@theqrl/dilithium5 0.0.1

package/README.md

@@ -0,0 +1,11 @@
+# `@theqrl/dilithium5`
+
+> TODO: description
+
+## Usage
+
+```
+const dilithium5 = require('@theqrl/dilithium5');
+
+// TODO: DEMONSTRATE API
+```

package/package.json

@@ -0,0 +1,51 @@
+{
+  "name": "@theqrl/dilithium5",
+  "version": "0.0.1",
+  "description": "Dilithium-5 cryptography",
+  "keywords": [
+    "dilithium",
+    "post-quantum",
+    "cryptography"
+  ],
+  "author": "QRL contributors <info@theqrl.org> (https://theqrl.org)",
+  "homepage": "https://github.com/theQRL/qrypto.js#readme",
+  "license": "MIT",
+  "main": "src/sign.js",
+  "type": "module",
+  "directories": {
+    "lib": "src",
+    "test": "test"
+  },
+  "files": [
+    "src"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/theQRL/qrypto.js.git"
+  },
+  "scripts": {
+    "test": "../../node_modules/mocha/bin/mocha.js",
+    "lint-check": "eslint 'src/**/*.js' 'test/**/*.js'",
+    "lint": "eslint --fix 'src/**/*.js' 'test/**/*.js'",
+    "report-coverage": "c8 --reporter=text-lcov npm run test > coverage.lcov"
+  },
+  "bugs": {
+    "url": "https://github.com/theQRL/qrypto.js/issues"
+  },
+  "devDependencies": {
+    "chai": "^4.3.7",
+    "codecov": "^3.8.3",
+    "eslint": "^8.33.0",
+    "eslint-config-airbnb": "^19.0.4",
+    "eslint-config-prettier": "^8.6.0",
+    "eslint-plugin-import": "^2.27.5",
+    "eslint-plugin-prettier": "^4.2.1",
+    "esm": "^3.2.25",
+    "mocha": "^10.2.0",
+    "c8": "^7.13.0",
+    "prettier": "^2.8.3"
+  }
+}

package/src/const.js

@@ -0,0 +1,60 @@
+export const Shake128Rate = 168;
+export const Shake256Rate = 136;
+export const Stream128BlockBytes = Shake128Rate;
+export const Stream256BlockBytes = Shake256Rate;
+
+export const SeedBytes = 32;
+export const CRHBytes = 64;
+export const N = 256;
+export const Q = 8380417;
+export const QInv = 58728449;
+export const D = 13;
+
+export const K = 8;
+export const L = 7;
+export const ETA = 2;
+export const TAU = 60;
+export const BETA = 120;
+export const GAMMA1 = 1 << 19;
+export const GAMMA2 = Math.floor((Q - 1) / 32);
+export const OMEGA = 75;
+
+export const PolyT1PackedBytes = 320;
+export const PolyT0PackedBytes = 416;
+export const PolyETAPackedBytes = 96;
+export const PolyZPackedBytes = 640;
+export const PolyVecHPackedBytes = OMEGA + K;
+export const PolyW1PackedBytes = 128;
+
+export const CryptoPublicKeyBytes = SeedBytes + K * PolyT1PackedBytes;
+export const CryptoSecretKeyBytes =
+  3 * SeedBytes + L * PolyETAPackedBytes + K * PolyETAPackedBytes + K * PolyT0PackedBytes;
+export const CryptoBytes = SeedBytes + L * PolyZPackedBytes + PolyVecHPackedBytes;
+
+export const PolyUniformNBlocks = Math.floor((768 + Stream128BlockBytes - 1) / Stream128BlockBytes);
+export const PolyUniformETANBlocks = Math.floor((136 + Stream256BlockBytes - 1) / Stream256BlockBytes);
