z) in the codomain. */ -void eval_4_isog(point_proj_t P, f2elm_t *coeff) -{ - f2elm_t _t0, _t1; - f2elm_t *t0=&_t0, *t1=&_t1; - - mp2_add(&P->X, &P->Z, t0); /* t0 = X+Z */ - mp2_sub_p2(&P->X, &P->Z, t1); /* t1 = X-Z */ - fp2mul_mont(t0, &coeff[1], &P->X); /* X = (X+Z)*coeff[1] */ - fp2mul_mont(t1, &coeff[2], &P->Z); /* Z = (X-Z)*coeff[2] */ - fp2mul_mont(t0, t1, t0); /* t0 = (X+Z)*(X-Z) */ - fp2mul_mont(&coeff[0], t0, t0); /* t0 = coeff[0]*(X+Z)*(X-Z) */ - mp2_add(&P->X, &P->Z, t1); /* t1 = (X-Z)*coeff[2] + (X+Z)*coeff[1] */ - mp2_sub_p2(&P->X, &P->Z, &P->Z); /* Z = (X-Z)*coeff[2] - (X+Z)*coeff[1] */ - fp2sqr_mont(t1, t1); /* t1 = [(X-Z)*coeff[2] + (X+Z)*coeff[1]]^2 */ - fp2sqr_mont(&P->Z, &P->Z); /* Z = [(X-Z)*coeff[2] - (X+Z)*coeff[1]]^2 */ - mp2_add(t1, t0, &P->X); /* X = coeff[0]*(X+Z)*(X-Z) + [(X-Z)*coeff[2] + (X+Z)*coeff[1]]^2 */ - mp2_sub_p2(&P->Z, t0, t0); /* t0 = [(X-Z)*coeff[2] - (X+Z)*coeff[1]]^2 - coeff[0]*(X+Z)*(X-Z) */ - fp2mul_mont(&P->X, t1, &P->X); /* Xfinal */ - fp2mul_mont(&P->Z, t0, &P->Z); /* Zfinal */ -} - -/* Tripling of a Montgomery point in projective coordinates (X:Z). - * Input: projective Montgomery x-coordinates P = (X:Z), where x=X/Z and Montgomery curve constants A24plus = A+2C and A24minus = A-2C. - * Output: projective Montgomery x-coordinates Q = 3*P = (X3:Z3). */ -void xTPL(const point_proj_t P, point_proj_t Q, const f2elm_t *A24minus, const f2elm_t *A24plus) -{ - f2elm_t _t0, _t1, _t2, _t3, _t4, _t5, _t6; - f2elm_t *t0=&_t0, *t1=&_t1, *t2=&_t2, *t3=&_t3, *t4=&_t4, *t5=&_t5, *t6=&_t6; - - mp2_sub_p2(&P->X, &P->Z, t0); /* t0 = X-Z */ - fp2sqr_mont(t0, t2); /* t2 = (X-Z)^2 */ - mp2_add(&P->X, &P->Z, t1); /* t1 = X+Z */ - fp2sqr_mont(t1, t3); /* t3 = (X+Z)^2 */ - mp2_add(&P->X, &P->X, t4); /* t4 = 2*X */ - mp2_add(&P->Z, &P->Z, t0); /* t0 = 2*Z */ - fp2sqr_mont(t4, t1); /* t1 = 4*X^2 */ - mp2_sub_p2(t1, t3, t1); /* t1 = 4*X^2 - (X+Z)^2 */ - mp2_sub_p2(t1, t2, t1); /* t1 = 4*X^2 - (X+Z)^2 - (X-Z)^2 */ - fp2mul_mont(A24plus, t3, t5); /* t5 = A24plus*(X+Z)^2 */ - fp2mul_mont(t3, t5, t3); /* t3 = A24plus*(X+Z)^4 */ - fp2mul_mont(A24minus, t2, t6); /* t6 = A24minus*(X-Z)^2 */ - fp2mul_mont(t2, t6, t2); /* t2 = A24minus*(X-Z)^4 */ - mp2_sub_p2(t2, t3, t3); /* t3 = A24minus*(X-Z)^4 - A24plus*(X+Z)^4 */ - mp2_sub_p2(t5, t6, t2); /* t2 = A24plus*(X+Z)^2 - A24minus*(X-Z)^2 */ - fp2mul_mont(t1, t2, t1); /* t1 = [4*X^2 - (X+Z)^2 - (X-Z)^2]*[A24plus*(X+Z)^2 - A24minus*(X-Z)^2] */ - fp2add(t3, t1, t2); /* t2 = [4*X^2 - (X+Z)^2 - (X-Z)^2]*[A24plus*(X+Z)^2 - A24minus*(X-Z)^2] + A24minus*(X-Z)^4 - A24plus*(X+Z)^4 */ - fp2sqr_mont(t2, t2); /* t2 = t2^2 */ - fp2mul_mont(t4, t2, &Q->X); /* X3 = 2*X*t2 */ - fp2sub(t3, t1, t1); /* t1 = A24minus*(X-Z)^4 - A24plus*(X+Z)^4 - [4*X^2 - (X+Z)^2 - (X-Z)^2]*[A24plus*(X+Z)^2 - A24minus*(X-Z)^2] */ - fp2sqr_mont(t1, t1); /* t1 = t1^2 */ - fp2mul_mont(t0, t1, &Q->Z); /* Z3 = 2*Z*t1 */ -} - -/* Computes [3^e](X:Z) on Montgomery curve with projective constant via e repeated triplings. - * Input: projective Montgomery x-coordinates P = (XP:ZP), such that xP=XP/ZP and Montgomery curve constants A24plus = A+2C and A24minus = A-2C. - * Output: projective Montgomery x-coordinates Q <- (3^e)*P. */ -void xTPLe(const point_proj_t P, point_proj_t Q, const f2elm_t *A24minus, const f2elm_t *A24plus, const int e) -{ - copy_words((const digit_t*)P, (digit_t*)Q, 2*2*S2N_SIKE_P434_R3_NWORDS_FIELD); - - for (int i = 0; i < e; i++) { - xTPL(Q, Q, A24minus, A24plus); - } -} - -/* Computes the corresponding 3-isogeny of a projective Montgomery point (X3:Z3) of order 3. - * Input: projective point of order three P = (X3:Z3). - * Output: the 3-isogenous Montgomery curve with projective coefficient A/C. */ -void get_3_isog(const point_proj_t P, f2elm_t *A24minus, f2elm_t *A24plus, f2elm_t *coeff) -{ - f2elm_t _t0, _t1, _t2, _t3, _t4; - f2elm_t *t0=&_t0, *t1=&_t1, *t2=&_t2, *t3=&_t3, *t4=&_t4; - - mp2_sub_p2(&P->X, &P->Z, &coeff[0]); /* coeff0 = X-Z */ - fp2sqr_mont(&coeff[0], t0); /* t0 = (X-Z)^2 */ - mp2_add(&P->X, &P->Z, &coeff[1]); /* coeff1 = X+Z */ - fp2sqr_mont(&coeff[1], t1); /* t1 = (X+Z)^2 */ - mp2_add(&P->X, &P->X, t3); /* t3 = 2*X */ - fp2sqr_mont(t3, t3); /* t3 = 4*X^2 */ - fp2sub(t3, t0, t2); /* t2 = 4*X^2 - (X-Z)^2 */ - fp2sub(t3, t1, t3); /* t3 = 4*X^2 - (X+Z)^2 */ - mp2_add(t0, t3, t4); /* t4 = 4*X^2 - (X+Z)^2 + (X-Z)^2 */ - mp2_add(t4, t4, t4); /* t4 = 2(4*X^2 - (X+Z)^2 + (X-Z)^2) */ - mp2_add(t1, t4, t4); /* t4 = 8*X^2 - (X+Z)^2 + 2*(X-Z)^2 */ - fp2mul_mont(t2, t4, A24minus); /* A24minus = [4*X^2 - (X-Z)^2]*[8*X^2 - (X+Z)^2 + 2*(X-Z)^2] */ - mp2_add(t1, t2, t4); /* t4 = 4*X^2 + (X+Z)^2 - (X-Z)^2 */ - mp2_add(t4, t4, t4); /* t4 = 2(4*X^2 + (X+Z)^2 - (X-Z)^2) */ - mp2_add(t0, t4, t4); /* t4 = 8*X^2 + 2*(X+Z)^2 - (X-Z)^2 */ - fp2mul_mont(t3, t4, A24plus); /* A24plus = [4*X^2 - (X+Z)^2]*[8*X^2 + 2*(X+Z)^2 - (X-Z)^2] */ -} - -/* Computes the 3-isogeny R=phi(X:Z), given projective point (X3:Z3) of order 3 on a Montgomery curve and - * a point P with 2 coefficients in coeff (computed in the function get_3_isog()). - * Inputs: projective points P = (X3:Z3) and Q = (X:Z). - * Output: the projective point Q <- phi(Q) = (X3:Z3). */ -void eval_3_isog(point_proj_t Q, const f2elm_t *coeff) -{ - f2elm_t _t0, _t1, _t2; - f2elm_t *t0=&_t0, *t1=&_t1, *t2=&_t2; - - mp2_add(&Q->X, &Q->Z, t0); /* t0 = X+Z */ - mp2_sub_p2(&Q->X, &Q->Z, t1); /* t1 = X-Z */ - fp2mul_mont(&coeff[0], t0, t0); /* t0 = coeff0*(X+Z) */ - fp2mul_mont(&coeff[1], t1, t1); /* t1 = coeff1*(X-Z) */ - mp2_add(t0, t1, t2); /* t2 = coeff0*(X+Z) + coeff1*(X-Z) */ - mp2_sub_p2(t1, t0, t0); /* t0 = coeff1*(X-Z) - coeff0*(X+Z) */ - fp2sqr_mont(t2, t2); /* t2 = [coeff0*(X+Z) + coeff1*(X-Z)]^2 */ - fp2sqr_mont(t0, t0); /* t0 = [coeff1*(X-Z) - coeff0*(X+Z)]^2 */ - fp2mul_mont(&Q->X, t2, &Q->X); /* X3final = X*[coeff0*(X+Z) + coeff1*(X-Z)]^2 */ - fp2mul_mont(&Q->Z, t0, &Q->Z); /* Z3final = Z*[coeff1*(X-Z) - coeff0*(X+Z)]^2 */ -} - -/* 3-way simultaneous inversion - * Input: z1,z2,z3 - * Output: 1/z1,1/z2,1/z3 (override inputs). */ -void inv_3_way(f2elm_t *z1, f2elm_t *z2, f2elm_t *z3) -{ - f2elm_t _t0, _t1, _t2, _t3; - f2elm_t *t0=&_t0, *t1=&_t1, *t2=&_t2, *t3=&_t3; - - fp2mul_mont(z1, z2, t0); /* t0 = z1*z2 */ - fp2mul_mont(z3, t0, t1); /* t1 = z1*z2*z3 */ - fp2inv_mont(t1); /* t1 = 1/(z1*z2*z3) */ - fp2mul_mont(z3, t1, t2); /* t2 = 1/(z1*z2) */ - fp2mul_mont(t2, z2, t3); /* t3 = 1/z1 */ - fp2mul_mont(t2, z1, z2); /* z2 = 1/z2 */ - fp2mul_mont(t0, t1, z3); /* z3 = 1/z3 */ - fp2copy(t3, z1); /* z1 = 1/z1 */ -} - -/* Given the x-coordinates of P, Q, and R, returns the value A corresponding to the - * Montgomery curve E_A: y^2=x^3+A*x^2+x such that R=Q-P on E_A. - * Input: the x-coordinates xP, xQ, and xR of the points P, Q and R. - * Output: the coefficient A corresponding to the curve E_A: y^2=x^3+A*x^2+x. */ -void get_A(const f2elm_t *xP, const f2elm_t *xQ, const f2elm_t *xR, f2elm_t *A) -{ - f2elm_t _t0, _t1, one = {0}; - f2elm_t *t0=&_t0, *t1=&_t1; - - - fpcopy((const digit_t*)&Montgomery_one,one.e[0]); - fp2add(xP, xQ, t1); /* t1 = xP+xQ */ - fp2mul_mont(xP, xQ, t0); /* t0 = xP*xQ */ - fp2mul_mont(xR, t1, A); /* A = xR*t1 */ - fp2add(t0, A, A); /* A = A+t0 */ - fp2mul_mont(t0, xR, t0); /* t0 = t0*xR */ - fp2sub(A, &one, A); /* A = A-1 */ - fp2add(t0, t0, t0); /* t0 = t0+t0 */ - fp2add(t1, xR, t1); /* t1 = t1+xR */ - fp2add(t0, t0, t0); /* t0 = t0+t0 */ - fp2sqr_mont(A, A); /* A = A^2 */ - fp2inv_mont(t0); /* t0 = 1/t0 */ - fp2mul_mont(A, t0, A); /* A = A*t0 */ - fp2sub(A, t1, A); /* Afinal = A-t1 */ -} - -/* Computes the j-invariant of a Montgomery curve with projective constant. - * Input: A,C in GF(p^2). - * Output: j=256*(A^2-3*C^2)^3/(C^4*(A^2-4*C^2)), which is the j-invariant of the Montgomery curve - * B*y^2=x^3+(A/C)*x^2+x or (equivalently) j-invariant of B'*y^2=C*x^3+A*x^2+C*x. */ -void j_inv(const f2elm_t *A, const f2elm_t *C, f2elm_t *jinv) -{ - f2elm_t _t0, _t1; - f2elm_t *t0=&_t0, *t1=&_t1; - - fp2sqr_mont(A, jinv); /* jinv = A^2 */ - fp2sqr_mont(C, t1); /* t1 = C^2 */ - fp2add(t1, t1, t0); /* t0 = t1+t1 */ - fp2sub(jinv, t0, t0); /* t0 = jinv-t0 */ - fp2sub(t0, t1, t0); /* t0 = t0-t1 */ - fp2sub(t0, t1, jinv); /* jinv = t0-t1 */ - fp2sqr_mont(t1, t1); /* t1 = t1^2 */ - fp2mul_mont(jinv, t1, jinv); /* jinv = jinv*t1 */ - fp2add(t0, t0, t0); /* t0 = t0+t0 */ - fp2add(t0, t0, t0); /* t0 = t0+t0 */ - fp2sqr_mont(t0, t1); /* t1 = t0^2 */ - fp2mul_mont(t0, t1, t0); /* t0 = t0*t1 */ - fp2add(t0, t0, t0); /* t0 = t0+t0 */ - fp2add(t0, t0, t0); /* t0 = t0+t0 */ - fp2inv_mont(jinv); /* jinv = 1/jinv */ - fp2mul_mont(jinv, t0, jinv); /* jinv = t0*jinv */ -} - -/* Simultaneous doubling and differential addition. - * Input: projective Montgomery points P=(XP:ZP) and Q=(XQ:ZQ) such that xP=XP/ZP and xQ=XQ/ZQ, - * affine difference xPQ=x(P-Q) and Montgomery curve constant A24=(A+2)/4. - * Output: projective Montgomery points P <- 2*P = (X2P:Z2P) such that x(2P)=X2P/Z2P, - * and Q <- P+Q = (XQP:ZQP) such that = x(Q+P)=XQP/ZQP. */ -static void xDBLADD(point_proj_t P, point_proj_t Q, const f2elm_t *xPQ, const f2elm_t *A24) -{ - f2elm_t _t0, _t1, _t2; - f2elm_t *t0=&_t0, *t1=&_t1, *t2=&_t2; - - mp2_add(&P->X, &P->Z, t0); /* t0 = XP+ZP */ - mp2_sub_p2(&P->X, &P->Z, t1); /* t1 = XP-ZP */ - fp2sqr_mont(t0, &P->X); /* XP = (XP+ZP)^2 */ - mp2_sub_p2(&Q->X, &Q->Z, t2); /* t2 = XQ-ZQ */ - mp2_add(&Q->X, &Q->Z, &Q->X); /* XQ = XQ+ZQ */ - fp2mul_mont(t0, t2, t0); /* t0 = (XP+ZP)*(XQ-ZQ) */ - fp2sqr_mont(t1, &P->Z); /* ZP = (XP-ZP)^2 */ - fp2mul_mont(t1, &Q->X, t1); /* t1 = (XP-ZP)*(XQ+ZQ) */ - mp2_sub_p2(&P->X, &P->Z, t2); /* t2 = (XP+ZP)^2-(XP-ZP)^2 */ - fp2mul_mont(&P->X, &P->Z, &P->X); /* XP = (XP+ZP)^2*(XP-ZP)^2 */ - fp2mul_mont(A24, t2, &Q->X); /* XQ = A24*[(XP+ZP)^2-(XP-ZP)^2] */ - mp2_sub_p2(t0, t1, &Q->Z); /* ZQ = (XP+ZP)*(XQ-ZQ)-(XP-ZP)*(XQ+ZQ) */ - mp2_add(&Q->X, &P->Z, &P->Z); /* ZP = A24*[(XP+ZP)^2-(XP-ZP)^2]+(XP-ZP)^2 */ - mp2_add(t0, t1, &Q->X); /* XQ = (XP+ZP)*(XQ-ZQ)+(XP-ZP)*(XQ+ZQ) */ - fp2mul_mont(&P->Z, t2, &P->Z); /* ZP = [A24*[(XP+ZP)^2-(XP-ZP)^2]+(XP-ZP)^2]*[(XP+ZP)^2-(XP-ZP)^2] */ - fp2sqr_mont(&Q->Z, &Q->Z); /* ZQ = [(XP+ZP)*(XQ-ZQ)-(XP-ZP)*(XQ+ZQ)]^2 */ - fp2sqr_mont(&Q->X, &Q->X); /* XQ = [(XP+ZP)*(XQ-ZQ)+(XP-ZP)*(XQ+ZQ)]^2 */ - fp2mul_mont(&Q->Z, xPQ, &Q->Z); /* ZQ = xPQ*[(XP+ZP)*(XQ-ZQ)-(XP-ZP)*(XQ+ZQ)]^2 */ -} - -/* Swap points. - * If option = 0 then P <- P and Q <- Q, else if option = 0xFF...FF then P <- Q and Q <- P */ -static void swap_points(point_proj_t P, point_proj_t Q, const digit_t option) -{ - unsigned int i; - - for (i = 0; i < S2N_SIKE_P434_R3_NWORDS_FIELD; i++) { - digit_t temp = option & (P->X.e[0][i] ^ Q->X.e[0][i]); - P->X.e[0][i] = temp ^ P->X.e[0][i]; - Q->X.e[0][i] = temp ^ Q->X.e[0][i]; - temp = option & (P->X.e[1][i] ^ Q->X.e[1][i]); - P->X.e[1][i] = temp ^ P->X.e[1][i]; - Q->X.e[1][i] = temp ^ Q->X.e[1][i]; - temp = option & (P->Z.e[0][i] ^ Q->Z.e[0][i]); - P->Z.e[0][i] = temp ^ P->Z.e[0][i]; - Q->Z.e[0][i] = temp ^ Q->Z.e[0][i]; - temp = option & (P->Z.e[1][i] ^ Q->Z.e[1][i]); - P->Z.e[1][i] = temp ^ P->Z.e[1][i]; - Q->Z.e[1][i] = temp ^ Q->Z.e[1][i]; - } -} - -void LADDER3PT(const f2elm_t *xP, const f2elm_t *xQ, const f2elm_t *xPQ, const digit_t* m, - const unsigned int AliceOrBob, point_proj_t R, const f2elm_t *A) -{ - point_proj_t R0 = {0}, R2 = {0}; - f2elm_t _A24 = {0}; - f2elm_t *A24 = &_A24; - digit_t mask; - int i, nbits, swap, prevbit = 0; - - if (AliceOrBob == S2N_SIKE_P434_R3_ALICE) { - nbits = S2N_SIKE_P434_R3_OALICE_BITS; - } else { - nbits = S2N_SIKE_P434_R3_OBOB_BITS - 1; - } - - /* Initializing constant */ - fpcopy((const digit_t*)&Montgomery_one, A24->e[0]); - mp2_add(A24, A24, A24); - mp2_add(A, A24, A24); - fp2div2(A24, A24); - fp2div2(A24, A24); /* A24 = (A+2)/4 */ - - /* Initializing points */ - fp2copy(xQ, &R0->X); - fpcopy((const digit_t*)&Montgomery_one, (digit_t*)&R0->Z); - fp2copy(xPQ, &R2->X); - fpcopy((const digit_t*)&Montgomery_one, (digit_t*)&R2->Z); - fp2copy(xP, &R->X); - fpcopy((const digit_t*)&Montgomery_one, (digit_t*)&R->Z); - fpzero((digit_t*)(R->Z.e)[1]); - - /* Main loop */ - for (i = 0; i < nbits; i++) { - int bit = (m[i >> S2N_SIKE_P434_R3_LOG2RADIX] >> (i & (S2N_SIKE_P434_R3_RADIX-1))) & 1; - swap = bit ^ prevbit; - prevbit = bit; - mask = 0 - (digit_t)swap; - - swap_points(R, R2, mask); - xDBLADD(R0, R2, &R->X, A24); - fp2mul_mont(&R2->X, &R->Z, &R2->X); - } - swap = 0 ^ prevbit; - mask = 0 - (digit_t)swap; - swap_points(R, R2, mask); -} - -void xTPL_fast(const point_proj_t P, point_proj_t Q, const f2elm_t *A2) -{ // Montgomery curve (E: y^2 = x^3 + A*x^2 + x) x-only tripling at a cost of 5M + 6S + 11A. - // Input : projective Montgomery x-coordinates P = (X:Z), where x=X/Z and Montgomery curve constant A/2. - // Output: projective Montgomery x-coordinates Q = 3*P = (X3:Z3). - f2elm_t _t1, _t2, _t3, _t4; - f2elm_t *t1=&_t1, *t2=&_t2, *t3=&_t3, *t4=&_t4; - - fp2sqr_mont(&P->X, t1); // t1 = x^2 - fp2sqr_mont(&P->Z, t2); // t2 = z^2 - fp2add(t1, t2, t3); // t3 = t1 + t2 - fp2add(&P->X, &P->Z, t4); // t4 = x + z - fp2sqr_mont(t4, t4); // t4 = t4^2 - fp2sub(t4, t3, t4); // t4 = t4 - t3 - fp2mul_mont(A2, t4, t4); // t4 = t4*A2 - fp2add(t3, t4, t4); // t4 = t4 + t3 - fp2sub(t1, t2, t3); // t3 = t1 - t2 - fp2sqr_mont(t3, t3); // t3 = t3^2 - fp2mul_mont(t1, t4, t1); // t1 = t1*t4 - fp2add(t1, t1, t1); // t1 = 2*t1 - fp2add(t1, t1, t1); // t1 = 4*t1 - fp2sub(t1, t3, t1); // t1 = t1 - t3 - fp2sqr_mont(t1, t1); // t1 = t1^2 - fp2mul_mont(t2, t4, t2); // t2 = t2*t4 - fp2add(t2, t2, t2); // t2 = 2*t2 - fp2add(t2, t2, t2); // t2 = 4*t2 - fp2sub(t2, t3, t2); // t2 = t2 - t3 - fp2sqr_mont(t2, t2); // t2 = t2^2 - fp2mul_mont(&P->X, t2, &Q->X); // x = x*t2 - fp2mul_mont(&P->Z, t1, &Q->Z); // z = z*t1 -} - - -void xTPLe_fast(point_proj_t P, point_proj_t Q, const f2elm_t *A2, int e) -{ // Computes [3^e](X:Z) on Montgomery curve with projective constant via e repeated triplings. e triplings in E costs e*(5M + 6S + 11A) - // Input: projective Montgomery x-coordinates P = (X:Z), where x=X/Z, Montgomery curve constant A2 = A/2 and the number of triplings e. - // Output: projective Montgomery x-coordinates Q <- [3^e]P. - - copy_words((digit_t*)P, (digit_t*)Q, 2 * 2 * S2N_SIKE_P434_R3_NWORDS_FIELD); - - for (int i = 0; i < e; i++) { - xTPL_fast(Q, Q, A2); - } -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_ec_isogeny.h b/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_ec_isogeny.h deleted file mode 100644 index c09111e9d0..