* cipher/dilithium.c: Add headers from the reference implementation.
--
Generated the header by:
for f in fips202.h ntt.h packing.h params.h poly.h polyvec.h \
randombytes.h reduce.h rounding.h sign.h symmetric.h
do echo "/*************** dilithium/ref/$f */"
grep -v NAMESPACE $f | grep -v '^#include'
done > /tmp/headers
And paste into the file.
GnuPG-bug-id: 7640
Signed-off-by: NIIBE Yutaka <gni...@fsij.org>
---
cipher/dilithium.c | 389 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 389 insertions(+)
diff --git a/cipher/dilithium.c b/cipher/dilithium.c
index b4d49a67..6adeb231 100644
--- a/cipher/dilithium.c
+++ b/cipher/dilithium.c
@@ -20,6 +20,395 @@
Dilithium Home: https://github.com/pq-crystals/dilithium.git
*/
+/*************** dilithium/ref/fips202.h */
+#ifndef FIPS202_H
+#define FIPS202_H
+
+
+#define SHAKE128_RATE 168
+#define SHAKE256_RATE 136
+#define SHA3_256_RATE 136
+#define SHA3_512_RATE 72
+
+
+typedef struct {
+ uint64_t s[25];
+ unsigned int pos;
+} keccak_state;
+
+extern const uint64_t KeccakF_RoundConstants[];
+
+void shake128_init(keccak_state *state);
+void shake128_absorb(keccak_state *state, const uint8_t *in, size_t inlen);
+void shake128_finalize(keccak_state *state);
+void shake128_squeeze(uint8_t *out, size_t outlen, keccak_state *state);
+void shake128_absorb_once(keccak_state *state, const uint8_t *in, size_t inlen);
+void shake128_squeezeblocks(uint8_t *out, size_t nblocks, keccak_state *state);
+
+void shake256_init(keccak_state *state);
+void shake256_absorb(keccak_state *state, const uint8_t *in, size_t inlen);
+void shake256_finalize(keccak_state *state);
+void shake256_squeeze(uint8_t *out, size_t outlen, keccak_state *state);
+void shake256_absorb_once(keccak_state *state, const uint8_t *in, size_t inlen);
+void shake256_squeezeblocks(uint8_t *out, size_t nblocks, keccak_state *state);
+
+void shake128(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen);
+void shake256(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen);
+void sha3_256(uint8_t h[32], const uint8_t *in, size_t inlen);
+void sha3_512(uint8_t h[64], const uint8_t *in, size_t inlen);
+
+#endif
+/*************** dilithium/ref/ntt.h */
+#ifndef NTT_H
+#define NTT_H
+
+
+void ntt(int32_t a[N]);
+
+void invntt_tomont(int32_t a[N]);
+
+#endif
+/*************** dilithium/ref/packing.h */
+#ifndef PACKING_H
+#define PACKING_H
+
+
+void pack_pk(uint8_t pk[CRYPTO_PUBLICKEYBYTES], const uint8_t rho[SEEDBYTES], const polyveck *t1);
+
+void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
+ const uint8_t rho[SEEDBYTES],
+ const uint8_t tr[TRBYTES],
+ const uint8_t key[SEEDBYTES],
+ const polyveck *t0,
+ const polyvecl *s1,
+ const polyveck *s2);
+
+void pack_sig(uint8_t sig[CRYPTO_BYTES], const uint8_t c[CTILDEBYTES], const polyvecl *z, const polyveck *h);
+
+void unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[CRYPTO_PUBLICKEYBYTES]);
+
+void unpack_sk(uint8_t rho[SEEDBYTES],
+ uint8_t tr[TRBYTES],
+ uint8_t key[SEEDBYTES],
+ polyveck *t0,
+ polyvecl *s1,
+ polyveck *s2,
+ const uint8_t sk[CRYPTO_SECRETKEYBYTES]);
+
+int unpack_sig(uint8_t c[CTILDEBYTES], polyvecl *z, polyveck *h, const uint8_t sig[CRYPTO_BYTES]);
+
+#endif
+/*************** dilithium/ref/params.h */
+#ifndef PARAMS_H
+#define PARAMS_H
+
+
+#define SEEDBYTES 32
+#define CRHBYTES 64
+#define TRBYTES 64
+#define RNDBYTES 32
+#define N 256
+#define Q 8380417
+#define D 13
+#define ROOT_OF_UNITY 1753
+
+#if DILITHIUM_MODE == 2
+#define K 4
+#define L 4
+#define ETA 2
+#define TAU 39
+#define BETA 78
+#define GAMMA1 (1 << 17)
+#define GAMMA2 ((Q-1)/88)
+#define OMEGA 80
+#define CTILDEBYTES 32
+
+#elif DILITHIUM_MODE == 3
+#define K 6
+#define L 5
+#define ETA 4
+#define TAU 49
+#define BETA 196
+#define GAMMA1 (1 << 19)