+export const PolyUniformGamma1NBlocks = Math.floor((PolyZPackedBytes + Stream256BlockBytes - 1) / Stream256BlockBytes);
+
+export const zetas = [
+  0, 25847, -2608894, -518909, 237124, -777960, -876248, 466468, 1826347, 2353451, -359251, -2091905, 3119733, -2884855,
+  3111497, 2680103, 2725464, 1024112, -1079900, 3585928, -549488, -1119584, 2619752, -2108549, -2118186, -3859737,
+  -1399561, -3277672, 1757237, -19422, 4010497, 280005, 2706023, 95776, 3077325, 3530437, -1661693, -3592148, -2537516,
+  3915439, -3861115, -3043716, 3574422, -2867647, 3539968, -300467, 2348700, -539299, -1699267, -1643818, 3505694,
+  -3821735, 3507263, -2140649, -1600420, 3699596, 811944, 531354, 954230, 3881043, 3900724, -2556880, 2071892, -2797779,
+  -3930395, -1528703, -3677745, -3041255, -1452451, 3475950, 2176455, -1585221, -1257611, 1939314, -4083598, -1000202,
+  -3190144, -3157330, -3632928, 126922, 3412210, -983419, 2147896, 2715295, -2967645, -3693493, -411027, -2477047,
+  -671102, -1228525, -22981, -1308169, -381987, 1349076, 1852771, -1430430, -3343383, 264944, 508951, 3097992, 44288,
+  -1100098, 904516, 3958618, -3724342, -8578, 1653064, -3249728, 2389356, -210977, 759969, -1316856, 189548, -3553272,
+  3159746, -1851402, -2409325, -177440, 1315589, 1341330, 1285669, -1584928, -812732, -1439742, -3019102, -3881060,
+  -3628969, 3839961, 2091667, 3407706, 2316500, 3817976, -3342478, 2244091, -2446433, -3562462, 266997, 2434439,
+  -1235728, 3513181, -3520352, -3759364, -1197226, -3193378, 900702, 1859098, 909542, 819034, 495491, -1613174, -43260,
+  -522500, -655327, -3122442, 2031748, 3207046, -3556995, -525098, -768622, -3595838, 342297, 286988, -2437823, 4108315,
+  3437287, -3342277, 1735879, 203044, 2842341, 2691481, -2590150, 1265009, 4055324, 1247620, 2486353, 1595974, -3767016,
+  1250494, 2635921, -3548272, -2994039, 1869119, 1903435, -1050970, -1333058, 1237275, -3318210, -1430225, -451100,
+  1312455, 3306115, -1962642, -1279661, 1917081, -2546312, -1374803, 1500165, 777191, 2235880, 3406031, -542412,
+  -2831860, -1671176, -1846953, -2584293, -3724270, 594136, -3776993, -2013608, 2432395, 2454455, -164721, 1957272,
+  3369112, 185531, -1207385, -3183426, 162844, 1616392, 3014001, 810149, 1652634, -3694233, -1799107, -3038916, 3523897,
+  3866901, 269760, 2213111, -975884, 1717735, 472078, -426683, 1723600, -1803090, 1910376, -1667432, -1104333, -260646,
+  -3833893, -2939036, -2235985, -420899, -2286327, 183443, -976891, 1612842, -3545687, -554416, 3919660, -48306,
+  -1362209, 3937738, 1400424, -846154, 1976782,
+];

package/src/fips202.js

@@ -0,0 +1,430 @@
+import { Shake128Rate, Shake256Rate } from './const.js';
+
+const NRounds = 24;
+
+const KeccakFRoundConstants = BigUint64Array.from([
+  0x0000000000000001n,
+  0x0000000000008082n,
+  0x800000000000808an,
+  0x8000000080008000n,
+  0x000000000000808bn,
+  0x0000000080000001n,
+  0x8000000080008081n,
