taigrr/arduinolibs
1
0
Fork 0
mirror of https://github.com/taigrr/arduinolibs synced 2025-01-18 04:33:12 -08:00
Code Issues Projects Releases Wiki Activity
arduinolibs/NewHope_8cpp_source.html
Rhys Weatherley 9d2e774894 Update docs
2016-08-27 14:32:42 +10:00

1262 lines
168 KiB
HTML
Raw Blame History

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=9"/>
<meta name="generator" content="Doxygen 1.8.6"/>
<title>ArduinoLibs: NewHope.cpp Source File</title>
<link href="tabs.css" rel="stylesheet" type="text/css"/>
<script type="text/javascript" src="jquery.js"></script>
<script type="text/javascript" src="dynsections.js"></script>
<link href="search/search.css" rel="stylesheet" type="text/css"/>
<script type="text/javascript" src="search/search.js"></script>
<script type="text/javascript">
$(document).ready(function() { searchBox.OnSelectItem(0); });
</script>
<link href="doxygen.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="top"><!-- do not remove this div, it is closed by doxygen! -->
<div id="titlearea">
<table cellspacing="0" cellpadding="0">
<tbody>
<tr style="height: 56px;">
<td style="padding-left: 0.5em;">
<div id="projectname">ArduinoLibs
</div>
</td>
</tr>
</tbody>
</table>
</div>
<!-- end header part -->
<!-- Generated by Doxygen 1.8.6 -->
<script type="text/javascript">
var searchBox = new SearchBox("searchBox", "search",false,'Search');
</script>
<div id="navrow1" class="tabs">
<ul class="tablist">
<li><a href="index.html"><span>Main&#160;Page</span></a></li>
<li><a href="pages.html"><span>Related&#160;Pages</span></a></li>
<li><a href="modules.html"><span>Modules</span></a></li>
<li><a href="annotated.html"><span>Classes</span></a></li>
<li class="current"><a href="files.html"><span>Files</span></a></li>
<li>
<div id="MSearchBox" class="MSearchBoxInactive">
<span class="left">
<img id="MSearchSelect" src="search/mag_sel.png"
onmouseover="return searchBox.OnSearchSelectShow()"
onmouseout="return searchBox.OnSearchSelectHide()"
alt=""/>
<input type="text" id="MSearchField" value="Search" accesskey="S"
onfocus="searchBox.OnSearchFieldFocus(true)"
onblur="searchBox.OnSearchFieldFocus(false)"
onkeyup="searchBox.OnSearchFieldChange(event)"/>
</span><span class="right">
<a id="MSearchClose" href="javascript:searchBox.CloseResultsWindow()"><img id="MSearchCloseImg" border="0" src="search/close.png" alt=""/></a>
</span>
</div>
</li>
</ul>
</div>
<div id="navrow2" class="tabs2">
<ul class="tablist">
<li><a href="files.html"><span>File&#160;List</span></a></li>
</ul>
</div>
<!-- window showing the filter options -->
<div id="MSearchSelectWindow"
onmouseover="return searchBox.OnSearchSelectShow()"
onmouseout="return searchBox.OnSearchSelectHide()"
onkeydown="return searchBox.OnSearchSelectKey(event)">
<a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(0)"><span class="SelectionMark">&#160;</span>All</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(1)"><span class="SelectionMark">&#160;</span>Classes</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(2)"><span class="SelectionMark">&#160;</span>Files</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(3)"><span class="SelectionMark">&#160;</span>Functions</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(4)"><span class="SelectionMark">&#160;</span>Variables</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(5)"><span class="SelectionMark">&#160;</span>Typedefs</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(6)"><span class="SelectionMark">&#160;</span>Enumerations</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(7)"><span class="SelectionMark">&#160;</span>Enumerator</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(8)"><span class="SelectionMark">&#160;</span>Friends</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(9)"><span class="SelectionMark">&#160;</span>Groups</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(10)"><span class="SelectionMark">&#160;</span>Pages</a></div>
<!-- iframe showing the search results (closed by default) -->
<div id="MSearchResultsWindow">
<iframe src="javascript:void(0)" frameborder="0"
name="MSearchResults" id="MSearchResults">
</iframe>
</div>
<div id="nav-path" class="navpath">
<ul>
<li class="navelem"><a class="el" href="dir_bc0718b08fb2015b8e59c47b2805f60c.html">libraries</a></li><li class="navelem"><a class="el" href="dir_470c03f38356b1f63943514897cb198b.html">NewHope</a></li> </ul>
</div>
</div><!-- top -->
<div class="header">
<div class="headertitle">
<div class="title">NewHope.cpp</div> </div>
</div><!--header-->
<div class="contents">
<div class="fragment"><div class="line"><a name="l00001"></a><span class="lineno"> 1</span>&#160;<span class="comment">/*</span></div>
<div class="line"><a name="l00002"></a><span class="lineno"> 2</span>&#160;<span class="comment"> * Copyright (C) 2016 Southern Storm Software, Pty Ltd.</span></div>
<div class="line"><a name="l00003"></a><span class="lineno"> 3</span>&#160;<span class="comment"> *</span></div>
<div class="line"><a name="l00004"></a><span class="lineno"> 4</span>&#160;<span class="comment"> * Permission is hereby granted, free of charge, to any person obtaining a</span></div>
<div class="line"><a name="l00005"></a><span class="lineno"> 5</span>&#160;<span class="comment"> * copy of this software and associated documentation files (the &quot;Software&quot;),</span></div>
<div class="line"><a name="l00006"></a><span class="lineno"> 6</span>&#160;<span class="comment"> * to deal in the Software without restriction, including without limitation</span></div>
<div class="line"><a name="l00007"></a><span class="lineno"> 7</span>&#160;<span class="comment"> * the rights to use, copy, modify, merge, publish, distribute, sublicense,</span></div>
<div class="line"><a name="l00008"></a><span class="lineno"> 8</span>&#160;<span class="comment"> * and/or sell copies of the Software, and to permit persons to whom the</span></div>
<div class="line"><a name="l00009"></a><span class="lineno"> 9</span>&#160;<span class="comment"> * Software is furnished to do so, subject to the following conditions:</span></div>
<div class="line"><a name="l00010"></a><span class="lineno"> 10</span>&#160;<span class="comment"> *</span></div>
<div class="line"><a name="l00011"></a><span class="lineno"> 11</span>&#160;<span class="comment"> * The above copyright notice and this permission notice shall be included</span></div>
<div class="line"><a name="l00012"></a><span class="lineno"> 12</span>&#160;<span class="comment"> * in all copies or substantial portions of the Software.</span></div>
<div class="line"><a name="l00013"></a><span class="lineno"> 13</span>&#160;<span class="comment"> *</span></div>
<div class="line"><a name="l00014"></a><span class="lineno"> 14</span>&#160;<span class="comment"> * THE SOFTWARE IS PROVIDED &quot;AS IS&quot;, WITHOUT WARRANTY OF ANY KIND, EXPRESS</span></div>
<div class="line"><a name="l00015"></a><span class="lineno"> 15</span>&#160;<span class="comment"> * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,</span></div>
<div class="line"><a name="l00016"></a><span class="lineno"> 16</span>&#160;<span class="comment"> * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE</span></div>
<div class="line"><a name="l00017"></a><span class="lineno"> 17</span>&#160;<span class="comment"> * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER</span></div>
<div class="line"><a name="l00018"></a><span class="lineno"> 18</span>&#160;<span class="comment"> * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING</span></div>
<div class="line"><a name="l00019"></a><span class="lineno"> 19</span>&#160;<span class="comment"> * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER</span></div>
<div class="line"><a name="l00020"></a><span class="lineno"> 20</span>&#160;<span class="comment"> * DEALINGS IN THE SOFTWARE.</span></div>
<div class="line"><a name="l00021"></a><span class="lineno"> 21</span>&#160;<span class="comment"> */</span></div>
<div class="line"><a name="l00022"></a><span class="lineno"> 22</span>&#160;</div>
<div class="line"><a name="l00023"></a><span class="lineno"> 23</span>&#160;<span class="preprocessor">#include &quot;NewHope.h&quot;</span></div>
<div class="line"><a name="l00024"></a><span class="lineno"> 24</span>&#160;<span class="preprocessor">#include &lt;Crypto.h&gt;</span></div>
<div class="line"><a name="l00025"></a><span class="lineno"> 25</span>&#160;<span class="preprocessor">#include &lt;ChaCha.h&gt;</span></div>
<div class="line"><a name="l00026"></a><span class="lineno"> 26</span>&#160;<span class="preprocessor">#include &lt;SHA3.h&gt;</span></div>
<div class="line"><a name="l00027"></a><span class="lineno"> 27</span>&#160;<span class="preprocessor">#include &lt;SHAKE.h&gt;</span></div>
<div class="line"><a name="l00028"></a><span class="lineno"> 28</span>&#160;<span class="preprocessor">#include &lt;RNG.h&gt;</span></div>
<div class="line"><a name="l00029"></a><span class="lineno"> 29</span>&#160;<span class="preprocessor">#include &lt;string.h&gt;</span></div>
<div class="line"><a name="l00030"></a><span class="lineno"> 30</span>&#160;</div>
<div class="line"><a name="l00033"></a><span class="lineno"> 33</span>&#160;<span class="comment">// Older Arduino IDE&#39;s don&#39;t define placement new. Provide our own definition.</span></div>
<div class="line"><a name="l00034"></a><span class="lineno"> 34</span>&#160;<span class="keywordtype">void</span> *<span class="keyword">operator</span> <span class="keyword">new</span>(<span class="keywordtype">size_t</span> size, <span class="keywordtype">void</span> *ptr)</div>
<div class="line"><a name="l00035"></a><span class="lineno"> 35</span>&#160;{</div>
<div class="line"><a name="l00036"></a><span class="lineno"> 36</span>&#160; <span class="keywordflow">return</span> ptr;</div>
<div class="line"><a name="l00037"></a><span class="lineno"> 37</span>&#160;}</div>
<div class="line"><a name="l00038"></a><span class="lineno"> 38</span>&#160;</div>
<div class="line"><a name="l00039"></a><span class="lineno"> 39</span>&#160;<span class="preprocessor">#if defined(__AVR__)</span></div>
<div class="line"><a name="l00040"></a><span class="lineno"> 40</span>&#160;<span class="preprocessor"></span><span class="preprocessor">#include &lt;avr/pgmspace.h&gt;</span></div>
<div class="line"><a name="l00041"></a><span class="lineno"> 41</span>&#160;<span class="preprocessor">#define table_read(name, index) (pgm_read_word(&amp;((name)[(index)])))</span></div>
<div class="line"><a name="l00042"></a><span class="lineno"> 42</span>&#160;<span class="preprocessor"></span><span class="preprocessor">#else</span></div>
<div class="line"><a name="l00043"></a><span class="lineno"> 43</span>&#160;<span class="preprocessor"></span><span class="preprocessor">#define PROGMEM</span></div>
<div class="line"><a name="l00044"></a><span class="lineno"> 44</span>&#160;<span class="preprocessor"></span><span class="preprocessor">#define table_read(name, index) ((name)[(index)])</span></div>
<div class="line"><a name="l00045"></a><span class="lineno"> 45</span>&#160;<span class="preprocessor"></span><span class="preprocessor">#endif</span></div>
<div class="line"><a name="l00046"></a><span class="lineno"> 46</span>&#160;<span class="preprocessor"></span></div>
<div class="line"><a name="l00158"></a><span class="lineno"> 158</span>&#160;<span class="keyword">typedef</span> <span class="keyword">struct</span></div>
<div class="line"><a name="l00159"></a><span class="lineno"> 159</span>&#160;{</div>
<div class="line"><a name="l00160"></a><span class="lineno"> 160</span>&#160; uint32_t input[16];</div>
<div class="line"><a name="l00161"></a><span class="lineno"> 161</span>&#160; uint32_t output[16];</div>
<div class="line"><a name="l00162"></a><span class="lineno"> 162</span>&#160;</div>
<div class="line"><a name="l00163"></a><span class="lineno"> 163</span>&#160;} NewHopeChaChaState;</div>
<div class="line"><a name="l00164"></a><span class="lineno"> 164</span>&#160;</div>
<div class="line"><a name="l00165"></a><span class="lineno"> 165</span>&#160;<span class="comment">// The following is public domain code from the reference C version of</span></div>
<div class="line"><a name="l00166"></a><span class="lineno"> 166</span>&#160;<span class="comment">// New Hope at https://cryptojedi.org/crypto/#newhope. This part of</span></div>
<div class="line"><a name="l00167"></a><span class="lineno"> 167</span>&#160;<span class="comment">// the Arduino port remains public domain. Original authors:</span></div>
<div class="line"><a name="l00168"></a><span class="lineno"> 168</span>&#160;<span class="comment">// Erdem Alkim, Léo Ducas, Thomas Pöppelmann, Peter Schwabe</span></div>
<div class="line"><a name="l00169"></a><span class="lineno"> 169</span>&#160;</div>
<div class="line"><a name="l00170"></a><span class="lineno"> 170</span>&#160;<span class="preprocessor">#define PARAM_N 1024</span></div>
<div class="line"><a name="l00171"></a><span class="lineno"> 171</span>&#160;<span class="preprocessor"></span><span class="preprocessor">#define PARAM_K 16</span></div>
<div class="line"><a name="l00172"></a><span class="lineno"> 172</span>&#160;<span class="preprocessor"></span><span class="preprocessor">#define PARAM_Q ((int32_t)12289)</span></div>
<div class="line"><a name="l00173"></a><span class="lineno"> 173</span>&#160;<span class="preprocessor"></span><span class="preprocessor">#define POLY_BYTES 1792</span></div>
<div class="line"><a name="l00174"></a><span class="lineno"> 174</span>&#160;<span class="preprocessor"></span><span class="preprocessor">#define NEWHOPE_SEEDBYTES 32</span></div>
<div class="line"><a name="l00175"></a><span class="lineno"> 175</span>&#160;<span class="preprocessor"></span><span class="preprocessor">#define NEWHOPE_RECBYTES 256</span></div>
<div class="line"><a name="l00176"></a><span class="lineno"> 176</span>&#160;<span class="preprocessor"></span></div>
<div class="line"><a name="l00177"></a><span class="lineno"> 177</span>&#160;<span class="keyword">static</span> uint16_t <span class="keyword">const</span> omegas_montgomery[PARAM_N/2] PROGMEM = {</div>
<div class="line"><a name="l00178"></a><span class="lineno"> 178</span>&#160; 4075,6974,7373,7965,3262,5079,522,2169,6364,1018,1041,8775,2344,</div>
<div class="line"><a name="l00179"></a><span class="lineno"> 179</span>&#160; 11011,5574,1973,4536,1050,6844,3860,3818,6118,2683,1190,4789,7822,</div>
<div class="line"><a name="l00180"></a><span class="lineno"> 180</span>&#160; 7540,6752,5456,4449,3789,12142,11973,382,3988,468,6843,5339,6196,</div>
<div class="line"><a name="l00181"></a><span class="lineno"> 181</span>&#160; 3710,11316,1254,5435,10930,3998,10256,10367,3879,11889,1728,6137,</div>
<div class="line"><a name="l00182"></a><span class="lineno"> 182</span>&#160; 4948,5862,6136,3643,6874,8724,654,10302,1702,7083,6760,56,3199,9987,</div>
<div class="line"><a name="l00183"></a><span class="lineno"> 183</span>&#160; 605,11785,8076,5594,9260,6403,4782,6212,4624,9026,8689,4080,11868,</div>
<div class="line"><a name="l00184"></a><span class="lineno"> 184</span>&#160; 6221,3602,975,8077,8851,9445,5681,3477,1105,142,241,12231,1003,</div>
<div class="line"><a name="l00185"></a><span class="lineno"> 185</span>&#160; 3532,5009,1956,6008,11404,7377,2049,10968,12097,7591,5057,3445,</div>
<div class="line"><a name="l00186"></a><span class="lineno"> 186</span>&#160; 4780,2920,7048,3127,8120,11279,6821,11502,8807,12138,2127,2839,</div>
<div class="line"><a name="l00187"></a><span class="lineno"> 187</span>&#160; 3957,431,1579,6383,9784,5874,677,3336,6234,2766,1323,9115,12237,</div>
<div class="line"><a name="l00188"></a><span class="lineno"> 188</span>&#160; 2031,6956,6413,2281,3969,3991,12133,9522,4737,10996,4774,5429,11871,</div>
<div class="line"><a name="l00189"></a><span class="lineno"> 189</span>&#160; 3772,453,5908,2882,1805,2051,1954,11713,3963,2447,6142,8174,3030,</div>
<div class="line"><a name="l00190"></a><span class="lineno"> 190</span>&#160; 1843,2361,12071,2908,3529,3434,3202,7796,2057,5369,11939,1512,6906,</div>
<div class="line"><a name="l00191"></a><span class="lineno"> 191</span>&#160; 10474,11026,49,10806,5915,1489,9789,5942,10706,10431,7535,426,8974,</div>
<div class="line"><a name="l00192"></a><span class="lineno"> 192</span>&#160; 3757,10314,9364,347,5868,9551,9634,6554,10596,9280,11566,174,2948,</div>
<div class="line"><a name="l00193"></a><span class="lineno"> 193</span>&#160; 2503,6507,10723,11606,2459,64,3656,8455,5257,5919,7856,1747,9166,</div>
<div class="line"><a name="l00194"></a><span class="lineno"> 194</span>&#160; 5486,9235,6065,835,3570,4240,11580,4046,10970,9139,1058,8210,11848,</div>
<div class="line"><a name="l00195"></a><span class="lineno"> 195</span>&#160; 922,7967,1958,10211,1112,3728,4049,11130,5990,1404,325,948,11143,</div>
<div class="line"><a name="l00196"></a><span class="lineno"> 196</span>&#160; 6190,295,11637,5766,8212,8273,2919,8527,6119,6992,8333,1360,2555,</div>
<div class="line"><a name="l00197"></a><span class="lineno"> 197</span>&#160; 6167,1200,7105,7991,3329,9597,12121,5106,5961,10695,10327,3051,9923,</div>
<div class="line"><a name="l00198"></a><span class="lineno"> 198</span>&#160; 4896,9326,81,3091,1000,7969,4611,726,1853,12149,4255,11112,2768,</div>
<div class="line"><a name="l00199"></a><span class="lineno"> 199</span>&#160; 10654,1062,2294,3553,4805,2747,4846,8577,9154,1170,2319,790,11334,</div>
<div class="line"><a name="l00200"></a><span class="lineno"> 200</span>&#160; 9275,9088,1326,5086,9094,6429,11077,10643,3504,3542,8668,9744,1479,</div>
<div class="line"><a name="l00201"></a><span class="lineno"> 201</span>&#160; 1,8246,7143,11567,10984,4134,5736,4978,10938,5777,8961,4591,5728,</div>
<div class="line"><a name="l00202"></a><span class="lineno"> 202</span>&#160; 6461,5023,9650,7468,949,9664,2975,11726,2744,9283,10092,5067,12171,</div>
<div class="line"><a name="l00203"></a><span class="lineno"> 203</span>&#160; 2476,3748,11336,6522,827,9452,5374,12159,7935,3296,3949,9893,4452,</div>
<div class="line"><a name="l00204"></a><span class="lineno"> 204</span>&#160; 10908,2525,3584,8112,8011,10616,4989,6958,11809,9447,12280,1022,</div>
<div class="line"><a name="l00205"></a><span class="lineno"> 205</span>&#160; 11950,9821,11745,5791,5092,2089,9005,2881,3289,2013,9048,729,7901,</div>
<div class="line"><a name="l00206"></a><span class="lineno"> 206</span>&#160; 1260,5755,4632,11955,2426,10593,1428,4890,5911,3932,9558,8830,3637,</div>
<div class="line"><a name="l00207"></a><span class="lineno"> 207</span>&#160; 5542,145,5179,8595,3707,10530,355,3382,4231,9741,1207,9041,7012,1168,</div>
<div class="line"><a name="l00208"></a><span class="lineno"> 208</span>&#160; 10146,11224,4645,11885,10911,10377,435,7952,4096,493,9908,6845,6039,</div>
<div class="line"><a name="l00209"></a><span class="lineno"> 209</span>&#160; 2422,2187,9723,8643,9852,9302,6022,7278,1002,4284,5088,1607,7313,</div>
<div class="line"><a name="l00210"></a><span class="lineno"> 210</span>&#160; 875,8509,9430,1045,2481,5012,7428,354,6591,9377,11847,2401,1067,</div>
<div class="line"><a name="l00211"></a><span class="lineno"> 211</span>&#160; 7188,11516,390,8511,8456,7270,545,8585,9611,12047,1537,4143,4714,</div>
<div class="line"><a name="l00212"></a><span class="lineno"> 212</span>&#160; 4885,1017,5084,1632,3066,27,1440,8526,9273,12046,11618,9289,3400,</div>
<div class="line"><a name="l00213"></a><span class="lineno"> 213</span>&#160; 9890,3136,7098,8758,11813,7384,3985,11869,6730,10745,10111,2249,</div>
<div class="line"><a name="l00214"></a><span class="lineno"> 214</span>&#160; 4048,2884,11136,2126,1630,9103,5407,2686,9042,2969,8311,9424,</div>
<div class="line"><a name="l00215"></a><span class="lineno"> 215</span>&#160; 9919,8779,5332,10626,1777,4654,10863,7351,3636,9585,5291,8374,</div>
<div class="line"><a name="l00216"></a><span class="lineno"> 216</span>&#160; 2166,4919,12176,9140,12129,7852,12286,4895,10805,2780,5195,2305,</div>
<div class="line"><a name="l00217"></a><span class="lineno"> 217</span>&#160; 7247,9644,4053,10600,3364,3271,4057,4414,9442,7917,2174</div>
<div class="line"><a name="l00218"></a><span class="lineno"> 218</span>&#160;};</div>
<div class="line"><a name="l00219"></a><span class="lineno"> 219</span>&#160;</div>
<div class="line"><a name="l00220"></a><span class="lineno"> 220</span>&#160;<span class="keyword">static</span> uint16_t <span class="keyword">const</span> omegas_inv_montgomery[PARAM_N/2] PROGMEM = {</div>
<div class="line"><a name="l00221"></a><span class="lineno"> 221</span>&#160; 4075,5315,4324,4916,10120,11767,7210,9027,10316,6715,1278,9945,</div>
<div class="line"><a name="l00222"></a><span class="lineno"> 222</span>&#160; 3514,11248,11271,5925,147,8500,7840,6833,5537,4749,4467,7500,11099,</div>
<div class="line"><a name="l00223"></a><span class="lineno"> 223</span>&#160; 9606,6171,8471,8429,5445,11239,7753,9090,12233,5529,5206,10587,</div>
