diff --git a/src/crypto_kem/frodo/common/amd64/ref/matrix.jinc b/src/crypto_kem/frodo/common/amd64/ref/matrix.jinc index b0270ced..7deef603 100644 --- a/src/crypto_kem/frodo/common/amd64/ref/matrix.jinc +++ b/src/crypto_kem/frodo/common/amd64/ref/matrix.jinc @@ -7,60 +7,87 @@ fn __AS_plus_E(reg ptr u16[NNBAR] B, reg ptr u8[BYTES_SEED_A]seedA, reg ptr u16[ stack ptr u8[BYTES_SEED_A] s_seedA; stack ptr u16[NNBAR] s_S s_E; stack u8[2 + BYTES_SEED_A] b; + reg bool bb bb1 bb2; - reg u64 i j k; stack u64 s_i s_j s_k; + reg u64 i j k b0; stack u64 s_i s_j s_k; reg u16 tmp ac; s_B = B; s_S = S; s_E = E; // copy seedA i = 0; - while (i < BYTES_SEED_A) { + while { + bb = i < BYTES_SEED_A; + }(bb) { + ms = #update_msf(bb, ms); b[(int)i + 2] = seedA[(int)i]; i += 1; } + ms = #update_msf(!bb, ms); s_seedA = seedA; // first set B = E B = s_B; E = s_E; i = 0; - while (i < NNBAR) { + while { + bb = i < NNBAR; + }(bb) { + ms = #update_msf(bb, ms); + E = #protect_ptr(E, ms); + B = #protect_ptr(B, ms); B[(int)i] = E[(int)i]; i += 1; } + ms = #update_msf(!bb, ms); s_B = B; s_E = E; s_i = i; // calculate A and B += A * S b[u16 0] = 0; + b0 = 0; k = 0; - while (b[u16 0] < N) { + while { + bb = b0 < N; + }(bb) { + ms = #update_msf(bb, ms); s_i = i; s_j = j; s_k = k; s_S = S; s_B = B; A_row, ms = __shake128_gen_A(A_row, b, ms); i = s_i; j = s_j; k = s_k; S = s_S; B = s_B; i = 0; - while (i < NNBAR) { + while { + bb1 = i < NNBAR; + }(bb1) { + ms = #update_msf(bb1, ms); ac = 0; j = 0; // A_row * S_T_row - while (j < N) { + while { + bb2 = j < N; + }(bb2) { + ms = #update_msf(bb2, ms); + S = #protect_ptr(S, ms); tmp = A_row[(int)j]; tmp *= S[(int)i]; ac += tmp; j += 1; i += 1; } - + ms = #update_msf(!bb2, ms); + B = #protect_ptr(B, ms); + k = #protect(k, ms); B[(int)k] += ac; k += 1; } + ms = #update_msf(!bb1, ms); b[u16 0] += 1; + b0 += 1; } + ms = #update_msf(!bb, ms); return B, ms; } @@ -73,81 +100,121 @@ fn __SA_plus_E(reg ptr u16[NNBAR] B, reg ptr u8[BYTES_SEED_A]seedA, reg ptr u16[ stack ptr u16[NNBAR] s_S s_E; stack u8[2 + BYTES_SEED_A] b; - reg u64 i j k; stack u64 s_i s_j s_k; + reg u64 i j k b0; stack u64 s_i s_j s_k; reg u16 tmp s; + reg bool bb bb1 bb2; // copy seedA i = 0; - while (i < BYTES_SEED_A) { + while { + bb = i < BYTES_SEED_A; + } (bb) { + ms = #update_msf(bb, ms); b[(int)i + 2] = seedA[(int)i]; i += 1; } + ms = #update_msf(!bb, ms); s_seedA = seedA; i = 0; - while (i < NNBAR) { + while { + bb = i < NNBAR; + } (bb) { + ms = #update_msf(bb, ms); B[(int)i] = E[(int)i]; i += 1; } + ms = #update_msf(!bb, ms); s_B = B; s_S = S; s_E = E; // calculate A and B += S * A b[u16 0] = 0; + b0 = 0; - while (b[u16 0] < N) { + while { + bb = b0 < N; + } (bb) { + ms = #update_msf(bb, ms); s_i = i; A_row, ms = __shake128_gen_A(A_row, b, ms); i = s_i; i = 0; - while (i < NNBAR) { + while { + bb1 = i < NNBAR; + } (bb1) { + ms = #update_msf(bb1, ms); k = s_k; S = s_S; k = (64u)b[u16 0]; k += i; + S = #protect_ptr(S, ms); + k = #protect(k, ms); s = S[(int)k]; s_k = k; s_S = S; j = s_j; B = s_B; j = 0; - while (j < N) { + while { + bb2 = j < N; + } (bb2) { + ms = #update_msf(bb2, ms); tmp = A_row[(int)j]; tmp *= s; + B = #protect_ptr(B, ms); B[(int)i] += tmp; j += 1; i += 1; } + ms = #update_msf(!bb2, ms); s_j = j; s_B = B; } + ms = #update_msf(!bb1, ms); b[u16 0] += 1; + b0 += 1; } + ms = #update_msf(!bb, ms); return