pq_crypto 0.3.1 → 0.4.2

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-1024/clean/symmetric-shake.c

@@ -0,0 +1,71 @@
+#include "fips202.h"
+#include "params.h"
+#include "symmetric.h"
+#include <stddef.h>
+#include <stdint.h>
+#include <string.h>
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM1024_CLEAN_kyber_shake128_absorb
+*
+* Description: Absorb step of the SHAKE128 specialized for the Kyber context.
+*
+* Arguments:   - xof_state *state: pointer to (uninitialized) output Keccak state
+*              - const uint8_t *seed: pointer to KYBER_SYMBYTES input to be absorbed into state
+*              - uint8_t i: additional byte of input
+*              - uint8_t j: additional byte of input
+**************************************************/
+void PQCLEAN_MLKEM1024_CLEAN_kyber_shake128_absorb(xof_state *state,
+        const uint8_t seed[KYBER_SYMBYTES],
+        uint8_t x,
+        uint8_t y) {
+    uint8_t extseed[KYBER_SYMBYTES + 2];
+
+    memcpy(extseed, seed, KYBER_SYMBYTES);
+    extseed[KYBER_SYMBYTES + 0] = x;
+    extseed[KYBER_SYMBYTES + 1] = y;
+
+    shake128_absorb(state, extseed, sizeof(extseed));
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM1024_CLEAN_kyber_shake256_prf
+*
+* Description: Usage of SHAKE256 as a PRF, concatenates secret and public input
+*              and then generates outlen bytes of SHAKE256 output
+*
+* Arguments:   - uint8_t *out: pointer to output
+*              - size_t outlen: number of requested output bytes
+*              - const uint8_t *key: pointer to the key (of length KYBER_SYMBYTES)
+*              - uint8_t nonce: single-byte nonce (public PRF input)
+**************************************************/
+void PQCLEAN_MLKEM1024_CLEAN_kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYMBYTES], uint8_t nonce) {
+    uint8_t extkey[KYBER_SYMBYTES + 1];
+
+    memcpy(extkey, key, KYBER_SYMBYTES);
+    extkey[KYBER_SYMBYTES] = nonce;
+
+    shake256(out, outlen, extkey, sizeof(extkey));
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM1024_CLEAN_kyber_shake256_prf
+*
+* Description: Usage of SHAKE256 as a PRF, concatenates secret and public input
+*              and then generates outlen bytes of SHAKE256 output
+*
+* Arguments:   - uint8_t *out: pointer to output
+*              - size_t outlen: number of requested output bytes
+*              - const uint8_t *key: pointer to the key (of length KYBER_SYMBYTES)
+*              - uint8_t nonce: single-byte nonce (public PRF input)
+**************************************************/
+void PQCLEAN_MLKEM1024_CLEAN_kyber_shake256_rkprf(uint8_t out[KYBER_SSBYTES], const uint8_t key[KYBER_SYMBYTES], const uint8_t input[KYBER_CIPHERTEXTBYTES]) {
+    shake256incctx s;
+
+    shake256_inc_init(&s);
+    shake256_inc_absorb(&s, key, KYBER_SYMBYTES);
+    shake256_inc_absorb(&s, input, KYBER_CIPHERTEXTBYTES);
+    shake256_inc_finalize(&s);
+    shake256_inc_squeeze(out, KYBER_SSBYTES, &s);
+    shake256_inc_ctx_release(&s);
+}

