Home Explore Help
Sign In
SMusatov
/
ydb
mirror of https://github.com/ydb-platform/ydb.git
1
0
Fork 0
Files
Branch: docs-mute
Branches Tags
ydb
/
contrib
/
restricted
/
aws
/
s2n
/
pq-crypto
/
kyber_r3
/
kyber512r3_ntt.c

kyber512r3_ntt.c 4.7 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124 
  1. #include <stdint.h>
    2. 

  2. #include "kyber512r3_params.h"
    3. 

  3. #include "kyber512r3_ntt.h"
    4. 

  4. #include "kyber512r3_reduce.h"
    5. 

  5. 

  6. S2N_ENSURE_PORTABLE_OPTIMIZATIONS
    7. 

  7. 

  8. const int16_t zetas[128] = {
    9. 

  9.     2285, 2571, 2970, 1812, 1493, 1422, 287, 202, 3158, 622, 1577, 182, 962,
    10. 

  10.     2127, 1855, 1468, 573, 2004, 264, 383, 2500, 1458, 1727, 3199, 2648, 1017,
    11. 

  11.     732, 608, 1787, 411, 3124, 1758, 1223, 652, 2777, 1015, 2036, 1491, 3047,
    12. 

  12.     1785, 516, 3321, 3009, 2663, 1711, 2167, 126, 1469, 2476, 3239, 3058, 830,
    13. 

  13.     107, 1908, 3082, 2378, 2931, 961, 1821, 2604, 448, 2264, 677, 2054, 2226,
    14. 

  14.     430, 555, 843, 2078, 871, 1550, 105, 422, 587, 177, 3094, 3038, 2869, 1574,
    15. 

  15.     1653, 3083, 778, 1159, 3182, 2552, 1483, 2727, 1119, 1739, 644, 2457, 349,
    16. 

  16.     418, 329, 3173, 3254, 817, 1097, 603, 610, 1322, 2044, 1864, 384, 2114, 3193,
    17. 

  17.     1218, 1994, 2455, 220, 2142, 1670, 2144, 1799, 2051, 794, 1819, 2475, 2459,
    18. 

  18.     478, 3221, 3021, 996, 991, 958, 1869, 1522, 1628
    19. 

  19. };
    20. 

  20. 

  21. const int16_t zetas_inv[128] = {
    22. 

  22.     1701, 1807, 1460, 2371, 2338, 2333, 308, 108, 2851, 870, 854, 1510, 2535,
    23. 

  23.     1278, 1530, 1185, 1659, 1187, 3109, 874, 1335, 2111, 136, 1215, 2945, 1465,
    24. 

  24.     1285, 2007, 2719, 2726, 2232, 2512, 75, 156, 3000, 2911, 2980, 872, 2685,
    25. 

  25.     1590, 2210, 602, 1846, 777, 147, 2170, 2551, 246, 1676, 1755, 460, 291, 235,
    26. 

  26.     3152, 2742, 2907, 3224, 1779, 2458, 1251, 2486, 2774, 2899, 1103, 1275, 2652,
    27. 

  27.     1065, 2881, 725, 1508, 2368, 398, 951, 247, 1421, 3222, 2499, 271, 90, 853,
    28. 

  28.     1860, 3203, 1162, 1618, 666, 320, 8, 2813, 1544, 282, 1838, 1293, 2314, 552,
    29. 

  29.     2677, 2106, 1571, 205, 2918, 1542, 2721, 2597, 2312, 681, 130, 1602, 1871,
    30. 

  30.     829, 2946, 3065, 1325, 2756, 1861, 1474, 1202, 2367, 3147, 1752, 2707, 171,
    31. 

  31.     3127, 3042, 1907, 1836, 1517, 359, 758, 1441
    32. 

  32. };
    33. 

  33. 

  34. /*************************************************
    35. 

  35. * Name:        fqmul
    36. 

  36. *
    37. 

  37. * Description: Multiplication followed by Montgomery reduction
    38. 

  38. *
    39. 

  39. * Arguments:   - int16_t a: first factor
    40. 

  40. *              - int16_t b: second factor
    41. 

  41. *
    42. 

  42. * Returns 16-bit integer congruent to a*b*R^{-1} mod q
    43. 