+  0x8000000000008009n,
+  0x000000000000008an,
+  0x0000000000000088n,
+  0x0000000080008009n,
+  0x000000008000000an,
+  0x000000008000808bn,
+  0x800000000000008bn,
+  0x8000000000008089n,
+  0x8000000000008003n,
+  0x8000000000008002n,
+  0x8000000000000080n,
+  0x000000000000800an,
+  0x800000008000000an,
+  0x8000000080008081n,
+  0x8000000000008080n,
+  0x0000000080000001n,
+  0x8000000080008008n,
+]);
+
+export class KeccakState {
+  constructor() {
+    this.s = new BigUint64Array(25);
+    this.pos = 0;
+  }
+}
+
+function ROL(a, offset) {
+  return BigInt.asUintN(64, BigInt.asUintN(64, a << offset) ^ (a >> (64n - offset)));
+}
+
+function load64(x, xOffset) {
+  let r = BigInt(0);
+
+  for (let i = 0; i < 8; i++) r = BigInt.asUintN(64, r | BigInt.asUintN(64, BigInt(x[xOffset + i]) << BigInt(8 * i)));
+
+  return r;
+}
+
+function store64(x, xOffset, u) {
+  for (let i = 0; i < 8; i++) x[xOffset + i] = Number((u >> BigInt(8 * i)) & 0xffn);
+}
+
+function KeccakF1600StatePermute(state) {
+  //copyFromState(A, state)
+  let Aba = state[0];
+  let Abe = state[1];
+  let Abi = state[2];
+  let Abo = state[3];
+  let Abu = state[4];
+  let Aga = state[5];
+  let Age = state[6];
+  let Agi = state[7];
+  let Ago = state[8];
+  let Agu = state[9];
+  let Aka = state[10];
+  let Ake = state[11];
+  let Aki = state[12];
+  let Ako = state[13];
+  let Aku = state[14];
+  let Ama = state[15];
+  let Ame = state[16];
+  let Ami = state[17];
+  let Amo = state[18];
+  let Amu = state[19];
+  let Asa = state[20];
+  let Ase = state[21];
+  let Asi = state[22];
+  let Aso = state[23];
+  let Asu = state[24];
+
+  for (let round = 0; round < NRounds; round += 2) {
+    //    prepareTheta
+    let BCa = BigInt.asUintN(64, Aba ^ Aga ^ Aka ^ Ama ^ Asa);
+    let BCe = BigInt.asUintN(64, Abe ^ Age ^ Ake ^ Ame ^ Ase);
+    let BCi = BigInt.asUintN(64, Abi ^ Agi ^ Aki ^ Ami ^ Asi);
+    let BCo = BigInt.asUintN(64, Abo ^ Ago ^ Ako ^ Amo ^ Aso);
+    let BCu = BigInt.asUintN(64, Abu ^ Agu ^ Aku ^ Amu ^ Asu);
+
+    //thetaRhoPiChiIotaPrepareTheta(round, A, E)
+    let Da = BigInt.asUintN(64, BCu ^ ROL(BCe, 1n));
+    let De = BigInt.asUintN(64, BCa ^ ROL(BCi, 1n));
+    let Di = BigInt.asUintN(64, BCe ^ ROL(BCo, 1n));
+    let Do = BigInt.asUintN(64, BCi ^ ROL(BCu, 1n));
+    let Du = BigInt.asUintN(64, BCo ^ ROL(BCa, 1n));
+
+    Aba = BigInt.asUintN(64, Aba ^ Da);
+    BCa = Aba;
+    Age = BigInt.asUintN(64, Age ^ De);
+    BCe = ROL(Age, 44n);
+    Aki = BigInt.asUintN(64, Aki ^ Di);
+    BCi = ROL(Aki, 43n);
+    Amo = BigInt.asUintN(64, Amo ^ Do);
+    BCo = ROL(Amo, 21n);
+    Asu = BigInt.asUintN(64, Asu ^ Du);
+    BCu = ROL(Asu, 14n);
+    let Eba = BigInt.asUintN(64, BCa ^ (~BCe & BCi));
+    Eba = BigInt.asUintN(64, Eba ^ KeccakFRoundConstants[round]);
+    let Ebe = BigInt.asUintN(64, BCe ^ (~BCi & BCo));
