mirror of https://github.com/oxen-io/lokinet, synced 2023-12-14 06:53:00 +01:00
This is a reference implementation of Streamlined NTRU Prime 4591^761.
This implementation is designed primarily for clarity, subject to the
following constraints:

   * The implementation is written in C. The Sage implementation in the
     NTRU Prime paper is considerably more concise (and compatible).

   * The implementation avoids data-dependent branches and array
     indices. For example, conditional swaps are computed by arithmetic
     (a mask derived from the swap bit) rather than by branches.

   * The implementation avoids other C operations that often take
     variable time. For example, divisions by 3 are computed via
     multiplications and shifts rather than via the C division operator.

This implementation does _not_ sacrifice clarity for speed.

This implementation has not yet been reviewed for correctness or for
constant-time behavior. It does pass various tests and has no known
bugs, but there are at least some platforms where multiplications take
variable time, and fixing this requires platform-specific effort; see
https://www.bearssl.org/ctmul.html and http://repository.tue.nl/800603.

This implementation allows "benign malleability" of ciphertexts, as
defined in http://www.shoup.net/papers/iso-2_1.pdf. Specifically, each
32-bit ciphertext word encodes three integers between 0 and 1530; if
larger integers appear then they are silently reduced modulo 1531.
Since 1531^3 is smaller than 2^32, not every 32-bit word is a canonical
encoding, so distinct ciphertext strings can decode to the same rounded
polynomial and hence to the same shared secret; a caller that needs
ciphertexts to be canonical must check that itself. Similar comments
apply to public keys.

There is a separate "avx" implementation where similar comments apply,
except that "avx" _does_ sacrifice clarity for speed on CPUs with AVX2
instructions.
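The following is an added illustration, written for this page and not taken from the lokinet or NTRU Prime sources, of the three points above: a branchless conditional swap driven by a mask, floor division by 3 via multiply-and-shift, and the non-canonical 32-bit ciphertext encoding that produces benign malleability. The magic constant 43691, the function names, the word layout c0 + 1531*c1 + 1531^2*c2 and the sample values are assumptions for the example; the project's own encoder and decoder (rq_rounded.c) are not reproduced here.

```c
#include <stdint.h>
#include <stdio.h>

/* Rounded coefficients of R/q with q = 4591 are multiples of 3 in
   {-2295, ..., 2295}: 1531 distinct values, stored as (f + 2295) / 3. */
#define ROUNDED_VALUES 1531u

/* Branchless conditional swap: exchanges *a and *b iff flag == 1.
   flag must be exactly 0 or 1, so -flag is 0x00000000 or 0xFFFFFFFF;
   the decision is carried by the mask, never by a branch. */
static void cswap_int32(int32_t *a, int32_t *b, int32_t flag)
{
    uint32_t ua = (uint32_t)*a, ub = (uint32_t)*b;
    uint32_t mask = (uint32_t)(-flag);
    uint32_t t = mask & (ua ^ ub);
    *a = (int32_t)(ua ^ t);
    *b = (int32_t)(ub ^ t);
}

/* floor(x / 3) via multiply-and-shift instead of a division instruction.
   43691 = ceil(2^17 / 3); the rounding error x / (3 * 2^17) stays below
   1/3 for x < 2^17, and x < 2^16 keeps the 32-bit product from
   overflowing. (Illustrative constant, not the project's own.) */
static uint32_t div3(uint32_t x)
{
    return (x * 43691u) >> 17;
}

/* Pack three rounded coefficients c0, c1, c2 (each in [0, 1530]) into
   one 32-bit word; 1531^3 - 1 = 3588604290 still fits in 32 bits. */
static uint32_t encode_word(uint32_t c0, uint32_t c1, uint32_t c2)
{
    return c0 + ROUNDED_VALUES * c1 + ROUNDED_VALUES * ROUNDED_VALUES * c2;
}

/* Unpack a word into out[0..2]. Because 1531^3 < 2^32, not every 32-bit
   word is a canonical encoding; an out-of-range top digit is reduced
   modulo 1531 rather than rejected, which is the "benign malleability"
   the README describes. Plain '/' and '%' are used for readability;
   the reference avoids them since division is variable-time on many CPUs. */
static void decode_word(uint32_t w, uint32_t out[3])
{
    out[0] = w % ROUNDED_VALUES;  w /= ROUNDED_VALUES;
    out[1] = w % ROUNDED_VALUES;  w /= ROUNDED_VALUES;
    out[2] = w % ROUNDED_VALUES;  /* w may be as large as 1832 here */
}

static uint32_t decode_digit(uint32_t w, int i)
{
    uint32_t d[3];
    decode_word(w, d);
    return d[i];
}

/* 1 if the two words decode to the same three coefficients, else 0. */
static int same_triple(uint32_t w1, uint32_t w2)
{
    uint32_t a[3], b[3];
    decode_word(w1, a);
    decode_word(w2, b);
    return a[0] == b[0] && a[1] == b[1] && a[2] == b[2];
}

/* Self-checks; each returns 1 on success. */
static int cswap_selftest(void)
{
    int32_t a = -7, b = 42;
    cswap_int32(&a, &b, 0);
    if (a != -7 || b != 42) return 0;
    cswap_int32(&a, &b, 1);
    return a == 42 && b == -7;
}

static int div3_selftest(void)
{
    uint32_t x;
    for (x = 0; x < 65536u; x++)
        if (div3(x) != x / 3) return 0;
    return 1;
}

int main(void)
{
    /* Constructed example: 0xFFFFFFFF exceeds the canonical encoding of
       (941, 542, 301), which is 706363004, by exactly 1531^3, so both
       words decode to the same coefficients. */
    uint32_t canonical = encode_word(941, 542, 301);
    uint32_t mauled = 0xFFFFFFFFu;
    printf("cswap ok: %d, div3 ok: %d\n", cswap_selftest(), div3_selftest());
    printf("%u and %u decode identically: %d\n",
           canonical, mauled, same_triple(canonical, mauled));
    return 0;
}
```

The swap and the division are the constant-time idioms; the decoder shows why a KEM built on this encoding is only "benignly" malleable: an attacker can rewrite a ciphertext word by adding a multiple of 1531^3 (where it fits) without changing the decrypted result, which is harmless for the KEM's security but matters to any protocol that hashes or compares raw ciphertext bytes.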