* cipher/dilithium-common.c (decompose): Make it into...
(decompose_88, decompose_32): ... these two functions.
(make_hint): Make it into...
(make_hint_88, make_hint_32): ... these two functions.
(use_hint): Make it into...
(use_hint_88, use_hint_32): ... these two functions.
(poly_decompose): Make it into...
(poly_decompose_88, poly_decompose_32): ... these two functions.
(poly_make_hint): Make it into...
(poly_make_hint_88, poly_make_hint_32): ... these two functions.
(poly_use_hint): Make it into...
(poly_use_hint_88, poly_use_hint_32): ... these two functions.
(rej_eta): Make it into...
(rej_eta_2, rej_eta_4): ... these two functions.
(poly_uniform_eta): Make it into...
(poly_uniform_eta_2, poly_uniform_eta_4): ... these two functions.
(POLY_UNIFORM_ETA_NBLOCKS): Make it into...
(POLY_UNIFORM_ETA_NBLOCKS_2, POLY_UNIFORM_ETA_NBLOCKS_4): ... these
two macros.
(poly_uniform_gamma1): Make it into...
(poly_uniform_gamma1_17, poly_uniform_gamma1_19): ... these two
functions.
(POLY_UNIFORM_GAMMA1_NBLOCKS): Make it into...
(POLY_UNIFORM_GAMMA1_NBLOCKS_17, POLY_UNIFORM_GAMMA1_NBLOCKS_19):
... these two macros.
(polyeta_pack): Make it into...
(polyeta_pack_2, polyeta_pack_4): ... these two functions.
(polyeta_unpack): Make it into...
(polyeta_unpack_2, polyeta_unpack_4): ... these two functions.
(polyz_pack): Make it into...
(polyz_pack_17, polyz_pack_19): ... these two functions.
(polyz_unpack): Make it into...
(polyz_unpack_17, polyz_unpack_19): ... these two functions.
(polyw1_pack): Make it into...
(polyw1_pack_88, polyw1_pack_32): ... these two functions.
--
GnuPG-bug-id: 7640
Signed-off-by: NIIBE Yutaka <gni...@fsij.org>
---
cipher/dilithium-common.c | 371 ++++++++++++++++++++++++++++----------
1 file changed, 271 insertions(+), 100 deletions(-)
diff --git a/cipher/dilithium-common.c b/cipher/dilithium-common.c
index 3b5a17ef..2dfc4ba0 100644
--- a/cipher/dilithium-common.c
+++ b/cipher/dilithium-common.c
@@ -179,22 +179,32 @@ int32_t power2round(int32_t *a0, int32_t a) {
*
* Returns a1.
**************************************************/
-int32_t decompose(int32_t *a0, int32_t a) {
+#if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 2
+int32_t decompose_88(int32_t *a0, int32_t a) {
int32_t a1;
a1 = (a + 127) >> 7;
-#if GAMMA2 == (Q-1)/32
- a1 = (a1*1025 + (1 << 21)) >> 22;
- a1 &= 15;
-#elif GAMMA2 == (Q-1)/88
a1 = (a1*11275 + (1 << 23)) >> 24;
a1 ^= ((43 - a1) >> 31) & a1;
+
+ *a0 = a - a1*2*GAMMA2_88;
+ *a0 -= (((Q-1)/2 - *a0) >> 31) & Q;
+ return a1;
+}
#endif
+#if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 3 || DILITHIUM_MODE == 5
+int32_t decompose_32(int32_t *a0, int32_t a) {
+ int32_t a1;
- *a0 = a - a1*2*GAMMA2;
+ a1 = (a + 127) >> 7;
+ a1 = (a1*1025 + (1 << 21)) >> 22;
+ a1 &= 15;
+
+ *a0 = a - a1*2*GAMMA2_32;
*a0 -= (((Q-1)/2 - *a0) >> 31) & Q;
return a1;
}
+#endif
/*************************************************
* Name: make_hint
@@ -207,12 +217,22 @@ int32_t decompose(int32_t *a0, int32_t a) {
*
* Returns 1 if overflow.