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-1024/clean/symmetric.h

@@ -0,0 +1,30 @@
+#ifndef PQCLEAN_MLKEM1024_CLEAN_SYMMETRIC_H
+#define PQCLEAN_MLKEM1024_CLEAN_SYMMETRIC_H
+#include "fips202.h"
+#include "params.h"
+#include <stddef.h>
+#include <stdint.h>
+
+
+typedef shake128ctx xof_state;
+
+void PQCLEAN_MLKEM1024_CLEAN_kyber_shake128_absorb(xof_state *s,
+        const uint8_t seed[KYBER_SYMBYTES],
+        uint8_t x,
+        uint8_t y);
+
+void PQCLEAN_MLKEM1024_CLEAN_kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYMBYTES], uint8_t nonce);
+
+void PQCLEAN_MLKEM1024_CLEAN_kyber_shake256_rkprf(uint8_t out[KYBER_SSBYTES], const uint8_t key[KYBER_SYMBYTES], const uint8_t input[KYBER_CIPHERTEXTBYTES]);
+
+#define XOF_BLOCKBYTES SHAKE128_RATE
+
+#define hash_h(OUT, IN, INBYTES) sha3_256(OUT, IN, INBYTES)
+#define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES)
+#define xof_absorb(STATE, SEED, X, Y) PQCLEAN_MLKEM1024_CLEAN_kyber_shake128_absorb(STATE, SEED, X, Y)
+#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
+#define xof_ctx_release(STATE) shake128_ctx_release(STATE)
+#define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_MLKEM1024_CLEAN_kyber_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
+#define rkprf(OUT, KEY, INPUT) PQCLEAN_MLKEM1024_CLEAN_kyber_shake256_rkprf(OUT, KEY, INPUT)
+
+#endif /* SYMMETRIC_H */

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-1024/clean/verify.c

@@ -0,0 +1,67 @@
+#include "compat.h"
+#include "verify.h"
+#include <stddef.h>
+#include <stdint.h>
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM1024_CLEAN_verify
+*
+* Description: Compare two arrays for equality in constant time.
+*
+* Arguments:   const uint8_t *a: pointer to first byte array
+*              const uint8_t *b: pointer to second byte array
+*              size_t len:       length of the byte arrays
+*
+* Returns 0 if the byte arrays are equal, 1 otherwise
+**************************************************/
+int PQCLEAN_MLKEM1024_CLEAN_verify(const uint8_t *a, const uint8_t *b, size_t len) {
+    size_t i;
+    uint8_t r = 0;
+
+    for (i = 0; i < len; i++) {
+        r |= a[i] ^ b[i];
+    }
+
+    return (-(uint64_t)r) >> 63;
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM1024_CLEAN_cmov
+*
+* Description: Copy len bytes from x to r if b is 1;
+*              don't modify x if b is 0. Requires b to be in {0,1};
+*              assumes two's complement representation of negative integers.
+*              Runs in constant time.
+*
+* Arguments:   uint8_t *r:       pointer to output byte array
+*              const uint8_t *x: pointer to input byte array
+*              size_t len:       Amount of bytes to be copied
+*              uint8_t b:        Condition bit; has to be in {0,1}
+**************************************************/
+void PQCLEAN_MLKEM1024_CLEAN_cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b) {
+    size_t i;
+
+    PQCLEAN_PREVENT_BRANCH_HACK(b);
+
+    b = -b;
+    for (i = 0; i < len; i++) {
+        r[i] ^= b & (r[i] ^ x[i]);
+    }
+}
+
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM1024_CLEAN_cmov_int16
+*
+* Description: Copy input v to *r if b is 1, don't modify *r if b is 0.
+*              Requires b to be in {0,1};
+*              Runs in constant time.
+*
+* Arguments:   int16_t *r:       pointer to output int16_t
+*              int16_t v:        input int16_t
+*              uint8_t b:        Condition bit; has to be in {0,1}
+**************************************************/
+void PQCLEAN_MLKEM1024_CLEAN_cmov_int16(int16_t *r, int16_t v, uint16_t b) {
+    b = -b;
+    *r ^= b & ((*r) ^ v);
+}

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-1024/clean/verify.h

@@ -0,0 +1,13 @@
+#ifndef PQCLEAN_MLKEM1024_CLEAN_VERIFY_H
+#define PQCLEAN_MLKEM1024_CLEAN_VERIFY_H
+#include "params.h"
+#include <stddef.h>
+#include <stdint.h>
+
+int PQCLEAN_MLKEM1024_CLEAN_verify(const uint8_t *a, const uint8_t *b, size_t len);
+
+void PQCLEAN_MLKEM1024_CLEAN_cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b);
+
+void PQCLEAN_MLKEM1024_CLEAN_cmov_int16(int16_t *r, int16_t v, uint16_t b);
+
+#endif

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-512/clean/LICENSE

@@ -0,0 +1,5 @@
+Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/)
+
+For Keccak and AES we are using public-domain
+code from sources and by authors listed in
+comments on top of the respective files.