  43. **************************************************/
    44. 

  44. static int16_t fqmul(int16_t a, int16_t b) {
    45. 

  45.     return montgomery_reduce((int32_t)a * b);
    46. 

  46. }
    47. 

  47. 

  48. /*************************************************
    49. 

  49. * Name:        ntt
    50. 

  50. *
    51. 

  51. * Description: Inplace number-theoretic transform (NTT) in Rq
    52. 

  52. *              input is in standard order, output is in bitreversed order
    53. 

  53. *
    54. 

  54. * Arguments:   - int16_t r[256]: pointer to input/output vector of elements
    55. 

  55. *                                of Zq
    56. 

  56. **************************************************/
    57. 

  57. void ntt(int16_t r[256]) {
    58. 

  58.     unsigned int len, start, j, k;
    59. 

  59.     int16_t t, zeta;
    60. 

  60. 

  61.     k = 1;
    62. 

  62.     for (len = 128; len >= 2; len >>= 1) {
    63. 

  63.         for (start = 0; start < 256; start = j + len) {
    64. 

  64.             zeta = zetas[k++];
    65. 

  65.             for (j = start; j < start + len; ++j) {
    66. 

  66.                 t = fqmul(zeta, r[j + len]);
    67. 

  67.                 r[j + len] = r[j] - t;
    68. 

  68.                 r[j] = r[j] + t;
    69. 

  69.             }
    70. 

  70.         }
    71. 

  71.     }
    72. 

  72. }
    73. 

  73. 

  74. /*************************************************
    75. 

  75. * Name:        invntt_tomont
    76. 

  76. *
    77. 

  77. * Description: Inplace inverse number-theoretic transform in Rq and
    78. 

  78. *              multiplication by Montgomery factor 2^16.
    79. 

  79. *              Input is in bitreversed order, output is in standard order
    80. 

  80. *
    81. 

  81. * Arguments:   - int16_t r[256]: pointer to input/output vector of elements
    82. 

  82. *                                of Zq
    83. 

  83. **************************************************/
    84. 

  84. void invntt(int16_t r[256]) {
    85. 

  85.     unsigned int start, len, j, k;
    86. 

  86.     int16_t t, zeta;
    87. 

  87. 

  88.     k = 0;
    89. 

  89.     for (len = 2; len <= 128; len <<= 1) {
    90. 

  90.         for (start = 0; start < 256; start = j + len) {
    91. 

  91.             zeta = zetas_inv[k++];
    92. 

  92.             for (j = start; j < start + len; ++j) {
    93. 

  93.                 t = r[j];
    94. 

  94.                 r[j] = barrett_reduce(t + r[j + len]);
    95. 

  95.                 r[j + len] = t - r[j + len];
    96. 

  96.                 r[j + len] = fqmul(zeta, r[j + len]);
    97. 

  97.             }
    98. 

  98.         }
    99. 

  99.     }
    100. 

  100. 

  101.     for (j = 0; j < 256; ++j) {
    102. 

  102.         r[j] = fqmul(r[j], zetas_inv[127]);
    103. 

  103.     }
    104. 

  104. }
    105. 

  105. 

  106. /*************************************************
    107. 

  107. * Name:        basemul
    108. 

  108. *
    109. 

  109. * Description: Multiplication of polynomials in Zq[X]/(X^2-zeta)
    110. 

  110. *              used for multiplication of elements in Rq in NTT domain
    111. 

  111. *
    112. 

  112. * Arguments:   - int16_t r[2]:       pointer to the output polynomial
    113. 

  113. *              - const int16_t a[2]: pointer to the first factor
    114. 

  114. *              - const int16_t b[2]: pointer to the second factor
    115. 

  115. *              - int16_t zeta:       integer defining the reduction polynomial
    116. 

  116. **************************************************/
    117. 

  117. void basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], int16_t zeta) {
    118. 

  118.     r[0]  = fqmul(a[1], b[1]);
    119. 

  119.     r[0]  = fqmul(r[0], zeta);
    120. 

  120.     r[0] += fqmul(a[0], b[0]);
    121. 

  121. 

  122.     r[1]  = fqmul(a[0], b[1]);
    123. 

  123.     r[1] += fqmul(a[1], b[0]);
    124. 

  124. }
    125.