**************************************************/
-unsigned int make_hint(int32_t a0, int32_t a1) {
- if(a0 > GAMMA2 || a0 < -GAMMA2 || (a0 == -GAMMA2 && a1 != 0))
+#if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 2
+unsigned int make_hint_88(int32_t a0, int32_t a1) {
+ if(a0 > GAMMA2_88 || a0 < -GAMMA2_88 || (a0 == -GAMMA2_88 && a1 != 0))
return 1;
return 0;
}
+#endif
+#if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 3 || DILITHIUM_MODE == 5
+unsigned int make_hint_32(int32_t a0, int32_t a1) {
+ if(a0 > GAMMA2_32 || a0 < -GAMMA2_32 || (a0 == -GAMMA2_32 && a1 != 0))
+ return 1;
+
+ return 0;
+}
+#endif
/*************************************************
* Name: use_hint
@@ -224,25 +244,34 @@ unsigned int make_hint(int32_t a0, int32_t a1) {
*
* Returns corrected high bits.
**************************************************/
-int32_t use_hint(int32_t a, unsigned int hint) {
+#if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 2
+int32_t use_hint_88(int32_t a, unsigned int hint) {
int32_t a0, a1;
- a1 = decompose(&a0, a);
+ a1 = decompose_88(&a0, a);
if(hint == 0)
return a1;
-#if GAMMA2 == (Q-1)/32
- if(a0 > 0)
- return (a1 + 1) & 15;
- else
- return (a1 - 1) & 15;
-#elif GAMMA2 == (Q-1)/88
if(a0 > 0)
return (a1 == 43) ? 0 : a1 + 1;
else
return (a1 == 0) ? 43 : a1 - 1;
+}
#endif
+#if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 3 || DILITHIUM_MODE == 5
+int32_t use_hint_32(int32_t a, unsigned int hint) {
+ int32_t a0, a1;
+
+ a1 = decompose_32(&a0, a);
+ if(hint == 0)
+ return a1;
+
+ if(a0 > 0)
+ return (a1 + 1) & 15;
+ else
+ return (a1 - 1) & 15;
}
+#endif
/*************** dilithium/ref/poly.c */
#ifdef DBENCH
@@ -438,15 +467,28 @@ void poly_power2round(poly *a1, poly *a0, const poly *a) {
* - poly *a0: pointer to output polynomial with coefficients c0
* - const poly *a: pointer to input polynomial
**************************************************/
-void poly_decompose(poly *a1, poly *a0, const poly *a) {
+#if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 2
+void poly_decompose_88(poly *a1, poly *a0, const poly *a) {
+ unsigned int i;
+ DBENCH_START();
+
+ for(i = 0; i < N; ++i)
+ a1->coeffs[i] = decompose_88(&a0->coeffs[i], a->coeffs[i]);
+
+ DBENCH_STOP(*tround);
+}
+#endif
+#if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 3 || DILITHIUM_MODE == 5
+void poly_decompose_32(poly *a1, poly *a0, const poly *a) {
unsigned int i;
DBENCH_START();
for(i = 0; i < N; ++i)
- a1->coeffs[i] = decompose(&a0->coeffs[i], a->coeffs[i]);
+ a1->coeffs[i] = decompose_32(&a0->coeffs[i], a->coeffs[i]);
DBENCH_STOP(*tround);
}
+#endif
/*************************************************
* Name: poly_make_hint
@@ -461,18 +503,34 @@ void poly_decompose(poly *a1, poly *a0, const poly *a) {
*
* Returns number of 1 bits.
