-
Notifications
You must be signed in to change notification settings - Fork 26
/
Copy pathlowmc_impl_aux.c.i
39 lines (34 loc) · 1.24 KB
/
lowmc_impl_aux.c.i
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
/*
* This file is part of the optimized implementation of the Picnic signature scheme.
* See the accompanying documentation for complete details.
*
* The code is provided under the MIT license, see LICENSE for
* more details.
* SPDX-License-Identifier: MIT
*/
#if defined(FN_ATTR)
FN_ATTR
#endif
static void N_LOWMC(lowmc_key_t* lowmc_key, randomTape_t* tapes) {
mzd_local_t x[((LOWMC_N) + 255) / 256] = {{{0, 0, 0, 0}}};
mzd_local_t y[((LOWMC_N) + 255) / 256];
mzd_local_t key0[((LOWMC_N) + 255) / 256];
COPY(key0, lowmc_key);
MUL(lowmc_key, key0, LOWMC_INSTANCE.ki0_matrix);
lowmc_round_t const* round = &LOWMC_INSTANCE.rounds[LOWMC_R - 1];
for (unsigned r = 0; r < LOWMC_R; ++r, round--) {
ADDMUL(x, lowmc_key, round->k_matrix);
MUL(y, x, round->li_matrix);
// recover input masks from tapes, only in first round we use the key as input
if (r == LOWMC_R - 1) {
COPY(x, key0);
} else {
bitstream_t bs = {{tapes->parity_tapes}, LOWMC_N * 2 * (LOWMC_R - 1 - r)};
mzd_from_bitstream(&bs, x, (LOWMC_N + 63) / (sizeof(uint64_t) * 8), LOWMC_N);
}
tapes->pos = LOWMC_N * 2 * (LOWMC_R - 1 - r) + LOWMC_N;
tapes->aux_pos = LOWMC_N * (LOWMC_R - 1 - r);
SBOX(x, y, tapes);
}
}
// vim: ft=c