Merge pull request #332 from mupq/nistdraftkyberdilithium

NIST Draft version of Kyber and Dilithium; remove divisions by KYBER_Q
mupq · Feb 27, 2024 · 403c694 · 403c694
2 parents 62244ef + c4fd63c
commit 403c694
Show file tree

Hide file tree

Showing 203 changed files with 771 additions and 1,449 deletions.
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/aes256ctr.c b/crypto_kem/kyber1024-90s/m4fspeed/aes256ctr.c
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/aes256ctr.h b/crypto_kem/kyber1024-90s/m4fspeed/aes256ctr.h
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/api.h b/crypto_kem/kyber1024-90s/m4fspeed/api.h
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/cbd.c b/crypto_kem/kyber1024-90s/m4fspeed/cbd.c
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/cbd.h b/crypto_kem/kyber1024-90s/m4fspeed/cbd.h
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/fastaddsub.S b/crypto_kem/kyber1024-90s/m4fspeed/fastaddsub.S
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/fastbasemul.S b/crypto_kem/kyber1024-90s/m4fspeed/fastbasemul.S
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/fastinvntt.S b/crypto_kem/kyber1024-90s/m4fspeed/fastinvntt.S
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/fastntt.S b/crypto_kem/kyber1024-90s/m4fspeed/fastntt.S
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/indcpa.c b/crypto_kem/kyber1024-90s/m4fspeed/indcpa.c
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/indcpa.h b/crypto_kem/kyber1024-90s/m4fspeed/indcpa.h
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/kem.c b/crypto_kem/kyber1024-90s/m4fspeed/kem.c
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/macros.i b/crypto_kem/kyber1024-90s/m4fspeed/macros.i
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/matacc.c b/crypto_kem/kyber1024-90s/m4fspeed/matacc.c
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/matacc.h b/crypto_kem/kyber1024-90s/m4fspeed/matacc.h
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/matacc.i b/crypto_kem/kyber1024-90s/m4fspeed/matacc.i
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/matacc_asm.S b/crypto_kem/kyber1024-90s/m4fspeed/matacc_asm.S
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/ntt.c b/crypto_kem/kyber1024-90s/m4fspeed/ntt.c
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/ntt.h b/crypto_kem/kyber1024-90s/m4fspeed/ntt.h
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/params.h b/crypto_kem/kyber1024-90s/m4fspeed/params.h
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/poly.c b/crypto_kem/kyber1024-90s/m4fspeed/poly.c
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/poly.h b/crypto_kem/kyber1024-90s/m4fspeed/poly.h
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/poly_asm.S b/crypto_kem/kyber1024-90s/m4fspeed/poly_asm.S
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/polyvec.c b/crypto_kem/kyber1024-90s/m4fspeed/polyvec.c
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/polyvec.h b/crypto_kem/kyber1024-90s/m4fspeed/polyvec.h
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/reduce.S b/crypto_kem/kyber1024-90s/m4fspeed/reduce.S
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/symmetric.h b/crypto_kem/kyber1024-90s/m4fspeed/symmetric.h
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/verify.c b/crypto_kem/kyber1024-90s/m4fspeed/verify.c
diff --git a/crypto_kem/kyber1024-90s/m4fspeed/verify.h b/crypto_kem/kyber1024-90s/m4fspeed/verify.h