+#define GAMMA2 ((Q-1)/32)
+#define OMEGA 55
+#define CTILDEBYTES 48
+
+#elif DILITHIUM_MODE == 5
+#define K 8
+#define L 7
+#define ETA 2
+#define TAU 60
+#define BETA 120
+#define GAMMA1 (1 << 19)
+#define GAMMA2 ((Q-1)/32)
+#define OMEGA 75
+#define CTILDEBYTES 64
+
+#endif
+
+#define POLYT1_PACKEDBYTES 320
+#define POLYT0_PACKEDBYTES 416
+#define POLYVECH_PACKEDBYTES (OMEGA + K)
+
+#if GAMMA1 == (1 << 17)
+#define POLYZ_PACKEDBYTES 576
+#elif GAMMA1 == (1 << 19)
+#define POLYZ_PACKEDBYTES 640
+#endif
+
+#if GAMMA2 == (Q-1)/88
+#define POLYW1_PACKEDBYTES 192
+#elif GAMMA2 == (Q-1)/32
+#define POLYW1_PACKEDBYTES 128
+#endif
+
+#if ETA == 2
+#define POLYETA_PACKEDBYTES 96
+#elif ETA == 4
+#define POLYETA_PACKEDBYTES 128
+#endif
+
+#define CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES)
+#define CRYPTO_SECRETKEYBYTES (2*SEEDBYTES \
+ + TRBYTES \
+ + L*POLYETA_PACKEDBYTES \
+ + K*POLYETA_PACKEDBYTES \
+ + K*POLYT0_PACKEDBYTES)
+#define CRYPTO_BYTES (CTILDEBYTES + L*POLYZ_PACKEDBYTES + POLYVECH_PACKEDBYTES)
+
+#endif
+/*************** dilithium/ref/poly.h */
+#ifndef POLY_H
+#define POLY_H
+
+
+typedef struct {
+ int32_t coeffs[N];
+} poly;
+
+void poly_reduce(poly *a);
+void poly_caddq(poly *a);
+
+void poly_add(poly *c, const poly *a, const poly *b);
+void poly_sub(poly *c, const poly *a, const poly *b);
+void poly_shiftl(poly *a);
+
+void poly_ntt(poly *a);
+void poly_invntt_tomont(poly *a);
+void poly_pointwise_montgomery(poly *c, const poly *a, const poly *b);
+
+void poly_power2round(poly *a1, poly *a0, const poly *a);
+void poly_decompose(poly *a1, poly *a0, const poly *a);
+unsigned int poly_make_hint(poly *h, const poly *a0, const poly *a1);
+void poly_use_hint(poly *b, const poly *a, const poly *h);
+
+int poly_chknorm(const poly *a, int32_t B);
+void poly_uniform(poly *a,
+ const uint8_t seed[SEEDBYTES],
+ uint16_t nonce);
+void poly_uniform_eta(poly *a,
+ const uint8_t seed[CRHBYTES],
+ uint16_t nonce);
+void poly_uniform_gamma1(poly *a,
+ const uint8_t seed[CRHBYTES],
+ uint16_t nonce);
+void poly_challenge(poly *c, const uint8_t seed[CTILDEBYTES]);
+
+void polyeta_pack(uint8_t *r, const poly *a);
+void polyeta_unpack(poly *r, const uint8_t *a);
+
+void polyt1_pack(uint8_t *r, const poly *a);
+void polyt1_unpack(poly *r, const uint8_t *a);
+
+void polyt0_pack(uint8_t *r, const poly *a);
+void polyt0_unpack(poly *r, const uint8_t *a);
+
+void polyz_pack(uint8_t *r, const poly *a);
+void polyz_unpack(poly *r, const uint8_t *a);
+
+void polyw1_pack(uint8_t *r, const poly *a);
+
+#endif
+/*************** dilithium/ref/polyvec.h */
+#ifndef POLYVEC_H
+#define POLYVEC_H
+
+
+/* Vectors of polynomials of length L */
+typedef struct {
+ poly vec[L];
+} polyvecl;
+
+void polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
+
+void polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
+
+void polyvecl_reduce(polyvecl *v);
+
+void polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v);
+
+void polyvecl_ntt(polyvecl *v);
+void polyvecl_invntt_tomont(polyvecl *v);
+void polyvecl_pointwise_poly_montgomery(polyvecl *r, const poly *a, const polyvecl *v);
+#define polyvecl_pointwise_acc_montgomery \
+void polyvecl_pointwise_acc_montgomery(poly *w,
+ const polyvecl *u,
+ const polyvecl *v);
+
+
+int polyvecl_chknorm(const polyvecl *v, int32_t B);
+
+
+
+/* Vectors of polynomials of length K */
+typedef struct {
+ poly vec[K];
+} polyveck;
+
+void polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
+
+void polyveck_reduce(polyveck *v);
+void polyveck_caddq(polyveck *v);
+
+void polyveck_add(polyveck *w, const polyveck *u, const polyveck *v);
+void polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v);
+void polyveck_shiftl(polyveck *v);
+