+    let Ebi = BigInt.asUintN(64, BCi ^ (~BCo & BCu));
+    let Ebo = BigInt.asUintN(64, BCo ^ (~BCu & BCa));
+    let Ebu = BigInt.asUintN(64, BCu ^ (~BCa & BCe));
+
+    Abo = BigInt.asUintN(64, Abo ^ Do);
+    BCa = ROL(Abo, 28n);
+    Agu = BigInt.asUintN(64, Agu ^ Du);
+    BCe = ROL(Agu, 20n);
+    Aka = BigInt.asUintN(64, Aka ^ Da);
+    BCi = ROL(Aka, 3n);
+    Ame = BigInt.asUintN(64, Ame ^ De);
+    BCo = ROL(Ame, 45n);
+    Asi = BigInt.asUintN(64, Asi ^ Di);
+    BCu = ROL(Asi, 61n);
+    let Ega = BigInt.asUintN(64, BCa ^ (~BCe & BCi));
+    let Ege = BigInt.asUintN(64, BCe ^ (~BCi & BCo));
+    let Egi = BigInt.asUintN(64, BCi ^ (~BCo & BCu));
+    let Ego = BigInt.asUintN(64, BCo ^ (~BCu & BCa));
+    let Egu = BigInt.asUintN(64, BCu ^ (~BCa & BCe));
+
+    Abe = BigInt.asUintN(64, Abe ^ De);
+    BCa = ROL(Abe, 1n);
+    Agi = BigInt.asUintN(64, Agi ^ Di);
+    BCe = ROL(Agi, 6n);
+    Ako = BigInt.asUintN(64, Ako ^ Do);
+    BCi = ROL(Ako, 25n);
+    Amu = BigInt.asUintN(64, Amu ^ Du);
+    BCo = ROL(Amu, 8n);
+    Asa = BigInt.asUintN(64, Asa ^ Da);
+    BCu = ROL(Asa, 18n);
+    let Eka = BigInt.asUintN(64, BCa ^ (~BCe & BCi));
+    let Eke = BigInt.asUintN(64, BCe ^ (~BCi & BCo));
+    let Eki = BigInt.asUintN(64, BCi ^ (~BCo & BCu));
+    let Eko = BigInt.asUintN(64, BCo ^ (~BCu & BCa));
+    let Eku = BigInt.asUintN(64, BCu ^ (~BCa & BCe));
+
+    Abu = BigInt.asUintN(64, Abu ^ Du);
+    BCa = ROL(Abu, 27n);
+    Aga = BigInt.asUintN(64, Aga ^ Da);
+    BCe = ROL(Aga, 36n);
+    Ake = BigInt.asUintN(64, Ake ^ De);
+    BCi = ROL(Ake, 10n);
+    Ami = BigInt.asUintN(64, Ami ^ Di);
+    BCo = ROL(Ami, 15n);
+    Aso = BigInt.asUintN(64, Aso ^ Do);
+    BCu = ROL(Aso, 56n);
+    let Ema = BigInt.asUintN(64, BCa ^ (~BCe & BCi));
+    let Eme = BigInt.asUintN(64, BCe ^ (~BCi & BCo));
+    let Emi = BigInt.asUintN(64, BCi ^ (~BCo & BCu));
+    let Emo = BigInt.asUintN(64, BCo ^ (~BCu & BCa));
+    let Emu = BigInt.asUintN(64, BCu ^ (~BCa & BCe));
+
+    Abi = BigInt.asUintN(64, Abi ^ Di);
+    BCa = ROL(Abi, 62n);
+    Ago = BigInt.asUintN(64, Ago ^ Do);
+    BCe = ROL(Ago, 55n);
+    Aku = BigInt.asUintN(64, Aku ^ Du);
+    BCi = ROL(Aku, 39n);
+    Ama = BigInt.asUintN(64, Ama ^ Da);
+    BCo = ROL(Ama, 41n);
+    Ase = BigInt.asUintN(64, Ase ^ De);
+    BCu = ROL(Ase, 2n);
+    let Esa = BigInt.asUintN(64, BCa ^ (~BCe & BCi));
+    let Ese = BigInt.asUintN(64, BCe ^ (~BCi & BCo));
+    let Esi = BigInt.asUintN(64, BCi ^ (~BCo & BCu));
+    let Eso = BigInt.asUintN(64, BCo ^ (~BCu & BCa));
+    let Esu = BigInt.asUintN(64, BCu ^ (~BCa & BCe));
+
+    //    prepareTheta
+    BCa = BigInt.asUintN(64, Eba ^ Ega ^ Eka ^ Ema ^ Esa);
+    BCe = BigInt.asUintN(64, Ebe ^ Ege ^ Eke ^ Eme ^ Ese);
+    BCi = BigInt.asUintN(64, Ebi ^ Egi ^ Eki ^ Emi ^ Esi);
+    BCo = BigInt.asUintN(64, Ebo ^ Ego ^ Eko ^ Emo ^ Eso);