<div class="line"><a name="l00224"></a><span class="lineno"> 224</span>&#160; 1987,11635,3565,5415,8646,6153,6427,7341,6152,10561,400,8410,1922,</div>
<div class="line"><a name="l00225"></a><span class="lineno"> 225</span>&#160; 2033,8291,1359,6854,11035,973,8579,6093,6950,5446,11821,8301,11907,</div>
<div class="line"><a name="l00226"></a><span class="lineno"> 226</span>&#160; 316,52,3174,10966,9523,6055,8953,11612,6415,2505,5906,10710,11858,</div>
<div class="line"><a name="l00227"></a><span class="lineno"> 227</span>&#160; 8332,9450,10162,151,3482,787,5468,1010,4169,9162,5241,9369,7509,</div>
<div class="line"><a name="l00228"></a><span class="lineno"> 228</span>&#160; 8844,7232,4698,192,1321,10240,4912,885,6281,10333,7280,8757,11286,</div>
<div class="line"><a name="l00229"></a><span class="lineno"> 229</span>&#160; 58,12048,12147,11184,8812,6608,2844,3438,4212,11314,8687,6068,421,</div>
<div class="line"><a name="l00230"></a><span class="lineno"> 230</span>&#160; 8209,3600,3263,7665,6077,7507,5886,3029,6695,4213,504,11684,2302,</div>
<div class="line"><a name="l00231"></a><span class="lineno"> 231</span>&#160; 1962,1594,6328,7183,168,2692,8960,4298,5184,11089,6122,9734,10929,</div>
<div class="line"><a name="l00232"></a><span class="lineno"> 232</span>&#160; 3956,5297,6170,3762,9370,4016,4077,6523,652,11994,6099,1146,11341,</div>
<div class="line"><a name="l00233"></a><span class="lineno"> 233</span>&#160; 11964,10885,6299,1159,8240,8561,11177,2078,10331,4322,11367,441,</div>
<div class="line"><a name="l00234"></a><span class="lineno"> 234</span>&#160; 4079,11231,3150,1319,8243,709,8049,8719,11454,6224,3054,6803,3123,</div>
<div class="line"><a name="l00235"></a><span class="lineno"> 235</span>&#160; 10542,4433,6370,7032,3834,8633,12225,9830,683,1566,5782,9786,9341,</div>
<div class="line"><a name="l00236"></a><span class="lineno"> 236</span>&#160; 12115,723,3009,1693,5735,2655,2738,6421,11942,2925,1975,8532,3315,</div>
<div class="line"><a name="l00237"></a><span class="lineno"> 237</span>&#160; 11863,4754,1858,1583,6347,2500,10800,6374,1483,12240,1263,1815,</div>
<div class="line"><a name="l00238"></a><span class="lineno"> 238</span>&#160; 5383,10777,350,6920,10232,4493,9087,8855,8760,9381,218,9928,10446,</div>
<div class="line"><a name="l00239"></a><span class="lineno"> 239</span>&#160; 9259,4115,6147,9842,8326,576,10335,10238,10484,9407,6381,11836,8517,</div>
<div class="line"><a name="l00240"></a><span class="lineno"> 240</span>&#160; 418,6860,7515,1293,7552,2767,156,8298,8320,10008,5876,5333,10258,</div>
<div class="line"><a name="l00241"></a><span class="lineno"> 241</span>&#160; 10115,4372,2847,7875,8232,9018,8925,1689,8236,2645,5042,9984,7094,</div>
<div class="line"><a name="l00242"></a><span class="lineno"> 242</span>&#160; 9509,1484,7394,3,4437,160,3149,113,7370,10123,3915,6998,2704,8653,</div>
<div class="line"><a name="l00243"></a><span class="lineno"> 243</span>&#160; 4938,1426,7635,10512,1663,6957,3510,2370,2865,3978,9320,3247,9603,</div>
<div class="line"><a name="l00244"></a><span class="lineno"> 244</span>&#160; 6882,3186,10659,10163,1153,9405,8241,10040,2178,1544,5559,420,8304,</div>
<div class="line"><a name="l00245"></a><span class="lineno"> 245</span>&#160; 4905,476,3531,5191,9153,2399,8889,3000,671,243,3016,3763,10849,12262,</div>
<div class="line"><a name="l00246"></a><span class="lineno"> 246</span>&#160; 9223,10657,7205,11272,7404,7575,8146,10752,242,2678,3704,11744,</div>
<div class="line"><a name="l00247"></a><span class="lineno"> 247</span>&#160; 5019,3833,3778,11899,773,5101,11222,9888,442,2912,5698,11935,4861,</div>
<div class="line"><a name="l00248"></a><span class="lineno"> 248</span>&#160; 7277,9808,11244,2859,3780,11414,4976,10682,7201,8005,11287,5011,</div>
<div class="line"><a name="l00249"></a><span class="lineno"> 249</span>&#160; 6267,2987,2437,3646,2566,10102,9867,6250,5444,2381,11796,8193,4337,</div>
<div class="line"><a name="l00250"></a><span class="lineno"> 250</span>&#160; 11854,1912,1378,404,7644,1065,2143,11121,5277,3248,11082,2548,8058,</div>
<div class="line"><a name="l00251"></a><span class="lineno"> 251</span>&#160; 8907,11934,1759,8582,3694,7110,12144,6747,8652,3459,2731,8357,6378,</div>
<div class="line"><a name="l00252"></a><span class="lineno"> 252</span>&#160; 7399,10861,1696,9863,334,7657,6534,11029,4388,11560,3241,10276,9000,</div>
<div class="line"><a name="l00253"></a><span class="lineno"> 253</span>&#160; 9408,3284,10200,7197,6498,544,2468,339,11267,9,2842,480,5331,7300,</div>
<div class="line"><a name="l00254"></a><span class="lineno"> 254</span>&#160; 1673,4278,4177,8705,9764,1381,7837,2396,8340,8993,4354,130,6915,</div>
<div class="line"><a name="l00255"></a><span class="lineno"> 255</span>&#160; 2837,11462,5767,953,8541,9813,118,7222,2197,3006,9545,563,9314,</div>
<div class="line"><a name="l00256"></a><span class="lineno"> 256</span>&#160; 2625,11340,4821,2639,7266,5828,6561,7698,3328,6512,1351,7311,6553,</div>
<div class="line"><a name="l00257"></a><span class="lineno"> 257</span>&#160; 8155,1305,722,5146,4043,12288,10810,2545,3621,8747,8785,1646,1212,</div>
<div class="line"><a name="l00258"></a><span class="lineno"> 258</span>&#160; 5860,3195,7203,10963,3201,3014,955,11499,9970,11119,3135,3712,7443,</div>
<div class="line"><a name="l00259"></a><span class="lineno"> 259</span>&#160; 9542,7484,8736,9995,11227,1635,9521,1177,8034,140,10436,11563,7678,</div>
<div class="line"><a name="l00260"></a><span class="lineno"> 260</span>&#160; 4320,11289,9198,12208,2963,7393,2366,9238</div>
<div class="line"><a name="l00261"></a><span class="lineno"> 261</span>&#160;};</div>
<div class="line"><a name="l00262"></a><span class="lineno"> 262</span>&#160;</div>
<div class="line"><a name="l00263"></a><span class="lineno"> 263</span>&#160;<span class="keyword">static</span> uint16_t <span class="keyword">const</span> psis_bitrev_montgomery[PARAM_N] PROGMEM = {</div>
<div class="line"><a name="l00264"></a><span class="lineno"> 264</span>&#160; 4075,6974,7373,7965,3262,5079,522,2169,6364,1018,1041,8775,2344,</div>
<div class="line"><a name="l00265"></a><span class="lineno"> 265</span>&#160; 11011,5574,1973,4536,1050,6844,3860,3818,6118,2683,1190,4789,7822,</div>
<div class="line"><a name="l00266"></a><span class="lineno"> 266</span>&#160; 7540,6752,5456,4449,3789,12142,11973,382,3988,468,6843,5339,6196,3710,</div>
<div class="line"><a name="l00267"></a><span class="lineno"> 267</span>&#160; 11316,1254,5435,10930,3998,10256,10367,3879,11889,1728,6137,4948,</div>
<div class="line"><a name="l00268"></a><span class="lineno"> 268</span>&#160; 5862,6136,3643,6874,8724,654,10302,1702,7083,6760,56,3199,9987,605,</div>
<div class="line"><a name="l00269"></a><span class="lineno"> 269</span>&#160; 11785,8076,5594,9260,6403,4782,6212,4624,9026,8689,4080,11868,6221,</div>
<div class="line"><a name="l00270"></a><span class="lineno"> 270</span>&#160; 3602,975,8077,8851,9445,5681,3477,1105,142,241,12231,1003,3532,5009,</div>
<div class="line"><a name="l00271"></a><span class="lineno"> 271</span>&#160; 1956,6008,11404,7377,2049,10968,12097,7591,5057,3445,4780,2920,</div>
<div class="line"><a name="l00272"></a><span class="lineno"> 272</span>&#160; 7048,3127,8120,11279,6821,11502,8807,12138,2127,2839,3957,431,1579,</div>
<div class="line"><a name="l00273"></a><span class="lineno"> 273</span>&#160; 6383,9784,5874,677,3336,6234,2766,1323,9115,12237,2031,6956,6413,</div>
<div class="line"><a name="l00274"></a><span class="lineno"> 274</span>&#160; 2281,3969,3991,12133,9522,4737,10996,4774,5429,11871,3772,453,</div>
<div class="line"><a name="l00275"></a><span class="lineno"> 275</span>&#160; 5908,2882,1805,2051,1954,11713,3963,2447,6142,8174,3030,1843,2361,</div>
<div class="line"><a name="l00276"></a><span class="lineno"> 276</span>&#160; 12071,2908,3529,3434,3202,7796,2057,5369,11939,1512,6906,10474,</div>
<div class="line"><a name="l00277"></a><span class="lineno"> 277</span>&#160; 11026,49,10806,5915,1489,9789,5942,10706,10431,7535,426,8974,3757,</div>
<div class="line"><a name="l00278"></a><span class="lineno"> 278</span>&#160; 10314,9364,347,5868,9551,9634,6554,10596,9280,11566,174,2948,2503,</div>
<div class="line"><a name="l00279"></a><span class="lineno"> 279</span>&#160; 6507,10723,11606,2459,64,3656,8455,5257,5919,7856,1747,9166,5486,</div>
<div class="line"><a name="l00280"></a><span class="lineno"> 280</span>&#160; 9235,6065,835,3570,4240,11580,4046,10970,9139,1058,8210,11848,922,</div>
<div class="line"><a name="l00281"></a><span class="lineno"> 281</span>&#160; 7967,1958,10211,1112,3728,4049,11130,5990,1404,325,948,11143,6190,</div>
<div class="line"><a name="l00282"></a><span class="lineno"> 282</span>&#160; 295,11637,5766,8212,8273,2919,8527,6119,6992,8333,1360,2555,6167,</div>
<div class="line"><a name="l00283"></a><span class="lineno"> 283</span>&#160; 1200,7105,7991,3329,9597,12121,5106,5961,10695,10327,3051,9923,</div>
<div class="line"><a name="l00284"></a><span class="lineno"> 284</span>&#160; 4896,9326,81,3091,1000,7969,4611,726,1853,12149,4255,11112,2768,</div>
<div class="line"><a name="l00285"></a><span class="lineno"> 285</span>&#160; 10654,1062,2294,3553,4805,2747,4846,8577,9154,1170,2319,790,11334,</div>
<div class="line"><a name="l00286"></a><span class="lineno"> 286</span>&#160; 9275,9088,1326,5086,9094,6429,11077,10643,3504,3542,8668,9744,1479,</div>
<div class="line"><a name="l00287"></a><span class="lineno"> 287</span>&#160; 1,8246,7143,11567,10984,4134,5736,4978,10938,5777,8961,4591,5728,</div>
<div class="line"><a name="l00288"></a><span class="lineno"> 288</span>&#160; 6461,5023,9650,7468,949,9664,2975,11726,2744,9283,10092,5067,12171,</div>
<div class="line"><a name="l00289"></a><span class="lineno"> 289</span>&#160; 2476,3748,11336,6522,827,9452,5374,12159,7935,3296,3949,9893,4452,</div>
<div class="line"><a name="l00290"></a><span class="lineno"> 290</span>&#160; 10908,2525,3584,8112,8011,10616,4989,6958,11809,9447,12280,1022,</div>
<div class="line"><a name="l00291"></a><span class="lineno"> 291</span>&#160; 11950,9821,11745,5791,5092,2089,9005,2881,3289,2013,9048,729,7901,</div>
<div class="line"><a name="l00292"></a><span class="lineno"> 292</span>&#160; 1260,5755,4632,11955,2426,10593,1428,4890,5911,3932,9558,8830,3637,</div>
<div class="line"><a name="l00293"></a><span class="lineno"> 293</span>&#160; 5542,145,5179,8595,3707,10530,355,3382,4231,9741,1207,9041,7012,</div>
<div class="line"><a name="l00294"></a><span class="lineno"> 294</span>&#160; 1168,10146,11224,4645,11885,10911,10377,435,7952,4096,493,9908,6845,</div>
<div class="line"><a name="l00295"></a><span class="lineno"> 295</span>&#160; 6039,2422,2187,9723,8643,9852,9302,6022,7278,1002,4284,5088,1607,</div>
<div class="line"><a name="l00296"></a><span class="lineno"> 296</span>&#160; 7313,875,8509,9430,1045,2481,5012,7428,354,6591,9377,11847,2401,</div>
<div class="line"><a name="l00297"></a><span class="lineno"> 297</span>&#160; 1067,7188,11516,390,8511,8456,7270,545,8585,9611,12047,1537,4143,</div>
<div class="line"><a name="l00298"></a><span class="lineno"> 298</span>&#160; 4714,4885,1017,5084,1632,3066,27,1440,8526,9273,12046,11618,9289,</div>
<div class="line"><a name="l00299"></a><span class="lineno"> 299</span>&#160; 3400,9890,3136,7098,8758,11813,7384,3985,11869,6730,10745,10111,</div>
<div class="line"><a name="l00300"></a><span class="lineno"> 300</span>&#160; 2249,4048,2884,11136,2126,1630,9103,5407,2686,9042,2969,8311,9424,</div>
<div class="line"><a name="l00301"></a><span class="lineno"> 301</span>&#160; 9919,8779,5332,10626,1777,4654,10863,7351,3636,9585,5291,8374,</div>
<div class="line"><a name="l00302"></a><span class="lineno"> 302</span>&#160; 2166,4919,12176,9140,12129,7852,12286,4895,10805,2780,5195,2305,</div>
<div class="line"><a name="l00303"></a><span class="lineno"> 303</span>&#160; 7247,9644,4053,10600,3364,3271,4057,4414,9442,7917,2174,3947,</div>
<div class="line"><a name="l00304"></a><span class="lineno"> 304</span>&#160; 11951,2455,6599,10545,10975,3654,2894,7681,7126,7287,12269,4119,</div>
<div class="line"><a name="l00305"></a><span class="lineno"> 305</span>&#160; 3343,2151,1522,7174,7350,11041,2442,2148,5959,6492,8330,8945,5598,</div>
<div class="line"><a name="l00306"></a><span class="lineno"> 306</span>&#160; 3624,10397,1325,6565,1945,11260,10077,2674,3338,3276,11034,506,</div>
<div class="line"><a name="l00307"></a><span class="lineno"> 307</span>&#160; 6505,1392,5478,8778,1178,2776,3408,10347,11124,2575,9489,12096,</div>
<div class="line"><a name="l00308"></a><span class="lineno"> 308</span>&#160; 6092,10058,4167,6085,923,11251,11912,4578,10669,11914,425,10453,</div>
<div class="line"><a name="l00309"></a><span class="lineno"> 309</span>&#160; 392,10104,8464,4235,8761,7376,2291,3375,7954,8896,6617,7790,1737,</div>
<div class="line"><a name="l00310"></a><span class="lineno"> 310</span>&#160; 11667,3982,9342,6680,636,6825,7383,512,4670,2900,12050,7735,994,</div>
<div class="line"><a name="l00311"></a><span class="lineno"> 311</span>&#160; 1687,11883,7021,146,10485,1403,5189,6094,2483,2054,3042,10945,</div>
<div class="line"><a name="l00312"></a><span class="lineno"> 312</span>&#160; 3981,10821,11826,8882,8151,180,9600,7684,5219,10880,6780,204,</div>
<div class="line"><a name="l00313"></a><span class="lineno"> 313</span>&#160; 11232,2600,7584,3121,3017,11053,7814,7043,4251,4739,11063,6771,</div>
<div class="line"><a name="l00314"></a><span class="lineno"> 314</span>&#160; 7073,9261,2360,11925,1928,11825,8024,3678,3205,3359,11197,5209,</div>
<div class="line"><a name="l00315"></a><span class="lineno"> 315</span>&#160; 8581,3238,8840,1136,9363,1826,3171,4489,7885,346,2068,1389,8257,</div>
<div class="line"><a name="l00316"></a><span class="lineno"> 316</span>&#160; 3163,4840,6127,8062,8921,612,4238,10763,8067,125,11749,10125,5416,</div>
<div class="line"><a name="l00317"></a><span class="lineno"> 317</span>&#160; 2110,716,9839,10584,11475,11873,3448,343,1908,4538,10423,7078,</div>
<div class="line"><a name="l00318"></a><span class="lineno"> 318</span>&#160; 4727,1208,11572,3589,2982,1373,1721,10753,4103,2429,4209,5412,</div>
<div class="line"><a name="l00319"></a><span class="lineno"> 319</span>&#160; 5993,9011,438,3515,7228,1218,8347,5232,8682,1327,7508,4924,448,</div>
<div class="line"><a name="l00320"></a><span class="lineno"> 320</span>&#160; 1014,10029,12221,4566,5836,12229,2717,1535,3200,5588,5845,412,</div>
<div class="line"><a name="l00321"></a><span class="lineno"> 321</span>&#160; 5102,7326,3744,3056,2528,7406,8314,9202,6454,6613,1417,10032,7784,</div>
<div class="line"><a name="l00322"></a><span class="lineno"> 322</span>&#160; 1518,3765,4176,5063,9828,2275,6636,4267,6463,2065,7725,3495,8328,</div>
<div class="line"><a name="l00323"></a><span class="lineno"> 323</span>&#160; 8755,8144,10533,5966,12077,9175,9520,5596,6302,8400,579,6781,11014,</div>
<div class="line"><a name="l00324"></a><span class="lineno"> 324</span>&#160; 5734,11113,11164,4860,1131,10844,9068,8016,9694,3837,567,9348,7000,</div>
<div class="line"><a name="l00325"></a><span class="lineno"> 325</span>&#160; 6627,7699,5082,682,11309,5207,4050,7087,844,7434,3769,293,9057,</div>
<div class="line"><a name="l00326"></a><span class="lineno"> 326</span>&#160; 6940,9344,10883,2633,8190,3944,5530,5604,3480,2171,9282,11024,2213,</div>
<div class="line"><a name="l00327"></a><span class="lineno"> 327</span>&#160; 8136,3805,767,12239,216,11520,6763,10353,7,8566,845,7235,3154,4360,</div>
<div class="line"><a name="l00328"></a><span class="lineno"> 328</span>&#160; 3285,10268,2832,3572,1282,7559,3229,8360,10583,6105,3120,6643,6203,</div>
<div class="line"><a name="l00329"></a><span class="lineno"> 329</span>&#160; 8536,8348,6919,3536,9199,10891,11463,5043,1658,5618,8787,5789,4719,</div>
<div class="line"><a name="l00330"></a><span class="lineno"> 330</span>&#160; 751,11379,6389,10783,3065,7806,6586,2622,5386,510,7628,6921,578,</div>
<div class="line"><a name="l00331"></a><span class="lineno"> 331</span>&#160; 10345,11839,8929,4684,12226,7154,9916,7302,8481,3670,11066,2334,</div>
<div class="line"><a name="l00332"></a><span class="lineno"> 332</span>&#160; 1590,7878,10734,1802,1891,5103,6151,8820,3418,7846,9951,4693,417,</div>
<div class="line"><a name="l00333"></a><span class="lineno"> 333</span>&#160; 9996,9652,4510,2946,5461,365,881,1927,1015,11675,11009,1371,12265,</div>
<div class="line"><a name="l00334"></a><span class="lineno"> 334</span>&#160; 2485,11385,5039,6742,8449,1842,12217,8176,9577,4834,7937,9461,2643,</div>
<div class="line"><a name="l00335"></a><span class="lineno"> 335</span>&#160; 11194,3045,6508,4094,3451,7911,11048,5406,4665,3020,6616,11345,</div>
<div class="line"><a name="l00336"></a><span class="lineno"> 336</span>&#160; 7519,3669,5287,1790,7014,5410,11038,11249,2035,6125,10407,4565,</div>
<div class="line"><a name="l00337"></a><span class="lineno"> 337</span>&#160; 7315,5078,10506,2840,2478,9270,4194,9195,4518,7469,1160,6878,2730,</div>
<div class="line"><a name="l00338"></a><span class="lineno"> 338</span>&#160; 10421,10036,1734,3815,10939,5832,10595,10759,4423,8420,9617,7119,</div>
<div class="line"><a name="l00339"></a><span class="lineno"> 339</span>&#160; 11010,11424,9173,189,10080,10526,3466,10588,7592,3578,11511,7785,</div>
<div class="line"><a name="l00340"></a><span class="lineno"> 340</span>&#160; 9663,530,12150,8957,2532,3317,9349,10243,1481,9332,3454,3758,7899,</div>
<div class="line"><a name="l00341"></a><span class="lineno"> 341</span>&#160; 4218,2593,11410,2276,982,6513,1849,8494,9021,4523,7988,8,457,648,</div>
<div class="line"><a name="l00342"></a><span class="lineno"> 342</span>&#160; 150,8000,2307,2301,874,5650,170,9462,2873,9855,11498,2535,11169,</div>
<div class="line"><a name="l00343"></a><span class="lineno"> 343</span>&#160; 5808,12268,9687,1901,7171,11787,3846,1573,6063,3793,466,11259,</div>
<div class="line"><a name="l00344"></a><span class="lineno"> 344</span>&#160; 10608,3821,6320,4649,6263,2929</div>
<div class="line"><a name="l00345"></a><span class="lineno"> 345</span>&#160;};</div>
<div class="line"><a name="l00346"></a><span class="lineno"> 346</span>&#160;</div>
<div class="line"><a name="l00347"></a><span class="lineno"> 347</span>&#160;<span class="keyword">static</span> uint16_t <span class="keyword">const</span> psis_inv_montgomery[PARAM_N] PROGMEM = {</div>
<div class="line"><a name="l00348"></a><span class="lineno"> 348</span>&#160; 256,10570,1510,7238,1034,7170,6291,7921,11665,3422,4000,2327,</div>
<div class="line"><a name="l00349"></a><span class="lineno"> 349</span>&#160; 2088,5565,795,10647,1521,5484,2539,7385,1055,7173,8047,11683,</div>
<div class="line"><a name="l00350"></a><span class="lineno"> 350</span>&#160; 1669,1994,3796,5809,4341,9398,11876,12230,10525,12037,12253,</div>
<div class="line"><a name="l00351"></a><span class="lineno"> 351</span>&#160; 3506,4012,9351,4847,2448,7372,9831,3160,2207,5582,2553,7387,6322,</div>
<div class="line"><a name="l00352"></a><span class="lineno"> 352</span>&#160; 9681,1383,10731,1533,219,5298,4268,7632,6357,9686,8406,4712,9451,</div>
<div class="line"><a name="l00353"></a><span class="lineno"> 353</span>&#160; 10128,4958,5975,11387,8649,11769,6948,11526,12180,1740,10782,</div>
<div class="line"><a name="l00354"></a><span class="lineno"> 354</span>&#160; 6807,2728,7412,4570,4164,4106,11120,12122,8754,11784,3439,5758,</div>
<div class="line"><a name="l00355"></a><span class="lineno"> 355</span>&#160; 11356,6889,9762,11928,1704,1999,10819,12079,12259,7018,11536,</div>
<div class="line"><a name="l00356"></a><span class="lineno"> 356</span>&#160; 1648,1991,2040,2047,2048,10826,12080,8748,8272,8204,1172,1923,</div>
<div class="line"><a name="l00357"></a><span class="lineno"> 357</span>&#160; 7297,2798,7422,6327,4415,7653,6360,11442,12168,7005,8023,9924,</div>
<div class="line"><a name="l00358"></a><span class="lineno"> 358</span>&#160; 8440,8228,2931,7441,1063,3663,5790,9605,10150,1450,8985,11817,</div>
<div class="line"><a name="l00359"></a><span class="lineno"> 359</span>&#160; 10466,10273,12001,3470,7518,1074,1909,7295,9820,4914,702,5367,</div>
<div class="line"><a name="l00360"></a><span class="lineno"> 360</span>&#160; 7789,8135,9940,1420,3714,11064,12114,12264,1752,5517,9566,11900,</div>
<div class="line"><a name="l00361"></a><span class="lineno"> 361</span>&#160; 1700,3754,5803,829,1874,7290,2797,10933,5073,7747,8129,6428,</div>
<div class="line"><a name="l00362"></a><span class="lineno"> 362</span>&#160; 6185,11417,1631,233,5300,9535,10140,11982,8734,8270,2937,10953,</div>
<div class="line"><a name="l00363"></a><span class="lineno"> 363</span>&#160; 8587,8249,2934,9197,4825,5956,4362,9401,1343,3703,529,10609,</div>
<div class="line"><a name="l00364"></a><span class="lineno"> 364</span>&#160; 12049,6988,6265,895,3639,4031,4087,4095,585,10617,8539,4731,</div>
