forked from IAIK/Picnic
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathlowmc_impl_partial.c.i
66 lines (57 loc) · 2.04 KB
/
lowmc_impl_partial.c.i
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
/*
* This file is part of the optimized implementation of the Picnic signature scheme.
* See the accompanying documentation for complete details.
*
* The code is provided under the MIT license, see LICENSE for
* more details.
* SPDX-License-Identifier: MIT
*/
#if defined(FN_ATTR)
FN_ATTR
#endif
#if defined(RECORD_STATE)
static void N_LOWMC(lowmc_key_t const* lowmc_key, mzd_local_t const* p, recorded_state_t* state) {
#else
static void N_LOWMC(lowmc_key_t const* lowmc_key, mzd_local_t const* p, mzd_local_t* c) {
#endif
mzd_local_t x[((LOWMC_N) + 255) / 256];
mzd_local_t y[((LOWMC_N) + 255) / 256];
mzd_local_t nl_part[(LOWMC_R * 32 + 255) / 256];
XOR(x, p, LOWMC_INSTANCE.precomputed_constant_linear);
ADDMUL(x, lowmc_key, LOWMC_INSTANCE.k0_matrix);
MUL_MC(nl_part, lowmc_key, LOWMC_INSTANCE.precomputed_non_linear_part_matrix);
XOR_MC(nl_part, nl_part, LOWMC_INSTANCE.precomputed_constant_non_linear);
// multiply non-linear part of state with Z0 matrix
lowmc_partial_round_t const* round = LOWMC_INSTANCE.rounds;
for (unsigned i = 0; i < LOWMC_R - 1; ++i, ++round) {
#if defined(RECORD_STATE)
COPY(state[i].state, x);
#endif
SBOX(x);
const word nl = CONST_BLOCK(nl_part, i >> 3)->w64[(i & 0x7) >> 1];
BLOCK(x, 0)->w64[(LOWMC_N) / (sizeof(word) * 8) - 1] ^=
(nl << (1 - (i & 1)) * 32) & WORD_C(0xFFFFFFFF00000000);
MUL_Z(y, x, round->z_matrix);
SHUFFLE(x, round->r_mask);
ADDMUL_R(y, x, round->r_matrix);
BLOCK(x, 0)->w64[(LOWMC_N) / (sizeof(word) * 8) - 1] &=
WORD_C(0x00000003FFFFFFFF); // clear nl part
XOR(x, y, x);
}
#if defined(RECORD_STATE)
COPY(state[LOWMC_R - 1].state, x);
#endif
SBOX(x);
unsigned int i = (LOWMC_R - 1);
const word nl = CONST_BLOCK(nl_part, i >> 3)->w64[(i & 0x7) >> 1];
BLOCK(x, 0)->w64[(LOWMC_N) / (sizeof(word) * 8) - 1] ^=
(nl << (1 - (i & 1)) * 32) & WORD_C(0xFFFFFFFF00000000);
MUL(y, x, LOWMC_INSTANCE.zr_matrix);
COPY(x, y);
#if defined(RECORD_STATE)
COPY(state[LOWMC_R].state, x);
#else
COPY(c, x);
#endif
}
// vim: ft=c