added lambda byte/bit combine sq for 192 and 256 fields

Author: shibammukherjee

aes.c

@@ -12,6 +12,9 @@
 #include "compat.h"
 #include "utils.h"
 
+// TODO: Make it central somewhere
+#define ALLOW_ZERO_SBOX
+
 #if defined(HAVE_OPENSSL)
 #include <openssl/evp.h>
 #endif

faest.c

@@ -15,8 +15,6 @@
 #include "vole.h"
 #include "universal_hashing.h"
 
-#define NOT_ALLOW_ZERO_SBOX
-
 #include <string.h>
 
 // helpers to compute position in signature (sign)

faest_aes.c

@@ -17,6 +17,9 @@
 #include <string.h>
 #include <stdlib.h>
 
+// TODO: Make it central somewhere
+#define ALLOW_ZERO_SBOX
+
 static_assert(FAEST_128F_ELL == FAEST_128S_ELL, "Invalid parameters");
 static_assert(FAEST_128F_LAMBDA == FAEST_128S_LAMBDA, "Invalid parameters");
 static_assert(FAEST_128F_Lke == FAEST_128S_Lke, "Invalid parameters");

fields.c

@@ -9,6 +9,9 @@
 #include "fields.h"
 #include "randomness.h"
 
+// TODO: Make it central somewhere
+#define ALLOW_ZERO_SBOX
+
 // GF(2^8) with X^8 + X^4 + X^3 + X^1 + 1
 #define bf8_modulus (UINT8_C((1 << 4) | (1 << 3) | (1 << 1) | 1))
 // GF(2^64) with X^64 + X^4 + X^3 + X^1 + 1
@@ -127,7 +130,7 @@ bf128_t bf128_byte_combine_sq(const bf128_t* x) {
   bf_tmp[6] = x[6];
   bf_tmp[7] = x[7];
 
-  // first we square here
+  // first we square the macs
   bf_tmp[0] = bf_tmp[0] ^ bf_tmp[4] ^ bf_tmp[6];
   bf_tmp[1] = bf_tmp[4] ^ bf_tmp[6] ^ bf_tmp[7];
   bf_tmp[2] = bf_tmp[1] ^ bf_tmp[5];
@@ -201,7 +204,6 @@ bf128_t bf128_byte_combine_bits_sq(uint8_t x) {
     }
     return bf_out_sq;
   #endif
-
 }
 #endif
 
@@ -333,6 +335,39 @@ bf192_t bf192_byte_combine(const bf192_t* x) {
   return bf_out;
 }
 
+#if defined(ALLOW_ZERO_SBOX)
+bf192_t bf192_byte_combine_sq(const bf192_t* x) {
+
+  bf192_t bf_tmp[8];
+  bf_tmp[0] = x[0];
+  bf_tmp[1] = x[1];
+  bf_tmp[2] = x[2];
+  bf_tmp[3] = x[3];
+  bf_tmp[4] = x[4];
+  bf_tmp[5] = x[5];
+  bf_tmp[6] = x[6];
+  bf_tmp[7] = x[7];
+
+  // first we squre the macs
+  bf_tmp[0] = bf_tmp[0] ^ bf_tmp[4] ^ bf_tmp[6];
+  bf_tmp[1] = bf_tmp[4] ^ bf_tmp[6] ^ bf_tmp[7];
+  bf_tmp[2] = bf_tmp[1] ^ bf_tmp[5];
+  bf_tmp[3] = bf_tmp[4] ^ bf_tmp[5] ^ bf_tmp[6] ^ bf_tmp[7];
+  bf_tmp[4] = bf_tmp[2] ^ bf_tmp[4] ^ bf_tmp[7];
+  bf_tmp[5] = bf_tmp[5] ^ bf_tmp[6];
+  bf_tmp[6] = bf_tmp[3] ^ bf_tmp[5];
+  bf_tmp[7] = bf_tmp[6] ^ bf_tmp[7];
+
+  // now we lift the squared mac values
+  bf192_t bf_out = bf_tmp[0];
+  for (unsigned int i = 1; i < 8; ++i) {
+    bf_out = bf192_add(bf_out, bf192_mul(bf_tmp[i], bf192_alpha[i - 1]));
+  }
+  return bf_out;
+
+}
+#endif
+
 bf192_t bf192_byte_combine_bits(uint8_t x) {
 #if defined(HAVE_ATTR_VECTOR_SIZE)
   return bf192_from_bit(x & 1) ^ bf192_mul_bit(bf192_alpha[1 - 1], (x >> 1) & 1) ^
@@ -351,6 +386,45 @@ bf192_t bf192_byte_combine_bits(uint8_t x) {
 #endif
 }
 
