xs/vendor/git.schwanenlied.me/yawning/newhope.git/poly.go
Russ Magee caac02a77b 1/2 Updated Makefile to allow VENDOR flag (adds -vendor to version string)
2/2 Added vendor/ dir to lock down dependent pkg versions.
The author of git.schwanenlied.me/yawning/{chacha20,newhope,kyber}.git has copied
their repos to gitlab.com/yawning/ but some imports of chacha20 from newhope still
inconsistently refer to git.schwanenlied.me/, breaking build.
Licenses for chacha20 also changed from CC0 to AGPL, which may or may not be an
issue. Until the two aforementioned issues are resolved, locking to last-good
versions is probably the best way forward for now.

To build with vendored deps, use make VENDOR=1 clean all
2020-01-29 13:55:38 -08:00

212 lines
4.7 KiB
Go

// poly.go - NewHope polynomial.
//
// To the extent possible under law, Yawning Angel has waived all copyright
// and related or neighboring rights to newhope, using the Creative
// Commons "CC0" public domain dedication. See LICENSE or
// <http://creativecommons.org/publicdomain/zero/1.0/> for full details.
package newhope
import (
"encoding/binary"
"git.schwanenlied.me/yawning/chacha20.git"
"golang.org/x/crypto/sha3"
)
const (
// PolyBytes is the length of an encoded polynomial in bytes.
PolyBytes = 1792
shake128Rate = 168 // Stupid that this isn't exposed.
)
type poly struct {
coeffs [paramN]uint16
}
func (p *poly) reset() {
for i := range p.coeffs {
p.coeffs[i] = 0
}
}
func (p *poly) fromBytes(a []byte) {
for i := 0; i < paramN/4; i++ {
p.coeffs[4*i+0] = uint16(a[7*i+0]) | ((uint16(a[7*i+1]) & 0x3f) << 8)
p.coeffs[4*i+1] = (uint16(a[7*i+1]) >> 6) | (uint16(a[7*i+2]) << 2) | ((uint16(a[7*i+3]) & 0x0f) << 10)
p.coeffs[4*i+2] = (uint16(a[7*i+3]) >> 4) | (uint16(a[7*i+4]) << 4) | ((uint16(a[7*i+5]) & 0x03) << 12)
p.coeffs[4*i+3] = (uint16(a[7*i+5]) >> 2) | (uint16(a[7*i+6]) << 6)
}
}
func (p *poly) toBytes(r []byte) {
for i := 0; i < paramN/4; i++ {
// Make sure that coefficients have only 14 bits.
t0 := barrettReduce(p.coeffs[4*i+0])
t1 := barrettReduce(p.coeffs[4*i+1])
t2 := barrettReduce(p.coeffs[4*i+2])
t3 := barrettReduce(p.coeffs[4*i+3])
// Make sure that coefficients are in [0,q]
m := t0 - paramQ
c := int16(m)
c >>= 15
t0 = m ^ ((t0 ^ m) & uint16(c))
m = t1 - paramQ
c = int16(m)
c >>= 15
t1 = m ^ ((t1 ^ m) & uint16(c))
m = t2 - paramQ
c = int16(m)
c >>= 15
t2 = m ^ ((t2 ^ m) & uint16(c))
m = t3 - paramQ
c = int16(m)
c >>= 15
t3 = m ^ ((t3 ^ m) & uint16(c))
r[7*i+0] = byte(t0 & 0xff)
r[7*i+1] = byte(t0>>8) | byte(t1<<6)
r[7*i+2] = byte(t1 >> 2)
r[7*i+3] = byte(t1>>10) | byte(t2<<4)
r[7*i+4] = byte(t2 >> 4)
r[7*i+5] = byte(t2>>12) | byte(t3<<2)
r[7*i+6] = byte(t3 >> 6)
}
}
func (p *poly) discardTo(xbuf []byte) bool {
var x [shake128Rate * 16 / 2]uint16
for i := range x {
x[i] = binary.LittleEndian.Uint16(xbuf[i*2:])
}
for i := 0; i < 16; i++ {
batcher84(x[i:])
}
// Check whether we're safe:
r := int(0)
for i := 1000; i < 1024; i++ {
r |= 61444 - int(x[i])
}
if r>>31 != 0 {
return true
}
// If we are, copy coefficients to polynomial:
for i := range p.coeffs {
p.coeffs[i] = x[i]
}
return false
}
func (p *poly) uniform(seed *[SeedBytes]byte, torSampling bool) {
if !torSampling {
// Reference version, vartime.
nBlocks := 14
var buf [shake128Rate * 14]byte
// h and buf are left unscrubbed because the output is public.
h := sha3.NewShake128()
h.Write(seed[:])
h.Read(buf[:])
for ctr, pos := 0, 0; ctr < paramN; {
val := binary.LittleEndian.Uint16(buf[pos:])
if val < 5*paramQ {
p.coeffs[ctr] = val
ctr++
}
pos += 2
if pos > shake128Rate*nBlocks-2 {
nBlocks = 1
h.Read(buf[:shake128Rate])
pos = 0
}
}
} else {
// `torref` version, every valid `a` is generate in constant time,
// though the number of attempts varies.
const nBlocks = 16
var buf [shake128Rate * nBlocks]byte
// h and buf are left unscrubbed because the output is public.
h := sha3.NewShake128()
h.Write(seed[:])
for {
h.Read(buf[:])
if !p.discardTo(buf[:]) {
break
}
}
}
}
func (p *poly) getNoise(seed *[SeedBytes]byte, nonce byte) {
// The `ref` code uses a uint32 vector instead of a byte vector,
// but converting between the two in Go is cumbersome.
var buf [4 * paramN]byte
var n [8]byte
n[0] = nonce
stream, err := chacha20.NewCipher(seed[:], n[:])
if err != nil {
panic(err)
}
stream.KeyStream(buf[:])
stream.Reset()
for i := 0; i < paramN; i++ {
t := binary.LittleEndian.Uint32(buf[4*i:])
d := uint32(0)
for j := uint(0); j < 8; j++ {
d += (t >> j) & 0x01010101
}
a := ((d >> 8) & 0xff) + (d & 0xff)
b := (d >> 24) + ((d >> 16) & 0xff)
p.coeffs[i] = uint16(a) + paramQ - uint16(b)
}
// Scrub the random bits...
memwipe(buf[:])
}
func (p *poly) pointwise(a, b *poly) {
for i := range p.coeffs {
t := montgomeryReduce(3186 * uint32(b.coeffs[i])) // t is now in Montgomery domain
p.coeffs[i] = montgomeryReduce(uint32(a.coeffs[i]) * uint32(t)) // p.coeffs[i] is back in normal domain
}
}
func (p *poly) add(a, b *poly) {
for i := range p.coeffs {
p.coeffs[i] = barrettReduce(a.coeffs[i] + b.coeffs[i])
}
}
func (p *poly) ntt() {
p.mulCoefficients(&psisBitrevMontgomery)
ntt(&p.coeffs, &omegasMontgomery)
}
func (p *poly) invNtt() {
p.bitrev()
ntt(&p.coeffs, &omegasInvMontgomery)
p.mulCoefficients(&psisInvMontgomery)
}
func init() {
if paramK != 16 {
panic("poly.getNoise() only supports k=16")
}
}