caac02a77b
2/2 Added vendor/ dir to lock down dependent pkg versions. The author of git.schwanenlied.me/yawning/{chacha20,newhope,kyber}.git has copied their repos to gitlab.com/yawning/ but some imports of chacha20 from newhope still inconsistently refer to git.schwanenlied.me/, breaking build. Licenses for chacha20 also changed from CC0 to AGPL, which may or may not be an issue. Until the two aforementioned issues are resolved, locking to last-good versions is probably the best way forward for now. To build with vendored deps, use make VENDOR=1 clean all
// ntt.go - Number-Theoretic Transform.
//
// To the extent possible under law, Yawning Angel has waived all copyright
// and related or neighboring rights to the software, using the Creative
// Commons "CC0" public domain dedication. See LICENSE or
// <http://creativecommons.org/publicdomain/zero/1.0/> for full details.
package kyber
// nttRef computes the negacyclic number-theoretic transform (NTT) of a
// polynomial (vector of 256 coefficients) in place. The input is assumed to be
// in normal order; the output is produced in bit-reversed order.
//
// Reduction is deliberately lazy: on odd levels the lower butterfly output is
// left unreduced and only the following even level applies barrettReduce.
func nttRef(p *[kyberN]uint16) {
	twiddleIdx := 1
	for level := 7; level >= 0; level-- {
		half := 1 << uint(level)
		// Each butterfly group covers 2*half coefficients and consumes one
		// twiddle factor from zetas.
		for start := 0; start < kyberN; start += 2 * half {
			zeta := uint32(zetas[twiddleIdx])
			twiddleIdx++
			for j := start; j < start+half; j++ {
				t := montgomeryReduce(zeta * uint32(p[j+half]))
				// Adding 4*kyberQ keeps the subtraction non-negative before
				// the reduction.
				p[j+half] = barrettReduce(p[j] + 4*kyberQ - t)
				if level&1 == 0 {
					p[j] = barrettReduce(p[j] + t)
				} else {
					p[j] += t // lazy: no reduction on odd levels
				}
			}
		}
	}
}
// invnttRef computes the inverse of the negacyclic number-theoretic transform
// (NTT) of a polynomial (vector of 256 coefficients) in place. The input is
// assumed to be in bit-reversed order; the output is produced in normal order.
//
// Reduction is deliberately lazy: the sum butterfly output is reduced with
// barrettReduce only on odd levels and left unreduced on even levels.
func invnttRef(a *[kyberN]uint16) {
	for level := 0; level < 8; level++ {
		half := 1 << uint(level)
		for start := 0; start < half; start++ {
			// Walk the butterflies at stride 2*half, taking one twiddle factor
			// from omegasInvBitrevMontgomery per butterfly.
			for j, tw := start, 0; j < kyberN-1; j, tw = j+2*half, tw+1 {
				w := uint32(omegasInvBitrevMontgomery[tw])
				lo, hi := a[j], a[j+half]

				sum := lo + hi
				if level&1 == 1 {
					sum = barrettReduce(sum)
				}
				a[j] = sum

				// Adding 4*kyberQ keeps the difference non-negative before the
				// Montgomery multiplication by the twiddle factor.
				a[j+half] = montgomeryReduce(w * (uint32(lo) + 4*kyberQ - uint32(hi)))
			}
		}
	}

	// Final pointwise multiplication by the per-coefficient constants in
	// psisInvMontgomery.
	for i := range psisInvMontgomery {
		a[i] = montgomeryReduce(uint32(a[i]) * uint32(psisInvMontgomery[i]))
	}
}