pq_crypto 0.1.0

data/ext/pqcrypto/vendor/pqclean/common/sha2.h

@@ -0,0 +1,173 @@
+#ifndef SHA2_H
+#define SHA2_H
+
+#include <stddef.h>
+#include <stdint.h>
+
+/* The incremental API allows hashing of individual input blocks; these blocks
+    must be exactly 64 bytes each.
+    Use the 'finalize' functions for any remaining bytes (possibly over 64). */
+
+#define PQC_SHA256CTX_BYTES 40
+/* Structure for the incremental API */
+typedef struct {
+    uint8_t *ctx;
+} sha224ctx;
+
+/* Structure for the incremental API */
+typedef struct {
+    uint8_t *ctx;
+} sha256ctx;
+
+#define PQC_SHA512CTX_BYTES 72
+/* Structure for the incremental API */
+typedef struct {
+    uint8_t *ctx;
+} sha384ctx;
+
+/* Structure for the incremental API */
+typedef struct {
+    uint8_t *ctx;
+} sha512ctx;
+
+/* ====== SHA224 API ==== */
+
+/**
+ * Initialize the incremental hashing API.
+ *
+ * Can't be called multiple times.
+ */
+void sha224_inc_init(sha224ctx *state);
+
+/**
+ * Copy the hashing state
+ */
+void sha224_inc_ctx_clone(sha224ctx *stateout, const sha224ctx *statein);
+
+/**
+ * Absorb blocks
+ */
+void sha224_inc_blocks(sha224ctx *state, const uint8_t *in, size_t inblocks);
+
+/**
+ * Finalize and obtain the digest
+ *
+ * If applicable, this function will free the memory associated with the sha224ctx.
+ *
+ * If not calling this function, call `sha224_inc_ctx_release`
+ */
+void sha224_inc_finalize(uint8_t *out, sha224ctx *state, const uint8_t *in, size_t inlen);
+
+/**
+ * Destroy the state. Make sure to use this, as this API may not always be stack-based.
+ */
+void sha224_inc_ctx_release(sha224ctx *state);
+
+/**
+ * All-in-one sha224 function
+ */
+void sha224(uint8_t *out, const uint8_t *in, size_t inlen);
+
+/* ====== SHA256 API ==== */
+
+/**
+ * Initialize the incremental hashing API
+ */
+void sha256_inc_init(sha256ctx *state);
+
+/**
+ * Copy the hashing state
+ */
+void sha256_inc_ctx_clone(sha256ctx *stateout, const sha256ctx *statein);
+
+/**
+ * Absorb blocks
+ */
+void sha256_inc_blocks(sha256ctx *state, const uint8_t *in, size_t inblocks);
+
+/**
+ * Finalize and obtain the digest
+ *
+ * If applicable, this function will free the memory associated with the sha256ctx.
+ */
+void sha256_inc_finalize(uint8_t *out, sha256ctx *state, const uint8_t *in, size_t inlen);
+
+/**
+ * Destroy the state. Make sure to use this, as this API may not always be stack-based.
+ */
+void sha256_inc_ctx_release(sha256ctx *state);
+
+/**
+ * All-in-one sha256 function
+ */
+void sha256(uint8_t *out, const uint8_t *in, size_t inlen);
+
+/* ====== SHA384 API ==== */
+
+/**
+ * Initialize the incremental hashing API
+ */
+void sha384_inc_init(sha384ctx *state);
+
+/**
+ * Copy the hashing state
+ */
+void sha384_inc_ctx_clone(sha384ctx *stateout, const sha384ctx *statein);
+
+/**
+ * Absorb blocks
+ */
+void sha384_inc_blocks(sha384ctx *state, const uint8_t *in, size_t inblocks);
+
+/**
+ * Finalize and obtain the digest.
+ *
+ * If applicable, this function will free the memory associated with the sha384ctx.
+ */
+void sha384_inc_finalize(uint8_t *out, sha384ctx *state, const uint8_t *in, size_t inlen);
+
+/**
+ * Destroy the state. Make sure to use this if not calling finalize, as this API may not always be stack-based.
+ */
+void sha384_inc_ctx_release(sha384ctx *state);
+
+/**
+ * All-in-one sha384 function
+ */
+void sha384(uint8_t *out, const uint8_t *in, size_t inlen);
+
+/* ====== SHA512 API ==== */
+
+/**
+ * Initialize the incremental hashing API
+ */
+void sha512_inc_init(sha512ctx *state);
+
+/**
+ * Copy the hashing state
+ */
+void sha512_inc_ctx_clone(sha512ctx *stateout, const sha512ctx *statein);
+
+/**
+ * Absorb blocks
+ */
+void sha512_inc_blocks(sha512ctx *state, const uint8_t *in, size_t inblocks);
+
+/**
+ * Finalize and obtain the digest
+ *
+ * If applicable, this function will free the memory associated with the sha512ctx.
+ */
+void sha512_inc_finalize(uint8_t *out, sha512ctx *state, const uint8_t *in, size_t inlen);
+
+/**
+ * Destroy the state. Make sure to use this if not calling finalize, as this API may not always be stack-based.
+ */
+void sha512_inc_ctx_release(sha512ctx *state);
+
+/**
+ * All-in-one sha512 function
+ */
+void sha512(uint8_t *out, const uint8_t *in, size_t inlen);
+
+#endif