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_ec_isogeny.h +++ /dev/null @@ -1,52 +0,0 @@ -/******************************************************************************************** -* Supersingular Isogeny Key Encapsulation Library -* -* Abstract: elliptic curve and isogeny functions -*********************************************************************************************/ - -#pragma once - -#include "sikep434r3.h" - -#define xDBL S2N_SIKE_P434_R3_NAMESPACE(xDBL) -void xDBL(const point_proj_t P, point_proj_t Q, const f2elm_t *A24plus, const f2elm_t *C24); - -#define xDBLe S2N_SIKE_P434_R3_NAMESPACE(xDBLe) -void xDBLe(const point_proj_t P, point_proj_t Q, const f2elm_t *A24plus, const f2elm_t *C24, const int e); - -#define get_4_isog S2N_SIKE_P434_R3_NAMESPACE(get_4_isog) -void get_4_isog(const point_proj_t P, f2elm_t *A24plus, f2elm_t *C24, f2elm_t *coeff); - -#define eval_4_isog S2N_SIKE_P434_R3_NAMESPACE(eval_4_isog) -void eval_4_isog(point_proj_t P, f2elm_t* coeff); - -#define xTPL S2N_SIKE_P434_R3_NAMESPACE(xTPL) -void xTPL(const point_proj_t P, point_proj_t Q, const f2elm_t *A24minus, const f2elm_t *A24plus); - -#define xTPLe S2N_SIKE_P434_R3_NAMESPACE(xTPLe) -void xTPLe(const point_proj_t P, point_proj_t Q, const f2elm_t *A24minus, const f2elm_t *A24plus, const int e); - -#define get_3_isog S2N_SIKE_P434_R3_NAMESPACE(get_3_isog) -void get_3_isog(const point_proj_t P, f2elm_t *A24minus, f2elm_t *A24plus, f2elm_t *coeff); - -#define eval_3_isog S2N_SIKE_P434_R3_NAMESPACE(eval_3_isog) -void eval_3_isog(point_proj_t Q, const f2elm_t *coeff); - -#define inv_3_way S2N_SIKE_P434_R3_NAMESPACE(inv_3_way) -void inv_3_way(f2elm_t *z1, f2elm_t *z2, f2elm_t *z3); - -#define get_A S2N_SIKE_P434_R3_NAMESPACE(get_A) -void get_A(const f2elm_t *xP, const f2elm_t *xQ, const f2elm_t *xR, f2elm_t *A); - -#define j_inv S2N_SIKE_P434_R3_NAMESPACE(j_inv) -void j_inv(const f2elm_t *A, const f2elm_t *C, f2elm_t *jinv); - -#define LADDER3PT S2N_SIKE_P434_R3_NAMESPACE(LADDER3PT) -void LADDER3PT(const f2elm_t *xP, const f2elm_t *xQ, const f2elm_t *xPQ, const digit_t *m, - const unsigned int AliceOrBob, point_proj_t R, const f2elm_t *A); - -#define xTPL_fast S2N_SIKE_P434_R3_NAMESPACE(xTPL_fast) -void xTPL_fast(const point_proj_t P, point_proj_t Q, const f2elm_t *A2); - -#define xTPLe_fast S2N_SIKE_P434_R3_NAMESPACE(xTPLe_fast) -void xTPLe_fast(point_proj_t P, point_proj_t Q, const f2elm_t *A2, int e); diff --git a/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_fips202.c b/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_fips202.c deleted file mode 100644 index 413cb2b8e4..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_fips202.c +++ /dev/null @@ -1,417 +0,0 @@ -/******************************************************************************************** -* SHA3-derived function SHAKE -* -* Based on the public domain implementation in crypto_hash/keccakc512/simple/ -* from http://bench.cr.yp.to/supercop.html by Ronny Van Keer -* and the public domain "TweetFips202" implementation from https://twitter.com/tweetfips202 -* by Gilles Van Assche, Daniel J. Bernstein, and Peter Schwabe -* -* See NIST Special Publication 800-185 for more information: -* http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-185.pdf -* -*********************************************************************************************/ - -#include <stdint.h> -#include <stddef.h> -#include "sikep434r3.h" -#include "sikep434r3_fips202.h" - -#define NROUNDS 24 -#define ROL(a, offset) ((a << offset) ^ (a >> (64-offset))) - -/************************************************* - * Name: load64 - * - * Description: Load 8 bytes into uint64_t in little-endian order - * - * Arguments: - const uint8_t *x: pointer to input byte array - * - * Returns the loaded 64-bit unsigned integer - **************************************************/ -static uint64_t load64(const uint8_t *x) { - uint64_t r = 0; - for (size_t i = 0; i < 8; ++i) { - r |= (uint64_t)x[i] << 8 * i; - } - - return r; -} - -/************************************************* - * Name: store64 - * - * Description: Store a 64-bit integer to a byte array in little-endian order - * - * Arguments: - uint8_t *x: pointer to the output byte array - * - uint64_t u: input 64-bit unsigned integer - **************************************************/ -static void store64(uint8_t *x, uint64_t u) { - for (size_t i = 0; i < 8; ++i) { - x[i] = (uint8_t) (u >> 8 * i); - } -} - -static const uint64_t KeccakF_RoundConstants[NROUNDS] = { - (uint64_t)0x0000000000000001ULL, - (uint64_t)0x0000000000008082ULL, - (uint64_t)0x800000000000808aULL, - (uint64_t)0x8000000080008000ULL, - (uint64_t)0x000000000000808bULL, - (uint64_t)0x0000000080000001ULL, - (uint64_t)0x8000000080008081ULL, - (uint64_t)0x8000000000008009ULL, - (uint64_t)0x000000000000008aULL, - (uint64_t)0x0000000000000088ULL, - (uint64_t)0x0000000080008009ULL, - (uint64_t)0x000000008000000aULL, - (uint64_t)0x000000008000808bULL, - (uint64_t)0x800000000000008bULL, - (uint64_t)0x8000000000008089ULL, - (uint64_t)0x8000000000008003ULL, - (uint64_t)0x8000000000008002ULL, - (uint64_t)0x8000000000000080ULL, - (uint64_t)0x000000000000800aULL, - (uint64_t)0x800000008000000aULL, - (uint64_t)0x8000000080008081ULL, - (uint64_t)0x8000000000008080ULL, - (uint64_t)0x0000000080000001ULL, - (uint64_t)0x8000000080008008ULL, -}; - -static void KeccakF1600_StatePermute(uint64_t * state) -{ - int round; - uint64_t Aba, Abe, Abi, Abo, Abu; - uint64_t Aga, Age, Agi, Ago, Agu; - uint64_t Aka, Ake, Aki, Ako, Aku; - uint64_t Ama, Ame, Ami, Amo, Amu; - uint64_t Asa, Ase, Asi, Aso, Asu; - - /* copyFromState(A, state) */ - Aba = state[ 0]; - Abe = state[ 1]; - Abi = state[ 2]; - Abo = state[ 3]; - Abu = state[ 4]; - Aga = state[ 5]; - Age = state[ 6]; - Agi = state[ 7]; - Ago = state[ 8]; - Agu = state[ 9]; - Aka = state[10]; - Ake = state[11]; - Aki = state[12]; - Ako = state[13]; - Aku = state[14]; - Ama = state[15]; - Ame = state[16]; - Ami = state[17]; - Amo = state[18]; - Amu = state[19]; - Asa = state[20]; - Ase = state[21]; - Asi = state[22]; - Aso = state[23]; - Asu = state[24]; - - for( round = 0; round < NROUNDS; round += 2 ) { - uint64_t BCa, BCe, BCi, BCo, BCu; - uint64_t Da, De, Di, Do, Du; - uint64_t Eba, Ebe, Ebi, Ebo, Ebu; - uint64_t Ega, Ege, Egi, Ego, Egu; - uint64_t Eka, Eke, Eki, Eko, Eku; - uint64_t Ema, Eme, Emi, Emo, Emu; - uint64_t Esa, Ese, Esi, Eso, Esu; - - /* prepareTheta */ - BCa = Aba^Aga^Aka^Ama^Asa; - BCe = Abe^Age^Ake^Ame^Ase; - BCi = Abi^Agi^Aki^Ami^Asi; - BCo = Abo^Ago^Ako^Amo^Aso; - BCu = Abu^Agu^Aku^Amu^Asu; - - /* thetaRhoPiChiIotaPrepareTheta(round , A, E) */ - Da = BCu^ROL(BCe, 1); - De = BCa^ROL(BCi, 1); - Di = BCe^ROL(BCo, 1); - Do = BCi^ROL(BCu, 1); - Du = BCo^ROL(BCa, 1); - - Aba ^= Da; - BCa = Aba; - Age ^= De; - BCe = ROL(Age, 44); - Aki ^= Di; - BCi = ROL(Aki, 43); - Amo ^= Do; - BCo = ROL(Amo, 21); - Asu ^= Du; - BCu = ROL(Asu, 14); - Eba = BCa ^((~BCe)& BCi ); - Eba ^= (uint64_t)KeccakF_RoundConstants[round]; - Ebe = BCe ^((~BCi)& BCo ); - Ebi = BCi ^((~BCo)& BCu ); - Ebo = BCo ^((~BCu)& BCa ); - Ebu = BCu ^((~BCa)& BCe ); - - Abo ^= Do; - BCa = ROL(Abo, 28); - Agu ^= Du; - BCe = ROL(Agu, 20); - Aka ^= Da; - BCi = ROL(Aka, 3); - Ame ^= De; - BCo = ROL(Ame, 45); - Asi ^= Di; - BCu = ROL(Asi, 61); - Ega = BCa ^((~BCe)& BCi ); - Ege = BCe ^((~BCi)& BCo ); - Egi = BCi ^((~BCo)& BCu ); - Ego = BCo ^((~BCu)& BCa ); - Egu = BCu ^((~BCa)& BCe ); - - Abe ^= De; - BCa = ROL(Abe, 1); - Agi ^= Di; - BCe = ROL(Agi, 6); - Ako ^= Do; - BCi = ROL(Ako, 25); - Amu ^= Du; - BCo = ROL(Amu, 8); - Asa ^= Da; - BCu = ROL(Asa, 18); - Eka = BCa ^((~BCe)& BCi ); - Eke = BCe ^((~BCi)& BCo ); - Eki = BCi ^((~BCo)& BCu ); - Eko = BCo ^((~BCu)& BCa ); - Eku = BCu ^((~BCa)& BCe ); - - Abu ^= Du; - BCa = ROL(Abu, 27); - Aga ^= Da; - BCe = ROL(Aga, 36); - Ake ^= De; - BCi = ROL(Ake, 10); - Ami ^= Di; - BCo = ROL(Ami, 15); - Aso ^= Do; - BCu = ROL(Aso, 56); - Ema = BCa ^((~BCe)& BCi ); - Eme = BCe ^((~BCi)& BCo ); - Emi = BCi ^((~BCo)& BCu ); - Emo = BCo ^((~BCu)& BCa ); - Emu = BCu ^((~BCa)& BCe ); - - Abi ^= Di; - BCa = ROL(Abi, 62); - Ago ^= Do; - BCe = ROL(Ago, 55); - Aku ^= Du; - BCi = ROL(Aku, 39); - Ama ^= Da; - BCo = ROL(Ama, 41); - Ase ^= De; - BCu = ROL(Ase, 2); - Esa = BCa ^((~BCe)& BCi ); - Ese = BCe ^((~BCi)& BCo ); - Esi = BCi ^((~BCo)& BCu ); - Eso = BCo ^((~BCu)& BCa ); - Esu = BCu ^((~BCa)& BCe ); - - /* prepareTheta */ - BCa = Eba^Ega^Eka^Ema^Esa; - BCe = Ebe^Ege^Eke^Eme^Ese; - BCi = Ebi^Egi^Eki^Emi^Esi; - BCo = Ebo^Ego^Eko^Emo^Eso; - BCu = Ebu^Egu^Eku^Emu^Esu; - - /* thetaRhoPiChiIotaPrepareTheta(round+1, E, A) */ - Da = BCu^ROL(BCe, 1); - De = BCa^ROL(BCi, 1); - Di = BCe^ROL(BCo, 1); - Do = BCi^ROL(BCu, 1); - Du = BCo^ROL(BCa, 1); - - Eba ^= Da; - BCa = Eba; - Ege ^= De; - BCe = ROL(Ege, 44); - Eki ^= Di; - BCi = ROL(Eki, 43); - Emo ^= Do; - BCo = ROL(Emo, 21); - Esu ^= Du; - BCu = ROL(Esu, 14); - Aba = BCa ^((~BCe)& BCi ); - Aba ^= (uint64_t)KeccakF_RoundConstants[round+1]; - Abe = BCe ^((~BCi)& BCo ); - Abi = BCi ^((~BCo)& BCu ); - Abo = BCo ^((~BCu)& BCa ); - Abu = BCu ^((~BCa)& BCe ); - - Ebo ^= Do; - BCa = ROL(Ebo, 28); - Egu ^= Du; - BCe = ROL(Egu, 20); - Eka ^= Da; - BCi = ROL(Eka, 3); - Eme ^= De; - BCo = ROL(Eme, 45); - Esi ^= Di; - BCu = ROL(Esi, 61); - Aga = BCa ^((~BCe)& BCi ); - Age = BCe ^((~BCi)& BCo ); - Agi = BCi ^((~BCo)& BCu ); - Ago = BCo ^((~BCu)& BCa ); - Agu = BCu ^((~BCa)& BCe ); - - Ebe ^= De; - BCa = ROL(Ebe, 1); - Egi ^= Di; - BCe = ROL(Egi, 6); - Eko ^= Do; - BCi = ROL(Eko, 25); - Emu ^= Du; - BCo = ROL(Emu, 8); - Esa ^= Da; - BCu = ROL(Esa, 18); - Aka = BCa ^((~BCe)& BCi ); - Ake = BCe ^((~BCi)& BCo ); - Aki = BCi ^((~BCo)& BCu ); - Ako = BCo ^((~BCu)& BCa ); - Aku = BCu ^((~BCa)& BCe ); - - Ebu ^= Du; - BCa = ROL(Ebu, 27); - Ega ^= Da; - BCe = ROL(Ega, 36); - Eke ^= De; - BCi = ROL(Eke, 10); - Emi ^= Di; - BCo = ROL(Emi, 15); - Eso ^= Do; - BCu = ROL(Eso, 56); - Ama = BCa ^((~BCe)& BCi ); - Ame = BCe ^((~BCi)& BCo ); - Ami = BCi ^((~BCo)& BCu ); - Amo = BCo ^((~BCu)& BCa ); - Amu = BCu ^((~BCa)& BCe ); - - Ebi ^= Di; - BCa = ROL(Ebi, 62); - Ego ^= Do; - BCe = ROL(Ego, 55); - Eku ^= Du; - BCi = ROL(Eku, 39); - Ema ^= Da; - BCo = ROL(Ema, 41); - Ese ^= De; - BCu = ROL(Ese, 2); - Asa = BCa ^((~BCe)& BCi ); - Ase = BCe ^((~BCi)& BCo ); - Asi = BCi ^((~BCo)& BCu ); - Aso = BCo ^((~BCu)& BCa ); - Asu = BCu ^((~BCa)& BCe ); - } - - /* copyToState(state, A) */ - state[ 0] = Aba; - state[ 1] = Abe; - state[ 2] = Abi; - state[ 3] = Abo; - state[ 4] = Abu; - state[ 5] = Aga; - state[ 6] = Age; - state[ 7] = Agi; - state[ 8] = Ago; - state[ 9] = Agu; - state[10] = Aka; - state[11] = Ake; - state[12] = Aki; - state[13] = Ako; - state[14] = Aku; - state[15] = Ama; - state[16] = Ame; - state[17] = Ami; - state[18] = Amo; - state[19] = Amu; - state[20] = Asa; - state[21] = Ase; - state[22] = Asi; - state[23] = Aso; - state[24] = Asu; -} - -static void keccak_absorb(uint64_t *s, unsigned int r, const unsigned char *m, unsigned long long int mlen, - unsigned char p) -{ - unsigned long long i; - unsigned char t[200]; - - while (mlen >= r) { - for (i = 0; i < r / 8; ++i) - s[i] ^= load64(m + 8 * i); - - KeccakF1600_StatePermute(s); - mlen -= r; - m += r; - } - - for (i = 0; i < r; ++i) { - t[i] = 0; - } - for (i = 0; i < mlen; ++i) { - t[i] = m[i]; - } - - t[i] = p; - t[r - 1] |= 128; - - for (i = 0; i < r / 8; ++i) { - s[i] ^= load64(t + 8 * i); - } -} - -static void keccak_squeezeblocks(unsigned char *h, unsigned long long int nblocks, uint64_t *s, unsigned int r) -{ - unsigned int i; - - while(nblocks > 0) { - KeccakF1600_StatePermute(s); - for (i = 0; i < (r>>3); i++) { - store64(h+8*i, s[i]); - } - - h += r; - nblocks--; - } -} - -void shake256(unsigned char *output, unsigned long long outlen, const unsigned char *input, unsigned long long inlen) -{ - uint64_t s[25]; - unsigned char t[SHAKE256_RATE]; - unsigned long long nblocks = outlen / SHAKE256_RATE; - size_t i; - - for (i = 0; i < 25; ++i) { - s[i] = 0; - } - - /* Absorb input */ - keccak_absorb(s, SHAKE256_RATE, input, inlen, 0x1F); - - /* Squeeze output */ - keccak_squeezeblocks(output, nblocks, s, SHAKE256_RATE); - - output += nblocks * SHAKE256_RATE; - outlen -= nblocks * SHAKE256_RATE; - - if (outlen) { - keccak_squeezeblocks(t, 1, s, SHAKE256_RATE); - - for (i = 0; i < outlen; i++) { - output[i] = t[i]; - } - } -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_fips202.h b/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_fips202.h deleted file mode 100644 index 9dd237a491..