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-512/clean/Makefile

@@ -0,0 +1,19 @@
+# This Makefile can be used with GNU Make or BSD Make
+
+LIB=libml-kem-512_clean.a
+HEADERS=api.h cbd.h indcpa.h kem.h ntt.h params.h poly.h polyvec.h reduce.h symmetric.h verify.h 
+OBJECTS=cbd.o indcpa.o kem.o ntt.o poly.o polyvec.o reduce.o symmetric-shake.o verify.o 
+
+CFLAGS=-O3 -Wall -Wextra -Wpedantic -Werror -Wmissing-prototypes -Wredundant-decls -std=c99 -I../../../common $(EXTRAFLAGS)
+
+all: $(LIB)
+
+%.o: %.c $(HEADERS)
+	$(CC) $(CFLAGS) -c -o $@ $<
+
+$(LIB): $(OBJECTS)
+	$(AR) -r $@ $(OBJECTS)
+
+clean:
+	$(RM) $(OBJECTS)
+	$(RM) $(LIB)

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-512/clean/Makefile.Microsoft_nmake

@@ -0,0 +1,23 @@
+# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
+#    nmake /f Makefile.Microsoft_nmake
+
+LIBRARY=libml-kem-512_clean.lib
+OBJECTS=cbd.obj indcpa.obj kem.obj ntt.obj poly.obj polyvec.obj reduce.obj symmetric-shake.obj verify.obj 
+
+# Warning C4146 is raised when a unary minus operator is applied to an
+# unsigned type; this has nonetheless been standard and portable for as
+# long as there has been a C standard, and we need it for constant-time
+# computations. Thus, we disable that spurious warning.
+CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX /wd4146
+
+all: $(LIBRARY)
+
+# Make sure objects are recompiled if headers change.
+$(OBJECTS): *.h
+
+$(LIBRARY): $(OBJECTS)
+    LIB.EXE /NOLOGO /WX /OUT:$@ $**
+
+clean:
+    -DEL $(OBJECTS)
+    -DEL $(LIBRARY)

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-512/clean/api.h

@@ -0,0 +1,18 @@
+#ifndef PQCLEAN_MLKEM512_CLEAN_API_H
+#define PQCLEAN_MLKEM512_CLEAN_API_H
+
+#include <stdint.h>
+
+#define PQCLEAN_MLKEM512_CLEAN_CRYPTO_SECRETKEYBYTES  1632
+#define PQCLEAN_MLKEM512_CLEAN_CRYPTO_PUBLICKEYBYTES  800
+#define PQCLEAN_MLKEM512_CLEAN_CRYPTO_CIPHERTEXTBYTES 768
+#define PQCLEAN_MLKEM512_CLEAN_CRYPTO_BYTES           32
+#define PQCLEAN_MLKEM512_CLEAN_CRYPTO_ALGNAME "ML-KEM-512"
+
+int PQCLEAN_MLKEM512_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
+
+int PQCLEAN_MLKEM512_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
+
+int PQCLEAN_MLKEM512_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
+
+#endif