data/ext/pqcrypto/vendor/pqclean/common/sp800-185.c

@@ -0,0 +1,156 @@
+#include <stddef.h>
+#include <stdint.h>
+
+#include "sp800-185.h"
+
+static size_t left_encode(uint8_t *encbuf, size_t value) {
+    size_t n, i, v;
+
+    for (v = value, n = 0; v && (n < sizeof(size_t)); n++, v >>= 8) {
+        ; /* empty */
+    }
+    if (n == 0) {
+        n = 1;
+    }
+    for (i = 1; i <= n; i++) {
+        encbuf[i] = (uint8_t)(value >> (8 * (n - i)));
+    }
+    encbuf[0] = (uint8_t)n;
+    return n + 1;
+}
+
+void cshake128_inc_init(shake128incctx *state, const uint8_t *name, size_t namelen, const uint8_t *cstm, size_t cstmlen) {
+    uint8_t encbuf[sizeof(size_t) +1];
+
+    shake128_inc_init(state);
+
+    shake128_inc_absorb(state, encbuf, left_encode(encbuf, SHAKE128_RATE));
+
+    shake128_inc_absorb(state, encbuf, left_encode(encbuf, namelen * 8));
+    shake128_inc_absorb(state, name, namelen);
+
+    shake128_inc_absorb(state, encbuf, left_encode(encbuf, cstmlen * 8));
+    shake128_inc_absorb(state, cstm, cstmlen);
+
+    if (state->ctx[25] != 0) {
+        state->ctx[25] = SHAKE128_RATE - 1;
+        encbuf[0] = 0;
+        shake128_inc_absorb(state, encbuf, 1);
+    }
+}
+
+void cshake128_inc_absorb(shake128incctx *state, const uint8_t *input, size_t inlen) {
+    shake128_inc_absorb(state, input, inlen);
+}
+
+void cshake128_inc_finalize(shake128incctx *state) {
+    state->ctx[state->ctx[25] >> 3] ^= (uint64_t)0x04 << (8 * (state->ctx[25] & 0x07));
+    state->ctx[(SHAKE128_RATE - 1) >> 3] ^= (uint64_t)128 << (8 * ((SHAKE128_RATE - 1) & 0x07));
+    state->ctx[25] = 0;
+}
+
+void cshake128_inc_squeeze(uint8_t *output, size_t outlen, shake128incctx *state) {
+    shake128_inc_squeeze(output, outlen, state);
+}
+
+void cshake128_inc_ctx_release(shake128incctx *state) {
+    shake128_inc_ctx_release(state);
+}
+
+void cshake128_inc_ctx_clone(shake128incctx *dest, const shake128incctx *src) {
+    shake128_inc_ctx_clone(dest, src);
+}
+
+void cshake256_inc_init(shake256incctx *state, const uint8_t *name, size_t namelen, const uint8_t *cstm, size_t cstmlen) {
+    uint8_t encbuf[sizeof(size_t) +1];
+
+    shake256_inc_init(state);
+
+    shake256_inc_absorb(state, encbuf, left_encode(encbuf, SHAKE256_RATE));
+
+    shake256_inc_absorb(state, encbuf, left_encode(encbuf, namelen * 8));
+    shake256_inc_absorb(state, name, namelen);
+
+    shake256_inc_absorb(state, encbuf, left_encode(encbuf, cstmlen * 8));
+    shake256_inc_absorb(state, cstm, cstmlen);
+
+    if (state->ctx[25] != 0) {
+        state->ctx[25] = SHAKE256_RATE - 1;
+        encbuf[0] = 0;
+        shake256_inc_absorb(state, encbuf, 1);
+    }
+}
+
+void cshake256_inc_absorb(shake256incctx *state, const uint8_t *input, size_t inlen) {
+    shake256_inc_absorb(state, input, inlen);
+}
+
+void cshake256_inc_finalize(shake256incctx *state) {
+    state->ctx[state->ctx[25] >> 3] ^= (uint64_t)0x04 << (8 * (state->ctx[25] & 0x07));
