In development......

include/internal/cleanup.h

@@ -48,6 +48,7 @@ _INLINE_ void secure_clean(OUT uint8_t *p, IN const uint32_t len)
 CLEANUP_FUNC(r, r_t)
 CLEANUP_FUNC(m, m_t)
 CLEANUP_FUNC(e, e_t)
+CLEANUP_FUNC(e_two, e_t_two)
 CLEANUP_FUNC(sk, sk_t)
 CLEANUP_FUNC(sk_two, sk_t_two)
 CLEANUP_FUNC(ss, ss_t)

include/internal/gf2x.h

@@ -22,6 +22,18 @@ gf2x_mod_add(OUT pad_r_t *c, IN const pad_r_t *a, IN const pad_r_t *b)
   }
 }
 
+_INLINE_ void
+gf2x_mod_add_two(OUT pad_r_t_two *c, IN const pad_r_t_two *a, IN const pad_r_t_two *b)
+{
+  const uint64_t *a_qwords = (const uint64_t *)a;
+  const uint64_t *b_qwords = (const uint64_t *)b;
+  uint64_t *      c_qwords = (uint64_t *)c;
+
+  for(size_t i = 0; i < R_PADDED_QWORDS_TWO; i++) {
+    c_qwords[i] = a_qwords[i] ^ b_qwords[i];
+  }
+}
+
 // c = a*b mod (x^r - 1)
 void gf2x_mod_mul(OUT pad_r_t *c, IN const pad_r_t *a, IN const pad_r_t *b);
 void gf2x_mod_mul_two(OUT pad_r_t_two *c, IN const pad_r_t_two *a, IN const pad_r_t_two *b);

include/internal/types.h

@@ -48,6 +48,10 @@ typedef struct e_s {
   r_t val[N0];
 } e_t;
 
+typedef struct e_s_two {
+  r_t_two val[N0];
+} e_t_two;
+
 #define E0_RAW(e) ((e)->val[0].raw)
 #define E1_RAW(e) ((e)->val[1].raw)
 

src/kem.c

@@ -83,6 +83,24 @@ _INLINE_ ret_t function_l(OUT m_t *out, IN const pad_e_t *e)
   return SUCCESS;
 }
 
+_INLINE_ ret_t function_l_two(OUT m_t *out, IN const pad_e_t_two *e)
+{
+  DEFER_CLEANUP(sha_dgst_t dgst = {0}, sha_dgst_cleanup);
+  DEFER_CLEANUP(e_t_two tmp, e_two_cleanup);
+
+  // Take the padding away
+  tmp.val[0] = e->val[0].val;
+  tmp.val[1] = e->val[1].val;
+
+  GUARD(sha(&dgst, sizeof(tmp), (uint8_t *)&tmp));
+
+  // Truncate the SHA384 digest to a 256-bits m_t
+  bike_static_assert(sizeof(dgst) >= sizeof(*out), dgst_size_lt_m_size);
+  bike_memcpy(out->raw, dgst.u.raw, sizeof(*out));
+
+  return SUCCESS;
+}
+
 // Generate the Shared Secret K(m, c0, c1)
 _INLINE_ ret_t function_k(OUT ss_t *out, IN const m_t *m, IN const ct_t *ct)
 {
@@ -137,6 +155,39 @@ _INLINE_ ret_t encrypt(OUT ct_t         *ct,
   return SUCCESS;
 }
 
+_INLINE_ ret_t encrypt_two(OUT ct_t_two         *ct,
+                           IN const pad_e_t_two *e,
+                           IN const pk_t_two    *pk,
+                           IN const m_t         *m)
+{
+  // Pad the public key and the ciphertext
+  pad_r_t_two p_ct = {0};
+  pad_r_t_two p_pk = {0};
+  p_pk.val     = *pk;
+
+  // Generate the ciphertext
+  // ct = pk * e1 + e0
+  gf2x_mod_mul_two(&p_ct, &e->val[1], &p_pk);
+  gf2x_mod_add_two(&p_ct, &p_ct, &e->val[0]);
+
+  ct->c0 = p_ct.val;
+
+  // c1 = L(e0, e1)
+  GUARD(function_l_two(&ct->c1, e));
+
+  // m xor L(e0, e1)
+  for(size_t i = 0; i < sizeof(*m); i++) {
+    ct->c1.raw[i] ^= m->raw[i];
+  }
+
+  print("e0: ", (const uint64_t *)PE0_RAW(e), R_BITS_TWO);
+  print("e1: ", (const uint64_t *)PE1_RAW(e), R_BITS_TWO);
+  print("c0:  ", (uint64_t *)ct->c0.raw, R_BITS_TWO);
+  print("c1:  ", (uint64_t *)ct->c1.raw, M_BITS);
+
+  return SUCCESS;
+}
+
 _INLINE_ ret_t reencrypt(OUT m_t *m, IN const pad_e_t *e, IN const ct_t *l_ct)
 {
   DEFER_CLEANUP(m_t tmp, m_cleanup);
@@ -256,8 +307,8 @@ int crypto_kem_enc(OUT unsigned char      *ct,
                    IN const unsigned char *pk_two)
 {
   // Public values (they do not require cleanup on exit).
-  pk_t l_pk;
-  ct_t l_ct;
+  pk_t     l_pk;
+  ct_t     l_ct;
   pk_t_two l_pk_two;
   ct_t_two l_ct_two;
 
@@ -283,10 +334,11 @@ int crypto_kem_enc(OUT unsigned char      *ct,
   // Calculate the ciphertext
   GUARD(encrypt(&l_ct, &e, &l_pk, &m));
 
-
   // TODO 计算 e_two 为部分值
   // 拷贝 e_two 为 e 的前部分值
 
+  GUARD(encrypt_two(&l_ct_two, &e_two, &l_pk_two, &m));
+
   // Generate the shared secret
   GUARD(function_k(&l_ss, &m, &l_ct));