**************************************************/
-unsigned int poly_make_hint(poly *h, const poly *a0, const poly *a1) {
+#if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 2
+unsigned int poly_make_hint_88(poly *h, const poly *a0, const poly *a1) {
unsigned int i, s = 0;
DBENCH_START();
for(i = 0; i < N; ++i) {
- h->coeffs[i] = make_hint(a0->coeffs[i], a1->coeffs[i]);
+ h->coeffs[i] = make_hint_88(a0->coeffs[i], a1->coeffs[i]);
s += h->coeffs[i];
}
DBENCH_STOP(*tround);
return s;
}
+#endif
+#if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 3 || DILITHIUM_MODE == 5
+unsigned int poly_make_hint_32(poly *h, const poly *a0, const poly *a1) {
+ unsigned int i, s = 0;
+ DBENCH_START();
+
+ for(i = 0; i < N; ++i) {
+ h->coeffs[i] = make_hint_32(a0->coeffs[i], a1->coeffs[i]);
+ s += h->coeffs[i];
+ }
+
+ DBENCH_STOP(*tround);
+ return s;
+}
+#endif
/*************************************************
* Name: poly_use_hint
@@ -483,15 +541,28 @@ unsigned int poly_make_hint(poly *h, const poly *a0, const poly *a1) {
* - const poly *a: pointer to input polynomial
* - const poly *h: pointer to input hint polynomial
**************************************************/
-void poly_use_hint(poly *b, const poly *a, const poly *h) {
+#if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 2
+void poly_use_hint_88(poly *b, const poly *a, const poly *h) {
unsigned int i;
DBENCH_START();
for(i = 0; i < N; ++i)
- b->coeffs[i] = use_hint(a->coeffs[i], h->coeffs[i]);
+ b->coeffs[i] = use_hint_88(a->coeffs[i], h->coeffs[i]);
DBENCH_STOP(*tround);
}
+#endif
+#if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 3 || DILITHIUM_MODE == 5
+void poly_use_hint_32(poly *b, const poly *a, const poly *h) {
+ unsigned int i;
+ DBENCH_START();
+
+ for(i = 0; i < N; ++i)
+ b->coeffs[i] = use_hint_32(a->coeffs[i], h->coeffs[i]);
+
+ DBENCH_STOP(*tround);
+}
+#endif
/*************************************************
* Name: poly_chknorm
@@ -619,10 +690,11 @@ void poly_uniform(poly *a,
* Returns number of sampled coefficients. Can be smaller than len if not enough
* random bytes were given.
**************************************************/
-static unsigned int rej_eta(int32_t *a,
- unsigned int len,
- const uint8_t *buf,
- unsigned int buflen)
+#if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 2 || DILITHIUM_MODE == 5
+static unsigned int rej_eta_2(int32_t *a,
+ unsigned int len,
+ const uint8_t *buf,
+ unsigned int buflen)
{
unsigned int ctr, pos;
uint32_t t0, t1;
@@ -633,7 +705,6 @@ static unsigned int rej_eta(int32_t *a,
t0 = buf[pos] & 0x0F;
t1 = buf[pos++] >> 4;
-#if ETA == 2
if(t0 < 15) {
t0 = t0 - (205*t0 >> 10)*5;
a[ctr++] = 2 - t0;
@@ -642,17 +713,37 @@ static unsigned int rej_eta(int32_t *a,
t1 = t1 - (205*t1 >> 10)*5;
a[ctr++] = 2 - t1;
}
-#elif ETA == 4
+ }
+
+ DBENCH_STOP(*tsample);
+ return ctr;
+}
+#endif
+#if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 3
+static unsigned int rej_eta_4(int32_t *a,
+ unsigned int len,
+ const uint8_t *buf,
+ unsigned int buflen)
+{
+ unsigned int ctr, pos;
+ uint32_t t0, t1;
+ DBENCH_START();
+
+ ctr = pos = 0;
+ while(ctr < len && pos < buflen) {
+ t0 = buf[pos] & 0x0F;
+ t1 = buf[pos++] >> 4;
+
if(t0 < 9)
a[ctr++] = 4 - t0;
