Commit bbe6792f authored by Nadim Kobeissi's avatar Nadim Kobeissi 💎

Enforce lengths on byte arrays

parent 9e5adc2a
# SPDX-FileCopyrightText: © 2020-2021 Nadim Kobeissi <nadim@symbolic.software>
# SPDX-License-Identifier: CC0-1.0
# Verifpal
cmd/kyber-r2d2/resource.syso
build/kyber-r2d2.*
dist
# Binaries for programs and plugins
*.exe
*.exe~
......
......@@ -8,7 +8,7 @@ lint:
test:
@go clean -testcache
@/bin/echo "[Kyber-K2SO] Running test battery..."
@go test ./cmd/kyberk2so
@go test .
clean:
@/bin/echo -n "[Kyber-K2SO] Cleaning up..."
......@@ -16,4 +16,4 @@ clean:
@$(RM) -r dist
@/bin/echo " OK"
.PHONY: all windows linux macos freebsd lint test release clean assets build cmd
.PHONY: all windows linux macos freebsd lint test release clean assets
......@@ -16,7 +16,7 @@ func byteopsCbd(buf []byte) poly {
var t, d uint32
var a, b int16
r := polyNew()
for i := 0; i < params.n/8; i++ {
for i := 0; i < paramsN/8; i++ {
t = byteopsLoad32(buf[4*i : (4*i)+4])
d = t & 0x55555555
d = d + ((t >> 1) & 0x55555555)
......@@ -30,8 +30,8 @@ func byteopsCbd(buf []byte) poly {
}
func byteopsMontgomeryReduce(a int32) int16 {
u := int16(a * int32(params.qinv))
t := int32(u) * int32(params.q)
u := int16(a * int32(paramsQinv))
t := int32(u) * int32(paramsQ)
t = a - t
t >>= 16
return int16(t)
......@@ -39,14 +39,14 @@ func byteopsMontgomeryReduce(a int32) int16 {
func byteopsBarrettReduce(a int16) int16 {
var t int16
var v int16 = int16(((uint32(1) << 26) + uint32(params.q/2)) / uint32(params.q))
var v int16 = int16(((uint32(1) << 26) + uint32(paramsQ/2)) / uint32(paramsQ))
t = int16(int32(v) * int32(a) >> 26)
t = t * int16(params.q)
t = t * int16(paramsQ)
return a - t
}
func byteopsCSubQ(a int16) int16 {
a = a - int16(params.q)
a = a + ((a >> 15) & int16(params.q))
a = a - int16(paramsQ)
a = a + ((a >> 15) & int16(paramsQ))
return a
}
......@@ -14,8 +14,8 @@ func indcpaPackPublicKey(publicKey polyvec, seed []byte) []byte {
}
func indcpaUnpackPublicKey(packedPublicKey []byte) (polyvec, []byte) {
publicKeyPolyvec := polyvecFromBytes(packedPublicKey[:params.polyvecbytes])
seed := packedPublicKey[params.polyvecbytes:]
publicKeyPolyvec := polyvecFromBytes(packedPublicKey[:paramsPolyvecBytes])
seed := packedPublicKey[paramsPolyvecBytes:]
return publicKeyPolyvec, seed
}
......@@ -32,8 +32,8 @@ func indcpaPackCiphertext(b polyvec, v poly) []byte {
}
func indcpaUnpackCiphertext(c []byte) (polyvec, poly) {
b := polyvecDecompress(c[:params.polyveccompressedbytes])
v := polyDecompress(c[params.polyveccompressedbytes:])
b := polyvecDecompress(c[:paramsPolyvecCompressedBytes])
v := polyDecompress(c[paramsPolyvecCompressedBytes:])
return b, v
}
......@@ -45,8 +45,8 @@ func indcpaRejUniform(l int, buf []byte, bufl int) ([]int16, int) {
for ctr < l && pos+2 <= bufl {
val = uint16(buf[pos]) | (uint16(buf[pos+1]) << 8)
pos = pos + 2
if val < uint16(19*params.q) {
val = val - ((val >> 12) * uint16(params.q))
if val < uint16(19*paramsQ) {
val = val - ((val >> 12) * uint16(paramsQ))
r[ctr] = int16(val)
ctr = ctr + 1
}
......@@ -55,13 +55,13 @@ func indcpaRejUniform(l int, buf []byte, bufl int) ([]int16, int) {
}
