From 68b45d81a0154b0dfbc01429fb2b7e389fa72aeb Mon Sep 17 00:00:00 2001 From: Sebastian Ramacher Date: Mon, 9 Oct 2023 12:26:47 +0200 Subject: [PATCH] Use constants when we know them --- faest_aes.c | 789 ++++++++++++++++++++++++---------------------------- 1 file changed, 363 insertions(+), 426 deletions(-) diff --git a/faest_aes.c b/faest_aes.c index bc9b5ff..8e8aa4b 100644 --- a/faest_aes.c +++ b/faest_aes.c @@ -12,6 +12,7 @@ #include "vole.h" #include "universal_hashing.h" #include "utils.h" +#include "parameters.h" #include #include @@ -71,11 +72,9 @@ static bf256_t* column_to_row_major_and_shrink_V_256(uint8_t** v, unsigned int e // m == 1 implementations -static void aes_key_schedule_forward_1(const uint8_t* x, uint8_t Mtag, uint8_t Mkey, - const uint8_t* delta, uint8_t* out, +static void aes_key_schedule_forward_1(const uint8_t* x, uint8_t* out, const faest_paramset_t* params) { - // Step: 1 - assert(!((Mtag == 1 && Mkey == 1) || (Mkey == 1 && delta == NULL))); + // Step: 1 skipped (sanity check) const unsigned int lambda = params->faest_param.lambda; const unsigned int R = params->faest_param.R; @@ -103,11 +102,9 @@ static void aes_key_schedule_forward_1(const uint8_t* x, uint8_t Mtag, uint8_t M } } -static void aes_key_schedule_backward_1(const uint8_t* x, const uint8_t* xk, uint8_t Mtag, - uint8_t Mkey, const uint8_t* delta, uint8_t* out, +static void aes_key_schedule_backward_1(const uint8_t* x, const uint8_t* xk, uint8_t* out, const faest_paramset_t* params) { - // Step: 1 - assert(!((Mtag == 1 && Mkey == 1) || (Mkey == 1 && delta == NULL))); + // Step: 1 skipped (sanity check) const unsigned int lambda = params->faest_param.lambda; const unsigned int Ske = params->faest_param.Ske; @@ -120,30 +117,30 @@ static void aes_key_schedule_backward_1(const uint8_t* x, const uint8_t* xk, uin for (unsigned int j = 0; j < Ske; j++) { // Step 7 (bit sliced) - uint8_t x_tilde = x[j] ^ xk[(iwd + 8 * c) / 8]; + uint8_t x_tilde = x[j] ^ xk[iwd + c]; // Step 8 - if (Mtag == 0 && rmvRcon == true && c == 0) { - uint8_t rcon = Rcon[ircon]; - ircon = ircon + 1; + // this function is only called with Mtag == Mkey == 0 + if (/* Mtag == 0 && */ rmvRcon == true && c == 0) { // Steps 12 and 13, bitsliced; delta is always 0 - x_tilde ^= rcon; + x_tilde ^= Rcon[ircon]; + ++ircon; } // Step: 15..19 (bit spliced) - uint8_t y_tilde = rotr8(x_tilde, 7) ^ rotr8(x_tilde, 5) ^ rotr8(x_tilde, 2); - y_tilde ^= set_bit((1 ^ Mtag) & (1 ^ Mkey), 0); - out[j] = y_tilde ^ set_bit((1 ^ Mtag) & (1 ^ Mkey), 2); + const uint8_t y_tilde = rotr8(x_tilde, 7) ^ rotr8(x_tilde, 5) ^ rotr8(x_tilde, 2); + // this function is only called with Mtag == Mkey == 0 + // set_bit((1 ^ Mtag) & (1 ^ Mkey), 0) ^ set_bit((1 ^ Mtag) & (1 ^ Mkey), 2) == 0x5 + out[j] = y_tilde ^ 0x5; // Step: 20 - c = c + 1; - + ++c; if (c == 4) { c = 0; if (lambda == 192) { - iwd += 192; + iwd += 192 / 8; } else { - iwd += 128; + iwd += 128 / 8; if (lambda == 256) { rmvRcon = !rmvRcon; } @@ -154,42 +151,39 @@ static void aes_key_schedule_backward_1(const uint8_t* x, const uint8_t* xk, uin // lambda == 128 implementation -static void aes_key_schedule_forward_128(const bf128_t* v, uint8_t Mtag, uint8_t Mkey, - const uint8_t* delta, bf128_t* bf_out, - const faest_paramset_t* params) { - // Step: 1 - assert(!((Mtag == 1 && Mkey == 1) || (Mkey == 1 && delta == NULL))); +static void aes_key_schedule_forward_128(const bf128_t* v, bf128_t* bf_out) { + static_assert(FAEST_128F_LAMBDA == FAEST_128S_LAMBDA); + static_assert(FAEST_128F_R == FAEST_128S_R); + static_assert(FAEST_128F_Nwd == FAEST_128S_Nwd); - const unsigned int lambda = params->faest_param.lambda; - const unsigned int R = params->faest_param.R; - const unsigned int Nwd = params->faest_param.Nwd; + // Step: 1 sanity check (skipped) - memcpy(bf_out, v, lambda * sizeof(bf128_t)); + memcpy(bf_out, v, FAEST_128F_LAMBDA * sizeof(bf128_t)); // Step: 4 - unsigned int i_wd = lambda; + unsigned int i_wd = FAEST_128F_LAMBDA; // Step: 5..10 - for (unsigned int j = Nwd; j < 4 * (R + 1); j++) { - if ((j % Nwd) == 0 || (Nwd > 6 && (j % Nwd) == 4)) { + for (unsigned int j = FAEST_128F_Nwd; j < 4 * (FAEST_128F_R + 1); j++) { + if ((j % FAEST_128F_Nwd) == 0 || (FAEST_128F_Nwd > 6 && (j % FAEST_128F_Nwd) == 4)) { // copy all at once memcpy(bf_out + j * 32, v + i_wd, sizeof(bf128_t) * 32); i_wd += 32; } else { for (unsigned int i = 0; i < 32; i++) { - bf_out[(32 * j) + i] = bf128_add(bf_out[32 * (j - Nwd) + i], bf_out[32 * (j - 1) + i]); + bf_out[(32 * j) + i] = + bf128_add(bf_out[32 * (j - FAEST_128F_Nwd) + i], bf_out[32 * (j - 1) + i]); } } } } static void aes_key_schedule_backward_128(const bf128_t* v, const bf128_t* Vk, uint8_t Mtag, - uint8_t Mkey, const uint8_t* delta, bf128_t* bf_out, - const faest_paramset_t* params) { + uint8_t Mkey, const uint8_t* delta, bf128_t* bf_out) { // Step: 1 assert(!((Mtag == 1 && Mkey == 1) || (Mkey == 1 && delta == NULL))); - const unsigned int lambda = params->faest_param.lambda; - const unsigned int Ske = params->faest_param.Ske; + static_assert(FAEST_128F_LAMBDA == FAEST_128S_LAMBDA); + static_assert(FAEST_128F_Ske == FAEST_128S_Ske); const bf128_t bf_delta = delta ? bf128_load(delta) : bf128_zero(); @@ -203,7 +197,7 @@ static void aes_key_schedule_backward_128(const bf128_t* v, const bf128_t* Vk, u bf128_t bf_mkey_times_delta = bf128_mul_bit(bf_delta, Mkey); bf_mkey_times_delta = bf128_add(bf_mkey_times_delta, bf_minus_mkey); - for (unsigned int j = 0; j < Ske; j++) { + for (unsigned int j = 0; j < FAEST_128F_Ske; j++) { // Step 7 bf128_t bf_x_tilde[8]; for (unsigned int i = 0; i < 8; i++) { @@ -236,11 +230,11 @@ static void aes_key_schedule_backward_128(const bf128_t* v, const bf128_t* Vk, u if (c == 4) { c = 0; - if (lambda == 192) { + if (FAEST_128F_LAMBDA == 192) { iwd += 192; } else { iwd += 128; - if (lambda == 256) { + if (FAEST_128F_LAMBDA == 256) { rmvRcon = !rmvRcon; } } @@ -252,29 +246,28 @@ static void aes_key_schedule_constraints_128(const uint8_t* w, const bf128_t* v, const bf128_t* q, const uint8_t* delta, bf128_t* A0, bf128_t* A1, uint8_t* k, bf128_t* vk, bf128_t* B, bf128_t* qk, const faest_paramset_t* params) { - const unsigned int lambda = params->faest_param.lambda; - const unsigned int Nwd = params->faest_param.Nwd; - const unsigned int Ske = params->faest_param.Ske; - const unsigned int lambdaByte = lambda / 8; + static_assert(FAEST_128F_LAMBDA == FAEST_128S_LAMBDA); + static_assert(FAEST_128F_Ske == FAEST_128S_Ske); + static_assert(FAEST_128F_Nwd == FAEST_128S_Nwd); if (Mkey == 0) { // Step: 2 - aes_key_schedule_forward_1(w, 0, 0, NULL, k, params); + aes_key_schedule_forward_1(w, k, params); // Step: 3 - aes_key_schedule_forward_128(v, 1, 0, NULL, vk, params); + aes_key_schedule_forward_128(v, vk); // Step: 4 - uint8_t* w_dash = malloc(Ske); - aes_key_schedule_backward_1(w + lambdaByte, k, 0, 0, NULL, w_dash, params); + uint8_t w_dash[FAEST_128F_Ske]; + aes_key_schedule_backward_1(w + FAEST_128F_LAMBDA / 8, k, w_dash, params); // Step: 5 - bf128_t* v_w_dash = malloc(Ske * 8 * sizeof(bf128_t)); - aes_key_schedule_backward_128(v + lambda, vk, 1, 0, NULL, v_w_dash, params); + bf128_t v_w_dash[FAEST_128F_Ske * 8]; + aes_key_schedule_backward_128(v + FAEST_128F_LAMBDA, vk, 1, 0, NULL, v_w_dash); // Step: 6..8 - unsigned int iwd = 32 * (Nwd - 1); - for (unsigned int j = 0; j < Ske / 4; j++) { + unsigned int iwd = 32 * (FAEST_128F_Nwd - 1); + for (unsigned int j = 0; j < FAEST_128F_Ske / 4; j++) { bf128_t bf_k_hat[4]; bf128_t bf_v_k_hat[4]; bf128_t bf_w_dash_hat[4]; @@ -295,27 +288,25 @@ static void aes_key_schedule_constraints_128(const uint8_t* w, const