+    state->ctx[(SHAKE256_RATE - 1) >> 3] ^= (uint64_t)128 << (8 * ((SHAKE256_RATE - 1) & 0x07));
+    state->ctx[25] = 0;
+}
+
+void cshake256_inc_squeeze(uint8_t *output, size_t outlen, shake256incctx *state) {
+    shake256_inc_squeeze(output, outlen, state);
+}
+
+void cshake256_inc_ctx_release(shake256incctx *state) {
+    shake256_inc_ctx_release(state);
+}
+
+void cshake256_inc_ctx_clone(shake256incctx *dest, const shake256incctx *src) {
+    shake256_inc_ctx_clone(dest, src);
+}
+
+/*************************************************
+ * Name:        cshake128
+ *
+ * Description: cSHAKE128 XOF with non-incremental API
+ *
+ * Arguments:   - uint8_t *output: pointer to output
+ *              - size_t outlen: requested output length in bytes
+ *              - const uint8_t *name: pointer to function-name string
+ *              - size_t namelen: length of function-name string in bytes
+ *              - const uint8_t *cstm: pointer to non-empty customization string
+ *              - size_t cstmlen: length of customization string in bytes
+ *              - const uint8_t *input: pointer to input
+ *              - size_t inlen: length of input in bytes
+ **************************************************/
+void cshake128(uint8_t *output, size_t outlen,
+               const uint8_t *name, size_t namelen,
+               const uint8_t *cstm, size_t cstmlen,
+               const uint8_t *input, size_t inlen) {
+    shake128incctx state;
+    cshake128_inc_init(&state, name, namelen, cstm, cstmlen);
+    cshake128_inc_absorb(&state, input, inlen);
+    cshake128_inc_finalize(&state);
+    cshake128_inc_squeeze(output, outlen, &state);
+    cshake128_inc_ctx_release(&state);
+}
+
+/*************************************************
+ * Name:        cshake256
+ *
+ * Description: cSHAKE256 XOF with non-incremental API
+ *
+ * Arguments:   - uint8_t *output: pointer to output
+ *              - size_t outlen: requested output length in bytes
+ *              - const uint8_t *name: pointer to function-name string
+ *              - size_t namelen: length of function-name string in bytes
+ *              - const uint8_t *cstm: pointer to non-empty customization string
+ *              - size_t cstmlen: length of customization string in bytes
+ *              - const uint8_t *input: pointer to input
+ *              - size_t inlen: length of input in bytes
+ **************************************************/
+void cshake256(uint8_t *output, size_t outlen,
+               const uint8_t *name, size_t namelen,
+               const uint8_t *cstm, size_t cstmlen,
+               const uint8_t *input, size_t inlen) {
+    shake256incctx state;
+    cshake256_inc_init(&state, name, namelen, cstm, cstmlen);
+    cshake256_inc_absorb(&state, input, inlen);
+    cshake256_inc_finalize(&state);
+    cshake256_inc_squeeze(output, outlen, &state);
+    cshake256_inc_ctx_release(&state);
+}