func indcpaGenMatrix(seed []byte, transposed bool) ([]polyvec, error) {
r := make([]polyvec, params.k)
r := make([]polyvec, paramsK)
buf := make([]byte, 4*168)
xof := sha3.NewShake128()
ctr := 0
for i := 0; i < params.k; i++ {
for i := 0; i < paramsK; i++ {
r[i] = polyvecNew()
for j := 0; j < params.k; j++ {
for j := 0; j < paramsK; j++ {
transposon := []byte{byte(j), byte(i)}
if transposed {
transposon = []byte{byte(i), byte(j)}
......@@ -75,17 +75,17 @@ func indcpaGenMatrix(seed []byte, transposed bool) ([]polyvec, error) {
if err != nil {
return []polyvec{}, err
}
r[i].vec[j].coeffs, ctr = indcpaRejUniform(params.n, buf, len(buf))
for ctr < params.n {
r[i].vec[j].coeffs, ctr = indcpaRejUniform(paramsN, buf, len(buf))
for ctr < paramsN {
bufn := make([]byte, 168)
_, err = xof.Read(bufn)
if err != nil {
return []polyvec{}, err
}
missing, ctrn := indcpaRejUniform(params.n-ctr, bufn, 168)
missing, ctrn := indcpaRejUniform(paramsN-ctr, bufn, 168)
r[i].vec[j].coeffs = append(
r[i].vec[j].coeffs[:ctr],
missing[:params.n-ctr]...,
missing[:paramsN-ctr]...,
)
ctr = ctr + ctrn
}
......@@ -104,35 +104,35 @@ func indcpaKeypair() ([]byte, []byte, error) {
skpv := polyvecNew()
pkpv := polyvecNew()
e := polyvecNew()
buf := make([]byte, 2*params.symbytes)
buf := make([]byte, 2*paramsSymBytes)
h := sha3.New512()
_, err := rand.Read(buf[:params.symbytes])
_, err := rand.Read(buf[:paramsSymBytes])
if err != nil {
return []byte{}, []byte{}, err
}
_, err = h.Write(buf[:params.symbytes])
_, err = h.Write(buf[:paramsSymBytes])
if err != nil {
return []byte{}, []byte{}, err
}
buf = buf[:0]
buf = h.Sum(buf)
publicSeed, noiseSeed := buf[:params.symbytes], buf[params.symbytes:]
publicSeed, noiseSeed := buf[:paramsSymBytes], buf[paramsSymBytes:]
a, err := indcpaGenMatrix(publicSeed, false)
if err != nil {
return []byte{}, []byte{}, err
}
var nonce byte
for i := 0; i < params.k; i++ {
for i := 0; i < paramsK; i++ {
skpv.vec[i] = polyGetNoise(noiseSeed, nonce)
nonce = nonce + 1
}
for i := 0; i < params.k; i++ {
for i := 0; i < paramsK; i++ {
e.vec[i] = polyGetNoise(noiseSeed, nonce)
nonce = nonce + 1
}
skpv = polyvecNtt(skpv)
e = polyvecNtt(e)
for i := 0; i < params.k; i++ {
for i := 0; i < paramsK; i++ {
pkpv.vec[i] = polyvecPointWiseAccMontgomery(a[i], skpv)
pkpv.vec[i] = polyToMont(pkpv.vec[i])
}
......@@ -148,21 +148,21 @@ func indcpaEncrypt(m []byte, publicKey []byte, coins []byte) ([]byte, error) {
nonce := byte(0)
publicKeyPolyvec, seed := indcpaUnpackPublicKey(publicKey)
k := polyFromMsg(m)
at, err := indcpaGenMatrix(seed[:params.symbytes], true)
at, err := indcpaGenMatrix(seed[:paramsSymBytes], true)
if err != nil {
return []byte{}, err
}
for i := 0; i < params.k; i++ {
for i := 0; i < paramsK; i++ {
sp.vec[i] = polyGetNoise(coins, nonce)
nonce = nonce + 1
}
for i := 0; i < params.k; i++ {
for i := 0; i < paramsK; i++ {
ep.vec[i] = polyGetNoise(coins, nonce)
nonce = nonce + 1
}
epp := polyGetNoise(coins, nonce)
sp = polyvecNtt(sp)
for i := 0; i < params.k; i++ {
for i := 0; i < paramsK; i++ {
bp.vec[i] = polyvecPointWiseAccMontgomery(at[i], sp)
}
v := polyvecPointWiseAccMontgomery(publicKeyPolyvec, sp)
......
