mirror of https://github.com/oxen-io/lokinet
33 lines
1.5 KiB
Plaintext
33 lines
1.5 KiB
Plaintext
This is a reference implementation of Streamlined NTRU Prime 4591^761.
|
|
This implementation is designed primarily for clarity, subject to the
|
|
following constraints:
|
|
|
|
* The implementation is written in C. The Sage implementation in the
|
|
NTRU Prime paper is considerably more concise (and compatible).
|
|
|
|
* The implementation avoids data-dependent branches and array
|
|
indices. For example, conditional swaps are computed by arithmetic
|
|
rather than by branches.
|
|
|
|
* The implementation avoids other C operations that often take
|
|
variable time. For example, divisions by 3 are computed via
|
|
multiplications and shifts.
|
|
|
|
This implementation does _not_ sacrifice clarity for speed.
|
|
|
|
This implementation has not yet been reviewed for correctness or for
|
|
constant-time behavior. It does pass various tests and has no known
|
|
bugs, but there are at least some platforms where multiplications take
|
|
variable time, and fixing this requires platform-specific effort; see
|
|
https://www.bearssl.org/ctmul.html and http://repository.tue.nl/800603.
|
|
|
|
This implementation allows "benign malleability" of ciphertexts, as
|
|
defined in http://www.shoup.net/papers/iso-2_1.pdf. Specifically, each
|
|
32-bit ciphertext word encodes three integers between 0 and 1530; if
|
|
larger integers appear then they are silently reduced modulo 1531.
|
|
Similar comments apply to public keys.
|
|
|
|
There is a separate "avx" implementation where similar comments apply,
|
|
except that "avx" _does_ sacrifice clarity for speed on CPUs with AVX2
|
|
instructions.
|