bf128_t* v, bf128_from_bf8(bf8_one())), A0[4 * j + r]); } - if (lambda == 192) { + if (FAEST_128F_LAMBDA == 192) { iwd = iwd + 192; } else { iwd = iwd + 128; } } - free(v_w_dash); - free(w_dash); return; } // Step: 19..20 - aes_key_schedule_forward_128(q, 0, 1, delta, qk, params); - bf128_t* q_w_dash = malloc(Ske * 8 * sizeof(bf128_t)); - aes_key_schedule_backward_128(&q[lambda], qk, 0, 1, delta, q_w_dash, params); + aes_key_schedule_forward_128(q, qk); + bf128_t q_w_dash[FAEST_128F_Ske * 8]; + aes_key_schedule_backward_128(&q[FAEST_128F_LAMBDA], qk, 0, 1, delta, q_w_dash); const bf128_t bf_delta = bf128_load(delta); // Step 23..24 - unsigned int iwd = 32 * (Nwd - 1); - for (unsigned int j = 0; j < Ske / 4; j++) { + unsigned int iwd = 32 * (FAEST_128F_Nwd - 1); + for (unsigned int j = 0; j < FAEST_128F_Ske / 4; j++) { bf128_t bf_q_hat_k[4]; bf128_t bf_q_hat_w_dash[4]; for (unsigned int r = 0; r <= 3; r++) { @@ -328,19 +319,17 @@ static void aes_key_schedule_constraints_128(const uint8_t* w, const bf128_t* v, bf128_t bf_tmp = bf128_mul(bf_q_hat_k[r], bf_q_hat_w_dash[r]); B[4 * j + r] = bf128_add(bf_tmp, bf128_mul(bf_delta, bf_delta)); } - if (lambda == 192) { + if (FAEST_128F_LAMBDA == 192) { iwd = iwd + 192; } else { iwd = iwd + 128; } } - free(q_w_dash); } static void aes_enc_forward_128_1(const uint8_t* x, const uint8_t* xk, const uint8_t* in, - uint8_t Mtag, uint8_t Mkey, bf128_t* bf_y, - const faest_paramset_t* params) { - const unsigned int R = params->faest_param.R; + uint8_t Mtag, uint8_t Mkey, bf128_t* bf_y) { + static_assert(FAEST_128F_R == FAEST_128S_R); // Step: 2 for (unsigned int i = 0; i < 16; i++) { @@ -353,7 +342,7 @@ static void aes_enc_forward_128_1(const uint8_t* x, const uint8_t* xk, const uin const bf128_t bf_two = bf128_byte_combine_bits(2); const bf128_t bf_three = bf128_byte_combine_bits(3); - for (unsigned int j = 1; j < R; j++) { + for (unsigned int j = 1; j < FAEST_128F_R; j++) { for (unsigned int c = 0; c <= 3; c++) { const unsigned int ix = 128 * (j - 1) + 32 * c; const unsigned int ik = 128 * j + 32 * c; @@ -395,9 +384,8 @@ static void aes_enc_forward_128_1(const uint8_t* x, const uint8_t* xk, const uin } static void aes_enc_forward_128(const bf128_t* bf_x, const bf128_t* bf_xk, const uint8_t* in, - uint8_t Mtag, uint8_t Mkey, const uint8_t* delta, bf128_t* bf_y, - const faest_paramset_t* params) { - const unsigned int R = params->faest_param.R; + uint8_t Mtag, uint8_t Mkey, const uint8_t* delta, bf128_t* bf_y) { + static_assert(FAEST_128F_R == FAEST_128S_R); const bf128_t bf_delta = delta ? bf128_load(delta) : bf128_zero(); const bf128_t bf_minus_mtag = bf128_from_bit(1 ^ Mtag); @@ -418,7 +406,7 @@ static void aes_enc_forward_128(const bf128_t* bf_x, const bf128_t* bf_xk, const const bf128_t bf_two = bf128_byte_combine_bits(2); const bf128_t bf_three = bf128_byte_combine_bits(3); - for (unsigned int j = 1; j < R; j++) { + for (unsigned int j = 1; j < FAEST_128F_R; j++) { for (unsigned int c = 0; c <= 3; c++) { const unsigned int ix = 128 * (j - 1) + 32 * c; const unsigned int ik = 128 * j + 32 * c; @@ -460,23 +448,22 @@ static void aes_enc_forward_128(const bf128_t* bf_x, const bf128_t* bf_xk, const } static void aes_enc_backward_128_1(const uint8_t* x, const uint8_t* xk, uint8_t Mtag, uint8_t Mkey, - const uint8_t* out, bf128_t* y_out, - const faest_paramset_t* params) { - const unsigned int R = params->faest_param.R; + const uint8_t* out, bf128_t* y_out) { + static_assert(FAEST_128F_R == FAEST_128S_R); uint8_t xtilde; // Step:2..4 - for (unsigned int j = 0; j < R; j++) { + for (unsigned int j = 0; j < FAEST_128F_R; j++) { for (unsigned int c = 0; c <= 3; c++) { for (unsigned int r = 0; r <= 3; r++) { // Step: 5..6 unsigned int ird = (128 * j) + (32 * ((c - r + 4) % 4)) + (8 * r); - if (j < (R - 1)) { + if (j < (FAEST_128F_R - 1)) { // Step: 7 xtilde = x[ird / 8]; } else { // Step: 9..11 (bit spliced) - uint8_t xout = out[(ird - 128 * (R - 1)) / 8] & -((1 ^ Mtag) & (1 ^ Mkey)); + uint8_t xout = out[(ird - 128 * (FAEST_128F_R - 1)) / 8] & -((1 ^ Mtag) & (1 ^ Mkey)); xtilde = xout ^ xk[(128 + ird) / 8]; } @@ -495,8 +482,8 @@ static void aes_enc_backward_128_1(const uint8_t* x, const uint8_t* xk, uint8_t static void aes_enc_backward_128(const bf128_t* bf_x, const bf128_t* bf_xk, uint8_t Mtag, uint8_t Mkey, const uint8_t* delta, const uint8_t* out, - bf128_t* y_out, const faest_paramset_t* params) { - const unsigned int R = params->faest_param.R; + bf128_t* y_out) { + static_assert(FAEST_128F_R == FAEST_128S_R); // Step: 1 const bf128_t bf_delta = delta ? bf128_load(delta) : bf128_zero(); @@ -504,21 +491,22 @@ static void aes_enc_backward_128(const bf128_t* bf_x, const bf128_t* bf_xk, uint bf128_mul_bit(bf128_add(bf128_mul_bit(bf_delta, Mkey), bf128_from_bit(1 ^ Mkey)), 1 ^ Mtag); // Step: 2..4 - for (unsigned int j = 0; j < R; j++) { + for (unsigned int j = 0; j < FAEST_128F_R; j++) { for (unsigned int c = 0; c <= 3; c++) { for (unsigned int r = 0; r <= 3; r++) { bf128_t bf_x_tilde[8]; // Step: 5 unsigned int ird = (128 * j) + (32 * ((c - r + 4) % 4)) + (8 * r); // Step: 6 - if (j < (R - 1)) { + if (j < (FAEST_128F_R - 1)) { // Step: 7 memcpy(bf_x_tilde, bf_x + ird, sizeof(bf_x_tilde)); } else { // Step: 10 for (unsigned int i = 0; i < 8; ++i) { // Step: 11 - bf128_t bf_xout = bf128_mul_bit(factor, get_bit(out[(ird - 128 * (R - 1)) / 8], i)); + bf128_t bf_xout = + bf128_mul_bit(factor, get_bit(out[(ird - 128 * (FAEST_128F_R - 1)) / 8], i)); // Step: 12 bf_x_tilde[i] = bf128_add(bf_xout, bf_xk[128 + ird + i]); } @@ -542,91 +530,82 @@ static void aes_enc_backward_128(const bf128_t* bf_x, const bf128_t* bf_xk, uint static void aes_enc_constraints_128(const uint8_t* in, const uint8_t* out, const uint8_t* w, const bf128_t* v, const uint8_t* k, const bf128_t* vk, uint8_t Mkey, const bf128_t* q, const bf128_t* qk, - const uint8_t* delta, bf128_t* A0, bf128_t* A1, bf128_t* B, - const faest_paramset_t* params) { - const unsigned int Senc = params->faest_param.Senc; + const uint8_t* delta, bf128_t* A0, bf128_t* A1, bf128_t* B) { + static_assert(FAEST_128F_Senc == FAEST_128S_Senc); if (Mkey == 0) { - bf128_t* s = malloc(sizeof(bf128_t) * Senc); - bf128_t* vs = malloc(sizeof(bf128_t) * Senc); - bf128_t* s_dash = malloc(sizeof(bf128_t) * Senc); - bf128_t* vs_dash = malloc(sizeof(bf128_t) * Senc); - aes_enc_forward_128_1(w, k, in, 0, 0, s, params); - aes_enc_forward_128(v, vk, in, 1, 0, NULL, vs, params); - aes_enc_backward_128_1(w, k, 0, 0, out, s_dash, params); - aes_enc_backward_128(v, vk, 1, 0, NULL, out, vs_dash, params); - - for (unsigned int j = 0; j < Senc; j++) { + bf128_t s[FAEST_128F_Senc]; + bf128_t vs[FAEST_128F_Senc]; + bf128_t s_dash[FAEST_128F_Senc]; + bf128_t vs_dash[FAEST_128F_Senc]; + aes_enc_forward_128_1(w, k, in, 0, 0, s); + aes_enc_forward_128(v, vk, in, 1, 0, NULL, vs); + aes_enc_backward_128_1(w, k, 0, 0, out, s_dash); + aes_enc_backward_128(v, vk, 1, 0, NULL, out, vs_dash); + + for (unsigned int j = 0; j < FAEST_128F_Senc; j++) { A0[j] = bf128_mul(vs[j], vs_dash[j]); A1[j] = bf128_add( bf128_add(bf128_mul(bf128_add(s[j], vs[j]), bf128_add(s_dash[j], vs_dash[j])), A0[j]), bf128_one()); } - - free(vs_dash); - free(s_dash); - free(vs); - free(s); } else { // Step: 11..12 - bf128_t* qs = malloc(sizeof(bf128_t) * Senc); - bf128_t* qs_dash = malloc(sizeof(bf128_t) * Senc); - aes_enc_forward_128(q, qk, in, 0, 1, delta, qs, params); - aes_enc_backward_128(q, qk, 0, 1, delta, out, qs_dash, params); + bf128_t qs[FAEST_128F_Senc]; + bf128_t qs_dash[FAEST_128F_Senc]; + aes_enc_forward_128(q, qk, in, 0, 1, delta, qs); + aes_enc_backward_128(q, qk, 0, 