data/ext/pqcrypto/vendor/pqclean/common/sp800-185.h

@@ -0,0 +1,27 @@
+#ifndef SP800_185_H
+#define SP800_185_H
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "fips202.h"
+
+void cshake128_inc_init(shake128incctx *state, const uint8_t *name, size_t namelen, const uint8_t *cstm, size_t cstmlen);
+void cshake128_inc_absorb(shake128incctx *state, const uint8_t *input, size_t inlen);
+void cshake128_inc_finalize(shake128incctx *state);
+void cshake128_inc_squeeze(uint8_t *output, size_t outlen, shake128incctx *state);
+void cshake128_inc_ctx_release(shake128incctx *state);
+void cshake128_inc_ctx_clone(shake128incctx *dest, const shake128incctx *src);
+
+void cshake128(uint8_t *output, size_t outlen, const uint8_t *name, size_t namelen, const uint8_t *cstm, size_t cstmlen, const uint8_t *input, size_t inlen);
+
+void cshake256_inc_init(shake256incctx *state, const uint8_t *name, size_t namelen, const uint8_t *cstm, size_t cstmlen);
+void cshake256_inc_absorb(shake256incctx *state, const uint8_t *input, size_t inlen);
+void cshake256_inc_finalize(shake256incctx *state);
+void cshake256_inc_squeeze(uint8_t *output, size_t outlen, shake256incctx *state);
+void cshake256_inc_ctx_release(shake256incctx *state);
+void cshake256_inc_ctx_clone(shake256incctx *dest, const shake256incctx *src);
+
+void cshake256(uint8_t *output, size_t outlen, const uint8_t *name, size_t namelen, const uint8_t *cstm, size_t cstmlen, const uint8_t *input, size_t inlen);
+
+#endif

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-768/clean/LICENSE

@@ -0,0 +1,5 @@
+Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/)
+
+For Keccak and AES we are using public-domain
+code from sources and by authors listed in
+comments on top of the respective files.

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-768/clean/Makefile

@@ -0,0 +1,19 @@
+# This Makefile can be used with GNU Make or BSD Make
+
+LIB=libml-kem-768_clean.a
+HEADERS=api.h cbd.h indcpa.h kem.h ntt.h params.h poly.h polyvec.h reduce.h symmetric.h verify.h 
+OBJECTS=cbd.o indcpa.o kem.o ntt.o poly.o polyvec.o reduce.o symmetric-shake.o verify.o 
+
+CFLAGS=-O3 -Wall -Wextra -Wpedantic -Werror -Wmissing-prototypes -Wredundant-decls -std=c99 -I../../../common $(EXTRAFLAGS)
+
+all: $(LIB)
+
+%.o: %.c $(HEADERS)
+	$(CC) $(CFLAGS) -c -o $@ $<
+
+$(LIB): $(OBJECTS)
+	$(AR) -r $@ $(OBJECTS)
+
+clean:
+	$(RM) $(OBJECTS)
+	$(RM) $(LIB)

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-768/clean/Makefile.Microsoft_nmake

@@ -0,0 +1,23 @@
+# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
+#    nmake /f Makefile.Microsoft_nmake
+
+LIBRARY=libml-kem-768_clean.lib
+OBJECTS=cbd.obj indcpa.obj kem.obj ntt.obj poly.obj polyvec.obj reduce.obj symmetric-shake.obj verify.obj 
+
+# Warning C4146 is raised when a unary minus operator is applied to an
+# unsigned type; this has nonetheless been standard and portable for as
+# long as there has been a C standard, and we need it for constant-time
+# computations. Thus, we disable that spurious warning.
+CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX /wd4146
+
+all: $(LIBRARY)
+
+# Make sure objects are recompiled if headers change.
+$(OBJECTS): *.h
+
+$(LIBRARY): $(OBJECTS)
+    LIB.EXE /NOLOGO /WX /OUT:$@ $**
+
+clean:
+    -DEL $(OBJECTS)
+    -DEL $(LIBRARY)

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-768/clean/api.h

@@ -0,0 +1,18 @@
+#ifndef PQCLEAN_MLKEM768_CLEAN_API_H
+#define PQCLEAN_MLKEM768_CLEAN_API_H
+
+#include <stdint.h>
+
+#define PQCLEAN_MLKEM768_CLEAN_CRYPTO_SECRETKEYBYTES  2400
+#define PQCLEAN_MLKEM768_CLEAN_CRYPTO_PUBLICKEYBYTES  1184
+#define PQCLEAN_MLKEM768_CLEAN_CRYPTO_CIPHERTEXTBYTES 1088
+#define PQCLEAN_MLKEM768_CLEAN_CRYPTO_BYTES           32
+#define PQCLEAN_MLKEM768_CLEAN_CRYPTO_ALGNAME "ML-KEM-768"
+
+int PQCLEAN_MLKEM768_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
+
+int PQCLEAN_MLKEM768_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
+
+int PQCLEAN_MLKEM768_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
+
+#endif