<div class="line"><a name="l00365"></a><span class="lineno"> 365</span>&#160; 4187,9376,3095,9220,10095,10220,1460,10742,12068,1724,5513,</div>
<div class="line"><a name="l00366"></a><span class="lineno"> 366</span>&#160; 11321,6884,2739,5658,6075,4379,11159,10372,8504,4726,9453,3106,</div>
<div class="line"><a name="l00367"></a><span class="lineno"> 367</span>&#160; 7466,11600,10435,8513,9994,8450,9985,3182,10988,8592,2983,9204,</div>
<div class="line"><a name="l00368"></a><span class="lineno"> 368</span>&#160; 4826,2445,5616,6069,867,3635,5786,11360,5134,2489,10889,12089,</div>
<div class="line"><a name="l00369"></a><span class="lineno"> 369</span>&#160; 1727,7269,2794,9177,1311,5454,9557,6632,2703,9164,10087,1441,</div>
<div class="line"><a name="l00370"></a><span class="lineno"> 370</span>&#160; 3717,531,3587,2268,324,5313,759,1864,5533,2546,7386,9833,8427,</div>
<div class="line"><a name="l00371"></a><span class="lineno"> 371</span>&#160; 4715,11207,1601,7251,4547,11183,12131,1733,10781,10318,1474,</div>
<div class="line"><a name="l00372"></a><span class="lineno"> 372</span>&#160; 10744,5046,4232,11138,10369,6748,964,7160,4534,7670,8118,8182,</div>
<div class="line"><a name="l00373"></a><span class="lineno"> 373</span>&#160; 4680,11202,6867,981,8918,1274,182,26,7026,8026,11680,12202,</div>
<div class="line"><a name="l00374"></a><span class="lineno"> 374</span>&#160; 10521,1503,7237,4545,5916,9623,8397,11733,10454,3249,9242,6587,</div>
<div class="line"><a name="l00375"></a><span class="lineno"> 375</span>&#160; 941,1890,270,10572,6777,9746,6659,6218,6155,6146,878,1881,7291,</div>
<div class="line"><a name="l00376"></a><span class="lineno"> 376</span>&#160; 11575,12187,1741,7271,8061,11685,6936,4502,9421,4857,4205,7623,</div>
<div class="line"><a name="l00377"></a><span class="lineno"> 377</span>&#160; 1089,10689,1527,8996,10063,11971,10488,6765,2722,3900,9335,11867,</div>
<div class="line"><a name="l00378"></a><span class="lineno"> 378</span>&#160; 6962,11528,5158,4248,4118,5855,2592,5637,6072,2623,7397,8079,</div>
<div class="line"><a name="l00379"></a><span class="lineno"> 379</span>&#160; 9932,4930,5971,853,3633,519,8852,11798,3441,11025,1575,225,8810,</div>
<div class="line"><a name="l00380"></a><span class="lineno"> 380</span>&#160; 11792,12218,3501,9278,3081,9218,4828,7712,8124,11694,12204,3499,</div>
<div class="line"><a name="l00381"></a><span class="lineno"> 381</span>&#160; 4011,573,3593,5780,7848,9899,10192,1456,208,7052,2763,7417,11593,</div>
<div class="line"><a name="l00382"></a><span class="lineno"> 382</span>&#160; 10434,12024,8740,11782,10461,3250,5731,7841,9898,1414,202,3540,</div>
<div class="line"><a name="l00383"></a><span class="lineno"> 383</span>&#160; 7528,2831,2160,10842,5060,4234,4116,588,84,12,7024,2759,9172,6577,</div>
<div class="line"><a name="l00384"></a><span class="lineno"> 384</span>&#160; 11473,1639,9012,3043,7457,6332,11438,1634,1989,9062,11828,8712,</div>
<div class="line"><a name="l00385"></a><span class="lineno"> 385</span>&#160; 11778,12216,10523,6770,9745,10170,4964,9487,6622,946,8913,6540,</div>
<div class="line"><a name="l00386"></a><span class="lineno"> 386</span>&#160; 6201,4397,9406,8366,9973,8447,8229,11709,8695,10020,3187,5722,</div>
<div class="line"><a name="l00387"></a><span class="lineno"> 387</span>&#160; 2573,10901,6824,4486,4152,9371,8361,2950,2177,311,1800,9035,</div>
<div class="line"><a name="l00388"></a><span class="lineno"> 388</span>&#160; 8313,11721,3430,490,70,10,1757,251,3547,7529,11609,3414,7510,</div>
<div class="line"><a name="l00389"></a><span class="lineno"> 389</span>&#160; 4584,4166,9373,1339,5458,7802,11648,1664,7260,9815,10180,6721,</div>
<div class="line"><a name="l00390"></a><span class="lineno"> 390</span>&#160; 9738,10169,8475,8233,9954,1422,8981,1283,5450,11312,1616,3742,</div>
<div class="line"><a name="l00391"></a><span class="lineno"> 391</span>&#160; 11068,10359,4991,713,3613,9294,8350,4704,672,96,7036,9783,11931,</div>
<div class="line"><a name="l00392"></a><span class="lineno"> 392</span>&#160; 3460,5761,823,10651,12055,10500,1500,5481,783,3623,11051,8601,</div>
<div class="line"><a name="l00393"></a><span class="lineno"> 393</span>&#160; 8251,8201,11705,10450,5004,4226,7626,2845,2162,3820,7568,9859,</div>
<div class="line"><a name="l00394"></a><span class="lineno"> 394</span>&#160; 3164,452,10598,1514,5483,6050,6131,4387,7649,8115,6426,918,8909,</div>
<div class="line"><a name="l00395"></a><span class="lineno"> 395</span>&#160; 8295,1185,5436,11310,8638,1234,5443,11311,5127,2488,2111,10835,</div>
<div class="line"><a name="l00396"></a><span class="lineno"> 396</span>&#160; 5059,7745,2862,3920,560,80,1767,2008,3798,11076,6849,2734,10924,</div>
<div class="line"><a name="l00397"></a><span class="lineno"> 397</span>&#160; 12094,8750,1250,10712,6797,971,7161,1023,8924,4786,7706,4612,4170,</div>
<div class="line"><a name="l00398"></a><span class="lineno"> 398</span>&#160; 7618,6355,4419,5898,11376,10403,10264,6733,4473,639,5358,2521,</div>
<div class="line"><a name="l00399"></a><span class="lineno"> 399</span>&#160; 9138,3061,5704,4326,618,5355,765,5376,768,7132,4530,9425,3102,</div>
<div class="line"><a name="l00400"></a><span class="lineno"> 400</span>&#160; 9221,6584,11474,10417,10266,12000,6981,6264,4406,2385,7363,4563,</div>
<div class="line"><a name="l00401"></a><span class="lineno"> 401</span>&#160; 4163,7617,9866,3165,9230,11852,10471,5007,5982,11388,5138,734,</div>
<div class="line"><a name="l00402"></a><span class="lineno"> 402</span>&#160; 3616,11050,12112,6997,11533,12181,10518,12036,3475,2252,7344,</div>
<div class="line"><a name="l00403"></a><span class="lineno"> 403</span>&#160; 9827,4915,9480,6621,4457,7659,9872,6677,4465,4149,7615,4599,657,</div>
<div class="line"><a name="l00404"></a><span class="lineno"> 404</span>&#160; 3605,515,10607,6782,4480,640,1847,3775,5806,2585,5636,9583,1369,</div>
<div class="line"><a name="l00405"></a><span class="lineno"> 405</span>&#160; 10729,8555,10000,11962,5220,7768,8132,8184,9947,1421,203,29,8782,</div>
<div class="line"><a name="l00406"></a><span class="lineno"> 406</span>&#160; 11788,1684,10774,10317,4985,9490,8378,4708,11206,5112,5997,7879,</div>
<div class="line"><a name="l00407"></a><span class="lineno"> 407</span>&#160; 11659,12199,8765,10030,4944,5973,6120,6141,6144,7900,11662,1666,</div>
<div class="line"><a name="l00408"></a><span class="lineno"> 408</span>&#160; 238,34,3516,5769,9602,8394,9977,6692,956,10670,6791,9748,11926,</div>
<div class="line"><a name="l00409"></a><span class="lineno"> 409</span>&#160; 8726,11780,5194,742,106,8793,10034,3189,10989,5081,4237,5872,4350,</div>
<div class="line"><a name="l00410"></a><span class="lineno"> 410</span>&#160; 2377,10873,6820,6241,11425,10410,10265,3222,5727,9596,4882,2453,</div>
<div class="line"><a name="l00411"></a><span class="lineno"> 411</span>&#160; 2106,3812,11078,12116,5242,4260,11142,8614,11764,12214,5256,4262,</div>
<div class="line"><a name="l00412"></a><span class="lineno"> 412</span>&#160; 4120,11122,5100,11262,5120,2487,5622,9581,8391,8221,2930,10952,</div>
<div class="line"><a name="l00413"></a><span class="lineno"> 413</span>&#160; 12098,6995,6266,9673,4893,699,3611,4027,5842,11368,1624,232,8811,</div>
<div class="line"><a name="l00414"></a><span class="lineno"> 414</span>&#160; 8281,1183,169,8802,3013,2186,5579,797,3625,4029,11109,1587,7249,</div>
<div class="line"><a name="l00415"></a><span class="lineno"> 415</span>&#160; 11569,8675,6506,2685,10917,12093,12261,12285,1755,7273,1039,1904,</div>
<div class="line"><a name="l00416"></a><span class="lineno"> 416</span>&#160; 272,3550,9285,3082,5707,6082,4380,7648,11626,5172,4250,9385,8363,</div>
<div class="line"><a name="l00417"></a><span class="lineno"> 417</span>&#160; 8217,4685,5936,848,8899,6538,934,1889,3781,9318,10109,10222,6727,</div>
<div class="line"><a name="l00418"></a><span class="lineno"> 418</span>&#160; 961,5404,772,5377,9546,8386,1198,8949,3034,2189,7335,4559,5918,2601,</div>
<div class="line"><a name="l00419"></a><span class="lineno"> 419</span>&#160; 10905,5069,9502,3113,7467,8089,11689,5181,9518,8382,2953,3933,4073,</div>
<div class="line"><a name="l00420"></a><span class="lineno"> 420</span>&#160; 4093,7607,8109,2914,5683,4323,11151,1593,10761,6804,972,3650,2277,</div>
<div class="line"><a name="l00421"></a><span class="lineno"> 421</span>&#160; 5592,4310,7638,9869,4921,703,1856,9043,4803,9464,1352,8971,11815,</div>
<div class="line"><a name="l00422"></a><span class="lineno"> 422</span>&#160; 5199,7765,6376,4422,7654,2849,407,8836,6529,7955,2892,9191,1313,</div>
<div class="line"><a name="l00423"></a><span class="lineno"> 423</span>&#160; 10721,12065,12257,1751,9028,8312,2943,2176,3822,546,78,8789,11789,</div>
<div class="line"><a name="l00424"></a><span class="lineno"> 424</span>&#160; 10462,12028,6985,4509,9422,1346,5459,4291,613,10621,6784,9747,3148,</div>
<div class="line"><a name="l00425"></a><span class="lineno"> 425</span>&#160; 7472,2823,5670,810,7138,8042,4660,7688,6365,6176,6149,2634,5643,</div>
<div class="line"><a name="l00426"></a><span class="lineno"> 426</span>&#160; 9584,10147,11983,5223,9524,11894,10477,8519,1217,3685,2282,326,</div>
<div class="line"><a name="l00427"></a><span class="lineno"> 427</span>&#160; 10580,3267,7489,4581,2410,5611,11335,6886,8006,8166,11700,3427,</div>
<div class="line"><a name="l00428"></a><span class="lineno"> 428</span>&#160; 11023,8597,10006,3185,455,65,5276,7776,4622,5927,7869,9902,11948,</div>
<div class="line"><a name="l00429"></a><span class="lineno"> 429</span>&#160; 5218,2501,5624,2559,10899,1557,1978,10816,10323,8497,4725,675,1852,</div>
<div class="line"><a name="l00430"></a><span class="lineno"> 430</span>&#160; 10798,12076,10503,3256,9243,3076,2195,10847,12083,10504,12034,10497</div>
<div class="line"><a name="l00431"></a><span class="lineno"> 431</span>&#160;};</div>
<div class="line"><a name="l00432"></a><span class="lineno"> 432</span>&#160;</div>
<div class="line"><a name="l00433"></a><span class="lineno"> 433</span>&#160;<span class="keyword">static</span> uint16_t <span class="keyword">const</span> bitrev_table[PARAM_N] PROGMEM = {</div>
<div class="line"><a name="l00434"></a><span class="lineno"> 434</span>&#160; 0,512,256,768,128,640,384,896,64,576,320,832,192,704,448,960,32,544,288,800,160,672,416,928,96,608,352,864,224,736,480,992,</div>
<div class="line"><a name="l00435"></a><span class="lineno"> 435</span>&#160; 16,528,272,784,144,656,400,912,80,592,336,848,208,720,464,976,48,560,304,816,176,688,432,944,112,624,368,880,240,752,496,1008,</div>
<div class="line"><a name="l00436"></a><span class="lineno"> 436</span>&#160; 8,520,264,776,136,648,392,904,72,584,328,840,200,712,456,968,40,552,296,808,168,680,424,936,104,616,360,872,232,744,488,1000,</div>
<div class="line"><a name="l00437"></a><span class="lineno"> 437</span>&#160; 24,536,280,792,152,664,408,920,88,600,344,856,216,728,472,984,56,568,312,824,184,696,440,952,120,632,376,888,248,760,504,1016,</div>
<div class="line"><a name="l00438"></a><span class="lineno"> 438</span>&#160; 4,516,260,772,132,644,388,900,68,580,324,836,196,708,452,964,36,548,292,804,164,676,420,932,100,612,356,868,228,740,484,996,</div>
<div class="line"><a name="l00439"></a><span class="lineno"> 439</span>&#160; 20,532,276,788,148,660,404,916,84,596,340,852,212,724,468,980,52,564,308,820,180,692,436,948,116,628,372,884,244,756,500,1012,</div>
<div class="line"><a name="l00440"></a><span class="lineno"> 440</span>&#160; 12,524,268,780,140,652,396,908,76,588,332,844,204,716,460,972,44,556,300,812,172,684,428,940,108,620,364,876,236,748,492,1004,</div>
<div class="line"><a name="l00441"></a><span class="lineno"> 441</span>&#160; 28,540,284,796,156,668,412,924,92,604,348,860,220,732,476,988,60,572,316,828,188,700,444,956,124,636,380,892,252,764,508,1020,</div>
<div class="line"><a name="l00442"></a><span class="lineno"> 442</span>&#160; 2,514,258,770,130,642,386,898,66,578,322,834,194,706,450,962,34,546,290,802,162,674,418,930,98,610,354,866,226,738,482,994,</div>
<div class="line"><a name="l00443"></a><span class="lineno"> 443</span>&#160; 18,530,274,786,146,658,402,914,82,594,338,850,210,722,466,978,50,562,306,818,178,690,434,946,114,626,370,882,242,754,498,1010,</div>
<div class="line"><a name="l00444"></a><span class="lineno"> 444</span>&#160; 10,522,266,778,138,650,394,906,74,586,330,842,202,714,458,970,42,554,298,810,170,682,426,938,106,618,362,874,234,746,490,1002,</div>
<div class="line"><a name="l00445"></a><span class="lineno"> 445</span>&#160; 26,538,282,794,154,666,410,922,90,602,346,858,218,730,474,986,58,570,314,826,186,698,442,954,122,634,378,890,250,762,506,1018,</div>
<div class="line"><a name="l00446"></a><span class="lineno"> 446</span>&#160; 6,518,262,774,134,646,390,902,70,582,326,838,198,710,454,966,38,550,294,806,166,678,422,934,102,614,358,870,230,742,486,998,</div>
<div class="line"><a name="l00447"></a><span class="lineno"> 447</span>&#160; 22,534,278,790,150,662,406,918,86,598,342,854,214,726,470,982,54,566,310,822,182,694,438,950,118,630,374,886,246,758,502,1014,</div>
<div class="line"><a name="l00448"></a><span class="lineno"> 448</span>&#160; 14,526,270,782,142,654,398,910,78,590,334,846,206,718,462,974,46,558,302,814,174,686,430,942,110,622,366,878,238,750,494,1006,</div>
<div class="line"><a name="l00449"></a><span class="lineno"> 449</span>&#160; 30,542,286,798,158,670,414,926,94,606,350,862,222,734,478,990,62,574,318,830,190,702,446,958,126,638,382,894,254,766,510,1022,</div>
<div class="line"><a name="l00450"></a><span class="lineno"> 450</span>&#160; 1,513,257,769,129,641,385,897,65,577,321,833,193,705,449,961,33,545,289,801,161,673,417,929,97,609,353,865,225,737,481,993,</div>
<div class="line"><a name="l00451"></a><span class="lineno"> 451</span>&#160; 17,529,273,785,145,657,401,913,81,593,337,849,209,721,465,977,49,561,305,817,177,689,433,945,113,625,369,881,241,753,497,1009,</div>
<div class="line"><a name="l00452"></a><span class="lineno"> 452</span>&#160; 9,521,265,777,137,649,393,905,73,585,329,841,201,713,457,969,41,553,297,809,169,681,425,937,105,617,361,873,233,745,489,1001,</div>
<div class="line"><a name="l00453"></a><span class="lineno"> 453</span>&#160; 25,537,281,793,153,665,409,921,89,601,345,857,217,729,473,985,57,569,313,825,185,697,441,953,121,633,377,889,249,761,505,1017,</div>
<div class="line"><a name="l00454"></a><span class="lineno"> 454</span>&#160; 5,517,261,773,133,645,389,901,69,581,325,837,197,709,453,965,37,549,293,805,165,677,421,933,101,613,357,869,229,741,485,997,</div>
<div class="line"><a name="l00455"></a><span class="lineno"> 455</span>&#160; 21,533,277,789,149,661,405,917,85,597,341,853,213,725,469,981,53,565,309,821,181,693,437,949,117,629,373,885,245,757,501,1013,</div>
<div class="line"><a name="l00456"></a><span class="lineno"> 456</span>&#160; 13,525,269,781,141,653,397,909,77,589,333,845,205,717,461,973,45,557,301,813,173,685,429,941,109,621,365,877,237,749,493,1005,</div>
<div class="line"><a name="l00457"></a><span class="lineno"> 457</span>&#160; 29,541,285,797,157,669,413,925,93,605,349,861,221,733,477,989,61,573,317,829,189,701,445,957,125,637,381,893,253,765,509,1021,</div>
<div class="line"><a name="l00458"></a><span class="lineno"> 458</span>&#160; 3,515,259,771,131,643,387,899,67,579,323,835,195,707,451,963,35,547,291,803,163,675,419,931,99,611,355,867,227,739,483,995,</div>
<div class="line"><a name="l00459"></a><span class="lineno"> 459</span>&#160; 19,531,275,787,147,659,403,915,83,595,339,851,211,723,467,979,51,563,307,819,179,691,435,947,115,627,371,883,243,755,499,1011,</div>
<div class="line"><a name="l00460"></a><span class="lineno"> 460</span>&#160; 11,523,267,779,139,651,395,907,75,587,331,843,203,715,459,971,43,555,299,811,171,683,427,939,107,619,363,875,235,747,491,1003,</div>
<div class="line"><a name="l00461"></a><span class="lineno"> 461</span>&#160; 27,539,283,795,155,667,411,923,91,603,347,859,219,731,475,987,59,571,315,827,187,699,443,955,123,635,379,891,251,763,507,1019,</div>
<div class="line"><a name="l00462"></a><span class="lineno"> 462</span>&#160; 7,519,263,775,135,647,391,903,71,583,327,839,199,711,455,967,39,551,295,807,167,679,423,935,103,615,359,871,231,743,487,999,</div>
<div class="line"><a name="l00463"></a><span class="lineno"> 463</span>&#160; 23,535,279,791,151,663,407,919,87,599,343,855,215,727,471,983,55,567,311,823,183,695,439,951,119,631,375,887,247,759,503,1015,</div>
<div class="line"><a name="l00464"></a><span class="lineno"> 464</span>&#160; 15,527,271,783,143,655,399,911,79,591,335,847,207,719,463,975,47,559,303,815,175,687,431,943,111,623,367,879,239,751,495,1007,</div>
<div class="line"><a name="l00465"></a><span class="lineno"> 465</span>&#160; 31,543,287,799,159,671,415,927,95,607,351,863,223,735,479,991,63,575,319,831,191,703,447,959,127,639,383,895,255,767,511,1023</div>
<div class="line"><a name="l00466"></a><span class="lineno"> 466</span>&#160;};</div>
<div class="line"><a name="l00467"></a><span class="lineno"> 467</span>&#160;</div>
<div class="line"><a name="l00468"></a><span class="lineno"> 468</span>&#160;<span class="comment">/* Incomplete-reduction routines; for details on allowed input ranges</span></div>
<div class="line"><a name="l00469"></a><span class="lineno"> 469</span>&#160;<span class="comment"> * and produced output ranges, see the description in the paper: </span></div>
<div class="line"><a name="l00470"></a><span class="lineno"> 470</span>&#160;<span class="comment"> * https://cryptojedi.org/papers/#newhope */</span></div>
<div class="line"><a name="l00471"></a><span class="lineno"> 471</span>&#160;</div>
<div class="line"><a name="l00472"></a><span class="lineno"> 472</span>&#160;<span class="preprocessor">#define qinv 12287 // -inverse_mod(p,2^18)</span></div>
<div class="line"><a name="l00473"></a><span class="lineno"> 473</span>&#160;<span class="preprocessor"></span><span class="preprocessor">#define rlog 18</span></div>
<div class="line"><a name="l00474"></a><span class="lineno"> 474</span>&#160;<span class="preprocessor"></span></div>
<div class="line"><a name="l00475"></a><span class="lineno"> 475</span>&#160;<span class="keyword">inline</span> uint16_t montgomery_reduce(uint32_t a)</div>
<div class="line"><a name="l00476"></a><span class="lineno"> 476</span>&#160;{</div>
<div class="line"><a name="l00477"></a><span class="lineno"> 477</span>&#160; uint32_t u;</div>
<div class="line"><a name="l00478"></a><span class="lineno"> 478</span>&#160;</div>
<div class="line"><a name="l00479"></a><span class="lineno"> 479</span>&#160; u = (a * qinv);</div>
<div class="line"><a name="l00480"></a><span class="lineno"> 480</span>&#160; u &amp;= ((((uint32_t)1)&lt;&lt;rlog)-1);</div>
<div class="line"><a name="l00481"></a><span class="lineno"> 481</span>&#160; u *= PARAM_Q;</div>
<div class="line"><a name="l00482"></a><span class="lineno"> 482</span>&#160; a = a + u;</div>
<div class="line"><a name="l00483"></a><span class="lineno"> 483</span>&#160; <span class="keywordflow">return</span> a &gt;&gt; 18;</div>
<div class="line"><a name="l00484"></a><span class="lineno"> 484</span>&#160;}</div>
<div class="line"><a name="l00485"></a><span class="lineno"> 485</span>&#160;</div>
<div class="line"><a name="l00486"></a><span class="lineno"> 486</span>&#160;<span class="keyword">inline</span> uint16_t barrett_reduce(uint16_t a)</div>
<div class="line"><a name="l00487"></a><span class="lineno"> 487</span>&#160;{</div>
<div class="line"><a name="l00488"></a><span class="lineno"> 488</span>&#160; uint32_t u;</div>
<div class="line"><a name="l00489"></a><span class="lineno"> 489</span>&#160;</div>
<div class="line"><a name="l00490"></a><span class="lineno"> 490</span>&#160; u = ((uint32_t) a * 5) &gt;&gt; 16;</div>
<div class="line"><a name="l00491"></a><span class="lineno"> 491</span>&#160; u *= PARAM_Q;</div>
<div class="line"><a name="l00492"></a><span class="lineno"> 492</span>&#160; a -= u;</div>
<div class="line"><a name="l00493"></a><span class="lineno"> 493</span>&#160; <span class="keywordflow">return</span> a;</div>
<div class="line"><a name="l00494"></a><span class="lineno"> 494</span>&#160;}</div>
<div class="line"><a name="l00495"></a><span class="lineno"> 495</span>&#160;</div>
<div class="line"><a name="l00496"></a><span class="lineno"> 496</span>&#160;<span class="keyword">static</span> <span class="keywordtype">void</span> bitrev_vector(uint16_t* poly)</div>
<div class="line"><a name="l00497"></a><span class="lineno"> 497</span>&#160;{</div>
<div class="line"><a name="l00498"></a><span class="lineno"> 498</span>&#160; <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> i,r;</div>
<div class="line"><a name="l00499"></a><span class="lineno"> 499</span>&#160; uint16_t tmp;</div>
<div class="line"><a name="l00500"></a><span class="lineno"> 500</span>&#160;</div>
<div class="line"><a name="l00501"></a><span class="lineno"> 501</span>&#160; <span class="keywordflow">for</span>(i = 0; i &lt; PARAM_N; i++)</div>