......@@ -15,58 +15,71 @@ import (
// KemKeypair returns a Kyber-768 private key and a corresponding Kyber-768 public key.
// An accompanying error is returned if no sufficient randomness could be obtained from the system.
func KemKeypair() ([]byte, []byte, error) {
func KemKeypair() ([paramsSecretKeyBytes]byte, [paramsPublicKeyBytes]byte, error) {
var privateKeyFixedLength [paramsSecretKeyBytes]byte
var publicKeyFixedLength [paramsPublicKeyBytes]byte
indcpaPrivateKey, indcpaPublicKey, err := indcpaKeypair()
if err != nil {
return []byte{}, []byte{}, err
return privateKeyFixedLength, publicKeyFixedLength, err
}
pkh := sha3.Sum256(indcpaPublicKey)
rnd := make([]byte, params.symbytes)
rnd := make([]byte, paramsSymBytes)
_, err = rand.Read(rnd)
if err != nil {
return []byte{}, []byte{}, err
return privateKeyFixedLength, publicKeyFixedLength, err
}
privateKey := append(indcpaPrivateKey, indcpaPublicKey...)
privateKey = append(privateKey, pkh[:]...)
privateKey = append(privateKey, rnd...)
return privateKey, indcpaPublicKey, nil
copy(privateKeyFixedLength[:], privateKey)
copy(publicKeyFixedLength[:], indcpaPublicKey)
return privateKeyFixedLength, publicKeyFixedLength, nil
}
// KemEncrypt takes a public key (from KemKeypair) as input and returns a ciphertext and a 32-byte shared secret.
// An accompanying error is returned if no sufficient randomness could be obtained from the system.
func KemEncrypt(publicKey []byte) ([]byte, []byte, error) {
sharedSecret := make([]byte, params.symbytes)
buf := make([]byte, 2*params.symbytes)
_, err := rand.Read(buf[:params.symbytes])
func KemEncrypt(publicKey [paramsPublicKeyBytes]byte) ([paramsIndcpaBytes]byte, [paramsSymBytes]byte, error) {
var ciphertextFixedLength [paramsIndcpaBytes]byte
var sharedSecretFixedLength [paramsSymBytes]byte
sharedSecret := make([]byte, paramsSymBytes)
buf := make([]byte, 2*paramsSymBytes)
_, err := rand.Read(buf[:paramsSymBytes])
if err != nil {
return []byte{}, []byte{}, err
return ciphertextFixedLength, sharedSecretFixedLength, err
}
buf1 := sha3.Sum256(buf[:params.symbytes])
buf2 := sha3.Sum256(publicKey)
buf1 := sha3.Sum256(buf[:paramsSymBytes])
buf2 := sha3.Sum256(publicKey[:])
kr := sha3.Sum512(append(buf1[:], buf2[:]...))
ciphertext, err := indcpaEncrypt(buf1[:], publicKey, kr[params.symbytes:])
ciphertext, err := indcpaEncrypt(buf1[:], publicKey[:], kr[paramsSymBytes:])
krc := sha3.Sum256(ciphertext)
sha3.ShakeSum256(sharedSecret, append(kr[:params.symbytes], krc[:]...))
return ciphertext, sharedSecret, err
sha3.ShakeSum256(sharedSecret, append(kr[:paramsSymBytes], krc[:]...))
copy(ciphertextFixedLength[:], ciphertext)
copy(sharedSecretFixedLength[:], sharedSecret)
return ciphertextFixedLength, sharedSecretFixedLength, err
}
// KemDecrypt takes a ciphertext (from KeyEncrypt), a private key (from KemKeypair) and returns a 32-byte shared secret.