if(t1 < 9 && ctr < len)
a[ctr++] = 4 - t1;
-#endif
}
DBENCH_STOP(*tsample);
return ctr;
}
+#endif
/*************************************************
* Name: poly_uniform_eta
@@ -665,30 +756,50 @@ static unsigned int rej_eta(int32_t *a,
* - const uint8_t seed[]: byte array with seed of length CRHBYTES
* - uint16_t nonce: 2-byte nonce
**************************************************/
-#if ETA == 2
-#define POLY_UNIFORM_ETA_NBLOCKS ((136 + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES)
-#elif ETA == 4
-#define POLY_UNIFORM_ETA_NBLOCKS ((227 + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES)
+#if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 2 || DILITHIUM_MODE == 5
+#define POLY_UNIFORM_ETA_NBLOCKS_2 ((136 + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES)
+void poly_uniform_eta_2(poly *a,
+ const uint8_t seed[CRHBYTES],
+ uint16_t nonce)
+{
+ unsigned int ctr;
+ unsigned int buflen = POLY_UNIFORM_ETA_NBLOCKS_2*STREAM256_BLOCKBYTES;
+ uint8_t buf[POLY_UNIFORM_ETA_NBLOCKS_2*STREAM256_BLOCKBYTES];
+ stream256_state state;
+
+ stream256_init(&state, seed, nonce);
+ stream256_squeezeblocks(buf, POLY_UNIFORM_ETA_NBLOCKS_2, &state);
+
+ ctr = rej_eta_2(a->coeffs, N, buf, buflen);
+
+ while(ctr < N) {
+ stream256_squeezeblocks(buf, 1, &state);
+ ctr += rej_eta_2(a->coeffs + ctr, N - ctr, buf, STREAM256_BLOCKBYTES);
+ }
+}
#endif
-void poly_uniform_eta(poly *a,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce)
+#if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 3
+#define POLY_UNIFORM_ETA_NBLOCKS_4 ((227 + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES)
+void poly_uniform_eta_4(poly *a,
+ const uint8_t seed[CRHBYTES],
+ uint16_t nonce)
{
unsigned int ctr;
- unsigned int buflen = POLY_UNIFORM_ETA_NBLOCKS*STREAM256_BLOCKBYTES;
- uint8_t buf[POLY_UNIFORM_ETA_NBLOCKS*STREAM256_BLOCKBYTES];
+ unsigned int buflen = POLY_UNIFORM_ETA_NBLOCKS_4*STREAM256_BLOCKBYTES;
+ uint8_t buf[POLY_UNIFORM_ETA_NBLOCKS_4*STREAM256_BLOCKBYTES];
stream256_state state;
stream256_init(&state, seed, nonce);
- stream256_squeezeblocks(buf, POLY_UNIFORM_ETA_NBLOCKS, &state);
+ stream256_squeezeblocks(buf, POLY_UNIFORM_ETA_NBLOCKS_4, &state);
- ctr = rej_eta(a->coeffs, N, buf, buflen);
+ ctr = rej_eta_4(a->coeffs, N, buf, buflen);
while(ctr < N) {
stream256_squeezeblocks(buf, 1, &state);
- ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM256_BLOCKBYTES);
+ ctr += rej_eta_4(a->coeffs + ctr, N - ctr, buf, STREAM256_BLOCKBYTES);
}
}
+#endif
/*************************************************
* Name: poly_uniform_gamma1m1
@@ -701,18 +812,36 @@ void poly_uniform_eta(poly *a,
* - const uint8_t seed[]: byte array with seed of length CRHBYTES
* - uint16_t nonce: 16-bit nonce
**************************************************/
-#define POLY_UNIFORM_GAMMA1_NBLOCKS ((POLYZ_PACKEDBYTES + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES)
-void poly_uniform_gamma1(poly *a,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce)
+#if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 2
+#define POLY_UNIFORM_GAMMA1_NBLOCKS_17 ((POLYZ_PACKEDBYTES_17 + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES)
+void polyz_unpack_17(poly *r, const uint8_t *a);/* Forward declarations */