1, delta, out, qs_dash); // Step: 13..14 bf128_t minus_part = bf128_mul(bf128_load(delta), bf128_load(delta)); - for (unsigned int j = 0; j < Senc; j++) { + for (unsigned int j = 0; j < FAEST_128F_Senc; j++) { B[j] = bf128_add(bf128_mul(qs[j], qs_dash[j]), minus_part); } - free(qs); - free(qs_dash); } } static void aes_prove_128(const uint8_t* w, const uint8_t* u, uint8_t** V, const uint8_t* in, const uint8_t* out, const uint8_t* chall, uint8_t* a_tilde, uint8_t* b_tilde, const faest_paramset_t* params) { - const unsigned int l = params->faest_param.l; - const unsigned int Lke = params->faest_param.Lke; - const unsigned int R = params->faest_param.R; - const unsigned int Ske = params->faest_param.Ske; - const unsigned int Senc = params->faest_param.Senc; + static_assert(FAEST_128F_L == FAEST_128S_L); + static_assert(FAEST_128F_Lke == FAEST_128S_Lke); + static_assert(FAEST_128F_R == FAEST_128S_R); + static_assert(FAEST_128F_Ske == FAEST_128S_Ske); + static_assert(FAEST_128F_Senc == FAEST_128S_Senc); // Step: 1..2 - bf128_t* bf_v = column_to_row_major_and_shrink_V_128(V, l); + bf128_t* bf_v = column_to_row_major_and_shrink_V_128(V, FAEST_128F_L); // Step: 3..4 // do nothing // Step: 6 // Step: 7 - const unsigned int length_a = Ske + Senc + 1; - bf128_t* A0 = malloc(sizeof(bf128_t) * length_a); - bf128_t* A1 = malloc(sizeof(bf128_t) * length_a); - uint8_t* k = malloc((R + 1) * 128 / 8); - bf128_t* vk = malloc(sizeof(bf128_t) * ((R + 1) * 128)); - bf128_t* qk = malloc(sizeof(bf128_t) * ((R + 1) * 128)); + bf128_t* A0 = malloc(sizeof(bf128_t) * (FAEST_128F_Ske + FAEST_128F_Senc + 1)); + bf128_t* A1 = malloc(sizeof(bf128_t) * (FAEST_128F_Ske + FAEST_128F_Senc + 1)); + uint8_t* k = malloc((FAEST_128F_R + 1) * 128 / 8); + bf128_t* vk = malloc(sizeof(bf128_t) * ((FAEST_128F_R + 1) * 128)); + bf128_t* qk = malloc(sizeof(bf128_t) * ((FAEST_128F_R + 1) * 128)); aes_key_schedule_constraints_128(w, bf_v, 0, NULL, NULL, A0, A1, k, vk, NULL, qk, params); // Step: Skipping 8 in implementation // Step: 9 // Step: 10,11 - aes_enc_constraints_128(in, out, w + Lke / 8, bf_v + Lke, k, vk, 0, NULL, NULL, NULL, A0 + Ske, - A1 + Ske, NULL, params); + aes_enc_constraints_128(in, out, w + FAEST_128F_Lke / 8, bf_v + FAEST_128F_Lke, k, vk, 0, NULL, + NULL, NULL, A0 + FAEST_128F_Ske, A1 + FAEST_128F_Ske, NULL); // Step: 12 (beta == 1) free(qk); free(vk); free(k); // Step: 16..18 - A1[length_a - 1] = bf128_load(u + l / 8); - A0[length_a - 1] = bf128_sum_poly(bf_v + l); + A1[FAEST_128F_Ske + FAEST_128F_Senc] = bf128_load(u + FAEST_128F_L / 8); + A0[FAEST_128F_Ske + FAEST_128F_Senc] = bf128_sum_poly(bf_v + FAEST_128F_L); free(bf_v); - zk_hash_128(a_tilde, chall, A1, length_a - 1); - zk_hash_128(b_tilde, chall, A0, length_a - 1); + zk_hash_128(a_tilde, chall, A1, FAEST_128F_Ske + FAEST_128F_Senc); + zk_hash_128(b_tilde, chall, A0, FAEST_128F_Ske + FAEST_128F_Senc); free(A0); free(A1); @@ -635,18 +614,17 @@ static void aes_prove_128(const uint8_t* w, const uint8_t* u, uint8_t** V, const static uint8_t* aes_verify_128(const uint8_t* d, uint8_t** Q, const uint8_t* chall_2, const uint8_t* chall_3, const uint8_t* a_tilde, const uint8_t* in, const uint8_t* out, const faest_paramset_t* params) { - const unsigned int lambda = params->faest_param.lambda; - const unsigned int tau = params->faest_param.tau; - const unsigned int t0 = params->faest_param.t0; - const unsigned int k0 = params->faest_param.k0; - const unsigned int t1 = params->faest_param.t1; - const unsigned int k1 = params->faest_param.k1; - const unsigned int l = params->faest_param.l; - const unsigned int Lke = params->faest_param.Lke; - const unsigned int R = params->faest_param.R; - const unsigned int Ske = params->faest_param.Ske; - const unsigned int Senc = params->faest_param.Senc; - const unsigned int lambdaBytes = lambda / 8; + static_assert(FAEST_128F_L == FAEST_128S_L); + static_assert(FAEST_128F_Lke == FAEST_128S_Lke); + static_assert(FAEST_128F_R == FAEST_128S_R); + static_assert(FAEST_128F_Ske == FAEST_128S_Ske); + static_assert(FAEST_128F_Senc == FAEST_128S_Senc); + + const unsigned int tau = params->faest_param.tau; + const unsigned int t0 = params->faest_param.t0; + const unsigned int k0 = params->faest_param.k0; + const unsigned int t1 = params->faest_param.t1; + const unsigned int k1 = params->faest_param.k1; // Step: 1 const uint8_t* delta = chall_3; @@ -660,38 +638,34 @@ static uint8_t* aes_verify_128(const uint8_t* d, uint8_t** Q, const uint8_t* cha ChalDec(chall_3, i, k0, t0, k1, t1, decoded_challenge); for (unsigned int j = 0; j < depth; j++, ++col) { if (decoded_challenge[j] == 1) { - xor_u8_array(d, Q[col], Q[col], (l + 7) / 8); + xor_u8_array(d, Q[col], Q[col], (FAEST_128F_L + 7) / 8); } } } // Step: 11..12 - bf128_t* bf_q = column_to_row_major_and_shrink_V_128(Q, l); + bf128_t* bf_q = column_to_row_major_and_shrink_V_128(Q, FAEST_128F_L); // Step: 13 - const unsigned int length_b = Ske + Senc + 1; - uint8_t* k = malloc((R + 1) * 128); - bf128_t* vk = malloc(sizeof(bf128_t) * ((R + 1) * 128)); - bf128_t* qk = malloc(sizeof(bf128_t) * ((R + 1) * 128)); - bf128_t* B_0 = malloc(sizeof(bf128_t) * length_b); - aes_key_schedule_constraints_128(NULL, NULL, 1, bf_q, delta, NULL, NULL, k, vk, B_0, qk, params); + bf128_t* qk = malloc(sizeof(bf128_t) * ((FAEST_128F_R + 1) * 128)); + bf128_t* B_0 = malloc(sizeof(bf128_t) * (FAEST_128F_Ske + FAEST_128F_Senc + 1)); + aes_key_schedule_constraints_128(NULL, NULL, 1, bf_q, delta, NULL, NULL, NULL, NULL, B_0, qk, + params); // Step: 14 - bf128_t* B_1 = B_0 + Ske; - aes_enc_constraints_128(in, out, NULL, NULL, NULL, NULL, 1, bf_q + Lke, qk, delta, NULL, NULL, - B_1, params); + bf128_t* B_1 = B_0 + FAEST_128F_Ske; + aes_enc_constraints_128(in, out, NULL, NULL, NULL, NULL, 1, bf_q + FAEST_128F_Lke, qk, delta, + NULL, NULL, B_1); // Step: 18 (beta == 1) free(qk); - free(vk); - free(k); // Step: 20 - B_0[length_b - 1] = bf128_sum_poly(bf_q + l); + B_0[FAEST_128F_Ske + FAEST_128F_Senc] = bf128_sum_poly(bf_q + FAEST_128F_L); free(bf_q); // Step 21 - uint8_t* q_tilde = malloc(lambdaBytes); - zk_hash_128(q_tilde, chall_2, B_0, length_b - 1); + uint8_t* q_tilde = malloc(FAEST_128F_LAMBDA / 8); + zk_hash_128(q_tilde, chall_2, B_0, FAEST_128F_Ske + FAEST_128F_Senc); free(B_0); bf128_t bf_qtilde = bf128_load(q_tilde); @@ -702,41 +676,38 @@ static uint8_t* aes_verify_128(const uint8_t* d, uint8_t** Q, const uint8_t* cha // lambda == 192 implementation -static void aes_key_schedule_forward_192(const bf192_t* v, uint8_t Mtag, uint8_t Mkey, - const uint8_t* delta, bf192_t* bf_out, - const faest_paramset_t* params) { - // Step: 1 - assert(!((Mtag == 1 && Mkey == 1) || (Mkey == 1 && delta == NULL))); +static void aes_key_schedule_forward_192(const bf192_t* v, bf192_t* bf_out) { + static_assert(FAEST_192F_LAMBDA == FAEST_192S_LAMBDA); + static_assert(FAEST_192F_Nwd == FAEST_192S_Nwd); + static_assert(FAEST_192F_R == FAEST_192S_R); - const unsigned int lambda = params->faest_param.lambda; - const unsigned int R = params->faest_param.R; - const unsigned int Nwd = params->faest_param.Nwd; + // Step: 1 sanity check (skipped) - memcpy(bf_out, v, lambda * sizeof(bf192_t)); + memcpy(bf_out, v, FAEST_192F_LAMBDA * sizeof(bf192_t)); // Step: 4 - unsigned int i_wd = lambda; + unsigned int i_wd = FAEST_192F_LAMBDA; // Step: 5..10 - for (unsigned int j = Nwd; j < 4 * (R + 1); j++) { - if ((j % Nwd) == 0 || (Nwd > 6 && (j % Nwd) == 4)) { + for (unsigned int j = FAEST_192F_Nwd; j < 4 * (FAEST_192F_R + 1); j++) { + if ((j % FAEST_192F_Nwd) == 0 || (FAEST_192F_Nwd > 6 && (j % FAEST_192F_Nwd) == 4)) { memcpy(bf_out + j * 32, v + i_wd, sizeof(bf192_t) * 32); i_wd += 32; } else { for (unsigned int i = 0; i < 32; i++) { - bf_out[(32 * j) + i] = bf192_add(bf_out[32 * (j - Nwd) + i], bf_out[32 * (j - 1) + i]); + bf_out[(32 * j) + i] = + bf192_add(bf_out[32 * (j - FAEST_192F_Nwd) + i], bf_out[32 * (j - 1) + i]); } } } } static void aes_key_schedule_backward_192(const bf192_t* v, const bf192_t* Vk, uint8_t Mtag, - uint8_t Mkey, const uint8_t* delta, bf192_t* bf_out, - const faest_paramset_t* params) { + uint8_t Mkey, const uint8_t* delta, bf192_t* bf_out) { // Step: 1 assert(!