+    BCu = BigInt.asUintN(64, Ebu ^ Egu ^ Eku ^ Emu ^ Esu);
+
+    //thetaRhoPiChiIotaPrepareTheta(round+1, E, A)
+    Da = BigInt.asUintN(64, BCu ^ ROL(BCe, 1n));
+    De = BigInt.asUintN(64, BCa ^ ROL(BCi, 1n));
+    Di = BigInt.asUintN(64, BCe ^ ROL(BCo, 1n));
+    Do = BigInt.asUintN(64, BCi ^ ROL(BCu, 1n));
+    Du = BigInt.asUintN(64, BCo ^ ROL(BCa, 1n));
+
+    Eba = BigInt.asUintN(64, Eba ^ Da);
+    BCa = Eba;
+    Ege = BigInt.asUintN(64, Ege ^ De);
+    BCe = ROL(Ege, 44n);
+    Eki = BigInt.asUintN(64, Eki ^ Di);
+    BCi = ROL(Eki, 43n);
+    Emo = BigInt.asUintN(64, Emo ^ Do);
+    BCo = ROL(Emo, 21n);
+    Esu = BigInt.asUintN(64, Esu ^ Du);
+    BCu = ROL(Esu, 14n);
+    Aba = BigInt.asUintN(64, BCa ^ (~BCe & BCi));
+    Aba = BigInt.asUintN(64, Aba ^ KeccakFRoundConstants[round + 1]);
+    Abe = BigInt.asUintN(64, BCe ^ (~BCi & BCo));
+    Abi = BigInt.asUintN(64, BCi ^ (~BCo & BCu));
+    Abo = BigInt.asUintN(64, BCo ^ (~BCu & BCa));
+    Abu = BigInt.asUintN(64, BCu ^ (~BCa & BCe));
+
+    Ebo = BigInt.asUintN(64, Ebo ^ Do);
+    BCa = ROL(Ebo, 28n);
+    Egu = BigInt.asUintN(64, Egu ^ Du);
+    BCe = ROL(Egu, 20n);
+    Eka = BigInt.asUintN(64, Eka ^ Da);
+    BCi = ROL(Eka, 3n);
+    Eme = BigInt.asUintN(64, Eme ^ De);
+    BCo = ROL(Eme, 45n);
+    Esi = BigInt.asUintN(64, Esi ^ Di);
+    BCu = ROL(Esi, 61n);
+    Aga = BigInt.asUintN(64, BCa ^ (~BCe & BCi));
+    Age = BigInt.asUintN(64, BCe ^ (~BCi & BCo));
+    Agi = BigInt.asUintN(64, BCi ^ (~BCo & BCu));
+    Ago = BigInt.asUintN(64, BCo ^ (~BCu & BCa));
+    Agu = BigInt.asUintN(64, BCu ^ (~BCa & BCe));
+
+    Ebe = BigInt.asUintN(64, Ebe ^ De);
+    BCa = ROL(Ebe, 1n);
+    Egi = BigInt.asUintN(64, Egi ^ Di);
+    BCe = ROL(Egi, 6n);
+    Eko = BigInt.asUintN(64, Eko ^ Do);
+    BCi = ROL(Eko, 25n);
+    Emu = BigInt.asUintN(64, Emu ^ Du);
+    BCo = ROL(Emu, 8n);
+    Esa = BigInt.asUintN(64, Esa ^ Da);
+    BCu = ROL(Esa, 18n);
+    Aka = BigInt.asUintN(64, BCa ^ (~BCe & BCi));
+    Ake = BigInt.asUintN(64, BCe ^ (~BCi & BCo));
+    Aki = BigInt.asUintN(64, BCi ^ (~BCo & BCu));
+    Ako = BigInt.asUintN(64, BCo ^ (~BCu & BCa));
+    Aku = BigInt.asUintN(64, BCu ^ (~BCa & BCe));
+
+    Ebu = BigInt.asUintN(64, Ebu ^ Du);
+    BCa = ROL(Ebu, 27n);
+    Ega = BigInt.asUintN(64, Ega ^ Da);
+    BCe = ROL(Ega, 36n);
+    Eke = BigInt.asUintN(64, Eke ^ De);
+    BCi = ROL(Eke, 10n);
+    Emi = BigInt.asUintN(64, Emi ^ Di);
+    BCo = ROL(Emi, 15n);
+    Eso = BigInt.asUintN(64, Eso ^ Do);
+    BCu = ROL(Eso, 56n);
+    Ama = BigInt.asUintN(64, BCa ^ (~BCe & BCi));
+    Ame = BigInt.asUintN(64, BCe ^ (~BCi & BCo));
+    Ami = BigInt.asUintN(64, BCi ^ (~BCo & BCu));
+    Amo = BigInt.asUintN(64, BCo ^ (~BCu & BCa));
+    Amu = BigInt.asUintN(64, BCu ^ (~BCa & BCe));
+
+    Ebi = BigInt.asUintN(64, Ebi ^ Di);
+    BCa = ROL(Ebi, 62n);
+    Ego = BigInt.asUintN(64, Ego ^ Do);