+void poly_uniform_gamma1_17(poly *a,
+ const uint8_t seed[CRHBYTES],
+ uint16_t nonce)
{
- uint8_t buf[POLY_UNIFORM_GAMMA1_NBLOCKS*STREAM256_BLOCKBYTES];
+ uint8_t buf[POLY_UNIFORM_GAMMA1_NBLOCKS_17*STREAM256_BLOCKBYTES];
stream256_state state;
stream256_init(&state, seed, nonce);
- stream256_squeezeblocks(buf, POLY_UNIFORM_GAMMA1_NBLOCKS, &state);
- polyz_unpack(a, buf);
+ stream256_squeezeblocks(buf, POLY_UNIFORM_GAMMA1_NBLOCKS_17, &state);
+ polyz_unpack_17(a, buf);
}
+#endif
+#if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 3 || DILITHIUM_MODE == 5
+#define POLY_UNIFORM_GAMMA1_NBLOCKS_19 ((POLYZ_PACKEDBYTES_19 + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES)
+void polyz_unpack_19(poly *r, const uint8_t *a);/* Forward declarations */
+void poly_uniform_gamma1_19(poly *a,
+ const uint8_t seed[CRHBYTES],
+ uint16_t nonce)
+{
+ uint8_t buf[POLY_UNIFORM_GAMMA1_NBLOCKS_19*STREAM256_BLOCKBYTES];
+ stream256_state state;
+
+ stream256_init(&state, seed, nonce);
+ stream256_squeezeblocks(buf, POLY_UNIFORM_GAMMA1_NBLOCKS_19, &state);
+ polyz_unpack_19(a, buf);
+}
+#endif
/*************************************************
* Name: polyeta_pack
@@ -723,36 +852,45 @@ void poly_uniform_gamma1(poly *a,
* POLYETA_PACKEDBYTES bytes
* - const poly *a: pointer to input polynomial
**************************************************/
-void polyeta_pack(uint8_t *r, const poly *a) {
+#if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 2 || DILITHIUM_MODE == 5
+void polyeta_pack_2(uint8_t *r, const poly *a) {
unsigned int i;
uint8_t t[8];
DBENCH_START();
-#if ETA == 2
for(i = 0; i < N/8; ++i) {
- t[0] = ETA - a->coeffs[8*i+0];
- t[1] = ETA - a->coeffs[8*i+1];
- t[2] = ETA - a->coeffs[8*i+2];
- t[3] = ETA - a->coeffs[8*i+3];
- t[4] = ETA - a->coeffs[8*i+4];
- t[5] = ETA - a->coeffs[8*i+5];
- t[6] = ETA - a->coeffs[8*i+6];
- t[7] = ETA - a->coeffs[8*i+7];
+ t[0] = ETA2 - a->coeffs[8*i+0];
+ t[1] = ETA2 - a->coeffs[8*i+1];
+ t[2] = ETA2 - a->coeffs[8*i+2];
+ t[3] = ETA2 - a->coeffs[8*i+3];
+ t[4] = ETA2 - a->coeffs[8*i+4];
+ t[5] = ETA2 - a->coeffs[8*i+5];
+ t[6] = ETA2 - a->coeffs[8*i+6];
+ t[7] = ETA2 - a->coeffs[8*i+7];
r[3*i+0] = (t[0] >> 0) | (t[1] << 3) | (t[2] << 6);
r[3*i+1] = (t[2] >> 2) | (t[3] << 1) | (t[4] << 4) | (t[5] << 7);
r[3*i+2] = (t[5] >> 1) | (t[6] << 2) | (t[7] << 5);
}
-#elif ETA == 4
+
+ DBENCH_STOP(*tpack);
+}
+#endif
+#if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 3
+void polyeta_pack_4(uint8_t *r, const poly *a) {
+ unsigned int i;
+ uint8_t t[8];
+ DBENCH_START();
+
for(i = 0; i < N/2; ++i) {
- t[0] = ETA - a->coeffs[2*i+0];
- t[1] = ETA - a->coeffs[2*i+1];
+ t[0] = ETA4 - a->coeffs[2*i+0];
+ t[1] = ETA4 - a->coeffs[2*i+1];
r[i] = t[0] | (t[1] << 4);
}
-#endif
DBENCH_STOP(*tpack);
}
+#endif
/*************************************************
* Name: polyeta_unpack
@@ -762,11 +900,11 @@ void polyeta_pack(uint8_t *r, const poly *a) {
* Arguments: - poly *r: pointer to output polynomial
* - const uint8_t *a: byte array with bit-packed polynomial
**************************************************/
-void polyeta_unpack(poly *r, const uint8_t *a) {
+#if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 2 || DILITHIUM_MODE == 5
