mirror of
https://github.com/oxen-io/lokinet
synced 2023-12-14 06:53:00 +01:00
| .. | ||
| api.h | ||
| dec.c | ||
| enc.c | ||
| implementors | ||
| int32_sort.c | ||
| int32_sort.h | ||
| keypair.c | ||
| mod3.h | ||
| modq.h | ||
| params.h | ||
| r3.h | ||
| r3_mult.c | ||
| r3_recip.c | ||
| random32.c | ||
| randomsmall.c | ||
| randomweightw.c | ||
| README | ||
| rq.c | ||
| rq.h | ||
| rq_mult.c | ||
| rq_recip3.c | ||
| rq_round3.c | ||
| rq_rounded.c | ||
| small.c | ||
| small.h | ||
| swap.c | ||
| swap.h | ||
This is a reference implementation of Streamlined NTRU Prime 4591^761.
This implementation is designed primarily for clarity, subject to the
following constraints:
* The implementation is written in C. The Sage implementation in the
NTRU Prime paper is considerably more concise (and compatible).
* The implementation avoids data-dependent branches and array
indices. For example, conditional swaps are computed by arithmetic
rather than by branches.
* The implementation avoids other C operations that often take
variable time. For example, divisions by 3 are computed via
multiplications and shifts.
This implementation does _not_ sacrifice clarity for speed.
This implementation has not yet been reviewed for correctness or for
constant-time behavior. It does pass various tests and has no known
bugs, but there are at least some platforms where multiplications take
variable time, and fixing this requires platform-specific effort; see
https://www.bearssl.org/ctmul.html and http://repository.tue.nl/800603.
This implementation allows "benign malleability" of ciphertexts, as
defined in http://www.shoup.net/papers/iso-2_1.pdf. Specifically, each
32-bit ciphertext word encodes three integers between 0 and 1530; if
larger integers appear then they are silently reduced modulo 1531.
Similar comments apply to public keys.
There is a separate "avx" implementation where similar comments apply,
except that "avx" _does_ sacrifice clarity for speed on CPUs with AVX2
instructions.