B, ms; } #[returnaddress="stack"] -fn __SB_plus_E(reg ptr u16[NBAR * NBAR] V, reg ptr u16[NNBAR] S B, reg ptr u16[NBAR * NBAR] E) -> stack u16[NBAR * NBAR] { +fn __SB_plus_E(reg ptr u16[NBAR * NBAR] V, reg ptr u16[NNBAR] S B, reg ptr u16[NBAR * NBAR] E, reg u64 ms) -> stack u16[NBAR * NBAR], #msf reg u64 { reg u64 i j k ti tj; reg u16 tmp; + reg bool b b1 b2; i = 0; - while (i < NBAR * NBAR) { + while { + b = i < NBAR * NBAR; + } (b) { + ms = #update_msf(b, ms); V[(int)i] = E[(int)i]; i += 1; } + ms = #update_msf(!b, ms); i = 0; - while (i < NBAR) { + while { + b = i < NBAR; + } (b) { + ms = #update_msf(b, ms); j = 0; - while (j < NBAR) { + while { + b1 = j < NBAR; + } (b1) { + ms = #update_msf(b1, ms); ti = i * NBAR; ti += j; k = 0; - while (k < N) { + while { + b2 = k < N; + } (b2) { + ms = #update_msf(b2, ms); tj = i * N; tj += k; tmp = S[(int)tj]; @@ -158,65 +225,88 @@ fn __SB_plus_E(reg ptr u16[NBAR * NBAR] V, reg ptr u16[NNBAR] S B, reg ptr u16[N V[(int)ti] += tmp; k += 1; } + ms = #update_msf(!b2, ms); V[(int)ti] &= (1 << D) - 1; j += 1; } + ms = #update_msf(!b1, ms); i += 1; } + ms = #update_msf(!b, ms); - return V; + return V, ms; } -fn __matrix_add(reg ptr u16[NBAR * NBAR] a b) -> stack u16[NBAR * NBAR] { +fn __matrix_add(reg ptr u16[NBAR * NBAR] a b, reg u64 ms) -> stack u16[NBAR * NBAR], #msf reg u64 { reg u64 i; reg u16 tmp; + reg bool bb; i = 0; - while (i < NBAR * NBAR) { + while { + bb = i < NBAR * NBAR; + } (bb) { + ms = #update_msf(bb, ms); tmp = a[(int)i]; tmp += b[(int)i]; tmp &= (1 << D) - 1; a[(int)i] = tmp; i += 1; } + ms = #update_msf(!bb, ms); - return a; + return a, ms; } #[returnaddress="stack"] // a = b - a -fn __matrix_sub(reg ptr u16[NBAR * NBAR] a b) -> stack u16[NBAR * NBAR] { +fn __matrix_sub(reg ptr u16[NBAR * NBAR] a b, reg u64 ms) -> stack u16[NBAR * NBAR], #msf reg u64 { reg u64 i; reg u16 tmp; + reg bool bb; i = 0; - while (i < NBAR * NBAR) { + while { + bb = i < NBAR * NBAR; + } (bb) { + ms = #update_msf(bb, ms); tmp = b[(int)i]; tmp -= a[(int)i]; tmp &= (1 << D) - 1; a[(int)i] = tmp; i += 1; } + ms = #update_msf(!bb, ms); - return a; + return a, ms; } #[returnaddress="stack"] -fn __mul_BS(reg ptr u16[NBAR * NBAR] M, reg ptr u16[NNBAR]B S) -> stack u16[NBAR * NBAR] { +fn __mul_BS(reg ptr u16[NBAR * NBAR] M, reg ptr u16[NNBAR]B S, reg u64 ms) -> stack u16[NBAR * NBAR], #msf reg u64 { reg u64 i j k ti tj; reg u16 tmp; + reg bool b b1 b2; i = 0; - while (i < NBAR) { + while { + b = i < NBAR; + } (b) { + ms = #update_msf(b, ms); j = 0; - while (j < NBAR) { + while { + b1 = j < NBAR; + } (b1) { + ms = #update_msf(b1, ms); ti = i * NBAR; ti += j; M[(int)ti] = 0; k = 0; - while (k < N) { + while { + b2 = k < N; + } (b2) { + ms = #update_msf(b2, ms); tj = i * N; tj += k; tmp = B[(int)tj]; @@ -229,30 +319,38 @@ fn __mul_BS(reg ptr u16[NBAR * NBAR] M, reg ptr u16[NNBAR]B S) -> stack u16[NBAR k += 1; } + ms = #update_msf(!b2, ms); M[(int)ti] &= (1 << D) - 1; j += 1; } + ms = #update_msf(!b1, ms); i += 1; } + ms = #update_msf(!b, ms); - return M; + return M, ms; } #[returnaddress="stack"] -fn __ct_verify_NNBAR(reg ptr u16[NNBAR] a b) -> stack u8 { +fn __ct_verify_NNBAR(reg ptr u16[NNBAR] a b, reg u64 ms) -> stack u8, #msf reg u64 { reg u64 i; reg u16 ac tmp; reg u8 r; + reg bool bb; i = 0; ac = 0; - while (i < NNBAR) { + while { + bb = i < NNBAR; + } (bb) { + ms = #update_msf(bb, ms); tmp = a[(int) i]; tmp ^= b[(int)i]; ac |= tmp; i += 1; } + ms = #update_msf(!bb, ms); tmp = ac * -1; ac |= tmp; @@ -261,23 +359,28 @@ fn __ct_verify_NNBAR(reg ptr u16[NNBAR] a b) -> stack u8 { r = (8u)ac; - return r; + return r, ms; } #[returnaddress="stack"] -fn __ct_verify_NBAR2(reg ptr u16[NBAR * NBAR] a b) -> stack u8 { +fn __ct_verify_NBAR2(reg ptr u16[NBAR * NBAR] a b, reg u64 ms) -> stack u8, #msf reg u64 { reg u64 i; reg u16 ac tmp; reg u8 r; + reg bool bb; i = 0; ac = 0; - while (i < NBAR * NBAR) { + while { + bb = i < NBAR * NBAR; + } (bb) { + ms = #update_msf(bb, ms); tmp = a[(int) i]; tmp ^= b[(int)i]; ac |= tmp; i += 1; } + ms = #update_msf(!bb, ms); tmp = ac * -1; ac |= tmp; @@ -286,12 +389,13 @@ fn __ct_verify_NBAR2(reg ptr u16[NBAR * NBAR] a b) -> stack u8 { r = (8u) ac; - return r; + return r, ms; } #[returnaddress="stack"] -fn __ct_select(reg ptr u8[BYTES_SEC] out a b, reg u8 selector) -> stack u8[BYTES_SEC] { +fn __ct_select(reg ptr u8[BYTES_SEC] out a b, reg u8 selector, reg u64 ms) -> stack u8[BYTES_SEC], #msf reg u64 { reg u64 i; + reg bool bb; reg u8 n_selector tmp; @@ -299,7 +403,10 @@ fn __ct_select(reg ptr u8[BYTES_SEC] out a b, reg u8 selector) -> stack u8[BYTES n_selector ^= 0xFF; i = 0; - while (i < BYTES_SEC) { + while { + bb = i < BYTES_SEC; + } (bb) { + ms = #update_msf(bb, ms); tmp = a[(int)i]; tmp &= n_selector; out[(int)i] = tmp; @@ -310,6 +417,7 @@ fn __ct_select(reg ptr u8[BYTES_SEC] out a b, reg u8 selector) -> stack u8[BYTES i += 1; } + ms = #update_msf(!bb, ms); - return out; + return out, ms; } diff --git a/src/crypto_kem/frodo/common/amd64/ref/noise.jinc b/src/crypto_kem/frodo/common/amd64/ref/noise.jinc index c39b352f..a324ba87 100644 --- a/src/crypto_kem/frodo/common/amd64/ref/noise.jinc +++ b/src/crypto_kem/frodo/common/amd64/ref/noise.jinc @@ -1,10 +1,14 @@ -fn __sample_2NNBAR(reg ptr u16[2 * NNBAR] s) -> stack u16[2 * NNBAR] { +fn __sample_2NNBAR(reg ptr u16[2 * NNBAR] s, reg u64 ms) -> stack u16[2 * NNBAR], #msf reg u64 { reg ptr u16[CDF_TABLE_LEN] cdftp; cdftp = CDF_TABLE; + reg bool b; reg u64 i; i = 0; - while (i < 2 * NNBAR) { + while { + b = i < 2 * NNBAR; + } (b) { + ms = #update_msf(b, ms); reg u16 sample prnd sign; sample = 0; @@ -37,17 +41,22 @@ fn __sample_2NNBAR(reg ptr u16[2 * NNBAR] s) -> stack u16[2 * NNBAR] { i += 1; } + ms = #update_msf(!b, ms); - return s; + return s, ms; } -fn __sample_NBAR2(reg ptr u16[NBAR * NBAR] s) -> stack u16[NBAR * NBAR] { +fn __sample_NBAR2(reg ptr u16[NBAR * NBAR] s, reg u64 ms) -> stack u16[NBAR * NBAR], #msf reg u64 { reg ptr u16[CDF_TABLE_LEN] cdftp; cdftp = CDF_TABLE; reg u64 i; + reg bool b; i = 0; - while (i < NBAR * NBAR) { + while { + b = i < NBAR * NBAR; + } (b) { + ms = #update_msf(b, ms); reg u16 sample prnd sign; sample = 0; @@ -80,6 +89,7 @@ fn __sample_NBAR2(reg ptr u16[NBAR * NBAR] s) -> stack u16[NBAR * NBAR] { i += 1; } + ms = #update_msf(!b, ms); - return s; + return s, ms; } diff --git a/src/crypto_kem/frodo/common/amd64/ref/pack.jinc b/src/crypto_kem/frodo/common/amd64/ref/pack.jinc index 62510de2..162b81d2 100644 --- a/src/crypto_kem/frodo/common/amd64/ref/pack.jinc +++ b/src/crypto_kem/frodo/common/amd64/ref/pack.jinc @@ -1,8 +1,9 @@ -fn __pack_B(reg ptr u8[D * N]out, reg ptr u16[NNBAR] in) -> stack u8[D * N] { +fn __pack_B(reg ptr u8[D * N]out, reg ptr