
Commit 5c9c314

committed
Merge branch 'nist-submission-round-2' of github.com:faest-sign/faest-ref into nist-submission-round-2
Conflicts resolved in: faest.c, random_oracle.c, random_oracle.h
2 parents 1f99775 + b2c1efd commit 5c9c314

7 files changed

+211
-107
lines changed


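--- a/aes.c
+++ b/aes.c
@@ -228,6 +228,36 @@ static void load_state(aes_block_t state, const uint8_t* src, unsigned int block
 }
 }
 
+static uint8_t invnorm(uint8_t in) {
+bf8_t x = bf8_byte_combine_bits(in);
+if (x == 0) {
+return 0;
+} else {
+bf8_t bf_x_17 = bf8_inv(x);
+for (unsigned int i = 0; i < 4; i++) {
+bf_x_17 = bf8_mul(bf_x_17, bf_x_17);
+}
+bf_x_17 = bf8_mul(bf_x_17, bf8_inv(x));
+uint8_t y_prime = 0;
+bf8_store(y_prime, bf_x_17);
+uint8_t y = 0;
+y ^= ((y_prime >> 0) & 1) << 0;
+y ^= ((y_prime >> 2) & 1) << 1;
+y ^= ((y_prime >> 6) & 1) << 2;
+y ^= ((y_prime >> 7) & 1) << 3;
+return y;
+}
+}
+
+static void store_invnorm_state(uint8_t* dst, aes_block_t state, unsigned int block_words) {
+
+for (unsigned int i = 0; i != block_words * 4; ++i) { // going thorugh each block
+uint8_t normstate = invnorm(state[i / 4][i % 4]);
+bf8_store(&dst[i], normstate);
+}
+
+}
+
 static void store_state(uint8_t* dst, aes_block_t state, unsigned int block_words) {
 for (unsigned int i = 0; i != block_words * 4; ++i) {
 bf8_store(&dst[i], state[i / 4][i % 4]);
@@ -495,18 +525,28 @@ uint8_t* aes_extend_witness(const uint8_t* key, const uint8_t* in, const faest_p
 // Step 13
 add_round_key(0, state, &round_keys, block_words);
 
-for (unsigned int round = 1; round < num_rounds; ++round) {
+for (unsigned int round = 0; round < num_rounds-1; ++round) {
+
+if (round % 2 == 0) {
+// save inverse norm of the S-box inputs, in coloumn major order
+store_invnorm_state(w, state, block_words);
+w += sizeof(aes_word_t) * block_words;
+}
 // Step 15
 sub_bytes(state, block_words);
 // Step 16
 shift_row(state, block_words);
-// Step 17
-store_state(w, state, block_words);
-w += sizeof(aes_word_t) * block_words;
+if (round % 2 == 1) {
+// Step 17
+store_state(w, state, block_words);
+w += sizeof(aes_word_t) * block_words;
+}
 // Step 18
 mix_column(state, block_words);
 // Step 19
-add_round_key(round, state, &round_keys, block_words);
+add_round_key(round + 1, state, &round_keys, block_words);
+
+
 }
 // last round is not commited to, so not computed
 }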
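Review bot: In `invnorm` (new line 242) `bf8_store(y_prime, bf_x_17);` passes the integer `y_prime` where the sibling call at line 256, `bf8_store(&dst[i], normstate);`, passes a `uint8_t*`; if `bf8_store` takes a pointer, this is an integer-to-pointer conversion that writes through a null pointer at run time (or fails to compile under strict settings), and it should read `bf8_store(&y_prime, bf_x_17);`. Separately, `if (x == 0)` at line 233 branches on the S-box input, which in `aes_extend_witness` is derived from the secret key, so the witness extension is no longer branch-free; if `bf8_inv(0)` returns 0 (as an exponentiation-based inverse would), the special case yields the same result and the branch can be dropped, computing `bf8_inv(x)` once and reusing it instead of calling it twice. The selection of bits 0, 2, 6 and 7 at lines 244–247 also deserves a one-line comment stating why those four positions represent the GF(2^4) element, presumably the coordinates of x^-17 in the subfield basis the verifier side expects, e.g. `// x^-17 lies in the GF(2^4) subfield; keep its four subfield-basis coordinates`. The enclosing function of the second hunk, `aes_extend_witness`, starts before the hunk.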