+    BCe = ROL(Ego, 55n);
+    Eku = BigInt.asUintN(64, Eku ^ Du);
+    BCi = ROL(Eku, 39n);
+    Ema = BigInt.asUintN(64, Ema ^ Da);
+    BCo = ROL(Ema, 41n);
+    Ese = BigInt.asUintN(64, Ese ^ De);
+    BCu = ROL(Ese, 2n);
+    Asa = BigInt.asUintN(64, BCa ^ (~BCe & BCi));
+    Ase = BigInt.asUintN(64, BCe ^ (~BCi & BCo));
+    Asi = BigInt.asUintN(64, BCi ^ (~BCo & BCu));
+    Aso = BigInt.asUintN(64, BCo ^ (~BCu & BCa));
+    Asu = BigInt.asUintN(64, BCu ^ (~BCa & BCe));
+  }
+
+  state[0] = Aba;
+  state[1] = Abe;
+  state[2] = Abi;
+  state[3] = Abo;
+  state[4] = Abu;
+  state[5] = Aga;
+  state[6] = Age;
+  state[7] = Agi;
+  state[8] = Ago;
+  state[9] = Agu;
+  state[10] = Aka;
+  state[11] = Ake;
+  state[12] = Aki;
+  state[13] = Ako;
+  state[14] = Aku;
+  state[15] = Ama;
+  state[16] = Ame;
+  state[17] = Ami;
+  state[18] = Amo;
+  state[19] = Amu;
+  state[20] = Asa;
+  state[21] = Ase;
+  state[22] = Asi;
+  state[23] = Aso;
+  state[24] = Asu;
+}
+
+function keccakInit(s) {
+  for (let i = 0; i < 25; i++) s[i] = 0n;
+}
+
+function keccakAbsorb(s, pos, r, input) {
+  let inLen = input.length;
+  let i;
+  let inputOffset = 0;
+  while (pos + inLen >= r) {
+    for (i = pos; i < r; i++)
+      s[Math.floor(i / 8)] = BigInt.asUintN(
+        64,
+        s[Math.floor(i / 8)] ^ (BigInt(input[inputOffset++]) << BigInt(8 * (i % 8)))
+      );
+    inLen -= r - pos;
+    KeccakF1600StatePermute(s);
+    pos = 0;
+  }
+
+  for (i = pos; i < pos + inLen; i++) {
+    s[Math.floor(i / 8)] = BigInt.asUintN(
+      64,
+      s[Math.floor(i / 8)] ^ (BigInt(input[inputOffset++]) << BigInt(8 * (i % 8)))
+    );
+  }
+
+  return i;
+}
+
+function keccakFinalize(s, pos, r, p) {
+  s[Math.floor(pos / 8)] = BigInt.asUintN(64, s[Math.floor(pos / 8)] ^ (BigInt(p) << BigInt(8 * (pos % 8))));
+  s[Math.floor(r / 8) - 1] = BigInt.asUintN(64, s[Math.floor(r / 8) - 1] ^ (1n << 63n));
+}
+
+function keccakSqueeze(out, s, pos, r) {
+  let outLen = out.length;
+  let outputOffset = 0;
+  let i = 0;
+
+  while (outLen) {
+    if (pos === r) {
+      KeccakF1600StatePermute(s);
+      pos = 0;
+    }
+    for (i = pos; i < r && i < pos + outLen; i++) out[outputOffset++] = s[Math.floor(i / 8)] >> BigInt(8 * (i % 8));
+    outLen -= i - pos;
+    pos = i;
+  }
+
+  return pos;
+}
+
+function keccakAbsorbOnce(s, r, input, p) {
+  let inLen = input.length;
+  let inputOffset = 0;
+  let i;
+
+  for (i = 0; i < 25; i++) s[i] = 0;
+
+  while (inLen >= r) {
+    for (i = 0; i < Math.floor(r / 8); i++) s[i] = BigInt.asUintN(64, s[i] ^ load64(input, inputOffset + 8 * i));
+    inputOffset += r;
+    inLen -= r;
+    KeccakF1600StatePermute(s);
+  }
+
+  for (i = 0; i < inLen; i++)
+    s[Math.floor(i / 8)] = BigInt.asUintN(
+      64,
+      s[Math.floor(i / 8)] ^ (BigInt(input[inputOffset + i]) << BigInt(8 * (i % 8)))
+    );
+