((Mtag == 1 && Mkey == 1) || (Mkey == 1 && delta == NULL))); - const unsigned int lambda = params->faest_param.lambda; - const unsigned int Ske = params->faest_param.Ske; + static_assert(FAEST_192F_LAMBDA == FAEST_192S_LAMBDA); + static_assert(FAEST_192F_Ske == FAEST_192S_Ske); const bf192_t bf_delta = delta ? bf192_load(delta) : bf192_zero(); unsigned int iwd = 0; @@ -749,7 +720,7 @@ static void aes_key_schedule_backward_192(const bf192_t* v, const bf192_t* Vk, u bf192_t bf_mkey_times_delta = bf192_mul_bit(bf_delta, Mkey); bf_mkey_times_delta = bf192_add(bf_mkey_times_delta, bf_minus_mkey); - for (unsigned int j = 0; j < Ske; j++) { + for (unsigned int j = 0; j < FAEST_192F_Ske; j++) { // Step 7 bf192_t bf_x_tilde[8]; for (unsigned int i = 0; i < 8; i++) { @@ -782,11 +753,11 @@ static void aes_key_schedule_backward_192(const bf192_t* v, const bf192_t* Vk, u if (c == 4) { c = 0; - if (lambda == 192) { + if (FAEST_192F_LAMBDA == 192) { iwd += 192; } else { iwd += 128; - if (lambda == 256) { + if (FAEST_192F_LAMBDA == 256) { rmvRcon = !rmvRcon; } } @@ -798,29 +769,28 @@ static void aes_key_schedule_constraints_192(const uint8_t* w, const bf192_t* v, const bf192_t* q, const uint8_t* delta, bf192_t* A0, bf192_t* A1, uint8_t* k, bf192_t* vk, bf192_t* B, bf192_t* qk, const faest_paramset_t* params) { - const unsigned int lambda = params->faest_param.lambda; - const unsigned int Nwd = params->faest_param.Nwd; - const unsigned int Ske = params->faest_param.Ske; - const unsigned int lambdaByte = lambda / 8; + static_assert(FAEST_192F_LAMBDA == FAEST_192S_LAMBDA); + static_assert(FAEST_192F_Nwd == FAEST_192S_Nwd); + static_assert(FAEST_192F_Ske == FAEST_192S_Ske); if (Mkey == 0) { // Step: 2 - aes_key_schedule_forward_1(w, 0, 0, NULL, k, params); + aes_key_schedule_forward_1(w, k, params); // Step: 3 - aes_key_schedule_forward_192(v, 1, 0, NULL, vk, params); + aes_key_schedule_forward_192(v, vk); // Step: 4 - uint8_t* w_dash = malloc(Ske); - aes_key_schedule_backward_1(w + lambdaByte, k, 0, 0, NULL, w_dash, params); + uint8_t w_dash[FAEST_192F_Ske]; + aes_key_schedule_backward_1(w + FAEST_192F_LAMBDA / 8, k, w_dash, params); // Step: 5 - bf192_t* v_w_dash = malloc(Ske * 8 * sizeof(bf192_t)); - aes_key_schedule_backward_192(v + lambda, vk, 1, 0, NULL, v_w_dash, params); + bf192_t v_w_dash[FAEST_192F_Ske * 8]; + aes_key_schedule_backward_192(v + FAEST_192F_LAMBDA, vk, 1, 0, NULL, v_w_dash); // Step: 6..8 - unsigned int iwd = 32 * (Nwd - 1); - for (unsigned int j = 0; j < Ske / 4; j++) { + unsigned int iwd = 32 * (FAEST_192F_Nwd - 1); + for (unsigned int j = 0; j < FAEST_192F_Ske / 4; j++) { bf192_t bf_k_hat[4]; bf192_t bf_v_k_hat[4]; bf192_t bf_w_dash_hat[4]; @@ -841,27 +811,25 @@ static void aes_key_schedule_constraints_192(const uint8_t* w, const bf192_t* v, bf192_from_bf8(bf8_one())), A0[4 * j + r]); } - if (lambda == 192) { + if (FAEST_192F_LAMBDA == 192) { iwd = iwd + 192; } else { iwd = iwd + 128; } } - free(v_w_dash); - free(w_dash); return; } // Step: 19..20 - aes_key_schedule_forward_192(q, 0, 1, delta, qk, params); - bf192_t* q_w_dash = malloc(Ske * 8 * sizeof(bf192_t)); - aes_key_schedule_backward_192(&q[lambda], qk, 0, 1, delta, q_w_dash, params); + aes_key_schedule_forward_192(q, qk); + bf192_t q_w_dash[FAEST_192F_Ske * 8]; + aes_key_schedule_backward_192(&q[FAEST_192F_LAMBDA], qk, 0, 1, delta, q_w_dash); const bf192_t bf_delta = bf192_load(delta); // Step 23..24 - unsigned int iwd = 32 * (Nwd - 1); - for (unsigned int j = 0; j < Ske / 4; j++) { + unsigned int iwd = 32 * (FAEST_192F_Nwd - 1); + for (unsigned int j = 0; j < FAEST_192F_Ske / 4; j++) { bf192_t bf_q_hat_k[4]; bf192_t bf_q_hat_w_dash[4]; for (unsigned int r = 0; r <= 3; r++) { @@ -874,19 +842,17 @@ static void aes_key_schedule_constraints_192(const uint8_t* w, const bf192_t* v, bf192_t bf_tmp = bf192_mul(bf_q_hat_k[r], bf_q_hat_w_dash[r]); B[4 * j + r] = bf192_add(bf_tmp, bf192_mul(bf_delta, bf_delta)); } - if (lambda == 192) { + if (FAEST_192F_LAMBDA == 192) { iwd = iwd + 192; } else { iwd = iwd + 128; } } - free(q_w_dash); } static void aes_enc_forward_192_1(const uint8_t* x, const uint8_t* xk, const uint8_t* in, - uint8_t Mtag, uint8_t Mkey, bf192_t* bf_y, - const faest_paramset_t* params) { - const unsigned int R = params->faest_param.R; + uint8_t Mtag, uint8_t Mkey, bf192_t* bf_y) { + static_assert(FAEST_192F_R == FAEST_192S_R); // Step: 2 for (unsigned int i = 0; i < 16; i++) { @@ -899,7 +865,7 @@ static void aes_enc_forward_192_1(const uint8_t* x, const uint8_t* xk, const uin const bf192_t bf_two = bf192_byte_combine_bits(2); const bf192_t bf_three = bf192_byte_combine_bits(3); - for (unsigned int j = 1; j < R; j++) { + for (unsigned int j = 1; j < FAEST_192F_R; j++) { for (unsigned int c = 0; c <= 3; c++) { const unsigned int ix = 128 * (j - 1) + 32 * c; const unsigned int ik = 128 * j + 32 * c; @@ -942,9 +908,8 @@ static void aes_enc_forward_192_1(const uint8_t* x, const uint8_t* xk, const uin } static void aes_enc_forward_192(const bf192_t* bf_x, const bf192_t* bf_xk, const uint8_t* in, - uint8_t Mtag, uint8_t Mkey, const uint8_t* delta, bf192_t* bf_y, - const faest_paramset_t* params) { - const unsigned int R = params->faest_param.R; + uint8_t Mtag, uint8_t Mkey, const uint8_t* delta, bf192_t* bf_y) { + static_assert(FAEST_192F_R == FAEST_192S_R); const bf192_t bf_delta = delta ? bf192_load(delta) : bf192_zero(); const bf192_t bf_minus_mtag = bf192_from_bit(1 ^ Mtag); @@ -964,7 +929,7 @@ static void aes_enc_forward_192(const bf192_t* bf_x, const bf192_t* bf_xk, const const bf192_t bf_two = bf192_byte_combine_bits(2); const bf192_t bf_three = bf192_byte_combine_bits(3); - for (unsigned int j = 1; j < R; j++) { + for (unsigned int j = 1; j < FAEST_192F_R; j++) { for (unsigned int c = 0; c <= 3; c++) { const unsigned int ix = 128 * (j - 1) + 32 * c; const unsigned int ik = 128 * j + 32 * c; @@ -1006,23 +971,22 @@ static void aes_enc_forward_192(const bf192_t* bf_x, const bf192_t* bf_xk, const } static void aes_enc_backward_192_1(const uint8_t* x, const uint8_t* xk, uint8_t Mtag, uint8_t Mkey, - const uint8_t* out, bf192_t* y_out, - const faest_paramset_t* params) { - const unsigned int R = params->faest_param.R; + const uint8_t* out, bf192_t* y_out) { + static_assert(FAEST_192F_R == FAEST_192S_R); uint8_t xtilde; // Step:2..4 - for (unsigned int j = 0; j < R; j++) { + for (unsigned int j = 0; j < FAEST_192F_R; j++) { for (unsigned int c = 0; c <= 3; c++) { for (unsigned int r = 0; r <= 3; r++) { // Step: 5..6 unsigned int ird = (128 * j) + (32 * ((c - r + 4) % 4)) + (8 * r); - if (j < (R - 1)) { + if (j < (FAEST_192F_R - 1)) { // Step: 7 xtilde = x[ird / 8]; } else { // Step: 9..11 (bit spliced) - uint8_t xout = out[(ird - 128 * (R - 1)) / 8] & -((1 ^ Mtag) & (1 ^ Mkey)); + uint8_t xout = out[(ird - 128 * (FAEST_192F_R - 1)) / 8] & -((1 ^ Mtag) & (1 ^ Mkey)); xtilde = xout ^ xk[(128 + ird) / 8]; } @@ -1041,8 +1005,8 @@ static void aes_enc_backward_192_1(const uint8_t* x, const uint8_t* xk, uint8_t static void aes_enc_backward_192(const bf192_t* bf_x, const bf192_t* bf_xk, uint8_t