<div class="line"><a name="l00502"></a><span class="lineno"> 502</span>&#160; {</div>
<div class="line"><a name="l00503"></a><span class="lineno"> 503</span>&#160; r = table_read(bitrev_table,i);</div>
<div class="line"><a name="l00504"></a><span class="lineno"> 504</span>&#160; <span class="keywordflow">if</span> (i &lt; r)</div>
<div class="line"><a name="l00505"></a><span class="lineno"> 505</span>&#160; {</div>
<div class="line"><a name="l00506"></a><span class="lineno"> 506</span>&#160; tmp = poly[i];</div>
<div class="line"><a name="l00507"></a><span class="lineno"> 507</span>&#160; poly[i] = poly[r];</div>
<div class="line"><a name="l00508"></a><span class="lineno"> 508</span>&#160; poly[r] = tmp;</div>
<div class="line"><a name="l00509"></a><span class="lineno"> 509</span>&#160; }</div>
<div class="line"><a name="l00510"></a><span class="lineno"> 510</span>&#160; }</div>
<div class="line"><a name="l00511"></a><span class="lineno"> 511</span>&#160;}</div>
<div class="line"><a name="l00512"></a><span class="lineno"> 512</span>&#160;</div>
<div class="line"><a name="l00513"></a><span class="lineno"> 513</span>&#160;<span class="keyword">static</span> <span class="keywordtype">void</span> mul_coefficients(uint16_t* poly, <span class="keyword">const</span> uint16_t* factors)</div>
<div class="line"><a name="l00514"></a><span class="lineno"> 514</span>&#160;{</div>
<div class="line"><a name="l00515"></a><span class="lineno"> 515</span>&#160; <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> i;</div>
<div class="line"><a name="l00516"></a><span class="lineno"> 516</span>&#160;</div>
<div class="line"><a name="l00517"></a><span class="lineno"> 517</span>&#160; <span class="keywordflow">for</span>(i = 0; i &lt; PARAM_N; i++)</div>
<div class="line"><a name="l00518"></a><span class="lineno"> 518</span>&#160; poly[i] = montgomery_reduce((poly[i] * (uint32_t)table_read(factors,i)));</div>
<div class="line"><a name="l00519"></a><span class="lineno"> 519</span>&#160;}</div>
<div class="line"><a name="l00520"></a><span class="lineno"> 520</span>&#160;</div>
<div class="line"><a name="l00521"></a><span class="lineno"> 521</span>&#160;<span class="comment">/* GS_bo_to_no; omegas need to be in Montgomery domain */</span></div>
<div class="line"><a name="l00522"></a><span class="lineno"> 522</span>&#160;<span class="keyword">static</span> <span class="keywordtype">void</span> ntt(uint16_t * a, <span class="keyword">const</span> uint16_t* omega)</div>
<div class="line"><a name="l00523"></a><span class="lineno"> 523</span>&#160;{</div>
<div class="line"><a name="l00524"></a><span class="lineno"> 524</span>&#160; <span class="keywordtype">int</span> i, start, j, jTwiddle, distance;</div>
<div class="line"><a name="l00525"></a><span class="lineno"> 525</span>&#160; uint16_t temp, W;</div>
<div class="line"><a name="l00526"></a><span class="lineno"> 526</span>&#160;</div>
<div class="line"><a name="l00527"></a><span class="lineno"> 527</span>&#160;</div>
<div class="line"><a name="l00528"></a><span class="lineno"> 528</span>&#160; <span class="keywordflow">for</span>(i=0;i&lt;10;i+=2)</div>
<div class="line"><a name="l00529"></a><span class="lineno"> 529</span>&#160; {</div>
<div class="line"><a name="l00530"></a><span class="lineno"> 530</span>&#160; <span class="comment">// Even level</span></div>
<div class="line"><a name="l00531"></a><span class="lineno"> 531</span>&#160; distance = (1&lt;&lt;i);</div>
<div class="line"><a name="l00532"></a><span class="lineno"> 532</span>&#160; <span class="keywordflow">for</span>(start = 0; start &lt; distance;start++)</div>
<div class="line"><a name="l00533"></a><span class="lineno"> 533</span>&#160; {</div>
<div class="line"><a name="l00534"></a><span class="lineno"> 534</span>&#160; jTwiddle = 0;</div>
<div class="line"><a name="l00535"></a><span class="lineno"> 535</span>&#160; <span class="keywordflow">for</span>(j=start;j&lt;PARAM_N-1;j+=2*distance)</div>
<div class="line"><a name="l00536"></a><span class="lineno"> 536</span>&#160; {</div>
<div class="line"><a name="l00537"></a><span class="lineno"> 537</span>&#160; W = table_read(omega,jTwiddle++);</div>
<div class="line"><a name="l00538"></a><span class="lineno"> 538</span>&#160; temp = a[j];</div>
<div class="line"><a name="l00539"></a><span class="lineno"> 539</span>&#160; a[j] = (temp + a[j + distance]); <span class="comment">// Omit reduction (be lazy)</span></div>
<div class="line"><a name="l00540"></a><span class="lineno"> 540</span>&#160; a[j + distance] = montgomery_reduce((W * ((uint32_t)temp + 3*PARAM_Q - a[j + distance])));</div>
<div class="line"><a name="l00541"></a><span class="lineno"> 541</span>&#160; }</div>
<div class="line"><a name="l00542"></a><span class="lineno"> 542</span>&#160; }</div>
<div class="line"><a name="l00543"></a><span class="lineno"> 543</span>&#160;</div>
<div class="line"><a name="l00544"></a><span class="lineno"> 544</span>&#160; <span class="comment">// Odd level</span></div>
<div class="line"><a name="l00545"></a><span class="lineno"> 545</span>&#160; distance &lt;&lt;= 1;</div>
<div class="line"><a name="l00546"></a><span class="lineno"> 546</span>&#160; <span class="keywordflow">for</span>(start = 0; start &lt; distance;start++)</div>
<div class="line"><a name="l00547"></a><span class="lineno"> 547</span>&#160; {</div>
<div class="line"><a name="l00548"></a><span class="lineno"> 548</span>&#160; jTwiddle = 0;</div>
<div class="line"><a name="l00549"></a><span class="lineno"> 549</span>&#160; <span class="keywordflow">for</span>(j=start;j&lt;PARAM_N-1;j+=2*distance)</div>
<div class="line"><a name="l00550"></a><span class="lineno"> 550</span>&#160; {</div>
<div class="line"><a name="l00551"></a><span class="lineno"> 551</span>&#160; W = table_read(omega,jTwiddle++);</div>
<div class="line"><a name="l00552"></a><span class="lineno"> 552</span>&#160; temp = a[j];</div>
<div class="line"><a name="l00553"></a><span class="lineno"> 553</span>&#160; a[j] = barrett_reduce((temp + a[j + distance]));</div>
<div class="line"><a name="l00554"></a><span class="lineno"> 554</span>&#160; a[j + distance] = montgomery_reduce((W * ((uint32_t)temp + 3*PARAM_Q - a[j + distance])));</div>
<div class="line"><a name="l00555"></a><span class="lineno"> 555</span>&#160; }</div>
<div class="line"><a name="l00556"></a><span class="lineno"> 556</span>&#160; }</div>
<div class="line"><a name="l00557"></a><span class="lineno"> 557</span>&#160; }</div>
<div class="line"><a name="l00558"></a><span class="lineno"> 558</span>&#160;}</div>
<div class="line"><a name="l00559"></a><span class="lineno"> 559</span>&#160;</div>
<div class="line"><a name="l00560"></a><span class="lineno"> 560</span>&#160;<span class="keyword">static</span> int32_t abs(int32_t v)</div>
<div class="line"><a name="l00561"></a><span class="lineno"> 561</span>&#160;{</div>
<div class="line"><a name="l00562"></a><span class="lineno"> 562</span>&#160; int32_t mask = v &gt;&gt; 31;</div>
<div class="line"><a name="l00563"></a><span class="lineno"> 563</span>&#160; <span class="keywordflow">return</span> (v ^ mask) - mask;</div>
<div class="line"><a name="l00564"></a><span class="lineno"> 564</span>&#160;}</div>
<div class="line"><a name="l00565"></a><span class="lineno"> 565</span>&#160;</div>
<div class="line"><a name="l00566"></a><span class="lineno"> 566</span>&#160;<span class="keyword">static</span> int32_t f(int32_t *v0, int32_t *v1, uint32_t x)</div>
<div class="line"><a name="l00567"></a><span class="lineno"> 567</span>&#160;{</div>
<div class="line"><a name="l00568"></a><span class="lineno"> 568</span>&#160; int32_t xit, t, r, b;</div>
<div class="line"><a name="l00569"></a><span class="lineno"> 569</span>&#160; </div>
<div class="line"><a name="l00570"></a><span class="lineno"> 570</span>&#160; <span class="comment">// Next 6 lines compute t = x/PARAM_Q;</span></div>
<div class="line"><a name="l00571"></a><span class="lineno"> 571</span>&#160; b = x*2730;</div>
<div class="line"><a name="l00572"></a><span class="lineno"> 572</span>&#160; t = b &gt;&gt; 25;</div>
<div class="line"><a name="l00573"></a><span class="lineno"> 573</span>&#160; b = x - t*12289;</div>
<div class="line"><a name="l00574"></a><span class="lineno"> 574</span>&#160; b = 12288 - b;</div>
<div class="line"><a name="l00575"></a><span class="lineno"> 575</span>&#160; b &gt;&gt;= 31;</div>
<div class="line"><a name="l00576"></a><span class="lineno"> 576</span>&#160; t -= b;</div>
<div class="line"><a name="l00577"></a><span class="lineno"> 577</span>&#160;</div>
<div class="line"><a name="l00578"></a><span class="lineno"> 578</span>&#160; r = t &amp; 1;</div>
<div class="line"><a name="l00579"></a><span class="lineno"> 579</span>&#160; xit = (t&gt;&gt;1);</div>
<div class="line"><a name="l00580"></a><span class="lineno"> 580</span>&#160; *v0 = xit+r; <span class="comment">// v0 = round(x/(2*PARAM_Q))</span></div>
<div class="line"><a name="l00581"></a><span class="lineno"> 581</span>&#160;</div>
<div class="line"><a name="l00582"></a><span class="lineno"> 582</span>&#160; t -= 1;</div>
<div class="line"><a name="l00583"></a><span class="lineno"> 583</span>&#160; r = t &amp; 1;</div>
<div class="line"><a name="l00584"></a><span class="lineno"> 584</span>&#160; *v1 = (t&gt;&gt;1)+r;</div>
<div class="line"><a name="l00585"></a><span class="lineno"> 585</span>&#160;</div>
<div class="line"><a name="l00586"></a><span class="lineno"> 586</span>&#160; <span class="keywordflow">return</span> abs(x-((*v0)*2*PARAM_Q));</div>
<div class="line"><a name="l00587"></a><span class="lineno"> 587</span>&#160;}</div>
<div class="line"><a name="l00588"></a><span class="lineno"> 588</span>&#160;</div>
<div class="line"><a name="l00589"></a><span class="lineno"> 589</span>&#160;<span class="keyword">static</span> int32_t g(int32_t x)</div>
<div class="line"><a name="l00590"></a><span class="lineno"> 590</span>&#160;{</div>
<div class="line"><a name="l00591"></a><span class="lineno"> 591</span>&#160; int32_t t,c,b;</div>
<div class="line"><a name="l00592"></a><span class="lineno"> 592</span>&#160;</div>
<div class="line"><a name="l00593"></a><span class="lineno"> 593</span>&#160; <span class="comment">// Next 6 lines compute t = x/(4*PARAM_Q);</span></div>
<div class="line"><a name="l00594"></a><span class="lineno"> 594</span>&#160; b = x*2730;</div>
<div class="line"><a name="l00595"></a><span class="lineno"> 595</span>&#160; t = b &gt;&gt; 27;</div>
<div class="line"><a name="l00596"></a><span class="lineno"> 596</span>&#160; b = x - t*49156;</div>
<div class="line"><a name="l00597"></a><span class="lineno"> 597</span>&#160; b = 49155 - b;</div>
<div class="line"><a name="l00598"></a><span class="lineno"> 598</span>&#160; b &gt;&gt;= 31;</div>
<div class="line"><a name="l00599"></a><span class="lineno"> 599</span>&#160; t -= b;</div>
<div class="line"><a name="l00600"></a><span class="lineno"> 600</span>&#160;</div>
<div class="line"><a name="l00601"></a><span class="lineno"> 601</span>&#160; c = t &amp; 1;</div>
<div class="line"><a name="l00602"></a><span class="lineno"> 602</span>&#160; t = (t &gt;&gt; 1) + c; <span class="comment">// t = round(x/(8*PARAM_Q))</span></div>
<div class="line"><a name="l00603"></a><span class="lineno"> 603</span>&#160;</div>
<div class="line"><a name="l00604"></a><span class="lineno"> 604</span>&#160; t *= 8*PARAM_Q;</div>
<div class="line"><a name="l00605"></a><span class="lineno"> 605</span>&#160;</div>
<div class="line"><a name="l00606"></a><span class="lineno"> 606</span>&#160; <span class="keywordflow">return</span> abs(t - x);</div>
<div class="line"><a name="l00607"></a><span class="lineno"> 607</span>&#160;}</div>
<div class="line"><a name="l00608"></a><span class="lineno"> 608</span>&#160;</div>
<div class="line"><a name="l00609"></a><span class="lineno"> 609</span>&#160;<span class="keyword">static</span> int16_t LDDecode(int32_t xi0, int32_t xi1, int32_t xi2, int32_t xi3)</div>
<div class="line"><a name="l00610"></a><span class="lineno"> 610</span>&#160;{</div>
<div class="line"><a name="l00611"></a><span class="lineno"> 611</span>&#160; int32_t t;</div>
<div class="line"><a name="l00612"></a><span class="lineno"> 612</span>&#160;</div>
<div class="line"><a name="l00613"></a><span class="lineno"> 613</span>&#160; t = g(xi0);</div>
<div class="line"><a name="l00614"></a><span class="lineno"> 614</span>&#160; t += g(xi1);</div>
<div class="line"><a name="l00615"></a><span class="lineno"> 615</span>&#160; t += g(xi2);</div>
<div class="line"><a name="l00616"></a><span class="lineno"> 616</span>&#160; t += g(xi3);</div>
<div class="line"><a name="l00617"></a><span class="lineno"> 617</span>&#160;</div>
<div class="line"><a name="l00618"></a><span class="lineno"> 618</span>&#160; t -= 8*PARAM_Q;</div>
<div class="line"><a name="l00619"></a><span class="lineno"> 619</span>&#160; t &gt;&gt;= 31;</div>
<div class="line"><a name="l00620"></a><span class="lineno"> 620</span>&#160; <span class="keywordflow">return</span> t&amp;1;</div>
<div class="line"><a name="l00621"></a><span class="lineno"> 621</span>&#160;}</div>
<div class="line"><a name="l00622"></a><span class="lineno"> 622</span>&#160;</div>
<div class="line"><a name="l00623"></a><span class="lineno"> 623</span>&#160;<span class="keyword">static</span> <span class="keywordtype">void</span> helprec(NewHopeChaChaState *chacha, uint16_t *c, <span class="keyword">const</span> uint16_t *v, <span class="keywordtype">unsigned</span> <span class="keywordtype">char</span> nonce)</div>
<div class="line"><a name="l00624"></a><span class="lineno"> 624</span>&#160;{</div>
<div class="line"><a name="l00625"></a><span class="lineno"> 625</span>&#160; int32_t v0[4], v1[4], v_tmp[4], k;</div>
<div class="line"><a name="l00626"></a><span class="lineno"> 626</span>&#160; <span class="keywordtype">unsigned</span> <span class="keywordtype">char</span> rbit;</div>
<div class="line"><a name="l00627"></a><span class="lineno"> 627</span>&#160; <span class="keywordtype">unsigned</span> <span class="keywordtype">char</span> *rand;</div>
<div class="line"><a name="l00628"></a><span class="lineno"> 628</span>&#160; <span class="keywordtype">int</span> i;</div>
<div class="line"><a name="l00629"></a><span class="lineno"> 629</span>&#160;</div>
<div class="line"><a name="l00630"></a><span class="lineno"> 630</span>&#160; chacha-&gt;input[12] = 0;</div>
<div class="line"><a name="l00631"></a><span class="lineno"> 631</span>&#160; chacha-&gt;input[13] = 0;</div>
<div class="line"><a name="l00632"></a><span class="lineno"> 632</span>&#160; chacha-&gt;input[14] = 0;</div>
<div class="line"><a name="l00633"></a><span class="lineno"> 633</span>&#160; chacha-&gt;input[15] = (((uint32_t)nonce) &lt;&lt; 24); <span class="comment">// Assumes little-endian.</span></div>
<div class="line"><a name="l00634"></a><span class="lineno"> 634</span>&#160; <a class="code" href="classChaCha.html#a41ac3262e52ff49dcd916d0b3b2e2038">ChaCha::hashCore</a>(chacha-&gt;output, chacha-&gt;input, 20);</div>
<div class="line"><a name="l00635"></a><span class="lineno"> 635</span>&#160; rand = (<span class="keywordtype">unsigned</span> <span class="keywordtype">char</span> *)chacha-&gt;output;</div>
<div class="line"><a name="l00636"></a><span class="lineno"> 636</span>&#160; </div>
<div class="line"><a name="l00637"></a><span class="lineno"> 637</span>&#160; <span class="keywordflow">for</span>(i=0; i&lt;256; i++)</div>
<div class="line"><a name="l00638"></a><span class="lineno"> 638</span>&#160; {</div>
<div class="line"><a name="l00639"></a><span class="lineno"> 639</span>&#160; rbit = (rand[i&gt;&gt;3] &gt;&gt; (i&amp;7)) &amp; 1;</div>
<div class="line"><a name="l00640"></a><span class="lineno"> 640</span>&#160;</div>
<div class="line"><a name="l00641"></a><span class="lineno"> 641</span>&#160; k = f(v0+0, v1+0, 8*(int32_t)v[ 0+i] + 4*rbit);</div>
<div class="line"><a name="l00642"></a><span class="lineno"> 642</span>&#160; k += f(v0+1, v1+1, 8*(int32_t)v[256+i] + 4*rbit);</div>
<div class="line"><a name="l00643"></a><span class="lineno"> 643</span>&#160; k += f(v0+2, v1+2, 8*(int32_t)v[512+i] + 4*rbit);</div>
<div class="line"><a name="l00644"></a><span class="lineno"> 644</span>&#160; k += f(v0+3, v1+3, 8*(int32_t)v[768+i] + 4*rbit);</div>
<div class="line"><a name="l00645"></a><span class="lineno"> 645</span>&#160;</div>
<div class="line"><a name="l00646"></a><span class="lineno"> 646</span>&#160; k = (2*PARAM_Q-1-k) &gt;&gt; 31;</div>
<div class="line"><a name="l00647"></a><span class="lineno"> 647</span>&#160;</div>
<div class="line"><a name="l00648"></a><span class="lineno"> 648</span>&#160; v_tmp[0] = ((~k) &amp; v0[0]) ^ (k &amp; v1[0]);</div>
<div class="line"><a name="l00649"></a><span class="lineno"> 649</span>&#160; v_tmp[1] = ((~k) &amp; v0[1]) ^ (k &amp; v1[1]);</div>
<div class="line"><a name="l00650"></a><span class="lineno"> 650</span>&#160; v_tmp[2] = ((~k) &amp; v0[2]) ^ (k &amp; v1[2]);</div>
<div class="line"><a name="l00651"></a><span class="lineno"> 651</span>&#160; v_tmp[3] = ((~k) &amp; v0[3]) ^ (k &amp; v1[3]);</div>
<div class="line"><a name="l00652"></a><span class="lineno"> 652</span>&#160;</div>
<div class="line"><a name="l00653"></a><span class="lineno"> 653</span>&#160; c[ 0+i] = (v_tmp[0] - v_tmp[3]) &amp; 3; </div>
<div class="line"><a name="l00654"></a><span class="lineno"> 654</span>&#160; c[256+i] = (v_tmp[1] - v_tmp[3]) &amp; 3;</div>
<div class="line"><a name="l00655"></a><span class="lineno"> 655</span>&#160; c[512+i] = (v_tmp[2] - v_tmp[3]) &amp; 3;</div>
<div class="line"><a name="l00656"></a><span class="lineno"> 656</span>&#160; c[768+i] = ( -k + 2*v_tmp[3]) &amp; 3;</div>
<div class="line"><a name="l00657"></a><span class="lineno"> 657</span>&#160; }</div>
<div class="line"><a name="l00658"></a><span class="lineno"> 658</span>&#160;</div>
<div class="line"><a name="l00659"></a><span class="lineno"> 659</span>&#160; clean(&amp;chacha, <span class="keyword">sizeof</span>(chacha));</div>
<div class="line"><a name="l00660"></a><span class="lineno"> 660</span>&#160;}</div>
<div class="line"><a name="l00661"></a><span class="lineno"> 661</span>&#160;</div>
<div class="line"><a name="l00662"></a><span class="lineno"> 662</span>&#160;<span class="keyword">static</span> <span class="keywordtype">void</span> rec(<span class="keywordtype">unsigned</span> <span class="keywordtype">char</span> *key, <span class="keyword">const</span> uint16_t *v, <span class="keyword">const</span> uint16_t *c)</div>
<div class="line"><a name="l00663"></a><span class="lineno"> 663</span>&#160;{</div>
<div class="line"><a name="l00664"></a><span class="lineno"> 664</span>&#160; <span class="keywordtype">int</span> i;</div>
<div class="line"><a name="l00665"></a><span class="lineno"> 665</span>&#160; int32_t tmp[4];</div>
<div class="line"><a name="l00666"></a><span class="lineno"> 666</span>&#160;</div>
<div class="line"><a name="l00667"></a><span class="lineno"> 667</span>&#160; <span class="keywordflow">for</span>(i=0;i&lt;32;i++)</div>
<div class="line"><a name="l00668"></a><span class="lineno"> 668</span>&#160; key[i] = 0;</div>
<div class="line"><a name="l00669"></a><span class="lineno"> 669</span>&#160;</div>
<div class="line"><a name="l00670"></a><span class="lineno"> 670</span>&#160; <span class="keywordflow">for</span>(i=0; i&lt;256; i++)</div>
<div class="line"><a name="l00671"></a><span class="lineno"> 671</span>&#160; {</div>
<div class="line"><a name="l00672"></a><span class="lineno"> 672</span>&#160; tmp[0] = 16*PARAM_Q + 8*(int32_t)v[ 0+i] - PARAM_Q * (2*(int32_t)c[ 0+i]+c[768+i]);</div>
<div class="line"><a name="l00673"></a><span class="lineno"> 673</span>&#160; tmp[1] = 16*PARAM_Q + 8*(int32_t)v[256+i] - PARAM_Q * (2*(int32_t)c[256+i]+c[768+i]);</div>
<div class="line"><a name="l00674"></a><span class="lineno"> 674</span>&#160; tmp[2] = 16*PARAM_Q + 8*(int32_t)v[512+i] - PARAM_Q * (2*(int32_t)c[512+i]+c[768+i]);</div>
<div class="line"><a name="l00675"></a><span class="lineno"> 675</span>&#160; tmp[3] = 16*PARAM_Q + 8*(int32_t)v[768+i] - PARAM_Q * ( c[768+i]);</div>
<div class="line"><a name="l00676"></a><span class="lineno"> 676</span>&#160;</div>
<div class="line"><a name="l00677"></a><span class="lineno"> 677</span>&#160; key[i&gt;&gt;3] |= LDDecode(tmp[0], tmp[1], tmp[2], tmp[3]) &lt;&lt; (i &amp; 7);</div>
<div class="line"><a name="l00678"></a><span class="lineno"> 678</span>&#160; }</div>
<div class="line"><a name="l00679"></a><span class="lineno"> 679</span>&#160;}</div>
<div class="line"><a name="l00680"></a><span class="lineno"> 680</span>&#160;</div>
<div class="line"><a name="l00681"></a><span class="lineno"> 681</span>&#160;static <span class="keywordtype">void</span> poly_frombytes(uint16_t *r, const <span class="keywordtype">unsigned</span> <span class="keywordtype">char</span> *a)</div>