diff --git a/crypto_kem/kyber1024-90s/m4fstack/aes256ctr.c b/crypto_kem/kyber1024-90s/m4fstack/aes256ctr.c
diff --git a/crypto_kem/kyber1024-90s/m4fstack/aes256ctr.h b/crypto_kem/kyber1024-90s/m4fstack/aes256ctr.h
diff --git a/crypto_kem/kyber1024-90s/m4fstack/api.h b/crypto_kem/kyber1024-90s/m4fstack/api.h
diff --git a/crypto_kem/kyber1024-90s/m4fstack/cbd.c b/crypto_kem/kyber1024-90s/m4fstack/cbd.c
diff --git a/crypto_kem/kyber1024-90s/m4fstack/cbd.h b/crypto_kem/kyber1024-90s/m4fstack/cbd.h
diff --git a/crypto_kem/kyber1024-90s/m4fstack/fastaddsub.S b/crypto_kem/kyber1024-90s/m4fstack/fastaddsub.S
diff --git a/crypto_kem/kyber1024-90s/m4fstack/fastbasemul.S b/crypto_kem/kyber1024-90s/m4fstack/fastbasemul.S
diff --git a/crypto_kem/kyber1024-90s/m4fstack/fastinvntt.S b/crypto_kem/kyber1024-90s/m4fstack/fastinvntt.S
diff --git a/crypto_kem/kyber1024-90s/m4fstack/fastntt.S b/crypto_kem/kyber1024-90s/m4fstack/fastntt.S
diff --git a/crypto_kem/kyber1024-90s/m4fstack/indcpa.c b/crypto_kem/kyber1024-90s/m4fstack/indcpa.c
diff --git a/crypto_kem/kyber1024-90s/m4fstack/indcpa.h b/crypto_kem/kyber1024-90s/m4fstack/indcpa.h
diff --git a/crypto_kem/kyber1024-90s/m4fstack/kem.c b/crypto_kem/kyber1024-90s/m4fstack/kem.c
diff --git a/crypto_kem/kyber1024-90s/m4fstack/macros.i b/crypto_kem/kyber1024-90s/m4fstack/macros.i
diff --git a/crypto_kem/kyber1024-90s/m4fstack/matacc.c b/crypto_kem/kyber1024-90s/m4fstack/matacc.c
diff --git a/crypto_kem/kyber1024-90s/m4fstack/matacc.h b/crypto_kem/kyber1024-90s/m4fstack/matacc.h
diff --git a/crypto_kem/kyber1024-90s/m4fstack/matacc.i b/crypto_kem/kyber1024-90s/m4fstack/matacc.i
diff --git a/crypto_kem/kyber1024-90s/m4fstack/matacc_asm.S b/crypto_kem/kyber1024-90s/m4fstack/matacc_asm.S
diff --git a/crypto_kem/kyber1024-90s/m4fstack/ntt.c b/crypto_kem/kyber1024-90s/m4fstack/ntt.c
diff --git a/crypto_kem/kyber1024-90s/m4fstack/ntt.h b/crypto_kem/kyber1024-90s/m4fstack/ntt.h
diff --git a/crypto_kem/kyber1024-90s/m4fstack/params.h b/crypto_kem/kyber1024-90s/m4fstack/params.h
diff --git a/crypto_kem/kyber1024-90s/m4fstack/poly.c b/crypto_kem/kyber1024-90s/m4fstack/poly.c
diff --git a/crypto_kem/kyber1024-90s/m4fstack/poly.h b/crypto_kem/kyber1024-90s/m4fstack/poly.h
diff --git a/crypto_kem/kyber1024-90s/m4fstack/poly_asm.S b/crypto_kem/kyber1024-90s/m4fstack/poly_asm.S
diff --git a/crypto_kem/kyber1024-90s/m4fstack/polyvec.c b/crypto_kem/kyber1024-90s/m4fstack/polyvec.c
diff --git a/crypto_kem/kyber1024-90s/m4fstack/polyvec.h b/crypto_kem/kyber1024-90s/m4fstack/polyvec.h
diff --git a/crypto_kem/kyber1024-90s/m4fstack/reduce.S b/crypto_kem/kyber1024-90s/m4fstack/reduce.S
diff --git a/crypto_kem/kyber1024-90s/m4fstack/symmetric.h b/crypto_kem/kyber1024-90s/m4fstack/symmetric.h
diff --git a/crypto_kem/kyber1024-90s/m4fstack/verify.c b/crypto_kem/kyber1024-90s/m4fstack/verify.c
diff --git a/crypto_kem/kyber1024-90s/m4fstack/verify.h b/crypto_kem/kyber1024-90s/m4fstack/verify.h
diff --git a/crypto_kem/kyber512-90s/m4fspeed/aes256ctr.c b/crypto_kem/kyber512-90s/m4fspeed/aes256ctr.c
diff --git a/crypto_kem/kyber512-90s/m4fspeed/aes256ctr.h b/crypto_kem/kyber512-90s/m4fspeed/aes256ctr.h
diff --git a/crypto_kem/kyber512-90s/m4fspeed/api.h b/crypto_kem/kyber512-90s/m4fspeed/api.h
diff --git a/crypto_kem/kyber512-90s/m4fspeed/cbd.c b/crypto_kem/kyber512-90s/m4fspeed/cbd.c
diff --git a/crypto_kem/kyber512-90s/m4fspeed/cbd.h b/crypto_kem/kyber512-90s/m4fspeed/cbd.h
diff --git a/crypto_kem/kyber512-90s/m4fspeed/fastaddsub.S b/crypto_kem/kyber512-90s/m4fspeed/fastaddsub.S