// An accompanying error is returned if no sufficient randomness could be obtained from the system.
func KemDecrypt(ciphertext []byte, privateKey []byte) ([]byte, error) {
sharedSecret := make([]byte, params.symbytes)
indcpaPrivateKey := privateKey[:params.indcpasecretkeybytes]
pki := params.indcpasecretkeybytes + params.indcpapublickeybytes
publicKey := privateKey[params.indcpasecretkeybytes:pki]
buf := indcpaDecrypt(ciphertext, indcpaPrivateKey)
ski := params.secretkeybytes - 2*params.symbytes
kr := sha3.Sum512(append(buf, privateKey[ski:ski+params.symbytes]...))
cmp, err := indcpaEncrypt(buf, publicKey, kr[params.symbytes:])
fail := byte(1 - subtle.ConstantTimeCompare(ciphertext, cmp))
krh := sha3.Sum256(ciphertext)
for i := 0; i < params.symbytes; i++ {
skx := privateKey[:params.secretkeybytes-params.symbytes+i]
func KemDecrypt(
ciphertext [paramsIndcpaBytes]byte,
privateKey [paramsSecretKeyBytes]byte,
) ([paramsSymBytes]byte, error) {
var sharedSecretFixedLength [paramsSymBytes]byte
sharedSecret := make([]byte, paramsSymBytes)
indcpaPrivateKey := privateKey[:paramsIndcpaSecretKeyBytes]
pki := paramsIndcpaSecretKeyBytes + paramsIndcpaPublicKeyBytes
publicKey := privateKey[paramsIndcpaSecretKeyBytes:pki]
buf := indcpaDecrypt(ciphertext[:], indcpaPrivateKey)
ski := paramsSecretKeyBytes - 2*paramsSymBytes
kr := sha3.Sum512(append(buf, privateKey[ski:ski+paramsSymBytes]...))
cmp, err := indcpaEncrypt(buf, publicKey, kr[paramsSymBytes:])
fail := byte(1 - subtle.ConstantTimeCompare(ciphertext[:], cmp))
krh := sha3.Sum256(ciphertext[:])
for i := 0; i < paramsSymBytes; i++ {
skx := privateKey[:paramsSecretKeyBytes-paramsSymBytes+i]
kr[i] = kr[i] ^ (fail & (kr[i] ^ skx[i]))
}
sha3.ShakeSum256(sharedSecret, append(kr[:params.symbytes], krh[:]...))
return sharedSecret, err
sha3.ShakeSum256(sharedSecret, append(kr[:paramsSymBytes], krh[:]...))
copy(sharedSecretFixedLength[:], sharedSecret)
return sharedSecretFixedLength, err
}
......@@ -22,7 +22,7 @@ func TestMain(t *testing.T) {
if err != nil {
t.Error(err)
}
if subtle.ConstantTimeCompare(ssA, ssB) == 0 {
if subtle.ConstantTimeCompare(ssA[:], ssB[:]) == 0 {
t.Error("shared secret failed")
}
}
......