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_fips202.h +++ /dev/null @@ -1,23 +0,0 @@ -/******************************************************************************************** -* SHA3-derived function SHAKE -* -* Based on the public domain implementation in crypto_hash/keccakc512/simple/ -* from http://bench.cr.yp.to/supercop.html by Ronny Van Keer -* and the public domain "TweetFips202" implementation from https://twitter.com/tweetfips202 -* by Gilles Van Assche, Daniel J. Bernstein, and Peter Schwabe -* -* See NIST Special Publication 800-185 for more information: -* http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-185.pdf -* -*********************************************************************************************/ - -#pragma once - -#include <stdint.h> -#include "sikep434r3.h" - -#define SHAKE128_RATE 168 -#define SHAKE256_RATE 136 - -#define shake256 S2N_SIKE_P434_R3_NAMESPACE(shake256) -void shake256(unsigned char *output, unsigned long long outlen, const unsigned char *input, unsigned long long inlen); diff --git a/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_fp.c b/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_fp.c deleted file mode 100644 index 867ac0f6c1..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_fp.c +++ /dev/null @@ -1,297 +0,0 @@ -/******************************************************************************************** -* Supersingular Isogeny Key Encapsulation Library -* -* Abstract: modular arithmetic for P434 -*********************************************************************************************/ - -#include "sikep434r3.h" -#include "pq-crypto/s2n_pq.h" -#include "sikep434r3_fp.h" -#include "sikep434r3_fpx.h" -#include "sikep434r3_fp_x64_asm.h" - -/* Multiprecision subtraction with correction with 2*p, c = a-b+2p. */ -void mp_sub434_p2(const digit_t* a, const digit_t* b, digit_t* c) -{ -#if defined(S2N_SIKE_P434_R3_ASM) - if (s2n_sikep434r3_asm_is_enabled()) { - mp_sub434_p2_asm(a, b, c); - return; - } -#endif - - unsigned int i, borrow = 0; - - for (i = 0; i < S2N_SIKE_P434_R3_NWORDS_FIELD; i++) { - S2N_SIKE_P434_R3_SUBC(borrow, a[i], b[i], borrow, c[i]); - } - - borrow = 0; - for (i = 0; i < S2N_SIKE_P434_R3_NWORDS_FIELD; i++) { - S2N_SIKE_P434_R3_ADDC(borrow, c[i], ((const digit_t*)p434x2)[i], borrow, c[i]); - } -} - -/* Multiprecision subtraction with correction with 4*p, c = a-b+4p. */ -void mp_sub434_p4(const digit_t* a, const digit_t* b, digit_t* c) -{ -#if defined(S2N_SIKE_P434_R3_ASM) - if (s2n_sikep434r3_asm_is_enabled()) { - mp_sub434_p4_asm(a, b, c); - return; - } -#endif - - unsigned int i, borrow = 0; - - for (i = 0; i < S2N_SIKE_P434_R3_NWORDS_FIELD; i++) { - S2N_SIKE_P434_R3_SUBC(borrow, a[i], b[i], borrow, c[i]); - } - - borrow = 0; - for (i = 0; i < S2N_SIKE_P434_R3_NWORDS_FIELD; i++) { - S2N_SIKE_P434_R3_ADDC(borrow, c[i], ((const digit_t*)p434x4)[i], borrow, c[i]); - } -} - -/* Modular addition, c = a+b mod p434. - * Inputs: a, b in [0, 2*p434-1] - * Output: c in [0, 2*p434-1] */ -void fpadd434(const digit_t* a, const digit_t* b, digit_t* c) -{ -#if defined(S2N_SIKE_P434_R3_ASM) - if (s2n_sikep434r3_asm_is_enabled()) { - fpadd434_asm(a, b, c); - return; - } -#endif - unsigned int i, carry = 0; - digit_t mask; - - for (i = 0; i < S2N_SIKE_P434_R3_NWORDS_FIELD; i++) { - S2N_SIKE_P434_R3_ADDC(carry, a[i], b[i], carry, c[i]); - } - - carry = 0; - for (i = 0; i < S2N_SIKE_P434_R3_NWORDS_FIELD; i++) { - S2N_SIKE_P434_R3_SUBC(carry, c[i], ((const digit_t*)p434x2)[i], carry, c[i]); - } - mask = 0 - (digit_t)carry; - - carry = 0; - for (i = 0; i < S2N_SIKE_P434_R3_NWORDS_FIELD; i++) { - S2N_SIKE_P434_R3_ADDC(carry, c[i], ((const digit_t*)p434x2)[i] & mask, carry, c[i]); - } -} - -/* Modular subtraction, c = a-b mod p434. - * Inputs: a, b in [0, 2*p434-1] - * Output: c in [0, 2*p434-1] */ -void fpsub434(const digit_t* a, const digit_t* b, digit_t* c) -{ -#if defined(S2N_SIKE_P434_R3_ASM) - if (s2n_sikep434r3_asm_is_enabled()) { - fpsub434_asm(a, b, c); - return; - } -#endif - - unsigned int i, borrow = 0; - digit_t mask; - - for (i = 0; i < S2N_SIKE_P434_R3_NWORDS_FIELD; i++) { - S2N_SIKE_P434_R3_SUBC(borrow, a[i], b[i], borrow, c[i]); - } - mask = 0 - (digit_t)borrow; - - borrow = 0; - for (i = 0; i < S2N_SIKE_P434_R3_NWORDS_FIELD; i++) { - S2N_SIKE_P434_R3_ADDC(borrow, c[i], ((const digit_t*)p434x2)[i] & mask, borrow, c[i]); - } -} - -/* Modular negation, a = -a mod p434. - * Input/output: a in [0, 2*p434-1] */ -void fpneg434(digit_t* a) -{ - unsigned int i, borrow = 0; - - for (i = 0; i < S2N_SIKE_P434_R3_NWORDS_FIELD; i++) { - S2N_SIKE_P434_R3_SUBC(borrow, ((const digit_t*)p434x2)[i], a[i], borrow, a[i]); - } -} - -/* Modular division by two, c = a/2 mod p434. - * Input : a in [0, 2*p434-1] - * Output: c in [0, 2*p434-1] */ -void fpdiv2_434(const digit_t* a, digit_t* c) -{ - unsigned int i, carry = 0; - digit_t mask; - - mask = 0 - (digit_t)(a[0] & 1); /* If a is odd compute a+p434 */ - for (i = 0; i < S2N_SIKE_P434_R3_NWORDS_FIELD; i++) { - S2N_SIKE_P434_R3_ADDC(carry, a[i], ((const digit_t*)p434)[i] & mask, carry, c[i]); - } - - mp_shiftr1(c, S2N_SIKE_P434_R3_NWORDS_FIELD); -} - -/* Modular correction to reduce field element a in [0, 2*p434-1] to [0, p434-1]. */ -void fpcorrection434(digit_t* a) -{ - unsigned int i, borrow = 0; - digit_t mask; - - for (i = 0; i < S2N_SIKE_P434_R3_NWORDS_FIELD; i++) { - S2N_SIKE_P434_R3_SUBC(borrow, a[i], ((const digit_t*)p434)[i], borrow, a[i]); - } - mask = 0 - (digit_t)borrow; - - borrow = 0; - for (i = 0; i < S2N_SIKE_P434_R3_NWORDS_FIELD; i++) { - S2N_SIKE_P434_R3_ADDC(borrow, a[i], ((const digit_t*)p434)[i] & mask, borrow, a[i]); - } -} - -/* Digit multiplication, digit * digit -> 2-digit result */ -void digit_x_digit(const digit_t a, const digit_t b, digit_t* c) -{ - register digit_t al, ah, bl, bh, temp; - digit_t albl, albh, ahbl, ahbh, res1, res2, res3, carry; - digit_t mask_low = (digit_t)(-1) >> (sizeof(digit_t)*4), mask_high = (digit_t)(-1) << (sizeof(digit_t)*4); - - al = a & mask_low; /* Low part */ - ah = a >> (sizeof(digit_t) * 4); /* High part */ - bl = b & mask_low; - bh = b >> (sizeof(digit_t) * 4); - - albl = al*bl; - albh = al*bh; - ahbl = ah*bl; - ahbh = ah*bh; - c[0] = albl & mask_low; /* C00 */ - - res1 = albl >> (sizeof(digit_t) * 4); - res2 = ahbl & mask_low; - res3 = albh & mask_low; - temp = res1 + res2 + res3; - carry = temp >> (sizeof(digit_t) * 4); - c[0] ^= temp << (sizeof(digit_t) * 4); /* C01 */ - - res1 = ahbl >> (sizeof(digit_t) * 4); - res2 = albh >> (sizeof(digit_t) * 4); - res3 = ahbh & mask_low; - temp = res1 + res2 + res3 + carry; - c[1] = temp & mask_low; /* C10 */ - carry = temp & mask_high; - c[1] ^= (ahbh & mask_high) + carry; /* C11 */ -} - -/* Multiprecision comba multiply, c = a*b, where lng(a) = lng(b) = nwords. */ -void mp_mul(const digit_t* a, const digit_t* b, digit_t* c, const unsigned int nwords) -{ -#if defined(S2N_SIKE_P434_R3_ASM) - if (s2n_sikep434r3_asm_is_enabled()) { - S2N_SIKE_P434_R3_UNREFERENCED_PARAMETER(nwords); - mul434_asm(a, b, c); - return; - } -#endif - - unsigned int i, j; - digit_t t = 0, u = 0, v = 0, UV[2]; - unsigned int carry; - - for (i = 0; i < nwords; i++) { - for (j = 0; j <= i; j++) { - S2N_SIKE_P434_R3_MUL(a[j], b[i-j], UV+1, UV[0]); - S2N_SIKE_P434_R3_ADDC(0, UV[0], v, carry, v); - S2N_SIKE_P434_R3_ADDC(carry, UV[1], u, carry, u); - t += carry; - } - c[i] = v; - v = u; - u = t; - t = 0; - } - - for (i = nwords; i < 2*nwords-1; i++) { - for (j = i-nwords+1; j < nwords; j++) { - S2N_SIKE_P434_R3_MUL(a[j], b[i-j], UV+1, UV[0]); - S2N_SIKE_P434_R3_ADDC(0, UV[0], v, carry, v); - S2N_SIKE_P434_R3_ADDC(carry, UV[1], u, carry, u); - t += carry; - } - c[i] = v; - v = u; - u = t; - t = 0; - } - c[2*nwords-1] = v; -} - -/* Efficient Montgomery reduction using comba and exploiting the special form of the prime p434. - * mc = ma*R^-1 mod p434x2, where R = 2^448. - * If ma < 2^448*p434, the output mc is in the range [0, 2*p434-1]. - * ma is assumed to be in Montgomery representation. */ -void rdc_mont(digit_t* ma, digit_t* mc) -{ -#if defined(S2N_SIKE_P434_R3_ASM) - if (s2n_sikep434r3_asm_is_enabled()) { - rdc434_asm(ma, mc); - return; - } -#endif - - unsigned int i, j, carry, count = S2N_SIKE_P434_R3_ZERO_WORDS; - digit_t UV[2], t = 0, u = 0, v = 0; - - for (i = 0; i < S2N_SIKE_P434_R3_NWORDS_FIELD; i++) { - mc[i] = 0; - } - - for (i = 0; i < S2N_SIKE_P434_R3_NWORDS_FIELD; i++) { - for (j = 0; j < i; j++) { - if (j < (i-S2N_SIKE_P434_R3_ZERO_WORDS+1)) { - S2N_SIKE_P434_R3_MUL(mc[j], ((const digit_t*)p434p1)[i-j], UV+1, UV[0]); - S2N_SIKE_P434_R3_ADDC(0, UV[0], v, carry, v); - S2N_SIKE_P434_R3_ADDC(carry, UV[1], u, carry, u); - t += carry; - } - } - S2N_SIKE_P434_R3_ADDC(0, v, ma[i], carry, v); - S2N_SIKE_P434_R3_ADDC(carry, u, 0, carry, u); - t += carry; - mc[i] = v; - v = u; - u = t; - t = 0; - } - - for (i = S2N_SIKE_P434_R3_NWORDS_FIELD; i < 2*S2N_SIKE_P434_R3_NWORDS_FIELD-1; i++) { - if (count > 0) { - count -= 1; - } - for (j = i-S2N_SIKE_P434_R3_NWORDS_FIELD+1; j < S2N_SIKE_P434_R3_NWORDS_FIELD; j++) { - if (j < (S2N_SIKE_P434_R3_NWORDS_FIELD-count)) { - S2N_SIKE_P434_R3_MUL(mc[j], ((const digit_t*)p434p1)[i-j], UV+1, UV[0]); - S2N_SIKE_P434_R3_ADDC(0, UV[0], v, carry, v); - S2N_SIKE_P434_R3_ADDC(carry, UV[1], u, carry, u); - t += carry; - } - } - S2N_SIKE_P434_R3_ADDC(0, v, ma[i], carry, v); - S2N_SIKE_P434_R3_ADDC(carry, u, 0, carry, u); - t += carry; - mc[i-S2N_SIKE_P434_R3_NWORDS_FIELD] = v; - v = u; - u = t; - t = 0; - } - - /* `carry` isn't read after this, but it's still a necessary argument to the macro */ - /* cppcheck-suppress unreadVariable */ - S2N_SIKE_P434_R3_ADDC(0, v, ma[2*S2N_SIKE_P434_R3_NWORDS_FIELD-1], carry, v); - mc[S2N_SIKE_P434_R3_NWORDS_FIELD-1] = v; -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_fp.h b/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_fp.h deleted file mode 100644 index 7844ba0457..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_fp.h +++ /dev/null @@ -1,39 +0,0 @@ -/******************************************************************************************** -* Supersingular Isogeny Key Encapsulation Library -* -* Abstract: modular arithmetic for P434 -*********************************************************************************************/ - -#pragma once - -#include "sikep434r3.h" - -#define mp_sub434_p2 S2N_SIKE_P434_R3_NAMESPACE(mp_sub434_p2) -void mp_sub434_p2(const digit_t* a, const digit_t* b, digit_t* c); - -#define mp_sub434_p4 S2N_SIKE_P434_R3_NAMESPACE(mp_sub434_p4) -void mp_sub434_p4(const digit_t* a, const digit_t* b, digit_t* c); - -#define fpadd434 S2N_SIKE_P434_R3_NAMESPACE(fpadd434) -void fpadd434(const digit_t* a, const digit_t* b, digit_t* c); - -#define fpsub434 S2N_SIKE_P434_R3_NAMESPACE(fpsub434) -void fpsub434(const digit_t* a, const digit_t* b, digit_t* c); - -#define fpneg434 S2N_SIKE_P434_R3_NAMESPACE(fpneg434) -void fpneg434(digit_t* a); - -#define fpdiv2_434 S2N_SIKE_P434_R3_NAMESPACE(fpdiv2_434) -void fpdiv2_434(const digit_t* a, digit_t* c); - -#define fpcorrection434 S2N_SIKE_P434_R3_NAMESPACE(fpcorrection434) -void fpcorrection434(digit_t* a); - -#define digit_x_digit S2N_SIKE_P434_R3_NAMESPACE(digit_x_digit) -void digit_x_digit(const digit_t a, const digit_t b, digit_t* c); - -#define mp_mul S2N_SIKE_P434_R3_NAMESPACE(mp_mul) -void mp_mul(const digit_t* a, const digit_t* b, digit_t* c, const unsigned int nwords); - -#define rdc_mont S2N_SIKE_P434_R3_NAMESPACE(rdc_mont) -void rdc_mont(digit_t* ma, digit_t* mc); diff --git a/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_fp_x64_asm.S b/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_fp_x64_asm.S deleted file mode 100644 index 1814a8b25a..