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-768/clean/cbd.c

@@ -0,0 +1,83 @@
+#include "cbd.h"
+#include "params.h"
+#include <stdint.h>
+
+/*************************************************
+* Name:        load32_littleendian
+*
+* Description: load 4 bytes into a 32-bit integer
+*              in little-endian order
+*
+* Arguments:   - const uint8_t *x: pointer to input byte array
+*
+* Returns 32-bit unsigned integer loaded from x
+**************************************************/
+static uint32_t load32_littleendian(const uint8_t x[4]) {
+    uint32_t r;
+    r  = (uint32_t)x[0];
+    r |= (uint32_t)x[1] << 8;
+    r |= (uint32_t)x[2] << 16;
+    r |= (uint32_t)x[3] << 24;
+    return r;
+}
+
+/*************************************************
+* Name:        load24_littleendian
+*
+* Description: load 3 bytes into a 32-bit integer
+*              in little-endian order.
+*              This function is only needed for Kyber-512
+*
+* Arguments:   - const uint8_t *x: pointer to input byte array
+*
+* Returns 32-bit unsigned integer loaded from x (most significant byte is zero)
+**************************************************/
+
+
+/*************************************************
+* Name:        cbd2
+*
+* Description: Given an array of uniformly random bytes, compute
+*              polynomial with coefficients distributed according to
+*              a centered binomial distribution with parameter eta=2
+*
+* Arguments:   - poly *r: pointer to output polynomial
+*              - const uint8_t *buf: pointer to input byte array
+**************************************************/
+static void cbd2(poly *r, const uint8_t buf[2 * KYBER_N / 4]) {
+    unsigned int i, j;
+    uint32_t t, d;
+    int16_t a, b;
+
+    for (i = 0; i < KYBER_N / 8; i++) {
+        t  = load32_littleendian(buf + 4 * i);
+        d  = t & 0x55555555;
+        d += (t >> 1) & 0x55555555;
+
+        for (j = 0; j < 8; j++) {
+            a = (d >> (4 * j + 0)) & 0x3;
+            b = (d >> (4 * j + 2)) & 0x3;
+            r->coeffs[8 * i + j] = a - b;
+        }
+    }
+}
+
+/*************************************************
+* Name:        cbd3
+*
+* Description: Given an array of uniformly random bytes, compute
+*              polynomial with coefficients distributed according to
+*              a centered binomial distribution with parameter eta=3.
+*              This function is only needed for Kyber-512
+*
+* Arguments:   - poly *r: pointer to output polynomial
+*              - const uint8_t *buf: pointer to input byte array
+**************************************************/
+
+void PQCLEAN_MLKEM768_CLEAN_poly_cbd_eta1(poly *r, const uint8_t buf[KYBER_ETA1 * KYBER_N / 4]) {
+    cbd2(r, buf);
+}
+
+void PQCLEAN_MLKEM768_CLEAN_poly_cbd_eta2(poly *r, const uint8_t buf[KYBER_ETA2 * KYBER_N / 4]) {
+    cbd2(r, buf);
+}

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-768/clean/cbd.h

@@ -0,0 +1,11 @@
+#ifndef PQCLEAN_MLKEM768_CLEAN_CBD_H
+#define PQCLEAN_MLKEM768_CLEAN_CBD_H
+#include "params.h"
+#include "poly.h"
+#include <stdint.h>
+
+void PQCLEAN_MLKEM768_CLEAN_poly_cbd_eta1(poly *r, const uint8_t buf[KYBER_ETA1 * KYBER_N / 4]);
+
+void PQCLEAN_MLKEM768_CLEAN_poly_cbd_eta2(poly *r, const uint8_t buf[KYBER_ETA2 * KYBER_N / 4]);
+
+#endif