diff --git a/crypto_kem/kyber512-90s/m4fspeed/fastbasemul.S b/crypto_kem/kyber512-90s/m4fspeed/fastbasemul.S
diff --git a/crypto_kem/kyber512-90s/m4fspeed/fastinvntt.S b/crypto_kem/kyber512-90s/m4fspeed/fastinvntt.S
diff --git a/crypto_kem/kyber512-90s/m4fspeed/fastntt.S b/crypto_kem/kyber512-90s/m4fspeed/fastntt.S
diff --git a/crypto_kem/kyber512-90s/m4fspeed/indcpa.c b/crypto_kem/kyber512-90s/m4fspeed/indcpa.c
diff --git a/crypto_kem/kyber512-90s/m4fspeed/indcpa.h b/crypto_kem/kyber512-90s/m4fspeed/indcpa.h
diff --git a/crypto_kem/kyber512-90s/m4fspeed/kem.c b/crypto_kem/kyber512-90s/m4fspeed/kem.c
diff --git a/crypto_kem/kyber512-90s/m4fspeed/macros.i b/crypto_kem/kyber512-90s/m4fspeed/macros.i
diff --git a/crypto_kem/kyber512-90s/m4fspeed/matacc.c b/crypto_kem/kyber512-90s/m4fspeed/matacc.c
diff --git a/crypto_kem/kyber512-90s/m4fspeed/matacc.h b/crypto_kem/kyber512-90s/m4fspeed/matacc.h
diff --git a/crypto_kem/kyber512-90s/m4fspeed/matacc.i b/crypto_kem/kyber512-90s/m4fspeed/matacc.i
diff --git a/crypto_kem/kyber512-90s/m4fspeed/matacc_asm.S b/crypto_kem/kyber512-90s/m4fspeed/matacc_asm.S
diff --git a/crypto_kem/kyber512-90s/m4fspeed/ntt.c b/crypto_kem/kyber512-90s/m4fspeed/ntt.c
diff --git a/crypto_kem/kyber512-90s/m4fspeed/ntt.h b/crypto_kem/kyber512-90s/m4fspeed/ntt.h
diff --git a/crypto_kem/kyber512-90s/m4fspeed/params.h b/crypto_kem/kyber512-90s/m4fspeed/params.h
diff --git a/crypto_kem/kyber512-90s/m4fspeed/poly.c b/crypto_kem/kyber512-90s/m4fspeed/poly.c
diff --git a/crypto_kem/kyber512-90s/m4fspeed/poly.h b/crypto_kem/kyber512-90s/m4fspeed/poly.h
diff --git a/crypto_kem/kyber512-90s/m4fspeed/poly_asm.S b/crypto_kem/kyber512-90s/m4fspeed/poly_asm.S
diff --git a/crypto_kem/kyber512-90s/m4fspeed/polyvec.c b/crypto_kem/kyber512-90s/m4fspeed/polyvec.c
diff --git a/crypto_kem/kyber512-90s/m4fspeed/polyvec.h b/crypto_kem/kyber512-90s/m4fspeed/polyvec.h
diff --git a/crypto_kem/kyber512-90s/m4fspeed/reduce.S b/crypto_kem/kyber512-90s/m4fspeed/reduce.S
diff --git a/crypto_kem/kyber512-90s/m4fspeed/symmetric.h b/crypto_kem/kyber512-90s/m4fspeed/symmetric.h
diff --git a/crypto_kem/kyber512-90s/m4fspeed/verify.c b/crypto_kem/kyber512-90s/m4fspeed/verify.c
diff --git a/crypto_kem/kyber512-90s/m4fspeed/verify.h b/crypto_kem/kyber512-90s/m4fspeed/verify.h
diff --git a/crypto_kem/kyber512-90s/m4fstack/aes256ctr.c b/crypto_kem/kyber512-90s/m4fstack/aes256ctr.c
diff --git a/crypto_kem/kyber512-90s/m4fstack/aes256ctr.h b/crypto_kem/kyber512-90s/m4fstack/aes256ctr.h
diff --git a/crypto_kem/kyber512-90s/m4fstack/api.h b/crypto_kem/kyber512-90s/m4fstack/api.h
diff --git a/crypto_kem/kyber512-90s/m4fstack/cbd.c b/crypto_kem/kyber512-90s/m4fstack/cbd.c
diff --git a/crypto_kem/kyber512-90s/m4fstack/cbd.h b/crypto_kem/kyber512-90s/m4fstack/cbd.h
diff --git a/crypto_kem/kyber512-90s/m4fstack/fastaddsub.S b/crypto_kem/kyber512-90s/m4fstack/fastaddsub.S
diff --git a/crypto_kem/kyber512-90s/m4fstack/fastbasemul.S b/crypto_kem/kyber512-90s/m4fstack/fastbasemul.S
diff --git a/crypto_kem/kyber512-90s/m4fstack/fastinvntt.S b/crypto_kem/kyber512-90s/m4fstack/fastinvntt.S
diff --git a/crypto_kem/kyber512-90s/m4fstack/fastntt.S b/crypto_kem/kyber512-90s/m4fstack/fastntt.S
diff --git a/crypto_kem/kyber512-90s/m4fstack/indcpa.c b/crypto_kem/kyber512-90s/m4fstack/indcpa.c
diff --git a/crypto_kem/kyber512-90s/m4fstack/indcpa.h b/crypto_kem/kyber512-90s/m4fstack/indcpa.h