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_fp_x64_asm.S +++ /dev/null @@ -1,1054 +0,0 @@ -//******************************************************************************************* -// Supersingular Isogeny Key Encapsulation Library -// -// Abstract: field arithmetic in x64 assembly for P434 on Linux -//******************************************************************************************* - -/* Requires bmi2 instruction set for mulx. adx instructions are optional, but preferred. */ -.intel_syntax noprefix - -#define S2N_SIKE_P434_R3_NAMESPACE(s) s2n_sike_p434_r3_##s - -// Registers that are used for parameter passing: -#define reg_p1 rdi -#define reg_p2 rsi -#define reg_p3 rdx - -// Define addition instructions -#ifdef S2N_ADX - -#define ADD1 adox -#define ADC1 adox -#define ADD2 adcx -#define ADC2 adcx - -#else - -#define ADD1 add -#define ADC1 adc -#define ADD2 add -#define ADC2 adc - -#endif - -#if defined(__linux__) && defined(__ELF__) -.section .note.GNU-stack,"",%progbits -#endif - -.text - -#define asm_p434 S2N_SIKE_P434_R3_NAMESPACE(asm_p434) -.align 32 -.type asm_p434, @object -.size asm_p434, 56 -asm_p434: -.quad -1 -.quad -1 -.quad -1 -.quad -161717841442111489 -.quad 8918917783347572387 -.quad 7853257225132122198 -.quad 620258357900100 - - -#define asm_p434x2 S2N_SIKE_P434_R3_NAMESPACE(asm_p434x2) -.align 32 -.type asm_p434x2, @object -.size asm_p434x2, 56 -asm_p434x2: -.quad -2 -.quad -1 -.quad -1 -.quad -323435682884222977 -.quad -608908507014406841 -.quad -2740229623445307220 -.quad 1240516715800200 - - -#define asm_p434x4 S2N_SIKE_P434_R3_NAMESPACE(asm_p434x4) -.align 32 -.type asm_p434x4, @object -.size asm_p434x4, 56 -asm_p434x4: -.quad -4 -.quad -1 -.quad -1 -.quad -646871365768445953 -.quad -1217817014028813681 -.quad -5480459246890614439 -.quad 2481033431600401 - - -#define asm_p434p1 S2N_SIKE_P434_R3_NAMESPACE(asm_p434p1) -.align 32 -.type asm_p434p1, @object -.size asm_p434p1, 56 -asm_p434p1: -.quad 0 -.quad 0 -.quad 0 -.quad -161717841442111488 -.quad 8918917783347572387 -.quad 7853257225132122198 -.quad 620258357900100 - -//*********************************************************************** -// Field addition -// Operation: c [reg_p3] = a [reg_p1] + b [reg_p2] -//*********************************************************************** -#define fpadd434_asm S2N_SIKE_P434_R3_NAMESPACE(fpadd434_asm) -.global fpadd434_asm -fpadd434_asm: - push r12 - push r13 - push r14 - push r15 - push rbx - push rbp - - xor rax, rax - mov r8, [reg_p1] - mov r9, [reg_p1+8] - mov r10, [reg_p1+16] - mov r11, [reg_p1+24] - mov r12, [reg_p1+32] - mov r13, [reg_p1+40] - mov r14, [reg_p1+48] - add r8, [reg_p2] - adc r9, [reg_p2+8] - adc r10, [reg_p2+16] - adc r11, [reg_p2+24] - adc r12, [reg_p2+32] - adc r13, [reg_p2+40] - adc r14, [reg_p2+48] - - mov rbx, [rip+asm_p434x2] - sub r8, rbx - mov rcx, [rip+asm_p434x2+8] - sbb r9, rcx - sbb r10, rcx - mov rdi, [rip+asm_p434x2+24] - sbb r11, rdi - mov rsi, [rip+asm_p434x2+32] - sbb r12, rsi - mov rbp, [rip+asm_p434x2+40] - sbb r13, rbp - mov r15, [rip+asm_p434x2+48] - sbb r14, r15 - sbb rax, 0 - - and rbx, rax - and rcx, rax - and rdi, rax - and rsi, rax - and rbp, rax - and r15, rax - - add r8, rbx - adc r9, rcx - adc r10, rcx - adc r11, rdi - adc r12, rsi - adc r13, rbp - adc r14, r15 - mov [reg_p3], r8 - mov [reg_p3+8], r9 - mov [reg_p3+16], r10 - mov [reg_p3+24], r11 - mov [reg_p3+32], r12 - mov [reg_p3+40], r13 - mov [reg_p3+48], r14 - - pop rbp - pop rbx - pop r15 - pop r14 - pop r13 - pop r12 - ret - -//*********************************************************************** -// Field subtraction -// Operation: c [reg_p3] = a [reg_p1] - b [reg_p2] -//*********************************************************************** -#define fpsub434_asm S2N_SIKE_P434_R3_NAMESPACE(fpsub434_asm) -.global fpsub434_asm -fpsub434_asm: - push r12 - push r13 - push r14 - - xor rax, rax - mov r8, [reg_p1] - mov r9, [reg_p1+8] - mov r10, [reg_p1+16] - mov r11, [reg_p1+24] - mov r12, [reg_p1+32] - mov r13, [reg_p1+40] - mov r14, [reg_p1+48] - sub r8, [reg_p2] - sbb r9, [reg_p2+8] - sbb r10, [reg_p2+16] - sbb r11, [reg_p2+24] - sbb r12, [reg_p2+32] - sbb r13, [reg_p2+40] - sbb r14, [reg_p2+48] - sbb rax, 0 - - mov rcx, [rip+asm_p434x2] - mov rdi, [rip+asm_p434x2+8] - mov rsi, [rip+asm_p434x2+24] - and rcx, rax - and rdi, rax - and rsi, rax - add r8, rcx - adc r9, rdi - adc r10, rdi - adc r11, rsi - mov [reg_p3], r8 - mov [reg_p3+8], r9 - mov [reg_p3+16], r10 - mov [reg_p3+24], r11 - setc cl - - mov r8, [rip+asm_p434x2+32] - mov rdi, [rip+asm_p434x2+40] - mov rsi, [rip+asm_p434x2+48] - and r8, rax - and rdi, rax - and rsi, rax - bt rcx, 0 - adc r12, r8 - adc r13, rdi - adc r14, rsi - mov [reg_p3+32], r12 - mov [reg_p3+40], r13 - mov [reg_p3+48], r14 - - pop r14 - pop r13 - pop r12 - ret - -///////////////////////////////////////////////////////////////// MACRO -.macro SUB434_PX P0 - push r12 - push r13 - - mov r8, [reg_p1] - mov r9, [reg_p1+8] - mov r10, [reg_p1+16] - mov r11, [reg_p1+24] - mov r12, [reg_p1+32] - mov r13, [reg_p1+40] - mov rcx, [reg_p1+48] - sub r8, [reg_p2] - sbb r9, [reg_p2+8] - sbb r10, [reg_p2+16] - sbb r11, [reg_p2+24] - sbb r12, [reg_p2+32] - sbb r13, [reg_p2+40] - sbb rcx, [reg_p2+48] - - mov rax, [rip+\P0] - mov rdi, [rip+\P0+8] - mov rsi, [rip+\P0+24] - add r8, rax - mov rax, [rip+\P0+32] - adc r9, rdi - adc r10, rdi - adc r11, rsi - mov rdi, [rip+\P0+40] - mov rsi, [rip+\P0+48] - adc r12, rax - adc r13, rdi - adc rcx, rsi - mov [reg_p3], r8 - mov [reg_p3+8], r9 - mov [reg_p3+16], r10 - mov [reg_p3+24], r11 - mov [reg_p3+32], r12 - mov [reg_p3+40], r13 - mov [reg_p3+48], rcx - - pop r13 - pop r12 -.endm - -//*********************************************************************** -// Multiprecision subtraction with correction with 2*p434 -// Operation: c [reg_p3] = a [reg_p1] - b [reg_p2] + 2*p434 -//*********************************************************************** -#define mp_sub434_p2_asm S2N_SIKE_P434_R3_NAMESPACE(mp_sub434_p2_asm) -.global mp_sub434_p2_asm -mp_sub434_p2_asm: - SUB434_PX asm_p434x2 - ret - -//*********************************************************************** -// Multiprecision subtraction with correction with 4*p434 -// Operation: c [reg_p3] = a [reg_p1] - b [reg_p2] + 4*p434 -//*********************************************************************** -#define mp_sub434_p4_asm S2N_SIKE_P434_R3_NAMESPACE(mp_sub434_p4_asm) -.global mp_sub434_p4_asm -mp_sub434_p4_asm: - SUB434_PX asm_p434x4 - ret - -///////////////////////////////////////////////////////////////// MACRO -// Schoolbook integer multiplication -// Inputs: memory pointers M0 and M1 -// Outputs: memory pointer C and regs T1, T3, rax -// Temps: regs T0:T6 -///////////////////////////////////////////////////////////////// -#ifdef S2N_ADX - -.macro MUL192_SCHOOL M0, M1, C, T0, T1, T2, T3, T4, T5, T6 - mov rdx, \M0 - mulx \T0, \T1, \M1 // T0:T1 = A0*B0 - mov \C, \T1 // C0_final - mulx \T1, \T2, 8\M1 // T1:T2 = A0*B1 - xor rax, rax - adox \T0, \T2 - mulx \T2, \T3, 16\M1 // T2:T3 = A0*B2 - adox \T1, \T3 - - mov rdx, 8\M0 - mulx \T3, \T4, \M1 // T3:T4 = A1*B0 - adox \T2, rax - xor rax, rax - mulx \T5, \T6, 8\M1 // T5:T6 = A1*B1 - adox \T4, \T0 - mov 8\C, \T4 // C1_final - adcx \T3, \T6 - mulx \T6, \T0, 16\M1 // T6:T0 = A1*B2 - adox \T3, \T1 - adcx \T5, \T0 - adcx \T6, rax - adox \T5, \T2 - - mov rdx, 16\M0 - mulx \T1, \T0, \M1 // T1:T0 = A2*B0 - adox \T6, rax - xor rax, rax - mulx \T4, \T2, 8\M1 // T4:T2 = A2*B1 - adox \T0, \T3 - mov 16\C, \T0 // C2_final - adcx \T1, \T5 - mulx \T0, \T3, 16\M1 // T0:T3 = A2*B2 - adcx \T4, \T6 - adcx \T0, rax - adox \T1, \T2 - adox \T3, \T4 - adox rax, \T0 -.endm - -///////////////////////////////////////////////////////////////// MACRO -// Schoolbook integer multiplication -// Inputs: memory pointers M0 and M1 -// Outputs: memory pointer C -// Temps: regs T0:T9 -///////////////////////////////////////////////////////////////// -.macro MUL256_SCHOOL M0, M1, C, T0, T1, T2, T3, T4, T5, T6, T7, T8, T9 - mov rdx, \M0 - mulx \T0, \T1, \M1 // T0:T1 = A0*B0 - mov \C, \T1 // C0_final - mulx \T1, \T2, 8\M1 // T1:T2 = A0*B1 - xor rax, rax - adox \T0, \T2 - mulx \T2, \T3, 16\M1 // T2:T3 = A0*B2 - adox \T1, \T3 - mulx \T3, \T4, 24\M1 // T3:T4 = A0*B3 - adox \T2, \T4 - - mov rdx, 8\M0 - mulx \T5, \T4, \M1 // T5:T4 = A1*B0 - adox \T3, rax - xor rax, rax - mulx \T6, \T7, 8\M1 // T6:T7 = A1*B1 - adox \T4, \T0 - mov 8\C, \T4 // C1_final - adcx \T5, \T7 - mulx \T7, \T8, 16\M1 // T7:T8 = A1*B2 - adcx \T6, \T8 - adox \T5, \T1 - mulx \T8, \T9, 24\M1 // T8:T9 = A1*B3 - adcx \T7, \T9 - adcx \T8, rax - adox \T6, \T2 - - mov rdx, 16\M0 - mulx \T1, \T0, \M1 // T1:T0 = A2*B0 - adox \T7, \T3 - adox \T8, rax - xor rax, rax - mulx \T2, \T3, 8\M1 // T2:T3 = A2*B1 - adox \T0, \T5 - mov 16\C, \T0 // C2_final - adcx \T1, \T3 - mulx \T3, \T4, 16\M1 // T3:T4 = A2*B2 - adcx \T2, \T4 - adox \T1, \T6 - mulx \T4,\T9, 24\M1 // T3:T4 = A2*B3 - adcx \T3, \T9 - mov rdx, 24\M0 - adcx \T4, rax - - adox \T2, \T7 - adox \T3, \T8 - adox \T4, rax - - mulx \T5, \T0, \M1 // T5:T0 = A3*B0 - xor rax, rax - mulx \T6, \T7, 8\M1 // T6:T7 = A3*B1 - adcx \T5, \T7 - adox \T1, \T0 - mulx \T7, \T8, 16\M1 // T7:T8 = A3*B2 - adcx \T6, \T8 - adox \T2, \T5 - mulx \T8, \T9, 24\M1 // T8:T9 = A3*B3 - adcx \T7, \T9 - adcx \T8, rax - - adox \T3, \T6 - adox \T4, \T7 - adox \T8, rax - mov 24\C, \T1 // C3_final - mov 32\C, \T2 // C4_final - mov 40\C, \T3 // C5_final - mov 48\C, \T4 // C6_final - mov 56\C, \T8 // C7_final -.endm - -#else // S2N_ADX - -.macro MUL192_SCHOOL M0, M1, C, T0, T1, T2, T3, T4, T5, T6 - mov rdx, \M0 - mulx \T0, \T1, \M1 // T0:T1 = A0*B0 - mov \C, \T1 // C0_final - mulx \T1, \T2, 8\M1 // T1:T2 = A0*B1 - add \T0, \T2 - mulx \T2, \T3, 16\M1 // T2:T3 = A0*B2 - adc \T1, \T3 - - mov rdx, 8\M0 - mulx \T3, \T4, \M1 // T3:T4 = A1*B0 - adc \T2, 0 - mulx \T5, \T6, 8\M1 // T5:T6 = A1*B1 - add \T4, \T0 - mov 8\C, \T4 // C1_final - adc \T3, \T1 - adc \T5, \T2 - mulx \T2, \T1, 16\M1 // T2:T1 = A1*B2 - adc \T2, 0 - - add \T3, \T6 - adc \T5, \T1 - adc \T2, 0 - - mov rdx, 16\M0 - mulx \T1, \T0, \M1 // T1:T0 = A2*B0 - add \T0, \T3 - mov 16\C, \T0 // C2_final - mulx \T4, \T6, 8\M1 // T4:T6 = A2*B1 - adc \T1, \T5 - adc \T2, \T4 - mulx rax, \T3, 16\M1 // rax:T3 = A2*B2 - adc rax, 0 - add \T1, \T6 - adc \T3, \T2 - adc rax, 0 -.endm - -.macro MUL256_SCHOOL M0, M1, C, T0, T1, T2, T3, T4, T5, T6, T7, T8, T9 - mov rdx, \M0 - mulx \T0, \T1, \M1 // T0:T1 = A0*B0 - mov \C, \T1 // C0_final - mulx \T1, \T2, 8\M1 // T1:T2 = A0*B1 - add \T0, \T2 - mulx \T2, \T3, 16\M1 // T2:T3 = A0*B2 - adc \T1, \T3 - mulx \T3, \T4, 24\M1 // T3:T4 = A0*B3 - adc \T2, \T4 - mov rdx, 8\M0 - adc \T3, 0 - - mulx \T5, \T4, \M1 // T5:T4 = A1*B0 - mulx \T6, \T7, 8\M1 // T6:T7 = A1*B1 - add \T5, \T7 - mulx \T7, \T8, 16\M1 // T7:T8 = A1*B2 - adc \T6, \T8 - mulx \T8, \T9, 24\M1 // T8:T9 = A1*B3 - adc \T7, \T9 - adc \T8, 0 - - add \T4, \T0 - mov 8\C, \T4 // C1_final - adc \T5, \T1 - adc \T6, \T2 - adc \T7, \T3 - mov rdx, 16\M0 - adc \T8, 0 - - mulx \T1, \T0, \M1 // T1:T0 = A2*B0 - mulx \T2, \T3, 8\M1 // T2:T3 = A2*B1 - add \T1, \T3 - mulx \T3, \T4, 16\M1 // T3:T4 = A2*B2 - adc \T2, \T4 - mulx \T4,\T9, 24\M1 // T3:T4 = A2*B3 - adc \T3, \T9 - mov rdx, 24\M0 - adc \T4, 0 - - add \T0, \T5 - mov 16\C, \T0 // C2_final - adc \T1, \T6 - adc \T2, \T7 - adc \T3, \T8 - adc \T4, 0 - - mulx \T5, \T0, \M1 // T5:T0 = A3*B0 - mulx \T6, \T7, 8\M1 // T6:T7 = A3*B1 - add \T5, \T7 - mulx \T7, \T8, 16\M1 // T7:T8 = A3*B2 - adc \T6, \T8 - mulx \T8, \T9, 24\M1 // T8:T9 = A3*B3 - adc \T7, \T9 - adc \T8, 0 - - add \T1, \T0 - mov 24\C, \T1 // C3_final - adc \T2, \T5 - mov 32\C, \T2 // C4_final - adc \T3, \T6 - mov 40\C, \T3 // C5_final - adc \T4, \T7 - mov 48\C, \T4 // C6_final - adc \T8, 0 - mov 56\C, \T8 // C7_final -.endm - -#endif // S2N_ADX - -//***************************************************************************** -// 434-bit multiplication using Karatsuba (one level), schoolbook (one level) -//***************************************************************************** -#define mul434_asm