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-512/clean/cbd.c

@@ -0,0 +1,108 @@
+#include "cbd.h"
+#include "params.h"
+#include <stdint.h>
+
+/*************************************************
+* Name:        load32_littleendian
+*
+* Description: load 4 bytes into a 32-bit integer
+*              in little-endian order
+*
+* Arguments:   - const uint8_t *x: pointer to input byte array
+*
+* Returns 32-bit unsigned integer loaded from x
+**************************************************/
+static uint32_t load32_littleendian(const uint8_t x[4]) {
+    uint32_t r;
+    r  = (uint32_t)x[0];
+    r |= (uint32_t)x[1] << 8;
+    r |= (uint32_t)x[2] << 16;
+    r |= (uint32_t)x[3] << 24;
+    return r;
+}
+
+/*************************************************
+* Name:        load24_littleendian
+*
+* Description: load 3 bytes into a 32-bit integer
+*              in little-endian order.
+*              This function is only needed for Kyber-512
+*
+* Arguments:   - const uint8_t *x: pointer to input byte array
+*
+* Returns 32-bit unsigned integer loaded from x (most significant byte is zero)
+**************************************************/
+static uint32_t load24_littleendian(const uint8_t x[3]) {
+    uint32_t r;
+    r  = (uint32_t)x[0];
+    r |= (uint32_t)x[1] << 8;
+    r |= (uint32_t)x[2] << 16;
+    return r;
+}
+
+
+/*************************************************
+* Name:        cbd2
+*
+* Description: Given an array of uniformly random bytes, compute
+*              polynomial with coefficients distributed according to
+*              a centered binomial distribution with parameter eta=2
+*
+* Arguments:   - poly *r: pointer to output polynomial
+*              - const uint8_t *buf: pointer to input byte array
+**************************************************/
+static void cbd2(poly *r, const uint8_t buf[2 * KYBER_N / 4]) {
+    unsigned int i, j;
+    uint32_t t, d;
+    int16_t a, b;
+
+    for (i = 0; i < KYBER_N / 8; i++) {
+        t  = load32_littleendian(buf + 4 * i);
+        d  = t & 0x55555555;
+        d += (t >> 1) & 0x55555555;
+
+        for (j = 0; j < 8; j++) {
+            a = (d >> (4 * j + 0)) & 0x3;
+            b = (d >> (4 * j + 2)) & 0x3;
+            r->coeffs[8 * i + j] = a - b;
+        }
+    }
+}
+
+/*************************************************
+* Name:        cbd3
+*
+* Description: Given an array of uniformly random bytes, compute
+*              polynomial with coefficients distributed according to
+*              a centered binomial distribution with parameter eta=3.
+*              This function is only needed for Kyber-512
+*
+* Arguments:   - poly *r: pointer to output polynomial
+*              - const uint8_t *buf: pointer to input byte array
+**************************************************/
+static void cbd3(poly *r, const uint8_t buf[3 * KYBER_N / 4]) {
+    unsigned int i, j;
+    uint32_t t, d;
+    int16_t a, b;
+
+    for (i = 0; i < KYBER_N / 4; i++) {
+        t  = load24_littleendian(buf + 3 * i);
+        d  = t & 0x00249249;
+        d += (t >> 1) & 0x00249249;
+        d += (t >> 2) & 0x00249249;
+
+        for (j = 0; j < 4; j++) {
+            a = (d >> (6 * j + 0)) & 0x7;
+            b = (d >> (6 * j + 3)) & 0x7;
+            r->coeffs[4 * i + j] = a - b;
+        }
+    }
+}
+
+void PQCLEAN_MLKEM512_CLEAN_poly_cbd_eta1(poly *r, const uint8_t buf[KYBER_ETA1 * KYBER_N / 4]) {
+    cbd3(r, buf);
+}
+
+void PQCLEAN_MLKEM512_CLEAN_poly_cbd_eta2(poly *r, const uint8_t buf[KYBER_ETA2 * KYBER_N / 4]) {
+    cbd2(r, buf);
+}

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-512/clean/cbd.h

@@ -0,0 +1,11 @@
+#ifndef PQCLEAN_MLKEM512_CLEAN_CBD_H
+#define PQCLEAN_MLKEM512_CLEAN_CBD_H
+#include "params.h"
+#include "poly.h"
+#include <stdint.h>
+
+void PQCLEAN_MLKEM512_CLEAN_poly_cbd_eta1(poly *r, const uint8_t buf[KYBER_ETA1 * KYBER_N / 4]);
+
+void PQCLEAN_MLKEM512_CLEAN_poly_cbd_eta2(poly *r, const uint8_t buf[KYBER_ETA2 * KYBER_N / 4]);
+
+#endif