diff --git a/crypto_kem/kyber512-90s/m4fstack/kem.c b/crypto_kem/kyber512-90s/m4fstack/kem.c
diff --git a/crypto_kem/kyber512-90s/m4fstack/macros.i b/crypto_kem/kyber512-90s/m4fstack/macros.i
diff --git a/crypto_kem/kyber512-90s/m4fstack/matacc.c b/crypto_kem/kyber512-90s/m4fstack/matacc.c
diff --git a/crypto_kem/kyber512-90s/m4fstack/matacc.h b/crypto_kem/kyber512-90s/m4fstack/matacc.h
diff --git a/crypto_kem/kyber512-90s/m4fstack/matacc.i b/crypto_kem/kyber512-90s/m4fstack/matacc.i
diff --git a/crypto_kem/kyber512-90s/m4fstack/matacc_asm.S b/crypto_kem/kyber512-90s/m4fstack/matacc_asm.S
diff --git a/crypto_kem/kyber512-90s/m4fstack/ntt.c b/crypto_kem/kyber512-90s/m4fstack/ntt.c
diff --git a/crypto_kem/kyber512-90s/m4fstack/ntt.h b/crypto_kem/kyber512-90s/m4fstack/ntt.h
diff --git a/crypto_kem/kyber512-90s/m4fstack/params.h b/crypto_kem/kyber512-90s/m4fstack/params.h
diff --git a/crypto_kem/kyber512-90s/m4fstack/poly.c b/crypto_kem/kyber512-90s/m4fstack/poly.c
diff --git a/crypto_kem/kyber512-90s/m4fstack/poly.h b/crypto_kem/kyber512-90s/m4fstack/poly.h
diff --git a/crypto_kem/kyber512-90s/m4fstack/poly_asm.S b/crypto_kem/kyber512-90s/m4fstack/poly_asm.S
diff --git a/crypto_kem/kyber512-90s/m4fstack/polyvec.c b/crypto_kem/kyber512-90s/m4fstack/polyvec.c
diff --git a/crypto_kem/kyber512-90s/m4fstack/polyvec.h b/crypto_kem/kyber512-90s/m4fstack/polyvec.h
diff --git a/crypto_kem/kyber512-90s/m4fstack/reduce.S b/crypto_kem/kyber512-90s/m4fstack/reduce.S
diff --git a/crypto_kem/kyber512-90s/m4fstack/symmetric.h b/crypto_kem/kyber512-90s/m4fstack/symmetric.h
diff --git a/crypto_kem/kyber512-90s/m4fstack/verify.c b/crypto_kem/kyber512-90s/m4fstack/verify.c
diff --git a/crypto_kem/kyber512-90s/m4fstack/verify.h b/crypto_kem/kyber512-90s/m4fstack/verify.h
diff --git a/crypto_kem/kyber512/m4fspeed/indcpa.c b/crypto_kem/kyber512/m4fspeed/indcpa.c
@@ -9,16 +9,23 @@
 #include <string.h>
 #include <stdint.h>
 
+
 /*************************************************
-* Name:        indcpa_keypair
+* Name:        indcpa_keypair_derand
 *
 * Description: Generates public and private key for the CPA-secure
 *              public-key encryption scheme underlying Kyber
 *
-* Arguments:   - unsigned char *pk: pointer to output public key (of length KYBER_INDCPA_PUBLICKEYBYTES bytes)
-*              - unsigned char *sk: pointer to output private key (of length KYBER_INDCPA_SECRETKEYBYTES bytes)
+* Arguments:   - uint8_t *pk: pointer to output public key
+*                             (of length KYBER_INDCPA_PUBLICKEYBYTES bytes)
+*              - uint8_t *sk: pointer to output private key
+*                             (of length KYBER_INDCPA_SECRETKEYBYTES bytes)
+*              - const uint8_t *coins: pointer to input randomness
+*                             (of length KYBER_SYMBYTES bytes)
 **************************************************/
-void indcpa_keypair(unsigned char *pk, unsigned char *sk) {
+void indcpa_keypair_derand(unsigned char *pk,
+                    unsigned char *sk, 
+                    const unsigned char *coins){
     polyvec skpv, skpv_prime;
     poly pkp;
     unsigned char buf[2 * KYBER_SYMBYTES];
@@ -27,8 +34,7 @@ void indcpa_keypair(unsigned char *pk, unsigned char *sk) {
     int i;
     unsigned char nonce = 0;
 
-    randombytes(buf, KYBER_SYMBYTES);
-    hash_g(buf, buf, KYBER_SYMBYTES);
+    hash_g(buf, coins, KYBER_SYMBYTES);
 
     for (i = 0; i < KYBER_K; i++)
         poly_getnoise_eta1(skpv.vec + i, noiseseed, nonce++);