Mtag, uint8_t Mkey, const uint8_t* delta, const uint8_t* out, - bf192_t* y_out, const faest_paramset_t* params) { - const unsigned int R = params->faest_param.R; + bf192_t* y_out) { + static_assert(FAEST_192F_R == FAEST_192S_R); // Step: 1 const bf192_t bf_delta = delta ? bf192_load(delta) : bf192_zero(); @@ -1050,21 +1014,22 @@ static void aes_enc_backward_192(const bf192_t* bf_x, const bf192_t* bf_xk, uint bf192_mul_bit(bf192_add(bf192_mul_bit(bf_delta, Mkey), bf192_from_bit(1 ^ Mkey)), 1 ^ Mtag); // Step: 2..4 - for (unsigned int j = 0; j < R; j++) { + for (unsigned int j = 0; j < FAEST_192F_R; j++) { for (unsigned int c = 0; c <= 3; c++) { for (unsigned int r = 0; r <= 3; r++) { bf192_t bf_x_tilde[8]; // Step: 5 unsigned int ird = (128 * j) + (32 * ((c - r + 4) % 4)) + (8 * r); // Step: 6 - if (j < (R - 1)) { + if (j < (FAEST_192F_R - 1)) { // Step: 7 memcpy(bf_x_tilde, bf_x + ird, sizeof(bf_x_tilde)); } else { // Step: 10 for (unsigned int i = 0; i < 8; ++i) { // Step: 11 - bf192_t bf_xout = bf192_mul_bit(factor, get_bit(out[(ird - 128 * (R - 1)) / 8], i)); + bf192_t bf_xout = + bf192_mul_bit(factor, get_bit(out[(ird - 128 * (FAEST_192F_R - 1)) / 8], i)); // Step: 12 bf_x_tilde[i] = bf192_add(bf_xout, bf_xk[128 + ird + i]); } @@ -1088,94 +1053,86 @@ static void aes_enc_backward_192(const bf192_t* bf_x, const bf192_t* bf_xk, uint static void aes_enc_constraints_192(const uint8_t* in, const uint8_t* out, const uint8_t* w, const bf192_t* v, const uint8_t* k, const bf192_t* vk, uint8_t Mkey, const bf192_t* q, const bf192_t* qk, - const uint8_t* delta, bf192_t* A0, bf192_t* A1, bf192_t* B, - const faest_paramset_t* params) { - const unsigned int Senc = params->faest_param.Senc; + const uint8_t* delta, bf192_t* A0, bf192_t* A1, bf192_t* B) { + static_assert(FAEST_192F_Senc == FAEST_192S_Senc); if (Mkey == 0) { - bf192_t* s = malloc(sizeof(bf192_t) * Senc); - bf192_t* vs = malloc(sizeof(bf192_t) * Senc); - bf192_t* s_dash = malloc(sizeof(bf192_t) * Senc); - bf192_t* vs_dash = malloc(sizeof(bf192_t) * Senc); - aes_enc_forward_192_1(w, k, in, 0, 0, s, params); - aes_enc_forward_192(v, vk, in, 1, 0, NULL, vs, params); - aes_enc_backward_192_1(w, k, 0, 0, out, s_dash, params); - aes_enc_backward_192(v, vk, 1, 0, NULL, out, vs_dash, params); - - for (unsigned int j = 0; j < Senc; j++) { + bf192_t s[FAEST_192F_Senc]; + bf192_t vs[FAEST_192F_Senc]; + bf192_t s_dash[FAEST_192F_Senc]; + bf192_t vs_dash[FAEST_192F_Senc]; + aes_enc_forward_192_1(w, k, in, 0, 0, s); + aes_enc_forward_192(v, vk, in, 1, 0, NULL, vs); + aes_enc_backward_192_1(w, k, 0, 0, out, s_dash); + aes_enc_backward_192(v, vk, 1, 0, NULL, out, vs_dash); + + for (unsigned int j = 0; j < FAEST_192F_Senc; j++) { A0[j] = bf192_mul(vs[j], vs_dash[j]); A1[j] = bf192_add( bf192_add(bf192_mul(bf192_add(s[j], vs[j]), bf192_add(s_dash[j], vs_dash[j])), A0[j]), bf192_one()); } - - free(vs_dash); - free(s_dash); - free(vs); - free(s); } else { // Step: 11..12 - bf192_t* qs = malloc(sizeof(bf192_t) * Senc); - bf192_t* qs_dash = malloc(sizeof(bf192_t) * Senc); - aes_enc_forward_192(q, qk, in, 0, 1, delta, qs, params); - aes_enc_backward_192(q, qk, 0, 1, delta, out, qs_dash, params); + bf192_t qs[FAEST_192F_Senc]; + bf192_t qs_dash[FAEST_192F_Senc]; + aes_enc_forward_192(q, qk, in, 0, 1, delta, qs); + aes_enc_backward_192(q, qk, 0, 1, delta, out, qs_dash); // Step: 13..14 bf192_t minus_part = bf192_mul(bf192_load(delta), bf192_load(delta)); - for (unsigned int j = 0; j < Senc; j++) { + for (unsigned int j = 0; j < FAEST_192F_Senc; j++) { B[j] = bf192_add(bf192_mul(qs[j], qs_dash[j]), minus_part); } - free(qs); - free(qs_dash); } } static void aes_prove_192(const uint8_t* w, const uint8_t* u, uint8_t** V, const uint8_t* in, const uint8_t* out, const uint8_t* chall, uint8_t* a_tilde, uint8_t* b_tilde, const faest_paramset_t* params) { - const unsigned int l = params->faest_param.l; - const unsigned int Lke = params->faest_param.Lke; - const unsigned int Lenc = params->faest_param.Lenc; - const unsigned int R = params->faest_param.R; - const unsigned int Ske = params->faest_param.Ske; - const unsigned int Senc = params->faest_param.Senc; + static_assert(FAEST_192F_L == FAEST_192S_L); + static_assert(FAEST_192F_Lke == FAEST_192S_Lke); + static_assert(FAEST_192F_R == FAEST_192S_R); + static_assert(FAEST_192F_Ske == FAEST_192S_Ske); + static_assert(FAEST_192F_Senc == FAEST_192S_Senc); // Step: 1..2 - bf192_t* bf_v = column_to_row_major_and_shrink_V_192(V, l); + bf192_t* bf_v = column_to_row_major_and_shrink_V_192(V, FAEST_192F_L); // Step: 3..4 // do nothing // Step: 6 // Step: 7 - const unsigned int length_a = Ske + 2 * Senc + 1; - bf192_t* A0 = malloc(sizeof(bf192_t) * length_a); - bf192_t* A1 = malloc(sizeof(bf192_t) * length_a); - uint8_t* k = malloc((R + 1) * 128 / 8); - bf192_t* vk = malloc(sizeof(bf192_t) * ((R + 1) * 128)); - bf192_t* qk = malloc(sizeof(bf192_t) * ((R + 1) * 128)); + bf192_t* A0 = malloc(sizeof(bf192_t) * (FAEST_192F_Ske + 2 * FAEST_192F_Senc + 1)); + bf192_t* A1 = malloc(sizeof(bf192_t) * (FAEST_192F_Ske + 2 * FAEST_192F_Senc + 1)); + uint8_t* k = malloc((FAEST_192F_R + 1) * 128 / 8); + bf192_t* vk = malloc(sizeof(bf192_t) * ((FAEST_192F_R + 1) * 128)); + bf192_t* qk = malloc(sizeof(bf192_t) * ((FAEST_192F_R + 1) * 128)); aes_key_schedule_constraints_192(w, bf_v, 0, NULL, NULL, A0, A1, k, vk, NULL, qk, params); // Step: Skipping 8 in implementation // Step: 9 // Step: 10,11 - aes_enc_constraints_192(in, out, w + Lke / 8, bf_v + Lke, k, vk, 0, NULL, NULL, NULL, A0 + Ske, - A1 + Ske, NULL, params); + aes_enc_constraints_192(in, out, w + FAEST_192F_Lke / 8, bf_v + FAEST_192F_Lke, k, vk, 0, NULL, + NULL, NULL, A0 + FAEST_192F_Ske, A1 + FAEST_192F_Ske, NULL); // Step: 12-15 - aes_enc_constraints_192(in + 16, out + 16, w + (Lke + Lenc) / 8, bf_v + Lke + Lenc, k, vk, 0, - NULL, NULL, NULL, A0 + (Ske + Senc), A1 + (Ske + Senc), NULL, params); + aes_enc_constraints_192(in + 16, out + 16, w + (FAEST_192F_Lke + FAEST_192F_Lenc) / 8, + bf_v + FAEST_192F_Lke + FAEST_192F_Lenc, k, vk, 0, NULL, NULL, NULL, + A0 + (FAEST_192F_Ske + FAEST_192F_Senc), + A1 + (FAEST_192F_Ske + FAEST_192F_Senc), NULL); free(qk); free(vk); free(k); // Step: 16..18 - A1[length_a - 1] = bf192_load(u + l / 8); - A0[length_a - 1] = bf192_sum_poly(bf_v + l); + A1[FAEST_192F_Ske + 2 * FAEST_192F_Senc] = bf192_load(u + FAEST_192F_L / 8); + A0[FAEST_192F_Ske + 2 * FAEST_192F_Senc] = bf192_sum_poly(bf_v + FAEST_192F_L); free(bf_v); - zk_hash_192(a_tilde, chall, A1, length_a - 1); - zk_hash_192(b_tilde, chall, A0, length_a - 1); + zk_hash_192(a_tilde, chall, A1, FAEST_192F_Ske + 2 * FAEST_192F_Senc); + zk_hash_192(b_tilde, chall, A0, FAEST_192F_Ske + 2 * FAEST_192F_Senc); free(A0); free(A1); @@ -1184,19 +1141,17 @@ static void aes_prove_192(const uint8_t* w, const uint8_t* u, uint8_t** V, const static uint8_t* aes_verify_192(const uint8_t* d, uint8_t** Q, const uint8_t* chall_2, const uint8_t* chall_3, const uint8_t* a_tilde, const uint8_t* in, const uint8_t* out, const faest_paramset_t* params) { - const unsigned int lambda = params->faest_param.lambda; - const unsigned int tau = params->faest_param.tau; - const unsigned int t0 = params->faest_param.t0; - const unsigned int k0 = params->faest_param.k0; - const unsigned int t1 = params->faest_param.t1; - const unsigned int k1 = params->faest_param.k1; - const unsigned int l = params->faest_param.l; - const unsigned int Lke = params->faest_param.Lke; - const unsigned int Lenc = params->faest_param.Lenc; - const unsigned int R = params->faest_param.R; - const unsigned int Ske = params->faest_param.Ske; - const unsigned int Senc = params->faest_param.Senc; - const unsigned int lambdaBytes = lambda / 8; + static_assert(FAEST_192F_L == FAEST_192S_L); + static_assert(FAEST_192F_Lke == FAEST_192S_Lke); + static_assert(FAEST_192F_R == FAEST_192S_R); + static_assert(FAEST_192F_Ske == FAEST_192S_Ske); + static_assert(FAEST_192F_Senc == FAEST_192S_Senc); + + const unsigned int tau = params->faest_param.tau; + const unsigned int t0 = params->faest_param.t0; + const unsigned int k0 = params->faest_param.k0; + const unsigned int t1 = params->faest_param.t1; + const unsigned int k1 = params->faest_param.k1; // Step: 1 const uint8_t* delta = chall_3; @@ -1210,42 +1165,41 @@ static uint8_t* aes_verify_192(const uint8_t* d, uint8_t** Q, const uint8_t* cha ChalDec(chall_3, i, k0, t0, k1, t1, decoded_challenge); for (unsigned int j = 0; j < depth; j++, ++col) { if (decoded_challenge[j] == 1) { - xor_u8_array(d, Q[col], Q[col], (l + 7) / 8); + xor_u8_array(d, Q[col], Q[col], (FAEST_192F_L + 7) / 8); } } } // Step: 11..12 - bf192_t* bf_q = column_to_row_major_and_shrink_V_192(Q, l); + bf192_t* bf_q = column_to_row_major_and_shrink_V_192(Q, FAEST_192F_L); // Step: 13 - const unsigned int length_b = Ske + 2 * Senc + 1; - uint8_t* k = malloc((R + 1) * 128); - bf192_t* vk = malloc(sizeof(bf192_t) * ((R + 1) * 128)); - bf192_t* qk = malloc(sizeof(bf192_t) * ((R + 1) * 128)); - bf192_t* B_0 = malloc(sizeof(bf192_t) * length_b); + uint8_t* k = malloc((FAEST_192F_R + 1) * 128); + bf192_t* vk = malloc(sizeof(bf192_t) * ((FAEST_192F_R + 1) * 128)); + bf192_t* qk = malloc(sizeof(bf192_t) * ((FAEST_192F_R + 1) * 128)); + bf192_t* B_0 = malloc(sizeof(bf192_t) * (FAEST_192F_Ske + 2 * FAEST_192F_Senc + 1)); aes_key_schedule_constraints_192(NULL, NULL, 1, bf_q, delta, NULL, NULL, k, vk, B_0, qk, params); // Step: 14 - bf192_t* B_1 = B_0 + Ske; - aes_enc_constraints_192(in, out, NULL, NULL, NULL, NULL, 1, bf_q + Lke, qk, delta, NULL, NULL, - B_1, params); + bf192_t* B_1 = B_0 + FAEST_192F_Ske; + aes_enc_constraints_192(in, out, NULL, NULL, NULL, NULL, 1, bf_q + FAEST_192F_Lke, qk, delta, + NULL, NULL, B_1); // Step: 18 - bf192_t* B_2 = B_0 + (Ske + Senc); - aes_enc_constraints_192(in + 16, out + 16, NULL, NULL, NULL, NULL, 1, bf_q + (Lke + Lenc), qk, - delta, NULL, NULL, B_2, params); + bf192_t* B_2 = B_0 + FAEST_192F_Ske + FAEST_192F_Senc; + aes_enc_constraints_192(in + 16, out + 16, NULL, NULL, NULL, NULL, 1, + bf_q + FAEST_192F_Lke + FAEST_192F_Lenc, qk, delta, NULL, NULL, B_2); free(qk); free(vk); free(k); // Step: 20 - B_0[length_b - 1] = bf192_sum_poly(bf_q + l); + B_0[FAEST_192F_Ske + 2 * FAEST_192F_Senc] = bf192_sum_poly(bf_q + FAEST_192F_L); free(bf_q); // Step 21 - uint8_t* q_tilde = malloc(lambdaBytes); - zk_hash_192(q_tilde, chall_2, B_0, length_b - 1); + uint8_t* q_tilde = malloc(FAEST_192F_LAMBDA / 8); + zk_hash_192(q_tilde, chall_2, B_0, FAEST_192F_Ske + 2 * FAEST_192F_Senc); free(B_0); bf192_t bf_qtilde = bf192_load(q_tilde); @@ -1256,42 +1210,38 @@ static uint8_t* aes_verify_192(const uint8_t* d, uint8_t** Q, const uint8_t* cha // lambda == 256 implementation -static void aes_key_schedule_forward_256(const bf256_t* v, uint8_t Mtag, uint8_t Mkey, - const uint8_t* delta, bf256_t* bf_out, - const faest_paramset_t* params) { - // Step: 1 - assert(!((Mtag == 1 && Mkey == 1) || (Mkey == 1 && delta == NULL))); +static void aes_key_schedule_forward_256(const bf256_t* v, bf256_t* bf_out) { + static_assert(FAEST_256F_LAMBDA == FAEST_256S_LAMBDA); + static_assert(FAEST_256F_Ske == FAEST_256S_Ske); - const unsigned int lambda = params->faest_param.lambda; - const unsigned int R = params->faest_param.R; - const unsigned int Nwd = params->faest_param.Nwd; + // Step: 1 sanity check (skipped) - memcpy(bf_out, v, sizeof(bf256_t) * lambda); + memcpy(bf_out, v, sizeof(bf256_t) * FAEST_256F_LAMBDA); // Step: 4 - unsigned int i_wd = lambda; + unsigned int i_wd = FAEST_256F_LAMBDA; // Step: 5..10 - for (unsigned int j = Nwd; j < 4 * (R + 1); j++) { - if ((j % Nwd) == 0 || (Nwd > 6 && (j % Nwd) == 4)) { + for (unsigned int j = FAEST_256F_Nwd; j < 4 * (FAEST_256F_R + 1); j++) { + if ((j % FAEST_256F_Nwd) == 0 || (FAEST_256F_Nwd > 6 && (j % FAEST_256F_Nwd) == 4)) { memcpy(bf_out + j * 32, v + i_wd, sizeof(bf256_t) * 32); i_wd += 32; } else { for (unsigned int i = 0; i < 32; i++) { - bf_out[(32 * j) + i] = bf256_add(bf_out[32 * (j - Nwd) + i], bf_out[32 * (j - 1) + i]); + bf_out[(32 * j) + i] = + bf256_add(bf_out[32 * (j - FAEST_256F_Nwd) + i], bf_out[32 * (j - 1) + i]); } } } } static void aes_key_schedule_backward_256(const bf256_t* v, const bf256_t* Vk, uint8_t Mtag, - uint8_t Mkey, const uint8_t* delta, bf256_t* bf_out, - const faest_paramset_t* params) { + uint8_t Mkey, const uint8_t* delta, bf256_t* bf_out) { + static_assert(FAEST_256F_LAMBDA == FAEST_256S_LAMBDA); + static_assert(FAEST_256F_Ske == FAEST_256S_Ske); + // Step: 1 assert(!((Mtag == 1 && Mkey == 1) || (Mkey == 1 && delta == NULL))); - const unsigned int lambda = params->faest_param.lambda; - const unsigned int Ske = params->faest_param.Ske; - unsigned int iwd = 0; unsigned int c = 0; bool rmvRcon = true; @@ -1303,7 +1253,7 @@ static void aes_key_schedule_backward_256(const bf256_t* v, const bf256_t* Vk, u bf256_t bf_mkey_times_delta = bf256_mul_bit(bf_delta, Mkey); bf_mkey_times_delta = bf256_add(bf_mkey_times_delta, bf_minus_mkey); - for (unsigned int j = 0; j < Ske; j++) { + for (unsigned int j = 0; j < FAEST_256F_Ske; j++) { // Step 7 bf256_t bf_x_tilde[8]; for (unsigned int i = 0; i < 8; i++) { @@ -1336,11 +1286,11 @@ static void aes_key_schedule_backward_256(const bf256_t* v, const bf256_t* Vk, u if (c == 4) { c = 0; - if (lambda == 192) { + if (FAEST_256F_LAMBDA == 192) { iwd += 192; } else { iwd += 128; - if (lambda == 256) { + if (FAEST_256F_LAMBDA == 256) { rmvRcon = !rmvRcon; } } @@ -1352,31 +1302,30 @@ static void aes_key_schedule_constraints_256(const uint8_t* w, const bf256_t* v, const bf256_t* q, const uint8_t* delta, bf256_t* A0, bf256_t* A1, uint8_t* k, bf256_t* vk, bf256_t* B, bf256_t* qk, const faest_paramset_t* params) { - const unsigned int lambda = params->faest_param.lambda; - const unsigned int Nwd = params->faest_param.Nwd; - const unsigned int Ske = params->faest_param.Ske; - const unsigned int lambdaByte = lambda / 8; + static_assert(FAEST_256F_LAMBDA == FAEST_256S_LAMBDA); + static_assert(FAEST_256F_Nwd == FAEST_256S_Nwd); + static_assert(FAEST_256F_Ske == FAEST_256S_Ske); bool rotate_word = true; if (Mkey == 0) { // Step: 2 - aes_key_schedule_forward_1(w, 0, 0, NULL, k, params); + aes_key_schedule_forward_1(w, k, params); // Step: 3 - aes_key_schedule_forward_256(v, 1, 0, NULL, vk, params); + aes_key_schedule_forward_256(v, vk); // Step: 4 - uint8_t* w_dash = malloc(Ske); - aes_key_schedule_backward_1(w + lambdaByte, k, 0, 0, NULL, w_dash, params); + uint8_t w_dash[FAEST_256F_Ske]; + aes_key_schedule_backward_1(w + FAEST_256F_LAMBDA / 8, k, w_dash, params); // Step: 5 - bf256_t* v_w_dash = malloc(Ske * 8 * sizeof(bf256_t)); - aes_key_schedule_backward_256(v + lambda, vk, 1, 0, NULL, v_w_dash, params); + bf256_t v_w_dash[FAEST_256F_Ske * 8]; + aes_key_schedule_backward_256(v + FAEST_256F_LAMBDA, vk, 1, 0, NULL, v_w_dash); // Step: 6..8 - unsigned int iwd = 32 * (Nwd - 1); - for (unsigned int j = 0; j < Ske / 4; j++) { + unsigned int iwd = 32 * (FAEST_256F_Nwd - 1); + for (unsigned int j = 0; j < FAEST_256F_Ske / 4; j++) { bf256_t bf_k_hat[4]; bf256_t bf_v_k_hat[4]; bf256_t bf_w_dash_hat[4]; @@ -1404,30 +1353,28 @@ static void aes_key_schedule_constraints_256(const uint8_t* w, const bf256_t* v, bf256_from_bf8(bf8_one())), A0[4 * j + r]); } - if (lambda == 192) { + if (FAEST_256F_LAMBDA == 192) { iwd = iwd + 192; } else { iwd = iwd + 128; - if (lambda == 256) { + if (FAEST_256F_LAMBDA == 256) { rotate_word = !rotate_word; } } } - free(v_w_dash); - free(w_dash); return; } // Step: 19..20 - aes_key_schedule_forward_256(q, 0, 1, delta, qk, params); - bf256_t* q_w_dash = malloc(Ske * 8 * sizeof(bf256_t)); - aes_key_schedule_backward_256(&q[lambda], qk, 0, 1, delta, q_w_dash, params); + aes_key_schedule_forward_256(q, qk); + bf256_t* q_w_dash = malloc(FAEST_256F_Ske * 8 * sizeof(bf256_t)); + aes_key_schedule_backward_256(&q[FAEST_256F_LAMBDA], qk, 0, 1, delta, q_w_dash); const bf256_t bf_delta = bf256_load(delta); // Step 23..24 - unsigned int iwd = 32 * (Nwd - 1); - for (unsigned int j = 0; j < Ske / 4; j++) { + unsigned int iwd = 32 * (FAEST_256F_Nwd - 1); + for (unsigned int j = 0; j < FAEST_256F_Ske / 4; j++) { bf256_t bf_q_hat_k[4]; bf256_t bf_q_hat_w_dash[4]; for (unsigned int r = 0; r <= 3; r++) { @@ -1445,11 +1392,11 @@ static void aes_key_schedule_constraints_256(const uint8_t* w, const bf256_t* v, bf256_t bf_tmp = bf256_mul(bf_q_hat_k[r], bf_q_hat_w_dash[r]); B[4 * j + r] = bf256_add(bf_tmp, bf256_mul(bf_delta, bf_delta)); } - if (lambda == 192) { + if (FAEST_256F_LAMBDA == 192) { iwd = iwd + 192; } else { iwd = iwd + 128; - if (lambda == 256) { + if (FAEST_256F_LAMBDA == 256) { rotate_word = !rotate_word; } } @@ -1458,9 +1405,8 @@ static void aes_key_schedule_constraints_256(const uint8_t* w, const bf256_t* v, } static void aes_enc_forward_256_1(const uint8_t* x, const uint8_t* xk, const uint8_t* in, - uint8_t Mtag, uint8_t Mkey, bf256_t* bf_y, - const faest_paramset_t* params) { - const unsigned int R = params->faest_param.R; + uint8_t Mtag, uint8_t Mkey, bf256_t* bf_y) { + static_assert(FAEST_256F_R == FAEST_256S_R); // Step: 2 for (unsigned int i = 0; i < 16; i++) { @@ -1473,7 +1419,7 @@ static void aes_enc_forward_256_1(const uint8_t* x, const uint8_t* xk, const uin const bf256_t bf_two = bf256_byte_combine_bits(2); const bf256_t bf_three = bf256_byte_combine_bits(3); - for (unsigned int j = 1; j < R; j++) { + for (unsigned int j = 1; j < FAEST_256F_R; j++) { for (unsigned int c = 0; c <= 3; c++) { const unsigned int ix = 128 * (j - 1) + 32 * c; const unsigned int ik = 128 * j + 32 * c; @@ -1515,9 +1461,8 @@ static void aes_enc_forward_256_1(const uint8_t* x, const uint8_t* xk, const uin } static void aes_enc_forward_256(const bf256_t* bf_x, const bf256_t* bf_xk, const uint8_t* in, - uint8_t Mtag, uint8_t Mkey, const uint8_t* delta, bf256_t* bf_y, - const faest_paramset_t* params) { - const unsigned int R = params->faest_param.R; + uint8_t Mtag, uint8_t Mkey, const uint8_t* delta, bf256_t* bf_y) { + static_assert(FAEST_256F_R == FAEST_256S_R); const bf256_t bf_delta = delta ? bf256_load(delta) : bf256_zero(); const bf256_t bf_minus_mtag = bf256_from_bit(1 ^ Mtag); @@ -1537,7 +1482,7 @@ static void aes_enc_forward_256(const bf256_t* bf_x, const bf256_t* bf_xk, const const bf256_t bf_two = bf256_byte_combine_bits(2); const bf256_t bf_three = bf256_byte_combine_bits(3); - for (unsigned int j = 1; j < R; j++) { + for (unsigned int j = 1; j < FAEST_256S_R; j++) { for (unsigned int c = 0; c <= 3; c++) { const unsigned int ix = 128 * (j - 1) + 32 * c; const unsigned int ik = 128 * j + 32 * c; @@ -1579,23 +1524,22 @@ static void aes_enc_forward_256(const bf256_t* bf_x, const bf256_t* bf_xk, const } static void aes_enc_backward_256_1(const uint8_t* x, const uint8_t* xk, uint8_t Mtag, uint8_t Mkey, - const uint8_t* out, bf256_t* y_out, - const faest_paramset_t* params) { - const unsigned int R = params->faest_param.R; + const uint8_t* out, bf256_t* y_out) { + static_assert(FAEST_256F_R == FAEST_256S_R); uint8_t xtilde; // Step:2..4 - for (unsigned int j = 0; j < R; j++) { + for (unsigned int j = 0; j < FAEST_256F_R; j++) { for (unsigned int c = 0; c <= 3; c++) { for (unsigned int r = 0; r <= 3; r++) { // Step: 5..6 unsigned int ird = (128 * j) + (32 * ((c - r + 4) % 4)) + (8 * r); - if (j < (R - 1)) { + if (j < (FAEST_256F_R - 1)) { // Step: 7 xtilde = x[ird / 8]; } else { // Step: 9..11 (bit spliced) - uint8_t xout = out[(ird - 128 * (R - 1)) / 8] & -((1 ^ Mtag) & (1 ^ Mkey)); + uint8_t xout = out[(ird - 128 * (FAEST_256F_R - 1)) / 8] & -((1 ^ Mtag) & (1 ^ Mkey)); xtilde = xout ^ xk[(128 + ird) / 8]; } @@ -1613,8 +1557,8 @@ static void aes_enc_backward_256_1(const uint8_t* x, const uint8_t* xk, uint8_t static void aes_enc_backward_256(const bf256_t* bf_x, const bf256_t* bf_xk, uint8_t Mtag, uint8_t Mkey, const uint8_t* delta, const uint8_t* out, - bf256_t* y_out, const faest_paramset_t* params) { - const unsigned int R = params->faest_param.R; + bf256_t* y_out) { + static_assert(FAEST_256F_R == FAEST_256S_R); // Step: 1 const bf256_t bf_delta = delta ? bf256_load(delta) : bf256_zero(); @@ -1622,21 +1566,22 @@ static void aes_enc_backward_256(const bf256_t* bf_x, const bf256_t* bf_xk, uint bf256_mul_bit(bf256_add(bf256_mul_bit(bf_delta, Mkey), bf256_from_bit(1 ^ Mkey)), 1 ^ Mtag); // Step: 2..4 - for (unsigned int j = 0; j < R; j++) { + for (unsigned int j = 0; j < FAEST_256F_R; j++) { for (unsigned int c = 0; c <= 3; c++) { for (unsigned int r = 0; r <= 3; r++) { bf256_t bf_x_tilde[8]; // Step: 5 unsigned int ird = (128 * j) + (32 * ((c - r + 4) % 4)) + (8 * r); // Step: 6 - if (j < (R - 1)) { + if (j < (FAEST_256F_R - 1)) { // Step: 7 memcpy(bf_x_tilde, bf_x + ird, sizeof(bf_x_tilde)); } else { // Step: 10 for (unsigned int i = 0; i < 8; ++i) { // Step: 11 - bf256_t bf_xout = bf256_mul_bit(factor, get_bit(out[(ird - 128 * (R - 1)) / 8], i)); + bf256_t bf_xout = + bf256_mul_bit(factor, get_bit(out[(ird - 128 * (FAEST_256F_R - 1)) / 8], i)); // Step: 12 bf_x_tilde[i] = bf256_add(bf_xout, bf_xk[128 + ird + i]); } @@ -1660,94 +1605,87 @@ static void aes_enc_backward_256(const bf256_t* bf_x, const bf256_t* bf_xk, uint static void aes_enc_constraints_256(const uint8_t* in, const uint8_t* out, const uint8_t* w, const bf256_t* v, const uint8_t* k, const bf256_t* vk, uint8_t Mkey, const bf256_t* q, const bf256_t* qk, - const uint8_t* delta, bf256_t* A0, bf256_t* A1, bf256_t* B, - const faest_paramset_t* params) { - const unsigned int Senc = params->faest_param.Senc; + const uint8_t* delta, bf256_t* A0, bf256_t* A1, bf256_t* B) { + static_assert(FAEST_256F_Senc == FAEST_256S_Senc); if (Mkey == 0) { - bf256_t* s = malloc(sizeof(bf256_t) * Senc); - bf256_t* vs = malloc(sizeof(bf256_t) * Senc); - bf256_t* s_dash = malloc(sizeof(bf256_t) * Senc); - bf256_t* vs_dash = malloc(sizeof(bf256_t) * Senc); - aes_enc_forward_256_1(w, k, in, 0, 0, s, params); - aes_enc_forward_256(v, vk, in, 1, 0, NULL, vs, params); - aes_enc_backward_256_1(w, k, 0, 0, out, s_dash, params); - aes_enc_backward_256(v, vk, 1, 0, NULL, out, vs_dash, params); - - for (unsigned int j = 0; j < Senc; j++) { + bf256_t s[FAEST_256F_Senc]; + bf256_t vs[FAEST_256F_Senc]; + bf256_t s_dash[FAEST_256F_Senc]; + bf256_t vs_dash[FAEST_256F_Senc]; + aes_enc_forward_256_1(w, k, in, 0, 0, s); + aes_enc_forward_256(v, vk, in, 1, 0, NULL, vs); + aes_enc_backward_256_1(w, k, 0, 0, out, s_dash); + aes_enc_backward_256(v, vk, 1, 0, NULL, out, vs_dash); + + for (unsigned int j = 0; j < FAEST_256F_Senc; j++) { A0[j] = bf256_mul(vs[j], vs_dash[j]); A1[j] = bf256_add( bf256_add(bf256_mul(bf256_add(s[j], vs[j]), bf256_add(s_dash[j], vs_dash[j])), A0[j]), bf256_one()); } - - free(vs_dash); - free(s_dash); - free(vs); - free(s); } else { // Step: 11..12 - bf256_t* qs = malloc(sizeof(bf256_t) * Senc); - bf256_t* qs_dash = malloc(sizeof(bf256_t) * Senc); - aes_enc_forward_256(q, qk, in, 0, 