......@@ -3,38 +3,18 @@
package kyberk2so
type paramsStruct struct {
k int
n int
q int
eta int
polybytes int
polycompressedbytes int
polyvecbytes int
polyveccompressedbytes int
qinv int
symbytes int
secretkeybytes int
publickeybytes int
indcpasecretkeybytes int
indcpapublickeybytes int
indcpabytes int
}
var params paramsStruct = paramsStruct{
k: 3,
n: 256,
q: 3329,
eta: 2,
polybytes: 384,
polycompressedbytes: 128,
polyvecbytes: (3 * 384),
polyveccompressedbytes: (3 * 320),
qinv: 62209,
symbytes: 32,
secretkeybytes: ((3 * 384) + ((3 * 384) + 32) + 2*32),
publickeybytes: ((3 * 384) + 32),
indcpasecretkeybytes: (3 * 384),
indcpapublickeybytes: ((3 * 384) + 32),
indcpabytes: ((3 * 320) + 128),
}
const paramsK int = 3
const paramsN int = 256
const paramsQ int = 3329
const paramsETA int = 2
const paramsPolyBytes int = 384
const paramsPolyCompressedBytes int = 128
const paramsQinv int = 62209
const paramsSymBytes int = 32
const paramsPolyvecBytes int = paramsK * paramsPolyBytes
const paramsPolyvecCompressedBytes int = paramsK * 320
const paramsSecretKeyBytes int = paramsPolyvecBytes + ((paramsPolyvecBytes + paramsSymBytes) + 2*paramsSymBytes)
const paramsPublicKeyBytes int = paramsPolyvecBytes + paramsSymBytes
const paramsIndcpaSecretKeyBytes int = paramsK * paramsPolyBytes
const paramsIndcpaPublicKeyBytes int = paramsPolyvecBytes + paramsSymBytes
const paramsIndcpaBytes int = paramsPolyvecCompressedBytes + paramsPolyCompressedBytes
......@@ -13,27 +13,27 @@ type polyvec struct {
func polyNew() poly {
var p poly
p.coeffs = make([]int16, params.n)
p.coeffs = make([]int16, paramsN)
return p
}
func polyvecNew() polyvec {
var pv polyvec
pv.vec = make([]poly, params.k)
for i := 0; i < params.k; i++ {
pv.vec = make([]poly, paramsK)
for i := 0; i < paramsK; i++ {
pv.vec[i] = polyNew()
}
return pv
}
func polyCompress(a poly) []byte {
r := make([]byte, params.polycompressedbytes)
r := make([]byte, paramsPolyCompressedBytes)
t := make([]byte, 8)
a = polyCSubQ(a)
rr := 0
for i := 0; i < params.n/8; i++ {
for i := 0; i < paramsN/8; i++ {
for j := 0; j < 8; j++ {
t[j] = byte((((uint16(a.coeffs[8*i+j]) << 4) + uint16(params.q/2)) / uint16(params.q)) & 15)
t[j] = byte((((uint16(a.coeffs[8*i+j]) << 4) + uint16(paramsQ/2)) / uint16(paramsQ)) & 15)
}
r[rr+0] = t[0] | (t[1] << 4)
r[rr+1] = t[2] | (t[3] << 4)
......@@ -47,9 +47,9 @@ func polyCompress(a poly) []byte {
func polyDecompress(a []byte) poly {
r := polyNew()
aa := 0
for i := 0; i < params.n/2; i++ {
r.coeffs[2*i+0] = int16(((uint16(a[aa]&15) * uint16(params.q)) + 8) >> 4)
r.coeffs[2*i+1] = int16(((uint16(a[aa]>>4) * uint16(params.q)) + 8) >> 4)
for i := 0; i < paramsN/2; i++ {
r.coeffs[2*i+0] = int16(((uint16(a[aa]&15) * uint16(paramsQ)) + 8) >> 4)
r.coeffs[2*i+1] = int16(((uint16(a[aa]>>4) * uint16(paramsQ)) + 8) >> 4)
aa = aa + 1
}
return r
......@@ -57,9 +57,9 @@ func polyDecompress(a []byte) poly {
func polyToBytes(a poly) []byte {
var t0, t1 uint16
r := make([]byte, params.polybytes)
r := make([]byte, paramsPolyBytes)
a = polyCSubQ(a)
for i := 0; i < params.n/2; i++ {
for i := 0; i < paramsN/2; i++ {
t0 = uint16(a.coeffs[2*i])
t1 = uint16(a.coeffs[2*i+1])
r[3*i+0] = byte(t0 >> 0)
......@@ -71,7 +71,7 @@ func polyToBytes(a poly) []byte {
func polyFromBytes(a []byte) poly {
r := polyNew()
for i := 0; i < params.n/2; i++ {
for i := 0; i < paramsN/2; i++ {
r.coeffs[2*i] = int16(((uint16(a[3*i+0]) >> 0) | (uint16(a[3*i+1]) << 8)) & 0xFFF)
r.coeffs[2*i+1] = int16(((uint16(a[3*i+1]) >> 4) | (uint16(a[3*i+2]) << 4)) & 0xFFF)
}
......@@ -81,23 +81,23 @@ func polyFromBytes(a []byte) poly {
func polyFromMsg(msg []byte) poly {
r := polyNew()
var mask int16
for i := 0; i < params.n/8; i++ {
for i := 0; i < paramsN/8; i++ {
for j := 0; j < 8; j++ {
mask = -int16((msg[i] >> j) & 1)
r.coeffs[8*i+j] = mask & int16((params.q+1)/2)
r.coeffs[8*i+j] = mask & int16((paramsQ+1)/2)
}
}
return r
}
func polyToMsg(a poly) []byte {
msg := make([]byte, params.symbytes)
msg := make([]byte, paramsSymBytes)
var t uint16
a = polyCSubQ(a)
for i := 0; i < params.n/8; i++ {
for i := 0; i < paramsN/8; i++ {
msg[i] = 0
for j := 0; j < 8; j++ {
t = (((uint16(a.coeffs[8*i+j]) << 1) + uint16(params.q/2)) / uint16(params.q)) & 1
t = (((uint16(a.coeffs[8*i+j]) << 1) + uint16(paramsQ/2)) / uint16(paramsQ)) & 1
msg[i] |= byte(t << j)
}
}
......@@ -105,7 +105,7 @@ func polyToMsg(a poly) []byte {
}
func polyGetNoise(seed []byte, nonce byte) poly {
l := params.eta * params.n / 4
l := paramsETA * paramsN / 4
p := indcpaPrf(l, seed, nonce)
return byteopsCbd(p)
}
......@@ -124,7 +124,7 @@ func polyInvNttToMont(a poly) poly {
func polyBaseMulMontgomery(a poly, b poly) poly {
r := polyNew()
for i := 0; i < params.n/4; i++ {
for i := 0; i < paramsN/4; i++ {
rx := nttBaseMul(
a.coeffs[4*i+0], a.coeffs[4*i+1],
b.coeffs[4*i+0], b.coeffs[4*i+1],
......@@ -145,8 +145,8 @@ func polyBaseMulMontgomery(a poly, b poly) poly {
func polyToMont(a poly) poly {
r := polyNew()
var f int16 = int16((uint64(1) << 32) % uint64(params.q))
for i := 0; i < params.n; i++ {
var f int16 = int16((uint64(1) << 32) % uint64(paramsQ))
for i := 0; i < paramsN; i++ {
r.coeffs[i] = byteopsMontgomeryReduce(int32(a.coeffs[i]) * int32(f))
}
return r
......@@ -154,7 +154,7 @@ func polyToMont(a poly) poly {
func polyReduce(a poly) poly {
r := polyNew()
for i := 0; i < params.n; i++ {
for i := 0; i < paramsN; i++ {
r.coeffs[i] = byteopsBarrettReduce(a.coeffs[i])
}
return r
......@@ -162,7 +162,7 @@ func polyReduce(a poly) poly {
func polyCSubQ(a poly) poly {
r := polyNew()
for i := 0; i < params.n; i++ {
for i := 0; i < paramsN; i++ {
r.coeffs[i] = byteopsCSubQ(a.coeffs[i])
}
return r
......@@ -170,7 +170,7 @@ func polyCSubQ(a poly) poly {
func polyAdd(a poly, b poly) poly {
r := polyNew()
for i := 0; i < params.n; i++ {
for i := 0; i < paramsN; i++ {
r.coeffs[i] = a.coeffs[i] + b.coeffs[i]
}
return r
......@@ -178,21 +178,21 @@ func polyAdd(a poly, b poly) poly {
func polySub(a poly, b poly) poly {
r := polyNew()
for i := 0; i < params.n; i++ {
for i := 0; i < paramsN; i++ {
r.coeffs[i] = a.coeffs[i] - b.coeffs[i]
}
return r
}
func polyvecCompress(a polyvec) []byte {
r := make([]byte, params.polyveccompressedbytes)
r := make([]byte, paramsPolyvecCompressedBytes)
t := make([]uint16, 4)
a = polyvecCSubQ(a)
rr := 0
for i := 0; i < params.k; i++ {
for j := 0; j < params.n/4; j++ {
for i := 0; i < paramsK; i++ {
for j := 0; j < paramsN/4; j++ {
for k := 0; k < 4; k++ {
t[k] = uint16((((uint32(a.vec[i].coeffs[4*j+k]) << 10) + uint32(params.q/2)) / uint32(params.q)) & 0x3ff)
t[k] = uint16((((uint32(a.vec[i].coeffs[4*j+k]) << 10) + uint32(paramsQ/2)) / uint32(paramsQ)) & 0x3ff)
}
r[rr+0] = byte(t[0] >> 0)
r[rr+1] = byte((t[0] >> 8) | (t[1] << 2))
......@@ -209,15 +209,15 @@ func polyvecDecompress(a []byte) polyvec {
r := polyvecNew()
aa := 0
t := make([]uint16, 4)
for i := 0; i < params.k; i++ {
for j := 0; j < params.n/4; j++ {
for i := 0; i < paramsK; i++ {
for j := 0; j < paramsN/4; j++ {
t[0] = (uint16(a[aa+0]) >> 0) | (uint16(a[aa+1]) << 8)
t[1] = (uint16(a[aa+1]) >> 2) | (uint16(a[aa+2]) << 6)
t[2] = (uint16(a[aa+2]) >> 4) | (uint16(a[aa+3]) << 4)
t[3] = (uint16(a[aa+3]) >> 6) | (uint16(a[aa+4]) << 2)
aa = aa + 5
for k := 0; k < 4; k++ {
r.vec[i].coeffs[4*j+k] = int16((uint32(t[k]&0x3FF)*uint32(params.q) + 512) >> 10)
r.vec[i].coeffs[4*j+k] = int16((uint32(t[k]&0x3FF)*uint32(paramsQ) + 512) >> 10)
}
}
}
......@@ -226,7 +226,7 @@ func polyvecDecompress(a []byte) polyvec {
func polyvecToBytes(a polyvec) []byte {
r := []byte{}
for i := 0; i < params.k; i++ {
for i := 0; i < paramsK; i++ {
r = append(r, polyToBytes(a.vec[i])...)
}
return r
......@@ -234,9 +234,9 @@ func polyvecToBytes(a polyvec) []byte {
func polyvecFromBytes(a []byte) polyvec {
r := polyvecNew()
for i := 0; i < params.k; i++ {
start := (i * params.polybytes)
end := (i + 1) * params.polybytes
for i := 0; i < paramsK; i++ {
start := (i * paramsPolyBytes)
end := (i + 1) * paramsPolyBytes
r.vec[i] = polyFromBytes(a[start:end])
}
return r
......@@ -244,7 +244,7 @@ func polyvecFromBytes(a []byte) polyvec {
func polyvecNtt(a polyvec) polyvec {
r := polyvecNew()
for i := 0; i < params.k; i++ {
for i := 0; i < paramsK; i++ {
r.vec[i] = polyNtt(a.vec[i])
}
return r
......@@ -252,7 +252,7 @@ func polyvecNtt(a polyvec) polyvec {
func polyvecInvNttToMont(a polyvec) polyvec {
r := polyvecNew()
for i := 0; i < params.k; i++ {
for i := 0; i < paramsK; i++ {
r.vec[i] = polyInvNttToMont(a.vec[i])
}
return r
......@@ -260,7 +260,7 @@ func polyvecInvNttToMont(a polyvec) polyvec {
func polyvecPointWiseAccMontgomery(a polyvec, b polyvec) poly {
r := polyBaseMulMontgomery(a.vec[0], b.vec[0])
for i := 1; i < params.k; i++ {
for i := 1; i < paramsK; i++ {
t := polyBaseMulMontgomery(a.vec[i], b.vec[i])
r = polyAdd(r, t)
}
......@@ -269,7 +269,7 @@ func polyvecPointWiseAccMontgomery(a polyvec, b polyvec) poly {
func polyvecReduce(a polyvec) polyvec {
r := polyvecNew()
for i := 0; i < params.k; i++ {
for i := 0; i < paramsK; i++ {
r.vec[i] = polyReduce(a.vec[i])
}
return r
......@@ -277,7 +277,7 @@ func polyvecReduce(a polyvec) polyvec {
func polyvecCSubQ(a polyvec) polyvec {
r := polyvecNew()
for i := 0; i < params.k; i++ {
for i := 0; i < paramsK; i++ {
r.vec[i] = polyCSubQ(a.vec[i])
}