<div class="line"><a name="l00682"></a><span class="lineno"> 682</span>&#160;{</div>
<div class="line"><a name="l00683"></a><span class="lineno"> 683</span>&#160; <span class="keywordtype">int</span> i;</div>
<div class="line"><a name="l00684"></a><span class="lineno"> 684</span>&#160; <span class="keywordflow">for</span>(i=0;i&lt;PARAM_N/4;i++)</div>
<div class="line"><a name="l00685"></a><span class="lineno"> 685</span>&#160; {</div>
<div class="line"><a name="l00686"></a><span class="lineno"> 686</span>&#160; r[4*i+0] = a[7*i+0] | (((uint16_t)a[7*i+1] &amp; 0x3f) &lt;&lt; 8);</div>
<div class="line"><a name="l00687"></a><span class="lineno"> 687</span>&#160; r[4*i+1] = (a[7*i+1] &gt;&gt; 6) | (((uint16_t)a[7*i+2]) &lt;&lt; 2) | (((uint16_t)a[7*i+3] &amp; 0x0f) &lt;&lt; 10);</div>
<div class="line"><a name="l00688"></a><span class="lineno"> 688</span>&#160; r[4*i+2] = (a[7*i+3] &gt;&gt; 4) | (((uint16_t)a[7*i+4]) &lt;&lt; 4) | (((uint16_t)a[7*i+5] &amp; 0x03) &lt;&lt; 12);</div>
<div class="line"><a name="l00689"></a><span class="lineno"> 689</span>&#160; r[4*i+3] = (a[7*i+5] &gt;&gt; 2) | (((uint16_t)a[7*i+6]) &lt;&lt; 6); </div>
<div class="line"><a name="l00690"></a><span class="lineno"> 690</span>&#160; }</div>
<div class="line"><a name="l00691"></a><span class="lineno"> 691</span>&#160;}</div>
<div class="line"><a name="l00692"></a><span class="lineno"> 692</span>&#160;</div>
<div class="line"><a name="l00693"></a><span class="lineno"> 693</span>&#160;<span class="keyword">static</span> <span class="keywordtype">void</span> poly_tobytes(<span class="keywordtype">unsigned</span> <span class="keywordtype">char</span> *r, <span class="keyword">const</span> uint16_t *p)</div>
<div class="line"><a name="l00694"></a><span class="lineno"> 694</span>&#160;{</div>
<div class="line"><a name="l00695"></a><span class="lineno"> 695</span>&#160; <span class="keywordtype">int</span> i;</div>
<div class="line"><a name="l00696"></a><span class="lineno"> 696</span>&#160; uint16_t t0,t1,t2,t3,m;</div>
<div class="line"><a name="l00697"></a><span class="lineno"> 697</span>&#160; int16_t c;</div>
<div class="line"><a name="l00698"></a><span class="lineno"> 698</span>&#160; <span class="keywordflow">for</span>(i=0;i&lt;PARAM_N/4;i++)</div>
<div class="line"><a name="l00699"></a><span class="lineno"> 699</span>&#160; {</div>
<div class="line"><a name="l00700"></a><span class="lineno"> 700</span>&#160; t0 = barrett_reduce(p[4*i+0]); <span class="comment">//Make sure that coefficients have only 14 bits</span></div>
<div class="line"><a name="l00701"></a><span class="lineno"> 701</span>&#160; t1 = barrett_reduce(p[4*i+1]);</div>
<div class="line"><a name="l00702"></a><span class="lineno"> 702</span>&#160; t2 = barrett_reduce(p[4*i+2]);</div>
<div class="line"><a name="l00703"></a><span class="lineno"> 703</span>&#160; t3 = barrett_reduce(p[4*i+3]);</div>
<div class="line"><a name="l00704"></a><span class="lineno"> 704</span>&#160;</div>
<div class="line"><a name="l00705"></a><span class="lineno"> 705</span>&#160; m = t0 - PARAM_Q;</div>
<div class="line"><a name="l00706"></a><span class="lineno"> 706</span>&#160; c = m;</div>
<div class="line"><a name="l00707"></a><span class="lineno"> 707</span>&#160; c &gt;&gt;= 15;</div>
<div class="line"><a name="l00708"></a><span class="lineno"> 708</span>&#160; t0 = m ^ ((t0^m)&amp;c); <span class="comment">// &lt;Make sure that coefficients are in [0,q]</span></div>
<div class="line"><a name="l00709"></a><span class="lineno"> 709</span>&#160;</div>
<div class="line"><a name="l00710"></a><span class="lineno"> 710</span>&#160; m = t1 - PARAM_Q;</div>
<div class="line"><a name="l00711"></a><span class="lineno"> 711</span>&#160; c = m;</div>
<div class="line"><a name="l00712"></a><span class="lineno"> 712</span>&#160; c &gt;&gt;= 15;</div>
<div class="line"><a name="l00713"></a><span class="lineno"> 713</span>&#160; t1 = m ^ ((t1^m)&amp;c); <span class="comment">// &lt;Make sure that coefficients are in [0,q]</span></div>
<div class="line"><a name="l00714"></a><span class="lineno"> 714</span>&#160;</div>
<div class="line"><a name="l00715"></a><span class="lineno"> 715</span>&#160; m = t2 - PARAM_Q;</div>
<div class="line"><a name="l00716"></a><span class="lineno"> 716</span>&#160; c = m;</div>
<div class="line"><a name="l00717"></a><span class="lineno"> 717</span>&#160; c &gt;&gt;= 15;</div>
<div class="line"><a name="l00718"></a><span class="lineno"> 718</span>&#160; t2 = m ^ ((t2^m)&amp;c); <span class="comment">// &lt;Make sure that coefficients are in [0,q]</span></div>
<div class="line"><a name="l00719"></a><span class="lineno"> 719</span>&#160;</div>
<div class="line"><a name="l00720"></a><span class="lineno"> 720</span>&#160; m = t3 - PARAM_Q;</div>
<div class="line"><a name="l00721"></a><span class="lineno"> 721</span>&#160; c = m;</div>
<div class="line"><a name="l00722"></a><span class="lineno"> 722</span>&#160; c &gt;&gt;= 15;</div>
<div class="line"><a name="l00723"></a><span class="lineno"> 723</span>&#160; t3 = m ^ ((t3^m)&amp;c); <span class="comment">// &lt;Make sure that coefficients are in [0,q]</span></div>
<div class="line"><a name="l00724"></a><span class="lineno"> 724</span>&#160;</div>
<div class="line"><a name="l00725"></a><span class="lineno"> 725</span>&#160; r[7*i+0] = t0 &amp; 0xff;</div>
<div class="line"><a name="l00726"></a><span class="lineno"> 726</span>&#160; r[7*i+1] = (t0 &gt;&gt; 8) | (t1 &lt;&lt; 6);</div>
<div class="line"><a name="l00727"></a><span class="lineno"> 727</span>&#160; r[7*i+2] = (t1 &gt;&gt; 2);</div>
<div class="line"><a name="l00728"></a><span class="lineno"> 728</span>&#160; r[7*i+3] = (t1 &gt;&gt; 10) | (t2 &lt;&lt; 4);</div>
<div class="line"><a name="l00729"></a><span class="lineno"> 729</span>&#160; r[7*i+4] = (t2 &gt;&gt; 4);</div>
<div class="line"><a name="l00730"></a><span class="lineno"> 730</span>&#160; r[7*i+5] = (t2 &gt;&gt; 12) | (t3 &lt;&lt; 2);</div>
<div class="line"><a name="l00731"></a><span class="lineno"> 731</span>&#160; r[7*i+6] = (t3 &gt;&gt; 6);</div>
<div class="line"><a name="l00732"></a><span class="lineno"> 732</span>&#160; }</div>
<div class="line"><a name="l00733"></a><span class="lineno"> 733</span>&#160;}</div>
<div class="line"><a name="l00734"></a><span class="lineno"> 734</span>&#160;</div>
<div class="line"><a name="l00735"></a><span class="lineno"> 735</span>&#160;<span class="keyword">static</span> <span class="keywordtype">void</span> poly_pointwise(uint16_t *r, <span class="keyword">const</span> uint16_t *a, <span class="keyword">const</span> uint16_t *b)</div>
<div class="line"><a name="l00736"></a><span class="lineno"> 736</span>&#160;{</div>
<div class="line"><a name="l00737"></a><span class="lineno"> 737</span>&#160; <span class="keywordtype">int</span> i;</div>
<div class="line"><a name="l00738"></a><span class="lineno"> 738</span>&#160; uint16_t t;</div>
<div class="line"><a name="l00739"></a><span class="lineno"> 739</span>&#160; <span class="keywordflow">for</span>(i=0;i&lt;PARAM_N;i++)</div>
<div class="line"><a name="l00740"></a><span class="lineno"> 740</span>&#160; {</div>
<div class="line"><a name="l00741"></a><span class="lineno"> 741</span>&#160; t = montgomery_reduce(3186*(uint32_t)b[i]); <span class="comment">/* t is now in Montgomery domain */</span></div>
<div class="line"><a name="l00742"></a><span class="lineno"> 742</span>&#160; r[i] = montgomery_reduce(a[i] * (uint32_t)t); <span class="comment">/* r-&gt;coeffs[i] is back in normal domain */</span></div>
<div class="line"><a name="l00743"></a><span class="lineno"> 743</span>&#160; }</div>
<div class="line"><a name="l00744"></a><span class="lineno"> 744</span>&#160;}</div>
<div class="line"><a name="l00745"></a><span class="lineno"> 745</span>&#160;</div>
<div class="line"><a name="l00746"></a><span class="lineno"> 746</span>&#160;<span class="keyword">static</span> <span class="keywordtype">void</span> poly_add(uint16_t *r, <span class="keyword">const</span> uint16_t *a, <span class="keyword">const</span> uint16_t *b)</div>
<div class="line"><a name="l00747"></a><span class="lineno"> 747</span>&#160;{</div>
<div class="line"><a name="l00748"></a><span class="lineno"> 748</span>&#160; <span class="keywordtype">int</span> i;</div>
<div class="line"><a name="l00749"></a><span class="lineno"> 749</span>&#160; <span class="keywordflow">for</span>(i=0;i&lt;PARAM_N;i++)</div>
<div class="line"><a name="l00750"></a><span class="lineno"> 750</span>&#160; r[i] = barrett_reduce(a[i] + (uint32_t)b[i]);</div>
<div class="line"><a name="l00751"></a><span class="lineno"> 751</span>&#160;}</div>
<div class="line"><a name="l00752"></a><span class="lineno"> 752</span>&#160;</div>
<div class="line"><a name="l00753"></a><span class="lineno"> 753</span>&#160;<span class="keyword">static</span> <span class="keywordtype">void</span> poly_ntt(uint16_t *r)</div>
<div class="line"><a name="l00754"></a><span class="lineno"> 754</span>&#160;{</div>
<div class="line"><a name="l00755"></a><span class="lineno"> 755</span>&#160; mul_coefficients(r, psis_bitrev_montgomery); </div>
<div class="line"><a name="l00756"></a><span class="lineno"> 756</span>&#160; ntt(r, omegas_montgomery);</div>
<div class="line"><a name="l00757"></a><span class="lineno"> 757</span>&#160;}</div>
<div class="line"><a name="l00758"></a><span class="lineno"> 758</span>&#160;</div>
<div class="line"><a name="l00759"></a><span class="lineno"> 759</span>&#160;<span class="keyword">static</span> <span class="keywordtype">void</span> poly_invntt(uint16_t *r)</div>
<div class="line"><a name="l00760"></a><span class="lineno"> 760</span>&#160;{</div>
<div class="line"><a name="l00761"></a><span class="lineno"> 761</span>&#160; bitrev_vector(r);</div>
<div class="line"><a name="l00762"></a><span class="lineno"> 762</span>&#160; ntt(r, omegas_inv_montgomery);</div>
<div class="line"><a name="l00763"></a><span class="lineno"> 763</span>&#160; mul_coefficients(r, psis_inv_montgomery);</div>
<div class="line"><a name="l00764"></a><span class="lineno"> 764</span>&#160;}</div>
<div class="line"><a name="l00765"></a><span class="lineno"> 765</span>&#160;</div>
<div class="line"><a name="l00766"></a><span class="lineno"> 766</span>&#160;<span class="keyword">static</span> <span class="keywordtype">void</span> encode_b_2nd_half(<span class="keywordtype">unsigned</span> <span class="keywordtype">char</span> *r, <span class="keyword">const</span> uint16_t *c)</div>
<div class="line"><a name="l00767"></a><span class="lineno"> 767</span>&#160;{</div>
<div class="line"><a name="l00768"></a><span class="lineno"> 768</span>&#160; <span class="keywordtype">int</span> i;</div>
<div class="line"><a name="l00769"></a><span class="lineno"> 769</span>&#160; <span class="keywordflow">for</span>(i=0;i&lt;PARAM_N/4;i++)</div>
<div class="line"><a name="l00770"></a><span class="lineno"> 770</span>&#160; r[POLY_BYTES+i] = c[4*i] | (c[4*i+1] &lt;&lt; 2) | (c[4*i+2] &lt;&lt; 4) | (c[4*i+3] &lt;&lt; 6);</div>
<div class="line"><a name="l00771"></a><span class="lineno"> 771</span>&#160;}</div>
<div class="line"><a name="l00772"></a><span class="lineno"> 772</span>&#160;</div>
<div class="line"><a name="l00773"></a><span class="lineno"> 773</span>&#160;<span class="keyword">static</span> <span class="keywordtype">void</span> decode_b_2nd_half(uint16_t *c, <span class="keyword">const</span> <span class="keywordtype">unsigned</span> <span class="keywordtype">char</span> *r)</div>
<div class="line"><a name="l00774"></a><span class="lineno"> 774</span>&#160;{</div>
<div class="line"><a name="l00775"></a><span class="lineno"> 775</span>&#160; <span class="keywordtype">int</span> i;</div>
<div class="line"><a name="l00776"></a><span class="lineno"> 776</span>&#160; <span class="keywordflow">for</span>(i=0;i&lt;PARAM_N/4;i++)</div>
<div class="line"><a name="l00777"></a><span class="lineno"> 777</span>&#160; {</div>
<div class="line"><a name="l00778"></a><span class="lineno"> 778</span>&#160; c[4*i+0] = r[POLY_BYTES+i] &amp; 0x03;</div>
<div class="line"><a name="l00779"></a><span class="lineno"> 779</span>&#160; c[4*i+1] = (r[POLY_BYTES+i] &gt;&gt; 2) &amp; 0x03;</div>
<div class="line"><a name="l00780"></a><span class="lineno"> 780</span>&#160; c[4*i+2] = (r[POLY_BYTES+i] &gt;&gt; 4) &amp; 0x03;</div>
<div class="line"><a name="l00781"></a><span class="lineno"> 781</span>&#160; c[4*i+3] = (r[POLY_BYTES+i] &gt;&gt; 6);</div>
<div class="line"><a name="l00782"></a><span class="lineno"> 782</span>&#160; }</div>
<div class="line"><a name="l00783"></a><span class="lineno"> 783</span>&#160;}</div>
<div class="line"><a name="l00784"></a><span class="lineno"> 784</span>&#160;</div>
<div class="line"><a name="l00785"></a><span class="lineno"> 785</span>&#160;<span class="preprocessor">#define _5q (5*PARAM_Q)</span></div>
<div class="line"><a name="l00786"></a><span class="lineno"> 786</span>&#160;<span class="preprocessor"></span></div>
<div class="line"><a name="l00787"></a><span class="lineno"> 787</span>&#160;<span class="preprocessor">#define compare_and_swap(x,i,j) \</span></div>
<div class="line"><a name="l00788"></a><span class="lineno"> 788</span>&#160;<span class="preprocessor"> c = _5q - 1 - x[16*(i)];\</span></div>
<div class="line"><a name="l00789"></a><span class="lineno"> 789</span>&#160;<span class="preprocessor"> c &gt;&gt;= 31;\</span></div>
<div class="line"><a name="l00790"></a><span class="lineno"> 790</span>&#160;<span class="preprocessor"> t = x[16*(i)] ^ x[16*(j)];\</span></div>
<div class="line"><a name="l00791"></a><span class="lineno"> 791</span>&#160;<span class="preprocessor"> t &amp;= c;\</span></div>
<div class="line"><a name="l00792"></a><span class="lineno"> 792</span>&#160;<span class="preprocessor"> x[16*(i)] ^= t;\</span></div>
<div class="line"><a name="l00793"></a><span class="lineno"> 793</span>&#160;<span class="preprocessor"> x[16*(j)] ^= t;</span></div>
<div class="line"><a name="l00794"></a><span class="lineno"> 794</span>&#160;<span class="preprocessor"></span></div>
<div class="line"><a name="l00795"></a><span class="lineno"> 795</span>&#160;<span class="keyword">static</span> <span class="keywordtype">void</span> batcher84(uint16_t *x);</div>
<div class="line"><a name="l00796"></a><span class="lineno"> 796</span>&#160;</div>
<div class="line"><a name="l00797"></a><span class="lineno"> 797</span>&#160;<span class="keyword">static</span> <span class="keywordtype">int</span> discardtopoly(uint16_t *x)</div>
<div class="line"><a name="l00798"></a><span class="lineno"> 798</span>&#160;{</div>
<div class="line"><a name="l00799"></a><span class="lineno"> 799</span>&#160; int32_t i, r=0;</div>
<div class="line"><a name="l00800"></a><span class="lineno"> 800</span>&#160;</div>
<div class="line"><a name="l00801"></a><span class="lineno"> 801</span>&#160; <span class="keywordflow">for</span>(i=0;i&lt;16;i++)</div>
<div class="line"><a name="l00802"></a><span class="lineno"> 802</span>&#160; batcher84(x+i);</div>
<div class="line"><a name="l00803"></a><span class="lineno"> 803</span>&#160;</div>
<div class="line"><a name="l00804"></a><span class="lineno"> 804</span>&#160; <span class="comment">// Check whether we&#39;re safe:</span></div>
<div class="line"><a name="l00805"></a><span class="lineno"> 805</span>&#160; <span class="keywordflow">for</span>(i=1008;i&lt;1024;i++)</div>
<div class="line"><a name="l00806"></a><span class="lineno"> 806</span>&#160; r |= 61444 - x[i];</div>
<div class="line"><a name="l00807"></a><span class="lineno"> 807</span>&#160; <span class="keywordflow">if</span>(r &gt;&gt;= 31) <span class="keywordflow">return</span> -1;</div>
<div class="line"><a name="l00808"></a><span class="lineno"> 808</span>&#160;</div>
<div class="line"><a name="l00809"></a><span class="lineno"> 809</span>&#160; <span class="keywordflow">return</span> 0;</div>
<div class="line"><a name="l00810"></a><span class="lineno"> 810</span>&#160;}</div>
<div class="line"><a name="l00811"></a><span class="lineno"> 811</span>&#160;</div>
<div class="line"><a name="l00812"></a><span class="lineno"> 812</span>&#160;<span class="comment">// End of public domain code imported from the C reference code.</span></div>
<div class="line"><a name="l00813"></a><span class="lineno"> 813</span>&#160; </div>
<div class="line"><a name="l00814"></a><span class="lineno"> 814</span>&#160;<span class="comment">// Code size efficient (but slower) version of the Batcher sort.</span></div>
<div class="line"><a name="l00815"></a><span class="lineno"> 815</span>&#160;<span class="comment">// https://en.wikipedia.org/wiki/Batcher_odd%E2%80%93even_mergesort</span></div>
<div class="line"><a name="l00816"></a><span class="lineno"> 816</span>&#160;<span class="keyword">static</span> <span class="keywordtype">void</span> oddeven_merge(uint16_t *x, <span class="keywordtype">unsigned</span> lo, <span class="keywordtype">unsigned</span> hi, <span class="keywordtype">unsigned</span> r)</div>
<div class="line"><a name="l00817"></a><span class="lineno"> 817</span>&#160;{</div>
<div class="line"><a name="l00818"></a><span class="lineno"> 818</span>&#160; <span class="keywordtype">unsigned</span> step = r * 2;</div>
<div class="line"><a name="l00819"></a><span class="lineno"> 819</span>&#160; <span class="keywordtype">unsigned</span> i;</div>
<div class="line"><a name="l00820"></a><span class="lineno"> 820</span>&#160; int32_t c;</div>
<div class="line"><a name="l00821"></a><span class="lineno"> 821</span>&#160; uint16_t t;</div>
<div class="line"><a name="l00822"></a><span class="lineno"> 822</span>&#160; <span class="keywordflow">if</span> (lo &gt;= 84)</div>
<div class="line"><a name="l00823"></a><span class="lineno"> 823</span>&#160; <span class="keywordflow">return</span>;</div>
<div class="line"><a name="l00824"></a><span class="lineno"> 824</span>&#160; <span class="keywordflow">if</span> (step &lt; (hi - lo)) {</div>
<div class="line"><a name="l00825"></a><span class="lineno"> 825</span>&#160; <span class="keywordflow">if</span> ((step * 2) &gt;= (hi - lo) &amp;&amp; hi &lt; 84) {</div>
<div class="line"><a name="l00826"></a><span class="lineno"> 826</span>&#160; <span class="comment">// The next recursion down is a leaf, so unroll a little.</span></div>
<div class="line"><a name="l00827"></a><span class="lineno"> 827</span>&#160; compare_and_swap(x, lo, lo + step);</div>
<div class="line"><a name="l00828"></a><span class="lineno"> 828</span>&#160; compare_and_swap(x, lo + r, lo + r + step);</div>
<div class="line"><a name="l00829"></a><span class="lineno"> 829</span>&#160; compare_and_swap(x, lo + r, lo + step);</div>
<div class="line"><a name="l00830"></a><span class="lineno"> 830</span>&#160; <span class="keywordflow">return</span>;</div>
<div class="line"><a name="l00831"></a><span class="lineno"> 831</span>&#160; }</div>
<div class="line"><a name="l00832"></a><span class="lineno"> 832</span>&#160; oddeven_merge(x, lo, hi, step);</div>
<div class="line"><a name="l00833"></a><span class="lineno"> 833</span>&#160; oddeven_merge(x, lo + r, hi, step);</div>
<div class="line"><a name="l00834"></a><span class="lineno"> 834</span>&#160; <span class="keywordflow">for</span> (i = lo + r; i &lt; (hi - r) &amp;&amp; (i + r) &lt; 84; i += step) {</div>
<div class="line"><a name="l00835"></a><span class="lineno"> 835</span>&#160; compare_and_swap(x, i, i + r);</div>
<div class="line"><a name="l00836"></a><span class="lineno"> 836</span>&#160; }</div>
<div class="line"><a name="l00837"></a><span class="lineno"> 837</span>&#160; } <span class="keywordflow">else</span> <span class="keywordflow">if</span> ((lo + r) &lt; 84) {</div>
<div class="line"><a name="l00838"></a><span class="lineno"> 838</span>&#160; compare_and_swap(x, lo, lo + r);</div>
<div class="line"><a name="l00839"></a><span class="lineno"> 839</span>&#160; }</div>
<div class="line"><a name="l00840"></a><span class="lineno"> 840</span>&#160;}</div>
<div class="line"><a name="l00841"></a><span class="lineno"> 841</span>&#160;<span class="keyword">static</span> <span class="keywordtype">void</span> oddeven_merge_sort_range(uint16_t *x, <span class="keywordtype">unsigned</span> lo, <span class="keywordtype">unsigned</span> hi)</div>
<div class="line"><a name="l00842"></a><span class="lineno"> 842</span>&#160;{</div>
<div class="line"><a name="l00843"></a><span class="lineno"> 843</span>&#160; <span class="keywordflow">if</span> (lo == hi || lo &gt;= 84)</div>
<div class="line"><a name="l00844"></a><span class="lineno"> 844</span>&#160; <span class="keywordflow">return</span>;</div>
<div class="line"><a name="l00845"></a><span class="lineno"> 845</span>&#160; <span class="keywordtype">unsigned</span> mid = lo + ((hi - lo) / 2);</div>
<div class="line"><a name="l00846"></a><span class="lineno"> 846</span>&#160; <span class="keywordflow">if</span> ((hi - lo) == 3 &amp;&amp; hi &lt; 84) {</div>
<div class="line"><a name="l00847"></a><span class="lineno"> 847</span>&#160; <span class="comment">// Optimization for sub lists of size 4. Unroll the comparisons.</span></div>