+void polyeta_unpack_2(poly *r, const uint8_t *a) {
unsigned int i;
DBENCH_START();
-#if ETA == 2
for(i = 0; i < N/8; ++i) {
r->coeffs[8*i+0] = (a[3*i+0] >> 0) & 7;
r->coeffs[8*i+1] = (a[3*i+0] >> 3) & 7;
@@ -777,26 +915,34 @@ void polyeta_unpack(poly *r, const uint8_t *a) {
r->coeffs[8*i+6] = (a[3*i+2] >> 2) & 7;
r->coeffs[8*i+7] = (a[3*i+2] >> 5) & 7;
- r->coeffs[8*i+0] = ETA - r->coeffs[8*i+0];
- r->coeffs[8*i+1] = ETA - r->coeffs[8*i+1];
- r->coeffs[8*i+2] = ETA - r->coeffs[8*i+2];
- r->coeffs[8*i+3] = ETA - r->coeffs[8*i+3];
- r->coeffs[8*i+4] = ETA - r->coeffs[8*i+4];
- r->coeffs[8*i+5] = ETA - r->coeffs[8*i+5];
- r->coeffs[8*i+6] = ETA - r->coeffs[8*i+6];
- r->coeffs[8*i+7] = ETA - r->coeffs[8*i+7];
+ r->coeffs[8*i+0] = ETA2 - r->coeffs[8*i+0];
+ r->coeffs[8*i+1] = ETA2 - r->coeffs[8*i+1];
+ r->coeffs[8*i+2] = ETA2 - r->coeffs[8*i+2];
+ r->coeffs[8*i+3] = ETA2 - r->coeffs[8*i+3];
+ r->coeffs[8*i+4] = ETA2 - r->coeffs[8*i+4];
+ r->coeffs[8*i+5] = ETA2 - r->coeffs[8*i+5];
+ r->coeffs[8*i+6] = ETA2 - r->coeffs[8*i+6];
+ r->coeffs[8*i+7] = ETA2 - r->coeffs[8*i+7];
}
-#elif ETA == 4
+
+ DBENCH_STOP(*tpack);
+}
+#endif
+#if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 3
+void polyeta_unpack_4(poly *r, const uint8_t *a) {
+ unsigned int i;
+ DBENCH_START();
+
for(i = 0; i < N/2; ++i) {
r->coeffs[2*i+0] = a[i] & 0x0F;
r->coeffs[2*i+1] = a[i] >> 4;
- r->coeffs[2*i+0] = ETA - r->coeffs[2*i+0];
- r->coeffs[2*i+1] = ETA - r->coeffs[2*i+1];
+ r->coeffs[2*i+0] = ETA4 - r->coeffs[2*i+0];
+ r->coeffs[2*i+1] = ETA4 - r->coeffs[2*i+1];
}
-#endif
DBENCH_STOP(*tpack);
}
+#endif
/*************************************************
* Name: polyt1_pack
@@ -967,17 +1113,17 @@ void polyt0_unpack(poly *r, const uint8_t *a) {
* POLYZ_PACKEDBYTES bytes
* - const poly *a: pointer to input polynomial
**************************************************/
-void polyz_pack(uint8_t *r, const poly *a) {
+#if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 2
+void polyz_pack_17(uint8_t *r, const poly *a) {
unsigned int i;
uint32_t t[4];
DBENCH_START();
-#if GAMMA1 == (1 << 17)
for(i = 0; i < N/4; ++i) {
- t[0] = GAMMA1 - a->coeffs[4*i+0];
- t[1] = GAMMA1 - a->coeffs[4*i+1];
- t[2] = GAMMA1 - a->coeffs[4*i+2];
- t[3] = GAMMA1 - a->coeffs[4*i+3];
+ t[0] = GAMMA1_17 - a->coeffs[4*i+0];
+ t[1] = GAMMA1_17 - a->coeffs[4*i+1];
+ t[2] = GAMMA1_17 - a->coeffs[4*i+2];
+ t[3] = GAMMA1_17 - a->coeffs[4*i+3];
r[9*i+0] = t[0];
r[9*i+1] = t[0] >> 8;
@@ -992,10 +1138,19 @@ void polyz_pack(uint8_t *r, const poly *a) {
r[9*i+7] = t[3] >> 2;
r[9*i+8] = t[3] >> 10;
}
-#elif GAMMA1 == (1 << 19)
+
+ DBENCH_STOP(*tpack);
+}
+#endif
+#if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 3 || DILITHIUM_MODE == 5
+void polyz_pack_19(uint8_t *r, const poly *a) {
+ unsigned int i;
+ uint32_t t[4];
+ DBENCH_START();
+
for(i = 0; i < N/2; ++i) {
- t[0] = GAMMA1 - a->coeffs[2*i+0];
- t[1] = GAMMA1 - a->coeffs[2*i+1];
+ t[0] = GAMMA1_19 - a->coeffs[2*i+0];
+ t[1] = GAMMA1_19 - a->coeffs[2*i+1];
r[5*i+0] = t[0];
r[5*i+1] = t[0] >> 8;
@@ -1004,10 +1159,10 @@ void polyz_pack(uint8_t *r, const poly *a) {
r[5*i+3] = t[1] >> 4;
r[5*i+4] = t[1] >> 12;
}
-#endif
DBENCH_STOP(*tpack);
}
+#endif