u16[NNBAR] in, reg u64 ms) -> stack u8[D * N], #msf reg u64 { reg u64 i j; inline int k MID TERM Mask; reg u64 ac tmp; reg u16 acm tm; + reg bool b; Mask = (1 << D) - 1; TERM = (D - 1)/2; @@ -13,7 +14,10 @@ fn __pack_B(reg ptr u8[D * N]out, reg ptr u16[NNBAR] in) -> stack u8[D * N] { // process 16 * 8 bits at a time // process 2 parts: | 4 * D bits | 4 * D bits | // separate into: | TERM bytes | 1st half of MID bytes | 2nd half of MID bytes | TERM bytes | - while (i < NNBAR) { + while { + b = i < NNBAR; + } (b) { + ms = #update_msf(b, ms); ac = 0; acm = 0; @@ -72,15 +76,17 @@ fn __pack_B(reg ptr u8[D * N]out, reg ptr u16[NNBAR] in) -> stack u8[D * N] { i += 8; j += D; } + ms = #update_msf(!b, ms); - return out; + return out, ms; } -fn __unpack_B(reg ptr u16[NNBAR]out, reg ptr u8[D * N]in) -> stack u16[NNBAR] { +fn __unpack_B(reg ptr u16[NNBAR]out, reg ptr u8[D * N]in, reg u64 ms) -> stack u16[NNBAR], #msf reg u64 { inline int k TERM MID MASK; reg u64 i j ac tmp; reg u16 acm tm; + reg bool b; // D = TERM + MID + TERM TERM = (D - 1)/2; @@ -93,7 +99,10 @@ fn __unpack_B(reg ptr u16[NNBAR]out, reg ptr u8[D * N]in) -> stack u16[NNBAR] { // separate processing into: | TERM bytes | MID bytes | TERM bytes | // combined 1st half 4 * D bits: | TERM | 1st half of MID | // combined 2nd half 4 * D bits: | 2nd half of MID | TERM | - while (i < D * N) { + while { + b = i < D * N; + } (b) { + ms = #update_msf(b, ms); ac = 0; acm = 0; @@ -157,15 +166,17 @@ fn __unpack_B(reg ptr u16[NNBAR]out, reg ptr u8[D * N]in) -> stack u16[NNBAR] { i += D; j += 8; } + ms = #update_msf(!b, ms); - return out; + return out, ms; } -fn __pack_C(reg ptr u8[D * NBAR]out, reg ptr u16[NBAR * NBAR] in) -> stack u8[D * NBAR] { +fn __pack_C(reg ptr u8[D * NBAR]out, reg ptr u16[NBAR * NBAR] in, reg u64 ms) -> stack u8[D * NBAR], #msf reg u64 { reg u64 i j; inline int k MID TERM Mask; reg u64 ac tmp; reg u16 acm tm; + reg bool b; Mask = (1 << D) - 1; TERM = (D - 1)/2; @@ -176,7 +187,10 @@ fn __pack_C(reg ptr u8[D * NBAR]out, reg ptr u16[NBAR * NBAR] in) -> stack u8[D // process 16 * 8 bits at a time // process 2 parts: | 4 * D bits | 4 * D bits | // separate into: | TERM bytes | 1st half of MID bytes | 2nd half of MID bytes | TERM bytes | - while (i < NBAR * NBAR) { + while { + b = i < NBAR * NBAR; + } (b) { + ms = #update_msf(b, ms); ac = 0; acm = 0; @@ -235,15 +249,17 @@ fn __pack_C(reg ptr u8[D * NBAR]out, reg ptr u16[NBAR * NBAR] in) -> stack u8[D i += 8; j += D; } + ms = #update_msf(!b, ms); - return out; + return out, ms; } -fn __unpack_C(reg ptr u16[NBAR * NBAR]out, reg ptr u8[D * NBAR]in) -> stack u16[NBAR * NBAR] { +fn __unpack_C(reg ptr u16[NBAR * NBAR]out, reg ptr u8[D * NBAR]in, reg u64 ms) -> stack u16[NBAR * NBAR], #msf reg u64 { inline int k TERM MID MASK; reg u64 i j ac tmp; reg u16 acm tm; + reg bool b; // D = TERM + MID + TERM TERM = (D - 1)/2; @@ -256,7 +272,10 @@ fn __unpack_C(reg ptr u16[NBAR * NBAR]out, reg ptr u8[D * NBAR]in) -> stack u16[ // separate processing into: | TERM bytes | MID bytes | TERM bytes | // combined 1st half 4 * D bits: | TERM | 1st half of MID | // combined 2nd half 4 * D bits: | 2nd half of MID | TERM | - while (i < D * NBAR) { + while { + b = i < D * NBAR; + } (b) { + ms = #update_msf(b, ms); ac = 0; acm = 0; @@ -320,6 +339,7 @@ fn __unpack_C(reg ptr u16[NBAR * NBAR]out, reg ptr u8[D * NBAR]in) -> stack u16[ i += D; j += 8; } + ms = #update_msf(!b, ms); - return out; + return out, ms; } diff --git a/src/crypto_kem/frodo/frodo640shake/amd64/ref/kem.jazz b/src/crypto_kem/frodo/frodo640shake/amd64/ref/kem.jazz index f345a6c8..08b16a84 100644 --- a/src/crypto_kem/frodo/frodo640shake/amd64/ref/kem.jazz +++ b/src/crypto_kem/frodo/frodo640shake/amd64/ref/kem.jazz @@ -1,7 +1,7 @@ from Jade require "crypto_kem/frodo/common/frodo640_params.jinc" from Jade require "crypto_kem/frodo/frodo640shake/amd64/ref/kem.jinc" -export fn jade_kem_frodo_frodo640shake_amd64_ref_keypair_derand(#public reg u64 pkp skp coinsp) -> #public reg u64 { +export fn jade_kem_frodo_frodo640shake_amd64_ref_keypair_derand(#transient reg u64 pkp skp coinsp) -> #public reg u64 { reg u64 r ms; ms = #init_msf(); @@ -10,7 +10,7 @@ export fn jade_kem_frodo_frodo640shake_amd64_ref_keypair_derand(#public reg u64 return r; } -export fn jade_kem_frodo_frodo640shake_amd64_ref_keypair(#public reg u64 pkp skp) -> #public reg u64 { +export fn jade_kem_frodo_frodo640shake_amd64_ref_keypair(#transient reg u64 pkp skp) -> #public reg u64 { reg u64 r ms; ms = #init_msf(); @@ -19,7 +19,7 @@ export fn jade_kem_frodo_frodo640shake_amd64_ref_keypair(#public reg u64 pkp skp return r; } -export fn jade_kem_frodo_frodo640shake_amd64_ref_enc_derand(#public reg u64 ctp ssp pkp coinsp) -> #public reg u64 { +export fn jade_kem_frodo_frodo640shake_amd64_ref_enc_derand(#transient reg u64 ctp ssp pkp coinsp) -> #public reg u64 { reg u64 r ms; ms = #init_msf(); @@ -28,7 +28,7 @@ export fn jade_kem_frodo_frodo640shake_amd64_ref_enc_derand(#public reg u64 ctp return r; } -export fn jade_kem_frodo_frodo640shake_amd64_ref_enc(#public reg u64 ctp ssp pkp) -> #public reg u64 { +export fn jade_kem_frodo_frodo640shake_amd64_ref_enc(#transient reg u64 ctp ssp pkp) -> #public reg u64 { reg u64 r ms; ms = #init_msf(); @@ -37,7 +37,7 @@ export fn jade_kem_frodo_frodo640shake_amd64_ref_enc(#public reg u64 ctp ssp pkp return r; } -export fn jade_kem_frodo_frodo640shake_amd64_ref_dec(#public reg u64 ssp ctp skp) -> #public reg u64 { +export fn jade_kem_frodo_frodo640shake_amd64_ref_dec(#transient reg u64 ssp ctp skp) -> #public reg u64 { reg u64 r ms; ms = #init_msf(); diff --git a/src/crypto_kem/frodo/frodo640shake/amd64/ref/kem.jinc b/src/crypto_kem/frodo/frodo640shake/amd64/ref/kem.jinc index 0a0e066e..e70654c5 100644 --- a/src/crypto_kem/frodo/frodo640shake/amd64/ref/kem.jinc +++ b/src/crypto_kem/frodo/frodo640shake/amd64/ref/kem.jinc @@ -8,31 +8,38 @@ from Jade require "crypto_kem/frodo/common/amd64/ref/pack.jinc" fn __gen_SE(reg ptr u16[2 * NNBAR] SE, reg ptr u8[BYTES_SEED_SE] r, reg u64 ms) -> stack u16[2 * NNBAR], #msf reg u64 { stack u8[1 + BYTES_SEED_SE] seed_se; reg u64 i; stack u64 s_i; + reg bool b; r = r; i = 0; - while (i < BYTES_SEED_SE) { + + while { + b = i < BYTES_SEED_SE; + } (b) { + ms = #update_msf(b, ms); seed_se[(int)i + 1] = r[(int)i]; i += 1; } + ms = #update_msf(!b, ms); s_i = i; // S || E seed_se[0] = 0x5F; SE, ms = __shake128_r(SE, seed_se, ms); - SE = __sample_2NNBAR(SE); + SE, ms = __sample_2NNBAR(SE, ms); return SE, ms; } // coins = s || seed SE || z fn __frodo_amd64_ref_keypair_derand(reg u64 pkp skp, reg ptr u8[BYTES_SEED_A + BYTES_SEED_SE + BYTES_SEC] coins, reg u64 ms) -> #msf reg u64 { - #public stack u16[2 * NNBAR] SE; + stack u16[2 * NNBAR] SE; stack u16[NNBAR] B; - stack u64 s_pkp s_skp; + #mmx reg u64 s_pkp s_skp; reg u64 i; stack u64 s_i; + reg bool b; s_pkp = pkp; s_skp = skp; @@ -54,43 +61,63 @@ fn __frodo_amd64_ref_keypair_derand(reg u64 pkp skp, reg ptr u8[BYTES_SEED_A + B B, ms = __AS_plus_E(B, pk[0:BYTES_SEED_A], SE[0:NNBAR], SE[NNBAR:NNBAR], ms); // pack - pk[BYTES_SEED_A:D * N] = __pack_B(pk[BYTES_SEED_A:D * N], B); + pk[BYTES_SEED_A:D * N], ms = __pack_B(pk[BYTES_SEED_A:D * N], B, ms); // i = s_i; i = 0; - while (i < BYTES_SEC) { + while { + b = i < BYTES_SEC; + } (b) { + ms = #update_msf(b, ms); sk[(int) i] = coins[(int)i]; i += 1; } + ms = #update_msf(!b, ms); i = 0; - while (i < BYTES_PK) { + while { + b = i < BYTES_PK; + } (b) { + ms = #update_msf(b, ms); sk[BYTES_SEC + (int)i] = pk[(int)i]; i += 1; } + ms = #update_msf(!b, ms); i = 0; - while (i < 2 * NNBAR) { + while { + b = i < 2 * NNBAR; + } (b) { + ms = #update_msf(b, ms); sk[BYTES_SEC + BYTES_PK + (int)i] = SE.[u8 (int)i]; i += 1; } + ms = #update_msf(!b, ms); s_i = i; sk[BYTES_SEC + BYTES_PK + 2 * NNBAR : BYTES_SEC], ms = __shake128_pkh(sk[BYTES_SEC + BYTES_PK + 2 * NNBAR:BYTES_SEC], pk, ms); pkp = s_pkp; i = 0; - while (i < BYTES_PK) { + while { + b = i < BYTES_PK; + } (b) { + ms = #update_msf(b, ms); (u8)[pkp + i] = pk[(int) i]; i += 1; } + ms = #update_msf(!b, ms); skp = s_skp; i = 0; - while (i < BYTES_SK) { + while { + b = i < BYTES_SK; + } (b) { + ms = #update_msf(b, ms); (u8)[skp + i] = sk[(int) i]; i += 1; } + ms = #update_msf(!b, ms); return ms; } @@ -119,6 +146,8 @@ fn __frodo_amd64_ref_enc_derand(reg u64 ctp ssp pkp, reg ptr u8[BYTES_SEC + BYTE stack u16[NBAR * NBAR] V C; stack u8[BYTES_SEC] ss; + reg bool b; + pkp = pkp; s_ctp = ctp; s_ssp = ssp; @@ -127,23 +156,35 @@ fn __frodo_amd64_ref_enc_derand(reg u64 ctp ssp pkp, reg ptr u8[BYTES_SEC + BYTE // gen u || salt i = 0; - while (i < BYTES_SEC + BYTES_SALT) { + while { + b = i < BYTES_SEC + BYTES_SALT; + } (b) { + ms = #update_msf(b, ms); pkh_u_salt[BYTES_SEC + (int)i] = coins[(int)i]; i += 1; } + ms = #update_msf(!b, ms); i = 0; - while (i < BYTES_SALT) { + while { + b = i < BYTES_SALT; + } (b) { + ms = #update_msf(b, ms); ct_k[D * N + D * NBAR + (int)i] = pkh_u_salt[BYTES_SEC * 2 + (int)i]; i += 1; } + ms = #update_msf(!b, ms); // read pk i = 0; - while (i < BYTES_PK) { + while { + b = i < BYTES_PK; + } (b) { + ms = #update_msf(b, ms); #declassify pk[(int)i] = (u8) [pkp + i]; i += 1; } + ms = #update_msf(!b, ms); s_i = i; // pkh @@ -155,45 +196,53 @@ fn __frodo_amd64_ref_enc_derand(reg u64 ctp ssp pkp, reg ptr u8[BYTES_SEC + BYTE // copy seed SE seedSE[0] = 0x96; i = s_i; i = 0; - while (i < BYTES_SEED_SE) { + while { + b = i < BYTES_SEED_SE; + } (b) { + ms = #update_msf(b, ms); seedSE[1 + (int)i] = seedSE_k[(int)i]; i += 1; } + ms = #update_msf(!b, ms); // copy k i = 0; - while (i < BYTES_SEC) { + while { + b = i < BYTES_SEC; + } (b) { + ms = #update_msf(b, ms); ct_k[BYTES_CT + (int)i] = seedSE_k[BYTES_SEED_SE + (int)i]; i += 1; } + ms = #update_msf(!b, ms); s_i = i; // gen input bit string for sampling S and E SEE, ms = __shake128_encap_r(SEE, seedSE, ms); // S' || E' - SEE[0:2 * NNBAR] = __sample_2NNBAR(SEE[0:2 * NNBAR]); + SEE[0:2 * NNBAR], ms = __sample_2NNBAR(SEE[0:2 * NNBAR], ms); // E'' - SEE[NNBAR * 2:NBAR * NBAR] = __sample_NBAR2(SEE[NNBAR * 2:NBAR * NBAR]); + SEE[NNBAR * 2:NBAR * NBAR], ms = __sample_NBAR2(SEE[NNBAR * 2:NBAR * NBAR], ms); // B' = S'A + E'' Bp, ms = __SA_plus_E(Bp, pk[0:BYTES_SEED_A], SEE[0:NNBAR], SEE[NNBAR:NNBAR], ms); // c1 <- Pack(B') - ct_k[0:D * N] = __pack_B(ct_k[0:D * N], Bp); + ct_k[0:D * N], ms = __pack_B(ct_k[0:D * N], Bp, ms); // B <- Unpack(b) - B = __unpack_B(B, pk[BYTES_SEED_A:D * N]); + B, ms = __unpack_B(B, pk[BYTES_SEED_A:D * N], ms); // V = S'B + E'' - V = __SB_plus_E(V, SEE[0:NNBAR], B, SEE[NNBAR * 2:NBAR * NBAR]); + V, ms = __SB_plus_E(V, SEE[0:NNBAR], B, SEE[NNBAR * 2:NBAR * NBAR], ms); // C = V + Encode(u) C = __encode(C, pkh_u_salt[BYTES_SEC:BYTES_SEC]); - C = __matrix_add(C, V); + C, ms = __matrix_add(C, V, ms); // c2 <- Pack(C) - ct_k[D * N: D * NBAR] = __pack_C(ct_k[D * N: D * NBAR], C); + ct_k[D * N: D * NBAR], ms = __pack_C(ct_k[D * N: D * NBAR], C, ms); // ss <- shake(c1 || c2 || salt || k) ss, ms = __shake128_ss(ss, ct_k, ms); @@ -201,16 +250,26 @@ fn __frodo_amd64_ref_enc_derand(reg u64 ctp ssp pkp, reg ptr u8[BYTES_SEC + BYTE i = s_i; i = 0; ctp = s_ctp; ssp = s_ssp; - while (i < BYTES_CT) { + while { + b = i < BYTES_CT; + } (b) { + ms = #update_msf(b, ms); + ctp = #protect(ctp, ms); (u8)[ctp + i] = ct_k[(int)i]; i += 1; } + ms = #update_msf(!b, ms); i = 0; - while (i < BYTES_SEC) { + while { + b = i < BYTES_SEC; + } (b) { + ms = #update_msf(b, ms); + ssp = #protect(ssp, ms); (u8)[ssp + i] = ss[(int)i]; i += 1; } + ms = #update_msf(!b, ms); return ms; } @@ -227,6 +286,7 @@ fn _frodo_amd64_ref_dec(reg u64 ssp ctp skp ms) -> #msf reg u64 { stack u8[BYTES_SEED_SE + BYTES_SEC] seedSE_k; stack u8[1 + BYTES_SEED_SE] seedSE; stack u8[BYTES_SEC] ss; + reg bool b; // S' || E' || E'' stack u16[2 * NNBAR + NBAR * NBAR] SEE; @@ -241,54 +301,78 @@ fn _frodo_amd64_ref_dec(reg u64 ssp ctp skp ms) -> #msf reg u64 { // read ct i = 0; - while (i < BYTES_CT) { + while { + b = i < BYTES_CT; + } (b) { + ms = #update_msf(b, ms); ct_k[(int) i] = (u8)[ctp + i]; i += 1; } + ms = #update_msf(!b, ms); s_ctp = ctp; i = 0; - while (i < BYTES_SEC) { + while { + b = i < BYTES_SEC; + } (b) { + ms = #update_msf(b, ms); s[(int) i] = (u8)[skp + i]; i += 1; } + ms = #update_msf(!b, ms); i = 0; - while (i < BYTES_PK) { + while { + b = i < BYTES_PK; + } (b) { + ms = #update_msf(b, ms); #declassify pk[(int)i] = (u8)[skp + BYTES_SEC + i]; i += 1; } + ms = #update_msf(!b, ms); i = 0; - while (i < 2 * NNBAR) { + while { + b = i < 2 * NNBAR; + } (b) { + ms = #update_msf(b, ms); ST[(int)i] = (u8)[skp + BYTES_SEC + BYTES_PK + i]; i += 1; } + ms = #update_msf(!b, ms); // copy pkh i = 0; - while (i < BYTES_SEC) { + while { + b = i < BYTES_SEC; + } (b) { + ms = #update_msf(b, ms); pkh_u_salt[(int)i] = (u8)[skp + BYTES_SK - BYTES_SEC + i]; i += 1; } + ms = #update_msf(!b, ms); s_skp = skp; // copy salt i = 0; - while (i < BYTES_SALT) { + while { + b = i < BYTES_SALT; + } (b) { + ms = #update_msf(b, ms); pkh_u_salt[BYTES_SEC * 2 + (int)i] = ct_k[BYTES_CT - BYTES_SALT + (int)i]; i += 1; } + ms = #update_msf(!b, ms); s_i = i; // B' <- Unpack(c1) - Bp = __unpack_B(Bp, ct_k[0:D * N]); + Bp, ms = __unpack_B(Bp, ct_k[0:D * N], ms); // C <- Unpack(c2) - C = __unpack_C(C, ct_k[D * N:D * NBAR]); + C, ms = __unpack_C(C, ct_k[D * N:D * NBAR], ms); // M = C - B'S - M = __mul_BS(M, Bp, ST); - M = __matrix_sub(M, C); + M, ms = __mul_BS(M, Bp, ST, ms); + M, ms = __matrix_sub(M, C, ms); pkh_u_salt[BYTES_SEC:BYTES_SEC] = __decode(pkh_u_salt[BYTES_SEC:BYTES_SEC], M); @@ -296,17 +380,21 @@ fn _frodo_amd64_ref_dec(reg u64 ssp ctp skp ms) -> #msf reg u64 { seedSE[0] = 0x96; i = s_i; i = 0; - while (i < BYTES_SEED_SE) { + while { + b = i < BYTES_SEED_SE; + } (b) { + ms = #update_msf(b, ms); seedSE[1 + (int)i] = seedSE_k[(int)i]; i += 1; } + ms = #update_msf(!b, ms); SEE, ms = __shake128_encap_r(SEE, seedSE, ms); // S' || E' - SEE[0:2 * NNBAR] = __sample_2NNBAR(SEE[0:2 * NNBAR]); + SEE[0:2 * NNBAR], ms = __sample_2NNBAR(SEE[0:2 * NNBAR], ms); // E'' - SEE[NNBAR * 2:NBAR * NBAR] = __sample_NBAR2(SEE[NNBAR * 2:NBAR * NBAR]); + SEE[NNBAR * 2:NBAR * NBAR], ms = __sample_NBAR2(SEE[NNBAR * 2:NBAR * NBAR], ms); // B'' = S'A + E' Bpp, ms = __SA_plus_E(Bpp, pk[0:BYTES_SEED_A], SEE[0:NNBAR], SEE[NNBAR:NNBAR], ms); @@ -314,34 +402,43 @@ fn _frodo_amd64_ref_dec(reg u64 ssp ctp skp ms) -> #msf reg u64 { // B'' (mod q) i = s_i; i = 0; - while (i < NNBAR) { + while { + b = i < NNBAR; + } (b) { + ms = #update_msf(b, ms); Bpp[(int)i] &= (1 << D) - 1; i += 1; } + ms = #update_msf(!b, ms); // - B = __unpack_B(B, pk[BYTES_SEED_A:BYTES_PK - BYTES_SEED_A]); + B, ms = __unpack_B(B, pk[BYTES_SEED_A:BYTES_PK - BYTES_SEED_A], ms); - V = __SB_plus_E(V, SEE[0:NNBAR], B, SEE[NNBAR * 2:NBAR * NBAR]); + V, ms = __SB_plus_E(V, SEE[0:NNBAR], B, SEE[NNBAR * 2:NBAR * NBAR], ms); Cp = __encode(Cp, pkh_u_salt[BYTES_SEC:BYTES_SEC]); - Cp = __matrix_add(Cp, V); + Cp, ms = __matrix_add(Cp, V, ms); - s1 = __ct_verify_NNBAR(Bp, Bpp); - s2 = __ct_verify_NBAR2(C, Cp); + s1, ms = __ct_verify_NNBAR(Bp, Bpp, ms); + s2, ms = __ct_verify_NBAR2(C, Cp, ms); s1 |= s2; - ct_k[BYTES_CT:BYTES_SEC] = __ct_select(ct_k[BYTES_CT:BYTES_SEC], seedSE_k[BYTES_SEED_SE:BYTES_SEC], s, s1); + ct_k[BYTES_CT:BYTES_SEC], ms = __ct_select(ct_k[BYTES_CT:BYTES_SEC], seedSE_k[BYTES_SEED_SE:BYTES_SEC], s, s1, ms); ss, ms = __shake128_ss(ss, ct_k, ms); ssp = s_ssp; i = s_i; i = 0; - while (i < BYTES_SEC) { + while { + b = i < BYTES_SEC; + } (b) { + ms = #update_msf(b, ms); + ssp = #protect(ssp, ms); (u8)[ssp + i] = ss[(int)i]; i += 1; } + ms = #update_msf(!b, ms); return ms; } @@ -363,15 +460,20 @@ fn _frodo_amd64_ref_keypair(reg u64 pkp skp ms) -> #msf reg u64 { fn _frodo_amd64_ref_keypair_derand(reg u64 pkp skp coinsp ms) -> #msf reg u64 { #public stack u8[BYTES_SEED_A + BYTES_SEED_SE + BYTES_SEC] coins; reg u64 i; stack u64 s_i; + reg bool b; pkp = pkp; skp = skp; i = 0; - while (i < BYTES_SEED_A + BYTES_SEED_SE + BYTES_SEC) { + while { + b = i < BYTES_SEED_A + BYTES_SEED_SE + BYTES_SEC; + } (b) { + ms = #update_msf(b, ms); #declassify coins[(int)i] = (u8)[coinsp + i]; i += 1; } + ms = #update_msf(!b, ms); s_i = i; ms = __frodo_amd64_ref_keypair_derand(pkp, skp, coins, ms); @@ -381,16 +483,21 @@ fn _frodo_amd64_ref_keypair_derand(reg u64 pkp skp coinsp ms) -> #msf reg u64 { fn _frodo_amd64_ref_enc_derand(reg u64 ctp ssp pkp coinsp ms) -> #msf reg u64 { stack u8[BYTES_SEC + BYTES_SALT] coins; reg u64 i; stack u64 s_i; + reg bool b; pkp = pkp; ctp = ctp; ssp = ssp; i = 0; - while (i < BYTES_SEC + BYTES_SALT) { + while { + b = i < BYTES_SEC + BYTES_SALT; + } (b) { + ms = #update_msf(b, ms); coins[(int)i] = (u8)[coinsp + i]; i += 1; } + ms = #update_msf(!b, ms); s_i = i; ms = __frodo_amd64_ref_enc_derand(ctp, ssp, pkp, coins, ms);