1, delta, qs, params); - aes_enc_backward_256(q, qk, 0, 1, delta, out, qs_dash, params); + bf256_t qs[FAEST_256F_Senc]; + bf256_t qs_dash[FAEST_256F_Senc]; + aes_enc_forward_256(q, qk, in, 0, 1, delta, qs); + aes_enc_backward_256(q, qk, 0, 1, delta, out, qs_dash); // Step: 13..14 bf256_t minus_part = bf256_mul(bf256_load(delta), bf256_load(delta)); - for (unsigned int j = 0; j < Senc; j++) { + for (unsigned int j = 0; j < FAEST_256F_Senc; j++) { B[j] = bf256_add(bf256_mul(qs[j], qs_dash[j]), minus_part); } - free(qs); - free(qs_dash); } } static void aes_prove_256(const uint8_t* w, const uint8_t* u, uint8_t** V, const uint8_t* in, const uint8_t* out, const uint8_t* chall, uint8_t* a_tilde, uint8_t* b_tilde, const faest_paramset_t* params) { - const unsigned int l = params->faest_param.l; - const unsigned int Lke = params->faest_param.Lke; - const unsigned int Lenc = params->faest_param.Lenc; - const unsigned int R = params->faest_param.R; - const unsigned int Ske = params->faest_param.Ske; - const unsigned int Senc = params->faest_param.Senc; + static_assert(FAEST_256F_L == FAEST_256S_L); + static_assert(FAEST_256F_Lke == FAEST_256S_Lke); + static_assert(FAEST_256F_Lenc == FAEST_256S_Lenc); + static_assert(FAEST_256F_R == FAEST_256S_R); + static_assert(FAEST_256F_Ske == FAEST_256S_Ske); + static_assert(FAEST_256F_Senc == FAEST_256S_Senc); // Step: 1..2 - bf256_t* bf_v = column_to_row_major_and_shrink_V_256(V, l); + bf256_t* bf_v = column_to_row_major_and_shrink_V_256(V, FAEST_256F_L); // Step: 3..4 // do nothing // Step: 6 // Step: 7 - const unsigned int length_a = Ske + 2 * Senc + 1; - bf256_t* A0 = malloc(sizeof(bf256_t) * length_a); - bf256_t* A1 = malloc(sizeof(bf256_t) * length_a); - uint8_t* k = malloc((R + 1) * 128 / 8); - bf256_t* vk = malloc(sizeof(bf256_t) * ((R + 1) * 128)); - bf256_t* qk = malloc(sizeof(bf256_t) * ((R + 1) * 128)); + bf256_t* A0 = malloc(sizeof(bf256_t) * (FAEST_256F_Ske + 2 * FAEST_256F_Senc + 1)); + bf256_t* A1 = malloc(sizeof(bf256_t) * (FAEST_256F_Ske + 2 * FAEST_256F_Senc + 1)); + uint8_t* k = malloc((FAEST_256F_R + 1) * 128 / 8); + bf256_t* vk = malloc(sizeof(bf256_t) * ((FAEST_256F_R + 1) * 128)); + bf256_t* qk = malloc(sizeof(bf256_t) * ((FAEST_256F_R + 1) * 128)); aes_key_schedule_constraints_256(w, bf_v, 0, NULL, NULL, A0, A1, k, vk, NULL, qk, params); // Step: Skipping 8 in implementation // Step: 9 // Step: 10,11 - aes_enc_constraints_256(in, out, w + Lke / 8, bf_v + Lke, k, vk, 0, NULL, NULL, NULL, A0 + Ske, - A1 + Ske, NULL, params); + aes_enc_constraints_256(in, out, w + FAEST_256F_Lke / 8, bf_v + FAEST_256F_Lke, k, vk, 0, NULL, + NULL, NULL, A0 + FAEST_256F_Ske, A1 + FAEST_256F_Ske, NULL); // Step: 12-15 - aes_enc_constraints_256(in + 16, out + 16, w + (Lke + Lenc) / 8, bf_v + Lke + Lenc, k, vk, 0, - NULL, NULL, NULL, A0 + (Ske + Senc), A1 + (Ske + Senc), NULL, params); + aes_enc_constraints_256(in + 16, out + 16, w + (FAEST_256F_Lke + FAEST_256F_Lenc) / 8, + bf_v + FAEST_256F_Lke + FAEST_256F_Lenc, k, vk, 0, NULL, NULL, NULL, + A0 + FAEST_256F_Ske + FAEST_256F_Senc, + A1 + FAEST_256F_Ske + FAEST_256F_Senc, NULL); free(qk); free(vk); free(k); // Step: 16..18 - A1[length_a - 1] = bf256_load(u + l / 8); - A0[length_a - 1] = bf256_sum_poly(bf_v + l); + A1[FAEST_256F_Ske + 2 * FAEST_256F_Senc] = bf256_load(u + FAEST_256F_L / 8); + A0[FAEST_256F_Ske + 2 * FAEST_256F_Senc] = bf256_sum_poly(bf_v + FAEST_256F_L); free(bf_v); - zk_hash_256(a_tilde, chall, A1, length_a - 1); - zk_hash_256(b_tilde, chall, A0, length_a - 1); + zk_hash_256(a_tilde, chall, A1, FAEST_256F_Ske + 2 * FAEST_256F_Senc); + zk_hash_256(b_tilde, chall, A0, FAEST_256F_Ske + 2 * FAEST_256F_Senc); free(A0); free(A1); @@ -1756,19 +1694,19 @@ static void aes_prove_256(const uint8_t* w, const uint8_t* u, uint8_t** V, const static uint8_t* aes_verify_256(const uint8_t* d, uint8_t** Q, const uint8_t* chall_2, const uint8_t* chall_3, const uint8_t* a_tilde, const uint8_t* in, const uint8_t* out, const faest_paramset_t* params) { - const unsigned int lambda = params->faest_param.lambda; - const unsigned int tau = params->faest_param.tau; - const unsigned int t0 = params->faest_param.t0; - const unsigned int k0 = params->faest_param.k0; - const unsigned int t1 = params->faest_param.t1; - const unsigned int k1 = params->faest_param.k1; - const unsigned int l = params->faest_param.l; - const unsigned int Lke = params->faest_param.Lke; - const unsigned int Lenc = params->faest_param.Lenc; - const unsigned int R = params->faest_param.R; - const unsigned int Ske = params->faest_param.Ske; - const unsigned int Senc = params->faest_param.Senc; - const unsigned int lambdaBytes = lambda / 8; + static_assert(FAEST_256F_LAMBDA == FAEST_256S_LAMBDA); + static_assert(FAEST_256F_L == FAEST_256S_L); + static_assert(FAEST_256F_Lke == FAEST_256S_Lke); + static_assert(FAEST_256F_Lenc == FAEST_256S_Lenc); + static_assert(FAEST_256F_R == FAEST_256S_R); + static_assert(FAEST_256F_Ske == FAEST_256S_Ske); + static_assert(FAEST_256F_Senc == FAEST_256S_Senc); + + const unsigned int tau = params->faest_param.tau; + const unsigned int t0 = params->faest_param.t0; + const unsigned int k0 = params->faest_param.k0; + const unsigned int t1 = params->faest_param.t1; + const unsigned int k1 = params->faest_param.k1; // Step: 1 const uint8_t* delta = chall_3; @@ -1782,42 +1720,41 @@ static uint8_t* aes_verify_256(const uint8_t* d, uint8_t** Q, const uint8_t* cha ChalDec(chall_3, i, k0, t0, k1, t1, decoded_challenge); for (unsigned int j = 0; j < depth; j++, ++col) { if (decoded_challenge[j] == 1) { - xor_u8_array(d, Q[col], Q[col], (l + 7) / 8); + xor_u8_array(d, Q[col], Q[col], (FAEST_256F_L + 7) / 8); } } } // Step: 11..12 - bf256_t* bf_q = column_to_row_major_and_shrink_V_256(Q, l); + bf256_t* bf_q = column_to_row_major_and_shrink_V_256(Q, FAEST_256F_L); // Step: 13 - const unsigned int length_b = Ske + 2 * Senc + 1; - uint8_t* k = malloc((R + 1) * 128); - bf256_t* vk = malloc(sizeof(bf256_t) * ((R + 1) * 128)); - bf256_t* qk = malloc(sizeof(bf256_t) * ((R + 1) * 128)); - bf256_t* B_0 = malloc(sizeof(bf256_t) * length_b); + uint8_t* k = malloc((FAEST_256F_R + 1) * 128); + bf256_t* vk = malloc(sizeof(bf256_t) * ((FAEST_256F_R + 1) * 128)); + bf256_t* qk = malloc(sizeof(bf256_t) * ((FAEST_256F_R + 1) * 128)); + bf256_t* B_0 = malloc(sizeof(bf256_t) * (FAEST_256F_Ske + 2 * FAEST_256F_Senc + 1)); aes_key_schedule_constraints_256(NULL, NULL, 1, bf_q, delta, NULL, NULL, k, vk, B_0, qk, params); // Step: 14 - bf256_t* B_1 = B_0 + Ske; - aes_enc_constraints_256(in, out, NULL, NULL, NULL, NULL, 1, bf_q + Lke, qk, delta, NULL, NULL, - B_1, params); + bf256_t* B_1 = B_0 + FAEST_256F_Ske; + aes_enc_constraints_256(in, out, NULL, NULL, NULL, NULL, 1, bf_q + FAEST_256F_Lke, qk, delta, + NULL, NULL, B_1); // Step: 18 - bf256_t* B_2 = B_0 + (Ske + Senc); - aes_enc_constraints_256(in + 16, out + 16, NULL, NULL, NULL, NULL, 1, bf_q + (Lke + Lenc), qk, - delta, NULL, NULL, B_2, params); + bf256_t* B_2 = B_0 + (FAEST_256F_Ske + FAEST_256F_Senc); + aes_enc_constraints_256(in + 16, out + 16, NULL, NULL, NULL, NULL, 1, + bf_q + (FAEST_256F_Lke + FAEST_256F_Lenc), qk, delta, NULL, NULL, B_2); free(qk); free(vk); free(k); // Step: 20 - B_0[length_b - 1] = bf256_sum_poly(bf_q + l); + B_0[FAEST_256F_Ske + 2 * FAEST_256F_Senc] = bf256_sum_poly(bf_q + FAEST_256F_L); free(bf_q); // Step 21 - uint8_t* q_tilde = malloc(lambdaBytes); - zk_hash_256(q_tilde, chall_2, B_0, length_b - 1); + uint8_t* q_tilde = malloc(FAEST_256F_LAMBDA / 8); + zk_hash_256(q_tilde, chall_2, B_0, FAEST_256F_Ske + 2 * FAEST_256F_Senc); free(B_0); bf256_t bf_qtilde = bf256_load(q_tilde);