mirror of https://github.com/oxen-io/lokinet
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
|
5 years ago | |
---|---|---|
.. | ||
README | 6 years ago | |
api.h | 6 years ago | |
dec.c | 5 years ago | |
enc.c | 6 years ago | |
implementors | 6 years ago | |
int32_sort.c | 6 years ago | |
int32_sort.h | 6 years ago | |
keypair.c | 6 years ago | |
mod3.h | 6 years ago | |
modq.h | 6 years ago | |
params.h | 6 years ago | |
r3.h | 6 years ago | |
r3_mult.c | 6 years ago | |
r3_recip.c | 6 years ago | |
random32.c | 5 years ago | |
randomsmall.c | 6 years ago | |
randomweightw.c | 6 years ago | |
rq.c | 6 years ago | |
rq.h | 6 years ago | |
rq_mult.c | 6 years ago | |
rq_recip3.c | 6 years ago | |
rq_round3.c | 6 years ago | |
rq_rounded.c | 6 years ago | |
small.c | 6 years ago | |
small.h | 6 years ago | |
swap.c | 6 years ago | |
swap.h | 6 years ago |
README
This is a reference implementation of Streamlined NTRU Prime 4591^761. This implementation is designed primarily for clarity, subject to the following constraints: * The implementation is written in C. The Sage implementation in the NTRU Prime paper is considerably more concise (and compatible). * The implementation avoids data-dependent branches and array indices. For example, conditional swaps are computed by arithmetic rather than by branches. * The implementation avoids other C operations that often take variable time. For example, divisions by 3 are computed via multiplications and shifts. This implementation does _not_ sacrifice clarity for speed. This implementation has not yet been reviewed for correctness or for constant-time behavior. It does pass various tests and has no known bugs, but there are at least some platforms where multiplications take variable time, and fixing this requires platform-specific effort; see https://www.bearssl.org/ctmul.html and http://repository.tue.nl/800603. This implementation allows "benign malleability" of ciphertexts, as defined in http://www.shoup.net/papers/iso-2_1.pdf. Specifically, each 32-bit ciphertext word encodes three integers between 0 and 1530; if larger integers appear then they are silently reduced modulo 1531. Similar comments apply to public keys. There is a separate "avx" implementation where similar comments apply, except that "avx" _does_ sacrifice clarity for speed on CPUs with AVX2 instructions.