+void polyveck_ntt(polyveck *v);
+void polyveck_invntt_tomont(polyveck *v);
+void polyveck_pointwise_poly_montgomery(polyveck *r, const poly *a, const polyveck *v);
+
+int polyveck_chknorm(const polyveck *v, int32_t B);
+
+void polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v);
+void polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v);
+unsigned int polyveck_make_hint(polyveck *h,
+ const polyveck *v0,
+ const polyveck *v1);
+void polyveck_use_hint(polyveck *w, const polyveck *v, const polyveck *h);
+
+void polyveck_pack_w1(uint8_t r[K*POLYW1_PACKEDBYTES], const polyveck *w1);
+
+void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]);
+
+void polyvec_matrix_pointwise_montgomery(polyveck *t, const polyvecl mat[K], const polyvecl *v);
+
+#endif
+/*************** dilithium/ref/randombytes.h */
+#ifndef RANDOMBYTES_H
+#define RANDOMBYTES_H
+
+
+void randombytes(uint8_t *out, size_t outlen);
+
+#endif
+/*************** dilithium/ref/reduce.h */
+#ifndef REDUCE_H
+#define REDUCE_H
+
+
+#define MONT -4186625 // 2^32 % Q
+#define QINV 58728449 // q^(-1) mod 2^32
+
+int32_t montgomery_reduce(int64_t a);
+
+int32_t reduce32(int32_t a);
+
+int32_t caddq(int32_t a);
+
+int32_t freeze(int32_t a);
+
+#endif
+/*************** dilithium/ref/rounding.h */
+#ifndef ROUNDING_H
+#define ROUNDING_H
+
+
+int32_t power2round(int32_t *a0, int32_t a);
+
+int32_t decompose(int32_t *a0, int32_t a);
+
+unsigned int make_hint(int32_t a0, int32_t a1);
+
+int32_t use_hint(int32_t a, unsigned int hint);
+
+#endif
+/*************** dilithium/ref/sign.h */
+#ifndef SIGN_H
+#define SIGN_H
+
+
+int crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
+
+int crypto_sign_signature_internal(uint8_t *sig,
+ size_t *siglen,
+ const uint8_t *m,
+ size_t mlen,
+ const uint8_t *pre,
+ size_t prelen,
+ const uint8_t rnd[RNDBYTES],
+ const uint8_t *sk);
+
+int crypto_sign_signature(uint8_t *sig, size_t *siglen,
+ const uint8_t *m, size_t mlen,
+ const uint8_t *ctx, size_t ctxlen,
+ const uint8_t *sk);
+
+int crypto_sign(uint8_t *sm, size_t *smlen,
+ const uint8_t *m, size_t mlen,
+ const uint8_t *ctx, size_t ctxlen,
+ const uint8_t *sk);
+
+int crypto_sign_verify_internal(const uint8_t *sig,
+ size_t siglen,
+ const uint8_t *m,
+ size_t mlen,
+ const uint8_t *pre,
+ size_t prelen,
+ const uint8_t *pk);
+
+int crypto_sign_verify(const uint8_t *sig, size_t siglen,
+ const uint8_t *m, size_t mlen,
+ const uint8_t *ctx, size_t ctxlen,
+ const uint8_t *pk);
+
+int crypto_sign_open(uint8_t *m, size_t *mlen,
+ const uint8_t *sm, size_t smlen,
+ const uint8_t *ctx, size_t ctxlen,
+ const uint8_t *pk);
+
+#endif
+/*************** dilithium/ref/symmetric.h */
+#ifndef SYMMETRIC_H
+#define SYMMETRIC_H
+
+
+
+typedef keccak_state stream128_state;
+typedef keccak_state stream256_state;
+
+void dilithium_shake128_stream_init(keccak_state *state,
+ const uint8_t seed[SEEDBYTES],
+ uint16_t nonce);
+
+void dilithium_shake256_stream_init(keccak_state *state,
+ const uint8_t seed[CRHBYTES],
+ uint16_t nonce);
+
+#define STREAM128_BLOCKBYTES SHAKE128_RATE
+#define STREAM256_BLOCKBYTES SHAKE256_RATE
+
+#define stream128_init(STATE, SEED, NONCE) \
+ dilithium_shake128_stream_init(STATE, SEED, NONCE)
+#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \
+ shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
+#define stream256_init(STATE, SEED, NONCE) \
+ dilithium_shake256_stream_init(STATE, SEED, NONCE)
+#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) \
+ shake256_squeezeblocks(OUT, OUTBLOCKS, STATE)
+
+#endif
/*************** dilithium/ref/ntt.c */
static const int32_t zetas[N] = {
_______________________________________________
Gcrypt-devel mailing list
Gcrypt-devel@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gcrypt-devel