S2N_SIKE_P434_R3_NAMESPACE(mul434_asm) -.global mul434_asm -mul434_asm: - push r12 - push r13 - push r14 - push r15 - mov rcx, reg_p3 - - // r8-r11 <- AH + AL, rax <- mask - xor rax, rax - mov r8, [reg_p1] - mov r9, [reg_p1+8] - mov r10, [reg_p1+16] - mov r11, [reg_p1+24] - push rbx - push rbp - sub rsp, 96 - add r8, [reg_p1+32] - adc r9, [reg_p1+40] - adc r10, [reg_p1+48] - adc r11, 0 - sbb rax, 0 - mov [rsp], r8 - mov [rsp+8], r9 - mov [rsp+16], r10 - mov [rsp+24], r11 - - // r12-r15 <- BH + BL, rbx <- mask - xor rbx, rbx - mov r12, [reg_p2] - mov r13, [reg_p2+8] - mov r14, [reg_p2+16] - mov r15, [reg_p2+24] - add r12, [reg_p2+32] - adc r13, [reg_p2+40] - adc r14, [reg_p2+48] - adc r15, 0 - sbb rbx, 0 - mov [rsp+32], r12 - mov [rsp+40], r13 - mov [rsp+48], r14 - mov [rsp+56], r15 - - // r12-r15 <- masked (BH + BL) - and r12, rax - and r13, rax - and r14, rax - and r15, rax - - // r8-r11 <- masked (AH + AL) - and r8, rbx - and r9, rbx - and r10, rbx - and r11, rbx - - // r8-r11 <- masked (AH + AL) + masked (AH + AL) - add r8, r12 - adc r9, r13 - adc r10, r14 - adc r11, r15 - mov [rsp+64], r8 - mov [rsp+72], r9 - mov [rsp+80], r10 - mov [rsp+88], r11 - - // [rsp] <- (AH+AL) x (BH+BL), low part - MUL256_SCHOOL [rsp], [rsp+32], [rsp], r8, r9, r10, r11, r12, r13, r14, r15, rbx, rbp - - // [rcx] <- AL x BL - MUL256_SCHOOL [reg_p1], [reg_p2], [rcx], r8, r9, r10, r11, r12, r13, r14, r15, rbx, rbp // Result C0-C3 - - // [rcx+64], rbx, rbp, rax <- AH x BH - MUL192_SCHOOL [reg_p1+32], [reg_p2+32], [rcx+64], r8, rbx, r10, rbp, r12, r13, r14 - - // r8-r11 <- (AH+AL) x (BH+BL), final step - mov r8, [rsp+64] - mov r9, [rsp+72] - mov r10, [rsp+80] - mov r11, [rsp+88] - mov rdx, [rsp+32] - add r8, rdx - mov rdx, [rsp+40] - adc r9, rdx - mov rdx, [rsp+48] - adc r10, rdx - mov rdx, [rsp+56] - adc r11, rdx - - // r8-r15 <- (AH+AL) x (BH+BL) - ALxBL - mov r12, [rsp] - mov r13, [rsp+8] - mov r14, [rsp+16] - mov r15, [rsp+24] - sub r12, [rcx] - sbb r13, [rcx+8] - sbb r14, [rcx+16] - sbb r15, [rcx+24] - sbb r8, [rcx+32] - sbb r9, [rcx+40] - sbb r10, [rcx+48] - sbb r11, [rcx+56] - - // r8-r15 <- (AH+AL) x (BH+BL) - ALxBL - AHxBH - sub r12, [rcx+64] - sbb r13, [rcx+72] - sbb r14, [rcx+80] - sbb r15, rbx - sbb r8, rbp - sbb r9, rax - sbb r10, 0 - sbb r11, 0 - - add r12, [rcx+32] - mov [rcx+32], r12 // Result C4-C7 - adc r13, [rcx+40] - mov [rcx+40], r13 - adc r14, [rcx+48] - mov [rcx+48], r14 - adc r15, [rcx+56] - mov [rcx+56], r15 - adc r8, [rcx+64] - mov [rcx+64], r8 // Result C8-C15 - adc r9, [rcx+72] - mov [rcx+72], r9 - adc r10, [rcx+80] - mov [rcx+80], r10 - adc r11, rbx - mov [rcx+88], r11 - adc rbp, 0 - mov [rcx+96], rbp - adc rax, 0 - mov [rcx+104], rax - - add rsp, 96 - pop rbp - pop rbx - pop r15 - pop r14 - pop r13 - pop r12 - ret - -///////////////////////////////////////////////////////////////// MACRO -// Schoolbook integer multiplication -// Inputs: reg I0 and memory pointer M1 -// Outputs: regs T0:T4 -// Temps: regs T0:T5 -///////////////////////////////////////////////////////////////// -.macro MUL64x256_SCHOOL I0, M1, T0, T1, T2, T3, T4, T5 - mulx \T2, \T4, 8\M1 - xor rax, rax - mulx \T3, \T5, 16\M1 - ADD1 \T1, \T4 // T1 <- C1_final - ADC1 \T2, \T5 // T2 <- C2_final - mulx \T4, \T5, 24\M1 - ADC1 \T3, \T5 // T3 <- C3_final - ADC1 \T4, rax // T4 <- C4_final -.endm - -///////////////////////////////////////////////////////////////// MACRO -// Schoolbook integer multiplication -// Inputs: regs I0 and I1, and memory pointer M1 -// Outputs: regs T0:T5 -// Temps: regs T0:T5 -///////////////////////////////////////////////////////////////// -#ifdef S2N_ADX - -.macro MUL128x256_SCHOOL I0, I1, M1, T0, T1, T2, T3, T4, T5 - mulx \T2, \T4, 8\M1 - xor rax, rax - mulx \T3, \T5, 16\M1 - ADD1 \T1, \T4 - ADC1 \T2, \T5 - mulx \T4, \T5, 24\M1 - ADC1 \T3, \T5 - ADC1 \T4, rax - - xor rax, rax - mov rdx, \I1 - mulx \I1, \T5, \M1 - ADD2 \T1, \T5 // T1 <- C1_final - ADC2 \T2, \I1 - mulx \T5, \I1, 8\M1 - ADC2 \T3, \T5 - ADD1 \T2, \I1 - mulx \T5, \I1, 16\M1 - ADC2 \T4, \T5 - ADC1 \T3, \I1 - mulx \T5, \I1, 24\M1 - ADC2 \T5, rax - ADC1 \T4, \I1 - ADC1 \T5, rax -.endm - -#else // S2N_ADX - -.macro MUL128x256_SCHOOL I0, I1, M1, T0, T1, T2, T3, T4, T5 - mulx \T2, \T4, 8\M1 - mulx \T3, \T5, 16\M1 - add \T1, \T4 - adc \T2, \T5 - mulx \T4, \T5, 24\M1 - adc \T3, \T5 - adc \T4, 0 - - mov rdx, \I1 - mulx \I1, \T5, \M1 - add \T1, \T5 // T1 <- C1_final - adc \T2, \I1 - mulx \T5, \I1, 8\M1 - adc \T3, \T5 - mulx \T5, rax, 16\M1 - adc \T4, \T5 - mulx \T5, rdx, 24\M1 - adc \T5, 0 - add \T2, \I1 - adc \T3, rax - adc \T4, rdx - adc \T5, 0 -.endm - -#endif // S2N_ADX - -//************************************************************************************** -// Montgomery reduction -// Based on method described in Faz-Hernandez et al. https://eprint.iacr.org/2017/1015 -// Operation: c [reg_p2] = a [reg_p1] -//************************************************************************************** -#define rdc434_asm S2N_SIKE_P434_R3_NAMESPACE(rdc434_asm) -.global rdc434_asm -rdc434_asm: - push r14 - - // a[0-1] x p434p1_nz --> result: r8:r13 - mov rdx, [reg_p1] - mov r14, [reg_p1+8] - mulx r9, r8, [rip+asm_p434p1+24] // result r8 - push r12 - push r13 - push r15 - push rbp - push rbx - MUL128x256_SCHOOL rdx, r14, [rip+asm_p434p1+24], r8, r9, r10, r11, r12, r13 - - mov rdx, [reg_p1+16] - mov rcx, [reg_p1+72] - add r8, [reg_p1+24] - adc r9, [reg_p1+32] - adc r10, [reg_p1+40] - adc r11, [reg_p1+48] - adc r12, [reg_p1+56] - adc r13, [reg_p1+64] - adc rcx, 0 - mulx rbp, rbx, [rip+asm_p434p1+24] // result rbx - mov [reg_p2], r9 - mov [reg_p2+8], r10 - mov [reg_p2+16], r11 - mov [reg_p2+24], r12 - mov [reg_p2+32], r13 - mov r9, [reg_p1+80] - mov r10, [reg_p1+88] - mov r11, [reg_p1+96] - mov rdi, [reg_p1+104] - adc r9, 0 - adc r10, 0 - adc r11, 0 - adc rdi, 0 - - // a[2-3] x p434p1_nz --> result: rbx, rbp, r12:r15 - MUL128x256_SCHOOL rdx, r8, [rip+asm_p434p1+24], rbx, rbp, r12, r13, r14, r15 - - mov rdx, [reg_p2] - add rbx, [reg_p2+8] - adc rbp, [reg_p2+16] - adc r12, [reg_p2+24] - adc r13, [reg_p2+32] - adc r14, rcx - mov rcx, 0 - adc r15, r9 - adc rcx, r10 - mulx r9, r8, [rip+asm_p434p1+24] // result r8 - mov [reg_p2], rbp - mov [reg_p2+8], r12 - mov [reg_p2+16], r13 - adc r11, 0 - adc rdi, 0 - - // a[4-5] x p434p1_nz --> result: r8:r13 - MUL128x256_SCHOOL rdx, rbx, [rip+asm_p434p1+24], r8, r9, r10, rbp, r12, r13 - - mov rdx, [reg_p2] - add r8, [reg_p2+8] - adc r9, [reg_p2+16] - adc r10, r14 - adc rbp, r15 - adc r12, rcx - adc r13, r11 - adc rdi, 0 - mulx r15, r14, [rip+asm_p434p1+24] // result r14 - mov [reg_p2], r8 // Final result c0-c1 - mov [reg_p2+8], r9 - - // a[6-7] x p434p1_nz --> result: r14:r15, r8:r9, r11 - MUL64x256_SCHOOL rdx, [rip+asm_p434p1+24], r14, r15, r8, r9, r11, rcx - - // Final result c2:c6 - add r14, r10 - adc r15, rbp - pop rbx - pop rbp - adc r8, r12 - adc r9, r13 - adc r11, rdi - mov [reg_p2+16], r14 - mov [reg_p2+24], r15 - pop r15 - pop r13 - mov [reg_p2+32], r8 - mov [reg_p2+40], r9 - mov [reg_p2+48], r11 - - pop r12 - pop r14 - ret - -//*********************************************************************** -// 434-bit multiprecision addition -// Operation: c [reg_p3] = a [reg_p1] + b [reg_p2] -//*********************************************************************** -#define mp_add434_asm S2N_SIKE_P434_R3_NAMESPACE(mp_add434_asm) -.global mp_add434_asm -mp_add434_asm: - mov r8, [reg_p1] - mov r9, [reg_p1+8] - mov r10, [reg_p1+16] - mov r11, [reg_p1+24] - add r8, [reg_p2] - adc r9, [reg_p2+8] - adc r10, [reg_p2+16] - adc r11, [reg_p2+24] - mov [reg_p3], r8 - mov [reg_p3+8], r9 - mov [reg_p3+16], r10 - mov [reg_p3+24], r11 - - mov r8, [reg_p1+32] - mov r9, [reg_p1+40] - mov r10, [reg_p1+48] - adc r8, [reg_p2+32] - adc r9, [reg_p2+40] - adc r10, [reg_p2+48] - mov [reg_p3+32], r8 - mov [reg_p3+40], r9 - mov [reg_p3+48], r10 - ret - -//*************************************************************************** -// 2x434-bit multiprecision subtraction/addition -// Operation: c [reg_p3] = a [reg_p1] - b [reg_p2]. If c < 0, add p434*2^448 -//*************************************************************************** -#define mp_subadd434x2_asm S2N_SIKE_P434_R3_NAMESPACE(mp_subadd434x2_asm) -.global mp_subadd434x2_asm -mp_subadd434x2_asm: - push r12 - push r13 - push r14 - push r15 - xor rax, rax - mov r8, [reg_p1] - mov r9, [reg_p1+8] - mov r10, [reg_p1+16] - mov r11, [reg_p1+24] - mov r12, [reg_p1+32] - sub r8, [reg_p2] - sbb r9, [reg_p2+8] - sbb r10, [reg_p2+16] - sbb r11, [reg_p2+24] - sbb r12, [reg_p2+32] - mov [reg_p3], r8 - mov [reg_p3+8], r9 - mov [reg_p3+16], r10 - mov [reg_p3+24], r11 - mov [reg_p3+32], r12 - - mov r8, [reg_p1+40] - mov r9, [reg_p1+48] - mov r10, [reg_p1+56] - mov r11, [reg_p1+64] - mov r12, [reg_p1+72] - sbb r8, [reg_p2+40] - sbb r9, [reg_p2+48] - sbb r10, [reg_p2+56] - sbb r11, [reg_p2+64] - sbb r12, [reg_p2+72] - mov [reg_p3+40], r8 - mov [reg_p3+48], r9 - mov [reg_p3+56], r10 - - mov r13, [reg_p1+80] - mov r14, [reg_p1+88] - mov r15, [reg_p1+96] - mov rcx, [reg_p1+104] - sbb r13, [reg_p2+80] - sbb r14, [reg_p2+88] - sbb r15, [reg_p2+96] - sbb rcx, [reg_p2+104] - sbb rax, 0 - - // Add p434 anded with the mask in rax - mov r8, [rip+asm_p434] - mov r9, [rip+asm_p434+24] - mov r10, [rip+asm_p434+32] - mov rdi, [rip+asm_p434+40] - mov rsi, [rip+asm_p434+48] - and r8, rax - and r9, rax - and r10, rax - and rdi, rax - and rsi, rax - mov rax, [reg_p3+56] - add rax, r8 - adc r11, r8 - adc r12, r8 - adc r13, r9 - adc r14, r10 - adc r15, rdi - adc rcx, rsi - - mov [reg_p3+56], rax - mov [reg_p3+64], r11 - mov [reg_p3+72], r12 - mov [reg_p3+80], r13 - mov [reg_p3+88], r14 - mov [reg_p3+96], r15 - mov [reg_p3+104], rcx - pop r15 - pop r14 - pop r13 - pop r12 - ret - -//*********************************************************************** -// Double 2x434-bit multiprecision subtraction -// Operation: c [reg_p3] = c [reg_p3] - a [reg_p1] - b [reg_p2] -//*********************************************************************** -#define mp_dblsub434x2_asm S2N_SIKE_P434_R3_NAMESPACE(mp_dblsub434x2_asm) -.global mp_dblsub434x2_asm -mp_dblsub434x2_asm: - push r12 - push r13 - push r14 - - mov r8, [reg_p3] - mov r9, [reg_p3+8] - mov r10, [reg_p3+16] - mov r11, [reg_p3+24] - mov r12, [reg_p3+32] - mov r13, [reg_p3+40] - mov r14, [reg_p3+48] - sub r8, [reg_p1] - sbb r9, [reg_p1+8] - sbb r10, [reg_p1+16] - sbb r11, [reg_p1+24] - sbb r12, [reg_p1+32] - sbb r13, [reg_p1+40] - sbb r14, [reg_p1+48] - setc al - sub r8, [reg_p2] - sbb r9, [reg_p2+8] - sbb r10, [reg_p2+16] - sbb r11, [reg_p2+24] - sbb r12, [reg_p2+32] - sbb r13, [reg_p2+40] - sbb r14, [reg_p2+48] - setc cl - mov [reg_p3], r8 - mov [reg_p3+8], r9 - mov [reg_p3+16], r10 - mov [reg_p3+24], r11 - mov [reg_p3+32], r12 - mov [reg_p3+40], r13 - mov [reg_p3+48], r14 - - mov r8, [reg_p3+56] - mov r9, [reg_p3+64] - mov r10, [reg_p3+72] - mov r11, [reg_p3+80] - mov r12, [reg_p3+88] - mov r13, [reg_p3+96] - mov r14, [reg_p3+104] - bt rax, 0 - sbb r8, [reg_p1+56] - sbb r9, [reg_p1+64] - sbb r10, [reg_p1+72] - sbb r11, [reg_p1+80] - sbb r12, [reg_p1+88] - sbb r13, [reg_p1+96] - sbb r14, [reg_p1+104] - bt rcx, 0 - sbb r8, [reg_p2+56] - sbb r9, [reg_p2+64] - sbb r10, [reg_p2+72] - sbb r11, [reg_p2+80] - sbb r12, [reg_p2+88] - sbb r13, [reg_p2+96] - sbb r14, [reg_p2+104] - mov [reg_p3+56], r8 - mov [reg_p3+64], r9 - mov [reg_p3+72], r10 - mov [reg_p3+80], r11 - mov [reg_p3+88], r12 - mov [reg_p3+96], r13 - mov [reg_p3+104], r14 - - pop r14 - pop r13 - pop r12 - ret diff --git a/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_fp_x64_asm.h b/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_fp_x64_asm.h deleted file mode 100644 index 1753e25fb4..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_fp_x64_asm.h +++ /dev/null @@ -1,38 +0,0 @@ -/******************************************************************************************** -* Supersingular Isogeny Key Encapsulation Library -* -* Abstract: x86_64 assembly optimized modular arithmetic for P434 -*********************************************************************************************/ - -#pragma once - -#if defined(S2N_SIKE_P434_R3_ASM) - -#define fpadd434_asm S2N_SIKE_P434_R3_NAMESPACE(fpadd434_asm) -void fpadd434_asm(const digit_t* a, const digit_t* b, digit_t* c); - -#define fpsub434_asm S2N_SIKE_P434_R3_NAMESPACE(fpsub434_asm) -void fpsub434_asm(const digit_t* a, const digit_t* b, digit_t* c); - -#define mul434_asm S2N_SIKE_P434_R3_NAMESPACE(mul434_asm) -void mul434_asm(const digit_t* a, const digit_t* b, digit_t* c); - -#define rdc434_asm S2N_SIKE_P434_R3_NAMESPACE(rdc434_asm) -void rdc434_asm(digit_t* ma, digit_t* mc); - -#define mp_add434_asm S2N_SIKE_P434_R3_NAMESPACE(mp_add434_asm) -void mp_add434_asm(const digit_t* a, const digit_t* b, digit_t* c); - -#define mp_subadd434x2_asm S2N_SIKE_P434_R3_NAMESPACE(mp_subadd434x2_asm) -void mp_subadd434x2_asm(const digit_t* a, const digit_t* b, digit_t* c); - -#define mp_dblsub434x2_asm S2N_SIKE_P434_R3_NAMESPACE(mp_dblsub434x2_asm) -void mp_dblsub434x2_asm(const digit_t* a, const digit_t* b, digit_t* c); - -#define mp_sub434_p2_asm S2N_SIKE_P434_R3_NAMESPACE(mp_sub434_p2_asm) -void mp_sub434_p2_asm(const digit_t* a, const digit_t* b, digit_t* c); - -#define mp_sub434_p4_asm S2N_SIKE_P434_R3_NAMESPACE(mp_sub434_p4_asm) -void mp_sub434_p4_asm(const digit_t* a, const digit_t* b, digit_t* c); - -#endif diff --git a/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_fpx.c b/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_fpx.c deleted file mode 100644 index d9cb686edf..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_fpx.c +++ /dev/null @@ -1,512 +0,0 @@ -/******************************************************************************************** -* Supersingular Isogeny Key Encapsulation Library -* -* Abstract: core functions over GF(p) and GF(p^2) -*********************************************************************************************/ - -#include <string.h> -#include "sikep434r3.h" -#include "sikep434r3_fp.h" -#include "sikep434r3_fpx.h" -#include "pq-crypto/s2n_pq.h" -#include "sikep434r3_fp_x64_asm.h" - -static void fpmul_mont(const felm_t ma, const felm_t mb, felm_t mc); -static void to_mont(const felm_t a, felm_t mc); -static void from_mont(const felm_t ma, felm_t c); -static void fpsqr_mont(const felm_t ma, felm_t mc); -static unsigned int mp_sub(const digit_t* a, const digit_t* b, digit_t* c, const unsigned int nwords); -static void fpinv_chain_mont(felm_t a); -static void fpinv_mont(felm_t a); -static void to_fp2mont(const f2elm_t *a, f2elm_t *mc); -static void from_fp2mont(const f2elm_t *ma, f2elm_t *c); - -/* Encoding digits to bytes according to endianness */ -__inline static void encode_to_bytes(const digit_t* x, unsigned char* enc, int nbytes) -{ - if (is_big_endian()) { - int ndigits = nbytes / sizeof(digit_t); - int rem = nbytes % sizeof(digit_t); - - for (int i = 0; i < ndigits; i++) { - digit_t temp = S2N_SIKE_P434_R3_BSWAP_DIGIT(x[i]); - memcpy(enc + (i * sizeof(digit_t)), (unsigned char *)&temp, sizeof(digit_t)); - } - - if (rem) { - digit_t ld = S2N_SIKE_P434_R3_BSWAP_DIGIT(x[ndigits]); - memcpy(enc + ndigits * sizeof(digit_t), (unsigned char *) &ld, rem); - } - } else { - memcpy(enc, (const unsigned char *) x, nbytes); - } -} - -/* Conversion of GF(p^2) element from Montgomery to standard representation, - * and encoding by removing leading 0 bytes */ -void fp2_encode(const f2elm_t *x, unsigned char *enc) -{ - f2elm_t t; - - from_fp2mont(x, &t); - encode_to_bytes(t.e[0], enc, S2N_SIKE_P434_R3_FP2_ENCODED_BYTES / 2); - encode_to_bytes(t.e[1], enc + S2N_SIKE_P434_R3_FP2_ENCODED_BYTES / 2, S2N_SIKE_P434_R3_FP2_ENCODED_BYTES / 2); -} - -/* Parse byte sequence back into GF(p^2) element, and conversion to Montgomery representation */ -void fp2_decode(const unsigned char *x, f2elm_t *dec) -{ - decode_to_digits(x, dec->e[0], S2N_SIKE_P434_R3_FP2_ENCODED_BYTES / 2, S2N_SIKE_P434_R3_NWORDS_FIELD); - decode_to_digits(x + S2N_SIKE_P434_R3_FP2_ENCODED_BYTES / 2, dec->e[1], S2N_SIKE_P434_R3_FP2_ENCODED_BYTES / 2, S2N_SIKE_P434_R3_NWORDS_FIELD); - to_fp2mont(dec, dec); -} - -/* Multiprecision multiplication, c = a*b mod p. */ -static void fpmul_mont(const felm_t ma, const felm_t mb, felm_t mc) -{ - dfelm_t temp = {0}; - - mp_mul(ma, mb, temp, S2N_SIKE_P434_R3_NWORDS_FIELD); - rdc_mont(temp, mc); -} - -/* Conversion to Montgomery representation, - * mc = a*R^2*R^(-1) mod p = a*R mod p, where a in [0, p-1]. - * The Montgomery constant R^2 mod p is the global value "Montgomery_R2". */ -static void to_mont(const felm_t a, felm_t mc) -{ - fpmul_mont(a, (const digit_t*)&Montgomery_R2, mc); -} - -/* Conversion from Montgomery representation to standard representation, - * c = ma*R^(-1) mod p = a mod p, where ma in [0, p-1]. */ -static void from_mont(const felm_t ma, felm_t c) -{ - digit_t one[S2N_SIKE_P434_R3_NWORDS_FIELD] = {0}; - - one[0] = 1; - fpmul_mont(ma, one, c); - fpcorrection434(c); -} - -/* Copy wordsize digits, c = a, where lng(a) = nwords. */ -void copy_words(const digit_t* a, digit_t* c, const unsigned int nwords) -{ - unsigned int i; - - for (i = 0; i < nwords; i++) { - c[i] = a[i]; - } -} - -/* Multiprecision squaring, c = a^2 mod p. */ -static void fpsqr_mont(const felm_t ma, felm_t mc) -{ - dfelm_t temp = {0}; - - mp_mul(ma, ma, temp, S2N_SIKE_P434_R3_NWORDS_FIELD); - rdc_mont(temp, mc); -} - -/* Copy a GF(p^2) element, c = a. */ -void fp2copy(const f2elm_t *a, f2elm_t *c) -{ - fpcopy(a->e[0], c->e[0]); - fpcopy(a->e[1], c->e[1]); -} - -/* GF(p^2) division by two, c = a/2 in GF(p^2). */ -void fp2div2(const f2elm_t *a, f2elm_t *c) -{ - fpdiv2_434(a->e[0], c->e[0]); - fpdiv2_434(a->e[1], c->e[1]); -} - -void fpcorrection(digit_t* a) -{ // Modular correction to reduce field element a in [0, 2*p434-1] to [0, p434-1]. - unsigned int i, borrow = 0; - digit_t mask; - - for (i = 0; i < S2N_SIKE_P434_R3_NWORDS_FIELD; i++) { - S2N_SIKE_P434_R3_SUBC(borrow, a[i], ((const digit_t*)p434)[i], borrow, a[i]); - } - mask = 0 - (digit_t)borrow; - - borrow = 0; - for (i = 0; i < S2N_SIKE_P434_R3_NWORDS_FIELD; i++) { - S2N_SIKE_P434_R3_ADDC(borrow, a[i], ((const digit_t*)p434)[i] & mask, borrow, a[i]); - } -} - -void fp2correction(f2elm_t *a) -{ // Modular correction, a = a in GF(p^2). - fpcorrection(a->e[0]); - fpcorrection(a->e[1]); -} - -/* Multiprecision addition, c = a+b, where lng(a) = lng(b) = nwords. Returns the carry bit. */ -unsigned int mp_add(const digit_t* a, const digit_t* b, digit_t* c, const unsigned int nwords) -{ - unsigned int i, carry = 0; - - for (i = 0; i < nwords; i++) { - S2N_SIKE_P434_R3_ADDC(carry, a[i], b[i], carry, c[i]); - } - - return carry; -} - -/* GF(p^2) squaring using Montgomery arithmetic, c = a^2 in GF(p^2). - * Inputs: a = a0+a1*i, where a0, a1 are in [0, 2*p-1] - * Output: c = c0+c1*i, where c0, c1 are in [0, 2*p-1] */ -void fp2sqr_mont(const f2elm_t *a, f2elm_t *c) -{ - felm_t t1, t2, t3; - - mp_addfast(a->e[0], a->e[1], t1); /* t1 = a0+a1 */ - mp_sub434_p4(a->e[0], a->e[1], t2); /* t2 = a0-a1 */ - mp_addfast(a->e[0], a->e[0], t3); /* t3 = 2a0 */ - fpmul_mont(t1, t2, c->e[0]); /* c0 = (a0+a1)(a0-a1) */ - fpmul_mont(t3, a->e[1], c->e[1]); /* c1 = 2a0*a1 */ -} - -/* Multiprecision subtraction, c = a-b, where lng(a) = lng(b) = nwords. Returns the borrow bit. */ -static unsigned int mp_sub(const digit_t* a, const digit_t* b, digit_t* c, const unsigned int nwords) -{ - unsigned int i, borrow = 0; - - for (i = 0; i < nwords; i++) { - S2N_SIKE_P434_R3_SUBC(borrow, a[i], b[i], borrow, c[i]); - } - - return borrow; -} - -/* Multiprecision subtraction followed by addition with p*2^S2N_SIKE_P434_R3_MAXBITS_FIELD, - * c = a-b+(p*2^S2N_SIKE_P434_R3_MAXBITS_FIELD) if a-b < 0, otherwise c=a-b. */ -__inline static void mp_subaddfast(const digit_t* a, const digit_t* b, digit_t* c) -{ -#if defined(S2N_SIKE_P434_R3_ASM) - if (s2n_sikep434r3_asm_is_enabled()) { - mp_subadd434x2_asm(a, b, c); - return; - } -#endif - - felm_t t1; - - digit_t mask = 0 - (digit_t)mp_sub(a, b, c, 2*S2N_SIKE_P434_R3_NWORDS_FIELD); - for (int i = 0; i < S2N_SIKE_P434_R3_NWORDS_FIELD; i++) { - t1[i] = ((const digit_t *) p434)[i] & mask; - } - mp_addfast((digit_t*)&c[S2N_SIKE_P434_R3_NWORDS_FIELD], t1, (digit_t*)&c[S2N_SIKE_P434_R3_NWORDS_FIELD]); -} - -/* Multiprecision subtraction, c = c-a-b, where lng(a) = lng(b) = 2*S2N_SIKE_P434_R3_NWORDS_FIELD. */ -__inline static void mp_dblsubfast(const digit_t* a, const digit_t* b, digit_t* c) -{ -#if defined(S2N_SIKE_P434_R3_ASM) - if (s2n_sikep434r3_asm_is_enabled()) { - mp_dblsub434x2_asm(a, b, c); - return; - } -#endif - - mp_sub(c, a, c, 2*S2N_SIKE_P434_R3_NWORDS_FIELD); - mp_sub(c, b, c, 2*S2N_SIKE_P434_R3_NWORDS_FIELD); -} - -/* GF(p^2) multiplication using Montgomery arithmetic, c = a*b in GF(p^2). - * Inputs: a = a0+a1*i and b = b0+b1*i, where a0, a1, b0, b1 are in [0, 2*p-1] - * Output: c = c0+c1*i, where c0, c1 are in [0, 2*p-1] */ -void fp2mul_mont(const f2elm_t *a, const f2elm_t *b, f2elm_t *c) -{ - felm_t t1, t2; - dfelm_t tt1, tt2, tt3; - - mp_addfast(a->e[0], a->e[1], t1); /* t1 = a0+a1 */ - mp_addfast(b->e[0], b->e[1], t2); /* t2 = b0+b1 */ - mp_mul(a->e[0], b->e[0], tt1, S2N_SIKE_P434_R3_NWORDS_FIELD); /* tt1 = a0*b0 */ - mp_mul(a->e[1], b->e[1], tt2, S2N_SIKE_P434_R3_NWORDS_FIELD); /* tt2 = a1*b1 */ - mp_mul(t1, t2, tt3, S2N_SIKE_P434_R3_NWORDS_FIELD); /* tt3 = (a0+a1)*(b0+b1) */ - mp_dblsubfast(tt1, tt2, tt3); /* tt3 = (a0+a1)*(b0+b1) - a0*b0 - a1*b1 */ - mp_subaddfast(tt1, tt2, tt1); /* tt1 = a0*b0 - a1*b1 + p*2^S2N_SIKE_P434_R3_MAXBITS_FIELD if a0*b0 - a1*b1 < 0, else tt1 = a0*b0 - a1*b1 */ - rdc_mont(tt3, c->e[1]); /* c[1] = (a0+a1)*(b0+b1) - a0*b0 - a1*b1 */ - rdc_mont(tt1, c->e[0]); /* c[0] = a0*b0 - a1*b1 */ -} - -/* Chain to compute a^(p-3)/4 using Montgomery arithmetic. */ -static void fpinv_chain_mont(felm_t a) -{ - unsigned int i, j; - felm_t t[31], tt; - - /* Precomputed table */ - fpsqr_mont(a, tt); - fpmul_mont(a, tt, t[0]); - for (i = 0; i <= 29; i++) { - fpmul_mont(t[i], tt, t[i + 1]); - } - - fpcopy(a, tt); - for (i = 0; i < 7; i++) { - fpsqr_mont(tt, tt); - } - fpmul_mont(t[5], tt, tt); - for (i = 0; i < 10; i++) { - fpsqr_mont(tt, tt); - } - fpmul_mont(t[14], tt, tt); - for (i = 0; i < 6; i++) { - fpsqr_mont(tt, tt); - } - fpmul_mont(t[3], tt, tt); - for (i = 0; i < 6; i++) { - fpsqr_mont(tt, tt); - } - fpmul_mont(t[23], tt, tt); - for (i = 0; i < 6; i++) { - fpsqr_mont(tt, tt); - } - fpmul_mont(t[13], tt, tt); - for (i = 0; i < 6; i++) { - fpsqr_mont(tt, tt); - } - fpmul_mont(t[24], tt, tt); - for (i = 0; i < 6; i++) { - fpsqr_mont(tt, tt); - } - fpmul_mont(t[7], tt, tt); - for (i = 0; i < 8; i++) { - fpsqr_mont(tt, tt); - } - fpmul_mont(t[12], tt, tt); - for (i = 0; i < 8; i++) { - fpsqr_mont(tt, tt); - } - fpmul_mont(t[30], tt, tt); - for (i = 0; i < 6; i++) { - fpsqr_mont(tt, tt); - } - fpmul_mont(t[1], tt, tt); - for (i = 0; i < 6; i++) { - fpsqr_mont(tt, tt); - } - fpmul_mont(t[30], tt, tt); - for (i = 0; i < 7; i++) { - fpsqr_mont(tt, tt); - } - fpmul_mont(t[21], tt, tt); - for (i = 0; i < 9; i++) { - fpsqr_mont(tt, tt); - } - fpmul_mont(t[2], tt, tt); - for (i = 0; i < 9; i++) { - fpsqr_mont(tt, tt); - } - fpmul_mont(t[19], tt, tt); - for (i = 0; i < 9; i++) { - fpsqr_mont(tt, tt); - } - fpmul_mont(t[1], tt, tt); - for (i = 0; i < 7; i++) { - fpsqr_mont(tt, tt); - } - fpmul_mont(t[24], tt, tt); - for (i = 0; i < 6; i++) { - fpsqr_mont(tt, tt); - } - fpmul_mont(t[26], tt, tt); - for (i = 0; i < 6; i++) { - fpsqr_mont(tt, tt); - } - fpmul_mont(t[16], tt, tt); - for (i = 0; i < 7; i++) { - fpsqr_mont(tt, tt); - } - fpmul_mont(t[10], tt, tt); - for (i = 0; i < 7; i++) { - fpsqr_mont(tt, tt); - } - fpmul_mont(t[6], tt, tt); - for (i = 0; i < 7; i++) { - fpsqr_mont(tt, tt); - } - fpmul_mont(t[0], tt, tt); - for (i = 0; i < 9; i++) { - fpsqr_mont(tt, tt); - } - fpmul_mont(t[20], tt, tt); - for (i = 0; i < 8; i++) { - fpsqr_mont(tt, tt); - } - fpmul_mont(t[9], tt, tt); - for (i = 0; i < 6; i++) { - fpsqr_mont(tt, tt); - } - fpmul_mont(t[25], tt, tt); - for (i = 0; i < 9; i++) { - fpsqr_mont(tt, tt); - } - fpmul_mont(t[30], tt, tt); - for (i = 0; i < 6; i++) { - fpsqr_mont(tt, tt); - } - fpmul_mont(t[26], tt, tt); - for (i = 0; i < 6; i++) { - fpsqr_mont(tt, tt); - } - fpmul_mont(a, tt, tt); - for (i = 0; i < 7; i++) { - fpsqr_mont(tt, tt); - } - fpmul_mont(t[28], tt, tt); - for (i = 0; i < 6; i++) { - fpsqr_mont(tt, tt); - } - fpmul_mont(t[6], tt, tt); - for (i = 0; i < 6; i++) { - fpsqr_mont(tt, tt); - } - fpmul_mont(t[10], tt, tt); - for (i = 0; i < 9; i++) { - fpsqr_mont(tt, tt); - } - fpmul_mont(t[22], tt, tt); - for (j = 0; j < 35; j++) { - for (i = 0; i < 6; i++) fpsqr_mont(tt, tt); - fpmul_mont(t[30], tt, tt); - } - fpcopy(tt, a); -} - -/* Field inversion using Montgomery arithmetic, a = a^(-1)*R mod p. */ -static void fpinv_mont(felm_t a) -{ - felm_t tt; - - fpcopy(a, tt); - fpinv_chain_mont(tt); - fpsqr_mont(tt, tt); - fpsqr_mont(tt, tt); - fpmul_mont(a, tt, a); -} - -/* GF(p^2) inversion using Montgomery arithmetic, a = (a0-i*a1)/(a0^2+a1^2). */ -void fp2inv_mont(f2elm_t *a) -{ - f2elm_t t1; - - fpsqr_mont(a->e[0], t1.e[0]); /* t10 = a0^2 */ - fpsqr_mont(a->e[1], t1.e[1]); /* t11 = a1^2 */ - fpadd434(t1.e[0], t1.e[1], t1.e[0]); /* t10 = a0^2+a1^2 */ - fpinv_mont(t1.e[0]); /* t10 = (a0^2+a1^2)^-1 */ - fpneg434(a->e[1]); /* a = a0-i*a1 */ - fpmul_mont(a->e[0], t1.e[0], a->e[0]); - fpmul_mont(a->e[1], t1.e[0], a->e[1]); /* a = (a0-i*a1)*(a0^2+a1^2)^-1 */ -} - -/* Conversion of a GF(p^2) element to Montgomery representation, - * mc_i = a_i*R^2*R^(-1) = a_i*R in GF(p^2). */ -static void to_fp2mont(const f2elm_t *a, f2elm_t *mc) -{ - to_mont(a->e[0], mc->e[0]); - to_mont(a->e[1], mc->e[1]); -} - -/* Conversion of a GF(p^2) element from Montgomery representation to standard representation, - * c_i = ma_i*R^(-1) = a_i in GF(p^2). */ -static void from_fp2mont(const f2elm_t *ma, f2elm_t *c) -{ - from_mont(ma->e[0], c->e[0]); - from_mont(ma->e[1], c->e[1]); -} - -/* Multiprecision right shift by one. */ -void mp_shiftr1(digit_t* x, const unsigned int nwords) -{ - unsigned int i; - - for (i = 0; i < nwords-1; i++) { - S2N_SIKE_P434_R3_SHIFTR(x[i+1], x[i], 1, x[i], S2N_SIKE_P434_R3_RADIX); - } - x[nwords-1] >>= 1; -} - -unsigned int is_felm_zero(const felm_t x) -{ // Is x = 0? return 1 (TRUE) if condition is true, 0 (FALSE) otherwise. - // SECURITY NOTE: This function does not run in constant-time. - - for (unsigned int i = 0; i < S2N_SIKE_P434_R3_NWORDS_FIELD; i++) { - if (x[i] != 0) { - return 0; - } - } - return 1; -} - -void decode_to_digits(const unsigned char* x, digit_t* dec, int nbytes, int ndigits) -{ - dec[ndigits - 1] = 0; - memcpy((unsigned char*)dec, x, nbytes); - - if (is_big_endian()) { - for (int i = 0; i < ndigits; i++) { - dec[i] = S2N_SIKE_P434_R3_BSWAP_DIGIT(dec[i]); - } - } -} - -void fpcopy(const felm_t a, felm_t c) -{ - unsigned int i; - - for (i = 0; i < S2N_SIKE_P434_R3_NWORDS_FIELD; i++) { - c[i] = a[i]; - } -} - -void fpzero(felm_t a) -{ - unsigned int i; - - for (i = 0; i < S2N_SIKE_P434_R3_NWORDS_FIELD; i++) { - a[i] = 0; - } -} - -void fp2add(const f2elm_t *a, const f2elm_t *b, f2elm_t *c) -{ - fpadd434(a->e[0], b->e[0], c->e[0]); - fpadd434(a->e[1], b->e[1], c->e[1]); -} - -void fp2sub(const f2elm_t *a, const f2elm_t *b, f2elm_t *c) -{ - fpsub434(a->e[0], b->e[0], c->e[0]); - fpsub434(a->e[1], b->e[1], c->e[1]); -} - -void mp_addfast(const digit_t* a, const digit_t* b, digit_t* c) -{ -#if defined(S2N_SIKE_P434_R3_ASM) - if (s2n_sikep434r3_asm_is_enabled()) { - mp_add434_asm(a, b, c); - return; - } -#endif - - mp_add(a, b, c, S2N_SIKE_P434_R3_NWORDS_FIELD); -} - -void mp2_add(const f2elm_t *a, const f2elm_t *b, f2elm_t *c) -{ - mp_addfast(a->e[0], b->e[0], c->e[0]); - mp_addfast(a->e[1], b->e[1], c->e[1]); -} - -void mp2_sub_p2(const f2elm_t *a, const f2elm_t *b, f2elm_t *c) -{ - mp_sub434_p2(a->e[0], b->e[0], c->e[0]); - mp_sub434_p2(a->e[1], b->e[1], c->e[1]); -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_fpx.h b/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_fpx.h deleted file mode 100644 index c6d8e8dc94..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_fpx.h +++ /dev/null @@ -1,71 +0,0 @@ -/******************************************************************************************** -* Supersingular Isogeny Key Encapsulation Library -* -* Abstract: core functions over GF(p) and GF(p^2) -*********************************************************************************************/ - -#pragma once - -#include <string.h> -#include "sikep434r3.h" -#include "sikep434r3_fp.h" - -#define fp2_encode S2N_SIKE_P434_R3_NAMESPACE(fp2_encode) -void fp2_encode(const f2elm_t *x, unsigned char *enc); - -#define fp2_decode S2N_SIKE_P434_R3_NAMESPACE(fp2_decode) -void fp2_decode(const unsigned char *x, f2elm_t *dec); - -#define copy_words S2N_SIKE_P434_R3_NAMESPACE(copy_words) -void copy_words(const digit_t* a, digit_t* c, const unsigned int nwords); - -#define fp2copy S2N_SIKE_P434_R3_NAMESPACE(fp2copy) -void fp2copy(const f2elm_t *a, f2elm_t *c); - -#define fp2div2 S2N_SIKE_P434_R3_NAMESPACE(fp2div2) -void fp2div2(const f2elm_t *a, f2elm_t *c); - -#define fp2correction S2N_SIKE_P434_R3_NAMESPACE(fp2correction) -void fp2correction(f2elm_t *a); - -#define mp_add S2N_SIKE_P434_R3_NAMESPACE(mp_add) -unsigned int mp_add(const digit_t* a, const digit_t* b, digit_t* c, const unsigned int nwords); - -#define fp2sqr_mont S2N_SIKE_P434_R3_NAMESPACE(fp2sqr_mont) -void fp2sqr_mont(const f2elm_t *a, f2elm_t *c); - -#define fp2mul_mont S2N_SIKE_P434_R3_NAMESPACE(fp2mul_mont) -void fp2mul_mont(const f2elm_t *a, const f2elm_t *b, f2elm_t *c); - -#define fp2inv_mont S2N_SIKE_P434_R3_NAMESPACE(fp2inv_mont) -void fp2inv_mont(f2elm_t *a); - -#define mp_shiftr1 S2N_SIKE_P434_R3_NAMESPACE(mp_shiftr1) -void mp_shiftr1(digit_t* x, const unsigned int nwords); - -#define is_felm_zero S2N_SIKE_P434_R3_NAMESPACE(is_felm_zero) -unsigned int is_felm_zero(const felm_t x); - -#define decode_to_digits S2N_SIKE_P434_R3_NAMESPACE(decode_to_digits) -void decode_to_digits(const unsigned char* x, digit_t* dec, int nbytes, int ndigits); - -#define fpcopy S2N_SIKE_P434_R3_NAMESPACE(fpcopy) -void fpcopy(const felm_t a, felm_t c); - -#define fpzero S2N_SIKE_P434_R3_NAMESPACE(fpzero) -void fpzero(felm_t a); - -#define fp2add S2N_SIKE_P434_R3_NAMESPACE(fp2add) -void fp2add(const f2elm_t *a, const f2elm_t *b, f2elm_t *c); - -#define fp2sub S2N_SIKE_P434_R3_NAMESPACE(fp2sub) -void fp2sub(const f2elm_t *a, const f2elm_t *b, f2elm_t *c); - -#define mp_addfast S2N_SIKE_P434_R3_NAMESPACE(mp_addfast) -void mp_addfast(const digit_t* a, const digit_t* b, digit_t* c); - -#define mp2_add S2N_SIKE_P434_R3_NAMESPACE(mp2_add) -void mp2_add(const f2elm_t *a, const f2elm_t *b, f2elm_t *c); - -#define mp2_sub_p2 S2N_SIKE_P434_R3_NAMESPACE(mp2_sub_p2) -void mp2_sub_p2(const f2elm_t *a, const f2elm_t *b, f2elm_t *c); diff --git a/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_kem.c b/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_kem.c deleted file mode 100644 index 9ce254fbf1..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_kem.c +++ /dev/null @@ -1,117 +0,0 @@ -/******************************************************************************************** -* Supersingular Isogeny Key Encapsulation Library -* -* Abstract: supersingular isogeny key encapsulation (SIKE) protocol -*********************************************************************************************/ - -#include <string.h> -#include "sikep434r3.h" -#include "sikep434r3_fips202.h" -#include "utils/s2n_safety.h" -#include "tls/s2n_kem.h" -#include "pq-crypto/s2n_pq.h" -#include "pq-crypto/s2n_pq_random.h" -#include "sikep434r3_fpx.h" -#include "sikep434r3_api.h" - -/* SIKE's key generation - * Outputs: secret key sk (S2N_SIKE_P434_R3_SECRET_KEY_BYTES = S2N_SIKE_P434_R3_MSG_BYTES + S2N_SIKE_P434_R3_SECRETKEY_B_BYTES + S2N_SIKE_P434_R3_PUBLIC_KEY_BYTES bytes) - * public key pk (S2N_SIKE_P434_R3_PUBLIC_KEY_BYTES bytes) */ -int s2n_sike_p434_r3_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) -{ - POSIX_ENSURE(s2n_pq_is_enabled(), S2N_ERR_PQ_DISABLED); - - /* Generate lower portion of secret key sk <- s||SK */ - POSIX_GUARD_RESULT(s2n_get_random_bytes(sk, S2N_SIKE_P434_R3_MSG_BYTES)); - POSIX_GUARD(random_mod_order_B(sk + S2N_SIKE_P434_R3_MSG_BYTES)); - - /* Generate public key pk */ - EphemeralKeyGeneration_B(sk + S2N_SIKE_P434_R3_MSG_BYTES, pk); - - /* Append public key pk to secret key sk */ - memcpy(&sk[S2N_SIKE_P434_R3_MSG_BYTES + S2N_SIKE_P434_R3_SECRETKEY_B_BYTES], pk, S2N_SIKE_P434_R3_PUBLIC_KEY_BYTES); - - return S2N_SUCCESS; -} - -/* SIKE's encapsulation - * Input: public key pk (S2N_SIKE_P434_R3_PUBLIC_KEY_BYTES bytes) - * Outputs: shared secret ss (S2N_SIKE_P434_R3_SHARED_SECRET_BYTES bytes) - * ciphertext message ct (S2N_SIKE_P434_R3_CIPHERTEXT_BYTES = S2N_SIKE_P434_R3_PUBLIC_KEY_BYTES + S2N_SIKE_P434_R3_MSG_BYTES bytes) */ -int s2n_sike_p434_r3_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) -{ - POSIX_ENSURE(s2n_pq_is_enabled(), S2N_ERR_PQ_DISABLED); - - unsigned char ephemeralsk[S2N_SIKE_P434_R3_SECRETKEY_A_BYTES]; - unsigned char jinvariant[S2N_SIKE_P434_R3_FP2_ENCODED_BYTES]; - unsigned char h[S2N_SIKE_P434_R3_MSG_BYTES]; - unsigned char temp[S2N_SIKE_P434_R3_CIPHERTEXT_BYTES+S2N_SIKE_P434_R3_MSG_BYTES]; - - /* Generate ephemeralsk <- G(m||pk) mod oA */ - POSIX_GUARD_RESULT(s2n_get_random_bytes(temp, S2N_SIKE_P434_R3_MSG_BYTES)); - memcpy(&temp[S2N_SIKE_P434_R3_MSG_BYTES], pk, S2N_SIKE_P434_R3_PUBLIC_KEY_BYTES); - shake256(ephemeralsk, S2N_SIKE_P434_R3_SECRETKEY_A_BYTES, temp, S2N_SIKE_P434_R3_PUBLIC_KEY_BYTES+S2N_SIKE_P434_R3_MSG_BYTES); - ephemeralsk[S2N_SIKE_P434_R3_SECRETKEY_A_BYTES - 1] &= S2N_SIKE_P434_R3_MASK_ALICE; - - /* Encrypt */ - EphemeralKeyGeneration_A(ephemeralsk, ct); - EphemeralSecretAgreement_A(ephemeralsk, pk, jinvariant); - shake256(h, S2N_SIKE_P434_R3_MSG_BYTES, jinvariant, S2N_SIKE_P434_R3_FP2_ENCODED_BYTES); - for (int i = 0; i < S2N_SIKE_P434_R3_MSG_BYTES; i++) { - ct[i + S2N_SIKE_P434_R3_PUBLIC_KEY_BYTES] = temp[i] ^ h[i]; - } - - /* Generate shared secret ss <- H(m||ct) */ - memcpy(&temp[S2N_SIKE_P434_R3_MSG_BYTES], ct, S2N_SIKE_P434_R3_CIPHERTEXT_BYTES); - shake256(ss, S2N_SIKE_P434_R3_SHARED_SECRET_BYTES, temp, S2N_SIKE_P434_R3_CIPHERTEXT_BYTES+S2N_SIKE_P434_R3_MSG_BYTES); - - return S2N_SUCCESS; -} - -/* SIKE's decapsulation - * Input: secret key sk (S2N_SIKE_P434_R3_SECRET_KEY_BYTES = S2N_SIKE_P434_R3_MSG_BYTES + S2N_SIKE_P434_R3_SECRETKEY_B_BYTES + S2N_SIKE_P434_R3_PUBLIC_KEY_BYTES bytes) - * ciphertext message ct (S2N_SIKE_P434_R3_CIPHERTEXT_BYTES = S2N_SIKE_P434_R3_PUBLIC_KEY_BYTES + S2N_SIKE_P434_R3_MSG_BYTES bytes) - * Outputs: shared secret ss (S2N_SIKE_P434_R3_SHARED_SECRET_BYTES bytes) */ -int s2n_sike_p434_r3_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) -{ - POSIX_ENSURE(s2n_pq_is_enabled(), S2N_ERR_PQ_DISABLED); - - unsigned char ephemeralsk_[S2N_SIKE_P434_R3_SECRETKEY_A_BYTES]; - unsigned char jinvariant_[S2N_SIKE_P434_R3_FP2_ENCODED_BYTES]; - unsigned char h_[S2N_SIKE_P434_R3_MSG_BYTES]; - unsigned char c0_[S2N_SIKE_P434_R3_PUBLIC_KEY_BYTES]; - unsigned char temp[S2N_SIKE_P434_R3_CIPHERTEXT_BYTES+S2N_SIKE_P434_R3_MSG_BYTES]; - bool dont_copy = 1; - - /* Decrypt */ - if (!(EphemeralSecretAgreement_B(sk + S2N_SIKE_P434_R3_MSG_BYTES, ct, jinvariant_) == 0)) { - goto S2N_SIKE_P434_R3_HASHING; - } - - shake256(h_, S2N_SIKE_P434_R3_MSG_BYTES, jinvariant_, S2N_SIKE_P434_R3_FP2_ENCODED_BYTES); - for (int i = 0; i < S2N_SIKE_P434_R3_MSG_BYTES; i++) { - temp[i] = ct[i + S2N_SIKE_P434_R3_PUBLIC_KEY_BYTES] ^ h_[i]; - } - - /* Generate ephemeralsk_ <- G(m||pk) mod oA */ - memcpy(&temp[S2N_SIKE_P434_R3_MSG_BYTES], &sk[S2N_SIKE_P434_R3_MSG_BYTES + S2N_SIKE_P434_R3_SECRETKEY_B_BYTES], S2N_SIKE_P434_R3_PUBLIC_KEY_BYTES); - shake256(ephemeralsk_, S2N_SIKE_P434_R3_SECRETKEY_A_BYTES, temp, S2N_SIKE_P434_R3_PUBLIC_KEY_BYTES+S2N_SIKE_P434_R3_MSG_BYTES); - ephemeralsk_[S2N_SIKE_P434_R3_SECRETKEY_A_BYTES - 1] &= S2N_SIKE_P434_R3_MASK_ALICE; - - /* Generate shared secret ss <- H(m||ct), or output ss <- H(s||ct) in case of ct verification failure */ - EphemeralKeyGeneration_A(ephemeralsk_, c0_); - - /* Verify ciphertext. - * If c0_ and ct are NOT equal, decaps failed and we overwrite the shared secret - * with pseudorandom noise (ss = H(s||ct)) by performing the copy (dont_copy = false). - * - * If c0_ and ct are equal, then decaps succeeded and we skip the overwrite and output - * the actual shared secret: ss = H(m||ct) (dont_copy = true). */ - dont_copy = s2n_constant_time_equals(c0_, ct, S2N_SIKE_P434_R3_PUBLIC_KEY_BYTES); -S2N_SIKE_P434_R3_HASHING: - POSIX_GUARD(s2n_constant_time_copy_or_dont(temp, sk, S2N_SIKE_P434_R3_MSG_BYTES, dont_copy)); - memcpy(&temp[S2N_SIKE_P434_R3_MSG_BYTES], ct, S2N_SIKE_P434_R3_CIPHERTEXT_BYTES); - shake256(ss, S2N_SIKE_P434_R3_SHARED_SECRET_BYTES, temp, S2N_SIKE_P434_R3_CIPHERTEXT_BYTES+S2N_SIKE_P434_R3_MSG_BYTES); - - return S2N_SUCCESS; -} diff --git a/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_sidh.c b/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_sidh.c deleted file mode 100644 index 8bd5124b41..0000000000 --- a/contrib/restricted/aws/s2n/pq-crypto/sike_r3/sikep434r3_sidh.c +++ /dev/null @@ -1,357 +0,0 @@ -/******************************************************************************************** -* Supersingular Isogeny Key Encapsulation Library -* -* Abstract: ephemeral supersingular isogeny Diffie-Hellman key exchange (SIDH) -*********************************************************************************************/ - -#include "sikep434r3.h" -#include "pq-crypto/s2n_pq_random.h" -#include "utils/s2n_safety.h" -#include "sikep434r3_fpx.h" -#include "sikep434r3_ec_isogeny.h" -#include "sikep434r3_api.h" - -/* Initialization of basis points */ -static void init_basis(const digit_t *gen, f2elm_t *XP, f2elm_t *XQ, f2elm_t *XR) -{ - fpcopy(gen, XP->e[0]); - fpcopy(gen + S2N_SIKE_P434_R3_NWORDS_FIELD, XP->e[1]); - fpcopy(gen + 2*S2N_SIKE_P434_R3_NWORDS_FIELD, XQ->e[0]); - fpcopy(gen + 3*S2N_SIKE_P434_R3_NWORDS_FIELD, XQ->e[1]); - fpcopy(gen + 4*S2N_SIKE_P434_R3_NWORDS_FIELD, XR->e[0]); - fpcopy(gen + 5*S2N_SIKE_P434_R3_NWORDS_FIELD, XR->e[1]); -} - -/* Generation of Bob's secret key - * Outputs random value in [0, 2^Floor(Log(2, oB)) - 1] */ -int random_mod_order_B(unsigned char* random_digits) -{ - POSIX_GUARD_RESULT(s2n_get_random_bytes(random_digits, S2N_SIKE_P434_R3_SECRETKEY_B_BYTES)); - random_digits[S2N_SIKE_P434_R3_SECRETKEY_B_BYTES-1] &= S2N_SIKE_P434_R3_MASK_BOB; /* Masking last byte */ - - return 0; -} - -/* Alice's ephemeral public key generation - * Input: a private key PrivateKeyA in the range [0, 2^eA - 1]. - * Output: the public key PublicKeyA consisting of 3 elements in GF(p^2) which are encoded - * by removing leading 0 bytes. */ -int EphemeralKeyGeneration_A(const unsigned char* PrivateKeyA, unsigned char* PublicKeyA) -{ - point_proj_t R, phiP = {0}, phiQ = {0}, phiR = {0}, pts[S2N_SIKE_P434_R3_MAX_INT_POINTS_ALICE]; - f2elm_t _XPA, _XQA, _XRA, coeff[3], _A24plus = {0}, _C24 = {0}, _A = {0}; - f2elm_t *XPA=&_XPA, *XQA=&_XQA, *XRA=&_XRA, *A24plus=&_A24plus, *C24=&_C24, *A=&_A; - unsigned int i, row, m, tree_index = 0, pts_index[S2N_SIKE_P434_R3_MAX_INT_POINTS_ALICE], npts = 0, ii = 0; - digit_t SecretKeyA[S2N_SIKE_P434_R3_NWORDS_ORDER] = {0}; - - /* Initialize basis points */ - init_basis((const digit_t*)A_gen, XPA, XQA, XRA); - init_basis((const digit_t*)B_gen, &phiP->X, &phiQ->X, &phiR->X); - fpcopy((const digit_t*)&Montgomery_one, (phiP->Z.e)[0]); - fpcopy((const digit_t*)&Montgomery_one, (phiQ->Z.e)[0]); - fpcopy((const digit_t*)&Montgomery_one, (phiR->Z.e)[0]); - - /* Initialize constants: A24plus = A+2C, C24 = 4C, where A=6, C=1 */ - fpcopy((const digit_t*)&Montgomery_one, A24plus->e[0]); - mp2_add(A24plus, A24plus, A24plus); - mp2_add(A24plus, A24plus, C24); - mp2_add(A24plus, C24, A); - mp2_add(C24, C24, A24plus); - - /* Retrieve kernel point */ - decode_to_digits(PrivateKeyA, SecretKeyA, S2N_SIKE_P434_R3_SECRETKEY_A_BYTES, S2N_SIKE_P434_R3_NWORDS_ORDER); - LADDER3PT(XPA, XQA, XRA, SecretKeyA, S2N_SIKE_P434_R3_ALICE, R, A); - - /* Traverse tree */ - tree_index = 0; - for (row = 1; row < S2N_SIKE_P434_R3_MAX_ALICE; row++) { - while (tree_index < S2N_SIKE_P434_R3_MAX_ALICE-row) { - fp2copy(&R->X, &pts[npts]->X); - fp2copy(&R->Z, &pts[npts]->Z); - pts_index[npts++] = tree_index; - m = strat_Alice[ii++]; - xDBLe(R, R, A24plus, C24, (int)(2*m)); - tree_index += m; - } - get_4_isog(R, A24plus, C24, coeff); - - for (i = 0; i < npts; i++) { - eval_4_isog(pts[i], coeff); - } - eval_4_isog(phiP, coeff); - eval_4_isog(phiQ, coeff); - eval_4_isog(phiR, coeff); - - fp2copy(&pts[npts-1]->X, &R->X); - fp2copy(&pts[npts-1]->Z, &R->Z); - tree_index = pts_index[npts-1]; - npts -= 1; - } - - get_4_isog(R, A24plus, C24, coeff); - eval_4_isog(phiP, coeff); - eval_4_isog(phiQ, coeff); - eval_4_isog(phiR, coeff); - - inv_3_way(&phiP->Z, &phiQ->Z, &phiR->Z); - fp2mul_mont(&phiP->X, &phiP->Z, &phiP->X); - fp2mul_mont(&phiQ->X, &phiQ->Z, &phiQ->X); - fp2mul_mont(&phiR->X, &phiR->Z, &phiR->X); - - /* Format public key */ - fp2_encode(&phiP->X, PublicKeyA); - fp2_encode(&phiQ->X, PublicKeyA + S2N_SIKE_P434_R3_FP2_ENCODED_BYTES); - fp2_encode(&phiR->X, PublicKeyA + 2*S2N_SIKE_P434_R3_FP2_ENCODED_BYTES); - - return 0; -} - -/* Bob's ephemeral public key generation - * Input: a private key PrivateKeyB in the range [0, 2^Floor(Log(2,oB)) - 1]. - * Output: the public key PublicKeyB consisting of 3 elements in GF(p^2) which are encoded - * by removing leading 0 bytes. */ -int EphemeralKeyGeneration_B(const unsigned char* PrivateKeyB, unsigned char* PublicKeyB) -{ - point_proj_t R, phiP = {0}, phiQ = {0}, phiR = {0}, pts[S2N_SIKE_P434_R3_MAX_INT_POINTS_BOB]; - f2elm_t _XPB, _XQB, _XRB, coeff[3], _A24plus = {0}, _A24minus = {0}, _A = {0}; - f2elm_t *XPB=&_XPB, *XQB=&_XQB, *XRB=&_XRB, *A24plus=&_A24plus, *A24minus=&_A24minus, *A=&_A; - - unsigned int i, row, m, tree_index = 0, pts_index[S2N_SIKE_P434_R3_MAX_INT_POINTS_BOB], npts = 0, ii = 0; - digit_t SecretKeyB[S2N_SIKE_P434_R3_NWORDS_ORDER] = {0}; - - /* Initialize basis points */ - init_basis((const digit_t*)B_gen, XPB, XQB, XRB); - init_basis((const digit_t*)A_gen, &phiP->X, &phiQ->X, &phiR->X); - fpcopy((const digit_t*)&Montgomery_one, (phiP->Z.e)[0]); - fpcopy((const digit_t*)&Montgomery_one, (phiQ->Z.e)[0]); - fpcopy((const digit_t*)&Montgomery_one, (phiR->Z.e)[0]); - - /* Initialize constants: A24minus = A-2C, A24plus = A+2C, where A=6, C=1 */ - fpcopy((const digit_t*)&Montgomery_one, A24plus->e[0]); - mp2_add(A24plus, A24plus, A24plus); - mp2_add(A24plus, A24plus, A24minus); - mp2_add(A24plus, A24minus, A); - mp2_add(A24minus, A24minus, A24plus); - - /* Retrieve kernel point */ - decode_to_digits(PrivateKeyB, SecretKeyB, S2N_SIKE_P434_R3_SECRETKEY_B_BYTES, S2N_SIKE_P434_R3_NWORDS_ORDER); - LADDER3PT(XPB, XQB, XRB, SecretKeyB, S2N_SIKE_P434_R3_BOB, R, A); - - /* Traverse tree */ - tree_index = 0; - for (row = 1; row < S2N_SIKE_P434_R3_MAX_BOB; row++) { - while (tree_index < S2N_SIKE_P434_R3_MAX_BOB-row) { - fp2copy(&R->X, &pts[npts]->X); - fp2copy(&R->Z, &pts[npts]->Z); - pts_index[npts++] = tree_index; - m = strat_Bob[ii++]; - xTPLe(R, R, A24minus, A24plus, (int)m); - tree_index += m; - } - get_3_isog(R, A24minus, A24plus, coeff); - - for (i = 0; i < npts; i++) { - eval_3_isog(pts[i], coeff); - } - eval_3_isog(phiP, coeff); - eval_3_isog(phiQ, coeff); - eval_3_isog(phiR, coeff); - - fp2copy(&pts[npts-1]->X, &R->X); - fp2copy(&pts[npts-1]->Z, &R->Z); - tree_index = pts_index[npts-1]; - npts -= 1; - } - - get_3_isog(R, A24minus, A24plus, coeff); - eval_3_isog(phiP, coeff); - eval_3_isog(phiQ, coeff); - eval_3_isog(phiR, coeff); - - inv_3_way(&phiP->Z, &phiQ->Z, &phiR->Z); - fp2mul_mont(&phiP->X, &phiP->Z, &phiP->X); - fp2mul_mont(&phiQ->X, &phiQ->Z, &phiQ->X); - fp2mul_mont(&phiR->X, &phiR->Z, &phiR->X); - - /* Format public key */ - fp2_encode(&phiP->X, PublicKeyB); - fp2_encode(&phiQ->X, PublicKeyB + S2N_SIKE_P434_R3_FP2_ENCODED_BYTES); - fp2_encode(&phiR->X, PublicKeyB + 2*S2N_SIKE_P434_R3_FP2_ENCODED_BYTES); - - return 0; -} - -/* Alice's ephemeral shared secret computation - * It produces a shared secret key SharedSecretA using her secret key PrivateKeyA and Bob's public key PublicKeyB - * Inputs: Alice's PrivateKeyA is an integer in the range [0, oA-1]. - * Bob's PublicKeyB consists of 3 elements in GF(p^2) encoded by removing leading 0 bytes. - * Output: a shared secret SharedSecretA that consists of one element in GF(p^2) encoded - * by removing leading 0 bytes. */ -int EphemeralSecretAgreement_A(const unsigned char* PrivateKeyA, const unsigned char* PublicKeyB, - unsigned char* SharedSecretA) -{ - point_proj_t R, pts[S2N_SIKE_P434_R3_MAX_INT_POINTS_ALICE]; - f2elm_t coeff[3], PKB[3], _jinv; - f2elm_t _A24plus = {0}, _C24 = {0}, _A = {0}; - f2elm_t *jinv=&_jinv, *A24plus=&_A24plus, *C24=&_C24, *A=&_A; - unsigned int i, row, m, tree_index = 0, pts_index[S2N_SIKE_P434_R3_MAX_INT_POINTS_ALICE], npts = 0, ii = 0; - digit_t SecretKeyA[S2N_SIKE_P434_R3_NWORDS_ORDER] = {0}; - - /* Initialize images of Bob's basis */ - fp2_decode(PublicKeyB, &PKB[0]); - fp2_decode(PublicKeyB + S2N_SIKE_P434_R3_FP2_ENCODED_BYTES, &PKB[1]); - fp2_decode(PublicKeyB + 2*S2N_SIKE_P434_R3_FP2_ENCODED_BYTES, &PKB[2]); - - /* Initialize constants: A24plus = A+2C, C24 = 4C, where C=1 */ - get_A(&PKB[0], &PKB[1], &PKB[2], A); - mp_add((const digit_t*)&Montgomery_one, (const digit_t*)&Montgomery_one, C24->e[0], S2N_SIKE_P434_R3_NWORDS_FIELD); - mp2_add(A, C24, A24plus); - mp_add(C24->e[0], C24->e[0], C24->e[0], S2N_SIKE_P434_R3_NWORDS_FIELD); - - /* Retrieve kernel point */ - decode_to_digits(PrivateKeyA, SecretKeyA, S2N_SIKE_P434_R3_SECRETKEY_A_BYTES, S2N_SIKE_P434_R3_NWORDS_ORDER); - LADDER3PT(&PKB[0], &PKB[1], &PKB[2], SecretKeyA, S2N_SIKE_P434_R3_ALICE, R, A); - - /* Traverse tree */ - tree_index = 0; - for (row = 1; row < S2N_SIKE_P434_R3_MAX_ALICE; row++) { - while (tree_index < S2N_SIKE_P434_R3_MAX_ALICE-row) { - fp2copy(&R->X, &pts[npts]->X); - fp2copy(&R->Z, &pts[npts]->Z); - pts_index[npts++] = tree_index; - m = strat_Alice[ii++]; - xDBLe(R, R, A24plus, C24, (int)(2*m)); - tree_index += m; - } - get_4_isog(R, A24plus, C24, coeff); - - for (i = 0; i < npts; i++) { - eval_4_isog(pts[i], coeff); - } - - fp2copy(&pts[npts-1]->X, &R->X); - fp2copy(&pts[npts-1]->Z, &R->Z); - tree_index = pts_index[npts-1]; - npts -= 1; - } - - get_4_isog(R, A24plus, C24, coeff); - mp2_add(A24plus, A24plus, A24plus); - fp2sub(A24plus, C24, A24plus); - fp2add(A24plus, A24plus, A24plus); - j_inv(A24plus, C24, jinv); - fp2_encode(jinv, SharedSecretA); /* Format shared secret */ - - return 0; -} - -int sike_p434_r3_publickey_validation(const f2elm_t *PKB, const f2elm_t *A) -{ // Public key validation - point_proj_t P = { 0 }, Q = { 0 }; - f2elm_t _A2={0}, _tmp1={0}, _tmp2={0}; - f2elm_t *A2=&_A2, *tmp1=&_tmp1, *tmp2=&_tmp2; - - // Verify that P and Q generate E_A[3^e_3] by checking that [3^(e_3-1)]P != [+-3^(e_3-1)]Q - fp2div2(A, A2); - fp2copy(&PKB[0], &P->X); - fpcopy((const digit_t*)&Montgomery_one, (digit_t*)&P->Z); - fp2copy(&PKB[1], &Q->X); - fpcopy((const digit_t*)&Montgomery_one, (digit_t*)&Q->Z); - - xTPLe_fast(P, P, A2, S2N_SIKE_P434_R3_MAX_BOB - 1); - xTPLe_fast(Q, Q, A2, S2N_SIKE_P434_R3_MAX_BOB - 1); - fp2correction(&P->Z); - fp2correction(&Q->Z); - - if ((is_felm_zero((P->Z.e)[0]) && is_felm_zero((P->Z.e)[1])) || (is_felm_zero((Q->Z.e)[0]) && is_felm_zero((Q->Z.e)[1]))) { - return 1; - } - - fp2mul_mont(&P->X, &Q->Z, tmp1); - fp2mul_mont(&P->Z, &Q->X, tmp2); - fp2correction(tmp1); - fp2correction(tmp2); - - if (memcmp((uint8_t*)tmp1, (uint8_t*)tmp2, S2N_SIKE_P434_R3_FP2_ENCODED_BYTES) == 0) { - return 1; - } - - // Check that Ord(P) = Ord(Q) = 3^(e_3) - xTPL_fast(P, P, A2); - xTPL_fast(Q, Q, A2); - fp2correction(&P->Z); - fp2correction(&Q->Z); - - if (!is_felm_zero((P->Z.e)[0]) || !is_felm_zero((P->Z.e)[1]) || !is_felm_zero((Q->Z.e)[0]) || !is_felm_zero((Q->Z.e)[1])) { - return 1; - } - - return 0; -} - -/* Bob's ephemeral shared secret computation - * It produces a shared secret key SharedSecretB using his secret key PrivateKeyB and Alice's public key PublicKeyA - * Inputs: Bob's PrivateKeyB is an integer in the range [0, 2^Floor(Log(2,oB)) - 1]. - * Alice's PublicKeyA consists of 3 elements in GF(p^2) encoded by removing leading 0 bytes. - * Output: a shared secret SharedSecretB that consists of one element in GF(p^2) encoded - * by removing leading 0 bytes. */ -int EphemeralSecretAgreement_B(const unsigned char* PrivateKeyB, const unsigned char* PublicKeyA, unsigned char* SharedSecretB) { - point_proj_t R, pts[S2N_SIKE_P434_R3_MAX_INT_POINTS_BOB]; - f2elm_t coeff[3], PKB[3], _jinv; - f2elm_t _A24plus = {0}, _A24minus = {0}, _A = {0}; - f2elm_t *jinv=&_jinv, *A24plus=&_A24plus, *A24minus=&_A24minus, *A=&_A; - unsigned int i, row, m, tree_index = 0, pts_index[S2N_SIKE_P434_R3_MAX_INT_POINTS_BOB], npts = 0, ii = 0; - digit_t SecretKeyB[S2N_SIKE_P434_R3_NWORDS_ORDER] = {0}; - - /* Initialize images of Alice's basis */ - fp2_decode(PublicKeyA, &PKB[0]); - fp2_decode(PublicKeyA + S2N_SIKE_P434_R3_FP2_ENCODED_BYTES, &PKB[1]); - fp2_decode(PublicKeyA + 2*S2N_SIKE_P434_R3_FP2_ENCODED_BYTES, &PKB[2]); - - /* Initialize constants: A24plus = A+2C, A24minus = A-2C, where C=1 */ - get_A(&PKB[0], &PKB[1], &PKB[2], A); - mp_add((const digit_t*)&Montgomery_one, (const digit_t*)&Montgomery_one, A24minus->e[0], S2N_SIKE_P434_R3_NWORDS_FIELD); - mp2_add(A, A24minus, A24plus); - mp2_sub_p2(A, A24minus, A24minus); - - // Always perform public key validation before using peer's public key - if (sike_p434_r3_publickey_validation(PKB, A) == 1) { - return 1; - } - - /* Retrieve kernel point */ - decode_to_digits(PrivateKeyB, SecretKeyB, S2N_SIKE_P434_R3_SECRETKEY_B_BYTES, S2N_SIKE_P434_R3_NWORDS_ORDER); - LADDER3PT(&PKB[0], &PKB[1], &PKB[2], SecretKeyB, S2N_SIKE_P434_R3_BOB, R, A); - - /* Traverse tree */ - tree_index = 0; - for (row = 1; row < S2N_SIKE_P434_R3_MAX_BOB; row++) { - while (tree_index < S2N_SIKE_P434_R3_MAX_BOB-row) { - fp2copy(&R->X, &pts[npts]->X); - fp2copy(&R->Z, &pts[npts]->Z); - pts_index[npts++] = tree_index; - m = strat_Bob[ii++]; - xTPLe(R, R, A24minus, A24plus, (int)m); - tree_index += m; - } - get_3_isog(R, A24minus, A24plus, coeff); - - for (i = 0; i < npts; i++) { - eval_3_isog(pts[i], coeff); - } - - fp2copy(&pts[npts-1]->X, &R->X); - fp2copy(&pts[npts-1]->Z, &R->Z); - tree_index = pts_index[npts-1]; - npts -= 1; - } - - get_3_isog(R, A24minus, A24plus, coeff); - fp2add(A24plus, A24minus, A); - fp2add(A, A, A); - fp2sub(A24plus, A24minus, A24plus); - j_inv(A, A24plus, jinv); - fp2_encode(jinv, SharedSecretB); /* Format shared secret */ - - return 0; -} |