/*************************************************
* Name: polyz_unpack
@@ -1018,11 +1173,11 @@ void polyz_pack(uint8_t *r, const poly *a) {
* Arguments: - poly *r: pointer to output polynomial
* - const uint8_t *a: byte array with bit-packed polynomial
**************************************************/
-void polyz_unpack(poly *r, const uint8_t *a) {
+#if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 2
+void polyz_unpack_17(poly *r, const uint8_t *a) {
unsigned int i;
DBENCH_START();
-#if GAMMA1 == (1 << 17)
for(i = 0; i < N/4; ++i) {
r->coeffs[4*i+0] = a[9*i+0];
r->coeffs[4*i+0] |= (uint32_t)a[9*i+1] << 8;
@@ -1044,12 +1199,20 @@ void polyz_unpack(poly *r, const uint8_t *a) {
r->coeffs[4*i+3] |= (uint32_t)a[9*i+8] << 10;
r->coeffs[4*i+3] &= 0x3FFFF;
- r->coeffs[4*i+0] = GAMMA1 - r->coeffs[4*i+0];
- r->coeffs[4*i+1] = GAMMA1 - r->coeffs[4*i+1];
- r->coeffs[4*i+2] = GAMMA1 - r->coeffs[4*i+2];
- r->coeffs[4*i+3] = GAMMA1 - r->coeffs[4*i+3];
+ r->coeffs[4*i+0] = GAMMA1_17 - r->coeffs[4*i+0];
+ r->coeffs[4*i+1] = GAMMA1_17 - r->coeffs[4*i+1];
+ r->coeffs[4*i+2] = GAMMA1_17 - r->coeffs[4*i+2];
+ r->coeffs[4*i+3] = GAMMA1_17 - r->coeffs[4*i+3];
}
-#elif GAMMA1 == (1 << 19)
+
+ DBENCH_STOP(*tpack);
+}
+#endif
+#if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 3 || DILITHIUM_MODE == 5
+void polyz_unpack_19(poly *r, const uint8_t *a) {
+ unsigned int i;
+ DBENCH_START();
+
for(i = 0; i < N/2; ++i) {
r->coeffs[2*i+0] = a[5*i+0];
r->coeffs[2*i+0] |= (uint32_t)a[5*i+1] << 8;
@@ -1061,13 +1224,13 @@ void polyz_unpack(poly *r, const uint8_t *a) {
r->coeffs[2*i+1] |= (uint32_t)a[5*i+4] << 12;
/* r->coeffs[2*i+1] &= 0xFFFFF; */ /* No effect, since we're anyway at 20 bits */
- r->coeffs[2*i+0] = GAMMA1 - r->coeffs[2*i+0];
- r->coeffs[2*i+1] = GAMMA1 - r->coeffs[2*i+1];
+ r->coeffs[2*i+0] = GAMMA1_19 - r->coeffs[2*i+0];
+ r->coeffs[2*i+1] = GAMMA1_19 - r->coeffs[2*i+1];
}
-#endif
DBENCH_STOP(*tpack);
}
+#endif
/*************************************************
* Name: polyw1_pack
@@ -1079,11 +1242,11 @@ void polyz_unpack(poly *r, const uint8_t *a) {
* POLYW1_PACKEDBYTES bytes
* - const poly *a: pointer to input polynomial
**************************************************/
-void polyw1_pack(uint8_t *r, const poly *a) {
+#if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 2
+void polyw1_pack_88(uint8_t *r, const poly *a) {
unsigned int i;
DBENCH_START();
-#if GAMMA2 == (Q-1)/88
for(i = 0; i < N/4; ++i) {
r[3*i+0] = a->coeffs[4*i+0];
r[3*i+0] |= a->coeffs[4*i+1] << 6;
@@ -1092,13 +1255,21 @@ void polyw1_pack(uint8_t *r, const poly *a) {
r[3*i+2] = a->coeffs[4*i+2] >> 4;
r[3*i+2] |= a->coeffs[4*i+3] << 2;
}
-#elif GAMMA2 == (Q-1)/32
+
+ DBENCH_STOP(*tpack);
+}
+#endif
+#if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 3 || DILITHIUM_MODE == 5
+void polyw1_pack_32(uint8_t *r, const poly *a) {
+ unsigned int i;
+ DBENCH_START();
+
for(i = 0; i < N/2; ++i)
r[i] = a->coeffs[2*i+0] | (a->coeffs[2*i+1] << 4);
-#endif
DBENCH_STOP(*tpack);
}
+#endif
/*************** dilithium/ref/reduce.c */
/*************************************************
_______________________________________________
Gcrypt-devel mailing list
Gcrypt-devel@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gcrypt-devel