<div class="line"><a name="l00848"></a><span class="lineno"> 848</span>&#160; int32_t c;</div>
<div class="line"><a name="l00849"></a><span class="lineno"> 849</span>&#160; uint16_t t;</div>
<div class="line"><a name="l00850"></a><span class="lineno"> 850</span>&#160; compare_and_swap(x, lo , lo + 1);</div>
<div class="line"><a name="l00851"></a><span class="lineno"> 851</span>&#160; compare_and_swap(x, lo + 2, lo + 3);</div>
<div class="line"><a name="l00852"></a><span class="lineno"> 852</span>&#160; compare_and_swap(x, lo , lo + 2);</div>
<div class="line"><a name="l00853"></a><span class="lineno"> 853</span>&#160; compare_and_swap(x, lo + 1, lo + 3);</div>
<div class="line"><a name="l00854"></a><span class="lineno"> 854</span>&#160; compare_and_swap(x, lo + 1, lo + 2);</div>
<div class="line"><a name="l00855"></a><span class="lineno"> 855</span>&#160; <span class="keywordflow">return</span>;</div>
<div class="line"><a name="l00856"></a><span class="lineno"> 856</span>&#160; }</div>
<div class="line"><a name="l00857"></a><span class="lineno"> 857</span>&#160; oddeven_merge_sort_range(x, lo, mid);</div>
<div class="line"><a name="l00858"></a><span class="lineno"> 858</span>&#160; oddeven_merge_sort_range(x, mid + 1, hi);</div>
<div class="line"><a name="l00859"></a><span class="lineno"> 859</span>&#160; oddeven_merge(x, lo, hi, 1);</div>
<div class="line"><a name="l00860"></a><span class="lineno"> 860</span>&#160;}</div>
<div class="line"><a name="l00861"></a><span class="lineno"> 861</span>&#160;<span class="keyword">static</span> <span class="keywordtype">void</span> batcher84(uint16_t *x)</div>
<div class="line"><a name="l00862"></a><span class="lineno"> 862</span>&#160;{</div>
<div class="line"><a name="l00863"></a><span class="lineno"> 863</span>&#160; <span class="comment">// Batcher sort is defined over a power of two list size but 84</span></div>
<div class="line"><a name="l00864"></a><span class="lineno"> 864</span>&#160; <span class="comment">// is not a power of two. Round up to the next power of two and</span></div>
<div class="line"><a name="l00865"></a><span class="lineno"> 865</span>&#160; <span class="comment">// then ignore any swap with an index that is out of range.</span></div>
<div class="line"><a name="l00866"></a><span class="lineno"> 866</span>&#160; oddeven_merge_sort_range(x, 0, 127);</div>
<div class="line"><a name="l00867"></a><span class="lineno"> 867</span>&#160;}</div>
<div class="line"><a name="l00868"></a><span class="lineno"> 868</span>&#160;</div>
<div class="line"><a name="l00869"></a><span class="lineno"> 869</span>&#160;<span class="comment">// Formats the ChaCha20 input block using a key.</span></div>
<div class="line"><a name="l00870"></a><span class="lineno"> 870</span>&#160;<span class="keyword">static</span> <span class="keywordtype">void</span> crypto_chacha20_set_key(uint32_t *block, <span class="keyword">const</span> <span class="keywordtype">unsigned</span> <span class="keywordtype">char</span> *k)</div>
<div class="line"><a name="l00871"></a><span class="lineno"> 871</span>&#160;{</div>
<div class="line"><a name="l00872"></a><span class="lineno"> 872</span>&#160; <span class="keyword">static</span> <span class="keyword">const</span> <span class="keywordtype">char</span> tag256[] PROGMEM = <span class="stringliteral">&quot;expand 32-byte k&quot;</span>;</div>
<div class="line"><a name="l00873"></a><span class="lineno"> 873</span>&#160;<span class="preprocessor">#if defined(__AVR__)</span></div>
<div class="line"><a name="l00874"></a><span class="lineno"> 874</span>&#160;<span class="preprocessor"></span> memcpy_P(block, tag256, 16);</div>
<div class="line"><a name="l00875"></a><span class="lineno"> 875</span>&#160;<span class="preprocessor">#else</span></div>
<div class="line"><a name="l00876"></a><span class="lineno"> 876</span>&#160;<span class="preprocessor"></span> memcpy(block, tag256, 16);</div>
<div class="line"><a name="l00877"></a><span class="lineno"> 877</span>&#160;<span class="preprocessor">#endif</span></div>
<div class="line"><a name="l00878"></a><span class="lineno"> 878</span>&#160;<span class="preprocessor"></span> memcpy(block + 4, k, 32);</div>
<div class="line"><a name="l00879"></a><span class="lineno"> 879</span>&#160; memset(block + 12, 0, 8);</div>
<div class="line"><a name="l00880"></a><span class="lineno"> 880</span>&#160;}</div>
<div class="line"><a name="l00881"></a><span class="lineno"> 881</span>&#160;</div>
<div class="line"><a name="l00882"></a><span class="lineno"> 882</span>&#160;<span class="keyword">static</span> <span class="keywordtype">void</span> poly_uniform(<a class="code" href="classSHAKE128.html">SHAKE128</a> *shake, uint16_t *a, <span class="keyword">const</span> <span class="keywordtype">unsigned</span> <span class="keywordtype">char</span> *seed)</div>
<div class="line"><a name="l00883"></a><span class="lineno"> 883</span>&#160;{</div>
<div class="line"><a name="l00884"></a><span class="lineno"> 884</span>&#160; <span class="keywordtype">int</span> ctr = 0;</div>
<div class="line"><a name="l00885"></a><span class="lineno"> 885</span>&#160; <span class="keywordtype">int</span> posn = PARAM_N;</div>
<div class="line"><a name="l00886"></a><span class="lineno"> 886</span>&#160; uint16_t val;</div>
<div class="line"><a name="l00887"></a><span class="lineno"> 887</span>&#160;</div>
<div class="line"><a name="l00888"></a><span class="lineno"> 888</span>&#160; <span class="comment">// Absorb the seed material into the SHAKE128 object.</span></div>
<div class="line"><a name="l00889"></a><span class="lineno"> 889</span>&#160; shake-&gt;<a class="code" href="classSHAKE.html#aa6f3a32427433aabe20adccb6994a4aa">update</a>(seed, NEWHOPE_SEEDBYTES);</div>
<div class="line"><a name="l00890"></a><span class="lineno"> 890</span>&#160;</div>
<div class="line"><a name="l00891"></a><span class="lineno"> 891</span>&#160; <span class="keywordflow">while</span> (ctr &lt; PARAM_N) {</div>
<div class="line"><a name="l00892"></a><span class="lineno"> 892</span>&#160; <span class="comment">// Extract data from the SHAKE128 object directly into &quot;a&quot;.</span></div>
<div class="line"><a name="l00893"></a><span class="lineno"> 893</span>&#160; <span class="keywordflow">if</span> (posn &gt;= PARAM_N) {</div>
<div class="line"><a name="l00894"></a><span class="lineno"> 894</span>&#160; shake-&gt;<a class="code" href="classSHAKE.html#ac3fe37617644e3498d40a86e846562fb">extend</a>((uint8_t *)(a + ctr),</div>
<div class="line"><a name="l00895"></a><span class="lineno"> 895</span>&#160; (PARAM_N - ctr) * <span class="keyword">sizeof</span>(uint16_t));</div>
<div class="line"><a name="l00896"></a><span class="lineno"> 896</span>&#160; posn = ctr;</div>
<div class="line"><a name="l00897"></a><span class="lineno"> 897</span>&#160; }</div>
<div class="line"><a name="l00898"></a><span class="lineno"> 898</span>&#160;</div>
<div class="line"><a name="l00899"></a><span class="lineno"> 899</span>&#160; <span class="comment">// Process as much of the data as we can, discarding values</span></div>
<div class="line"><a name="l00900"></a><span class="lineno"> 900</span>&#160; <span class="comment">// that are greater than or equal to 5 * PARAM_Q.</span></div>
<div class="line"><a name="l00901"></a><span class="lineno"> 901</span>&#160; <span class="keywordflow">while</span> (posn &lt; PARAM_N) {</div>
<div class="line"><a name="l00902"></a><span class="lineno"> 902</span>&#160; val = a[posn++];</div>
<div class="line"><a name="l00903"></a><span class="lineno"> 903</span>&#160; <span class="keywordflow">if</span> (val &lt; (5 * PARAM_Q))</div>
<div class="line"><a name="l00904"></a><span class="lineno"> 904</span>&#160; a[ctr++] = val;</div>
<div class="line"><a name="l00905"></a><span class="lineno"> 905</span>&#160; }</div>
<div class="line"><a name="l00906"></a><span class="lineno"> 906</span>&#160; }</div>
<div class="line"><a name="l00907"></a><span class="lineno"> 907</span>&#160;}</div>
<div class="line"><a name="l00908"></a><span class="lineno"> 908</span>&#160;</div>
<div class="line"><a name="l00909"></a><span class="lineno"> 909</span>&#160;<span class="keyword">static</span> <span class="keywordtype">void</span> poly_uniform_torref(<a class="code" href="classSHAKE128.html">SHAKE128</a> *shake, uint16_t *a, <span class="keyword">const</span> <span class="keywordtype">unsigned</span> <span class="keywordtype">char</span> *seed)</div>
<div class="line"><a name="l00910"></a><span class="lineno"> 910</span>&#160;{</div>
<div class="line"><a name="l00911"></a><span class="lineno"> 911</span>&#160; shake-&gt;<a class="code" href="classSHAKE.html#aa6f3a32427433aabe20adccb6994a4aa">update</a>(seed, 32);</div>
<div class="line"><a name="l00912"></a><span class="lineno"> 912</span>&#160; <span class="keywordflow">do</span> {</div>
<div class="line"><a name="l00913"></a><span class="lineno"> 913</span>&#160; shake-&gt;<a class="code" href="classSHAKE.html#ac3fe37617644e3498d40a86e846562fb">extend</a>((uint8_t *)a, 84 * 16 * <span class="keyword">sizeof</span>(uint16_t));</div>
<div class="line"><a name="l00914"></a><span class="lineno"> 914</span>&#160; } <span class="keywordflow">while</span> (discardtopoly(a));</div>
<div class="line"><a name="l00915"></a><span class="lineno"> 915</span>&#160;}</div>
<div class="line"><a name="l00916"></a><span class="lineno"> 916</span>&#160;</div>
<div class="line"><a name="l00917"></a><span class="lineno"> 917</span>&#160;<span class="keyword">static</span> <span class="keywordtype">void</span> poly_getnoise(uint16_t *r, NewHopeChaChaState *chacha, <span class="keywordtype">unsigned</span> <span class="keywordtype">char</span> nonce)</div>
<div class="line"><a name="l00918"></a><span class="lineno"> 918</span>&#160;{</div>
<div class="line"><a name="l00919"></a><span class="lineno"> 919</span>&#160; <span class="keywordtype">int</span> i, j;</div>
<div class="line"><a name="l00920"></a><span class="lineno"> 920</span>&#160; uint32_t a, b;</div>
<div class="line"><a name="l00921"></a><span class="lineno"> 921</span>&#160;</div>
<div class="line"><a name="l00922"></a><span class="lineno"> 922</span>&#160; <span class="comment">// Note: The rest of this function assumes that we are running on a</span></div>
<div class="line"><a name="l00923"></a><span class="lineno"> 923</span>&#160; <span class="comment">// little-endian CPU. Since we&#39;re generating random noise from a</span></div>
<div class="line"><a name="l00924"></a><span class="lineno"> 924</span>&#160; <span class="comment">// random seed, it doesn&#39;t actually matter what the endian-ness is</span></div>
<div class="line"><a name="l00925"></a><span class="lineno"> 925</span>&#160; <span class="comment">// as it will be just as random in both directions. It&#39;s only a</span></div>
<div class="line"><a name="l00926"></a><span class="lineno"> 926</span>&#160; <span class="comment">// problem for verifying fixed test vectors.</span></div>
<div class="line"><a name="l00927"></a><span class="lineno"> 927</span>&#160;</div>
<div class="line"><a name="l00928"></a><span class="lineno"> 928</span>&#160; chacha-&gt;input[12] = 0;</div>
<div class="line"><a name="l00929"></a><span class="lineno"> 929</span>&#160; chacha-&gt;input[13] = 0;</div>
<div class="line"><a name="l00930"></a><span class="lineno"> 930</span>&#160; chacha-&gt;input[14] = nonce; <span class="comment">// Assumes little-endian.</span></div>
<div class="line"><a name="l00931"></a><span class="lineno"> 931</span>&#160; chacha-&gt;input[15] = 0;</div>
<div class="line"><a name="l00932"></a><span class="lineno"> 932</span>&#160;</div>
<div class="line"><a name="l00933"></a><span class="lineno"> 933</span>&#160; <span class="keywordflow">for</span> (i = 0; i &lt; PARAM_N; ++i) {</div>
<div class="line"><a name="l00934"></a><span class="lineno"> 934</span>&#160; <span class="comment">// Generate a new block of random data if necessary.</span></div>
<div class="line"><a name="l00935"></a><span class="lineno"> 935</span>&#160; j = i % 16;</div>
<div class="line"><a name="l00936"></a><span class="lineno"> 936</span>&#160; <span class="keywordflow">if</span> (j == 0) {</div>
<div class="line"><a name="l00937"></a><span class="lineno"> 937</span>&#160; <a class="code" href="classChaCha.html#a41ac3262e52ff49dcd916d0b3b2e2038">ChaCha::hashCore</a>(chacha-&gt;output, chacha-&gt;input, 20);</div>
<div class="line"><a name="l00938"></a><span class="lineno"> 938</span>&#160; ++(chacha-&gt;input[12]); <span class="comment">// Assumes little-endian.</span></div>
<div class="line"><a name="l00939"></a><span class="lineno"> 939</span>&#160; }</div>
<div class="line"><a name="l00940"></a><span class="lineno"> 940</span>&#160;</div>
<div class="line"><a name="l00941"></a><span class="lineno"> 941</span>&#160; <span class="comment">// This is a slightly more efficient way to count bits than in</span></div>
<div class="line"><a name="l00942"></a><span class="lineno"> 942</span>&#160; <span class="comment">// the reference C implementation. The technique is from:</span></div>
<div class="line"><a name="l00943"></a><span class="lineno"> 943</span>&#160; <span class="comment">// https://graphics.stanford.edu/~seander/bithacks.html#CountBitsSetParallel</span></div>
<div class="line"><a name="l00944"></a><span class="lineno"> 944</span>&#160; a = chacha-&gt;output[j] &amp; 0xFFFF; <span class="comment">// Assumes little-endian.</span></div>
<div class="line"><a name="l00945"></a><span class="lineno"> 945</span>&#160; a = a - ((a &gt;&gt; 1) &amp; 0x5555);</div>
<div class="line"><a name="l00946"></a><span class="lineno"> 946</span>&#160; a = (a &amp; 0x3333) + ((a &gt;&gt; 2) &amp; 0x3333);</div>
<div class="line"><a name="l00947"></a><span class="lineno"> 947</span>&#160; a = ((a &gt;&gt; 4) + a) &amp; 0x0F0F;</div>
<div class="line"><a name="l00948"></a><span class="lineno"> 948</span>&#160; a = ((a &gt;&gt; 8) + a) &amp; 0x00FF;</div>
<div class="line"><a name="l00949"></a><span class="lineno"> 949</span>&#160;</div>
<div class="line"><a name="l00950"></a><span class="lineno"> 950</span>&#160; b = (chacha-&gt;output[j] &gt;&gt; 16) &amp; 0xFFFF; <span class="comment">// Assumes little-endian.</span></div>
<div class="line"><a name="l00951"></a><span class="lineno"> 951</span>&#160; b = b - ((b &gt;&gt; 1) &amp; 0x5555);</div>
<div class="line"><a name="l00952"></a><span class="lineno"> 952</span>&#160; b = (b &amp; 0x3333) + ((b &gt;&gt; 2) &amp; 0x3333);</div>
<div class="line"><a name="l00953"></a><span class="lineno"> 953</span>&#160; b = ((b &gt;&gt; 4) + b) &amp; 0x0F0F;</div>
<div class="line"><a name="l00954"></a><span class="lineno"> 954</span>&#160; b = ((b &gt;&gt; 8) + b) &amp; 0x00FF;</div>
<div class="line"><a name="l00955"></a><span class="lineno"> 955</span>&#160;</div>
<div class="line"><a name="l00956"></a><span class="lineno"> 956</span>&#160; r[i] = a + PARAM_Q - b;</div>
<div class="line"><a name="l00957"></a><span class="lineno"> 957</span>&#160; }</div>
<div class="line"><a name="l00958"></a><span class="lineno"> 958</span>&#160;</div>
<div class="line"><a name="l00959"></a><span class="lineno"> 959</span>&#160; clean(&amp;chacha, <span class="keyword">sizeof</span>(chacha));</div>
<div class="line"><a name="l00960"></a><span class="lineno"> 960</span>&#160;}</div>
<div class="line"><a name="l00961"></a><span class="lineno"> 961</span>&#160;</div>
<div class="line"><a name="l00984"></a><span class="lineno"> 984</span>&#160;<span class="preprocessor">#define ALLOC_OBJ(type, name) \</span></div>
<div class="line"><a name="l00985"></a><span class="lineno"> 985</span>&#160;<span class="preprocessor"> uint64_t name##_x[(sizeof(type) + sizeof(uint64_t) - 1) / sizeof(uint64_t)]</span></div>
<div class="line"><a name="l00986"></a><span class="lineno"> 986</span>&#160;<span class="preprocessor"></span></div>
<div class="line"><a name="l00987"></a><span class="lineno"> 987</span>&#160;<span class="preprocessor">#define INIT_OBJ(type, name) \</span></div>
<div class="line"><a name="l00988"></a><span class="lineno"> 988</span>&#160;<span class="preprocessor"> type *name = new (state.name##_x) type</span></div>
<div class="line"><a name="l00989"></a><span class="lineno"> 989</span>&#160;<span class="preprocessor"></span></div>
<div class="line"><a name="l00990"></a><span class="lineno"> 990</span>&#160;<span class="preprocessor">#if defined(__AVR__)</span></div>
<div class="line"><a name="l00991"></a><span class="lineno"> 991</span>&#160;<span class="preprocessor"></span><span class="preprocessor">#define NEWHOPE_BYTE_ALIGNED 1</span></div>
<div class="line"><a name="l00992"></a><span class="lineno"> 992</span>&#160;<span class="preprocessor"></span><span class="preprocessor">#else</span></div>
<div class="line"><a name="l00993"></a><span class="lineno"> 993</span>&#160;<span class="preprocessor"></span><span class="preprocessor">#define NEWHOPE_BYTE_ALIGNED 0</span></div>
<div class="line"><a name="l00994"></a><span class="lineno"> 994</span>&#160;<span class="preprocessor"></span><span class="preprocessor">#endif</span></div>
<div class="line"><a name="l00995"></a><span class="lineno"> 995</span>&#160;<span class="preprocessor"></span></div>
<div class="line"><a name="l01014"></a><span class="lineno"><a class="line" href="classNewHope.html#a335b17b40949f66aa579d1035384662c"> 1014</a></span>&#160;<span class="keywordtype">void</span> <a class="code" href="classNewHope.html#a335b17b40949f66aa579d1035384662c">NewHope::keygen</a>(uint8_t send[NEWHOPE_SENDABYTES], <a class="code" href="structNewHopePrivateKey.html">NewHopePrivateKey</a> &amp;sk,</div>
<div class="line"><a name="l01015"></a><span class="lineno"> 1015</span>&#160; <a class="code" href="classNewHope.html#a679601da301134f037c3a5786bd7085f">Variant</a> variant, <span class="keyword">const</span> uint8_t *random_seed)</div>
<div class="line"><a name="l01016"></a><span class="lineno"> 1016</span>&#160;{</div>
<div class="line"><a name="l01017"></a><span class="lineno"> 1017</span>&#160; <span class="comment">// The order of calls is rearranged compared to the reference C version.</span></div>
<div class="line"><a name="l01018"></a><span class="lineno"> 1018</span>&#160; <span class="comment">// This allows us to get away with two temporary poly objects (a, pk)</span></div>
<div class="line"><a name="l01019"></a><span class="lineno"> 1019</span>&#160; <span class="comment">// instead of four (a, e, r, pk). This saves 4k of stack space.</span></div>
<div class="line"><a name="l01020"></a><span class="lineno"> 1020</span>&#160; <span class="comment">//</span></div>
<div class="line"><a name="l01021"></a><span class="lineno"> 1021</span>&#160; <span class="comment">// We also combine most of the state into a single union, which allows</span></div>
<div class="line"><a name="l01022"></a><span class="lineno"> 1022</span>&#160; <span class="comment">// us to overlap some of the larger objects and reuse the stack space</span></div>
<div class="line"><a name="l01023"></a><span class="lineno"> 1023</span>&#160; <span class="comment">// at different points within this function.</span></div>
<div class="line"><a name="l01024"></a><span class="lineno"> 1024</span>&#160; <span class="keyword">union </span>{</div>
<div class="line"><a name="l01025"></a><span class="lineno"> 1025</span>&#160; <span class="keyword">struct </span>{</div>
<div class="line"><a name="l01026"></a><span class="lineno"> 1026</span>&#160; uint16_t a[PARAM_N]; <span class="comment">// Value of &quot;a&quot; as a &quot;poly&quot; object.</span></div>
<div class="line"><a name="l01027"></a><span class="lineno"> 1027</span>&#160; uint16_t pk[PARAM_N]; <span class="comment">// Value of &quot;pk&quot; as a &quot;poly&quot; object.</span></div>
<div class="line"><a name="l01028"></a><span class="lineno"> 1028</span>&#160; };</div>
<div class="line"><a name="l01029"></a><span class="lineno"> 1029</span>&#160; <span class="keyword">struct </span>{</div>
<div class="line"><a name="l01030"></a><span class="lineno"> 1030</span>&#160; uint16_t a_ext[84 * 16]; <span class="comment">// Value of &quot;a&quot; for torref uniform.</span></div>
<div class="line"><a name="l01031"></a><span class="lineno"> 1031</span>&#160; ALLOC_OBJ(<a class="code" href="classSHAKE128.html">SHAKE128</a>, shake); <span class="comment">// SHAKE128 object for poly_uniform().</span></div>
<div class="line"><a name="l01032"></a><span class="lineno"> 1032</span>&#160; };</div>
<div class="line"><a name="l01033"></a><span class="lineno"> 1033</span>&#160; ALLOC_OBJ(<a class="code" href="classSHA3__256.html">SHA3_256</a>, sha3); <span class="comment">// SHA3 object for hashing the seed.</span></div>
<div class="line"><a name="l01034"></a><span class="lineno"> 1034</span>&#160; } state;</div>
