diff --git a/scripts/copy_from_upstream/copy_from_upstream.yml b/scripts/copy_from_upstream/copy_from_upstream.yml index e3234bde4..4dee43200 100644 --- a/scripts/copy_from_upstream/copy_from_upstream.yml +++ b/scripts/copy_from_upstream/copy_from_upstream.yml @@ -20,7 +20,7 @@ upstreams: sig_meta_path: 'crypto_sign/{pqclean_scheme}/META.yml' kem_scheme_path: 'crypto_kem/{pqclean_scheme}' sig_scheme_path: 'crypto_sign/{pqclean_scheme}' - patches: [pqclean-sphincs.patch] + patches: [pqclean-sphincs.patch, pqclean-hqc-decaps.patch] ignore: pqclean_sphincs-shake-256s-simple_aarch64, pqclean_sphincs-shake-256s-simple_aarch64, pqclean_sphincs-shake-256f-simple_aarch64, pqclean_sphincs-shake-192s-simple_aarch64, pqclean_sphincs-shake-192f-simple_aarch64, pqclean_sphincs-shake-128s-simple_aarch64, pqclean_sphincs-shake-128f-simple_aarch64, pqclean_kyber512_aarch64, pqclean_kyber1024_aarch64, pqclean_kyber768_aarch64, pqclean_dilithium2_aarch64, pqclean_dilithium3_aarch64, pqclean_dilithium5_aarch64 - name: pqcrystals-kyber @@ -443,4 +443,4 @@ sigs: scheme: "rsdpg_256_small" pqclean_scheme: cross-rsdpg-256-small pretty_name_full: cross-rsdpg-256-small - signed_msg_order: msg_then_sig \ No newline at end of file + signed_msg_order: msg_then_sig diff --git a/scripts/copy_from_upstream/patches/pqclean-hqc-decaps.patch b/scripts/copy_from_upstream/patches/pqclean-hqc-decaps.patch new file mode 100644 index 000000000..87c8b004e --- /dev/null +++ b/scripts/copy_from_upstream/patches/pqclean-hqc-decaps.patch @@ -0,0 +1,88 @@ +271d40f339844ece6a2046645da68c08a04b0921 +diff --git a/crypto_kem/hqc-128/clean/kem.c b/crypto_kem/hqc-128/clean/kem.c +index ad09b35..c722a75 100644 +--- a/crypto_kem/hqc-128/clean/kem.c ++++ b/crypto_kem/hqc-128/clean/kem.c +@@ -87,7 +87,7 @@ int PQCLEAN_HQC128_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const ui + uint8_t result; + uint64_t u[VEC_N_SIZE_64] = {0}; + uint64_t v[VEC_N1N2_SIZE_64] = {0}; +- const uint8_t *pk = sk + SEED_BYTES; ++ const uint8_t *pk = sk + SEED_BYTES + VEC_K_SIZE_BYTES; + uint8_t sigma[VEC_K_SIZE_BYTES] = {0}; + uint8_t theta[SHAKE256_512_BYTES] = {0}; + uint64_t u2[VEC_N_SIZE_64] = {0}; +@@ -115,7 +115,7 @@ int PQCLEAN_HQC128_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const ui + result |= PQCLEAN_HQC128_CLEAN_vect_compare((uint8_t *)u, (uint8_t *)u2, VEC_N_SIZE_BYTES); + result |= PQCLEAN_HQC128_CLEAN_vect_compare((uint8_t *)v, (uint8_t *)v2, VEC_N1N2_SIZE_BYTES); + +- result = (uint8_t) (-((int16_t) result) >> 15); ++ result -= 1; + + for (size_t i = 0; i < VEC_K_SIZE_BYTES; ++i) { + mc[i] = (m[i] & result) ^ (sigma[i] & ~result); +@@ -126,5 +126,5 @@ int PQCLEAN_HQC128_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const ui + PQCLEAN_HQC128_CLEAN_store8_arr(mc + VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES, VEC_N1N2_SIZE_BYTES, v, VEC_N1N2_SIZE_64); + PQCLEAN_HQC128_CLEAN_shake256_512_ds(&shake256state, ss, mc, VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES, K_FCT_DOMAIN); + +- return -(~result & 1); ++ return (result & 1) - 1; + } +diff --git a/crypto_kem/hqc-192/clean/kem.c b/crypto_kem/hqc-192/clean/kem.c +index f611ebb..95a0023 100644 +--- a/crypto_kem/hqc-192/clean/kem.c ++++ b/crypto_kem/hqc-192/clean/kem.c +@@ -87,7 +87,7 @@ int PQCLEAN_HQC192_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const ui + uint8_t result; + uint64_t u[VEC_N_SIZE_64] = {0}; + uint64_t v[VEC_N1N2_SIZE_64] = {0}; +- const uint8_t *pk = sk + SEED_BYTES; ++ const uint8_t *pk = sk + SEED_BYTES + VEC_K_SIZE_BYTES; + uint8_t sigma[VEC_K_SIZE_BYTES] = {0}; + uint8_t theta[SHAKE256_512_BYTES] = {0}; + uint64_t u2[VEC_N_SIZE_64] = {0}; +@@ -115,7 +115,7 @@ int PQCLEAN_HQC192_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const ui + result |= PQCLEAN_HQC192_CLEAN_vect_compare((uint8_t *)u, (uint8_t *)u2, VEC_N_SIZE_BYTES); + result |= PQCLEAN_HQC192_CLEAN_vect_compare((uint8_t *)v, (uint8_t *)v2, VEC_N1N2_SIZE_BYTES); + +- result = (uint8_t) (-((int16_t) result) >> 15); ++ result -= 1; + + for (size_t i = 0; i < VEC_K_SIZE_BYTES; ++i) { + mc[i] = (m[i] & result) ^ (sigma[i] & ~result); +@@ -126,5 +126,5 @@ int PQCLEAN_HQC192_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const ui + PQCLEAN_HQC192_CLEAN_store8_arr(mc + VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES, VEC_N1N2_SIZE_BYTES, v, VEC_N1N2_SIZE_64); + PQCLEAN_HQC192_CLEAN_shake256_512_ds(&shake256state, ss, mc, VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES, K_FCT_DOMAIN); + +- return -(~result & 1); ++ return (result & 1) - 1; + } +diff --git a/crypto_kem/hqc-256/clean/kem.c b/crypto_kem/hqc-256/clean/kem.c +index 4e47e87..d4c6a08 100644 +--- a/crypto_kem/hqc-256/clean/kem.c ++++ b/crypto_kem/hqc-256/clean/kem.c +@@ -87,7 +87,7 @@ int PQCLEAN_HQC256_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const ui + uint8_t result; + uint64_t u[VEC_N_SIZE_64] = {0}; + uint64_t v[VEC_N1N2_SIZE_64] = {0}; +- const uint8_t *pk = sk + SEED_BYTES; ++ const uint8_t *pk = sk + SEED_BYTES + VEC_K_SIZE_BYTES; + uint8_t sigma[VEC_K_SIZE_BYTES] = {0}; + uint8_t theta[SHAKE256_512_BYTES] = {0}; + uint64_t u2[VEC_N_SIZE_64] = {0}; +@@ -115,7 +115,7 @@ int PQCLEAN_HQC256_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const ui + result |= PQCLEAN_HQC256_CLEAN_vect_compare((uint8_t *)u, (uint8_t *)u2, VEC_N_SIZE_BYTES); + result |= PQCLEAN_HQC256_CLEAN_vect_compare((uint8_t *)v, (uint8_t *)v2, VEC_N1N2_SIZE_BYTES); + +- result = (uint8_t) (-((int16_t) result) >> 15); ++ result -= 1; + + for (size_t i = 0; i < VEC_K_SIZE_BYTES; ++i) { + mc[i] = (m[i] & result) ^ (sigma[i] & ~result); +@@ -126,5 +126,5 @@ int PQCLEAN_HQC256_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const ui + PQCLEAN_HQC256_CLEAN_store8_arr(mc + VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES, VEC_N1N2_SIZE_BYTES, v, VEC_N1N2_SIZE_64); + PQCLEAN_HQC256_CLEAN_shake256_512_ds(&shake256state, ss, mc, VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES, K_FCT_DOMAIN); + +- return -(~result & 1); ++ return (result & 1) - 1; + }