+  s[Math.floor(i / 8)] = BigInt.asUintN(64, s[Math.floor(i / 8)] ^ (BigInt(p) << BigInt(8 * (i % 8))));
+  s[Math.floor((r - 1) / 8)] = BigInt.asUintN(64, s[Math.floor((r - 1) / 8)] ^ (1n << 63n));
+}
+
+function keccakSqueezeBlocks(output, outputOffset, nBlocks, s, r) {
+  while (nBlocks) {
+    KeccakF1600StatePermute(s);
+    for (let i = 0; i < Math.floor(r / 8); i++) store64(output, outputOffset + 8 * i, s[i]);
+    outputOffset += r;
+    nBlocks -= 1;
+  }
+}
+
+export function shake128Init(state) {
+  keccakInit(state.s);
+  state.pos = 0;
+}
+
+export function shake128Absorb(state, input) {
+  state.pos = keccakAbsorb(state.s, state.pos, Shake128Rate, input);
+}
+
+export function shake128Finalize(state) {
+  keccakFinalize(state.s, state.pos, Shake128Rate, 0x1f);
+  state.pos = Shake128Rate;
+}
+
+export function shake128Squeeze(out, state) {
+  state.pos = keccakSqueeze(out, state.s, state.pos, Shake128Rate);
+}
+
+export function shake128AbsorbOnce(state, input) {
+  keccakAbsorbOnce(state.s, Shake128Rate, input, 0x1f);
+  state.pos = Shake128Rate;
+}
+
+export function shake128SqueezeBlocks(out, outputOffset, nBlocks, state) {
+  keccakSqueezeBlocks(out, outputOffset, nBlocks, state.s, Shake128Rate);
+}
+
+export function shake256Init(state) {
+  keccakInit(state.s);
+  state.pos = 0;
+}
+
+export function shake256Absorb(state, input) {
+  state.pos = keccakAbsorb(state.s, state.pos, Shake256Rate, input);
+}
+
+export function shake256Finalize(state) {
+  keccakFinalize(state.s, state.pos, Shake256Rate, 0x1f);
+  state.pos = Shake256Rate;
+}
+
+export function shake256SqueezeBlocks(out, outputOffset, nBlocks, state) {
+  keccakSqueezeBlocks(out, outputOffset, nBlocks, state.s, Shake256Rate);
+}

package/src/ntt.js

@@ -0,0 +1,40 @@
+import { N, zetas } from './const.js';
+import { montgomeryReduce } from './reduce.js';
+
+export function ntt(a) {
+  let k = 0;
+  let j = 0;
+
+  for (let len = 128; len > 0; len >>= 1) {
+    for (let start = 0; start < N; start = j + len) {
+      const zeta = zetas[++k];
+      for (j = start; j < start + len; ++j) {
+        const t = Number(montgomeryReduce(BigInt.asIntN(64, BigInt(zeta) * BigInt(a[j + len]))));
+        a[j + len] = a[j] - t;
+        a[j] = a[j] + t;
+      }
+    }
+  }
+}
+
+export function invNTTToMont(a) {
+  const f = 41978n; // mont^2/256
+  let j = 0;
+  let k = 256;
+
+  for (let len = 1; len < N; len <<= 1) {
+    for (let start = 0; start < N; start = j + len) {
+      const zeta = BigInt.asIntN(32, BigInt(-zetas[--k]));
+      for (j = start; j < start + len; ++j) {
+        const t = a[j];
+        a[j] = t + a[j + len];
+        a[j + len] = t - a[j + len];
+        a[j + len] = Number(montgomeryReduce(BigInt.asIntN(64, zeta * BigInt(a[j + len]))));
+      }
+    }
+  }
+
+  for (let j = 0; j < N; ++j) {
+    a[j] = Number(montgomeryReduce(BigInt.asIntN(64, f * BigInt(a[j]))));
+  }
+}