+#if defined(ALLOW_ZERO_SBOX)
+bf192_t bf192_byte_combine_bits_sq(uint8_t x) {
+
+  // first we do the squaring
+  uint8_t bits[8];
+  for(unsigned int i = 0; i < 8; i++) {
+    bits[i] = (x >> i) & 1;
+  }
+  bits[0] = bits[0] ^ bits[4] ^ bits[6];
+  bits[1] = bits[4] ^ bits[6] ^ bits[7];
+  bits[2] = bits[1] ^ bits[5];
+  bits[3] = bits[4] ^ bits[5] ^ bits[6] ^ bits[7];
+  bits[4] = bits[2] ^ bits[4] ^ bits[7];
+  bits[5] = bits[5] ^ bits[6];
+  bits[6] = bits[3] ^ bits[5];
+  bits[7] = bits[6] ^ bits[7];
+  uint8_t sq_x = 0;
+  for(unsigned int i = 0; i < 8; i++) {
+    sq_x ^= (bits[i] << i);
+  }
+
+  #if defined(HAVE_ATTR_VECTOR_SIZE)
+  return bf192_from_bit(sq_x & 1) ^ bf192_mul_bit(bf192_alpha[1 - 1], (sq_x >> 1) & 1) ^
+         bf192_mul_bit(bf192_alpha[2 - 1], (sq_x >> 2) & 1) ^
+         bf192_mul_bit(bf192_alpha[3 - 1], (sq_x >> 3) & 1) ^
+         bf192_mul_bit(bf192_alpha[4 - 1], (sq_x >> 4) & 1) ^
+         bf192_mul_bit(bf192_alpha[5 - 1], (sq_x >> 5) & 1) ^
+         bf192_mul_bit(bf192_alpha[6 - 1], (sq_x >> 6) & 1) ^
+         bf192_mul_bit(bf192_alpha[7 - 1], (sq_x >> 7) & 1);
+  #else
+    bf192_t bf_out_sq = bf192_from_bit(sq_x & 1);
+    for (unsigned int i = 1; i < 8; ++i) {
+      bf_out_sq = bf192_add(bf_out_sq, bf192_mul_bit(bf192_alpha[i - 1], (sq_x >> i) & 1));
+    }
+    return bf_out_sq;
+  #endif
+}
+#endif
+
 bf192_t bf192_rand(void) {
   uint8_t buf[BF192_NUM_BYTES];
   rand_bytes(buf, sizeof(buf));
@@ -492,6 +566,38 @@ bf256_t bf256_byte_combine(const bf256_t* x) {
   return bf_out;
 }
 
+#if defined(ALLOW_ZERO_SBOX)
+bf256_t bf256_byte_combine_sq(const bf256_t* x) {
+  
+  bf192_t bf_tmp[8];
+  bf_tmp[0] = x[0];
+  bf_tmp[1] = x[1];
+  bf_tmp[2] = x[2];
+  bf_tmp[3] = x[3];
+  bf_tmp[4] = x[4];
+  bf_tmp[5] = x[5];
+  bf_tmp[6] = x[6];
+  bf_tmp[7] = x[7];
+
+  // first we square the macs
+  bf_tmp[0] = bf_tmp[0] ^ bf_tmp[4] ^ bf_tmp[6];
+  bf_tmp[1] = bf_tmp[4] ^ bf_tmp[6] ^ bf_tmp[7];
+  bf_tmp[2] = bf_tmp[1] ^ bf_tmp[5];
+  bf_tmp[3] = bf_tmp[4] ^ bf_tmp[5] ^ bf_tmp[6] ^ bf_tmp[7];
+  bf_tmp[4] = bf_tmp[2] ^ bf_tmp[4] ^ bf_tmp[7];
+  bf_tmp[5] = bf_tmp[5] ^ bf_tmp[6];
+  bf_tmp[6] = bf_tmp[3] ^ bf_tmp[5];
+  bf_tmp[7] = bf_tmp[6] ^ bf_tmp[7];
+
+  // now we lift the squared mac values
+  bf256_t bf_out = bf_tmp[0];
+  for (unsigned int i = 1; i < 8; ++i) {
+    bf_out = bf256_add(bf_out, bf256_mul(bf_tmp[i], bf256_alpha[i - 1]));
+  }
+  return bf_out;
+}
+#endif
+
 bf256_t bf256_byte_combine_bits(uint8_t x) {
 #if defined(HAVE_ATTR_VECTOR_SIZE)
   return bf256_from_bit(x & 1) ^ bf256_mul_bit(bf256_alpha[1 - 1], (x >> 1) & 1) ^
@@ -510,6 +616,44 @@ bf256_t bf256_byte_combine_bits(uint8_t x) {
 #endif
 }
 