<div class="line"><a name="l01035"></a><span class="lineno"> 1035</span>&#160;</div>
<div class="line"><a name="l01036"></a><span class="lineno"> 1036</span>&#160; <span class="comment">// Hide the ChaCha state and the noise seed inside &quot;send&quot;.</span></div>
<div class="line"><a name="l01037"></a><span class="lineno"> 1037</span>&#160;<span class="preprocessor">#if NEWHOPE_BYTE_ALIGNED</span></div>
<div class="line"><a name="l01038"></a><span class="lineno"> 1038</span>&#160;<span class="preprocessor"></span><span class="preprocessor"> #define chacha (*((NewHopeChaChaState *)send))</span></div>
<div class="line"><a name="l01039"></a><span class="lineno"> 1039</span>&#160;<span class="preprocessor"></span><span class="preprocessor">#else</span></div>
<div class="line"><a name="l01040"></a><span class="lineno"> 1040</span>&#160;<span class="preprocessor"></span> NewHopeChaChaState chacha;</div>
<div class="line"><a name="l01041"></a><span class="lineno"> 1041</span>&#160;<span class="preprocessor">#endif</span></div>
<div class="line"><a name="l01042"></a><span class="lineno"> 1042</span>&#160;<span class="preprocessor"></span><span class="preprocessor">#if NEWHOPE_SMALL_FOOTPRINT</span></div>
<div class="line"><a name="l01043"></a><span class="lineno"> 1043</span>&#160;<span class="preprocessor"></span><span class="preprocessor"> #define noiseseed (sk.seed)</span></div>
<div class="line"><a name="l01044"></a><span class="lineno"> 1044</span>&#160;<span class="preprocessor"></span><span class="preprocessor">#else</span></div>
<div class="line"><a name="l01045"></a><span class="lineno"> 1045</span>&#160;<span class="preprocessor"></span><span class="preprocessor"> #define noiseseed (send + sizeof(NewHopeChaChaState))</span></div>
<div class="line"><a name="l01046"></a><span class="lineno"> 1046</span>&#160;<span class="preprocessor"></span><span class="preprocessor">#endif</span></div>
<div class="line"><a name="l01047"></a><span class="lineno"> 1047</span>&#160;<span class="preprocessor"></span></div>
<div class="line"><a name="l01048"></a><span class="lineno"> 1048</span>&#160; <span class="keywordflow">if</span> (!random_seed) {</div>
<div class="line"><a name="l01049"></a><span class="lineno"> 1049</span>&#160; RNG.<a class="code" href="classRNGClass.html#a418a833cf18198fd7e5d6dbd78c99c29">rand</a>(send + POLY_BYTES, NEWHOPE_SEEDBYTES);</div>
<div class="line"><a name="l01050"></a><span class="lineno"> 1050</span>&#160; RNG.<a class="code" href="classRNGClass.html#a418a833cf18198fd7e5d6dbd78c99c29">rand</a>(noiseseed, 32);</div>
<div class="line"><a name="l01051"></a><span class="lineno"> 1051</span>&#160; } <span class="keywordflow">else</span> {</div>
<div class="line"><a name="l01052"></a><span class="lineno"> 1052</span>&#160; memcpy(send + POLY_BYTES, random_seed, NEWHOPE_SEEDBYTES);</div>
<div class="line"><a name="l01053"></a><span class="lineno"> 1053</span>&#160; memcpy(noiseseed, random_seed + NEWHOPE_SEEDBYTES, 32);</div>
<div class="line"><a name="l01054"></a><span class="lineno"> 1054</span>&#160; }</div>
<div class="line"><a name="l01055"></a><span class="lineno"> 1055</span>&#160; INIT_OBJ(<a class="code" href="classSHA3__256.html">SHA3_256</a>, sha3);</div>
<div class="line"><a name="l01056"></a><span class="lineno"> 1056</span>&#160; sha3-&gt;update(send + POLY_BYTES, NEWHOPE_SEEDBYTES);</div>
<div class="line"><a name="l01057"></a><span class="lineno"> 1057</span>&#160; sha3-&gt;finalize(send + POLY_BYTES, NEWHOPE_SEEDBYTES);</div>
<div class="line"><a name="l01058"></a><span class="lineno"> 1058</span>&#160;</div>
<div class="line"><a name="l01059"></a><span class="lineno"> 1059</span>&#160; INIT_OBJ(<a class="code" href="classSHAKE128.html">SHAKE128</a>, shake);</div>
<div class="line"><a name="l01060"></a><span class="lineno"> 1060</span>&#160; <span class="keywordflow">if</span> (variant == <a class="code" href="classNewHope.html#a679601da301134f037c3a5786bd7085fa2326f3fd76345d5900834593a74f6596">Ref</a>)</div>
<div class="line"><a name="l01061"></a><span class="lineno"> 1061</span>&#160; poly_uniform(shake, state.a, send + POLY_BYTES);</div>
<div class="line"><a name="l01062"></a><span class="lineno"> 1062</span>&#160; <span class="keywordflow">else</span></div>
<div class="line"><a name="l01063"></a><span class="lineno"> 1063</span>&#160; poly_uniform_torref(shake, state.a_ext, send + POLY_BYTES);</div>
<div class="line"><a name="l01064"></a><span class="lineno"> 1064</span>&#160;</div>
<div class="line"><a name="l01065"></a><span class="lineno"> 1065</span>&#160; crypto_chacha20_set_key(chacha.input, noiseseed);</div>
<div class="line"><a name="l01066"></a><span class="lineno"> 1066</span>&#160;</div>
<div class="line"><a name="l01067"></a><span class="lineno"> 1067</span>&#160;<span class="preprocessor">#if NEWHOPE_SMALL_FOOTPRINT</span></div>
<div class="line"><a name="l01068"></a><span class="lineno"> 1068</span>&#160;<span class="preprocessor"></span> poly_getnoise(state.pk, &amp;chacha, 0);</div>
<div class="line"><a name="l01069"></a><span class="lineno"> 1069</span>&#160; poly_ntt(state.pk);</div>
<div class="line"><a name="l01070"></a><span class="lineno"> 1070</span>&#160; poly_pointwise(state.pk, state.pk, state.a);</div>
<div class="line"><a name="l01071"></a><span class="lineno"> 1071</span>&#160;<span class="preprocessor">#else</span></div>
<div class="line"><a name="l01072"></a><span class="lineno"> 1072</span>&#160;<span class="preprocessor"></span> poly_getnoise(sk.coeffs, &amp;chacha, 0);</div>
<div class="line"><a name="l01073"></a><span class="lineno"> 1073</span>&#160; poly_ntt(sk.coeffs);</div>
<div class="line"><a name="l01074"></a><span class="lineno"> 1074</span>&#160; poly_pointwise(state.pk, sk.coeffs, state.a);</div>
<div class="line"><a name="l01075"></a><span class="lineno"> 1075</span>&#160;<span class="preprocessor">#endif</span></div>
<div class="line"><a name="l01076"></a><span class="lineno"> 1076</span>&#160;<span class="preprocessor"></span> </div>
<div class="line"><a name="l01077"></a><span class="lineno"> 1077</span>&#160; poly_getnoise(state.a, &amp;chacha, 1);</div>
<div class="line"><a name="l01078"></a><span class="lineno"> 1078</span>&#160; poly_ntt(state.a);</div>
<div class="line"><a name="l01079"></a><span class="lineno"> 1079</span>&#160;</div>
<div class="line"><a name="l01080"></a><span class="lineno"> 1080</span>&#160; poly_add(state.pk, state.a, state.pk);</div>
<div class="line"><a name="l01081"></a><span class="lineno"> 1081</span>&#160;</div>
<div class="line"><a name="l01082"></a><span class="lineno"> 1082</span>&#160; poly_tobytes(send, state.pk);</div>
<div class="line"><a name="l01083"></a><span class="lineno"> 1083</span>&#160;</div>
<div class="line"><a name="l01084"></a><span class="lineno"> 1084</span>&#160; clean(&amp;state, <span class="keyword">sizeof</span>(state));</div>
<div class="line"><a name="l01085"></a><span class="lineno"> 1085</span>&#160;<span class="preprocessor">#if !NEWHOPE_BYTE_ALIGNED</span></div>
<div class="line"><a name="l01086"></a><span class="lineno"> 1086</span>&#160;<span class="preprocessor"></span> clean(&amp;chacha, <span class="keyword">sizeof</span>(chacha));</div>
<div class="line"><a name="l01087"></a><span class="lineno"> 1087</span>&#160;<span class="preprocessor">#endif</span></div>
<div class="line"><a name="l01088"></a><span class="lineno"> 1088</span>&#160;<span class="preprocessor"></span><span class="preprocessor"> #undef noiseseed</span></div>
<div class="line"><a name="l01089"></a><span class="lineno"> 1089</span>&#160;<span class="preprocessor"></span><span class="preprocessor"> #undef chacha</span></div>
<div class="line"><a name="l01090"></a><span class="lineno"> 1090</span>&#160;<span class="preprocessor"></span>}</div>
<div class="line"><a name="l01091"></a><span class="lineno"> 1091</span>&#160;</div>
<div class="line"><a name="l01116"></a><span class="lineno"><a class="line" href="classNewHope.html#a2f09529f5f73cf9763c28b58b13bbd14"> 1116</a></span>&#160;<span class="keywordtype">void</span> <a class="code" href="classNewHope.html#a2f09529f5f73cf9763c28b58b13bbd14">NewHope::sharedb</a>(uint8_t shared_key[NEWHOPE_SHAREDBYTES],</div>
<div class="line"><a name="l01117"></a><span class="lineno"> 1117</span>&#160; uint8_t send[NEWHOPE_SENDBBYTES],</div>
<div class="line"><a name="l01118"></a><span class="lineno"> 1118</span>&#160; uint8_t received[NEWHOPE_SENDABYTES],</div>
<div class="line"><a name="l01119"></a><span class="lineno"> 1119</span>&#160; <a class="code" href="classNewHope.html#a679601da301134f037c3a5786bd7085f">Variant</a> variant, <span class="keyword">const</span> uint8_t *random_seed)</div>
<div class="line"><a name="l01120"></a><span class="lineno"> 1120</span>&#160;{</div>
<div class="line"><a name="l01121"></a><span class="lineno"> 1121</span>&#160;<span class="preprocessor">#if NEWHOPE_SMALL_FOOTPRINT &amp;&amp; NEWHOPE_BYTE_ALIGNED</span></div>
<div class="line"><a name="l01122"></a><span class="lineno"> 1122</span>&#160;<span class="preprocessor"></span> <span class="comment">// The order of calls is rearranged compared to the reference C version.</span></div>
<div class="line"><a name="l01123"></a><span class="lineno"> 1123</span>&#160; <span class="comment">// This allows us to get away with 2 temporary poly objects (v, a)</span></div>
<div class="line"><a name="l01124"></a><span class="lineno"> 1124</span>&#160; <span class="comment">// instead of 8 (sp, ep, v, a, pka, c, epp, bp). Saves 12k of stack space.</span></div>
<div class="line"><a name="l01125"></a><span class="lineno"> 1125</span>&#160; <span class="comment">// To achieve this, we reuse &quot;send&quot; as the third temporary poly object bp.</span></div>
<div class="line"><a name="l01126"></a><span class="lineno"> 1126</span>&#160; <span class="comment">//</span></div>
<div class="line"><a name="l01127"></a><span class="lineno"> 1127</span>&#160; <span class="comment">// We also combine most of the state into a single union, which allows</span></div>
<div class="line"><a name="l01128"></a><span class="lineno"> 1128</span>&#160; <span class="comment">// us to overlap some of the larger objects and reuse the stack space</span></div>
<div class="line"><a name="l01129"></a><span class="lineno"> 1129</span>&#160; <span class="comment">// at different points within this function.</span></div>
<div class="line"><a name="l01130"></a><span class="lineno"> 1130</span>&#160; <span class="keyword">union </span>{</div>
<div class="line"><a name="l01131"></a><span class="lineno"> 1131</span>&#160; <span class="keyword">struct </span>{</div>
<div class="line"><a name="l01132"></a><span class="lineno"> 1132</span>&#160; uint16_t a[PARAM_N]; <span class="comment">// Value of &quot;a&quot; as a &quot;poly&quot; object.</span></div>
<div class="line"><a name="l01133"></a><span class="lineno"> 1133</span>&#160; uint16_t v[PARAM_N]; <span class="comment">// Value of &quot;v&quot; as a &quot;poly&quot; object.</span></div>
<div class="line"><a name="l01134"></a><span class="lineno"> 1134</span>&#160; };</div>
<div class="line"><a name="l01135"></a><span class="lineno"> 1135</span>&#160; <span class="keyword">struct </span>{</div>
<div class="line"><a name="l01136"></a><span class="lineno"> 1136</span>&#160; uint16_t a_ext[84 * 16]; <span class="comment">// Value of &quot;a&quot; for torref uniform.</span></div>
<div class="line"><a name="l01137"></a><span class="lineno"> 1137</span>&#160; ALLOC_OBJ(<a class="code" href="classSHAKE128.html">SHAKE128</a>, shake); <span class="comment">// SHAKE128 object for poly_uniform().</span></div>
<div class="line"><a name="l01138"></a><span class="lineno"> 1138</span>&#160; };</div>
<div class="line"><a name="l01139"></a><span class="lineno"> 1139</span>&#160; ALLOC_OBJ(<a class="code" href="classSHA3__256.html">SHA3_256</a>, sha3); <span class="comment">// SHA3 object for hashing the result.</span></div>
<div class="line"><a name="l01140"></a><span class="lineno"> 1140</span>&#160; } state;</div>
<div class="line"><a name="l01141"></a><span class="lineno"> 1141</span>&#160; uint8_t seed[32];</div>
<div class="line"><a name="l01142"></a><span class="lineno"> 1142</span>&#160; NewHopeChaChaState chacha;</div>
<div class="line"><a name="l01143"></a><span class="lineno"> 1143</span>&#160;<span class="preprocessor"> #define bp ((uint16_t *)send)</span></div>
<div class="line"><a name="l01144"></a><span class="lineno"> 1144</span>&#160;<span class="preprocessor"></span></div>
<div class="line"><a name="l01145"></a><span class="lineno"> 1145</span>&#160; <span class="keywordflow">if</span> (!random_seed) {</div>
<div class="line"><a name="l01146"></a><span class="lineno"> 1146</span>&#160; RNG.<a class="code" href="classRNGClass.html#a418a833cf18198fd7e5d6dbd78c99c29">rand</a>(seed, 32);</div>
<div class="line"><a name="l01147"></a><span class="lineno"> 1147</span>&#160; crypto_chacha20_set_key(chacha.input, seed);</div>
<div class="line"><a name="l01148"></a><span class="lineno"> 1148</span>&#160; } <span class="keywordflow">else</span> {</div>
<div class="line"><a name="l01149"></a><span class="lineno"> 1149</span>&#160; crypto_chacha20_set_key(chacha.input, random_seed);</div>
<div class="line"><a name="l01150"></a><span class="lineno"> 1150</span>&#160; }</div>
<div class="line"><a name="l01151"></a><span class="lineno"> 1151</span>&#160;</div>
<div class="line"><a name="l01152"></a><span class="lineno"> 1152</span>&#160; poly_frombytes(state.a, received);</div>
<div class="line"><a name="l01153"></a><span class="lineno"> 1153</span>&#160; memcpy(seed, received + POLY_BYTES, 32);</div>
<div class="line"><a name="l01154"></a><span class="lineno"> 1154</span>&#160;</div>
<div class="line"><a name="l01155"></a><span class="lineno"> 1155</span>&#160; poly_getnoise(bp, &amp;chacha, 0);</div>
<div class="line"><a name="l01156"></a><span class="lineno"> 1156</span>&#160; poly_ntt(bp);</div>
<div class="line"><a name="l01157"></a><span class="lineno"> 1157</span>&#160;</div>
<div class="line"><a name="l01158"></a><span class="lineno"> 1158</span>&#160; poly_pointwise(state.v, state.a, bp);</div>
<div class="line"><a name="l01159"></a><span class="lineno"> 1159</span>&#160; poly_invntt(state.v);</div>
<div class="line"><a name="l01160"></a><span class="lineno"> 1160</span>&#160;</div>
<div class="line"><a name="l01161"></a><span class="lineno"> 1161</span>&#160; poly_getnoise(bp, &amp;chacha, 2);</div>
<div class="line"><a name="l01162"></a><span class="lineno"> 1162</span>&#160;</div>
<div class="line"><a name="l01163"></a><span class="lineno"> 1163</span>&#160; poly_add(state.v, state.v, bp);</div>
<div class="line"><a name="l01164"></a><span class="lineno"> 1164</span>&#160;</div>
<div class="line"><a name="l01165"></a><span class="lineno"> 1165</span>&#160; helprec(&amp;chacha, state.a, state.v, 3);</div>
<div class="line"><a name="l01166"></a><span class="lineno"> 1166</span>&#160;</div>
<div class="line"><a name="l01167"></a><span class="lineno"> 1167</span>&#160; encode_b_2nd_half(send, state.a);</div>
<div class="line"><a name="l01168"></a><span class="lineno"> 1168</span>&#160; </div>
<div class="line"><a name="l01169"></a><span class="lineno"> 1169</span>&#160; rec(shared_key, state.v, state.a);</div>
<div class="line"><a name="l01170"></a><span class="lineno"> 1170</span>&#160;</div>
<div class="line"><a name="l01171"></a><span class="lineno"> 1171</span>&#160; INIT_OBJ(<a class="code" href="classSHA3__256.html">SHA3_256</a>, sha3);</div>
<div class="line"><a name="l01172"></a><span class="lineno"> 1172</span>&#160; sha3-&gt;update(shared_key, 32);</div>
<div class="line"><a name="l01173"></a><span class="lineno"> 1173</span>&#160; sha3-&gt;finalize(shared_key, 32);</div>
<div class="line"><a name="l01174"></a><span class="lineno"> 1174</span>&#160;</div>
<div class="line"><a name="l01175"></a><span class="lineno"> 1175</span>&#160; INIT_OBJ(<a class="code" href="classSHAKE128.html">SHAKE128</a>, shake);</div>
<div class="line"><a name="l01176"></a><span class="lineno"> 1176</span>&#160; <span class="keywordflow">if</span> (variant == <a class="code" href="classNewHope.html#a679601da301134f037c3a5786bd7085fa2326f3fd76345d5900834593a74f6596">Ref</a>)</div>
<div class="line"><a name="l01177"></a><span class="lineno"> 1177</span>&#160; poly_uniform(shake, state.a, seed);</div>
<div class="line"><a name="l01178"></a><span class="lineno"> 1178</span>&#160; <span class="keywordflow">else</span></div>
<div class="line"><a name="l01179"></a><span class="lineno"> 1179</span>&#160; poly_uniform_torref(shake, state.a_ext, seed);</div>
<div class="line"><a name="l01180"></a><span class="lineno"> 1180</span>&#160;</div>
<div class="line"><a name="l01181"></a><span class="lineno"> 1181</span>&#160; poly_getnoise(state.v, &amp;chacha, 0);</div>
<div class="line"><a name="l01182"></a><span class="lineno"> 1182</span>&#160; poly_ntt(state.v);</div>
<div class="line"><a name="l01183"></a><span class="lineno"> 1183</span>&#160;</div>
<div class="line"><a name="l01184"></a><span class="lineno"> 1184</span>&#160; poly_pointwise(state.a, state.a, state.v);</div>
<div class="line"><a name="l01185"></a><span class="lineno"> 1185</span>&#160;</div>
<div class="line"><a name="l01186"></a><span class="lineno"> 1186</span>&#160; poly_getnoise(state.v, &amp;chacha, 1);</div>
<div class="line"><a name="l01187"></a><span class="lineno"> 1187</span>&#160; poly_ntt(state.v);</div>
<div class="line"><a name="l01188"></a><span class="lineno"> 1188</span>&#160;</div>
<div class="line"><a name="l01189"></a><span class="lineno"> 1189</span>&#160; poly_add(state.a, state.a, state.v);</div>
<div class="line"><a name="l01190"></a><span class="lineno"> 1190</span>&#160;</div>
<div class="line"><a name="l01191"></a><span class="lineno"> 1191</span>&#160; poly_tobytes(send, state.a);</div>
<div class="line"><a name="l01192"></a><span class="lineno"> 1192</span>&#160;</div>
<div class="line"><a name="l01193"></a><span class="lineno"> 1193</span>&#160; clean(&amp;state, <span class="keyword">sizeof</span>(state));</div>
<div class="line"><a name="l01194"></a><span class="lineno"> 1194</span>&#160; clean(&amp;chacha, <span class="keyword">sizeof</span>(chacha));</div>
<div class="line"><a name="l01195"></a><span class="lineno"> 1195</span>&#160; clean(seed, <span class="keyword">sizeof</span>(seed));</div>
<div class="line"><a name="l01196"></a><span class="lineno"> 1196</span>&#160;<span class="preprocessor"> #undef bp</span></div>
<div class="line"><a name="l01197"></a><span class="lineno"> 1197</span>&#160;<span class="preprocessor"></span><span class="preprocessor">#else</span></div>
<div class="line"><a name="l01198"></a><span class="lineno"> 1198</span>&#160;<span class="preprocessor"></span> <span class="comment">// The order of calls is rearranged compared to the reference C version.</span></div>
<div class="line"><a name="l01199"></a><span class="lineno"> 1199</span>&#160; <span class="comment">// This allows us to get away with 3 temporary poly objects (v, a, bp)</span></div>
<div class="line"><a name="l01200"></a><span class="lineno"> 1200</span>&#160; <span class="comment">// instead of 8 (sp, ep, v, a, pka, c, epp, bp). Saves 10k of stack space.</span></div>
<div class="line"><a name="l01201"></a><span class="lineno"> 1201</span>&#160; <span class="comment">//</span></div>
<div class="line"><a name="l01202"></a><span class="lineno"> 1202</span>&#160; <span class="comment">// We also combine most of the state into a single union, which allows</span></div>
<div class="line"><a name="l01203"></a><span class="lineno"> 1203</span>&#160; <span class="comment">// us to overlap some of the larger objects and reuse the stack space</span></div>
<div class="line"><a name="l01204"></a><span class="lineno"> 1204</span>&#160; <span class="comment">// at different points within this function.</span></div>
<div class="line"><a name="l01205"></a><span class="lineno"> 1205</span>&#160; <span class="keyword">union </span>{</div>
<div class="line"><a name="l01206"></a><span class="lineno"> 1206</span>&#160; <span class="keyword">struct </span>{</div>
<div class="line"><a name="l01207"></a><span class="lineno"> 1207</span>&#160; uint16_t a[PARAM_N]; <span class="comment">// Value of &quot;a&quot; as a &quot;poly&quot; object.</span></div>
<div class="line"><a name="l01208"></a><span class="lineno"> 1208</span>&#160; uint16_t v[PARAM_N]; <span class="comment">// Value of &quot;v&quot; as a &quot;poly&quot; object.</span></div>
<div class="line"><a name="l01209"></a><span class="lineno"> 1209</span>&#160; uint16_t bp[PARAM_N]; <span class="comment">// Value of &quot;bp&quot; as a &quot;poly&quot; object.</span></div>
<div class="line"><a name="l01210"></a><span class="lineno"> 1210</span>&#160; };</div>
<div class="line"><a name="l01211"></a><span class="lineno"> 1211</span>&#160; <span class="keyword">struct </span>{</div>
