diff --git a/Modules/PQClean/.github/workflows/BADGES.md b/Modules/PQClean/.github/workflows/BADGES.md
index f2398146..62aecf36 100644
--- a/Modules/PQClean/.github/workflows/BADGES.md
+++ b/Modules/PQClean/.github/workflows/BADGES.md
@@ -18,9 +18,9 @@
 ![Test dilithium3](https://github.com/PQClean/PQClean/workflows/Test%20dilithium3/badge.svg?branch=master)
 ![Test dilithium5](https://github.com/PQClean/PQClean/workflows/Test%20dilithium5/badge.svg?branch=master)
 ![Test falcon-1024](https://github.com/PQClean/PQClean/workflows/Test%20falcon-1024/badge.svg?branch=master)
-![Test falcon-1024-padded](https://github.com/PQClean/PQClean/workflows/Test%20falcon-1024-padded/badge.svg?branch=master)
+![Test falcon-padded-1024](https://github.com/PQClean/PQClean/workflows/Test%20falcon-padded-1024/badge.svg?branch=master)
 ![Test falcon-512](https://github.com/PQClean/PQClean/workflows/Test%20falcon-512/badge.svg?branch=master)
-![Test falcon-512-padded](https://github.com/PQClean/PQClean/workflows/Test%20falcon-512-padded/badge.svg?branch=master)
+![Test falcon-padded-512](https://github.com/PQClean/PQClean/workflows/Test%20falcon-padded-512/badge.svg?branch=master)
 ![Test sphincs-sha2-128f-simple](https://github.com/PQClean/PQClean/workflows/Test%20sphincs-sha2-128f-simple/badge.svg?branch=master)
 ![Test sphincs-sha2-128s-simple](https://github.com/PQClean/PQClean/workflows/Test%20sphincs-sha2-128s-simple/badge.svg?branch=master)
 ![Test sphincs-sha2-192f-simple](https://github.com/PQClean/PQClean/workflows/Test%20sphincs-sha2-192f-simple/badge.svg?branch=master)
diff --git a/Modules/PQClean/.github/workflows/sign_falcon-1024-padded.yml b/Modules/PQClean/.github/workflows/sign_falcon-padded-1024.yml
similarity index 90%
rename from Modules/PQClean/.github/workflows/sign_falcon-1024-padded.yml
rename to Modules/PQClean/.github/workflows/sign_falcon-padded-1024.yml
index 752739ac..fd97e5ae 100644
--- a/Modules/PQClean/.github/workflows/sign_falcon-1024-padded.yml
+++ b/Modules/PQClean/.github/workflows/sign_falcon-padded-1024.yml @@ -7,13 +7,13 @@ on: - 'test/**' # do not build if other schemes duplicate_consistency files change - '!test/duplicate_consistency/*.yml' - - 'test/duplicate_consistency/falcon-1024-padded*.yml' + - 'test/duplicate_consistency/falcon-padded-1024*.yml' # build if common files change - 'common/**' # build if scheme changed - - 'crypto_sign/falcon-1024-padded/**' + - 'crypto_sign/falcon-padded-1024/**' # build if workflow file changed - - '.github/workflows/sign_falcon-1024-padded.yml' + - '.github/workflows/sign_falcon-padded-1024.yml' # Build if any files in the root change, except .md files - '*' - '!*.md' @@ -23,23 +23,23 @@ on: - 'test/**' # do not build if other schemes duplicate_consistency files change - '!test/duplicate_consistency/*.yml' - - 'test/duplicate_consistency/falcon-1024-padded*.yml' + - 'test/duplicate_consistency/falcon-padded-1024*.yml' # build if common files change - 'common/**' # build if scheme changed - - 'crypto_sign/falcon-1024-padded/**' + - 'crypto_sign/falcon-padded-1024/**' # build if workflow file changed - - '.github/workflows/sign_falcon-1024-padded.yml' + - '.github/workflows/sign_falcon-padded-1024.yml' # Build if any files in the root change, except .md files - '*' - '!*.md' schedule: - cron: '5 4 * * *' -name: Test falcon-1024-padded +name: Test falcon-padded-1024 concurrency: - group: ci-falcon-1024-padded-${{ github.ref }} + group: ci-falcon-padded-1024-${{ github.ref }} cancel-in-progress: true jobs: @@ -48,7 +48,7 @@ jobs: container: image: pqclean/ci-container:${{ matrix.arch }} env: - PQCLEAN_ONLY_SCHEMES: falcon-1024-padded + PQCLEAN_ONLY_SCHEMES: falcon-padded-1024 CC: ccache ${{ matrix.cc }} CCACHE_NOSTATS: 1 CCACHE_DIR: /ccache 
@@ -123,7 +123,7 @@ jobs: key: v1-python-pip - name: Run tests in container run: | - docker run --rm -e CI -e CC -e PQCLEAN_ONLY_SCHEMES=falcon-1024-padded -v $PWD:$PWD -w $PWD -v ~/ccache:/ccache pqclean/ci-container:${{ matrix.arch }} /bin/bash -c "\ + docker run --rm -e CI -e CC -e PQCLEAN_ONLY_SCHEMES=falcon-padded-1024 -v $PWD:$PWD -w $PWD -v ~/ccache:/ccache pqclean/ci-container:${{ matrix.arch }} /bin/bash -c "\ export CCACHE_NOSTATS=1 && \ export CCACHE_DIR=/ccache && \ export CCACHE_SLOPPINESS=include_file_mtime && \ @@ -140,7 +140,7 @@ jobs: - x64 - x86 env: - PQCLEAN_ONLY_SCHEMES: falcon-1024-padded + PQCLEAN_ONLY_SCHEMES: falcon-padded-1024 runs-on: windows-latest steps: - uses: actions/checkout@v3 @@ -171,7 +171,7 @@ jobs: needs: - test-native env: - PQCLEAN_ONLY_SCHEMES: falcon-1024-padded + PQCLEAN_ONLY_SCHEMES: falcon-padded-1024 CCACHE_NOSTATS: 1 CCACHE_SLOPPINESS: include_file_mtime strategy: diff --git a/Modules/PQClean/.github/workflows/sign_falcon-512-padded.yml b/Modules/PQClean/.github/workflows/sign_falcon-padded-512.yml similarity index 90% rename from Modules/PQClean/.github/workflows/sign_falcon-512-padded.yml rename to Modules/PQClean/.github/workflows/sign_falcon-padded-512.yml index f23adf28..a9c838ce 100644 --- a/Modules/PQClean/.github/workflows/sign_falcon-512-padded.yml +++ b/Modules/PQClean/.github/workflows/sign_falcon-padded-512.yml 
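Review bot: The `- uses: actions/checkout@v3` step (context line of the `@@ -140` hunk) and the `pqclean/ci-container:${{ matrix.arch }}` image in the `docker run` line are both referenced by mutable tags, so a moved tag or a compromised image push changes what this workflow executes without any change to the repository. For a pipeline that gates cryptographic implementations, pin the action to a full commit SHA, `uses: actions/checkout@<sha> # v3`, and the image by digest, `pqclean/ci-container:${{ matrix.arch }}@sha256:<digest>`. The `docker run` line also mounts `$PWD` and `~/ccache` read-write into that container, which is acceptable only as long as the image is trusted — which is what pinning provides. This is pre-existing rather than introduced by the rename, but the file is being rewritten anyway.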
@@ -7,13 +7,13 @@ on: - 'test/**' # do not build if other schemes duplicate_consistency files change - '!test/duplicate_consistency/*.yml' - - 'test/duplicate_consistency/falcon-512-padded*.yml' + - 'test/duplicate_consistency/falcon-padded-512*.yml' # build if common files change - 'common/**' # build if scheme changed - - 'crypto_sign/falcon-512-padded/**' + - 'crypto_sign/falcon-padded-512/**' # build if workflow file changed - - '.github/workflows/sign_falcon-512-padded.yml' + - '.github/workflows/sign_falcon-padded-512.yml' # Build if any files in the root change, except .md files - '*' - '!*.md' @@ -23,23 +23,23 @@ on: - 'test/**' # do not build if other schemes duplicate_consistency files change - '!test/duplicate_consistency/*.yml' - - 'test/duplicate_consistency/falcon-512-padded*.yml' + - 'test/duplicate_consistency/falcon-padded-512*.yml' # build if common files change - 'common/**' # build if scheme changed - - 'crypto_sign/falcon-512-padded/**' + - 'crypto_sign/falcon-padded-512/**' # build if workflow file changed - - '.github/workflows/sign_falcon-512-padded.yml' + - '.github/workflows/sign_falcon-padded-512.yml' # Build if any files in the root change, except .md files - '*' - '!*.md' schedule: - cron: '5 4 * * *' -name: Test falcon-512-padded +name: Test falcon-padded-512 concurrency: - group: ci-falcon-512-padded-${{ github.ref }} + group: ci-falcon-padded-512-${{ github.ref }} cancel-in-progress: true jobs: @@ -48,7 +48,7 @@ jobs: container: image: pqclean/ci-container:${{ matrix.arch }} env: - PQCLEAN_ONLY_SCHEMES: falcon-512-padded + PQCLEAN_ONLY_SCHEMES: falcon-padded-512 CC: ccache ${{ matrix.cc }} CCACHE_NOSTATS: 1 CCACHE_DIR: /ccache 
@@ -123,7 +123,7 @@ jobs:
 key: v1-python-pip
 - name: Run tests in container
 run: |
- docker run --rm -e CI -e CC -e PQCLEAN_ONLY_SCHEMES=falcon-512-padded -v $PWD:$PWD -w $PWD -v ~/ccache:/ccache pqclean/ci-container:${{ matrix.arch }} /bin/bash -c "\
+ docker run --rm -e CI -e CC -e PQCLEAN_ONLY_SCHEMES=falcon-padded-512 -v $PWD:$PWD -w $PWD -v ~/ccache:/ccache pqclean/ci-container:${{ matrix.arch }} /bin/bash -c "\
 export CCACHE_NOSTATS=1 && \
 export CCACHE_DIR=/ccache && \
 export CCACHE_SLOPPINESS=include_file_mtime && \
@@ -140,7 +140,7 @@ jobs:
 - x64
 - x86
 env:
- PQCLEAN_ONLY_SCHEMES: falcon-512-padded
+ PQCLEAN_ONLY_SCHEMES: falcon-padded-512
 runs-on: windows-latest
 steps:
 - uses: actions/checkout@v3
@@ -171,7 +171,7 @@ jobs:
 needs:
 - test-native
 env:
- PQCLEAN_ONLY_SCHEMES: falcon-512-padded
+ PQCLEAN_ONLY_SCHEMES: falcon-padded-512
 CCACHE_NOSTATS: 1
 CCACHE_SLOPPINESS: include_file_mtime
 strategy:
diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/ntt_consts.h b/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/ntt_consts.h
deleted file mode 100644
index f07b649a..00000000
--- a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/ntt_consts.h
+++ /dev/null
@@ -1,23 +0,0 @@
-#ifndef NTT_CONSTS
-#define NTT_CONSTS
-
-#include
-
-extern const int16_t PQCLEAN_FALCON1024PADDED_AARCH64_qmvq[8];
-
-/*
- * Table for NTT, binary case:
- * where g = 7 (it is a 2048-th primitive root of 1 modulo q)
- */
-extern const int16_t PQCLEAN_FALCON1024PADDED_AARCH64_ntt_br[];
-extern const int16_t PQCLEAN_FALCON1024PADDED_AARCH64_ntt_qinv_br[];
-
-/*
- * Table for inverse NTT
- * Since g = 7, 1/g = 8778 mod 12289.
- */
-
-extern const int16_t PQCLEAN_FALCON1024PADDED_AARCH64_invntt_br[];
-extern const int16_t PQCLEAN_FALCON1024PADDED_AARCH64_invntt_qinv_br[];
-
-#endif
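Review bot: `falcon-1024-padded/aarch64/ntt_consts.h` is recorded here as a plain deletion, while every other file of the scheme directory in this diff is recorded as a rename with a similarity index and the renamed aarch64 Makefile further down still lists `ntt_consts.c` and `util.c` among its sources; git only falls back to delete/add when the new-path file is below the similarity threshold or absent. Please confirm that `crypto_sign/falcon-padded-1024/aarch64/ntt_consts.h` (and `util.h`, deleted in the next hunk) exists under the new path with the `PQCLEAN_FALCONPADDED1024_AARCH64_` prefix, or that their declarations moved into another header such as inner.h — otherwise the aarch64 build of the renamed scheme fails on the first `#include`. The falcon-512-padded copies of both headers are deleted the same way later in the diff and deserve the same check.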
diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/util.h b/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/util.h
deleted file mode 100644
index b190e1c2..00000000
--- a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/util.h
+++ /dev/null
@@ -1,8 +0,0 @@
-#ifndef UTIL_H
-#define UTIL_H
-
-#define poly_small_to_fp PQCLEAN_FALCON1024PADDED_AARCH64_smallints_to_fpr
-
-void PQCLEAN_FALCON1024PADDED_AARCH64_smallints_to_fpr(fpr *r, const int8_t *t, unsigned logn);
-
-#endif
diff --git a/Modules/PQClean/crypto_sign/falcon-1024/aarch64/api.h b/Modules/PQClean/crypto_sign/falcon-1024/aarch64/api.h
index e10cb4e3..06787aac 100644
--- a/Modules/PQClean/crypto_sign/falcon-1024/aarch64/api.h
+++ b/Modules/PQClean/crypto_sign/falcon-1024/aarch64/api.h
@@ -10,7 +10,7 @@
 #define PQCLEAN_FALCON1024_AARCH64_CRYPTO_ALGNAME "Falcon-1024"
-#define PQCLEAN_FALCON1024PADDED_AARCH64_CRYPTO_BYTES 1280 // used in signature verification
+#define PQCLEAN_FALCONPADDED1024_AARCH64_CRYPTO_BYTES 1280 // used in signature verification
 /*
 * Generate a new key pair. Public key goes into pk[], private key in sk[].
diff --git a/Modules/PQClean/crypto_sign/falcon-1024/aarch64/pqclean.c b/Modules/PQClean/crypto_sign/falcon-1024/aarch64/pqclean.c
index 983a12c5..7355b07d 100644
--- a/Modules/PQClean/crypto_sign/falcon-1024/aarch64/pqclean.c
+++ b/Modules/PQClean/crypto_sign/falcon-1024/aarch64/pqclean.c
@@ -252,7 +252,7 @@ do_verify(
 return -1;
 }
 if (v != sigbuflen) {
- if (sigbuflen == PQCLEAN_FALCON1024PADDED_AARCH64_CRYPTO_BYTES - NONCELEN - 1) {
+ if (sigbuflen == PQCLEAN_FALCONPADDED1024_AARCH64_CRYPTO_BYTES - NONCELEN - 1) {
 while (v < sigbuflen) {
 if (sigbuf[v++] != 0) {
 return -1;
diff --git a/Modules/PQClean/crypto_sign/falcon-1024/avx2/api.h b/Modules/PQClean/crypto_sign/falcon-1024/avx2/api.h
index c8619274..85e201fc 100644
--- a/Modules/PQClean/crypto_sign/falcon-1024/avx2/api.h
+++ b/Modules/PQClean/crypto_sign/falcon-1024/avx2/api.h
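Review bot: `PQCLEAN_FALCONPADDED1024_AARCH64_CRYPTO_BYTES 1280` in falcon-1024/aarch64/api.h now carries the prefix of a different scheme while living in the non-padded header, and its only explanation is `// used in signature verification`; the value is a copy of the `1280` in falcon-padded-1024/aarch64/api.h with nothing tying the two together, so a size change in one place silently desynchronises the other. The pqclean.c hunk shows what it is for: do_verify() accepts a signature buffer of exactly the padded length and then rejects any non-zero byte after the compressed encoding (`if (sigbuf[v++] != 0) { return -1;`), presumably continuing with normal verification otherwise — that zero check is what keeps the padded encoding canonical and must stay. I would replace the trailing comment with `// Signature size of Falcon-padded-1024; keep equal to CRYPTO_BYTES in ../../falcon-padded-1024/aarch64/api.h. do_verify() accepts a zero-padded signature of this length.` so the coupling is visible at the definition. do_verify() begins and ends outside the hunk.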
@@ -10,7 +10,7 @@
 #define PQCLEAN_FALCON1024_AVX2_CRYPTO_ALGNAME "Falcon-1024"
-#define PQCLEAN_FALCON1024PADDED_AVX2_CRYPTO_BYTES 1280 // used in signature verification
+#define PQCLEAN_FALCONPADDED1024_AVX2_CRYPTO_BYTES 1280 // used in signature verification
 /*
 * Generate a new key pair. Public key goes into pk[], private key in sk[].
diff --git a/Modules/PQClean/crypto_sign/falcon-1024/avx2/pqclean.c b/Modules/PQClean/crypto_sign/falcon-1024/avx2/pqclean.c
index f8c74cbd..ea214a19 100644
--- a/Modules/PQClean/crypto_sign/falcon-1024/avx2/pqclean.c
+++ b/Modules/PQClean/crypto_sign/falcon-1024/avx2/pqclean.c
@@ -251,7 +251,7 @@ do_verify(
 return -1;
 }
 if (v != sigbuflen) {
- if (sigbuflen == PQCLEAN_FALCON1024PADDED_AVX2_CRYPTO_BYTES - NONCELEN - 1) {
+ if (sigbuflen == PQCLEAN_FALCONPADDED1024_AVX2_CRYPTO_BYTES - NONCELEN - 1) {
 while (v < sigbuflen) {
 if (sigbuf[v++] != 0) {
 return -1;
diff --git a/Modules/PQClean/crypto_sign/falcon-1024/clean/api.h b/Modules/PQClean/crypto_sign/falcon-1024/clean/api.h
index f3e5485e..cc6557fd 100644
--- a/Modules/PQClean/crypto_sign/falcon-1024/clean/api.h
+++ b/Modules/PQClean/crypto_sign/falcon-1024/clean/api.h
@@ -10,7 +10,7 @@
 #define PQCLEAN_FALCON1024_CLEAN_CRYPTO_ALGNAME "Falcon-1024"
-#define PQCLEAN_FALCON1024PADDED_CLEAN_CRYPTO_BYTES 1280 // used in signature verification
+#define PQCLEAN_FALCONPADDED1024_CLEAN_CRYPTO_BYTES 1280 // used in signature verification
 /*
 * Generate a new key pair. Public key goes into pk[], private key in sk[].
diff --git a/Modules/PQClean/crypto_sign/falcon-1024/clean/pqclean.c b/Modules/PQClean/crypto_sign/falcon-1024/clean/pqclean.c
index f924f517..086d249e 100644
--- a/Modules/PQClean/crypto_sign/falcon-1024/clean/pqclean.c
+++ b/Modules/PQClean/crypto_sign/falcon-1024/clean/pqclean.c
@@ -251,7 +251,7 @@ do_verify(
 return -1;
 }
 if (v != sigbuflen) {
- if (sigbuflen == PQCLEAN_FALCON1024PADDED_CLEAN_CRYPTO_BYTES - NONCELEN - 1) {
+ if (sigbuflen == PQCLEAN_FALCONPADDED1024_CLEAN_CRYPTO_BYTES - NONCELEN - 1) {
 while (v < sigbuflen) {
 if (sigbuf[v++] != 0) {
 return -1;
diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/ntt_consts.h b/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/ntt_consts.h
deleted file mode 100644
index 551cd3e0..00000000
--- a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/ntt_consts.h
+++ /dev/null
@@ -1,23 +0,0 @@
-#ifndef NTT_CONSTS
-#define NTT_CONSTS
-
-#include
-
-extern const int16_t PQCLEAN_FALCON512PADDED_AARCH64_qmvq[8];
-
-/*
- * Table for NTT, binary case:
- * where g = 7 (it is a 2048-th primitive root of 1 modulo q)
- */
-extern const int16_t PQCLEAN_FALCON512PADDED_AARCH64_ntt_br[];
-extern const int16_t PQCLEAN_FALCON512PADDED_AARCH64_ntt_qinv_br[];
-
-/*
- * Table for inverse NTT
- * Since g = 7, 1/g = 8778 mod 12289.
- */
-
-extern const int16_t PQCLEAN_FALCON512PADDED_AARCH64_invntt_br[];
-extern const int16_t PQCLEAN_FALCON512PADDED_AARCH64_invntt_qinv_br[];
-
-#endif
diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/util.h b/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/util.h
deleted file mode 100644
index 25b05d58..00000000
--- a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/util.h
+++ /dev/null
@@ -1,8 +0,0 @@
-#ifndef UTIL_H
-#define UTIL_H
-
-#define poly_small_to_fp PQCLEAN_FALCON512PADDED_AARCH64_smallints_to_fpr
-
-void PQCLEAN_FALCON512PADDED_AARCH64_smallints_to_fpr(fpr *r, const int8_t *t, unsigned logn);
-
-#endif
diff --git a/Modules/PQClean/crypto_sign/falcon-512/aarch64/api.h b/Modules/PQClean/crypto_sign/falcon-512/aarch64/api.h
index 4770760d..d70db344 100644
--- a/Modules/PQClean/crypto_sign/falcon-512/aarch64/api.h
+++ b/Modules/PQClean/crypto_sign/falcon-512/aarch64/api.h
@@ -10,7 +10,7 @@
 #define PQCLEAN_FALCON512_AARCH64_CRYPTO_ALGNAME "Falcon-512"
-#define PQCLEAN_FALCON512PADDED_AARCH64_CRYPTO_BYTES 666 // used in signature verification
+#define PQCLEAN_FALCONPADDED512_AARCH64_CRYPTO_BYTES 666 // used in signature verification
 /*
 * Generate a new key pair. Public key goes into pk[], private key in sk[].
diff --git a/Modules/PQClean/crypto_sign/falcon-512/aarch64/pqclean.c b/Modules/PQClean/crypto_sign/falcon-512/aarch64/pqclean.c
index 5b05c34f..b898d746 100644
--- a/Modules/PQClean/crypto_sign/falcon-512/aarch64/pqclean.c
+++ b/Modules/PQClean/crypto_sign/falcon-512/aarch64/pqclean.c
@@ -252,7 +252,7 @@ do_verify(
 return -1;
 }
 if (v != sigbuflen) {
- if (sigbuflen == PQCLEAN_FALCON512PADDED_AARCH64_CRYPTO_BYTES - NONCELEN - 1) {
+ if (sigbuflen == PQCLEAN_FALCONPADDED512_AARCH64_CRYPTO_BYTES - NONCELEN - 1) {
 while (v < sigbuflen) {
 if (sigbuf[v++] != 0) {
 return -1;
diff --git a/Modules/PQClean/crypto_sign/falcon-512/avx2/api.h b/Modules/PQClean/crypto_sign/falcon-512/avx2/api.h
index 648a4881..2f74f262 100644
--- a/Modules/PQClean/crypto_sign/falcon-512/avx2/api.h
+++ b/Modules/PQClean/crypto_sign/falcon-512/avx2/api.h
@@ -10,7 +10,7 @@
 #define PQCLEAN_FALCON512_AVX2_CRYPTO_ALGNAME "Falcon-512"
-#define PQCLEAN_FALCON512PADDED_AVX2_CRYPTO_BYTES 666 // used in signature verification
+#define PQCLEAN_FALCONPADDED512_AVX2_CRYPTO_BYTES 666 // used in signature verification
 /*
 * Generate a new key pair. Public key goes into pk[], private key in sk[].
diff --git a/Modules/PQClean/crypto_sign/falcon-512/avx2/pqclean.c b/Modules/PQClean/crypto_sign/falcon-512/avx2/pqclean.c
index c240afb9..84e393d6 100644
--- a/Modules/PQClean/crypto_sign/falcon-512/avx2/pqclean.c
+++ b/Modules/PQClean/crypto_sign/falcon-512/avx2/pqclean.c
@@ -251,7 +251,7 @@ do_verify(
 return -1;
 }
 if (v != sigbuflen) {
- if (sigbuflen == PQCLEAN_FALCON512PADDED_AVX2_CRYPTO_BYTES - NONCELEN - 1) {
+ if (sigbuflen == PQCLEAN_FALCONPADDED512_AVX2_CRYPTO_BYTES - NONCELEN - 1) {
 while (v < sigbuflen) {
 if (sigbuf[v++] != 0) {
 return -1;
diff --git a/Modules/PQClean/crypto_sign/falcon-512/clean/api.h b/Modules/PQClean/crypto_sign/falcon-512/clean/api.h
index 59af346e..49489d2b 100644
--- a/Modules/PQClean/crypto_sign/falcon-512/clean/api.h
+++ b/Modules/PQClean/crypto_sign/falcon-512/clean/api.h
@@ -10,7 +10,7 @@
 #define PQCLEAN_FALCON512_CLEAN_CRYPTO_ALGNAME "Falcon-512"
-#define PQCLEAN_FALCON512PADDED_CLEAN_CRYPTO_BYTES 666 // used in signature verification
+#define PQCLEAN_FALCONPADDED512_CLEAN_CRYPTO_BYTES 666 // used in signature verification
 /*
 * Generate a new key pair. Public key goes into pk[], private key in sk[].
diff --git a/Modules/PQClean/crypto_sign/falcon-512/clean/pqclean.c b/Modules/PQClean/crypto_sign/falcon-512/clean/pqclean.c
index 2c52bea8..80d8cbe3 100644
--- a/Modules/PQClean/crypto_sign/falcon-512/clean/pqclean.c
+++ b/Modules/PQClean/crypto_sign/falcon-512/clean/pqclean.c
@@ -251,7 +251,7 @@ do_verify(
 return -1;
 }
 if (v != sigbuflen) {
- if (sigbuflen == PQCLEAN_FALCON512PADDED_CLEAN_CRYPTO_BYTES - NONCELEN - 1) {
+ if (sigbuflen == PQCLEAN_FALCONPADDED512_CLEAN_CRYPTO_BYTES - NONCELEN - 1) {
 while (v < sigbuflen) {
 if (sigbuf[v++] != 0) {
 return -1;
diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/META.yml b/Modules/PQClean/crypto_sign/falcon-padded-1024/META.yml
similarity index 97%
rename from Modules/PQClean/crypto_sign/falcon-1024-padded/META.yml
rename to Modules/PQClean/crypto_sign/falcon-padded-1024/META.yml
index 1de5badd..0cb0ec18 100644
--- a/Modules/PQClean/crypto_sign/falcon-1024-padded/META.yml
+++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/META.yml
@@ -1,5 +1,5 @@ --- -name: Falcon-1024 (PADDED) +name: Falcon-padded-1024 type: signature claimed-nist-level: 5 length-public-key: 1793 diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/LICENSE b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/LICENSE similarity index 100% rename from Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/LICENSE rename to Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/LICENSE diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/Makefile b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/Makefile similarity index 95% rename from Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/Makefile rename to Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/Makefile index 424c162a..46dea403 100644 --- a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/Makefile +++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/Makefile @@ -1,6 +1,6 @@ # This Makefile can be used with GNU Make or BSD Make -LIB=libfalcon-1024-padded_aarch64.a +LIB=libfalcon-padded-1024_aarch64.a SOURCES = codec.c keygen.c poly_float.c common.c fft_tree.c pqclean.c poly_int.c sign.c fpr.c ntt.c rng.c util.c fft.c ntt_consts.c sampler.c vrfy.c OBJECTS = codec.o keygen.o poly_float.o common.o fft_tree.o pqclean.o poly_int.o sign.o fpr.o ntt.o rng.o util.o fft.o ntt_consts.o sampler.o vrfy.o diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/api.h b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/api.h similarity index 66% rename from Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/api.h rename to Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/api.h index d96baee5..9b629984 100644 --- a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/api.h +++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/api.h 
@@ -1,37 +1,37 @@ -#ifndef PQCLEAN_FALCON1024PADDED_AARCH64_API_H -#define PQCLEAN_FALCON1024PADDED_AARCH64_API_H +#ifndef PQCLEAN_FALCONPADDED1024_AARCH64_API_H +#define PQCLEAN_FALCONPADDED1024_AARCH64_API_H #include #include -#define PQCLEAN_FALCON1024PADDED_AARCH64_CRYPTO_SECRETKEYBYTES 2305 -#define PQCLEAN_FALCON1024PADDED_AARCH64_CRYPTO_PUBLICKEYBYTES 1793 -#define PQCLEAN_FALCON1024PADDED_AARCH64_CRYPTO_BYTES 1280 +#define PQCLEAN_FALCONPADDED1024_AARCH64_CRYPTO_SECRETKEYBYTES 2305 +#define PQCLEAN_FALCONPADDED1024_AARCH64_CRYPTO_PUBLICKEYBYTES 1793 +#define PQCLEAN_FALCONPADDED1024_AARCH64_CRYPTO_BYTES 1280 -#define PQCLEAN_FALCON1024PADDED_AARCH64_CRYPTO_ALGNAME "Falcon-1024 (PADDED)" +#define PQCLEAN_FALCONPADDED1024_AARCH64_CRYPTO_ALGNAME "Falcon-padded-1024" /* * Generate a new key pair. Public key goes into pk[], private key in sk[]. * Key sizes are exact (in bytes): - * public (pk): PQCLEAN_FALCON1024PADDED_AARCH64_CRYPTO_PUBLICKEYBYTES - * private (sk): PQCLEAN_FALCON1024PADDED_AARCH64_CRYPTO_SECRETKEYBYTES + * public (pk): PQCLEAN_FALCONPADDED1024_AARCH64_CRYPTO_PUBLICKEYBYTES + * private (sk): PQCLEAN_FALCONPADDED1024_AARCH64_CRYPTO_SECRETKEYBYTES * * Return value: 0 on success, -1 on error. */ -int PQCLEAN_FALCON1024PADDED_AARCH64_crypto_sign_keypair( +int PQCLEAN_FALCONPADDED1024_AARCH64_crypto_sign_keypair( uint8_t *pk, uint8_t *sk); /* * Compute a signature on a provided message (m, mlen), with a given * private key (sk). Signature is written in sig[], with length written * into *siglen. Signature length is variable; maximum signature length - * (in bytes) is PQCLEAN_FALCON1024PADDED_AARCH64_CRYPTO_BYTES. + * (in bytes) is PQCLEAN_FALCONPADDED1024_AARCH64_CRYPTO_BYTES. * * sig[], m[] and sk[] may overlap each other arbitrarily. * * Return value: 0 on success, -1 on error. 
*/ -int PQCLEAN_FALCON1024PADDED_AARCH64_crypto_sign_signature( +int PQCLEAN_FALCONPADDED1024_AARCH64_crypto_sign_signature( uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk); @@ -43,7 +43,7 @@ int PQCLEAN_FALCON1024PADDED_AARCH64_crypto_sign_signature( * * Return value: 0 on success, -1 on error. */ -int PQCLEAN_FALCON1024PADDED_AARCH64_crypto_sign_verify( +int PQCLEAN_FALCONPADDED1024_AARCH64_crypto_sign_verify( const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk); @@ -51,14 +51,14 @@ int PQCLEAN_FALCON1024PADDED_AARCH64_crypto_sign_verify( * Compute a signature on a message and pack the signature and message * into a single object, written into sm[]. The length of that output is * written in *smlen; that length may be larger than the message length - * (mlen) by up to PQCLEAN_FALCON1024PADDED_AARCH64_CRYPTO_BYTES. + * (mlen) by up to PQCLEAN_FALCONPADDED1024_AARCH64_CRYPTO_BYTES. * * sm[] and m[] may overlap each other arbitrarily; however, sm[] shall * not overlap with sk[]. * * Return value: 0 on success, -1 on error. */ -int PQCLEAN_FALCON1024PADDED_AARCH64_crypto_sign( +int PQCLEAN_FALCONPADDED1024_AARCH64_crypto_sign( uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, const uint8_t *sk); @@ -67,13 +67,13 @@ int PQCLEAN_FALCON1024PADDED_AARCH64_crypto_sign( * on success, the message itself is written into m[] and its length * into *mlen. The message is shorter than the signed message object, * but the size difference depends on the signature value; the difference - * may range up to PQCLEAN_FALCON1024PADDED_AARCH64_CRYPTO_BYTES. + * may range up to PQCLEAN_FALCONPADDED1024_AARCH64_CRYPTO_BYTES. * * m[], sm[] and pk[] may overlap each other arbitrarily. * * Return value: 0 on success, -1 on error. */ -int PQCLEAN_FALCON1024PADDED_AARCH64_crypto_sign_open( +int PQCLEAN_FALCONPADDED1024_AARCH64_crypto_sign_open( uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, const uint8_t *pk); 
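Review bot: The doc comment on `crypto_sign_signature` in the `@@ -1,37` hunk still says `Signature length is variable; maximum signature length (in bytes) is PQCLEAN_FALCONPADDED1024_AARCH64_CRYPTO_BYTES`, and the `crypto_sign` / `crypto_sign_open` comments likewise describe a size difference that `depends on the signature value` — wording inherited from the non-padded header. For the padded variant the point of the scheme is a fixed-size output (falcon-1024's do_verify elsewhere in this diff accepts exactly this length and insists the bytes after the compressed encoding be zero), so if signatures are indeed always emitted at the full 1280 bytes these comments are misleading and should read `Signature length is fixed: exactly PQCLEAN_FALCONPADDED1024_AARCH64_CRYPTO_BYTES bytes (the compressed encoding is zero-padded to that size).`, with the matching correction in the two combined-object comments. The commit only renames identifiers; this is a pre-existing documentation gap that the new name makes more visible.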
diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/codec.c b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/codec.c similarity index 94% rename from Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/codec.c rename to Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/codec.c index 2612c241..05a8e49f 100644 --- a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/codec.c +++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/codec.c @@ -34,7 +34,7 @@ /* see inner.h */ size_t -PQCLEAN_FALCON1024PADDED_AARCH64_modq_encode( +PQCLEAN_FALCONPADDED1024_AARCH64_modq_encode( void *out, size_t max_out_len, const uint16_t *x, unsigned logn) { size_t n, out_len, u; @@ -75,7 +75,7 @@ PQCLEAN_FALCON1024PADDED_AARCH64_modq_encode( /* see inner.h */ size_t -PQCLEAN_FALCON1024PADDED_AARCH64_modq_decode(uint16_t *x, const void *in, size_t max_in_len, unsigned logn) { +PQCLEAN_FALCONPADDED1024_AARCH64_modq_decode(uint16_t *x, const void *in, size_t max_in_len, unsigned logn) { size_t n, in_len, u; const uint8_t *buf; uint32_t acc; @@ -112,7 +112,7 @@ PQCLEAN_FALCON1024PADDED_AARCH64_modq_decode(uint16_t *x, const void *in, size_t /* see inner.h */ size_t -PQCLEAN_FALCON1024PADDED_AARCH64_trim_i16_encode( +PQCLEAN_FALCONPADDED1024_AARCH64_trim_i16_encode( void *out, size_t max_out_len, const int16_t *x, unsigned logn, unsigned bits) { size_t n, u, out_len; @@ -156,7 +156,7 @@ PQCLEAN_FALCON1024PADDED_AARCH64_trim_i16_encode( /* see inner.h */ size_t -PQCLEAN_FALCON1024PADDED_AARCH64_trim_i16_decode( +PQCLEAN_FALCONPADDED1024_AARCH64_trim_i16_decode( int16_t *x, unsigned logn, unsigned bits, const void *in, size_t max_in_len) { size_t n, in_len; 
@@ -206,7 +206,7 @@ PQCLEAN_FALCON1024PADDED_AARCH64_trim_i16_decode( /* see inner.h */ size_t -PQCLEAN_FALCON1024PADDED_AARCH64_trim_i8_encode(void *out, size_t max_out_len, +PQCLEAN_FALCONPADDED1024_AARCH64_trim_i8_encode(void *out, size_t max_out_len, const int8_t *x, uint8_t bits) { size_t u, out_len; int8_t minv, maxv; @@ -224,7 +224,7 @@ PQCLEAN_FALCON1024PADDED_AARCH64_trim_i8_encode(void *out, size_t max_out_len, maxv = (int8_t) (1 << (bits - 1)) - 1; minv = -maxv; - if (PQCLEAN_FALCON1024PADDED_AARCH64_poly_check_bound_int8(x, minv, maxv)) { + if (PQCLEAN_FALCONPADDED1024_AARCH64_poly_check_bound_int8(x, minv, maxv)) { return 0; } buf = out; @@ -247,7 +247,7 @@ PQCLEAN_FALCON1024PADDED_AARCH64_trim_i8_encode(void *out, size_t max_out_len, /* see inner.h */ size_t -PQCLEAN_FALCON1024PADDED_AARCH64_trim_i8_decode(int8_t *x, unsigned bits, +PQCLEAN_FALCONPADDED1024_AARCH64_trim_i8_decode(int8_t *x, unsigned bits, const void *in, size_t max_in_len) { size_t in_len; const uint8_t *buf; @@ -294,7 +294,7 @@ PQCLEAN_FALCON1024PADDED_AARCH64_trim_i8_decode(int8_t *x, unsigned bits, /* see inner.h */ size_t -PQCLEAN_FALCON1024PADDED_AARCH64_comp_encode(void *out, size_t max_out_len, const int16_t *x) { +PQCLEAN_FALCONPADDED1024_AARCH64_comp_encode(void *out, size_t max_out_len, const int16_t *x) { uint8_t *buf; size_t u, v; uint32_t acc; @@ -305,7 +305,7 @@ PQCLEAN_FALCON1024PADDED_AARCH64_comp_encode(void *out, size_t max_out_len, cons /* * Make sure that all values are within the -2047..+2047 range. */ - if (PQCLEAN_FALCON1024PADDED_AARCH64_poly_check_bound_int16(x, -2047, 2047)) { + if (PQCLEAN_FALCONPADDED1024_AARCH64_poly_check_bound_int16(x, -2047, 2047)) { return 0; } 
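Review bot: In the context of the `@@ -224` hunk, `maxv = (int8_t) (1 << (bits - 1)) - 1;` only lands on 127 for `bits == 8` because two out-of-range conversions to int8_t happen to wrap: `(int8_t) 128` becomes -128, and the int result `-128 - 1 == -129` is then stored into the int8_t and wraps back to 127. Both conversions are implementation-defined (C17 6.3.1.3p3), and the `max_fg_bits[]` table in this same file starts with entries of `8`, so that path is exercised in practice. Computing in int before the cast, `maxv = (int8_t) ((1 << (bits - 1)) - 1);`, is well-defined for every `bits <= 8` and produces the same value; as a smaller style point, this `bits` is a `uint8_t` while the matching `trim_i8_decode` takes `unsigned bits`. Unchanged by this rename; the function body continues beyond the hunk.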
@@ -385,7 +385,7 @@ PQCLEAN_FALCON1024PADDED_AARCH64_comp_encode(void *out, size_t max_out_len, cons /* see inner.h */ size_t -PQCLEAN_FALCON1024PADDED_AARCH64_comp_decode(int16_t *x, const void *in, size_t max_in_len) { +PQCLEAN_FALCONPADDED1024_AARCH64_comp_decode(int16_t *x, const void *in, size_t max_in_len) { const uint8_t *buf; size_t u, v; uint32_t acc; @@ -483,7 +483,7 @@ PQCLEAN_FALCON1024PADDED_AARCH64_comp_decode(int16_t *x, const void *in, size_t * of max_fg_bits[] and max_FG_bits[] shall be greater than 8. */ -const uint8_t PQCLEAN_FALCON1024PADDED_AARCH64_max_fg_bits[] = { +const uint8_t PQCLEAN_FALCONPADDED1024_AARCH64_max_fg_bits[] = { 0, /* unused */ 8, 8, @@ -497,7 +497,7 @@ const uint8_t PQCLEAN_FALCON1024PADDED_AARCH64_max_fg_bits[] = { 5 }; -const uint8_t PQCLEAN_FALCON1024PADDED_AARCH64_max_FG_bits[] = { +const uint8_t PQCLEAN_FALCONPADDED1024_AARCH64_max_FG_bits[] = { 0, /* unused */ 8, 8, @@ -539,7 +539,7 @@ const uint8_t PQCLEAN_FALCON1024PADDED_AARCH64_max_FG_bits[] = { * in -2047..2047, i.e. 12 bits. */ -const uint8_t PQCLEAN_FALCON1024PADDED_AARCH64_max_sig_bits[] = { +const uint8_t PQCLEAN_FALCONPADDED1024_AARCH64_max_sig_bits[] = { 0, /* unused */ 10, 11, diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/common.c b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/common.c similarity index 98% rename from Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/common.c rename to Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/common.c index 91a78c05..883d8905 100644 --- a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/common.c +++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/common.c @@ -34,7 +34,7 @@ #include "macrous.h" /* see inner.h */ -void PQCLEAN_FALCON1024PADDED_AARCH64_hash_to_point_vartime( +void PQCLEAN_FALCONPADDED1024_AARCH64_hash_to_point_vartime( inner_shake256_context *sc, uint16_t *x, unsigned logn) { /* 
@@ -67,7 +67,7 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_hash_to_point_vartime( } /* see inner.h */ -void PQCLEAN_FALCON1024PADDED_AARCH64_hash_to_point_ct( +void PQCLEAN_FALCONPADDED1024_AARCH64_hash_to_point_ct( inner_shake256_context *sc, uint16_t *x, unsigned logn, uint8_t *tmp) { /* @@ -255,7 +255,7 @@ static const uint32_t l2bound[] = { * thus, we enable 2 parallel dependency rather than 1 for better scheduling. * Each for loop is tuned for cache locality. */ -int PQCLEAN_FALCON1024PADDED_AARCH64_is_short(const int16_t *s1, const int16_t *s2) { +int PQCLEAN_FALCONPADDED1024_AARCH64_is_short(const int16_t *s1, const int16_t *s2) { // Total SIMD register 18 = 16 + 2 int16x8x4_t neon_s1, neon_s2, neon_s3, neon_s4; // 16 int32x4_t neon_s, neon_sh; // 2 @@ -374,7 +374,7 @@ int PQCLEAN_FALCON1024PADDED_AARCH64_is_short(const int16_t *s1, const int16_t * return s <= l2bound[FALCON_LOGN]; } -int PQCLEAN_FALCON1024PADDED_AARCH64_is_short_tmp(int16_t *s1tmp, int16_t *s2tmp, +int PQCLEAN_FALCONPADDED1024_AARCH64_is_short_tmp(int16_t *s1tmp, int16_t *s2tmp, const int16_t *hm, const fpr *t0, const fpr *t1) { // Total SIMD registers: 26 = 16 + 8 + 2 @@ -493,7 +493,7 @@ int PQCLEAN_FALCON1024PADDED_AARCH64_is_short_tmp(int16_t *s1tmp, int16_t *s2tmp return s <= l2bound[FALCON_LOGN]; } -int32_t PQCLEAN_FALCON1024PADDED_AARCH64_poly_small_sqnorm(const int8_t *f) { +int32_t PQCLEAN_FALCONPADDED1024_AARCH64_poly_small_sqnorm(const int8_t *f) { int8x16x4_t a; int16x8x4_t b, c; int32x4_t norm, norm_sh; diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/fft.c b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/fft.c similarity index 94% rename from Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/fft.c rename to Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/fft.c index b5a11c93..652a306b 100644 --- a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/fft.c +++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/fft.c 
@@ -27,7 +27,7 @@ * 1 layer of Forward FFT for 2 complex points (4 coefficients). * Note: The scalar version is faster than vectorized code. */ -static void PQCLEAN_FALCON1024PADDED_AARCH64_FFT_log2(fpr *f) { +static void PQCLEAN_FALCONPADDED1024_AARCH64_FFT_log2(fpr *f) { fpr x_re, x_im, y_re, y_im, v_re, v_im, t_re, t_im, s; x_re = f[0]; @@ -51,7 +51,7 @@ static void PQCLEAN_FALCON1024PADDED_AARCH64_FFT_log2(fpr *f) { /* * Vectorized 2 layers of Forward FFT for 4 complex points (8 coefficients). */ -static void PQCLEAN_FALCON1024PADDED_AARCH64_FFT_log3(fpr *f) { +static void PQCLEAN_FALCONPADDED1024_AARCH64_FFT_log3(fpr *f) { // Total SIMD registers: 18 = 4 + 6 + 8 float64x2x4_t tmp; // 4 float64x2x2_t s_re_im, x, y; // 6 @@ -91,7 +91,7 @@ static void PQCLEAN_FALCON1024PADDED_AARCH64_FFT_log3(fpr *f) { /* * Vectorized 3 layers of Forward FFT for 8 complex points (16 coefficients). */ -static void PQCLEAN_FALCON1024PADDED_AARCH64_FFT_log4(fpr *f) { +static void PQCLEAN_FALCONPADDED1024_AARCH64_FFT_log4(fpr *f) { // Total SIMD register: 26 = 8 + 18 float64x2x4_t t0, t1; // 8 float64x2x2_t x_re, x_im, y_re, y_im, v1, v2, tx, ty, s_re_im; // 18 @@ -158,7 +158,7 @@ static void PQCLEAN_FALCON1024PADDED_AARCH64_FFT_log4(fpr *f) { /* * Vectorized 4 layers of Forward FFT for 16 complex points (32 coefficients). */ -static void PQCLEAN_FALCON1024PADDED_AARCH64_FFT_log5(fpr *f, const unsigned logn) { +static void PQCLEAN_FALCONPADDED1024_AARCH64_FFT_log5(fpr *f, const unsigned logn) { // Total SIMD register: 34 = 2 + 32 float64x2x2_t s_re_im; // 2 float64x2x4_t x_re, x_im, y_re, y_im, t_re, t_im, v_re, v_im; // 32 
@@ -287,7 +287,7 @@ static void PQCLEAN_FALCON1024PADDED_AARCH64_FFT_log5(fpr *f, const unsigned log /* * Vectorized 1 layer of Forward FFT for 16 complex points (32 coefficients). */ -static void PQCLEAN_FALCON1024PADDED_AARCH64_FFT_logn1(fpr *f, const unsigned logn) { +static void PQCLEAN_FALCONPADDED1024_AARCH64_FFT_logn1(fpr *f, const unsigned logn) { const unsigned n = 1 << logn; const unsigned hn = n >> 1; const unsigned ht = n >> 2; @@ -322,7 +322,7 @@ static void PQCLEAN_FALCON1024PADDED_AARCH64_FFT_logn1(fpr *f, const unsigned lo /* * Vectorized 2 layers of Forward FFT for 16 complex points (32 coefficients). */ -static void PQCLEAN_FALCON1024PADDED_AARCH64_FFT_logn2(fpr *f, const unsigned logn, const unsigned level) { +static void PQCLEAN_FALCONPADDED1024_AARCH64_FFT_logn2(fpr *f, const unsigned logn, const unsigned level) { const unsigned int falcon_n = 1 << logn; const unsigned int hn = falcon_n >> 1; @@ -456,7 +456,7 @@ static void PQCLEAN_FALCON1024PADDED_AARCH64_FFT_logn2(fpr *f, const unsigned lo * 1 layer of Inverse FFT for 2 complex points (4 coefficients). * Note: The scalar version is faster than vectorized code. */ -static void PQCLEAN_FALCON1024PADDED_AARCH64_iFFT_log2(fpr *f) { +static void PQCLEAN_FALCONPADDED1024_AARCH64_iFFT_log2(fpr *f) { fpr x_re, x_im, y_re, y_im, s; x_re = f[0]; y_re = f[1]; @@ -477,7 +477,7 @@ static void PQCLEAN_FALCON1024PADDED_AARCH64_iFFT_log2(fpr *f) { /* * Vectorized 2 layers of Inverse FFT for 4 complex point (8 coefficients). */ -static void PQCLEAN_FALCON1024PADDED_AARCH64_iFFT_log3(fpr *f) { +static void PQCLEAN_FALCONPADDED1024_AARCH64_iFFT_log3(fpr *f) { // Total SIMD registers: 12 = 4 + 8 float64x2x4_t tmp; // 4 float64x2x2_t x_re_im, y_re_im, v, s_re_im; // 8 
@@ -526,7 +526,7 @@ static void PQCLEAN_FALCON1024PADDED_AARCH64_iFFT_log3(fpr *f) { /* * Vectorized 3 layers of Inverse FFT for 8 complex point (16 coefficients). */ -static void PQCLEAN_FALCON1024PADDED_AARCH64_iFFT_log4(fpr *f) { +static void PQCLEAN_FALCONPADDED1024_AARCH64_iFFT_log4(fpr *f) { // Total SIMD registers: 18 = 12 + 6 float64x2x4_t re, im, t; // 12 float64x2x2_t t_re, t_im, s_re_im; // 6 @@ -598,7 +598,7 @@ static void PQCLEAN_FALCON1024PADDED_AARCH64_iFFT_log4(fpr *f) { /* * Vectorized 4 layers of Inverse FFT for 16 complex point (32 coefficients). */ -static void PQCLEAN_FALCON1024PADDED_AARCH64_iFFT_log5(fpr *f, const unsigned logn, const unsigned last) { +static void PQCLEAN_FALCONPADDED1024_AARCH64_iFFT_log5(fpr *f, const unsigned logn, const unsigned last) { // Total SIMD register: 26 = 24 + 2 float64x2x4_t x_re, x_im, y_re, y_im, t_re, t_im; // 24 float64x2x2_t s_re_im; // 2 @@ -734,7 +734,7 @@ static void PQCLEAN_FALCON1024PADDED_AARCH64_iFFT_log5(fpr *f, const unsigned lo /* * Vectorized 1 layer of Inverse FFT for 16 complex points (32 coefficients). */ -static void PQCLEAN_FALCON1024PADDED_AARCH64_iFFT_logn1(fpr *f, const unsigned logn, const unsigned last) { +static void PQCLEAN_FALCONPADDED1024_AARCH64_iFFT_logn1(fpr *f, const unsigned logn, const unsigned last) { // Total SIMD register 26 = 24 + 2 float64x2x4_t a_re, a_im, b_re, b_im, t_re, t_im; // 24 float64x2_t s_re_im; // 2 @@ -776,7 +776,7 @@ static void PQCLEAN_FALCON1024PADDED_AARCH64_iFFT_logn1(fpr *f, const unsigned l /* * Vectorized 2 layers of Inverse FFT for 16 complex points (32 coefficients). */ -static void PQCLEAN_FALCON1024PADDED_AARCH64_iFFT_logn2(fpr *f, const unsigned logn, const unsigned level, unsigned last) { +static void PQCLEAN_FALCONPADDED1024_AARCH64_iFFT_logn2(fpr *f, const unsigned logn, const unsigned level, unsigned last) { const unsigned int falcon_n = 1 << logn; const unsigned int hn = falcon_n >> 1; 
@@ -947,41 +947,41 @@ static void PQCLEAN_FALCON1024PADDED_AARCH64_iFFT_logn2(fpr *f, const unsigned l * Support logn from [1, 10] * Can be easily extended to logn > 10 */ -void PQCLEAN_FALCON1024PADDED_AARCH64_FFT(fpr *f, const unsigned logn) { +void PQCLEAN_FALCONPADDED1024_AARCH64_FFT(fpr *f, const unsigned logn) { unsigned level = logn; switch (logn) { case 2: - PQCLEAN_FALCON1024PADDED_AARCH64_FFT_log2(f); + PQCLEAN_FALCONPADDED1024_AARCH64_FFT_log2(f); break; case 3: - PQCLEAN_FALCON1024PADDED_AARCH64_FFT_log3(f); + PQCLEAN_FALCONPADDED1024_AARCH64_FFT_log3(f); break; case 4: - PQCLEAN_FALCON1024PADDED_AARCH64_FFT_log4(f); + PQCLEAN_FALCONPADDED1024_AARCH64_FFT_log4(f); break; case 5: - PQCLEAN_FALCON1024PADDED_AARCH64_FFT_log5(f, 5); + PQCLEAN_FALCONPADDED1024_AARCH64_FFT_log5(f, 5); break; case 6: - PQCLEAN_FALCON1024PADDED_AARCH64_FFT_logn1(f, logn); - PQCLEAN_FALCON1024PADDED_AARCH64_FFT_log5(f, logn); + PQCLEAN_FALCONPADDED1024_AARCH64_FFT_logn1(f, logn); + PQCLEAN_FALCONPADDED1024_AARCH64_FFT_log5(f, logn); break; case 7: case 9: - PQCLEAN_FALCON1024PADDED_AARCH64_FFT_logn2(f, logn, level); - PQCLEAN_FALCON1024PADDED_AARCH64_FFT_log5(f, logn); + PQCLEAN_FALCONPADDED1024_AARCH64_FFT_logn2(f, logn, level); + PQCLEAN_FALCONPADDED1024_AARCH64_FFT_log5(f, logn); break; case 8: case 10: - PQCLEAN_FALCON1024PADDED_AARCH64_FFT_logn1(f, logn); - PQCLEAN_FALCON1024PADDED_AARCH64_FFT_logn2(f, logn, level - 1); - PQCLEAN_FALCON1024PADDED_AARCH64_FFT_log5(f, logn); + PQCLEAN_FALCONPADDED1024_AARCH64_FFT_logn1(f, logn); + PQCLEAN_FALCONPADDED1024_AARCH64_FFT_logn2(f, logn, level - 1); + PQCLEAN_FALCONPADDED1024_AARCH64_FFT_log5(f, logn); break; default: 
@@ -994,42 +994,42 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_FFT(fpr *f, const unsigned logn) { * Support logn from [1, 10] * Can be easily extended to logn > 10 */ -void PQCLEAN_FALCON1024PADDED_AARCH64_iFFT(fpr *f, const unsigned logn) { +void PQCLEAN_FALCONPADDED1024_AARCH64_iFFT(fpr *f, const unsigned logn) { const unsigned level = (logn - 5) & 1; switch (logn) { case 2: - PQCLEAN_FALCON1024PADDED_AARCH64_iFFT_log2(f); + PQCLEAN_FALCONPADDED1024_AARCH64_iFFT_log2(f); break; case 3: - PQCLEAN_FALCON1024PADDED_AARCH64_iFFT_log3(f); + PQCLEAN_FALCONPADDED1024_AARCH64_iFFT_log3(f); break; case 4: - PQCLEAN_FALCON1024PADDED_AARCH64_iFFT_log4(f); + PQCLEAN_FALCONPADDED1024_AARCH64_iFFT_log4(f); break; case 5: - PQCLEAN_FALCON1024PADDED_AARCH64_iFFT_log5(f, 5, 1); + PQCLEAN_FALCONPADDED1024_AARCH64_iFFT_log5(f, 5, 1); break; case 6: - PQCLEAN_FALCON1024PADDED_AARCH64_iFFT_log5(f, logn, 0); - PQCLEAN_FALCON1024PADDED_AARCH64_iFFT_logn1(f, logn, 1); + PQCLEAN_FALCONPADDED1024_AARCH64_iFFT_log5(f, logn, 0); + PQCLEAN_FALCONPADDED1024_AARCH64_iFFT_logn1(f, logn, 1); break; case 7: case 9: - PQCLEAN_FALCON1024PADDED_AARCH64_iFFT_log5(f, logn, 0); - PQCLEAN_FALCON1024PADDED_AARCH64_iFFT_logn2(f, logn, level, 1); + PQCLEAN_FALCONPADDED1024_AARCH64_iFFT_log5(f, logn, 0); + PQCLEAN_FALCONPADDED1024_AARCH64_iFFT_logn2(f, logn, level, 1); break; case 8: case 10: - PQCLEAN_FALCON1024PADDED_AARCH64_iFFT_log5(f, logn, 0); - PQCLEAN_FALCON1024PADDED_AARCH64_iFFT_logn2(f, logn, level, 0); - PQCLEAN_FALCON1024PADDED_AARCH64_iFFT_logn1(f, logn, 1); + PQCLEAN_FALCONPADDED1024_AARCH64_iFFT_log5(f, logn, 0); + PQCLEAN_FALCONPADDED1024_AARCH64_iFFT_logn2(f, logn, level, 0); + PQCLEAN_FALCONPADDED1024_AARCH64_iFFT_logn1(f, logn, 1); break; default: 
diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/fft_tree.c b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/fft_tree.c similarity index 89% rename from Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/fft_tree.c rename to Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/fft_tree.c index 9b4c0fb1..6e5432e2 100644 --- a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/fft_tree.c +++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/fft_tree.c @@ -26,7 +26,7 @@ /* * 1 layer of Merge FFT for 2 complex points (4 coefficients). */ -static inline void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mergeFFT_log2(fpr *f, const fpr *f0, const fpr *f1) { +static inline void PQCLEAN_FALCONPADDED1024_AARCH64_poly_mergeFFT_log2(fpr *f, const fpr *f0, const fpr *f1) { fpr a_re, a_im, b_re, b_im, d_re, d_im, s; a_re = f0[0]; a_im = f0[1]; @@ -46,7 +46,7 @@ static inline void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mergeFFT_log2(fpr *f, c /* * Vectorized 1 layer of Merge FFT for 4 complex points (8 coefficients). */ -static inline void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mergeFFT_log3(fpr *f, const fpr *f0, const fpr *f1) { +static inline void PQCLEAN_FALCONPADDED1024_AARCH64_poly_mergeFFT_log3(fpr *f, const fpr *f0, const fpr *f1) { // Total SIMD registers: 12 = 10 + 2 float64x2x2_t g1, g0, g_re, g_im, s_re_im; // 10 float64x2_t t_re, t_im; // 2 @@ -69,7 +69,7 @@ static inline void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mergeFFT_log3(fpr *f, c /* * Vectorized 1 layer of Merge FFT for 8 complex points (16 coefficients). */ -static inline void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mergeFFT_log4(fpr *f, const fpr *f0, const fpr *f1, const unsigned logn) { +static inline void PQCLEAN_FALCONPADDED1024_AARCH64_poly_mergeFFT_log4(fpr *f, const fpr *f0, const fpr *f1, const unsigned logn) { const unsigned n = 1 << logn; const unsigned ht = n >> 2; const fpr *fpr_merge = fpr_table[logn]; 
@@ -104,7 +104,7 @@ static inline void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mergeFFT_log4(fpr *f, c * 1 layer of Split FFT for 2 complex points (4 coefficients). */ static void -PQCLEAN_FALCON1024PADDED_AARCH64_poly_splitFFT_log2(fpr *restrict f0, fpr *restrict f1, const fpr *restrict f) { +PQCLEAN_FALCONPADDED1024_AARCH64_poly_splitFFT_log2(fpr *restrict f0, fpr *restrict f1, const fpr *restrict f) { fpr a_re, a_im, b_re, b_im, d_re, d_im, s; a_re = f[0]; b_re = f[1]; @@ -125,7 +125,7 @@ PQCLEAN_FALCON1024PADDED_AARCH64_poly_splitFFT_log2(fpr *restrict f0, fpr *restr /* * Vectorized 1 layer of Split FFT for 4 complex points (8 coefficients). */ -static inline void PQCLEAN_FALCON1024PADDED_AARCH64_poly_splitFFT_log3(fpr *f0, fpr *f1, const fpr *f) { +static inline void PQCLEAN_FALCONPADDED1024_AARCH64_poly_splitFFT_log3(fpr *f0, fpr *f1, const fpr *f) { // Total SIMD registers: 12 float64x2x2_t re, im, g0, g1, s_re_im, tm; // 12 @@ -151,7 +151,7 @@ static inline void PQCLEAN_FALCON1024PADDED_AARCH64_poly_splitFFT_log3(fpr *f0, /* * Vectorized 1 layer of Split FFT for 8 complex points (16 coefficients). */ -static inline void PQCLEAN_FALCON1024PADDED_AARCH64_poly_splitFFT_log4(fpr *f0, fpr *f1, const fpr *f, const unsigned logn) { +static inline void PQCLEAN_FALCONPADDED1024_AARCH64_poly_splitFFT_log4(fpr *f0, fpr *f1, const fpr *f, const unsigned logn) { const unsigned n = 1 << logn; const unsigned hn = n >> 1; const unsigned ht = n >> 2; @@ -198,7 +198,7 @@ static inline void PQCLEAN_FALCON1024PADDED_AARCH64_poly_splitFFT_log4(fpr *f0, /* * Vectorized Split FFT implementation */ -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_split_fft(fpr *restrict f0, fpr *restrict f1, const fpr *f, const unsigned logn) { +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_split_fft(fpr *restrict f0, fpr *restrict f1, const fpr *f, const unsigned logn) { switch (logn) { case 1: // n = 2; hn = 1; qn = 0; 
@@ -207,15 +207,15 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_split_fft(fpr *restrict f0, fpr *rest break; case 2: - PQCLEAN_FALCON1024PADDED_AARCH64_poly_splitFFT_log2(f0, f1, f); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_splitFFT_log2(f0, f1, f); break; case 3: - PQCLEAN_FALCON1024PADDED_AARCH64_poly_splitFFT_log3(f0, f1, f); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_splitFFT_log3(f0, f1, f); break; default: - PQCLEAN_FALCON1024PADDED_AARCH64_poly_splitFFT_log4(f0, f1, f, logn); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_splitFFT_log4(f0, f1, f, logn); break; } } @@ -223,7 +223,7 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_split_fft(fpr *restrict f0, fpr *rest /* * Vectorized Merge FFT implementation */ -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_merge_fft(fpr *restrict f, const fpr *restrict f0, +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_merge_fft(fpr *restrict f, const fpr *restrict f0, const fpr *restrict f1, const unsigned logn) { switch (logn) { case 1: @@ -233,15 +233,15 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_merge_fft(fpr *restrict f, const fpr break; case 2: - PQCLEAN_FALCON1024PADDED_AARCH64_poly_mergeFFT_log2(f, f0, f1); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_mergeFFT_log2(f, f0, f1); break; case 3: - PQCLEAN_FALCON1024PADDED_AARCH64_poly_mergeFFT_log3(f, f0, f1); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_mergeFFT_log3(f, f0, f1); break; default: - PQCLEAN_FALCON1024PADDED_AARCH64_poly_mergeFFT_log4(f, f0, f1, logn); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_mergeFFT_log4(f, f0, f1, logn); break; } } diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/fpr.c b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/fpr.c similarity index 100% rename from Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/fpr.c rename to Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/fpr.c 
diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/fpr.h b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/fpr.h
similarity index 90%
rename from Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/fpr.h
rename to Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/fpr.h
index 330a8dd7..ae99a0bd 100644
--- a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/fpr.h
+++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/fpr.h
@@ -219,19 +219,19 @@ fpr_expm_p63(fpr x, fpr ccs) { return (uint64_t) ret; } -#define fpr_p2_tab PQCLEAN_FALCON1024PADDED_AARCH64_fpr_p2_tab +#define fpr_p2_tab PQCLEAN_FALCONPADDED1024_AARCH64_fpr_p2_tab extern const fpr fpr_p2_tab[]; -#define fpr_tab_log2 PQCLEAN_FALCON1024PADDED_AARCH64_fpr_tab_log2 -#define fpr_tab_log3 PQCLEAN_FALCON1024PADDED_AARCH64_fpr_tab_log3 -#define fpr_tab_log4 PQCLEAN_FALCON1024PADDED_AARCH64_fpr_tab_log4 -#define fpr_tab_log5 PQCLEAN_FALCON1024PADDED_AARCH64_fpr_tab_log5 -#define fpr_tab_log6 PQCLEAN_FALCON1024PADDED_AARCH64_fpr_tab_log6 -#define fpr_tab_log7 PQCLEAN_FALCON1024PADDED_AARCH64_fpr_tab_log7 -#define fpr_tab_log8 PQCLEAN_FALCON1024PADDED_AARCH64_fpr_tab_log8 -#define fpr_tab_log9 PQCLEAN_FALCON1024PADDED_AARCH64_fpr_tab_log9 -#define fpr_tab_log10 PQCLEAN_FALCON1024PADDED_AARCH64_fpr_tab_log10 -#define fpr_table PQCLEAN_FALCON1024PADDED_AARCH64_fpr_table +#define fpr_tab_log2 PQCLEAN_FALCONPADDED1024_AARCH64_fpr_tab_log2 +#define fpr_tab_log3 PQCLEAN_FALCONPADDED1024_AARCH64_fpr_tab_log3 +#define fpr_tab_log4 PQCLEAN_FALCONPADDED1024_AARCH64_fpr_tab_log4 +#define fpr_tab_log5 PQCLEAN_FALCONPADDED1024_AARCH64_fpr_tab_log5 +#define fpr_tab_log6 PQCLEAN_FALCONPADDED1024_AARCH64_fpr_tab_log6 +#define fpr_tab_log7 PQCLEAN_FALCONPADDED1024_AARCH64_fpr_tab_log7 +#define fpr_tab_log8 PQCLEAN_FALCONPADDED1024_AARCH64_fpr_tab_log8 +#define fpr_tab_log9 PQCLEAN_FALCONPADDED1024_AARCH64_fpr_tab_log9 +#define fpr_tab_log10 PQCLEAN_FALCONPADDED1024_AARCH64_fpr_tab_log10 +#define fpr_table PQCLEAN_FALCONPADDED1024_AARCH64_fpr_table extern const fpr fpr_tab_log2[]; extern const fpr fpr_tab_log3[]; diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/inner.h b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/inner.h similarity index 86% rename from Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/inner.h rename to Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/inner.h index 3a7b1a4b..9674aecf 100644 
--- a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/inner.h +++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/inner.h @@ -43,7 +43,7 @@ * * * - All public functions (i.e. the non-static ones) must be referenced - * with the PQCLEAN_FALCON1024PADDED_AARCH64_ macro (e.g. PQCLEAN_FALCON1024PADDED_AARCH64_verify_raw for the verify_raw() + * with the PQCLEAN_FALCONPADDED1024_AARCH64_ macro (e.g. PQCLEAN_FALCONPADDED1024_AARCH64_verify_raw for the verify_raw() * function). That macro adds a prefix to the name, which is * configurable with the FALCON_PREFIX macro. This allows compiling * the code into a specific "namespace" and potentially including @@ -66,7 +66,7 @@ * word. The caller MUST use set_fpu_cw() to ensure proper precision: * * oldcw = set_fpu_cw(2); - * PQCLEAN_FALCON1024PADDED_AARCH64_sign_dyn(...); + * PQCLEAN_FALCONPADDED1024_AARCH64_sign_dyn(...); * set_fpu_cw(oldcw); * * On systems where the native floating-point precision is already 
@@ -156,33 +156,33 @@ set_fpu_cw(unsigned x) { * */ -size_t PQCLEAN_FALCON1024PADDED_AARCH64_modq_encode(void *out, size_t max_out_len, +size_t PQCLEAN_FALCONPADDED1024_AARCH64_modq_encode(void *out, size_t max_out_len, const uint16_t *x, unsigned logn); -size_t PQCLEAN_FALCON1024PADDED_AARCH64_trim_i16_encode(void *out, size_t max_out_len, +size_t PQCLEAN_FALCONPADDED1024_AARCH64_trim_i16_encode(void *out, size_t max_out_len, const int16_t *x, unsigned logn, unsigned bits); -size_t PQCLEAN_FALCON1024PADDED_AARCH64_trim_i8_encode(void *out, size_t max_out_len, const int8_t *x, uint8_t bits); -size_t PQCLEAN_FALCON1024PADDED_AARCH64_comp_encode(void *out, size_t max_out_len, const int16_t *x); +size_t PQCLEAN_FALCONPADDED1024_AARCH64_trim_i8_encode(void *out, size_t max_out_len, const int8_t *x, uint8_t bits); +size_t PQCLEAN_FALCONPADDED1024_AARCH64_comp_encode(void *out, size_t max_out_len, const int16_t *x); -size_t PQCLEAN_FALCON1024PADDED_AARCH64_modq_decode(uint16_t *x, const void *in, +size_t PQCLEAN_FALCONPADDED1024_AARCH64_modq_decode(uint16_t *x, const void *in, size_t max_in_len, unsigned logn); -size_t PQCLEAN_FALCON1024PADDED_AARCH64_trim_i16_decode(int16_t *x, unsigned logn, unsigned bits, +size_t PQCLEAN_FALCONPADDED1024_AARCH64_trim_i16_decode(int16_t *x, unsigned logn, unsigned bits, const void *in, size_t max_in_len); -size_t PQCLEAN_FALCON1024PADDED_AARCH64_trim_i8_decode(int8_t *x, unsigned bits, const void *in, size_t max_in_len); -size_t PQCLEAN_FALCON1024PADDED_AARCH64_comp_decode(int16_t *x, const void *in, size_t max_in_len); +size_t PQCLEAN_FALCONPADDED1024_AARCH64_trim_i8_decode(int8_t *x, unsigned bits, const void *in, size_t max_in_len); +size_t PQCLEAN_FALCONPADDED1024_AARCH64_comp_decode(int16_t *x, const void *in, size_t max_in_len); /* * Number of bits for key elements, indexed by logn (1 to 10). This * is at most 8 bits for all degrees, but some degrees may have shorter * elements. 
*/ -extern const uint8_t PQCLEAN_FALCON1024PADDED_AARCH64_max_fg_bits[]; -extern const uint8_t PQCLEAN_FALCON1024PADDED_AARCH64_max_FG_bits[]; +extern const uint8_t PQCLEAN_FALCONPADDED1024_AARCH64_max_fg_bits[]; +extern const uint8_t PQCLEAN_FALCONPADDED1024_AARCH64_max_FG_bits[]; /* * Maximum size, in bits, of elements in a signature, indexed by logn * (1 to 10). The size includes the sign bit. */ -extern const uint8_t PQCLEAN_FALCON1024PADDED_AARCH64_max_sig_bits[]; +extern const uint8_t PQCLEAN_FALCONPADDED1024_AARCH64_max_sig_bits[]; /* ==================================================================== */ /* @@ -196,18 +196,18 @@ extern const uint8_t PQCLEAN_FALCON1024PADDED_AARCH64_max_sig_bits[]; * information to serve as a stop condition on a brute force attack on * the hashed message (provided that the nonce value is known). */ -void PQCLEAN_FALCON1024PADDED_AARCH64_hash_to_point_vartime(inner_shake256_context *sc, +void PQCLEAN_FALCONPADDED1024_AARCH64_hash_to_point_vartime(inner_shake256_context *sc, uint16_t *x, unsigned logn); /* * From a SHAKE256 context (must be already flipped), produce a new * point. The temporary buffer (tmp) must have room for 2*2^logn bytes. * This function is constant-time but is typically more expensive than - * PQCLEAN_FALCON1024PADDED_AARCH64_hash_to_point_vartime(). + * PQCLEAN_FALCONPADDED1024_AARCH64_hash_to_point_vartime(). * * tmp[] must have 16-bit alignment. */ -void PQCLEAN_FALCON1024PADDED_AARCH64_hash_to_point_ct(inner_shake256_context *sc, +void PQCLEAN_FALCONPADDED1024_AARCH64_hash_to_point_ct(inner_shake256_context *sc, uint16_t *x, unsigned logn, uint8_t *tmp); /* 
@@ -216,7 +216,7 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_hash_to_point_ct(inner_shake256_context *s * vector with the acceptance bound. Returned value is 1 on success * (vector is short enough to be acceptable), 0 otherwise. */ -int PQCLEAN_FALCON1024PADDED_AARCH64_is_short(const int16_t *s1, const int16_t *s2); +int PQCLEAN_FALCONPADDED1024_AARCH64_is_short(const int16_t *s1, const int16_t *s2); /* * Tell whether a given vector (2N coordinates, in two halves) is @@ -228,7 +228,7 @@ int PQCLEAN_FALCON1024PADDED_AARCH64_is_short(const int16_t *s1, const int16_t * * Returned value is 1 on success (vector is short enough to be * acceptable), 0 otherwise. */ -int PQCLEAN_FALCON1024PADDED_AARCH64_is_short_tmp(int16_t *s1tmp, int16_t *s2tmp, +int PQCLEAN_FALCONPADDED1024_AARCH64_is_short_tmp(int16_t *s1tmp, int16_t *s2tmp, const int16_t *hm, const double *t0, const double *t1); @@ -239,12 +239,12 @@ int PQCLEAN_FALCON1024PADDED_AARCH64_is_short_tmp(int16_t *s1tmp, int16_t *s2tmp /* * Convert a public key to NTT. Conversion is done in place. */ -void PQCLEAN_FALCON1024PADDED_AARCH64_to_ntt(int16_t *h); +void PQCLEAN_FALCONPADDED1024_AARCH64_to_ntt(int16_t *h); /* * Convert a public key to NTT + Montgomery format. Conversion is done * in place. */ -void PQCLEAN_FALCON1024PADDED_AARCH64_to_ntt_monty(int16_t *h); +void PQCLEAN_FALCONPADDED1024_AARCH64_to_ntt_monty(int16_t *h); /* * Internal signature verification code: @@ -257,7 +257,7 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_to_ntt_monty(int16_t *h); * * tmp[] must have 16-bit alignment. */ -int PQCLEAN_FALCON1024PADDED_AARCH64_verify_raw(const int16_t *c0, const int16_t *s2, +int PQCLEAN_FALCONPADDED1024_AARCH64_verify_raw(const int16_t *c0, const int16_t *s2, int16_t *h, int16_t *tmp); /* 
@@ -269,7 +269,7 @@ int PQCLEAN_FALCON1024PADDED_AARCH64_verify_raw(const int16_t *c0, const int16_t * The tmp[] array must have room for at least 2*2^logn elements. * tmp[] must have 16-bit alignment. */ -int PQCLEAN_FALCON1024PADDED_AARCH64_compute_public(int16_t *h, const int8_t *f, +int PQCLEAN_FALCONPADDED1024_AARCH64_compute_public(int16_t *h, const int8_t *f, const int8_t *g, int16_t *tmp); /* @@ -283,7 +283,7 @@ int PQCLEAN_FALCON1024PADDED_AARCH64_compute_public(int16_t *h, const int8_t *f, * Returned value is 1 in success, 0 on error (f not invertible). * tmp[] must have 16-bit alignment. */ -int PQCLEAN_FALCON1024PADDED_AARCH64_complete_private(int8_t *G, const int8_t *f, +int PQCLEAN_FALCONPADDED1024_AARCH64_complete_private(int8_t *G, const int8_t *f, const int8_t *g, const int8_t *F, uint8_t *tmp); @@ -293,7 +293,7 @@ int PQCLEAN_FALCON1024PADDED_AARCH64_complete_private(int8_t *G, const int8_t *f * * tmp[] must have 16-bit alignment. */ -int PQCLEAN_FALCON1024PADDED_AARCH64_is_invertible(const int16_t *s2, uint8_t *tmp); +int PQCLEAN_FALCONPADDED1024_AARCH64_is_invertible(const int16_t *s2, uint8_t *tmp); /* * Count the number of elements of value zero in the NTT representation @@ -303,7 +303,7 @@ int PQCLEAN_FALCON1024PADDED_AARCH64_is_invertible(const int16_t *s2, uint8_t *t * * tmp[] must have 16-bit alignment. */ -int PQCLEAN_FALCON1024PADDED_AARCH64_count_nttzero(const int16_t *sig, uint8_t *tmp); +int PQCLEAN_FALCONPADDED1024_AARCH64_count_nttzero(const int16_t *sig, uint8_t *tmp); /* * Internal signature verification with public key recovery: @@ -323,7 +323,7 @@ int PQCLEAN_FALCON1024PADDED_AARCH64_count_nttzero(const int16_t *sig, uint8_t * * * tmp[] must have 16-bit alignment. */ -int PQCLEAN_FALCON1024PADDED_AARCH64_verify_recover(int16_t *h, const int16_t *c0, +int PQCLEAN_FALCONPADDED1024_AARCH64_verify_recover(int16_t *h, const int16_t *c0, const int16_t *s1, const int16_t *s2, uint8_t *tmp); 
@@ -444,7 +444,7 @@ int PQCLEAN_FALCON1024PADDED_AARCH64_verify_recover(int16_t *h, const int16_t *c * * Returned value is 1 on success, 0 on error. */ -int PQCLEAN_FALCON1024PADDED_AARCH64_get_seed(void *seed, size_t seed_len); +int PQCLEAN_FALCONPADDED1024_AARCH64_get_seed(void *seed, size_t seed_len); /* * Structure for a PRNG. This includes a large buffer so that values @@ -471,18 +471,18 @@ typedef struct { * Instantiate a PRNG. That PRNG will feed over the provided SHAKE256 * context (in "flipped" state) to obtain its initial state. */ -void PQCLEAN_FALCON1024PADDED_AARCH64_prng_init(prng *p, inner_shake256_context *src); +void PQCLEAN_FALCONPADDED1024_AARCH64_prng_init(prng *p, inner_shake256_context *src); /* * Refill the PRNG buffer. This is normally invoked automatically, and * is declared here only so that prng_get_u64() may be inlined. */ -void PQCLEAN_FALCON1024PADDED_AARCH64_prng_refill(prng *p); +void PQCLEAN_FALCONPADDED1024_AARCH64_prng_refill(prng *p); /* * Get some bytes from a PRNG. */ -void PQCLEAN_FALCON1024PADDED_AARCH64_prng_get_bytes(prng *p, void *dst, size_t len); +void PQCLEAN_FALCONPADDED1024_AARCH64_prng_get_bytes(prng *p, void *dst, size_t len); /* * Get a 64-bit random value from a PRNG. @@ -499,7 +499,7 @@ prng_get_u64(prng *p) { */ u = p->ptr; if (u >= (sizeof p->buf.d) - 9) { - PQCLEAN_FALCON1024PADDED_AARCH64_prng_refill(p); + PQCLEAN_FALCONPADDED1024_AARCH64_prng_refill(p); u = 0; } p->ptr = u + 8; @@ -523,7 +523,7 @@ prng_get_u8(prng *p) { v = p->buf.d[p->ptr ++]; if (p->ptr == sizeof p->buf.d) { - PQCLEAN_FALCON1024PADDED_AARCH64_prng_refill(p); + PQCLEAN_FALCONPADDED1024_AARCH64_prng_refill(p); } return v; } @@ -546,7 +546,7 @@ prng_get_u8(prng *p) { * * 'logn' MUST lie between 1 and 10 (inclusive). */ -void PQCLEAN_FALCON1024PADDED_AARCH64_FFT(fpr *f, unsigned logn); +void PQCLEAN_FALCONPADDED1024_AARCH64_FFT(fpr *f, unsigned logn); /* * Compute the inverse FFT in-place: the source array should contain the 
@@ -556,62 +556,62 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_FFT(fpr *f, unsigned logn); * * 'logn' MUST lie between 1 and 10 (inclusive). */ -void PQCLEAN_FALCON1024PADDED_AARCH64_iFFT(fpr *f, unsigned logn); +void PQCLEAN_FALCONPADDED1024_AARCH64_iFFT(fpr *f, unsigned logn); /* * Add polynomial b to polynomial a. a and b MUST NOT overlap. This * function works in both normal and FFT representations. */ -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_add(fpr *c, const fpr *restrict a, const fpr *restrict b, unsigned logn); +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_add(fpr *c, const fpr *restrict a, const fpr *restrict b, unsigned logn); /* * Subtract polynomial b from polynomial a. a and b MUST NOT overlap. This * function works in both normal and FFT representations. */ -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_sub(fpr *c, const fpr *restrict a, const fpr *restrict b, unsigned logn); +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_sub(fpr *c, const fpr *restrict a, const fpr *restrict b, unsigned logn); /* * Negate polynomial a. This function works in both normal and FFT * representations. */ -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_neg(fpr *c, const fpr *restrict a, unsigned logn); +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_neg(fpr *c, const fpr *restrict a, unsigned logn); /* * Compute adjoint of polynomial a. This function works only in FFT * representation. */ -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_adj_fft(fpr *c, const fpr *restrict a, unsigned logn); +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_adj_fft(fpr *c, const fpr *restrict a, unsigned logn); /* * Multiply polynomial a with polynomial b. a and b MUST NOT overlap. * This function works only in FFT representation. 
*/ -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_fft(fpr *c, const fpr *a, const fpr *restrict b, unsigned logn); -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_add_fft(fpr *c, const fpr *a, const fpr *restrict b, const fpr *restrict d, unsigned logn); +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_fft(fpr *c, const fpr *a, const fpr *restrict b, unsigned logn); +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_add_fft(fpr *c, const fpr *a, const fpr *restrict b, const fpr *restrict d, unsigned logn); /* * Multiply polynomial a with the adjoint of polynomial b. a and b MUST NOT * overlap. This function works only in FFT representation. */ -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_muladj_fft(fpr *d, fpr *a, const fpr *restrict b, unsigned logn); -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_muladj_add_fft(fpr *c, fpr *d, +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_muladj_fft(fpr *d, fpr *a, const fpr *restrict b, unsigned logn); +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_muladj_add_fft(fpr *c, fpr *d, const fpr *a, const fpr *restrict b, unsigned logn); /* * Multiply polynomial with its own adjoint. This function works only in FFT * representation. */ -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mulselfadj_fft(fpr *c, const fpr *restrict a, unsigned logn); -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mulselfadj_add_fft(fpr *c, const fpr *restrict d, const fpr *restrict a, unsigned logn); +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_mulselfadj_fft(fpr *c, const fpr *restrict a, unsigned logn); +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_mulselfadj_add_fft(fpr *c, const fpr *restrict d, const fpr *restrict a, unsigned logn); /* * Multiply polynomial with a real constant. This function works in both * normal and FFT representations. 
*/ -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mulconst(fpr *c, const fpr *a, const fpr x, unsigned logn); +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_mulconst(fpr *c, const fpr *a, const fpr x, unsigned logn); /* * Divide polynomial a by polynomial b, modulo X^N+1 (FFT representation). * a and b MUST NOT overlap. */ -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_div_fft(fpr *restrict c, const fpr *restrict a, const fpr *restrict b, unsigned logn); +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_div_fft(fpr *restrict c, const fpr *restrict a, const fpr *restrict b, unsigned logn); /* * Given f and g (in FFT representation), compute 1/(f*adj(f)+g*adj(g)) @@ -621,7 +621,7 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_div_fft(fpr *restrict c, const fpr *r * * Array d MUST NOT overlap with either a or b. */ -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_invnorm2_fft(fpr *restrict d, +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_invnorm2_fft(fpr *restrict d, const fpr *restrict a, const fpr *restrict b, unsigned logn); /* @@ -629,7 +629,7 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_invnorm2_fft(fpr *restrict d, * (also in FFT representation). Destination d MUST NOT overlap with * any of the source arrays. */ -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_add_muladj_fft(fpr *restrict d, +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_add_muladj_fft(fpr *restrict d, const fpr *restrict F, const fpr *restrict G, const fpr *restrict f, const fpr *restrict g, unsigned logn); @@ -639,7 +639,7 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_add_muladj_fft(fpr *restrict d, * FFT coefficients are real, and the array b contains only N/2 elements. * a and b MUST NOT overlap. */ -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_autoadj_fft(fpr *c, const fpr *a, const fpr *restrict b, unsigned logn); +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_autoadj_fft(fpr *c, const fpr *a, const fpr *restrict b, unsigned logn); /* * Divide polynomial a by polynomial b, where b is autoadjoint. Both 
@@ -647,7 +647,7 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_autoadj_fft(fpr *c, const fpr *a, * FFT coefficients are real, and the array b contains only N/2 elements. * a and b MUST NOT overlap. */ -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_div_autoadj_fft(fpr *c, const fpr *a, const fpr *restrict b, unsigned logn); +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_div_autoadj_fft(fpr *c, const fpr *a, const fpr *restrict b, unsigned logn); /* * Perform an LDL decomposition of an auto-adjoint matrix G, in FFT @@ -657,7 +657,7 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_div_autoadj_fft(fpr *c, const fpr *a, * (with D = [[d00, 0], [0, d11]] and L = [[1, 0], [l10, 1]]). * (In fact, d00 = g00, so the g00 operand is left unmodified.) */ -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_LDL_fft(const fpr *restrict g00, +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_LDL_fft(const fpr *restrict g00, fpr *restrict g01, fpr *restrict g11, unsigned logn); /* @@ -666,7 +666,7 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_LDL_fft(const fpr *restrict g00, * g00, g01 and g11 are unmodified; the outputs d11 and l10 are written * in two other separate buffers provided as extra parameters. */ -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_LDLmv_fft(fpr *restrict d11, fpr *restrict l10, +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_LDLmv_fft(fpr *restrict d11, fpr *restrict l10, const fpr *restrict g00, const fpr *restrict g01, const fpr *restrict g11, unsigned logn); @@ -675,7 +675,7 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_LDLmv_fft(fpr *restrict d11, fpr *res * f = f0(x^2) + x*f1(x^2), for half-size polynomials f0 and f1 * (polynomials modulo X^(N/2)+1). f0, f1 and f MUST NOT overlap. */ -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_split_fft(fpr *restrict f0, fpr *restrict f1, +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_split_fft(fpr *restrict f0, fpr *restrict f1, const fpr *restrict f, unsigned logn); /* 
@@ -684,14 +684,14 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_split_fft(fpr *restrict f0, fpr *rest
 * f = f0(x^2) + x*f1(x^2), in FFT representation modulo X^N+1.
 * f MUST NOT overlap with either f0 or f1.
 */
-void PQCLEAN_FALCON1024PADDED_AARCH64_poly_merge_fft(fpr *restrict f,
+void PQCLEAN_FALCONPADDED1024_AARCH64_poly_merge_fft(fpr *restrict f,
 const fpr *restrict f0, const fpr *restrict f1, unsigned logn);

-void PQCLEAN_FALCON1024PADDED_AARCH64_poly_fpr_of_s16(fpr *t0, const uint16_t *hm, const unsigned falcon_n);
+void PQCLEAN_FALCONPADDED1024_AARCH64_poly_fpr_of_s16(fpr *t0, const uint16_t *hm, const unsigned falcon_n);

-fpr PQCLEAN_FALCON1024PADDED_AARCH64_compute_bnorm(const fpr *rt1, const fpr *rt2);
+fpr PQCLEAN_FALCONPADDED1024_AARCH64_compute_bnorm(const fpr *rt1, const fpr *rt2);

-int32_t PQCLEAN_FALCON1024PADDED_AARCH64_poly_small_sqnorm(const int8_t *f); // common.c
+int32_t PQCLEAN_FALCONPADDED1024_AARCH64_poly_small_sqnorm(const int8_t *f); // common.c
 /* ==================================================================== */
 /*
 * Key pair generation.
@@ -728,7 +728,7 @@ int32_t PQCLEAN_FALCON1024PADDED_AARCH64_poly_small_sqnorm(const int8_t *f); //
 * tmp[] must have 64-bit alignment.
 * This function uses floating-point rounding (see set_fpu_cw()).
 */
-void PQCLEAN_FALCON1024PADDED_AARCH64_keygen(inner_shake256_context *rng,
+void PQCLEAN_FALCONPADDED1024_AARCH64_keygen(inner_shake256_context *rng,
 int8_t *f, int8_t *g, int8_t *F, int8_t *G, uint16_t *h,
 unsigned logn, uint8_t *tmp);

@@ -747,14 +747,14 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_keygen(inner_shake256_context *rng,
 * tmp[] must have 64-bit alignment.
 * This function uses floating-point rounding (see set_fpu_cw()).
 */
-void PQCLEAN_FALCON1024PADDED_AARCH64_expand_privkey(fpr *restrict expanded_key,
+void PQCLEAN_FALCONPADDED1024_AARCH64_expand_privkey(fpr *restrict expanded_key,
 const int8_t *f, const int8_t *g, const int8_t *F, const int8_t *G,
 uint8_t *restrict tmp);

 /*
 * Compute a signature over the provided hashed message (hm); the
 * signature value is one short vector. This function uses an
- * expanded key (as generated by PQCLEAN_FALCON1024PADDED_AARCH64_expand_privkey()).
+ * expanded key (as generated by PQCLEAN_FALCONPADDED1024_AARCH64_expand_privkey()).
 *
 * The sig[] and hm[] buffers may overlap.
 *
@@ -766,7 +766,7 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_expand_privkey(fpr *restrict expanded_key,
 * tmp[] must have 64-bit alignment.
 * This function uses floating-point rounding (see set_fpu_cw()).
 */
-void PQCLEAN_FALCON1024PADDED_AARCH64_sign_tree(int16_t *sig, inner_shake256_context *rng,
+void PQCLEAN_FALCONPADDED1024_AARCH64_sign_tree(int16_t *sig, inner_shake256_context *rng,
 const fpr *restrict expanded_key,
 const uint16_t *hm, uint8_t *tmp);

@@ -787,7 +787,7 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_sign_tree(int16_t *sig, inner_shake256_con
 * tmp[] must have 64-bit alignment.
 * This function uses floating-point rounding (see set_fpu_cw()).
 */
-void PQCLEAN_FALCON1024PADDED_AARCH64_sign_dyn(int16_t *sig, inner_shake256_context *rng,
+void PQCLEAN_FALCONPADDED1024_AARCH64_sign_dyn(int16_t *sig, inner_shake256_context *rng,
 const int8_t *restrict f, const int8_t *restrict g,
 const int8_t *restrict F, const int8_t *restrict G,
 const uint16_t *hm, uint8_t *tmp);
@@ -816,9 +816,9 @@ typedef struct {
 fpr sigma_min;
 } sampler_context;

-int PQCLEAN_FALCON1024PADDED_AARCH64_sampler(void *ctx, fpr mu, fpr isigma);
+int PQCLEAN_FALCONPADDED1024_AARCH64_sampler(void *ctx, fpr mu, fpr isigma);

-int PQCLEAN_FALCON1024PADDED_AARCH64_gaussian0_sampler(prng *p);
+int PQCLEAN_FALCONPADDED1024_AARCH64_gaussian0_sampler(prng *p);

 /* ==================================================================== */

diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/keygen.c b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/keygen.c
similarity index 97%
rename from Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/keygen.c
rename to Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/keygen.c
index 7432a13b..d023e58c 100644
--- a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/keygen.c
+++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/keygen.c
@@ -3036,11 +3036,11 @@ solve_NTRU_intermediate(unsigned logn_top,
 * Compute 1/(f*adj(f)+g*adj(g)) in rt5. We also keep adj(f)
 * and adj(g) in rt3 and rt4, respectively.
 */
- PQCLEAN_FALCON1024PADDED_AARCH64_FFT(rt3, logn);
- PQCLEAN_FALCON1024PADDED_AARCH64_poly_adj_fft(rt3, rt3, logn);
- PQCLEAN_FALCON1024PADDED_AARCH64_FFT(rt4, logn);
- PQCLEAN_FALCON1024PADDED_AARCH64_poly_adj_fft(rt4, rt4, logn);
- PQCLEAN_FALCON1024PADDED_AARCH64_poly_invnorm2_fft(rt5, rt3, rt4, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_FFT(rt3, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_poly_adj_fft(rt3, rt3, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_FFT(rt4, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_poly_adj_fft(rt4, rt4, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_poly_invnorm2_fft(rt5, rt3, rt4, logn);

 /*
 * Reduce F and G repeatedly.
@@ -3096,13 +3096,13 @@ solve_NTRU_intermediate(unsigned logn_top,
 /*
 * Compute (F*adj(f)+G*adj(g))/(f*adj(f)+g*adj(g)) in rt2.
 */
- PQCLEAN_FALCON1024PADDED_AARCH64_FFT(rt1, logn);
- PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_fft(rt1, rt1, rt3, logn);
- PQCLEAN_FALCON1024PADDED_AARCH64_FFT(rt2, logn);
- PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_fft(rt2, rt2, rt4, logn);
- PQCLEAN_FALCON1024PADDED_AARCH64_poly_add(rt2, rt2, rt1, logn);
- PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_autoadj_fft(rt2, rt2, rt5, logn);
- PQCLEAN_FALCON1024PADDED_AARCH64_iFFT(rt2, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_FFT(rt1, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_fft(rt1, rt1, rt3, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_FFT(rt2, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_fft(rt2, rt2, rt4, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_poly_add(rt2, rt2, rt1, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_autoadj_fft(rt2, rt2, rt5, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_iFFT(rt2, logn);

 /*
 * (f,g) are scaled by 'scale_fg', meaning that the
@@ -3552,10 +3552,10 @@ solve_NTRU_binary_depth1(unsigned logn_top,
 * rt4 = g
 * in that order in RAM. We convert all of them to FFT.
 */
- PQCLEAN_FALCON1024PADDED_AARCH64_FFT(rt1, logn);
- PQCLEAN_FALCON1024PADDED_AARCH64_FFT(rt2, logn);
- PQCLEAN_FALCON1024PADDED_AARCH64_FFT(rt3, logn);
- PQCLEAN_FALCON1024PADDED_AARCH64_FFT(rt4, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_FFT(rt1, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_FFT(rt2, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_FFT(rt3, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_FFT(rt4, logn);

 /*
 * Compute:
@@ -3563,14 +3563,14 @@ solve_NTRU_binary_depth1(unsigned logn_top,
 * rt6 = 1 / (f*adj(f) + g*adj(g))
 * (Note that rt6 is half-length.)
 */
- PQCLEAN_FALCON1024PADDED_AARCH64_poly_add_muladj_fft(rt5, rt1, rt2, rt3, rt4, logn);
- PQCLEAN_FALCON1024PADDED_AARCH64_poly_invnorm2_fft(rt6, rt3, rt4, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_poly_add_muladj_fft(rt5, rt1, rt2, rt3, rt4, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_poly_invnorm2_fft(rt6, rt3, rt4, logn);

 /*
 * Compute:
 * rt5 = (F*adj(f)+G*adj(g)) / (f*adj(f)+g*adj(g))
 */
- PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_autoadj_fft(rt5, rt5, rt6, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_autoadj_fft(rt5, rt5, rt6, logn);

 /*
 * Compute k as the rounded version of rt5. Check that none of
@@ -3579,7 +3579,7 @@ solve_NTRU_binary_depth1(unsigned logn_top,
 * note that any out-of-bounds value here implies a failure and
 * (f,g) will be discarded, so we can make a simple test.
 */
- PQCLEAN_FALCON1024PADDED_AARCH64_iFFT(rt5, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_iFFT(rt5, logn);
 for (u = 0; u < n; u ++) {
 fpr z;

@@ -3589,18 +3589,18 @@ solve_NTRU_binary_depth1(unsigned logn_top,
 }
 rt5[u] = fpr_of(fpr_rint(z));
 }
- PQCLEAN_FALCON1024PADDED_AARCH64_FFT(rt5, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_FFT(rt5, logn);

 /*
 * Subtract k*f from F, and k*g from G.
 */
- PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_fft(rt3, rt3, rt5, logn);
- PQCLEAN_FALCON1024PADDED_AARCH64_poly_sub(rt1, rt1, rt3, logn);
- PQCLEAN_FALCON1024PADDED_AARCH64_iFFT(rt1, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_fft(rt3, rt3, rt5, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_poly_sub(rt1, rt1, rt3, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_iFFT(rt1, logn);

- PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_fft(rt4, rt4, rt5, logn);
- PQCLEAN_FALCON1024PADDED_AARCH64_poly_sub(rt2, rt2, rt4, logn);
- PQCLEAN_FALCON1024PADDED_AARCH64_iFFT(rt2, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_fft(rt4, rt4, rt5, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_poly_sub(rt2, rt2, rt4, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_iFFT(rt2, logn);

 /*
 * Convert back F and G to integers, and return.
@@ -3819,7 +3819,7 @@ solve_NTRU_binary_depth0(unsigned logn,
 for (u = 0; u < n; u ++) {
 rt3[u] = fpr_of(((int32_t *)t2)[u]);
 }
- PQCLEAN_FALCON1024PADDED_AARCH64_FFT(rt3, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_FFT(rt3, logn);
 rt2 = align_fpr(tmp, t2);
 memmove(rt2, rt3, hn * sizeof * rt3);

@@ -3830,14 +3830,14 @@ solve_NTRU_binary_depth0(unsigned logn,
 for (u = 0; u < n; u ++) {
 rt3[u] = fpr_of(((int32_t *)t1)[u]);
 }
- PQCLEAN_FALCON1024PADDED_AARCH64_FFT(rt3, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_FFT(rt3, logn);

 /*
 * Compute (F*adj(f)+G*adj(g))/(f*adj(f)+g*adj(g)) and get
 * its rounded normal representation in t1.
 */
- PQCLEAN_FALCON1024PADDED_AARCH64_poly_div_autoadj_fft(rt3, rt3, rt2, logn);
- PQCLEAN_FALCON1024PADDED_AARCH64_iFFT(rt3, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_poly_div_autoadj_fft(rt3, rt3, rt2, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_iFFT(rt3, logn);
 for (u = 0; u < n; u ++) {
 t1[u] = modp_set((int32_t)fpr_rint(rt3[u]), p);
 }
@@ -4038,7 +4038,7 @@ poly_small_mkgauss(RNG_CONTEXT *rng, int8_t *f, unsigned logn) {

 /* see falcon.h */
 void
-PQCLEAN_FALCON1024PADDED_AARCH64_keygen(inner_shake256_context *rng,
+PQCLEAN_FALCONPADDED1024_AARCH64_keygen(inner_shake256_context *rng,
 int8_t *f, int8_t *g, int8_t *F, int8_t *G, uint16_t *h,
 unsigned logn, uint8_t *tmp) {
 /*
@@ -4107,7 +4107,7 @@ PQCLEAN_FALCON1024PADDED_AARCH64_keygen(inner_shake256_context *rng,
 * overwhelming probability; this guarantees that the
 * key will be encodable with FALCON_COMP_TRIM.
 */
- lim = 1 << (PQCLEAN_FALCON1024PADDED_AARCH64_max_fg_bits[logn] - 1);
+ lim = 1 << (PQCLEAN_FALCONPADDED1024_AARCH64_max_fg_bits[logn] - 1);
 for (u = 0; u < n; u ++) {
 /*
 * We can use non-CT tests since on any failure
@@ -4145,24 +4145,24 @@ PQCLEAN_FALCON1024PADDED_AARCH64_keygen(inner_shake256_context *rng,
 rt3 = rt2 + n;

 poly_small_to_fp(rt1, f, logn);
- PQCLEAN_FALCON1024PADDED_AARCH64_FFT(rt1, logn);
- PQCLEAN_FALCON1024PADDED_AARCH64_poly_adj_fft(rt1, rt1, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_FFT(rt1, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_poly_adj_fft(rt1, rt1, logn);

 poly_small_to_fp(rt2, g, logn);
- PQCLEAN_FALCON1024PADDED_AARCH64_FFT(rt2, logn);
- PQCLEAN_FALCON1024PADDED_AARCH64_poly_adj_fft(rt2, rt2, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_FFT(rt2, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_poly_adj_fft(rt2, rt2, logn);

- PQCLEAN_FALCON1024PADDED_AARCH64_poly_invnorm2_fft(rt3, rt1, rt2, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_poly_invnorm2_fft(rt3, rt1, rt2, logn);

- PQCLEAN_FALCON1024PADDED_AARCH64_poly_mulconst(rt1, rt1, fpr_q, logn);
- PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_autoadj_fft(rt1, rt1, rt3, logn);
- PQCLEAN_FALCON1024PADDED_AARCH64_iFFT(rt1, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_poly_mulconst(rt1, rt1, fpr_q, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_autoadj_fft(rt1, rt1, rt3, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_iFFT(rt1, logn);

- PQCLEAN_FALCON1024PADDED_AARCH64_poly_mulconst(rt2, rt2, fpr_q, logn);
- PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_autoadj_fft(rt2, rt2, rt3, logn);
- PQCLEAN_FALCON1024PADDED_AARCH64_iFFT(rt2, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_poly_mulconst(rt2, rt2, fpr_q, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_autoadj_fft(rt2, rt2, rt3, logn);
+ PQCLEAN_FALCONPADDED1024_AARCH64_iFFT(rt2, logn);

- bnorm = PQCLEAN_FALCON1024PADDED_AARCH64_compute_bnorm(rt1, rt2);
+ bnorm = PQCLEAN_FALCONPADDED1024_AARCH64_compute_bnorm(rt1, rt2);
 if (!fpr_lt(bnorm, fpr_bnorm_max)) {
 continue;
@@ -4180,14 +4180,14 @@ PQCLEAN_FALCON1024PADDED_AARCH64_keygen(inner_shake256_context *rng,
 tmp2 = (int16_t *)tmp;
 }

- if (!PQCLEAN_FALCON1024PADDED_AARCH64_compute_public(h2, f, g, tmp2)) {
+ if (!PQCLEAN_FALCONPADDED1024_AARCH64_compute_public(h2, f, g, tmp2)) {
 continue;
 }

 /*
 * Solve the NTRU equation to get F and G.
 */
- lim = (1 << (PQCLEAN_FALCON1024PADDED_AARCH64_max_FG_bits[logn] - 1)) - 1;
+ lim = (1 << (PQCLEAN_FALCONPADDED1024_AARCH64_max_FG_bits[logn] - 1)) - 1;
 if (!solve_NTRU(logn, F, G, f, g, lim, (uint32_t *)tmp)) {
 continue;
 }
diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/macrof.h b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/macrof.h
similarity index 100%
rename from Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/macrof.h
rename to Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/macrof.h
diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/macrofx4.h b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/macrofx4.h
similarity index 100%
rename from Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/macrofx4.h
rename to Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/macrofx4.h
diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/macrous.h b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/macrous.h
similarity index 100%
rename from Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/macrous.h
rename to Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/macrous.h
diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/ntt.c b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/ntt.c
similarity index 98%
rename from Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/ntt.c
rename to Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/ntt.c
index de6354f8..7007cf24 100644
--- a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/ntt.c
+++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/ntt.c
@@ -28,16 +28,16 @@
 * Assume Input in the range [-Q/2, Q/2]
 * Total Barrett point for N = 512, 1024: 2048, 4096
 */
-void PQCLEAN_FALCON1024PADDED_AARCH64_poly_ntt(int16_t a[FALCON_N], ntt_domain_t mont) {
+void PQCLEAN_FALCONPADDED1024_AARCH64_poly_ntt(int16_t a[FALCON_N], ntt_domain_t mont) {
 // Total SIMD registers 29 = 16 + 12 + 1
 int16x8x4_t v0, v1, v2, v3; // 16
 int16x8x4_t zl, zh, t, t2; // 12
 int16x8x2_t zlh, zhh; // 4
 int16x8_t neon_qmvq; // 1
- const int16_t *ptr_ntt_br = PQCLEAN_FALCON1024PADDED_AARCH64_ntt_br;
- const int16_t *ptr_ntt_qinv_br = PQCLEAN_FALCON1024PADDED_AARCH64_ntt_qinv_br;
+ const int16_t *ptr_ntt_br = PQCLEAN_FALCONPADDED1024_AARCH64_ntt_br;
+ const int16_t *ptr_ntt_qinv_br = PQCLEAN_FALCONPADDED1024_AARCH64_ntt_qinv_br;

- neon_qmvq = vld1q_s16(PQCLEAN_FALCON1024PADDED_AARCH64_qmvq);
+ neon_qmvq = vld1q_s16(PQCLEAN_FALCONPADDED1024_AARCH64_qmvq);
 zl.val[0] = vld1q_s16(ptr_ntt_br);
 zh.val[0] = vld1q_s16(ptr_ntt_qinv_br);
 ptr_ntt_br += 8;
@@ -413,16 +413,16 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_ntt(int16_t a[FALCON_N], ntt_domain_t
 * Assume input in range [-Q, Q]
 * Total Barrett point N = 512, 1024: 1792, 3840
 */
-void PQCLEAN_FALCON1024PADDED_AARCH64_poly_invntt(int16_t a[FALCON_N], invntt_domain_t ninv) {
+void PQCLEAN_FALCONPADDED1024_AARCH64_poly_invntt(int16_t a[FALCON_N], invntt_domain_t ninv) {
 // Total SIMD registers: 29 = 16 + 12 + 1
 int16x8x4_t v0, v1, v2, v3; // 16
 int16x8x4_t zl, zh, t, t2; // 12
 int16x8x2_t zlh, zhh; // 4
 int16x8_t neon_qmvq; // 1
- const int16_t *ptr_invntt_br = PQCLEAN_FALCON1024PADDED_AARCH64_invntt_br;
- const int16_t *ptr_invntt_qinv_br = PQCLEAN_FALCON1024PADDED_AARCH64_invntt_qinv_br;
+ const int16_t *ptr_invntt_br = PQCLEAN_FALCONPADDED1024_AARCH64_invntt_br;
+ const int16_t *ptr_invntt_qinv_br = PQCLEAN_FALCONPADDED1024_AARCH64_invntt_qinv_br;

- neon_qmvq = vld1q_s16(PQCLEAN_FALCON1024PADDED_AARCH64_qmvq);
+ neon_qmvq = vld1q_s16(PQCLEAN_FALCONPADDED1024_AARCH64_qmvq);
 unsigned j;
 // Layer 0, 1, 2, 3, 4, 5, 6
@@ -906,11 +906,11 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_invntt(int16_t a[FALCON_N], invntt_do
 }
 }

-void PQCLEAN_FALCON1024PADDED_AARCH64_poly_montmul_ntt(int16_t f[FALCON_N], const int16_t g[FALCON_N]) {
+void PQCLEAN_FALCONPADDED1024_AARCH64_poly_montmul_ntt(int16_t f[FALCON_N], const int16_t g[FALCON_N]) {
 // Total SIMD registers: 29 = 28 + 1
 int16x8x4_t a, b, c, d, e1, e2, t, k; // 28
 int16x8_t neon_qmvm; // 1
- neon_qmvm = vld1q_s16(PQCLEAN_FALCON1024PADDED_AARCH64_qmvq);
+ neon_qmvm = vld1q_s16(PQCLEAN_FALCONPADDED1024_AARCH64_qmvq);

 for (unsigned i = 0; i < FALCON_N; i += 64) {
 vload_s16_x4(a, &f[i]);
diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/ntt_consts.c b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/ntt_consts.c
similarity index 99%
rename from Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/ntt_consts.c
rename to Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/ntt_consts.c
index a80f808a..f6dbf117 100644
--- a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/ntt_consts.c
+++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/ntt_consts.c
@@ -3,13 +3,13 @@

 #define PADDING 0

-const int16_t PQCLEAN_FALCON1024PADDED_AARCH64_qmvq[8] = {FALCON_Q, FALCON_QINV,
+const int16_t PQCLEAN_FALCONPADDED1024_AARCH64_qmvq[8] = {FALCON_Q, FALCON_QINV,
 FALCON_MONT, FALCON_NINV_MONT, FALCON_V, 0, FALCON_MONT_BR, FALCON_NINV_MONT_BR
 };

-const int16_t PQCLEAN_FALCON1024PADDED_AARCH64_ntt_br[] = {
+const int16_t PQCLEAN_FALCONPADDED1024_AARCH64_ntt_br[] = {
 PADDING, -1479, -5146, 4043, -1305, 722, 5736, -4134,
 3542, -4821, 2639, 2319, -1170, -955, -790, 1260,
 4388, 4632, -5755, 2426, 334, 1428, 1696, PADDING,
@@ -189,7 +189,7 @@ const int16_t PQCLEAN_FALCON1024PADDED_AARCH64_ntt_br[] = {
 1255, 5784, -3338, -2674, -3408, 1165, -1178, 3511,
 }; // 1024->1416

-const int16_t PQCLEAN_FALCON1024PADDED_AARCH64_ntt_qinv_br[] = {
+const int16_t PQCLEAN_FALCONPADDED1024_AARCH64_ntt_qinv_br[] = {
 PADDING, -3943, -13721, 10780, -3479, 1925, 15294, -11023,
 9444, -12854, 7036, 6183, -3119, -2546, -2106, 3359,
 11700, 12350, -15345, 6468, 890, 3807, 4522, PADDING,
@@ -369,7 +369,7 @@ const int16_t PQCLEAN_FALCON1024PADDED_AARCH64_ntt_qinv_br[] = {
 3346, 15422, -8900, -7130, -9087, 3106, -3141, 9361,
 }; // 1416

-const int16_t PQCLEAN_FALCON1024PADDED_AARCH64_invntt_br[] = {
+const int16_t PQCLEAN_FALCONPADDED1024_AARCH64_invntt_br[] = {
 -3511, 1178, -1165, 3408, 2674, 3338, -5784, -1255,
 -193, 6092, 923, 4167, 392, 425, -1620, -377,
 -5163, -5002, 2151, 4119, -338, 2455, 3654, -1744,
@@ -550,7 +550,7 @@ const int16_t PQCLEAN_FALCON1024PADDED_AARCH64_invntt_br[] = {
 4134, -5736, -722, 1305, -4043, 5146, 6830, 12277, // ninv=1
 }; // 1424

-const int16_t PQCLEAN_FALCON1024PADDED_AARCH64_invntt_qinv_br[] = {
+const int16_t PQCLEAN_FALCONPADDED1024_AARCH64_invntt_qinv_br[] = {
 -9361, 3141, -3106, 9087, 7130, 8900, -15422, -3346,
 -514, 16244, 2461, 11111, 1045, 1133, -4319, -1005,
 -13766, -13337, 5735, 10983, -901, 6546, 9743, -4650,
diff --git a/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/ntt_consts.h b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/ntt_consts.h
new file mode 100644
index 00000000..f04568d7
--- /dev/null
+++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/ntt_consts.h
@@ -0,0 +1,23 @@
+#ifndef NTT_CONSTS
+#define NTT_CONSTS
+
+#include
+
+extern const int16_t PQCLEAN_FALCONPADDED1024_AARCH64_qmvq[8];
+
+/*
+ * Table for NTT, binary case:
+ * where g = 7 (it is a 2048-th primitive root of 1 modulo q)
+ */
+extern const int16_t PQCLEAN_FALCONPADDED1024_AARCH64_ntt_br[];
+extern const int16_t PQCLEAN_FALCONPADDED1024_AARCH64_ntt_qinv_br[];
+
+/*
+ * Table for inverse NTT
+ * Since g = 7, 1/g = 8778 mod 12289.
+ */
+
+extern const int16_t PQCLEAN_FALCONPADDED1024_AARCH64_invntt_br[];
+extern const int16_t PQCLEAN_FALCONPADDED1024_AARCH64_invntt_qinv_br[];
+
+#endif
diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/params.h b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/params.h
similarity index 100%
rename from Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/params.h
rename to Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/params.h
diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/poly.h b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/poly.h
similarity index 51%
rename from Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/poly.h
rename to Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/poly.h
index 6789ce9e..2d750974 100644
--- a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/poly.h
+++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/poly.h
@@ -15,28 +15,28 @@ typedef enum invntt_domain {
 INVNTT_NINV = 1,
 } invntt_domain_t;

-void PQCLEAN_FALCON1024PADDED_AARCH64_poly_ntt(int16_t a[FALCON_N], ntt_domain_t mont);
+void PQCLEAN_FALCONPADDED1024_AARCH64_poly_ntt(int16_t a[FALCON_N], ntt_domain_t mont);

-void PQCLEAN_FALCON1024PADDED_AARCH64_poly_invntt(int16_t a[FALCON_N], invntt_domain_t ninv);
+void PQCLEAN_FALCONPADDED1024_AARCH64_poly_invntt(int16_t a[FALCON_N], invntt_domain_t ninv);

-void PQCLEAN_FALCON1024PADDED_AARCH64_poly_int8_to_int16(int16_t out[FALCON_N], const int8_t in[FALCON_N]);
+void PQCLEAN_FALCONPADDED1024_AARCH64_poly_int8_to_int16(int16_t out[FALCON_N], const int8_t in[FALCON_N]);

-void PQCLEAN_FALCON1024PADDED_AARCH64_poly_div_12289(int16_t f[FALCON_N], const int16_t g[FALCON_N]);
+void PQCLEAN_FALCONPADDED1024_AARCH64_poly_div_12289(int16_t f[FALCON_N], const int16_t g[FALCON_N]);

-void PQCLEAN_FALCON1024PADDED_AARCH64_poly_convert_to_unsigned(int16_t f[FALCON_N]);
+void PQCLEAN_FALCONPADDED1024_AARCH64_poly_convert_to_unsigned(int16_t f[FALCON_N]);

-uint16_t PQCLEAN_FALCON1024PADDED_AARCH64_poly_compare_with_zero(int16_t f[FALCON_N]);
+uint16_t PQCLEAN_FALCONPADDED1024_AARCH64_poly_compare_with_zero(int16_t f[FALCON_N]);

-void PQCLEAN_FALCON1024PADDED_AARCH64_poly_montmul_ntt(int16_t f[FALCON_N], const int16_t g[FALCON_N]);
+void PQCLEAN_FALCONPADDED1024_AARCH64_poly_montmul_ntt(int16_t f[FALCON_N], const int16_t g[FALCON_N]);

-void PQCLEAN_FALCON1024PADDED_AARCH64_poly_sub_barrett(int16_t f[FALCON_N], const int16_t g[FALCON_N], const int16_t s[FALCON_N]);
+void PQCLEAN_FALCONPADDED1024_AARCH64_poly_sub_barrett(int16_t f[FALCON_N], const int16_t g[FALCON_N], const int16_t s[FALCON_N]);

-int PQCLEAN_FALCON1024PADDED_AARCH64_poly_int16_to_int8(int8_t G[FALCON_N], const int16_t t[FALCON_N]);
+int PQCLEAN_FALCONPADDED1024_AARCH64_poly_int16_to_int8(int8_t G[FALCON_N], const int16_t t[FALCON_N]);

-int PQCLEAN_FALCON1024PADDED_AARCH64_poly_check_bound_int8(const int8_t t[FALCON_N],
+int
PQCLEAN_FALCONPADDED1024_AARCH64_poly_check_bound_int8(const int8_t t[FALCON_N],
 const int8_t low, const int8_t high);

-int PQCLEAN_FALCON1024PADDED_AARCH64_poly_check_bound_int16(const int16_t t[FALCON_N],
+int PQCLEAN_FALCONPADDED1024_AARCH64_poly_check_bound_int16(const int16_t t[FALCON_N],
 const int16_t low, const int16_t high);

 #endif
diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/poly_float.c b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/poly_float.c
similarity index 94%
rename from Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/poly_float.c
rename to Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/poly_float.c
index 1ce493d6..10a302cf 100644
--- a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/poly_float.c
+++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/poly_float.c
@@ -24,7 +24,7 @@
 #include "macrofx4.h"

 /* see inner.h */
-void PQCLEAN_FALCON1024PADDED_AARCH64_poly_add(fpr *c, const fpr *restrict a,
+void PQCLEAN_FALCONPADDED1024_AARCH64_poly_add(fpr *c, const fpr *restrict a,
 const fpr *restrict b, unsigned logn) {
 float64x2x4_t neon_a, neon_b, neon_c;
 float64x2x2_t neon_a2, neon_b2, neon_c2;
@@ -68,7 +68,7 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_add(fpr *c, const fpr *restrict a,
 /*
 * c = a - b
 */
-void PQCLEAN_FALCON1024PADDED_AARCH64_poly_sub(fpr *c, const fpr *restrict a,
+void PQCLEAN_FALCONPADDED1024_AARCH64_poly_sub(fpr *c, const fpr *restrict a,
 const fpr *restrict b, unsigned logn) {
 float64x2x4_t neon_a, neon_b, neon_c;
 float64x2x2_t neon_a2, neon_b2, neon_c2;
@@ -110,7 +110,7 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_sub(fpr *c, const fpr *restrict a,
 /*
 * c = -a
 */
-void PQCLEAN_FALCON1024PADDED_AARCH64_poly_neg(fpr *c, const fpr *restrict a,
+void PQCLEAN_FALCONPADDED1024_AARCH64_poly_neg(fpr *c, const fpr *restrict a,
 unsigned logn) {
 float64x2x4_t neon_a, neon_c;
 float64x2x2_t neon_a2, neon_c2;
@@ -147,7 +147,7 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_neg(fpr *c, const fpr *restrict a, } /* see inner.h */ -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_adj_fft(fpr *c, const fpr *restrict a, +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_adj_fft(fpr *c, const fpr *restrict a, unsigned logn) { float64x2x4_t neon_a, neon_c; @@ -188,7 +188,7 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_adj_fft(fpr *c, const fpr *restrict a } } -static inline void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_fft_log1( +static inline void PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_fft_log1( fpr *restrict c, const fpr *restrict a, const fpr *restrict b) { fpr a_re, a_im, b_re, b_im, c_re, c_im; @@ -204,7 +204,7 @@ static inline void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_fft_log1( c[1] = c_im; } -static inline void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_fft_log2( +static inline void PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_fft_log2( fpr *restrict c, const fpr *restrict a, const fpr *restrict b) { // n = 4 float64x2x2_t neon_a, neon_b, neon_c; @@ -228,7 +228,7 @@ static inline void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_fft_log2( vstorex2(&c[0], neon_c); } -static inline void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_fft_log3( +static inline void PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_fft_log3( fpr *restrict c, const fpr *restrict a, const fpr *restrict b) { // n = 8 float64x2x4_t neon_a, neon_b, neon_c; @@ -261,7 +261,7 @@ static inline void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_fft_log3( /* * c = a * b */ -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_fft(fpr *c, const fpr *a, +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_fft(fpr *c, const fpr *a, const fpr *restrict b, unsigned logn) { // Total 32 registers 
@@ -271,15 +271,15 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_fft(fpr *c, const fpr *a, const unsigned hn = falcon_n >> 1; switch (logn) { case 1: - PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_fft_log1(c, a, b); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_fft_log1(c, a, b); break; case 2: - PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_fft_log2(c, a, b); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_fft_log2(c, a, b); break; case 3: - PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_fft_log3(c, a, b); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_fft_log3(c, a, b); break; default: @@ -298,7 +298,7 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_fft(fpr *c, const fpr *a, } } -static inline void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_fft_add_log1( +static inline void PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_fft_add_log1( fpr *restrict c, const fpr *restrict d, const fpr *restrict a, const fpr *restrict b) { fpr a_re, a_im, b_re, b_im, c_re, c_im, d_re, d_im; @@ -318,7 +318,7 @@ static inline void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_fft_add_log1( } -static inline void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_fft_add_log2( +static inline void PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_fft_add_log2( fpr *restrict c, const fpr *restrict d, const fpr *restrict a, const fpr *restrict b) { // n = 4 @@ -346,7 +346,7 @@ static inline void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_fft_add_log2( vstorex2(&c[0], neon_d); } -static inline void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_fft_add_log3( +static inline void PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_fft_add_log3( fpr *restrict c, const fpr *restrict d, const fpr *restrict a, const fpr *restrict b) { // n = 8 
@@ -386,7 +386,7 @@ static inline void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_fft_add_log3( /* * c = d + a * b */ -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_add_fft(fpr *c, const fpr *restrict d, +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_add_fft(fpr *c, const fpr *restrict d, const fpr *a, const fpr *restrict b, unsigned logn) { @@ -396,15 +396,15 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_add_fft(fpr *c, const fpr *restri const unsigned hn = falcon_n >> 1; switch (logn) { case 1: - PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_fft_add_log1(c, d, a, b); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_fft_add_log1(c, d, a, b); break; case 2: - PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_fft_add_log2(c, d, a, b); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_fft_add_log2(c, d, a, b); break; case 3: - PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_fft_add_log3(c, d, a, b); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_fft_add_log3(c, d, a, b); break; default: @@ -426,7 +426,7 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_add_fft(fpr *c, const fpr *restri } /* see inner.h */ -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_muladj_fft(fpr *d, fpr *a, +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_muladj_fft(fpr *d, fpr *a, const fpr *restrict b, unsigned logn) { @@ -447,7 +447,7 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_muladj_fft(fpr *d, fpr *a, } // c = d + a*b -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_muladj_add_fft(fpr *c, fpr *d, const fpr *a, +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_muladj_add_fft(fpr *c, fpr *d, const fpr *a, const fpr *restrict b, unsigned logn) { @@ -473,7 +473,7 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_muladj_add_fft(fpr *c, fpr *d, const /* * c = a * adj(a) */ -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mulselfadj_fft(fpr *c, +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_mulselfadj_fft(fpr *c, const fpr *restrict a, unsigned logn) { 
@@ -508,7 +508,7 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mulselfadj_fft(fpr *c, /* * c = d + a * adj(a) */ -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mulselfadj_add_fft(fpr *c, +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_mulselfadj_add_fft(fpr *c, const fpr *restrict d, const fpr *restrict a, unsigned logn) { @@ -543,7 +543,7 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mulselfadj_add_fft(fpr *c, /* * c = a * scalar_x */ -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mulconst(fpr *c, const fpr *a, const fpr x, +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_mulconst(fpr *c, const fpr *a, const fpr x, unsigned logn) { // assert(logn >= 3); // Total SIMD registers: 9 @@ -564,7 +564,7 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mulconst(fpr *c, const fpr *a, const * Unused in the implementation */ -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_div_fft(fpr *restrict c, +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_div_fft(fpr *restrict c, const fpr *restrict a, const fpr *restrict b, unsigned logn) { @@ -598,7 +598,7 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_div_fft(fpr *restrict c, } /* see inner.h */ -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_invnorm2_fft(fpr *restrict d, +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_invnorm2_fft(fpr *restrict d, const fpr *restrict a, const fpr *restrict b, unsigned logn) { @@ -697,7 +697,7 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_invnorm2_fft(fpr *restrict d, } /* see inner.h */ -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_add_muladj_fft( +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_add_muladj_fft( fpr *restrict d, const fpr *restrict F, const fpr *restrict G, const fpr *restrict f, const fpr *restrict g, unsigned logn) { 
@@ -729,7 +729,7 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_add_muladj_fft( } /* see inner.h */ -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_autoadj_fft(fpr *c, const fpr *a, +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_autoadj_fft(fpr *c, const fpr *a, const fpr *restrict b, unsigned logn) { const unsigned falcon_n = 1 << logn; @@ -781,7 +781,7 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_autoadj_fft(fpr *c, const fpr *a, } /* see inner.h */ -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_div_autoadj_fft(fpr *c, const fpr *a, +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_div_autoadj_fft(fpr *c, const fpr *a, const fpr *restrict b, unsigned logn) { const unsigned falcon_n = 1 << logn; @@ -803,7 +803,7 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_div_autoadj_fft(fpr *c, const fpr *a, } } -static inline void PQCLEAN_FALCON1024PADDED_AARCH64_poly_LDL_fft_log1( +static inline void PQCLEAN_FALCONPADDED1024_AARCH64_poly_LDL_fft_log1( const fpr *restrict g00, fpr *restrict g01, fpr *restrict g11) { float64x2x4_t g00_re, g01_re, g11_re; float64x2x4_t mu_re, m; @@ -851,7 +851,7 @@ static inline void PQCLEAN_FALCON1024PADDED_AARCH64_poly_LDL_fft_log1( vstore(&g01[0], mu_re.val[0]); } -static inline void PQCLEAN_FALCON1024PADDED_AARCH64_poly_LDL_fft_log2( +static inline void PQCLEAN_FALCONPADDED1024_AARCH64_poly_LDL_fft_log2( const fpr *restrict g00, fpr *restrict g01, fpr *restrict g11) { float64x2x4_t g00_re, g00_im, g01_re, g01_im, g11_re, g11_im; float64x2x4_t mu_re, mu_im, m, d_re, d_im; @@ -899,7 +899,7 @@ static inline void PQCLEAN_FALCON1024PADDED_AARCH64_poly_LDL_fft_log2( vstorex2(&g01[0], tmp); } -static inline void PQCLEAN_FALCON1024PADDED_AARCH64_poly_LDL_fft_log3( +static inline void PQCLEAN_FALCONPADDED1024_AARCH64_poly_LDL_fft_log3( const fpr *restrict g00, fpr *restrict g01, fpr *restrict g11) { float64x2x4_t g00_re, g00_im, g01_re, g01_im, g11_re; float64x2x4_t mu_re, mu_im, m, d_re; 
@@ -960,7 +960,7 @@ static inline void PQCLEAN_FALCON1024PADDED_AARCH64_poly_LDL_fft_log3( } /* see inner.h */ -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_LDL_fft(const fpr *restrict g00, +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_LDL_fft(const fpr *restrict g00, fpr *restrict g01, fpr *restrict g11, unsigned logn) { const unsigned falcon_n = 1 << logn; @@ -970,17 +970,17 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_LDL_fft(const fpr *restrict g00, switch (logn) { case 1: - PQCLEAN_FALCON1024PADDED_AARCH64_poly_LDL_fft_log1(g00, g01, g11); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_LDL_fft_log1(g00, g01, g11); break; case 2: - PQCLEAN_FALCON1024PADDED_AARCH64_poly_LDL_fft_log2(g00, g01, g11); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_LDL_fft_log2(g00, g01, g11); break; case 3: - PQCLEAN_FALCON1024PADDED_AARCH64_poly_LDL_fft_log3(g00, g01, g11); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_LDL_fft_log3(g00, g01, g11); break; @@ -1068,7 +1068,7 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_LDL_fft(const fpr *restrict g00, } } -static inline void PQCLEAN_FALCON1024PADDED_AARCH64_poly_LDLmv_fft_log1( +static inline void PQCLEAN_FALCONPADDED1024_AARCH64_poly_LDLmv_fft_log1( fpr *restrict d11, fpr *restrict l10, const fpr *restrict g00, const fpr *restrict g01, const fpr *restrict g11) { float64x2x4_t g00_re, g01_re, g11_re; @@ -1117,7 +1117,7 @@ static inline void PQCLEAN_FALCON1024PADDED_AARCH64_poly_LDLmv_fft_log1( vstore(&l10[0], mu_re.val[0]); } -static inline void PQCLEAN_FALCON1024PADDED_AARCH64_poly_LDLmv_fft_log2( +static inline void PQCLEAN_FALCONPADDED1024_AARCH64_poly_LDLmv_fft_log2( fpr *restrict d11, fpr *restrict l10, const fpr *restrict g00, const fpr *restrict g01, const fpr *restrict g11) { float64x2x4_t g00_re, g00_im, g01_re, g01_im, g11_re, g11_im; 
@@ -1166,7 +1166,7 @@ static inline void PQCLEAN_FALCON1024PADDED_AARCH64_poly_LDLmv_fft_log2( vstorex2(&l10[0], tmp); } -static inline void PQCLEAN_FALCON1024PADDED_AARCH64_poly_LDLmv_fft_log3( +static inline void PQCLEAN_FALCONPADDED1024_AARCH64_poly_LDLmv_fft_log3( fpr *restrict d11, fpr *restrict l10, const fpr *restrict g00, const fpr *restrict g01, const fpr *restrict g11) { float64x2x4_t g00_re, g00_im, g01_re, g01_im, g11_re; @@ -1227,7 +1227,7 @@ static inline void PQCLEAN_FALCON1024PADDED_AARCH64_poly_LDLmv_fft_log3( vstorex4(&l10[0], mu_re); } -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_LDLmv_fft( +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_LDLmv_fft( fpr *restrict d11, fpr *restrict l10, const fpr *restrict g00, const fpr *restrict g01, const fpr *restrict g11, unsigned logn) { @@ -1238,15 +1238,15 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_LDLmv_fft( switch (logn) { case 1: - PQCLEAN_FALCON1024PADDED_AARCH64_poly_LDLmv_fft_log1(d11, l10, g00, g01, g11); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_LDLmv_fft_log1(d11, l10, g00, g01, g11); break; case 2: - PQCLEAN_FALCON1024PADDED_AARCH64_poly_LDLmv_fft_log2(d11, l10, g00, g01, g11); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_LDLmv_fft_log2(d11, l10, g00, g01, g11); break; case 3: - PQCLEAN_FALCON1024PADDED_AARCH64_poly_LDLmv_fft_log3(d11, l10, g00, g01, g11); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_LDLmv_fft_log3(d11, l10, g00, g01, g11); break; default: @@ -1333,7 +1333,7 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_LDLmv_fft( } } -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_fpr_of_s16(fpr *t0, const uint16_t *hm, +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_fpr_of_s16(fpr *t0, const uint16_t *hm, const unsigned falcon_n) { float64x2x4_t neon_t0; uint16x8x4_t neon_hm; 
@@ -1403,7 +1403,7 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_fpr_of_s16(fpr *t0, const uint16_t *h } } -fpr PQCLEAN_FALCON1024PADDED_AARCH64_compute_bnorm(const fpr *rt1, const fpr *rt2) { +fpr PQCLEAN_FALCONPADDED1024_AARCH64_compute_bnorm(const fpr *rt1, const fpr *rt2) { float64x2x4_t r1, r11, r2, r22; float64x2x4_t bnorm, bnorm2; diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/poly_int.c b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/poly_int.c similarity index 96% rename from Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/poly_int.c rename to Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/poly_int.c index 55fc5034..d9a35397 100644 --- a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/poly_int.c +++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/poly_int.c @@ -25,7 +25,7 @@ #include "poly.h" #include "ntt_consts.h" -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_int8_to_int16(int16_t out[FALCON_N], const int8_t in[FALCON_N]) { +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_int8_to_int16(int16_t out[FALCON_N], const int8_t in[FALCON_N]) { // Total SIMD registers: 24 = 16 + 8 int16x8x4_t a, b, e, f; // 16 int8x16x4_t c, d; // 8 @@ -67,7 +67,7 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_int8_to_int16(int16_t out[FALCON_N], * See assembly https://godbolt.org/z/od3Ex7Mbx */ -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_div_12289(int16_t f[FALCON_N], const int16_t g[FALCON_N]) { +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_div_12289(int16_t f[FALCON_N], const int16_t g[FALCON_N]) { // Total SIMD registers: 24 = 4 + 19 + 1 int16x8x4_t src, dst, t, k; // 4 int16x8x4_t y0, y1, y2, y3, y4, y5, 
@@ -75,7 +75,7 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_div_12289(int16_t f[FALCON_N], const y13, y14, y15, y16, y17, y18; // 19 int16x8_t neon_qmvm; // 1 - neon_qmvm = vld1q_s16(PQCLEAN_FALCON1024PADDED_AARCH64_qmvq); + neon_qmvm = vld1q_s16(PQCLEAN_FALCONPADDED1024_AARCH64_qmvq); for (int i = 0; i < FALCON_N; i += 32) { // Find y0 = g^12287 @@ -113,11 +113,11 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_div_12289(int16_t f[FALCON_N], const /* * f = g - s */ -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_sub_barrett(int16_t f[FALCON_N], const int16_t g[FALCON_N], const int16_t s[FALCON_N]) { +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_sub_barrett(int16_t f[FALCON_N], const int16_t g[FALCON_N], const int16_t s[FALCON_N]) { // Total SIMD registers: 29 = 28 + 1 int16x8x4_t a, b, c, d, e, h, t; // 28 int16x8_t neon_qmvm; // 1 - neon_qmvm = vld1q_s16(PQCLEAN_FALCON1024PADDED_AARCH64_qmvq); + neon_qmvm = vld1q_s16(PQCLEAN_FALCONPADDED1024_AARCH64_qmvq); for (int i = 0; i < FALCON_N; i += 64) { vload_s16_x4(a, &g[i]); @@ -150,7 +150,7 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_sub_barrett(int16_t f[FALCON_N], cons * 1 if 0 in f[] * otherwise, 0 */ -uint16_t PQCLEAN_FALCON1024PADDED_AARCH64_poly_compare_with_zero(int16_t f[FALCON_N]) { +uint16_t PQCLEAN_FALCONPADDED1024_AARCH64_poly_compare_with_zero(int16_t f[FALCON_N]) { // Total SIMD registers: 22 = 12 + 8 + 2 int16x8x4_t a, b; // 8 uint16x8x4_t c, d, e1; // 12 @@ -197,7 +197,7 @@ uint16_t PQCLEAN_FALCON1024PADDED_AARCH64_poly_compare_with_zero(int16_t f[FALCO * Branchless conditional addtion with FALCON_Q if coeffcient is < 0 * If coefficient is larger than Q, it is subtracted with Q */ -void PQCLEAN_FALCON1024PADDED_AARCH64_poly_convert_to_unsigned(int16_t f[FALCON_N]) { +void PQCLEAN_FALCONPADDED1024_AARCH64_poly_convert_to_unsigned(int16_t f[FALCON_N]) { // Total SIMD registers: 26 = 8 + 16 + 1 + 1 uint16x8x4_t b0, b1; // 8 int16x8x4_t a0, a1, c0, c1; // 16 
@@ -270,7 +270,7 @@ void PQCLEAN_FALCON1024PADDED_AARCH64_poly_convert_to_unsigned(int16_t f[FALCON_ /* * Perform conditional subtraction with Q and compare with min, max = -127, 127 */ -int PQCLEAN_FALCON1024PADDED_AARCH64_poly_int16_to_int8(int8_t G[FALCON_N], const int16_t t[FALCON_N]) { +int PQCLEAN_FALCONPADDED1024_AARCH64_poly_int16_to_int8(int8_t G[FALCON_N], const int16_t t[FALCON_N]) { // Total SIMD registers: 32 int16x8x4_t a, f; // 8 int16x8x4_t d0, d1; // 8 @@ -404,7 +404,7 @@ int PQCLEAN_FALCON1024PADDED_AARCH64_poly_int16_to_int8(int8_t G[FALCON_N], cons * Return 1 if True * Otherwise 0 */ -int PQCLEAN_FALCON1024PADDED_AARCH64_poly_check_bound_int8(const int8_t t[FALCON_N], +int PQCLEAN_FALCONPADDED1024_AARCH64_poly_check_bound_int8(const int8_t t[FALCON_N], const int8_t low, const int8_t high) { // Total SIMD registers: 15 int8x16x4_t a; // 4 @@ -455,7 +455,7 @@ int PQCLEAN_FALCON1024PADDED_AARCH64_poly_check_bound_int8(const int8_t t[FALCON * Otherwise 0 * Work for FALCON_N >= 32, or FALCON_LOGN >= 5 */ -int PQCLEAN_FALCON1024PADDED_AARCH64_poly_check_bound_int16(const int16_t t[FALCON_N], +int PQCLEAN_FALCONPADDED1024_AARCH64_poly_check_bound_int16(const int16_t t[FALCON_N], const int16_t low, const int16_t high) { // Total SIMD registers = 15 int16x8x4_t a; // 4 diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/pqclean.c b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/pqclean.c similarity index 71% rename from Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/pqclean.c rename to Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/pqclean.c index 7b8cf5da..8cc75632 100644 --- a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/pqclean.c +++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/pqclean.c 
@@ -29,16 +29,16 @@ * header byte: 0011nnnn * nonce (r) 40 bytes * value (s) compressed format - * padding to PQCLEAN_FALCON1024PADDED_AARCH64_CRYPTO_BYTES bytes + * padding to PQCLEAN_FALCONPADDED1024_AARCH64_CRYPTO_BYTES bytes * * message + signature: - * signature PQCLEAN_FALCON1024PADDED_AARCH64_CRYPTO_BYTES bytes + * signature PQCLEAN_FALCONPADDED1024_AARCH64_CRYPTO_BYTES bytes * message */ /* see api.h */ int -PQCLEAN_FALCON1024PADDED_AARCH64_crypto_sign_keypair( +PQCLEAN_FALCONPADDED1024_AARCH64_crypto_sign_keypair( uint8_t *pk, uint8_t *sk) { union { uint8_t b[28 * FALCON_N]; @@ -58,7 +58,7 @@ PQCLEAN_FALCON1024PADDED_AARCH64_crypto_sign_keypair( inner_shake256_init(&rng); inner_shake256_inject(&rng, seed, sizeof seed); inner_shake256_flip(&rng); - PQCLEAN_FALCON1024PADDED_AARCH64_keygen(&rng, f, g, F, NULL, h, FALCON_LOGN, tmp.b); + PQCLEAN_FALCONPADDED1024_AARCH64_keygen(&rng, f, g, F, NULL, h, FALCON_LOGN, tmp.b); inner_shake256_ctx_release(&rng); /* 
@@ -66,28 +66,28 @@ PQCLEAN_FALCON1024PADDED_AARCH64_crypto_sign_keypair( */ sk[0] = 0x50 + FALCON_LOGN; u = 1; - v = PQCLEAN_FALCON1024PADDED_AARCH64_trim_i8_encode( - sk + u, PQCLEAN_FALCON1024PADDED_AARCH64_CRYPTO_SECRETKEYBYTES - u, - f, PQCLEAN_FALCON1024PADDED_AARCH64_max_fg_bits[FALCON_LOGN]); + v = PQCLEAN_FALCONPADDED1024_AARCH64_trim_i8_encode( + sk + u, PQCLEAN_FALCONPADDED1024_AARCH64_CRYPTO_SECRETKEYBYTES - u, + f, PQCLEAN_FALCONPADDED1024_AARCH64_max_fg_bits[FALCON_LOGN]); if (v == 0) { return -1; } u += v; - v = PQCLEAN_FALCON1024PADDED_AARCH64_trim_i8_encode( - sk + u, PQCLEAN_FALCON1024PADDED_AARCH64_CRYPTO_SECRETKEYBYTES - u, - g, PQCLEAN_FALCON1024PADDED_AARCH64_max_fg_bits[FALCON_LOGN]); + v = PQCLEAN_FALCONPADDED1024_AARCH64_trim_i8_encode( + sk + u, PQCLEAN_FALCONPADDED1024_AARCH64_CRYPTO_SECRETKEYBYTES - u, + g, PQCLEAN_FALCONPADDED1024_AARCH64_max_fg_bits[FALCON_LOGN]); if (v == 0) { return -1; } u += v; - v = PQCLEAN_FALCON1024PADDED_AARCH64_trim_i8_encode( - sk + u, PQCLEAN_FALCON1024PADDED_AARCH64_CRYPTO_SECRETKEYBYTES - u, - F, PQCLEAN_FALCON1024PADDED_AARCH64_max_FG_bits[FALCON_LOGN]); + v = PQCLEAN_FALCONPADDED1024_AARCH64_trim_i8_encode( + sk + u, PQCLEAN_FALCONPADDED1024_AARCH64_CRYPTO_SECRETKEYBYTES - u, + F, PQCLEAN_FALCONPADDED1024_AARCH64_max_FG_bits[FALCON_LOGN]); if (v == 0) { return -1; } u += v; - if (u != PQCLEAN_FALCON1024PADDED_AARCH64_CRYPTO_SECRETKEYBYTES) { + if (u != PQCLEAN_FALCONPADDED1024_AARCH64_CRYPTO_SECRETKEYBYTES) { return -1; } 
@@ -95,10 +95,10 @@ PQCLEAN_FALCON1024PADDED_AARCH64_crypto_sign_keypair( * Encode public key. */ pk[0] = 0x00 + FALCON_LOGN; - v = PQCLEAN_FALCON1024PADDED_AARCH64_modq_encode( - pk + 1, PQCLEAN_FALCON1024PADDED_AARCH64_CRYPTO_PUBLICKEYBYTES - 1, + v = PQCLEAN_FALCONPADDED1024_AARCH64_modq_encode( + pk + 1, PQCLEAN_FALCONPADDED1024_AARCH64_CRYPTO_PUBLICKEYBYTES - 1, h, FALCON_LOGN); - if (v != PQCLEAN_FALCON1024PADDED_AARCH64_CRYPTO_PUBLICKEYBYTES - 1) { + if (v != PQCLEAN_FALCONPADDED1024_AARCH64_CRYPTO_PUBLICKEYBYTES - 1) { return -1; } 
@@ -142,31 +142,31 @@ do_sign(uint8_t *nonce, uint8_t *sigbuf, size_t sigbuflen, return -1; } u = 1; - v = PQCLEAN_FALCON1024PADDED_AARCH64_trim_i8_decode( - f, PQCLEAN_FALCON1024PADDED_AARCH64_max_fg_bits[FALCON_LOGN], - sk + u, PQCLEAN_FALCON1024PADDED_AARCH64_CRYPTO_SECRETKEYBYTES - u); + v = PQCLEAN_FALCONPADDED1024_AARCH64_trim_i8_decode( + f, PQCLEAN_FALCONPADDED1024_AARCH64_max_fg_bits[FALCON_LOGN], + sk + u, PQCLEAN_FALCONPADDED1024_AARCH64_CRYPTO_SECRETKEYBYTES - u); if (v == 0) { return -1; } u += v; - v = PQCLEAN_FALCON1024PADDED_AARCH64_trim_i8_decode( - g, PQCLEAN_FALCON1024PADDED_AARCH64_max_fg_bits[FALCON_LOGN], - sk + u, PQCLEAN_FALCON1024PADDED_AARCH64_CRYPTO_SECRETKEYBYTES - u); + v = PQCLEAN_FALCONPADDED1024_AARCH64_trim_i8_decode( + g, PQCLEAN_FALCONPADDED1024_AARCH64_max_fg_bits[FALCON_LOGN], + sk + u, PQCLEAN_FALCONPADDED1024_AARCH64_CRYPTO_SECRETKEYBYTES - u); if (v == 0) { return -1; } u += v; - v = PQCLEAN_FALCON1024PADDED_AARCH64_trim_i8_decode( - F, PQCLEAN_FALCON1024PADDED_AARCH64_max_FG_bits[FALCON_LOGN], - sk + u, PQCLEAN_FALCON1024PADDED_AARCH64_CRYPTO_SECRETKEYBYTES - u); + v = PQCLEAN_FALCONPADDED1024_AARCH64_trim_i8_decode( + F, PQCLEAN_FALCONPADDED1024_AARCH64_max_FG_bits[FALCON_LOGN], + sk + u, PQCLEAN_FALCONPADDED1024_AARCH64_CRYPTO_SECRETKEYBYTES - u); if (v == 0) { return -1; } u += v; - if (u != PQCLEAN_FALCON1024PADDED_AARCH64_CRYPTO_SECRETKEYBYTES) { + if (u != PQCLEAN_FALCONPADDED1024_AARCH64_CRYPTO_SECRETKEYBYTES) { return -1; } - if (!PQCLEAN_FALCON1024PADDED_AARCH64_complete_private(G, f, g, F, tmp.b)) { + if (!PQCLEAN_FALCONPADDED1024_AARCH64_complete_private(G, f, g, F, tmp.b)) { return -1; } 
@@ -182,7 +182,7 @@ do_sign(uint8_t *nonce, uint8_t *sigbuf, size_t sigbuflen, inner_shake256_inject(&sc, nonce, NONCELEN); inner_shake256_inject(&sc, m, mlen); inner_shake256_flip(&sc); - PQCLEAN_FALCON1024PADDED_AARCH64_hash_to_point_ct(&sc, r.hm, FALCON_LOGN, tmp.b); + PQCLEAN_FALCONPADDED1024_AARCH64_hash_to_point_ct(&sc, r.hm, FALCON_LOGN, tmp.b); inner_shake256_ctx_release(&sc); /* @@ -198,8 +198,8 @@ do_sign(uint8_t *nonce, uint8_t *sigbuf, size_t sigbuflen, * value is found that fits in the provided buffer. */ for (;;) { - PQCLEAN_FALCON1024PADDED_AARCH64_sign_dyn(r.sig, &sc, f, g, F, G, r.hm, tmp.b); - v = PQCLEAN_FALCON1024PADDED_AARCH64_comp_encode(sigbuf, sigbuflen, r.sig); + PQCLEAN_FALCONPADDED1024_AARCH64_sign_dyn(r.sig, &sc, f, g, F, G, r.hm, tmp.b); + v = PQCLEAN_FALCONPADDED1024_AARCH64_comp_encode(sigbuf, sigbuflen, r.sig); if (v != 0) { inner_shake256_ctx_release(&sc); memset(sigbuf + v, 0, sigbuflen - v); @@ -234,9 +234,9 @@ do_verify( if (pk[0] != 0x00 + FALCON_LOGN) { return -1; } - if (PQCLEAN_FALCON1024PADDED_AARCH64_modq_decode( (uint16_t *) h, - pk + 1, PQCLEAN_FALCON1024PADDED_AARCH64_CRYPTO_PUBLICKEYBYTES - 1, FALCON_LOGN) - != PQCLEAN_FALCON1024PADDED_AARCH64_CRYPTO_PUBLICKEYBYTES - 1) { + if (PQCLEAN_FALCONPADDED1024_AARCH64_modq_decode( (uint16_t *) h, + pk + 1, PQCLEAN_FALCONPADDED1024_AARCH64_CRYPTO_PUBLICKEYBYTES - 1, FALCON_LOGN) + != PQCLEAN_FALCONPADDED1024_AARCH64_CRYPTO_PUBLICKEYBYTES - 1) { return -1; } // We move the conversion to NTT domain of `h` inside verify_raw() 
@@ -248,12 +248,12 @@ do_verify( return -1; } - v = PQCLEAN_FALCON1024PADDED_AARCH64_comp_decode(sig, sigbuf, sigbuflen); + v = PQCLEAN_FALCONPADDED1024_AARCH64_comp_decode(sig, sigbuf, sigbuflen); if (v == 0) { return -1; } if (v != sigbuflen) { - if (sigbuflen == PQCLEAN_FALCON1024PADDED_AARCH64_CRYPTO_BYTES - NONCELEN - 1) { + if (sigbuflen == PQCLEAN_FALCONPADDED1024_AARCH64_CRYPTO_BYTES - NONCELEN - 1) { while (v < sigbuflen) { if (sigbuf[v++] != 0) { return -1; @@ -271,13 +271,13 @@ do_verify( inner_shake256_inject(&sc, nonce, NONCELEN); inner_shake256_inject(&sc, m, mlen); inner_shake256_flip(&sc); - PQCLEAN_FALCON1024PADDED_AARCH64_hash_to_point_ct(&sc, (uint16_t *) hm, FALCON_LOGN, tmp.b); + PQCLEAN_FALCONPADDED1024_AARCH64_hash_to_point_ct(&sc, (uint16_t *) hm, FALCON_LOGN, tmp.b); inner_shake256_ctx_release(&sc); /* * Verify signature. */ - if (!PQCLEAN_FALCON1024PADDED_AARCH64_verify_raw(hm, sig, h, (int16_t *) tmp.b)) { + if (!PQCLEAN_FALCONPADDED1024_AARCH64_verify_raw(hm, sig, h, (int16_t *) tmp.b)) { return -1; } return 0; @@ -285,12 +285,12 @@ do_verify( /* see api.h */ int -PQCLEAN_FALCON1024PADDED_AARCH64_crypto_sign_signature( +PQCLEAN_FALCONPADDED1024_AARCH64_crypto_sign_signature( uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk) { size_t vlen; - vlen = PQCLEAN_FALCON1024PADDED_AARCH64_CRYPTO_BYTES - NONCELEN - 1; + vlen = PQCLEAN_FALCONPADDED1024_AARCH64_CRYPTO_BYTES - NONCELEN - 1; if (do_sign(sig + 1, sig + 1 + NONCELEN, vlen, m, mlen, sk) < 0) { return -1; } @@ -301,7 +301,7 @@ PQCLEAN_FALCON1024PADDED_AARCH64_crypto_sign_signature( /* see api.h */ int -PQCLEAN_FALCON1024PADDED_AARCH64_crypto_sign_verify( +PQCLEAN_FALCONPADDED1024_AARCH64_crypto_sign_verify( const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk) { if (siglen < 1 + NONCELEN) { 
@@ -316,7 +316,7 @@ PQCLEAN_FALCON1024PADDED_AARCH64_crypto_sign_verify( /* see api.h */ int -PQCLEAN_FALCON1024PADDED_AARCH64_crypto_sign( +PQCLEAN_FALCONPADDED1024_AARCH64_crypto_sign( uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, const uint8_t *sk) { uint8_t *sigbuf; @@ -326,9 +326,9 @@ PQCLEAN_FALCON1024PADDED_AARCH64_crypto_sign( * Move the message to its final location; this is a memmove() so * it handles overlaps properly. */ - memmove(sm + PQCLEAN_FALCON1024PADDED_AARCH64_CRYPTO_BYTES, m, mlen); + memmove(sm + PQCLEAN_FALCONPADDED1024_AARCH64_CRYPTO_BYTES, m, mlen); sigbuf = sm + 1 + NONCELEN; - sigbuflen = PQCLEAN_FALCON1024PADDED_AARCH64_CRYPTO_BYTES - NONCELEN - 1; + sigbuflen = PQCLEAN_FALCONPADDED1024_AARCH64_CRYPTO_BYTES - NONCELEN - 1; if (do_sign(sm + 1, sigbuf, sigbuflen, m, mlen, sk) < 0) { return -1; } @@ -340,17 +340,17 @@ PQCLEAN_FALCON1024PADDED_AARCH64_crypto_sign( /* see api.h */ int -PQCLEAN_FALCON1024PADDED_AARCH64_crypto_sign_open( +PQCLEAN_FALCONPADDED1024_AARCH64_crypto_sign_open( uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, const uint8_t *pk) { const uint8_t *sigbuf; size_t pmlen, sigbuflen; - if (smlen < PQCLEAN_FALCON1024PADDED_AARCH64_CRYPTO_BYTES) { + if (smlen < PQCLEAN_FALCONPADDED1024_AARCH64_CRYPTO_BYTES) { return -1; } - sigbuflen = PQCLEAN_FALCON1024PADDED_AARCH64_CRYPTO_BYTES - NONCELEN - 1; - pmlen = smlen - PQCLEAN_FALCON1024PADDED_AARCH64_CRYPTO_BYTES; + sigbuflen = PQCLEAN_FALCONPADDED1024_AARCH64_CRYPTO_BYTES - NONCELEN - 1; + pmlen = smlen - PQCLEAN_FALCONPADDED1024_AARCH64_CRYPTO_BYTES; if (sm[0] != 0x30 + FALCON_LOGN) { return -1; } @@ -362,7 +362,7 @@ PQCLEAN_FALCON1024PADDED_AARCH64_crypto_sign_open( * follows the signature value. */ if (do_verify(sm + 1, sigbuf, sigbuflen, - sm + PQCLEAN_FALCON1024PADDED_AARCH64_CRYPTO_BYTES, pmlen, pk) < 0) { + sm + PQCLEAN_FALCONPADDED1024_AARCH64_CRYPTO_BYTES, pmlen, pk) < 0) { return -1; } 
@@ -371,7 +371,7 @@ PQCLEAN_FALCON1024PADDED_AARCH64_crypto_sign_open( * to its final destination. The memmove() properly handles * overlaps. */ - memmove(m, sm + PQCLEAN_FALCON1024PADDED_AARCH64_CRYPTO_BYTES, pmlen); + memmove(m, sm + PQCLEAN_FALCONPADDED1024_AARCH64_CRYPTO_BYTES, pmlen); *mlen = pmlen; return 0; } diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/rng.c b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/rng.c similarity index 94% rename from Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/rng.c rename to Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/rng.c index dc9d9cef..33ed43d8 100644 --- a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/rng.c +++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/rng.c @@ -33,7 +33,7 @@ #include #include "inner.h" -int PQCLEAN_FALCON1024PADDED_AARCH64_get_seed(void *seed, size_t len) { +int PQCLEAN_FALCONPADDED1024_AARCH64_get_seed(void *seed, size_t len) { unsigned char tmp[48]; for (size_t i = 0; i < len; i++) { tmp[i] = (unsigned char) i; @@ -44,7 +44,7 @@ int PQCLEAN_FALCON1024PADDED_AARCH64_get_seed(void *seed, size_t len) { /* see inner.h */ void -PQCLEAN_FALCON1024PADDED_AARCH64_prng_init(prng *p, inner_shake256_context *src) { +PQCLEAN_FALCONPADDED1024_AARCH64_prng_init(prng *p, inner_shake256_context *src) { /* * To ensure reproducibility for a given seed, we * must enforce little-endian interpretation of @@ -67,7 +67,7 @@ PQCLEAN_FALCON1024PADDED_AARCH64_prng_init(prng *p, inner_shake256_context *src) tl = *(uint32_t *)(p->state.d + 48); th = *(uint32_t *)(p->state.d + 52); *(uint64_t *)(p->state.d + 48) = tl + (th << 32); - PQCLEAN_FALCON1024PADDED_AARCH64_prng_refill(p); + PQCLEAN_FALCONPADDED1024_AARCH64_prng_refill(p); } /* 
@@ -85,7 +85,7 @@ PQCLEAN_FALCON1024PADDED_AARCH64_prng_init(prng *p, inner_shake256_context *src) * The block counter is XORed into the first 8 bytes of the IV. */ void -PQCLEAN_FALCON1024PADDED_AARCH64_prng_refill(prng *p) { +PQCLEAN_FALCONPADDED1024_AARCH64_prng_refill(prng *p) { static const uint32_t CW[] = { 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 @@ -172,7 +172,7 @@ PQCLEAN_FALCON1024PADDED_AARCH64_prng_refill(prng *p) { /* see inner.h */ void -PQCLEAN_FALCON1024PADDED_AARCH64_prng_get_bytes(prng *p, void *dst, size_t len) { +PQCLEAN_FALCONPADDED1024_AARCH64_prng_get_bytes(prng *p, void *dst, size_t len) { uint8_t *buf; buf = dst; @@ -188,7 +188,7 @@ PQCLEAN_FALCON1024PADDED_AARCH64_prng_get_bytes(prng *p, void *dst, size_t len) len -= clen; p->ptr += clen; if (p->ptr == sizeof p->buf.d) { - PQCLEAN_FALCON1024PADDED_AARCH64_prng_refill(p); + PQCLEAN_FALCONPADDED1024_AARCH64_prng_refill(p); } } } diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/sampler.c b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/sampler.c similarity index 98% rename from Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/sampler.c rename to Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/sampler.c index 82d88759..1b2e4cde 100644 --- a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/sampler.c +++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/sampler.c @@ -37,7 +37,7 @@ * on zero and standard deviation 1.8205, with a precision of 72 bits. */ int -PQCLEAN_FALCON1024PADDED_AARCH64_gaussian0_sampler(prng *p) { +PQCLEAN_FALCONPADDED1024_AARCH64_gaussian0_sampler(prng *p) { static const uint32_t dist[] = { 10745844u, 3068844u, 3741698u, 
@@ -208,7 +208,7 @@ BerExp(prng *p, fpr x, fpr ccs) { * 0.5 and 1); in Falcon, sigma should always be between 1.2 and 1.9. */ int -PQCLEAN_FALCON1024PADDED_AARCH64_sampler(void *ctx, fpr mu, fpr isigma) { +PQCLEAN_FALCONPADDED1024_AARCH64_sampler(void *ctx, fpr mu, fpr isigma) { sampler_context *spc; int s; fpr r, dss, ccs; @@ -250,7 +250,7 @@ PQCLEAN_FALCON1024PADDED_AARCH64_sampler(void *ctx, fpr mu, fpr isigma) { * - b = 0: z <= 0 and sampled against a Gaussian * centered on 0. */ - z0 = PQCLEAN_FALCON1024PADDED_AARCH64_gaussian0_sampler(&spc->p); + z0 = PQCLEAN_FALCONPADDED1024_AARCH64_gaussian0_sampler(&spc->p); b = (int)prng_get_u8(&spc->p) & 1; z = b + ((b << 1) - 1) * z0; diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/sign.c b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/sign.c similarity index 80% rename from Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/sign.c rename to Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/sign.c index 9facdf1b..48e0d8de 100644 --- a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/sign.c +++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/sign.c @@ -90,7 +90,7 @@ ffLDL_fft_inner(fpr *restrict tree, * and the diagonal of D. Since d00 = g0, we just write d11 * into tmp. */ - PQCLEAN_FALCON1024PADDED_AARCH64_poly_LDLmv_fft(tmp, tree, g0, g1, g0, logn); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_LDLmv_fft(tmp, tree, g0, g1, g0, logn); /* * Split d00 (currently in g0) and d11 (currently in tmp). We @@ -98,8 +98,8 @@ ffLDL_fft_inner(fpr *restrict tree, * d00 splits into g1, g1+hn * d11 splits into g0, g0+hn */ - PQCLEAN_FALCON1024PADDED_AARCH64_poly_split_fft(g1, g1 + hn, g0, logn); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_split_fft(g0, g0 + hn, tmp, logn); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_split_fft(g1, g1 + hn, g0, logn); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_split_fft(g0, g0 + hn, tmp, logn); /* * Each split result is the first row of a new auto-adjoint 
@@ -140,9 +140,9 @@ ffLDL_fft(fpr *restrict tree, const fpr *restrict g00, tmp += n << 1; memcpy(d00, g00, n * sizeof * g00); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_LDLmv_fft(d11, tree, g00, g01, g11, logn); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_split_fft(tmp, tmp + hn, d00, logn); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_split_fft(d00, d00 + hn, d11, logn); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_LDLmv_fft(d11, tree, g00, g01, g11, logn); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_split_fft(tmp, tmp + hn, d00, logn); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_split_fft(d00, d00 + hn, d11, logn); memcpy(d11, tmp, n * sizeof * tmp); ffLDL_fft_inner(tree + n, d11, d11 + hn, logn - 1, tmp); @@ -212,7 +212,7 @@ skoff_tree(unsigned logn) { /* see inner.h */ void -PQCLEAN_FALCON1024PADDED_AARCH64_expand_privkey(fpr *restrict expanded_key, +PQCLEAN_FALCONPADDED1024_AARCH64_expand_privkey(fpr *restrict expanded_key, const int8_t *f, const int8_t *g, const int8_t *F, const int8_t *G, uint8_t *restrict tmp) { 
@@ -236,19 +236,19 @@ PQCLEAN_FALCON1024PADDED_AARCH64_expand_privkey(fpr *restrict expanded_key, rG = b10; rF = b11; - PQCLEAN_FALCON1024PADDED_AARCH64_smallints_to_fpr(rg, g, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_FFT(rg, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_smallints_to_fpr(rg, g, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_FFT(rg, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_smallints_to_fpr(rf, f, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_FFT(rf, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_neg(rf, rf, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_smallints_to_fpr(rf, f, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_FFT(rf, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_neg(rf, rf, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_smallints_to_fpr(rG, G, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_FFT(rG, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_smallints_to_fpr(rG, G, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_FFT(rG, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_smallints_to_fpr(rF, F, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_FFT(rF, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_neg(rF, rF, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_smallints_to_fpr(rF, F, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_FFT(rF, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_neg(rF, rF, FALCON_LOGN); /* * Compute the FFT for the key elements, and negate f and F. 
@@ -269,14 +269,14 @@ PQCLEAN_FALCON1024PADDED_AARCH64_expand_privkey(fpr *restrict expanded_key, g11 = g01 + FALCON_N; gxx = g11 + FALCON_N; - PQCLEAN_FALCON1024PADDED_AARCH64_poly_mulselfadj_fft(g00, b00, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_mulselfadj_add_fft(g00, g00, b01, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_mulselfadj_fft(g00, b00, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_mulselfadj_add_fft(g00, g00, b01, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_muladj_fft(g01, b00, b10, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_muladj_add_fft(g01, g01, b01, b11, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_muladj_fft(g01, b00, b10, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_muladj_add_fft(g01, g01, b01, b11, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_mulselfadj_fft(g11, b10, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_mulselfadj_add_fft(g11, g11, b11, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_mulselfadj_fft(g11, b10, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_mulselfadj_add_fft(g11, g11, b11, FALCON_LOGN); /* * Compute the Falcon tree. 
@@ -327,15 +327,15 @@ ffSampling_fft_dyntree(samplerZ samp, void *samp_ctx, * Decompose G into LDL. We only need d00 (identical to g00), * d11, and l10; we do that in place. */ - PQCLEAN_FALCON1024PADDED_AARCH64_poly_LDL_fft(g00, g01, g11, logn); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_LDL_fft(g00, g01, g11, logn); /* * Split d00 and d11 and expand them into half-size quasi-cyclic * Gram matrices. We also save l10 in tmp[]. */ - PQCLEAN_FALCON1024PADDED_AARCH64_poly_split_fft(tmp, tmp + hn, g00, logn); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_split_fft(tmp, tmp + hn, g00, logn); memcpy(g00, tmp, n * sizeof * tmp); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_split_fft(tmp, tmp + hn, g11, logn); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_split_fft(tmp, tmp + hn, g11, logn); memcpy(g11, tmp, n * sizeof * tmp); memcpy(tmp, g01, n * sizeof * g01); memcpy(g01, g00, hn * sizeof * g00); @@ -355,10 +355,10 @@ ffSampling_fft_dyntree(samplerZ samp, void *samp_ctx, * back into tmp + 2*n. */ z1 = tmp + n; - PQCLEAN_FALCON1024PADDED_AARCH64_poly_split_fft(z1, z1 + hn, t1, logn); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_split_fft(z1, z1 + hn, t1, logn); ffSampling_fft_dyntree(samp, samp_ctx, z1, z1 + hn, g11, g11 + hn, g01 + hn, orig_logn, logn - 1, z1 + n); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_merge_fft(tmp + (n << 1), z1, z1 + hn, logn); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_merge_fft(tmp + (n << 1), z1, z1 + hn, logn); /* * Compute tb0 = t0 + (t1 - z1) * l10. 
@@ -367,19 +367,19 @@ ffSampling_fft_dyntree(samplerZ samp, void *samp_ctx, * * In the end, z1 is written over t1, and tb0 is in t0. */ - PQCLEAN_FALCON1024PADDED_AARCH64_poly_sub(z1, t1, tmp + (n << 1), logn); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_sub(z1, t1, tmp + (n << 1), logn); memcpy(t1, tmp + (n << 1), n * sizeof * tmp); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_add_fft(t0, t0, tmp, z1, logn); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_add_fft(t0, t0, tmp, z1, logn); /* * Second recursive invocation, on the split tb0 (currently in t0) * and the left sub-tree. */ z0 = tmp; - PQCLEAN_FALCON1024PADDED_AARCH64_poly_split_fft(z0, z0 + hn, t0, logn); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_split_fft(z0, z0 + hn, t0, logn); ffSampling_fft_dyntree(samp, samp_ctx, z0, z0 + hn, g00, g00 + hn, g01, orig_logn, logn - 1, z0 + n); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_merge_fft(t0, z0, z0 + hn, logn); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_merge_fft(t0, z0, z0 + hn, logn); } /* 
@@ -572,24 +572,24 @@ ffSampling_fft(samplerZ samp, void *samp_ctx, * the recursive invocation, with output in tmp. We finally * merge back into z1. */ - PQCLEAN_FALCON1024PADDED_AARCH64_poly_split_fft(z1, z1 + hn, t1, logn); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_split_fft(z1, z1 + hn, t1, logn); ffSampling_fft(samp, samp_ctx, tmp, tmp + hn, tree1, z1, z1 + hn, logn - 1, tmp + n); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_merge_fft(z1, tmp, tmp + hn, logn); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_merge_fft(z1, tmp, tmp + hn, logn); /* * Compute tb0 = t0 + (t1 - z1) * L. Value tb0 ends up in tmp[]. */ - PQCLEAN_FALCON1024PADDED_AARCH64_poly_sub(tmp, t1, z1, logn); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_add_fft(tmp, t0, tmp, tree, logn); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_sub(tmp, t1, z1, logn); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_add_fft(tmp, t0, tmp, tree, logn); /* * Second recursive invocation. */ - PQCLEAN_FALCON1024PADDED_AARCH64_poly_split_fft(z0, z0 + hn, tmp, logn); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_split_fft(z0, z0 + hn, tmp, logn); ffSampling_fft(samp, samp_ctx, tmp, tmp + hn, tree0, z0, z0 + hn, logn - 1, tmp + n); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_merge_fft(z0, tmp, tmp + hn, logn); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_merge_fft(z0, tmp, tmp + hn, logn); } /* 
@@ -622,18 +622,18 @@ do_sign_tree(samplerZ samp, void *samp_ctx, int16_t *s2, /* * Set the target vector to [hm, 0] (hm is the hashed message). */ - PQCLEAN_FALCON1024PADDED_AARCH64_poly_fpr_of_s16(t0, hm, FALCON_N); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_fpr_of_s16(t0, hm, FALCON_N); /* * Apply the lattice basis to obtain the real target * vector (after normalization with regards to modulus). */ - PQCLEAN_FALCON1024PADDED_AARCH64_FFT(t0, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_FFT(t0, FALCON_LOGN); ni = fpr_inverse_of_q; - PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_fft(t1, t0, b01, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_mulconst(t1, t1, fpr_neg(ni), FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_fft(t0, t0, b11, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_mulconst(t0, t0, ni, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_fft(t1, t0, b01, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_mulconst(t1, t1, fpr_neg(ni), FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_fft(t0, t0, b11, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_mulconst(t0, t0, ni, FALCON_LOGN); tx = t1 + FALCON_N; ty = tx + FALCON_N; 
@@ -646,13 +646,13 @@ do_sign_tree(samplerZ samp, void *samp_ctx, int16_t *s2, /* * Get the lattice point corresponding to that tiny vector. */ - PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_fft(t0, tx, b00, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_add_fft(t0, t0, ty, b10, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_iFFT(t0, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_fft(t0, tx, b00, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_add_fft(t0, t0, ty, b10, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_iFFT(t0, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_fft(t1, tx, b01, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_add_fft(t1, t1, ty, b11, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_iFFT(t1, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_fft(t1, tx, b01, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_add_fft(t1, t1, ty, b11, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_iFFT(t1, FALCON_LOGN); /* * Compute the signature. @@ -671,7 +671,7 @@ do_sign_tree(samplerZ samp, void *samp_ctx, int16_t *s2, s1tmp = (int16_t *)tx; s2tmp = (int16_t *)tmp; - if (PQCLEAN_FALCON1024PADDED_AARCH64_is_short_tmp(s1tmp, s2tmp, (int16_t *) hm, t0, t1)) { + if (PQCLEAN_FALCONPADDED1024_AARCH64_is_short_tmp(s1tmp, s2tmp, (int16_t *) hm, t0, t1)) { memcpy(s2, s2tmp, FALCON_N * sizeof * s2); memcpy(tmp, s1tmp, FALCON_N * sizeof * s1tmp); return 1; 
@@ -708,19 +708,19 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2, t0 = b11 + FALCON_N; t1 = t0 + FALCON_N; - PQCLEAN_FALCON1024PADDED_AARCH64_smallints_to_fpr(b00, g, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_FFT(b00, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_smallints_to_fpr(b00, g, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_FFT(b00, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_smallints_to_fpr(b01, f, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_FFT(b01, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_neg(b01, b01, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_smallints_to_fpr(b01, f, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_FFT(b01, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_neg(b01, b01, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_smallints_to_fpr(b10, G, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_FFT(b10, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_smallints_to_fpr(b10, G, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_FFT(b10, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_smallints_to_fpr(b11, F, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_FFT(b11, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_neg(b11, b11, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_smallints_to_fpr(b11, F, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_FFT(b11, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_neg(b11, b11, FALCON_LOGN); /* * Compute the Gram matrix G = B·B*. Formulas are: 
@@ -741,17 +741,17 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2, * g00 | g01 | g11 | b01 | t0 | t1 */ - PQCLEAN_FALCON1024PADDED_AARCH64_poly_muladj_fft(t1, b00, b10, FALCON_LOGN); // t1 <- b00*adj(b10) + PQCLEAN_FALCONPADDED1024_AARCH64_poly_muladj_fft(t1, b00, b10, FALCON_LOGN); // t1 <- b00*adj(b10) - PQCLEAN_FALCON1024PADDED_AARCH64_poly_mulselfadj_fft(t0, b01, FALCON_LOGN); // t0 <- b01*adj(b01) - PQCLEAN_FALCON1024PADDED_AARCH64_poly_mulselfadj_fft(b00, b00, FALCON_LOGN); // b00 <- b00*adj(b00) - PQCLEAN_FALCON1024PADDED_AARCH64_poly_add(b00, b00, t0, FALCON_LOGN); // b00 <- g00 + PQCLEAN_FALCONPADDED1024_AARCH64_poly_mulselfadj_fft(t0, b01, FALCON_LOGN); // t0 <- b01*adj(b01) + PQCLEAN_FALCONPADDED1024_AARCH64_poly_mulselfadj_fft(b00, b00, FALCON_LOGN); // b00 <- b00*adj(b00) + PQCLEAN_FALCONPADDED1024_AARCH64_poly_add(b00, b00, t0, FALCON_LOGN); // b00 <- g00 memcpy(t0, b01, FALCON_N * sizeof * b01); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_muladj_add_fft(b01, t1, b01, b11, FALCON_LOGN); // b01 <- b01*adj(b11) + PQCLEAN_FALCONPADDED1024_AARCH64_poly_muladj_add_fft(b01, t1, b01, b11, FALCON_LOGN); // b01 <- b01*adj(b11) - PQCLEAN_FALCON1024PADDED_AARCH64_poly_mulselfadj_fft(b10, b10, FALCON_LOGN); // b10 <- b10*adj(b10) - PQCLEAN_FALCON1024PADDED_AARCH64_poly_mulselfadj_add_fft(b10, b10, b11, FALCON_LOGN); // t1 = g11 <- b11*adj(b11) + PQCLEAN_FALCONPADDED1024_AARCH64_poly_mulselfadj_fft(b10, b10, FALCON_LOGN); // b10 <- b10*adj(b10) + PQCLEAN_FALCONPADDED1024_AARCH64_poly_mulselfadj_add_fft(b10, b10, b11, FALCON_LOGN); // t1 = g11 <- b11*adj(b11) /* * We rename variables to make things clearer. The three elements 
@@ -773,18 +773,18 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2, /* * Set the target vector to [hm, 0] (hm is the hashed message). */ - PQCLEAN_FALCON1024PADDED_AARCH64_poly_fpr_of_s16(t0, hm, FALCON_N); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_fpr_of_s16(t0, hm, FALCON_N); /* * Apply the lattice basis to obtain the real target * vector (after normalization with regards to modulus). */ - PQCLEAN_FALCON1024PADDED_AARCH64_FFT(t0, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_FFT(t0, FALCON_LOGN); ni = fpr_inverse_of_q; - PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_fft(t1, t0, b01, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_mulconst(t1, t1, fpr_neg(ni), FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_fft(t0, t0, b11, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_mulconst(t0, t0, ni, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_fft(t1, t0, b01, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_mulconst(t1, t1, fpr_neg(ni), FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_fft(t0, t0, b11, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_mulconst(t0, t0, ni, FALCON_LOGN); /* * b01 and b11 can be discarded, so we move back (t0,t1). 
@@ -817,19 +817,19 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2, t0 = b11 + FALCON_N; t1 = t0 + FALCON_N; - PQCLEAN_FALCON1024PADDED_AARCH64_smallints_to_fpr(b00, g, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_FFT(b00, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_smallints_to_fpr(b00, g, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_FFT(b00, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_smallints_to_fpr(b01, f, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_FFT(b01, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_neg(b01, b01, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_smallints_to_fpr(b01, f, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_FFT(b01, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_neg(b01, b01, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_smallints_to_fpr(b10, G, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_FFT(b10, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_smallints_to_fpr(b10, G, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_FFT(b10, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_smallints_to_fpr(b11, F, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_FFT(b11, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_neg(b11, b11, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_smallints_to_fpr(b11, F, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_FFT(b11, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_neg(b11, b11, FALCON_LOGN); tx = t1 + FALCON_N; ty = tx + FALCON_N; 
@@ -838,13 +838,13 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2, * Get the lattice point corresponding to that tiny vector. */ - PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_fft(tx, t0, b00, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_fft(ty, t0, b01, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_add_fft(t0, tx, t1, b10, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_mul_add_fft(t1, ty, t1, b11, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_fft(tx, t0, b00, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_fft(ty, t0, b01, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_add_fft(t0, tx, t1, b10, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_mul_add_fft(t1, ty, t1, b11, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_iFFT(t0, FALCON_LOGN); - PQCLEAN_FALCON1024PADDED_AARCH64_iFFT(t1, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_iFFT(t0, FALCON_LOGN); + PQCLEAN_FALCONPADDED1024_AARCH64_iFFT(t1, FALCON_LOGN); /* * With "normal" degrees (e.g. 512 or 1024), it is very @@ -858,7 +858,7 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2, s1tmp = (int16_t *)tx; s2tmp = (int16_t *)tmp; - if (PQCLEAN_FALCON1024PADDED_AARCH64_is_short_tmp(s1tmp, s2tmp, (int16_t *) hm, t0, t1)) { + if (PQCLEAN_FALCONPADDED1024_AARCH64_is_short_tmp(s1tmp, s2tmp, (int16_t *) hm, t0, t1)) { memcpy(s2, s2tmp, FALCON_N * sizeof * s2); memcpy(tmp, s1tmp, FALCON_N * sizeof * s1tmp); return 1; @@ -868,7 +868,7 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2, /* see inner.h */ void -PQCLEAN_FALCON1024PADDED_AARCH64_sign_tree(int16_t *sig, inner_shake256_context *rng, +PQCLEAN_FALCONPADDED1024_AARCH64_sign_tree(int16_t *sig, inner_shake256_context *rng, const fpr *restrict expanded_key, const uint16_t *hm, uint8_t *tmp) { fpr *ftmp; 
@@ -894,8 +894,8 @@ PQCLEAN_FALCON1024PADDED_AARCH64_sign_tree(int16_t *sig, inner_shake256_context * SHAKE context ('rng'). */ spc.sigma_min = fpr_sigma_min_10; - PQCLEAN_FALCON1024PADDED_AARCH64_prng_init(&spc.p, rng); - samp = PQCLEAN_FALCON1024PADDED_AARCH64_sampler; + PQCLEAN_FALCONPADDED1024_AARCH64_prng_init(&spc.p, rng); + samp = PQCLEAN_FALCONPADDED1024_AARCH64_sampler; samp_ctx = &spc; /* @@ -909,7 +909,7 @@ PQCLEAN_FALCON1024PADDED_AARCH64_sign_tree(int16_t *sig, inner_shake256_context /* see inner.h */ void -PQCLEAN_FALCON1024PADDED_AARCH64_sign_dyn(int16_t *sig, inner_shake256_context *rng, +PQCLEAN_FALCONPADDED1024_AARCH64_sign_dyn(int16_t *sig, inner_shake256_context *rng, const int8_t *restrict f, const int8_t *restrict g, const int8_t *restrict F, const int8_t *restrict G, const uint16_t *hm, uint8_t *tmp) { @@ -937,8 +937,8 @@ PQCLEAN_FALCON1024PADDED_AARCH64_sign_dyn(int16_t *sig, inner_shake256_context * * SHAKE context ('rng'). */ spc.sigma_min = fpr_sigma_min_10; - PQCLEAN_FALCON1024PADDED_AARCH64_prng_init(&spc.p, rng); - samp = PQCLEAN_FALCON1024PADDED_AARCH64_sampler; + PQCLEAN_FALCONPADDED1024_AARCH64_prng_init(&spc.p, rng); + samp = PQCLEAN_FALCONPADDED1024_AARCH64_sampler; samp_ctx = &spc; /* diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/util.c b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/util.c similarity index 97% rename from Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/util.c rename to Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/util.c index d28abe43..92300bb5 100644 --- a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/util.c +++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/util.c 
@@ -27,7 +27,7 @@
 * Convert an integer polynomial (with small values) into the
 * representation with complex numbers.
 */
-void PQCLEAN_FALCON1024PADDED_AARCH64_smallints_to_fpr(fpr *r, const int8_t *t, const unsigned logn) {
+void PQCLEAN_FALCONPADDED1024_AARCH64_smallints_to_fpr(fpr *r, const int8_t *t, const unsigned logn) {
 float64x2x4_t neon_flo64, neon_fhi64;
 int64x2x4_t neon_lo64, neon_hi64;
 int32x4_t neon_lo32[2], neon_hi32[2];
diff --git a/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/util.h b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/util.h
new file mode 100644
index 00000000..78bd8334
--- /dev/null
+++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/util.h
@@ -0,0 +1,8 @@
+#ifndef UTIL_H
+#define UTIL_H
+
+#define poly_small_to_fp PQCLEAN_FALCONPADDED1024_AARCH64_smallints_to_fpr
+
+void PQCLEAN_FALCONPADDED1024_AARCH64_smallints_to_fpr(fpr *r, const int8_t *t, unsigned logn);
+
+#endif
diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/vrfy.c b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/vrfy.c
similarity index 52%
rename from Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/vrfy.c
rename to Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/vrfy.c
index 35de332c..0aa6015d 100644
--- a/Modules/PQClean/crypto_sign/falcon-1024-padded/aarch64/vrfy.c
+++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/aarch64/vrfy.c
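Review bot: The include guard on the new aarch64/util.h is the generic `UTIL_H`, whereas the other headers in this tree use scheme-prefixed guards (avx2/api.h uses `PQCLEAN_FALCONPADDED1024_AVX2_API_H`); since these schemes are meant to be compiled side by side into one binary, any other `util.h` with the same guard reaching the same translation unit first would silently drop this declaration. Suggest `#ifndef PQCLEAN_FALCONPADDED1024_AARCH64_UTIL_H` / `#define PQCLEAN_FALCONPADDED1024_AARCH64_UTIL_H`. The unprefixed macro `poly_small_to_fp` carries the same clash risk if a sibling scheme's util.h defines it too, so a comment marking it as internal to this directory would help. The header also uses `fpr` and `int8_t` without including anything, so it only compiles when included after `inner.h`/`fpr.h`; either add those includes or state that ordering requirement in a one-line comment at the top.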
@@ -23,16 +23,16 @@ #include "poly.h" /* see inner.h */ -void PQCLEAN_FALCON1024PADDED_AARCH64_to_ntt(int16_t *h) { - PQCLEAN_FALCON1024PADDED_AARCH64_poly_ntt(h, NTT_NONE); +void PQCLEAN_FALCONPADDED1024_AARCH64_to_ntt(int16_t *h) { + PQCLEAN_FALCONPADDED1024_AARCH64_poly_ntt(h, NTT_NONE); } -void PQCLEAN_FALCON1024PADDED_AARCH64_to_ntt_monty(int16_t *h) { - PQCLEAN_FALCON1024PADDED_AARCH64_poly_ntt(h, NTT_MONT); +void PQCLEAN_FALCONPADDED1024_AARCH64_to_ntt_monty(int16_t *h) { + PQCLEAN_FALCONPADDED1024_AARCH64_poly_ntt(h, NTT_MONT); } /* see inner.h */ -int PQCLEAN_FALCON1024PADDED_AARCH64_verify_raw(const int16_t *c0, const int16_t *s2, +int PQCLEAN_FALCONPADDED1024_AARCH64_verify_raw(const int16_t *c0, const int16_t *s2, int16_t *h, int16_t *tmp) { int16_t *tt = tmp; 
@@ -41,43 +41,43 @@ int PQCLEAN_FALCON1024PADDED_AARCH64_verify_raw(const int16_t *c0, const int16_t */ memcpy(tt, s2, sizeof(int16_t) * FALCON_N); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_ntt(h, NTT_NONE); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_ntt(tt, NTT_MONT_INV); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_montmul_ntt(tt, h); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_invntt(tt, INVNTT_NONE); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_sub_barrett(tt, c0, tt); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_ntt(h, NTT_NONE); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_ntt(tt, NTT_MONT_INV); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_montmul_ntt(tt, h); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_invntt(tt, INVNTT_NONE); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_sub_barrett(tt, c0, tt); /* * Signature is valid if and only if the aggregate (s1,s2) vector * is short enough. */ - return PQCLEAN_FALCON1024PADDED_AARCH64_is_short(tt, s2); + return PQCLEAN_FALCONPADDED1024_AARCH64_is_short(tt, s2); } /* see inner.h */ -int PQCLEAN_FALCON1024PADDED_AARCH64_compute_public(int16_t *h, const int8_t *f, const int8_t *g, int16_t *tmp) { +int PQCLEAN_FALCONPADDED1024_AARCH64_compute_public(int16_t *h, const int8_t *f, const int8_t *g, int16_t *tmp) { int16_t *tt = tmp; - PQCLEAN_FALCON1024PADDED_AARCH64_poly_int8_to_int16(h, g); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_ntt(h, NTT_NONE); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_int8_to_int16(h, g); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_ntt(h, NTT_NONE); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_int8_to_int16(tt, f); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_ntt(tt, NTT_MONT); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_int8_to_int16(tt, f); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_ntt(tt, NTT_MONT); - if (PQCLEAN_FALCON1024PADDED_AARCH64_poly_compare_with_zero(tt)) { + if (PQCLEAN_FALCONPADDED1024_AARCH64_poly_compare_with_zero(tt)) { return 0; } - PQCLEAN_FALCON1024PADDED_AARCH64_poly_div_12289(h, tt); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_div_12289(h, tt); - 
PQCLEAN_FALCON1024PADDED_AARCH64_poly_invntt(h, INVNTT_NINV); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_invntt(h, INVNTT_NINV); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_convert_to_unsigned(h); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_convert_to_unsigned(h); return 1; } /* see inner.h */ -int PQCLEAN_FALCON1024PADDED_AARCH64_complete_private(int8_t *G, const int8_t *f, +int PQCLEAN_FALCONPADDED1024_AARCH64_complete_private(int8_t *G, const int8_t *f, const int8_t *g, const int8_t *F, uint8_t *tmp) { int16_t *t1, *t2; 
@@ -85,45 +85,45 @@ int PQCLEAN_FALCON1024PADDED_AARCH64_complete_private(int8_t *G, const int8_t *f t1 = (int16_t *)tmp; t2 = t1 + FALCON_N; - PQCLEAN_FALCON1024PADDED_AARCH64_poly_int8_to_int16(t1, g); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_ntt(t1, NTT_NONE); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_int8_to_int16(t1, g); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_ntt(t1, NTT_NONE); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_int8_to_int16(t2, F); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_ntt(t2, NTT_MONT); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_int8_to_int16(t2, F); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_ntt(t2, NTT_MONT); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_montmul_ntt(t1, t2); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_montmul_ntt(t1, t2); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_int8_to_int16(t2, f); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_ntt(t2, NTT_MONT); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_int8_to_int16(t2, f); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_ntt(t2, NTT_MONT); - if (PQCLEAN_FALCON1024PADDED_AARCH64_poly_compare_with_zero(t2)) { + if (PQCLEAN_FALCONPADDED1024_AARCH64_poly_compare_with_zero(t2)) { return 0; } - PQCLEAN_FALCON1024PADDED_AARCH64_poly_div_12289(t1, t2); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_div_12289(t1, t2); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_invntt(t1, INVNTT_NINV); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_invntt(t1, INVNTT_NINV); - if (PQCLEAN_FALCON1024PADDED_AARCH64_poly_int16_to_int8(G, t1)) { + if (PQCLEAN_FALCONPADDED1024_AARCH64_poly_int16_to_int8(G, t1)) { return 0; } return 1; } /* see inner.h */ -int PQCLEAN_FALCON1024PADDED_AARCH64_is_invertible(const int16_t *s2, uint8_t *tmp) { +int PQCLEAN_FALCONPADDED1024_AARCH64_is_invertible(const int16_t *s2, uint8_t *tmp) { int16_t *tt = (int16_t *)tmp; uint16_t r; memcpy(tt, s2, sizeof(int16_t) * FALCON_N); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_ntt(tt, NTT_MONT); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_ntt(tt, NTT_MONT); - r = 
PQCLEAN_FALCON1024PADDED_AARCH64_poly_compare_with_zero(tt); + r = PQCLEAN_FALCONPADDED1024_AARCH64_poly_compare_with_zero(tt); return (int)(1u - (r >> 15)); } /* see inner.h */ -int PQCLEAN_FALCON1024PADDED_AARCH64_verify_recover(int16_t *h, const int16_t *c0, +int PQCLEAN_FALCONPADDED1024_AARCH64_verify_recover(int16_t *h, const int16_t *c0, const int16_t *s1, const int16_t *s2, uint8_t *tmp) { int16_t *tt = (int16_t *)tmp; @@ -137,19 +137,19 @@ int PQCLEAN_FALCON1024PADDED_AARCH64_verify_recover(int16_t *h, const int16_t *c * s2 are non-zero, then the high bit of r will be zero. */ - PQCLEAN_FALCON1024PADDED_AARCH64_poly_sub_barrett(h, c0, s1); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_ntt(h, NTT_NONE); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_sub_barrett(h, c0, s1); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_ntt(h, NTT_NONE); /* * Reduce elements of s1 and s2 modulo q; then write s2 into tt[] * and c0 - s1 into h[]. */ memcpy(tt, s2, sizeof(int16_t) * FALCON_N); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_ntt(tt, NTT_MONT); - r = PQCLEAN_FALCON1024PADDED_AARCH64_poly_compare_with_zero(tt); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_div_12289(h, tt); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_ntt(tt, NTT_MONT); + r = PQCLEAN_FALCONPADDED1024_AARCH64_poly_compare_with_zero(tt); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_div_12289(h, tt); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_invntt(h, INVNTT_NINV); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_invntt(h, INVNTT_NINV); /* * Signature is acceptable if and only if it is short enough, 
@@ -157,18 +157,18 @@ int PQCLEAN_FALCON1024PADDED_AARCH64_verify_recover(int16_t *h, const int16_t *c * check that the rebuilt public key matches the expected * value (e.g. through a hash). */ - r = (uint16_t) (~r & (uint16_t) - PQCLEAN_FALCON1024PADDED_AARCH64_is_short(s1, s2)); + r = (uint16_t) (~r & (uint16_t) - PQCLEAN_FALCONPADDED1024_AARCH64_is_short(s1, s2)); return (int)(r >> 15); } /* see inner.h */ -int PQCLEAN_FALCON1024PADDED_AARCH64_count_nttzero(const int16_t *sig, uint8_t *tmp) { +int PQCLEAN_FALCONPADDED1024_AARCH64_count_nttzero(const int16_t *sig, uint8_t *tmp) { int16_t *s2 = (int16_t *)tmp; memcpy(s2, sig, sizeof(int16_t) * FALCON_N); - PQCLEAN_FALCON1024PADDED_AARCH64_poly_ntt(s2, NTT_MONT); + PQCLEAN_FALCONPADDED1024_AARCH64_poly_ntt(s2, NTT_MONT); - int r = PQCLEAN_FALCON1024PADDED_AARCH64_poly_compare_with_zero(s2); + int r = PQCLEAN_FALCONPADDED1024_AARCH64_poly_compare_with_zero(s2); return r; } diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/LICENSE b/Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/LICENSE similarity index 100% rename from Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/LICENSE rename to Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/LICENSE diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/Makefile b/Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/Makefile similarity index 94% rename from Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/Makefile rename to Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/Makefile index 58988d2b..5f4cd736 100644 --- a/Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/Makefile +++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/Makefile @@ -1,6 +1,6 @@ # This Makefile can be used with GNU Make or BSD Make -LIB=libfalcon-1024-padded_avx2.a +LIB=libfalcon-padded-1024_avx2.a SOURCES = codec.c common.c fft.c fpr.c keygen.c pqclean.c rng.c sign.c vrfy.c OBJECTS = codec.o common.o fft.o fpr.o keygen.o pqclean.o rng.o sign.o vrfy.o 
diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/Makefile.Microsoft_nmake b/Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/Makefile.Microsoft_nmake similarity index 95% rename from Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/Makefile.Microsoft_nmake rename to Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/Makefile.Microsoft_nmake index 3d6e3828..97af9c96 100644 --- a/Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/Makefile.Microsoft_nmake +++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/Makefile.Microsoft_nmake @@ -1,7 +1,7 @@ # This Makefile can be used with Microsoft Visual Studio's nmake using the command: # nmake /f Makefile.Microsoft_nmake -LIBRARY=libfalcon-1024-padded_avx2.lib +LIBRARY=libfalcon-padded-1024_avx2.lib OBJECTS=codec.obj common.obj fft.obj fpr.obj keygen.obj pqclean.obj rng.obj sign.obj vrfy.obj # Warning C4146 is raised when a unary minus operator is applied to an diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/api.h b/Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/api.h similarity index 67% rename from Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/api.h rename to Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/api.h index a6bd3441..da610326 100644 --- a/Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/api.h +++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/api.h 
@@ -1,37 +1,37 @@ -#ifndef PQCLEAN_FALCON1024PADDED_AVX2_API_H -#define PQCLEAN_FALCON1024PADDED_AVX2_API_H +#ifndef PQCLEAN_FALCONPADDED1024_AVX2_API_H +#define PQCLEAN_FALCONPADDED1024_AVX2_API_H #include #include -#define PQCLEAN_FALCON1024PADDED_AVX2_CRYPTO_SECRETKEYBYTES 2305 -#define PQCLEAN_FALCON1024PADDED_AVX2_CRYPTO_PUBLICKEYBYTES 1793 -#define PQCLEAN_FALCON1024PADDED_AVX2_CRYPTO_BYTES 1280 +#define PQCLEAN_FALCONPADDED1024_AVX2_CRYPTO_SECRETKEYBYTES 2305 +#define PQCLEAN_FALCONPADDED1024_AVX2_CRYPTO_PUBLICKEYBYTES 1793 +#define PQCLEAN_FALCONPADDED1024_AVX2_CRYPTO_BYTES 1280 -#define PQCLEAN_FALCON1024PADDED_AVX2_CRYPTO_ALGNAME "Falcon-1024 (PADDED)" +#define PQCLEAN_FALCONPADDED1024_AVX2_CRYPTO_ALGNAME "Falcon-padded-1024" /* * Generate a new key pair. Public key goes into pk[], private key in sk[]. * Key sizes are exact (in bytes): - * public (pk): PQCLEAN_FALCON1024PADDED_AVX2_CRYPTO_PUBLICKEYBYTES - * private (sk): PQCLEAN_FALCON1024PADDED_AVX2_CRYPTO_SECRETKEYBYTES + * public (pk): PQCLEAN_FALCONPADDED1024_AVX2_CRYPTO_PUBLICKEYBYTES + * private (sk): PQCLEAN_FALCONPADDED1024_AVX2_CRYPTO_SECRETKEYBYTES * * Return value: 0 on success, -1 on error. */ -int PQCLEAN_FALCON1024PADDED_AVX2_crypto_sign_keypair( +int PQCLEAN_FALCONPADDED1024_AVX2_crypto_sign_keypair( uint8_t *pk, uint8_t *sk); /* * Compute a signature on a provided message (m, mlen), with a given * private key (sk). Signature is written in sig[], with length written * into *siglen. Signature length is variable; maximum signature length - * (in bytes) is PQCLEAN_FALCON1024PADDED_AVX2_CRYPTO_BYTES. + * (in bytes) is PQCLEAN_FALCONPADDED1024_AVX2_CRYPTO_BYTES. * * sig[], m[] and sk[] may overlap each other arbitrarily. * * Return value: 0 on success, -1 on error. */ -int PQCLEAN_FALCON1024PADDED_AVX2_crypto_sign_signature( +int PQCLEAN_FALCONPADDED1024_AVX2_crypto_sign_signature( uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk); 
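Review bot: The comment above `crypto_sign_signature` still says "Signature length is variable; maximum signature length (in bytes) is PQCLEAN_FALCONPADDED1024_AVX2_CRYPTO_BYTES", which reads as stale for a variant whose name and renamed ALGNAME are now "Falcon-padded-1024"; if this variant pads every signature to exactly 1280 bytes, as the name suggests, the doc should say so, e.g. `* Signature length is fixed: exactly PQCLEAN_FALCONPADDED1024_AVX2_CRYPTO_BYTES bytes.`. I cannot confirm the padding behaviour from this hunk alone, so please check it against the signing code before changing the wording. Separately, changing `CRYPTO_ALGNAME` from "Falcon-1024 (PADDED)" to "Falcon-padded-1024" alters a string that callers may compare against at runtime, which is worth a line in the changelog.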
@@ -43,7 +43,7 @@ int PQCLEAN_FALCON1024PADDED_AVX2_crypto_sign_signature( * * Return value: 0 on success, -1 on error. */ -int PQCLEAN_FALCON1024PADDED_AVX2_crypto_sign_verify( +int PQCLEAN_FALCONPADDED1024_AVX2_crypto_sign_verify( const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk); @@ -51,14 +51,14 @@ int PQCLEAN_FALCON1024PADDED_AVX2_crypto_sign_verify( * Compute a signature on a message and pack the signature and message * into a single object, written into sm[]. The length of that output is * written in *smlen; that length may be larger than the message length - * (mlen) by up to PQCLEAN_FALCON1024PADDED_AVX2_CRYPTO_BYTES. + * (mlen) by up to PQCLEAN_FALCONPADDED1024_AVX2_CRYPTO_BYTES. * * sm[] and m[] may overlap each other arbitrarily; however, sm[] shall * not overlap with sk[]. * * Return value: 0 on success, -1 on error. */ -int PQCLEAN_FALCON1024PADDED_AVX2_crypto_sign( +int PQCLEAN_FALCONPADDED1024_AVX2_crypto_sign( uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, const uint8_t *sk); @@ -67,13 +67,13 @@ int PQCLEAN_FALCON1024PADDED_AVX2_crypto_sign( * on success, the message itself is written into m[] and its length * into *mlen. The message is shorter than the signed message object, * but the size difference depends on the signature value; the difference - * may range up to PQCLEAN_FALCON1024PADDED_AVX2_CRYPTO_BYTES. + * may range up to PQCLEAN_FALCONPADDED1024_AVX2_CRYPTO_BYTES. * * m[], sm[] and pk[] may overlap each other arbitrarily. * * Return value: 0 on success, -1 on error. */ -int PQCLEAN_FALCON1024PADDED_AVX2_crypto_sign_open( +int PQCLEAN_FALCONPADDED1024_AVX2_crypto_sign_open( uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, const uint8_t *pk); 
diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/codec.c b/Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/codec.c similarity index 96% rename from Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/codec.c rename to Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/codec.c index 406ae5cb..84466aa7 100644 --- a/Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/codec.c +++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/codec.c @@ -33,7 +33,7 @@ /* see inner.h */ size_t -PQCLEAN_FALCON1024PADDED_AVX2_modq_encode( +PQCLEAN_FALCONPADDED1024_AVX2_modq_encode( void *out, size_t max_out_len, const uint16_t *x, unsigned logn) { size_t n, out_len, u; @@ -73,7 +73,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_modq_encode( /* see inner.h */ size_t -PQCLEAN_FALCON1024PADDED_AVX2_modq_decode( +PQCLEAN_FALCONPADDED1024_AVX2_modq_decode( uint16_t *x, unsigned logn, const void *in, size_t max_in_len) { size_t n, in_len, u; @@ -112,7 +112,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_modq_decode( /* see inner.h */ size_t -PQCLEAN_FALCON1024PADDED_AVX2_trim_i16_encode( +PQCLEAN_FALCONPADDED1024_AVX2_trim_i16_encode( void *out, size_t max_out_len, const int16_t *x, unsigned logn, unsigned bits) { size_t n, u, out_len; @@ -156,7 +156,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_trim_i16_encode( /* see inner.h */ size_t -PQCLEAN_FALCON1024PADDED_AVX2_trim_i16_decode( +PQCLEAN_FALCONPADDED1024_AVX2_trim_i16_decode( int16_t *x, unsigned logn, unsigned bits, const void *in, size_t max_in_len) { size_t n, in_len; @@ -206,7 +206,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_trim_i16_decode( /* see inner.h */ size_t -PQCLEAN_FALCON1024PADDED_AVX2_trim_i8_encode( +PQCLEAN_FALCONPADDED1024_AVX2_trim_i8_encode( void *out, size_t max_out_len, const int8_t *x, unsigned logn, unsigned bits) { size_t n, u, out_len; 
@@ -250,7 +250,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_trim_i8_encode( /* see inner.h */ size_t -PQCLEAN_FALCON1024PADDED_AVX2_trim_i8_decode( +PQCLEAN_FALCONPADDED1024_AVX2_trim_i8_decode( int8_t *x, unsigned logn, unsigned bits, const void *in, size_t max_in_len) { size_t n, in_len; @@ -299,7 +299,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_trim_i8_decode( /* see inner.h */ size_t -PQCLEAN_FALCON1024PADDED_AVX2_comp_encode( +PQCLEAN_FALCONPADDED1024_AVX2_comp_encode( void *out, size_t max_out_len, const int16_t *x, unsigned logn) { uint8_t *buf; @@ -395,7 +395,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_comp_encode( /* see inner.h */ size_t -PQCLEAN_FALCON1024PADDED_AVX2_comp_decode( +PQCLEAN_FALCONPADDED1024_AVX2_comp_decode( int16_t *x, unsigned logn, const void *in, size_t max_in_len) { const uint8_t *buf; @@ -499,7 +499,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_comp_decode( * of max_fg_bits[] and max_FG_bits[] shall be greater than 8. */ -const uint8_t PQCLEAN_FALCON1024PADDED_AVX2_max_fg_bits[] = { +const uint8_t PQCLEAN_FALCONPADDED1024_AVX2_max_fg_bits[] = { 0, /* unused */ 8, 8, @@ -513,7 +513,7 @@ const uint8_t PQCLEAN_FALCON1024PADDED_AVX2_max_fg_bits[] = { 5 }; -const uint8_t PQCLEAN_FALCON1024PADDED_AVX2_max_FG_bits[] = { +const uint8_t PQCLEAN_FALCONPADDED1024_AVX2_max_FG_bits[] = { 0, /* unused */ 8, 8, @@ -555,7 +555,7 @@ const uint8_t PQCLEAN_FALCON1024PADDED_AVX2_max_FG_bits[] = { * in -2047..2047, i.e. 12 bits. */ -const uint8_t PQCLEAN_FALCON1024PADDED_AVX2_max_sig_bits[] = { +const uint8_t PQCLEAN_FALCONPADDED1024_AVX2_max_sig_bits[] = { 0, /* unused */ 10, 11, diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/common.c b/Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/common.c similarity index 97% rename from Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/common.c rename to Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/common.c index 3816e5c8..affe907e 100644 --- a/Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/common.c 
+++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/common.c @@ -33,7 +33,7 @@ /* see inner.h */ void -PQCLEAN_FALCON1024PADDED_AVX2_hash_to_point_vartime( +PQCLEAN_FALCONPADDED1024_AVX2_hash_to_point_vartime( inner_shake256_context *sc, uint16_t *x, unsigned logn) { /* @@ -67,7 +67,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_hash_to_point_vartime( /* see inner.h */ void -PQCLEAN_FALCON1024PADDED_AVX2_hash_to_point_ct( +PQCLEAN_FALCONPADDED1024_AVX2_hash_to_point_ct( inner_shake256_context *sc, uint16_t *x, unsigned logn, uint8_t *tmp) { /* @@ -252,7 +252,7 @@ static const uint32_t l2bound[] = { /* see inner.h */ int -PQCLEAN_FALCON1024PADDED_AVX2_is_short( +PQCLEAN_FALCONPADDED1024_AVX2_is_short( const int16_t *s1, const int16_t *s2, unsigned logn) { /* * We use the l2-norm. Code below uses only 32-bit operations to @@ -282,7 +282,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_is_short( /* see inner.h */ int -PQCLEAN_FALCON1024PADDED_AVX2_is_short_half( +PQCLEAN_FALCONPADDED1024_AVX2_is_short_half( uint32_t sqn, const int16_t *s2, unsigned logn) { size_t n, u; uint32_t ng; diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/fft.c b/Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/fft.c similarity index 97% rename from Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/fft.c rename to Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/fft.c index e979b3d5..2b8ca7b4 100644 --- a/Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/fft.c +++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/fft.c @@ -168,7 +168,7 @@ /* see inner.h */ void -PQCLEAN_FALCON1024PADDED_AVX2_FFT(fpr *f, unsigned logn) { +PQCLEAN_FALCONPADDED1024_AVX2_FFT(fpr *f, unsigned logn) { /* * FFT algorithm in bit-reversal order uses the following * iterative algorithm: 
@@ -279,7 +279,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_FFT(fpr *f, unsigned logn) { /* see inner.h */ void -PQCLEAN_FALCON1024PADDED_AVX2_iFFT(fpr *f, unsigned logn) { +PQCLEAN_FALCONPADDED1024_AVX2_iFFT(fpr *f, unsigned logn) { /* * Inverse FFT algorithm in bit-reversal order uses the following * iterative algorithm: @@ -406,7 +406,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_iFFT(fpr *f, unsigned logn) { /* see inner.h */ void -PQCLEAN_FALCON1024PADDED_AVX2_poly_add( +PQCLEAN_FALCONPADDED1024_AVX2_poly_add( fpr *a, const fpr *b, unsigned logn) { size_t n, u; @@ -427,7 +427,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_poly_add( /* see inner.h */ void -PQCLEAN_FALCON1024PADDED_AVX2_poly_sub( +PQCLEAN_FALCONPADDED1024_AVX2_poly_sub( fpr *a, const fpr *b, unsigned logn) { size_t n, u; @@ -448,7 +448,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_poly_sub( /* see inner.h */ void -PQCLEAN_FALCON1024PADDED_AVX2_poly_neg(fpr *a, unsigned logn) { +PQCLEAN_FALCONPADDED1024_AVX2_poly_neg(fpr *a, unsigned logn) { size_t n, u; n = (size_t)1 << logn; @@ -469,7 +469,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_poly_neg(fpr *a, unsigned logn) { /* see inner.h */ void -PQCLEAN_FALCON1024PADDED_AVX2_poly_adj_fft(fpr *a, unsigned logn) { +PQCLEAN_FALCONPADDED1024_AVX2_poly_adj_fft(fpr *a, unsigned logn) { size_t n, u; n = (size_t)1 << logn; @@ -490,7 +490,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_poly_adj_fft(fpr *a, unsigned logn) { /* see inner.h */ void -PQCLEAN_FALCON1024PADDED_AVX2_poly_mul_fft( +PQCLEAN_FALCONPADDED1024_AVX2_poly_mul_fft( fpr *a, const fpr *b, unsigned logn) { size_t n, hn, u; @@ -526,7 +526,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_poly_mul_fft( /* see inner.h */ void -PQCLEAN_FALCON1024PADDED_AVX2_poly_muladj_fft( +PQCLEAN_FALCONPADDED1024_AVX2_poly_muladj_fft( fpr *a, const fpr *b, unsigned logn) { size_t n, hn, u; 
@@ -562,7 +562,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_poly_muladj_fft( /* see inner.h */ void -PQCLEAN_FALCON1024PADDED_AVX2_poly_mulselfadj_fft(fpr *a, unsigned logn) { +PQCLEAN_FALCONPADDED1024_AVX2_poly_mulselfadj_fft(fpr *a, unsigned logn) { /* * Since each coefficient is multiplied with its own conjugate, * the result contains only real values. @@ -599,7 +599,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_poly_mulselfadj_fft(fpr *a, unsigned logn) { /* see inner.h */ void -PQCLEAN_FALCON1024PADDED_AVX2_poly_mulconst(fpr *a, fpr x, unsigned logn) { +PQCLEAN_FALCONPADDED1024_AVX2_poly_mulconst(fpr *a, fpr x, unsigned logn) { size_t n, u; n = (size_t)1 << logn; @@ -620,7 +620,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_poly_mulconst(fpr *a, fpr x, unsigned logn) { /* see inner.h */ void -PQCLEAN_FALCON1024PADDED_AVX2_poly_div_fft( +PQCLEAN_FALCONPADDED1024_AVX2_poly_div_fft( fpr *a, const fpr *b, unsigned logn) { size_t n, hn, u; @@ -664,7 +664,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_poly_div_fft( /* see inner.h */ void -PQCLEAN_FALCON1024PADDED_AVX2_poly_invnorm2_fft(fpr *d, +PQCLEAN_FALCONPADDED1024_AVX2_poly_invnorm2_fft(fpr *d, const fpr *a, const fpr *b, unsigned logn) { size_t n, hn, u; @@ -707,7 +707,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_poly_invnorm2_fft(fpr *d, /* see inner.h */ void -PQCLEAN_FALCON1024PADDED_AVX2_poly_add_muladj_fft(fpr *d, +PQCLEAN_FALCONPADDED1024_AVX2_poly_add_muladj_fft(fpr *d, const fpr *F, const fpr *G, const fpr *f, const fpr *g, unsigned logn) { size_t n, hn, u; @@ -767,7 +767,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_poly_add_muladj_fft(fpr *d, /* see inner.h */ void -PQCLEAN_FALCON1024PADDED_AVX2_poly_mul_autoadj_fft( +PQCLEAN_FALCONPADDED1024_AVX2_poly_mul_autoadj_fft( fpr *a, const fpr *b, unsigned logn) { size_t n, hn, u; 
@@ -795,7 +795,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_poly_mul_autoadj_fft( /* see inner.h */ void -PQCLEAN_FALCON1024PADDED_AVX2_poly_div_autoadj_fft( +PQCLEAN_FALCONPADDED1024_AVX2_poly_div_autoadj_fft( fpr *a, const fpr *b, unsigned logn) { size_t n, hn, u; @@ -827,7 +827,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_poly_div_autoadj_fft( /* see inner.h */ void -PQCLEAN_FALCON1024PADDED_AVX2_poly_LDL_fft( +PQCLEAN_FALCONPADDED1024_AVX2_poly_LDL_fft( const fpr *g00, fpr *g01, fpr *g11, unsigned logn) { size_t n, hn, u; @@ -893,7 +893,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_poly_LDL_fft( /* see inner.h */ void -PQCLEAN_FALCON1024PADDED_AVX2_poly_LDLmv_fft( +PQCLEAN_FALCONPADDED1024_AVX2_poly_LDLmv_fft( fpr *d11, fpr *l10, const fpr *g00, const fpr *g01, const fpr *g11, unsigned logn) { @@ -960,7 +960,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_poly_LDLmv_fft( /* see inner.h */ void -PQCLEAN_FALCON1024PADDED_AVX2_poly_split_fft( +PQCLEAN_FALCONPADDED1024_AVX2_poly_split_fft( fpr *f0, fpr *f1, const fpr *f, unsigned logn) { /* @@ -1033,7 +1033,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_poly_split_fft( /* see inner.h */ void -PQCLEAN_FALCON1024PADDED_AVX2_poly_merge_fft( +PQCLEAN_FALCONPADDED1024_AVX2_poly_merge_fft( fpr *f, const fpr *f0, const fpr *f1, unsigned logn) { size_t n, hn, qn, u; diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/fpr.c b/Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/fpr.c similarity index 100% rename from Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/fpr.c rename to Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/fpr.c diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/fpr.h b/Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/fpr.h similarity index 98% rename from Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/fpr.h rename to Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/fpr.h index f9f420aa..6073efff 100644 --- a/Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/fpr.h 
+++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/fpr.h @@ -353,10 +353,10 @@ fpr_expm_p63(fpr x, fpr ccs) { } -#define fpr_gm_tab PQCLEAN_FALCON1024PADDED_AVX2_fpr_gm_tab +#define fpr_gm_tab PQCLEAN_FALCONPADDED1024_AVX2_fpr_gm_tab extern const fpr fpr_gm_tab[]; -#define fpr_p2_tab PQCLEAN_FALCON1024PADDED_AVX2_fpr_p2_tab +#define fpr_p2_tab PQCLEAN_FALCONPADDED1024_AVX2_fpr_p2_tab extern const fpr fpr_p2_tab[]; /* ====================================================================== */ diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/inner.h b/Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/inner.h similarity index 88% rename from Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/inner.h rename to Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/inner.h index 9a23f8aa..5c0d57b2 100644 --- a/Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/inner.h +++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/inner.h @@ -42,7 +42,7 @@ * * * - All public functions (i.e. the non-static ones) must be referenced - * with the PQCLEAN_FALCON1024PADDED_AVX2_ macro (e.g. PQCLEAN_FALCON1024PADDED_AVX2_verify_raw for the verify_raw() + * with the PQCLEAN_FALCONPADDED1024_AVX2_ macro (e.g. PQCLEAN_FALCONPADDED1024_AVX2_verify_raw for the verify_raw() * function). That macro adds a prefix to the name, which is * configurable with the FALCON_PREFIX macro. This allows compiling * the code into a specific "namespace" and potentially including @@ -65,7 +65,7 @@ * word. The caller MUST use set_fpu_cw() to ensure proper precision: * * oldcw = set_fpu_cw(2); - * PQCLEAN_FALCON1024PADDED_AVX2_sign_dyn(...); + * PQCLEAN_FALCONPADDED1024_AVX2_sign_dyn(...); * set_fpu_cw(oldcw); * * On systems where the native floating-point precision is already 
@@ -162,22 +162,22 @@ set_fpu_cw(unsigned x) {
 *
 */
-size_t PQCLEAN_FALCON1024PADDED_AVX2_modq_encode(void *out, size_t max_out_len,
+size_t PQCLEAN_FALCONPADDED1024_AVX2_modq_encode(void *out, size_t max_out_len,
 const uint16_t *x, unsigned logn);
-size_t PQCLEAN_FALCON1024PADDED_AVX2_trim_i16_encode(void *out, size_t max_out_len,
+size_t PQCLEAN_FALCONPADDED1024_AVX2_trim_i16_encode(void *out, size_t max_out_len,
 const int16_t *x, unsigned logn, unsigned bits);
-size_t PQCLEAN_FALCON1024PADDED_AVX2_trim_i8_encode(void *out, size_t max_out_len,
+size_t PQCLEAN_FALCONPADDED1024_AVX2_trim_i8_encode(void *out, size_t max_out_len,
 const int8_t *x, unsigned logn, unsigned bits);
-size_t PQCLEAN_FALCON1024PADDED_AVX2_comp_encode(void *out, size_t max_out_len,
+size_t PQCLEAN_FALCONPADDED1024_AVX2_comp_encode(void *out, size_t max_out_len,
 const int16_t *x, unsigned logn);
-size_t PQCLEAN_FALCON1024PADDED_AVX2_modq_decode(uint16_t *x, unsigned logn,
+size_t PQCLEAN_FALCONPADDED1024_AVX2_modq_decode(uint16_t *x, unsigned logn,
 const void *in, size_t max_in_len);
-size_t PQCLEAN_FALCON1024PADDED_AVX2_trim_i16_decode(int16_t *x, unsigned logn, unsigned bits,
+size_t PQCLEAN_FALCONPADDED1024_AVX2_trim_i16_decode(int16_t *x, unsigned logn, unsigned bits,
 const void *in, size_t max_in_len);
-size_t PQCLEAN_FALCON1024PADDED_AVX2_trim_i8_decode(int8_t *x, unsigned logn, unsigned bits,
+size_t PQCLEAN_FALCONPADDED1024_AVX2_trim_i8_decode(int8_t *x, unsigned logn, unsigned bits,
 const void *in, size_t max_in_len);
-size_t PQCLEAN_FALCON1024PADDED_AVX2_comp_decode(int16_t *x, unsigned logn,
+size_t PQCLEAN_FALCONPADDED1024_AVX2_comp_decode(int16_t *x, unsigned logn,
 const void *in, size_t max_in_len);
 /*
@@ -185,14 +185,14 @@ size_t PQCLEAN_FALCON1024PADDED_AVX2_comp_decode(int16_t *x, unsigned logn, * is at most 8 bits for all degrees, but some degrees may have shorter * elements. */ -extern const uint8_t PQCLEAN_FALCON1024PADDED_AVX2_max_fg_bits[]; -extern const uint8_t PQCLEAN_FALCON1024PADDED_AVX2_max_FG_bits[]; +extern const uint8_t PQCLEAN_FALCONPADDED1024_AVX2_max_fg_bits[]; +extern const uint8_t PQCLEAN_FALCONPADDED1024_AVX2_max_FG_bits[]; /* * Maximum size, in bits, of elements in a signature, indexed by logn * (1 to 10). The size includes the sign bit. */ -extern const uint8_t PQCLEAN_FALCON1024PADDED_AVX2_max_sig_bits[]; +extern const uint8_t PQCLEAN_FALCONPADDED1024_AVX2_max_sig_bits[]; /* ==================================================================== */ /* @@ -206,18 +206,18 @@ extern const uint8_t PQCLEAN_FALCON1024PADDED_AVX2_max_sig_bits[]; * information to serve as a stop condition on a brute force attack on * the hashed message (provided that the nonce value is known). */ -void PQCLEAN_FALCON1024PADDED_AVX2_hash_to_point_vartime(inner_shake256_context *sc, +void PQCLEAN_FALCONPADDED1024_AVX2_hash_to_point_vartime(inner_shake256_context *sc, uint16_t *x, unsigned logn); /* * From a SHAKE256 context (must be already flipped), produce a new * point. The temporary buffer (tmp) must have room for 2*2^logn bytes. * This function is constant-time but is typically more expensive than - * PQCLEAN_FALCON1024PADDED_AVX2_hash_to_point_vartime(). + * PQCLEAN_FALCONPADDED1024_AVX2_hash_to_point_vartime(). * * tmp[] must have 16-bit alignment. */ -void PQCLEAN_FALCON1024PADDED_AVX2_hash_to_point_ct(inner_shake256_context *sc, +void PQCLEAN_FALCONPADDED1024_AVX2_hash_to_point_ct(inner_shake256_context *sc, uint16_t *x, unsigned logn, uint8_t *tmp); /* 
@@ -226,7 +226,7 @@ void PQCLEAN_FALCON1024PADDED_AVX2_hash_to_point_ct(inner_shake256_context *sc, * vector with the acceptance bound. Returned value is 1 on success * (vector is short enough to be acceptable), 0 otherwise. */ -int PQCLEAN_FALCON1024PADDED_AVX2_is_short(const int16_t *s1, const int16_t *s2, unsigned logn); +int PQCLEAN_FALCONPADDED1024_AVX2_is_short(const int16_t *s1, const int16_t *s2, unsigned logn); /* * Tell whether a given vector (2N coordinates, in two halves) is @@ -238,7 +238,7 @@ int PQCLEAN_FALCON1024PADDED_AVX2_is_short(const int16_t *s1, const int16_t *s2, * Returned value is 1 on success (vector is short enough to be * acceptable), 0 otherwise. */ -int PQCLEAN_FALCON1024PADDED_AVX2_is_short_half(uint32_t sqn, const int16_t *s2, unsigned logn); +int PQCLEAN_FALCONPADDED1024_AVX2_is_short_half(uint32_t sqn, const int16_t *s2, unsigned logn); /* ==================================================================== */ /* @@ -249,7 +249,7 @@ int PQCLEAN_FALCON1024PADDED_AVX2_is_short_half(uint32_t sqn, const int16_t *s2, * Convert a public key to NTT + Montgomery format. Conversion is done * in place. */ -void PQCLEAN_FALCON1024PADDED_AVX2_to_ntt_monty(uint16_t *h, unsigned logn); +void PQCLEAN_FALCONPADDED1024_AVX2_to_ntt_monty(uint16_t *h, unsigned logn); /* * Internal signature verification code: @@ -262,7 +262,7 @@ void PQCLEAN_FALCON1024PADDED_AVX2_to_ntt_monty(uint16_t *h, unsigned logn); * * tmp[] must have 16-bit alignment. */ -int PQCLEAN_FALCON1024PADDED_AVX2_verify_raw(const uint16_t *c0, const int16_t *s2, +int PQCLEAN_FALCONPADDED1024_AVX2_verify_raw(const uint16_t *c0, const int16_t *s2, const uint16_t *h, unsigned logn, uint8_t *tmp); /* 
@@ -274,7 +274,7 @@ int PQCLEAN_FALCON1024PADDED_AVX2_verify_raw(const uint16_t *c0, const int16_t * * The tmp[] array must have room for at least 2*2^logn elements. * tmp[] must have 16-bit alignment. */ -int PQCLEAN_FALCON1024PADDED_AVX2_compute_public(uint16_t *h, +int PQCLEAN_FALCONPADDED1024_AVX2_compute_public(uint16_t *h, const int8_t *f, const int8_t *g, unsigned logn, uint8_t *tmp); /* @@ -288,7 +288,7 @@ int PQCLEAN_FALCON1024PADDED_AVX2_compute_public(uint16_t *h, * Returned value is 1 in success, 0 on error (f not invertible). * tmp[] must have 16-bit alignment. */ -int PQCLEAN_FALCON1024PADDED_AVX2_complete_private(int8_t *G, +int PQCLEAN_FALCONPADDED1024_AVX2_complete_private(int8_t *G, const int8_t *f, const int8_t *g, const int8_t *F, unsigned logn, uint8_t *tmp); @@ -298,7 +298,7 @@ int PQCLEAN_FALCON1024PADDED_AVX2_complete_private(int8_t *G, * * tmp[] must have 16-bit alignment. */ -int PQCLEAN_FALCON1024PADDED_AVX2_is_invertible( +int PQCLEAN_FALCONPADDED1024_AVX2_is_invertible( const int16_t *s2, unsigned logn, uint8_t *tmp); /* @@ -309,7 +309,7 @@ int PQCLEAN_FALCON1024PADDED_AVX2_is_invertible( * * tmp[] must have 16-bit alignment. */ -int PQCLEAN_FALCON1024PADDED_AVX2_count_nttzero(const int16_t *sig, unsigned logn, uint8_t *tmp); +int PQCLEAN_FALCONPADDED1024_AVX2_count_nttzero(const int16_t *sig, unsigned logn, uint8_t *tmp); /* * Internal signature verification with public key recovery: @@ -329,7 +329,7 @@ int PQCLEAN_FALCON1024PADDED_AVX2_count_nttzero(const int16_t *sig, unsigned log * * tmp[] must have 16-bit alignment. */ -int PQCLEAN_FALCON1024PADDED_AVX2_verify_recover(uint16_t *h, +int PQCLEAN_FALCONPADDED1024_AVX2_verify_recover(uint16_t *h, const uint16_t *c0, const int16_t *s1, const int16_t *s2, unsigned logn, uint8_t *tmp); 
@@ -450,7 +450,7 @@ int PQCLEAN_FALCON1024PADDED_AVX2_verify_recover(uint16_t *h, * * Returned value is 1 on success, 0 on error. */ -int PQCLEAN_FALCON1024PADDED_AVX2_get_seed(void *seed, size_t seed_len); +int PQCLEAN_FALCONPADDED1024_AVX2_get_seed(void *seed, size_t seed_len); /* * Structure for a PRNG. This includes a large buffer so that values @@ -477,18 +477,18 @@ typedef struct { * Instantiate a PRNG. That PRNG will feed over the provided SHAKE256 * context (in "flipped" state) to obtain its initial state. */ -void PQCLEAN_FALCON1024PADDED_AVX2_prng_init(prng *p, inner_shake256_context *src); +void PQCLEAN_FALCONPADDED1024_AVX2_prng_init(prng *p, inner_shake256_context *src); /* * Refill the PRNG buffer. This is normally invoked automatically, and * is declared here only so that prng_get_u64() may be inlined. */ -void PQCLEAN_FALCON1024PADDED_AVX2_prng_refill(prng *p); +void PQCLEAN_FALCONPADDED1024_AVX2_prng_refill(prng *p); /* * Get some bytes from a PRNG. */ -void PQCLEAN_FALCON1024PADDED_AVX2_prng_get_bytes(prng *p, void *dst, size_t len); +void PQCLEAN_FALCONPADDED1024_AVX2_prng_get_bytes(prng *p, void *dst, size_t len); /* * Get a 64-bit random value from a PRNG. @@ -505,7 +505,7 @@ prng_get_u64(prng *p) { */ u = p->ptr; if (u >= (sizeof p->buf.d) - 9) { - PQCLEAN_FALCON1024PADDED_AVX2_prng_refill(p); + PQCLEAN_FALCONPADDED1024_AVX2_prng_refill(p); u = 0; } p->ptr = u + 8; @@ -529,7 +529,7 @@ prng_get_u8(prng *p) { v = p->buf.d[p->ptr ++]; if (p->ptr == sizeof p->buf.d) { - PQCLEAN_FALCON1024PADDED_AVX2_prng_refill(p); + PQCLEAN_FALCONPADDED1024_AVX2_prng_refill(p); } return v; } @@ -552,7 +552,7 @@ prng_get_u8(prng *p) { * * 'logn' MUST lie between 1 and 10 (inclusive). */ -void PQCLEAN_FALCON1024PADDED_AVX2_FFT(fpr *f, unsigned logn); +void PQCLEAN_FALCONPADDED1024_AVX2_FFT(fpr *f, unsigned logn); /* * Compute the inverse FFT in-place: the source array should contain the 
@@ -562,61 +562,61 @@ void PQCLEAN_FALCON1024PADDED_AVX2_FFT(fpr *f, unsigned logn); * * 'logn' MUST lie between 1 and 10 (inclusive). */ -void PQCLEAN_FALCON1024PADDED_AVX2_iFFT(fpr *f, unsigned logn); +void PQCLEAN_FALCONPADDED1024_AVX2_iFFT(fpr *f, unsigned logn); /* * Add polynomial b to polynomial a. a and b MUST NOT overlap. This * function works in both normal and FFT representations. */ -void PQCLEAN_FALCON1024PADDED_AVX2_poly_add(fpr *a, const fpr *b, unsigned logn); +void PQCLEAN_FALCONPADDED1024_AVX2_poly_add(fpr *a, const fpr *b, unsigned logn); /* * Subtract polynomial b from polynomial a. a and b MUST NOT overlap. This * function works in both normal and FFT representations. */ -void PQCLEAN_FALCON1024PADDED_AVX2_poly_sub(fpr *a, const fpr *b, unsigned logn); +void PQCLEAN_FALCONPADDED1024_AVX2_poly_sub(fpr *a, const fpr *b, unsigned logn); /* * Negate polynomial a. This function works in both normal and FFT * representations. */ -void PQCLEAN_FALCON1024PADDED_AVX2_poly_neg(fpr *a, unsigned logn); +void PQCLEAN_FALCONPADDED1024_AVX2_poly_neg(fpr *a, unsigned logn); /* * Compute adjoint of polynomial a. This function works only in FFT * representation. */ -void PQCLEAN_FALCON1024PADDED_AVX2_poly_adj_fft(fpr *a, unsigned logn); +void PQCLEAN_FALCONPADDED1024_AVX2_poly_adj_fft(fpr *a, unsigned logn); /* * Multiply polynomial a with polynomial b. a and b MUST NOT overlap. * This function works only in FFT representation. */ -void PQCLEAN_FALCON1024PADDED_AVX2_poly_mul_fft(fpr *a, const fpr *b, unsigned logn); +void PQCLEAN_FALCONPADDED1024_AVX2_poly_mul_fft(fpr *a, const fpr *b, unsigned logn); /* * Multiply polynomial a with the adjoint of polynomial b. a and b MUST NOT * overlap. This function works only in FFT representation. */ -void PQCLEAN_FALCON1024PADDED_AVX2_poly_muladj_fft(fpr *a, const fpr *b, unsigned logn); +void PQCLEAN_FALCONPADDED1024_AVX2_poly_muladj_fft(fpr *a, const fpr *b, unsigned logn); /* * Multiply polynomial with its own adjoint. 
This function works only in FFT * representation. */ -void PQCLEAN_FALCON1024PADDED_AVX2_poly_mulselfadj_fft(fpr *a, unsigned logn); +void PQCLEAN_FALCONPADDED1024_AVX2_poly_mulselfadj_fft(fpr *a, unsigned logn); /* * Multiply polynomial with a real constant. This function works in both * normal and FFT representations. */ -void PQCLEAN_FALCON1024PADDED_AVX2_poly_mulconst(fpr *a, fpr x, unsigned logn); +void PQCLEAN_FALCONPADDED1024_AVX2_poly_mulconst(fpr *a, fpr x, unsigned logn); /* * Divide polynomial a by polynomial b, modulo X^N+1 (FFT representation). * a and b MUST NOT overlap. */ -void PQCLEAN_FALCON1024PADDED_AVX2_poly_div_fft(fpr *a, const fpr *b, unsigned logn); +void PQCLEAN_FALCONPADDED1024_AVX2_poly_div_fft(fpr *a, const fpr *b, unsigned logn); /* * Given f and g (in FFT representation), compute 1/(f*adj(f)+g*adj(g)) @@ -626,7 +626,7 @@ void PQCLEAN_FALCON1024PADDED_AVX2_poly_div_fft(fpr *a, const fpr *b, unsigned l * * Array d MUST NOT overlap with either a or b. */ -void PQCLEAN_FALCON1024PADDED_AVX2_poly_invnorm2_fft(fpr *d, +void PQCLEAN_FALCONPADDED1024_AVX2_poly_invnorm2_fft(fpr *d, const fpr *a, const fpr *b, unsigned logn); /* @@ -634,7 +634,7 @@ void PQCLEAN_FALCON1024PADDED_AVX2_poly_invnorm2_fft(fpr *d, * (also in FFT representation). Destination d MUST NOT overlap with * any of the source arrays. */ -void PQCLEAN_FALCON1024PADDED_AVX2_poly_add_muladj_fft(fpr *d, +void PQCLEAN_FALCONPADDED1024_AVX2_poly_add_muladj_fft(fpr *d, const fpr *F, const fpr *G, const fpr *f, const fpr *g, unsigned logn); @@ -644,7 +644,7 @@ void PQCLEAN_FALCON1024PADDED_AVX2_poly_add_muladj_fft(fpr *d, * FFT coefficients are real, and the array b contains only N/2 elements. * a and b MUST NOT overlap. */ -void PQCLEAN_FALCON1024PADDED_AVX2_poly_mul_autoadj_fft(fpr *a, +void PQCLEAN_FALCONPADDED1024_AVX2_poly_mul_autoadj_fft(fpr *a, const fpr *b, unsigned logn); /* 
@@ -653,7 +653,7 @@ void PQCLEAN_FALCON1024PADDED_AVX2_poly_mul_autoadj_fft(fpr *a, * FFT coefficients are real, and the array b contains only N/2 elements. * a and b MUST NOT overlap. */ -void PQCLEAN_FALCON1024PADDED_AVX2_poly_div_autoadj_fft(fpr *a, +void PQCLEAN_FALCONPADDED1024_AVX2_poly_div_autoadj_fft(fpr *a, const fpr *b, unsigned logn); /* @@ -664,7 +664,7 @@ void PQCLEAN_FALCON1024PADDED_AVX2_poly_div_autoadj_fft(fpr *a, * (with D = [[d00, 0], [0, d11]] and L = [[1, 0], [l10, 1]]). * (In fact, d00 = g00, so the g00 operand is left unmodified.) */ -void PQCLEAN_FALCON1024PADDED_AVX2_poly_LDL_fft(const fpr *g00, +void PQCLEAN_FALCONPADDED1024_AVX2_poly_LDL_fft(const fpr *g00, fpr *g01, fpr *g11, unsigned logn); /* @@ -673,7 +673,7 @@ void PQCLEAN_FALCON1024PADDED_AVX2_poly_LDL_fft(const fpr *g00, * g00, g01 and g11 are unmodified; the outputs d11 and l10 are written * in two other separate buffers provided as extra parameters. */ -void PQCLEAN_FALCON1024PADDED_AVX2_poly_LDLmv_fft(fpr *d11, fpr *l10, +void PQCLEAN_FALCONPADDED1024_AVX2_poly_LDLmv_fft(fpr *d11, fpr *l10, const fpr *g00, const fpr *g01, const fpr *g11, unsigned logn); @@ -682,7 +682,7 @@ void PQCLEAN_FALCON1024PADDED_AVX2_poly_LDLmv_fft(fpr *d11, fpr *l10, * f = f0(x^2) + x*f1(x^2), for half-size polynomials f0 and f1 * (polynomials modulo X^(N/2)+1). f0, f1 and f MUST NOT overlap. */ -void PQCLEAN_FALCON1024PADDED_AVX2_poly_split_fft(fpr *f0, fpr *f1, +void PQCLEAN_FALCONPADDED1024_AVX2_poly_split_fft(fpr *f0, fpr *f1, const fpr *f, unsigned logn); /* @@ -691,7 +691,7 @@ void PQCLEAN_FALCON1024PADDED_AVX2_poly_split_fft(fpr *f0, fpr *f1, * f = f0(x^2) + x*f1(x^2), in FFT representation modulo X^N+1. * f MUST NOT overlap with either f0 or f1. */ -void PQCLEAN_FALCON1024PADDED_AVX2_poly_merge_fft(fpr *f, +void PQCLEAN_FALCONPADDED1024_AVX2_poly_merge_fft(fpr *f, const fpr *f0, const fpr *f1, unsigned logn); /* ==================================================================== */ 
@@ -730,7 +730,7 @@ void PQCLEAN_FALCON1024PADDED_AVX2_poly_merge_fft(fpr *f, * tmp[] must have 64-bit alignment. * This function uses floating-point rounding (see set_fpu_cw()). */ -void PQCLEAN_FALCON1024PADDED_AVX2_keygen(inner_shake256_context *rng, +void PQCLEAN_FALCONPADDED1024_AVX2_keygen(inner_shake256_context *rng, int8_t *f, int8_t *g, int8_t *F, int8_t *G, uint16_t *h, unsigned logn, uint8_t *tmp); @@ -749,14 +749,14 @@ void PQCLEAN_FALCON1024PADDED_AVX2_keygen(inner_shake256_context *rng, * tmp[] must have 64-bit alignment. * This function uses floating-point rounding (see set_fpu_cw()). */ -void PQCLEAN_FALCON1024PADDED_AVX2_expand_privkey(fpr *expanded_key, +void PQCLEAN_FALCONPADDED1024_AVX2_expand_privkey(fpr *expanded_key, const int8_t *f, const int8_t *g, const int8_t *F, const int8_t *G, unsigned logn, uint8_t *tmp); /* * Compute a signature over the provided hashed message (hm); the * signature value is one short vector. This function uses an - * expanded key (as generated by PQCLEAN_FALCON1024PADDED_AVX2_expand_privkey()). + * expanded key (as generated by PQCLEAN_FALCONPADDED1024_AVX2_expand_privkey()). * * The sig[] and hm[] buffers may overlap. * @@ -768,7 +768,7 @@ void PQCLEAN_FALCON1024PADDED_AVX2_expand_privkey(fpr *expanded_key, * tmp[] must have 64-bit alignment. * This function uses floating-point rounding (see set_fpu_cw()). */ -void PQCLEAN_FALCON1024PADDED_AVX2_sign_tree(int16_t *sig, inner_shake256_context *rng, +void PQCLEAN_FALCONPADDED1024_AVX2_sign_tree(int16_t *sig, inner_shake256_context *rng, const fpr *expanded_key, const uint16_t *hm, unsigned logn, uint8_t *tmp); 
@@ -789,7 +789,7 @@ void PQCLEAN_FALCON1024PADDED_AVX2_sign_tree(int16_t *sig, inner_shake256_contex * tmp[] must have 64-bit alignment. * This function uses floating-point rounding (see set_fpu_cw()). */ -void PQCLEAN_FALCON1024PADDED_AVX2_sign_dyn(int16_t *sig, inner_shake256_context *rng, +void PQCLEAN_FALCONPADDED1024_AVX2_sign_dyn(int16_t *sig, inner_shake256_context *rng, const int8_t *f, const int8_t *g, const int8_t *F, const int8_t *G, const uint16_t *hm, unsigned logn, uint8_t *tmp); @@ -818,9 +818,9 @@ typedef struct { fpr sigma_min; } sampler_context; -int PQCLEAN_FALCON1024PADDED_AVX2_sampler(void *ctx, fpr mu, fpr isigma); +int PQCLEAN_FALCONPADDED1024_AVX2_sampler(void *ctx, fpr mu, fpr isigma); -int PQCLEAN_FALCON1024PADDED_AVX2_gaussian0_sampler(prng *p); +int PQCLEAN_FALCONPADDED1024_AVX2_gaussian0_sampler(prng *p); /* ==================================================================== */ diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/keygen.c b/Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/keygen.c similarity index 98% rename from Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/keygen.c rename to Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/keygen.c index 6a649639..d3197b8c 100644 --- a/Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/keygen.c +++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/keygen.c 
@@ -3070,11 +3070,11 @@ solve_NTRU_intermediate(unsigned logn_top,
 * Compute 1/(f*adj(f)+g*adj(g)) in rt5. We also keep adj(f)
 * and adj(g) in rt3 and rt4, respectively.
 */
- PQCLEAN_FALCON1024PADDED_AVX2_FFT(rt3, logn);
- PQCLEAN_FALCON1024PADDED_AVX2_FFT(rt4, logn);
- PQCLEAN_FALCON1024PADDED_AVX2_poly_invnorm2_fft(rt5, rt3, rt4, logn);
- PQCLEAN_FALCON1024PADDED_AVX2_poly_adj_fft(rt3, logn);
- PQCLEAN_FALCON1024PADDED_AVX2_poly_adj_fft(rt4, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_FFT(rt3, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_FFT(rt4, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_poly_invnorm2_fft(rt5, rt3, rt4, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_poly_adj_fft(rt3, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_poly_adj_fft(rt4, logn);
 /*
 * Reduce F and G repeatedly.
@@ -3134,13 +3134,13 @@ solve_NTRU_intermediate(unsigned logn_top,
 /*
 * Compute (F*adj(f)+G*adj(g))/(f*adj(f)+g*adj(g)) in rt2.
 */
- PQCLEAN_FALCON1024PADDED_AVX2_FFT(rt1, logn);
- PQCLEAN_FALCON1024PADDED_AVX2_FFT(rt2, logn);
- PQCLEAN_FALCON1024PADDED_AVX2_poly_mul_fft(rt1, rt3, logn);
- PQCLEAN_FALCON1024PADDED_AVX2_poly_mul_fft(rt2, rt4, logn);
- PQCLEAN_FALCON1024PADDED_AVX2_poly_add(rt2, rt1, logn);
- PQCLEAN_FALCON1024PADDED_AVX2_poly_mul_autoadj_fft(rt2, rt5, logn);
- PQCLEAN_FALCON1024PADDED_AVX2_iFFT(rt2, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_FFT(rt1, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_FFT(rt2, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_poly_mul_fft(rt1, rt3, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_poly_mul_fft(rt2, rt4, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_poly_add(rt2, rt1, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_poly_mul_autoadj_fft(rt2, rt5, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_iFFT(rt2, logn);
 /*
 * (f,g) are scaled by 'scale_fg', meaning that the
@@ -3588,10 +3588,10 @@ solve_NTRU_binary_depth1(unsigned logn_top,
 * rt4 = g
 * in that order in RAM. We convert all of them to FFT.
 */
- PQCLEAN_FALCON1024PADDED_AVX2_FFT(rt1, logn);
- PQCLEAN_FALCON1024PADDED_AVX2_FFT(rt2, logn);
- PQCLEAN_FALCON1024PADDED_AVX2_FFT(rt3, logn);
- PQCLEAN_FALCON1024PADDED_AVX2_FFT(rt4, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_FFT(rt1, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_FFT(rt2, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_FFT(rt3, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_FFT(rt4, logn);
 /*
 * Compute:
@@ -3601,14 +3601,14 @@ solve_NTRU_binary_depth1(unsigned logn_top,
 */
 rt5 = rt4 + n;
 rt6 = rt5 + n;
- PQCLEAN_FALCON1024PADDED_AVX2_poly_add_muladj_fft(rt5, rt1, rt2, rt3, rt4, logn);
- PQCLEAN_FALCON1024PADDED_AVX2_poly_invnorm2_fft(rt6, rt3, rt4, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_poly_add_muladj_fft(rt5, rt1, rt2, rt3, rt4, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_poly_invnorm2_fft(rt6, rt3, rt4, logn);
 /*
 * Compute:
 * rt5 = (F*adj(f)+G*adj(g)) / (f*adj(f)+g*adj(g))
 */
- PQCLEAN_FALCON1024PADDED_AVX2_poly_mul_autoadj_fft(rt5, rt6, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_poly_mul_autoadj_fft(rt5, rt6, logn);
 /*
 * Compute k as the rounded version of rt5. Check that none of
@@ -3617,7 +3617,7 @@ solve_NTRU_binary_depth1(unsigned logn_top,
 * note that any out-of-bounds value here implies a failure and
 * (f,g) will be discarded, so we can make a simple test.
 */
- PQCLEAN_FALCON1024PADDED_AVX2_iFFT(rt5, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_iFFT(rt5, logn);
 for (u = 0; u < n; u ++) {
 fpr z;
@@ -3627,17 +3627,17 @@ solve_NTRU_binary_depth1(unsigned logn_top,
 }
 rt5[u] = fpr_of(fpr_rint(z));
 }
- PQCLEAN_FALCON1024PADDED_AVX2_FFT(rt5, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_FFT(rt5, logn);
 /*
 * Subtract k*f from F, and k*g from G.
 */
- PQCLEAN_FALCON1024PADDED_AVX2_poly_mul_fft(rt3, rt5, logn);
- PQCLEAN_FALCON1024PADDED_AVX2_poly_mul_fft(rt4, rt5, logn);
- PQCLEAN_FALCON1024PADDED_AVX2_poly_sub(rt1, rt3, logn);
- PQCLEAN_FALCON1024PADDED_AVX2_poly_sub(rt2, rt4, logn);
- PQCLEAN_FALCON1024PADDED_AVX2_iFFT(rt1, logn);
- PQCLEAN_FALCON1024PADDED_AVX2_iFFT(rt2, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_poly_mul_fft(rt3, rt5, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_poly_mul_fft(rt4, rt5, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_poly_sub(rt1, rt3, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_poly_sub(rt2, rt4, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_iFFT(rt1, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_iFFT(rt2, logn);
 /*
 * Convert back F and G to integers, and return.
@@ -3856,7 +3856,7 @@ solve_NTRU_binary_depth0(unsigned logn,
 for (u = 0; u < n; u ++) {
 rt3[u] = fpr_of(((int32_t *)t2)[u]);
 }
- PQCLEAN_FALCON1024PADDED_AVX2_FFT(rt3, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_FFT(rt3, logn);
 rt2 = align_fpr(tmp, t2);
 memmove(rt2, rt3, hn * sizeof * rt3);
@@ -3867,14 +3867,14 @@ solve_NTRU_binary_depth0(unsigned logn,
 for (u = 0; u < n; u ++) {
 rt3[u] = fpr_of(((int32_t *)t1)[u]);
 }
- PQCLEAN_FALCON1024PADDED_AVX2_FFT(rt3, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_FFT(rt3, logn);
 /*
 * Compute (F*adj(f)+G*adj(g))/(f*adj(f)+g*adj(g)) and get
 * its rounded normal representation in t1.
 */
- PQCLEAN_FALCON1024PADDED_AVX2_poly_div_autoadj_fft(rt3, rt2, logn);
- PQCLEAN_FALCON1024PADDED_AVX2_iFFT(rt3, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_poly_div_autoadj_fft(rt3, rt2, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_iFFT(rt3, logn);
 for (u = 0; u < n; u ++) {
 t1[u] = modp_set((int32_t)fpr_rint(rt3[u]), p);
 }
@@ -4075,7 +4075,7 @@ poly_small_mkgauss(RNG_CONTEXT *rng, int8_t *f, unsigned logn) {
 /* see falcon.h */
 void
-PQCLEAN_FALCON1024PADDED_AVX2_keygen(inner_shake256_context *rng,
+PQCLEAN_FALCONPADDED1024_AVX2_keygen(inner_shake256_context *rng,
 int8_t *f, int8_t *g, int8_t *F, int8_t *G, uint16_t *h, unsigned logn, uint8_t *tmp) {
 /*
@@ -4144,7 +4144,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_keygen(inner_shake256_context *rng,
 * overwhelming probability; this guarantees that the
 * key will be encodable with FALCON_COMP_TRIM.
 */
- lim = 1 << (PQCLEAN_FALCON1024PADDED_AVX2_max_fg_bits[logn] - 1);
+ lim = 1 << (PQCLEAN_FALCONPADDED1024_AVX2_max_fg_bits[logn] - 1);
 for (u = 0; u < n; u ++) {
 /*
 * We can use non-CT tests since on any failure
@@ -4182,17 +4182,17 @@ PQCLEAN_FALCON1024PADDED_AVX2_keygen(inner_shake256_context *rng,
 rt3 = rt2 + n;
 poly_small_to_fp(rt1, f, logn);
 poly_small_to_fp(rt2, g, logn);
- PQCLEAN_FALCON1024PADDED_AVX2_FFT(rt1, logn);
- PQCLEAN_FALCON1024PADDED_AVX2_FFT(rt2, logn);
- PQCLEAN_FALCON1024PADDED_AVX2_poly_invnorm2_fft(rt3, rt1, rt2, logn);
- PQCLEAN_FALCON1024PADDED_AVX2_poly_adj_fft(rt1, logn);
- PQCLEAN_FALCON1024PADDED_AVX2_poly_adj_fft(rt2, logn);
- PQCLEAN_FALCON1024PADDED_AVX2_poly_mulconst(rt1, fpr_q, logn);
- PQCLEAN_FALCON1024PADDED_AVX2_poly_mulconst(rt2, fpr_q, logn);
- PQCLEAN_FALCON1024PADDED_AVX2_poly_mul_autoadj_fft(rt1, rt3, logn);
- PQCLEAN_FALCON1024PADDED_AVX2_poly_mul_autoadj_fft(rt2, rt3, logn);
- PQCLEAN_FALCON1024PADDED_AVX2_iFFT(rt1, logn);
- PQCLEAN_FALCON1024PADDED_AVX2_iFFT(rt2, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_FFT(rt1, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_FFT(rt2, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_poly_invnorm2_fft(rt3, rt1, rt2, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_poly_adj_fft(rt1, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_poly_adj_fft(rt2, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_poly_mulconst(rt1, fpr_q, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_poly_mulconst(rt2, fpr_q, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_poly_mul_autoadj_fft(rt1, rt3, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_poly_mul_autoadj_fft(rt2, rt3, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_iFFT(rt1, logn);
+ PQCLEAN_FALCONPADDED1024_AVX2_iFFT(rt2, logn);
 bnorm = fpr_zero;
 for (u = 0; u < n; u ++) {
 bnorm = fpr_add(bnorm, fpr_sqr(rt1[u]));
@@ -4213,14 +4213,14 @@ PQCLEAN_FALCON1024PADDED_AVX2_keygen(inner_shake256_context *rng,
 h2 = h;
 tmp2 = (uint16_t *)tmp;
 }
- if (!PQCLEAN_FALCON1024PADDED_AVX2_compute_public(h2, f, g, logn, (uint8_t *)tmp2)) {
+ if (!PQCLEAN_FALCONPADDED1024_AVX2_compute_public(h2, f, g, logn, (uint8_t *)tmp2)) {
 continue;
 }
 /*
 * Solve the NTRU equation to get F and G.
 */
- lim = (1 << (PQCLEAN_FALCON1024PADDED_AVX2_max_FG_bits[logn] - 1)) - 1;
+ lim = (1 << (PQCLEAN_FALCONPADDED1024_AVX2_max_FG_bits[logn] - 1)) - 1;
 if (!solve_NTRU(logn, F, G, f, g, lim, (uint32_t *)tmp)) {
 continue;
 }
diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/pqclean.c b/Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/pqclean.c
similarity index 71%
rename from Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/pqclean.c
rename to Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/pqclean.c
index 09e792aa..06560ed5 100644
--- a/Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/pqclean.c
+++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/pqclean.c
@@ -38,7 +38,7 @@
 /* see api.h */
 int
-PQCLEAN_FALCON1024PADDED_AVX2_crypto_sign_keypair(
+PQCLEAN_FALCONPADDED1024_AVX2_crypto_sign_keypair(
 uint8_t *pk, uint8_t *sk) {
 union {
 uint8_t b[FALCON_KEYGEN_TEMP_10];
@@ -58,7 +58,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_crypto_sign_keypair(
 inner_shake256_init(&rng);
 inner_shake256_inject(&rng, seed, sizeof seed);
 inner_shake256_flip(&rng);
- PQCLEAN_FALCON1024PADDED_AVX2_keygen(&rng, f, g, F, NULL, h, 10, tmp.b);
+ PQCLEAN_FALCONPADDED1024_AVX2_keygen(&rng, f, g, F, NULL, h, 10, tmp.b);
 inner_shake256_ctx_release(&rng);
 /*
@@ -66,28 +66,28 @@ PQCLEAN_FALCON1024PADDED_AVX2_crypto_sign_keypair( */ sk[0] = 0x50 + 10; u = 1; - v = PQCLEAN_FALCON1024PADDED_AVX2_trim_i8_encode( - sk + u, PQCLEAN_FALCON1024PADDED_AVX2_CRYPTO_SECRETKEYBYTES - u, - f, 10, PQCLEAN_FALCON1024PADDED_AVX2_max_fg_bits[10]); + v = PQCLEAN_FALCONPADDED1024_AVX2_trim_i8_encode( + sk + u, PQCLEAN_FALCONPADDED1024_AVX2_CRYPTO_SECRETKEYBYTES - u, + f, 10, PQCLEAN_FALCONPADDED1024_AVX2_max_fg_bits[10]); if (v == 0) { return -1; } u += v; - v = PQCLEAN_FALCON1024PADDED_AVX2_trim_i8_encode( - sk + u, PQCLEAN_FALCON1024PADDED_AVX2_CRYPTO_SECRETKEYBYTES - u, - g, 10, PQCLEAN_FALCON1024PADDED_AVX2_max_fg_bits[10]); + v = PQCLEAN_FALCONPADDED1024_AVX2_trim_i8_encode( + sk + u, PQCLEAN_FALCONPADDED1024_AVX2_CRYPTO_SECRETKEYBYTES - u, + g, 10, PQCLEAN_FALCONPADDED1024_AVX2_max_fg_bits[10]); if (v == 0) { return -1; } u += v; - v = PQCLEAN_FALCON1024PADDED_AVX2_trim_i8_encode( - sk + u, PQCLEAN_FALCON1024PADDED_AVX2_CRYPTO_SECRETKEYBYTES - u, - F, 10, PQCLEAN_FALCON1024PADDED_AVX2_max_FG_bits[10]); + v = PQCLEAN_FALCONPADDED1024_AVX2_trim_i8_encode( + sk + u, PQCLEAN_FALCONPADDED1024_AVX2_CRYPTO_SECRETKEYBYTES - u, + F, 10, PQCLEAN_FALCONPADDED1024_AVX2_max_FG_bits[10]); if (v == 0) { return -1; } u += v; - if (u != PQCLEAN_FALCON1024PADDED_AVX2_CRYPTO_SECRETKEYBYTES) { + if (u != PQCLEAN_FALCONPADDED1024_AVX2_CRYPTO_SECRETKEYBYTES) { return -1; } @@ -95,10 +95,10 @@ PQCLEAN_FALCON1024PADDED_AVX2_crypto_sign_keypair( * Encode public key. */ pk[0] = 0x00 + 10; - v = PQCLEAN_FALCON1024PADDED_AVX2_modq_encode( - pk + 1, PQCLEAN_FALCON1024PADDED_AVX2_CRYPTO_PUBLICKEYBYTES - 1, + v = PQCLEAN_FALCONPADDED1024_AVX2_modq_encode( + pk + 1, PQCLEAN_FALCONPADDED1024_AVX2_CRYPTO_PUBLICKEYBYTES - 1, h, 10); - if (v != PQCLEAN_FALCON1024PADDED_AVX2_CRYPTO_PUBLICKEYBYTES - 1) { + if (v != PQCLEAN_FALCONPADDED1024_AVX2_CRYPTO_PUBLICKEYBYTES - 1) { return -1; } 
@@ -142,31 +142,31 @@ do_sign(uint8_t *nonce, uint8_t *sigbuf, size_t sigbuflen, return -1; } u = 1; - v = PQCLEAN_FALCON1024PADDED_AVX2_trim_i8_decode( - f, 10, PQCLEAN_FALCON1024PADDED_AVX2_max_fg_bits[10], - sk + u, PQCLEAN_FALCON1024PADDED_AVX2_CRYPTO_SECRETKEYBYTES - u); + v = PQCLEAN_FALCONPADDED1024_AVX2_trim_i8_decode( + f, 10, PQCLEAN_FALCONPADDED1024_AVX2_max_fg_bits[10], + sk + u, PQCLEAN_FALCONPADDED1024_AVX2_CRYPTO_SECRETKEYBYTES - u); if (v == 0) { return -1; } u += v; - v = PQCLEAN_FALCON1024PADDED_AVX2_trim_i8_decode( - g, 10, PQCLEAN_FALCON1024PADDED_AVX2_max_fg_bits[10], - sk + u, PQCLEAN_FALCON1024PADDED_AVX2_CRYPTO_SECRETKEYBYTES - u); + v = PQCLEAN_FALCONPADDED1024_AVX2_trim_i8_decode( + g, 10, PQCLEAN_FALCONPADDED1024_AVX2_max_fg_bits[10], + sk + u, PQCLEAN_FALCONPADDED1024_AVX2_CRYPTO_SECRETKEYBYTES - u); if (v == 0) { return -1; } u += v; - v = PQCLEAN_FALCON1024PADDED_AVX2_trim_i8_decode( - F, 10, PQCLEAN_FALCON1024PADDED_AVX2_max_FG_bits[10], - sk + u, PQCLEAN_FALCON1024PADDED_AVX2_CRYPTO_SECRETKEYBYTES - u); + v = PQCLEAN_FALCONPADDED1024_AVX2_trim_i8_decode( + F, 10, PQCLEAN_FALCONPADDED1024_AVX2_max_FG_bits[10], + sk + u, PQCLEAN_FALCONPADDED1024_AVX2_CRYPTO_SECRETKEYBYTES - u); if (v == 0) { return -1; } u += v; - if (u != PQCLEAN_FALCON1024PADDED_AVX2_CRYPTO_SECRETKEYBYTES) { + if (u != PQCLEAN_FALCONPADDED1024_AVX2_CRYPTO_SECRETKEYBYTES) { return -1; } - if (!PQCLEAN_FALCON1024PADDED_AVX2_complete_private(G, f, g, F, 10, tmp.b)) { + if (!PQCLEAN_FALCONPADDED1024_AVX2_complete_private(G, f, g, F, 10, tmp.b)) { return -1; } @@ -182,7 +182,7 @@ do_sign(uint8_t *nonce, uint8_t *sigbuf, size_t sigbuflen, inner_shake256_inject(&sc, nonce, NONCELEN); inner_shake256_inject(&sc, m, mlen); inner_shake256_flip(&sc); - PQCLEAN_FALCON1024PADDED_AVX2_hash_to_point_ct(&sc, r.hm, 10, tmp.b); + PQCLEAN_FALCONPADDED1024_AVX2_hash_to_point_ct(&sc, r.hm, 10, tmp.b); inner_shake256_ctx_release(&sc); /* 
@@ -198,8 +198,8 @@ do_sign(uint8_t *nonce, uint8_t *sigbuf, size_t sigbuflen, * value is found that fits in the provided buffer. */ for (;;) { - PQCLEAN_FALCON1024PADDED_AVX2_sign_dyn(r.sig, &sc, f, g, F, G, r.hm, 10, tmp.b); - v = PQCLEAN_FALCON1024PADDED_AVX2_comp_encode(sigbuf, sigbuflen, r.sig, 10); + PQCLEAN_FALCONPADDED1024_AVX2_sign_dyn(r.sig, &sc, f, g, F, G, r.hm, 10, tmp.b); + v = PQCLEAN_FALCONPADDED1024_AVX2_comp_encode(sigbuf, sigbuflen, r.sig, 10); if (v != 0) { inner_shake256_ctx_release(&sc); memset(sigbuf + v, 0, sigbuflen - v); @@ -233,12 +233,12 @@ do_verify( if (pk[0] != 0x00 + 10) { return -1; } - if (PQCLEAN_FALCON1024PADDED_AVX2_modq_decode(h, 10, - pk + 1, PQCLEAN_FALCON1024PADDED_AVX2_CRYPTO_PUBLICKEYBYTES - 1) - != PQCLEAN_FALCON1024PADDED_AVX2_CRYPTO_PUBLICKEYBYTES - 1) { + if (PQCLEAN_FALCONPADDED1024_AVX2_modq_decode(h, 10, + pk + 1, PQCLEAN_FALCONPADDED1024_AVX2_CRYPTO_PUBLICKEYBYTES - 1) + != PQCLEAN_FALCONPADDED1024_AVX2_CRYPTO_PUBLICKEYBYTES - 1) { return -1; } - PQCLEAN_FALCON1024PADDED_AVX2_to_ntt_monty(h, 10); + PQCLEAN_FALCONPADDED1024_AVX2_to_ntt_monty(h, 10); /* * Decode signature. @@ -247,12 +247,12 @@ do_verify( return -1; } - v = PQCLEAN_FALCON1024PADDED_AVX2_comp_decode(sig, 10, sigbuf, sigbuflen); + v = PQCLEAN_FALCONPADDED1024_AVX2_comp_decode(sig, 10, sigbuf, sigbuflen); if (v == 0) { return -1; } if (v != sigbuflen) { - if (sigbuflen == PQCLEAN_FALCON1024PADDED_AVX2_CRYPTO_BYTES - NONCELEN - 1) { + if (sigbuflen == PQCLEAN_FALCONPADDED1024_AVX2_CRYPTO_BYTES - NONCELEN - 1) { while (v < sigbuflen) { if (sigbuf[v++] != 0) { return -1; 
@@ -270,13 +270,13 @@ do_verify( inner_shake256_inject(&sc, nonce, NONCELEN); inner_shake256_inject(&sc, m, mlen); inner_shake256_flip(&sc); - PQCLEAN_FALCON1024PADDED_AVX2_hash_to_point_ct(&sc, hm, 10, tmp.b); + PQCLEAN_FALCONPADDED1024_AVX2_hash_to_point_ct(&sc, hm, 10, tmp.b); inner_shake256_ctx_release(&sc); /* * Verify signature. */ - if (!PQCLEAN_FALCON1024PADDED_AVX2_verify_raw(hm, sig, h, 10, tmp.b)) { + if (!PQCLEAN_FALCONPADDED1024_AVX2_verify_raw(hm, sig, h, 10, tmp.b)) { return -1; } return 0; @@ -284,12 +284,12 @@ do_verify( /* see api.h */ int -PQCLEAN_FALCON1024PADDED_AVX2_crypto_sign_signature( +PQCLEAN_FALCONPADDED1024_AVX2_crypto_sign_signature( uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk) { size_t vlen; - vlen = PQCLEAN_FALCON1024PADDED_AVX2_CRYPTO_BYTES - NONCELEN - 1; + vlen = PQCLEAN_FALCONPADDED1024_AVX2_CRYPTO_BYTES - NONCELEN - 1; if (do_sign(sig + 1, sig + 1 + NONCELEN, vlen, m, mlen, sk) < 0) { return -1; } @@ -300,7 +300,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_crypto_sign_signature( /* see api.h */ int -PQCLEAN_FALCON1024PADDED_AVX2_crypto_sign_verify( +PQCLEAN_FALCONPADDED1024_AVX2_crypto_sign_verify( const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk) { if (siglen < 1 + NONCELEN) { @@ -315,7 +315,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_crypto_sign_verify( /* see api.h */ int -PQCLEAN_FALCON1024PADDED_AVX2_crypto_sign( +PQCLEAN_FALCONPADDED1024_AVX2_crypto_sign( uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, const uint8_t *sk) { uint8_t *sigbuf; 
@@ -325,9 +325,9 @@ PQCLEAN_FALCON1024PADDED_AVX2_crypto_sign( * Move the message to its final location; this is a memmove() so * it handles overlaps properly. */ - memmove(sm + PQCLEAN_FALCON1024PADDED_AVX2_CRYPTO_BYTES, m, mlen); + memmove(sm + PQCLEAN_FALCONPADDED1024_AVX2_CRYPTO_BYTES, m, mlen); sigbuf = sm + 1 + NONCELEN; - sigbuflen = PQCLEAN_FALCON1024PADDED_AVX2_CRYPTO_BYTES - NONCELEN - 1; + sigbuflen = PQCLEAN_FALCONPADDED1024_AVX2_CRYPTO_BYTES - NONCELEN - 1; if (do_sign(sm + 1, sigbuf, sigbuflen, m, mlen, sk) < 0) { return -1; } @@ -339,17 +339,17 @@ PQCLEAN_FALCON1024PADDED_AVX2_crypto_sign( /* see api.h */ int -PQCLEAN_FALCON1024PADDED_AVX2_crypto_sign_open( +PQCLEAN_FALCONPADDED1024_AVX2_crypto_sign_open( uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, const uint8_t *pk) { const uint8_t *sigbuf; size_t pmlen, sigbuflen; - if (smlen < PQCLEAN_FALCON1024PADDED_AVX2_CRYPTO_BYTES) { + if (smlen < PQCLEAN_FALCONPADDED1024_AVX2_CRYPTO_BYTES) { return -1; } - sigbuflen = PQCLEAN_FALCON1024PADDED_AVX2_CRYPTO_BYTES - NONCELEN - 1; - pmlen = smlen - PQCLEAN_FALCON1024PADDED_AVX2_CRYPTO_BYTES; + sigbuflen = PQCLEAN_FALCONPADDED1024_AVX2_CRYPTO_BYTES - NONCELEN - 1; + pmlen = smlen - PQCLEAN_FALCONPADDED1024_AVX2_CRYPTO_BYTES; if (sm[0] != 0x30 + 10) { return -1; } @@ -361,7 +361,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_crypto_sign_open( * follows the signature value. */ if (do_verify(sm + 1, sigbuf, sigbuflen, - sm + PQCLEAN_FALCON1024PADDED_AVX2_CRYPTO_BYTES, pmlen, pk) < 0) { + sm + PQCLEAN_FALCONPADDED1024_AVX2_CRYPTO_BYTES, pmlen, pk) < 0) { return -1; } @@ -370,7 +370,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_crypto_sign_open( * to its final destination. The memmove() properly handles * overlaps. */ - memmove(m, sm + PQCLEAN_FALCON1024PADDED_AVX2_CRYPTO_BYTES, pmlen); + memmove(m, sm + PQCLEAN_FALCONPADDED1024_AVX2_CRYPTO_BYTES, pmlen); *mlen = pmlen; return 0; } 
diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/rng.c b/Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/rng.c similarity index 95% rename from Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/rng.c rename to Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/rng.c index 5e9e8d51..001aecb4 100644 --- a/Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/rng.c +++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/rng.c @@ -35,9 +35,9 @@ /* see inner.h */ void -PQCLEAN_FALCON1024PADDED_AVX2_prng_init(prng *p, inner_shake256_context *src) { +PQCLEAN_FALCONPADDED1024_AVX2_prng_init(prng *p, inner_shake256_context *src) { inner_shake256_extract(src, p->state.d, 56); - PQCLEAN_FALCON1024PADDED_AVX2_prng_refill(p); + PQCLEAN_FALCONPADDED1024_AVX2_prng_refill(p); } /* @@ -55,7 +55,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_prng_init(prng *p, inner_shake256_context *src) { * The block counter is XORed into the first 8 bytes of the IV. */ void -PQCLEAN_FALCON1024PADDED_AVX2_prng_refill(prng *p) { +PQCLEAN_FALCONPADDED1024_AVX2_prng_refill(prng *p) { static const uint32_t CW[] = { 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 @@ -157,7 +157,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_prng_refill(prng *p) { /* see inner.h */ void -PQCLEAN_FALCON1024PADDED_AVX2_prng_get_bytes(prng *p, void *dst, size_t len) { +PQCLEAN_FALCONPADDED1024_AVX2_prng_get_bytes(prng *p, void *dst, size_t len) { uint8_t *buf; buf = dst; @@ -173,7 +173,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_prng_get_bytes(prng *p, void *dst, size_t len) { len -= clen; p->ptr += clen; if (p->ptr == sizeof p->buf.d) { - PQCLEAN_FALCON1024PADDED_AVX2_prng_refill(p); + PQCLEAN_FALCONPADDED1024_AVX2_prng_refill(p); } } } 
diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/sign.c b/Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/sign.c similarity index 86% rename from Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/sign.c rename to Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/sign.c index c2039be0..6761dbd6 100644 --- a/Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/sign.c +++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/sign.c @@ -87,7 +87,7 @@ ffLDL_fft_inner(fpr *tree, * and the diagonal of D. Since d00 = g0, we just write d11 * into tmp. */ - PQCLEAN_FALCON1024PADDED_AVX2_poly_LDLmv_fft(tmp, tree, g0, g1, g0, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_LDLmv_fft(tmp, tree, g0, g1, g0, logn); /* * Split d00 (currently in g0) and d11 (currently in tmp). We @@ -95,8 +95,8 @@ ffLDL_fft_inner(fpr *tree, * d00 splits into g1, g1+hn * d11 splits into g0, g0+hn */ - PQCLEAN_FALCON1024PADDED_AVX2_poly_split_fft(g1, g1 + hn, g0, logn); - PQCLEAN_FALCON1024PADDED_AVX2_poly_split_fft(g0, g0 + hn, tmp, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_split_fft(g1, g1 + hn, g0, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_split_fft(g0, g0 + hn, tmp, logn); /* * Each split result is the first row of a new auto-adjoint @@ -137,10 +137,10 @@ ffLDL_fft(fpr *tree, const fpr *g00, tmp += n << 1; memcpy(d00, g00, n * sizeof * g00); - PQCLEAN_FALCON1024PADDED_AVX2_poly_LDLmv_fft(d11, tree, g00, g01, g11, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_LDLmv_fft(d11, tree, g00, g01, g11, logn); - PQCLEAN_FALCON1024PADDED_AVX2_poly_split_fft(tmp, tmp + hn, d00, logn); - PQCLEAN_FALCON1024PADDED_AVX2_poly_split_fft(d00, d00 + hn, d11, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_split_fft(tmp, tmp + hn, d00, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_split_fft(d00, d00 + hn, d11, logn); memcpy(d11, tmp, n * sizeof * tmp); ffLDL_fft_inner(tree + n, d11, d11 + hn, logn - 1, tmp); 
@@ -224,7 +224,7 @@ skoff_tree(unsigned logn) { /* see inner.h */ void -PQCLEAN_FALCON1024PADDED_AVX2_expand_privkey(fpr *expanded_key, +PQCLEAN_FALCONPADDED1024_AVX2_expand_privkey(fpr *expanded_key, const int8_t *f, const int8_t *g, const int8_t *F, const int8_t *G, unsigned logn, uint8_t *tmp) { @@ -258,12 +258,12 @@ PQCLEAN_FALCON1024PADDED_AVX2_expand_privkey(fpr *expanded_key, /* * Compute the FFT for the key elements, and negate f and F. */ - PQCLEAN_FALCON1024PADDED_AVX2_FFT(rf, logn); - PQCLEAN_FALCON1024PADDED_AVX2_FFT(rg, logn); - PQCLEAN_FALCON1024PADDED_AVX2_FFT(rF, logn); - PQCLEAN_FALCON1024PADDED_AVX2_FFT(rG, logn); - PQCLEAN_FALCON1024PADDED_AVX2_poly_neg(rf, logn); - PQCLEAN_FALCON1024PADDED_AVX2_poly_neg(rF, logn); + PQCLEAN_FALCONPADDED1024_AVX2_FFT(rf, logn); + PQCLEAN_FALCONPADDED1024_AVX2_FFT(rg, logn); + PQCLEAN_FALCONPADDED1024_AVX2_FFT(rF, logn); + PQCLEAN_FALCONPADDED1024_AVX2_FFT(rG, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_neg(rf, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_neg(rF, logn); /* * The Gram matrix is G = B·B*. Formulas are: 
@@ -281,22 +281,22 @@ PQCLEAN_FALCON1024PADDED_AVX2_expand_privkey(fpr *expanded_key, gxx = g11 + n; memcpy(g00, b00, n * sizeof * b00); - PQCLEAN_FALCON1024PADDED_AVX2_poly_mulselfadj_fft(g00, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_mulselfadj_fft(g00, logn); memcpy(gxx, b01, n * sizeof * b01); - PQCLEAN_FALCON1024PADDED_AVX2_poly_mulselfadj_fft(gxx, logn); - PQCLEAN_FALCON1024PADDED_AVX2_poly_add(g00, gxx, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_mulselfadj_fft(gxx, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_add(g00, gxx, logn); memcpy(g01, b00, n * sizeof * b00); - PQCLEAN_FALCON1024PADDED_AVX2_poly_muladj_fft(g01, b10, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_muladj_fft(g01, b10, logn); memcpy(gxx, b01, n * sizeof * b01); - PQCLEAN_FALCON1024PADDED_AVX2_poly_muladj_fft(gxx, b11, logn); - PQCLEAN_FALCON1024PADDED_AVX2_poly_add(g01, gxx, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_muladj_fft(gxx, b11, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_add(g01, gxx, logn); memcpy(g11, b10, n * sizeof * b10); - PQCLEAN_FALCON1024PADDED_AVX2_poly_mulselfadj_fft(g11, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_mulselfadj_fft(g11, logn); memcpy(gxx, b11, n * sizeof * b11); - PQCLEAN_FALCON1024PADDED_AVX2_poly_mulselfadj_fft(gxx, logn); - PQCLEAN_FALCON1024PADDED_AVX2_poly_add(g11, gxx, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_mulselfadj_fft(gxx, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_add(g11, gxx, logn); /* * Compute the Falcon tree. 
@@ -347,15 +347,15 @@ ffSampling_fft_dyntree(samplerZ samp, void *samp_ctx, * Decompose G into LDL. We only need d00 (identical to g00), * d11, and l10; we do that in place. */ - PQCLEAN_FALCON1024PADDED_AVX2_poly_LDL_fft(g00, g01, g11, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_LDL_fft(g00, g01, g11, logn); /* * Split d00 and d11 and expand them into half-size quasi-cyclic * Gram matrices. We also save l10 in tmp[]. */ - PQCLEAN_FALCON1024PADDED_AVX2_poly_split_fft(tmp, tmp + hn, g00, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_split_fft(tmp, tmp + hn, g00, logn); memcpy(g00, tmp, n * sizeof * tmp); - PQCLEAN_FALCON1024PADDED_AVX2_poly_split_fft(tmp, tmp + hn, g11, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_split_fft(tmp, tmp + hn, g11, logn); memcpy(g11, tmp, n * sizeof * tmp); memcpy(tmp, g01, n * sizeof * g01); memcpy(g01, g00, hn * sizeof * g00); @@ -375,10 +375,10 @@ ffSampling_fft_dyntree(samplerZ samp, void *samp_ctx, * back into tmp + 2*n. */ z1 = tmp + n; - PQCLEAN_FALCON1024PADDED_AVX2_poly_split_fft(z1, z1 + hn, t1, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_split_fft(z1, z1 + hn, t1, logn); ffSampling_fft_dyntree(samp, samp_ctx, z1, z1 + hn, g11, g11 + hn, g01 + hn, orig_logn, logn - 1, z1 + n); - PQCLEAN_FALCON1024PADDED_AVX2_poly_merge_fft(tmp + (n << 1), z1, z1 + hn, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_merge_fft(tmp + (n << 1), z1, z1 + hn, logn); /* * Compute tb0 = t0 + (t1 - z1) * l10. 
@@ -388,20 +388,20 @@ ffSampling_fft_dyntree(samplerZ samp, void *samp_ctx, * In the end, z1 is written over t1, and tb0 is in t0. */ memcpy(z1, t1, n * sizeof * t1); - PQCLEAN_FALCON1024PADDED_AVX2_poly_sub(z1, tmp + (n << 1), logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_sub(z1, tmp + (n << 1), logn); memcpy(t1, tmp + (n << 1), n * sizeof * tmp); - PQCLEAN_FALCON1024PADDED_AVX2_poly_mul_fft(tmp, z1, logn); - PQCLEAN_FALCON1024PADDED_AVX2_poly_add(t0, tmp, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_mul_fft(tmp, z1, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_add(t0, tmp, logn); /* * Second recursive invocation, on the split tb0 (currently in t0) * and the left sub-tree. */ z0 = tmp; - PQCLEAN_FALCON1024PADDED_AVX2_poly_split_fft(z0, z0 + hn, t0, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_split_fft(z0, z0 + hn, t0, logn); ffSampling_fft_dyntree(samp, samp_ctx, z0, z0 + hn, g00, g00 + hn, g01, orig_logn, logn - 1, z0 + n); - PQCLEAN_FALCON1024PADDED_AVX2_poly_merge_fft(t0, z0, z0 + hn, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_merge_fft(t0, z0, z0 + hn, logn); } /* 
@@ -600,26 +600,26 @@ ffSampling_fft(samplerZ samp, void *samp_ctx, * the recursive invocation, with output in tmp. We finally * merge back into z1. */ - PQCLEAN_FALCON1024PADDED_AVX2_poly_split_fft(z1, z1 + hn, t1, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_split_fft(z1, z1 + hn, t1, logn); ffSampling_fft(samp, samp_ctx, tmp, tmp + hn, tree1, z1, z1 + hn, logn - 1, tmp + n); - PQCLEAN_FALCON1024PADDED_AVX2_poly_merge_fft(z1, tmp, tmp + hn, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_merge_fft(z1, tmp, tmp + hn, logn); /* * Compute tb0 = t0 + (t1 - z1) * L. Value tb0 ends up in tmp[]. */ memcpy(tmp, t1, n * sizeof * t1); - PQCLEAN_FALCON1024PADDED_AVX2_poly_sub(tmp, z1, logn); - PQCLEAN_FALCON1024PADDED_AVX2_poly_mul_fft(tmp, tree, logn); - PQCLEAN_FALCON1024PADDED_AVX2_poly_add(tmp, t0, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_sub(tmp, z1, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_mul_fft(tmp, tree, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_add(tmp, t0, logn); /* * Second recursive invocation. */ - PQCLEAN_FALCON1024PADDED_AVX2_poly_split_fft(z0, z0 + hn, tmp, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_split_fft(z0, z0 + hn, tmp, logn); ffSampling_fft(samp, samp_ctx, tmp, tmp + hn, tree0, z0, z0 + hn, logn - 1, tmp + n); - PQCLEAN_FALCON1024PADDED_AVX2_poly_merge_fft(z0, tmp, tmp + hn, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_merge_fft(z0, tmp, tmp + hn, logn); } /* 
@@ -667,13 +667,13 @@ do_sign_tree(samplerZ samp, void *samp_ctx, int16_t *s2, * Apply the lattice basis to obtain the real target * vector (after normalization with regards to modulus). */ - PQCLEAN_FALCON1024PADDED_AVX2_FFT(t0, logn); + PQCLEAN_FALCONPADDED1024_AVX2_FFT(t0, logn); ni = fpr_inverse_of_q; memcpy(t1, t0, n * sizeof * t0); - PQCLEAN_FALCON1024PADDED_AVX2_poly_mul_fft(t1, b01, logn); - PQCLEAN_FALCON1024PADDED_AVX2_poly_mulconst(t1, fpr_neg(ni), logn); - PQCLEAN_FALCON1024PADDED_AVX2_poly_mul_fft(t0, b11, logn); - PQCLEAN_FALCON1024PADDED_AVX2_poly_mulconst(t0, ni, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_mul_fft(t1, b01, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_mulconst(t1, fpr_neg(ni), logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_mul_fft(t0, b11, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_mulconst(t0, ni, logn); tx = t1 + n; ty = tx + n; 
@@ -688,18 +688,18 @@ do_sign_tree(samplerZ samp, void *samp_ctx, int16_t *s2, */ memcpy(t0, tx, n * sizeof * tx); memcpy(t1, ty, n * sizeof * ty); - PQCLEAN_FALCON1024PADDED_AVX2_poly_mul_fft(tx, b00, logn); - PQCLEAN_FALCON1024PADDED_AVX2_poly_mul_fft(ty, b10, logn); - PQCLEAN_FALCON1024PADDED_AVX2_poly_add(tx, ty, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_mul_fft(tx, b00, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_mul_fft(ty, b10, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_add(tx, ty, logn); memcpy(ty, t0, n * sizeof * t0); - PQCLEAN_FALCON1024PADDED_AVX2_poly_mul_fft(ty, b01, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_mul_fft(ty, b01, logn); memcpy(t0, tx, n * sizeof * tx); - PQCLEAN_FALCON1024PADDED_AVX2_poly_mul_fft(t1, b11, logn); - PQCLEAN_FALCON1024PADDED_AVX2_poly_add(t1, ty, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_mul_fft(t1, b11, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_add(t1, ty, logn); - PQCLEAN_FALCON1024PADDED_AVX2_iFFT(t0, logn); - PQCLEAN_FALCON1024PADDED_AVX2_iFFT(t1, logn); + PQCLEAN_FALCONPADDED1024_AVX2_iFFT(t0, logn); + PQCLEAN_FALCONPADDED1024_AVX2_iFFT(t1, logn); /* * Compute the signature. @@ -730,7 +730,7 @@ do_sign_tree(samplerZ samp, void *samp_ctx, int16_t *s2, for (u = 0; u < n; u ++) { s2tmp[u] = (int16_t) - fpr_rint(t1[u]); } - if (PQCLEAN_FALCON1024PADDED_AVX2_is_short_half(sqn, s2tmp, logn)) { + if (PQCLEAN_FALCONPADDED1024_AVX2_is_short_half(sqn, s2tmp, logn)) { memcpy(s2, s2tmp, n * sizeof * s2); memcpy(tmp, s1tmp, n * sizeof * s1tmp); return 1; 
@@ -772,12 +772,12 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2, smallints_to_fpr(b00, g, logn); smallints_to_fpr(b11, F, logn); smallints_to_fpr(b10, G, logn); - PQCLEAN_FALCON1024PADDED_AVX2_FFT(b01, logn); - PQCLEAN_FALCON1024PADDED_AVX2_FFT(b00, logn); - PQCLEAN_FALCON1024PADDED_AVX2_FFT(b11, logn); - PQCLEAN_FALCON1024PADDED_AVX2_FFT(b10, logn); - PQCLEAN_FALCON1024PADDED_AVX2_poly_neg(b01, logn); - PQCLEAN_FALCON1024PADDED_AVX2_poly_neg(b11, logn); + PQCLEAN_FALCONPADDED1024_AVX2_FFT(b01, logn); + PQCLEAN_FALCONPADDED1024_AVX2_FFT(b00, logn); + PQCLEAN_FALCONPADDED1024_AVX2_FFT(b11, logn); + PQCLEAN_FALCONPADDED1024_AVX2_FFT(b10, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_neg(b01, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_neg(b11, logn); /* * Compute the Gram matrix G = B·B*. Formulas are: 
@@ -797,20 +797,20 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2, t1 = t0 + n; memcpy(t0, b01, n * sizeof * b01); - PQCLEAN_FALCON1024PADDED_AVX2_poly_mulselfadj_fft(t0, logn); // t0 <- b01*adj(b01) + PQCLEAN_FALCONPADDED1024_AVX2_poly_mulselfadj_fft(t0, logn); // t0 <- b01*adj(b01) memcpy(t1, b00, n * sizeof * b00); - PQCLEAN_FALCON1024PADDED_AVX2_poly_muladj_fft(t1, b10, logn); // t1 <- b00*adj(b10) - PQCLEAN_FALCON1024PADDED_AVX2_poly_mulselfadj_fft(b00, logn); // b00 <- b00*adj(b00) - PQCLEAN_FALCON1024PADDED_AVX2_poly_add(b00, t0, logn); // b00 <- g00 + PQCLEAN_FALCONPADDED1024_AVX2_poly_muladj_fft(t1, b10, logn); // t1 <- b00*adj(b10) + PQCLEAN_FALCONPADDED1024_AVX2_poly_mulselfadj_fft(b00, logn); // b00 <- b00*adj(b00) + PQCLEAN_FALCONPADDED1024_AVX2_poly_add(b00, t0, logn); // b00 <- g00 memcpy(t0, b01, n * sizeof * b01); - PQCLEAN_FALCON1024PADDED_AVX2_poly_muladj_fft(b01, b11, logn); // b01 <- b01*adj(b11) - PQCLEAN_FALCON1024PADDED_AVX2_poly_add(b01, t1, logn); // b01 <- g01 + PQCLEAN_FALCONPADDED1024_AVX2_poly_muladj_fft(b01, b11, logn); // b01 <- b01*adj(b11) + PQCLEAN_FALCONPADDED1024_AVX2_poly_add(b01, t1, logn); // b01 <- g01 - PQCLEAN_FALCON1024PADDED_AVX2_poly_mulselfadj_fft(b10, logn); // b10 <- b10*adj(b10) + PQCLEAN_FALCONPADDED1024_AVX2_poly_mulselfadj_fft(b10, logn); // b10 <- b10*adj(b10) memcpy(t1, b11, n * sizeof * b11); - PQCLEAN_FALCON1024PADDED_AVX2_poly_mulselfadj_fft(t1, logn); // t1 <- b11*adj(b11) - PQCLEAN_FALCON1024PADDED_AVX2_poly_add(b10, t1, logn); // b10 <- g11 + PQCLEAN_FALCONPADDED1024_AVX2_poly_mulselfadj_fft(t1, logn); // t1 <- b11*adj(b11) + PQCLEAN_FALCONPADDED1024_AVX2_poly_add(b10, t1, logn); // b10 <- g11 /* * We rename variables to make things clearer. The three elements 
@@ -843,13 +843,13 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2, * Apply the lattice basis to obtain the real target * vector (after normalization with regards to modulus). */ - PQCLEAN_FALCON1024PADDED_AVX2_FFT(t0, logn); + PQCLEAN_FALCONPADDED1024_AVX2_FFT(t0, logn); ni = fpr_inverse_of_q; memcpy(t1, t0, n * sizeof * t0); - PQCLEAN_FALCON1024PADDED_AVX2_poly_mul_fft(t1, b01, logn); - PQCLEAN_FALCON1024PADDED_AVX2_poly_mulconst(t1, fpr_neg(ni), logn); - PQCLEAN_FALCON1024PADDED_AVX2_poly_mul_fft(t0, b11, logn); - PQCLEAN_FALCON1024PADDED_AVX2_poly_mulconst(t0, ni, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_mul_fft(t1, b01, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_mulconst(t1, fpr_neg(ni), logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_mul_fft(t0, b11, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_mulconst(t0, ni, logn); /* * b01 and b11 can be discarded, so we move back (t0,t1). @@ -884,12 +884,12 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2, smallints_to_fpr(b00, g, logn); smallints_to_fpr(b11, F, logn); smallints_to_fpr(b10, G, logn); - PQCLEAN_FALCON1024PADDED_AVX2_FFT(b01, logn); - PQCLEAN_FALCON1024PADDED_AVX2_FFT(b00, logn); - PQCLEAN_FALCON1024PADDED_AVX2_FFT(b11, logn); - PQCLEAN_FALCON1024PADDED_AVX2_FFT(b10, logn); - PQCLEAN_FALCON1024PADDED_AVX2_poly_neg(b01, logn); - PQCLEAN_FALCON1024PADDED_AVX2_poly_neg(b11, logn); + PQCLEAN_FALCONPADDED1024_AVX2_FFT(b01, logn); + PQCLEAN_FALCONPADDED1024_AVX2_FFT(b00, logn); + PQCLEAN_FALCONPADDED1024_AVX2_FFT(b11, logn); + PQCLEAN_FALCONPADDED1024_AVX2_FFT(b10, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_neg(b01, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_neg(b11, logn); tx = t1 + n; ty = tx + n; 
@@ -898,17 +898,17 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2, */ memcpy(tx, t0, n * sizeof * t0); memcpy(ty, t1, n * sizeof * t1); - PQCLEAN_FALCON1024PADDED_AVX2_poly_mul_fft(tx, b00, logn); - PQCLEAN_FALCON1024PADDED_AVX2_poly_mul_fft(ty, b10, logn); - PQCLEAN_FALCON1024PADDED_AVX2_poly_add(tx, ty, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_mul_fft(tx, b00, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_mul_fft(ty, b10, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_add(tx, ty, logn); memcpy(ty, t0, n * sizeof * t0); - PQCLEAN_FALCON1024PADDED_AVX2_poly_mul_fft(ty, b01, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_mul_fft(ty, b01, logn); memcpy(t0, tx, n * sizeof * tx); - PQCLEAN_FALCON1024PADDED_AVX2_poly_mul_fft(t1, b11, logn); - PQCLEAN_FALCON1024PADDED_AVX2_poly_add(t1, ty, logn); - PQCLEAN_FALCON1024PADDED_AVX2_iFFT(t0, logn); - PQCLEAN_FALCON1024PADDED_AVX2_iFFT(t1, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_mul_fft(t1, b11, logn); + PQCLEAN_FALCONPADDED1024_AVX2_poly_add(t1, ty, logn); + PQCLEAN_FALCONPADDED1024_AVX2_iFFT(t0, logn); + PQCLEAN_FALCONPADDED1024_AVX2_iFFT(t1, logn); s1tmp = (int16_t *)tx; sqn = 0; @@ -936,7 +936,7 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2, for (u = 0; u < n; u ++) { s2tmp[u] = (int16_t) - fpr_rint(t1[u]); } - if (PQCLEAN_FALCON1024PADDED_AVX2_is_short_half(sqn, s2tmp, logn)) { + if (PQCLEAN_FALCONPADDED1024_AVX2_is_short_half(sqn, s2tmp, logn)) { memcpy(s2, s2tmp, n * sizeof * s2); memcpy(tmp, s1tmp, n * sizeof * s1tmp); return 1; @@ -949,7 +949,7 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2, * on zero and standard deviation 1.8205, with a precision of 72 bits. */ int -PQCLEAN_FALCON1024PADDED_AVX2_gaussian0_sampler(prng *p) { +PQCLEAN_FALCONPADDED1024_AVX2_gaussian0_sampler(prng *p) { /* * High words. 
@@ -1150,7 +1150,7 @@ BerExp(prng *p, fpr x, fpr ccs) { * 0.5 and 1); in Falcon, sigma should always be between 1.2 and 1.9. */ int -PQCLEAN_FALCON1024PADDED_AVX2_sampler(void *ctx, fpr mu, fpr isigma) { +PQCLEAN_FALCONPADDED1024_AVX2_sampler(void *ctx, fpr mu, fpr isigma) { sampler_context *spc; int s; fpr r, dss, ccs; @@ -1192,7 +1192,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_sampler(void *ctx, fpr mu, fpr isigma) { * - b = 0: z <= 0 and sampled against a Gaussian * centered on 0. */ - z0 = PQCLEAN_FALCON1024PADDED_AVX2_gaussian0_sampler(&spc->p); + z0 = PQCLEAN_FALCONPADDED1024_AVX2_gaussian0_sampler(&spc->p); b = (int)prng_get_u8(&spc->p) & 1; z = b + ((b << 1) - 1) * z0; @@ -1235,7 +1235,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_sampler(void *ctx, fpr mu, fpr isigma) { /* see inner.h */ void -PQCLEAN_FALCON1024PADDED_AVX2_sign_tree(int16_t *sig, inner_shake256_context *rng, +PQCLEAN_FALCONPADDED1024_AVX2_sign_tree(int16_t *sig, inner_shake256_context *rng, const fpr *expanded_key, const uint16_t *hm, unsigned logn, uint8_t *tmp) { fpr *ftmp; @@ -1261,8 +1261,8 @@ PQCLEAN_FALCON1024PADDED_AVX2_sign_tree(int16_t *sig, inner_shake256_context *rn * SHAKE context ('rng'). */ spc.sigma_min = fpr_sigma_min[logn]; - PQCLEAN_FALCON1024PADDED_AVX2_prng_init(&spc.p, rng); - samp = PQCLEAN_FALCON1024PADDED_AVX2_sampler; + PQCLEAN_FALCONPADDED1024_AVX2_prng_init(&spc.p, rng); + samp = PQCLEAN_FALCONPADDED1024_AVX2_sampler; samp_ctx = &spc; /* @@ -1277,7 +1277,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_sign_tree(int16_t *sig, inner_shake256_context *rn /* see inner.h */ void -PQCLEAN_FALCON1024PADDED_AVX2_sign_dyn(int16_t *sig, inner_shake256_context *rng, +PQCLEAN_FALCONPADDED1024_AVX2_sign_dyn(int16_t *sig, inner_shake256_context *rng, const int8_t *f, const int8_t *g, const int8_t *F, const int8_t *G, const uint16_t *hm, unsigned logn, uint8_t *tmp) { 
@@ -1304,8 +1304,8 @@ PQCLEAN_FALCON1024PADDED_AVX2_sign_dyn(int16_t *sig, inner_shake256_context *rng * SHAKE context ('rng'). */ spc.sigma_min = fpr_sigma_min[logn]; - PQCLEAN_FALCON1024PADDED_AVX2_prng_init(&spc.p, rng); - samp = PQCLEAN_FALCON1024PADDED_AVX2_sampler; + PQCLEAN_FALCONPADDED1024_AVX2_prng_init(&spc.p, rng); + samp = PQCLEAN_FALCONPADDED1024_AVX2_sampler; samp_ctx = &spc; /* diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/clean/vrfy.c b/Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/vrfy.c similarity index 98% rename from Modules/PQClean/crypto_sign/falcon-512-padded/clean/vrfy.c rename to Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/vrfy.c index e76e42f2..534d5d8c 100644 --- a/Modules/PQClean/crypto_sign/falcon-512-padded/clean/vrfy.c +++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/avx2/vrfy.c @@ -622,14 +622,14 @@ mq_poly_sub(uint16_t *f, const uint16_t *g, unsigned logn) { /* see inner.h */ void -PQCLEAN_FALCON512PADDED_CLEAN_to_ntt_monty(uint16_t *h, unsigned logn) { +PQCLEAN_FALCONPADDED1024_AVX2_to_ntt_monty(uint16_t *h, unsigned logn) { mq_NTT(h, logn); mq_poly_tomonty(h, logn); } /* see inner.h */ int -PQCLEAN_FALCON512PADDED_CLEAN_verify_raw(const uint16_t *c0, const int16_t *s2, +PQCLEAN_FALCONPADDED1024_AVX2_verify_raw(const uint16_t *c0, const int16_t *s2, const uint16_t *h, unsigned logn, uint8_t *tmp) { size_t u, n; uint16_t *tt; @@ -671,12 +671,12 @@ PQCLEAN_FALCON512PADDED_CLEAN_verify_raw(const uint16_t *c0, const int16_t *s2, * Signature is valid if and only if the aggregate (-s1,s2) vector * is short enough. */ - return PQCLEAN_FALCON512PADDED_CLEAN_is_short((int16_t *)tt, s2, logn); + return PQCLEAN_FALCONPADDED1024_AVX2_is_short((int16_t *)tt, s2, logn); } /* see inner.h */ int -PQCLEAN_FALCON512PADDED_CLEAN_compute_public(uint16_t *h, +PQCLEAN_FALCONPADDED1024_AVX2_compute_public(uint16_t *h, const int8_t *f, const int8_t *g, unsigned logn, uint8_t *tmp) { size_t u, n; uint16_t *tt; 
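Review bot: The old side of this vrfy.c hunk is falcon-512-padded/clean/vrfy.c (git paired the files at 98% similarity), not the previous falcon-1024-padded/avx2/vrfy.c, so the visible `-`/`+` lines compare across parameter sets and implementation variants and do not establish that the 1024/avx2 verifier changed only in its PQCLEAN_ prefix. The functions touched here, `to_ntt_monty` and `verify_raw`, are on the signature-verification path, where an unnoticed body change would be security-relevant and would not be caught by reviewing this as a pure rename. I would confirm by diffing the new falcon-padded-1024/avx2/vrfy.c directly against the pre-rename falcon-1024-padded/avx2/vrfy.c (expecting only the identifier prefix to differ), and, if PQClean's duplicate-consistency checks cover this scheme, by relying on them rather than on git's rename pairing. The same caveat applies to any other hunk in this commit whose rename source sits under a different scheme directory.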
@@ -701,7 +701,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_compute_public(uint16_t *h,
 /* see inner.h */
 int
-PQCLEAN_FALCON512PADDED_CLEAN_complete_private(int8_t *G,
+PQCLEAN_FALCONPADDED1024_AVX2_complete_private(int8_t *G,
 const int8_t *f, const int8_t *g, const int8_t *F,
 unsigned logn, uint8_t *tmp) {
 size_t u, n;
@@ -746,7 +746,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_complete_private(int8_t *G,
 /* see inner.h */
 int
-PQCLEAN_FALCON512PADDED_CLEAN_is_invertible(
+PQCLEAN_FALCONPADDED1024_AVX2_is_invertible(
 const int16_t *s2, unsigned logn, uint8_t *tmp) {
 size_t u, n;
 uint16_t *tt;
@@ -771,7 +771,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_is_invertible(
 /* see inner.h */
 int
-PQCLEAN_FALCON512PADDED_CLEAN_verify_recover(uint16_t *h,
+PQCLEAN_FALCONPADDED1024_AVX2_verify_recover(uint16_t *h,
 const uint16_t *c0, const int16_t *s1, const int16_t *s2,
 unsigned logn, uint8_t *tmp) {
 size_t u, n;
@@ -820,13 +820,13 @@ PQCLEAN_FALCON512PADDED_CLEAN_verify_recover(uint16_t *h,
 * check that the rebuilt public key matches the expected
 * value (e.g. through a hash).
 */
- r = ~r & (uint32_t) - PQCLEAN_FALCON512PADDED_CLEAN_is_short(s1, s2, logn);
+ r = ~r & (uint32_t) - PQCLEAN_FALCONPADDED1024_AVX2_is_short(s1, s2, logn);
 return (int)(r >> 31);
 }
 /* see inner.h */
 int
-PQCLEAN_FALCON512PADDED_CLEAN_count_nttzero(const int16_t *sig, unsigned logn, uint8_t *tmp) {
+PQCLEAN_FALCONPADDED1024_AVX2_count_nttzero(const int16_t *sig, unsigned logn, uint8_t *tmp) {
 uint16_t *s2;
 size_t u, n;
 uint32_t r;
diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/clean/LICENSE b/Modules/PQClean/crypto_sign/falcon-padded-1024/clean/LICENSE
similarity index 100%
rename from Modules/PQClean/crypto_sign/falcon-1024-padded/clean/LICENSE
rename to Modules/PQClean/crypto_sign/falcon-padded-1024/clean/LICENSE
diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/clean/Makefile b/Modules/PQClean/crypto_sign/falcon-padded-1024/clean/Makefile
similarity index 94%
rename from Modules/PQClean/crypto_sign/falcon-1024-padded/clean/Makefile
rename to Modules/PQClean/crypto_sign/falcon-padded-1024/clean/Makefile
index f001ebd7..5be4913c 100644
--- a/Modules/PQClean/crypto_sign/falcon-1024-padded/clean/Makefile
+++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/clean/Makefile
@@ -1,6 +1,6 @@
 # This Makefile can be used with GNU Make or BSD Make
-LIB=libfalcon-1024-padded_clean.a
+LIB=libfalcon-padded-1024_clean.a
 SOURCES = codec.c common.c fft.c fpr.c keygen.c pqclean.c rng.c sign.c vrfy.c
 OBJECTS = codec.o common.o fft.o fpr.o keygen.o pqclean.o rng.o sign.o vrfy.o
diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/clean/Makefile.Microsoft_nmake b/Modules/PQClean/crypto_sign/falcon-padded-1024/clean/Makefile.Microsoft_nmake
similarity index 94%
rename from Modules/PQClean/crypto_sign/falcon-1024-padded/clean/Makefile.Microsoft_nmake
rename to Modules/PQClean/crypto_sign/falcon-padded-1024/clean/Makefile.Microsoft_nmake
index 1fd3eccf..6dc222fe 100644
--- a/Modules/PQClean/crypto_sign/falcon-1024-padded/clean/Makefile.Microsoft_nmake
+++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/clean/Makefile.Microsoft_nmake
@@ -1,7 +1,7 @@
 # This Makefile can be used with Microsoft Visual Studio's nmake using the command:
 # nmake /f Makefile.Microsoft_nmake
-LIBRARY=libfalcon-1024-padded_clean.lib
+LIBRARY=libfalcon-padded-1024_clean.lib
 OBJECTS=codec.obj common.obj fft.obj fpr.obj keygen.obj pqclean.obj rng.obj sign.obj vrfy.obj
 # Warning C4146 is raised when a unary minus operator is applied to an
diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/clean/api.h b/Modules/PQClean/crypto_sign/falcon-padded-1024/clean/api.h
similarity index 67%
rename from Modules/PQClean/crypto_sign/falcon-1024-padded/clean/api.h
rename to Modules/PQClean/crypto_sign/falcon-padded-1024/clean/api.h
index 4cf895eb..0d38a55f 100644
--- a/Modules/PQClean/crypto_sign/falcon-1024-padded/clean/api.h
+++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/clean/api.h
@@ -1,37 +1,37 @@
-#ifndef PQCLEAN_FALCON1024PADDED_CLEAN_API_H
-#define PQCLEAN_FALCON1024PADDED_CLEAN_API_H
+#ifndef PQCLEAN_FALCONPADDED1024_CLEAN_API_H
+#define PQCLEAN_FALCONPADDED1024_CLEAN_API_H
 #include
 #include
-#define PQCLEAN_FALCON1024PADDED_CLEAN_CRYPTO_SECRETKEYBYTES 2305
-#define PQCLEAN_FALCON1024PADDED_CLEAN_CRYPTO_PUBLICKEYBYTES 1793
-#define PQCLEAN_FALCON1024PADDED_CLEAN_CRYPTO_BYTES 1280
+#define PQCLEAN_FALCONPADDED1024_CLEAN_CRYPTO_SECRETKEYBYTES 2305
+#define PQCLEAN_FALCONPADDED1024_CLEAN_CRYPTO_PUBLICKEYBYTES 1793
+#define PQCLEAN_FALCONPADDED1024_CLEAN_CRYPTO_BYTES 1280
-#define PQCLEAN_FALCON1024PADDED_CLEAN_CRYPTO_ALGNAME "Falcon-1024 (PADDED)"
+#define PQCLEAN_FALCONPADDED1024_CLEAN_CRYPTO_ALGNAME "Falcon-padded-1024"
 /*
 * Generate a new key pair. Public key goes into pk[], private key in sk[].
 * Key sizes are exact (in bytes):
- * public (pk): PQCLEAN_FALCON1024PADDED_CLEAN_CRYPTO_PUBLICKEYBYTES
- * private (sk): PQCLEAN_FALCON1024PADDED_CLEAN_CRYPTO_SECRETKEYBYTES
+ * public (pk): PQCLEAN_FALCONPADDED1024_CLEAN_CRYPTO_PUBLICKEYBYTES
+ * private (sk): PQCLEAN_FALCONPADDED1024_CLEAN_CRYPTO_SECRETKEYBYTES
 *
 * Return value: 0 on success, -1 on error.
 */
-int PQCLEAN_FALCON1024PADDED_CLEAN_crypto_sign_keypair(
+int PQCLEAN_FALCONPADDED1024_CLEAN_crypto_sign_keypair(
 uint8_t *pk, uint8_t *sk);
 /*
 * Compute a signature on a provided message (m, mlen), with a given
 * private key (sk). Signature is written in sig[], with length written
 * into *siglen. Signature length is variable; maximum signature length
- * (in bytes) is PQCLEAN_FALCON1024PADDED_CLEAN_CRYPTO_BYTES.
+ * (in bytes) is PQCLEAN_FALCONPADDED1024_CLEAN_CRYPTO_BYTES.
 *
 * sig[], m[] and sk[] may overlap each other arbitrarily.
 *
 * Return value: 0 on success, -1 on error.
 */
-int PQCLEAN_FALCON1024PADDED_CLEAN_crypto_sign_signature(
+int PQCLEAN_FALCONPADDED1024_CLEAN_crypto_sign_signature(
 uint8_t *sig, size_t *siglen,
 const uint8_t *m, size_t mlen, const uint8_t *sk);
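Review bot: The `PQCLEAN_FALCONPADDED1024_CLEAN_CRYPTO_ALGNAME` literal changes from `"Falcon-1024 (PADDED)"` to `"Falcon-padded-1024"`, and unlike the symbol-prefix rename this is a silent runtime change: a consumer that selects a scheme or looks up test vectors by the algorithm-name string gets no compile or link error, so the new string deserves an explicit mention in the release notes next to the header and symbol rename. The key and signature sizes (2305, 1793 and 1280 bytes) are unchanged in this hunk, so the encoded key and signature formats are unaffected. The two bare `#include` lines appear to have lost their header names in rendering (presumably `<stddef.h>` and `<stdint.h>`, which the `size_t` and `uint8_t` parameters below need); worth confirming the patched file still carries them.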
@@ -43,7 +43,7 @@ int PQCLEAN_FALCON1024PADDED_CLEAN_crypto_sign_signature(
 *
 * Return value: 0 on success, -1 on error.
 */
-int PQCLEAN_FALCON1024PADDED_CLEAN_crypto_sign_verify(
+int PQCLEAN_FALCONPADDED1024_CLEAN_crypto_sign_verify(
 const uint8_t *sig, size_t siglen,
 const uint8_t *m, size_t mlen, const uint8_t *pk);
@@ -51,14 +51,14 @@ int PQCLEAN_FALCON1024PADDED_CLEAN_crypto_sign_verify(
 * Compute a signature on a message and pack the signature and message
 * into a single object, written into sm[]. The length of that output is
 * written in *smlen; that length may be larger than the message length
- * (mlen) by up to PQCLEAN_FALCON1024PADDED_CLEAN_CRYPTO_BYTES.
+ * (mlen) by up to PQCLEAN_FALCONPADDED1024_CLEAN_CRYPTO_BYTES.
 *
 * sm[] and m[] may overlap each other arbitrarily; however, sm[] shall
 * not overlap with sk[].
 *
 * Return value: 0 on success, -1 on error.
 */
-int PQCLEAN_FALCON1024PADDED_CLEAN_crypto_sign(
+int PQCLEAN_FALCONPADDED1024_CLEAN_crypto_sign(
 uint8_t *sm, size_t *smlen,
 const uint8_t *m, size_t mlen, const uint8_t *sk);
@@ -67,13 +67,13 @@ int PQCLEAN_FALCON1024PADDED_CLEAN_crypto_sign(
 * on success, the message itself is written into m[] and its length
 * into *mlen. The message is shorter than the signed message object,
 * but the size difference depends on the signature value; the difference
- * may range up to PQCLEAN_FALCON1024PADDED_CLEAN_CRYPTO_BYTES.
+ * may range up to PQCLEAN_FALCONPADDED1024_CLEAN_CRYPTO_BYTES.
 *
 * m[], sm[] and pk[] may overlap each other arbitrarily.
 *
 * Return value: 0 on success, -1 on error.
 */
-int PQCLEAN_FALCON1024PADDED_CLEAN_crypto_sign_open(
+int PQCLEAN_FALCONPADDED1024_CLEAN_crypto_sign_open(
 uint8_t *m, size_t *mlen,
 const uint8_t *sm, size_t smlen, const uint8_t *pk);
diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/clean/codec.c b/Modules/PQClean/crypto_sign/falcon-padded-1024/clean/codec.c
similarity index 96%
rename from Modules/PQClean/crypto_sign/falcon-1024-padded/clean/codec.c
rename to Modules/PQClean/crypto_sign/falcon-padded-1024/clean/codec.c
index d4c8f79b..9556fe73 100644
--- a/Modules/PQClean/crypto_sign/falcon-1024-padded/clean/codec.c
+++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/clean/codec.c
@@ -33,7 +33,7 @@
 /* see inner.h */
 size_t
-PQCLEAN_FALCON1024PADDED_CLEAN_modq_encode(
+PQCLEAN_FALCONPADDED1024_CLEAN_modq_encode(
 void *out, size_t max_out_len,
 const uint16_t *x, unsigned logn) {
 size_t n, out_len, u;
@@ -73,7 +73,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_modq_encode(
 /* see inner.h */
 size_t
-PQCLEAN_FALCON1024PADDED_CLEAN_modq_decode(
+PQCLEAN_FALCONPADDED1024_CLEAN_modq_decode(
 uint16_t *x, unsigned logn,
 const void *in, size_t max_in_len) {
 size_t n, in_len, u;
@@ -112,7 +112,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_modq_decode(
 /* see inner.h */
 size_t
-PQCLEAN_FALCON1024PADDED_CLEAN_trim_i16_encode(
+PQCLEAN_FALCONPADDED1024_CLEAN_trim_i16_encode(
 void *out, size_t max_out_len,
 const int16_t *x, unsigned logn, unsigned bits) {
 size_t n, u, out_len;
@@ -156,7 +156,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_trim_i16_encode(
 /* see inner.h */
 size_t
-PQCLEAN_FALCON1024PADDED_CLEAN_trim_i16_decode(
+PQCLEAN_FALCONPADDED1024_CLEAN_trim_i16_decode(
 int16_t *x, unsigned logn, unsigned bits,
 const void *in, size_t max_in_len) {
 size_t n, in_len;
@@ -206,7 +206,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_trim_i16_decode(
 /* see inner.h */
 size_t
-PQCLEAN_FALCON1024PADDED_CLEAN_trim_i8_encode(
+PQCLEAN_FALCONPADDED1024_CLEAN_trim_i8_encode(
 void *out, size_t max_out_len,
 const int8_t *x, unsigned logn, unsigned bits) {
 size_t n, u, out_len;
@@ -250,7 +250,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_trim_i8_encode(
 /* see inner.h */
 size_t
-PQCLEAN_FALCON1024PADDED_CLEAN_trim_i8_decode(
+PQCLEAN_FALCONPADDED1024_CLEAN_trim_i8_decode(
 int8_t *x, unsigned logn, unsigned bits,
 const void *in, size_t max_in_len) {
 size_t n, in_len;
@@ -299,7 +299,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_trim_i8_decode(
 /* see inner.h */
 size_t
-PQCLEAN_FALCON1024PADDED_CLEAN_comp_encode(
+PQCLEAN_FALCONPADDED1024_CLEAN_comp_encode(
 void *out, size_t max_out_len,
 const int16_t *x, unsigned logn) {
 uint8_t *buf;
@@ -395,7 +395,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_comp_encode(
 /* see inner.h */
 size_t
-PQCLEAN_FALCON1024PADDED_CLEAN_comp_decode(
+PQCLEAN_FALCONPADDED1024_CLEAN_comp_decode(
 int16_t *x, unsigned logn,
 const void *in, size_t max_in_len) {
 const uint8_t *buf;
@@ -499,7 +499,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_comp_decode(
 * of max_fg_bits[] and max_FG_bits[] shall be greater than 8.
 */
-const uint8_t PQCLEAN_FALCON1024PADDED_CLEAN_max_fg_bits[] = {
+const uint8_t PQCLEAN_FALCONPADDED1024_CLEAN_max_fg_bits[] = {
 0, /* unused */
 8,
 8,
@@ -513,7 +513,7 @@ const uint8_t PQCLEAN_FALCON1024PADDED_CLEAN_max_fg_bits[] = {
 5
 };
-const uint8_t PQCLEAN_FALCON1024PADDED_CLEAN_max_FG_bits[] = {
+const uint8_t PQCLEAN_FALCONPADDED1024_CLEAN_max_FG_bits[] = {
 0, /* unused */
 8,
 8,
@@ -555,7 +555,7 @@ const uint8_t PQCLEAN_FALCON1024PADDED_CLEAN_max_FG_bits[] = {
 * in -2047..2047, i.e. 12 bits.
 */
-const uint8_t PQCLEAN_FALCON1024PADDED_CLEAN_max_sig_bits[] = {
+const uint8_t PQCLEAN_FALCONPADDED1024_CLEAN_max_sig_bits[] = {
 0, /* unused */
 10,
 11,
diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/clean/common.c b/Modules/PQClean/crypto_sign/falcon-padded-1024/clean/common.c
similarity index 97%
rename from Modules/PQClean/crypto_sign/falcon-1024-padded/clean/common.c
rename to Modules/PQClean/crypto_sign/falcon-padded-1024/clean/common.c
index b85ad99a..87c6771c 100644
--- a/Modules/PQClean/crypto_sign/falcon-1024-padded/clean/common.c
+++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/clean/common.c
@@ -33,7 +33,7 @@
 /* see inner.h */
 void
-PQCLEAN_FALCON1024PADDED_CLEAN_hash_to_point_vartime(
+PQCLEAN_FALCONPADDED1024_CLEAN_hash_to_point_vartime(
 inner_shake256_context *sc,
 uint16_t *x, unsigned logn) {
 /*
@@ -67,7 +67,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_hash_to_point_vartime(
 /* see inner.h */
 void
-PQCLEAN_FALCON1024PADDED_CLEAN_hash_to_point_ct(
+PQCLEAN_FALCONPADDED1024_CLEAN_hash_to_point_ct(
 inner_shake256_context *sc,
 uint16_t *x, unsigned logn, uint8_t *tmp) {
 /*
@@ -252,7 +252,7 @@ static const uint32_t l2bound[] = {
 /* see inner.h */
 int
-PQCLEAN_FALCON1024PADDED_CLEAN_is_short(
+PQCLEAN_FALCONPADDED1024_CLEAN_is_short(
 const int16_t *s1, const int16_t *s2, unsigned logn) {
 /*
 * We use the l2-norm. Code below uses only 32-bit operations to
@@ -282,7 +282,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_is_short(
 /* see inner.h */
 int
-PQCLEAN_FALCON1024PADDED_CLEAN_is_short_half(
+PQCLEAN_FALCONPADDED1024_CLEAN_is_short_half(
 uint32_t sqn, const int16_t *s2, unsigned logn) {
 size_t n, u;
 uint32_t ng;
diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/clean/fft.c b/Modules/PQClean/crypto_sign/falcon-padded-1024/clean/fft.c
similarity index 94%
rename from Modules/PQClean/crypto_sign/falcon-1024-padded/clean/fft.c
rename to Modules/PQClean/crypto_sign/falcon-padded-1024/clean/fft.c
index 7795a13d..f0d5bd84 100644
--- a/Modules/PQClean/crypto_sign/falcon-1024-padded/clean/fft.c
+++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/clean/fft.c
@@ -168,7 +168,7 @@
 /* see inner.h */
 void
-PQCLEAN_FALCON1024PADDED_CLEAN_FFT(fpr *f, unsigned logn) {
+PQCLEAN_FALCONPADDED1024_CLEAN_FFT(fpr *f, unsigned logn) {
 /*
 * FFT algorithm in bit-reversal order uses the following
 * iterative algorithm:
@@ -248,7 +248,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_FFT(fpr *f, unsigned logn) {
 /* see inner.h */
 void
-PQCLEAN_FALCON1024PADDED_CLEAN_iFFT(fpr *f, unsigned logn) {
+PQCLEAN_FALCONPADDED1024_CLEAN_iFFT(fpr *f, unsigned logn) {
 /*
 * Inverse FFT algorithm in bit-reversal order uses the following
 * iterative algorithm:
@@ -344,7 +344,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_iFFT(fpr *f, unsigned logn) {
 /* see inner.h */
 void
-PQCLEAN_FALCON1024PADDED_CLEAN_poly_add(
+PQCLEAN_FALCONPADDED1024_CLEAN_poly_add(
 fpr *a, const fpr *b, unsigned logn) {
 size_t n, u;
@@ -356,7 +356,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_poly_add(
 /* see inner.h */
 void
-PQCLEAN_FALCON1024PADDED_CLEAN_poly_sub(
+PQCLEAN_FALCONPADDED1024_CLEAN_poly_sub(
 fpr *a, const fpr *b, unsigned logn) {
 size_t n, u;
@@ -368,7 +368,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_poly_sub(
 /* see inner.h */
 void
-PQCLEAN_FALCON1024PADDED_CLEAN_poly_neg(fpr *a, unsigned logn) {
+PQCLEAN_FALCONPADDED1024_CLEAN_poly_neg(fpr *a, unsigned logn) {
 size_t n, u;
 n = (size_t)1 << logn;
@@ -379,7 +379,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_poly_neg(fpr *a, unsigned logn) {
 /* see inner.h */
 void
-PQCLEAN_FALCON1024PADDED_CLEAN_poly_adj_fft(fpr *a, unsigned logn) {
+PQCLEAN_FALCONPADDED1024_CLEAN_poly_adj_fft(fpr *a, unsigned logn) {
 size_t n, u;
 n = (size_t)1 << logn;
@@ -390,7 +390,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_poly_adj_fft(fpr *a, unsigned logn) {
 /* see inner.h */
 void
-PQCLEAN_FALCON1024PADDED_CLEAN_poly_mul_fft(
+PQCLEAN_FALCONPADDED1024_CLEAN_poly_mul_fft(
 fpr *a, const fpr *b, unsigned logn) {
 size_t n, hn, u;
@@ -409,7 +409,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_poly_mul_fft(
 /* see inner.h */
 void
-PQCLEAN_FALCON1024PADDED_CLEAN_poly_muladj_fft(
+PQCLEAN_FALCONPADDED1024_CLEAN_poly_muladj_fft(
 fpr *a, const fpr *b, unsigned logn) {
 size_t n, hn, u;
@@ -428,7 +428,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_poly_muladj_fft(
 /* see inner.h */
 void
-PQCLEAN_FALCON1024PADDED_CLEAN_poly_mulselfadj_fft(fpr *a, unsigned logn) {
+PQCLEAN_FALCONPADDED1024_CLEAN_poly_mulselfadj_fft(fpr *a, unsigned logn) {
 /*
 * Since each coefficient is multiplied with its own conjugate,
 * the result contains only real values.
@@ -449,7 +449,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_poly_mulselfadj_fft(fpr *a, unsigned logn) {
 /* see inner.h */
 void
-PQCLEAN_FALCON1024PADDED_CLEAN_poly_mulconst(fpr *a, fpr x, unsigned logn) {
+PQCLEAN_FALCONPADDED1024_CLEAN_poly_mulconst(fpr *a, fpr x, unsigned logn) {
 size_t n, u;
 n = (size_t)1 << logn;
@@ -460,7 +460,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_poly_mulconst(fpr *a, fpr x, unsigned logn) {
 /* see inner.h */
 void
-PQCLEAN_FALCON1024PADDED_CLEAN_poly_div_fft(
+PQCLEAN_FALCONPADDED1024_CLEAN_poly_div_fft(
 fpr *a, const fpr *b, unsigned logn) {
 size_t n, hn, u;
@@ -479,7 +479,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_poly_div_fft(
 /* see inner.h */
 void
-PQCLEAN_FALCON1024PADDED_CLEAN_poly_invnorm2_fft(fpr *d,
+PQCLEAN_FALCONPADDED1024_CLEAN_poly_invnorm2_fft(fpr *d,
 const fpr *a, const fpr *b, unsigned logn) {
 size_t n, hn, u;
@@ -501,7 +501,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_poly_invnorm2_fft(fpr *d,
 /* see inner.h */
 void
-PQCLEAN_FALCON1024PADDED_CLEAN_poly_add_muladj_fft(fpr *d,
+PQCLEAN_FALCONPADDED1024_CLEAN_poly_add_muladj_fft(fpr *d,
 const fpr *F, const fpr *G,
 const fpr *f, const fpr *g, unsigned logn) {
 size_t n, hn, u;
@@ -531,7 +531,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_poly_add_muladj_fft(fpr *d,
 /* see inner.h */
 void
-PQCLEAN_FALCON1024PADDED_CLEAN_poly_mul_autoadj_fft(
+PQCLEAN_FALCONPADDED1024_CLEAN_poly_mul_autoadj_fft(
 fpr *a, const fpr *b, unsigned logn) {
 size_t n, hn, u;
@@ -545,7 +545,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_poly_mul_autoadj_fft(
 /* see inner.h */
 void
-PQCLEAN_FALCON1024PADDED_CLEAN_poly_div_autoadj_fft(
+PQCLEAN_FALCONPADDED1024_CLEAN_poly_div_autoadj_fft(
 fpr *a, const fpr *b, unsigned logn) {
 size_t n, hn, u;
@@ -562,7 +562,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_poly_div_autoadj_fft(
 /* see inner.h */
 void
-PQCLEAN_FALCON1024PADDED_CLEAN_poly_LDL_fft(
+PQCLEAN_FALCONPADDED1024_CLEAN_poly_LDL_fft(
 const fpr *g00, fpr *g01, fpr *g11, unsigned logn) {
 size_t n, hn, u;
@@ -589,7 +589,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_poly_LDL_fft(
 /* see inner.h */
 void
-PQCLEAN_FALCON1024PADDED_CLEAN_poly_LDLmv_fft(
+PQCLEAN_FALCONPADDED1024_CLEAN_poly_LDLmv_fft(
 fpr *d11, fpr *l10,
 const fpr *g00, const fpr *g01, const fpr *g11,
 unsigned logn) {
@@ -617,7 +617,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_poly_LDLmv_fft(
 /* see inner.h */
 void
-PQCLEAN_FALCON1024PADDED_CLEAN_poly_split_fft(
+PQCLEAN_FALCONPADDED1024_CLEAN_poly_split_fft(
 fpr *f0, fpr *f1,
 const fpr *f, unsigned logn) {
 /*
@@ -665,7 +665,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_poly_split_fft(
 /* see inner.h */
 void
-PQCLEAN_FALCON1024PADDED_CLEAN_poly_merge_fft(
+PQCLEAN_FALCONPADDED1024_CLEAN_poly_merge_fft(
 fpr *f, const fpr *f0, const fpr *f1, unsigned logn) {
 size_t n, hn, qn, u;
diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/clean/fpr.c b/Modules/PQClean/crypto_sign/falcon-padded-1024/clean/fpr.c
similarity index 100%
rename from Modules/PQClean/crypto_sign/falcon-1024-padded/clean/fpr.c
rename to Modules/PQClean/crypto_sign/falcon-padded-1024/clean/fpr.c
diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/clean/fpr.h b/Modules/PQClean/crypto_sign/falcon-padded-1024/clean/fpr.h
similarity index 97%
rename from Modules/PQClean/crypto_sign/falcon-1024-padded/clean/fpr.h
rename to Modules/PQClean/crypto_sign/falcon-padded-1024/clean/fpr.h
index 9f842a16..3e80b506 100644
--- a/Modules/PQClean/crypto_sign/falcon-1024-padded/clean/fpr.h
+++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/clean/fpr.h
@@ -210,7 +210,7 @@ FPR(int s, int e, uint64_t m) {
 return x;
 }
-#define fpr_scaled PQCLEAN_FALCON1024PADDED_CLEAN_fpr_scaled
+#define fpr_scaled PQCLEAN_FALCONPADDED1024_CLEAN_fpr_scaled
 fpr fpr_scaled(int64_t i, int sc);
 static inline fpr
@@ -384,7 +384,7 @@ fpr_trunc(fpr x) {
 return *(int64_t *)&xu;
 }
-#define fpr_add PQCLEAN_FALCON1024PADDED_CLEAN_fpr_add
+#define fpr_add PQCLEAN_FALCONPADDED1024_CLEAN_fpr_add
 fpr fpr_add(fpr x, fpr y);
 static inline fpr
@@ -424,7 +424,7 @@ fpr_double(fpr x) {
 return x;
 }
-#define fpr_mul PQCLEAN_FALCON1024PADDED_CLEAN_fpr_mul
+#define fpr_mul PQCLEAN_FALCONPADDED1024_CLEAN_fpr_mul
 fpr fpr_mul(fpr x, fpr y);
 static inline fpr
@@ -432,7 +432,7 @@ fpr_sqr(fpr x) {
 return fpr_mul(x, x);
 }
-#define fpr_div PQCLEAN_FALCON1024PADDED_CLEAN_fpr_div
+#define fpr_div PQCLEAN_FALCONPADDED1024_CLEAN_fpr_div
 fpr fpr_div(fpr x, fpr y);
 static inline fpr
@@ -440,7 +440,7 @@ fpr_inv(fpr x) {
 return fpr_div(4607182418800017408u, x);
 }
-#define fpr_sqrt PQCLEAN_FALCON1024PADDED_CLEAN_fpr_sqrt
+#define fpr_sqrt PQCLEAN_FALCONPADDED1024_CLEAN_fpr_sqrt
 fpr fpr_sqrt(fpr x);
 static inline int
@@ -479,13 +479,13 @@ fpr_lt(fpr x, fpr y) {
 * Compute exp(x) for x such that |x| <= ln 2. We want a precision of 50
 * bits or so.
 */
-#define fpr_expm_p63 PQCLEAN_FALCON1024PADDED_CLEAN_fpr_expm_p63
+#define fpr_expm_p63 PQCLEAN_FALCONPADDED1024_CLEAN_fpr_expm_p63
 uint64_t fpr_expm_p63(fpr x, fpr ccs);
-#define fpr_gm_tab PQCLEAN_FALCON1024PADDED_CLEAN_fpr_gm_tab
+#define fpr_gm_tab PQCLEAN_FALCONPADDED1024_CLEAN_fpr_gm_tab
 extern const fpr fpr_gm_tab[];
-#define fpr_p2_tab PQCLEAN_FALCON1024PADDED_CLEAN_fpr_p2_tab
+#define fpr_p2_tab PQCLEAN_FALCONPADDED1024_CLEAN_fpr_p2_tab
 extern const fpr fpr_p2_tab[];
 /* ====================================================================== */
diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/clean/inner.h b/Modules/PQClean/crypto_sign/falcon-padded-1024/clean/inner.h
similarity index 87%
rename from Modules/PQClean/crypto_sign/falcon-1024-padded/clean/inner.h
rename to Modules/PQClean/crypto_sign/falcon-padded-1024/clean/inner.h
index bbd22352..c63ee1dd 100644
--- a/Modules/PQClean/crypto_sign/falcon-1024-padded/clean/inner.h
+++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/clean/inner.h
@@ -42,7 +42,7 @@
 *
 *
 * - All public functions (i.e. the non-static ones) must be referenced
- * with the PQCLEAN_FALCON1024PADDED_CLEAN_ macro (e.g. PQCLEAN_FALCON1024PADDED_CLEAN_verify_raw for the verify_raw()
+ * with the PQCLEAN_FALCONPADDED1024_CLEAN_ macro (e.g. PQCLEAN_FALCONPADDED1024_CLEAN_verify_raw for the verify_raw()
 * function). That macro adds a prefix to the name, which is
 * configurable with the FALCON_PREFIX macro. This allows compiling
 * the code into a specific "namespace" and potentially including
@@ -65,7 +65,7 @@
 * word. The caller MUST use set_fpu_cw() to ensure proper precision:
 *
 * oldcw = set_fpu_cw(2);
- * PQCLEAN_FALCON1024PADDED_CLEAN_sign_dyn(...);
+ * PQCLEAN_FALCONPADDED1024_CLEAN_sign_dyn(...);
 * set_fpu_cw(oldcw);
 *
 * On systems where the native floating-point precision is already
@@ -155,22 +155,22 @@ set_fpu_cw(unsigned x) {
 *
 */
-size_t PQCLEAN_FALCON1024PADDED_CLEAN_modq_encode(void *out, size_t max_out_len,
+size_t PQCLEAN_FALCONPADDED1024_CLEAN_modq_encode(void *out, size_t max_out_len,
 const uint16_t *x, unsigned logn);
-size_t PQCLEAN_FALCON1024PADDED_CLEAN_trim_i16_encode(void *out, size_t max_out_len,
+size_t PQCLEAN_FALCONPADDED1024_CLEAN_trim_i16_encode(void *out, size_t max_out_len,
 const int16_t *x, unsigned logn, unsigned bits);
-size_t PQCLEAN_FALCON1024PADDED_CLEAN_trim_i8_encode(void *out, size_t max_out_len,
+size_t PQCLEAN_FALCONPADDED1024_CLEAN_trim_i8_encode(void *out, size_t max_out_len,
 const int8_t *x, unsigned logn, unsigned bits);
-size_t PQCLEAN_FALCON1024PADDED_CLEAN_comp_encode(void *out, size_t max_out_len,
+size_t PQCLEAN_FALCONPADDED1024_CLEAN_comp_encode(void *out, size_t max_out_len,
 const int16_t *x, unsigned logn);
-size_t PQCLEAN_FALCON1024PADDED_CLEAN_modq_decode(uint16_t *x, unsigned logn,
+size_t PQCLEAN_FALCONPADDED1024_CLEAN_modq_decode(uint16_t *x, unsigned logn,
 const void *in, size_t max_in_len);
-size_t PQCLEAN_FALCON1024PADDED_CLEAN_trim_i16_decode(int16_t *x, unsigned logn, unsigned bits,
+size_t PQCLEAN_FALCONPADDED1024_CLEAN_trim_i16_decode(int16_t *x, unsigned logn, unsigned bits,
 const void *in, size_t max_in_len);
-size_t PQCLEAN_FALCON1024PADDED_CLEAN_trim_i8_decode(int8_t *x, unsigned logn, unsigned bits,
+size_t PQCLEAN_FALCONPADDED1024_CLEAN_trim_i8_decode(int8_t *x, unsigned logn, unsigned bits,
 const void *in, size_t max_in_len);
-size_t PQCLEAN_FALCON1024PADDED_CLEAN_comp_decode(int16_t *x, unsigned logn,
+size_t PQCLEAN_FALCONPADDED1024_CLEAN_comp_decode(int16_t *x, unsigned logn,
 const void *in, size_t max_in_len);
 /*
@@ -178,14 +178,14 @@ size_t PQCLEAN_FALCON1024PADDED_CLEAN_comp_decode(int16_t *x, unsigned logn,
 * is at most 8 bits for all degrees, but some degrees may have shorter
 * elements.
 */
-extern const uint8_t PQCLEAN_FALCON1024PADDED_CLEAN_max_fg_bits[];
-extern const uint8_t PQCLEAN_FALCON1024PADDED_CLEAN_max_FG_bits[];
+extern const uint8_t PQCLEAN_FALCONPADDED1024_CLEAN_max_fg_bits[];
+extern const uint8_t PQCLEAN_FALCONPADDED1024_CLEAN_max_FG_bits[];
 /*
 * Maximum size, in bits, of elements in a signature, indexed by logn
 * (1 to 10). The size includes the sign bit.
 */
-extern const uint8_t PQCLEAN_FALCON1024PADDED_CLEAN_max_sig_bits[];
+extern const uint8_t PQCLEAN_FALCONPADDED1024_CLEAN_max_sig_bits[];
 /* ==================================================================== */
 /*
@@ -199,18 +199,18 @@ extern const uint8_t PQCLEAN_FALCON1024PADDED_CLEAN_max_sig_bits[];
 * information to serve as a stop condition on a brute force attack on
 * the hashed message (provided that the nonce value is known).
 */
-void PQCLEAN_FALCON1024PADDED_CLEAN_hash_to_point_vartime(inner_shake256_context *sc,
+void PQCLEAN_FALCONPADDED1024_CLEAN_hash_to_point_vartime(inner_shake256_context *sc,
 uint16_t *x, unsigned logn);
 /*
 * From a SHAKE256 context (must be already flipped), produce a new
 * point. The temporary buffer (tmp) must have room for 2*2^logn bytes.
 * This function is constant-time but is typically more expensive than
- * PQCLEAN_FALCON1024PADDED_CLEAN_hash_to_point_vartime().
+ * PQCLEAN_FALCONPADDED1024_CLEAN_hash_to_point_vartime().
 *
 * tmp[] must have 16-bit alignment.
 */
-void PQCLEAN_FALCON1024PADDED_CLEAN_hash_to_point_ct(inner_shake256_context *sc,
+void PQCLEAN_FALCONPADDED1024_CLEAN_hash_to_point_ct(inner_shake256_context *sc,
 uint16_t *x, unsigned logn, uint8_t *tmp);
 /*
@@ -219,7 +219,7 @@ void PQCLEAN_FALCON1024PADDED_CLEAN_hash_to_point_ct(inner_shake256_context *sc,
 * vector with the acceptance bound. Returned value is 1 on success
 * (vector is short enough to be acceptable), 0 otherwise.
 */
-int PQCLEAN_FALCON1024PADDED_CLEAN_is_short(const int16_t *s1, const int16_t *s2, unsigned logn);
+int PQCLEAN_FALCONPADDED1024_CLEAN_is_short(const int16_t *s1, const int16_t *s2, unsigned logn);
 /*
 * Tell whether a given vector (2N coordinates, in two halves) is
@@ -231,7 +231,7 @@ int PQCLEAN_FALCON1024PADDED_CLEAN_is_short(const int16_t *s1, const int16_t *s2
 * Returned value is 1 on success (vector is short enough to be
 * acceptable), 0 otherwise.
 */
-int PQCLEAN_FALCON1024PADDED_CLEAN_is_short_half(uint32_t sqn, const int16_t *s2, unsigned logn);
+int PQCLEAN_FALCONPADDED1024_CLEAN_is_short_half(uint32_t sqn, const int16_t *s2, unsigned logn);
 /* ==================================================================== */
 /*
@@ -242,7 +242,7 @@ int PQCLEAN_FALCON1024PADDED_CLEAN_is_short_half(uint32_t sqn, const int16_t *s2
 * Convert a public key to NTT + Montgomery format. Conversion is done
 * in place.
 */
-void PQCLEAN_FALCON1024PADDED_CLEAN_to_ntt_monty(uint16_t *h, unsigned logn);
+void PQCLEAN_FALCONPADDED1024_CLEAN_to_ntt_monty(uint16_t *h, unsigned logn);
 /*
 * Internal signature verification code:
@@ -255,7 +255,7 @@ void PQCLEAN_FALCON1024PADDED_CLEAN_to_ntt_monty(uint16_t *h, unsigned logn);
 *
 * tmp[] must have 16-bit alignment.
 */
-int PQCLEAN_FALCON1024PADDED_CLEAN_verify_raw(const uint16_t *c0, const int16_t *s2,
+int PQCLEAN_FALCONPADDED1024_CLEAN_verify_raw(const uint16_t *c0, const int16_t *s2,
 const uint16_t *h, unsigned logn, uint8_t *tmp);
 /*
@@ -267,7 +267,7 @@ int PQCLEAN_FALCON1024PADDED_CLEAN_verify_raw(const uint16_t *c0, const int16_t
 * The tmp[] array must have room for at least 2*2^logn elements.
 * tmp[] must have 16-bit alignment.
 */
-int PQCLEAN_FALCON1024PADDED_CLEAN_compute_public(uint16_t *h,
+int PQCLEAN_FALCONPADDED1024_CLEAN_compute_public(uint16_t *h,
 const int8_t *f, const int8_t *g, unsigned logn, uint8_t *tmp);
 /*
@@ -281,7 +281,7 @@ int PQCLEAN_FALCON1024PADDED_CLEAN_compute_public(uint16_t *h,
 * Returned value is 1 in success, 0 on error (f not invertible).
 * tmp[] must have 16-bit alignment.
 */
-int PQCLEAN_FALCON1024PADDED_CLEAN_complete_private(int8_t *G,
+int PQCLEAN_FALCONPADDED1024_CLEAN_complete_private(int8_t *G,
 const int8_t *f, const int8_t *g, const int8_t *F,
 unsigned logn, uint8_t *tmp);
@@ -291,7 +291,7 @@ int PQCLEAN_FALCON1024PADDED_CLEAN_complete_private(int8_t *G,
 *
 * tmp[] must have 16-bit alignment.
 */
-int PQCLEAN_FALCON1024PADDED_CLEAN_is_invertible(
+int PQCLEAN_FALCONPADDED1024_CLEAN_is_invertible(
 const int16_t *s2, unsigned logn, uint8_t *tmp);
 /*
@@ -302,7 +302,7 @@ int PQCLEAN_FALCON1024PADDED_CLEAN_is_invertible(
 *
 * tmp[] must have 16-bit alignment.
 */
-int PQCLEAN_FALCON1024PADDED_CLEAN_count_nttzero(const int16_t *sig, unsigned logn, uint8_t *tmp);
+int PQCLEAN_FALCONPADDED1024_CLEAN_count_nttzero(const int16_t *sig, unsigned logn, uint8_t *tmp);
 /*
 * Internal signature verification with public key recovery:
@@ -322,7 +322,7 @@ int PQCLEAN_FALCON1024PADDED_CLEAN_count_nttzero(const int16_t *sig, unsigned lo
 *
 * tmp[] must have 16-bit alignment.
 */
-int PQCLEAN_FALCON1024PADDED_CLEAN_verify_recover(uint16_t *h,
+int PQCLEAN_FALCONPADDED1024_CLEAN_verify_recover(uint16_t *h,
 const uint16_t *c0, const int16_t *s1, const int16_t *s2,
 unsigned logn, uint8_t *tmp);
@@ -443,7 +443,7 @@ int PQCLEAN_FALCON1024PADDED_CLEAN_verify_recover(uint16_t *h,
 *
 * Returned value is 1 on success, 0 on error.
 */
-int PQCLEAN_FALCON1024PADDED_CLEAN_get_seed(void *seed, size_t seed_len);
+int PQCLEAN_FALCONPADDED1024_CLEAN_get_seed(void *seed, size_t seed_len);
 /*
 * Structure for a PRNG. This includes a large buffer so that values
@@ -470,18 +470,18 @@ typedef struct {
 * Instantiate a PRNG. That PRNG will feed over the provided SHAKE256
 * context (in "flipped" state) to obtain its initial state.
 */
-void PQCLEAN_FALCON1024PADDED_CLEAN_prng_init(prng *p, inner_shake256_context *src);
+void PQCLEAN_FALCONPADDED1024_CLEAN_prng_init(prng *p, inner_shake256_context *src);
 /*
 * Refill the PRNG buffer. This is normally invoked automatically, and
 * is declared here only so that prng_get_u64() may be inlined.
 */
-void PQCLEAN_FALCON1024PADDED_CLEAN_prng_refill(prng *p);
+void PQCLEAN_FALCONPADDED1024_CLEAN_prng_refill(prng *p);
 /*
 * Get some bytes from a PRNG.
 */
-void PQCLEAN_FALCON1024PADDED_CLEAN_prng_get_bytes(prng *p, void *dst, size_t len);
+void PQCLEAN_FALCONPADDED1024_CLEAN_prng_get_bytes(prng *p, void *dst, size_t len);
 /*
 * Get a 64-bit random value from a PRNG.
@@ -498,7 +498,7 @@ prng_get_u64(prng *p) {
 */
 u = p->ptr;
 if (u >= (sizeof p->buf.d) - 9) {
- PQCLEAN_FALCON1024PADDED_CLEAN_prng_refill(p);
+ PQCLEAN_FALCONPADDED1024_CLEAN_prng_refill(p);
 u = 0;
 }
 p->ptr = u + 8;
@@ -522,7 +522,7 @@ prng_get_u8(prng *p) {
 v = p->buf.d[p->ptr ++];
 if (p->ptr == sizeof p->buf.d) {
- PQCLEAN_FALCON1024PADDED_CLEAN_prng_refill(p);
+ PQCLEAN_FALCONPADDED1024_CLEAN_prng_refill(p);
 }
 return v;
 }
@@ -545,7 +545,7 @@ prng_get_u8(prng *p) {
 *
 * 'logn' MUST lie between 1 and 10 (inclusive).
 */
-void PQCLEAN_FALCON1024PADDED_CLEAN_FFT(fpr *f, unsigned logn);
+void PQCLEAN_FALCONPADDED1024_CLEAN_FFT(fpr *f, unsigned logn);
 /*
 * Compute the inverse FFT in-place: the source array should contain the
@@ -555,61 +555,61 @@ void PQCLEAN_FALCON1024PADDED_CLEAN_FFT(fpr *f, unsigned logn); * * 'logn' MUST lie between 1 and 10 (inclusive). */ -void PQCLEAN_FALCON1024PADDED_CLEAN_iFFT(fpr *f, unsigned logn); +void PQCLEAN_FALCONPADDED1024_CLEAN_iFFT(fpr *f, unsigned logn); /* * Add polynomial b to polynomial a. a and b MUST NOT overlap. This * function works in both normal and FFT representations. */ -void PQCLEAN_FALCON1024PADDED_CLEAN_poly_add(fpr *a, const fpr *b, unsigned logn); +void PQCLEAN_FALCONPADDED1024_CLEAN_poly_add(fpr *a, const fpr *b, unsigned logn); /* * Subtract polynomial b from polynomial a. a and b MUST NOT overlap. This * function works in both normal and FFT representations. */ -void PQCLEAN_FALCON1024PADDED_CLEAN_poly_sub(fpr *a, const fpr *b, unsigned logn); +void PQCLEAN_FALCONPADDED1024_CLEAN_poly_sub(fpr *a, const fpr *b, unsigned logn); /* * Negate polynomial a. This function works in both normal and FFT * representations. */ -void PQCLEAN_FALCON1024PADDED_CLEAN_poly_neg(fpr *a, unsigned logn); +void PQCLEAN_FALCONPADDED1024_CLEAN_poly_neg(fpr *a, unsigned logn); /* * Compute adjoint of polynomial a. This function works only in FFT * representation. */ -void PQCLEAN_FALCON1024PADDED_CLEAN_poly_adj_fft(fpr *a, unsigned logn); +void PQCLEAN_FALCONPADDED1024_CLEAN_poly_adj_fft(fpr *a, unsigned logn); /* * Multiply polynomial a with polynomial b. a and b MUST NOT overlap. * This function works only in FFT representation. */ -void PQCLEAN_FALCON1024PADDED_CLEAN_poly_mul_fft(fpr *a, const fpr *b, unsigned logn); +void PQCLEAN_FALCONPADDED1024_CLEAN_poly_mul_fft(fpr *a, const fpr *b, unsigned logn); /* * Multiply polynomial a with the adjoint of polynomial b. a and b MUST NOT * overlap. This function works only in FFT representation. 
*/ -void PQCLEAN_FALCON1024PADDED_CLEAN_poly_muladj_fft(fpr *a, const fpr *b, unsigned logn); +void PQCLEAN_FALCONPADDED1024_CLEAN_poly_muladj_fft(fpr *a, const fpr *b, unsigned logn); /* * Multiply polynomial with its own adjoint. This function works only in FFT * representation. */ -void PQCLEAN_FALCON1024PADDED_CLEAN_poly_mulselfadj_fft(fpr *a, unsigned logn); +void PQCLEAN_FALCONPADDED1024_CLEAN_poly_mulselfadj_fft(fpr *a, unsigned logn); /* * Multiply polynomial with a real constant. This function works in both * normal and FFT representations. */ -void PQCLEAN_FALCON1024PADDED_CLEAN_poly_mulconst(fpr *a, fpr x, unsigned logn); +void PQCLEAN_FALCONPADDED1024_CLEAN_poly_mulconst(fpr *a, fpr x, unsigned logn); /* * Divide polynomial a by polynomial b, modulo X^N+1 (FFT representation). * a and b MUST NOT overlap. */ -void PQCLEAN_FALCON1024PADDED_CLEAN_poly_div_fft(fpr *a, const fpr *b, unsigned logn); +void PQCLEAN_FALCONPADDED1024_CLEAN_poly_div_fft(fpr *a, const fpr *b, unsigned logn); /* * Given f and g (in FFT representation), compute 1/(f*adj(f)+g*adj(g)) @@ -619,7 +619,7 @@ void PQCLEAN_FALCON1024PADDED_CLEAN_poly_div_fft(fpr *a, const fpr *b, unsigned * * Array d MUST NOT overlap with either a or b. */ -void PQCLEAN_FALCON1024PADDED_CLEAN_poly_invnorm2_fft(fpr *d, +void PQCLEAN_FALCONPADDED1024_CLEAN_poly_invnorm2_fft(fpr *d, const fpr *a, const fpr *b, unsigned logn); /* @@ -627,7 +627,7 @@ void PQCLEAN_FALCON1024PADDED_CLEAN_poly_invnorm2_fft(fpr *d, * (also in FFT representation). Destination d MUST NOT overlap with * any of the source arrays. */ -void PQCLEAN_FALCON1024PADDED_CLEAN_poly_add_muladj_fft(fpr *d, +void PQCLEAN_FALCONPADDED1024_CLEAN_poly_add_muladj_fft(fpr *d, const fpr *F, const fpr *G, const fpr *f, const fpr *g, unsigned logn); 
@@ -637,7 +637,7 @@ void PQCLEAN_FALCON1024PADDED_CLEAN_poly_add_muladj_fft(fpr *d, * FFT coefficients are real, and the array b contains only N/2 elements. * a and b MUST NOT overlap. */ -void PQCLEAN_FALCON1024PADDED_CLEAN_poly_mul_autoadj_fft(fpr *a, +void PQCLEAN_FALCONPADDED1024_CLEAN_poly_mul_autoadj_fft(fpr *a, const fpr *b, unsigned logn); /* @@ -646,7 +646,7 @@ void PQCLEAN_FALCON1024PADDED_CLEAN_poly_mul_autoadj_fft(fpr *a, * FFT coefficients are real, and the array b contains only N/2 elements. * a and b MUST NOT overlap. */ -void PQCLEAN_FALCON1024PADDED_CLEAN_poly_div_autoadj_fft(fpr *a, +void PQCLEAN_FALCONPADDED1024_CLEAN_poly_div_autoadj_fft(fpr *a, const fpr *b, unsigned logn); /* @@ -657,7 +657,7 @@ void PQCLEAN_FALCON1024PADDED_CLEAN_poly_div_autoadj_fft(fpr *a, * (with D = [[d00, 0], [0, d11]] and L = [[1, 0], [l10, 1]]). * (In fact, d00 = g00, so the g00 operand is left unmodified.) */ -void PQCLEAN_FALCON1024PADDED_CLEAN_poly_LDL_fft(const fpr *g00, +void PQCLEAN_FALCONPADDED1024_CLEAN_poly_LDL_fft(const fpr *g00, fpr *g01, fpr *g11, unsigned logn); /* @@ -666,7 +666,7 @@ void PQCLEAN_FALCON1024PADDED_CLEAN_poly_LDL_fft(const fpr *g00, * g00, g01 and g11 are unmodified; the outputs d11 and l10 are written * in two other separate buffers provided as extra parameters. */ -void PQCLEAN_FALCON1024PADDED_CLEAN_poly_LDLmv_fft(fpr *d11, fpr *l10, +void PQCLEAN_FALCONPADDED1024_CLEAN_poly_LDLmv_fft(fpr *d11, fpr *l10, const fpr *g00, const fpr *g01, const fpr *g11, unsigned logn); @@ -675,7 +675,7 @@ void PQCLEAN_FALCON1024PADDED_CLEAN_poly_LDLmv_fft(fpr *d11, fpr *l10, * f = f0(x^2) + x*f1(x^2), for half-size polynomials f0 and f1 * (polynomials modulo X^(N/2)+1). f0, f1 and f MUST NOT overlap. */ -void PQCLEAN_FALCON1024PADDED_CLEAN_poly_split_fft(fpr *f0, fpr *f1, +void PQCLEAN_FALCONPADDED1024_CLEAN_poly_split_fft(fpr *f0, fpr *f1, const fpr *f, unsigned logn); /* 
@@ -684,7 +684,7 @@ void PQCLEAN_FALCON1024PADDED_CLEAN_poly_split_fft(fpr *f0, fpr *f1, * f = f0(x^2) + x*f1(x^2), in FFT representation modulo X^N+1. * f MUST NOT overlap with either f0 or f1. */ -void PQCLEAN_FALCON1024PADDED_CLEAN_poly_merge_fft(fpr *f, +void PQCLEAN_FALCONPADDED1024_CLEAN_poly_merge_fft(fpr *f, const fpr *f0, const fpr *f1, unsigned logn); /* ==================================================================== */ @@ -723,7 +723,7 @@ void PQCLEAN_FALCON1024PADDED_CLEAN_poly_merge_fft(fpr *f, * tmp[] must have 64-bit alignment. * This function uses floating-point rounding (see set_fpu_cw()). */ -void PQCLEAN_FALCON1024PADDED_CLEAN_keygen(inner_shake256_context *rng, +void PQCLEAN_FALCONPADDED1024_CLEAN_keygen(inner_shake256_context *rng, int8_t *f, int8_t *g, int8_t *F, int8_t *G, uint16_t *h, unsigned logn, uint8_t *tmp); @@ -742,14 +742,14 @@ void PQCLEAN_FALCON1024PADDED_CLEAN_keygen(inner_shake256_context *rng, * tmp[] must have 64-bit alignment. * This function uses floating-point rounding (see set_fpu_cw()). */ -void PQCLEAN_FALCON1024PADDED_CLEAN_expand_privkey(fpr *expanded_key, +void PQCLEAN_FALCONPADDED1024_CLEAN_expand_privkey(fpr *expanded_key, const int8_t *f, const int8_t *g, const int8_t *F, const int8_t *G, unsigned logn, uint8_t *tmp); /* * Compute a signature over the provided hashed message (hm); the * signature value is one short vector. This function uses an - * expanded key (as generated by PQCLEAN_FALCON1024PADDED_CLEAN_expand_privkey()). + * expanded key (as generated by PQCLEAN_FALCONPADDED1024_CLEAN_expand_privkey()). * * The sig[] and hm[] buffers may overlap. * 
@@ -761,7 +761,7 @@ void PQCLEAN_FALCON1024PADDED_CLEAN_expand_privkey(fpr *expanded_key, * tmp[] must have 64-bit alignment. * This function uses floating-point rounding (see set_fpu_cw()). */ -void PQCLEAN_FALCON1024PADDED_CLEAN_sign_tree(int16_t *sig, inner_shake256_context *rng, +void PQCLEAN_FALCONPADDED1024_CLEAN_sign_tree(int16_t *sig, inner_shake256_context *rng, const fpr *expanded_key, const uint16_t *hm, unsigned logn, uint8_t *tmp); @@ -782,7 +782,7 @@ void PQCLEAN_FALCON1024PADDED_CLEAN_sign_tree(int16_t *sig, inner_shake256_conte * tmp[] must have 64-bit alignment. * This function uses floating-point rounding (see set_fpu_cw()). */ -void PQCLEAN_FALCON1024PADDED_CLEAN_sign_dyn(int16_t *sig, inner_shake256_context *rng, +void PQCLEAN_FALCONPADDED1024_CLEAN_sign_dyn(int16_t *sig, inner_shake256_context *rng, const int8_t *f, const int8_t *g, const int8_t *F, const int8_t *G, const uint16_t *hm, unsigned logn, uint8_t *tmp); @@ -811,9 +811,9 @@ typedef struct { fpr sigma_min; } sampler_context; -int PQCLEAN_FALCON1024PADDED_CLEAN_sampler(void *ctx, fpr mu, fpr isigma); +int PQCLEAN_FALCONPADDED1024_CLEAN_sampler(void *ctx, fpr mu, fpr isigma); -int PQCLEAN_FALCON1024PADDED_CLEAN_gaussian0_sampler(prng *p); +int PQCLEAN_FALCONPADDED1024_CLEAN_gaussian0_sampler(prng *p); /* ==================================================================== */ diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/clean/keygen.c b/Modules/PQClean/crypto_sign/falcon-padded-1024/clean/keygen.c similarity index 98% rename from Modules/PQClean/crypto_sign/falcon-1024-padded/clean/keygen.c rename to Modules/PQClean/crypto_sign/falcon-padded-1024/clean/keygen.c index 58683659..411c3746 100644 --- a/Modules/PQClean/crypto_sign/falcon-1024-padded/clean/keygen.c +++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/clean/keygen.c 
@@ -3071,11 +3071,11 @@ solve_NTRU_intermediate(unsigned logn_top, * Compute 1/(f*adj(f)+g*adj(g)) in rt5. We also keep adj(f) * and adj(g) in rt3 and rt4, respectively. */ - PQCLEAN_FALCON1024PADDED_CLEAN_FFT(rt3, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_FFT(rt4, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_poly_invnorm2_fft(rt5, rt3, rt4, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_poly_adj_fft(rt3, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_poly_adj_fft(rt4, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_FFT(rt3, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_FFT(rt4, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_poly_invnorm2_fft(rt5, rt3, rt4, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_poly_adj_fft(rt3, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_poly_adj_fft(rt4, logn); /* * Reduce F and G repeatedly. @@ -3135,13 +3135,13 @@ solve_NTRU_intermediate(unsigned logn_top, /* * Compute (F*adj(f)+G*adj(g))/(f*adj(f)+g*adj(g)) in rt2. */ - PQCLEAN_FALCON1024PADDED_CLEAN_FFT(rt1, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_FFT(rt2, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_poly_mul_fft(rt1, rt3, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_poly_mul_fft(rt2, rt4, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_poly_add(rt2, rt1, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_poly_mul_autoadj_fft(rt2, rt5, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_iFFT(rt2, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_FFT(rt1, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_FFT(rt2, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_poly_mul_fft(rt1, rt3, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_poly_mul_fft(rt2, rt4, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_poly_add(rt2, rt1, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_poly_mul_autoadj_fft(rt2, rt5, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_iFFT(rt2, logn); /* * (f,g) are scaled by 'scale_fg', meaning that the 
@@ -3589,10 +3589,10 @@ solve_NTRU_binary_depth1(unsigned logn_top, * rt4 = g * in that order in RAM. We convert all of them to FFT. */ - PQCLEAN_FALCON1024PADDED_CLEAN_FFT(rt1, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_FFT(rt2, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_FFT(rt3, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_FFT(rt4, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_FFT(rt1, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_FFT(rt2, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_FFT(rt3, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_FFT(rt4, logn); /* * Compute: @@ -3602,14 +3602,14 @@ solve_NTRU_binary_depth1(unsigned logn_top, */ rt5 = rt4 + n; rt6 = rt5 + n; - PQCLEAN_FALCON1024PADDED_CLEAN_poly_add_muladj_fft(rt5, rt1, rt2, rt3, rt4, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_poly_invnorm2_fft(rt6, rt3, rt4, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_poly_add_muladj_fft(rt5, rt1, rt2, rt3, rt4, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_poly_invnorm2_fft(rt6, rt3, rt4, logn); /* * Compute: * rt5 = (F*adj(f)+G*adj(g)) / (f*adj(f)+g*adj(g)) */ - PQCLEAN_FALCON1024PADDED_CLEAN_poly_mul_autoadj_fft(rt5, rt6, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_poly_mul_autoadj_fft(rt5, rt6, logn); /* * Compute k as the rounded version of rt5. Check that none of @@ -3618,7 +3618,7 @@ solve_NTRU_binary_depth1(unsigned logn_top, * note that any out-of-bounds value here implies a failure and * (f,g) will be discarded, so we can make a simple test. */ - PQCLEAN_FALCON1024PADDED_CLEAN_iFFT(rt5, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_iFFT(rt5, logn); for (u = 0; u < n; u ++) { fpr z; 
@@ -3628,17 +3628,17 @@ solve_NTRU_binary_depth1(unsigned logn_top, } rt5[u] = fpr_of(fpr_rint(z)); } - PQCLEAN_FALCON1024PADDED_CLEAN_FFT(rt5, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_FFT(rt5, logn); /* * Subtract k*f from F, and k*g from G. */ - PQCLEAN_FALCON1024PADDED_CLEAN_poly_mul_fft(rt3, rt5, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_poly_mul_fft(rt4, rt5, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_poly_sub(rt1, rt3, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_poly_sub(rt2, rt4, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_iFFT(rt1, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_iFFT(rt2, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_poly_mul_fft(rt3, rt5, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_poly_mul_fft(rt4, rt5, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_poly_sub(rt1, rt3, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_poly_sub(rt2, rt4, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_iFFT(rt1, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_iFFT(rt2, logn); /* * Convert back F and G to integers, and return. @@ -3857,7 +3857,7 @@ solve_NTRU_binary_depth0(unsigned logn, for (u = 0; u < n; u ++) { rt3[u] = fpr_of(((int32_t *)t2)[u]); } - PQCLEAN_FALCON1024PADDED_CLEAN_FFT(rt3, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_FFT(rt3, logn); rt2 = align_fpr(tmp, t2); memmove(rt2, rt3, hn * sizeof * rt3); @@ -3868,14 +3868,14 @@ solve_NTRU_binary_depth0(unsigned logn, for (u = 0; u < n; u ++) { rt3[u] = fpr_of(((int32_t *)t1)[u]); } - PQCLEAN_FALCON1024PADDED_CLEAN_FFT(rt3, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_FFT(rt3, logn); /* * Compute (F*adj(f)+G*adj(g))/(f*adj(f)+g*adj(g)) and get * its rounded normal representation in t1. */ - PQCLEAN_FALCON1024PADDED_CLEAN_poly_div_autoadj_fft(rt3, rt2, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_iFFT(rt3, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_poly_div_autoadj_fft(rt3, rt2, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_iFFT(rt3, logn); for (u = 0; u < n; u ++) { t1[u] = modp_set((int32_t)fpr_rint(rt3[u]), p); } 
@@ -4076,7 +4076,7 @@ poly_small_mkgauss(RNG_CONTEXT *rng, int8_t *f, unsigned logn) { /* see falcon.h */ void -PQCLEAN_FALCON1024PADDED_CLEAN_keygen(inner_shake256_context *rng, +PQCLEAN_FALCONPADDED1024_CLEAN_keygen(inner_shake256_context *rng, int8_t *f, int8_t *g, int8_t *F, int8_t *G, uint16_t *h, unsigned logn, uint8_t *tmp) { /* @@ -4145,7 +4145,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_keygen(inner_shake256_context *rng, * overwhelming probability; this guarantees that the * key will be encodable with FALCON_COMP_TRIM. */ - lim = 1 << (PQCLEAN_FALCON1024PADDED_CLEAN_max_fg_bits[logn] - 1); + lim = 1 << (PQCLEAN_FALCONPADDED1024_CLEAN_max_fg_bits[logn] - 1); for (u = 0; u < n; u ++) { /* * We can use non-CT tests since on any failure 
@@ -4183,17 +4183,17 @@ PQCLEAN_FALCON1024PADDED_CLEAN_keygen(inner_shake256_context *rng, rt3 = rt2 + n; poly_small_to_fp(rt1, f, logn); poly_small_to_fp(rt2, g, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_FFT(rt1, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_FFT(rt2, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_poly_invnorm2_fft(rt3, rt1, rt2, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_poly_adj_fft(rt1, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_poly_adj_fft(rt2, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_poly_mulconst(rt1, fpr_q, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_poly_mulconst(rt2, fpr_q, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_poly_mul_autoadj_fft(rt1, rt3, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_poly_mul_autoadj_fft(rt2, rt3, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_iFFT(rt1, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_iFFT(rt2, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_FFT(rt1, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_FFT(rt2, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_poly_invnorm2_fft(rt3, rt1, rt2, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_poly_adj_fft(rt1, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_poly_adj_fft(rt2, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_poly_mulconst(rt1, fpr_q, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_poly_mulconst(rt2, fpr_q, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_poly_mul_autoadj_fft(rt1, rt3, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_poly_mul_autoadj_fft(rt2, rt3, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_iFFT(rt1, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_iFFT(rt2, logn); bnorm = fpr_zero; for (u = 0; u < n; u ++) { bnorm = fpr_add(bnorm, fpr_sqr(rt1[u])); 
@@ -4214,14 +4214,14 @@ PQCLEAN_FALCON1024PADDED_CLEAN_keygen(inner_shake256_context *rng, h2 = h; tmp2 = (uint16_t *)tmp; } - if (!PQCLEAN_FALCON1024PADDED_CLEAN_compute_public(h2, f, g, logn, (uint8_t *)tmp2)) { + if (!PQCLEAN_FALCONPADDED1024_CLEAN_compute_public(h2, f, g, logn, (uint8_t *)tmp2)) { continue; } /* * Solve the NTRU equation to get F and G. */ - lim = (1 << (PQCLEAN_FALCON1024PADDED_CLEAN_max_FG_bits[logn] - 1)) - 1; + lim = (1 << (PQCLEAN_FALCONPADDED1024_CLEAN_max_FG_bits[logn] - 1)) - 1; if (!solve_NTRU(logn, F, G, f, g, lim, (uint32_t *)tmp)) { continue; } diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/clean/pqclean.c b/Modules/PQClean/crypto_sign/falcon-padded-1024/clean/pqclean.c similarity index 71% rename from Modules/PQClean/crypto_sign/falcon-1024-padded/clean/pqclean.c rename to Modules/PQClean/crypto_sign/falcon-padded-1024/clean/pqclean.c index 81156cf3..eb6cc85a 100644 --- a/Modules/PQClean/crypto_sign/falcon-1024-padded/clean/pqclean.c +++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/clean/pqclean.c @@ -38,7 +38,7 @@ /* see api.h */ int -PQCLEAN_FALCON1024PADDED_CLEAN_crypto_sign_keypair( +PQCLEAN_FALCONPADDED1024_CLEAN_crypto_sign_keypair( uint8_t *pk, uint8_t *sk) { union { uint8_t b[FALCON_KEYGEN_TEMP_10]; @@ -58,7 +58,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_crypto_sign_keypair( inner_shake256_init(&rng); inner_shake256_inject(&rng, seed, sizeof seed); inner_shake256_flip(&rng); - PQCLEAN_FALCON1024PADDED_CLEAN_keygen(&rng, f, g, F, NULL, h, 10, tmp.b); + PQCLEAN_FALCONPADDED1024_CLEAN_keygen(&rng, f, g, F, NULL, h, 10, tmp.b); inner_shake256_ctx_release(&rng); /* 
@@ -66,28 +66,28 @@ PQCLEAN_FALCON1024PADDED_CLEAN_crypto_sign_keypair( */ sk[0] = 0x50 + 10; u = 1; - v = PQCLEAN_FALCON1024PADDED_CLEAN_trim_i8_encode( - sk + u, PQCLEAN_FALCON1024PADDED_CLEAN_CRYPTO_SECRETKEYBYTES - u, - f, 10, PQCLEAN_FALCON1024PADDED_CLEAN_max_fg_bits[10]); + v = PQCLEAN_FALCONPADDED1024_CLEAN_trim_i8_encode( + sk + u, PQCLEAN_FALCONPADDED1024_CLEAN_CRYPTO_SECRETKEYBYTES - u, + f, 10, PQCLEAN_FALCONPADDED1024_CLEAN_max_fg_bits[10]); if (v == 0) { return -1; } u += v; - v = PQCLEAN_FALCON1024PADDED_CLEAN_trim_i8_encode( - sk + u, PQCLEAN_FALCON1024PADDED_CLEAN_CRYPTO_SECRETKEYBYTES - u, - g, 10, PQCLEAN_FALCON1024PADDED_CLEAN_max_fg_bits[10]); + v = PQCLEAN_FALCONPADDED1024_CLEAN_trim_i8_encode( + sk + u, PQCLEAN_FALCONPADDED1024_CLEAN_CRYPTO_SECRETKEYBYTES - u, + g, 10, PQCLEAN_FALCONPADDED1024_CLEAN_max_fg_bits[10]); if (v == 0) { return -1; } u += v; - v = PQCLEAN_FALCON1024PADDED_CLEAN_trim_i8_encode( - sk + u, PQCLEAN_FALCON1024PADDED_CLEAN_CRYPTO_SECRETKEYBYTES - u, - F, 10, PQCLEAN_FALCON1024PADDED_CLEAN_max_FG_bits[10]); + v = PQCLEAN_FALCONPADDED1024_CLEAN_trim_i8_encode( + sk + u, PQCLEAN_FALCONPADDED1024_CLEAN_CRYPTO_SECRETKEYBYTES - u, + F, 10, PQCLEAN_FALCONPADDED1024_CLEAN_max_FG_bits[10]); if (v == 0) { return -1; } u += v; - if (u != PQCLEAN_FALCON1024PADDED_CLEAN_CRYPTO_SECRETKEYBYTES) { + if (u != PQCLEAN_FALCONPADDED1024_CLEAN_CRYPTO_SECRETKEYBYTES) { return -1; } @@ -95,10 +95,10 @@ PQCLEAN_FALCON1024PADDED_CLEAN_crypto_sign_keypair( * Encode public key. */ pk[0] = 0x00 + 10; - v = PQCLEAN_FALCON1024PADDED_CLEAN_modq_encode( - pk + 1, PQCLEAN_FALCON1024PADDED_CLEAN_CRYPTO_PUBLICKEYBYTES - 1, + v = PQCLEAN_FALCONPADDED1024_CLEAN_modq_encode( + pk + 1, PQCLEAN_FALCONPADDED1024_CLEAN_CRYPTO_PUBLICKEYBYTES - 1, h, 10); - if (v != PQCLEAN_FALCON1024PADDED_CLEAN_CRYPTO_PUBLICKEYBYTES - 1) { + if (v != PQCLEAN_FALCONPADDED1024_CLEAN_CRYPTO_PUBLICKEYBYTES - 1) { return -1; } 
@@ -142,31 +142,31 @@ do_sign(uint8_t *nonce, uint8_t *sigbuf, size_t sigbuflen, return -1; } u = 1; - v = PQCLEAN_FALCON1024PADDED_CLEAN_trim_i8_decode( - f, 10, PQCLEAN_FALCON1024PADDED_CLEAN_max_fg_bits[10], - sk + u, PQCLEAN_FALCON1024PADDED_CLEAN_CRYPTO_SECRETKEYBYTES - u); + v = PQCLEAN_FALCONPADDED1024_CLEAN_trim_i8_decode( + f, 10, PQCLEAN_FALCONPADDED1024_CLEAN_max_fg_bits[10], + sk + u, PQCLEAN_FALCONPADDED1024_CLEAN_CRYPTO_SECRETKEYBYTES - u); if (v == 0) { return -1; } u += v; - v = PQCLEAN_FALCON1024PADDED_CLEAN_trim_i8_decode( - g, 10, PQCLEAN_FALCON1024PADDED_CLEAN_max_fg_bits[10], - sk + u, PQCLEAN_FALCON1024PADDED_CLEAN_CRYPTO_SECRETKEYBYTES - u); + v = PQCLEAN_FALCONPADDED1024_CLEAN_trim_i8_decode( + g, 10, PQCLEAN_FALCONPADDED1024_CLEAN_max_fg_bits[10], + sk + u, PQCLEAN_FALCONPADDED1024_CLEAN_CRYPTO_SECRETKEYBYTES - u); if (v == 0) { return -1; } u += v; - v = PQCLEAN_FALCON1024PADDED_CLEAN_trim_i8_decode( - F, 10, PQCLEAN_FALCON1024PADDED_CLEAN_max_FG_bits[10], - sk + u, PQCLEAN_FALCON1024PADDED_CLEAN_CRYPTO_SECRETKEYBYTES - u); + v = PQCLEAN_FALCONPADDED1024_CLEAN_trim_i8_decode( + F, 10, PQCLEAN_FALCONPADDED1024_CLEAN_max_FG_bits[10], + sk + u, PQCLEAN_FALCONPADDED1024_CLEAN_CRYPTO_SECRETKEYBYTES - u); if (v == 0) { return -1; } u += v; - if (u != PQCLEAN_FALCON1024PADDED_CLEAN_CRYPTO_SECRETKEYBYTES) { + if (u != PQCLEAN_FALCONPADDED1024_CLEAN_CRYPTO_SECRETKEYBYTES) { return -1; } - if (!PQCLEAN_FALCON1024PADDED_CLEAN_complete_private(G, f, g, F, 10, tmp.b)) { + if (!PQCLEAN_FALCONPADDED1024_CLEAN_complete_private(G, f, g, F, 10, tmp.b)) { return -1; } @@ -182,7 +182,7 @@ do_sign(uint8_t *nonce, uint8_t *sigbuf, size_t sigbuflen, inner_shake256_inject(&sc, nonce, NONCELEN); inner_shake256_inject(&sc, m, mlen); inner_shake256_flip(&sc); - PQCLEAN_FALCON1024PADDED_CLEAN_hash_to_point_ct(&sc, r.hm, 10, tmp.b); + PQCLEAN_FALCONPADDED1024_CLEAN_hash_to_point_ct(&sc, r.hm, 10, tmp.b); inner_shake256_ctx_release(&sc); /* 
@@ -198,8 +198,8 @@ do_sign(uint8_t *nonce, uint8_t *sigbuf, size_t sigbuflen, * value is found that fits in the provided buffer. */ for (;;) { - PQCLEAN_FALCON1024PADDED_CLEAN_sign_dyn(r.sig, &sc, f, g, F, G, r.hm, 10, tmp.b); - v = PQCLEAN_FALCON1024PADDED_CLEAN_comp_encode(sigbuf, sigbuflen, r.sig, 10); + PQCLEAN_FALCONPADDED1024_CLEAN_sign_dyn(r.sig, &sc, f, g, F, G, r.hm, 10, tmp.b); + v = PQCLEAN_FALCONPADDED1024_CLEAN_comp_encode(sigbuf, sigbuflen, r.sig, 10); if (v != 0) { inner_shake256_ctx_release(&sc); memset(sigbuf + v, 0, sigbuflen - v); @@ -233,12 +233,12 @@ do_verify( if (pk[0] != 0x00 + 10) { return -1; } - if (PQCLEAN_FALCON1024PADDED_CLEAN_modq_decode(h, 10, - pk + 1, PQCLEAN_FALCON1024PADDED_CLEAN_CRYPTO_PUBLICKEYBYTES - 1) - != PQCLEAN_FALCON1024PADDED_CLEAN_CRYPTO_PUBLICKEYBYTES - 1) { + if (PQCLEAN_FALCONPADDED1024_CLEAN_modq_decode(h, 10, + pk + 1, PQCLEAN_FALCONPADDED1024_CLEAN_CRYPTO_PUBLICKEYBYTES - 1) + != PQCLEAN_FALCONPADDED1024_CLEAN_CRYPTO_PUBLICKEYBYTES - 1) { return -1; } - PQCLEAN_FALCON1024PADDED_CLEAN_to_ntt_monty(h, 10); + PQCLEAN_FALCONPADDED1024_CLEAN_to_ntt_monty(h, 10); /* * Decode signature. @@ -247,12 +247,12 @@ do_verify( return -1; } - v = PQCLEAN_FALCON1024PADDED_CLEAN_comp_decode(sig, 10, sigbuf, sigbuflen); + v = PQCLEAN_FALCONPADDED1024_CLEAN_comp_decode(sig, 10, sigbuf, sigbuflen); if (v == 0) { return -1; } if (v != sigbuflen) { - if (sigbuflen == PQCLEAN_FALCON1024PADDED_CLEAN_CRYPTO_BYTES - NONCELEN - 1) { + if (sigbuflen == PQCLEAN_FALCONPADDED1024_CLEAN_CRYPTO_BYTES - NONCELEN - 1) { while (v < sigbuflen) { if (sigbuf[v++] != 0) { return -1; 
@@ -270,13 +270,13 @@ do_verify( inner_shake256_inject(&sc, nonce, NONCELEN); inner_shake256_inject(&sc, m, mlen); inner_shake256_flip(&sc); - PQCLEAN_FALCON1024PADDED_CLEAN_hash_to_point_ct(&sc, hm, 10, tmp.b); + PQCLEAN_FALCONPADDED1024_CLEAN_hash_to_point_ct(&sc, hm, 10, tmp.b); inner_shake256_ctx_release(&sc); /* * Verify signature. */ - if (!PQCLEAN_FALCON1024PADDED_CLEAN_verify_raw(hm, sig, h, 10, tmp.b)) { + if (!PQCLEAN_FALCONPADDED1024_CLEAN_verify_raw(hm, sig, h, 10, tmp.b)) { return -1; } return 0; @@ -284,12 +284,12 @@ do_verify( /* see api.h */ int -PQCLEAN_FALCON1024PADDED_CLEAN_crypto_sign_signature( +PQCLEAN_FALCONPADDED1024_CLEAN_crypto_sign_signature( uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk) { size_t vlen; - vlen = PQCLEAN_FALCON1024PADDED_CLEAN_CRYPTO_BYTES - NONCELEN - 1; + vlen = PQCLEAN_FALCONPADDED1024_CLEAN_CRYPTO_BYTES - NONCELEN - 1; if (do_sign(sig + 1, sig + 1 + NONCELEN, vlen, m, mlen, sk) < 0) { return -1; } @@ -300,7 +300,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_crypto_sign_signature( /* see api.h */ int -PQCLEAN_FALCON1024PADDED_CLEAN_crypto_sign_verify( +PQCLEAN_FALCONPADDED1024_CLEAN_crypto_sign_verify( const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk) { if (siglen < 1 + NONCELEN) { @@ -315,7 +315,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_crypto_sign_verify( /* see api.h */ int -PQCLEAN_FALCON1024PADDED_CLEAN_crypto_sign( +PQCLEAN_FALCONPADDED1024_CLEAN_crypto_sign( uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, const uint8_t *sk) { uint8_t *sigbuf; 
@@ -325,9 +325,9 @@ PQCLEAN_FALCON1024PADDED_CLEAN_crypto_sign( * Move the message to its final location; this is a memmove() so * it handles overlaps properly. */ - memmove(sm + PQCLEAN_FALCON1024PADDED_CLEAN_CRYPTO_BYTES, m, mlen); + memmove(sm + PQCLEAN_FALCONPADDED1024_CLEAN_CRYPTO_BYTES, m, mlen); sigbuf = sm + 1 + NONCELEN; - sigbuflen = PQCLEAN_FALCON1024PADDED_CLEAN_CRYPTO_BYTES - NONCELEN - 1; + sigbuflen = PQCLEAN_FALCONPADDED1024_CLEAN_CRYPTO_BYTES - NONCELEN - 1; if (do_sign(sm + 1, sigbuf, sigbuflen, m, mlen, sk) < 0) { return -1; } @@ -339,17 +339,17 @@ PQCLEAN_FALCON1024PADDED_CLEAN_crypto_sign( /* see api.h */ int -PQCLEAN_FALCON1024PADDED_CLEAN_crypto_sign_open( +PQCLEAN_FALCONPADDED1024_CLEAN_crypto_sign_open( uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, const uint8_t *pk) { const uint8_t *sigbuf; size_t pmlen, sigbuflen; - if (smlen < PQCLEAN_FALCON1024PADDED_CLEAN_CRYPTO_BYTES) { + if (smlen < PQCLEAN_FALCONPADDED1024_CLEAN_CRYPTO_BYTES) { return -1; } - sigbuflen = PQCLEAN_FALCON1024PADDED_CLEAN_CRYPTO_BYTES - NONCELEN - 1; - pmlen = smlen - PQCLEAN_FALCON1024PADDED_CLEAN_CRYPTO_BYTES; + sigbuflen = PQCLEAN_FALCONPADDED1024_CLEAN_CRYPTO_BYTES - NONCELEN - 1; + pmlen = smlen - PQCLEAN_FALCONPADDED1024_CLEAN_CRYPTO_BYTES; if (sm[0] != 0x30 + 10) { return -1; } @@ -361,7 +361,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_crypto_sign_open( * follows the signature value. */ if (do_verify(sm + 1, sigbuf, sigbuflen, - sm + PQCLEAN_FALCON1024PADDED_CLEAN_CRYPTO_BYTES, pmlen, pk) < 0) { + sm + PQCLEAN_FALCONPADDED1024_CLEAN_CRYPTO_BYTES, pmlen, pk) < 0) { return -1; } @@ -370,7 +370,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_crypto_sign_open( * to its final destination. The memmove() properly handles * overlaps. */ - memmove(m, sm + PQCLEAN_FALCON1024PADDED_CLEAN_CRYPTO_BYTES, pmlen); + memmove(m, sm + PQCLEAN_FALCONPADDED1024_CLEAN_CRYPTO_BYTES, pmlen); *mlen = pmlen; return 0; } 
diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/clean/rng.c b/Modules/PQClean/crypto_sign/falcon-padded-1024/clean/rng.c similarity index 95% rename from Modules/PQClean/crypto_sign/falcon-1024-padded/clean/rng.c rename to Modules/PQClean/crypto_sign/falcon-padded-1024/clean/rng.c index b32f4c0e..169d35fb 100644 --- a/Modules/PQClean/crypto_sign/falcon-1024-padded/clean/rng.c +++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/clean/rng.c @@ -35,7 +35,7 @@ /* see inner.h */ void -PQCLEAN_FALCON1024PADDED_CLEAN_prng_init(prng *p, inner_shake256_context *src) { +PQCLEAN_FALCONPADDED1024_CLEAN_prng_init(prng *p, inner_shake256_context *src) { /* * To ensure reproducibility for a given seed, we * must enforce little-endian interpretation of @@ -61,7 +61,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_prng_init(prng *p, inner_shake256_context *src) { tl = d32[48 / sizeof(uint32_t)]; th = d32[52 / sizeof(uint32_t)]; d64[48 / sizeof(uint64_t)] = tl + (th << 32); - PQCLEAN_FALCON1024PADDED_CLEAN_prng_refill(p); + PQCLEAN_FALCONPADDED1024_CLEAN_prng_refill(p); } /* @@ -79,7 +79,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_prng_init(prng *p, inner_shake256_context *src) { * The block counter is XORed into the first 8 bytes of the IV. */ void -PQCLEAN_FALCON1024PADDED_CLEAN_prng_refill(prng *p) { +PQCLEAN_FALCONPADDED1024_CLEAN_prng_refill(prng *p) { static const uint32_t CW[] = { 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 @@ -166,7 +166,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_prng_refill(prng *p) { /* see inner.h */ void -PQCLEAN_FALCON1024PADDED_CLEAN_prng_get_bytes(prng *p, void *dst, size_t len) { +PQCLEAN_FALCONPADDED1024_CLEAN_prng_get_bytes(prng *p, void *dst, size_t len) { uint8_t *buf; buf = dst; @@ -182,7 +182,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_prng_get_bytes(prng *p, void *dst, size_t len) { len -= clen; p->ptr += clen; if (p->ptr == sizeof p->buf.d) { - PQCLEAN_FALCON1024PADDED_CLEAN_prng_refill(p); + PQCLEAN_FALCONPADDED1024_CLEAN_prng_refill(p); } } } 
diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/clean/sign.c b/Modules/PQClean/crypto_sign/falcon-padded-1024/clean/sign.c similarity index 85% rename from Modules/PQClean/crypto_sign/falcon-1024-padded/clean/sign.c rename to Modules/PQClean/crypto_sign/falcon-padded-1024/clean/sign.c index 5c3cc94e..a7dbbfc6 100644 --- a/Modules/PQClean/crypto_sign/falcon-1024-padded/clean/sign.c +++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/clean/sign.c @@ -87,7 +87,7 @@ ffLDL_fft_inner(fpr *tree, * and the diagonal of D. Since d00 = g0, we just write d11 * into tmp. */ - PQCLEAN_FALCON1024PADDED_CLEAN_poly_LDLmv_fft(tmp, tree, g0, g1, g0, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_poly_LDLmv_fft(tmp, tree, g0, g1, g0, logn); /* * Split d00 (currently in g0) and d11 (currently in tmp). We @@ -95,8 +95,8 @@ ffLDL_fft_inner(fpr *tree, * d00 splits into g1, g1+hn * d11 splits into g0, g0+hn */ - PQCLEAN_FALCON1024PADDED_CLEAN_poly_split_fft(g1, g1 + hn, g0, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_poly_split_fft(g0, g0 + hn, tmp, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_poly_split_fft(g1, g1 + hn, g0, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_poly_split_fft(g0, g0 + hn, tmp, logn); /* * Each split result is the first row of a new auto-adjoint @@ -137,10 +137,10 @@ ffLDL_fft(fpr *tree, const fpr *g00, tmp += n << 1; memcpy(d00, g00, n * sizeof * g00); - PQCLEAN_FALCON1024PADDED_CLEAN_poly_LDLmv_fft(d11, tree, g00, g01, g11, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_poly_LDLmv_fft(d11, tree, g00, g01, g11, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_poly_split_fft(tmp, tmp + hn, d00, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_poly_split_fft(d00, d00 + hn, d11, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_poly_split_fft(tmp, tmp + hn, d00, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_poly_split_fft(d00, d00 + hn, d11, logn); memcpy(d11, tmp, n * sizeof * tmp); ffLDL_fft_inner(tree + n, d11, d11 + hn, logn - 1, tmp); 
@@ -224,7 +224,7 @@ skoff_tree(unsigned logn) { /* see inner.h */ void -PQCLEAN_FALCON1024PADDED_CLEAN_expand_privkey(fpr *expanded_key, +PQCLEAN_FALCONPADDED1024_CLEAN_expand_privkey(fpr *expanded_key, const int8_t *f, const int8_t *g, const int8_t *F, const int8_t *G, unsigned logn, uint8_t *tmp) { @@ -258,12 +258,12 @@ PQCLEAN_FALCON1024PADDED_CLEAN_expand_privkey(fpr *expanded_key, /* * Compute the FFT for the key elements, and negate f and F. */ - PQCLEAN_FALCON1024PADDED_CLEAN_FFT(rf, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_FFT(rg, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_FFT(rF, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_FFT(rG, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_poly_neg(rf, logn); - PQCLEAN_FALCON1024PADDED_CLEAN_poly_neg(rF, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_FFT(rf, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_FFT(rg, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_FFT(rF, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_FFT(rG, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_poly_neg(rf, logn); + PQCLEAN_FALCONPADDED1024_CLEAN_poly_neg(rF, logn); /* * The Gram matrix is G = B·B*. Formulas are: 
@@ -281,22 +281,22 @@ PQCLEAN_FALCON1024PADDED_CLEAN_expand_privkey(fpr *expanded_key,
 gxx = g11 + n;
 memcpy(g00, b00, n * sizeof * b00);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_mulselfadj_fft(g00, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_mulselfadj_fft(g00, logn);
 memcpy(gxx, b01, n * sizeof * b01);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_mulselfadj_fft(gxx, logn);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_add(g00, gxx, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_mulselfadj_fft(gxx, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_add(g00, gxx, logn);
 memcpy(g01, b00, n * sizeof * b00);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_muladj_fft(g01, b10, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_muladj_fft(g01, b10, logn);
 memcpy(gxx, b01, n * sizeof * b01);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_muladj_fft(gxx, b11, logn);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_add(g01, gxx, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_muladj_fft(gxx, b11, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_add(g01, gxx, logn);
 memcpy(g11, b10, n * sizeof * b10);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_mulselfadj_fft(g11, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_mulselfadj_fft(g11, logn);
 memcpy(gxx, b11, n * sizeof * b11);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_mulselfadj_fft(gxx, logn);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_add(g11, gxx, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_mulselfadj_fft(gxx, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_add(g11, gxx, logn);
 /*
 * Compute the Falcon tree.
@@ -347,15 +347,15 @@ ffSampling_fft_dyntree(samplerZ samp, void *samp_ctx,
 * Decompose G into LDL. We only need d00 (identical to g00),
 * d11, and l10; we do that in place.
 */
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_LDL_fft(g00, g01, g11, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_LDL_fft(g00, g01, g11, logn);
 /*
 * Split d00 and d11 and expand them into half-size quasi-cyclic
 * Gram matrices. We also save l10 in tmp[].
 */
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_split_fft(tmp, tmp + hn, g00, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_split_fft(tmp, tmp + hn, g00, logn);
 memcpy(g00, tmp, n * sizeof * tmp);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_split_fft(tmp, tmp + hn, g11, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_split_fft(tmp, tmp + hn, g11, logn);
 memcpy(g11, tmp, n * sizeof * tmp);
 memcpy(tmp, g01, n * sizeof * g01);
 memcpy(g01, g00, hn * sizeof * g00);
@@ -375,10 +375,10 @@ ffSampling_fft_dyntree(samplerZ samp, void *samp_ctx,
 * back into tmp + 2*n.
 */
 z1 = tmp + n;
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_split_fft(z1, z1 + hn, t1, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_split_fft(z1, z1 + hn, t1, logn);
 ffSampling_fft_dyntree(samp, samp_ctx, z1, z1 + hn, g11, g11 + hn, g01 + hn, orig_logn, logn - 1, z1 + n);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_merge_fft(tmp + (n << 1), z1, z1 + hn, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_merge_fft(tmp + (n << 1), z1, z1 + hn, logn);
 /*
 * Compute tb0 = t0 + (t1 - z1) * l10.
@@ -388,20 +388,20 @@ ffSampling_fft_dyntree(samplerZ samp, void *samp_ctx,
 * In the end, z1 is written over t1, and tb0 is in t0.
 */
 memcpy(z1, t1, n * sizeof * t1);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_sub(z1, tmp + (n << 1), logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_sub(z1, tmp + (n << 1), logn);
 memcpy(t1, tmp + (n << 1), n * sizeof * tmp);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_mul_fft(tmp, z1, logn);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_add(t0, tmp, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_mul_fft(tmp, z1, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_add(t0, tmp, logn);
 /*
 * Second recursive invocation, on the split tb0 (currently in t0)
 * and the left sub-tree.
 */
 z0 = tmp;
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_split_fft(z0, z0 + hn, t0, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_split_fft(z0, z0 + hn, t0, logn);
 ffSampling_fft_dyntree(samp, samp_ctx, z0, z0 + hn, g00, g00 + hn, g01, orig_logn, logn - 1, z0 + n);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_merge_fft(t0, z0, z0 + hn, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_merge_fft(t0, z0, z0 + hn, logn);
 }
 /*
@@ -607,26 +607,26 @@ ffSampling_fft(samplerZ samp, void *samp_ctx,
 * the recursive invocation, with output in tmp. We finally
 * merge back into z1.
 */
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_split_fft(z1, z1 + hn, t1, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_split_fft(z1, z1 + hn, t1, logn);
 ffSampling_fft(samp, samp_ctx, tmp, tmp + hn, tree1, z1, z1 + hn, logn - 1, tmp + n);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_merge_fft(z1, tmp, tmp + hn, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_merge_fft(z1, tmp, tmp + hn, logn);
 /*
 * Compute tb0 = t0 + (t1 - z1) * L. Value tb0 ends up in tmp[].
 */
 memcpy(tmp, t1, n * sizeof * t1);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_sub(tmp, z1, logn);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_mul_fft(tmp, tree, logn);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_add(tmp, t0, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_sub(tmp, z1, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_mul_fft(tmp, tree, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_add(tmp, t0, logn);
 /*
 * Second recursive invocation.
 */
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_split_fft(z0, z0 + hn, tmp, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_split_fft(z0, z0 + hn, tmp, logn);
 ffSampling_fft(samp, samp_ctx, tmp, tmp + hn, tree0, z0, z0 + hn, logn - 1, tmp + n);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_merge_fft(z0, tmp, tmp + hn, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_merge_fft(z0, tmp, tmp + hn, logn);
 }
 /*
@@ -674,13 +674,13 @@ do_sign_tree(samplerZ samp, void *samp_ctx, int16_t *s2,
 * Apply the lattice basis to obtain the real target
 * vector (after normalization with regards to modulus).
 */
- PQCLEAN_FALCON1024PADDED_CLEAN_FFT(t0, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_FFT(t0, logn);
 ni = fpr_inverse_of_q;
 memcpy(t1, t0, n * sizeof * t0);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_mul_fft(t1, b01, logn);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_mulconst(t1, fpr_neg(ni), logn);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_mul_fft(t0, b11, logn);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_mulconst(t0, ni, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_mul_fft(t1, b01, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_mulconst(t1, fpr_neg(ni), logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_mul_fft(t0, b11, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_mulconst(t0, ni, logn);
 tx = t1 + n;
 ty = tx + n;
@@ -695,18 +695,18 @@ do_sign_tree(samplerZ samp, void *samp_ctx, int16_t *s2,
 */
 memcpy(t0, tx, n * sizeof * tx);
 memcpy(t1, ty, n * sizeof * ty);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_mul_fft(tx, b00, logn);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_mul_fft(ty, b10, logn);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_add(tx, ty, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_mul_fft(tx, b00, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_mul_fft(ty, b10, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_add(tx, ty, logn);
 memcpy(ty, t0, n * sizeof * t0);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_mul_fft(ty, b01, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_mul_fft(ty, b01, logn);
 memcpy(t0, tx, n * sizeof * tx);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_mul_fft(t1, b11, logn);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_add(t1, ty, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_mul_fft(t1, b11, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_add(t1, ty, logn);
- PQCLEAN_FALCON1024PADDED_CLEAN_iFFT(t0, logn);
- PQCLEAN_FALCON1024PADDED_CLEAN_iFFT(t1, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_iFFT(t0, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_iFFT(t1, logn);
 /*
 * Compute the signature.
@@ -737,7 +737,7 @@ do_sign_tree(samplerZ samp, void *samp_ctx, int16_t *s2,
 for (u = 0; u < n; u ++) {
 s2tmp[u] = (int16_t) - fpr_rint(t1[u]);
 }
- if (PQCLEAN_FALCON1024PADDED_CLEAN_is_short_half(sqn, s2tmp, logn)) {
+ if (PQCLEAN_FALCONPADDED1024_CLEAN_is_short_half(sqn, s2tmp, logn)) {
 memcpy(s2, s2tmp, n * sizeof * s2);
 memcpy(tmp, s1tmp, n * sizeof * s1tmp);
 return 1;
@@ -779,12 +779,12 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2,
 smallints_to_fpr(b00, g, logn);
 smallints_to_fpr(b11, F, logn);
 smallints_to_fpr(b10, G, logn);
- PQCLEAN_FALCON1024PADDED_CLEAN_FFT(b01, logn);
- PQCLEAN_FALCON1024PADDED_CLEAN_FFT(b00, logn);
- PQCLEAN_FALCON1024PADDED_CLEAN_FFT(b11, logn);
- PQCLEAN_FALCON1024PADDED_CLEAN_FFT(b10, logn);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_neg(b01, logn);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_neg(b11, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_FFT(b01, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_FFT(b00, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_FFT(b11, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_FFT(b10, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_neg(b01, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_neg(b11, logn);
 /*
 * Compute the Gram matrix G = B·B*. Formulas are:
@@ -804,20 +804,20 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2,
 t1 = t0 + n;
 memcpy(t0, b01, n * sizeof * b01);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_mulselfadj_fft(t0, logn); // t0 <- b01*adj(b01)
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_mulselfadj_fft(t0, logn); // t0 <- b01*adj(b01)
 memcpy(t1, b00, n * sizeof * b00);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_muladj_fft(t1, b10, logn); // t1 <- b00*adj(b10)
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_mulselfadj_fft(b00, logn); // b00 <- b00*adj(b00)
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_add(b00, t0, logn); // b00 <- g00
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_muladj_fft(t1, b10, logn); // t1 <- b00*adj(b10)
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_mulselfadj_fft(b00, logn); // b00 <- b00*adj(b00)
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_add(b00, t0, logn); // b00 <- g00
 memcpy(t0, b01, n * sizeof * b01);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_muladj_fft(b01, b11, logn); // b01 <- b01*adj(b11)
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_add(b01, t1, logn); // b01 <- g01
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_muladj_fft(b01, b11, logn); // b01 <- b01*adj(b11)
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_add(b01, t1, logn); // b01 <- g01
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_mulselfadj_fft(b10, logn); // b10 <- b10*adj(b10)
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_mulselfadj_fft(b10, logn); // b10 <- b10*adj(b10)
 memcpy(t1, b11, n * sizeof * b11);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_mulselfadj_fft(t1, logn); // t1 <- b11*adj(b11)
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_add(b10, t1, logn); // b10 <- g11
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_mulselfadj_fft(t1, logn); // t1 <- b11*adj(b11)
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_add(b10, t1, logn); // b10 <- g11
 /*
 * We rename variables to make things clearer. The three elements
@@ -850,13 +850,13 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2,
 * Apply the lattice basis to obtain the real target
 * vector (after normalization with regards to modulus).
 */
- PQCLEAN_FALCON1024PADDED_CLEAN_FFT(t0, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_FFT(t0, logn);
 ni = fpr_inverse_of_q;
 memcpy(t1, t0, n * sizeof * t0);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_mul_fft(t1, b01, logn);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_mulconst(t1, fpr_neg(ni), logn);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_mul_fft(t0, b11, logn);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_mulconst(t0, ni, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_mul_fft(t1, b01, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_mulconst(t1, fpr_neg(ni), logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_mul_fft(t0, b11, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_mulconst(t0, ni, logn);
 /*
 * b01 and b11 can be discarded, so we move back (t0,t1).
@@ -891,12 +891,12 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2,
 smallints_to_fpr(b00, g, logn);
 smallints_to_fpr(b11, F, logn);
 smallints_to_fpr(b10, G, logn);
- PQCLEAN_FALCON1024PADDED_CLEAN_FFT(b01, logn);
- PQCLEAN_FALCON1024PADDED_CLEAN_FFT(b00, logn);
- PQCLEAN_FALCON1024PADDED_CLEAN_FFT(b11, logn);
- PQCLEAN_FALCON1024PADDED_CLEAN_FFT(b10, logn);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_neg(b01, logn);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_neg(b11, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_FFT(b01, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_FFT(b00, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_FFT(b11, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_FFT(b10, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_neg(b01, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_neg(b11, logn);
 tx = t1 + n;
 ty = tx + n;
@@ -905,17 +905,17 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2,
 */
 memcpy(tx, t0, n * sizeof * t0);
 memcpy(ty, t1, n * sizeof * t1);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_mul_fft(tx, b00, logn);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_mul_fft(ty, b10, logn);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_add(tx, ty, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_mul_fft(tx, b00, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_mul_fft(ty, b10, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_add(tx, ty, logn);
 memcpy(ty, t0, n * sizeof * t0);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_mul_fft(ty, b01, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_mul_fft(ty, b01, logn);
 memcpy(t0, tx, n * sizeof * tx);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_mul_fft(t1, b11, logn);
- PQCLEAN_FALCON1024PADDED_CLEAN_poly_add(t1, ty, logn);
- PQCLEAN_FALCON1024PADDED_CLEAN_iFFT(t0, logn);
- PQCLEAN_FALCON1024PADDED_CLEAN_iFFT(t1, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_mul_fft(t1, b11, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_poly_add(t1, ty, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_iFFT(t0, logn);
+ PQCLEAN_FALCONPADDED1024_CLEAN_iFFT(t1, logn);
 s1tmp = (int16_t *)tx;
 sqn = 0;
@@ -943,7 +943,7 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2,
 for (u = 0; u < n; u ++) {
 s2tmp[u] = (int16_t) - fpr_rint(t1[u]);
 }
- if (PQCLEAN_FALCON1024PADDED_CLEAN_is_short_half(sqn, s2tmp, logn)) {
+ if (PQCLEAN_FALCONPADDED1024_CLEAN_is_short_half(sqn, s2tmp, logn)) {
 memcpy(s2, s2tmp, n * sizeof * s2);
 memcpy(tmp, s1tmp, n * sizeof * s1tmp);
 return 1;
@@ -956,7 +956,7 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2,
 * on zero and standard deviation 1.8205, with a precision of 72 bits.
 */
 int
-PQCLEAN_FALCON1024PADDED_CLEAN_gaussian0_sampler(prng *p) {
+PQCLEAN_FALCONPADDED1024_CLEAN_gaussian0_sampler(prng *p) {
 static const uint32_t dist[] = {
 10745844u, 3068844u, 3741698u,
@@ -1079,7 +1079,7 @@ BerExp(prng *p, fpr x, fpr ccs) {
 * 0.5 and 1); in Falcon, sigma should always be between 1.2 and 1.9.
 */
 int
-PQCLEAN_FALCON1024PADDED_CLEAN_sampler(void *ctx, fpr mu, fpr isigma) {
+PQCLEAN_FALCONPADDED1024_CLEAN_sampler(void *ctx, fpr mu, fpr isigma) {
 sampler_context *spc;
 int s;
 fpr r, dss, ccs;
@@ -1121,7 +1121,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_sampler(void *ctx, fpr mu, fpr isigma) {
 * - b = 0: z <= 0 and sampled against a Gaussian
 * centered on 0.
 */
- z0 = PQCLEAN_FALCON1024PADDED_CLEAN_gaussian0_sampler(&spc->p);
+ z0 = PQCLEAN_FALCONPADDED1024_CLEAN_gaussian0_sampler(&spc->p);
 b = (int)prng_get_u8(&spc->p) & 1;
 z = b + ((b << 1) - 1) * z0;
@@ -1164,7 +1164,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_sampler(void *ctx, fpr mu, fpr isigma) {
 /* see inner.h */
 void
-PQCLEAN_FALCON1024PADDED_CLEAN_sign_tree(int16_t *sig, inner_shake256_context *rng,
+PQCLEAN_FALCONPADDED1024_CLEAN_sign_tree(int16_t *sig, inner_shake256_context *rng,
 const fpr *expanded_key, const uint16_t *hm, unsigned logn, uint8_t *tmp) {
 fpr *ftmp;
@@ -1190,8 +1190,8 @@ PQCLEAN_FALCON1024PADDED_CLEAN_sign_tree(int16_t *sig, inner_shake256_context *r
 * SHAKE context ('rng').
 */
 spc.sigma_min = fpr_sigma_min[logn];
- PQCLEAN_FALCON1024PADDED_CLEAN_prng_init(&spc.p, rng);
- samp = PQCLEAN_FALCON1024PADDED_CLEAN_sampler;
+ PQCLEAN_FALCONPADDED1024_CLEAN_prng_init(&spc.p, rng);
+ samp = PQCLEAN_FALCONPADDED1024_CLEAN_sampler;
 samp_ctx = &spc;
 /*
@@ -1206,7 +1206,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_sign_tree(int16_t *sig, inner_shake256_context *r
 /* see inner.h */
 void
-PQCLEAN_FALCON1024PADDED_CLEAN_sign_dyn(int16_t *sig, inner_shake256_context *rng,
+PQCLEAN_FALCONPADDED1024_CLEAN_sign_dyn(int16_t *sig, inner_shake256_context *rng,
 const int8_t *f, const int8_t *g, const int8_t *F, const int8_t *G, const uint16_t *hm, unsigned logn, uint8_t *tmp) {
@@ -1233,8 +1233,8 @@ PQCLEAN_FALCON1024PADDED_CLEAN_sign_dyn(int16_t *sig, inner_shake256_context *rn
 * SHAKE context ('rng').
 */
 spc.sigma_min = fpr_sigma_min[logn];
- PQCLEAN_FALCON1024PADDED_CLEAN_prng_init(&spc.p, rng);
- samp = PQCLEAN_FALCON1024PADDED_CLEAN_sampler;
+ PQCLEAN_FALCONPADDED1024_CLEAN_prng_init(&spc.p, rng);
+ samp = PQCLEAN_FALCONPADDED1024_CLEAN_sampler;
 samp_ctx = &spc;
 /*
diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/clean/vrfy.c b/Modules/PQClean/crypto_sign/falcon-padded-1024/clean/vrfy.c
similarity index 98%
rename from Modules/PQClean/crypto_sign/falcon-1024-padded/clean/vrfy.c
rename to Modules/PQClean/crypto_sign/falcon-padded-1024/clean/vrfy.c
index b29d0e29..58dbf0be 100644
--- a/Modules/PQClean/crypto_sign/falcon-1024-padded/clean/vrfy.c
+++ b/Modules/PQClean/crypto_sign/falcon-padded-1024/clean/vrfy.c
@@ -622,14 +622,14 @@ mq_poly_sub(uint16_t *f, const uint16_t *g, unsigned logn) {
 /* see inner.h */
 void
-PQCLEAN_FALCON1024PADDED_CLEAN_to_ntt_monty(uint16_t *h, unsigned logn) {
+PQCLEAN_FALCONPADDED1024_CLEAN_to_ntt_monty(uint16_t *h, unsigned logn) {
 mq_NTT(h, logn);
 mq_poly_tomonty(h, logn);
 }
 /* see inner.h */
 int
-PQCLEAN_FALCON1024PADDED_CLEAN_verify_raw(const uint16_t *c0, const int16_t *s2,
+PQCLEAN_FALCONPADDED1024_CLEAN_verify_raw(const uint16_t *c0, const int16_t *s2,
 const uint16_t *h, unsigned logn, uint8_t *tmp) {
 size_t u, n;
 uint16_t *tt;
@@ -671,12 +671,12 @@ PQCLEAN_FALCON1024PADDED_CLEAN_verify_raw(const uint16_t *c0, const int16_t *s2,
 * Signature is valid if and only if the aggregate (-s1,s2) vector
 * is short enough.
 */
- return PQCLEAN_FALCON1024PADDED_CLEAN_is_short((int16_t *)tt, s2, logn);
+ return PQCLEAN_FALCONPADDED1024_CLEAN_is_short((int16_t *)tt, s2, logn);
 }
 /* see inner.h */
 int
-PQCLEAN_FALCON1024PADDED_CLEAN_compute_public(uint16_t *h,
+PQCLEAN_FALCONPADDED1024_CLEAN_compute_public(uint16_t *h,
 const int8_t *f, const int8_t *g, unsigned logn, uint8_t *tmp) {
 size_t u, n;
 uint16_t *tt;
@@ -701,7 +701,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_compute_public(uint16_t *h,
 /* see inner.h */
 int
-PQCLEAN_FALCON1024PADDED_CLEAN_complete_private(int8_t *G,
+PQCLEAN_FALCONPADDED1024_CLEAN_complete_private(int8_t *G,
 const int8_t *f, const int8_t *g, const int8_t *F, unsigned logn, uint8_t *tmp) {
 size_t u, n;
@@ -746,7 +746,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_complete_private(int8_t *G,
 /* see inner.h */
 int
-PQCLEAN_FALCON1024PADDED_CLEAN_is_invertible(
+PQCLEAN_FALCONPADDED1024_CLEAN_is_invertible(
 const int16_t *s2, unsigned logn, uint8_t *tmp) {
 size_t u, n;
 uint16_t *tt;
@@ -771,7 +771,7 @@ PQCLEAN_FALCON1024PADDED_CLEAN_is_invertible(
 /* see inner.h */
 int
-PQCLEAN_FALCON1024PADDED_CLEAN_verify_recover(uint16_t *h,
+PQCLEAN_FALCONPADDED1024_CLEAN_verify_recover(uint16_t *h,
 const uint16_t *c0, const int16_t *s1, const int16_t *s2, unsigned logn, uint8_t *tmp) {
 size_t u, n;
@@ -820,13 +820,13 @@ PQCLEAN_FALCON1024PADDED_CLEAN_verify_recover(uint16_t *h,
 * check that the rebuilt public key matches the expected
 * value (e.g. through a hash).
 */
- r = ~r & (uint32_t) - PQCLEAN_FALCON1024PADDED_CLEAN_is_short(s1, s2, logn);
+ r = ~r & (uint32_t) - PQCLEAN_FALCONPADDED1024_CLEAN_is_short(s1, s2, logn);
 return (int)(r >> 31);
 }
 /* see inner.h */
 int
-PQCLEAN_FALCON1024PADDED_CLEAN_count_nttzero(const int16_t *sig, unsigned logn, uint8_t *tmp) {
+PQCLEAN_FALCONPADDED1024_CLEAN_count_nttzero(const int16_t *sig, unsigned logn, uint8_t *tmp) {
 uint16_t *s2;
 size_t u, n;
 uint32_t r;
diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/META.yml b/Modules/PQClean/crypto_sign/falcon-padded-512/META.yml
similarity index 97%
rename from Modules/PQClean/crypto_sign/falcon-512-padded/META.yml
rename to Modules/PQClean/crypto_sign/falcon-padded-512/META.yml
index 2242644d..7693d2d7 100644
--- a/Modules/PQClean/crypto_sign/falcon-512-padded/META.yml
+++ b/Modules/PQClean/crypto_sign/falcon-padded-512/META.yml
@@ -1,5 +1,5 @@
 ---
-name: Falcon-512 (PADDED)
+name: Falcon-padded-512
 type: signature
 claimed-nist-level: 1
 length-public-key: 897
diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/LICENSE b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/LICENSE
similarity index 100%
rename from Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/LICENSE
rename to Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/LICENSE
diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/Makefile b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/Makefile
similarity index 95%
rename from Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/Makefile
rename to Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/Makefile
index 5f225599..4daf1457 100644
--- a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/Makefile
+++ b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/Makefile
@@ -1,6 +1,6 @@
 # This Makefile can be used with GNU Make or BSD Make
-LIB=libfalcon-512-padded_aarch64.a
+LIB=libfalcon-padded-512_aarch64.a
 SOURCES = codec.c keygen.c poly_float.c common.c fft_tree.c pqclean.c poly_int.c sign.c fpr.c ntt.c rng.c util.c fft.c ntt_consts.c sampler.c vrfy.c
 OBJECTS = codec.o keygen.o poly_float.o common.o fft_tree.o pqclean.o poly_int.o sign.o fpr.o ntt.o rng.o util.o fft.o ntt_consts.o sampler.o vrfy.o
diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/api.h b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/api.h
similarity index 66%
rename from Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/api.h
rename to Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/api.h
index 976c0365..deba20b3 100644
--- a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/api.h
+++ b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/api.h
@@ -1,37 +1,37 @@
-#ifndef PQCLEAN_FALCON512PADDED_AARCH64_API_H
-#define PQCLEAN_FALCON512PADDED_AARCH64_API_H
+#ifndef PQCLEAN_FALCONPADDED512_AARCH64_API_H
+#define PQCLEAN_FALCONPADDED512_AARCH64_API_H
 #include
 #include
-#define PQCLEAN_FALCON512PADDED_AARCH64_CRYPTO_SECRETKEYBYTES 1281
-#define PQCLEAN_FALCON512PADDED_AARCH64_CRYPTO_PUBLICKEYBYTES 897
-#define PQCLEAN_FALCON512PADDED_AARCH64_CRYPTO_BYTES 666
+#define PQCLEAN_FALCONPADDED512_AARCH64_CRYPTO_SECRETKEYBYTES 1281
+#define PQCLEAN_FALCONPADDED512_AARCH64_CRYPTO_PUBLICKEYBYTES 897
+#define PQCLEAN_FALCONPADDED512_AARCH64_CRYPTO_BYTES 666
-#define PQCLEAN_FALCON512PADDED_AARCH64_CRYPTO_ALGNAME "Falcon-512 (PADDED)"
+#define PQCLEAN_FALCONPADDED512_AARCH64_CRYPTO_ALGNAME "Falcon-padded-512"
 /*
 * Generate a new key pair. Public key goes into pk[], private key in sk[].
 * Key sizes are exact (in bytes):
- * public (pk): PQCLEAN_FALCON512PADDED_AARCH64_CRYPTO_PUBLICKEYBYTES
- * private (sk): PQCLEAN_FALCON512PADDED_AARCH64_CRYPTO_SECRETKEYBYTES
+ * public (pk): PQCLEAN_FALCONPADDED512_AARCH64_CRYPTO_PUBLICKEYBYTES
+ * private (sk): PQCLEAN_FALCONPADDED512_AARCH64_CRYPTO_SECRETKEYBYTES
 *
 * Return value: 0 on success, -1 on error.
 */
-int PQCLEAN_FALCON512PADDED_AARCH64_crypto_sign_keypair(
+int PQCLEAN_FALCONPADDED512_AARCH64_crypto_sign_keypair(
 uint8_t *pk, uint8_t *sk);
 /*
 * Compute a signature on a provided message (m, mlen), with a given
 * private key (sk). Signature is written in sig[], with length written
 * into *siglen. Signature length is variable; maximum signature length
- * (in bytes) is PQCLEAN_FALCON512PADDED_AARCH64_CRYPTO_BYTES.
+ * (in bytes) is PQCLEAN_FALCONPADDED512_AARCH64_CRYPTO_BYTES.
 *
 * sig[], m[] and sk[] may overlap each other arbitrarily.
 *
 * Return value: 0 on success, -1 on error.
 */
-int PQCLEAN_FALCON512PADDED_AARCH64_crypto_sign_signature(
+int PQCLEAN_FALCONPADDED512_AARCH64_crypto_sign_signature(
 uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk);
@@ -43,7 +43,7 @@ int PQCLEAN_FALCON512PADDED_AARCH64_crypto_sign_signature(
 *
 * Return value: 0 on success, -1 on error.
 */
-int PQCLEAN_FALCON512PADDED_AARCH64_crypto_sign_verify(
+int PQCLEAN_FALCONPADDED512_AARCH64_crypto_sign_verify(
 const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk);
@@ -51,14 +51,14 @@ int PQCLEAN_FALCON512PADDED_AARCH64_crypto_sign_verify(
 * Compute a signature on a message and pack the signature and message
 * into a single object, written into sm[]. The length of that output is
 * written in *smlen; that length may be larger than the message length
- * (mlen) by up to PQCLEAN_FALCON512PADDED_AARCH64_CRYPTO_BYTES.
+ * (mlen) by up to PQCLEAN_FALCONPADDED512_AARCH64_CRYPTO_BYTES.
 *
 * sm[] and m[] may overlap each other arbitrarily; however, sm[] shall
 * not overlap with sk[].
 *
 * Return value: 0 on success, -1 on error.
 */
-int PQCLEAN_FALCON512PADDED_AARCH64_crypto_sign(
+int PQCLEAN_FALCONPADDED512_AARCH64_crypto_sign(
 uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, const uint8_t *sk);
@@ -67,13 +67,13 @@ int PQCLEAN_FALCON512PADDED_AARCH64_crypto_sign(
 * on success, the message itself is written into m[] and its length
 * into *mlen. The message is shorter than the signed message object,
 * but the size difference depends on the signature value; the difference
- * may range up to PQCLEAN_FALCON512PADDED_AARCH64_CRYPTO_BYTES.
+ * may range up to PQCLEAN_FALCONPADDED512_AARCH64_CRYPTO_BYTES.
 *
 * m[], sm[] and pk[] may overlap each other arbitrarily.
 *
 * Return value: 0 on success, -1 on error.
 */
-int PQCLEAN_FALCON512PADDED_AARCH64_crypto_sign_open(
+int PQCLEAN_FALCONPADDED512_AARCH64_crypto_sign_open(
 uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, const uint8_t *pk);
diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/codec.c b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/codec.c
similarity index 94%
rename from Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/codec.c
rename to Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/codec.c
index 1d2242ae..3fe3a945 100644
--- a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/codec.c
+++ b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/codec.c
@@ -34,7 +34,7 @@
 /* see inner.h */
 size_t
-PQCLEAN_FALCON512PADDED_AARCH64_modq_encode(
+PQCLEAN_FALCONPADDED512_AARCH64_modq_encode(
 void *out, size_t max_out_len, const uint16_t *x, unsigned logn) {
 size_t n, out_len, u;
@@ -75,7 +75,7 @@ PQCLEAN_FALCON512PADDED_AARCH64_modq_encode(
 /* see inner.h */
 size_t
-PQCLEAN_FALCON512PADDED_AARCH64_modq_decode(uint16_t *x, const void *in, size_t max_in_len, unsigned logn) {
+PQCLEAN_FALCONPADDED512_AARCH64_modq_decode(uint16_t *x, const void *in, size_t max_in_len, unsigned logn) {
 size_t n, in_len, u;
 const uint8_t *buf;
 uint32_t acc;
@@ -112,7 +112,7 @@ PQCLEAN_FALCON512PADDED_AARCH64_modq_decode(uint16_t *x, const void *in, size_t
 /* see inner.h */
 size_t
-PQCLEAN_FALCON512PADDED_AARCH64_trim_i16_encode(
+PQCLEAN_FALCONPADDED512_AARCH64_trim_i16_encode(
 void *out, size_t max_out_len, const int16_t *x, unsigned logn, unsigned bits) {
 size_t n, u, out_len;
@@ -156,7 +156,7 @@ PQCLEAN_FALCON512PADDED_AARCH64_trim_i16_encode(
 /* see inner.h */
 size_t
-PQCLEAN_FALCON512PADDED_AARCH64_trim_i16_decode(
+PQCLEAN_FALCONPADDED512_AARCH64_trim_i16_decode(
 int16_t *x, unsigned logn, unsigned bits, const void *in, size_t max_in_len) {
 size_t n, in_len;
@@ -206,7 +206,7 @@ PQCLEAN_FALCON512PADDED_AARCH64_trim_i16_decode(
 /* see inner.h */
 size_t
-PQCLEAN_FALCON512PADDED_AARCH64_trim_i8_encode(void *out, size_t max_out_len,
+PQCLEAN_FALCONPADDED512_AARCH64_trim_i8_encode(void *out, size_t max_out_len,
 const int8_t *x, uint8_t bits) {
 size_t u, out_len;
 int8_t minv, maxv;
@@ -224,7 +224,7 @@ PQCLEAN_FALCON512PADDED_AARCH64_trim_i8_encode(void *out, size_t max_out_len,
 maxv = (int8_t) (1 << (bits - 1)) - 1;
 minv = -maxv;
- if (PQCLEAN_FALCON512PADDED_AARCH64_poly_check_bound_int8(x, minv, maxv)) {
+ if (PQCLEAN_FALCONPADDED512_AARCH64_poly_check_bound_int8(x, minv, maxv)) {
 return 0;
 }
 buf = out;
@@ -247,7 +247,7 @@ PQCLEAN_FALCON512PADDED_AARCH64_trim_i8_encode(void *out, size_t max_out_len,
 /* see inner.h */
 size_t
-PQCLEAN_FALCON512PADDED_AARCH64_trim_i8_decode(int8_t *x, unsigned bits,
+PQCLEAN_FALCONPADDED512_AARCH64_trim_i8_decode(int8_t *x, unsigned bits,
 const void *in, size_t max_in_len) {
 size_t in_len;
 const uint8_t *buf;
@@ -294,7 +294,7 @@ PQCLEAN_FALCON512PADDED_AARCH64_trim_i8_decode(int8_t *x, unsigned bits,
 /* see inner.h */
 size_t
-PQCLEAN_FALCON512PADDED_AARCH64_comp_encode(void *out, size_t max_out_len, const int16_t *x) {
+PQCLEAN_FALCONPADDED512_AARCH64_comp_encode(void *out, size_t max_out_len, const int16_t *x) {
 uint8_t *buf;
 size_t u, v;
 uint32_t acc;
@@ -305,7 +305,7 @@ PQCLEAN_FALCON512PADDED_AARCH64_comp_encode(void *out, size_t max_out_len, const
 /*
 * Make sure that all values are within the -2047..+2047 range.
 */
- if (PQCLEAN_FALCON512PADDED_AARCH64_poly_check_bound_int16(x, -2047, 2047)) {
+ if (PQCLEAN_FALCONPADDED512_AARCH64_poly_check_bound_int16(x, -2047, 2047)) {
 return 0;
 }
@@ -385,7 +385,7 @@ PQCLEAN_FALCON512PADDED_AARCH64_comp_encode(void *out, size_t max_out_len, const
 /* see inner.h */
 size_t
-PQCLEAN_FALCON512PADDED_AARCH64_comp_decode(int16_t *x, const void *in, size_t max_in_len) {
+PQCLEAN_FALCONPADDED512_AARCH64_comp_decode(int16_t *x, const void *in, size_t max_in_len) {
 const uint8_t *buf;
 size_t u, v;
 uint32_t acc;
@@ -483,7 +483,7 @@ PQCLEAN_FALCON512PADDED_AARCH64_comp_decode(int16_t *x, const void *in, size_t m
 * of max_fg_bits[] and max_FG_bits[] shall be greater than 8.
 */
-const uint8_t PQCLEAN_FALCON512PADDED_AARCH64_max_fg_bits[] = {
+const uint8_t PQCLEAN_FALCONPADDED512_AARCH64_max_fg_bits[] = {
 0, /* unused */
 8,
 8,
@@ -497,7 +497,7 @@ const uint8_t PQCLEAN_FALCON512PADDED_AARCH64_max_fg_bits[] = {
 5
 };
-const uint8_t PQCLEAN_FALCON512PADDED_AARCH64_max_FG_bits[] = {
+const uint8_t PQCLEAN_FALCONPADDED512_AARCH64_max_FG_bits[] = {
 0, /* unused */
 8,
 8,
@@ -539,7 +539,7 @@ const uint8_t PQCLEAN_FALCON512PADDED_AARCH64_max_FG_bits[] = {
 * in -2047..2047, i.e. 12 bits.
 */
-const uint8_t PQCLEAN_FALCON512PADDED_AARCH64_max_sig_bits[] = {
+const uint8_t PQCLEAN_FALCONPADDED512_AARCH64_max_sig_bits[] = {
 0, /* unused */
 10,
 11,
diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/common.c b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/common.c
similarity index 98%
rename from Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/common.c
rename to Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/common.c
index 6e346b8e..b461baa8 100644
--- a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/common.c
+++ b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/common.c
@@ -34,7 +34,7 @@
 #include "macrous.h"
 /* see inner.h */
-void PQCLEAN_FALCON512PADDED_AARCH64_hash_to_point_vartime(
+void PQCLEAN_FALCONPADDED512_AARCH64_hash_to_point_vartime(
 inner_shake256_context *sc, uint16_t *x, unsigned logn) {
 /*
@@ -67,7 +67,7 @@ void PQCLEAN_FALCON512PADDED_AARCH64_hash_to_point_vartime(
 }
 /* see inner.h */
-void PQCLEAN_FALCON512PADDED_AARCH64_hash_to_point_ct(
+void PQCLEAN_FALCONPADDED512_AARCH64_hash_to_point_ct(
 inner_shake256_context *sc, uint16_t *x, unsigned logn, uint8_t *tmp) {
 /*
@@ -255,7 +255,7 @@ static const uint32_t l2bound[] = {
 * thus, we enable 2 parallel dependency rather than 1 for better scheduling.
 * Each for loop is tuned for cache locality.
 */
-int PQCLEAN_FALCON512PADDED_AARCH64_is_short(const int16_t *s1, const int16_t *s2) {
+int PQCLEAN_FALCONPADDED512_AARCH64_is_short(const int16_t *s1, const int16_t *s2) {
 // Total SIMD register 18 = 16 + 2
 int16x8x4_t neon_s1, neon_s2, neon_s3, neon_s4; // 16
 int32x4_t neon_s, neon_sh; // 2
@@ -374,7 +374,7 @@ int PQCLEAN_FALCON512PADDED_AARCH64_is_short(const int16_t *s1, const int16_t *s
 return s <= l2bound[FALCON_LOGN];
 }
-int PQCLEAN_FALCON512PADDED_AARCH64_is_short_tmp(int16_t *s1tmp, int16_t *s2tmp,
+int PQCLEAN_FALCONPADDED512_AARCH64_is_short_tmp(int16_t *s1tmp, int16_t *s2tmp,
 const int16_t *hm, const fpr *t0, const fpr *t1) {
 // Total SIMD registers: 26 = 16 + 8 + 2
@@ -493,7 +493,7 @@ int PQCLEAN_FALCON512PADDED_AARCH64_is_short_tmp(int16_t *s1tmp, int16_t *s2tmp,
 return s <= l2bound[FALCON_LOGN];
 }
-int32_t PQCLEAN_FALCON512PADDED_AARCH64_poly_small_sqnorm(const int8_t *f) {
+int32_t PQCLEAN_FALCONPADDED512_AARCH64_poly_small_sqnorm(const int8_t *f) {
 int8x16x4_t a;
 int16x8x4_t b, c;
 int32x4_t norm, norm_sh;
diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/fft.c b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/fft.c
similarity index 94%
rename from Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/fft.c
rename to Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/fft.c
index 96cd90ee..9de1bc33 100644
--- a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/fft.c
+++ b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/fft.c
@@ -27,7 +27,7 @@ * 1 layer of Forward FFT for 2 complex points (4 coefficients). * Note: The scalar version is faster than vectorized code. */ -static void PQCLEAN_FALCON512PADDED_AARCH64_FFT_log2(fpr *f) { +static void PQCLEAN_FALCONPADDED512_AARCH64_FFT_log2(fpr *f) { fpr x_re, x_im, y_re, y_im, v_re, v_im, t_re, t_im, s; x_re = f[0]; @@ -51,7 +51,7 @@ static void PQCLEAN_FALCON512PADDED_AARCH64_FFT_log2(fpr *f) { /* * Vectorized 2 layers of Forward FFT for 4 complex points (8 coefficients). */ -static void PQCLEAN_FALCON512PADDED_AARCH64_FFT_log3(fpr *f) { +static void PQCLEAN_FALCONPADDED512_AARCH64_FFT_log3(fpr *f) { // Total SIMD registers: 18 = 4 + 6 + 8 float64x2x4_t tmp; // 4 float64x2x2_t s_re_im, x, y; // 6 @@ -91,7 +91,7 @@ static void PQCLEAN_FALCON512PADDED_AARCH64_FFT_log3(fpr *f) { /* * Vectorized 3 layers of Forward FFT for 8 complex points (16 coefficients). */ -static void PQCLEAN_FALCON512PADDED_AARCH64_FFT_log4(fpr *f) { +static void PQCLEAN_FALCONPADDED512_AARCH64_FFT_log4(fpr *f) { // Total SIMD register: 26 = 8 + 18 float64x2x4_t t0, t1; // 8 float64x2x2_t x_re, x_im, y_re, y_im, v1, v2, tx, ty, s_re_im; // 18 @@ -158,7 +158,7 @@ static void PQCLEAN_FALCON512PADDED_AARCH64_FFT_log4(fpr *f) { /* * Vectorized 4 layers of Forward FFT for 16 complex points (32 coefficients). */ -static void PQCLEAN_FALCON512PADDED_AARCH64_FFT_log5(fpr *f, const unsigned logn) { +static void PQCLEAN_FALCONPADDED512_AARCH64_FFT_log5(fpr *f, const unsigned logn) { // Total SIMD register: 34 = 2 + 32 float64x2x2_t s_re_im; // 2 float64x2x4_t x_re, x_im, y_re, y_im, t_re, t_im, v_re, v_im; // 32 
@@ -287,7 +287,7 @@ static void PQCLEAN_FALCON512PADDED_AARCH64_FFT_log5(fpr *f, const unsigned logn /* * Vectorized 1 layer of Forward FFT for 16 complex points (32 coefficients). */ -static void PQCLEAN_FALCON512PADDED_AARCH64_FFT_logn1(fpr *f, const unsigned logn) { +static void PQCLEAN_FALCONPADDED512_AARCH64_FFT_logn1(fpr *f, const unsigned logn) { const unsigned n = 1 << logn; const unsigned hn = n >> 1; const unsigned ht = n >> 2; @@ -322,7 +322,7 @@ static void PQCLEAN_FALCON512PADDED_AARCH64_FFT_logn1(fpr *f, const unsigned log /* * Vectorized 2 layers of Forward FFT for 16 complex points (32 coefficients). */ -static void PQCLEAN_FALCON512PADDED_AARCH64_FFT_logn2(fpr *f, const unsigned logn, const unsigned level) { +static void PQCLEAN_FALCONPADDED512_AARCH64_FFT_logn2(fpr *f, const unsigned logn, const unsigned level) { const unsigned int falcon_n = 1 << logn; const unsigned int hn = falcon_n >> 1; @@ -456,7 +456,7 @@ static void PQCLEAN_FALCON512PADDED_AARCH64_FFT_logn2(fpr *f, const unsigned log * 1 layer of Inverse FFT for 2 complex points (4 coefficients). * Note: The scalar version is faster than vectorized code. */ -static void PQCLEAN_FALCON512PADDED_AARCH64_iFFT_log2(fpr *f) { +static void PQCLEAN_FALCONPADDED512_AARCH64_iFFT_log2(fpr *f) { fpr x_re, x_im, y_re, y_im, s; x_re = f[0]; y_re = f[1]; @@ -477,7 +477,7 @@ static void PQCLEAN_FALCON512PADDED_AARCH64_iFFT_log2(fpr *f) { /* * Vectorized 2 layers of Inverse FFT for 4 complex point (8 coefficients). */ -static void PQCLEAN_FALCON512PADDED_AARCH64_iFFT_log3(fpr *f) { +static void PQCLEAN_FALCONPADDED512_AARCH64_iFFT_log3(fpr *f) { // Total SIMD registers: 12 = 4 + 8 float64x2x4_t tmp; // 4 float64x2x2_t x_re_im, y_re_im, v, s_re_im; // 8 
@@ -526,7 +526,7 @@ static void PQCLEAN_FALCON512PADDED_AARCH64_iFFT_log3(fpr *f) { /* * Vectorized 3 layers of Inverse FFT for 8 complex point (16 coefficients). */ -static void PQCLEAN_FALCON512PADDED_AARCH64_iFFT_log4(fpr *f) { +static void PQCLEAN_FALCONPADDED512_AARCH64_iFFT_log4(fpr *f) { // Total SIMD registers: 18 = 12 + 6 float64x2x4_t re, im, t; // 12 float64x2x2_t t_re, t_im, s_re_im; // 6 @@ -598,7 +598,7 @@ static void PQCLEAN_FALCON512PADDED_AARCH64_iFFT_log4(fpr *f) { /* * Vectorized 4 layers of Inverse FFT for 16 complex point (32 coefficients). */ -static void PQCLEAN_FALCON512PADDED_AARCH64_iFFT_log5(fpr *f, const unsigned logn, const unsigned last) { +static void PQCLEAN_FALCONPADDED512_AARCH64_iFFT_log5(fpr *f, const unsigned logn, const unsigned last) { // Total SIMD register: 26 = 24 + 2 float64x2x4_t x_re, x_im, y_re, y_im, t_re, t_im; // 24 float64x2x2_t s_re_im; // 2 @@ -734,7 +734,7 @@ static void PQCLEAN_FALCON512PADDED_AARCH64_iFFT_log5(fpr *f, const unsigned log /* * Vectorized 1 layer of Inverse FFT for 16 complex points (32 coefficients). */ -static void PQCLEAN_FALCON512PADDED_AARCH64_iFFT_logn1(fpr *f, const unsigned logn, const unsigned last) { +static void PQCLEAN_FALCONPADDED512_AARCH64_iFFT_logn1(fpr *f, const unsigned logn, const unsigned last) { // Total SIMD register 26 = 24 + 2 float64x2x4_t a_re, a_im, b_re, b_im, t_re, t_im; // 24 float64x2_t s_re_im; // 2 @@ -776,7 +776,7 @@ static void PQCLEAN_FALCON512PADDED_AARCH64_iFFT_logn1(fpr *f, const unsigned lo /* * Vectorized 2 layers of Inverse FFT for 16 complex points (32 coefficients). */ -static void PQCLEAN_FALCON512PADDED_AARCH64_iFFT_logn2(fpr *f, const unsigned logn, const unsigned level, unsigned last) { +static void PQCLEAN_FALCONPADDED512_AARCH64_iFFT_logn2(fpr *f, const unsigned logn, const unsigned level, unsigned last) { const unsigned int falcon_n = 1 << logn; const unsigned int hn = falcon_n >> 1; 
@@ -947,41 +947,41 @@ static void PQCLEAN_FALCON512PADDED_AARCH64_iFFT_logn2(fpr *f, const unsigned lo * Support logn from [1, 10] * Can be easily extended to logn > 10 */ -void PQCLEAN_FALCON512PADDED_AARCH64_FFT(fpr *f, const unsigned logn) { +void PQCLEAN_FALCONPADDED512_AARCH64_FFT(fpr *f, const unsigned logn) { unsigned level = logn; switch (logn) { case 2: - PQCLEAN_FALCON512PADDED_AARCH64_FFT_log2(f); + PQCLEAN_FALCONPADDED512_AARCH64_FFT_log2(f); break; case 3: - PQCLEAN_FALCON512PADDED_AARCH64_FFT_log3(f); + PQCLEAN_FALCONPADDED512_AARCH64_FFT_log3(f); break; case 4: - PQCLEAN_FALCON512PADDED_AARCH64_FFT_log4(f); + PQCLEAN_FALCONPADDED512_AARCH64_FFT_log4(f); break; case 5: - PQCLEAN_FALCON512PADDED_AARCH64_FFT_log5(f, 5); + PQCLEAN_FALCONPADDED512_AARCH64_FFT_log5(f, 5); break; case 6: - PQCLEAN_FALCON512PADDED_AARCH64_FFT_logn1(f, logn); - PQCLEAN_FALCON512PADDED_AARCH64_FFT_log5(f, logn); + PQCLEAN_FALCONPADDED512_AARCH64_FFT_logn1(f, logn); + PQCLEAN_FALCONPADDED512_AARCH64_FFT_log5(f, logn); break; case 7: case 9: - PQCLEAN_FALCON512PADDED_AARCH64_FFT_logn2(f, logn, level); - PQCLEAN_FALCON512PADDED_AARCH64_FFT_log5(f, logn); + PQCLEAN_FALCONPADDED512_AARCH64_FFT_logn2(f, logn, level); + PQCLEAN_FALCONPADDED512_AARCH64_FFT_log5(f, logn); break; case 8: case 10: - PQCLEAN_FALCON512PADDED_AARCH64_FFT_logn1(f, logn); - PQCLEAN_FALCON512PADDED_AARCH64_FFT_logn2(f, logn, level - 1); - PQCLEAN_FALCON512PADDED_AARCH64_FFT_log5(f, logn); + PQCLEAN_FALCONPADDED512_AARCH64_FFT_logn1(f, logn); + PQCLEAN_FALCONPADDED512_AARCH64_FFT_logn2(f, logn, level - 1); + PQCLEAN_FALCONPADDED512_AARCH64_FFT_log5(f, logn); break; default: 
@@ -994,42 +994,42 @@ void PQCLEAN_FALCON512PADDED_AARCH64_FFT(fpr *f, const unsigned logn) { * Support logn from [1, 10] * Can be easily extended to logn > 10 */ -void PQCLEAN_FALCON512PADDED_AARCH64_iFFT(fpr *f, const unsigned logn) { +void PQCLEAN_FALCONPADDED512_AARCH64_iFFT(fpr *f, const unsigned logn) { const unsigned level = (logn - 5) & 1; switch (logn) { case 2: - PQCLEAN_FALCON512PADDED_AARCH64_iFFT_log2(f); + PQCLEAN_FALCONPADDED512_AARCH64_iFFT_log2(f); break; case 3: - PQCLEAN_FALCON512PADDED_AARCH64_iFFT_log3(f); + PQCLEAN_FALCONPADDED512_AARCH64_iFFT_log3(f); break; case 4: - PQCLEAN_FALCON512PADDED_AARCH64_iFFT_log4(f); + PQCLEAN_FALCONPADDED512_AARCH64_iFFT_log4(f); break; case 5: - PQCLEAN_FALCON512PADDED_AARCH64_iFFT_log5(f, 5, 1); + PQCLEAN_FALCONPADDED512_AARCH64_iFFT_log5(f, 5, 1); break; case 6: - PQCLEAN_FALCON512PADDED_AARCH64_iFFT_log5(f, logn, 0); - PQCLEAN_FALCON512PADDED_AARCH64_iFFT_logn1(f, logn, 1); + PQCLEAN_FALCONPADDED512_AARCH64_iFFT_log5(f, logn, 0); + PQCLEAN_FALCONPADDED512_AARCH64_iFFT_logn1(f, logn, 1); break; case 7: case 9: - PQCLEAN_FALCON512PADDED_AARCH64_iFFT_log5(f, logn, 0); - PQCLEAN_FALCON512PADDED_AARCH64_iFFT_logn2(f, logn, level, 1); + PQCLEAN_FALCONPADDED512_AARCH64_iFFT_log5(f, logn, 0); + PQCLEAN_FALCONPADDED512_AARCH64_iFFT_logn2(f, logn, level, 1); break; case 8: case 10: - PQCLEAN_FALCON512PADDED_AARCH64_iFFT_log5(f, logn, 0); - PQCLEAN_FALCON512PADDED_AARCH64_iFFT_logn2(f, logn, level, 0); - PQCLEAN_FALCON512PADDED_AARCH64_iFFT_logn1(f, logn, 1); + PQCLEAN_FALCONPADDED512_AARCH64_iFFT_log5(f, logn, 0); + PQCLEAN_FALCONPADDED512_AARCH64_iFFT_logn2(f, logn, level, 0); + PQCLEAN_FALCONPADDED512_AARCH64_iFFT_logn1(f, logn, 1); break; default: 
diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/fft_tree.c b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/fft_tree.c similarity index 89% rename from Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/fft_tree.c rename to Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/fft_tree.c index 88a2f50b..7ff6baca 100644 --- a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/fft_tree.c +++ b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/fft_tree.c @@ -26,7 +26,7 @@ /* * 1 layer of Merge FFT for 2 complex points (4 coefficients). */ -static inline void PQCLEAN_FALCON512PADDED_AARCH64_poly_mergeFFT_log2(fpr *f, const fpr *f0, const fpr *f1) { +static inline void PQCLEAN_FALCONPADDED512_AARCH64_poly_mergeFFT_log2(fpr *f, const fpr *f0, const fpr *f1) { fpr a_re, a_im, b_re, b_im, d_re, d_im, s; a_re = f0[0]; a_im = f0[1]; @@ -46,7 +46,7 @@ static inline void PQCLEAN_FALCON512PADDED_AARCH64_poly_mergeFFT_log2(fpr *f, co /* * Vectorized 1 layer of Merge FFT for 4 complex points (8 coefficients). */ -static inline void PQCLEAN_FALCON512PADDED_AARCH64_poly_mergeFFT_log3(fpr *f, const fpr *f0, const fpr *f1) { +static inline void PQCLEAN_FALCONPADDED512_AARCH64_poly_mergeFFT_log3(fpr *f, const fpr *f0, const fpr *f1) { // Total SIMD registers: 12 = 10 + 2 float64x2x2_t g1, g0, g_re, g_im, s_re_im; // 10 float64x2_t t_re, t_im; // 2 @@ -69,7 +69,7 @@ static inline void PQCLEAN_FALCON512PADDED_AARCH64_poly_mergeFFT_log3(fpr *f, co /* * Vectorized 1 layer of Merge FFT for 8 complex points (16 coefficients). */ -static inline void PQCLEAN_FALCON512PADDED_AARCH64_poly_mergeFFT_log4(fpr *f, const fpr *f0, const fpr *f1, const unsigned logn) { +static inline void PQCLEAN_FALCONPADDED512_AARCH64_poly_mergeFFT_log4(fpr *f, const fpr *f0, const fpr *f1, const unsigned logn) { const unsigned n = 1 << logn; const unsigned ht = n >> 2; const fpr *fpr_merge = fpr_table[logn]; 
@@ -104,7 +104,7 @@ static inline void PQCLEAN_FALCON512PADDED_AARCH64_poly_mergeFFT_log4(fpr *f, co * 1 layer of Split FFT for 2 complex points (4 coefficients). */ static void -PQCLEAN_FALCON512PADDED_AARCH64_poly_splitFFT_log2(fpr *restrict f0, fpr *restrict f1, const fpr *restrict f) { +PQCLEAN_FALCONPADDED512_AARCH64_poly_splitFFT_log2(fpr *restrict f0, fpr *restrict f1, const fpr *restrict f) { fpr a_re, a_im, b_re, b_im, d_re, d_im, s; a_re = f[0]; b_re = f[1]; @@ -125,7 +125,7 @@ PQCLEAN_FALCON512PADDED_AARCH64_poly_splitFFT_log2(fpr *restrict f0, fpr *restri /* * Vectorized 1 layer of Split FFT for 4 complex points (8 coefficients). */ -static inline void PQCLEAN_FALCON512PADDED_AARCH64_poly_splitFFT_log3(fpr *f0, fpr *f1, const fpr *f) { +static inline void PQCLEAN_FALCONPADDED512_AARCH64_poly_splitFFT_log3(fpr *f0, fpr *f1, const fpr *f) { // Total SIMD registers: 12 float64x2x2_t re, im, g0, g1, s_re_im, tm; // 12 @@ -151,7 +151,7 @@ static inline void PQCLEAN_FALCON512PADDED_AARCH64_poly_splitFFT_log3(fpr *f0, f /* * Vectorized 1 layer of Split FFT for 8 complex points (16 coefficients). */ -static inline void PQCLEAN_FALCON512PADDED_AARCH64_poly_splitFFT_log4(fpr *f0, fpr *f1, const fpr *f, const unsigned logn) { +static inline void PQCLEAN_FALCONPADDED512_AARCH64_poly_splitFFT_log4(fpr *f0, fpr *f1, const fpr *f, const unsigned logn) { const unsigned n = 1 << logn; const unsigned hn = n >> 1; const unsigned ht = n >> 2; @@ -198,7 +198,7 @@ static inline void PQCLEAN_FALCON512PADDED_AARCH64_poly_splitFFT_log4(fpr *f0, f /* * Vectorized Split FFT implementation */ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_split_fft(fpr *restrict f0, fpr *restrict f1, const fpr *f, const unsigned logn) { +void PQCLEAN_FALCONPADDED512_AARCH64_poly_split_fft(fpr *restrict f0, fpr *restrict f1, const fpr *f, const unsigned logn) { switch (logn) { case 1: // n = 2; hn = 1; qn = 0; 
@@ -207,15 +207,15 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_split_fft(fpr *restrict f0, fpr *restr break; case 2: - PQCLEAN_FALCON512PADDED_AARCH64_poly_splitFFT_log2(f0, f1, f); + PQCLEAN_FALCONPADDED512_AARCH64_poly_splitFFT_log2(f0, f1, f); break; case 3: - PQCLEAN_FALCON512PADDED_AARCH64_poly_splitFFT_log3(f0, f1, f); + PQCLEAN_FALCONPADDED512_AARCH64_poly_splitFFT_log3(f0, f1, f); break; default: - PQCLEAN_FALCON512PADDED_AARCH64_poly_splitFFT_log4(f0, f1, f, logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_splitFFT_log4(f0, f1, f, logn); break; } } @@ -223,7 +223,7 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_split_fft(fpr *restrict f0, fpr *restr /* * Vectorized Merge FFT implementation */ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_merge_fft(fpr *restrict f, const fpr *restrict f0, +void PQCLEAN_FALCONPADDED512_AARCH64_poly_merge_fft(fpr *restrict f, const fpr *restrict f0, const fpr *restrict f1, const unsigned logn) { switch (logn) { case 1: @@ -233,15 +233,15 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_merge_fft(fpr *restrict f, const fpr * break; case 2: - PQCLEAN_FALCON512PADDED_AARCH64_poly_mergeFFT_log2(f, f0, f1); + PQCLEAN_FALCONPADDED512_AARCH64_poly_mergeFFT_log2(f, f0, f1); break; case 3: - PQCLEAN_FALCON512PADDED_AARCH64_poly_mergeFFT_log3(f, f0, f1); + PQCLEAN_FALCONPADDED512_AARCH64_poly_mergeFFT_log3(f, f0, f1); break; default: - PQCLEAN_FALCON512PADDED_AARCH64_poly_mergeFFT_log4(f, f0, f1, logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_mergeFFT_log4(f, f0, f1, logn); break; } } diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/fpr.c b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/fpr.c similarity index 100% rename from Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/fpr.c rename to Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/fpr.c 
diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/fpr.h b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/fpr.h similarity index 91% rename from Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/fpr.h rename to Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/fpr.h index 64584adc..6a045a45 100644 --- a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/fpr.h +++ b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/fpr.h @@ -219,18 +219,18 @@ fpr_expm_p63(fpr x, fpr ccs) { return (uint64_t) ret; } -#define fpr_p2_tab PQCLEAN_FALCON512PADDED_AARCH64_fpr_p2_tab +#define fpr_p2_tab PQCLEAN_FALCONPADDED512_AARCH64_fpr_p2_tab extern const fpr fpr_p2_tab[]; -#define fpr_tab_log2 PQCLEAN_FALCON512PADDED_AARCH64_fpr_tab_log2 -#define fpr_tab_log3 PQCLEAN_FALCON512PADDED_AARCH64_fpr_tab_log3 -#define fpr_tab_log4 PQCLEAN_FALCON512PADDED_AARCH64_fpr_tab_log4 -#define fpr_tab_log5 PQCLEAN_FALCON512PADDED_AARCH64_fpr_tab_log5 -#define fpr_tab_log6 PQCLEAN_FALCON512PADDED_AARCH64_fpr_tab_log6 -#define fpr_tab_log7 PQCLEAN_FALCON512PADDED_AARCH64_fpr_tab_log7 -#define fpr_tab_log8 PQCLEAN_FALCON512PADDED_AARCH64_fpr_tab_log8 -#define fpr_tab_log9 PQCLEAN_FALCON512PADDED_AARCH64_fpr_tab_log9 -#define fpr_table PQCLEAN_FALCON512PADDED_AARCH64_fpr_table +#define fpr_tab_log2 PQCLEAN_FALCONPADDED512_AARCH64_fpr_tab_log2 +#define fpr_tab_log3 PQCLEAN_FALCONPADDED512_AARCH64_fpr_tab_log3 +#define fpr_tab_log4 PQCLEAN_FALCONPADDED512_AARCH64_fpr_tab_log4 +#define fpr_tab_log5 PQCLEAN_FALCONPADDED512_AARCH64_fpr_tab_log5 +#define fpr_tab_log6 PQCLEAN_FALCONPADDED512_AARCH64_fpr_tab_log6 +#define fpr_tab_log7 PQCLEAN_FALCONPADDED512_AARCH64_fpr_tab_log7 +#define fpr_tab_log8 PQCLEAN_FALCONPADDED512_AARCH64_fpr_tab_log8 +#define fpr_tab_log9 PQCLEAN_FALCONPADDED512_AARCH64_fpr_tab_log9 +#define fpr_table PQCLEAN_FALCONPADDED512_AARCH64_fpr_table extern const fpr fpr_tab_log2[]; extern const fpr fpr_tab_log3[]; 
diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/inner.h b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/inner.h similarity index 86% rename from Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/inner.h rename to Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/inner.h index 0ae5c9aa..65b0e779 100644 --- a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/inner.h +++ b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/inner.h @@ -43,7 +43,7 @@ * * * - All public functions (i.e. the non-static ones) must be referenced - * with the PQCLEAN_FALCON512PADDED_AARCH64_ macro (e.g. PQCLEAN_FALCON512PADDED_AARCH64_verify_raw for the verify_raw() + * with the PQCLEAN_FALCONPADDED512_AARCH64_ macro (e.g. PQCLEAN_FALCONPADDED512_AARCH64_verify_raw for the verify_raw() * function). That macro adds a prefix to the name, which is * configurable with the FALCON_PREFIX macro. This allows compiling * the code into a specific "namespace" and potentially including @@ -66,7 +66,7 @@ * word. The caller MUST use set_fpu_cw() to ensure proper precision: * * oldcw = set_fpu_cw(2); - * PQCLEAN_FALCON512PADDED_AARCH64_sign_dyn(...); + * PQCLEAN_FALCONPADDED512_AARCH64_sign_dyn(...); * set_fpu_cw(oldcw); * * On systems where the native floating-point precision is already 
@@ -156,33 +156,33 @@ set_fpu_cw(unsigned x) { * */ -size_t PQCLEAN_FALCON512PADDED_AARCH64_modq_encode(void *out, size_t max_out_len, +size_t PQCLEAN_FALCONPADDED512_AARCH64_modq_encode(void *out, size_t max_out_len, const uint16_t *x, unsigned logn); -size_t PQCLEAN_FALCON512PADDED_AARCH64_trim_i16_encode(void *out, size_t max_out_len, +size_t PQCLEAN_FALCONPADDED512_AARCH64_trim_i16_encode(void *out, size_t max_out_len, const int16_t *x, unsigned logn, unsigned bits); -size_t PQCLEAN_FALCON512PADDED_AARCH64_trim_i8_encode(void *out, size_t max_out_len, const int8_t *x, uint8_t bits); -size_t PQCLEAN_FALCON512PADDED_AARCH64_comp_encode(void *out, size_t max_out_len, const int16_t *x); +size_t PQCLEAN_FALCONPADDED512_AARCH64_trim_i8_encode(void *out, size_t max_out_len, const int8_t *x, uint8_t bits); +size_t PQCLEAN_FALCONPADDED512_AARCH64_comp_encode(void *out, size_t max_out_len, const int16_t *x); -size_t PQCLEAN_FALCON512PADDED_AARCH64_modq_decode(uint16_t *x, const void *in, +size_t PQCLEAN_FALCONPADDED512_AARCH64_modq_decode(uint16_t *x, const void *in, size_t max_in_len, unsigned logn); -size_t PQCLEAN_FALCON512PADDED_AARCH64_trim_i16_decode(int16_t *x, unsigned logn, unsigned bits, +size_t PQCLEAN_FALCONPADDED512_AARCH64_trim_i16_decode(int16_t *x, unsigned logn, unsigned bits, const void *in, size_t max_in_len); -size_t PQCLEAN_FALCON512PADDED_AARCH64_trim_i8_decode(int8_t *x, unsigned bits, const void *in, size_t max_in_len); -size_t PQCLEAN_FALCON512PADDED_AARCH64_comp_decode(int16_t *x, const void *in, size_t max_in_len); +size_t PQCLEAN_FALCONPADDED512_AARCH64_trim_i8_decode(int8_t *x, unsigned bits, const void *in, size_t max_in_len); +size_t PQCLEAN_FALCONPADDED512_AARCH64_comp_decode(int16_t *x, const void *in, size_t max_in_len); /* * Number of bits for key elements, indexed by logn (1 to 10). This * is at most 8 bits for all degrees, but some degrees may have shorter * elements. 
*/ -extern const uint8_t PQCLEAN_FALCON512PADDED_AARCH64_max_fg_bits[]; -extern const uint8_t PQCLEAN_FALCON512PADDED_AARCH64_max_FG_bits[]; +extern const uint8_t PQCLEAN_FALCONPADDED512_AARCH64_max_fg_bits[]; +extern const uint8_t PQCLEAN_FALCONPADDED512_AARCH64_max_FG_bits[]; /* * Maximum size, in bits, of elements in a signature, indexed by logn * (1 to 10). The size includes the sign bit. */ -extern const uint8_t PQCLEAN_FALCON512PADDED_AARCH64_max_sig_bits[]; +extern const uint8_t PQCLEAN_FALCONPADDED512_AARCH64_max_sig_bits[]; /* ==================================================================== */ /* @@ -196,18 +196,18 @@ extern const uint8_t PQCLEAN_FALCON512PADDED_AARCH64_max_sig_bits[]; * information to serve as a stop condition on a brute force attack on * the hashed message (provided that the nonce value is known). */ -void PQCLEAN_FALCON512PADDED_AARCH64_hash_to_point_vartime(inner_shake256_context *sc, +void PQCLEAN_FALCONPADDED512_AARCH64_hash_to_point_vartime(inner_shake256_context *sc, uint16_t *x, unsigned logn); /* * From a SHAKE256 context (must be already flipped), produce a new * point. The temporary buffer (tmp) must have room for 2*2^logn bytes. * This function is constant-time but is typically more expensive than - * PQCLEAN_FALCON512PADDED_AARCH64_hash_to_point_vartime(). + * PQCLEAN_FALCONPADDED512_AARCH64_hash_to_point_vartime(). * * tmp[] must have 16-bit alignment. */ -void PQCLEAN_FALCON512PADDED_AARCH64_hash_to_point_ct(inner_shake256_context *sc, +void PQCLEAN_FALCONPADDED512_AARCH64_hash_to_point_ct(inner_shake256_context *sc, uint16_t *x, unsigned logn, uint8_t *tmp); /* 
@@ -216,7 +216,7 @@ void PQCLEAN_FALCON512PADDED_AARCH64_hash_to_point_ct(inner_shake256_context *sc * vector with the acceptance bound. Returned value is 1 on success * (vector is short enough to be acceptable), 0 otherwise. */ -int PQCLEAN_FALCON512PADDED_AARCH64_is_short(const int16_t *s1, const int16_t *s2); +int PQCLEAN_FALCONPADDED512_AARCH64_is_short(const int16_t *s1, const int16_t *s2); /* * Tell whether a given vector (2N coordinates, in two halves) is @@ -228,7 +228,7 @@ int PQCLEAN_FALCON512PADDED_AARCH64_is_short(const int16_t *s1, const int16_t *s * Returned value is 1 on success (vector is short enough to be * acceptable), 0 otherwise. */ -int PQCLEAN_FALCON512PADDED_AARCH64_is_short_tmp(int16_t *s1tmp, int16_t *s2tmp, +int PQCLEAN_FALCONPADDED512_AARCH64_is_short_tmp(int16_t *s1tmp, int16_t *s2tmp, const int16_t *hm, const double *t0, const double *t1); @@ -239,12 +239,12 @@ int PQCLEAN_FALCON512PADDED_AARCH64_is_short_tmp(int16_t *s1tmp, int16_t *s2tmp, /* * Convert a public key to NTT. Conversion is done in place. */ -void PQCLEAN_FALCON512PADDED_AARCH64_to_ntt(int16_t *h); +void PQCLEAN_FALCONPADDED512_AARCH64_to_ntt(int16_t *h); /* * Convert a public key to NTT + Montgomery format. Conversion is done * in place. */ -void PQCLEAN_FALCON512PADDED_AARCH64_to_ntt_monty(int16_t *h); +void PQCLEAN_FALCONPADDED512_AARCH64_to_ntt_monty(int16_t *h); /* * Internal signature verification code: @@ -257,7 +257,7 @@ void PQCLEAN_FALCON512PADDED_AARCH64_to_ntt_monty(int16_t *h); * * tmp[] must have 16-bit alignment. */ -int PQCLEAN_FALCON512PADDED_AARCH64_verify_raw(const int16_t *c0, const int16_t *s2, +int PQCLEAN_FALCONPADDED512_AARCH64_verify_raw(const int16_t *c0, const int16_t *s2, int16_t *h, int16_t *tmp); /* 
@@ -269,7 +269,7 @@ int PQCLEAN_FALCON512PADDED_AARCH64_verify_raw(const int16_t *c0, const int16_t * The tmp[] array must have room for at least 2*2^logn elements. * tmp[] must have 16-bit alignment. */ -int PQCLEAN_FALCON512PADDED_AARCH64_compute_public(int16_t *h, const int8_t *f, +int PQCLEAN_FALCONPADDED512_AARCH64_compute_public(int16_t *h, const int8_t *f, const int8_t *g, int16_t *tmp); /* @@ -283,7 +283,7 @@ int PQCLEAN_FALCON512PADDED_AARCH64_compute_public(int16_t *h, const int8_t *f, * Returned value is 1 in success, 0 on error (f not invertible). * tmp[] must have 16-bit alignment. */ -int PQCLEAN_FALCON512PADDED_AARCH64_complete_private(int8_t *G, const int8_t *f, +int PQCLEAN_FALCONPADDED512_AARCH64_complete_private(int8_t *G, const int8_t *f, const int8_t *g, const int8_t *F, uint8_t *tmp); @@ -293,7 +293,7 @@ int PQCLEAN_FALCON512PADDED_AARCH64_complete_private(int8_t *G, const int8_t *f, * * tmp[] must have 16-bit alignment. */ -int PQCLEAN_FALCON512PADDED_AARCH64_is_invertible(const int16_t *s2, uint8_t *tmp); +int PQCLEAN_FALCONPADDED512_AARCH64_is_invertible(const int16_t *s2, uint8_t *tmp); /* * Count the number of elements of value zero in the NTT representation @@ -303,7 +303,7 @@ int PQCLEAN_FALCON512PADDED_AARCH64_is_invertible(const int16_t *s2, uint8_t *tm * * tmp[] must have 16-bit alignment. */ -int PQCLEAN_FALCON512PADDED_AARCH64_count_nttzero(const int16_t *sig, uint8_t *tmp); +int PQCLEAN_FALCONPADDED512_AARCH64_count_nttzero(const int16_t *sig, uint8_t *tmp); /* * Internal signature verification with public key recovery: @@ -323,7 +323,7 @@ int PQCLEAN_FALCON512PADDED_AARCH64_count_nttzero(const int16_t *sig, uint8_t *t * * tmp[] must have 16-bit alignment. */ -int PQCLEAN_FALCON512PADDED_AARCH64_verify_recover(int16_t *h, const int16_t *c0, +int PQCLEAN_FALCONPADDED512_AARCH64_verify_recover(int16_t *h, const int16_t *c0, const int16_t *s1, const int16_t *s2, uint8_t *tmp); 
@@ -444,7 +444,7 @@ int PQCLEAN_FALCON512PADDED_AARCH64_verify_recover(int16_t *h, const int16_t *c0 * * Returned value is 1 on success, 0 on error. */ -int PQCLEAN_FALCON512PADDED_AARCH64_get_seed(void *seed, size_t seed_len); +int PQCLEAN_FALCONPADDED512_AARCH64_get_seed(void *seed, size_t seed_len); /* * Structure for a PRNG. This includes a large buffer so that values @@ -471,18 +471,18 @@ typedef struct { * Instantiate a PRNG. That PRNG will feed over the provided SHAKE256 * context (in "flipped" state) to obtain its initial state. */ -void PQCLEAN_FALCON512PADDED_AARCH64_prng_init(prng *p, inner_shake256_context *src); +void PQCLEAN_FALCONPADDED512_AARCH64_prng_init(prng *p, inner_shake256_context *src); /* * Refill the PRNG buffer. This is normally invoked automatically, and * is declared here only so that prng_get_u64() may be inlined. */ -void PQCLEAN_FALCON512PADDED_AARCH64_prng_refill(prng *p); +void PQCLEAN_FALCONPADDED512_AARCH64_prng_refill(prng *p); /* * Get some bytes from a PRNG. */ -void PQCLEAN_FALCON512PADDED_AARCH64_prng_get_bytes(prng *p, void *dst, size_t len); +void PQCLEAN_FALCONPADDED512_AARCH64_prng_get_bytes(prng *p, void *dst, size_t len); /* * Get a 64-bit random value from a PRNG. @@ -499,7 +499,7 @@ prng_get_u64(prng *p) { */ u = p->ptr; if (u >= (sizeof p->buf.d) - 9) { - PQCLEAN_FALCON512PADDED_AARCH64_prng_refill(p); + PQCLEAN_FALCONPADDED512_AARCH64_prng_refill(p); u = 0; } p->ptr = u + 8; @@ -523,7 +523,7 @@ prng_get_u8(prng *p) { v = p->buf.d[p->ptr ++]; if (p->ptr == sizeof p->buf.d) { - PQCLEAN_FALCON512PADDED_AARCH64_prng_refill(p); + PQCLEAN_FALCONPADDED512_AARCH64_prng_refill(p); } return v; } @@ -546,7 +546,7 @@ prng_get_u8(prng *p) { * * 'logn' MUST lie between 1 and 10 (inclusive). */ -void PQCLEAN_FALCON512PADDED_AARCH64_FFT(fpr *f, unsigned logn); +void PQCLEAN_FALCONPADDED512_AARCH64_FFT(fpr *f, unsigned logn); /* * Compute the inverse FFT in-place: the source array should contain the 
@@ -556,62 +556,62 @@ void PQCLEAN_FALCON512PADDED_AARCH64_FFT(fpr *f, unsigned logn); * * 'logn' MUST lie between 1 and 10 (inclusive). */ -void PQCLEAN_FALCON512PADDED_AARCH64_iFFT(fpr *f, unsigned logn); +void PQCLEAN_FALCONPADDED512_AARCH64_iFFT(fpr *f, unsigned logn); /* * Add polynomial b to polynomial a. a and b MUST NOT overlap. This * function works in both normal and FFT representations. */ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_add(fpr *c, const fpr *restrict a, const fpr *restrict b, unsigned logn); +void PQCLEAN_FALCONPADDED512_AARCH64_poly_add(fpr *c, const fpr *restrict a, const fpr *restrict b, unsigned logn); /* * Subtract polynomial b from polynomial a. a and b MUST NOT overlap. This * function works in both normal and FFT representations. */ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_sub(fpr *c, const fpr *restrict a, const fpr *restrict b, unsigned logn); +void PQCLEAN_FALCONPADDED512_AARCH64_poly_sub(fpr *c, const fpr *restrict a, const fpr *restrict b, unsigned logn); /* * Negate polynomial a. This function works in both normal and FFT * representations. */ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_neg(fpr *c, const fpr *restrict a, unsigned logn); +void PQCLEAN_FALCONPADDED512_AARCH64_poly_neg(fpr *c, const fpr *restrict a, unsigned logn); /* * Compute adjoint of polynomial a. This function works only in FFT * representation. */ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_adj_fft(fpr *c, const fpr *restrict a, unsigned logn); +void PQCLEAN_FALCONPADDED512_AARCH64_poly_adj_fft(fpr *c, const fpr *restrict a, unsigned logn); /* * Multiply polynomial a with polynomial b. a and b MUST NOT overlap. * This function works only in FFT representation. 
*/ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_fft(fpr *c, const fpr *a, const fpr *restrict b, unsigned logn); -void PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_add_fft(fpr *c, const fpr *a, const fpr *restrict b, const fpr *restrict d, unsigned logn); +void PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_fft(fpr *c, const fpr *a, const fpr *restrict b, unsigned logn); +void PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_add_fft(fpr *c, const fpr *a, const fpr *restrict b, const fpr *restrict d, unsigned logn); /* * Multiply polynomial a with the adjoint of polynomial b. a and b MUST NOT * overlap. This function works only in FFT representation. */ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_muladj_fft(fpr *d, fpr *a, const fpr *restrict b, unsigned logn); -void PQCLEAN_FALCON512PADDED_AARCH64_poly_muladj_add_fft(fpr *c, fpr *d, +void PQCLEAN_FALCONPADDED512_AARCH64_poly_muladj_fft(fpr *d, fpr *a, const fpr *restrict b, unsigned logn); +void PQCLEAN_FALCONPADDED512_AARCH64_poly_muladj_add_fft(fpr *c, fpr *d, const fpr *a, const fpr *restrict b, unsigned logn); /* * Multiply polynomial with its own adjoint. This function works only in FFT * representation. */ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_mulselfadj_fft(fpr *c, const fpr *restrict a, unsigned logn); -void PQCLEAN_FALCON512PADDED_AARCH64_poly_mulselfadj_add_fft(fpr *c, const fpr *restrict d, const fpr *restrict a, unsigned logn); +void PQCLEAN_FALCONPADDED512_AARCH64_poly_mulselfadj_fft(fpr *c, const fpr *restrict a, unsigned logn); +void PQCLEAN_FALCONPADDED512_AARCH64_poly_mulselfadj_add_fft(fpr *c, const fpr *restrict d, const fpr *restrict a, unsigned logn); /* * Multiply polynomial with a real constant. This function works in both * normal and FFT representations. 
*/ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_mulconst(fpr *c, const fpr *a, const fpr x, unsigned logn); +void PQCLEAN_FALCONPADDED512_AARCH64_poly_mulconst(fpr *c, const fpr *a, const fpr x, unsigned logn); /* * Divide polynomial a by polynomial b, modulo X^N+1 (FFT representation). * a and b MUST NOT overlap. */ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_div_fft(fpr *restrict c, const fpr *restrict a, const fpr *restrict b, unsigned logn); +void PQCLEAN_FALCONPADDED512_AARCH64_poly_div_fft(fpr *restrict c, const fpr *restrict a, const fpr *restrict b, unsigned logn); /* * Given f and g (in FFT representation), compute 1/(f*adj(f)+g*adj(g)) @@ -621,7 +621,7 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_div_fft(fpr *restrict c, const fpr *re * * Array d MUST NOT overlap with either a or b. */ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_invnorm2_fft(fpr *restrict d, +void PQCLEAN_FALCONPADDED512_AARCH64_poly_invnorm2_fft(fpr *restrict d, const fpr *restrict a, const fpr *restrict b, unsigned logn); /* @@ -629,7 +629,7 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_invnorm2_fft(fpr *restrict d, * (also in FFT representation). Destination d MUST NOT overlap with * any of the source arrays. */ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_add_muladj_fft(fpr *restrict d, +void PQCLEAN_FALCONPADDED512_AARCH64_poly_add_muladj_fft(fpr *restrict d, const fpr *restrict F, const fpr *restrict G, const fpr *restrict f, const fpr *restrict g, unsigned logn); @@ -639,7 +639,7 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_add_muladj_fft(fpr *restrict d, * FFT coefficients are real, and the array b contains only N/2 elements. * a and b MUST NOT overlap. */ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_autoadj_fft(fpr *c, const fpr *a, const fpr *restrict b, unsigned logn); +void PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_autoadj_fft(fpr *c, const fpr *a, const fpr *restrict b, unsigned logn); /* * Divide polynomial a by polynomial b, where b is autoadjoint. Both 
@@ -647,7 +647,7 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_autoadj_fft(fpr *c, const fpr *a, * FFT coefficients are real, and the array b contains only N/2 elements. * a and b MUST NOT overlap. */ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_div_autoadj_fft(fpr *c, const fpr *a, const fpr *restrict b, unsigned logn); +void PQCLEAN_FALCONPADDED512_AARCH64_poly_div_autoadj_fft(fpr *c, const fpr *a, const fpr *restrict b, unsigned logn); /* * Perform an LDL decomposition of an auto-adjoint matrix G, in FFT @@ -657,7 +657,7 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_div_autoadj_fft(fpr *c, const fpr *a, * (with D = [[d00, 0], [0, d11]] and L = [[1, 0], [l10, 1]]). * (In fact, d00 = g00, so the g00 operand is left unmodified.) */ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_LDL_fft(const fpr *restrict g00, +void PQCLEAN_FALCONPADDED512_AARCH64_poly_LDL_fft(const fpr *restrict g00, fpr *restrict g01, fpr *restrict g11, unsigned logn); /* @@ -666,7 +666,7 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_LDL_fft(const fpr *restrict g00, * g00, g01 and g11 are unmodified; the outputs d11 and l10 are written * in two other separate buffers provided as extra parameters. */ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_LDLmv_fft(fpr *restrict d11, fpr *restrict l10, +void PQCLEAN_FALCONPADDED512_AARCH64_poly_LDLmv_fft(fpr *restrict d11, fpr *restrict l10, const fpr *restrict g00, const fpr *restrict g01, const fpr *restrict g11, unsigned logn); @@ -675,7 +675,7 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_LDLmv_fft(fpr *restrict d11, fpr *rest * f = f0(x^2) + x*f1(x^2), for half-size polynomials f0 and f1 * (polynomials modulo X^(N/2)+1). f0, f1 and f MUST NOT overlap. */ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_split_fft(fpr *restrict f0, fpr *restrict f1, +void PQCLEAN_FALCONPADDED512_AARCH64_poly_split_fft(fpr *restrict f0, fpr *restrict f1, const fpr *restrict f, unsigned logn); /* 
@@ -684,14 +684,14 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_split_fft(fpr *restrict f0, fpr *restr * f = f0(x^2) + x*f1(x^2), in FFT representation modulo X^N+1. * f MUST NOT overlap with either f0 or f1. */ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_merge_fft(fpr *restrict f, +void PQCLEAN_FALCONPADDED512_AARCH64_poly_merge_fft(fpr *restrict f, const fpr *restrict f0, const fpr *restrict f1, unsigned logn); -void PQCLEAN_FALCON512PADDED_AARCH64_poly_fpr_of_s16(fpr *t0, const uint16_t *hm, const unsigned falcon_n); +void PQCLEAN_FALCONPADDED512_AARCH64_poly_fpr_of_s16(fpr *t0, const uint16_t *hm, const unsigned falcon_n); -fpr PQCLEAN_FALCON512PADDED_AARCH64_compute_bnorm(const fpr *rt1, const fpr *rt2); +fpr PQCLEAN_FALCONPADDED512_AARCH64_compute_bnorm(const fpr *rt1, const fpr *rt2); -int32_t PQCLEAN_FALCON512PADDED_AARCH64_poly_small_sqnorm(const int8_t *f); // common.c +int32_t PQCLEAN_FALCONPADDED512_AARCH64_poly_small_sqnorm(const int8_t *f); // common.c /* ==================================================================== */ /* * Key pair generation. @@ -728,7 +728,7 @@ int32_t PQCLEAN_FALCON512PADDED_AARCH64_poly_small_sqnorm(const int8_t *f); // c * tmp[] must have 64-bit alignment. * This function uses floating-point rounding (see set_fpu_cw()). */ -void PQCLEAN_FALCON512PADDED_AARCH64_keygen(inner_shake256_context *rng, +void PQCLEAN_FALCONPADDED512_AARCH64_keygen(inner_shake256_context *rng, int8_t *f, int8_t *g, int8_t *F, int8_t *G, uint16_t *h, unsigned logn, uint8_t *tmp); 
@@ -747,14 +747,14 @@ void PQCLEAN_FALCON512PADDED_AARCH64_keygen(inner_shake256_context *rng, * tmp[] must have 64-bit alignment. * This function uses floating-point rounding (see set_fpu_cw()). */ -void PQCLEAN_FALCON512PADDED_AARCH64_expand_privkey(fpr *restrict expanded_key, +void PQCLEAN_FALCONPADDED512_AARCH64_expand_privkey(fpr *restrict expanded_key, const int8_t *f, const int8_t *g, const int8_t *F, const int8_t *G, uint8_t *restrict tmp); /* * Compute a signature over the provided hashed message (hm); the * signature value is one short vector. This function uses an - * expanded key (as generated by PQCLEAN_FALCON512PADDED_AARCH64_expand_privkey()). + * expanded key (as generated by PQCLEAN_FALCONPADDED512_AARCH64_expand_privkey()). * * The sig[] and hm[] buffers may overlap. * @@ -766,7 +766,7 @@ void PQCLEAN_FALCON512PADDED_AARCH64_expand_privkey(fpr *restrict expanded_key, * tmp[] must have 64-bit alignment. * This function uses floating-point rounding (see set_fpu_cw()). */ -void PQCLEAN_FALCON512PADDED_AARCH64_sign_tree(int16_t *sig, inner_shake256_context *rng, +void PQCLEAN_FALCONPADDED512_AARCH64_sign_tree(int16_t *sig, inner_shake256_context *rng, const fpr *restrict expanded_key, const uint16_t *hm, uint8_t *tmp); @@ -787,7 +787,7 @@ void PQCLEAN_FALCON512PADDED_AARCH64_sign_tree(int16_t *sig, inner_shake256_cont * tmp[] must have 64-bit alignment. * This function uses floating-point rounding (see set_fpu_cw()). */ -void PQCLEAN_FALCON512PADDED_AARCH64_sign_dyn(int16_t *sig, inner_shake256_context *rng, +void PQCLEAN_FALCONPADDED512_AARCH64_sign_dyn(int16_t *sig, inner_shake256_context *rng, const int8_t *restrict f, const int8_t *restrict g, const int8_t *restrict F, const int8_t *restrict G, const uint16_t *hm, uint8_t *tmp); 
@@ -816,9 +816,9 @@ typedef struct { fpr sigma_min; } sampler_context; -int PQCLEAN_FALCON512PADDED_AARCH64_sampler(void *ctx, fpr mu, fpr isigma); +int PQCLEAN_FALCONPADDED512_AARCH64_sampler(void *ctx, fpr mu, fpr isigma); -int PQCLEAN_FALCON512PADDED_AARCH64_gaussian0_sampler(prng *p); +int PQCLEAN_FALCONPADDED512_AARCH64_gaussian0_sampler(prng *p); /* ==================================================================== */ diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/keygen.c b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/keygen.c similarity index 97% rename from Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/keygen.c rename to Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/keygen.c index 3f3f1b4c..feee9d48 100644 --- a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/keygen.c +++ b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/keygen.c @@ -3036,11 +3036,11 @@ solve_NTRU_intermediate(unsigned logn_top, * Compute 1/(f*adj(f)+g*adj(g)) in rt5. We also keep adj(f) * and adj(g) in rt3 and rt4, respectively. */ - PQCLEAN_FALCON512PADDED_AARCH64_FFT(rt3, logn); - PQCLEAN_FALCON512PADDED_AARCH64_poly_adj_fft(rt3, rt3, logn); - PQCLEAN_FALCON512PADDED_AARCH64_FFT(rt4, logn); - PQCLEAN_FALCON512PADDED_AARCH64_poly_adj_fft(rt4, rt4, logn); - PQCLEAN_FALCON512PADDED_AARCH64_poly_invnorm2_fft(rt5, rt3, rt4, logn); + PQCLEAN_FALCONPADDED512_AARCH64_FFT(rt3, logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_adj_fft(rt3, rt3, logn); + PQCLEAN_FALCONPADDED512_AARCH64_FFT(rt4, logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_adj_fft(rt4, rt4, logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_invnorm2_fft(rt5, rt3, rt4, logn); /* * Reduce F and G repeatedly. 
@@ -3096,13 +3096,13 @@ solve_NTRU_intermediate(unsigned logn_top, /* * Compute (F*adj(f)+G*adj(g))/(f*adj(f)+g*adj(g)) in rt2. */ - PQCLEAN_FALCON512PADDED_AARCH64_FFT(rt1, logn); - PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_fft(rt1, rt1, rt3, logn); - PQCLEAN_FALCON512PADDED_AARCH64_FFT(rt2, logn); - PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_fft(rt2, rt2, rt4, logn); - PQCLEAN_FALCON512PADDED_AARCH64_poly_add(rt2, rt2, rt1, logn); - PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_autoadj_fft(rt2, rt2, rt5, logn); - PQCLEAN_FALCON512PADDED_AARCH64_iFFT(rt2, logn); + PQCLEAN_FALCONPADDED512_AARCH64_FFT(rt1, logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_fft(rt1, rt1, rt3, logn); + PQCLEAN_FALCONPADDED512_AARCH64_FFT(rt2, logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_fft(rt2, rt2, rt4, logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_add(rt2, rt2, rt1, logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_autoadj_fft(rt2, rt2, rt5, logn); + PQCLEAN_FALCONPADDED512_AARCH64_iFFT(rt2, logn); /* * (f,g) are scaled by 'scale_fg', meaning that the @@ -3552,10 +3552,10 @@ solve_NTRU_binary_depth1(unsigned logn_top, * rt4 = g * in that order in RAM. We convert all of them to FFT. */ - PQCLEAN_FALCON512PADDED_AARCH64_FFT(rt1, logn); - PQCLEAN_FALCON512PADDED_AARCH64_FFT(rt2, logn); - PQCLEAN_FALCON512PADDED_AARCH64_FFT(rt3, logn); - PQCLEAN_FALCON512PADDED_AARCH64_FFT(rt4, logn); + PQCLEAN_FALCONPADDED512_AARCH64_FFT(rt1, logn); + PQCLEAN_FALCONPADDED512_AARCH64_FFT(rt2, logn); + PQCLEAN_FALCONPADDED512_AARCH64_FFT(rt3, logn); + PQCLEAN_FALCONPADDED512_AARCH64_FFT(rt4, logn); /* * Compute: 
@@ -3563,14 +3563,14 @@ solve_NTRU_binary_depth1(unsigned logn_top, * rt6 = 1 / (f*adj(f) + g*adj(g)) * (Note that rt6 is half-length.) */ - PQCLEAN_FALCON512PADDED_AARCH64_poly_add_muladj_fft(rt5, rt1, rt2, rt3, rt4, logn); - PQCLEAN_FALCON512PADDED_AARCH64_poly_invnorm2_fft(rt6, rt3, rt4, logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_add_muladj_fft(rt5, rt1, rt2, rt3, rt4, logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_invnorm2_fft(rt6, rt3, rt4, logn); /* * Compute: * rt5 = (F*adj(f)+G*adj(g)) / (f*adj(f)+g*adj(g)) */ - PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_autoadj_fft(rt5, rt5, rt6, logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_autoadj_fft(rt5, rt5, rt6, logn); /* * Compute k as the rounded version of rt5. Check that none of @@ -3579,7 +3579,7 @@ solve_NTRU_binary_depth1(unsigned logn_top, * note that any out-of-bounds value here implies a failure and * (f,g) will be discarded, so we can make a simple test. */ - PQCLEAN_FALCON512PADDED_AARCH64_iFFT(rt5, logn); + PQCLEAN_FALCONPADDED512_AARCH64_iFFT(rt5, logn); for (u = 0; u < n; u ++) { fpr z; 
@@ -3589,18 +3589,18 @@ solve_NTRU_binary_depth1(unsigned logn_top, } rt5[u] = fpr_of(fpr_rint(z)); } - PQCLEAN_FALCON512PADDED_AARCH64_FFT(rt5, logn); + PQCLEAN_FALCONPADDED512_AARCH64_FFT(rt5, logn); /* * Subtract k*f from F, and k*g from G. */ - PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_fft(rt3, rt3, rt5, logn); - PQCLEAN_FALCON512PADDED_AARCH64_poly_sub(rt1, rt1, rt3, logn); - PQCLEAN_FALCON512PADDED_AARCH64_iFFT(rt1, logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_fft(rt3, rt3, rt5, logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_sub(rt1, rt1, rt3, logn); + PQCLEAN_FALCONPADDED512_AARCH64_iFFT(rt1, logn); - PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_fft(rt4, rt4, rt5, logn); - PQCLEAN_FALCON512PADDED_AARCH64_poly_sub(rt2, rt2, rt4, logn); - PQCLEAN_FALCON512PADDED_AARCH64_iFFT(rt2, logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_fft(rt4, rt4, rt5, logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_sub(rt2, rt2, rt4, logn); + PQCLEAN_FALCONPADDED512_AARCH64_iFFT(rt2, logn); /* * Convert back F and G to integers, and return. @@ -3819,7 +3819,7 @@ solve_NTRU_binary_depth0(unsigned logn, for (u = 0; u < n; u ++) { rt3[u] = fpr_of(((int32_t *)t2)[u]); } - PQCLEAN_FALCON512PADDED_AARCH64_FFT(rt3, logn); + PQCLEAN_FALCONPADDED512_AARCH64_FFT(rt3, logn); rt2 = align_fpr(tmp, t2); memmove(rt2, rt3, hn * sizeof * rt3); @@ -3830,14 +3830,14 @@ solve_NTRU_binary_depth0(unsigned logn, for (u = 0; u < n; u ++) { rt3[u] = fpr_of(((int32_t *)t1)[u]); } - PQCLEAN_FALCON512PADDED_AARCH64_FFT(rt3, logn); + PQCLEAN_FALCONPADDED512_AARCH64_FFT(rt3, logn); /* * Compute (F*adj(f)+G*adj(g))/(f*adj(f)+g*adj(g)) and get * its rounded normal representation in t1. */ - PQCLEAN_FALCON512PADDED_AARCH64_poly_div_autoadj_fft(rt3, rt3, rt2, logn); - PQCLEAN_FALCON512PADDED_AARCH64_iFFT(rt3, logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_div_autoadj_fft(rt3, rt3, rt2, logn); + PQCLEAN_FALCONPADDED512_AARCH64_iFFT(rt3, logn); for (u = 0; u < n; u ++) { t1[u] = modp_set((int32_t)fpr_rint(rt3[u]), p); } 
@@ -4038,7 +4038,7 @@ poly_small_mkgauss(RNG_CONTEXT *rng, int8_t *f, unsigned logn) { /* see falcon.h */ void -PQCLEAN_FALCON512PADDED_AARCH64_keygen(inner_shake256_context *rng, +PQCLEAN_FALCONPADDED512_AARCH64_keygen(inner_shake256_context *rng, int8_t *f, int8_t *g, int8_t *F, int8_t *G, uint16_t *h, unsigned logn, uint8_t *tmp) { /* @@ -4107,7 +4107,7 @@ PQCLEAN_FALCON512PADDED_AARCH64_keygen(inner_shake256_context *rng, * overwhelming probability; this guarantees that the * key will be encodable with FALCON_COMP_TRIM. */ - lim = 1 << (PQCLEAN_FALCON512PADDED_AARCH64_max_fg_bits[logn] - 1); + lim = 1 << (PQCLEAN_FALCONPADDED512_AARCH64_max_fg_bits[logn] - 1); for (u = 0; u < n; u ++) { /* * We can use non-CT tests since on any failure 
@@ -4145,24 +4145,24 @@ PQCLEAN_FALCON512PADDED_AARCH64_keygen(inner_shake256_context *rng, rt3 = rt2 + n; poly_small_to_fp(rt1, f, logn); - PQCLEAN_FALCON512PADDED_AARCH64_FFT(rt1, logn); - PQCLEAN_FALCON512PADDED_AARCH64_poly_adj_fft(rt1, rt1, logn); + PQCLEAN_FALCONPADDED512_AARCH64_FFT(rt1, logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_adj_fft(rt1, rt1, logn); poly_small_to_fp(rt2, g, logn); - PQCLEAN_FALCON512PADDED_AARCH64_FFT(rt2, logn); - PQCLEAN_FALCON512PADDED_AARCH64_poly_adj_fft(rt2, rt2, logn); + PQCLEAN_FALCONPADDED512_AARCH64_FFT(rt2, logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_adj_fft(rt2, rt2, logn); - PQCLEAN_FALCON512PADDED_AARCH64_poly_invnorm2_fft(rt3, rt1, rt2, logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_invnorm2_fft(rt3, rt1, rt2, logn); - PQCLEAN_FALCON512PADDED_AARCH64_poly_mulconst(rt1, rt1, fpr_q, logn); - PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_autoadj_fft(rt1, rt1, rt3, logn); - PQCLEAN_FALCON512PADDED_AARCH64_iFFT(rt1, logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_mulconst(rt1, rt1, fpr_q, logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_autoadj_fft(rt1, rt1, rt3, logn); + PQCLEAN_FALCONPADDED512_AARCH64_iFFT(rt1, logn); - PQCLEAN_FALCON512PADDED_AARCH64_poly_mulconst(rt2, rt2, fpr_q, logn); - PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_autoadj_fft(rt2, rt2, rt3, logn); - PQCLEAN_FALCON512PADDED_AARCH64_iFFT(rt2, logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_mulconst(rt2, rt2, fpr_q, logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_autoadj_fft(rt2, rt2, rt3, logn); + PQCLEAN_FALCONPADDED512_AARCH64_iFFT(rt2, logn); - bnorm = PQCLEAN_FALCON512PADDED_AARCH64_compute_bnorm(rt1, rt2); + bnorm = PQCLEAN_FALCONPADDED512_AARCH64_compute_bnorm(rt1, rt2); if (!fpr_lt(bnorm, fpr_bnorm_max)) { continue; 
@@ -4180,14 +4180,14 @@ PQCLEAN_FALCON512PADDED_AARCH64_keygen(inner_shake256_context *rng, tmp2 = (int16_t *)tmp; } - if (!PQCLEAN_FALCON512PADDED_AARCH64_compute_public(h2, f, g, tmp2)) { + if (!PQCLEAN_FALCONPADDED512_AARCH64_compute_public(h2, f, g, tmp2)) { continue; } /* * Solve the NTRU equation to get F and G. */ - lim = (1 << (PQCLEAN_FALCON512PADDED_AARCH64_max_FG_bits[logn] - 1)) - 1; + lim = (1 << (PQCLEAN_FALCONPADDED512_AARCH64_max_FG_bits[logn] - 1)) - 1; if (!solve_NTRU(logn, F, G, f, g, lim, (uint32_t *)tmp)) { continue; } diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/macrof.h b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/macrof.h similarity index 100% rename from Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/macrof.h rename to Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/macrof.h diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/macrofx4.h b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/macrofx4.h similarity index 100% rename from Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/macrofx4.h rename to Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/macrofx4.h diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/macrous.h b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/macrous.h similarity index 100% rename from Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/macrous.h rename to Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/macrous.h diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/ntt.c b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/ntt.c similarity index 97% rename from Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/ntt.c rename to Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/ntt.c index dabd31d9..9b8c7e92 100644 --- a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/ntt.c +++ b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/ntt.c 
@@ -30,16 +30,16 @@ * Assume Input in the range [-Q/2, Q/2] * Total Barrett point for N = 512, 1024: 2048, 4096 */ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_ntt(int16_t a[FALCON_N], ntt_domain_t mont) { +void PQCLEAN_FALCONPADDED512_AARCH64_poly_ntt(int16_t a[FALCON_N], ntt_domain_t mont) { // Total SIMD registers 29 = 16 + 12 + 1 int16x8x4_t v0, v1, v2, v3; // 16 int16x8x4_t zl, zh, t, t2; // 12 int16x8x2_t zlh, zhh; // 4 int16x8_t neon_qmvq; // 1 - const int16_t *ptr_ntt_br = PQCLEAN_FALCON512PADDED_AARCH64_ntt_br; - const int16_t *ptr_ntt_qinv_br = PQCLEAN_FALCON512PADDED_AARCH64_ntt_qinv_br; + const int16_t *ptr_ntt_br = PQCLEAN_FALCONPADDED512_AARCH64_ntt_br; + const int16_t *ptr_ntt_qinv_br = PQCLEAN_FALCONPADDED512_AARCH64_ntt_qinv_br; - neon_qmvq = vld1q_s16(PQCLEAN_FALCON512PADDED_AARCH64_qmvq); + neon_qmvq = vld1q_s16(PQCLEAN_FALCONPADDED512_AARCH64_qmvq); zl.val[0] = vld1q_s16(ptr_ntt_br); zh.val[0] = vld1q_s16(ptr_ntt_qinv_br); ptr_ntt_br += 8; @@ -335,16 +335,16 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_ntt(int16_t a[FALCON_N], ntt_domain_t * Assume input in range [-Q, Q] * Total Barrett point N = 512, 1024: 1792, 3840 */ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_invntt(int16_t a[FALCON_N], invntt_domain_t ninv) { +void PQCLEAN_FALCONPADDED512_AARCH64_poly_invntt(int16_t a[FALCON_N], invntt_domain_t ninv) { // Total SIMD registers: 29 = 16 + 12 + 1 int16x8x4_t v0, v1, v2, v3; // 16 int16x8x4_t zl, zh, t, t2; // 12 int16x8x2_t zlh, zhh; // 4 int16x8_t neon_qmvq; // 1 - const int16_t *ptr_invntt_br = PQCLEAN_FALCON512PADDED_AARCH64_invntt_br; - const int16_t *ptr_invntt_qinv_br = PQCLEAN_FALCON512PADDED_AARCH64_invntt_qinv_br; + const int16_t *ptr_invntt_br = PQCLEAN_FALCONPADDED512_AARCH64_invntt_br; + const int16_t *ptr_invntt_qinv_br = PQCLEAN_FALCONPADDED512_AARCH64_invntt_qinv_br; - neon_qmvq = vld1q_s16(PQCLEAN_FALCON512PADDED_AARCH64_qmvq); + neon_qmvq = vld1q_s16(PQCLEAN_FALCONPADDED512_AARCH64_qmvq); unsigned j; // Layer 0, 1, 2, 3, 4, 5, 6 
@@ -800,11 +800,11 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_invntt(int16_t a[FALCON_N], invntt_dom } } -void PQCLEAN_FALCON512PADDED_AARCH64_poly_montmul_ntt(int16_t f[FALCON_N], const int16_t g[FALCON_N]) { +void PQCLEAN_FALCONPADDED512_AARCH64_poly_montmul_ntt(int16_t f[FALCON_N], const int16_t g[FALCON_N]) { // Total SIMD registers: 29 = 28 + 1 int16x8x4_t a, b, c, d, e1, e2, t, k; // 28 int16x8_t neon_qmvm; // 1 - neon_qmvm = vld1q_s16(PQCLEAN_FALCON512PADDED_AARCH64_qmvq); + neon_qmvm = vld1q_s16(PQCLEAN_FALCONPADDED512_AARCH64_qmvq); for (int i = 0; i < FALCON_N; i += 64) { vload_s16_x4(a, &f[i]); diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/ntt_consts.c b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/ntt_consts.c similarity index 98% rename from Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/ntt_consts.c rename to Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/ntt_consts.c index 339bd03b..1f0076eb 100644 --- a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/ntt_consts.c +++ b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/ntt_consts.c @@ -3,13 +3,13 @@ #define PADDING 0 -const int16_t PQCLEAN_FALCON512PADDED_AARCH64_qmvq[8] = {FALCON_Q, FALCON_QINV, +const int16_t PQCLEAN_FALCONPADDED512_AARCH64_qmvq[8] = {FALCON_Q, FALCON_QINV, FALCON_MONT, FALCON_NINV_MONT, FALCON_V, 0, FALCON_MONT_BR, FALCON_NINV_MONT_BR }; -const int16_t PQCLEAN_FALCON512PADDED_AARCH64_ntt_br[] = { +const int16_t PQCLEAN_FALCONPADDED512_AARCH64_ntt_br[] = { PADDING, -1479, -5146, 4043, PADDING, PADDING, PADDING, PADDING, -1305, 3542, -3504, -4821, 2639, -2625, -949, 2319, -1170, -955, -790, -3201, 3014, 5086, -1326, PADDING, 
@@ -101,7 +101,7 @@ const int16_t PQCLEAN_FALCON512PADDED_AARCH64_ntt_br[] = { 5446, 6093, -3988, -382, -3998, 1922, -5435, -1254, }; // 512->712 -const int16_t PQCLEAN_FALCON512PADDED_AARCH64_ntt_qinv_br[] = { +const int16_t PQCLEAN_FALCONPADDED512_AARCH64_ntt_qinv_br[] = { PADDING, -3943, -13721, 10780, PADDING, PADDING, PADDING, PADDING, -3479, 9444, -9343, -12854, 7036, -6999, -2530, 6183, -3119, -2546, -2106, -8535, 8036, 13561, -3535, PADDING, @@ -192,7 +192,7 @@ const int16_t PQCLEAN_FALCON512PADDED_AARCH64_ntt_qinv_br[] = { 9505, 5298, 13881, -149, -15630, -9713, -16364, -4607, 14521, 16246, -10633, -1018, -10660, 5124, -14492, -3343, }; // 712 -const int16_t PQCLEAN_FALCON512PADDED_AARCH64_invntt_br[] = { +const int16_t PQCLEAN_FALCONPADDED512_AARCH64_invntt_br[] = { 1254, 5435, -1922, 3998, 382, 3988, -6093, -5446, 1728, 6137, 3643, 5862, 56, -5206, -1987, -3565, 1018, 1041, 5574, 2344, -5315, -4916, 522, 3262, @@ -284,7 +284,7 @@ const int16_t PQCLEAN_FALCON512PADDED_AARCH64_invntt_br[] = { -4043, 5146, 1371, 12265, 1479, PADDING, PADDING, PADDING, }; // 712 -const int16_t PQCLEAN_FALCON512PADDED_AARCH64_invntt_qinv_br[] = { +const int16_t PQCLEAN_FALCONPADDED512_AARCH64_invntt_qinv_br[] = { 3343, 14492, -5124, 10660, 1018, 10633, -16246, -14521, 4607, 16364, 9713, 15630, 149, -13881, -5298, -9505, 2714, 2775, 14862, 6250, -14172, -13108, 1391, 8697, diff --git a/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/ntt_consts.h b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/ntt_consts.h new file mode 100644 index 00000000..ded71964 --- /dev/null +++ b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/ntt_consts.h 
@@ -0,0 +1,23 @@
+#ifndef NTT_CONSTS
+#define NTT_CONSTS
+
+#include
+
+extern const int16_t PQCLEAN_FALCONPADDED512_AARCH64_qmvq[8];
+
+/*
+ * Table for NTT, binary case:
+ * where g = 7 (it is a 2048-th primitive root of 1 modulo q)
+ */
+extern const int16_t PQCLEAN_FALCONPADDED512_AARCH64_ntt_br[];
+extern const int16_t PQCLEAN_FALCONPADDED512_AARCH64_ntt_qinv_br[];
+
+/*
+ * Table for inverse NTT
+ * Since g = 7, 1/g = 8778 mod 12289.
+ */
+
+extern const int16_t PQCLEAN_FALCONPADDED512_AARCH64_invntt_br[];
+extern const int16_t PQCLEAN_FALCONPADDED512_AARCH64_invntt_qinv_br[];
+
+#endif
diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/params.h b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/params.h
similarity index 100%
rename from Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/params.h
rename to Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/params.h
diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/poly.h b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/poly.h
similarity index 51%
rename from Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/poly.h
rename to Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/poly.h
index 0b67f93d..73836b3f 100644
--- a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/poly.h
+++ b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/poly.h
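Review bot: The fourth line of the new ntt_consts.h reads as a bare `#include` in this view, so the header that supplies `int16_t` is either lost in rendering or genuinely missing from the committed file; please confirm the file carries `#include <stdint.h>`, since every `extern` declaration below it depends on that type. The include guard `NTT_CONSTS` is also unqualified while every symbol in the file is namespaced with `PQCLEAN_FALCONPADDED512_AARCH64_`; the other Falcon variants presumably ship an identically named ntt_consts.h, and if two of them were ever included into one translation unit the second would be silently dropped. A guard matching the symbol prefix, e.g. `#ifndef PQCLEAN_FALCONPADDED512_AARCH64_NTT_CONSTS_H`, would keep the header as self-contained as its declarations.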
@@ -15,28 +15,28 @@ typedef enum invntt_domain { INVNTT_NINV = 1, } invntt_domain_t; -void PQCLEAN_FALCON512PADDED_AARCH64_poly_ntt(int16_t a[FALCON_N], ntt_domain_t mont); +void PQCLEAN_FALCONPADDED512_AARCH64_poly_ntt(int16_t a[FALCON_N], ntt_domain_t mont); -void PQCLEAN_FALCON512PADDED_AARCH64_poly_invntt(int16_t a[FALCON_N], invntt_domain_t ninv); +void PQCLEAN_FALCONPADDED512_AARCH64_poly_invntt(int16_t a[FALCON_N], invntt_domain_t ninv); -void PQCLEAN_FALCON512PADDED_AARCH64_poly_int8_to_int16(int16_t out[FALCON_N], const int8_t in[FALCON_N]); +void PQCLEAN_FALCONPADDED512_AARCH64_poly_int8_to_int16(int16_t out[FALCON_N], const int8_t in[FALCON_N]); -void PQCLEAN_FALCON512PADDED_AARCH64_poly_div_12289(int16_t f[FALCON_N], const int16_t g[FALCON_N]); +void PQCLEAN_FALCONPADDED512_AARCH64_poly_div_12289(int16_t f[FALCON_N], const int16_t g[FALCON_N]); -void PQCLEAN_FALCON512PADDED_AARCH64_poly_convert_to_unsigned(int16_t f[FALCON_N]); +void PQCLEAN_FALCONPADDED512_AARCH64_poly_convert_to_unsigned(int16_t f[FALCON_N]); -uint16_t PQCLEAN_FALCON512PADDED_AARCH64_poly_compare_with_zero(int16_t f[FALCON_N]); +uint16_t PQCLEAN_FALCONPADDED512_AARCH64_poly_compare_with_zero(int16_t f[FALCON_N]); -void PQCLEAN_FALCON512PADDED_AARCH64_poly_montmul_ntt(int16_t f[FALCON_N], const int16_t g[FALCON_N]); +void PQCLEAN_FALCONPADDED512_AARCH64_poly_montmul_ntt(int16_t f[FALCON_N], const int16_t g[FALCON_N]); -void PQCLEAN_FALCON512PADDED_AARCH64_poly_sub_barrett(int16_t f[FALCON_N], const int16_t g[FALCON_N], const int16_t s[FALCON_N]); +void PQCLEAN_FALCONPADDED512_AARCH64_poly_sub_barrett(int16_t f[FALCON_N], const int16_t g[FALCON_N], const int16_t s[FALCON_N]); -int PQCLEAN_FALCON512PADDED_AARCH64_poly_int16_to_int8(int8_t G[FALCON_N], const int16_t t[FALCON_N]); +int PQCLEAN_FALCONPADDED512_AARCH64_poly_int16_to_int8(int8_t G[FALCON_N], const int16_t t[FALCON_N]); -int PQCLEAN_FALCON512PADDED_AARCH64_poly_check_bound_int8(const int8_t t[FALCON_N], +int 
PQCLEAN_FALCONPADDED512_AARCH64_poly_check_bound_int8(const int8_t t[FALCON_N], const int8_t low, const int8_t high); -int PQCLEAN_FALCON512PADDED_AARCH64_poly_check_bound_int16(const int16_t t[FALCON_N], +int PQCLEAN_FALCONPADDED512_AARCH64_poly_check_bound_int16(const int16_t t[FALCON_N], const int16_t low, const int16_t high); #endif diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/poly_float.c b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/poly_float.c similarity index 94% rename from Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/poly_float.c rename to Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/poly_float.c index 1cd42435..b3eb7598 100644 --- a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/poly_float.c +++ b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/poly_float.c @@ -24,7 +24,7 @@ #include "macrofx4.h" /* see inner.h */ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_add(fpr *c, const fpr *restrict a, +void PQCLEAN_FALCONPADDED512_AARCH64_poly_add(fpr *c, const fpr *restrict a, const fpr *restrict b, unsigned logn) { float64x2x4_t neon_a, neon_b, neon_c; float64x2x2_t neon_a2, neon_b2, neon_c2; @@ -68,7 +68,7 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_add(fpr *c, const fpr *restrict a, /* * c = a - b */ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_sub(fpr *c, const fpr *restrict a, +void PQCLEAN_FALCONPADDED512_AARCH64_poly_sub(fpr *c, const fpr *restrict a, const fpr *restrict b, unsigned logn) { float64x2x4_t neon_a, neon_b, neon_c; float64x2x2_t neon_a2, neon_b2, neon_c2; @@ -110,7 +110,7 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_sub(fpr *c, const fpr *restrict a, /* * c = -a */ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_neg(fpr *c, const fpr *restrict a, +void PQCLEAN_FALCONPADDED512_AARCH64_poly_neg(fpr *c, const fpr *restrict a, unsigned logn) { float64x2x4_t neon_a, neon_c; float64x2x2_t neon_a2, neon_c2; 
@@ -147,7 +147,7 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_neg(fpr *c, const fpr *restrict a, } /* see inner.h */ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_adj_fft(fpr *c, const fpr *restrict a, +void PQCLEAN_FALCONPADDED512_AARCH64_poly_adj_fft(fpr *c, const fpr *restrict a, unsigned logn) { float64x2x4_t neon_a, neon_c; @@ -188,7 +188,7 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_adj_fft(fpr *c, const fpr *restrict a, } } -static inline void PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_fft_log1( +static inline void PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_fft_log1( fpr *restrict c, const fpr *restrict a, const fpr *restrict b) { fpr a_re, a_im, b_re, b_im, c_re, c_im; @@ -204,7 +204,7 @@ static inline void PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_fft_log1( c[1] = c_im; } -static inline void PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_fft_log2( +static inline void PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_fft_log2( fpr *restrict c, const fpr *restrict a, const fpr *restrict b) { // n = 4 float64x2x2_t neon_a, neon_b, neon_c; @@ -228,7 +228,7 @@ static inline void PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_fft_log2( vstorex2(&c[0], neon_c); } -static inline void PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_fft_log3( +static inline void PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_fft_log3( fpr *restrict c, const fpr *restrict a, const fpr *restrict b) { // n = 8 float64x2x4_t neon_a, neon_b, neon_c; @@ -261,7 +261,7 @@ static inline void PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_fft_log3( /* * c = a * b */ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_fft(fpr *c, const fpr *a, +void PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_fft(fpr *c, const fpr *a, const fpr *restrict b, unsigned logn) { // Total 32 registers 
@@ -271,15 +271,15 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_fft(fpr *c, const fpr *a, const unsigned hn = falcon_n >> 1; switch (logn) { case 1: - PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_fft_log1(c, a, b); + PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_fft_log1(c, a, b); break; case 2: - PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_fft_log2(c, a, b); + PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_fft_log2(c, a, b); break; case 3: - PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_fft_log3(c, a, b); + PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_fft_log3(c, a, b); break; default: @@ -298,7 +298,7 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_fft(fpr *c, const fpr *a, } } -static inline void PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_fft_add_log1( +static inline void PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_fft_add_log1( fpr *restrict c, const fpr *restrict d, const fpr *restrict a, const fpr *restrict b) { fpr a_re, a_im, b_re, b_im, c_re, c_im, d_re, d_im; @@ -318,7 +318,7 @@ static inline void PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_fft_add_log1( } -static inline void PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_fft_add_log2( +static inline void PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_fft_add_log2( fpr *restrict c, const fpr *restrict d, const fpr *restrict a, const fpr *restrict b) { // n = 4 @@ -346,7 +346,7 @@ static inline void PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_fft_add_log2( vstorex2(&c[0], neon_d); } -static inline void PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_fft_add_log3( +static inline void PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_fft_add_log3( fpr *restrict c, const fpr *restrict d, const fpr *restrict a, const fpr *restrict b) { // n = 8 
@@ -386,7 +386,7 @@ static inline void PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_fft_add_log3( /* * c = d + a * b */ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_add_fft(fpr *c, const fpr *restrict d, +void PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_add_fft(fpr *c, const fpr *restrict d, const fpr *a, const fpr *restrict b, unsigned logn) { @@ -396,15 +396,15 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_add_fft(fpr *c, const fpr *restric const unsigned hn = falcon_n >> 1; switch (logn) { case 1: - PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_fft_add_log1(c, d, a, b); + PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_fft_add_log1(c, d, a, b); break; case 2: - PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_fft_add_log2(c, d, a, b); + PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_fft_add_log2(c, d, a, b); break; case 3: - PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_fft_add_log3(c, d, a, b); + PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_fft_add_log3(c, d, a, b); break; default: @@ -426,7 +426,7 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_add_fft(fpr *c, const fpr *restric } /* see inner.h */ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_muladj_fft(fpr *d, fpr *a, +void PQCLEAN_FALCONPADDED512_AARCH64_poly_muladj_fft(fpr *d, fpr *a, const fpr *restrict b, unsigned logn) { @@ -447,7 +447,7 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_muladj_fft(fpr *d, fpr *a, } // c = d + a*b -void PQCLEAN_FALCON512PADDED_AARCH64_poly_muladj_add_fft(fpr *c, fpr *d, const fpr *a, +void PQCLEAN_FALCONPADDED512_AARCH64_poly_muladj_add_fft(fpr *c, fpr *d, const fpr *a, const fpr *restrict b, unsigned logn) { @@ -473,7 +473,7 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_muladj_add_fft(fpr *c, fpr *d, const f /* * c = a * adj(a) */ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_mulselfadj_fft(fpr *c, +void PQCLEAN_FALCONPADDED512_AARCH64_poly_mulselfadj_fft(fpr *c, const fpr *restrict a, unsigned logn) { 
@@ -508,7 +508,7 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_mulselfadj_fft(fpr *c, /* * c = d + a * adj(a) */ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_mulselfadj_add_fft(fpr *c, +void PQCLEAN_FALCONPADDED512_AARCH64_poly_mulselfadj_add_fft(fpr *c, const fpr *restrict d, const fpr *restrict a, unsigned logn) { @@ -543,7 +543,7 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_mulselfadj_add_fft(fpr *c, /* * c = a * scalar_x */ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_mulconst(fpr *c, const fpr *a, const fpr x, +void PQCLEAN_FALCONPADDED512_AARCH64_poly_mulconst(fpr *c, const fpr *a, const fpr x, unsigned logn) { // assert(logn >= 3); // Total SIMD registers: 9 @@ -564,7 +564,7 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_mulconst(fpr *c, const fpr *a, const f * Unused in the implementation */ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_div_fft(fpr *restrict c, +void PQCLEAN_FALCONPADDED512_AARCH64_poly_div_fft(fpr *restrict c, const fpr *restrict a, const fpr *restrict b, unsigned logn) { @@ -598,7 +598,7 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_div_fft(fpr *restrict c, } /* see inner.h */ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_invnorm2_fft(fpr *restrict d, +void PQCLEAN_FALCONPADDED512_AARCH64_poly_invnorm2_fft(fpr *restrict d, const fpr *restrict a, const fpr *restrict b, unsigned logn) { @@ -697,7 +697,7 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_invnorm2_fft(fpr *restrict d, } /* see inner.h */ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_add_muladj_fft( +void PQCLEAN_FALCONPADDED512_AARCH64_poly_add_muladj_fft( fpr *restrict d, const fpr *restrict F, const fpr *restrict G, const fpr *restrict f, const fpr *restrict g, unsigned logn) { 
@@ -729,7 +729,7 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_add_muladj_fft( } /* see inner.h */ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_autoadj_fft(fpr *c, const fpr *a, +void PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_autoadj_fft(fpr *c, const fpr *a, const fpr *restrict b, unsigned logn) { const unsigned falcon_n = 1 << logn; @@ -781,7 +781,7 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_autoadj_fft(fpr *c, const fpr *a, } /* see inner.h */ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_div_autoadj_fft(fpr *c, const fpr *a, +void PQCLEAN_FALCONPADDED512_AARCH64_poly_div_autoadj_fft(fpr *c, const fpr *a, const fpr *restrict b, unsigned logn) { const unsigned falcon_n = 1 << logn; @@ -803,7 +803,7 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_div_autoadj_fft(fpr *c, const fpr *a, } } -static inline void PQCLEAN_FALCON512PADDED_AARCH64_poly_LDL_fft_log1( +static inline void PQCLEAN_FALCONPADDED512_AARCH64_poly_LDL_fft_log1( const fpr *restrict g00, fpr *restrict g01, fpr *restrict g11) { float64x2x4_t g00_re, g01_re, g11_re; float64x2x4_t mu_re, m; @@ -851,7 +851,7 @@ static inline void PQCLEAN_FALCON512PADDED_AARCH64_poly_LDL_fft_log1( vstore(&g01[0], mu_re.val[0]); } -static inline void PQCLEAN_FALCON512PADDED_AARCH64_poly_LDL_fft_log2( +static inline void PQCLEAN_FALCONPADDED512_AARCH64_poly_LDL_fft_log2( const fpr *restrict g00, fpr *restrict g01, fpr *restrict g11) { float64x2x4_t g00_re, g00_im, g01_re, g01_im, g11_re, g11_im; float64x2x4_t mu_re, mu_im, m, d_re, d_im; @@ -899,7 +899,7 @@ static inline void PQCLEAN_FALCON512PADDED_AARCH64_poly_LDL_fft_log2( vstorex2(&g01[0], tmp); } -static inline void PQCLEAN_FALCON512PADDED_AARCH64_poly_LDL_fft_log3( +static inline void PQCLEAN_FALCONPADDED512_AARCH64_poly_LDL_fft_log3( const fpr *restrict g00, fpr *restrict g01, fpr *restrict g11) { float64x2x4_t g00_re, g00_im, g01_re, g01_im, g11_re; float64x2x4_t mu_re, mu_im, m, d_re; 
@@ -960,7 +960,7 @@ static inline void PQCLEAN_FALCON512PADDED_AARCH64_poly_LDL_fft_log3( } /* see inner.h */ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_LDL_fft(const fpr *restrict g00, +void PQCLEAN_FALCONPADDED512_AARCH64_poly_LDL_fft(const fpr *restrict g00, fpr *restrict g01, fpr *restrict g11, unsigned logn) { const unsigned falcon_n = 1 << logn; @@ -970,17 +970,17 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_LDL_fft(const fpr *restrict g00, switch (logn) { case 1: - PQCLEAN_FALCON512PADDED_AARCH64_poly_LDL_fft_log1(g00, g01, g11); + PQCLEAN_FALCONPADDED512_AARCH64_poly_LDL_fft_log1(g00, g01, g11); break; case 2: - PQCLEAN_FALCON512PADDED_AARCH64_poly_LDL_fft_log2(g00, g01, g11); + PQCLEAN_FALCONPADDED512_AARCH64_poly_LDL_fft_log2(g00, g01, g11); break; case 3: - PQCLEAN_FALCON512PADDED_AARCH64_poly_LDL_fft_log3(g00, g01, g11); + PQCLEAN_FALCONPADDED512_AARCH64_poly_LDL_fft_log3(g00, g01, g11); break; @@ -1068,7 +1068,7 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_LDL_fft(const fpr *restrict g00, } } -static inline void PQCLEAN_FALCON512PADDED_AARCH64_poly_LDLmv_fft_log1( +static inline void PQCLEAN_FALCONPADDED512_AARCH64_poly_LDLmv_fft_log1( fpr *restrict d11, fpr *restrict l10, const fpr *restrict g00, const fpr *restrict g01, const fpr *restrict g11) { float64x2x4_t g00_re, g01_re, g11_re; @@ -1117,7 +1117,7 @@ static inline void PQCLEAN_FALCON512PADDED_AARCH64_poly_LDLmv_fft_log1( vstore(&l10[0], mu_re.val[0]); } -static inline void PQCLEAN_FALCON512PADDED_AARCH64_poly_LDLmv_fft_log2( +static inline void PQCLEAN_FALCONPADDED512_AARCH64_poly_LDLmv_fft_log2( fpr *restrict d11, fpr *restrict l10, const fpr *restrict g00, const fpr *restrict g01, const fpr *restrict g11) { float64x2x4_t g00_re, g00_im, g01_re, g01_im, g11_re, g11_im; 
@@ -1166,7 +1166,7 @@ static inline void PQCLEAN_FALCON512PADDED_AARCH64_poly_LDLmv_fft_log2( vstorex2(&l10[0], tmp); } -static inline void PQCLEAN_FALCON512PADDED_AARCH64_poly_LDLmv_fft_log3( +static inline void PQCLEAN_FALCONPADDED512_AARCH64_poly_LDLmv_fft_log3( fpr *restrict d11, fpr *restrict l10, const fpr *restrict g00, const fpr *restrict g01, const fpr *restrict g11) { float64x2x4_t g00_re, g00_im, g01_re, g01_im, g11_re; @@ -1227,7 +1227,7 @@ static inline void PQCLEAN_FALCON512PADDED_AARCH64_poly_LDLmv_fft_log3( vstorex4(&l10[0], mu_re); } -void PQCLEAN_FALCON512PADDED_AARCH64_poly_LDLmv_fft( +void PQCLEAN_FALCONPADDED512_AARCH64_poly_LDLmv_fft( fpr *restrict d11, fpr *restrict l10, const fpr *restrict g00, const fpr *restrict g01, const fpr *restrict g11, unsigned logn) { @@ -1238,15 +1238,15 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_LDLmv_fft( switch (logn) { case 1: - PQCLEAN_FALCON512PADDED_AARCH64_poly_LDLmv_fft_log1(d11, l10, g00, g01, g11); + PQCLEAN_FALCONPADDED512_AARCH64_poly_LDLmv_fft_log1(d11, l10, g00, g01, g11); break; case 2: - PQCLEAN_FALCON512PADDED_AARCH64_poly_LDLmv_fft_log2(d11, l10, g00, g01, g11); + PQCLEAN_FALCONPADDED512_AARCH64_poly_LDLmv_fft_log2(d11, l10, g00, g01, g11); break; case 3: - PQCLEAN_FALCON512PADDED_AARCH64_poly_LDLmv_fft_log3(d11, l10, g00, g01, g11); + PQCLEAN_FALCONPADDED512_AARCH64_poly_LDLmv_fft_log3(d11, l10, g00, g01, g11); break; default: @@ -1333,7 +1333,7 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_LDLmv_fft( } } -void PQCLEAN_FALCON512PADDED_AARCH64_poly_fpr_of_s16(fpr *t0, const uint16_t *hm, +void PQCLEAN_FALCONPADDED512_AARCH64_poly_fpr_of_s16(fpr *t0, const uint16_t *hm, const unsigned falcon_n) { float64x2x4_t neon_t0; uint16x8x4_t neon_hm; 
@@ -1403,7 +1403,7 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_fpr_of_s16(fpr *t0, const uint16_t *hm } } -fpr PQCLEAN_FALCON512PADDED_AARCH64_compute_bnorm(const fpr *rt1, const fpr *rt2) { +fpr PQCLEAN_FALCONPADDED512_AARCH64_compute_bnorm(const fpr *rt1, const fpr *rt2) { float64x2x4_t r1, r11, r2, r22; float64x2x4_t bnorm, bnorm2; diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/poly_int.c b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/poly_int.c similarity index 96% rename from Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/poly_int.c rename to Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/poly_int.c index ea6851f4..3e112068 100644 --- a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/poly_int.c +++ b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/poly_int.c @@ -25,7 +25,7 @@ #include "poly.h" #include "ntt_consts.h" -void PQCLEAN_FALCON512PADDED_AARCH64_poly_int8_to_int16(int16_t out[FALCON_N], const int8_t in[FALCON_N]) { +void PQCLEAN_FALCONPADDED512_AARCH64_poly_int8_to_int16(int16_t out[FALCON_N], const int8_t in[FALCON_N]) { // Total SIMD registers: 24 = 16 + 8 int16x8x4_t a, b, e, f; // 16 int8x16x4_t c, d; // 8 @@ -67,7 +67,7 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_int8_to_int16(int16_t out[FALCON_N], c * See assembly https://godbolt.org/z/od3Ex7Mbx */ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_div_12289(int16_t f[FALCON_N], const int16_t g[FALCON_N]) { +void PQCLEAN_FALCONPADDED512_AARCH64_poly_div_12289(int16_t f[FALCON_N], const int16_t g[FALCON_N]) { // Total SIMD registers: 24 = 4 + 19 + 1 int16x8x4_t src, dst, t, k; // 4 int16x8x4_t y0, y1, y2, y3, y4, y5, 
@@ -75,7 +75,7 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_div_12289(int16_t f[FALCON_N], const i y13, y14, y15, y16, y17, y18; // 19 int16x8_t neon_qmvm; // 1 - neon_qmvm = vld1q_s16(PQCLEAN_FALCON512PADDED_AARCH64_qmvq); + neon_qmvm = vld1q_s16(PQCLEAN_FALCONPADDED512_AARCH64_qmvq); for (int i = 0; i < FALCON_N; i += 32) { // Find y0 = g^12287 @@ -113,11 +113,11 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_div_12289(int16_t f[FALCON_N], const i /* * f = g - s */ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_sub_barrett(int16_t f[FALCON_N], const int16_t g[FALCON_N], const int16_t s[FALCON_N]) { +void PQCLEAN_FALCONPADDED512_AARCH64_poly_sub_barrett(int16_t f[FALCON_N], const int16_t g[FALCON_N], const int16_t s[FALCON_N]) { // Total SIMD registers: 29 = 28 + 1 int16x8x4_t a, b, c, d, e, h, t; // 28 int16x8_t neon_qmvm; // 1 - neon_qmvm = vld1q_s16(PQCLEAN_FALCON512PADDED_AARCH64_qmvq); + neon_qmvm = vld1q_s16(PQCLEAN_FALCONPADDED512_AARCH64_qmvq); for (int i = 0; i < FALCON_N; i += 64) { vload_s16_x4(a, &g[i]); @@ -150,7 +150,7 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_sub_barrett(int16_t f[FALCON_N], const * 1 if 0 in f[] * otherwise, 0 */ -uint16_t PQCLEAN_FALCON512PADDED_AARCH64_poly_compare_with_zero(int16_t f[FALCON_N]) { +uint16_t PQCLEAN_FALCONPADDED512_AARCH64_poly_compare_with_zero(int16_t f[FALCON_N]) { // Total SIMD registers: 22 = 12 + 8 + 2 int16x8x4_t a, b; // 8 uint16x8x4_t c, d, e1; // 12 @@ -197,7 +197,7 @@ uint16_t PQCLEAN_FALCON512PADDED_AARCH64_poly_compare_with_zero(int16_t f[FALCON * Branchless conditional addtion with FALCON_Q if coeffcient is < 0 * If coefficient is larger than Q, it is subtracted with Q */ -void PQCLEAN_FALCON512PADDED_AARCH64_poly_convert_to_unsigned(int16_t f[FALCON_N]) { +void PQCLEAN_FALCONPADDED512_AARCH64_poly_convert_to_unsigned(int16_t f[FALCON_N]) { // Total SIMD registers: 26 = 8 + 16 + 1 + 1 uint16x8x4_t b0, b1; // 8 int16x8x4_t a0, a1, c0, c1; // 16 
@@ -270,7 +270,7 @@ void PQCLEAN_FALCON512PADDED_AARCH64_poly_convert_to_unsigned(int16_t f[FALCON_N /* * Perform conditional subtraction with Q and compare with min, max = -127, 127 */ -int PQCLEAN_FALCON512PADDED_AARCH64_poly_int16_to_int8(int8_t G[FALCON_N], const int16_t t[FALCON_N]) { +int PQCLEAN_FALCONPADDED512_AARCH64_poly_int16_to_int8(int8_t G[FALCON_N], const int16_t t[FALCON_N]) { // Total SIMD registers: 32 int16x8x4_t a, f; // 8 int16x8x4_t d0, d1; // 8 @@ -404,7 +404,7 @@ int PQCLEAN_FALCON512PADDED_AARCH64_poly_int16_to_int8(int8_t G[FALCON_N], const * Return 1 if True * Otherwise 0 */ -int PQCLEAN_FALCON512PADDED_AARCH64_poly_check_bound_int8(const int8_t t[FALCON_N], +int PQCLEAN_FALCONPADDED512_AARCH64_poly_check_bound_int8(const int8_t t[FALCON_N], const int8_t low, const int8_t high) { // Total SIMD registers: 15 int8x16x4_t a; // 4 @@ -455,7 +455,7 @@ int PQCLEAN_FALCON512PADDED_AARCH64_poly_check_bound_int8(const int8_t t[FALCON_ * Otherwise 0 * Work for FALCON_N >= 32, or FALCON_LOGN >= 5 */ -int PQCLEAN_FALCON512PADDED_AARCH64_poly_check_bound_int16(const int16_t t[FALCON_N], +int PQCLEAN_FALCONPADDED512_AARCH64_poly_check_bound_int16(const int16_t t[FALCON_N], const int16_t low, const int16_t high) { // Total SIMD registers = 15 int16x8x4_t a; // 4 diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/pqclean.c b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/pqclean.c similarity index 71% rename from Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/pqclean.c rename to Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/pqclean.c index b9437d55..bd6f0494 100644 --- a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/pqclean.c +++ b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/pqclean.c 
@@ -29,16 +29,16 @@ * header byte: 0011nnnn * nonce (r) 40 bytes * value (s) compressed format - * padding to PQCLEAN_FALCON512PADDED_AARCH64_CRYPTO_BYTES bytes + * padding to PQCLEAN_FALCONPADDED512_AARCH64_CRYPTO_BYTES bytes * * message + signature: - * signature PQCLEAN_FALCON512PADDED_AARCH64_CRYPTO_BYTES bytes + * signature PQCLEAN_FALCONPADDED512_AARCH64_CRYPTO_BYTES bytes * message */ /* see api.h */ int -PQCLEAN_FALCON512PADDED_AARCH64_crypto_sign_keypair( +PQCLEAN_FALCONPADDED512_AARCH64_crypto_sign_keypair( uint8_t *pk, uint8_t *sk) { union { uint8_t b[28 * FALCON_N]; @@ -58,7 +58,7 @@ PQCLEAN_FALCON512PADDED_AARCH64_crypto_sign_keypair( inner_shake256_init(&rng); inner_shake256_inject(&rng, seed, sizeof seed); inner_shake256_flip(&rng); - PQCLEAN_FALCON512PADDED_AARCH64_keygen(&rng, f, g, F, NULL, h, FALCON_LOGN, tmp.b); + PQCLEAN_FALCONPADDED512_AARCH64_keygen(&rng, f, g, F, NULL, h, FALCON_LOGN, tmp.b); inner_shake256_ctx_release(&rng); /* 
@@ -66,28 +66,28 @@ PQCLEAN_FALCON512PADDED_AARCH64_crypto_sign_keypair( */ sk[0] = 0x50 + FALCON_LOGN; u = 1; - v = PQCLEAN_FALCON512PADDED_AARCH64_trim_i8_encode( - sk + u, PQCLEAN_FALCON512PADDED_AARCH64_CRYPTO_SECRETKEYBYTES - u, - f, PQCLEAN_FALCON512PADDED_AARCH64_max_fg_bits[FALCON_LOGN]); + v = PQCLEAN_FALCONPADDED512_AARCH64_trim_i8_encode( + sk + u, PQCLEAN_FALCONPADDED512_AARCH64_CRYPTO_SECRETKEYBYTES - u, + f, PQCLEAN_FALCONPADDED512_AARCH64_max_fg_bits[FALCON_LOGN]); if (v == 0) { return -1; } u += v; - v = PQCLEAN_FALCON512PADDED_AARCH64_trim_i8_encode( - sk + u, PQCLEAN_FALCON512PADDED_AARCH64_CRYPTO_SECRETKEYBYTES - u, - g, PQCLEAN_FALCON512PADDED_AARCH64_max_fg_bits[FALCON_LOGN]); + v = PQCLEAN_FALCONPADDED512_AARCH64_trim_i8_encode( + sk + u, PQCLEAN_FALCONPADDED512_AARCH64_CRYPTO_SECRETKEYBYTES - u, + g, PQCLEAN_FALCONPADDED512_AARCH64_max_fg_bits[FALCON_LOGN]); if (v == 0) { return -1; } u += v; - v = PQCLEAN_FALCON512PADDED_AARCH64_trim_i8_encode( - sk + u, PQCLEAN_FALCON512PADDED_AARCH64_CRYPTO_SECRETKEYBYTES - u, - F, PQCLEAN_FALCON512PADDED_AARCH64_max_FG_bits[FALCON_LOGN]); + v = PQCLEAN_FALCONPADDED512_AARCH64_trim_i8_encode( + sk + u, PQCLEAN_FALCONPADDED512_AARCH64_CRYPTO_SECRETKEYBYTES - u, + F, PQCLEAN_FALCONPADDED512_AARCH64_max_FG_bits[FALCON_LOGN]); if (v == 0) { return -1; } u += v; - if (u != PQCLEAN_FALCON512PADDED_AARCH64_CRYPTO_SECRETKEYBYTES) { + if (u != PQCLEAN_FALCONPADDED512_AARCH64_CRYPTO_SECRETKEYBYTES) { return -1; } 
@@ -95,10 +95,10 @@ PQCLEAN_FALCON512PADDED_AARCH64_crypto_sign_keypair( * Encode public key. */ pk[0] = 0x00 + FALCON_LOGN; - v = PQCLEAN_FALCON512PADDED_AARCH64_modq_encode( - pk + 1, PQCLEAN_FALCON512PADDED_AARCH64_CRYPTO_PUBLICKEYBYTES - 1, + v = PQCLEAN_FALCONPADDED512_AARCH64_modq_encode( + pk + 1, PQCLEAN_FALCONPADDED512_AARCH64_CRYPTO_PUBLICKEYBYTES - 1, h, FALCON_LOGN); - if (v != PQCLEAN_FALCON512PADDED_AARCH64_CRYPTO_PUBLICKEYBYTES - 1) { + if (v != PQCLEAN_FALCONPADDED512_AARCH64_CRYPTO_PUBLICKEYBYTES - 1) { return -1; } 
@@ -142,31 +142,31 @@ do_sign(uint8_t *nonce, uint8_t *sigbuf, size_t sigbuflen, return -1; } u = 1; - v = PQCLEAN_FALCON512PADDED_AARCH64_trim_i8_decode( - f, PQCLEAN_FALCON512PADDED_AARCH64_max_fg_bits[FALCON_LOGN], - sk + u, PQCLEAN_FALCON512PADDED_AARCH64_CRYPTO_SECRETKEYBYTES - u); + v = PQCLEAN_FALCONPADDED512_AARCH64_trim_i8_decode( + f, PQCLEAN_FALCONPADDED512_AARCH64_max_fg_bits[FALCON_LOGN], + sk + u, PQCLEAN_FALCONPADDED512_AARCH64_CRYPTO_SECRETKEYBYTES - u); if (v == 0) { return -1; } u += v; - v = PQCLEAN_FALCON512PADDED_AARCH64_trim_i8_decode( - g, PQCLEAN_FALCON512PADDED_AARCH64_max_fg_bits[FALCON_LOGN], - sk + u, PQCLEAN_FALCON512PADDED_AARCH64_CRYPTO_SECRETKEYBYTES - u); + v = PQCLEAN_FALCONPADDED512_AARCH64_trim_i8_decode( + g, PQCLEAN_FALCONPADDED512_AARCH64_max_fg_bits[FALCON_LOGN], + sk + u, PQCLEAN_FALCONPADDED512_AARCH64_CRYPTO_SECRETKEYBYTES - u); if (v == 0) { return -1; } u += v; - v = PQCLEAN_FALCON512PADDED_AARCH64_trim_i8_decode( - F, PQCLEAN_FALCON512PADDED_AARCH64_max_FG_bits[FALCON_LOGN], - sk + u, PQCLEAN_FALCON512PADDED_AARCH64_CRYPTO_SECRETKEYBYTES - u); + v = PQCLEAN_FALCONPADDED512_AARCH64_trim_i8_decode( + F, PQCLEAN_FALCONPADDED512_AARCH64_max_FG_bits[FALCON_LOGN], + sk + u, PQCLEAN_FALCONPADDED512_AARCH64_CRYPTO_SECRETKEYBYTES - u); if (v == 0) { return -1; } u += v; - if (u != PQCLEAN_FALCON512PADDED_AARCH64_CRYPTO_SECRETKEYBYTES) { + if (u != PQCLEAN_FALCONPADDED512_AARCH64_CRYPTO_SECRETKEYBYTES) { return -1; } - if (!PQCLEAN_FALCON512PADDED_AARCH64_complete_private(G, f, g, F, tmp.b)) { + if (!PQCLEAN_FALCONPADDED512_AARCH64_complete_private(G, f, g, F, tmp.b)) { return -1; } 
@@ -182,7 +182,7 @@ do_sign(uint8_t *nonce, uint8_t *sigbuf, size_t sigbuflen, inner_shake256_inject(&sc, nonce, NONCELEN); inner_shake256_inject(&sc, m, mlen); inner_shake256_flip(&sc); - PQCLEAN_FALCON512PADDED_AARCH64_hash_to_point_ct(&sc, r.hm, FALCON_LOGN, tmp.b); + PQCLEAN_FALCONPADDED512_AARCH64_hash_to_point_ct(&sc, r.hm, FALCON_LOGN, tmp.b); inner_shake256_ctx_release(&sc); /* @@ -198,8 +198,8 @@ do_sign(uint8_t *nonce, uint8_t *sigbuf, size_t sigbuflen, * value is found that fits in the provided buffer. */ for (;;) { - PQCLEAN_FALCON512PADDED_AARCH64_sign_dyn(r.sig, &sc, f, g, F, G, r.hm, tmp.b); - v = PQCLEAN_FALCON512PADDED_AARCH64_comp_encode(sigbuf, sigbuflen, r.sig); + PQCLEAN_FALCONPADDED512_AARCH64_sign_dyn(r.sig, &sc, f, g, F, G, r.hm, tmp.b); + v = PQCLEAN_FALCONPADDED512_AARCH64_comp_encode(sigbuf, sigbuflen, r.sig); if (v != 0) { inner_shake256_ctx_release(&sc); memset(sigbuf + v, 0, sigbuflen - v); @@ -234,9 +234,9 @@ do_verify( if (pk[0] != 0x00 + FALCON_LOGN) { return -1; } - if (PQCLEAN_FALCON512PADDED_AARCH64_modq_decode( (uint16_t *) h, - pk + 1, PQCLEAN_FALCON512PADDED_AARCH64_CRYPTO_PUBLICKEYBYTES - 1, FALCON_LOGN) - != PQCLEAN_FALCON512PADDED_AARCH64_CRYPTO_PUBLICKEYBYTES - 1) { + if (PQCLEAN_FALCONPADDED512_AARCH64_modq_decode( (uint16_t *) h, + pk + 1, PQCLEAN_FALCONPADDED512_AARCH64_CRYPTO_PUBLICKEYBYTES - 1, FALCON_LOGN) + != PQCLEAN_FALCONPADDED512_AARCH64_CRYPTO_PUBLICKEYBYTES - 1) { return -1; } // We move the conversion to NTT domain of `h` inside verify_raw() @@ -248,12 +248,12 @@ do_verify( return -1; } - v = PQCLEAN_FALCON512PADDED_AARCH64_comp_decode(sig, sigbuf, sigbuflen); + v = PQCLEAN_FALCONPADDED512_AARCH64_comp_decode(sig, sigbuf, sigbuflen); if (v == 0) { return -1; } if (v != sigbuflen) { - if (sigbuflen == PQCLEAN_FALCON512PADDED_AARCH64_CRYPTO_BYTES - NONCELEN - 1) { + if (sigbuflen == PQCLEAN_FALCONPADDED512_AARCH64_CRYPTO_BYTES - NONCELEN - 1) { while (v < sigbuflen) { if (sigbuf[v++] != 0) { return -1; 
@@ -271,13 +271,13 @@ do_verify( inner_shake256_inject(&sc, nonce, NONCELEN); inner_shake256_inject(&sc, m, mlen); inner_shake256_flip(&sc); - PQCLEAN_FALCON512PADDED_AARCH64_hash_to_point_ct(&sc, (uint16_t *) hm, FALCON_LOGN, tmp.b); + PQCLEAN_FALCONPADDED512_AARCH64_hash_to_point_ct(&sc, (uint16_t *) hm, FALCON_LOGN, tmp.b); inner_shake256_ctx_release(&sc); /* * Verify signature. */ - if (!PQCLEAN_FALCON512PADDED_AARCH64_verify_raw(hm, sig, h, (int16_t *) tmp.b)) { + if (!PQCLEAN_FALCONPADDED512_AARCH64_verify_raw(hm, sig, h, (int16_t *) tmp.b)) { return -1; } return 0; @@ -285,12 +285,12 @@ do_verify( /* see api.h */ int -PQCLEAN_FALCON512PADDED_AARCH64_crypto_sign_signature( +PQCLEAN_FALCONPADDED512_AARCH64_crypto_sign_signature( uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk) { size_t vlen; - vlen = PQCLEAN_FALCON512PADDED_AARCH64_CRYPTO_BYTES - NONCELEN - 1; + vlen = PQCLEAN_FALCONPADDED512_AARCH64_CRYPTO_BYTES - NONCELEN - 1; if (do_sign(sig + 1, sig + 1 + NONCELEN, vlen, m, mlen, sk) < 0) { return -1; } @@ -301,7 +301,7 @@ PQCLEAN_FALCON512PADDED_AARCH64_crypto_sign_signature( /* see api.h */ int -PQCLEAN_FALCON512PADDED_AARCH64_crypto_sign_verify( +PQCLEAN_FALCONPADDED512_AARCH64_crypto_sign_verify( const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk) { if (siglen < 1 + NONCELEN) { @@ -316,7 +316,7 @@ PQCLEAN_FALCON512PADDED_AARCH64_crypto_sign_verify( /* see api.h */ int -PQCLEAN_FALCON512PADDED_AARCH64_crypto_sign( +PQCLEAN_FALCONPADDED512_AARCH64_crypto_sign( uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, const uint8_t *sk) { uint8_t *sigbuf; 
@@ -326,9 +326,9 @@ PQCLEAN_FALCON512PADDED_AARCH64_crypto_sign( * Move the message to its final location; this is a memmove() so * it handles overlaps properly. */ - memmove(sm + PQCLEAN_FALCON512PADDED_AARCH64_CRYPTO_BYTES, m, mlen); + memmove(sm + PQCLEAN_FALCONPADDED512_AARCH64_CRYPTO_BYTES, m, mlen); sigbuf = sm + 1 + NONCELEN; - sigbuflen = PQCLEAN_FALCON512PADDED_AARCH64_CRYPTO_BYTES - NONCELEN - 1; + sigbuflen = PQCLEAN_FALCONPADDED512_AARCH64_CRYPTO_BYTES - NONCELEN - 1; if (do_sign(sm + 1, sigbuf, sigbuflen, m, mlen, sk) < 0) { return -1; } @@ -340,17 +340,17 @@ PQCLEAN_FALCON512PADDED_AARCH64_crypto_sign( /* see api.h */ int -PQCLEAN_FALCON512PADDED_AARCH64_crypto_sign_open( +PQCLEAN_FALCONPADDED512_AARCH64_crypto_sign_open( uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, const uint8_t *pk) { const uint8_t *sigbuf; size_t pmlen, sigbuflen; - if (smlen < PQCLEAN_FALCON512PADDED_AARCH64_CRYPTO_BYTES) { + if (smlen < PQCLEAN_FALCONPADDED512_AARCH64_CRYPTO_BYTES) { return -1; } - sigbuflen = PQCLEAN_FALCON512PADDED_AARCH64_CRYPTO_BYTES - NONCELEN - 1; - pmlen = smlen - PQCLEAN_FALCON512PADDED_AARCH64_CRYPTO_BYTES; + sigbuflen = PQCLEAN_FALCONPADDED512_AARCH64_CRYPTO_BYTES - NONCELEN - 1; + pmlen = smlen - PQCLEAN_FALCONPADDED512_AARCH64_CRYPTO_BYTES; if (sm[0] != 0x30 + FALCON_LOGN) { return -1; } @@ -362,7 +362,7 @@ PQCLEAN_FALCON512PADDED_AARCH64_crypto_sign_open( * follows the signature value. */ if (do_verify(sm + 1, sigbuf, sigbuflen, - sm + PQCLEAN_FALCON512PADDED_AARCH64_CRYPTO_BYTES, pmlen, pk) < 0) { + sm + PQCLEAN_FALCONPADDED512_AARCH64_CRYPTO_BYTES, pmlen, pk) < 0) { return -1; } @@ -371,7 +371,7 @@ PQCLEAN_FALCON512PADDED_AARCH64_crypto_sign_open( * to its final destination. The memmove() properly handles * overlaps. */ - memmove(m, sm + PQCLEAN_FALCON512PADDED_AARCH64_CRYPTO_BYTES, pmlen); + memmove(m, sm + PQCLEAN_FALCONPADDED512_AARCH64_CRYPTO_BYTES, pmlen); *mlen = pmlen; return 0; } 
diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/rng.c b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/rng.c similarity index 94% rename from Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/rng.c rename to Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/rng.c index 34e73c67..cd5bd770 100644 --- a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/rng.c +++ b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/rng.c @@ -33,7 +33,7 @@ #include #include "inner.h" -int PQCLEAN_FALCON512PADDED_AARCH64_get_seed(void *seed, size_t len) { +int PQCLEAN_FALCONPADDED512_AARCH64_get_seed(void *seed, size_t len) { unsigned char tmp[48]; for (size_t i = 0; i < len; i++) { tmp[i] = (unsigned char) i; @@ -44,7 +44,7 @@ int PQCLEAN_FALCON512PADDED_AARCH64_get_seed(void *seed, size_t len) { /* see inner.h */ void -PQCLEAN_FALCON512PADDED_AARCH64_prng_init(prng *p, inner_shake256_context *src) { +PQCLEAN_FALCONPADDED512_AARCH64_prng_init(prng *p, inner_shake256_context *src) { /* * To ensure reproducibility for a given seed, we * must enforce little-endian interpretation of @@ -67,7 +67,7 @@ PQCLEAN_FALCON512PADDED_AARCH64_prng_init(prng *p, inner_shake256_context *src) tl = *(uint32_t *)(p->state.d + 48); th = *(uint32_t *)(p->state.d + 52); *(uint64_t *)(p->state.d + 48) = tl + (th << 32); - PQCLEAN_FALCON512PADDED_AARCH64_prng_refill(p); + PQCLEAN_FALCONPADDED512_AARCH64_prng_refill(p); } /* @@ -85,7 +85,7 @@ PQCLEAN_FALCON512PADDED_AARCH64_prng_init(prng *p, inner_shake256_context *src) * The block counter is XORed into the first 8 bytes of the IV. */ void -PQCLEAN_FALCON512PADDED_AARCH64_prng_refill(prng *p) { +PQCLEAN_FALCONPADDED512_AARCH64_prng_refill(prng *p) { static const uint32_t CW[] = { 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 
@@ -172,7 +172,7 @@ PQCLEAN_FALCON512PADDED_AARCH64_prng_refill(prng *p) { /* see inner.h */ void -PQCLEAN_FALCON512PADDED_AARCH64_prng_get_bytes(prng *p, void *dst, size_t len) { +PQCLEAN_FALCONPADDED512_AARCH64_prng_get_bytes(prng *p, void *dst, size_t len) { uint8_t *buf; buf = dst; @@ -188,7 +188,7 @@ PQCLEAN_FALCON512PADDED_AARCH64_prng_get_bytes(prng *p, void *dst, size_t len) { len -= clen; p->ptr += clen; if (p->ptr == sizeof p->buf.d) { - PQCLEAN_FALCON512PADDED_AARCH64_prng_refill(p); + PQCLEAN_FALCONPADDED512_AARCH64_prng_refill(p); } } } diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/sampler.c b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/sampler.c similarity index 98% rename from Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/sampler.c rename to Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/sampler.c index 2aa17f96..e77dc4b5 100644 --- a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/sampler.c +++ b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/sampler.c @@ -37,7 +37,7 @@ * on zero and standard deviation 1.8205, with a precision of 72 bits. */ int -PQCLEAN_FALCON512PADDED_AARCH64_gaussian0_sampler(prng *p) { +PQCLEAN_FALCONPADDED512_AARCH64_gaussian0_sampler(prng *p) { static const uint32_t dist[] = { 10745844u, 3068844u, 3741698u, @@ -208,7 +208,7 @@ BerExp(prng *p, fpr x, fpr ccs) { * 0.5 and 1); in Falcon, sigma should always be between 1.2 and 1.9. */ int -PQCLEAN_FALCON512PADDED_AARCH64_sampler(void *ctx, fpr mu, fpr isigma) { +PQCLEAN_FALCONPADDED512_AARCH64_sampler(void *ctx, fpr mu, fpr isigma) { sampler_context *spc; int s; fpr r, dss, ccs; 
@@ -250,7 +250,7 @@ PQCLEAN_FALCON512PADDED_AARCH64_sampler(void *ctx, fpr mu, fpr isigma) { * - b = 0: z <= 0 and sampled against a Gaussian * centered on 0. */ - z0 = PQCLEAN_FALCON512PADDED_AARCH64_gaussian0_sampler(&spc->p); + z0 = PQCLEAN_FALCONPADDED512_AARCH64_gaussian0_sampler(&spc->p); b = (int)prng_get_u8(&spc->p) & 1; z = b + ((b << 1) - 1) * z0; diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/sign.c b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/sign.c similarity index 80% rename from Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/sign.c rename to Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/sign.c index ea0d3cf1..550a6e43 100644 --- a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/sign.c +++ b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/sign.c @@ -91,7 +91,7 @@ ffLDL_fft_inner(fpr *restrict tree, * and the diagonal of D. Since d00 = g0, we just write d11 * into tmp. */ - PQCLEAN_FALCON512PADDED_AARCH64_poly_LDLmv_fft(tmp, tree, g0, g1, g0, logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_LDLmv_fft(tmp, tree, g0, g1, g0, logn); /* * Split d00 (currently in g0) and d11 (currently in tmp). We @@ -99,8 +99,8 @@ ffLDL_fft_inner(fpr *restrict tree, * d00 splits into g1, g1+hn * d11 splits into g0, g0+hn */ - PQCLEAN_FALCON512PADDED_AARCH64_poly_split_fft(g1, g1 + hn, g0, logn); - PQCLEAN_FALCON512PADDED_AARCH64_poly_split_fft(g0, g0 + hn, tmp, logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_split_fft(g1, g1 + hn, g0, logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_split_fft(g0, g0 + hn, tmp, logn); /* * Each split result is the first row of a new auto-adjoint 
@@ -141,9 +141,9 @@ ffLDL_fft(fpr *restrict tree, const fpr *restrict g00, tmp += n << 1; memcpy(d00, g00, n * sizeof * g00); - PQCLEAN_FALCON512PADDED_AARCH64_poly_LDLmv_fft(d11, tree, g00, g01, g11, logn); - PQCLEAN_FALCON512PADDED_AARCH64_poly_split_fft(tmp, tmp + hn, d00, logn); - PQCLEAN_FALCON512PADDED_AARCH64_poly_split_fft(d00, d00 + hn, d11, logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_LDLmv_fft(d11, tree, g00, g01, g11, logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_split_fft(tmp, tmp + hn, d00, logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_split_fft(d00, d00 + hn, d11, logn); memcpy(d11, tmp, n * sizeof * tmp); ffLDL_fft_inner(tree + n, d11, d11 + hn, logn - 1, tmp); @@ -213,7 +213,7 @@ skoff_tree(unsigned logn) { /* see inner.h */ void -PQCLEAN_FALCON512PADDED_AARCH64_expand_privkey(fpr *restrict expanded_key, +PQCLEAN_FALCONPADDED512_AARCH64_expand_privkey(fpr *restrict expanded_key, const int8_t *f, const int8_t *g, const int8_t *F, const int8_t *G, uint8_t *restrict tmp) { 
@@ -237,19 +237,19 @@ PQCLEAN_FALCON512PADDED_AARCH64_expand_privkey(fpr *restrict expanded_key, rG = b10; rF = b11; - PQCLEAN_FALCON512PADDED_AARCH64_smallints_to_fpr(rg, g, FALCON_LOGN); - PQCLEAN_FALCON512PADDED_AARCH64_FFT(rg, FALCON_LOGN); + PQCLEAN_FALCONPADDED512_AARCH64_smallints_to_fpr(rg, g, FALCON_LOGN); + PQCLEAN_FALCONPADDED512_AARCH64_FFT(rg, FALCON_LOGN); - PQCLEAN_FALCON512PADDED_AARCH64_smallints_to_fpr(rf, f, FALCON_LOGN); - PQCLEAN_FALCON512PADDED_AARCH64_FFT(rf, FALCON_LOGN); - PQCLEAN_FALCON512PADDED_AARCH64_poly_neg(rf, rf, FALCON_LOGN); + PQCLEAN_FALCONPADDED512_AARCH64_smallints_to_fpr(rf, f, FALCON_LOGN); + PQCLEAN_FALCONPADDED512_AARCH64_FFT(rf, FALCON_LOGN); + PQCLEAN_FALCONPADDED512_AARCH64_poly_neg(rf, rf, FALCON_LOGN); - PQCLEAN_FALCON512PADDED_AARCH64_smallints_to_fpr(rG, G, FALCON_LOGN); - PQCLEAN_FALCON512PADDED_AARCH64_FFT(rG, FALCON_LOGN); + PQCLEAN_FALCONPADDED512_AARCH64_smallints_to_fpr(rG, G, FALCON_LOGN); + PQCLEAN_FALCONPADDED512_AARCH64_FFT(rG, FALCON_LOGN); - PQCLEAN_FALCON512PADDED_AARCH64_smallints_to_fpr(rF, F, FALCON_LOGN); - PQCLEAN_FALCON512PADDED_AARCH64_FFT(rF, FALCON_LOGN); - PQCLEAN_FALCON512PADDED_AARCH64_poly_neg(rF, rF, FALCON_LOGN); + PQCLEAN_FALCONPADDED512_AARCH64_smallints_to_fpr(rF, F, FALCON_LOGN); + PQCLEAN_FALCONPADDED512_AARCH64_FFT(rF, FALCON_LOGN); + PQCLEAN_FALCONPADDED512_AARCH64_poly_neg(rF, rF, FALCON_LOGN); /* * Compute the FFT for the key elements, and negate f and F. 
@@ -270,14 +270,14 @@ PQCLEAN_FALCON512PADDED_AARCH64_expand_privkey(fpr *restrict expanded_key, g11 = g01 + FALCON_N; gxx = g11 + FALCON_N; - PQCLEAN_FALCON512PADDED_AARCH64_poly_mulselfadj_fft(g00, b00, FALCON_LOGN); - PQCLEAN_FALCON512PADDED_AARCH64_poly_mulselfadj_add_fft(g00, g00, b01, FALCON_LOGN); + PQCLEAN_FALCONPADDED512_AARCH64_poly_mulselfadj_fft(g00, b00, FALCON_LOGN); + PQCLEAN_FALCONPADDED512_AARCH64_poly_mulselfadj_add_fft(g00, g00, b01, FALCON_LOGN); - PQCLEAN_FALCON512PADDED_AARCH64_poly_muladj_fft(g01, b00, b10, FALCON_LOGN); - PQCLEAN_FALCON512PADDED_AARCH64_poly_muladj_add_fft(g01, g01, b01, b11, FALCON_LOGN); + PQCLEAN_FALCONPADDED512_AARCH64_poly_muladj_fft(g01, b00, b10, FALCON_LOGN); + PQCLEAN_FALCONPADDED512_AARCH64_poly_muladj_add_fft(g01, g01, b01, b11, FALCON_LOGN); - PQCLEAN_FALCON512PADDED_AARCH64_poly_mulselfadj_fft(g11, b10, FALCON_LOGN); - PQCLEAN_FALCON512PADDED_AARCH64_poly_mulselfadj_add_fft(g11, g11, b11, FALCON_LOGN); + PQCLEAN_FALCONPADDED512_AARCH64_poly_mulselfadj_fft(g11, b10, FALCON_LOGN); + PQCLEAN_FALCONPADDED512_AARCH64_poly_mulselfadj_add_fft(g11, g11, b11, FALCON_LOGN); /* * Compute the Falcon tree. 
@@ -328,15 +328,15 @@ ffSampling_fft_dyntree(samplerZ samp, void *samp_ctx, * Decompose G into LDL. We only need d00 (identical to g00), * d11, and l10; we do that in place. */ - PQCLEAN_FALCON512PADDED_AARCH64_poly_LDL_fft(g00, g01, g11, logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_LDL_fft(g00, g01, g11, logn); /* * Split d00 and d11 and expand them into half-size quasi-cyclic * Gram matrices. We also save l10 in tmp[]. */ - PQCLEAN_FALCON512PADDED_AARCH64_poly_split_fft(tmp, tmp + hn, g00, logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_split_fft(tmp, tmp + hn, g00, logn); memcpy(g00, tmp, n * sizeof * tmp); - PQCLEAN_FALCON512PADDED_AARCH64_poly_split_fft(tmp, tmp + hn, g11, logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_split_fft(tmp, tmp + hn, g11, logn); memcpy(g11, tmp, n * sizeof * tmp); memcpy(tmp, g01, n * sizeof * g01); memcpy(g01, g00, hn * sizeof * g00); @@ -356,10 +356,10 @@ ffSampling_fft_dyntree(samplerZ samp, void *samp_ctx, * back into tmp + 2*n. */ z1 = tmp + n; - PQCLEAN_FALCON512PADDED_AARCH64_poly_split_fft(z1, z1 + hn, t1, logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_split_fft(z1, z1 + hn, t1, logn); ffSampling_fft_dyntree(samp, samp_ctx, z1, z1 + hn, g11, g11 + hn, g01 + hn, orig_logn, logn - 1, z1 + n); - PQCLEAN_FALCON512PADDED_AARCH64_poly_merge_fft(tmp + (n << 1), z1, z1 + hn, logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_merge_fft(tmp + (n << 1), z1, z1 + hn, logn); /* * Compute tb0 = t0 + (t1 - z1) * l10. 
@@ -368,19 +368,19 @@ ffSampling_fft_dyntree(samplerZ samp, void *samp_ctx, * * In the end, z1 is written over t1, and tb0 is in t0. */ - PQCLEAN_FALCON512PADDED_AARCH64_poly_sub(z1, t1, tmp + (n << 1), logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_sub(z1, t1, tmp + (n << 1), logn); memcpy(t1, tmp + (n << 1), n * sizeof * tmp); - PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_add_fft(t0, t0, tmp, z1, logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_add_fft(t0, t0, tmp, z1, logn); /* * Second recursive invocation, on the split tb0 (currently in t0) * and the left sub-tree. */ z0 = tmp; - PQCLEAN_FALCON512PADDED_AARCH64_poly_split_fft(z0, z0 + hn, t0, logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_split_fft(z0, z0 + hn, t0, logn); ffSampling_fft_dyntree(samp, samp_ctx, z0, z0 + hn, g00, g00 + hn, g01, orig_logn, logn - 1, z0 + n); - PQCLEAN_FALCON512PADDED_AARCH64_poly_merge_fft(t0, z0, z0 + hn, logn); + PQCLEAN_FALCONPADDED512_AARCH64_poly_merge_fft(t0, z0, z0 + hn, logn); } /* 
@@ -573,24 +573,24 @@ ffSampling_fft(samplerZ samp, void *samp_ctx,
 * the recursive invocation, with output in tmp. We finally
 * merge back into z1.
 */
- PQCLEAN_FALCON512PADDED_AARCH64_poly_split_fft(z1, z1 + hn, t1, logn);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_split_fft(z1, z1 + hn, t1, logn);
 ffSampling_fft(samp, samp_ctx, tmp, tmp + hn, tree1, z1, z1 + hn, logn - 1, tmp + n);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_merge_fft(z1, tmp, tmp + hn, logn);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_merge_fft(z1, tmp, tmp + hn, logn);
 /*
 * Compute tb0 = t0 + (t1 - z1) * L. Value tb0 ends up in tmp[].
 */
- PQCLEAN_FALCON512PADDED_AARCH64_poly_sub(tmp, t1, z1, logn);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_add_fft(tmp, t0, tmp, tree, logn);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_sub(tmp, t1, z1, logn);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_add_fft(tmp, t0, tmp, tree, logn);
 /*
 * Second recursive invocation.
 */
- PQCLEAN_FALCON512PADDED_AARCH64_poly_split_fft(z0, z0 + hn, tmp, logn);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_split_fft(z0, z0 + hn, tmp, logn);
 ffSampling_fft(samp, samp_ctx, tmp, tmp + hn, tree0, z0, z0 + hn, logn - 1, tmp + n);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_merge_fft(z0, tmp, tmp + hn, logn);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_merge_fft(z0, tmp, tmp + hn, logn);
 }
 /*
@@ -623,18 +623,18 @@ do_sign_tree(samplerZ samp, void *samp_ctx, int16_t *s2,
 /*
 * Set the target vector to [hm, 0] (hm is the hashed message).
 */
- PQCLEAN_FALCON512PADDED_AARCH64_poly_fpr_of_s16(t0, hm, FALCON_N);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_fpr_of_s16(t0, hm, FALCON_N);
 /*
 * Apply the lattice basis to obtain the real target
 * vector (after normalization with regards to modulus).
 */
- PQCLEAN_FALCON512PADDED_AARCH64_FFT(t0, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_FFT(t0, FALCON_LOGN);
 ni = fpr_inverse_of_q;
- PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_fft(t1, t0, b01, FALCON_LOGN);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_mulconst(t1, t1, fpr_neg(ni), FALCON_LOGN);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_fft(t0, t0, b11, FALCON_LOGN);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_mulconst(t0, t0, ni, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_fft(t1, t0, b01, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_mulconst(t1, t1, fpr_neg(ni), FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_fft(t0, t0, b11, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_mulconst(t0, t0, ni, FALCON_LOGN);
 tx = t1 + FALCON_N;
 ty = tx + FALCON_N;
@@ -647,13 +647,13 @@ do_sign_tree(samplerZ samp, void *samp_ctx, int16_t *s2,
 /*
 * Get the lattice point corresponding to that tiny vector.
 */
- PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_fft(t0, tx, b00, FALCON_LOGN);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_add_fft(t0, t0, ty, b10, FALCON_LOGN);
- PQCLEAN_FALCON512PADDED_AARCH64_iFFT(t0, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_fft(t0, tx, b00, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_add_fft(t0, t0, ty, b10, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_iFFT(t0, FALCON_LOGN);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_fft(t1, tx, b01, FALCON_LOGN);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_add_fft(t1, t1, ty, b11, FALCON_LOGN);
- PQCLEAN_FALCON512PADDED_AARCH64_iFFT(t1, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_fft(t1, tx, b01, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_add_fft(t1, t1, ty, b11, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_iFFT(t1, FALCON_LOGN);
 /*
 * Compute the signature.
@@ -672,7 +672,7 @@ do_sign_tree(samplerZ samp, void *samp_ctx, int16_t *s2,
 s1tmp = (int16_t *)tx;
 s2tmp = (int16_t *)tmp;
- if (PQCLEAN_FALCON512PADDED_AARCH64_is_short_tmp(s1tmp, s2tmp, (int16_t *) hm, t0, t1)) {
+ if (PQCLEAN_FALCONPADDED512_AARCH64_is_short_tmp(s1tmp, s2tmp, (int16_t *) hm, t0, t1)) {
 memcpy(s2, s2tmp, FALCON_N * sizeof * s2);
 memcpy(tmp, s1tmp, FALCON_N * sizeof * s1tmp);
 return 1;
@@ -709,19 +709,19 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2,
 t0 = b11 + FALCON_N;
 t1 = t0 + FALCON_N;
- PQCLEAN_FALCON512PADDED_AARCH64_smallints_to_fpr(b00, g, FALCON_LOGN);
- PQCLEAN_FALCON512PADDED_AARCH64_FFT(b00, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_smallints_to_fpr(b00, g, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_FFT(b00, FALCON_LOGN);
- PQCLEAN_FALCON512PADDED_AARCH64_smallints_to_fpr(b01, f, FALCON_LOGN);
- PQCLEAN_FALCON512PADDED_AARCH64_FFT(b01, FALCON_LOGN);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_neg(b01, b01, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_smallints_to_fpr(b01, f, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_FFT(b01, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_neg(b01, b01, FALCON_LOGN);
- PQCLEAN_FALCON512PADDED_AARCH64_smallints_to_fpr(b10, G, FALCON_LOGN);
- PQCLEAN_FALCON512PADDED_AARCH64_FFT(b10, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_smallints_to_fpr(b10, G, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_FFT(b10, FALCON_LOGN);
- PQCLEAN_FALCON512PADDED_AARCH64_smallints_to_fpr(b11, F, FALCON_LOGN);
- PQCLEAN_FALCON512PADDED_AARCH64_FFT(b11, FALCON_LOGN);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_neg(b11, b11, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_smallints_to_fpr(b11, F, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_FFT(b11, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_neg(b11, b11, FALCON_LOGN);
 /*
 * Compute the Gram matrix G = B·B*. Formulas are:
@@ -742,17 +742,17 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2,
 * g00 | g01 | g11 | b01 | t0 | t1
 */
- PQCLEAN_FALCON512PADDED_AARCH64_poly_muladj_fft(t1, b00, b10, FALCON_LOGN); // t1 <- b00*adj(b10)
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_muladj_fft(t1, b00, b10, FALCON_LOGN); // t1 <- b00*adj(b10)
- PQCLEAN_FALCON512PADDED_AARCH64_poly_mulselfadj_fft(t0, b01, FALCON_LOGN); // t0 <- b01*adj(b01)
- PQCLEAN_FALCON512PADDED_AARCH64_poly_mulselfadj_fft(b00, b00, FALCON_LOGN); // b00 <- b00*adj(b00)
- PQCLEAN_FALCON512PADDED_AARCH64_poly_add(b00, b00, t0, FALCON_LOGN); // b00 <- g00
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_mulselfadj_fft(t0, b01, FALCON_LOGN); // t0 <- b01*adj(b01)
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_mulselfadj_fft(b00, b00, FALCON_LOGN); // b00 <- b00*adj(b00)
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_add(b00, b00, t0, FALCON_LOGN); // b00 <- g00
 memcpy(t0, b01, FALCON_N * sizeof * b01);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_muladj_add_fft(b01, t1, b01, b11, FALCON_LOGN); // b01 <- b01*adj(b11)
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_muladj_add_fft(b01, t1, b01, b11, FALCON_LOGN); // b01 <- b01*adj(b11)
- PQCLEAN_FALCON512PADDED_AARCH64_poly_mulselfadj_fft(b10, b10, FALCON_LOGN); // b10 <- b10*adj(b10)
- PQCLEAN_FALCON512PADDED_AARCH64_poly_mulselfadj_add_fft(b10, b10, b11, FALCON_LOGN); // t1 = g11 <- b11*adj(b11)
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_mulselfadj_fft(b10, b10, FALCON_LOGN); // b10 <- b10*adj(b10)
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_mulselfadj_add_fft(b10, b10, b11, FALCON_LOGN); // t1 = g11 <- b11*adj(b11)
 /*
 * We rename variables to make things clearer. The three elements
@@ -774,18 +774,18 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2,
 /*
 * Set the target vector to [hm, 0] (hm is the hashed message).
 */
- PQCLEAN_FALCON512PADDED_AARCH64_poly_fpr_of_s16(t0, hm, FALCON_N);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_fpr_of_s16(t0, hm, FALCON_N);
 /*
 * Apply the lattice basis to obtain the real target
 * vector (after normalization with regards to modulus).
 */
- PQCLEAN_FALCON512PADDED_AARCH64_FFT(t0, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_FFT(t0, FALCON_LOGN);
 ni = fpr_inverse_of_q;
- PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_fft(t1, t0, b01, FALCON_LOGN);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_mulconst(t1, t1, fpr_neg(ni), FALCON_LOGN);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_fft(t0, t0, b11, FALCON_LOGN);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_mulconst(t0, t0, ni, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_fft(t1, t0, b01, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_mulconst(t1, t1, fpr_neg(ni), FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_fft(t0, t0, b11, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_mulconst(t0, t0, ni, FALCON_LOGN);
 /*
 * b01 and b11 can be discarded, so we move back (t0,t1).
@@ -818,19 +818,19 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2,
 t0 = b11 + FALCON_N;
 t1 = t0 + FALCON_N;
- PQCLEAN_FALCON512PADDED_AARCH64_smallints_to_fpr(b00, g, FALCON_LOGN);
- PQCLEAN_FALCON512PADDED_AARCH64_FFT(b00, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_smallints_to_fpr(b00, g, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_FFT(b00, FALCON_LOGN);
- PQCLEAN_FALCON512PADDED_AARCH64_smallints_to_fpr(b01, f, FALCON_LOGN);
- PQCLEAN_FALCON512PADDED_AARCH64_FFT(b01, FALCON_LOGN);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_neg(b01, b01, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_smallints_to_fpr(b01, f, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_FFT(b01, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_neg(b01, b01, FALCON_LOGN);
- PQCLEAN_FALCON512PADDED_AARCH64_smallints_to_fpr(b10, G, FALCON_LOGN);
- PQCLEAN_FALCON512PADDED_AARCH64_FFT(b10, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_smallints_to_fpr(b10, G, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_FFT(b10, FALCON_LOGN);
- PQCLEAN_FALCON512PADDED_AARCH64_smallints_to_fpr(b11, F, FALCON_LOGN);
- PQCLEAN_FALCON512PADDED_AARCH64_FFT(b11, FALCON_LOGN);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_neg(b11, b11, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_smallints_to_fpr(b11, F, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_FFT(b11, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_neg(b11, b11, FALCON_LOGN);
 tx = t1 + FALCON_N;
 ty = tx + FALCON_N;
@@ -839,13 +839,13 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2,
 * Get the lattice point corresponding to that tiny vector.
 */
- PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_fft(tx, t0, b00, FALCON_LOGN);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_fft(ty, t0, b01, FALCON_LOGN);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_add_fft(t0, tx, t1, b10, FALCON_LOGN);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_mul_add_fft(t1, ty, t1, b11, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_fft(tx, t0, b00, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_fft(ty, t0, b01, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_add_fft(t0, tx, t1, b10, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_mul_add_fft(t1, ty, t1, b11, FALCON_LOGN);
- PQCLEAN_FALCON512PADDED_AARCH64_iFFT(t0, FALCON_LOGN);
- PQCLEAN_FALCON512PADDED_AARCH64_iFFT(t1, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_iFFT(t0, FALCON_LOGN);
+ PQCLEAN_FALCONPADDED512_AARCH64_iFFT(t1, FALCON_LOGN);
 /*
 * With "normal" degrees (e.g. 512 or 1024), it is very
@@ -859,7 +859,7 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2,
 s1tmp = (int16_t *)tx;
 s2tmp = (int16_t *)tmp;
- if (PQCLEAN_FALCON512PADDED_AARCH64_is_short_tmp(s1tmp, s2tmp, (int16_t *) hm, t0, t1)) {
+ if (PQCLEAN_FALCONPADDED512_AARCH64_is_short_tmp(s1tmp, s2tmp, (int16_t *) hm, t0, t1)) {
 memcpy(s2, s2tmp, FALCON_N * sizeof * s2);
 memcpy(tmp, s1tmp, FALCON_N * sizeof * s1tmp);
 return 1;
@@ -869,7 +869,7 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2,
 /* see inner.h */
 void
-PQCLEAN_FALCON512PADDED_AARCH64_sign_tree(int16_t *sig, inner_shake256_context *rng,
+PQCLEAN_FALCONPADDED512_AARCH64_sign_tree(int16_t *sig, inner_shake256_context *rng,
 const fpr *restrict expanded_key, const uint16_t *hm, uint8_t *tmp) {
 fpr *ftmp;
@@ -895,8 +895,8 @@ PQCLEAN_FALCON512PADDED_AARCH64_sign_tree(int16_t *sig, inner_shake256_context *
 * SHAKE context ('rng').
 */
 spc.sigma_min = fpr_sigma_min_9;
- PQCLEAN_FALCON512PADDED_AARCH64_prng_init(&spc.p, rng);
- samp = PQCLEAN_FALCON512PADDED_AARCH64_sampler;
+ PQCLEAN_FALCONPADDED512_AARCH64_prng_init(&spc.p, rng);
+ samp = PQCLEAN_FALCONPADDED512_AARCH64_sampler;
 samp_ctx = &spc;
 /*
@@ -910,7 +910,7 @@ PQCLEAN_FALCON512PADDED_AARCH64_sign_tree(int16_t *sig, inner_shake256_context *
 /* see inner.h */
 void
-PQCLEAN_FALCON512PADDED_AARCH64_sign_dyn(int16_t *sig, inner_shake256_context *rng,
+PQCLEAN_FALCONPADDED512_AARCH64_sign_dyn(int16_t *sig, inner_shake256_context *rng,
 const int8_t *restrict f, const int8_t *restrict g, const int8_t *restrict F, const int8_t *restrict G, const uint16_t *hm, uint8_t *tmp) {
@@ -939,8 +939,8 @@ PQCLEAN_FALCON512PADDED_AARCH64_sign_dyn(int16_t *sig, inner_shake256_context *r
 */
 spc.sigma_min = fpr_sigma_min_9;
- PQCLEAN_FALCON512PADDED_AARCH64_prng_init(&spc.p, rng);
- samp = PQCLEAN_FALCON512PADDED_AARCH64_sampler;
+ PQCLEAN_FALCONPADDED512_AARCH64_prng_init(&spc.p, rng);
+ samp = PQCLEAN_FALCONPADDED512_AARCH64_sampler;
 samp_ctx = &spc;
 /*
diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/util.c b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/util.c
similarity index 97%
rename from Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/util.c
rename to Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/util.c
index 6d8ca159..5f63c48f 100644
--- a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/util.c
+++ b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/util.c
@@ -27,7 +27,7 @@
 * Convert an integer polynomial (with small values) into the
 * representation with complex numbers.
 */
-void PQCLEAN_FALCON512PADDED_AARCH64_smallints_to_fpr(fpr *r, const int8_t *t, const unsigned logn) {
+void PQCLEAN_FALCONPADDED512_AARCH64_smallints_to_fpr(fpr *r, const int8_t *t, const unsigned logn) {
 float64x2x4_t neon_flo64, neon_fhi64;
 int64x2x4_t neon_lo64, neon_hi64;
 int32x4_t neon_lo32[2], neon_hi32[2];
diff --git a/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/util.h b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/util.h
new file mode 100644
index 00000000..e3576bc5
--- /dev/null
+++ b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/util.h
@@ -0,0 +1,8 @@
+#ifndef UTIL_H
+#define UTIL_H
+
+#define poly_small_to_fp PQCLEAN_FALCONPADDED512_AARCH64_smallints_to_fpr
+
+void PQCLEAN_FALCONPADDED512_AARCH64_smallints_to_fpr(fpr *r, const int8_t *t, unsigned logn);
+
+#endif
diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/vrfy.c b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/vrfy.c
similarity index 52%
rename from Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/vrfy.c
rename to Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/vrfy.c
index 3fc0735a..c1345d95 100644
--- a/Modules/PQClean/crypto_sign/falcon-512-padded/aarch64/vrfy.c
+++ b/Modules/PQClean/crypto_sign/falcon-padded-512/aarch64/vrfy.c
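Review bot: The new util.h guards itself with the generic `UTIL_H` and introduces the un-namespaced macro `poly_small_to_fp`, while every other identifier in this patch (and the api.h guard `PQCLEAN_FALCONPADDED512_AVX2_API_H` later in the same series) carries the `PQCLEAN_FALCONPADDED512_<IMPL>_` prefix. Because this tree vendors several PQClean schemes side by side under Modules/, any other header that also uses `UTIL_H` — presumably the falcon-padded-1024 aarch64 twin of this file — would be silently skipped in a translation unit that includes both, leaving its prototype undeclared. The guard should be `#ifndef PQCLEAN_FALCONPADDED512_AARCH64_UTIL_H` / `#define PQCLEAN_FALCONPADDED512_AARCH64_UTIL_H`, and the macro name deserves the same prefix if its callers can be updated. The prototype also uses `fpr` and `int8_t` without including anything, so the header only compiles when included after the headers that define them; either add those includes or state the ordering requirement in a comment at the top of the file.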
@@ -23,16 +23,16 @@
 #include "poly.h"
 /* see inner.h */
-void PQCLEAN_FALCON512PADDED_AARCH64_to_ntt(int16_t *h) {
- PQCLEAN_FALCON512PADDED_AARCH64_poly_ntt(h, NTT_NONE);
+void PQCLEAN_FALCONPADDED512_AARCH64_to_ntt(int16_t *h) {
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_ntt(h, NTT_NONE);
 }
-void PQCLEAN_FALCON512PADDED_AARCH64_to_ntt_monty(int16_t *h) {
- PQCLEAN_FALCON512PADDED_AARCH64_poly_ntt(h, NTT_MONT);
+void PQCLEAN_FALCONPADDED512_AARCH64_to_ntt_monty(int16_t *h) {
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_ntt(h, NTT_MONT);
 }
 /* see inner.h */
-int PQCLEAN_FALCON512PADDED_AARCH64_verify_raw(const int16_t *c0, const int16_t *s2,
+int PQCLEAN_FALCONPADDED512_AARCH64_verify_raw(const int16_t *c0, const int16_t *s2,
 int16_t *h, int16_t *tmp) {
 int16_t *tt = tmp;
@@ -41,43 +41,43 @@ int PQCLEAN_FALCON512PADDED_AARCH64_verify_raw(const int16_t *c0, const int16_t
 */
 memcpy(tt, s2, sizeof(int16_t) * FALCON_N);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_ntt(h, NTT_NONE);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_ntt(tt, NTT_MONT_INV);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_montmul_ntt(tt, h);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_invntt(tt, INVNTT_NONE);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_sub_barrett(tt, c0, tt);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_ntt(h, NTT_NONE);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_ntt(tt, NTT_MONT_INV);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_montmul_ntt(tt, h);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_invntt(tt, INVNTT_NONE);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_sub_barrett(tt, c0, tt);
 /*
 * Signature is valid if and only if the aggregate (s1,s2) vector
 * is short enough.
 */
- return PQCLEAN_FALCON512PADDED_AARCH64_is_short(tt, s2);
+ return PQCLEAN_FALCONPADDED512_AARCH64_is_short(tt, s2);
 }
 /* see inner.h */
-int PQCLEAN_FALCON512PADDED_AARCH64_compute_public(int16_t *h, const int8_t *f, const int8_t *g, int16_t *tmp) {
+int PQCLEAN_FALCONPADDED512_AARCH64_compute_public(int16_t *h, const int8_t *f, const int8_t *g, int16_t *tmp) {
 int16_t *tt = tmp;
- PQCLEAN_FALCON512PADDED_AARCH64_poly_int8_to_int16(h, g);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_ntt(h, NTT_NONE);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_int8_to_int16(h, g);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_ntt(h, NTT_NONE);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_int8_to_int16(tt, f);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_ntt(tt, NTT_MONT);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_int8_to_int16(tt, f);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_ntt(tt, NTT_MONT);
- if (PQCLEAN_FALCON512PADDED_AARCH64_poly_compare_with_zero(tt)) {
+ if (PQCLEAN_FALCONPADDED512_AARCH64_poly_compare_with_zero(tt)) {
 return 0;
 }
- PQCLEAN_FALCON512PADDED_AARCH64_poly_div_12289(h, tt);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_div_12289(h, tt);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_invntt(h, INVNTT_NINV);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_invntt(h, INVNTT_NINV);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_convert_to_unsigned(h);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_convert_to_unsigned(h);
 return 1;
 }
 /* see inner.h */
-int PQCLEAN_FALCON512PADDED_AARCH64_complete_private(int8_t *G, const int8_t *f,
+int PQCLEAN_FALCONPADDED512_AARCH64_complete_private(int8_t *G, const int8_t *f,
 const int8_t *g, const int8_t *F, uint8_t *tmp) {
 int16_t *t1, *t2;
@@ -85,45 +85,45 @@ int PQCLEAN_FALCON512PADDED_AARCH64_complete_private(int8_t *G, const int8_t *f,
 t1 = (int16_t *)tmp;
 t2 = t1 + FALCON_N;
- PQCLEAN_FALCON512PADDED_AARCH64_poly_int8_to_int16(t1, g);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_ntt(t1, NTT_NONE);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_int8_to_int16(t1, g);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_ntt(t1, NTT_NONE);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_int8_to_int16(t2, F);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_ntt(t2, NTT_MONT);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_int8_to_int16(t2, F);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_ntt(t2, NTT_MONT);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_montmul_ntt(t1, t2);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_montmul_ntt(t1, t2);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_int8_to_int16(t2, f);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_ntt(t2, NTT_MONT);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_int8_to_int16(t2, f);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_ntt(t2, NTT_MONT);
- if (PQCLEAN_FALCON512PADDED_AARCH64_poly_compare_with_zero(t2)) {
+ if (PQCLEAN_FALCONPADDED512_AARCH64_poly_compare_with_zero(t2)) {
 return 0;
 }
- PQCLEAN_FALCON512PADDED_AARCH64_poly_div_12289(t1, t2);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_div_12289(t1, t2);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_invntt(t1, INVNTT_NINV);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_invntt(t1, INVNTT_NINV);
- if (PQCLEAN_FALCON512PADDED_AARCH64_poly_int16_to_int8(G, t1)) {
+ if (PQCLEAN_FALCONPADDED512_AARCH64_poly_int16_to_int8(G, t1)) {
 return 0;
 }
 return 1;
 }
 /* see inner.h */
-int PQCLEAN_FALCON512PADDED_AARCH64_is_invertible(const int16_t *s2, uint8_t *tmp) {
+int PQCLEAN_FALCONPADDED512_AARCH64_is_invertible(const int16_t *s2, uint8_t *tmp) {
 int16_t *tt = (int16_t *)tmp;
 uint16_t r;
 memcpy(tt, s2, sizeof(int16_t) * FALCON_N);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_ntt(tt, NTT_MONT);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_ntt(tt, NTT_MONT);
- r = PQCLEAN_FALCON512PADDED_AARCH64_poly_compare_with_zero(tt);
+ r = PQCLEAN_FALCONPADDED512_AARCH64_poly_compare_with_zero(tt);
 return (int)(1u - (r >> 15));
 }
 /* see inner.h */
-int PQCLEAN_FALCON512PADDED_AARCH64_verify_recover(int16_t *h, const int16_t *c0,
+int PQCLEAN_FALCONPADDED512_AARCH64_verify_recover(int16_t *h, const int16_t *c0,
 const int16_t *s1, const int16_t *s2, uint8_t *tmp) {
 int16_t *tt = (int16_t *)tmp;
@@ -137,19 +137,19 @@ int PQCLEAN_FALCON512PADDED_AARCH64_verify_recover(int16_t *h, const int16_t *c0
 * s2 are non-zero, then the high bit of r will be zero.
 */
- PQCLEAN_FALCON512PADDED_AARCH64_poly_sub_barrett(h, c0, s1);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_ntt(h, NTT_NONE);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_sub_barrett(h, c0, s1);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_ntt(h, NTT_NONE);
 /*
 * Reduce elements of s1 and s2 modulo q; then write s2 into tt[]
 * and c0 - s1 into h[].
 */
 memcpy(tt, s2, sizeof(int16_t) * FALCON_N);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_ntt(tt, NTT_MONT);
- r = PQCLEAN_FALCON512PADDED_AARCH64_poly_compare_with_zero(tt);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_div_12289(h, tt);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_ntt(tt, NTT_MONT);
+ r = PQCLEAN_FALCONPADDED512_AARCH64_poly_compare_with_zero(tt);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_div_12289(h, tt);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_invntt(h, INVNTT_NINV);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_invntt(h, INVNTT_NINV);
 /*
 * Signature is acceptable if and only if it is short enough,
@@ -157,18 +157,18 @@ int PQCLEAN_FALCON512PADDED_AARCH64_verify_recover(int16_t *h, const int16_t *c0
 * check that the rebuilt public key matches the expected
 * value (e.g. through a hash).
 */
- r = (uint16_t) (~r & (uint16_t) - PQCLEAN_FALCON512PADDED_AARCH64_is_short(s1, s2));
+ r = (uint16_t) (~r & (uint16_t) - PQCLEAN_FALCONPADDED512_AARCH64_is_short(s1, s2));
 return (int)(r >> 15);
 }
 /* see inner.h */
-int PQCLEAN_FALCON512PADDED_AARCH64_count_nttzero(const int16_t *sig, uint8_t *tmp) {
+int PQCLEAN_FALCONPADDED512_AARCH64_count_nttzero(const int16_t *sig, uint8_t *tmp) {
 int16_t *s2 = (int16_t *)tmp;
 memcpy(s2, sig, sizeof(int16_t) * FALCON_N);
- PQCLEAN_FALCON512PADDED_AARCH64_poly_ntt(s2, NTT_MONT);
+ PQCLEAN_FALCONPADDED512_AARCH64_poly_ntt(s2, NTT_MONT);
- int r = PQCLEAN_FALCON512PADDED_AARCH64_poly_compare_with_zero(s2);
+ int r = PQCLEAN_FALCONPADDED512_AARCH64_poly_compare_with_zero(s2);
 return r;
 }
diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/avx2/LICENSE b/Modules/PQClean/crypto_sign/falcon-padded-512/avx2/LICENSE
similarity index 100%
rename from Modules/PQClean/crypto_sign/falcon-512-padded/avx2/LICENSE
rename to Modules/PQClean/crypto_sign/falcon-padded-512/avx2/LICENSE
diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/avx2/Makefile b/Modules/PQClean/crypto_sign/falcon-padded-512/avx2/Makefile
similarity index 94%
rename from Modules/PQClean/crypto_sign/falcon-512-padded/avx2/Makefile
rename to Modules/PQClean/crypto_sign/falcon-padded-512/avx2/Makefile
index d7c43137..91068210 100644
--- a/Modules/PQClean/crypto_sign/falcon-512-padded/avx2/Makefile
+++ b/Modules/PQClean/crypto_sign/falcon-padded-512/avx2/Makefile
@@ -1,6 +1,6 @@
 # This Makefile can be used with GNU Make or BSD Make
-LIB=libfalcon-512-padded_avx2.a
+LIB=libfalcon-padded-512_avx2.a
 SOURCES = codec.c common.c fft.c fpr.c keygen.c pqclean.c rng.c sign.c vrfy.c
 OBJECTS = codec.o common.o fft.o fpr.o keygen.o pqclean.o rng.o sign.o vrfy.o
diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/avx2/Makefile.Microsoft_nmake b/Modules/PQClean/crypto_sign/falcon-padded-512/avx2/Makefile.Microsoft_nmake
similarity index 95%
rename from Modules/PQClean/crypto_sign/falcon-512-padded/avx2/Makefile.Microsoft_nmake
rename to Modules/PQClean/crypto_sign/falcon-padded-512/avx2/Makefile.Microsoft_nmake
index 400b487f..06e23d93 100644
--- a/Modules/PQClean/crypto_sign/falcon-512-padded/avx2/Makefile.Microsoft_nmake
+++ b/Modules/PQClean/crypto_sign/falcon-padded-512/avx2/Makefile.Microsoft_nmake
@@ -1,7 +1,7 @@
 # This Makefile can be used with Microsoft Visual Studio's nmake using the command:
 # nmake /f Makefile.Microsoft_nmake
-LIBRARY=libfalcon-512-padded_avx2.lib
+LIBRARY=libfalcon-padded-512_avx2.lib
 OBJECTS=codec.obj common.obj fft.obj fpr.obj keygen.obj pqclean.obj rng.obj sign.obj vrfy.obj
 # Warning C4146 is raised when a unary minus operator is applied to an
diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/avx2/api.h b/Modules/PQClean/crypto_sign/falcon-padded-512/avx2/api.h
similarity index 67%
rename from Modules/PQClean/crypto_sign/falcon-512-padded/avx2/api.h
rename to Modules/PQClean/crypto_sign/falcon-padded-512/avx2/api.h
index 635fde6f..c039206c 100644
--- a/Modules/PQClean/crypto_sign/falcon-512-padded/avx2/api.h
+++ b/Modules/PQClean/crypto_sign/falcon-padded-512/avx2/api.h
@@ -1,37 +1,37 @@
-#ifndef PQCLEAN_FALCON512PADDED_AVX2_API_H
-#define PQCLEAN_FALCON512PADDED_AVX2_API_H
+#ifndef PQCLEAN_FALCONPADDED512_AVX2_API_H
+#define PQCLEAN_FALCONPADDED512_AVX2_API_H
 #include
 #include
-#define PQCLEAN_FALCON512PADDED_AVX2_CRYPTO_SECRETKEYBYTES 1281
-#define PQCLEAN_FALCON512PADDED_AVX2_CRYPTO_PUBLICKEYBYTES 897
-#define PQCLEAN_FALCON512PADDED_AVX2_CRYPTO_BYTES 666
+#define PQCLEAN_FALCONPADDED512_AVX2_CRYPTO_SECRETKEYBYTES 1281
+#define PQCLEAN_FALCONPADDED512_AVX2_CRYPTO_PUBLICKEYBYTES 897
+#define PQCLEAN_FALCONPADDED512_AVX2_CRYPTO_BYTES 666
-#define PQCLEAN_FALCON512PADDED_AVX2_CRYPTO_ALGNAME "Falcon-512 (PADDED)"
+#define PQCLEAN_FALCONPADDED512_AVX2_CRYPTO_ALGNAME "Falcon-padded-512"
 /*
 * Generate a new key pair. Public key goes into pk[], private key in sk[].
 * Key sizes are exact (in bytes):
- * public (pk): PQCLEAN_FALCON512PADDED_AVX2_CRYPTO_PUBLICKEYBYTES
- * private (sk): PQCLEAN_FALCON512PADDED_AVX2_CRYPTO_SECRETKEYBYTES
+ * public (pk): PQCLEAN_FALCONPADDED512_AVX2_CRYPTO_PUBLICKEYBYTES
+ * private (sk): PQCLEAN_FALCONPADDED512_AVX2_CRYPTO_SECRETKEYBYTES
 *
 * Return value: 0 on success, -1 on error.
 */
-int PQCLEAN_FALCON512PADDED_AVX2_crypto_sign_keypair(
+int PQCLEAN_FALCONPADDED512_AVX2_crypto_sign_keypair(
 uint8_t *pk, uint8_t *sk);
 /*
 * Compute a signature on a provided message (m, mlen), with a given
 * private key (sk). Signature is written in sig[], with length written
 * into *siglen. Signature length is variable; maximum signature length
- * (in bytes) is PQCLEAN_FALCON512PADDED_AVX2_CRYPTO_BYTES.
+ * (in bytes) is PQCLEAN_FALCONPADDED512_AVX2_CRYPTO_BYTES.
 *
 * sig[], m[] and sk[] may overlap each other arbitrarily.
 *
 * Return value: 0 on success, -1 on error.
 */
-int PQCLEAN_FALCON512PADDED_AVX2_crypto_sign_signature(
+int PQCLEAN_FALCONPADDED512_AVX2_crypto_sign_signature(
 uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk);
@@ -43,7 +43,7 @@ int PQCLEAN_FALCON512PADDED_AVX2_crypto_sign_signature(
 *
 * Return value: 0 on success, -1 on error.
 */
-int PQCLEAN_FALCON512PADDED_AVX2_crypto_sign_verify(
+int PQCLEAN_FALCONPADDED512_AVX2_crypto_sign_verify(
 const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk);
@@ -51,14 +51,14 @@ int PQCLEAN_FALCON512PADDED_AVX2_crypto_sign_verify(
 * Compute a signature on a message and pack the signature and message
 * into a single object, written into sm[]. The length of that output is
 * written in *smlen; that length may be larger than the message length
- * (mlen) by up to PQCLEAN_FALCON512PADDED_AVX2_CRYPTO_BYTES.
+ * (mlen) by up to PQCLEAN_FALCONPADDED512_AVX2_CRYPTO_BYTES.
 *
 * sm[] and m[] may overlap each other arbitrarily; however, sm[] shall
 * not overlap with sk[].
 *
 * Return value: 0 on success, -1 on error.
 */
-int PQCLEAN_FALCON512PADDED_AVX2_crypto_sign(
+int PQCLEAN_FALCONPADDED512_AVX2_crypto_sign(
 uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, const uint8_t *sk);
@@ -67,13 +67,13 @@ int PQCLEAN_FALCON512PADDED_AVX2_crypto_sign(
 * on success, the message itself is written into m[] and its length
 * into *mlen. The message is shorter than the signed message object,
 * but the size difference depends on the signature value; the difference
- * may range up to PQCLEAN_FALCON512PADDED_AVX2_CRYPTO_BYTES.
+ * may range up to PQCLEAN_FALCONPADDED512_AVX2_CRYPTO_BYTES.
 *
 * m[], sm[] and pk[] may overlap each other arbitrarily.
 *
 * Return value: 0 on success, -1 on error.
 */
-int PQCLEAN_FALCON512PADDED_AVX2_crypto_sign_open(
+int PQCLEAN_FALCONPADDED512_AVX2_crypto_sign_open(
 uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, const uint8_t *pk);
diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/avx2/codec.c b/Modules/PQClean/crypto_sign/falcon-padded-512/avx2/codec.c
similarity index 96%
rename from Modules/PQClean/crypto_sign/falcon-512-padded/avx2/codec.c
rename to Modules/PQClean/crypto_sign/falcon-padded-512/avx2/codec.c
index 21184436..64f07533 100644
--- a/Modules/PQClean/crypto_sign/falcon-512-padded/avx2/codec.c
+++ b/Modules/PQClean/crypto_sign/falcon-padded-512/avx2/codec.c
@@ -33,7 +33,7 @@
 /* see inner.h */
 size_t
-PQCLEAN_FALCON512PADDED_AVX2_modq_encode(
+PQCLEAN_FALCONPADDED512_AVX2_modq_encode(
 void *out, size_t max_out_len, const uint16_t *x, unsigned logn) {
 size_t n, out_len, u;
@@ -73,7 +73,7 @@ PQCLEAN_FALCON512PADDED_AVX2_modq_encode(
 /* see inner.h */
 size_t
-PQCLEAN_FALCON512PADDED_AVX2_modq_decode(
+PQCLEAN_FALCONPADDED512_AVX2_modq_decode(
 uint16_t *x, unsigned logn, const void *in, size_t max_in_len) {
 size_t n, in_len, u;
@@ -112,7 +112,7 @@ PQCLEAN_FALCON512PADDED_AVX2_modq_decode(
 /* see inner.h */
 size_t
-PQCLEAN_FALCON512PADDED_AVX2_trim_i16_encode(
+PQCLEAN_FALCONPADDED512_AVX2_trim_i16_encode(
 void *out, size_t max_out_len, const int16_t *x, unsigned logn, unsigned bits) {
 size_t n, u, out_len;
@@ -156,7 +156,7 @@ PQCLEAN_FALCON512PADDED_AVX2_trim_i16_encode(
 /* see inner.h */
 size_t
-PQCLEAN_FALCON512PADDED_AVX2_trim_i16_decode(
+PQCLEAN_FALCONPADDED512_AVX2_trim_i16_decode(
 int16_t *x, unsigned logn, unsigned bits, const void *in, size_t max_in_len) {
 size_t n, in_len;
@@ -206,7 +206,7 @@ PQCLEAN_FALCON512PADDED_AVX2_trim_i16_decode(
 /* see inner.h */
 size_t
-PQCLEAN_FALCON512PADDED_AVX2_trim_i8_encode(
+PQCLEAN_FALCONPADDED512_AVX2_trim_i8_encode(
 void *out, size_t max_out_len, const int8_t *x, unsigned logn, unsigned bits) {
 size_t n, u, out_len;
@@ -250,7 +250,7 @@ PQCLEAN_FALCON512PADDED_AVX2_trim_i8_encode(
 /* see inner.h */
 size_t
-PQCLEAN_FALCON512PADDED_AVX2_trim_i8_decode(
+PQCLEAN_FALCONPADDED512_AVX2_trim_i8_decode(
 int8_t *x, unsigned logn, unsigned bits, const void *in, size_t max_in_len) {
 size_t n, in_len;
@@ -299,7 +299,7 @@ PQCLEAN_FALCON512PADDED_AVX2_trim_i8_decode(
 /* see inner.h */
 size_t
-PQCLEAN_FALCON512PADDED_AVX2_comp_encode(
+PQCLEAN_FALCONPADDED512_AVX2_comp_encode(
 void *out, size_t max_out_len, const int16_t *x, unsigned logn) {
 uint8_t *buf;
@@ -395,7 +395,7 @@ PQCLEAN_FALCON512PADDED_AVX2_comp_encode(
 /* see inner.h */
 size_t
-PQCLEAN_FALCON512PADDED_AVX2_comp_decode(
+PQCLEAN_FALCONPADDED512_AVX2_comp_decode(
 int16_t *x, unsigned logn, const void *in, size_t max_in_len) {
 const uint8_t *buf;
@@ -499,7 +499,7 @@ PQCLEAN_FALCON512PADDED_AVX2_comp_decode(
 * of max_fg_bits[] and max_FG_bits[] shall be greater than 8.
 */
-const uint8_t PQCLEAN_FALCON512PADDED_AVX2_max_fg_bits[] = {
+const uint8_t PQCLEAN_FALCONPADDED512_AVX2_max_fg_bits[] = {
 0, /* unused */
 8,
 8,
@@ -513,7 +513,7 @@ const uint8_t PQCLEAN_FALCON512PADDED_AVX2_max_fg_bits[] = {
 5
 };
-const uint8_t PQCLEAN_FALCON512PADDED_AVX2_max_FG_bits[] = {
+const uint8_t PQCLEAN_FALCONPADDED512_AVX2_max_FG_bits[] = {
 0, /* unused */
 8,
 8,
@@ -555,7 +555,7 @@ const uint8_t PQCLEAN_FALCON512PADDED_AVX2_max_FG_bits[] = {
 * in -2047..2047, i.e. 12 bits.
 */
-const uint8_t PQCLEAN_FALCON512PADDED_AVX2_max_sig_bits[] = {
+const uint8_t PQCLEAN_FALCONPADDED512_AVX2_max_sig_bits[] = {
 0, /* unused */
 10,
 11,
diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/avx2/common.c b/Modules/PQClean/crypto_sign/falcon-padded-512/avx2/common.c
similarity index 97%
rename from Modules/PQClean/crypto_sign/falcon-512-padded/avx2/common.c
rename to Modules/PQClean/crypto_sign/falcon-padded-512/avx2/common.c
index 6d1097f3..70ef4d04 100644
--- a/Modules/PQClean/crypto_sign/falcon-512-padded/avx2/common.c
+++ b/Modules/PQClean/crypto_sign/falcon-padded-512/avx2/common.c
@@ -33,7 +33,7 @@
 /* see inner.h */
 void
-PQCLEAN_FALCON512PADDED_AVX2_hash_to_point_vartime(
+PQCLEAN_FALCONPADDED512_AVX2_hash_to_point_vartime(
 inner_shake256_context *sc, uint16_t *x, unsigned logn) {
 /*
@@ -67,7 +67,7 @@ PQCLEAN_FALCON512PADDED_AVX2_hash_to_point_vartime(
 /* see inner.h */
 void
-PQCLEAN_FALCON512PADDED_AVX2_hash_to_point_ct(
+PQCLEAN_FALCONPADDED512_AVX2_hash_to_point_ct(
 inner_shake256_context *sc, uint16_t *x, unsigned logn, uint8_t *tmp) {
 /*
@@ -252,7 +252,7 @@ static const uint32_t l2bound[] = {
 /* see inner.h */
 int
-PQCLEAN_FALCON512PADDED_AVX2_is_short(
+PQCLEAN_FALCONPADDED512_AVX2_is_short(
 const int16_t *s1, const int16_t *s2, unsigned logn) {
 /*
 * We use the l2-norm. Code below uses only 32-bit operations to
@@ -282,7 +282,7 @@ PQCLEAN_FALCON512PADDED_AVX2_is_short(
 /* see inner.h */
 int
-PQCLEAN_FALCON512PADDED_AVX2_is_short_half(
+PQCLEAN_FALCONPADDED512_AVX2_is_short_half(
 uint32_t sqn, const int16_t *s2, unsigned logn) {
 size_t n, u;
 uint32_t ng;
diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/avx2/fft.c b/Modules/PQClean/crypto_sign/falcon-padded-512/avx2/fft.c
similarity index 97%
rename from Modules/PQClean/crypto_sign/falcon-512-padded/avx2/fft.c
rename to Modules/PQClean/crypto_sign/falcon-padded-512/avx2/fft.c
index 619ace36..8ba5b435 100644
--- a/Modules/PQClean/crypto_sign/falcon-512-padded/avx2/fft.c
+++ b/Modules/PQClean/crypto_sign/falcon-padded-512/avx2/fft.c
@@ -168,7 +168,7 @@
 /* see inner.h */
 void
-PQCLEAN_FALCON512PADDED_AVX2_FFT(fpr *f, unsigned logn) {
+PQCLEAN_FALCONPADDED512_AVX2_FFT(fpr *f, unsigned logn) {
 /*
 * FFT algorithm in bit-reversal order uses the following
 * iterative algorithm:
@@ -279,7 +279,7 @@ PQCLEAN_FALCON512PADDED_AVX2_FFT(fpr *f, unsigned logn) {
 /* see inner.h */
 void
-PQCLEAN_FALCON512PADDED_AVX2_iFFT(fpr *f, unsigned logn) {
+PQCLEAN_FALCONPADDED512_AVX2_iFFT(fpr *f, unsigned logn) {
 /*
 * Inverse FFT algorithm in bit-reversal order uses the following
 * iterative algorithm:
@@ -406,7 +406,7 @@ PQCLEAN_FALCON512PADDED_AVX2_iFFT(fpr *f, unsigned logn) {
 /* see inner.h */
 void
-PQCLEAN_FALCON512PADDED_AVX2_poly_add(
+PQCLEAN_FALCONPADDED512_AVX2_poly_add(
 fpr *a, const fpr *b, unsigned logn) {
 size_t n, u;
@@ -427,7 +427,7 @@ PQCLEAN_FALCON512PADDED_AVX2_poly_add(
 /* see inner.h */
 void
-PQCLEAN_FALCON512PADDED_AVX2_poly_sub(
+PQCLEAN_FALCONPADDED512_AVX2_poly_sub(
 fpr *a, const fpr *b, unsigned logn) {
 size_t n, u;
@@ -448,7 +448,7 @@ PQCLEAN_FALCON512PADDED_AVX2_poly_sub(
 /* see inner.h */
 void
-PQCLEAN_FALCON512PADDED_AVX2_poly_neg(fpr *a, unsigned logn) {
+PQCLEAN_FALCONPADDED512_AVX2_poly_neg(fpr *a, unsigned logn) {
 size_t n, u;
 n = (size_t)1 << logn;
@@ -469,7 +469,7 @@ PQCLEAN_FALCON512PADDED_AVX2_poly_neg(fpr *a, unsigned logn) {
 /* see inner.h */
 void
-PQCLEAN_FALCON512PADDED_AVX2_poly_adj_fft(fpr *a, unsigned logn) {
+PQCLEAN_FALCONPADDED512_AVX2_poly_adj_fft(fpr *a, unsigned logn) {
 size_t n, u;
 n = (size_t)1 << logn;
@@ -490,7 +490,7 @@ PQCLEAN_FALCON512PADDED_AVX2_poly_adj_fft(fpr *a, unsigned logn) {
 /* see inner.h */
 void
-PQCLEAN_FALCON512PADDED_AVX2_poly_mul_fft(
+PQCLEAN_FALCONPADDED512_AVX2_poly_mul_fft(
 fpr *a, const fpr *b, unsigned logn) {
 size_t n, hn, u;
@@ -526,7 +526,7 @@ PQCLEAN_FALCON512PADDED_AVX2_poly_mul_fft(
 /* see inner.h */
 void
-PQCLEAN_FALCON512PADDED_AVX2_poly_muladj_fft(
+PQCLEAN_FALCONPADDED512_AVX2_poly_muladj_fft(
 fpr *a, const fpr *b, unsigned logn) {
 size_t n, hn, u;
@@ -562,7 +562,7 @@ PQCLEAN_FALCON512PADDED_AVX2_poly_muladj_fft(
 /* see inner.h */
 void
-PQCLEAN_FALCON512PADDED_AVX2_poly_mulselfadj_fft(fpr *a, unsigned logn) {
+PQCLEAN_FALCONPADDED512_AVX2_poly_mulselfadj_fft(fpr *a, unsigned logn) {
 /*
 * Since each coefficient is multiplied with its own conjugate,
 * the result contains only real values.
@@ -599,7 +599,7 @@ PQCLEAN_FALCON512PADDED_AVX2_poly_mulselfadj_fft(fpr *a, unsigned logn) {
 /* see inner.h */
 void
-PQCLEAN_FALCON512PADDED_AVX2_poly_mulconst(fpr *a, fpr x, unsigned logn) {
+PQCLEAN_FALCONPADDED512_AVX2_poly_mulconst(fpr *a, fpr x, unsigned logn) {
 size_t n, u;
 n = (size_t)1 << logn;
@@ -620,7 +620,7 @@ PQCLEAN_FALCON512PADDED_AVX2_poly_mulconst(fpr *a, fpr x, unsigned logn) {
 /* see inner.h */
 void
-PQCLEAN_FALCON512PADDED_AVX2_poly_div_fft(
+PQCLEAN_FALCONPADDED512_AVX2_poly_div_fft(
 fpr *a, const fpr *b, unsigned logn) {
 size_t n, hn, u;
@@ -664,7 +664,7 @@ PQCLEAN_FALCON512PADDED_AVX2_poly_div_fft(
 /* see inner.h */
 void
-PQCLEAN_FALCON512PADDED_AVX2_poly_invnorm2_fft(fpr *d,
+PQCLEAN_FALCONPADDED512_AVX2_poly_invnorm2_fft(fpr *d,
 const fpr *a, const fpr *b, unsigned logn) {
 size_t n, hn, u;
@@ -707,7 +707,7 @@ PQCLEAN_FALCON512PADDED_AVX2_poly_invnorm2_fft(fpr *d,
 /* see inner.h */
 void
-PQCLEAN_FALCON512PADDED_AVX2_poly_add_muladj_fft(fpr *d,
+PQCLEAN_FALCONPADDED512_AVX2_poly_add_muladj_fft(fpr *d,
 const fpr *F, const fpr *G,
 const fpr *f, const fpr *g, unsigned logn) {
 size_t n, hn, u;
@@ -767,7 +767,7 @@ PQCLEAN_FALCON512PADDED_AVX2_poly_add_muladj_fft(fpr *d,
 /* see inner.h */
 void
-PQCLEAN_FALCON512PADDED_AVX2_poly_mul_autoadj_fft(
+PQCLEAN_FALCONPADDED512_AVX2_poly_mul_autoadj_fft(
 fpr *a, const fpr *b, unsigned logn) {
 size_t n, hn, u;
@@ -795,7 +795,7 @@ PQCLEAN_FALCON512PADDED_AVX2_poly_mul_autoadj_fft(
 /* see inner.h */
 void
-PQCLEAN_FALCON512PADDED_AVX2_poly_div_autoadj_fft(
+PQCLEAN_FALCONPADDED512_AVX2_poly_div_autoadj_fft(
 fpr *a, const fpr *b, unsigned logn) {
 size_t n, hn, u;
@@ -827,7 +827,7 @@ PQCLEAN_FALCON512PADDED_AVX2_poly_div_autoadj_fft(
 /* see inner.h */
 void
-PQCLEAN_FALCON512PADDED_AVX2_poly_LDL_fft(
+PQCLEAN_FALCONPADDED512_AVX2_poly_LDL_fft(
 const fpr *g00, fpr *g01, fpr *g11, unsigned logn) {
 size_t n, hn, u;
@@ -893,7 +893,7 @@ PQCLEAN_FALCON512PADDED_AVX2_poly_LDL_fft(
 /* see inner.h */
 void
-PQCLEAN_FALCON512PADDED_AVX2_poly_LDLmv_fft(
+PQCLEAN_FALCONPADDED512_AVX2_poly_LDLmv_fft(
 fpr *d11, fpr *l10,
 const fpr *g00, const fpr *g01, const fpr *g11,
 unsigned logn) {
@@ -960,7 +960,7 @@ PQCLEAN_FALCON512PADDED_AVX2_poly_LDLmv_fft(
 /* see inner.h */
 void
-PQCLEAN_FALCON512PADDED_AVX2_poly_split_fft(
+PQCLEAN_FALCONPADDED512_AVX2_poly_split_fft(
 fpr *f0, fpr *f1, const fpr *f, unsigned logn) {
 /*
@@ -1033,7 +1033,7 @@ PQCLEAN_FALCON512PADDED_AVX2_poly_split_fft(
 /* see inner.h */
 void
-PQCLEAN_FALCON512PADDED_AVX2_poly_merge_fft(
+PQCLEAN_FALCONPADDED512_AVX2_poly_merge_fft(
 fpr *f, const fpr *f0, const fpr *f1, unsigned logn) {
 size_t n, hn, qn, u;
diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/avx2/fpr.c b/Modules/PQClean/crypto_sign/falcon-padded-512/avx2/fpr.c
similarity index 100%
rename from Modules/PQClean/crypto_sign/falcon-512-padded/avx2/fpr.c
rename to Modules/PQClean/crypto_sign/falcon-padded-512/avx2/fpr.c
diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/avx2/fpr.h b/Modules/PQClean/crypto_sign/falcon-padded-512/avx2/fpr.h
similarity index 98%
rename from Modules/PQClean/crypto_sign/falcon-512-padded/avx2/fpr.h
rename to Modules/PQClean/crypto_sign/falcon-padded-512/avx2/fpr.h
index 34878b04..a0aefe70 100644
--- a/Modules/PQClean/crypto_sign/falcon-512-padded/avx2/fpr.h
+++ b/Modules/PQClean/crypto_sign/falcon-padded-512/avx2/fpr.h
@@ -353,10 +353,10 @@ fpr_expm_p63(fpr x, fpr ccs) {
 }
-#define fpr_gm_tab PQCLEAN_FALCON512PADDED_AVX2_fpr_gm_tab
+#define fpr_gm_tab PQCLEAN_FALCONPADDED512_AVX2_fpr_gm_tab
 extern const fpr fpr_gm_tab[];
-#define fpr_p2_tab PQCLEAN_FALCON512PADDED_AVX2_fpr_p2_tab
+#define fpr_p2_tab PQCLEAN_FALCONPADDED512_AVX2_fpr_p2_tab
 extern const fpr fpr_p2_tab[];
 /* ====================================================================== */
diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/avx2/inner.h b/Modules/PQClean/crypto_sign/falcon-padded-512/avx2/inner.h
similarity index 88%
rename from Modules/PQClean/crypto_sign/falcon-512-padded/avx2/inner.h
rename to Modules/PQClean/crypto_sign/falcon-padded-512/avx2/inner.h
index 6935595e..778174f9 100644
--- a/Modules/PQClean/crypto_sign/falcon-512-padded/avx2/inner.h
+++ b/Modules/PQClean/crypto_sign/falcon-padded-512/avx2/inner.h
@@ -42,7 +42,7 @@
 *
 *
 * - All public functions (i.e. the non-static ones) must be referenced
- * with the PQCLEAN_FALCON512PADDED_AVX2_ macro (e.g. PQCLEAN_FALCON512PADDED_AVX2_verify_raw for the verify_raw()
+ * with the PQCLEAN_FALCONPADDED512_AVX2_ macro (e.g. PQCLEAN_FALCONPADDED512_AVX2_verify_raw for the verify_raw()
 * function). That macro adds a prefix to the name, which is
 * configurable with the FALCON_PREFIX macro. This allows compiling
 * the code into a specific "namespace" and potentially including
@@ -65,7 +65,7 @@
 * word. The caller MUST use set_fpu_cw() to ensure proper precision:
 *
 * oldcw = set_fpu_cw(2);
- * PQCLEAN_FALCON512PADDED_AVX2_sign_dyn(...);
+ * PQCLEAN_FALCONPADDED512_AVX2_sign_dyn(...);
 * set_fpu_cw(oldcw);
 *
 * On systems where the native floating-point precision is already
@@ -162,22 +162,22 @@ set_fpu_cw(unsigned x) {
 *
 */
-size_t PQCLEAN_FALCON512PADDED_AVX2_modq_encode(void *out, size_t max_out_len,
+size_t PQCLEAN_FALCONPADDED512_AVX2_modq_encode(void *out, size_t max_out_len,
 const uint16_t *x, unsigned logn);
-size_t PQCLEAN_FALCON512PADDED_AVX2_trim_i16_encode(void *out, size_t max_out_len,
+size_t PQCLEAN_FALCONPADDED512_AVX2_trim_i16_encode(void *out, size_t max_out_len,
 const int16_t *x, unsigned logn, unsigned bits);
-size_t PQCLEAN_FALCON512PADDED_AVX2_trim_i8_encode(void *out, size_t max_out_len,
+size_t PQCLEAN_FALCONPADDED512_AVX2_trim_i8_encode(void *out, size_t max_out_len,
 const int8_t *x, unsigned logn, unsigned bits);
-size_t PQCLEAN_FALCON512PADDED_AVX2_comp_encode(void *out, size_t max_out_len,
+size_t PQCLEAN_FALCONPADDED512_AVX2_comp_encode(void *out, size_t max_out_len,
 const int16_t *x, unsigned logn);
-size_t PQCLEAN_FALCON512PADDED_AVX2_modq_decode(uint16_t *x, unsigned logn,
+size_t PQCLEAN_FALCONPADDED512_AVX2_modq_decode(uint16_t *x, unsigned logn,
 const void *in, size_t max_in_len);
-size_t PQCLEAN_FALCON512PADDED_AVX2_trim_i16_decode(int16_t *x, unsigned logn, unsigned bits,
+size_t PQCLEAN_FALCONPADDED512_AVX2_trim_i16_decode(int16_t *x, unsigned logn, unsigned bits,
 const void *in, size_t max_in_len);
-size_t PQCLEAN_FALCON512PADDED_AVX2_trim_i8_decode(int8_t *x, unsigned logn, unsigned bits,
+size_t PQCLEAN_FALCONPADDED512_AVX2_trim_i8_decode(int8_t *x, unsigned logn, unsigned bits,
 const void *in, size_t max_in_len);
-size_t PQCLEAN_FALCON512PADDED_AVX2_comp_decode(int16_t *x, unsigned logn,
+size_t PQCLEAN_FALCONPADDED512_AVX2_comp_decode(int16_t *x, unsigned logn,
 const void *in, size_t max_in_len);
 /*
@@ -185,14 +185,14 @@ size_t PQCLEAN_FALCON512PADDED_AVX2_comp_decode(int16_t *x, unsigned logn,
 * is at most 8 bits for all degrees, but some degrees may have shorter
 * elements.
 */
-extern const uint8_t PQCLEAN_FALCON512PADDED_AVX2_max_fg_bits[];
-extern const uint8_t PQCLEAN_FALCON512PADDED_AVX2_max_FG_bits[];
+extern const uint8_t PQCLEAN_FALCONPADDED512_AVX2_max_fg_bits[];
+extern const uint8_t PQCLEAN_FALCONPADDED512_AVX2_max_FG_bits[];
 /*
 * Maximum size, in bits, of elements in a signature, indexed by logn
 * (1 to 10). The size includes the sign bit.
 */
-extern const uint8_t PQCLEAN_FALCON512PADDED_AVX2_max_sig_bits[];
+extern const uint8_t PQCLEAN_FALCONPADDED512_AVX2_max_sig_bits[];
 /* ==================================================================== */
 /*
@@ -206,18 +206,18 @@ extern const uint8_t PQCLEAN_FALCON512PADDED_AVX2_max_sig_bits[];
 * information to serve as a stop condition on a brute force attack on
 * the hashed message (provided that the nonce value is known).
 */
-void PQCLEAN_FALCON512PADDED_AVX2_hash_to_point_vartime(inner_shake256_context *sc,
+void PQCLEAN_FALCONPADDED512_AVX2_hash_to_point_vartime(inner_shake256_context *sc,
 uint16_t *x, unsigned logn);
 /*
 * From a SHAKE256 context (must be already flipped), produce a new
 * point. The temporary buffer (tmp) must have room for 2*2^logn bytes.
 * This function is constant-time but is typically more expensive than
- * PQCLEAN_FALCON512PADDED_AVX2_hash_to_point_vartime().
+ * PQCLEAN_FALCONPADDED512_AVX2_hash_to_point_vartime().
 *
 * tmp[] must have 16-bit alignment.
 */
-void PQCLEAN_FALCON512PADDED_AVX2_hash_to_point_ct(inner_shake256_context *sc,
+void PQCLEAN_FALCONPADDED512_AVX2_hash_to_point_ct(inner_shake256_context *sc,
 uint16_t *x, unsigned logn, uint8_t *tmp);
 /*
@@ -226,7 +226,7 @@ void PQCLEAN_FALCON512PADDED_AVX2_hash_to_point_ct(inner_shake256_context *sc,
 * vector with the acceptance bound. Returned value is 1 on success
 * (vector is short enough to be acceptable), 0 otherwise.
 */
-int PQCLEAN_FALCON512PADDED_AVX2_is_short(const int16_t *s1, const int16_t *s2, unsigned logn);
+int PQCLEAN_FALCONPADDED512_AVX2_is_short(const int16_t *s1, const int16_t *s2, unsigned logn);
 /*
 * Tell whether a given vector (2N coordinates, in two halves) is
@@ -238,7 +238,7 @@ int PQCLEAN_FALCON512PADDED_AVX2_is_short(const int16_t *s1, const int16_t *s2,
 * Returned value is 1 on success (vector is short enough to be
 * acceptable), 0 otherwise.
 */
-int PQCLEAN_FALCON512PADDED_AVX2_is_short_half(uint32_t sqn, const int16_t *s2, unsigned logn);
+int PQCLEAN_FALCONPADDED512_AVX2_is_short_half(uint32_t sqn, const int16_t *s2, unsigned logn);
 /* ==================================================================== */
 /*
@@ -249,7 +249,7 @@ int PQCLEAN_FALCON512PADDED_AVX2_is_short_half(uint32_t sqn, const int16_t *s2,
 * Convert a public key to NTT + Montgomery format. Conversion is done
 * in place.
 */
-void PQCLEAN_FALCON512PADDED_AVX2_to_ntt_monty(uint16_t *h, unsigned logn);
+void PQCLEAN_FALCONPADDED512_AVX2_to_ntt_monty(uint16_t *h, unsigned logn);
 /*
 * Internal signature verification code:
@@ -262,7 +262,7 @@ void PQCLEAN_FALCON512PADDED_AVX2_to_ntt_monty(uint16_t *h, unsigned logn);
 *
 * tmp[] must have 16-bit alignment.
 */
-int PQCLEAN_FALCON512PADDED_AVX2_verify_raw(const uint16_t *c0, const int16_t *s2,
+int PQCLEAN_FALCONPADDED512_AVX2_verify_raw(const uint16_t *c0, const int16_t *s2,
 const uint16_t *h, unsigned logn, uint8_t *tmp);
 /*
@@ -274,7 +274,7 @@ int PQCLEAN_FALCON512PADDED_AVX2_verify_raw(const uint16_t *c0, const int16_t *s
 * The tmp[] array must have room for at least 2*2^logn elements.
 * tmp[] must have 16-bit alignment.
 */
-int PQCLEAN_FALCON512PADDED_AVX2_compute_public(uint16_t *h,
+int PQCLEAN_FALCONPADDED512_AVX2_compute_public(uint16_t *h,
 const int8_t *f, const int8_t *g, unsigned logn, uint8_t *tmp);
 /*
@@ -288,7 +288,7 @@ int PQCLEAN_FALCON512PADDED_AVX2_compute_public(uint16_t *h,
 * Returned value is 1 in success, 0 on error (f not invertible).
 * tmp[] must have 16-bit alignment.
 */
-int PQCLEAN_FALCON512PADDED_AVX2_complete_private(int8_t *G,
+int PQCLEAN_FALCONPADDED512_AVX2_complete_private(int8_t *G,
 const int8_t *f, const int8_t *g, const int8_t *F,
 unsigned logn, uint8_t *tmp);
@@ -298,7 +298,7 @@ int PQCLEAN_FALCON512PADDED_AVX2_complete_private(int8_t *G,
 *
 * tmp[] must have 16-bit alignment.
 */
-int PQCLEAN_FALCON512PADDED_AVX2_is_invertible(
+int PQCLEAN_FALCONPADDED512_AVX2_is_invertible(
 const int16_t *s2, unsigned logn, uint8_t *tmp);
 /*
@@ -309,7 +309,7 @@ int PQCLEAN_FALCON512PADDED_AVX2_is_invertible(
 *
 * tmp[] must have 16-bit alignment.
 */
-int PQCLEAN_FALCON512PADDED_AVX2_count_nttzero(const int16_t *sig, unsigned logn, uint8_t *tmp);
+int PQCLEAN_FALCONPADDED512_AVX2_count_nttzero(const int16_t *sig, unsigned logn, uint8_t *tmp);
 /*
 * Internal signature verification with public key recovery:
@@ -329,7 +329,7 @@ int PQCLEAN_FALCON512PADDED_AVX2_count_nttzero(const int16_t *sig, unsigned logn
 *
 * tmp[] must have 16-bit alignment.
 */
-int PQCLEAN_FALCON512PADDED_AVX2_verify_recover(uint16_t *h,
+int PQCLEAN_FALCONPADDED512_AVX2_verify_recover(uint16_t *h,
 const uint16_t *c0, const int16_t *s1, const int16_t *s2,
 unsigned logn, uint8_t *tmp);
@@ -450,7 +450,7 @@ int PQCLEAN_FALCON512PADDED_AVX2_verify_recover(uint16_t *h,
 *
 * Returned value is 1 on success, 0 on error.
 */
-int PQCLEAN_FALCON512PADDED_AVX2_get_seed(void *seed, size_t seed_len);
+int PQCLEAN_FALCONPADDED512_AVX2_get_seed(void *seed, size_t seed_len);
 /*
 * Structure for a PRNG. This includes a large buffer so that values
@@ -477,18 +477,18 @@ typedef struct {
 * Instantiate a PRNG. That PRNG will feed over the provided SHAKE256
 * context (in "flipped" state) to obtain its initial state.
 */
-void PQCLEAN_FALCON512PADDED_AVX2_prng_init(prng *p, inner_shake256_context *src);
+void PQCLEAN_FALCONPADDED512_AVX2_prng_init(prng *p, inner_shake256_context *src);
 /*
 * Refill the PRNG buffer. This is normally invoked automatically, and
 * is declared here only so that prng_get_u64() may be inlined.
 */
-void PQCLEAN_FALCON512PADDED_AVX2_prng_refill(prng *p);
+void PQCLEAN_FALCONPADDED512_AVX2_prng_refill(prng *p);
 /*
 * Get some bytes from a PRNG.
 */
-void PQCLEAN_FALCON512PADDED_AVX2_prng_get_bytes(prng *p, void *dst, size_t len);
+void PQCLEAN_FALCONPADDED512_AVX2_prng_get_bytes(prng *p, void *dst, size_t len);
 /*
 * Get a 64-bit random value from a PRNG.
@@ -505,7 +505,7 @@ prng_get_u64(prng *p) {
 */
 u = p->ptr;
 if (u >= (sizeof p->buf.d) - 9) {
- PQCLEAN_FALCON512PADDED_AVX2_prng_refill(p);
+ PQCLEAN_FALCONPADDED512_AVX2_prng_refill(p);
 u = 0;
 }
 p->ptr = u + 8;
@@ -529,7 +529,7 @@ prng_get_u8(prng *p) {
 v = p->buf.d[p->ptr ++];
 if (p->ptr == sizeof p->buf.d) {
- PQCLEAN_FALCON512PADDED_AVX2_prng_refill(p);
+ PQCLEAN_FALCONPADDED512_AVX2_prng_refill(p);
 }
 return v;
 }
@@ -552,7 +552,7 @@ prng_get_u8(prng *p) {
 *
 * 'logn' MUST lie between 1 and 10 (inclusive).
 */
-void PQCLEAN_FALCON512PADDED_AVX2_FFT(fpr *f, unsigned logn);
+void PQCLEAN_FALCONPADDED512_AVX2_FFT(fpr *f, unsigned logn);
 /*
 * Compute the inverse FFT in-place: the source array should contain the
@@ -562,61 +562,61 @@ void PQCLEAN_FALCON512PADDED_AVX2_FFT(fpr *f, unsigned logn);
 *
 * 'logn' MUST lie between 1 and 10 (inclusive).
 */
-void PQCLEAN_FALCON512PADDED_AVX2_iFFT(fpr *f, unsigned logn);
+void PQCLEAN_FALCONPADDED512_AVX2_iFFT(fpr *f, unsigned logn);
 /*
 * Add polynomial b to polynomial a. a and b MUST NOT overlap. This
 * function works in both normal and FFT representations.
 */
-void PQCLEAN_FALCON512PADDED_AVX2_poly_add(fpr *a, const fpr *b, unsigned logn);
+void PQCLEAN_FALCONPADDED512_AVX2_poly_add(fpr *a, const fpr *b, unsigned logn);
 /*
 * Subtract polynomial b from polynomial a. a and b MUST NOT overlap. This
 * function works in both normal and FFT representations.
 */
-void PQCLEAN_FALCON512PADDED_AVX2_poly_sub(fpr *a, const fpr *b, unsigned logn);
+void PQCLEAN_FALCONPADDED512_AVX2_poly_sub(fpr *a, const fpr *b, unsigned logn);
 /*
 * Negate polynomial a. This function works in both normal and FFT
 * representations.
 */
-void PQCLEAN_FALCON512PADDED_AVX2_poly_neg(fpr *a, unsigned logn);
+void PQCLEAN_FALCONPADDED512_AVX2_poly_neg(fpr *a, unsigned logn);
 /*
 * Compute adjoint of polynomial a. This function works only in FFT
 * representation.
 */
-void PQCLEAN_FALCON512PADDED_AVX2_poly_adj_fft(fpr *a, unsigned logn);
+void PQCLEAN_FALCONPADDED512_AVX2_poly_adj_fft(fpr *a, unsigned logn);
 /*
 * Multiply polynomial a with polynomial b. a and b MUST NOT overlap.
 * This function works only in FFT representation.
 */
-void PQCLEAN_FALCON512PADDED_AVX2_poly_mul_fft(fpr *a, const fpr *b, unsigned logn);
+void PQCLEAN_FALCONPADDED512_AVX2_poly_mul_fft(fpr *a, const fpr *b, unsigned logn);
 /*
 * Multiply polynomial a with the adjoint of polynomial b. a and b MUST NOT
 * overlap. This function works only in FFT representation.
 */
-void PQCLEAN_FALCON512PADDED_AVX2_poly_muladj_fft(fpr *a, const fpr *b, unsigned logn);
+void PQCLEAN_FALCONPADDED512_AVX2_poly_muladj_fft(fpr *a, const fpr *b, unsigned logn);
 /*
 * Multiply polynomial with its own adjoint. This function works only in FFT
 * representation.
 */
-void PQCLEAN_FALCON512PADDED_AVX2_poly_mulselfadj_fft(fpr *a, unsigned logn);
+void PQCLEAN_FALCONPADDED512_AVX2_poly_mulselfadj_fft(fpr *a, unsigned logn);
 /*
 * Multiply polynomial with a real constant. This function works in both
 * normal and FFT representations.
 */
-void PQCLEAN_FALCON512PADDED_AVX2_poly_mulconst(fpr *a, fpr x, unsigned logn);
+void PQCLEAN_FALCONPADDED512_AVX2_poly_mulconst(fpr *a, fpr x, unsigned logn);
 /*
 * Divide polynomial a by polynomial b, modulo X^N+1 (FFT representation).
 * a and b MUST NOT overlap.
 */
-void PQCLEAN_FALCON512PADDED_AVX2_poly_div_fft(fpr *a, const fpr *b, unsigned logn);
+void PQCLEAN_FALCONPADDED512_AVX2_poly_div_fft(fpr *a, const fpr *b, unsigned logn);
 /*
 * Given f and g (in FFT representation), compute 1/(f*adj(f)+g*adj(g))
@@ -626,7 +626,7 @@ void PQCLEAN_FALCON512PADDED_AVX2_poly_div_fft(fpr *a, const fpr *b, unsigned lo
 *
 * Array d MUST NOT overlap with either a or b.
 */
-void PQCLEAN_FALCON512PADDED_AVX2_poly_invnorm2_fft(fpr *d,
+void PQCLEAN_FALCONPADDED512_AVX2_poly_invnorm2_fft(fpr *d,
 const fpr *a, const fpr *b, unsigned logn);
 /*
@@ -634,7 +634,7 @@ void PQCLEAN_FALCON512PADDED_AVX2_poly_invnorm2_fft(fpr *d,
 * (also in FFT representation). Destination d MUST NOT overlap with
 * any of the source arrays.
 */
-void PQCLEAN_FALCON512PADDED_AVX2_poly_add_muladj_fft(fpr *d,
+void PQCLEAN_FALCONPADDED512_AVX2_poly_add_muladj_fft(fpr *d,
 const fpr *F, const fpr *G,
 const fpr *f, const fpr *g, unsigned logn);
@@ -644,7 +644,7 @@ void PQCLEAN_FALCON512PADDED_AVX2_poly_add_muladj_fft(fpr *d,
 * FFT coefficients are real, and the array b contains only N/2 elements.
 * a and b MUST NOT overlap.
 */
-void PQCLEAN_FALCON512PADDED_AVX2_poly_mul_autoadj_fft(fpr *a,
+void PQCLEAN_FALCONPADDED512_AVX2_poly_mul_autoadj_fft(fpr *a,
 const fpr *b, unsigned logn);
 /*
@@ -653,7 +653,7 @@ void PQCLEAN_FALCON512PADDED_AVX2_poly_mul_autoadj_fft(fpr *a,
 * FFT coefficients are real, and the array b contains only N/2 elements.
 * a and b MUST NOT overlap.
 */
-void PQCLEAN_FALCON512PADDED_AVX2_poly_div_autoadj_fft(fpr *a,
+void PQCLEAN_FALCONPADDED512_AVX2_poly_div_autoadj_fft(fpr *a,
 const fpr *b, unsigned logn);
 /*
@@ -664,7 +664,7 @@ void PQCLEAN_FALCON512PADDED_AVX2_poly_div_autoadj_fft(fpr *a,
 * (with D = [[d00, 0], [0, d11]] and L = [[1, 0], [l10, 1]]).
 * (In fact, d00 = g00, so the g00 operand is left unmodified.)
 */
-void PQCLEAN_FALCON512PADDED_AVX2_poly_LDL_fft(const fpr *g00,
+void PQCLEAN_FALCONPADDED512_AVX2_poly_LDL_fft(const fpr *g00,
 fpr *g01, fpr *g11, unsigned logn);
 /*
@@ -673,7 +673,7 @@ void PQCLEAN_FALCON512PADDED_AVX2_poly_LDL_fft(const fpr *g00,
 * g00, g01 and g11 are unmodified; the outputs d11 and l10 are written
 * in two other separate buffers provided as extra parameters.
 */
-void PQCLEAN_FALCON512PADDED_AVX2_poly_LDLmv_fft(fpr *d11, fpr *l10,
+void PQCLEAN_FALCONPADDED512_AVX2_poly_LDLmv_fft(fpr *d11, fpr *l10,
 const fpr *g00, const fpr *g01, const fpr *g11,
 unsigned logn);
@@ -682,7 +682,7 @@ void PQCLEAN_FALCON512PADDED_AVX2_poly_LDLmv_fft(fpr *d11, fpr *l10,
 * f = f0(x^2) + x*f1(x^2), for half-size polynomials f0 and f1
 * (polynomials modulo X^(N/2)+1). f0, f1 and f MUST NOT overlap.
 */
-void PQCLEAN_FALCON512PADDED_AVX2_poly_split_fft(fpr *f0, fpr *f1,
+void PQCLEAN_FALCONPADDED512_AVX2_poly_split_fft(fpr *f0, fpr *f1,
 const fpr *f, unsigned logn);
 /*
@@ -691,7 +691,7 @@ void PQCLEAN_FALCON512PADDED_AVX2_poly_split_fft(fpr *f0, fpr *f1,
 * f = f0(x^2) + x*f1(x^2), in FFT representation modulo X^N+1.
 * f MUST NOT overlap with either f0 or f1.
 */
-void PQCLEAN_FALCON512PADDED_AVX2_poly_merge_fft(fpr *f,
+void PQCLEAN_FALCONPADDED512_AVX2_poly_merge_fft(fpr *f,
 const fpr *f0, const fpr *f1, unsigned logn);
 /* ==================================================================== */
@@ -730,7 +730,7 @@ void PQCLEAN_FALCON512PADDED_AVX2_poly_merge_fft(fpr *f,
 * tmp[] must have 64-bit alignment.
 * This function uses floating-point rounding (see set_fpu_cw()).
 */
-void PQCLEAN_FALCON512PADDED_AVX2_keygen(inner_shake256_context *rng,
+void PQCLEAN_FALCONPADDED512_AVX2_keygen(inner_shake256_context *rng,
 int8_t *f, int8_t *g, int8_t *F, int8_t *G, uint16_t *h,
 unsigned logn, uint8_t *tmp);
@@ -749,14 +749,14 @@ void PQCLEAN_FALCON512PADDED_AVX2_keygen(inner_shake256_context *rng,
 * tmp[] must have 64-bit alignment.
 * This function uses floating-point rounding (see set_fpu_cw()).
 */
-void PQCLEAN_FALCON512PADDED_AVX2_expand_privkey(fpr *expanded_key,
+void PQCLEAN_FALCONPADDED512_AVX2_expand_privkey(fpr *expanded_key,
 const int8_t *f, const int8_t *g, const int8_t *F, const int8_t *G,
 unsigned logn, uint8_t *tmp);
 /*
 * Compute a signature over the provided hashed message (hm); the
 * signature value is one short vector. This function uses an
- * expanded key (as generated by PQCLEAN_FALCON512PADDED_AVX2_expand_privkey()).
+ * expanded key (as generated by PQCLEAN_FALCONPADDED512_AVX2_expand_privkey()).
 *
 * The sig[] and hm[] buffers may overlap.
 *
@@ -768,7 +768,7 @@ void PQCLEAN_FALCON512PADDED_AVX2_expand_privkey(fpr *expanded_key,
 * tmp[] must have 64-bit alignment.
 * This function uses floating-point rounding (see set_fpu_cw()).
 */
-void PQCLEAN_FALCON512PADDED_AVX2_sign_tree(int16_t *sig, inner_shake256_context *rng,
+void PQCLEAN_FALCONPADDED512_AVX2_sign_tree(int16_t *sig, inner_shake256_context *rng,
 const fpr *expanded_key,
 const uint16_t *hm, unsigned logn, uint8_t *tmp);
@@ -789,7 +789,7 @@ void PQCLEAN_FALCON512PADDED_AVX2_sign_tree(int16_t *sig, inner_shake256_context
 * tmp[] must have 64-bit alignment.
 * This function uses floating-point rounding (see set_fpu_cw()).
 */
-void PQCLEAN_FALCON512PADDED_AVX2_sign_dyn(int16_t *sig, inner_shake256_context *rng,
+void PQCLEAN_FALCONPADDED512_AVX2_sign_dyn(int16_t *sig, inner_shake256_context *rng,
 const int8_t *f, const int8_t *g, const int8_t *F, const int8_t *G,
 const uint16_t *hm, unsigned logn, uint8_t *tmp);
@@ -818,9 +818,9 @@ typedef struct {
 fpr sigma_min;
 } sampler_context;
-int PQCLEAN_FALCON512PADDED_AVX2_sampler(void *ctx, fpr mu, fpr isigma);
+int PQCLEAN_FALCONPADDED512_AVX2_sampler(void *ctx, fpr mu, fpr isigma);
-int PQCLEAN_FALCON512PADDED_AVX2_gaussian0_sampler(prng *p);
+int PQCLEAN_FALCONPADDED512_AVX2_gaussian0_sampler(prng *p);
 /* ==================================================================== */
diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/avx2/keygen.c b/Modules/PQClean/crypto_sign/falcon-padded-512/avx2/keygen.c
similarity index 98%
rename from Modules/PQClean/crypto_sign/falcon-512-padded/avx2/keygen.c
rename to Modules/PQClean/crypto_sign/falcon-padded-512/avx2/keygen.c
index 06aa5efc..8644e916 100644
--- a/Modules/PQClean/crypto_sign/falcon-512-padded/avx2/keygen.c
+++ b/Modules/PQClean/crypto_sign/falcon-padded-512/avx2/keygen.c
@@ -3070,11 +3070,11 @@ solve_NTRU_intermediate(unsigned logn_top,
 * Compute 1/(f*adj(f)+g*adj(g)) in rt5. We also keep adj(f)
 * and adj(g) in rt3 and rt4, respectively.
 */
- PQCLEAN_FALCON512PADDED_AVX2_FFT(rt3, logn);
- PQCLEAN_FALCON512PADDED_AVX2_FFT(rt4, logn);
- PQCLEAN_FALCON512PADDED_AVX2_poly_invnorm2_fft(rt5, rt3, rt4, logn);
- PQCLEAN_FALCON512PADDED_AVX2_poly_adj_fft(rt3, logn);
- PQCLEAN_FALCON512PADDED_AVX2_poly_adj_fft(rt4, logn);
+ PQCLEAN_FALCONPADDED512_AVX2_FFT(rt3, logn);
+ PQCLEAN_FALCONPADDED512_AVX2_FFT(rt4, logn);
+ PQCLEAN_FALCONPADDED512_AVX2_poly_invnorm2_fft(rt5, rt3, rt4, logn);
+ PQCLEAN_FALCONPADDED512_AVX2_poly_adj_fft(rt3, logn);
+ PQCLEAN_FALCONPADDED512_AVX2_poly_adj_fft(rt4, logn);
 /*
 * Reduce F and G repeatedly.
@@ -3134,13 +3134,13 @@ solve_NTRU_intermediate(unsigned logn_top,
 /*
 * Compute (F*adj(f)+G*adj(g))/(f*adj(f)+g*adj(g)) in rt2.
 */
- PQCLEAN_FALCON512PADDED_AVX2_FFT(rt1, logn);
- PQCLEAN_FALCON512PADDED_AVX2_FFT(rt2, logn);
- PQCLEAN_FALCON512PADDED_AVX2_poly_mul_fft(rt1, rt3, logn);
- PQCLEAN_FALCON512PADDED_AVX2_poly_mul_fft(rt2, rt4, logn);
- PQCLEAN_FALCON512PADDED_AVX2_poly_add(rt2, rt1, logn);
- PQCLEAN_FALCON512PADDED_AVX2_poly_mul_autoadj_fft(rt2, rt5, logn);
- PQCLEAN_FALCON512PADDED_AVX2_iFFT(rt2, logn);
+ PQCLEAN_FALCONPADDED512_AVX2_FFT(rt1, logn);
+ PQCLEAN_FALCONPADDED512_AVX2_FFT(rt2, logn);
+ PQCLEAN_FALCONPADDED512_AVX2_poly_mul_fft(rt1, rt3, logn);
+ PQCLEAN_FALCONPADDED512_AVX2_poly_mul_fft(rt2, rt4, logn);
+ PQCLEAN_FALCONPADDED512_AVX2_poly_add(rt2, rt1, logn);
+ PQCLEAN_FALCONPADDED512_AVX2_poly_mul_autoadj_fft(rt2, rt5, logn);
+ PQCLEAN_FALCONPADDED512_AVX2_iFFT(rt2, logn);
 /*
 * (f,g) are scaled by 'scale_fg', meaning that the
@@ -3588,10 +3588,10 @@ solve_NTRU_binary_depth1(unsigned logn_top,
 * rt4 = g
 * in that order in RAM. We convert all of them to FFT.
 */
- PQCLEAN_FALCON512PADDED_AVX2_FFT(rt1, logn);
- PQCLEAN_FALCON512PADDED_AVX2_FFT(rt2, logn);
- PQCLEAN_FALCON512PADDED_AVX2_FFT(rt3, logn);
- PQCLEAN_FALCON512PADDED_AVX2_FFT(rt4, logn);
+ PQCLEAN_FALCONPADDED512_AVX2_FFT(rt1, logn);
+ PQCLEAN_FALCONPADDED512_AVX2_FFT(rt2, logn);
+ PQCLEAN_FALCONPADDED512_AVX2_FFT(rt3, logn);
+ PQCLEAN_FALCONPADDED512_AVX2_FFT(rt4, logn);
 /*
 * Compute:
@@ -3601,14 +3601,14 @@ solve_NTRU_binary_depth1(unsigned logn_top,
 */
 rt5 = rt4 + n;
 rt6 = rt5 + n;
- PQCLEAN_FALCON512PADDED_AVX2_poly_add_muladj_fft(rt5, rt1, rt2, rt3, rt4, logn);
- PQCLEAN_FALCON512PADDED_AVX2_poly_invnorm2_fft(rt6, rt3, rt4, logn);
+ PQCLEAN_FALCONPADDED512_AVX2_poly_add_muladj_fft(rt5, rt1, rt2, rt3, rt4, logn);
+ PQCLEAN_FALCONPADDED512_AVX2_poly_invnorm2_fft(rt6, rt3, rt4, logn);
 /*
 * Compute:
 * rt5 = (F*adj(f)+G*adj(g)) / (f*adj(f)+g*adj(g))
 */
- PQCLEAN_FALCON512PADDED_AVX2_poly_mul_autoadj_fft(rt5, rt6, logn);
+ PQCLEAN_FALCONPADDED512_AVX2_poly_mul_autoadj_fft(rt5, rt6, logn);
 /*
 * Compute k as the rounded version of rt5. Check that none of
@@ -3617,7 +3617,7 @@ solve_NTRU_binary_depth1(unsigned logn_top,
 * note that any out-of-bounds value here implies a failure and
 * (f,g) will be discarded, so we can make a simple test.
 */
- PQCLEAN_FALCON512PADDED_AVX2_iFFT(rt5, logn);
+ PQCLEAN_FALCONPADDED512_AVX2_iFFT(rt5, logn);
 for (u = 0; u < n; u ++) {
 fpr z;
@@ -3627,17 +3627,17 @@ solve_NTRU_binary_depth1(unsigned logn_top,
 }
 rt5[u] = fpr_of(fpr_rint(z));
 }
- PQCLEAN_FALCON512PADDED_AVX2_FFT(rt5, logn);
+ PQCLEAN_FALCONPADDED512_AVX2_FFT(rt5, logn);
 /*
 * Subtract k*f from F, and k*g from G.
 */
- PQCLEAN_FALCON512PADDED_AVX2_poly_mul_fft(rt3, rt5, logn);
- PQCLEAN_FALCON512PADDED_AVX2_poly_mul_fft(rt4, rt5, logn);
- PQCLEAN_FALCON512PADDED_AVX2_poly_sub(rt1, rt3, logn);
- PQCLEAN_FALCON512PADDED_AVX2_poly_sub(rt2, rt4, logn);
- PQCLEAN_FALCON512PADDED_AVX2_iFFT(rt1, logn);
- PQCLEAN_FALCON512PADDED_AVX2_iFFT(rt2, logn);
+ PQCLEAN_FALCONPADDED512_AVX2_poly_mul_fft(rt3, rt5, logn);
+ PQCLEAN_FALCONPADDED512_AVX2_poly_mul_fft(rt4, rt5, logn);
+ PQCLEAN_FALCONPADDED512_AVX2_poly_sub(rt1, rt3, logn);
+ PQCLEAN_FALCONPADDED512_AVX2_poly_sub(rt2, rt4, logn);
+ PQCLEAN_FALCONPADDED512_AVX2_iFFT(rt1, logn);
+ PQCLEAN_FALCONPADDED512_AVX2_iFFT(rt2, logn);
 /*
 * Convert back F and G to integers, and return.
@@ -3856,7 +3856,7 @@ solve_NTRU_binary_depth0(unsigned logn,
 for (u = 0; u < n; u ++) {
 rt3[u] = fpr_of(((int32_t *)t2)[u]);
 }
- PQCLEAN_FALCON512PADDED_AVX2_FFT(rt3, logn);
+ PQCLEAN_FALCONPADDED512_AVX2_FFT(rt3, logn);
 rt2 = align_fpr(tmp, t2);
 memmove(rt2, rt3, hn * sizeof * rt3);
@@ -3867,14 +3867,14 @@ solve_NTRU_binary_depth0(unsigned logn,
 for (u = 0; u < n; u ++) {
 rt3[u] = fpr_of(((int32_t *)t1)[u]);
 }
- PQCLEAN_FALCON512PADDED_AVX2_FFT(rt3, logn);
+ PQCLEAN_FALCONPADDED512_AVX2_FFT(rt3, logn);
 /*
 * Compute (F*adj(f)+G*adj(g))/(f*adj(f)+g*adj(g)) and get
 * its rounded normal representation in t1.
 */
- PQCLEAN_FALCON512PADDED_AVX2_poly_div_autoadj_fft(rt3, rt2, logn);
- PQCLEAN_FALCON512PADDED_AVX2_iFFT(rt3, logn);
+ PQCLEAN_FALCONPADDED512_AVX2_poly_div_autoadj_fft(rt3, rt2, logn);
+ PQCLEAN_FALCONPADDED512_AVX2_iFFT(rt3, logn);
 for (u = 0; u < n; u ++) {
 t1[u] = modp_set((int32_t)fpr_rint(rt3[u]), p);
 }
@@ -4075,7 +4075,7 @@ poly_small_mkgauss(RNG_CONTEXT *rng, int8_t *f, unsigned logn) { /* see falcon.h */ void -PQCLEAN_FALCON512PADDED_AVX2_keygen(inner_shake256_context *rng, +PQCLEAN_FALCONPADDED512_AVX2_keygen(inner_shake256_context *rng, int8_t *f, int8_t *g, int8_t *F, int8_t *G, uint16_t *h, unsigned logn, uint8_t *tmp) { /* @@ -4144,7 +4144,7 @@ PQCLEAN_FALCON512PADDED_AVX2_keygen(inner_shake256_context *rng, * overwhelming probability; this guarantees that the * key will be encodable with FALCON_COMP_TRIM. */ - lim = 1 << (PQCLEAN_FALCON512PADDED_AVX2_max_fg_bits[logn] - 1); + lim = 1 << (PQCLEAN_FALCONPADDED512_AVX2_max_fg_bits[logn] - 1); for (u = 0; u < n; u ++) { /* * We can use non-CT tests since on any failure 
@@ -4182,17 +4182,17 @@ PQCLEAN_FALCON512PADDED_AVX2_keygen(inner_shake256_context *rng, rt3 = rt2 + n; poly_small_to_fp(rt1, f, logn); poly_small_to_fp(rt2, g, logn); - PQCLEAN_FALCON512PADDED_AVX2_FFT(rt1, logn); - PQCLEAN_FALCON512PADDED_AVX2_FFT(rt2, logn); - PQCLEAN_FALCON512PADDED_AVX2_poly_invnorm2_fft(rt3, rt1, rt2, logn); - PQCLEAN_FALCON512PADDED_AVX2_poly_adj_fft(rt1, logn); - PQCLEAN_FALCON512PADDED_AVX2_poly_adj_fft(rt2, logn); - PQCLEAN_FALCON512PADDED_AVX2_poly_mulconst(rt1, fpr_q, logn); - PQCLEAN_FALCON512PADDED_AVX2_poly_mulconst(rt2, fpr_q, logn); - PQCLEAN_FALCON512PADDED_AVX2_poly_mul_autoadj_fft(rt1, rt3, logn); - PQCLEAN_FALCON512PADDED_AVX2_poly_mul_autoadj_fft(rt2, rt3, logn); - PQCLEAN_FALCON512PADDED_AVX2_iFFT(rt1, logn); - PQCLEAN_FALCON512PADDED_AVX2_iFFT(rt2, logn); + PQCLEAN_FALCONPADDED512_AVX2_FFT(rt1, logn); + PQCLEAN_FALCONPADDED512_AVX2_FFT(rt2, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_invnorm2_fft(rt3, rt1, rt2, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_adj_fft(rt1, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_adj_fft(rt2, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_mulconst(rt1, fpr_q, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_mulconst(rt2, fpr_q, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_mul_autoadj_fft(rt1, rt3, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_mul_autoadj_fft(rt2, rt3, logn); + PQCLEAN_FALCONPADDED512_AVX2_iFFT(rt1, logn); + PQCLEAN_FALCONPADDED512_AVX2_iFFT(rt2, logn); bnorm = fpr_zero; for (u = 0; u < n; u ++) { bnorm = fpr_add(bnorm, fpr_sqr(rt1[u])); 
@@ -4213,14 +4213,14 @@ PQCLEAN_FALCON512PADDED_AVX2_keygen(inner_shake256_context *rng, h2 = h; tmp2 = (uint16_t *)tmp; } - if (!PQCLEAN_FALCON512PADDED_AVX2_compute_public(h2, f, g, logn, (uint8_t *)tmp2)) { + if (!PQCLEAN_FALCONPADDED512_AVX2_compute_public(h2, f, g, logn, (uint8_t *)tmp2)) { continue; } /* * Solve the NTRU equation to get F and G. */ - lim = (1 << (PQCLEAN_FALCON512PADDED_AVX2_max_FG_bits[logn] - 1)) - 1; + lim = (1 << (PQCLEAN_FALCONPADDED512_AVX2_max_FG_bits[logn] - 1)) - 1; if (!solve_NTRU(logn, F, G, f, g, lim, (uint32_t *)tmp)) { continue; } diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/avx2/pqclean.c b/Modules/PQClean/crypto_sign/falcon-padded-512/avx2/pqclean.c similarity index 71% rename from Modules/PQClean/crypto_sign/falcon-512-padded/avx2/pqclean.c rename to Modules/PQClean/crypto_sign/falcon-padded-512/avx2/pqclean.c index 85e77d11..17110500 100644 --- a/Modules/PQClean/crypto_sign/falcon-512-padded/avx2/pqclean.c +++ b/Modules/PQClean/crypto_sign/falcon-padded-512/avx2/pqclean.c @@ -38,7 +38,7 @@ /* see api.h */ int -PQCLEAN_FALCON512PADDED_AVX2_crypto_sign_keypair( +PQCLEAN_FALCONPADDED512_AVX2_crypto_sign_keypair( uint8_t *pk, uint8_t *sk) { union { uint8_t b[FALCON_KEYGEN_TEMP_9]; @@ -58,7 +58,7 @@ PQCLEAN_FALCON512PADDED_AVX2_crypto_sign_keypair( inner_shake256_init(&rng); inner_shake256_inject(&rng, seed, sizeof seed); inner_shake256_flip(&rng); - PQCLEAN_FALCON512PADDED_AVX2_keygen(&rng, f, g, F, NULL, h, 9, tmp.b); + PQCLEAN_FALCONPADDED512_AVX2_keygen(&rng, f, g, F, NULL, h, 9, tmp.b); inner_shake256_ctx_release(&rng); /* 
@@ -66,28 +66,28 @@ PQCLEAN_FALCON512PADDED_AVX2_crypto_sign_keypair( */ sk[0] = 0x50 + 9; u = 1; - v = PQCLEAN_FALCON512PADDED_AVX2_trim_i8_encode( - sk + u, PQCLEAN_FALCON512PADDED_AVX2_CRYPTO_SECRETKEYBYTES - u, - f, 9, PQCLEAN_FALCON512PADDED_AVX2_max_fg_bits[9]); + v = PQCLEAN_FALCONPADDED512_AVX2_trim_i8_encode( + sk + u, PQCLEAN_FALCONPADDED512_AVX2_CRYPTO_SECRETKEYBYTES - u, + f, 9, PQCLEAN_FALCONPADDED512_AVX2_max_fg_bits[9]); if (v == 0) { return -1; } u += v; - v = PQCLEAN_FALCON512PADDED_AVX2_trim_i8_encode( - sk + u, PQCLEAN_FALCON512PADDED_AVX2_CRYPTO_SECRETKEYBYTES - u, - g, 9, PQCLEAN_FALCON512PADDED_AVX2_max_fg_bits[9]); + v = PQCLEAN_FALCONPADDED512_AVX2_trim_i8_encode( + sk + u, PQCLEAN_FALCONPADDED512_AVX2_CRYPTO_SECRETKEYBYTES - u, + g, 9, PQCLEAN_FALCONPADDED512_AVX2_max_fg_bits[9]); if (v == 0) { return -1; } u += v; - v = PQCLEAN_FALCON512PADDED_AVX2_trim_i8_encode( - sk + u, PQCLEAN_FALCON512PADDED_AVX2_CRYPTO_SECRETKEYBYTES - u, - F, 9, PQCLEAN_FALCON512PADDED_AVX2_max_FG_bits[9]); + v = PQCLEAN_FALCONPADDED512_AVX2_trim_i8_encode( + sk + u, PQCLEAN_FALCONPADDED512_AVX2_CRYPTO_SECRETKEYBYTES - u, + F, 9, PQCLEAN_FALCONPADDED512_AVX2_max_FG_bits[9]); if (v == 0) { return -1; } u += v; - if (u != PQCLEAN_FALCON512PADDED_AVX2_CRYPTO_SECRETKEYBYTES) { + if (u != PQCLEAN_FALCONPADDED512_AVX2_CRYPTO_SECRETKEYBYTES) { return -1; } @@ -95,10 +95,10 @@ PQCLEAN_FALCON512PADDED_AVX2_crypto_sign_keypair( * Encode public key. */ pk[0] = 0x00 + 9; - v = PQCLEAN_FALCON512PADDED_AVX2_modq_encode( - pk + 1, PQCLEAN_FALCON512PADDED_AVX2_CRYPTO_PUBLICKEYBYTES - 1, + v = PQCLEAN_FALCONPADDED512_AVX2_modq_encode( + pk + 1, PQCLEAN_FALCONPADDED512_AVX2_CRYPTO_PUBLICKEYBYTES - 1, h, 9); - if (v != PQCLEAN_FALCON512PADDED_AVX2_CRYPTO_PUBLICKEYBYTES - 1) { + if (v != PQCLEAN_FALCONPADDED512_AVX2_CRYPTO_PUBLICKEYBYTES - 1) { return -1; } 
@@ -142,31 +142,31 @@ do_sign(uint8_t *nonce, uint8_t *sigbuf, size_t sigbuflen, return -1; } u = 1; - v = PQCLEAN_FALCON512PADDED_AVX2_trim_i8_decode( - f, 9, PQCLEAN_FALCON512PADDED_AVX2_max_fg_bits[9], - sk + u, PQCLEAN_FALCON512PADDED_AVX2_CRYPTO_SECRETKEYBYTES - u); + v = PQCLEAN_FALCONPADDED512_AVX2_trim_i8_decode( + f, 9, PQCLEAN_FALCONPADDED512_AVX2_max_fg_bits[9], + sk + u, PQCLEAN_FALCONPADDED512_AVX2_CRYPTO_SECRETKEYBYTES - u); if (v == 0) { return -1; } u += v; - v = PQCLEAN_FALCON512PADDED_AVX2_trim_i8_decode( - g, 9, PQCLEAN_FALCON512PADDED_AVX2_max_fg_bits[9], - sk + u, PQCLEAN_FALCON512PADDED_AVX2_CRYPTO_SECRETKEYBYTES - u); + v = PQCLEAN_FALCONPADDED512_AVX2_trim_i8_decode( + g, 9, PQCLEAN_FALCONPADDED512_AVX2_max_fg_bits[9], + sk + u, PQCLEAN_FALCONPADDED512_AVX2_CRYPTO_SECRETKEYBYTES - u); if (v == 0) { return -1; } u += v; - v = PQCLEAN_FALCON512PADDED_AVX2_trim_i8_decode( - F, 9, PQCLEAN_FALCON512PADDED_AVX2_max_FG_bits[9], - sk + u, PQCLEAN_FALCON512PADDED_AVX2_CRYPTO_SECRETKEYBYTES - u); + v = PQCLEAN_FALCONPADDED512_AVX2_trim_i8_decode( + F, 9, PQCLEAN_FALCONPADDED512_AVX2_max_FG_bits[9], + sk + u, PQCLEAN_FALCONPADDED512_AVX2_CRYPTO_SECRETKEYBYTES - u); if (v == 0) { return -1; } u += v; - if (u != PQCLEAN_FALCON512PADDED_AVX2_CRYPTO_SECRETKEYBYTES) { + if (u != PQCLEAN_FALCONPADDED512_AVX2_CRYPTO_SECRETKEYBYTES) { return -1; } - if (!PQCLEAN_FALCON512PADDED_AVX2_complete_private(G, f, g, F, 9, tmp.b)) { + if (!PQCLEAN_FALCONPADDED512_AVX2_complete_private(G, f, g, F, 9, tmp.b)) { return -1; } @@ -182,7 +182,7 @@ do_sign(uint8_t *nonce, uint8_t *sigbuf, size_t sigbuflen, inner_shake256_inject(&sc, nonce, NONCELEN); inner_shake256_inject(&sc, m, mlen); inner_shake256_flip(&sc); - PQCLEAN_FALCON512PADDED_AVX2_hash_to_point_ct(&sc, r.hm, 9, tmp.b); + PQCLEAN_FALCONPADDED512_AVX2_hash_to_point_ct(&sc, r.hm, 9, tmp.b); inner_shake256_ctx_release(&sc); /* 
@@ -198,8 +198,8 @@ do_sign(uint8_t *nonce, uint8_t *sigbuf, size_t sigbuflen, * value is found that fits in the provided buffer. */ for (;;) { - PQCLEAN_FALCON512PADDED_AVX2_sign_dyn(r.sig, &sc, f, g, F, G, r.hm, 9, tmp.b); - v = PQCLEAN_FALCON512PADDED_AVX2_comp_encode(sigbuf, sigbuflen, r.sig, 9); + PQCLEAN_FALCONPADDED512_AVX2_sign_dyn(r.sig, &sc, f, g, F, G, r.hm, 9, tmp.b); + v = PQCLEAN_FALCONPADDED512_AVX2_comp_encode(sigbuf, sigbuflen, r.sig, 9); if (v != 0) { inner_shake256_ctx_release(&sc); memset(sigbuf + v, 0, sigbuflen - v); @@ -233,12 +233,12 @@ do_verify( if (pk[0] != 0x00 + 9) { return -1; } - if (PQCLEAN_FALCON512PADDED_AVX2_modq_decode(h, 9, - pk + 1, PQCLEAN_FALCON512PADDED_AVX2_CRYPTO_PUBLICKEYBYTES - 1) - != PQCLEAN_FALCON512PADDED_AVX2_CRYPTO_PUBLICKEYBYTES - 1) { + if (PQCLEAN_FALCONPADDED512_AVX2_modq_decode(h, 9, + pk + 1, PQCLEAN_FALCONPADDED512_AVX2_CRYPTO_PUBLICKEYBYTES - 1) + != PQCLEAN_FALCONPADDED512_AVX2_CRYPTO_PUBLICKEYBYTES - 1) { return -1; } - PQCLEAN_FALCON512PADDED_AVX2_to_ntt_monty(h, 9); + PQCLEAN_FALCONPADDED512_AVX2_to_ntt_monty(h, 9); /* * Decode signature. @@ -247,12 +247,12 @@ do_verify( return -1; } - v = PQCLEAN_FALCON512PADDED_AVX2_comp_decode(sig, 9, sigbuf, sigbuflen); + v = PQCLEAN_FALCONPADDED512_AVX2_comp_decode(sig, 9, sigbuf, sigbuflen); if (v == 0) { return -1; } if (v != sigbuflen) { - if (sigbuflen == PQCLEAN_FALCON512PADDED_AVX2_CRYPTO_BYTES - NONCELEN - 1) { + if (sigbuflen == PQCLEAN_FALCONPADDED512_AVX2_CRYPTO_BYTES - NONCELEN - 1) { while (v < sigbuflen) { if (sigbuf[v++] != 0) { return -1; 
@@ -270,13 +270,13 @@ do_verify( inner_shake256_inject(&sc, nonce, NONCELEN); inner_shake256_inject(&sc, m, mlen); inner_shake256_flip(&sc); - PQCLEAN_FALCON512PADDED_AVX2_hash_to_point_ct(&sc, hm, 9, tmp.b); + PQCLEAN_FALCONPADDED512_AVX2_hash_to_point_ct(&sc, hm, 9, tmp.b); inner_shake256_ctx_release(&sc); /* * Verify signature. */ - if (!PQCLEAN_FALCON512PADDED_AVX2_verify_raw(hm, sig, h, 9, tmp.b)) { + if (!PQCLEAN_FALCONPADDED512_AVX2_verify_raw(hm, sig, h, 9, tmp.b)) { return -1; } return 0; @@ -284,12 +284,12 @@ do_verify( /* see api.h */ int -PQCLEAN_FALCON512PADDED_AVX2_crypto_sign_signature( +PQCLEAN_FALCONPADDED512_AVX2_crypto_sign_signature( uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk) { size_t vlen; - vlen = PQCLEAN_FALCON512PADDED_AVX2_CRYPTO_BYTES - NONCELEN - 1; + vlen = PQCLEAN_FALCONPADDED512_AVX2_CRYPTO_BYTES - NONCELEN - 1; if (do_sign(sig + 1, sig + 1 + NONCELEN, vlen, m, mlen, sk) < 0) { return -1; } @@ -300,7 +300,7 @@ PQCLEAN_FALCON512PADDED_AVX2_crypto_sign_signature( /* see api.h */ int -PQCLEAN_FALCON512PADDED_AVX2_crypto_sign_verify( +PQCLEAN_FALCONPADDED512_AVX2_crypto_sign_verify( const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk) { if (siglen < 1 + NONCELEN) { @@ -315,7 +315,7 @@ PQCLEAN_FALCON512PADDED_AVX2_crypto_sign_verify( /* see api.h */ int -PQCLEAN_FALCON512PADDED_AVX2_crypto_sign( +PQCLEAN_FALCONPADDED512_AVX2_crypto_sign( uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, const uint8_t *sk) { uint8_t *sigbuf; 
@@ -325,9 +325,9 @@ PQCLEAN_FALCON512PADDED_AVX2_crypto_sign( * Move the message to its final location; this is a memmove() so * it handles overlaps properly. */ - memmove(sm + PQCLEAN_FALCON512PADDED_AVX2_CRYPTO_BYTES, m, mlen); + memmove(sm + PQCLEAN_FALCONPADDED512_AVX2_CRYPTO_BYTES, m, mlen); sigbuf = sm + 1 + NONCELEN; - sigbuflen = PQCLEAN_FALCON512PADDED_AVX2_CRYPTO_BYTES - NONCELEN - 1; + sigbuflen = PQCLEAN_FALCONPADDED512_AVX2_CRYPTO_BYTES - NONCELEN - 1; if (do_sign(sm + 1, sigbuf, sigbuflen, m, mlen, sk) < 0) { return -1; } @@ -339,17 +339,17 @@ PQCLEAN_FALCON512PADDED_AVX2_crypto_sign( /* see api.h */ int -PQCLEAN_FALCON512PADDED_AVX2_crypto_sign_open( +PQCLEAN_FALCONPADDED512_AVX2_crypto_sign_open( uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, const uint8_t *pk) { const uint8_t *sigbuf; size_t pmlen, sigbuflen; - if (smlen < PQCLEAN_FALCON512PADDED_AVX2_CRYPTO_BYTES) { + if (smlen < PQCLEAN_FALCONPADDED512_AVX2_CRYPTO_BYTES) { return -1; } - sigbuflen = PQCLEAN_FALCON512PADDED_AVX2_CRYPTO_BYTES - NONCELEN - 1; - pmlen = smlen - PQCLEAN_FALCON512PADDED_AVX2_CRYPTO_BYTES; + sigbuflen = PQCLEAN_FALCONPADDED512_AVX2_CRYPTO_BYTES - NONCELEN - 1; + pmlen = smlen - PQCLEAN_FALCONPADDED512_AVX2_CRYPTO_BYTES; if (sm[0] != 0x30 + 9) { return -1; } @@ -361,7 +361,7 @@ PQCLEAN_FALCON512PADDED_AVX2_crypto_sign_open( * follows the signature value. */ if (do_verify(sm + 1, sigbuf, sigbuflen, - sm + PQCLEAN_FALCON512PADDED_AVX2_CRYPTO_BYTES, pmlen, pk) < 0) { + sm + PQCLEAN_FALCONPADDED512_AVX2_CRYPTO_BYTES, pmlen, pk) < 0) { return -1; } @@ -370,7 +370,7 @@ PQCLEAN_FALCON512PADDED_AVX2_crypto_sign_open( * to its final destination. The memmove() properly handles * overlaps. */ - memmove(m, sm + PQCLEAN_FALCON512PADDED_AVX2_CRYPTO_BYTES, pmlen); + memmove(m, sm + PQCLEAN_FALCONPADDED512_AVX2_CRYPTO_BYTES, pmlen); *mlen = pmlen; return 0; } 
diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/avx2/rng.c b/Modules/PQClean/crypto_sign/falcon-padded-512/avx2/rng.c similarity index 95% rename from Modules/PQClean/crypto_sign/falcon-512-padded/avx2/rng.c rename to Modules/PQClean/crypto_sign/falcon-padded-512/avx2/rng.c index 6422b29f..203d31f9 100644 --- a/Modules/PQClean/crypto_sign/falcon-512-padded/avx2/rng.c +++ b/Modules/PQClean/crypto_sign/falcon-padded-512/avx2/rng.c @@ -35,9 +35,9 @@ /* see inner.h */ void -PQCLEAN_FALCON512PADDED_AVX2_prng_init(prng *p, inner_shake256_context *src) { +PQCLEAN_FALCONPADDED512_AVX2_prng_init(prng *p, inner_shake256_context *src) { inner_shake256_extract(src, p->state.d, 56); - PQCLEAN_FALCON512PADDED_AVX2_prng_refill(p); + PQCLEAN_FALCONPADDED512_AVX2_prng_refill(p); } /* @@ -55,7 +55,7 @@ PQCLEAN_FALCON512PADDED_AVX2_prng_init(prng *p, inner_shake256_context *src) { * The block counter is XORed into the first 8 bytes of the IV. */ void -PQCLEAN_FALCON512PADDED_AVX2_prng_refill(prng *p) { +PQCLEAN_FALCONPADDED512_AVX2_prng_refill(prng *p) { static const uint32_t CW[] = { 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 @@ -157,7 +157,7 @@ PQCLEAN_FALCON512PADDED_AVX2_prng_refill(prng *p) { /* see inner.h */ void -PQCLEAN_FALCON512PADDED_AVX2_prng_get_bytes(prng *p, void *dst, size_t len) { +PQCLEAN_FALCONPADDED512_AVX2_prng_get_bytes(prng *p, void *dst, size_t len) { uint8_t *buf; buf = dst; @@ -173,7 +173,7 @@ PQCLEAN_FALCON512PADDED_AVX2_prng_get_bytes(prng *p, void *dst, size_t len) { len -= clen; p->ptr += clen; if (p->ptr == sizeof p->buf.d) { - PQCLEAN_FALCON512PADDED_AVX2_prng_refill(p); + PQCLEAN_FALCONPADDED512_AVX2_prng_refill(p); } } } 
diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/avx2/sign.c b/Modules/PQClean/crypto_sign/falcon-padded-512/avx2/sign.c similarity index 86% rename from Modules/PQClean/crypto_sign/falcon-512-padded/avx2/sign.c rename to Modules/PQClean/crypto_sign/falcon-padded-512/avx2/sign.c index f89dd522..0e8eb717 100644 --- a/Modules/PQClean/crypto_sign/falcon-512-padded/avx2/sign.c +++ b/Modules/PQClean/crypto_sign/falcon-padded-512/avx2/sign.c @@ -87,7 +87,7 @@ ffLDL_fft_inner(fpr *tree, * and the diagonal of D. Since d00 = g0, we just write d11 * into tmp. */ - PQCLEAN_FALCON512PADDED_AVX2_poly_LDLmv_fft(tmp, tree, g0, g1, g0, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_LDLmv_fft(tmp, tree, g0, g1, g0, logn); /* * Split d00 (currently in g0) and d11 (currently in tmp). We @@ -95,8 +95,8 @@ ffLDL_fft_inner(fpr *tree, * d00 splits into g1, g1+hn * d11 splits into g0, g0+hn */ - PQCLEAN_FALCON512PADDED_AVX2_poly_split_fft(g1, g1 + hn, g0, logn); - PQCLEAN_FALCON512PADDED_AVX2_poly_split_fft(g0, g0 + hn, tmp, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_split_fft(g1, g1 + hn, g0, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_split_fft(g0, g0 + hn, tmp, logn); /* * Each split result is the first row of a new auto-adjoint @@ -137,10 +137,10 @@ ffLDL_fft(fpr *tree, const fpr *g00, tmp += n << 1; memcpy(d00, g00, n * sizeof * g00); - PQCLEAN_FALCON512PADDED_AVX2_poly_LDLmv_fft(d11, tree, g00, g01, g11, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_LDLmv_fft(d11, tree, g00, g01, g11, logn); - PQCLEAN_FALCON512PADDED_AVX2_poly_split_fft(tmp, tmp + hn, d00, logn); - PQCLEAN_FALCON512PADDED_AVX2_poly_split_fft(d00, d00 + hn, d11, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_split_fft(tmp, tmp + hn, d00, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_split_fft(d00, d00 + hn, d11, logn); memcpy(d11, tmp, n * sizeof * tmp); ffLDL_fft_inner(tree + n, d11, d11 + hn, logn - 1, tmp); 
@@ -224,7 +224,7 @@ skoff_tree(unsigned logn) { /* see inner.h */ void -PQCLEAN_FALCON512PADDED_AVX2_expand_privkey(fpr *expanded_key, +PQCLEAN_FALCONPADDED512_AVX2_expand_privkey(fpr *expanded_key, const int8_t *f, const int8_t *g, const int8_t *F, const int8_t *G, unsigned logn, uint8_t *tmp) { @@ -258,12 +258,12 @@ PQCLEAN_FALCON512PADDED_AVX2_expand_privkey(fpr *expanded_key, /* * Compute the FFT for the key elements, and negate f and F. */ - PQCLEAN_FALCON512PADDED_AVX2_FFT(rf, logn); - PQCLEAN_FALCON512PADDED_AVX2_FFT(rg, logn); - PQCLEAN_FALCON512PADDED_AVX2_FFT(rF, logn); - PQCLEAN_FALCON512PADDED_AVX2_FFT(rG, logn); - PQCLEAN_FALCON512PADDED_AVX2_poly_neg(rf, logn); - PQCLEAN_FALCON512PADDED_AVX2_poly_neg(rF, logn); + PQCLEAN_FALCONPADDED512_AVX2_FFT(rf, logn); + PQCLEAN_FALCONPADDED512_AVX2_FFT(rg, logn); + PQCLEAN_FALCONPADDED512_AVX2_FFT(rF, logn); + PQCLEAN_FALCONPADDED512_AVX2_FFT(rG, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_neg(rf, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_neg(rF, logn); /* * The Gram matrix is G = B·B*. Formulas are: 
@@ -281,22 +281,22 @@ PQCLEAN_FALCON512PADDED_AVX2_expand_privkey(fpr *expanded_key, gxx = g11 + n; memcpy(g00, b00, n * sizeof * b00); - PQCLEAN_FALCON512PADDED_AVX2_poly_mulselfadj_fft(g00, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_mulselfadj_fft(g00, logn); memcpy(gxx, b01, n * sizeof * b01); - PQCLEAN_FALCON512PADDED_AVX2_poly_mulselfadj_fft(gxx, logn); - PQCLEAN_FALCON512PADDED_AVX2_poly_add(g00, gxx, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_mulselfadj_fft(gxx, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_add(g00, gxx, logn); memcpy(g01, b00, n * sizeof * b00); - PQCLEAN_FALCON512PADDED_AVX2_poly_muladj_fft(g01, b10, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_muladj_fft(g01, b10, logn); memcpy(gxx, b01, n * sizeof * b01); - PQCLEAN_FALCON512PADDED_AVX2_poly_muladj_fft(gxx, b11, logn); - PQCLEAN_FALCON512PADDED_AVX2_poly_add(g01, gxx, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_muladj_fft(gxx, b11, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_add(g01, gxx, logn); memcpy(g11, b10, n * sizeof * b10); - PQCLEAN_FALCON512PADDED_AVX2_poly_mulselfadj_fft(g11, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_mulselfadj_fft(g11, logn); memcpy(gxx, b11, n * sizeof * b11); - PQCLEAN_FALCON512PADDED_AVX2_poly_mulselfadj_fft(gxx, logn); - PQCLEAN_FALCON512PADDED_AVX2_poly_add(g11, gxx, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_mulselfadj_fft(gxx, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_add(g11, gxx, logn); /* * Compute the Falcon tree. 
@@ -347,15 +347,15 @@ ffSampling_fft_dyntree(samplerZ samp, void *samp_ctx, * Decompose G into LDL. We only need d00 (identical to g00), * d11, and l10; we do that in place. */ - PQCLEAN_FALCON512PADDED_AVX2_poly_LDL_fft(g00, g01, g11, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_LDL_fft(g00, g01, g11, logn); /* * Split d00 and d11 and expand them into half-size quasi-cyclic * Gram matrices. We also save l10 in tmp[]. */ - PQCLEAN_FALCON512PADDED_AVX2_poly_split_fft(tmp, tmp + hn, g00, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_split_fft(tmp, tmp + hn, g00, logn); memcpy(g00, tmp, n * sizeof * tmp); - PQCLEAN_FALCON512PADDED_AVX2_poly_split_fft(tmp, tmp + hn, g11, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_split_fft(tmp, tmp + hn, g11, logn); memcpy(g11, tmp, n * sizeof * tmp); memcpy(tmp, g01, n * sizeof * g01); memcpy(g01, g00, hn * sizeof * g00); @@ -375,10 +375,10 @@ ffSampling_fft_dyntree(samplerZ samp, void *samp_ctx, * back into tmp + 2*n. */ z1 = tmp + n; - PQCLEAN_FALCON512PADDED_AVX2_poly_split_fft(z1, z1 + hn, t1, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_split_fft(z1, z1 + hn, t1, logn); ffSampling_fft_dyntree(samp, samp_ctx, z1, z1 + hn, g11, g11 + hn, g01 + hn, orig_logn, logn - 1, z1 + n); - PQCLEAN_FALCON512PADDED_AVX2_poly_merge_fft(tmp + (n << 1), z1, z1 + hn, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_merge_fft(tmp + (n << 1), z1, z1 + hn, logn); /* * Compute tb0 = t0 + (t1 - z1) * l10. 
@@ -388,20 +388,20 @@ ffSampling_fft_dyntree(samplerZ samp, void *samp_ctx, * In the end, z1 is written over t1, and tb0 is in t0. */ memcpy(z1, t1, n * sizeof * t1); - PQCLEAN_FALCON512PADDED_AVX2_poly_sub(z1, tmp + (n << 1), logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_sub(z1, tmp + (n << 1), logn); memcpy(t1, tmp + (n << 1), n * sizeof * tmp); - PQCLEAN_FALCON512PADDED_AVX2_poly_mul_fft(tmp, z1, logn); - PQCLEAN_FALCON512PADDED_AVX2_poly_add(t0, tmp, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_mul_fft(tmp, z1, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_add(t0, tmp, logn); /* * Second recursive invocation, on the split tb0 (currently in t0) * and the left sub-tree. */ z0 = tmp; - PQCLEAN_FALCON512PADDED_AVX2_poly_split_fft(z0, z0 + hn, t0, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_split_fft(z0, z0 + hn, t0, logn); ffSampling_fft_dyntree(samp, samp_ctx, z0, z0 + hn, g00, g00 + hn, g01, orig_logn, logn - 1, z0 + n); - PQCLEAN_FALCON512PADDED_AVX2_poly_merge_fft(t0, z0, z0 + hn, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_merge_fft(t0, z0, z0 + hn, logn); } /* 
@@ -600,26 +600,26 @@ ffSampling_fft(samplerZ samp, void *samp_ctx, * the recursive invocation, with output in tmp. We finally * merge back into z1. */ - PQCLEAN_FALCON512PADDED_AVX2_poly_split_fft(z1, z1 + hn, t1, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_split_fft(z1, z1 + hn, t1, logn); ffSampling_fft(samp, samp_ctx, tmp, tmp + hn, tree1, z1, z1 + hn, logn - 1, tmp + n); - PQCLEAN_FALCON512PADDED_AVX2_poly_merge_fft(z1, tmp, tmp + hn, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_merge_fft(z1, tmp, tmp + hn, logn); /* * Compute tb0 = t0 + (t1 - z1) * L. Value tb0 ends up in tmp[]. */ memcpy(tmp, t1, n * sizeof * t1); - PQCLEAN_FALCON512PADDED_AVX2_poly_sub(tmp, z1, logn); - PQCLEAN_FALCON512PADDED_AVX2_poly_mul_fft(tmp, tree, logn); - PQCLEAN_FALCON512PADDED_AVX2_poly_add(tmp, t0, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_sub(tmp, z1, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_mul_fft(tmp, tree, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_add(tmp, t0, logn); /* * Second recursive invocation. */ - PQCLEAN_FALCON512PADDED_AVX2_poly_split_fft(z0, z0 + hn, tmp, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_split_fft(z0, z0 + hn, tmp, logn); ffSampling_fft(samp, samp_ctx, tmp, tmp + hn, tree0, z0, z0 + hn, logn - 1, tmp + n); - PQCLEAN_FALCON512PADDED_AVX2_poly_merge_fft(z0, tmp, tmp + hn, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_merge_fft(z0, tmp, tmp + hn, logn); } /* 
@@ -667,13 +667,13 @@ do_sign_tree(samplerZ samp, void *samp_ctx, int16_t *s2, * Apply the lattice basis to obtain the real target * vector (after normalization with regards to modulus). */ - PQCLEAN_FALCON512PADDED_AVX2_FFT(t0, logn); + PQCLEAN_FALCONPADDED512_AVX2_FFT(t0, logn); ni = fpr_inverse_of_q; memcpy(t1, t0, n * sizeof * t0); - PQCLEAN_FALCON512PADDED_AVX2_poly_mul_fft(t1, b01, logn); - PQCLEAN_FALCON512PADDED_AVX2_poly_mulconst(t1, fpr_neg(ni), logn); - PQCLEAN_FALCON512PADDED_AVX2_poly_mul_fft(t0, b11, logn); - PQCLEAN_FALCON512PADDED_AVX2_poly_mulconst(t0, ni, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_mul_fft(t1, b01, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_mulconst(t1, fpr_neg(ni), logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_mul_fft(t0, b11, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_mulconst(t0, ni, logn); tx = t1 + n; ty = tx + n; @@ -688,18 +688,18 @@ do_sign_tree(samplerZ samp, void *samp_ctx, int16_t *s2, */ memcpy(t0, tx, n * sizeof * tx); memcpy(t1, ty, n * sizeof * ty); - PQCLEAN_FALCON512PADDED_AVX2_poly_mul_fft(tx, b00, logn); - PQCLEAN_FALCON512PADDED_AVX2_poly_mul_fft(ty, b10, logn); - PQCLEAN_FALCON512PADDED_AVX2_poly_add(tx, ty, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_mul_fft(tx, b00, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_mul_fft(ty, b10, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_add(tx, ty, logn); memcpy(ty, t0, n * sizeof * t0); - PQCLEAN_FALCON512PADDED_AVX2_poly_mul_fft(ty, b01, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_mul_fft(ty, b01, logn); memcpy(t0, tx, n * sizeof * tx); - PQCLEAN_FALCON512PADDED_AVX2_poly_mul_fft(t1, b11, logn); - PQCLEAN_FALCON512PADDED_AVX2_poly_add(t1, ty, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_mul_fft(t1, b11, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_add(t1, ty, logn); - PQCLEAN_FALCON512PADDED_AVX2_iFFT(t0, logn); - PQCLEAN_FALCON512PADDED_AVX2_iFFT(t1, logn); + PQCLEAN_FALCONPADDED512_AVX2_iFFT(t0, logn); + PQCLEAN_FALCONPADDED512_AVX2_iFFT(t1, logn); /* * Compute the signature. 
@@ -730,7 +730,7 @@ do_sign_tree(samplerZ samp, void *samp_ctx, int16_t *s2, for (u = 0; u < n; u ++) { s2tmp[u] = (int16_t) - fpr_rint(t1[u]); } - if (PQCLEAN_FALCON512PADDED_AVX2_is_short_half(sqn, s2tmp, logn)) { + if (PQCLEAN_FALCONPADDED512_AVX2_is_short_half(sqn, s2tmp, logn)) { memcpy(s2, s2tmp, n * sizeof * s2); memcpy(tmp, s1tmp, n * sizeof * s1tmp); return 1; @@ -772,12 +772,12 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2, smallints_to_fpr(b00, g, logn); smallints_to_fpr(b11, F, logn); smallints_to_fpr(b10, G, logn); - PQCLEAN_FALCON512PADDED_AVX2_FFT(b01, logn); - PQCLEAN_FALCON512PADDED_AVX2_FFT(b00, logn); - PQCLEAN_FALCON512PADDED_AVX2_FFT(b11, logn); - PQCLEAN_FALCON512PADDED_AVX2_FFT(b10, logn); - PQCLEAN_FALCON512PADDED_AVX2_poly_neg(b01, logn); - PQCLEAN_FALCON512PADDED_AVX2_poly_neg(b11, logn); + PQCLEAN_FALCONPADDED512_AVX2_FFT(b01, logn); + PQCLEAN_FALCONPADDED512_AVX2_FFT(b00, logn); + PQCLEAN_FALCONPADDED512_AVX2_FFT(b11, logn); + PQCLEAN_FALCONPADDED512_AVX2_FFT(b10, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_neg(b01, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_neg(b11, logn); /* * Compute the Gram matrix G = B·B*. Formulas are: 
@@ -797,20 +797,20 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2, t1 = t0 + n; memcpy(t0, b01, n * sizeof * b01); - PQCLEAN_FALCON512PADDED_AVX2_poly_mulselfadj_fft(t0, logn); // t0 <- b01*adj(b01) + PQCLEAN_FALCONPADDED512_AVX2_poly_mulselfadj_fft(t0, logn); // t0 <- b01*adj(b01) memcpy(t1, b00, n * sizeof * b00); - PQCLEAN_FALCON512PADDED_AVX2_poly_muladj_fft(t1, b10, logn); // t1 <- b00*adj(b10) - PQCLEAN_FALCON512PADDED_AVX2_poly_mulselfadj_fft(b00, logn); // b00 <- b00*adj(b00) - PQCLEAN_FALCON512PADDED_AVX2_poly_add(b00, t0, logn); // b00 <- g00 + PQCLEAN_FALCONPADDED512_AVX2_poly_muladj_fft(t1, b10, logn); // t1 <- b00*adj(b10) + PQCLEAN_FALCONPADDED512_AVX2_poly_mulselfadj_fft(b00, logn); // b00 <- b00*adj(b00) + PQCLEAN_FALCONPADDED512_AVX2_poly_add(b00, t0, logn); // b00 <- g00 memcpy(t0, b01, n * sizeof * b01); - PQCLEAN_FALCON512PADDED_AVX2_poly_muladj_fft(b01, b11, logn); // b01 <- b01*adj(b11) - PQCLEAN_FALCON512PADDED_AVX2_poly_add(b01, t1, logn); // b01 <- g01 + PQCLEAN_FALCONPADDED512_AVX2_poly_muladj_fft(b01, b11, logn); // b01 <- b01*adj(b11) + PQCLEAN_FALCONPADDED512_AVX2_poly_add(b01, t1, logn); // b01 <- g01 - PQCLEAN_FALCON512PADDED_AVX2_poly_mulselfadj_fft(b10, logn); // b10 <- b10*adj(b10) + PQCLEAN_FALCONPADDED512_AVX2_poly_mulselfadj_fft(b10, logn); // b10 <- b10*adj(b10) memcpy(t1, b11, n * sizeof * b11); - PQCLEAN_FALCON512PADDED_AVX2_poly_mulselfadj_fft(t1, logn); // t1 <- b11*adj(b11) - PQCLEAN_FALCON512PADDED_AVX2_poly_add(b10, t1, logn); // b10 <- g11 + PQCLEAN_FALCONPADDED512_AVX2_poly_mulselfadj_fft(t1, logn); // t1 <- b11*adj(b11) + PQCLEAN_FALCONPADDED512_AVX2_poly_add(b10, t1, logn); // b10 <- g11 /* * We rename variables to make things clearer. The three elements 
@@ -843,13 +843,13 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2, * Apply the lattice basis to obtain the real target * vector (after normalization with regards to modulus). */ - PQCLEAN_FALCON512PADDED_AVX2_FFT(t0, logn); + PQCLEAN_FALCONPADDED512_AVX2_FFT(t0, logn); ni = fpr_inverse_of_q; memcpy(t1, t0, n * sizeof * t0); - PQCLEAN_FALCON512PADDED_AVX2_poly_mul_fft(t1, b01, logn); - PQCLEAN_FALCON512PADDED_AVX2_poly_mulconst(t1, fpr_neg(ni), logn); - PQCLEAN_FALCON512PADDED_AVX2_poly_mul_fft(t0, b11, logn); - PQCLEAN_FALCON512PADDED_AVX2_poly_mulconst(t0, ni, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_mul_fft(t1, b01, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_mulconst(t1, fpr_neg(ni), logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_mul_fft(t0, b11, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_mulconst(t0, ni, logn); /* * b01 and b11 can be discarded, so we move back (t0,t1). @@ -884,12 +884,12 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2, smallints_to_fpr(b00, g, logn); smallints_to_fpr(b11, F, logn); smallints_to_fpr(b10, G, logn); - PQCLEAN_FALCON512PADDED_AVX2_FFT(b01, logn); - PQCLEAN_FALCON512PADDED_AVX2_FFT(b00, logn); - PQCLEAN_FALCON512PADDED_AVX2_FFT(b11, logn); - PQCLEAN_FALCON512PADDED_AVX2_FFT(b10, logn); - PQCLEAN_FALCON512PADDED_AVX2_poly_neg(b01, logn); - PQCLEAN_FALCON512PADDED_AVX2_poly_neg(b11, logn); + PQCLEAN_FALCONPADDED512_AVX2_FFT(b01, logn); + PQCLEAN_FALCONPADDED512_AVX2_FFT(b00, logn); + PQCLEAN_FALCONPADDED512_AVX2_FFT(b11, logn); + PQCLEAN_FALCONPADDED512_AVX2_FFT(b10, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_neg(b01, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_neg(b11, logn); tx = t1 + n; ty = tx + n; 
@@ -898,17 +898,17 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2, */ memcpy(tx, t0, n * sizeof * t0); memcpy(ty, t1, n * sizeof * t1); - PQCLEAN_FALCON512PADDED_AVX2_poly_mul_fft(tx, b00, logn); - PQCLEAN_FALCON512PADDED_AVX2_poly_mul_fft(ty, b10, logn); - PQCLEAN_FALCON512PADDED_AVX2_poly_add(tx, ty, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_mul_fft(tx, b00, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_mul_fft(ty, b10, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_add(tx, ty, logn); memcpy(ty, t0, n * sizeof * t0); - PQCLEAN_FALCON512PADDED_AVX2_poly_mul_fft(ty, b01, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_mul_fft(ty, b01, logn); memcpy(t0, tx, n * sizeof * tx); - PQCLEAN_FALCON512PADDED_AVX2_poly_mul_fft(t1, b11, logn); - PQCLEAN_FALCON512PADDED_AVX2_poly_add(t1, ty, logn); - PQCLEAN_FALCON512PADDED_AVX2_iFFT(t0, logn); - PQCLEAN_FALCON512PADDED_AVX2_iFFT(t1, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_mul_fft(t1, b11, logn); + PQCLEAN_FALCONPADDED512_AVX2_poly_add(t1, ty, logn); + PQCLEAN_FALCONPADDED512_AVX2_iFFT(t0, logn); + PQCLEAN_FALCONPADDED512_AVX2_iFFT(t1, logn); s1tmp = (int16_t *)tx; sqn = 0; @@ -936,7 +936,7 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2, for (u = 0; u < n; u ++) { s2tmp[u] = (int16_t) - fpr_rint(t1[u]); } - if (PQCLEAN_FALCON512PADDED_AVX2_is_short_half(sqn, s2tmp, logn)) { + if (PQCLEAN_FALCONPADDED512_AVX2_is_short_half(sqn, s2tmp, logn)) { memcpy(s2, s2tmp, n * sizeof * s2); memcpy(tmp, s1tmp, n * sizeof * s1tmp); return 1; @@ -949,7 +949,7 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2, * on zero and standard deviation 1.8205, with a precision of 72 bits. */ int -PQCLEAN_FALCON512PADDED_AVX2_gaussian0_sampler(prng *p) { +PQCLEAN_FALCONPADDED512_AVX2_gaussian0_sampler(prng *p) { /* * High words. 
@@ -1150,7 +1150,7 @@ BerExp(prng *p, fpr x, fpr ccs) { * 0.5 and 1); in Falcon, sigma should always be between 1.2 and 1.9. */ int -PQCLEAN_FALCON512PADDED_AVX2_sampler(void *ctx, fpr mu, fpr isigma) { +PQCLEAN_FALCONPADDED512_AVX2_sampler(void *ctx, fpr mu, fpr isigma) { sampler_context *spc; int s; fpr r, dss, ccs; @@ -1192,7 +1192,7 @@ PQCLEAN_FALCON512PADDED_AVX2_sampler(void *ctx, fpr mu, fpr isigma) { * - b = 0: z <= 0 and sampled against a Gaussian * centered on 0. */ - z0 = PQCLEAN_FALCON512PADDED_AVX2_gaussian0_sampler(&spc->p); + z0 = PQCLEAN_FALCONPADDED512_AVX2_gaussian0_sampler(&spc->p); b = (int)prng_get_u8(&spc->p) & 1; z = b + ((b << 1) - 1) * z0; @@ -1235,7 +1235,7 @@ PQCLEAN_FALCON512PADDED_AVX2_sampler(void *ctx, fpr mu, fpr isigma) { /* see inner.h */ void -PQCLEAN_FALCON512PADDED_AVX2_sign_tree(int16_t *sig, inner_shake256_context *rng, +PQCLEAN_FALCONPADDED512_AVX2_sign_tree(int16_t *sig, inner_shake256_context *rng, const fpr *expanded_key, const uint16_t *hm, unsigned logn, uint8_t *tmp) { fpr *ftmp; @@ -1261,8 +1261,8 @@ PQCLEAN_FALCON512PADDED_AVX2_sign_tree(int16_t *sig, inner_shake256_context *rng * SHAKE context ('rng'). */ spc.sigma_min = fpr_sigma_min[logn]; - PQCLEAN_FALCON512PADDED_AVX2_prng_init(&spc.p, rng); - samp = PQCLEAN_FALCON512PADDED_AVX2_sampler; + PQCLEAN_FALCONPADDED512_AVX2_prng_init(&spc.p, rng); + samp = PQCLEAN_FALCONPADDED512_AVX2_sampler; samp_ctx = &spc; /* @@ -1277,7 +1277,7 @@ PQCLEAN_FALCON512PADDED_AVX2_sign_tree(int16_t *sig, inner_shake256_context *rng /* see inner.h */ void -PQCLEAN_FALCON512PADDED_AVX2_sign_dyn(int16_t *sig, inner_shake256_context *rng, +PQCLEAN_FALCONPADDED512_AVX2_sign_dyn(int16_t *sig, inner_shake256_context *rng, const int8_t *f, const int8_t *g, const int8_t *F, const int8_t *G, const uint16_t *hm, unsigned logn, uint8_t *tmp) { 
@@ -1304,8 +1304,8 @@ PQCLEAN_FALCON512PADDED_AVX2_sign_dyn(int16_t *sig, inner_shake256_context *rng, * SHAKE context ('rng'). */ spc.sigma_min = fpr_sigma_min[logn]; - PQCLEAN_FALCON512PADDED_AVX2_prng_init(&spc.p, rng); - samp = PQCLEAN_FALCON512PADDED_AVX2_sampler; + PQCLEAN_FALCONPADDED512_AVX2_prng_init(&spc.p, rng); + samp = PQCLEAN_FALCONPADDED512_AVX2_sampler; samp_ctx = &spc; /* diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/avx2/vrfy.c b/Modules/PQClean/crypto_sign/falcon-padded-512/avx2/vrfy.c similarity index 98% rename from Modules/PQClean/crypto_sign/falcon-512-padded/avx2/vrfy.c rename to Modules/PQClean/crypto_sign/falcon-padded-512/avx2/vrfy.c index cd968acb..6abf55d1 100644 --- a/Modules/PQClean/crypto_sign/falcon-512-padded/avx2/vrfy.c +++ b/Modules/PQClean/crypto_sign/falcon-padded-512/avx2/vrfy.c @@ -622,14 +622,14 @@ mq_poly_sub(uint16_t *f, const uint16_t *g, unsigned logn) { /* see inner.h */ void -PQCLEAN_FALCON512PADDED_AVX2_to_ntt_monty(uint16_t *h, unsigned logn) { +PQCLEAN_FALCONPADDED512_AVX2_to_ntt_monty(uint16_t *h, unsigned logn) { mq_NTT(h, logn); mq_poly_tomonty(h, logn); } /* see inner.h */ int -PQCLEAN_FALCON512PADDED_AVX2_verify_raw(const uint16_t *c0, const int16_t *s2, +PQCLEAN_FALCONPADDED512_AVX2_verify_raw(const uint16_t *c0, const int16_t *s2, const uint16_t *h, unsigned logn, uint8_t *tmp) { size_t u, n; uint16_t *tt; @@ -671,12 +671,12 @@ PQCLEAN_FALCON512PADDED_AVX2_verify_raw(const uint16_t *c0, const int16_t *s2, * Signature is valid if and only if the aggregate (-s1,s2) vector * is short enough. */ - return PQCLEAN_FALCON512PADDED_AVX2_is_short((int16_t *)tt, s2, logn); + return PQCLEAN_FALCONPADDED512_AVX2_is_short((int16_t *)tt, s2, logn); } /* see inner.h */ int -PQCLEAN_FALCON512PADDED_AVX2_compute_public(uint16_t *h, +PQCLEAN_FALCONPADDED512_AVX2_compute_public(uint16_t *h, const int8_t *f, const int8_t *g, unsigned logn, uint8_t *tmp) { size_t u, n; uint16_t *tt; 
@@ -701,7 +701,7 @@ PQCLEAN_FALCON512PADDED_AVX2_compute_public(uint16_t *h, /* see inner.h */ int -PQCLEAN_FALCON512PADDED_AVX2_complete_private(int8_t *G, +PQCLEAN_FALCONPADDED512_AVX2_complete_private(int8_t *G, const int8_t *f, const int8_t *g, const int8_t *F, unsigned logn, uint8_t *tmp) { size_t u, n; @@ -746,7 +746,7 @@ PQCLEAN_FALCON512PADDED_AVX2_complete_private(int8_t *G, /* see inner.h */ int -PQCLEAN_FALCON512PADDED_AVX2_is_invertible( +PQCLEAN_FALCONPADDED512_AVX2_is_invertible( const int16_t *s2, unsigned logn, uint8_t *tmp) { size_t u, n; uint16_t *tt; @@ -771,7 +771,7 @@ PQCLEAN_FALCON512PADDED_AVX2_is_invertible( /* see inner.h */ int -PQCLEAN_FALCON512PADDED_AVX2_verify_recover(uint16_t *h, +PQCLEAN_FALCONPADDED512_AVX2_verify_recover(uint16_t *h, const uint16_t *c0, const int16_t *s1, const int16_t *s2, unsigned logn, uint8_t *tmp) { size_t u, n; @@ -820,13 +820,13 @@ PQCLEAN_FALCON512PADDED_AVX2_verify_recover(uint16_t *h, * check that the rebuilt public key matches the expected * value (e.g. through a hash). */ - r = ~r & (uint32_t) - PQCLEAN_FALCON512PADDED_AVX2_is_short(s1, s2, logn); + r = ~r & (uint32_t) - PQCLEAN_FALCONPADDED512_AVX2_is_short(s1, s2, logn); return (int)(r >> 31); } /* see inner.h */ int -PQCLEAN_FALCON512PADDED_AVX2_count_nttzero(const int16_t *sig, unsigned logn, uint8_t *tmp) { +PQCLEAN_FALCONPADDED512_AVX2_count_nttzero(const int16_t *sig, unsigned logn, uint8_t *tmp) { uint16_t *s2; size_t u, n; uint32_t r; diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/clean/LICENSE b/Modules/PQClean/crypto_sign/falcon-padded-512/clean/LICENSE similarity index 100% rename from Modules/PQClean/crypto_sign/falcon-512-padded/clean/LICENSE rename to Modules/PQClean/crypto_sign/falcon-padded-512/clean/LICENSE 
diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/clean/Makefile b/Modules/PQClean/crypto_sign/falcon-padded-512/clean/Makefile similarity index 94% rename from Modules/PQClean/crypto_sign/falcon-512-padded/clean/Makefile rename to Modules/PQClean/crypto_sign/falcon-padded-512/clean/Makefile index 323b616a..c81e4712 100644 --- a/Modules/PQClean/crypto_sign/falcon-512-padded/clean/Makefile +++ b/Modules/PQClean/crypto_sign/falcon-padded-512/clean/Makefile @@ -1,6 +1,6 @@ # This Makefile can be used with GNU Make or BSD Make -LIB=libfalcon-512-padded_clean.a +LIB=libfalcon-padded-512_clean.a SOURCES = codec.c common.c fft.c fpr.c keygen.c pqclean.c rng.c sign.c vrfy.c OBJECTS = codec.o common.o fft.o fpr.o keygen.o pqclean.o rng.o sign.o vrfy.o diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/clean/Makefile.Microsoft_nmake b/Modules/PQClean/crypto_sign/falcon-padded-512/clean/Makefile.Microsoft_nmake similarity index 95% rename from Modules/PQClean/crypto_sign/falcon-512-padded/clean/Makefile.Microsoft_nmake rename to Modules/PQClean/crypto_sign/falcon-padded-512/clean/Makefile.Microsoft_nmake index a236d12a..c690bc44 100644 --- a/Modules/PQClean/crypto_sign/falcon-512-padded/clean/Makefile.Microsoft_nmake +++ b/Modules/PQClean/crypto_sign/falcon-padded-512/clean/Makefile.Microsoft_nmake @@ -1,7 +1,7 @@ # This Makefile can be used with Microsoft Visual Studio's nmake using the command: # nmake /f Makefile.Microsoft_nmake -LIBRARY=libfalcon-512-padded_clean.lib +LIBRARY=libfalcon-padded-512_clean.lib OBJECTS=codec.obj common.obj fft.obj fpr.obj keygen.obj pqclean.obj rng.obj sign.obj vrfy.obj # Warning C4146 is raised when a unary minus operator is applied to an 
diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/clean/api.h b/Modules/PQClean/crypto_sign/falcon-padded-512/clean/api.h similarity index 67% rename from Modules/PQClean/crypto_sign/falcon-512-padded/clean/api.h rename to Modules/PQClean/crypto_sign/falcon-padded-512/clean/api.h index 7374057d..47c13146 100644 --- a/Modules/PQClean/crypto_sign/falcon-512-padded/clean/api.h +++ b/Modules/PQClean/crypto_sign/falcon-padded-512/clean/api.h 
@@ -1,37 +1,37 @@ -#ifndef PQCLEAN_FALCON512PADDED_CLEAN_API_H -#define PQCLEAN_FALCON512PADDED_CLEAN_API_H +#ifndef PQCLEAN_FALCONPADDED512_CLEAN_API_H +#define PQCLEAN_FALCONPADDED512_CLEAN_API_H #include #include -#define PQCLEAN_FALCON512PADDED_CLEAN_CRYPTO_SECRETKEYBYTES 1281 -#define PQCLEAN_FALCON512PADDED_CLEAN_CRYPTO_PUBLICKEYBYTES 897 -#define PQCLEAN_FALCON512PADDED_CLEAN_CRYPTO_BYTES 666 +#define PQCLEAN_FALCONPADDED512_CLEAN_CRYPTO_SECRETKEYBYTES 1281 +#define PQCLEAN_FALCONPADDED512_CLEAN_CRYPTO_PUBLICKEYBYTES 897 +#define PQCLEAN_FALCONPADDED512_CLEAN_CRYPTO_BYTES 666 -#define PQCLEAN_FALCON512PADDED_CLEAN_CRYPTO_ALGNAME "Falcon-512 (PADDED)" +#define PQCLEAN_FALCONPADDED512_CLEAN_CRYPTO_ALGNAME "Falcon-padded-512" /* * Generate a new key pair. Public key goes into pk[], private key in sk[]. * Key sizes are exact (in bytes): - * public (pk): PQCLEAN_FALCON512PADDED_CLEAN_CRYPTO_PUBLICKEYBYTES - * private (sk): PQCLEAN_FALCON512PADDED_CLEAN_CRYPTO_SECRETKEYBYTES + * public (pk): PQCLEAN_FALCONPADDED512_CLEAN_CRYPTO_PUBLICKEYBYTES + * private (sk): PQCLEAN_FALCONPADDED512_CLEAN_CRYPTO_SECRETKEYBYTES * * Return value: 0 on success, -1 on error. */ -int PQCLEAN_FALCON512PADDED_CLEAN_crypto_sign_keypair( +int PQCLEAN_FALCONPADDED512_CLEAN_crypto_sign_keypair( uint8_t *pk, uint8_t *sk); /* * Compute a signature on a provided message (m, mlen), with a given * private key (sk). Signature is written in sig[], with length written * into *siglen. Signature length is variable; maximum signature length - * (in bytes) is PQCLEAN_FALCON512PADDED_CLEAN_CRYPTO_BYTES. + * (in bytes) is PQCLEAN_FALCONPADDED512_CLEAN_CRYPTO_BYTES. * * sig[], m[] and sk[] may overlap each other arbitrarily. * * Return value: 0 on success, -1 on error. */ -int PQCLEAN_FALCON512PADDED_CLEAN_crypto_sign_signature( +int PQCLEAN_FALCONPADDED512_CLEAN_crypto_sign_signature( uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk); 
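Review bot: The `CRYPTO_ALGNAME` edit from `"Falcon-512 (PADDED)"` to `"Falcon-padded-512"` is the one line in this hunk that is not a pure identifier rename: it changes a runtime string, so any test harness, KAT metadata or downstream consumer that selects the scheme by matching that name will need the same update, and the commit description would do well to call it out. Separately, the comment above `crypto_sign_signature` still says `Signature length is variable; maximum signature length (in bytes) is PQCLEAN_FALCONPADDED512_CLEAN_CRYPTO_BYTES`, which reads as inherited from the non-padded header; as far as I understand the padded format, the signature is always padded to exactly `CRYPTO_BYTES`, so `Signature length is fixed (in bytes): PQCLEAN_FALCONPADDED512_CLEAN_CRYPTO_BYTES` would describe this variant more accurately. The `by up to ... CRYPTO_BYTES` wording in the `crypto_sign` and `crypto_sign_open` comments of the next hunk has the same origin and could be tightened the same way.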
@@ -43,7 +43,7 @@ int PQCLEAN_FALCON512PADDED_CLEAN_crypto_sign_signature( * * Return value: 0 on success, -1 on error. */ -int PQCLEAN_FALCON512PADDED_CLEAN_crypto_sign_verify( +int PQCLEAN_FALCONPADDED512_CLEAN_crypto_sign_verify( const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk); @@ -51,14 +51,14 @@ int PQCLEAN_FALCON512PADDED_CLEAN_crypto_sign_verify( * Compute a signature on a message and pack the signature and message * into a single object, written into sm[]. The length of that output is * written in *smlen; that length may be larger than the message length - * (mlen) by up to PQCLEAN_FALCON512PADDED_CLEAN_CRYPTO_BYTES. + * (mlen) by up to PQCLEAN_FALCONPADDED512_CLEAN_CRYPTO_BYTES. * * sm[] and m[] may overlap each other arbitrarily; however, sm[] shall * not overlap with sk[]. * * Return value: 0 on success, -1 on error. */ -int PQCLEAN_FALCON512PADDED_CLEAN_crypto_sign( +int PQCLEAN_FALCONPADDED512_CLEAN_crypto_sign( uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, const uint8_t *sk); @@ -67,13 +67,13 @@ int PQCLEAN_FALCON512PADDED_CLEAN_crypto_sign( * on success, the message itself is written into m[] and its length * into *mlen. The message is shorter than the signed message object, * but the size difference depends on the signature value; the difference - * may range up to PQCLEAN_FALCON512PADDED_CLEAN_CRYPTO_BYTES. + * may range up to PQCLEAN_FALCONPADDED512_CLEAN_CRYPTO_BYTES. * * m[], sm[] and pk[] may overlap each other arbitrarily. * * Return value: 0 on success, -1 on error. */ -int PQCLEAN_FALCON512PADDED_CLEAN_crypto_sign_open( +int PQCLEAN_FALCONPADDED512_CLEAN_crypto_sign_open( uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, const uint8_t *pk); 
diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/clean/codec.c b/Modules/PQClean/crypto_sign/falcon-padded-512/clean/codec.c similarity index 96% rename from Modules/PQClean/crypto_sign/falcon-512-padded/clean/codec.c rename to Modules/PQClean/crypto_sign/falcon-padded-512/clean/codec.c index 9e6e5c49..2105122e 100644 --- a/Modules/PQClean/crypto_sign/falcon-512-padded/clean/codec.c +++ b/Modules/PQClean/crypto_sign/falcon-padded-512/clean/codec.c @@ -33,7 +33,7 @@ /* see inner.h */ size_t -PQCLEAN_FALCON512PADDED_CLEAN_modq_encode( +PQCLEAN_FALCONPADDED512_CLEAN_modq_encode( void *out, size_t max_out_len, const uint16_t *x, unsigned logn) { size_t n, out_len, u; @@ -73,7 +73,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_modq_encode( /* see inner.h */ size_t -PQCLEAN_FALCON512PADDED_CLEAN_modq_decode( +PQCLEAN_FALCONPADDED512_CLEAN_modq_decode( uint16_t *x, unsigned logn, const void *in, size_t max_in_len) { size_t n, in_len, u; @@ -112,7 +112,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_modq_decode( /* see inner.h */ size_t -PQCLEAN_FALCON512PADDED_CLEAN_trim_i16_encode( +PQCLEAN_FALCONPADDED512_CLEAN_trim_i16_encode( void *out, size_t max_out_len, const int16_t *x, unsigned logn, unsigned bits) { size_t n, u, out_len; @@ -156,7 +156,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_trim_i16_encode( /* see inner.h */ size_t -PQCLEAN_FALCON512PADDED_CLEAN_trim_i16_decode( +PQCLEAN_FALCONPADDED512_CLEAN_trim_i16_decode( int16_t *x, unsigned logn, unsigned bits, const void *in, size_t max_in_len) { size_t n, in_len; @@ -206,7 +206,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_trim_i16_decode( /* see inner.h */ size_t -PQCLEAN_FALCON512PADDED_CLEAN_trim_i8_encode( +PQCLEAN_FALCONPADDED512_CLEAN_trim_i8_encode( void *out, size_t max_out_len, const int8_t *x, unsigned logn, unsigned bits) { size_t n, u, out_len; 
@@ -250,7 +250,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_trim_i8_encode( /* see inner.h */ size_t -PQCLEAN_FALCON512PADDED_CLEAN_trim_i8_decode( +PQCLEAN_FALCONPADDED512_CLEAN_trim_i8_decode( int8_t *x, unsigned logn, unsigned bits, const void *in, size_t max_in_len) { size_t n, in_len; @@ -299,7 +299,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_trim_i8_decode( /* see inner.h */ size_t -PQCLEAN_FALCON512PADDED_CLEAN_comp_encode( +PQCLEAN_FALCONPADDED512_CLEAN_comp_encode( void *out, size_t max_out_len, const int16_t *x, unsigned logn) { uint8_t *buf; @@ -395,7 +395,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_comp_encode( /* see inner.h */ size_t -PQCLEAN_FALCON512PADDED_CLEAN_comp_decode( +PQCLEAN_FALCONPADDED512_CLEAN_comp_decode( int16_t *x, unsigned logn, const void *in, size_t max_in_len) { const uint8_t *buf; @@ -499,7 +499,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_comp_decode( * of max_fg_bits[] and max_FG_bits[] shall be greater than 8. */ -const uint8_t PQCLEAN_FALCON512PADDED_CLEAN_max_fg_bits[] = { +const uint8_t PQCLEAN_FALCONPADDED512_CLEAN_max_fg_bits[] = { 0, /* unused */ 8, 8, @@ -513,7 +513,7 @@ const uint8_t PQCLEAN_FALCON512PADDED_CLEAN_max_fg_bits[] = { 5 }; -const uint8_t PQCLEAN_FALCON512PADDED_CLEAN_max_FG_bits[] = { +const uint8_t PQCLEAN_FALCONPADDED512_CLEAN_max_FG_bits[] = { 0, /* unused */ 8, 8, @@ -555,7 +555,7 @@ const uint8_t PQCLEAN_FALCON512PADDED_CLEAN_max_FG_bits[] = { * in -2047..2047, i.e. 12 bits. */ -const uint8_t PQCLEAN_FALCON512PADDED_CLEAN_max_sig_bits[] = { +const uint8_t PQCLEAN_FALCONPADDED512_CLEAN_max_sig_bits[] = { 0, /* unused */ 10, 11, diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/clean/common.c b/Modules/PQClean/crypto_sign/falcon-padded-512/clean/common.c similarity index 97% rename from Modules/PQClean/crypto_sign/falcon-512-padded/clean/common.c rename to Modules/PQClean/crypto_sign/falcon-padded-512/clean/common.c index 2695488a..74e88e90 100644 --- a/Modules/PQClean/crypto_sign/falcon-512-padded/clean/common.c 
+++ b/Modules/PQClean/crypto_sign/falcon-padded-512/clean/common.c @@ -33,7 +33,7 @@ /* see inner.h */ void -PQCLEAN_FALCON512PADDED_CLEAN_hash_to_point_vartime( +PQCLEAN_FALCONPADDED512_CLEAN_hash_to_point_vartime( inner_shake256_context *sc, uint16_t *x, unsigned logn) { /* @@ -67,7 +67,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_hash_to_point_vartime( /* see inner.h */ void -PQCLEAN_FALCON512PADDED_CLEAN_hash_to_point_ct( +PQCLEAN_FALCONPADDED512_CLEAN_hash_to_point_ct( inner_shake256_context *sc, uint16_t *x, unsigned logn, uint8_t *tmp) { /* @@ -252,7 +252,7 @@ static const uint32_t l2bound[] = { /* see inner.h */ int -PQCLEAN_FALCON512PADDED_CLEAN_is_short( +PQCLEAN_FALCONPADDED512_CLEAN_is_short( const int16_t *s1, const int16_t *s2, unsigned logn) { /* * We use the l2-norm. Code below uses only 32-bit operations to @@ -282,7 +282,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_is_short( /* see inner.h */ int -PQCLEAN_FALCON512PADDED_CLEAN_is_short_half( +PQCLEAN_FALCONPADDED512_CLEAN_is_short_half( uint32_t sqn, const int16_t *s2, unsigned logn) { size_t n, u; uint32_t ng; diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/clean/fft.c b/Modules/PQClean/crypto_sign/falcon-padded-512/clean/fft.c similarity index 95% rename from Modules/PQClean/crypto_sign/falcon-512-padded/clean/fft.c rename to Modules/PQClean/crypto_sign/falcon-padded-512/clean/fft.c index c2aadc4d..011fbe11 100644 --- a/Modules/PQClean/crypto_sign/falcon-512-padded/clean/fft.c +++ b/Modules/PQClean/crypto_sign/falcon-padded-512/clean/fft.c @@ -168,7 +168,7 @@ /* see inner.h */ void -PQCLEAN_FALCON512PADDED_CLEAN_FFT(fpr *f, unsigned logn) { +PQCLEAN_FALCONPADDED512_CLEAN_FFT(fpr *f, unsigned logn) { /* * FFT algorithm in bit-reversal order uses the following * iterative algorithm: 
@@ -248,7 +248,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_FFT(fpr *f, unsigned logn) { /* see inner.h */ void -PQCLEAN_FALCON512PADDED_CLEAN_iFFT(fpr *f, unsigned logn) { +PQCLEAN_FALCONPADDED512_CLEAN_iFFT(fpr *f, unsigned logn) { /* * Inverse FFT algorithm in bit-reversal order uses the following * iterative algorithm: @@ -344,7 +344,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_iFFT(fpr *f, unsigned logn) { /* see inner.h */ void -PQCLEAN_FALCON512PADDED_CLEAN_poly_add( +PQCLEAN_FALCONPADDED512_CLEAN_poly_add( fpr *a, const fpr *b, unsigned logn) { size_t n, u; @@ -356,7 +356,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_poly_add( /* see inner.h */ void -PQCLEAN_FALCON512PADDED_CLEAN_poly_sub( +PQCLEAN_FALCONPADDED512_CLEAN_poly_sub( fpr *a, const fpr *b, unsigned logn) { size_t n, u; @@ -368,7 +368,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_poly_sub( /* see inner.h */ void -PQCLEAN_FALCON512PADDED_CLEAN_poly_neg(fpr *a, unsigned logn) { +PQCLEAN_FALCONPADDED512_CLEAN_poly_neg(fpr *a, unsigned logn) { size_t n, u; n = (size_t)1 << logn; @@ -379,7 +379,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_poly_neg(fpr *a, unsigned logn) { /* see inner.h */ void -PQCLEAN_FALCON512PADDED_CLEAN_poly_adj_fft(fpr *a, unsigned logn) { +PQCLEAN_FALCONPADDED512_CLEAN_poly_adj_fft(fpr *a, unsigned logn) { size_t n, u; n = (size_t)1 << logn; @@ -390,7 +390,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_poly_adj_fft(fpr *a, unsigned logn) { /* see inner.h */ void -PQCLEAN_FALCON512PADDED_CLEAN_poly_mul_fft( +PQCLEAN_FALCONPADDED512_CLEAN_poly_mul_fft( fpr *a, const fpr *b, unsigned logn) { size_t n, hn, u; @@ -409,7 +409,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_poly_mul_fft( /* see inner.h */ void -PQCLEAN_FALCON512PADDED_CLEAN_poly_muladj_fft( +PQCLEAN_FALCONPADDED512_CLEAN_poly_muladj_fft( fpr *a, const fpr *b, unsigned logn) { size_t n, hn, u; 
@@ -428,7 +428,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_poly_muladj_fft( /* see inner.h */ void -PQCLEAN_FALCON512PADDED_CLEAN_poly_mulselfadj_fft(fpr *a, unsigned logn) { +PQCLEAN_FALCONPADDED512_CLEAN_poly_mulselfadj_fft(fpr *a, unsigned logn) { /* * Since each coefficient is multiplied with its own conjugate, * the result contains only real values. @@ -449,7 +449,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_poly_mulselfadj_fft(fpr *a, unsigned logn) { /* see inner.h */ void -PQCLEAN_FALCON512PADDED_CLEAN_poly_mulconst(fpr *a, fpr x, unsigned logn) { +PQCLEAN_FALCONPADDED512_CLEAN_poly_mulconst(fpr *a, fpr x, unsigned logn) { size_t n, u; n = (size_t)1 << logn; @@ -460,7 +460,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_poly_mulconst(fpr *a, fpr x, unsigned logn) { /* see inner.h */ void -PQCLEAN_FALCON512PADDED_CLEAN_poly_div_fft( +PQCLEAN_FALCONPADDED512_CLEAN_poly_div_fft( fpr *a, const fpr *b, unsigned logn) { size_t n, hn, u; @@ -479,7 +479,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_poly_div_fft( /* see inner.h */ void -PQCLEAN_FALCON512PADDED_CLEAN_poly_invnorm2_fft(fpr *d, +PQCLEAN_FALCONPADDED512_CLEAN_poly_invnorm2_fft(fpr *d, const fpr *a, const fpr *b, unsigned logn) { size_t n, hn, u; @@ -501,7 +501,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_poly_invnorm2_fft(fpr *d, /* see inner.h */ void -PQCLEAN_FALCON512PADDED_CLEAN_poly_add_muladj_fft(fpr *d, +PQCLEAN_FALCONPADDED512_CLEAN_poly_add_muladj_fft(fpr *d, const fpr *F, const fpr *G, const fpr *f, const fpr *g, unsigned logn) { size_t n, hn, u; @@ -531,7 +531,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_poly_add_muladj_fft(fpr *d, /* see inner.h */ void -PQCLEAN_FALCON512PADDED_CLEAN_poly_mul_autoadj_fft( +PQCLEAN_FALCONPADDED512_CLEAN_poly_mul_autoadj_fft( fpr *a, const fpr *b, unsigned logn) { size_t n, hn, u; 
@@ -545,7 +545,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_poly_mul_autoadj_fft( /* see inner.h */ void -PQCLEAN_FALCON512PADDED_CLEAN_poly_div_autoadj_fft( +PQCLEAN_FALCONPADDED512_CLEAN_poly_div_autoadj_fft( fpr *a, const fpr *b, unsigned logn) { size_t n, hn, u; @@ -562,7 +562,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_poly_div_autoadj_fft( /* see inner.h */ void -PQCLEAN_FALCON512PADDED_CLEAN_poly_LDL_fft( +PQCLEAN_FALCONPADDED512_CLEAN_poly_LDL_fft( const fpr *g00, fpr *g01, fpr *g11, unsigned logn) { size_t n, hn, u; @@ -589,7 +589,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_poly_LDL_fft( /* see inner.h */ void -PQCLEAN_FALCON512PADDED_CLEAN_poly_LDLmv_fft( +PQCLEAN_FALCONPADDED512_CLEAN_poly_LDLmv_fft( fpr *d11, fpr *l10, const fpr *g00, const fpr *g01, const fpr *g11, unsigned logn) { @@ -617,7 +617,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_poly_LDLmv_fft( /* see inner.h */ void -PQCLEAN_FALCON512PADDED_CLEAN_poly_split_fft( +PQCLEAN_FALCONPADDED512_CLEAN_poly_split_fft( fpr *f0, fpr *f1, const fpr *f, unsigned logn) { /* @@ -665,7 +665,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_poly_split_fft( /* see inner.h */ void -PQCLEAN_FALCON512PADDED_CLEAN_poly_merge_fft( +PQCLEAN_FALCONPADDED512_CLEAN_poly_merge_fft( fpr *f, const fpr *f0, const fpr *f1, unsigned logn) { size_t n, hn, qn, u; diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/clean/fpr.c b/Modules/PQClean/crypto_sign/falcon-padded-512/clean/fpr.c similarity index 100% rename from Modules/PQClean/crypto_sign/falcon-512-padded/clean/fpr.c rename to Modules/PQClean/crypto_sign/falcon-padded-512/clean/fpr.c diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/clean/fpr.h b/Modules/PQClean/crypto_sign/falcon-padded-512/clean/fpr.h similarity index 97% rename from Modules/PQClean/crypto_sign/falcon-512-padded/clean/fpr.h rename to Modules/PQClean/crypto_sign/falcon-padded-512/clean/fpr.h index 56fd1133..beab1ab6 100644 --- a/Modules/PQClean/crypto_sign/falcon-512-padded/clean/fpr.h 
+++ b/Modules/PQClean/crypto_sign/falcon-padded-512/clean/fpr.h @@ -210,7 +210,7 @@ FPR(int s, int e, uint64_t m) { return x; } -#define fpr_scaled PQCLEAN_FALCON512PADDED_CLEAN_fpr_scaled +#define fpr_scaled PQCLEAN_FALCONPADDED512_CLEAN_fpr_scaled fpr fpr_scaled(int64_t i, int sc); static inline fpr @@ -384,7 +384,7 @@ fpr_trunc(fpr x) { return *(int64_t *)&xu; } -#define fpr_add PQCLEAN_FALCON512PADDED_CLEAN_fpr_add +#define fpr_add PQCLEAN_FALCONPADDED512_CLEAN_fpr_add fpr fpr_add(fpr x, fpr y); static inline fpr @@ -424,7 +424,7 @@ fpr_double(fpr x) { return x; } -#define fpr_mul PQCLEAN_FALCON512PADDED_CLEAN_fpr_mul +#define fpr_mul PQCLEAN_FALCONPADDED512_CLEAN_fpr_mul fpr fpr_mul(fpr x, fpr y); static inline fpr @@ -432,7 +432,7 @@ fpr_sqr(fpr x) { return fpr_mul(x, x); } -#define fpr_div PQCLEAN_FALCON512PADDED_CLEAN_fpr_div +#define fpr_div PQCLEAN_FALCONPADDED512_CLEAN_fpr_div fpr fpr_div(fpr x, fpr y); static inline fpr @@ -440,7 +440,7 @@ fpr_inv(fpr x) { return fpr_div(4607182418800017408u, x); } -#define fpr_sqrt PQCLEAN_FALCON512PADDED_CLEAN_fpr_sqrt +#define fpr_sqrt PQCLEAN_FALCONPADDED512_CLEAN_fpr_sqrt fpr fpr_sqrt(fpr x); static inline int @@ -479,13 +479,13 @@ fpr_lt(fpr x, fpr y) { * Compute exp(x) for x such that |x| <= ln 2. We want a precision of 50 * bits or so. */ -#define fpr_expm_p63 PQCLEAN_FALCON512PADDED_CLEAN_fpr_expm_p63 +#define fpr_expm_p63 PQCLEAN_FALCONPADDED512_CLEAN_fpr_expm_p63 uint64_t fpr_expm_p63(fpr x, fpr ccs); -#define fpr_gm_tab PQCLEAN_FALCON512PADDED_CLEAN_fpr_gm_tab +#define fpr_gm_tab PQCLEAN_FALCONPADDED512_CLEAN_fpr_gm_tab extern const fpr fpr_gm_tab[]; -#define fpr_p2_tab PQCLEAN_FALCON512PADDED_CLEAN_fpr_p2_tab +#define fpr_p2_tab PQCLEAN_FALCONPADDED512_CLEAN_fpr_p2_tab extern const fpr fpr_p2_tab[]; /* ====================================================================== */ 
diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/clean/inner.h b/Modules/PQClean/crypto_sign/falcon-padded-512/clean/inner.h similarity index 88% rename from Modules/PQClean/crypto_sign/falcon-512-padded/clean/inner.h rename to Modules/PQClean/crypto_sign/falcon-padded-512/clean/inner.h index fb7750fa..361f0626 100644 --- a/Modules/PQClean/crypto_sign/falcon-512-padded/clean/inner.h +++ b/Modules/PQClean/crypto_sign/falcon-padded-512/clean/inner.h @@ -42,7 +42,7 @@ * * * - All public functions (i.e. the non-static ones) must be referenced - * with the PQCLEAN_FALCON512PADDED_CLEAN_ macro (e.g. PQCLEAN_FALCON512PADDED_CLEAN_verify_raw for the verify_raw() + * with the PQCLEAN_FALCONPADDED512_CLEAN_ macro (e.g. PQCLEAN_FALCONPADDED512_CLEAN_verify_raw for the verify_raw() * function). That macro adds a prefix to the name, which is * configurable with the FALCON_PREFIX macro. This allows compiling * the code into a specific "namespace" and potentially including @@ -65,7 +65,7 @@ * word. The caller MUST use set_fpu_cw() to ensure proper precision: * * oldcw = set_fpu_cw(2); - * PQCLEAN_FALCON512PADDED_CLEAN_sign_dyn(...); + * PQCLEAN_FALCONPADDED512_CLEAN_sign_dyn(...); * set_fpu_cw(oldcw); * * On systems where the native floating-point precision is already 
@@ -155,22 +155,22 @@ set_fpu_cw(unsigned x) { * */ -size_t PQCLEAN_FALCON512PADDED_CLEAN_modq_encode(void *out, size_t max_out_len, +size_t PQCLEAN_FALCONPADDED512_CLEAN_modq_encode(void *out, size_t max_out_len, const uint16_t *x, unsigned logn); -size_t PQCLEAN_FALCON512PADDED_CLEAN_trim_i16_encode(void *out, size_t max_out_len, +size_t PQCLEAN_FALCONPADDED512_CLEAN_trim_i16_encode(void *out, size_t max_out_len, const int16_t *x, unsigned logn, unsigned bits); -size_t PQCLEAN_FALCON512PADDED_CLEAN_trim_i8_encode(void *out, size_t max_out_len, +size_t PQCLEAN_FALCONPADDED512_CLEAN_trim_i8_encode(void *out, size_t max_out_len, const int8_t *x, unsigned logn, unsigned bits); -size_t PQCLEAN_FALCON512PADDED_CLEAN_comp_encode(void *out, size_t max_out_len, +size_t PQCLEAN_FALCONPADDED512_CLEAN_comp_encode(void *out, size_t max_out_len, const int16_t *x, unsigned logn); -size_t PQCLEAN_FALCON512PADDED_CLEAN_modq_decode(uint16_t *x, unsigned logn, +size_t PQCLEAN_FALCONPADDED512_CLEAN_modq_decode(uint16_t *x, unsigned logn, const void *in, size_t max_in_len); -size_t PQCLEAN_FALCON512PADDED_CLEAN_trim_i16_decode(int16_t *x, unsigned logn, unsigned bits, +size_t PQCLEAN_FALCONPADDED512_CLEAN_trim_i16_decode(int16_t *x, unsigned logn, unsigned bits, const void *in, size_t max_in_len); -size_t PQCLEAN_FALCON512PADDED_CLEAN_trim_i8_decode(int8_t *x, unsigned logn, unsigned bits, +size_t PQCLEAN_FALCONPADDED512_CLEAN_trim_i8_decode(int8_t *x, unsigned logn, unsigned bits, const void *in, size_t max_in_len); -size_t PQCLEAN_FALCON512PADDED_CLEAN_comp_decode(int16_t *x, unsigned logn, +size_t PQCLEAN_FALCONPADDED512_CLEAN_comp_decode(int16_t *x, unsigned logn, const void *in, size_t max_in_len); /* 
@@ -178,14 +178,14 @@ size_t PQCLEAN_FALCON512PADDED_CLEAN_comp_decode(int16_t *x, unsigned logn, * is at most 8 bits for all degrees, but some degrees may have shorter * elements. */ -extern const uint8_t PQCLEAN_FALCON512PADDED_CLEAN_max_fg_bits[]; -extern const uint8_t PQCLEAN_FALCON512PADDED_CLEAN_max_FG_bits[]; +extern const uint8_t PQCLEAN_FALCONPADDED512_CLEAN_max_fg_bits[]; +extern const uint8_t PQCLEAN_FALCONPADDED512_CLEAN_max_FG_bits[]; /* * Maximum size, in bits, of elements in a signature, indexed by logn * (1 to 10). The size includes the sign bit. */ -extern const uint8_t PQCLEAN_FALCON512PADDED_CLEAN_max_sig_bits[]; +extern const uint8_t PQCLEAN_FALCONPADDED512_CLEAN_max_sig_bits[]; /* ==================================================================== */ /* @@ -199,18 +199,18 @@ extern const uint8_t PQCLEAN_FALCON512PADDED_CLEAN_max_sig_bits[]; * information to serve as a stop condition on a brute force attack on * the hashed message (provided that the nonce value is known). */ -void PQCLEAN_FALCON512PADDED_CLEAN_hash_to_point_vartime(inner_shake256_context *sc, +void PQCLEAN_FALCONPADDED512_CLEAN_hash_to_point_vartime(inner_shake256_context *sc, uint16_t *x, unsigned logn); /* * From a SHAKE256 context (must be already flipped), produce a new * point. The temporary buffer (tmp) must have room for 2*2^logn bytes. * This function is constant-time but is typically more expensive than - * PQCLEAN_FALCON512PADDED_CLEAN_hash_to_point_vartime(). + * PQCLEAN_FALCONPADDED512_CLEAN_hash_to_point_vartime(). * * tmp[] must have 16-bit alignment. */ -void PQCLEAN_FALCON512PADDED_CLEAN_hash_to_point_ct(inner_shake256_context *sc, +void PQCLEAN_FALCONPADDED512_CLEAN_hash_to_point_ct(inner_shake256_context *sc, uint16_t *x, unsigned logn, uint8_t *tmp); /* 
@@ -219,7 +219,7 @@ void PQCLEAN_FALCON512PADDED_CLEAN_hash_to_point_ct(inner_shake256_context *sc, * vector with the acceptance bound. Returned value is 1 on success * (vector is short enough to be acceptable), 0 otherwise. */ -int PQCLEAN_FALCON512PADDED_CLEAN_is_short(const int16_t *s1, const int16_t *s2, unsigned logn); +int PQCLEAN_FALCONPADDED512_CLEAN_is_short(const int16_t *s1, const int16_t *s2, unsigned logn); /* * Tell whether a given vector (2N coordinates, in two halves) is @@ -231,7 +231,7 @@ int PQCLEAN_FALCON512PADDED_CLEAN_is_short(const int16_t *s1, const int16_t *s2, * Returned value is 1 on success (vector is short enough to be * acceptable), 0 otherwise. */ -int PQCLEAN_FALCON512PADDED_CLEAN_is_short_half(uint32_t sqn, const int16_t *s2, unsigned logn); +int PQCLEAN_FALCONPADDED512_CLEAN_is_short_half(uint32_t sqn, const int16_t *s2, unsigned logn); /* ==================================================================== */ /* @@ -242,7 +242,7 @@ int PQCLEAN_FALCON512PADDED_CLEAN_is_short_half(uint32_t sqn, const int16_t *s2, * Convert a public key to NTT + Montgomery format. Conversion is done * in place. */ -void PQCLEAN_FALCON512PADDED_CLEAN_to_ntt_monty(uint16_t *h, unsigned logn); +void PQCLEAN_FALCONPADDED512_CLEAN_to_ntt_monty(uint16_t *h, unsigned logn); /* * Internal signature verification code: @@ -255,7 +255,7 @@ void PQCLEAN_FALCON512PADDED_CLEAN_to_ntt_monty(uint16_t *h, unsigned logn); * * tmp[] must have 16-bit alignment. */ -int PQCLEAN_FALCON512PADDED_CLEAN_verify_raw(const uint16_t *c0, const int16_t *s2, +int PQCLEAN_FALCONPADDED512_CLEAN_verify_raw(const uint16_t *c0, const int16_t *s2, const uint16_t *h, unsigned logn, uint8_t *tmp); /* 
@@ -267,7 +267,7 @@ int PQCLEAN_FALCON512PADDED_CLEAN_verify_raw(const uint16_t *c0, const int16_t * * The tmp[] array must have room for at least 2*2^logn elements. * tmp[] must have 16-bit alignment. */ -int PQCLEAN_FALCON512PADDED_CLEAN_compute_public(uint16_t *h, +int PQCLEAN_FALCONPADDED512_CLEAN_compute_public(uint16_t *h, const int8_t *f, const int8_t *g, unsigned logn, uint8_t *tmp); /* @@ -281,7 +281,7 @@ int PQCLEAN_FALCON512PADDED_CLEAN_compute_public(uint16_t *h, * Returned value is 1 in success, 0 on error (f not invertible). * tmp[] must have 16-bit alignment. */ -int PQCLEAN_FALCON512PADDED_CLEAN_complete_private(int8_t *G, +int PQCLEAN_FALCONPADDED512_CLEAN_complete_private(int8_t *G, const int8_t *f, const int8_t *g, const int8_t *F, unsigned logn, uint8_t *tmp); @@ -291,7 +291,7 @@ int PQCLEAN_FALCON512PADDED_CLEAN_complete_private(int8_t *G, * * tmp[] must have 16-bit alignment. */ -int PQCLEAN_FALCON512PADDED_CLEAN_is_invertible( +int PQCLEAN_FALCONPADDED512_CLEAN_is_invertible( const int16_t *s2, unsigned logn, uint8_t *tmp); /* @@ -302,7 +302,7 @@ int PQCLEAN_FALCON512PADDED_CLEAN_is_invertible( * * tmp[] must have 16-bit alignment. */ -int PQCLEAN_FALCON512PADDED_CLEAN_count_nttzero(const int16_t *sig, unsigned logn, uint8_t *tmp); +int PQCLEAN_FALCONPADDED512_CLEAN_count_nttzero(const int16_t *sig, unsigned logn, uint8_t *tmp); /* * Internal signature verification with public key recovery: @@ -322,7 +322,7 @@ int PQCLEAN_FALCON512PADDED_CLEAN_count_nttzero(const int16_t *sig, unsigned log * * tmp[] must have 16-bit alignment. */ -int PQCLEAN_FALCON512PADDED_CLEAN_verify_recover(uint16_t *h, +int PQCLEAN_FALCONPADDED512_CLEAN_verify_recover(uint16_t *h, const uint16_t *c0, const int16_t *s1, const int16_t *s2, unsigned logn, uint8_t *tmp); 
@@ -443,7 +443,7 @@ int PQCLEAN_FALCON512PADDED_CLEAN_verify_recover(uint16_t *h, * * Returned value is 1 on success, 0 on error. */ -int PQCLEAN_FALCON512PADDED_CLEAN_get_seed(void *seed, size_t seed_len); +int PQCLEAN_FALCONPADDED512_CLEAN_get_seed(void *seed, size_t seed_len); /* * Structure for a PRNG. This includes a large buffer so that values @@ -470,18 +470,18 @@ typedef struct { * Instantiate a PRNG. That PRNG will feed over the provided SHAKE256 * context (in "flipped" state) to obtain its initial state. */ -void PQCLEAN_FALCON512PADDED_CLEAN_prng_init(prng *p, inner_shake256_context *src); +void PQCLEAN_FALCONPADDED512_CLEAN_prng_init(prng *p, inner_shake256_context *src); /* * Refill the PRNG buffer. This is normally invoked automatically, and * is declared here only so that prng_get_u64() may be inlined. */ -void PQCLEAN_FALCON512PADDED_CLEAN_prng_refill(prng *p); +void PQCLEAN_FALCONPADDED512_CLEAN_prng_refill(prng *p); /* * Get some bytes from a PRNG. */ -void PQCLEAN_FALCON512PADDED_CLEAN_prng_get_bytes(prng *p, void *dst, size_t len); +void PQCLEAN_FALCONPADDED512_CLEAN_prng_get_bytes(prng *p, void *dst, size_t len); /* * Get a 64-bit random value from a PRNG. @@ -498,7 +498,7 @@ prng_get_u64(prng *p) { */ u = p->ptr; if (u >= (sizeof p->buf.d) - 9) { - PQCLEAN_FALCON512PADDED_CLEAN_prng_refill(p); + PQCLEAN_FALCONPADDED512_CLEAN_prng_refill(p); u = 0; } p->ptr = u + 8; @@ -522,7 +522,7 @@ prng_get_u8(prng *p) { v = p->buf.d[p->ptr ++]; if (p->ptr == sizeof p->buf.d) { - PQCLEAN_FALCON512PADDED_CLEAN_prng_refill(p); + PQCLEAN_FALCONPADDED512_CLEAN_prng_refill(p); } return v; } @@ -545,7 +545,7 @@ prng_get_u8(prng *p) { * * 'logn' MUST lie between 1 and 10 (inclusive). */ -void PQCLEAN_FALCON512PADDED_CLEAN_FFT(fpr *f, unsigned logn); +void PQCLEAN_FALCONPADDED512_CLEAN_FFT(fpr *f, unsigned logn); /* * Compute the inverse FFT in-place: the source array should contain the 
@@ -555,61 +555,61 @@ void PQCLEAN_FALCON512PADDED_CLEAN_FFT(fpr *f, unsigned logn);
  *
  * 'logn' MUST lie between 1 and 10 (inclusive).
  */
-void PQCLEAN_FALCON512PADDED_CLEAN_iFFT(fpr *f, unsigned logn);
+void PQCLEAN_FALCONPADDED512_CLEAN_iFFT(fpr *f, unsigned logn);
 
 /*
  * Add polynomial b to polynomial a. a and b MUST NOT overlap. This
  * function works in both normal and FFT representations.
  */
-void PQCLEAN_FALCON512PADDED_CLEAN_poly_add(fpr *a, const fpr *b, unsigned logn);
+void PQCLEAN_FALCONPADDED512_CLEAN_poly_add(fpr *a, const fpr *b, unsigned logn);
 
 /*
  * Subtract polynomial b from polynomial a. a and b MUST NOT overlap. This
  * function works in both normal and FFT representations.
  */
-void PQCLEAN_FALCON512PADDED_CLEAN_poly_sub(fpr *a, const fpr *b, unsigned logn);
+void PQCLEAN_FALCONPADDED512_CLEAN_poly_sub(fpr *a, const fpr *b, unsigned logn);
 
 /*
  * Negate polynomial a. This function works in both normal and FFT
  * representations.
  */
-void PQCLEAN_FALCON512PADDED_CLEAN_poly_neg(fpr *a, unsigned logn);
+void PQCLEAN_FALCONPADDED512_CLEAN_poly_neg(fpr *a, unsigned logn);
 
 /*
  * Compute adjoint of polynomial a. This function works only in FFT
  * representation.
  */
-void PQCLEAN_FALCON512PADDED_CLEAN_poly_adj_fft(fpr *a, unsigned logn);
+void PQCLEAN_FALCONPADDED512_CLEAN_poly_adj_fft(fpr *a, unsigned logn);
 
 /*
  * Multiply polynomial a with polynomial b. a and b MUST NOT overlap.
  * This function works only in FFT representation.
  */
-void PQCLEAN_FALCON512PADDED_CLEAN_poly_mul_fft(fpr *a, const fpr *b, unsigned logn);
+void PQCLEAN_FALCONPADDED512_CLEAN_poly_mul_fft(fpr *a, const fpr *b, unsigned logn);
 
 /*
  * Multiply polynomial a with the adjoint of polynomial b. a and b MUST NOT
  * overlap. This function works only in FFT representation.
  */
-void PQCLEAN_FALCON512PADDED_CLEAN_poly_muladj_fft(fpr *a, const fpr *b, unsigned logn);
+void PQCLEAN_FALCONPADDED512_CLEAN_poly_muladj_fft(fpr *a, const fpr *b, unsigned logn);
 
 /*
  * Multiply polynomial with its own adjoint. This function works only in FFT
  * representation.
  */
-void PQCLEAN_FALCON512PADDED_CLEAN_poly_mulselfadj_fft(fpr *a, unsigned logn);
+void PQCLEAN_FALCONPADDED512_CLEAN_poly_mulselfadj_fft(fpr *a, unsigned logn);
 
 /*
  * Multiply polynomial with a real constant. This function works in both
  * normal and FFT representations.
  */
-void PQCLEAN_FALCON512PADDED_CLEAN_poly_mulconst(fpr *a, fpr x, unsigned logn);
+void PQCLEAN_FALCONPADDED512_CLEAN_poly_mulconst(fpr *a, fpr x, unsigned logn);
 
 /*
  * Divide polynomial a by polynomial b, modulo X^N+1 (FFT representation).
  * a and b MUST NOT overlap.
  */
-void PQCLEAN_FALCON512PADDED_CLEAN_poly_div_fft(fpr *a, const fpr *b, unsigned logn);
+void PQCLEAN_FALCONPADDED512_CLEAN_poly_div_fft(fpr *a, const fpr *b, unsigned logn);
 
 /*
  * Given f and g (in FFT representation), compute 1/(f*adj(f)+g*adj(g))
@@ -619,7 +619,7 @@ void PQCLEAN_FALCON512PADDED_CLEAN_poly_div_fft(fpr *a, const fpr *b, unsigned l
  *
  * Array d MUST NOT overlap with either a or b.
  */
-void PQCLEAN_FALCON512PADDED_CLEAN_poly_invnorm2_fft(fpr *d,
+void PQCLEAN_FALCONPADDED512_CLEAN_poly_invnorm2_fft(fpr *d,
         const fpr *a, const fpr *b, unsigned logn);
 
 /*
@@ -627,7 +627,7 @@ void PQCLEAN_FALCON512PADDED_CLEAN_poly_invnorm2_fft(fpr *d,
  * (also in FFT representation). Destination d MUST NOT overlap with
  * any of the source arrays.
  */
-void PQCLEAN_FALCON512PADDED_CLEAN_poly_add_muladj_fft(fpr *d,
+void PQCLEAN_FALCONPADDED512_CLEAN_poly_add_muladj_fft(fpr *d,
         const fpr *F, const fpr *G, const fpr *f, const fpr *g, unsigned logn);
 
 /*
@@ -637,7 +637,7 @@ void PQCLEAN_FALCON512PADDED_CLEAN_poly_add_muladj_fft(fpr *d,
  * FFT coefficients are real, and the array b contains only N/2 elements.
  * a and b MUST NOT overlap.
  */
-void PQCLEAN_FALCON512PADDED_CLEAN_poly_mul_autoadj_fft(fpr *a,
+void PQCLEAN_FALCONPADDED512_CLEAN_poly_mul_autoadj_fft(fpr *a,
         const fpr *b, unsigned logn);
 
 /*
@@ -646,7 +646,7 @@ void PQCLEAN_FALCON512PADDED_CLEAN_poly_mul_autoadj_fft(fpr *a,
  * FFT coefficients are real, and the array b contains only N/2 elements.
  * a and b MUST NOT overlap.
  */
-void PQCLEAN_FALCON512PADDED_CLEAN_poly_div_autoadj_fft(fpr *a,
+void PQCLEAN_FALCONPADDED512_CLEAN_poly_div_autoadj_fft(fpr *a,
         const fpr *b, unsigned logn);
 
 /*
@@ -657,7 +657,7 @@ void PQCLEAN_FALCON512PADDED_CLEAN_poly_div_autoadj_fft(fpr *a,
  * (with D = [[d00, 0], [0, d11]] and L = [[1, 0], [l10, 1]]).
  * (In fact, d00 = g00, so the g00 operand is left unmodified.)
  */
-void PQCLEAN_FALCON512PADDED_CLEAN_poly_LDL_fft(const fpr *g00,
+void PQCLEAN_FALCONPADDED512_CLEAN_poly_LDL_fft(const fpr *g00,
         fpr *g01, fpr *g11, unsigned logn);
 
 /*
@@ -666,7 +666,7 @@ void PQCLEAN_FALCON512PADDED_CLEAN_poly_LDL_fft(const fpr *g00,
  * g00, g01 and g11 are unmodified; the outputs d11 and l10 are written
  * in two other separate buffers provided as extra parameters.
  */
-void PQCLEAN_FALCON512PADDED_CLEAN_poly_LDLmv_fft(fpr *d11, fpr *l10,
+void PQCLEAN_FALCONPADDED512_CLEAN_poly_LDLmv_fft(fpr *d11, fpr *l10,
         const fpr *g00, const fpr *g01, const fpr *g11, unsigned logn);
 
 /*
@@ -675,7 +675,7 @@ void PQCLEAN_FALCON512PADDED_CLEAN_poly_LDLmv_fft(fpr *d11, fpr *l10,
  * f = f0(x^2) + x*f1(x^2), for half-size polynomials f0 and f1
  * (polynomials modulo X^(N/2)+1). f0, f1 and f MUST NOT overlap.
  */
-void PQCLEAN_FALCON512PADDED_CLEAN_poly_split_fft(fpr *f0, fpr *f1,
+void PQCLEAN_FALCONPADDED512_CLEAN_poly_split_fft(fpr *f0, fpr *f1,
         const fpr *f, unsigned logn);
 
 /*
@@ -684,7 +684,7 @@ void PQCLEAN_FALCON512PADDED_CLEAN_poly_split_fft(fpr *f0, fpr *f1,
  * f = f0(x^2) + x*f1(x^2), in FFT representation modulo X^N+1.
  * f MUST NOT overlap with either f0 or f1.
  */
-void PQCLEAN_FALCON512PADDED_CLEAN_poly_merge_fft(fpr *f,
+void PQCLEAN_FALCONPADDED512_CLEAN_poly_merge_fft(fpr *f,
         const fpr *f0, const fpr *f1, unsigned logn);
 
 /* ==================================================================== */
@@ -723,7 +723,7 @@ void PQCLEAN_FALCON512PADDED_CLEAN_poly_merge_fft(fpr *f,
  * tmp[] must have 64-bit alignment.
  * This function uses floating-point rounding (see set_fpu_cw()).
  */
-void PQCLEAN_FALCON512PADDED_CLEAN_keygen(inner_shake256_context *rng,
+void PQCLEAN_FALCONPADDED512_CLEAN_keygen(inner_shake256_context *rng,
         int8_t *f, int8_t *g, int8_t *F, int8_t *G, uint16_t *h, unsigned logn, uint8_t *tmp);
 
 /*
@@ -742,14 +742,14 @@ void PQCLEAN_FALCON512PADDED_CLEAN_keygen(inner_shake256_context *rng,
  * tmp[] must have 64-bit alignment.
  * This function uses floating-point rounding (see set_fpu_cw()).
  */
-void PQCLEAN_FALCON512PADDED_CLEAN_expand_privkey(fpr *expanded_key,
+void PQCLEAN_FALCONPADDED512_CLEAN_expand_privkey(fpr *expanded_key,
         const int8_t *f, const int8_t *g, const int8_t *F, const int8_t *G, unsigned logn, uint8_t *tmp);
 
 /*
  * Compute a signature over the provided hashed message (hm); the
  * signature value is one short vector. This function uses an
- * expanded key (as generated by PQCLEAN_FALCON512PADDED_CLEAN_expand_privkey()).
+ * expanded key (as generated by PQCLEAN_FALCONPADDED512_CLEAN_expand_privkey()).
  *
  * The sig[] and hm[] buffers may overlap.
  *
@@ -761,7 +761,7 @@ void PQCLEAN_FALCON512PADDED_CLEAN_expand_privkey(fpr *expanded_key,
  * tmp[] must have 64-bit alignment.
  * This function uses floating-point rounding (see set_fpu_cw()).
  */
-void PQCLEAN_FALCON512PADDED_CLEAN_sign_tree(int16_t *sig, inner_shake256_context *rng,
+void PQCLEAN_FALCONPADDED512_CLEAN_sign_tree(int16_t *sig, inner_shake256_context *rng,
         const fpr *expanded_key, const uint16_t *hm, unsigned logn, uint8_t *tmp);
@@ -782,7 +782,7 @@ void PQCLEAN_FALCON512PADDED_CLEAN_sign_tree(int16_t *sig, inner_shake256_contex
  * tmp[] must have 64-bit alignment.
  * This function uses floating-point rounding (see set_fpu_cw()).
  */
-void PQCLEAN_FALCON512PADDED_CLEAN_sign_dyn(int16_t *sig, inner_shake256_context *rng,
+void PQCLEAN_FALCONPADDED512_CLEAN_sign_dyn(int16_t *sig, inner_shake256_context *rng,
         const int8_t *f, const int8_t *g, const int8_t *F, const int8_t *G, const uint16_t *hm, unsigned logn, uint8_t *tmp);
 
@@ -811,9 +811,9 @@ typedef struct {
     fpr sigma_min;
 } sampler_context;
 
-int PQCLEAN_FALCON512PADDED_CLEAN_sampler(void *ctx, fpr mu, fpr isigma);
+int PQCLEAN_FALCONPADDED512_CLEAN_sampler(void *ctx, fpr mu, fpr isigma);
 
-int PQCLEAN_FALCON512PADDED_CLEAN_gaussian0_sampler(prng *p);
+int PQCLEAN_FALCONPADDED512_CLEAN_gaussian0_sampler(prng *p);
 
 /* ==================================================================== */
diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/clean/keygen.c b/Modules/PQClean/crypto_sign/falcon-padded-512/clean/keygen.c
similarity index 98%
rename from Modules/PQClean/crypto_sign/falcon-512-padded/clean/keygen.c
rename to Modules/PQClean/crypto_sign/falcon-padded-512/clean/keygen.c
index ac663b13..f556877c 100644
--- a/Modules/PQClean/crypto_sign/falcon-512-padded/clean/keygen.c
+++ b/Modules/PQClean/crypto_sign/falcon-padded-512/clean/keygen.c
@@ -3071,11 +3071,11 @@ solve_NTRU_intermediate(unsigned logn_top,
      * Compute 1/(f*adj(f)+g*adj(g)) in rt5. We also keep adj(f)
      * and adj(g) in rt3 and rt4, respectively.
      */
-    PQCLEAN_FALCON512PADDED_CLEAN_FFT(rt3, logn);
-    PQCLEAN_FALCON512PADDED_CLEAN_FFT(rt4, logn);
-    PQCLEAN_FALCON512PADDED_CLEAN_poly_invnorm2_fft(rt5, rt3, rt4, logn);
-    PQCLEAN_FALCON512PADDED_CLEAN_poly_adj_fft(rt3, logn);
-    PQCLEAN_FALCON512PADDED_CLEAN_poly_adj_fft(rt4, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_FFT(rt3, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_FFT(rt4, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_poly_invnorm2_fft(rt5, rt3, rt4, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_poly_adj_fft(rt3, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_poly_adj_fft(rt4, logn);
 
     /*
      * Reduce F and G repeatedly.
@@ -3135,13 +3135,13 @@ solve_NTRU_intermediate(unsigned logn_top,
     /*
      * Compute (F*adj(f)+G*adj(g))/(f*adj(f)+g*adj(g)) in rt2.
      */
-    PQCLEAN_FALCON512PADDED_CLEAN_FFT(rt1, logn);
-    PQCLEAN_FALCON512PADDED_CLEAN_FFT(rt2, logn);
-    PQCLEAN_FALCON512PADDED_CLEAN_poly_mul_fft(rt1, rt3, logn);
-    PQCLEAN_FALCON512PADDED_CLEAN_poly_mul_fft(rt2, rt4, logn);
-    PQCLEAN_FALCON512PADDED_CLEAN_poly_add(rt2, rt1, logn);
-    PQCLEAN_FALCON512PADDED_CLEAN_poly_mul_autoadj_fft(rt2, rt5, logn);
-    PQCLEAN_FALCON512PADDED_CLEAN_iFFT(rt2, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_FFT(rt1, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_FFT(rt2, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_poly_mul_fft(rt1, rt3, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_poly_mul_fft(rt2, rt4, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_poly_add(rt2, rt1, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_poly_mul_autoadj_fft(rt2, rt5, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_iFFT(rt2, logn);
 
     /*
      * (f,g) are scaled by 'scale_fg', meaning that the
@@ -3589,10 +3589,10 @@ solve_NTRU_binary_depth1(unsigned logn_top,
      *   rt4 = g
      * in that order in RAM. We convert all of them to FFT.
      */
-    PQCLEAN_FALCON512PADDED_CLEAN_FFT(rt1, logn);
-    PQCLEAN_FALCON512PADDED_CLEAN_FFT(rt2, logn);
-    PQCLEAN_FALCON512PADDED_CLEAN_FFT(rt3, logn);
-    PQCLEAN_FALCON512PADDED_CLEAN_FFT(rt4, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_FFT(rt1, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_FFT(rt2, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_FFT(rt3, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_FFT(rt4, logn);
 
     /*
      * Compute:
@@ -3602,14 +3602,14 @@ solve_NTRU_binary_depth1(unsigned logn_top,
      */
     rt5 = rt4 + n;
     rt6 = rt5 + n;
-    PQCLEAN_FALCON512PADDED_CLEAN_poly_add_muladj_fft(rt5, rt1, rt2, rt3, rt4, logn);
-    PQCLEAN_FALCON512PADDED_CLEAN_poly_invnorm2_fft(rt6, rt3, rt4, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_poly_add_muladj_fft(rt5, rt1, rt2, rt3, rt4, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_poly_invnorm2_fft(rt6, rt3, rt4, logn);
 
     /*
      * Compute:
      *   rt5 = (F*adj(f)+G*adj(g)) / (f*adj(f)+g*adj(g))
      */
-    PQCLEAN_FALCON512PADDED_CLEAN_poly_mul_autoadj_fft(rt5, rt6, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_poly_mul_autoadj_fft(rt5, rt6, logn);
 
     /*
      * Compute k as the rounded version of rt5. Check that none of
@@ -3618,7 +3618,7 @@ solve_NTRU_binary_depth1(unsigned logn_top,
      * note that any out-of-bounds value here implies a failure and
      * (f,g) will be discarded, so we can make a simple test.
      */
-    PQCLEAN_FALCON512PADDED_CLEAN_iFFT(rt5, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_iFFT(rt5, logn);
     for (u = 0; u < n; u ++) {
         fpr z;
 
@@ -3628,17 +3628,17 @@ solve_NTRU_binary_depth1(unsigned logn_top,
         }
         rt5[u] = fpr_of(fpr_rint(z));
     }
-    PQCLEAN_FALCON512PADDED_CLEAN_FFT(rt5, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_FFT(rt5, logn);
 
     /*
      * Subtract k*f from F, and k*g from G.
      */
-    PQCLEAN_FALCON512PADDED_CLEAN_poly_mul_fft(rt3, rt5, logn);
-    PQCLEAN_FALCON512PADDED_CLEAN_poly_mul_fft(rt4, rt5, logn);
-    PQCLEAN_FALCON512PADDED_CLEAN_poly_sub(rt1, rt3, logn);
-    PQCLEAN_FALCON512PADDED_CLEAN_poly_sub(rt2, rt4, logn);
-    PQCLEAN_FALCON512PADDED_CLEAN_iFFT(rt1, logn);
-    PQCLEAN_FALCON512PADDED_CLEAN_iFFT(rt2, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_poly_mul_fft(rt3, rt5, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_poly_mul_fft(rt4, rt5, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_poly_sub(rt1, rt3, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_poly_sub(rt2, rt4, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_iFFT(rt1, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_iFFT(rt2, logn);
 
     /*
      * Convert back F and G to integers, and return.
@@ -3857,7 +3857,7 @@ solve_NTRU_binary_depth0(unsigned logn,
     for (u = 0; u < n; u ++) {
         rt3[u] = fpr_of(((int32_t *)t2)[u]);
     }
-    PQCLEAN_FALCON512PADDED_CLEAN_FFT(rt3, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_FFT(rt3, logn);
     rt2 = align_fpr(tmp, t2);
     memmove(rt2, rt3, hn * sizeof * rt3);
 
@@ -3868,14 +3868,14 @@ solve_NTRU_binary_depth0(unsigned logn,
     for (u = 0; u < n; u ++) {
         rt3[u] = fpr_of(((int32_t *)t1)[u]);
     }
-    PQCLEAN_FALCON512PADDED_CLEAN_FFT(rt3, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_FFT(rt3, logn);
 
     /*
      * Compute (F*adj(f)+G*adj(g))/(f*adj(f)+g*adj(g)) and get
      * its rounded normal representation in t1.
      */
-    PQCLEAN_FALCON512PADDED_CLEAN_poly_div_autoadj_fft(rt3, rt2, logn);
-    PQCLEAN_FALCON512PADDED_CLEAN_iFFT(rt3, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_poly_div_autoadj_fft(rt3, rt2, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_iFFT(rt3, logn);
     for (u = 0; u < n; u ++) {
         t1[u] = modp_set((int32_t)fpr_rint(rt3[u]), p);
     }
@@ -4076,7 +4076,7 @@ poly_small_mkgauss(RNG_CONTEXT *rng, int8_t *f, unsigned logn) {
 
 /* see falcon.h */
 void
-PQCLEAN_FALCON512PADDED_CLEAN_keygen(inner_shake256_context *rng,
+PQCLEAN_FALCONPADDED512_CLEAN_keygen(inner_shake256_context *rng,
         int8_t *f, int8_t *g, int8_t *F, int8_t *G, uint16_t *h, unsigned logn, uint8_t *tmp) {
     /*
@@ -4145,7 +4145,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_keygen(inner_shake256_context *rng,
          * overwhelming probability; this guarantees that the
          * key will be encodable with FALCON_COMP_TRIM.
          */
-        lim = 1 << (PQCLEAN_FALCON512PADDED_CLEAN_max_fg_bits[logn] - 1);
+        lim = 1 << (PQCLEAN_FALCONPADDED512_CLEAN_max_fg_bits[logn] - 1);
         for (u = 0; u < n; u ++) {
             /*
              * We can use non-CT tests since on any failure
@@ -4183,17 +4183,17 @@ PQCLEAN_FALCON512PADDED_CLEAN_keygen(inner_shake256_context *rng,
         rt3 = rt2 + n;
         poly_small_to_fp(rt1, f, logn);
         poly_small_to_fp(rt2, g, logn);
-        PQCLEAN_FALCON512PADDED_CLEAN_FFT(rt1, logn);
-        PQCLEAN_FALCON512PADDED_CLEAN_FFT(rt2, logn);
-        PQCLEAN_FALCON512PADDED_CLEAN_poly_invnorm2_fft(rt3, rt1, rt2, logn);
-        PQCLEAN_FALCON512PADDED_CLEAN_poly_adj_fft(rt1, logn);
-        PQCLEAN_FALCON512PADDED_CLEAN_poly_adj_fft(rt2, logn);
-        PQCLEAN_FALCON512PADDED_CLEAN_poly_mulconst(rt1, fpr_q, logn);
-        PQCLEAN_FALCON512PADDED_CLEAN_poly_mulconst(rt2, fpr_q, logn);
-        PQCLEAN_FALCON512PADDED_CLEAN_poly_mul_autoadj_fft(rt1, rt3, logn);
-        PQCLEAN_FALCON512PADDED_CLEAN_poly_mul_autoadj_fft(rt2, rt3, logn);
-        PQCLEAN_FALCON512PADDED_CLEAN_iFFT(rt1, logn);
-        PQCLEAN_FALCON512PADDED_CLEAN_iFFT(rt2, logn);
+        PQCLEAN_FALCONPADDED512_CLEAN_FFT(rt1, logn);
+        PQCLEAN_FALCONPADDED512_CLEAN_FFT(rt2, logn);
+        PQCLEAN_FALCONPADDED512_CLEAN_poly_invnorm2_fft(rt3, rt1, rt2, logn);
+        PQCLEAN_FALCONPADDED512_CLEAN_poly_adj_fft(rt1, logn);
+        PQCLEAN_FALCONPADDED512_CLEAN_poly_adj_fft(rt2, logn);
+        PQCLEAN_FALCONPADDED512_CLEAN_poly_mulconst(rt1, fpr_q, logn);
+        PQCLEAN_FALCONPADDED512_CLEAN_poly_mulconst(rt2, fpr_q, logn);
+        PQCLEAN_FALCONPADDED512_CLEAN_poly_mul_autoadj_fft(rt1, rt3, logn);
+        PQCLEAN_FALCONPADDED512_CLEAN_poly_mul_autoadj_fft(rt2, rt3, logn);
+        PQCLEAN_FALCONPADDED512_CLEAN_iFFT(rt1, logn);
+        PQCLEAN_FALCONPADDED512_CLEAN_iFFT(rt2, logn);
         bnorm = fpr_zero;
         for (u = 0; u < n; u ++) {
             bnorm = fpr_add(bnorm, fpr_sqr(rt1[u]));
@@ -4214,14 +4214,14 @@ PQCLEAN_FALCON512PADDED_CLEAN_keygen(inner_shake256_context *rng,
             h2 = h;
             tmp2 = (uint16_t *)tmp;
         }
-        if (!PQCLEAN_FALCON512PADDED_CLEAN_compute_public(h2, f, g, logn, (uint8_t *)tmp2)) {
+        if (!PQCLEAN_FALCONPADDED512_CLEAN_compute_public(h2, f, g, logn, (uint8_t *)tmp2)) {
             continue;
         }
 
         /*
          * Solve the NTRU equation to get F and G.
          */
-        lim = (1 << (PQCLEAN_FALCON512PADDED_CLEAN_max_FG_bits[logn] - 1)) - 1;
+        lim = (1 << (PQCLEAN_FALCONPADDED512_CLEAN_max_FG_bits[logn] - 1)) - 1;
         if (!solve_NTRU(logn, F, G, f, g, lim, (uint32_t *)tmp)) {
             continue;
         }
diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/clean/pqclean.c b/Modules/PQClean/crypto_sign/falcon-padded-512/clean/pqclean.c
similarity index 71%
rename from Modules/PQClean/crypto_sign/falcon-512-padded/clean/pqclean.c
rename to Modules/PQClean/crypto_sign/falcon-padded-512/clean/pqclean.c
index 152c0245..7edf6a87 100644
--- a/Modules/PQClean/crypto_sign/falcon-512-padded/clean/pqclean.c
+++ b/Modules/PQClean/crypto_sign/falcon-padded-512/clean/pqclean.c
@@ -38,7 +38,7 @@
 
 /* see api.h */
 int
-PQCLEAN_FALCON512PADDED_CLEAN_crypto_sign_keypair(
+PQCLEAN_FALCONPADDED512_CLEAN_crypto_sign_keypair(
     uint8_t *pk, uint8_t *sk) {
     union {
         uint8_t b[FALCON_KEYGEN_TEMP_9];
@@ -58,7 +58,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_crypto_sign_keypair(
     inner_shake256_init(&rng);
     inner_shake256_inject(&rng, seed, sizeof seed);
     inner_shake256_flip(&rng);
-    PQCLEAN_FALCON512PADDED_CLEAN_keygen(&rng, f, g, F, NULL, h, 9, tmp.b);
+    PQCLEAN_FALCONPADDED512_CLEAN_keygen(&rng, f, g, F, NULL, h, 9, tmp.b);
     inner_shake256_ctx_release(&rng);
 
     /*
@@ -66,28 +66,28 @@ PQCLEAN_FALCON512PADDED_CLEAN_crypto_sign_keypair(
      */
     sk[0] = 0x50 + 9;
     u = 1;
-    v = PQCLEAN_FALCON512PADDED_CLEAN_trim_i8_encode(
-            sk + u, PQCLEAN_FALCON512PADDED_CLEAN_CRYPTO_SECRETKEYBYTES - u,
-            f, 9, PQCLEAN_FALCON512PADDED_CLEAN_max_fg_bits[9]);
+    v = PQCLEAN_FALCONPADDED512_CLEAN_trim_i8_encode(
+            sk + u, PQCLEAN_FALCONPADDED512_CLEAN_CRYPTO_SECRETKEYBYTES - u,
+            f, 9, PQCLEAN_FALCONPADDED512_CLEAN_max_fg_bits[9]);
     if (v == 0) {
         return -1;
     }
     u += v;
-    v = PQCLEAN_FALCON512PADDED_CLEAN_trim_i8_encode(
-            sk + u, PQCLEAN_FALCON512PADDED_CLEAN_CRYPTO_SECRETKEYBYTES - u,
-            g, 9, PQCLEAN_FALCON512PADDED_CLEAN_max_fg_bits[9]);
+    v = PQCLEAN_FALCONPADDED512_CLEAN_trim_i8_encode(
+            sk + u, PQCLEAN_FALCONPADDED512_CLEAN_CRYPTO_SECRETKEYBYTES - u,
+            g, 9, PQCLEAN_FALCONPADDED512_CLEAN_max_fg_bits[9]);
     if (v == 0) {
         return -1;
     }
     u += v;
-    v = PQCLEAN_FALCON512PADDED_CLEAN_trim_i8_encode(
-            sk + u, PQCLEAN_FALCON512PADDED_CLEAN_CRYPTO_SECRETKEYBYTES - u,
-            F, 9, PQCLEAN_FALCON512PADDED_CLEAN_max_FG_bits[9]);
+    v = PQCLEAN_FALCONPADDED512_CLEAN_trim_i8_encode(
+            sk + u, PQCLEAN_FALCONPADDED512_CLEAN_CRYPTO_SECRETKEYBYTES - u,
+            F, 9, PQCLEAN_FALCONPADDED512_CLEAN_max_FG_bits[9]);
     if (v == 0) {
         return -1;
     }
     u += v;
-    if (u != PQCLEAN_FALCON512PADDED_CLEAN_CRYPTO_SECRETKEYBYTES) {
+    if (u != PQCLEAN_FALCONPADDED512_CLEAN_CRYPTO_SECRETKEYBYTES) {
         return -1;
     }
 
@@ -95,10 +95,10 @@ PQCLEAN_FALCON512PADDED_CLEAN_crypto_sign_keypair(
      * Encode public key.
      */
     pk[0] = 0x00 + 9;
-    v = PQCLEAN_FALCON512PADDED_CLEAN_modq_encode(
-            pk + 1, PQCLEAN_FALCON512PADDED_CLEAN_CRYPTO_PUBLICKEYBYTES - 1,
+    v = PQCLEAN_FALCONPADDED512_CLEAN_modq_encode(
+            pk + 1, PQCLEAN_FALCONPADDED512_CLEAN_CRYPTO_PUBLICKEYBYTES - 1,
             h, 9);
-    if (v != PQCLEAN_FALCON512PADDED_CLEAN_CRYPTO_PUBLICKEYBYTES - 1) {
+    if (v != PQCLEAN_FALCONPADDED512_CLEAN_CRYPTO_PUBLICKEYBYTES - 1) {
         return -1;
     }
 
@@ -142,31 +142,31 @@ do_sign(uint8_t *nonce, uint8_t *sigbuf, size_t sigbuflen,
         return -1;
     }
     u = 1;
-    v = PQCLEAN_FALCON512PADDED_CLEAN_trim_i8_decode(
-            f, 9, PQCLEAN_FALCON512PADDED_CLEAN_max_fg_bits[9],
-            sk + u, PQCLEAN_FALCON512PADDED_CLEAN_CRYPTO_SECRETKEYBYTES - u);
+    v = PQCLEAN_FALCONPADDED512_CLEAN_trim_i8_decode(
+            f, 9, PQCLEAN_FALCONPADDED512_CLEAN_max_fg_bits[9],
+            sk + u, PQCLEAN_FALCONPADDED512_CLEAN_CRYPTO_SECRETKEYBYTES - u);
     if (v == 0) {
         return -1;
     }
     u += v;
-    v = PQCLEAN_FALCON512PADDED_CLEAN_trim_i8_decode(
-            g, 9, PQCLEAN_FALCON512PADDED_CLEAN_max_fg_bits[9],
-            sk + u, PQCLEAN_FALCON512PADDED_CLEAN_CRYPTO_SECRETKEYBYTES - u);
+    v = PQCLEAN_FALCONPADDED512_CLEAN_trim_i8_decode(
+            g, 9, PQCLEAN_FALCONPADDED512_CLEAN_max_fg_bits[9],
+            sk + u, PQCLEAN_FALCONPADDED512_CLEAN_CRYPTO_SECRETKEYBYTES - u);
     if (v == 0) {
         return -1;
     }
     u += v;
-    v = PQCLEAN_FALCON512PADDED_CLEAN_trim_i8_decode(
-            F, 9, PQCLEAN_FALCON512PADDED_CLEAN_max_FG_bits[9],
-            sk + u, PQCLEAN_FALCON512PADDED_CLEAN_CRYPTO_SECRETKEYBYTES - u);
+    v = PQCLEAN_FALCONPADDED512_CLEAN_trim_i8_decode(
+            F, 9, PQCLEAN_FALCONPADDED512_CLEAN_max_FG_bits[9],
+            sk + u, PQCLEAN_FALCONPADDED512_CLEAN_CRYPTO_SECRETKEYBYTES - u);
     if (v == 0) {
         return -1;
     }
     u += v;
-    if (u != PQCLEAN_FALCON512PADDED_CLEAN_CRYPTO_SECRETKEYBYTES) {
+    if (u != PQCLEAN_FALCONPADDED512_CLEAN_CRYPTO_SECRETKEYBYTES) {
         return -1;
     }
-    if (!PQCLEAN_FALCON512PADDED_CLEAN_complete_private(G, f, g, F, 9, tmp.b)) {
+    if (!PQCLEAN_FALCONPADDED512_CLEAN_complete_private(G, f, g, F, 9, tmp.b)) {
         return -1;
     }
 
@@ -182,7 +182,7 @@ do_sign(uint8_t *nonce, uint8_t *sigbuf, size_t sigbuflen,
     inner_shake256_inject(&sc, nonce, NONCELEN);
     inner_shake256_inject(&sc, m, mlen);
     inner_shake256_flip(&sc);
-    PQCLEAN_FALCON512PADDED_CLEAN_hash_to_point_ct(&sc, r.hm, 9, tmp.b);
+    PQCLEAN_FALCONPADDED512_CLEAN_hash_to_point_ct(&sc, r.hm, 9, tmp.b);
     inner_shake256_ctx_release(&sc);
 
     /*
@@ -198,8 +198,8 @@ do_sign(uint8_t *nonce, uint8_t *sigbuf, size_t sigbuflen,
      * value is found that fits in the provided buffer.
      */
     for (;;) {
-        PQCLEAN_FALCON512PADDED_CLEAN_sign_dyn(r.sig, &sc, f, g, F, G, r.hm, 9, tmp.b);
-        v = PQCLEAN_FALCON512PADDED_CLEAN_comp_encode(sigbuf, sigbuflen, r.sig, 9);
+        PQCLEAN_FALCONPADDED512_CLEAN_sign_dyn(r.sig, &sc, f, g, F, G, r.hm, 9, tmp.b);
+        v = PQCLEAN_FALCONPADDED512_CLEAN_comp_encode(sigbuf, sigbuflen, r.sig, 9);
         if (v != 0) {
             inner_shake256_ctx_release(&sc);
             memset(sigbuf + v, 0, sigbuflen - v);
@@ -233,12 +233,12 @@ do_verify(
     if (pk[0] != 0x00 + 9) {
         return -1;
     }
-    if (PQCLEAN_FALCON512PADDED_CLEAN_modq_decode(h, 9,
-            pk + 1, PQCLEAN_FALCON512PADDED_CLEAN_CRYPTO_PUBLICKEYBYTES - 1)
-            != PQCLEAN_FALCON512PADDED_CLEAN_CRYPTO_PUBLICKEYBYTES - 1) {
+    if (PQCLEAN_FALCONPADDED512_CLEAN_modq_decode(h, 9,
+            pk + 1, PQCLEAN_FALCONPADDED512_CLEAN_CRYPTO_PUBLICKEYBYTES - 1)
+            != PQCLEAN_FALCONPADDED512_CLEAN_CRYPTO_PUBLICKEYBYTES - 1) {
         return -1;
     }
-    PQCLEAN_FALCON512PADDED_CLEAN_to_ntt_monty(h, 9);
+    PQCLEAN_FALCONPADDED512_CLEAN_to_ntt_monty(h, 9);
 
     /*
      * Decode signature.
@@ -247,12 +247,12 @@ do_verify(
         return -1;
     }
 
-    v = PQCLEAN_FALCON512PADDED_CLEAN_comp_decode(sig, 9, sigbuf, sigbuflen);
+    v = PQCLEAN_FALCONPADDED512_CLEAN_comp_decode(sig, 9, sigbuf, sigbuflen);
     if (v == 0) {
         return -1;
     }
     if (v != sigbuflen) {
-        if (sigbuflen == PQCLEAN_FALCON512PADDED_CLEAN_CRYPTO_BYTES - NONCELEN - 1) {
+        if (sigbuflen == PQCLEAN_FALCONPADDED512_CLEAN_CRYPTO_BYTES - NONCELEN - 1) {
             while (v < sigbuflen) {
                 if (sigbuf[v++] != 0) {
                     return -1;
@@ -270,13 +270,13 @@ do_verify(
     inner_shake256_inject(&sc, nonce, NONCELEN);
     inner_shake256_inject(&sc, m, mlen);
     inner_shake256_flip(&sc);
-    PQCLEAN_FALCON512PADDED_CLEAN_hash_to_point_ct(&sc, hm, 9, tmp.b);
+    PQCLEAN_FALCONPADDED512_CLEAN_hash_to_point_ct(&sc, hm, 9, tmp.b);
     inner_shake256_ctx_release(&sc);
 
     /*
      * Verify signature.
      */
-    if (!PQCLEAN_FALCON512PADDED_CLEAN_verify_raw(hm, sig, h, 9, tmp.b)) {
+    if (!PQCLEAN_FALCONPADDED512_CLEAN_verify_raw(hm, sig, h, 9, tmp.b)) {
         return -1;
     }
     return 0;
@@ -284,12 +284,12 @@ do_verify(
 
 /* see api.h */
 int
-PQCLEAN_FALCON512PADDED_CLEAN_crypto_sign_signature(
+PQCLEAN_FALCONPADDED512_CLEAN_crypto_sign_signature(
     uint8_t *sig, size_t *siglen,
     const uint8_t *m, size_t mlen, const uint8_t *sk) {
     size_t vlen;
 
-    vlen = PQCLEAN_FALCON512PADDED_CLEAN_CRYPTO_BYTES - NONCELEN - 1;
+    vlen = PQCLEAN_FALCONPADDED512_CLEAN_CRYPTO_BYTES - NONCELEN - 1;
     if (do_sign(sig + 1, sig + 1 + NONCELEN, vlen, m, mlen, sk) < 0) {
         return -1;
     }
@@ -300,7 +300,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_crypto_sign_signature(
 
 /* see api.h */
 int
-PQCLEAN_FALCON512PADDED_CLEAN_crypto_sign_verify(
+PQCLEAN_FALCONPADDED512_CLEAN_crypto_sign_verify(
     const uint8_t *sig, size_t siglen,
     const uint8_t *m, size_t mlen, const uint8_t *pk) {
     if (siglen < 1 + NONCELEN) {
@@ -315,7 +315,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_crypto_sign_verify(
 
 /* see api.h */
 int
-PQCLEAN_FALCON512PADDED_CLEAN_crypto_sign(
+PQCLEAN_FALCONPADDED512_CLEAN_crypto_sign(
     uint8_t *sm, size_t *smlen,
     const uint8_t *m, size_t mlen, const uint8_t *sk) {
     uint8_t *sigbuf;
@@ -325,9 +325,9 @@ PQCLEAN_FALCON512PADDED_CLEAN_crypto_sign(
      * Move the message to its final location; this is a memmove() so
      * it handles overlaps properly.
      */
-    memmove(sm + PQCLEAN_FALCON512PADDED_CLEAN_CRYPTO_BYTES, m, mlen);
+    memmove(sm + PQCLEAN_FALCONPADDED512_CLEAN_CRYPTO_BYTES, m, mlen);
     sigbuf = sm + 1 + NONCELEN;
-    sigbuflen = PQCLEAN_FALCON512PADDED_CLEAN_CRYPTO_BYTES - NONCELEN - 1;
+    sigbuflen = PQCLEAN_FALCONPADDED512_CLEAN_CRYPTO_BYTES - NONCELEN - 1;
     if (do_sign(sm + 1, sigbuf, sigbuflen, m, mlen, sk) < 0) {
         return -1;
     }
@@ -339,17 +339,17 @@ PQCLEAN_FALCON512PADDED_CLEAN_crypto_sign(
 
 /* see api.h */
 int
-PQCLEAN_FALCON512PADDED_CLEAN_crypto_sign_open(
+PQCLEAN_FALCONPADDED512_CLEAN_crypto_sign_open(
     uint8_t *m, size_t *mlen,
     const uint8_t *sm, size_t smlen, const uint8_t *pk) {
     const uint8_t *sigbuf;
     size_t pmlen, sigbuflen;
 
-    if (smlen < PQCLEAN_FALCON512PADDED_CLEAN_CRYPTO_BYTES) {
+    if (smlen < PQCLEAN_FALCONPADDED512_CLEAN_CRYPTO_BYTES) {
         return -1;
     }
-    sigbuflen = PQCLEAN_FALCON512PADDED_CLEAN_CRYPTO_BYTES - NONCELEN - 1;
-    pmlen = smlen - PQCLEAN_FALCON512PADDED_CLEAN_CRYPTO_BYTES;
+    sigbuflen = PQCLEAN_FALCONPADDED512_CLEAN_CRYPTO_BYTES - NONCELEN - 1;
+    pmlen = smlen - PQCLEAN_FALCONPADDED512_CLEAN_CRYPTO_BYTES;
     if (sm[0] != 0x30 + 9) {
         return -1;
     }
@@ -361,7 +361,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_crypto_sign_open(
      * follows the signature value.
      */
     if (do_verify(sm + 1, sigbuf, sigbuflen,
-                  sm + PQCLEAN_FALCON512PADDED_CLEAN_CRYPTO_BYTES, pmlen, pk) < 0) {
+                  sm + PQCLEAN_FALCONPADDED512_CLEAN_CRYPTO_BYTES, pmlen, pk) < 0) {
         return -1;
     }
 
@@ -370,7 +370,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_crypto_sign_open(
      * to its final destination. The memmove() properly handles
      * overlaps.
      */
-    memmove(m, sm + PQCLEAN_FALCON512PADDED_CLEAN_CRYPTO_BYTES, pmlen);
+    memmove(m, sm + PQCLEAN_FALCONPADDED512_CLEAN_CRYPTO_BYTES, pmlen);
     *mlen = pmlen;
     return 0;
 }
diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/clean/rng.c b/Modules/PQClean/crypto_sign/falcon-padded-512/clean/rng.c
similarity index 95%
rename from Modules/PQClean/crypto_sign/falcon-512-padded/clean/rng.c
rename to Modules/PQClean/crypto_sign/falcon-padded-512/clean/rng.c
index b2454fd1..ccce5e88 100644
--- a/Modules/PQClean/crypto_sign/falcon-512-padded/clean/rng.c
+++ b/Modules/PQClean/crypto_sign/falcon-padded-512/clean/rng.c
@@ -35,7 +35,7 @@
 
 /* see inner.h */
 void
-PQCLEAN_FALCON512PADDED_CLEAN_prng_init(prng *p, inner_shake256_context *src) {
+PQCLEAN_FALCONPADDED512_CLEAN_prng_init(prng *p, inner_shake256_context *src) {
     /*
      * To ensure reproducibility for a given seed, we
      * must enforce little-endian interpretation of
@@ -61,7 +61,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_prng_init(prng *p, inner_shake256_context *src) {
     tl = d32[48 / sizeof(uint32_t)];
     th = d32[52 / sizeof(uint32_t)];
     d64[48 / sizeof(uint64_t)] = tl + (th << 32);
-    PQCLEAN_FALCON512PADDED_CLEAN_prng_refill(p);
+    PQCLEAN_FALCONPADDED512_CLEAN_prng_refill(p);
 }
 
 /*
@@ -79,7 +79,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_prng_init(prng *p, inner_shake256_context *src) {
  * The block counter is XORed into the first 8 bytes of the IV.
  */
 void
-PQCLEAN_FALCON512PADDED_CLEAN_prng_refill(prng *p) {
+PQCLEAN_FALCONPADDED512_CLEAN_prng_refill(prng *p) {
     static const uint32_t CW[] = {
         0x61707865, 0x3320646e, 0x79622d32, 0x6b206574
@@ -166,7 +166,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_prng_refill(prng *p) {
 
 /* see inner.h */
 void
-PQCLEAN_FALCON512PADDED_CLEAN_prng_get_bytes(prng *p, void *dst, size_t len) {
+PQCLEAN_FALCONPADDED512_CLEAN_prng_get_bytes(prng *p, void *dst, size_t len) {
     uint8_t *buf;
 
     buf = dst;
@@ -182,7 +182,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_prng_get_bytes(prng *p, void *dst, size_t len) {
         len -= clen;
         p->ptr += clen;
         if (p->ptr == sizeof p->buf.d) {
-            PQCLEAN_FALCON512PADDED_CLEAN_prng_refill(p);
+            PQCLEAN_FALCONPADDED512_CLEAN_prng_refill(p);
         }
     }
 }
diff --git a/Modules/PQClean/crypto_sign/falcon-512-padded/clean/sign.c b/Modules/PQClean/crypto_sign/falcon-padded-512/clean/sign.c
similarity index 85%
rename from Modules/PQClean/crypto_sign/falcon-512-padded/clean/sign.c
rename to Modules/PQClean/crypto_sign/falcon-padded-512/clean/sign.c
index 657c54c0..5e37a461 100644
--- a/Modules/PQClean/crypto_sign/falcon-512-padded/clean/sign.c
+++ b/Modules/PQClean/crypto_sign/falcon-padded-512/clean/sign.c
@@ -87,7 +87,7 @@ ffLDL_fft_inner(fpr *tree,
      * and the diagonal of D. Since d00 = g0, we just write d11
      * into tmp.
      */
-    PQCLEAN_FALCON512PADDED_CLEAN_poly_LDLmv_fft(tmp, tree, g0, g1, g0, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_poly_LDLmv_fft(tmp, tree, g0, g1, g0, logn);
 
     /*
      * Split d00 (currently in g0) and d11 (currently in tmp). We
@@ -95,8 +95,8 @@ ffLDL_fft_inner(fpr *tree,
      *   d00 splits into g1, g1+hn
      *   d11 splits into g0, g0+hn
      */
-    PQCLEAN_FALCON512PADDED_CLEAN_poly_split_fft(g1, g1 + hn, g0, logn);
-    PQCLEAN_FALCON512PADDED_CLEAN_poly_split_fft(g0, g0 + hn, tmp, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_poly_split_fft(g1, g1 + hn, g0, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_poly_split_fft(g0, g0 + hn, tmp, logn);
 
     /*
      * Each split result is the first row of a new auto-adjoint
@@ -137,10 +137,10 @@ ffLDL_fft(fpr *tree, const fpr *g00,
     tmp += n << 1;
 
     memcpy(d00, g00, n * sizeof * g00);
-    PQCLEAN_FALCON512PADDED_CLEAN_poly_LDLmv_fft(d11, tree, g00, g01, g11, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_poly_LDLmv_fft(d11, tree, g00, g01, g11, logn);
 
-    PQCLEAN_FALCON512PADDED_CLEAN_poly_split_fft(tmp, tmp + hn, d00, logn);
-    PQCLEAN_FALCON512PADDED_CLEAN_poly_split_fft(d00, d00 + hn, d11, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_poly_split_fft(tmp, tmp + hn, d00, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_poly_split_fft(d00, d00 + hn, d11, logn);
     memcpy(d11, tmp, n * sizeof * tmp);
     ffLDL_fft_inner(tree + n, d11, d11 + hn, logn - 1, tmp);
@@ -224,7 +224,7 @@ skoff_tree(unsigned logn) {
 
 /* see inner.h */
 void
-PQCLEAN_FALCON512PADDED_CLEAN_expand_privkey(fpr *expanded_key,
+PQCLEAN_FALCONPADDED512_CLEAN_expand_privkey(fpr *expanded_key,
         const int8_t *f, const int8_t *g, const int8_t *F, const int8_t *G, unsigned logn, uint8_t *tmp) {
@@ -258,12 +258,12 @@ PQCLEAN_FALCON512PADDED_CLEAN_expand_privkey(fpr *expanded_key,
     /*
      * Compute the FFT for the key elements, and negate f and F.
      */
-    PQCLEAN_FALCON512PADDED_CLEAN_FFT(rf, logn);
-    PQCLEAN_FALCON512PADDED_CLEAN_FFT(rg, logn);
-    PQCLEAN_FALCON512PADDED_CLEAN_FFT(rF, logn);
-    PQCLEAN_FALCON512PADDED_CLEAN_FFT(rG, logn);
-    PQCLEAN_FALCON512PADDED_CLEAN_poly_neg(rf, logn);
-    PQCLEAN_FALCON512PADDED_CLEAN_poly_neg(rF, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_FFT(rf, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_FFT(rg, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_FFT(rF, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_FFT(rG, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_poly_neg(rf, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_poly_neg(rF, logn);
 
     /*
      * The Gram matrix is G = B·B*. Formulas are:
@@ -281,22 +281,22 @@ PQCLEAN_FALCON512PADDED_CLEAN_expand_privkey(fpr *expanded_key,
     gxx = g11 + n;
 
     memcpy(g00, b00, n * sizeof * b00);
-    PQCLEAN_FALCON512PADDED_CLEAN_poly_mulselfadj_fft(g00, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_poly_mulselfadj_fft(g00, logn);
     memcpy(gxx, b01, n * sizeof * b01);
-    PQCLEAN_FALCON512PADDED_CLEAN_poly_mulselfadj_fft(gxx, logn);
-    PQCLEAN_FALCON512PADDED_CLEAN_poly_add(g00, gxx, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_poly_mulselfadj_fft(gxx, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_poly_add(g00, gxx, logn);
 
     memcpy(g01, b00, n * sizeof * b00);
-    PQCLEAN_FALCON512PADDED_CLEAN_poly_muladj_fft(g01, b10, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_poly_muladj_fft(g01, b10, logn);
     memcpy(gxx, b01, n * sizeof * b01);
-    PQCLEAN_FALCON512PADDED_CLEAN_poly_muladj_fft(gxx, b11, logn);
-    PQCLEAN_FALCON512PADDED_CLEAN_poly_add(g01, gxx, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_poly_muladj_fft(gxx, b11, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_poly_add(g01, gxx, logn);
 
     memcpy(g11, b10, n * sizeof * b10);
-    PQCLEAN_FALCON512PADDED_CLEAN_poly_mulselfadj_fft(g11, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_poly_mulselfadj_fft(g11, logn);
     memcpy(gxx, b11, n * sizeof * b11);
-    PQCLEAN_FALCON512PADDED_CLEAN_poly_mulselfadj_fft(gxx, logn);
-    PQCLEAN_FALCON512PADDED_CLEAN_poly_add(g11, gxx, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_poly_mulselfadj_fft(gxx, logn);
+    PQCLEAN_FALCONPADDED512_CLEAN_poly_add(g11, gxx, logn);
 
     /*
      * Compute the Falcon tree.
@@ -347,15 +347,15 @@ ffSampling_fft_dyntree(samplerZ samp, void *samp_ctx, * Decompose G into LDL. We only need d00 (identical to g00), * d11, and l10; we do that in place. */ - PQCLEAN_FALCON512PADDED_CLEAN_poly_LDL_fft(g00, g01, g11, logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_LDL_fft(g00, g01, g11, logn); /* * Split d00 and d11 and expand them into half-size quasi-cyclic * Gram matrices. We also save l10 in tmp[]. */ - PQCLEAN_FALCON512PADDED_CLEAN_poly_split_fft(tmp, tmp + hn, g00, logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_split_fft(tmp, tmp + hn, g00, logn); memcpy(g00, tmp, n * sizeof * tmp); - PQCLEAN_FALCON512PADDED_CLEAN_poly_split_fft(tmp, tmp + hn, g11, logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_split_fft(tmp, tmp + hn, g11, logn); memcpy(g11, tmp, n * sizeof * tmp); memcpy(tmp, g01, n * sizeof * g01); memcpy(g01, g00, hn * sizeof * g00); @@ -375,10 +375,10 @@ ffSampling_fft_dyntree(samplerZ samp, void *samp_ctx, * back into tmp + 2*n. */ z1 = tmp + n; - PQCLEAN_FALCON512PADDED_CLEAN_poly_split_fft(z1, z1 + hn, t1, logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_split_fft(z1, z1 + hn, t1, logn); ffSampling_fft_dyntree(samp, samp_ctx, z1, z1 + hn, g11, g11 + hn, g01 + hn, orig_logn, logn - 1, z1 + n); - PQCLEAN_FALCON512PADDED_CLEAN_poly_merge_fft(tmp + (n << 1), z1, z1 + hn, logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_merge_fft(tmp + (n << 1), z1, z1 + hn, logn); /* * Compute tb0 = t0 + (t1 - z1) * l10. 
@@ -388,20 +388,20 @@ ffSampling_fft_dyntree(samplerZ samp, void *samp_ctx, * In the end, z1 is written over t1, and tb0 is in t0. */ memcpy(z1, t1, n * sizeof * t1); - PQCLEAN_FALCON512PADDED_CLEAN_poly_sub(z1, tmp + (n << 1), logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_sub(z1, tmp + (n << 1), logn); memcpy(t1, tmp + (n << 1), n * sizeof * tmp); - PQCLEAN_FALCON512PADDED_CLEAN_poly_mul_fft(tmp, z1, logn); - PQCLEAN_FALCON512PADDED_CLEAN_poly_add(t0, tmp, logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_mul_fft(tmp, z1, logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_add(t0, tmp, logn); /* * Second recursive invocation, on the split tb0 (currently in t0) * and the left sub-tree. */ z0 = tmp; - PQCLEAN_FALCON512PADDED_CLEAN_poly_split_fft(z0, z0 + hn, t0, logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_split_fft(z0, z0 + hn, t0, logn); ffSampling_fft_dyntree(samp, samp_ctx, z0, z0 + hn, g00, g00 + hn, g01, orig_logn, logn - 1, z0 + n); - PQCLEAN_FALCON512PADDED_CLEAN_poly_merge_fft(t0, z0, z0 + hn, logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_merge_fft(t0, z0, z0 + hn, logn); } /* 
@@ -607,26 +607,26 @@ ffSampling_fft(samplerZ samp, void *samp_ctx, * the recursive invocation, with output in tmp. We finally * merge back into z1. */ - PQCLEAN_FALCON512PADDED_CLEAN_poly_split_fft(z1, z1 + hn, t1, logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_split_fft(z1, z1 + hn, t1, logn); ffSampling_fft(samp, samp_ctx, tmp, tmp + hn, tree1, z1, z1 + hn, logn - 1, tmp + n); - PQCLEAN_FALCON512PADDED_CLEAN_poly_merge_fft(z1, tmp, tmp + hn, logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_merge_fft(z1, tmp, tmp + hn, logn); /* * Compute tb0 = t0 + (t1 - z1) * L. Value tb0 ends up in tmp[]. */ memcpy(tmp, t1, n * sizeof * t1); - PQCLEAN_FALCON512PADDED_CLEAN_poly_sub(tmp, z1, logn); - PQCLEAN_FALCON512PADDED_CLEAN_poly_mul_fft(tmp, tree, logn); - PQCLEAN_FALCON512PADDED_CLEAN_poly_add(tmp, t0, logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_sub(tmp, z1, logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_mul_fft(tmp, tree, logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_add(tmp, t0, logn); /* * Second recursive invocation. */ - PQCLEAN_FALCON512PADDED_CLEAN_poly_split_fft(z0, z0 + hn, tmp, logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_split_fft(z0, z0 + hn, tmp, logn); ffSampling_fft(samp, samp_ctx, tmp, tmp + hn, tree0, z0, z0 + hn, logn - 1, tmp + n); - PQCLEAN_FALCON512PADDED_CLEAN_poly_merge_fft(z0, tmp, tmp + hn, logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_merge_fft(z0, tmp, tmp + hn, logn); } /* 
@@ -674,13 +674,13 @@ do_sign_tree(samplerZ samp, void *samp_ctx, int16_t *s2, * Apply the lattice basis to obtain the real target * vector (after normalization with regards to modulus). */ - PQCLEAN_FALCON512PADDED_CLEAN_FFT(t0, logn); + PQCLEAN_FALCONPADDED512_CLEAN_FFT(t0, logn); ni = fpr_inverse_of_q; memcpy(t1, t0, n * sizeof * t0); - PQCLEAN_FALCON512PADDED_CLEAN_poly_mul_fft(t1, b01, logn); - PQCLEAN_FALCON512PADDED_CLEAN_poly_mulconst(t1, fpr_neg(ni), logn); - PQCLEAN_FALCON512PADDED_CLEAN_poly_mul_fft(t0, b11, logn); - PQCLEAN_FALCON512PADDED_CLEAN_poly_mulconst(t0, ni, logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_mul_fft(t1, b01, logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_mulconst(t1, fpr_neg(ni), logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_mul_fft(t0, b11, logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_mulconst(t0, ni, logn); tx = t1 + n; ty = tx + n; 
@@ -695,18 +695,18 @@ do_sign_tree(samplerZ samp, void *samp_ctx, int16_t *s2, */ memcpy(t0, tx, n * sizeof * tx); memcpy(t1, ty, n * sizeof * ty); - PQCLEAN_FALCON512PADDED_CLEAN_poly_mul_fft(tx, b00, logn); - PQCLEAN_FALCON512PADDED_CLEAN_poly_mul_fft(ty, b10, logn); - PQCLEAN_FALCON512PADDED_CLEAN_poly_add(tx, ty, logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_mul_fft(tx, b00, logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_mul_fft(ty, b10, logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_add(tx, ty, logn); memcpy(ty, t0, n * sizeof * t0); - PQCLEAN_FALCON512PADDED_CLEAN_poly_mul_fft(ty, b01, logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_mul_fft(ty, b01, logn); memcpy(t0, tx, n * sizeof * tx); - PQCLEAN_FALCON512PADDED_CLEAN_poly_mul_fft(t1, b11, logn); - PQCLEAN_FALCON512PADDED_CLEAN_poly_add(t1, ty, logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_mul_fft(t1, b11, logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_add(t1, ty, logn); - PQCLEAN_FALCON512PADDED_CLEAN_iFFT(t0, logn); - PQCLEAN_FALCON512PADDED_CLEAN_iFFT(t1, logn); + PQCLEAN_FALCONPADDED512_CLEAN_iFFT(t0, logn); + PQCLEAN_FALCONPADDED512_CLEAN_iFFT(t1, logn); /* * Compute the signature. @@ -737,7 +737,7 @@ do_sign_tree(samplerZ samp, void *samp_ctx, int16_t *s2, for (u = 0; u < n; u ++) { s2tmp[u] = (int16_t) - fpr_rint(t1[u]); } - if (PQCLEAN_FALCON512PADDED_CLEAN_is_short_half(sqn, s2tmp, logn)) { + if (PQCLEAN_FALCONPADDED512_CLEAN_is_short_half(sqn, s2tmp, logn)) { memcpy(s2, s2tmp, n * sizeof * s2); memcpy(tmp, s1tmp, n * sizeof * s1tmp); return 1; 
@@ -779,12 +779,12 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2, smallints_to_fpr(b00, g, logn); smallints_to_fpr(b11, F, logn); smallints_to_fpr(b10, G, logn); - PQCLEAN_FALCON512PADDED_CLEAN_FFT(b01, logn); - PQCLEAN_FALCON512PADDED_CLEAN_FFT(b00, logn); - PQCLEAN_FALCON512PADDED_CLEAN_FFT(b11, logn); - PQCLEAN_FALCON512PADDED_CLEAN_FFT(b10, logn); - PQCLEAN_FALCON512PADDED_CLEAN_poly_neg(b01, logn); - PQCLEAN_FALCON512PADDED_CLEAN_poly_neg(b11, logn); + PQCLEAN_FALCONPADDED512_CLEAN_FFT(b01, logn); + PQCLEAN_FALCONPADDED512_CLEAN_FFT(b00, logn); + PQCLEAN_FALCONPADDED512_CLEAN_FFT(b11, logn); + PQCLEAN_FALCONPADDED512_CLEAN_FFT(b10, logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_neg(b01, logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_neg(b11, logn); /* * Compute the Gram matrix G = B·B*. Formulas are: 
@@ -804,20 +804,20 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2, t1 = t0 + n; memcpy(t0, b01, n * sizeof * b01); - PQCLEAN_FALCON512PADDED_CLEAN_poly_mulselfadj_fft(t0, logn); // t0 <- b01*adj(b01) + PQCLEAN_FALCONPADDED512_CLEAN_poly_mulselfadj_fft(t0, logn); // t0 <- b01*adj(b01) memcpy(t1, b00, n * sizeof * b00); - PQCLEAN_FALCON512PADDED_CLEAN_poly_muladj_fft(t1, b10, logn); // t1 <- b00*adj(b10) - PQCLEAN_FALCON512PADDED_CLEAN_poly_mulselfadj_fft(b00, logn); // b00 <- b00*adj(b00) - PQCLEAN_FALCON512PADDED_CLEAN_poly_add(b00, t0, logn); // b00 <- g00 + PQCLEAN_FALCONPADDED512_CLEAN_poly_muladj_fft(t1, b10, logn); // t1 <- b00*adj(b10) + PQCLEAN_FALCONPADDED512_CLEAN_poly_mulselfadj_fft(b00, logn); // b00 <- b00*adj(b00) + PQCLEAN_FALCONPADDED512_CLEAN_poly_add(b00, t0, logn); // b00 <- g00 memcpy(t0, b01, n * sizeof * b01); - PQCLEAN_FALCON512PADDED_CLEAN_poly_muladj_fft(b01, b11, logn); // b01 <- b01*adj(b11) - PQCLEAN_FALCON512PADDED_CLEAN_poly_add(b01, t1, logn); // b01 <- g01 + PQCLEAN_FALCONPADDED512_CLEAN_poly_muladj_fft(b01, b11, logn); // b01 <- b01*adj(b11) + PQCLEAN_FALCONPADDED512_CLEAN_poly_add(b01, t1, logn); // b01 <- g01 - PQCLEAN_FALCON512PADDED_CLEAN_poly_mulselfadj_fft(b10, logn); // b10 <- b10*adj(b10) + PQCLEAN_FALCONPADDED512_CLEAN_poly_mulselfadj_fft(b10, logn); // b10 <- b10*adj(b10) memcpy(t1, b11, n * sizeof * b11); - PQCLEAN_FALCON512PADDED_CLEAN_poly_mulselfadj_fft(t1, logn); // t1 <- b11*adj(b11) - PQCLEAN_FALCON512PADDED_CLEAN_poly_add(b10, t1, logn); // b10 <- g11 + PQCLEAN_FALCONPADDED512_CLEAN_poly_mulselfadj_fft(t1, logn); // t1 <- b11*adj(b11) + PQCLEAN_FALCONPADDED512_CLEAN_poly_add(b10, t1, logn); // b10 <- g11 /* * We rename variables to make things clearer. The three elements 
@@ -850,13 +850,13 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2, * Apply the lattice basis to obtain the real target * vector (after normalization with regards to modulus). */ - PQCLEAN_FALCON512PADDED_CLEAN_FFT(t0, logn); + PQCLEAN_FALCONPADDED512_CLEAN_FFT(t0, logn); ni = fpr_inverse_of_q; memcpy(t1, t0, n * sizeof * t0); - PQCLEAN_FALCON512PADDED_CLEAN_poly_mul_fft(t1, b01, logn); - PQCLEAN_FALCON512PADDED_CLEAN_poly_mulconst(t1, fpr_neg(ni), logn); - PQCLEAN_FALCON512PADDED_CLEAN_poly_mul_fft(t0, b11, logn); - PQCLEAN_FALCON512PADDED_CLEAN_poly_mulconst(t0, ni, logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_mul_fft(t1, b01, logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_mulconst(t1, fpr_neg(ni), logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_mul_fft(t0, b11, logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_mulconst(t0, ni, logn); /* * b01 and b11 can be discarded, so we move back (t0,t1). @@ -891,12 +891,12 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2, smallints_to_fpr(b00, g, logn); smallints_to_fpr(b11, F, logn); smallints_to_fpr(b10, G, logn); - PQCLEAN_FALCON512PADDED_CLEAN_FFT(b01, logn); - PQCLEAN_FALCON512PADDED_CLEAN_FFT(b00, logn); - PQCLEAN_FALCON512PADDED_CLEAN_FFT(b11, logn); - PQCLEAN_FALCON512PADDED_CLEAN_FFT(b10, logn); - PQCLEAN_FALCON512PADDED_CLEAN_poly_neg(b01, logn); - PQCLEAN_FALCON512PADDED_CLEAN_poly_neg(b11, logn); + PQCLEAN_FALCONPADDED512_CLEAN_FFT(b01, logn); + PQCLEAN_FALCONPADDED512_CLEAN_FFT(b00, logn); + PQCLEAN_FALCONPADDED512_CLEAN_FFT(b11, logn); + PQCLEAN_FALCONPADDED512_CLEAN_FFT(b10, logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_neg(b01, logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_neg(b11, logn); tx = t1 + n; ty = tx + n; 
@@ -905,17 +905,17 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2, */ memcpy(tx, t0, n * sizeof * t0); memcpy(ty, t1, n * sizeof * t1); - PQCLEAN_FALCON512PADDED_CLEAN_poly_mul_fft(tx, b00, logn); - PQCLEAN_FALCON512PADDED_CLEAN_poly_mul_fft(ty, b10, logn); - PQCLEAN_FALCON512PADDED_CLEAN_poly_add(tx, ty, logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_mul_fft(tx, b00, logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_mul_fft(ty, b10, logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_add(tx, ty, logn); memcpy(ty, t0, n * sizeof * t0); - PQCLEAN_FALCON512PADDED_CLEAN_poly_mul_fft(ty, b01, logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_mul_fft(ty, b01, logn); memcpy(t0, tx, n * sizeof * tx); - PQCLEAN_FALCON512PADDED_CLEAN_poly_mul_fft(t1, b11, logn); - PQCLEAN_FALCON512PADDED_CLEAN_poly_add(t1, ty, logn); - PQCLEAN_FALCON512PADDED_CLEAN_iFFT(t0, logn); - PQCLEAN_FALCON512PADDED_CLEAN_iFFT(t1, logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_mul_fft(t1, b11, logn); + PQCLEAN_FALCONPADDED512_CLEAN_poly_add(t1, ty, logn); + PQCLEAN_FALCONPADDED512_CLEAN_iFFT(t0, logn); + PQCLEAN_FALCONPADDED512_CLEAN_iFFT(t1, logn); s1tmp = (int16_t *)tx; sqn = 0; @@ -943,7 +943,7 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2, for (u = 0; u < n; u ++) { s2tmp[u] = (int16_t) - fpr_rint(t1[u]); } - if (PQCLEAN_FALCON512PADDED_CLEAN_is_short_half(sqn, s2tmp, logn)) { + if (PQCLEAN_FALCONPADDED512_CLEAN_is_short_half(sqn, s2tmp, logn)) { memcpy(s2, s2tmp, n * sizeof * s2); memcpy(tmp, s1tmp, n * sizeof * s1tmp); return 1; @@ -956,7 +956,7 @@ do_sign_dyn(samplerZ samp, void *samp_ctx, int16_t *s2, * on zero and standard deviation 1.8205, with a precision of 72 bits. */ int -PQCLEAN_FALCON512PADDED_CLEAN_gaussian0_sampler(prng *p) { +PQCLEAN_FALCONPADDED512_CLEAN_gaussian0_sampler(prng *p) { static const uint32_t dist[] = { 10745844u, 3068844u, 3741698u, 
@@ -1079,7 +1079,7 @@ BerExp(prng *p, fpr x, fpr ccs) { * 0.5 and 1); in Falcon, sigma should always be between 1.2 and 1.9. */ int -PQCLEAN_FALCON512PADDED_CLEAN_sampler(void *ctx, fpr mu, fpr isigma) { +PQCLEAN_FALCONPADDED512_CLEAN_sampler(void *ctx, fpr mu, fpr isigma) { sampler_context *spc; int s; fpr r, dss, ccs; @@ -1121,7 +1121,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_sampler(void *ctx, fpr mu, fpr isigma) { * - b = 0: z <= 0 and sampled against a Gaussian * centered on 0. */ - z0 = PQCLEAN_FALCON512PADDED_CLEAN_gaussian0_sampler(&spc->p); + z0 = PQCLEAN_FALCONPADDED512_CLEAN_gaussian0_sampler(&spc->p); b = (int)prng_get_u8(&spc->p) & 1; z = b + ((b << 1) - 1) * z0; @@ -1164,7 +1164,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_sampler(void *ctx, fpr mu, fpr isigma) { /* see inner.h */ void -PQCLEAN_FALCON512PADDED_CLEAN_sign_tree(int16_t *sig, inner_shake256_context *rng, +PQCLEAN_FALCONPADDED512_CLEAN_sign_tree(int16_t *sig, inner_shake256_context *rng, const fpr *expanded_key, const uint16_t *hm, unsigned logn, uint8_t *tmp) { fpr *ftmp; @@ -1190,8 +1190,8 @@ PQCLEAN_FALCON512PADDED_CLEAN_sign_tree(int16_t *sig, inner_shake256_context *rn * SHAKE context ('rng'). */ spc.sigma_min = fpr_sigma_min[logn]; - PQCLEAN_FALCON512PADDED_CLEAN_prng_init(&spc.p, rng); - samp = PQCLEAN_FALCON512PADDED_CLEAN_sampler; + PQCLEAN_FALCONPADDED512_CLEAN_prng_init(&spc.p, rng); + samp = PQCLEAN_FALCONPADDED512_CLEAN_sampler; samp_ctx = &spc; /* @@ -1206,7 +1206,7 @@ PQCLEAN_FALCON512PADDED_CLEAN_sign_tree(int16_t *sig, inner_shake256_context *rn /* see inner.h */ void -PQCLEAN_FALCON512PADDED_CLEAN_sign_dyn(int16_t *sig, inner_shake256_context *rng, +PQCLEAN_FALCONPADDED512_CLEAN_sign_dyn(int16_t *sig, inner_shake256_context *rng, const int8_t *f, const int8_t *g, const int8_t *F, const int8_t *G, const uint16_t *hm, unsigned logn, uint8_t *tmp) { 
@@ -1233,8 +1233,8 @@ PQCLEAN_FALCON512PADDED_CLEAN_sign_dyn(int16_t *sig, inner_shake256_context *rng * SHAKE context ('rng'). */ spc.sigma_min = fpr_sigma_min[logn]; - PQCLEAN_FALCON512PADDED_CLEAN_prng_init(&spc.p, rng); - samp = PQCLEAN_FALCON512PADDED_CLEAN_sampler; + PQCLEAN_FALCONPADDED512_CLEAN_prng_init(&spc.p, rng); + samp = PQCLEAN_FALCONPADDED512_CLEAN_sampler; samp_ctx = &spc; /* diff --git a/Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/vrfy.c b/Modules/PQClean/crypto_sign/falcon-padded-512/clean/vrfy.c similarity index 98% rename from Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/vrfy.c rename to Modules/PQClean/crypto_sign/falcon-padded-512/clean/vrfy.c index 4cafa22f..5bcc2b52 100644 --- a/Modules/PQClean/crypto_sign/falcon-1024-padded/avx2/vrfy.c +++ b/Modules/PQClean/crypto_sign/falcon-padded-512/clean/vrfy.c @@ -622,14 +622,14 @@ mq_poly_sub(uint16_t *f, const uint16_t *g, unsigned logn) { /* see inner.h */ void -PQCLEAN_FALCON1024PADDED_AVX2_to_ntt_monty(uint16_t *h, unsigned logn) { +PQCLEAN_FALCONPADDED512_CLEAN_to_ntt_monty(uint16_t *h, unsigned logn) { mq_NTT(h, logn); mq_poly_tomonty(h, logn); } /* see inner.h */ int -PQCLEAN_FALCON1024PADDED_AVX2_verify_raw(const uint16_t *c0, const int16_t *s2, +PQCLEAN_FALCONPADDED512_CLEAN_verify_raw(const uint16_t *c0, const int16_t *s2, const uint16_t *h, unsigned logn, uint8_t *tmp) { size_t u, n; uint16_t *tt; @@ -671,12 +671,12 @@ PQCLEAN_FALCON1024PADDED_AVX2_verify_raw(const uint16_t *c0, const int16_t *s2, * Signature is valid if and only if the aggregate (-s1,s2) vector * is short enough. */ - return PQCLEAN_FALCON1024PADDED_AVX2_is_short((int16_t *)tt, s2, logn); + return PQCLEAN_FALCONPADDED512_CLEAN_is_short((int16_t *)tt, s2, logn); } /* see inner.h */ int -PQCLEAN_FALCON1024PADDED_AVX2_compute_public(uint16_t *h, +PQCLEAN_FALCONPADDED512_CLEAN_compute_public(uint16_t *h, const int8_t *f, const int8_t *g, unsigned logn, uint8_t *tmp) { size_t u, n; uint16_t *tt; 
@@ -701,7 +701,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_compute_public(uint16_t *h, /* see inner.h */ int -PQCLEAN_FALCON1024PADDED_AVX2_complete_private(int8_t *G, +PQCLEAN_FALCONPADDED512_CLEAN_complete_private(int8_t *G, const int8_t *f, const int8_t *g, const int8_t *F, unsigned logn, uint8_t *tmp) { size_t u, n; @@ -746,7 +746,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_complete_private(int8_t *G, /* see inner.h */ int -PQCLEAN_FALCON1024PADDED_AVX2_is_invertible( +PQCLEAN_FALCONPADDED512_CLEAN_is_invertible( const int16_t *s2, unsigned logn, uint8_t *tmp) { size_t u, n; uint16_t *tt; @@ -771,7 +771,7 @@ PQCLEAN_FALCON1024PADDED_AVX2_is_invertible( /* see inner.h */ int -PQCLEAN_FALCON1024PADDED_AVX2_verify_recover(uint16_t *h, +PQCLEAN_FALCONPADDED512_CLEAN_verify_recover(uint16_t *h, const uint16_t *c0, const int16_t *s1, const int16_t *s2, unsigned logn, uint8_t *tmp) { size_t u, n; @@ -820,13 +820,13 @@ PQCLEAN_FALCON1024PADDED_AVX2_verify_recover(uint16_t *h, * check that the rebuilt public key matches the expected * value (e.g. through a hash). */ - r = ~r & (uint32_t) - PQCLEAN_FALCON1024PADDED_AVX2_is_short(s1, s2, logn); + r = ~r & (uint32_t) - PQCLEAN_FALCONPADDED512_CLEAN_is_short(s1, s2, logn); return (int)(r >> 31); } /* see inner.h */ int -PQCLEAN_FALCON1024PADDED_AVX2_count_nttzero(const int16_t *sig, unsigned logn, uint8_t *tmp) { +PQCLEAN_FALCONPADDED512_CLEAN_count_nttzero(const int16_t *sig, unsigned logn, uint8_t *tmp) { uint16_t *s2; size_t u, n; uint32_t r; diff --git a/Modules/PQClean/test/Makefile b/Modules/PQClean/test/Makefile index 8691f077..a5f7c51a 100644 --- a/Modules/PQClean/test/Makefile +++ b/Modules/PQClean/test/Makefile 
@@ -20,12 +20,12 @@ SCHEME_LIBRARY=$(SCHEME_DIR)/lib$(SCHEME)_$(IMPLEMENTATION).a SCHEME_FILES=$(wildcard $(SCHEME_DIR)/*.[chsS]) ifeq ($(SCHEME), falcon-512) - INTEROP=$(SCHEME)-padded + INTEROP=falcon-padded-512 else ifeq ($(SCHEME), falcon-1024) - INTEROP=$(SCHEME)-padded -else ifeq ($(SCHEME), falcon-512-padded) + INTEROP=falcon-padded-1024 +else ifeq ($(SCHEME), falcon-padded-512) INTEROP=falcon-512 -else ifeq ($(SCHEME), falcon-1024-padded) +else ifeq ($(SCHEME), falcon-padded-1024) INTEROP=falcon-1024 endif diff --git a/Modules/PQClean/test/Makefile.Microsoft_nmake b/Modules/PQClean/test/Makefile.Microsoft_nmake index bf86f6d5..481aa1c9 100644 --- a/Modules/PQClean/test/Makefile.Microsoft_nmake +++ b/Modules/PQClean/test/Makefile.Microsoft_nmake @@ -20,15 +20,15 @@ COMMON_OBJECTS_NOPATH=aes.obj fips202.obj sha2.obj sp800-185.obj nistseedexpande DEST_DIR=..\bin !IF "$(SCHEME)" == "falcon-512" -INTEROP=$(SCHEME)-padded -INTEROP_UPPERCASE=FALCON512PADDED +INTEROP=falcon-padded-512 +INTEROP_UPPERCASE=FALCONPADDED512 !ELSEIF "$(SCHEME)" == "falcon-1024" -INTEROP=$(SCHEME)-padded -INTEROP_UPPERCASE=FALCON1024PADDED -!ELSEIF "$(SCHEME)" == "falcon-512-padded" +INTEROP=falcon-padded-1024 +INTEROP_UPPERCASE=FALCONPADDED1024 +!ELSEIF "$(SCHEME)" == "falcon-padded-512" INTEROP=falcon-512 INTEROP_UPPERCASE=FALCON512 -!ELSEIF "$(SCHEME)" == "falcon-1024-padded" +!ELSEIF "$(SCHEME)" == "falcon-padded-1024" INTEROP=falcon-1024 INTEROP_UPPERCASE=FALCON1024 !ENDIF diff --git a/Modules/PQClean/test/duplicate_consistency/falcon-1024_aarch64.yml b/Modules/PQClean/test/duplicate_consistency/falcon-1024_aarch64.yml index 25d8a082..5cdb73ca 100644 --- a/Modules/PQClean/test/duplicate_consistency/falcon-1024_aarch64.yml +++ b/Modules/PQClean/test/duplicate_consistency/falcon-1024_aarch64.yml @@ -33,7 +33,7 @@ consistency_checks: files: - api.h - source: - scheme: falcon-512-padded + scheme: falcon-padded-512 implementation: aarch64 files: - inner.h 
@@ -55,7 +55,7 @@ consistency_checks: - util.c - vrfy.c - source: - scheme: falcon-1024-padded + scheme: falcon-padded-1024 implementation: aarch64 files: - inner.h diff --git a/Modules/PQClean/test/duplicate_consistency/falcon-1024_avx2.yml b/Modules/PQClean/test/duplicate_consistency/falcon-1024_avx2.yml index c3fab9e2..94ec81a1 100644 --- a/Modules/PQClean/test/duplicate_consistency/falcon-1024_avx2.yml +++ b/Modules/PQClean/test/duplicate_consistency/falcon-1024_avx2.yml @@ -35,14 +35,14 @@ consistency_checks: files: - api.h - source: - scheme: falcon-512-padded + scheme: falcon-padded-512 implementation: clean files: - codec.c - common.c - vrfy.c - source: - scheme: falcon-512-padded + scheme: falcon-padded-512 implementation: avx2 files: - fpr.h @@ -56,14 +56,14 @@ consistency_checks: - sign.c - vrfy.c - source: - scheme: falcon-1024-padded + scheme: falcon-padded-1024 implementation: clean files: - codec.c - common.c - vrfy.c - source: - scheme: falcon-1024-padded + scheme: falcon-padded-1024 implementation: avx2 files: - fpr.h diff --git a/Modules/PQClean/test/duplicate_consistency/falcon-1024_clean.yml b/Modules/PQClean/test/duplicate_consistency/falcon-1024_clean.yml index da086934..b1b1b52b 100644 --- a/Modules/PQClean/test/duplicate_consistency/falcon-1024_clean.yml +++ b/Modules/PQClean/test/duplicate_consistency/falcon-1024_clean.yml @@ -35,7 +35,7 @@ consistency_checks: files: - api.h - source: - scheme: falcon-512-padded + scheme: falcon-padded-512 implementation: clean files: - fpr.h @@ -49,14 +49,14 @@ consistency_checks: - sign.c - vrfy.c - source: - scheme: falcon-512-padded + scheme: falcon-padded-512 implementation: avx2 files: - codec.c - common.c - vrfy.c - source: - scheme: falcon-1024-padded + scheme: falcon-padded-1024 implementation: clean files: - fpr.h @@ -70,7 +70,7 @@ consistency_checks: - sign.c - vrfy.c - source: - scheme: falcon-1024-padded + scheme: falcon-padded-1024 implementation: avx2 files: - codec.c 
diff --git a/Modules/PQClean/test/duplicate_consistency/falcon-512_aarch64.yml b/Modules/PQClean/test/duplicate_consistency/falcon-512_aarch64.yml index cc1273dc..bd994db6 100644 --- a/Modules/PQClean/test/duplicate_consistency/falcon-512_aarch64.yml +++ b/Modules/PQClean/test/duplicate_consistency/falcon-512_aarch64.yml @@ -33,7 +33,7 @@ consistency_checks: - util.c - vrfy.c - source: - scheme: falcon-512-padded + scheme: falcon-padded-512 implementation: aarch64 files: - inner.h @@ -55,7 +55,7 @@ consistency_checks: - util.c - vrfy.c - source: - scheme: falcon-1024-padded + scheme: falcon-padded-1024 implementation: aarch64 files: - inner.h diff --git a/Modules/PQClean/test/duplicate_consistency/falcon-512_avx2.yml b/Modules/PQClean/test/duplicate_consistency/falcon-512_avx2.yml index 59400915..2fcd5e23 100644 --- a/Modules/PQClean/test/duplicate_consistency/falcon-512_avx2.yml +++ b/Modules/PQClean/test/duplicate_consistency/falcon-512_avx2.yml @@ -35,14 +35,14 @@ consistency_checks: - sign.c - vrfy.c - source: - scheme: falcon-512-padded + scheme: falcon-padded-512 implementation: clean files: - codec.c - common.c - vrfy.c - source: - scheme: falcon-512-padded + scheme: falcon-padded-512 implementation: avx2 files: - fpr.h @@ -56,14 +56,14 @@ consistency_checks: - sign.c - vrfy.c - source: - scheme: falcon-1024-padded + scheme: falcon-padded-1024 implementation: clean files: - codec.c - common.c - vrfy.c - source: - scheme: falcon-1024-padded + scheme: falcon-padded-1024 implementation: avx2 files: - fpr.h diff --git a/Modules/PQClean/test/duplicate_consistency/falcon-512_clean.yml b/Modules/PQClean/test/duplicate_consistency/falcon-512_clean.yml index 60b7382e..553708bb 100644 --- a/Modules/PQClean/test/duplicate_consistency/falcon-512_clean.yml +++ b/Modules/PQClean/test/duplicate_consistency/falcon-512_clean.yml 
@@ -35,7 +35,7 @@ consistency_checks: - common.c - vrfy.c - source: - scheme: falcon-512-padded + scheme: falcon-padded-512 implementation: clean files: - fpr.h @@ -49,14 +49,14 @@ consistency_checks: - sign.c - vrfy.c - source: - scheme: falcon-512-padded + scheme: falcon-padded-512 implementation: avx2 files: - codec.c - common.c - vrfy.c - source: - scheme: falcon-1024-padded + scheme: falcon-padded-1024 implementation: clean files: - fpr.h @@ -70,7 +70,7 @@ consistency_checks: - sign.c - vrfy.c - source: - scheme: falcon-1024-padded + scheme: falcon-padded-1024 implementation: avx2 files: - codec.c diff --git a/Modules/PQClean/test/duplicate_consistency/falcon-1024-padded_aarch64.yml b/Modules/PQClean/test/duplicate_consistency/falcon-padded-1024_aarch64.yml similarity index 92% rename from Modules/PQClean/test/duplicate_consistency/falcon-1024-padded_aarch64.yml rename to Modules/PQClean/test/duplicate_consistency/falcon-padded-1024_aarch64.yml index 130920c2..ee7cacb3 100644 --- a/Modules/PQClean/test/duplicate_consistency/falcon-1024-padded_aarch64.yml +++ b/Modules/PQClean/test/duplicate_consistency/falcon-padded-1024_aarch64.yml @@ -44,7 +44,7 @@ consistency_checks: - util.c - vrfy.c - source: - scheme: falcon-512-padded + scheme: falcon-padded-512 implementation: aarch64 files: - inner.h @@ -67,12 +67,12 @@ consistency_checks: - util.c - vrfy.c - source: - scheme: falcon-1024-padded + scheme: falcon-padded-1024 implementation: clean files: - api.h - source: - scheme: falcon-1024-padded + scheme: falcon-padded-1024 implementation: avx2 files: - api.h diff --git a/Modules/PQClean/test/duplicate_consistency/falcon-512-padded_avx2.yml b/Modules/PQClean/test/duplicate_consistency/falcon-padded-1024_avx2.yml similarity index 90% rename from Modules/PQClean/test/duplicate_consistency/falcon-512-padded_avx2.yml rename to Modules/PQClean/test/duplicate_consistency/falcon-padded-1024_avx2.yml index f388be85..fcfde090 100644 
--- a/Modules/PQClean/test/duplicate_consistency/falcon-512-padded_avx2.yml +++ b/Modules/PQClean/test/duplicate_consistency/falcon-padded-1024_avx2.yml @@ -42,28 +42,14 @@ consistency_checks: - sign.c - vrfy.c - source: - scheme: falcon-512-padded - implementation: clean - files: - - api.h - - codec.c - - common.c - - pqclean.c - - vrfy.c - - source: - scheme: falcon-512-padded - implementation: aarch64 - files: - - api.h - - source: - scheme: falcon-1024-padded + scheme: falcon-padded-512 implementation: clean files: - codec.c - common.c - vrfy.c - source: - scheme: falcon-1024-padded + scheme: falcon-padded-512 implementation: avx2 files: - fpr.h @@ -76,3 +62,17 @@ consistency_checks: - rng.c - sign.c - vrfy.c + - source: + scheme: falcon-padded-1024 + implementation: clean + files: + - api.h + - codec.c + - common.c + - pqclean.c + - vrfy.c + - source: + scheme: falcon-padded-1024 + implementation: aarch64 + files: + - api.h diff --git a/Modules/PQClean/test/duplicate_consistency/falcon-1024-padded_clean.yml b/Modules/PQClean/test/duplicate_consistency/falcon-padded-1024_clean.yml similarity index 90% rename from Modules/PQClean/test/duplicate_consistency/falcon-1024-padded_clean.yml rename to Modules/PQClean/test/duplicate_consistency/falcon-padded-1024_clean.yml index f548190f..a79132d6 100644 --- a/Modules/PQClean/test/duplicate_consistency/falcon-1024-padded_clean.yml +++ b/Modules/PQClean/test/duplicate_consistency/falcon-padded-1024_clean.yml @@ -42,7 +42,7 @@ consistency_checks: - common.c - vrfy.c - source: - scheme: falcon-512-padded + scheme: falcon-padded-512 implementation: clean files: - fpr.h @@ -56,14 +56,14 @@ consistency_checks: - sign.c - vrfy.c - source: - scheme: falcon-512-padded + scheme: falcon-padded-512 implementation: avx2 files: - codec.c - common.c - vrfy.c - source: - scheme: falcon-1024-padded + scheme: falcon-padded-1024 implementation: avx2 files: - api.h 
@@ -72,7 +72,7 @@ consistency_checks: - pqclean.c - vrfy.c - source: - scheme: falcon-1024-padded + scheme: falcon-padded-1024 implementation: aarch64 files: - api.h diff --git a/Modules/PQClean/test/duplicate_consistency/falcon-512-padded_aarch64.yml b/Modules/PQClean/test/duplicate_consistency/falcon-padded-512_aarch64.yml similarity index 93% rename from Modules/PQClean/test/duplicate_consistency/falcon-512-padded_aarch64.yml rename to Modules/PQClean/test/duplicate_consistency/falcon-padded-512_aarch64.yml index 924836d3..f87eace8 100644 --- a/Modules/PQClean/test/duplicate_consistency/falcon-512-padded_aarch64.yml +++ b/Modules/PQClean/test/duplicate_consistency/falcon-padded-512_aarch64.yml @@ -44,17 +44,17 @@ consistency_checks: - util.c - vrfy.c - source: - scheme: falcon-512-padded + scheme: falcon-padded-512 implementation: clean files: - api.h - source: - scheme: falcon-512-padded + scheme: falcon-padded-512 implementation: avx2 files: - api.h - source: - scheme: falcon-1024-padded + scheme: falcon-padded-1024 implementation: aarch64 files: - inner.h diff --git a/Modules/PQClean/test/duplicate_consistency/falcon-1024-padded_avx2.yml b/Modules/PQClean/test/duplicate_consistency/falcon-padded-512_avx2.yml similarity index 90% rename from Modules/PQClean/test/duplicate_consistency/falcon-1024-padded_avx2.yml rename to Modules/PQClean/test/duplicate_consistency/falcon-padded-512_avx2.yml index da319933..516f0b60 100644 --- a/Modules/PQClean/test/duplicate_consistency/falcon-1024-padded_avx2.yml +++ b/Modules/PQClean/test/duplicate_consistency/falcon-padded-512_avx2.yml 
@@ -42,14 +42,28 @@ consistency_checks: - sign.c - vrfy.c - source: - scheme: falcon-512-padded + scheme: falcon-padded-512 + implementation: clean + files: + - api.h + - codec.c + - common.c + - pqclean.c + - vrfy.c + - source: + scheme: falcon-padded-512 + implementation: aarch64 + files: + - api.h + - source: + scheme: falcon-padded-1024 implementation: clean files: - codec.c - common.c - vrfy.c - source: - scheme: falcon-512-padded + scheme: falcon-padded-1024 implementation: avx2 files: - fpr.h @@ -62,17 +76,3 @@ consistency_checks: - rng.c - sign.c - vrfy.c - - source: - scheme: falcon-1024-padded - implementation: clean - files: - - api.h - - codec.c - - common.c - - pqclean.c - - vrfy.c - - source: - scheme: falcon-1024-padded - implementation: aarch64 - files: - - api.h diff --git a/Modules/PQClean/test/duplicate_consistency/falcon-512-padded_clean.yml b/Modules/PQClean/test/duplicate_consistency/falcon-padded-512_clean.yml similarity index 90% rename from Modules/PQClean/test/duplicate_consistency/falcon-512-padded_clean.yml rename to Modules/PQClean/test/duplicate_consistency/falcon-padded-512_clean.yml index e2c24acc..c2794d82 100644 --- a/Modules/PQClean/test/duplicate_consistency/falcon-512-padded_clean.yml +++ b/Modules/PQClean/test/duplicate_consistency/falcon-padded-512_clean.yml @@ -42,7 +42,7 @@ consistency_checks: - common.c - vrfy.c - source: - scheme: falcon-512-padded + scheme: falcon-padded-512 implementation: avx2 files: - api.h @@ -51,12 +51,12 @@ consistency_checks: - pqclean.c - vrfy.c - source: - scheme: falcon-512-padded + scheme: falcon-padded-512 implementation: aarch64 files: - api.h - source: - scheme: falcon-1024-padded + scheme: falcon-padded-1024 implementation: clean files: - fpr.h @@ -70,7 +70,7 @@ consistency_checks: - sign.c - vrfy.c - source: - scheme: falcon-1024-padded + scheme: falcon-padded-1024 implementation: avx2 files: - codec.c 
diff --git a/Modules/PQClean/test/pqclean.py b/Modules/PQClean/test/pqclean.py index 0dceadf5..e48003f4 100644 --- a/Modules/PQClean/test/pqclean.py +++ b/Modules/PQClean/test/pqclean.py @@ -22,7 +22,11 @@ def namespace_prefix(self): # only useful for Falcon def padded_namespace_prefix(self): - return 'PQCLEAN_{}PADDED_'.format(self.name.upper()).replace('-', '') + if self.name.startswith('falcon-'): + return 'PQCLEAN_{}PADDED{}_'.format(*self.name.upper().split('-')) + else: # return a dummy value + return self.namespace_prefix() + @staticmethod @lru_cache(maxsize=None) diff --git a/Modules/PQClean/test/test_duplicate_consistency.py b/Modules/PQClean/test/test_duplicate_consistency.py index 6dea3a58..3a43bf30 100644 --- a/Modules/PQClean/test/test_duplicate_consistency.py +++ b/Modules/PQClean/test/test_duplicate_consistency.py @@ -65,11 +65,11 @@ def test_duplicate_consistency(implementation, source, files): target_src = file_get_contents(target_path)\ .replace(source.namespace_prefix(), '')\ .replace(source.padded_namespace_prefix(), 'PADDED')\ - .replace(' ', '') + .replace(' ', '') # the padded replace must come after the namespace replace this_src = file_get_contents(this_path)\ .replace(implementation.namespace_prefix(), '')\ .replace(implementation.padded_namespace_prefix(), 'PADDED')\ - .replace(' ', '') + .replace(' ', '') # the padded replace must come after the namespace replace if not this_src == target_src: diff = difflib.unified_diff( diff --git a/Modules/PQClean/test/test_functest.py b/Modules/PQClean/test/test_functest.py index 72b8f3ae..39e54e9a 100644 --- a/Modules/PQClean/test/test_functest.py +++ b/Modules/PQClean/test/test_functest.py 
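Review bot: The new `padded_namespace_prefix` assumes `self.name.upper().split('-')` yields exactly two parts; for `falcon-512` that gives `PQCLEAN_FALCONPADDED512_`, but for a padded name such as `falcon-padded-512` the split has three parts, `str.format` silently drops the third, and the result is `PQCLEAN_FALCONPADDEDPADDED_`, a prefix that cannot occur in any source. The old `.format(self.name.upper()).replace('-', '')` also doubled `PADDED` for padded schemes, so this is not a regression, but the star-unpack hides the assumption; naming it, e.g. `base = self.name.replace('-padded', '', 1).upper()` followed by `return 'PQCLEAN_{}PADDED{}_'.format(*base.split('-'))`, makes the contract explicit (whether any caller relies on the never-matching value for padded schemes is not visible from here). The `else` branch returns the real `namespace_prefix()` as a "dummy value", which is only harmless because the `test_duplicate_consistency.py` hunk in this same commit strips `namespace_prefix()` before replacing the padded prefix — a caller doing the two replaces in the other order would rewrite every non-Falcon symbol; a comment on the branch such as `# non-Falcon: must equal namespace_prefix() so a later replace on it is a no-op` would record that coupling next to the code instead of only on the `.replace(' ', '')` line of the test. The enclosing class header is outside the hunk.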
@@ -28,12 +28,12 @@ def test_functest(implementation, impl_path, test_dir,
 dest_dir = os.path.join(test_dir, 'bin')
 # handle Falcon PADDED and COMPACT interop testing
 if implementation.scheme.name.startswith("falcon-"):
- if implementation.scheme.name.endswith("-padded"):
- # strip off "-padded" suffix to get interop scheme name
- interop_src = pqclean.Implementation.by_name(implementation.scheme.name[:-len("-padded")], implementation.name).path()
+ if implementation.scheme.name.startswith("falcon-padded-"):
+ # delete "-padded" to get interop scheme name
+ interop_src = pqclean.Implementation.by_name(implementation.scheme.name.replace('-padded', '', 1), implementation.name).path()
 else:
- # add "-padded" suffix to get interop scheme name
- interop_src = pqclean.Implementation.by_name(implementation.scheme.name + "-padded", implementation.name).path()
+ # add "-padded" to get interop scheme name
+ interop_src = pqclean.Implementation.by_name(implementation.scheme.name.replace('falcon-', 'falcon-padded-', 1), implementation.name).path()
 interop_dir = helpers.add_interop_files(interop_src, os.path.join(impl_path, '..'))
 helpers.make('functest', TYPE=implementation.scheme.type,
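Review bot: The interop-name derivation added here is repeated verbatim in the test_functest_sanitizers hunk and in the test_valgrind hunk, so the padded/compact naming rule now lives in three test files plus padded_namespace_prefix() in pqclean.py; the next rename of the scheme directories has to touch all four again. A small method on the scheme class next to padded_namespace_prefix() would hold the rule once, and each test would reduce its `if`/`else` to a single `by_name(...)` call. The two `replace(..., 1)` calls are correct for the names this commit introduces; the helper below keeps exactly that behaviour. test_functest() starts before and ends after this hunk.
```python
# proposed helper in pqclean.py, on the scheme class next to padded_namespace_prefix():
def interop_name(self):
    """Name of the Falcon scheme this one is interop-tested against.

    Maps falcon-padded-N <-> falcon-N; only meaningful for Falcon schemes.
    """
    if self.name.startswith('falcon-padded-'):
        return self.name.replace('-padded', '', 1)
    return self.name.replace('falcon-', 'falcon-padded-', 1)

# … unchanged: dest_dir = os.path.join(test_dir, 'bin') …
# handle Falcon PADDED and COMPACT interop testing
if implementation.scheme.name.startswith("falcon-"):
    interop_src = pqclean.Implementation.by_name(implementation.scheme.interop_name(), implementation.name).path()
    interop_dir = helpers.add_interop_files(interop_src, os.path.join(impl_path, '..'))
# … unchanged: helpers.make('functest', ...) …
```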
@@ -91,12 +91,12 @@ def test_functest_sanitizers(implementation, impl_path, test_dir,
 # handle Falcon PADDED and COMPACT interop testing
 if implementation.scheme.name.startswith("falcon-"):
- if implementation.scheme.name.endswith("-padded"):
- # strip off "-padded" suffix to get interop scheme name
- interop_src = pqclean.Implementation.by_name(implementation.scheme.name[:-len("-padded")], implementation.name).path()
+ if implementation.scheme.name.startswith("falcon-padded-"):
+ # delete "-padded" to get interop scheme name
+ interop_src = pqclean.Implementation.by_name(implementation.scheme.name.replace('-padded', '', 1), implementation.name).path()
 else:
- # add "-padded" suffix to get interop scheme name
- interop_src = pqclean.Implementation.by_name(implementation.scheme.name + "-padded", implementation.name).path()
+ # add "-padded" to get interop scheme name
+ interop_src = pqclean.Implementation.by_name(implementation.scheme.name.replace('falcon-', 'falcon-padded-', 1), implementation.name).path()
 interop_dir = helpers.add_interop_files(interop_src, os.path.join(impl_path, '..'))
 helpers.make('clean-scheme', 'clean-interop', 'functest',
diff --git a/Modules/PQClean/test/test_valgrind.py b/Modules/PQClean/test/test_valgrind.py
index 27a6ab92..8b1b8239 100644
--- a/Modules/PQClean/test/test_valgrind.py
+++ b/Modules/PQClean/test/test_valgrind.py
@@ -42,12 +42,12 @@ def test_valgrind(implementation: pqclean.Implementation, impl_path, test_dir,
 # handle Falcon PADDED and COMPACT interop testing
 if implementation.scheme.name.startswith("falcon-"):
- if implementation.scheme.name.endswith("-padded"):
- # strip off "-padded" suffix to get interop scheme name
- interop_src = pqclean.Implementation.by_name(implementation.scheme.name[:-len("-padded")], implementation.name).path()
+ if implementation.scheme.name.startswith("falcon-padded-"):
+ # delete "-padded" to get interop scheme name
+ interop_src = pqclean.Implementation.by_name(implementation.scheme.name.replace('-padded', '', 1), implementation.name).path()
 else:
- # add "-padded" suffix to get interop scheme name
- interop_src = pqclean.Implementation.by_name(implementation.scheme.name + "-padded", implementation.name).path()
+ # add "-padded" to get interop scheme name
+ interop_src = pqclean.Implementation.by_name(implementation.scheme.name.replace('falcon-', 'falcon-padded-', 1), implementation.name).path()
 interop_dir = helpers.add_interop_files(interop_src, os.path.join(impl_path, '..'))
 helpers.make(TYPE=implementation.scheme.type, SCHEME=implementation.scheme.name,