+#if defined(ALLOW_ZERO_SBOX)
+bf256_t bf256_byte_combine_bits_sq(uint8_t x) {
+  // first we do the squaring
+  uint8_t bits[8];
+  for(unsigned int i = 0; i < 8; i++) {
+    bits[i] = (x >> i) & 1;
+  }
+  bits[0] = bits[0] ^ bits[4] ^ bits[6];
+  bits[1] = bits[4] ^ bits[6] ^ bits[7];
+  bits[2] = bits[1] ^ bits[5];
+  bits[3] = bits[4] ^ bits[5] ^ bits[6] ^ bits[7];
+  bits[4] = bits[2] ^ bits[4] ^ bits[7];
+  bits[5] = bits[5] ^ bits[6];
+  bits[6] = bits[3] ^ bits[5];
+  bits[7] = bits[6] ^ bits[7];
+  uint8_t sq_x = 0;
+  for(unsigned int i = 0; i < 8; i++) {
+    sq_x ^= (bits[i] << i);
+  }
+  #if defined(HAVE_ATTR_VECTOR_SIZE)
+  return bf256_from_bit(sq_x & 1) ^ bf256_mul_bit(bf256_alpha[1 - 1], (sq_x >> 1) & 1) ^
+         bf256_mul_bit(bf256_alpha[2 - 1], (sq_x >> 2) & 1) ^
+         bf256_mul_bit(bf256_alpha[3 - 1], (sq_x >> 3) & 1) ^
+         bf256_mul_bit(bf256_alpha[4 - 1], (sq_x >> 4) & 1) ^
+         bf256_mul_bit(bf256_alpha[5 - 1], (sq_x >> 5) & 1) ^
+         bf256_mul_bit(bf256_alpha[6 - 1], (sq_x >> 6) & 1) ^
+         bf256_mul_bit(bf256_alpha[7 - 1], (sq_x >> 7) & 1);
+  #else
+  bf256_t bf_out_sq = bf256_from_bit(sq_x & 1);
+  for (unsigned int i = 1; i < 8; ++i) {
+    bf_out_sq = bf256_add(bf_out_sq, bf256_mul_bit(bf256_alpha[i - 1], (sq_x >> i) & 1));
+  }
+  return bf_out_sq;
+  #endif
+
+}
+#endif
+
 bf256_t bf256_rand(void) {
   uint8_t buf[BF256_NUM_BYTES];
   rand_bytes(buf, sizeof(buf));

fields.h

@@ -11,6 +11,9 @@
 #include <stdint.h>
 #include <string.h>
 
+// TODO: Make it central somewhere
+#define ALLOW_ZERO_SBOX
+
 FAEST_BEGIN_C_DECL
 
 typedef uint8_t bf8_t;
@@ -193,9 +196,10 @@ ATTR_CONST ATTR_ALWAYS_INLINE static inline bf128_t bf128_one(void) {
 
 ATTR_PURE bf128_t bf128_byte_combine(const bf128_t* x);
 ATTR_PURE bf128_t bf128_byte_combine_bits(uint8_t x);
+#if defined(ALLOW_ZERO_SBOX)
 ATTR_PURE bf128_t bf128_byte_combine_sq(const bf128_t* x);
 ATTR_PURE bf128_t bf128_byte_combine_bits_sq(uint8_t x);
-
+#endif
 bf128_t bf128_rand(void);
 
 #if defined(HAVE_ATTR_VECTOR_SIZE)
@@ -275,6 +279,10 @@ ATTR_CONST ATTR_ALWAYS_INLINE static inline bf192_t bf192_one(void) {
 
 ATTR_PURE bf192_t bf192_byte_combine(const bf192_t* x);
 ATTR_PURE bf192_t bf192_byte_combine_bits(uint8_t x);
+#if defined(ALLOW_ZERO_SBOX)
+ATTR_PURE bf192_t bf192_byte_combine_sq(const bf192_t* x);
+ATTR_PURE bf192_t bf192_byte_combine_bits_sq(uint8_t x);
+#endif
 bf192_t bf192_rand(void);
 
 #if defined(HAVE_ATTR_VECTOR_SIZE)
@@ -351,6 +359,10 @@ ATTR_CONST ATTR_ALWAYS_INLINE static inline bf256_t bf256_one(void) {
 
 ATTR_PURE bf256_t bf256_byte_combine(const bf256_t* x);
 ATTR_PURE bf256_t bf256_byte_combine_bits(uint8_t x);
+#if defined(ALLOW_ZERO_SBOX)
+ATTR_PURE bf256_t bf256_byte_combine_sq(const bf256_t* x);
+ATTR_PURE bf256_t bf256_byte_combine_bits_sq(uint8_t x);
+#endif
 bf256_t bf256_rand(void);
 
 #if defined(HAVE_ATTR_VECTOR_SIZE)