<div class="line"><a name="l01212"></a><span class="lineno"> 1212</span>&#160; uint16_t a_ext[84 * 16]; <span class="comment">// Value of &quot;a&quot; for torref uniform.</span></div>
<div class="line"><a name="l01213"></a><span class="lineno"> 1213</span>&#160; ALLOC_OBJ(<a class="code" href="classSHAKE128.html">SHAKE128</a>, shake); <span class="comment">// SHAKE128 object for poly_uniform().</span></div>
<div class="line"><a name="l01214"></a><span class="lineno"> 1214</span>&#160; };</div>
<div class="line"><a name="l01215"></a><span class="lineno"> 1215</span>&#160; ALLOC_OBJ(<a class="code" href="classSHA3__256.html">SHA3_256</a>, sha3); <span class="comment">// SHA3 object for hashing the result.</span></div>
<div class="line"><a name="l01216"></a><span class="lineno"> 1216</span>&#160; } state;</div>
<div class="line"><a name="l01217"></a><span class="lineno"> 1217</span>&#160;</div>
<div class="line"><a name="l01218"></a><span class="lineno"> 1218</span>&#160; <span class="comment">// Hide the ChaCha state and the noise seed inside &quot;send&quot;.</span></div>
<div class="line"><a name="l01219"></a><span class="lineno"> 1219</span>&#160; <span class="comment">// Put them at the end of the &quot;send&quot; buffer in case &quot;received&quot;</span></div>
<div class="line"><a name="l01220"></a><span class="lineno"> 1220</span>&#160; <span class="comment">// overlaps with the start of &quot;send&quot;.</span></div>
<div class="line"><a name="l01221"></a><span class="lineno"> 1221</span>&#160;<span class="preprocessor">#if NEWHOPE_BYTE_ALIGNED</span></div>
<div class="line"><a name="l01222"></a><span class="lineno"> 1222</span>&#160;<span class="preprocessor"></span><span class="preprocessor"> #define chacha (*((NewHopeChaChaState *)(send + NEWHOPE_SENDABYTES)))</span></div>
<div class="line"><a name="l01223"></a><span class="lineno"> 1223</span>&#160;<span class="preprocessor"></span><span class="preprocessor">#else</span></div>
<div class="line"><a name="l01224"></a><span class="lineno"> 1224</span>&#160;<span class="preprocessor"></span> NewHopeChaChaState chacha;</div>
<div class="line"><a name="l01225"></a><span class="lineno"> 1225</span>&#160;<span class="preprocessor">#endif</span></div>
<div class="line"><a name="l01226"></a><span class="lineno"> 1226</span>&#160;<span class="preprocessor"></span><span class="preprocessor"> #define noiseseed (send + NEWHOPE_SENDABYTES + sizeof(NewHopeChaChaState))</span></div>
<div class="line"><a name="l01227"></a><span class="lineno"> 1227</span>&#160;<span class="preprocessor"></span></div>
<div class="line"><a name="l01228"></a><span class="lineno"> 1228</span>&#160; <span class="keywordflow">if</span> (!random_seed)</div>
<div class="line"><a name="l01229"></a><span class="lineno"> 1229</span>&#160; RNG.<a class="code" href="classRNGClass.html#a418a833cf18198fd7e5d6dbd78c99c29">rand</a>(noiseseed, 32);</div>
<div class="line"><a name="l01230"></a><span class="lineno"> 1230</span>&#160; <span class="keywordflow">else</span></div>
<div class="line"><a name="l01231"></a><span class="lineno"> 1231</span>&#160; memcpy(noiseseed, random_seed, 32);</div>
<div class="line"><a name="l01232"></a><span class="lineno"> 1232</span>&#160;</div>
<div class="line"><a name="l01233"></a><span class="lineno"> 1233</span>&#160; INIT_OBJ(<a class="code" href="classSHAKE128.html">SHAKE128</a>, shake);</div>
<div class="line"><a name="l01234"></a><span class="lineno"> 1234</span>&#160; <span class="keywordflow">if</span> (variant == <a class="code" href="classNewHope.html#a679601da301134f037c3a5786bd7085fa2326f3fd76345d5900834593a74f6596">Ref</a>)</div>
<div class="line"><a name="l01235"></a><span class="lineno"> 1235</span>&#160; poly_uniform(shake, state.a, received + POLY_BYTES);</div>
<div class="line"><a name="l01236"></a><span class="lineno"> 1236</span>&#160; <span class="keywordflow">else</span></div>
<div class="line"><a name="l01237"></a><span class="lineno"> 1237</span>&#160; poly_uniform_torref(shake, state.a_ext, received + POLY_BYTES);</div>
<div class="line"><a name="l01238"></a><span class="lineno"> 1238</span>&#160;</div>
<div class="line"><a name="l01239"></a><span class="lineno"> 1239</span>&#160; crypto_chacha20_set_key(chacha.input, noiseseed);</div>
<div class="line"><a name="l01240"></a><span class="lineno"> 1240</span>&#160;</div>
<div class="line"><a name="l01241"></a><span class="lineno"> 1241</span>&#160; poly_getnoise(state.v, &amp;chacha, 0);</div>
<div class="line"><a name="l01242"></a><span class="lineno"> 1242</span>&#160; poly_ntt(state.v);</div>
<div class="line"><a name="l01243"></a><span class="lineno"> 1243</span>&#160;</div>
<div class="line"><a name="l01244"></a><span class="lineno"> 1244</span>&#160; poly_pointwise(state.bp, state.a, state.v);</div>
<div class="line"><a name="l01245"></a><span class="lineno"> 1245</span>&#160;</div>
<div class="line"><a name="l01246"></a><span class="lineno"> 1246</span>&#160; poly_getnoise(state.a, &amp;chacha, 1);</div>
<div class="line"><a name="l01247"></a><span class="lineno"> 1247</span>&#160; poly_ntt(state.a);</div>
<div class="line"><a name="l01248"></a><span class="lineno"> 1248</span>&#160;</div>
<div class="line"><a name="l01249"></a><span class="lineno"> 1249</span>&#160; poly_add(state.bp, state.bp, state.a);</div>
<div class="line"><a name="l01250"></a><span class="lineno"> 1250</span>&#160; </div>
<div class="line"><a name="l01251"></a><span class="lineno"> 1251</span>&#160; poly_frombytes(state.a, received);</div>
<div class="line"><a name="l01252"></a><span class="lineno"> 1252</span>&#160;</div>
<div class="line"><a name="l01253"></a><span class="lineno"> 1253</span>&#160; poly_pointwise(state.v, state.a, state.v);</div>
<div class="line"><a name="l01254"></a><span class="lineno"> 1254</span>&#160; poly_invntt(state.v);</div>
<div class="line"><a name="l01255"></a><span class="lineno"> 1255</span>&#160;</div>
<div class="line"><a name="l01256"></a><span class="lineno"> 1256</span>&#160; poly_getnoise(state.a, &amp;chacha, 2);</div>
<div class="line"><a name="l01257"></a><span class="lineno"> 1257</span>&#160; poly_add(state.v, state.v, state.a);</div>
<div class="line"><a name="l01258"></a><span class="lineno"> 1258</span>&#160;</div>
<div class="line"><a name="l01259"></a><span class="lineno"> 1259</span>&#160; helprec(&amp;chacha, state.a, state.v, 3);</div>
<div class="line"><a name="l01260"></a><span class="lineno"> 1260</span>&#160;</div>
<div class="line"><a name="l01261"></a><span class="lineno"> 1261</span>&#160; poly_tobytes(send, state.bp);</div>
<div class="line"><a name="l01262"></a><span class="lineno"> 1262</span>&#160; encode_b_2nd_half(send, state.a);</div>
<div class="line"><a name="l01263"></a><span class="lineno"> 1263</span>&#160; </div>
<div class="line"><a name="l01264"></a><span class="lineno"> 1264</span>&#160; rec(shared_key, state.v, state.a);</div>
<div class="line"><a name="l01265"></a><span class="lineno"> 1265</span>&#160;</div>
<div class="line"><a name="l01266"></a><span class="lineno"> 1266</span>&#160; INIT_OBJ(<a class="code" href="classSHA3__256.html">SHA3_256</a>, sha3);</div>
<div class="line"><a name="l01267"></a><span class="lineno"> 1267</span>&#160; sha3-&gt;update(shared_key, 32);</div>
<div class="line"><a name="l01268"></a><span class="lineno"> 1268</span>&#160; sha3-&gt;finalize(shared_key, 32);</div>
<div class="line"><a name="l01269"></a><span class="lineno"> 1269</span>&#160;</div>
<div class="line"><a name="l01270"></a><span class="lineno"> 1270</span>&#160; clean(&amp;state, <span class="keyword">sizeof</span>(state));</div>
<div class="line"><a name="l01271"></a><span class="lineno"> 1271</span>&#160;<span class="preprocessor">#if !NEWHOPE_BYTE_ALIGNED</span></div>
<div class="line"><a name="l01272"></a><span class="lineno"> 1272</span>&#160;<span class="preprocessor"></span> clean(&amp;chacha, <span class="keyword">sizeof</span>(chacha));</div>
<div class="line"><a name="l01273"></a><span class="lineno"> 1273</span>&#160;<span class="preprocessor">#endif</span></div>
<div class="line"><a name="l01274"></a><span class="lineno"> 1274</span>&#160;<span class="preprocessor"></span><span class="preprocessor">#undef noiseseed</span></div>
<div class="line"><a name="l01275"></a><span class="lineno"> 1275</span>&#160;<span class="preprocessor"></span><span class="preprocessor">#undef chacha</span></div>
<div class="line"><a name="l01276"></a><span class="lineno"> 1276</span>&#160;<span class="preprocessor"></span><span class="preprocessor">#endif</span></div>
<div class="line"><a name="l01277"></a><span class="lineno"> 1277</span>&#160;<span class="preprocessor"></span>}</div>
<div class="line"><a name="l01278"></a><span class="lineno"> 1278</span>&#160;</div>
<div class="line"><a name="l01288"></a><span class="lineno"><a class="line" href="classNewHope.html#ac8128e0799fe74a6c69c541e0d6bd66e"> 1288</a></span>&#160;<span class="keywordtype">void</span> <a class="code" href="classNewHope.html#ac8128e0799fe74a6c69c541e0d6bd66e">NewHope::shareda</a>(uint8_t shared_key[NEWHOPE_SHAREDBYTES],</div>
<div class="line"><a name="l01289"></a><span class="lineno"> 1289</span>&#160; <span class="keyword">const</span> <a class="code" href="structNewHopePrivateKey.html">NewHopePrivateKey</a> &amp;sk,</div>
<div class="line"><a name="l01290"></a><span class="lineno"> 1290</span>&#160; uint8_t received[NEWHOPE_SENDBBYTES])</div>
<div class="line"><a name="l01291"></a><span class="lineno"> 1291</span>&#160;{</div>
<div class="line"><a name="l01292"></a><span class="lineno"> 1292</span>&#160; <span class="comment">// The order of calls is rearranged compared to the reference C version.</span></div>
<div class="line"><a name="l01293"></a><span class="lineno"> 1293</span>&#160; <span class="comment">// This allows us to get away with two temporary poly objects (v, bp)</span></div>
<div class="line"><a name="l01294"></a><span class="lineno"> 1294</span>&#160; <span class="comment">// instead of three (v, bp, c). This saves 2k of stack space.</span></div>
<div class="line"><a name="l01295"></a><span class="lineno"> 1295</span>&#160; <span class="comment">//</span></div>
<div class="line"><a name="l01296"></a><span class="lineno"> 1296</span>&#160; <span class="comment">// We also combine most of the state into a single union, which allows</span></div>
<div class="line"><a name="l01297"></a><span class="lineno"> 1297</span>&#160; <span class="comment">// us to overlap some of the larger objects and reuse the stack space</span></div>
<div class="line"><a name="l01298"></a><span class="lineno"> 1298</span>&#160; <span class="comment">// at different points within this function.</span></div>
<div class="line"><a name="l01299"></a><span class="lineno"> 1299</span>&#160; <span class="keyword">union </span>{</div>
<div class="line"><a name="l01300"></a><span class="lineno"> 1300</span>&#160; <span class="keyword">struct </span>{</div>
<div class="line"><a name="l01301"></a><span class="lineno"> 1301</span>&#160; uint16_t v[PARAM_N]; <span class="comment">// Value of &quot;v&quot; as a &quot;poly&quot; object.</span></div>
<div class="line"><a name="l01302"></a><span class="lineno"> 1302</span>&#160; uint16_t bp[PARAM_N]; <span class="comment">// Value of &quot;bp&quot; as a &quot;poly&quot; object.</span></div>
<div class="line"><a name="l01303"></a><span class="lineno"> 1303</span>&#160; };</div>
<div class="line"><a name="l01304"></a><span class="lineno"> 1304</span>&#160; <span class="keyword">struct </span>{</div>
<div class="line"><a name="l01305"></a><span class="lineno"> 1305</span>&#160; uint16_t v_alt[PARAM_N];</div>
<div class="line"><a name="l01306"></a><span class="lineno"> 1306</span>&#160; ALLOC_OBJ(NewHopeChaChaState, chacha);</div>
<div class="line"><a name="l01307"></a><span class="lineno"> 1307</span>&#160; };</div>
<div class="line"><a name="l01308"></a><span class="lineno"> 1308</span>&#160; ALLOC_OBJ(<a class="code" href="classSHA3__256.html">SHA3_256</a>, sha3); <span class="comment">// SHA3 object for hashing the result.</span></div>
<div class="line"><a name="l01309"></a><span class="lineno"> 1309</span>&#160; } state;</div>
<div class="line"><a name="l01310"></a><span class="lineno"> 1310</span>&#160;</div>
<div class="line"><a name="l01311"></a><span class="lineno"> 1311</span>&#160;<span class="preprocessor">#if NEWHOPE_SMALL_FOOTPRINT</span></div>
<div class="line"><a name="l01312"></a><span class="lineno"> 1312</span>&#160;<span class="preprocessor"></span> <span class="comment">// Re-create the full private key for Alice from the seed.</span></div>
<div class="line"><a name="l01313"></a><span class="lineno"> 1313</span>&#160; INIT_OBJ(NewHopeChaChaState, chacha);</div>
<div class="line"><a name="l01314"></a><span class="lineno"> 1314</span>&#160; crypto_chacha20_set_key(chacha-&gt;input, sk.seed);</div>
<div class="line"><a name="l01315"></a><span class="lineno"> 1315</span>&#160; poly_getnoise(state.v, chacha, 0);</div>
<div class="line"><a name="l01316"></a><span class="lineno"> 1316</span>&#160; poly_ntt(state.v);</div>
<div class="line"><a name="l01317"></a><span class="lineno"> 1317</span>&#160; poly_frombytes(state.bp, received);</div>
<div class="line"><a name="l01318"></a><span class="lineno"> 1318</span>&#160; poly_pointwise(state.v, state.v, state.bp);</div>
<div class="line"><a name="l01319"></a><span class="lineno"> 1319</span>&#160; poly_invntt(state.v);</div>
<div class="line"><a name="l01320"></a><span class="lineno"> 1320</span>&#160;<span class="preprocessor">#else</span></div>
<div class="line"><a name="l01321"></a><span class="lineno"> 1321</span>&#160;<span class="preprocessor"></span> <span class="comment">// Alice&#39;s full private key was supplied.</span></div>
<div class="line"><a name="l01322"></a><span class="lineno"> 1322</span>&#160; poly_frombytes(state.bp, received);</div>
<div class="line"><a name="l01323"></a><span class="lineno"> 1323</span>&#160; poly_pointwise(state.v, sk.coeffs, state.bp);</div>
<div class="line"><a name="l01324"></a><span class="lineno"> 1324</span>&#160; poly_invntt(state.v);</div>
<div class="line"><a name="l01325"></a><span class="lineno"> 1325</span>&#160;<span class="preprocessor">#endif</span></div>
<div class="line"><a name="l01326"></a><span class="lineno"> 1326</span>&#160;<span class="preprocessor"></span></div>
<div class="line"><a name="l01327"></a><span class="lineno"> 1327</span>&#160; decode_b_2nd_half(state.bp, received);</div>
<div class="line"><a name="l01328"></a><span class="lineno"> 1328</span>&#160; </div>
<div class="line"><a name="l01329"></a><span class="lineno"> 1329</span>&#160; rec(shared_key, state.v, state.bp);</div>
<div class="line"><a name="l01330"></a><span class="lineno"> 1330</span>&#160;</div>
<div class="line"><a name="l01331"></a><span class="lineno"> 1331</span>&#160; INIT_OBJ(<a class="code" href="classSHA3__256.html">SHA3_256</a>, sha3);</div>
<div class="line"><a name="l01332"></a><span class="lineno"> 1332</span>&#160; sha3-&gt;update(shared_key, 32);</div>
<div class="line"><a name="l01333"></a><span class="lineno"> 1333</span>&#160; sha3-&gt;finalize(shared_key, 32);</div>
<div class="line"><a name="l01334"></a><span class="lineno"> 1334</span>&#160;</div>
<div class="line"><a name="l01335"></a><span class="lineno"> 1335</span>&#160; clean(&amp;state, <span class="keyword">sizeof</span>(state));</div>
<div class="line"><a name="l01336"></a><span class="lineno"> 1336</span>&#160;}</div>
<div class="ttc" id="classRNGClass_html_a418a833cf18198fd7e5d6dbd78c99c29"><div class="ttname"><a href="classRNGClass.html#a418a833cf18198fd7e5d6dbd78c99c29">RNGClass::rand</a></div><div class="ttdeci">void rand(uint8_t *data, size_t len)</div><div class="ttdoc">Generates random bytes into a caller-supplied buffer. </div><div class="ttdef"><b>Definition:</b> <a href="RNG_8cpp_source.html#l00508">RNG.cpp:508</a></div></div>
<div class="ttc" id="classNewHope_html_a679601da301134f037c3a5786bd7085f"><div class="ttname"><a href="classNewHope.html#a679601da301134f037c3a5786bd7085f">NewHope::Variant</a></div><div class="ttdeci">Variant</div><div class="ttdoc">Describes the variant of the New Hope algorithm to implement. </div><div class="ttdef"><b>Definition:</b> <a href="NewHope_8h_source.html#l00057">NewHope.h:57</a></div></div>
<div class="ttc" id="classSHAKE128_html"><div class="ttname"><a href="classSHAKE128.html">SHAKE128</a></div><div class="ttdoc">SHAKE Extendable-Output Function (XOF) with 128-bit security. </div><div class="ttdef"><b>Definition:</b> <a href="SHAKE_8h_source.html#l00052">SHAKE.h:52</a></div></div>
<div class="ttc" id="classNewHope_html_a335b17b40949f66aa579d1035384662c"><div class="ttname"><a href="classNewHope.html#a335b17b40949f66aa579d1035384662c">NewHope::keygen</a></div><div class="ttdeci">static void keygen(uint8_t send[NEWHOPE_SENDABYTES], NewHopePrivateKey &amp;sk, Variant variant=Ref, const uint8_t *random_seed=0)</div><div class="ttdoc">Generates the key pair for Alice in a New Hope key exchange. </div><div class="ttdef"><b>Definition:</b> <a href="NewHope_8cpp_source.html#l01014">NewHope.cpp:1014</a></div></div>
<div class="ttc" id="classNewHope_html_ac8128e0799fe74a6c69c541e0d6bd66e"><div class="ttname"><a href="classNewHope.html#ac8128e0799fe74a6c69c541e0d6bd66e">NewHope::shareda</a></div><div class="ttdeci">static void shareda(uint8_t shared_key[NEWHOPE_SHAREDBYTES], const NewHopePrivateKey &amp;sk, uint8_t received[NEWHOPE_SENDBBYTES])</div><div class="ttdoc">Generates the shared secret for Alice. </div><div class="ttdef"><b>Definition:</b> <a href="NewHope_8cpp_source.html#l01288">NewHope.cpp:1288</a></div></div>
<div class="ttc" id="structNewHopePrivateKey_html"><div class="ttname"><a href="structNewHopePrivateKey.html">NewHopePrivateKey</a></div><div class="ttdoc">NewHope private key representation. </div><div class="ttdef"><b>Definition:</b> <a href="NewHope_8h_source.html#l00038">NewHope.h:38</a></div></div>
<div class="ttc" id="classNewHope_html_a2f09529f5f73cf9763c28b58b13bbd14"><div class="ttname"><a href="classNewHope.html#a2f09529f5f73cf9763c28b58b13bbd14">NewHope::sharedb</a></div><div class="ttdeci">static void sharedb(uint8_t shared_key[NEWHOPE_SHAREDBYTES], uint8_t send[NEWHOPE_SENDBBYTES], uint8_t received[NEWHOPE_SENDABYTES], Variant variant=Ref, const uint8_t *random_seed=0)</div><div class="ttdoc">Generates the public key and shared secret for Bob. </div><div class="ttdef"><b>Definition:</b> <a href="NewHope_8cpp_source.html#l01116">NewHope.cpp:1116</a></div></div>
<div class="ttc" id="classSHAKE_html_aa6f3a32427433aabe20adccb6994a4aa"><div class="ttname"><a href="classSHAKE.html#aa6f3a32427433aabe20adccb6994a4aa">SHAKE::update</a></div><div class="ttdeci">void update(const void *data, size_t len)</div><div class="ttdoc">Updates the XOF with more data. </div><div class="ttdef"><b>Definition:</b> <a href="SHAKE_8cpp_source.html#l00064">SHAKE.cpp:64</a></div></div>
<div class="ttc" id="classChaCha_html_a41ac3262e52ff49dcd916d0b3b2e2038"><div class="ttname"><a href="classChaCha.html#a41ac3262e52ff49dcd916d0b3b2e2038">ChaCha::hashCore</a></div><div class="ttdeci">static void hashCore(uint32_t *output, const uint32_t *input, uint8_t rounds)</div><div class="ttdoc">Executes the ChaCha hash core on an input memory block. </div><div class="ttdef"><b>Definition:</b> <a href="ChaCha_8cpp_source.html#l00253">ChaCha.cpp:253</a></div></div>
<div class="ttc" id="classSHA3__256_html"><div class="ttname"><a href="classSHA3__256.html">SHA3_256</a></div><div class="ttdoc">SHA3-256 hash algorithm. </div><div class="ttdef"><b>Definition:</b> <a href="SHA3_8h_source.html#l00029">SHA3.h:29</a></div></div>
<div class="ttc" id="classNewHope_html_a679601da301134f037c3a5786bd7085fa2326f3fd76345d5900834593a74f6596"><div class="ttname"><a href="classNewHope.html#a679601da301134f037c3a5786bd7085fa2326f3fd76345d5900834593a74f6596">NewHope::Ref</a></div><div class="ttdoc">The standard &quot;reference&quot; version of the New Hope algorithm. </div><div class="ttdef"><b>Definition:</b> <a href="NewHope_8h_source.html#l00059">NewHope.h:59</a></div></div>
<div class="ttc" id="classSHAKE_html_ac3fe37617644e3498d40a86e846562fb"><div class="ttname"><a href="classSHAKE.html#ac3fe37617644e3498d40a86e846562fb">SHAKE::extend</a></div><div class="ttdeci">void extend(uint8_t *data, size_t len)</div><div class="ttdoc">Generates extendable output from this XOF. </div><div class="ttdef"><b>Definition:</b> <a href="SHAKE_8cpp_source.html#l00071">SHAKE.cpp:71</a></div></div>
</div><!-- fragment --></div><!-- contents -->
<!-- start footer part -->
<hr class="footer"/><address class="footer"><small>
Generated on Sat Aug 27 2016 14:32:20 for ArduinoLibs by &#160;<a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/>
</a> 1.8.6
</small></address>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink